HP MSR Router Series Fundamentals Configuration Guide (V5)
Part number: 5998-8197
Software version: CMW520-R2513
Document version: 6PW106-20150808...
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
Contents
Using the CLI
Command conventions
Using the undo form of a command
CLI views
Entering system view from user view
Returning to the upper-level view from any view
...
Configuring the SSH server on the device
Using the device to log in to an SSH server
Local login through the AUX port
Configuring none authentication for AUX login
...
Enabling displaying the copyright statement
Configuring banners
Banner message input modes
Configuration procedure
Configuring the maximum number of concurrent users
Configuring the exception handling method
...
Displaying the contents of a file
Renaming a file
Copying a file
Moving a file
Deleting/restoring a file
Emptying the recycle bin
Calculating the digest of a file
...
Deployment guidelines
Enabling automatic configuration from a USB disk
Support and other resources
Contacting HP
Subscription service
Related information
Documents
...
Using the CLI
At the command-line interface (CLI), you can enter text commands to configure, manage, and monitor your device.
Figure 1 CLI example
You can log in to the CLI in a variety of ways. For example, you can log in through the console port, or using Telnet or SSH.
You are placed in user view immediately after you are logged in to the CLI. The user view prompt is <Device-name>, where the Device-name argument, representing the device hostname, defaults to HP and can be changed by using the sysname command. In user view, you can perform basic operations including display, debug, file management, FTP, Telnet, clock setting, and reboot.
Figure 3 CLI view hierarchy
Entering system view from user view
Task: Enter system view from user view.
Command: system-view
Returning to the upper-level view from any view
Task: Return to the upper-level view from any view.
Command: quit
Executing the quit command in user view terminates your connection to the device.
In public key code view, use the public-key-code end command to return to the upper-level view (public key view).
Accessing the CLI online help
The CLI online help is context sensitive. You can enter a question mark at any prompt or in any position of a command to display all available options.
To access the CLI online help, use one of the following methods:
•...
Entering a command
When you enter a command, you can use keys or hotkeys to edit the command line, or use abbreviated keywords or keyword aliases.
Editing a command line
Use the keys listed in Table 2 or the hotkeys listed in Table 3 to edit a command line.
Configuring and using command keyword aliases
The command keyword alias function allows you to replace the first keyword of a non-undo command or the second keyword of an undo command with your preferred keyword when you execute the command. For example, if you configure show as the alias for the display keyword, you can enter show in place of display to execute a display command.
Step: Configure hotkeys.
Command: hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command
Remarks: By default:
• Ctrl+G is assigned the display current-configuration command.
• Ctrl+L is assigned the display ip routing-table command.
• Ctrl+O is assigned the undo debugging all command.
Hotkey: Esc+P
Function: Moves the cursor up one line. This hotkey is available before you press Enter.
Hotkey: Esc+<
Function: Moves the cursor to the beginning of the clipboard.
Hotkey: Esc+>
Function: Moves the cursor to the ending of the clipboard.
Enabling redisplaying entered-but-not-submitted commands
The redisplay entered-but-not-submitted commands feature enables the system to display what you have typed (except Yes or No for confirmation) at the CLI when your configuration is interrupted by system output such as logs.
Using the command history function
The system can automatically save successfully executed commands to the command history buffer for the current user interface. You can view them and execute them again, or set the maximum number of commands that can be saved in the command history buffer. A command is saved to the command history buffer in the exact format as it was entered.
Pausing between screens of output
If the output being displayed is more than will fit on one screen, the system automatically pauses after displaying a screen. By default, up to 24 lines can be displayed on a screen. To change the screen length, use the screen-length screen-length command.
Table 6 Special characters supported in a regular expression
Character: ^string
Meaning: Matches the beginning of a line.
Examples: "^user" matches all lines beginning with "user". A line beginning with "Auser" is not matched.
Character: string$
Meaning: Matches the end of a line.
Examples: "user$" matches lines ending with "user". A line...
Meaning: Matches a single character not contained within the brackets.
Examples: [^16A] means to match a string containing any character except 1, 6 or A, and the matching string can also contain 1, 6 or A, but cannot contain these three characters only.
# Use | include Vlan in the display ip routing-table command to filter in route entries that contain Vlan.
<Sysname> display ip routing-table | include Vlan
Routing Tables: Public
Destination/Mask Proto Cost NextHop Interface
192.168.1.0/24 Direct 0 192.168.1.42 Vlan999
Configuring user privilege and command levels
To avoid unauthorized access, the device defines the user privilege levels and command levels in Table 7.
Configuring a user privilege level for users through the AAA module
Step: Enter system view.
Command: system-view
Step: Enter user interface view.
Command: user-interface { first-num1 [ last-num1 ] | { aux | console | tty | vty } first-num2 [ last-num2 ] }
Step: Specify the scheme...
Remarks: By default, the authentication mode for VTY and AUX users is...
Step: Configure the authentication type for SSH users as publickey.
Command: For more information, see Security Configuration Guide.
Remarks: Required only for SSH users who use public-key authentication.
Step: Enter system view.
Command: system-view
Step: Enter user interface view.
Command: user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }
Step: Enable the scheme...
Remarks: By default, the authentication...
ssh2 Establish a secure shell client connection
super Set the current user priority level
telnet Establish one TELNET connection
tracert Trace route function
# Configure the device to perform no authentication for Telnet users, and to authorize authenticated Telnet users to use level-0 and level-1 commands. (Use no authentication mode only in a secure network environment.)
<Sysname>...
After the user logs in again, the user privilege restores to the original level. To avoid problems, HP recommends that administrators log in with a lower privilege level to view switch operating parameters, and switch to a higher level temporarily only when they must maintain the device.
Step: Configure the password for the user privilege level.
Command: super password [ level user-level ] { cipher | simple } password
Remarks: If local authentication is involved, this step is required. By default, a privilege level has no password. If no user privilege level is specified when you configure the command, the user privilege level defaults to...
User privilege User interface level switching Information required for the Information required for the authentication authentication first authentication mode second authentication mode mode mode Password configured for the local privilege level on the device with the super password command. Password for privilege level Password configured for the switching configured on the local scheme...
Task: Display data in the clipboard.
Command: display clipboard [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
...
Login overview
This chapter describes the available login methods and their configuration procedures.
FIPS compliance
Table 9 shows the support of devices for the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
Login method: Logging in through SSH
Configuration requirements: To use SSH service, complete the following configuration tasks:
• Enable the SSH server function and configure SSH attributes.
• Assign an IP address to a Layer 3 interface and make sure the interface and the SSH client can reach each other.
User interface assignment
The device automatically assigns user interfaces to CLI login users, depending on their login methods. Each user interface can be assigned to only one user at a time. If no user interface is available, a CLI login attempt will be rejected. The maximum number of user interfaces varies by device. For a CLI login, the device always picks the lowest numbered user interface from the idle user interfaces available for the type of login.
Logging in to the CLI
By default, the first time you access the CLI you must log in through the console port. At the CLI, you can configure Telnet, SSH, or modem dial-in (through the AUX port) for remote access.
Logging in through the console port for the first time
To log in through the console port, make sure the console terminal has a terminal emulation program (for example, HyperTerminal in Windows XP).
Figure 5 Connection description
Figure 6 Specifying the serial port used to establish the connection...
Power on the device and press Enter at the prompt.
Figure 8 CLI
At the default user view prompt <HP>, enter commands to configure the device or view the running status of the device. To get help, enter ?.
Configuring console login control settings
The following authentication modes are available for controlling console logins:
None—Requires no authentication.
Table 13 Configuration required for different console login authentication modes
Authentication mode: None
Configuration tasks: Set the authentication mode to none for the console user interface.
Reference: "Configuring none authentication for console login"
Configuration tasks: Enable password authentication on the console user interface.
Reference: "Configuring password...
Figure 9 Accessing the CLI through the console port without authentication
Configuring password authentication for console login
Step: Enter system view.
Command: system-view
Step: Enter console user interface view.
Command: user-interface console first-number [ last-number ]
Step: Enable password...
Command: authentication-mode password
Remarks: By default, you can log in to the device through the console port...
• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
• If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device.
Step: Enable command...
Command: command accounting
Remarks: Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users. Command accounting allows the HWTACACS server to record all commands executed by users, regardless of command execution results. This function helps control and monitor user behaviors on the...
The next time you attempt to log in through the console port, you must provide the configured login username and password, as shown in Figure 1
Figure 11 Scheme authentication interface for console login
Configuring common console user interface settings (optional)
Some common settings configured for a console user interface take effect immediately and can interrupt the console login session.
Step: Specify the terminal display...
Remarks: By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends that you set the display type of both the device and the terminal to VT100. If the device...
Step: Set the idle-timeout timer.
Command: idle-timeout minutes [ seconds ]
Remarks: The default idle-timeout is 10 minutes. The system automatically terminates the user's connection if there is no information interaction between the device and the user within the idle-timeout time. Setting idle-timeout to 0 disables the idle-timeout function.
Table 15 Configuration required for different Telnet login authentication modes
Authentication mode: None
Configuration tasks: Set the authentication mode to none for the VTY user interface.
Reference: "Configuring none authentication for Telnet login"
Configuration tasks: Enable password authentication on the VTY user interface.
Reference: "Configuring password...
Figure 13 Telnetting to the device without authentication
Configuring password authentication for Telnet login
Step: Enter system view.
Command: system-view
Step: Enable Telnet server.
Command: telnet server enable
Step: Enter one or multiple VTY user interface views.
Command: user-interface vty first-number [ last-number ]
Step: Enable password authentication.
Command: authentication-mode password
Figure 14 Password authentication interface for Telnet login
Configuring scheme authentication for Telnet login
Follow these guidelines when you configure scheme authentication for Telnet login:
• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
Step: Enable command authorization.
Command: command authorization
Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level. If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme.
Step: Specify the command level of the local user.
Command: authorization-attribute level level
Remarks: Optional. By default, the command level is 0.
Step: Specify Telnet service for the local user.
Command: service-type telnet
Remarks: By default, no service type is specified.
Step: Exit to system view.
Command: quit
Step: Configure common...
Command: "Configuring common...
Step: Enter one or multiple VTY user interface views.
Command: user-interface vty first-number [ last-number ]
Step: Enable the terminal service.
Command: shell
Remarks: Optional. By default, terminal service is enabled.
Step: Enable the user interfaces to support PAD, Telnet, SSH, or all of...
Command: protocol inbound { all | pad |...
Remarks: Optional. By default, all the three protocols are supported. In non-FIPS mode, the device...
Using the device to log in to a Telnet server
You can use the device as a Telnet client to log in to a Telnet server. If the server is located in a different subnet than the device, make sure the two devices have routes to reach each other.
Figure 16 Telnetting from the device to a Telnet server
To use the device to log in to a Telnet server:
Step...
Table 16 SSH server and client requirements
Device role: SSH server
Requirements: Assign an IP address to a Layer 3 interface, and make sure the interface and the client can reach each other. Configure the authentication mode and other settings.
Requirements: If the host operates as an SSH client, run the SSH client program on the host.
Step: Enable command authorization.
Command: command authorization
Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level. If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme.
Step: Set a password for the local user.
Command: password { cipher | simple } password
Remarks: By default, no password is set.
Step: Specify the command level of the user.
Command: authorization-attribute level level
Remarks: Optional. By default, the command level is 0.
Step: Specify SSH service for the...
Command: service-type ssh
Remarks: By default, no service type is...
Figure 19 AUX login diagram
To control AUX logins, configure authentication and user privilege for AUX port users. By default, password authentication applies to AUX login, but no login password is configured. To allow AUX login, you must configure a password.
The following are authentication modes available for controlling AUX logins:
None—Requires no authentication and is insecure.
Step: Configure common settings for AUX login.
Command: "Configuring common settings for AUX login (optional)."
Remarks: Optional.
The next time you attempt to log in through the AUX port, you do not need to provide any username or password, as shown in Figure
Figure 20 Accessing the CLI through the AUX port without authentication
Configuring password authentication for AUX login...
Figure 21 Password authentication interface for AUX login
Configuring scheme authentication for AUX login
Follow these guidelines when you configure scheme authentication for AUX login:
• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
Step: Enable command authorization.
Command: command authorization
Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level. If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme.
Step: Create a local user and enter local user view.
Command: local-user user-name
Step: Set a password for the local user.
Command: password { cipher | simple } password
Remarks: By default, no password is set.
Step: Specifies the command level of the local user.
Command: authorization-attribute level level
Remarks: Optional. By default, the command level is...
associate Device A's IP address with the Telnet redirect listening port, a user can use the telnet DeviceA-IP-address command to log in to Device B. This Telnet redirect function enables a device to provide Telnet service with its IP address protected.
To configure common settings for AUX user interfaces:
Step Command...
By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends that you set the display type of both the device and the client to VT100. If the device and the client use...
Step: Configure the user interface to change carriage returns 0x0d 0x0a and 0x0d 0x00 received from Telnet clients to 0x0d during redirecting a Telnet...
Command: redirect return-deal from-telnet
Remarks: By default, the user interface does not change carriage returns received from Telnet clients during redirecting a Telnet connection.
IMPORTANT:
• Identify the mark on the console port and make sure you are connecting to the correct port.
• The serial ports on PCs do not support hot swapping. If the switch has been powered on, always connect the console cable to the PC before connecting to the switch, and when you disconnect the cable, first disconnect from the switch.
Figure 25 Specifying the serial port used to establish the connection
Figure 26 Setting the properties of the serial port
Power on the device and press Enter at the prompt.
Figure 27 CLI
At the default user view prompt <HP>, enter commands to configure the device or check the running status of the device. To get help, enter ?.
Modem dial-in through the AUX port
An administrator can use a pair of modems to remotely connect to the device through its AUX port over PSTN when the IP network connection is broken.
Authentication mode: Scheme
Configuration task: Enable scheme authentication on the AUX user interface. Configure local or remote authentication settings. To configure local authentication: Configure a local user and specify the password. Configure the device to use local authentication. To configure remote authentication:...
Reference: "Configuring scheme authentication for...
Launch the terminal emulation program on the PC and create a connection using the telephone number of the modem connected to the device. Figure 29 Figure 30 shows the configuration procedure in Windows XP HyperTerminal. On Windows Server 2003, add the HyperTerminal program first, and then log in to and manage the device as described in this document.
Character string CONNECT9600 is displayed on the terminal. Press Enter as prompted.
Figure 32 Login page
At the default user view prompt <HP>, enter commands to configure the device or check the running status of the device. To get help, enter ?.
IMPORTANT: Do not directly close the HyperTerminal.
Configuring none authentication for modem dial-in
Step: Enter system view.
Command: system-view
Step: Enter one or more AUX user interface views.
Command: user-interface aux first-number [ last-number ]
Step: Enable none authentication mode.
Command: authentication-mode none
Step: Configure common settings for the AUX user interfaces.
Command: "Configuring common settings...
Remarks: Optional.
The next time you attempt to dial in to the device, you must provide the configured login password, as shown in Figure
Figure 34 Password authentication interface for modem dial-in users
Configuring scheme authentication for modem dial-in
Follow these guidelines when you configure scheme authentication for AUX login:
•...
Step: Enable command authorization.
Command: command authorization
Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level. If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme.
Step: Create a local user and enter local user view.
Command: local-user user-name
Step: Set a password for the local user.
Command: password { cipher | simple } password
Remarks: By default, no password is set.
Step: Specify the command level of the local user.
Command: authorization-attribute level level
Remarks: Optional.
IMPORTANT: To avoid packet loss, make sure the speed of the AUX port is slower than the transmission rate of the modem.
You can connect a device (Device B) to the AUX port of the current device (Device A), and configure the current device to redirect a Telnet login user to that device.
Step: Configure the type of...
Remarks: By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends that you set the display type of both the device and the client to VT100. If the device and...
Step: Enable Telnet redirect for the current user interface.
Command: redirect enable
Remarks: By default, the redirect function is disabled.
Step: Specify a Telnet redirect listening port.
Command: redirect listen-port port-number
Remarks: The default port number is the absolute user interface number plus 2000.
Task: Display user interface information.
Command: display user-interface [ num1 | { aux | console | tty | vty } num2 ] [ summary ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display the configuration of the device when it serves as a Telnet...
Command: display telnet client configuration
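The user-interface and local-user settings covered in this chapter can be checked offline against a saved configuration. The following is an added example, not HP code: it groups the commands of a constructed configuration by view and flags authentication-mode none (with the privilege level granted), idle-timeout 0, an enabled Telnet server, and simple-form passwords that equal the user name or fall below an assumed eight-character policy. The function names, finding codes and sample configuration are illustrative.

```python
"""Offline check of a Comware V5 style configuration for weak CLI login settings."""
import re

# Constructed sample configuration (not from a real device). Command forms
# follow the guide; "user privilege level" is the user-interface view command.
SAMPLE_CONFIG = """\
#
 sysname Device
 telnet server enable
#
local-user admin
 password simple admin
 authorization-attribute level 3
 service-type telnet
local-user usera
 password simple 123
 service-type web
local-user ops
 password cipher EXAMPLE-CIPHERTEXT
 service-type ssh
#
user-interface console 0
 authentication-mode scheme
 idle-timeout 0
user-interface aux 0
 authentication-mode password
user-interface vty 0 4
 authentication-mode none
 user privilege level 1
#
"""

MIN_PASSWORD_LEN = 8  # assumed local policy, not a value from the guide
VIEW_HEADER = re.compile(r"^(user-interface|local-user)\s+(.+)$")
END_OF_VIEW = {"#", "quit", "return"}
IDLE_OFF = re.compile(r"^idle-timeout\s+0(?:\s+0)?$")  # "0" or "0 0" only
SIMPLE_PW = re.compile(r"^password\s+simple\s+(\S+)$")
PRIV_LEVEL = re.compile(r"^user privilege level\s+(\d+)$")


def parse_views(config_text):
    """Split the text into (kind, name, [(line_no, command), ...]) views.

    Commands outside a user-interface or local-user view are grouped under
    the pseudo-view ("system", "").
    """
    system = ("system", "", [])
    views = [system]
    current = system
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        command = raw.strip()
        if not command:
            continue
        if command in END_OF_VIEW:
            current = system
            continue
        header = VIEW_HEADER.match(command)
        if header:
            current = (header.group(1), header.group(2), [])
            views.append(current)
            continue
        current[2].append((line_no, command))
    return views


def audit(config_text):
    """Return findings as (code, line_no, detail) tuples sorted by line."""
    findings = []
    for kind, name, commands in parse_views(config_text):
        # The privilege level may be set before or after authentication-mode.
        level = "default"
        for _, command in commands:
            found = PRIV_LEVEL.match(command)
            if found:
                level = found.group(1)
        for line_no, command in commands:
            if kind == "system" and command == "telnet server enable":
                findings.append(("TELNET_ENABLED", line_no,
                                 "Telnet logins cross the network unencrypted"))
            elif kind == "user-interface" and command == "authentication-mode none":
                findings.append(("AUTH_NONE", line_no,
                                 f"user-interface {name}, privilege level {level}"))
            elif kind == "user-interface" and IDLE_OFF.match(command):
                findings.append(("IDLE_TIMEOUT_OFF", line_no,
                                 f"user-interface {name}"))
            elif kind == "local-user":
                pw = SIMPLE_PW.match(command)
                if pw and pw.group(1) == name:
                    findings.append(("WEAK_PASSWORD", line_no,
                                     f"local-user {name}: password equals user name"))
                elif pw and len(pw.group(1)) < MIN_PASSWORD_LEN:
                    findings.append(("WEAK_PASSWORD", line_no,
                                     f"local-user {name}: shorter than "
                                     f"{MIN_PASSWORD_LEN} characters"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for code, line_no, detail in audit(SAMPLE_CONFIG):
        print(f"line {line_no:>2}  {code:<17} {detail}")
```

The findings never echo the password value itself, so the report can be shared more widely than the configuration file.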
Logging in to the Web interface
The device provides a built-in Web server for you to configure the device through a Web browser. The device supports HTTP 1.0 and HTTPS for transferring webpage data across the Internet. HTTPS uses SSL to encrypt data between the client and the server for data integrity and security, and is more secure than HTTP.
Step: Configure the HTTP service port number.
Command: ip http port port-number
Remarks: Optional. The default HTTP service port is 80. If you execute the command multiple times, the most recent configuration takes effect.
Remarks: Optional. By default, the HTTP service is not associated with any ACL.
• If the HTTPS service and the SSL VPN service use the same port number, they must have the same SSL server policy. Otherwise, only one of the two services can be enabled.
• If the HTTPS service and the SSL VPN service use the same port number and the same SSL server...
Step: Associate the HTTPS service with a certificate...
Remarks: Optional. By default, the HTTPS service is not associated with any certificate-based attribute access control policy. Associating the HTTPS service with a certificate-based attribute access control policy enables the device to control the access rights of clients.
Step: Configure a password for the local user.
Command: password { cipher | simple } password
Remarks: By default, no password is configured for the local user.
Step: Specify the command level of the...
Command: authorization-attribute level level
Remarks: By default, no command level is configured for the local user.
<Sysname> system-view
[Sysname] interface ethernet1/1
[Sysname-Ethernet1/1] ip address 192.168.0.58 255.255.255.0
[Sysname-Ethernet1/1] quit
# Create a local user named admin, and set the password to admin for the user. Specify the Web service type for the local user, and set the command level to 3 for this user.
[Sysname] local-user admin
[Sysname-luser-admin] service-type web
[Sysname-luser-admin] authorization-attribute level 3...
Configuration procedure
This example assumes that the CA is named new-ca, runs Windows Server, and is installed with the SCEP add-on. This example also assumes that the device, host, and CA can reach each other.
Configure the device (HTTPS server):
# Configure a PKI entity, configure the common name of the entity as http-server1, and the FQDN of the entity as ssl.security.com.
# Associate the HTTPS service with certificate attribute-based access control policy myacp.
[Device] ip https certificate access-control-policy myacp
# Enable the HTTPS service.
[Device] ip https enable
# Create a local user named usera, set the password to 123, specify the Web service type, and specify the user privilege level 3.
Logging in through SNMP
You can run SNMP on an NMS to access the device MIB and perform GET and SET operations to manage and monitor the device. The device supports SNMPv1, SNMPv2c, and SNMPv3, and can work with various network management software products, including IMC. For more information about SNMP, see Network Management and Monitoring Configuration Guide.
NMS login example
Network requirements
Configure the device and network management station so you can remotely manage the device through SNMPv3.
Figure 40 Network diagram
Configuration procedure
Configure the device:
# Assign an IP address to the device. Make sure the device and the NMS can reach each other. (Details not shown.)
# Enter system view.
Controlling user logins
Use ACLs to prevent unauthorized logins. For more information about ACLs, see ACL and QoS Configuration Guide.
Controlling Telnet logins
Use a basic ACL (2000 to 2999) to filter Telnet traffic by source IP address. Use an advanced ACL (3000 to 3999) to filter Telnet traffic by source and/or destination IP address.
Step: Create an advanced ACL and enter its view, or enter the view of an existing advanced ACL.
Command: acl [ ipv6 ] number acl-number [ name name ] [ match-order { config | auto } ]
Remarks: By default, no advanced ACL exists.
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit
# Associate the ACL with the SNMP community and the SNMP group.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
Configuring Web login control...
Figure 43 Network diagram (Host A 10.110.100.46, Host B 10.110.100.52, IP network, Device)
Configuration procedure
# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B.
<Sysname> system-view
[Sysname] acl number 2030 match-order config
[Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0
# Associate the ACL with the HTTP service so only the Web users on Host B can access the device.
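How the basic ACL rules in the SNMP and Web login control examples decide which host may log in, as an added example that is not part of the guide. It assumes rules are checked in ascending rule ID order (match-order config), that a wildcard of 0 matches a single host, and that a source matching no rule is refused, as the Web example's "only the Web users on Host B" implies; the function names and the third rule set are constructed for illustration.

```python
"""Evaluate Comware basic ACL rules (source address only) against client IPs."""
import ipaddress
import re

# Rules as they appear in the guide's SNMP and Web login control examples.
ACL_SNMP_EXAMPLE = """\
rule 1 permit source 10.110.100.52 0
rule 2 permit source 10.110.100.46 0
"""
ACL_WEB_EXAMPLE = "rule 1 permit source 10.110.100.52 0\n"

# Constructed rule set (not from the guide): one host carved out of a /24,
# entered out of order to show that the rule ID, not entry order, decides.
ACL_CONSTRUCTED = """\
rule 10 permit source 10.110.100.0 0.0.0.255
rule 5 deny source 10.110.100.46 0
"""

RULE = re.compile(
    r"^rule\s+(\d+)\s+(permit|deny)\s+source\s+(?:(any)|(\S+)\s+(\S+))$")


def _wildcard(token):
    """Wildcard mask as an int; 1 bits are 'don't care'. '0' means one host."""
    return 0 if token == "0" else int(ipaddress.IPv4Address(token))


def parse_rules(text):
    """Return [(rule_id, action, address, wildcard)] in ascending rule ID
    order, the order used by 'match-order config'."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # not a basic source rule; ignored here
        rule_id, action, any_kw, addr, wild = m.groups()
        if any_kw:
            rules.append((int(rule_id), action, 0, 0xFFFFFFFF))
        else:
            rules.append((int(rule_id), action,
                          int(ipaddress.IPv4Address(addr)), _wildcard(wild)))
    return sorted(rules)


def decide(acl_text, source_ip):
    """Return (action, rule_id) for a login attempt from source_ip.

    Assumption: a source that matches no rule is refused, as in the guide's
    Web example where a single permit rule admits only Host B.
    """
    src = int(ipaddress.IPv4Address(source_ip))
    for rule_id, action, addr, wild in parse_rules(acl_text):
        care = ~wild & 0xFFFFFFFF  # bits that must be equal
        if (src ^ addr) & care == 0:
            return action, rule_id
    return "deny", None


if __name__ == "__main__":
    hosts = {"Host A": "10.110.100.46", "Host B": "10.110.100.52"}
    for label, acl in (("SNMP example", ACL_SNMP_EXAMPLE),
                       ("Web example", ACL_WEB_EXAMPLE),
                       ("constructed", ACL_CONSTRUCTED)):
        for host, ip in hosts.items():
            action, rule_id = decide(acl, ip)
            print(f"{label:<13} {host} {ip:<14} -> {action} (rule {rule_id})")
```

Running candidate source addresses through decide before applying an ACL to a login service shows whether a management host would be locked out or an unintended subnet admitted.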
A device name identifies a device in a network and works as the user view prompt at the CLI. For example, if the device name is Sysname, the user view prompt is <Sysname>.
To configure the device name:
Step: Enter system view.
Command: system-view
Step: Configure the device name.
Command: sysname sysname
Remarks: Optional. The default device name is HP.
Changing the system time
You must synchronize your device with a trusted time source by using NTP or changing the system time before you run it on the network. Network management depends on an accurate system time setting, because the timestamps of system messages and logs use the system time. For NTP configuration, see Network Management and Monitoring Configuration Guide.
Command Effective system time Configuration example System time clock datetime 1:00 date-time outside the 2007/1/1 daylight saving time 01:00:00 UTC Mon clock summer-time ss range: 01/01/2007 one-off 1:00 date-time 2006/1/1 1:00 2006/8/8 2 10:00:00 ss Mon 01/01/2007 If the date-time plus 1, 3 clock datetime 8:00 summer-offset is outside the...
Step Command Remarks • Set a non-recurring scheme: clock summer-time zone-name Optional. one-off start-time start-date Use either command. end-time end-date add-time Set a daylight saving time By default, daylight saving time is scheme. • Set a recurring scheme: disabled, and the UTC time zone clock summer-time zone-name applies.
keywords and the delimiters cannot exceed 510 characters. In this mode, do not press Enter before you input the end delimiter. For example, you can configure the shell banner "Have a nice day." as follows:
<System> system-view
[System] header shell %Have a nice day.%
Multiple-line input
•...
Configuring the maximum number of concurrent users
You can configure this command to limit the number of users that can enter the system view simultaneously. When the number of concurrent users reaches the upper limit, other users cannot enter system view. When multiple users configure a setting in system view, the most recent configuration applies.
• Reboot the device immediately at the CLI.
• At the CLI, schedule a reboot to occur at a specific time and date or after a delay.
• Power off and then power on the device. This method might cause data loss, and is the...
Job configuration methods
You can configure jobs by using the non-modular or modular method. Use the non-modular method for a one-time command execution and use the modular method for complex maintenance work.
Table 22 A comparison of non-modular and modular methods
Scheduling a job by using the Scheduling a job by using the Comparison item...
Scheduling a job by using the non-modular method To schedule a job, execute one of the following commands in user view: Task Command Remarks Use either command. • Schedule a job to run a NOTE: command at a specific time: •...
Page 100
Figure 44 Network diagram
Configuration procedure
# Enter system view.
<Sysname> system-view
# Create a job named pc1, and enter its view.
[Sysname] job pc1
# Configure the job to be executed in the view of Ethernet 1/1.
[Sysname-job-pc1] view ethernet 1/1
# Configure the device to enable Ethernet 1/1 at 8:00 on working days every week.
# Configure the device to shut down Ethernet 1/3 at 18:00 on working days every week.
[Sysname-job-pc3] time 2 repeating at 18:00 week-day mon tue wed thu fri command shutdown
[Sysname-job-pc3] quit
# Display information about scheduled jobs.
[Sysname] display job
Job name: pc1
Specified view: Ethernet1/1
Time 1: Execute command undo shutdown at 08:00 Mondays Tuesdays Wednesdays Thursdays...
Figure 45 Handling console login password loss (flowchart steps: Console login password lost; Reboot the device to access the extended Boot ROM menu; Password recovery capability enabled?; Restore to Factory Default; Skip Current System Configuration; Skip Authentication for Console Login; Reboot the device; Configure new password in system view; Save the running configuration...)
NMS of the new IP address. IP address changes on an interface that is not monitored are ignored. The device preferentially monitors the primary interface. HP recommends that you specify the interface that has the better route or the more reliable link as the primary interface.
To monitor NMS-connected interfaces: Step Command Remarks Enter system view. system-view • Specify the primary interface: Configure at least one command. nms primary monitor-interface By default, no interfaces are interface-type interface-number configured as NMS-connected Specify NMS-connected • Specify the secondary interfaces to be monitored.
Ethernet packet transmission by switching the interface card to operate in EFM mode, thus protecting user investment and improving packet transmission speed, because ATM devices no longer have to convert between Ethernet packets and ATM cells.
• 3G modem (PPP/Ethernet)—Supports switching between PPP mode and Ethernet mode. In PPP mode, the link layer protocol is PPP and the network layer protocol is IP.
Verifying transceiver modules
You can verify the genuineness of a transceiver module in the following ways:
• Display the key parameters of a transceiver module, including its transceiver type, connector type, central wavelength of the transmit laser, transfer distance and vendor name.
•...
Disabling the USB ports
Before you disable the USB ports, make sure the USB ports are not being used for data read/write operation. Otherwise, the operation might fail. Disabling the USB ports also disables the USB-based storage and 3G functions.
To disable the USB ports: Task Command...
Page 108
Task Command Remarks display diagnostic-information [ | Display or save running status data { begin | exclude | include } Available in any view. for multiple feature modules. regular-expression ] display cpu-usage [ entry-number [ offset ] [ verbose ] [ from-device ] ] [ | Display CPU usage statistics.
Managing configuration files
You can manage configuration files at the CLI or by using the Boot menu of the device. This chapter describes only managing configuration files from the CLI.
Overview
A configuration file saves configurations as a set of text commands. You can save the running configuration to a configuration file so the configuration takes effect after you reboot the device.
• You can execute the save command to save the running configuration to a configuration file.
To make sure the configuration file can be loaded, HP recommends not modifying the content and format of the configuration file.
Next-startup configuration file redundancy
You can specify one main next-startup configuration file and one backup next-startup configuration file for redundancy.
Hardware    FIPS mode
MSR30       Yes (except the MSR30-16).
MSR50       Yes.
MSR1000     Yes.
Saving the running configuration
To make configuration changes take effect at the next startup, save the running configuration to the startup configuration file to be used at the next startup before the device reboots.
Complete the following tasks to save the running configuration: Task Remarks...
process, the next-startup configuration file is lost. You must re-specify a new startup configuration file after the device reboots (see "Specifying a configuration file for the next startup").
• Safe mode—Use the save command with the safely keyword. Safe mode is slower than fast mode,...
• Overwrite the configuration file—The system uses the running configuration to overwrite the old configuration file on the device without backing up the file.
Make sure the storage medium has enough space for the backup configuration file and the new next-startup configuration file.
Step Command Remarks Create the configuration See "Managing the file system." archive directory. Enter system view. system-view By default, no path or file name prefix is set for configuration archives, and the system does not regularly save configuration. IMPORTANT: Configure the directory and archive configuration location The undo form of this command file name prefix for archiving...
Manually archiving running configuration
To save system resources, disable automatic configuration archiving and manually archive configuration if the configuration will not be changed very often. You can also manually archive configuration before performing complicated configuration tasks so you can use the archive for configuration recovery after the configuration attempt fails.
Task: Specify the startup configuration file to be used at the next startup.
Command: startup saved-configuration cfgfile [ backup | main ]
Remarks: The configuration file must use the .cfg extension and be saved in the root directory of storage media.
Deleting a next-startup configuration file
CAUTION: This task permanently deletes the next-startup configuration file from the device. Before performing this task, back up the file as needed.
You can delete the main, the backup, or both. If the main and backup next-startup configuration files are the same file, the system sets the attribute of the configuration file to NULL instead of deleting the file.
Managing the file system
The following matrix shows the storage media supported on different router models:
Hardware    Storage media
MSR900      Flash, USB disk
MSR93X      Flash, USB disk
MSR20-1X    Flash, USB disk
MSR20       CF card,...
Format Description Length Example Specifies a file in a specific folder in the current working directory. The path argument represents the test/a.cfg indicates a file named path to the file. If the file is in a 1 to 135 path/file-name a.cfg in the test folder in the current single-level folder, specify the characters...
The copy operation enables you to create a file. You can also create a file by performing the download operation or using the save command.
Displaying file information
Perform this task in user view.
Task: Display file or directory information.
Command: dir [ /all ] [ file-url | /all-filesystems ]
Displaying the contents of a file
Perform this task in user view....
A file in the recycle bin occupies storage space. To release the occupied space, execute the reset recycle-bin command in the directory that holds the file. To save storage space, periodically empty the recycle bin with the reset recycle-bin command. Perform the following tasks in user view: Task Command...
Task Command Display the current working directory. Changing the current working directory Perform this task in user view. Task Command Change the current working cd { directory | .. | / } directory. Creating a directory Perform this task in user view. Task Command Create a directory.
To manage the space of a storage medium, perform one of the following tasks in user view:
Task: Repair a storage medium.
Command: fixdisk device
Task: Format a storage medium.
Command: format device [ FAT16 | FAT32 ]
Remarks: FAT16 and FAT32 are not applicable to a Flash.
Task: Mount a storage medium.
Command: mount device
Remarks: By default, a storage medium is automatically mounted and in mounted state when connected to the system.
Task: Unmount a storage medium.
Command: umount device
Remarks: By default, a storage medium is automatically mounted and in mounted state when connected to the system....
Task: Display data on the specified physical page.
Command: display nandflash page-data page-value [ | { begin | exclude | include } regular-expression ]
Performing batch operations
A batch file comprises a set of executable commands. Executing a batch file is the same as executing the commands one by one.
Page 126
19540 KB total (2521 KB free)
# Create new folder mytest in the test directory.
<Sysname> cd test
<Sysname> mkdir mytest
%Created dir flash:/test/mytest.
# Display the current working directory.
<Sysname> pwd
flash:/test
# Display the files and the subdirectories in the test directory.
<Sysname>...
Configuring FTP
NOTE: FTP is not supported in FIPS mode.
File Transfer Protocol (FTP) is an application layer protocol based on the client/server model. It is used to transfer files from one host to another over a TCP/IP network. FTP server uses TCP port 20 to transfer data and TCP port 21 to transfer control commands. For more information about FTP, see RFC 959.
Using the device as an FTP client
To connect to an FTP server or enter FTP client view, make sure the following requirements are met:
• You have level-3 (Manage) user privileges on the device. In FTP client view, whether a directory or...
Step Command Remarks • (Method 1) Log in to the remote FTP server in user view: ftp [ server-address [ service-port ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ip Log in to the remote FTP Use either method.
Working with the files on the FTP server
After you log in to the server, you can upload a file to or download a file from the authorized directory by following these steps:
Use the dir or ls command to display the directory and the location of the file on the FTP server.
Delete unused files to get more free storage space.
Maintaining and troubleshooting the FTP connection
Task: Display the help information of FTP-related commands on the FTP server.
Command: remotehelp [ protocol-command ]
Task: Enable information display in a detailed manner.
Command: verbose
Remarks: By default, the function is enabled.
Task: Enable FTP related debugging when the device acts as the FTP client.
Command: debugging
Remarks: By default, the function is...
Press CTRL+K to abort
Connected to 10.1.1.1
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(10.1.1.1:(none)):abc
331 Give me your password, please
Password:
230 Logged in successfully
# Set the file transfer mode to binary.
[ftp] binary
200 Type set to I.
NOTE: When you use the Internet Explorer browser to log in to the device operating as an FTP server, some FTP functions are not available. This is because multiple connections are required during the login process but the device supports only one connection at a time.
Configuring basic parameters
The FTP server uses one of the following modes to update a file when you upload the file (use the put command) to the FTP server:...
• Remote authentication—The device sends the client's username and password to a remote authentication server for authentication. The user account is configured on the remote authentication server rather than the device.
To assign an FTP user write access (including upload, delete, and create) to the device, assign level-3 (Manage) user privileges to the user.
Page 135
# Create a local user account abc, set its password to abc and the user privilege level to level 3 (the manage level), specify the root directory of the Flash as the authorized directory, and specify the service type as FTP.
<Sysname>...
NOTE: After you finish transferring the Boot ROM image through FTP, execute the bootrom update command to upgrade Boot ROM.
Upgrade the device:
# Specify newest.bin as the main system software image file for the next startup.
<Sysname> boot-loader file newest.bin main
IMPORTANT: The system software image file used for the next startup and the startup configuration file must be saved in the root directory of the storage medium.
Configuring TFTP
NOTE: TFTP is not supported in FIPS mode.
Trivial File Transfer Protocol (TFTP) is a simplified version of FTP for file transfer over secure reliable networks. TFTP uses UDP port 69 for connection establishment and data transmission. In contrast to TCP-based FTP, TFTP requires no authentication or complex message exchanges, and is easier to deploy.
Using the device as a TFTP client
The device provides the following modes for downloading a new file from a TFTP server:
• Normal download—The new file is written directly to the storage medium and overwrites the old file that has the same name as it. If file download is interrupted, both old and new files are lost.
• Secure download—The new file is downloaded to memory and will not be written to the storage...
Step Command Remarks • For IPv4: tftp server-address { get | put | sget } source-filename [ destination-filename ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ip Download or upload a file. Optional. source-ip-address } ] •...
Page 140
# Examine the storage medium of the device for insufficiency or impairment. If sufficient free space is not available, use the fixdisk command to fix the storage medium or use the delete /unreserved file-url command to delete unused files. (Details not shown.)
# Download system software image file newest.bin from the PC.
Managing licenses
License compliance
Table 28 shows the support of devices for the license feature.
Table 28 Hardware and license compatibility matrix
Hardware License MSR900 MSR93X MSR20-1X MSR20 MSR30 MSR50 Yes (Only supported by MPU-G2) MSR1000
Registering the software
The system software comes with a trial period. You must register the software within its trial period. If you have not registered the software before the trial period expires, the software automatically restarts every 30 minutes.
Upgrading software
You can use the CLI or Boot menu to upgrade software. This chapter describes only upgrading the software and installing hotfixes from the CLI. Upgrading software includes upgrading the BootWare (called "bootrom" in CLI) and system software. Each time the device is powered on, it runs the BootWare image to initialize hardware and display hardware information, and then runs the system software image (called the "boot file"...
Hardware FIPS mode MSR30 Yes (except the MSR30-16). MSR50 Yes. Software upgrade methods You can use one of the following methods to upgrade software: Upgrading method Software types Remarks Upgrading from the CLI: • BootWare image • You must reboot the device to complete the upgrade. System software Upgrading software This method causes service disruption.
Upgrading system software Step Command Remarks Use FTP or TFTP to transfer the The image file must be saved in system software image to the See "Configuring FTP" or the root directory for a successful root directory of the device's "Configuring TFTP."...
Patch states
A patch is in IDLE, DEACTIVE, ACTIVE, or RUNNING state, depending on the patch manipulation command. Patch manipulation commands include patch load (load), patch active (run temporarily), patch run (confirm running), patch deactive (stop running), patch delete (delete), patch install (install), and undo patch install (uninstall).
Page 146
Figure 53 Patches that are not loaded to the patch memory area
DEACTIVE state
Patches in DEACTIVE state have been loaded to the patch memory area but have not yet run in the system. Suppose that the patch file you are loading has seven patches. After the seven patches successfully pass the version check and CRC check, they are loaded to the patch memory area and are in DEACTIVE state.
Figure 55 Patches are activated
RUNNING state
After you confirm ACTIVE patches, their state changes to RUNNING and persists after a reboot. In contrast to ACTIVE patches, RUNNING patches continue to take effect after a reboot. For example, if you confirm the first three patches in Figure 55, their state changes from ACTIVE to RUNNING, and the...
• Save the patch file or the patch package file to the root directory of the device's storage media.
• Correctly name a patch file in the patch_PATCH-FLAG suffix.bin format. The PATCH-FLAG suffix is pre-defined, and must be the same as the first three characters of the value for the Version field in the output from the display patch information command....
Page 149
Task                          Remarks
Loading a patch file          Required.
Activating patches            Required.
Confirming ACTIVE patches     Optional.
Configuring the patch file location
The patch file location must be the root directory of a storage medium. If the device has only one storage medium, you do not need to perform this task.
To configure the patch file location: Step Command...
Activating patches
Activating a patch changes its state to ACTIVE. An ACTIVE patch runs in memory until a reboot occurs. To have a patch continue to run after a reboot, you must change its state to RUNNING.
To activate patches: Step Command Enter system view....
Displaying and maintaining software upgrade Task Command Remarks Display information about the display boot-loader [ | { begin | exclude Available in any view. system software image. | include } regular-expression ] Display information about the display patch [ | { begin | exclude | Available in any view.
[FTP-Server-luser-aaa] authorization-attribute work-directory flash:/aaa
Configure the device:
# Log in to the FTP server.
<Device> ftp 2.2.2.2
Trying 2.2.2.2 ...
Press CTRL+K to abort
Connected to 2.2.2.2.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(2.2.2.2:(none)):aaa
331 Give me your password, please
Password:
230 Logged in successfully...
Page 153
# Save the patch file patch_xxx.bin to the directory of the TFTP server. (Details not shown.)
Configure the device:
# Use the save command to save the running configuration. (Details not shown.)
# Examine the space of the Flash on the device. If the free space is not sufficient for the patches, delete unused files to release space.
Automatic configuration
Automatic configuration enables a device without any configuration file to automatically obtain and execute a configuration file during startup. Automatic configuration simplifies network configuration, facilitates centralized management, and reduces maintenance workload. To implement automatic configuration, the network administrator saves configuration files on a server and a device automatically obtains and executes a specific configuration file.
How automatic configuration operates
During startup, the device sets the first interface in up state as the DHCP client to request parameters from the DHCP server, such as an IP address and name of a TFTP server, IP address of a DNS server, and the configuration file name.
Using DHCP to obtain an IP address and other configuration information
Address acquisition process
As mentioned in "How automatic configuration operates," a device sets the first up interface as the DHCP client during startup. The DHCP client broadcasts a DHCP request, where the Option 55 field specifies the information the client wants to obtain from the DHCP server such as the configuration file name, domain name and IP address of the TFTP server, and DNS server IP address.
To configure static address pools, you must obtain corresponding client IDs. To obtain a device's client ID, use the display dhcp server ip-in-use command to display address binding information on the DHCP server after the device obtains its IP address through DHCP.
Obtaining the configuration file from the TFTP server
A device can obtain the following files from the TFTP server during automatic configuration:
• The configuration file specified by the Option 67 or file field in the DHCP response.
Page 158
Obtaining the configuration file
Figure 61 Obtaining the configuration file
A device obtains its configuration file by using the following work flow:
• If the DHCP response contains the configuration file name, the device requests the specified configuration file from the TFTP server. If not, the device tries to get its host name from the host name file obtained from the TFTP server.
• If the IP address and the domain name of the TFTP server are not contained in the DHCP response or they are illegitimate, the device broadcasts a TFTP request.
After broadcasting a TFTP request, the device selects the TFTP server that responds first to obtain the configuration file.
During the reboot, the device checks whether all commands in the main startup configuration file are executed successfully. If yes, the automatic configuration succeeds. If not, the automatic configuration fails, and the device writes a log entry to a log file that is named autodeploy.cfg.log and saved in the root directory of the USB disk.
The USB disk for automatic configuration must be inserted to the device before the device starts up.
The configuration file intended for automatic configuration must meet the following requirements:
• Be named in the format device serial number.cfg or xxx.autodeploy.cfg, or use the name...
Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
Page 164
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.