HP VPN Firewall Appliances
System Management and Maintenance Command Reference

Part number: 5998-4180
Software version:
F1000-A-EI/F1000-S-EI (Feature 3726)
F1000-E (Release 3177)
F5000 (Feature 3211)
F5000-S/F5000-C (Release 3808)
VPN firewall modules (Release 3177)
20-Gbps VPN firewall modules (Release 3817)
Document version: 6PW101-20130923
Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
Contents

Ping, tracert, and system debugging commands
Ping and tracert commands
ping
pin

rmdir
undelete
Software upgrade commands

info-center logfile enable
info-center logfile frequency
info-center logfile overwrite-protection
info-center logfile size-qu

ntp-service source-interface
ntp-service unicast-peer
ntp-service unicast-server
RMON commands

ssh server authentication-timeout
ssh server compatible-ssh1x enable
ssh server enable
ssh server rekey-interval

ascii
binary
bye

Support and other resources
Contacting HP
Subscription service
Relate
Ping, tracert, and system debugging commands

Ping and tracert commands

ping
Use ping to verify whether the destination in an IP network is reachable, and to display the related statistics.
-p pad: Specifies the value of the pad field in an ICMP echo request, in hexadecimal format, 1 to 8 bits, in the range 0 to ffffffff. If the specified value is less than 8 bits, 0s are added in front of the value to extend it to 8 bits. For example, if pad is configured as 0x2f, then the packets are padded with 0x0000002f repeatedly to make the total length of the packet meet the requirements of the device.
--- 1.1.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/41/205 ms

The output shows the following:
• The destination is reachable.
• All ICMP echo requests sent by the source have got responses.
• The minimum time, average time, and maximum time for the packet’s roundtrip time are 1 ms, 41 ms, and 205 ms, respectively.

# Test whether the device with an IP address of 1.1.2.2 in VPN 1 is reachable.
ping -vpn-instance vpn1 1.1.2.
  1.1.1.2
  1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Record Route:
  1.1.2.1
  1.1.2.2
  1.1.1.2
  1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
Record Route:
  1.1.2.1
  1.1.2.2
  1.1.1.2
  1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Record Route:
  1.1.2.1
  1.1.2.2
  1.1.1.2
  1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms
Record Route:
  1.1.2.1
  1.1.2.2
  1.1.1.2
  1.1.1.1

--- 1.1.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
Field | Description
Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms | Received the ICMP reply from the device whose IP address is 1.1.2.2. If no reply is received during the timeout period, "Request time out" is displayed.
  • bytes—Number of data bytes in the ICMP reply.
  • Sequence—Packet sequence, used to determine whether a segment is lost, disordered or repeated.
  • ttl—TTL value in the ICMP reply.
  • time—Response time.
Record Route | Devices through which the ICMP echo request passed.
-s packet-size: Specifies the length (in bytes) of ICMPv6 echo requests (excluding the IPv6 packet header and the ICMPv6 packet header). The value range is 20 to 8100, and the default is 56.
-t timeout: Specifies the timeout time (in milliseconds) of an ICMPv6 echo reply. The value range is 0 to 65535, and the default is 2000.
host: Specifies the IPv6 address or host name of the destination.
Reply from 2001::1
bytes=56 Sequence=3 hop limit=64 time = 20 ms
Reply from 2001::1
bytes=56 Sequence=4 hop limit=64 time = 4 ms
Reply from 2001::1
bytes=56 Sequence=5 hop limit=64 time = 16 ms

--- 2001::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
host: Specifies the IP address or host name of the destination. The host name is a case-insensitive string of 1 to 255 characters.

Usage guidelines
After you identify a network failure with the ping command, use the tracert command to determine the failed nodes. Output from the tracert command includes IP addresses of all the Layer 3 devices the packets traverse from source to destination.
Parameters
-f first-ttl: Specifies the TTL value of the first packet. The value range is 1 to 255, and the default is 1. The value must be less than the maximum TTL.
-m max-ttl: Specifies the maximum number of hops allowed for a packet. The value range is 1 to 255, and the default is 30. The value must be greater than the first TTL.
-p port: Specifies an invalid UDP port of the destination. The value range is 1 to 65535, and the default value is 33434.
Syntax
debugging { all [ timeout time ] | module-name [ option ] }
undo debugging { all | module-name [ option ] }

Default
Debugging functions for all modules are disabled.

Views
User view

Default command level
3: System level

Parameters
all: Enables all debugging functions.
timeout time: Specifies the timeout time in minutes for the debugging all command. When all debugging is enabled, the system automatically executes the undo debugging all command after the time. The value range is 1 to 1440.
Default command level
1: Monitor level

Parameters
interface interface-type interface-number: Displays the debugging settings of the specified interface, where interface-type interface-number represents the interface type and number.
module-name: Specifies a module by its name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
IP performance optimization commands

display icmp statistics
Use display icmp statistics to display ICMP statistics.

Syntax
display icmp statistics [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
display ip socket
Use display ip socket to display socket information.

Syntax
display ip socket [ socktype sock-type ] [ task-id socket-id ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
socktype sock-type: Displays the socket information about this type. The value range for the sock type is 1 to 3, corresponding to TCP, UDP, and raw IP, respectively.
task-id: Displays the socket information about this task.
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, sb_maxcc = 0, rb_maxcc = 0,
socket option = SO_ACCEPTCONN SO_REUSEADDR SO_REUSEPORT SO_SENDVPNID(0),
socket state = SS_PRIV SS_ASYNC

Task = VTYD(38), socketid = 4, Proto = 6,
LA = 192.168.1.40:23, FA = 192.168.1.
Task = TRAP(52), socketid = 1, Proto = 17,
LA = 0.0.0.0:1025, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 0, sb_cc = 0, rb_cc = 0, sb_maxcc = 0, rb_maxcc = 0,
socket option = SO_UDPCHECKSUM,
socket state = SS_PRIV

Task = RDSO(56), socketid = 2, Proto = 17,
LA = 0.0.0.0:1812, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0, sb_maxcc = 0, rb_maxcc = 0,
socket option = SO_UDPCHECKSUM,
socket state = SS_PRIV

SOCK_RAW:
Task = ROUT(69), socketid = 8, Proto = 89,
LA = 0.0.0.0, FA = 0.0.0.
socket state = SS_PRIV SS_NBIO SS_ASYNC

Table 3 Command output
Field | Description
SOCK_STREAM | TCP socket.
SOCK_DGRAM | UDP socket.
SOCK_RAW | Raw IP socket.
Task | Task number.
socketid | Socket ID.
Proto | Protocol number of the socket, indicating the protocol type that IP carries.
LA | Local address and local port number.
FA | Remote address and remote port number.
sndbuf | Sending buffer size (in bytes) of the socket.
rcvbuf | Receiving buffer size (in bytes) of the socket.
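The fields in Table 3 are enough to turn this output into an exposure check. The parser below is an added example, not HP code: the sample text is constructed in the layout shown above (addresses are made up), and the watchlist of cleartext management services is an assumption to adapt to local policy.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the output above; addresses are made up.
SAMPLE = """\
SOCK_STREAM:
Task = VTYD(38), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, sb_maxcc = 0, rb_maxcc = 0,
socket option = SO_ACCEPTCONN SO_REUSEADDR SO_REUSEPORT SO_SENDVPNID(0),
socket state = SS_PRIV SS_ASYNC
Task = VTYD(38), socketid = 4, Proto = 6,
LA = 192.168.1.40:23, FA = 192.168.1.52:1917,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, sb_maxcc = 0, rb_maxcc = 0,
socket option = SO_REUSEPORT SO_SENDVPNID(0),
socket state = SS_PRIV SS_ASYNC
SOCK_DGRAM:
Task = TRAP(52), socketid = 1, Proto = 17,
LA = 0.0.0.0:1025, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 0, sb_cc = 0, rb_cc = 0, sb_maxcc = 0, rb_maxcc = 0,
socket option = SO_UDPCHECKSUM,
socket state = SS_PRIV
SOCK_RAW:
Task = ROUT(69), socketid = 8, Proto = 89,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 262144, rcvbuf = 262144, sb_cc = 0, rb_cc = 0, sb_maxcc = 0, rb_maxcc = 0,
socket option = SO_SENDVPNID(0),
socket state = SS_PRIV SS_NBIO SS_ASYNC
"""

# Assumed watchlist of cleartext management services; adjust to local policy.
CLEARTEXT_TCP = {21: "FTP", 23: "Telnet", 80: "HTTP"}

_SPLIT = re.compile(r"(?=SOCK_(?:STREAM|DGRAM|RAW):|Task = )")
_RECORD = re.compile(
    r"Task = (?P<task>\w+)\(\d+\),\s*socketid = \d+,\s*Proto = (?P<proto>\d+),"
    r"\s*LA = (?P<la>[^,\s]+),\s*FA = (?P<fa>[^,\s]+),"
    r".*?socket option = (?P<opt>.*?),\s*socket state = (?P<state>.*)",
    re.S,
)

@dataclass
class Sock:
    kind: str       # SOCK_STREAM, SOCK_DGRAM or SOCK_RAW
    task: str
    proto: int
    local: tuple    # (address, port); port is None for raw IP sockets
    remote: tuple
    options: frozenset
    states: frozenset

def _endpoint(text):
    host, sep, port = text.partition(":")   # IPv4 "addr:port" as in the output above
    return host, (int(port) if sep else None)

def parse_sockets(text):
    """Parse records whether the output kept its line breaks or was flattened."""
    socks, kind = [], None
    for chunk in _SPLIT.split(text):
        head = re.match(r"\s*(SOCK_(?:STREAM|DGRAM|RAW)):", chunk)
        if head:
            kind = head.group(1)
            continue
        m = _RECORD.search(chunk)
        if m is None or kind is None:
            continue                        # preamble or a truncated record
        socks.append(Sock(kind, m["task"], int(m["proto"]),
                          _endpoint(m["la"]), _endpoint(m["fa"]),
                          frozenset(m["opt"].split()), frozenset(m["state"].split())))
    return socks

def exposed_ports(socks):
    """TCP listeners (SO_ACCEPTCONN) and UDP sockets with no remote peer."""
    out = set()
    for s in socks:
        if s.kind == "SOCK_STREAM" and "SO_ACCEPTCONN" in s.options:
            out.add(("tcp", s.local[1]))
        elif s.kind == "SOCK_DGRAM" and not s.remote[1]:
            out.add(("udp", s.local[1]))
    return sorted(out)

def audit(socks):
    """Flag cleartext management listeners and sessions currently using them."""
    findings = []
    for s in socks:
        name = CLEARTEXT_TCP.get(s.local[1]) if s.kind == "SOCK_STREAM" else None
        if name is None:
            continue
        if "SO_ACCEPTCONN" in s.options:
            scope = "all addresses" if s.local[0] == "0.0.0.0" else s.local[0]
            findings.append(f"{name} listener ({s.task}) on {scope}, TCP/{s.local[1]}")
        elif s.remote[1]:
            findings.append(f"active {name} session from {s.remote[0]}:{s.remote[1]}")
    return findings

if __name__ == "__main__":
    print(exposed_ports(parse_sockets(SAMPLE)))
    print("\n".join(audit(parse_sockets(SAMPLE))))
```

Records that are cut off before the socket state field are skipped rather than guessed at, so a truncated capture under-reports instead of mis-reporting.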
Examples
# Display statistics of IP packets.
display ip statistics
Input:        sum             7120    local              112
              bad protocol    0       bad format         0
              bad checksum    0       bad options        0
Output:       forwarding      0       local              27
              dropped         0       no route           2
              compress fails  0
Fragment:     input           0       output             0
              dropped         0
              fragmented      0       couldn't fragment  0
Reassembling: sum             0       timeouts           0

Table 4 Command output
Field (Input, Output, Fragment, Reassembling) | Description
sum | Total number of packets received.
Syntax
display tcp statistics [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Packets dropped with MD5 authentication: 0
Packets permitted with MD5 authentication: 0

Table 5 Command output
Field (Received packets, Sent packets) | Description
Total | Total number of packets received.
packets in sequence | Number of packets arriving in sequence.
window probe packets | Number of window probe packets received.
window update packets | Number of window update packets received.
checksum error | Number of checksum error packets received.
offset error | Number of offset error packets received.
Field | Description
established connections | Number of connections established.
Closed connections | Number of connections closed. In brackets are connections closed accidentally (before receiving SYN from the peer) and connections closed initiatively (after receiving SYN from the peer).
Packets dropped with MD5 authentication | Number of packets dropped by MD5 authentication.
Packets permitted with MD5 authentication | Number of packets permitted by MD5 authentication.
Table 6 Command output
Field (Received packets, Sent packets) | Description
Total | Total number of UDP packets received.
checksum error | Total number of packets with incorrect checksum.
shorter than header | Number of packets with data shorter than head.
data length larger than packet | Number of packets with data longer than packet.
unicast(no socket on port) | Number of unicast packets with no socket on port.
system-view
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] ip forward-broadcast acl 2001

ip forward-broadcast (system view)
Use ip forward-broadcast to enable the device to receive directed broadcasts.
Use undo ip forward-broadcast to disable the device from receiving directed broadcasts.

Syntax
ip forward-broadcast
undo ip forward-broadcast

Default
The device is not allowed to receive directed broadcasts.
ip ttl-expires enable
Use ip ttl-expires enable to enable sending ICMP timeout packets.
Use undo ip ttl-expires to disable sending ICMP timeout packets.

Syntax
ip ttl-expires enable
undo ip ttl-expires

Default
Sending ICMP timeout packets is disabled.

Views
System view

Default command level
2: System level

Usage guidelines
If the feature is disabled, the device does not send TTL timeout ICMP packets, but still sends "reassembly timeout" ICMP packets.

Examples
# Enable sending ICMP timeout packets.
reset ip statistics
Use reset ip statistics to clear statistics of IP packets.

Syntax
reset ip statistics

Views
User view

Default command level
1: Monitor level

Parameters
None

Examples
# Clear statistics of IP packets.
reset ip statistics

Related commands
• display ip statistics
• display ip interface

reset tcp statistics
Use reset tcp statistics to clear statistics of TCP traffic.
Views
User view

Default command level
1: Monitor level

Examples
# Clear statistics of UDP traffic.
reset udp statistics

tcp mss
Use tcp mss to configure the TCP MSS.
Use undo tcp mss to restore the default.

Syntax
tcp mss value
undo tcp mss

Default
The TCP MSS is 1460 bytes.

Views
Interface view

Default command level
2: System level

Parameters
value: TCP maximum segment size (MSS) in bytes, in the range of 128 to 2048.
Default
TCP path MTU discovery is disabled.

Views
System view

Default command level
2: System level

Parameters
aging minutes: Sets the aging time of the path MTU, in the range of 10 to 30 minutes. The default aging time is 10 minutes.
no-aging: Does not age out the path MTU.

Examples
# Enable TCP path MTU discovery and set the path MTU aging time to 20 minutes.
Related commands
• tcp timer syn-timeout
• tcp window

tcp timer syn-timeout
Use tcp timer syn-timeout to configure the TCP synwait timer.
Use undo tcp timer syn-timeout to restore the default.

Syntax
tcp timer syn-timeout time-value
undo tcp timer syn-timeout

Default
The TCP synwait timer is 75 seconds.

Views
System view

Default command level
2: System level

Parameters
time-value: Specifies the TCP synwait timer in seconds, in the range of 2 to 600.
Default command level
2: System level

Parameters
window-size: Size of the send/receive buffer in KB, in the range of 1 to 32.

Examples
# Configure the size of the TCP send/receive buffer as 3 KB.
File system management commands

In the following examples, the current working directory is the root directory of the storage medium on the device. For information about the qualified file name formats, see Getting Started Guide.
# Return to the upper directory. (A space is required after the keyword cd.)
cd ..
# Return to the root directory.
cd /
After you change the current directory by using the cd command, you can use the pwd command to view the path of the current working directory.

copy
Use copy to copy a file.

Syntax
copy fileurl-source fileurl-dest

Views
User view

Default command level
3: Manage level

Parameters
fileurl-source: Name of the source file.
Description
Use the crypto-digest command to compute the digest of a specified file. The computed digest is used to verify the correctness and integrity of the file, so that tampering with the file can be detected. For example, you can use the command to compute the digest of the software image file of a device, and compare the digest with that on the web site of the device vendor to verify whether the file is valid.

Examples
# Use the SHA-256 algorithm to compute the digest of the file cc.bin.
dir
Use dir to display files or folders.

Syntax
dir [ /all ] [ file-url | /all-filesystems ]

Views
User view

Default command level
3: Manage level

Parameters
/all: Displays all files and folders in the current directory, including hidden files, hidden folders, and files moved from the current directory to the recycle bin. Files in the recycle bin are enclosed in square brackets [ ].
file-url: Displays the specified file. Asterisks (*) are acceptable as wildcards. For example, to display files with the .
Table 7 Command output
Field | Description
Directory of | Current working directory.
d | Directory. If this field does not exist, it indicates a file.
r | The file or directory is readable.
w | The file or directory is writable.
h | The file or directory is hidden.
[] | The file is in the recycle bin.

display nandflash file-location
Use display nandflash file-location to display the location of the specified file in the NAND Flash memory.
Hardware | Compatibility
20-Gbps VPN firewall modules | No

Examples
# Display the location of the file test.cfg in the NAND Flash memory.
display nandflash file-location test.cfg
Logical Chunk    Physical Page
--------------------------
chunk(0)         1234
chunk(1)         1236
chunk(2)         1235
filename: test.cfg

Table 8 Command output
Field | Description
Logic Chunk | Serial number of the logical pages.
Physical Page | Serial number of the physical pages.
Hardware | Compatibility
F1000-A-EI/F1000-S-EI | Yes
F1000-E | No
F5000 | No
F5000-S/F5000-C | No
VPN firewall modules | No
20-Gbps VPN firewall modules | No

Examples
# Display the number and location of bad blocks in the NAND Flash memory.
display nandflash badblock-location
No              Physical block
-----------------------------
badblock(0)     1234
badblock(1)     1235
badblock(2)     1236
3200 block(s) total, 3 block(s) bad.

Table 9 Command output
Field | Description
No | Serial number of the bad blocks.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines
This command is always used in combination with the display nandflash file-location command to check the correctness of the data in the NAND Flash memory.
Parameters
filename: Name of a batch file with the .bat extension. To change the extension of a configuration file to .bat, use the rename command.

Usage guidelines
Batch files are command line files. Executing a batch file executes the set of command lines in the file. Do not include invisible characters in a batch file. If an invisible character is found during the execution, the batch process will abort and the commands that have been executed cannot be cancelled.
Hardware | Storage medium name
F1000-A-EI/F1000-S-EI | Flash (partitioning not supported)
F1000-E | cfa
F5000 | cfa
F5000-S/F5000-C | cfa
VPN firewall modules | cfa
20-Gbps VPN firewall modules | cfa

Examples
# Divide the CF card on the device evenly into three partitions in simple mode.
// Enter 127 to specify the size of the second partition as 127 MB.
The remaining space is less than 32MB. Please reenter the size of partition 2.
Partition 2 (32MB~96MB, 128MB, CTRL+C to quit, Enter to use all space left):
// Enter 56 to respecify the size of the second partition as 56 MB.
Partition 3 (32MB~40MB, 72MB, CTRL+C to quit, Enter to use all space left):
// Press Enter to assign the remaining space to the third partition.
Syntax
fixdisk medium-name

Views
User view

Default command level
3: Manage level

Parameters
medium-name: Storage medium name.
The following matrix shows the values for the medium-name argument on different firewalls and firewall modules:

Hardware | Storage medium name
F1000-A-EI/F1000-S-EI | flash0
F1000-E | cfa0
F5000 | cfa0
F5000-S/F5000-C | cfa0
VPN firewall modules | cfa0
20-Gbps VPN firewall modules | cfa0

FAT16: Formats a storage medium using the FAT16 format. FAT16 does not support Tab matching and must be entered completely if used.
FAT32: Formats a storage medium using the FAT32 format.
Usage guidelines
The name of the folder to be created must be unique in the specified directory. Otherwise, you will fail to create the folder in the directory.
To use this command to create a folder, the specified directory must exist. For example, to create folder cfa0:/test/mytest, the test folder must exist. Otherwise, you will fail to create the mytest folder.

Examples
# Create a folder named test in the current directory.
mkdir test
....
%Created dir cfa0:/test.
more test.txt
Welcome to HP.
# Display the contents of file testcfg.cfg.
more testcfg.cfg
#
 version 5.20, Beta 1201, Standard
#
 sysname Sysname
#
 vlan 2
#
return

move
Use move to move a file.

Syntax
move fileurl-source fileurl-dest

Views
User view

Default command level
3: Manage level

Parameters
fileurl-source: Name of the source file.
fileurl-dest: Name of the target file or folder.
pwd
Use pwd to display the current path.

Syntax
pwd

Views
User view

Default command level
3: Manage level

Examples
# Display the current path.
pwd
cfa0:

rename
Use rename to rename a file or folder. The target file name must be unique in the current path.

Syntax
rename fileurl-source fileurl-dest

Views
User view

Default command level
3: Manage level

Parameters
fileurl-source: Name of the source file or folder.
fileurl-dest: Name of the target file or folder.
Default command level
3: Manage level

Parameters
/force: Deletes all files in the recycle bin, including files that cannot be deleted by the command without the /force keyword.

Usage guidelines
If a file is corrupted, you might not be able to delete the file using the reset recycle-bin command. Use the reset recycle-bin /force command to delete the corrupted file in the recycle bin forcibly.
The delete file-url command only moves a file to the recycle bin.
2 -rw- 8036197 May 14 2008 10:13:18 main.app
3 -rw- 2386 Apr 26 2008 13:30:30 back.cfg
4 drw- - May 08 2008 09:49:25 test
5 -rwh 716 Apr 24 2007 16:17:30 hostkey
6 -rwh 572 Apr 24 2007 16:17:44 serverkey
7 -rw- 2386 May 08 2008 11:14:20 [a.cfg]
14605 KB total (6734 KB free)
// The output shows that file cfa0:/b.cfg is deleted permanently.

# Delete file aa.cfg in the subdirectory test and in the recycle bin:
4. Enter the subdirectory
cd test/
5.
After you execute the rmdir command successfully, the files in the recycle bin in the folder will be automatically deleted.

Examples
# Remove folder mydir.
rmdir mydir
Rmdir cfa0:/mydir?[Y/N]:y
%Removed directory cfa0:/mydir.

undelete
Use undelete to restore a file from the recycle bin.

Syntax
undelete file-url

Views
User view

Default command level
3: Manage level

Parameters
file-url: Name of the file to be restored.
Software upgrade commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Access Control Configuration Guide.
Usage guidelines
To execute the boot-loader command successfully, make sure you have saved the image file to the root directory of the storage medium on the device.
In FIPS mode, the file must pass authenticity verification before it can be set as a startup system software image file.

Examples
# Specify test.bin as the main startup system software image file. This example assumes that this file has been saved in the root directory of the storage medium.
boot-loader file test.
Examples
# Read the BootWare image.
bootrom read all
Now reading bootrom, please wait...
Read bootrom! Please wait...
Start reading basic bootrom!
Read basic bootrom completed!
Start reading extended bootrom!
Read extended bootrom completed!
Read bootrom completed! Please check the file!
After the BootWare image is read, you can find extbtm.bin and basbtm.bin on the storage medium of the device.
dir
Directory of cfa0:/
0 -rw- 37961708 Jul 27 2012 11:38:04 main.
This command will restore bootrom file, Continue? [Y/N]:y
Now restoring bootrom, please wait...
Restore bootrom! Please wait...
Read backup basic bootrom completed!
................................................
Restore basic bootrom completed!
Read backup extended bootrom completed!
................................................
Restore extended bootrom completed!
Restore bootrom completed!
# Use the a.btw file to upgrade the BootWare image of the device.
bootrom update file a.
[Sysname] bootrom-update security-check enable

display boot-loader
Use display boot-loader to display system software image information, including the current system software image and the startup system software images.

Syntax
display boot-loader [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
2: System level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
display patch
Use display patch to display patch files that have been installed. If a patch file is loaded from a patch package file, this command also displays the package file version.

Syntax
display patch [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
3: Manage level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Examples
# Display patch information.
display patch information
The location of patches: cfa0:
Slot Version Temporary Common Current Active Running Start-Address
----------------------------------------------------------------------
0    HFW004  0         1      1       0      1       0x310bd74

Table 11 Command output
Field | Description
The location of patches | Patch file location. You can use the patch location command to change the location.
Slot | Ignored. This field always displays 0.
Version | Patch version.
The patch active command changes the state of DEACTIVE patches to ACTIVE state and runs the patches. To continue to run these patches after a reboot, use the patch run command to change their state to RUNNING. If not, the state of ACTIVE patches changes back to DEACTIVE at a reboot.

Examples
# Activate patch 3 and all its previous DEACTIVE patches.
system-view
[Sysname] patch active 3
# Activate all DEACTIVE patches.
Default command level
3: Manage level

Parameters
patch-number: Specifies the sequence number of a patch. The value range is 1 to 200. If no sequence number is specified, this command removes all patches in the patch memory area. If a sequence number is specified, this command removes the specified patch and all its subsequent patches.

Usage guidelines
This command does not delete patches from the storage medium. After being removed from the patch memory area, the patches change to the IDLE state.
state after a reboot. If not, the installed patches are set in ACTIVE state and change to the DEACTIVE state at a reboot.
The undo patch install command changes the state of ACTIVE and RUNNING patches to IDLE, but does not delete them from the storage medium.
If you execute the patch install patch-location command, the directory specified for the patch-location argument replaces the directory specified with the patch location command after the upgrade is complete.
Parameters
file filename: Specifies a patch package file name. If the package file is specified, the system loads patch files from the patch package. If no package file is specified, the system loads patch files from the storage medium on the device.

Usage guidelines
Before loading patches, make sure you have saved the patch files to the specified patch file location. If no patch location has been specified, the system by default loads patch files from the root directory of the storage medium.
Examples
# Specify the root directory of the CF card as the patch file location.
system-view
[Sysname] patch location cfa0:

patch run
Use patch run to confirm ACTIVE patches.

Syntax
patch run [ patch-number ]

Views
System view

Default command level
3: Manage level

Parameters
patch-number: Specifies the sequence number of a patch. The value range is 1 to 200. If no sequence number is specified, this command confirms all ACTIVE patches and changes their state to RUNNING.
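The state changes described above for patch active, patch run, patch delete and a reboot, modelled as an added example (not HP code) to show which fixes stop applying after a restart. It assumes that a patch loaded into the patch memory area starts in the DEACTIVE state, and it covers patch run only without a sequence number, as described above.

```python
IDLE, DEACTIVE, ACTIVE, RUNNING = "IDLE", "DEACTIVE", "ACTIVE", "RUNNING"


class PatchArea:
    """Model of the patch memory area, keyed by patch sequence number."""

    def __init__(self, loaded):
        # Assumption: a patch loaded into the patch memory area starts as DEACTIVE.
        self.state = {self._check(n): DEACTIVE for n in sorted(loaded)}

    @staticmethod
    def _check(number):
        if not 1 <= number <= 200:          # value range given for patch-number
            raise ValueError(f"patch sequence number out of range: {number}")
        return number

    def _move(self, source, target, selected):
        # Only values of existing keys change, so iterating items() is safe.
        for n, current in self.state.items():
            if current in source and selected(n):
                self.state[n] = target

    def active(self, number=None):
        """patch active [n]: patch n and all previous DEACTIVE patches become ACTIVE."""
        limit = 200 if number is None else self._check(number)
        self._move({DEACTIVE}, ACTIVE, lambda n: n <= limit)

    def run(self):
        """patch run without a number: every ACTIVE patch becomes RUNNING."""
        self._move({ACTIVE}, RUNNING, lambda n: True)

    def delete(self, number=None):
        """patch delete [n]: patch n and all subsequent patches return to IDLE."""
        first = 1 if number is None else self._check(number)
        self._move({DEACTIVE, ACTIVE, RUNNING}, IDLE, lambda n: n >= first)

    def reboot(self):
        """At a reboot ACTIVE patches fall back to DEACTIVE; RUNNING patches stay."""
        self._move({ACTIVE}, DEACTIVE, lambda n: True)

    def in_effect(self):
        """Patches currently being run by the system."""
        return [n for n, s in self.state.items() if s in (ACTIVE, RUNNING)]

    def lost_at_reboot(self):
        """Patches in effect now that will not be in effect after a reboot."""
        return [n for n, s in self.state.items() if s == ACTIVE]


def walkthrough():
    """Activate 1 to 3, confirm them, activate 4 without confirming, then reboot."""
    area = PatchArea([1, 2, 3, 4])
    area.active(3)
    area.run()
    area.active()
    before = (area.in_effect(), area.lost_at_reboot())
    area.reboot()
    after = (area.in_effect(), dict(area.state))
    return before, after


if __name__ == "__main__":
    before, after = walkthrough()
    print("before reboot:", before)
    print("after reboot: ", after)
```

A non-empty lost_at_reboot() result is the condition worth alerting on: those patches are applied now but were never confirmed with patch run.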
Password recovery control commands

password-recovery enable
Use password-recovery enable to enable password recovery capability.
Use undo password-recovery enable to disable password recovery capability.

Syntax
password-recovery enable
undo password-recovery enable

Default
Password recovery capability is enabled.

Views
System view

Default command level
3: Manage level

Usage guidelines
Password recovery capability controls console user access to the device configuration and SDRAM from BootWare menus.
Configuration file management commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Access Control Configuration Guide.
• If a low-speed storage medium (such as a flash memory) is used, archive the running configuration manually, or configure automatic archiving with an interval longer than 1440 minutes (24 hours).
• If a high-speed storage medium (such as a CF card) is used and the device configuration changes frequently, set a shorter saving interval.

Examples
# Archive the running configuration.
archive configuration
Warning: Save the running configuration to an archive file. Continue? [Y/N]: Y
Please wait..
• If the device configuration does not change frequently, manually archive the running configuration as needed.
• If a low-speed storage medium (such as a flash memory) is used, archive the running configuration manually, or configure automatic archiving with an interval longer than 1440 minutes (24 hours).
• If a high-speed storage medium (such as a CF card) is used and the device configuration changes frequently, set a shorter saving interval.
Configuration archives take the file name format prefix_serial number.cfg, for example, 20080620archive_1.cfg and 20080620archive_2.cfg. The serial number is automatically assigned from 1 to 1000, increasing by 1. After the serial number reaches 1000, it restarts from 1.
Usage guidelines
Before you can set a limit on configuration archives, use the archive configuration location command to specify a configuration archive directory and archive file name prefix.
After the maximum number of configuration archives is reached, the system deletes the oldest archive for the new archive.
Changing the limit setting to a lower value does not cause immediate deletion of exceeding archives.
backup startup-configuration to 2.2.2.2 192-168-1-26.cfg
Backup next startup-configuration file to 2.2.2.2, please wait…finished!

configuration encrypt
Use configuration encrypt to enable configuration encryption.
Use undo configuration encrypt to restore the default.

Syntax
configuration encrypt { private-key | public-key }
undo configuration encrypt

Default
Configuration encryption is disabled. The running configuration is saved to a configuration file without encryption.
Default command level 3: Manage level Parameters filename: Specifies the name of the replacement configuration file for configuration rollback. Usage guidelines To replace the running configuration with the configuration in a configuration file without rebooting the device, use the configuration rollback function. This function helps you revert to a previous configuration state or adapt the running configuration to different network environments.
Examples
# Display configuration archive information.
display archive configuration
Location: cfa0:/archive
Filename prefix: my_archive
Archive interval in minutes: 120
Maximum number of archive files: 10
Saved archive files:
  No.  TimeStamp             FileName
  1    Jan 05 2012 20:24:54  my_archive_1.cfg
  2    Jan 05 2012 20:34:54  my_archive_2.cfg
  # 3  Jan 05 2012 20:44:54  my_archive_3.cfg
'#' indicates the most recent archive file.
Next archive file to be saved: my_archive_4.
• post-system: Displays the post-system configuration. • system: Displays the system configuration. • user-interface: Displays the user interface configuration. interface [ interface-type [ interface-number ] ]: Displays interface configuration, where interface-type represents the interface type and interface-number represents the interface number. exclude modules: Excludes the configuration of specific modules. The modules argument can be acl, acl6, or both separated by a space.
Related commands • display saved-configuration • reset saved-configuration • save display default-configuration Use display default-configuration to display the factory defaults. Syntax display default-configuration [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Views Any view Default command level 2: System level Parameters by-linenum: Identifies each line of displayed information with a line number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
At the prompt of More, press Enter to display the next line, press Space to display the next screen of configuration, or press Ctrl+C or any other key to stop displaying the configuration. # Display the next-startup configuration file and number each line. display saved-configuration by-linenum 1: # 2: 3: version 5.
Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines Use this command to verify the configuration you have made in a certain view. Typically, this command does not display parameters that are set to their default settings.
Views
User view
Default command level
3: Manage level
Usage guidelines
Delete the next-startup configuration file if it does not match the software version or is corrupted.
Use this command with caution. This command permanently deletes the next-startup configuration file.
Examples
# Delete the next-startup configuration file.
reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]:y
Configuration file in cfa0 is being cleared.
Please wait ...........
Examples
# Download the configuration file test.cfg from the TFTP server at 2.2.2.2, and specify the file as the startup configuration file for the next startup.
restore startup-configuration from 2.2.2.2 test.cfg
Restore next startup-configuration file from 2.2.2.2. Please wait.............. finished!
save
Use save file-url to save the running configuration to a configuration file, without specifying the file as a next-startup configuration file.
# Save the running configuration to the configuration file startup.cfg in the root directory of the storage medium, and specify the configuration file as the next-startup configuration file.
display startup
Current startup saved-configuration file: cfa0:/hmr.cfg
Next startup saved-configuration file: cfa0:/aa.cfg
save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[cfa0:/aa.
Examples # Specify the next-startup configuration file. startup saved-configuration testcfg.cfg Please wait .... ...
Information center commands display channel Use display channel to display channel information. Syntax display channel [ channel-number | channel-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters channel-number: Specifies a channel by its number in the range of 0 to 9. channel-name: Specifies a channel by its name, a default name or a self-defined name.
Examples
# Display information about channel 0.
display channel 0
channel number:0, channel name:console
MODU_ID   NAME     ENABLE  LOG_LEVEL      ENABLE  TRAP_LEVEL  ENABLE  DEBUG_LEVEL
ffff0000  default  Y       informational  Y       debugging   Y       debugging
The output shows that the system is allowed to output log information with a severity from 0 to 4, trap information with a severity from 0 to 7, and debug information with a severity from 0 to 7 to the console.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information center configuration information. display info-center Information Center:enabled Log host: 1.1.1.
Table 16 Severity description
Severity       Value  Description                        Corresponding keyword in commands
Emergency      0      The system is unusable.            emergencies
Alert          1      Action must be taken immediately.  alerts
Critical       2      Critical condition.                critical
Error          3      Error condition.                   errors
Warning        4      Warning condition.                 warnings
Notification   5      Normal but significant condition.  notifications
Informational  6      Informational message.             informational
Debug          7      Debug message.
Field                 Description
Channel number        Channel number of the log buffer. The default channel number is 4.
Channel name          Channel name of the log buffer. The default channel name is logbuffer.
Dropped messages      Number of dropped messages.
Overwritten messages  Number of overwritten messages (when the buffer size is not big enough to hold all messages, the latest messages overwrite the old ones).
Current messages      Number of current messages.
Field  Description
WARN   Represents warning. See Table 16 for details.
NOTIF  Represents notice. See Table 16 for details.
INFO   Represents informational. See Table 16 for details.
DEBUG  Represents debug. See Table 16 for details.
display logfile buffer
Use display logfile buffer to display the contents of the log file buffer.
%@27091414#Aug 7 08:04:02:470 2009 Sysname IFNET/4/INTERFACE UPDOWN: Trap 1.3.6.1.6.3.1.1.5.4: Interface 983040 is Up, ifAdminStatus is 1, ifOperStatus is 1
…
display logfile summary
Use display logfile summary to display the log file configuration.
Syntax
display logfile summary [ | { begin | exclude | include } regular-expression ]
Views
System view for security log management
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression.
Table 19 Command output Field Description Log file is State of the log file feature, enabled or disabled. Channel number Log file channel number, which defaults to 9. Log file size quota Maximum storage space of a log file. Log file directory Log file directory. Writing frequency Log file writing frequency. display security-logfile buffer Use display security-logfile buffer to display the contents of the security log file buffer.
display security-logfile summary Use display security-logfile summary to display the summary of the security log file. Syntax display security-logfile summary [ | { begin | exclude | include } regular-expression ] Views System view for security log management Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
display trapbuffer Use display trapbuffer to display the state and the trap information of the trap buffer. Without the size buffersize argument, the command displays all trap information. Syntax display trapbuffer [ reverse ] [ size buffersize ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters reverse: Displays trap entries chronologically, with the most recent entry at the top.
#Aug 20 13:27:26:971 2013 Sysname SHELL/4/LOGIN: Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console
Table 21 Command output
Field                                       Description
Trapping buffer configuration and contents  State of the trap buffer, enabled or disabled.
Allowed max buffer size                     Maximum capacity of the trap buffer.
Actual buffer size                          Actual capacity of the trap buffer.
Channel number                              Channel number of the trap buffer, which defaults to 3.
channel name                                Channel name of the trap buffer, which defaults to trapbuffer.
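The log and trap lines shown in this reference follow one layout: a marker (% on the log sample, # on the trap samples), the date timestamp, the sysname, and MODULE/severity/MNEMONIC, where the digit is the Table 16 severity value. The parser below is an added example, not HP code; it handles only the date timestamp format, and its function names and the final non-matching sample line are assumptions made for illustration.

```python
import re
from datetime import datetime

# Table 16: severity value -> keyword used in info-center commands.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational",
            7: "debugging"}
# Leading marker as it appears in the samples on this page.
KIND = {"%": "log", "#": "trap"}
MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

LINE_RE = re.compile(
    r"^(?:%@\d+)?"                       # log file buffer prefix, e.g. %@27091414
    r"(?P<kind>[%#])"                    # % = log, # = trap
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+"
    r"(?P<year>\d{4})\s+"
    r"(?P<host>\S+)\s+"                  # sysname of the sending device
    r"(?P<module>[A-Za-z0-9_]+)/(?P<sev>[0-7])/(?P<mnemonic>[^:]+):\s*"
    r"(?P<text>.*)$"
)


def parse_line(line):
    """Parse one line in the 'date' timestamp format; return None otherwise."""
    m = LINE_RE.match(line.strip())
    if m is None or m["mon"] not in MONTHS:
        return None
    try:
        stamp = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                         int(m["h"]), int(m["mi"]), int(m["s"]),
                         int(m["ms"]) * 1000)
    except ValueError:                   # impossible date such as Feb 31
        return None
    sev = int(m["sev"])
    return {"kind": KIND[m["kind"]], "timestamp": stamp, "host": m["host"],
            "module": m["module"], "severity": sev, "keyword": SEVERITY[sev],
            "mnemonic": m["mnemonic"].strip(), "text": m["text"]}


def at_least(records, keyword):
    """Keep records at severity `keyword` or more severe (lower value)."""
    limit = next(v for v, k in SEVERITY.items() if k == keyword)
    return [r for r in records if r["severity"] <= limit]


# The first three lines are the samples printed in this reference; the last
# one is constructed to show the non-matching case.
SAMPLES = [
    "%May 30 05:36:29:579 2003 Sysname FTPD/5/FTPD_LOGIN: "
    "User ftp (192.168.1.23) has logged in successfully.",
    "#Aug 20 13:27:26:971 2013 Sysname SHELL/4/LOGIN: "
    "Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console",
    "%@27091414#Aug 7 08:04:02:470 2009 Sysname IFNET/4/INTERFACE UPDOWN: "
    "Trap 1.3.6.1.6.3.1.1.5.4: Interface 983040 is Up, "
    "ifAdminStatus is 1, ifOperStatus is 1",
    "this line is not device output",
]

if __name__ == "__main__":
    parsed = [r for r in map(parse_line, SAMPLES) if r is not None]
    for rec in at_least(parsed, "warnings"):
        print(rec["timestamp"].isoformat(), rec["kind"], rec["module"],
              rec["keyword"], rec["mnemonic"])
```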
Syntax info-center channel channel-number name channel-name undo info-center channel channel-number Default See Table 14 for information about default channel names and channel numbers. Views System view Default command level 2: System level Parameters channel-number: Specifies a channel by its number in the range of 0 to 9. channel-name: Specifies a name for the channel, a case-insensitive string of 1 to 30 characters. It must be a combination of letters and numbers and start with a letter.
Examples
# Specify the console output channel as channel 0.
system-view
[Sysname] info-center console channel 0
info-center enable
Use info-center enable to enable the information center.
Use undo info-center enable to disable the information center.
Syntax
info-center enable
undo info-center enable
Default
The information center is enabled.
Parameters unicom: Specifies the unicom format. china-telecom: Specifies the china-telecom format. china-unicom-nat444: Specifies the china-unicom-nat444 format. Usage guidelines System information sent to the log host can be in HP, unicom, china-telecom, or china-unicom-nat444 format. The china-telecom and china-unicom-nat444 formats are available only for NAT444. For more information about system information formats, see System Management and Maintenance Configuration Guide.
Views System view Default command level 2: System level Parameters channel-number: Specifies a channel by its number in the range of 0 to 9. channel-name: Specifies a channel by its name, a default name or a self-defined name. For information about configuring a channel name, see info-center channel name. buffersize: Specifies the maximum number of log messages that can be stored in the log buffer.
Default command level
2: System level
Usage guidelines
The following matrix shows support for the info-center logfile enable command on different firewalls and firewall modules:
Hardware                      Command compatible
F1000-A-EI/F1000-S-EI         No
F1000-E                       Yes
F5000                         Yes
F5000-S/F5000-C               Yes
VPN firewall modules          Yes
20-Gbps VPN firewall modules  Yes
Examples
# Enable the log file feature.
Hardware                      Command compatible
F1000-E                       Yes
F5000                         Yes
F5000-S/F5000-C               Yes
VPN firewall modules          Yes
20-Gbps VPN firewall modules  Yes
Examples
# Configure the interval for saving system information to the log file as 60000 seconds.
undo info-center logfile size-quota Default The storage space reserved for a log file is 10 MB. Views System view Default command level 2: System level Parameters size: Specifies the maximum storage space reserved for a log file, in the range of 1 to 10 MB.
Parameters dir-name: Specifies a directory by its name, a string of 1 to 64 characters. Usage guidelines The specified directory must have been created. The configuration made by this command cannot survive a system restart.
Parameters vpn-instance vpn-instance-name: Specifies a VPN by its name, a case-sensitive string of 1 to 31 characters. If the log host is on the public network, do not specify this option. ipv6 host-ipv6-address: Specifies the IPv6 address of a log host. host-ipv4-address: Specifies the IPv4 address of a log host. port port-number: Specifies the port number of the log host, in the range of 1 to 65535. The default value is 514. It must be the same as the value configured on the log host.
Default The source IP address of output log information is the primary IP address of the matching route's egress interface. Views System view Default command level 2: System level Parameters interface-type interface-number: Specifies the egress interface for log information by the interface type and interface number.
undo info-center monitor channel Default The system outputs information to the monitor through channel 1. Views System view Default command level 2: System level Parameters channel-number: Specifies a channel by its number in the range of 0 to 9. channel-name: Specifies a channel by its name, a default name or a self-defined name. For information about configuring a channel name, see info-center channel name.
inform the administrator. The administrator can log in to the device as the security log administrator, and back up the security log file.
Examples
# Set the alarm threshold for security log file usage to 90%.
system-view
[Sysname] info-center security-logfile alarm-threshold 90
Related commands
info-center security-logfile size-quota
info-center security-logfile enable
Use info-center security-logfile enable to enable the saving of the security logs into the security log file.
Views System view Default command level 2: System level Parameters freq-sec: Specifies the security log file saving interval in the range of 10 to 86400 seconds. Examples # Save security logs to the security log file every 600 seconds.
Syntax info-center security-logfile switch-directory dir-name Default The directory to save the security log file is the seclog directory under the root directory of the storage medium. Views System view for security log management Default command level 2: System level Parameters dir-name: Specifies a directory by its name, a string of 1 to 64 characters. Usage guidelines The specified directory must have been created. The configuration made by this command cannot survive a system restart.
Parameters channel-number: Specifies a channel by its number in the range of 0 to 9. channel-name: Specifies a channel by its name, a default name or a self-defined name. For information about configuring a channel name, see the info-center channel name command. Examples # Output system information to the SNMP module through channel 6.
Usage guidelines This command sets an output rule for a specified module or all modules. For example, you can output IP log information with a severity higher than warning to the log host, and output IP log information with a severity higher than informational to the log buffer. If you do not set an output rule for a module, the module uses the default output rule or the output rule set by using the default keyword.
Destination  Source modules         Trap               Log                Debug
                                    Status   Severity  Status   Severity  Status    Severity
Log file     All supported modules  Enabled  Debug     Enabled  Debug     Disabled  Debug
Examples
# Output VLAN module's trap information with a severity level of at least emergency to the channel console. All other system information cannot be output to this channel.
[Sysname] display current-
Enter configuration to complete the display current-configuration command, and press the Enter key to execute the command.
# Enable synchronous information output, and then save the current configuration (enter interactive information).
system-view
[Sysname] info-center synchronous
% Info-center synchronous output is on
[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:
At this time, the system receives the log information.
info-center timestamp
Use info-center timestamp to configure the timestamp format for system information sent to all destinations except the log host.
Use undo info-center timestamp to restore the default.
Syntax
info-center timestamp { debugging | log | trap } { boot | date | none }
undo info-center timestamp { debugging | log | trap }
Default
The timestamp format for system information is date.
[Sysname] info-center timestamp log date
At this time, if you log in to the FTP server by using the username ftp, the log information generated is as follows:
%May 30 05:36:29:579 2003 Sysname FTPD/5/FTPD_LOGIN: User ftp (192.168.1.23) has logged in successfully.
# Configure the timestamp format for log information as none.
info-center trapbuffer Use info-center trapbuffer to configure information output to the trap buffer. Use undo info-center trapbuffer to disable information output to the trap buffer. Syntax info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] * undo info-center trapbuffer [ channel | size ] Default The system outputs information to the trap buffer through channel 3 (trapbuffer), and the maximum buffer size is 256.
Default command level
2: System level
Usage guidelines
The system clears the log file buffer after saving logs from the buffer to the log file automatically or manually.
The following matrix shows support for the logfile save command on different firewalls and firewall modules:
Hardware                      Command compatible
F1000-A-EI/F1000-S-EI         No
F1000-E                       Yes
F5000                         Yes
F5000-S/F5000-C               Yes
VPN firewall modules          Yes
20-Gbps VPN firewall modules  Yes
Examples
# Save logs in the log file buffer into the log file.
Default command level
3: Manage level
Examples
# Clear the trap buffer.
reset trapbuffer
security-logfile save
Use security-logfile save to manually save security logs from the security log file buffer into the security log file.
Syntax
security-logfile save
Default
The system automatically saves security logs from the security log file buffer into the security log file at the interval configured by the info-center security-logfile frequency command.
Default The display of debug information is disabled on both the console and the current terminal. Views User view Default command level 1: Monitor level Usage guidelines To view debug information, execute the terminal monitor and terminal debugging commands, enable the information center (enabled by default), and use a debugging command to enable the related debugging. The configuration of this command is only valid for the current connection between the terminal and the device.
terminal monitor Use terminal monitor to enable the monitoring of system information on the current terminal. Use undo terminal monitor to disable the monitoring of system information on the current terminal. Syntax terminal monitor undo terminal monitor Default Monitoring of the system information is enabled on the console and disabled on the monitor terminal.
Usage guidelines To view the trap information, execute the terminal monitor and terminal trapping commands, and then enable the information center (enabled by default). The configuration of this command is only valid for the current connection between the terminal and the device. If a new connection is established, the display of trap information on the terminal restores the default. Examples # Enable the display of trap information on the current terminal.
Logging management commands display userlog export Use display userlog export to view the configuration and statistics for flow logs exported to the log server. Syntax display userlog export [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Field                                Description
No userlog export is enabled         Flow logs are not sent to the log server. Possible reasons are:
                                     • Exporting flow logs to the log server is not configured.
                                     • Flow logs are sent to the information center.
Export Version 1 logs to log server  Export flow log packets of version 1.0 to the log server.
Source address of exported logs      Source IP address of the flow logging packets (this field will not be displayed if the source IP address is not configured).
Default command level
2: System level
Usage guidelines
Flow logs are saved in the cache before being exported to the information center or log server. Clearing flow logs in the cache might cause loss of log information. Use this command with caution.
Examples
# Clear flow logs in the cache.
reset userlog flow logbuffer
userlog flow export host
Use the userlog flow export host command to configure the IPv4 address and UDP port number of the log server.
Examples
# Export flow logs to port 2000 on IPv4 log server 1.2.3.6.
system-view
[Sysname] userlog flow export host 1.2.3.6 2000
Related commands
userlog flow export host ipv6
userlog flow export host ipv6
Use userlog flow export host to configure the IPv6 address and UDP port number of the log server.
Use the undo userlog flow export host command to remove the configuration.
Related commands userlog flow export host userlog flow export source-ip Use userlog flow export source-ip to configure the source IP address of flow logging packets. Use undo userlog flow export source-ip to restore the default. Syntax userlog flow export source-ip ip-address undo userlog flow export source-ip Default The source IP address of flow logging packets is the IP address of the egress interface.
Parameters
None
Usage guidelines
Flow logs can be recorded in UTC or localtime:
• UTC—Coordinated Universal Time, loosely defined as current date and time of day in Greenwich, England.
• Localtime—Coordinated Universal Time (UTC) plus the UTC offset.
Examples
# Configure the system to record flow logs in localtime.
system-view
[Sysname] userlog flow export timestamps localtime
userlog flow export version
Use userlog flow export version to configure the flow logging version.
Syntax
userlog flow syslog
undo userlog flow syslog
Default
Flow logs are exported to the log server.
Views
System view
Default command level
2: System level
Usage guidelines
The two export methods of flow logs are mutually exclusive. If you configure both methods at the same time, the system automatically exports the flow logs to the information center.
Exporting flow logs to the information center occupies device storage space. Use this export method only if there is a small amount of logs.
NTP commands display ntp-service sessions Use display ntp-service sessions to display information about all NTP sessions. Syntax display ntp-service sessions [ verbose ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters verbose: Displays detailed information about all NTP sessions. If you do not specify this keyword, only brief information about the NTP sessions is displayed.
Field      Description
reference  Reference clock ID of the clock source:
           • If the reference clock is the local clock, the value of this field is related to the value of the stra field:
             ◦ When the value of the stra field is 0 or 1, this field will be LOCL.
             ◦ When the stra field has another value, this field will be the IP address of the local clock.
           • If the reference clock is the clock of another device on the network, the value of this field will be the IP address of that device.
orgtime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.71484513)
rcvtime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.7149E881)
xmttime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.71464DC2)
filter delay : 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filter offset: 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filter disper: 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.
Field       Description
local mode  Operation mode of the local device:
            • unspec—The mode is unspecified.
            • active—Active mode.
            • passive—Passive mode.
            • client—Client mode.
            • server—Server mode.
            • bdcast—Broadcast server mode.
            • control—Control query mode.
            • private—Private message mode.
local poll  Poll interval of the local device, in seconds. The value displayed is a power of 2. For example, if the displayed value is 6, the poll interval of the local device is 2^6, or 64 seconds.
Field                   Description
reftime                 Reference timestamp in the NTP message.
orgtime                 Originate timestamp in the NTP message.
rcvtime                 Receive timestamp in the NTP message.
xmttime                 Transmit timestamp in the NTP message.
filter delay            Delay information.
filter offset           Offset information.
filter disper           Dispersion information.
reference clock status  Status of the reference clock:
                        • working normally.
                        • working abnormally.
timecode                Time code.
Total associations      Total number of associations.
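The timestamps in the display ntp-service sessions verbose output carry the raw 64-bit NTP value in parentheses: eight hex digits of seconds since 00:00:00 UTC Jan 1 1900, then eight hex digits of binary fraction. The decoder below is an added example, not HP code; it cross-checks the printed time against the hex value and flags the all-zero timestamp that an unsynchronized clock reports. Function names are assumptions, and millisecond truncation is inferred from the sample values.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)   # NTP era 0 start
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# "<field>: hh:mm:ss.mmm UTC Mon d yyyy(SSSSSSSS.FFFFFFFF)"
STAMP_RE = re.compile(
    r"(?P<field>\w[\w ]*?)\s*:\s*"
    r"(?P<text>\d{2}:\d{2}:\d{2}\.\d{3} UTC [A-Z][a-z]{2}\s+\d{1,2} \d{4})"
    r"\((?P<sec>[0-9A-Fa-f]{8})\.(?P<frac>[0-9A-Fa-f]{8})\)"
)


def decode_ntp_hex(sec_hex, frac_hex):
    """Convert the 32.32 fixed-point NTP value to an aware UTC datetime.

    Assumes NTP era 0 (the 32-bit seconds field wraps in February 2036).
    """
    seconds = int(sec_hex, 16)
    micros = int(frac_hex, 16) * 1_000_000 // 2**32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def render(dt):
    """Format a datetime the way the sample output prints it.

    Milliseconds are truncated, which is an assumption that matches the
    sample values in this reference.
    """
    return (f"{dt:%H:%M:%S}.{dt.microsecond // 1000:03d} UTC "
            f"{MONTHS[dt.month - 1]} {dt.day} {dt.year}")


def check_timestamps(output):
    """Return {field: (utc_datetime, is_unset, printed_matches_hex)}."""
    results = {}
    for m in STAMP_RE.finditer(output):
        dt = decode_ntp_hex(m["sec"], m["frac"])
        printed = " ".join(m["text"].split())      # normalise spacing
        results[m["field"]] = (dt, dt == NTP_EPOCH, render(dt) == printed)
    return results


# Lines copied from the sample output in this reference.
SAMPLE = """\
orgtime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.71484513)
rcvtime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.7149E881)
xmttime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.71464DC2)
Reference time: 00:00:00.000 UTC Jan 1 1900(00000000.00000000)
"""

if __name__ == "__main__":
    for field, (dt, unset, ok) in check_timestamps(SAMPLE).items():
        state = "never set" if unset else dt.isoformat()
        print(f"{field:15} {state:35} printed/hex consistent: {ok}")
```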
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^17
Clock offset: 0.0000 ms
Root delay: 0.00 ms
Root dispersion: 0.00 ms
Peer dispersion: 0.00 ms
Reference time: 00:00:00.000 UTC Jan 1 1900(00000000.00000000)
Table 26 Command output
Field          Description
Clock status   Status of the system clock:
               • Synchronized—The system clock has been synchronized.
               • Unsynchronized—The system clock has not been synchronized.
Clock stratum  Stratum level of the system clock.
Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
Syntax
ntp-service access { peer | query | server | synchronization } acl-number
undo ntp-service access { peer | query | server | synchronization }
Default
The access-control right for the peer devices to access the NTP services of the local device is set to peer.
Views
System view
Default command level
3: Manage level
Parameters
peer: Permits full access.
Use undo ntp-service authentication enable to disable NTP authentication.
Syntax
ntp-service authentication enable
undo ntp-service authentication enable
Default
NTP authentication is disabled.
Views
System view
Default command level
3: Manage level
Examples
# Enable NTP authentication.
Usage guidelines In a security-demanding network, the NTP authentication feature should be enabled for a system running NTP. This feature enhances the network security by using the client-server key authentication, which prohibits a client from synchronizing with a device that has failed authentication. After you specify an NTP authentication key, configure the key as a trusted key by using the ntp-service reliable authentication-keyid command.
ntp-service broadcast-server Use ntp-service broadcast-server to configure the device to operate in NTP broadcast server mode and use the current interface to send NTP broadcast packets. Use undo ntp-service broadcast-server to remove the configuration. Syntax ntp-service broadcast-server [ authentication-keyid keyid | version number ] * undo ntp-service broadcast-server Default The device does not operate in any NTP operation mode.
Default command level
3: Manage level
Examples
# Disable interface GigabitEthernet 0/1 from receiving NTP messages.
system-view
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] ntp-service in-interface disable
ntp-service max-dynamic-sessions
Use ntp-service max-dynamic-sessions to set the maximum number of dynamic NTP sessions that are allowed to be established locally.
ntp-service multicast-client Use ntp-service multicast-client to configure the device to operate in NTP multicast client mode and use the current interface to receive NTP multicast packets. Use undo ntp-service multicast-client to remove the configuration. Syntax ntp-service multicast-client [ ip-address ] undo ntp-service multicast-client [ ip-address ] Default The device does not operate in any NTP operation mode.
Parameters ip-address: Multicast IP address, which defaults to 224.0.1.1. authentication-keyid keyid: Specifies the key ID to be used for sending multicast messages to multicast clients, where keyid is in the range of 1 to 4294967295. This parameter is not meaningful if authentication is not required. ttl ttl-number: Specifies the TTL of NTP multicast messages, where ttl-number is in the range of 1 to 255 and defaults to 16. version number: Specifies the NTP version.
ntp-service reliable authentication-keyid Use ntp-service reliable authentication-keyid to specify that the created authentication key is a trusted key. When NTP authentication is enabled, a client can be synchronized only to a server that can provide a trusted authentication key. Use undo ntp-service reliable authentication-keyid to remove the configuration.
Default command level 3: Manage level Parameters interface-type interface-number: Specifies an interface by its type and number. Usage guidelines If you do not want the IP address of a certain interface on the local device to become the destination address of response messages, use this command to specify the source interface for NTP messages so that the source IP address in NTP messages is the primary IP address of this interface.
source-interface interface-type interface-number: Specifies the source interface for NTP messages. In an NTP message the local device sends to its peer, the source IP address is the primary IP address of this interface. The interface-type interface-number argument represents the interface type and number. version number: Specifies the NTP version. The value range for the number argument is 1 to 4, and the default is 3.
authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the NTP server, where keyid is in the range of 1 to 4294967295. priority: Specifies this NTP server as the first choice under the same condition. source-interface interface-type interface-number: Specifies the source interface for NTP messages. In an NTP message the local device sends to the NTP server, the source IP address is the primary IP address of this interface.
RMON commands display rmon alarm Use display rmon alarm to display RMON alarm entries. Syntax display rmon alarm [ entry-number ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters entry-number: Specifies the index of an RMON alarm entry, in the range of 1 to 65535. If no entry is specified, the command displays all alarm entries. |: Filters command output by specifying a regular expression.
Table 28 Command output
Field                                             Description
AlarmEntry entry-number owned by owner is status  Status of the alarm entry entry-number created by the owner is status.
                                                  • entry-number—Alarm entry, corresponding to the MIB node alarmIndex.
                                                  • owner—Entry owner, corresponding to the MIB node alarmOwner.
                                                  • status—Entry status, corresponding to the MIB node alarmStatus.
                                                    ◦ VALID—The entry is valid.
                                                    ◦ UNDERCREATION—The entry is invalid.
Parameters entry-number: Specifies the index of an RMON event entry, in the range of 1 to 65535. If no entry is specified, the configuration of all event entries is displayed. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
display rmon eventlog
Use display rmon eventlog to display log information for the specified or all event entries.
Syntax
display rmon eventlog [ entry-number ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
entry-number: Specifies the index of an event entry, in the range of 1 to 65535.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Field: Description
VALID: Entry status:
• VALID—The entry is valid.
• UNDERCREATION—The entry is invalid.
The display rmon command can display invalid entries, but the display current-configuration and display this commands do not display their settings. Status value is stored in the MIB node eventStatus.
Generates eventLog at: Time when the log was created (time passed since the device was booted), corresponding to the MIB node logTime.
HistoryControlEntry 1 owned by null is VALID
Samples interface : GigabitEthernet0/1
Field: Description
buckets max: Maximum number of history table entries that can be saved, corresponding to the MIB node historyControlBucketsGranted. If the specified value of the buckets argument exceeds the history table size supported by the device, the supported history table size is displayed. If the current number of the entries in the table has reached the maximum number, the system will delete the earliest entry to save the latest one.
Views
Any view
Default command level
1: Monitor level
Parameters
entry-number: Specifies a private alarm entry index in the range of 1 to 65535. If no entry is specified, the configuration of all private alarm entries is displayed.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Field: Description
Rising threshold: Alarm rising threshold. An event is triggered when the sampled value is greater than or equal to this threshold.
Falling threshold: Alarm falling threshold. An event is triggered when the sampled value is less than or equal to this threshold.
linked with event: Event index associated with the private alarm.
When startup enables: How an alarm can be triggered.
This entry will exist: Lifetime of the entry, which can be forever or span the specified period.
etherStatsBroadcastPkts : 503581 , etherStatsMulticastPkts : 44013
etherStatsUndersizePkts : 0 , etherStatsOversizePkts : 0
etherStatsFragments : 0 , etherStatsJabbers : 0
etherStatsCRCAlignErrors : 0 , etherStatsCollisions : 0
etherStatsDropEvents (insufficient resources): 0
Packets received according to length:
64 : 0 , 65-127 : 0 , 128-255 : 0
256-511: 0 , 512-1023: 0 , 1024-1518: 0
Table 33 Command output
Field: Description
EtherStatsEntry: Entry of the statistics table, whic
Field: Description
etherStatsCollisions: Number of collisions received on the interface during the statistical period, corresponding to the MIB node etherStatsCollisions.
etherStatsDropEvents: Total number of drop events received on the interface during the statistical period, corresponding to the MIB node etherStatsDropEvents.
Incoming-packet statistics by packet length for the statistical period:
• 64—Number of 64-byte packets. The value is stored in the MIB node etherStatsPkts64Octets.
so on) of the etherStatsEntry entry, the instance of the leaf node (like ifInOctets, ifInUcastPkts, ifInNUcastPkts, and so on) of the ifEntry entry.
sampling-interval: Sets the sampling interval in the range of 5 to 65535 seconds.
absolute: Sets the sampling type to absolute. The system obtains the value of the variable when the sampling time is reached.
delta: Sets the sampling type to delta.
[Sysname] rmon event 1 log
[Sysname] rmon event 2 none
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] rmon statistics 1
[Sysname-GigabitEthernet0/1] quit
[Sysname] rmon alarm 1 1.3.6.1.2.1.16.1.1.1.4.1 10 absolute rising-threshold 5000 1 falling-threshold 5 2 owner user1
1.3.6.1.2.1.16.1.1.1.4 is the OID of the leaf node etherStatsOctets. It represents the incoming packet statistics in bytes for interfaces. In this example, you can use etherStatsOctets.1 to replace the parameter 1.3.
none: Performs no action when the event occurs.
trap trap-community: Trap event. The system sends a trap with a community name when the event occurs. The trap-community argument specifies the community name of the network management station that receives trap messages, a string of 1 to 127 characters.
owner text: Specifies the entry owner, a case-sensitive string of 1 to 127 characters that can contain spaces.
Usage guidelines
After an entry is created, the system periodically samples the number of packets received/sent on the interface, and saves the statistics as an instance under the leaf node of the etherHistoryEntry table. The maximum number of statistics records that can be saved for the entry is specified by buckets number. If the maximum number of statistics records for the entry has been reached, the system deletes the earliest record to save the latest one.
prialarm-des: Private alarm entry description, a string of 1 to 127 characters.
sampling-interval: Sets the sampling interval in the range of 10 to 65535 seconds.
absolute | changeratio | delta: Sets the sampling type to absolute, delta, or change ratio. Absolute sampling obtains the value of the variable when the sampling time is reached. Delta sampling obtains the variation value of the variable during the sampling interval when the sampling time is reached.
Set the lifetime of the entry to forever and owner to user1.
system-view
[Sysname] rmon event 1 log
[Sysname] rmon event 2 none
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] rmon statistics 1
[Sysname-GigabitEthernet0/1] quit
[Sysname] rmon prialarm 1 (.1.3.6.1.2.1.16.1.1.1.6.1*100/.1.3.6.1.2.1.16.1.1.1.5.1) BroadcastPktsRatioOfGE0/1 10 absolute rising-threshold 80 1 falling-threshold 5 2 entrytype forever owner user1
1.3.6.1.2.1.16.1.1.1.6.
Each RMON statistics table entry provides a set of cumulative traffic statistics collected up to the present time for an interface. Statistics include number of collisions, CRC alignment errors, number of undersize or oversize packets, number of broadcasts, number of multicasts, number of bytes received, and number of packets received. The statistics are cleared at a reboot. To display the RMON statistics table, use the display rmon statistics command.
SNMP commands
display snmp-agent community
Use display snmp-agent community to display SNMPv1 and SNMPv2c community information.
Syntax
In non-FIPS mode:
display snmp-agent community [ read | write ] [ | { begin | exclude | include } regular-expression ]
This command is not available for FIPS mode.
Views
Any view
Default command level
1: Monitor level
Parameters
read: Displays information about SNMP read-only communities.
write: Displays information about SNMP read and write communities.
Group name: testv1
Storage-type: nonVolatile
Table 34 Command output
Field: Description
Community name: Displays the community name created by using the snmp-agent community command or the username created by using the snmp-agent usm-user { v1 | v2c } command.
Group name: SNMP group name:
• If the community is created by using the snmp-agent community command, the group name is the same as the community name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
display snmp-agent local-engineid
Use display snmp-agent local-engineid to display the local SNMP engine ID.
Syntax
display snmp-agent local-engineid [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Field: Description
MIB Subtree: MIB subtree covered by the MIB view.
Subtree mask: MIB subtree mask.
Storage-type: Type of the medium where the subtree view is stored.
View Type: Access privilege for the MIB subtree in the MIB view:
• Included—All objects in the MIB subtree are accessible in the MIB view.
• Excluded—None of the objects in the MIB subtree is accessible in the MIB view.
View status: Status of the MIB view.
2 MIB objects altered successfully
7 GetRequest-PDU accepted and processed
7 GetNextRequest-PDU accepted and processed
1653 GetBulkRequest-PDU accepted and processed
1669 GetResponse-PDU accepted and processed
2 SetRequest-PDU accepted and processed
0 Trap PDUs accepted and processed
0 Alternate Response Class PDUs dropped silently
0 Forwarded Confirmed Class PDUs dropped silently
Table 37 Command output
Field: Description
Messages delivered to the SNMP entity: Number of messages that the SNMP agent has r
Field: Description
Alternate Response Class PDUs dropped silently: Number of dropped response packets.
Forwarded Confirmed Class PDUs dropped silently: Number of forwarded packets that have been dropped.
display snmp-agent sys-info
Use display snmp-agent sys-info to display the current SNMP system information.
display snmp-agent trap queue
Use display snmp-agent trap queue to display basic information about the trap queue, including the trap queue name, queue length, and number of traps in the queue.
Syntax
display snmp-agent trap queue [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Parameters
engineid engineid: Displays SNMPv3 user information for the SNMP engine ID identified by engineid. When an SNMPv3 user is created, the system records the local SNMP entity engine ID. The user becomes invalid when the engine ID changes and becomes valid again when the recorded engine ID is restored.
username user-name: Displays information about the specified SNMPv3 user. The username is case-sensitive.
group group-name: Displays SNMPv3 user information for an SNMP group.
Field: Description
Storage-type: Storage type:
• volatile.
• nonvolatile.
• permanent.
• readOnly.
• other.
For more information about these storage types, see Table 34.
UserStatus: SNMP user status.
Related commands
snmp-agent usm-user v3
enable snmp trap updown
Use enable snmp trap updown to enable link state traps on an interface.
Use undo enable snmp trap updown to disable link state traps on an interface.
snmp-agent
Use snmp-agent to enable the SNMP agent.
Use undo snmp-agent to disable the SNMP agent.
Syntax
snmp-agent
undo snmp-agent
Default
The SNMP agent is disabled.
Views
System view
Default command level
3: Manage level
Usage guidelines
The snmp-agent command is optional for an SNMP configuration task. The SNMP agent is automatically enabled when you execute any command that begins with snmp-agent except for the snmp-agent calculate-password command.
Examples
# Enable the SNMP agent.
mode: Specifies authentication and privacy algorithms. Select a mode option, depending on the authentication and privacy algorithm you are configuring with the snmp-agent usm-user v3 command. The three privacy algorithms Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), and Data Encryption Standard (DES) are in descending order of security strength. Higher security means a more complex implementation mechanism and lower speed. DES is enough to meet general requirements.
Syntax
In non-FIPS mode:
snmp-agent community { read | write } [ cipher ] community-name [ mib-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
undo snmp-agent community { read | write } [ cipher ] community-name
This command is not available for FIPS mode.
Views
System view
Default command level
3: Manage level
Parameters
read: Assigns the specified community read-only access to MIB objects. A read-only community can only query MIB information.
Examples
# Create the read-only community readaccess so an NMS can use the protocol SNMPv1 or SNMPv2c and community name readaccess to read the MIB objects in the default view ViewDefault.
system-view
[Sysname] snmp-agent sys-info version v1 v2c
[Sysname] snmp-agent community read readaccess
# Create the read and write community writeaccess so only the host at 1.1.1.1 can use the protocol SNMPv2c and community name writeaccess to read and set the MIB objects in the default view ViewDefault.
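An added example, not taken from the HP manual: a Python check that reads snmp-agent lines from a saved configuration and reports communities that have no ACL, grant write access, or fall back to the default view, following the snmp-agent community syntax above. The sample configuration is constructed, and the function names and finding labels are assumptions of this example.

```python
"""Audit SNMPv1/v2c community lines in a saved configuration (added example)."""
import re

# Constructed sample configuration. Community names, the view name, the ACL
# numbers and the ciphertext placeholder are invented for illustration.
SAMPLE_CONFIG = """\
snmp-agent sys-info version v1 v2c
snmp-agent community read readaccess
snmp-agent community write writeaccess acl 2001
snmp-agent community read cipher EXAMPLE-CIPHERTEXT mib-view restricted acl 2002
snmp-agent community write opsrw mib-view restricted
"""

# Anchored at line start so that "undo snmp-agent community ..." is ignored.
COMMUNITY_RE = re.compile(r"^snmp-agent community (read|write)\s+(.+)$")


def parse_community(line):
    """Parse one 'snmp-agent community' line into a dict, or return None.

    Syntax followed: snmp-agent community { read | write } [ cipher ]
    community-name [ mib-view view-name ]
    [ acl acl-number | acl ipv6 ipv6-acl-number ] *
    """
    match = COMMUNITY_RE.match(line.strip())
    if match is None:
        return None
    tokens = match.group(2).split()
    entry = {"access": match.group(1), "cipher": False, "name": None,
             "mib_view": None, "acl": None, "acl_ipv6": None}
    if tokens[0] == "cipher":
        entry["cipher"] = True
        tokens = tokens[1:]
    if not tokens:
        return None  # keyword present but no community name
    entry["name"] = tokens[0]
    rest = tokens[1:]
    i = 0
    while i < len(rest):
        if rest[i] == "mib-view" and i + 1 < len(rest):
            entry["mib_view"] = rest[i + 1]
            i += 2
        elif rest[i:i + 2] == ["acl", "ipv6"] and i + 2 < len(rest):
            entry["acl_ipv6"] = rest[i + 2]
            i += 3
        elif rest[i] == "acl" and i + 1 < len(rest) and rest[i + 1] != "ipv6":
            entry["acl"] = rest[i + 1]
            i += 2
        else:
            i += 1  # unrecognized token: skip it
    return entry


def audit(config):
    """Return a list of (line_number, finding) tuples for the configuration.

    Findings (labels are this example's own):
      legacy-version  SNMPv1 or SNMPv2c is enabled
      no-acl          community is usable from any source address
      write-access    community can set MIB objects
      default-view    no mib-view given, so the default view applies
    """
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        parts = line.split()
        if parts[:3] == ["snmp-agent", "sys-info", "version"]:
            if any(v in ("v1", "v2c") for v in parts[3:]):
                findings.append((lineno, "legacy-version"))
            continue
        entry = parse_community(line)
        if entry is None:
            continue
        if entry["acl"] is None and entry["acl_ipv6"] is None:
            findings.append((lineno, "no-acl"))
        if entry["access"] == "write":
            findings.append((lineno, "write-access"))
        if entry["mib_view"] is None:
            findings.append((lineno, "default-view"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

Communities stored with the cipher keyword are parsed the same way; the name field then holds the ciphertext rather than the community string.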
Views
System view
Default command level
3: Manage level
Parameters
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
v3: Specifies SNMPv3.
group-name: Specifies a group name, a string of 1 to 32 characters.
authentication: Specifies the security model of the SNMPv3 group to be authentication only (without privacy).
privacy: Specifies the security model of the SNMPv3 group to be authentication and privacy.
read-view view-name: Specifies a read-only MIB view.
snmp-agent local-engineid
Use snmp-agent local-engineid to configure the SNMP engine ID of the local SNMP agent.
Use undo snmp-agent local-engineid to restore the default local SNMP engine ID.
Syntax
snmp-agent local-engineid engineid
undo snmp-agent local-engineid
Default
The local engine ID is the combination of the company ID and the device ID. Device ID varies by product and might be an IP address, a MAC address, or a user-defined hexadecimal string.
Views
System view
Default command level
3: Manage level
Parameters
all: Enables logging SNMP GET and SET operations.
get-operation: Enables logging SNMP GET operations.
set-operation: Enables logging SNMP SET operations.
Usage guidelines
Use SNMP logging to record the SNMP operations performed on the SNMP agent for auditing NMS behaviors. The SNMP agent sends log data to the information center. You can configure the information center to output the data to a specific destination as needed.
oid-tree: Specifies a MIB subtree by its root node's OID (for example, 1.4.5.3.1) or object name (for example, system). An OID is a dotted numeric string that uniquely identifies an object in the MIB tree.
mask mask-value: Sets a MIB subtree mask, a hexadecimal string. Its length must be an even number in the range of 2 to 32. For example, you can specify 0a or aa, but not 0aa. If no subtree mask is specified, the MIB subtree mask is an all-F hexadecimal string.
Default command level
3: Manage level
Parameters
byte-count: Specifies the maximum size (in bytes) of SNMP packets that the SNMP agent can receive or send. The value range is 484 to 17940.
Usage guidelines
If any device on the path to the NMS does not support packet fragmentation, limit the SNMP packet size to prevent large-sized packets from being discarded. For most networks, the default value is sufficient.
Examples
# Set the maximum SNMP packet size to 1024 bytes.
• v3: Specifies SNMPv3.
Usage guidelines
Configure the SNMP agent with the same SNMP version as the NMS for successful communications between them. In FIPS mode, SNMPv3 is not supported.
Examples
# Configure the system contact as Dial System Operator at beeper # 27345.
ipv6 ipv6-address: Specifies the IPv6 address of the target host.
udp-port port-number: Specifies the UDP port for receiving SNMP traps. The default UDP port is 162.
vpn-instance vpn-instance-name: Specifies the VPN to which the target host belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the target host is on the public network, do not specify this option. This combination is applicable only in a network supporting IPv4.
snmp-agent trap enable
Use snmp-agent trap enable to enable traps globally.
Use undo snmp-agent trap enable to disable traps globally.
ospf: Enables SNMP traps for the OSPF module.
• process-id: OSPF process ID in the range of 1 to 65535.
• ifauthfail: Interface authentication failure traps.
• ifcfgerror: Interface configuration error traps.
• ifrxbadpkt: Traps for receiving incorrect packets.
• ifstatechange: Interface state change traps.
• iftxretransmit: Traps for packet receiving and forwarding events on interfaces.
• lsdbapproachoverflow: Traps for approaching LSDB overflow.
• lsdboverflow: LSDB overflow traps.
Usage guidelines After you globally enable a trap function for a module, whether the module generates traps also depends on the configuration of the module. For more information, see the sections for each module. To generate linkUp or linkDown traps when the link state of an interface changes, you must enable the linkUp or linkDown trap function globally by using the snmp-agent trap enable [ standard [ linkdown | linkup ] * ] command and on the interface by using the enable snmp trap updown command.
Trap 1.3.6.1.6.3.1.1.5.4: Interface 983555 is Up, ifAdminStatus is 1, ifOperStatus is 1, ifDescr is GigabitEthernet0/1, ifType is 6
• A standard linkDown trap is in the following format:
#Apr 24 11:47:35:224 2008 Sysname IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.3: Interface 983555 is Down, ifAdminStatus is 2, ifOperStatus is 2
• An extended linkDown trap is in the following format:
#Apr 24 11:42:54:314 2008 AR29.46 IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.
snmp-agent trap queue-size
Use snmp-agent trap queue-size to set the size of the trap sending queue.
Use undo snmp-agent trap queue-size to restore the default queue size.
Syntax
snmp-agent trap queue-size size
undo snmp-agent trap queue-size
Default
Up to 100 traps can be stored in the trap sending queue.
Views
System view
Default command level
3: Manage level
Parameters
size: Specifies the number of traps that can be stored in the trap sending queue. The value range is 1 to 1000.
Views
System view
Default command level
3: Manage level
Parameters
interface-type { interface-number | interface-number.subnumber }: Specifies the interface type and interface number. The interface-number argument represents the main interface number. The subnumber argument represents the subinterface number in the range of 1 to 4094.
Parameters
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
user-name: Specifies a username, a case-sensitive string of 1 to 32 characters.
group-name: Specifies a group name, a case-sensitive string of 1 to 32 characters.
acl acl-number: Specifies a basic ACL to filter NMSs by source IPv4 address. The acl-number argument represents a basic ACL number in the range of 2000 to 2999.
snmp-agent usm-user v3
Use snmp-agent usm-user v3 to add an SNMPv3 user to an SNMP group.
Use undo snmp-agent usm-user v3 to delete an SNMPv3 user from an SNMP group.
priv-password: Specifies a case-sensitive plaintext or encrypted privacy key. A plaintext key is a string of 1 to 64 characters. If the cipher keyword is specified, the encrypted privacy key length requirements differ by authentication algorithm and key string format, as shown in Table 40.
Examples # Add the user testUser to the SNMPv3 group testGroup. Configure the security model as authentication without privacy, the authentication algorithm as MD5, the plaintext key as authkey.
RSH commands
rsh
Use rsh to execute an OS command on a remote host.
Syntax
rsh host [ user username ] command remote-command
Views
User view
Default command level
0: Visit level
Parameters
host: IP address or host name of the remote host, a string of 1 to 20 characters.
user username: Specifies the username for remote login, a string of 1 to 20 characters. If you do not specify a username, the system name of the device, which can be set by using the sysname command, applies.
2001-12-07 17:28 122,880 wrshdctl.exe 2003-06-21 10:51 192,512 wrshdnt.cpl 2001-12-09 16:41 38,991 wrshdnt.hlp 2001-12-09 16:26 1,740 wrshdnt.cnt 2003-06-22 11:14 452,230 wrshdnt.htm 2003-06-23 18:18 2003-06-23 18:18 2003-06-22 11:13 2001-09-02 15:41 49,152 wrshdrdr.exe 2003-06-21 10:32 69,632 wrshdrun.exe 2004-01-02 15:54 196,608 wrshdsp.exe 2004-01-02 15:54 102,400 wrshdnt.exe 2001-07-30 18:05 766 wrshdnt.ico 2004-07-13 09:10 3,253 INSTALL.LOG 4,803 wrshdnt_header.
SSH commands
SSH server commands
display ssh server
Use the display ssh server command on an SSH server to display the SSH server status or sessions.
Syntax
display ssh server { session | status } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
session: Displays the SSH server sessions.
status: Displays the SSH server status.
|: Filters command output by specifying a regular expression.
Field: Description
SSH version: SSH protocol version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.
SSH authentication-timeout: Authentication timeout timer.
SSH server key generating interval: SSH server key pair update interval.
SSH Authentication retries: Maximum number of SSH authentication attempts.
SFTP Server: Whether the Secure FTP (SFTP) server function is enabled.
SFTP Server Idle-Timeout: SFTP connection idle timeout timer.
display ssh user-information
Use the display ssh user-information command on an SSH server to display information about SSH users.
Syntax
display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
username: Specifies an SSH username, a string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.
Field: Description
Service-type: Service type, including SFTP, Stelnet, SCP, and all. If all authentication methods are supported, this field displays all.
Related commands
ssh user
sftp server enable
Use sftp server enable to enable the SFTP server function.
Use undo sftp server enable to disable the SFTP server function.
Syntax
sftp server enable
undo sftp server enable
Default
The SFTP server function is disabled.
Default command level
3: Manage level
Parameters
time-out-value: Specifies a timeout timer in minutes, in the range of 1 to 35791.
Usage guidelines
If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection. If many SFTP connections are established, you can set a smaller value so that the connection resources can be promptly released.
Examples
# Set the idle timeout timer for SFTP user connections to 500 minutes.
Examples
# Set the maximum number of SSH connection authentication attempts to 4.
system-view
[Sysname] ssh server authentication-retries 4
Related commands
display ssh server
ssh server authentication-timeout
Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server.
Use undo ssh server authentication-timeout to restore the default.
Default
The SSH server supports SSH1 clients.
Views
System view
Default command level
3: Manage level
Usage guidelines
The configuration takes effect only on the clients at next login.
Examples
# Enable the SSH server to support SSH1 clients.
system-view
[Sysname] ssh server compatible-ssh1x enable
Related commands
display ssh server
ssh server enable
Use ssh server enable to enable the SSH server function so that the SSH clients use SSH to communicate with the server.
Use undo ssh server rekey-interval to restore the default.
Syntax
ssh server rekey-interval hours
undo ssh server rekey-interval
Default
The update interval of the RSA server key pair is 0. The system does not update the RSA server key pair.
Views
System view
Default command level
3: Manage level
Parameters
hours: Specifies an interval for updating the server key pair in hours, in the range of 1 to 24.
Usage guidelines
This command is only available to SSH users that use SSH1 client software.
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters.
service-type: Specifies the service type of an SSH user, which can be one of the following:
• all: Specifies Stelnet, SFTP, and SCP.
• scp: Specifies the service type as SCP.
• sftp: Specifies the service type as SFTP.
• stelnet: Specifies the service type of Stelnet.
authentication-type: Specifies the authentication method of an SSH user:
• password: Specifies password authentication.
method is publickey or password-publickey, the working folder is the one set by using the ssh user command.
Default command level
3: Manage level
Parameters
remote-path: Specifies a path on the server. If this argument is not specified, the command displays the current working path.
Usage guidelines
You can use the cd .. command to return to the upper-level directory. You can use the cd / command to return to the root directory of the system.
Examples
# Change the working path to new1.
sftp-client> cd new1
Current Directory is: /new1
cdup
Use cdup to return to the upper-level directory.
Parameters
remote-file&<1-10>: Specifies one or more files on the server. &<1-10> means that you can provide up to 10 filenames, which are separated by spaces.
Usage guidelines
This command functions as the remove command.
Examples
# Delete file temp.c from the server.
sftp-client> delete temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation might take a long time. Please wait...
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2
display sftp client source
Use display sftp client source to display the source IP address or source interface configured for the SFTP client.
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication. If the authentication fails, you can use this command to examine the public key of the server saved on the client.
Examples
# Display the mappings between SSH servers and their host public keys on the client.
display ssh server-info
Server Name(IP) Server public key name
______________________________________________________
192.168.0.1 abc_key01
192.168.0.
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file: Specifies the name of a file on the SFTP server.
local-file: Specifies the name for the local file. If this argument is not specified, the file will be saved locally with the same name as that on the SFTP server.
Examples
# Download file temp1.c and save it as temp.c locally.
sftp-client> get temp1.c temp.c
Remote file:/temp1.c ---> Local file: temp.
Views
SFTP client view
Default command level
3: Manage level
Parameters
-a: Displays the filenames and the folder names under a directory.
-l: Displays detailed information about the files and folders under a directory in the form of a list.
remote-path: Specifies the directory to be queried.
Usage guidelines
If the -a and -l keywords are not specified, the command displays detailed information about files and folders under a directory in the form of a list.
put
Use put to upload a local file to an SFTP server.
Syntax
put local-file [ remote-file ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
local-file: Specifies the name of a local file.
remote-file: Specifies the name for the file on an SFTP server. If this argument is not specified, the file will be saved remotely with the same name as the local one.
Examples
# Upload local file temp.c to the SFTP server and save it as temp1.c.
sftp-client> put temp.c temp1.c
Local file:temp.
Default command level
3: Manage level
Usage guidelines
This command functions as the bye and exit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> quit
Connection closed.
remove
Use remove to delete files from a remote server.
Syntax
remove remote-file&<1-10>
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file&<1-10>: Specifies one or more files on an SFTP server.
Default command level
3: Manage level
Parameters
oldname: Specifies the name of an existing file or directory.
newname: Specifies a new name for the file or directory.
Examples
# Change the name of a file on the SFTP server from temp1.c to temp2.c.
sftp-client> rename temp1.c temp2.c
File successfully renamed
rmdir
Use rmdir to delete the specified directories from an SFTP server.
Parameters
ipv6: Specifies the type of the server as IPv6. If this keyword is not specified, the server is an IPv4 server.
server: Specifies an IPv4 or IPv6 server by its address or host name. For an IPv4 server, it is a case-insensitive string of 1 to 255 characters. For an IPv6 server, it is a case-insensitive string of 1 to 255 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
get: Downloads the file.
put: Uploads the file.
Examples
# Connect to the SCP server 192.168.0.1, download the file remote.bin from the server, and save it locally to the file local.bin.
scp 192.168.0.1 get remote.bin local.bin
sftp
Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view.
• aes256: Specifies the encryption algorithm aes256-cbc.
• des: Specifies the encryption algorithm des-cbc.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96.
• md5: Specifies the HMAC algorithm hmac-md5.
• md5-96: Specifies the HMAC algorithm hmac-md5-96.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm.
sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
Input Username:
sftp client ipv6 source
Use sftp client ipv6 source to specify the source IPv6 address or source interface for the SFTP client.
Use undo sftp client ipv6 source to remove the configuration.
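An added example, not taken from the HP manual: a Python review of the algorithm preferences on an sftp command line such as the one in the sftp example above, merging explicit options with the non-FIPS defaults this reference states and reporting whether each flagged value was typed or inherited. The list of flagged values is this example's own policy, prefer-ctos-cipher is assumed to be the keyword for the client-to-server encryption preference, and the hardened command is constructed.

```python
"""Review algorithm preferences on an sftp client command line (added example)."""

# Non-FIPS defaults as stated in this reference. prefer-ctos-cipher has no
# entry because its non-FIPS default is not visible in this section.
DEFAULTS = {
    "identity-key": "dsa",
    "prefer-ctos-hmac": "sha1-96",
    "prefer-kex": "dh-group-exchange",
    "prefer-stoc-cipher": "aes128",
    "prefer-stoc-hmac": "sha1-96",
}

# Option keywords that take one value. prefer-ctos-cipher is an assumption
# (see the lead-in); the others appear in this reference.
OPTIONS = set(DEFAULTS) | {"prefer-ctos-cipher"}

# Review policy of this example, not an HP recommendation.
REASONS = {
    "dsa": "FIPS mode allows only rsa for publickey authentication",
    "dh-group1": "fixed 1024-bit Diffie-Hellman group",
    "des": "des-cbc, the weakest of the listed ciphers",
    "md5": "MD5-based HMAC",
    "md5-96": "MD5-based HMAC truncated to 96 bits",
}

# Command taken from the example in this reference.
PAGE_COMMAND = ("sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 "
                "prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96")

# Constructed command that overrides every flagged value.
HARDENED_COMMAND = ("sftp 10.1.1.2 identity-key rsa prefer-ctos-cipher aes256 "
                    "prefer-ctos-hmac sha1 prefer-kex dh-group-exchange "
                    "prefer-stoc-cipher aes256 prefer-stoc-hmac sha1")


def parse_client_command(command):
    """Return the options given explicitly on an sftp command line."""
    tokens = command.split()
    if not tokens or tokens[0] != "sftp":
        raise ValueError("expected an sftp command line")
    explicit = {}
    i = 1
    while i < len(tokens):
        if tokens[i] in OPTIONS and i + 1 < len(tokens):
            explicit[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1  # server, port number and other keywords are skipped
    return explicit


def review(command):
    """Return (option, value, source) for each flagged effective setting.

    source is "explicit" when the value was typed on the command line and
    "default" when it was inherited from DEFAULTS.
    """
    explicit = parse_client_command(command)
    effective = {**DEFAULTS, **explicit}
    findings = []
    for option in sorted(effective):
        value = effective[option]
        if value in REASONS:
            source = "explicit" if option in explicit else "default"
            findings.append((option, value, source))
    return findings


if __name__ == "__main__":
    for option, value, source in review(PAGE_COMMAND):
        print(f"{option} {value} ({source}): {REASONS[value]}")
```

The default entry for identity-key shows that a command line with no weak keyword typed on it can still end up using dsa in non-FIPS mode.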
Default
An SFTP client uses the IP address of the interface specified by the route of the device to access the SFTP server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ip ip-address: Specifies a source IPv4 address.
Parameters
server: Specifies an IPv6 server by its address or host name, a case-insensitive string of 1 to 46 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the VPN to which the server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
• The preferred client-to-server HMAC algorithm is sha1-96.
• The preferred key exchange algorithm is dh-group-exchange.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred server-to-client HMAC algorithm is sha1-96.
In FIPS mode, the default algorithms are as follows:
• The public key algorithm is rsa.
• The preferred client-to-server encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is sha1-96.
Usage guidelines
If the client does not support first-time authentication, it will reject unauthenticated servers. In this case, you need to configure the public keys of the servers and specify the mappings between public keys and servers on the client, so that the client uses the correct public key of a server to authenticate the server.
The specified host public key of the server must already exist.
Examples
# Configure the public key of the server at 192.168.0.1 to be key1.
ssh client ipv6 source
Use ssh client ipv6 source to specify the source IPv6 address or source interface for the Stelnet client.
Use undo ssh client ipv6 source to remove the configuration.
Syntax
ssh client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }
undo ssh client ipv6 source
Default
An Stelnet client uses the IPv6 address of the interface specified by the route of the device to access the Stelnet server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, HP recommends that you specify a loopback interface or dialer interface as the source interface.
port-number: Port number of the server, in the range of 0 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the VPN to which the server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
identity-key: Specifies the algorithm for publickey authentication. In non-FIPS mode, the algorithm is either dsa or rsa and the default is dsa. In FIPS mode, the algorithm is rsa.
• The preferred server-to-client HMAC algorithm is sha1-96.
In FIPS mode, the default algorithms are as follows:
• The public key algorithm is rsa.
• The preferred client-to-server encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is sha1-96.
• The preferred key exchange algorithm is dh-group14.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred server-to-client HMAC algorithm is sha1-96.
Examples
# Log in to Stelnet server 10.214.50.
vpn-instance vpn-instance-name: Specifies the VPN to which the server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
identity-key: Specifies the algorithm for publickey authentication. In non-FIPS mode, the algorithm is either dsa or rsa and the default is dsa. In FIPS mode, the algorithm is rsa.
• dsa: Specifies the public key algorithm dsa.
• rsa: Specifies the public key algorithm rsa.
In FIPS mode, the default algorithms are as follows:
• The public key algorithm is rsa.
• The preferred client-to-server encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is sha1-96.
• The preferred key exchange algorithm is dh-group14.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred server-to-client HMAC algorithm is sha1-96.
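The sftp example in this chapter selects dh-group1 and md5, both of which differ from the FIPS-mode defaults listed above. The following Python sketch is an added example, not HP's code: it audits a client command line and rewrites explicit weak choices to the FIPS-mode defaults. The function names are hypothetical, prefer-ctos-cipher is the Comware keyword for the client-to-server cipher (this excerpt gives only its FIPS default), and the reasons in WEAK are general cryptographic guidance rather than statements from this reference.

```python
"""Audit Comware sftp/Stelnet client commands for weak algorithm choices."""

# Keywords that select algorithms on the client command line.
OPTIONS = (
    "identity-key", "prefer-ctos-cipher", "prefer-stoc-cipher",
    "prefer-ctos-hmac", "prefer-stoc-hmac", "prefer-kex",
)

# Non-FIPS defaults as far as this excerpt states them. The client-to-server
# cipher default is not shown in the excerpt, so it is deliberately left out.
NON_FIPS_DEFAULTS = {
    "identity-key": "dsa",
    "prefer-stoc-cipher": "aes128",
    "prefer-ctos-hmac": "sha1-96",
    "prefer-stoc-hmac": "sha1-96",
    "prefer-kex": "dh-group-exchange",
}

# FIPS-mode defaults listed in the reference.
FIPS_DEFAULTS = {
    "identity-key": "rsa",
    "prefer-ctos-cipher": "aes128",
    "prefer-stoc-cipher": "aes128",
    "prefer-ctos-hmac": "sha1-96",
    "prefer-stoc-hmac": "sha1-96",
    "prefer-kex": "dh-group14",
}

# Assumption of this example: reasons are general guidance, except for dsa,
# where the reference itself says FIPS mode uses rsa only.
WEAK = {
    "dsa": "not available in FIPS mode, where identity-key is rsa",
    "des": "des-cbc uses a 56-bit key",
    "md5": "hmac-md5 relies on MD5",
    "md5-96": "hmac-md5-96 relies on MD5, truncated to 96 bits",
    "dh-group1": "diffie-hellman-group1 uses a 1024-bit modulus",
}


def parse_options(command):
    """Return the algorithm keywords given explicitly on the command line."""
    tokens = command.split()
    return {
        tokens[i]: tokens[i + 1]
        for i in range(len(tokens) - 1)
        if tokens[i] in OPTIONS
    }


def audit(command):
    """List (option, value, source, reason) for every weak effective value.

    source is "explicit" when the value is on the command line and "default"
    when it comes from the non-FIPS default stated in the reference.
    """
    explicit = parse_options(command)
    findings = []
    for option in OPTIONS:
        value = explicit.get(option, NON_FIPS_DEFAULTS.get(option))
        if value is None:          # default not stated in this excerpt
            continue
        source = "explicit" if option in explicit else "default"
        if value in WEAK:
            findings.append((option, value, source, WEAK[value]))
    return findings


def harden(command):
    """Replace explicitly chosen weak values with the FIPS-mode default."""
    tokens = command.split()
    for i in range(len(tokens) - 1):
        if tokens[i] in OPTIONS and tokens[i + 1] in WEAK:
            tokens[i + 1] = FIPS_DEFAULTS[tokens[i]]
    return " ".join(tokens)


if __name__ == "__main__":
    # Command line taken from the sftp example in this reference.
    cmd = ("sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 "
           "prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96")
    for option, value, source, reason in audit(cmd):
        print(f"{option} {value} ({source}): {reason}")
    print("suggested:", harden(cmd))
```

Because the non-FIPS default for identity-key is dsa, the audit reports it even when the keyword is absent; harden changes only values that were typed explicitly.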
VD commands

allocate interface
Use allocate interface to assign a Layer 3 interface to a VD.
Use undo allocate interface to reclaim a Layer 3 interface assigned to a VD.
Syntax
allocate interface interface-type interface-number
undo allocate interface interface-type interface-number
Default
All Layer 3 interfaces belong to the default VD. A non-default VD can use any Layer 2 interface in the system but can use no Layer 3 interface.
undo allocate vlan vlan-list
Default
All VLANs belong to the default VD, and a non-default VD has no VLAN to use.
Views
VD view
Default command level
2: System level
Parameters
vlan vlan-list: Specifies the VLANs to be assigned to the VD. The vlan-list argument must be in the form { vlan-id1 [ to vlan-id2 ] }&<1-10>, where vlan-id1 and vlan-id2 are the IDs of two existing VLANs in the range 1 to 4094 and vlan-id2 must be greater than vlan-id1.
Parameters
max-entries: Specifies the maximum number of sessions that can be set up on a non-default VD.
Default command level
2: System level
Parameters
max-entries: Specifies the maximum number of concurrent sessions that can be set up on a VD.
Default command level
2: System level
Parameters
vd-name: Specifies the VD name, a case-insensitive string of 1 to 20 characters.
Usage guidelines
To return from a VD system view to the system view of the default VD, use the quit command.
Examples
# Enter the system view of existing VD test.
system-view
[Sysname] switchto vd test
[Sysname-vsys-test]
# Return to system view.
Hardware    Value range
F1000-A-EI/F1000-S-EI    F1000-A-EI: 1 to 128; F1000-S-EI: 1 to 64
F1000-E    1 to 256
F5000    1 to 256
F5000-S/F5000-C    1 to 256
VPN firewall modules    1 to 256
20-Gbps VPN firewall modules    1 to 1024
Usage guidelines
You cannot delete the default VD, or change its name or ID.
When creating a VD on a device, you must specify a VD name and a VD ID that are respectively unique on the device.
FTP commands
NOTE: FTP configuration commands are not supported in FIPS mode.

FTP server commands

display ftp-server
Use display ftp-server to display the FTP server configuration and status information.
Syntax
display ftp-server [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
3: Manage level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide.
Field    Description
User count    Number of the current login users.
Timeout value (in minute)    Allowed idle time of an FTP connection. If there is no packet exchange between the FTP server and client during this period, the FTP connection will be broken.
Put Method    File update method of the FTP server, fast or normal.
Related commands
• ftp server enable
• ftp timeout
• ftp update

display ftp-user
Use display ftp-user to display the detailed information of current FTP users.
Table 46 Command output
Field    Description
UserName    Name of the user.
HostIP    IP address of the user.
Port    Port number of the user.
Idle    Duration time of the current FTP connection in minutes.
HomeDir    Authorized directory for the user.

free ftp user
Use free ftp user to manually release the FTP connection established by using a specific user account.
Syntax
free ftp user username
Views
User view
Default command level
3: Manage level
Parameters
username: Username.
Views
System view
Default command level
3: Manage level
Parameters
acl-number: Basic ACL number in the range of 2000 to 2999.
Usage guidelines
You can use this command to permit FTP requests from specific FTP clients only. This configuration takes effect for FTP connections to be established only, and does not impact existing FTP connections. If you execute the command multiple times, the most recently specified ACL takes effect.
Examples
# Use ACL 2001 to allow only the client 1.1.1.
Use undo ftp timeout to restore the default.
Syntax
ftp timeout minute
undo ftp timeout
Default
The FTP idle-timeout timer is 30 minutes.
Views
System view
Default command level
3: Manage level
Parameters
minute: Idle-timeout time in the range of 1 to 35791 minutes.
Usage guidelines
If no packet is exchanged on an FTP connection within the idle-timeout time, the FTP connection is broken.
Examples
# Set the idle-timeout timer to 36 minutes.
Examples
# Set the FTP update mode to normal.
system-view
[Sysname] ftp update normal
[Sysname]

FTP client commands
Before executing FTP client configuration commands, make sure you have made correct authority configurations for users on the FTP server. Authorized operations include viewing the files under the current directory, reading or downloading the specified files, creating directories or uploading files, and renaming or removing files.
The prompt information in the following examples varies with FTP server types.
binary
Use binary to set the file transfer mode to binary, which is also called the "flow mode".
Syntax
binary
Default
The transfer mode is ASCII mode.
Views
FTP client view
Default command level
3: Manage level
Examples
# Set the file transfer mode to binary.
[ftp] binary
200 Type set to I.
[ftp]
Related commands
ascii

bye
Use bye to disconnect from the remote FTP server and return to user view.
• disconnect
• quit

cd
Use cd to change the current working directory to another directory on the FTP server.
Syntax
cd { directory | .. | / }
Views
FTP client view
Default command level
3: Manage level
Parameters
directory: Name of the target directory, in the format [drive:][/]path, where drive represents the storage medium name. If the target directory does not exist, the cd command does not change the current working directory.
cdup
Use cdup to enter the upper directory of the FTP server.
Syntax
cdup
Views
FTP client view
Default command level
3: Manage level
Usage guidelines
This command does not change the working directory if the current directory is the FTP root directory.
Examples
# Change the working directory to the upper directory.
[ftp] pwd
257 "/ftp/subdir" is current directory.
[ftp] cdup
200 CDUP command successful.
[ftp] pwd
257 "/ftp" is current directory.
[ftp]

debugging
Use debugging to enable FTP client debugging.
Use undo debugging to disable FTP client debugging.
Syntax
debugging
undo debugging
Default
FTP client debugging is disabled.
Views
FTP client view
Default command level
1: Monitor level
Examples
# The device serves as the FTP client. Enable FTP client debugging and use the active mode to download file sample.file from the current directory of the FTP server.
terminal monitor
terminal debugging
ftp 192.168.1.
FTPC: File transfer started with the signal light turned on.
FTPC: File transfer completed with the signal light turned off.
.226 Transfer complete.
FTP: 3304 byte(s) received in 4.889 second(s), 675.00 byte(s)/sec.
[ftp]
Table 47 Command output
Field    Description
---> PORT 192,168,1,44,4,21    FTP command. 192,168,1,44 specifies the destination IP address, and 4,21 is used to calculate the data port number by using the formula 4*256+21.
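The PORT row above encodes the data-connection endpoint as six decimal fields, and the 227 reply in the ls example of this reference uses the same encoding for passive mode. The following Python sketch is an added example, not part of the HP reference: it decodes both forms and flags endpoints worth a second look when reading debugging output or writing firewall rules. The function names, the peer-address and well-known-port checks, and the last sample line are constructed for illustration.

```python
"""Decode FTP data endpoints from PORT commands and 227 replies."""
import re
from typing import List, NamedTuple, Optional, Tuple


class DataEndpoint(NamedTuple):
    kind: str   # "active" (PORT sent by the client) or "passive" (227 reply)
    host: str   # dotted-quad address built from the first four fields
    port: int   # p1*256 + p2, the formula given in Table 47


_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_RE = re.compile(r"\bPORT\s+" + _SIX + r"$")
_PASV_RE = re.compile(r"^227\b.*\(" + _SIX + r"\)")


def _decode(fields) -> Tuple[str, int]:
    """Turn h1,h2,h3,h4,p1,p2 into (address, port); reject values above 255."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range 0-255: " + ",".join(fields))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_line(line: str) -> Optional[DataEndpoint]:
    """Return the data endpoint announced on this line, or None."""
    text = line.strip()
    match = _PORT_RE.search(text)
    if match:
        return DataEndpoint("active", *_decode(match.groups()))
    match = _PASV_RE.search(text)
    if match:
        return DataEndpoint("passive", *_decode(match.groups()))
    return None


def review(lines: List[str], client_ip: str, server_ip: str):
    """Return (line number, message) for endpoints that look unusual.

    In active mode the address should be the client's own; in passive mode
    it should be the server's. Both checks are additions of this example.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        try:
            endpoint = parse_line(line)
        except ValueError as exc:
            findings.append((number, f"malformed endpoint: {exc}"))
            continue
        if endpoint is None:
            continue
        expected = client_ip if endpoint.kind == "active" else server_ip
        if endpoint.host != expected:
            findings.append((number, f"{endpoint.kind} data address "
                             f"{endpoint.host} is not the peer {expected}"))
        if endpoint.port < 1024:
            findings.append((number, f"{endpoint.kind} data port "
                             f"{endpoint.port} is in the well-known range"))
    return findings


# Sample lines: the first and third use values printed in this reference,
# the last one is constructed to trigger both checks.
SAMPLE_LOG = [
    "---> PORT 192,168,1,44,4,21",
    "200 Port command okay.",
    "227 Entering Passive Mode (192,168,1,50,10,49).",
    "---> PORT 10,0,0,9,0,22",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(entry, "->", parse_line(entry))
    for number, message in review(SAMPLE_LOG, "192.168.1.44", "192.168.1.50"):
        print(f"line {number}: {message}")
```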
dir
Use dir to display detailed information about the files and subdirectories under the current directory on the FTP server.
Use dir remotefile to display detailed information about a specific file or directory on the FTP server.
Use dir remotefile localfile to save detailed information about a specific file or directory on the FTP server to a local file.
[ftp] quit
more aa.txt
-rwxrwxrwx 1 noone nogroup 3077 Jun 20 15:34 router.cfg

disconnect
Use disconnect to disconnect from the remote FTP server but remain in FTP client view.
Syntax
disconnect
Views
FTP client view
Default command level
3: Manage level
Usage guidelines
This command is equal to the close command.
Examples
# Disconnect from the remote FTP server but remain in FTP client view.
[ftp] disconnect
221 Server closing.
Examples
# Display the source IP address configuration of the FTP client.
display ftp client configuration
The source IP address is 192.168.0.123
Related commands
ftp client source

ftp
Use ftp to log in to an IPv4 FTP server and enter FTP client view.
Connected to 192.168.0.211.
220 FTP Server ready.
User(192.168.0.211:(none)):abc
331 Password required for abc
Password:
230 User logged in.
[ftp]

ftp client source
Use ftp client source to specify a source IP address for outgoing FTP packets.
Use undo ftp client source to restore the default.
Syntax
ftp client source { interface interface-type interface-number | ip source-ip-address }
undo ftp client source
Default
The primary IP address of the output interface is used as the source IP address.
# Use the primary IP address of interface GigabitEthernet 0/1 as the source IP address for outgoing FTP packets.
system-view
[Sysname] ftp client source interface gigabitethernet 0/1
[Sysname]
Related commands
display ftp client configuration

ftp ipv6
Use ftp ipv6 to log in to an IPv6 FTP server and enter FTP client view.
User(3000::200:(none)): MY_NAME
331 Please specify the password.
Password:
230 Login successful.
[ftp]
# Log in to the FTP server at 3000::200 in VPN 1.
ftp ipv6 3000::200 vpn-instance vpn1
Trying 3000::200 ...
Press CTRL+K to abort
Connected to 3000::200.
220 Welcome!
User(3000::200:(none)): MY_NAME
331 Please specify the password.
Password:
230 Login successful.
[ftp]

get
Use get to download a file from the FTP server and save it.
Views
FTP client view
Default command level
3: Manage level
Examples
# Display the local working directory.
[ftp] lcd
FTP: Local directory now cfa0:/clienttemp.
The output shows that the working directory of the FTP client before execution of the ftp command is cfa0:/clienttemp.

ls
Use ls to list files and subdirectories in the current directory of the FTP server.
Use ls remotefile to list files under a specific subdirectory or verify the existence of a file in the current directory of the FTP server.
bb.cfg
testcfg.cfg
226 Transfer complete.
FTP: 87 byte(s) received in 0.132 second(s) 659.00 byte(s)/sec.
# List all files in subdirectory logfile.
[ftp] ls logfile
227 Entering Passive Mode (192,168,1,50,10,49).
125 ASCII mode data connection already open, transfer starting for /logfile/*.
logfile.log
a.cfg
226 Transfer complete.
FTP: 20 byte(s) received in 0.075 second(s), 266.00 byte(s)/sec. .
# Save the names of all files in subdirectory logfile to file aa.txt.
[ftp] ls logfile aa.
[ftp] mkdir mytest
257 "/mytest" new directory created.
[ftp]

open
Use open to log in to the IPv4 FTP server under FTP client view.
Syntax
open server-address [ service-port ]
Views
FTP client view
Default command level
3: Manage level
Parameters
server-address: IP address or host name of a remote FTP server.
service-port: Port number of the remote FTP server, in the range of 0 to 65535. The default value is 21.
Usage guidelines
At login, enter the username and password.
Syntax
open ipv6 server-address [ service-port ] [ -i interface-type interface-number ]
Views
FTP client view
Default command level
3: Manage level
Parameters
server-address: IP address or host name of the remote FTP server.
service-port: Port number of the remote FTP server, in the range of 0 to 65535. The default value is 21.
-i interface-type interface-number: Specifies an output interface by its type and number.
Views
FTP client view
Default command level
3: Manage level
Usage guidelines
FTP can operate in either of the following modes:
• Active mode—The FTP server initiates the TCP connection.
• Passive mode—The FTP client initiates the TCP connection.
Examples
# Set the FTP operation mode to passive.
[ftp] passive
FTP: passive is on
[ftp]

put
Use put to upload a file on the client to the remote FTP server.
pwd
Use pwd to display the currently accessed directory on the remote FTP server.
Syntax
pwd
Views
FTP client view
Default command level
3: Manage level
Examples
# Display the currently accessed directory on the remote FTP server.
[ftp] cd servertemp
[ftp] pwd
257 "/servertemp" is current directory.
The output shows that the servertemp folder in the FTP root directory is being accessed by the user.

quit
Use quit to disconnect the FTP client from the remote FTP server and exit to user view.
Default command level
3: Manage level
Parameters
protocol-command: FTP command.
Usage guidelines
If no argument is specified, FTP-related commands supported by the remote FTP server are displayed.
Examples
# Display FTP commands supported by the remote FTP server.
[ftp] remotehelp
214-Here is a list of available ftp commands
Those with '*' are not yet implemented.
Field    Description
APPE*    Appended file.
ALLO*    Allocation space.
REST*    Restart.
RNFR*    Rename the source.
RNTO*    Rename the destination.
ABOR*    Abort the transmission.
DELE    Delete a file.
RMD    Delete a folder.
MKD    Create a folder.
PWD    Print working directory.
LIST    List files.
NLST    List file description.
SITE*    Locate a parameter.
SYST    Display system parameters.
STAT*    State.
HELP    Help.
NOOP*    No operation.
XCUP    Extension command, the same meaning as CDUP.
Usage guidelines
Only authorized users are allowed to use this command.
Delete all files and subdirectories under a directory before you delete the directory. For information about how to delete files, see the delete command.
When you execute the rmdir command, the files in the remote recycle bin in the directory will be automatically deleted.
Examples
# Delete the temp1 directory from the FTP root directory.
[ftp] rmdir /temp1
200 RMD command successful.
331 Password required for ftp.
230 User logged in.
[ftp]

verbose
Use verbose to enable display of detailed prompt information received from the server.
Use undo verbose to disable display of detailed prompt information.
Syntax
verbose
undo verbose
Default
The display of detailed prompt information is enabled.
Views
FTP client view
Default command level
3: Manage level
Examples
# Enable display of detailed prompt information.
TFTP commands
NOTE: TFTP configuration commands are not supported in FIPS mode.

display tftp client configuration
Use display tftp client configuration to display source IP address configuration of the TFTP client.
Syntax
display tftp client configuration [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression.
Syntax
tftp-server [ ipv6 ] acl acl-number
undo tftp-server [ ipv6 ] acl
Default
No ACL is used to control the device's access to a TFTP server.
Views
System view
Default command level
3: Manage level
Parameters
ipv6: References an IPv6 ACL. If it is not specified, an IPv4 ACL is referenced.
acl-number: Number of a basic ACL, in the range of 2000 to 2999.
Usage guidelines
You can use an ACL to deny or permit the device's access to a specific TFTP server.
Default command level
3: Manage level
Parameters
server-address: IP address or host name of a TFTP server.
get: Downloads a file in normal mode.
put: Uploads a file.
sget: Downloads a file in secure mode.
source-filename: Source file name.
destination-filename: Destination file name. If this argument is not specified, the file uses the source file name, and is saved in the directory where the user performed the TFTP operation.
vpn-instance vpn-instance-name: Specifies the VPN where the TFTP server belongs.
Syntax
tftp client source { interface interface-type interface-number | ip source-ip-address }
undo tftp client source
Default
The primary IP address of the output interface is used as the source IP address for outgoing TFTP packets.
Views
System view
Default command level
2: System level
Parameters
interface interface-type interface-number: Specifies a source interface for outgoing TFTP packets.
ip source-ip-address: Specifies a source IP address for outgoing TFTP packets.
Syntax
tftp ipv6 tftp-ipv6-server [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ] [ vpn-instance vpn-instance-name ]
Views
User view
Default command level
3: Manage level
Parameters
tftp-ipv6-server: IPv6 address or host name of a TFTP server, a string of 1 to 46 characters.
-i interface-type interface-number: Specifies an output interface by its type and number.
CWMP commands
The following matrix shows the CWMP feature and hardware compatibility:
Hardware    Compatibility
F1000-A-EI/F1000-S-EI    Yes
F1000-E    No
F5000    No
F5000-S/F5000-C    No
VPN firewall modules    No
20-Gbps VPN firewall modules    No

cwmp
Use cwmp to enter CWMP view.
Syntax
cwmp
Views
System view
Default command level
2: System level
Examples
# Enter CWMP view.
Default command level
2: System level
Parameters
cipher: Specifies a ciphertext password.
simple: Specifies a plaintext password.
password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 255 characters. If cipher is specified, it must be a ciphertext string of 1 to 373 characters. If neither cipher nor simple is specified, you set a plaintext password string.
Examples
# Specify the ACS URL http://www.acs.com:80/acs.
system
[Sysname] cwmp
[Sysname-cwmp] cwmp acs url http://www.acs.com:80/acs

cwmp acs username
Use cwmp acs username to configure the username used for connecting to the ACS.
Use undo cwmp acs username to restore the default.
Syntax
cwmp acs username username
undo cwmp acs username
Default
No username is configured for connecting to the ACS.
Syntax
cwmp cpe connect retry times
undo cwmp cpe connect retry
Default
No limit is set on the maximum number of connection attempts. The CPE regularly attempts to connect to the ACS until the connection is set up.
Views
CWMP view
Default command level
2: System level
Parameters
times: Specifies the maximum number of attempts made to retry a connection. The value range is 0 to 100. 0 indicates that no attempt is made to retry a connection.
cwmp cpe inform interval
Use cwmp cpe inform interval to configure the interval at which the CPE sends Inform messages.
Use undo cwmp cpe inform interval to restore the default.
Syntax
cwmp cpe inform interval seconds
undo cwmp cpe inform interval
Default
The Inform message sending interval is 600 seconds.
Views
CWMP view
Default command level
2: System level
Parameters
seconds: Sets the Inform message sending interval in the range of 10 to 86400 seconds.
cwmp cpe inform time
Use cwmp cpe inform time to configure the CPE to send an Inform message at a specified time.
Use undo cwmp cpe inform time to restore the default.
Syntax
cwmp cpe inform time time
undo cwmp cpe inform time
Default
The CPE is not configured to send an Inform message at a specific time.
Views
CWMP view
Default command level
2: System level
Parameters
time: Time at which the CPE sends an Inform message.
simple: Specifies a plaintext password.
password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 255 characters. If cipher is specified, it must be a ciphertext string of 1 to 373 characters. If neither cipher nor simple is specified, you set a plaintext password string.
Usage guidelines
Make sure the CPE username and password are the same as configured on the ACS. If not, the ACS cannot establish a CWMP connection to the CPE.
Examples
# Configure the username used for connecting to the CPE as newname.
system
[Sysname] cwmp
[Sysname-cwmp] cwmp cpe username newname
Related commands
cwmp cpe password

cwmp cpe wait timeout
Use cwmp cpe wait timeout to configure the close-wait timer for the CPE to close the idle connection to ACS.
Use undo cwmp cpe wait timeout to restore the default.
Syntax
cwmp cpe wait timeout seconds
undo cwmp cpe wait timeout
Default
The CPE close-wait timer is 30 seconds.
undo cwmp device-type
Default
The device works in gateway mode.
View
CWMP view
Default level
2: System level
Parameters
device: Sets the device to operate in device mode. Use this keyword if no lower-level CPEs attach to the device.
gateway: Sets the device to operate in gateway mode. If the device is the egress to the WAN and has CPEs attached to it, use this keyword to enable the ACS to manage the device and all the attached CPEs.
Examples
# Configure the device to operate in gateway mode.
display cwmp configuration
Use display cwmp configuration to display the current CWMP configuration.
Syntax
display cwmp configuration [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Field    Description
Wait timeout    Close-wait timer. It sets how long the connection to the ACS can be idle before it is shut down. If no data has been transmitted over the connection before the timer expires, the CPE disconnects the connection to the ACS.
Reconnection times    Number of attempts the CPE can make to retry a connection.
Source IP interface    Interface connecting to the ACS on the CPE. You can set this interface with the cwmp cpe connect interface command.
Table 50 Command output
Field    Description
ACS URL    URL of the ACS. It is displayed as null if not configured.
ACS information is set by    Mode through which CWMP gets the ACS URL. It is displayed as null if ACS URL is not configured.
    • user—The ACS URL is configured through CLI.
    • config file—The ACS URL is configured through ACS.
    • DHCP—The ACS URL is configured through DHCP.
ACS username    Authentication username for connecting to the ACS. It is displayed as null if not configured.
Usage guidelines
CWMP uses HTTP or HTTPS for data transmission. If the ACS uses HTTPS for secure access, its URL begins with https://. You must configure an SSL client policy for the CPE to authenticate the ACS for establishing an HTTPS connection.
Examples
# Specify the SSL client policy test for ACS authentication.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention    Description
Boldface    Bold text represents commands and keywords that you enter literally as shown.
Italic    Italic text represents arguments that you replace with actual values.
[]    Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }    Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.