No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
FIPS compliance ... 1
What is CLI? ... 1
Entering the CLI ... 2
Command conventions ... 2
Undo form of a command ... 3
CLI view description ... 3
Entering system view ... 4
Exiting the current view ... 4
Returning to user view ... 4
Using the CLI online help ... 5
Typing commands ... 6
Redisplaying input but not submitted commands ... 8
Checking command line errors ... 9
Using command history ... 9
Accessing history commands ... 9
Configuring the history buffer size ... 10
Controlling the CLI display ... 10
Filtering output information ... 11
Configuring user privilege and command levels ... 14
Configuring a user privilege level ... 15
Switching user privilege level ... 18
Modifying the level of a command ... 21
Saving the current configuration ... 22
Displaying and maintaining CLI ... 22
FIPS compliance ... 23
Login methods ... 23
User interface overview ... 24
Users and user interfaces ... 24
Numbering user interfaces ... 25
Overview ... 26
FIPS compliance ... 26
Logging in through the console port ... 26
Configuring none authentication for console login ... 30
Configuring password authentication for console login ... 31
Configuring scheme authentication for console login ... 32
Configuring common settings for console login (optional) ... 34
Logging in through telnet ... 36
Configuring none authentication for telnet login ... 38
Configuring password authentication for telnet login ... 39
Configuring scheme authentication for telnet login ... 40
Configuring common settings for VTY user interfaces (optional) ... 44
Configuring the device to log in to a telnet server as a telnet client ... 45
Logging in through SSH ... 46
Configuring the SSH server ... 47
Configuring the SSH client to log in to the SSH server ... 50
Logging in through modems ... 51
Configuring none authentication for modem login ... 55
Configuring password authentication for modem login ... 55
Configuring scheme authentication for modem login ... 56
Configuring common settings for modem login (optional) ... 59
Displaying and maintaining CLI login ... 62
Web login ... 63
Web login overview ... 63
FIPS compliance ... 64
Configuring HTTP login ... 64
Configuring HTTPS login ... 65
Displaying and maintaining web login ... 67
Web login example ... 67
HTTP login example ... 67
HTTPS login example ... 69
User login control ... 75
User login control overview ... 75
FIPS compliance ... 75
Configuring login control over telnet users ... 75
Configuring source IP-based login control over telnet users ... 76
Configuring source and destination IP-based login control over telnet users ... 76
Configuring source MAC-based login control over telnet users ... 77
Source MAC-based login control configuration example ... 77
Configuring source IP-based login control over NMS users ... 78
Configuring source IP-based login control over NMS users ... 78
Source IP-based login control over NMS users configuration example ... 79
Configuring source IP-based login control over web users ... 80
Configuring source IP-based login control over web users ... 80
Logging off online web users ... 81
Source IP-based login control over web users configuration example ... 81
Introduction to FTP ... 83
Operation of FTP ... 83
FIPS compliance ... 84
Configuring the FTP client ... 84
Establishing an FTP connection ... 85
Operating the directories on an FTP server ... 86
Operating the files on an FTP server ... 86
Using another username to log in to an FTP server ... 87
Maintaining and debugging an FTP connection ... 88
Terminating an FTP connection ... 88
FTP client configuration example ... 88
Configuring the FTP server ... 90
Configuring FTP server operating parameters ... 90
Configuring authentication and authorization on the FTP server ... 91
FTP server configuration example ... 92
Displaying and maintaining FTP ... 93
Introduction to TFTP ... 95
Operation of TFTP ... 95
FIPS compliance ... 96
Configuring the TFTP client ... 96
Displaying and maintaining the TFTP client ... 97
TFTP client configuration example ... 97
Displaying directory information ... 100
Displaying the current working directory ... 100
Changing the current working directory ... 100
Creating a directory ... 100
Removing a directory ... 101
File operations ... 101
Displaying file information ... 101
Displaying the contents of a file ... 101
Renaming a file ... 101
Copying a file ... 102
Moving a file ... 102
Deleting a file ... 102
Restoring a file from the recycle bin ... 102
Emptying the recycle bin ... 102
Managing the space of a storage medium ... 103
Displaying and maintaining the NAND flash memory ... 104
Setting prompt modes ... 105
Example for file operations ... 105
Configuration file format and content ... 108
Startup configuration loading process ... 108
FIPS compliance ... 110
Saving the running configuration ... 110
Modes in saving the configuration ... 111
Using automatic configuration backup after a software upgrade ... 111
Setting configuration rollback ... 112
Configuration task list ... 113
Configuring parameters for saving the running configuration ... 113
Enabling automatic saving of the running configuration ... 114
Manually saving the running configuration ... 115
Setting configuration rollback ... 115
Specifying a startup configuration file to be used at the next system startup ... 116
Backing up the startup configuration file ... 116
Deleting a startup configuration file to be used at the next startup ... 117
Restoring a startup configuration file ... 117
Displaying and maintaining a configuration file ... 118
Switch software overview ... 119
FIPS compliance ... 120
Software upgrade methods ... 120
Upgrading the Boot ROM program through a system reboot ... 120
Upgrading the boot file through a system reboot ... 122
Upgrading the boot file of an IRF member switch ... 122
Software upgrade by installing hotfixes ... 123
Basic concepts in hotfix ... 123
Patch status ... 124
Step-by-step patch uninstallation ... 128
Displaying and maintaining the software upgrade ... 129
Software upgrade configuration examples ... 129
Immediate upgrade configuration example ... 129
Hotfix configuration example ... 131
Device management overview ... 134
Configuring the device name ... 134
Configuring the system clock ... 134
Configuring the system clock ... 134
Displaying the system clock ... 135
Enabling displaying the copyright statement ... 138
Configuring banners ... 138
Introduction to banners ... 138
Banner configuration example ... 140
Configuring the exception handling method ... 140
Rebooting the device ... 141
Configuring scheduled tasks ... 142
What is a scheduled task ... 142
Configuring a scheduled task ... 142
Configuring the detection timer ... 144
Configuring temperature alarm thresholds for a member device ... 145
Clearing the 16-bit interface indexes not used in the current system ... 146
Disabling password recovery capability ... 146
Identifying and diagnosing pluggable transceivers ... 147
Introduction to pluggable transceivers ... 147
Support and other resources ... 150
Contacting HP ... 150
Subscription service ... 150
Related information ... 150
Index ... 153
CLI configuration
This chapter includes these sections:
• What is CLI?
• Entering the CLI
• Command conventions
• Undo form of a command
• CLI view description
• Using the CLI online help
• Typing commands
• Checking command line errors
• Using command history
• Controlling the CLI display
• Configuring user privilege and command levels
• Saving the current configuration
• Displaying and maintaining CLI
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about
FIPS mode, see the Security Configuration Guide.
Unless otherwise noted, devices in the configuration examples are operating in non-FIPS mode.
What is CLI?
The command line interface (CLI) enables you to interact with your device by typing text commands. At
the CLI, you can instruct your device to perform a given task by typing a text command and then pressing
Enter. Compared with the graphical user interface (GUI) where you can use a mouse to perform
configurations, the CLI allows you to input more information in one command line.
Figure 1 CLI example
Entering the CLI
HP devices provide multiple methods for entering the CLI, such as through the console port, through telnet,
or through SSH. For more information, see "Logging in through the console port."
Command conventions
Command conventions help you understand command meanings. Commands in HP product manuals
comply with the conventions listed in Table 1.
Table 1 Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is a comment.
NOTE:
The keywords of HP command lines are case insensitive.
Use the clock datetime time date command as an example to understand the meaning of the command
line parameters according to Figure 2.
Figure 2 Read command line parameters
clock datetime (Boldface: keywords)
time date (Italic: arguments; replace them with actual values at the CLI)
For example, you can type the following command line at the CLI of your device and press Enter to set
the device system time to 10 o'clock 30 minutes 20 seconds, February 23, 2010.
<sysname> clock datetime 10:30:20 2/23/2010
You can read any command that is more complicated by referring to Table 1.
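As an added example that is not part of this HP guide, the following Python recognizer applies the Table 1 conventions to keyword-only command templates: it parses the bracket, brace and asterisk groups and checks whether a typed command line is a valid instance, comparing keywords case-insensitively as the note above states. Italic arguments and the &<1-n> repetition are not modeled, and the templates used in the code are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Choice:
    """One bracketed or braced group from a command syntax template."""
    options: List[str]   # the keywords separated by vertical bars
    required: bool       # braces { } are required, square brackets [ ] optional
    multi: bool          # a trailing * allows more than one choice


Element = Union[str, Choice]


def parse_syntax(template: str) -> List[Element]:
    """Tokenize a template written in the Table 1 notation.

    Plain words become literal keywords; '{ x | y } *' and the other group
    forms become Choice objects. The conventions do not nest groups, so a
    single left-to-right pass is enough.
    """
    tokens = template.lower().split()
    elements: List[Element] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("{", "["):
            close = "}" if tok == "{" else "]"
            j = i + 1
            options: List[str] = []
            while j < len(tokens) and tokens[j] != close:
                if tokens[j] != "|":
                    options.append(tokens[j])
                j += 1
            if j == len(tokens):
                raise ValueError(f"unbalanced {tok} in template: {template!r}")
            multi = j + 1 < len(tokens) and tokens[j + 1] == "*"
            elements.append(Choice(options, required=(tok == "{"), multi=multi))
            i = j + 2 if multi else j + 1
        else:
            elements.append(tok)
            i += 1
    return elements


def matches(template: str, command: str) -> bool:
    """Return True if the typed command line is a valid instance of the template.

    Keywords are compared case-insensitively, as the guide notes for HP
    command lines. A choice may not be selected twice, and every typed word
    must be consumed by the template.
    """
    words = command.lower().split()
    pos = 0
    for element in parse_syntax(template):
        if isinstance(element, str):
            if pos >= len(words) or words[pos] != element:
                return False
            pos += 1
            continue
        chosen: List[str] = []
        while (pos < len(words) and words[pos] in element.options
               and words[pos] not in chosen):
            chosen.append(words[pos])
            pos += 1
            if not element.multi:
                break
        if element.required and not chosen:
            return False
    return pos == len(words)


if __name__ == "__main__":
    # Constructed templates using the x / y placeholders from Table 1.
    print(matches("cmd { x | y } *", "cmd y x"))    # True: at least one choice, any order
    print(matches("cmd { x | y } *", "cmd"))        # False: braces require a choice
    print(matches("cmd [ x | y ]", "cmd x y"))      # False: plain brackets allow one or none
    print(matches("[ undo ] info-center enable", "UNDO info-center enable"))  # True
```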
Undo form of a command
The undo form of a command restores the default, disables a function, or removes a configuration.
Almost all configuration commands have an undo form. For example, the info-center enable command
enables the information center, and the undo info-center enable command disables the information
center.
CLI view description
Commands are grouped into different classes by function. To use a command, you must enter the class
view of the command.
CLI views adopt a hierarchical structure. See Figure 3.
• After logging in to the switch, you are in user view. The prompt of user view is <device name>. In
user view, you can perform display, debugging, and file management operations, set the system
time, restart your device, and perform FTP and telnet operations.
• You can enter system view from user view. In system view, you can configure parameters such as
daylight saving time, banners, and short-cut keys.
• From system view, you can enter different function views. For example, enter interface view to
configure interface parameters, create a VLAN and enter its view, enter user interface view to
configure login user attributes, create a local user and enter local user view to configure the
password and level of the local user.
NOTE:
Enter ? in any view to display all the commands that can be executed in this view.
Figure 3 Command line views
(Figure: user view at the top, system view below it, and under system view the interface view, VLAN view, user interface view, and local user view.)
Entering system view
When you log in to the device, you automatically enter user view, where <Device name> is displayed. You can perform limited operations in user view, for example, display operations, file operations, and Telnet operations. To perform further configuration for the device, enter system view.
Follow the step below to enter system view:
• To do: Enter system view
  Use the command: system-view
  Remarks: Required. Available in user view.
Exiting the current view
The CLI is divided into different command views. Each view has a set of specific commands and defines the effective scope of the commands. The commands available to you at any given time depend on the view you are in.
Follow the step below to exit the current view:
• To do: Return to the parent view from the current view
  Use the command: quit
  Remarks: Required. Available in any view.
NOTE:
• The quit command in user view stops the current connection between the terminal and the device.
• In public key code view, use the public-key-code end command to return to the parent view (public key view). In public key view, use the peer-public-key end command to return to system view.
Returning to user view
This feature allows you to return to user view from any other view, without using the quit command repeatedly. You can also press Ctrl+Z to return to user view from the current view.
Follow the step below to exit to user view:
• To do: Return to user view
  Use the command: return
  Remarks: Required. Available in any view except user view.
Using the CLI online help
Type a question mark (?) to obtain online help. See the following examples.
1. Type ? in any view to display all commands available in this view and brief descriptions of these commands. For example:
<sysname> ?
User view commands:
  archive      Specify archive settings
  backup       Backup next startup-configuration file to TFTP server
  boot-loader  Set boot loader
  bootrom      Update/read/backup/restore bootrom
  cd           Change current directory
…Omitted…
2. Type part of a command and a ? separated by a space.
If ? is at the position of a keyword, the CLI displays all possible keywords with a brief description for each
keyword. For example:
<sysname> terminal ?
debugging Send debug information to terminal
logging Send log information to terminal
monitor Send information output to current terminal
trapping Send trap information to terminal
If ? is at the position of an argument, the CLI displays a description about this argument. For example:
The string <cr> indicates that the command is a complete command, and you can execute the command
by pressing Enter.
3. Type an incomplete character string followed by a ?. The CLI displays all commands starting with the typed character(s).
<sysname> c?
cd
clock
cluster
copy
<sysname> display cl?
clipboard
clock
cluster
Typing commands
Editing command lines
Table 2 lists some shortcut keys you can use to edit command lines.
Table 2 Editing functions
Common keys: If the edit buffer is not full, pressing a common key inserts the character at the position of the cursor and moves the cursor to the right.
Backspace: Deletes the character to the left of the cursor and moves the cursor back one character.
Left arrow key or Ctrl+B: The cursor moves one character space to the left.
Right arrow key or Ctrl+F: The cursor moves one character space to the right.
Tab: If you press Tab after entering part of a keyword, the system automatically completes the keyword:
• If finding a unique match, the system substitutes the complete keyword for the incomplete one and displays it in the next line.
• If there is more than one match, you can press Tab repeatedly to display in cycles all the keywords starting with the character string that you typed.
• If there is no match, the system does not modify the incomplete keyword and displays it again in the next line.
Typing incomplete keywords
You can input a command comprising incomplete keywords that uniquely identify the complete
command.
For example, in user view, to enter system view with the system-view command, you can type sy.
You can also press Tab to have an incomplete keyword automatically completed.
Configuring command aliases
The command keyword alias function allows you to replace the first keyword of a non-undo command or
the second keyword of an undo command with your preferred keyword when you execute the command.
For example, if you configure show as the alias for the display keyword, you can enter either show clock
or display clock to execute the display clock command.
Usage guidelines
• After you successfully execute a command by using a keyword alias, the system displays and saves the keyword, instead of its alias.
• When you define a command alias, the cmdkey and alias arguments must be in their complete form.
• If a string you entered partially matches a keyword and an alias, the command indicated by the alias is executed. To execute the command indicated by the keyword, enter the complete keyword.
• If a string you entered exactly matches a keyword and partially matches an alias, the command indicated by the keyword is executed. To execute the command indicated by the alias, enter the complete alias.
• If you enter a string that partially matches multiple aliases, the system displays a prompt.
• If you press Tab after you input the keyword of an alias, the original format of the keyword is displayed.
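As an added example (not code from the HP manual or from the switch software), the following Python model implements the keyword resolution rules from "Typing incomplete keywords" and the alias usage guidelines above: Tab completion of a prefix, acceptance of an incomplete keyword that identifies one command, and the precedence between a keyword and an alias when a typed string partially matches both. The KeywordTable class, its methods and the keyword and alias sets are constructed for illustration; the canonical_line method shows what the switch displays and saves after an alias is used, which is what a configuration or history review will see.

```python
"""Model of how the HP CLI resolves a typed keyword against command keywords
and configured keyword aliases.

Added example, not code from the HP manual or from the switch software. The
keyword set and the aliases below are constructed for illustration; the
resolution rules follow the page's 'Typing incomplete keywords' and
'Configuring command aliases' text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Resolution:
    status: str                       # "keyword", "alias", "ambiguous" or "unknown"
    keyword: Optional[str] = None     # complete keyword that is executed and saved
    candidates: List[str] = field(default_factory=list)


@dataclass
class KeywordTable:
    keywords: Set[str]                                     # complete keywords known in this view
    aliases: Dict[str, str] = field(default_factory=dict)  # alias -> keyword

    def complete(self, typed: str) -> List[str]:
        """Tab completion: keywords starting with the typed string.
        Typing a whole alias and pressing Tab shows the original keyword."""
        t = typed.lower()                                  # HP keywords are case insensitive
        if t in self.aliases:
            return [self.aliases[t]]
        return sorted(k for k in self.keywords if k.startswith(t))

    def resolve(self, typed: str) -> Resolution:
        """Decide which command a typed (possibly incomplete) keyword runs."""
        t = typed.lower()
        partial_keywords = sorted(k for k in self.keywords if k.startswith(t))
        partial_aliases = sorted(a for a in self.aliases if a.startswith(t))
        # Exact keyword match beats a partial alias match.
        if t in self.keywords:
            return Resolution("keyword", t, [t])
        # Exact alias match runs the aliased keyword.
        if t in self.aliases:
            return Resolution("alias", self.aliases[t], [t])
        # Partial match of several aliases: the system prompts instead of guessing.
        if len(partial_aliases) > 1:
            return Resolution("ambiguous", None, partial_aliases)
        # Partial match of one alias wins over partial keyword matches.
        if len(partial_aliases) == 1:
            return Resolution("alias", self.aliases[partial_aliases[0]], partial_aliases)
        # No alias involved: an incomplete keyword must identify exactly one keyword.
        if len(partial_keywords) == 1:
            return Resolution("keyword", partial_keywords[0], partial_keywords)
        if partial_keywords:
            return Resolution("ambiguous", None, partial_keywords)
        return Resolution("unknown", None, [])

    def canonical_line(self, line: str) -> Optional[str]:
        """Return the command line as the switch displays and saves it: the
        alias is replaced by its keyword. Aliases apply to the first keyword of
        a command, or to the second keyword when the command starts with undo.
        Returns None when the keyword is ambiguous or unknown."""
        words = line.split()
        if not words:
            return None
        idx = 1 if words[0].lower() == "undo" and len(words) > 1 else 0
        res = self.resolve(words[idx])
        if res.keyword is None:
            return None
        words[idx] = res.keyword
        return " ".join(words)


# Constructed view: a few user view keywords from the page's listings plus two aliases.
TABLE = KeywordTable(
    keywords={"debugging", "dialer", "display", "ping", "quit", "ssh2", "super", "undo"},
    aliases={"show": "display", "sh": "display"},
)


if __name__ == "__main__":
    for typed in ("display", "dis", "di", "sho", "s", "su"):
        print(typed, "->", TABLE.resolve(typed))
    print(TABLE.canonical_line("show clock"))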
Configuration procedure
Follow these steps to configure command aliases:
• To do: Enter system view
  Use the command: system-view
  Remarks: (none)
• To do: Enable the command alias function
  Use the command: command-alias enable
  Remarks: Required. Disabled by default, which means you cannot configure command aliases.
• To do: Configure a command alias
  Remarks: Required. Not configured by default.
Configuring hotkeys is optional and is available in any view. The Ctrl+G, Ctrl+L and Ctrl+O hotkeys are specified at the CLI by default. See Table 3 for hotkeys reserved by the system.
NOTE:
By default, the Ctrl+G, Ctrl+L and Ctrl+O hotkeys are associated with pre-defined commands and the Ctrl+T and Ctrl+U hotkeys are not.
• Ctrl+G corresponds to the display current-configuration command.
• Ctrl+L corresponds to the display ip routing-table command.
• Ctrl+O corresponds to the undo debugging all command.
Table 3 Hotkeys reserved by the system
Ctrl+A: Moves the cursor to the beginning of the current line.
Ctrl+B: Moves the cursor one character to the left.
Ctrl+C: Stops performing a command.
Ctrl+D: Deletes the character at the current cursor position.
Ctrl+E: Moves the cursor to the end of the current line.
Ctrl+F: Moves the cursor one character to the right.
Ctrl+H: Deletes the character to the left of the cursor.
Ctrl+K: Terminates an outgoing connection.
Ctrl+N: Displays the next command in the history command buffer.
Ctrl+P: Displays the previous command in the history command buffer.
Ctrl+R: Redisplays the current line information.
Ctrl+V: Pastes the content in the clipboard.
Ctrl+W: Deletes all the characters in a continuous string to the left of the cursor.
Ctrl+X: Deletes all the characters to the left of the cursor.
Ctrl+Y: Deletes all the characters to the right of the cursor.
Ctrl+Z: Exits to user view.
Ctrl+]: Terminates an incoming connection or a redirect connection.
Esc+B: Moves the cursor to the leading character of the continuous string to the left.
Esc+D: Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor.
Esc+F: Moves the cursor to the front of the next continuous string to the right.
Esc+N: Moves the cursor down by one line (available before you press Enter).
Esc+P: Moves the cursor up by one line (available before you press Enter).
Esc+<: Specifies the cursor as the beginning of the clipboard.
Esc+>: Specifies the cursor as the ending of the clipboard.
NOTE:
The hotkeys in the table above are defined by the switch. If the same hotkeys are defined by the terminal
software that you use to interact with the switch, the hotkeys defined by the terminal software take effect.
Redisplaying input but not submitted commands
If your command input is interrupted by output system information, you can use this feature to redisplay
the previously input but not submitted commands.
Follow these steps to enable redisplaying of input but not submitted commands:
• To do: Enter system view
  Use the command: system-view
  Remarks: (none)
• To do: Enable redisplaying of input but not submitted commands
  Use the command: info-center synchronous
  Remarks: Required. Disabled by default.
NOTE:
• If you have no input at the command line prompt and the system outputs system information such as logs, the system will not display the command line prompt after the output.
• If the system outputs system information when you are typing interactive information (not YES/NO for confirmation), the system will not redisplay the prompt information but a line break after the output and then display what you have typed.
• For more information about the info-center synchronous command, see the Network Management and Monitoring Command Reference.
Checking command line errors
If a command contains syntax errors, the CLI reports error information.
Table 4 Common command line errors
Error information: % Unrecognized command found at '^' position.
  Cause: The command was not found.
Error information: % Incomplete command found at '^' position.
  Cause: Incomplete command
Error information: % Ambiguous command found at '^' position.
  Cause: Ambiguous command
Error information: Too many parameters
  Cause: Too many parameters
Error information: % Wrong parameter found at '^' position.
  Cause: Wrong parameters
Using command history
The CLI automatically saves the commands recently used in the history command buffer. You can access
and execute them again.
Accessing history commands
Follow a step below to access history commands:
• To do: Display history commands
  Use the key/command: display history-command
  Result: Displays valid history commands you used
• To do: Display the previous history command
  Use the key/command: Up arrow key or Ctrl+P
  Result: Displays the previous history command, if any
• To do: Display the next history command
  Use the key/command: Down arrow key or Ctrl+N
  Result: Displays the next history command, if any
NOTE:
• You can use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet. However, the up and down arrow keys are invalid in Windows 9X HyperTerminal, because they are defined differently. You can use Ctrl+P or Ctrl+N instead.
• The commands saved in the history command buffer are in the same format in which you typed the commands. If you type an incomplete command, the command saved in the history command buffer is also an incomplete one.
• If you execute the same command repeatedly, the switch saves only the earliest record. However, if you execute the same command in different formats, the system saves them as different commands. For example, if you execute the display cu command repeatedly, the system saves only one command in the history command buffer. If you execute the command in the format of display cu and display current-configuration respectively, the system saves them as two commands.
• By default, the CLI can save up to 10 commands for each user. To set the capacity of the history command buffer for the current user interface, use the history-command max-size command. (For more information about the history-command max-size command, see the Fundamentals Command Reference.)
Configuring the history buffer size
Follow these steps to configure the history buffer size:
• To do: Enter system view
  Use the command: system-view
  Remarks: (none)
• To do: Enter user interface view
  Use the command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }
  Remarks: (none)
• To do: Set the maximum number of commands that can be saved in the history buffer
  Use the command: history-command max-size
  Remarks: Optional. By default, the history buffer can save up to 10 commands.
NOTE:
For more information about the user-interface and history-command max-size commands, see the Fundamentals Command Reference.
If the output information spans multiple screens, each screen pauses after it is displayed. Perform one of the following operations to proceed.
Press Space: Displays the next screen.
Press Enter: Displays the next line.
Press Ctrl+C: Stops the display and the command execution.
Press <PageUp>: Displays the previous page.
Press <PageDown>: Displays the next page.
By default, each screen displays up to 24 lines. To change the maximum number of lines displayed on the next screen, use the screen-length command. For more information about the screen-length command, see the Fundamentals Command Reference.
Disabling multi-screen display
You can use the following command to disable the multi-screen display function. All of the output information is displayed at one time and the screen is refreshed continuously until the last screen is displayed.
• To do: Disable the multi-screen display function
  Use the command: screen-length disable
  Remarks: Required. By default, a login user uses the settings of the screen-length command. The default settings of the screen-length command are: multiple-screen display is enabled and up to 24 lines are displayed on the next screen. This command is executed in user view, and takes effect for the current user only. When the user re-logs into the switch, the default configuration is restored.
Filtering output information
NOTE:
Only display commands that support [ | { begin | exclude | include } regular-expression ] support filtering output information. Whether the display commands support these parameters depends on your device model.
Introduction
You can use regular expressions in display commands to filter output information.
The following methods are available for filtering output information:
• Input the begin, exclude, or include keyword plus a regular expression in the display command to filter the output information.
• When the system displays the output information in multiple screens, use /, - or + plus a regular expression to filter subsequent output information. / equals the keyword begin, - equals the keyword exclude, and + equals the keyword include.
The following definitions apply to the begin, exclude, and include keywords:
• begin: Displays the first line that matches the specified regular expression and all lines that follow.
• exclude: Displays all lines that do not match the specified regular expression.
• include: Displays all lines that match the specified regular expression.
A regular expression is a case sensitive string of 1 to 256 characters. It supports the following special characters.
^string
  Meaning: Starting sign. string appears only at the beginning of a line.
  Remarks: For example, regular expression "^user" only matches a string beginning with "user", not "Auser".
string$
  Meaning: Ending sign. string appears only at the end of a line.
  Remarks: For example, regular expression "user$" only matches a string ending with "user", not "userA".
.
  Meaning: Matches any single character, such as a single character, a special character, and a blank.
  Remarks: For example, ".s" matches "as" and "bs".
*
  Meaning: Matches the preceding character or character group zero or multiple times.
  Remarks: For example, "zo*" matches "z" and "zoo"; "(zo)*" matches "zo" and "zozo".
+
  Meaning: Matches the preceding character or character group one or multiple times.
  Remarks: For example, "zo+" matches "zo" and "zoo", but not "z".
|
  Meaning: Matches the preceding or succeeding character string.
  Remarks: For example, "def|int" only matches a character string containing "def" or "int".
_
  Meaning: If it is at the beginning or the end of a regular expression, it equals ^ or $. In other cases, it equals comma, space, round bracket, or curly bracket.
  Remarks: For example, "a_b" matches "a b" or "a(b"; "_ab" only matches a line starting with "ab"; "ab_" only matches a line ending with "ab".
-
  Meaning: It connects two values (the smaller one before it and the bigger one after it) to indicate a range together with [ ].
  Remarks: For example, "1-9" means 1 to 9 (inclusive); "a-h" means a to h (inclusive).
[ ]
  Meaning: Matches a single character contained within the brackets.
  Remarks: For example, [16A] matches a string containing any character among 1, 6, and A; [1-36A] matches a string containing any character among 1, 2, 3, 6, and A (- is a hyphen). "]" can be matched as a common character only when it is put at the beginning of characters within the brackets, for example [ ]string]. There is no such limit on "[".
( )
  Meaning: A character group. It is usually used with "+" or "*".
  Remarks: For example, (123A) means a character group "123A"; "408(12)+" matches 40812 or 408121212. But it does not match 408.
\index
  Meaning: Repeats the character string specified by the index. A character string refers to the string within ( ) before \. index refers to the sequence number (starting from 1 from left to right) of the character group before \. If only one character group appears before \, index can only be 1; if n character groups appear before index, index can be any integer from 1 to n.
  Remarks: For example, (string)\1 repeats string, and a matching string must contain stringstring. (string1)(string2)\2 repeats string2, and a matching string must contain string1string2string2. (string1)(string2)\1\2 repeats string1 and string2 respectively, and a matching string must contain string1string2string1string2.
[^]
  Meaning: Matches a single character not contained within the brackets.
  Remarks: For example, [^16A] means to match a string containing any character except 1, 6 or A, and the matching string can also contain 1, 6 or A, but cannot contain these three characters only. For example, [^16A] matches "abc" and "m16", but not 1, 16, or 16A.
\<string
  Meaning: Matches a character string starting with string.
  Remarks: For example, "\<do" matches word "domain" and string "doa".
string\>
  Meaning: Matches a character string ending with string.
  Remarks: For example, "do\>" matches word "undo" and string "abcdo".
\bcharacter2
  Meaning: Matches character1character2. character1 can be any character except number, letter or underline, and \b equals [^A-Za-z0-9_].
  Remarks: For example, "\ba" matches "-a" with "-" being character1, and "a" being character2, but it does not match "2a" or "ba".
\Bcharacter
  Meaning: Matches a string containing character, and no space is allowed before character.
  Remarks: For example, "\Bt" matches "t" in "install", but not "t" in "big top".
character1\w
  Meaning: Matches character1character2. character2 must be a number, letter, or underline, and \w equals [^A-Za-z0-9_].
  Remarks: For example, "v\w" matches "vlan", with "v" being character1, and "l" being character2. v\w also matches "service", with "i" being character2.
\W
  Meaning: Equals \b.
  Remarks: For example, "\Wa" matches "-a", with "-" being character1, and "a" being character2, but does not match "2a" or "ba".
\
  Meaning: Escape character. If a special character listed in this table follows \, the specific meaning of the character is removed.
  Remarks: For example, "\\" matches a string containing "\", "\^" matches a string containing "^", and "\\b" matches a string containing "\b".
Example of filtering output information
1. Example of using the begin keyword
# Display the configuration from the line containing "user-interface" to the last line in the current
configuration (the output information depends on the current configuration).
<Sysname> display current-configuration | begin user-interface
user-interface aux 0
user-interface vty 0 15
 authentication-mode none
 user privilege level 3
#
return
2. Example of using the exclude keyword
# Display the non-direct routes in the routing table (the output depends on the current configuration).
<Sysname> display ip routing-table | exclude Direct
Routing Tables: Public
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/24 Static 60 2 10.1.1.2 Vlan2
3. Example of using the include keyword
# Display the route entries that contain Vlan in the routing table (the output depends on the current
configuration).
<Sysname> display ip routing-table | include Vlan
Routing Tables: Public
Destination/Mask Proto Pre Cost NextHop Interface
192.168.1.0/24 Direct 0 0 192.168.1.42 Vlan999
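The three filter keywords shown in the examples above, as an added Python model (not code from the HP manual or from the switch software) run over a constructed configuration listing. The translate_pattern and filter_output functions and the SAMPLE_OUTPUT listing are constructed for illustration; the model also handles the switch-specific "_" character from the table above. Python's re module stands in for the switch's regular expression engine, which is an assumption of this model.

```python
"""Model of the | begin / exclude / include output filter of the HP display
commands, run over a constructed configuration listing.

Added example, not code from the HP manual or the switch software. The sample
output is constructed; the three filter modes and the '_' special character
follow the page's 'Filtering output information' text. Python's re module is
used as the regular expression engine, which is an assumption about how
closely it matches the switch's engine.
"""
import re
from typing import Iterable, List

MAX_PATTERN_LEN = 256   # the page: a regular expression is 1 to 256 characters


def translate_pattern(pattern: str) -> str:
    """Rewrite the switch-specific '_' character into standard regex syntax:
    at the start it means ^, at the end $, elsewhere a comma, space, round
    bracket or curly bracket. An escaped '\\_' is left alone."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])       # keep escape sequences intact
            i += 2
            continue
        if ch == "_":
            if i == 0:
                out.append("^")
            elif i == len(pattern) - 1:
                out.append("$")
            else:
                out.append("[, (){}]")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def filter_output(lines: Iterable[str], mode: str, pattern: str) -> List[str]:
    """Apply the begin, exclude or include filter to the output lines."""
    if not 1 <= len(pattern) <= MAX_PATTERN_LEN:
        raise ValueError("regular expression must be 1 to 256 characters")
    regex = re.compile(translate_pattern(pattern))   # case sensitive, as on the switch
    rows = list(lines)
    if mode == "begin":
        # First matching line and everything after it; nothing if no line matches.
        for i, row in enumerate(rows):
            if regex.search(row):
                return rows[i:]
        return []
    if mode == "exclude":
        return [row for row in rows if not regex.search(row)]
    if mode == "include":
        return [row for row in rows if regex.search(row)]
    raise ValueError("mode must be begin, exclude or include")


# Constructed sample of a current-configuration listing (not captured from a device).
SAMPLE_OUTPUT = """\
#
 sysname Sysname
#
vlan 1
#
interface Vlan-interface1
 ip address 192.168.1.42 255.255.255.0
#
user-interface aux 0
user-interface vty 0 15
 authentication-mode scheme
 user privilege level 3
#
return""".splitlines()


if __name__ == "__main__":
    for row in filter_output(SAMPLE_OUTPUT, "begin", "user-interface"):
        print(row)
```

Because matching is case sensitive, include "vlan" returns only the vlan 1 line and not the Vlan-interface1 line; when auditing a configuration with these filters, check the exact case of the keyword you are looking for.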
Configuring user privilege and command levels
To avoid unauthorized access, the switch defines user privilege levels and command levels. User privilege
levels correspond to command levels. When a user at a specific privilege level logs in, the user can only
use commands at that level, or lower levels.
All the commands are categorized into four levels: visit, monitor, system, and manage, and are identified from low to high, respectively by 0 through 3. Table 5 describes the command levels.
Table 5 Default command levels
Level 0 (Visit): Involves commands for network diagnosis and accessing an external device. Configuration of commands at this level cannot survive a device restart. Upon device restart, the commands at this level will be restored to the default settings. Commands at this level include ping, tracert, telnet and ssh2.
Level 1 (Monitor): Involves commands for system maintenance and service fault diagnosis. Commands at this level are not allowed to be saved after being configured. After the switch is restarted, the commands at this level will be restored to the default settings. Commands at this level include debugging, terminal, refresh, reset, and send.
Level 2 (System): Involves service configuration commands, such as routing configuration commands and commands for configuring services at different network levels. By default, commands at this level include all configuration commands except for those at the manage level.
Level 3 (Manage): Involves commands that influence the basic operation of the system and commands for configuring system support modules. By default, commands at this level involve the configuration commands of file system, FTP, TFTP, Xmodem download, user management, level setting, and parameter settings within a system (which are not defined by any protocols or RFCs).
Configuring a user privilege level
A user privilege level can be configured by using AAA authentication parameters or under a user
interface.
Configure user privilege level by using AAA authentication parameters
If the authentication mode of a user interface is scheme, the user privilege level of users logging into the
user interface is specified in AAA authentication configuration.
Follow these steps to configure the user privilege level by using AAA authentication parameters:
• To do: Enter system view
  Use the command: system-view
  Remarks: (none)
• To do: Enter user interface view
  Use the command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }
  Remarks: (none)
• To do: Specify the scheme authentication mode
  Use the command: authentication-mode scheme
  Remarks: Required. By default, the authentication mode for VTY users is password, and no authentication is needed for AUX login users.
• To do: Return to system view
  Use the command: quit
  Remarks: (none)
• To do: Configure the authentication mode for SSH users as password
  Use the command: For more information about SSH, see the Security Configuration Guide.
  Remarks: Required if users use SSH to log in, and username and password are needed at authentication.
• To do: Configure the user privilege level by using AAA authentication parameters, using local authentication
  Use the command: Use the local-user command to create a local user and enter local user view. Then use the level keyword in the authorization-attribute command to configure the user privilege level.
  Remarks: Use either approach. For local authentication, if you do not configure the user privilege level, the user privilege level is 0.
• To do: Configure the user privilege level by using AAA authentication parameters, using remote authentication (RADIUS, HWTACACS authentications)
  Use the command: Configure the user privilege level on the authentication server.
  Remarks: Use either approach. For remote authentication, if you do not configure the user privilege level, the user privilege level depends on the default configuration of the authentication server.
Example of configuring a user privilege level by using AAA authentication parameters
# You are required to authenticate the users that telnet to the switch through VTY 1, verify their username and password, and specify the user privilege level as 3.
When users telnet to the switch through VTY 1, they need to input username test and password 12345678. After passing the authentication, the users can only use the commands of level 0. If the users want to use commands of levels 0, 1, 2 and 3, the following configuration is required:
Configuring the user privilege level under a user interface
• If the authentication mode of a user interface is scheme, and SSH publickey authentication type (only a username is needed for this authentication type) is adopted, the user privilege level of users logging into the user interface is the user interface level.
• If the authentication mode of a user interface is none or password, the user privilege level of users logging into the user interface is the user interface level.
Follow these steps to configure the user privilege level under a user interface (SSH publickey authentication type):
• To do: Configure the authentication type for SSH users as publickey
  Use the command: For more information about SSH, see the Security Configuration Guide.
  Remarks: Required if the SSH login mode is adopted, and only username is needed during authentication. After the configuration, the authentication mode of the corresponding user interface must be set to scheme.
• To do: Enter system view
  Use the command: system-view
  Remarks: (none)
• To do: Enter user interface view
  Use the command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }
  Remarks: (none)
• To do: Configure the authentication mode for any user that uses the current user interface to log in to the switch
  Use the command: authentication-mode scheme
  Remarks: Required. By default, the authentication mode for VTY users is password, and no authentication is needed for AUX users.
• To do: Configure the privilege level for users that log in through the current user interface
  Use the command: user privilege level level
  Remarks: Optional. By default, the user privilege level for users logged in through the AUX user interface is 3, and that for users logged in through the VTY interfaces is 0.
Follow these steps to configure the user privilege level under a user interface (none or password authentication mode):
• To do: Enter system view
  Use the command: system-view
  Remarks: (none)
• To do: Enter user interface view
  Use the command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }
  Remarks: (none)
• To do: Configure the authentication mode for any user that uses the current user interface to log in to the switch
  Use the command: authentication-mode { none | password }
  Remarks: Required. By default, the authentication mode for VTY user interfaces is password, and no authentication is needed for AUX login users.
• To do: Configure the privilege level of users logged in through the current user interface
  Use the command: user privilege level level
  Remarks: Optional. By default, the user privilege level for users logged in through the AUX user interface is 3, and that for users logged in through the VTY interfaces is 0.
Examples of configuring a user privilege level under a user interface
# Configure the switch to allow Telnet users to log in without authentication. (Free access brings security risks. For security, do not allow free access.)
Now, Telnet users can log in to the switch without authentication, but can use only the following
commands:
<Sysname> ?
User view commands:
display Display current system information
ping Ping function
quit Exit from current command view
rsh Establish one RSH connection
ssh2 Establish a secure shell client connection
super Set the current user priority level
telnet Establish one TELNET connection
tftp Open TFTP connection
tracert Trace route function
# Set the user privilege level to 1 for Telnet users.
[Sysname-ui-vty0-15] user privilege level 1
Now, Telnet users can access more commands:
<Sysname> ?
User view commands:
debugging Enable system debugging functions
dialer Dialer disconnect
display Display current system information
ping Ping function
quit Exit from current command view
refresh Do soft reset
reset Reset operation
rsh Establish one RSH connection
screen-length Specify the lines displayed on one screen
send Send information to other user terminal interface
ssh2 Establish a secure shell client connection
super Set the current user priority level
telnet Establish one TELNET connection
terminal Set the terminal line characteristics
tftp Open TFTP connection
tracert Trace route function
undo Cancel current setting
# Configure the switch to authenticate Telnet users by verifying their password, and set their user privilege level to 2.
By default, Telnet users can use the commands of level 0 after passing authentication. After the configuration above is completed, when users log in to the switch through Telnet, they need to input password 123, and then they can use commands of levels 0, 1, and 2.
NOTE:
• For more information about user interfaces, see "Login methods." For more information about the user-interface, authentication-mode, and user privilege level commands, see the Fundamentals Command Reference.
• For more information about AAA authentication, see the Security Configuration Guide. For more information about the local-user and authorization-attribute commands, see the Security Command Reference.
• For more information about SSH, see the Security Configuration Guide.
Switching user privilege level
Users can switch to a different user privilege level temporarily without logging out and terminating the
current connection. After the privilege level switch, users can continue to configure the switch without the
need to re-log in, but the commands that they can execute have changed. For example, if the current user
privilege level is 3, the user can configure system parameters. After switching to user privilege level 0, the
user can only execute simple commands, like ping and tracert, and only a few display commands. The
switching operation is effective for the current login. After the user logs in again, the user privilege
restores to the original level.
• To avoid problems, HP recommends that administrators log in to the switch by using a lower privilege level and view switch operating parameters, and when they have to maintain the switch, they can switch to a higher level temporarily.
• If the administrators need to leave for a while or ask someone else to manage the switch temporarily, they can switch to a lower privilege level before they leave to restrict the operation by others.
Setting the authentication mode for user privilege level switch
A user can switch to a privilege level equal to or lower than the current one unconditionally and is not
required to input a password (if any).
For security, a user is required to input the password (if any) to switch to a higher privilege level. The authentication falls into one of the following four categories:
Authentication mode: local
  Meaning: Local password authentication
  Description: The switch authenticates a user by using the privilege level switch password input by the user. When this mode is applied, you need to set the password for privilege level switch with the super password command.
Authentication mode: scheme
  Meaning: Remote AAA authentication through HWTACACS or RADIUS
  Description: The switch sends the username and password for privilege level switch to the HWTACACS or RADIUS server for remote authentication. When this mode is applied, you need to perform the following configurations:
  • Configure HWTACACS or RADIUS scheme and reference the created scheme in the ISP domain. For more information, see the Security Configuration Guide.
  • Create the corresponding user and configure password on the HWTACACS or RADIUS server.
Authentication mode: local scheme
  Meaning: Performs the local password authentication first and then the remote AAA authentication
  Description: The switch authenticates a user by using the local password first. If no local password is set, the privilege level is switched directly for the users logged in from the AUX port, and remote AAA authentication is performed on the users logged in from VTY user interfaces.
Authentication mode: scheme local
  Meaning: Performs remote AAA authentication first and then the local password authentication
  Description: AAA authentication is performed first, and if the remote HWTACACS or RADIUS server does not respond or AAA configuration on the switch is invalid, the local password authentication is performed.
Follow these steps to set the authentication mode for user privilege level switch:

To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Set the authentication mode for user privilege level switch
Use the command…: super authentication-mode { local | scheme } *
Remarks: Optional. local by default.

To do…: Configure the password for user privilege level switch
Use the command…:
• In non-FIPS mode: super password [ level user-level ] [ hash ] { cipher | simple } password
• In FIPS mode: super password [ level user-level ] { cipher | simple } password
Remarks: Required if the authentication mode is set to local. By default, no privilege level switch
password is configured.
CAUTION:
• If no user privilege level is specified when you configure the password for switching the user privilege
level with the super password command, the user privilege level defaults to 3.
• Whether you specify the simple keyword or the cipher keyword, the password is saved to the
configuration file in cipher text.
• If the user logs in from the AUX user interface (the console port), the user can switch the privilege level
to a higher level even if the authentication mode is local and no password for user privilege level switch
is configured. Anyone with physical access to the console port can therefore reach level 3 in that case,
so protect the console physically or configure authentication on the AUX user interface.

Switching the user privilege level
Follow the step to switch the user privilege level:

To do…: Switch the user privilege level
Use the command…: super [ level ]
Remarks: Required. When logging in to the switch, a user has a user privilege level, which depends on
the user interface or the authentication user level. Available in user view.
When you switch the user privilege level, the information you need to provide varies with combinations
of the user interface authentication mode and the super authentication mode.
Table 6 Information input for user privilege level switch

For each combination of user interface authentication mode and user privilege level switch
authentication mode, the table gives the information the user must input for the first authentication
mode, and the information the user must input after the authentication mode changes (that is, when the
first mode falls through to the second one in local scheme or scheme local).

User interface authentication mode: none/password
• Switch authentication mode local: Local user privilege level switch password (configured on the
switch). After the authentication mode changes: —
• Switch authentication mode local scheme: Local user privilege level switch password. After the
authentication mode changes: Username and password for privilege level switch (configured on the
AAA server).
• Switch authentication mode scheme: Username and password for privilege level switch. After the
authentication mode changes: —
• Switch authentication mode scheme local: Username and password for privilege level switch. After
the authentication mode changes: Local user privilege level switch password.

User interface authentication mode: scheme
• Switch authentication mode local: Local user privilege level switch password. After the authentication
mode changes: —
• Switch authentication mode local scheme: Local user privilege level switch password. After the
authentication mode changes: Password for privilege level switch (configured on the AAA server). The
system uses the username used for logging in as the privilege level switch username.
• Switch authentication mode scheme: Password for privilege level switch (configured on the AAA
server). The system uses the username used for logging in as the privilege level switch username. After
the authentication mode changes: —
• Switch authentication mode scheme local: Password for privilege level switch (configured on the AAA
server). The system uses the username used for logging in as the privilege level switch username. After
the authentication mode changes: Local user privilege level switch password.

CAUTION:
• When the authentication mode is set to local, configure the local password before switching to a higher
user privilege level.
• When the authentication mode is set to scheme, configure AAA related parameters before switching to
a higher user privilege level.
• The privilege level switch fails after three (for scheme authentication) or five (for local authentication)
consecutive unsuccessful password attempts.
• In scheme authentication mode, a user who fails to provide the correct password during five consecutive
attempts must wait 15 minutes before trying again. Trying again before the 15-minute period elapses
restores the wait timer to 15 minutes and restarts the timer.
• For more information about user interface authentication, see "Login methods."
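The following is an added worked example, not from the original guide, that runs the procedure above end to end on a Comware-style CLI: the switch is set to scheme local, a level-3 local fallback password is configured, and a VTY user then raises and lowers their level. The prompts <Sysname> and [Sysname], the password value, and the AAA setup are assumptions; the HWTACACS/RADIUS scheme and ISP domain that scheme authentication needs are configured as described in the Security Configuration Guide and are not shown here.

```console
# Added example: configure privilege level switch authentication and use it.
<Sysname> system-view
# Try the AAA server first; fall back to the local password only if the server
# does not respond or the AAA configuration on the switch is invalid.
[Sysname] super authentication-mode scheme local
# Local fallback password for level 3 (the level defaults to 3 if "level" is
# omitted). It is stored in cipher text whether "simple" or "cipher" is given.
# "Sup3r-Sw1tch-P4ss" is an assumed value.
[Sysname] super password level 3 simple Sup3r-Sw1tch-P4ss
[Sysname] quit
# A VTY user at level 0 raises to level 3. A user who logged in with scheme
# authentication is asked only for the AAA password and the login username is
# reused (Table 6); if AAA falls through, the local password above is asked for.
<Sysname> super 3
Password:
# Returning to a level equal to or lower than the current one needs no password.
<Sysname> super 0
# Check the configured mode and that the password appears only in cipher text.
<Sysname> display current-configuration | include super
```

After five consecutive wrong local passwords, or three wrong AAA passwords, the switch refuses the level switch, so scripted or repeated attempts against the super prompt show up as lockouts rather than succeeding quietly.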
Modifying the level of a command
All the commands in a view default to different levels. The administrator can change the default level of
a command to a lower level or a higher level as needed.
Follow these steps to modify the command level:

To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Configure the command level in a specified view
Use the command…: command-privilege level level view view command
Remarks: Required. See Table 5 for the default settings.

CAUTION:
HP recommends that you use the default command level or modify the command level under the guidance
of professional staff. An improper change of the command level may bring inconvenience to your
maintenance and operation, or even potential security problems.
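As an added illustration of the command-privilege syntax (this is not from the original guide), the fragment below raises the level of the command that shows the running configuration, so that monitor-level users cannot read it, and lowers a harmless display command so that visit-level users can run it. On Comware devices the view name shell denotes user view in this command; the target levels 3 and 0 are choices for this example, and the default levels of the two commands are those listed in Table 5 of the guide.

```console
# Added example: change the level of two user-view commands.
<Sysname> system-view
# Require level 3 (MANAGE) to display the running configuration, which
# contains cipher-text passwords and AAA settings.
[Sysname] command-privilege level 3 view shell display current-configuration
# Let level 0 (VISIT) users display the clipboard.
[Sysname] command-privilege level 0 view shell display clipboard
[Sysname] quit
# Verify the changes and persist them; they are lost at reboot otherwise.
<Sysname> display current-configuration | include command-privilege
<Sysname> save
```

Raising a command above the level of the users who normally run it is the most common way such a change causes the "inconvenience" the caution warns about, so record each modification and keep the list short.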
Saving the current configuration
On the device, you can input the save command in any view to save all the submitted and executed
commands into the configuration file. Commands saved in the configuration file can survive a reboot.
The save command does not take effect on one-time commands, such as display commands, which
display specified information, and the reset commands, which clear specified information. The one-time
commands executed are never saved.
Displaying and maintaining CLI

To do…: Display defined command aliases and the corresponding commands
Use the command…: display command-alias [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do…: Display the clipboard information
Use the command…: display clipboard [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
Login methods
This chapter includes these sections:
• Login methods
• User interface overview
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about
FIPS mode, see the Security Configuration Guide.
Login methods
You can log in to the switch by using the following methods.
Table 7 Login methods

Login method: CLI login, logging in through the console port
Default state: By default, you can log in to a device through the console port, the authentication mode is
None (no username or password required), and the user privilege level is 3.

Login method: CLI login, logging in through telnet
Default state: By default, you cannot log in to a device through telnet. To do so, log in to the device
through the console port, and complete the following configuration:
• Enable the telnet function.
• Configure the IP address of the VLAN interface, and make sure that your device and the telnet client
can reach each other (by default, the device does not have an IP address).
• Configure the authentication mode of VTY login users (password by default).
• Configure the user privilege level of VTY login users (0 by default).
NOTE:
Telnet is not supported in FIPS mode.

Login method: CLI login, logging in through SSH
Default state: By default, you cannot log in to a device through SSH. To do so, log in to the device
through the console port, and complete the following configuration:
• Enable the SSH function and configure SSH attributes.
• Configure the IP address of the VLAN interface, and make sure that your device and the SSH client can
reach each other (by default, your device does not have an IP address).
• Configure the authentication mode of VTY login users as scheme (password by default).
• Configure the user privilege level of VTY login users (0 by default).
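The fragment below is an added example, not from the original guide, of the SSH row of Table 7 carried through as one console session: SSH is enabled, the VLAN interface gets an address, a level-3 local user is created, and the VTY user interfaces are set to scheme authentication and restricted to SSH so that telnet cannot be used on them. The commands are Comware V5 syntax from the later chapters of this guide; the VLAN interface number, IP address, username and password are assumptions.

```console
# Added example: enable SSH login on VTY 0 to 4 with scheme authentication.
<Sysname> system-view
# SSH needs a local host key pair and the SSH server enabled.
[Sysname] public-key local create rsa
[Sysname] ssh server enable
# Give the switch a reachable address (assumed: VLAN-interface 1, 192.168.1.1/24).
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.1.1 255.255.255.0
[Sysname-Vlan-interface1] quit
# Local user for SSH. With scheme authentication the level a user gets is the
# one authorized for the user, here level 3, rather than the VTY's default 0.
[Sysname] local-user admin
[Sysname-luser-admin] password cipher Adm1n-Passw0rd
[Sysname-luser-admin] service-type ssh
[Sysname-luser-admin] authorization-attribute level 3
[Sysname-luser-admin] quit
[Sysname] ssh user admin service-type stelnet authentication-type password
# VTY user interfaces: scheme authentication (required for SSH) and SSH only,
# so password-only or cleartext telnet logins are refused on these lines.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] protocol inbound ssh
[Sysname-ui-vty0-4] quit
# Persist, since the running configuration does not survive a reboot.
[Sysname] save
```

Leaving the telnet function disabled (its default) and setting protocol inbound ssh on the VTYs is what keeps the device usable in FIPS mode, where telnet is not supported at all.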