HP 5120 series Configuration Manual

Gigabit ethernet switches

HP 5120 SI Switch Series
Fundamentals

Configuration Guide

Part number: 5998-1899
Software version: Release 1513
Document version: 6W100-20130830


Summary of Contents for HP HP 5120 series

  • Page 1: Configuration Guide

    HP 5120 SI Switch Series Fundamentals Configuration Guide Part number: 5998-1899 Software version: Release 1513 Document version: 6W100-20130830...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table Of Contents

    Contents: CLI configuration (p. 1); FIPS compliance (p. 1); What is CLI? (p. 1); Entering the CLI (p. 2); Command conventions (p. 2); Undo form of a command (p. 3); CLI view description (p. 3)...
  • Page 4 Telnet login authentication modes (p. 37); Configuring none authentication for telnet login (p. 38); Configuring password authentication for telnet login (p. 39); Configuring scheme authentication for telnet login (p. 40); Configuring common settings for VTY user interfaces (optional) (p. 44)...
  • Page 5 Operation of FTP (p. 83); FIPS compliance (p. 84); Configuring the FTP client (p. 84); Establishing an FTP connection (p. 85); Operating the directories on an FTP server (p. 86); Operating the files on an FTP server (p. 86)...
  • Page 6 FIPS compliance (p. 110); Saving the running configuration (p. 110); Introduction (p. 110); Enabling configuration file auto-save (p. 110); Modes in saving the configuration (p. 111); Using automatic configuration backup after a software upgrade (p. 111)...
  • Page 7 Diagnosing pluggable transceivers (p. 148); Displaying and maintaining device management configuration (p. 148); Support and other resources (p. 150); Contacting HP (p. 150); Subscription service (p. 150); Related information (p. 150); Documents (p. 150)...
  • Page 8: Cli Configuration

    CLI configuration

    This chapter includes these sections:
    • What is CLI?
    • Entering the CLI
    • Command conventions
    • Undo form of a command
    • CLI view description
    • Using the CLI online help
    • Typing commands
    • Checking command line errors
    • ...
  • Page 9: Entering The Cli

    Figure 1 CLI example Entering the CLI HP devices provide multiple methods for entering the CLI, such as through the console port, through telnet, or through SSH. For more information, see "Logging in through the console port." Command conventions Command conventions help you understand command meanings. Commands in HP product manuals...
  • Page 10: Undo Form Of A Command

    Use the clock datetime time date command as an example to understand the meaning of the command line parameters according to Figure

    [Figure 2: Read command line parameters. In clock datetime time date, boldface marks keywords and italic marks arguments; replace arguments with actual values at the CLI.]
  • Page 11: Entering System View

    [Figure 3: Command line views, showing user view, system view, interface view, VLAN view, and local user view]

    Entering system view

    When you log in to the device, you automatically enter user view, where <Device name> is displayed. You can perform limited operations in user view, for example, display operations, file operations, and Telnet operations.
  • Page 12: Using The Cli Online Help

    Follow the step below to exit to user view:

    To do…: Return to user view
    Use the command…: return
    Remarks: Required. Available in any view except user view.

    Using the CLI online help

    Type a question mark (?) to obtain online help. See the following examples. Type ? in any view to display all commands available in this view and brief descriptions of these commands.
  • Page 13: Typing Commands

    clock cluster

    Typing commands

    Editing command lines

    Table 2 lists some shortcut keys you can use to edit command lines.

    Table 2 Editing functions
    Common keys: If the edit buffer is not full, pressing a common key inserts the character at the position of the cursor and moves the cursor to the right.
  • Page 14: Configuring Cli Hotkeys

    • If a string you entered partially matches a keyword and an alias, the command indicated by the alias is executed. To execute the command indicated by the keyword, enter the complete keyword.
    • If a string you entered exactly matches a keyword and partially matches an alias, the command...
  • Page 15: Redisplaying Input But Not Submitted Commands

    Hotkey / Function
    Ctrl+C: Stops performing a command.
    Ctrl+D: Deletes the character at the current cursor position.
    Ctrl+E: Moves the cursor to the end of the current line.
    Ctrl+F: Moves the cursor one character to the right.
    Ctrl+H: Deletes the character to the left of the cursor.
    Ctrl+K: Terminates an outgoing connection.
  • Page 16: Checking Command Line Errors

    To do…: Enable redisplaying of input but not submitted commands
    Use the command…: info-center synchronous
    Remarks: Required. Disabled by default.

    NOTE:
    • If you have no input at the command line prompt and the system outputs system information such as logs, the system will not display the command line prompt after the output.
  • Page 17: Configuring The History Buffer Size

    NOTE:
    • You can use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet. However, the up and down arrow keys are invalid in Windows 9X HyperTerminal, because they are defined differently. You can use Ctrl+P or Ctrl+N instead.
    • The commands saved in the history command buffer are in the same format in which you typed the...
  • Page 18: Filtering Output Information

    Action / Function
    Press Ctrl+C: Stops the display and the command execution.
    Press <PageUp>: Displays the previous page.
    Press <PageDown>: Displays the next page.

    By default, each screen displays up to 24 lines. To change the maximum number of lines displayed on the next screen, use the screen-length command.
  • Page 19

    • exclude: Displays all lines that do not match the specified regular expression.
    • include: Displays all lines that match the specified regular expression.

    A regular expression is a case-sensitive string of 1 to 256 characters. It supports the following special characters.
  • Page 20

    Character: \index
    Meaning: Repeats the character string specified by the index. A character string refers to the string within () before \. index refers to the sequence number (starting from 1 from left to right) of the character...
    Remarks: For example, (string)\1 repeats string, and a matching string must contain stringstring. (string1)(string2)\2 repeats string2, and a...
  • Page 21: Configuring User Privilege And Command Levels

    user privilege level 3
    return

    Example of using the exclude keyword

    # Display the non-direct routes in the routing table (the output depends on the current configuration).
    <Sysname> display ip routing-table | exclude Direct
    Routing Tables: Public
    Destination/Mask Proto Cost NextHop Interface
    10.1.1.0/24...
  • Page 22: Configuring A User Privilege Level

    Level / Privilege / Description
    Manage: Involves commands that influence the basic operation of the system and commands for configuring system support modules. By default, commands at this level involve the configuration commands of file system, FTP, TFTP, Xmodem download, user management, level setting, and parameter settings within a system (which are not defined by any protocols or RFCs).
  • Page 23

    <Sysname> system-view
    [Sysname] user-interface vty 1
    [Sysname-ui-vty1] authentication-mode scheme
    [Sysname-ui-vty1] quit
    [Sysname] local-user test
    [Sysname-luser-test] password cipher 12345678
    [Sysname-luser-test] service-type telnet

    When users telnet to the switch through VTY 1, they need to input username test and password 12345678. After passing the authentication, the users can only use the commands of level 0. If the users want to use commands of levels 0, 1, 2 and 3, the following configuration is required:

    [Sysname-luser-test] authorization-attribute level 3

    Configuring the user privilege level under a user interface...
  • Page 24 To do… Use the command… Remarks Enter system view system-view — user-interface { first-num1 Enter user interface view [ last-num1 ] | { aux | vty } — first-num2 [ last-num2 ] } Optional Configure the authentication mode By default, the authentication authentication-mode { none | for any user that uses the current mode for VTY user interfaces is...
  • Page 25: Switching User Privilege Level

    After the user logs in again, the user privilege restores to the original level.
    • To avoid problems, HP recommends that administrators log in to the switch by using a lower privilege level and view switch operating parameters, and when they have to maintain the switch,...
  • Page 26 Setting the authentication mode for user privilege level switch A user can switch to a privilege level equal to or lower than the current one unconditionally and is not required to input a password (if any). For security, a user is required to input the password (if any) to switch to a higher privilege level. The authentication falls into one of the following four categories: Authentication Meaning...
  • Page 27

    CAUTION:
    • If no user privilege level is specified when you configure the password for switching the user privilege level with the super password command, the user privilege level defaults to 3.
    • Whether you specify the simple keyword or the cipher keyword, the password is saved to the...
  • Page 28: Modifying The Level Of A Command

    CAUTION: HP recommends that you use the default command level or modify the command level under the guidance of professional staff. An improper change of the command level may bring inconvenience to your maintenance and operation, or even potential security problems.
  • Page 29: Saving The Current Configuration

    Saving the current configuration On the device, you can input the save command in any view to save all the submitted and executed commands into the configuration file. Commands saved in the configuration file can survive a reboot. The save command does not take effect on one-time commands, such as display commands, which display specified information, and the reset commands, which clear specified information.
  • Page 30: Login Methods

    Login methods

    This chapter includes these sections:
    • Login methods
    • User interface overview

    FIPS compliance

    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see the Security Configuration Guide.
  • Page 31: User Interface Overview

    Login method / Default state
    Logging in through modems: By default, you can log in to a device through modems. The default user privilege level of modem login users is 3.
    By default, you cannot log in to a device through web. To do so, log in to the device through the console port, and complete the following configuration: •...
  • Page 32: Numbering User Interfaces

    interface view applies to user A; if user A logs in through VTY 1, the configuration in VTY 1 user interface view applies to user A. A device can be equipped with one AUX user interface and 16 VTY user interfaces. These user interfaces do not associate with specific users.
  • Page 33: Cli Login

    CLI login

    This chapter includes these sections:
    • Overview
    • Logging in through the console port
    • Logging in through telnet
    • Logging in through SSH
    • Logging in through modems
    • Displaying and maintaining CLI login

    Overview

    The CLI enables you to interact with a device by typing text commands. At the CLI, you can instruct your device to perform a given task by typing a text command and then pressing Enter to submit it to your device.
  • Page 34: Configuration Requirements

    • Configuring scheme authentication for console login
    • Configuring common settings for console login (optional)

    Configuration requirements

    The following table shows the configuration requirements for console port login.

    Object / Requirements
    Device: No configuration requirement
    Terminal: Run the hyper terminal program. Configure the hyper terminal attributes....
  • Page 35 NOTE: On Windows 2003 Server operating system, you need to add the HyperTerminal program first, and then log in to and manage the device as described in this document. On Windows 2008 Server, Windows 7, Windows Vista, or some other operating system, you need to obtain a third party terminal control program first, and follow the user guide or online help of that program to log in to the device.
  • Page 36: Console Login Authentication Modes

    Turn on the device. You are prompted to press Enter if the device successfully completes the power-on self test (POST). A prompt such as <HP> appears after you press Enter. Execute commands to configure the device or check the running status of the device. To get help, type ?.
  • Page 37: Configuring None Authentication For Console Login

    Authentication mode Configuration Remarks "Configuring password authentication for console Set the local password login." Configure the authentication scheme Configure a RADIUS/HWTACACS scheme Configure the AAA Remote AAA scheme used by the authentication domain For more information, see Configure the "Configuring scheme Select an username and...
  • Page 38: Configuring Password Authentication For Console Login

    (optional)." When you log in to the device through the console port after the configuration, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter.
  • Page 39: Configuring Scheme Authentication For Console Login

    Configuring scheme authentication for console login

    Configuration prerequisites

    You have logged in to the device. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see "Configuration requirements."...
  • Page 40 To do… Use the command… Remarks Optional • By default, command accounting is disabled. The accounting server does not record the commands executed by users. • Command accounting allows the HWTACACS server to record all the commands executed by users, regardless of command execution results.
  • Page 41: Configuring Common Settings For Console Login (Optional)

    When you log in to the device through the console port after the configuration, you are prompted to enter a login username and password. A prompt such as <HP> appears after you input the password and username and press Enter.
  • Page 42 To do… Use the command… Remarks Optional Enable display of copyright copyright-info enable information Enabled by default. user-interface aux first-number Enter AUX user interface view — [ last-number ] Optional By default, the transmission rate is Configure the 9600 bps. speed speed-value baud rate Transmission rate is the number of...
  • Page 43: Logging In Through Telnet

    By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends that you set the display type of both the device and the client to VT100. If the device and Configure the type...
  • Page 44: Telnet Login Authentication Modes

    NOTE: Telnet is not supported in FIPS mode. The device supports telnet. You can telnet to the device to remotely manage and maintain it, as shown Figure Figure 8 Telnet login The following table shows the configuration requirements of telnet login. Object Requirements Configure the IP address of the VLAN interface, and make sure the telnet server...
  • Page 45: Configuring None Authentication For Telnet Login

    username and password on the remote authentication server. For more information about authentication modes and parameters, see the Security Configuration Guide. The following table lists telnet login configurations for different authentication modes. Authentication Configuration Remarks mode For more information, see "Configuring none None Configure not to authenticate users...
  • Page 46: Configuring Password Authentication For Telnet Login

    To do…: Enable telnet
    Use the command…: telnet server enable
    Remarks: Required. By default, the telnet service is disabled.

    To do…: Enter one or multiple VTY user interface views
    Use the command…: user-interface vty first-number [ last-number ]
    Remarks: —

    To do…: Specify the none authentication mode
    Use the command…: authentication-mode none
    Remarks: Required. By default, authentication mode for VTY user interfaces is password.
  • Page 47: Configuring Scheme Authentication For Telnet Login

    VTY user interfaces (optional)."

    When you log in to the device through telnet again:
    • You are required to enter the login password. A prompt such as <HP> appears after you enter the correct password and press Enter, as shown in Figure
    • If "All user interfaces are used, please try later!"...
  • Page 48

    By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see "Configuration requirements."

    Configuration procedure

    Follow these steps to configure scheme authentication for telnet login

    To do…...
  • Page 49 To do… Use the command… Remarks Optional • By default, command accounting is disabled. The accounting server does not record the commands executed by users. • Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result.
  • Page 50

    For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide.

    When you log in to the device through telnet again:
    • You are required to enter the login username and password. A prompt such as <HP> appears after...
  • Page 51: Configuring Common Settings For Vty User Interfaces (Optional)

    Figure 11 Configuration page Configuring common settings for VTY user interfaces (optional) Follow these steps to configure common settings for VTY user interfaces: To do… Use the command… Remarks Enter system view system-view — Optional Enable display of copyright copyright-info enable information Enabled by default.
  • Page 52: Configuring The Device To Log In To A Telnet Server As A Telnet Client

    To do… Use the command… Remarks Optional Set the size of history history-command max-size By default, the buffer saves 10 command buffer value history commands. Optional The default idle-timeout is 10 minutes for all user interfaces. The system automatically Set the idle-timeout terminates the user's connection if idle-timeout minutes [ seconds ] timer...
  • Page 53: Logging In Through Ssh

    Figure 12 Log in to another device from the current device NOTE: If the telnet client port and the telnet server port that connect them are not in the same subnet, make sure that the two devices can reach each other. Configuration procedure Follow the step below to configure the device to log in to a telnet server as a telnet client: To do…...
  • Page 54: Configuring The Ssh Server

    the device through SSH, you need to log in to the device through the console port and configure the authentication mode, user level, and common settings.

    This section includes these topics:
    • Configuring the SSH server
    • Configuring the SSH client to log in to the SSH server
    • ...
  • Page 55 To do… Use the command… Remarks Optional • By default, command authorization is not enabled. • By default, command level for a login user depends on the user privilege level. The user is authorized the command with the default level not higher than the user privilege level.
  • Page 56 To do… Use the command… Remarks Enter the default Optional ISP domain domain domain-name By default, the AAA scheme is view local. authentication default If you specify the local AAA Apply the { hwtacacs-scheme scheme, perform the configuration specified AAA hwtacacs-scheme-name [ local ] | concerning local user as well.
  • Page 57: Configuring The Ssh Client To Log In To The Ssh Server

    • Create a HWTACACS scheme, and specify the IP address of the authorization server and other authorization parameters.
    • Reference the created HWTACACS scheme in the ISP domain.

    For more information, see the Security Configuration Guide.

    When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.
  • Page 58: Logging In Through Modems

    NOTE: You can configure other settings for the SSH client to work with the SSH server. For more information, see Security Configuration Guide Logging in through modems The administrator can use two modems to remotely maintain a switch through its Console port over the Public Switched Telephone Network (PSTN) when the IP network connection is broken.
  • Page 59 Figure 15 Set up a configuration terminal Configuration on the administrator side The PC and the modem are correctly connected, the modem is connected to a telephone cable, and the telephone number of the remote modem connected to the Console port of the remote switch is obtained. NOTE: On the device: The baud rate of the Console port is lower than the transmission rate of the modem.
  • Page 60 Figure 16 Connection Description Figure 17 Enter the phone number Figure 18 Dial the number...
  • Page 61: Modem Login Authentication Modes

    Character string CONNECT9600 is displayed on the terminal. Then a prompt such as <HP> appears when you press Enter. Execute commands to configure the device or check the running status of the device. To get help, type ?.

    NOTE:
    • To terminate the connection between the PC and device, execute the ATH command on the terminal to...
  • Page 62: Configuring None Authentication For Modem Login

    (optional)." When you log in to the device through modems after the configuration, you are prompted to press Enter. A prompt such as <HP> appears after you press Enter. Configuring password authentication for modem login NOTE: This feature is not supported in FIPS mode.
  • Page 63: Configuring Scheme Authentication For Modem Login

    When you log in to the device through modems after the configuration, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter. Configuring scheme authentication for modem login Configuration prerequisites You have logged in to the device.
  • Page 64 To do… Use the command… Remarks Required Whether local, RADIUS, or HWTACACS authentication is Specify the scheme authentication-mode scheme adopted depends on the configured authentication mode AAA scheme. By default, the authentication mode is none for modem users Optional • By default, command authorization is not enabled.
  • Page 65 To do… Use the command… Remarks Optional • By default, command accounting is disabled. The accounting server does not record the commands executed by users. • Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result.
  • Page 66: Configuring Common Settings For Modem Login (Optional)

    For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide. When you log in to the device through modems after the configuration, you are prompted to enter a login username and password. A prompt such as <HP> appears after you input the password and username and press Enter.
  • Page 67 To do… Use the command… Remarks Optional Enable display of copyright copyright-info enable information Enabled by default. Enter one or more AUX user user-interface aux first-number — interface views [ last-number ] Optional By default, the baud rate is 9600 Configure the bps.
  • Page 68 By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends that you set the display type of both the device and the client to VT100. If the device and Configure the type...
  • Page 69: Displaying And Maintaining Cli Login

    Displaying and maintaining CLI login To do… Use the command… Remarks Display the source IP display telnet client configuration address/interface specified for [ | { begin | exclude | include } Available in any view Telnet packets regular-expression ] Display information about the user display users [ | { begin | exclude Available in any view interfaces that are being used...
  • Page 70: Web Login

    Web login

    This chapter includes these sections:
    • Web login overview
    • Configuring HTTP login
    • Configuring HTTPS login
    • Displaying and maintaining web login
    • Web login example

    Web login overview

    The device provides a built-in web server. It enables you to log in to the web interface of the device from a PC.
  • Page 71: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. Unless otherwise noted, devices in the configuration examples are operating in non-FIPS mode. HTTP is not supported in FIPS mode.
  • Page 72: Configuring Https Login

    To do… Use the command… Remarks Required Specify the telnet service type for service-type telnet By default, no service type is the local user configured for the local user. Exit to system view quit — Required Create a VLAN interface and enter interface vlan-interface If the VLAN interface already its view...
  • Page 73 To do… Use the command… Remarks Required Disabled by default. Enabling the HTTPS service triggers an SSL handshake negotiation process. During the process, if the local certificate of the device exists, the SSL negotiation succeeds, and the HTTPS service can be started normally. If no Enable the HTTPS service ip https enable local certificate exists, a certificate application...
  • Page 74: Displaying And Maintaining Web Login

    To do… Use the command… Remarks Required Configure a password for the password { cipher | simple } By default, no password is configured for the local user password local user. Required Specify the command level of authorization-attribute level By default, no command level is configured for the local user level the local user.
  • Page 75 Figure 19 Network diagram for configuring HTTP login Configuration procedure Configuration on the device # Log in to the device via the console port and configure the IP address of VLAN 1 of the device. VLAN 1 is the default VLAN. <Sysname>...
  • Page 76: Https Login Example

    # Type the user name, password, verify code, select English, and click Login. The homepage appears. After login, you can configure device settings through the web interface. HTTPS login example Network requirements As shown in Figure 21, to prevent unauthorized users from accessing the Device, configure HTTPS login as follows: Configure the Device as the HTTPS server, and request a certificate for it.
  • Page 77

    # Create RSA local key pairs.
    [Device] public-key local create rsa
    # Retrieve the CA certificate from the certificate issuing server.
    [Device] pki retrieval-certificate ca domain 1
    # Request a local certificate from a CA through SCEP for the device.
    [Device] pki request-certificate domain 1
    # Create an SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.
  • Page 78

    NOTE:
    • To log in to the web interface through HTTPS, enter the URL address starting with https://. To log in to the web interface through HTTP, enter the URL address starting with http://.
    • For more information about PKI configuration commands, see the Security Command Reference...
  • Page 79: Nms Login

    NMS login

    This chapter includes these sections:
    • NMS login overview
    • Configuring NMS login
    • NMS login example

    NMS login overview

    A Network Management Station (NMS) runs the SNMP client software. It offers a user-friendly interface to facilitate network management. An agent is a program that resides in the device. It receives and handles requests from the NMS.
  • Page 80 To do… Use the command… Remarks Optional Disabled by default. Enable SNMP agent snmp-agent You can enable SNMP agent with this command or any command that begins with snmp-agent. snmp-agent group v3 group-name Required [ authentication | privacy ] Configure an SNMP group [ read-view read-view ] [ write-view By default, no SNMP group is and specify its access right...
  • Page 81: Nms Login Example

    NOTE: The device supports three SNMP versions: SNMPv1, SNMPv2c and SNMPv3. For more information about SNMP, see the Network Management and Monitoring Configuration Guide. NMS login example In this example, iMC is used as the NMS. Configuration on the device # Assign 1.1.1.1/24 for the IP address of device.
  • Page 82: User Login Control

    User login control This chapter includes these sections: • User login control overview • Configuring login control over telnet users • Configuring source IP-based login control over NMS users • Configuring source IP-based login control over web users User login control overview The device provides the following login control methods: Login Through Login control methods...
  • Page 83: Configuring Source Ip-Based Login Control Over Telnet Users

    Configuring source IP-based login control over telnet users Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement source IP-based login control over telnet users. Basic ACLs are numbered from 2000 to 2999. For more information about ACL, see the ACL and QoS Configuration Guide.
  • Page 84: Configuring Source Mac-Based Login Control Over Telnet Users

    To do… Use the command… Remarks Required Use the ACL to control user inbound: Filters incoming telnet acl [ ipv6 ] acl-number { inbound | login by source and packets. outbound } destination IP addresses outbound: Filters outgoing telnet packets. Configuring source MAC-based login control over telnet users Ethernet frame header ACLs can match the source MAC addresses of packets, so you can use Ethernet frame header ACLs to implement source MAC-based login control over telnet users.
  • Page 85: Configuring Source Ip-Based Login Control Over Nms Users

    Figure 23 Network diagram for configuring source MAC-based login control Configuration procedure # Configure basic ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit packets sourced from Host A. <Sysname> system-view [Sysname] acl number 2000 match-order config [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0...
  • Page 86: Source Ip-Based Login Control Over Nms Users Configuration Example

    To do… Use the command… Remarks Create a basic ACL and enter its Required acl [ ipv6 ] number acl-number view, or enter the view of an [ match-order { config | auto } ] By default, no basic ACL exists. existing basic ACL rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard |...
  • Page 87: Configuring Source Ip-Based Login Control Over Web Users

    Figure 24 Network diagram for configuring source IP-based login control over NMS users Configuration procedure # Create ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit packets sourced from Host A. <Sysname>...
  • Page 88: Logging Off Online Web Users

    To do… Use the command… Remarks Create a basic ACL and enter its Required acl [ ipv6 ] number acl-number view, or enter the view of an [ match-order { config | auto } ] By default, no basic ACL exists. existing basic ACL rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard...
  • Page 89 [Sysname] acl number 2030 match-order config [Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0 # Associate the ACL with the HTTPS service so that only web users from Host B are allowed to access the device. [Sysname] ip https acl 2030...
  • Page 90: Ftp Configuration

    FTP configuration This chapter includes these sections: • FTP overview • Configuring the FTP client • Configuring the FTP server • Displaying and maintaining FTP FTP overview Introduction to FTP The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network.
  • Page 91: Fips Compliance

    Table 8 Configuration when the device serves as the FTP client Device Configuration Remarks If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, Use the ftp command to establish the Device (FTP client) the device must obtain the FTP username and connection to the remote FTP server password first to log in to the remote FTP...
  • Page 92: Establishing An Ftp Connection

    NOTE: Only users with the manage level can use the ftp command to log in to an FTP server, enter FTP client view, and execute directory and file related commands. However, whether the commands can be executed successfully depends on the authorizations of the FTP server. Establishing an FTP connection Before you can access the FTP server, you must first establish a connection from the FTP client to the FTP server.
  • Page 93: Operating The Directories On An Ftp Server

    NOTE: • If no primary IP address is configured on the specified source interface, you cannot establish an FTP connection. • If you use the ftp client source command to configure a source interface and then use it to configure a...
  • Page 94: Using Another Username To Log In To An Ftp Server

    Delete useless files for effective use of the storage space. Set the file transfer mode. FTP transmits files in two modes: ASCII and binary. ASCII mode transfers files as text. Binary mode transfers files as raw data. Use the lcd command to display the local working directory of the FTP client. You can upload the file under this directory, or save the downloaded file under this directory.
  • Page 95: Maintaining And Debugging An Ftp Connection

    To do… Use the command… Remarks Use another username to re-log in after user username [ password ] Optional successfully logging in to the FTP server Maintaining and debugging an FTP connection After a switch serving as the FTP client has established a connection with the FTP server, you can perform the following operations to locate and diagnose problems encountered in an FTP connection.
  • Page 96 • On PC, an FTP user account has been created for the FTP client, with the username being abc and the password being pwd. Figure 27 Network diagram for FTPing a boot file from an FTP server Configuration procedure CAUTION: If the available memory space of the device is not enough, use the fixdisk command to clear the memory file or use the delete /unreserved...
  • Page 97: Configuring The Ftp Server

    [ftp] bye # Specify newest.bin as the main boot file to be used at the next startup for all the member devices. <Sysname> boot-loader file newest.bin slot all main This command will set the boot file of the specified board. Continue? [Y/N]:y The specified file will be used as the main boot file at the next reboot on slot 1! The specified file will be used as the main boot file at the next reboot on slot 2! # Reboot the device, and the boot file is updated at the system reboot.
  • Page 98: Configuring Authentication And Authorization On The Ftp Server

    To do… Use the command… Remarks Quit to user view quit — Manually release the FTP Optional connection established with the free ftp user username Available in user view specified username Configuring authentication and authorization on the FTP server To allow an FTP user to access certain directories on the FTP server, you need to create an account for the user, authorizing access to the directories and associating the username and password with the account.
  • Page 99: Ftp Server Configuration Example

    FTP server configuration example Network requirements • As shown in Figure 28, an IRF virtual device comprises a master and a slave FTP server. The member ID of the master is 1 and that of the slave switch is 2. The IRF virtual device serves as an FTP server, and the PC serves as an FTP client.
  • Page 100: Displaying And Maintaining Ftp

    # Log in to the FTP server through FTP. c:\> ftp 1.1.1.1 Connected to 1.1.1.1. 220 FTP service ready. User(1.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. # Download the configuration file config.cfg of the IRF virtual device to the PC for backup. ftp>...
  • Page 101 To do… Use the command… Remarks Display detailed information about display ftp-user [ | { begin | exclude | Available in any view logged-in FTP users include } regular-expression ]...
  • Page 102: Tftp Configuration

    TFTP configuration This chapter includes these sections: • TFTP overview • Configuring the TFTP client • TFTP client configuration example TFTP overview Introduction to TFTP The Trivial File Transfer Protocol (TFTP) provides functions similar to those provided by FTP, but it is less complex than FTP in interactive access interface and authentication.
  • Page 103: Fips Compliance

    HP recommends that you use the secure mode or, if you use the normal mode, specify a filename not existing in the current directory as the target filename when downloading the boot file or the startup configuration file.
  • Page 104: Displaying And Maintaining The Tftp Client

    To do… Use the command… Remarks Optional Use an ACL to control the device's By default, no ACL is used to tftp-server [ ipv6 ] acl acl-number access to TFTP servers control the device's access to TFTP servers. Optional tftp client source { interface A device uses the source Configure the source address of interface-type interface-number | ip...
  • Page 105 Figure 30 Smooth upgrading using the TFTP client function Configuration procedure Configure the PC (TFTP Server), the configuration procedure is omitted. On the PC, enable the TFTP server • Configure a TFTP working directory • Configure the IRF virtual device (TFTP Client) CAUTION: If the available memory space of the master and slave switches is not enough, use the fixdisk command to file...
  • Page 106: File Management

    File management This chapter includes these sections: • Managing files • Directory operations • File operations • Batch operations • Storage medium operations • Setting prompt modes • Example for file operations Managing files Files such as host software and configuration files that are necessary for the operation of the device are saved in the storage media of the device.
  • Page 107: Directory Operations

    Format Description Length Example Specifies a file in the specified storage medium on the device. flash:/test/a.cfg indicates a file drive represents the storage named a.cfg in the test folder in the medium name. The storage root directory of the flash memory medium on the master is usually on the master.
  • Page 108: Removing A Directory

    Removing a directory To do… Use the command… Remarks Required Remove a directory rmdir directory Available in user view NOTE: • The directory to be removed must be empty, meaning that before you remove a directory, you must delete all the files and the subdirectory in this directory. For file deletion, see the delete command; for subdirectory deletion, see the rmdir command.
  • Page 109: Copying A File

    The files in the recycle bin still occupy storage space. To delete a file in the recycle bin, execute the reset recycle-bin command in the directory to which the file originally belongs. HP recommends that you empty the recycle bin periodically with the reset recycle-bin command to save storage space.
  • Page 110: Verifying File Integrity

    The digest of a file can be used to verify the file integrity. For example, you can calculate the digest of a software image file and compare it with the file digest provided on the HP website to verify whether the file has been tampered with.
  • Page 111: Displaying And Maintaining The Nand Flash Memory

    To do… Use the command… Remarks Optional Restore the space of a storage fixdisk device medium Available in user view Optional Format a storage medium format device Available in user view CAUTION: • When you format a storage medium, all the files stored on it are erased and cannot be restored. If a startup configuration file exists on the storage medium, formatting the storage medium results in loss of the startup configuration file.
  • Page 112: Setting Prompt Modes

    To do… Use the command… Remarks display nandflash page-data Display data on the specified page-value [ | { begin | exclude | physical page include } regular-expression ] Setting prompt modes The system provides the following prompt modes: alert—in this mode, the system warns you about operations that may bring undesirable •...
  • Page 113 drw- Feb 16 2006 15:28:14 mytest 97920 KB total (2519 KB free) # Return to the upper directory. <Sysname> cd .. # Display the current working directory. <Sysname> pwd flash:...
  • Page 114: Configuration File Management

    Configuration file management The device provides the configuration file management function. You can manage configuration files on the user-friendly command line interface (CLI). This chapter includes these sections: • Configuration file overview • FIPS compliance • Saving the running configuration • Setting configuration rollback •...
  • Page 115: Configuration File Format And Content

    • You can execute the save command to save the running configuration to a configuration file. To make sure the configuration file can be loaded, HP recommends that you not edit the content and format of the configuration file. Startup configuration loading process Figure 31 shows the configuration loading process during startup.
  • Page 116 Figure 31 Startup configuration loading process Start Boot ROM runs Enter Boot menu? Startup configuration file specified? Main configuration file available? Backup configuration file available? Select “Skip Load default Load backup Load main Current System configuration file configuration file configuration file Configuration”...
  • Page 117: Fips Compliance

    FIPS compliance The switch supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see the Security Configuration Guide. Saving the running configuration Introduction To make configuration changes take effect at the next startup of the device, save the running...
  • Page 118: Modes In Saving The Configuration

    Modes in saving the configuration • Fast saving mode. This is the mode when you use the save command without the safely keyword. The mode saves the file more quickly but is likely to lose the existing configuration file if the device reboots or the power fails during the process.
  • Page 119: Setting Configuration Rollback

    HP recommends that you use the configuration file that is generated by using the backup function (manually or automatically). Configuration rollback can be applied in the following situations: •...
  • Page 120: Configuration Task List

    • Preserves all commands present in both the replacement configuration file and the running configuration. • Removes commands from the running configuration that are not present in the replacement configuration file. • Applies the commands from the replacement configuration file that are not present in the running...
  • Page 121: Enabling Automatic Saving Of The Running Configuration

    To do… Use the command… Remarks Required By default, the path and filename Configure the path and filename archive configuration location for saving configuration files are prefix for saving configuration directory filename-prefix not configured, and the system files filename-prefix does not save the configuration file at a specified interval.
  • Page 122: Manually Saving The Running Configuration

    Manually saving the running configuration Automatic saving of the running configuration occupies system resources, and frequent saving can greatly affect system performance. If the system configuration does not change frequently, disable the automatic saving of the running configuration and save it manually. In addition, automatic saving of the running configuration is performed periodically, while manual saving can immediately save the running configuration.
  • Page 123: Specifying A Startup Configuration File To Be Used At The Next System Startup

    Specifying a startup configuration file to be used at the next system startup To specify a startup configuration file to be used at the next system startup, use the following guidelines: Use the save command. If you save the running configuration to the specified configuration file in •...
  • Page 124: Deleting A Startup Configuration File To Be Used At The Next Startup

    Deleting a startup configuration file to be used at the next startup You can delete a startup configuration file to be used at the next startup at the CLI. On a device that has main and backup startup configuration files, you can choose to delete the main, the backup, or both. If the device has only one startup configuration to be used at the next startup, the system only sets the startup configuration file to NULL.
  • Page 125: Displaying And Maintaining A Configuration File

    Displaying and maintaining a configuration file To do… Use the command… Remarks display archive configuration [ | Display the information about { begin | exclude | include } Available in any view configuration rollback regular-expression ] display default-configuration [ | Display the factory defaults of the { begin | exclude | include } Available in any view...
  • Page 126: Software Upgrade Configuration

    Software upgrade configuration This chapter includes these sections: • Switch software overview • FIPS compliance • Software upgrade methods • Upgrading the Boot ROM program through a system reboot • Upgrading the boot file through a system reboot • Upgrading the boot file of an IRF member switch •...
  • Page 127: Fips Compliance

    FIPS compliance The switch supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see the Security Configuration Guide. Software upgrade methods You can upgrade the Boot ROM program and system boot file from the Boot menu or CLI.
  • Page 128 To do… Use the command… Remarks Enter system view system-view — Optional By default, the validity check function is enabled at the time of upgrading Boot ROM. The Boot ROM programs of member devices vary with devices, Enable the validity check function bootrom-update security-check so users are easily confused when when upgrading the Boot ROM...
  • Page 129: Upgrading The Boot File Through A System Reboot

    Upgrading the boot file through a system reboot Follow these steps to upgrade the boot file through a system reboot: To do… Use the command… Remarks Required For more information about FTP Save the boot file to the root or TFTP, see the chapters "FTP directory of the Flash of the master —...
  • Page 130: Software Upgrade By Installing Hotfixes

    To do… Use the command… Remarks Required For more information about FTP or Save the boot file to the root TFTP, see the chapters "FTP directory of the Flash of the master — configuration " and " TFTP device by using FTP, TFTP, or other configuration.
  • Page 131: Patch Status

    1, for identification, management and operation. For example, if a patch file has three patch units, they are numbered as 1, 2, and 3 respectively. Incremental patch An incremental patch means that the patch is dependent on the previous patch units. For example, if a patch file has three patch units, patch 3 can be run only after patch 1 and 2 take effect.
  • Page 132 NOTE: Information about patch states is saved in the file patchstate on the Flash. Do not operate this file. IDLE state Patches in the IDLE state are not loaded. You cannot install or run the patches, as shown in Figure 34 (suppose the memory patch area can load up to eight patches).
  • Page 133: Configuration Prerequisites

    Figure 36 Patches are activated RUNNING state After you confirm the running of the ACTIVE patches, the patch state becomes RUNNING and they are placed in the RUNNING state after system reboot. For the five patches in Figure 36, if you confirm running the first three patches, their states change from ACTIVE to RUNNING.
  • Page 134: One-Step Patch Installation

    • The following table describes the default patch name for each card type. Device PATCH-FLAG Default patch name HP 5120 SI PATCH-51s patch_51s.bin NOTE: Loading and installation are performed on all member devices of an IRF virtual device. Before performing these operations, save the same patch files to the root directories in the storage media of all member devices.
  • Page 135: Step-By-Step Patch Installation

    NOTE: • The patch matches the device type and software version. • To uninstall all patches in one operation, use the undo patch install command, which has the same effect as Step-by-step patch uninstallation. Step-by-step patch installation Follow these steps to load a patch file: To do…...
  • Page 136: Displaying And Maintaining The Software Upgrade

    To do… Use the command… Remarks Required When you stop running a patch, patch deactive patch-number slot the patch state becomes Stop running the specified patches slot-number DEACTIVE, and the system runs in the way before it is installed with the patch.
  • Page 137 Configuration on the TFTP server (Configurations may vary with different types of servers) Obtain the boot file and configuration file through legitimate channels, such as the official HP website, agents, and technical staff. Save these files under the working path of the TFTP server for the TFTP client access.
  • Page 138: Hotfix Configuration Example

    Setting the slave board ... Chassis 1 Slot 1: Set next configuration file successfully. Chassis 2 Slot 0: Set next configuration file successfully. Chassis 2 Slot 1: Set next configuration file successfully. # Specify the soft-version2.bin file as the boot file to be used at the next boot of all members of the IRF virtual device.
  • Page 139 # Before upgrading the software, use the save command to save the current system configuration. The configuration procedure is omitted. # Load the patch file patch_51s.bin from the TFTP server to the root directory of the master's storage medium. <Device> tftp 2.2.2.2 get patch_51s.bin # Load the patch file patch_51s.bin from the TFTP server to the root directory of the slave switch's storage medium.
  • Page 140: Device Management

    Device management This chapter includes these sections: • Configuring the device name • Configuring the system clock • Enabling displaying the copyright statement • Configuring banners • Configuring the exception handling method • Rebooting the device • Configuring scheduled tasks • Configuring the detection timer •...
  • Page 141: Device Management Overview

    — Optional Configure the device name sysname sysname The device name is HP by default. Configuring the system clock Configuring the system clock The system clock, displayed by system time stamp, is determined by the configured relative time, time zone, and daylight saving time. To view the system clock, use the display clock command.
  • Page 142: Displaying The System Clock

    Follow these steps to configure the system clock: To do… Use the command… Remarks Optional Set time and date clock datetime time date Available in user view. Enter system view system-view — Optional clock timezone zone-name { add | Set the time zone Universal time coordinated (UTC) minus } zone-offset time zone by default.
  • Page 143 Configuration System clock configured Example Configure: clock datetime 2:00 2007/2/2 and clock timezone zone-time add 1 1 and 2 date-time ± zone-offset System clock configured:: 03:00:00 zone-time Fri 02/02/2007 Configure: clock timezone zone-time add 1 and clock datetime 3:00 2007/3/3 [1], 2 and 1 date-time System clock configured:: 03:00:00...
  • Page 144 Configuration System clock configured Example Configure: clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 If "date-time" is not in the daylight and clock datetime 1:00 2008/1/1 saving time range, the system clock configured is "date-time". System clock configured:: 01:00:00 UTC Tue 01/01/2008 "date-time"...
  • Page 145: Enabling Displaying The Copyright Statement

    Configuration System clock configured Example Configure: clock timezone zone-time "date-time" is in the daylight add 1, clock summer-time ss one-off saving time range: 1:00 2008/1/1 1:00 2008/8/8 2 and clock datetime 1:30 2008/1/1 If the value of "date-time"-"summer-offset" is not System clock configured: 23:30:00 in the summer-time range, the zone-time Mon 12/31/2007...
  • Page 146: Configuring Banners

    • login banner, login welcome information, displayed when password or scheme authentication is configured. • motd (Message of the Day) banner, welcome information displayed before authentication. • legal banner, also called "license information". The system displays some copyright or license information, and then displays the legal banner before a user logs in, waiting for the user to confirm whether to continue the authentication or login.
  • Page 147: Banner Configuration Example

    Configure the banner to be header motd text Optional displayed before login Banner configuration example # Configure the banner to be displayed when a user enters user view as Welcome to HP!. • Single-line input mode: <System> system-view [System] header shell %Welcome to HP!% • Multiple-line input mode (method I):...
  • Page 148: Rebooting The Device

    Rebooting the device When a fault occurs to a running device, reboot the device with any of the following methods to remove the fault: Power on the device after powering it off, which is also called hard reboot or cold start. This method •...
  • Page 149: Configuring Scheduled Tasks

    CAUTION: • Device reboot might result in interruption of ongoing services. Use these commands with caution. • Before rebooting the device, use the save command to save the current configurations. For more information about the save command, see the Fundamentals Command Reference. •...
  • Page 150 Configuring a scheduled Configuring a scheduled Comparison item task—approach 1 task—approach 2 User view and system view. In the schedule job command, shell represents All views. In the time command, Supported views user view, and system represents system monitor represents user view. view.
  • Page 151: Configuring The Detection Timer

    Create a scheduled task and enter job job job-name Required view Required Specify the view in which the task is view view-name You can specify only one view for a executed task. time time-id at time date command command Required Configure a command to be Use any of the commands.
  • Page 152: Configuring Temperature Alarm Thresholds For A Member Device

    Configuring temperature alarm thresholds for a member device When the temperature of the device reaches a threshold, the device generates alarms. The temperature alarm thresholds include the low-temperature threshold, high-temperature warning threshold, and high-temperature alarming threshold. • If the temperature is lower than the low-temperature limit, the device logs the event and outputs the log information and trap information for users.
  • Page 153: Clearing The 16-Bit Interface Indexes Not Used In The Current System

    Clearing the 16-bit interface indexes not used in the current system In practical networks, the network management software requires the device to provide a uniform, stable 16-bit interface index. That is, a one-to-one relationship should be kept between the interface name and the interface index in the same device.
  • Page 154: Identifying And Diagnosing Pluggable Transceivers

    ] NOTE: • To identify an anti-spoofing pluggable transceiver customized by HP, use the Vendor Name field in the prompt information of the display transceiver command. If the field is HP, it is considered an HP-customized pluggable transceiver. • Electrical label information is also called permanent configuration data or archive information, which is...
  • Page 155: Diagnosing Pluggable Transceivers

    The system outputs alarm information for you to diagnose and troubleshoot faults of pluggable transceivers. Optical transceivers customized by HP also support the digital diagnosis function, which monitors the key parameters of a transceiver, such as temperature, voltage, laser bias current, TX power, and RX power.
  • Page 156 [ slot slot-number [ rps-id ] ] This command is available on only [ | { begin | exclude | include } Available in any view HP 5120-24G-PoE+ SI Switch regular-expression ] (JG091A) model. Display the configuration of the...
  • Page 157: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 158: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 159 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 160: Index

    Index B C D E F I L M N O R S T U W Displaying and maintaining a configuration file,118 Displaying and maintaining CLI,22 Backing up the startup configuration file,116 Displaying and maintaining CLI login,62 Batch operations,103 Displaying and maintaining device management configuration,148...
  • Page 161 Restoring a startup configuration file,117 Typing commands,6 Saving the current configuration,22 Undo form of a command,3 Saving the running configuration,110 Upgrading the boot file of an IRF member switch,122 Setting configuration rollback,112 Upgrading the boot file through a system reboot,122 Setting prompt modes,105...
