HP Enterprise FlexNetwork 10500 Series Configuration Manual Download Page 40

Page: 40 / 325

RBAC configuration examples

RBAC configuration example for local AAA authentication
users

Network requirements

As shown in

Figure 2

, the switch performs local AAA authentication for the Telnet user. The user

account for the Telnet user is

user1@bbb

and is assigned user role

role1

Configure

role1

to have the following permissions:

•

Can execute the read commands of any feature.

•

Cannot configure any VLANs except VLANs 10 to 20.

Figure 2 Network diagram

Configuration procedure

# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).

<Switch> system-view

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0

[Switch-Vlan-interface2] quit

# Enable Telnet server.

[Switch] telnet server enable

# Enable scheme authentication on the user lines for Telnet users.

[Switch] line vty 0 63

[Switch-line-vty0-63] authentication-mode scheme

[Switch-line-vty0-63] quit

# Enable local authentication and authorization for ISP domain

bbb

[Switch] domain bbb

[Switch-isp-bbb] authentication login local

[Switch-isp-bbb] authorization login local

[Switch-isp-bbb] quit

# Create user role

role1

[Switch] role name role1

# Configure rule 1 to permit the user role to access the read commands of all features.

[Switch-role-role1] rule 1 permit read feature

# Configure rule 2 to permit the user role to create VLANs and access commands in VLAN view.

[Switch-role-role1] rule 2 permit command system-view ; vlan *

# Change the VLAN policy to permit the user role to configure only VLANs 10 to 20.

[Switch-role-role1] vlan policy deny

[Switch-role-role1-vlanpolicy] permit vlan 10 to 20

[Switch-role-role1-vlanpolicy] quit

Internet

Switch

Telnet user

192.168.1.58/24

Vlan-int 2

192.168.1.70/24

Summary of Contents for FlexNetwork 10500 Series

Page 1: ...HPE FlexNetwork 10500 Switch Series Fundamentals Configuration Guide Part number 5200 1887a Software version 10500 CMW710 R7557P01 Document version 6W101 20171020 ...

Page 2: ...nd 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to third party websites take you outside the Hewlett Packard Enterprise website Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise ...

Page 3: ...7 Permission assignment 17 User role assignment 20 FIPS compliance 20 Configuration task list 21 Creating a user role 21 Configuring user role rules 21 Configuration restrictions and guidelines 22 Configuration procedure 22 Configuring a feature group 23 Configuring resource access policies 24 Configuring the user role interface policy 24 Configuring the user role VLAN policy 24 Configuring the us...

Page 4: ...vice to log in to an SSH server 61 Displaying and maintaining CLI login 62 Configuring Web login 63 FIPS compliance 63 Configuring HTTP login 63 Configuring HTTPS login 64 Displaying and maintaining Web login 66 Web login configuration examples 67 HTTP login configuration example 67 HTTPS login configuration example 67 Accessing the device through SNMP 70 Configuring RESTful access 71 FIPS complia...

Page 5: ...6 Configuring the device as an IPv6 TFTP client 97 Managing file systems 98 Overview 98 File systems 98 Directories 99 Files 99 Specifying a directory name or file name 100 FIPS compliance 100 File system management restrictions and guidelines 100 Managing storage media and file systems 101 Partitioning a CF card or a USB disk 101 Mounting or unmounting a file system 102 Formatting a file system 1...

Page 6: ...w 120 Software types 120 Software file naming conventions 120 Comware image redundancy and loading procedure 120 System startup process 121 Upgrade methods 122 Upgrade restrictions and guidelines 123 Preparing for the upgrade 123 Upgrade task list 123 Preloading the BootWare image to BootWare 124 Specifying startup images and completing the upgrade in standalone mode 124 Specifying startup images ...

Page 7: ...tall commands for ISSU on an IRF fabric 167 Feature upgrade example 167 Using the emergency shell 172 Managing the file systems 172 Obtaining a system image from an FTP TFTP server 173 Configuring the management Ethernet interface 173 Checking the connectivity to a server 174 Accessing the server 174 Loading the system image 175 Rebooting the device 175 Displaying device information in emergency s...

Page 8: ...rupt signals 220 Configuring hardware failure detection and protection 220 Specifying the actions to be taken for hardware failures 220 Enabling hardware failure protection for interfaces 221 Enabling hardware failure protection for aggregation groups 221 Enabling data forwarding path failure detection 222 Verifying and diagnosing transceiver modules 222 Verifying transceiver modules 222 Diagnosin...

Page 9: ... the next startup 265 Managing the BootWare image 266 Skipping console login authentication 268 Managing storage media 269 Using the EXTENDED ASSISTANT menu 270 BootWare shortcut keys 271 Comware software upgrade examples 272 Using XMODEM to upgrade software through the console port 272 Using TFTP to upgrade Comware software through the management Ethernet port 273 Using FTP to upgrade Comware sof...

Page 10: ...ere Device name indicates the device name The device name is Sysname by default You can change it by using the sysname command In user view you can perform the following tasks Perform basic operations including display debug file management FTP Telnet clock setting and reboot Enter system view The system view prompt is Device name In system view you can perform the following tasks Configure global...

Page 11: ...tion of a command to display all available options To access the CLI online help use one of the following methods Enter a question mark at a view prompt to display the first keyword of every command available in the view For example Sysname User view commands archive Archive configuration arp Address Resolution Protocol ARP module backup Backup operation bash Enter the bash shell boot loader Softw...

Page 12: ...view Sysname interface vlan interface 1 4094 Vlan interface interface number Sysname interface vlan interface 1 cr Sysname interface vlan interface 1 1 4094 is the value range for the argument cr indicates that the command is complete and you can press Enter to execute the command Enter an incomplete keyword string followed by a question mark to display all keywords starting with that string The C...

Page 13: ...istory buffer Tab If you press Tab after typing part of a keyword the system automatically completes the keyword If a unique match is found the system displays the complete keyword If there is more than one match press Tab multiple times to pick the keyword you want to enter If there is no match the system does not modify what you entered but displays it again in the next line The total length of ...

Page 14: ...ype For a command line all interface types are case insensitive Table 2 shows the full spellings and acronyms of interface types For example to use the interface command to enter the view of interface Ten GigabitEthernet 1 0 1 you can enter the command line in the following formats interface ten gigabitethernet 1 0 1 interface ten g 1 0 1 interface ten gig 1 0 1 The spaces between the interface ty...

Page 15: ...n use ship to execute all commands starting with display ip Enter ship routing table to execute the display ip routing table command Enter ship interface to execute the display ip interface command Usage guidelines After you successfully execute a command by using an alias the system saves the command instead of the alias to the running configuration The command string represented by an alias can ...

Page 16: ...es effect To configure a command hotkey Step Command Remarks 1 Enter system view system view N A 2 Configure a hotkey hotkey hotkey command function function none Table 4 shows the default definitions for the hotkeys 3 Optional Display hotkeys display hotkey This command is available in any view Table 4 System reserved hotkeys Hotkey Function or command Ctrl A move_the_cursor_to_the_beginning_of_t...

Page 17: ... from the cursor to the end of the line Ctrl Z return_to_the_User_View Returns to user view Ctrl kill_incoming_connection_or_redirect_connection Terminates the current connection Esc B move_the_cursor_back_one_word Moves the cursor back one word Esc D delete_all_characters_from_the_cursor_to_the_end_of_the_word Deletes all characters from the cursor to the end of the word Esc F move_the_cursor_for...

Page 18: ...r arguments are missing Ambiguous command found at position The entered character sequence matches more than one command Too many parameters The entered character sequence contains excessive keywords or arguments Wrong parameter found at position The argument in the marked position is invalid Using the command history feature The system automatically saves commands successfully executed by a login...

Page 19: ...rds before buffering the command If you enter a command in the same format multiple times in succession the system buffers the command only once If you enter a command in different formats multiple times the system buffers each command format For example display cu and display current configuration are buffered as two entries but successive repetitions of display cu create only one entry To buffer...

Page 20: ...ays the previous page PageDown Displays the next page Disabling pausing between screens of output To disable pausing between screens of output execute the following command in user view Task Command Remarks Disable pausing between screens of output for the current CLI session screen length disable By default a CLI session uses the screen length screen length command settings in user line view This...

Page 21: ...ecial characters supported in a regular expression Characters Meaning Examples Matches the beginning of a line u matches all lines beginning with u A line beginning with Au is not matched Matches the end of a line u matches all lines ending with u A line ending with uA is not matched period Matches any single character s matches as and bs Matches the preceding character or string zero one or multi...

Page 22: ...rn is also a match if the characters preceding the pattern are not digits letters or underscores do matches domain and doa Matches a string that ends with the pattern preceding A string that contains the pattern is also a match if the characters following the pattern are not digits letters or underscores do matches undo and cdo b Matches a word that starts with the pattern following b or ends with...

Page 23: ...1 0 1 UP 1000M a F a A 1 Display SNMP related running configuration lines Sysname display current configuration include snmp snmp agent snmp agent community write private snmp agent community read public snmp agent sys info version all snmp agent target host trap address udp domain 192 168 1 26 params securityname public Saving the output from a display command to a file A display command shows ce...

Page 24: ...VLAN type Static Route interface Not configured Description VLAN 0001 Name VLAN 0001 Tagged ports None Untagged ports Gigabitethernet1 0 2 Append the VLAN 999 settings to the end of the file vlan txt Sysname display vlan 999 vlan txt Verify that the VLAN 999 settings are appended to the end of the file vlan txt Sysname more vlan txt VLAN ID 1 VLAN type Static Route interface Not configured Descrip...

Page 25: ...in the running configuration to the file test txt Sysname display current configuration include snmp test txt Display the first line that begins with user group in the running configuration and all the following lines Sysname display current configuration by linenum begin user group 114 user group system 115 116 return The colon following a line number indicates that the line contains the string u...

Page 26: ...n use the vlan command to create VLAN 10 and enter its view However you cannot create any other VLANs If the user role has access to VLAN 10 but does not have access to the vlan command you cannot use the command to enter the view of VLAN 10 When a user logs in to the device with any user role and enters in a view help information is displayed for the system defined command aliases in the view How...

Page 27: ...fined user roles These user roles have access to all system resources interfaces VLANs and VPN instances However their access permissions differ as shown in Table 8 Among all of the predefined user roles only network admin mdc admin and level 15 can perform the following tasks Access the RBAC feature Change the settings in user line view including the user role authentication mode protocol inbound...

Page 28: ...XML view Accesses all read type Web menu items Accesses all read type XML elements Accesses all read type MIB nodes level n n 0 to 15 level 0 Has access to diagnostic commands including ping tracert ssh2 telnet and super Level 0 access rights are configurable level 1 Has access to the display commands of all features and resources in the system except for display history command all The level 1 us...

Page 29: ...s to the qos apply policy command and permits access only to interface Ten GigabitEthernet 1 0 1 User role B permits access to the qos apply policy command and all interfaces Depending on the authentication method user role assignment has the following methods AAA authorization If scheme authentication is used the AAA module handles user role assignment If the user passes local authorization the d...

Page 30: ...ol To create a user role Step Command Remarks 1 Enter system view system view N A 2 Create a user role and enter its view role name role name By default the system has the following predefined user roles network admin network operator mdc admin mdc operator level n where n equals an integer in the range of 0 to 15 security audit guest manager Among these user roles only the permissions and descrip...

Page 31: ...ny command ping If a predefined user role rule and a user defined user role rule conflict the user defined user role rule takes effect The following guidelines apply to OID rules The system compares an OID with the OIDs specified in user role rules and it uses the longest match principle to select a rule for the OID For example a user role cannot access the MIB node with OID 1 3 6 1 4 1 25506 141 ...

Page 32: ...features available in the system Enter feature names the same as the feature names are displayed including the case Configuring a feature group Use feature groups to bulk assign command access permissions to sets of features In addition to the predefined feature groups you can create a maximum of 64 custom feature groups and assign a feature to multiple feature groups To configure a feature group ...

Page 33: ... interfaces This command denies the access of the user role to all interfaces if the permit interface command is not configured 4 Optional Specify a list of interfaces accessible to the user role permit interface interface list By default no accessible interfaces are configured in user role interface policy view Repeat this step to add multiple accessible interfaces Configuring the user role VLAN ...

Page 34: ...s To control user access to the system you must assign a minimum of one user role Make sure a minimum of one user role among the user roles assigned by the server exists on the device User role assignment procedure varies for remote AAA authentication users local AAA authentication users and non AAA authentication users see User role assignment For more information about AAA authentication see Sec...

Page 35: ...les level 0 level 1 level 2 to assign level 0 level 1 and level 2 to an HWTACACS user If the AAA server assigns the security audit user role and other user roles to the same user only the security audit user role takes effect Assigning user roles to local AAA authentication users Configure user roles for local AAA authentication users in their local user accounts Every local user has a default use...

Page 36: ...e password authentication or no authentication SSH clients that use publickey or password publickey authentication User roles assigned to these SSH clients are specified in their respective device management user accounts For more information about user lines see Login overview and Configuring CLI login For more information about SSH see Security Configuration Guide To assign a user role to non AA...

Page 37: ...with The next time you are logged in with the user account the original user role settings take effect Configuration restrictions and guidelines When you configure temporary user role authorization follow these restrictions and guidelines To enable a user to obtain another user role without reconnecting to the device you must configure user role authentication Table 9 describes the available authe...

Page 38: ...ywords Authentication mode Description local Local password authentication only local only The device uses the locally configured password for authentication If no local password is configured for a user role in this mode an AUX user can obtain the user role by either entering a string or not entering anything scheme Remote AAA authentication through HWTACACS or RADIUS remote only The device sends...

Page 39: ...ord is set If you do not specify the role role name option the command sets a password for the default target user role Obtaining temporary user role authorization Perform the following task in user view Task Command Remarks Obtain the temporary authorization to use a user role super role name If you do not specify the role name argument you obtain the default target user role for temporary user r...

Page 40: ... enable Enable scheme authentication on the user lines for Telnet users Switch line vty 0 63 Switch line vty0 63 authentication mode scheme Switch line vty0 63 quit Enable local authentication and authorization for ISP domain bbb Switch domain bbb Switch isp bbb authentication login local Switch isp bbb authorization login local Switch isp bbb quit Create user role role1 Switch role name role1 Con...

Page 41: ...0 to 20 This example uses VLAN 10 Switch system view Switch vlan 10 Switch vlan10 quit Verify that you cannot create any VLAN other than VLANs 10 to 20 This example uses VLAN 30 Switch vlan 30 Permission denied Verify that you can use all read commands of any feature This example uses display clock Switch display clock 09 31 56 UTC Sat 01 01 2016 Switch quit Verify that you cannot use the write or...

Page 42: ...5 255 0 Switch Vlan interface3 quit Enable Telnet server Switch telnet server enable Enable scheme authentication on the user lines for Telnet users Switch line vty 0 63 Switch line vty0 63 authentication mode scheme Switch line vty0 63 quit Create RADIUS scheme rad and enter RADIUS scheme view Switch radius scheme rad Specify the primary server address and the service port in the scheme Switch ra...

Page 43: ... Configure rule 5 to permit the user role to enter interface view and use all commands available in interface view Switch role role2 rule 5 permit command system view interface Configure the user role VLAN policy to disable configuration of any VLAN except VLANs 1 to 20 Switch role role2 vlan policy deny Switch role role2 vlanpolicy permit vlan 1 to 20 Switch role role2 vlanpolicy quit Configure t...

Page 44: ... vlan 10 Switch vlan10 port ten gigabitethernet 1 0 2 Switch vlan10 port ten gigabitethernet 1 0 5 Permission denied RBAC temporary user role authorization configuration example HWTACACS authentication Network requirements As shown in Figure 4 the switch uses local authentication for login users including the Telnet user The user account for the Telnet user is test bbb and is assigned user role le...

Page 45: ...port in the scheme Switch hwtacacs hwtac primary authentication 10 1 1 1 49 Set the shared key to expert in the scheme for the switch to authenticate to the server Switch hwtacacs hwtac key authentication simple expert Exclude ISP domain names from the usernames sent to the HWTACACS server Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Create ISP domain bbb and en...

Page 46: ...per password role network admin simple 654321 Switch quit 2 Configure the HWTACACS server This example uses ACSv4 0 a Access the User Setup page b Add a user account named test Details not shown c In the Advanced TACACS Settings area configure the following parameters Select Level 3 for the Max Privilege for any AAA Client option If the target user role is only network admin for temporary user rol...

Page 47: ...hat you have access to diagnostic commands Switch telnet 192 168 1 70 Trying 192 168 1 70 Press CTRL K to abort Connected to 192 168 1 59 Copyright c 2010 2017 Hewlett Packard Enterprise Development LP Without the owner s prior written consent no decompiling or reverse engineering shall be allowed login test bbb Password Switch User view commands ping Ping function quit Exit from current command v...

Page 48: ...e output shows that you have obtained the level 3 user role 3 Use the method in step 2 to verify that you can obtain the level 0 level 1 level 2 and network admin user roles Details not shown RBAC temporary user role authorization configuration example RADIUS authentication Network requirements As shown in Figure 7 the switch uses local authentication for login users including the Telnet user The ...

Page 49: ...e expert Exclude ISP domain names from the usernames sent to the RADIUS server Switch radius radius user name format without domain Switch radius radius quit Create ISP domain bbb and enter ISP domain view Switch domain bbb Configure ISP domain bbb to use local authentication for login users Switch isp bbb authentication login local Configure ISP domain bbb to use local authorization for login use...

Page 50: ...0 Press CTRL K to abort Connected to 192 168 1 59 Copyright c 2010 2017 Hewlett Packard Enterprise Development LP Without the owner s prior written consent no decompiling or reverse engineering shall be allowed login test bbb Password Switch User view commands ping Ping function quit Exit from current command view ssh2 Establish a secure shell client connection super Switch to a user role system v...

Page 51: ...than should be permitted by the assigned user roles Analysis The local user might have been assigned to user roles without your knowledge For example the local user is automatically assigned the default user role when you create the user Solution To resolve the issue 1 Use the display local user command to examine the local user accounts for undesirable user roles and remove them 2 If the issue pe...

Page 52: ... command A RADIUS user can log in with the default user role when no user role is assigned by the RADIUS server Add the user role authorization attributes on the RADIUS server 2 If the issue persists contact Hewlett Packard Enterprise Support ...

Page 53: ...mode Table 10 Login methods at a glance Login method Default settings and minimum configuration requirements Login configuration CLI login Configuring CLI login Console login By default console login is enabled and does not require authentication The default user role is network admin To improve device security configure password or scheme authentication for the AUX line immediately after you log ...

Page 54: ...disabled To enable SNMP access perform the following tasks Assign an IP address to a Layer 3 interface Make sure the interface and the NMS can reach each other Configure SNMP basic parameters Accessing the device through SNMP RESTful access By default RESTful access is disabled To enable RESTful access perform the following tasks Assign an IP address to a Layer 3 interface Make sure the interface ...

Page 55: ...e console cable to the console port IMPORTANT The serial ports on PCs do not support hot swapping To connect a PC to an operating device first connect the PC end To disconnect a PC from an operating device first disconnect the device end Figure 9 Connecting a terminal to the console port 3 If the PC is off turn on the PC 4 On the PC launch the terminal emulation program and create a connection tha...

Page 56: ... method and user line matrix User line Login method Console line Console port on the LSUM1SUPD0 JH198A JH206 MPU AUX line USB console port on the LSUM1SUPD0 JH198A JH206 MPU Console port on other MPUs Virtual type terminal VTY line Telnet or SSH User line numbering Every user line has an absolute number and a relative number An absolute number uniquely identifies a user line among all user lines T...

Page 57: ...8 Configure login authentication methods in ISP domain view For more information see Security Configuration Guide User roles A user is assigned user roles at login The user roles control the commands available for the user For more information about user roles see Configuring RBAC The device assigns user roles based on the login authentication mode and user type In none or password authentication ...

Page 58: ...gin Configuring password authentication for console or USB console login Configuring scheme authentication for console or USB console login In FIPS mode only the scheme authentication mode is supported Optional Configuring common AUX or console line settings N A Console or USB console login configuration changes do not take effect for current online users They take effect only for new login users ...

Page 59: ...w applies only to the user line A setting in user line class view applies to all user lines of the class A non default setting in either view takes precedence over a default setting in the other view A non default setting in user line view takes precedence over a non default setting in user line class view A setting in user line class view does not take effect for current online users It takes eff...

Page 60: ...s enabled for the AUX line by default In FIPS mode scheme authentication is enabled by default To use scheme authentication you must also perform the following tasks Configure login authentication methods in ISP domain view For remote authentication configure a RADIUS HWTACACS or LDAP scheme For local authentication create a local user account and configure the relevant attributes For more informa...

Page 61: ... class view 5 Specify the number of stop bits for a character stopbits 1 1 5 2 The default is 1 Stop bits indicate the end of a character The more the stop bits the slower the transmission This command is not available in AUX or console line class view 6 Specify the number of data bits for a character databits 5 6 7 8 The default is 8 Configure this command depending on the character coding type F...

Page 62: ...ax size value By default the buffer saves up to 10 history commands 14 Set the CLI connection idle timeout timer idle timeout minutes seconds By default the CLI connection idle timeout timer is 10 minutes If no interaction occurs between the device and the user within the idle timeout interval the system automatically terminates the user connection on the user line If you set the timeout timer to ...

Page 63: ...etting in user line view applies only to the user line A setting in user line class view applies to all user lines of the class A non default setting in either view takes precedence over a default setting in the other view A non default setting in user line view takes precedence over a non default setting in user line class view A setting in user line class view does not take effect for current on...

Page 64: ...user line class view does not take effect for current online users It takes effect only for new login users 3 Enable password authentication authentication mode password In non FIPS mode password authentication is enabled for VTY lines by default In VTY line view this command is associated with the protocol inbound command If you specify a non default value for one of the two commands the other co...

Page 65: ...ode password authentication is enabled for VTY lines by default In VTY line view this command is associated with the protocol inbound command If you specify a non default value for one of the two commands the other command uses the default setting regardless of the setting in VTY line class view To use scheme authentication you must also perform the following tasks Configure login authentication m...

Page 66: ...scp dscp value For a Telnet server running IPv6 telnet server ipv6 dscp dscp value By default the DSCP value is 48 Specifying the Telnet service port number You can use this feature to change the Telnet service port number To specify the Telnet service port number Step Command Remarks 1 Enter system view system view N A 2 Specify the Telnet service port number In an IPv4 network telnet server port...

Page 67: ...g a task escape key character default The default setting is Ctrl C 6 Set the user line locking key lock key key string By default no user line locking key is set 7 Specify the terminal display type terminal type ansi vt100 The default terminal display type is ANSI 8 Set the maximum number of lines of command output to send to the terminal at a time screen length screen length By default the devic...

Page 68: ...Use the device to log in to a Telnet server Log in to an IPv4 Telnet server telnet remote host service port vpn instance vpn instance name source interface interface type interface number ip ip address dscp dscp value Log in to an IPv6 Telnet server telnet ipv6 remote host i interface type interface number port number vpn instance vpn instance name source interface interface type interface number ...

Page 69: ...nd specify the authentication mode In non FIPS mode ssh user username service type stelnet authentication type password any password publickey publickey assign publickey keyname In FIPS mode ssh user username service type stelnet authentication type password password publickey assign publickey keyname By default no SSH user is configured on the device 5 Enter VTY line view or class view Enter VTY ...

Page 70: ...y a non default value for one of the two commands the other command uses the default setting regardless of the setting in VTY line class view 8 Optional Set the maximum number of concurrent SSH users aaa session limit ssh max sessions The default is 32 Changing this setting does not affect users who are currently online If the new limit is less than the number of online SSH users no additional SSH...

Page 71: ... you can execute this command to release some connections You cannot use this command to release the connection you are using This command is available in user view Lock the current user line and set the password for unlocking the line lock By default the system does not lock any user lines This command is not supported in FIPS mode This command is available in user view Lock the current user line...

Page 72: ... Web login web captcha verification code By default no fixed verification code is configured A Web user must enter the verification code displayed on the login page at login 2 Enter system view system view N A 3 Enable the HTTP service ip http enable By default the HTTP service is disabled 4 Optional Specify the HTTP service port number ip http port port number The default HTTP service port number...

Page 73: ...ed mode after you enable HTTPS service on the device Secure mode The device uses a certificate signed by a CA and a set of user defined security protection settings to ensure security For the device to operate in secure mode you must perform the following tasks Enable HTTPS service on the device Specify an SSL server policy for the service Configure PKI domain related parameters Simplified mode is...

Page 74: ...vice has a local certificate the SSL handshake negotiation succeeds and the HTTPS service starts up If the device does not have a local certificate the certificate application process starts Because the certificate application process takes a long time the SSL handshake negotiation might fail and the HTTPS service might not be started To solve the problem execute this command again until the HTTPS...

Page 75: ...s saved in hashed form By default no password is configured for a local user In non FIPS mode the local user can pass authentication after entering the correct username and passing attribute checks In FIPS mode the local user cannot pass authentication For security purposes configure a password for the local user 13 Assign a user role to the local user authorization attribute user role user role T...

Page 76: ...er manage admin quit Enable HTTP Sysname ip http enable Verifying the configuration 1 On the PC run the IE browser and enter the IP address of the device in the address bar 2 On the login page enter the username password and verification code Select English and click Login After you pass authentication the homepage appears and you can configure the device HTTPS login configuration example Network ...

Page 77: ...al name hostkey length 1024 Device pki domain 1 quit Create RSA local key pairs Device public key local create rsa Retrieve the CA certificate Device pki retrieve certificate domain 1 ca Configure the device to request a local certificate through SCEP Device pki request certificate domain 1 Create SSL server policy myssl Specify PKI domain 1 for the SSL server policy and enable certificate based S...

Page 78: ...era Set the password to 123 the service type to HTTPS and the user role to network admin Device local user usera Device luser usera password simple 123 Device luser usera service type https Device luser usera authorization attribute user role network admin 2 Configure the host HTTPS client On the host run the IE browser and enter http 10 1 2 2 certsrv in the address bar Request a certificate for t...

Page 79: ...NMPv2c and SNMPv3 and can cooperate with various network management software products However the device and the NMS must use the same SNMP version By default SNMP access is disabled To configure SNMP access you must first log in to the device through any other method For more information about SNMP see Network Management and Monitoring Configuration Guide Agent NMS MIB Get Set requests Get Set re...

Page 80: ...e Security Configuration Guide RESTful access over HTTP is not supported in FIPS mode Configuring RESTful access over HTTP Step Command Remarks 1 Enter system view system view N A 2 Enable RESTful access over HTTP restful http enable By default RESTful access over HTTP is disabled 3 Create a local user and enter local user view local user user name class manage By default no local user is configur...

Page 81: ...ash simple password In FIPS mode password The password is saved in hashed form By default no password is configured for a local user 5 Optional Assign a user role to the local user authorization attribute user role user role The default user role is network operator for a RESTful access user 6 Specify the HTTPS service for the local user service type https By default no service type is specified f...

Page 82: ...ress If an applied ACL does not exist or does not have any rules no user login restriction is applied If the ACL exists and has rules only users permitted by the ACL can access the device through Telnet or SSH Configuration procedures To control Telnet logins Step Command Remarks 1 Enter system view system view N A 2 Apply an ACL to filter Telnet logins telnet server acl mac acl number telnet serv...

Page 83: ...dure Configure an ACL to permit packets sourced from Host A and Host B Sysname system view Sysname acl basic 2000 match order config Sysname acl ipv4 basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl ipv4 basic 2000 rule 2 permit source 10 110 100 46 0 Sysname acl ipv4 basic 2000 quit Apply the ACL to filter Telnet logins Sysname telnet server acl 2000 Controlling Web logins Use a basic ...

Page 84: ... number name acl name By default no ACL is applied to the HTTP or HTTPS service Logging off online Web users To log off online Web users execute the following command in user view Task Command Log off online Web users free web users all user id user id user name user name Configuration example Network requirements As shown in Figure 17 the device is an HTTP server Configure the device to provide H...

Page 85: ...ommunity name mib view view name acl ipv4 acl number name ipv4 acl name acl ipv6 ipv6 acl number name ipv6 acl name In RBAC mode snmp agent community simple cipher community name user role role name acl ipv4 acl number name ipv4 acl name acl ipv6 ipv6 acl number name ipv6 acl name Method 2 Create an SNMPv1 v2c group and add a user to the group specifying ACLs for the group and user a snmp agent gr...

Page 86: ... role role name remote ipv4 address ipv6 ipv6 address vpn instance vpn instance name cipher simple authentication mode md5 sha auth password privacy mode aes128 3des des56 priv password acl ipv4 acl number name ipv4 acl name acl ipv6 ipv6 acl number name ipv6 acl name In FIPS mode In VACM mode snmp agent usm user v3 user name group name remote ipv4 address ipv6 ipv6 address vpn instance vpn instan...

Page 87: ... a user depend only on the user s user roles When the authentication mode is scheme you can configure the command authorization feature to further control access to commands After you enable command authorization a user can use only commands that are permitted by both the AAA scheme and user roles The command authorization method can be different from the user login authorization method This secti...

Page 88: ...fault In FIPS mode scheme authentication is enabled by default In VTY line view this command is associated with the protocol inbound command If you specify a non default value for one of the two commands the other command uses the default setting regardless of the setting in VTY line class view 4 Enable command authorization command authorization By default command authorization is disabled and th...

Page 89: ...s tac primary authorization 192 168 2 20 49 Set the shared keys to expert Device hwtacacs tac key authentication simple expert Device hwtacacs tac key authorization simple expert Remove domain names from usernames sent to the HWTACACS server Device hwtacacs tac user name format without domain Device hwtacacs tac quit Configure the system defined domain system Device domain system Use HWTACACS sche...

Page 90: ... A 2 Enter user line view or user line class view Enter user line view line first number1 last number1 aux console vty first number2 last number2 Enter user line class view line class aux console vty A setting in user line view applies only to the user line A setting in user line class view applies to all user lines of the class A non default setting in either view takes precedence over a default ...

Page 91: ...sers need to log in to the device to manage the device Configure the device to send commands executed by users to the HWTACACS server to monitor and control user operations on the device Figure 20 Network diagram Configuration procedure Enable the Telnet server Device system view Device telnet server enable Enable command accounting for user line AUX 0 Device line aux 0 Device line aux0 command ac...

Page 92: ...0 49 Set the shared key to expert Device hwtacacs tac key accounting simple expert Remove domain names from usernames sent to the HWTACACS server Device hwtacacs tac user name format without domain Device hwtacacs tac quit Configure the system defined domain system to use the HWTACACS scheme for command accounting Device domain system Device isp system accounting command hwtacacs scheme tac Device...

Page 93: ...es Active mode PORT The FTP server initiates the TCP connection This mode is not suitable when the FTP client is behind a firewall for example when the FTP client resides in a private network Passive mode PASV The FTP client initiates the TCP connection This mode is not suitable when the server does not allow the client to use a random unprivileged port greater than 1024 FTP operation mode varies ...

Page 94: ...al Set the maximum number of concurrent FTP users aaa session limit ftp max sessions The default is 32 Changing this setting does not affect users who are currently online If the new list is less than the number of online FTP users no additional FTP users can log in until the number drops below the new limit For more information about this command see Security Command Reference Configuring authent...

Page 95: ...rs display ftp user FTP server configuration example in standalone mode Network requirements Configure the device as an FTP server Create a local user account named abc on the FTP server Set the password to 123456 Use the user account to log in to the FTP server from the FTP client Upload the temp bin file from the FTP client to the FTP server Download configuration file startup cfg from the FTP s...

Page 96: ...4 51 38 seclog 4 rw 2943 Jul 02 2011 08 03 08 startup cfg 5 rw 63901 Jul 02 2011 08 03 08 startup mdb 6 rw 716 Jun 21 2011 14 58 02 hostkey 7 rw 572 Jun 21 2011 14 58 02 serverkey 8 rw 6541264 Aug 04 2011 20 40 49 backup bin 473664 KB total 467080 KB free Sysname delete unreserved flash backup bin 3 Perform FTP operations from the PC FTP client Log in to the FTP server at 1 1 1 1 using username ab...

Page 97: ...d abc Set the password to 123456 Sysname system view Sysname local user abc class manage Sysname luser abc password simple 123456 Assign the network admin user role to the user Set the working directory to the root directory of the flash memory on the global active MPU To set the working directory to the root directory of the flash memory on one of the global standby MPUs replace flash with for ex...

Page 98: ...ystem view system view N A 2 Optional Specify a source IP address for outgoing FTP packets ftp client source interface interface type interface number ip source ip address By default no source IP address is specified The device uses the primary IP address of the output interface as the source IP address 3 Return to user view quit N A 4 Log in to the FTP server Method 1 Log in to the FTP server fro...

Page 99: ...one set by the ftp client ipv6 source command Managing directories on the FTP server Perform the following tasks in FTP client view Task Command Display directory and file information on the FTP server Display the detailed information of a directory or file on the FTP server dir remotefile localfile Display the name of a directory or file on the FTP server ls remotefile localfile Change the workin...

Page 100: ...cd directory N A Upload a file to the FTP server put localfile remotefile N A Download a file from the FTP server get remotefile localfile N A Add the content of a file on the FTP client to a file on the FTP server append localfile remotefile N A Specify the retransmit marker restart marker Use this command together with the put get or append command Update the local file newer remotefile N A Get ...

Page 101: ...ion is enabled Enable or disable FTP client debugging debug By default FTP client debugging is disabled Clear the reply information in the buffer reset N A Terminating the FTP connection Execute one of the following commands in FTP client view Task Command Terminate the connection to the FTP server without exiting FTP client view disconnect close Terminate the connection to the FTP server and retu...

Page 102: ...ing username abc and password 123456 Sysname ftp 10 1 1 1 Press CTRL C to abort Connected to 10 1 1 1 10 1 1 1 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User 10 1 1 1 none abc 331 Give me your password please Password 230 Logged in successfully Remote system type is MSDOS ftp Set the file transfer mode to binary ftp binary 200 TYPE is now 8 bit binary Download the temp bi...

Page 103: ...rom the FTP client to the FTP server for backup Figure 25 Network diagram Configuration procedure Configure IP addresses as shown in Figure 25 Make sure the IRF fabric and PC can reach each other Details not shown Examine the storage space on the member devices If the free space is insufficient use the delete unreserved file url command to delete unused files Details not shown Log in to the FTP se...

Page 104: ... root directory of the flash memory on the global standby MPUs ftp get temp bin chassis1 slot1 flash temp bin ftp get temp bin chassis2 slot0 flash temp bin ftp get temp bin chassis2 slot1 flash temp bin Use the ASCII mode to upload configuration file config cfg from the IRF fabric to the PC for backup ftp ascii 200 TYPE is now ASCII ftp put config cfg back config cfg local config cfg remote back ...

Page 105: ...ds and parameters might differ in FIPS mode and non FIPS mode For more information about FIPS mode see Security Configuration Guide TFTP is not supported in FIPS mode Configuring the device as an IPv4 TFTP client Step Command Remarks 1 Enter system view system view N A 2 Optional Use an ACL to control the client s access to TFTP servers tftp server acl acl number By default no ACL is used for acce...

Page 106: ...r ipv6 source ipv6 address By default no source IPv6 address is specified The source address is automatically selected as defined in RFC 3484 4 Return to user view quit N A 5 Download or upload a file in an IPv6 network tftp ipv6 tftp server i interface type interface number get put sget source filename destination filename vpn instance vpn instance name dscp dscp value source interface interface ...

Page 107: ...cation In standalone mode To identify a file system on the active MPU you do not need to specify the file system location To identify a file system on the standby MPU you must specify the file system location in the slotn format The n argument represents the slot number of a card For example the location is slot16 for a file system that resides on the card in slot 16 In IRF mode To identify a file...

Page 108: ...ure the directory name does not start with a dot character Commonly used directories The device has some factory default directories The system automatically creates directories during operation These directories include diagfile Stores diagnostic information files logfile Stores log files seclog Stores security log files versionInfo Stores software version information files Files File naming conv...

Page 109: ...directoryn filename where directoryn is the directory in which the file resides Enter the relative path of the file and the file name For example the working directory is flash The samplefile cfg file is in the test2 directory shown in Figure 27 To specify the file you can use the following methods flash test test1 test2 samplefile cfg test test1 test2 samplefile cfg FIPS compliance The device sup...

Page 110: ...rking directory to the root directory of the file system b Execute the dir command Before managing file systems directories and files make sure you know the possible impact Managing storage media and file systems Partitioning a CF card or a USB disk A CF card or a USB disk can be divided into logical devices called partitions Operations on one partition do not affect the other partitions Restricti...

Page 111: ...rage medium from the device you must first unmount all file systems on the storage medium to disconnect the medium from the device Removing a connected hot swappable storage medium might damage files on the storage medium or even the storage medium itself To use an unmounted file system you must mount the file system again Restrictions and guidelines You can mount or unmount a file system only whe...

Page 112: ...playing directory information Perform this task in user view Task Command Remarks Display directory or file information dir all file directory all filesystems If multiple users perform file operations for example creating or deleting files or directories at the same time the output for this command might be incorrect Displaying the working directory Perform this task in user view Task Command Disp...

Page 113: ...es tar list archive file file Deleting a directory To delete a directory you must delete all files and subdirectories in the directory To delete a file use the delete command To delete a subdirectory use the rmdir command Deleting a directory permanently deletes all its files in the recycle bin if any Perform this task in user view Task Command Delete a directory rmdir directory Setting the operat...

Page 114: ...irectory or file information dir all file directory all filesystems If multiple users perform file operations for example creating or deleting files or directories at the same time the output for this command might be incorrect Displaying the contents of a text file Perform this task in user view Task Command Display the contents of a text file more file Renaming a file Perform this task in user v...

Page 115: ... archived files tar list archive file file Deleting or restoring a file You can delete a file permanently or move it to the recycle bin A file moved to the recycle bin can be restored but a permanently deleted file cannot Files in the recycle bin occupy storage space To save storage space periodically empty the recycle bin by using the reset recycle bin command Perform the following tasks in user ...

Page 116: ...are used to verify file integrity Use the following commands in user view Task Command Calculate the digest of a file by using the SHA 256 algorithm sha256sum file Calculate the digest of a file by using the MD5 algorithm md5sum file Setting the operation mode for files The device supports the following file operation modes alert The system prompts for confirmation when your operation might cause ...

Page 117: ...faults are custom basic settings that came with the device Factory defaults vary by device models and might differ from the initial default settings for the commands The device starts up with the factory defaults if it does not have a next startup configuration file or all the specified next startup configuration files are corrupt or deleted To display the factory defaults use the display default ...

Page 118: ...ile that has the same name as the cfg file The device loads an mdb file faster than loading a cfg file Startup configuration file selection At startup the device uses the following procedure to identify the configuration file to load 1 The device searches for a valid cfg next startup configuration file For more information about the file selection rules see Next startup configuration file redundan...

Page 119: ...ncryption enables the device to encrypt a startup configuration file automatically when it saves the running configuration All devices running Comware 7 software use the same method to encrypt configuration files NOTE Any devices running Comware 7 software can decrypt the encrypted configuration files To prevent an encrypted file from being decoded by unauthorized users make sure the file is acces...

Page 120: ...iguration Restrictions and guidelines When a card is removed from the device its settings are retained in memory but removed from the running configuration on the device Saving the running configuration before installing the replacement card will remove the card s settings from the next startup configuration file If you have saved the running configuration after removing a card perform the followi...

Page 121: ...y file and starts overwriting the target next startup configuration file after the save operation is complete If a reboot or power failure occurs during the save operation the next startup configuration file is still retained Use the safe mode if the power source is not reliable or you are remotely configuring the device In standalone mode To save the running configuration perform one of the follo...

Page 122: ...iguration file without rebooting the device use the configuration rollback feature This feature helps you revert to a previous configuration state or adapt the running configuration to different network environments The configuration rollback feature compares the running configuration against the specified replacement configuration file and handles configuration differences as follows If a command...

Page 123: ...tion archives is reached the system deletes the oldest archive to make room for the new archive To set configuration archive parameters Step Command Remarks 1 Enter system view system view N A 2 Set the directory and file name prefix for archiving the running configuration archive configuration location directory filename prefix filename prefix By default no path or file name prefix is set for con...

Page 124: ...the configuration attempt fails Make sure you have set an archive path and file name prefix before performing this task Perform the following task in user view Task Command Manually archive the running configuration archive configuration Rolling back configuration CAUTION To ensure a successful rollback do not perform the following operations while the system is rolling back the configuration Inst...

Page 125: ...ature prevents a misconfiguration from causing the inability to access the device and is especially useful when you configure the device remotely When you use this feature follow these restrictions and guidelines In a multi user context make sure no one else is configuring the device You cannot perform any operations during the configuration rollback The configuration commit delay feature is a one...

Page 126: ...pecify a next startup configuration file startup saved configuration cfgfile backup main By default no next startup configuration files are specified If you do not specify the backup or main keyword this command specifies the configuration file as the main next startup configuration file Use the display startup command and the display saved configuration command in any view to verify the configura...

Page 127: ...tup display saved configuration N A Deleting a next startup configuration file CAUTION In standalone mode This task permanently deletes a next startup configuration file from the device In IRF mode This task permanently deletes a next startup configuration file from all member devices You can perform this task to delete a next startup configuration file If both the main and backup next startup con...

Page 128: ... interface type interface number all chassis chassis number Display the differences that the running configuration has as compared with the next startup configuration display current configuration diff Display the factory defaults display default configuration Display the differences between configurations display diff configfile file name s configfile file name d current configuration startup con...

Page 129: ...management interface management configuration management and routing Feature image A bin file that contains advanced software features Users purchase feature images as needed Patch image A bin file irregularly released for fixing bugs without rebooting the device A patch image does not add new features or functions Comware images that have been loaded are called current software images Comware ima...

Page 130: ...pon power on the BootWare image runs to initialize hardware and then the startup software images run to start up the entire system as shown in Figure 29 Main boot image exists and valid Start Backup boot image exists and valid No Startup fails You must load the image from the BootWare menu Main system image exists and valid Backup system image exists and valid No Yes Yes All main feature images ex...

Page 131: ... the BootWare menu BootWare image Comware software images Use this method when the device cannot start up correctly To use this method first connect to the console port and power cycle the device Then press Ctrl B at prompt to access the BootWare menu IMPORTANT Upgrade an IRF system from the CLI instead of the BootWare menu if possible The BootWare menu method increases the service downtime becaus...

Page 132: ...ium is partitioned save the file to the root directory of the first file system on the storage medium For more information about FTP and TFTP see Configuring FTP or Configuring TFTP For more information about partitioning see Managing file systems Upgrade task list Tasks at a glance Remarks Optional Preloading the BootWare image to BootWare If a BootWare upgrade is required you can perform this ta...

Page 133: ...ting the upgrade in standalone mode Perform this task in user view To specify the startup image file and complete the upgrade Step Command Remarks 1 Specify main or backup startup images for the active MPU Use an ipe file for upgrade boot loader file ipe filename all slot slot number backup main Use bin files for upgrade boot loader file boot filename system filename feature filename 1 30 all slot...

Page 134: ...its main startup images are synchronized to the standby MPU This synchronization occurs regardless of whether any change has occurred to this set of startup images If the active MPU started up with backup startup images its backup startup images are synchronized to the standby MPU This synchronization occurs regardless of whether any change has occurred to this set of startup images Startup image ...

Page 135: ...grade has been performed use the install commit command to update the main startup images on the active MPU before software synchronization The command ensures startup image consistency between the active MPU and the standby MPU The boot loader update command uses the main or backup startup image list for synchronization instead of the current software images list The main images list is used if t...

Page 136: ...enable software synchronization from the active MPU to the standby MPU at startup Step Command Remarks 1 Enter system view system view N A 2 Enable startup software version check for the standby MPU undo version check ignore By default startup software version check is enabled 3 Enable software auto update for the standby MPU version auto update enable By default software version auto update is en...

Page 137: ...to the current directory as boot_backup bin and system_backup bin Sysname copy boot bin boot_backup bin Sysname copy system bin system_backup bin Specify boot_backup bin and system_backup bin as the backup startup image files for both MPUs Sysname boot loader file boot flash boot_backup bin system flash system_backup bin slot 0 backup Sysname boot loader file boot flash boot_backup bin system flas...

Page 138: ... chassis 2 slot 1 main Copy the bin image files decompressed from startup a2105 ipe and save them to the current directory as boot_backup bin and system_backup bin Sysname copy boot bin boot_backup bin Sysname copy system bin system_backup bin Specify boot_backup bin and system_backup bin as the backup startup image files for all MPUs Sysname boot loader file boot flash boot_backup bin system flas...

Page 139: ...130 Sysname display version ...

Page 140: ...are version is compatible with the new software version This upgrade type supports the ISSU methods in Table 13 Incompatible upgrade The running software version is incompatible with the new software version The two versions cannot run concurrently This upgrade type supports only one upgrade method also called incompatible upgrade This method requires a cold reboot to upgrade both control and data...

Page 141: ...on an IRF fabric Feature image upgrade and system patching on a device in standalone mode or on an IRF fabric Impact on the system Large Small Technical skill requirements Low As a best practice use this command set High Administrators must have extensive system knowledge and understand the impact of each upgrade task on the network Preparing for ISSU To perform a successful ISSU make sure all the...

Page 142: ...ormation The signature of a software image might be HP HP US or HPE Identifying the ISSU method 1 Execute the display version comp matrix file command for the upgrade image version compatibility information 2 Check the Version compatibility list field If the running software version is in the list a compatible upgrade is required If the running software version is not in the list an incompatible u...

Page 143: ...evice while you are performing the ISSU Do not perform any of the following tasks during an ISSU Reboot add or remove cards Execute commands that are irrelevant to the ISSU Modify delete or rename image files You cannot use both install and issu commands for an ISSU However you can use display issu commands with both command sets For more information see Displaying and maintaining ISSU You do not ...

Page 144: ...is complicated 3 Return to user view quit N A 4 Load the upgrade images as main startup software images on subordinate members Use bin image files issu load file boot filename system filename feature filename 1 30 chassis chassis number reboot Use an ipe image file issu load file ipe ipe filename chassis chassis number 1 3 reboot Specify the member ID of a subordinate member for the chassis number...

Page 145: ...ter subordinate switchover to complete the ISSU process issu run switchover N A Performing an ISSU by using install commands ISSU task list Tasks at a glance Remarks Optional Decompressing an ipe file To use install commands for upgrade you must use bin image files If the upgrade file is an ipe file perform this task before you use install commands for upgrade Required Perform one of the following...

Page 146: ... an image you must begin with the active MPU When you upgrade an image you must begin with the standby MPU In IRF mode When you install an image you must begin with the master On each member device begin with the active MPU When you upgrade an image you must begin with a subordinate device On each member device begin with the standby MPU When you install or upgrade images on an active MPU the syst...

Page 147: ... patch images In standalone mode install activate patch filename all slot slot number In IRF mode install activate patch filename all chassis chassis number slot slot number Uninstalling feature or patch images The uninstall operation only removes images from the current software image list For the change to take effect after a reboot you must perform a commit operation to remove the images from t...

Page 148: ...pgrade or install or uninstall patches the main startup image list does not update with the changes The software changes are lost at reboot For the changes to take effect after a reboot you must commit the changes Perform this task in user view Task Command Remarks Commit the software changes install commit This command commits all software changes Verifying software images Perform this task to ve...

Page 149: ...ware images included in an ipe file display install ipe info ipe filename Display ongoing ISSU activate and deactivate operations display install job Display ISSU log entries display install log log id verbose Display software image file information display install package filename all verbose Display all software image files that include a specific component or file display install which componen...

Page 150: ...ame chassis chassis number slot slot number N A Display ISSU status information display issu state This command applies only to an ISSU that uses issu commands Display version compatibility information and identify the upgrade method display version comp matrix N A Clear ISSU log entries reset install log history oldest log number N A Troubleshooting ISSU in IRF mode Failure to execute the issu lo...

Page 151: ...Sysname tftp 2 2 2 2 get feature1 r0202 bin Total Received Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 256 100 256 0 0 764 0 810 Display active software images Sysname display install active Active packages on chassis 1 slot 6 flash boot r0201 bin flash system r0201 bin flash feature1 r0201 bin Active packages on chassis 1 slot 7 flash boot r0201 bin flash sy...

Page 152: ...rding to following table on chassis 1 slot 6 flash feature1 r0202 bin feature1 CFA Influenced service according to following table on chassis 1 slot 7 flash feature1 r0202 bin feature1 CFA Influenced service according to following table on chassis 2 slot 6 flash feature1 r0202 bin feature1 CFA Influenced service according to following table on chassis 2 slot 7 flash feature1 r0202 bin feature1 CFA...

Page 153: ... bin Done Verifying the file flash feature1 r0202 bin on Chassis 2 slot 7 Done Upgrade summary according to following table flash feature1 r0202 bin Running Version New Version Alpha 0201 Alpha 0202 Chassis Slot Upgrade Way 2 6 Service Upgrade 2 7 Service Upgrade Upgrading software images to compatible versions Continue Y N y This operation might take several minutes please wait Done Perform a mai...

Page 154: ...r0201 bin flash feature1 r0202 bin Active packages on chassis 1 slot 7 flash boot r0201 bin flash system r0201 bin flash feature1 r0202 bin Active packages on chassis 2 slot 6 flash boot r0201 bin flash system r0201 bin flash feature1 r0202 bin Active packages on chassis 2 slot 7 flash boot r0201 bin flash system r0201 bin flash feature1 r0202 bin Feature upgrade to an incompatible version Upgrade...

Page 155: ...01 bin flash system r0201 bin flash feature1 r0201 bin Active packages on chassis 2 slot 6 flash boot r0201 bin flash system r0201 bin flash feature1 r0201 bin Active packages on chassis 2 slot 7 flash boot r0201 bin flash system r0201 bin flash feature1 r0201 bin Identify the recommended ISSU method for the upgrade and view the possible impact of the upgrade Sysname display version comp matrix fi...

Page 156: ...IRF fabric by itself Sysname issu load file feature flash feature1 r0202 bin chassis 2 This operation will delete the rollback point information for the previous upgrade and maybe get unsaved configuration lost Continue Y N y Verifying the file flash feature1 r0202 bin on Chassis 1 slot 6 Done Copying file flash feature1 r0202 bin to chassis2 slot6 flash feature1 r0202 bin Done Verifying the file ...

Page 157: ...stem r0201 bin flash feature1 r0202 bin Active packages on chassis 1 slot 7 flash boot r0201 bin flash system r0201 bin flash feature1 r0202 bin Active packages on chassis 2 slot 6 flash boot r0201 bin flash system r0201 bin flash feature1 r0202 bin Active packages on chassis 2 slot 7 flash boot r0201 bin flash system r0201 bin flash feature1 r0202 bin Examples of using issu commands for ISSU on a...

Page 158: ... soft version1 bin Active packages on chassis 1 slot 6 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Active packages on chassis 1 slot 7 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Active packages on chassis 2 slot 3 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Active packages on chassis 2 slot...

Page 159: ...cmw710 system test bin flash soft version1 bin Active packages on chassis 4 slot 6 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Active packages on chassis 4 slot 7 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Identify the ISSU method and possible impact of the upgrade Sysname display version comp matrix file feature flash soft v...

Page 160: ... 1 quit Sysname interface gigabitethernet3 3 0 1 Sysname GigabitEthernet3 3 0 1 link delay 0 mode updown Sysname GigabitEthernet3 3 0 1 quit Sysname interface gigabitethernet4 3 0 1 Sysname GigabitEthernet4 3 0 1 link delay 0 mode updown Sysname GigabitEthernet4 3 0 1 quit Sysname quit Upgrade the feature on subordinate member 2 Sysname issu load file feature flash soft version2 bin chassis 2 This...

Page 161: ... to chassis1 slot7 flash soft version2 bin Done Verifying the file flash soft version2 bin on chassis 1 slot 7 Done Upgrade summary according to following table flash soft version2 bin Running Version New Version None Release 7168 Chassis Slot Upgrade Way 1 3 Service Upgrade 1 6 Service Upgrade 1 7 Service Upgrade Upgrading software images to compatible versions Continue Y N y This operation might...

Page 162: ...ice Upgrade 4 6 Service Upgrade 4 7 Service Upgrade Upgrading software images to compatible versions Continue Y N y This operation might take several minutes please wait Done Verify that all members are running the new image Sysname display install active Active packages on chassis 1 slot 3 flash cmw710 boot test bin flash cmw710 system test bin flash soft version2 bin Active packages on chassis 1...

Page 163: ... slot 3 flash cmw710 boot test bin flash cmw710 system test bin flash soft version2 bin Active packages on chassis 4 slot 6 flash cmw710 boot test bin flash cmw710 system test bin flash soft version2 bin Active packages on chassis 4 slot 7 flash cmw710 boot test bin flash cmw710 system test bin flash soft version2 bin Feature upgrade to an incompatible version upgrading one subordinate member firs...

Page 164: ... soft version1 bin Active packages on chassis 1 slot 6 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Active packages on chassis 1 slot 7 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Active packages on chassis 2 slot 3 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Active packages on chassis 2 slot...

Page 165: ...t version1 bin Active packages on chassis 4 slot 6 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Active packages on chassis 4 slot 7 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Identify the ISSU method and possible impact of the upgrade Sysname display version comp matrix file feature flash soft version2 bin Verifying the file f...

Page 166: ...issu load file feature flash soft version2 bin chassis 2 This operation will delete the rollback point information for the previous upgrade and maybe get unsaved configuration lost Continue Y N y Verifying the file flash soft version2 bin on chassis 1 slot 6 Done Copying file flash soft version2 bin to chassis2 slot6 flash soft version2 bin Done Verifying the file flash soft version2 bin on chassi...

Page 167: ...de summary according to following table flash soft version2 bin Running Version New Version Release 7168 Release 7168 Chassis Slot Upgrade Way 1 3 Reboot 1 6 Reboot 1 7 Reboot 3 3 Reboot 3 6 Reboot 3 7 Reboot 4 3 Reboot 4 6 Reboot 4 7 Reboot Upgrading software images to incompatible versions Continue Y N y This operation might take several minutes please wait Done Verify that all members are runni...

Page 168: ...bin flash cmw710 system test bin flash soft version2 bin Active packages on chassis 4 slot 3 flash cmw710 boot test bin flash cmw710 system test bin flash soft version2 bin Active packages on chassis 4 slot 6 flash cmw710 boot test bin flash cmw710 system test bin flash soft version2 bin Active packages on chassis 4 slot 7 flash cmw710 boot test bin flash cmw710 system test bin flash soft version2...

Page 169: ... soft version1 bin Active packages on chassis 1 slot 6 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Active packages on chassis 1 slot 7 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Active packages on chassis 2 slot 3 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Active packages on chassis 2 slot...

Page 170: ...t version1 bin Active packages on chassis 4 slot 6 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Active packages on chassis 4 slot 7 flash cmw710 boot test bin flash cmw710 system test bin flash soft version1 bin Identify the ISSU method and possible impact of the upgrade Sysname display version comp matrix file feature flash soft version2 bin Verifying the file f...

Page 171: ... 4 This operation will delete the rollback point information for the previous upgrade and maybe get unsaved configuration lost Continue Y N y Verifying the file flash soft version2 bin on chassis 1 slot 6 Done Copying file flash soft version2 bin to chassis2 slot6 flash soft version2 bin Done Copying file flash soft version2 bin to chassis2 slot7 flash soft version2 bin Done Copying file flash sof...

Page 172: ...ollowing table flash soft version2 bin Running Version New Version Release 7168 Release 7168 Chassis Slot Upgrade Way 1 3 Reboot 1 6 Reboot 1 7 Reboot Upgrading software images to incompatible versions Continue Y N y This operation might take several minutes please wait Done Verify that all members are running the new image Sysname display install active Active packages on chassis 1 slot 3 flash c...

Page 173: ... 7 flash cmw710 boot test bin flash cmw710 system test bin flash soft version2 bin Active packages on chassis 4 slot 3 flash cmw710 boot test bin flash cmw710 system test bin flash soft version2 bin Active packages on chassis 4 slot 6 flash cmw710 boot test bin flash cmw710 system test bin flash soft version2 bin Active packages on chassis 4 slot 7 flash cmw710 boot test bin flash cmw710 system te...

Page 174: ...n flash system r0201 bin flash feature1 r0201 bin Active packages on slot 7 flash boot r0201 bin flash system r0201 bin flash feature1 r0201 bin Identify the version compatibility recommended ISSU methods and possible impact of the upgrade Sysname install activate feature flash feature1 r0202 bin slot 7 test Copying file flash feature1 r0202 bin to slot7 flash feature1 r0202 bin Done Verifying the...

Page 175: ...ash feature1 r0202 bin Done Verifying the file flash feature1 r0202 bin on slot 7 Done Upgrade summary according to following table flash feature1 r0202 bin Running Version New Version Alpha 0201 Alpha 0202 Slot Upgrade Way 7 Service Upgrade Upgrading software images to compatible versions Continue Y N y This operation might take several minutes please wait Done Sysname install activate feature fl...

Page 176: ... Each member has one MPU in slot 6 active MPU and one MPU in slot 7 standby MPU Upgrade the feature1 feature from R0201 to R0202 The two versions are compatible Figure 38 Network diagram Upgrade procedure Download the ipe file that contains the R0202 feature image from the TFTP server Sysname tftp 2 2 2 2 get feature1 r0202 ipe Total Received Xferd Average Speed Time Time Time Current Dload Upload...

Page 177: ...e possible impact of the upgrade Sysname install activate feature flash feature1 r0202 bin chassis 2 slot 7 test Copying file flash feature1 r0202 bin to chassis2 slot7 flash feature1 r0202 bin Done Verifying the file flash feature1 r0202 bin on chassis 2 slot 7 Done Upgrade summary according to following table flash feature1 r0202 bin Running Version New Version Alpha 0201 Alpha 0202 Chassis Slot...

Page 178: ...1 7 Service Upgrade Influenced service according to following table on chassis 1 slot 6 flash feature1 r0202 bin feature1 CFA Influenced service according to following table on chassis 1 slot 7 flash feature1 r0202 bin feature1 CFA Sysname install activate feature flash feature1 r0202 bin chassis 1 slot 6 test Verifying the file flash feature1 r0202 bin on chassis 1 slot 6 Done Upgrade summary acc...

Page 179: ... flash feature1 r0202 bin to chassis2 slot6 flash feature1 r0202 bin Done Verifying the file flash feature1 r0202 bin on chassis 2 slot 6 Done Upgrade summary according to following table flash feature1 r0202 bin Running Version New Version Alpha 0201 Alpha 0202 Chassis Slot Upgrade Way 2 6 Service Upgrade Upgrading software images to compatible versions Continue Y N y This operation might take se...

Page 180: ...ght take several minutes please wait Done Verify that the new feature image has been activated Sysname display install active Active packages on chassis 1 slot 6 flash boot r0201 bin flash system r0201 bin flash feature1 r0202 bin Active packages on chassis 1 slot 7 flash boot r0201 bin flash system r0201 bin flash feature1 r0202 bin Active packages on chassis 2 slot 6 flash boot r0201 bin flash s...

Page 181: ...ore information about how to log in through the console port see Using the console port for the first device access This feature is not available on LSU1SUPB0 JG496A and LSUM1SUPD0 JH198A JH206 MPUs Managing the file systems The emergency shell provides some basic file system management commands for managing files directories and storage media IMPORTANT A file deleted by using the delete command c...

Page 182: ...following tasks Assign an IP address the management Ethernet interface Bring up the management Ethernet interface If the servers reside on a different network specify a gateway for the management Ethernet interface To configure the management Ethernet interface on an IPv4 network Step Command Remarks 1 Enter system view system view N A 2 Enter management Ethernet interface view interface m eth0 N ...

Page 183: ...e the following command in any view Task Command Check the connectivity to an IPv6 address ping ipv6 c count s size ipv6 address Accessing the server In emergency shell mode the device can perform the following operations Act as an FTP or TFTP client to download software packages from an FTP or TFTP server Act as an FTP or TFTP client to upload software packages to an FTP or TFTP server Act as a T...

Page 184: ...r ipv6 address get remote file local file put local file remote file Use TFTP to download a file from or upload a file to an IPv6 server tftp ipv6 server ipv6 address get remote file local file put local file remote file Loading the system image IMPORTANT The version of the system image must match that of the boot image Before loading a system image use the display version and display install pack...

Page 185: ... The device and PC can reach each other Use the TFTP client service on the device to download system image system bin from the PC and start the Comware system on the device Figure 39 Network diagram Usage procedure Identify which files are stored and how much space is available in the file system boot dir Directory of flash 0 drw 5954 Apr 26 2007 21 06 29 logfile 1 rw 1842 Apr 27 2007 04 37 17 boo...

Page 186: ...m 1 2 1 1 seq 1 ttl 128 time 0 717 ms 56 bytes from 1 2 1 1 seq 2 ttl 128 time 0 891 ms 56 bytes from 1 2 1 1 seq 3 ttl 128 time 0 745 ms 56 bytes from 1 2 1 1 seq 4 ttl 128 time 0 911 ms 1 2 1 1 ping statistics 5 packets transmitted 5 packets received 0 packet loss round trip min avg max 0 717 1 101 2 243 ms Download the system bin file from the TFTP server boot tftp 1 2 1 1 get system bin flash ...

Page 187: ...178 Press ENTER to get started After you press Enter the following information appears System System Sep 23 18 29 59 777 2016 S58 59 SHELL 5 SHELL_LOGIN TTY logged in from aux0 ...

Page 188: ...erver HTTP or TFTP server A DNS server might also be required Server based automatic configuration applies to scenarios that have the following characteristics A number of devices need to be configured The devices to be configured are widely distributed The configuration workload on individual devices is heavy Using server based automatic configuration As shown in Figure 40 server based automatic ...

Page 189: ...s mappings and must be named network cfg All mapping entries in the host name file must use the ip host host name ip address format Each mapping entry must reside on a separate line For example ip host host1 101 101 101 101 ip host host2 101 101 101 102 ip host client1 101 101 101 103 ip host client2 101 101 101 104 Configuration files To prepare configuration files For devices that require differ...

Page 190: ...owing tasks for each of the devices on the DHCP server Create a DHCP address pool Configure a static address binding Specify a configuration file or script file Because an address pool can use only one configuration file you can specify only one static address binding for an address pool For devices for which you have prepared the same configuration file use either of the following methods Method ...

Page 191: ...arks 1 Enter system view system view N A 2 Enable DHCP dhcp enable By default DHCP is disabled 3 Create a DHCP address pool and enter its view dhcp server ip pool pool name By default no DHCP address pool is created 4 Configure the address pool Method 1 Specify the primary subnet for the address pool network network address mask length mask mask Method 2 Configure a static binding static bind ip a...

Page 192: ...f the management Ethernet interface at Layer 2 If the status is up the device uses the management Ethernet interface 2 Identifies the status of Layer 2 Ethernet interfaces If one or more Layer 2 Ethernet interfaces are in up state the device uses the VLAN interface of the default VLAN 3 Sorts all Layer 3 Ethernet interfaces in up state first in lexicographical order of interface types and then in ...

Page 193: ...equire administrators to enter their respective usernames and passwords at login Figure 41 Network diagram Configuration procedure 1 Configure the DHCP server Create a VLAN interface and assign an IP address to the interface SwitchA system view SwitchA vlan 2 SwitchA vlan2 port gigabitethernet 1 0 1 SwitchA vlan2 quit SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 1 ...

Page 194: ...2 168 3 0 24 SwitchA dhcp pool rd tftp server ip address 192 168 1 40 SwitchA dhcp pool rd gateway list 192 168 3 1 SwitchA dhcp pool rd bootfile name rd cfg SwitchA dhcp pool rd quit Configure static routes to the DHCP relay agents SwitchA ip route static 192 168 2 0 24 192 168 1 41 SwitchA ip route static 192 168 3 0 24 192 168 1 43 SwitchA quit 2 Configure the gateway Switch B Create VLAN inter...

Page 195: ... vlan interface 3 SwitchC Vlan interface3 ip address 192 168 3 1 24 SwitchC Vlan interface3 quit Enable DHCP SwitchC dhcp enable Enable the DHCP relay agent on VLAN interface 3 SwitchC interface vlan interface 3 SwitchC Vlan interface3 dhcp select relay Specify the DHCP server address SwitchC Vlan interface3 dhcp relay server address 192 168 1 42 4 Configure the TFTP server On the TFTP server crea...

Page 196: ... the working directory Details not shown Verify that the TFTP server and DHCP relay agents can reach each other Details not shown Verifying the configuration 1 Power on Switch D Switch E Switch F and Switch G 2 After the access devices start up display assigned IP addresses on Switch A SwitchA display dhcp server ip in use IP address Client identifier Lease expiration Type Hardware address 192 168...

Page 197: ...configuration tasks Enable the administrator to Telnet to Switch A to manage Switch A Require the administrator to enter the correct username and password at login Figure 42 Network diagram Configuration procedure 1 Configure the DHCP server Enable DHCP DeviceA system view DeviceA dhcp enable Configure address pool 1 to assign IP addresses on the 192 168 1 0 24 subnet to clients DeviceA dhcp serve...

Page 198: ...iration Type Hardware address 192 168 1 2 0030 3030 632e 3239 Dec 12 17 41 15 2013 Auto C 3035 2e36 3736 622d 4574 6830 2f30 2f32 3 Telnet to 192 168 1 2 from Device A DeviceA telnet 192 168 1 2 4 Enter username user and password abcabc as prompted Details not shown You are logged in to Switch A Automatic configuration using HTTP server and Python script Network requirements As shown in Figure 43 ...

Page 199: ... type telnet quit user interface vty 0 63 authentication mode scheme user role network admin quit interface gigabitethernet 1 0 1 port link mode route ip address dhcp alloc return Start HTTP service software and enable HTTP service Details not shown Verifying the configuration 1 Power on Switch A 2 After Switch A starts up display assigned IP addresses on Device A DeviceA display dhcp server ip in...

Page 200: ...rks cfg configuration file Commands required for IRF setup You can create a configuration file by copying and modifying the configuration file of an existing IRF fabric sn txt Serial numbers of the member switches Each SN uniquely identifies a switch These SNs will be used for assigning a unique IRF member ID to each member switch Optional ipe or bin software image file Software images If the memb...

Page 201: ...pool 1 bootfile name http 192 168 1 40 device py DeviceA dhcp pool 1 quit Enable the DHCP server on GigabitEthernet 1 0 1 DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 dhcp select server DeviceA GigabitEthernet1 0 1 quit 4 Power on Switch A and Switch B Switch A and Switch B will obtain the Python script file from the DHCP server and execute the script After completing the I...

Page 202: ...193 Auto upgrade yes Mac persistent always Domain ID 0 Auto merge yes The output shows that the switches have formed an IRF fabric ...

Page 203: ...esholds Optional Specifying load sharing modes for a service module Optional Specifying an operating mode and a proxy mode for a service module Optional Enabling the port down feature globally Optional Configuring an asset profile for a physical component Optional Isolating a switching fabric module Optional Suppressing switching fabric module removal interrupt signals Optional Configuring hardwar...

Page 204: ...ource clock protocol none ntp mdc mdc id By default the device uses the NTP time source specified on the default MDC If you execute this command multiple times the most recent configuration takes effect 3 Optional Set the local UTC time a Return to user view quit b Specify a UTC time for the device clock datetime time date c Enter system view again system view Required when the local UTC time sour...

Page 205: ...ystem supports the following banners Legal banner Appears after the copyright statement To continue login the user must enter Y or press Enter To quit the process the user must enter N Y and N are case insensitive Message of the Day MOTD banner Appears after the legal banner and before the login banner Login banner Appears only when password or scheme authentication is configured Incoming banner T...

Page 206: ...input the password as follows System system view System header shell A Please input banner content and quit with the character A Have a nice day Please input the password A Method 3 After you type the final command keyword type the start delimiter and part of the banner and press Enter Then enter the rest of the banner as prompted and end the final line with the same delimiter The banner plus the ...

Page 207: ...e advance keyword is supported on EC SE SF and SG interface modules Change to the operating mode takes effect after a reboot Rebooting the device CAUTION A device reboot might interrupt network services To avoid configuration loss use the save command to save the running configuration before a reboot For more information about the save command see Fundamentals Command Reference Before a reboot use...

Page 208: ... device reboot The device supports only one device reboot schedule If you configure the scheduler reboot at or scheduler reboot delay command multiple times or configure both commands the most recent configuration takes effect To schedule a reboot execute one of the following commands in user view Task Command Remarks Specify the reboot date and time scheduler reboot at time date By default no reb...

Page 209: ...b exists 3 Assign a command to the job command id command By default no command is assigned to a job You can assign multiple commands to a job A command with a smaller ID will be executed first To assign a command command A to a job you must first assign the job the command or commands for entering the view of command A 4 Exit to system view quit N A 5 Create a schedule scheduler schedule schedule...

Page 210: ...e clock datetime clock summer time or clock timezone commands does not change the execution time table that is already configured for a schedule Schedule configuration example Network requirements As shown in Figure 45 two interfaces of the device are connected to users To save energy configure the device to perform the following operations Enable the interfaces at 8 00 a m every Monday through Fr...

Page 211: ...t1 0 2 command 1 system view Sysname job start GigabitEthernet1 0 2 command 2 interface gigabitethernet 1 0 2 Sysname job start GigabitEthernet1 0 2 command 3 undo shutdown Sysname job start GigabitEthernet1 0 2 quit Configure a periodic schedule for enabling the interfaces at 8 00 a m every Monday through Friday Sysname scheduler schedule START pc1 pc2 Sysname schedule START pc1 pc2 job start Gig...

Page 212: ...hedule type Run on every Mon Tue Wed Thu Fri at 18 00 00 Start time Wed Sep 28 18 00 00 2011 Last execution time Wed Sep 28 18 00 00 2011 Last completion time Wed Sep 28 18 00 01 2011 Execution counts 1 Job name Last execution status shutdown GigabitEthernet1 0 1 Successful shutdown GigabitEthernet1 0 2 Successful Display schedule log information Sysname display scheduler logfile Job name start Gi...

Page 213: ...ame system view System View return to User View with Ctrl Z Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 shutdown Disabling password recovery capability Password recovery capability controls console user access to the device configuration and SDRAM from BootWare menus This feature also decides the method for handling console login password loss see Figure 46 If password rec...

Page 214: ... boot or reboot after you choose this option Skip Current System Configuration Yes No Skip the configuration file at the next startup This is a one time operation It takes effect only for the first system boot or reboot after you choose this option This option does not delete the configuration file Restore to Factory Default Configuration No Yes Delete the next startup configuration file and load ...

Page 215: ...ple with the CPU usage threshold If the sample is greater the device sends a trap Samples and saves CPU usage at a configurable interval if CPU usage tracking is enabled To monitor CPU usage in standalone mode Step Command Remarks 1 Enter system view system view N A 2 Set the CPU usage threshold monitor cpu usage threshold cpu threshold slot slot number cpu cpu number The default CPU usage thresho...

Page 216: ...ordinate system display cpu usage history job job id chassis chassis number slot slot number cpu cpu number This command is available in any view Setting memory alarm thresholds To monitor memory usage the device performs the following operations Samples memory usage at an interval of 1 minute and compares the sample with the memory usage threshold If the sample is greater the device sends a trap ...

Page 217: ... amount of free memory space increases to or above the severe alarm threshold N A Severe alarm removed notification The amount of free memory space increases to or above the minor alarm threshold N A Minor alarm removed notification The amount of free memory space increases to or above the normal state threshold N A Figure 47 Memory alarm notifications and alarm removed notifications To set memory...

Page 218: ...hen the temperature reaches the high temperature alarming threshold the device repeatedly sends log messages and traps and sets the LEDs on the device panel This feature is supported only on the default MDC To configure the temperature alarm thresholds Step Command Remarks 1 Enter system view system view N A 2 Configure the temperature alarm thresholds In standalone mode temperature limit slot slo...

Page 219: ...ation ip destination mac ingress port source ip source mac flexible chassis chassis number slot slot number If you execute the command multiple times the most recent configuration takes effect If you specify an unsupported load sharing mode an error message is displayed When IRF links use the default load sharing modes the load sharing mode set by the fabric load sharing mode flexible command take...

Page 220: ...d ipv6 Increases the IPv6 routing table size to provide higher Layer 3 packet forwarding performance A large IPv6 routing table is required balance Increases the MAC address table size ARP table size and routing table size to provide more balanced Layer 2 and Layer 3 packet forwarding performance than the mix bridging routing mode Requirements for the MAC address table ARP table and routing table ...

Page 221: ... ARP NNI 16K Routing IPv4 256K Routing IPv6 8K mix bridging routing ARP NNI 16K MAC 128K Routing IPv4 128K Routing IPv6 8K standard ipv6 ARP NNI 16K MAC 32K Routing IPv4 16K Routing IPv6 8K ipv6 ARP NNI 16K MAC 32K Routing IPv4 16K Routing IPv6 256K Table 21 Table sizes on EC service modules in operating modes Mode Specifications normal LSUM1CGC2EC0 JH196A JH204A ARP UNI 55K ARP NNI 64K MAC 224K R...

Page 222: ... 256K Routing IPv6 6K mix bridging routing LSUM1CGC2EC0 JH196A JH204A ARP UNI 64K ARP NNI 64K MAC 128K Routing IPv4 128K Routing IPv6 64K Other modules ARP UNI 128K ARP NNI 64K MAC 128K Routing IPv4 128K Routing IPv6 64K ipv6 LSUM1CGC2EC0 JH196A JH204A ARP UNI 55K ARP NNI 64K MAC 128K Routing IPv4 16K Routing IPv6 128K Other modules ARP UNI 128K ARP NNI 64K MAC 128K Routing IPv4 16K Routing IPv6 1...

Page 223: ...ng IPv4 16K Routing IPv6 8K bridging LSUM2GP44TSSE0 JH191A JH199A and LSUM2GT48SE0 JH192A JH200A ARP UNI 16K ARP NNI 16K MAC 64K mix bridging routing LSUM2GP44TSSE0 JH191A JH199A and LSUM2GT48SE0 JH192A JH200A ARP UNI 32K ARP NNI 16K MAC 32K Routing IPv4 32K Routing IPv6 12K standard ipv6 LSU1GP24TXSE0 JC617A JG376A LSU1GT48SE0 JC618A JG377A LSU1GP48SE0 JC619A JG378A LSU1TGX4SE0 JC620A JG379A LSU1...

Page 224: ... IPv4 128K Routing IPv6 16K LSUM2QGS12SG0 JH434A LSUM2TGS48SG0 JH433A and LSUM2TGS32QSSG0 JH432A ARP UNI 8K ARP NNI 32K Routing IPv4 128K Routing IPv6 16K mix bridging routing LSUM1TGS48SG0 JH197A JH205A ARP UNI 80K ARP NNI 48K MAC 160K Routing IPv4 16K Routing IPv6 6K LSUM2QGS12SG0 JH434A LSUM2TGS48SG0 JH433A and LSUM2TGS32QSSG0 JH432A ARP UNI 72K ARP NNI 32K MAC 160K Routing IPv4 16K Routing IPv...

Page 225: ...table for a forwarding entry Table 27 shows the hardware and proxy mode compatibility Table 27 Hardware and proxy mode compatibility Proxy mode Compatibility route proxy high adj prxoy high l3 proxy high Supported on EC and SG modules route proxy low Not supported on SG interface modules that are operating in balance or routing mode adj proxy low Not supported on the following modules EA interface...

Page 226: ...incipal If you fail to do so the proxy function might not operate For example if you set the proxy mode to route proxy low for a service module you must set the proxy mode to route proxy high or l3 proxy high for another service module on the device Do not terminate tunneled packets or MPLS packets on a service module that is operating in route proxy low mode For more information about tunneling a...

Page 227: ...le Enabling the port down feature globally The port down feature applies to scenarios where two devices one active and one standby are used for high availability for example a network deployed with VRRP This feature shuts down all service ports on the active device immediately after both MPUs on the active device are removed or reboot abnormally The shutdown operation ensures quick service switcho...

Page 228: ...calculation Isolation restrictions and guidelines CAUTION Isolating the only switching fabric module of the switch disables the forwarding feature Do not reboot the device while a switching fabric module is being isolated If the switch has multiple switching fabric modules isolating a switching fabric module decreases the forwarding bandwidth and reduces the forwarding performance If you do not wa...

Page 229: ...ns in response To view hardware failure detection and protection information use the display hardware failure detection command Specifying the actions to be taken for hardware failures The device can take the following actions in response to hardware failures isolate Performs the following tasks as appropriate to reduce impact from the failures Shuts down the relevant ports Prohibits loading softw...

Page 230: ...ate By default the system takes the action of warning sending traps in response to forwarding plane failures 3 Enter Ethernet interface view interface interface type interface number N A 4 Enable hardware failure protection for the interface hardware failure protection auto down By default hardware failure protection is enabled Enabling hardware failure protection for aggregation groups Hardware f...

Page 231: ... 1 Enter system view system view N A 2 Enable data forwarding path failure detection forward path detection enable By default data forwarding path failure detection is enabled This command is supported only on the default MDC Verifying and diagnosing transceiver modules Verifying transceiver modules You can use one of the following methods to verify the genuineness of a transceiver module Display ...

Page 232: ...he current values of the digital diagnosis parameters on transceiver modules display transceiver diagnosis interface interface type interface number This command cannot display information about some transceiver modules Disabling alarm traps for transceiver modules Disable alarm traps if the transceiver modules were manufactured or sold by Hewlett Packard Enterprise The device regularly detects tr...

Page 233: ...e the factory default configuration for the device restore factory default This command takes effect after a device reboot Displaying and maintaining device management configuration Execute display commands in any view Execute the reset scheduler logfile command in user view Execute the reset version update record command in system view Standalone mode Task Command Display device alarm information...

Page 234: ...lay memory usage statistics display memory summary slot slot number cpu cpu number Display memory alarm thresholds and statistics display memory threshold slot slot number cpu cpu number Display power suppply information display power supply verbose Display job configuration information display scheduler job job name Display job execution log information display scheduler logfile Display the autom...

Page 235: ...t slot number cpu cpu number Display hardware information display device cf card flash chassis chassis number slot slot number verbose Display electronic label information for the device display device manuinfo chassis chassis number slot slot number Display electronic label information for the specified chassis backplane display device manuinfo chassis chassis number chassis only Display electron...

Page 236: ...mode status chassis chassis number Display system stability and status information display system stable state mdc id all Display the current system working mode display system working mode Display ITU channel information This command is supported only on the HPE X130 10G SFP LC LH80 Tunable Transceiver JL250A module display transceiver itu channel interface interface type interface number support...

Page 237: ... the following commands on an MDC displays CPU or memory information for the MDC display cpu usage display cpu usage configuration display cpu usage history display memory The following commands are supported only on the default MDC display device manuinfo display device manuinfo chassis only display device manuinfo fan display device manuinfo power display environment display fan ...

Page 238: ...rrectly If a problem occurs when the Tcl commands are being executed you can terminate the process by closing the connection if you logged in through Telnet or SSH If you logged in from the console port you must restart the device As a best practice log in through Telnet or SSH To use Tcl to configure the device Task Command Remarks Enter Tcl configuration view from user view tclsh N A Execute a T...

Page 239: ...rated by semi colons to execute the commands in the order they are entered For example ospf 100 area 0 Specify multiple Comware commands for the cli command quote them and separate them by a space and a semicolon For example cli ospf 100 area 0 Specify one Comware command for each cli command and separate them by a space and a semicolon For example cli ospf 100 cli area 0 To execute Comware comman...

Page 240: ...rameters Upgrade BootWare Start the primary or backup BootWare extended segment Using the BASIC BOOTWARE menu on LSU1SUPB0 JG496A MPUs Using the BASIC BOOTWARE menu on MPUs except LSU1SUPB0 JG496A Extended EXTENDED BOOTWARE Upgrade Comware software Manage files Using the EXTENDED BOOTWARE menu on LSU1SUPB0 JG496A MPUs Using the EXTENDED BOOTWARE menu on MPUs except LSU1SUPB0 JG496A Extended EXTEND...

Page 241: ...are 0 Reboot Ctrl U Access BASIC ASSISTANT MENU Enter your choice 0 5 Table 29 BASIC BOOTWARE menu options Option Task 1 Modify Serial Interface Parameter Change the baud rate of the console port 2 Update Extended BootWare Update the extended BootWare segment If the extended segment is corrupt choose this option to repair it 3 Update Full BootWare Update the entire BootWare including the basic seg...

Page 242: ...the default 9600 bps at reboot To establish a console session with the device after a reboot you must change the baud rate setting on the configuration terminal to 9600 bps Updating the extended BootWare segment If the extended BootWare segment is corrupt enter 2 in the BASIC BOOTWARE menu to update it Enter your choice 0 5 2 Please Start To Transfer File Press Ctrl C To Exit Waiting CCCCC Downloa...

Page 243: ...ze 500MB BASIC CPLD Version 4 0 EXTENDED CPLD Version 3 0 PCB Version Ver A BootWare Validating Press Ctrl B to access EXTENDED BOOTWARE MENU Running the backup extended BootWare segment To bootstrap the Comware software images with the backup extended BootWare segment enter 5 in the BASIC BOOTWARE menu For information about backing up the extended BootWare segment see Managing the BootWare image ...

Page 244: ...fail to do this within the time limit the system starts to run the extended BootWare segment BASIC BOOTWARE MENU Ver 1 03 1 Modify Serial Interface Parameter 2 Update Extended BootWare 3 Update Full BootWare 4 Boot Extended BootWare 5 Boot Backup Extended BootWare 0 Reboot Ctrl U Access BASIC ASSISTANT MENU Enter your choice 0 5 Table 30 BASIC BOOTWARE menu options Option Task 1 Modify Serial Inte...

Page 245: ...y Baudrate Available 1 9600 Default 2 19200 3 38400 4 57600 5 115200 0 Exit Enter your choice 0 5 2 Enter the number that represents the baud rate you want to choose For example enter 5 to set the baud rate to 115200 bps NOTE The baud rate change is a one time operation The baud rate will restore to the default 9600 bps at reboot To establish a console session with the device after a reboot you mu...

Page 246: ...are Version 1 03 Compiled Date Jul 19 2014 CPU Type XLP208 Rev A2 CPU Clock Speed 1000MHz Memory Type DDR3 SDRAM Memory Size 8192MB Memory Speed 667MHz BootWare Size 1536KB Flash Size 4MB BootWare Validating Press Ctrl B to access EXTENDED BOOTWARE MENU Running the backup extended BootWare segment To bootstrap the Comware software images with the backup extended BootWare segment enter 5 in the BAS...

Page 247: ...ts decompressing the Comware software System is starting Press Ctrl D to access BASIC BOOTWARE MENU Press Ctrl T to start memory test Booting Normal Extended BootWare The Extended BootWare is self decompressing Done BootWare Version 1 33 Compiled Date Nov 20 2014 CPU Type XLP316 CPU Clock Speed 1200MHz Memory Type DDR3 SDRAM Memory Size 8192MB Memory Speed 667MHz BootWare Size 1536KB Flash Size 50...

Page 248: ...e Comware software through the console port Upgrading Comware software through the console port 3 Enter Ethernet SubMenu Download files with FTP or TFTP and upgrade the Comware software through the management Ethernet port Upgrading Comware software through the management Ethernet port 4 File Control Display files on the current storage medium Set a software image file as the primary or backup sta...

Page 249: ... in separate bin files and in an ipe package file so you can update the images separately or as a whole You can set one Comware software image as a main M or backup B image For more information see Changing the file attribute of a Comware software image At startup the device always attempts to boot first with the main Comware software images If the attempt fails for example because the image file ...

Page 250: ...password recovery capability is disabled 2 Update Main Image File Download Comware software images to the current storage medium as main images the file attribute is set to M As a result the M file attribute of the original main images is removed 3 Update Backup Image File Download Comware software images to the current storage medium as backup images the file attribute is set to B As a result the...

Page 251: ... File flash test boot r7328 bin Done 7 Enter 0 in the Serial submenu to return to the EXTENDED BOOTWARE menu 8 Enter 1 in the EXTENDED BOOTWARE menu to run the new software Upgrading Comware software through the management Ethernet port You can upgrade the Comware software through the management Ethernet port from the Ethernet submenu To upgrade Comware software through the management Ethernet por...

Page 252: ...u Return to the EXTENDED BOOTWARE menu 2 Enter 5 in the Ethernet submenu to configure file transfer settings Enter your choice 0 5 5 ETHERNET PARAMETER SET Note Clear field Go to previous field Ctrl D Quit Protocol FTP or TFTP FTP Load File Name 10500 ipe Target File Name 10500 ipe Server IP Address 172 1 88 125 Local IP Address 172 1 88 22 Subnet Mask 0 0 0 0 Gateway IP Address 0 0 0 0 FTP User N...

Page 253: ...onfigured on the FTP server This field is not available for TFTP 3 Choose an option from 1 to 3 For example to upgrade the main Comware software images enter 2 Enter Ethernet SubMenu Note the operating device is flash 1 Download Image Program To SDRAM And Run 2 Update Main Image File 3 Update Backup Image File 4 Modify Ethernet Parameter 0 Exit To Main Menu Ensure The Parameter Be Modified Before ...

Page 254: ...ile CONTROL Note the operating device is flash 1 Display All File s 2 Set Image File type 3 Set Bin File type 4 Delete File 5 Copy File 0 Exit To Main Menu Enter your choice 0 5 Displaying all files To display all files on the current storage medium enter 1 in the FILE CONTROL submenu Enter your choice 0 5 1 Display all file s in flash M MAIN B BACKUP N A NOT ASSIGNED NO Size B Time Type Name 1 27...

Page 255: ... boot image file update bin has the B attribute If you assign the M attribute to update bin update bin will have both the M and B attributes M B and the file attribute of main bin will change to N A To change the attribute of Comware software images 1 Enter 3 in the File Control submenu Enter your choice 0 5 3 M MAIN B BACKUP N A NOT ASSIGNED NO Size B Time Type Name 1 40095744 Aug 08 2014 11 16 5...

Page 256: ... versionCtl da t 5 1056 Mar 10 2013 19 18 43 N A flash versionInfo version0 dat 6 86 Mar 18 2013 09 59 13 N A flash ifindex dat 7 294388736 Aug 08 2014 11 27 50 M B flash 10500 cmw710 system R7557 P01 bin 0 Exit Enter file No 2 Enter the number of the file to delete Enter file No 7 3 When the following prompt appears enter Y The file you selected is flash 10500 cmw710 system R7557P01 bin Delete it...

Page 257: ...task only if the switch has one MPU If the switch has two MPUs you cannot restore the factory default configuration To restore the factory default configuration from the EXTENDED BOOTWARE menu make sure password recovery capability is disabled If the capability is enabled you cannot perform the task To enable the system to start up with the factory default configuration instead of a next startup c...

Page 258: ...the EXTENDED BOOTWARE menu EXTENDED BOOTWARE MENU 1 Boot System 2 Enter Serial SubMenu 3 Enter Ethernet SubMenu 4 File Control 5 Restore to Factory Default Configuration 6 Skip Current System Configuration 7 BootWare Operation Menu 8 Skip Authentication for Console Login 9 Storage Device Operation 0 Reboot Ctrl Z Access EXTENDED ASSISTANT MENU Ctrl F Format File System Enter your choice 0 9 6 Flag...

Page 259: ...BootWare image If the BootWare image is corrupt you can use a backup BootWare image to recover it Enter 2 in the BootWare Operation menu to recover the BootWare image You may choose to recover the entire image its basic segment or extended segment Enter your choice 0 4 2 Will you restore the Basic BootWare Y N Y Begin to restore Normal Basic BootWare Done Will you restore the Extended BootWare Y N...

Page 260: ... Ethernet Parameter Configure the FTP or TFTP file transfer settings 0 Exit To Main Menu Return to the BootWare Operation menu Skipping console login authentication IMPORTANT To perform this task make sure password recovery capability is enabled If the capability is disabled you cannot perform this task Perform this task only if the switch has one MPU If the switch has two MPUs you cannot skip con...

Page 261: ...o enter user line view No password is required for console login whether or not you save the running configuration Reconfigure the authentication password Saved the running configuration Y Y N Execute the quit command Execute the reboot command The new password is saved You must provide the new password for console login The new password is saved You must provide the old password for console login...

Page 262: ...nd length Enter your choice 0 2 1 Info Press Ctrl C to abort or return to EXTENDED ASSISTANT MENU Info Enter the address and length in hexadecimal notation Info Only 4 bytes mode supported Enter memory address 80 Enter memory length 2 00000080 3c1b8f10 277b0a04 3 To search memory for certain data enter 2 and then provide the start and end addresses and the value of interest Enter your choice 0 2 2...

Page 263: ... BOOTWARE menu press Ctrl B within three seconds after the Press Ctrl B to access EXTENDED BOOTWARE MENU prompt message appears If you fail to do this the system starts decompressing the Comware software RAM test successful Press Ctrl T to start five step full RAM test Press Ctrl Y to start nine step full RAM test System is starting Press Ctrl D to access BASIC BOOTWARE MENU Booting Normal Extende...

Page 264: ...NU 1 Boot System 2 Enter Serial SubMenu 3 Enter Ethernet SubMenu 4 File Control 5 Restore to Factory Default Configuration 6 Skip Current System Configuration 7 BootWare Operation Menu 8 Skip Authentication for Console Login 9 Storage Device Operation 0 Reboot Ctrl Z Access EXTENDED ASSISTANT MENU Ctrl A Enter Command Line Ctrl F Format File System Enter your choice 0 9 Table 40 EXTENDED BOOTWARE ...

Page 265: ...es effect only for the first system boot or reboot after you choose this option This option is not available if password recovery capability is disabled Skipping console login authentication 9 Storage Device Operation Set the storage medium from which the MPU will start up Set the storage medium where file operations are performed This storage medium is referred to as the current storage medium in...

Page 266: ...ial submenu To upgrade the Comware software through the console port from the Serial submenu 1 Enter 2 in the EXTENDED BOOTWARE menu to access the Serial submenu Enter Serial SubMenu Note the operating device is flash 1 Download Image Program To SDRAM And Run 2 Update Main Image File 3 Update Backup Image File 4 Download Files 5 Modify Serial Interface Parameter 0 Exit To Main Menu Enter your choi...

Page 267: ...r change the default baud rate to a higher value before downloading Comware software with XMODEM through the console port 4 Enter 0 to return to the Serial submenu 5 Choose an option from 1 to 4 For example to upgrade the main Comware software images enter 2 Enter Serial SubMenu Note the operating device is flash 1 Download Image Program To SDRAM And Run 2 Update Main Image File 3 Update Backup Im...

Page 268: ... Load and run Comware software images in SDRAM This option is only available when password recovery capability is enabled 2 Update Main Image File Download Comware software images to the current storage medium as main images the file attribute is set to M As a result the M file attribute of the original main images is removed 3 Update Backup Image File Download Comware software images to the curre...

Page 269: ...t storage medium on the device By default the target file name is the same as the source file name Server IP Address Set the IP address of the FTP or TFTP server Local IP Address Set the IP address of the device Subnet Mask Set the IP address mask Gateway IP Address Set a gateway IP address if the device is on a different network than the server FTP User Name Set the username for accessing the FTP...

Page 270: ...Control 5 Restore to Factory Default Configuration 6 Skip Current System Configuration 7 BootWare Operation Menu 8 Skip Authentication for Console Login 9 Storage Device Operation 0 Reboot Ctrl Z Access EXTENDED ASSISTANT MENU Ctrl F Format File System Enter your choice 0 9 4 The following File Control submenu appears File CONTROL Note the operating device is flash 1 Display All File s 2 Set Image...

Page 271: ...or each type of Comware image If you assign the same attribute to two images that are the same type the most recent assignment causes the previously assigned attribute to be removed For example the boot image file main bin has the M attribute and the boot image file update bin has the B attribute If you assign the M attribute to update bin update bin will have both the M and B attributes M B and t...

Page 272: ...leting the file in flash M MAIN B BACKUP N A NOT ASSIGNED Display all file s in flash M MAIN B BACKUP N A NOT ASSIGNED NO Size B Time Type Name 1 4577 Feb 19 2013 13 07 54 N A flash labtop cfg 2 141952 Feb 19 2013 13 07 54 N A flash labtop mdb 3 341547 Feb 20 2013 12 00 15 N A flash logfile logfile log 4 0 Jul 29 2014 16 32 27 N A flash test cfg 5 1681 Jul 29 2014 17 34 42 N A flash vlan txt 6 829...

Page 273: ...ze Available Space 1 flash YAFFS2 1048576KB 792990KB 0 Exit Enter your choice 0 1 3 Enter the number of the destination storage medium For example enter 1 to copy the file to the flash memory Enter your choice 0 1 1 The destination file can t be the same as the source file Restoring the factory default configuration CAUTION Performing this task can cause all next startup configuration files in the...

Page 274: ...word recovery capability is disabled enter Y at the prompt to complete the task Because the password recovery capability is disabled this operation can cause the configuration files to be deleted and the system will start up with factory defaults Are you sure to continue Y N Y Setting Done Skipping the configuration file at the next startup To skip the configuration file at the next startup enter ...

Page 275: ...re image its basic segment or extended segment When the BootWare image is corrupt you can use the backup image for recovery Enter 1 in the BootWare Operation menu to perform a BootWare image backup Enter your choice 0 4 1 Will you backup the Basic BootWare Y N Y Begin to backup the Basic BootWare Done Will you backup the Extended BootWare Y N Y Begin to backup the Extended BootWare Done Recovering...

Page 276: ...form any upgrade task 0 Exit To Main Menu Return to the BootWare Operation menu To upgrade the BootWare image through the management Ethernet port enter 4 in the BootWare Operation menu Enter your choice 0 4 4 BOOTWARE OPERATION ETHERNET SUB MENU 1 Update Full BootWare 2 Update Extended BootWare 3 Update Basic BootWare 4 Modify Ethernet Parameter 0 Exit To Main Menu Enter your choice 0 4 Table 46 ...

Page 277: ...ogin password enter 8 in the EXTENDED BOOTWARE menu and then enter 1 or 0 in the EXTENDED BOOTWARE menu The switch will reboot and load the next startup configuration file with the console login password ignored Enter your choice 0 9 8 Clear Image Password Success After the switch starts up you can configure a new console login password and save the running configuration so the new password takes ...

Page 278: ...o enter user line view No password is required for console login whether or not you save the running configuration Reconfigure the authentication password Saved the running configuration Y Y N Execute the quit command Execute the reboot command The new password is saved You must provide the new password for console login The new password is saved You must provide the old password for console login...

Page 279: ...nd length Enter your choice 0 2 1 Info Press Ctrl C to abort or return to EXTENDED ASSISTANT MENU Info Enter the address and length in hexadecimal notation Info Only 4 bytes mode supported Enter memory address 80 Enter memory length 2 00000080 00000000 00000000 3 To search memory for certain data enter 2 and then provide the start and end addresses and the value of interest Enter your choice 0 2 2...

Page 280: ...l C Please Start To Transfer File Press Ctrl C To Exit Stops the ongoing file transfer and exits the current operation interface Info Press Ctrl C to abort or return to EXTENDED ASSISTANT MENU Returns to the EXTENDED ASSISTANT menu If the system is outputting the result of an operation this shortcut key combination aborts the display first Ctrl D Press Ctrl D to access BASIC BOOTWARE MENU Accesses...

Page 281: ...al s Baudrate Accordingly Baudrate Available 1 9600 Default 2 19200 3 38400 4 57600 5 115200 0 Exit Enter your choice 0 5 1 3 Select the correct download baud rate In this example enter 1 to select 9600 bps 4 Change the baud rate of your terminal to match the setting on the Serial submenu Then close your connection to the device and reestablish the connection to make the terminal s baud rate chang...

Page 282: ... Select Transfer Send File in the HyperTerminal window In the dialog box that appears click Browse to select the source file and select Xmodem from the Protocol list In this example the file D update main bin is selected Figure 50 File transmission dialog box 7 Click Send The following dialog box appears Figure 51 File transfer progress After the file transfer is complete the Serial submenu appear...

Page 283: ...ge File 3 Update Backup Image File 4 Download Files 5 Modify Ethernet Parameter 0 Exit To Main Menu Ensure The Parameter Be Modified Before Downloading Enter your choice 0 5 5 To download a file enter 5 to modify management Ethernet port settings Enter your choice 0 5 5 ETHERNET PARAMETER SET Note Clear field Go to previous field Ctrl D Quit Protocol FTP or TFTP tftp Load File Name 10500 ipe Targe...

Page 284: ...h the management Ethernet port In this example the device acts as the FTP client To upgrade Comware software through the management Ethernet port 1 Connect the device to the intended FTP server through the device s management Ethernet port and obtain the IP address of the intended TFTP server Connect your terminal to the device s console port You can use the same PC for the two purposes 2 On the i...

Page 285: ...you must enter the Python shell To enter the Python shell Task Command Enter the Python shell from user view python Executing a Python script Execute a Python script in user view Task Command Execute a Python script python filename Exiting the Python shell Execute this command in the Python shell Task Command Exit the Python shell exit Python usage example Network requirements Use a Python script ...

Page 286: ...d the script to the device Sysname tftp 192 168 1 26 get test py Execute the script Sysname python flash test py Sysname startup saved configuration flash main cfg main Please wait Done Sysname startup saved configuration flash backup cfg backup Please wait Done Verifying the configuration Display startup configuration files Sysname display startup Current startup saved configuration file flash st...

Page 287: ... 168 1 26 test cfg flash test cfg user password comware Transfer object at 0xb7eab0e0 Use from comware import API to import an API and use API to execute the API For example to use the extended API Transfer to download the test cfg file from TFTP server 192 168 1 26 Sysname python Python 2 7 3 default GCC 4 4 1 on linux2 Type help copyright credits or license for more information from comware impo...

Page 288: ... more information import comware comware CLI system view local user test class manage Sample output Sysname system view System View return to User View with Ctrl Z Sysname local user test class manage New local user added comware CLI object at 0xb7f680a0 get_output Use get_output to get the output from executed commands Syntax CLI get_output Returns Output from executed commands Examples Add a loc...

Page 289: ... characters If the server belongs to the public network do not specify this argument login_timeout Specifies the timeout for the operation in seconds The default is 10 user Specifies the username for logging in to the server password Specifies the login password Returns Transfer object Examples Download the test cfg file from TFTP server 192 168 1 26 Sysname python Python 2 7 3 default GCC 4 4 1 o...

Page 290: ...de A list object in the format of 1 slot number The slot number indicates the slot number of the active MPU In IRF mode A list object in the format of chassis number slot number The chassis number and slot number indicate the member ID of the master device and the slot number of the global active MPU on the master device Examples Get the slot number of the active MPU in standalone mode or global a...

Page 291: ...mber of the standby MPU in standalone mode or the slot numbers of the global standby MPUs in IRF mode Sysname python Python 2 7 3 default GCC 4 4 1 on linux2 Type help copyright credits or license for more information import comware comware get_standby_slot Sample output API get_slot_range get_slot_range Use get_slot_range to get the supported IRF member ID range Syntax get_slot_range Returns A di...

Page 292: ...d The status argument indicates the status of the card The chassis number argument indicates the member ID of the device The role argument indicates the role of the card The CPU number argument indicates the ID of the main CPU on the card Examples Get information about a card Sysname python Python 2 7 3 default GCC 4 4 1 on linux2 Type help copyright credits or license for more information import ...

Page 293: ...ntax choices separated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field names and menu items are in Boldface For example the New User wind...

Page 294: ...epresents a wireless terminator unit Represents a wireless terminator Represents a mesh access point Represents omnidirectional signals Represents directional signals Represents a security product such as a firewall UTM multiservice security gateway or load balancing device Represents a security module such as a firewall load balancing NetStream SSL VPN IPS or ACG module Examples provided in this ...

Page 295: ...s provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To download product updates go to either of the following Hewlett Packard Enterprise Support Center Get connected with updates page www hpe com support e updates Software Depot website www hpe com support softwaredepot To view and u...

Page 296: ...r self repair CSR programs allow you to repair your product If a CSR part needs to be replaced it will be shipped directly to you so that you can install it at your convenience Some parts do not qualify for CSR Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR For more information about CSR contact your local service provider or ...

Page 297: ...number edition and publication date located on the front cover of the document For online help content include the product name product version help edition and publication date located on the legal notices page ...

Page 298: ...ed API functions 278 Python extended API import 278 archiving configuration archive 113 configuration archive parameters 114 configuration archiving automatic 115 file 106 file system directory 104 running configuration manual 115 argument CLI string text type 4 ASCII transfer mode 84 assigning login management CLI user line assignment 47 RBAC local AAA authentication user role 26 RBAC non AAA aut...

Page 299: ...de 196 shell type 196 single line input mode 196 binary transfer mode 84 boot loader software upgrade startup image file specification in IRF mode 125 software upgrade startup image file specification in standalone mode 124 BootWare software upgrade image preload 124 software upgrade image type 120 120 software upgrade methods 122 software upgrade preparation 123 software upgrade startup image fil...

Page 300: ...y use 7 CLI command line editing 4 CLI command redisplay 8 CLI interface type value 5 CLI string text type argument value 4 CLI undo command form 3 command line interface Use CLI ISSU 131 ISSU command series 132 ISSU device operating status verification 132 ISSU feature status verification 133 ISSU install commands 136 ISSU method identification 133 ISSU performance issu commands 135 ISSU procedur...

Page 301: ...gement Ethernet interface 173 FTP 84 FTP basic server parameters 84 FTP client IRF mode 94 FTP client standalone mode 93 FTP server IRF mode 88 FTP server standalone mode 86 login management CLI configuration 47 login management CLI console common line settings 51 login management CLI console password authentication 50 login management CLI console scheme authentication 51 login management CLI loca...

Page 302: ...er role 25 deleting file 106 file system directory 104 next startup configuration file 118 recycle bin file 107 detecting device data forwarding path failure 222 device hardware failure protection 220 device port status detection timer 206 determining ISSU procedure 134 device automatic configuration 179 automatic configuration HTTP server Python script 189 automatic configuration HTTP server Tcl ...

Page 303: ...24 RBAC temporary user role authorization 28 30 RBAC temporary user role authorization HWTACACS authentication 35 RBAC temporary user role authorization RADIUS authentication 39 RBAC user role assignment 20 25 RBAC user role authentication 30 RBAC user role creation 21 RBAC user role interface policy 24 RBAC user role local AAA authentication 26 RBAC user role non AAA authentication 27 RBAC user r...

Page 304: ...ver directory management 90 disabling CLI output screen pausing 11 device transceiver module alarm traps 223 login management CLI console authentication 49 login management Telnet login authentication 54 sending removal interrupt signals before switching fabric module removal 220 disabling sending removal interrupt signals before switching fabric module removal 220 displaying configuration file di...

Page 305: ...guration host name file server based 180 automatic configuration script file server based 181 compression 106 configuration file content 109 configuration file difference comparison 110 configuration file format 109 configuration file formats 109 configuration file management 108 copying 105 decompression 106 deletion 106 device configuration startup file selection 109 digest calculation 107 extra...

Page 306: ... 109 109 formatting file system 102 FTP automatic configuration file server configuration server based 180 basic server parameters configuration 84 client configuration IRF mode 94 client configuration standalone mode 93 client connection establishment 89 client display 92 command help information display 92 configuration 84 connection maintain 92 connection termination 92 device as client 89 devi...

Page 307: ...mage redundancy 120 software upgrade Comware image type 120 software upgrade Comware system image type 120 software upgrade startup image file specification in IRF mode 125 software upgrade startup image file specification in standalone mode 124 importing Python extended API 278 incoming banner type 196 In Service Software Upgrade Use ISSU install commands ISSU feature uninstall 138 ISSU inactive ...

Page 308: ...e removal install commands 139 install commands 136 install commands IRF mode 167 install commands standalone mode 164 IPE file decompression install commands 137 issu commands 135 issu commands IRF mode 142 148 maintaining 140 methods 131 patch image uninstall install commands 138 restrictions 134 saving running configuration 135 software activate deactivate install commands 139 software image in...

Page 309: ... online Web user 75 login device banner login type 196 login management CLI configuration 47 CLI console authentication disable 49 CLI console common line settings 51 CLI console password authentication 50 CLI console scheme authentication 51 CLI local console port login 49 CLI login authentication modes 48 CLI login display 62 CLI login maintain 62 CLI user line assignment 47 CLI user line identi...

Page 310: ...ion 48 login management scheme CLI authentication 48 module device transceiver module alarm traps 223 device transceiver module diagnosis 222 223 device transceiver module ITU channel number 223 device transceiver module verification 222 222 monitoring device CPU usage 206 mounting file system 102 moving file 106 MPU emergency shell device reboot 175 emergency shell use 172 176 ISSU 131 ISSU insta...

Page 311: ...shell server access 174 emergency shell system software image load 175 enabling port down function globally 218 file system 98 file system directories 99 file system directory management 103 file system directory name specification 100 file system file management 105 file system file name specification 100 100 file system files 99 file system storage media management 101 FTP basic server parameter...

Page 312: ...r role creation 21 RBAC user role interface policy 24 RBAC user role local AAA authentication 26 RBAC user role non AAA authentication 27 RBAC user role remote AAA authentication 26 RBAC user role rule configuration 21 RBAC user role VLAN policy 24 RBAC user role VPN instance policy 25 software upgrade 127 switching fabric module isolate 219 troubleshooting FTP connection 92 network management aut...

Page 313: ...ands IRF mode 167 ISSU install commands standalone mode 164 ISSU issu commands IRF mode 142 148 permitting RBAC permission assignment 17 RBAC user role assignment 20 physical component asset profile 218 policy RBAC interface access policy 18 RBAC resource access policies 24 RBAC user role assignment 25 RBAC user role interface policy 24 RBAC user role local AAA authentication 26 RBAC user role non...

Page 314: ...rver IRF mode 88 configuring FTP server standalone mode 86 configuring login management CLI console common line settings 51 configuring login management CLI console password authentication 50 configuring login management CLI console scheme authentication 51 configuring login management CLI local console port login 49 configuring login management command accounting 81 82 configuring login managemen...

Page 315: ...ware upgrade image settings 127 displaying text file content 105 editing CLI command line 4 enabling CLI redisplay of entered but not submitted command 8 enabling configuration archiving automatic 115 enabling configuration encryption 110 enabling device copyright statement display 196 enabling device data forwarding path failure detection 222 enabling device hardware failure protection aggregatio...

Page 316: ...uration file 118 returning CLI user view 2 returning to CLI upper level view from any view 2 rolling back configuration file 115 saving CLI display command output to file 14 saving CLI running configuration 16 saving running configuration 111 112 scheduling device management task 199 201 setting configuration archive parameters 114 setting device memory alarm thresholds 207 setting device port sta...

Page 317: ... FIPS compliance 20 local AAA authentication user configuration 31 non AAA authorization 20 permission assignment 17 predefined user roles 18 RADIUS authentication user configuration 32 resource access policies 18 24 rule configuration restrictions 22 settings display 30 temporary user role authorization 30 temporary user role authorization HWTACACS authentication 35 temporary user role authorizat...

Page 318: ...cy 25 Role Based Access Control Use RBAC rolling back configuration 113 configuration file configuration 115 root file system root directory 99 routing FTP configuration 84 FTP server configuration IRF mode 88 FTP server configuration standalone mode 86 TFTP configuration 96 96 rule CLI command history buffering rules 10 RBAC command rule 17 RBAC feature execute rule 17 RBAC feature group rule 17 ...

Page 319: ...BAC user role remote AAA authentication 26 RBAC user role rule configuration 21 RBAC user role VLAN policy 24 RBAC user role VPN instance policy 25 server automatic configuration HTTP server Python script 189 automatic configuration HTTP server Tcl script 188 automatic configuration IRF fabric setup 191 automatic configuration server based 179 184 automatic configuration TFTP server based 184 auto...

Page 320: ...F mode 142 148 ISSU method identification 133 ISSU performance issu commands 135 ISSU preparation 132 ISSU procedure determination 134 ISSU software image install commands 137 ISSU software image upgrade install commands 137 ISSU upgrade image preparation 133 methods 122 MPU synchronization 126 non ISSU upgrade preparation 123 overview 120 restrictions 123 startup image file specification in IRF m...

Page 321: ...ut management 16 CLI display command output save to file 14 CLI display command output viewing 16 CLI interface type value 5 CLI online help access 2 CLI output control 11 11 CLI running configuration save 16 CLI string text type argument value 4 CLI system view entry from user view 2 CLI undo command form 3 CLI upper level view return from any view 2 CLI use 1 CLI user view return 2 CLI view hier...

Page 322: ...install commands IRF mode 167 ISSU image signature 131 133 ISSU inactive software image removal install commands 139 ISSU install commands IRF mode 167 ISSU install commands standalone mode 164 ISSU issu commands IRF mode 142 148 ISSU method identification 133 ISSU patch image install commands 138 ISSU performance issu commands 135 ISSU preparation 132 ISSU procedure determination 134 ISSU softwar...

Page 323: ...8 software upgrade configuration in standalone mode 127 switching fabric module isolate 219 Tcl usage 229 TFTP configuration 96 Using Tcl 229 T task device management task scheduling 199 201 Tcl automatic configuration HTTP server Tcl script 188 configuring the device 229 executing Comware commands 230 use 229 TCP device as FTP client 89 device as FTP server 84 FTP client connection establishment ...

Page 324: ... See also user line interface login management Telnet VTY common line settings 57 login management CLI user roles 48 login management login control Telnet 74 login management login control Telnet SSH 73 login management SNMP access control 76 77 login management user device access control 73 login management Web login control 74 75 login management Web login control source IP based 75 login manage...

Page 325: ...rchy 1 VLAN RBAC user role VLAN policy 24 RBAC VLAN access policy 18 VPN RBAC user role VPN instance policy 25 RBAC VPN instance access policy 18 VTY line settings 57 W Web login configuration 63 67 login configuration HTTP 63 67 login configuration HTTPS 64 67 login control configuration source IP based 75 login display 66 login FIPS compliance 63 login maintain 66 login management user logoff 75...

Search results

Summary of Contents for FlexNetwork 10500 Series

Reviews:

HP Enterprise FlexNetwork 10500 Series, Configuration Manual, Page: 40 / 325

Search results

Summary of Contents for FlexNetwork 10500 Series

Reviews: