HPE FlexFabric 5940 Series Configuration Manual

HPE FlexFabric 5940 Switch Series
Fundamentals Configuration Guide
Part number: 5200-1009b
Software version: Release 25xx
Document version: 6W102-20170830


Summary of Contents for HPE FlexFabric 5940 Series

  • Page 2 © Copyright 2017 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents
    Using the CLI (p. 1)
    CLI views (p. 1)
    Entering system view from user view (p. 2)
    Returning to the upper-level view from any view (p. 2)
    Returning to user view (p. 2)
    Accessing the CLI online help (p. 2)
    ...
  • Page 4
    Troubleshooting RBAC (p. 41)
    Local users have more access permissions than intended (p. 41)
    Login attempts by RADIUS users always fail (p. 41)
    Login overview (p. 42)
    Using the console port for the first device access (p. 44)
    ...
  • Page 5
    Using the device as an FTP client (p. 80)
    Establishing an FTP connection (p. 80)
    Managing directories on the FTP server (p. 81)
    Working with files on the FTP server (p. 82)
    Changing to another user account (p. 83)
    ...
  • Page 6
    Restrictions and guidelines (p. 101)
    Using different methods to save the running configuration (p. 101)
    Configuring configuration rollback (p. 102)
    Configuration task list (p. 103)
    Setting configuration archive parameters (p. 103)
    Enabling automatic configuration archiving (p. 104)
    ...
  • Page 7
    Feature upgrade to an incompatible version (p. 132)
    Feature rollback example (p. 134)
    Examples of using install commands for ISSU (p. 136)
    Feature upgrade example (p. 136)
    Feature rollback example (p. 139)
    Managing the device (p. 140)
    ...
  • Page 8
    Using automatic configuration (p. 171)
    Overview (p. 171)
    Using server-based automatic configuration (p. 171)
    Server-based automatic configuration task list (p. 171)
    Configuring the file server (p. 172)
    Preparing the files for automatic configuration (p. 172)
    ...
  • Page 9: Using The Cli

    Using the CLI
    At the command-line interface (CLI), you can enter text commands to configure, manage, and monitor the device. The following text is displayed when you access the CLI:
    ******************************************************************************
    * Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP
    * Without the owner's prior written consent,
    * no decompiling or reverse-engineering shall be allowed.
  • Page 10: Entering System View From User View

    Enter interface view to configure interface parameters. Enter VLAN view to add ports to the VLAN. Enter user line view to configure login user attributes. A feature view might have child views. For example, NQA operation view has the child view HTTP operation view.
  • Page 11: Using The Undo Form Of A Command

    debugging  Enable to display debugging logs on the current terminal
    logging    Display logs on the current terminal
    monitor    Enable to display logs on the current terminal
    If the question mark is in the place of an argument, the CLI displays the description for the argument.
  • Page 12: Entering A Text Or String Type Value For An Argument

    Table 1 Command line editing keys
    Keys: Common keys
    Function: If the edit buffer is not full, pressing a common key inserts a character at the cursor and moves the cursor to the right. The edit buffer can store up to 511 characters.
  • Page 13: Entering An Interface Type

    Entering an interface type
    You can enter an interface type in one of the following formats:
    • Full spelling of the interface type.
    • An abbreviation that uniquely identifies the interface type.
    • Acronym of the interface type.
    For a command line, all interface types are case insensitive. Table 2 shows the full spellings and acronyms of interface types.
  • Page 14: Configuring And Using Command Aliases

    Configuring and using command aliases You can configure one or more aliases for a command or the starting keywords of commands. Then, you can use the aliases to execute the command or commands. If the command or commands have undo forms, you can also use the aliases to execute the undo command or commands. For example, if you configure the alias shiprt for display ip routing-table, you can enter shiprt to execute the display ip routing-table command.
  • Page 15: Configuring And Using Command Hotkeys

    Configuring and using command hotkeys The system defines the hotkeys shown in Table 4 and provides a set of configurable command hotkeys. Pressing a command hotkey is the same as entering a command. If a hotkey is also defined by the terminal software you are using to interact with the device, the terminal software definition takes effect.
  • Page 16: Enabling Redisplaying Entered-But-Not-Submitted Commands

    Hotkey: Function
    Esc+B: Moves the cursor back one word.
    Esc+D: Deletes all characters from the cursor to the end of the word.
    Esc+F: Moves the cursor forward one word.
    Esc+N: Moves the cursor down one line. You can use this hotkey before pressing Enter.
    Moves the cursor up one line.
  • Page 17: Using The Command History Feature

    Using the command history feature
    The system automatically saves commands successfully executed by a login user to the following two command history buffers:
    • Command history buffer for the user line.
    • Command history buffer for all user lines.
    Table 6 Comparison between the two types of command history buffers
    Command history buffer for a user Command history buffer for all Item...
  • Page 18: Repeating Commands In The Command History Buffer For A Line

    Repeating commands in the command history buffer for a line You can recall and execute commands in the command history buffer for the current user line multiple times. To repeat commands in the command history buffer for the current user line: Task Command Remarks...
  • Page 19: Numbering Each Output Line From A Display Command

    Task: Disable pausing between screens of output for the current CLI session.
    Command: screen-length disable
    Remarks: By default, a CLI session uses the screen-length screen-length command settings in user line view. This command is a one-time command and takes effect only for the current CLI session.
  • Page 20
    Characters, Meaning, Examples
    Meaning: Matches the end of a line.
    Examples: "u$" matches all lines ending with "u". A line ending with "uA" is not matched.
    Characters: . (period)
    Meaning: Matches any single character.
    Examples: ".s" matches "as" and "bs".
    Matches the preceding character or "zo*"...
  • Page 21
    Characters, Meaning, Examples
    Meaning: Matches a word that starts with the pattern following \b or ends with the pattern preceding \b.
    Examples: "er\b" matches "never", but not "verb" or "erase". "\ber" matches "erase", but not "verb" or "never".
    Matches a word that contains the pattern but does not start or end with "er\B"...
  • Page 22: Saving The Output From A Display Command To A File

    Type: A - access; T - trunk; H - hybrid
    Interface Link Speed Duplex Type PVID Description
    XGE1/0/1 10G(a) F(a)
    # Display SNMP-related running configuration lines.
    <Sysname> display current-configuration | include snmp
    snmp-agent
    snmp-agent community write private
    snmp-agent community read public
    snmp-agent sys-info version all
    snmp-agent target-host trap address udp-domain 192.168.1.26 params securityname public
    Saving the output from a display command to a file...
  • Page 23: Viewing And Managing The Output From A Display Command Effectively

    Description: VLAN 0001
    Name: VLAN 0001
    Tagged ports: None
    Untagged ports: None
    VLAN ID: 999
    VLAN type: Static
    Route interface: Configured
    IP address: 192.168.2.1
    Subnet mask: 255.255.255.0
    Description: For LAN Access
    Name: VLAN 0999
    Tagged ports: None
    Untagged ports: None
    Viewing and managing the output from a display command effectively
    You can use the following methods in combination to filter and manage the output from a display...
  • Page 24 have been successfully executed, except for the one-time commands. Typical one-time commands include display commands used for displaying information and reset commands used for clearing information. For more information about the save command, see Fundamentals Command Reference.
  • Page 25: Configuring Rbac

    Configuring RBAC Overview Role-based access control (RBAC) controls user access to items and system resources based on user roles. In this chapter, items include commands, XML elements, and MIB nodes, and system resources include interfaces, VLANs, and VPN instances. RBAC assigns access permissions to user roles that are created for different job functions. Users are given permission to access a set of items and resources based on the users' user roles.
  • Page 26
    • Read—Commands, XML elements, or MIB nodes that display configuration and maintenance information. For example, the display commands and the dir command.
    • Write—Commands, XML elements, or MIB nodes that configure the features in the system. For example, the info-center enable command and the debugging command.
    •...
  • Page 27: User Role Assignment

    User role name: network-operator
    Permissions:
    • Accesses the display commands for features and resources in the system. To display all accessible commands of the user role, use the display role command.
    • Enables local authentication login users to change their own passwords.
  • Page 28: Fips Compliance

    Depending on the authentication method, user role assignment has the following methods:
    • AAA authorization—If scheme authentication is used, the AAA module handles user role assignment. If the user passes local authorization, the device assigns the user roles specified in the local user account.
  • Page 29: Configuring User Role Rules

    Step: Create a user role and enter its view.
    Command: role name role-name
    Remarks: By default, the system has the following predefined user roles:
    • network-admin.
    • network-operator.
    • level-n (where n equals an integer in the range of 0 to 15).
    •...
  • Page 30: Configuration Procedure

    rule 2 deny read write oid 1.3.6.1.4.1
    rule 3 permit read write oid 1.3.6.1.4.1
    Configuration procedure
    To configure rules for a user role:
    Step: Enter system view.
    Command: system-view
    Step: Enter user role view.
    Command: role name role-name
    Command:
    • Configure a command rule: rule number { deny | permit } command command-string
    Remarks: By default, a user-defined user role...
  • Page 31: Configuring Resource Access Policies

    Step: Add a feature to the feature group.
    Command: feature feature-name
    Remarks: By default, a feature group does not have any feature. Repeat this step to add multiple features to the feature group.
    IMPORTANT: You can specify only features available in the system.
  • Page 32: Configuring The User Role Vpn Instance Policy

    Step: Enter user role VLAN policy view.
    Command: vlan policy deny
    Remarks: By default, the VLAN policy of the user role permits access to all VLANs. This command denies the access of the user role to all VLANs if the permit vlan command is not configured.
  • Page 33: Assigning User Roles To Remote Aaa Authentication Users

    Step: Enter system view.
    Command: system-view
    Step: Enable the default user role feature.
    Command: role default-role enable [ role-name ]
    Remarks: By default, the default user role feature is disabled. If you do not specify a user role, the default user role is network-operator. If the none authorization method is used for local users, you must enable the default user role feature.
  • Page 34: Configuring Temporary User Role Authorization

    • SSH clients that use publickey or password-publickey authentication. User roles assigned to these SSH clients are specified in their respective device management user accounts. For more information about user lines, see "Login overview" and "Configuring CLI login." For more information about SSH, see Security Configuration Guide.
  • Page 35 − The HWTACACS custom attribute is configured for the account in the form of allowed-roles="role". The variable role represents the target user role. • If RADIUS authentication is used, the following rules apply: The device does not use the username you enter to request user role authentication. It uses a username in the $enabn$ format.
  • Page 36: Configuring User Role Authentication

    Keywords: scheme local
    Authentication mode: Remote AAA authentication first, and then local password authentication
    Description: Remote AAA authentication is performed first. Local password authentication is performed in either of the following situations:
    • The HWTACACS or RADIUS server does not respond.
  • Page 37: Rbac Configuration Examples

    Task: Display user role feature information.
    Command: display role feature [ name feature-name | verbose ]
    Task: Display user role feature group information.
    Command: display role feature-group [ name feature-group-name ] [ verbose ]
    RBAC configuration examples
    RBAC configuration example for local AAA authentication users
    Network requirements
    As shown in...
  • Page 38
    [Switch-role-role1] rule 1 permit read feature
    # Configure rule 2 to permit the user role to create VLANs and access commands in VLAN view.
    [Switch-role-role1] rule 2 permit command system-view ; vlan *
    # Change the VLAN policy to permit the user role to configure only VLANs 10 to 20.
    [Switch-role-role1] vlan policy deny
    [Switch-role-role1-vlanpolicy] permit vlan 10 to 20
    [Switch-role-role1-vlanpolicy] quit...
  • Page 39: Rbac Configuration Example For Radius Authentication Users

    RBAC configuration example for RADIUS authentication users Network requirements As shown in Figure 3, the switch uses the FreeRADIUS server to provide AAA service for login users, including the Telnet user. The user account for the Telnet user is hello@bbb and is assigned user role role2.
  • Page 40
    # Create RADIUS scheme rad and enter RADIUS scheme view.
    [Switch] radius scheme rad
    # Specify the primary server address and the service port in the scheme.
    [Switch-radius-rad] primary authentication 10.1.1.1 1812
    # Set the shared key to expert in the scheme for the switch to authenticate to the server.
    [Switch-radius-rad] key authentication simple expert
    [Switch-radius-rad] quit
    # Specify scheme rad as the authentication and authorization schemes for ISP domain bbb.
  • Page 41: Rbac Temporary User Role Authorization Configuration Example (Hwtacacs Authentication)

    [Switch-role-role2] quit
    Configure the RADIUS server:
    # Add either of the user role attributes to the dictionary file of the FreeRADIUS server.
    Cisco-AVPair = "shell:roles=\"role2\""
    Cisco-AVPair = "shell:roles*\"role2\""
    # Configure the settings required for the FreeRADIUS server to communicate with the switch. (Details not shown.)
    Verifying the configuration
    # Telnet to the switch, and enter the username and password to access the switch.
  • Page 42
    Figure 4 Network diagram
    Configuration procedure
    Configure the switch:
    # Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).
    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Assign an IP address to VLAN-interface 3 (the interface connected to the HWTACACS server).
  • Page 43
    [Switch-isp-bbb] authorization login local
    # Apply HWTACACS scheme hwtac to the ISP domain for user role authentication.
    [Switch-isp-bbb] authentication super hwtacacs-scheme hwtac
    [Switch-isp-bbb] quit
    # Create a device management user named test and enter local user view.
    [Switch] local-user test class manage
    # Set the user service type to Telnet.
  • Page 44 Figure 5 Configuring advanced TACACS+ settings d. Select Shell (exec) and Custom attributes, and enter allowed-roles="network-admin" in the Custom attributes field. Use a blank space to separate the allowed roles.
  • Page 45
    Figure 6 Configuring custom attributes for the Telnet user
    Verifying the configuration
    Telnet to the switch, and enter username test@bbb and password aabbcc to access the switch. Verify that you have access to diagnostic commands.
    <Switch> telnet 192.168.1.70
    Trying 192.168.1.70 ...
    Press CTRL+K to abort
    Connected to 192.168.1.59 ...
  • Page 46: Rbac Temporary User Role Authorization Configuration Example (Radius Authentication)

    Verify that you can obtain the level-3 user role:
    # Use the super password to obtain the level-3 user role. When the system prompts for a username and password, enter username test@bbb and password enabpass.
    <Switch> super level-3
    Username: test@bbb
    Password:
    The following output shows that you have obtained the level-3 user role.
  • Page 47
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Assign an IP address to VLAN-interface 3 (the interface connected to the RADIUS server).
    [Switch] interface vlan-interface 3
    [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
    [Switch-Vlan-interface3] quit
    # Enable Telnet server.
    [Switch] telnet server enable
    # Enable scheme authentication on the user lines for Telnet users.
  • Page 48
    a. Add a user account named $enab0$ and set the password to 123456. (Details not shown.)
    b. Access the Cisco IOS/PIX 6.x RADIUS Attributes page.
    c. Configure the cisco-av-pair attribute, as shown in Figure
    Figure 8 Configuring the cisco-av-pair attribute
    Verifying the configuration
    Telnet to the switch, and enter username test@bbb and password aabbcc to access the switch.
  • Page 49: Troubleshooting Rbac

    User privilege role is network-admin, and only those commands that authorized to the role can be used.
    # If the ACS server does not respond, enter local authentication password abcdef654321 at the prompt.
    Invalid configuration or no response from the authentication server.
    Change authentication mode to local.
  • Page 50: Login Overview

    Login overview The first time you access the device, you can only log in to the CLI through the console port. After login, you can change console login parameters or configure other access methods, including Telnet, SSH, SNMP, and RESTful. The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements.
  • Page 51
    Default settings and minimum configuration Login Login method requirements configuration
    By default, RESTful access is disabled. To enable RESTful access, perform the following tasks:
    • Assign an IP address to a Layer 3 interface. Make sure the interface and the RESTful access user's host can reach each other.
  • Page 52: Using The Console Port For The First Device Access

    Bits per second—9600 bps.
    Flow control—None.
    Parity—None.
    Stop bits—1.
    Data bits—8.
    Power on the device and press Enter as prompted. The default user view prompt <HPE> appears. You can enter commands to configure or manage the device. To get help, enter ?.
  • Page 53: Configuring Cli Login

    Configuring CLI login By default, you can log in to the CLI through the console port. After you log in, you can configure other CLI login methods, including Telnet and SSH. To prevent illegal access to the CLI and control user behavior, perform the following tasks as required: •...
  • Page 54: Login Authentication Modes

    Login authentication modes
    You can configure login authentication to prevent illegal access to the device CLI. In non-FIPS mode, the device supports the following login authentication modes:
    • None—Disables authentication. This mode allows access without authentication and is insecure.
    • Password—Requires password authentication.
  • Page 55: Disabling Authentication For Console Login

    Figure 10 Logging in through the console port
    By default, console login is enabled both locally and remotely and it does not require authentication. The default user role is network-admin. To improve device security, configure password or scheme authentication for the AUX line immediately after you log in to the device for the first time.
    To configure console login, perform the following tasks:
    Tasks at a glance Remarks...
  • Page 56: Configuring Password Authentication For Console Login

    Configuring password authentication for console login
    Step: Enter system view.
    Command: system-view
    A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view •...
  • Page 57: Configuring Common Aux Line Settings

    To use scheme authentication, you must also perform the following tasks:
    • Configure login authentication methods in ISP domain view.
    • For remote authentication, configure a RADIUS, HWTACACS, or LDAP scheme.
    • For local authentication, create a local user account and configure the relevant attributes.
    For more information, see Security Configuration Guide.
  • Page 58
    Step: Specify the number of data bits for a...
    Command: databits { 5 | 6 | 7 | 8 }
    Remarks: The default is 8. Configure this command depending on the character coding type. For example, set the number of data bits to 7 for standard ASCII characters. Set the number of data bits to 8 for extended ASCII characters.
  • Page 59: Configuring Telnet Login

    Step: 15. Specify the command to be automatically executed for login...
    Command: auto-execute command command
    Remarks: By default, no command is specified for auto execution. The device will automatically execute the specified command when a user logs in through the user line, and close the user connection after the command is...
  • Page 60: Configuring Password Authentication For Telnet Login

    * Without the owner's prior written consent,
    * no decompiling or reverse-engineering shall be allowed.
    ******************************************************************************
    <HPE>
    If the maximum number of login users has been reached, the login attempt fails and the message "All user lines are used, please try later!" appears.
  • Page 61: Configuring Scheme Authentication For Telnet Login

    * no decompiling or reverse-engineering shall be allowed.
    ******************************************************************************
    Password:
    <HPE>
    If the maximum number of login users has been reached, the login attempt fails and the message "All user lines are used, please try later!" appears.
    Configuring scheme authentication for Telnet login...
  • Page 62
    * no decompiling or reverse-engineering shall be allowed.
    ******************************************************************************
    login: admin
    Password:
    <HPE>
    If the maximum number of login users has been reached, the login attempt fails and the message "All lines are used, please try later!" appears.
    Setting the maximum number of concurrent Telnet users...
  • Page 63
    Step: Set the maximum number of concurrent Telnet users.
    Command: aaa session-limit telnet max-sessions
    Remarks: The default is 32. Changing this setting does not affect users who are currently online. If the new limit is less than the number of online Telnet users, no additional users can Telnet in until the number drops...
  • Page 64: Using The Device To Log In To A Telnet Server

    Step: Specify the supported protocols.
    Command: protocol inbound { all |...
    Remarks: By default, both Telnet and SSH are supported. A protocol change does not take effect for current online users. It takes effect only for new login users. In VTY line view, this command is associated...
  • Page 65: Configuring Ssh Login

    To use the device to log in to a Telnet server:
    Step: Enter system view.
    Command: system-view
    Step: (Optional.) Specify the source IPv4 address or...
    Command: telnet client source { interface interface-type interface-number | ip...
    Remarks: By default, no source IPv4 address or source interface is specified. The device uses the primary IPv4 address of the...
  • Page 66
    Step: Create local key pairs.
    Command:
    • In non-FIPS mode: public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name key-name ]
    •...
    Remarks: By default, no local key pairs are created.
  • Page 67: Using The Device To Log In To An Ssh Server

    Step: (Optional.) Specify...
    Command:
    • In non-FIPS mode: protocol inbound { all |...
    Remarks: In non-FIPS mode, both Telnet and SSH are supported by default. In FIPS mode, SSH is supported by default. A protocol change does not take effect for current online users. It takes effect only for new login users.
  • Page 68 Dial the telephone number to establish a connection to the device. After you hear the dial tone, press Enter as prompted. If the authentication mode is none, the prompt <HPE> appears. If the authentication mode is password or scheme, you must enter the correct authentication information.
  • Page 69: Displaying And Maintaining Cli Login

    IMPORTANT: Do not directly close the HyperTerminal. Doing so can cause some modems to stay in use, and all subsequent dial-in attempts will fail. To terminate the modem connection to the device, execute the ATH command in the HyperTerminal. If the command cannot be entered, enter AT+ + +. When the word OK appears, execute the ATH command.
  • Page 70: Enabling Http And Https

    Enabling HTTP and HTTPS
    The device supports HTTP (1.0 and 1.1) and HTTPS. You can enable HTTP and HTTPS on the device. HTTPS uses SSL to ensure the integrity and security of data exchanged between the client and the server, and is more secure than HTTP.
  • Page 71: Displaying And Maintaining Http And Https

    Step: Enable the HTTPS...
    Remarks: By default, HTTPS is disabled. Enabling the HTTPS service triggers the SSL handshake negotiation process.
    • If the device has a local certificate, the SSL handshake negotiation succeeds and the HTTPS service starts up.
    •...
  • Page 72
    Figure 14 SNMP access diagram (labels: Get/Set requests; Get/Set responses and Traps; Agent)
    The device supports SNMPv1, SNMPv2c, and SNMPv3, and can cooperate with various network management software products. However, the device and the NMS must use the same SNMP version. By default, SNMP access is disabled.
  • Page 73: Configuring Restful Access

    Configuring RESTful access
    The device provides the Representational State Transfer application programming interface (RESTful API). Based on this API, you can use programming languages such as Python, Ruby, or Java to write programs to perform the following tasks:
    • Send RESTful requests to the device to pass authentication.
    •...
  • Page 74
    Step: Create a local user and enter local user view.
    Command: local-user user-name [ class manage ]
    Remarks: By default, no local user is configured.
    Command:
    • In non-FIPS mode: password [ { hash | simple }...
    Remarks: The password is saved in hashed form.
  • Page 75: Controlling User Access To The Device

    Controlling user access to the device Use ACLs to prevent unauthorized access, and configure command authorization and accounting to monitor and control user behavior. For more information about ACLs, see ACL and QoS Configuration Guide. FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode.
  • Page 76: Configuration Example

    Configuration example
    Network requirements
    As shown in Figure 15, the device is a Telnet server. Configure the device to permit only Telnet packets sourced from Host A and Host B.
    Figure 15 Network diagram
    Configuration procedure
    # Configure an ACL to permit packets sourced from Host A and Host B.
    <Sysname>...
  • Page 77
    Step Command Remarks
    • (Method 1.) Create an SNMP community and specify ACLs for the community:
    In VACM mode:
    snmp-agent community { read | write } [ simple | cipher ] community-name [ mib-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
    In RBAC mode:
    snmp-agent community [ simple | cipher ]...
  • Page 78: Configuration Example

    Step Command Remarks
    In non-FIPS mode:
    • In VACM mode:
    snmp-agent usm-user v3 user-name group-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | 3des | des56 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name...
  • Page 79: Configuring Command Authorization

    Figure 16 Network diagram
    Configuration procedure
    # Create an ACL to permit packets sourced from Host A and Host B.
    <Sysname> system-view
    [Sysname] acl basic 2000 match-order config
    [Sysname-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0
    [Sysname-acl-ipv4-basic-2000] rule 2 permit source 10.110.100.46 0
    [Sysname-acl-ipv4-basic-2000] quit
    # Associate the ACL with the SNMP community and the SNMP group.
  • Page 80: Configuration Example

    Step Command Remarks A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. • Enter user line view: line { first-number1 A non-default setting in either view takes [ last-number1 ] | { aux | precedence over a default setting in the Enter user line view or...
  • Page 81 Figure 17 Network diagram Configuration procedure # Assign IP addresses to relevant interfaces. Make sure the device and the HWTACACS server can reach each other. Make sure the device and Host A can reach each other. (Details not shown.) # Enable the Telnet server. <Device>...
  • Page 82: Configuring Command Accounting

    [Device-luser-manage-monitor] authorization-attribute user-role level-1
    Configuring command accounting
    Command accounting uses the HWTACACS server to record all executed commands to monitor user behavior on the device. If command accounting is enabled but command authorization is not, every executed command is recorded. If both command accounting and command authorization are enabled, only authorized commands that are executed are recorded.
  • Page 83: Configuration Example

    Step Command Remarks By default, command accounting is disabled. The accounting server does not record the commands executed by users. If the command accounting command is Enable command configured in user line class view, command accounting accounting. command accounting is enabled on all user lines in the class.
  • Page 84

    [Device-line-vty0-63] quit
    # Create HWTACACS scheme tac.
    [Device] hwtacacs scheme tac
    # Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for accounting.
    [Device-hwtacacs-tac] primary accounting 192.168.2.20 49
    # Set the shared key to expert.
    [Device-hwtacacs-tac] key accounting simple expert
    # Remove domain names from usernames sent to the HWTACACS server.
  • Page 85: Configuring Ftp

    Configuring FTP File Transfer Protocol (FTP) is an application layer protocol for transferring files from one host to another over an IP network, as shown in Figure 19. It uses TCP port 20 to transfer data and TCP port 21 to transfer control commands. For more information about FTP, see RFC 959. FTP is based on the client/server model.
  • Page 86: Configuring Authentication And Authorization

    Step Command Remarks (Optional.) Use an ACL to ftp server acl By default, no ACL is used for access control access to the FTP { ipv4-acl-number | ipv6 control. server. ipv6-acl-number } (Optional.) Associate an SSL ftp server server policy with the FTP By default, no SSL server policy is ssl-server-policy server to ensure data...
  • Page 87: Manually Releasing Ftp Connections

    Manually releasing FTP connections
    Execute the following commands in user view.
    Task: Manually release FTP connections.
    Commands:
    • Release the FTP connection established by using a specific user account: free ftp user username
    • Release the FTP connection to a specific IP address: free ftp user-ip [ ipv6 ] client-address [ port port-num ]
    Displaying and maintaining the FTP server
    Execute display commands in any view.
  • Page 88: Using The Device As An Ftp Client

    # Create a local user with username abc and password 123456.
    <Sysname> system-view
    [Sysname] local-user abc class manage
    [Sysname-luser-abc] password simple 123456
    # Assign the network-admin user role to the user. Set the working directory to the root directory of the flash memory on the master. (To set the working directory to the root directory of the flash memory on the subordinate member, you must include the slot number in the directory path.)
    [Sysname-luser-abc] authorization-attribute user-role network-admin work-directory...
  • Page 89: Managing Directories On The Ftp Server

    Step Command Remarks By default, no source IP address is specified. The (Optional.) Specify a ftp client source { interface interface-type device uses the primary IP source IP address for interface-number | ip source-ip-address } address of the output outgoing FTP packets. interface as the source IP address.
  • Page 90: Working With Files On The Ftp Server

    Task Command • Display the detailed information of a directory or file on the FTP server: dir [ remotefile [ localfile ] ] Display directory and file information on the FTP • server. Display the name of a directory or file on the FTP server: ls [ remotefile [ localfile ] ] Change the working directory on the FTP server.
  • Page 91: Changing To Another User Account

    Task Command Remarks Add the content of a file on the FTP client to a file on the FTP append localfile [ remotefile ] server. Use this command together Specify the retransmit marker. with the put, get, or append restart marker command.
  • Page 92: Terminating The Ftp Connection

    Terminating the FTP connection Execute one of the following commands in FTP client view: Task Command • disconnect Terminate the connection to the FTP server without • exiting FTP client view. close • Terminate the connection to the FTP server and •...
  • Page 93

    Configuration procedure
    # Configure IP addresses as shown in Figure 21. Make sure the IRF fabric and PC can reach each other. (Details not shown.)
    # Examine the storage space on the member devices. If the free space is insufficient, use the delete /unreserved file-url command to delete unused files.
  • Page 94: Configuring Tftp

    Configuring TFTP Trivial File Transfer Protocol (TFTP) is a simplified version of FTP for file transfer over secure reliable networks. TFTP uses UDP port 69 for data transmission. In contrast to TCP-based FTP, TFTP does not require authentication or complex message exchanges, and is easier to deploy. TFTP is suited for reliable network environments.
  • Page 95: Configuring The Device As An Ipv6 Tftp Client

    Configuring the device as an IPv6 TFTP client Step Command Remarks Enter system view. system-view (Optional.) Use an ACL to By default, no ACL is used for tftp-server ipv6 acl control the client's access to access control. ipv6-acl-number TFTP servers. By default, no source IPv6 tftp client ipv6 source Specify the source IPv6...
  • Page 96: Managing File Systems

    Managing file systems Overview File systems The device supports the following types of storage media: • Flash memory. • Hot-swappable storage medium USB disk. The flash memory has one file system. The USB disk can be partitioned. An unpartitioned USB disk has one file system. A partitioned USB disk has one file system on each partition.
  • Page 97: Directories

    Directories
    Directories in a file system are structured in a tree form.
    Root directory
    The root directory is represented by a forward slash (/). For example, flash:/ represents the root directory of the flash memory.
    Working directory
    The working directory is also called the current directory. The default working directory is the root directory of the flash memory on the master device.
  • Page 98: Specifying A Directory Name Or File Name

    Specifying a directory name or file name Specifying a directory name To specify a directory, you can use the absolute path or a relative path. For example, the working directory is flash:/. To specify the test2 directory in Figure 23, you can use the following methods: •...
  • Page 99: Managing Storage Media And File Systems

    Make sure a USB disk is not write protected before an operation that requires the write right on the disk. You cannot access a storage medium that is being partitioned, or a file system that is being formatted or repaired. Before managing file systems, directories, and files, make sure you know the possible impact.
  • Page 100: Formatting A File System

    Restrictions and guidelines You can mount or unmount a file system only when no other users are accessing the file system. To prevent a USB disk and the USB interface from being damaged, make sure the following requirements are met before unmounting file systems on the USB disk: •...
  • Page 101: Displaying The Working Directory

    Displaying the working directory Perform this task in user view. Task Command Display the working directory. Changing the working directory Perform this task in user view. Task Command Change the working directory. cd { directory | .. } Creating a directory Perform this task in user view.
  • Page 102: Deleting A Directory

    Deleting a directory To delete a directory, you must delete all files and subdirectories in the directory. To delete a file, use the delete command. To delete a subdirectory, use the rmdir command. Deleting a directory permanently deletes all its files in the recycle bin, if any. Perform this task in user view.
  • Page 103: Renaming A File

    Renaming a file Perform this task in user view. Task Command Rename a file. rename source-file dest-file Copying a file Perform this task in user view. Task Command Copy a file. copy source-file { dest-file | dest-directory } Moving a file Perform this task in user view.
  • Page 104: Deleting Files From The Recycle Bin

    Files in the recycle bin occupy storage space. To save storage space, periodically empty the recycle bin by using the reset recycle-bin command. Perform the following tasks in user view: Task Command Delete a file by moving it to the recycle bin. delete file Restore a file from the recycle bin.
  • Page 105 Step Command Remarks Enter system view. system-view The default mode is alert. Set the operation mode for file prompt { alert | quiet } This command also sets the files. operation mode for directories.
  • Page 106: Managing Configuration Files

    Managing configuration files Overview You can manage configuration files from the CLI or the BootWare menu. The following information explains how to manage configuration files from the CLI. A configuration file saves a set of commands for configuring software features on the device. You can save any configuration to a configuration file so the configuration can survive a reboot.
  • Page 107: Next-Startup Configuration File Redundancy

    Next-startup configuration file redundancy You can specify one main next-startup configuration file and one backup next-startup configuration file for redundancy. At startup, the device tries to select the .cfg startup configuration in the following order: The main next-startup configuration file. The backup next-startup configuration file if the main next-startup configuration file is unavailable.
  • Page 108: Fips Compliance

    password hash $h$6$Twd73mLrN8O2vvD5$Cz1vgdpR4KoTiRQNE9pg33gU14Br2p1VguczLSVyJLO2huV5Syx/LfDIf8ROLtV ErJ/C31oq2rFtmNuyZf4STw== service-type ssh telnet terminal authorization-attribute user-role network-admin authorization-attribute user-role network-operator interface Vlan-interface1 ip address 192.168.1.84 255.255.255.0 FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
  • Page 109: Saving The Running Configuration

    Task Command Display the differences that a configuration file, the running configuration, or the display diff configfile file-name-s { configfile file-name-d | next-startup configuration has as compared current-configuration | startup-configuration } with the specified source configuration file. Display the differences that a configuration display diff current-configuration { configfile file-name-d | file or the next-startup configuration has as startup-configuration }...
  • Page 110: Configuring Configuration Rollback

    • Safe mode—Use the save command with the safely keyword. Safe mode is slower than fast mode, but more secure. In safe mode, the system saves the configuration in a temporary file and starts overwriting the target next-startup configuration file after the save operation is complete.
  • Page 111: Configuration Task List

    Configuration task list Tasks at a glance (Required.) Setting configuration archive parameters (Required.) Perform one of the following tasks: • Enabling automatic configuration archiving • Manually archiving the running configuration (Required.) Rolling back configuration Setting configuration archive parameters Before archiving the running configuration, either manually or automatically, you must set a file directory and file name prefix for configuration archives.
  • Page 112: Enabling Automatic Configuration Archiving

    Step Command Remarks (Optional.) Set the The default number is 5. maximum number of archive configuration max Change the setting depending on the amount configuration file-number of storage available on the device. archives. Enabling automatic configuration archiving Make sure you have set an archive path and file name prefix before performing this task. To enable automatic configuration archiving: Step Command...
  • Page 113: Configuring Configuration Commit Delay

    Step Command Remarks Roll the running configuration back to the The specified configuration file configuration replace file configuration defined by a must not be encrypted. filename configuration file. The configuration rollback feature might fail to reconfigure some commands in the running configuration for one of the following reasons: •...
  • Page 114: Specifying A Next-Startup Configuration File

    Specifying a next-startup configuration file CAUTION: Using the undo startup saved-configuration command can cause an IRF split after the IRF fabric or an IRF member reboots. You can specify a .cfg file as a next-startup configuration file when you execute the save [ safely ] [ backup | main ] [ force ] command.
  • Page 115: Restoring The Main Next-Startup Configuration File From A Tftp Server

    Step Command Remarks backup startup-configuration Back up the next-startup to { ipv4-server | ipv6 This command is not supported in configuration file to a TFTP ipv6-server } [ dest-filename ] FIPS mode. server in user view. [ vpn-instance vpn-instance-name ] Restoring the main next-startup configuration file from a TFTP server Perform this task to download a configuration file to the device from a TFTP server and specify the...
  • Page 116: Displaying And Maintaining Configuration Files

    Perform the following task in user view: Task Command Remarks If you do not specify the backup Delete a next-startup or main keyword, this command reset saved-configuration configuration file. [ backup | main ] deletes the main next-startup configuration file. Displaying and maintaining configuration files Execute display commands in any view and reset commands in user view.
  • Page 117: Upgrading Software

    Upgrading software Overview Software upgrade enables you to add new features and fix bugs. This chapter describes types of software and methods to upgrade software from the CLI without using ISSU. For a comparison of all software upgrade methods, see "Upgrade methods."...
  • Page 118: System Startup Process

    If both the main and backup boot images are nonexistent or invalid, access the BootWare menu during the system startup to upgrade software. Figure 24 Comware image loading procedure System startup process Upon power-on, the BootWare image runs to initialize hardware, and then the startup software images run to start up the entire system, as shown in Figure...
  • Page 119: Upgrade Methods

    Figure 25 System startup process (flowchart nodes: Start; BootWare runs; Press Ctrl+B in 1 second?; Enter BootWare menus to upgrade BootWare or startup software images; Startup software images; System starts up)
    Upgrade methods Upgrading method Software types Remarks • BootWare image Upgrading from the CLI This method is disruptive.
  • Page 120: Upgrade Restrictions And Guidelines

    Upgrade restrictions and guidelines The switch can start up from the built-in flash memory or the USB disk. As a best practice, store the startup images in the built-in flash memory. If you store the startup images on the USB disk, do not remove the USB disk during the startup process.
  • Page 121: Specifying Startup Images And Completing The Upgrade

    Specifying startup images and completing the upgrade Perform this task in user view. To specify the startup image file and complete the upgrade: Step Command Remarks • Use an .ipe file for upgrade: boot-loader file ipe-filename { all | slot slot-number } { backup | Specify main or main }...
  • Page 122: Displaying And Maintaining Software Image Settings

    Displaying and maintaining software image settings Execute display commands in any view. Task Command Display current software images and startup software images. display boot-loader [ slot slot-number ] Software upgrade example Network requirements As shown in Figure 26, use the file startup-a2105.ipe to upgrade software images for the IRF fabric. Figure 26 Network diagram Master Subordinate...
  • Page 123

    # Use TFTP to download the image file startup-a2105.ipe from the TFTP server to the root directory of the flash memory on the master device.
    <Sysname> tftp 2.2.2.2 get startup-a2105.ipe
    # Specify startup-a2105.ipe as the main startup image file for all IRF member devices.
    <Sysname>...
  • Page 124: Performing An Issu

    Performing an ISSU Unless otherwise stated, the term "upgrade" refers to both software upgrade and downgrade in ISSU. Overview The In-Service Software Upgrade (ISSU) feature upgrades the Comware software with a minimum amount of downtime. ISSU is implemented on the basis of the following design advantages: •...
  • Page 125: Issu Commands

    ISSU method Description CAUTION: The Reboot method disrupts service on a single-member IRF fabric. As a best practice, schedule the downtime carefully to minimize the upgrade impact on the Reboot services. The Reboot method reboots member devices to complete the software upgrade. While one member device is rebooting, the other member devices can provide services.
  • Page 126: Identifying The Issu Method

    Use FTP or TFTP to transfer upgrade image files (in .bin or .ipe) to the root directory of a file system on the master device. Identifying the ISSU method Execute the display version comp-matrix file command for the upgrade image version compatibility information.
  • Page 127: Understanding Issu Guidelines

    Understanding ISSU guidelines During an ISSU, use the following guidelines: • In a multiuser environment, make sure no other administrators access the device while you are performing the ISSU. • Do not perform any of the following tasks during an ISSU: Reboot member devices.
  • Page 128: Upgrading A Multichassis Irf Fabric

    Upgrading a multichassis IRF fabric Performing a compatible upgrade Step Command Remarks Enter system view. system-view By default, the automatic rollback timer is set to 45 minutes. This timer starts when you execute the (Optional.) Set the issu run switchover command. If you automatic rollback issu rollback-timer minutes do not execute the issu accept or...
  • Page 129 Step Command Remarks Repeat step 10 and this step to upgrade the remaining members one by one, including the original master. IMPORTANT: After executing the command for one member, you must wait for the 10. Upgrade the member to restart and join the IRF remaining members fabric before you execute the issu commit slot slot-number...
  • Page 130: Upgrading A Single-Chassis Irf Fabric

    Step Command Remarks The issu run switchover command upgrades the remaining members. To roll back to the original software images during this ISSU process, use Perform an ISSU the issu rollback command. switchover to issu run switchover complete the ISSU This ISSU process does not support process.
  • Page 131: Performing An Issu By Using Install Commands

    Performing a reboot or incompatible upgrade Step Command Remarks The system is stable if the System State field displays Stable. Verify that the display system stable state For a successful ISSU, you must make system is stable. sure the system is stable before you proceed to the next step.
  • Page 132: Decompressing An .Ipe File

    Tasks at a glance Remarks Perform this task to verify that the software changes (Optional.) Verifying software images are correct. (Optional.) Deleting inactive software images Perform this task to delete images Decompressing an .ipe file Perform this task in user view. Step Command (Optional.) Identify images that are included in the .ipe file.
  • Page 133: Uninstalling Feature Or Patch Images

    • If yes, read the release notes to identify the functionality differences between the running patch images and the new patch images. If the new patch images cover all functions provided by the old patch images, activating the new patch images overwrites the old patch images. After installing the new patch images, uninstall and delete the old patch images to remove them from software image lists and release the storage space.
  • Page 134: Rolling Back The Running Software Images

    Step Command Remarks The system is stable if the System State field displays Stable. Verify that the For a successful uninstallation, you display system stable state system is stable. must make sure the system is stable before you proceed to the next step.
  • Page 135: Committing Software Changes

    Committing software changes When you activate or deactivate images for an incremental upgrade, or install or uninstall patches, the main startup image list does not update with the changes. The software changes are lost at reboot. For the changes to take effect after a reboot, you must commit the changes. Perform this task in user view.
  • Page 136: Examples Of Using Issu Commands For Issu

    Task Command Remarks display install inactive [ slot Display inactive software images. slot-number ] [ verbose ] Display the software images included display install ipe-info ipe-filename in an .ipe file. Display ongoing ISSU activate, display install job deactivate, and rollback operations. display install log [ log-id ] Display ISSU log entries.
  • Page 137: Upgrade Procedure

    Figure 27 Network diagram (elements shown: Master (Member_ID=1), Subordinate (Member_ID=2), Internet, TFTP server, 1.1.1.1/24, 2.2.2.2/24. Note: The orange line represents an IRF connection.)
    Upgrade procedure
    # Download the image file that contains the T0001016 Feature1 feature from the TFTP server.
    <Sysname> tftp 2.2.2.2 get feature1-t0001016.bin
    % Total % Received % Xferd Average Speed...
  • Page 138 Influenced service according to following table on slot 1: flash:/feature1-t0001016.bin Feature1 Influenced service according to following table on slot 2: flash:/feature1-t0001016.bin Feature1 The output shows that a reboot upgrade is recommended and the Feature1 module will be rebooted during the upgrade. # Upgrade the feature on the subordinate member.
  • Page 139 <Sysname> issu run switchover Verifying the file flash:/feature1-t0001016.bin on slot 1...Done. Upgrade summary according to following table: flash:/feature1-t0001016.bin Running Version New Version Test 0001015 Test 0001016 Slot Switchover Way Active standby process switchover Upgrading software images to compatible versions. Continue? [Y/N]:y This operation might take several minutes, please wait...Done.
  • Page 140: Feature Upgrade To An Incompatible Version

    Feature upgrade to an incompatible version Upgrade requirements As shown in Figure 28, the IRF fabric has two members. Upgrade the Feature1 feature from T0001015 to T0001016. The two versions are incompatible. Figure 28 Network diagram Master Subordinate (Member_ID=1) (Member_ID=2) Internet 1.1.1.1/24 2.2.2.2/24...
  • Page 141 7.1.070-Test 0001016 Incompatible upgrade. The output shows that the two versions are incompatible. The member devices will be rebooted for the upgrade. # Upgrade the feature on the subordinate member. <Sysname> issu load file feature flash:/feature1-t0001016.bin slot 2 This operation will delete the rollback point information for the previous upgrade and maybe get unsaved configuration lost.
  • Page 142: Feature Rollback Example

    Feature rollback example Rollback requirement As shown in Figure 29, the IRF fabric has two members. Roll back the Feature1 feature from T0001016 to T0001015 after upgrading it from T0001015 to T0001016. The two versions are compatible. Figure 29 Network diagram Master Subordinate (Member_ID=1)
  • Page 143 Version Dependency System List: 7.1.070-Test 0001015 7.1.070-Test 0001016 Slot Upgrade Way Reboot Reboot Influenced service according to following table on slot 1: flash:/feature1-t0001016.bin Feature1 Influenced service according to following table on slot 2: flash:/feature1-t0001016.bin Feature1 The output shows that a reboot upgrade is recommended. # Upgrade the feature on the subordinate member.
  • Page 144: Examples Of Using Install Commands For Issu

    Active packages on slot 1: flash:/boot-t0001015.bin flash:/system-t0001015.bin flash:/feature1-t0001015.bin Active packages on slot 2: flash:/boot-t0001015.bin flash:/system-t0001015.bin flash:/feature1-t0001016.bin # Roll back the feature to T0001015. <Sysname> issu rollback This command will quit the ISSU process and roll back to the previous version. Continue? [Y/N]:Y # Verify that both members are running the old feature image.
  • Page 145 <Sysname> tftp 2.2.2.2 get feature1-t0001016.ipe % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 --:--:-- --:--:-- --:--:-- Writing file...Done. # Decompress the .ipe file. <Sysname> install add flash:/feature1-t0001016.ipe flash: Verifying the file flash:/feature1-t0001016.ipe on slot 1...Done. Decompressing file feature1-t0001016.bin to flash:/feature1-t0001016.bin.......Done.
  • Page 146 Influenced service according to following table on slot 1: flash:/feature1-t0001016.bin Feature1 The output shows that a reboot upgrade is recommended for both members, and the Feature1 module will be rebooted during the upgrade. # Activate the new feature image to upgrade the feature. <Sysname>...
  • Page 147: Feature Rollback Example

    This operation will take several minutes, please wait......Done. Feature rollback example Rollback requirement As shown in Figure 30, the IRF fabric has two members. The Feature1 feature has been upgraded from T0001015 to T0001016. However, the software change has not been committed. Roll back the Feature1 feature from T0001016 to T0001015.
  • Page 148: Managing The Device

    A device name (also called hostname) identifies a device in a network and is used in CLI view prompts. For example, if the device name is Sysname, the user view prompt is <Sysname>. To configure the device name: Step Command Remarks Enter system view. system-view Configure the device name. The default device name is HPE. sysname sysname...
  • Page 149: Configuring The System Time

    Configuring the system time Correct system time is essential to network management and communication. Configure the system time correctly before you run the device on the network. The device can use the locally set system time, or obtain the UTC time from an NTP source and calculate the system time.
  • Page 150: Enabling Displaying The Copyright Statement

    Step Command Remarks By default, the device uses the NTP time source. Specify the system time clock protocol ntp If you execute the clock protocol command source. multiple times, the most recent configuration takes effect. By default, the time zone is not set. After you set the time zone, the device recalculates the system time.
  • Page 151: Banner Input Methods

    • Legal banner—Appears after the copyright statement. To continue login, the user must enter Y or press Enter. To quit the process, the user must enter N. Y and N are case insensitive. • Message of the Day (MOTD) banner—Appears after the legal banner and before the login banner.
  • Page 152: Configuration Procedure

    Configuration procedure To configure banners: Step Command Remarks Enter system view. system-view By default, no legal banner is Configure the legal banner. header legal text configured. By default, no MOTD banner is Configure the MOTD banner. header motd text configured. By default, no login banner is Configure the login banner.
  • Page 153: Setting The Hardware Resource Mode For Tables

    Setting the hardware resource mode for tables
    IMPORTANT: For this feature to take effect, you must save the running configuration and reboot the device. Before rebooting the device, make sure you fully understand the impact on your network.
    The switch supports multiple hardware resource modes for the MAC address table, ARP/ND table, and routing tables.
  • Page 154: Rebooting The Device

    Task Command Remarks The subslot subslot-number option is reboot [ slot slot-number [ subslot available only on the HPE FlexFabric 5940 Reboot the device. subslot-number ] ] [ force ] 2-slot Switch (JH397A) and HPE FlexFabric 5940 4-slot Switch (JH398A).
  • Page 155: Scheduling A Task

    To schedule a reboot, execute either of the following commands in user view: Task Command Remarks Specify the reboot date and By default, no reboot date or time is scheduler reboot at time [ date ] time. specified. By default, no reboot delay time is Specify the reboot delay time.
  • Page 156 Step Command Remarks Create a schedule. By default, no schedule exists. scheduler schedule schedule-name By default, no job is assigned to a schedule. Assign a job to a job job-name You can assign multiple jobs to a schedule. schedule. The jobs will be executed concurrently.
  • Page 157: Schedule Configuration Example

    Step Command Remarks • Execute the schedule at an interval from the specified time By default, no execution time is specified for a schedule. time repeating at time [ month-date [ month-day | Executing commands clock Specify an execution last ] | week-day datetime, clock summer-time, time table for the week-day&<1-7>...
  • Page 158

    [Sysname-job-start-Ten-GigabitEthernet1/0/1] command 2 interface ten-gigabitethernet 1/0/1
    [Sysname-job-start-Ten-GigabitEthernet1/0/1] command 3 undo shutdown
    [Sysname-job-start-Ten-GigabitEthernet1/0/1] quit
    # Configure a job for disabling interface Ten-GigabitEthernet 1/0/2.
    [Sysname] scheduler job shutdown-Ten-GigabitEthernet1/0/2
    [Sysname-job-shutdown-Ten-GigabitEthernet1/0/2] command 1 system-view
    [Sysname-job-shutdown-Ten-GigabitEthernet1/0/2] command 2 interface ten-gigabitethernet 1/0/2
    [Sysname-job-shutdown-Ten-GigabitEthernet1/0/2] command 3 shutdown
    [Sysname-job-shutdown-Ten-GigabitEthernet1/0/2] quit
    # Configure a job for enabling interface Ten-GigabitEthernet 1/0/2.
  • Page 159

    undo shutdown
    Job name: start-Ten-GigabitEthernet1/0/2
    system-view
    interface ten-gigabitethernet 1/0/2
    undo shutdown
    # Display the schedule information.
    [Sysname] display scheduler schedule
    Schedule name : START-pc1/pc2
    Schedule type : Run on every Mon Tue Wed Thu Fri at 08:00:00
    Start time : Wed Sep 28 08:00:00 2011
    Last execution time : Wed Sep 28 08:00:00 2011
    Last completion time : Wed Sep 28 08:00:03 2011...
  • Page 160: Disabling Password Recovery Capability

    [Sysname]interface ten-gigabitethernet 1/0/2.
    [Sysname-Ten-GigabitEthernet1/0/2]undo shutdown
    Job name : shutdown-Ten-GigabitEthernet1/0/1
    Schedule name : STOP-pc1/pc2
    Execution time : Wed Sep 28 18:00:00 2011
    Completion time : Wed Sep 28 18:00:01 2011
    --------------------------------- Job output -----------------------------------
    <Sysname>system-view
    System View: return to User View with Ctrl+Z.
    [Sysname]interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1]shutdown
    Job name...
  • Page 161: Setting The Port Status Detection Timer

    To specify the preferred airflow direction: Step Command Remarks Enter system view. system-view The default airflow direction is Specify the preferred fan prefer-direction slot slot-number from the power supply side to the airflow direction. { power-to-port | port-to-power } port side. Setting the port status detection timer The device starts a port status detection timer when a port is shut down by a protocol.
  • Page 162: Setting Memory Alarm Thresholds

    Setting memory alarm thresholds
    To monitor memory usage, the device performs the following operations:
    • Samples memory usage at an interval of 1 minute, and compares the sample with the memory usage threshold. If the sample is greater, the device sends a trap.
    •...
  • Page 163: Configuring The Temperature Alarm Thresholds

    Figure 32 Memory alarm notification and alarm-removed notification (plot of free memory space against time, marking the normal, minor, severe, and critical states and the alarm and alarm-removed notifications between them)
    To set memory alarm thresholds: Step Command Remarks Enter system view. system-view memory-threshold [ slot Set the memory By default, the memory usage threshold is...
  • Page 164: Disabling Usb Interfaces

    The device regularly checks transceiver modules for their vendor names. If a transceiver module does not have a vendor name or the vendor name is not HPE, the device repeatedly outputs traps and log messages. For information about logging rules, see Network Management and Monitoring Configuration.
  • Page 165: Diagnosing Transceiver Modules

    Task: Display the electrical label information of transceiver modules.
      Command: display transceiver manuinfo interface [ interface-type interface-number ]
      Remarks: This command cannot display information for some transceiver modules.

    Diagnosing transceiver modules
    The device provides the alarm and digital diagnosis functions for transceiver modules. When a transceiver module fails or is not operating correctly, you can perform the following tasks:
    •...
  • Page 166
    Task: Display hardware information.
      Command: display device [ flash | usb ] [ slot slot-number [ subslot subslot-number ] | verbose ]
      Remarks: The subslot subslot-number option is available only on the HPE FlexFabric 5940 2-slot Switch (JH397A) and HPE FlexFabric 5940 4-slot Switch (JH398A).
  • Page 167: Using Tcl

    Using Tcl
    Comware V7 provides a built-in tool command language (Tcl) interpreter. From user view, you can use the tclsh command to enter Tcl configuration view to execute the following commands:
    • All Tcl 8.5 commands.
    • Comware commands. The Tcl configuration view is equivalent to the user view. You can use Comware commands in Tcl configuration view in the same way they are used in user view.
  • Page 168
    • For Comware commands, you can enter ? to obtain online help or press Tab to complete an abbreviated command. For more information, see "Using the CLI."
    • The cli command is a Tcl command, so you cannot enter ? to obtain online help or press Tab to complete an abbreviated command.
  • Page 169: Using Python

    Using Python
    Comware 7 provides a built-in Python interpreter that supports the following items:
    • Python 2.7 commands.
    • Python 2.7 standard API.
    • Comware 7 extended API. For more information about the Comware 7 extended API, see "Comware 7 extended Python API."...
  • Page 170 Figure 33 Network diagram
    Usage procedure
    # Use a text editor on the PC to configure Python script test.py as follows:
    #!/usr/bin/python
    import comware
    comware.Transfer('tftp', '192.168.1.26', 'main.cfg', 'flash:/main.cfg')
    comware.Transfer('tftp', '192.168.1.26', 'backup.cfg', 'flash:/backup.cfg')
    comware.CLI('startup saved-configuration flash:/main.cfg main ;startup saved-configuration flash:/backup.cfg backup')
    # Use TFTP to download the script to the device.
  • Page 171: Comware 7 Extended Python Api

    Comware 7 extended Python API
    The Comware 7 extended Python API is compatible with the Python syntax.

    Importing and using the Comware 7 extended Python API
    To use the Comware 7 extended Python API, you must import the API to Python. Use either of the following methods to import and use the Comware 7 extended Python API:
    •...
  • Page 172: Usage Guidelines

    do_print: Specifies whether to output the execution result:
    • True—Outputs the execution result. This value is the default.
    • False—Does not output the execution result.
    Usage guidelines
    This API supports only Comware commands. It does not support Linux, Python, or Tcl commands.
    Returns
    CLI objects
    Examples...
  • Page 173: Transfer Class

    Transfer class
    Transfer
    Use Transfer to download a file from a server.
    Syntax
    Transfer(protocol='', host='', source='', dest='', vrf='', login_timeout=10, user='', password='')
    Parameters
    protocol: Specifies the protocol used to download a file:
    • ftp—Uses FTP.
    • tftp—Uses TFTP.
    • http—Uses HTTP.
    host: Specifies the IP address of the remote server.
    source: Specifies the name of the file to be downloaded from the remote server.
  • Page 174: Api Get_Self_Slot

    <Sysname> python
    Python 2.7.3 (default)
    [GCC 4.4.1] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import comware
    >>> c = comware.Transfer('tftp', '1.1.1.1', 'test.cfg', 'flash:/test.cfg', user='', password='')
    >>> c.get_error()
    Sample output
    “Timeout was reached”

    API get_self_slot
    get_self_slot
    Use get_self_slot to get the member ID of the master device.
  • Page 175: Api Get_Slot_Range

    Examples
    # Get the member IDs of the subordinate devices.
    <Sysname> python
    Python 2.7.3 (default)
    [GCC 4.4.1] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import comware
    >>> comware.get_standby_slot()
    Sample output
    [[-1, 1], [-1, 2]]

    API get_slot_range
    get_slot_range
    Use get_slot_range to get the supported IRF member ID range.
  • Page 176
    Examples
    # Get information about a member device.
    <Sysname> python
    Python 2.7.3 (default)
    [GCC 4.4.1] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import comware
    >>> comware.get_slot_info(1)
    Sample output
    {'Slot': 1, 'Status': 'Normal', 'Chassis': 0, 'Role': 'Master', 'Cpu': 0}...
  • Page 177: Configuring Preprovisioning

    Configuring preprovisioning
    Preprovisioning allows you to preconfigure offline modules, including subcards and IRF member devices. You can preprovision a module before installing or attaching the module to the system. The preprovisioned settings are applied when the module comes online. If the module goes offline, the existing preprovisioned settings are retained.
  • Page 178: Displaying And Maintaining Preprovisioned Settings

    Displaying and maintaining preprovisioned settings
    Execute display commands in any view and the reset command in user view.
    Task: Display preprovisioned-commands application failure records.
      Command: display provision failed-config
    Task: Display preprovisioned-commands application failure records.
      Command: reset provision failed-config...
  • Page 179: Using Automatic Configuration

    Using automatic configuration
    Overview
    When the device starts up without a valid next-startup configuration file, the device searches the root directory of its default file system for the autocfg.py, autocfg.tcl, and autocfg.cfg files. If any one of the files exists (only one of the files can exist), the device loads the file. If none of the files exists, the device uses the automatic configuration feature to obtain a set of configuration settings.
  • Page 180: Configuring The File Server

    Tasks at a glance
    (Required.) Preparing the files for automatic configuration
    (Required.) Configuring the DHCP server
    (Optional.) Configuring the DNS server
    (Optional.) Configuring the gateway
    (Required.) Preparing the interface used for automatic configuration
    (Required.) Starting and completing automatic configuration

    Configuring the file server
    For devices to obtain configuration information from a TFTP server, start TFTP service on the file server.
  • Page 181: Configuring The Dhcp Server

    During the automatic configuration process, a device first tries to obtain a configuration file dedicated for it. If no dedicated configuration file is found, the device tries to obtain the common configuration file. If no common configuration file is found when a TFTP file server is used, the device obtains and uses the default configuration file.
  • Page 182 The file can contain only the common settings for the devices. You can provide a method for the device administrators to change the configurations after their devices start up.
    Configuring the DHCP server when an HTTP file server is used
    Step Command Remarks...
  • Page 183: Configuring The Dns Server

    Step: Specify the configuration file name or the script file name.
      Command: bootfile-name bootfile-name
      Remarks: By default, no configuration file name or script file name is specified.

    Configuring the DNS server
    A DNS server is required in the following situations:
    •...
  • Page 184: Server-Based Automatic Configuration Examples

    After obtaining a configuration file, the device automatically executes the configuration file. Use the save command to save the running configuration. The device does not save the obtained configuration file locally. If you do not save the running configuration, the device must use the automatic configuration feature again after a reboot. For more information about the save command, see Fundamentals Command Reference.
  • Page 185
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 192.168.1.42 24
    [SwitchA-Vlan-interface2] quit
    # Enable DHCP.
    [SwitchA] dhcp enable
    # Enable the DHCP server on VLAN-interface 2.
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] dhcp select server
    [SwitchA-Vlan-interface2] quit
    # Configure address pool market to assign IP addresses on the 192.168.2.0/24 subnet to clients in the Marketing department.
  • Page 186: Enable Dhcp

    [SwitchB] dhcp enable
    # Enable the DHCP relay agent on VLAN-interface 3.
    [SwitchB] interface vlan-interface 3
    [SwitchB-Vlan-interface3] dhcp select relay
    # Specify the DHCP server address.
    [SwitchB-Vlan-interface3] dhcp relay server-address 192.168.1.42
    Configure the gateway Switch C:
    # Create VLAN interfaces and assign IP addresses to the interfaces.
    <SwitchC>...
  • Page 187
    interface ten-gigabitethernet 1/0/1
    port access vlan 3
    quit
    user-interface vty 0 63
    authentication-mode scheme
    user-role network-admin
    return
    # On the TFTP server, create a configuration file named rd.cfg.
    sysname RD
    telnet server enable
    vlan 3
    local-user rd
    password simple rd
    service-type telnet
    quit
    interface Vlan-interface3...
  • Page 188: Automatic Configuration Using Http Server And Tcl Script

                     7266-6163-6533
    192.168.2.3      3030-3066-2e65-3230-  May 6 05:22:50 2013  Auto(C)
                     302e-3232-3033-2d56-
                     6c61-6e2d-696e-7465-
                     7266-6163-6533
    192.168.3.2      3030-6530-2e66-6330-  May 6 05:23:15 2013  Auto(C)
                     302e-3335-3131-2d56-
                     6c61-6e2d-696e-7465-
                     7266-6163-6531
    192.168.3.3      3030-6530-2e66-6330-  May 6 05:24:10 2013  Auto(C)
                     302e-3335-3135-2d56-
                     6c61-6e2d-696e-7465-
                     7266-6163-6532
    Telnet to 192.168.2.2 from Switch A.
    <SwitchA> telnet 192.168.2.2
    Enter username market and password market as prompted.
  • Page 189: Automatic Configuration Using Http Server And Python Script

    [DeviceA-dhcp-pool-1] bootfile-name http://192.168.1.40/device.tcl
    Configure the HTTP server:
    # Create a configuration file named device.tcl on the HTTP server.
    return
    system-view
    telnet server enable
    local-user user
    password simple abcabc
    service-type telnet
    quit
    user-interface vty 0 63
    authentication-mode scheme
    user-role network-admin
    quit
    interface Vlan-interface1
    port link-mode route
    ip address dhcp-alloc...
  • Page 190 Figure 37 Network diagram (labels in the figure: Device A, DHCP server, XGE1/0/1 192.168.1.1, XGE1/0/1, Switch A, 192.168.1.40, HTTP server)
    Configuration procedure
    Configure the DHCP server:
    # Enable DHCP.
    <DeviceA> system-view
    [DeviceA] dhcp enable
    # Configure address pool 1 to assign IP addresses on the 192.168.1.0/24 subnet to clients.
    [DeviceA] dhcp server ip-pool 1
    [DeviceA-dhcp-pool-1] network 192.168.1.0 24
    # Specify the URL of the script file for the clients.
  • Page 191: Automatic Irf Setup

    Automatic IRF setup
    Network requirements
    As shown in Figure 38, Switch A and Switch B do not have a configuration file. Configure the servers so the switches can obtain a Python script to complete their respective configurations and form an IRF fabric.
    Figure 38 Network diagram
    Configuration procedure
    Assign IP addresses to the interfaces.
  • Page 192 File Content Remarks Python commands that complete the following tasks: (Optional.) Verify that the flash memory has sufficient space for the files to be downloaded. Download the configuration file and sn.txt. For more information about .py Python script file (Optional.) Download the software Python script configuration, see image file and specify it as the main "Using...
  • Page 193
    Auto upgrade : yes
    Mac persistent : always
    Domain ID
    Auto merge : yes
    The output shows that the switches have formed an IRF fabric.
  • Page 194: Document Conventions And Icons

    Document conventions and icons
    Conventions
    This section describes the conventions used in the documentation.
    Command conventions
    Convention: Boldface
      Description: Bold text represents commands and keywords that you enter literally as shown.
    Convention: Italic
      Description: Italic text represents arguments that you replace with actual values.
    Square brackets enclose syntax choices (keywords or arguments) that are optional.
  • Page 195: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 196: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 197: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 198 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.

This manual is also suitable for:

Flexfabric 5950 series
