Copyright 2008-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors
Trademarks
H3C, Aolynk, H3Care, TOP G, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C WX series documentation set describes the software features for the H3C WX Series Access Controllers and guides you through the software configuration procedures. The configuration guides also provide configuration examples to help you apply the software features to different network scenarios. The Fundamentals Configuration Guide describes CLI, logging in to the AC, device management, FTP and TFTP, user interface, file management, basic system configuration, HTTP, and hotfix configurations.
This preface includes:
Audience
Conventions
About the H3C WX Series Documentation Set
Obtaining Documentation
Technical Support
Documentation Feedback
Audience
This documentation is intended for:
Network planners
Field technical support and servicing engineers
Network administrators working with the WX series
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.
&<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is comments.
GUI conventions
Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Means reader be extremely careful. Improper operation may cause bodily injury.
Means reader be careful. Improper operation may cause data loss or damage to equipment.
Means an action or information that needs special attention to ensure successful configuration or good performance.
Means a complementary description.
Means techniques helpful for you to make configuration with ease.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, an access controller module, or a switching engine on a unified switch.
About the H3C WX Series Documentation Set
Software configuration
WX Series Access Controllers Getting Started Guides: Guide you through the main functions of your AC, and describe how to install and log in to your AC, perform basic configurations, maintain software, and troubleshoot your AC.
WX Series Access Controllers Configuration Guides: Describe software features and configuration procedures.
WX Series Access Controllers Command References: Provide a quick reference to all available commands.
WX Series Access Controllers Web-based Configuration Guides: Describe configuration procedures through the web interface.
WX3000 Series Unified Switches Release Notes, WX5002 Series Access Controllers Release Notes, WX5004 Series Access Controllers Release Notes, WX6103 Series Access Controllers Release Notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.
Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents]: Provides hardware installation, software upgrading, getting started, and software feature configuration and maintenance documentation.
[Products & Solutions]: Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download]: Provides the documentation released with the software version.
Technical Support
customer_service@h3c.com
http://www.h3c.com
Documentation Feedback
You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
Read Compatibility Matrixes before using an H3C WX series access controller. Support of the H3C WX series access controllers for features and commands may vary by AC model. For more information, see Feature Matrixes and Command Matrixes in Compatibility Matrixes. The term AC in this document refers to H3C access controllers, access controller modules, and H3C WX series unified switches' access controller engines. The interface types and the number of interfaces vary by AC model. This document uses GE interfaces to show how to configure Ethernet interfaces. The models listed in this manual are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
Table of Contents
1 Applicable Models and Software Versions 1-1
2 Typical Network Scenarios 2-1
AC Networking 2-1
Access Controller Module Networking 2-1
Unified Switch Networking 2-2
3 Feature Matrixes 3-1
Feature Matrix for the WX5000 Series 3-1
Feature Matrix for the WX6000 Series 3-7
Feature Matrix for the WX3000 Series 3-11
4 Command Matrixes 4-1
Command Matrix for the WX5000 Series 4-1
Command Matrix for the WX6000 Series 4-15
Command Matrix for the WX3000 Series 4-24
5 CLI Configuration 5-1
What Is CLI? 5-1
Entering the CLI 5-1
Entering CLI Through the Console Port 5-2
Entering CLI Through Telnet 5-6
CLI Descriptions 5-7
Command Conventions 5-7
CLI View Description 5-8
Using the CLI 5-9
Using the CLI Online Help 5-9
Command Line Error Information 5-10
Typing and Editing Commands 5-11
Displaying and Executing History Commands 5-11
Undo Form of a Command 5-12
Controlling CLI Display 5-12
Configuring the CLI 5-15
Configuring CLI Hotkeys 5-15
Configuring Command Aliases 5-16
Synchronous Information Output 5-17
Configuring Command Levels 5-18
Saving Configurations 5-19
6 FTP Configuration 6-1
FTP Overview 6-1
Introduction to FTP 6-1
Operation of FTP 6-1
Configuring the FTP Client 6-3
Establishing an FTP Connection 6-3
Operating the Directories on an FTP Server 6-4
Operating the Files on an FTP Server 6-5
Using Another Username to Log In to an FTP Server 6-6
Maintaining and Debugging an FTP Connection 6-6
Terminating an FTP Connection 6-6
FTP Client Configuration Example 6-7
Configuring the FTP Server 6-8
Configuring FTP Server Operating Parameters 6-8
Configuring Authentication and Authorization on the FTP Server 6-9
FTP Server Configuration Example 6-10
Displaying and Maintaining FTP 6-12
7 TFTP Configuration 7-1
TFTP Overview 7-1
Introduction to TFTP 7-1
Operation of TFTP 7-1
Configuring the TFTP Client 7-2
Displaying and Maintaining the TFTP Client 7-3
TFTP Client Configuration Example 7-3
8 Logging In to an Access Controller Product 8-1
Logging In to an Access Controller Product 8-1
Introduction to the User Interface 8-1
Supported User Interfaces 8-1
User Interface Number 8-1
Common User Interface Configuration 8-2
9 Logging In Through the Console Port 9-1
Introduction 9-1
Setting Up the Connection to the Console Port 9-1
Console Port Login Configuration 9-4
Configuring Common Settings for Console Login 9-4
Console Port Login Configurations for Different Authentication Modes 9-5
Configuring None Authentication for Console Port Login 9-6
Configuration Procedure 9-6
Configuration Example 9-8
Configuring Password Authentication for Console Port Login 9-9
Configuration Procedure 9-9
Configuration Example 9-10
Configuring Scheme Authentication for Console Port Login 9-12
Configuration Procedure 9-12
Configuration Example 9-14
10 Logging In Through Telnet 10-1
Introduction 10-1
Establishing a Telnet Connection 10-2
Telnetting to an Access Controller from a Terminal 10-2
Telnetting to Another Access Controller from the Current One 10-4
Common Configuration 10-4
Telnet Configurations for Different Authentication Modes 10-5
Configuring None Authentication for Telnet Login 10-6
Configuration Procedure 10-6
Configuration Example 10-7
Configuring Password Authentication for Telnet Login 10-8
Configuration Procedure 10-8
Configuration Example 10-9
Configuring Scheme Authentication for Telnet Login 10-11
Configuration Procedure 10-11
Configuration Example 10-13
11 Logging In Through the Web-Based Network Management System 11-1
Introduction 11-1
Setting Up a Web Configuration Environment 11-2
12 Logging In Through an NMS 12-1
Introduction 12-1
Connection Establishment 12-1
13 Controlling Login Users 13-1
Introduction 13-1
Controlling Telnet Users 13-1
Prerequisites 13-1
Controlling Telnet Users by SSIDs of Clients 13-2
Controlling Telnet Users by Source IP Addresses 13-2
Controlling Telnet Users by Source and Destination IP Addresses 13-3
Controlling Telnet Users by Source MAC Addresses 13-3
Configuration Example 13-4
Controlling Network Management Users by Source IP Addresses 13-5
Prerequisites 13-5
Controlling Network Management Users by Source IP Addresses 13-5
Configuration Example 13-6
14 File Management 14-1
Managing Files 14-1
Filename Formats 14-1
Directory Operations 14-2
Displaying Directory Information 14-2
Displaying the Current Working Directory 14-2
Changing the Current Working Directory 14-2
Creating a Directory 14-2
Removing a Directory 14-2
File Operations 14-3
Displaying File Information 14-3
Displaying the Contents of a File 14-3
Renaming a File 14-3
Copying a File 14-4
Moving a File 14-4
Deleting a File 14-4
Restoring a File from the Recycle Bin 14-4
Emptying the Recycle Bin 14-4
Batch Operations 14-5
Storage Medium Operations 14-5
Managing the Space of a Storage Medium 14-5
Mounting/Unmounting a Storage Medium 14-6
Setting Prompt Modes 14-6
Example for File Operations 14-7
15 Configuration File Management 15-1
Configuration File Overview 15-1
Types of Configuration 15-1
Format and Content of a Configuration File 15-1
Coexistence of Multiple Configuration Files 15-2
Startup with the Configuration File 15-2
Saving the Current Running Configuration 15-2
Introduction 15-2
Encrypting a Configuration File 15-2
Modes in Saving the Configuration 15-3
Setting Configuration Rollback 15-4
Configuration Rollback 15-4
Configuration Task List 15-4
Configuring Parameters for Saving the Current Running Configuration 15-5
Enabling Automatic Saving of the Running Configuration 15-6
Manually Saving the Current Running Configuration 15-6
Setting Configuration Rollback 15-7
Specifying a Startup Configuration File to Be Used at the Next System Startup 15-7
Backing Up the Startup Configuration File 15-8
Deleting a Startup Configuration File to Be Used at the Next Startup 15-8
Restoring a Startup Configuration File 15-9
Displaying and Maintaining Device Configuration 15-9
16 Device Management 16-1
Device Management Overview 16-1
Device Management Configuration Task List 16-1
Registering the Software 16-2
Rebooting the AC 16-2
Configuring the Scheduled Automatic Execution Function 16-3
Upgrading AC Software 16-4
AC Software Overview 16-4
Upgrading the Boot ROM Program Through Command Lines 16-5
Upgrading the Boot File Through Command Lines 16-6
Configuring Temperature Alarm Thresholds for a Board 16-6
Clearing the 16-bit Interface Indexes Not Used in the Current System 16-6
Displaying and Maintaining Device Management Configuration 16-7
Device Management Configuration Examples 16-8
Remote Scheduled Automatic Upgrade Configuration Example 16-8
17 User Interface Configuration 17-1
User Interface Overview 17-1
Brief Introduction 17-1
Users and User Interfaces 17-2
Numbering User Interfaces 17-2
User Interface Configuration Task List 17-2
Configuring Asynchronous Serial Interface Attributes 17-3
Configuring Terminal Attributes 17-4
Configuring the auto-execute Command 17-5
Configuring User Privilege Level Under a User Interface 17-5
Configuring Access Restriction on VTY User Interfaces 17-6
Configuring Supported Protocols on VTY User Interfaces 17-7
Configuring Authentication Mode for Users at Login 17-7
Configuring Command Authorization 17-9
Configuring Command Accounting 17-10
Defining Shortcut Keys for Starting Terminal Sessions/Aborting Tasks 17-10
Sending Messages to the Specified User Interfaces 17-11
Releasing the Connection Established on the User Interfaces 17-11
Displaying and Maintaining User Interfaces 17-11
User Interface Configuration Examples 17-12
User Authentication Configuration Example 17-12
Command Authorization Configuration Example 17-13
Command Accounting Configuration Example 17-14
18 Basic Configurations 18-1
Configuration Display 18-1
Quick Configuration 18-2
Basic Configurations 18-2
Entering System View 18-3
Exiting the Current View 18-3
Exiting to User View 18-3
Configuring the AC Name 18-3
Configuring the System Clock 18-4
Configuring a Banner 18-6
Configuring CLI Hotkeys 18-8
Configuring Command Aliases 18-9
Configuring User Privilege Levels and Command Levels 18-10
Configuring the Number of Concurrent Users 18-16
Displaying and Maintaining Basic Configurations 18-16
CLI Features 18-17
Introduction to CLI 18-17
Online Help with Command Lines 18-18
Synchronous Information Output 18-19
Undo Form of a Command 18-19
Editing Features 18-19
CLI Display 18-20
Saving History Commands 18-23
Command Line Error Information 18-23
19 HTTP Configuration 19-1
HTTP Overview 19-1
How HTTP Works 19-1
Logging In to the Access Controller (AC) Through HTTP 19-1
Protocols and Standards 19-1
Enabling the HTTP Service 19-2
Configuring the Port Number of the HTTP Service 19-2
Associating the HTTP Service with an ACL 19-2
Displaying and Maintaining HTTP 19-3
20 HTTPS Configuration 20-1
HTTPS Overview 20-1
HTTPS Configuration Task List 20-1
Associating the HTTPS Service with an SSL Server Policy 20-2
Enabling the HTTPS Service 20-2
Associating the HTTPS Service with a Certificate Attribute Access Control Policy 20-3
Configuring the Port Number of the HTTPS Service 20-3
Associating the HTTPS Service with an ACL 20-4
Displaying and Maintaining HTTPS 20-4
HTTPS Configuration Example 20-5
21 Hotfix Configuration 21-1
Hotfix Overview 21-1
Basic Concepts in Hotfix 21-1
Patch Status 21-2
Hotfix Configuration Task List 21-4
Configuration Prerequisites 21-5
One-Step Patch Installation 21-5
Step-by-Step Patch Installation 21-6
Step-by-Step Patch Installation Task List 21-6
Configuring the Patch File Location 21-6
Loading a Patch File 21-6
Activating Patches 21-7
Confirming Running Patches 21-7
One-Step Patch Uninstallation 21-8
Step-by-Step Patch Uninstallation 21-8
Step-by-Step Patch Uninstallation Task List 21-8
Stopping Running Patches 21-8
Deleting Patches 21-8
Displaying and Maintaining Hotfix 21-9
Hotfix Configuration Example 21-9
22 Index 22-1
AC Networking
As shown in the following figure, the AC is connected to Switch (Layer 2 or Layer 3) through GE1/0/1, which can be connected to APs directly or connected to APs over an IP network. Clients can be connected to the network through the APs to implement WLAN user access.
Figure 2-1 AC networking (figure labels: Scheme 1, AC, GE 1/0/1, Server, IP network, AP 1, AP 2, Client A, Client B)
Feature Matrixes
In this document, Yes means a feature or command is supported, and No means not supported.
The LS8M1WCMA0, LSWM1WCM10, and LSWM1WCM20 on the WX5000 series adopt the OAP architecture. Installed on the expansion slots of switches, they work as OAP cards to exchange data and status and control information with the switches through their internal service interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on GE interfaces on the LS8M1WCMA0, XGE 1/0/1 on the LSWM1WCM10, and the logical interface BAGG1 aggregated by GE 1/0/1 and GE 1/0/2 on the LSWM1WCM20.
Yes
Document
WX5002 No
WX5002V2 No
LS8M1WCMA0 No
WX5004 No
LSWM1WCM10 No
LSWM1WCM20 Yes
Flash Supports 32 concurrent APs by default, and can be extended to support 64. No on the WX5002-128
CF
Flash
CF Supports 64 concurrent APs by default, and can be extended to support 256. Yes 256 Yes
CF
Flash
No
Hot AC backup WLAN services configuration Ethernet interface configuration Maximum number of SSIDs supported Combo port configuration
No 128 Yes
No 128 No
Yes 256 No Yes. Do not use the shutdown command on internal interfaces; otherwise, the normal operation of the device will be affected. No
No 128 No Yes. Do not use the shutdown command on internal interfaces; otherwise, the normal operation of the device will be affected. No
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Document
Module
WX5004 Yes on GE interfaces only Yes Yes No Remote port mirroring and cross-board mirroring not supported Yes
Yes No Yes
Yes Yes No
Port mirroring
No
No
No
DNS configuration IP performance optimization configuration Adjacency table configuration IPv6 basics configuration IPv6 application configuration
IPv6 DNS configuration Configuring ICMP to send error packets Displaying and maintaining adjacency table IPv6 basics configuration IPv6 application configuration
Yes
Yes
Yes
Yes
Yes
Yes
No
No
No
No
No
No
Yes
No
Yes
Yes
Yes
Yes Yes
Yes Yes
Yes Yes
Yes Yes
Yes Yes
Yes Yes
Module IP routing basics configuration IPv6 static routing configuration MLD snooping configuration IPv6 multicast VLAN configuration ACL configuration
Feature IPv6 features IPv6 static routing configuration MLD snooping IPv6 multicast VLAN IPv6 ACL Configuring line rate
QoS
Configuring CAR applicable to all traffic of online users Specifying the device ID to be used in stateful failover mode Configuring Layer 3 portal authentication Specifying the portal group to which the portal service backup interface belongs
AAA
No
Yes
No
Yes
Yes
No
No
Yes
No
Yes
Yes
Yes
No
Yes
No
Yes
Yes
No
Portal configuration
Specifying the device ID to be used in stateful failover mode Specifying the backup source IP address for RADIUS packets to be sent Specifying a source IPv6 address or interface for an SSH client
No
Yes
No
Yes
Yes
No
No
Yes
No
Yes
Yes
No
SSH2.0 configuration
Yes
Yes
Yes
Yes
Yes
Yes
Document
Module
Feature Establishing a connection between an SSH client and an IPv6 SSH server Specifying a source IPv6 address or interface for an SFTP client Establishing a connection between an SFTP client and an IPv6 SFTP server IPv6 SFTP client
WX5002
WX5002V2
LS8M1WCMA0
WX5004
LSWM1WCM10
LSWM1WCM20
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes Telnet, SNMP, and web management packets whose destination IP address is the local host
Yes
Yes
Yes ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host
Yes
Yes
ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host
Telnet, SNMP, and web management packets whose destination IP address is the local host
ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host
ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host
Document
Module
Feature
WX5002 11MAC/802.1X/ARP/DHCP/HWTACAS/ICMP/IGMP/MLD/LWAPP/ND/NTP/PIM/RADIUS Data packets: all packets except the above packets.
WX5002V2
LS8M1WCMA0
WX5004
LSWM1WCM10
LSWM1WCM20
UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default
11MAC/802.1X/ARP/DHCP/HWTACAS/ICMP/IGMP/MLD/LWAPP/ND/NTP/PIM/RADIUS Data packets: all packets except the above packets.
UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default
Enabling attack prevention for protocols Configuring rate limits for a protocol Network Management and Monitoring Configuration Guide
No
Yes
No
Yes
Yes
Yes
No
Yes
No
Yes
Yes
Yes
Logfile
No
Yes
No
Yes
Yes
No
OAP module configuration OAA Configuration Guide OAA configuration ACSEI server configuration ACSEI client configuration Access Controller Module Basic Configuration Guide Access Controller Module Basic Configuration Access Controller Module Basic Configuration
No No No
No No Yes
No No Yes
No No Yes
No
No
Yes
No
Yes
Yes
The switch interface module on the WX6103, and the LSQM1WCMB0, LSBM1WCM2A0, and LSRM1WCM2A1 access controller modules on the WX6000 series adopt the OAP architecture. Installed on the expansion slots of switches, they work as OAP cards to exchange data and status and control information with the switches through their internal service interfaces. The XGE interfaces on the switch interface module on the WX6103, and the LSQM1WCMB0, LSBM1WCM2A0, and LSWM1WCM10 access controller modules are internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on them.
License
WLAN Configuration
WLAN services
Hot AC backup
Volume Guide
Module configuration
Feature Maximum number of SSIDs supported Combo port configuration Shutting down an Ethernet interface 512
WX6103
LSQM1WCMB0 512
LSBM1WCM2A0 512
LSRM1WCM2A1 512
The MPU does not support the Combo port. Yes Internal loopback testing supported on XGE interfaces only No No No No No Yes No
No
No
No
Ethernet interface configuration Configuring flow control on an Ethernet interface Layer 2 LAN Switching Configuration Guide Link aggregation configuration MSTP Configuration Layer 2 forwarding configuration Port mirroring configuration DNS configuration IP performance optimization configuration Layer 3 IP Services Configuration Guide Adjacency table configuration IPv6 basics configuration IPv6 application configuration Loopback detection on an Ethernet interface Link aggregation STP Layer 2 forwarding Port mirroring IPv6 DNS configuration Configuring ICMP to send error packets Displaying and maintaining adjacency table IPv6 basics configuration IPv6 application configuration
Yes
Yes
Yes
Yes
Yes Yes
Yes Yes
No No
Yes Yes
Volume
Module IP routing basics configuration IPv6 static routing configuration MLD snooping configuration IPv6 multicast VLAN configuration ACL configuration
Feature IPv6-related displaying and maintaining commands IPv6 static routing configuration MLD snooping IPv6 multicast VLAN IPv6 ACL Configuring line rate Yes
WX6103
LSQM1WCMB0 Yes
LSBM1WCM2A0 No
LSRM1WCM2A1 Yes
No No No No No Yes
QoS
Configuring CAR applicable to all traffic of online users Specifying the device ID to be used in stateful failover mode Configuring Layer 3 portal authentication Specifying the portal group to which the portal service backup interface belongs
AAA configuration
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Portal configuration
Specifying the device ID to be used in stateful failover mode Specifying the backup source IP address for RADIUS packets to be sent
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
SSH2.0 configuration
Yes
Yes
No
Yes
Volume
Module
Feature Establishing a connection between an SSH client and an IPv6 SSH server Specifying a source IPv6 address or interface for an SFTP client Establishing a connection between an SFTP client and an IPv6 SFTP server IPv6 SFTP client
WX6103
LSQM1WCMB0
LSBM1WCM2A0
LSRM1WCM2A1
Yes
Yes
No
Yes
Yes
Yes
No
Yes
Yes
Yes
No
Yes
Yes ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes
Yes ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes
No ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes
Yes ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes
Enabling attack prevention for protocols Configuring rate limits for a protocol Network Management and Monitoring Configuration Guide OAA Configuration Guide Information center configuration OAA configuration Logfile OAP module configuration ACSEI server configuration
Yes
No
No
No
No No
No No
No No
Volume
Module
WX6103
LSQM1WCMB0 Yes
LSBM1WCM2A0 Yes
LSRM1WCM2A1 Yes
No
Yes
Yes
Yes
The access controller engine and switching engine on the WX3000 series adopt the OAP architecture. The switching engine is integrated on the access controller engine as an OAP card. You actually log in to the access controller engine when you log in to the device by default. GE 1/0/1 interfaces on the WX3024, WX3010 and WX3008 are used to exchange data, status and control information with GE1/0/29 (WX3024), GE1/0/11 (WX3010) or GE1/0/9 (WX3008) on the switching engine. Do not configure services such as QoS rate limiting and 802.1X authentication on these interfaces.
Volume
Module
WX3024 Flash
WX3010 Flash No No 64 No
WX3008
24 APs at most by default, and can be extended to 48 APs. No 64 No No on GE1/0/1 of the access controller engine and GE1/0/29 on the switching engine No Internal loopback testing supported on GE interfaces only No No No No No No Yes No
12 APs at most by default, and can be extended to 24 APs. No 64 No No on GE1/0/1 of the access controller engine and GE1/0/29 on the switching engine No Internal loopback testing supported on GE interfaces only No No No No No No Yes No
Maximum number of SSIDs supported Combo port configuration Shutting down an Ethernet interface
No on GE1/0/1 of the access controller engine and GE1/0/29 on the switching engine No Internal loopback testing supported on GE interfaces only No No No No No No Yes No
Layer 2 LAN Switching Configuration Guide Link aggregation configuration MSTP Configuration Layer 2 forwarding configuration Port mirroring configuration Layer 3 IP Services Configuration Guide DNS configuration IP performance optimization configuration Adjacency table configuration IPv6 basics configuration
Link aggregation configuration STP Layer 2 forwarding Port mirroring configuration IPv6 DNS configuration Configuring ICMP to send error packets Displaying and maintaining an adjacency table IPv6 basics configuration
Volume
Module IPv6 application configuration IP routing basics configuration IPv6 static routing configuration MLD snooping configuration
Feature IPv6 application configuration IPv6-related displaying and maintaining commands IPv6 static routing configuration MLD snooping IPv6 multicast VLAN IPv6 ACL Configuring line rate No No No No No No No Yes No Yes
WX3008
QoS
Configuring CAR applicable to all traffic of online users Specifying the device ID to be used in stateful failover mode Configuring Layer 3 portal authentication Specifying the portal group to which the portal service backup interface belongs
AAA configuration
No
No
No
Portal configuration Specifying the device ID to be used in stateful failover mode Specifying the backup source IP address for RADIUS packets to be sent SSH2.0 configuration Specifying a source IPv6 address or interface for an SSH client Establishing a connection between an SSH client and an IPv6 SSH server No No No
No
No
No
No
No
No
No
No
No
Volume
Module
Feature Specifying a source IPv6 address or interface for an SFTP client Establishing a connection between an SFTP client and an IPv6 SFTP server IPv6 SFTP client Management protocol packets supported No
WX3024 No
WX3010 No
WX3008
No No ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes
No No ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes
No No ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes
Enabling attack prevention for protocols Configuring rate limits for a protocol Network Management and Monitoring Configuration Guide Information center configuration Logfile OAP module configuration OAA Configuration Guide OAA configuration ACSEI server configuration ACSEI client configuration Access Controller Module Basic Configuration Guide Access Controller Module Basic Configuration Access Controller Module Basic Configuration
No Yes No No No
No Yes No No No
No Yes No No No
Command Matrixes
In this document, Yes means a feature or command is supported, and No means not supported.
AUX and VTY user interfaces are supported. User Interface Commands display user-interface When number is an absolute index, the value ranges from 0 to 5.
Console and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5.
AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
Volume
Module
Command
WX5002
WX5002V2
LS8M1WCMA0
WX5004 Console and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6. Console and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
LSWM1WCM10
LSWM1WCM20
AUX and VTY user interfaces are supported. free user-interface When number is an absolute index, the value ranges from 0 to 5.
Console and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5.
AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
AUX and VTY user interfaces are supported. send When number is an absolute index, the value ranges from 0 to 5.
Console and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5.
AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
Volume
Module
Command
WX5002
WX5002V2
LS8M1WCMA0
WX5004 Console and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6. No Yes Yes Yes Yes Yes usb not supported fan-id ranges from 1 to 5. power-id takes the value of 1 or 2. No
LSWM1WCM10
LSWM1WCM20
AUX and VTY user interfaces are supported. user-interface When number is an absolute index, the value ranges from 0 to 5.
Console and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5.
AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 6.
configuration encrypt ftp ipv6 File management commands mount open ipv6 tftp ipv6 umount Device management commands
No Yes No No Yes No cf-card, usb, subslot subslot-number not supported fan-id takes the value of 1 or 2. power-id takes the value of 1 or 2. No
No Yes No No Yes No cf-card, usb, subslot subslot-number not supported fan-id takes the value of 1 or 2. power-id takes the value of 1 or 2. No
display device
display fan
display power
No
No
display rps
No
No
4-3
Volume
Module
WX5002 No on the WX5002-128 By default, lower-value is 5, and upper-value is 60 number ranges from 1 to 6.
WX5004 Yes By default, lower-valu e is 0, and upper-valu e is 90 number ranges from 1 to 7. interface-n umber ranges from 0 to 1023. interface-n umber ranges from 0 to 1023. Yes interface-in dex ranges from 0 to 1023. group-id ranges from 1 to 64.
LSWM1WCM10 Yes
temperature-limit
No
Basic system configuration commands WLAN Command Reference WLAN interface commands
configure-user count
interface wlan-ess
bind wlan-ess
4-4
Volume
Module
Command
WX5002
WX5002V2
LS8M1WCMA0
WX5004 hellointerv al ranges from 100 to 2000 millisecond s, and defaults to 2000 millisecond s. group-id ranges from 1 to 64. group-id ranges from 1 to 64. Yes Yes Yes Yes Yes Yes Yes Yes Yes
LSWM1WCM10
LSWM1WCM20
hot-backup hellointerval
No
hellointerval ranges from 100 to 2000 milliseconds, and defaults to 2000 milliseconds.
No
No
hellointerval ranges from 100 to 2000 milliseconds, and defaults to 2000 milliseconds.
wlan ap-group
wlan permit-ap-group display wlan client display wlan mobility-group WLAN roaming commands member mobility-tunnel undo member source Layer 2 LAN Switching Command Reference Ethernet interface commands duplex display loopback-detecti on flow-control
4-5
Volume
Module
Command
WX5002
WX5002V2
LS8M1WCMA0
WX5004 value ranges from 1600 to 4096 bytes and defaults to 1600 bytes. Yes Yes Yes Yes Yes Yes The maximum value is 512. count ranges from 0 to 8192.
LSWM1WCM10
LSWM1WCM20
jumboframe enable
value ranges from 1600 to 9216 bytes and defaults to 1600 bytes.
value ranges from 1600 to 4096 bytes and defaults to 1600 bytes.
value ranges from 1600 to 4096 bytes and defaults to 1600 bytes.
value ranges from 1600 to 4096 bytes and defaults to 1600 bytes.
value ranges from 1600 to 4096 bytes and defaults to 1600 bytes.
loopback loopback-detecti on control enable loopback-detecti on enable loopback-detecti on interval-time shutdown speed interface vlan-interface
Yes Yes Yes Yes Yes Yes The maximum value is 64.
Yes Yes Yes Yes Yes Yes The maximum value is 64.
VLAN commands
mac-address max-mac-count All commands in the link aggregation commands manual All commands in the MSTP commands manual
Yes
Yes
No
No
No
No
MSTP commands
No
Yes
No
Yes
No
No
4-6
Volume
Command All commands in the Layer 2 commands manual All commands in the port mirroring commands manual pppoe-server max-sessions local-mac
WX5002
WX5002V2
LS8M1WCMA0
WX5004
LSWM1WCM10
LSWM1WCM20
Yes
No
Yes
Yes
No
No
Yes
Yes
No
Yes
No
No
number ranges from 1 to 2048. number ranges from 1 to 65535 and defaults to 4096. number ranges from 0 to 8192.
PPP commands pppoe-server max-sessions total number ranges from 1 to 2048 and defaults to 1024. number ranges from 1 to 4096 and defaults to 4096. number ranges from 1 to 2048 and defaults to 1024.
ARP commands
arp max-learning-nu m All commands in IPv6 DNS configuration commands ip redirects enable
DNS commands
Yes
Yes
Yes
Yes
Yes
Yes
No No No Yes
No No No No
No No No Yes
No No No Yes
No No No Yes
display adjacent-table
4-7
Volume
Module
WX5002
WX5002V2
LS8M1WCMA0
WX5004
LSWM1WCM10
LSWM1WCM20
Yes
Yes
Yes
Yes
Yes
Yes
All commands in IPv6 application commands manual display ipv6 routing-table display ipv6 routing-table ipv6-address display ipv6 routing-table ipv6-address1 ipv6-address2
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
display ipv6 routing-table protocol display ipv6 routing-table statistics display ipv6 routing-table verbose reset ipv6 routing-table statistics
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
4-8
Volume
WX5002
WX5002V2
LS8M1WCMA0
WX5004
LSWM1WCM10
LSWM1WCM20
Yes
Yes
Yes
Yes
Yes
Yes
igmp-snooping fast-leave
Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Yes Yes
Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Yes Yes
Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Yes Yes
Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Yes Yes
Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Yes Yes
Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Yes Yes
port multicast-vlan
4-9
Volume
Module
WX5004 Layer 2 aggregate interface view not supported Yes green action not supported remark-lppass new-localprecedenc e not supported Yes Yes
ACL Commands
Yes
Yes
Yes
Yes
Yes
QoS Commands
car
Yes Yes
Yes Yes
Yes Yes
4-10
Volume
Module
Command
WX5002
WX5002V2
LS8M1WCMA0
WX5004 classifier tcl-name not supported inbound-i nterface interface-ty pe interface-n umber not supported
LSWM1WCM10
LSWM1WCM20
classifier tcl-name not supported inbound-interf ace interface-type interface-numb er not supported if-match Yes local-precede nce local-preceden ce-list not supported rtp start-port start-port-numb er end-port end-port-numb er not supported Yes
classifier tcl-name not supported inbound-interfa ce interface-type interface-numbe r not supported local-preceden ce local-precedenc e-list not supported rtp start-port start-port-numbe r end-port end-port-numbe r not supported
classifier tcl-name not supported inbound-interfa ce interface-type interface-number not supported local-preceden ce local-precedenc e-list not supported rtp start-port start-port-numbe r end-port end-port-number not supported
local-prec edence local-prece dence-list not supported rtp start-port start-port-n umber end-port end-port-n umber not supported
qos pql inbound-interfac e qos pql protocol qos cql inbound-interfac e qos cql protocol qos car qos map-table
No No No No Yes Yes
No No No No Yes Yes
No No No No Yes Yes
No No No No Yes Yes
4-11
Volume
Module
Command
WX5002
WX5002V2 [ ebs excess-burst-si ze ] not supported Yes Yes user-number ranges from 1 to 4096. user-number ranges from 1 to 4096 and defaults to 4096.
LS8M1WCMA0
WX5004
LSWM1WCM10 [ ebs excess-burst-siz e ] not supported Yes Yes user-number ranges from 1 to 4096.
LSWM1WCM20 [ ebs excess-burst-siz e ] not supported Yes No user-number ranges from 1 to 2048.
qos lr
Yes
Yes
No
Yes Yes user-numb er ranges from 1 to 4096. user-numb er ranges from 1 to 4096 and defaults to 4096. layer3 supported
802.1X commands
dot1x max-user
Portal commands
portal server server-name method { direct | layer3 | redhcp } portal backup-group group-id nas device-id device-id radius nas-backup-ip ip-address radius scheme radius-scheme-na me nas-backup-ip ip-address
layer3 supported
layer3 supported
layer3 supported
No
Yes
No
Yes
Yes
No
No
Yes
No
Yes
Yes
No
No
Yes
No
Yes
Yes
No
No
Yes
No
Yes
Yes
No
4-12
Volume
Module
WX5002V2 max-number ranges from 1 to 4096. Yes Yes Yes Yes Yes
WX5004 max-numb er ranges from 1 to 4096. Yes Yes Yes Yes Yes
LSWM1WCM10 max-number ranges from 1 to 4096. Yes Yes Yes Yes Yes
LSWM1WCM20 max-number ranges from 1 to 2048. Yes Yes Yes Yes Yes
SSH2.0 commands
ssh2 ipv6 sftp client ipv6 source sftp ipv6 anti-attack protocol enable anti-attack protocol threshold display anti-attack { 11mac | admin | all | arp | data | dhcp | dot1x | hwtacas | icmp | igmp | lwapp | nd | ntp | pim | radius } display anti-attack { protocol protocol | all }
No
Yes
No
Yes
Yes
Yes
Yes
No
Yes
No
No
No
No
Yes
No
Yes
Yes
Yes
Yes Yes No
Yes Yes No
Yes Yes No
4-13
Volume
Module
Command display logfile summary info-center logfile enable info-center logfile frequency info-center logfile size-quota info-center logfile switch-directory logfile save No No No No No No
WX5002
LS8M1WCMA0 No No No No No No
LSWM1WCM10 Yes Yes Yes Yes Yes Yes Yes on the device side of the access controller module Yes No No No No
LSWM1WCM20 No No No No No No Yes on the device side of the access controller module Yes No No No No
mcms connect
No
No
No
No
mcms reboot oap connect slot OAA OAA commands oap management-ip oap reboot slot ACSEI server configuration commands ACSEI client configuration commands
No No No No No
No No No No No
No
Yes
Yes
Yes
Yes
Yes
4-14
Feature support matrix: WX6103, LSQM1WCMB0, LSBM1WCM2A0 and LSRM1WCM2A1

For each command the original table marks every model as Yes or No. The model-specific restrictions and value ranges recorded in the table are the following.

Fundamentals Command Reference
User interface commands (display user-interface).
File management commands (mount, open ipv6, tftp ipv6, umount).
Device management commands (display device, display fan, display power, display rps, temperature-limit): fan-id can only be 1; power-id takes the value of 1 or 2; display rps is not supported; temperature-limit is supported, and by default lower-value is 0 and upper-value is 86.
Basic system configuration commands (configure-user count): number ranges from 1 to 13.

WLAN Command Reference
WLAN interface commands (interface wlan-ess, bind wlan-ess): interface-number ranges from 0 to 1023.
WLAN service commands (display wlan ap-group): interface-index ranges from 0 to 1023; group-id ranges from 1 to 640.
Hot AC backup (all commands; hot-backup hellointerval): hellointerval ranges from 30 to 2000 milliseconds and defaults to 2000 milliseconds; group-id ranges from 1 to 640.
WLAN roaming commands (member, mobility-tunnel, undo member, source): on the LSBM1WCM2A0, member ipv6 ipv6-address, iactp6, undo member ipv6 ipv6-address and source ipv6 ipv6-address are not supported.

Layer 2 LAN Switching Command Reference
Ethernet interface commands (duplex, display loopback-detection, flow-control, jumboframe enable, loopback, loopback-detection control enable, loopback-detection enable, loopback-detection interval-time, shutdown, speed): for jumboframe enable, value ranges from 1600 to 4096 bytes and defaults to 1600 bytes on most models, and from 1600 to 9216 bytes on one model.
VLAN commands (interface vlan-interface): the maximum value is 1024.
MAC address table management commands (mac-address max-mac-count): count ranges from 0 to 24576.
Link aggregation commands, MSTP commands, Layer 2 forwarding commands and port mirroring commands: all commands; not supported.
PPP commands (pppoe-server max-sessions local-mac, pppoe-server max-sessions total): for local-mac, number ranges from 1 to 20480; for total, number ranges from 1 to 65535 and defaults to 4096.

IP Services Command Reference
ARP commands (arp max-learning-num): number ranges from 0 to 24576.
IPv6 basics commands (ipv6 neighbors max-learning-num): on the LSQM1WCMB0 and LSRM1WCM2A1, number ranges from 1 to 1024 and defaults to 1024.
IPv6 application commands: all commands.
IPv6 routing table commands: display ipv6 routing-table, display ipv6 routing-table ipv6-address, display ipv6 routing-table ipv6-address1 ipv6-address2, display ipv6 routing-table protocol, display ipv6 routing-table statistics, display ipv6 routing-table verbose.

IP Multicast Command Reference
IGMP snooping commands (igmp-snooping static-group, igmp-snooping static-router-port vlan), multicast VLAN commands (port multicast-vlan), MLD snooping commands and IPv6 multicast VLAN commands (port multicast-vlan ipv6): Layer 2 aggregate interface view is not supported.

ACL and QoS Command Reference
IPv6 ACL configuration commands and ACL commands.
QoS commands, car: the green action is not supported, and remark-lp-pass new-local-precedence is not supported.
QoS commands, if-match: classifier tcl-name, inbound-interface interface-type interface-number and rtp start-port start-port-number end-port end-port-number are not supported.
QoS commands (qos pql inbound-interface, qos pql protocol, qos cql inbound-interface, qos cql protocol, qos car, qos lr, qos map-table, redirect): marked Yes or No per model.

Security Command Reference
AAA commands (nas device-id device-id).
802.1X commands (dot1x max-user): user-number ranges from 1 to 20480.
MAC authentication commands (mac-authentication max-user user-number): user-number ranges from 1 to 4096 and defaults to 4096.
Portal commands (portal server server-name method { direct | layer3 | redhcp }, portal backup-group group-id, nas device-id device-id, radius nas-backup-ip ip-address, radius scheme radius-scheme-name nas-backup-ip ip-address, portal max-user max-number): method layer3 is supported; max-number ranges from 1 to 20480.
SSH2.0 commands (ssh client ipv6 source, ssh2 ipv6, sftp client ipv6 source, sftp ipv6).
Security protection commands (anti-attack protocol enable, anti-attack protocol threshold, display anti-attack { 11mac | admin | all | arp | data | dhcp | dot1x | hwtacas | icmp | igmp | lwapp | nd | ntp | pim | radius }, display anti-attack { protocol protocol | all }).

System Volume
ping ipv6, tracert ipv6.
Information center commands (display logfile buffer, display logfile summary, info-center logfile enable, info-center logfile frequency, info-center logfile size-quota, info-center logfile switch-directory, logfile save).
OAA commands (mcms connect, mcms reboot, oap connect slot, oap management-ip, oap reboot slot, ACSEI server configuration commands, ACSEI client configuration commands).
Feature support matrix: WX3024, WX3010 and WX3008

For each command the original table marks every model as Yes or No. The model-specific restrictions and value ranges recorded in the table are the following.

Fundamentals Command Reference
File management commands (mount, open ipv6, tftp ipv6, umount): cf-card and usb are not supported.
Device management commands (display device, display fan, display power, display rps, temperature-limit): fan-id takes the value of 1 or 2 on the WX3024 and ranges from 1 to 3 on the WX3010 and WX3008; power-id can only be 1; display rps is not supported. temperature-limit: on the WX3024, by default lower-value is 4 and upper-value is 79; on the WX3010 and WX3008, by default lower-value is 0 and upper-value is 63.
Basic system configuration commands (configure-user count): number ranges from 1 to 6.

WLAN Command Reference
WLAN interface commands (display interface wlan-ess, interface wlan-ess, bind wlan-ess): interface-number ranges from 0 to 63.
WLAN services commands (display wlan ap-group): interface-index ranges from 0 to 63; group-id ranges from 1 to 64 on the WX3024 and from 1 to 12 on the WX3010 and WX3008.
Hot AC backup: all commands.
WLAN roaming commands (member, mobility-tunnel, undo member, source): member ipv6 ipv6-address, iactp6, undo member ipv6 ipv6-address and source ipv6 ipv6-address are not supported.

Layer 2 LAN Switching Command Reference
Ethernet interface commands (duplex, display loopback-detection, flow-control, jumboframe enable, loopback, loopback-detection control enable, loopback-detection enable, shutdown, speed): for jumboframe enable, value ranges from 1600 to 4086 bytes on the WX3024 and from 1600 to 9216 bytes on the WX3010 and WX3008, and defaults to 1600 bytes. For loopback, only internal is supported. shutdown is not supported on GE1/0/1 of the access controller engine, nor on GE1/0/29 (WX3024), GE1/0/11 (WX3010) or GE1/0/9 (WX3008) of the switching engine.
VLAN commands (interface vlan-interface): the maximum value is 32.
MAC address table management commands (mac-address max-mac-count): count ranges from 0 to 2048.
Link aggregation commands, MSTP commands, Layer 2 forwarding commands and port mirroring commands: all commands; not supported.
PPP commands (pppoe-server max-sessions local-mac, pppoe-server max-sessions total): for local-mac, number ranges from 1 to 1024; for total, number ranges from 1 to 1024 and defaults to 1024.

IP Services Command Reference
ARP commands (arp max-learning-num): number ranges from 0 to 2048.
DNS commands: all commands for IPv6 DNS configuration.
IP performance optimization commands (ip redirects enable, ip ttl-expires enable, ip unreachables enable).
Adjacency table commands (display adjacent-table).
IPv6 basics commands (ipv6 neighbors max-learning-num); IPv6 application commands: all commands.
IPv6 routing table commands: display ipv6 routing-table, display ipv6 routing-table ipv6-address, display ipv6 routing-table ipv6-address1 ipv6-address2, display ipv6 routing-table protocol, display ipv6 routing-table statistics, display ipv6 routing-table verbose, reset ipv6 routing-table statistics.
IPv6 static routing commands: all commands.

IP Multicast Command Reference
IGMP snooping commands (igmp-snooping fast-leave, igmp-snooping static-group), multicast VLAN commands (port multicast-vlan) and IPv6 multicast VLAN commands (port multicast-vlan ipv6): Layer 2 aggregate interface view is not supported.

ACL and QoS Command Reference
IPv6 ACL configuration commands and ACL commands.
QoS commands, car: the green action is not supported, and remark-lp-pass new-local-precedence is not supported.
QoS commands, if-match: classifier tcl-name, inbound-interface interface-type interface-number, local-precedence local-precedence-list and rtp start-port start-port-number end-port end-port-number are not supported; IPv6 ACL is not supported.
QoS commands (qos pql inbound-interface, qos pql protocol, qos cql inbound-interface, qos cql protocol, qos car, qos lr, qos map-table, redirect) and congestion management configuration commands: marked Yes or No per model.

Security Command Reference
AAA commands (nas device-id device-id).
802.1X commands (dot1x max-user): user-number ranges from 1 to 2048.
MAC authentication commands (mac-authentication max-user user-number): user-number ranges from 1 to 1024 and defaults to 1024.
Portal commands (portal server server-name method { direct | layer3 | redhcp }, portal backup-group group-id, nas device-id device-id, radius nas-backup-ip ip-address, radius scheme radius-scheme-name nas-backup-ip ip-address, portal max-user max-number): method layer3 is supported.
SSH2.0 commands (ssh client ipv6 source, ssh2 ipv6, sftp client ipv6 source, sftp ipv6).
Security protection commands (anti-attack protocol enable, anti-attack protocol threshold, display anti-attack { 11mac | admin | all | arp | data | dhcp | dot1x | hwtacas | icmp | igmp | lwapp | nd | ntp | pim | radius }, display anti-attack { protocol protocol | all }).

System Volume
ping ipv6, tracert ipv6.
Information center commands (display logfile buffer, display logfile summary, info-center logfile enable, info-center logfile frequency, info-center logfile size-quota, info-center logfile switch-directory, logfile save).
OAA commands (mcms connect, mcms reboot, oap connect slot, oap management-ip, oap reboot slot, ACSEI server configuration commands, ACSEI client configuration commands).
CLI Configuration
This chapter includes these sections:
What Is CLI?
Entering the CLI
CLI Descriptions
Using the CLI
Configuring the CLI
What Is CLI?
The command line interface (CLI) is an interface where you interact with your device by typing text commands. At the CLI, you instruct your device to perform a given task by typing a text command and pressing Enter to submit it. You can enter commands to configure your access controller (AC) and verify the configuration from the output, so the CLI is the primary means of AC configuration and management. The CLI of H3C ACs is as shown in Figure 5-1.
Figure 5-1 Schematic diagram for the CLI
5-1
Through SSH with encryption. For more information, see SSH2.0 in the Security Configuration Guide.
Because the serial port of a PC is not hot swappable, do not plug or unplug the console cable when your AC is powered on. When connecting the PC to your AC, first plug the DB-9 connector of the console cable into the PC, and then plug the RJ-45 connector into your AC. When disconnecting the PC from your AC, first unplug the RJ-45 connector and then the DB-9 connector.
2) Launch a terminal emulation utility on your PC. In this chapter, the HyperTerminal in Windows XP is used as an example. Click Start > All Programs > Accessories > Communications > HyperTerminal to enter the HyperTerminal window. The Connection Description window as shown in Figure 5-3 appears. Type a connection name (test, for example) in the Name input box, and click OK.
3) The Connect To window as shown in Figure 5-4 appears. Select the serial port you want to use from the Connect using drop-down list, and then click OK.
Figure 5-4 Specify the serial port used to establish the connection
4) The COM1 Properties window as shown in Figure 5-5 appears. In this window, set Bits per second to 9600, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None. Click OK.
5) Select File > Properties on the HyperTerminal window, and the test Properties window appears. Select the Settings tab as shown in Figure 5-7, select VT100 from the Emulation drop-down list, and then click OK.
Figure 5-7 Select the emulation terminal on the test Properties window
6) Press Enter on the HyperTerminal window. The CLI of your AC appears on the window, as shown in Figure 5-8, indicating that you have successfully logged in to your AC.
5-5
Figure 5-8 Schematic diagram for successful login through the console port
Authentication modes for user interfaces: None; Password
5-6
An AC provides multiple VTY user interfaces. At one time, only one user can telnet to a VTY user interface. Because a remote terminal cannot select the VTY user interface through which it logs in to the AC, it is recommended that you configure all VTY user interfaces with the same authentication method. The following example is configured in this way.
The number of VTY user interfaces provided by an H3C device varies by AC model. In this document, an AC providing five VTY user interfaces is used as an example, which means that the VTY user interface number ranges from 0 to 4. If your AC provides a different number of VTY user interfaces, make sure that the VTY interface number you configure is within the actual range.
# Enter system view and create VLAN-interface 1.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] quit
# Enter the view of VTY user interfaces 0 through 4.
[Sysname] user-interface vty 0 4
# Configure the authentication method for the VTY user interfaces as needed. Omitted. For more information, see Logging In to the AC.
# Configure command level 3 for users that log in through VTY user interfaces 0 through 4.
[Sysname-ui-vty0-4] user privilege level 3
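The example above grants command level 3 (the manage level) to every session on VTY 0 through 4 and leaves the authentication method to be filled in. Whether that is safe depends entirely on the lines the example omits: with authentication-mode none, any Telnet client that reaches the AC gets level 3 without a password. The following Python script is an added example, not part of this guide and not H3C code. It parses the user-interface vty block out of a Comware-style configuration and reports the settings a reviewer would check before signing off: scheme (AAA) authentication, SSH-only inbound protocol, an inbound ACL, and an idle timeout. The two sample configurations are constructed for the example; the policy thresholds (at most a 5 minute idle timeout) and the assumed 10 minute default when idle-timeout is absent are assumptions of the script, not values from this guide, and the password ciphertext is a placeholder.

```python
import re
from dataclasses import dataclass, field

# Constructed sample configurations (not from the H3C guide). The weak block is
# what a VTY setup with no login authentication looks like; the hardened block is
# what the audit below expects. The ciphertext is a placeholder, not a real hash.
WEAK_CONFIG = """\
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
"""

HARDENED_CONFIG = """\
#
acl number 2001
 rule 0 permit source 192.168.1.0 0.0.0.255
 rule 5 deny
#
local-user admin
 password cipher $c$3$placeholder
 authorization-attribute level 3
 service-type ssh
#
ssh server enable
#
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode scheme
 user privilege level 3
 idle-timeout 5 0
 protocol inbound ssh
#
"""

MAX_IDLE_MINUTES = 5       # assumed policy, not a value from the guide
DEFAULT_IDLE_MINUTES = 10  # assumed Comware V5 default when idle-timeout is absent


@dataclass
class VtyBlock:
    first: int                 # first VTY number covered by the block
    last: int                  # last VTY number covered by the block
    commands: list = field(default_factory=list)


def parse_vty_blocks(config):
    """Return the 'user-interface vty' blocks of a Comware-style config.

    Comware indents the commands that belong to a view by one space, so a
    block ends at the first line that is not indented (the next view or '#').
    """
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = re.match(r"user-interface vty (\d+)(?: (\d+))?$", line)
        if match:
            first = int(match.group(1))
            last = int(match.group(2)) if match.group(2) else first
            current = VtyBlock(first, last)
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current.commands.append(line.strip())
        else:
            current = None
    return blocks


def _first(cmds, prefix):
    return next((c for c in cmds if c.startswith(prefix)), None)


def audit_vty(block):
    """Return a list of findings for one VTY block (empty means it passes)."""
    findings = []
    cmds = block.commands
    where = f"vty {block.first}-{block.last}"

    auth = _first(cmds, "authentication-mode")
    if auth != "authentication-mode scheme":
        findings.append(f"{where}: {auth or 'authentication-mode not set'}; "
                        "expected authentication-mode scheme (AAA)")
    # The dangerous combination: level 3 on a line that does not authenticate
    # gives every Telnet client manage-level access.
    if auth == "authentication-mode none" and _first(cmds, "user privilege level 3"):
        findings.append(f"{where}: user privilege level 3 granted without authentication")

    if _first(cmds, "protocol inbound") != "protocol inbound ssh":
        findings.append(f"{where}: protocol inbound ssh not set; Telnet is accepted")

    if not any(c.startswith("acl ") and c.endswith(" inbound") for c in cmds):
        findings.append(f"{where}: no inbound ACL limiting management sources")

    idle = _first(cmds, "idle-timeout")
    minutes, seconds = DEFAULT_IDLE_MINUTES, 0
    if idle:
        parts = idle.split()
        minutes = int(parts[1])
        seconds = int(parts[2]) if len(parts) > 2 else 0
    if minutes == 0 and seconds == 0:
        findings.append(f"{where}: idle-timeout 0 disables the idle timeout")
    elif minutes > MAX_IDLE_MINUTES:
        findings.append(f"{where}: idle timeout is {minutes} minutes; "
                        f"expected at most {MAX_IDLE_MINUTES}")
    return findings


def audit_config(config):
    """Audit every VTY block in a config; flag a config that has none."""
    blocks = parse_vty_blocks(config)
    if not blocks:
        return ["no user-interface vty block found; defaults apply to remote logins"]
    return [f for block in blocks for f in audit_vty(block)]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["ok"])
```

Run against the weak sample it reports five findings; the hardened sample passes. The checks are deliberately applied per VTY block because, as the text above notes, a remote terminal cannot choose which VTY it lands on, so a single lax block undermines the rest.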
CLI Descriptions
Command Conventions
Commands in Command Reference comply with the following conventions. Table 5-2 Command conventions
Boldface: The keywords of a command line are in Boldface. Keep keywords unchanged when typing them in the CLI.
Italic: Command arguments are in italic. Replace arguments with actual values in the CLI.
[ ]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
&<1-n>: The argument(s) before the ampersand (&) sign can be entered 1 to n times.
#: A line starting with the # sign is a comment.
5-7
Take the clock datetime time date command as an example to understand the command meaning according to Table 5-2.
Figure 5-9 Read command line parameters
Type the following command line in the CLI of a device and press Enter. This sets the device system time to 10:30:20 (10 o'clock, 30 minutes, 20 seconds), February 23, 2010.
<Sysname> clock datetime 10:30:20 2/23/2010
You can read more complicated commands in the same way according to Table 5-2.
If the current view is user view, executing the quit command breaks the connection between the user terminal and the AC.
......omitted......
Type part of a command and ? separated by a space. If ? is at the position of a keyword, the CLI displays all possible keywords with a brief description about each of these keywords.
<Sysname> terminal ?
  debugging  Send debug information to terminal
  logging    Send log information to terminal
  monitor    Send information output to current terminal
  trapping   Send trap information to terminal
If ? is at the position of an argument, the CLI displays a description about this argument.
<Sysname> system-view
[Sysname] interface vlan-interface ?
  <1-4094>  VLAN interface number
[Sysname] interface vlan-interface 1 ?
  <cr>
[Sysname] interface vlan-interface 1
The string <cr> indicates that the command is already complete, and you can execute the command by pressing Enter. Type a character string followed by ?. The CLI displays all commands starting with this string.
<Sysname> c?
cd  clock  copy
Type part of a keyword followed by a ?. The CLI displays all keywords starting with the character string you typed.
<Sysname> display cl?
clipboard  clock
When editing the command lines, you can use the hotkeys listed in Table 5-6 besides those in Table 5-4, or you can define shortcut keys by yourself. For more information, see Configuring CLI Hotkeys.
You may use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet. However, the up and down arrow keys are invalid in Windows 9X HyperTerminal, because they are defined differently. You can press Ctrl+P or Ctrl+N instead.
The commands saved in the history command buffer are in the same format in which you typed them. If you typed an incomplete command, the command saved in the history command buffer is also incomplete. If you execute the same command repeatedly, the device saves only the earliest record. However, if you execute the same command in different formats, the system saves them as different commands. For example, if you execute the display cu command repeatedly, the system saves only one command in the history command buffer; if you execute the command in the formats display cu and display current-configuration respectively, the system saves them as two commands. By default, the CLI can save up to 10 commands for each user. You can use the history-command max-size command to set the capacity of the history command buffer for the current user interface (for more information about the history-command max-size command, see User Interface in the Fundamentals Command Reference).
Action: Function
Press Space: Displays the next screen.
Press Enter: Displays the next line.
Press Ctrl+C: Stops the display and the command execution.
Press <Ctrl+E>: Moves the cursor to the end of the current line.
Press <PageUp>: Displays the previous page.
Press <PageDown>: Displays the next page.
Disable the multiple-screen output function of the current user interface: screen-length disable
Character / Meaning / Remarks
string$
  Meaning: Ending sign. string$ appears only at the end of a line.
  Remarks: For example, the regular expression "user$" only matches a string ending with user, not userA.
.
  Meaning: Matches any single character, such as a single character, a special character, and a blank.
  Remarks: For example, .l matches both vlan and mpls.
*
  Meaning: Matches the preceding character or character group zero or multiple times.
  Remarks: For example, zo* matches z and zoo; (zo)* matches zo and zozo.
+
  Meaning: Matches the preceding character or character group one or multiple times.
  Remarks: For example, zo+ matches zo and zoo, but not z.
|
  Meaning: Matches the preceding or succeeding character string.
  Remarks: For example, def|int only matches a character string containing def or int.
_
  Meaning: If it is at the beginning or the end of a regular expression, it equals ^ or $. In other cases, it equals comma, space, round bracket, or curly bracket.
  Remarks: For example, a_b matches a b or a(b; _ab only matches a line starting with ab; ab_ only matches a line ending with ab.
-
  Meaning: It connects two values (the smaller one before it and the bigger one after it) to indicate a range together with [ ].
  Remarks: For example, 1-9 means 1 to 9 (inclusive); a-h means a to h (inclusive).
[ ]
  Meaning: Matches a string containing any one of the characters within the brackets.
  Remarks: For example, [16A] matches a string containing any character among 1, 6, and A; [1-36A] matches a string containing any character among 1, 2, 3, 6, and A (- is a hyphen). ] can be matched as a common character only when it is put at the beginning of characters within the brackets, for example [ ]string]. There is no such limit on [.
( )
  Meaning: A character group. It is usually used with + or *.
  Remarks: For example, (123A) means a character group 123A; 408(12)+ matches 40812 or 408121212. But it does not match 408.
\index
  Meaning: Repeats the character string specified by the index. A character string refers to the string within ( ) before \. index refers to the sequence number (starting from 1 from left to right) of the character group before \. If only one character group appears before \, index can only be 1; if n character groups appear before index, index can be any integer from 1 to n.
  Remarks: For example, (string)\1 repeats string, and thus a matching string must contain stringstring. (string1)(string2)\2 repeats string2, and thus a matching string must contain string1string2string2. (string1)(string2)\1\2 repeats string1 and string2 respectively, and thus a matching string must contain string1string2string1string2.
[^]
  Meaning: Matches a string containing any character except those within the brackets.
  Remarks: For example, [^16A] means to match a string containing any character except 1, 6 or A, and the matching string can also contain 1, 6 or A, but cannot contain these three characters only. For example, [^16A] matches abc and m16, but not 1, 16, or 16A.
\<string
  Meaning: Matches a character string starting with string.
  Remarks: For example, \<do matches the word domain and the string doa.
string\>
  Meaning: Matches a character string ending with string.
  Remarks: For example, do\> matches the word undo and the string abcdo.
\bcharacter2
  Meaning: Matches character1character2. character1 can be any character except number, letter or underline, and \b equals [^A-Za-z0-9_].
  Remarks: For example, \ba matches -a with - being character1, and a being character2, but it does not match 2a or ba.
\Bcharacter
  Meaning: Matches a string containing character, and no space is allowed before character.
  Remarks: For example, \Bt matches t in install, but not t in big top.
character1\w
  Meaning: Matches character1character2. character2 must be a number, letter, or underline, and \w equals [^A-Za-z0-9_].
  Remarks: For example, v\w matches vlan, with v being character1, and l being character2. v\w also matches service, with i being character2.
\W
  Meaning: Equals \b.
  Remarks: For example, \Wa matches -a, with - being character1, and a being character2, but does not match 2a or ba.
\
  Meaning: Escape character. If a special character listed in this table follows \, the specific meaning of the character is removed.
  Remarks: For example, \\ matches a string containing \, \^ matches a string containing ^, and \\b matches a string containing \b.
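The following script is an added example; it is not part of this manual or of the H3C software. It translates the Comware-specific tokens in the table above (_, \<, \>, \b, \B) into Python re syntax so that output captured from a display command can be searched offline with the same expressions, and it emulates the begin, exclude, and include output filters. The filter keyword names, the sample configuration text, and the choice not to translate \w and \W are assumptions of this example.

```python
import re

# Assumed mapping of the table's Comware-specific tokens to Python re syntax.
_SEPARATOR_CLASS = r"[,\s(){}]"    # what "_" stands for in the middle of an expression
_NONWORD_CLASS = r"[^A-Za-z0-9_]"   # the table's definition of "\b"


def comware_to_python(pattern: str) -> str:
    """Translate a Comware display-filter regular expression into Python re syntax."""
    out, i, n, in_bracket = [], 0, len(pattern), False
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:                 # escape sequence
            nxt = pattern[i + 1]
            if in_bracket or nxt not in "<>bB":
                out.append(ch + nxt)                  # \\, \^, \1 ... pass through unchanged
            elif nxt in "<>":
                out.append(r"\b")                     # \<string / string\>: word start / word end
            elif nxt == "b":
                out.append(_NONWORD_CLASS)            # \b consumes one non-word character
            else:
                out.append(r"(?<!\s)")                # \B: no space before the character
            i += 2
        elif ch == "[":                               # bracket expression; a leading ] is literal
            out.append(ch)
            i += 1
            if i < n and pattern[i] == "^":
                out.append("^")
                i += 1
            if i < n and pattern[i] == "]":
                out.append("]")
                i += 1
            in_bracket = True
        elif ch == "]" and in_bracket:
            out.append(ch)
            in_bracket = False
            i += 1
        elif ch == "_" and not in_bracket:            # leading/trailing _ anchor, otherwise separator
            out.append("^" if i == 0 else "$" if i == n - 1 else _SEPARATOR_CLASS)
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def comware_search(pattern: str, line: str) -> bool:
    """True when the Comware expression matches somewhere in the line."""
    return re.search(comware_to_python(pattern), line) is not None


def filter_lines(pattern: str, lines, mode: str = "include"):
    """Emulate 'display ... | { begin | exclude | include } regex' over captured output."""
    rx = re.compile(comware_to_python(pattern))
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    if mode == "begin":
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]
        return []
    raise ValueError(f"unknown filter mode {mode!r}")


# Constructed excerpt of display current-configuration output, used as sample input.
SAMPLE_CONFIG = """\
#
 sysname Sysname
#
local-user ftp
 password simple pwd
 authorization-attribute level 3
 service-type ftp
#
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
 idle-timeout 0 0
#""".splitlines()


if __name__ == "__main__":
    # Every line that grants level 3 (the manage level) somewhere in the configuration.
    for line in filter_lines("level_3", SAMPLE_CONFIG):
        print(line)
```

The translation keeps the table's own semantics rather than Python's: \b here consumes a character, and a leading or trailing _ becomes a line anchor, which is why a pattern such as _user-interface only matches lines that start with that keyword.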
Display hotkeys
By default, the Ctrl+G, Ctrl+L and Ctrl+O hotkeys are associated with corresponding commands as follows and the Ctrl+T and Ctrl+U are NULL. Ctrl+G corresponds to the display current-configuration command. Ctrl+L corresponds to the display ip routing-table command. Ctrl+O corresponds to the undo debugging all command.
Hotkey: Function
<Ctrl+D>: Deletes the character at the current cursor position.
<Ctrl+E>: Moves the cursor to the end of the current line.
<Ctrl+F>: Moves the cursor one character to the right.
<Ctrl+H>: Deletes the character to the left of the cursor.
<Ctrl+K>: Terminates an outgoing connection.
<Ctrl+N>: Displays the next command in the history command buffer.
<Ctrl+P>: Displays the previous command in the history command buffer.
<Ctrl+R>: Redisplays the current line information.
<Ctrl+V>: Pastes the content in the clipboard.
<Ctrl+W>: Deletes all the characters in a continuous string to the left of the cursor.
<Ctrl+X>: Deletes all the characters to the left of the cursor.
<Ctrl+Y>: Deletes all the characters to the right of the cursor.
<Ctrl+Z>: Returns to user view.
<Ctrl+]>: Terminates an incoming connection or a redirect connection.
<Esc+B>: Moves the cursor to the leading character of the continuous string to the left.
<Esc+D>: Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor.
<Esc+F>: Moves the cursor to the front of the next continuous string to the right.
<Esc+N>: Moves the cursor down by one line (available before you press Enter).
<Esc+P>: Moves the cursor up by one line (available before you press Enter).
<Esc+<>: Specifies the cursor as the beginning of the clipboard.
<Esc+>>: Specifies the cursor as the ending of the clipboard.
These hotkeys are defined by the device. When you interact with the device from terminal software, these keys may also be defined in the terminal software to perform other operations. If so, the hotkey definition of the terminal software takes precedence.
When you type a command alias, the system displays and saves the command in its original format instead of its alias. That is, you can define and use a command alias but the command is not saved and restored in its alias. When you define a command alias, the cmdkey and alias arguments must be in complete form. With the command alias function enabled, when you type an incomplete keyword, which partially matches both a defined alias and the keyword of a command, the alias wins; to execute the command whose keyword partially matches your input, you must type the complete keyword. When you input a character string that matches multiple aliases partially, the system prompts you for various matching information. If you press Tab after you type the keyword of an alias, the original format of the keyword is displayed. You can replace only the first keyword of a non-undo command instead of the complete command; and you can replace only the second keyword of an undo command. Follow these steps to configure command aliases:
To do / Use the command / Remarks
Enter system view: system-view
Enable the command alias function: command-alias enable. Required. Disabled by default, that is, you cannot configure command aliases.
Configure command aliases: command-alias mapping cmdkey alias. Required. Not configured by default.
To display the configured command aliases, use the display command-alias command.
With this feature enabled: If you have no input at the command line prompt and the system outputs system information (for example, logs), the system does not display the command line prompt after the outputs. If the system outputs system information while you are typing interactive information (not YES/NO for confirmation), the system does not redisplay the prompt, but inserts a line break after the outputs and then redisplays what you have typed.
For more information about the info-center synchronous command, see Information Center in the Network Management and Monitoring Command Reference.
Command levels, from lowest to highest: Visit, Monitor, System, and Manage.
For how to configure the user privilege level, see Basic System Configuration in the Fundamentals Configuration Guide.
H3C recommends that you use the default command level, or change the command level only under the guidance of professional staff, because an improper command level change brings inconvenience to your maintenance and operation and can even create security problems.
Saving Configurations
Some commands in the CLI of H3C ACs are one-time commands, such as display commands, which display specified information, and reset commands, which clear specified information. These commands are executed once and are not saved when the AC reboots. For other commands, after executing them, enter the save command in any view to save all the submitted and executed commands into the configuration file. Saved commands are not lost after the AC reboots.
FTP Configuration
This chapter includes these sections: FTP Overview Configuring the FTP Client Configuring the FTP Server Displaying and Maintaining FTP
FTP Overview
Introduction to FTP
The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network. FTP uses TCP ports 20 and 21 for file transfer. Port 20 is used to transmit data, and port 21 to transmit control commands. See RFC 959 for details of FTP basic operation. FTP transfers files in two modes:
Binary mode: transfers files as raw data, like .app, .bin, and .btm files.
ASCII mode: transfers files as text, like .txt, .bat, and .cfg files.
Operation of FTP
FTP adopts the client/server model. Your AC (Device) can function either as the client or as the server (as shown in Figure 6-1). When the device serves as the FTP client, use Telnet or an emulation program to log in to the device from the PC, execute the ftp command to establish a connection from the device (FTP client) to the PC (FTP server), and then upload/download files to/from the server. When the device serves as the FTP server, run the FTP client program on the PC to establish a connection to the FTP server and upload/download files to/from the server.
Figure 6-1 Network diagram for FTP
When the device serves as the FTP client, you need to perform the following configuration:
Table 6-1 Configuration when the device serves as the FTP client
Device (FTP client): Use the ftp command to establish the connection to the remote FTP server. If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device must obtain the FTP username and password first to log in to the remote FTP server.
PC (FTP server): Enable FTP server on the PC, and configure the username, password, user privilege level, and so on.
When the device serves as the FTP server, you need to perform the following configuration:
Table 6-2 Configuration when the device serves as the FTP server
Device (FTP server):
  Enable the FTP server function. Disabled by default. You can use the display ftp-server command to view the FTP server configuration on the device.
  Configure authentication and authorization: configure the username, password, and authorized directory for an FTP user. The device does not support anonymous FTP for security reasons. Therefore, you must set a valid username and password. By default, authenticated users can access the root directory of the device.
  Configure the FTP server operating parameters, such as the FTP connection timeout time.
PC (FTP client):
  Use the FTP client program to log in to the FTP server. You can log in to the FTP server only after you input the correct FTP username and password.
Make sure that the FTP server and the FTP client can reach each other before establishing the FTP connection. When you use IE to log in to the device serving as the FTP server, some FTP functions are not available. This is because multiple connections are established during the login process but the device supports only one connection at a time.
Only users with the manage level can use the ftp command to log in to an FTP server, enter FTP client view, and execute directory and file related commands. However, whether the commands can be executed successfully depends on the authorizations of the FTP server.
Return to user view: quit
To do / Use the command
Log in to the remote FTP server directly in user view: ftp [ server-address [ service-port ] [ source { interface interface-type interface-number | ip source-ip-address } ] ]
Log in to the remote FTP server from FTP client view: ftp, and then open server-address [ service-port ]
Remarks: Use either approach. The ftp command is available in user view; and the open command is available in FTP client view.
If no primary IP address is configured on the specified source interface, no FTP connection can be established. If you use the ftp client source command to first configure the source interface and then the source IP address of the transmitted packets, the newly configured source IP address will take effect instead of the current source interface, and vice versa.
To do / Use the command (all of the following are optional and are executed in FTP client view)
Delete the specified file on the remote FTP server permanently: delete remotefile
Set the file transfer mode to ASCII: ascii
Set the file transfer mode to binary: binary
Set the data transmission mode to passive: passive
Display the local working directory of the FTP client: lcd
Upload a file to the FTP server: put localfile [ remotefile ]
Download a file from the FTP server: get remotefile [ localfile ]
Enable the display of detailed prompt information: verbose
Enable FTP client debugging: debugging
Terminate the connection to the FTP server without exiting FTP client view: close
Terminate the connection to the FTP server and return to user view: bye
[Figure: Device (FTP client) connected over the Internet to the PC acting as FTP server at 10.1.1.1/16]
Configuration procedure
If the available memory space of the device is not enough, use the fixdisk command to clear the memory or use the delete /unreserved file-url command to delete the files not in use and then perform the following operations.
# Upload the configuration file config.cfg of Device to the server for backup.
[ftp] ascii
200 Type set to A.
[ftp] put config.cfg back-config.cfg
227 Entering Passive Mode (10,1,1,1,4,2).
125 Using existing data connection.
226 Closing data connection; File transfer successful.
FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.
[ftp] bye
221 Service closing control connection
# Specify newest.app as the main startup file to be used at the next startup.
<Sysname> boot-loader file newest.app main
# Reboot the device, and the startup file is updated at the system reboot.
<Sysname> reboot
The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For more information about the boot-loader command, see Device Management in the Fundamentals Command Reference.
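The following script is an added example, not part of this manual or of the H3C software. It reads FTP control-channel replies of the kind shown in the session above (embedded here as a constructed transcript), decodes the 227 Entering Passive Mode tuple into the address and port of the data connection (port = p1*256 + p2), records whether the transfer completed (226), and checks the negotiated transfer mode against the suffix rules given in the FTP overview, so that a .app file sent in ASCII mode is reported before it is used as a startup file. The function names and the reply-code handling are this example's own.

```python
import re
from typing import Optional, Tuple

# Constructed transcript: the server replies shown in the session above.
SESSION = [
    "200 Type set to A.",
    "227 Entering Passive Mode (10,1,1,1,4,2).",
    "125 Using existing data connection.",
    "226 Closing data connection; File transfer successful.",
    "221 Service closing control connection",
]

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Suffixes the FTP overview assigns to each transfer mode.
_BINARY_SUFFIXES = (".app", ".bin", ".btm")
_ASCII_SUFFIXES = (".txt", ".bat", ".cfg")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Decode a 227 reply: h1.h2.h3.h4 is the data-connection address, p1*256+p2 its port."""
    m = _PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_mode(filename: str) -> Optional[str]:
    """Transfer mode the overview prescribes for a file, judged by its suffix."""
    name = filename.lower()
    if name.endswith(_BINARY_SUFFIXES):
        return "binary"
    if name.endswith(_ASCII_SUFFIXES):
        return "ascii"
    return None


def summarize(session) -> dict:
    """Walk the reply codes and record transfer mode, data endpoint, outcome and failures."""
    summary = {"transfer_mode": None, "data_endpoint": None, "transfer_ok": False, "failures": []}
    for reply in session:
        code = reply[:3]
        if code == "200" and "Type set to" in reply:
            # "Type set to A." is ASCII mode; any other type reply is treated as binary.
            summary["transfer_mode"] = "ascii" if reply.rstrip(".").endswith("A") else "binary"
        elif code == "227":
            summary["data_endpoint"] = parse_pasv(reply)
        elif code == "226":
            summary["transfer_ok"] = True
        elif reply[:1] in ("4", "5"):      # 4xx transient and 5xx permanent failures
            summary["failures"].append(reply)
    return summary


def mode_mismatch(summary: dict, filename: str) -> bool:
    """True when the negotiated mode is not the one prescribed for this file name."""
    wanted = expected_mode(filename)
    negotiated = summary["transfer_mode"]
    return wanted is not None and negotiated is not None and negotiated != wanted


if __name__ == "__main__":
    result = summarize(SESSION)
    print(result)
    print("mode mismatch for config.cfg:", mode_mismatch(result, "config.cfg"))
```

Run against the transcript above, the summary reports ASCII mode, a data connection to 10.1.1.1 port 1026, a completed transfer and no failures, and no mode mismatch for config.cfg; the same transcript used to send newest.app would be flagged, because program files must be sent in binary mode.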
To do / Use the command / Remarks
Set the file update mode for the FTP server: ftp update { fast | normal }. Optional.
Quit to user view: quit
Manually release the FTP connection established with the specified username: free ftp user username
Configure authorization attributes (including the authorized work directory) for the FTP user: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *
For more information about the local-user, password, service-type ftp, and authorization-attribute commands, see AAA in the Security Command Reference. When the AC serves as the FTP server, if the client is to perform write operations (for example, upload, delete, and create) on the AC's file system, the FTP login users must be level 3 users; if the client is to perform other operations, for example, read operations, the AC has no restriction on the user level of the FTP login users, that is, any level from 0 to 3 is allowed.
[Figure: Device (FTP server) at 1.1.1.1/16 connected over the Internet to the PC acting as FTP client]
Configuration procedure
1) Configure Device (FTP Server)
# Create an FTP user account ftp, set its password to pwd and the user privilege level to level 3 (the manage level). Authorize user ftp to access the root directory of cfa0, and specify FTP as the service type of user ftp.
<Sysname> system-view
[Sysname] local-user ftp
[Sysname-luser-ftp] password simple pwd
[Sysname-luser-ftp] authorization-attribute level 3
[Sysname-luser-ftp] authorization-attribute work-directory cfa0:/
[Sysname-luser-ftp] service-type ftp
[Sysname-luser-ftp] quit
# Check files on your device. Remove those redundant to ensure adequate space for the startup file to be uploaded.
<Sysname> dir
Directory of cfa0:/
0 -rw- Jun 02 2010 10:44:14
1 -rw- Jun 02 2010 14:44:32
2 -rw- Jun 02 2010 14:44:34
3 -rw- May 13 2010 14:55:12
4 drw- Apr 08 2010 15:01:52
2) Configure PC (FTP Client)
# Download the configuration file config.cfg of the device to the PC for backup.
ftp> get config.cfg back-config.cfg
You can take the same steps to upgrade the configuration file with FTP. When upgrading the configuration file with FTP, put the new file under the root directory of the storage medium. After you finish upgrading the Boot ROM program through FTP, you must execute the bootrom update command to upgrade the Boot ROM.
3) Upgrade Device
# Specify newest.app as the main startup file to be used at the next startup.
<Sysname> boot-loader file newest.app main
# Reboot the device and the startup file is updated at the system reboot.
<Sysname> reboot
The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, see Device Management in the Fundamentals Command Reference.
TFTP Configuration
This chapter includes these sections: TFTP Overview Configuring the TFTP Client Displaying and Maintaining the TFTP Client TFTP Client Configuration Example
TFTP Overview
Introduction to TFTP
The Trivial File Transfer Protocol (TFTP) provides functions similar to those provided by FTP, but it is less complex than FTP in interactive access interface and authentication. Therefore, it is more suitable in environments where complex interaction is not needed between client and server. TFTP uses the UDP port 69 for data transmission. For TFTP basic operation, see RFC 1986. In TFTP, file transfer is initiated by the client. In a normal file downloading process, the client sends a read request to the TFTP server, receives data from the server, and then sends the acknowledgement to the server. In a normal file uploading process, the client sends a write request to the TFTP server, sends data to the server, and receives the acknowledgement from the server. TFTP transfers files in two modes:
Binary mode for program file transmission, like files with the suffixes .app, .bin, or .btm.
ASCII mode for text file transmission, like files with the suffixes .txt, .bat, or .cfg.
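The read request, data, and acknowledgement exchange described above, carried out in memory between a client function and a server function, as an added example that is not part of this manual or of the H3C software. The packet layout it assumes is the standard TFTP one, which the page does not spell out: a 2-byte opcode (1 read request, 2 write request, 3 data, 4 acknowledgement, 5 error), NUL-terminated file name and mode in requests, 2-byte block numbers, and 512-byte data blocks, where a block shorter than 512 bytes ends the transfer. The file names and contents are constructed.

```python
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512          # a data block shorter than this is the last one
ERR_NOT_FOUND = 1         # error code carried in an ERROR packet (assumed standard value)


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: opcode, file name, NUL, transfer mode (octet = binary, netascii = ASCII), NUL."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block)


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\x00"


def parse_packet(pkt: bytes) -> dict:
    """Decode any of the five packet types into a dict keyed by field name."""
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode in (OP_RRQ, OP_WRQ):
        fields = pkt[2:].split(b"\x00")
        return {"op": opcode, "filename": fields[0].decode(), "mode": fields[1].decode()}
    (num,) = struct.unpack("!H", pkt[2:4])
    if opcode == OP_DATA:
        return {"op": opcode, "block": num, "data": pkt[4:]}
    if opcode == OP_ACK:
        return {"op": opcode, "block": num}
    if opcode == OP_ERROR:
        return {"op": opcode, "code": num, "message": pkt[4:].rstrip(b"\x00").decode()}
    raise ValueError(f"unknown TFTP opcode {opcode}")


def simulate_download(server_files: dict, filename: str):
    """Client read request against an in-memory server.

    Returns (file bytes or None, exchange log); each log entry is
    (direction, opcode, block number or error code)."""
    log = []
    request = parse_packet(build_request(OP_RRQ, filename))
    log.append(("client->server", request["op"], None))
    content = server_files.get(request["filename"])
    if content is None:
        err = parse_packet(build_error(ERR_NOT_FOUND, "File not found"))
        log.append(("server->client", err["op"], err["code"]))
        return None, log
    received, block = bytearray(), 1
    while True:
        chunk = content[(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]
        data = parse_packet(build_data(block, chunk))          # server sends DATA
        log.append(("server->client", data["op"], data["block"]))
        received += data["data"]
        ack = parse_packet(build_ack(data["block"]))             # client acknowledges it
        log.append(("client->server", ack["op"], ack["block"]))
        if len(chunk) < BLOCK_SIZE:                              # short (or empty) block ends it
            return bytes(received), log
        block += 1


if __name__ == "__main__":
    # Constructed 1100-byte "program file" served under the name used in this chapter.
    data, log = simulate_download({"newest.app": b"\x7fELF" + b"\x00" * 1096}, "newest.app")
    for entry in log:
        print(entry)
```

Note that no packet in the exchange carries a user name or password; the overview's remark that TFTP is less complex than FTP in authentication means there is none. A file of exactly 512 multiples of bytes is terminated by an empty data block, which the loop handles because an empty chunk is shorter than BLOCK_SIZE.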
Operation of TFTP
Before using TFTP, the administrator needs to configure IP addresses for the TFTP client and server, and make sure that there is a reachable route between the TFTP client and server. When the device serves as the TFTP client, you need to perform the following configuration:
Table 7-1 Configuration when the device serves as the TFTP client
Device (TFTP client): Configure the IP address and routing function, and ensure that the route between the device and the TFTP server is available. Use the tftp command to establish a connection to the remote TFTP server to upload/download files to/from the TFTP server.
PC (TFTP server): Enable TFTP server on the PC, and configure the TFTP working directory.
The source address specified with the tftp client source command is valid for all TFTP connections and the source address specified with the tftp command is valid only for the current tftp connection. Follow these steps to configure the TFTP client:
To do / Use the command / Remarks
Enter system view: system-view
Use an ACL to control the AC's access to TFTP servers: tftp-server [ ipv6 ] acl acl-number. Optional. By default, no ACL is used to control the AC's access to TFTP servers.
Configure the source address of the TFTP client: tftp client source { interface interface-type interface-number | ip source-ip-address }. Optional. An AC uses the source address determined by the matched route to communicate with the TFTP server by default.
Return to user view: quit
Download or upload a file in an IPv4 network: tftp server-address { get | put | sget } source-filename [ destination-filename ] [ source { interface interface-type interface-number | ip source-ip-address } ]
Download or upload a file in an IPv6 network: tftp ipv6 tftp-ipv6-server [ -i interface-type interface-number ] { get | put } source-file [ destination-file ]
If no primary IP address is configured on the source interface, no TFTP connection can be established. If you use the ftp client source command to first configure the source interface and then the source IP address of the packets of the TFTP client, the new source IP address will overwrite the current one, and vice versa.
Device downloads a startup file from PC for upgrading and uploads a configuration file named config.cfg to PC for backup.
Figure 7-2 Smooth upgrading using the TFTP client function
Configuration procedure
1) Configure PC (TFTP Server). The configuration procedure is omitted.
On the PC, enable the TFTP server.
Configure a TFTP working directory.
2) Configure Device (TFTP Client)
If the available memory space of the device is not enough, use the fixdisk command to clear the memory or use the delete /unreserved file-url command to delete the files not in use and then perform the following operations.
# Specify newest.app as the main startup file to be used at the next startup.
<Sysname> boot-loader file newest.app main
The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, see Device Management in the Fundamentals Command Reference.
Support for the user interface and the number of simultaneous logged-in users depends on the AC model. Support of IPv6-related configurations depends on the AC model.
1) Absolute numbering:
AUX user interface: Numbered first, and is 0.
Console user interface: Numbered first, and is 0.
VTY user interfaces: Numbered after AUX user interfaces and increase in steps of 1.
2) Relative numbering: A relative user interface index can be obtained by appending a number to the identifier of a user interface type. It is generated by user interface type. The relative user interface indexes are as follows:
AUX user interface: AUX 0
Console user interface: Console 0
VTY user interfaces: VTY 0, VTY 1, VTY 2, and so on.
To do / Use the command
Enter system view: system-view
Set the banner: header { incoming | legal | login | motd | shell } text
Set a system name for the access controller product: sysname string
Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
Define a shortcut key for aborting tasks: escape-key { default | character }
To do / Use the command / Remarks
Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Make terminal services available: shell. Optional. By default, terminal services are available in all user interfaces.
Set the display type of a terminal: terminal type { ansi | vt100 }. Optional. By default, the terminal display type is ANSI. The device must use the same type of display as the terminal. If the terminal uses VT 100, the device should also use VT 100.
Display the information about the current user interface/all user interfaces.
Display the physical attributes and configuration of the current/a specified user interface.
You can execute these commands in any view. The interface type and quantity supported by these commands vary by device model.
Introduction
Support for the console port and AUX port varies by AC model. Support of IPv6-related configurations depends on the AC model.
Logging in through the console port is the most common way to log in to an AC. It is also the prerequisite to configuring other login methods. By default, you can log in to an AC through its console port only. To log in to an AC through its console port, the related configuration of the user terminal must be in accordance with that of the console port. Table 9-1 lists the default settings of a console port.
Table 9-1 The default settings of a console port
Setting: Default
Baud rate: 9,600 bps
Check mode: No check bit
Stop bits: 1
Data bits: 8
After logging in to your AC, you can modify the settings of the console port. For more information, see Console Port Login Configuration.
Figure 9-1 Diagram for setting the connection to the console port
[Figure: the RS-232 port of the PC is connected with a console cable to the console port of the AC]
Step 2: If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 9-2 through Figure 9-4 for the connection to be created. Normally, the parameters of a terminal are configured as those listed in Table 9-1.
If you use the Windows 2003 Server operating system on your PC, add a HyperTerminal, and then log in to and manage the AC as described in this document. If you use Windows 2008 Server, Windows 7, Windows Vista, or any other operating system on your PC, use the third party terminal software. For how to use the third party terminal software, see the user guide or online help of that software.
Step 3: Turn on the AC. You are prompted to press Enter if the AC successfully completes the power-on self test (POST). The prompt (such as <H3C>) appears after you press Enter, as shown in Figure 9-5.
Step 4: You can then configure the AC or check the information about the AC by executing commands. You can also get help by typing ?. For information about the commands, see the following sections.
Table 9-2 Common console port login configuration (Configuration: Description)
Console port configuration
  Data bits: Optional. The default data bits of a console port is 8.
AUX/console user interface configuration
  Configure the command level available to the users logging in to the AUX/console user interface: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.
Terminal configuration
  Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
  Define a shortcut key for starting terminal sessions: Optional. By default, pressing the Enter key starts the terminal session.
  Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
  Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
  Set history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
  Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.
Common console login configuration takes effect immediately. The connection may be interrupted when you perform such configuration after logging in through the console port. Therefore, use another login method to configure the console port settings. To log in to your AC again through the console port, modify the settings of the terminal program running on your PC to make them consistent with the console port settings on your AC. For more information, see Setting Up the Connection to the Console Port.
Console port login configuration by authentication mode (Authentication mode: Console port login configuration, Description)
None
  Set the authentication mode to none (authentication-mode none): Required. By default, users logging in through the AUX/console port are not authenticated.
Scheme
  AAA configuration: Specifies whether to perform local authentication or RADIUS authentication. Optional. Local authentication is performed by default. For more information, see AAA in the Security Configuration Guide.
  Configure the user name and password for local or RADIUS authentication: Required. The user name and password of a local user are configured on the access controller. The user name and password of a remote user are configured on the RADIUS server. Refer to the user manual of the RADIUS server for more information.
  Set service type for AUX/console users: Required.
  Perform common configuration for console port login: Optional. For more information, see Table 9-2.
A change to the authentication mode of console port login does not take effect unless you exit and enter the CLI again.
To do / Use the command / Remarks
Set the baud rate: speed speed-interval. Optional. The default baud rate of an AUX/console port (also the console port) is 9,600 bps.
Set the check mode: parity { even | mark | none | odd | space }. Optional. By default, the check mode of a console port is set to none, that is, no check bit.
Set the stop bits: stopbits { 1 | 1.5 | 2 }. Optional. The stop bits of an AUX/console port is 1.
Set the data bits: databits { 5 | 6 | 7 | 8 }. Optional. The default data bits of a console port is 8.
Configure the command level available to users logging in to the user interface: user privilege level level. Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.
Define a shortcut key for starting terminal sessions: activation-key character. Optional. By default, pressing the Enter key starts the terminal session.
Define a shortcut key for aborting tasks: escape-key { default | character }. Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Make terminal services available: shell. Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size: history-command max-size value. Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
Set the timeout time of a user interface: idle-timeout minutes [ seconds ]. Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
The command level available to users logging in to the device depends on both the authentication-mode none command and the user privilege level level command, as listed in the following table.
Configuration Example
Network requirements
Assume the AC supports Telnet, and the user level of Telnet users is set to the manage level (level 3). Telnet to the AC, and configure parameters for console login as follows:
Configure none authentication mode for console login.
Configure command level 2 for console users.
Configure the baud rate of the console port as 19200 bps.
Configure the screen to contain up to 30 lines.
Configure the history command buffer to contain up to 20 commands.
Configure the timeout time of the console user interface as 6 minutes.
Figure 9-6 Network diagram for AUX user interface configuration (with the authentication mode being none)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify the none authentication mode for users that log in through the console port.
[Sysname-ui-aux0] authentication-mode none
# Specify that commands of level 2 are available to users logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
To ensure successful login, change the settings of the terminal emulation program running on the PC to make them consistent with those on the AC. See Setting Up the Connection to the Console Port.
Configuring password authentication for console login
Set the baud rate: Optional. The default baud rate of an AUX/console port is 9,600 bps.
Set the check mode: Optional. By default, the check mode of an AUX/console port is none, that is, no check bit.
Set the stop bits: stopbits { 1 | 1.5 | 2 }. Optional. The default stop bits of an AUX/console port is 1.
Set the data bits: databits { 5 | 6 | 7 | 8 }. Optional. The default data bits of a console port is 8.
Configure the command level available to users logging in to the user interface: user privilege level level. Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.
Define a shortcut key for starting terminal sessions: activation-key character. Optional. By default, pressing the Enter key starts the terminal session.
Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Make terminal services available to the user interface: shell. Optional.
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.
Set the history command buffer size: history-command max-size size. Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.
Set the timeout time of the user interface: idle-timeout minutes. Optional. The default timeout time of a user interface is 10 minutes: the connection to the user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
The command level available to users logging in to the device depends on both the authentication-mode password command and the user privilege level level command, as listed in Table 9-5.
Table 9-5 Determine the command level (B)
Authentication mode: local authentication (authentication-mode password). User type: users logging in to the AUX/console user interface.
The user privilege level level command not executed: level 3.
The user privilege level level command already executed: determined by the level argument.
Configuration Example
Network requirements
Assume the AC supports Telnet, and the user level of Telnet users is set to the manage level (level 3). Telnet to the AC, and configure parameters for console login as follows:
Configure the password authentication mode for console login.
Configure the local password as 123456 (in plain text).
Configure command level 2 for console users.
Configure the baud rate of the console port as 19200 bps.
Configure the screen to contain up to 30 lines.
Configure the history command buffer to contain up to 20 commands.
Configure the timeout time of the console user interface as 6 minutes.
Figure 9-7 Network diagram for AUX user interface configuration (with the authentication mode being password)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify that commands of level 2 are available to users logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
To ensure successful login, change the settings of the terminal emulation program running on the PC to make them consistent with those on the AC. See Setting Up the Connection to the Console Port for more.
Configuring scheme authentication for console login
Create a local user and enter local user view: local-user user-name. Required.
Set the authentication password for the local user: password { simple | cipher } password. Required. With the simple keyword the password is stored in plain text in the configuration file; use cipher unless plain text is specifically needed.
Specify the service type for AUX/console users: service-type terminal. Required.
Configure authorization attributes for the local user: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *. Optional.
Quit to system view: quit.
Enter AUX user interface view: user-interface aux 0.
Configure the scheme authentication mode: authentication-mode scheme. Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.
Set the baud rate: Optional. The default baud rate of the AUX/console port is 9,600 bps.
Set the check mode: Optional. By default, the check mode of an AUX/console port is none, that is, no check bit.
Set the stop bits: stopbits { 1 | 1.5 | 2 }. Optional. The default stop bits of an AUX/console port is 1.
Set the data bits: databits { 5 | 6 | 7 | 8 }. Optional. The default data bits of a console port is 8.
Configure the command level available to users logging in to the user interface: user privilege level level. Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.
Define a shortcut key for starting terminal sessions: activation-key character. Optional. By default, pressing the Enter key starts the terminal session.
Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Make terminal services available to the user interface: shell. Optional.
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.
Set the history command buffer size: history-command max-size size. Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.
Set the timeout time of the user interface: idle-timeout minutes. Optional. The default timeout time of a user interface is 10 minutes: the connection to the user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
The level of the commands that are available to users logging in to the device depends on the authorization-attribute command, as listed in Table 9-6.
Configuration Example
Network requirements
Assume the AC supports Telnet, and the user level of Telnet users is set to the manage level (level 3). Telnet to the AC, and configure parameters for console login as follows:
Configure the name of the local user as guest.
Configure the local password as 123456 (in plain text).
Set the service type of the local user to Terminal and the command level to 2.
Configure the scheme authentication mode.
Configure the baud rate of the console port as 19200 bps.
Configure the screen to contain up to 30 lines.
Configure the history command buffer to contain up to 20 commands.
Configure the timeout time of the console user interface as 6 minutes.
Figure 9-8 Network diagram for AUX user interface configuration (with the authentication mode being scheme)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Create a local user named guest and enter local user view.
[Sysname] local-user guest
# Set the authentication password of the local user to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Set the service type of the local user to terminal.
[Sysname-luser-guest] service-type terminal
# Set the command level of the local user to 2.
[Sysname-luser-guest] authorization-attribute level 2
[Sysname-luser-guest] quit
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify the scheme authentication mode for users that log in through the console port.
[Sysname-ui-aux0] authentication-mode scheme
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
To ensure successful login, change the settings of the terminal emulation program running on the PC to make them consistent with those on the AC. See Setting Up the Connection to the Console Port for more.
10
Introduction
You can telnet to a remote AC to manage and maintain it. To achieve this, you need to configure both the device and the Telnet terminal.
Table 10-1 Telnet login configuration requirements
Access controller product: Start the Telnet server (the Telnet server is enabled by default). Configure the IP address of the VLAN interface of the AC so that the AC and the Telnet terminal can reach each other. Configure the authentication mode and other settings (see Table 10-2 and Table 10-3).
Telnet terminal: Telnet is running. The IP address of the management VLAN interface of the AC is available.
After you log in to the access controller through Telnet, you can issue commands to it by pasting session text. The pasted text cannot exceed 2000 bytes, and the pasted commands must belong to the same view; otherwise the access controller may not execute them correctly. If the session text exceeds 2000 bytes, save it in a configuration file, upload the file to the access controller, and reboot the access controller with that configuration file. For more information, see File Management in the Fundamentals Configuration Guide. Logging in to the access controller through Telnet over IPv6 works the same way as over IPv4. For more information, see IPv6 Application in the Layer 3 IP Services Configuration Guide. Support for Telnet login over IPv6, and for IPv6-related configuration in general, depends on the AC model. Telnet carries the login password and every subsequent command in clear text; where the AC model supports SSH on the VTY user interfaces, prefer it and restrict Telnet to a trusted management network.
You can assign an IP address to the VLAN interface of an access controller that does not have a management Ethernet port, to make sure the route between the PC and the access controller is valid. For more information, see VLAN and MAC Address Table in the Layer 2 LAN Switching Configuration Guide.
Step1 Connect to the console port (see Setting Up the Connection to the Console Port) and execute the following commands in the terminal window to assign an IP address to the management Ethernet interface of the access controller.
# Configure the IP address of the management Ethernet interface on the device as 202.38.160.92, with the subnet mask 255.255.255.0.
<Sysname> system-view
[Sysname] interface M-Ethernet 1/0/1
[Sysname-M-Ethernet1/0/1] ip address 202.38.160.92 255.255.255.0
# Or, configure the IP address of VLAN-interface 1 on the device as 202.38.160.92, with the subnet mask 255.255.255.0.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 202.38.160.92 255.255.255.0
Step2 Before Telnet users can log in to the device, the configuration corresponding to their authentication mode must have been performed on the device. For more information, see Configuring None Authentication for Telnet Login, Configuring Password Authentication for Telnet Login, and Configuring Scheme Authentication for Telnet Login. By default, Telnet users must pass password authentication to log in.
Step3 Connect your PC to the management Ethernet interface (or Ethernet interface) of the device, as shown in Figure 10-1. If the PC and the access controller are not in the same LAN, make sure the PC and the management Ethernet interface (or Ethernet interface) of the device can reach each other.
Step4 Launch Telnet on your PC, with the IP address of the management Ethernet interface of the device, as shown in Figure 10-2.
Figure 10-2 Launch Telnet
Step5 Enter the password when the Telnet window displays Login authentication and prompts for the login password. The CLI prompt (such as <Sysname>) appears if the password is correct. If all VTY user interfaces of the access controller are in use, the connection fails and you receive the message "The number of users currently using the system configuration has reached the maximum. Please wait until one of the users releases the system configuration." An access controller can accommodate up to five Telnet connections at the same time.
Step6 After successfully Telnetting to the device, you can configure the access controller or display information about it by executing the corresponding commands. You can also type ? at any time for help. For more information, see Basic System Configuration in the Fundamentals Command Reference.
A Telnet connection will be terminated if you remove or modify the IP address of the management interface or VLAN interface in the Telnet session. By default, commands of level 0 are available to Telnet users authenticated by password. For more information about command levels, see Basic System Configuration in the Fundamentals Configuration Guide.
Step1 Configure the user name and password for Telnet on the access controller operating as the Telnet server. For more information, see Configuring None Authentication for Telnet Login, Configuring Password Authentication for Telnet Login, and Configuring Scheme Authentication for Telnet Login. By default, Telnet users must pass password authentication to log in.
Step2 Telnet to the access controller operating as the Telnet client.
Step3 On the access controller operating as the Telnet client, execute <Sysname> telnet xxxx, where xxxx is the IP address or the host name of the access controller operating as the Telnet server. You can use the ip host command to assign a host name to an access controller.
Step4 Enter the password. If the password is correct, the CLI prompt (such as <Sysname>) appears. If all VTY user interfaces of the access controller are in use, the connection fails and you receive the message "All user interfaces are used, please try later!".
Step5 After successfully Telnetting to the access controller, you can configure it or display information about it by executing the corresponding commands. You can also type ? at any time for help. For more information, see Basic System Configuration in the Fundamentals Command Reference.
Common Configuration
Table 10-2 lists the common Telnet configuration.
Table 10-2 Common Telnet configuration
VTY user interface configuration:
Configure the command level available to users logging in to the VTY user interface: Optional. By default, commands of level 0 are available to users logging in to a VTY user interface.
Configure the protocols the user interface supports: Optional. By default, both Telnet and SSH are supported.
Set the command that is automatically executed when a user logs in to the user interface: Optional. By default, no command is automatically executed when a user logs in to a user interface.
Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
VTY terminal configuration:
Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
Set the history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.
The auto-execute command command may leave you unable to perform common configuration in the user interface, so use it with caution. Before you execute the auto-execute command command and save the configuration, make sure you can log in to the access controller by another method and can cancel the configuration.
Table 10-3 Telnet configuration (authentication mode scheme)
Authentication mode: scheme.
Configure the AAA scheme: Optional. The AAA configuration specifies whether local authentication or RADIUS authentication is performed. Local authentication is performed by default. For more information, see AAA in the Security Configuration Guide.
Configure the user name and password: Required. The user name and password of a local user are configured on the access controller. The user name and password of a remote user are configured on the RADIUS server (refer to the user manual of the RADIUS server).
Set the service type for VTY users: Required.
Perform common Telnet configuration: Optional. For more information, see Table 10-2.
Configuring none authentication for Telnet login
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.
Set the history command buffer size: history-command max-size size. Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.
Set the timeout time of the user interface: idle-timeout minutes. Optional. The default timeout time of a user interface is 10 minutes: the connection to the user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
If you configure not to authenticate the users, the command level available to users logging in to the device depends on both the authentication-mode none command and the user privilege level level command, as listed in Table 10-4.
Table 10-4 Determine the command level when users logging in to the device are not authenticated
Authentication mode: none (authentication-mode none). User type: VTY users.
The user privilege level level command not executed: level 0.
The user privilege level level command already executed: determined by the level argument.
Configuration Example
Network requirements
You have logged in to the AC. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. The network requirements are as follows:
Do not authenticate users logging in to VTY 0.
Commands of level 2 are available to users logging in to VTY 0.
Telnet is supported.
The screen can contain up to 30 lines.
The history command buffer can contain up to 20 commands.
The timeout time of VTY 0 is 6 minutes.
Figure 10-4 Network diagram for Telnet configuration (with the authentication mode being none): the RS-232 port of the PC is connected to the console port of the AC through a console cable.
Configuration procedure
# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure not to authenticate users logging in to VTY 0.
[Sysname-ui-vty0] authentication-mode none
# Specify that commands of level 2 are available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time of VTY 0 to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
Configuring password authentication for Telnet login
Configure to authenticate users using the local password: authentication-mode password. Required.
Set the local password: Required.
Configure the command level available to users logging in to the user interface: user privilege level level. Optional. By default, commands of level 0 are available to users logging in to a VTY user interface.
Configure the protocol to be supported by the user interface: Optional. By default, both the Telnet protocol and the SSH protocol are supported.
Set the command that is automatically executed when a user logs in to the user interface: Optional. By default, no command is automatically executed when a user logs in to a user interface.
Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Make terminal services available to the user interface: shell. Optional.
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.
Set the history command buffer size: history-command max-size size. Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.
Set the timeout time of the user interface: idle-timeout minutes. Optional. The default timeout time of a user interface is 10 minutes: the connection to the user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
If password authentication is configured, the command level for users that log in to the AC depends on both the authentication-mode password command and the user privilege level level command, as listed in Table 10-5.
Table 10-5 Determine the command level when users logging in to the device are authenticated in the password mode
Authentication mode: password (authentication-mode password). User type: VTY users.
The user privilege level level command not executed: level 0.
The user privilege level level command already executed: determined by the level argument.
Configuration Example
Network requirements
You have logged in to the AC. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. The network requirements are as follows:
Authenticate users logging in to VTY 0 using a local password.
Set the local password to 123456 (in plain text).
Commands of level 2 are available to users logging in to VTY 0.
Telnet is supported.
The screen can contain up to 30 lines.
The history command buffer can contain up to 20 commands.
The timeout time of VTY 0 is 6 minutes.
Figure 10-5 Network diagram for Telnet configuration (with the authentication mode being password): the RS-232 port of the PC is connected to the console port of the AC through a console cable.
Configuration procedure
# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Authenticate users logging in to VTY 0 using the local password.
[Sysname-ui-vty0] authentication-mode password
# Specify that commands of level 2 are available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time of VTY 0 to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
Configuring scheme authentication for Telnet login
Create a local user and enter local user view: local-user user-name. Required.
Set the authentication password for the local user: password { simple | cipher } password. Required. With the simple keyword the password is stored in plain text in the configuration file; use cipher unless plain text is specifically needed.
Specify the service type for VTY users: service-type telnet [ level level ]. Required.
Quit to system view: quit.
Enter one or more VTY user interface views: user-interface vty first-number [ last-number ].
Configure the scheme authentication mode: authentication-mode scheme. Required.
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.
Set the history command buffer size: history-command max-size size. Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.
Set the timeout time of the user interface: idle-timeout minutes. Optional. The default timeout time of a user interface is 10 minutes: the connection to the user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
If scheme authentication is configured, the command level for users that log in to the AC depends on the authentication-mode scheme command, the user privilege level level command, and the authorization-attribute level command, as listed in Table 10-6.
Table 10-6 Determine the command level when users logging in to the device are authenticated in the scheme mode
Authentication mode: scheme (authentication-mode scheme).
User type: VTY users authenticated through AAA (locally or by RADIUS):
The user privilege level level command is not executed, and the authorization-attribute level command does not specify the available command level: level 0.
The user privilege level level command is not executed, and the authorization-attribute level command specifies the available command level: determined by the authorization-attribute level command.
The user privilege level level command is executed, and the authorization-attribute level command does not specify the available command level: level 0.
The user privilege level level command is executed, and the authorization-attribute level command specifies the available command level: determined by the authorization-attribute level command.
User type: VTY users that are authenticated in the RSA mode of SSH:
The user privilege level level command is not executed, and the authorization-attribute level command does not specify the available command level: level 0.
The user privilege level level command is not executed, and the authorization-attribute level command specifies the available command level.
The user privilege level level command is executed, and the authorization-attribute level command does not specify the available command level.
The user privilege level level command is executed, and the authorization-attribute level command specifies the available command level.
Further rows (command levels as listed for them, in order: level 0; determined by the authorization-attribute level command; level 0; determined by the service-type command):
The user privilege level level command is not executed, and the authorization-attribute level command does not specify the available command level.
The user privilege level level command is not executed, and the authorization-attribute level command specifies the available command level.
The user privilege level level command is executed, and the authorization-attribute level command does not specify the available command level.
The user privilege level level command is executed, and the service-type command specifies the available command level.
For more information about AAA, RADIUS, and SSH, see AAA and SSH 2.0 in the Security Configuration Guide.
Configuration Example
Network requirements
You have logged in to the AC. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. The network requirements are as follows:
Configure the name of the local user as guest.
Set the authentication password of the local user to 123456 (in plain text).
Set the service type of VTY users to Telnet.
Configure scheme authentication for users logging in to VTY 0.
Commands of level 2 are available to users logging in to VTY 0.
Telnet is supported in VTY 0.
The screen can contain up to 30 lines.
The history command buffer can store up to 20 commands.
The timeout time of VTY 0 is 6 minutes.
Figure 10-6 Network diagram for Telnet configuration (with the authentication mode being scheme): the RS-232 port of the PC is connected to the console port of the AC through a console cable.
Configuration procedure
# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable
# Create a local user named guest and enter local user view.
[Sysname] local-user guest
# Set the authentication password of the local user to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Set the service type of the local user to Telnet.
[Sysname-luser-guest] service-type telnet
# Set the command level of the local user to 2.
[Sysname-luser-guest] authorization-attribute level 2
[Sysname-luser-guest] quit
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure scheme authentication for users logging in to VTY 0.
[Sysname-ui-vty0] authentication-mode scheme
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time of VTY 0 to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
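The console procedures in the previous chapter and the three Telnet procedures above all come down to two questions per user interface: which authentication mode applies, and which command level a login receives (Tables 9-5 and 10-4 to 10-6). The following Python script is an added example, not part of this guide and not H3C software. It reads a constructed configuration dump laid out the way display current-configuration shows it, applies those rules, and flags the settings a reviewer would question: authentication-mode none on a VTY, idle-timeout 0, passwords kept with password simple, and the Telnet server being enabled. The sample configuration, the severity labels, and the assumption that an AUX user interface in scheme mode takes its level from the account exactly as a VTY does are this example's own.

```python
"""Audit login hardening in a Comware V5-style configuration dump.
Added example, not from the H3C manual: parses local-user and user-interface
blocks as `display current-configuration` lays them out, applies the manual's
command-level rules, and flags risky settings."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample (not from a real device). Commands inside a view are
# indented by one space; '#' separates blocks.
SAMPLE_CONFIG = """\
#
 telnet server enable
#
local-user guest
 password simple 123456
 authorization-attribute level 2
#
user-interface aux 0
 idle-timeout 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 2
 idle-timeout 6 0
user-interface vty 5 15
 authentication-mode none
 user privilege level 3
"""

# Manual defaults: AUX/console unauthenticated at level 3; VTY password, level 0.
DEFAULT_AUTH = {"aux": "none", "vty": "password"}
DEFAULT_LEVEL = {"aux": 3, "vty": 0}
OTHER_VIEW = object()  # marks a view this audit does not model


@dataclass
class LocalUser:
    name: str
    password_form: Optional[str] = None  # "simple" (plain text) or "cipher"
    level: Optional[int] = None          # authorization-attribute level


@dataclass
class UserInterface:
    kind: str                              # "aux" or "vty"
    label: str                             # e.g. "vty 0 4"
    auth_mode: Optional[str] = None        # None: platform default applies
    privilege_level: Optional[int] = None  # user privilege level
    idle_timeout_s: Optional[int] = None   # None: 10-minute default


def parse_config(text: str):
    """Return (system_commands, {name: LocalUser}, [UserInterface])."""
    system, users, uis, current = [], {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            current = None
        elif raw.startswith(" "):  # command inside the current view
            if isinstance(current, LocalUser):
                if m := re.match(r"password (simple|cipher) ", line):
                    current.password_form = m.group(1)
                elif m := re.match(r"authorization-attribute level (\d+)", line):
                    current.level = int(m.group(1))
            elif isinstance(current, UserInterface):
                if m := re.match(r"authentication-mode (none|password|scheme)$", line):
                    current.auth_mode = m.group(1)
                elif m := re.match(r"user privilege level (\d+)$", line):
                    current.privilege_level = int(m.group(1))
                elif m := re.match(r"idle-timeout (\d+)(?: (\d+))?$", line):
                    current.idle_timeout_s = 60 * int(m.group(1)) + int(m.group(2) or 0)
            elif current is None:
                system.append(line)  # system-view command
        elif m := re.match(r"local-user (\S+)$", line):
            current = users[m.group(1)] = LocalUser(m.group(1))
        elif m := re.match(r"user-interface ((aux|vty) \d+(?: \d+)?)$", line):
            current = UserInterface(m.group(2), m.group(1))
            uis.append(current)
        else:
            current = OTHER_VIEW
    return system, users, uis


def effective_level(ui: UserInterface, user: Optional[LocalUser] = None) -> int:
    """Command level a login on `ui` receives, per Tables 10-4 to 10-6."""
    mode = ui.auth_mode or DEFAULT_AUTH[ui.kind]
    if mode in ("none", "password"):
        return DEFAULT_LEVEL[ui.kind] if ui.privilege_level is None else ui.privilege_level
    # scheme: the account's authorization-attribute level, else 0; user privilege level does not raise it
    return user.level if user is not None and user.level is not None else 0


def audit(text: str) -> list:
    """Return (severity, where, message) findings for a configuration dump."""
    system, users, uis = parse_config(text)
    findings = []
    if "telnet server enable" in system:
        findings.append(("medium", "system", "Telnet server enabled: logins cross the network in clear text; prefer SSH"))
    for u in users.values():
        if u.password_form == "simple":
            findings.append(("high", f"local-user {u.name}", "password stored in plain text; use password cipher"))
    for ui in uis:
        if ui.kind == "vty" and (ui.auth_mode or DEFAULT_AUTH["vty"]) == "none":
            findings.append(("critical", ui.label, f"unauthenticated remote login at command level {effective_level(ui)}"))
        if ui.idle_timeout_s == 0:
            findings.append(("medium", ui.label, "idle-timeout 0: idle sessions never expire"))
    return findings
```

Run audit(SAMPLE_CONFIG) to list the four findings in the sample; on a real dump, feed it the output of display current-configuration. A VTY block with no authentication-mode line is treated as password mode, as the manual states for the default, so the script only reports none where it is configured explicitly.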
11
Logging in through the web-based network management system varies by device model. In this chapter, the access controller engines of the WX3024 unified switches are used in the examples. Support of IPv6-related configurations depends on the AC model.
This chapter includes these sections: Introduction Setting Up a Web Configuration Environment
Introduction
Each H3C WX series access controller product has a Web server built in. It enables you to log in to the device through a Web browser and then manage and maintain the device intuitively by interacting with the built-in Web server. To log in to the access controller product through the built-in Web-based network management system, you need to perform the related configuration on both the switching engine and the PC operating as the network management terminal.
Table 11-1 Requirements for logging in to the device through the Web-based network management system
Access controller product: The VLAN interface or management interface of the access controller product is assigned an IP address, and the route between the access controller product and the Web network management terminal is reachable. The user name and password for logging in to the Web-based network management system are configured.
PC operating as the network management terminal: IE is available. The IP address of the VLAN interface of the device, the user name, and the password are available.
An access controller product is shipped with a factory default configuration. With this configuration, you can enter http://192.168.0.100 in the address bar of the browser on a Web network management terminal (PC), provided a route between the terminal and the access controller product is available, and the browser displays the login page. Enter the default user name and password (both admin) and the verification code, select the language, and then you can log in to the Web interface. Change the default password before the device is reachable from any untrusted network: the default credentials are printed in this guide and are therefore known to anyone. If you have saved your configuration file, the device starts up with that configuration file at the next boot, and the factory defaults no longer apply.
For the WX5002, WX5002V2, and WX5004, you can log in to the AC through the Web-based network management system. For the access controller modules LS8M1WCMA0, LSQM1WCMB0, LSBM1WCM2A0, LSRM1WCM2A1, LSWM1WCM10, and LSWM1WCM20, you can log in to the access controller modules through the Web-based network management system. For the WX6103, you can log in to the main control board through the Web-based network management system. For the login to the switch interface board, see Logging In to the Access Controller Switch Interface Board in the H3C WX6103 Access Controller Switch Interface Board Configuration Guide. For the WX3024, WX3010, and WX3008, you can log in to the access controller engine through the Web-based network management system. For the login to the switching engine, see Logging In to the Switching Engine in the H3C WX3000 Series Unified Switches Switching Engine Configuration Guide.
Step1 Create a Web user account.
# Create a Web user account, setting both the user name and the password to admin and the user level to 3 (manage level).
[Sysname] local-user admin
[Sysname-luser-admin] service-type telnet
[Sysname-luser-admin] authorization-attribute level 3
[Sysname-luser-admin] password simple admin
[Sysname-luser-admin] quit
Step2 Configure the management IP address for the switching engine of the WX3024 (optional).
# After configuring the IP address, you can go to the Web interface of the switching engine from the Web interface of the access controller engine. 192.168.0.101 is the management IP address of the switching engine, and slot 0 is the slot number of the switching engine. Currently, only the WX3000 series support this function.
[Sysname] oap management-ip 192.168.0.101 slot 0
Step3 Set up a Web configuration environment, as shown in Figure 11-1.
Figure 11-1 Set up a Web configuration environment: the PC reaches the AC across the Internet.
Step4 Log in to the switching engine through IE. Launch IE on the Web-based network management terminal (your PC) and enter http://192.168.0.100 in the address bar. (Make sure the route between the Web-based network management terminal and the switching engine is available.)
Step5 When the login authentication interface (as shown in Figure 11-2) appears, enter the user name and password admin, type the verification code, and then click Login to bring up the main page of the Web-based network management system.
Figure 11-2 The login page of the Web-based network management system
12
Introduction
You can also log in to an access controller through an NMS (network management station), and then configure and manage the access controller through the agent module on the access controller. The agent here refers to the server-side software running on network devices (access controllers). SNMP (Simple Network Management Protocol) is applied between the NMS and the agent. To log in to an access controller through an NMS, you need to perform related configuration on both the NMS and the device.
Table 12-1 Requirements for logging in to the device through an NMS
Item: Access controller
Requirement: The IP address of the management VLAN of the access controller is configured. The route between the NMS and the access controller is available. The basic SNMP functions are configured. (For more information, see SNMP in the Network Management and Monitoring Configuration Guide.)
Item: NMS
Requirement: The NMS is properly configured. (Refer to the user manual of your NMS for more information.)
Connection Establishment
Figure 12-1 Network diagram for logging in through an NMS
13
Introduction
An access controller provides ways to control different types of login users, as listed in Table 13-1.
Table 13-1 Ways to control different types of login users
Login mode: Telnet
Control method: By SSIDs of clients. Implementation: Through WLAN ACL. Related section: Controlling Telnet Users by SSIDs of Clients
Control method: By source IP addresses. Implementation: Through basic ACLs. Related section: Controlling Telnet Users by Source IP Addresses
Control method: By source and destination IP addresses, protocols carried over IP, and protocol features. Related section: Controlling Telnet Users by Source and Destination IP Addresses
Control method: By source MAC addresses. Related section: Controlling Telnet Users by Source MAC Addresses
Login mode: SNMP
Control method: By source IP addresses. Related section: Controlling Network Management Users by Source IP Addresses
Remarks: Required. The interface type and quantity supported by this command vary by device model.
Use the command:
rule [ rule-id ] { permit | deny } rule-string
quit
user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
To do: Apply the ACL to control Telnet users by source IP addresses
Use the command: acl [ ipv6 ] acl-number { inbound | outbound }
Remarks: The inbound keyword filters the users trying to Telnet to the current access controller. The outbound keyword filters the users trying to Telnet to other access controllers from the current access controller. The interface type supported by this command varies by device model. Support for IPv6 addresses depends on the device model.
To do: Enter system view
Use the command: system-view
To do: Create a basic ACL or enter basic ACL view
Use the command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
Remarks: Required. As for the acl number command, the config keyword is specified by default.
Remarks: Required. You can define rules as needed to filter by specific source MAC addresses. The interface type and quantity supported by this command vary by device model.
Remarks: The inbound keyword filters the users trying to Telnet to the current access controller.
Configuration Example
Network requirements
Only the Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to log in to the access controller.
Figure 13-1 Network diagram for controlling Telnet users using ACLs
[Figure: Host A (10.110.100.52/24) and Host B (10.110.100.46/24) reach the AC across an IP network]
Configuration procedure
# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny
[Sysname-acl-basic-2000] quit
# Apply the ACL to only permit Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 to access the access controller.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
Prerequisites
The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
To do: Define rules for the ACL
To do: Quit to system view
To do: Apply the ACL while configuring the SNMP community name
You can specify different ACLs while configuring the SNMP community name, the SNMP group name and the SNMP user name. For SNMP-related commands, see SNMP in the Network Management and Monitoring Command Reference.
Because the SNMP community name is a feature of SNMPv1 and SNMPv2c, the ACLs specified in the command that configures SNMP community names (the snmp-agent community command) take effect for network management systems that use SNMPv1 or SNMPv2c. Similarly, because the SNMP group name and SNMP user name are features of SNMPv2c and higher SNMP versions, the ACLs specified in the commands that configure SNMP group names (the snmp-agent group command and the snmp-agent group v3 command) and SNMP user names (the snmp-agent usm-user command and the snmp-agent usm-user v3 command) take effect for network management systems that use SNMPv2c or higher. If you configure both an SNMP group name and an SNMP user name and specify ACLs in both operations, the access controller filters network management users by both the SNMP group name and the SNMP user name.
Configuration Example
Network requirements
Only SNMP users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to access the access controller.
Figure 13-2 Network diagram for controlling SNMP users using ACLs
[Figure: Host A (10.110.100.52/24) and Host B (10.110.100.46/24) reach the AC across an IP network]
Configuration procedure
# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny
[Sysname-acl-basic-2000] quit
# Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to access the access controller.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
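Both configuration examples in this chapter (the Telnet VTY filter and the SNMP community, group and user filters) apply the same basic ACL 2000. The following Python evaluator is an added example, not H3C code: it parses those CLI lines and reports the decision each management host would receive, so an ACL can be checked offline before it is applied to a login service. The depth-first order it uses for match-order auto (most specific source wildcard first, ties by rule ID) is an assumption made here; the device's own ordering is authoritative.

```python
"""Offline evaluator for Comware basic ACL rules (added example, not H3C code).

It parses 'acl number' and 'rule' lines as typed in ACL view and returns the
permit/deny decision a given source address would receive.
"""
import ipaddress
from typing import List, Optional


def wildcard_to_int(wildcard: str) -> int:
    """Comware accepts a dotted wildcard (0.0.0.255) or the shorthand 0 for one host."""
    if "." in wildcard:
        return int(ipaddress.IPv4Address(wildcard))
    return int(wildcard)


class Rule:
    """One 'rule <id> { permit | deny } [ source <addr> <wildcard> ]' line."""

    def __init__(self, rule_id: int, action: str,
                 source: Optional[str] = None, wildcard: str = "0"):
        self.rule_id = rule_id
        self.action = action
        self.source = int(ipaddress.IPv4Address(source)) if source else None
        self.wildcard = wildcard_to_int(wildcard)

    def specificity(self) -> int:
        """Number of fixed bits in the source match; a rule without source fixes none."""
        if self.source is None:
            return 0
        return 32 - bin(self.wildcard).count("1")

    def matches(self, ip: str) -> bool:
        if self.source is None:              # no source keyword: matches any address
            return True
        care = ~self.wildcard & 0xFFFFFFFF   # wildcard bits set to 1 are "don't care"
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.source & care)


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config"):
        self.number = number
        self.match_order = match_order
        self.rules: List[Rule] = []

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "auto":
            # Assumed depth-first order: most specific source first, ties by rule ID.
            return sorted(self.rules, key=lambda r: (-r.specificity(), r.rule_id))
        return sorted(self.rules, key=lambda r: r.rule_id)   # config order: by rule ID

    def evaluate(self, ip: str) -> Optional[str]:
        """Action of the first matching rule, or None when no rule matches."""
        for rule in self.ordered_rules():
            if rule.matches(ip):
                return rule.action
        return None


def parse_acl(lines: List[str]) -> BasicAcl:
    """Build a BasicAcl from the 'acl number ...' line and the 'rule ...' lines."""
    acl = None
    for line in lines:
        tokens = line.split()
        if tokens[:2] == ["acl", "number"]:
            order = "config"                      # config is the documented default
            if "match-order" in tokens:
                order = tokens[tokens.index("match-order") + 1]
            acl = BasicAcl(int(tokens[2]), order)
        elif tokens[:1] == ["rule"] and acl is not None:
            rule_id, action = int(tokens[1]), tokens[2]
            if "source" in tokens:
                i = tokens.index("source")
                acl.rules.append(Rule(rule_id, action, tokens[i + 1], tokens[i + 2]))
            else:
                acl.rules.append(Rule(rule_id, action))
    if acl is None:
        raise ValueError("no 'acl number' line found")
    return acl


def check_sources(lines: List[str], sources: List[str]) -> dict:
    """Map each candidate management host to the decision the ACL gives it."""
    acl = parse_acl(lines)
    return {ip: acl.evaluate(ip) for ip in sources}


# Constructed sample: the ACL from the Telnet and SNMP configuration examples.
SAMPLE_ACL = [
    "acl number 2000 match-order config",
    "rule 1 permit source 10.110.100.52 0",
    "rule 2 permit source 10.110.100.46 0",
    "rule 3 deny",
]

# Constructed sample: a subnet permit overlapping a host deny, where match order decides.
OVERLAP_ACL = [
    "acl number 2001 match-order auto",
    "rule 1 permit source 10.110.100.0 0.0.0.255",
    "rule 2 deny source 10.110.100.53 0",
]

if __name__ == "__main__":
    hosts = ["10.110.100.52", "10.110.100.46", "10.110.100.53"]
    print(check_sources(SAMPLE_ACL, hosts))
    # Without the final 'rule 3 deny', an unlisted host matches no rule at all:
    print(check_sources(SAMPLE_ACL[:3], ["10.110.100.53"]))
    print(check_sources(OVERLAP_ACL, ["10.110.100.53"]))
```

The None result for an ACL without the closing deny rule shows why the examples end with rule 3 deny: an unlisted host would otherwise fall through to the device's default treatment rather than to an explicit decision.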
14
File Management
This chapter includes these sections:
Managing Files
Directory Operations
File Operations
Batch Operations
Storage Medium Operations
Setting Prompt Modes
Example for File Operations
Managing Files
Files such as host software and configuration files that are necessary for the operation of the device are saved in the storage media of the device. You can manage files on your device through these operations: Directory Operations, File Operations, Batch Operations, Storage Medium Operations, and Setting Prompt Modes.
Filename Formats
When you specify a file, you must enter the filename in one of the following formats.
Filename formats:
Format: file-name
Description: Specifies a file in the current working directory.
Length: 1 to 91 characters
Example: a.cfg indicates a file named a.cfg in the current working directory.
Format: path/file-name
Description: Specifies a file in the specified folder in the current working directory. path indicates the name of the folder. You can specify multiple folders, indicating a file under a multi-level folder.
Length: 1 to 135 characters
Example: test/a.cfg indicates a file named a.cfg in the test folder in the current working directory.
Format: drive:/[path]/file-name
Description: Specifies a file in the specified storage medium on the device. drive represents the storage medium name, which is usually flash or cf. If there is only one storage medium on the device, you do not need to provide information about the storage medium. If there are multiple storage media on the device, you must provide the related information to identify the storage medium.
Length: 1 to 135 characters
Example: flash:/test/a.cfg indicates a file named a.cfg in the test folder in the root directory of the flash memory.
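The following parser is an added example (not H3C code) that splits a filename in any of the three formats above into drive, path and file name and checks the table's rules: the 91- and 135-character limits (applied here to the whole string), a non-empty file name, and an explicit drive when the device has more than one storage medium. The drive names it treats as usual are the two the table mentions, flash and cf; single_medium is a parameter assumed for the example.

```python
"""Parser and validator for the three Comware filename formats (added example,
not H3C code). Length limits follow the table: 91 characters for a bare
file-name, 135 for path/file-name and drive:/[path]/file-name."""
import re
from typing import Dict

MAX_BARE_NAME = 91              # file-name
MAX_WITH_PATH = 135             # path/file-name and drive:/[path]/file-name
KNOWN_DRIVES = {"flash", "cf"}  # the table names these as the usual drive names

# drive:/ prefix: a drive name, a colon, then the root slash
_DRIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):/(.*)$")


def parse_file_url(url: str, single_medium: bool = True) -> Dict[str, object]:
    """Split a filename into drive/path/file and validate it against the table.

    single_medium=False models a device with several storage media, where the
    table says the drive must be given explicitly.
    """
    result: Dict[str, object] = {"url": url, "drive": None, "path": [], "file": "",
                                 "format": None, "valid": True, "reason": ""}
    m = _DRIVE_RE.match(url)
    if m:
        result["format"] = "drive:/[path]/file-name"
        result["drive"] = m.group(1).lower()
        remainder = m.group(2)
        limit = MAX_WITH_PATH
    elif "/" in url:
        result["format"] = "path/file-name"
        remainder = url
        limit = MAX_WITH_PATH
    else:
        result["format"] = "file-name"
        remainder = url
        limit = MAX_BARE_NAME

    parts = remainder.split("/")
    result["file"] = parts[-1]       # last component is the file name
    result["path"] = parts[:-1]      # any folders before it (multi-level allowed)

    if not result["file"]:
        return _reject(result, "file name is empty")
    if any(folder == "" for folder in result["path"]):
        return _reject(result, "path contains an empty folder name")
    if len(url) > limit:
        return _reject(result, f"length {len(url)} exceeds the {limit}-character limit")
    if not single_medium and result["drive"] is None:
        return _reject(result, "drive is required when the device has multiple storage media")
    if result["drive"] is not None and result["drive"] not in KNOWN_DRIVES:
        result["reason"] = f"unusual drive name '{result['drive']}'"   # accepted, but flagged
    return result


def _reject(result: Dict[str, object], reason: str) -> Dict[str, object]:
    result["valid"] = False
    result["reason"] = reason
    return result


if __name__ == "__main__":
    # Constructed sample inputs: the table's three examples plus two invalid forms.
    for sample in ["a.cfg", "test/a.cfg", "flash:/test/a.cfg", "flash:/", "x" * 92]:
        print(parse_file_url(sample))
```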
Directory Operations
You can create or remove a directory, display the current working directory, the specified directory, file information, and so on.
Creating a Directory
To do: Create a directory
Use the command: mkdir directory
Remarks: Required. Available in user view.
Removing a Directory
To do: Remove a directory
Use the command: rmdir directory
Remarks: Required. Available in user view.
The directory to be removed must be empty: before you remove a directory, delete all files and subdirectories in it. For more information about the delete and rmdir commands, see File Management in the Fundamentals Command Reference. Execution of the rmdir command automatically deletes the files in the recycle bin in the current directory.
File Operations
You can display the specified directory or file information; display file contents; rename, copy, move, remove, restore, and delete files.
You can create a file by copying, downloading or using the save command.
Renaming a File
To do: Rename a file
Use the command: rename fileurl-source fileurl-dest
Remarks: Required. Available in user view.
Copying a File
To do: Copy a file
Use the command: copy fileurl-source fileurl-dest
Remarks: Required. Available in user view.
Moving a File
To do: Move a file
Use the command: move fileurl-source fileurl-dest
Remarks: Required. Available in user view.
Deleting a File
To do: Move a file to the recycle bin or delete it permanently
Use the command: delete [ /unreserved ] file-url
Remarks: Required. Available in user view.
The files in the recycle bin still occupy storage space. To delete a file in the recycle bin, execute the reset recycle-bin command in the directory to which the file originally belongs. It is recommended to empty the recycle bin in a timely manner with the reset recycle-bin command to save storage space. The delete /unreserved file-url command deletes a file permanently, and the action cannot be undone. Executing this command is equivalent to executing the delete file-url command and then the reset recycle-bin command in the same directory.
To do: Delete the file in the current directory and in the recycle bin
Batch Operations
A batch file is a set of executable commands. Executing a batch file equals executing the commands in the batch file one by one. To execute a batch file:
1) Edit the batch file on your PC.
2) Download the batch file to the device. If the suffix of the file is not .bat, use the rename command to change the suffix to .bat.
3) Execute the batch file.
Execution of a batch file does not guarantee successful execution of every command in the batch file. If a command has error settings or the conditions for executing the command are not satisfied, the system skips the command to the next one.
When you format a storage medium, all the files stored on it are erased and cannot be restored. In particular, if there is a startup configuration file on the storage medium, formatting the storage medium results in loss of the startup configuration file.
When mounting or unmounting a storage medium, or performing file operations on it, do not unplug or switchover the storage medium or the card where the storage medium resides. Otherwise, the file system could be damaged. Before removing a mounted storage medium from the system, unmount it to avoid damaging the storage medium.
To do: Enter system view
To do: Set the operation prompt mode of the file system
15
The device provides the configuration file management function. You can manage configuration files at a user-friendly command line interface (CLI). This chapter includes these sections:
Configuration File Overview
Saving the Current Running Configuration
Setting Configuration Rollback
Specifying a Startup Configuration File to Be Used at the Next System Startup
Backing Up the Startup Configuration File
Deleting a Startup Configuration File to Be Used at the Next Startup
Restoring a Startup Configuration File
Displaying and Maintaining Device Configuration
Types of Configuration
The device maintains two types of configuration files: Startup configuration: Configuration used for initialization when the device boots. If this file does not exist, the system boots using null configuration, that is, using the default parameters. Running configuration: The currently running configuration of the system. The current running configuration may include the startup configuration if the startup configuration is not modified during system operation, and it also includes the new configuration added during the system operation. The current running configuration is stored in the temporary storage medium of the device, and will be removed if not saved when the device reboots.
Configuration file encryption enables you to encrypt a configuration file before saving it by using the save command. To read the encrypted configuration file, you must decrypt it with a legal key, thus protecting the configuration file. Two kinds of keys are supported to encrypt a configuration file. You can select either of them according to your application environment:
Private key: A configuration file encrypted by this kind of key can be decrypted and recognized only by the local device.
Public key: A configuration file encrypted by this kind of key can be decrypted and recognized by all devices supporting this feature.
Follow the steps below to enable configuration file encryption:
To do: Enter system view
Use the command: system-view
To do: Enable configuration file encryption
Use the command: configuration encrypt { private-key | public-key }
Remarks: Optional. Disabled by default, that is, the current valid configurations are directly saved to the configuration file.
For the device that supports this feature, you can use the display saved-configuration command instead of the more command to view the encrypted configuration file, because the latter cannot decrypt the file. Otherwise, you will be prompted for operation failure or garbled characters.
save [ safely ]
The configuration file must be with extension .cfg. During the execution of the save [ safely ] command, the startup configuration file to be used at the next system startup may be lost if the device reboots or the power supply fails. In this case, the device will boot with the null configuration, and after the device reboots, you need to re-specify a startup configuration file for the next system startup (see Specifying a Startup Configuration File to Be Used at the Next System Startup).
Task:
Configuring Parameters for Saving the Current Running Configuration
Enabling Automatic Saving of the Running Configuration
Manually Saving the Current Running Configuration
Setting Configuration Rollback
Remarks: Required
If the undo archive configuration location command is executed, the current running configuration can be saved neither manually nor automatically, the settings made by the archive configuration interval and archive configuration max commands are restored to the defaults, and the saved configuration files are cleared. The value of the file-number argument is determined by the memory space. It is recommended to set a comparatively small value for the file-number argument if the available memory space is small.
The path and filename prefix for saving configuration files must be specified before you configure the automatic saving period.
Specify the path and filename prefix of a save configuration file before you manually save the current running configuration; otherwise, the operation fails.
Do not unplug and plug a card during configuration rollback (that is, while the system is executing the configuration replace file command). In addition, configuration rollback may fail if one of the following situations is present (if a command cannot be rolled back, the system skips it and processes the next one):
The complete undo form of a command is not supported, namely, you cannot get the actual undo form of the command by simply putting the keyword undo in front of the command, so the complete undo form of the command cannot be recognized by the device.
The configuration cannot be removed, such as hardware-related commands.
Commands in different views are dependent on each other.
If the replacement configuration file is not a complete file generated by using the save or archive configuration command, or the file is copied from a different type of device, the configuration cannot be rolled back. Ensure that the replacement configuration file is correct and compatible with the current device.
Remarks: A configuration file must use .cfg as its extension name, and the startup configuration file must be saved in the root directory of the storage medium.
Before the backup operation: Ensure that the server is reachable and enabled with TFTP service, and the client has the read and write permission. Use the display startup command (in user view) to check whether you have specified a startup configuration file to be used at the next startup, and use the dir command to view whether the specified startup configuration file exists. If the file is set as NULL or does not exist, the backup operation fails.
To do: Delete a startup configuration file to be used at the next startup from the storage medium
Remarks: This command permanently deletes startup configuration files to be used at the next startup from the device. Use it with caution.
Before restoring a configuration file, ensure that the server is reachable, the server is enabled with TFTP service, and the client has read and write permission. After execution of the command, use the display startup command (in user view) to verify that the filename of the configuration file to be used at the next system startup is the same as that specified by the filename argument, and use the dir command to view whether the specified startup configuration file exists.
Use the command: display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | include | exclude } text ] ]
For more information about the display this and display current-configuration commands, see Basic System Configuration in the Fundamentals Command Reference.
16
Device Management
This chapter includes these sections:
Device Management Overview
Device Management Configuration Task List
Registering the Software
Rebooting the AC
Configuring the Scheduled Automatic Execution Function
Upgrading AC Software
Configuring Temperature Alarm Thresholds for a Board
Clearing the 16-bit Interface Indexes Not Used in the Current System
Displaying and Maintaining Device Management Configuration
Device Management Configuration Examples
There are many types of storage media such as flash memory, compact flash (CF), universal serial bus (USB), and hard disk. Different devices support different types of storage media. Flash memory is exemplified in this document.
Rebooting the AC
When a fault occurs on a running AC, you can remove the fault by rebooting the AC, depending on the actual situation. You can reboot an AC using any of the following three methods:
Power on the AC after powering it off, which is also called hard reboot or cold start. This method impacts the AC a lot: powering off a running AC will cause data loss and hardware damage. It is not recommended.
Trigger an immediate reboot through command lines.
Enable the scheduled reboot function through command lines. You can set a time at which the AC automatically reboots, or set a delay after which the AC automatically reboots.
The last two methods are command line operations. Reboot through command lines is also called hot start, which is mainly used to reboot an AC in remote maintenance without performing a hardware reboot of the AC. Follow the step below to reboot an AC through command lines immediately:
To do: Reboot the whole system immediately
Use the command: reboot
Remarks: Required. Available in user view.
To do: Enable the scheduled reboot function and specify a specific reboot time and date
To do: Enable the scheduled reboot function and specify a reboot waiting time
Remarks: Use either approach. The scheduled reboot function is disabled by default. Available in user view.
AC reboot may result in interruption of the ongoing services. Use these commands with caution.
Before the AC reboots, use the save command to save the current configuration. For more information about the save command, see File System Management in the Fundamentals Command Reference.
Before the AC reboots, use the display startup and display boot-loader commands to check whether the configuration file and boot file for the next boot are configured. (For more information about the display startup command, see File System Management in the Fundamentals Command Reference.)
The precision of the rebooting timer is 1 minute. One minute before the rebooting time, the AC prompts REBOOT IN ONE MINUTE and reboots one minute later.
If the main boot file fails or does not exist, the AC cannot be rebooted with the reboot command. In this case, you can re-specify a main boot file to reboot the AC, or you can power off the AC and then power it on, and the system automatically uses the backup boot file to restart the AC.
If you are performing file operations when the AC is to be rebooted, the system does not execute the command for the sake of security.
To do: Bind the execution time with the commands in the task, that is, configure the time to execute the commands in the task
Use the command:
time timeID { one-off | repeating } at time1 [ month-date month-day | week-day week-daylist ] command command
time timeID { one-off | repeating } delay time2 command command
Only one view can be specified for a task, that is, all commands in the task are executed in the same specified view. If different views are specified by executing the view view-name command repeatedly, only the last configuration takes effect. The view must be currently supported by the system, with its name specified using its complete format but not an abbreviation. Most commonly used view names include: monitor for user view, system for system view, and Vlan-interfacex for VLAN interface view. timeID is used to uniquely identify the binding between a command and its execution time. A scheduled task can contain up to ten commands. The command specified by the command command argument must be a command that can be executed in the view specified by the view view-name command; otherwise this command cannot be automatically executed. Therefore, ensure the correctness of the configuration.
Upgrading AC Software
AC Software Overview
AC software consists of the Boot ROM program and the system boot file. After the AC is powered on, the AC runs the Boot ROM program, initializes the hardware, and displays the hardware information. Then the AC runs the boot file. The boot file provides drivers and adaption for hardware, and implements service features. The Boot ROM program and system boot file are required for the startup and running of an AC. Figure 16-1 illustrates their relationship.
Figure 16-1 Relationship between the Boot ROM program and the system boot file
[Flowchart: Start; Press Ctrl+B? Yes: Enter Boot ROM menu to upgrade the Boot ROM program or boot file, then select the Reboot option to reboot the device; No: Enter CLI; Finish]
The Boot ROM program and system boot file can both be upgraded through the Boot ROM menu or command lines. The following sections describe the upgrading through command lines. For instructions about how to upgrade them through the Boot ROM menu, see the installation guide of your AC.
You must save the Boot ROM file under the root directory of the AC. You can copy or move a file to change its path to the root directory.
When multiple Boot ROM files are available on the storage medium, you can specify a file for the next boot by executing the following command. A main boot file is used to boot an AC and a backup boot file is used to boot an AC only when a main boot file is unavailable. Follow the step below to specify a boot file for the next boot:
To do: Specify a boot file for the next boot
Use the command: boot-loader file file-url { main | backup }
Remarks: Required. Available in user view.
You must save the file for the next boot under the root directory of the AC. You can copy or move a file to change its path to the root directory.
Clearing the 16-bit Interface Indexes Not Used in the Current System
In practical networks, the network management software requires the AC to provide a uniform, stable 16-bit interface index. That is, a one-to-one relationship should be kept between the interface name and the interface index in the same AC. For the stability of the interface index, the system saves the 16-bit interface index when a board or logical interface is removed. If you repeatedly insert and remove different subcards or interface boards to create or delete a large number of logical interfaces, the interface indexes will be used up, which results in interface creation failures. To avoid such a case, you can clear all 16-bit interface indexes saved but not used in the current system in user view. After this operation, the new interface index of a re-created interface may not be consistent with the original one, while the interface indexes of existing interfaces remain unchanged. Follow the step below to clear the 16-bit interface indexes not used in the current system:
To do: Clear the 16-bit interface indexes saved but not used in the current system
Use the command: reset unused porttag
Remarks: Required. Available in user view.
A confirmation is required when you execute this command. If you fail to make a confirmation within 30 seconds or enter N to cancel the operation, the command will not be executed.
To do: Display the reboot time of the AC
To do: Display detailed information of the scheduled task
Configuration procedure
1) Configuration on FTP Server (Note that configurations may vary with different types of servers)
Set the access parameters for the FTP client.
# Enable FTP Server.
<FTP-Server> system-view
[FTP-Server] ftp server enable
Use text editor on the FTP server to edit batch file auto-update.txt. The following is the content of the batch file:
return
startup saved-configuration new-config.cfg
boot-loader file soft-version2.bin main
reboot
2) Configuration on the AC
# Log in to FTP Server (note that the prompt may vary with servers.)
<AC> ftp 2.2.2.2
Trying 2.2.2.2 ...
Press CTRL+K to abort
Connected to 2.2.2.2.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(2.2.2.2:(none)):aaa
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]
To ensure the correctness of the file, you can use the more command to view its content.
# Configure the scheduled automatic execution function so that the AC is automatically upgraded at 3 a.m.
<AC> system-view
[AC] job autoupdate
[AC-job-autoupdate] view monitor
[AC-job-autoupdate] time 1 one-off at 03:00 command execute auto-update.bat
After the AC reboots, use the display version command to check if the upgrade is successful.
17
This documentation covers three types of user interfaces, console, AUX, and VTY. Support for the user interface and the number of simultaneous logged-in users depends on the device model.
User interface (also called line) allows you to manage and monitor the session between the terminal and the device when you use the console port, AUX port, or asynchronous serial interfaces to log in to the device by Telnet or SSH. At present, the system supports the following three configuration modes:
Local configuration via the console port
Local/Remote configuration via the AUX port (Auxiliary port)
Local/Remote configuration through Telnet or SSH
The three modes correspond to three types of user interfaces. They are:
Console port: Used to manage and monitor users logging in via the console port. The console port is a line device port. The device provides one console port of EIA/TIA-232 DCE type.
AUX port: Used to manage and monitor users logging in via the AUX port. The AUX port is also a line device port. The device provides one AUX port of EIA/TIA-232 DTE type.
VTY (virtual type terminal): Used to manage and monitor users logging in via VTY. A VTY port is a logical terminal line used when you access the device by means of Telnet or SSH.
Absolute numbering
Absolute numbering allows you to uniquely specify a user interface or a group of user interfaces. The numbering system starts from number 0 with a step of 1. The numbering approach numbers the four types of user interfaces in the sequence of console port, AUX port, and VTY. You can use the display user-interface command without any parameters to view all user interfaces currently supported and their absolute number.
Relative numbering
Relative numbering can specify a user interface or a group of user interfaces of a specific type. The number is valid only when used under that type of user interface. It makes no sense when used under other types of user interfaces. Relative numbering numbers a user interface in the form of user interface type + number. The rules of relative numbering are as follows:
CON is numbered CON 0.
AUX is numbered AUX 0.
VTYs are numbered from 0 in ascending order, with a step of 1.
Task (Remarks: all optional):
Configuring User Privilege Level Under a User Interface
Configuring Access Restriction on VTY User Interfaces
Configuring Supported Protocols on VTY User Interfaces
Configuring Authentication Mode for Users at Login
Configuring Command Authorization
Configuring Command Accounting
Defining Shortcut Keys for Starting Terminal Sessions/Aborting Tasks
Sending Messages to the Specified User Interfaces
Releasing the Connection Established on the User Interfaces
The settings of transmission rate, data bits, parity check, stop bits, and flow control must be consistent on terminals and user interface for communication.
To do: Set the display type of the current user terminal
To do: Set the number of the history commands that can be stored in the history buffer
To do: Return to user view
To do: Lock the user interface, preventing unauthorized users from using this interface
The system supports two types of terminal display: ANSI and VT100. If the terminal display types of the device and the client (for example, HyperTerminal or a Telnet terminal) are inconsistent or are set to ANSI, and the total number of characters in the command line currently being used exceeds 80, anomalies such as cursor corruption or abnormal display may occur on the client. Therefore, it is recommended to set the display type of both the device and the client to VT100.
The auto-execute command command is supported on all types of user interfaces except the Console port and the AUX port functioning as the console port.
The auto-execute command command may disable you from configuring the system through the terminal line to which the command is applied. Therefore, before configuring the command and saving the configuration (using the save command), make sure that you can access the system by other means to remove the configuration in case a problem occurs.
Remarks: By default, users logging in from the Console port have a privilege level of 3; users logging in from other user interfaces have a privilege level of 0.
For more information about user levels, see Basic System Configuration. The user privilege level can be configured under a user interface or by setting AAA authentication parameters, and which configuration mode takes effect depends on the authentication mode at user login. For more information, see Basic System Configuration.
The system regards the basic/advanced ACL with the inbound keyword, the basic/advanced ACL with the outbound keyword, WLAN ACL, and Layer 2 ACL as four different types of ACLs, which can coexist in one VTY user interface. If there are different types of ACLs in one VTY user interface, the match order is WLAN ACL, basic/advanced ACL, and Layer 2 ACL. In one VTY user interface, the number of ACL of each type is one at most, and the latest configured one is valid.
If SSH is configured, you must set the authentication mode to scheme using the authentication-mode scheme command to guarantee a successful login. The protocol inbound ssh command fails if the authentication mode is password or none. For the corresponding configuration, see the authentication-mode command in User Interface Commands. The protocol(s) configured through the protocol inbound command takes effect next time you log in from that user interface.
log in through SSH, the rules apply to the password authentication only. For more information about the SSH, see SSH2.0 in the Security Configuration Guide. Follow these steps to configure authentication mode for users at login as none:
Enter system view. Command: system-view.
Enter user interface view. Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }.
Set the authentication mode to none for users logging in through the interface. Command: authentication-mode none. Required. By default, the authentication mode is password for users logging in through VTY and AUX user interfaces and none for users logging in through console user interfaces.
Follow these steps to configure authentication mode for users at login as password:
Enter system view. Command: system-view.
Enter user interface view. Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }.
Set the authentication mode to password for users logging in through the interface. Command: authentication-mode password. Required. By default, the authentication mode is password for users logging in through VTY and AUX user interfaces and none for users logging in through console user interfaces.
Set the local authentication password (set authentication password, as used in the configuration examples in this chapter). Required. No local authentication password is set by default.
Follow these steps to configure authentication mode for users at login as scheme (local authentication):
Enter system view. Command: system-view.
Enter user interface view. Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }.
Set the authentication mode to scheme for users logging in through the interface. Command: authentication-mode scheme [ command-authorization ]. Required. By default, the authentication mode is password for users logging in through VTY and AUX user interfaces and none for users logging in through console user interfaces.
Set the user privilege level. See Configuring User Privilege Level Under a User Interface. Optional. By default, users logging in from the console port have a privilege level of 3; users logging in from other user interfaces have a privilege level of 0.
Go back to system view. Command: quit.
Set the authentication username and enter local user view. Command: local-user.
Set the authentication password. Command: password.
Set the service type. Command: service-type. Users logging in via a VTY user interface use the telnet or ssh service; users logging in via the console or AUX port use the terminal service.
Set the authorization attributes of the local user. Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *. Optional. By default, users that are authorized the FTP or SFTP service type can access the root directory of the device, and their user level is 0. You can use this command to modify the default settings.
For more information about the local-user, password, service-type, and authorization-attribute commands, see AAA in the Security Command Reference.
Enable command authorization. Command: command authorization. Optional. Disabled by default, that is, users can execute commands without authorization.
You cannot use this command to release the connection that you are using.
Display the information about the specified or all user interface(s). Command: display user-interface [ num1 | { aux | console | vty } num2 ] [ summary ].
Display the history commands that the current user has configured. Command: display history-command.
Configuration procedure
# Assign an IP address to AC so that AC is reachable from both Host A and Host B. The configuration is omitted.
# Enable the telnet service on AC.
<AC> system-view
[AC] telnet server enable
# Configure the console port so that no authentication is needed when users log in to AC through it, and set the privilege level of the administrator logging in through the console port to 3, that is, the administrator can execute all the commands supported by AC.
[AC] user-interface console 0
[AC-ui-console0] authentication-mode none
[AC-ui-console0] user privilege level 3
[AC-ui-console0] quit
# Configure password authentication for users logging in to AC from Host B through the VTY 0 interface. The authentication password is 123. Then set the privilege level of the users logging in through VTY 0 to 2.
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode password
[AC-ui-vty0-4] set authentication password cipher 123
[AC-ui-vty0-4] user privilege level 2
[AC-ui-vty0-4] quit
Configuration procedure
# Assign an IP address to AC so that AC is reachable from Host A and from the HWTACACS server. The configuration is omitted.
# Enable the telnet service on AC.
<AC> system-view
[AC] telnet server enable
# Configure username and password authentication for users logging in to AC through VTY interfaces 0 through 4. The commands that a user can execute depend on the authentication result.
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
# Enable command authorization to restrict the command level for login users.
[AC-ui-vty0-4] command authorization
[AC-ui-vty0-4] quit
# Create a HWTACACS scheme named tac and configure the IP address and TCP port of the primary authentication server and the primary authorization server for the scheme. Make sure that the port number is consistent with that on the HWTACACS server. Set the shared key for authentication and authorization packets to expert, set the HWTACACS server type of the scheme to standard, and specify that AC removes the domain name from the username sent to the HWTACACS server.
[AC] hwtacacs scheme tac
[AC-hwtacacs-tac] primary authentication 192.168.2.20 49
[AC-hwtacacs-tac] primary authorization 192.168.2.20 49
[AC-hwtacacs-tac] key authentication expert
[AC-hwtacacs-tac] key authorization expert
[AC-hwtacacs-tac] server-type standard
[AC-hwtacacs-tac] user-name-format without-domain
[AC-hwtacacs-tac] quit
# Configure the default ISP domain system to use HWTACACS scheme tac for login users and for command authorization, with local authentication and authorization as the backup.
[AC] domain system
[AC-isp-system] authentication login hwtacacs-scheme tac local
[AC-isp-system] authorization command hwtacacs-scheme tac local
[AC-isp-system] quit
# Add a local user named monitor, set the user password to 123, and specify that the password is displayed in cipher text. Authorize user monitor to use the telnet service and set the user level to 1, that is, the monitor level.
[AC] local-user monitor
[AC-luser-monitor] password cipher 123
[AC-luser-monitor] service-type telnet
[AC-luser-monitor] authorization-attribute level 1
Configuration procedure
# Enable the telnet service on AC.
<AC> system-view
[AC] telnet server enable
# Enable command accounting for users logging in through the console port.
[AC] user-interface console 0
[AC-ui-console0] command accounting
[AC-ui-console0] quit
# Create a HWTACACS scheme named tac and configure the IP address and TCP port of the primary accounting server for the scheme. Make sure that the port number is consistent with that on the HWTACACS server. Set the shared key for accounting packets to expert, and specify that AC removes the domain name from the username sent to the HWTACACS server.
[AC] hwtacacs scheme tac
[AC-hwtacacs-tac] primary accounting 192.168.2.20 49
[AC-hwtacacs-tac] key accounting expert
[AC-hwtacacs-tac] user-name-format without-domain
[AC-hwtacacs-tac] quit
# Create ISP domain system, and configure it to use HWTACACS scheme tac for accounting of command line users.
[AC] domain system
[AC-isp-system] accounting command hwtacacs-scheme tac
[AC-isp-system] quit
18 Basic Configurations
This chapter covers the following topics: Configuration Display, Quick Configuration, Basic Configurations, and CLI Features.
Configuration Display
To avoid duplicate configuration, you can use the display commands to view the current configuration of the AC before configuring it. The configurations of an AC fall into the following categories:
Factory defaults: When ACs are shipped, they are installed with some basic configurations, which are called factory defaults. These default configurations ensure that an AC can start up and run normally when it has no configuration file or the configuration file is damaged.
Current configuration: The configuration currently running on the AC. Unless otherwise noted (for example, when a command takes effect only after the AC reboots), the current configuration is effective only for the current run, that is, it will not take effect after the AC reboots.
Saved configuration: Configuration saved in the configuration file, which helps to restore configurations conveniently.
Follow these steps to display AC configurations:
Display the current configuration. Command: display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | exclude | include } regular-expression ] ].
Display the saved configuration, that is, the content of the configuration file. Command: more file-url. If the file is the configuration file for the next startup of the AC, you can use this command instead: display saved-configuration [ by-linenum ]. The more command is available in user view. The display saved-configuration command is available in any view.
For more information about the more and display saved-configuration commands, see File Management in the Fundamentals Command Reference.
Quick Configuration
The quick configuration function guides you through the command lines. After you execute the quick configuration command, the system prompts you to enter the basic parameters of the AC (such as AC name, system clock, VLAN, and IP address, depending on the AC model) one by one, after which the AC is in a running state. With this function, you do not have to input multiple commands to configure these parameters, so your configuration is simplified. Follow these steps to perform quick configuration:
Enter system view. Command: system-view.
Perform quick configuration. Command: quick configuration. Required.
Your configurations will be executed only after all the interactions of quick configuration are completed; if the interaction process is interrupted, no configuration will be performed. During the interaction process of quick configuration, you can press Ctrl+C to end the interaction process; or the interaction process can be ended using a timeout timer, which is 30 seconds. The default value of each configuration item is displayed in []. If no value exists in [], it indicates that no default value is available for the configuration item; if a value exists in [], pressing Enter indicates that the default value is adopted. You can configure some parameters multiple times. In this case, the system will prompt press <cr> to exit; if you press Enter, you will exit the configuration of the current item and go to the next configuration item. For example, you can create multiple VLAN interfaces, and configure their IP addresses and masks; if you press Enter, VLAN interface configuration will be ended, and the system will go to the next configuration item.
Basic Configurations
This section covers the following topics: Entering System View, Exiting the Current View, Exiting to User View, Configuring the AC Name, Configuring the System Clock, Configuring a Banner, Configuring CLI Hotkeys, Configuring User Privilege Levels and Command Levels, Configuring the Number of Concurrent Users, and Displaying and Maintaining Basic Configurations.
Adopt daylight saving time from the start-time on the start-date to the end-time on the end-date. Daylight saving time adds the add-time to the current time of the AC. Optional; use either command.
Adopt daylight saving time repeatedly. Optional; use either command.
By default, daylight saving time is configured on the AC, and the UTC time zone is applied.
Table 18-1 Relationship between the configuration and display of the system clock
In the Configuration column, 1 stands for the clock datetime command, 2 for the clock summer-time command, and 3 for the clock timezone command. The numbers are listed in the order in which the commands are configured, and [1] means that clock datetime may or may not have been configured beforehand. Each row gives the system clock displayed by the display clock command, followed by examples listing the commands configured and the resulting display.

Configuration: 1
Displayed: date-time.
Example: Configure clock datetime 1:00 2007/1/1. Display: 01:00:00 UTC Mon 01/01/2007.

Configuration: 2
Displayed: If the original system clock is not in the daylight saving time range, the original system clock is displayed. If the original system clock is in the daylight saving time range, the original system clock + summer-offset is displayed.
Examples: Configure clock summer-time ss one-off 00:30 2005/1/1 1:00 2005/8/8 2. Display: 03:00:00 ss Sat 01/01/2005. Configure clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2. Display: 01:00:00 UTC Sat 01/01/2005.

Configuration: 3
Displayed: The original system clock adjusted by zone-offset.
Example: Configure clock timezone zone-time add 1. Display: 02:00:00 zone-time Sat 01/01/2005.

Configuration: 1 and 2
Displayed: If date-time is not in the daylight saving time range, date-time is displayed. If date-time is in the daylight saving time range, date-time + summer-offset is displayed.
Examples: Configure clock datetime 8:00 2007/1/1 and clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2. Display: 10:00:00 ss Mon 01/01/2007. Configure clock datetime 1:00 2007/1/1 and clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2. Display: 01:00:00 UTC Mon 01/01/2007.

Configuration: [1], 2 and 1
Displayed: If date-time is not in the daylight saving time range, date-time is displayed. If date-time is in the daylight saving time range: if the value of date-time - summer-offset is not in the summer-time range, date-time - summer-offset is displayed; if the value of date-time - summer-offset is in the summer-time range, date-time is displayed.
Examples: Configure clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 and clock datetime 1:00 2008/1/1. Display: 01:00:00 UTC Tue 01/01/2008. Configure clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 and clock datetime 1:30 2007/1/1. Display: 23:30:00 UTC Sun 12/31/2006. Configure clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 and clock datetime 3:00 2007/1/1. Display: 03:00:00 ss Mon 01/01/2007.

Configuration: 1 and 3
Displayed: date-time adjusted by zone-offset.
Example: Configure clock datetime 2:00 2007/2/2 and clock timezone zone-time add 1. Display: 03:00:00 zone-time Fri 02/02/2007.

Configuration: 3 and 1
Displayed: date-time.
Example: Configure clock timezone zone-time add 1 and clock datetime 3:00 2007/3/3. Display: 03:00:00 zone-time Sat 03/03/2007.

Configuration: 2 and 3, or 3 and 2
Displayed: If the value of the original system clock adjusted by zone-offset is not in the summer-time range, the original system clock adjusted by zone-offset is displayed. If it is in the summer-time range, the original system clock adjusted by zone-offset + summer-offset is displayed.
Examples: Configure clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2. Display: 02:00:00 zone-time Sat 01/01/2005. Configure clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2005/1/1 1:00 2005/8/8 2. Display: 04:00:00 ss Sat 01/01/2005.

Configuration: 1, 2 and 3, or 1, 3 and 2
Displayed: If the value of date-time adjusted by zone-offset is not in the summer-time range, date-time adjusted by zone-offset is displayed. If it is in the summer-time range, date-time adjusted by zone-offset + summer-offset is displayed.
Examples: Configure clock datetime 1:00 2007/1/1, clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2. Display: 02:00:00 zone-time Mon 01/01/2007. Configure clock datetime 1:00 2007/1/1, clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2. Display: 04:00:00 ss Mon 01/01/2007.

Configuration: [1], 2, 3 and 1, or [1], 3, 2 and 1
Displayed: If date-time is not in the daylight saving time range, date-time is displayed. If date-time is in the daylight saving time range: if the value of date-time - summer-offset is not in the summer-time range, date-time - summer-offset is displayed; if the value of date-time - summer-offset is in the summer-time range, date-time is displayed.
Examples: Configure clock timezone zone-time add 1, clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2 and clock datetime 1:00 2007/1/1. Display: 01:00:00 zone-time Mon 01/01/2007. Configure clock timezone zone-time add 1, clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2 and clock datetime 1:30 2008/1/1. Display: 23:30:00 zone-time Mon 12/31/2007. Configure clock timezone zone-time add 1, clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2 and clock datetime 3:00 2008/1/1. Display: 03:00:00 ss Tue 01/01/2008.
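To make the order dependence in Table 18-1 concrete, the following Python model (an added example, not H3C code) keeps one internal clock and treats clock datetime as a local time under whatever zone and summer-time settings are in force when it is entered; that single rule reproduces every example in the table. The factory clock of 01:00:00 2005/1/1, inferred from the examples that never set clock datetime, and the class and method names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed factory clock: every Table 18-1 example that never configures
# clock datetime displays 01:00:00 on Sat 01/01/2005, so that value is
# taken as the "original system clock" here.
ORIGINAL_CLOCK = datetime(2005, 1, 1, 1, 0, 0)


def parse_clock(text: str) -> datetime:
    """Parse the 'hh:mm yyyy/mm/dd' time and date form used by the clock commands."""
    return datetime.strptime(text, "%H:%M %Y/%m/%d")


@dataclass
class SummerTime:
    """Parameters of: clock summer-time name one-off start-time start-date end-time end-date add-time."""
    name: str
    start: datetime
    end: datetime
    offset: timedelta

    def contains(self, local: datetime) -> bool:
        # The "clock datetime 3:00 2007/1/1" example shows that a time equal to
        # the start of the range (1:00 2007/1/1 after removing the offset) counts
        # as inside it, so the start boundary is inclusive.
        return self.start <= local < self.end


class ACClock:
    """Reconstruction of the display rules of Table 18-1.

    clock timezone and clock summer-time only change how the internal clock is
    displayed; clock datetime is interpreted as a local time under the zone and
    summer-time settings in force at that moment, which is why the configuration
    order changes the result.
    """

    def __init__(self, original: datetime = ORIGINAL_CLOCK) -> None:
        self.internal = original
        self.zone_name = "UTC"
        self.zone_offset = timedelta(0)
        self.summer: Optional[SummerTime] = None

    def clock_timezone(self, zone_name: str, hours: float) -> None:
        # clock timezone zone-name add hours; the table shows only "add",
        # a negative value models a zone behind UTC.
        self.zone_name = zone_name
        self.zone_offset = timedelta(hours=hours)

    def clock_summer_time(self, name: str, start: str, end: str, add_hours: float) -> None:
        # clock summer-time name one-off start-time start-date end-time end-date add-time
        self.summer = SummerTime(name, parse_clock(start), parse_clock(end),
                                 timedelta(hours=add_hours))

    def clock_datetime(self, text: str) -> None:
        # clock datetime time date: the value is taken as local time, so the zone
        # offset, plus the summer offset if the value lies in the summer-time
        # range, is removed before it is stored.
        local = parse_clock(text)
        adjust = self.zone_offset
        if self.summer and self.summer.contains(local):
            adjust += self.summer.offset
        self.internal = local - adjust

    def display_clock(self) -> str:
        # display clock: apply the zone offset, then the summer offset if the
        # zone time lies in the summer-time range, and label the result with the
        # zone or summer-time name exactly as the table does.
        local = self.internal + self.zone_offset
        name = self.zone_name
        if self.summer and self.summer.contains(local):
            local += self.summer.offset
            name = self.summer.name
        return f"{local:%H:%M:%S} {name} {local:%a %m/%d/%Y}"


if __name__ == "__main__":
    # The same three commands in two orders give two different displays
    # (table rows "1, 3 and 2" and "[1], 3, 2 and 1").
    ac = ACClock()
    ac.clock_datetime("1:00 2007/1/1")
    ac.clock_timezone("zone-time", 1)
    ac.clock_summer_time("ss", "1:00 2007/1/1", "1:00 2007/8/8", 2)
    print(ac.display_clock())   # 04:00:00 ss Mon 01/01/2007
    ac = ACClock()
    ac.clock_timezone("zone-time", 1)
    ac.clock_summer_time("ss", "1:00 2008/1/1", "1:00 2008/8/8", 2)
    ac.clock_datetime("1:30 2008/1/1")
    print(ac.display_clock())   # 23:30:00 zone-time Mon 12/31/2007
```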
Configuring a Banner
Introduction to banners
Banners are prompt information displayed by the system when users connect to the AC, perform login authentication, and start interactive configuration. The administrator can set the corresponding banners as needed. At present, the system supports the following five kinds of welcome information:
shell banner, also called session banner, displayed when a user enters the console.
incoming banner, also called user interface banner, displayed when a user interface is activated by a Modem user.
login banner, welcome information at login authentication, displayed when password or scheme authentication is configured.
motd (Message of the Day) banner, welcome information displayed before authentication.
legal banner, also called authorization information. The system displays some copyright or authorization information, and then displays the legal banner before a user logs in, waiting for the user to confirm whether to continue the authentication or login. If the user enters Y or presses the Enter key, the user enters the authentication or login process; if the user enters N, the user quits the authentication or login process. Y and N are case insensitive.
Configuring a banner
When you configure a banner, the system supports two input modes: 1) Single-line input
In this mode, all the banner information and the command keywords are input in the same line. The start and end characters of the input text must be the same but are not part of the banner information. In this case, the input text, together with the command keywords, cannot exceed 510 characters. Do not insert the line feed character into the banner information. 2) Multiple-line input
In this mode, all the banner information is input in multiple lines by pressing the Enter key. In this case, up to 2000 characters can be input. The multiple-line input mode can be used in the following three ways:
Method I: Press the Enter key directly after the command keywords, and end the setting with the % character. The Enter and % characters are not part of the banner information.
Method II: Input a character after the command keywords at the first line, and then press the Enter key. End the setting with the character input at the first line. The character at the first line and the end character are not part of the banner information.
Method III: Input multiple characters after the command keywords at the first line (with the first and last characters different), then press the Enter key. End the setting with the first character input at the first line. The first input character at the first line and the end character are not part of the banner information.
The line feed characters inserted in the information are part of the banner information. Follow these steps to configure a banner:
Enter system view. Command: system-view.
Configure the banner to be displayed at login (available for Modem login users). Command: header incoming text. Optional.
Configure the banner to be displayed at login authentication. Command: header login text. Optional.
Configure the authorization information before login. Command: header legal text. Optional.
Configure the banner to be displayed when a user enters user view (non Modem login users). Command: header shell text. Optional.
Configure the banner to be displayed before login. Command: header motd text. Optional.
Please input banner content, and quit with the character 'W'.
Welcome to H3C! W
Display hotkeys
By default, the Ctrl+G, Ctrl+L and Ctrl+O hotkeys are bound to command lines, and the Ctrl+T and Ctrl+U hotkeys are NULL (not bound). Ctrl+G corresponds to the display current-configuration command. Ctrl+L corresponds to the display ip routing-table command. Ctrl+O corresponds to the undo debugging all command.
Hotkey and function:
Ctrl+Z: Exits to user view.
Ctrl+]: Terminates an incoming connection or a redirect connection.
Esc+B: Moves the cursor to the leading character of the continuous string to the left.
Esc+D: Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor.
Esc+F: Moves the cursor to the front of the next continuous string to the right.
Esc+N: Moves the cursor down by one line (available before you press Enter).
Esc+P: Moves the cursor up by one line (available before you press Enter).
Esc+<: Specifies the cursor as the beginning of the clipboard.
Esc+>: Specifies the cursor as the ending of the clipboard.
These hotkeys are defined by the AC. When you interact with the AC from terminal software, these keys may be defined to perform other operations. If so, the definition of the terminal software will dominate.
The user privilege levels are, from low to high, Visit, Monitor, System and Manage.
If the user interface authentication mode is scheme when a user logs in, and username and password are needed at login, then the user privilege level is specified in the configuration of AAA authentication. Follow these steps to configure user privilege level by using AAA authentication parameters:
Enter system view. Command: system-view.
Enter user interface view. Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }.
Configure the authentication mode for logging in to the user interface as scheme. Command: authentication-mode scheme. Required. By default, the authentication mode for VTY and AUX users is password, and no authentication is needed for console login users.
Configure the authentication mode for SSH users as password. For more information, see SSH2.0 in the Security Configuration Guide. Required if users use SSH to log in, and username and password are needed at authentication.
Exit to system view. Command: quit.
Configure the user level. Required; use either approach: for local authentication, use the local-user command to create a local user and enter local user view, and then use the level keyword in the authorization-attribute command to configure the user level; for remote authentication, the user level is configured on the authentication server. For local authentication, if you do not configure the user level, the user level is 0, that is, users of this level can use commands with level 0 only. For remote authentication, if you do not configure the user level, the user level depends on the default configuration of the authentication server.
For more information about the user interface, see User Interface Configuration. For more information about the user-interface, authentication-mode and user privilege level commands, see User Interface in the Fundamentals Command Reference. For more information about AAA authentication, see AAA in the Security Configuration Guide. For more information about the local-user and authorization-attribute commands, see AAA in the Security Command Reference. For more information about SSH, see SSH2.0 in the Security Configuration Guide.
2) Example of configuring user privilege level by using AAA authentication parameters
# Authenticate the users telnetting to the AC through VTY 1, verify their usernames and passwords locally, and specify the user privilege level as 3.
<Sysname> system-view
[Sysname] user-interface vty 1
[Sysname-ui-vty1] authentication-mode scheme
[Sysname-ui-vty1] quit
[Sysname] local-user test
[Sysname-luser-test] password cipher 123
[Sysname-luser-test] service-type telnet
After the above configuration, when users telnet to the AC through VTY 1, they need to input username test and password 123. After passing the authentication, users can only use the commands of level 0. If the users need to use commands of levels 0, 1, 2 and 3, the following configuration is required:
[Sysname-luser-test] authorization-attribute level 3
3) Configure the user privilege level under a user interface
If the user interface authentication mode is scheme when a user logs in, and the SSH publickey authentication type (only a username is needed for this authentication type) is adopted, the user privilege level is the user interface level. If a user logs in using the none or password mode (namely, no username is needed), the user privilege level is also the user interface level.
Follow these steps to configure the user privilege level under a user interface (SSH publickey authentication type):
Enter system view. Command: system-view.
Configure the authentication type for SSH users as publickey. For more information, see SSH2.0 in the Security Configuration Guide. Required if users adopt the SSH login mode, and only a username, instead of a password, is needed at authentication. After the configuration, the authentication mode of the corresponding user interface must be set to scheme.
Enter user interface view. Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }.
Configure the authentication mode when a user uses the current user interface to log in to the AC. Command: authentication-mode scheme [ command-authorization ]. Optional. By default, the authentication mode for VTY and AUX user interfaces is password, and the console user interface does not need authentication.
Configure the privilege level of the user logging in from the current user interface. Command: user privilege level level. Optional. By default, the user privilege level for users logging in from the console user interface is 3, and that for users logging in from the other user interfaces is 0.
Follow these steps to configure the user privilege level under a user interface (none or password authentication mode):
Enter system view. Command: system-view.
Enter user interface view. Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }.
Configure the authentication mode when a user uses the current user interface to log in to the AC. Command: authentication-mode none, or authentication-mode password together with set authentication password (as in the Telnet examples in this section). Optional. By default, the authentication mode for VTY and AUX user interfaces is password, and the console user interface does not need authentication.
Configure the privilege level of the user logging in from the current user interface. Command: user privilege level level. Optional. By default, the user privilege level for users logging in from the console user interface is 3, and that for users logging in from the other user interfaces is 0.
4) Example of configuring user privilege level under a user interface
Perform no authentication for the users telnetting to the AC, and specify the user privilege level as 1. (Performing no authentication for users brings potential security problems. Therefore, it is recommended that you use this only in a secure network environment.)
<Sysname> system-view
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode none
[Sysname-ui-vty0-4] user privilege level 1
By default, when users telnet to the AC, they can only use the following commands after passing the authentication:
<Sysname> ?
User view commands:
  display   Display current system information
  ping      Ping function
  quit      Exit from current command view
  rsh       Establish one RSH connection
  ssh2      Establish a secure shell client connection
  super     Set the current user priority level
  telnet    Establish one TELNET connection
  tftp      Open TFTP connection
  tracert   Trace route function
After you set the user privilege level under the user interface, users can log in to the AC through Telnet without any authentication and can use the following commands:
<Sysname> ?
User view commands:
  debugging      Enable system debugging functions
  dialer         Dialer disconnect
  display        Display current system information
  ping           Ping function
  quit           Exit from current command view
  refresh        Do soft reset
  reset          Reset operation
  rsh            Establish one RSH connection
  screen-length  Specify the lines displayed on one screen
  send           Send information to other user terminal interface
  ssh2           Establish a secure shell client connection
  super          Set the current user priority level
  telnet         Establish one TELNET connection
  terminal       Set the terminal line characteristics
  tftp           Open TFTP connection
  tracert        Trace route function
  undo           Cancel current setting
Authenticate the users logging in to the AC through Telnet, verify their passwords, and specify the user privilege levels as 2.
<Sysname> system-view
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode password
[Sysname-ui-vty0-4] set authentication password cipher 123
[Sysname-ui-vty0-4] user privilege level 2
By default, when users log in to the AC through Telnet, they can use the commands of level 0 after passing the authentication. After you set the user privilege level under the user interface, when users log in to the AC through Telnet, they need to input password 123, and then they can use commands of levels 0, 1, and 2.
scheme local: First scheme and then local, that is, AAA authentication is performed first, and if the AAA configuration is invalid (domain parameters or authentication scheme are not configured) or the server does not respond, the authentication requiring the local password is performed. If the authentication mode for login users of the current user interface is set to none or password with the authentication-mode none or authentication-mode password command, the user does not need to input the username when logging in; therefore, if scheme authentication is required for the privilege level switch, the system prompts for the username and password (the username and the password must be the same as those configured on the AAA server); in other cases, no username is required. Follow these steps to switch user privilege level:
Enter system view. Command: system-view.
Set the authentication mode for user privilege level switch. Command: super authentication-mode { local | scheme } *. Optional. local by default.
Configure the password (used for the local authentication mode) for user privilege level switch. Command: super password [ level user-level ] { simple | cipher } password. Required. By default, no password is configured.
Exit to user view. Command: quit. Required.
Switch the user privilege level. Command: super [ level ]. Required. When logging in to the AC, a user has a user privilege level, which is decided by the user interface or the authentication user level.
When you configure the password for switching user privilege level with the super password command, the user privilege level is 3 if no user privilege level is specified. The password for switching user privilege level can be displayed in either cipher text or simple text. It is recommended that you adopt the former because the latter is easily cracked. When the authentication mode is set to local, you need to configure the local password before switching a user to a higher user privilege level. When the authentication mode is set to scheme, you need to configure AAA related parameters before switching a user to a higher user privilege level. The timeout time of AAA authentication is 120 seconds, after which the AAA authentication is considered as having received no response. The privilege level switch fails after three consecutive unsuccessful attempts.
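The following Python script is an added example, not H3C tooling: it parses CLI transcripts like the ones in this section, applies the rule for which privilege level a login actually gets (the user interface level for none, password and SSH publickey; the AAA level for scheme with a username, 0 for a local user without a level), and flags the settings this section itself warns about (authentication-mode none on VTY or AUX, and login, local-user or super passwords kept in simple text). The prompt-stripping pattern, the class names and the wording of the findings are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Defaults stated in this chapter: console logins need no authentication and
# get level 3; VTY and AUX logins use password authentication and get level 0.
DEFAULT_AUTH_MODE = {"console": "none", "aux": "password", "vty": "password"}
DEFAULT_UI_LEVEL = {"console": 3, "aux": 0, "vty": 0}
# Assumed: strips the "<AC>" / "[AC-ui-vty0-4]" prompts used in the examples.
PROMPT = re.compile(r"^\s*[<\[][^>\]]*[>\]]\s*")


@dataclass
class UserInterface:
    kind: str                               # console, aux or vty
    numbers: str                            # e.g. "0 4"
    auth_mode: Optional[str] = None         # None: default for this kind
    level: Optional[int] = None             # user privilege level; None: default
    password_form: Optional[str] = None     # "cipher" or "simple" once set

    def effective_auth_mode(self) -> str:
        return self.auth_mode or DEFAULT_AUTH_MODE[self.kind]

    def interface_level(self) -> int:
        return DEFAULT_UI_LEVEL[self.kind] if self.level is None else self.level


@dataclass
class LocalUser:
    name: str
    level: int = 0                          # local user without a level: 0
    services: List[str] = field(default_factory=list)
    password_form: Optional[str] = None


@dataclass
class Config:
    interfaces: Dict[str, UserInterface] = field(default_factory=dict)
    users: Dict[str, LocalUser] = field(default_factory=dict)
    super_password_forms: Dict[int, str] = field(default_factory=dict)


def parse_transcript(text: str) -> Config:
    """Read the commands of a prompt-prefixed CLI transcript into a Config."""
    cfg = Config()
    current = None                          # view in use: a UI, a local user or None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if not words:
            continue
        if words[0] == "user-interface":
            key = " ".join(words[1:])
            current = cfg.interfaces.setdefault(key, UserInterface(words[1], " ".join(words[2:])))
        elif words[0] == "local-user":
            current = cfg.users.setdefault(words[1], LocalUser(words[1]))
        elif words[0] == "quit":
            current = None
        elif words[:2] == ["super", "password"]:
            # super password [ level user-level ] { simple | cipher } password
            level = int(words[3]) if words[2] == "level" else 3
            cfg.super_password_forms[level] = words[-2]
        elif isinstance(current, UserInterface):
            if words[0] == "authentication-mode":
                current.auth_mode = words[1]
            elif words[:3] == ["user", "privilege", "level"]:
                current.level = int(words[3])
            elif words[:3] == ["set", "authentication", "password"]:
                current.password_form = words[3]
        elif isinstance(current, LocalUser):
            if words[0] == "password":
                current.password_form = words[1]
            elif words[0] == "service-type":
                current.services.extend(words[1:])
            elif words[:2] == ["authorization-attribute", "level"]:
                current.level = int(words[2])
    return cfg


def effective_level(ui: UserInterface, user: Optional[LocalUser] = None,
                    ssh_publickey: bool = False) -> Optional[int]:
    """Which privilege level a login actually gets, per the rules of this section.

    none/password mode and SSH publickey involve no password-backed username, so
    the user interface level applies; scheme mode with a username takes the level
    from AAA: the local user's level, or None when a remote server decides.
    """
    if ui.effective_auth_mode() in ("none", "password") or ssh_publickey:
        return ui.interface_level()
    return user.level if user is not None else None


def audit(cfg: Config) -> List[str]:
    """Flag the settings this section itself warns about."""
    findings = []
    for key, ui in cfg.interfaces.items():
        if ui.kind != "console" and ui.effective_auth_mode() == "none":
            findings.append(f"{key}: no authentication, logins get level {ui.interface_level()}")
        if ui.password_form == "simple":
            findings.append(f"{key}: login password stored in simple text")
    for name, user in cfg.users.items():
        if user.password_form == "simple":
            findings.append(f"local-user {name}: password stored in simple text")
    for level, form in cfg.super_password_forms.items():
        if form == "simple":
            findings.append(f"super password level {level}: stored in simple text")
    return findings
```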
Enter system view. Command: system-view.
Configure the command level in a specified view. Command: command-privilege level level view view command. Required.
It is recommended that you use the default command level or modify the command level under the guidance of professional staff; otherwise, the change of command level may bring inconvenience to your maintenance and operation, or even potential security problems.
When multiple users enter system view at the same time to configure certain attribute, only the last configuration applies. When the number of users has reached the limit, other users cannot enter system view.
During daily maintenance or when the system is operating abnormally, you need to display the running status of each functional module to locate the problem. Generally, you need to execute the corresponding display commands for each module, because each module has independent running information. To collect more information at one time, you can execute the display diagnostic-information command to display or save the statistics of the running status of multiple modules in the system. Execution of the display diagnostic-information command equals execution of the commands display clock, display version, display device, and display current-configuration one by one. These commands depend on the AC model.
For more information about the display users command, see User Interface Commands. The display commands discussed above are for the global configuration.
CLI Features
This section covers the following topics: Introduction to CLI, Online Help with Command Lines, Synchronous Information Output, Undo Form of a Command, Editing Features, CLI Display, Saving History Commands, and Command Line Error Information.
Introduction to CLI
CLI is an interaction interface between ACs and users. Through CLI, you can configure your ACs by entering commands, view the output information, and verify your configurations, which facilitates the configuration and management of your ACs. CLI provides the following features for you to configure and manage your ACs:
Hierarchical command protection, where you can only execute the commands at your own or lower levels. See Configuring User Privilege Levels and Command Levels for details.
Easy access to online help by entering ?. See Online Help with Command Lines for details.
Abundant debugging information for fault diagnosis.
Saving and re-executing commands that have been executed.
Fuzzy match for convenience of input. When you execute a command, you can input only part of the characters of a keyword. However, so that you can confirm your operation, the command can be executed only when you input enough characters to make the command unique. Take the commands save, startup saved-configuration, and system-view, which all start with s, as an example. To save the current configuration, you need to input sa at least; to set the configuration file for the next startup, you need to input st s at least; to enter system view, you need to input sy at least. You can press Tab to complete the command, or you can input the complete command.
......omitted...... 2) Enter a command and a ? separated by a space. If ? is at the position of a keyword, all the keywords are given with a brief description.
<Sysname> terminal ?
  debugging  Send debug information to terminal
  logging    Send log information to terminal
  monitor    Send information output to current terminal
  trapping   Send trap information to terminal
3) Enter a command and a ? separated by a space. If ? is at the position of a parameter, the description of this parameter is given.
Here, <cr> indicates that there is no parameter at this position. The command is then repeated in the next command line and executed if you press <Enter>.
4) Enter a character string followed by a ?. All the commands starting with this string are displayed.
<Sysname> c?
cd
clock
copy
5) Enter a command followed by a character string and a ?. All the keywords starting with this string are listed.
6) Press Tab after entering the first several letters of a keyword to display the complete keyword, provided these letters can uniquely identify the keyword in this command. If several matches are found, the complete keyword that is matched first is displayed (the matching rule is: the letters following the input letters are compared in alphabetical order, and the keyword that sorts first is matched first). If you repeatedly press Tab, all the keywords starting with the letters that you entered are displayed in cycles, and you can select the keyword needed.
Editing Features
The CLI provides the basic command editing functions and supports multi-line editing. When you execute a command, the system automatically goes to the next line if the maximum length of the command is reached. Do not press Enter to go to the next line; otherwise, the system executes the command. The maximum length of each command is 510 characters. Table 18-4 lists these functions.
Table 18-4 Edit functions
Key | Function
Common keys | If the editing buffer is not full, inserts the character at the position of the cursor and moves the cursor to the right.
Backspace | Deletes the character to the left of the cursor and moves the cursor back one character.
Left-arrow key or Ctrl+B | Moves the cursor one character to the left.
Right-arrow key or Ctrl+F | Moves the cursor one character to the right.
Up-arrow key or Ctrl+P | Displays history commands.
Down-arrow key or Ctrl+N | Displays history commands.
Tab | Pressing Tab after entering part of a keyword enables the fuzzy help function. If it finds a unique match, the system substitutes the complete keyword for the incomplete one and displays it in the next line. When there are several matches, repeatedly pressing Tab displays all the keywords starting with the letters you entered in cycles. If there is no match at all, the system does not modify the incomplete keyword and displays it again in the next line.
When editing the command line, you can use other shortcut keys (For details, see Table 18-2) besides the shortcut keys defined in Table 18-4, or you can define shortcut keys by yourself. (For details, see Configuring CLI Hotkeys.)
CLI Display
With the output information filtering function, you can quickly find the information you are interested in. When there is a lot of information to be output, the system displays the information in multiple screens.
Character | Meaning | Remarks
string$ | Matches a character string ending with string. |
* | Matches the preceding character or character group zero or more times. | For example, zo* can match z and zoo; (zo)* can match zo and zozo.
+ | Matches the preceding character or character group one or more times. | For example, zo+ can match zo and zoo, but not z.
| | Matches either of the character strings on its two sides. | For example, def|int can only match a character string containing def or int.
_ | Matches a comma, space, round bracket, or curly bracket; at the beginning or end of the expression, it equals ^ or $. | For example, a_b can match a b or a(b; _ab can only match a line starting with ab; ab_ can only match a line ending with ab.
- | Connects two values (the smaller before the larger) to indicate a range, used inside [ ]. | For example, 1-9 means numbers from 1 to 9 (inclusive); a-h means from a to h (inclusive).
[ ] | Matches a single character in the brackets. | For example, [16A] can match a string containing any character among 1, 6, and A; [1-36A] can match a string containing any character among 1, 2, 3, 6, and A (with - being a hyphen). ] can be matched only when it is put at the beginning of [ ] if it is used as a common character in [ ], for example []string]. There is no such limit on [.
( ) | A character group. It is usually used with + or *. | For example, (123A) means a character group 123A; 408(12)+ can match 40812 or 408121212, but cannot match 408.
\index | Repeats the specified character group once. A character group refers to the string in ( ) before \. index refers to the sequence number (starting from 1, from left to right) of the character group before \: if only one character group appears before \, index can only be 1; if n character groups appear before \index, index can be any integer from 1 to n. | For example, (string)\1 means to repeat string once, so (string)\1 matches a string containing stringstring; (string1)(string2)\2 means to repeat string2 once, so (string1)(string2)\2 matches a string containing string1string2string2; (string1)(string2)\1\2 means to repeat string1 once and then string2 once, so (string1)(string2)\1\2 matches a string containing string1string2string1string2.
[^] | Matches a single character not in the brackets. | For example, [^16A] means to match a string containing any character except 1, 6 or A; the string can also contain 1, 6 or A, but cannot consist of only these three characters. For example, [^16A] can match abc and m16, but not 1, 16, or 16A.
\<string | Used to match a character string starting with string. | For example, \<do can match the word domain or the string doa.
string\> | Used to match a character string ending with string. | For example, do\> can match the word undo or the string abcdo.
\bcharacter2 | Used to match character1character2. character1 can be any character except a number, letter or underline, and \b equals [^A-Za-z0-9_]. | For example, \ba can match -a, with - representing character1 and a representing character2; \ba cannot match 2a or ba.
\Bcharacter | Matches a string containing character, with no space before character. | For example, \Bt can match the t in install, but not the t in big top.
character1\w | Used to match character1character2. character2 must be a number, letter or underline, and \w equals [A-Za-z0-9_]. | For example, v\w can match vlan, with v being character1 and l being character2. v\w can also match service, with i being character2.
\W | Equals \b. | For example, \Wa can match -a, with - representing character1 and a representing character2; \Wa cannot match 2a or ba.
\ | Escape character. If a single special character listed in this table follows \, the special meaning of that character is removed. | For example, \\ can match a string containing \, \^ can match a string containing ^, and \\b can match a string containing \b.
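The dialect in this table differs from PCRE-style engines in its \b, \B, \w, \W, _ and \< \> forms, so a filter expression that works in one will not necessarily select the same lines in the other. The following added example (not H3C code) translates the dialect into Python's re syntax and replays the table's own examples; the WORD and NON_WORD classes and the full character set for _ are assumptions taken from the table's definitions.

```python
import re

# Comware/H3C display-filter regex dialect, translated to Python's re syntax so
# that a filter expression can be checked offline against captured output.
# Added illustration, not H3C code: WORD and NON_WORD follow the table's own
# definitions ("number, letter or underline" and its negation); the character
# set matched by "_" is the dialect's documented set, of which the table shows
# the space and "(" cases.
WORD = "[A-Za-z0-9_]"       # character2 of \w, character of \B
NON_WORD = "[^A-Za-z0-9_]"  # \b and \W


def h3c_to_python(pattern: str) -> str:
    """Rewrite an H3C display-filter regex into an equivalent Python regex."""
    out = []
    i = 0
    class_start = None  # index of the first character inside an open [ ]
    while i < len(pattern):
        c = pattern[i]
        if class_start is not None:
            # Inside [ ] everything is literal; "]" closes the class unless it is
            # the first character (or first after "^"), as the table describes.
            if c == "\\" and i + 1 < len(pattern):
                out.append(pattern[i:i + 2])
                i += 2
                continue
            out.append(c)
            first = i == class_start or (pattern[class_start] == "^" and i == class_start + 1)
            if c == "]" and not first:
                class_start = None
            i += 1
            continue
        if c == "[":
            out.append(c)
            class_start = i + 1
        elif c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in "<>":        # \<string / string\> : word boundary
                out.append(r"\b")
            elif nxt in "bW":      # \bX / \WX : a non-word character before X
                out.append(NON_WORD)
            elif nxt in "Bw":      # \BX : a word character before X; X\w : one after X
                out.append(WORD)
            else:                  # \1..\n back-references and \\ \^ escapes
                out.append(c + nxt)
            i += 1
        elif c == "_":
            # "_" matches a comma, space, bracket, or the start/end of the line
            out.append(r"(?:[ ,(){}]|^|$)")
        else:
            out.append(c)
        i += 1
    return "".join(out)


def h3c_match(pattern: str, line: str) -> bool:
    """True if LINE would be selected by an H3C display filter using PATTERN."""
    return re.search(h3c_to_python(pattern), line) is not None


# Constructed checks that replay the table's own examples.
TABLE_EXAMPLES = [
    ("zo*", "z", True), ("zo+", "z", False), ("def|int", "print", True),
    ("a_b", "a(b", True), ("_ab", "ab", True), ("_ab", "cab", False),
    ("[1-36A]", "x2y", True), ("408(12)+", "408", False),
    (r"(string1)(string2)\2", "string1string2string2", True),
    ("[^16A]", "16A", False), (r"\<do", "domain", True), (r"\<do", "undo", False),
    (r"do\>", "undo", True), (r"\ba", "2a", False), (r"\Bt", "big top", False),
    (r"v\w", "service", True), (r"\Wa", "-a", True), (r"\\", "a\\b", True),
]


def check_table_examples():
    """Return the examples whose result disagrees with the table (expected: none)."""
    return [(p, s) for p, s, want in TABLE_EXAMPLES if h3c_match(p, s) != want]
```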
Multiple-screen output
When there is a lot of information to be output, the system displays the information in multiple screens. Generally, 24 lines are displayed on one screen, and you can also use the screen-length command to set the number of lines displayed on the next screen. (For more information about this command, see User Interface in the Fundamentals Command Reference.) You can follow the step below to disable the multiple-screen output function of the current user.
To do | Use the command | Remarks
Disable the multiple-screen output function of the current user | screen-length disable | Required. By default, a login user uses the settings of the screen-length command; the defaults are that multiple-screen output is enabled and 24 lines are displayed on the next screen. This command is executed in user view and therefore applies to the current user only. When a user logs in again, the settings are restored to the system default.
Display functions
CLI offers the following feature: when the information displayed exceeds one screen, you can pause the display using one of the methods shown in Table 18-6.
Table 18-6 Display functions
Action | Function
Press Space when information display pauses | Continues to display information of the next screen page.
Press Enter when information display pauses | Continues to display information of the next line.
Press Ctrl+C when information display pauses | Stops the display and the command execution.
Ctrl+E | Moves the cursor to the end of the current line.
Press PageUp when information display pauses | Displays information on the previous page.
Press PageDown when information display pauses | Displays information on the next page.
You may use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet. However, the up-arrow and down-arrow keys are invalid in Windows 9X HyperTerminal, because they are defined in a different way. You can use Ctrl+P and Ctrl+N instead.
19 HTTP Configuration
HTTP Overview
Enabling the HTTP Service
Configuring the Port Number of the HTTP Service
Associating the HTTP Service with an ACL
Displaying and Maintaining HTTP
HTTP Overview
The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet. It is an application-level protocol in the TCP/IP protocol suite. The connection-oriented Transmission Control Protocol (TCP) is used at the transport layer. Currently, HTTP/1.0 is supported on the device.
If you execute the ip http port command for multiple times, the last configured port number is used.
The HTTP service can be associated with a WLAN ACL (ACL numbers 100 to 199) and a basic ACL (ACL numbers 2000 to 2999), and the two types of ACLs do not overwrite each other. However, ACLs of the same type overwrite each other; that is, if you execute the ip http acl command multiple times to associate the HTTP service with ACLs of the same type, the HTTP service is only associated with the last specified ACL. When the HTTP service is associated with a WLAN ACL, the HTTP service uses this ACL to filter wireless clients only; it does not filter wired clients with this ACL. For more information about ACLs, see ACL in the ACL and QoS Configuration Guide.
20 HTTPS Configuration
HTTPS Overview
HTTPS Configuration Task List
Associating the HTTPS Service with an SSL Server Policy
Enabling the HTTPS Service
Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Configuring the Port Number of the HTTPS Service
Associating the HTTPS Service with an ACL
Displaying and Maintaining HTTPS
HTTPS Configuration Example
HTTPS Overview
Secure HTTP (HTTPS) refers to the HTTP protocol running over the Secure Sockets Layer (SSL) protocol. The SSL protocol of HTTPS enhances the security of the AC in the following ways:
Uses the SSL protocol to ensure that legitimate clients can access the AC securely and to block illegitimate clients;
Encrypts the data exchanged between the HTTPS client and the AC to ensure data confidentiality and integrity, thus allowing secure management of the AC;
Defines a certificate attribute-based access control policy for the AC to control the access rights of the client, in order to further avoid attacks from illegitimate clients.
The total number of HTTP connections and HTTPS connections on an AC cannot exceed 10. For more information about SSL, see SSL in the Security Configuration Guide.
Configuration task
Configuring the Port Number of the HTTPS Service
Associating the HTTPS Service with an ACL
If the ip https ssl-server-policy command is executed repeatedly, the HTTPS service is only associated with the last specified SSL server policy. When the HTTPS service is disabled, the association between the HTTPS service and the SSL server policy is automatically removed. To enable it again, you need to re-associate the HTTPS service with an SSL server policy. While the HTTPS service is enabled, modifications to its associated SSL server policy do not take effect.
After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration. Enabling the HTTPS service triggers an SSL handshake negotiation process. During the process, if the local certificate of the AC already exists, the SSL negotiation succeeds and the HTTPS service starts normally. If no local certificate exists, the SSL negotiation triggers a certificate application process. Since the application process takes a long time, the SSL negotiation may fail and the HTTPS service cannot start normally. In that case, the ip https enable command must be executed multiple times to ensure normal startup of the HTTPS service.
Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Associating the HTTPS service with a configured certificate access control policy helps control the access right of the client, thus providing the AC with enhanced security. Follow these steps to associate the HTTPS service with a certificate attribute access control policy:
To do | Use the command | Remarks
Enter system view | system-view | -
Associate the HTTPS service with a certificate attribute access control policy | ip https certificate access-control-policy policy-name | Required. Not associated by default.
If the ip https certificate access-control-policy command is executed repeatedly, the HTTPS server is only associated with the last specified certificate attribute access control policy. If the HTTPS service is associated with a certificate attribute access control policy, the client-verify enable command must be configured in the SSL server policy. Otherwise, the client cannot log in to the AC. If the HTTPS service is associated with a certificate attribute access control policy, the latter must contain at least one permit rule. Otherwise, no HTTPS client can log in to the AC. For the configuration of an SSL server policy, see PKI in the Security Configuration Guide.
To do | Use the command | Remarks
Enter system view | system-view | -
Configure the port number of the HTTPS service | ip https port port-number |
If you execute the ip https port command multiple times, the last configured port number is used.
The HTTPS service can be associated with a WLAN ACL (ACL numbers 100 to 199) and a basic ACL (ACL numbers 2000 to 2999), and the two types of ACLs do not overwrite each other. However, ACLs of the same type overwrite each other; that is, if you execute the ip https acl command multiple times to associate the HTTPS service with ACLs of the same type, the HTTPS service is only associated with the last specified ACL. When the HTTPS service is associated with a WLAN ACL, the HTTPS service uses this ACL to filter wireless clients only; it does not filter wired clients with this ACL. For more information about ACLs, see ACL in the ACL and QoS Configuration Guide.
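The association rules in this chapter (last-wins for repeated ip https ssl-server-policy, certificate access-control-policy, port and same-type acl commands; client-verify enable required in the SSL server policy when a certificate attribute access control policy is associated; at least one permit rule in that policy) are easy to get wrong when a configuration is edited repeatedly. The following added example (not H3C code) checks a set of configuration lines written in the style of this guide's examples for those pitfalls; the constructed sample configuration and the parsing assumptions (a view is closed by quit, rules have the form rule N permit|deny group) are mine.

```python
WLAN_ACL = range(100, 200)      # WLAN ACL numbers 100 to 199
BASIC_ACL = range(2000, 3000)   # basic ACL numbers 2000 to 2999


def analyze_https_config(lines):
    """Return (effective HTTPS settings, findings) for config lines in this guide's style.

    Repeated ip https commands follow the last-wins rule described in the chapter;
    the two ACL types are tracked separately. View handling (a view is closed by
    'quit', rules look like 'rule N permit|deny GROUP') is an assumption.
    """
    ssl_policies = {}   # name -> {"client_verify": bool}
    cert_acps = {}      # name -> [(action, group), ...]
    effective = {"enabled": False, "ssl_policy": None, "cert_acp": None,
                 "port": None, "wlan_acl": None, "basic_acl": None}
    findings = []
    view = None         # ("ssl", name) or ("acp", name) while inside a view
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if line == "quit":
            view = None
        elif line.startswith("ssl server-policy "):
            ssl_policies.setdefault(words[2], {"client_verify": False})
            view = ("ssl", words[2])
        elif line == "client-verify enable" and view and view[0] == "ssl":
            ssl_policies[view[1]]["client_verify"] = True
        elif line.startswith("pki certificate access-control-policy "):
            cert_acps.setdefault(words[3], [])
            view = ("acp", words[3])
        elif words[0] == "rule" and view and view[0] == "acp":
            cert_acps[view[1]].append((words[2], words[3]))
        elif line.startswith("ip https ssl-server-policy "):
            effective["ssl_policy"] = words[3]          # repeated: last wins
        elif line.startswith("ip https certificate access-control-policy "):
            effective["cert_acp"] = words[4]            # repeated: last wins
        elif line.startswith("ip https port "):
            effective["port"] = int(words[3])           # repeated: last wins
        elif line.startswith("ip https acl "):
            n = int(words[3])
            if n in WLAN_ACL:                           # same type: last wins
                effective["wlan_acl"] = n
            elif n in BASIC_ACL:
                effective["basic_acl"] = n
            else:
                findings.append(f"ACL {n} is neither a WLAN ACL (100-199) nor a basic ACL (2000-2999)")
        elif line == "ip https enable":
            effective["enabled"] = True

    pol_name, acp_name = effective["ssl_policy"], effective["cert_acp"]
    policy = ssl_policies.get(pol_name) if pol_name else None
    if effective["enabled"] and pol_name is None:
        findings.append("HTTPS is enabled but no SSL server policy is associated")
    if pol_name and policy is None:
        findings.append(f"SSL server policy {pol_name} is associated but not defined")
    if acp_name:
        rules = cert_acps.get(acp_name)
        if rules is None:
            findings.append(f"certificate access control policy {acp_name} is associated but not defined")
        elif not any(action == "permit" for action, _ in rules):
            findings.append(f"policy {acp_name} has no permit rule: no HTTPS client can log in")
        if policy is not None and not policy["client_verify"]:
            findings.append(f"policy {acp_name} is associated but SSL server policy {pol_name} "
                            "lacks 'client-verify enable': clients cannot log in")
    return effective, findings


# Constructed sample configuration (not from the guide): two login-blocking
# pitfalls plus several repeated commands that the last-wins rule resolves.
SAMPLE_CONFIG = """
ssl server-policy myssl
 quit
pki certificate access-control-policy myacp
 rule 1 deny mygroup1
 quit
ip https ssl-server-policy myssl
ip https certificate access-control-policy myacp
ip https port 8443
ip https port 4433
ip https acl 100
ip https acl 101
ip https acl 2000
ip https enable
""".splitlines()
```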
In this configuration example, Windows Server serves as the CA, and the Simple Certificate Enrollment Protocol (SCEP) component needs to be installed on it.
[Network diagram for the HTTPS configuration example: Host, CA, and AC; the addresses shown are 10.1.1.2/24 and 10.1.2.2/24.]
Configuration procedure
Perform the following configurations on AC: 1) Apply for a certificate for AC
2)
3) # Configure certificate access control policy myacp and create a control rule.
[AC] pki certificate access-control-policy myacp
[AC-pki-cert-acp-myacp] rule 1 permit mygroup1
[AC-pki-cert-acp-myacp] quit
4) # Associate the HTTPS service with the SSL server policy myssl.
[AC] ip https ssl-server-policy myssl
5) Associate the HTTPS service with a certificate attribute access control policy
# Associate the HTTPS service with certificate attribute access control policy myacp.
[AC] ip https certificate access-control-policy myacp
6)
7) Launch Internet Explorer on Host and enter https://10.1.1.1. You can log in to AC and control it.
The URL of the HTTPS server starts with https://, and that of the HTTP server starts with http://. For more information about PKI commands, see PKI in the Security Command Reference. For more information about the public-key local create rsa command, see Public Key in the Security Command Reference. For more information about SSL commands, see SSL in the Security Command Reference.
21 Hotfix Configuration
Hotfix Overview
Hotfix Configuration Task List
One-Step Patch Installation
Step-by-Step Patch Installation
One-Step Patch Uninstallation
Step-by-Step Patch Uninstallation
Displaying and Maintaining Hotfix
Hotfix Configuration Example
Hotfix Overview
Hotfix is a fast and cost-effective method to repair software defects on a device. Compared with the other method, software version upgrade, hotfix can upgrade the software without interrupting the running services of the device; that is, it can repair the software defects of the current version without rebooting the device.
Incremental patch
Patches in a patch file are all incremental patches. An incremental patch means that the patch is dependent on the previous patch units. For example, if a patch file has three patch units, patch 3 can be running only after patch 1 and 2 take effect. You cannot run patch 3 separately.
Patch Status
Each patch has a status, which can be switched by command lines. The relationship between patch state changes and command actions is shown in Figure 21-1. A patch can be in one of four states: IDLE, DEACTIVE, ACTIVE, and RUNNING. Load, run temporarily, confirm running, stop running, delete, install, and uninstall are the operations, corresponding to the commands patch load, patch active, patch run, patch deactive, patch delete, patch install, and undo patch install. For example, if you execute the patch active command for patches in the DEACTIVE state, the patches turn to the ACTIVE state.
Figure 21-1 Relationship between patch state changes and command actions
Information about patch states is saved in the file patchstate on the storage medium. It is recommended that you do not modify this file.
IDLE state
Patches in the IDLE state are not loaded. You cannot install or run the patches, as shown in Figure 21-2 (suppose the memory patch area can load up to eight patches). The patches that are in the IDLE state will be still in this state after system reboot.
Figure 21-2 Patches are not loaded to the memory patch area
DEACTIVE state
Patches in the DEACTIVE state have been loaded to the memory patch area but are not yet running in the system. Suppose that there are seven patches in the patch file to be loaded. After the seven patches pass the version check and CRC check, they are loaded to the memory patch area and turn to the DEACTIVE state. At this time, the patch states in the system are as shown in Figure 21-3. Patches that are in the DEACTIVE state will still be in the DEACTIVE state after a system reboot.
Figure 21-3 A patch file is loaded to the memory patch area
ACTIVE state
Patches in the ACTIVE state are running temporarily in the system and become DEACTIVE after a system reboot. For the seven patches in Figure 21-3, if you activate the first five patches, their state changes from DEACTIVE to ACTIVE. At this time, the patch states in the system are as shown in Figure 21-4. Patches that are in the ACTIVE state will be in the DEACTIVE state after a system reboot.
RUNNING state
After you confirm the running of the ACTIVE patches, their state becomes RUNNING, and they stay in the RUNNING state after a system reboot. For the five patches in Figure 21-4, if you confirm the running of the first three patches, their state changes from ACTIVE to RUNNING. At this time, the patch states in the system are as shown in Figure 21-5.
Figure 21-5 Patches are running
Patches that are in the RUNNING state will still be in the RUNNING state after a system reboot.
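The four states, the incremental-patch rule, and the differing reboot behaviour of ACTIVE and RUNNING patches are what decide whether a test-run patch can be backed out by a reboot. The following added example (not H3C code) models that state machine and replays Figures 21-2 to 21-5; the capacity of eight units follows the assumption stated for Figure 21-2, and treating patch active and patch run as acting on units 1..N, and patch deactive and patch delete on units N and above, is a modelling assumption drawn from the incremental-patch rule.

```python
from enum import Enum


class PatchState(Enum):
    IDLE = "IDLE"
    DEACTIVE = "DEACTIVE"
    ACTIVE = "ACTIVE"
    RUNNING = "RUNNING"


class PatchError(Exception):
    """An operation that the incremental-patch rule or a check forbids."""


class MemoryPatchArea:
    """Models the patch units of one patch file (numbered 1..N) in the memory patch area."""

    def __init__(self, units, capacity=8):
        # The capacity of eight follows the assumption stated for Figure 21-2.
        if units > capacity:
            raise PatchError(f"{units} units exceed the area capacity of {capacity}")
        self._state = [None] + [PatchState.IDLE] * units  # index 0 unused

    def states(self):
        return [s.value for s in self._state[1:]]

    def _numbers(self):
        return range(1, len(self._state))

    def _require(self, upto, allowed, op):
        # Incremental rule: patch k may only move on if every lower unit already has.
        for n in range(1, upto + 1):
            if self._state[n] not in allowed:
                raise PatchError(f"{op} {upto}: patch {n} is {self._state[n].value}")

    def load(self, version_ok=True, crc_ok=True):
        """patch load: every IDLE unit becomes DEACTIVE once the version and CRC checks pass."""
        if not (version_ok and crc_ok):
            raise PatchError("version or CRC check failed; nothing was loaded")
        for n in self._numbers():
            if self._state[n] is PatchState.IDLE:
                self._state[n] = PatchState.DEACTIVE

    def active(self, upto):
        """patch active: run units 1..upto temporarily (DEACTIVE -> ACTIVE)."""
        self._require(upto, {PatchState.DEACTIVE, PatchState.ACTIVE, PatchState.RUNNING}, "patch active")
        for n in range(1, upto + 1):
            if self._state[n] is PatchState.DEACTIVE:
                self._state[n] = PatchState.ACTIVE

    def run(self, upto):
        """patch run: confirm units 1..upto (ACTIVE -> RUNNING); they survive a reboot."""
        self._require(upto, {PatchState.ACTIVE, PatchState.RUNNING}, "patch run")
        for n in range(1, upto + 1):
            self._state[n] = PatchState.RUNNING

    def deactive(self, frm):
        """patch deactive: stop unit frm and, as the units above depend on it, all higher
        units (ACTIVE/RUNNING -> DEACTIVE). Stopping the higher units too is a modelling
        assumption drawn from the incremental-patch rule."""
        for n in range(frm, len(self._state)):
            if self._state[n] in (PatchState.ACTIVE, PatchState.RUNNING):
                self._state[n] = PatchState.DEACTIVE

    def delete(self, frm):
        """patch delete: remove DEACTIVE units frm..N from the area (-> IDLE). The patch
        file stays on the storage medium. Same higher-units assumption as deactive."""
        for n in range(frm, len(self._state)):
            if self._state[n] in (PatchState.ACTIVE, PatchState.RUNNING):
                raise PatchError(f"patch delete {frm}: patch {n} is still {self._state[n].value}")
            self._state[n] = PatchState.IDLE

    def reboot(self):
        """A reboot drops ACTIVE units back to DEACTIVE; IDLE, DEACTIVE and RUNNING persist."""
        for n in self._numbers():
            if self._state[n] is PatchState.ACTIVE:
                self._state[n] = PatchState.DEACTIVE


def walk_through_figures():
    """Replay Figures 21-2 to 21-5 for a seven-unit patch file, then reboot."""
    area = MemoryPatchArea(units=7)
    steps = {"idle": area.states()}
    area.load()
    steps["loaded"] = area.states()
    area.active(5)
    steps["active5"] = area.states()
    area.run(3)
    steps["run3"] = area.states()
    area.reboot()
    steps["rebooted"] = area.states()
    return steps
```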
Configuration Prerequisites
Patches are released per device model or card type. Before patching the system, you need to save the appropriate patch files to the storage media of the device using FTP or TFTP. When saving the patch files, note the following:
The patch files must match the device model and software version. If they do not match, the hotfixing operation will fail.
Name the patch file properly. Otherwise, the system cannot locate the patch file and the hotfixing operation will fail. The name is in the format "patch_PATCH-FLAG suffix.bin". The PATCH-FLAG is pre-defined, and support for the PATCH-FLAG depends on the device model or card type. The first three characters of the version item (shown by the display patch information command) represent the PATCH-FLAG suffix. The system searches the storage medium for patch files based on the PATCH-FLAG. If there is a match, the system loads the patches to or installs them on the memory patch area.
Table 21-1 Default patches for different card types
Card type | PATCH-FLAG | Default patch name
All cards that support wireless functions | PATCH-MPU | patch_mpu.bin
Cards that support wireless functions refer to cards that support AC functions, excluding the switching engine on the WX3000 series and the switching interface card on the WX6103.
The patch must match the card type and version. The patch install command changes the patch file location specified with the patch location command to the directory specified by the patch-location argument of the patch install command. For example, if you execute the patch location xxx command and then the patch install yyy command, the patch file location automatically changes from xxx to yyy.
Set the file transfer mode to binary mode before using FTP or TFTP to upload or download patch files to or from the storage medium of the device. Otherwise, the patch file cannot be parsed properly.
Activating Patches
After you activate a patch, the patch takes effect and is in the test-run stage. After the device is reset or rebooted, the patch becomes invalid. If you find that an ACTIVE patch has a problem, you can reboot the device to deactivate the patch, so as to avoid a series of running faults resulting from the patch error. Follow these steps to activate patches:
To do | Use the command | Remarks
Enter system view | system-view | -
Activate the specified patches | patch active patch-number | Required
Deleting Patches
Deleting patches only removes the patches from the memory patch area; it does not delete them from the storage medium. The patches turn to the IDLE state after this operation. After a patch is deleted, the system runs as it did before the patch was installed. Follow these steps to delete patches:
To do | Use the command | Remarks
Enter system view | system-view | -
Delete the specified patches from the memory patch area | patch delete patch-number | Required
Configuration procedure
1) Configure the TFTP server. The configuration varies by server type, and the configuration procedure is omitted.
Enable the TFTP server function.
Save patch file patch_xxx.bin to the directory of the TFTP server.
2) Configure AC (TFTP client).
Make sure the free space of the storage medium is big enough to store the patch file.
# Before upgrading the software, use the save command to save the current system configuration. The configuration procedure is omitted.
# Load patch file patch_xxx.bin from the TFTP server to the root directory of the device storage medium.
<AC> tftp 2.2.2.2 get patch_xxx.bin