
H3C WX Series Access Controllers Fundamentals Configuration Guide

Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com


Document Version: 6W105-20101124

Copyright 2008-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors

All Rights Reserved


No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface
The H3C WX series documentation set describes the software features for the H3C WX Series Access Controllers and guides you through the software configuration procedures. The configuration guides also provide configuration examples to help you apply the software features to different network scenarios.

The Fundamentals Configuration Guide describes CLI, logging in to the AC, device management, FTP and TFTP, user interface, file management, basic system configuration, HTTP, and hotfix configurations.

This preface includes:
- Audience
- Conventions
- About the H3C WX Series Documentation Set
- Obtaining Documentation
- Technical Support
- Documentation Feedback

Audience
This documentation is intended for:
- Network planners
- Field technical support and servicing engineers
- Network administrators working with the WX series

Conventions
This section describes the conventions used in this documentation set.

Command conventions
Convention: Description

Boldface: Bold text represents commands and keywords that you enter literally as shown.
italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.
&<1-n>: The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is a comment.
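The notation above is a small grammar, and the forms compose: a group can sit inside another group, a trailing * changes a group from "pick one" to "pick several", and &<1-n> repeats whatever precedes it. The Python below is an added example (it is not code from the H3C guide) that parses a syntax line written in this notation and checks whether a typed command line conforms to it, which is the check a configuration linter or audit script would perform. Because italics do not survive in plain text, it assumes that argument placeholders are written in UPPERCASE (for example ACL-NUMBER) and keywords in lowercase, and that &<1-n> is written directly after the element it repeats. The syntax strings in the checks are illustrative, not quoted from the guide.

```python
"""Parse H3C command-syntax notation and match a typed command against it.

Added example, not from the H3C guide. Assumption: argument placeholders
(italic in the guide) are written UPPERCASE here; keywords are lowercase.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Set

# Tokens: an &<lo-hi> repeat marker, a single structural character, or a word.
_TOKEN_RE = re.compile(r"&<\d+-\d+>|[{}\[\]|*]|[^\s{}\[\]|*&]+")


@dataclass
class Kw:   # boldface keyword, typed literally
    text: str


@dataclass
class Arg:  # italic argument, stands for any single typed value
    name: str


@dataclass
class Seq:  # elements that must appear in this order
    items: list


@dataclass
class Alt:  # { x | y } (required) or [ x | y ] (optional); '*' allows several
    options: list
    required: bool
    multi: bool


@dataclass
class Rep:  # element&<lo-hi>: the element repeated lo..hi times
    item: object
    lo: int
    hi: int


class _Parser:
    def __init__(self, syntax: str):
        self.toks = _TOKEN_RE.findall(syntax)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def seq(self, stop=()):
        items = []
        while self.peek() is not None and self.peek() not in stop:
            items.append(self.elem())
        return Seq(items)

    def elem(self):
        tok = self.take()
        if tok in ("{", "["):
            close = "}" if tok == "{" else "]"
            options = [self.seq(("|", close))]
            while self.peek() == "|":
                self.take()
                options.append(self.seq(("|", close)))
            if self.peek() != close:
                raise ValueError("unbalanced group in syntax")
            self.take()
            multi = self.peek() == "*"
            if multi:
                self.take()
            node = Alt(options, required=(tok == "{"), multi=multi)
        elif tok in ("}", "]", "|", "*") or tok.startswith("&<"):
            raise ValueError(f"unexpected {tok!r} in syntax")
        elif tok.isupper():
            node = Arg(tok)
        else:
            node = Kw(tok)
        nxt = self.peek()
        if nxt is not None and nxt.startswith("&<"):  # applies to the element just parsed
            self.take()
            lo, hi = (int(n) for n in nxt[2:-1].split("-"))
            node = Rep(node, lo, hi)
        return node


def parse(syntax: str) -> Seq:
    return _Parser(syntax).seq()


def _ends(node, toks: List[str], pos: int) -> Set[int]:
    """All positions at which `node` can finish when matching starts at `pos`."""
    if isinstance(node, Kw):
        return {pos + 1} if pos < len(toks) and toks[pos] == node.text else set()
    if isinstance(node, Arg):
        return {pos + 1} if pos < len(toks) else set()
    if isinstance(node, Seq):
        ends = {pos}
        for item in node.items:
            ends = set().union(*(_ends(item, toks, p) for p in ends))
        return ends
    if isinstance(node, Rep):
        ends, result = {pos}, set()
        for n in range(1, node.hi + 1):
            ends = set().union(*(_ends(node.item, toks, p) for p in ends))
            if not ends:
                break
            if n >= node.lo:
                result |= ends
        return result
    if not node.multi:  # plain { } or [ ]: exactly one option, or none if optional
        ends = set().union(*(_ends(o, toks, pos) for o in node.options))
        return ends if node.required else ends | {pos}
    return _ends_multi(node, toks, pos, frozenset())


def _ends_multi(node: Alt, toks, pos, used: FrozenSet[int]) -> Set[int]:
    # '*' groups: each option at most once, in any order; '{ }*' needs at least one.
    ends = set() if (node.required and not used) else {pos}
    for i, option in enumerate(node.options):
        if i not in used:
            for p in _ends(option, toks, pos):
                ends |= _ends_multi(node, toks, p, used | {i})
    return ends


def matches(syntax: str, command: str) -> bool:
    """True if the whole typed command line conforms to the syntax line."""
    toks = command.split()
    return len(toks) in _ends(parse(syntax), toks, 0)
```

The matcher returns the set of positions where each element can end rather than a single position, so alternatives and repeats backtrack naturally; a command conforms when the full token count is one of the end positions. Trailing junk, a missing required choice, and an option repeated inside a * group are therefore all rejected.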

GUI conventions
Convention: Description

Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols
Each symbol in this documentation set has the following meaning:
- Means reader be extremely careful. Improper operation may cause bodily injury.
- Means reader be careful. Improper operation may cause data loss or damage to equipment.
- Means an action or information that needs special attention to ensure successful configuration or good performance.
- Means a complementary description.
- Means techniques helpful for you to make configuration with ease.

Network topology icons

Each icon in the network topology figures represents one of the following:
- A generic network device, such as a router, switch, or firewall.
- A routing-capable device, such as a router or Layer 3 switch.
- A generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
- An access controller, an access controller module, or a switching engine on a unified switch.
- An access point.
- A mesh access point.
- Omnidirectional signals.
- Directional signals.

About the H3C WX Series Documentation Set


The H3C WX series documentation set includes:

Category: Product description and specifications
Documents: WX3000 Series Unified Wired and Wireless Switches Brochure; WX5000 Series Access Controllers Brochure; WX6000 Series Access Controllers Brochure
Purposes: Describe product specifications and benefits.

Category: Hardware specifications and installation
Documents: LSWM1WCM10 Access Controller Module Card Manual; LSWM1WCM20 Access Controller Module Card Manual; LSRM1WCM2A1 Access Controller Module Card Manual; LSQM1WCMB0 Access Controller Module Installation Manual; LSBM1WCM2A0 Access Controller Module Installation Manual
Purposes: Guide you through hardware specifications and installation methods to help you install your AC. Provide the hardware specifications of the cards, and describe how to install and remove the cards.

Category: Software configuration
Documents: WX Series Access Controllers Getting Started Guides; WX Series Access Controllers Configuration Guides; WX Series Access Controllers Command References; WX Series Access Controllers Web-based Configuration Guides
Purposes: The Getting Started Guides guide you through the main functions of your AC, and describe how to install and log in to your AC, perform basic configurations, maintain software, and troubleshoot your AC. The Configuration Guides describe software features and configuration procedures. The Command References provide a quick reference to all available commands. The Web-based Configuration Guides describe configuration procedures through the web interface.

Category: Operations and maintenance
Documents: WX3000 Series Unified Switches Release Notes; WX5002 Series Access Controllers Release Notes; WX5004 Series Access Controllers Release Notes; WX6103 Series Access Controllers Release Notes
Purposes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.

Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation:
- [Technical Support & Documents > Technical Documents]: Provides hardware installation, software upgrading, getting started, and software feature configuration and maintenance documentation.
- [Products & Solutions]: Provides information about products and technologies, as well as solutions.
- [Technical Support & Documents > Software Download]: Provides the documentation released with the software version.

Technical Support
customer_service@h3c.com http://www.h3c.com

Documentation Feedback
You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.

Read Compatibility Matrixes before using an H3C WX series access controller. Support of the H3C WX series access controllers for features and commands may vary by AC model. For more information, see Feature Matrixes and Command Matrixes in Compatibility Matrixes.

The term AC in this document refers to H3C access controllers, access controller modules, and H3C WX series unified switches' access controller engines.

The interface types and the number of interfaces vary by AC model. This document uses GE interfaces to show how to configure Ethernet interfaces.

The models listed in this manual are not applicable to all regions. Please consult your local sales office for the models applicable to your region.

Table of Contents

1 Applicable Models and Software Versions 1-1
2 Typical Network Scenarios 2-1
  AC Networking 2-1
  Access Controller Module Networking 2-1
  Unified Switch Networking 2-2
3 Feature Matrixes 3-1
  Feature Matrix for the WX5000 Series 3-1
  Feature Matrix for the WX6000 Series 3-7
  Feature Matrix for the WX3000 Series 3-11
4 Command Matrixes 4-1
  Command Matrix for the WX5000 Series 4-1
  Command Matrix for the WX6000 Series 4-15
  Command Matrix for the WX3000 Series 4-24
5 CLI Configuration 5-1
  What Is CLI? 5-1
  Entering the CLI 5-1
    Entering CLI Through the Console Port 5-2
    Entering CLI Through Telnet 5-6
  CLI Descriptions 5-7
    Command Conventions 5-7
    CLI View Description 5-8
  Using the CLI 5-9
    Using the CLI Online Help 5-9
    Command Line Error Information 5-10
    Typing and Editing Commands 5-11
    Displaying and Executing History Commands 5-11
    Undo Form of a Command 5-12
    Controlling CLI Display 5-12
  Configuring the CLI 5-15
    Configuring CLI Hotkeys 5-15
    Configuring Command Aliases 5-16
    Synchronous Information Output 5-17
    Configuring Command Levels 5-18
    Saving Configurations 5-19
6 FTP Configuration 6-1
  FTP Overview 6-1
    Introduction to FTP 6-1
    Operation of FTP 6-1
  Configuring the FTP Client 6-3
    Establishing an FTP Connection 6-3
    Operating the Directories on an FTP Server 6-4
    Operating the Files on an FTP Server 6-5
    Using Another Username to Log In to an FTP Server 6-6
    Maintaining and Debugging an FTP Connection 6-6
    Terminating an FTP Connection 6-6
    FTP Client Configuration Example 6-7
  Configuring the FTP Server 6-8
    Configuring FTP Server Operating Parameters 6-8
    Configuring Authentication and Authorization on the FTP Server 6-9
    FTP Server Configuration Example 6-10
  Displaying and Maintaining FTP 6-12
7 TFTP Configuration 7-1
  TFTP Overview 7-1
    Introduction to TFTP 7-1
    Operation of TFTP 7-1
  Configuring the TFTP Client 7-2
  Displaying and Maintaining the TFTP Client 7-3
  TFTP Client Configuration Example 7-3
8 Logging In to an Access Controller Product 8-1
  Logging In to an Access Controller Product 8-1
  Introduction to the User Interface 8-1
    Supported User Interfaces 8-1
    User Interface Number 8-1
    Common User Interface Configuration 8-2
9 Logging In Through the Console Port 9-1
  Introduction 9-1
  Setting Up the Connection to the Console Port 9-1
  Console Port Login Configuration 9-4
    Configuring Common Settings for Console Login 9-4
    Console Port Login Configurations for Different Authentication Modes 9-5
  Configuring None Authentication for Console Port Login 9-6
    Configuration Procedure 9-6
    Configuration Example 9-8
  Configuring Password Authentication for Console Port Login 9-9
    Configuration Procedure 9-9
    Configuration Example 9-10
  Configuring Scheme Authentication for Console Port Login 9-12
    Configuration Procedure 9-12
    Configuration Example 9-14
10 Logging In Through Telnet 10-1
  Introduction 10-1
  Establishing a Telnet Connection 10-2
    Telnetting to an Access Controller from a Terminal 10-2
    Telnetting to Another Access Controller from the Current One 10-4
  Common Configuration 10-4
  Telnet Configurations for Different Authentication Modes 10-5
  Configuring None Authentication for Telnet Login 10-6
    Configuration Procedure 10-6
    Configuration Example 10-7
  Configuring Password Authentication for Telnet Login 10-8
    Configuration Procedure 10-8
    Configuration Example 10-9
  Configuring Scheme Authentication for Telnet Login 10-11
    Configuration Procedure 10-11
    Configuration Example 10-13
11 Logging In Through the Web-Based Network Management System 11-1
  Introduction 11-1
  Setting Up a Web Configuration Environment 11-2
12 Logging In Through an NMS 12-1
  Introduction 12-1
  Connection Establishment 12-1
13 Controlling Login Users 13-1
  Introduction 13-1
  Controlling Telnet Users 13-1
    Prerequisites 13-1
    Controlling Telnet Users by SSIDs of Clients 13-2
    Controlling Telnet Users by Source IP Addresses 13-2
    Controlling Telnet Users by Source and Destination IP Addresses 13-3
    Controlling Telnet Users by Source MAC Addresses 13-3
    Configuration Example 13-4
  Controlling Network Management Users by Source IP Addresses 13-5
    Prerequisites 13-5
    Controlling Network Management Users by Source IP Addresses 13-5
    Configuration Example 13-6
14 File Management 14-1
  Managing Files 14-1
  Filename Formats 14-1
  Directory Operations 14-2
    Displaying Directory Information 14-2
    Displaying the Current Working Directory 14-2
    Changing the Current Working Directory 14-2
    Creating a Directory 14-2
    Removing a Directory 14-2
  File Operations 14-3
    Displaying File Information 14-3
    Displaying the Contents of a File 14-3
    Renaming a File 14-3
    Copying a File 14-4
    Moving a File 14-4
    Deleting a File 14-4
    Restoring a File from the Recycle Bin 14-4
    Emptying the Recycle Bin 14-4
  Batch Operations 14-5
  Storage Medium Operations 14-5
    Managing the Space of a Storage Medium 14-5
    Mounting/Unmounting a Storage Medium 14-6
  Setting Prompt Modes 14-6
  Example for File Operations 14-7
15 Configuration File Management 15-1
  Configuration File Overview 15-1
    Types of Configuration 15-1
    Format and Content of a Configuration File 15-1
    Coexistence of Multiple Configuration Files 15-2
    Startup with the Configuration File 15-2
  Saving the Current Running Configuration 15-2
    Introduction 15-2
    Encrypting a Configuration File 15-2
    Modes in Saving the Configuration 15-3
  Setting Configuration Rollback 15-4
    Configuration Rollback 15-4
    Configuration Task List 15-4
  Configuring Parameters for Saving the Current Running Configuration 15-5
  Enabling Automatic Saving of the Running Configuration 15-6
  Manually Saving the Current Running Configuration 15-6
  Setting Configuration Rollback 15-7
  Specifying a Startup Configuration File to Be Used at the Next System Startup 15-7
  Backing Up the Startup Configuration File 15-8
  Deleting a Startup Configuration File to Be Used at the Next Startup 15-8
  Restoring a Startup Configuration File 15-9
  Displaying and Maintaining Device Configuration 15-9
16 Device Management 16-1
  Device Management Overview 16-1
  Device Management Configuration Task List 16-1
  Registering the Software 16-2
  Rebooting the AC 16-2
  Configuring the Scheduled Automatic Execution Function 16-3
  Upgrading AC Software 16-4
    AC Software Overview 16-4
    Upgrading the Boot ROM Program Through Command Lines 16-5
    Upgrading the Boot File Through Command Lines 16-6
  Configuring Temperature Alarm Thresholds for a Board 16-6
  Clearing the 16-bit Interface Indexes Not Used in the Current System 16-6
  Displaying and Maintaining Device Management Configuration 16-7
  Device Management Configuration Examples 16-8
    Remote Scheduled Automatic Upgrade Configuration Example 16-8
17 User Interface Configuration 17-1
  User Interface Overview 17-1
    Brief Introduction 17-1
    Users and User Interfaces 17-2
    Numbering User Interfaces 17-2
  User Interface Configuration Task List 17-2
  Configuring Asynchronous Serial Interface Attributes 17-3
  Configuring Terminal Attributes 17-4
  Configuring the auto-execute Command 17-5
  Configuring User Privilege Level Under a User Interface 17-5
  Configuring Access Restriction on VTY User Interfaces 17-6
  Configuring Supported Protocols on VTY User Interfaces 17-7
  Configuring Authentication Mode for Users at Login 17-7
  Configuring Command Authorization 17-9
  Configuring Command Accounting 17-10
  Defining Shortcut Keys for Starting Terminal Sessions/Aborting Tasks 17-10
  Sending Messages to the Specified User Interfaces 17-11
  Releasing the Connection Established on the User Interfaces 17-11
  Displaying and Maintaining User Interfaces 17-11
  User Interface Configuration Examples 17-12
    User Authentication Configuration Example 17-12
    Command Authorization Configuration Example 17-13
    Command Accounting Configuration Example 17-14
18 Basic Configurations 18-1
  Configuration Display 18-1
  Quick Configuration 18-2
  Basic Configurations 18-2
    Entering System View 18-3
    Exiting the Current View 18-3
    Exiting to User View 18-3
    Configuring the AC Name 18-3
    Configuring the System Clock 18-4
    Configuring a Banner 18-6
    Configuring CLI Hotkeys 18-8
    Configuring Command Aliases 18-9
    Configuring User Privilege Levels and Command Levels 18-10
    Configuring the Number of Concurrent Users 18-16
    Displaying and Maintaining Basic Configurations 18-16
  CLI Features 18-17
    Introduction to CLI 18-17
    Online Help with Command Lines 18-18
    Synchronous Information Output 18-19
    Undo Form of a Command 18-19
    Editing Features 18-19
    CLI Display 18-20
    Saving History Commands 18-23
    Command Line Error Information 18-23
19 HTTP Configuration 19-1
  HTTP Overview 19-1
    How HTTP Works 19-1
    Logging In to the Access Controller (AC) Through HTTP 19-1
    Protocols and Standards 19-1
  Enabling the HTTP Service 19-2
  Configuring the Port Number of the HTTP Service 19-2
  Associating the HTTP Service with an ACL 19-2
  Displaying and Maintaining HTTP 19-3
20 HTTPS Configuration 20-1
  HTTPS Overview 20-1
  HTTPS Configuration Task List 20-1
  Associating the HTTPS Service with an SSL Server Policy 20-2
  Enabling the HTTPS Service 20-2
  Associating the HTTPS Service with a Certificate Attribute Access Control Policy 20-3
  Configuring the Port Number of the HTTPS Service 20-3
  Associating the HTTPS Service with an ACL 20-4
  Displaying and Maintaining HTTPS 20-4
  HTTPS Configuration Example 20-5
21 Hotfix Configuration 21-1
  Hotfix Overview 21-1
    Basic Concepts in Hotfix 21-1
    Patch Status 21-2
  Hotfix Configuration Task List 21-4
  Configuration Prerequisites 21-5
  One-Step Patch Installation 21-5
  Step-by-Step Patch Installation 21-6
    Step-by-Step Patch Installation Task List 21-6
    Configuring the Patch File Location 21-6
    Loading a Patch File 21-6
    Activating Patches 21-7
    Confirming Running Patches 21-7
  One-Step Patch Uninstallation 21-8
  Step-by-Step Patch Uninstallation 21-8
    Step-by-Step Patch Uninstallation Task List 21-8
    Stopping Running Patches 21-8
    Deleting Patches 21-8
  Displaying and Maintaining Hotfix 21-9
  Hotfix Configuration Example 21-9
22 Index 22-1

Applicable Models and Software Versions


H3C WX series access controllers include the WX3000 series unified switches, and the WX5000 and WX6000 series access controllers. Table 1-1 shows the applicable models and software versions.

Table 1-1 Applicable models and software versions

Model | Software version
WX3024 unified switches | WX3000-CMW520-R3111P03
WX3010 unified switches | WX3000-CMW520-R3111P03
WX3008 unified switches | WX3000-CMW520-R3111P03
LSWM1WCM20 access controller module | WX3000-CMW520-R3111P03
WX5002 access controller | WX5002-CMW520-R1112
LS8M1WCMA0 access controller module | WX5002-CMW520-R1112
WX5002V2 access controller | WX5004-CMW520-R2107P04
WX5004 access controller | WX5004-CMW520-R2107P04
LSWM1WCM10 access controller module | WX5004-CMW520-R2107P04
WX6103 access controller | WX6103-CMW520-R2115P08
LSQM1WCMB0 access controller module | WX6103-CMW520-R2115P08
LSBM1WCM2A0 access controller module | WX6103-CMW520-R2115P08
LSRM1WCM2A1 access controller module | WX6103-CMW520-R2115P08


Typical Network Scenarios

AC Networking
As shown in the following figure, the AC is connected to Switch (Layer 2 or Layer 3) through GE1/0/1. Switch can be connected to APs directly or connected to APs over an IP network. Clients can be connected to the network through the APs to implement WLAN user access.

Figure 2-1 AC networking (Scheme 1: AC connected through GE 1/0/1 to Switch; Server; IP network; AP 1 and AP 2; Client A and Client B)

Access Controller Module Networking


As shown in the following figure, installed with an access controller module, Switch (Layer 2 or Layer 3) can be connected to APs directly or connected to APs over an IP network. Clients can be connected to the network through the APs to implement WLAN user access.


Figure 2-2 Access controller module networking

Unified Switch Networking


As shown in Figure 2-3, Unified switch (functions as both an AC and a Layer 2 switch) can be connected to APs directly or connected to APs over an IP network. Clients can be connected to the network through the APs to implement WLAN user access. Figure 2-3 Unified switch networking diagram


Feature Matrixes
In this document, Yes means a feature or command is supported, and No means not supported.

Feature Matrix for the WX5000 Series

The LS8M1WCMA0, LSWM1WCM10, and LSWM1WCM20 on the WX5000 series adopt the OAP architecture. Installed on the expansion slots of switches, they work as OAP cards to exchange data and status and control information with the switches through their internal service interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on GE interfaces on the LS8M1WCMA0, XGE 1/0/1 on the LSWM1WCM10, and the logical interface BAGG1 aggregated by GE 1/0/1 and GE 1/0/2 on the LSWM1WCM20.

Table 3-1 Feature matrix for the WX5000 series

Feature | WX5002 | WX5002V2 | LS8M1WCMA0 | WX5004 | LSWM1WCM10 | LSWM1WCM20

Fundamentals Configuration Guide

Login configuration
AUX user interface | Yes | No | Yes | No | Yes | Yes
Console user interface | No | Yes | No | Yes | No | No
Telnet | Yes | Yes | Yes | Yes | Yes | Yes

User interface configuration
User interface type | Console user interface not supported | AUX user interface not supported | Console user interface not supported | AUX user interface not supported | Console user interface not supported | Console user interface not supported

File system management configuration
Configuration file encryption | No | No | No | No | No | Yes
Storage media supported | Flash | CF | Flash | CF | CF | Flash

Device management configuration
License | Supports 32 concurrent APs by default, and can be extended to support 64. No on the WX5002-128. | Supports 32 concurrent APs by default, and can be extended to support 64. | No | Supports 64 concurrent APs by default, and can be extended to support 256. | Supports 64 concurrent APs by default, and can be extended to support 256. | Supports 32 concurrent APs by default, and can be extended to support 128.

WLAN Configuration Guide

WLAN services configuration
Hot AC backup | No | Yes | No | Yes | Yes | No
Maximum number of SSIDs supported | 128 | 256 | 128 | 256 | 256 | 128

Layer 2 LAN Switching Configuration Guide

Ethernet interface configuration
Combo port configuration | Yes | Yes | No | Yes | No | No
Shutting down an Ethernet interface | Yes | Yes | Yes | Yes | Yes. Do not use the shutdown command on internal interfaces; otherwise, the normal operation of the device will be affected. | Yes. Do not use the shutdown command on internal interfaces; otherwise, the normal operation of the device will be affected.
Configuring flow control on an Ethernet interface | Yes | Yes | Yes | Yes | No | No
Configuring loopback detection on an Ethernet interface | Yes on GE interfaces only | Yes on GE interfaces only | Internal loopback testing supported on GE interfaces only | Yes on GE interfaces only | Internal loopback testing supported on XGE interfaces only | Internal loopback testing supported on GE interfaces only

Link aggregation configuration
Link aggregation | Yes | Yes | No | Yes | No | Yes

MSTP configuration
STP | No | Yes | No | Yes | No | No

Layer 2 forwarding configuration
Layer 2 forwarding | Yes | No | Yes | No | No | No

Port mirroring configuration
Port mirroring | Remote port mirroring and cross-board mirroring not supported | Remote port mirroring and cross-board mirroring not supported | No | Remote port mirroring and cross-board mirroring not supported | No | No

Layer 3 IP Services Configuration Guide

DNS configuration
IPv6 DNS configuration | Yes | Yes | Yes | Yes | Yes | Yes

IP performance optimization configuration
Configuring ICMP to send error packets | No | No | No | Yes | No | No

Adjacency table configuration
Displaying and maintaining adjacency table | No | Yes | No | Yes | Yes | Yes

IPv6 basics configuration
IPv6 basics configuration | Yes | Yes | Yes | Yes | Yes | Yes

IPv6 application configuration
IPv6 application configuration | Yes | Yes | Yes | Yes | Yes | Yes

Layer 3 IP Routing Configuration Guide

IP routing basics configuration
IPv6 features | Yes | Yes | Yes | Yes | Yes | Yes

IPv6 static routing configuration
IPv6 static routing configuration | Yes | Yes | Yes | Yes | Yes | Yes

IP Multicast Configuration Guide

MLD snooping configuration
MLD snooping | Yes | Yes | Yes | Yes | Yes | Yes

IPv6 multicast VLAN configuration
IPv6 multicast VLAN | Yes | Yes | Yes | Yes | Yes | Yes

ACL and QoS Configuration Guide

ACL configuration
IPv6 ACL | Yes | Yes | Yes | Yes | Yes | Yes

QoS
Configuring line rate | Yes | Yes | Yes | Yes | Yes | Yes
Configuring CAR applicable to all traffic of online users | No | Yes | No | Yes | Yes | Yes

Security Configuration Guide

AAA
Specifying the device ID to be used in stateful failover mode | No | Yes | No | Yes | Yes | No

Portal configuration
Configuring Layer 3 portal authentication | No | Yes | No | Yes | Yes | Yes
Specifying the portal group to which the portal service backup interface belongs | No | Yes | No | Yes | Yes | No
Specifying the device ID to be used in stateful failover mode | No | Yes | No | Yes | Yes | No
Specifying the backup source IP address for RADIUS packets to be sent | No | Yes | No | Yes | Yes | No

SSH2.0 configuration
Specifying a source IPv6 address or interface for an SSH client | Yes | Yes | Yes | Yes | Yes | Yes
Establishing a connection between an SSH client and an IPv6 SSH server | Yes | Yes | Yes | Yes | Yes | Yes
Specifying a source IPv6 address or interface for an SFTP client | Yes | Yes | Yes | Yes | Yes | Yes
Establishing a connection between an SFTP client and an IPv6 SFTP server | Yes | Yes | Yes | Yes | Yes | Yes
IPv6 SFTP client | Yes | Yes | Yes | Yes | Yes | Yes

Security protection configuration
Management protocol packets supported | Telnet, SNMP, and web management packets whose destination IP address is the local host | ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host | Telnet, SNMP, and web management packets whose destination IP address is the local host | ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host | ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host | ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host
Other protocol packets supported | 11MAC/802.1X/ARP/DHCP/HWTACACS/ICMP/IGMP/MLD/LWAPP/ND/NTP/PIM/RADIUS. Data packets: all packets except the above packets. | UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/Loopback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default | 11MAC/802.1X/ARP/DHCP/HWTACACS/ICMP/IGMP/MLD/LWAPP/ND/NTP/PIM/RADIUS. Data packets: all packets except the above packets. | UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/Loopback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default | UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/Loopback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default | UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/Loopback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default
Enabling attack prevention for protocols | No | Yes | No | Yes | Yes | Yes
Configuring rate limits for a protocol | No | Yes | No | Yes | Yes | Yes

Network Management and Monitoring Configuration Guide

Information center configuration
Logfile | No | Yes | No | Yes | Yes | No

OAA Configuration Guide

OAP module configuration
OAP module configuration | No | Yes | No | Yes | No | No

OAA configuration
ACSEI server configuration | No | Yes | No | Yes | No | No
ACSEI client configuration | No | Yes | Yes | Yes | Yes | Yes

Access Controller Module Basic Configuration Guide

Access Controller Module Basic Configuration
Access Controller Module Basic Configuration | No | No | Yes | No | Yes | Yes

Feature Matrix for the WX6000 Series

The switch interface module on the WX6103, and the LSQM1WCMB0, LSBM1WCM2A0, and LSRM1WCM2A1 access controller modules on the WX6000 series adopt the OAP architecture. Installed on the expansion slots of switches, they work as OAP cards to exchange data and status and control information with the switches through their internal service interfaces. The XGE interfaces on the switch interface module on the WX6103, and the LSQM1WCMB0, LSBM1WCM2A0, and LSWM1WCM10 access controller modules are internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on them.

Table 3-2 Feature matrix for the WX6000 series


Volume Module Feature AUX user interface Login configuration Console user interface Telnet User interface configuration File management configuration User interface type Configuration file encryption Storage media supported Device management configuration No Yes Yes AUX user interface not supported No CF and USB 128 APs at most by default, and can be extended to 640 APs. Yes WX6103 LSQM1WCMB0 No Yes Yes AUX user interface not supported No CF and USB 128 APs at most by default, and can be extended to 640 APs. Yes LSBM1WCM2A0 No Yes Yes (IPv6 telnet not supported) AUX user interface not supported No CF and USB 128 APs at most by default, and can be extended to 640 APs. Yes LSRM1WCM2A1 Yes Yes Yes AUX user interface not supported No CF and USB 128 APs at most by default, and can be extended to 640 APs. Yes

Fundamentals Configuration Guide

License

WLAN Configuration

WLAN services

Hot AC backup

3-7

Volume Guide

Module configuration

Feature Maximum number of SSIDs supported Combo port configuration Shutting down an Ethernet interface 512

WX6103

LSQM1WCMB0 512

LSBM1WCM2A0 512

LSRM1WCM2A1 512

The MPU does not support the Combo port. Yes Internal loopback testing supported on XGE interfaces only No No No No No Yes No

No

No

No

Yes Internal loopback testing supported on XGE interfaces only No No No No No Yes No

Yes Internal loopback testing supported on XGE interfaces only No No No No No No No

Yes Internal loopback testing supported on XGE interfaces only No No No No No Yes No

Ethernet interface configuration Configuring flow control on an Ethernet interface Layer 2 LAN Switching Configuration Guide Link aggregation configuration MSTP Configuration Layer 2 forwarding configuration Port mirroring configuration DNS configuration IP performance optimization configuration Layer 3 IP Services Configuration Guide Adjacency table configuration IPv6 basics configuration IPv6 application configuration Loopback detection on an Ethernet interface Link aggregation STP Layer 2 forwarding Port mirroring IPv6 DNS configuration Configuring ICMP to send error packets Displaying and maintaining adjacency table IPv6 basics configuration IPv6 application configuration

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes

No No

Yes Yes

3-8

Volume

Module IP routing basics configuration IPv6 static routing configuration MLD snooping configuration IPv6 multicast VLAN configuration ACL configuration

Feature IPv6-related displaying and maintaining commands IPv6 static routing configuration MLD snooping IPv6 multicast VLAN IPv6 ACL Configuring line rate Yes

WX6103

LSQM1WCMB0 Yes

LSBM1WCM2A0 No

LSRM1WCM2A1 Yes

Layer 3 IP Routing Configuration Guide

Yes Yes Yes Yes No Yes

Yes Yes Yes Yes No Yes

No No No No No Yes

Yes No No Yes No Yes

IP Multicast Configuration Guide

ACL and QoS Configuration Guide

QoS

Configuring CAR applicable to all traffic of online users Specifying the device ID to be used in stateful failover mode Configuring Layer 3 portal authentication Specifying the portal group to which the portal service backup interface belongs

Security Configuration Guide

AAA configuration

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Portal configuration

Specifying the device ID to be used in stateful failover mode Specifying the backup source IP address for RADIUS packets to be sent

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

SSH2.0 configuration

Specifying a source IPv6 address or interface for an SSH client

Yes

Yes

No

Yes

3-9

Volume

Module

Feature Establishing a connection between an SSH client and an IPv6 SSH server Specifying a source IPv6 address or interface for an SFTP client Establishing a connection between an SFTP client and an IPv6 SFTP server IPv6 SFTP client

WX6103

LSQM1WCMB0

LSBM1WCM2A0

LSRM1WCM2A1

Yes

Yes

No

Yes

Yes

Yes

No

Yes

Yes

Yes

No

Yes

Yes ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes

Yes ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes

No ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes

Yes ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes

Management protocol packets supported

Security protection configuration

Other protocol packets supported

Enabling attack prevention for protocols Configuring rate limits for a protocol Network Management and Monitoring Configuration Guide OAA Configuration Guide Information center configuration OAA configuration Logfile OAP module configuration ACSEI server configuration

Yes

No

No

No

Yes Yes

No No

No No

No No


Feature ACSEI client configuration Yes

WX6103

LSQM1WCMB0 Yes

LSBM1WCM2A0 Yes

LSRM1WCM2A1 Yes

Access Controller Module Basic Configuration Guide

Access Controller Module Basic Configuration

Access Controller Module Basic Configuration

No

Yes

Yes

Yes

Feature Matrix for the WX3000 Series

The access controller engine and the switching engine of the WX3000 series use the OAP architecture: the switching engine is integrated with the access controller engine as an OAP card. By default, logging in to the device logs you in to the access controller engine. GE1/0/1 on the WX3024, WX3010 and WX3008 is used to exchange data, status and control information with GE1/0/29 (WX3024), GE1/0/11 (WX3010) or GE1/0/9 (WX3008) on the switching engine. Do not configure services such as QoS rate limiting or 802.1X authentication on these interfaces.

Table 3-3 Feature matrix for the WX3000 series


Volume | Module | Feature | WX3024 | WX3010 | WX3008
Fundamentals Configuration Guide | Login configuration | AUX user interface | Yes | Yes | Yes
 | | Console user interface | No | No | No
 | | Telnet | Yes (IPv6 telnet not supported) | Yes (IPv6 telnet not supported) | Yes (IPv6 telnet not supported)
 | User interface configuration | User interface type | Console user interface not supported | Console user interface not supported | Console user interface not supported
 | File management configuration | Configuration file encryption | Yes | Yes | Yes
 | | Storage media supported | Flash | Flash | Flash
 | Device management configuration | License | 24 APs at most by default, and can be extended to 48 APs. | 12 APs at most by default, and can be extended to 24 APs. | No
 | | Hot AC backup | No | No | No
WLAN Configuration Guide | WLAN services configuration | Maximum number of SSIDs supported | 64 | 64 | 64
Layer 2 LAN Switching Configuration Guide | Ethernet interface configuration | Combo port configuration | No | No | No
 | | Shutting down an Ethernet interface | No on GE1/0/1 of the access controller engine and GE1/0/29 on the switching engine | No on GE1/0/1 of the access controller engine and GE1/0/29 on the switching engine | No on GE1/0/1 of the access controller engine and GE1/0/29 on the switching engine
 | | Configuring flow control on an Ethernet interface | No | No | No
 | | Loopback detection on an Ethernet interface | Internal loopback testing supported on GE interfaces only | Internal loopback testing supported on GE interfaces only | Internal loopback testing supported on GE interfaces only
 | Link aggregation configuration | Link aggregation configuration | No | No | No
 | MSTP Configuration | STP | No | No | No
 | Layer 2 forwarding configuration | Layer 2 forwarding | No | No | No
 | Port mirroring configuration | Port mirroring configuration | No | No | No
Layer 3 IP Services Configuration Guide | DNS configuration | IPv6 DNS configuration | No | No | No
 | IP performance optimization configuration | Configuring ICMP to send error packets | No | No | No
 | Adjacency table configuration | Displaying and maintaining an adjacency table | Yes | Yes | Yes
 | IPv6 basics configuration | IPv6 basics configuration | No | No | No


Module IPv6 application configuration IP routing basics configuration IPv6 static routing configuration MLD snooping configuration

IPv6 application configuration IPv6-related displaying and maintaining commands IPv6 static routing configuration MLD snooping IPv6 multicast VLAN IPv6 ACL Configuring line rate No No No No No No No Yes No Yes

WX3024 No No No No No No No Yes No Yes

WX3010 No No No No No No No Yes No Yes

WX3008

Layer 3 IP Routing Configuration Guide

IP Multicast Configuration Guide

IPv6 multicast VLAN configuration ACL configuration

ACL and QoS Configuration Guide

QoS

Configuring CAR applicable to all traffic of online users Specifying the device ID to be used in stateful failover mode Configuring Layer 3 portal authentication Specifying the portal group to which the portal service backup interface belongs

Security Configuration Guide

AAA configuration

No

No

No

Portal configuration Specifying the device ID to be used in stateful failover mode Specifying the backup source IP address for RADIUS packets to be sent SSH2.0 configuration Specifying a source IPv6 address or interface for an SSH client Establishing a connection between an SSH client and an IPv6 SSH server No No No

No

No

No

No

No

No

No

No

No


Feature Specifying a source IPv6 address or interface for an SFTP client Establishing a connection between an SFTP client and an IPv6 SFTP server IPv6 SFTP client Management protocol packets supported No

WX3024 No

WX3010 No

WX3008

No No ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes

No No ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes

No No ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default Yes Yes

Security protection configuration

Other protocol packets supported

Enabling attack prevention for protocols Configuring rate limits for a protocol Network Management and Monitoring Configuration Guide Information center configuration Logfile OAP module configuration OAA Configuration Guide OAA configuration ACSEI server configuration ACSEI client configuration Access Controller Module Basic Configuration Guide Access Controller Module Basic Configuration Access Controller Module Basic Configuration

No Yes No No No

No Yes No No No

No Yes No No No


Command Matrixes
In this document, Yes means that a feature or command is supported, and No means that it is not supported.

Command Matrix for the WX5000 Series


Table 4-1 Command matrix for the WX5000 series
Volume | Module | Command | WX5002 | WX5002V2 | LS8M1WCMA0 | WX5004 | LSWM1WCM10 | LSWM1WCM20
Fundamentals Command Reference | Login commands | telnet ipv6 | Yes | Yes | Yes | Yes | Yes | Yes
 | User Interface Commands | display user-interface | AUX and VTY; number 0 to 5 | Console and VTY; number 0 to 6 | AUX and VTY; number 0 to 5 | Console and VTY; number 0 to 6 | AUX and VTY; number 0 to 6 | AUX and VTY; number 0 to 6
 | | free user-interface | AUX and VTY; number 0 to 5 | Console and VTY; number 0 to 6 | AUX and VTY; number 0 to 5 | Console and VTY; number 0 to 6 | AUX and VTY; number 0 to 6 | AUX and VTY; number 0 to 6
 | | send | AUX and VTY; number 0 to 5 | Console and VTY; number 0 to 6 | AUX and VTY; number 0 to 5 | Console and VTY; number 0 to 6 | AUX and VTY; number 0 to 6 | AUX and VTY; number 0 to 6
 | | user-interface | AUX and VTY; number 0 to 5 | Console and VTY; number 0 to 6 | AUX and VTY; number 0 to 5 | Console and VTY; number 0 to 6 | AUX and VTY; number 0 to 6 | AUX and VTY; number 0 to 6
 | File management commands | configuration encrypt | No | No | No | No | No | Yes
 | | ftp ipv6 | Yes | Yes | Yes | Yes | Yes | Yes
 | | mount | No | No | No | Yes | No | No
 | | open ipv6 | No | No | No | Yes | No | No
 | | tftp ipv6 | Yes | Yes | Yes | Yes | Yes | Yes
 | | umount | No | No | No | Yes | No | No
 | Device management commands | display device | cf-card, usb, subslot subslot-number not supported | usb not supported | cf-card, usb, subslot subslot-number not supported | usb not supported | usb and subslot subslot-number not supported | cf-card, usb, subslot subslot-number not supported
 | | display fan | fan-id takes the value of 1 or 2. | fan-id ranges from 1 to 5. | fan-id takes the value of 1 or 2. | fan-id ranges from 1 to 5. | No | No
 | | display power | power-id takes the value of 1 or 2. | power-id takes the value of 1 or 2. | power-id takes the value of 1 or 2. | power-id takes the value of 1 or 2. | No | No
 | | display rps | No | No | No | No | No | No

In the user interface command rows, each cell lists the user interface types supported and the value range of number when number is an absolute index.


Command license append

WX5002 No on the WX5002-128 By default, lower-value is 5, and upper-value is 60 number ranges from 1 to 6.

WX5002V2 Yes By default, lower-value is 0, and upper-value is 90 number ranges from 1 to 7.

LS8M1WCMA0 Yes By default, lower-value is 5, and upper-value is 60 number ranges from 1 to 6.

WX5004 Yes By default, lower-value is 0, and upper-value is 90 number ranges from 1 to 7. interface-number ranges from 0 to 1023. interface-number ranges from 0 to 1023. Yes interface-index ranges from 0 to 1023. group-id ranges from 1 to 64.

LSWM1WCM10 Yes

LSWM1WCM20 Yes By default, lower-value is 0, and upper-value is 60 number ranges from 1 to 7.

temperature-limit

No

Basic system configuration commands WLAN Command Reference WLAN interface commands

configure-user count

number ranges from 1 to 7.

display interface wlan-ess

interface-number ranges from 0 to 127.

interface-number ranges from 0 to 1023.

interface-number ranges from 0 to 127.

interface-number ranges from 0 to 1023.

interface-number ranges from 0 to 127.

interface wlan-ess

interface-number ranges from 0 to 127.

interface-number ranges from 0 to 1023.

interface-number ranges from 0 to 127.

interface-number ranges from 0 to 1023.

interface-number ranges from 0 to 127.

WLAN services commands

All commands for hot AC backup

No interface-index ranges from 0 to 127.

Yes interface-index ranges from 0 to 1023.

No interface-index ranges from 0 to 127.

No interface-index ranges from 0 to 127.

Yes interface-index ranges from 0 to 1023.

bind wlan-ess

display wlan ap-group

group-id ranges from 1 to 128.

group-id ranges from 1 to 32.

group-id ranges from 1 to 128.

group-id ranges from 1 to 32.

group-id ranges from 1 to 64.


WX5004 hellointerval ranges from 100 to 2000 milliseconds, and defaults to 2000 milliseconds. group-id ranges from 1 to 64. group-id ranges from 1 to 64. Yes Yes Yes Yes Yes Yes Yes Yes Yes


hot-backup hellointerval

No

hellointerval ranges from 100 to 2000 milliseconds, and defaults to 2000 milliseconds.

No

No

hellointerval ranges from 100 to 2000 milliseconds, and defaults to 2000 milliseconds.

wlan ap-group

group-id ranges from 1 to 128.

group-id ranges from 1 to 32.

group-id ranges from 1 to 128.

group-id ranges from 1 to 32.

group-id ranges from 1 to 64.

wlan permit-ap-group display wlan client display wlan mobility-group WLAN roaming commands member mobility-tunnel undo member source Layer 2 LAN Switching Command Reference Ethernet interface commands duplex display loopback-detection flow-control

group-id ranges from 1 to 128.

group-id ranges from 1 to 32.

group-id ranges from 1 to 128.

group-id ranges from 1 to 32.

group-id ranges from 1 to 64.

Yes Yes Yes Yes Yes Yes Yes Yes Yes

Yes Yes Yes Yes Yes Yes Yes Yes Yes

Yes Yes Yes Yes Yes Yes Yes Yes Yes

Yes Yes Yes Yes Yes Yes No Yes No

Yes Yes Yes Yes Yes Yes No No No


WX5004 value ranges from 1600 to 4096 bytes and defaults to 1600 bytes. Yes Yes Yes Yes Yes Yes The maximum value is 512. count ranges from 0 to 8192.


jumboframe enable

value ranges from 1600 to 9216 bytes and defaults to 1600 bytes.

value ranges from 1600 to 4096 bytes and defaults to 1600 bytes.

value ranges from 1600 to 4096 bytes and defaults to 1600 bytes.

value ranges from 1600 to 4096 bytes and defaults to 1600 bytes.

value ranges from 1600 to 4096 bytes and defaults to 1600 bytes.

loopback loopback-detection control enable loopback-detection enable loopback-detection interval-time shutdown speed interface vlan-interface

Yes Yes Yes Yes Yes Yes The maximum value is 64.

Yes Yes Yes Yes Yes Yes The maximum value is 64.

Yes Yes Yes Yes Yes No The maximum value is 64.

Only internal is supported. No No No No No The maximum value is 512.

Only internal is supported. No No No No No The maximum value is 64.

VLAN commands

MAC Address Table Commands

mac-address max-mac-count All commands in the link aggregation commands manual All commands in the MSTP commands manual

count ranges from 0 to 4096.

count ranges from 0 to 4096.

count ranges from 0 to 4096.

count ranges from 0 to 8192.

count ranges from 0 to 4096.

Link aggregation commands

Yes

Yes

No

No

No

No

MSTP commands

No

Yes

No

Yes

No

No


Module Layer 2 forwarding commands

Command All commands in the Layer 2 commands manual All commands in the port mirroring commands manual pppoe-server max-sessions local-mac


Yes

No

Yes

Yes

No

No

Port mirroring commands

Yes

Yes

No

Yes

No

No

number ranges from 1 to 2048.

number ranges from 1 to 2048.

number ranges from 1 to 2048.

number ranges from 1 to 2048. number ranges from 1 to 65535 and defaults to 4096. number ranges from 0 to 8192.

number ranges from 1 to 4096.

number ranges from 1 to 2048.

Layer 2 WAN Command Reference

PPP commands pppoe-server max-sessions total number ranges from 1 to 2048 and defaults to 1024. number ranges from 1 to 4096 and defaults to 4096. number ranges from 1 to 2048 and defaults to 1024.

number ranges from 1 to 4096 and defaults to 4096.

number ranges from 1 to 2048 and defaults to 1024.

Layer 3 IP Services Command Reference

ARP commands

arp max-learning-num All commands in IPv6 DNS configuration commands ip redirects enable

number ranges from 0 to 2048.

number ranges from 0 to 4096.

number ranges from 0 to 2048.

number ranges from 0 to 2048.

number ranges from 0 to 8192.

DNS commands

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes Yes No

No No No Yes

No No No No

No No No Yes

No No No Yes

No No No Yes

IP performance optimization commands

ip ttl-expires enable ip unreachables enable

Adjacency table commands

display adjacent-table


Command All commands in IPv6 basics commands manual


Yes

Yes

Yes

Yes

Yes

Yes

IPv6 basics commands ipv6 neighbors max-learning-num

number ranges from 1 to 256 and defaults to 256.

number ranges from 1 to 1024 and defaults to 1024.

number ranges from 1 to 256 and defaults to 256.

number ranges from 1 to 1024 and defaults to 1024.

number ranges from 1 to 1024 and defaults to 1024.

number ranges from 1 to 1024 and defaults to 1024.

IPv6 application commands Layer 3 IP Routing Command Reference

All commands in IPv6 application commands manual display ipv6 routing-table display ipv6 routing-table ipv6-address display ipv6 routing-table ipv6-address1 ipv6-address2

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

IP routing basics commands

display ipv6 routing-table protocol display ipv6 routing-table statistics display ipv6 routing-table verbose reset ipv6 routing-table statistics

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes


Module IPv6 static routing commands

Command All commands in IPv6 static routing commands manual


Yes

Yes

Yes

Yes

Yes

Yes

IP Multicast Command Reference

igmp-snooping fast-leave

Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Yes Yes

Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Yes Yes

Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Yes Yes

Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Yes Yes

Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Yes Yes

Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Layer 2 aggregate interface view supported Yes Yes

igmp-snooping group-limit IGMP snooping commands igmp-snooping static-group

igmp-snooping static-router-port vlan

Multicast VLAN commands

port multicast-vlan

MLD snooping commands IPv6 multicast VLAN commands

MLD snooping commands IPv6 multicast VLAN commands


Command port multicast-vlan ipv6

WX5002 Layer 2 aggregate interface view supported

WX5002V2 Layer 2 aggregate interface view supported

LS8M1WCMA0 Layer 2 aggregate interface view supported

WX5004 Layer 2 aggregate interface view not supported Yes green action not supported remark-lp-pass new-local-precedence not supported Yes Yes

LSWM1WCM10 Layer 2 aggregate interface view not supported

LSWM1WCM20 Layer 2 aggregate interface view supported

ACL and QoS Command Reference

ACL Commands

IPv6 ACL Configuration Commands

Yes

Yes

Yes

Yes

Yes

QoS Commands

car

pir peak-information-rate not supported

green action not supported remark-lp-pass new-local-precedence not supported

pir peak-information-rate not supported

green action not supported remark-lp-pass new-local-precedence not supported

green action not supported remark-lp-pass new-local-precedence not supported

display qos lr interface display qos map-table

Yes dscp-lp not supported

Yes Yes

Yes dscp-lp not supported

Yes Yes

Yes Yes


WX5004 classifier tcl-name not supported inbound-interface interface-type interface-number not supported

classifier tcl-name not supported inbound-interface interface-type interface-number not supported if-match Yes local-precedence local-precedence-list not supported rtp start-port start-port-number end-port end-port-number not supported Yes

classifier tcl-name not supported inbound-interface interface-type interface-number not supported local-precedence local-precedence-list not supported rtp start-port start-port-number end-port end-port-number not supported

classifier tcl-name not supported inbound-interface interface-type interface-number not supported local-precedence local-precedence-list not supported rtp start-port start-port-number end-port end-port-number not supported

local-precedence local-precedence-list not supported rtp start-port start-port-number end-port end-port-number not supported

qos pql inbound-interface qos pql protocol qos cql inbound-interface qos cql protocol qos car qos map-table

Yes Yes Yes Yes No dscp-lp not supported

No No No No Yes Yes

Yes Yes Yes Yes No dscp-lp not supported

No No No No Yes Yes

No No No No Yes Yes

No No No No Yes Yes


WX5002V2 [ ebs excess-burst-size ] not supported Yes Yes user-number ranges from 1 to 4096. user-number ranges from 1 to 4096 and defaults to 4096.

LSWM1WCM10 [ ebs excess-burst-size ] not supported Yes Yes user-number ranges from 1 to 4096.

LSWM1WCM20 [ ebs excess-burst-size ] not supported Yes No user-number ranges from 1 to 2048.

qos lr

Yes

Yes

No

redirect Security Command Reference AAA commands nas device-id device-id

No No user-number ranges from 1 to 2048.

No No user-number ranges from 1 to 2048.

Yes Yes user-number ranges from 1 to 4096. user-number ranges from 1 to 4096 and defaults to 4096. layer3 supported

802.1X commands

dot1x max-user

MAC authentication commands

mac-authentication max-user user-number

user-number ranges from 1 to 1024 and defaults to 1024.

user-number ranges from 1 to 1024 and defaults to 1024.

user-number ranges from 1 to 4096 and defaults to 4096.

user-number ranges from 1 to 2048 and defaults to 2048.

Portal commands

portal server server-name method { direct | layer3 | redhcp } portal backup-group group-id nas device-id device-id radius nas-backup-ip ip-address radius scheme radius-scheme-name nas-backup-ip ip-address

layer3 not supported

layer3 supported

layer3 not supported

layer3 supported

layer3 supported

No

Yes

No

Yes

Yes

No

No

Yes

No

Yes

Yes

No

No

Yes

No

Yes

Yes

No

No

Yes

No

Yes

Yes

No


Command portal max-user max-number ssh client ipv6 source

WX5002 max-number ranges from 1 to 2048. Yes Yes Yes Yes No

WX5002V2 max-number ranges from 1 to 4096. Yes Yes Yes Yes Yes

LS8M1WCMA0 max-number ranges from 1 to 2048. Yes Yes Yes Yes No

WX5004 max-number ranges from 1 to 4096. Yes Yes Yes Yes Yes

LSWM1WCM10 max-number ranges from 1 to 4096. Yes Yes Yes Yes Yes

LSWM1WCM20 max-number ranges from 1 to 2048. Yes Yes Yes Yes Yes

SSH2.0 commands

ssh2 ipv6 sftp client ipv6 source sftp ipv6 anti-attack protocol enable anti-attack protocol threshold display anti-attack { 11mac | admin | all | arp | data | dhcp | dot1x | hwtacas | icmp | igmp | lwapp | nd | ntp | pim | radius } display anti-attack { protocol protocol | all }

No

Yes

No

Yes

Yes

Yes

Security protection commands

Yes

No

Yes

No

No

No

No

Yes

No

Yes

Yes

Yes

Network Management and Monitoring Command Reference

System maintenance and debugging commands Information center commands

ping ipv6 tracert ipv6 display logfile buffer

Yes Yes No

Yes Yes Yes

Yes Yes No

Yes Yes Yes

Yes Yes Yes

Yes Yes No


Command display logfile summary info-center logfile enable info-center logfile frequency info-center logfile size-quota info-center logfile switch-directory logfile save No No No No No No

WX5002

WX5002V2 Yes Yes Yes Yes Yes Yes

LS8M1WCMA0 No No No No No No

WX5004 Yes Yes Yes Yes Yes Yes

LSWM1WCM10 Yes Yes Yes Yes Yes Yes Yes on the device side of the access controller module Yes No No No No

LSWM1WCM20 No No No No No No Yes on the device side of the access controller module Yes No No No No

mcms connect

No

No

No

No

mcms reboot oap connect slot OAA OAA commands oap management-ip oap reboot slot ACSEI server configuration commands ACSEI client configuration commands

No No No No No

No Yes Yes Yes Yes

No No No No No

No Yes Yes Yes Yes

No

Yes

Yes

Yes

Yes

Yes


Command Matrix for the WX6000 Series


Table 4-2 Command matrix for the WX6000 series
Volume | Module | Command | WX6103 | LSQM1WCMB0 | LSBM1WCM2A0 | LSRM1WCM2A1
Fundamentals Command Reference | Login commands | telnet ipv6 | Yes | Yes | No | Yes
 | User Interface Commands | display user-interface | AUX, console and VTY; number 0 to 6 | AUX, console and VTY; number 0 to 12 | AUX, console and VTY; number 0 to 12 | AUX, console and VTY; number 0 to 12
 | | free user-interface | AUX, console and VTY; number 0 to 6 | AUX, console and VTY; number 0 to 12 | AUX, console and VTY; number 0 to 12 | AUX, console and VTY; number 0 to 12
 | | send | AUX, console and VTY; number 0 to 6 | AUX, console and VTY; number 0 to 12 | AUX, console and VTY; number 0 to 12 | AUX, console and VTY; number 0 to 12
 | | user-interface | AUX, console and VTY; number 0 to 6 | AUX, console and VTY; number 0 to 12 | AUX, console and VTY; number 0 to 12 | AUX, console and VTY; number 0 to 12
 | File management configuration commands | configuration encrypt | No | No | No | No
 | | ftp ipv6 | Yes | Yes | No | Yes
 | | mount | Yes | Yes | Yes | Yes
 | | open ipv6 | Yes | Yes | Yes | Yes
 | | tftp ipv6 | Yes | Yes | No | Yes
 | | umount | Yes | Yes | Yes | Yes
 | Device management commands | display device | Yes | Yes | Yes | Yes
 | | display fan | fan-id can only be 1. | fan-id can only be 1. | fan-id can only be 1. | fan-id can only be 1.
 | | display power | power-id takes the value of 1 or 2. | power-id takes the value of 1 or 2. | power-id takes the value of 1 or 2. | power-id takes the value of 1 or 2.
 | | display rps | No | No | No | No
 | | license append | Yes | Yes | Yes | Yes
 | | temperature-limit | By default, lower-value is 0, and upper-value is 86 | By default, lower-value is 0, and upper-value is 86 | By default, lower-value is 0, and upper-value is 86 | By default, lower-value is 0, and upper-value is 86
 | Basic system configuration commands | configure-user count | number ranges from 1 to 13. | number ranges from 1 to 13. | number ranges from 1 to 13. | number ranges from 1 to 13.
WLAN Command Reference | WLAN interface commands | display interface wlan-ess | interface-number ranges from 0 to 1023. | interface-number ranges from 0 to 1023. | interface-number ranges from 0 to 1023. | interface-number ranges from 0 to 1023.
 | | interface wlan-ess | interface-number ranges from 0 to 1023. | interface-number ranges from 0 to 1023. | interface-number ranges from 0 to 1023. | interface-number ranges from 0 to 1023.
 | WLAN service commands | All commands for hot AC backup | Yes | Yes | Yes | Yes
 | | bind wlan-ess | interface-index ranges from 0 to 1023. | interface-index ranges from 0 to 1023. | interface-index ranges from 0 to 1023. | interface-index ranges from 0 to 1023.
 | | display wlan ap-group | group-id ranges from 1 to 640. | group-id ranges from 1 to 640. | group-id ranges from 1 to 640. | group-id ranges from 1 to 640.

In the user interface command rows, each cell lists the user interface types supported and the value range of number when number is an absolute index.


WX6103 hellointerval ranges from 30 to 2000 milliseconds, and defaults to 2000 milliseconds. group-id ranges from 1 to 640. group-id ranges from 1 to 640. Yes

LSQM1WCMB0 hellointerval ranges from 30 to 2000 milliseconds, and defaults to 2000 milliseconds. group-id ranges from 1 to 640. group-id ranges from 1 to 640. Yes

LSBM1WCM2A0 hellointerval ranges from 30 to 2000 milliseconds, and defaults to 2000 milliseconds. group-id ranges from 1 to 640. group-id ranges from 1 to 640. member ipv6 ipv6-address not supported member ipv6 ipv6-address not supported member ipv6 ipv6-address not supported iactp6 not supported undo member ipv6 ipv6-address not supported ipv6 ipv6-address not supported Yes Yes Yes value ranges from 1600 to 4096 bytes and defaults to 1600 bytes.

LSRM1WCM2A1 hellointerval ranges from 30 to 2000 milliseconds, and defaults to 2000 milliseconds. group-id ranges from 1 to 640. group-id ranges from 1 to 640. Yes

hot-backup hellointerval

wlan ap-group wlan permit-ap-group display wlan client

display wlan mobility-group

Yes

Yes

Yes

WLAN roaming commands

member mobility-tunnel undo member

Yes Yes Yes

Yes Yes Yes

Yes Yes Yes

source Layer 2 LAN Switching Command Reference Ethernet interface commands duplex display loopback-detection flow-control

Yes Yes Yes Yes value ranges from 1600 to 9216 bytes and defaults to 1600 bytes.

Yes Yes Yes Yes value ranges from 1600 to 4096 bytes and defaults to 1600 bytes.

Yes Yes Yes Yes value ranges from 1600 to 4096 bytes and defaults to 1600 bytes.

jumboframe enable


Command loopback loopback-detection control enable loopback-detection enable loopback-detection interval-time shutdown speed Yes Yes Yes Yes Yes Yes

WX6103

LSQM1WCMB0 Yes Yes Yes Yes Yes No The maximum value is 1024. count ranges from 0 to 24576. No No No No number ranges from 1 to 20480. number ranges from 1 to 65535 and defaults to 4096. number ranges from 0 to 24576. Yes

LSBM1WCM2A0 Yes Yes Yes Yes Yes Yes The maximum value is 1024. count ranges from 0 to 24576. No No No No number ranges from 1 to 20480. number ranges from 1 to 65535 and defaults to 4096. number ranges from 0 to 24576. No

LSRM1WCM2A1 Yes Yes Yes Yes Yes No The maximum value is 1024. count ranges from 0 to 24576. No No No No number ranges from 1 to 20480. number ranges from 1 to 65535 and defaults to 4096. number ranges from 0 to 24576. Yes

VLAN commands MAC address table management commands Link aggregation commands MSTP commands Layer 2 forwarding commands Port mirroring commands

interface vlan-interface mac-address max-mac-count All commands All commands All commands All commands pppoe-server max-sessions local-mac

The maximum value is 1024. count ranges from 0 to 24576. No No No No number ranges from 1 to 20480. number ranges from 1 to 65535 and defaults to 4096. number ranges from 0 to 24576. Yes

Layer 2 WAN Command Reference

PPP commands pppoe-server max-sessions total

Layer 3 IP Services Command Reference

ARP commands DNS commands

arp max-learning-num All commands for IPv6 DNS configuration

Volume

Module

Command ip redirects enable No No No Yes Yes

WX6103

LSQM1WCMB0 No No No Yes Yes number ranges from 1 to 1024 and defaults to 1024. Yes Yes

LSBM1WCM2A0 No No No Yes No number ranges from 1 to 1024 and defaults to 1024. No No

LSRM1WCM2A1 No No No Yes Yes number ranges from 1 to 1024 and defaults to 1024. Yes Yes

IP performance optimization commands

ip ttl-expires enable ip unreachables enable display adjacent-table All commands

Adjacency table commands

IPv6 basics commands

ipv6 neighbors max-learning-num All commands display ipv6 routing-table display ipv6 routing-table ipv6-address display ipv6 routing-table ipv6-address1 ipv6-address2 display ipv6 routing-table protocol display ipv6 routing-table statistics display ipv6 routing-table verbose

number ranges from 1 to 1024 and defaults to 1024. Yes Yes

IPv6 application commands IP Routing Command Reference IP routing basics commands

Yes

Yes

No

Yes

Yes

Yes

No

Yes

Yes

Yes

No

Yes

Yes

Yes

No

Yes

Yes

Yes

No

Yes


Volume

Module

Command reset ipv6 routing-table statistics Yes

WX6103

LSQM1WCMB0 Yes

LSBM1WCM2A0 No

LSRM1WCM2A1 Yes

IPv6 static routing commands

All commands igmp-snooping fast-leave igmp-snooping group-limit

Yes Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Yes Yes Layer 2 aggregate interface view not supported Yes

Yes Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Yes Yes Layer 2 aggregate interface view not supported Yes

No Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported No No Layer 2 aggregate interface view not supported Yes

Yes Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported No No Layer 2 aggregate interface view not supported Yes

IGMP snooping commands igmp-snooping static-group igmp-snooping static-router-port vlan Multicast VLAN commands MLD snooping commands port multicast-vlan MLD snooping commands IPv6 multicast VLAN commands IPv6 multicast VLAN commands port multicast-vlan ipv6 IPv6 ACL Configuration Commands

IP Multicast Command Reference

ACL and QoS Command Reference

ACL Commands


Volume

Module

Command

WX6103 green action not supported

LSQM1WCMB0 green action not supported remark-lp-pass new-local-precedenc e not supported No Yes classifier tcl-name not supported inbound-interface interface-type interface-number not supported rtp start-port start-port-number end-port end-port-number not supported No No No No Yes No Yes Yes Yes

LSBM1WCM2A0 green action not supported remark-lp-pass new-local-precedenc e not supported No Yes classifier tcl-name not supported inbound-interface interface-type interface-number not supported rtp start-port start-port-number end-port end-port-number not supported No No No No Yes No Yes Yes Yes

LSRM1WCM2A1 green action not supported remark-lp-pass new-local-precedenc e not supported No Yes classifier tcl-name not supported inbound-interface interface-type interface-number not supported rtp start-port start-port-number end-port end-port-number not supported No No No No Yes No Yes Yes Yes

car

remark-lp-pass new-local-precedenc e not supported No Yes classifier tcl-name not supported inbound-interface interface-type interface-number not supported rtp start-port start-port-number end-port end-port-number not supported

display qos lr interface display qos map-table

if-match QoS commands

qos pql inbound-interface qos pql protocol qos cql inbound-interface qos cql protocol qos car qos lr qos map-table redirect Security Command Reference AAA commands nas device-id device-id

No No No No Yes No Yes Yes Yes


Volume

Module 802.1X commands MAC authentication commands

Command dot1x max-user mac-authentication max-user user-number portal server server-name method { direct | layer3 | redhcp } portal backup-group group-id nas device-id device-id

WX6103 user-number ranges from 1 to 20480. user-number ranges from 1 to 4096 and defaults to 4096.

LSQM1WCMB0 user-number ranges from 1 to 20480. user-number ranges from 1 to 4096 and defaults to 4096.

LSBM1WCM2A0 user-number ranges from 1 to 20480. user-number ranges from 1 to 4096 and defaults to 4096.

LSRM1WCM2A1 user-number ranges from 1 to 20480. user-number ranges from 1 to 4096 and defaults to 4096.

layer3 supported

layer3 supported

layer3 supported

layer3 supported

Yes Yes Yes

Yes Yes Yes

Yes Yes Yes

Yes Yes Yes

Portal commands

radius nas-backup-ip ip-address radius scheme radius-scheme-name nas-backup-ip ip-address portal max-user max-number ssh client ipv6 source ssh2 ipv6

Yes

Yes

Yes

Yes

max-number ranges from 1 to 20480. Yes Yes Yes Yes Yes Yes

max-number ranges from 1 to 20480. Yes Yes Yes Yes Yes Yes

max-number ranges from 1 to 20480. No No No No Yes Yes

max-number ranges from 1 to 20480. Yes Yes Yes Yes Yes Yes

SSH2.0 commands sftp client ipv6 source sftp ipv6 Security protection commands anti-attack protocol enable anti-attack protocol threshold


Volume

Module

Command display anti-attack { 11mac | admin | all | arp | data | dhcp | dot1x | hwtacas | icmp | igmp | lwapp | nd | ntp | pim | radius } display anti-attack { protocol protocol | all }

WX6103

LSQM1WCMB0

LSBM1WCM2A0

LSRM1WCM2A1

No

No

No

No

Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No No Yes Yes Yes

Yes Yes Yes No No No No No No No No No No No No

Yes No No No No No No No No No No No No No No

Yes Yes Yes No No No No No No No No No No No No

System maintenance and debugging commands

ping ipv6 tracert ipv6 display logfile buffer display logfile summary

Network Management and Monitoring Command Reference

info-center logfile enable Information center commands info-center logfile frequency info-center logfile size-quota info-center logfile switch-directory logfile save

OAA

OAA commands

mcms connect mcms reboot oap connect slot oap management-ip oap reboot slot


Volume

Module

Command ACSEI server configuration commands ACSEI client configuration commands Yes

WX6103

LSQM1WCMB0 No

LSBM1WCM2A0 No

LSRM1WCM2A1 No

Yes

Yes

Yes

Yes

Command Matrix for the WX3000 Series


Table 4-3 Command matrix for the WX3000 series

Volume: Fundamentals Command Reference
Module: Login commands
Command: telnet ipv6
  WX3024: No
  WX3010: No
  WX3008: No
Module: User Interface Commands
Commands: display user-interface, free user-interface, send, user-interface
  WX3024, WX3010 and WX3008: AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5.

Volume

Module

Command configuration encrypt ftp ipv6 Yes No No No No No

WX3024 Yes No No No No No

WX3010 Yes No No No No No

WX3008

File management configuration commands

mount open ipv6 tftp ipv6 umount display device display fan

cf-card and usb not supported fan-id takes the value of 1 or 2. power-id can only be 1. Yes Yes By default, lower-value is 4, and upper-value is 79. number ranges from 1 to 6. interface-number ranges from 0 to 63. interface-number ranges from 0 to 63. No interface-index ranges from 0 to 63. group-id ranges from 1 to 64.

cf-card and usb not supported fan-id ranges from 1 to 3. power-id can only be 1. No Yes By default, lower-value is 0, and upper-value is 63. number ranges from 1 to 6. interface-number ranges from 0 to 63. interface-number ranges from 0 to 63. No interface-index ranges from 0 to 63. group-id ranges from 1 to 12.

cf-card and usb not supported fan-id ranges from 1 to 3. power-id can only be 1. No Yes By default, lower-value is 0, and upper-value is 63. number ranges from 1 to 6. interface-number ranges from 0 to 63. interface-number ranges from 0 to 63. No interface-index ranges from 0 to 63. group-id ranges from 1 to 12.

Device management commands

display power display rps license append temperature-limit

Basic system configuration commands WLAN Command Reference

configure-user count

display interface wlan-ess WLAN interface commands interface wlan-ess WLAN services commands All commands for hot AC backup bind wlan-ess display wlan ap-group


Volume

Module

Command hot-backup hellointerval wlan ap-group wlan permit-ap-group No

WX3024 No

WX3010 No

WX3008

group-id ranges from 1 to 64. group-id ranges from 1 to 64. member ipv6 ipv6-address not supported member ipv6 ipv6-address not supported member ipv6 ipv6-address not supported iactp6 not supported undo member ipv6 ipv6-address not supported ipv6 ipv6-address not supported No No No value ranges from 1600 to 4086 bytes and defaults to 1600 bytes. Only internal is supported No No

group-id ranges from 1 to 12. group-id ranges from 1 to 12. member ipv6 ipv6-address not supported member ipv6 ipv6-address not supported member ipv6 ipv6-address not supported iactp6 not supported undo member ipv6 ipv6-address not supported ipv6 ipv6-address not supported No No No value ranges from 1600 to 9216 bytes and defaults to 1600 bytes. Only internal is supported No No

group-id ranges from 1 to 12. group-id ranges from 1 to 12. member ipv6 ipv6-address not supported member ipv6 ipv6-address not supported member ipv6 ipv6-address not supported iactp6 not supported undo member ipv6 /ipv6-address not supported ipv6 ipv6-address not supported No No No value ranges from 1600 to 9216 bytes and defaults to 1600 bytes. Only internal is supported No No

display wlan client

display wlan mobility-group

WLAN roaming commands

member mobility-tunnel undo member

source Layer 2 LAN Switching Command Reference Ethernet interface commands duplex display loopback-detection flow-control jumboframe enable loopback loopback-detection control enable loopback-detection enable


Volume

Module

Command loopback-detection interval-time No

WX3024 No

WX3010 No

WX3008

shutdown

No on GE1/0/1 of the access controller engine and GE1/0/29 on the switching engine No The maximum value is 32. count ranges from 0 to 2048. No No No No number ranges from 1 to 1024. number ranges from 1 to 1024 and defaults to 1024. number ranges from 0 to 2048.

No on GE1/0/1 of the access controller engine and GE1/0/11 on the switching engine No The maximum value is 32. count ranges from 0 to 2048. No No No No number ranges from 1 to 1024. number ranges from 1 to 1024 and defaults to 1024. number ranges from 0 to 2048.

No on GE1/0/1 of the access controller engine and GE1/0/9 on the switching engine No The maximum value is 32. count ranges from 0 to 2048. No No No No number ranges from 1 to 1024. number ranges from 1 to 1024 and defaults to 1024. number ranges from 0 to 2048.

speed VLAN commands MAC address table management commands Link aggregation commands MSTP commands Layer 2 forwarding commands Port mirroring commands interface vlan-interface mac-address max-mac-count All commands All commands All commands All commands pppoe-server max-sessions local-mac PPP commands pppoe-server max-sessions total ARP commands arp max-learning-num

Layer 2 WAN Command Reference

Layer 3 IP Services Command Reference


Volume

Module DNS commands

Command All commands for IPv6 DNS configuration ip redirects enable No No No No Yes No No No No No No No No No No No

WX3024 No No No No Yes No No No No No No No No No No No

WX3010 No No No No Yes No No No No No No No No No No No

WX3008

IP performance optimization commands Adjacency table commands IPv6 basics commands IPv6 application commands

ip ttl-expires enable ip unreachables enable display adjacent-table All commands ipv6 neighbors max-learning-num All commands display ipv6 routing-table display ipv6 routing-table ipv6-address display ipv6 routing-table ipv6-address1 ipv6-address2

Layer 3 IP Routing Command Reference

IP routing basics commands

display ipv6 routing-table protocol display ipv6 routing-table statistics display ipv6 routing-table verbose reset ipv6 routing-table statistics

IPv6 static routing commands IP Multicast Command Reference IGMP snooping commands

All commands

igmp-snooping fast-leave

Layer 2 aggregate interface view not supported

Layer 2 aggregate interface view not supported

Layer 2 aggregate interface view not supported

Volume

Module

Command igmp-snooping group-limit

WX3024 Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported No No Layer 2 aggregate interface view not supported No green action not supported

WX3010 Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported No No Layer 2 aggregate interface view not supported No green action not supported remark-lp-pass new-local-precedence not supported

WX3008 Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported Layer 2 aggregate interface view not supported No No Layer 2 aggregate interface view not supported No green action not supported remark-lp-pass new-local-precedence not supported

igmp-snooping static-group

igmp-snooping static-router-port vlan Multicast VLAN commands MLD snooping commands

port multicast-vlan

MLD snooping commands IPv6 multicast VLAN commands

IPv6 multicast VLAN commands port multicast-vlan ipv6 ACL and QoS Command Reference IPv6 ACL Configuration Commands

ACL Commands

QoS commands

car

remark-lp-pass new-local-precedence not supported


Volume

Module

Command display qos map-table display qos lr interface Yes No

WX3024 Yes No

WX3010 Yes No

WX3008

classifier tcl-name not supported inbound-interface interface-type interface-number not supported IPv6 ACL not supported rtp start-port start-port-number end-port end-port-number not supported

classifier tcl-name not supported inbound-interface interface-type interface-number not supported local-precedence local-precedence-list not supported IPv6 ACL not supported rtp start-port start-port-number end-port end-port-number not supported No No No No Yes No Yes Yes No No user-number ranges from 1 to 2048.

classifier tcl-name not supported inbound-interface interface-type interface-number not supported local-precedence local-precedence-list not supported IPv6 ACL not supported rtp start-port start-port-number end-port end-port-number not supported No No No No Yes No Yes Yes No No user-number ranges from 1 to 2048.

if-match

qos pql inbound-interface qos pql protocol qos cql inbound-interface qos cql protocol qos car qos lr qos map-table redirect Congestion management configuration commands Security Command Reference AAA commands 802.1X commands nas device-id device-id dot1x max-user

No No No No Yes No Yes Yes No No user-number ranges from 1 to 2048.


Volume

Module MAC authentication commands

Command mac-authentication max-user user-number portal server server-name method { direct | layer3 | redhcp } portal backup-group group-id nas device-id device-id

WX3024 user-number ranges from 1 to 1024 and defaults to 1024. layer3 supported

WX3010 user-number ranges from 1 to 1024 and defaults to 1024. layer3 supported

WX3008 user-number ranges from 1 to 1024 and defaults to 1024. layer3 supported

No No No

No No No

No No No

Portal commands

radius nas-backup-ip ip-address radius scheme radius-scheme-name nas-backup-ip ip-address portal max-user max-number ssh client ipv6 source ssh2 ipv6

No

No

No

max-number ranges from 1 to 2048. No No No No Yes Yes

max-number ranges from 1 to 2048. No No No No Yes Yes

max-number ranges from 1 to 2048. No No No No Yes Yes

SSH2.0 commands sftp client ipv6 source sftp ipv6 anti-attack protocol enable anti-attack protocol threshold Security protection commands display anti-attack { 11mac | admin | all | arp | data | dhcp | dot1x | hwtacas | icmp | igmp | lwapp | nd | ntp | pim | radius } display anti-attack { protocol protocol | all }

No

No

No

Yes

Yes

Yes


Volume

Module System maintenance and debugging commands

Command ping ipv6 tracert ipv6 display logfile buffer display logfile summary No No No No No No No No No No No Yes Yes Yes No No

WX3024 No No No No No No No No No No No Yes Yes Yes No No

WX3010 No No No No No No No No No No No Yes Yes Yes No No

WX3008

Network Management and Monitoring Command Reference Information center commands

info-center logfile enable info-center logfile frequency info-center logfile size-quota info-center logfile switch-directory logfile save mcms connect mcms reboot oap connect slot oap management-ip

OAA

OAA commands oap reboot slot ACSEI server configuration commands ACSEI client configuration commands


CLI Configuration
This chapter includes these sections:
What Is CLI?
Entering the CLI
CLI Descriptions
Using the CLI
Configuring the CLI

What Is CLI?
The command line interface (CLI) is an interface where you can interact with your device by typing text commands. At the CLI, you can instruct your device to perform a given task by typing a text command and then pressing Enter to submit it to your device. At the CLI, you can enter commands to configure your access controller (AC), and verify the configuration based on the output. Thus, the CLI facilitates your AC configuration and management. The CLI of H3C ACs is as shown in Figure 5-1. Figure 5-1 Schematic diagram for the CLI

Entering the CLI


The WX series access controllers provide multiple methods of entering the CLI, as follows:
Through the console port. For more information, see Entering CLI Through the Console Port.
Through Telnet. For more information, see Entering CLI Through Telnet.
Through SSH with encryption. For more information, see SSH2.0 in the Security Configuration Guide.

Entering CLI Through the Console Port


When you use the CLI of an AC for the first time, you can log in to the AC and enter the CLI through the console port only. Follow these steps to log in to your AC and enter the CLI through the console port: 1) Use the console cable shipped with your AC to connect your PC to your AC. Plug the DB-9 (female) connector of the console cable into the 9-pin serial port of your PC. Then plug the RJ-45 connector of the console cable into the console port of your AC. Figure 5-2 Use the console cable to connect your PC to your AC

Identify the interfaces correctly to avoid any connection error.

Because the serial port of a PC is not hot swappable, do not plug or unplug the console cable while your AC is powered on. When connecting the PC to your AC, first plug the DB-9 connector of the console cable into the PC, and then plug the RJ-45 connector into your AC. When disconnecting the PC from your AC, first unplug the RJ-45 connector and then the DB-9 connector.

2)

Launch a terminal emulation utility on your PC. In this chapter, the HyperTerminal in Windows XP is used as an example. Click Start > All Programs > Accessories > Communications > HyperTerminal to enter the HyperTerminal window. The Connection Description window as shown in Figure 5-3 appears. Type a connection name (test, for example) in the Name input box, and click OK.


Figure 5-3 Connection description

3)

Then, the Connect To window as shown in Figure 5-4 appears. Select the serial port you want to use from the Connect using drop-down list, and then click OK.

Figure 5-4 Specify the serial port used to establish the connection

4)

The COM1 Properties window as shown in Figure 5-5 appears. On the window, set Bits per second to 9600, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None. Click OK.


Figure 5-5 Set the properties of the serial port

5)

The HyperTerminal window as shown in Figure 5-6 appears.

Figure 5-6 The HyperTerminal window


Select File > Properties on the HyperTerminal window, and the test Properties window appears. Select the Settings tab as shown in Figure 5-7, select VT100 from the Emulation drop-down list, and then click OK. Figure 5-7 Select the emulation terminal on the test Properties window

6)

Press Enter on the HyperTerminal window. Then the CLI of your AC appears on the window, as shown in Figure 5-8, indicating that you have successfully logged in to your AC.


Figure 5-8 Schematic diagram for successful login through the console port

Entering CLI Through Telnet


After you log in to your AC through the console port for the first time, configure remote login as soon as possible so that you can use a remote terminal to configure and manage your AC. Keep in mind that Telnet carries the login credentials and every subsequent command in cleartext. Wherever the network between the terminal and the AC is not trusted, use SSH instead (see SSH2.0 in the Security Configuration Guide) and enable the Telnet server only where cleartext management is acceptable.

Telnet login authentication methods


To restrict who can log in to your AC, H3C provides three Telnet login authentication methods. Select a method according to your network conditions.
Table 5-1 Telnet login authentication methods

Authentication method: None
Description: Easy to configure. Allows any user who can reach the AC to telnet to it. Least secure.
Application scenarios: Lab environments and network environments that are already strictly isolated and controlled.

Authentication method: Password
Description: Easy to configure. Allows any user who knows the shared password to telnet to your AC. More secure than none, but incapable of assigning different privilege levels to different users, because everyone logs in with the same password.
Application scenarios: Environments that do not need granular privilege management.

Authentication method: Username and password
Description: More complex to configure. Allows only users who enter a valid username and password to telnet to your AC. Most secure, and capable of assigning different privilege levels to different users.
Application scenarios: Environments where multiple operators cooperate to manage the device.

Configuration: For more information, see Logging In to the AC.


An AC provides multiple VTY user interfaces. At one time, only one user can telnet to a VTY user interface. Because a remote terminal cannot select the VTY user interface through which it logs in to the AC, it is recommended that you configure all VTY user interfaces with the same authentication method. The following example is configured in this way.

The number of VTY user interfaces provided by an H3C device varies by AC model. In this document, an AC providing five VTY user interfaces is used as an example, which means that the VTY user interface number ranges from 0 to 4. If your AC provides a different number of VTY user interfaces, make sure that the VTY interface number you configure is within the actual range.

Telnet login configuration example


# Enter system view.
<Sysname> system-view

# Enable the Telnet service.
[Sysname] telnet server enable

# Create VLAN-interface 1.
[Sysname] interface vlan-interface 1

# Assign an IP address to VLAN-interface 1, 192.168.0.72 for example.
[Sysname-Vlan-interface1] ip address 192.168.0.72 24
[Sysname-Vlan-interface1] quit

# Enter the view of VTY user interfaces 0 through 4.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4]

# Configure the authentication method for the VTY user interfaces as needed. Omitted. For more information, see Logging In to the AC.

# Configure command level 3 for users that log in through VTY user interfaces 0 through 4.
[Sysname-ui-vty0-4] user privilege level 3

Command level 3 is the manage level, the highest level, so every user that passes authentication on these VTY user interfaces can change and save the configuration. Do not combine it with the "none" authentication method on interfaces reachable from the network, and where level 3 is needed prefer the username and password method, so that the level is granted per user rather than to everyone who knows a shared password.
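A practitioner will want to check saved configurations for the weak combinations described above. The following Python script is an added example, not code from the H3C guide or from H3C: it parses Comware-style user-interface vty blocks out of a configuration text and flags the "none" authentication method, command level 3 granted without per-user (scheme) authentication, login passwords stored in cleartext, and Telnet left accepting cleartext logins. The two sample configurations are constructed, and the keyword names the script looks for (authentication-mode none | password | scheme, user privilege level, protocol inbound, set authentication password simple | cipher, telnet server enable, ssh server enable) are assumed from Comware V5 syntax; adjust them for the software version in use.

```python
"""Audit VTY login settings in a Comware-style configuration text.

Added example, not from the H3C guide or from H3C: the configuration samples
are constructed, and the keyword names checked are assumed from Comware V5.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VtyBlock:
    first: int
    last: int
    auth_mode: Optional[str] = None  # None: not set in the block, platform default applies
    priv_level: int = 0              # assumed default when 'user privilege level' is absent
    inbound: str = "all"             # assumed default: every inbound protocol accepted
    simple_password: bool = False    # 'set authentication password simple ...' present


VTY_RE = re.compile(r"^user-interface vty (\d+)(?: (\d+))?$")


def parse_vty_blocks(config: str) -> List[VtyBlock]:
    """Collect 'user-interface vty A [B]' blocks and their indented sub-commands."""
    blocks: List[VtyBlock] = []
    current: Optional[VtyBlock] = None
    for raw in config.splitlines():
        if not raw.startswith(" "):          # view header at column 0 (or a '#' separator)
            m = VTY_RE.match(raw.strip())
            current = VtyBlock(int(m.group(1)), int(m.group(2) or m.group(1))) if m else None
            if current:
                blocks.append(current)
            continue
        if current is None:                  # indented command outside a VTY block
            continue
        cmd = raw.strip()
        if m := re.match(r"authentication-mode (none|password|scheme)$", cmd):
            current.auth_mode = m.group(1)
        elif m := re.match(r"user privilege level (\d+)$", cmd):
            current.priv_level = int(m.group(1))
        elif m := re.match(r"protocol inbound (all|ssh|telnet)$", cmd):
            current.inbound = m.group(1)
        elif cmd.startswith("set authentication password simple "):
            current.simple_password = True
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per weak login setting; an empty list means nothing flagged."""
    findings: List[str] = []
    telnet_on = re.search(r"^\s*telnet server enable\s*$", config, re.M) is not None
    ssh_on = re.search(r"^\s*ssh server enable\s*$", config, re.M) is not None
    for b in parse_vty_blocks(config):
        rng = f"vty {b.first}-{b.last}"
        if b.auth_mode == "none":
            findings.append(f"{rng}: authentication-mode none, any host that reaches the AC gets a shell")
        elif b.auth_mode is None:
            findings.append(f"{rng}: authentication-mode not set explicitly, the platform default applies")
        if b.priv_level >= 3 and b.auth_mode != "scheme":
            findings.append(f"{rng}: manage level {b.priv_level} granted without per-user (scheme) authentication")
        if b.simple_password:
            findings.append(f"{rng}: login password stored with 'simple', cleartext in the saved configuration")
        if telnet_on and b.inbound in ("all", "telnet"):
            findings.append(f"{rng}: accepts cleartext Telnet (protocol inbound {b.inbound}), restrict to ssh")
    if telnet_on and not ssh_on:
        findings.append("telnet server enabled without ssh server: remote management is cleartext only")
    return findings


# Constructed sample: the chapter's example finished with a shared password and Telnet only.
WEAK_CONFIG = """\
#
 telnet server enable
#
user-interface vty 0 4
 authentication-mode password
 set authentication password simple h3c123
 user privilege level 3
#
"""

# Constructed sample: per-user authentication, SSH only, Telnet server not enabled.
HARDENED_CONFIG = """\
#
 ssh server enable
#
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
 user privilege level 3
#
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Run it against the output of display current-configuration saved to a file; the weak sample produces four findings and the hardened one none. Whether an unset authentication-mode is safe depends on the platform default, so the script reports it rather than guessing.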

CLI Descriptions
Command Conventions
Commands in Command Reference comply with the following conventions.
Table 5-2 Command conventions

Boldface: The keywords of a command line are in boldface. Keep keywords unchanged when typing them in the CLI.
Italic: Command arguments are in italic. Replace arguments with actual values in the CLI.
[ ]: Items (keywords or arguments) in square brackets are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
&<1-n>: The argument(s) before the ampersand (&) sign can be entered 1 to n times.
#: A line starting with the # sign is a comment.

The command lines of the AC are case insensitive.

Take the clock datetime time date command as an example to understand the command meaning according to Table 5-2. Figure 5-9 Read command line parameters

Type the following command line in the CLI of a device and press Enter. This sets the device system time to 10:30:20 on February 23, 2010.
<Sysname> clock datetime 10:30:20 2/23/2010

You can read any commands more complicated according to Table 5-2.

CLI View Description


CLI views are designed to meet various configuration requirements. The following describes the most commonly used view operations: entering system view, exiting the current view, and returning to user view.

Entering system view


After logging in to the device, you are in user view and the prompt is <device name>. In user view, only a few operations are allowed, for example, display operations, file operations, FTP and Telnet operations. To further configure the device, you need to enter system view.


Follow these steps to enter system view:


To do: Enter system view
Use the command: system-view
Remarks: Required. Available in user view.

Exiting the current view


The device's CLI views are multi-layered, for example, user view > system view > interface view, VLAN view, and so on. Follow these steps to exit the current view after finishing configuration in it:
To do: Exit the current view and return to the previous view
Use the command: quit
Remarks: Required. Available in any view.

If the current view is user view, executing the quit command breaks the connection between the user terminal and the AC.

Returning to user view


To return to user view from any non-user view, you do not have to execute the quit command repeatedly. Instead, you can use the return command or press Ctrl+Z. Follow these steps to return to user view directly:
To do: Return to user view directly
Use the command: return
Remarks: Required. Available in any view except user view.

Using the CLI


Using the CLI Online Help
In the CLI, you can type a question mark (?) to obtain detailed online help. See the following examples.
Type ? in any view to display all commands available in this view and brief descriptions about these commands.
<Sysname> ?
User view commands:
  archive      Specify archive settings
  backup       Backup next startup-configuration file to TFTP server
  boot-loader  Set boot loader
  bootrom      Update/read/backup/restore bootrom
  cd           Change current directory
  clock        Specify the system clock


......omitted......

Type part of a command and ? separated by a space. If ? is at the position of a keyword, the CLI displays all possible keywords with a brief description of each.
<Sysname> terminal ?
  debugging  Send debug information to terminal
  logging    Send log information to terminal
  monitor    Send information output to current terminal
  trapping   Send trap information to terminal

If ? is at the position of an argument, the CLI displays a description of this argument.
<Sysname> system-view
[Sysname] interface vlan-interface ?
  <1-4094>  VLAN interface number
[Sysname] interface vlan-interface 1 ?
  <cr>
[Sysname] interface vlan-interface 1

The string <cr> indicates that the command is already complete, and you can execute the command by pressing Enter.
Type a character string followed by ?. The CLI displays all commands starting with this string.
<Sysname> c?
cd      clock      copy

Type part of a keyword followed by ?. The CLI displays all keywords starting with the character string you typed.
<Sysname> display cl?
clipboard      clock

Command Line Error Information


If a command you typed contains syntax errors, the CLI reports error information. Table 5-3 lists some common command line errors.
Table 5-3 Common command line errors

Error information: % Unrecognized command found at '^' position.
Cause: The command was not found; the keyword was not found; the parameter type is wrong; or the parameter value is beyond the allowed range.

Error information: % Incomplete command found at '^' position.
Cause: Incomplete command.

Error information: % Ambiguous command found at '^' position.
Cause: Ambiguous command.

Error information: % Too many parameters found at '^' position.
Cause: Too many parameters.

Error information: % Wrong parameter found at '^' position.
Cause: Wrong parameters.


Typing and Editing Commands


Fuzzy match
The H3C WX series access controllers support fuzzy match for efficient input of commands. If in the current view, the character string you have typed can already uniquely identify a keyword, you do not need to type the complete keyword. For example, in user view, commands starting with an s include save, startup saved-configuration, and system-view. To save the current configuration, type sa. To set the configuration file for next startup, type st s. To enter system view, type sy. You can also press Tab to have a partial keyword automatically completed, and check that the keyword is the one you intended to use.
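The error messages of Table 5-3 and the fuzzy match rules above are easiest to see in code. The following Python resolver is an added example, not code from the H3C guide or from Comware: it holds a constructed subset of the user view keyword tree built from this chapter's examples, expands abbreviations the way the fuzzy match does (sa, st s, sy, display cu), lists what prefix? and repeated Tab would offer, and reports the unrecognized, ambiguous, incomplete and too-many-parameters cases together with the column the CLI's '^' marker points at. Arguments such as <1-4094> are not modelled, and the keyword tree is an assumption, not the AC's real command set.

```python
"""Keyword resolver modelled on the H3C CLI's fuzzy match and error messages.

Added example, not code from the H3C guide or from Comware: USER_VIEW is a
hand-built subset of user view keywords (arguments are not modelled) and the
matching rules follow the chapter's text, not the real CLI implementation.
"""
from typing import Dict, List, Tuple

Node = Dict[str, dict]  # keyword -> sub-keywords; an empty dict is a complete command

# Constructed subset of user view, built from the keywords this chapter mentions.
USER_VIEW: Node = {
    "cd": {},
    "clock": {"datetime": {}},
    "copy": {},
    "display": {"clipboard": {}, "clock": {}, "current-configuration": {}},
    "save": {},
    "startup": {"saved-configuration": {}},
    "system-view": {},
}

UNRECOGNIZED = "% Unrecognized command found at '^' position."
INCOMPLETE = "% Incomplete command found at '^' position."
AMBIGUOUS = "% Ambiguous command found at '^' position."
TOO_MANY = "% Too many parameters found at '^' position."


class CliError(Exception):
    def __init__(self, message: str, column: int) -> None:
        super().__init__(message)
        self.message = message
        self.column = column  # 0-based column of the typed line the '^' points at


def complete(node: Node, prefix: str) -> List[str]:
    """Keywords of `node` starting with `prefix`: what 'prefix?' lists and Tab cycles through."""
    prefix = prefix.lower()
    return sorted(k for k in node if k.startswith(prefix))


def resolve(tree: Node, line: str) -> str:
    """Expand an abbreviated command line, e.g. 'st s' -> 'startup saved-configuration'.

    Matching is case-insensitive. A token is accepted when it equals a keyword
    or is the prefix of exactly one keyword in the current node.
    """
    node = tree
    expanded: List[str] = []
    col = 0
    for token in line.split():
        col = line.index(token, col)           # where this token starts, for the caret
        if not node:                           # the command was already complete
            raise CliError(TOO_MANY, col)
        hits = complete(node, token)
        exact = [k for k in hits if k == token.lower()]
        if exact:                              # an exact keyword wins over longer keywords
            hits = exact
        if not hits:
            raise CliError(UNRECOGNIZED, col)
        if len(hits) > 1:
            raise CliError(AMBIGUOUS, col)
        expanded.append(hits[0])
        node = node[hits[0]]
        col += len(token)
    if node:                                   # more keywords are still required
        raise CliError(INCOMPLETE, len(line))
    return " ".join(expanded)


def evaluate(tree: Node, line: str) -> Tuple[bool, str, int]:
    """(ok, expanded command or error message, caret column or -1) for one typed line."""
    try:
        return True, resolve(tree, line), -1
    except CliError as err:
        return False, err.message, err.column


def render(prompt: str, line: str, tree: Node = USER_VIEW) -> str:
    """Echo the line as the CLI does, placing '^' under the token that failed."""
    ok, text, col = evaluate(tree, line)
    if ok:
        return f"{prompt} {line}\n-> {text}"
    return f"{prompt} {line}\n{' ' * (len(prompt) + 1 + col)}^\n {text}"


if __name__ == "__main__":
    for typed in ("sa", "st s", "sy", "display cu", "s", "display cl",
                  "startup", "save now", "dis claa"):
        print(render("<Sysname>", typed))
    print("c? ->", "  ".join(complete(USER_VIEW, "c")))
```

The exact-match rule matters: without it, typing clock would be reported as ambiguous on a real tree where clock and clock datetime both exist, while the CLI accepts it. The caret column is computed from the typed line, not the expanded one, which is why the marker lands under dis claa's second token rather than under display.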

Editing command lines


Table 5-4 lists some shortcut keys you can use to edit command lines.
Table 5-4 Editing functions

Common keys: If the edit buffer is not full, inserts the character at the position of the cursor and moves the cursor to the right.
Backspace: Deletes the character to the left of the cursor and moves the cursor back one character.
Left arrow key or Ctrl+B: Moves the cursor one character to the left.
Right arrow key or Ctrl+F: Moves the cursor one character to the right.
Tab: If you press Tab after entering part of a keyword, the system automatically completes the keyword:
  If it finds a unique match, the system substitutes the complete keyword for the incomplete one and displays it on the next line.
  If there is more than one match, you can press Tab repeatedly to cycle through all the keywords starting with the character string that you typed.
  If there is no match, the system does not modify the incomplete keyword and displays it again on the next line.

When editing the command lines, you can use the hotkeys listed in Table 5-6 besides those in Table 5-4, or you can define shortcut keys by yourself. For more information, see Configuring CLI Hotkeys.

Displaying and Executing History Commands


The CLI automatically saves the commands recently used in the history command buffer. You can access commands in the history command buffer and execute them again.


Table 5-5 Access history commands
Display history commands: display history-command. Displays the valid history commands you used.
Access the previous history command: Up arrow key or Ctrl+P. Displays the previous history command, if any.
Access the next history command: Down arrow key or Ctrl+N. Displays the next history command, if any.

You may use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet. However, the up and down arrow keys are invalid in Windows 9X HyperTerminal, because they are defined differently. You can press Ctrl+P or Ctrl+N instead.

The commands saved in the history command buffer are in the same format in which you typed the commands. If you typed an incomplete command, the command saved in the history command buffer is also an incomplete one. If you execute the same command repeatedly, the device saves only the earliest record. However, if you execute the same command in different formats, the system saves them as different commands. For example, if you execute the display cu command repeatedly, the system saves only one command in the history command buffer. If you execute the command in the format of display cu and display current-configuration respectively, the system saves them as two commands. By default, the CLI can save up to 10 commands for each user. You can use the history-command max-size command to set the capacity of the history command buffer for the current user interface (For more information about the history-command max-size command, see User Interface in the Fundamentals Command Reference).

Undo Form of a Command


The undo form of a command typically restores the default, disables a function, or removes a configuration. Almost every configuration command has its undo form. For example, the info-center enable command is used to enable the information center, while the undo info-center enable command is used to disable the information center.

Controlling CLI Display


Controlling multi-screen display
If the output information spans multiple screens, the display pauses after each screen. You can then perform one of the following operations to proceed:
Press Space: Displays the next screen.
Press Enter: Displays the next line.
Press Ctrl+C: Stops the display and the command execution.
Press <Ctrl+E>: Moves the cursor to the end of the current line.
Press <PageUp>: Displays the previous page.
Press <PageDown>: Displays the next page.

Configuring multi-screen display settings


By default, each screen displays at most 24 lines. You can use the screen-length command to change the maximum number of lines displayed on the next screen. (For more information about the screen-length command, see User Interface in the Fundamentals Command Reference.) You can use the following command to disable the multi-screen display function. After that, all the output information is displayed at one time and the screen is refreshed continuously until the last screen is displayed.

Disable the multi-screen display function: screen-length disable (Required)
    By default, a login user uses the settings of the screen-length command. The default settings of the screen-length command are: multi-screen display is enabled and up to 24 lines are displayed on the next screen.
    This command is executed in user view and takes effect for the current user only. When the user logs in to the AC again, the default configuration is restored.

Filtering output information


You can use regular expressions in display commands to filter output information. There are two ways to filter output information:
Input the begin, exclude, or include keyword plus a regular expression in the display command to filter the output information.
When the system displays the output information in multiple screens, use /, - or + plus a regular expression to filter subsequent output information. / equals the keyword begin, - equals the keyword exclude, and + equals the keyword include.

The following describes the begin, exclude, and include keywords:
begin: Displays the first line that matches the regular expression and all the subsequent lines.
exclude: Displays the lines that do not match the regular expression.
include: Displays the lines that match the regular expression.

A regular expression is a case sensitive string of 1 to 256 characters. It also supports the following special characters.

^string: Starting sign. string appears only at the beginning of a line. For example, regular expression ^user only matches a string beginning with user, not Auser.
string$: Ending sign. string appears only at the end of a line. For example, regular expression user$ only matches a string ending with user, not userA.
.: Matches any single character, such as a letter, a special character, or a blank. For example, .l matches both vlan and mpls.
*: Matches the preceding character or character group zero or multiple times. For example, zo* matches z and zoo; (zo)* matches zo and zozo.
+: Matches the preceding character or character group one or multiple times. For example, zo+ matches zo and zoo, but not z.
|: Matches the preceding or succeeding character string. For example, def|int only matches a character string containing def or int.
_: If it is at the beginning or the end of a regular expression, it equals ^ or $. In other cases, it equals comma, space, round bracket, or curly bracket. For example, a_b matches a b or a(b; _ab only matches a line starting with ab; ab_ only matches a line ending with ab.
-: Connects two values (the smaller one before it and the bigger one after it) to indicate a range together with [ ]. For example, 1-9 means 1 to 9 (inclusive); a-h means a to h (inclusive).
[ ]: Matches a single character contained within the brackets. For example, [16A] matches a string containing any character among 1, 6, and A; [1-36A] matches a string containing any character among 1, 2, 3, 6, and A (- is a hyphen). ] can be matched as a common character only when it is put at the beginning of the characters within the brackets, for example [ ]string]. There is no such limit on [.
( ): A character group. It is usually used with + or *. For example, (123A) means a character group 123A; 408(12)+ matches 40812 or 408121212, but it does not match 408.
\index: Repeats the character string specified by the index. A character string refers to the string within ( ) before \. index refers to the sequence number (starting from 1 from left to right) of the character group before \. If only one character group appears before \, index can only be 1; if n character groups appear before \index, index can be any integer from 1 to n. For example, (string)\1 repeats string, and thus a matching string must contain stringstring. (string1)(string2)\2 repeats string2, and thus a matching string must contain string1string2string2. (string1)(string2)\1\2 repeats string1 and string2 respectively, and thus a matching string must contain string1string2string1string2.
[^]: Matches a single character not contained within the brackets. For example, [^16A] matches a string containing any character other than 1, 6 or A; the matching string may also contain 1, 6 or A, but cannot consist of those three characters only. For example, [^16A] matches abc and m16, but not 1, 16, or 16A.
\<string: Matches a character string starting with string. For example, \<do matches the word domain and the string doa.
string\>: Matches a character string ending with string. For example, do\> matches the word undo and the string abcdo.
\bcharacter2: Matches character1character2. character1 can be any character except a number, letter or underline, and \b equals [^A-Za-z0-9_]. For example, \ba matches -a, with - being character1 and a being character2, but it does not match 2a or ba.
\Bcharacter: Matches a string containing character, and no space is allowed before character. For example, \Bt matches t in install, but not t in big top.
character1\w: Matches character1character2. character2 must be a number, letter, or underline, and \w equals [A-Za-z0-9_]. For example, v\w matches vlan, with v being character1 and l being character2. v\w also matches service, with i being character2.
\W: Equals \b. For example, \Wa matches -a, with - being character1 and a being character2, but does not match 2a or ba.
\: Escape character. If a special character listed in this table follows \, the specific meaning of the character is removed. For example, \\ matches a string containing \, \^ matches a string containing ^, and \\b matches a string containing \b.
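The following Python script is an added example and is not part of the H3C guide. It emulates the begin, exclude and include filter semantics described above over a constructed fragment of display current-configuration output (the account names and password values are made up), so you can see exactly which lines each keyword keeps. It uses Python's re dialect, which agrees with the device for the anchors, classes and repetition operators used here but not for device-specific tokens such as _ or \<; the password { simple | cipher } keyword form used in the sample is assumed.

```python
import re

# Constructed fragment of "display current-configuration" output. It is not
# captured from a real AC; account names and password values are made up.
SAMPLE_OUTPUT = """\
#
 sysname AC
#
 ftp server enable
#
local-user admin
 password simple admin123
 service-type ftp telnet
 level 3
#
local-user guest
 password cipher XmxVbi3tQz9k
 service-type telnet
 level 0
#
user-interface vty 0 4
 authentication-mode scheme
#
return
"""


def filter_output(text: str, mode: str, pattern: str) -> list[str]:
    """Emulate the CLI's '| begin', '| exclude' and '| include' filters.

    begin   -> the first line that matches and every line after it
    exclude -> every line that does not match
    include -> every line that matches
    Matching is case sensitive, as on the device. Python's re dialect is
    used here; it agrees with the device for ^, $, ., *, +, | and [ ] but
    not for device-specific tokens such as _ or \\<.
    """
    regex = re.compile(pattern)
    lines = text.splitlines()
    if mode == "begin":
        for index, line in enumerate(lines):
            if regex.search(line):
                return lines[index:]
        return []
    if mode == "exclude":
        return [line for line in lines if not regex.search(line)]
    if mode == "include":
        return [line for line in lines if regex.search(line)]
    raise ValueError(f"unknown filter mode: {mode}")


def cleartext_passwords(text: str) -> list[str]:
    """Return the lines that store a local-user password with the 'simple'
    (cleartext) keyword; assumes the password { simple | cipher } form."""
    return filter_output(text, "include", r"password simple")


if __name__ == "__main__":
    # Equivalent of: display current-configuration | begin ^local-user
    for line in filter_output(SAMPLE_OUTPUT, "begin", r"^local-user"):
        print(line)
    print("cleartext passwords:", cleartext_passwords(SAMPLE_OUTPUT))
```

Filtering with include ^local-user lists every local account; filtering with include password simple is a quick check for accounts whose password is stored in cleartext, which is what an auditor reading a saved configuration would look for first.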

Configuring the CLI


Configuring CLI Hotkeys
The system provides five hotkeys that you can customize for common operations. After your configuration, you can press the hotkeys to perform the corresponding operations. Follow these steps to configure CLI hotkeys:
Enter system view: system-view
Configure CLI hotkeys: hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command (Optional. For more information about the defaults, see the Note below.)
Display hotkeys: display hotkey (Available in any view. See Table 5-6 for hotkeys reserved by the system.)

By default, the Ctrl+G, Ctrl+L and Ctrl+O hotkeys are associated with the following commands, and Ctrl+T and Ctrl+U are NULL:
Ctrl+G corresponds to the display current-configuration command.
Ctrl+L corresponds to the display ip routing-table command.
Ctrl+O corresponds to the undo debugging all command.

Table 5-6 Hotkeys reserved by the system
<Ctrl+A>: Moves the cursor to the beginning of the current line.
<Ctrl+B>: Moves the cursor one character to the left.
<Ctrl+C>: Stops performing a command.
<Ctrl+D>: Deletes the character at the current cursor position.
<Ctrl+E>: Moves the cursor to the end of the current line.
<Ctrl+F>: Moves the cursor one character to the right.
<Ctrl+H>: Deletes the character to the left of the cursor.
<Ctrl+K>: Terminates an outgoing connection.
<Ctrl+N>: Displays the next command in the history command buffer.
<Ctrl+P>: Displays the previous command in the history command buffer.
<Ctrl+R>: Redisplays the current line information.
<Ctrl+V>: Pastes the content in the clipboard.
<Ctrl+W>: Deletes all the characters in a continuous string to the left of the cursor.
<Ctrl+X>: Deletes all the characters to the left of the cursor.
<Ctrl+Y>: Deletes all the characters to the right of the cursor.
<Ctrl+Z>: Returns to user view.
<Ctrl+]>: Terminates an incoming connection or a redirect connection.
<Esc+B>: Moves the cursor to the leading character of the continuous string to the left.
<Esc+D>: Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor.
<Esc+F>: Moves the cursor to the front of the next continuous string to the right.
<Esc+N>: Moves the cursor down by one line (available before you press Enter).
<Esc+P>: Moves the cursor up by one line (available before you press Enter).
<Esc+<>: Specifies the cursor as the beginning of the clipboard.
<Esc+>>: Specifies the cursor as the ending of the clipboard.

These hotkeys are defined by the device. When you interact with the device from terminal software, the same keys may also be defined in the terminal software to perform other operations. If so, the hotkey definition of the terminal software takes precedence.

Configuring Command Aliases


You can replace the first keyword of a command with your preferred keyword by configuring the command alias function. For example, if you configure show as the replacement of the display keyword for each display command, you can input the command alias show xx to execute the display xx command. Note the following when you configure command aliases:

When you type a command alias, the system displays and saves the command in its original format instead of its alias. That is, you can define and use a command alias, but the command is not saved and restored in its alias form.
When you define a command alias, the cmdkey and alias arguments must be in complete form.
With the command alias function enabled, when you type an incomplete keyword that partially matches both a defined alias and the keyword of a command, the alias wins; to execute the command whose keyword partially matches your input, you must type the complete keyword.
When you input a character string that partially matches multiple aliases, the system prompts you with the matching information.
If you press Tab after you type the keyword of an alias, the original format of the keyword is displayed.
You can replace only the first keyword of a non-undo command, not the complete command; and you can replace only the second keyword of an undo command.

Follow these steps to configure command aliases:
Enter system view: system-view
Enable the command alias function: command-alias enable (Required. Disabled by default, that is, you cannot configure command aliases.)
Configure command aliases: command-alias mapping cmdkey alias (Required. Not configured by default.)

To display the configured command aliases, use the display command-alias command.

Synchronous Information Output


Synchronous information output refers to the feature that if your input is interrupted by system output, then after the system output completes the system displays a command line prompt and your input so far, and you can continue from where you were stopped. Follow these steps to enable synchronous information output:
Enter system view: system-view
Enable synchronous information output: info-center synchronous (Required. Disabled by default.)

With this feature enabled:
If you have no input at the command line prompt and the system outputs system information, for example logs, the system will not display the command line prompt after the output.
If the system outputs system information while you are typing interactive information (not YES/NO for confirmation), the system will not redisplay the prompt information; it outputs a line break after the system output and then what you have typed.

For more information about the info-center synchronous command, see Information Center in the Network Management and Monitoring Command Reference.

Configuring Command Levels


Introduction
The AC uses user privilege levels and command levels to block unauthorized users. User privilege levels correspond to command levels. When users at different privilege levels log in, they can only use commands at their own level or lower levels. All the commands are categorized into four levels, which are visit, monitor, system, and manage from low to high, identified respectively by 0 through 3. Table 5-7 describes the command levels.

Table 5-7 Default command levels
Level 0, Visit: Involves commands for network diagnosis and commands for accessing an external device. Configuration of commands at this level cannot survive a device restart. Upon device restart, the commands at this level are restored to the default settings. Commands at this level include ping, tracert, telnet and ssh2.
Level 1, Monitor: Involves commands for system maintenance and service fault diagnosis. Commands at this level are not allowed to be saved after being configured. After the AC is restarted, the commands at this level are restored to the default settings. Commands at this level include debugging, terminal, refresh, reset, and send.
Level 2, System: Provides service configuration commands, including routing configuration commands and commands for configuring services at different network levels. By default, commands at this level include all configuration commands except for those at manage level.
Level 3, Manage: Involves commands that influence the basic operation of the system and commands for configuring system support modules. By default, commands at this level involve the configuration commands of file system, FTP, TFTP, Xmodem download, user management, level setting, and parameter settings within a system (which are not defined by any protocols or RFCs).

For how to configure the user privilege level, see Basic System Configuration in the Fundamentals Configuration Guide.


Modifying the command level


All the commands are assigned default levels. The administrator can modify the default command level to improve management flexibility. Follow these steps to change the command level:
Enter system view: system-view
Configure the command level in a specified view: command-privilege level level view view command (Required. See Table 5-7 for the default settings.)

H3C recommends that you use the default command levels, or change a command level only under the guidance of professional staff. An improper command level change brings inconvenience to maintenance and operation, or even a potential security problem: moving a manage-level command (for example, a file system, FTP or user management command) to a lower level lets every user logged in at that lower level run it.

Saving Configurations
Some commands in the CLI of H3C ACs are one-time commands, such as display commands, which display specified information, and the reset commands, which clear specified information. These commands are executed one-time only and are not saved when the AC reboots. For other commands, after executing them, input the save command in any view to save all the submitted and executed commands into the configuration file. All saved commands are not lost after the AC reboots.


FTP Configuration
This chapter includes these sections: FTP Overview Configuring the FTP Client Configuring the FTP Server Displaying and Maintaining FTP

FTP Overview
Introduction to FTP
The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network. FTP uses TCP ports 20 and 21 for file transfer: port 21 carries the control connection (commands and replies), and port 20 is used to transmit data. See RFC 959 for details of basic FTP operation. FTP carries usernames, passwords and file contents in cleartext, so restrict FTP access to trusted management networks. FTP transfers files in two modes:
Binary mode: transfers files as raw data, like .app, .bin, and .btm files.
ASCII mode: transfers files as text, like .txt, .bat, and .cfg files.

Operation of FTP
FTP adopts the client/server model. Your AC (Device) can function either as the client or as the server (as shown in Figure 6-1). When the device serves as the FTP client, use Telnet or an emulation program to log in to the device from the PC, execute the ftp command to establish a connection from the device (FTP client) to the PC (FTP server), and then upload/download files to/from the server. When the device serves as the FTP server, run the FTP client program on the PC to establish a connection to the FTP server and upload/download files to/from the server.

Figure 6-1 Network diagram for FTP

When the device serves as the FTP client, you need to perform the following configuration:

Table 6-1 Configuration when the device serves as the FTP client
Device (FTP client): Use the ftp command to establish the connection to the remote FTP server. If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device must obtain the FTP username and password first to log in to the remote FTP server.
PC (FTP server): Enable the FTP server on the PC, and configure the username, password, user privilege level, and so on.

When the device serves as the FTP server, you need to perform the following configuration:

Table 6-2 Configuration when the device serves as the FTP server
Device (FTP server): Enable the FTP server function. Disabled by default. You can use the display ftp-server command to view the FTP server configuration on the device.
Device (FTP server): Configure authentication and authorization, that is, the username, password, and authorized directory for an FTP user. The device does not support anonymous FTP for security reasons, so you must set a valid username and password. By default, authenticated users can access the root directory of the device.
Device (FTP server): Configure the FTP server operating parameters, such as the FTP connection idle-timeout time.
PC (FTP client): Use the FTP client program to log in to the FTP server. You can log in to the FTP server only after you input the correct FTP username and password.

Make sure that the FTP server and the FTP client can reach each other before establishing the FTP connection. When you use IE to log in to the device serving as the FTP server, some FTP functions are not available. This is because multiple connections are established during the login process but the device supports only one connection at a time.


Configuring the FTP Client

Only users with the manage level can use the ftp command to log in to an FTP server, enter FTP client view, and execute directory and file related commands. However, whether the commands can be executed successfully depends on the authorizations of the FTP server.

Establishing an FTP Connection


Before you can access the FTP server, you must first establish a connection from the FTP client to the FTP server. You can either use the ftp command to establish the connection directly or use the open command in FTP client view to establish the connection.

Source address binding means to configure an IP address on a stable interface, and then use this IP address as the source IP address of an FTP connection. The source address binding function simplifies the configuration of ACL rules and security policies: you just need to specify the source or destination address argument in an ACL rule as this address to filter inbound and outbound packets on the AC, regardless of the differences between interface IP addresses and of interface status. You can configure the source address by configuring the source interface or source IP address. The primary IP address configured on the source interface is the source address of the transmitted packets. The source address of the transmitted packets is selected following these rules:
If no source address is specified, the FTP client uses the IP address of the interface determined by the matched route as the source IP address to communicate with an FTP server.
If the source address is specified with the ftp client source or ftp command, this source address is used to communicate with an FTP server.
If you use the ftp client source command and the ftp command to specify a source address respectively, the source address specified with the ftp command is used to communicate with an FTP server. The source address specified with the ftp client source command is valid for all FTP connections, and the source address specified with the ftp command is valid only for the current FTP connection.

Follow these steps to establish an IPv4 FTP connection:
Enter system view: system-view
Configure the source address of the FTP client: ftp client source { interface interface-type interface-number | ip source-ip-address } (Optional. By default, an AC uses the IP address of the interface determined by the matched route as the source IP address to communicate with the FTP server.)
Exit to user view: quit
Log in to the remote FTP server directly in user view: ftp [ server-address [ service-port ] [ source { interface interface-type interface-number | ip source-ip-address } ] ]
Log in to the remote FTP server indirectly in FTP client view: ftp, then open server-address [ service-port ]
    Use either approach. The ftp command is available in user view; the open command is available in FTP client view.

If no primary IP address is configured on the specified source interface, no FTP connection can be established.
If you use the ftp client source command to first configure the source interface and then the source IP address of the transmitted packets, the newly configured source IP address takes effect instead of the current source interface, and vice versa.

Follow these steps to establish an IPv6 FTP connection:
Log in to the remote FTP server directly in user view: ftp ipv6 [ server-address [ service-port ] [ source ipv6 source-ipv6-address ] [ -i interface-type interface-number ] ]
Log in to the remote FTP server indirectly in FTP client view: ftp ipv6, then open ipv6 server-address [ service-port ] [ -i interface-type interface-number ]
    Use either approach. The ftp ipv6 command is available in user view; the open ipv6 command is available in FTP client view.

Operating the Directories on an FTP Server


After the AC serving as the FTP client has established a connection with an FTP server (for how to establish an FTP connection, see Establishing an FTP Connection), you can create or delete folders under the authorized directory of the FTP server. Follow these steps to operate the directories on an FTP server (all steps are optional):
Display detailed information about a directory or file on the remote FTP server: dir [ remotefile [ localfile ] ]
Query a directory or file on the remote FTP server: ls [ remotefile [ localfile ] ]
Change the working directory of the remote FTP server: cd { directory | .. | / }
Exit the current working directory and return to an upper level directory of the remote FTP server: cdup
Display the working directory that is being accessed: pwd
Create a directory on the remote FTP server: mkdir directory
Remove the specified working directory on the remote FTP server: rmdir directory

Operating the Files on an FTP Server


After the AC serving as the FTP client has established a connection with an FTP server (for how to establish an FTP connection, see Establishing an FTP Connection), you can upload a file to or download a file from the authorized directory of the FTP server by following these steps:
1) Use the dir or ls command to display the directory and the location of the file on the FTP server.
2) Delete useless files for effective use of the storage space.
3) Set the file transfer mode. FTP transmits files in two modes: ASCII and binary. ASCII mode transfers files as text. Binary mode transfers files as raw data.
4) Use the lcd command to display the local working directory of the FTP client. You can upload the file under this directory, or save the downloaded file under this directory.
5) Upload or download the file.

Follow these steps to operate the files on an FTP server (all steps are optional):
Display detailed information about a directory or file on the remote FTP server: dir [ remotefile [ localfile ] ]
Query a directory or file on the remote FTP server: ls [ remotefile [ localfile ] ]
    The ls command displays the name of a directory or file only, while the dir command displays detailed information such as the file size and creation time.
Delete the specified file on the remote FTP server permanently: delete remotefile
Set the file transfer mode to ASCII: ascii (ASCII by default.)
Set the file transfer mode to binary: binary (ASCII by default.)
Set the data transmission mode to passive: passive (Passive by default.)
Display the local working directory of the FTP client: lcd
Upload a file to the FTP server: put localfile [ remotefile ]
Download a file from the FTP server: get remotefile [ localfile ]


Using Another Username to Log In to an FTP Server


After the AC serving as the FTP client has established a connection with the FTP server (for how to establish an FTP connection, see Establishing an FTP Connection), you can use another username to log in to the FTP server. This feature allows you to switch to a different user level without affecting the current FTP connection (namely, the FTP control connection, data connection and connection status are not changed). If you input an incorrect username or password, the current connection is terminated, and you must return to user view and log in with the ftp command again. Follow the step below to use another username to log in to the FTP server:
Use another username to log in again after successfully logging in to the FTP server: user username [ password ] (Optional)

Maintaining and Debugging an FTP Connection


After an AC serving as the FTP client has established a connection with the FTP server (for how to establish an FTP connection, see Establishing an FTP Connection), you can perform the following operations to locate and diagnose problems encountered in an FTP connection:
Display the help information of FTP-related commands supported by the remote FTP server: remotehelp [ protocol-command ] (Optional)
Enable information display in a detailed manner: verbose (Optional. Enabled by default.)
Enable FTP related debugging when the AC acts as the FTP client: debugging (Optional. Disabled by default.)

Terminating an FTP Connection


After the AC serving as the FTP client has established a connection with the FTP server (for how to establish an FTP connection, see Establishing an FTP Connection), you can use any of the following commands to terminate an FTP connection:
Terminate the connection to the FTP server without exiting FTP client view: disconnect (Optional. Equal to the close command.)
Terminate the connection to the FTP server without exiting FTP client view: close (Optional. Equal to the disconnect command.)
Terminate the connection to the FTP server and return to user view: bye (Optional. Equal to the quit command.)
Terminate the connection to the FTP server and return to user view: quit (Optional. Available in FTP client view, equal to the bye command.)


FTP Client Configuration Example


Network requirements
As shown in Figure 6-2, use Device as an FTP client and PC as the FTP server. Their IP addresses are 10.2.1.1/16 and 10.1.1.1/16 respectively. An available route exists between Device and PC. Device downloads a startup file from PC for device upgrade, and uploads the configuration file to PC for backup. On PC, an FTP user account has been created for the FTP client, with the username being abc and the password being pwd.

Figure 6-2 Network diagram for FTPing a startup file from an FTP server: Device (FTP client, 10.2.1.1/16) and PC (FTP server, 10.1.1.1/16), connected over the Internet.

Configuration procedure

If the free storage space on the device is not enough, use the fixdisk command to reclaim storage space or use the delete /unreserved file-url command to delete the files not in use, and then perform the following operations.

# Log in to the server through FTP.


<Sysname> ftp 10.1.1.1
Trying 10.1.1.1
Press CTRL+K to abort
Connected to 10.1.1.1
220 3Com 3CDaemon FTP Server Version 2.0
User(10.1.1.1:(none)):abc
331 User name ok, need password
Password:
230 Logged in successfully

# Set the file transfer mode to binary to transmit startup file.


[ftp] binary
200 Type set to I.

# Download the startup file newest.app from PC to Device.


[ftp] get newest.app

# Upload the configuration file config.cfg of Device to the server for backup.
[ftp] ascii
200 Type set to A.
[ftp] put config.cfg back-config.cfg
227 Entering Passive Mode (10,1,1,1,4,2).
125 Using existing data connection.
226 Closing data connection; File transfer successful.
FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.
[ftp] bye
221 Service closing control connection

# Specify newest.app as the main startup file to be used at the next startup.
<Sysname> boot-loader file newest.app main

# Reboot the device, and the startup file is updated at the system reboot.
<Sysname> reboot

The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For more information about the boot-loader command, see Device Management in the Fundamentals Command Reference.
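The control-channel dialogue shown in the example above (the 3-digit reply codes and the 227 passive-mode reply) can be parsed mechanically. The following is an added example in Python; it is not H3C code and not part of the original guide. The sample reply lines are constructed from the exchange above, and the check that the address advertised in the 227 reply matches the control-connection peer is a policy of this example, not an H3C feature.

```python
"""Parse FTP control-channel replies and decode PASV (RFC 959).

Added example, not H3C code. SAMPLE_REPLIES is constructed to match the
exchange in the guide; check_pasv_peer is this example's own policy.
"""
import re
from typing import Iterator, List, Tuple

# Constructed sample: the control-channel dialogue from the example above.
SAMPLE_REPLIES = (
    "220 3Com 3CDaemon FTP Server Version 2.0\r\n"
    "331 User name ok, need password\r\n"
    "230 Logged in successfully\r\n"
    "200 Type set to I.\r\n"
    "227 Entering Passive Mode (10,1,1,1,4,2).\r\n"
    "125 Using existing data connection.\r\n"
    "226 Closing data connection; File transfer successful.\r\n"
    "221 Service closing control connection\r\n"
)

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def iter_replies(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (code, text) per complete reply, folding multi-line replies.

    A multi-line reply starts with 'ddd-' and ends at a line starting
    'ddd ' with the same code (RFC 959 section 4.2).
    """
    lines = text.split("\r\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line:
            i += 1
            continue
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in " -":
            raise ValueError(f"malformed reply line: {line!r}")
        code = int(line[:3])
        if line[3] == " ":
            yield code, line[4:]
            i += 1
            continue
        body = [line[4:]]
        i += 1
        while i < len(lines):
            cur = lines[i]
            i += 1
            if cur.startswith(f"{code:03d} "):
                body.append(cur[4:])
                break
            body.append(cur)
        else:
            raise ValueError("unterminated multi-line reply")
        yield code, "\n".join(body)


def decode_pasv(reply_text: str) -> Tuple[str, int]:
    """Return (host, port) advertised in a 227 reply; port = p1*256 + p2."""
    m = _PASV_RE.search(reply_text)
    if not m:
        raise ValueError(f"no host/port tuple in PASV reply: {reply_text!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PASV field out of range")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def check_pasv_peer(advertised_host: str, control_peer: str) -> bool:
    """Policy (this example's assumption): open the data connection only to
    the host we already talk to on the control channel. A server or an
    on-path attacker advertising a third-party address in the 227 reply
    could otherwise redirect the upload of config.cfg elsewhere."""
    return advertised_host == control_peer


def summarize(text: str, control_peer: str) -> dict:
    """Walk a dialogue; return the codes seen, the PASV target and the
    PASV decision, plus any 4xx/5xx error replies."""
    codes: List[int] = []
    result = {"codes": codes, "pasv": None, "pasv_ok": None, "errors": []}
    for code, body in iter_replies(text):
        codes.append(code)
        if code == 227:
            host, port = decode_pasv(body)
            result["pasv"] = (host, port)
            result["pasv_ok"] = check_pasv_peer(host, control_peer)
        elif code >= 400:
            result["errors"].append((code, body))
    return result


if __name__ == "__main__":
    print(summarize(SAMPLE_REPLIES, "10.1.1.1"))
```

With the dialogue above, the 227 reply decodes to 10.1.1.1 port 4*256+2 = 1026, the same host as the control connection, so the data connection is allowed; run against a control peer of 10.2.1.1 the same reply is flagged.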

Configuring the FTP Server


Configuring FTP Server Operating Parameters
The FTP server uses one of two modes to update a file when a client uploads it (with the put command):
Fast mode: The FTP server starts writing data to the storage medium only after the whole file has been received into memory. This prevents the existing file on the FTP server from being corrupted if an anomaly, for example a power failure, occurs during the transfer.
Normal mode: The FTP server writes data to the storage medium while receiving it. Any anomaly during the transfer, for example a power failure, might therefore leave a corrupted file on the FTP server. This mode, however, consumes less memory than fast mode.
FTP carries the username, password and file contents in clear text, so restrict the clients that may reach the server with the ACL below and enable the server only while it is needed. Follow these steps to configure the FTP server:
Enter system view
    Command: system-view
Enable the FTP server
    Command: ftp server enable
    Remarks: Required. Disabled by default.
Use an ACL to control FTP clients' access to the AC
    Command: ftp server acl acl-number
    Remarks: Optional. By default, no ACL is used to control FTP clients' access to the AC.
Configure the idle-timeout timer
    Command: ftp timeout minutes
    Remarks: Optional. 30 minutes by default. If there is no interaction between the FTP server and a client within the idle-timeout time, the connection between them is terminated.
Set the file update mode for the FTP server
    Command: ftp update { fast | normal }
    Remarks: Optional. Normal update is used by default.
Quit to user view
    Command: quit
Manually release the FTP connection established with the specified username
    Command: free ftp user username
    Remarks: Optional. Available in user view.

Configuring Authentication and Authorization on the FTP Server


To allow an FTP user to access certain directories on the FTP server, you need to create an account for the user, authorizing access to the directories and associating the username and password with the account. The following configuration is used when the FTP server authenticates and authorizes a local FTP user. If the FTP server needs to authenticate a remote FTP user, you need to configure authentication, authorization and accounting (AAA) policy instead of the local user. For detailed configuration, see AAA in the Security Configuration Guide. Follow these steps to configure authentication and authorization for FTP server:
Enter system view
    Command: system-view
Create a local user and enter its view
    Command: local-user user-name
    Remarks: Required. No local user exists by default, and the system does not support anonymous FTP access.
Assign a password to the user
    Command: password { simple | cipher } password
    Remarks: Required. Prefer cipher where possible: with simple, the password is stored in plain text in the configuration file, which the examples in this chapter back up over FTP.
Assign the FTP service to the user
    Command: service-type ftp
    Remarks: Required. By default, the system does not support anonymous FTP access and assigns no service. If the FTP service is assigned, the root directory of the AC is used by default.
Configure user properties
    Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *
    Remarks: Optional. By default, FTP/SFTP users can access the root directory of the AC, and the user level is 0. You can change the default configuration with this command.

For more information about the local-user, password, service-type ftp, and authorization-attribute commands, see AAA in the Security Command Reference. When the AC serves as the FTP server, an FTP login user who is to perform write operations on the AC's file system (upload, delete, and create, for example) must be a level 3 user; for other operations, such as reads, the AC places no restriction on the user level, that is, any level from 0 to 3 is allowed.

FTP Server Configuration Example


Network requirements
As shown in Figure 6-3, use Device as the FTP server and the PC as the FTP client. Their IP addresses are 1.1.1.1/16 and 1.2.1.1/16 respectively. An available route exists between Device and PC. PC keeps the updated startup file of the device. Use FTP to upgrade the device and back up the configuration file. Set the username to ftp and the password to pwd for the FTP client to log in to the FTP server.
Figure 6-3 Upgrading using the FTP server (diagram): PC (FTP client, 1.2.1.1/16) and Device (FTP server, 1.1.1.1/16) connected across the Internet.
Configuration procedure
1) Configure Device (FTP Server)
# Create an FTP user account ftp, set its password to pwd and the user privilege level to level 3 (the manage level). Authorize the ftp user to access the root directory of cfa0, and specify that ftp uses the FTP service.
<Sysname> system-view
[Sysname] local-user ftp
[Sysname-luser-ftp] password simple pwd
[Sysname-luser-ftp] authorization-attribute level 3
[Sysname-luser-ftp] authorization-attribute work-directory cfa0:/
[Sysname-luser-ftp] service-type ftp
[Sysname-luser-ftp] quit

# Enable FTP server.


[Sysname] ftp server enable
[Sysname] quit

# Check the files on your device. Remove redundant ones to ensure adequate space for the startup file to be uploaded.
<Sysname> dir
Directory of cfa0:/

   0  -rw-  13350944  Jun 02 2010 10:44:14   wx5004.bin
   1  -rw-      1014  Jun 02 2010 14:44:32   system.xml
   2  -rw-      1364  Jun 02 2010 14:44:34   xyx.cfg
   3  -rw-       350  May 13 2010 14:55:12   manuinfo.txt
   4  drw-         -  Apr 08 2010 15:01:52   logfile

32686 KB total (19632 KB free)

File system type of cfa0: FAT16
<Sysname> delete /unreserved xyx.cfg

2)

Configure the PC (FTP Client)

# Log in to the FTP server through FTP.


c:\> ftp 1.1.1.1
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)): ftp
331 Password required for ftp.
Password:
230 User logged in.

# Download the configuration file config.cfg of the device to the PC for backup.
ftp> get config.cfg back-config.cfg

# Upload the startup file newest.app to Device.
ftp> put newest.app
ftp> bye

You can take the same steps to upgrade the configuration file with FTP. When upgrading the configuration file with FTP, put the new file under the root directory of the storage medium. After you finish uploading the Boot ROM program through FTP, you must execute the bootrom update command to upgrade the Boot ROM.

3)

Upgrade Device

# Specify newest.app as the main startup file to be used at the next startup.
<Sysname> boot-loader file newest.app main

# Reboot the device and the startup file is updated at the system reboot.
<Sysname> reboot

The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, see Device Management in the Fundamentals Command Reference.


Displaying and Maintaining FTP


Display the configuration of the FTP client
    Command: display ftp client configuration
    Remarks: Available in any view
Display the configuration of the FTP server
    Command: display ftp-server
    Remarks: Available in any view
Display detailed information about logged-in FTP users
    Command: display ftp-user
    Remarks: Available in any view


TFTP Configuration
This chapter includes these sections: TFTP Overview Configuring the TFTP Client Displaying and Maintaining the TFTP Client TFTP Client Configuration Example

TFTP Overview
Introduction to TFTP
The Trivial File Transfer Protocol (TFTP) provides functions similar to those of FTP, but it has a simpler interaction model and no authentication. It is therefore suited to environments where no complex interaction is needed between client and server, and it should be used only on networks where every host that can reach the server is trusted. TFTP uses UDP port 69 for data transmission. For basic TFTP operation, see RFC 1350.
In TFTP, file transfer is initiated by the client. In a normal download, the client sends a read request to the TFTP server, receives data from the server, and acknowledges each data block to the server. In a normal upload, the client sends a write request to the TFTP server, sends data to the server, and receives an acknowledgement for each block from the server.
TFTP transfers files in two modes:
Binary mode, for program files such as those with the suffixes .app, .bin, or .btm.
ASCII mode, for text files such as those with the suffixes .txt, .bat, or .cfg.
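The read and write exchanges described above, as an added example in Python; this is not H3C code and not part of the original guide. It builds and parses the RRQ/WRQ, DATA, ACK and ERROR packets of RFC 1350 and runs a download between an in-memory server and client. The in-memory server, its working-directory file-name check, and the sample file contents are assumptions of this example; nothing is sent on the network.

```python
"""TFTP packet codec and an in-memory read exchange (RFC 1350).

Added example, not H3C code. The server, its file-name check and the
sample files are constructed for this example; there is no network I/O.
"""
import struct
from typing import Dict, List, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # fixed block size when the blksize option is not negotiated


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: opcode(2) | filename | 0 | mode | 0. octet = binary, netascii = text."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    if mode not in ("octet", "netascii"):
        raise ValueError("unsupported mode")
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block & 0xFFFF)


def build_error(code: int, msg: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + msg.encode("ascii") + b"\0"


def parse(pkt: bytes) -> Tuple[int, dict]:
    """Decode any TFTP packet into (opcode, fields); reject truncated input."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    op = struct.unpack("!H", pkt[:2])[0]
    if op in (RRQ, WRQ):
        parts = pkt[2:].split(b"\0")
        if len(parts) < 3:
            raise ValueError("request missing terminators")
        return op, {"filename": parts[0].decode("ascii"), "mode": parts[1].decode("ascii").lower()}
    if op == DATA:
        return op, {"block": struct.unpack("!H", pkt[2:4])[0], "data": pkt[4:]}
    if op == ACK:
        return op, {"block": struct.unpack("!H", pkt[2:4])[0]}
    if op == ERROR:
        return op, {"code": struct.unpack("!H", pkt[2:4])[0], "msg": pkt[4:].split(b"\0")[0].decode("ascii")}
    raise ValueError(f"unknown opcode {op}")


def safe_name(filename: str) -> bool:
    """Working-directory restriction (this example's assumption): a bare file
    name only. TFTP has no authentication, so the server must never let a
    client name a path outside its working directory."""
    return bool(filename) and "/" not in filename and "\\" not in filename and ".." not in filename


def serve_read(files: Dict[str, bytes], request: bytes) -> List[bytes]:
    """Server side of a download: answer an RRQ with the DATA packets the
    client will ACK. A short final block (< 512 bytes) marks end of file."""
    op, f = parse(request)
    if op != RRQ:
        return [build_error(4, "Illegal TFTP operation")]
    if not safe_name(f["filename"]) or f["filename"] not in files:
        return [build_error(1, "File not found")]
    data = files[f["filename"]]
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if not blocks or len(blocks[-1]) == BLOCK:
        blocks.append(b"")  # exact multiple of 512: an empty DATA block terminates
    return [build_data(n + 1, b) for n, b in enumerate(blocks)]


def client_download(server_packets: List[bytes]) -> Tuple[bytes, List[bytes]]:
    """Client side: consume DATA in order, emit one ACK per block, stop at a
    short block. Returns (file_bytes, acks_sent); raises on ERROR or a gap."""
    out = bytearray()
    acks: List[bytes] = []
    expected = 1
    for pkt in server_packets:
        op, f = parse(pkt)
        if op == ERROR:
            raise RuntimeError(f"server error {f['code']}: {f['msg']}")
        if op != DATA or f["block"] != expected:
            raise RuntimeError("unexpected packet or block number")
        out += f["data"]
        acks.append(build_ack(f["block"]))
        expected += 1
        if len(f["data"]) < BLOCK:
            break
    return bytes(out), acks


if __name__ == "__main__":
    # Constructed sample: a 1100-byte 'startup file' fetched with 'tftp ... get newest.app'.
    store = {"newest.app": bytes(range(256)) * 4 + b"\x00" * 76}
    got, acks = client_download(serve_read(store, build_request(RRQ, "newest.app")))
    print(len(got), "bytes in", len(acks), "blocks")
```

A 1100-byte file travels as three DATA blocks (512, 512, 76) and three ACKs; a file that is an exact multiple of 512 bytes needs one extra, empty DATA block so the client can tell the transfer has ended. A request for ../startup.cfg is answered with error 1 and the client raises instead of writing anything.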

Operation of TFTP

Only the TFTP client service is available with your AC at present.

Figure 7-1 TFTP configuration diagram (diagram): Device (TFTP client) and PC (TFTP server).

Before using TFTP, the administrator needs to configure IP addresses for the TFTP client and server, and make sure that there is a reachable route between the TFTP client and server. When the device serves as the TFTP client, you need to perform the following configuration:
Table 7-1 Configuration when the device serves as the TFTP client
Device (TFTP client): Configure the IP address and routing function, and ensure that the route between the device and the TFTP server is available. Use the tftp command to establish a connection to the remote TFTP server and upload/download files to/from it.
PC (TFTP server): Enable the TFTP server on the PC, and configure the TFTP working directory.

Configuring the TFTP Client


When an AC acts as a TFTP client, you can upload a file on the AC to a TFTP server and download a file from the TFTP server to the local AC. You can use either of the following ways to download a file:
Normal download: The AC writes the obtained file to the storage medium directly. If you use a filename that already exists in the directory, the original system file is overwritten, and if the download fails (for example, because the network is disconnected) the AC cannot start up normally because the original system file has been deleted.
Secure download: The AC saves the obtained file to its memory and does not write it to the storage medium until the whole file has been obtained. If the download fails (for example, because the network is disconnected), the AC can still start up because the original system file is not overwritten. This mode is more secure but consumes more memory.
You are recommended to use the secure mode or, if you use the normal mode, to specify a filename that does not exist in the current directory as the target filename when downloading the startup file or the startup configuration file.
Source address binding means configuring an IP address on a stable interface such as a loopback interface or Dialer interface, and then using this IP address as the source IP address of TFTP connections. Source address binding simplifies the configuration of ACL rules and security policies: you specify this address as the source or destination address in an ACL rule to filter inbound and outbound packets on the AC, regardless of the differences between interface IP addresses and the effect of interface states. You can configure the source address by configuring the source interface or the source IP address. The primary IP address configured on the source interface is the source address of the transmitted packets.
The source address of the transmitted packets is selected following these rules:
If no source address of the TFTP client is specified, the AC uses the IP address of the interface determined by the matched route as the source IP address to communicate with the TFTP server.
If the source address is specified with the tftp client source or tftp command, that source address is used.
If you specify a source address with both the tftp client source command and the tftp command, the source address configured with the tftp command is used to communicate with the TFTP server.
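The difference between the normal and secure downloads above, and between the normal and fast update modes of the FTP server in the previous chapter, comes down to whether an interrupted transfer can leave a half-written file where the startup file used to be. The following is an added example in Python; it is not H3C code and not part of the original guide. It simulates both behaviours on a temporary directory with a constructed 1 KiB "old" file and a constructed 2 KiB "new" file and aborts the transfer part-way. Committing the buffered file through a temporary file and os.replace is this example's own way of making the final write atomic; the guide only states that the file is written after it has been fully received.

```python
"""Normal versus buffer-then-commit ('fast'/'secure') file update.

Added example, not H3C code. The interruption, the sample files and the
temporary-file commit are constructions of this example.
"""
import os
import tempfile
from typing import Iterable, Optional


class TransferAborted(Exception):
    """Stands in for a power failure or link drop mid-transfer (constructed)."""


def _chunks(data: bytes, size: int, fail_after: Optional[int]) -> Iterable[bytes]:
    """Yield the incoming data in size-byte pieces; raise after fail_after pieces."""
    sent = 0
    for i in range(0, len(data), size):
        if fail_after is not None and sent >= fail_after:
            raise TransferAborted(f"link dropped after {sent} chunks")
        yield data[i:i + size]
        sent += 1


def update_normal(path: str, incoming: bytes, chunk: int = 512, fail_after: Optional[int] = None) -> None:
    """Normal mode: write to the target while receiving. An abort leaves the
    target truncated, and what was there before is already gone."""
    with open(path, "wb") as f:
        for piece in _chunks(incoming, chunk, fail_after):
            f.write(piece)


def update_fast(path: str, incoming: bytes, chunk: int = 512, fail_after: Optional[int] = None) -> None:
    """Fast/secure mode: buffer the whole file in memory first; only a complete
    file reaches the storage medium. Costs len(incoming) bytes of memory."""
    buf = bytearray()
    for piece in _chunks(incoming, chunk, fail_after):
        buf += piece
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".upload-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(buf)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic rename: readers see old or new, never a mix
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def simulate(mode: str, fail_after: Optional[int]) -> bytes:
    """Upload a constructed 2 KiB file over an existing constructed 1 KiB file
    and return what is on 'disk' afterwards."""
    old = b"OLD-STARTUP-FILE" * 64      # 1024 bytes: the file the device boots from
    new = b"NEW-STARTUP-FILE" * 128     # 2048 bytes: the file being uploaded
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "newest.app")
        with open(target, "wb") as f:
            f.write(old)
        try:
            (update_fast if mode == "fast" else update_normal)(target, new, fail_after=fail_after)
        except TransferAborted:
            pass
        with open(target, "rb") as f:
            return f.read()


if __name__ == "__main__":
    for mode in ("normal", "fast"):
        print(mode, "interrupted ->", len(simulate(mode, fail_after=2)), "bytes on disk")
```

After an interruption two chunks in, normal mode leaves a 1024-byte truncated copy of the new file and the old file is gone; fast mode leaves the old file untouched. Either mode delivers the complete new file when the transfer is not interrupted.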


The source address specified with the tftp client source command is valid for all TFTP connections; the source address specified with the tftp command is valid only for the current TFTP connection. Follow these steps to configure the TFTP client:
Enter system view
    Command: system-view
Use an ACL to control the AC's access to TFTP servers
    Command: tftp-server [ ipv6 ] acl acl-number
    Remarks: Optional. By default, no ACL is used to control the AC's access to TFTP servers.
Configure the source address of the TFTP client
    Command: tftp client source { interface interface-type interface-number | ip source-ip-address }
    Remarks: Optional. By default, the AC uses the source address determined by the matched route to communicate with the TFTP server.
Return to user view
    Command: quit
Download or upload a file in an IPv4 network
    Command: tftp server-address { get | put | sget } source-filename [ destination-filename ] [ source { interface interface-type interface-number | ip source-ip-address } ]
    Remarks: Optional. Available in user view. get downloads in normal mode and sget in secure mode, as described above.
Download or upload a file in an IPv6 network
    Command: tftp ipv6 tftp-ipv6-server [ -i interface-type interface-number ] { get | put } source-file [ destination-file ]
    Remarks: Optional. Available in user view.

If no primary IP address is configured on the source interface, no TFTP connection can be established. If you use the tftp client source command to configure first the source interface and then the source IP address of the TFTP client's packets, the new source IP address overwrites the current setting, and vice versa.

Displaying and Maintaining the TFTP Client


Display the configuration of the TFTP client
    Command: display tftp client configuration
    Remarks: Available in any view

TFTP Client Configuration Example


Network requirements
As shown in Figure 7-2, use a PC as the TFTP server and Device as the TFTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC.
Device downloads a startup file from PC for upgrading and uploads a configuration file named config.cfg to PC for backup.
Figure 7-2 Smooth upgrading using the TFTP client function (diagram): Device (TFTP client, 1.1.1.1/16) and PC (TFTP server, 1.2.1.1/16).

Configuration procedure
1) Configure PC (TFTP Server); the configuration procedure is omitted.
   On the PC, enable the TFTP server and configure a TFTP working directory.
2) Configure Device (TFTP Client)

If the storage medium of the device does not have enough free space, use the fixdisk command to restore the space or use the delete /unreserved file-url command to delete files that are no longer needed, and then perform the following operations.

# Download the application file newest.app from PC. The tftp command is executed in user view.
<Sysname> tftp 1.2.1.1 get newest.app

# Upload a configuration file config.cfg to the TFTP server.


<Sysname> tftp 1.2.1.1 put config.cfg configback.cfg

# Specify newest.app as the main startup file to be used at the next startup.
<Sysname> boot-loader file newest.app main

# Reboot the device and the software is upgraded.


<Sysname> reboot

The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, see Device Management in the Fundamentals Command Reference.


Logging In to an Access Controller Product


This chapter includes these sections: Logging In to an Access Controller Product Introduction to the User Interface

Logging In to an Access Controller Product


You can log in to an access controller product in one of the following ways:
Logging in locally through the console port
Telnetting locally or remotely to an Ethernet port
Logging in through the web-based network management system
Logging in through an NMS

Introduction to the User Interface


Supported User Interfaces
The AC supports three types of user interfaces: AUX, console, and VTY.

Support for the user interfaces and the number of simultaneously logged-in users depend on the AC model. Support of IPv6-related configurations depends on the AC model.

Table 8-1 Description of user interfaces
AUX: Users logging in through the console port. Port used: console port. Each AC can accommodate one AUX user.
Console: Users logging in through the console port. Port used: console port. Each AC can accommodate one console user.
VTY: Telnet users and SSH users. Port used: Ethernet port. Each AC can accommodate up to five VTY users.

User Interface Number


User interfaces can be numbered in two ways: absolute numbering and relative numbering.
1) Absolute numbering:
AUX user interface: Numbered first, and is 0.
Console user interface: Numbered first, and is 0.
VTY user interfaces: Numbered after the AUX/console user interface, increasing in steps of 1.
2) Relative numbering: A relative user interface index is obtained by appending a number to the identifier of a user interface type; it is generated per user interface type. The relative user interface indexes are as follows:
AUX user interface: AUX 0
Console user interface: Console 0
VTY user interfaces: VTY 0, VTY 1, VTY 2, and so on.

Common User Interface Configuration


Enter system view
    Command: system-view
Lock the current user interface
    Command: lock
    Remarks: Optional. Execute this command in user view. A user interface is not locked by default.
Send messages to all user interfaces or a specified user interface
    Command: send { all | num1 | { aux | console | vty } num2 }
    Remarks: Optional. Execute this command in user view.
Disconnect a specified user interface
    Command: free user-interface { num1 | { aux | console | vty } num2 }
    Remarks: Optional. Execute this command in user view. The interface type and quantity supported by this command vary by device model.
Set the banner
    Command: header { incoming | legal | login | motd | shell } text
    Remarks: Optional. By default, no banner is configured.
Set a system name for the access controller product
    Command: sysname string
    Remarks: Optional. The default system name is H3C.
Enter user interface view
    Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
    Remarks: The interface type and quantity supported by this command vary by device model.
Define a shortcut key for aborting tasks
    Command: escape-key { default | character }
    Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Set the history command buffer size
    Command: history-command max-size value
    Remarks: Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.
Set the timeout time for the user interface
    Command: idle-timeout minutes [ seconds ]
    Remarks: Optional. The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
Set the maximum number of lines the screen can contain
    Command: screen-length screen-length
    Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Make terminal services available
    Command: shell
    Remarks: Optional. By default, terminal services are available in all user interfaces.
Set the display type of a terminal
    Command: terminal type { ansi | vt100 }
    Remarks: Optional. By default, the terminal display type is ANSI. The device must use the same display type as the terminal; if the terminal uses VT100, the device should also use VT100.
Display the information about the current user interface/all user interfaces
    Command: display users [ all ]
    Remarks: You can execute this command in any view.
Display the physical attributes and configuration of the current/a specified user interface
    Command: display user-interface [ num1 | { aux | console | vty } num2 ] [ summary ]
    Remarks: You can execute this command in any view. The interface type and quantity supported by this command vary by device model.

Logging In Through the Console Port


This chapter includes these sections:
Introduction
Setting Up the Connection to the Console Port
Console Port Login Configuration
Configuring None Authentication for Console Port Login
Configuring Password Authentication for Console Port Login
Configuring Scheme Authentication for Console Port Login

Introduction

Support for the console port and AUX port varies by AC model. Support of IPv6-related configurations depends on the AC model.

Logging in through the console port is the most common way to log in to an AC. It is also the prerequisite to configuring other login methods. By default, you can log in to an AC through its console port only. To log in to an AC through its console port, the configuration of the user terminal must match that of the console port. Table 9-1 lists the default settings of a console port.
Table 9-1 The default settings of a console port
Baud rate: 9,600 bps
Check mode: No check bit
Stop bits: 1
Data bits: 8

After logging in to your AC, you can modify the settings of the console port. For more information, see Console Port Login Configuration.

Setting Up the Connection to the Console Port


Step1 Connect the serial port of your PC/terminal to the console port of the AC, as shown in Figure 9-1.

Figure 9-1 Diagram for setting up the connection to the console port (diagram): the RS-232 port of the PC is connected by a console cable to the console port of the AC.

Step2 If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 9-2 through Figure 9-4 for the connection to be created. Normally, the parameters of a terminal are configured as those listed in Table 9-1.

If you use the Windows 2003 Server operating system on your PC, add a HyperTerminal, and then log in to and manage the AC as described in this document. If you use Windows 2008 Server, Windows 7, Windows Vista, or any other operating system on your PC, use the third party terminal software. For how to use the third party terminal software, see the user guide or online help of that software.

Figure 9-2 Create a connection
Figure 9-3 Specify the port used to establish the connection
Figure 9-4 Set port parameters terminal window

Step3 Turn on the AC. You are prompted to press Enter if the AC successfully completes the power-on self test (POST). The prompt (such as <H3C>) appears after you press Enter, as shown in Figure 9-5.

Figure 9-5 The terminal window

Step4 You can then configure the AC or check the information about the AC by executing commands. You can also get help by typing ?. For information about the commands, see the following sections.

Console Port Login Configuration


Configuring Common Settings for Console Login
Table 9-2 lists the common settings for console port login.
Table 9-2 Common settings for console port login
Console port configuration:
    Baud rate: Optional. The default baud rate is 9,600 bps.
    Check mode: Optional. By default, the check mode of the console port is none, which means no check bit.
    Stop bits: Optional. The default stop bits of a console port is 1.
    Data bits: Optional. The default data bits of a console port is 8.
AUX/Console user interface configuration:
    Configure the command level available to users logging in to the AUX/console user interface: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.
    Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
    Define a shortcut key for starting terminal sessions: Optional. By default, pressing the Enter key starts the terminal session.
Terminal configuration:
    Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
    Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
    Set the history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
    Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.

Common console login configuration takes effect immediately. The connection may be interrupted when you perform such configuration after logging in through the console port. Therefore, use another login method to configure the console port settings. To log in to your AC again through the console port, modify the settings of the terminal program running on your PC to make them consistent with the console port settings on your AC. For more information, see Setting Up the Connection to the Console Port.

Console Port Login Configurations for Different Authentication Modes


Table 9-3 lists console port login configurations for different authentication modes.
Table 9-3 Console port login configurations for different authentication modes
None:
    Perform common configuration for console port login. Optional. For more information, see Table 9-2.
Password:
    Configure the password for local authentication. Required.
    Perform common configuration for console port login. Optional. For more information, see Table 9-2.
Scheme:
    Specify whether to perform local authentication or RADIUS authentication (AAA configuration). Optional. Local authentication is performed by default. For more information, see AAA in the Security Configuration Guide.
    Configure user names and passwords for local/remote users. Required. The user name and password of a local user are configured on the access controller; the user name and password of a remote user are configured on the RADIUS server (see the user manual of the RADIUS server).
    Manage AUX/console users: set the service type for AUX/console users. Required.
    Perform common configuration for console port login. Optional. For more information, see Table 9-2.

A change to the authentication mode of console port login does not take effect unless you exit and enter the CLI again.

Configuring None Authentication for Console Port Login


Configuration Procedure
Enter system view
    Command: system-view
Enter AUX/console user interface view
    Command: user-interface aux 0 or user-interface console 0
Specify the none authentication mode
    Command: authentication-mode none
    Remarks: Required. By default, users logging in through the AUX/console port are not authenticated.
Configure the console port:
  Set the baud rate
    Command: speed speed-value
    Remarks: Optional. The default baud rate of an AUX/console port is 9,600 bps.
  Set the check mode
    Command: parity { even | mark | none | odd | space }
    Remarks: Optional. By default, the check mode of a console port is none, that is, no check bit.
  Set the stop bits
    Command: stopbits { 1 | 1.5 | 2 }
    Remarks: Optional. The default stop bits of an AUX/console port is 1.
  Set the data bits
    Command: databits { 5 | 6 | 7 | 8 }
    Remarks: Optional. The default data bits of a console port is 8.
Configure the command level available to users logging in to the user interface
    Command: user privilege level level
    Remarks: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.
Define a shortcut key for starting terminal sessions
    Command: activation-key character
    Remarks: Optional. By default, pressing the Enter key starts the terminal session.
Define a shortcut key for aborting tasks
    Command: escape-key { default | character }
    Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Make terminal services available
    Command: shell
    Remarks: Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain
    Command: screen-length screen-length
    Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size
    Command: history-command max-size value
    Remarks: Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.
Set the timeout time for the user interface
    Command: idle-timeout minutes [ seconds ]
    Remarks: Optional. The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Because the AUX/console user interface is unauthenticated by default and grants level 3, anyone with physical access to the console port has full administrative control of the AC. Leave the none mode only on devices whose console port is physically protected; otherwise configure password or scheme authentication as described in the following sections.

The command level available to users logging in to the device depends on both the authentication-mode none command and the user privilege level level command, as listed in the following table.

Table 9-4 Determine the command level (A)
Authentication mode none (authentication-mode none), users logging in through AUX/console ports:
    user privilege level level command not executed: Level 3
    user privilege level level command already executed: Determined by the level argument

Configuration Example
Network requirements
Assume the AC supports Telnet, and the user level of Telnet users is set to the manage level (level 3). Telnet to the AC, and configure parameters for console login as follows:
Configure the none authentication mode for console login.
Configure command level 2 for console users.
Configure the baud rate of the console port as 19200 bps.
Configure the screen to contain up to 30 lines.
Configure the history command buffer to contain up to 20 commands.
Configure the timeout time of the console user interface as 6 minutes.
Figure 9-6 Network diagram for AUX user interface configuration (with the authentication mode being none)

Configuration procedure
# Enter system view.
<Sysname> system-view

# Enter AUX user interface view.


[Sysname] user-interface aux 0

# Specify the none authentication mode for users that log in through the console port.
[Sysname-ui-aux0] authentication-mode none

# Specify command level 2 for console users.


[Sysname-ui-aux0] user privilege level 2

# Set the baud rate of the console port to 19,200 bps.


[Sysname-ui-aux0] speed 19200

# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30


# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20

# Set the timeout time of the AUX user interface to 6 minutes.


[Sysname-ui-aux0] idle-timeout 6

To ensure successful login, change the settings of the terminal emulation program running on the PC to make them consistent with those on the AC. See Setting Up the Connection to the Console Port.

Configuring Password Authentication for Console Port Login

Configuration Procedure

- Enter system view: system-view
- Enter AUX/console user interface view: user-interface aux 0 or user-interface console 0 (required)
- Enable password authentication: authentication-mode password (required). By default, users logging in through the console port are not authenticated, while users logging in through Telnet need to pass password authentication.
- Set the local password: set authentication password { cipher | simple } password (required)
- Configure the console port:
  - Set the baud rate: speed speed-value (optional). The default baud rate of an AUX/console port is 9,600 bps.
  - Set the check mode: parity { even | mark | none | odd | space } (optional). By default, the check mode of an AUX/console port is none, that is, no check bit.
  - Set the stop bits: stopbits { 1 | 1.5 | 2 } (optional). The default number of stop bits of an AUX/console port is 1.
  - Set the data bits: databits { 5 | 6 | 7 | 8 } (optional). The default number of data bits of an AUX/console port is 8.
- Configure the command level available to users logging in to the user interface: user privilege level level (optional). By default, commands of level 3 are available to users logging in to the AUX/console user interface.
- Define a shortcut key for starting terminal sessions: activation-key character (optional). By default, pressing the Enter key starts the terminal session.
- Define a shortcut key for aborting tasks: escape-key { default | character } (optional). The default shortcut key combination for aborting tasks is Ctrl+C.
- Make terminal services available to the user interface: shell (optional). By default, terminal services are available in all user interfaces.
- Set the maximum number of lines the screen can contain: screen-length screen-length (optional). By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.
- Set the history command buffer size: history-command max-size value (optional). The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands.
- Set the timeout time for the user interface: idle-timeout minutes [ seconds ] (optional). The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

The level of the commands available to users logging in to the device depends on both the authentication-mode password command and the user privilege level level command, as listed in Table 9-5.

Table 9-5 Determine the command level (B)

Authentication mode: Local authentication (authentication-mode password)
User type: Users logging in to the AUX/console user interface
- The user privilege level level command not executed: Level 3
- The user privilege level level command already executed: Determined by the level argument

Configuration Example
Network requirements
Assume the AC supports Telnet, and the user level of Telnet users is set to the manage level (level 3). Telnet to the AC, and configure parameters for console login as follows:
- Configure the password authentication mode for console login.
- Configure the local password as 123456 (in plain text).
- Configure command level 2 for console users.
- Configure the baud rate of the console port as 19200 bps.
- Configure the screen to contain up to 30 lines.
- Configure the history command buffer to contain up to 20 commands.
- Configure the timeout time of the console user interface as 6 minutes.

Figure 9-7 Network diagram for AUX user interface configuration (with the authentication mode being password)

Configuration procedure
# Enter system view.
<Sysname> system-view

# Enter AUX user interface view.
[Sysname] user-interface aux 0

# Specify the password authentication mode.
[Sysname-ui-aux0] authentication-mode password

# Set the local password to 123456 (in plain text).
[Sysname-ui-aux0] set authentication password simple 123456

# Specify that commands of level 2 are available to users logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2

# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200

# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20

# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6

To ensure successful login, change the settings of the terminal emulation program running on the PC to make them consistent with those on the AC. See Setting Up the Connection to the Console Port for more.

Configuring Scheme Authentication for Console Port Login

Configuration Procedure

- Enter system view: system-view
- Configure the authentication mode:
  - Enter the default ISP domain view: domain domain-name
  - Specify the AAA scheme to be applied to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (optional). By default, the local AAA scheme is applied. If you specify the local AAA scheme, you also need to configure the local user. If you specify an existing scheme by providing the radius-scheme-name argument, you also need to perform AAA&RADIUS configuration on the access controller and configure the user name and password accordingly on the AAA server (for more information, see the configuration guide of the AAA server).
- Quit to system view: quit
- Create a local user (enter local user view): local-user user-name (required). No local user exists by default.
- Set the authentication password for the local user: password { simple | cipher } password (required)
- Specify the service type for AUX and console users: service-type terminal (required)
- Configure authorization attributes, including the command level, for the local user: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *
- Quit to system view: quit
- Enter AUX/console user interface view: user-interface aux 0 or user-interface console 0
- Enable scheme authentication: authentication-mode scheme (required). The specified AAA scheme determines whether users are authenticated locally or remotely. Users are authenticated locally by default.
- Configure the console port:
  - Set the baud rate: speed speed-value (optional). The default baud rate of an AUX/console port is 9,600 bps.
  - Set the check mode: parity { even | mark | none | odd | space } (optional). By default, the check mode of an AUX/console port is none, that is, no check bit.
  - Set the stop bits: stopbits { 1 | 1.5 | 2 } (optional). The default number of stop bits of an AUX/console port is 1.
  - Set the data bits: databits { 5 | 6 | 7 | 8 } (optional). The default number of data bits of a console port is 8.
- Configure the command level available to users logging in to the user interface: user privilege level level (optional). By default, commands of level 3 are available to users logging in to the AUX/console user interface.
- Define a shortcut key for starting terminal sessions: activation-key character (optional). By default, pressing the Enter key starts the terminal session.
- Define a shortcut key for aborting tasks: escape-key { default | character } (optional). The default shortcut key combination for aborting tasks is Ctrl+C.
- Make terminal services available to the user interface: shell (optional). By default, terminal services are available in all user interfaces.
- Set the maximum number of lines the screen can contain: screen-length screen-length (optional). By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.
- Set the history command buffer size: history-command max-size value (optional). The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands.
- Set the timeout time for the user interface: idle-timeout minutes [ seconds ] (optional). The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

The level of the commands that are available to users logging in to the device depends on the authorization-attribute command, as listed in Table 9-6.

Table 9-6 Determine the command level

Authentication mode: authentication-mode scheme
User type: Users logging in to the AUX/console port who pass AAA&RADIUS or local authentication
- The authorization-attribute command does not specify the available command level: Level 0 (the default command level available to local users is level 0)
- The authorization-attribute command specifies the available command level: Determined by the authorization-attribute command

Configuration Example
Network requirements
Assume the AC supports Telnet, and the user level of Telnet users is set to the manage level (level 3). Telnet to the AC, and configure parameters for console login as follows:
- Configure the name of the local user as guest.
- Configure the local password as 123456 (in plain text).
- Set the service type of the local user to Terminal and the command level to 2.
- Configure the scheme authentication mode.
- Configure the baud rate of the console port as 19200 bps.
- Configure the screen to contain up to 30 lines.
- Configure the history command buffer to contain up to 20 commands.
- Configure the timeout time of the console user interface as 6 minutes.

Figure 9-8 Network diagram for AUX user interface configuration (with the authentication mode being scheme)

Configuration procedure
# Enter system view.
<Sysname> system-view

# Create a local user named guest and enter local user view.
[Sysname] local-user guest

# Set the authentication password to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456

# Set the command level to 2.
[Sysname-luser-guest] authorization-attribute level 2

# Set the service type to terminal.
[Sysname-luser-guest] service-type terminal

# Return to system view.
[Sysname-luser-guest] quit

# Enter AUX user interface view.
[Sysname] user-interface aux 0

# Enable scheme authentication for console users.
[Sysname-ui-aux0] authentication-mode scheme

# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200

# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20

# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6

To ensure successful login, change the settings of the terminal emulation program running on the PC to make them consistent with those on the AC. See Setting Up the Connection to the Console Port for more.

10 Logging In Through Telnet

This chapter includes these sections:
- Introduction
- Establishing a Telnet Connection
- Configuring None Authentication for Telnet Login
- Configuring Password Authentication for Telnet Login
- Configuring Scheme Authentication for Telnet Login

Introduction
You can telnet to a remote AC to manage and maintain it. To achieve this, you need to configure both the device and the Telnet terminal.

Table 10-1 Telnet login configuration requirements

- Access controller product:
  - The Telnet server is started (the Telnet server is enabled by default).
  - The IP address of the VLAN interface of the AC is configured, and the AC and the Telnet terminal can reach each other.
  - The authentication mode and other settings are configured. See Table 10-2 and Table 10-3.
- Telnet terminal:
  - Telnet is running.
  - The IP address of the management VLAN interface of the AC is available.

After you log in to the access controller through Telnet, you can issue commands to the access controller by pasting session text. The pasted text cannot exceed 2000 bytes, and the pasted commands must belong to the same view; otherwise, the access controller may not execute the commands correctly. If the session text exceeds 2000 bytes, save it in a configuration file, upload the configuration file to the access controller, and reboot the access controller with this configuration file. For more information, see File Management in the Fundamentals Configuration Guide.

Logging in to the access controller through Telnet over IPv6 works the same way as over IPv4. For more information, see IPv6 Application in the Layer 3 IP Services Configuration Guide. Support for Telnet login over IPv6, and for IPv6-related configurations in general, varies by AC model.

Establishing a Telnet Connection


Telnetting to an Access Controller from a Terminal

Step 1: Log in to the AC through the management Ethernet interface or VLAN interface.

You can assign an IP address to the VLAN interface of an access controller that does not have a management Ethernet port to make sure the route between the PC and the access controller is valid. For more information, see VLAN and MAC Address Table in the Layer 2 LAN Switching Configuration Guide.

Connect to the console port (see Setting Up the Connection to the Console Port) and execute the following commands in the terminal window to assign an IP address to the management Ethernet interface of the access controller.

# Configure the IP address of the management Ethernet interface on the device as 202.38.160.92, with the subnet mask 255.255.255.0.
<Sysname> system-view
[Sysname] interface M-Ethernet 1/0/1
[Sysname-M-Ethernet1/0/1] ip address 202.38.160.92 255.255.255.0

# Or, configure the IP address of VLAN-interface 1 on the device as 202.38.160.92, with the subnet mask 255.255.255.0.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 202.38.160.92 255.255.255.0

Step 2: Before Telnet users can log in to the device, the configuration corresponding to their authentication mode must have been performed on the device. For more information, see Configuring None Authentication for Telnet Login, Configuring Password Authentication for Telnet Login, and Configuring Scheme Authentication for Telnet Login. By default, Telnet users need to pass password authentication to log in.

Step 3: Connect your PC to the management Ethernet interface (or Ethernet interface) of the device, as shown in Figure 10-1. If the PC and the access controller are not in the same LAN, make sure the PC and the management Ethernet interface (or Ethernet interface) of the device can reach each other.

Figure 10-1 Network diagram for Telnet connection establishment

Step 4: Launch Telnet on your PC, with the IP address of the management Ethernet interface of the device, as shown in Figure 10-2.

Figure 10-2 Launch Telnet

Step 5: Enter the password when the Telnet window displays Login authentication and prompts for the login password. The CLI prompt (such as <Sysname>) appears if the password is correct. If all VTY user interfaces of the access controller are in use, the connection fails and you receive the message "The number of users currently using the system configuration has reached the maximum. Please wait until one of the users releases the system configuration." An access controller can accommodate up to five Telnet connections at the same time.

Step 6: After successfully Telnetting to the device, you can configure the access controller or display information about it by executing the corresponding commands. You can also type ? at any time for help. For more information, see Basic System Configuration in the Fundamentals Command Reference.

A Telnet connection will be terminated if you remove or modify the IP address of the management interface or VLAN interface in the Telnet session. By default, commands of level 0 are available to Telnet users authenticated by password. For more information about command levels, see Basic System Configuration in the Fundamentals Configuration Guide.

Telnetting to Another Access Controller from the Current One

You can Telnet to another access controller product from the current one. In this case, the current access controller product operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two access controller products are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that a route between the two VLAN interfaces is available.

As shown in Figure 10-3, after Telnetting to an access controller product (labeled as Telnet client), you can Telnet to another device (labeled as Telnet server) by executing the telnet command and then configure the latter.

Figure 10-3 Network diagram for Telnetting to another access controller from the current one

Step 1: Configure the user name and password for Telnet on the access controller operating as the Telnet server. For more information, see Configuring None Authentication for Telnet Login, Configuring Password Authentication for Telnet Login, and Configuring Scheme Authentication for Telnet Login. By default, Telnet users need to pass password authentication to log in.

Step 2: Telnet to the access controller operating as the Telnet client.

Step 3: Execute this command on the access controller operating as the Telnet client: <Sysname> telnet xxxx, where xxxx is the IP address or the host name of the access controller operating as the Telnet server. You can use the ip host command to assign a host name to an access controller.

Step 4: Enter the password. If the password is correct, the CLI prompt (such as <Sysname>) appears. If all VTY user interfaces of the access controller are in use, the connection fails and you receive the message "All user interfaces are used, please try later!".

Step 5: After successfully Telnetting to the access controller, you can configure it or display information about it by executing the corresponding commands. You can also type ? at any time for help. For more information, see Basic System Configuration in the Fundamentals Command Reference.

Common Configuration
Table 10-2 lists the common Telnet configuration.

Table 10-2 Common Telnet configuration

- VTY user interface configuration:
  - Configure the command level available to users logging in to the VTY user interface (optional). By default, commands of level 0 are available to users logging in to a VTY user interface.
  - Configure the protocols the user interface supports (optional). By default, Telnet and SSH are supported.
  - Set the command that is automatically executed when a user logs into the user interface (optional). By default, no command is automatically executed when a user logs into a user interface.
  - Define a shortcut key for aborting tasks (optional). The default shortcut key combination for aborting tasks is Ctrl+C.
  - Make terminal services available (optional). By default, terminal services are available in all user interfaces.
- VTY terminal configuration:
  - Set the maximum number of lines the screen can contain (optional). By default, the screen can contain up to 24 lines.
  - Set the history command buffer size (optional). By default, the history command buffer can contain up to 10 commands.
  - Set the timeout time of a user interface (optional). The default timeout time is 10 minutes.

The auto-execute command command may leave you unable to perform common configuration in the user interface, so use it with caution. Before executing the auto-execute command command and saving your configuration, make sure you can log in to the access controller in another way and cancel the configuration.

Telnet Configurations for Different Authentication Modes

Table 10-3 lists Telnet configurations for different authentication modes.

Table 10-3 Telnet configurations for different authentication modes

- None:
  - Perform common configuration: Perform common Telnet configuration (optional). For more information, see Table 10-2.
- Password:
  - Configure the password: Configure the password for local authentication (required).
  - Perform common configuration: Perform common Telnet configuration (optional). For more information, see Table 10-2.
- Scheme:
  - Specify to perform local authentication or RADIUS authentication: AAA configuration specifies whether to perform local authentication or RADIUS authentication (optional). Local authentication is performed by default. For more information, see AAA in the Security Configuration Guide.
  - Configure user name and password: Configure user names and passwords for local/remote users (required). The user name and password of a local user are configured on the access controller. The user name and password of a remote user are configured on the RADIUS server; refer to the user manual of the RADIUS server for more information.
  - Manage VTY users: Set the service type for VTY users (required).
  - Perform common configuration: Perform common Telnet configuration (optional). For more information, see Table 10-2.

Configuring None Authentication for Telnet Login

Configuration Procedure

- Enter system view: system-view
- Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
- Configure not to authenticate users logging in to VTY user interfaces: authentication-mode none (required). By default, VTY users must pass authentication when logging in.
- Configure the command level available to users logging in to the VTY user interface: user privilege level level (optional). By default, commands of level 0 are available to users logging in to VTY user interfaces.
- Configure the protocols to be supported by the VTY user interface: protocol inbound { all | ssh | telnet } (optional). By default, both Telnet and SSH are supported.
- Set the command that is automatically executed when a user logs into the user interface: auto-execute command text (optional). By default, no command is automatically executed when a user logs into a user interface.
- Define a shortcut key for aborting tasks: escape-key { default | character } (optional). The default shortcut key combination for aborting tasks is Ctrl+C.
- Make terminal services available: shell (optional). By default, terminal services are available in all user interfaces.
- Set the maximum number of lines the screen can contain: screen-length screen-length (optional). By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.
- Set the history command buffer size: history-command max-size value (optional). The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands.
- Set the timeout time of the VTY user interface: idle-timeout minutes [ seconds ] (optional). The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

If you configure not to authenticate the users, the command level available to users logging in to the device depends on both the authentication-mode none command and the user privilege level level command, as listed in Table 10-4.

Table 10-4 Determine the command level when users logging in to the device are not authenticated

Authentication mode: None (authentication-mode none)
User type: VTY users
- The user privilege level level command not executed: Level 0
- The user privilege level level command already executed: Determined by the level argument

Configuration Example
Network requirements
You have logged in to the AC. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. The network requirements are as follows:
- Do not authenticate users logging in to VTY 0.
- Commands of level 2 are available to users logging in to VTY 0.
- Telnet is supported.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of VTY 0 is 6 minutes.

Figure 10-4 Network diagram for Telnet configuration (with the authentication mode being none)

Configuration procedure
# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable

# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0

# Enable none authentication for Telnet users that log in to VTY 0.
[Sysname-ui-vty0] authentication-mode none

# Specify that commands of level 2 are available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2

# Configure VTY 0 to support Telnet.
[Sysname-ui-vty0] protocol inbound telnet

# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20

# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6

Configuring Password Authentication for Telnet Login

Configuration Procedure

- Enter system view: system-view
- Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
- Enable password authentication: authentication-mode password (required)
- Set the local password: set authentication password { cipher | simple } password (required)
- Configure the command level available to users logging in to the user interface: user privilege level level (optional). By default, commands of level 0 are available to users logging in to a VTY user interface.
- Configure the protocol to be supported by the user interface: protocol inbound { all | ssh | telnet } (optional). By default, both Telnet and SSH are supported.
- Set the command that is automatically executed when a user logs into the user interface: auto-execute command text (optional). By default, no command is automatically executed when a user logs into a user interface.
- Define a shortcut key for aborting tasks: escape-key { default | character } (optional). The default shortcut key combination for aborting tasks is Ctrl+C.
- Make terminal services available: shell (optional). By default, terminal services are available in all user interfaces.
- Set the maximum number of lines the screen can contain: screen-length screen-length (optional). By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.
- Set the history command buffer size: history-command max-size value (optional). The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands.
- Set the timeout time of the user interface: idle-timeout minutes [ seconds ] (optional). The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

If password authentication is configured, the command level for users that log in to the AC depends on both the authentication-mode password command and the user privilege level level command, as listed in Table 10-5.

Table 10-5 Determine the command level when users logging in to the device are authenticated in the password mode

Authentication mode: Password (authentication-mode password)
User type: VTY users
- The user privilege level level command not executed: Level 0
- The user privilege level level command already executed: Determined by the level argument

Configuration Example
Network requirements
You have logged in to the AC. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. The network requirements are as follows:
- Authenticate users logging in to VTY 0 using a local password.
- Set the local password to 123456 (in plain text).
- Commands of level 2 are available to users logging in to VTY 0.
- Telnet is supported.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of VTY 0 is 6 minutes.

Figure 10-5 Network diagram for Telnet configuration (with the authentication mode being password)

Configuration procedure
# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable

# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0

# Enable password authentication for users that log in to VTY 0.
[Sysname-ui-vty0] authentication-mode password

# Set the local password to 123456 (in plain text).
[Sysname-ui-vty0] set authentication password simple 123456

# Specify that commands of level 2 are available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2

# Configure VTY 0 to support Telnet.
[Sysname-ui-vty0] protocol inbound telnet

# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20

# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6

Configuring Scheme Authentication for Telnet Login

Configuration Procedure

- Enter system view: system-view
- Configure the authentication scheme:
  - Enter the default ISP domain view: domain domain-name
  - Configure the AAA scheme to be applied to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (optional). By default, the local AAA scheme is applied. If you specify the local AAA scheme, you also need to configure the local user. If you specify an existing scheme by providing the radius-scheme-name argument, you also need to perform AAA&RADIUS configuration on the access controller (for more information, see AAA in the Security Configuration Guide) and configure the user name and password accordingly on the AAA server (for more information, see the configuration guide of the AAA server).
- Quit to system view: quit
- Create a local user and enter local user view: local-user user-name (required). No local user exists by default.
- Set the authentication password for the local user: password { simple | cipher } password (required)
- Specify the service type for VTY users: service-type telnet [ level level ] (required)
- Quit to system view: quit
- Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
- Configure to authenticate users locally or remotely: authentication-mode scheme (required). The specified AAA scheme determines whether users are authenticated locally or remotely. Users are authenticated locally by default.
- Configure the command level available to users logging in to the user interface: user privilege level level (optional). By default, commands of level 0 are available to users logging in to VTY user interfaces.
- Configure the supported protocol: protocol inbound { all | ssh | telnet } (optional). Both Telnet and SSH are supported by default.
- Set the command that is automatically executed when a user logs into the user interface: auto-execute command text (optional). By default, no command is automatically executed when a user logs into a user interface.
- Define a shortcut key for aborting tasks: escape-key { default | character } (optional). The default shortcut key combination for aborting tasks is Ctrl+C.
- Make terminal services available: shell (optional). Terminal services are available in all user interfaces by default.
- Set the maximum number of lines the screen can contain: screen-length screen-length (optional). By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.
- Set the history command buffer size: history-command max-size value (optional). The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands.
- Set the timeout time for the user interface: idle-timeout minutes [ seconds ] (optional). The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

If scheme authentication is configured, the command level for users that log in to the AC depends on the authentication-mode scheme command, the user privilege level level command, and the authorization-attribute level command, as listed in Table 10-6.

Table 10-6 Determine the command level when users logging in to the device are authenticated in the scheme mode (authentication mode: authentication-mode scheme)

User type: VTY users that are AAA&RADIUS authenticated or locally authenticated
  user privilege level level not executed, authorization-attribute level not specified: Level 0
  user privilege level level not executed, authorization-attribute level specified: Determined by the authorization-attribute level command
  user privilege level level executed, authorization-attribute level not specified: Level 0
  user privilege level level executed, authorization-attribute level specified: Determined by the authorization-attribute level command

User type: VTY users that are authenticated in the RSA mode of SSH
  user privilege level level not executed (whether or not authorization-attribute level is specified): Level 0
  user privilege level level executed (whether or not authorization-attribute level is specified): Determined by the user privilege level level command

User type: VTY users that are authenticated in the password mode of SSH
  user privilege level level not executed, authorization-attribute level not specified: Level 0
  user privilege level level not executed, authorization-attribute level specified: Determined by the authorization-attribute level command
  user privilege level level executed, authorization-attribute level not specified: Level 0
  user privilege level level executed, service-type specifies the available command level: Determined by the service-type command

For more information about AAA, RADIUS, and SSH, see AAA and SSH 2.0 in the Security Configuration Guide.

Configuration Example
Network requirements
You have logged in to the AC. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. The network requirements are as follows:
Configure the name of the local user as guest.
Set the authentication password of the local user to 123456 (in plain text).
Set the service type of VTY users to Telnet.
Configure scheme authentication for users logging in to VTY 0.
The commands of level 2 are available to users logging in to VTY 0.
Telnet is supported in VTY 0.
The screen can contain up to 30 lines.
The history command buffer can store up to 20 commands.
The timeout time of VTY 0 is 6 minutes.


Figure 10-6 Network diagram for Telnet configuration (with the authentication mode being scheme): the RS-232 port of the PC is connected to the console port of the AC by a console cable.

Configuration procedure
# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable

# Create a local user named guest and enter local user view.
[Sysname] local-user guest

# Set the authentication password of the local user to 123456 (in plain text). Use the cipher keyword instead of simple if the password must not appear in plain text in the configuration file.
[Sysname-luser-guest] password simple 123456

# Set the service type to Telnet, and the command level to 2.
[Sysname-luser-guest] authorization-attribute level 2
[Sysname-luser-guest] service-type telnet
[Sysname-luser-guest] quit

# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0

# Configure scheme authentication for users that log in to VTY 0.
[Sysname-ui-vty0] authentication-mode scheme

# Specify that VTY 0 supports the Telnet protocol.
[Sysname-ui-vty0] protocol inbound telnet

# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20

# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6


11 Logging In Through the Web-Based Network Management System

Logging in through the Web-based network management system varies by device model. In this chapter, the access controller engines of the WX3024 unified switches are used in the examples. Support of IPv6-related configurations depends on the AC model.

This chapter includes these sections:
Introduction
Setting Up a Web Configuration Environment

Introduction
Each H3C WX series access controller product has a Web server built in. It enables you to log in to the device through a Web browser and then manage and maintain the device intuitively by interacting with the built-in Web server. To log in to the access controller product through the built-in Web-based network management system, you need to perform the related configuration on both the access controller product and the PC operating as the network management terminal.

Table 11-1 Requirements for logging in to the device through the Web-based network management system
Access controller product
  The VLAN interface or management interface of the access controller product is assigned an IP address, and the route between the access controller product and the Web network management terminal is reachable.
  The user name and password for logging in to the Web-based network management system are configured.
PC operating as the network management terminal
  IE is available.
  The IP address of the VLAN interface of the device, the user name, and the password are available.


An access controller product has a factory default configuration when it is shipped. With this configuration, you can enter http://192.168.0.100 in the address bar of the browser on a Web network management terminal (PC), provided that a route between the Web network management terminal and the access controller product is available, and the browser displays the login page. Enter the default user name and password (both admin) and the verification code, select the language, and then you can log in to the Web interface. Change the default password as soon as you have logged in: it is published in this guide and is therefore known to anyone who can reach the device. If you have saved a configuration file, the device starts up with that configuration file at the next boot, and the factory defaults no longer apply.

For the WX5002, WX5002V2, and WX5004, you can log in to the AC through the Web-based network management system.
For the access controller modules LS8M1WCMA0, LSQM1WCMB0, LSBM1WCM2A0, LSRM1WCM2A1, LSWM1WCM10, and LSWM1WCM20, you can log in to the access controller modules through the Web-based network management system.
For the WX6103, you can log in to the main control board through the Web-based network management system. For the login to the switch interface board, see Logging In to the Access Controller Switch Interface Board in the H3C WX6103 Access Controller Switch Interface Board Configuration Guide.
For the WX3024, WX3010, and WX3008, you can log in to the access controller engine through the Web-based network management system. For the login to the switching engine, see Logging In to the Switching Engine in the H3C WX3000 Series Unified Switches Switching Engine Configuration Guide.

Setting Up a Web Configuration Environment


Step 1: Before logging in to the access controller engine of the WX3024 (AC in Figure 11-1) through the Web-based network management system, assign an IP address to the access controller engine (for devices providing management Ethernet ports, you can configure the IP address on the management Ethernet interface), and configure the Web network management user name and authentication password.
# Assign an IP address to the access controller engine of the WX3024.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.0.100 24
[Sysname-Vlan-interface1] quit

# Create a Web user account, setting both the user name and the password to admin and the user level to 3 (manage level). In a production deployment, choose a password other than admin and store it with the cipher keyword rather than simple.
[Sysname] local-user admin
[Sysname-luser-admin] service-type telnet
[Sysname-luser-admin] authorization-attribute level 3
[Sysname-luser-admin] password simple admin
[Sysname-luser-admin] quit

Step 2: Configure the management IP address for the switching engine of the WX3024 (optional).
# After configuring the IP address, you can go to the Web interface of the switching engine from the Web interface of the access controller engine. 192.168.0.101 is the management IP address of the switching engine, and slot 0 is the slot number of the switching engine. Currently, only the WX3000 series support this function.
[Sysname] oap management-ip 192.168.0.101 slot 0

Step 3: Set up a Web configuration environment, as shown in Figure 11-1.
Figure 11-1 Set up a Web configuration environment: the PC reaches the AC across the Internet.

Step 4: Log in to the access controller engine through IE. Launch IE on the Web-based network management terminal (your PC) and enter http://192.168.0.100 in the address bar. (Make sure the route between the Web-based network management terminal and the access controller engine is available.)

Step 5: When the login authentication interface (as shown in Figure 11-2) appears, enter the user name and the password admin, type the verification code, and then click Login to bring up the main page of the Web-based network management system.
Figure 11-2 The login page of the Web-based network management system


12 Logging In Through an NMS

This chapter includes these sections:
Introduction
Connection Establishment

Introduction
You can also log in to an access controller through an NMS (network management station), and then configure and manage the access controller through the agent module on the access controller. The agent here refers to the server-side software running on network devices (access controllers). SNMP (Simple Network Management Protocol) is applied between the NMS and the agent. To log in to an access controller through an NMS, you need to perform related configuration on both the NMS and the device.

Table 12-1 Requirements for logging in to the device through an NMS
Access controller
  The IP address of the management VLAN of the access controller is configured.
  The route between the NMS and the access controller is available.
  The basic SNMP functions are configured. (For more information, see SNMP in the Network Management and Monitoring Configuration Guide.)
NMS
  The NMS is properly configured. (Refer to the user manual of your NMS for more information.)

Connection Establishment
Figure 12-1 Network diagram for logging in through an NMS


13 Controlling Login Users

This chapter includes these sections:
Introduction
Controlling Telnet Users
Controlling Network Management Users by Source IP Addresses

Support of IPv6-related configurations depends on the AC model.

Introduction
An access controller provides ways to control different types of login users, as listed in Table 13-1.

Table 13-1 Ways to control different types of login users
Telnet
  By SSIDs of clients: through WLAN ACLs (see Controlling Telnet Users by SSIDs of Clients)
  By source IP addresses: through basic ACLs (see Controlling Telnet Users by Source IP Addresses)
  By source and destination IP addresses, protocols carried over IP, and protocol features: through advanced ACLs (see Controlling Telnet Users by Source and Destination IP Addresses)
  By source MAC addresses: through Layer 2 ACLs (see Controlling Telnet Users by Source MAC Addresses)
SNMP
  By source IP addresses: through basic ACLs (see Controlling Network Management Users by Source IP Addresses)

Controlling Telnet Users


Prerequisites
The controlling policy against Telnet users is determined, including the wireless clients, source and destination IP addresses to be controlled and the controlling actions (permitting or denying).


Controlling Telnet Users by SSIDs of Clients


Controlling Telnet users by service set identifiers (SSIDs) is achieved by matching WLAN ACLs with packets based on the SSIDs of clients. WLAN ACLs are numbered from 100 to 199. For information about defining an ACL, see ACL in the ACL and QoS Configuration Guide.
Enter system view
  Command: system-view
  Remarks: Required
Create a WLAN ACL and enter WLAN ACL view
  Command: acl number acl-number
  Remarks: Required
Define a rule for the WLAN ACL
  Command: rule [ rule-id ] { permit | deny } [ ssid ssid-name ]
  Remarks: Required
Quit to system view
  Command: quit
Enter user interface view
  Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
  Remarks: Required. The interface type and quantity supported by this command vary by device model.
Apply the WLAN ACL to control Telnet users by SSIDs of WLAN clients
  Command: acl acl-number inbound
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current access controller. Support for this command depends on the supported interface type.

Controlling Telnet Users by Source IP Addresses


Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999. For information about defining an ACL, see ACL in the ACL and QoS Configuration Guide.
Enter system view
  Command: system-view
  Remarks: Required
Create a basic ACL or enter basic ACL view
  Command: acl [ ipv6 ] number acl-number [ match-order { config | auto } ]
  Remarks: Required. As for the acl number command, the config keyword is specified by default. Support for IPv6 addresses varies by device model.
Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
  Remarks: Required
Quit to system view
  Command: quit
Enter user interface view
  Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
  Remarks: Required. The interface type and quantity supported by this command vary by device model.
Apply the ACL to control Telnet users by source IP addresses
  Command: acl [ ipv6 ] acl-number { inbound | outbound }
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current access controller. The outbound keyword filters the users trying to Telnet to other access controllers from the current access controller. The interface type supported by this command varies by device model. Support for IPv6 addresses depends on the device model.

Controlling Telnet Users by Source and Destination IP Addresses


Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. For information about defining an ACL, see ACL in the ACL and QoS Configuration Guide.
Enter system view
  Command: system-view
  Remarks: Required
Create an advanced ACL or enter advanced ACL view
  Command: acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: Required. As for the acl number command, the config keyword is specified by default. Support for IPv6 addresses varies by device model.
Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } rule-string
  Remarks: Required. You can define rules as needed to filter by specific source and destination IP addresses.
Quit to system view
  Command: quit
Enter user interface view
  Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
  Remarks: Required. The interface type and quantity supported by this command vary by device model.
Apply the ACL to control Telnet users by specified source and destination IP addresses
  Command: acl [ ipv6 ] acl-number { inbound | outbound }
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current access controller. The outbound keyword filters the users trying to Telnet to other access controllers from the current access controller. The interface type supported by this command varies by device model. Support for IPv6 addresses depends on the device model.

Controlling Telnet Users by Source MAC Addresses


Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. For information about defining an ACL, see ACL in the ACL and QoS Configuration Guide.
Enter system view
  Command: system-view
  Remarks: Required
Create a Layer 2 ACL or enter Layer 2 ACL view
  Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: Required. As for the acl number command, the config keyword is specified by default.
Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } rule-string
  Remarks: Required. You can define rules as needed to filter by specific source MAC addresses.
Quit to system view
  Command: quit
Enter user interface view
  Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
  Remarks: Required. The interface type and quantity supported by this command vary by device model.
Apply the ACL to control Telnet users by source MAC addresses
  Command: acl acl-number inbound
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current access controller.

Configuration Example
Network requirements
Only the Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to log in to the access controller.
Figure 13-1 Network diagram for controlling Telnet users using ACLs: Host A (10.110.100.52/24) and Host B (10.110.100.46/24) reach the AC across an IP network.

Configuration procedure
# Define a basic ACL. The final deny rule rejects every source that the two permit rules do not match.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny
[Sysname-acl-basic-2000] quit

# Apply the ACL to VTY 0 through VTY 4 so that only Telnet users sourced from 10.110.100.52 and 10.110.100.46 can access the access controller. Apply it to every VTY user interface the device provides; a VTY user interface without the ACL accepts Telnet connections from any source.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound


Controlling Network Management Users by Source IP Addresses


You can manage an access controller through network management software. Network management users access the access controller through SNMP. You need to perform the following two operations to control network management users by source IP addresses:
Define an ACL.
Apply the ACL to control users accessing the access controller through SNMP.

Prerequisites
The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).

Controlling Network Management Users by Source IP Addresses


Controlling network management users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999. For information about defining an ACL, see ACL in the ACL and QoS Configuration Guide.
Enter system view
  Command: system-view
  Remarks: Required
Create a basic ACL or enter basic ACL view
  Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: Required. As for the acl number command, the config keyword is specified by default.
Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
  Remarks: Required
Quit to system view
  Command: quit
Apply the ACL while configuring the SNMP community name
  Command: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ] *
  Remarks: Required
Apply the ACL while configuring the SNMP group name
  Command: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  Remarks: Required
Apply the ACL while configuring the SNMP user name
  Command: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
  Command: snmp-agent usm-user v3 user-name group-name [ cipher ] [ authentication-mode { md5 | sha } auth-password [ privacy-mode { des56 | aes128 } priv-password ] ] [ acl acl-number ]
  Remarks: Required

You can specify different ACLs while configuring the SNMP community name, the SNMP group name and the SNMP user name. For SNMP-related commands, see SNMP in the Network Management and Monitoring Command Reference.

Because SNMP community name is a feature of SNMPv1 and SNMPv2c, the specified ACLs in the command that configures SNMP community names (the snmp-agent community command) take effect in the network management systems that adopt SNMPv1 or SNMPv2c. Similarly, as SNMP group name and SNMP user name are features of SNMPv2c and the higher SNMP versions, the specified ACLs in the commands that configure SNMP group names (the snmp-agent group command and the snmp-agent group v3 command) and SNMP user names (the snmp-agent usm-user command and the snmp-agent usm-user v3 command) take effect in the network management systems that adopt SNMPv2c or higher SNMP versions. If you configure both the SNMP group name and the SNMP user name and specify ACLs in the two operations, the access controller will filter network management users by both SNMP group name and SNMP user name.

Configuration Example
Network requirements
Only SNMP users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to access the access controller.
Figure 13-2 Network diagram for controlling SNMP users using ACLs: Host A (10.110.100.52/24) and Host B (10.110.100.46/24) reach the AC across an IP network.

Configuration procedure
# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny
[Sysname-acl-basic-2000] quit

# Apply the ACL to only permit SNMP users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 to access the access controller. The community name aaa and the SNMPv2c group and user below are example values; because SNMPv1 and SNMPv2c carry the community name in clear text, the source ACL complements rather than replaces SNMPv3 with authentication-mode and privacy-mode configured on the snmp-agent usm-user v3 command.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
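The following Python script is an added example, not code from this guide or from H3C. It models how the basic ACL 2000 configured in the two examples above (applied with acl 2000 inbound on VTY 0 through 4, and with the acl keyword on the SNMP community, group and user) decides whether a management host's source address is accepted, and it serves both the Telnet example and the SNMP example. It shows the wildcard-mask semantics of the rule command (a 0 bit in the wildcard must equal the rule address, a 1 bit is ignored, so the shorthand 0 is an exact host match and 0.0.0.255 covers a /24) and first-match evaluation in configuration order. The decision when no rule matches is an assumption of this model (permit, selectable through the default parameter); the examples on the page end with an explicit rule 3 deny, so they do not depend on the platform's behaviour in that case. The rule lines and host addresses are constructed from the examples above.

```python
"""Added example, not H3C's code: a model of how a Comware-style basic ACL
(2000-2999) decides whether a Telnet or SNMP source address is accepted.

Wildcard semantics: a 0 bit in the wildcard must equal the rule address,
a 1 bit is ignored, so "source 10.110.100.52 0" is an exact host match and
"source 10.110.100.0 0.0.0.255" matches the whole 10.110.100.0/24.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _to_int(dotted: str) -> int:
    """Dotted IPv4 string to int; the CLI accepts "0" as shorthand for 0.0.0.0."""
    if dotted == "0":
        dotted = "0.0.0.0"
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    source: Optional[int]  # rule address as an int; None means any source
    wildcard: int          # wildcard mask as an int (1 bits are "don't care")

    def matches(self, addr: str) -> bool:
        if self.source is None:
            return True
        care = ~self.wildcard & 0xFFFFFFFF
        return (_to_int(addr) & care) == (self.source & care)


def parse_rule(line: str) -> Rule:
    """Parse one "rule ..." line as typed in basic ACL view on the page."""
    tok = line.split()
    if tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError("not a basic ACL rule: " + line)
    source, wildcard = None, 0
    if len(tok) > 3 and tok[3] == "source" and tok[4] != "any":
        source, wildcard = _to_int(tok[4]), _to_int(tok[5])
    return Rule(int(tok[1]), tok[2], source, wildcard)


def evaluate(rules: List[Rule], addr: str,
             default: str = "permit") -> Tuple[str, Optional[int]]:
    """First matching rule wins, in ascending rule-ID order (match-order config).

    `default` is the decision when no rule matches. Permit is an assumption of
    this model; the page's examples end with an explicit "rule 3 deny", so they
    do not rely on the platform default either way.
    """
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(addr):
            return rule.action, rule.rule_id
    return default, None


def audit(rules: List[Rule], hosts: List[str]) -> Dict[str, str]:
    """Decision for each candidate management host (what a change review checks)."""
    return {h: evaluate(rules, h)[0] for h in hosts}


# Constructed input: ACL 2000 exactly as defined in the examples above.
ACL_2000 = [parse_rule(line) for line in (
    "rule 1 permit source 10.110.100.52 0",
    "rule 2 permit source 10.110.100.46 0",
    "rule 3 deny",
)]

# Constructed variant: the same policy widened to the management /24.
ACL_SUBNET = [parse_rule(line) for line in (
    "rule 1 permit source 10.110.100.0 0.0.0.255",
    "rule 2 deny",
)]

if __name__ == "__main__":
    hosts = ["10.110.100.52", "10.110.100.46", "10.110.100.47", "192.0.2.10"]
    for host in hosts:
        print(host, evaluate(ACL_2000, host), evaluate(ACL_SUBNET, host))
```

Running the script prints the decision for each candidate host against both ACLs. evaluate returns the action together with the ID of the rule that produced it, so a reviewer can confirm that a new management host is accepted by a permit rule and that every other address falls through to the trailing deny before the ACL is pushed to the controller.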


14 File Management

This chapter includes these sections:
Managing Files
Directory Operations
File Operations
Batch Operations
Storage Medium Operations
Setting Prompt Modes
Example for File Operations

Managing Files
Files such as host software and configuration files that are necessary for the operation of the device are saved in the storage media of the device. You can manage files on your device through these operations: Directory Operations, File Operations, Batch Operations, Storage Medium Operations, and Setting Prompt Modes.

Filename Formats
When you specify a file, you must enter the filename in one of the following formats.
Format: file-name
  Description: Specifies a file in the current working directory.
  Length: 1 to 91 characters
  Example: a.cfg indicates a file named a.cfg in the current working directory.
Format: path/file-name
  Description: Specifies a file in the specified folder in the current working directory. path indicates the name of the folder. You can specify multiple folders, indicating a file under a multi-level folder.
  Length: 1 to 135 characters
  Example: test/a.cfg indicates a file named a.cfg in the test folder in the current working directory.
Format: drive:/[path]/file-name
  Description: Specifies a file in the specified storage medium on the device. drive represents the storage medium name, which is usually flash or cf. If there is only one storage medium on the device, you do not need to provide information about the storage medium. If there are multiple storage media on the device, you must provide the related information to identify the storage medium.
  Length: 1 to 135 characters
  Example: flash:/test/a.cfg indicates a file named a.cfg in the test folder in the root directory of the flash memory.


Directory Operations
You can create or remove a directory, display the current working directory, the specified directory, file information, and so on.

Displaying Directory Information
Display directory or file information
  Command: dir [ /all ] [ file-url ]
  Remarks: Required. Available in user view.

Displaying the Current Working Directory
Display the current working directory
  Command: pwd
  Remarks: Required. Available in user view.

Changing the Current Working Directory
Change the current working directory
  Command: cd { directory | .. | / }
  Remarks: Required. Available in user view.

Creating a Directory
Create a directory
  Command: mkdir directory
  Remarks: Required. Available in user view.

Removing a Directory
Remove a directory
  Command: rmdir directory
  Remarks: Required. Available in user view.


The directory to be removed must be empty, meaning that before you remove a directory, you must delete all the files and the subdirectory in this directory. For more information about the delete and rmdir commands, see File Management in the Fundamentals Command Reference. Execution of the rmdir command automatically deletes the files in the recycle bin in the current directory.

File Operations
You can display the specified directory or file information; display file contents; rename, copy, move, remove, restore, and delete files.

You can create a file by copying, downloading or using the save command.

Displaying File Information
Display file or directory information
  Command: dir [ /all ] [ file-url ]
  Remarks: Required. Available in user view.

Displaying the Contents of a File
Display the contents of a file
  Command: more file-url
  Remarks: Required. Currently only a .txt file can be displayed. Available in user view.

Renaming a File
Rename a file
  Command: rename fileurl-source fileurl-dest
  Remarks: Required. Available in user view.


Copying a File
Copy a file
  Command: copy fileurl-source fileurl-dest
  Remarks: Required. Available in user view.

Moving a File
Move a file
  Command: move fileurl-source fileurl-dest
  Remarks: Required. Available in user view.

Deleting a File
Move a file to the recycle bin or delete it permanently
  Command: delete [ /unreserved ] file-url
  Remarks: Required. Available in user view.

The files in the recycle bin still occupy storage space. To delete a file in the recycle bin, execute the reset recycle-bin command in the directory to which the file originally belongs. It is recommended to empty the recycle bin timely with the reset recycle-bin command to save storage space. The delete /unreserved file-url command deletes a file permanently and the action cannot be undone. Execution of this command equals execution of the delete file-url command and then the reset recycle-bin command in the same directory.

Restoring a File from the Recycle Bin
Restore a file from the recycle bin
  Command: undelete file-url
  Remarks: Required. Available in user view.

Emptying the Recycle Bin
Enter the original working directory of the file to be deleted
  Command: cd { directory | .. | / }
  Remarks: Optional. If the original directory of the file to be deleted is not the current working directory, this command is required. Available in user view.
Delete the file in the current directory and in the recycle bin
  Command: reset recycle-bin [ /force ]
  Remarks: Required. Available in user view.

Batch Operations
A batch file is a set of executable commands. Executing a batch file equals executing the commands in the batch file one by one. To execute a batch file:
1) Edit the batch file on your PC.
2) Download the batch file to the device. If the suffix of the file is not .bat, use the rename command to change the suffix to .bat.
3) Execute the batch file.

Follow these steps to execute a batch file:
Enter system view
  Command: system-view
Execute a batch file
  Command: execute filename
  Remarks: Required

Execution of a batch file does not guarantee successful execution of every command in the batch file. If a command has error settings or the conditions for executing the command are not satisfied, the system skips the command to the next one.

Storage Medium Operations


Managing the Space of a Storage Medium
When the space of a storage medium becomes inaccessible due to abnormal operations, you can use the fixdisk command to restore the space of the storage medium. The format command formats the storage medium, and all the data on the storage medium is deleted. Use the following commands to manage the space of a storage medium:
Restore the space of a storage medium
  Command: fixdisk device
  Remarks: Optional. Available in user view.
Format a storage medium
  Command: format device [ FAT16 | FAT32 ]
  Remarks: Optional. Available in user view.


When you format a storage medium, all the files stored on it are erased and cannot be restored. In particular, if there is a startup configuration file on the storage medium, formatting the storage medium results in loss of the startup configuration file.

Mounting/Unmounting a Storage Medium


For a hot swappable storage medium (excluding flash), such as a CF card, you can use the mount and umount commands to mount or unmount it. When a storage medium is connected to a lower version system, the system cannot recognize the storage medium; to perform read and write operations on it, you must mount it. When a storage medium is unmounted, it is in a disconnected state, and you can then remove it from the system safely. Mounting a storage medium reconnects it to the system. Follow one of the steps below to mount or unmount a storage medium:
Mount a storage medium
  Command: mount device
  Remarks: Optional. By default, a storage medium is automatically mounted and in mounted state when connected to the system.
Unmount a storage medium
  Command: umount device
  Remarks: Optional. By default, a storage medium is automatically mounted and in mounted state when connected to the system. Before unplugging a storage medium, unmount it.

When mounting or unmounting a storage medium, or performing file operations on it, do not unplug or switchover the storage medium or the card where the storage medium resides. Otherwise, the file system could be damaged. Before removing a mounted storage medium from the system, unmount it to avoid damaging the storage medium.

Setting Prompt Modes


The system provides the following two prompt modes:
alert: In this mode, the system warns you about operations that may bring undesirable consequences such as file corruption or data loss.
quiet: In this mode, the system does not prompt for confirmation of any operation.
To prevent undesirable consequences resulting from misoperations, the alert mode is preferred.


Enter system view
  Command: system-view
Set the operation prompt mode of the file system
  Command: file prompt { alert | quiet }
  Remarks: Optional. The default is alert.

Example for File Operations


# Display the files and the subdirectories in the current directory.
<Sysname> dir
Directory of flash:/

   0     drw-         -  Feb 16 2006 11:45:36   logfile
   1     -rw-      1218  Feb 16 2006 11:46:19   config.cfg
   2     drw-         -  Feb 16 2006 15:20:27   test
   3     -rw-    184108  Feb 16 2006 15:30:20   aaa.bin

19540 KB total (2521 KB free)

# Create a new folder called mytest in the test directory.

<Sysname> cd test
<Sysname> mkdir mytest
%Created dir flash:/test/mytest.

# Display the current working directory.

<Sysname> pwd
flash:/test

# Display the files and the subdirectories in the test directory.

<Sysname> dir
Directory of flash:/test/

   0     drw-         -  Feb 16 2006 15:28:14   mytest

2540 KB total (2519 KB free)

# Return to the upper directory.

<Sysname> cd ..

# Display the current working directory.

<Sysname> pwd
flash:

15 Configuration File Management

The device provides the configuration file management function. You can manage configuration files at a user-friendly command line interface (CLI). This chapter includes these sections:
Configuration File Overview
Saving the Current Running Configuration
Setting Configuration Rollback
Specifying a Startup Configuration File to Be Used at the Next System Startup
Backing Up the Startup Configuration File
Deleting a Startup Configuration File to Be Used at the Next Startup
Restoring a Startup Configuration File
Displaying and Maintaining Device Configuration

Configuration File Overview


A configuration file saves the device configurations in command lines in text format to ensure that these configurations can be kept when the device restarts or the configurations are rolled back. You can view the configuration information conveniently through configuration files.

Types of Configuration
The device maintains two types of configuration files:
Startup configuration: Configuration used for initialization when the device boots. If this file does not exist, the system boots using null configuration, that is, using the default parameters.
Running configuration: The currently running configuration of the system. The current running configuration may include the startup configuration if the startup configuration is not modified during system operation, and it also includes the new configuration added during system operation. The current running configuration is stored in the temporary storage medium of the device, and is lost if not saved before the device reboots.

Format and Content of a Configuration File


A configuration file is saved as a text file, following these rules:
A configuration file contains commands, and only non-default configuration settings are saved.
Commands in a configuration file are listed in sections by views, usually in the order of system view, interface view, routing protocol view, and user interface view.
Sections are separated with one or multiple blank lines or comment lines that start with a pound sign #.
A configuration file ends with a return.


Coexistence of Multiple Configuration Files


The device can save multiple configuration files on its storage medium. You can save the configurations used in different networking environments as different configuration files. When the device moves between these networking environments, you only need to specify the corresponding configuration file as the startup configuration file to be used at the next startup and restart the device, so that the device adapts to the new network rapidly, saving configuration work. A device starts up using only one configuration file. However, when the device has main and backup configuration files, you can specify two startup configuration files, a main startup configuration file and a backup startup configuration file, to be used at the next startup as needed. The device starts up using the main startup configuration file.

Startup with the Configuration File


The device takes the following steps when it starts up:
1) If you have specified a startup configuration file to be used at the next startup, and this file exists, the device starts up with this startup configuration file.
2) If the specified startup configuration file does not exist, the device starts up with null configuration (the factory default configuration).

Saving the Current Running Configuration


Introduction
To make configuration changes take effect at the next startup of the device, save the running configuration to the startup configuration file to be used at the next startup before the device reboots. Complete these tasks to save the current configuration:
Task: Encrypting a Configuration File. Remarks: Optional.
Task: Modes in Saving the Configuration. Remarks: Required.

Encrypting a Configuration File

Support for this feature depends on the device model.

Configuration file encryption enables you to encrypt a configuration file before saving it with the save command. To read the encrypted configuration file, you must decrypt it with a valid key, which protects the configuration file. Two kinds of keys are supported for encrypting a configuration file; select either according to your application environment:
Private key: A configuration file encrypted with this kind of key can be decrypted and recognized only by the local device.
Public key: A configuration file encrypted with this kind of key can be decrypted and recognized by all devices supporting this feature.
Follow the steps below to enable configuration file encryption:
To do: Enter system view
Use the command: system-view

To do: Enable configuration file encryption
Use the command: configuration encrypt { private-key | public-key }
Remarks: Optional. Disabled by default, that is, the current valid configurations are saved directly to the configuration file.

On a device that supports this feature, use the display saved-configuration command rather than the more command to view an encrypted configuration file, because more cannot decrypt the file and reports an operation failure or displays garbled characters.

Modes in Saving the Configuration


Fast saving mode: This is the mode used when you enter the save command without the safely keyword. This mode saves the file more quickly but is likely to lose the existing configuration file if the device reboots or the power fails during the process.
Safe mode: This is the mode used when you enter the save command with the safely keyword. This mode saves the file more slowly but retains the configuration file on the device even if the device reboots or the power fails during the process.
The fast saving mode is suitable for environments where the power supply is stable. The safe mode is preferred in environments where a stable power supply is unavailable or remote maintenance is involved. Follow the steps below to save the current configuration:
To do: Save the current configuration to the specified file, without setting that file as the startup configuration file for the next startup
Use the command: save file-url
Remarks: Required. Use either command. Available in any view.

To do: Save the current configuration to the root directory of the storage medium and specify the file as the startup configuration file to be used at the next system startup
Use the command: save [ safely ]
Remarks: Required. Use either command. Available in any view.

The configuration file must have the extension .cfg. During execution of the save [ safely ] command, the startup configuration file to be used at the next system startup may be lost if the device reboots or the power supply fails. In this case, the device boots with the null configuration, and after the device reboots you need to re-specify a startup configuration file for the next system startup (see Specifying a Startup Configuration File to Be Used at the Next System Startup).
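The difference between the two saving modes is easiest to see by reproducing the failure the guide warns about. The following script is an added example, not code from the H3C guide or from Comware: the guide does not say how the device implements save safely, so the script assumes the common write-temporary-file-then-rename technique for the safe mode and an in-place rewrite for the fast mode, injects a failure part-way through the write to stand in for a reboot or power loss, and shows which startup file each mode leaves behind. The two configurations are constructed and are written to a temporary directory.

```python
"""Added example (not code from the H3C guide or from Comware): why the
fast and safe saving modes behave differently when the device loses power
during `save`. The guide does not say how `save safely` is implemented; this
script assumes the write-temporary-file-then-rename pattern for the safe
mode and an in-place rewrite for the fast mode, and injects a failure after
a few bytes to stand in for a reboot or power loss. The configurations are
constructed and written to a temporary directory."""

import os
import tempfile

OLD_CONFIG = b"#\n sysname AC-old\n#\nreturn\n"                        # constructed
NEW_CONFIG = b"#\n sysname AC-new\n protocol inbound ssh\n#\nreturn\n"  # constructed


class PowerFailure(Exception):
    """Raised part-way through a write to simulate a reboot or power loss."""


def _write(fh, data, fail_after):
    """Write data to fh; if fail_after is set, stop after that many bytes."""
    if fail_after is None:
        fh.write(data)
        return
    fh.write(data[:fail_after])
    fh.flush()
    raise PowerFailure()


def save_fast(path, data, fail_after=None):
    """Fast mode model: truncate the startup file and rewrite it in place.
    The old contents are gone as soon as the file is opened, so a failure
    mid-write leaves a truncated, unusable configuration file."""
    with open(path, "wb") as fh:
        _write(fh, data, fail_after)


def save_safely(path, data, fail_after=None):
    """Safe mode model (assumed technique): write a temporary file, flush it
    to stable storage, then rename it over the old file. The old file is
    untouched until the rename, which replaces it in one step, so a failure
    at any point leaves either the old or the complete new configuration."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        _write(fh, data, fail_after)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)


def simulate(mode, fail_after=8):
    """Save NEW_CONFIG over OLD_CONFIG in the given mode ("fast" or
    "safely"), losing power after fail_after bytes (None = no failure).
    Returns the bytes the startup file holds when the device comes back."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "startup.cfg")
        with open(path, "wb") as fh:
            fh.write(OLD_CONFIG)
        saver = save_fast if mode == "fast" else save_safely
        try:
            saver(path, NEW_CONFIG, fail_after)
        except PowerFailure:
            pass                       # the device rebooted at this point
        with open(path, "rb") as fh:
            return fh.read()


if __name__ == "__main__":
    for mode in ("fast", "safely"):
        print("%-6s -> %r" % (mode, simulate(mode)))
```

With the failure injected, the fast path leaves only the first eight bytes of the new file, which is exactly the situation in which the device boots with the null configuration and must be given a startup file again; the safe path still holds the complete old configuration. Without a failure both paths produce the new file.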

Setting Configuration Rollback


Configuration Rollback
Configuration rollback allows you to revert to a previous configuration state based on a specified configuration file. The specified configuration file must be a valid .cfg file generated by the backup function (manually or automatically) or by the save command; if a configuration file is generated by another device, it must comply with the configuration file format of the current device. You are recommended to use a configuration file generated by the backup function (manually or automatically). Configuration rollback can be applied in these situations:
Running configuration error: the running configuration must be rolled back to a correct one.
The application environment has changed and the device has to run in a configuration state based on a previous configuration file without being rebooted.
Before setting configuration rollback:
1) Specify the filename prefix and path for saving the running configuration.
2) Save the running configuration with the specified filename (filename prefix + serial number) to the specified path. The running configuration can be saved automatically or manually.
When you enter the configuration replace file command, the system compares the current running configuration and the specified replacement configuration file. The configuration replace file command:
Preserves all commands present in both the replacement configuration file and the current running configuration.
Removes commands from the current running configuration that are not present in the replacement configuration file.
Applies the commands from the replacement configuration file that are not present in the current running configuration.
Applies the commands from the replacement configuration file that have different configurations in the current running configuration.
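The four rules above, together with the configuration file format described under Format and Content of a Configuration File, are enough to compute what a rollback will do before you run it. The following script is an added example and is not code from the H3C guide or from Comware: it parses two configuration files in the guide's format (commands grouped by view, sections separated by # lines, ending with return) and applies the four rules to produce the keep, remove and apply lists that configuration replace file works through. The two sample configurations are constructed, and TWO_WORD_COMMANDS is an assumption used to separate a command's keyword from its settings, since the real device knows the full command syntax and this script does not.

```python
"""Added example, not code from the H3C guide or from Comware: a model of what
`configuration replace file` computes when rolling back to a saved .cfg file.
The parser follows the file format the guide describes (commands grouped by
view, sections separated by `#` lines, ending with `return`). The two sample
configurations are constructed; TWO_WORD_COMMANDS is an assumption used to
tell a command's keyword from its settings."""

from collections import OrderedDict

# Constructed sample: the configuration currently running on the device.
RUNNING_CFG = """\
#
 sysname AC-old
 clock timezone CST add 08:00:00
#
interface Vlan-interface1
 ip address 192.168.1.10 255.255.255.0
 description uplink
#
user-interface vty 0 4
 authentication-mode scheme
 idle-timeout 10 0
#
return
"""

# Constructed sample: a file saved earlier with `archive configuration`.
REPLACEMENT_CFG = """\
#
 sysname AC-new
 clock timezone CST add 08:00:00
#
interface Vlan-interface1
 ip address 192.168.1.10 255.255.255.0
#
user-interface vty 0 4
 authentication-mode scheme
 idle-timeout 5 0
 protocol inbound ssh
#
return
"""

# Assumption: command keywords that span two words. Everything after the
# keyword is the setting that may differ between the two files.
TWO_WORD_COMMANDS = {"ip", "clock", "protocol"}


def parse_config(text):
    """Return an ordered mapping view-name -> list of command lines.

    A `#` line separates sections. A non-indented line names the view the
    following indented commands belong to; indented lines before any view
    line are system-view settings. `return` terminates the file.
    """
    views = OrderedDict([("system", [])])
    current = "system"
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#") or raw.strip() == "return":
            continue
        if raw[0] != " ":                 # view-entering command
            current = raw.strip()
            views.setdefault(current, [])
        else:                             # command configured in that view
            views[current].append(raw.strip())
    return views


def command_key(command):
    """Keyword part of a command, used to match old and new settings.
    (Simplification: one setting per keyword per view.)"""
    words = command.split()
    n = 2 if words[0] in TWO_WORD_COMMANDS else 1
    return " ".join(words[:n])


def rollback_plan(running_text, replacement_text):
    """Apply the four rules of `configuration replace file`.

    Returns {"keep": [...], "remove": [...], "apply": [...]}, each item a
    (view, command) pair. `remove` entries are the `undo` form of the old
    command, which is where a real rollback can fail when that form does
    not exist or the setting is hardware-related.
    """
    running = parse_config(running_text)
    replacement = parse_config(replacement_text)
    plan = {"keep": [], "remove": [], "apply": []}
    # Views in running-configuration order, then views only in the file.
    views = list(running) + [v for v in replacement if v not in running]
    for view in views:
        old = OrderedDict((command_key(c), c) for c in running.get(view, []))
        new = OrderedDict((command_key(c), c) for c in replacement.get(view, []))
        for key, cmd in old.items():
            if key not in new:                       # rule 2: only in running
                plan["remove"].append((view, "undo " + key))
            elif new[key] == cmd:                    # rule 1: present in both
                plan["keep"].append((view, cmd))
            else:                                    # rule 4: setting differs
                plan["apply"].append((view, new[key]))
        for key, cmd in new.items():
            if key not in old:                       # rule 3: only in the file
                plan["apply"].append((view, cmd))
    return plan


def render_plan(plan):
    """Commands the device executes for the rollback, grouped by view.
    Settings that are kept are not re-entered."""
    by_view = OrderedDict()
    for view, cmd in plan["remove"] + plan["apply"]:
        by_view.setdefault(view, []).append(" " + cmd)
    out = []
    for view, cmds in by_view.items():
        if view != "system":
            out.append(view)
        out.extend(cmds + ["#"])
    return "\n".join(out)


if __name__ == "__main__":
    print(render_plan(rollback_plan(RUNNING_CFG, REPLACEMENT_CFG)))
```

For the constructed files the plan keeps the clock, IP address and authentication-mode settings, removes the interface description with undo description, and applies the new sysname, the shorter idle-timeout and the protocol inbound ssh restriction. Reviewing the remove list before rolling back is the practical check: it is the part the guide says may be skipped when a command has no usable undo form.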

Configuration Task List


Complete these tasks to configure configuration rollback:
Task: Configuring Parameters for Saving the Current Running Configuration. Remarks: Required.
Task: Enabling Automatic Saving of the Running Configuration. Remarks: Required; use either approach.
Task: Manually Saving the Current Running Configuration. Remarks: Required; use either approach.
Task: Setting Configuration Rollback. Remarks: Required.

Configuring Parameters for Saving the Current Running Configuration


Before the current running configuration is saved manually or automatically, the file path and filename prefix must be configured. After that, the system saves the current running configuration with the specified filename (filename prefix_serial number.cfg) to the specified path. The filename of a saved configuration file looks like 20080620archive_1.cfg or 20080620archive_2.cfg. The saved configuration files are numbered automatically from 1 to 1,000 (with an increment of 1). If the serial number reaches 1,000, it restarts from 1.
If you change the path or filename prefix, or reboot the device, the saved file serial number restarts from 1, and the system recounts the saved configuration files.
If you change the path of the saved configuration files, the files in the original path become common configuration files: they are no longer processed as saved configuration files and are not displayed when you view saved configuration files.
The number of saved configuration files has an upper limit. After the maximum number of files has been saved, the system deletes the oldest file when the next configuration file is saved.
Follow these steps to configure parameters for saving the current running configuration:
To do: Enter system view
Use the command: system-view

To do: Configure the path and filename prefix for saving configuration files
Use the command: archive configuration location directory filename-prefix filename-prefix
Remarks: Required. By default, the path and filename prefix for saving configuration files are not configured, and the system does not save the configuration file at a specified interval.

To do: Set the maximum number of configuration files that can be saved
Use the command: archive configuration max file-number
Remarks: Optional. The default number is 5.

If the undo archive configuration location command is executed, the current running configuration can be saved neither manually nor automatically, the settings made with the archive configuration interval and archive configuration max commands are restored to their defaults, and the saved configuration files are cleared. The value of the file-number argument is limited by the available memory space. You are recommended to set a comparatively small value for the file-number argument if the available memory space is small.
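The naming, wrap-around and rotation rules above determine which saved files are still available for rollback at any moment. The following script is an added example, not code from the H3C guide or from Comware: it models the archive function as the guide states it (filename prefix_serial.cfg, serials 1 to 1,000 then restarting from 1, the oldest file deleted once the maximum is reached, the serial restarting from 1 when the path or prefix changes, files in the old path no longer treated as saved configuration files, and undo archive configuration location clearing the saved files). An in-memory dict stands in for the flash or CF file system, and the paths and prefixes used are constructed.

```python
"""Added example, not code from the H3C guide or from Comware: a model of how
the archive function names and rotates saved configuration files, following
the rules the guide states. An in-memory dict stands in for the storage
medium; paths and prefixes are constructed."""

from collections import OrderedDict

MAX_SERIAL = 1000          # serial numbers run 1..1000 and then restart at 1
DEFAULT_MAX_FILES = 5      # default of `archive configuration max`


class ArchiveStore:
    """Tracks the archive location, the serial counter and the saved files."""

    def __init__(self):
        self.fs = OrderedDict()      # path -> configuration text (the "flash")
        self.location = None         # (directory, prefix) or None
        self.max_files = DEFAULT_MAX_FILES
        self.serial = 0              # last serial number used
        self.archives = []           # saved-configuration paths, oldest first

    def set_location(self, directory, prefix):
        """`archive configuration location directory filename-prefix prefix`.
        Changing the path or prefix restarts the serial at 1; files under the
        old path stay on the medium but are no longer saved configuration files."""
        self.location = (directory.rstrip("/"), prefix)
        self.serial = 0
        self.archives = []

    def undo_location(self):
        """`undo archive configuration location`: saving is disabled, the
        maximum returns to its default and the saved files are cleared."""
        for path in self.archives:
            self.fs.pop(path, None)
        self.location = None
        self.archives = []
        self.max_files = DEFAULT_MAX_FILES
        self.serial = 0

    def set_max(self, file_number):
        """`archive configuration max file-number` (takes effect at the next save)."""
        self.max_files = file_number

    def save(self, running_config):
        """`archive configuration`, or one automatic save. Returns the new
        file's path, or None when no location is configured (the guide says
        the operation fails in that case)."""
        if self.location is None:
            return None
        directory, prefix = self.location
        self.serial = self.serial % MAX_SERIAL + 1        # 1..1000, wrapping
        path = "%s/%s_%d.cfg" % (directory, prefix, self.serial)
        self.fs[path] = running_config
        self.archives.append(path)
        while len(self.archives) > self.max_files:        # drop the oldest
            del self.fs[self.archives.pop(0)]
        return path


if __name__ == "__main__":
    store = ArchiveStore()
    store.set_location("flash:/archive", "20080620archive")
    for n in range(7):
        print(store.save("# running configuration %d" % n))
    print("kept:", store.archives)
```

With the default maximum of 5, the seventh save leaves files 3 to 7 on the medium and the first two deleted; setting the serial to 1,000 and saving again produces prefix_1.cfg, so the rollback candidates listed by display archive configuration are not necessarily in serial order.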


Enabling Automatic Saving of the Running Configuration


You can configure the system to save the current running configuration at a specified interval, and use the display archive configuration command to view the filenames and save times of the saved configuration files, so that you can roll back the current configuration to a previous configuration state. Configure the automatic saving interval according to the storage medium performance and the frequency of configuration changes:
If the configuration of the device does not change frequently, manually save the current running configuration as needed.
If a low-speed storage medium (such as flash) is used, save the current running configuration manually, or configure automatic saving with an interval longer than 1,440 minutes (24 hours).
If a high-speed storage medium (such as a CF card) is used and the configuration of the device changes frequently, set a shorter saving interval.
Follow these steps to enable automatic saving of the current running configuration:
To do: Enter system view
Use the command: system-view

To do: Enable automatic saving of the current running configuration, and set the interval
Use the command: archive configuration interval minutes
Remarks: Optional. Disabled by default.

The path and filename prefix for saving configuration files must be specified before you configure the automatic saving period.

Manually Saving the Current Running Configuration


Automatic saving of the current running configuration occupies system resources, and frequent saving greatly affects system performance. Therefore, if the system configuration does not change frequently, you are recommended to disable the automatic saving of the current running configuration and save it manually. Before performing complicated configuration, you can manually save the current running configuration so that the device can revert to the previous state when the configuration fails. Follow the step below to manually save the current running configuration:
To do: Manually save the current running configuration
Use the command: archive configuration
Remarks: Required. Available in user view.


Specify the path and filename prefix of the saved configuration files before you manually save the current running configuration; otherwise, the operation fails.

Setting Configuration Rollback


Follow these steps to set configuration rollback:
To do: Enter system view
Use the command: system-view

To do: Set configuration rollback
Use the command: configuration replace file filename
Remarks: Required.

Do not unplug or plug a card during configuration rollback (that is, while the system is executing the configuration replace file command). In addition, configuration rollback may fail in any of the following situations (if a command cannot be rolled back, the system skips it and processes the next one):
The complete undo form of a command is not supported; that is, you cannot get the actual undo form of the command by simply putting the keyword undo in front of the command, so the device cannot recognize the complete undo form of the command.
The configuration cannot be removed, for example, hardware-related commands.
Commands in different views depend on each other.
If the replacement configuration file is not a complete file generated by the save or archive configuration command, or the file is copied from a different type of device, the configuration cannot be rolled back. Ensure that the replacement configuration file is correct and compatible with the current device.

Specifying a Startup Configuration File to Be Used at the Next System Startup


To specify a startup configuration file to be used at the next system startup, use either of these methods:
Use the save command. If you save the running configuration to the specified configuration file in interactive mode, the system automatically sets the file as the startup configuration file to be used at the next system startup.
Use the dedicated command for specifying a startup configuration file to be used at the next startup, which is described in the following table.
Follow the step below to specify a startup configuration file to be used at the next startup (centralized device):

To do: Specify a startup configuration file to be used at the next startup
Use the command: startup saved-configuration cfgfile
Remarks: Required. Available in user view.

A configuration file must use .cfg as its extension name and the startup configuration file must be saved in the root directory of the storage medium.

Backing Up the Startup Configuration File


The backup function allows you to copy the startup configuration file to be used at the next startup from the device to the TFTP server. Follow the step below to back up the startup configuration file to be used at the next startup:
To do: Back up the startup configuration file to be used at the next startup to the specified TFTP server
Use the command: backup startup-configuration to dest-addr [ dest-filename ]
Remarks: Required. Available in user view.

Before the backup operation:
Ensure that the server is reachable and enabled with the TFTP service, and that the client has read and write permission.
Use the display startup command (in user view) to check whether you have specified a startup configuration file to be used at the next startup, and use the dir command to check whether the specified startup configuration file exists. If the file is set as NULL or does not exist, the backup operation fails.

Deleting a Startup Configuration File to Be Used at the Next Startup


You can delete a startup configuration file to be used at the next startup at the CLI. You may need to do so for one of these reasons:
After you upgrade the system software, the existing startup configuration files do not match the new system software.
The startup configuration files are corrupted (often caused by loading a wrong configuration file).
With the startup configuration files deleted, the device uses null configuration at the next startup. Follow the step below to delete a startup configuration file to be used at the next startup:

To do: Delete a startup configuration file to be used at the next startup from the storage medium
Use the command: reset saved-configuration
Remarks: Required. Available in user view.

This command permanently deletes startup configuration files to be used at the next startup from the device. Use it with caution.

Restoring a Startup Configuration File


The restore function allows you to copy a configuration file from a TFTP server to the device and specify the file as the startup configuration file to be used at the next startup. Follow the step below to restore a startup configuration file to be used at the next startup:
To do: Restore a startup configuration file to be used at the next startup
Use the command: restore startup-configuration from src-addr src-filename
Remarks: Required. Available in user view.

Before restoring a configuration file, ensure that the server is reachable and enabled with the TFTP service, and that the client has read and write permission. After the command executes, use the display startup command (in user view) to verify that the filename of the configuration file to be used at the next system startup is the same as that specified by the src-filename argument, and use the dir command to check whether the specified startup configuration file exists.

Displaying and Maintaining Device Configuration


To do: Display information about configuration rollback
Use the command: display archive configuration
Remarks: Available in any view.

To do: Display the configuration file saved on the storage medium of the device
Use the command: display saved-configuration [ by-linenum ]
Remarks: Available in any view.

To do: Display the configuration files used at this and the next system startup
Use the command: display startup
Remarks: Available in any view.

To do: Display the validated configuration in the current view
Use the command: display this [ by-linenum ]
Remarks: Available in any view.

To do: Display the current configuration
Use the command: display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | include | exclude } text ] ]
Remarks: Available in any view.

For more information about the display this and display current-configuration commands, see Basic System Configuration in the Fundamentals Command Reference.


16 Device Management

This chapter includes these sections:
Device Management Overview
Device Management Configuration Task List
Registering the Software
Rebooting the AC
Configuring the Scheduled Automatic Execution Function
Upgrading AC Software
Configuring Temperature Alarm Thresholds for a Board
Clearing the 16-bit Interface Indexes Not Used in the Current System
Displaying and Maintaining Device Management Configuration
Device Management Configuration Examples

There are many types of storage media, such as flash memory, compact flash (CF), universal serial bus (USB), and hard disk. Different devices support different types of storage media. Flash memory is used as the example in this document.

Device Management Overview


Through the device management function, you can view the current working state of an AC, configure running parameters, and perform daily maintenance and management.

Device Management Configuration Task List


Complete these tasks to configure device management:
Task: Registering the Software. Remarks: Required.
Task: Rebooting the AC. Remarks: Optional.
Task: Configuring the Scheduled Automatic Execution Function. Remarks: Optional.
Task: Upgrading AC Software. Remarks: Optional.
Task: Configuring Temperature Alarm Thresholds for a Board. Remarks: Optional.
Task: Clearing the 16-bit Interface Indexes Not Used in the Current System. Remarks: Optional.

Registering the Software


A license is provided on the AC to protect the legal rights of authorized users. You enter the license key and activation key to confirm the validity of a license. With this function, you can control the number of access points (APs) that can log in. You can add a valid license by using commands; a wrong license key or activation key causes the adding operation to fail. The license also controls the number of login APs: if the number of login APs on a board has reached the maximum, you cannot add a new license for it. Follow the step below to register the software:
To do: Add a license
Use the command: license append license-key activation-key
Remarks: Required. Available in system view. After adding the license successfully, you need to reboot the AC to make the license take effect.

Support for license depends on your AC model.

Rebooting the AC
When a fault occurs on a running AC, you can clear the fault by rebooting the AC, depending on the situation. You can reboot an AC in any of the following three ways:
Power the AC off and on again, also called hard reboot or cold start. This method impacts the AC heavily: powering off a running AC can cause data loss and hardware damage. It is not recommended.
Trigger an immediate reboot through the command line.
Enable the scheduled reboot function through the command line. You can set a time at which the AC automatically reboots, or set a delay after which the AC automatically reboots.
The last two methods are command line operations. Reboot through the command line is also called hot start, and is mainly used to reboot an AC during remote maintenance without performing a hardware reboot. Follow the step below to reboot an AC immediately through the command line:
To do: Reboot the whole system immediately
Use the command: reboot
Remarks: Required. Available in user view.

Follow these steps to reboot an AC at a scheduled time through the command line:

To do: Enable the scheduled reboot function and specify a specific reboot time and date
Use the command: schedule reboot at hh:mm [ date ]
Remarks: Required. Use either approach. The scheduled reboot function is disabled by default. Available in user view.

To do: Enable the scheduled reboot function and specify a reboot waiting time
Use the command: schedule reboot delay { hh:mm | mm }
Remarks: Required. Use either approach. The scheduled reboot function is disabled by default. Available in user view.

An AC reboot may interrupt ongoing services. Use these commands with caution.
Before the AC reboots, use the save command to save the current configuration. For more information about the save command, see File System Management in the Fundamentals Command Reference.
Before the AC reboots, use the display startup and display boot-loader commands to check whether the configuration file and boot file for the next boot are configured. For more information about the display startup command, see File System Management in the Fundamentals Command Reference.
The precision of the rebooting timer is 1 minute. One minute before the rebooting time, the AC prompts REBOOT IN ONE MINUTE and reboots one minute later.
If the main boot file fails or does not exist, the AC cannot be rebooted with the reboot command. In this case, re-specify a main boot file and reboot the AC, or power the AC off and on so that the system automatically uses the backup boot file to restart the AC.
If you are performing file operations when the AC is due to reboot, the system does not execute the reboot command, for the sake of safety.

Configuring the Scheduled Automatic Execution Function


The scheduled automatic execution function means that the system automatically executes a specified command at a specified time in a specified view. This function is used for scheduled system upgrade or configuration. Follow these steps to configure the scheduled automatic execution function:
To do: Enter system view
Use the command: system-view

To do: Create a scheduled task and enter job view, or enter this view directly if the task already exists
Use the command: job job-name
Remarks: Required. No scheduled task is created by default.

To do: Specify the view in which the task is executed
Use the command: view view-name
Remarks: Required. By default, no view is specified for executing the scheduled task.

To do: Bind the execution time with the commands in the task, that is, configure the time to execute the commands in the task
Use the command (any of the following):
time timeID at time1 date command command
time timeID { one-off | repeating } at time1 [ month-date month-day | week-day week-daylist ] command command
time timeID { one-off | repeating } delay time2 command command
Remarks: Required. Use any of the commands.

Only one view can be specified for a task; that is, all commands in the task are executed in the same specified view. If different views are specified by executing the view view-name command repeatedly, only the last configuration takes effect.
The view must be currently supported by the system, and its name must be specified in its complete form, not an abbreviation. The most commonly used view names include monitor for user view, system for system view, and Vlan-interfacex for VLAN interface view.
timeID uniquely identifies the binding between a command and its execution time. A scheduled task can contain up to ten commands.
The command specified by the command command argument must be a command that can be executed in the view specified by the view view-name command; otherwise, the command cannot be executed automatically. Therefore, ensure the correctness of the configuration.

Upgrading AC Software
AC Software Overview
AC software consists of the Boot ROM program and the system boot file. After the AC is powered on, the AC runs the Boot ROM program, initializes the hardware, and displays the hardware information. Then the AC runs the boot file. The boot file provides drivers and adaption for hardware, and implements service features. The Boot ROM program and system boot file are required for the startup and running of an AC. Figure 16-1 illustrates their relationship.


Figure 16-1 Relationship between the Boot ROM program and the system boot file
(Flow chart: Start; the Boot ROM program runs; if Ctrl+B is pressed, the Boot ROM menu is entered to upgrade the Boot ROM program or the boot file, after which the Reboot option reboots the device; if not, the boot file runs, the CLI is entered, and the startup finishes.)

The Boot ROM program and system boot file can both be upgraded through the Boot ROM menu or command lines. The following sections describe the upgrading through command lines. For instructions about how to upgrade them through the Boot ROM menu, see the installation guide of your AC.

Upgrading the Boot ROM Program Through Command Lines


Follow these steps to upgrade the Boot ROM program:
1) Copy the Boot ROM program to the root directory of the AC's storage medium using FTP or TFTP.
2) Use a command to specify the Boot ROM program for the next boot.
3) Reboot the AC to make the specified Boot ROM program take effect.

Follow the step below to upgrade the Boot ROM program:


To do: Read, restore, back up, or upgrade the Boot ROM program on the AC
Use the command: bootrom { read | restore | backup | update file file-url } [ all | part ]
Remarks: Required. All contents of the Boot ROM file are operated on if neither the all nor the part keyword is specified. Available in user view.

You must save the Boot ROM file under the root directory of the AC. You can copy or move a file to change its path to the root directory.


Upgrading the Boot File Through Command Lines


Follow these steps to upgrade the boot file:
1) Save the boot file to the root directory of the AC's storage medium using FTP, TFTP, or another approach.
2) Use a command to specify the boot file for the next boot of the AC.
3) Reboot the AC to make the boot file take effect.

When multiple boot files are available on the storage medium, you can specify the file for the next boot by executing the following command. The main boot file is used to boot the AC, and the backup boot file is used to boot the AC only when the main boot file is unavailable. Follow the step below to specify a boot file for the next boot:
To do: Specify a boot file for the next boot
Use the command: boot-loader file file-url { main | backup }
Remarks: Required. Available in user view.

You must save the file for the next boot under the root directory of the AC. You can copy or move a file to change its path to the root directory.

Configuring Temperature Alarm Thresholds for a Board


You can set temperature alarm thresholds for a board by using the following command. When the temperature of a board exceeds the threshold, the AC will generate alarm signals. Follow these steps to configure temperature alarm thresholds for a board:
To do: Enter system view
Use the command: system-view

To do: Configure temperature alarm thresholds for a board
Use the command: temperature-limit slot-number lower-value upper-value
Remarks: Optional. The default temperature alarm thresholds for a board vary by AC model.

Clearing the 16-bit Interface Indexes Not Used in the Current System
In practical networks, the network management software requires the AC to provide a uniform, stable 16-bit interface index. That is, a one-to-one relationship should be kept between the interface name and the interface index on the same AC. To keep interface indexes stable, the system saves the 16-bit interface index when a board or logical interface is removed. If you repeatedly insert and remove different subcards or interface boards, or create and delete a large number of logical interfaces, the interface indexes will be used up, which results in interface creation failures. To avoid this, you can clear all 16-bit interface indexes saved but not used in the current system in user view. After this operation:
For a re-created interface, the new interface index may not be consistent with the original one.
For existing interfaces, the interface indexes remain unchanged.
Follow the step below to clear the 16-bit interface indexes not used in the current system:
- Clear the 16-bit interface indexes saved but not used in the current system: reset unused porttag (required; available in user view)

A confirmation is required when you execute this command. If you fail to make a confirmation within 30 seconds or enter N to cancel the operation, the command will not be executed.

Displaying and Maintaining Device Management Configuration


Follow these steps to display and maintain device management configuration:
- Display information of the boot file: display boot-loader
- Display the statistics of the CPU usage: display cpu-usage [ entry-number [ offset ] [ verbose ] [ from-device ] ]
- Display history statistics of the CPU usage in a chart: display cpu-usage history [ task task-id ]
- Display information about a card, subcard, CF card, USB device or other hardware on the AC: display device [ cf-card | usb ] [ subslot subslot-number | verbose ]
- Display electrical label information of the AC: display device manuinfo
- Display the serial number and checksum of the AC: display device serial-number
- Display the temperature information of the AC: display environment [ cpu ]
- Display the operating state of the fans of the AC: display fan [ fan-id ]
- Display the software registration information: display license
- Display the memory usage of the AC: display memory
- Display the power state of the AC: display power [ power-id ]
- Display the state of the redundant power system (RPS): display rps [ rps-id ]
- Display the reboot type of the AC: display reboot-type
- Display the scheduled reboot time of the AC: display schedule reboot
- Display detailed information of the scheduled task: display job [ job-name ]

All of these commands are available in any view.

Support for the display rps command depends on your AC model.

Device Management Configuration Examples


Remote Scheduled Automatic Upgrade Configuration Example
Network requirement
The AC currently runs software version soft-version1. Upgrade the AC to software version soft-version2 and to configuration file new-config through remote operations, at a time when few services are processed (for example, at 3 am). The newest application soft-version2.bin and the newest configuration file new-config.cfg are both saved under the aaa directory of the FTP Server. The IP address of the AC is 1.1.1.1/24, the IP address of the FTP Server is 2.2.2.2/24, and the FTP Server is reachable from the AC. User can log in to the AC via Telnet, and a route exists between User and the AC.

Figure 16-2 Network diagram for remote scheduled automatic upgrade

Configuration procedure
1) Configuration on FTP Server (note that the configuration may vary with the type of server)

Set the access parameters for the FTP client.

# Enable the FTP server.
<FTP-Server> system-view
[FTP-Server] ftp server enable

# Set the FTP username to aaa and the password to hello.
[FTP-Server] local-user aaa
[FTP-Server-luser-aaa] password cipher hello

# Give the user access to the aaa directory.
[FTP-Server-luser-aaa] service-type ftp
[FTP-Server-luser-aaa] authorization-attribute work-directory flash:/aaa

Use a text editor on the FTP server to create the batch file auto-update.txt with the following content:
return
startup saved-configuration new-config.cfg
boot-loader file soft-version2.bin main
reboot

2) Configuration on the AC

# Log in to the FTP server (note that the prompts may vary with the server).
<AC> ftp 2.2.2.2
Trying 2.2.2.2 ...
Press CTRL+K to abort
Connected to 2.2.2.2.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(2.2.2.2:(none)):aaa
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]

# Download file auto-update.txt from the FTP server.
[ftp] ascii
[ftp] get auto-update.txt

# Download file new-config.cfg from the FTP server.
[ftp] get new-config.cfg

# Download file soft-version2.bin from the FTP server.
[ftp] binary
[ftp] get soft-version2.bin
[ftp] bye
<AC>

# Change the extension of file auto-update.txt to .bat.
<AC> rename auto-update.txt auto-update.bat

To make sure the file is correct, use the more command to view its content before scheduling it.

# Configure a scheduled job so that the AC executes the batch file, and is thereby upgraded, at 3 am.
<AC> system-view
[AC] job autoupdate
[AC-job-autoupdate] view monitor
[AC-job-autoupdate] time 1 one-off at 03:00 command execute auto-update.bat

After the AC reboots, use the display version command to check if the upgrade is successful.
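The batch file is fetched over FTP, which gives no integrity protection, and is then executed unattended with full privilege, so its content should be checked before the job is scheduled, as the guide suggests with the more command. The following Python script is an added example, not part of the H3C guide, that automates that check: it accepts only the four commands the batch above is expected to contain, verifies that every file the batch references is present in the AC's root directory, and checks that boot-loader runs before reboot. The batch text and the directory listing it checks are constructed for the example.

```python
"""Added example (not from the H3C guide): check an auto-update batch file that
was fetched over FTP before scheduling it for unattended execution."""
import re

# The only commands the scheduled batch is expected to contain; file arguments
# are captured so they can be checked against the root directory listing.
ALLOWED = [
    re.compile(r"^return$"),
    re.compile(r"^startup saved-configuration (\S+\.cfg)$"),
    re.compile(r"^boot-loader file (\S+\.bin) (?:main|backup)$"),
    re.compile(r"^reboot$"),
]

# Constructed sample input: the batch from the guide, as downloaded.
GOOD_BATCH = """\
return
startup saved-configuration new-config.cfg
boot-loader file soft-version2.bin main
reboot
"""

# Constructed sample input: the same file with one line inserted, as a tampered
# download would look.
TAMPERED_BATCH = GOOD_BATCH.replace("reboot", "local-user backdoor\nreboot")

# Constructed listing of the AC's root directory after the downloads.
ROOT_DIR = {"auto-update.bat", "new-config.cfg", "soft-version2.bin"}


def check_batch(text, root_dir_files):
    """Return a list of problems; an empty list means the batch is safe to schedule."""
    problems, referenced = [], []
    cmds = [line.strip() for line in text.splitlines() if line.strip()]
    for n, cmd in enumerate(cmds, 1):
        match = next((p.match(cmd) for p in ALLOWED if p.match(cmd)), None)
        if match is None:
            problems.append(f"line {n}: command not in the allow list: {cmd!r}")
            continue
        referenced.extend(match.groups())
    for f in referenced:
        if f not in root_dir_files:
            problems.append(f"referenced file {f} is not in the root directory")
    keywords = [c.split()[0] for c in cmds]
    if ("reboot" in keywords and "boot-loader" in keywords
            and keywords.index("reboot") < keywords.index("boot-loader")):
        problems.append("reboot precedes boot-loader: the new image would not be selected for the reboot")
    if cmds and cmds[-1] != "reboot":
        problems.append("batch does not end with reboot: the AC would not reboot into the new image at the scheduled time")
    return problems


if __name__ == "__main__":
    print("good:", check_batch(GOOD_BATCH, ROOT_DIR) or "ok")
    print("tampered:", check_batch(TAMPERED_BATCH, ROOT_DIR))
    print("missing image:", check_batch(GOOD_BATCH, ROOT_DIR - {"soft-version2.bin"}))
```

Run it against the text shown by the more command (or the downloaded file) and the output of dir; schedule the job only when the check returns no problems.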


17 User Interface Configuration

This chapter includes these sections:
User Interface Overview
User Interface Configuration Task List
Configuring Asynchronous Serial Interface Attributes
Configuring Terminal Attributes
Configuring the auto-execute Command
Configuring User Privilege Level Under a User Interface
Configuring Access Restriction on VTY User Interfaces
Configuring Supported Protocols on VTY User Interfaces
Configuring Authentication Mode for Users at Login
Configuring Command Authorization
Configuring Command Accounting
Defining Shortcut Keys for Starting Terminal Sessions/Aborting Tasks
Sending Messages to the Specified User Interfaces
Releasing the Connection Established on the User Interfaces
Displaying and Maintaining User Interfaces
User Interface Configuration Examples

User Interface Overview


Brief Introduction

This documentation covers three types of user interfaces, console, AUX, and VTY. Support for the user interface and the number of simultaneous logged-in users depends on the device model.

A user interface (also called a line) lets you manage and monitor the session between a terminal and the device when you log in through the console port or AUX port (asynchronous serial interfaces) or through Telnet or SSH. At present, the system supports the following three configuration modes:
Local configuration via the console port
Local or remote configuration via the AUX port (auxiliary port)
Local or remote configuration through Telnet or SSH

These three modes correspond to three types of user interfaces:
Console port: Used to manage and monitor users logging in via the console port. The console port is a line device port. The device provides one console port of EIA/TIA-232 DCE type.
AUX port: Used to manage and monitor users logging in via the AUX port. The AUX port is also a line device port. The device provides one AUX port of EIA/TIA-232 DTE type.
VTY (virtual type terminal): Used to manage and monitor users logging in via VTY. A VTY port is a logical terminal line used when you access the device by means of Telnet or SSH.

Users and User Interfaces


At any time, only one user can use a given user interface, and the configuration of that user interface applies to the user who has logged in through it. For example, if user A logs in through the console port, the configuration in the user interface view of the console port applies to user A; if user A logs in through VTY 1, the configuration in the user interface view of VTY 1 applies. A device may support multiple Ethernet interfaces, and thus multiple VTY user interfaces. User interfaces are not bound to specific users: when a user initiates a connection, the system assigns, based on the login type, the idle user interface of that type with the smallest number, and the configuration in that user interface view takes effect for the session. The user interface a user gets therefore depends on the login type and the login time.

Numbering User Interfaces


User interfaces can be numbered in two ways: absolute numbering and relative numbering.

Absolute numbering
Absolute numbering uniquely identifies a user interface or a group of user interfaces. Numbering starts from 0 with a step of 1 and covers the three types of user interfaces in the sequence console port, AUX port, VTY. Use the display user-interface command without parameters to view all user interfaces currently supported and their absolute numbers.

Relative numbering
Relative numbering identifies a user interface or a group of user interfaces of a specific type. The number is valid only within that type of user interface and is meaningless for other types. A relative number has the form user interface type + number, as follows:
CON is numbered CON 0.
AUX is numbered AUX 0.
VTYs are numbered from 0 in ascending order, with a step of 1.

User Interface Configuration Task List


Complete these tasks to configure user interface:
Configuring Asynchronous Serial Interface Attributes
Configuring Terminal Attributes
Configuring the auto-execute Command
Configuring User Privilege Level Under a User Interface
Configuring Access Restriction on VTY User Interfaces
Configuring Supported Protocols on VTY User Interfaces
Configuring Authentication Mode for Users at Login
Configuring Command Authorization
Configuring Command Accounting
Defining Shortcut Keys for Starting Terminal Sessions/Aborting Tasks
Sending Messages to the Specified User Interfaces
Releasing the Connection Established on the User Interfaces

All of these tasks are optional.

Configuring Asynchronous Serial Interface Attributes


A serial interface has the following key attributes:
Transmission rate: Number of bits the device transmits to the terminal per second. Typically a higher transmission rate is used over shorter distances.
Data bits: Number of bits representing one character. The setting depends on the content to be transmitted; for example, set it to 7 if standard ASCII characters are sent, or to 8 if extended ASCII characters are sent.
Parity check: An error checking technique that detects whether errors occurred during transmission.
Stop bits: The last bits transmitted for a character, which unequivocally mark its end. The more stop bits, the slower the transmission.
These attributes must be set consistently on both ends of the link for communication to work. Follow these steps to configure the asynchronous attributes of a serial interface:
- Enter system view: system-view
- Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
- Configure the transmission speed: speed speed-value (optional; 9600 bps by default)
- Configure the data bits: databits { 5 | 6 | 7 | 8 } (optional; 8 by default)
- Set the parity check: parity { even | mark | none | odd | space } (optional; none by default)
- Set the stop bits: stopbits { 1 | 1.5 | 2 } (optional; 1 by default)

The settings of transmission rate, data bits, parity check, stop bits, and flow control must be consistent on terminals and user interface for communication.

Configuring Terminal Attributes


Follow these steps to configure terminal attributes:
- Enter system view: system-view
- Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
- Start the terminal service: shell (optional; the terminal service is enabled on all user interfaces by default)
- Set the idle-timeout disconnection function for terminal users: idle-timeout minutes [ seconds ] (optional; 10 minutes by default)
- Set the number of lines displayed on the next screen: screen-length screen-length (optional; 24 lines by default)
- Set the display type of the current user terminal: terminal type { ansi | vt100 } (optional; ANSI by default)
- Set the number of history commands that the history buffer can store: history-command max-size size-value (optional; 10 commands by default)
- Return to user view: return
- Lock the user interface, preventing unauthorized users from using it: lock (optional; disabled by default)

The system supports two terminal display types, ANSI and VT100. If the display types of the device and the client (for example, a HyperTerminal or Telnet terminal) are inconsistent, or both are set to ANSI, and the command line being entered exceeds 80 characters, anomalies such as cursor corruption or abnormal display may occur on the client. You are therefore recommended to set the display type of both the device and the client to VT100.


Configuring the auto-execute Command


With the auto-execute command command enabled the system automatically executes the configured command when you log in. After the command is completed or after the tasks triggered by the command are completed, the connection breaks automatically. This command is normally used to configure the Telnet command to enable you to connect to the specified host automatically. Follow these steps to configure auto-execute command:
- Enter system view: system-view
- Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }
- Configure the command to be automatically executed: auto-execute command command (required; no command is executed automatically by default)

The auto-execute command command is supported on all types of user interfaces except the Console port and the AUX port functioning as the console port.

The auto-execute command command may disable you from configuring the system through the terminal line to which the command is applied. Therefore, before configuring the command and saving the configuration (using the save command), make sure that you can access the system by other means to remove the configuration in case a problem occurs.

Configuring User Privilege Level Under a User Interface


User privilege levels restrict the access rights of different users to the device. If the authentication mode is none or password when a user logs in (that is, no username is needed), the user's privilege level is the user interface level, which is configured in user interface view; the default user interface level is 0. If the authentication mode is scheme (that is, username and password are needed), the user's privilege level is the level authorized by AAA for that user (for a local user, the authorization-attribute level command), except that users authenticated by SSH public key receive the user interface level. Follow these steps to configure the user privilege level under a user interface:
- Enter system view: system-view
- Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
- Configure the user privilege level under the current user interface: user privilege level level (optional; by default, users logging in from the console port have privilege level 3 and users logging in from other user interfaces have privilege level 0)

For more information about user levels, see Basic System Configuration. The user privilege level can be configured under a user interface or by setting AAA authentication parameters, and which configuration mode takes effect depends on the authentication mode at user login. For more information, see Basic System Configuration.

Configuring Access Restriction on VTY User Interfaces


You can configure access restriction on the VTY user interface through referencing an ACL. For more information about ACLs, see ACL in the ACL and QoS Configuration Guide. If no ACL is configured on the VTY user interface, there will be no access restriction on the VTY user interface for establishing a Telnet or SSH connection If an ACL is configured on the VTY user interface, there will be two possibilities: if the packets for establishing a Telnet or SSH connection match the ACL rule, the connection will be permitted or denied according to the ACL rule; if not, the connection will be denied directly. Follow these steps to configure access restriction on VTY user interfaces:
- Enter system view: system-view
- Enter VTY user interface view: user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }
- Configure the access restriction by referencing a basic/advanced ACL: acl [ ipv6 ] acl-number { inbound | outbound }
- Configure the access restriction by referencing a WLAN/Layer 2 ACL: acl acl-number inbound
  (required; use either command; no restriction is set by default)

The system regards the basic/advanced ACL with the inbound keyword, the basic/advanced ACL with the outbound keyword, WLAN ACL, and Layer 2 ACL as four different types of ACLs, which can coexist in one VTY user interface. If there are different types of ACLs in one VTY user interface, the match order is WLAN ACL, basic/advanced ACL, and Layer 2 ACL. In one VTY user interface, the number of ACL of each type is one at most, and the latest configured one is valid.


Configuring Supported Protocols on VTY User Interfaces


Currently, only the VTY user interface allows configuration on the supported protocols. Follow these steps to configure supported protocols on the active VTY user interface:
- Enter system view: system-view
- Enter VTY user interface view: user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }
- Configure the protocols supported on the user interface: protocol inbound { all | ssh | telnet } (optional; both Telnet and SSH are supported by default)

If SSH is configured, you must set the authentication mode to scheme using the authentication-mode scheme command to guarantee a successful login. The protocol inbound ssh command fails if the authentication mode is password or none. For the corresponding configuration, see the authentication-mode command in User Interface Commands. The protocol(s) configured through the protocol inbound command takes effect next time you log in from that user interface.

Configuring Authentication Mode for Users at Login


By configuring the authentication mode under a user interface, you decide whether users are authenticated when they log in through that user interface, and so control access to the device. The supported authentication modes are none, password, and scheme.

If you specify the authentication mode as none, no username or password is required when users log in through the user interface. This is insecure on any user interface that can be reached remotely.

If you specify the authentication mode as password, a password is required when users log in through the user interface. An empty or wrong password results in login failure. If no authentication password has been set, users logging in again through AUX, VTY, and MODEM user interfaces are prompted "Login password has not been set!" and the login fails, whereas users logging in again through other user interfaces, such as the console user interface, can log in without entering a password.

If you specify the authentication mode as scheme, a username and password are required when users log in through the user interface. An empty or wrong password results in login failure. Before terminating the redirected Telnet connection, set the username and password. User authentication is either local or remote. For local authentication, configure a local user and its parameters as shown in the table for configuring the scheme mode below; for remote authentication, configure the username and password on the remote authentication server. For more information about the user authentication modes and parameters, see AAA in the Security Configuration Guide. By default, the device performs local authentication. For SSH logins, these rules apply to password authentication only. For more information about SSH, see SSH2.0 in the Security Configuration Guide.

Follow these steps to configure the authentication mode for users at login as none:
- Enter system view: system-view
- Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
- Set the authentication mode to none for users logging in through the interface: authentication-mode none (required; by default, the authentication mode is password for VTY and AUX user interfaces and none for the console user interface)

Follow these steps to configure authentication mode for users at login as password:
- Enter system view: system-view
- Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
- Set the authentication mode to password for users logging in through the interface: authentication-mode password (required; by default, the authentication mode is password for VTY and AUX user interfaces and none for the console user interface)
- Set the local authentication password: set authentication password { cipher | simple } password (required; no local authentication password is set by default. Specify cipher so that the password is not stored in plain text in the configuration file.)

Follow these steps to configure authentication mode for users at login as scheme (local authentication):
- Enter system view: system-view
- Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
- Set the authentication mode to scheme for users logging in through the interface: authentication-mode scheme [ command-authorization ] (required; by default, the authentication mode is password for VTY and AUX user interfaces and none for the console user interface)
- Set the user privilege level: see Configuring User Privilege Level Under a User Interface (optional; by default, users logging in from the console port have privilege level 3 and users logging in from other user interfaces have privilege level 0)
- Go back to system view: quit
- Set the authentication username and enter local user view: local-user user-name (required; no local user is set on the device by default)
- Set the authentication password: password { cipher | simple } password (required; specify cipher so that the password is not stored in plain text in the configuration file)
- Set the service types the user can use: service-type { ssh | telnet | terminal } * (required; users logging in through a VTY user interface use the telnet or ssh service, users logging in through the console or AUX port use the terminal service)
- Configure the authorization attributes for the local user: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } * (optional; by default, users authorized for the FTP or SFTP service can access the root directory of the device and have user level 0; use this command to change these defaults)

For more information about the local-user, password, service-type, and authorization-attribute commands, see AAA in the Security Command Reference.
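The authentication modes, user privilege levels, VTY access restrictions and supported protocols described in the preceding sections are easy to get wrong in combination, and a weak combination only shows up in the saved configuration. The following Python script is an added example, not part of the H3C guide, that parses the user-interface section of a saved Comware V5 configuration and flags the weak settings this chapter warns about. It assumes the defaults the chapter states (password mode on AUX and VTY, none on the console; level 3 on the console, 0 elsewhere) and the saved-configuration keyword con for the console line; the configuration text it checks is constructed for the example.

```python
"""Added example (not from the H3C guide): audit the user-interface section of a
saved Comware V5 configuration for the weak login settings this chapter describes."""
import re
from dataclasses import dataclass, field

# Defaults as stated in the chapter (assumption: saved config uses "con" for console).
DEFAULT_AUTH = {"con": "none", "aux": "password", "vty": "password"}
DEFAULT_LEVEL = {"con": 3, "aux": 0, "vty": 0}
HEADER = re.compile(r"^user-interface\s+(con|aux|vty)\s+(\d+)(?:\s+(\d+))?\s*$")

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
#
 telnet server enable
#
acl number 2000
 rule 0 permit source 192.168.1.0 0.0.0.255
 rule 5 deny
#
user-interface con 0
 authentication-mode none
 user privilege level 3
user-interface aux 0
 authentication-mode password
 set authentication password simple 123
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
 acl 2000 inbound
 command authorization
 command accounting
user-interface vty 5 15
 authentication-mode none
 user privilege level 3
#
"""


@dataclass
class UserInterface:
    kind: str                  # "con", "aux" or "vty"
    first: int
    last: int
    auth_mode: str             # none | password | scheme
    level: int                 # privilege level set in user interface view
    settings: list = field(default_factory=list)   # sub-commands, verbatim

    @property
    def name(self):
        return f"{self.kind} {self.first}" + (f"-{self.last}" if self.last != self.first else "")

    def has(self, prefix):
        return any(s.startswith(prefix) for s in self.settings)


def parse_user_interfaces(config):
    """Split the configuration into user-interface views, applying the chapter's defaults."""
    views, current = [], None
    for raw in config.splitlines():
        m = HEADER.match(raw)
        if m:
            kind, first, last = m.group(1), int(m.group(2)), m.group(3)
            current = UserInterface(kind, first, int(last) if last else first,
                                    DEFAULT_AUTH[kind], DEFAULT_LEVEL[kind])
            views.append(current)
        elif current is not None and raw.startswith(" "):
            cmd = raw.strip()
            current.settings.append(cmd)
            if cmd.startswith("authentication-mode "):
                current.auth_mode = cmd.split()[1]
            elif cmd.startswith("user privilege level "):
                current.level = int(cmd.split()[-1])
        else:
            current = None     # any other top-level line ends the view
    return views


def effective_level_source(ui):
    """Which setting decides the privilege level of users logging in through ui."""
    if ui.auth_mode == "scheme":
        return "AAA user level (authorization-attribute level); user-interface level only for SSH public-key users"
    return f"user-interface level {ui.level}"


def audit(config):
    """Return (user interface, severity, finding) triples."""
    findings = []
    for ui in parse_user_interfaces(config):
        if ui.kind != "con" and ui.auth_mode == "none":
            findings.append((ui.name, "HIGH", "authentication-mode none: remote login without any credential"))
        if ui.auth_mode == "password" and ui.has("set authentication password simple "):
            findings.append((ui.name, "MEDIUM", "login password stored in plain text (simple); use cipher"))
        if ui.kind != "con" and ui.auth_mode != "scheme" and ui.level >= 2:
            findings.append((ui.name, "HIGH", f"privilege level {ui.level} granted without per-user (scheme) authentication"))
        if ui.kind == "vty":
            proto = next((s.split()[-1] for s in ui.settings if s.startswith("protocol inbound ")), "all")
            if not ui.has("acl "):
                findings.append((ui.name, "MEDIUM", "no ACL: Telnet/SSH connections accepted from any source"))
            if proto != "ssh":
                findings.append((ui.name, "MEDIUM", f"protocol inbound {proto}: clear-text Telnet logins accepted"))
            if proto == "ssh" and ui.auth_mode != "scheme":
                findings.append((ui.name, "HIGH", "protocol inbound ssh requires authentication-mode scheme"))
            if ui.auth_mode == "scheme" and not ui.has("command authorization"):
                findings.append((ui.name, "LOW", "scheme authentication without command authorization"))
            if not ui.has("command accounting"):
                findings.append((ui.name, "LOW", "executed commands are not accounted to the HWTACACS server"))
    return findings


if __name__ == "__main__":
    for ui in parse_user_interfaces(SAMPLE_CONFIG):
        print(f"{ui.name}: auth={ui.auth_mode}, level from {effective_level_source(ui)}")
    for name, sev, text in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {name}: {text}")
```

On the sample configuration the script reports nothing for vty 0 4, which has scheme authentication, SSH only, an inbound ACL, command authorization and command accounting, and five findings for vty 5 15, whose authentication-mode none together with user privilege level 3 amounts to unauthenticated remote administrator access. Feed it the output of display current-configuration saved from the AC to check a real device.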

Configuring Command Authorization


By default, the commands a login user can execute are determined by the user level: the user can execute any command whose default level is not higher than the user level. With command authorization configured, the commands a login user can execute are determined by both the user level and AAA authorization: when the user executes a command of a level the user is entitled to, the authorization server checks whether that command is authorized for the user, and the command is executed only if it is. Because the authorization server identifies authorized commands by username, command authorization involves three steps:
1) Set the authentication mode to scheme (username and password are required) for users logging in through the user interface.
2) Enable command authorization, as described in the following table.
3) Configure a command authorization scheme, specifying the IP address of the authorization server and other related parameters. For more information, see AAA in the Security Configuration Guide.
Follow these steps to enable command authorization:
- Enter system view: system-view
- Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
- Enable command authorization: command authorization (required; disabled by default, that is, users can execute commands without authorization)

Configuring Command Accounting


Command accounting lets the HWTACACS server record every command the device supports that a user executes, regardless of the execution result, which helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only authorized commands that were executed are recorded. Command accounting involves two steps:
1) Enable command accounting, as described in the following table.
2) Configure a command accounting scheme, specifying the IP address of the accounting server and other related parameters. For more information, see AAA in the Security Configuration Guide.
Follow these steps to enable command accounting:
- Enter system view: system-view
- Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
- Enable command accounting: command accounting (required; disabled by default, that is, the accounting server does not record the commands users execute)

Defining Shortcut Keys for Starting Terminal Sessions/Aborting Tasks


Follow these steps to define shortcut keys for starting terminal sessions/aborting tasks:
- Enter system view: system-view
- Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
- Define a shortcut key for starting terminal sessions: activation-key character (optional; pressing Enter starts the terminal session by default)
- Define a shortcut key for aborting tasks: escape-key { default | character } (optional; the default shortcut key combination for aborting tasks is Ctrl+C)

The activation-key command is not supported on the VTY user interface.

Sending Messages to the Specified User Interfaces


Follow these steps to send messages to the specified user interfaces:
- Send messages to the specified user interface(s): send { all | num1 | { aux | console | vty } num2 } (required; available in user view)

Releasing the Connection Established on the User Interfaces


Multiple users can log in to the system to configure the device simultaneously. In some circumstances, when the administrator wants to make configurations without interruption from the users that have logged in using other user interfaces, the administrator can execute the following commands to release the connection established on the specified user interfaces. Follow the step to release the connection established on the user interfaces:
- Release the connection established on the specified user interface(s): free user-interface { num1 | { aux | console | vty } num2 } (required; available in user view)

You cannot use this command to release the connection that you are using.

Displaying and Maintaining User Interfaces


- Display information about the user interfaces being used: display users
- Display information about all user interfaces supported on the device: display users all
- Display information about the specified or all user interfaces: display user-interface [ num1 | { aux | console | vty } num2 ] [ summary ]
- Display the history commands of the current user: display history-command

All of these commands are available in any view.

User Interface Configuration Examples


User Authentication Configuration Example
Network requirements
As shown in Figure 17-1, command levels should be configured for different users to secure the AC:
The device administrator accesses the AC through the console port from Host A. No username or password is required when the administrator logs in.
Users access the AC through an Ethernet interface from Host B. Only a password is required when a user logs in, and only authenticated users can log in and perform configuration.

Figure 17-1 Network diagram for configuring user authentication

Configuration procedure
# Assign an IP address to the AC so that it is reachable from both Host A and Host B. The configuration is omitted.

# Enable the Telnet service on the AC.
<AC> system-view
[AC] telnet server enable

# Set no authentication for users logging in through the console port, and set the privilege level of the administrator logging in through the console port to 3, so that the administrator can execute all commands supported by the AC.
[AC] user-interface console 0
[AC-ui-console0] authentication-mode none
[AC-ui-console0] user privilege level 3
[AC-ui-console0] quit

# Set VTY user interfaces 0 through 4 to use password authentication when users log in to the AC from Host B. The authentication password is 123, stored in cipher text. Then set the privilege level of users logging in through these VTYs to 2.
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode password
[AC-ui-vty0-4] set authentication password cipher 123
[AC-ui-vty0-4] user privilege level 2
[AC-ui-vty0-4] quit


Command Authorization Configuration Example


Network requirements
As shown in Figure 17-2, command levels should be configured for different users to secure AC: After a user logs in to AC, the commands the user enter must be authorized by the HWTACACS server first before being executed. If the HWTACACS server fails to authorize the commands, local authorization is used. Figure 17-2 Network diagram for configuring command authorization

Configuration procedure
# Assign an IP address to the AC so that it is reachable from Host A and from the HWTACACS server. The configuration is omitted.

# Enable the Telnet service on the AC.
<AC> system-view
[AC] telnet server enable

# Set VTY user interfaces 0 through 4 to use username and password authentication when users log in to the AC. The commands a user can execute depend on the authentication result.
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme

# Enable command authorization to restrict the command level for login users.
[AC-ui-vty0-4] command authorization
[AC-ui-vty0-4] quit

# Create a HWTACACS scheme named tac and configure the IP address and TCP port for the primary authorization server for the scheme. Ensure that the port number be consistent with that on the HWTACACS server. Set the shared key for authentication packets to expert for the scheme and the HWTACACS server type of the scheme to standard. Specify AC to remove the domain name in the username sent to the HWTACACS server for the scheme.
[AC] hwtacacs scheme tac
[AC-hwtacacs-tac] primary authentication 192.168.2.20 49
[AC-hwtacacs-tac] primary authorization 192.168.2.20 49
[AC-hwtacacs-tac] key authentication expert
[AC-hwtacacs-tac] key authorization expert
[AC-hwtacacs-tac] server-type standard
[AC-hwtacacs-tac] user-name-format without-domain
[AC-hwtacacs-tac] quit

# Configure the default ISP domain system to use HWTACACS scheme tac for login users and use local authorization as the backup.
[AC] domain system
[AC-isp-system] authentication login hwtacacs-scheme tac local
[AC-isp-system] authorization command hwtacacs-scheme tac local
[AC-isp-system] quit

# Add a local user named monitor with the password 123, stored in cipher text. Authorize the user to use the Telnet service and set the user level to 1, that is, the monitor level.
[AC] local-user monitor
[AC-luser-monitor] password cipher 123
[AC-luser-monitor] service-type telnet
[AC-luser-monitor] authorization-attribute level 1
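As an added illustration (this is not code from the H3C guide), the following Python builds and decodes the authorization request that the AC sends for each command under the configuration above, assuming that HWTACACS carries the standard TACACS+ packet format (RFC 8907). The shared key expert, the server 192.168.2.20 port 49 and user monitor at level 1 are taken from the example; the VTY name, the remote address and the session ID are constructed. It shows what "key authorization expert" actually protects: the packet body is XORed with an MD5 stream derived from the key, which hides it from a casual observer but provides no integrity protection and can be brute forced offline from a capture, so the AC-to-server path should be protected by the network design rather than by the key alone.

```python
import hashlib
import os
import struct

# Added example, not H3C code. Assumes HWTACACS uses standard TACACS+
# (RFC 8907) packets. Key, server and user come from the configuration
# example; the VTY name, remote address and session ID are constructed.
SERVER = ("192.168.2.20", 49)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHOR = 0x02                   # packet type: authorization
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")        # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 body obfuscation: an MD5 chain keyed with the
    session ID, the shared key, the version byte and the sequence number.
    It is XORed over the body; it is not encryption and gives no integrity."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def build_author_request(user, port, rem_addr, priv_lvl, args, key, session_id):
    """Encode an authorization REQUEST (seq_no 1) and obfuscate its body."""
    arg_bytes = [a.encode() for a in args]
    body = bytes([TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                  TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                  len(user), len(port), len(rem_addr), len(arg_bytes)])
    body += bytes(len(a) for a in arg_bytes)            # one length byte per arg
    body += user.encode() + port.encode() + rem_addr.encode() + b"".join(arg_bytes)
    version, seq_no, flags = TAC_PLUS_MAJOR_VER << 4, 1, 0
    header = HEADER.pack(version, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body))
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def parse_author_request(packet, key):
    """What the server does on receipt: de-obfuscate and split the body fields."""
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    body = bytes(b ^ p for b, p in zip(packet[HEADER.size:HEADER.size + length], pad))
    priv_lvl = body[1]
    user_len, port_len, rem_len, arg_cnt = body[4:8]
    arg_lens = body[8:8 + arg_cnt]
    fields, pos = [], 8 + arg_cnt
    for n in (user_len, port_len, rem_len, *arg_lens):
        fields.append(body[pos:pos + n].decode())
        pos += n
    user, port, rem_addr, *args = fields
    return {"user": user, "port": port, "rem_addr": rem_addr,
            "priv_lvl": priv_lvl, "args": args}


def command_authorization_request(key=b"expert", session_id=None):
    """User monitor (level 1) on VTY 0 asking to run 'display current-configuration'.
    The AC sends this to SERVER over TCP before executing the command."""
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    return build_author_request(
        user="monitor", port="vty0", rem_addr="192.168.1.2", priv_lvl=1,
        args=["service=shell", "cmd=display", "cmd-arg=current-configuration"],
        key=key, session_id=session_id)


if __name__ == "__main__":
    pkt = command_authorization_request(session_id=0x12345678)
    print(pkt.hex())
    print(parse_author_request(pkt, b"expert"))
```

The server's reply carries a status byte (PASS_ADD, PASS_REPL or FAIL) that decides whether the AC runs the command; with a wrong key on either side the body decodes to garbage and the server answers FAIL or drops the session, which is why a key mismatch looks like "server unavailable" from the AC's side and can trigger the local fallback configured above.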

Command Accounting Configuration Example


Network requirements
As shown in Figure 17-3, record the commands that login users execute on the HWTACACS server so that user operations can be controlled and monitored.

Figure 17-3 Network diagram for configuring command accounting

Configuration procedure
# Enable the Telnet service on the AC.
<AC> system-view
[AC] telnet server enable

# Enable command accounting for users logging in through the console port.
[AC] user-interface console 0
[AC-ui-console0] command accounting
[AC-ui-console0] quit

# Enable command accounting for users logging in through Telnet.
[AC] user-interface vty 0 4
[AC-ui-vty0-4] command accounting
[AC-ui-vty0-4] quit


# Create an HWTACACS scheme named tac, and specify the IP address and TCP port of the primary accounting server. Make sure the port number matches the one configured on the HWTACACS server. Set the shared key for accounting packets to expert, and have the AC strip the domain name from usernames sent to the HWTACACS server.
[AC] hwtacacs scheme tac
[AC-hwtacacs-tac] primary accounting 192.168.2.20 49
[AC-hwtacacs-tac] key accounting expert
[AC-hwtacacs-tac] user-name-format without-domain
[AC-hwtacacs-tac] quit

# Create ISP domain system, and configure it to use HWTACACS scheme tac for command accounting of login users.
[AC] domain system
[AC-isp-system] accounting command hwtacacs-scheme tac
[AC-isp-system] quit


18 Basic Configurations

This chapter includes these sections:
Configuration Display
Quick Configuration
Basic Configurations
CLI Features

Configuration Display
To avoid duplicate configuration, use the display commands to view the current configuration of the AC before configuring it. The configurations of an AC fall into the following categories:
Factory defaults: When ACs are shipped, they are installed with some basic configurations, called factory defaults. These ensure that an AC can start up and run normally when it has no configuration file or the configuration file is damaged.
Current configuration: The configuration currently running on the AC. Unless otherwise noted (for example, a command that takes effect only after a reboot), a change to the current configuration takes effect immediately but is lost at the next reboot unless it is saved to the configuration file.
Saved configuration: The configuration stored in the configuration file, from which configurations can be restored conveniently.
Follow these steps to display AC configurations:
To do: Display the current validated configuration of the AC
Use the command: display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | exclude | include } regular-expression ] ]
Remarks: Available in any view.

To do: Display the saved configuration, that is, the content of the configuration file
Use the command: more file-url
If the file is the configuration file for the next startup of the AC, you can also use: display saved-configuration [ by-linenum ]
Remarks: The more command is available in user view. The display saved-configuration command is available in any view.

For more information about the more and display saved-configuration commands, see File Management in the Fundamentals Command Reference.


Quick Configuration
The quick configuration function guides you through the command lines. After you execute the quick configuration command, the system prompts you for the basic parameters of the AC one by one (such as the AC name, system clock, VLAN and IP address, depending on the AC model), after which the AC is in a running state. You do not have to enter multiple commands to configure these parameters, which simplifies configuration. Follow these steps to perform quick configuration:

To do: Enter system view
Use the command: system-view

To do: Perform quick configuration
Use the command: quick configuration
Remarks: Required

Your configurations are executed only after all the interactions of quick configuration are completed; if the interaction process is interrupted, no configuration is performed.
During the interaction process, you can press Ctrl+C to end it; the process also ends when the 30-second timeout timer expires.
The default value of each configuration item is displayed in []. If [] is empty, no default value is available for the item; if [] contains a value, pressing Enter adopts the default value.
Some parameters can be configured multiple times. In this case the system prompts press <cr> to exit; pressing Enter leaves the current item and moves to the next one. For example, you can create multiple VLAN interfaces and configure their IP addresses and masks; pressing Enter ends VLAN interface configuration, and the system moves to the next configuration item.

Basic Configurations
This section covers the following topics:
Entering System View
Exiting the Current View
Exiting to User View
Configuring the AC Name
Configuring the System Clock
Configuring a Banner
Configuring CLI Hotkeys
Configuring Command Aliases
Configuring User Privilege Levels and Command Levels
Configuring the Number of Concurrent Users
Displaying and Maintaining Basic Configurations

Entering System View

After logging in to the AC, you automatically enter user view, and the system displays <Device name>. In user view you can perform only limited operations, such as display operations, file operations, and Telnet operations. To configure the AC further, enter system view. Follow the step below to enter system view:

To do: Enter system view from user view
Use the command: system-view
Remarks: Required. Available in user view.

Exiting the Current View

The command line interface is divided into multiple command views organized hierarchically. For example, system view is under user view, and interface view and VLAN view are under system view. After configuring functions in the current view, you can exit it as follows:

To do: Return to the parent view from the current view
Use the command: quit
Remarks: Required. Available in any view. If the current view is user view, the command terminates the connection between the user terminal and the AC.

Exiting to User View

This feature lets you return to user view from any other view without executing the quit command repeatedly. You can also press the hotkey Ctrl+Z to return to user view from the current view. Follow the step below to exit to user view:

To do: Exit to user view
Use the command: return
Remarks: Required. Available in any view except user view.

Configuring the AC Name

The AC name identifies an AC in a network. Inside the system, the AC name corresponds to the CLI prompt. For example, if the AC name is Sysname, the prompt in user view is <Sysname>. Follow these steps to configure the AC name:

To do: Enter system view
Use the command: system-view

To do: Configure the AC name
Use the command: sysname sysname
Remarks: Optional. By default, the AC name is H3C.

Configuring the System Clock

Configuring the system clock
The system clock, shown in system time stamps, is determined by the configured relative time, time zone, and daylight saving time. You can view the system clock with the display clock command. Follow these steps to configure the system clock:

To do: Set the time and date
Use the command: clock datetime time date
Remarks: Optional. Available in user view.

To do: Enter system view
Use the command: system-view

To do: Set the time zone
Use the command: clock timezone zone-name { add | minus } zone-offset
Remarks: Optional. Universal time coordinated (UTC) time zone by default.

To do: Set a daylight saving time scheme
Adopt daylight saving time once, from the start-time on the start-date to the end-time on the end-date. Daylight saving time adds the add-time to the current time of the AC.
Use the command: clock summer-time zone-name one-off start-time start-date end-time end-date add-time
Adopt daylight saving time repeatedly
Use the command: clock summer-time zone-name repeating start-time start-date end-time end-date add-time
Remarks: Optional. Use either command. By default, daylight saving time is not configured on the AC, and the UTC time zone is applied.

Displaying the system clock

The system clock is determined by the clock datetime, clock timezone and clock summer-time commands. If none of the three is configured, the display clock command displays the original system clock. When the three commands are combined in different ways, the system clock is displayed as shown in Table 18-1. The parameters in the Configuration column mean the following:
1 indicates that date-time has been configured with the clock datetime command.
2 indicates that time-zone has been configured with the clock timezone command, with an offset of zone-offset.
3 indicates that daylight saving time has been configured with the clock summer-time command, with an offset of summer-offset.
[1] indicates that the clock datetime command is an optional configuration.
The default system clock in the examples is 2005/1/1 1:00:00.


Table 18-1 Relationship between the configuration and display of the system clock

Configuration: none
System clock displayed by the display clock command: The original system clock

Configuration: 1
System clock displayed: date-time
Example: Configure clock datetime 1:00 2007/1/1. Display: 01:00:00 UTC Mon 01/01/2007

Configuration: 2
System clock displayed: The original system clock ± zone-offset
Example: Configure clock timezone zone-time add 1. Display: 02:00:00 zone-time Sat 01/01/2005

Configuration: 1 and 2
System clock displayed: date-time ± zone-offset
Example: Configure clock datetime 2:00 2007/2/2 and clock timezone zone-time add 1. Display: 03:00:00 zone-time Fri 02/02/2007

Configuration: [1], 2 and 1
System clock displayed: date-time
Example: Configure clock timezone zone-time add 1 and clock datetime 3:00 2007/3/3. Display: 03:00:00 zone-time Sat 03/03/2007

Configuration: 3
System clock displayed: If the original system clock is not in the daylight saving time range, the original system clock is displayed. If it is in the range, the original system clock + summer-offset is displayed.
Examples: Configure clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2. Display: 01:00:00 UTC Sat 01/01/2005
Configure clock summer-time ss one-off 00:30 2005/1/1 1:00 2005/8/8 2. Display: 03:00:00 ss Sat 01/01/2005

Configuration: 1 and 3
System clock displayed: If date-time is not in the daylight saving time range, date-time is displayed. If it is in the range, date-time + summer-offset is displayed.
Examples: Configure clock datetime 1:00 2007/1/1 and clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2. Display: 01:00:00 UTC Mon 01/01/2007
Configure clock datetime 8:00 2007/1/1 and clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2. Display: 10:00:00 ss Mon 01/01/2007

Configuration: [1], 3 and 1
System clock displayed: If date-time is not in the daylight saving time range, date-time is displayed. If date-time is in the range: if date-time - summer-offset is not in the summer-time range, date-time - summer-offset is displayed; if date-time - summer-offset is in the summer-time range, date-time is displayed.
Examples: Configure clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 and clock datetime 1:00 2008/1/1. Display: 01:00:00 UTC Tue 01/01/2008
Configure clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 and clock datetime 1:30 2007/1/1. Display: 23:30:00 UTC Sun 12/31/2006
Configure clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 and clock datetime 3:00 2007/1/1. Display: 03:00:00 ss Mon 01/01/2007

Configuration: 2 and 3, or 3 and 2
System clock displayed: If the original system clock ± zone-offset is not in the summer-time range, the original system clock ± zone-offset is displayed. If it is in the range, the original system clock ± zone-offset + summer-offset is displayed.
Examples: Configure clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2. Display: 02:00:00 zone-time Sat 01/01/2005
Configure clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2005/1/1 1:00 2005/8/8 2. Display: 04:00:00 ss Sat 01/01/2005

Configuration: 1, 2 and 3, or 1, 3 and 2
System clock displayed: If date-time ± zone-offset is not in the summer-time range, date-time ± zone-offset is displayed. If it is in the range, date-time ± zone-offset + summer-offset is displayed.
Examples: Configure clock datetime 1:00 2007/1/1, clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2. Display: 02:00:00 zone-time Mon 01/01/2007
Configure clock datetime 1:00 2007/1/1, clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2. Display: 04:00:00 ss Mon 01/01/2007

Configuration: [1], 2, 3 and 1, or [1], 3, 2 and 1
System clock displayed: If date-time is not in the daylight saving time range, date-time is displayed. If date-time is in the range: if date-time - summer-offset is not in the summer-time range, date-time - summer-offset is displayed; if date-time - summer-offset is in the summer-time range, date-time is displayed.
Examples: Configure clock timezone zone-time add 1, clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2 and clock datetime 1:00 2007/1/1. Display: 01:00:00 zone-time Mon 01/01/2007
Configure clock timezone zone-time add 1, clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2 and clock datetime 1:30 2008/1/1. Display: 23:30:00 zone-time Mon 12/31/2007
Configure clock timezone zone-time add 1, clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2 and clock datetime 3:00 2008/1/1. Display: 03:00:00 ss Tue 01/01/2008
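The rules in Table 18-1 are easier to check as code. The following Python is an added model (not H3C code) that reproduces the table's display clock strings from the order in which the three commands are applied. Its assumptions are inferred from the table's own examples and are not stated by the guide: the AC keeps an internal base clock; clock datetime means "what display clock should show now", so any zone or summer-time offset already configured is subtracted from the entered value; the summer-time window is tested against local standard time with the start time inclusive; and because the table never exercises the end time, it is treated as exclusive here. The practical point for log correlation is visible in the [1], 3 and 1 row: a clock datetime value that falls inside a configured summer-time window is shifted back by add-time, so timestamps set this way can land before the window and be displayed without the summer-time label.

```python
from datetime import datetime, timedelta

# Added example, not H3C code: a model of how display clock output in
# Table 18-1 follows from the order of clock datetime / clock timezone /
# clock summer-time. Assumptions (inferred from the table, not stated by
# the guide): internal base clock; clock datetime is interpreted as the
# value display clock should show, so offsets already in force are removed;
# summer-time window checked on local standard time, start inclusive,
# end exclusive (the table never exercises the end time).

ORIGINAL_CLOCK = datetime(2005, 1, 1, 1, 0, 0)   # default system clock used by the table


class ClockModel:
    def __init__(self):
        self.base = ORIGINAL_CLOCK       # internal clock, no zone or summer offset applied
        self.zone_name = "UTC"
        self.zone_offset = timedelta(0)
        self.summer = None               # (zone-name, start, end, add-time)

    def _in_summer(self, local_std):
        if self.summer is None:
            return False
        _name, start, end, _add = self.summer
        return start <= local_std < end

    # clock timezone zone-name { add | minus } zone-offset
    def clock_timezone(self, zone_name, direction, hours):
        self.zone_name = zone_name
        self.zone_offset = timedelta(hours=hours) * (1 if direction == "add" else -1)

    # clock summer-time zone-name one-off start-time start-date end-time end-date add-time
    def clock_summer_time(self, zone_name, start, end, add_hours):
        self.summer = (zone_name, start, end, timedelta(hours=add_hours))

    # clock datetime time date: strip the offsets currently in force
    def clock_datetime(self, wanted):
        local_std = wanted - self.summer[3] if self._in_summer(wanted) else wanted
        self.base = local_std - self.zone_offset

    # display clock
    def display_clock(self):
        local_std = self.base + self.zone_offset
        if self._in_summer(local_std):
            shown, label = local_std + self.summer[3], self.summer[0]
        else:
            shown, label = local_std, self.zone_name
        return shown.strftime("%H:%M:%S " + label + " %a %m/%d/%Y")


def table_examples():
    """Replays rows of Table 18-1; each key is the configuration order of that row."""
    out = {}
    c = ClockModel()
    c.clock_datetime(datetime(2007, 1, 1, 1, 0))
    out["1"] = c.display_clock()

    c = ClockModel()
    c.clock_timezone("zone-time", "add", 1)
    out["2"] = c.display_clock()

    c = ClockModel()
    c.clock_timezone("zone-time", "add", 1)
    c.clock_datetime(datetime(2007, 3, 3, 3, 0))
    out["[1], 2 and 1"] = c.display_clock()

    c = ClockModel()
    c.clock_summer_time("ss", datetime(2005, 1, 1, 0, 30), datetime(2005, 8, 8, 1, 0), 2)
    out["3"] = c.display_clock()

    c = ClockModel()
    c.clock_summer_time("ss", datetime(2007, 1, 1, 1, 0), datetime(2007, 8, 8, 1, 0), 2)
    c.clock_datetime(datetime(2007, 1, 1, 1, 30))    # inside the window: shifted back 2h
    out["[1], 3 and 1"] = c.display_clock()

    c = ClockModel()
    c.clock_datetime(datetime(2007, 1, 1, 1, 0))
    c.clock_timezone("zone-time", "add", 1)
    c.clock_summer_time("ss", datetime(2007, 1, 1, 1, 0), datetime(2007, 8, 8, 1, 0), 2)
    out["1, 2 and 3"] = c.display_clock()

    c = ClockModel()
    c.clock_timezone("zone-time", "add", 1)
    c.clock_summer_time("ss", datetime(2008, 1, 1, 1, 0), datetime(2008, 8, 8, 1, 0), 2)
    c.clock_datetime(datetime(2008, 1, 1, 3, 0))
    out["[1], 2, 3 and 1"] = c.display_clock()
    return out


if __name__ == "__main__":
    for order, shown in table_examples().items():
        print(order.ljust(18), shown)
```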

Configuring a Banner

Introduction to banners
Banners are prompt information displayed by the system when users connect to the AC, perform login authentication, and start interactive configuration. The administrator can set banners as needed. At present, the system supports the following five kinds of welcome information:
shell banner, also called session banner, displayed when a user enters the console.
incoming banner, also called user interface banner, displayed when a user interface is activated by a Modem user.
login banner, welcome information at login authentication, displayed when password or scheme authentication is configured.
motd (Message of the Day) banner, welcome information displayed before authentication.
legal banner, also called authorization information. The system displays some copyright or authorization information and then the legal banner before a user logs in, and waits for the user to confirm whether to continue with authentication or login. Entering Y or pressing Enter continues the authentication or login process; entering N quits it. Y and N are case insensitive.

Configuring a banner
When you configure a banner, the system supports two input modes:

1) Single-line input
In this mode, all the banner information and the command keywords are entered on the same line. The start and end characters of the input text must be the same but are not part of the banner information. The input text, together with the command keywords, cannot exceed 510 characters. Do not insert a line feed character into the banner information.

2) Multiple-line input
In this mode, the banner information is entered on multiple lines by pressing Enter. Up to 2000 characters can be entered. Multiple-line input can be achieved in the following three ways:
Method I: Press Enter directly after the command keywords, and end the setting with the % character. The Enter and % characters are not part of the banner information.
Method II: Enter a character after the command keywords on the first line, and then press Enter. End the setting with the character entered on the first line. That character and the end character are not part of the banner information.
Method III: Enter multiple characters after the command keywords on the first line (with the first and last characters different), and then press Enter. End the setting with the first character entered on the first line. The first character on the first line and the end character are not part of the banner information. Line feed characters inserted in the information are part of the banner information.

Follow these steps to configure a banner:

To do: Enter system view
Use the command: system-view

To do: Configure the banner to be displayed at login (for Modem login users)
Use the command: header incoming text
Remarks: Optional

To do: Configure the banner to be displayed at login authentication
Use the command: header login text
Remarks: Optional

To do: Configure the authorization information displayed before login
Use the command: header legal text
Remarks: Optional

To do: Configure the banner to be displayed when a user enters user view (non-Modem login users)
Use the command: header shell text
Remarks: Optional

To do: Configure the banner to be displayed before login
Use the command: header motd text
Remarks: Optional

Banner configuration example

# Configure the banner displayed when a user enters user view as Welcome to H3C!.

Single-line input mode:
<System> system-view
[System] header shell %Welcome to H3C!%

Multiple-line input mode (method I):
<System> system-view
[System] header shell
Please input banner content, and quit with the character '%'.
Welcome to H3C!
%

Multiple-line input mode (method II):
<System> system-view
[System] header shell W
Please input banner content, and quit with the character 'W'.
Welcome to H3C!
W

Configuring CLI Hotkeys

Follow these steps to configure CLI hotkeys:

To do: Enter system view
Use the command: system-view

To do: Configure CLI hotkeys
Use the command: hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command
Remarks: Optional. The Ctrl+G, Ctrl+L and Ctrl+O hotkeys are bound to command lines by default.

To do: Display hotkeys
Use the command: display hotkey
Remarks: Available in any view. See Table 18-2 for the hotkeys reserved by the system.

By default, the Ctrl+G, Ctrl+L and Ctrl+O hotkeys are bound to command lines, and Ctrl+T and Ctrl+U are NULL:
Ctrl+G corresponds to the display current-configuration command.
Ctrl+L corresponds to the display ip routing-table command.
Ctrl+O corresponds to the undo debugging all command.

Table 18-2 Hotkeys reserved by the system

Hotkey: Function
Ctrl+A: Moves the cursor to the beginning of the current line.
Ctrl+B: Moves the cursor one character to the left.
Ctrl+C: Stops performing a command.
Ctrl+D: Deletes the character at the current cursor position.
Ctrl+E: Moves the cursor to the end of the current line.
Ctrl+F: Moves the cursor one character to the right.
Ctrl+H: Deletes the character to the left of the cursor.
Ctrl+K: Terminates an outgoing connection.
Ctrl+N: Displays the next command in the history command buffer.
Ctrl+P: Displays the previous command in the history command buffer.
Ctrl+R: Redisplays the current line information.
Ctrl+V: Pastes the content of the clipboard.
Ctrl+W: Deletes all the characters of the continuous string to the left of the cursor.
Ctrl+X: Deletes all the characters to the left of the cursor.
Ctrl+Y: Deletes all the characters to the right of the cursor.
Ctrl+Z: Exits to user view.
Ctrl+]: Terminates an incoming connection or a redirect connection.
Esc+B: Moves the cursor to the leading character of the continuous string to the left.
Esc+D: Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor.
Esc+F: Moves the cursor to the front of the next continuous string to the right.
Esc+N: Moves the cursor down by one line (available before you press Enter).
Esc+P: Moves the cursor up by one line (available before you press Enter).
Esc+<: Specifies the cursor position as the beginning of the clipboard.
Esc+>: Specifies the cursor position as the end of the clipboard.

These hotkeys are defined by the AC. When you interact with the AC from terminal software, the same keys may be assigned to other operations by that software; if so, the terminal software's definition takes precedence.

Configuring Command Aliases

You can replace the first keyword of a command supported by the AC with your preferred keyword by configuring the command alias function. For example, if you configure show as the replacement of the display keyword, you can enter the command alias show xx to execute the display xx command. Note the following when you configure command aliases:
When you enter a command alias, the system displays and saves the command in its original format, not as the alias. That is, you can define and use a command alias, but the command is not saved and restored in its alias form.
When you define a command alias, the cmdkey and alias arguments must be in their complete form.
With the command alias function enabled, if you enter an incomplete keyword that partially matches both a defined alias and the keyword of a command, the alias wins; to execute the command whose keyword partially matches your input, you must enter the complete keyword.
If you enter a character string that partially matches multiple aliases, the system prompts you with the matches.
If you press Tab after entering the keyword of an alias, the original format of the keyword is displayed.
You can replace only the first keyword of a non-undo command, not the complete command, and only the second keyword of an undo command.

Follow these steps to configure command aliases:

To do: Enter system view
Use the command: system-view

To do: Enable the command alias function
Use the command: command-alias enable
Remarks: Required. Disabled by default, that is, you cannot configure command aliases.

To do: Configure command aliases
Use the command: command-alias mapping cmdkey alias
Remarks: Required. Not configured by default.

Configuring User Privilege Levels and Command Levels

Introduction
To restrict different users' access to the AC, the system manages users by privilege level. User privilege levels correspond to command levels. After users at different privilege levels log in, they can only use commands at their own level or lower. All commands are categorized into four levels, visit, monitor, system, and manage, from low to high, identified by 0 through 3. Table 18-3 describes the command levels.

Table 18-3 Default command levels

Level 0, Visit: Involves commands for network diagnosis and commands for accessing an external AC. Commands at this level are not saved after being configured; after the AC restarts, they are restored to the default settings. Commands at this level include ping, tracert, telnet and ssh2.

Level 1, Monitor: Includes commands for system maintenance and service fault diagnosis. Commands at this level are not saved after being configured; after the AC restarts, they are restored to the default settings. Commands at this level include debugging, terminal, refresh, reset, and send.

Level 2, System: Provides service configuration commands, including routing and commands at each layer of the network for providing services. By default, commands at this level include all configuration commands except those at manage level.

Level 3, Manage: Influences the basic operation of the system and the system support modules for service support. By default, commands at this level involve the file system, FTP, TFTP, Xmodem command download, user management, level setting, and parameter setting within the system (the last case covers non-protocol, non-RFC-provisioned commands).

Configuring user privilege level

The user privilege level can be configured by using AAA authentication parameters or under a user interface.

1) Configure user privilege level by using AAA authentication parameters

If the user interface authentication mode is scheme when a user logs in, and a username and password are needed at login, the user privilege level is specified in the AAA authentication configuration. Follow these steps to configure the user privilege level by using AAA authentication parameters:

To do: Enter system view
Use the command: system-view

To do: Enter user interface view
Use the command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
Remarks: Required

To do: Configure the authentication mode for logging in to the user interface as scheme
Use the command: authentication-mode scheme
Remarks: Required. By default, the authentication mode for VTY and AUX users is password, and no authentication is needed for console login users.

To do: Exit to system view
Use the command: quit

To do: Configure the authentication mode for SSH users as password
Use the command: For more information, see SSH2.0 in the Security Configuration Guide.
Remarks: Required if users use SSH to log in and a username and password are needed at authentication.

To do: Configure the user privilege level by using AAA authentication parameters (use either approach)
Using local authentication: Use the local-user command to create a local user and enter local user view. Use the level keyword of the authorization-attribute command to configure the user level.
Remarks: Required. For local authentication, if you do not configure the user level, the user level is 0, that is, users of this level can use commands of level 0 only.
Using remote authentication (RADIUS, HWTACACS, and LDAP authentication): Configure the user level on the authentication server.
Remarks: Required. For remote authentication, if you do not configure the user level, the user level depends on the default configuration of the authentication server.

For more information about the user interface, see User Interface Configuration. For more information about the user-interface, authentication-mode and user privilege level commands, see User Interface in the Fundamentals Command Reference. For more information about the AAA authentication, see AAA in the Security Configuration Guide. For more information about the local-user and authorization-attribute commands, see AAA in the Security Command Reference. For more information about the SSH, see SSH 2.0 in the Security Configuration Guide.

2) Example of configuring user privilege level by using AAA authentication parameters

# Authenticate users telnetting to the AC through VTY 1, verify their usernames and passwords locally, and specify the user privilege level as 3.
<Sysname> system-view
[Sysname] user-interface vty 1
[Sysname-ui-vty1] authentication-mode scheme
[Sysname-ui-vty1] quit
[Sysname] local-user test
[Sysname-luser-test] password cipher 123
[Sysname-luser-test] service-type telnet

After the above configuration, users telnetting to the AC through VTY 1 must enter the username test and the password 123. After passing authentication, they can use only the commands of level 0. For them to use commands of levels 0, 1, 2 and 3, the following configuration is also required:
[Sysname-luser-test] authorization-attribute level 3

3) Configure the user privilege level under a user interface

If the user interface authentication mode is scheme when a user logs in and the SSH publickey authentication type is used (only a username is needed for this type), the user privilege level is the user interface level. If a user logs in using the none or password mode (no username is needed), the user privilege level is also the user interface level.

Follow these steps to configure the user privilege level under a user interface (SSH publickey authentication type):

To do: Configure the authentication type for SSH users as publickey
Use the command: For more information, see SSH2.0 in the Security Configuration Guide.
Remarks: Required if users log in through SSH and only a username, not a password, is needed at authentication. After this configuration, the authentication mode of the corresponding user interface must be set to scheme.

To do: Enter system view
Use the command: system-view

To do: Enter user interface view
Use the command: user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }

To do: Configure the authentication mode for users logging in through the current user interface
Use the command: authentication-mode scheme [ command-authorization ]
Remarks: Optional. By default, the authentication mode for VTY and AUX user interfaces is password, and the console user interface needs no authentication.

To do: Configure the privilege level of users logging in from the current user interface
Use the command: user privilege level level
Remarks: Optional. By default, the user privilege level for users logging in from the console user interface is 3, and that for users logging in from other user interfaces is 0.

Follow these steps to configure the user privilege level under a user interface (none or password authentication mode):

To do: Enter system view
Use the command: system-view

To do: Enter user interface view
Use the command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }

To do: Configure the authentication mode for users logging in through the current user interface
Use the command: authentication-mode { none | password }
Remarks: Optional. By default, the authentication mode for VTY and AUX user interfaces is password, and the console user interface needs no authentication.

To do: Configure the privilege level of users logging in from the current user interface
Use the command: user privilege level level
Remarks: Optional. By default, the user privilege level for users logging in from the console user interface is 3, and that for users logging in from other user interfaces is 0.

4)

Example of configuring user privilege level under a user interface Perform no authentication to the users telnetting to the AC, and specify the user privilege level as 1. (Performing no authentication to users brings potential security problem. Therefore, you are recommended to use it in a secure network environment.)

<Sysname> system-view [Sysname] user-interface vty 0 4 [Sysname-ui-vty0-4] authentication-mode none [Sysname-ui-vty0-4] user privilege level 1

By default, users who telnet to the AC can use only the following commands after passing authentication:

<Sysname> ?
User view commands:
  display        Display current system information
  ping           Ping function
  quit           Exit from current command view
  rsh            Establish one RSH connection
  ssh2           Establish a secure shell client connection
  super          Set the current user priority level
  telnet         Establish one TELNET connection
  tftp           Open TFTP connection
  tracert        Trace route function

After you set the user privilege level to 1 under the user interface, users can log in to the AC through Telnet without any authentication and can use the following commands:

<Sysname> ?
User view commands:
  debugging      Enable system debugging functions
  dialer         Dialer disconnect
  display        Display current system information
  ping           Ping function
  quit           Exit from current command view
  refresh        Do soft reset
  reset          Reset operation
  rsh            Establish one RSH connection
  screen-length  Specify the lines displayed on one screen
  send           Send information to other user terminal interface
  ssh2           Establish a secure shell client connection
  super          Set the current user priority level
  telnet         Establish one TELNET connection
  terminal       Set the terminal line characteristics
  tftp           Open TFTP connection
  tracert        Trace route function
  undo           Cancel current setting

Authenticate users logging in to the AC through Telnet by password, and set their user privilege level to 2.

<Sysname> system-view
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode password
[Sysname-ui-vty0-4] set authentication password cipher 123
[Sysname-ui-vty0-4] user privilege level 2

By default, users who log in to the AC through Telnet can use level 0 commands after passing authentication. After the above configuration, users who log in through Telnet must enter the password 123, and can then use the commands of levels 0, 1, and 2. (The password 123 is for illustration only. In production, use a long password that cannot be guessed: a password-mode VTY does not ask for a username, so this password is the only credential protecting level 2 access.)

Switching user privilege level

Users can switch their user privilege level temporarily without logging out and disconnecting the current connection. After the switch, users can continue to configure the AC without logging in again, but the set of commands they can execute changes. For example, a user at privilege level 3 can configure system parameters; after switching to level 0, the user can only execute a few simple commands such as ping and tracert, and a small number of display commands. The switch is temporary and takes effect for the current login only; after the user logs in again, the privilege level is restored to the original level.

To avoid misoperation, administrators are recommended to log in to the AC with a lower privilege level to view AC operating parameters, and to switch to a higher level temporarily only when they have to maintain the AC. When administrators need to leave for a while, or hand the AC over to someone else temporarily, they should switch to a lower privilege level before they leave to restrict what the other person can do.

1) A user can switch to a privilege level equal to or lower than the current one unconditionally, without entering a password.
2) A user must enter the password (if any) to switch to a higher privilege level. The authentication used for the switch falls into one of the following four categories:

local: Authenticates the user with the local password set with the super password command. If no password is set with the super password command, the privilege level switch succeeds if the user is logged in from the console port (the console port, or the AUX port used as the console port), and fails if the user is logged in from the AUX or a VTY user interface or enters an incorrect switch password.

scheme: AAA authentication. For more information about AAA, see AAA in the Security Configuration Guide.

local scheme: First local and then scheme. The user is authenticated with the local password first; if no local password is set, the privilege level switch succeeds for a user logged in from the console port, and AAA authentication is performed for a user logged in from an AUX or VTY user interface.

scheme local: First scheme and then local. AAA authentication is performed first; if the AAA configuration is invalid (no domain parameters or authentication scheme are configured) or the server does not respond, authentication with the local password is performed.

If the authentication mode for login users of the current user interface is set to none or password with the authentication-mode none or authentication-mode password command, the user does not enter a username when logging in. Therefore, if scheme authentication is required for the privilege level switch, the system prompts for a username and password (which must be the same as those configured on the AAA server); in other cases, no username is required.

Follow these steps to switch user privilege level:

Enter system view
  system-view
Set the authentication mode for user privilege level switch
  super authentication-mode { local | scheme } *
  Optional. local by default.
Configure the password (used for the local authentication mode) for user privilege level switch
  super password [ level user-level ] { simple | cipher } password
  Required. By default, no password is configured.
Exit to user view
  quit
Switch the user privilege level
  super [ level ]
  Required. When logging in to the AC, a user has a user privilege level that is decided by the user interface or by the authentication user level.

When you configure the password for switching user privilege level with the super password command, the password applies to level 3 if no user privilege level is specified.
The password for switching user privilege level can be stored in cipher text or in simple text. Use cipher text: a simple-text password is readable by anyone who can view the configuration.
When the authentication mode is local, configure the local password before switching a user to a higher privilege level. When the authentication mode is scheme, configure the AAA parameters before switching a user to a higher privilege level.
The timeout time of AAA authentication is 120 seconds; after that, the AAA authentication is considered to have received no response.
The privilege level switch fails after three consecutive unsuccessful attempts.

Modifying command level

All the commands in a view are assigned default levels, as shown in Table 5-7. The administrator can modify the level of a command, either to let lower-level users use a command that has a higher default level, or to raise the level of a command to improve AC security. Follow these steps to modify the command level:

Enter system view
  system-view
Configure the command level in a specified view
  command-privilege level level view view command
  Required. See Table 5-7 for the default settings.

You are recommended to use the default command levels, or to modify them only under the guidance of professional staff; otherwise, changing command levels may make maintenance and operation inconvenient, or even open a security hole (for example, lowering a level 3 configuration command to level 0 makes it available to every monitoring-only login).
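The rules above (user privilege level per user interface, hierarchical command protection, the four super authentication modes, the console pass-through when no super password exists, the three-failure limit, and command-privilege changes) interact in ways that are easy to misconfigure. The following is an added example, not H3C code, that models them so the outcome of a given configuration can be checked. Device, Session, the command-level table, and the reduction of AAA to a username/password lookup are my own constructions; the view argument of command-privilege is ignored.

```python
"""Model of Comware user privilege levels and the `super` switch rules described
on this page: added example, not H3C code. Device, Session and the command-level
table are constructed for illustration (the view argument of command-privilege
is ignored, and AAA is reduced to a username/password lookup)."""
from dataclasses import dataclass, field

CONSOLE, AUX, VTY = "console", "aux", "vty"   # user interface types named on the page

# Constructed command-level table. Levels 0 and 1 follow the user-view listings
# above; system-view (2) and command-privilege (3) are assumed for illustration.
DEFAULT_COMMAND_LEVELS = {
    "ping": 0, "tracert": 0, "display": 0,
    "debugging": 1, "reset": 1, "terminal": 1,
    "system-view": 2,
    "command-privilege": 3,
}

@dataclass
class Device:
    super_auth: tuple = ("local",)                        # super authentication-mode { local | scheme } *
    super_passwords: dict = field(default_factory=dict)   # level -> password (super password [ level N ])
    aaa_users: dict = field(default_factory=dict)         # username -> password known to the AAA server
    aaa_configured: bool = True                           # domain parameters / authentication scheme present
    aaa_server_responds: bool = True                      # False models the 120 s timeout with no response
    command_levels: dict = field(default_factory=lambda: dict(DEFAULT_COMMAND_LEVELS))

    def command_privilege(self, command, level):
        """command-privilege level <level> view <view> <command> (view ignored here)."""
        self.command_levels[command] = level

@dataclass
class Session:
    interface: str                 # CONSOLE, AUX or VTY
    login_level: int               # `user privilege level` of the user interface
    login_auth: str = "password"   # authentication-mode none | password | scheme
    username: str = None           # known only when login_auth is scheme
    failures: int = 0              # consecutive failed switch attempts
    level: int = field(init=False, default=0)

    def __post_init__(self):
        self.level = self.login_level

    def relogin(self):
        """A switch is temporary: logging in again restores the original level."""
        self.level, self.failures = self.login_level, 0

    def can_execute(self, dev, command):
        """Hierarchical command protection: own level or lower only."""
        return dev.command_levels[command] <= self.level

def _local(dev, target, password):
    """'ok', 'fail', or 'no_password' when no super password exists for target."""
    expected = dev.super_passwords.get(target)
    if expected is None:
        return "no_password"
    return "ok" if password == expected else "fail"

def _scheme(dev, sess, username, password):
    """'ok', 'fail', or 'unavailable' when AAA is unconfigured or does not answer."""
    if not dev.aaa_configured or not dev.aaa_server_responds:
        return "unavailable"
    # With login auth none/password the AC prompts for a username; with scheme
    # the login username is reused.
    name = sess.username if sess.login_auth == "scheme" else username
    return "ok" if name in dev.aaa_users and dev.aaa_users[name] == password else "fail"

def super_switch(dev, sess, target, password=None, username=None):
    """`super [ level ]`: returns True if the session now runs at target."""
    if target <= sess.level:                      # rule 1: no credential needed
        sess.level = target
        return True
    if sess.failures >= 3:                        # three consecutive failures: the switch fails
        return False
    console = sess.interface == CONSOLE           # console port, or AUX used as console
    mode = dev.super_auth
    if mode == ("local",):
        r = _local(dev, target, password)
        ok = r == "ok" or (r == "no_password" and console)
    elif mode == ("scheme",):
        ok = _scheme(dev, sess, username, password) == "ok"
    elif mode == ("local", "scheme"):             # local first, AAA only if no local password
        r = _local(dev, target, password)
        if r == "no_password":
            ok = console or _scheme(dev, sess, username, password) == "ok"
        else:
            ok = r == "ok"
    elif mode == ("scheme", "local"):             # AAA first, local only if AAA is unavailable
        r = _scheme(dev, sess, username, password)
        if r == "unavailable":
            rl = _local(dev, target, password)
            ok = rl == "ok" or (rl == "no_password" and console)
        else:
            ok = r == "ok"
    else:
        raise ValueError("super authentication-mode must be local, scheme, local scheme or scheme local")
    if ok:
        sess.level, sess.failures = target, 0
    else:
        sess.failures += 1
    return ok
```

The case worth noticing is the default: with super authentication-mode local and no super password configured, a console session can reach level 3 with no credential at all, while a VTY session cannot. That is why the page requires a local password to be set before any remote user can switch up, and why scheme local should be read as "falls back to the local password whenever the AAA server is unreachable".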

Configuring the Number of Concurrent Users

Follow these steps to configure the number of concurrent users:

Enter system view
  system-view
Configure the number of concurrent users
  configure-user count number
  Optional. By default, two users are allowed to be in system view at the same time.

When multiple users enter system view at the same time to configure the same attribute, only the last configuration applies. When the number of users has reached the limit, other users cannot enter system view.

Displaying and Maintaining Basic Configurations

Display information about the system version
  display version
Display information about the system clock
  display clock
Display defined command aliases and the corresponding commands
  display command-alias
Display information about terminal users
  display users [ all ]
Display the users that have logged in to the AC and that are not in user view
  display configure-user
Display the valid configuration under the current view
  display this [ by-linenum ]
Display clipboard information
  display clipboard
Display and save the running status statistics of multiple modules
  display diagnostic-information
All of these commands are available in any view.

During daily maintenance, or when the system is operating abnormally, you need to display the running status of each functional module to locate the problem. Normally you would execute the corresponding display command for each module, because each module has its own running information. To collect more information at one time, you can execute the display diagnostic-information command to display or save the running status statistics of multiple modules in the system. Executing the display diagnostic-information command is equivalent to executing the display clock, display version, display device, and display current-configuration commands one by one; the exact set of commands depends on the AC model. Because the output includes the current configuration, treat saved diagnostic files as sensitive.

For more information about the display users command, see User Interface Commands. The display commands discussed above are for the global configuration.

CLI Features

This section covers the following topics:
Introduction to CLI
Online Help with Command Lines
Synchronous Information Output
Undo Form of a Command
Editing Features
CLI Display
Saving History Commands
Command Line Error Information

Introduction to CLI

The CLI is the interaction interface between ACs and users. Through the CLI, you configure your ACs by entering commands, view the output, and verify your configurations, which facilitates configuration and management of your ACs. The CLI provides the following features for configuring and managing ACs:
Hierarchical command protection: you can only execute the commands at your own level or lower levels. See Configuring User Privilege Levels and Command Levels for details.
Easy access to online help by entering ?. See Online Help with Command Lines for details.
Abundant debugging information for fault diagnosis.
Saving and re-executing commands that have been executed.
Fuzzy match for convenience of input. When you execute a command, you can enter only part of the characters of a keyword; to make sure the intended command is executed, the command runs only when you have entered enough characters to make it unique. Take the commands save, startup saved-configuration, and system-view, which all start with s, as an example: to save the current configuration, you must enter at least sa; to set the configuration file for the next startup, at least st s; to enter system view, at least sy. You can press Tab to complete the command, or enter the complete command.

Online Help with Command Lines

The following types of online help are available with the CLI:
Full help
Fuzzy help
To obtain the desired help information, you can:

1) Enter ? in any view to list all the commands in this view with a brief description of each.

<Sysname> ?
User view commands:
  archive      Specify archive settings
  backup       Backup next startup-configuration file to TFTP server
  boot-loader  Set boot loader
  bootrom      Update/read/backup/restore bootrom
  cd           Change current directory
  clock        Specify the system clock
  copy         Copy from one file to another
  debugging    Enable system debugging functions
  delete       Delete a file
  dir          List files on a file system
  display      Display current system information
  ......omitted......

2) Enter a command and a ? separated by a space. If the ? is at the position of a keyword, all the keywords are listed with a brief description.

<Sysname> terminal ?
  debugging  Send debug information to terminal
  logging    Send log information to terminal
  monitor    Send information output to current terminal
  trapping   Send trap information to terminal

3) Enter a command and a ? separated by a space. If the ? is at the position of a parameter, the description of this parameter is given.

<Sysname> system-view
[Sysname] interface vlan-interface ?
  <1-4094>  VLAN interface number
[Sysname] interface vlan-interface 1 ?
  <cr>
[Sysname] interface vlan-interface 1

Here, <cr> indicates that there is no parameter at this position. The command is then repeated on the next command line and executed if you press Enter.

4) Enter a character string followed by a ?. All the commands starting with this string are displayed.

<Sysname> c?
  cd
  clock
  copy

5) Enter a command followed by a character string and a ?. All the keywords starting with this string are listed.

<Sysname> display cl?
  clipboard
  clock

6) Press Tab after entering the first several letters of a keyword to display the complete keyword, provided these letters uniquely identify the keyword in this command. If several matches are found, the complete keyword that is matched first is displayed (the matching rule: the letters following the input letters are compared in alphabetical order, and the keyword that sorts first is matched first). If you repeatedly press Tab, all the keywords starting with the letters you entered are displayed in turn, and you can select the keyword you need.

Synchronous Information Output


Synchronous information output refers to the feature that, if your input is interrupted by system output, the system displays a command line prompt and your input so far after the output completes, so you can continue from where you were interrupted. You can use the info-center synchronous command to enable synchronous information output. For more information about this function, see Information Center in the Network Management and Monitoring Configuration Guide.

Undo Form of a Command


Adding the keyword undo can form an undo command. Almost every configuration command has an undo form. undo commands are generally used to restore the system default, disable a function or cancel a configuration. For example, the info-center enable command is used to enable the information center, while the undo info-center enable command is used to disable the information center. (By default, the information center is enabled.)

Editing Features
The CLI provides the basic command editing functions and supports multi-line editing. When you enter a command, the system automatically wraps to the next line when the maximum line length is reached. You cannot press Enter to go to the next line; doing so executes the command. The maximum length of a command is 510 characters. Table 18-4 lists these functions.

Table 18-4 Edit functions

Common keys
  If the editing buffer is not full, inserts the character at the cursor position and moves the cursor one character to the right.
Backspace
  Deletes the character to the left of the cursor and moves the cursor back one character.
Left-arrow key or Ctrl+B
  Moves the cursor one character to the left.
Right-arrow key or Ctrl+F
  Moves the cursor one character to the right.
Up-arrow key or Ctrl+P, Down-arrow key or Ctrl+N
  Display history commands.
Tab
  Pressing Tab after entering part of a keyword enables the fuzzy help function. If a unique match is found, the system substitutes the complete keyword for the incomplete one and displays it on the next line. When there are several matches, repeatedly pressing Tab cycles through all the keywords starting with the letters you entered. If there is no match, the system leaves the incomplete keyword unchanged and displays it again on the next line.

When editing the command line, you can use other shortcut keys (for details, see Table 18-2) besides those defined in Table 18-4, or you can define your own shortcut keys (for details, see Configuring CLI Hotkeys).

CLI Display
With the output information filtering function, you can quickly find the information you are interested in. When there is a lot of information to be output, the system displays the information in multiple screens.

Filtering the output information

The AC can filter the output information: you specify a regular expression to search for the information you need. You can filter the output in two ways:
Enter the begin, exclude or include keyword plus a regular expression in the CLI to filter the output.
When the system displays the information in multiple screens, enter /, - or + plus a regular expression. / equals the keyword begin, - equals the keyword exclude, and + equals the keyword include.
The begin, exclude and include keywords are defined as follows:
begin: Displays the first line that matches the regular expression and all subsequent lines.
exclude: Displays the lines that do not match the regular expression.
include: Displays only the lines that match the regular expression.
A regular expression is a case-sensitive string of 1 to 256 characters. It also supports the special characters shown in Table 18-5.

Table 18-5 Special characters in a regular expression

^string
  Starting sign: string appears only at the beginning of a line.
  For example, ^user matches only a string beginning with user, not Auser.
string$
  Ending sign: string appears only at the end of a line.
  For example, user$ matches only a string ending with user, not userA.
.
  Full stop: a wildcard that stands for any single character, including special characters and blanks.
  For example, .l can match vlan or mpls.
*
  Asterisk: matches the character or character group before it zero or more times.
  For example, zo* can match z and zoo; (zo)* can match zo and zozo.
+
  Plus sign: matches the character or character group before it one or more times.
  For example, zo+ can match zo and zoo, but not z.
|
  Vertical bar: matches the whole string on either its left or its right.
  For example, def|int matches a string containing def or int.
_
  Underline: at the beginning or end of a regular expression it equals ^ or $; elsewhere it stands for a comma, space, round bracket or curly bracket.
  For example, a_b can match a b or a(b; _ab matches only a line starting with ab; ab_ matches only a line ending with ab.
-
  Hyphen: connects two values (the smaller one before it, the bigger one after it) to indicate a range, used inside [ ].
  For example, 1-9 means the numbers 1 to 9 (inclusive); a-h means the letters a to h (inclusive).
[ ]
  A range of characters: matches any one character in the specified range.
  For example, [16A] matches a string containing any of 1, 6 and A; [1-36A] matches a string containing any of 1, 2, 3, 6 and A (the - here is a hyphen). A ] can be matched as an ordinary character inside [ ] only when it is placed first, for example [ ]string]. There is no such restriction on [.
( )
  A character group, usually used with + or *.
  For example, (123A) is the character group 123A; 408(12)+ can match 40812 or 408121212, but not 408.
\index
  Repeats the specified character group once. A character group is a string in ( ) before the \; index is the sequence number (counting from 1, left to right) of the character group before the \: if only one group appears before \, index can only be 1; if n groups appear, index can be any integer from 1 to n.
  For example, (string)\1 repeats string once and matches a string containing stringstring; (string1)(string2)\2 repeats string2 once and matches a string containing string1string2string2; (string1)(string2)\1\2 repeats string1 once and then string2 once and matches a string containing string1string2string1string2.
[^]
  Matches any character not in the specified range.
  For example, [^16A] matches a string containing any character other than 1, 6 and A; the string may also contain 1, 6 or A, but cannot consist of only these three characters. [^16A] can match abc and m16, but not 1, 16 or 16A.
\<string
  Matches a word or string starting with string.
  For example, \<do can match the word domain or the string doa.
string\>
  Matches a word or string ending with string.
  For example, do\> can match the word undo or the string abcdo.
\bcharacter2
  Matches character1character2, where character1 can be any character except a digit, letter or underline; \b equals [^A-Za-z0-9_].
  For example, \ba can match -a, with - as character1 and a as character2; \ba cannot match 2a or ba.
\Bcharacter
  Matches a string containing character, with no space before character.
  For example, \Bt can match the t in install, but not the t in big top.
character1\w
  Matches character1character2, where character2 must be a digit, letter or underline; \w equals [A-Za-z0-9_].
  For example, v\w can match vlan, with v as character1 and l as character2; v\w can also match service, with i as character2.
\W
  Equals \b.
  For example, \Wa can match -a, with - as character1 and a as character2; \Wa cannot match 2a or ba.
\
  Escape character. When a special character listed in this table follows \, its special meaning is removed.
  For example, \\ matches a string containing \, \^ matches a string containing ^, and \\b matches a string containing \b.
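The three filter keywords and their paging shortcuts are easiest to understand by running them over real output. The following is an added example, not H3C code: it applies begin, exclude and include to a constructed excerpt of display current-configuration output, using Python's re in place of the AC's regex engine. The tokens of Table 18-5 that Python spells differently (_, \< and \>) are translated by translate_pattern(); the sample text, the helper names and the assumption that the remaining tokens behave identically in Python are mine.

```python
"""Output filtering with begin, exclude and include (and the /, - and + paging
shortcuts) as described on this page, run over a constructed excerpt of
display current-configuration output. Added example, not H3C code: Python's re
stands in for the AC's regex engine, so translate_pattern() maps the tokens of
Table 18-5 that Python spells differently (_, \\< and \\>); the rest of the table
already has the same meaning in Python."""
import re

# Constructed sample output; not captured from a device.
SAMPLE_OUTPUT = """\
#
 sysname AC1
#
acl number 2001
 rule 0 permit source 10.1.1.0 0.0.0.255
#
user-interface vty 0 4
 authentication-mode none
 user privilege level 1
#
 ip http enable
#""".splitlines()

def translate_pattern(pattern):
    """Rewrite Comware-specific tokens into Python re syntax.
    \\<string -> word starting with string; string\\> -> word ending with string;
    a leading or trailing _ -> ^ or $; any other unescaped _ -> one of , space ( ) { }.
    (An _ inside [ ] is rewritten too, which is a simplification.)"""
    p = pattern.replace(r"\<", r"\b(?=\w)").replace(r"\>", r"(?<=\w)\b")
    if p.startswith("_"):
        p = "^" + p[1:]
    if p.endswith("_") and not p.endswith(r"\_"):
        p = p[:-1] + "$"
    return re.sub(r"(?<!\\)_", r"[ ,(){}]", p)

def filter_output(lines, mode, pattern):
    """begin: the first matching line and everything after it;
    exclude: every line that does not match; include: only matching lines.
    Matching is case sensitive, as on the AC."""
    rx = re.compile(translate_pattern(pattern))
    if mode == "begin":
        for i, line in enumerate(lines):
            if rx.search(line):
                return list(lines[i:])
        return []
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    raise ValueError("mode must be begin, exclude or include")

# At a paging prompt the same three filters are typed as /, - and + plus the regex.
PAGING_KEYS = {"/": "begin", "-": "exclude", "+": "include"}

def filter_from_paging_key(lines, typed):
    """typed is e.g. '/user-interface', '-^#' or '+permit'."""
    return filter_output(lines, PAGING_KEYS[typed[0]], typed[1:])

if __name__ == "__main__":
    for line in filter_output(SAMPLE_OUTPUT, "begin", "user-interface"):
        print(line)
```

A practical use of include when auditing an AC is display current-configuration | include authentication-mode|privilege, which pulls out exactly the lines that decide who can log in and at what level; note that a pattern such as authentication-mode_none needs the underline (or a space) because a plain hyphen in the pattern is only special inside [ ].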

Multiple-screen output

When there is a lot of information to be output, the system displays the information in multiple screens. Generally, 24 lines are displayed on one screen; you can use the screen-length command to set the number of lines displayed on the next screen. (For more information about this command, see User Interface in the Fundamentals Command Reference.) You can follow the step below to disable the multiple-screen output function for the current user.

Disable the multiple-screen output function for the current user
  screen-length disable
  Required. By default, a login user uses the settings of the screen-length command, whose defaults are: multiple-screen output enabled and 24 lines displayed on the next screen. This command is executed in user view and therefore applies to the current user only. When the user logs in again, the setting is restored to the system default.

Display functions

When the information displayed exceeds one screen, you can pause the display and use the operations shown in Table 18-6.

Table 18-6 Display functions

Press Space when the display pauses
  Continues to display the next screen page.
Press Enter when the display pauses
  Continues to display the next line.
Press Ctrl+C when the display pauses
  Stops the display and the command execution.
Ctrl+E
  Moves the cursor to the end of the current line.
PageUp
  Displays information on the previous page.
PageDown
  Displays information on the next page.

Saving History Commands

The CLI automatically saves the commands that you have used recently to the history buffer. You can see the operations that were executed successfully, and invoke and repeat them as needed. By default, the CLI saves up to ten commands for each user. You can use the history-command max-size command to set the capacity of the history command buffer for the current user interface (for more information about the history-command max-size command, see User Interface in the Fundamentals Command Reference). In addition:
The commands saved in the history buffer are in the same format as the commands you entered. If you enter an incomplete command, the command saved in the history buffer is also incomplete.
If you execute the same command repeatedly, the AC saves only the earliest instance. However, if you execute the same command in different formats, the system considers them different commands. For example, if you execute the display cu command repeatedly, the system saves only one command in the history buffer; if you execute display cu and display current-configuration respectively, the system saves them as two commands.

Follow these steps to access history commands:

View the history commands
  display history-command
  Displays the commands that you have entered.
Access the previous history command
  Up-arrow key or Ctrl+P
  Displays the earlier history command, if there is one.
Access the next history command
  Down-arrow key or Ctrl+N
  Displays the later history command, if there is one.

You can use the arrow keys to access history commands in Windows 200X and XP Terminal or Telnet. However, the up-arrow and down-arrow keys do not work in Windows 9X HyperTerminal, because they are defined differently there; use Ctrl+P and Ctrl+N instead.

Command Line Error Information

Commands are executed only if they have no syntax error; otherwise, error information is reported. Table 18-7 lists some common errors.

Table 18-7 Common command line errors

% Unrecognized command found at '^' position.
  The command was not found; the keyword was not found; parameter type error; or the parameter value is beyond the allowed range.
% Incomplete command found at '^' position.
  Incomplete command.
% Ambiguous command found at '^' position.
  Ambiguous command.
Too many parameters
  Too many parameters.
% Wrong parameter found at '^' position.
  Wrong parameter.
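The fuzzy-match rule from Introduction to CLI (a command runs once enough characters make it unique), the Tab completion order, and the error strings of Table 18-7 all follow from one prefix-matching pass over a command tree. The following is an added example, not H3C code, that implements that pass over a constructed subset of commands. The tree (which mixes user view and system view commands and ignores views), the node layout and the helper names are my own; the error texts are the table's, and the column returned is where the AC would print the ^ marker.

```python
"""Fuzzy (unique-prefix) keyword matching, Tab completion order, and the error
strings of Table 18-7, modelled over a constructed command tree. Added example,
not H3C code: the tree is a small subset that mixes user view and system view
commands (save, startup, system-view, display ..., interface vlan-interface)
and ignores views; error texts are taken from the table, and the caret column
is where the AC would print '^'."""

def node(end=False, kw=None, int_range=None):
    """A command-tree node: end marks a complete command, kw the keywords that may
    follow, int_range=(lo, hi, next_node) an integer parameter slot."""
    return {"end": end, "kw": kw or {}, "int": int_range}

TREE = node(kw={
    "save": node(end=True),
    "startup": node(kw={"saved-configuration": node(end=True)}),
    "system-view": node(end=True),
    "screen-length": node(kw={"disable": node(end=True)}),
    "display": node(kw={
        "clipboard": node(end=True),
        "clock": node(end=True),
        "current-configuration": node(end=True),
        "users": node(end=True, kw={"all": node(end=True)}),
    }),
    "interface": node(kw={"vlan-interface": node(int_range=(1, 4094, node(end=True)))}),
})

UNRECOGNIZED = "% Unrecognized command found at '^' position."
INCOMPLETE = "% Incomplete command found at '^' position."
AMBIGUOUS = "% Ambiguous command found at '^' position."
TOO_MANY = "Too many parameters"

class CommandError(Exception):
    def __init__(self, msg, col):
        super().__init__(msg)
        self.msg, self.col = msg, col

def resolve(line, tree=TREE):
    """Expand an abbreviated command line to full keywords, or raise CommandError."""
    cur, expanded, col = tree, [], 0
    for tok in line.split():
        col = line.index(tok, col)                  # column of the token (where '^' goes)
        cands = sorted(k for k in cur["kw"] if k.startswith(tok))
        if len(cands) == 1:                         # enough characters to be unique
            expanded.append(cands[0])
            cur = cur["kw"][cands[0]]
        elif len(cands) > 1:
            raise CommandError(AMBIGUOUS, col)
        elif cur["int"] is not None:                # a parameter slot
            lo, hi, nxt = cur["int"]
            if not tok.isdigit() or not lo <= int(tok) <= hi:
                raise CommandError(UNRECOGNIZED, col)   # type error or out of range
            expanded.append(tok)
            cur = nxt
        elif cur["end"] and not cur["kw"]:          # command already complete
            raise CommandError(TOO_MANY, col)
        else:
            raise CommandError(UNRECOGNIZED, col)
        col += len(tok)
    if not cur["end"]:
        raise CommandError(INCOMPLETE, len(line))
    return " ".join(expanded)

def tab_candidates(line, tree=TREE):
    """Keywords offered by Tab for the last (partial) token, alphabetically: the
    first is what the first Tab press inserts, later presses cycle through the rest."""
    tokens = line.split()
    if not tokens or line.endswith(" "):
        tokens.append("")
    *done, partial = tokens
    cur = tree
    for tok in done:
        cands = [k for k in cur["kw"] if k.startswith(tok)]
        if len(cands) != 1:
            return []
        cur = cur["kw"][cands[0]]
    return sorted(k for k in cur["kw"] if k.startswith(partial))

def error_for(line):
    """Convenience wrapper returning (msg, col) instead of raising, or None on success."""
    try:
        resolve(line)
        return None
    except CommandError as e:
        return e.msg, e.col
```

The point for anyone reading device logs or command accounting records is the one the history section makes: what the AC records is the abbreviated form the operator typed (sa, st s), so a search of accounting data for "save" or "startup" has to use the same prefix resolution rather than a literal string match.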


19

HTTP Configuration

This chapter includes these sections:
HTTP Overview
Enabling the HTTP Service
Configuring the Port Number of the HTTP Service
Associating the HTTP Service with an ACL
Displaying and Maintaining HTTP

HTTP Overview

The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet. It is an application-layer protocol in the TCP/IP protocol suite and uses the connection-oriented Transmission Control Protocol (TCP) at the transport layer. Currently, HTTP/1.0 is supported on the device.

How HTTP Works

HTTP uses the client/server model for communication. The client and the server exchange messages as follows:
1) A TCP connection is created between the client and the server. Typically, the server port number is 80.
2) The client sends a request to the server.
3) The server processes the request and sends back a response.
4) The TCP connection is closed.

Logging In to the Access Controller (AC) Through HTTP

With the HTTP service enabled, you can log in to the AC through HTTP and access and control the AC with Web-based network management. To manage the AC securely, use the following methods to reduce the exposure of the HTTP service:
Enable the HTTP service only when necessary.
Change the port number of the HTTP service from a commonly used port (80 or 8080) to a less common one. This reduces opportunistic attacks on the HTTP service, but only hides the service from casual scanning; it is not an access control.
Associate the HTTP service with an ACL so that only the clients permitted by the ACL can reach it.
HTTP carries usernames, passwords and configuration data in cleartext; wherever possible, use the HTTPS service described in the next chapter instead.

Protocols and Standards

RFC 1945: Hypertext Transfer Protocol HTTP/1.0

Enabling the HTTP Service

The AC can act as the HTTP server, and users can access and control the AC through the Web function, only after the HTTP service is enabled. Follow these steps to enable the HTTP service:

Enter system view
  system-view
Enable the HTTP service
  ip http enable
  Required. Enabled by default.

Because the HTTP service is enabled by default, disable it with the undo ip http enable command on ACs that are not managed through the Web interface, or that are managed through HTTPS only.

Configuring the Port Number of the HTTP Service

Configuring the port number of the HTTP service can reduce attacks from illegal users on the HTTP service. Follow these steps to configure the port number of the HTTP service:

Enter system view
  system-view
Configure the port number of the HTTP service
  ip http port port-number
  Required. By default, the port number of the HTTP service is 80.

If you execute the ip http port command multiple times, the last configured port number is used.

Associating the HTTP Service with an ACL

By associating the HTTP service with an ACL, you allow only the clients that pass the ACL filtering to access the AC. Follow these steps to associate the HTTP service with an ACL:

Enter system view
  system-view
Associate the HTTP service with an ACL
  ip http acl acl-number
  Required. The HTTP service is not associated with an ACL by default.

The HTTP service can be associated with a WLAN ACL (ACL numbers 100 to 199) and a basic ACL (ACL numbers 2000 to 2999), and the two types of ACLs do not overwrite each other. ACLs of the same type do overwrite each other: if you execute the ip http acl command multiple times with ACLs of the same type, the HTTP service is associated only with the last specified ACL. When the HTTP service is associated with a WLAN ACL, the HTTP service uses that ACL to filter wireless clients only; wired clients are not filtered by it. An ACL restricts access by source only and does not replace authentication, so keep it in addition to, not instead of, login credentials and the HTTPS service. For more information about ACLs, see ACL in the ACL and QoS Configuration Guide.
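The binding rules above (one basic ACL and one WLAN ACL may coexist, a second ACL of the same type replaces the first, the WLAN ACL applies to wireless clients only) apply equally to the ip https acl association in the next chapter. The following is an added example, not H3C code, that models them together with the wildcard-mask matching of basic ACL rules. The basic rule form and its inverse-mask semantics follow Comware's rule permit source address wildcard; the WLAN rule form rule permit ssid name is my reading of the WX ACL syntax; the ACL numbers, rules and client addresses are constructed; and the behaviour for a client that matches no rule (denied here) is an assumption, since this page does not state the default.

```python
"""Model of the ACL filtering applied by `ip http acl` (and `ip https acl`):
added example, not H3C code. The basic ACL rule form and its wildcard-mask
semantics follow Comware's `rule permit source <addr> <wildcard>`; the WLAN ACL
rule form `rule permit ssid <name>` is my reading of the WX ACL syntax; the ACL
numbers, rules and client addresses are constructed. Assumption: a client that
matches no rule of an associated ACL is denied (the page does not state the
default)."""
import ipaddress

def parse_rule(text):
    """Parse 'rule N permit|deny source A.B.C.D WILDCARD', 'rule N permit|deny
    source any' or 'rule N permit|deny ssid NAME' into (action, kind, match)."""
    _, _, action, kind, *rest = text.split()
    if action not in ("permit", "deny"):
        raise ValueError(text)
    if kind == "source":
        if rest[0] == "any":
            return action, kind, (0, 0xFFFFFFFF)
        return action, kind, (int(ipaddress.IPv4Address(rest[0])),
                              int(ipaddress.IPv4Address(rest[1])))
    if kind == "ssid":
        return action, kind, rest[0]
    raise ValueError(text)

class Acl:
    def __init__(self, number, rules=()):
        if 100 <= number <= 199:
            self.kind = "wlan"
        elif 2000 <= number <= 2999:
            self.kind = "basic"
        else:
            raise ValueError("ip http acl accepts WLAN (100-199) or basic (2000-2999) ACLs")
        self.number = number
        self.rules = [parse_rule(r) for r in rules]
        for _, kind, _ in self.rules:
            if (kind == "ssid") != (self.kind == "wlan"):
                raise ValueError("rule type does not match ACL type")

    def permits(self, client_ip=None, ssid=None):
        """First matching rule wins (configuration order). A wildcard bit set
        to 1 means 'do not care' for that address bit."""
        ip = int(ipaddress.IPv4Address(client_ip)) if client_ip else None
        for action, kind, match in self.rules:
            if kind == "source" and ip is not None:
                src, wild = match
                if (ip ^ src) & ~wild & 0xFFFFFFFF == 0:
                    return action == "permit"
            elif kind == "ssid" and match == ssid:
                return action == "permit"
        return False    # assumption: no match -> denied

class HttpService:
    """Tracks the association rules from the note above: one basic and one WLAN
    ACL may be bound at once; binding a second ACL of the same kind replaces
    the first; the WLAN ACL filters wireless clients only."""
    def __init__(self):
        self.acls = {}

    def ip_http_acl(self, acl):
        self.acls[acl.kind] = acl

    def allows(self, client_ip, ssid=None):
        """ssid is None for a wired client."""
        basic = self.acls.get("basic")
        if basic is not None and not basic.permits(client_ip=client_ip):
            return False
        wlan = self.acls.get("wlan")
        if ssid is not None and wlan is not None and not wlan.permits(ssid=ssid):
            return False
        return True
```

Two things the model makes visible: the replacement rule means that re-issuing ip http acl with a different basic ACL number silently drops the previous one rather than adding to it, and a basic ACL whose rules are all permit still ends in the (assumed) implicit deny, so a management subnet that is omitted from the rules loses Web access the moment the ACL is bound.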

Displaying and Maintaining HTTP

Display information about HTTP
  display ip http
  Available in any view.

20

HTTPS Configuration

This chapter includes these sections:
HTTPS Overview
HTTPS Configuration Task List
Associating the HTTPS Service with an SSL Server Policy
Enabling the HTTPS Service
Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Configuring the Port Number of the HTTPS Service
Associating the HTTPS Service with an ACL
Displaying and Maintaining HTTPS
HTTPS Configuration Example

HTTPS Overview

Secure HTTP (HTTPS) is HTTP carried over the Secure Sockets Layer (SSL) protocol. The SSL protocol enhances the security of the AC in the following ways:
Ensures that legitimate clients can access the AC securely, and prohibits illegitimate clients.
Encrypts the data exchanged between the HTTPS client and the AC to ensure the confidentiality and integrity of the data, thus realizing secure management of the AC.
Allows a certificate attribute-based access control policy to be defined for the AC to control the access rights of clients, further reducing exposure to attacks from illegitimate clients.

The total number of HTTP connections and HTTPS connections on an AC cannot exceed 10.
For more information about SSL, see SSL in the Security Configuration Guide.

HTTPS Configuration Task List

Complete these tasks to configure HTTPS:

Associating the HTTPS Service with an SSL Server Policy
  Required
Enabling the HTTPS Service
  Required
Associating the HTTPS Service with a Certificate Attribute Access Control Policy
  Optional
Configuring the Port Number of the HTTPS Service
  Optional
Associating the HTTPS Service with an ACL
  Optional

Associating the HTTPS Service with an SSL Server Policy

You must associate the HTTPS service with an existing SSL server policy before enabling the HTTPS service. Follow these steps to associate the HTTPS service with an SSL server policy:

Enter system view
  system-view
Associate the HTTPS service with an SSL server policy
  ip https ssl-server-policy policy-name
  Required. Not associated by default.

If the ip https ssl-server-policy command is executed repeatedly, the HTTPS service is associated only with the last specified SSL server policy.
When the HTTPS service is disabled, the association between the HTTPS service and the SSL server policy is automatically removed. To enable the service again, you must re-associate the HTTPS service with an SSL server policy.
While the HTTPS service is enabled, modifications to its associated SSL server policy do not take effect.

Enabling the HTTPS Service

The AC can act as the HTTPS server, and users can access and control the AC through the Web function, only when the HTTPS service is enabled. Follow these steps to enable the HTTPS service:

Enter system view
  system-view
Enable the HTTPS service
  ip https enable
  Required. Disabled by default.

After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration.
Enabling the HTTPS service triggers an SSL handshake negotiation. If the local certificate of the AC already exists, the SSL negotiation succeeds and the HTTPS service starts normally. If no local certificate exists, the SSL negotiation triggers a certificate application process. Because the application takes a long time, the SSL negotiation may fail and the HTTPS service may not start normally; in that case, execute the ip https enable command again (possibly more than once) until the service starts, and confirm the result with display ip https.

Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Associating the HTTPS service with a configured certificate access control policy lets you control the access rights of clients, which gives the AC enhanced security. Follow these steps to associate the HTTPS service with a certificate attribute access control policy:
To do                                                                          Use the command                                          Remarks
Enter system view                                                              system-view
Associate the HTTPS service with a certificate attribute access control policy   ip https certificate access-control-policy policy-name   Required. Not associated by default.

If the ip https certificate access-control-policy command is executed repeatedly, the HTTPS server is associated only with the last specified certificate attribute access control policy.
If the HTTPS service is associated with a certificate attribute access control policy, the client-verify enable command must be configured in the SSL server policy. Otherwise, the client cannot log in to the AC.
If the HTTPS service is associated with a certificate attribute access control policy, the policy must contain at least one permit rule. Otherwise, no HTTPS client can log in to the AC.
For the configuration of an SSL server policy, see PKI in the Security Configuration Guide.
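To make the certificate attribute access control logic concrete, here is an added Python model (not H3C code and not part of this guide) of how a policy such as myacp in the configuration example later in this chapter decides whether a client certificate may log in. It assumes that ctn means "contains", that a certificate matches an attribute group only when every attribute in the group matches, that rules are evaluated in number order with the first matching rule deciding, and that a certificate matching no rule is denied; the sample certificates are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ClientCert:
    """The certificate fields an attribute rule can test (constructed sample data;
    a real check would read them from the client's X.509 certificate)."""
    subject_dn: str
    issuer_dn: str
    subject_fqdn: str = ""
    subject_ip: str = ""


@dataclass
class Attribute:
    """One 'attribute <n> <subject-name|issuer-name> <dn|fqdn|ip> <op> <value>' line."""
    name_field: str   # "issuer-name" or "subject-name"
    kind: str         # "dn", "fqdn" or "ip"
    op: str           # ctn / nctn / equ / nequ; ctn is assumed to mean "contains"
    value: str

    def matches(self, cert: ClientCert) -> bool:
        if self.kind == "dn":
            target = cert.issuer_dn if self.name_field == "issuer-name" else cert.subject_dn
        elif self.kind == "fqdn":
            target = cert.subject_fqdn
        elif self.kind == "ip":
            target = cert.subject_ip
        else:
            raise ValueError(f"unknown attribute kind {self.kind}")
        if self.op == "ctn":
            return self.value in target
        if self.op == "nctn":
            return self.value not in target
        if self.op == "equ":
            return self.value == target
        if self.op == "nequ":
            return self.value != target
        raise ValueError(f"unknown operator {self.op}")


@dataclass
class AttributeGroup:
    """'pki certificate attribute-group <name>' with its attribute lines."""
    name: str
    attributes: List[Attribute] = field(default_factory=list)

    def matches(self, cert: ClientCert) -> bool:
        # Assumption: a certificate matches a group only when every attribute matches
        # (an empty group therefore imposes no constraint).
        return all(a.matches(cert) for a in self.attributes)


@dataclass
class Rule:
    number: int
    action: str   # "permit" or "deny"
    group: str


class AccessControlPolicy:
    """'pki certificate access-control-policy <name>' with its ordered rules."""

    def __init__(self, name: str, groups: Dict[str, AttributeGroup]) -> None:
        self.name = name
        self.groups = groups
        self.rules: List[Rule] = []

    def add_rule(self, number: int, action: str, group: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("rule action must be permit or deny")
        kept = [r for r in self.rules if r.number != number]  # re-issuing a number replaces it
        self.rules = sorted(kept + [Rule(number, action, group)], key=lambda r: r.number)

    def has_permit_rule(self) -> bool:
        return any(r.action == "permit" for r in self.rules)

    def decide(self, cert: ClientCert) -> str:
        """Return 'permit' or 'deny'. Rules are tried in number order and the first
        matching rule wins; a certificate matching no rule is denied (assumption)."""
        for rule in self.rules:
            group = self.groups.get(rule.group)
            if group is not None and group.matches(cert):
                return rule.action
        return "deny"


def https_login_allowed(policy: AccessControlPolicy, cert: ClientCert, client_verify: bool) -> bool:
    """Folds in the two caveats from the text: with a policy associated, the SSL server
    policy must have client-verify enable, and the policy needs at least one permit
    rule; otherwise no client can log in at all."""
    if not client_verify:
        return False
    if not policy.has_permit_rule():
        return False
    return policy.decide(cert) == "permit"


def build_example_policy() -> AccessControlPolicy:
    """The mygroup1 / myacp configuration from this chapter's HTTPS example:
    attribute 1 issuer-name dn ctn new-ca, rule 1 permit mygroup1."""
    groups = {
        "mygroup1": AttributeGroup("mygroup1", [Attribute("issuer-name", "dn", "ctn", "new-ca")]),
    }
    policy = AccessControlPolicy("myacp", groups)
    policy.add_rule(1, "permit", "mygroup1")
    return policy
```

When Web login stops working after a policy change, the two conditions in https_login_allowed are the first things to check: a missing client-verify enable or a policy made of deny rules only refuses every client, including certificates issued by the intended CA.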

Configuring the Port Number of the HTTPS Service


Changing the port number of the HTTPS service from the default can reduce attacks from unauthorized users on the HTTPS service. Follow these steps to configure the port number of the HTTPS service:
To do                                         Use the command               Remarks
Enter system view                             system-view
Configure the port number of the HTTPS service   ip https port port-number   Optional. By default, the port number of the HTTPS service is 443.

If you execute the ip https port command multiple times, the last configured port number is used.

Associating the HTTPS Service with an ACL


Associating the HTTPS service with an ACL filters client requests so that only clients permitted by the ACL can access the service. Follow these steps to associate the HTTPS service with an ACL:
To do                                     Use the command            Remarks
Enter system view                         system-view
Associate the HTTPS service with an ACL   ip https acl acl-number    Required. Not associated by default.

The HTTPS service can be associated with a WLAN ACL (ACL numbers 100 to 199) and a basic ACL (ACL numbers 2000 to 2999), and the two types of ACLs do not overwrite each other. ACLs of the same type do overwrite each other: if you execute the ip https acl command multiple times to associate the HTTPS service with ACLs of the same type, the HTTPS service is associated only with the last specified ACL.
When the HTTPS service is associated with a WLAN ACL, the HTTPS service uses this ACL to filter wireless clients only; wired clients are not filtered by this ACL.
For more information about ACLs, see ACL in the ACL and QoS Configuration Guide.

Displaying and Maintaining HTTPS


To do                             Use the command      Remarks
Display information about HTTPS   display ip https     Available in any view


HTTPS Configuration Example


Network requirements
Host acts as the HTTPS client and AC acts as the HTTPS server. Host accesses AC through the Web interface to control AC. The CA (certificate authority) issues a certificate to AC. The common name of the CA is new-ca.

In this configuration example, Windows Server serves as the CA, and you need to install the Simple Certificate Enrollment Protocol (SCEP) component on it.

Figure 20-1 Network diagram for HTTPS configuration (diagram not reproduced; addresses shown in it: Host 10.1.1.2/24 connects to AC 10.1.1.1/24; AC 10.1.2.1/24 connects to CA 10.1.2.2/24)

Configuration procedure
Perform the following configurations on AC:
1) Apply for a certificate for AC

# Configure a PKI entity.
<AC> system-view
[AC] pki entity en
[AC-pki-entity-en] common-name http-server1
[AC-pki-entity-en] fqdn ssl.security.com
[AC-pki-entity-en] quit

# Configure a PKI domain.
[AC] pki domain 1
[AC-pki-domain-1] ca identifier new-ca
[AC-pki-domain-1] certificate request url http://10.1.2.2:8080/certsrv/mscep/mscep.dll
[AC-pki-domain-1] certificate request from ra
[AC-pki-domain-1] certificate request entity en
[AC-pki-domain-1] quit

# Generate a local RSA key pair.
[AC] public-key local create rsa

# Obtain the CA certificate from the CA (pki retrieval-certificate ca).
[AC] pki retrieval-certificate ca domain 1

# Apply for a local certificate.


[AC] pki request-certificate domain 1

2) Configure an SSL server policy associated with the HTTPS service

# Configure an SSL server policy.
[AC] ssl server-policy myssl
[AC-ssl-server-policy-myssl] pki-domain 1
[AC-ssl-server-policy-myssl] client-verify enable
[AC-ssl-server-policy-myssl] quit

3) Configure a certificate access control policy

# Configure a certificate attribute group.
[AC] pki certificate attribute-group mygroup1
[AC-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[AC-pki-cert-attribute-group-mygroup1] quit

# Configure certificate access control policy myacp and create a control rule.
[AC] pki certificate access-control-policy myacp
[AC-pki-cert-acp-myacp] rule 1 permit mygroup1
[AC-pki-cert-acp-myacp] quit

4) Reference an SSL server policy

# Associate the HTTPS service with the SSL server policy myssl.
[AC] ip https ssl-server-policy myssl

5) Associate the HTTPS service with a certificate attribute access control policy

# Associate the HTTPS service with certificate attribute access control policy myacp.
[AC] ip https certificate access-control-policy myacp

6) Enable the HTTPS service

# Enable the HTTPS service.
[AC] ip https enable

7) Verify the configuration

Launch Internet Explorer on Host and enter https://10.1.1.1. You can log in to AC and control it.

The URL of the HTTPS server starts with https://, and that of the HTTP server starts with http://.
For more information about PKI commands, see PKI in the Security Command Reference.
For more information about the public-key local create rsa command, see Public Key in the Security Command Reference.
For more information about SSL commands, see SSL in the Security Command Reference.


21 Hotfix Configuration

This chapter includes these sections:
Hotfix Overview
Hotfix Configuration Task List
One-Step Patch Installation
Step-by-Step Patch Installation
One-Step Patch Uninstallation
Step-by-Step Patch Uninstallation
Displaying and Maintaining Hotfix
Hotfix Configuration Example

Hotfix Overview
Hotfix is a fast and cost-effective method to repair software defects of a device. Compared with the alternative, a software version upgrade, hotfix upgrades the software without interrupting the services running on the device; that is, it repairs software defects of the current version without rebooting the device.

Basic Concepts in Hotfix


Patch and patch file
A patch, also called a patch unit, is a package that fixes software defects. Generally, patches are released as patch files. A patch file may contain one or more patches for different defects. After being loaded from the storage medium to the memory patch area, each patch is assigned a unique number, starting from 1, for identification, management, and operation. For example, if a patch file has three patch units, they are numbered 1, 2, and 3 respectively.

Incremental patch
All patches in a patch file are incremental patches. An incremental patch depends on the previous patch units. For example, if a patch file has three patch units, patch 3 can run only after patches 1 and 2 take effect. You cannot run patch 3 separately.

Common patch and temporary patch
Patches fall into two types: common patches and temporary patches. Common patches are formally released through the version release flow. Temporary patches are not formally released through the version release flow but are provided temporarily to solve urgent problems. A common patch always includes the functions of the previous temporary patches, so it replaces them. The patch type affects only the patch loading process: the system deletes all temporary patches before it loads a common patch.


Patch Status
Each patch has a status, which can be changed with commands. The relationship between patch state changes and command actions is shown in Figure 21-1. A patch can be in the IDLE, DEACTIVE, ACTIVE, or RUNNING state. Load, run temporarily, confirm running, stop running, delete, install, and uninstall are the operations, corresponding to the commands patch load, patch active, patch run, patch deactive, patch delete, patch install, and undo patch install. For example, if you execute the patch active command for patches in the DEACTIVE state, the patches change to the ACTIVE state.
Figure 21-1 Relationship between patch state changes and command actions

Information about patch states is saved in file pathstate on the storage medium. It is recommended not to operate this file.

IDLE state
Patches in the IDLE state are not loaded. You cannot install or run the patches, as shown in Figure 21-2 (suppose the memory patch area can load up to eight patches). The patches that are in the IDLE state will be still in this state after system reboot.


Figure 21-2 Patches are not loaded to the memory patch area

Currently, the system patch area supports up to 200 patches.

DEACTIVE state
Patches in the DEACTIVE state have been loaded to the memory patch area but have not run in the system yet. Suppose that there are seven patches in the patch file to be loaded. After the seven patches successfully pass the version check and CRC check, they are loaded to the memory patch area and change to the DEACTIVE state. At this time, the patch states in the system are as shown in Figure 21-3. Patches in the DEACTIVE state remain in the DEACTIVE state after system reboot.
Figure 21-3 A patch file is loaded to the memory patch area

ACTIVE state
Patches in the ACTIVE state are running temporarily in the system and become DEACTIVE after system reboot. For the seven patches in Figure 21-3, if you activate the first five patches, their state changes from DEACTIVE to ACTIVE. At this time, the patch states in the system are as shown in Figure 21-4. Patches in the ACTIVE state are in the DEACTIVE state after system reboot.


Figure 21-4 Patches are activated

RUNNING state
After you confirm the running of ACTIVE patches, their state becomes RUNNING, and they remain in the RUNNING state after system reboot. For the five patches in Figure 21-4, if you confirm the running of the first three patches, their state changes from ACTIVE to RUNNING. At this time, the patch states of the system are as shown in Figure 21-5.
Figure 21-5 Patches are running

The patches that are in the RUNNING state will be still in the RUNNING state after system reboot.
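The state transitions above, as an added Python model that is not part of this guide or of the device software. It assumes that activating or running patch n also covers every lower-numbered unit, and that stopping or deleting patch n also covers every higher-numbered unit, as the incremental-patch rule implies; it also assumes that a loaded file passes its version and CRC checks. The patch counts used in the test mirror Figures 21-3 to 21-5.

```python
from typing import Dict

IDLE, DEACTIVE, ACTIVE, RUNNING = "IDLE", "DEACTIVE", "ACTIVE", "RUNNING"
MAX_PATCHES = 200  # the system patch area supports up to 200 patches


class PatchArea:
    """Memory patch area holding the patch units of one loaded patch file.
    A unit that is not present is IDLE (its file is still on the storage medium).
    Ordering rules (lower units first on activate/run, higher units first on
    stop/delete) are an assumption drawn from the incremental-patch description."""

    def __init__(self) -> None:
        self._state: Dict[int, str] = {}   # patch number -> state, numbers 1..N contiguous

    def states(self) -> Dict[int, str]:
        return dict(self._state)

    def state_of(self, number: int) -> str:
        return self._state.get(number, IDLE)

    def load(self, units: int) -> None:
        """patch load: every unit passes version/CRC checks (assumed) and becomes DEACTIVE."""
        if not 1 <= units <= MAX_PATCHES:
            raise ValueError(f"a patch file holds 1..{MAX_PATCHES} units")
        self._state = {n: DEACTIVE for n in range(1, units + 1)}

    def _check_loaded(self, number: int) -> None:
        if number not in self._state:
            raise ValueError(f"patch {number} is IDLE (not loaded)")

    def active(self, number: int) -> None:
        """patch active: DEACTIVE -> ACTIVE for unit `number` and all lower DEACTIVE units."""
        self._check_loaded(number)
        for n in range(1, number + 1):
            if self._state[n] == DEACTIVE:
                self._state[n] = ACTIVE

    def run(self, number: int) -> None:
        """patch run: ACTIVE -> RUNNING; applicable to ACTIVE patches only."""
        self._check_loaded(number)
        if self._state[number] != ACTIVE:
            raise ValueError(f"patch run needs an ACTIVE patch; patch {number} is {self._state[number]}")
        for n in range(1, number + 1):
            if self._state[n] == ACTIVE:
                self._state[n] = RUNNING

    def deactive(self, number: int) -> None:
        """patch deactive: ACTIVE/RUNNING -> DEACTIVE for unit `number` and all higher units."""
        self._check_loaded(number)
        for n in range(number, len(self._state) + 1):
            if self._state[n] in (ACTIVE, RUNNING):
                self._state[n] = DEACTIVE

    def delete(self, number: int) -> None:
        """patch delete: remove DEACTIVE units `number`.. from the area (they become IDLE);
        the patch file itself stays on the storage medium."""
        self._check_loaded(number)
        top = len(self._state)
        for n in range(number, top + 1):
            if self._state[n] != DEACTIVE:
                raise ValueError(f"stop patch {n} (patch deactive) before deleting it")
        for n in range(number, top + 1):
            self._state.pop(n)

    def reboot(self) -> None:
        """Only ACTIVE patches lose their state on reboot; IDLE, DEACTIVE and RUNNING persist."""
        for n, s in self._state.items():
            if s == ACTIVE:
                self._state[n] = DEACTIVE

    def install(self, units: int, keep_after_reboot: bool) -> None:
        """patch install: load + active, plus run when the prompt
        'Do you want to continue running patches after reboot?' is answered y."""
        self.load(units)
        self.active(units)
        if keep_after_reboot:
            self.run(units)

    def uninstall(self) -> None:
        """undo patch install: deactive + delete, leaving every unit IDLE."""
        if self._state:
            self.deactive(1)
            self.delete(1)
```

The model makes the operational difference between patch active and patch run visible: a reboot silently reverts ACTIVE units, so a fix that was only activated disappears after the next restart, while a RUNNING unit is the committed state to check for in display patch information.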

Hotfix Configuration Task List


Task                                                   Remarks
Install patches     One-Step Patch Installation        Use either method. The step-by-step patch installation allows you to control the patch status.
                    Step-by-Step Patch Installation
Uninstall patches   One-Step Patch Uninstallation      Use either method. The step-by-step patch uninstallation allows you to control the patch status.
                    Step-by-Step Patch Uninstallation


Configuration Prerequisites
Patches are released per device model or card type. Before patching the system, you need to save the appropriate patch files to the storage media of the device using FTP or TFTP. When saving the patch files, note the following:
The patch files must match the device model and software version. If they do not match, the hotfixing operation will fail.
Name the patch file properly. Otherwise, the system cannot locate the patch file and the hotfixing operation will fail. The name is in the format "patch_PATCH-FLAG suffix.bin". The PATCH-FLAG is pre-defined, and support for the PATCH-FLAG depends on the device model or card type. The first three characters of the version item (shown by the display patch information command) represent the PATCH-FLAG suffix. The system searches the storage medium for patch files based on the PATCH-FLAG. If there is a match, the system loads the patches to, or installs them on, the memory patch area.
Table 21-1 Default patches for different card types
Card type                                   PATCH-FLAG   Default patch name
All cards that support wireless functions   PATCH-MPU    patch_mpu.bin

Cards that support wireless functions refer to cards that support AC functions, excluding the switching engine on the WX3000 series and the switching interface card on the WX6103.

One-Step Patch Installation


You can use the patch install command to install patches in one step. After you execute the command, the system displays the message "Do you want to continue running patches after reboot? [Y/N]:".
Entering y or Y: All the specified patches are installed and change from the IDLE state to the RUNNING state. This equals executing the commands patch location, patch load, patch active, and patch run. The patches remain RUNNING after system reboot.
Entering n or N: All the specified patches are installed and change from the IDLE state to the ACTIVE state. This equals executing the commands patch location, patch load, and patch active. The patches change to the DEACTIVE state after system reboot.
Follow these steps to install the patches in one step:
To do                               Use the command                  Remarks
Enter system view                   system-view
Install the patches in one step     patch install patch-location     Required


The patch must match the card type and version. The patch install command changes the patch file location specified with the patch location command to the directory specified by the patch-location argument of the patch install command.

Step-by-Step Patch Installation


Step-by-Step Patch Installation Task List
Task                                   Remarks
Configuring the Patch File Location    Optional
Loading a Patch File                   Required
Activating Patches                     Required
Confirming Running Patches             Optional

Configuring the Patch File Location


If you save the patch files to other storage media on the device, you need to specify the directory where the patch files are located with the patch-location argument. The system then loads the appropriate patch files from the specified directory. If the device has only one storage medium, you do not need to execute this command. Follow these steps to configure the patch file location:
To do                               Use the command                   Remarks
Enter system view                   system-view
Configure the patch file location   patch location patch-location     Optional. flash: or cfa0: by default.

The patch install command changes patch file location specified with the patch location command to the directory specified by the patch-location argument of the patch install command. For example, if you execute the patch location xxx command and then the patch install yyy command, the patch file location automatically changes from xxx to yyy.

Loading a Patch File


Loading the right patch files is the basis of other hotfixing operations.


Set the file transfer mode to binary mode before using FTP or TFTP to upload or download patch files to or from the storage medium of the device. Otherwise, the patch file cannot be parsed properly.

Follow these steps to load a patch file:


To do                                                                                                       Use the command   Remarks
Enter system view                                                                                           system-view
Load the patch file from the storage medium (such as the flash or the CF card) to the memory patch area     patch load        Required

Activating Patches
After you activate a patch, the patch takes effect and is in the test-run stage. After the device is reset or rebooted, the patch becomes invalid. If you find that an ACTIVE patch has a problem, you can reboot the device to deactivate the patch and so avoid a series of running faults caused by the patch error. Follow these steps to activate patches:
To do                            Use the command               Remarks
Enter system view                system-view
Activate the specified patches   patch active patch-number     Required

Confirming Running Patches


After you confirm the running of a patch, the patch state becomes RUNNING, and the patch is in the normal running stage. After the device is reset or rebooted, the patch is still valid. Follow these steps to confirm the running of the patches:
To do                                           Use the command            Remarks
Enter system view                               system-view
Confirm the running of the specified patches    patch run patch-number     Required

This operation is applicable to patches in the ACTIVE state only.


One-Step Patch Uninstallation


You can use the undo patch install command to uninstall patches in one step. The patches then turn to the IDLE state. This equals the execution of the commands patch deactive and patch delete. Follow these steps to uninstall the patches in one step:
To do                    Use the command        Remarks
Enter system view        system-view
Uninstall the patches    undo patch install     Required

Step-by-Step Patch Uninstallation


Step-by-Step Patch Uninstallation Task List
Task                       Remarks
Stopping Running Patches   Required
Deleting Patches           Required

Stopping Running Patches


After you stop running a patch, the patch state becomes DEACTIVE, and the system runs as it did before the patch was installed. Follow these steps to stop running patches:
To do                                   Use the command                 Remarks
Enter system view                       system-view
Stop running the specified patches      patch deactive patch-number     Required

Deleting Patches
Deleting patches only removes the patches from the memory patch area; it does not delete them from the storage medium. The patches change to the IDLE state after this operation. After a patch is deleted, the system runs as it did before the patch was installed. Follow these steps to delete patches:
To do                                                    Use the command               Remarks
Enter system view                                        system-view
Delete the specified patches from the memory patch area  patch delete patch-number     Required


Displaying and Maintaining Hotfix


To do                           Use the command               Remarks
Display the patch information   display patch information     Available in any view

Hotfix Configuration Example


Network requirements
The software running on AC has a problem, so hotfixing is needed. The patch file patch_xxx.bin is saved on the TFTP server. The IP address of AC is 1.1.1.1/24, and that of TFTP Server is 2.2.2.2/24. The route between AC and TFTP Server is reachable.
Figure 21-6 Network diagram of hotfix configuration

Configuration procedure
1) Configure the TFTP server. The configuration varies depending on the server type, so the configuration procedure is omitted.
Enable the TFTP server function.
Save patch file patch_xxx.bin to the directory of the TFTP server.
2) Configure AC (the TFTP client).

Make sure the free space of the storage medium is big enough to store the patch file.

# Before upgrading the software, use the save command to save the current system configuration. The configuration procedure is omitted.
# Load patch file patch_xxx.bin from the TFTP server to the root directory of the device storage medium.
<AC> tftp 2.2.2.2 get patch_xxx.bin

# Install the patch.
<AC> system-view
[AC] patch install flash:
Patches will be installed. Continue? [Y/N]:y
Do you want to continue running patches after reboot? [Y/N]:y
Installing patches........
Installation completed, and patches will continue to run after reboot.

