Fundamentals
Configuration Guide
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C S7500E documentation set includes 12 configuration guides, which describe the software
features for the H3C S7500E Series Ethernet Switches and guide you through the software
configuration procedures. These configuration guides also provide configuration examples to help you
apply software features to different network scenarios.
The Fundamentals Configuration Guide describes how to configure the command line interface (CLI),
log in to the switch, perform file management, configuration file management, and device management
for your switch, upgrade the software, and perform automatic configuration.
This preface includes:
• Audience
• Document Organization
• Conventions
• About the H3C S7500E Documentation Set
• Obtaining Documentation
• Documentation Feedback
Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the S7500E series
Document Organization
The Fundamentals Configuration Guide comprises these parts:
• CLI Configuration
• Login Methods
• CLI Login
• NMS Login
• User Login Control
• FTP Configuration
• TFTP Configuration
• File Management Configuration
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention    Description
Boldface    Bold text represents commands and keywords that you enter literally as shown.
italic    Italic text represents arguments that you replace with actual values.
&<1-n>    The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
GUI conventions
Convention    Description
<>    Button names are inside angle brackets. For example, click <OK>.
[]    Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
Symbols
Convention Description
Means reader be careful. Improper operation may cause data loss or damage to
equipment.
Category    Documents    Purposes
Software configuration    Command references    Provide a quick reference to all available commands.
Power configuration    H3C PSR320-A[PSR320-D] Power Module User Manual    Describes the appearance, specifications, LEDs, and installation and removal of the H3C PSR320-A/PSR320-D power module.
Power configuration    H3C PSR650-A[PSR650-D] Power Module User Manual    Describes the appearance, specifications, LEDs, and installation and removal of the H3C PSR650-A/PSR650-D power module.
Power configuration    H3C PSR1400-A[PSR1400-D] Power Module User Manual    Describes the appearance, specifications, LEDs, and installation and removal of the H3C PSR1400-A/PSR1400-D power module.
Power configuration    H3C PSR2800-ACV Power Module User Manual    Describes the appearance, specifications, LEDs, and installation and removal of the H3C PSR2800-ACV power module.
Power configuration    H3C PWR-SPA Power Module Adapter User Manual    Describes the functions and appearance of the H3C PWR-SPA power module adapter, and how to use it with the PSR650 power module.
Optional cards    Card manuals    The S7500E series Ethernet switches support various card models. Each model is provided with a card manual that describes:
    • The type, number, and transmission rate of interfaces
    • Applicable switches of the card
    • Required software version
    • Pluggable modules supported by the card
Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at
http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, and
software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with
the software version.
Documentation Feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Table of Contents
Login Procedure
Console Login Authentication Modes
Configuring None Authentication for Console Login
Configuring Password Authentication for Console Login
Configuring Scheme Authentication for Console Login
Configuring Common Settings for Console Login (Optional)
Logging In Through Telnet
Introduction
Telnet Login Authentication Modes
Configuring None Authentication for Telnet Login
Configuring Password Authentication for Telnet Login
Configuring Scheme Authentication for Telnet Login
Configuring Common Settings for VTY User Interfaces (Optional)
Configuring the Device to Log In to Another Device as a Telnet Client
Logging In Through SSH
Introduction
Configuring the SSH Server
Configuring the SSH Client to Log In to the SSH Server
Logging In Through Modems
Introduction
Configuration Requirements
Login Procedure
Modem Login Authentication Modes
Configuring None Authentication for Modem Login
Configuring Password Authentication for Modem Login
Configuring Scheme Authentication for Modem Login
Configuring Common Settings for Modem Login (Optional)
Displaying and Maintaining CLI Login
6 FTP Configuration
FTP Overview
Introduction to FTP
Operation of FTP
Configuring the FTP Client
Establishing an FTP Connection
Operating the Directories on an FTP Server
Operating the Files on an FTP Server
Using Another Username to Log In to an FTP Server
Maintaining and Debugging an FTP Connection
Terminating an FTP Connection
FTP Client Configuration Example (Distributed Device)
FTP Client Configuration Example (Distributed IRF Device)
Configuring the FTP Server
Configuring FTP Server Operating Parameters
Configuring Authentication and Authorization on the FTP Server
FTP Server Configuration Example (Distributed Device)
FTP Server Configuration Example (Distributed IRF Device)
Displaying and Maintaining FTP
Emptying the Recycle Bin
Batch Operations
Storage Medium Operations
Managing the Space of a Storage Medium
Mounting/Unmounting a Storage Medium
Setting File System Prompt Modes
File System Operations Example
Software Upgrade Configuration Example
Immediate Upgrade Configuration Example (Distributed Device)
Immediate Upgrade Configuration Example (Distributed IRF Virtual Device)
Hotfix Configuration Example
12 Index
1 CLI Configuration
This chapter includes these sections:
• What Is CLI?
• Entering the CLI
• Command Conventions
• Undo Form of a Command
• CLI View Description
• Using the CLI Online Help
• Typing Commands
• Checking Command Line Errors
• Using Command History
• Controlling CLI Display
• Configuring User Privilege and Command Levels
• Saving the Current Configuration
• Displaying and Maintaining CLI
What Is CLI?
The command line interface (CLI) enables you to interact with your device by typing text commands. At
the CLI, you can instruct your device to perform a given task by typing a text command and then
pressing Enter to submit it to your device. Compared with the graphical user interface (GUI) where you
can use a mouse to perform configurations, the CLI allows you to input more information in one
command line. The CLI of H3C devices is as shown in Figure 1-1.
Figure 1-1 CLI
Command Conventions
Command conventions help you understand command meanings. Commands in H3C product
manuals comply with the conventions listed in Table 1-1.
Table 1-1 Command conventions
Convention    Description
Italic    Command arguments are in italic. Replace arguments with actual values at the CLI.
{ x | y | ... }    Alternative items are grouped in braces and separated by vertical bars. One is selected.
&<1-n>    The argument(s) before the ampersand (&) sign can be entered 1 to n times.
Take the clock datetime time date command as an example to understand the command meaning
according to Table 1-1.
Figure 1-2 Read command line parameters
For example, you can type the following command line at the CLI of your device and press Enter to set
the device system time to 10 o’clock 30 minutes 20 seconds, February 23, 2010.
<sysname> clock datetime 10:30:20 2/23/2010
You can read any command that is more complicated according to Table 1-1.
• After logging in to the switch, you are in user view. The prompt of user view is <device name>. In user view, you can perform display, debugging, and file management operations, set the system time, restart your device, and perform FTP and telnet operations.
• You can enter system view from user view. In system view, you can configure parameters such as daylight saving time, banners, and short-cut keys.
• In system view, you can enter different function views. For example, enter interface view to configure interface parameters, create a VLAN and enter its view, enter user interface view to configure login user attributes, create a local user and enter local user view to configure the password and level of the local user, and enter OSPF view to configure OSPF parameters.
To know which commands are supported in a certain view, enter ? in this view. Then the system
displays all the commands that can be executed in this view.
When you log in to the device, you automatically enter user view, where <Device name> is displayed.
You can perform limited operations in user view, such as display operations, file operations, and Telnet
operations. To perform further configurations for the device, enter system view.
Follow the step below to enter system view:
To do…    Use the command…    Remarks
Enter system view from user view    system-view    Required. Available in user view
Exiting the Current View
The CLI is divided into different command views. Each view has a set of specific commands and
defines the effective scope of the commands. The commands available to you at any given time
depend on the view you are in.
Follow the step below to exit the current view:
• Executed in user view, the quit command terminates the current connection between the terminal and the device.
• In public key code view, use the public-key-code end command to return to the parent view (public key view). In public key view, use the peer-public-key end command to return to system view.
This feature allows you to return to user view from any other view, without the need to execute the quit
command repeatedly. You can also press Ctrl+Z to return to user view from the current view.
Follow the step below to exit to user view:
To do…    Use the command…    Remarks
Return to user view    return    Required. Available in any view except user view
bootrom Update/read/backup/restore bootrom
cd Change current directory
clock Specify the system clock
…Omitted…
2) Type part of a command and a ? separated by a space.
If ? is at the position of a keyword, the CLI displays all possible keywords with a brief description for
each keyword. For example:
<sysname> terminal ?
debugging Send debug information to terminal
logging Send log information to terminal
monitor Send information output to current terminal
trapping Send trap information to terminal
If ? is at the position of an argument, the CLI displays a description about this argument. For example:
<sysname> system-view
[sysname] interface vlan-interface ?
<1-4094> VLAN interface number
[sysname] interface vlan-interface 1 ?
<cr>
[sysname] interface vlan-interface 1
The string <cr> indicates that the command is a complete command, and you can execute the
command by pressing Enter.
3) Type an incomplete character string followed by a ?. The CLI displays all commands starting with
the typed character(s).
<sysname> c?
cd
clock
cluster
copy
<sysname> display cl?
clipboard
clock
cluster
Typing Commands
Editing Command Lines
Table 1-2 lists some shortcut keys you can use to edit command lines.
Table 1-2 Editing functions
Key    Function
Common keys    If the edit buffer is not full, pressing a common key inserts the character at the position of the cursor and moves the cursor to the right.
Backspace    Deletes the character to the left of the cursor and moves the cursor back one character.
Left arrow key or Ctrl+B    The cursor moves one character space to the left.
Right arrow key or Ctrl+F    The cursor moves one character space to the right.
If you press Tab after entering part of a keyword, the system automatically completes the keyword:
You can input a command comprising incomplete keywords that can uniquely identify the complete
command.
For example, in user view, commands starting with an s include startup saved-configuration and
system-view.
• To enter system view, type sy.
• To set the configuration file for next startup, type st s.
You can also press Tab to have an incomplete keyword automatically completed.
The command alias function allows you to replace the first keyword of a command with your preferred
keyword. For example, if you configure show as the replacement of the display keyword for each
display command, to execute the display xx command, input the command alias show xx.
Note the following when configuring command aliases:
• When you input a command alias, the system displays and saves the command in its original format instead of its alias. In other words, you can define and use a command alias but the command is not restored in its alias format.
• When you define a command alias, the cmdkey and alias arguments must be in their complete form.
• With the command alias function enabled, when you input an incomplete keyword, which partially matches both a defined alias and the keyword of a command, the alias wins; to execute the command whose keyword partially matches your input, input the complete keyword. When you input a character string that partially matches multiple aliases, the system gives you prompts.
• If you press Tab after you input the keyword of an alias, the original format of the keyword is displayed.
• You can replace only the first keyword of a non-undo command instead of the complete command; and you can replace only the second keyword of undo commands.
Follow these steps to configure command aliases:
To do…    Use the command…    Remarks
Enable the command alias function    command-alias enable    Required. Disabled by default, which means you cannot configure command aliases.
Configure CLI hotkeys    hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command    Optional. The Ctrl+G, Ctrl+L and Ctrl+O hotkeys are specified at the CLI by default.
By default, the Ctrl+G, Ctrl+L and Ctrl+O hotkeys are associated with corresponding commands and
the Ctrl+T and Ctrl+U hotkeys are not.
• Ctrl+G corresponds to the display current-configuration command.
• Ctrl+L corresponds to the display ip routing-table command.
• Ctrl+O corresponds to the undo debugging all command.
Hotkey    Function
Esc+F    Moves the cursor to the front of the next continuous string to the right.
Esc+N    Moves the cursor down by one line (available before you press Enter)
Esc+P    Moves the cursor up by one line (available before you press Enter)
The hotkeys in the table above are defined by the switch. If the same hotkeys are defined by the
terminal software that you use to interact with the switch, the hotkeys defined by the terminal software
take effect.
If your command input is interrupted by output system information, you can use this feature to
redisplay the previously input but not submitted commands so that you can continue your operation
from where you were stopped.
Follow these steps to enable redisplaying of input but not submitted commands:
Error information    Cause
% Unrecognized command found at '^' position.    The command was not found.
You can use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet.
However, the up and down arrow keys are invalid in Windows 9X HyperTerminal, because they are
defined differently. You can press Ctrl+P or Ctrl+N instead.
• The commands saved in the history command buffer are in the same format in which you typed the commands. If you type an incomplete command, the command saved in the history command buffer is also an incomplete one.
• If you execute the same command repeatedly, the switch saves only the earliest record. However, if you execute the same command in different formats, the system saves them as different commands. For example, if you execute the display cu command repeatedly, the system saves only one command in the history command buffer. If you execute the command in the format of display cu and display current-configuration respectively, the system saves them as two commands.
• By default, the CLI can save up to 10 commands for each user. To set the capacity of the history command buffer for the current user interface, use the history-command max-size command. (For more information about the history-command max-size command, see Logging In to the Switch Commands in the Fundamentals Command Reference.)
To do…    Use the command…    Remarks
Enter user interface view    user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }    —
For more information about the user-interface and history-command max-size commands, see
Logging In to the Switch Commands in the Fundamentals Command Reference.
Action Function
By default, each screen displays up to 24 lines. To change the maximum number of lines displayed on
the next screen, use the screen-length command. For more information about the screen-length
command, see Logging In to the Switch Commands in the Fundamentals Command Reference.
Disabling multi-screen display
You can use the following command to disable the multi-screen display function. Then, all the output
information is displayed at one time and the screen is refreshed continuously until the last screen is
displayed.
Required
Only display commands that support [ | { begin | exclude | include } regular-expression ] support filtering output information. Whether a display command supports these parameters depends on your device model.
Introduction
You can use regular expressions in display commands to filter output information.
There are two ways to filter output information.
• Input the begin, exclude, or include keyword plus a regular expression in the display command to filter the output information.
• When the system displays the output information in multiple screens, use /, - or + plus a regular expression to filter subsequent output information. / equals the keyword begin, - equals the keyword exclude, and + equals the keyword include.
The following describes the begin, exclude, and include keywords:
• begin: Displays the first line that matches the specified regular expression and all lines that follow.
• exclude: Displays the lines that do not match the specified regular expression.
• include: Displays all lines that match the specified regular expression.
A regular expression is a case sensitive string of 1 to 256 characters. It also supports the following
special characters.
Character    Meaning    Remarks
^string    Starting sign. string appears only at the beginning of a line.    For example, regular expression “^user” only matches a string beginning with “user”, not “Auser”.
string$    Ending sign. string appears only at the end of a line.    For example, regular expression “user$” only matches a string ending with “user”, not “userA”.
\<string    Matches a character string starting with string.    For example, “\<do” matches word “domain” and string “doa”.
string\>    Matches a character string ending with string.    For example, “do\>” matches word “undo” and string “abcdo”.
\bcharacter2    Matches character1character2. character1 can be any character except number, letter or underline, and \b equals [^A-Za-z0-9_].    For example, “\ba” matches “-a” with “-” being character1, and “a” being character2, but it does not match “2a” or “ba”.
character1\w    Matches character1character2. character2 must be a number, letter, or underline, and \w equals [A-Za-z0-9_].    For example, “v\w” matches “vlan”, with “v” being character1, and “l” being character2. v\w also matches “service”, with “i” being character2.
Example of filtering output information
1) Example of using the begin keyword
# Display the configuration from the line containing “user-interface” to the last line in the current
configuration (the output information depends on the device model and the current configuration).
<Sysname> display current-configuration | begin user-interface
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode none
user privilege level 3
#
return
2) Example of using the exclude keyword
# Display the non-direct routes in the routing table (the output depends on the device model and the
current configuration).
<Sysname> display ip routing-table | exclude Direct
Routing Tables: Public
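The following added example (not part of the H3C manual) reproduces the begin, exclude, and include filters offline in Python, so that saved display output can be reviewed with the same expressions used on the switch. The translation of \<, \>, \b and \w follows the wording of the table above and is an assumption about the switch's regular expression dialect; the sample output is constructed.

```python
import re

# Switch-specific tokens from the special character table, rewritten for
# Python's `re`. Assumption: only the tokens shown on this page are
# translated; everything else is handed to `re` unchanged.
WORD = "[A-Za-z0-9_]"
TOKENS = {
    r"\<": f"(?<!{WORD})(?={WORD})",  # the string that follows starts a word
    r"\>": f"(?<={WORD})(?!{WORD})",  # the string that precedes ends a word
    r"\b": "[^A-Za-z0-9_]",           # character1: not a number, letter or underline
    r"\w": WORD,                      # character2: a number, letter or underline
}

# During multi-screen display, / - + stand for the three keywords.
KEYWORDS = {"/": "begin", "-": "exclude", "+": "include"}

# Constructed sample of `display current-configuration` output.
SAMPLE_OUTPUT = """\
#
 sysname Sysname
#
vlan 1
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return""".splitlines()


def translate(expr):
    """Compile an expression written for the switch into a Python pattern."""
    if not 1 <= len(expr) <= 256:
        raise ValueError("a regular expression is 1 to 256 characters long")
    out, i = [], 0
    while i < len(expr):
        pair = expr[i:i + 2]
        if expr[i] == "\\" and len(pair) == 2:
            # Escaped pair: translate it if it is one of the switch tokens.
            out.append(TOKENS.get(pair, pair))
            i += 2
        else:
            out.append(expr[i])
            i += 1
    return re.compile("".join(out))  # matching stays case sensitive


def filter_output(lines, keyword, expr):
    """Apply begin / exclude / include (or / - +) to a list of output lines."""
    keyword = KEYWORDS.get(keyword, keyword)
    pattern = translate(expr)
    hits = [bool(pattern.search(line)) for line in lines]
    if keyword == "begin":
        # First matching line and every line after it.
        return lines[hits.index(True):] if True in hits else []
    if keyword == "include":
        return [line for line, hit in zip(lines, hits) if hit]
    if keyword == "exclude":
        return [line for line, hit in zip(lines, hits) if not hit]
    raise ValueError(f"unknown filter keyword: {keyword}")


if __name__ == "__main__":
    for line in filter_output(SAMPLE_OUTPUT, "begin", "user-interface"):
        print(line)
```

Note that “^user” selects only the three user-interface lines, while “\<user” also selects the indented user privilege level line, because the latter expression is not tied to the start of the line.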
To avoid unauthorized access, the switch defines user privilege levels and command levels. User
privilege levels correspond to command levels. When a user at a privilege level logs in, the user can
only use commands at that level, and lower levels.
All the commands are categorized into four levels, which are visit, monitor, system, and manage from
low to high, and identified respectively by 0 through 3. Table 1-5 describes the levels of the commands.
Table 1-5 Default command levels
Involves commands that influence the basic operation of the system and
commands for configuring system support modules.
A user privilege level can be configured by using AAA authentication parameters or under a user
interface.
Configure user privilege level by using AAA authentication parameters
If the authentication mode of a user interface is scheme, the user privilege level of users logging into
the user interface is specified in AAA authentication configuration.
Follow these steps to configure the user privilege level by using AAA authentication parameters:
To do…    Use the command…    Remarks
Enter user interface view    user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }    —
Configure the authentication mode for SSH users as password    For more information, see SSH2.0 Configuration in the Security Configuration Guide.    Required. Required if users use SSH to log in, and username and password are needed at authentication
Configure the user privilege level under a user interface
• If the user interface authentication mode is scheme when a user logs in, and SSH publickey authentication type (only username is needed for this authentication type) is adopted, the user privilege level is the user interface level.
• If the authentication mode of a user interface is scheme, and SSH publickey authentication type (only username is needed for this authentication type) is adopted, the user privilege level of users logging into the user interface is the user interface level.
• If the authentication mode of a user interface is none or password, the user privilege level of users logging into the user interface is the user interface level.
Follow these steps to configure the user privilege level under a user interface (SSH publickey
authentication type):
To do…    Use the command…    Remarks
Enter user interface view    user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }    —
Configure the authentication mode for any user that uses the current user interface to log in to the switch    authentication-mode scheme    Optional. By default, the authentication mode for VTY and AUX users is password, and no authentication is needed for AUX users.
Optional
Follow these steps to configure the user privilege level under a user interface (none or password
authentication mode):
To do…    Use the command…    Remarks
Enter user interface view    user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }    —
Configure the authentication mode for any user that uses the current user interface to log in to the switch    authentication-mode { none | password }    Optional. By default, the authentication mode for VTY and AUX user interfaces is password, and no authentication is needed for AUX login users.
Optional
• For more information about user interfaces, see CLI Login in the Fundamentals Configuration Guide. For more information about the user-interface, authentication-mode, and user privilege level commands, see Logging In to the Switch Commands in the Fundamentals Command Reference.
• For more information about AAA authentication, see AAA Configuration in the Security Configuration Guide. For more information about the local-user and authorization-attribute commands, see AAA Configuration Commands in the Security Command Reference.
• For more information about SSH, see SSH 2.0 Configuration in the Security Configuration Guide.
Switching User Privilege Level
Introduction
Users can switch to a user privilege level temporarily without logging out and terminating the current
connection. After the switch, users can continue to configure the switch without the need of relogin, but
the commands that they can execute have changed. For example, if the current user privilege level is 3,
the user can configure system parameters. After switching to the user privilege level 0, the user can
only execute some simple commands, like ping and tracert, and only a few display commands. The
switching operation is effective for the current login. After the user relogs in, the user privilege restores
to the original level.
• To avoid misoperations, administrators are advised to log in to the switch at a lower privilege level to view switch operating parameters, and to switch to a higher level temporarily only when they have to maintain the switch.
• When the administrators need to leave for a while or ask someone else to manage the switch temporarily, they can switch to a lower privilege level before they leave to restrict the operation by others.
Setting the authentication mode for user privilege level switch
• A user can switch to a privilege level equal to or lower than the current one unconditionally and is not required to input the password (if any).
• A user is required to input the password (if any) to switch to a higher privilege level for security sake. The authentication falls into one of the following four categories:
Authentication
Meaning Description
mode
The switch sends the username and password for privilege level
switch to the HWTACACS or RADIUS server for remote
authentication.
Remote AAA
When this mode is applied, you need to perform the following
authentication
configurations:
scheme through
HWTACACS or z Configure HWTACACS or RADIUS scheme and reference the
RADIUS created scheme in the ISP domain. For more information, see
AAA Configuration in the Security Configuration Guide.
z Create the corresponding user and configure password on the
HWTACACS or RADIUS server.
1-21
Authentication
Meaning Description
mode
Performs remote
AAA AAA authentication is performed first, and if the remote
authentication first HWTACACS or RADIUS server does not respond or AAA
scheme local
and then the local configuration on the switch is invalid, the local password
password authentication is performed.
authentication
Follow these steps to set the authentication mode for user privilege level switch:
- When you configure the password for switching the user privilege level with the super password
command, the user privilege level defaults to 3 if no user privilege level is specified.
- If you specify the simple keyword, the password is saved in the configuration file in plain text,
which is easy to steal. If you specify the cipher keyword, the password is saved in the
configuration file in cipher text, which is safer.
- The timeout for AAA authentication is 120 seconds. After that, the AAA authentication is
considered to have received no response.
- If a user who logged in through the console user interface (the console port or the AUX port used
as the console port) switches to a higher level, the privilege level is switched successfully even
though the authentication mode is local and no user privilege level password is configured.
Required
When you switch the user privilege level, the information you need to input varies with combinations of
user interface authentication mode and super authentication mode.
Table 1-6 Information input for user privilege level switch
User interface authentication mode | User privilege level switch authentication mode | Information input for the first authentication mode | Information input after the authentication mode changes
- When the authentication mode is set to local, configure the local password before switching to a
higher user privilege level.
- When the authentication mode is set to scheme, configure AAA related parameters before
switching to a higher user privilege level.
- The privilege level switch fails after three consecutive unsuccessful password attempts.
- For more information about user interface authentication, see CLI Login in the Fundamentals
Configuration Guide.
Modifying the Level of a Command
Each command in a view has a default level. The administrator can change the default level of a
command to a lower or a higher level as needed.
Follow these steps to modify the command level:
To do: Configure the command level in a specified view
Use the command: command-privilege level level view view command
Remarks: Required. See Table 1-5 for the default settings.
You are recommended to use the default command level or to modify the command level under the
guidance of professional staff. An improper change of the command level may complicate your
maintenance and operation, or even cause security problems.
To do: Display defined command aliases and the corresponding commands
Use the command: display command-alias [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
2 Login Methods
This chapter includes these sections:
- Login Methods
- User Interface Overview
Login Methods
You can log in to a device in the following ways.
Table 2-1 Login methods
Login method: Logging In Through the Console Port (CLI Login)
Default state: By default, you can log in to a device through the console port, the authentication
mode is None (no username or password required), and the user privilege level is 3.
Login method: Logging In Through Modems
Default state: By default, you can log in to a device through modems. The default user privilege
level of modem login users is 3.
Only one user can use a user interface at a time. The configuration made in a user interface view
applies to any user who logs in through that user interface. For example, if user A uses the console
port to log in, the configuration in the console port user interface view applies to user A; if user A
logs in through VTY 1, the configuration in VTY 1 user interface view applies to user A.
A device can be equipped with two AUX user interfaces and five VTY user interfaces. These user
interfaces are not associated with specific users. When a user initiates a connection request, the
system automatically assigns the idle user interface with the smallest number to the user based on the
login method. During the login, the configuration in the user interface view takes effect. The user
interface varies depending on the login method and the login time.
Numbering User Interfaces
User interfaces can be numbered in two ways: absolute numbering and relative numbering.
Absolute numbering
Absolute numbering identifies a user interface or a group of different types of user interfaces. The
specified user interfaces are numbered from 0 with a step of 1, in the sequence of AUX and then
VTY user interfaces. You can use the display user-interface command without any parameters
to view supported user interfaces and their absolute numbers.
Relative numbering
Relative numbering allows you to specify a user interface or a group of user interfaces of a specific
type. The number format is “user interface type + number”. The rules of relative numbering are as
follows:
- AUX ports are numbered from 0 in ascending order, with a step of 1.
- VTYs are numbered from 0 in ascending order, with a step of 1.
3 CLI Login
This chapter includes these sections:
- Overview
- Logging In Through the Console Port
- Logging In Through Telnet
- Logging In Through SSH
- Logging In Through Modems
- Displaying and Maintaining CLI Login
Overview
The CLI enables you to interact with a device by typing text commands. At the CLI, you can instruct
your device to perform a given task by typing a text command and then pressing Enter to submit it to
your device. Compared with the graphical user interface (GUI) where you can use a mouse to perform
configuration, the CLI allows you to input more information in one command line.
You can log in to the device at the CLI through the console port, telnet, SSH, or modem.
- By default, you can log in to a device through the console port without any authentication, which
is a security risk.
- By default, you cannot log in to a device through telnet or SSH, so you cannot remotely manage
and maintain the device.
Therefore, you need to perform configurations to increase device security and manageability.
Logging in through the console port is the most common login method, and is also the first step to
configure other login methods.
By default, you can log in to a device through its console port only. After logging in to the device
through the console port, you can configure other login methods.
This section includes:
- Configuration Requirements
- Login Procedure
- Console Login Authentication Modes
- Configuring None Authentication for Console Login
- Configuring Password Authentication for Console Login
- Configuring Scheme Authentication for Console Login
- Configuring Common Settings for Console Login (Optional)
Configuration Requirements
The following table shows the configuration requirements of console port login.
Object Requirements
The port properties of the hyper terminal must be the same as the default settings of the console port
shown in the following table.
Setting Default
Parity None
Stop bits 1
Data bits 8
Login Procedure
As shown in Figure 3-1, use the console cable shipped with the device to connect the PC and the
device. Plug the DB-9 connector of the console cable into the serial port of the PC, and plug the RJ-45
connector into the console port of your device.
Figure 3-1 Connect the device and PC through a console cable
Because the serial port of a PC does not support hot-swap, do not plug or unplug the console cable to
or from the PC when your device is powered on. To connect the PC to the device, first plug the DB-9
connector of the console cable into the PC, and then plug the RJ-45 connector of the console cable
into your device. To disconnect the PC from the device, first unplug the RJ-45 connector and then the
DB-9 connector.
Launch a terminal emulation program (such as HyperTerminal in Windows XP/Windows 2000). The
following takes the HyperTerminal of Windows XP as an example. Select a serial port to be connected
to the device, and set terminal parameters as follows: set Bits per second to 9600, Data bits to 8,
Parity to None, Stop bits to 1, and Flow control to None, as shown in Figure 3-2 through Figure 3-4.
On the Windows 2003 Server operating system, you need to add the HyperTerminal program first, and
then log in to and manage the device as described in this document. On the Windows 2008 Server,
Windows 7, Windows Vista, or some other operating system, you need to obtain a third party terminal
control program first, and follow the user guide or online help of that program to log in to the device.
Figure 3-3 Specify the serial port used to establish the connection
Turn on the device. You are prompted to press Enter if the device successfully completes the
power-on self test (POST). A prompt such as <H3C> appears after you press Enter, as shown in
Figure 3-5.
Figure 3-5 Configuration page
Execute commands to configure the device or check the running status of the device. To get help,
type ?.
Three authentication modes are available for console port login: none, password, and scheme.
- none: Requires no username and password at the next login through the console port. This mode
is insecure.
- password: Requires password authentication at the next login through the console port. Keep
your password. If you lose your password, see H3C Series Ethernet Switches Login Password
Recovery Manual for password recovery.
- scheme: Requires username and password authentication at the next login through the console
port. Authentication falls into local authentication and remote authentication. To use local
authentication, configure a local user and related parameters. To use remote authentication,
configure the username and password on the remote authentication server. For more information
about authentication modes and parameters, see AAA Configuration in the Security
Configuration Guide. Keep your username and password. If you lose your password, see H3C
Series Ethernet Switches Login Password Recovery Manual for password recovery.
The following table lists console port login configurations for different authentication modes:
Authentication mode: Password
Configuration: Configure to authenticate users by using the local password. Set the local password.
Remarks: For more information, see Configuring Password Authentication for Console Login.
Configuration: Configure a RADIUS/HWTACACS scheme.
Configuration (local authentication): Configure the authentication username and password.
Configure the AAA scheme used by the domain as local.
A newly configured authentication mode does not take effect unless you exit and enter the CLI again.
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For how to log in to the device with default configuration, see Configuration
Requirements.
Configuration procedure
Follow these steps to configure none authentication for console login:
To do… Use the command… Remarks
Required
To do: Configure common settings for AUX user interface view
Use the command: —
Remarks: Optional. See Configuring Common Settings for Console Login (Optional).
After the configuration, the next time you log in to the device through the console port, you are
prompted to press Enter. A prompt such as <H3C> appears after you press Enter, as shown in Figure
3-6.
Figure 3-6 Configuration page
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For how to log in to the device with default configuration, see Configuration
Requirements.
Configuration procedure
Follow these steps to configure password authentication for console login:
Required
To do: Set the local password
Use the command: set authentication password { cipher | simple } password
Remarks: Required. By default, no local password is set.
To do: Configure common settings for AUX user interface view
Use the command: —
Remarks: Optional. See Configuring Common Settings for Console Login (Optional).
After the configuration, the next time you log in to the device through the console port, you are
prompted to enter a login password. A prompt such as <H3C> appears after you input the password
and press Enter, as shown in Figure 3-7.
Figure 3-7 Configuration page
Configuring Scheme Authentication for Console Login
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For how to log in to the device with default configuration, see Configuration
Requirements.
Configuration procedure
Follow these steps to configure scheme authentication for console login:
Required
To do: Enable command authorization
Use the command: command authorization
Remarks: Optional.
- By default, command authorization is not enabled.
- By default, the command level depends on the user privilege level. A user is authorized a
command level not higher than the user privilege level. With command authorization enabled,
the command level for a login user is determined by both the user privilege level and AAA
authorization. If a user executes a command of the corresponding command level, the
authorization server checks whether the command is authorized. If yes, the command can be
executed.
To do… Use the command… Remarks
Optional
radius-scheme-name argument,
perform the following configuration
as well:
To do: Specify the service type for the local user
Use the command: service-type terminal
Remarks: Required. By default, no service type is specified.
To do: Configure common settings for AUX user interface view
Use the command: —
Remarks: Optional. See Configuring Common Settings for Console Login (Optional).
After you enable command authorization, you need to perform the following configuration to make the
function take effect:
- Create a HWTACACS scheme, and specify the IP address of the authorization server and other
authorization parameters. For more information, see AAA Configuration in the Security
Configuration Guide.
- Reference the created HWTACACS scheme in the ISP domain. For more information, see AAA
Configuration in the Security Configuration Guide.
After you enable command accounting, you need to perform the following configuration to make the
function take effect:
- Create a HWTACACS scheme, and specify the IP address of the accounting server and other
accounting parameters. For more information, see AAA Configuration in the Security
Configuration Guide.
- Reference the created HWTACACS scheme in the ISP domain. For more information, see AAA
Configuration in the Security Configuration Guide.
When users adopt the scheme mode to log in to the device, the level of the commands that the users
can access depends on the user privilege level defined in the AAA scheme.
- When the AAA scheme is local, the user privilege level is defined by the authorization-attribute
level level command.
- When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the
RADIUS or HWTACACS server.
- For more information about AAA, RADIUS, and HWTACACS, see AAA Configuration in the
Security Configuration Guide.
After the configuration, when you log in to the device through the console port, you are prompted to
enter a login username and password. A prompt such as <H3C> appears after you input the password
and username and press Enter, as shown in Figure 3-8.
Figure 3-8 Configuration page
Follow these steps to configure common settings for console port login:
To do… Use the command… Remarks
To do: Configure AUX user interface view properties: Configure the baud rate
Use the command: speed speed-value
Remarks: Optional. By default, the transmission rate is 9600 bps. Transmission rate is the number of
bits that the device transmits to the terminal per second.
Optional
Optional
Optional
To do: Configure the user privilege level for login users
Use the command: user privilege level level
Remarks: Optional. By default, the default command level is 3 for the console user interface.
To do: Set the maximum number of lines on the next screen.
Use the command: screen-length screen-length
Remarks: Optional. By default, the next screen displays 24 lines. A value of 0 disables the function.
Optional
The common settings configured for console login take effect immediately. If you configure the
common settings after you log in through the console port, the current connection may be interrupted.
Therefore, use another login method. After you configure common settings for console login, you need
to modify the settings on the terminal to make them consistent with those on the device.
The device supports telnet. You can telnet to the device to remotely manage and maintain it, as shown
in Figure 3-9.
Figure 3-9 Telnet login
Object Requirements
Configure the IP address of the VLAN interface, and make sure the telnet
By default, the device is enabled with the telnet server and client functions.
- On a device that serves as the telnet client, you can log in to a telnet server to perform operations
on the server.
- On a device that serves as the telnet server, you can configure the authentication mode and user
privilege level for telnet users. By default, password authentication is adopted for telnet login, but
no login password is configured. Therefore, you cannot log in to the device through telnet by
default. Before you can telnet to the device, you need to log in to the device through the console
port and configure the authentication mode, user privilege level, and common settings.
This section includes these topics:
- Telnet Login Authentication Modes
- Configuring None Authentication for Telnet Login
- Configuring Password Authentication for Telnet Login
- Configuring Scheme Authentication for Telnet Login
- Configuring Common Settings for VTY User Interfaces (Optional)
- Configuring the Device to Log In to Another Device as a Telnet Client
Three authentication modes are available for telnet login: none, password, and scheme.
- none: Requires no username and password at the next login through telnet. This mode is
insecure.
- password: Requires password authentication at the next login through telnet. Keep your
password. If you lose your password, log in to the device through the console port to view or
modify the password.
- scheme: Requires username and password authentication at the next login through telnet.
Authentication falls into local authentication and remote authentication. To use local
authentication, configure a local user and related parameters. To use remote authentication,
configure the username and password on the remote authentication server. For more information
about authentication modes and parameters, see AAA Configuration in the Security Configuration
Guide. Keep your username and password. If you lose your password, see H3C Series Ethernet
Switches Login Password Recovery Manual for password recovery.
The following table lists telnet login configurations for different authentication modes.
Authentication mode: Password
Configuration: Configure to authenticate users by using the local password. Set the local password.
Remarks: For more information, see Configuring Password Authentication for Telnet Login.
Configuration: Configure the username and password on the AAA server.
Configuration (local authentication): Configure the authentication username and password.
Configure the AAA scheme used by the domain as local.
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For how to log in to the device with default configuration, see Configuration
Requirements.
Configuration procedure
Follow these steps to configure none authentication for telnet login:
To do: Enable telnet
Use the command: telnet server enable
Remarks: Required. By default, the telnet service is disabled.
To do: Specify the none authentication mode
Use the command: authentication-mode none
Remarks: Required. By default, authentication mode for VTY user interfaces is password.
To do: Configure common settings for VTY user interfaces
Use the command: —
Remarks: Optional. See Configuring Common Settings for VTY User Interfaces (Optional).
- You enter the VTY user interface, as shown in Figure 3-10.
- If “All user interfaces are used, please try later!” is displayed, it means the current login users
exceed the maximum number. Please try later.
Figure 3-10 Configuration page
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For how to log in to the device with default configuration, see Configuration
Requirements.
Configuration procedure
Follow these steps to configure password authentication for telnet login:
To do: Enable telnet
Use the command: telnet server enable
Remarks: Required. By default, the telnet service is enabled.
To do: Specify the password authentication mode
Use the command: authentication-mode password
Remarks: Required. By default, authentication mode for VTY user interfaces is password.
To do: Set the local password
Use the command: set authentication password { cipher | simple } password
Remarks: Required. By default, no local password is set.
To do: Configure common settings for VTY user interfaces
Use the command: —
Remarks: Optional. See Configuring Common Settings for VTY User Interfaces (Optional).
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For how to log in to the device with default configuration, see Configuration
Requirements.
Configuration procedure
Follow these steps to configure scheme authentication for telnet login:
To do… Use the command… Remarks
To do: Enable telnet
Use the command: telnet server enable
Remarks: Required. By default, the telnet service is enabled.
Required
Optional
To do: Enable command accounting
Use the command: command accounting
Remarks: Optional.
- By default, command accounting is disabled. The accounting server does not record the
commands executed by users.
- Command accounting allows the HWTACACS server to record all executed commands that are
supported by the device, regardless of the command execution result. This helps control and
monitor user operations on the device. If command accounting is enabled and command
authorization is not enabled, every executed command is recorded on the HWTACACS server. If
both command accounting and command authorization are enabled, only the authorized and
executed commands are recorded on the HWTACACS server.
To do: Set the local password
Use the command: password { cipher | simple } password
Remarks: Required. By default, no local password is set.
To do: Specify the service type for the local user
Use the command: service-type telnet
Remarks: Required. By default, no service type is specified.
To do: Configure common settings for VTY user interfaces
Use the command: —
Remarks: Optional. See Configuring Common Settings for VTY User Interfaces (Optional).
After you enable command authorization, you need to perform the following configuration to make the
function take effect:
- Create a HWTACACS scheme, and specify the IP address of the authorization server and other
authorization parameters. For more information, see AAA Configuration in the Security
Configuration Guide.
- Reference the created HWTACACS scheme in the ISP domain. For more information, see AAA
Configuration in the Security Configuration Guide.
After you enable command accounting, you need to perform the following configuration to make the
function take effect:
- Create a HWTACACS scheme, and specify the IP address of the accounting server and other
accounting parameters. For more information, see AAA Configuration in the Security
Configuration Guide.
- Reference the created HWTACACS scheme in the ISP domain. For more information, see AAA
Configuration in the Security Configuration Guide.
When users adopt the scheme mode to log in to the device, the level of the commands that the users
can access depends on the user privilege level defined in the AAA scheme.
- When the AAA scheme is local, the user privilege level is defined by the authorization-attribute
level level command.
- When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the
RADIUS or HWTACACS server.
For more information about AAA, RADIUS, and HWTACACS, see AAA Configuration in the Security
Configuration Guide.
When you log in to the device through telnet again:
- You are required to enter the login username and password. A prompt such as <H3C> appears
after you enter the correct username (for example, admin) and password and press Enter, as
shown in Figure 3-12.
- If “All user interfaces are used, please try later!” is displayed, it means the current login users
exceed the maximum number. Please try later.
Figure 3-12 Configuration page
Follow these steps to configure common settings for VTY user interfaces:
To do… Use the command… Remarks
To do: Create a VLAN interface and enter VLAN interface view
Use the command: interface vlan-interface vlan-interface-id
Remarks: Required. If the VLAN interface already exists, the command enters the VLAN interface view.
To do: Specify an IP address for a VLAN interface
Use the command: ip address ip-address { mask | mask-length }
Remarks: Required. By default, no IP address is specified for a VLAN interface.
To do: Define a shortcut key for terminating tasks
Use the command: escape-key { default | character }
Remarks: Optional. By default, you can press Ctrl+C to terminate a task.
To do: Configure the type of terminal display
Use the command: terminal type { ansi | vt100 }
Remarks: Optional. By default, the terminal display type is ANSI.
To do: Set the maximum number of lines on the next screen
Use the command: screen-length screen-length
Remarks: Optional. By default, the next screen displays 24 lines. A value of 0 disables the function.
To do: Set the size of history command buffer
Use the command: history-command max-size value
Remarks: Optional. By default, the buffer saves 10 history commands.
Optional
Optional
By default, command
auto-execution is disabled.
The auto-execute command command may prevent you from configuring the system through the
user interface to which the command is applied. Therefore, before configuring the command and
saving the configuration (by using the save command), make sure that you can access the device
through VTY, TTY, console, or AUX interfaces to remove the configuration if a problem occurs.
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For how to log in to the device with default configuration, see Configuration
Requirements.
Figure 3-13 Log in to another device from the current device
If the telnet client port and the telnet server port that connect them are not in the same subnet, make
sure that the two devices can reach each other.
Configuration procedure
Follow the step below to configure the device to log in to a telnet server as a telnet client:
Secure Shell (SSH) offers an approach to log into a remote device securely. By providing encryption
and strong authentication, it protects devices against attacks such as IP spoofing and plain text
password interception. The device supports SSH, and you can log in to the device through SSH to
remotely manage and maintain the device, as shown in Figure 3-14.
Figure 3-14 SSH login diagram
Object Requirements
Configure the IP address of the VLAN interface, and make sure the SSH
By default, the device is enabled with the SSH server and client functions.
- On a device that serves as the SSH client, you can log in to an SSH server to perform operations
on the server.
- On a device that serves as the SSH server, you can configure the authentication mode and user
level for SSH users. By default, password authentication is adopted for SSH login, but no login
password is configured. Therefore, you cannot log in to the device through SSH by default. Before
you can log in to the device through SSH, you need to log in to the device through the console port
and configure the authentication mode, user level, and common settings.
This section includes these topics:
- Configuring the SSH Server
- Configuring the SSH Client to Log In to the SSH Server
Configuration prerequisites
You have logged in to the device, and want to log in to the device through SSH in the future.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For how to log in to the device with default configuration, see Configuration
Requirements.
Configuration procedure
Follow these steps to configure the device that serves as an SSH server:
To do: Create local key pair(s)
Use the command: public-key local create { dsa | rsa }
Remarks: Required. By default, no local key pair(s) are created.
To do: Enable SSH server
Use the command: ssh server enable
Remarks: Required. By default, SSH server is disabled.
To do: Specify the scheme authentication mode
Use the command: authentication-mode scheme
Remarks: Required. By default, authentication mode for VTY user interfaces is password.
To do: Set the local password
Use the command: password { cipher | simple } password
Remarks: Required. By default, no local password is set.
To do: Specify the service type for the local user
Use the command: service-type ssh
Remarks: Required. By default, no service type is specified.
To do: Configure common settings for VTY user interfaces
Use the command: —
Remarks: Optional. See Configuring Common Settings for VTY User Interfaces (Optional).
For more information about SSH, see SSH2.0 Configuration in the Security Configuration Guide.
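The weak login settings described in the console, telnet, and SSH sections above (a user interface with no authentication, passwords stored with the simple keyword, and telnet login, which lacks the encryption SSH provides) can be checked mechanically in a saved configuration. The following Python script is an added example, not part of the H3C guide; the sample configuration is constructed, and its layout (# separators, unindented section headers, indented settings) and the user-interface aux 0 and vty ranges are assumptions.

```python
import re

# Constructed sample, not taken from a real device. Assumed layout: '#' lines
# separate blocks, section headers are unindented, settings are indented.
SAMPLE_CONFIG = """\
#
 telnet server enable
#
 super password level 3 simple Example-Only
#
local-user admin
 password cipher <ciphertext-placeholder>
 authorization-attribute level 3
 service-type ssh
local-user operator
 password simple Example-Only
 service-type telnet
#
user-interface aux 0
 user privilege level 3
user-interface vty 0 2
 authentication-mode none
 user privilege level 3
user-interface vty 3 4
 authentication-mode scheme
#
"""

# Defaults stated in the guide: console (AUX) login uses no authentication at
# privilege level 3; VTY user interfaces default to password authentication.
DEFAULT_MODE = {"aux": "none", "vty": "password"}
DEFAULT_LEVEL = {"aux": "3"}

# Commands from the guide that accept the simple (plain text) keyword.
PLAINTEXT = re.compile(
    r"^(set authentication password|password|super password( level \d)?) simple\b")


def parse_sections(text):
    """Split a configuration into (header, [settings]); header '' means global."""
    sections = [("", [])]
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.strip() == "#":
            sections.append(("", []))          # separator: back to global scope
        elif line[0].isspace():
            sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))        # new section header
    return [s for s in sections if s[0] or s[1]]


def first_arg(settings, command):
    """Return the first argument of `command` in a section, or None if absent."""
    for s in settings:
        if s.startswith(command + " "):
            return s[len(command) + 1:].split()[0]
    return None


def audit(text):
    """Return a list of (section, code, detail) findings for weak login settings."""
    findings = []
    for header, settings in parse_sections(text):
        where = header or "global"
        for s in settings:
            if PLAINTEXT.match(s):
                # Report the command form only, never the secret itself.
                findings.append((where, "PLAINTEXT_PASSWORD", s.rsplit(" ", 1)[0]))
            elif s == "telnet server enable":
                findings.append((where, "TELNET_ENABLED", s))
            elif s.startswith("service-type ") and "telnet" in s.split():
                findings.append((where, "TELNET_SERVICE", s))
        ui = re.match(r"user-interface (aux|vty)\b", header)
        if ui:
            kind = ui.group(1)
            mode = first_arg(settings, "authentication-mode") or DEFAULT_MODE[kind]
            level = first_arg(settings, "user privilege level") or DEFAULT_LEVEL.get(kind)
            if mode == "none":
                detail = "login without credentials"
                if level is not None:
                    detail += f" at user privilege level {level}"
                findings.append((where, "NO_AUTH", detail))
    return findings


if __name__ == "__main__":
    for where, code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:<19}{where}: {detail}")
```

The AUX section in the sample has no authentication-mode line, so the script applies the default the guide states for console login and reports it as unauthenticated level 3 access.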
Configuring the SSH Client to Log In to the SSH Server
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For how to log in to the device with default configuration, see Configuration
Requirements.
Figure 3-15 Log in to another device from the current device
If the telnet client and the telnet server are not in the same subnet, make sure that the two devices can
reach each other.
Configuration procedure
Follow these steps to configure the SSH client to log in to the SSH server:
Required
Required
You can configure other settings for the SSH client to work with the SSH server. For more information,
see SSH2.0 in the Security Command Reference.
Logging In Through Modems
Introduction
The administrator can use two modems to remotely maintain a switch through its Console port over the
Public Switched Telephone Network (PSTN) when the IP network connection is broken.
This section includes these topics:
- Configuration Requirements
- Login Procedure
- Modem Login Authentication Modes
- Configuring None Authentication for Modem Login
- Configuring Password Authentication for Modem Login
- Configuring Scheme Authentication for Modem Login
- Configuring Common Settings for Modem Login (Optional)
Configuration Requirements
By default, no authentication is needed when you log in through modems, and the default user
privilege level is 3.
To use this method, perform necessary configurations at both the device side and administrator side.
The following table shows the configuration requirements of remote login through Console port by
using modem dial-in:
Object Requirement
Login Procedure
Set up a configuration environment as shown in Figure 3-16: connect the serial port of the PC and the
Console port of the device to a modem respectively.
Figure 3-16 Set up a configuration terminal
On the device,
• The baud rate of the Console port is lower than the transmission rate of the modem. Otherwise,
packets may be lost.
• The parity check mode, stop bits, and data bits of the Console port adopt the default settings.
Perform the following configurations on the modem that is directly connected to the device:
AT&F ----------------------- Restore the factory defaults
ATS0=1 ----------------------- Configure auto-answer on first ring
AT&D ----------------------- Ignore Data Terminal Ready signals
AT&K0 ----------------------- Disable local flow control
AT&R1 ----------------------- Ignore Data Flow Control signals
AT&S0 ----------------------- Force DSR to remain on
ATEQ1&W ----------------------- Disable the modem from responding to commands and save the configuration
To verify your configuration, enter AT&V to show the configuration results.
The configuration commands and the output for different modems may be different. For more
information, see the user guide of your modem.
Launch a terminal emulation utility (such as HyperTerminal in Windows XP/Windows 2000), create a
new connection (the telephone number is the number of the modem connected to the device).
On the Windows 2003 Server operating system, you need to add the HyperTerminal program first, and
then log in to and manage the device as described in this document. On the Windows 2008 Server,
Windows 7, Windows Vista, or some other operating system, you need to obtain a third party terminal
control program first, and follow the user guide or online help of that program to log in to the device.
Dial the destination number on the PC to establish a connection with the device, as shown in Figure
3-17 through Figure 3-19.
Figure 3-17 Connection Description
Figure 3-19 Dial the number
Character string CONNECT9600 is displayed on the terminal. Then a prompt such as <H3C> appears when
you press Enter.
Figure 3-20 Configuration page
Execute commands to configure the device or check the running status of the device. To get help,
type ?.
• To terminate the connection between the PC and device, execute the ATH command on the
terminal to terminate the connection between the PC and modem. If you cannot execute the
command on the terminal, input AT+ + + and then press Enter. When you are prompted OK,
execute the ATH command, and the connection is terminated if OK is displayed. You can also
terminate the connection between the PC and device by clicking on the HyperTerminal window.
• Do not close the HyperTerminal directly. Otherwise, the remote modem may remain online, and
you will fail to dial in the next time.
Three authentication modes are available for modem dial-in login: none, password, and scheme.
• none: Requires no username and password at the next login through modems. This mode is
insecure.
• password: Requires password authentication at the next login through the console port. Keep
your password. If you lose your password, log in to the device through the console port to view or
modify the password.
• scheme: Requires username and password authentication at the next login through the console
port. Authentication falls into local authentication and remote authentication. To use local
authentication, configure a local user and related parameters. To use remote authentication,
configure the username and password on the remote authentication server. For more information
about authentication modes and parameters, see AAA Configuration in the Security
Configuration Guide. Keep your username and password. If you lose your password, see H3C
Series Ethernet Switches Login Password Recovery Manual for password recovery.
The following table lists modem login configurations for different authentication modes:
Authentication mode: Password
Configuration: Configure to authenticate users by using the local password. Set the local password.
Remarks: For more information, see Configuring Password Authentication for Modem Login.

Configuration: Select an authentication scheme.
Remote AAA authentication: Configure the AAA scheme used by the domain. Configure the username and
password on the AAA server.
Local authentication: Configure the authentication username and password. Configure the AAA scheme
used by the domain as local.
Modem login authentication changes do not take effect until you exit the CLI and log in again.
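A check for the three authentication modes described above, as an added example that is not part of the H3C guide: it reads user-interface blocks from configuration text and reports interfaces that log users in with none authentication, use password mode without a local password, set the password with the simple keyword, or have no inbound ACL on VTY lines. The sample configuration is constructed, the one-space indentation of sub-commands is an assumption, and the function names and finding identifiers are hypothetical.

```python
import re

# Constructed sample in the style of a saved configuration (not from the guide).
# Assumption: commands inside a user-interface view are indented by one space.
SAMPLE_CONFIG = """\
#
user-interface aux 0
 authentication-mode none
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode scheme
user-interface vty 5 15
 authentication-mode password
 set authentication password simple Example-Only-1
#
"""

# Finding identifiers are hypothetical names used only by this example.
DESCRIPTIONS = {
    "AUTH_NONE": "login requires no username or password",
    "PASSWORD_NOT_SET": "password mode selected but no local password configured",
    "PASSWORD_PLAINTEXT": "local password configured with simple instead of cipher",
    "NO_LOGIN_ACL": "no inbound ACL restricts which hosts may log in",
}


def parse_user_interfaces(config_text):
    """Map each user-interface header ('aux 0', 'vty 0 4') to its sub-commands."""
    blocks, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("user-interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" ") and line.strip():
            blocks[current].append(line.strip())
        else:
            current = None  # any unindented line closes the view
    return blocks


def audit_user_interfaces(config_text):
    """Return a sorted list of (interface, finding-id) tuples."""
    findings = []
    for name, cmds in parse_user_interfaces(config_text).items():
        mode = None
        for cmd in cmds:
            match = re.fullmatch(r"authentication-mode\s+(none|password|scheme)", cmd)
            if match:
                mode = match.group(1)
        if mode is None and name.startswith("aux"):
            # The guide states that console/modem login is unauthenticated by default.
            mode = "none"
        has_password = any(c.startswith("set authentication password ") for c in cmds)
        has_acl = any(re.fullmatch(r"acl\s+\d+\s+inbound", c) for c in cmds)
        if mode == "none":
            findings.append((name, "AUTH_NONE"))
        if mode == "password" and not has_password:
            findings.append((name, "PASSWORD_NOT_SET"))
        if any(c.startswith("set authentication password simple ") for c in cmds):
            findings.append((name, "PASSWORD_PLAINTEXT"))
        if name.startswith("vty") and not has_acl:
            findings.append((name, "NO_LOGIN_ACL"))
    return sorted(findings)


if __name__ == "__main__":
    for interface, finding in audit_user_interfaces(SAMPLE_CONFIG):
        print(f"user-interface {interface}: {finding}: {DESCRIPTIONS[finding]}")
```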
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For how to log in to the device with default configuration, see Configuration
Requirements.
Configuration procedure
Follow these steps to configure none authentication for modem login:
To do: Specify the none authentication mode
Use the command: authentication-mode none
Remarks: Required. By default, users that log in through the console port are not authenticated.

To do: Configure common settings for VTY user interfaces
Use the command: —
Remarks: Optional. See Configuring Common Settings for VTY User Interfaces (Optional).
After the configuration, when you log in to the device through modems, you are prompted to press
Enter. A prompt such as <H3C> appears after you press Enter, as shown in Figure 3-21.
Figure 3-21 Configuration page
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For how to log in to the device with default configuration, see Configuration
Requirements.
Configuration procedure
Follow these steps to configure password authentication for modem login:
Remarks: Required

To do: Set the local password
Use the command: set authentication password { cipher | simple } password
Remarks: Required. By default, no local password is set.

To do: Configure common settings for VTY user interfaces
Use the command: —
Remarks: Optional. For more information, see Configuring Common Settings for VTY User Interfaces (Optional).
After the configuration, when you log in to the device through modems, you are prompted to enter a
login password. A prompt such as <H3C> appears after you input the password and press Enter, as
shown in Figure 3-22.
Figure 3-22 Configuration page
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For how to log in to the device with default configuration, see Configuration
Requirements.
Configuration procedure
Follow these steps to configure scheme authentication for modem login:
Remarks: Required

To do: Enable command authorization
Use the command: command authorization
Remarks: Optional.
• By default, command authorization is not enabled.
• By default, command level for a login user depends on the user privilege level. The user is
authorized the command with the default level not higher than the user privilege level. With the
command authorization configured, the command level for a login user is determined by both the
user privilege level and AAA authorization. If a user executes a command of the corresponding
command level, the authorization server checks whether the command is authorized. If yes, the
command can be executed.

Remarks: Optional

To do: Specify the service type for the local user
Use the command: service-type terminal
Remarks: Required. By default, no service type is specified.

To do: Configure common settings for VTY user interfaces
Use the command: —
Remarks: Optional. See Configuring Common Settings for VTY User Interfaces (Optional).
After you enable command authorization, you need to perform the following configuration to make the
function take effect:
• Create a HWTACACS scheme, and specify the IP address of the authorization server and other
authorization parameters. For more information, see AAA Configuration in the Security
Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information, see AAA
Configuration in the Security Configuration Guide.
After you enable command accounting, you need to perform the following configuration to make the
function take effect:
• Create a HWTACACS scheme, and specify the IP address of the accounting server and other
accounting parameters. For more information, see AAA Configuration in the Security
Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information, see AAA
Configuration in the Security Configuration Guide.
When users adopt the scheme mode to log in to the device, the level of the commands that the users
can access depends on the user privilege level defined in the AAA scheme.
• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute
level level command.
• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the
RADIUS or HWTACACS server.
For more information about AAA, RADIUS, and HWTACACS, see AAA Configuration in the Security
Configuration Guide.
After the configuration, when you log in to the device through modems, you are prompted to enter a
login username and password. A prompt such as <H3C> appears after you input the password and
username and press Enter, as shown in Figure 3-23.
Figure 3-23 Configuration page
Remarks: Optional

To do: Configure the parity check mode
Use the command: parity { even | mark | none | odd | space }
Remarks: Optional. By default, the parity check mode of the AUX port is set to none, which means no check bit.

Remarks: Optional

Remarks: Optional

Remarks: Optional

To do: Set the maximum number of lines on the next screen
Use the command: screen-length screen-length
Remarks: Optional. By default, the next screen displays 24 lines at most. A value of 0 disables the function.

Remarks: Optional

To do: Configure the modem to operate in the auto-answer mode
Use the command: modem auto-answer
Remarks: Optional. Manual answer mode applies by default.
• The common settings configured for Console login take effect immediately. If you configure the
common settings after you log in through the Console port, the current connection may be
interrupted. Therefore, use another login method. After you configure common settings for
Console login, you need to modify the settings on the terminal to make them consistent with those
on the device.
• The baud rate of the Console port must be lower than the transmission rate of the modem.
Otherwise, packets may be lost.
4 NMS Login
This chapter includes these sections:
• NMS Login Overview
• Configuring NMS Login
• NMS Login Example
Object Requirements
Device Make sure the device and the NMS can reach each other
NMS Configure the NMS. For more information, see the manual of your NMS
To do: Enable SNMP agent
Use the command: snmp-agent
Remarks: Optional. Disabled by default. You can enable SNMP agent with this command or any command
that begins with snmp-agent.

To do: Add a user to the SNMP group
Use the command: snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number ]
Remarks: Required. If the cipher keyword is specified, both auth-password and priv-password are
cipher text passwords.

Remarks: Optional. Disabled by default.

To do: Configure SNMP NMS access right, Directly: Configure an SNMP community
Use the command: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
Remarks: Required. Use either approach. The direction configuration approach is for SNMPv1 or
The device supports three SNMP versions: SNMPv1, SNMPv2C and SNMPv3. For more information
about SNMP, see SNMP Configuration in the Network Management and Monitoring Configuration
Guide.
Figure 4-2 iMC login page
Type the username and password, and then click Login. The iMC homepage appears, as shown in
Figure 4-3.
Figure 4-3 iMC homepage
Log in to the iMC and configure SNMP settings for the iMC to find the device. After the device is found,
you can manage and maintain the device through the iMC. For example, query device information or
configure device parameters.
The SNMP settings on the iMC must be the same as those configured on the device. If not, the device
cannot be found or managed by the iMC. See the iMC manuals for more information.
Click Help in the upper right corner of each configuration page to get corresponding help information.
5 User Login Control
This chapter includes these sections:
• User Login Control Overview
• Configuring Login Control over Telnet Users
• Configuring Source IP-Based Login Control over NMS Users
Before configuration, determine the permitted or denied source IP addresses, source MAC addresses,
and destination IP addresses.
Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement
source IP-based login control over telnet users. Basic ACLs are numbered from 2000 to 2999. For
more information about ACL, see ACL Configuration in the ACL and QoS Configuration Guide.
Follow these steps to configure source IP-based login control over telnet users:
To do… Use the command… Remarks
Required
Configuring Source and Destination IP-Based Login Control over Telnet Users
Because advanced ACLs can match both source and destination IP addresses of packets, you can
use advanced ACLs to implement source and destination IP-based login control over telnet users.
Advanced ACLs are numbered from 3000 to 3999. For more information about ACL, see ACL
Configuration in the ACL and QoS Configuration Guide.
Follow these steps to configure source and destination IP-based login control over telnet users:
Configure rules for the ACL rule [ rule-id ] { permit | deny } rule-string Required
To do… Use the command… Remarks
Required
Because Ethernet frame header ACLs can match the source MAC addresses of packets, you can use
Ethernet frame header ACLs to implement source MAC-based login control over telnet users. Ethernet
frame header ACLs are numbered from 4000 to 4999. For more information about ACL, see ACL
Configuration in the ACL and QoS Configuration Guide.
Follow these steps to configure source MAC-based login control over telnet users:
To do: Use the ACL to control user login by source MAC address
Use the command: acl acl-number inbound
Remarks: Required. inbound: Filters incoming telnet packets.
The above configuration does not take effect if the telnet client and server are not in the same subnet.
Network requirements
As shown in Figure 5-1, configure an ACL on the Device to permit only incoming telnet packets
sourced from Host A and Host B.
Figure 5-1 Network diagram for configuring source MAC-based login control
Configuration procedure
# Configure basic ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to
permit packets sourced from Host A.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit
# Reference ACL 2000 in user interface view to allow telnet users from Host A and Host B to access
the Device.
[Sysname] user-interface vty 0 15
[Sysname-ui-vty0-15] acl 2000 inbound
Configuration Preparation
Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement
source IP-based login control over NMS users. Basic ACLs are numbered from 2000 to 2999. For
more information about ACL, see ACL Configuration in the ACL and QoS Configuration Guide.
Follow these steps to configure source IP-based login control over NMS users:
To do: Associate the user with the ACL
Use the command: snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number ]
Network requirements
As shown in Figure 5-2, configure the device to allow only NMS users from Host A and Host B to
access.
Figure 5-2 Network diagram for configuring source IP-based login control over NMS users
Configuration procedure
# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit
packets sourced from Host A.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit
# Associate the ACL with the SNMP community and the SNMP group.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
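How ACL 2000 decides which source addresses may log in, for both the telnet example (Figure 5-1) and the NMS example (Figure 5-2), as an added example that is not part of the H3C guide. It models basic ACL rules under match-order config (rules tried in ascending rule ID, wildcard bits set to 1 ignored) and assumes that a source matching no rule is refused, which is what the stated goal of both examples (only Host A and Host B are allowed) implies. ACL 2001, the source any form, and the function names are constructed for illustration.

```python
import ipaddress
import re

# ACL 2000 as configured in the two examples above.
ACL_2000 = """\
acl number 2000 match-order config
 rule 1 permit source 10.110.100.52 0
 rule 2 permit source 10.110.100.46 0
"""

# Constructed ACL (not from the guide): one excluded host inside a permitted
# range, with the rules deliberately listed out of rule-ID order.
ACL_CONSTRUCTED = """\
acl number 2001 match-order config
 rule 10 permit source 10.110.100.0 0.0.0.255
 rule 5 deny source 10.110.100.60 0
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(any|\S+)(?:\s+(\S+))?\s*$"
)


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_basic_acl(text):
    """Return [(rule_id, action, address, wildcard)] sorted by rule ID."""
    lines = text.strip().splitlines()
    if "match-order auto" in lines[0]:
        raise ValueError("only match-order config is modelled here")
    rules = []
    for line in lines[1:]:
        match = RULE_RE.match(line.strip())
        if not match:
            raise ValueError(f"unsupported rule: {line.strip()!r}")
        rule_id, action, addr, wildcard = match.groups()
        if addr == "any":
            address, wild = 0, 0xFFFFFFFF  # every bit is "don't care"
        elif wildcard is None:
            raise ValueError(f"missing wildcard: {line.strip()!r}")
        else:
            address = _to_int(addr)
            # "0" is the host wildcard 0.0.0.0: every address bit must match.
            wild = 0 if wildcard == "0" else _to_int(wildcard)
        rules.append((int(rule_id), action, address, wild))
    return sorted(rules)  # match-order config: ascending rule ID


def evaluate(rules, source_ip):
    """Return (action, rule_id) of the first matching rule for source_ip."""
    src = _to_int(source_ip)
    for rule_id, action, address, wild in rules:
        care = ~wild & 0xFFFFFFFF  # bits that must be equal
        if (src ^ address) & care == 0:
            return action, rule_id
    # Assumption: a login source that matches no rule is refused.
    return "deny", None


if __name__ == "__main__":
    for acl, hosts in (
        (ACL_2000, ["10.110.100.52", "10.110.100.46", "10.110.100.53"]),
        (ACL_CONSTRUCTED, ["10.110.100.60", "10.110.100.61", "10.110.101.61"]),
    ):
        rules = parse_basic_acl(acl)
        for host in hosts:
            print(acl.splitlines()[0], host, evaluate(rules, host))
```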
6 FTP Configuration
When configuring FTP, go to these sections for information you are interested in:
• FTP Overview
• Configuring the FTP Client
• Configuring the FTP Server
• Displaying and Maintaining FTP
FTP Overview
Introduction to FTP
The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and
client over a TCP/IP network.
FTP uses TCP ports 20 and 21 for file transfer. Port 20 is used to transmit data, and port 21 to transmit
control commands. Refer to RFC 959 for details of FTP basic operation.
FTP transfers files in two modes:
• Binary mode: transfers files as raw data, like .app, .bin, and .btm files.
• ASCII mode: transfers files as text, like .txt, .bat, and .cfg files.
Operation of FTP
FTP adopts the client/server model. Your device can function either as the client or as the server (as
shown in Figure 6-1).
• When the device serves as the FTP client and the PC serves as the FTP server, execute the ftp
command on the device to establish a connection to the FTP server and upload/download files
to/from the server.
• When the device serves as the FTP server and the PC serves as the FTP client, run the FTP
client program on the PC to establish a connection to the FTP server and upload/download files
to/from the server.
Figure 6-1 Network diagram for FTP
When the device serves as the FTP client, you need to perform the following configuration:
Table 6-1 Configuration when the device serves as the FTP client
When the device serves as the FTP server, you need to perform the following configuration:
Table 6-2 Configuration when the device serves as the FTP server
Enable the FTP server function: Disabled by default. You can use the display ftp-server command to
view the FTP server configuration on the device.
PC (FTP client): Use the FTP client program to log in to the FTP server. You can log in to the FTP
server only after you input the correct FTP username and password.
• Make sure that the FTP server and the FTP client are reachable to each other before establishing
the FTP connection; otherwise the connection fails.
• When you use IE to log in to the device serving as the FTP server, part of the FTP functions is not
available. This is because multiple connections are established during the login process but the
device supports only one connection at a time.
Configuring the FTP Client
Only users with the manage level can use the ftp command to log in to an FTP server, enter FTP client
view, and execute directory and file related commands. However, whether the commands can be
executed successfully depends on the authorizations of the FTP server.
To access an FTP server, an FTP client must establish a connection with the FTP server. Two ways are
available to establish a connection: using the ftp command to establish the connection directly; using
the open command in FTP client view.
Before using the ftp command to establish an FTP connection, you can perform source address binding.
Source address binding means configuring an IP address on a stable interface, such as a loopback
interface, and then using this IP address as the source IP address of an FTP connection. Source
address binding simplifies the configuration of ACL rules and security policies: you only need to
specify this address as the source or destination address argument in an ACL rule to filter
inbound and outbound packets on the device, regardless of the differences between interface IP
addresses and the effect of interface statuses. You can configure the source address by configuring
the source interface or the source IP address. If you configure a source interface, the primary IP
address configured on that interface is the source address of the transmitted packets. The source
address of the transmitted packets is selected following these rules:
• If no source address is specified, the FTP client uses the IP address of the interface determined
by the matched route as the source IP address to communicate with an FTP server.
• If the source address is specified with the ftp client source or ftp command, this source address
is used to communicate with an FTP server.
• If you use the ftp client source command and the ftp command to specify a source address
respectively, the source address specified with the ftp command is used to communicate with an
FTP server.
The source address specified with the ftp client source command is valid for all FTP connections and
the source address specified with the ftp command is valid only for the current FTP connection.
Follow these steps to establish an FTP connection (In IPv4 networking):
To do… Use the command… Remarks
Optional
• If no primary IP address is configured on the specified source interface, no FTP connection can be
established.
• If you use the ftp client source command to first configure the source interface and then the
source IP address of the transmitted packets, the newly configured source IP address will take
effect instead of the current source interface, and vice versa.
Operating the Directories on an FTP Server
After the device serving as the FTP client has established a connection with an FTP server (For how to
establish an FTP connection, refer to Establishing an FTP Connection.), you can create or delete
folders under the authorized directory of the FTP server.
Follow these steps to operate the directories on an FTP server:
Query a directory or file on the remote FTP server ls [ remotefile [ localfile ] ] Optional
After the device serving as the FTP client has established a connection with an FTP server (For how to
establish an FTP connection, refer to Establishing an FTP Connection.), you can upload a file to or
download a file from the FTP server under the authorized directory of the FTP server by following
these steps:
1) Use the dir or ls command to display the directory and the location of the file on the FTP server.
2) Delete useless files for effective use of the storage space.
3) Set the file transfer mode. FTP transmits files in two modes: ASCII and binary. ASCII mode
transfers files as text. Binary mode transfers files as raw data.
4) Use the lcd command to display the local working directory of the FTP client. You can upload the
file under this directory, or save the downloaded file under this directory.
5) Upload or download the file.
Follow these steps to operate the files on an FTP server:
To do: Display detailed information about a directory or file on the remote FTP server
Use the command: dir [ remotefile [ localfile ] ]
Remarks: Optional. The ls command displays the name of a directory or file only, while the dir
command displays detailed information such as the file size and creation time.

Remarks: Optional
After the device serving as the FTP client has established a connection with the FTP server (For how
to establish an FTP connection, refer to Establishing an FTP Connection.), you can use another
username to log in to the FTP server.
This feature allows you to switch to different user levels without affecting the current FTP connection
(namely, the FTP control connection, data connection and connection status are not changed); if you
input an incorrect username or password, the current connection will be terminated, and you must log
in again to access the FTP server.
Follow the step below to use another username to log in to the FTP server:
After a device serving as the FTP client has established a connection with the FTP server (For how to
establish an FTP connection, refer to Establishing an FTP Connection.), you can perform the following
operations to locate and diagnose problems encountered in an FTP connection:
After the device serving as the FTP client has established a connection with the FTP server (For how
to establish an FTP connection, refer to Establishing an FTP Connection.), you can use any of the
following commands to terminate an FTP connection:
To do: Terminate the connection to the FTP server without exiting FTP client view
Use the command: close
Remarks: Optional. Equal to the disconnect command.

To do: Terminate the connection to the FTP server and return to user view
Use the command: bye
Remarks: Optional. Equal to the quit command in FTP client view.

To do: Terminate the connection to the FTP server and return to user view
Use the command: quit
Remarks: Optional. Available in FTP client view, equal to the bye command.
FTP Client Configuration Example (Distributed Device)
Network requirements
• As shown in Figure 6-2, use Device as an FTP client and PC as the FTP server. Their IP
addresses are 10.2.1.1/16 and 10.1.1.1/16 respectively. An available route exists between Device
and PC.
• Device downloads a startup file from PC for device upgrade, and uploads the configuration file to
PC for backup.
• On PC, an FTP user account has been created for the FTP client, with the username being abc
and the password being pwd.
Figure 6-2 Network diagram for FTPing a startup file from an FTP server
Configuration procedure
If the available memory space of the device is not enough, use the fixdisk command to clear the
memory or use the delete /unreserved file-url command to delete the files not in use and then perform
the following operations.
[ftp] get newest.app slot1#flash:/newest.app
# Upload the configuration file config.cfg of Device to the server for backup.
[ftp] ascii
200 Type set to A.
[ftp] put config.cfg back-config.cfg
227 Entering Passive Mode (10,1,1,1,4,2).
125 ASCII mode data connection already open, transfer starting for /config.cfg.
226 Transfer complete.
FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.
[ftp] bye
# Specify newest.app as the main startup file to be used at the next startup.
• Specify newest.app as the main startup file to be used at the next startup for the AMB.
<Sysname> boot-loader file newest.app slot 0 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on slot 0!
• Specify newest.app as the main startup file to be used at the next startup for the SMB (in slot 1).
<Sysname> boot-loader file slot1#flash:/newest.app slot 1 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on slot 1!
# Reboot the device, and the startup file is updated at the system reboot.
<Sysname> reboot
The startup file used for the next startup must be saved under the root directory of the storage medium.
You can copy or move a file to the root directory of the storage medium. For the details of the
boot-loader command, refer to Upgrading Software Commands in the Fundamentals Command
Reference.
Network requirements
• As shown in Figure 6-3, Device is an IRF system, which is composed of a master and a slave. The
member ID of the master is 1, and the slot numbers of the AMB and the SMB on the master are 0
and 1 respectively. The member ID of the slave is 2, and the slot numbers of the AMB and SMB
on the slave are 0 and 1 respectively.
• Device serves as an FTP client. PC serves as the FTP server. Their IP addresses are as shown in
the following figure. Device and PC are reachable to each other.
• Device downloads a startup file from PC for upgrade, and uploads the configuration file to PC for
backup.
• On PC, an FTP user account has been created for the FTP client, with the username being abc
and the password being pwd.
Figure 6-3 Network diagram for FTPing a startup file from an FTP server
Configuration procedure
If the available memory space of the device is insufficient, use the fixdisk command to clear the
memory or use the delete /unreserved file-url command to delete the files not in use and then perform
the following operations.
[ftp] ascii
200 Type set to A.
[ftp] put config.cfg back-config.cfg
227 Entering Passive Mode (10,1,1,1,4,2).
125 ASCII mode data connection already open, transfer starting for /config.cfg.
226 Transfer complete.
FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.
[ftp] bye
# Specify newest.app as the main startup file to be used at the next startup for the AMB of the IRF.
<Sysname> boot-loader file newest.app chassis 1 slot 0 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on chassis 1 slot 0!
# Specify newest.app as the main startup file to be used at the next startup for the SMBs of the IRF.
<Sysname> boot-loader file chassis1#slot1#flash:/newest.app chassis 1 slot 1 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on chassis 1 slot 1!
<Sysname> boot-loader file chassis2#slot0#flash:/newest.app chassis 2 slot 0 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on chassis 2 slot 0!
<Sysname> boot-loader file chassis2#slot1#flash:/newest.app chassis 2 slot 1 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on chassis 2 slot 1!
# Reboot the device, and the startup file is updated at the system reboot.
<Sysname> reboot
The startup file used for the next startup must be saved under the root directory of the storage medium.
You can copy or move a file to the root directory of the storage medium. For the details of the
boot-loader command, refer to Upgrading Software Commands in the Fundamentals Command
Reference.
The FTP server uses one of the two modes to update a file when you upload the file (use the put
command) to the FTP server:
• In fast mode, the FTP server starts writing data to the storage medium after a file is transferred to
the memory. This prevents the existing file on the FTP server from being corrupted if an anomaly,
such as a power failure, occurs during a file transfer.
• In normal mode, the FTP server writes data to the storage medium while receiving data. This
means that any anomaly, such as a power failure, during file transfer might result in file
corruption on the FTP server. This mode, however, consumes less memory space than the fast
mode.
Follow these steps to configure the FTP server:
To do: Enable the FTP server
Use the command: ftp server enable
Remarks: Required. Disabled by default.

To do: Use an ACL to control FTP clients’ access to the device
Use the command: ftp server acl acl-number
Remarks: Optional. By default, no ACL is used to control FTP clients’ access to the device.

Remarks: Optional. 30 minutes by default.
To allow an FTP user to access certain directories on the FTP server, you need to create an account
for the user, authorizing access to the directories and associating the username and password with the
account.
The following configuration is used when the FTP server authenticates and authorizes a local FTP user.
If the FTP server needs to authenticate a remote FTP user, you need to configure authentication,
authorization and accounting (AAA) policy instead of the local user. For detailed configuration, refer to
AAA Configuration in the Security Configuration Guide.
In local authentication, the device checks the input username and password against those configured
on the device. In remote authentication, the device sends the input username and password to the
remote authentication server, which then checks whether they are consistent with those configured on
the device.
Follow these steps to configure authentication and authorization for FTP server:
To do: Create a local user and enter its view
Use the command: local-user user-name
Remarks: Required. No local user exists by default, and the system does not support FTP anonymous user access.
Required
To do: Configure user properties
Use the command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *
Remarks: Optional. By default, the FTP/SFTP users can access the root directory of the device, and the user level is 0. You can change the default configuration by using this command.
• For more information about the local-user, password, service-type ftp, and authorization-attribute commands, refer to AAA Commands in the Security Command Reference.
• When the device serves as the FTP server, FTP login users must be level 3 users if the client is to perform write operations (upload, delete, and create, for example) on the device’s file system. For other operations, such as read operations, the device places no restriction on the user level of the FTP login users; that is, any level from 0 to 3 is allowed.
FTP Server Configuration Example (Distributed Device)
Network requirements
• As shown in Figure 6-4, use Device as an FTP server, and the PC as the FTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC.
• PC keeps the updated startup file of the device. Use FTP to upgrade the device and back up the configuration file.
• Set the username to ftp and the password to pwd for the FTP client to log in to the FTP server.
Figure 6-4 Upgrading using the FTP server
Configuration procedure
1) Configure Device (FTP Server)
# Create an FTP user account ftp, set its password to pwd and the user privilege level to level 3 (the
manage level). Authorize ftp’s access to the root directory of the flash on the AMB, and specify ftp to
use FTP.
<Sysname> system-view
[Sysname] local-user ftp
[Sysname-luser-ftp] password simple pwd
[Sysname-luser-ftp] authorization-attribute level 3
[Sysname-luser-ftp] authorization-attribute work-directory flash:/
# To access the flash root directory of the SMB (in slot 1), execute this command:
[Sysname-luser-ftp] authorization-attribute work-directory slot1#flash:/
[Sysname-luser-ftp] service-type ftp
[Sysname-luser-ftp] quit
# Enable FTP server.
[Sysname] ftp server enable
[Sysname] quit
# Check files on your device. Remove those redundant to ensure adequate space for the startup file to
be uploaded.
<Sysname> dir
Directory of flash:/
• You can take the same steps to upgrade the configuration file with FTP. When upgrading the configuration file with FTP, put the new file under the root directory of the storage medium.
• After you finish upgrading the Boot ROM program through FTP, you must execute the bootrom update command to upgrade the Boot ROM.
3) Upgrade Device
# Copy the startup file newest.app to the root directory of the storage medium on the SMB (in slot 1).
<Sysname> copy newest.app slot1#flash:/
# Specify newest.app as the main startup file to be used at the next startup.
• Specify newest.app as the main startup file to be used at the next startup for the AMB.
<Sysname> boot-loader file newest.app slot 0 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on slot 0!
• Specify newest.app as the main startup file to be used at the next startup for the SMB (in slot 1).
<Sysname> boot-loader file slot1#flash:/newest.app slot 1 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on slot 1!
# Reboot the device and the startup file is updated at the system reboot.
<Sysname> reboot
The startup file used for the next startup must be saved under the root directory of the storage medium.
You can copy or move a file to the root directory of the storage medium. For the details of the
boot-loader command, refer to Upgrading Software Commands in the Fundamentals Command
Reference.
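An audit of the FTP server settings used in the example above, added here as an illustration and not part of the H3C guide: it reads configuration text and reports the points a reviewer would check (no ftp server acl, password simple, a level 3 FTP user, a root work-directory). The sample configuration, its layout, the user backup, ACL number and all function names are constructed assumptions.

```python
import re

# Constructed sample: the commands from the example above laid out as a saved
# configuration (the one-space indentation and '#' separators are assumed).
SAMPLE_CONFIG = """\
#
local-user ftp
 password simple pwd
 authorization-attribute level 3
 authorization-attribute work-directory flash:/
 service-type ftp
#
local-user backup
 password cipher PLACEHOLDER
 authorization-attribute level 0 work-directory flash:/backup
 service-type ftp
#
 ftp server enable
#
"""


def parse_config(text):
    """Split configuration text into global commands and per-user commands."""
    global_cmds, users, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":        # '#' closes the current view
            current = None
            continue
        m = re.fullmatch(r"local-user (\S+)", line)
        if m:
            current = users.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
        else:
            global_cmds.append(line)
    return global_cmds, users


def user_attributes(cmds):
    """Collect authorization-attribute key/value pairs; each key takes one value."""
    attrs = {}
    for cmd in cmds:
        tokens = cmd.split()
        if tokens[0] == "authorization-attribute":
            attrs.update(zip(tokens[1::2], tokens[2::2]))
    return attrs


def audit_ftp(text):
    """Return a sorted list of (subject, finding) pairs for the FTP server."""
    global_cmds, users = parse_config(text)
    if "ftp server enable" not in global_cmds:
        return []                          # the FTP server is disabled by default
    findings = []
    if not any(c.startswith("ftp server acl ") for c in global_cmds):
        findings.append(("global", "no-ftp-acl"))
    for name, cmds in users.items():
        services = [c.split()[1:] for c in cmds if c.startswith("service-type ")]
        if not any("ftp" in s for s in services):
            continue                       # not an FTP account
        attrs = user_attributes(cmds)
        # 'password simple' leaves the password readable in the configuration.
        if any(c.startswith("password simple ") for c in cmds):
            findings.append((name, "plaintext-password"))
        # Per the guide: the default level is 0 and write operations need level 3.
        if attrs.get("level", "0") == "3":
            findings.append((name, "write-level"))
        # Per the guide: without work-directory the user gets the root directory.
        if attrs.get("work-directory", "flash:/").endswith(":/"):
            findings.append((name, "root-work-directory"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit_ftp(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```
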
FTP Server Configuration Example (Distributed IRF Device)
Network requirements
• As shown in Figure 6-5, Device is an IRF system, which is composed of a master and a slave. The member ID of the master is 1, and the slot numbers of the AMB and the SMB on the master are 0 and 1 respectively. The member ID of the slave is 2, and the slot numbers of the AMB and SMB on the slave are 0 and 1 respectively.
• Device serves as an FTP server and PC as the FTP client. Their IP addresses are as shown in the following figure. Device and PC are reachable to each other.
• Device downloads a startup file from PC for upgrade, and uploads the configuration file to PC for backup.
• On PC, an FTP user account has been created for the FTP client, with the username being abc and the password being pwd.
Figure 6-5 Network diagram for FTPing a startup file from an FTP server
Configuration procedure
If the available memory space of the device is insufficient, use the fixdisk command to clear the
memory or use the delete /unreserved file-url command to delete the files not in use and then perform
the following operations.
[Sysname-luser-ftp] authorization-attribute work-directory chassis2#slot1#flash:/
[Sysname-luser-ftp] service-type ftp
[Sysname-luser-ftp] quit
# Enable FTP server.
[Sysname] ftp server enable
[Sysname] quit
2) Configure the PC (FTP Client)
# Log in to the FTP server through FTP.
c:\> ftp 1.1.1.1
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
# Download the configuration file config.cfg of the device to the PC for backup.
ftp> get config.cfg back-config.cfg
# Upload the configuration file newest.app to the root directory of the storage medium on the AMB of
the IRF.
ftp> put newest.app
ftp> bye
• You can take the same steps to upgrade the configuration file with FTP. When upgrading the configuration file with FTP, put the new file under the root directory of the storage medium.
• After you finish upgrading the Boot ROM program through FTP, you must execute the bootrom update command to upgrade the Boot ROM.
3) Upgrade Device
# Copy the startup file newest.app from PC to the root directory of the storage media of the SMBs of
the IRF (the member ID and slot number of the member device where one SMB resides are both 1; the
member ID and slot number of the member device where another SMB resides are 2 and 0
respectively; the member ID and slot number of the member device where the third SMB resides are 2
and 1 respectively).
<Sysname> copy newest.app chassis1#slot1#flash:/
<Sysname> copy newest.app chassis2#slot0#flash:/
<Sysname> copy newest.app chassis2#slot1#flash:/
# Specify newest.app as the main startup file to be used at the next startup for all the main boards of
the IRF.
<Sysname> boot-loader file newest.app chassis 1 slot 0 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on chassis 1 slot 0!
<Sysname> boot-loader file chassis1#slot1#flash:/newest.app chassis 1 slot 1 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on chassis 1 slot 1!
<Sysname> boot-loader file chassis2#slot0#flash:/newest.app chassis 2 slot 0 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on chassis 2 slot 0!
<Sysname> boot-loader file chassis2#slot1#flash:/newest.app chassis 2 slot 1 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on chassis 2 slot 1!
# Reboot the device, and the startup file is updated at the system reboot.
<Sysname> reboot
The startup file used for the next startup must be saved under the root directory of the storage medium.
You can copy or move a file to the root directory of the storage medium. For the details of the
boot-loader command, refer to Upgrading Software Commands in the Fundamentals Command
Reference.
To do: Display the configuration of the FTP server
Use the command: display ftp-server
Remarks: Available in any view
7 TFTP Configuration
When configuring TFTP, go to these sections for information you are interested in:
• TFTP Overview
• Configuring the TFTP Client
• Displaying and Maintaining the TFTP Client
• TFTP Client Configuration Example (Distributed Device)
• TFTP Client Configuration Example (Distributed IRF Device)
TFTP Overview
Introduction to TFTP
The Trivial File Transfer Protocol (TFTP) provides functions similar to those provided by FTP, but it is
less complex than FTP in interactive access interface and authentication. Therefore, it is more suitable
in environments where complex interaction is not needed between client and server.
TFTP uses the UDP port 69 for data transmission. For TFTP basic operation, refer to RFC 1986.
In TFTP, file transfer is initiated by the client.
• In a normal file downloading process, the client sends a read request to the TFTP server, receives data from the server, and then sends the acknowledgement to the server.
• In a normal file uploading process, the client sends a write request to the TFTP server, sends data to the server, and receives the acknowledgement from the server.
TFTP transfers files in two modes:
• Binary mode for program file transmission, like files with the suffixes .app, .bin, or .btm.
• ASCII mode for text file transmission, like files with the suffixes .txt, .bat, or .cfg.
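The download exchange and the two transfer modes described above, as an added example that is not part of the H3C guide: it builds and parses the standard TFTP packets (read request, write request, data, acknowledgement) and replays a constructed download in memory, without any network access. The file contents, the function names and the choice of binary mode for suffixes the guide does not list are assumptions.

```python
import struct

RRQ, WRQ, DATA, ACK = 1, 2, 3, 4          # standard TFTP opcodes
BLOCK_SIZE = 512                          # standard TFTP data block size
TEXT_SUFFIXES = (".txt", ".bat", ".cfg")  # ASCII-mode suffixes named in the guide


def mode_for(filename):
    """Pick the wire mode: 'netascii' (ASCII) for text suffixes, else 'octet' (binary)."""
    return "netascii" if filename.lower().endswith(TEXT_SUFFIXES) else "octet"


def build_request(opcode, filename, mode):
    """RRQ/WRQ: opcode, file name, NUL, mode, NUL. There is no credential field."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload   # block numbers are 16-bit


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def parse_packet(packet):
    """Decode one TFTP packet into a dict; raise ValueError if it is malformed."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (RRQ, WRQ):
        fields = packet[2:].split(b"\0")
        if len(fields) < 3 or not fields[0]:
            raise ValueError("malformed request")
        return {"op": "RRQ" if opcode == RRQ else "WRQ",
                "file": fields[0].decode(), "mode": fields[1].decode().lower()}
    if opcode in (DATA, ACK):
        (block,) = struct.unpack("!H", packet[2:4])
        if opcode == ACK:
            return {"op": "ACK", "block": block}
        return {"op": "DATA", "block": block, "payload": packet[4:]}
    raise ValueError("unsupported opcode %d" % opcode)


def simulate_download(filename, content):
    """Replay a download in memory; return (transcript, bytes the client received).

    The payload is passed through unchanged; netascii line-ending conversion
    is not modelled here.
    """
    request = build_request(RRQ, filename, mode_for(filename))
    transcript = [("client", parse_packet(request))]
    received, block = b"", 1
    while True:
        chunk = content[(block - 1) * BLOCK_SIZE:block * BLOCK_SIZE]
        data = parse_packet(build_data(block, chunk))      # server -> client
        transcript.append(("server", data))
        received += data["payload"]
        transcript.append(("client", parse_packet(build_ack(data["block"]))))
        if len(chunk) < BLOCK_SIZE:        # a short (or empty) block ends the transfer
            break
        block += 1
    return transcript, received


if __name__ == "__main__":
    # Constructed input: 1100 zero bytes standing in for a startup file.
    log, data = simulate_download("newest.app", bytes(1100))
    for sender, packet in log:
        summary = {k: v for k, v in packet.items() if k != "payload"}
        print(sender, summary, len(packet.get("payload", b"")))
```

Because the request carries only a file name and a mode, any access restriction has to come from outside the protocol, such as the ACL and source-address settings this chapter goes on to describe.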
Operation of TFTP
Only the TFTP client service is available with your device at present.
Before using TFTP, the administrator needs to configure IP addresses for the TFTP client and server,
and make sure that there is a reachable route between the TFTP client and server.
When the device serves as the TFTP client, you need to perform the following configuration:
Table 7-1 Configuration when the device serves as the TFTP client
the source address of the transmitted packets. The source address of the transmitted packets is
selected following these rules:
• If no source address of the TFTP client is specified, a device uses the IP address of the interface determined by the matched route as the source IP address to communicate with a TFTP server.
• If the source address is specified with the tftp client source or tftp command, this source address is adopted.
• If you use both the tftp client source command and the tftp command to specify a source address, the source address configured with the tftp command is used to communicate with a TFTP server.
The source address specified with the tftp client source command is valid for all TFTP connections, and the source address specified with the tftp command is valid only for the current TFTP connection.
Follow these steps to configure the TFTP client:
To do: Use an ACL to control the device’s access to TFTP servers
Use the command: tftp-server [ ipv6 ] acl acl-number
Remarks: Optional. By default, no ACL is used to control the device’s access to TFTP servers.
To do: Configure the source address of the TFTP client
Use the command: tftp client source { interface interface-type interface-number | ip source-ip-address }
Remarks: Optional. A device uses the source address determined by the matched route to communicate with the TFTP server by default.
• If no primary IP address is configured on the source interface, no TFTP connection can be established.
• If you use the ftp client source command to first configure the source interface and then the source IP address of the packets of the TFTP client, the new source IP address will overwrite the current one, and vice versa.
Configuration procedure
1) Configure PC (TFTP Server). The configuration procedure is omitted.
• On the PC, enable the TFTP server.
• Configure a TFTP working directory.
2) Configure Device (TFTP Client)
If the available memory space of the device is not enough, use the fixdisk command to clear the
memory or use the delete /unreserved file-url command to delete the files not in use and then perform
the following operations.
The startup file used for the next startup must be saved under the root directory of the storage medium.
You can copy or move a file to the root directory of the storage medium. For the details of the
boot-loader command, refer to Upgrading Software Commands in the Fundamentals Command
Reference.
• Device serves as a TFTP client and PC as the TFTP server. Their IP addresses are as shown in the following figure. Device and PC are reachable to each other.
• Device downloads a startup file from PC for upgrade and uploads a configuration file named config.cfg to PC for backup.
Figure 7-3 Smooth upgrading using the TFTP client function
Configuration procedure
1) Configure PC (TFTP Server). The detailed configuration procedure is omitted.
• On the PC, enable the TFTP server.
• Configure a TFTP working directory.
2) Configure Device (TFTP Client)
If the available memory space of the device is insufficient, use the fixdisk command to clear the
memory or use the delete /unreserved file-url command to delete the files not in use and then perform
the following operations.
# Specify newest.app as the main startup file to be used at the next startup for all the main boards of
the IRF.
<Sysname> boot-loader file newest.app chassis 1 slot 0 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on chassis 1 slot 0!
<Sysname> boot-loader file chassis1#slot1#flash:/newest.app chassis 1 slot 1 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on chassis 1 slot 1!
<Sysname> boot-loader file chassis2#slot0#flash:/newest.app chassis 2 slot 0 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on chassis 2 slot 0!
<Sysname> boot-loader file chassis2#slot1#flash:/newest.app chassis 2 slot 1 main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on chassis 2 slot 1!
# Reboot the device and the software is upgraded.
<Sysname> reboot
The startup file used for the next startup must be saved under the root directory of the storage medium.
You can copy or move a file to the root directory of the storage medium. For the details of the
boot-loader command, refer to Upgrading Software Commands in the Fundamentals Command
Reference.
8 File System Management
The S7500E Series Ethernet Switches are distributed devices supporting Intelligent Resilient
Framework (IRF). Two S7500E series can be connected together to form a distributed IRF device. If
an S7500E series is not in any IRF, it operates as a distributed device; if the S7500E series is in an
IRF, it operates as a distributed IRF device. For introduction of IRF, refer to IRF Configuration in the
IRF Configuration Guide.
When managing a file system, go to these sections for information you are interested in:
• File System
• Directory Operations
• File Operations
• Batch Operations
• Storage Medium Operations
• Setting File System Prompt Modes
• File System Operations Example
File System
File System Overview
A major function of the file system is to manage storage media. It allows you to perform operations
such as directory create and delete, and file copy and display.
File system operations fall into Directory Operations, File Operations, Batch Operations, Storage
Medium Operations, and Setting File System Prompt Modes.
Filename Formats
When you specify a file, you must enter the filename in one of the following formats.
Filename formats (distributed device):
Format Description Length Example
Format Description Length Example
Directory Operations
Directory operations include creating/removing a directory, displaying the current working directory,
displaying the specified directory or file information, and so on.
Displaying Directory Information
To do: Display directory or file information
Use the command: dir [ /all ] [ file-url ]
Remarks: Required. Available in user view.
Creating a Directory
To do: Create a directory
Use the command: mkdir directory
Remarks: Required. Available in user view.
Removing a Directory
To do: Remove a directory
Use the command: rmdir directory
Remarks: Required. Available in user view.
• The directory to be removed must be empty, meaning that before you remove a directory, you must delete all the files and subdirectories under this directory. For file deletion, refer to the delete command; for subdirectory deletion, refer to the rmdir command.
• After you execute the rmdir command successfully, the files in the recycle bin under the directory will be automatically deleted.
File Operations
File operations include displaying the specified directory or file information; displaying file contents;
renaming, copying, moving, removing, restoring, and deleting files.
You can create a file by copying, downloading or using the save command.
To do: Display file or directory information
Use the command: dir [ /all ] [ file-url ]
Remarks: Required. Available in user view.
Required
Renaming a File
To do: Rename a file
Use the command: rename fileurl-source fileurl-dest
Remarks: Required. Available in user view.
Copying a File
To do: Copy a file
Use the command: copy fileurl-source fileurl-dest
Remarks: Required. Available in user view.
Moving a File
To do: Move a file
Use the command: move fileurl-source fileurl-dest
Remarks: Required. Available in user view.
Deleting a File
• The files in the recycle bin still occupy storage space. To delete a file in the recycle bin, execute the reset recycle-bin command in the directory to which the file originally belonged. It is recommended to empty the recycle bin in a timely manner with the reset recycle-bin command to save storage space.
• The delete /unreserved file-url command deletes a file permanently, and the action cannot be undone. Executing this command is equivalent to executing the delete file-url command and then the reset recycle-bin command in the same directory.
Restoring a File from the Recycle Bin
To do: Restore a file from the recycle bin
Use the command: undelete file-url
Remarks: Required. Available in user view.
Optional
Batch Operations
A batch file is a set of executable commands. Executing a batch file is equivalent to executing the commands in the batch file one by one.
The following steps are recommended to execute a batch file:
1) Edit the batch file on your PC.
2) Download the batch file to the device. If the suffix of the file is not .bat, use the rename command
to change the suffix to .bat.
3) Execute the batch file.
Follow the steps below to execute a batch file:
To do… Use the command… Remarks
Execution of a batch file does not guarantee the successful execution of every command in the batch file. If a command is set incorrectly or the conditions for executing it are not satisfied, the command fails and the system skips to the next one.
When some space of a storage medium becomes inaccessible, due to abnormal operations for example, you can use the fixdisk command to restore the space of the storage medium. The format command formats the storage medium, and all the data on the storage medium is deleted.
Use the following commands to manage the storage medium space:
Optional
• When you format a storage medium, all the files stored on it are erased and cannot be restored. In particular, if there is a startup configuration file on the storage medium, formatting the storage medium results in loss of the startup configuration file.
• You can execute the fixdisk command for a storage medium on the active main board (AMB), but you cannot execute the command for a storage medium on the SMB (distributed device).
Mounting/Unmounting a Storage Medium
For a hot swappable storage medium (excluding flash), such as a CF card, you can use the mount and umount commands to mount or unmount it.
• By default, a storage medium is automatically mounted when connected to the device. However, when a storage medium is connected to a lower version system, the system cannot recognize the storage medium. To perform read and write operations to the storage medium, you must mount it.
• When a device is unmounted, it is in a disconnected state, and you can then remove the storage medium from the system safely. If you unplug a storage medium without unmounting it, files on the storage medium or even the storage medium itself may be damaged.
• An unmounted storage medium can be used only when it is mounted again.
Follow the steps below to mount/unmount a storage medium:
Optional
Optional
• When mounting or unmounting a storage medium, or performing file operations on it, do not unplug or switch over the storage medium or the card where the storage medium resides. Otherwise, the file system could be damaged.
• Before removing a mounted storage medium from the system, you should first unmount it to avoid damaging the storage medium.
To do… Use the command… Remarks
9 Configuration File Management
The device provides the configuration file management function with a user-friendly command line
interface (CLI) for you to manage the configuration files conveniently.
This section covers these topics:
• Configuration File Overview
• Configuration Display
• Saving the Current Configuration
• Setting Configuration Rollback
• Specifying a Startup Configuration File for the Next System Startup
• Backing Up the Startup Configuration File
• Deleting the Startup Configuration File for the Next Startup
• Restoring the Startup Configuration File
• Displaying and Maintaining Device Configuration
Types of Configuration
• Ends with a return.
Multiple configuration files can be stored on a storage medium of a device. You can save the
configuration used in different environments as different configuration files. In this case, when the
device moves between these networking environments, you just need to specify the corresponding
configuration file as the startup configuration file for the next boot of the device and restart the device,
so that the device can adapt to the network rapidly, saving the configuration workload.
Configuration Display
Follow these steps to display device configurations:
To do: Display the current validated configurations of the device
Use the command: display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | exclude | include } regular-expression ] ]
Remarks: Available in any view.
You can modify the current configuration on your device using command line interface. However, the
current configuration is temporary. To make the modified configuration take effect at the next boot of
the device, you must save the current configuration to the startup configuration file before the device
reboots.
1) Distributed device
• After the configuration file auto-save function is enabled, when you save the current configuration by executing the save [ safely ] command or executing the save filename all command and then pressing Enter, the AMB and SMB will automatically save the current configuration to the specified configuration file, and use the file as the configuration file for the next startup, thus keeping the consistency of the configuration files on the AMB and SMB.
• If the configuration file auto-save function is not enabled, when you save the current configuration by executing the save [ safely ] command or executing the save filename all command and then pressing Enter, only the AMB will automatically save the current configuration to the specified configuration file, and use the file as the configuration file for the next startup; the SMB will neither save the configuration file nor configure the file for the next startup.
2) Distributed IRF device
• After the configuration file auto-save function is enabled, when you save the current configuration by executing the save [ safely ] command or executing the save filename all command and then pressing Enter, each main board of an IRF will automatically save the current configuration to the specified configuration file, and use the file as the configuration file for its next startup, thus keeping the consistency of the configuration files on the AMB and SMBs of the IRF.
• If the configuration file auto-save function is not enabled, when you save the current configuration by executing the save [ safely ] command or executing the save filename all command and then pressing Enter, only the AMB of the IRF will automatically save the current configuration to the specified configuration file, and use the file as the configuration file for the next startup; the SMBs of the IRF will neither save the configuration file nor reconfigure the file for the next startup.
Follow these steps to configure the configuration file auto-save function:
To do: Enable configuration file auto-save
Use the command: slave auto-update config
Remarks: Optional. Enabled by default.
If you execute the save filename command and press Enter, the system saves the current
configuration to the specified path, but the SMB does not save the configuration.
• Fast saving mode. This is the mode when you use the save command without the safely keyword. The mode saves the file more quickly but is likely to lose the existing configuration file if the device reboots or the power fails during the process.
• Safe mode. This is the mode when you use the save command with the safely keyword. The mode saves the file more slowly but can retain the configuration file in the device even if the device reboots or the power fails during the process.
The fast saving mode is suitable for environments where power supply is stable. The safe mode,
however, is preferred in environments where stable power supply is unavailable or remote
maintenance is involved.
Follow the steps below to save the current configuration (distributed device):
Follow these steps to save the current configuration (distributed IRF device):
Configuration rollback allows you to revert to a previous configuration state based on a specified configuration file. The specified configuration file must be a valid .cfg file: one generated by the backup function (manually or automatically) or by the save command, or even a compatible configuration file from another device. You are recommended to use a configuration file generated by the backup function (manually or automatically). Configuration rollback is applied in the following situations:
• The current configurations are wrong, and there are too many wrong configurations to locate or to correct one by one. Rolling back the current configuration to a correct one is needed.
• The application environment has changed and the device has to run in a configuration state based on a previous configuration file without being rebooted.
Set configuration rollback following these steps:
1) Specify the filename prefix and path for saving the current configuration.
2) Save the current running configuration with the specified filename (filename prefix + serial number)
to the specified path. The current running configuration can be saved in two ways: the system
saves the current running configuration at a specified interval; or you can save the current running
configuration as needed.
3) Roll back the current running configuration to the configuration state based on a saved
configuration file. When the related command is entered, the system first compares and then
processes the differences between the current running configuration and the specified
replacement configuration file:
• The rollback operation does not execute the commands that are the same in the replacement configuration file and in the current configuration file.
• The rollback operation removes the commands only present in the current configuration file but not in the replacement configuration file; namely, the corresponding undo form commands are executed.
• The rollback operation executes the commands only present in the replacement configuration file but not in the current configuration file.
• The rollback operation removes the commands that are different in the replacement configuration file and in the current configuration file, and then executes them according to the replacement configuration file.
• The current running configuration is only saved to the AMB, and only the configuration on the AMB can be rolled back. However, the related configuration will be synchronized to the SMB to ensure the rollback of the configuration after an active/standby switchover. (distributed device)
• The current running configuration is only saved to the AMB of an IRF, and only the configuration on the AMB can be rolled back. However, the related configuration will be synchronized to the SMBs of the IRF to ensure the rollback of the configuration after the AMB of the IRF is changed. (distributed IRF device)
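The four comparison rules of step 3, as an added example that is not H3C's implementation: a preview that classifies the commands of a running configuration against a replacement file, so a reviewer can see whether a rollback would withdraw an access-control line before running it. The sample configurations are constructed; the file layout (unindented line opens a view, '#' closes it), the rule that two commands "differ" when they share a view and a first keyword, and the function names are assumptions, and undo actions are reported as actions rather than spelled out as CLI strings.

```python
# Constructed samples: a running configuration and an older archived file.
CURRENT_CFG = """\
#
 sysname Core
#
 tftp-server acl 2001
#
local-user ftp
 password simple pwd
 authorization-attribute level 0
 service-type ftp
#
return
"""

REPLACEMENT_CFG = """\
#
 sysname Lab
#
 ftp server enable
#
local-user ftp
 password simple pwd
 authorization-attribute level 3
 service-type ftp
#
return
"""

# Substrings that mark a command as worth a second look before rollback.
REVIEW_KEYWORDS = ("acl", "authorization-attribute", "password", "ftp server")


def commands_by_view(text):
    """Return ordered (view, command) pairs; view headers count as system commands."""
    view, pairs = "system", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":   # the file ends with a return
            continue
        if line == "#":
            view = "system"
        elif raw[0] == " ":
            pairs.append((view, line))
        else:                              # unindented line opens a view
            view = line
            pairs.append(("system", line))
    return pairs


def rollback_plan(current_text, replacement_text):
    """Return (unchanged, actions); actions are ('undo'|'execute', view, command)."""
    current = commands_by_view(current_text)
    replacement = commands_by_view(replacement_text)
    unchanged = [p for p in current if p in replacement]       # rule 1: skipped
    only_current = [p for p in current if p not in replacement]
    only_replacement = [p for p in replacement if p not in current]
    actions = []
    for view, old in only_current:
        actions.append(("undo", view, old))                    # rules 2 and 4
        keyword = old.split()[0]
        match = next((p for p in only_replacement
                      if p[0] == view and p[1].split()[0] == keyword), None)
        if match:                                              # rule 4: re-execute
            only_replacement.remove(match)
            actions.append(("execute",) + match)
    actions += [("execute",) + p for p in only_replacement]    # rule 3
    return unchanged, actions


def needs_review(actions):
    """Keep the actions that touch access control or credentials."""
    return [a for a in actions if any(k in a[2] for k in REVIEW_KEYWORDS)]


if __name__ == "__main__":
    same, plan = rollback_plan(CURRENT_CFG, REPLACEMENT_CFG)
    for action in plan:
        flag = "REVIEW" if action in needs_review(plan) else ""
        print(*action, flag)
```
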
Task Remarks
Task Remarks
Before the current running configuration is saved manually or automatically, the file path and filename
prefix must be configured. After that, the system saves the current running configuration with the
specified filename (filename prefix_serial number.cfg) to the specified path. The filename of a saved
configuration file is like 20080620archive_1.cfg, or 20080620archive_2.cfg. The saved configuration
files are numbered automatically, from 1 to 1,000 (with increment of 1). If the serial number reaches
1,000, it restarts from 1. If you change the path or filename prefix, or reboot the device, the saved file
serial number restarts from 1, and the system recounts the saved configuration files. If you change the
path of the saved configuration files, the files in the original path become common configuration files,
and are not processed as saved configuration files.
The number of saved configuration files has an upper limit. After the maximum number of files is saved,
the system deletes the oldest files when the next configuration file is saved.
Follow these steps to configure parameters for saving the current running configuration:
Required
• The saving and rollback operations are executed only on the AMB. To make the configuration rollback take effect on the new AMB after an active/standby switchover, execute the archive configuration location command to specify the path and filename prefix of the saved configuration file on both the AMB and SMB. Therefore, before the execution of this command, ensure that the specified path is available on both the AMB and SMB, and the path cannot include any slot number. (distributed device)
• The saving and rollback operations are executed only on the AMB of an IRF. To make the configuration rollback take effect on the new AMB after an AMB change, execute the archive configuration location command to specify the path and filename prefix of the saved configuration file on all the main boards of the IRF. Therefore, before the execution of this command, ensure that the specified path is available on all the main boards of the IRF, and the path cannot include any member ID and slot number. (distributed IRF device)
• If the undo archive configuration location command is executed, the current running configuration can be saved neither manually nor automatically, the settings made with the archive configuration interval and archive configuration max commands are restored to the defaults, and the saved configuration files are cleared.
• The value of the file-number argument is determined by the memory space. You are recommended to set a comparatively small value for the file-number argument if the available memory space is small.
You can configure the system to save the current running configuration at a specified interval, and use
the display archive configuration command to view the filenames and save time of the saved
configuration files, so as to roll back the current configuration to a previous configuration state.
Configure an automatic saving interval according to the storage medium performance and the
frequency of configuration modification:
• If the configuration of the device does not change frequently, you are recommended to save the
current running configuration manually as needed.
• If a low-speed storage medium (such as a flash) is used, you are recommended either to save the
current running configuration manually, or to configure automatic saving with an interval longer
than 1,440 minutes (24 hours).
• If a high-speed storage medium (such as a CF card) is used and the configuration of the device
changes frequently, you are recommended to set a shorter saving interval.
Follow these steps to automatically save the current running configuration:
The path and filename prefix of a saved configuration file must be specified before you configure the
automatic saving period.
Automatic saving of the current running configuration occupies system resources, and frequent saving
greatly affects system performance. Therefore, if the system configuration does not change frequently,
you are recommended to disable the automatic saving of the current running configuration and save it
manually.
In addition, automatic saving of the current running configuration is performed periodically, and manual
saving can immediately save the current running configuration. Therefore, before performing
complicated configuration, you can manually save the current running configuration so that the device
can revert to the previous state when the configuration fails.
Follow the step below to save the current running configuration manually:
The path and filename prefix of a saved configuration file must be specified before you save the
current running configuration manually; otherwise, the operation fails.
Do not unplug and plug a card during configuration rollback (that is, while the system is executing
the configuration replace file command). In addition, configuration rollback may fail if one of the
following situations is present (if a command cannot be rolled back, the system skips it and processes
the next one):
• The complete undo form of a command is not supported. That is, you cannot get the actual undo
form of the command by simply putting the keyword undo in front of the command, so the
complete undo form of the command cannot be recognized by the device.
• The configuration cannot be removed, such as hardware-related commands.
• Commands in different views are dependent on each other.
• If the replacement configuration file is not a complete file generated by using the save or archive
configuration command, or the file is copied from a different type of device, the configuration
cannot be rolled back. Ensure that the replacement configuration file is correct and compatible
with the current device.
Follow the step below to specify a configuration file as the startup configuration file for the next system
startup (distributed IRF device):
A configuration file must use .cfg as its extension name and the startup configuration file must be
saved under the root directory of the storage medium.
After the startup configuration file is deleted, the system will use the null configuration when the device
reboots.
Follow the step below to delete the startup configuration file for the next startup:
• This command will permanently delete the configuration files from the AMB and SMB. Use it with
caution. (distributed device)
• This command will permanently delete the configuration files from all the main boards of an IRF.
Use it with caution. (distributed IRF device)
• Before restoring a configuration file, ensure that the server is reachable, the server is enabled with
TFTP service, and the client has read and write permission.
• After execution of the command, use the display startup command (in user view) to verify that
the filename of the configuration file to be used at the next system startup is the same as that
specified by the filename argument.
Displaying and Maintaining Device Configuration
To do: Display the current configuration
Use the command: display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | include | exclude } text ] ]
Remarks: Available in any view
10 Software Upgrade Configuration
This chapter includes these sections:
• Device Software Overview
• Software Upgrade Methods
• Upgrading the Boot ROM Program Through a System Reboot
• Upgrading the Boot File Through a System Reboot
• Software Upgrade by Installing Hotfixes
For instructions about how to upgrade them through the Boot ROM menu, see the installation menu of
your device.
The upgrading at the CLI falls into three categories:
• Upgrading the Boot File Through a System Reboot (system boot file): This causes running service
interruption during the upgrade process, and is not recommended.
function enabled, the device can strictly check the Boot ROM upgrade files for correctness and the
version configuration information to ensure a successful upgrade.
Follow these steps to upgrade the Boot ROM program:
To do: Read, restore, back up, or upgrade the Boot ROM program on cards or subcards (distributed device)
Use the command: bootrom { backup | read | restore | update file file-url } slot slot-number-list [ all | part ]
Remarks: Required. All contents of the Boot ROM file are operated if the all and part keywords are not specified.
• To execute the bootrom command successfully, save the Boot ROM file in the root directory of
the storage media on the active main board (AMB). (distributed device)
• To execute the bootrom command successfully, save the Boot ROM file in a main board's root
directory of the storage medium on a specified member device. (distributed IRF member device)
To do: Specify a boot file for the next boot of the AMB or the SMB
Use the command: boot-loader file file-url slot slot-number { main | backup }
Remarks: Required. Available in user view.
• You must save the file to be used at the next device boot in the root directory of the device. You
can copy or move a file to change the path of it to the root directory.
• To execute the boot-loader command successfully, save the file to be used at the next device
boot in the root directory of the storage media on the AMB. (distributed device)
• The names of the files for the next boot of the AMB and the SMB may be different, but the
versions of the files must be the same; otherwise, the device may not boot normally. (distributed
device)
• To execute the boot-loader command successfully, save the file to be used at the next device
boot in a main board's root directory of the storage medium on a specified member device.
(distributed IRF member device)
Software Upgrade by Installing Hotfixes
Hotfix Overview
Hotfix is a fast, cost-effective method to repair software defects of a device. Compared with another
method, software version upgrade, hotfix can upgrade the software without interrupting the running
services of the device. In other words, it can repair the software defects of the current version without
rebooting the device.
Patch Status
Each patch has a state, which can be changed only by commands. The relationship between patch
state changes and command actions is shown in Figure 10-2. A patch can be in the IDLE,
DEACTIVE, ACTIVE, or RUNNING state. Load, run temporarily, confirm running, stop running, delete,
install, and uninstall are operations that correspond to the commands patch load, patch active,
patch run, patch deactive, patch delete, patch install, and undo patch install. For example, if you
execute the patch active command for patches in the DEACTIVE state, the patches turn to the
ACTIVE state.
Figure 10-2 Relationship between patch state changes and command actions
Information about patch states is saved in file patchstate on the flash. It is recommended not to
operate this file.
IDLE state
Patches in the IDLE state are not loaded. You cannot install or run the patches, as shown in Figure
10-3 (suppose the memory patch area can load up to eight patches).
Figure 10-3 Patches are not loaded to the memory patch area
Currently, the memory patch area supports up to 200 patches.
DEACTIVE state
Patches in the DEACTIVE state have been loaded to the memory patch area but have not run in the
system yet. Suppose that there are seven patches in the patch file to be loaded. After the seven
patches successfully pass the version check and CRC check, they are loaded to the memory patch
area and are in the DEACTIVE state. At this time, the patch states in the system are as shown in
Figure 10-4.
Figure 10-4 A patch file is loaded to the memory patch area
ACTIVE state
Patches in the ACTIVE state are those that have run temporarily in the system and become
DEACTIVE after system reboot. For the seven patches in Figure 10-4, if you activate the first five
patches, their states change from DEACTIVE to ACTIVE. At this time, the patch states in the system
are as shown in Figure 10-5.
The patches that are in the ACTIVE state are in the DEACTIVE state after system reboot.
Figure 10-5 Patches are activated
RUNNING state
After you confirm the running of the ACTIVE patches, the state of the patches becomes RUNNING, and
the patches remain in the RUNNING state after system reboot. For the five patches in Figure 10-5, if
you confirm running the first three patches, their states change from ACTIVE to RUNNING. At this
time, the patch states of the system are as shown in Figure 10-6.
The patches that are in the RUNNING state are still in the RUNNING state after system reboot.
Figure 10-6 Patches are running
Configuration Prerequisites
Patches are released per device model or card type. Before patching the system, you need to save the
appropriate patch files to the storage media of the device using FTP or TFTP. When saving the patch
files, note that:
• The patch files must match the device model and software version. If they do not match, the
hotfixing operation fails.
• Name the patch file properly. Otherwise, the system cannot locate the patch file and the hotfixing
operation fails. The name is in the format of "patch_PATCH-FLAG suffix.bin". The PATCH-FLAG
is pre-defined and support for the PATCH-FLAG depends on device model or card type. The first
three characters of the version item (displayed by the display patch information command)
represent the PATCH-FLAG suffix. The system searches the root directory of the storage medium
(flash by default) for patch files based on the PATCH-FLAG. If there is a match, the system loads
patches to or installs them on the memory patch area.
Table 10-1 describes the default patch name for each card type.
Table 10-1 Default patch names for different card types
The loading and installation are performed on all cards that are in position and OAM CPU, so before
these operations, save the patch files for the active main board (AMB) and interface card to the root
directory of the AMB's storage medium, and save the patch files for the standby main board (SMB) to
the root directories of the SMB's storage medium. Make sure the patch files saved on the AMB and
SMB are the same.
To install patches in one step, use the patch install command. After you execute the command, the
system displays the message "Do you want to continue running patches after reboot? [Y/N]:".
• Entering y or Y: All the specified patches are installed, and turn to the RUNNING state from IDLE.
This equals execution of the commands patch location, patch load, patch active, and patch
run. The patches remain RUNNING after system reboot.
• Entering n or N: All the specified patches are installed and turn to the ACTIVE state from IDLE.
This equals execution of the commands patch location, patch load and patch active. The
patches turn to the DEACTIVE state after system reboot.
Follow these steps to install the patches in one step:
Step-by-Step Patch Installation
To do: Configure the patch file location
Use the command: patch location patch-location
Remarks: Optional. flash: by default
• The directory specified by the patch-location argument must exist on both the AMB and SMB. If
the SMB does not have such directory, the system cannot locate the patch files on the SMB.
(distributed device)
• The patch install command changes the patch file location specified with the patch location
command to the directory specified by the patch-location argument of the patch install command.
For example, if you execute the patch location xxx command and then the patch install yyy
command, the patch file location automatically changes from xxx to yyy.
Set the file transfer mode to binary mode before using FTP or TFTP to upload/download patch files
to/from the flash of the device. Otherwise, the patch files cannot be parsed properly.
Follow these steps to load a patch file: (distributed IRF member device)
Activating Patches
After you activate a patch, the patch takes effect and is in the test-run stage. After the device is reset or
rebooted, the patch becomes invalid.
If you find that an ACTIVE patch has a problem, reboot the device to deactivate the patch, so as to
avoid a series of running faults resulting from the patch error.
Follow these steps to activate patches: (distributed device)
Follow these steps to confirm the running of patches: (distributed IRF member device)
Follow these steps to stop running patches: (distributed IRF member device)
Deleting Patches
Deleting patches only removes the patches from the memory patch area, and does not delete them
from the storage medium. The patches turn to IDLE state after this operation. After a patch is deleted,
the system runs in the way before it is installed with the patch.
Follow these steps to delete patches: (distributed device)
To do: Display the patch information
Use the command: display patch information
Remarks: Available in any view
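The patch states described in this section can be modelled as a small state machine, which makes it easy to check before a reboot which patches will stop applying. This is an added example, not H3C code: the PatchSet class, its patch numbering from 1 and the "first N patches" addressing are modelling assumptions, and the DEACTIVE result of patch deactive is assumed from the command name.

```python
from enum import Enum


class State(Enum):
    IDLE = "IDLE"          # not loaded into the memory patch area
    DEACTIVE = "DEACTIVE"  # loaded, but not running
    ACTIVE = "ACTIVE"      # running on trial; reverts at reboot
    RUNNING = "RUNNING"    # confirmed; survives reboot


IDLE, DEACTIVE, ACTIVE, RUNNING = State.IDLE, State.DEACTIVE, State.ACTIVE, State.RUNNING

# command -> {state the command acts on: resulting state}
TRANSITIONS = {
    "patch load": {IDLE: DEACTIVE},
    "patch active": {DEACTIVE: ACTIVE},
    "patch run": {ACTIVE: RUNNING},
    # Assumption: the guide calls this operation "stop running" but the text
    # giving its result is missing; DEACTIVE is taken from the command name.
    "patch deactive": {ACTIVE: DEACTIVE, RUNNING: DEACTIVE},
    "patch delete": {DEACTIVE: IDLE, ACTIVE: IDLE, RUNNING: IDLE},
}
REBOOT = {ACTIVE: DEACTIVE}   # RUNNING stays RUNNING across a reboot
PATCH_AREA_CAPACITY = 200     # the memory patch area supports up to 200 patches


class PatchSet:
    """The patches of one patch file, numbered from 1 (modelling assumption)."""

    def __init__(self, count):
        if not 0 < count <= PATCH_AREA_CAPACITY:
            raise ValueError("patch count must be 1..%d" % PATCH_AREA_CAPACITY)
        self.states = [IDLE] * count

    def apply(self, command, first_n=None):
        """Apply a command to patches 1..first_n (all patches if None).

        Patches in a state the command does not act on are left unchanged.
        Returns the number of patches that changed state.
        """
        table = TRANSITIONS[command]
        limit = len(self.states) if first_n is None else min(first_n, len(self.states))
        changed = 0
        for i in range(limit):
            target = table.get(self.states[i])
            if target is not None:
                self.states[i] = target
                changed += 1
        return changed

    def install(self, run_after_reboot):
        """One-step 'patch install': answering Y (True) equals load, active
        and run; answering N (False) equals load and active only."""
        self.apply("patch load")
        self.apply("patch active")
        if run_after_reboot:
            self.apply("patch run")

    def reboot(self):
        self.states = [REBOOT.get(s, s) for s in self.states]

    def lost_on_reboot(self):
        """Numbers of the patches that stop taking effect at the next reboot."""
        return [n for n, s in enumerate(self.states, start=1) if s is ACTIVE]

    def summary(self):
        return {s.value: self.states.count(s) for s in State if s in self.states}


def figures_walkthrough():
    """Replay the seven-patch scenario of Figures 10-4 to 10-6, then reboot."""
    ps = PatchSet(7)
    result = {}
    ps.apply("patch load")
    result["Figure 10-4"] = ps.summary()
    ps.apply("patch active", first_n=5)
    result["Figure 10-5"] = ps.summary()
    ps.apply("patch run", first_n=3)
    result["Figure 10-6"] = ps.summary()
    result["lost on reboot"] = ps.lost_on_reboot()
    ps.reboot()
    result["after reboot"] = ps.summary()
    return result


if __name__ == "__main__":
    for step, value in figures_walkthrough().items():
        print(step, value)
```

Patches reported by lost_on_reboot() are the ones to confirm with patch run if the fix must persist through a maintenance reboot.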
Network requirements
• As shown in Figure 10-7, the current software version is soft-version1, and Boot ROM version is
bootrom-version1 for the device. Immediately upgrade the software version and Boot ROM
version of the device to soft-version2 and bootrom-version2 respectively through remote
operations.
• The latest applications soft-version2.app and bootrom-version2.btm are both saved in the aaa
directory of the FTP server.
• The IP address of the device is 1.1.1.1/24, the IP address of the FTP server is 2.2.2.2/24, and the
device and the FTP server can reach each other.
• A user has logged in to the device via Telnet and the user and device can reach each other.
Figure 10-7 Network diagram for immediate upgrade (the device, acting as FTP client at 1.1.1.1/24,
reaches the FTP server at 2.2.2.2/24 over the Internet; the user connects to the device via Telnet)
Configuration procedure
• Configuration on the FTP server (Configurations may vary with different types of servers)
# Enable the FTP server.
<FTP-Server> system-view
[FTP-Server] ftp server enable
# Set the FTP username to aaa and password to hello.
[FTP-Server] local-user aaa
[FTP-Server-luser-aaa] password cipher hello
# Configure the user to have access to the aaa directory.
[FTP-Server-luser-aaa] service-type ftp
[FTP-Server-luser-aaa] authorization-attribute work-directory flash:/aaa
• Configuration on the device
If the size of the flash on the device is not large enough, delete the original application programs from
the flash before downloading.
# Before upgrade, execute the save command to save the current configuration (configuration
procedure is omitted).
# Log in to the FTP server (The prompt may vary with servers.)
<Device> ftp 2.2.2.2
Trying 2.2.2.2 ...
Press CTRL+K to abort
Connected to 2.2.2.2.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(2.2.2.2:(none)):aaa
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]
# Download the soft-version2.app and bootrom-version2.btm programs on the FTP server to the
flash of the device.
[ftp] binary
[ftp] get soft-version2.app
[ftp] get bootrom-version2.btm
[ftp] bye
<Device>
# Enable the validity check function for Boot ROM file upgrade.
<Device> system-view
[Device] bootrom-update security-check enable
[Device] quit
# Upgrade the Boot ROM file of the AMB (resides in slot 0).
<Device> bootrom update file bootrom-version2.btm slot 0
# Upgrade the Boot ROM file of the SMB (resides in slot 1).
<Device> copy bootrom-version2.btm slot1#flash:/bootrom-version2.btm
<Device> bootrom update file slot1#flash:/bootrom-version2.btm slot 1
# Specify the application program for the next boot on the AMB.
<Device> boot-loader file soft-version2.app slot 0 main
# Specify the application program for the next boot on the SMB.
<Device> copy soft-version2.app slot1#flash:/soft-version2.app
<Device> boot-loader file slot1#flash:/soft-version2.app slot 1 main
# Reboot the device. The software version is upgraded now.
<Device> reboot
To check if the upgrade is successful after the device reboots, use the display version command.
Immediate Upgrade Configuration Example (Distributed IRF Virtual Device)
Network requirements
• As shown in Figure 10-8, the IRF virtual device comprises two member devices, the master with
the member ID of 1 and the slave with the member ID of 2. The AMB of the master is in slot 0, and
the SMB of the master is in slot 1. The AMB of the slave is in slot 0, and the SMB of the slave is in
slot 1.
• The current software version is soft-version1 for the IRF virtual device. Upgrade the software
version of the IRF virtual device to soft-version2 and configuration file to new-config.
• The latest application soft-version2.app and the latest configuration file new-config.cfg are both
saved on the TFTP server.
• The IP address of the IRF virtual device is 1.1.1.1/24, the IP address of the TFTP server is
2.2.2.2/24, and the TFTP server and IRF virtual device can reach each other.
Figure 10-8 Network diagram for immediate upgrade (the IRF virtual device at 1.1.1.1/24, made up of
the master (Member_ID=1) and the slave (Member_ID=2), reaches the TFTP server at 2.2.2.2/24 over
the Internet)
Configuration procedure
1) Configuration on the TFTP server (Configurations may vary with different types of servers)
Obtain the boot file and configuration file through legitimate channels, such as the official website of
H3C, agents, and technical staff. Save these files under the working path of the TFTP server for the
access of the TFTP clients.
2) Configuration on the members of the IRF virtual device
# Download file new-config.cfg from the TFTP server to the main boards of the master
(Configurations may vary with different types of servers).
<IRF> tftp 2.2.2.2 get new-config.cfg
..
File will be transferred in binary mode
Downloading file from remote TFTP server, please wait.....
TFTP: 917 bytes received in 1 second(s)
# Download file soft-version2.app from the TFTP server to the master and slave.
<IRF> tftp 2.2.2.2 get soft-version2.app
...
File will be transferred in binary mode
Downloading file from remote TFTP server, please wait............
TFTP: 10058752 bytes received in 141 second(s)
Network requirements
• As shown in Figure 10-9, the software running on the device has some problems and thus hotfixing
is needed.
• The patch files patch_mpu.bin, patch_lpb.bin and patch_lpr.bin are saved on the TFTP server.
• The IP address of the device is 1.1.1.1/24, and IP address of the TFTP Server is 2.2.2.2/24. The
device and TFTP Server can reach each other.
Figure 10-9 Network diagram of hotfix configuration
Configuration procedure
1) Configure the TFTP server. The configuration varies depending on server type and the configuration
procedure is omitted.
• Enable the TFTP server function.
• Save the patch files patch_mpu.bin, patch_lpb.bin and patch_lpr.bin to the directory of the
TFTP server.
2) Configure the device.
Make sure the free flash space of the device is big enough to store the patch files.
# Before upgrading the software, use the save command to save the current system configuration.
The configuration procedure is omitted.
# Load the patch files patch_mpu.bin, patch_lpb.bin and patch_lpr.bin from the TFTP server to the
AMB.
<Device> tftp 2.2.2.2 get patch_mpu.bin
<Device> tftp 2.2.2.2 get patch_lpb.bin
<Device> tftp 2.2.2.2 get patch_lpr.bin
# Copy the patch files to the root directory of the SMB in slot 1.
<Device> copy patch_mpu.bin slot1#flash:/
<Device> copy patch_lpb.bin slot1#flash:/
<Device> copy patch_lpr.bin slot1#flash:/
# Install the patches.
<Device> system-view
[Device] patch install flash:
Patches will be installed. Continue? [Y/N]:y
Do you want to continue running patches after reboot? [Y/N]:y
Installing patches........
Installation completed, and patches will continue to run after reboot.
11 Device Management
The S7500E Series Ethernet Switches are distributed devices supporting Intelligent Resilient
Framework (IRF). Two S7500E series can be connected together to form a distributed IRF device. If
an S7500E series is not in any IRF, it operates as a distributed device; if the S7500E series is in an
IRF, it operates as a distributed IRF device. For introduction of IRF, refer to IRF Configuration in the
IRF Configuration Guide.
When configuring device management, go to these sections for information you are interested in:
• Device Management Overview
• Device Management Configuration Task List
• Configuring the Device Name
• Configuring the System Clock
• Enabling/Disabling the Display of Copyright Information
• Configuring a Banner
• Configuring the Exception Handling Method
• Rebooting a Device
• Scheduled Task Configuration
• Configuring Temperature Alarm Thresholds for a board
• Clearing the 16-bit Interface Indexes Not Used in the Current System
• Configuring the System Load Sharing Function
• Enabling Active/Standby Mode for Service Ports on SRPUs
• Configuring the Traffic Forwarding Mode of SRPUs
• Configuring the Working Mode of LPUs
• Enabling the Port Down Function Globally
• Enabling Expansion Memory Data Recovery Function on a board
• Identifying and Diagnosing Pluggable Transceivers
• Displaying and Maintaining Device Management Configuration
Device Management Configuration Task List
Complete these tasks to configure device management:
Task: Clearing the 16-bit Interface Indexes Not Used in the Current System
Remarks: Optional
To do: Configure the device name
Use the command: sysname sysname
Remarks: Optional. The device name is H3C.
Configuring the System Clock
Configuring the system clock
The system clock, displayed by system time stamp, is decided by the configured relative time, time
zone, and daylight saving time. You can view the system clock by using the display clock command.
Follow these steps to configure the system clock:
To do: Set time and date
Use the command: clock datetime time date
Remarks: Optional. Available in user view.
To do: Set the time zone
Use the command: clock timezone zone-name { add | minus } zone-offset
Remarks: Optional. Universal time coordinated (UTC) time zone by default.
The system clock is decided by the commands clock datetime, clock timezone and clock
summer-time. If these three commands are not configured, the display clock command displays the
original system clock. If you combine these three commands in different ways, the system clock is
displayed in the ways shown in Table 11-1. The meanings of the parameters in the configuration
column are as follows:
• 1 indicates date-time has been configured with the clock datetime command.
• 2 indicates time-zone has been configured with the clock timezone command and the offset time
is zone-offset.
• 3 indicates daylight saving time has been configured with the clock summer-time command and
the offset time is summer-offset.
• [1] indicates the clock datetime command is an optional configuration.
• The default system clock is 2005/1/1 1:00:00 in the example.
Table 11-1 System clock configuration
(table columns: Configuration, System clock displayed by the display clock command, Example)
Configuring a Banner
Introduction to banners
Banners are prompt information displayed by the system when users are connected to the device,
perform login authentication, and start interactive configuration. The administrator can set
corresponding banners as needed.
At present, the system supports the following five kinds of welcome information.
• shell banner, also called session banner, displayed when a non TTY Modem user enters user
view.
• incoming banner, also called user interface banner, displayed when a user interface is activated
by a Modem user.
• login banner, welcome information at login authentications, displayed when password and
scheme authentications are configured.
• motd (Message of the Day) banner, welcome information displayed before authentication.
• legal banner, also called authorization information. The system displays some copyright or
authorization information, and then displays the legal banner before a user logs in, waiting for the
user to confirm whether to continue the authentication or login. If entering Y or pressing the Enter
key, the user enters the authentication or login process; if entering N, the user quits the
authentication or login process. Y and N are case insensitive.
Configuring a banner
When you configure a banner, the system supports two input modes. One is to input all the banner
information right after the command keywords. The start and end characters of the input text must be
the same but are not part of the banner information. In this case, the input text, together with the
command keywords, cannot exceed 510 characters. The other is to input all the banner information in
multiple lines by pressing the Enter key. In this case, up to 2000 characters can be input.
The latter input mode can be achieved in the following three ways:
• Press the Enter key directly after the command keywords, and end the setting with the %
character. The Enter and % characters are not part of the banner information.
• Input a character after the command keywords at the first line, and then press the Enter key. End
the setting with the character input at the first line. The character at the first line and the end
character are not part of the banner information.
• Input multiple characters after the command keywords at the first line (with the first and last
characters being different), then press the Enter key. End the setting with the first character at the
first line. The first character at the first line and the end character are not part of the banner
information.
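The input modes above decide which character ends a banner, so banner text that ends a line with that character is cut short. The parser below is an added example, not H3C code; it assumes the end character must be the last character of a line, that line breaks count toward the 2000-character limit, that the separating space counts toward the 510-character limit, and that the keywords look like header legal (the command table is not preserved on this page).

```python
MAX_COMMAND_LINE = 510   # single-line mode: command keywords plus input text
MAX_MULTILINE = 2000     # multi-line mode
DEFAULT_END = "%"        # end character when Enter follows the keywords directly


class BannerError(ValueError):
    pass


def parse_banner(keywords, lines):
    """Return (banner_text, lines_consumed) for one banner command.

    keywords -- the command keywords, for example "header legal" (assumed form)
    lines    -- lines[0] is what follows the keywords on the command line
                ("" when Enter was pressed directly); lines[1:] are the lines
                typed after it, possibly followed by unrelated commands.
    """
    first = lines[0]

    # Single-line mode: the text starts and ends with the same character.
    if len(first) >= 2 and first[0] == first[-1]:
        # Assumption: the limit covers the whole command line as typed.
        if len(keywords) + 1 + len(first) > MAX_COMMAND_LINE:
            raise BannerError("command line exceeds %d characters" % MAX_COMMAND_LINE)
        return first[1:-1], 1

    # Multi-line mode, in the three forms listed in the guide.
    if first == "":
        end, body = DEFAULT_END, []          # Enter directly: end with %
    elif len(first) == 1:
        end, body = first, []                # one character: it is the end character
    else:
        end, body = first[0], [first[1:]]    # first character ends; the rest is text

    for consumed, line in enumerate(lines[1:], start=2):
        # Assumption: the banner ends at the first line whose last character
        # is the end character.
        if line.endswith(end):
            if line[:-1]:
                body.append(line[:-1])
            text = "\n".join(body)
            if len(text) > MAX_MULTILINE:
                raise BannerError("banner exceeds %d characters" % MAX_MULTILINE)
            return text, consumed
        body.append(line)
    raise BannerError("banner is not terminated with %r" % end)


def render_banner(text, candidates="%#@~^"):
    """Return input lines (same shape as `lines` above) that reproduce `text`,
    using the one-character form with an end character absent from the text."""
    for end in candidates:
        if end not in text:
            body = text.split("\n")
            body[-1] += end
            return [end] + body
    raise BannerError("every candidate end character occurs in the text")


# Constructed sample input: the second line ends with the default end
# character, so the banner stops there and the rest is left for the CLI.
TRUNCATED_SAMPLE = ["", "Uptime target 99%", "Contact NOC", "%"]

if __name__ == "__main__":
    print(parse_banner("header motd", TRUNCATED_SAMPLE))
    safe = render_banner("Uptime target 99%\nContact NOC")
    print(safe, parse_banner("header motd", safe))
```

lines_consumed tells a configuration checker where the banner ends, so any remaining lines can be flagged as input the device would interpret as commands.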
Follow these steps to configure a banner:
To do: Configure the exception handling method on the active switching and routing processing unit (SRPU) and the standby SRPU
Use the command: system-failure { maintain | reboot }
Remarks: Optional. By default, the active SRPU and the standby SRPU adopt the reboot method to handle exceptions.
• After this command is configured, both the active SRPU and the standby SRPU adopt the same
method to handle exceptions. The system adopts the reboot method to handle exceptions that
occur on an interface card or the auxiliary CPU system, that is, the system reboots the failed
card.
• The exception handling method is effective to the failed card only, and does not influence the
functions of other cards.
Follow these steps to configure exception handling method (distributed IRF device):
To do: Configure exception handling method on all member devices
Use the command: system-failure { maintain | reboot }
Remarks: Optional. By default, all member devices adopt the reboot method to handle exceptions.
• After this command is configured, all the member devices adopt the same method to handle
exceptions.
• The exception handling method is effective to the failed member device only, and does not
influence the operations of other IRF members.
Rebooting a Device
When a fault occurs to a running device, you can remove the fault by rebooting the device, depending
on the actual situation.
You can reboot a device following any of the three methods:
• Power on the device after powering it off, which is also called hard reboot or cold start. This
method impacts the device a lot. Powering off a running device will cause data loss and hardware
damages. It is not recommended.
• Trigger the immediate reboot through command lines.
• Enable the scheduled reboot function through command lines. You can set a time at which the
device can automatically reboot, or set a delay so that the device can automatically reboot within
the delay.
The last two methods are command line operations. Reboot through command lines is also called hot
start, which is mainly used to reboot a device in remote maintenance without performing hardware
reboot of the device.
• Distributed device
Follow the step below to reboot a device immediately:
Follow these steps to reboot a device at a time through command lines:
• Device reboot may result in the interruption of the ongoing services. Use these commands with
caution.
• Before device reboot, use the save command to save the current configurations. For details about
the save command, refer to Configuration File Management Commands in the Fundamentals
Command Reference.
• Before device reboot, use the display startup and display boot-loader commands to check if
the configuration file and boot file for the next boot are configured. (For details about the display
startup command, refer to Configuration File Management Commands in the Fundamentals
Command Reference.)
• The precision of the rebooting timer is 1 minute. One minute before the rebooting time, the device
will prompt “REBOOT IN ONE MINUTE” and will reboot in one minute.
• Use the slave restart command instead of the reboot command to reboot the standby SRPU (for
details about the slave restart command, refer to the Active and Standby Switchover Commands
in the High Availability Command Reference). If you do not specify the slot keyword, the
execution of the reboot command on the device results in the reboot of the device, including the
active SRPU, the standby SRPU and the interface cards. If you reboot the active SRPU when the
standby SRPU operates normally, an active SRPU and standby SRPU switchover will occur.
(distributed device)
• If a main boot file fails or does not exist, the device cannot be rebooted with the reboot command.
In this case, you can re-specify a main boot file to reboot the device, or you can power off the
device then power it on and the system automatically uses the backup boot file to restart the
device.
• If you are performing file operations when the device is to be rebooted, the system does not
execute the command for the sake of security.
Scheduled Task Configuration
What Is a Scheduled Task
A scheduled task defines a command or a group of commands and when such commands are to be
executed. It allows a device to execute specified command(s) at a time when no person is available to
maintain the device.
With a scheduled task configured, the device checks the configured task list every minute; if the device
detects that the time to execute a command is reached, it automatically executes the command.
Configuration prerequisites
Note the following when configuring a scheduled task:
- The commands in a scheduled task must be in the same view.
- You can specify up to 10 commands in one scheduled task. To execute more than 10 commands,
specify multiple scheduled tasks.
Configuring a scheduled task to be executed at a specified time
Follow these steps to configure a scheduled task that will be executed at a specified time:
To do: Configure the view where the specified commands are to be executed
Use the command: view view
Remarks: Required. You can specify only one view for each scheduled task.
- Modification of the system time affects the execution of a scheduled task.
- The view specified for a scheduled task must be supported by the system, and the view name must
be in its complete format. Commonly used view names include monitor for user view, system for
system view, GigabitEthernetx/x/x for Ethernet interface view, and Vlan-interfacex for VLAN
interface view.
To do: Configure the view where the specified commands are to be executed
Use the command: view view
Remarks: Required. You can specify only one view for each scheduled task.
- A scheduled task with a delay time configured is still executed when the specified delay time is
reached even if the system time is changed.
- The view specified for a scheduled task must be supported by the system, and the view name must
be in its complete format. Commonly used view names include monitor for user view, system for
system view, GigabitEthernetx/x/x for Ethernet interface view, and Vlan-interfacex for VLAN
interface view.
The scheduled automatic execution function enables the system to automatically execute a specified
command at a specified time in a specified view. This function is used for scheduled system upgrade
or configuration.
Follow these steps to configure the scheduled automatic execution function:
To do… Use the command… Remarks
Note that:
- At present, you can specify user view and system view only. To automatically execute the
specified command in another view or automatically execute multiple commands at a time, you
can configure the system to automatically execute a batch file at the specified time (note that you
must provide a complete file path for the system to execute the batch file).
- The system does not check the values of the view and command arguments. Therefore, ensure
the correctness of the command argument (including the correct format of command and the
correct relationship between the command and view arguments).
- After the specified automatic execution time is reached, the system executes the specified
command in the background without displaying any information except system information such
as log, trap and debug.
- The system does not require any interactive information when it is executing the specified
command. If there is information for you to confirm, the system automatically inputs Y or Yes; if
characters need to be input, the system automatically inputs a default character string, or inputs
an empty character string when there is no default character string.
- For the commands used to switch user interfaces, such as telnet, ftp, and ssh2, the commands
used to switch views, such as system-view and quit, and the commands used to modify the status
of a user that is executing commands, such as super, the operation interface, command view and
status of the current user are not changed after the automatic execution function is performed.
- If the system time is modified after the automatic execution function is configured, the scheduled
automatic execution configuration becomes invalid automatically.
- Only the last configuration takes effect if you execute the schedule job command repeatedly.
- After you configure this feature on the active SRPU, the configuration is not backed up to the
standby SRPU; after a switchover between the active SRPU and the standby SRPU, this
configuration will be ineffective.
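A pre-change check that encodes the limits stated in the scheduled task and scheduled automatic execution notes above, as an added Python example that is not part of the H3C guide. The function names, the task dictionary layout, the allowed_views default and the operator-supplied prompting list are assumptions; no switch CLI syntax is modelled.

```python
import re

# Commonly used complete-format view names listed in the notes above.
LISTED_VIEWS = (
    r"monitor",                     # user view
    r"system",                      # system view
    r"GigabitEthernet\d+/\d+/\d+",  # Ethernet interface view
    r"Vlan-interface\d+",           # VLAN interface view
)
MAX_COMMANDS = 10  # limit per scheduled task
# Commands the guide says do not change the user's interface, view or
# status when run by the automatic execution function.
NO_EFFECT = {"telnet", "ftp", "ssh2", "system-view", "quit", "super"}


def view_is_listed(view):
    """True if the view matches one of the listed complete-format names."""
    return any(re.fullmatch(p, view) for p in LISTED_VIEWS)


def split_task(name, view, commands):
    """Split one command list into tasks of at most 10 commands, one view each."""
    chunks = [commands[i:i + MAX_COMMANDS]
              for i in range(0, len(commands), MAX_COMMANDS)]
    return [{"name": f"{name}-{n}", "view": view, "commands": chunk}
            for n, chunk in enumerate(chunks, 1)]


def lint_auto_exec(view, command, prompting=(), allowed_views=("monitor", "system")):
    """Return findings for one command planned for automatic execution.

    prompting: first keywords of commands that ask for confirmation
    (assumption: supplied by the operator; the guide gives no list).
    allowed_views: names standing for user view and system view
    (assumption: the names the guide lists for scheduled tasks).
    """
    findings = []
    if view not in allowed_views:
        findings.append("view: only user view and system view are supported")
    words = command.split()
    if not words:
        return findings + ["command: empty, and the system will not check it"]
    if words[0] in NO_EFFECT:
        findings.append(f"command: {words[0]} changes nothing when scheduled")
    if words[0] in prompting:
        findings.append(f"command: {words[0]} prompt is auto-answered Y or Yes")
    return findings


if __name__ == "__main__":
    # Constructed plan: 23 placeholder commands for system view.
    for task in split_task("nightly", "system", [f"cmd-{i}" for i in range(23)]):
        print(task["name"], len(task["commands"]))
    print(lint_auto_exec("Vlan-interface1", "reboot", prompting={"reboot"}))
```

Because the switch answers confirmations by itself and does not validate the view or command, findings from a check like this are best reviewed before the job is configured.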
Follow these steps to configure temperature alarm thresholds for a card: (distributed device)
Optional
Follow these steps to configure temperature alarm thresholds for a card: (distributed IRFing device)
Optional
To do… Use the command… Remarks
A confirmation is required when you execute this command. If you fail to make a confirmation within 30
seconds or enter N to cancel the operation, the command will not be executed.
Enabling Active/Standby Mode for Service Ports on SRPUs
If the switch uses LSQ1SRP2XB or LSQ1SRP12GB SRPUs, it simulates two virtual LPU slots with the
slot numbers following the largest slot number. The virtual LPUs correspond to the SRPUs, and the
Ethernet ports on the virtual LPUs correspond to the Ethernet ports on the SRPUs. If you want to
configure the Ethernet ports on the SRPUs, you need to configure on the virtual LPUs.
The SRPU LSQ1SRP2XB or LSQ1SRP12GB provides Ethernet service ports. When the S7503E,
S7506E, S7506E-V, or S7510E switch uses LSQ1SRP2XB or LSQ1SRP12GB to operate in
dual-SRPU mode, the service ports on the LSQ1SRP2XB or LSQ1SRP12GB work in one of the
following modes:
- Concurrent processing mode: All service ports on both SRPUs can forward data
concurrently. If the active and standby switchover occurs due to software failure, all service ports
on both SRPUs can still forward data; however, if the active and standby switchover
occurs due to hardware failure, the service ports on the failed SRPU may not forward data.
Therefore, this mode is not applicable to network environments requiring high reliability.
- Active/standby mode: Only the service ports on the active SRPU can forward data, and the
service ports on the standby SRPU function as the backups. After the active and standby
switchover occurs, the state of service ports on the active SRPU changes from up to down, and
that of service ports on the standby SRPU changes from down to up. After that, the service ports
on the standby SRPU forward data. You can realize non-interruptible forwarding through this
mode.
Follow the steps below to enable active/standby mode for service ports on SRPUs:
- Before enabling the active/standby mode for service ports on SRPUs, you need to perform
cross-card port redundancy configurations, such as cross-card port aggregation, cross-card STP,
cross-card dynamic routing.
- This feature is applicable to SRPUs LSQ1SRP2XB and LSQ1SRP12GB only.
Configuring the Traffic Forwarding Mode of SRPUs
Introduction to SRPU traffic forwarding mode
The S7500E series Ethernet switches support multiple types of SRPUs, which support different traffic
forwarding modes. You can configure the SRPU traffic forwarding mode as needed.
Traffic forwarding modes supported by S7500E SRPUs
SRPU model: LSQ1MPUA, LSQ1CGP24TSC, LSQ1MPUB, LSQ1SRP12GB
Supported traffic forwarding mode: Enhanced Layer 2 forwarding mode with the MAC extension function
Feature: Supporting selective QinQ; providing a 128K MAC address table and a 4K routing table
Recommended application environment: Double-VLAN-tag networks with a large quantity of MAC addresses
Supported traffic forwarding mode: Standard forwarding mode with the route extension function
Feature: Supporting QinQ; powerful Layer 3 forwarding functions; providing a 32K MAC address table and a 128K routing table
Recommended application environment: Networks having high requirements on routing table size
Enhanced Layer 2 forwarding does not support route extension.
To do: Configure the traffic forwarding mode of the SRPU
Use the command: switch-mode { l2-enhanced | standard-bridging | standard-routing }
Remarks: Optional. standard-routing by default
To make the configured forwarding mode take effect, you need to save the configuration and restart
the switch.
The S7500E series Ethernet switches support multiple types of LPUs, each of which provides a different
MAC address table and routing table. To extend the MAC address table or the routing table,
you can use EA, EB, or SD LPUs, that is, LPUs whose model names end in EA, EB, or SD
(LSQ1GP12EA, for example).
An EA LPU can work in either of the two modes: MAC extension (bridging) and route extension
(routing).
- MAC extension mode: The LPU can provide a 128K MAC address table. It is recommended to use
this mode in a Layer 2 network with a large MAC address table.
- Route extension mode: The LPU can provide a 128K routing table. It is recommended to use this
mode in a Layer 3 network with a large routing table.
An EB or SD LPU can work in one of four modes: MAC extension (bridging), route extension
(routing), mixed extension (mix-bridging-routing), and normal (normal).
- MAC extension mode: The EB LPU can provide a 512K MAC address table, and the SD LPU can
provide a 128K MAC address table. It is recommended to use this mode in a Layer 2 network with
a large MAC address table.
- Route extension mode: The EB LPU can provide a 256K routing table, and the SD LPU can
provide a 128K routing table. It is recommended to use this mode in a Layer 3 network with a large
routing table.
- Mixed extension mode: The EB LPU can provide a 258K MAC address table and a 258K routing table;
the SD LPU can provide a 64K MAC address table and a 64K routing table. It is recommended to use
this mode in a network with both a large MAC address table and a large routing table.
- Normal mode: Both the EB LPU and the SD LPU provide the MAC address table and routing
table with their default capacities, without any expansion. It is recommended to use this mode in a
network with no expansion requirements for either the MAC address table or the routing table.
- The S7500E series Ethernet switches support multiple types of LPUs, where only EA, EB, and SD
LPUs support working mode configuration.
- After the MAC address table or the routing table is extended, the default capacity of the MAC
address table or the routing table does not take effect any more.
- The working mode configuration of an LPU does not affect the service processing capability of the
whole switch, but that of the LPU only.
To do… Use the command… Remarks
Optional
LSQ1SRP2XB, LSQ1SRPA, LSQ1SRPB, LSQ1MPUA, LSQ1CGP24TSC, LSQ1SRPD, LSQ1MPUB, LSQ1SRP12GB
LSQ1SRP1CB    l2-enhanced or standard-bridging    bridging
LSQ1SRP1CB    standard-routing                    routing
- When the SRPU of the S7500E switch is LSQ1SRP1CB, it is recommended not to change the
default working mode of the EA LPUs to other modes.
- When the SRPU of the S7500E switch is LSQ1SRP2XB, LSQ1SRPA, LSQ1SRPB, LSQ1MPUA,
LSQ1CGP24TSC, LSQ1CGV24PSC, LSQ1SRPD, LSQ1MPUB or LSQ1SRP12GB, if an EA LPU
is connected to a Layer 2 forwarding network with a large number of MAC addresses, you can
modify the working mode of the EA LPU from the default to the MAC extension mode.
- EA LPUs, like LSQ1GP12EA and LSQ1TGX1EA, do not support IPv6 and IRF.
- To make the configured working mode take effect, you need to save the configuration and restart
the LPU.
- When there are multiple EB and SD LPUs on the S7500E series, you are recommended to
configure them to work in the same mode.
- To make the configured working mode take effect, you need to save the configuration and restart
the LPU.
- When you change the working mode of an EB or SD LPU for the first time, or upgrade its software
version for the first time after a working mode switch, the EB or SD LPU may reboot
once or twice because of system optimization, which takes six to ten minutes.
Enabling the Port Down Function Globally
With this function enabled, if the SRPU is plugged out or reboots abnormally, all service ports will be
down immediately.
Follow these steps to enable the port down function globally:
At present, four types of pluggable transceivers are commonly used, as shown in Table 11-3. They can
be further divided into optical transceivers and electrical transceivers based on transmission medium.
Table 11-3 Commonly used pluggable transceivers
XENPAK (10-Gigabit Ethernet Transceiver Package)    Generally used for 10G Ethernet interfaces    Yes    Yes
As pluggable transceivers are of various types and from different vendors, you can use the following
commands to identify them by viewing their key parameters, including transceiver type,
connector type, central wavelength of the laser sent, transfer distance, and vendor name or name of
the vendor who customizes the transceivers.
Follow these steps to identify pluggable transceivers:
To do: Display key parameters of the pluggable transceiver(s)
Use the command: display transceiver interface [ interface-type interface-number ]
Remarks: Available for all pluggable transceivers.
To do: Display part of the electrical label information of the anti-spoofing transceiver(s) customized by H3C
Use the command: display transceiver manuinfo interface [ interface-type interface-number ]
Remarks: Available for anti-spoofing pluggable transceiver(s) customized by H3C only.
- You can use the Vendor Name field in the prompt information of the display transceiver
command to identify an anti-spoofing pluggable transceiver customized by H3C. If the field is H3C,
it is considered an H3C-customized pluggable transceiver.
- Electrical label information is also called permanent configuration data or archive information,
which is written to the storage component of a card during device debugging or testing. The
information includes name of the card, device serial number, and vendor name or name of the
vendor who customizes the transceiver.
Diagnosing pluggable transceivers
The system outputs alarm information for you to diagnose and troubleshoot faults of pluggable
transceivers. Optical transceivers customized by H3C also support the digital diagnosis function, which
monitors the key parameters of a transceiver, such as temperature, voltage, laser bias current, TX
power, and RX power. When these parameters are abnormal, you can take corresponding measures
to prevent transceiver faults.
Follow these steps to diagnose pluggable transceivers:
To do: Display the reboot time of a device
Use the command: display schedule reboot
Remarks: Available in any view
During daily maintenance or when the system is operating abnormally, you need to display the running
status of each functional module to locate the problem. Generally, you need to execute the
corresponding display commands for each module, because each module has independent running
information. To collect more information at one time, you can execute the display
diagnostic-information command to display or save the statistics of the running status of multiple
modules in the system. Execution of the display diagnostic-information command equals execution
of the commands display clock, display version, display device, and display
current-configuration one by one.