
01 Basic Configuration

The document is a configuration guide that outlines various aspects of configuring a command line interface (CLI) for network devices. It covers topics such as accessing the CLI, command modes, system help, and command editing features. Additionally, it includes instructions for configuring various management functions like FTP, TFTP, and USB, as well as guidelines for error handling and command history.

Uploaded by

megabintangmedan
Copyright
© © All Rights Reserved

Basic Configuration

Configuring CLI

Configuring ZAM

Configuring Basic Management

Configuring RBAC

Configuring Line

Configuring File System

Configuring USB

Configuring FTP Server

Configuring FTP Client

Configuring TFTP Server

Configuring TFTP Client

Configuring HTTP

Configuring Syslog

Configuring Software Upgrade

Configuring Uboot

Configuring Rboot

Configuring License Management


Configuration Guide Contents

Contents

1 Configuring CLI
  1.1 Introduction
    1.1.1 Accessing the CLI
    1.1.2 Command Modes
    1.1.3 System Help
    1.1.4 Abbreviated Commands
    1.1.5 No and Default Options of Commands
    1.1.6 Prompts for Incorrect Commands
    1.1.7 History Commands
    1.1.8 Featured Editing
    1.1.9 Searching and Filtering of the show Command Output
    1.1.10 Command Alias
    1.1.11 Character Set Encoding
  1.2 Restrictions and Guidelines
  1.3 Configuration Task Summary
  1.4 Operating the Python Script
  1.5 Configuring a Command Alias
  1.6 Configuring the Privilege Level of a Command
  1.7 Configuring the Character Set Encoding Format
  1.8 Monitoring

Configuration Guide Configuring CLI

1 Configuring CLI
1.1 Introduction
The command line interface (CLI) is a text-based interface through which users interact with network devices.
Users can enter commands in the CLI to configure and manage network devices.

1.1.1 Accessing the CLI

Before using the CLI, you need to connect a terminal or PC to a network device. After you start the network
device and initialize the hardware and software of the network device, you can use the CLI. If you use the network
device for the first time, you can connect it only through the console port. This is called out-of-band management.
After performing relevant configuration, you can connect and manage the network device by telnetting to the
virtual terminal.

1.1.2 Command Modes

The device has many commands, which are classified by function to make them easier to use. The CLI provides
several command modes, and every command is registered in one or several command modes. You must enter
the mode of a command before using this command. Command modes are related to each other but differ
from each other.

As soon as a new session is set up between a user and the management interface of a network device, you
enter user EXEC mode. In this mode, you can use a few commands and the command functions are limited,
such as the show command. Execution results of commands in user EXEC mode are not saved.

To use more commands, enter privileged EXEC mode. Generally, you must enter a password to enter privileged
EXEC mode. In privileged EXEC mode, you can use all commands registered in this command mode, and further
enter global configuration mode.

Using commands in configuration modes (such as global configuration mode and interface configuration mode)
affects configurations in use. If you save the configurations, these commands are saved and run when the
system restarts. To enter another configuration mode, enter global configuration mode. If you perform
configuration in global configuration mode, you can enter various configuration sub-modes, such as interface
configuration mode.


Table 1-1 Description of the Command Modes (suppose that the name of the network device is "Device")

| Command Mode | Access Method | Prompt | Exit or Entering Next Mode | Function Description of the Mode |
| --- | --- | --- | --- | --- |
| User EXEC mode | A user enters the user EXEC mode by default when accessing a network device. | Device> | Run the exit command to exit this mode. Run the enable command to enter the privileged EXEC mode. | Use this command mode to conduct basic tests or display system information. |
| Privileged EXEC mode | In User EXEC mode, run the enable command to enter the privileged EXEC mode. | Device# | Run the disable command to return to the user EXEC mode. Run the configure command to enter global configuration mode. | Use this command mode to check whether the configurations take effect. This mode is password-protected. |
| Global configuration mode | In Privileged EXEC mode, run the configure command to enter the global configuration mode. | Device(config)# | Run the exit or end command, or press Ctrl+C to return to the privileged EXEC mode. Run the interface command to enter interface configuration mode. In the interface command, you must specify the interface configuration sub-mode you want to enter. | Use commands in this mode to configure global parameters that affect the entire network device. |
| Interface configuration mode | In global configuration mode, run the interface gigabitethernet 0/1 command to enter the interface configuration mode. | Device(config-if-gigabitethernet 0/1)# | Run the end command or press Ctrl+C to return to the privileged EXEC mode. Run the exit command to return to global configuration mode. In the interface command, you must specify the interface configuration sub-mode you want to enter. | Use this command mode to configure various interfaces of the network device. |
| VLAN configuration mode | In global configuration mode, run the vlan vlan-id command to enter the VLAN configuration mode. | Device(config-vlan)# | Run the end command or press Ctrl+C to return to the privileged EXEC mode. Run the exit command to return to global configuration mode. | Use this command mode to configure VLAN parameters. |

1.1.3 System Help

When entering commands in the CLI, you can obtain help information by using the following methods:

● At the command prompt in any mode, enter a question mark (?) to list the commands supported in current
command mode and command description.

Device# ?
Exec commands:
<1-99> Session number to resume
bfd Bfd
calendar Set the calendar clock
cd Change directory
check Safe-verify check
checkpoint Create configuration rollback checkpoint
clear Reset functions
cli-python Execute cli python file
clock Manage the clock/calendar clock
cmdk Reset process by scripts name
configure Enter configuration mode
copy Copy file from source to destine file or dir
debug Debugging functionality (see 'undebug')
delete Delete file
dir List directory contents
disable Close privilege command
show Show running system information
do To run exec commands in config mode

● Enter a space and a question mark (?) after a keyword of a command to list the next keyword or variable
associated with the keyword.

Device(config)# interface ?
AggregatePort Aggregate port interface
Dialer Dialer interface
GigabitEthernet Gigabit Ethernet interface
Loopback Loopback interface
Null Null interface
Tunnel Tunnel interface
VLAN Vlan interfaces
Wireless Wireless interface
range Interface range command

Note
If a keyword is followed by a parameter value, the value range and description of this parameter are
displayed as follows.

Device(config)# interface loopback ?
<0-2147483647> Loopback port number

● Enter a question mark (?) after an incomplete string of a command keyword to list all command keywords
starting with the string.

Device# d?
debug delete dir disable disconnect do

● After an incomplete command keyword is entered, if the suffix of this keyword is unique, press the Tab key
to display the complete keyword.

Device# show inter<Tab>
Device# show interface

● In any command mode, you can run the help command to obtain brief description of the help system.

Device(config)# help
Help may be requested at any point in a command by entering
a question mark '?'. If nothing matches, the help list will
be empty and you must backup until entering a '?' shows the
available options.
Two styles of help are provided:
1. Full help is available when you are ready to enter a
command argument (e.g. 'show ?') and describes each possible
argument.
2. Partial help is provided when an abbreviated argument is entered
and you want to know what arguments match the input
(e.g. 'show pr?'.)

1.1.4 Abbreviated Commands

If a command is long, you can enter only the leading characters of each command keyword, as long as they are
enough to identify the keyword.

For example, the interface gigabitethernet 0/1 command for entering the configuration mode of interface
GigabitEthernet 0/1 is abbreviated as follows:

Device(config)# int g0/1
Device(config-if-GigabitEthernet 0/1)#

1.1.5 No and Default Options of Commands

Most commands have the no option. Generally, the no option is used to disable a feature or function, or perform
an operation opposite to a command. For example, run the no shutdown command on an interface to perform
the operation opposite to the shutdown command, that is, enable the interface. The keyword without the no
option is used to enable a disabled feature or a feature that is disabled by default.

Most configuration commands have the default option. The default option restores the settings of a
command to their default values. For most commands, the default value disables the function, so in
most cases the default option has the same effect as the no option. For some commands, however,
the default value enables the function. In this case, the default option has the opposite effect to
the no option: it enables the function of the command and sets the
variables to their default values.

Note

For the specific function of the no or default option of each command, see the command reference.

1.1.6 Prompts for Incorrect Commands

If an incorrect command is entered, an error prompt is displayed.

Table 1-2 Common CLI Errors

| Error | Description | How to Obtain Help |
| --- | --- | --- |
| % Ambiguous command: "show c" | The characters entered are too few to identify a unique command. | Enter the command again, and enter a question mark (?) after the ambiguous word. All the possible keywords are displayed. |
| % Incomplete command. | The mandatory keyword or variable is not entered in the command. | Enter the command again, and enter a space and a question mark (?). All the possible keywords or variables are displayed. |
| % Invalid input detected at '^' marker. | An incorrect command is entered. The symbol (^) indicates the position of the wrong word. | At the current command mode prompt, enter a question mark (?). All the command keywords allowed in this command mode are displayed. |

1.1.7 History Commands

The system automatically saves commands that are entered recently. You can use shortcut keys to query or call
history commands.


Table 1-3 Operation Methods

| Operation | Result |
| --- | --- |
| Ctrl+P or the Up key | The previous command in the history command list is displayed. Starting from the latest record, you can repeatedly perform this operation to query earlier records. |
| Ctrl+N or the Down key | After pressing Ctrl+P or the Up key, you can perform this operation to return to a command that is more recently executed in the history command list. You can repeatedly perform this operation to query more recently executed commands. |

Specification

The standard terminals, such as the VT100 series, support the direction keys.

1.1.8 Featured Editing

When editing commands, you can use the keys or shortcut keys listed in the following table:

Table 1-4 Description of Shortcut Keys

| Function | Key or Shortcut Key | Description |
| --- | --- | --- |
| Move the cursor in a line. | Left key or Ctrl+B | Move the cursor to the left by one character. |
| Move the cursor in a line. | Right key or Ctrl+F | Move the cursor to the right by one character. |
| Move the cursor in a line. | Ctrl+A | Move the cursor to the head of the command line. |
| Move the cursor in a line. | Ctrl+E | Move the cursor to the end of the command line. |
| Delete an entered character. | Backspace key | Delete one character to the left of the cursor. |
| Delete an entered character. | Delete key | Delete one character to the right of the cursor. |
| Move the output by one line or one page. | Enter key | When the output is displayed, press the Enter key to move the output one line upward and display the next line. Use this key only when the output does not end yet. |
| Move the output by one line or one page. | Space key | When the output is displayed, press the Space key to page down and display the next page. Use this key only when the output does not end yet. |

When the cursor is close to the right boundary, the entire command line moves to the left by 20 characters, and
the hidden front part is replaced with a dollar ($) sign. You can use related keys or shortcut keys to move the
cursor to the characters in the front or return to the head of the command line.


For example, the entire access-list command may be wider than the screen. When the cursor is first close to
the end of the command line, the entire command line moves to the left by 20 characters, and the hidden front
part is replaced with a dollar sign ($). Each time the cursor is close to the right boundary, the entire command
line moves to the left by 20 characters.

access-list 199 permit ip host 192.168.180.220 host
$ost 192.168.180.220 host 202.101.99.12
$0.220 host 202.101.99.12 time-range tr
Press Ctrl+A to return to the head of the command line. At this time, the hidden tail part of the command line is
replaced with a dollar sign ($).

access-list 199 permit ip host 192.168.180.220 host 202.101.99.$

Note

The default line width of terminals is 80 characters.

1.1.9 Searching and Filtering of the show Command Output

● To search specified content in the output of the show command, run the following command:

Table 1-5 Searching for Specified Content in the Output of the show Command

Command: show any-command | [ regexp ] begin regular-expression
Purpose: Searches for specified content in the output of the show command, and outputs the first line containing
the content and all information that follows this line.

● To filter specified content in the output of the show command, run the following commands:

Table 1-6 Filtering Specified Content in the Output of the show Command

Command: show any-command | [ regexp ] exclude regular-expression
Purpose: Filters the output of the show command to filter out lines containing the specified content, and outputs
other information.

Command: show any-command | [ regexp ] include regular-expression
Purpose: Filters the output of the show command to output only the lines containing the specified content, and
filters out other information.

Note
● The show command can be executed in any mode.
● Searched content is case-sensitive.

When the regexp keyword is specified, a regular expression can be used for filtering content. The following table
describes the usages of special characters in a regular expression.

Table 1-7 Description of Usages of Special Characters in a Regular Expression

| Character | Symbol | Special Meaning |
| --- | --- | --- |
| Period | . | Matches any single character. |
| Plus sign | + | Matches one or any sequence in a string. |
| Caret | ^ | Matches the start of a string. |
| Underline | _ | Matches commas, brackets, start and end of a string, and spaces. |
| Square brackets | [] | Matches a single character within a range. |

To search or filter the output of the show command, you must enter a vertical line (|). After the vertical line,
specify the search or filter rules and content to be searched or filtered (characters or strings). Content to be
searched and filtered is case-sensitive.

Device# show running-config | include interface


interface GigabitEthernet 0/0
interface GigabitEthernet 0/1
interface GigabitEthernet 0/2
interface GigabitEthernet 0/3
interface GigabitEthernet 0/4
interface GigabitEthernet 0/5
interface GigabitEthernet 0/6
interface GigabitEthernet 0/7
Device# show running-config | regexp include GigabitEthernet [0-9]/1
interface GigabitEthernet 0/1
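
The begin, include and exclude filters described above can be reproduced offline against saved show output, for example when reviewing an archived running configuration. The following Python code is an added example, not code from the device or its vendor. It assumes that without the regexp keyword the pattern is matched as a literal string, approximates the underscore of Table 1-7 with a Python character class, and passes all other metacharacters to Python's re module unchanged; the sample configuration is constructed.

```python
import re

# Assumption: '_' (Table 1-7) is approximated as comma, bracket, space,
# or the start/end of the line.
UNDERSCORE = r"(?:^|$|[,(){}\[\] ])"

# Constructed sample of saved "show running-config" output.
SAMPLE = """\
interface GigabitEthernet 0/0
 ip address 1.1.1.2 255.255.255.0
interface GigabitEthernet 0/1
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet 1/1
vlan 10
vlan 100
"""


def translate(expr: str) -> str:
    """Rewrite '_' outside [...] into the character class above."""
    out, in_class, i = [], False, 0
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):   # keep escaped characters as-is
            out.append(expr[i:i + 2])
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        out.append(UNDERSCORE if ch == "_" and not in_class else ch)
        i += 1
    return "".join(out)


def show_filter(output: str, action: str, pattern: str, regexp: bool = False) -> list:
    """Apply '| [regexp] begin|include|exclude pattern' to saved output.

    Matching is case-sensitive, as the guide states.
    """
    if action not in ("begin", "include", "exclude"):
        raise ValueError(f"unknown filter action: {action}")
    if regexp:
        compiled = re.compile(translate(pattern))
        hit = lambda line: compiled.search(line) is not None
    else:
        hit = lambda line: pattern in line      # literal substring match
    lines = output.splitlines()
    if action == "include":
        return [line for line in lines if hit(line)]
    if action == "exclude":
        return [line for line in lines if not hit(line)]
    for index, line in enumerate(lines):        # begin: first hit and the rest
        if hit(line):
            return lines[index:]
    return []


if __name__ == "__main__":
    for line in show_filter(SAMPLE, "include", "GigabitEthernet [0-9]/1", regexp=True):
        print(line)
```

Because matching is case-sensitive, a filter such as include Interface returns nothing on this sample, which matters when a filter is used to confirm that a setting is absent.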

1.1.10 Command Alias

You can specify any word as the alias of a command to simplify the input of the command string.

1. Default aliases in the system

In configuration mode or privileged EXEC mode, default aliases are available for some commands. You can run
the show aliases command to display these default aliases.

Device(config)# show aliases


Exec mode alias:
u undebug
un undebug


Note

Default aliases in the system cannot be deleted.

2. System help regarding command aliases

● The system provides help information for command aliases. An asterisk (*) is displayed in front of an alias in
the following format:

*command-alias=original-command
For example, in privileged EXEC mode, the default command alias "s" represents the keyword show. If you
enter "s?", help information of the keywords and aliases starting with "u" is displayed.

Device# u?
*u=undebug *un=undebug undebug no upgrade username

● If the command represented by an alias contains more than one word, the command is shown in a pair of
quotation marks.

For example, in privileged EXEC mode, configure the alias "sv" to replace the show version command. If
you enter "s?", help information of the keywords and aliases starting with "s" is displayed.

Device# s?
*s=show *sv=”show version” show start-chat
start-terminal-service

● You can use an alias to obtain help information of the command represented by the alias.

For example, if you configure the alias "ia" in interface configuration mode to represent the ip address
command, you can enter "ia?" in interface configuration mode to obtain help information of "ip address?",
and replace the alias with the actual command.

Device(config-if)# ia ?
A.B.C.D IP address
dhcp IP Address via DHCP
Device(config-if)#ip address

Caution

If you enter a space in front of a command alias, the command represented by this alias is displayed.

1.1.11 Character Set Encoding

Configuring character set encoding makes the device use a unified character set encoding format.
After a command is entered in the CLI of a terminal, the command is
automatically converted into a command in the unified character set encoding format before delivery.

Note

When hybrid formats exist in current running configurations, you must manually delete running configurations
containing the encoding format different from the target format before modifying the character set encoding
format.


1.2 Restrictions and Guidelines


You can adopt UTF-8/GBK to perform configuration in Chinese. When you move the cursor to edit text or
delete characters with the Backspace key in the CLI, the interface may display errors or garbled characters. You are advised to delete
all current characters and then configure a unified character set encoding format. After editing text or
deleting characters with Backspace, you can run the show running-config command to check whether the configurations are
correct. (To delete a Chinese character, you must press the Backspace key twice in the case of GBK, but must
press the Backspace key three times in the case of UTF-8.)

1.3 Configuration Task Summary


CLI configuration includes the following tasks. All the configuration tasks below are optional. Select the
configuration tasks as required.

● Operating the Python Script

● Configuring a Command Alias

● Configuring the Privilege Level of a Command

● Configuring the Character Set Encoding Format

1.4 Operating the Python Script


1. Overview

This section describes how to load and unload the Python script of CLI.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Operate the Python script. The configuration steps below are mutually exclusive. Select one of them for
configuration.

○ Load the Python script.

cli-python insmod python-filename

○ Unload the Python script.

cli-python rmmod python-filename

1.5 Configuring a Command Alias


1. Overview

You can specify any word as the alias of a command to simplify the input of the command string.

2. Restrictions and Guidelines

● The command replaced with an alias must start from the first character of the command line.

● The command replaced with an alias must be complete.

● An alias must be entered in full; otherwise, it cannot be identified.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure an alias to replace the front part of a command.

alias mode command-alias original-command

By default, default aliases are available for some commands in global configuration mode or privileged EXEC
mode.

1.6 Configuring the Privilege Level of a Command


1. Overview

This section describes how to configure the privilege level of a command.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the privilege level of a command.

privilege mode [ all ] { level level | default } command-string

1.7 Configuring the Character Set Encoding Format


1. Overview

This section describes how to configure a unified character set encoding format for the device.

2. Restrictions and Guidelines

● When hybrid formats exist in current running configurations of the device, you must manually delete running
configurations containing the encoding format different from the target format before modifying the character
set encoding format.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the character set encoding format.

language character-set { default | GBK | UTF-8 }

By default, hybrid formats are supported.


1.8 Monitoring
Run the show command to check the running status of a configured function to verify the configuration effect.

Table 1-8 Monitoring of the CLI

| Command | Purpose |
| --- | --- |
| show aliases [ mode ] | Displays all command aliases or the command aliases in specific command mode. |
| show cli session | Displays information about the running CLI session. |
| show cli model state | Displays the readiness status of the CLI line card. |


Contents

1 Configuring ZAM
  1.1 Introduction
    1.1.1 Overview
    1.1.2 Principles
  1.2 Restrictions and Guidelines
  1.3 Configuring ZAM
    1.3.1 Overview
    1.3.2 Restrictions and Guidelines
    1.3.3 Prerequisites
    1.3.4 Procedure
  1.4 Monitoring
  1.5 Configuration Examples
    1.5.1 Configuring ZAM

Configuration Guide Configuring ZAM

1 Configuring ZAM
1.1 Introduction
1.1.1 Overview

The zero automatic manager (ZAM) function enables the device to automatically download the software version,
upgrade the device version, and apply configuration files when the device has no configuration and the network
administrator is not in contact with the field devices. ZAM simplifies the operation, maintenance, and deployment
of massive devices, lowers the labor cost, reduces human errors, and improves the efficiency of network
deployment.

1.1.2 Principles

Figure 1-1 ZAM Automatic Go-Online Solution

[Figure: Device, DHCP Server, DNS Server, File Server]

ZAM go-online and deployment include four stages as follows:

(1) Initialization

At this stage, a device that goes online without configurations connects to a network and completes
initialization. The device automatically pre-deploys the ZAM environment. During the pre-deployment, the
service port must be used as the ZAM interface. The device automatically performs configuration, without
any need of extra configuration by the administrator.

(2) DHCP

Upon the pre-deployment above, the ZAM interface requests an IP address from the Dynamic Host
Configuration Protocol (DHCP) server. The reply packet carries
Option 66 (containing the IP address of the file server) and Option 67 (containing the name of the Python
script to be downloaded). The requirements are as follows:

○ The ZAM interface supports DHCP.

○ Configure the ZAM interface with a DHCP-allocated IP address. DHCP requests support Option 66 and
Option 67, and Option 66 and Option 67 have been configured in the address pool of the DHCP server.

○ The device analyzes and deploys the IP address of the ZAM interface, and analyzes the content of Option
66 and Option 67.

(3) TFTP

Based on the file name of the Python script and the IP address of the ZAM server (on which the TFTP server
function will be deployed) obtained during DHCP, the device downloads the corresponding configuration
script from the ZAM server.

Upon downloading above, the device executes the configuration script and downloads the corresponding
configuration file or version from the ZAM server.

(4) Configuration loading

After the Python script is executed, the device restarts automatically to update the device version and load
the configuration file.
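
Stage (2) can be checked from a packet capture: the following Python code, an added example that is not part of the original guide or the vendor's software, parses the options of a DHCP reply and compares the server identifier, Option 66 and Option 67 with the values planned for ZAM. The function names, the allow-lists and the constructed sample reply (built from addresses and the script name that appear in this guide's examples) are assumptions for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
BOOTP_FIXED_LEN = 236                # fixed BOOTP header that precedes the cookie
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_TFTP_SERVER, OPT_BOOTFILE = 53, 54, 66, 67


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} for a DHCP message (the UDP payload).

    Option overload (option 52) is not handled in this example.
    """
    start = BOOTP_FIXED_LEN + len(MAGIC_COOKIE)
    if len(packet) < start:
        raise ValueError("shorter than BOOTP header plus magic cookie")
    if packet[BOOTP_FIXED_LEN:start] != MAGIC_COOKIE:
        raise ValueError("DHCP magic cookie not found")
    options, i = {}, start
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError(f"option {code} has no length byte")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        # RFC 3396: repeated instances of one option are concatenated.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def check_zam_reply(packet, dhcp_servers, file_servers, scripts) -> list:
    """Return findings; an empty list means the reply matches the plan.

    dhcp_servers, file_servers and scripts are hypothetical allow-lists
    maintained by the operator.
    """
    opts = parse_dhcp_options(packet)
    findings = []
    sid = opts.get(OPT_SERVER_ID, b"")
    sid_text = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else None
    if sid_text not in dhcp_servers:
        findings.append(f"reply from unexpected DHCP server: {sid_text}")
    for code, what, allowed in ((OPT_TFTP_SERVER, "file server", file_servers),
                                (OPT_BOOTFILE, "script", scripts)):
        raw = opts.get(code)
        if raw is None:
            findings.append(f"Option {code} missing")
            continue
        text = raw.rstrip(b"\x00").decode("ascii", errors="replace")
        if text not in allowed:
            findings.append(f"Option {code} names unexpected {what}: {text!r}")
    return findings


def build_reply(server_id, tftp_server, bootfile=None) -> bytes:
    """Build a constructed DHCPACK (sample input, not a real capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x12345678, 0, 0,                  # op=BOOTREPLY, Ethernet
        bytes(4), ipaddress.IPv4Address("10.1.1.2").packed,   # ciaddr, yiaddr
        bytes(4), bytes(4),                            # siaddr, giaddr
        bytes.fromhex("001122334455"), b"", b"")       # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 5])                 # 5 = DHCPACK
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += bytes([OPT_TFTP_SERVER, len(tftp_server)]) + tftp_server.encode("ascii")
    if bootfile is not None:
        opts += bytes([OPT_BOOTFILE, len(bootfile)]) + bootfile.encode("ascii")
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    plan = ({"10.1.1.1"}, {"1.1.1.1"}, {"zam.py"})
    print(check_zam_reply(build_reply("10.1.1.1", "1.1.1.1", "zam.py"), *plan))
    print(check_zam_reply(build_reply("10.1.1.66", "10.1.1.66", "zam.py"), *plan))
```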

1.2 Restrictions and Guidelines

● An automatic retry is available after a ZAM failure. In this case, check whether the network functions properly
and whether the DHCP server is correctly configured based on the ZAM failure prompt.

● For a product version with ZAM disabled by default, please manually enable this function.

1.3 Configuring ZAM


1.3.1 Overview
This section describes how to configure ZAM to enable a device with no configurations to implement automatic
deployment.

1.3.2 Restrictions and Guidelines

To use the ZAM function, deploy the ZAM server and DHCP server.

1.3.3 Prerequisites

● Configure the address pool, Option 66, and Option 67 for the DHCP server. The configuration example is as
follows:

ip dhcp pool poap
option 67 ascii zam.py
option 66 ascii 100.1.1.2

● Deploy the TFTP server function on the ZAM server. Store the Python script file in the root directory of the
ZAM server, and create the folders listed in Table 1-1 in the root directory to store the files required during
the ZAM configuration.


Table 1-1 Description of Folders to Be Created on the ZAM Server

| Folder Name | Content | Function |
| --- | --- | --- |
| POAP_CFG | xxxx.cfg, xxxx.params | xxxx.cfg: Indicates the configuration file of the device. The configuration file of each device is named after the sn value of the device and uses .cfg as the suffix. xxxx.params: Indicates the parameter file of the device. It contains the path to the downloaded configuration file, path to the file used for version upgrade, and the name of the version file. The device automatically downloads the files. |
| POAP_IMAGE | Version binary file | The folder stores the version file of the device. The device automatically downloads the file. |
| POAP_LOG | Log file | The folder stores the log files uploaded during the ZAM configuration of the device. The log files of each device are named after the sn value of the device. The device automatically uploads the files. |
| POAP_STARTUP | Device sn value files | The folder stores the sn value file of the device where ZAM needs to be configured. The device automatically uploads the file. |
| POAP_STATUS | - | The folder stores the ZAM result log files, which are named after the sn value. The device automatically uploads the files. |

1.3.4 Procedure
(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enable ZAM.

zam

The ZAM function is enabled by default.


1.4 Monitoring
Run the show command to check the configuration.

Run the debug command to output debugging information.

Caution

Debugging occupies system resources, so disable it immediately if not required.

Table 1-2 ZAM Monitoring

| Command | Purpose |
| --- | --- |
| debug zam | Enables the ZAM framework event debugging. |
| show zam | Displays the configuration and status of ZAM. |

1.5 Configuration Examples


1.5.1 Configuring ZAM

1. Requirements

Manage and control the onboarding and deployment of all devices in the network in a unified manner.

2. Topology

Figure 1-2 ZAM Topology

[Figure: DHCP Server with G 0/1 (1.1.1.2/24) and G 0/2 (10.1.1.1/24); Device with G 0/1; ZAM Server with Eth 0 (1.1.1.1/24).]

3. Notes

 Configure the DHCP server.

 Configure the ZAM server.

 Enable the ZAM function on the devices.

4. Procedure

(1) Configure the DHCP server.


Set the IP address of GigabitEthernet 0/1 of the DHCP server to 1.1.1.2/24.

Dhcp_Server> enable
Dhcp_Server# configure terminal
Dhcp_Server(config)# interface gigabitEthernet 0/1
Dhcp_Server(config-if-GigabitEthernet 0/1)# ip address 1.1.1.2 255.255.255.0

Set the IP address of GigabitEthernet 0/2 of the DHCP server to 10.1.1.1/24.

Dhcp_Server(config)# interface gigabitEthernet 0/2
Dhcp_Server(config-if-GigabitEthernet 0/2)# ip address 10.1.1.1 255.255.255.0

Enable the DHCP server function.

Dhcp_Server(config)# service dhcp

Configure the address pool of the DHCP server.

Dhcp_Server(config)# ip dhcp pool zam
Dhcp_Server(config-dhcp-pool)# network 10.1.1.1 255.255.255.0
Dhcp_Server(config-dhcp-pool)# default-router 10.1.1.1

Configure Option 66.

Dhcp_Server(config-dhcp-pool)# option 66 ascii 1.1.1.1

Configure Option 67.

Dhcp_Server(config-dhcp-pool)# option 67 ascii zam.py


(2) Configure the ZAM server. Store the intermediate file (Python script named zam.py), and the configuration
files and version files to be delivered to the devices on the ZAM server. For details, see 1.3.3 Prerequisites.

(3) Enable the ZAM function on the devices.

Delete the configuration files from the devices.

Device# delete config.text
Do you want to delete [flash:/config.text]? [Y/N]:y
Delete success.

Run the reload command to restart the devices to enable the ZAM function.

Device# reload
Reload system?(Y/N)y
Device#[1042947.400971] %SYS-0-REBOOT: Rebooting by job: dp_mom_thread/3877
[1042947.408318]

U-Boot 1.4.12--g1b6cd5f (Dec 17 2019 - 21:58:43 +0800)

......
......
*May 13 15:47:36: %ZAM-6-EVENT: Get tftp server ip 1.1.1.1.
*May 13 15:47:36: %IPMIX-6-ADDRESS_ASSIGN: Interface VLAN 1 assigned DHCP
address 10.1.1.2, mask 255.255.255.0.
*May 13 15:47:36: %ZAM-6-EVENT: Get boot file name zam.py.
*May 13 15:47:42: %ZAM-6-EVENT: Download script success, rename to zam.py.
*May 13 15:47:42: %ZAM-6-INFO: Begin to exec script zam.py.
Thu May 13 15:47:46 2021 INFO: script(version:1.0.12440) running...


Thu May 13 15:47:46 2021 DEBUG: server ip: 1.1.1.1, port type: SVI
Thu May 13 15:47:46 2021 DEBUG: current version: RSR830W_RGOS 12.6(4)B1802,
Release(11152707
Thu May 13 15:47:46 2021 DEBUG: current patch: NA
Thu May 13 15:47:47 2021 DEBUG: execute upload command: copy
flash:/G1NQ7UW700483.POAP tftp://1.1.1.1/POAP_STARTUP/G1NQ7UW700483.POAP...
Thu May 13 15:47:47 2021 DEBUG: upload G1NQ7UW700483.POAP success
Thu May 13 15:47:47 2021 DEBUG: begin to download G1NQ7UW700483.params ...
Thu May 13 15:47:47 2021 DEBUG: execute download command: copy
tftp://1.1.1.1/POAP_CFG/G1NQ7UW700483.params flash:/poap.tmp.params...
Thu May 13 15:47:48 2021 DEBUG: download G1NQ7UW700483.params success
Thu May 13 15:47:48 2021 DEBUG: parse image_name=RSR830W.bin
Thu May 13 15:47:48 2021 DEBUG: begin to download G1NQ7UW700483.cfg ...
Thu May 13 15:47:48 2021 DEBUG: execute download command: copy
tftp://1.1.1.1/POAP_CFG/G1NQ7UW700483.cfg flash:/poap.tmp.cfg...
Thu May 13 15:47:48 2021 DEBUG: download G1NQ7UW700483.cfg success
Thu May 13 15:47:48 2021 INFO: download G1NQ7UW700483.cfg success, save to
flash:/poap.tmp.cfg
Thu May 13 15:47:48 2021 INFO: begin to download RSR830W.bin ...
Thu May 13 15:47:48 2021 DEBUG: execute download command: copy
tftp://1.1.1.1/POAP_IMAGE/RSR830W.bin tmp:/poap.image.bin...
Thu May 13 15:54:20 2021 DEBUG: download RSR830W.bin success
Thu May 13 15:54:20 2021 INFO: download RSR830W.bin success, save to
tmp:/poap.image.bin
Thu May 13 15:54:20 2021 INFO: upgrade system begin...
< The terminal is lock >
Upgrade start
!!!!100%
Upgrade skip, reason: The version in device is the same
< The terminal is unlock >
Thu May 13 15:54:43 2021 INFO: upgrade status: skip
Thu May 13 15:54:53 2021 DEBUG: rename file poap.tmp.cfg to config.text
Thu May 13 15:54:53 2021 INFO: script ending...
Thu May 13 15:54:54 2021 DEBUG: execute upload command: copy
flash:/poap.tmp.log tftp://1.1.1.1/POAP_LOG/G1NQ7UW700483.LOG...
Thu May 13 15:54:55 2021 DEBUG: upload G1NQ7UW700483.LOG success
Thu May 13 15:54:56 2021 DEBUG: execute upload command: copy
flash:/G1NQ7UW700483.ok tftp://1.1.1.1/POAP_STATUS/G1NQ7UW700483.ok...
Thu May 13 15:54:56 2021 DEBUG: upload G1NQ7UW700483.ok success
*May 13 15:55:00: %ZAM-6-EVENT: Script exec success, request device reset now.
*May 13 15:55:00: %DP-3-RESET_DEV: Reset device 1 due to zam reload device.
*May 13 15:55:02: %ZAM-6-EVENT: Script exec success, request device reset now.
*May 13 15:55:02: %DP-3-MACHINE_RESTART: MACHINE_RESTART.
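
The log above shows that ZAM takes its server address and script name from DHCP Options 66 and 67 and then moves every file over TFTP, so the log is where you confirm that a device was provisioned by the intended server. The following Python check is an added example, not part of the original guide or the vendor's tooling; the function names, the approved-server set and the embedded sample (lines from the log above with wrapped lines re-joined, plus one altered copy) are assumptions.

```python
import re

# Folders from Table 1-1 and the transfer direction the guide gives for each.
EXPECTED_DIRECTION = {
    "POAP_CFG": "download", "POAP_IMAGE": "download",
    "POAP_LOG": "upload", "POAP_STARTUP": "upload", "POAP_STATUS": "upload",
}
OPT66_RE = re.compile(r"%ZAM-6-EVENT: Get tftp server ip (\S+?)\.?$", re.M)
OPT67_RE = re.compile(r"%ZAM-6-EVENT: Get boot file name (\S+?)\.?$", re.M)
COPY_RE = re.compile(
    r"execute (upload|download) command: copy (\S+) (\S+?)\.{3}\s*$", re.M)
TFTP_RE = re.compile(r"tftp://([^/]+)/(.*)$")

# Constructed sample: lines from the log above, with wrapped lines re-joined.
SAMPLE_LOG = """\
*May 13 15:47:36: %ZAM-6-EVENT: Get tftp server ip 1.1.1.1.
*May 13 15:47:36: %ZAM-6-EVENT: Get boot file name zam.py.
Thu May 13 15:47:47 2021 DEBUG: execute upload command: copy flash:/G1NQ7UW700483.POAP tftp://1.1.1.1/POAP_STARTUP/G1NQ7UW700483.POAP...
Thu May 13 15:47:47 2021 DEBUG: execute download command: copy tftp://1.1.1.1/POAP_CFG/G1NQ7UW700483.params flash:/poap.tmp.params...
Thu May 13 15:47:48 2021 DEBUG: execute download command: copy tftp://1.1.1.1/POAP_CFG/G1NQ7UW700483.cfg flash:/poap.tmp.cfg...
Thu May 13 15:47:48 2021 DEBUG: execute download command: copy tftp://1.1.1.1/POAP_IMAGE/RSR830W.bin tmp:/poap.image.bin...
Thu May 13 15:54:54 2021 DEBUG: execute upload command: copy flash:/poap.tmp.log tftp://1.1.1.1/POAP_LOG/G1NQ7UW700483.LOG...
Thu May 13 15:54:56 2021 DEBUG: execute upload command: copy flash:/G1NQ7UW700483.ok tftp://1.1.1.1/POAP_STATUS/G1NQ7UW700483.ok...
*May 13 15:55:00: %ZAM-6-EVENT: Script exec success, request device reset now.
"""
# Constructed variant: the image is fetched from a host other than the
# Option 66 server (203.0.113.50 is a documentation address).
TAMPERED_LOG = SAMPLE_LOG.replace(
    "tftp://1.1.1.1/POAP_IMAGE", "tftp://203.0.113.50/POAP_IMAGE")


def split_tftp_url(url):
    """Return (host, folder, file name) for a tftp:// URL, or None."""
    match = TFTP_RE.match(url)
    if not match:
        return None
    host, path = match.groups()
    folder, _, name = path.rpartition("/")
    return host, folder, name


def audit_zam_log(text, approved_servers):
    """Check one device's ZAM log against the approved provisioning servers."""
    findings = []
    opt66 = OPT66_RE.search(text)
    opt67 = OPT67_RE.search(text)
    server = opt66.group(1) if opt66 else None
    script = opt67.group(1) if opt67 else None
    if server is None:
        findings.append("no Option 66 server recorded in the log")
    elif server not in approved_servers:
        findings.append(f"Option 66 server {server} is not an approved ZAM server")

    transfers, serial = [], None
    for direction, src, dst in COPY_RE.findall(text):
        # The remote end is the source of a download and the target of an upload.
        remote = split_tftp_url(src if direction == "download" else dst)
        if remote is None:
            findings.append(f"{direction} has no tftp:// endpoint: {src} -> {dst}")
            continue
        host, folder, name = remote
        transfers.append((direction, host, folder, name))
        if host != server:
            findings.append(f"{direction} of {name} used {host}, not the Option 66 server")
        if EXPECTED_DIRECTION.get(folder) != direction:
            findings.append(f"unexpected {direction} in folder '{folder}' ({name})")
        if folder == "POAP_STARTUP":
            serial = name.rsplit(".", 1)[0]   # the file is named after the sn value

    # Table 1-1: per-device files in POAP_CFG are named after the sn value.
    for direction, host, folder, name in transfers:
        if folder == "POAP_CFG" and serial and not name.startswith(serial + "."):
            findings.append(f"{name} is not named after serial {serial}")
    return {"server": server, "script": script, "serial": serial,
            "transfers": transfers, "findings": findings}


if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_LOG), ("tampered", TAMPERED_LOG)):
        report = audit_zam_log(log, {"1.1.1.1"})
        print(label, report["serial"], report["findings"] or "no findings")
```
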

5. Verification

Run the show dhcp lease command to display the obtained IP address.


Device# show dhcp lease-time
Temp IP addr: 0.0.0.0 for peer on Interface: GigabitEthernet 0/1
Temp sub net mask: 0.0.0.0
DHCP Lease server: 0.0.0.0, state: 3 Init-proc
Retry count: 7 Client-ID: 01800588aba05e4D676D7430
Temp IP addr: 10.1.1.2 for peer on Interface: VLAN 1
Temp sub net mask: 255.255.255.0
DHCP Lease server: 10.1.1.1, state: 9 Inform-proc
DHCP transaction id: 75cf492b
Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
Next timer fires after: 43054 secs
Retry count: 0 Client-ID: 01800588aba05d564C414E31
Run the show zam command to check the execution status of the ZAM function.

Device# show zam
ZAM state :enable
ZAM status :Now is waiting for do shell exec
Server ip :1.1.1.1
Usb path :NULL
Interface name :VLAN 1
Interface type :SVI
Succ Interface name :VLAN 1
Script URL :tftp://1.1.1.1/zam.py

6. Configuration Files

DHCP server configuration file

hostname Dhcp_Server
!
ip dhcp pool zam
option 66 ascii 1.1.1.1
option 67 ascii zam.py
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
!
end

7. Common Errors

 The network connection between the device and the ZAM server is abnormal.

 The configuration file on the device is not deleted.


Contents

1 Configuring Basic Management
1.1 Overview
1.2 Basic Concepts
1.3 Protocol Specification
1.4 Restrictions and Guidelines
1.5 Configuration Task Summary
1.6 Configuring Basic System Parameters
1.6.1 Configuration Tasks
1.6.2 Configuring Connection to a Supervisor Module or Member Device
1.6.3 Configuring a System Name and Command Prompt
1.6.4 Configuring System Notifications
1.6.5 Configuring the System Clock
1.7 Enabling or Disabling a Specific Service
1.8 Configuring Passwords and Privilege Levels
1.9 Configuring Telnet Login
1.9.1 Configuration Tasks
1.9.2 Configuring the Telnet Service
1.9.3 Configuring Telnet Access Security
1.10 Configuring Logging in to Other Devices Through Telnet
1.10.1 Overview
1.10.2 Restrictions and Guidelines
1.10.3 Procedure
1.11 Configuring Management
1.11.1 Configuration Tasks
1.11.2 Running Batch File Commands
1.11.3 Configuring Multiple-configuration Booting
1.11.4 Configuring Automatic Configuration File Backup to a Remote Server
1.11.5 Configuring Automatic Backup of the Running Configuration File
1.11.6 Rolling Back System Configurations
1.11.7 Saving the Configuration
1.11.8 Configuring the Login Failure Recording Function
1.12 Configuring a Restart Policy
1.12.1 Configuration Tasks
1.12.2 Configuring Immediate Restart
1.12.3 Configuring Scheduled Restart
1.13 Configuring a Memory Usage Threshold
1.13.1 Overview
1.13.2 Procedure
1.14 Configuring a CPU Usage Threshold
1.14.1 Overview
1.14.2 Restrictions and Guidelines
1.14.3 Procedure
1.15 Monitoring and Maintenance
1.16 Configuration Examples
1.16.1 Configuring Login Authentication and Telnet Service
1.16.2 Configuring Basic System Parameters

Configuration Guide Configuring Basic Management

1 Configuring Basic Management


1.1 Overview
To reduce the inconvenience of on-site maintenance, IT devices are widely managed remotely, and even initial deployment can be carried out remotely. Remote management must take into account both the operational needs of network administrators and the security of device management. The basic management functions address security, maintenance, and monitoring:

 Security: Basic management provides permissions, encryption authentication and access control to ensure
device security.

 Maintenance: Basic management provides flexible configuration management methods, such as backup,
rollback and batch execution.

 Monitoring: Basic management provides various software and hardware monitoring functions to display
information about memory, CPU, bus, sessions, and so on.

1.2 Basic Concepts

Table 1-1 Basic Concepts

| Concept | Description |
| --- | --- |
| TFTP | The Trivial File Transfer Protocol (TFTP) is a protocol used for simple file transfer between a client and a server in the Transmission Control Protocol (TCP)/Internet Protocol (IP) suite. |
| AAA | Authentication, Authorization and Accounting (AAA), including: Authentication: Verifies user identities and available network services. Authorization: Grants network services to users according to authentication results. Accounting: Records the network service consumption of users and sends the records to the billing system. After the AAA mode is enabled, some servers (or the local user database) are used to authenticate users' management permissions according to their usernames and passwords at terminal login and the configured AAA login authentication method list. For details about AAA, see Configuring AAA. |
| RADIUS | The Remote Authentication Dial in User Service (RADIUS) is the most widely used AAA protocol. |
| Telnet | Telnet is a terminal emulation protocol in the TCP/IP protocol suite which provides a connection to a remote host by creating a virtual terminal. It is a standard protocol at Layer 7 (application layer) of the Open System Interconnection (OSI) model and is used on the Internet for remote login. During remote login through Telnet, users must enter their usernames and passwords for authentication. Telnet sets up a connection between the local personal computer (PC) and a remote host. |
| System information | System information includes the system description, system power-on time, system hardware and software versions, control-layer software version, and boot-layer software version. |
| Hardware information | Hardware information includes the physical device information as well as information about pluggable modules on the device. The device information includes the device description and slot quantity. The slot information includes the slot ID, module description (which is empty if a slot does not have a module), number of physical ports on a module inserted into a slot, and maximum number of ports supported by a slot. |
| System configurations | System configurations include: Running configurations: Configurations running on all component modules of the system. Startup configurations: Configurations stored in the non-volatile random-access memory (NVRAM) of the system. |

1.3 Protocol Specification


RFC 874: Telnet Protocol Specification

1.4 Restrictions and Guidelines


When you enter a string, note the following points:

 A string enclosed within a pair of quotation marks can contain any characters. To use quotation marks
within the string, escape them. For example, if you enter "hello my friend \"Haha\"",
the string is displayed as hello my friend "Haha".

 A string without a closing quotation mark automatically extends to the end of the command line. For example, if
you enter "hello my friend \"Haha\", the string is displayed as hello my friend "Haha".

 A string without quotation marks cannot contain delimiters, such as spaces or tabs. For example, ha-ha and Haha
are valid strings.

1.5 Configuration Task Summary


All the following configuration tasks are optional and may be selected as needed.


Basic functions:

 Configuring Basic System Parameters

○ Configuring Connection to a Supervisor Module or Member Device

○ Configuring a System Name and Command Prompt

○ Configuring System Notifications

○ Configuring the System Clock

 Enabling or Disabling a Specific Service

Permission and login control:

 Configuring Passwords and Privilege Levels

 Configuring Telnet Login

○ Configuring the Telnet Service

○ Configuring Telnet Access Security

○ Configuring Logging in to Other Devices Through Telnet

Configuration and maintenance:

 Configuring Management

○ Running Batch File Commands

○ Configuring Multiple-configuration Booting

○ Configuring Automatic Configuration File Backup to a Remote Server

○ Rolling Back System Configurations

○ Saving the Configuration

 Configuring a Restart Policy

○ Configuring Immediate Restart

○ Configuring Scheduled Restart

1.6 Configuring Basic System Parameters


1.6.1 Configuration Tasks

Basic system parameter configuration includes the following tasks:

 Configuring Connection to a Supervisor Module or Member Device

 Configuring the System Clock

 Configuring a System Name and Command Prompt

 Configuring System Notifications

1.6.2 Configuring Connection to a Supervisor Module or Member Device

1. Overview
In a system of multiple fixed devices, an administrator can use this function to connect to a member device.


2. Procedure
(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Connect to a supervisor module or member device.

session master

1.6.3 Configuring a System Name and Command Prompt

1. Overview

To facilitate management, you can configure a system name for each device to identify the device. The default
system name is Ruijie, and acts as the default command prompt. The command prompt changes with the system
name. A system name longer than 32 characters is truncated to keep only the first 32 characters.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure a system name.

hostname hostname

The default system name is Ruijie.

(4) Configure a command prompt.

prompt prompt-string

No CLI prompt is configured by default, and the system name is used as the command prompt.

1.6.4 Configuring System Notifications

1. Overview

System notifications are prompts displayed after user login and are classified into the following two types:

 Message of the day (MOTD): Sends urgent messages to users. MOTD information is displayed on the
terminal after a user logs in to the device.

 Login banner: Provides some common login prompts and appears after MOTD information.

2. Restrictions and Guidelines

After entering a delimiter and pressing Enter, you can enter the text. To finish, enter the delimiter again and press
Enter. Any characters following the ending delimiter are dropped. The notification text must not contain the
delimiter character.

3. Procedure

(1) Enter the privileged EXEC mode.


enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure MOTD information.

banner motd message

No MOTD information is configured by default.

(4) Configure login banner information.

banner login message

No login banner information is configured by default.

(5) Configure a prompt indicating the establishment of a reverse Telnet connection.

banner incoming message

No prompt for the establishment of a reverse Telnet connection is configured by default.

(6) Configure a prompt for the access to the privileged EXEC mode.

banner privilege-mode message

No prompt for the access to the privileged EXEC mode is configured by default.

(7) Configure a prompt for SLIP/PPP line connection.

banner slip-ppp message

No prompt for SLIP/PPP line connection is configured by default.

(8) Configure a prompt for user login authentication timeout.

banner prompt-timeout message

No prompt for user login authentication timeout is configured by default.

(9) (Optional) Enter the line configuration mode.

line [ console | vty ] first-line [ last-line ]

(10) Configure a welcome prompt indicating that a user has entered the user EXEC mode of a line.

banner exec message

No welcome prompt indicating that a user has entered the user EXEC mode of a line is configured by
default.

(11) (Optional) Configure a prompt indicating that the function of displaying EXEC prompt information is
activated again for a specific line.

banner exec-banner message

The function of displaying EXEC prompt information is activated for all lines by default.

1.6.5 Configuring the System Clock

1. Overview

The system clock includes the date (year, month, and day), time (hour, minute, and second), and week
information. It is used to record when events occur, for example in system logs. When you use
a device for the first time, set its system time to the current date and time manually.


2. Restrictions and Guidelines

 The device clock starts from the configured time and keeps running even when the device is powered off.

 If a device has no hardware clock, the manually configured time becomes invalid when the device is powered
off.

 If both DST and time zone need to be configured, configure clock timezone first, and then
clock summer-time; otherwise, the DST will not take effect.

 If the device has both DST and time zone configured, when you run the no clock timezone command to
delete the time zone configuration, the DST configuration will also be deleted, and you need to reconfigure
DST.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Configure the system date and clock.

clock set hh:mm:ss [ MM [ DD [ YY ] ] ]

The default system clock is 1970-01-01 00:00:00.

(3) (Optional) Update the hardware clock.

clock update-calendar

The system is not configured to synchronize the hardware time with the software time by default.

(4) (Optional) Configure the hardware clock of the device.

calendar set hh:mm:ss [ MM [ DD [ YY ] ] ]

The default hardware time of the device is 1970-01-01 00:00:00.

(5) (Optional) Configure the system to synchronize the software time with the hardware time.

clock read-calendar

The system is not configured to synchronize the software time with the hardware time by default.

(6) Enter the global configuration mode.

configure terminal

(7) (Optional) Configure the summer time.

clock summer-time summer-time-zone start start-month [ week | last ] start-date hh:mm
end end-month [ week | last ] end-date hh:mm [ ahead hours-offset [ minutes-offset ] ]

The summer time is not configured by default.

(8) (Optional) Configure the time zone.

clock timezone timezone hours-offset [ minutes-offset ]

The time zone is set to Coordinated Universal Time (UTC) by default.


1.7 Enabling or Disabling a Specific Service


1. Overview

When the system is running, you can dynamically adjust system services, including SSH server service, Telnet
server service, SNMP agent service, and Web server service.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enable a specific service.

enable service { snmp-agent | ssh-server | telnet-server | web-server [ all | http | https ] }

The Simple Network Management Protocol (SNMP) agent, Secure Shell (SSH) server, Telnet server, and
web server are disabled by default.

1.8 Configuring Passwords and Privilege Levels


1. Overview

Privilege levels, and a password for each privilege level, can be configured to distinguish the device access
needs of different users.

Sixteen privilege levels, from 0 to 15, are defined for users in the command line interface (CLI) of network devices.
Users of various privilege levels can run different commands. A smaller value indicates a lower privilege level.
Level 0 is the lowest level and users of this level can run only a few commands, whereas level 15 is the highest
level and users of this level can run all commands. Levels 0 and 1 are common user levels without the device
configuration permission (users are not allowed to enter the global configuration mode). Levels 2 to 15 are
privileged user levels with the device configuration permission.

Password protection is configured for each privilege level on the device so that users of different levels can use
different command collections. An increase in privilege level requires the input of the correct password of the
target privilege level, whereas a reduction in privilege level does not require password input.

Passwords fall into two types: passwords and secrets.

 Passwords are simple encrypted passwords. You can set them for privilege levels 1 to 15.

 Secrets are secure encrypted passwords. You can set them for privilege levels 1 to 15.

Passwords must be stored in encryption mode. Passwords use simple encryption, and secrets use secure
encryption.

Caution
 If a privilege level is configured with both a password and a secret, the password does not take effect.
 If no password is configured for a privileged user level, you do not need to input a password to enter this
level. For security purposes, it is recommended that a password be configured for privileged user levels.


2. Restrictions and Guidelines

 When a password or secret is configured for the first time and the plaintext string is less than eight characters
or contains only one type of characters, the system prompts you that it is a weak password.

 After logging in to a device, a user can run the enable or disable command to raise or lower his/her privilege
level to access commands at different privilege levels. An increase in privilege level requires the input of the
correct password of the target privilege level by default.

 You can specify the level keyword in the password configuration command to configure a password for a
specific privilege level. After you set a password for a specific privilege level, the password works for the
users who need to access commands of this level.

 The enable commands include (for role switching), enable password, and enable secret. If no role is
specified, these three commands are used to set the role configured by running the command.

 enable password

○ This command is used to configure passwords only for level 15 and takes effect only when no secret is
configured. If you use this command to configure a password for a non-15 level, the system displays a
warning and the password is automatically converted into a secret.

○ If the password and secret set for level 15 are the same, the system displays a warning.

○ If you specify an encryption type but enter a plaintext password during password configuration, you
cannot enter the privileged EXEC mode again.

3. Procedure

(1) Enter the privileged EXEC mode.

(2) Change the user privilege level.

○ Increase the user privilege level.


enable [ privilege-level ]

When the RBAC function is enabled, you can run this command to switch the role of the current terminal.
By default, the role is switched to Network-admin.

○ Reduce the user privilege level.


disable [ privilege-level ]

The privilege level specified in the disable command must be lower than the current level.

When the RBAC function is enabled, this command cannot be run.

(3) Enter the privileged EXEC mode.

enable

(4) (Optional) Display help information.

help

(5) Change the privilege level.

○ Raise the privilege level.

enable [ privilege-level | role role-name ]

When the role-based access control (RBAC) function is enabled, this command can be used to switch
the terminal role. If no role is specified, the system switches to role network-admin by default.

○ Lower the privilege level.


disable [ privilege-level ]

The privilege level specified in this command must be lower than the current level.

When the RBAC function is enabled, this command is unavailable.

(6) Enter the global configuration mode.

configure terminal

(7) Configure a password.

enable password [ level password-level | role role-name ] [ [ 0 ] password | 7 encrypted-password ]

Leading spaces are allowed in front of the password but are ignored. Intermediate and
trailing spaces are recognized.

(8) Configure a secret.

enable secret { [ level secret-level ] | [ role role-name ] } { [ 0 ] password | { 5 | 8 } encrypted-secret }

When the RBAC function is enabled and no role is specified, this command is used to set a password for
role network-admin by default.

(9) (Optional) Configure a handling policy when the number of consecutive authentication failures to enter
the privileged EXEC mode reaches the limit.

enable user-block { disable | failed-times times period period | reactive time }

The allowed maximum number of consecutive authentication failures is 3, the period for resetting the
consecutive authentication failure count is 10 minutes, and a user will be locked for 10 minutes after the
number of consecutive authentication failures reaches the limit. You can run the enable user-block disable
command to disable the function.

(10) (Optional) Configure the algorithm used for encryption.

enable algorithm-type { md5 | sha256 }

The SHA-256 algorithm is used for encryption by default.

(11) (Optional) Configure a role for the enable command.

The default role for the enable command is network-admin. This function can be configured only when
is enabled.

(12) (Optional) Enable level increase logging.

login privilege log

The level increase or role switching logging function is disabled by default.

(13) Configure command privilege levels.

privilege mode { all | level level | reset } command-string

(14) Enter the line configuration mode.

line [ console | vty ] first-line [ last-line ]

(15) Configure a password for line-based login.

password { [ 0 ] password | 7 encrypted-password }

(16) Verify the password for line-based login.

login


The verification function of simple login passwords is disabled for the console line and enabled for the
virtual terminal lines by default.

(17) Exit the configuration mode and return to the upper-level mode or exit the command line interface
(CLI) from the privileged EXEC mode.

exit
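
The rules in this section can be checked against a saved configuration. The following Python audit is an added example, not code from the guide or the vendor; it assumes the saved configuration shows these commands in the same form as the syntax above and that a line without the level or role keyword applies to level 15. The sample configurations and their encrypted-string placeholders are constructed.

```python
# Constructed sample configurations. The encrypted strings are placeholders,
# not real device output.
WEAK_CONFIG = """\
hostname Device
enable algorithm-type md5
enable password 7 EXAMPLE-ENCRYPTED-STRING
enable user-block disable
line vty 0 4
 login
"""

HARDENED_CONFIG = """\
hostname Device
enable secret 8 EXAMPLE-ENCRYPTED-STRING
login privilege log
line vty 0 4
 login
"""


def _scope(tokens):
    """Return 'level N' or 'role NAME' for an enable password/secret line.

    Assumption: a line without the level or role keyword applies to level 15.
    """
    if len(tokens) > 3 and tokens[2] in ("level", "role"):
        return f"{tokens[2]} {tokens[3]}"
    return "level 15"


def audit_enable_config(config_text):
    """Return (code, detail) findings for the privilege-level settings."""
    passwords, secrets = set(), set()
    md5 = user_block_off = privilege_log = False
    for raw in config_text.splitlines():
        tokens = raw.split()
        line = " ".join(tokens)              # normalise whitespace
        if tokens[:2] == ["enable", "password"]:
            passwords.add(_scope(tokens))
        elif tokens[:2] == ["enable", "secret"]:
            secrets.add(_scope(tokens))
        elif line == "enable algorithm-type md5":
            md5 = True
        elif line == "enable user-block disable":
            user_block_off = True
        elif line == "login privilege log":
            privilege_log = True

    findings = []
    for scope in sorted(passwords - secrets):
        findings.append(("PASSWORD_ONLY",
                         f"{scope}: only a simple-encryption password is set; "
                         "configure enable secret"))
    for scope in sorted(passwords & secrets):
        findings.append(("PASSWORD_SHADOWED",
                         f"{scope}: the password has no effect because a secret "
                         "is also set; remove it"))
    if "level 15" not in passwords | secrets:
        findings.append(("NO_LEVEL15_CREDENTIAL",
                         "level 15 can be entered without a password"))
    if md5:
        findings.append(("MD5_ALGORITHM",
                         "enable algorithm-type md5 replaces the default SHA-256"))
    if user_block_off:
        findings.append(("USER_BLOCK_DISABLED",
                         "blocking after consecutive enable failures is turned off"))
    if not privilege_log:
        findings.append(("NO_PRIVILEGE_LOG",
                         "level increases and role switches are not logged"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for code, detail in audit_enable_config(cfg) or [("OK", "no findings")]:
            print(f"  {code}: {detail}")
```
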

1.9 Configuring Telnet Login


1.9.1 Configuration Tasks

Telnet login includes the following tasks, which are all optional and can be chosen according to the actual
situation:

• Configuring the Telnet Service

• Configuring Telnet Access Security

1.9.2 Configuring the Telnet Service

1. Overview
As an application-layer protocol in the TCP/IP protocol suite, Telnet provides the standard for remote login and
virtual terminal communication on the Internet.

The Telnet client service allows a local or remote login user of the device to access other remote system
resources on the Internet. As shown in the following figure, a user uses a PC to connect to device A by using the
terminal emulation program or telnet program and then logs in to device B by running the telnet command to
configure and manage device B.

Figure 1-1 Telnet Service (Workstation; Device A as Telnet client; Device B as Telnet server)

Telnet allows the device to use IPv4 and IPv6 addresses for communication. The Telnet server can accept
connection requests sent from a Telnet client with an IPv4 or IPv6 address. The Telnet client can initiate
connection requests to a host configured with an IPv4 or IPv6 address.

When the Telnet server service is enabled on the device, you can use the Telnet client to connect to the device
securely and configure the following functions:

• Configure an access control list (ACL) for the Telnet server.

• Disable the IP address blocking function of the Telnet server.

• Configure the number of authentication failures, beyond which an IP address is blocked, and the time period
for counting consecutive authentication failures on the Telnet server.

• Configure the period for awakening blocked IP addresses on the Telnet server.

• Clear entries about blocking and authentication failures of all or specific IP addresses.

2. Restrictions and Guidelines

• When the number of Telnet login authentication failures meets the IP address blocking conditions within the
authentication failure count period, source IP address blocking is triggered. That is, the Telnet client of this
source IP address is not allowed to log in to the device, which prevents the device from being attacked. The
Telnet client can log in to the device only after the IP address awakening period expires.

• With the IP address blocking function enabled, a user logs in to the device through Telnet. When the number
of consecutive authentication failures reaches the configured count within the authentication failure count
period, source IP address blocking is triggered. When the number does not reach the configured count or
one authentication operation is successful within the authentication failure count period, the authentication
failures are cleared.

• When the awakening period of a blocked source IP address expires, entries about the IP address blocking are
cleared. The blocked IP address is awakened immediately and can be used to log in to the device through
the Telnet client.
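
The blocking rules above, replayed as a small state machine (an added example, not code from this guide or the device vendor). It assumes the counting period is a fixed window opened by the first failure and uses the default values given in the procedure (6 failures, 5-minute counting period, 5-minute awakening period); the class, the function names and the sample events are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class TelnetIpBlock:
    """Per-source-IP blocking model; all times are in seconds."""
    failed_times: int = 6     # default failure count from the procedure
    period: int = 5 * 60      # default counting period: 5 minutes
    reactive: int = 5 * 60    # default awakening period: 5 minutes
    window_start: dict = field(default_factory=dict)   # ip -> time of first failure
    failures: dict = field(default_factory=dict)       # ip -> failures in the window
    blocked_until: dict = field(default_factory=dict)  # ip -> awakening time

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now >= until:
            # Awakening period expired: the blocking entry is cleared.
            del self.blocked_until[ip]
            until = None
        return until is not None

    def clear(self, ip):
        """Forget counted failures (what a success or an expired period does)."""
        self.window_start.pop(ip, None)
        self.failures.pop(ip, None)

    def attempt(self, ip, now, success):
        """Process one login attempt: 'rejected', 'login', 'failure' or 'blocked'."""
        if self.is_blocked(ip, now):
            return "rejected"  # a blocked source cannot log in, even with a valid password
        start = self.window_start.get(ip)
        # Assumption: the counting period is a fixed window opened by the first failure.
        if start is not None and now - start >= self.period:
            self.clear(ip)
        if success:
            self.clear(ip)
            return "login"
        self.window_start.setdefault(ip, now)
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.failed_times:
            self.blocked_until[ip] = now + self.reactive
            self.clear(ip)
            return "blocked"
        return "failure"


def replay(events, **params):
    """Replay (time, source_ip, success) tuples and return one outcome per event."""
    model = TelnetIpBlock(**params)
    return [model.attempt(ip, t, ok) for t, ip, ok in events]


# Constructed sample events (documentation addresses, times in seconds).
A, B = "192.0.2.10", "192.0.2.20"
SAMPLE_EVENTS = [
    (0, A, False), (5, B, False), (10, A, False), (20, A, False),
    (30, A, False), (40, A, False), (50, A, False),   # sixth failure from A
    (60, B, False),
    (100, A, True),    # correct password, but A is still blocked
    (120, B, True),    # success clears B's counted failures
    (349, A, True),    # one second before the awakening period ends
    (350, A, True),    # awakening period over
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

While an address is blocked, a correct password from that address is rejected as well, so a blocked management station stays locked out until the awakening period ends or the entry is cleared with clear telnet ip-block.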

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure an ACL for the Telnet server.

ip telnet access-class { acl-name | acl-number }

No IPv4 ACL filtering rule is configured by default.

ipv6 telnet access-class ipv6-acl-name

No IPv6 ACL filtering rule is configured by default.

(4) Disable the IP address blocking function of the Telnet server.

ip telnet ip-block disable

The IP address blocking function of the Telnet server is enabled by default.

(5) Configure the number of authentication failures, beyond which an IP address is blocked, and the period for
counting consecutive authentication failures on the Telnet server.

ip telnet ip-block failed-times failed-times period failed-period-time

The allowed maximum number of authentication failures is 6, and the period for counting consecutive
authentication failures is 5 minutes by default.

(6) Configure the period for awakening blocked IP addresses on the Telnet server.

ip telnet ip-block reactive reactive-period-time

The default period for awakening blocked IP addresses is 5 minutes.

(7) Enter the line configuration mode.

line vty line-number

(8) (Optional) Configure the connection timeout time.

exec-timeout exec-timeout-minutes [ exec-timeout-seconds ]

The default connection timeout time of the device on a line is 10 minutes.

If there is no input information during the specified time, the server interrupts the established connection.

(9) (Optional) Configure the session timeout time.

session-timeout session-timeout-time [ output ]

The default session timeout time is 0 minutes for remote terminals. That is, the sessions never time out. If
there is no input information during the specified time, the device closes sessions established to a remote
terminal on the current line and restores the terminal to the idle state.

(10) (Optional) Enable EXEC prompt information display for a specific line.

exec-banner

EXEC prompt information display is enabled for all lines by default.

(11) (Optional) Enable MOTD prompt information display for a specific line.

motd-banner

MOTD prompt information display is enabled for all lines by default.

1.9.3 Configuring Telnet Access Security

1. Overview

When AAA is disabled, you can configure a line password or local user authentication to control which users can
log in to and manage the device. When login authentication (through the login command) is configured for a line,
only users who pass the line password verification are allowed to log in. When local user authentication (through
the login local command) is configured for a line, the username and password entered by a user are checked
against those stored in the local user database. If they match, the user can access the device with proper
management permissions.

When AAA is enabled, some servers can be used to authenticate users' management permissions by their
usernames and passwords at their login. Only authenticated users are allowed to log in. For example, a RADIUS
server can authenticate usernames and passwords and control users' permissions to manage the device. Thus,
instead of using locally stored password information for authentication, the device sends encrypted user
information to the RADIUS server for verification. The server configures unified usernames, passwords, shared
passwords, and access policies of users to manage and control user access and improve the security of user
information.

Caution

After AAA is enabled, line password verification and local user authentication do not take effect.

2. Restrictions and Guidelines

• When AAA authentication is enabled, configure line-based login to use AAA authentication. The AAA
authentication methods include RADIUS authentication, local authentication, and no authentication.

• When the AAA security service is enabled, run the login access non-aaa command to perform non-AAA
authentication for a line. The configuration is valid for all terminals.

• The username command is used to create a local user database for authentication. The encryption type 7
needs to be specified only when encrypted passwords are copied and pasted. If the value 7 is specified as
the encryption type, the entered ciphertext string must consist of an even number of characters. The login
user cannot delete his/her account.

• To lock a session, enable locking on the terminal connected to a line in line configuration mode, and run the
lock command in the EXEC mode of the terminal to lock the terminal. When a user enters any character on
the locked terminal, the password prompt is displayed. The terminal will be automatically unlocked if the
entered password is correct.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure a local user account and optional authorization information.

username username [ algorithm-type { md5 | sha256 } ] [ login mode { console | ssh | telnet | ftp } ]
[ online amount amount-number ] [ permission oper-mode path ] { [ privilege privilege-level ] | [ role
text-string ] } [ reject remote-login ] [ web-auth ] [ pwd-modify ] [ nopassword | password [ 0 | 7 ]
text-string | secret [ 0 | 5 | 8 ] text-string ]

No local user account or authorization information is configured by default.

(4) (Optional) Import user information from a file.

username import file-name

(5) (Optional) Export user information to a file.

username export file-name

(6) Enter the line configuration mode.

line [ console | vty ] first-line [ last-line ]

(7) Configure the encryption type for line-based login.

algorithm-type { md5 | sha256 }

The default encryption type for line-based login is SHA256.

(8) Configure an MD5/SHA-256 irreversible encrypted password for line-based login.

secret { [ 0 ] password | { 5 | 8 } encrypted-secret }

No encrypted password is configured for line-based login by default.

(9) Configure a password for line-based login.

password { [ 0 ] password | 7 encrypted-password }

No password is configured for line-based login by default.

(10) Configure local authentication for line-based login.

login local

When AAA is enabled, no local user authentication is configured for lines by default.

(11) (Optional) Configure AAA authentication for line-based login.

login authentication { list-name | default }

When AAA is enabled, the default authentication method is used by default.

(12) (Optional) Configure non-AAA authentication for line-based login when AAA is enabled.

a. Return to the global configuration mode.

exit

b. Allow non-AAA authentication for line login when AAA is enabled.

login access non-aaa

When AAA is enabled, non-AAA authentication is disabled by default.

(13) (Optional) Enable locking on a terminal connected to a line.

lockable

The function of locking terminals connected to the current line is disabled by default.

(14) Return to the privileged EXEC mode.

end

1.10 Configuring Logging in to Other Devices Through Telnet


1.10.1 Overview

As an application-layer protocol in the TCP/IP protocol suite, Telnet provides the standard for remote login and
virtual terminal communication on the Internet. The Telnet client service allows a local or remote login user of
the device to access other remote system resources on the Internet.

1.10.2 Restrictions and Guidelines

• If you have run the telnet command to initiate a Telnet client session, you can press Ctrl+Shift+6+X (press
Ctrl+Shift+6, release the keys, and then press X) to temporarily exit the session. To restore this session,
run the <1–99> command. To display information about established sessions, run the show sessions
command.

• Before you remotely log in to the device through Telnet, you can run the enable service telnet-server
command to enable the Telnet server service on the device.

1.10.3 Procedure

(1) Enter the privileged EXEC mode.

enable

Run the telnet command to log in to the Telnet server.

(2) Log in to the Telnet server.

do telnet { hostname | ipv4-address | ipv6-address } [ port-number | /source { ip ipv4-address | ipv6
ipv6-address | interface interface-type interface-number } | /vrf vrf-name ] *

(3) (Optional) Restore the established Telnet client session.

1–99

(4) (Optional) Disconnect a suspended Telnet client session.

disconnect session-id

(5) (Optional) Specify the IP address of an interface as the source IP address of a Telnet connection.

ip telnet source-interface interface-type interface-number

The Telnet source interface is the reachable outbound interface of the Telnet server by default.

(6) (Optional) Return to the privileged EXEC mode.

end

(7) (Optional) Lock the current terminal connected to a line.

lock

1.11 Configuring Management


1.11.1 Configuration Tasks

Management configuration includes the following tasks. All the following configuration tasks are optional and may
be selected as needed.

• Running Batch File Commands

• Configuring Multiple-configuration Booting

• Configuring Automatic Configuration File Backup to a Remote Server

• Configuring Automatic Backup of the Running Configuration File

• Rolling Back System Configurations

• Saving the Configuration

• Configuring the Login Failure Recording Function

1.11.2 Running Batch File Commands

1. Overview

To manage system functions, it may take a long time to enter many commands on the CLI. This process is
prone to errors and omissions. You can put the commands in a batch file according to configuration steps, and
execute the file to complete related configurations.

2. Restrictions and Guidelines

• You can specify the name and content of the batch file on your PC and transfer the file to the flash memory
of the device through TFTP. The content of the batch file simulates user input. Therefore, you must edit the
content according to the configuration sequence of the CLI commands. For some interactive commands, you
must write the responses in the batch file to ensure that the commands are normally run.

• The batch file must not exceed 128 KB in size; otherwise, it will fail to be executed. You can divide a large
batch file into multiple files smaller than 128 KB in size each.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Run the execute command to execute the batch file.

execute flash:file-name

1.11.3 Configuring Multiple-configuration Booting

1. Overview

Multiple-configuration booting allows users to modify the saving paths and names of startup configuration files
of the device. This function saves configurations to an extended flash memory or an extended Universal Serial
Bus (USB) flash drive of the device only.

2. Restrictions and Guidelines

• The startup configuration file name can be a file name or an existing path. For example, if the startup
configuration file name is set to flash:/Hostname/Hostname.text or usb0:/Hostname/Hostname.text, the
folder flash:/Hostname or usb0:/Hostname must exist, or the write command will fail to save the
configurations. In the master-slave mode, the paths must exist on all devices.

• To save configurations to an extended USB flash drive, the device must support at least one USB port. If the
device supports two or more USB ports, this function only saves the boot configuration to USB0.

• To save the startup configuration file to a USB flash drive, the device must provide a USB port with a USB
flash drive inserted. Otherwise, the write command will fail to save the configurations. In the master-slave
mode, all devices must have a USB flash drive inserted.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Modify the saving path and name of startup configuration file.

boot config { flash:file-name | usb0:file-name }

The saving path and name of the startup configuration file is flash:/config.text by default.

1.11.4 Configuring Automatic Configuration File Backup to a Remote Server

1. Overview

By configuring the specific information and interval, you can automatically back up the configuration file of the
device to the remote server.

2. Restrictions and Guidelines

• If no configuration file exists during command execution, an error is displayed.

• If the configuration file is deleted after the configuration command takes effect, the system stops backing up
the configuration file to the remote server after the preset time expires.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure automatic backup of the configuration file to a remote server.

auto-backup configuration { ftp server [ port port-number ] username username password { [ 0 ]
password | 7 encrypted-password } | tftp server } interval interval-time [ path folder ] ] [ vrf vrf-name ]

The automatic configuration file backup function is not configured by default.

1.11.5 Configuring Automatic Backup of the Running Configuration File

1. Overview

With automatic backup of the running configuration file enabled, when the running configuration of the device
changes, the running configuration file can be automatically backed up to the remote server.

2. Restrictions and Guidelines

• When there is a change in the running configuration, the device checks for changes in the running
configuration file after a delay of 1 minute. If the current running configuration is the same as that 1 minute
before, the current running configuration file will be backed up to the remote server. If changes occur
continuously within 1 minute, the running configuration backup will be triggered 1 minute after the last change
or 5 minutes after the first change.

• During device restart, the device will automatically back up the running configuration to the remote server
once.

• When the running configuration file is backed up to the remote server, NETCONF will simultaneously send
real-time configuration update notifications.

• Only HTTPS can be used for transmission, and the HTTPS file server needs to be deployed first.

• Only one file server can be configured. If you need to replace the existing file server, you must first delete it
and then reconfigure it.
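
The trigger timing in the first guideline, used to check that every burst of configuration changes produced a backup on the file server (an added example, not code from this guide or the vendor). Times are seconds on one clock; the function names, the 30-second arrival tolerance and the sample timestamps are assumptions, a change arriving exactly at a trigger instant is treated as the start of a new burst, and the one-off backup at device restart is not modeled.

```python
QUIET = 60          # a backup fires 1 minute after the last change ...
MAX_WAIT = 5 * 60   # ... or 5 minutes after the first change of a burst


def expected_backups(change_times):
    """Return the times at which the device should trigger a backup."""
    backups = []
    first = last = None              # first and last change of the current burst
    for t in sorted(change_times):
        if first is not None:
            deadline = min(last + QUIET, first + MAX_WAIT)
            if t >= deadline:
                # The burst ended before this change: its backup fired at deadline.
                backups.append(deadline)
                first = None
        if first is None:
            first = t                # this change opens a new burst
        last = t
    if first is not None:
        backups.append(min(last + QUIET, first + MAX_WAIT))
    return backups


def missing_backups(change_times, received_times, tolerance=30):
    """Expected trigger times with no backup received within `tolerance` seconds.

    `tolerance` (an assumption) allows for the HTTPS transfer time.
    """
    received = sorted(received_times)
    return [t for t in expected_backups(change_times)
            if not any(t <= r <= t + tolerance for r in received)]


# Constructed sample: changes every 40 s for 400 s, then one isolated change.
SAMPLE_CHANGES = list(range(0, 401, 40)) + [1000]
# Constructed sample: upload times seen on the HTTPS file server.
SAMPLE_RECEIVED = [302, 1065]

if __name__ == "__main__":
    print("expected:", expected_backups(SAMPLE_CHANGES))
    print("missing: ", missing_backups(SAMPLE_CHANGES, SAMPLE_RECEIVED))
```

A trigger time reported as missing means a configuration change has no matching copy on the file server, which is worth investigating as either a failed upload or a change that was never archived.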

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the device to automatically back up the running configuration file to a remote server and enter
the configuration mode of automatic backup of the running configuration file.

auto-backup running-config

Automatic backup of the running configuration file is not configured by default.

(4) Configure the remote server where the running configuration file is backed up.

server ipv4-address port port-number [ auto-vrf | vrf vrf-name ] transport https [ username username
password { [ 0 ] password | 7 encrypted-password } ] [ remote-path path ]

The device is not configured to back up the running configuration file to the remote server.

1.11.6 Rolling Back System Configurations

1. Overview

Rollback configuration allows you to take a snapshot of the current configurations, that is, a copy or checkpoint
of the current configurations, and apply the checkpoint configurations to the device without restarting the device.
This function applies to the following scenarios:

• You need to copy the configuration file from another device to the new device, and the configuration takes
effect without device reboot.

• When current system configurations contain too many errors to locate or roll back one by one, you must roll
back the current configurations to a previous correct state.

• When the device application environment changes and the device needs to run the configurations in a
configuration file, you can roll back the current configurations to the specified configuration file state without
restarting the device.

During rollback, the system compares and handles the differences between the current configurations and
checkpoint configurations.

• For the same commands in both configurations, the system does not process them.

• For the commands only in the current configurations, the system cancels them.

• For the commands only in the checkpoint configurations, the system runs them.

• For the different commands between both the current configurations and checkpoint configurations, the
system cancels them, and then runs related commands in the checkpoint configurations.

2. Restrictions and Guidelines

• The indentation format of the configuration file must be consistent with that in the show running-config
command. During rollback, the system determines whether the configuration belongs to a certain mode
according to space indentation. If the indentation is incorrect, the mode will be incorrectly determined and
the rollback will be abnormal.

• The checkpoint data volume depends on the flash memory size. A small flash memory can store data of
four checkpoints, and other flash memories can store data of 10 checkpoints.

• Only one user can create checkpoints and configure rollback on a device at a time.

• It is recommended that you check the consistency of serial port baud rates between the current system
configurations and checkpoint configurations before you perform rollback. If they are inconsistent, you are
advised to change the serial port baud rate to that of the checkpoint configurations. Otherwise, a rate change
will occur during rollback, causing a failure to display the rollback process information.

• During configuration rollback, do not hot-swap any supervisor module, line card, or service board and ensure
that the device topology environment is the same as the environment of checkpoint creation. For example, if
the device topology is a standalone environment during checkpoint creation but a virtual switching unit (VSU)
environment during rollback, configuration rollback may fail.

• If an "Increased configuration:" message is displayed after rollback, the content after the message is the
configurations added relative to the checkpoint configurations. The message is displayed because some
commands cannot be reversed or fail to be reversed. For details, see the command reference of specific
functions, and manually reverse these commands.

• If a "Decreased configuration:" message is displayed after rollback, configurations decrease from the
checkpoint configurations. This is because some commands fail to be executed during rollback. For details,
see the command reference of specific functions, and manually run these commands.
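
The comparison rules from the overview and the indentation guideline above, worked through in Python as an added example (not the device's own rollback implementation). It assumes a command is cancelled with its no form; the function names and the sample configurations are constructed, and the last sample drops one leading space to show how a mis-indented line is attributed to the wrong mode.

```python
def parse_config(text):
    """Return (mode_path, command) pairs; the mode comes from space indentation."""
    entries, stack = [], []          # stack holds (indent, command) of open modes
    for raw in text.splitlines():
        command = raw.strip()
        if not command:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()              # leave every mode that is not less indented
        entries.append((tuple(c for _, c in stack), command))
        stack.append((indent, command))
    return entries


def rollback_plan(current_text, checkpoint_text):
    """Classify commands the way the overview describes the rollback comparison."""
    current = parse_config(current_text)
    checkpoint = parse_config(checkpoint_text)
    cur_set, chk_set = set(current), set(checkpoint)
    return {
        "unchanged": [e for e in current if e in chk_set],      # in both: not processed
        "cancel": [e for e in current if e not in chk_set],     # only in current
        "run": [e for e in checkpoint if e not in cur_set],     # only in checkpoint
    }
    # A command that differs between the two files shows up once under "cancel"
    # (current form) and once under "run" (checkpoint form).


def render(plan):
    """Flatten a plan into readable steps, cancellations first."""
    steps = []
    for path, command in plan["cancel"]:
        # Assumption: cancelling means issuing the "no" form (or dropping "no").
        undo = command[3:] if command.startswith("no ") else "no " + command
        steps.append(f"[{' > '.join(path) or 'global'}] {undo}")
    for path, command in plan["run"]:
        steps.append(f"[{' > '.join(path) or 'global'}] {command}")
    return steps


# Constructed sample configurations (not taken from a real device).
CURRENT_CONFIG = """\
hostname Edge-2
enable algorithm-type md5
line vty 0 4
 exec-timeout 30
 login local
"""
CHECKPOINT_CONFIG = """\
hostname Edge-1
ip telnet access-class mgmt-acl
line vty 0 4
 exec-timeout 10
 login local
"""
# Same checkpoint, but "exec-timeout 10" has lost its leading space.
BAD_INDENT_CHECKPOINT = CHECKPOINT_CONFIG.replace("\n exec-timeout", "\nexec-timeout")

if __name__ == "__main__":
    print("\n".join(render(rollback_plan(CURRENT_CONFIG, CHECKPOINT_CONFIG))))
    print("--- with the mis-indented checkpoint ---")
    print("\n".join(render(rollback_plan(CURRENT_CONFIG, BAD_INDENT_CHECKPOINT))))
```

With the mis-indented checkpoint, exec-timeout 10 is planned as a global command and login local is cancelled on the VTY lines, so one missing space changes which authentication setting the lines end up with.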

3. Procedure

Configuration file rollback:

(1) Enter the privileged EXEC mode.

enable

(2) Copy the configuration file to the device.

copy source-interface-url destination-url

(3) Roll back the configuration with the configuration file.

rollback running-config config-file file-name

Checkpoint rollback:

(1) Enter the privileged EXEC mode.

enable

(2) Create a checkpoint.

checkpoint [ checkpoint-name ] [ description description ]

No checkpoint is configured by default.

(3) Roll back configurations.

rollback running-config checkpoint checkpoint-name [ display-differences | ignore-results ]

(4) Clear checkpoint data.

clear checkpoint database

1.11.7 Saving the Configuration

1. Overview

The device supports manual saving and automatic saving. The running configuration is not saved by default,
and the device will use the startup configuration file after restarting. Therefore, you are advised to use this
function promptly to save the running configuration to the startup configuration file.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Save system configurations (running-config) to a specific position.

write [ auto-save interval interval-time | memory [ auto-save interval interval-time ] | terminal ]

1.11.8 Configuring the Login Failure Recording Function

1. Overview

The login failure recording function is enabled by default. You can run the show line fail-record command to
show the login failure information recorded. You can also configure the maximum number of entries that can be
recorded and disable the recording function.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Disable the login failure recording function.

no login fail-record enable

The login failure recording function is enabled by default.

(4) Configure the maximum number of entries that can be recorded.

login fail-record size

The maximum number of login failure records is 512 by default.

1.12 Configuring a Restart Policy


1.12.1 Configuration Tasks

The restart policy configuration includes the following tasks:

• Configuring Immediate Restart

• Configuring Scheduled Restart

1.12.2 Configuring Immediate Restart

1. Overview

Immediate restart applies when the device needs to be restarted immediately.

2. Restrictions and Guidelines

• A restart may interrupt services. Exercise caution.

• If the device to be restarted is being upgraded, it does not perform the restart.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Configure immediate device restart.

reload

1.12.3 Configuring Scheduled Restart

1. Overview

A restart policy enables the device to restart as scheduled. The following two scheduled restart functions are
supported:

• Configure the system to restart after an interval. The interval is in the format of mmm or hhh:mm, in minutes.
You can select either of the formats. You can specify an interval name to reflect the restart purpose.

• Configure the system to restart at a future time point.

2. Restrictions and Guidelines

• A restart may interrupt services. Exercise caution.

• If the device to be restarted is being upgraded, the system does not perform the restart.

• The restart time must be later than the current system time but cannot be more than 31 days later than the
current system time. After you configure a restart schedule, do not change the system clock (for example,
change the system time to a time after the restart time). Otherwise, the configuration may fail.

• To restart the system at a future time point, the system must support the clock function and the input time
value must be a future time point. A new restart schedule overwrites the existing one. If the system is restarted
before a restart schedule takes effect, the schedule will be lost.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Configure scheduled device restart.

○ Configure a scheduled restart schedule.

reload at hh:mm:ss [ MM [ DD [ YY ] ] ]

○ Configure a countdown restart schedule.

reload in { [ hh : ] mm ] }

No restart function is configured by default.

(3) (Optional) Cancel the restart schedule.

reload cancel

1.13 Configuring a Memory Usage Threshold


1.13.1 Overview

A memory usage threshold is used to monitor the memory status of a device. Exceeding this threshold may cause
service exceptions. If the actual memory usage exceeds this threshold, a syslog alarm is generated. For example,
if the configured memory usage threshold is 90%, when this threshold is exceeded, a syslog alarm is generated.

1.13.2 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure a memory usage threshold.

memory low-watermark set memory-threshold

The default memory usage threshold is 90%.

1.14 Configuring a CPU Usage Threshold


1.14.1 Overview

When the CPU usage of the device is above the upper threshold, a CPU usage overlimit alarm is triggered. The
default CPU usage upper threshold is 85%. When the CPU usage of the device drops below the lower threshold,
a CPU usage restore notification is triggered. The default CPU usage lower threshold is 75%. If the default upper
threshold and lower threshold for the CPU usage do not meet actual needs, you can adjust the thresholds
accordingly.

1.14.2 Restrictions and Guidelines

• The configuration takes effect immediately.

• The upper threshold and lower threshold for the CPU usage are synchronized to all cards in-position. All the
cards use the same upper threshold and lower threshold for the CPU usage.

1.14.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the upper threshold and lower threshold for the CPU usage.

cpu high-watermark set [ down down-value | up up-value ] *

The default upper threshold and lower threshold for the CPU usage are 85% and 75%, respectively.

1.15 Monitoring and Maintenance


Run the show command to check the configuration.

Run the clear command to delete all types of information.

Caution

During device operation, running the clear command may cause service interruption due to key information loss.

Table 1-2 Monitoring and Maintenance of Basic Management

Command
    Function

clear checkpoint database
    Clears checkpoints and related data.

clear enable user-block { user | all | no-user }
    Unlocks users who are locked because the number of consecutive authentication failures to enter the
    privileged EXEC mode exceeds the limit.

clear telnet ip-block { ipv4-address | ipv6-address | all }
    Clears entries about blocked IP addresses and authentication failures.

memory history clear { all | half | one-forth }
    Clears historical memory usage records.

show boot config
    Displays the saving path and name of startup configuration file.

show calendar
    Displays the hardware time of the system.

show checkpoint { checkpoint-name | all | summary }
    Displays all information about a checkpoint or a summary of all checkpoints.

show clock
    Displays the current system time.

show cpu [ core | slot [ slot-id | all-info ] ]
    Displays CPU usage information of system tasks on control cores and non-virtual cores.

show cpu-monitor history [ slot { slot-id | all-info } ]
    Displays the CPU usage excess history of the device.

show cpurule all
    Displays the CPU rule configuration.

show debug
    Displays information about enabled debugging functions.

show enable user-block
    Displays users who are blocked from privileged EXEC mode authentication on the device.

show hostname
    Displays the host name of the device.

show language character-set
    Displays the current character set encoding format of the device.

show line { console line-number | vty line-number | line-number }
    Displays the line configurations.

show login fail-record
    Displays the device login failure information recorded.

show memory [ process-id | process-name | history | low-watermark | slot [ uslot [ sorted total ] | all-info [ sorted total ] ] | sorted total ]
    Displays memory information.

show memory vsd vsd-id
    Displays Virtual Storage Director (VSD) information.

show memory-monitor history [ slot { slot-id | all-info } ]
    Displays the memory usage excess history of the device.

show pci-bus
    Displays information about devices mounted on the Peripheral Component Interconnect (PCI) bus.

show processes cpu detailed { process-id | process-name }
    Displays detailed information about specified tasks.

show processes cpu [ [ 15min | 1min | 5min | 5sec ] [ nonzero ] | history [ table ] ]
    Displays system tasks.

show reload
    Displays system restart settings.

show running-config [ interface interface-type interface-number | router { bgp | isis | ospf } ]
    Displays the running configurations of the device system or configurations of an interface.

show service
    Displays the service status (enabled/disabled).

show sessions
    Displays information about established Telnet client instances.

show startup-config
    Displays the device configurations stored in the NVRAM.

show telnet ip-block { all | list }
    Displays information about blocked IP addresses and authentication failures.

show this
    Displays effective system configurations in current mode.

show usb-bus
    Displays information about devices mounted on the USB bus.

show version
    Displays system information.

1.16 Configuration Examples


1.16.1 Configuring Login Authentication and Telnet Service

1. Requirements

You can use Device A as a jump server through the workstation to manage Device B remotely.

• Establish a Telnet session to a remote device.

• Complete login identity authentication.

2. Topology

Figure 1-1 Configuring the Telnet Service (Workstation; Device A as Telnet client; Device B as Telnet server)

3. Notes

● Establish a Telnet session to the remote device whose IPv4 address is 192.168.65.119.

● Establish a Telnet session to the remote device whose IPv6 address is 2AAA:BBBB::CCCC.

4. Procedure

(1) Configure user and authorization information on Device B.

Hostname> enable
Hostname# configure terminal
Hostname(config)# line vty 0
Hostname(config-line)# password Guestuser
Hostname(config-line)# login
(2) Establish a Telnet session to a remote device on Device A.

Run the telnet command in privileged EXEC mode, or run the do telnet command in user EXEC mode,
privileged EXEC mode, global configuration mode, or interface configuration mode.

Hostname# telnet 192.168.65.119
Trying 192.168.65.119 ... Open
User Access Verification
Password: Guestuser
Hostname# telnet 2AAA:BBBB::CCCC
Trying 2AAA:BBBB::CCCC ... Open
User Access Verification
Password:
Hostname(config)# do telnet 2AAA:BBBB::CCCC
Trying 2AAA:BBBB::CCCC ... Open
User Access Verification
Password: Guestuser

5. Verification

● Run the ping command to display the configurations. If the remote device can be pinged, the Telnet service
is configured.

● Verify the login identity. If the login is successful, login authentication is configured.

1.16.2 Configuring Basic System Parameters

1. Notes

● Configure the system time.

● Configure MOTD information.

● Configure login banner information.

● Set the serial port baud rate to 57,600 bps.

2. Procedure

(1) Configure the system time.

Set the system time to June 20, 2003, 10:10:12.

Hostname> enable
Hostname# clock set 10:10:12 6 20 2003


(2) Configure MOTD information.

Set the MOTD content to "Notice: system will shutdown on July 6th." with the pound key (#) as the delimiter.

Hostname# configure terminal
Hostname(config)# banner motd #
Enter TEXT message. End with the character '#'.
Notice: system will shutdown on July 6th.#
Hostname(config)#
(3) Configure login banner information.

Set the login banner content to "Access for authorized users only. Please enter your password." with the
pound key (#) as the delimiter.

Hostname(config)# banner login #
Enter TEXT message. End with the character '#'
Access for authorized users only. Please enter your password.#
(4) Set the serial port baud rate to 57,600 bps.

Hostname# configure terminal
Hostname(config)# line console 0
Hostname(config-line)# speed 57600

3. Verification

● Verify the system time.

Run the show clock command in privileged EXEC mode to display the system time.

Hostname# show clock
clock: 2003-6-20 10:10:54

● Verify MOTD information.

Connect to the local device through the console, telnet, or SSH, and check whether the MOTD information
is displayed before the CLI appears.

Hostname# telnet 192.168.65.236
Notice: system will shutdown on July 6th.
Access for authorized users only. Please enter your password.
User Access Verification
Password:

● Verify login banner information.

Connect to the local device through the console, telnet, or SSH, and check whether the login banner
information is displayed before the CLI appears.

Hostname# telnet 192.168.65.236
Notice: system will shutdown on July 6th
Access for authorized users only. Please enter your password
User Access Verification
Password:

● Verify that the serial port baud rate is set to 57,600 bps.

Run the show line command to display the configurations.

Hostname# show line console 0
CON Type speed Overruns
* 0 CON 57600 0
Line 0, Location: "", Type: "vt100"
Length: 25 lines, Width: 80 columns
Special Chars: Escape Disconnect Activation
^^x none ^M
Timeouts: Idle EXEC Idle Session
never never
History is enabled, history size is 10
Total input: 22 bytes
Total output: 115 bytes
Data overflow: 0 bytes
stop rx interrupt: 0 times
Modem: READY

Contents

1 Configuring RBAC

1.1 Introduction

1.1.1 Overview

1.1.2 Basic Concepts

1.2 Configuration Task Summary

1.3 Configuring a Feature Group

1.3.1 Overview

1.3.2 Restrictions and Guidelines

1.3.3 Procedure

1.4 Configuring Role Permissions

1.4.1 Overview

1.4.2 Configuration Tasks

1.4.3 Enabling the RBAC Function

1.4.4 Configuring Roles

1.4.5 Configuring Rule Permissions for a Role

1.4.6 Configuring Description of a Role

1.4.7 Prohibiting a Role from Operating All Interface Resources

1.4.8 Allowing a Role to Operate a Specific Interface Resource

1.4.9 Prohibiting a Role from Operating All VLAN Resources

1.4.10 Allowing a Role to Operate a Specific VLAN Resource

1.4.11 Prohibiting a Role from Operating All VRF Resources

1.4.12 Allowing a Role to Operate a Specific VRF Resource

1.5 Monitoring

1.6 Configuration Examples

1.6.1 Configuring Role Permissions

Configuration Guide Configuring RBAC

1 Configuring RBAC
1.1 Introduction
1.1.1 Overview

Role-based access control (RBAC) associates roles with permissions. Users are assigned appropriate roles
and obtain the permissions of those roles. The resulting user-role-permission authorization structure simplifies
permission management. Roles are defined to complete various tasks, and a device administrator can predefine
all the roles and their permissions. To change a user's permissions, use RBAC to change only the permissions of
the user's role. This process reduces the authorization workload and device management overhead.

1.1.2 Basic Concepts

● Feature

Features vary with CLI commands. CLI commands with the same features constitute one feature.

● Feature group

A feature group is composed of features. Different features are classified as needed to form one feature
group. In short, a feature group is composed of several types of CLI commands.

● User

By default, a user does not have any permissions to operate a device. A user has the permissions of a role
only after you assign a proper role to the user. There are local users and remote AAA server users. Local
users are used for local authentication while remote AAA server users are used for remote AAA
authentication.

● Role

There are predefined system roles and user-defined roles. The system predefines 18 roles, including
network-admin, network-operator, and priv-n (0–15). Each role is granted specific operation
permissions. Table 1-1 lists these roles and their permissions.

Table 1-1 Roles and Permissions

Role Default Permission

network-admin
Administrator role, with all operation permissions.

network-operator
Operator role, with the following permissions:
● Permission control:
○ CLI commands: allowed to run the ping, show, ssh, telnet, traceroute, ssh-session, and terminal commands and the command to change the current local user password. The show command displays all information.
● Resource control:
○ Interfaces: allowed to operate all interfaces.
○ Virtual local area networks (VLANs): allowed to operate all VLANs.
○ VPN routing and forwarding (VRF): allowed to operate all VRF instances.

priv-0
Level-0 role, assigned with the following permissions:
● Permission control:
○ CLI commands: allowed to run the ping, ssh, telnet, traceroute, ssh-session, and enable commands.
● Resource control:
○ Interfaces: allowed to operate all interfaces.
○ VLANs: allowed to operate all VLANs.
○ VRF: allowed to operate all VRF instances.

priv-n (1-13)
Level-1 to level-13 roles, with the following permissions:
● Permission control:
No default permissions
● Resource control:
○ Interfaces: allowed to operate all interfaces.
○ VLANs: allowed to operate all VLANs.
○ VRF: allowed to operate all VRF instances.

priv-14
Level-14 role, with the following permissions:
● Permission control:
○ CLI commands: allowed to run CLI commands other than the more, upgrade, and debug commands that are executable only by an administrator.
● Resource control:
○ Interfaces: allowed to operate all interfaces.
○ VLANs: allowed to operate all VLANs.
○ VRF: allowed to operate all VRF instances.

priv-15
Level-15 role, with all operation permissions, the same as the role network-admin.

● Permission

Permissions fall into three modes (read, write, and execute) or into two types (rule permissions and
resource permissions). Rule permissions include those of command-based rules, those of feature-based
rules, and those of feature group-based rules. Resource permissions include those of interface resources,
those of VLAN resources, and those of VRF resources.

Rule permissions configured for user roles are divided into the following categories:

○ Prohibit a role from running or allow a role to execute a specific command line.

○ Prohibit a role from running or allow a role to run one or several types of commands for specified or all
features.

○ Prohibit a role from running or allow a role to run one or several types of commands for all features in
a feature group.

Resource permissions configured for user roles are divided into the following categories:

○ Prohibit a role from operating or allow a role to operate all or some interfaces.

○ Prohibit a role from operating or allow a role to operate all or some VLANs.

○ Prohibit a role from operating or allow a role to operate all or some VRF instances.


1.2 Configuration Task Summary


RBAC configuration includes the following tasks:

(1) (Optional) Configuring a Feature Group

(2) Configuring Role Permissions

a Enabling the RBAC Function

b Configuring Roles

c Configuring Rule Permissions for a Role

d (Optional) Configuring Description of a Role

e (Optional) Prohibiting a Role from Operating All Interface Resources

f (Optional) Allowing a Role to Operate a Specific Interface Resource

g (Optional) Prohibiting a Role from Operating All VLAN Resources

h (Optional) Allowing a Role to Operate a Specific VLAN Resource

i (Optional) Prohibiting a Role from Operating All VRF Resources

j (Optional) Allowing a Role to Operate a Specific VRF Resource

1.3 Configuring a Feature Group


1.3.1 Overview

This section describes how to create a feature group and add features to the feature group.

1.3.2 Restrictions and Guidelines

● Feature groups predefined in the system cannot be deleted or modified.

● Up to 64 feature groups can be customized.

1.3.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Create a feature group and enter the feature group configuration mode.

role feature-group name group-name

The system predefines feature groups L2 and L3 by default. Feature group L2 contains all commands for
functions related to L2 protocols. Feature group L3 contains all commands for functions related to L3
protocols.

(4) Add features to the feature group.

feature feature-name

By default, a system predefined feature group contains default features while a user-defined feature group
contains no feature.


1.4 Configuring Role Permissions


1.4.1 Overview

This section describes how to create a user role and configure its operation permissions. After a user is
authenticated and obtains a proper role, the user has the operation permissions of that role.

1.4.2 Configuration Tasks

User role permission configuration includes the following tasks:

(1) Enabling the RBAC Function

(2) Configuring Roles

(3) Configuring Rule Permissions for a Role

(4) (Optional) Configuring Description of a Role

(5) (Optional) Prohibiting a Role from Operating All Interface Resources

(6) (Optional) Allowing a Role to Operate a Specific Interface Resource

(7) (Optional) Prohibiting a Role from Operating All VLAN Resources

(8) (Optional) Allowing a Role to Operate a Specific VLAN Resource

(9) (Optional) Prohibiting a Role from Operating All VRF Resources

(10) (Optional) Allowing a Role to Operate a Specific VRF Resource

1.4.3 Enabling the RBAC Function

1. Overview

This section describes how to enable the RBAC function.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enable the RBAC function.

role enable

The RBAC function is disabled by default.

1.4.4 Configuring Roles

1. Overview

This section describes how to customize a role.

2. Restrictions and Guidelines

● System predefined roles cannot be deleted by running the no command. The default permission of only the
priv-n (0–13) role can be restored by running the default command.

● Permissions can be added to the priv-n (0–13) role only.

● Users can customize up to 64 roles and configure permissions for the roles.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Create a role and enter the role configuration mode.

role name role-name

By default, the system predefines 18 roles, including network-admin, network-operator, and priv-n (0–15).
Each role is granted specific operation permissions.

1.4.5 Configuring Rule Permissions for a Role

1. Overview

This section describes how to configure the rule permissions for a role.

2. Restrictions and Guidelines

● By default, system predefined roles have predefined rule permissions while user-defined roles have no rule
permission.

● During rule configuration, if the specified rule number does not exist, a rule is created; otherwise, the rule
corresponding to the specified rule number is modified. A modified rule applies to newly authenticated users only.

● Multiple rules can be created for a user role, and the permissions of the role are the union of these
rules. If permissions defined by these rules conflict with each other, rules with larger serial numbers prevail.
For example, if command A is prohibited by rule 1, command B is prohibited by rule 2, and command A
is allowed by rule 3, rule 2 and rule 3 finally take effect. Specifically, command A is allowed and command B
is prohibited.

● Predefined rules for predefined roles in the system cannot be deleted or modified. If there is a conflict between
system predefined rules and user-defined rules, user-defined rules prevail.

● Up to 256 rules can be configured for each role. A maximum of 1024 rules can be configured for all roles on
the device.

● To configure command-based rules, follow the rules below:

○ Division of segments. To describe a multi-level mode command, divide the command character string
into multiple segments by a semicolon (;). Each segment represents one or a series of commands. The
command in a later segment is executed in the mode entered by the command in the preceding segment. A
segment must contain at least one printable character.

○ Use of semicolons. To describe a multi-level mode command, separate the command segments with a
semicolon. For example, the character string config ; logging on is used to grant a permission over the
syslog on command in configuration mode. The semicolon in the last command segment indicates that
the permission is granted over the current mode command. For example, the character string config ;
interface * is used to grant a permission over only the command to enter the interface configuration
mode. The absence of a semicolon in the last command segment indicates that permissions are granted
over the current command mode and all commands in this mode. For example, the character string
config ; interface * is used to grant permissions over all commands in interface mode.

○ Use of asterisks. Each command segment contains at least one asterisk (*). An asterisk resides either
in the middle or at both ends of a command segment. Each asterisk serves to fuzzily match a command.
For example, the character string config ; * is used to grant permissions over all the commands in
configuration mode. The character string config ; logging * flush is used to grant a permission over a
command starting with syslog and ending with flush in configuration mode. The character string config ;
logging * is used to grant permissions over all commands starting with syslog in configuration mode.
When an asterisk resides in the middle of a command segment and the asterisk is used to match the
command, the command is matched up to only the first asterisk in the middle, and the subsequent
command segments are all considered matched. An execution command must be fully matched.

○ Matching of keyword prefixes. A prefix matching algorithm is used for the matching between the
command keyword and the command character string. That is, if the first several consecutive characters
or all characters of a keyword in the command line match the keyword defined in a rule, the command
line matches this rule. Therefore, a command character string may include a partial or complete
command keyword. For example, if the rule rule 1 deny command show ssh is effective, the show ssh
command and the show ssh-session command are disabled.
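
The conflict and prefix-matching behaviour described above can be checked offline before a role is applied. The following Python sketch is an added example, not code from this guide or from the device software: it models only single-mode command strings (no semicolon segments), assumes that a rule without an asterisk must have the same number of keywords as the typed command, and assumes that a command matching no rule is denied, as for a user-defined role with no rule permission. The rule set and command list are constructed samples.

```python
"""Added example: simplified model of command-based RBAC rule evaluation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str   # "permit" or "deny"
    pattern: str  # command string written after the "command" keyword


def parse_rule(line):
    """Parse 'rule <number> {permit|deny} command <command-string>'."""
    words = line.split()
    if len(words) < 5 or words[0] != "rule" or words[3] != "command":
        raise ValueError(f"not a command-based rule: {line!r}")
    if words[2] not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    return Rule(int(words[1]), words[2], " ".join(words[4:]))


def rule_matches(rule, command):
    """True if the typed command matches the rule's command string."""
    typed = command.split()
    pattern = rule.pattern.split()
    for index, keyword in enumerate(pattern):
        if keyword == "*":
            # Matching stops at the first asterisk; the rest counts as matched.
            return True
        # Prefix matching: the rule keyword "ssh" also matches "ssh-session".
        if index >= len(typed) or not typed[index].startswith(keyword):
            return False
    # Assumption: without an asterisk the keyword counts must be equal.
    return len(typed) == len(pattern)


def decide(rules, command):
    """Return (action, rule number); the largest matching rule number prevails."""
    hits = [rule for rule in rules if rule_matches(rule, command)]
    if not hits:
        return ("deny", None)  # assumption: no matching rule means no permission
    winner = max(hits, key=lambda rule: rule.number)
    return (winner.action, winner.number)


def widened_by_prefix(rule, commands):
    """Commands the rule matches only because of keyword prefix matching."""
    widened = []
    for command in commands:
        if not rule_matches(rule, command):
            continue
        for keyword, typed in zip(rule.pattern.split(), command.split()):
            if keyword == "*":
                break
            if typed != keyword:
                widened.append(command)
                break
    return widened


def shadowed_rules(rules, commands):
    """Rule numbers that match some command but are always overridden."""
    winners = {decide(rules, command)[1] for command in commands}
    return [rule.number for rule in rules
            if rule.number not in winners
            and any(rule_matches(rule, command) for command in commands)]


# Constructed sample role: rules 2 and 4 conflict, rule 3 relies on prefixes.
ROLE_RULES = """
rule 1 permit command show *
rule 2 deny command telnet *
rule 3 deny command show ssh
rule 4 permit command telnet *
"""
RULES = [parse_rule(line) for line in ROLE_RULES.strip().splitlines()]

# Constructed sample commands to audit against the role.
COMMANDS = [
    "show version",
    "show ssh",
    "show ssh-session",
    "telnet 192.168.65.119",
    "ping 192.168.65.119",
]

if __name__ == "__main__":
    for command in COMMANDS:
        action, number = decide(RULES, command)
        print(f"{command:28} {action:6} (rule {number})")
    print("widened by prefix:", widened_by_prefix(RULES[2], COMMANDS))
    print("shadowed rules:", shadowed_rules(RULES, COMMANDS))
```

In this sample, rule 2 never takes effect because rule 4 has a larger number, and the deny in rule 3 also covers show ssh-session through prefix matching.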

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enter the role configuration mode.

role name role-name

(4) Configure rule permissions for a role.

rule rule-number { permit | deny } { command command-string | { read | execute | write } * { feature
[ feature-name ] | feature-group feature-group-name } }

By default, predefined roles have predefined rule permissions while user-defined roles have no rule
permission.

1.4.6 Configuring Description of a Role

1. Overview

This section describes how to configure the description for a role.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enter the role configuration mode.

role name role-name


(4) Configure the description for a role.

description description

By default, a predefined role is provided with a default description while a user-defined role is provided with
no description.

1.4.7 Prohibiting a Role from Operating All Interface Resources

1. Overview

This section describes how to prohibit a role from creating, deleting or applying all interface resources.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enter the role configuration mode.

role name role-name

(4) Prohibit a role from operating all interface resources and enter the interface configuration mode of the role.

interface policy deny

By default, a role has the permission to operate all interface resources.

1.4.8 Allowing a Role to Operate a Specific Interface Resource

1. Overview

This section describes how to allow a role to create, delete or apply a specific interface resource.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enter the role configuration mode.

role name role-name

(4) Prohibit a role from operating all interface resources and enter the interface configuration mode of the role.

interface policy deny

(5) Enable the role to operate a specific interface resource.

permit interface interface-type interface-number-list

By default, a role is prohibited from operating all interface resources.


1.4.9 Prohibiting a Role from Operating All VLAN Resources

1. Overview

This section describes how to prohibit a role from creating, deleting or applying all VLAN resources.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enter the role configuration mode.

role name role-name

(4) Prohibit a role from operating all VLAN resources and enter the VLAN configuration mode of the role.

vlan policy deny

By default, a role has the permission to operate all VLAN resources.

1.4.10 Allowing a Role to Operate a Specific VLAN Resource

1. Overview

This section describes how to allow a role to create, delete, and apply a specific VLAN resource.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enter the role configuration mode.

role name role-name

(4) Prohibit a role from operating all VLAN resources and enter the VLAN configuration mode of the role.

vlan policy deny

(5) Allow a role to operate a specific VLAN resource.

permit vlan vlan-list

By default, a role is prohibited from operating all VLAN resources.

1.4.11 Prohibiting a Role from Operating All VRF Resources

1. Overview

This section describes how to prohibit a role from creating, deleting or applying all VRF resources.

2. Procedure

(1) Enter the privileged EXEC mode.

enable


(2) Enter the global configuration mode.

configure terminal

(3) Enter the role configuration mode.

role name role-name

(4) Prohibit a role from operating all VRF resources and enter the VRF configuration mode of the role.

vrf policy deny

By default, a role has the permission to operate all VRF resources.

1.4.12 Allowing a Role to Operate a Specific VRF Resource

1. Overview

This section describes how to allow a role to create, delete or apply a specific VRF resource.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enter the role configuration mode.

role name role-name

(4) Prohibit a role from operating all VRF resources and enter the role VRF configuration mode.

vrf policy deny

(5) Enable a role to operate a specific VRF resource.

permit vrf vrf-name

By default, a role is prohibited from operating all VRF resources.

1.5 Monitoring
Run the show commands to check the configuration.

Run the clear command to clear information.

Caution

During device operation, running the clear command may cause service interruption due to key information
loss.

Run the debug command to output various debugging information.

Caution

Debugging occupies system resources, so disable it immediately if not required.


Table 1-2 RBAC Monitoring

Command Purpose

debugging rbac Debugs the RBAC module.

show role [ name role-name ] Displays the information about a specific role or all roles.

show role feature [ detail | name feature-name ] Displays the basic information or details about a specific feature or all features.

show role feature-group [ name group-name ] [ detail ] Displays the basic information or details about a specific feature group or all feature groups.

1.6 Configuration Examples


1.6.1 Configuring Role Permissions

1. Requirements

(1) Create the role test, set the description to "test role", and configure permissions to:

○ Check all device information.

○ Execute all commands of features snmpd and syslogd.

○ Execute commands to create and delete interfaces, VLANs and VRF instances.

○ Prohibit the role from operating all interface resources, but allow the role to operate interface VLAN 1.

○ Prohibit the role from operating all VLAN resources, but allow the role to operate VLAN 1.

○ Prohibit the role from operating all VRF resources, but allow the role to operate the VRF instance test.

(2) Create a user with username user, password user123, and role test.

(3) Configure username and password-based authentication for telnet login.

(4) Let a user log in to a device from a PC in telnet mode, and perform authentication with username user and
password user123. Upon login, the user is assigned with role test and has permissions of role test.

2. Topology

Figure 1-1 Configuring Role Permissions

PC Device A

3. Notes

● Enable the RBAC function.

● Create a role and configure its description.

● Configure role permissions to:

○ Run all show commands.

○ Run all read, write, and execute commands of features snmpd and syslogd.

○ Execute interface, VLAN and VRF commands, as well as all commands in corresponding modes.

○ Prohibit the role from operating all interface resources, but allow it to operate interface VLAN 1.

○ Prohibit the role from operating all VLAN resources, but allow it to operate VLAN 1.

○ Prohibit the role from operating all VRF resources, but allow it to operate VRF instance test.

● Create a user with username user and password user123, and assign the user the role test.

● Configure username and password-based authentication for Telnet login.

4. Procedure

(1) Enable the RBAC function.

Enable the RBAC function for device A.

DeviceA> enable
DeviceA# configure terminal
DeviceA(config)# role enable
(2) Create a role and configure its description.

Create the role test for device A and set the description for the role.

DeviceA(config)# role name test
DeviceA(config-role)# description test role

(3) Configure the role permissions.

Allow the role to run all show commands.

DeviceA(config-role)# rule 1 permit command show *

Allow the role to operate all read, write, and execute commands of features snmpd and syslogd.

DeviceA(config-role)# rule 2 permit read write execute feature snmpd
DeviceA(config-role)# rule 3 permit read write execute feature syslogd

Allow the role to execute interface, VLAN and VRF commands, as well as all commands in corresponding
modes.

DeviceA(config-role)# rule 4 permit command config;interface *
DeviceA(config-role)# rule 5 permit command config;vlan *
DeviceA(config-role)# rule 6 permit command config;vrf definition *

Prohibit the role from operating all interface resources, but allow it to operate interface VLAN 1.

DeviceA(config-role)# interface policy deny
DeviceA(config-role-interface)# permit interface vlan 1
DeviceA(config-role-interface)# exit

Prohibit the role from operating all VLAN resources, but allow it to operate VLAN 1.

DeviceA(config-role)# vlan policy deny
DeviceA(config-role-vlan)# permit vlan 1
DeviceA(config-role-vlan)# exit

Prohibit the role from operating all VRF resources, but allow it to operate the VRF instance test.

DeviceA(config-role)# vrf policy deny
DeviceA(config-role-vrf)# permit vrf test
DeviceA(config-role-vrf)# exit
DeviceA(config-role)# exit

Create a user with username user and password user123, and assign the user the role test.

DeviceA(config)# user-account user password user123
DeviceA(config)# user-account user role test

Configure local username and password-based authentication for remote telnet login.

DeviceA(config)# line vty 0 4
DeviceA(config-line)# line-login local

5. Verification

Check role information.

DeviceA# show role name test
Role: test
Description: test role
Interface policy: deny
Permit interfaces:
VLAN1
VLAN policy: deny
Permit VLANs: 1
Vrf policy: deny
Permit vrfs: test
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit command show *
2 permit RWX feature snmpd
3 permit RWX feature syslogd
4 permit command config;interface *
5 permit command config;vlan *
6 permit command config;vrf definition *
R:Read W:Write X:Execute
Run any show command.

DeviceA# show privilege
Current privilege role is test
DeviceA# show users
Line User Host(s) Idle Location
---------------- ------------ -------------------- ---------- ------------------
* 1 vty 0 user idle 00:00:00 172.30.31.16
Run all read, write, and execution commands of features snmpd and syslogd.

DeviceA# show syslog
Syslog logging: enabled
Console logging: level debugging, 46 messages logged
Monitor logging: level debugging, 19 messages logged
Buffer logging: level debugging, 46 messages logged
Standard format:false
Timestamp debug messages: datetime
Timestamp log messages: datetime
Sequence-number log messages: disable
Sysname log messages: disable
Count log messages: disable
Trap logging: level informational, 46 message lines logged,0 fail
Log Buffer (Total 1048576 Bytes): have written 4462
*Oct 16 07:23:17: %CLI-6-STARTUP: Cli server process startup.
*Oct 16 07:23:17: %LOCALEAP-6-PKIMANAGE: Self-Signed PKI is activated
DeviceA# show snmp-agent
Chassis: 60FF60
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 Drop PDUs
0 UDP parse errors
0 SNMP packets output
0 Too big errors (Maximum packet size 1472)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
SNMP global trap: disabled
SNMP logging: disabled
SNMP agent: enabled
SNMP v1: enabled
Run the interface access command. Then, a prompt for no permission appears.

DeviceA(config)# snmp-agent community test rw
DeviceA(config)# syslog server 1.1.1.1
DeviceA(config)# interface vlan 1
DeviceA(config-if-VLAN 1)# description test
DeviceA(config-if-VLAN 1)# exit
DeviceA(config)# interface gigabitethernet 0/1
% User doesn't have sufficient privilege to execute this command.
DeviceA(config)# vlan 1
DeviceA(config-vlan)# name test
DeviceA(config-vlan)# exit
DeviceA(config)# vlan 2
% User doesn't have sufficient privilege to execute this command.
DeviceA(config)# vrf definition test
DeviceA(config-vrf)# description test
DeviceA(config-vrf)# exit
DeviceA(config)# vrf definition test1
% User doesn't have sufficient privilege to execute this command.

6. Configuration Files

Device A configuration file

hostname DeviceA
!
user-account user password user123
user-account user role test
!
role enable
!
role name test
description test role
rule 1 permit command show *
rule 2 permit read write execute feature snmpd
rule 3 permit read write execute feature syslogd
rule 4 permit command config;interface *
rule 5 permit command config;vlan *
rule 6 permit command config;vrf definition *
interface policy deny
permit interface VLAN 1
vlan policy deny
permit vlan 1
vrf policy deny
permit vrf test
!
line vty 0 4
line-login local
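The verification results above follow from two layers in the test role: a command rule must match, and any interface, VLAN or VRF the command names must be on the role's resource permit list. The sketch below is an added example, not the vendor's implementation; the function names, the mode labels ("exec", "config") and the "unmodelled" result for commands covered only by feature rules are assumptions.

```python
import fnmatch
import re

# Role definition copied from the Device A configuration file above.
ROLE_CONFIG = """\
role name test
 description test role
 rule 1 permit command show *
 rule 2 permit read write execute feature snmpd
 rule 3 permit read write execute feature syslogd
 rule 4 permit command config;interface *
 rule 5 permit command config;vlan *
 rule 6 permit command config;vrf definition *
 interface policy deny
  permit interface VLAN 1
 vlan policy deny
  permit vlan 1
 vrf policy deny
  permit vrf test
"""

# How a command names a resource of each policy type (assumed mapping).
RESOURCE_PATTERNS = [
    ("interface", re.compile(r"interface (.+)$")),
    ("vlan", re.compile(r"vlan (\S+)$")),
    ("vrf", re.compile(r"vrf definition (\S+)$")),
]


def parse_role(text):
    """Parse permit command rules, feature rules and resource policies."""
    role = {"command_rules": [], "feature_rules": [], "policies": {}}
    for raw in text.splitlines():
        line = raw.strip()
        # Only permit rules are modelled: the page's role has no deny rules,
        # so precedence between conflicting rules is out of scope here.
        m = re.match(r"rule (\d+) permit command (.+)$", line)
        if m:
            role["command_rules"].append((int(m.group(1)), m.group(2)))
            continue
        m = re.match(r"rule (\d+) permit .*feature (\S+)$", line)
        if m:
            role["feature_rules"].append((int(m.group(1)), m.group(2)))
            continue
        m = re.match(r"(interface|vlan|vrf) policy deny$", line)
        if m:
            role["policies"][m.group(1)] = set()
            continue
        m = re.match(r"permit (interface|vlan|vrf) (.+)$", line)
        if m and m.group(1) in role["policies"]:
            role["policies"][m.group(1)].add(m.group(2).lower())
    return role


def evaluate(role, mode, command):
    """Return 'permit', 'deny' or 'unmodelled' for a command typed in a mode."""
    cmd = " ".join(command.lower().split())
    matched = False
    for _number, pattern in role["command_rules"]:
        # "config;interface *" means: command "interface *" in config mode.
        *path, glob = pattern.lower().split(";")
        if path and path[-1] != mode:
            continue
        if fnmatch.fnmatchcase(cmd, glob):
            matched = True
            break
    if not matched:
        # Feature rules (snmpd, syslogd) need a feature-to-command map that
        # the page does not give, so such commands are left undecided.
        return "unmodelled" if role["feature_rules"] else "deny"
    # Second layer: the named resource must be on the permit list.
    for rtype, rx in RESOURCE_PATTERNS:
        m = rx.match(cmd)
        if m and rtype in role["policies"]:
            if m.group(1) not in role["policies"][rtype]:
                return "deny"
    return "permit"


if __name__ == "__main__":
    role = parse_role(ROLE_CONFIG)
    for c in ("interface vlan 1", "interface gigabitethernet 0/1",
              "vlan 1", "vlan 2", "vrf definition test", "vrf definition test1"):
        print(f"(config)# {c:32} -> {evaluate(role, 'config', c)}")
```

The three denied commands all match a permit command rule; they are refused only because the resource policy for their type does not list the named resource.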

Contents

1 Configuring Lines
    1.1 Introduction
        1.1.1 Overview
        1.1.2 Principles
    1.2 Configuration Task Summary
    1.3 Configuring the Number of VTY Terminals
        1.3.1 Overview
        1.3.2 Restrictions and Guidelines
        1.3.3 Procedure
    1.4 Configuring Line Attributes
        1.4.1 Overview
        1.4.2 Restrictions and Guidelines
        1.4.3 Procedure
    1.5 Configuring Terminal Attributes
        1.5.1 Overview
        1.5.2 Procedure
    1.6 Monitoring
    1.7 Configuration Examples
        1.7.1 Configuring Line Attributes

Configuration Guide Configuring Lines

1 Configuring Lines
1.1 Introduction
1.1.1 Overview

There are various types of terminal lines on network devices. You can group and manage terminal lines by types.
Configurations of these terminal lines are called line configurations. On network devices, terminal lines are
classified into multiple types such as CTY and virtual type terminal (VTY).

1.1.2 Principles

1. Basic Concepts

● CTY

The CTY line is a line connected to the console port. Most network devices have one console port. You can
access the local system through the console port.

● VTY

A VTY line is a virtual terminal line not connected to any hardware. It is used for telnet or Secure Shell (SSH)
connection.

1.2 Configuration Task Summary


Line configuration includes the following tasks. All of them are optional. Select them based on your
requirements.

● (Optional) Configuring the Number of VTY Terminals

● (Optional) Configuring Line Attributes

● (Optional) Configuring Terminal Attributes

1.3 Configuring the Number of VTY Terminals


1.3.1 Overview

This section describes how to enter the line configuration mode to configure other functions.

1.3.2 Restrictions and Guidelines

● The login-line vty command allows you to enter the VTY line configuration mode and specify the number of
VTY connections.

● To reduce the number of available VTY connections, run the no login-line vty line-number command.

● To configure the allowed maximum number of VTY connections, run the login-line maximum-vty command.
If the allowed maximum number of VTY connections is set to 0, all remote connections fail. If the allowed
maximum number of VTY connections is set to a value less than the number of online remote connections,
the configuration fails and a prompt appears.

Note

● Remote connections include Telnet, SSH, and session connections.

● The allowed maximum number of VTY connections and the number of available VTY connections are
separately managed. A remote connection is established successfully only when both conditions are met.

1.3.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

config-system terminal

(3) (Optional) Configure the allowed maximum number of VTY connections.

login-line maximum-vty max-number

The default maximum number of VTY connections is 36.

(4) Enter the line configuration mode.

login-line { console | vty } first-line [ last-line ]

(5) Increase or decrease VTY connections.

login-line vty line-number

There are five VTY connections, numbered from 0 to 4 by default. You can increase the number of VTY
connections to 36, with new ones numbered from 5 to 35.

VTY connections numbered from 0 to 4 are default connections of the system, which cannot be deleted.
Only new connections can be deleted.

1.4 Configuring Line Attributes


1.4.1 Overview

This section describes how to configure line attributes in line configuration mode.

1.4.2 Restrictions and Guidelines

● When the absolute timeout time set for a line expires, the device immediately disconnects the line even if a
user is operating the line terminal. Before the line is disconnected, the system displays the remaining time
and a prompt, indicating that the terminal will exit.

● When a user connects to the device as a dumb terminal through an asynchronous serial port, the
autocommand command can log the user in remotely to a specified host through telnet, or provide a
specified application-based terminal service.

● The asynchronous hardware of the device generates seven data bits with parity check in flow communication
mode. If parity is generated, specify seven data bits per character. If no parity is generated, specify eight data
bits per character. Only early devices support five or six data bits, which are seldom used.

● By running the flowcontrol command, you can specify the flow control mode to keep the Tx rate of one end
the same as the Rx rate of the peer end. Since terminals cannot receive data while sending data, flow control
can prevent data loss. When high-speed data processing devices communicate with low-speed data
processing devices (for example, a printer communicates with a network port), you also need to enable flow
control to prevent data loss. Ruijie General Operating System (RGOS) provides the following two flow control
modes:

○ Software flow control, also called soft flow control, which uses control keys for control. The default stop
and start characters for software flow control are Ctrl+S (XOFF, ASCII value 19) and Ctrl+Q (XON, ASCII
value 17), respectively. You can run the stop-character and start-character commands to configure
them.

○ Hardware flow control, also called hard flow control, which uses hardware for control.

● In telnet connection scenarios, you can run the terminal-type command to configure the type of terminals
simulated on the terminal connected to a line as required. Upon telnet connection, one end negotiates with
the other end about the terminal type based on its terminal type configuration (telnet negotiation ID: 0x18).
For details, see RFC 854. You can run the terminal-type vt100 command to restore the default terminal type.

1.4.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

config-system terminal

(3) (Optional) Configure the allowed maximum number of VTY connections.

login-line maximum-vty max-number

The default maximum number of VTY connections is 36.

(4) Enter the line configuration mode.

login-line { console | vty } first-line [ last-line ]

(5) (Optional) Configure an access control list (ACL) to control terminal login.

IPv4 network:

access-class { acl-number | acl-name } { in | out }

IPv6 network:

ipv6 access-class acl-name { in | out }

No ACL is configured for controlling terminal login by default.

(6) (Optional) Enable accounting for a line. All the following configurations are optional and may be selected as
needed.

○ Enable command accounting for a line.

accounting commands level { list-name | default }

The command accounting function is disabled by default.

○ Enable user access accounting for a line.

accounting exec { list-name | default }

The user access accounting function is disabled by default.

○ Enable command authorization for a line.

aaa-authorization commands authorization-commands-level { list-name | default }


The command authorization function is disabled by default.

(7) (Optional) Enable EXEC authorization for a line.

aaa-authorization execute { list-name | default }

The EXEC authorization function is disabled by default.

(8) Configure the access to the CLI through a line.

execute

Accessing the CLI through lines is enabled by default.

(9) Configure line attributes. The following configurations are optional. Select them based on your requirements.

○ Configure the absolute timeout time for a line.

absolute-timeout absolute-timeout-time

No absolute timeout time is configured for a line by default.

○ Configure the character for activating a null terminal session.

activation-character ascii-value

The default character for activating a terminal session is the carriage return character (ASCII value 13).

○ Enable automatic command execution.

autocommand autocommand-command

Automatic command execution for a line is disabled by default.

○ Configure the hotkey for disconnecting terminal connections.

disconnect-character ascii-value

The default hotkey for disconnecting terminal connections is Ctrl+D (ASCII value 4).

○ Configure the character for exiting a line.

escape-character escape-value

The default character for exiting a line is Ctrl+Shift+6 (ASCII value 30).

○ Configure the access to the CLI through a line.

execute

Accessing the CLI through lines is enabled by default.

○ Enable historical command recording for a specified line terminal and configure the allowed maximum
number of recorded historical commands for the current terminal.

history [ size size ]

The historical command recording function is enabled by default, and the default number of recorded
historical commands is 10.

○ Configure the maximum number of lines that are displayed on a single screen on a specified line terminal.

length screen-length

The maximum number of lines that are displayed on a single screen is 24 by default.

○ Configure location description for a specific line.

location location

No location description is configured for a specific line by default.


○ Enable logging display on terminals.

monitor

Logging display on terminals is disabled by default.

○ Configure a privilege level for line-based login.

privilege level privilege-level

The default privilege level for line-based login is 1.

○ Configure the prompt for refusing line-based login.

refuse-message [ c message c ]

No prompt is configured for refusing line-based login by default.

○ Configure the baud rate for the current terminal.

terminal speed baudrate

The default baud rate is 9600.

○ Configure the maximum number of columns that are displayed in a single line on the terminal connected
to a specified line, that is, the line width.

width screen-width

The line width is 79 by default.

○ Configure a role in a line.

role role-name

By default, each line is configured with a role; the role for serial interfaces, auxiliary interfaces, and
extended serial interfaces is network-admin; the role for other lines is network-operator.

Before configuring a role for a line, you must use the role enable command to enable RBAC in global
configuration mode. For details on how to configure RBAC, see RBAC Configuration in Basic
Configuration Guide.

Caution

Each line can be configured with a maximum of 64 roles. At least one role must be configured for each line.
You cannot delete the last role. When you delete the last role, the system will display a failure message.

(10) Configure asynchronous line attributes. The following configurations are optional. Select them based on
your requirements.

○ Configure the number of data bits per character for asynchronous lines in flow communication mode.

databits bit

The default number of data bits per character for asynchronous lines in flow communication mode is 8.

○ Configure the CLI character encoding format for asynchronous lines.

exec-character-bits { 7 | 8 }

The system selects a full 8-bit ASCII character set as the CLI character set by default.

To enter Chinese characters or display Chinese characters, images, or other international characters in
the CLI, run the exec-character-bits 8 command.

○ Configure the flow control mode for asynchronous lines.

flowcontrol { hardware | none | software }


No flow control is configured for asynchronous lines by default.

○ Configure the parity bit for asynchronous lines.

parity { even | none | odd }

When using certain hardware (such as an asynchronous serial port and console port) for communication,
you usually need to configure a parity bit.

○ Configure the start character for software flow control for asynchronous lines.

start-character ascii-value

The default start character for software flow control for asynchronous lines is Ctrl+Q (ASCII value 17).

After software flow control is enabled for an asynchronous line, the start character indicates the start of
data transmission.

○ Configure the stop character for software flow control for asynchronous lines.

stop-character ascii-value

The default stop character for software flow control for asynchronous lines is Ctrl+S (ASCII value 19).

After software flow control is enabled for an asynchronous line, the stop character indicates the end of
data transmission.

○ Configure the number of stop bits in each byte transmitted through asynchronous lines.

stopbits { 1 | 2 }

The default number of stop bits in each byte transmitted through asynchronous lines is 1.

You should configure the stop bits for communication between an asynchronous line and the connected
network device (such as a conventional dumb terminal and modem).

○ Configure the type of terminals simulated by an asynchronous line terminal.

terminal-type terminal-type-string

The default type of terminals simulated by a line is vt100.

1.5 Configuring Terminal Attributes


1.5.1 Overview

This section describes how to configure system terminal attributes.

1.5.2 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Configure terminal attributes. The following configurations are optional. Select them based on your
requirements.

○ Configure the number of data bits per character for asynchronous lines in flow communication mode.

terminal databits bit

The default number of data bits per character for the current terminal in flow communication mode is 8.

○ Configure the character for exiting the current terminal.

terminal escape-character escape-value


The default character for exiting the current terminal is Ctrl+Shift+6 (ASCII value 30).

○ Configure the CLI character encoding format for the current terminal.

terminal exec-character-bits { 7 | 8 }

To enter Chinese characters or display Chinese characters, images, or other international characters in
the CLI, run the terminal exec-character-bits 8 command.

○ Configure the flow control mode for the current terminal.

terminal flowcontrol { hardware | none | software }

No flow control is configured for asynchronous lines by default.

○ Enable historical command recording for the current terminal and configure the allowed maximum
number of recorded historical commands.

terminal history [ size size ]

The historical command recording function is enabled by default, and the default number of recorded
historical commands is 10.

○ Configure the maximum number of lines that are displayed on a single screen on the current terminal.

terminal length screen-length

The maximum number of lines that are displayed on a single screen is 24 by default.

○ Configure location description for the current terminal.

terminal location location

No location description is configured for the current terminal by default.

○ Configure the parity bit for the asynchronous line corresponding to the current terminal.

terminal parity { even | none | odd }

No parity bit is configured for the asynchronous line corresponding to the current terminal by default.

When using certain hardware (such as an asynchronous serial port and console port) for communication,
you usually need to configure a parity bit.

○ Configure the baud rate for the current terminal.

terminal speed baudrate

The default baud rate is 9600.

○ Configure the start character for software flow control for the current terminal.

terminal start-character ascii-value

The default start character for software flow control for the current terminal is Ctrl+Q (ASCII value 17).

○ Configure the stop character for software flow control for the current terminal.

terminal stop-character ascii-value

The default stop character for software flow control for the current terminal is Ctrl+S (ASCII value 19).

○ Configure the number of stop bits in each byte transmitted through the current terminal.

terminal stopbits { 1 | 2 }

The default number of stop bits in each byte transmitted through the current terminal is 2.

○ Configure the type of terminals simulated by the current terminal.


terminal terminal-type terminal-type-string

The default terminal type is vt100.

○ Configure the maximum number of columns that are displayed in a single line on the current terminal,
that is, the line width.

terminal width screen-width

The maximum number of columns that are displayed in a single line is 79 by default.

(3) Enter the global configuration mode.

config-system terminal

(4) Enter the line configuration mode.

login-line { console | vty } first-line [ last-line ]

(5) (Optional) Configure the login authentication timeout time for the current terminal.

line-login login timeout response-timeout-time

The default authentication timeout time for line-based login is 30 seconds.

(6) (Optional) Configure communication protocols supported by the current terminal.

transport input { all | ssh | telnet | none }

All communication protocols are supported by default. That is, both SSH and telnet are supported.

(7) (Optional) Configure the prompt for terminal logout.

vacant-message [ c message c ]

No prompt is configured for terminal logout by default.

(8) (Optional) Configure the maximum number of columns that are displayed in a single line on the current
terminal, that is, the line width.

width screen-width

The maximum number of columns that are displayed in a single line is 79 by default.

1.6 Monitoring
Run the show commands to check the configuration.

Run the clear commands to clear information.

Caution

During device operation, running the clear command may cause service interruption due to key information
loss.

Table 1-1 Monitoring

Command                                           Purpose
------------------------------------------------  ----------------------------------------------------------
show history                                      Displays historical command records of a line.
show history all-users                            Displays historical command records of all terminal users.
show enable cipher                                Displays the authorized password in JSON format.
show login-line { line-number | console           Displays the line configuration.
  console-line-number | password | vty
  vty-line-number }
show enable                                       Displays the privilege level of a line.
show users [ total ]                              Displays login user information of a line.
show web-api line vty info                        Displays the VTY configuration in JSON format.
clear login-line { line-number | console          Clears the connection status of a line.
  console-line-number | vty vty-line-number }
clear history all-users                           Clears historical records.

1.7 Configuration Examples


1.7.1 Configuring Line Attributes

1. Requirements

When users use VTY connections to remotely log in to the device through telnet, the network administrator can
configure VTY line attributes based on the use and security requirements of the device. Configure an ACL to
control terminal login, set the privilege level of VTY line users to 14, and require users of VTY line-based login
to enter a password. Set the absolute timeout time of VTY connections to 30 minutes.

2. Topology

Figure 1-1 Configuring Line Attributes

Host Device

3. Notes

● Set the maximum number of VTY line users to 6.

● Configure an ACL to allow users of some IP addresses to access the device.

● Configure attributes of VTY line users.

● Configure the privilege level, login verification method, and verification password of VTY line users.

4. Procedure

Configure an ACL named acl1 to control terminal login.

Device> enable
Device# config-system terminal
Device(config)# ip access-list standard acl1
Device(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Device(config-std-nacl)# exit
Device(config)# login-line vty 0 6
Device(config-line)# access-class acl1 in

Set the maximum number of VTY line users to 6.

Device(config)# login-line vty 0 6

Set the baud rate to 115200 bps.

Device(config-line)# speed 115200

Set the number of data bits to 8.

Device(config-line)# databits 8

Set the parity bit to even.

Device(config-line)# parity even

Set the number of stop bits to 1.

Device(config-line)# stopbits 1

Set the absolute timeout time of VTY connections to 30 minutes.

Device(config-line)# absolute-timeout 30

Configure software flow control.

Device(config-line)# flowcontrol software

Set the maximum number of lines that are displayed on a single screen to 100.

Device(config-line)# length 100

Set the maximum number of columns that are displayed in a line to 256.

Device(config-line)# width 256

Enable historical command recording and set the number of recorded historical commands to 200.

Device(config-line)# history size 200

Set the privilege level of line-based login to 14.

Device(config-line)# privilege level 14

Configure the user verification method.

Device(config-line)# line-login local
Device(config-line)# exit

Configure a username.

Device(config)# user-account Device privilege 15 password test_1234

5. Verification

Users of the IP address 192.168.1.100 can log in to the device through telnet. Users outside the
192.168.1.0/24 network segment cannot log in to the device. Run the show users command to display
users who log in to the device.


Device# show users


    Line         User         Host(s)              Idle       Location
---------------- ------------ -------------------- ---------- ------------------
*  0 con 0       ---          idle                 00:00:00   ---
   1 vty 0       Device       idle                 00:00:04   192.168.1.100

Run the show login-line vty command to display the line status of the console.

Device# show login-line vty 1

VTY Type speed Overruns


1 VTY 115200 0
Line 2, Location: "", Type: "vt100"
Length: 100 lines, Width: 256 columns
Special Chars: Escape Disconnect Activation
^^x ^D ^M
Timeouts: Idle EXEC Idle Session
00:10:00 never
History is enabled, history size is 200.
Total input: 0 bytes
Total output: 0 bytes
Data overflow: 0 bytes
stop rx interrupt: 0 times

6. Configuration Files

Device configuration file

hostname Device
!
user-account Device enable 15 password test_1234
!
login-line console 0
line-timeout 0 0
speed 115200
login-line console 0
line-timeout 0 0
speed 115200
login-line vty 0 6
absolute-timeout 30
access-class acl1 in
privilege level 14
line-login local
password test_123
flowcontrol software
parity even
stopbits 1
width 256
length 100


monitor
history size 200
speed 115200
login-line vty 7 35
access-class acl1 in
line-login local
!
end
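The defaults stated in the procedures above (no login ACL, no absolute timeout, both SSH and telnet accepted, login privilege level 1) can be checked mechanically against a saved configuration. The script below is an added example, not a vendor tool: the finding labels, the function names and the choice to flag any privilege level above the default are assumptions, and PAGE_CONFIG is an abridged copy of the configuration file above while CONSTRUCTED_CONFIG is constructed sample input.

```python
import re

# Abridged from the page's device configuration file (VTY-relevant lines).
PAGE_CONFIG = """\
hostname Device
!
login-line console 0
 line-timeout 0 0
 speed 115200
login-line vty 0 6
 absolute-timeout 30
 access-class acl1 in
 privilege level 14
 line-login local
 flowcontrol software
 history size 200
login-line vty 7 35
 access-class acl1 in
 line-login local
!
end
"""

# Constructed sample: one tightened stanza, one left at the defaults.
CONSTRUCTED_CONFIG = """\
login-line vty 0 4
 transport input ssh
 access-class mgmt in
 absolute-timeout 15
 line-login local
login-line vty 5 9
 line-login local
"""

HEADER = re.compile(r"^login-line\s+(console|vty)\s+(\d+)(?:\s+(\d+))?\s*$")
INBOUND_ACL = re.compile(r"^(ipv6 )?access-class \S+ in$")


def parse_lines(config):
    """Split a configuration into login-line stanzas.

    Indentation is often lost in exported text, so a stanza runs from its
    login-line header to the next header, a "!" separator or "end".
    """
    stanzas, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            first = int(m.group(2))
            last = int(m.group(3)) if m.group(3) else first
            current = {"kind": m.group(1), "first": first,
                       "last": last, "attrs": []}
            stanzas.append(current)
        elif line in ("!", "end"):
            current = None
        elif current is not None:
            current["attrs"].append(" ".join(line.split()))
    return stanzas


def value_of(attrs, prefix):
    """Return the argument text of the first attribute starting with prefix."""
    for attr in attrs:
        if attr.startswith(prefix + " "):
            return attr[len(prefix):].strip()
    return None


def audit_vty(stanza):
    """Return findings for one VTY stanza, based on the documented defaults."""
    attrs, findings = stanza["attrs"], []
    if not any(INBOUND_ACL.match(a) for a in attrs):
        findings.append("no-inbound-acl")         # default: no login ACL
    transport = value_of(attrs, "transport input")
    if transport is None or transport in ("all", "telnet"):
        findings.append("telnet-permitted")        # default: SSH and telnet
    if value_of(attrs, "absolute-timeout") is None:
        findings.append("no-absolute-timeout")     # default: none configured
    level = value_of(attrs, "privilege level")
    if level is not None and level.isdigit() and int(level) > 1:
        findings.append("privilege-level-" + level)  # default login level: 1
    return findings


def audit(config):
    """Map each VTY range ("vty first-last") to its list of findings."""
    return {"vty %d-%d" % (s["first"], s["last"]): audit_vty(s)
            for s in parse_lines(config) if s["kind"] == "vty"}


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("constructed", CONSTRUCTED_CONFIG)):
        for vty_range, findings in audit(cfg).items():
            print(name, vty_range, findings or "ok")
```

Run against the page's configuration, it reports that both VTY ranges still accept telnet because no transport input line is present, and that lines 7 to 35 have no absolute timeout.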

Contents

1 Configuring File System Management
    1.1 Introduction
        1.1.1 Overview
        1.1.2 Basic Concepts
        1.1.3 Way to Manage Files
    1.2 Configuration Task Summary
    1.3 Configuring a Directory
        1.3.1 Displaying the Working Directory
        1.3.2 Changing the Working Directory
        1.3.3 Displaying Directory Information
        1.3.4 Creating a Directory
        1.3.5 Deleting a Directory
    1.4 Configuring a File
        1.4.1 Displaying File Content
        1.4.2 Displaying File Information
        1.4.3 Copying a File
        1.4.4 Renaming a File
        1.4.5 Deleting a File
        1.4.6 Ejecting a USB Device
        1.4.7 Erasing a File System
        1.4.8 Configuring Prompt Level
        1.4.9 Formatting a Flash Memory Disk
    1.5 Monitoring
    1.6 Configuration Examples
        1.6.1 Configuring Basic Features of File System Management

Configuration Guide Configuring File System Management

1 Configuring File System Management


1.1 Introduction
1.1.1 Overview

Files required for running a device, including configuration files and system software, are saved in the storage
media of the device. File system management refers to the management of directories and files in storage media,
including creation, deletion, modification and viewing of files.

1.1.2 Basic Concepts

The storage media supported by devices include fixed media (Flash) and pluggable media (USB flash drive).
Each storage medium is called a file system.

1. Storage media and file system name

● The file system of Flash-type storage media is named "flash:".

● The file system of USB drive-type storage media is named "usb:".

2. Default file system

The file system used by default after a user logs in to the device when multiple storage media are available for
the device.

3. Name of folder and file

The name of a folder or file can contain numbers, letters or special characters except asterisk (*), vertical bar
symbol (|), backslash (\), slash (/), question mark (?), angle brackets (<>), quotation mark ("), and colon (:).

4. Root directory

The root directory is the default directory once the user logs in to the device. It is expressed by a slash (/). For
example, "flash:/" indicates the root directory of Flash.

5. Working directory

The working directory is also called the current working directory. The default working directory is the root
directory of Flash.

6. Path

The location of a file or folder.

Note

filesystem: specifies the uniform resource locator (URL) of a file system, followed by a colon (:). File systems
include flash:, usb:, and tmp:. In addition, directory indicates a file name with the path, or specifies a path
name. If the name starts with a slash (/), the path is an absolute path; otherwise, the path is a relative path.


1.1.3 Way to Manage Files

To manage files, log in to the system directly or use File Transfer Protocol (FTP) or Trivial File Transfer Protocol
(TFTP).

Table 1-1 Way to Manage Files

Way to Manage Files         Application Scenario
--------------------------  ------------------------------------------------------------------------
Direct login to the system  A device fails to access information, and you need to repair the device
                            or manage the files and directories in the device.
FTP                         FTP is applicable to file transfer scenarios which do not require high
                            security of network, and widely used for version upgrade.
TFTP                        In laboratory LAN with good network conditions, use TFTP to load and
                            upgrade versions online.

1.2 Configuration Task Summary


Configuration of file system management includes the following tasks. All the configuration tasks below are
optional. Select the configuration tasks as required.

● Configuring a Directory

○ Displaying the Working Directory

○ Changing the Working Directory

○ Displaying Directory Information

○ Creating a Directory

● Configuring a File

○ Displaying File Content

○ Displaying File Information

○ Copying a File

○ Renaming a File

○ Deleting a File

○ Ejecting a USB Device

○ Erasing a File System

○ Configuring Prompt Level

○ Formatting a Flash Memory Disk


1.3 Configuring a Directory


1.3.1 Displaying the Working Directory

1. Overview

This feature displays the complete path of the current working directory.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Display the complete path of the current working directory.

pwd

1.3.2 Changing the Working Directory

1. Overview

This feature changes the current working directory.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Change the current working directory.

cd [ filesystem: ] [ directory ]

1.3.3 Displaying Directory Information

1. Overview

This feature displays the list of files and sub-directories under a directory.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Display the files under a directory.

dir [ filesystem: ] [ file-url ]

1.3.4 Creating a Directory

1. Overview

This feature creates a directory.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Create a directory.


mkdir [ filesystem: ] directory

1.3.5 Deleting a Directory

1. Overview

This feature deletes a directory.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Delete an empty directory.

rmdir [ filesystem: ] directory

1.4 Configuring a File


1.4.1 Displaying File Content

1. Overview

This feature displays the content of a file.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Display the content of a file.

more [ /ascii | /binary ] [ filesystem: ] file-url

1.4.2 Displaying File Information

1. Overview

This feature displays the information of a file.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Display the information of a file.

file [ filesystem: ] file-url

1.4.3 Copying a File

1. Overview

This feature copies a file.

2. Procedure

(1) Enter the privileged EXEC mode.

enable


(2) Copy a file.

copy { source-url | running-config | startup-config } { destination-url | running-config | startup-config }

1.4.4 Renaming a File

1. Overview

This feature renames a file.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Rename a file or folder.

rename source-url destination-url

1.4.5 Deleting a File

1. Overview

This feature deletes a file.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Delete a file.

delete { [ filesystem: ] file-url | startup-config }

1.4.6 Ejecting a USB Device

1. Overview

This feature ejects a USB device.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Eject a USB device.

eject usb0

1.4.7 Erasing a File System

1. Overview

This feature erases a file system of a device.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Erase the file system of a USB device.


erase usb0

1.4.8 Configuring Prompt Level

1. Overview

This feature configures the prompt level for operations on a file or folder.

● When the prompt level is set to noisy, the system asks for confirmation on every file operation.

● When the prompt level is set to quiet, the system rarely prompts.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Configure the prompt level for operating a file.

file prompt [ noisy | quiet ]

The prompt level for operating a file is noisy by default.

1.4.9 Formatting a Flash Memory Disk

1. Overview

This feature formats a Flash memory disk.

2. Restrictions and Guidelines

The device restarts after this feature is executed. After that, the Flash partition is formatted. Then, all files except
the configuration files in the flash partition are deleted. Before formatting the flash disk, you are advised to back
up important files in the flash partition.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Format a Flash memory disk.

format flash

1.5 Monitoring
Run the show command to check the configuration.

Table 1-2 File System Management Monitoring

Command                     Purpose
show disk { flash | usb }   Displays the USB flash drive or flash information.
show file systems           Displays information about file systems.
show mount                  Displays information about the file system mounted on the device.


1.6 Configuration Examples


1.6.1 Configuring Basic Features of File System Management
1. Requirements

Operate the files in the device after logging in to the device through the Console port or with a Telnet connection.

2. Notes

● Display the files and sub-directories under the current directory.

● Create the test directory.

● Copy the config.text file to the test directory and name it test.text.

3. Procedure

(1) Display the files and sub-directories under the current directory.

Device# dir flash:/


Directory of flash:/
Number Properties Size Time Name
------ ---------- ---------- ------------------------ --------------------
1 -rw- 9.9k Fri Jan 3 02:49:39 2020 Hostname.text
2 -rw- 113.3M Sat Jun 13 14:15:17 2020
3 -rw- 5.3k Wed Jun 10 14:12:45 2020 cfgmpls
4 drwx 4.0k Mon Jan 6 21:12:20 2020 startup
5 -rw- 2.6k Sat Jun 13 16:13:12 2020 cfgpol
6 -rwx 1.6k Thu May 21 13:39:30 2020 rsa1_private.bin

33 files, 22 directories
1,939,972,096 bytes data total (383,688,704 bytes free)
3,959,422,976 bytes flash total (383,688,704 bytes free)

(2) Create the test directory.

Device# mkdir test


(3) Copy the config.text file to the test directory and name it test.text.

Device# copy config.text flash:/test/test.text


Copying, press Ctrl+C to quit
!
Accessing flash:/config.text finished, 7652 bytes prepared
Flushing data to flash:/test/test.text...
Flush data done
Copy success.

4. Verification

Enter the test directory.

Device# cd test

Display the current working path.

Device# pwd
flash:/test

Display the files under the test directory.

Device# dir
Directory of flash:/test
Number Properties Size Time Name
------ ---------- ---------- ------------------------ --------------------
1 -rw- 7.5k Tue Jan 7 19:56:44 2020 test.text
1 file, 0 directories
1,939,972,096 bytes data total (383,676,416 bytes free)
3,959,422,976 bytes flash total (383,676,416 bytes free)

Contents

1 Configuring USB
  1.1 Introduction
    1.1.1 Overview
  1.2 Configuration Task Summary
  1.3 Using a USB Device
  1.4 Ejecting a USB Device
  1.5 Monitoring
  1.6 Configuration Examples
    1.6.1 Configuring USB Basic Features

Configuration Guide Configuring USB

1 Configuring USB
1.1 Introduction
1.1.1 Overview

Universal Serial Bus (USB) is an external bus standard. In this document, it refers to peripheral devices in line
with the USB standard, such as USB flash drives. USB devices are hot-swappable. They serve to copy files
(such as configuration files and log files) from a communication device or copy external data (such as system
upgrade files) to an internal storage device.

USB devices are applied in scenarios such as file system management and upgrade. The detailed scenarios
are specified in configuration guides for different features. This document describes only the identification,
viewing, use, and removal of USB devices.

1.2 Configuration Task Summary


USB configuration includes the following tasks:

(1) Using a USB Device

(2) Ejecting a USB Device

1.3 Using a USB Device


1. Overview

When you insert a USB device into a USB port, the system automatically finds the USB device. The driver
module of the system, upon identifying the USB device, initializes the device and loads the file system in it. Then,
the system reads and writes the USB device. Run commands (cd, copy, delete or dir) of the file system to
operate the USB device.

2. Restrictions and Guidelines

● The system only uses products that support standard Small Computer System Interface (SCSI) commands
(generally USB flash drives). Other products, including USB flash drives attached to USB network interface
cards (NICs) and those with virtual USB drives, are not supported.

● A USB device supports the File Allocation Table (FAT) file system only. Other file systems can be used on a
USB device only after they are converted to FAT on a PC.

3. Prerequisites

Insert a USB device.

4. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Run commands of the file system to operate the USB device. Configure one of the following tasks.


○ Enter the USB device partition.

cd usb: [ directory ]

The path name, if not specified, is the name of the root path of the USB device partition by default.

○ Copy files between file systems.

copy source-url destination-url

When the file to be copied exists on the target URL, the target file system determines the action, for
example, reporting an error, overwriting the file, or asking users to make the choice.

○ Delete a file in the USB device.

delete usb: [ file-url ]

○ Check whether the file is in the USB device.

dir usb: [ file-url ]

The path name, if not specified, is the name of the root path of the USB device partition by default.

Note
When multiple partitions exist in the USB device, only the first FAT partition is accessible.
The concept of parent directory is not available for the USB device path. After accessing the USB
device by running cd usb*:\, return to the flash file system by running cd flash:\.

1.4 Ejecting a USB Device


1. Overview

This feature ejects a USB device while keeping the data stored in the device intact.

2. Restrictions and Guidelines

● Do not remove a USB device while the system is using it. Otherwise, the data stored in the device will be
damaged. Disconnect the USB device from the system before removing it.

● Upon successful disconnection, the system prints a prompt. After that, remove the device. A USB device
disconnection failure indicates that the system is using the device. Remove the device when the system is
not using it.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Remove the USB device.

usb remove device-id

1.5 Monitoring
Run the show command to check the USB device.


Table 1-1 USB Monitoring

Command    Purpose
show usb   Displays information about the inserted USB device.

1.6 Configuration Examples


1.6.1 Configuring USB Basic Features

1. Requirements

Operate the files in the device as follows after logging in to the device through the Console port or with a Telnet
connection.

● Insert the USB flash drive into the port.

● Copy the config.txt file in the drive to Flash.

● Run the usb remove command to remove the USB device.

2. Notes

● After you insert a USB flash drive into the port, the system displays a prompt of successful loading of the
drive.

● Before removing the USB device, run the corresponding command to eject it. This is to avoid an error resulting
from the system using the device.

3. Procedure

(1) After you insert a USB flash drive into the port, the system finds the USB device and loads the drive. After
that, the system prints the following prompt information:

*Jan 1 00:09:42: %USB-5-USB_DISK_FOUND: USB Disk <Mass Storage> has been inserted to USB port 0!
*Jan 1 00:09:42: %USB-5-USB_DISK_PARTITION_MOUNT: Mount usb0 (type:FAT32),size : 15789711360B(15789.7MB)

Note

Mass Storage specifies the name of the identified device. “usb0” specifies the first USB device. Size
specifies the size of the partition. The USB flash drive has a space of 15789.7 MB.

(2) Copy the config.txt file in the drive to Flash.

Hostname# dir usb0:/


Directory of usb0:/
1 -rwx 4 Tue Jan 1 00:00:00 1980 fac_test
2 -rwx 1 Mon Sep 30 13:15:48 2013 config.txt
2 files, 0 directories
15,789,711,360 bytes total (15,789,686,784 bytes free)
Hostname#


Hostname# copy usb0:/config.txt flash:/


Copying: !
Accessing usb0:/config.txt finished, 1 bytes prepared
Flushing data to flash:/config.txt...
Flush data done

(3) Remove the USB device.

Hostname# usb remove 0


OK, now you can pull out the device 0.

4. Verification

Insert the USB flash drive to check the USB device.

Hostname> enable
Hostname# show usb
Device: Mass Storage
ID: 0
URL prefix: usb0
Disk Partitions:
usb0(type:vfat)
Size:15789711360B(15789.7MB)
Available size:15789686784B(15789.6MB)

Run the dir command to check whether the config.txt file in the flash is copied successfully.

Hostname# dir flash:/


Directory of flash:/
20 ---- 1 Thu Jan 1 00:04:51 2020 config.txt
1 files, 0 directories
5,095,424 bytes total (4,960,256 bytes free)

Run the show usb command to check whether the USB device is removed. The device with ID 0 is not displayed
when the show usb command is run.

Hostname# show usb


No partition found.

5. Common Errors

● A device that uses non-standard SCSI is inserted into the USB port.

● The system cannot identify the USB device because its file system is not FAT.
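
The two prompt messages in step (1) are the only record the device prints when removable media is attached, so they are worth collecting for an audit trail. The following is an added example, not code from the guide or the vendor: it parses those messages (wrapped across lines as a console capture shows them) and pairs each insertion with the partitions mounted after it. The function names and the unrelated third message are this example's own constructions.

```python
import re

# The two messages from step (1), wrapped as a console capture wraps them,
# plus one constructed unrelated line to show that other messages are skipped.
SAMPLE_LOG = """\
*Jan 1 00:09:42: %USB-5-USB_DISK_FOUND: USB Disk <Mass Storage> has been
inserted to USB port 0!
*Jan 1 00:09:42: %USB-5-USB_DISK_PARTITION_MOUNT: Mount usb0
(type:FAT32),size : 15789711360B(15789.7MB)
*Jan 1 00:10:05: %EXAMPLE-6-OTHER: constructed unrelated message
"""

HEADER = re.compile(
    r"^\*(?P<time>\w{3}\s+\d+\s+\d\d:\d\d:\d\d): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
FOUND = re.compile(
    r"USB Disk <(?P<device>[^>]*)> has been inserted to USB port (?P<port>\d+)!"
)
MOUNT = re.compile(
    r"Mount (?P<partition>usb\d+)\s*\(type:(?P<fstype>[^)]+)\),"
    r"\s*size\s*:\s*(?P<size>\d+)B"
)


def unwrap(log_text):
    """Join continuation lines (those not starting with '*') onto the previous message."""
    messages = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("*") or not messages:
            messages.append(line)
        else:
            messages[-1] += " " + line
    return messages


def usb_events(log_text):
    """Return one dict per USB insert or mount message, in log order."""
    events = []
    for message in unwrap(log_text):
        header = HEADER.match(message)
        if not header or header["facility"] != "USB":
            continue
        base = {"time": header["time"], "mnemonic": header["mnemonic"]}
        if header["mnemonic"] == "USB_DISK_FOUND":
            found = FOUND.search(header["text"])
            if found:
                events.append({**base, "device": found["device"],
                               "port": int(found["port"])})
        elif header["mnemonic"] == "USB_DISK_PARTITION_MOUNT":
            mount = MOUNT.search(header["text"])
            if mount:
                events.append({**base, "partition": mount["partition"],
                               "fstype": mount["fstype"],
                               "size_bytes": int(mount["size"])})
    return events


def insertion_report(log_text):
    """Pair each insertion with the mounts that follow it, for a removable-media audit trail."""
    report = []
    for event in usb_events(log_text):
        if event["mnemonic"] == "USB_DISK_FOUND":
            report.append({"time": event["time"], "device": event["device"],
                           "port": event["port"], "partitions": []})
        elif report:
            report[-1]["partitions"].append(
                (event["partition"], event["fstype"], event["size_bytes"]))
    return report


if __name__ == "__main__":
    for entry in insertion_report(SAMPLE_LOG):
        print(entry)
```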

Contents

1 Configuring the FTP Server
  1.1 Introduction
    1.1.1 Overview
    1.1.2 Principles
    1.1.3 Protocols and Standards
  1.2 Configuration Task Summary
  1.3 Configuring Basic Functions of the FTP Server
    1.3.1 Overview
    1.3.2 Procedure
  1.4 Configuring FTP Session Management
    1.4.1 Overview
    1.4.2 Procedure
  1.5 Configuring the FTP Lock Function
    1.5.1 Overview
    1.5.2 Restrictions and Guidelines
    1.5.3 Procedure
  1.6 Enabling AAA on the FTP Server
    1.6.1 Overview
    1.6.2 Restrictions and Guidelines
    1.6.3 Prerequisites
    1.6.4 Procedure
  1.7 Configuring Read/Write Permission Control of FTP Users
    1.7.1 Overview
    1.7.2 Procedure
  1.8 Monitoring
  1.9 Configuration Examples
    1.9.1 Providing the FTP Service in a LAN

Configuration Guide Configuring the FTP Server

1 Configuring the FTP Server


1.1 Introduction
1.1.1 Overview

File Transfer Protocol (FTP) is a standard application layer protocol formulated by the IETF Network Working
Group. It implements file transfer based on Transmission Control Protocol (TCP). FTP is a major method for
transferring files on the Internet.

FTP adopts the client/server model. As shown in Figure 1-1, a device can act as an FTP server to provide remote
client access and program operations. By issuing commands to the server through the client, you can view the
files in the FTP server directory, copy files from a remote computer to the local device, and transfer local files to
the server. In addition, FTP provides functions, such as login authentication and read/write access control.

Figure 1-1 FTP Client/Server Mode (diagram: FTP Client connected to FTP Server)

1.1.2 Principles

1. FTP Connection

FTP sets up two TCP connections between the client and the server, namely the control connection and the
data connection.

● The control connection uses port 21 to transmit control commands, and always remains enabled.

● The data connection uses port 20 to transmit data. The server can proactively enable or disable the data
connection. It sets up a new data connection every time a file or directory is transferred.

For some simple sessions, only the control connection needs to be enabled: the client sends a command to the
server, and the server returns a response after receiving the command. The process is shown in Figure 1-2.

Figure 1-2 Control Connection (diagram: after the control connection is created, the FTP client sends a command and the FTP server returns a reply)

When the client sends a command for uploading or downloading data, both the control connection and data
connection must be established.

2. User Login and Authentication

To access files on the FTP server, the FTP client must have a user account authorized by the FTP server. By
default, a device supports configuration of up to 10 users, 2 connections per user, and 10 connections with the
server.

In addition, the read and write permissions of files can be defined to effectively prevent unauthorized users from
accessing internal files. When the number of a user's FTP login failures reaches the upper limit, the IP address
or username used for login is locked. Within a certain period of time, no user can log in to the FTP server
using this IP address or username.

3. Supported FTP Commands

After receiving an FTP connection request, the FTP server requires the client to provide the username and
password for authentication.

If the client passes the authentication, the FTP client commands can be executed. The following table lists the
FTP client commands supported by the FTP server.

Table 1-1 FTP Client Commands Supported by the FTP Server

ascii   close    mdelete  mput     quit     size
bin     delete   mdir     nlist    recv     system
bye     dir      mget     passive  rename   type
cd      get      mkdir    put      rmdir    user
cdup    ls       mls      pwd      send

For how to use these FTP client commands, refer to the documentation of the FTP client software used. In
addition, many FTP client tools, such as CuteFTP and FlashFXP, provide a graphical user interface (GUI), which
allows users to perform operations without typing FTP commands.

1.1.3 Protocols and Standards

● RFC 959: File Transfer Protocol (FTP)

● RFC 3659: Extensions to FTP

● RFC 2228: FTP Security Extensions

● RFC 2428: FTP Extensions for IPv6 and NATs

● RFC 1635: How to Use Anonymous FTP

1.2 Configuration Task Summary


FTP server configuration includes the following tasks:

(1) Configuring Basic Functions of the FTP Server

(2) (Optional) Configuring FTP Session Management

(3) (Optional) Configuring the FTP Lock Function

(4) (Optional) Enabling AAA on the FTP Server

(5) (Optional) Configuring Read/Write Permission Control of FTP Users

1.3 Configuring Basic Functions of the FTP Server


1.3.1 Overview

This section describes how to enable the FTP server and configure the username, password, and top-level
directory to provide the FTP service for the FTP client.

1.3.2 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enable the FTP server.

ftp-server enable

The FTP server is disabled by default.

(4) Configure the top-level directory of the FTP server.

ftp-server topdir directory

By default, no top-level directory under which the FTP client can read and write files is configured, that is,
the client is prohibited from accessing any directory on the FTP server.

(5) Configure a username and password for server login.

ftp-server username username [ privilege level ] password [ type ] password


By default, no username and password are configured for login to the FTP server, that is, no login users are
restricted.

1.4 Configuring FTP Session Management


1.4.1 Overview

● The FTP login times refers to the number of times that the user's account and password can be verified when
the user logs in to the FTP server.

● The FTP login timeout refers to the maximum time that the user can stay online after the username and
password are verified. If the username and password are not verified again before login timeout, the session
will be terminated to ensure that other users can log in to the FTP server.

● The idle timeout refers to the time from the completion of the last FTP operation to the start of the next FTP
operation in an FTP session. After the server responds to an FTP client command (for example, after a file
is completely transferred), the server starts to count the idle time again, and stops counting when the next
FTP client command arrives. Therefore, the configuration of the idle timeout does not affect time-consuming
file transfer operations.

1.4.2 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure FTP session management. Configure at least one of the following tasks.

○ Configure the FTP login times.

ftp-server login times times

By default, the FTP login times is 1, that is, a session will be terminated after you enter an incorrect
username or password three times so that other users can go online.

○ Configure the FTP login timeout.

ftp-server login timeout time

By default, the FTP login timeout is 2 minutes.

○ Configure the idle timeout.

ftp-server timeout time

By default, the idle timeout of an FTP session is 10 minutes.

○ Configure the maximum number of FTP sessions.

ftp-server max-sessions number

By default, the maximum number of FTP sessions is 20.


1.5 Configuring the FTP Lock Function


1.5.1 Overview

● After the IP address lock function is enabled, if the cumulative number of login failures caused by entry of the
incorrect username or password reaches the configured upper limit, the FTP session is terminated and the
user's IP address is locked. In addition, no user can log in to the FTP server using this IP address
or username.

● After the username lock function is enabled, if the cumulative number of login failures caused by entry of the
incorrect password reaches the configured upper limit, the FTP session is terminated and the username is
locked. The user cannot log in to the FTP server, but other users are not affected.

● The FTP lock time refers to the duration that a user needs to wait for automatic unlocking after the user is
locked because the number of the user's login failures reaches the upper limit. The locked user can log in to
the FTP server only after the login silence time expires.

● The maximum number of login verification times allowed by the FTP lock function refers to the maximum
number of times that the username and password of a user can be verified after the FTP lock function is
enabled. The default value is 3. If the number of verification failures exceeds the configured upper limit, the
session is terminated and the user is locked.

1.5.2 Restrictions and Guidelines

After the IP address lock function is enabled, if the number of locked IP addresses reaches the upper limit, the
full lock function is enabled. Then, the FTP server no longer accepts the connection request from any user until
the number of locked IP addresses is smaller than the upper limit.

1.5.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the FTP lock function. Configure at least one of the following tasks.

○ Disable the IP address lock function.

ftp-server login ip-block disable

The IP address lock function is enabled by default.

○ Disable the username lock function.

ftp-server login username-block disable

The username lock function is enabled by default.

○ Configure the FTP lock time.

ftp-server login silence-time time

By default, the FTP lock time is 5 minutes.

○ Configure the maximum number of IP addresses that can be locked after the IP address lock function is
enabled.


ftp-server login max-block-limit limit

By default, up to 30 IP addresses can be locked.

○ Configure the maximum number of login verification times allowed by the FTP lock function.

ftp-server login block failed-times times

By default, the maximum number of login verification times allowed by the FTP lock function is 3.
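
How the lock settings above interact (failed-times, silence-time, max-block-limit, and the full lock described under Restrictions and Guidelines) is easier to judge on a timeline. The following is an added example, not vendor code: a small model of the rules as this section states them, with defaults taken from the procedure. How the device keeps its counters is not documented here, so the model assumes a lock is applied when the failure count reaches the limit, and that a successful login or an expired lock resets the counter.

```python
from dataclasses import dataclass


@dataclass
class LockPolicy:
    """Defaults are the values stated in the procedure above."""
    failed_times: int = 3        # ftp-server login block failed-times
    silence_time: int = 5        # ftp-server login silence-time, in minutes
    max_block_limit: int = 30    # ftp-server login max-block-limit
    ip_block: bool = True        # off after: ftp-server login ip-block disable
    username_block: bool = True  # off after: ftp-server login username-block disable


class FtpLockModel:
    """Toy model of the lock rules; counter handling is this example's assumption."""

    def __init__(self, policy=None):
        self.policy = policy or LockPolicy()
        self.failures = {}      # ("ip" | "user", value) -> cumulative failed logins
        self.locked_until = {}  # ("ip" | "user", value) -> minute the lock expires

    def _expire(self, now):
        for key in [k for k, until in self.locked_until.items() if until <= now]:
            del self.locked_until[key]
            self.failures.pop(key, None)   # assumption: counter restarts after unlock

    def locked_ips(self, now):
        self._expire(now)
        return sorted(value for kind, value in self.locked_until if kind == "ip")

    def login(self, now, ip, username, password_ok):
        p = self.policy
        self._expire(now)
        # Full lock: the block list is full, so every connection request is refused.
        if p.ip_block and len(self.locked_ips(now)) >= p.max_block_limit:
            return "refused: full lock"
        if ("ip", ip) in self.locked_until:
            return "refused: IP address locked"
        if ("user", username) in self.locked_until:
            return "refused: username locked"
        tracked = []
        if p.ip_block:
            tracked.append(("ip", ip))
        if p.username_block:
            tracked.append(("user", username))
        if password_ok:
            for key in tracked:
                self.failures.pop(key, None)   # assumption: success clears the counters
            return "accepted"
        locked = []
        for key in tracked:
            self.failures[key] = self.failures.get(key, 0) + 1
            if self.failures[key] >= p.failed_times:   # assumption: lock on reaching the limit
                self.locked_until[key] = now + p.silence_time
                locked.append(key[0])
        return "rejected" + (", locked: " + "+".join(locked) if locked else "")


def walk_through():
    """Constructed timeline in minutes; addresses come from the 192.0.2.0/24 documentation range."""
    model = FtpLockModel(LockPolicy(max_block_limit=2))   # small limit keeps the demo short
    steps = [
        (0, "192.0.2.10", "alice", False),
        (0, "192.0.2.10", "alice", False),
        (0, "192.0.2.10", "alice", False),   # third failure locks the IP and the username
        (1, "192.0.2.10", "bob", True),      # other user, locked IP
        (1, "192.0.2.11", "alice", True),    # other IP, locked username
        (2, "192.0.2.12", "carol", False),
        (2, "192.0.2.12", "carol", False),
        (2, "192.0.2.12", "carol", False),   # second locked IP fills the block list
        (3, "192.0.2.13", "dave", True),     # refused although the password is right
        (5, "192.0.2.13", "dave", True),     # first lock expired, block list below the limit
        (5, "192.0.2.10", "bob", True),
    ]
    return [model.login(*step) for step in steps]


if __name__ == "__main__":
    for result in walk_through():
        print(result)
```

With the defaults, the same arithmetic applies at a larger scale: service to every client stops once 30 addresses are locked and resumes when the oldest lock's 5 minutes run out.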

1.6 Enabling AAA on the FTP Server


1.6.1 Overview

By default, FTP does not support AAA login authentication. However, you can enable AAA on the FTP server
through configuration.

1.6.2 Restrictions and Guidelines

This command takes effect only after FTP is enabled.

1.6.3 Prerequisites

Enable the AAA function before configuring this command. For details about how to enable AAA, see Configuring
AAA.

1.6.4 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enable AAA on the FTP server.

ftp-server authentication { default | name }

By default, FTP does not support AAA login authentication.

1.7 Configuring Read/Write Permission Control of FTP Users


1.7.1 Overview

After the user read/write permission control function is enabled, the configured FTP user levels or AAA username
levels can be used to control read/write permissions. By default, users of all levels have the read/write
permissions. After permission control is enabled, if the user level is not configured, it is set to 1 by default and
the user has only the read permission, that is, the user can only download data. You can configure FTP users
of different levels as required for read/write permission control.

1.7.2 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.


configure terminal

(3) Enable read/write permission control of FTP users.

ftp-server login permission enable

By default, read/write permission control of FTP users is disabled.

1.8 Monitoring
Run the show commands to check the configuration.

Run the debug command to output debugging information.

Caution

Debugging occupies system resources, so disable it immediately if not required.

Run the clear command to clear information.

Caution

During device operation, running the clear command may cause service interruption due to key information
loss.

Table 1-2 FTP Server Monitoring

Command Purpose

clear ftp-server block-list [ all | ip-address { ipv4-address | ipv6-address } [ vrf vrf-name ] | username user ] clear ftp-server block-list { all | ip-address { ipv4-address | ipv6-address } [ vrf vrf-name ] | username user }

show ftp-server show ftp-server

show ftp-server { ip-block | username-block } list show ftp-server { ip-block | username-block } list

debug ftp-server err debug ftp-server err

debug ftp-server pro debug ftp-server pro

1.9 Configuration Examples


1.9.1 Providing the FTP Service in a LAN

1. Requirements

As shown in Figure 1-3, a device in a LAN acts as the FTP server to provide the upload and download services
for users. The switch is an access device. The required session idle timeout is 5 minutes.

2. Topology

Figure 1-3 Providing the FTP Service in a LAN (topology: User Host, 192.168.21.26/24, connects through the Switch to interface G0/1 of Device A, 192.168.21.100/24)

3. Notes

Configure device A as follows:

(1) Enable the FTP server function.

(2) Configure the top-level directory /syslog.

(3) Set the username to user and password to password.

(4) Set the session idle timeout to 5 minutes.

4. Procedure

(1) Configure device A.

a. Configure an IP address.

DeviceA> enable
DeviceA# configure terminal
DeviceA(config)# interface gigabitethernet 0/1
DeviceA(config-if-GigabitEthernet 0/1)# ip address 192.168.21.100 255.255.255.0
DeviceA(config-if-GigabitEthernet 0/1)# exit

b. Enable the FTP server function.

DeviceA(config)# ftp-server enable


c. Configure the top-level directory /syslog.

DeviceA(config)# ftp-server topdir /syslog


d. Set the username to user and password to password.

DeviceA(config)# ftp-server username user password password


e. Set the session idle timeout to 5 minutes.

DeviceA(config)# ftp-server timeout 5


(2) Configure the user host.

Set the IP address of the user host to 192.168.21.26/24.

5. Verification

Run the show ftp-server command to display the FTP server configuration.

DeviceA# show ftp-server


ftp-server information
===================================


enable : Y
topdir : /syslog
timeout: 5min
total connect: 0
username:user
password:(PLAINT)password
connect num[0]

6. Configuration Files

● Device A configuration file

hostname DeviceA
!
interface gigabitEthernet 0/1
ip address 192.168.21.100 255.255.255.0
!
ftp-server enable
ftp-server topdir /syslog
ftp-server timeout 5
ftp-server username user password password
!

7. Common Errors

● No username is configured.

● No password is configured.

● No top-level directory is configured.
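
The common errors above, and the defaults listed in sections 1.3 to 1.7, can be checked against a saved configuration file before the FTP service is put into use. The following is an added example, not vendor code: it reads the ftp-server lines using the command syntax given on this page, fills in the page's stated defaults, and reports the settings a reviewer would look at. It is run on the Device A configuration above and on a constructed variant in which TYPE and SECRET are placeholders.

```python
import copy

# Defaults as stated in the procedures on this page.
DEFAULTS = {
    "enabled": False, "topdir": None, "users": [], "aaa": None,
    "permission_control": False, "ip_block": True, "username_block": True,
    "idle_timeout": 10, "login_timeout": 2, "max_sessions": 20,
    "silence_time": 5, "max_block_limit": 30, "failed_times": 3,
}
# Commands that end in one number, keyed by the words after "ftp-server".
NUMERIC = {
    ("timeout",): "idle_timeout",
    ("login", "timeout"): "login_timeout",
    ("max-sessions",): "max_sessions",
    ("login", "silence-time"): "silence_time",
    ("login", "max-block-limit"): "max_block_limit",
    ("login", "block", "failed-times"): "failed_times",
}
# ftp-server lines of the Device A configuration file shown above.
PAGE_CONFIG = """\
hostname DeviceA
ftp-server enable
ftp-server topdir /syslog
ftp-server timeout 5
ftp-server username user password password
"""
# Constructed variant; TYPE and SECRET are placeholders, not real values.
CONSTRUCTED_CONFIG = """\
ftp-server enable
ftp-server username ops privilege 1 password TYPE SECRET
ftp-server login permission enable
ftp-server login ip-block disable
ftp-server login block failed-times 5
"""


def parse_user(tokens):
    """Parse 'username [ privilege level ] password [ type ] password'; the secret is dropped."""
    user = {"name": tokens[0], "level": None, "type": None}
    rest = list(tokens[1:])
    if rest[:1] == ["privilege"] and len(rest) >= 2 and rest[1].isdigit():
        user["level"] = int(rest[1])
        rest = rest[2:]
    if rest[:1] == ["password"] and len(rest) == 3:
        user["type"] = rest[1]
    return user


def parse_ftp_server(config_text):
    """Return the effective FTP server settings: page defaults overlaid with the config."""
    s = copy.deepcopy(DEFAULTS)
    for line in config_text.splitlines():
        words = line.split()
        if not words or words[0] != "ftp-server":
            continue
        args = tuple(words[1:])
        if args == ("enable",):
            s["enabled"] = True
        elif args[:1] == ("topdir",) and len(args) == 2:
            s["topdir"] = args[1]
        elif args[:1] == ("username",) and len(args) >= 3:
            s["users"].append(parse_user(args[1:]))
        elif args[:1] == ("authentication",) and len(args) == 2:
            s["aaa"] = args[1]
        elif args == ("login", "permission", "enable"):
            s["permission_control"] = True
        elif args == ("login", "ip-block", "disable"):
            s["ip_block"] = False
        elif args == ("login", "username-block", "disable"):
            s["username_block"] = False
        elif args[:-1] in NUMERIC and args[-1].isdigit():
            s[NUMERIC[args[:-1]]] = int(args[-1])
    return s


def audit(config_text):
    """Return (settings, findings); every finding restates a behaviour this page documents."""
    s = parse_ftp_server(config_text)
    findings = []
    if not s["enabled"]:
        return s, findings          # the FTP server is disabled by default
    if s["topdir"] is None:
        findings.append("no top-level directory: clients cannot access any directory")
    if not s["users"] and s["aaa"] is None:
        findings.append("no username/password and no AAA authentication configured")
    for user in s["users"]:
        if user["type"] is None:
            findings.append(f"user {user['name']}: password has no type field "
                            "(listed as PLAINT by show ftp-server above)")
    if not s["permission_control"]:
        findings.append("permission control disabled: users of all levels can read and write")
    if not s["ip_block"]:
        findings.append("IP address lock function disabled")
    if not s["username_block"]:
        findings.append("username lock function disabled")
    return s, findings
```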

Contents

1 Configuring FTP Client
  1.1 Introduction
    1.1.1 Overview
    1.1.2 Principles
    1.1.3 Protocols and Standards
  1.2 Configuration Task Summary
  1.3 Enabling the FTP Client to Upload Files
    1.3.1 Overview
    1.3.2 Restrictions and Guidelines
    1.3.3 Prerequisites
    1.3.4 Procedure
  1.4 Enabling the FTP Client to Download Files
    1.4.1 Overview
    1.4.2 Restrictions and Guidelines
    1.4.3 Prerequisites
    1.4.4 Procedure
  1.5 Configuring the FTP Connection Mode

1.5.1 Overview ........................................................................................................................ 5

1.5.2 Restrictions and Guidelines ........................................................................................... 5

1.5.3 Procedure....................................................................................................................... 5

1.6 Configuring the Transmission Mode of the FTP Client ............................................................. 5

1.6.1 Overview ........................................................................................................................ 5

i
Configuration Guide Contents

1.6.2 Restrictions and Guidelines ........................................................................................... 5

1.6.3 Procedure....................................................................................................................... 5

1.7 Configuring the Source IP Address for FTP Connection........................................................... 6

1.7.1 Overview ........................................................................................................................ 6

1.7.2 Restrictions and Guidelines ........................................................................................... 6

1.7.3 Procedure....................................................................................................................... 6

1.8 Monitoring .................................................................................................................................. 6

1.9 Configuration Examples............................................................................................................. 6

1.9.1 Configuring the FTP Client............................................................................................. 6

ii
Configuration Guide Configuring FTP Client

1 Configuring FTP Client


1.1 Introduction
1.1.1 Overview

The File Transfer Protocol (FTP) is an application of TCP/IP. By setting up a connection-oriented and reliable
TCP connection between the FTP client and server, a user can access a remote computer that runs the FTP
server program.

An FTP client enables file transfer between a device and the FTP server over FTP. A user uses the client to send
a command to the server. The server responds to the command and sends the execution result to the client. By
means of command interaction, the user can view files in the server directory, copy files from a remote computer
to a local computer, and transfer local files to a remote computer.

FTP facilitates sharing of program/data files and remote use of computers. Users can transfer data in an efficient
and reliable manner without caring about differences between file systems on different hosts.

The FTP client on the device runs commands differently from a standard interactive FTP client. You enter the copy
command in the CLI, and the commands related to the control connection, such as open, user, and pass, are run
automatically. After a control connection is established, the file transfer process starts. Then, a data connection
is established to upload or download files.

Note

For the principles of the connection between the FTP client and server, see Configuring FTP Server.

The following sections introduce only the FTP client.

1.1.2 Principles

1. FTP Connection Mode

FTP supports two data connection modes: active (PORT) and passive (PASV). The two modes differ only in the
way that a data connection is established, and the control connection is the same.

● In PORT mode, when a data connection is established, the FTP server initiates a request to establish a new
connection with the client for data transmission. This mode cannot be used if a firewall is deployed on the
FTP client. The connection establishment process is as follows:

a. The FTP client establishes a control channel through port 1026 and port 21 of the FTP server, and sends
control commands through this channel.

b. The client sends the PORT command through this channel when it needs to receive data. The PORT
command contains the port information (1027) of the client data channel.

c. When transmitting data, the server connects to port 1027 of the client through port 20 on the server to
establish a data channel for data transmission and reception.

d. The client sends a response. Data transmission ends.

Figure 1-1 PORT Mode (FTP client: data port 1027, command port 1026; FTP server: command port 21, data port 20)

● In PASV mode, the FTP client initiates a request when a data connection is established. The connection
establishment process is as follows:

a. The FTP client establishes a control channel through port 1026 and port 21 of the FTP server, and sends
control commands through this channel.

b. The client sends the PASV command through this channel when it needs to receive data.

c. After receiving the PASV command, the FTP server randomly opens a high-numbered port (2024 in this
example) and notifies the client to use this port for data transmission.

d. The client uses port 1027 to connect to port 2024 of the FTP server, and then sends or receives data on
this channel. The FTP server does not need to establish a new connection with the client.

Figure 1-2 PASV Mode (FTP client: data port 1027, command port 1026; FTP server: command port 21, data port 20,
passive data port 2024)

Note

The control connection for command and feedback transmission is always present whereas the data
connection is established as required. Only the FTP client can select the PASV or PORT mode. The FTP mode
supported by an FTP client depends on the actual FTP client software. An FTP client uses the PASV mode by
default.
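
The PORT command and the server's reply to PASV both carry the data-channel endpoint as six comma-separated decimal numbers (four address bytes, then the high and low byte of the port, per RFC 959). The following Python sketch is an added example, not code from this guide or the device: it decodes both messages using the addresses and ports from the figures above (the control-line strings are constructed samples) and reports which side must accept an inbound connection, which is what a firewall between client and server has to permit.

```python
"""Decode the data-channel endpoint carried by FTP PORT and by the 227 reply to PASV."""
import ipaddress
import re

# h1,h2,h3,h4,p1,p2: four address bytes followed by the port's high and low byte
HOSTPORT_RE = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

# Addresses and ports taken from the guide's example; the message text is constructed.
CLIENT_IP = "192.168.21.26"
SERVER_IP = "192.168.21.100"
SAMPLE_PORT = "PORT 192,168,21,26,4,3"
SAMPLE_PASV = "227 Entering Passive Mode (192,168,21,100,7,232)"


def encode_hostport(ip, port):
    """Return the h1,h2,h3,h4,p1,p2 string for an IPv4 address and TCP port."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = ipaddress.IPv4Address(ip).packed
    return ",".join(str(b) for b in octets) + f",{port >> 8},{port & 0xFF}"


def decode_hostport(text):
    """Extract (ip, port) from a PORT command or a 227 reply."""
    match = HOSTPORT_RE.search(text)
    if match is None:
        raise ValueError(f"no host-port field in {text!r}")
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field larger than one byte in {text!r}")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connection(control_line, client_ip, server_ip):
    """Describe the data connection that one control-channel line sets up.

    control_line is a client command ("PORT ...") or a server reply ("227 ...").
    peer_match is False when the advertised address is not the control-connection
    peer, which is worth flagging in a firewall rule or a log review.
    """
    parts = control_line.split(None, 1)
    if not parts:
        raise ValueError("empty control line")
    verb = parts[0].upper()
    if verb == "PORT":   # active mode: the server connects to the client
        ip, port = decode_hostport(control_line)
        return {"mode": "PORT", "initiator": server_ip, "listener": (ip, port),
                "inbound_to": "client", "peer_match": ip == client_ip}
    if verb == "227":    # passive mode: the client connects to the server
        ip, port = decode_hostport(control_line)
        return {"mode": "PASV", "initiator": client_ip, "listener": (ip, port),
                "inbound_to": "server", "peer_match": ip == server_ip}
    raise ValueError(f"not a PORT command or 227 reply: {control_line!r}")


if __name__ == "__main__":
    for line in (SAMPLE_PORT, SAMPLE_PASV):
        print(line, "->", data_connection(line, CLIENT_IP, SERVER_IP))
```

In PORT mode the inbound connection lands on the client, so the client-side firewall must allow it; in PASV mode both connections are opened by the client.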

2. FTP File Transmission Modes

FTP provides two file transmission modes:

● Binary transmission mode: It is used to transfer program files (for example, .app, .bin and .btm files),
executable files, compressed files, image files, and all ASCII values. In this transmission mode, data is not
processed, and therefore transmission is faster than in the text transmission mode.

● Text transmission mode (ASCII mode): It is used to transfer text files (such as .txt, .bat, and .cfg files). This
mode differs from the binary mode in how carriage returns and line feeds are processed. In ASCII mode, carriage
returns and line feeds are converted to the local line-ending characters. For example, \n in Unix is \r\n in
Windows or \r in Mac. Assume that a file copied by a user contains ASCII text. If a remote computer does not run
Unix, FTP automatically converts the file to the format accepted by the remote computer during file transfer.

3. Specifying the Source IP Address for FTP Transmission

You can configure a source IP address for the FTP client and use it to communicate with an FTP server. With
this IP address, the FTP client can connect to the server and share files with the server.

4. Checking Sizes of Files Downloaded from an FTP Server

When the FTP client downloads a file, it checks the file size by default to detect file transfer errors (if any). You
can also disable the file size check when downloading files from FTP servers that cannot reply to FTP clients
with file sizes.

1.1.3 Protocols and Standards

● RFC 959: FILE TRANSFER PROTOCOL (FTP)

1.2 Configuration Task Summary


All the configuration tasks below are optional. Select the configuration tasks as required.

● Configuring basic functions of the FTP client

○ Enabling the FTP Client to Upload Files

○ Enabling the FTP Client to Download Files

● Configuring extended functions of the FTP client

○ Configuring the FTP Connection Mode

○ Configuring the Transmission Mode of the FTP Client

○ Configuring the Source IP Address for FTP Connection

1.3 Enabling the FTP Client to Upload Files


1.3.1 Overview

You can use the FTP client to upload files to the FTP server.

1.3.2 Restrictions and Guidelines

During file transfer, do not insert or remove a storage medium or transmission medium to or from the device to
avoid transmission errors.

1.3.3 Prerequisites

The user must have an account with the read and write permissions for the FTP server, and can use this account
to access the target folder on the FTP server.

1.3.4 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Upload files.

copy flash:local-file ftp://account-information@remote-file

1.4 Enabling the FTP Client to Download Files


1.4.1 Overview
You can use the FTP client to download files from the FTP server.

1.4.2 Restrictions and Guidelines


During file transfer, do not insert or remove a storage medium or transmission medium to or from the device to
avoid transmission errors.

1.4.3 Prerequisites
The user must have an account with the read permission for the FTP server, and can use this account to access
the target files on the FTP server.

1.4.4 Procedure
(1) Enter the privileged EXEC mode.

enable

(2) (Optional) Disable the size check of files downloaded from the FTP server.

○ Enter the global configuration mode.

configure terminal

○ Disable the size check of files downloaded from the FTP server.

ftp-client disable-size-check

By default, the sizes of files downloaded from the FTP server are checked.

○ Exit the global configuration mode.

exit

(3) Download files.

copy ftp://account-information@remote-file flash:local-file

1.5 Configuring the FTP Connection Mode


1.5.1 Overview

You can download or upload files in the specified FTP connection mode. The default FTP connection mode is
PASV. You can set the FTP connection mode to PORT, in which the FTP server initiates a connection request to
the client.

1.5.2 Restrictions and Guidelines

If you need to specify the vrf vrf-name parameter when configuring the FTP client, configure the VRF first. For
details about the VRF, see Configuring VRF.

1.5.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Set the connection mode to PORT.

ftp-client [ vrf vrf-name ] port

The default FTP connection mode is PASV.

1.6 Configuring the Transmission Mode of the FTP Client


1.6.1 Overview

You can download or upload files in the specified transmission mode of the FTP client. The default transmission
mode is Binary. You can also set the transmission mode to ASCII according to your requirements.

1.6.2 Restrictions and Guidelines

If you need to specify the vrf vrf-name parameter when configuring the FTP client, configure the VRF first. For
details about the VRF, see Configuring VRF.

1.6.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Set the transmission mode to ASCII.

ftp-client [ vrf vrf-name ] ascii

The default transmission mode is Binary.

1.7 Configuring the Source IP Address for FTP Connection


1.7.1 Overview

You can download or upload files using the specified IP address of the FTP client. The FTP client is bound to
the IP address of a port so that the client can use this IP address to connect to the server.

1.7.2 Restrictions and Guidelines

If you need to specify the vrf vrf-name parameter when configuring the FTP client, configure the VRF first. For
details about the VRF, see Configuring VRF.

1.7.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the source IP address for FTP connection.

ftp-client [ vrf vrf-name ] source { ipv4-address | ipv6-address | interface-type interface-number }

By default, no source IP address is bound to the FTP client. Instead, an IP address is selected for the client
based on the route.

1.8 Monitoring
Run the show command to check the configuration.

Run the debug command to output debugging information.

Caution

Debugging occupies system resources, so disable it immediately if not required.

Table 1-1 Monitoring

Command             Purpose
show ftp-client     Displays the FTP client configurations.
debug ftp-client    Debugs the FTP client.

1.9 Configuration Examples


1.9.1 Configuring the FTP Client

1. Requirements

As shown in Figure 1-3, in a LAN, a local device needs to share files with a remote FTP server, and FTP is
required to work in the specified connection mode and transmission mode.

2. Topology

Figure 1-3 Topology of FTP Client: Device A (G0/1, 192.168.21.26/24) -- Switch -- FTP Server (192.168.21.100/24)

3. Notes

● Set the FTP connection mode to PORT.

● Set the transmission mode to ASCII.

● Use the username user and password pass to log in to the FTP server, upload the local-file file in the home
directory of the local device to the root directory of the FTP server, and rename the file remote-file.

● Use the username user and password pass to log in to the FTP server, download the remote-file file from
the root directory of the FTP server to the home directory of the local device, and rename this file local-file.

4. Procedure

(1) Configure the FTP server.

Set the IP address of the FTP server to 192.168.21.100/24.

(2) Configure device A.

a. Configure the IP address of device A.

DeviceA> enable
DeviceA# configure terminal
DeviceA(config)# interface gigabitethernet 0/1
DeviceA(config-if-GigabitEthernet 0/1)# ip address 192.168.21.26 255.255.255.0
DeviceA(config-if-GigabitEthernet 0/1)# exit

b. Set the transmission mode to ASCII.

DeviceA(config)# ftp-client ascii

c. Set the FTP connection mode to PORT.

DeviceA(config)# ftp-client port
DeviceA(config)# exit

d. Upload the file.

DeviceA# copy flash:home/local-file ftp://user:pass@192.168.21.100/root/remote-file

e. Download the file.

DeviceA# copy ftp://user:pass@192.168.21.100/root/remote-file flash:home/local-file

5. Verification

Run the show ftp-client command to view the FTP client configurations.

DeviceA> enable

DeviceA# show ftp-client


ftp-client information
===================================
type: ASCII
mode: PORT

6. Configuration Files

Device A configuration file

hostname DeviceA
!
interface gigabitethernet 0/1
ip address 192.168.21.26 255.255.255.0
!
ftp-client ascii
ftp-client port
!

7. Common Errors

● The command formats for uploading and downloading are incorrect.

● The username or password is incorrect.

Contents

1 Configuring TFTP Server
1.1 Introduction
1.1.1 Overview
1.1.2 Principles
1.1.3 Protocols and Standards
1.2 Configuring Basic Functions of the TFTP Server
1.2.1 Overview
1.2.2 Procedure
1.3 Monitoring
1.4 Configuration Examples
1.4.1 Configuring the TFTP Server

Configuration Guide Configuring TFTP Server

1 Configuring TFTP Server


1.1 Introduction
1.1.1 Overview

Trivial File Transfer Protocol (TFTP) is a standard application layer protocol formulated by the IETF Network
Working Group. TFTP uses User Datagram Protocol (UDP) as its transport protocol, and the well-known UDP
port for TFTP traffic is 69.

TFTP provides an uncomplicated and inexpensive file transfer service. Many commonly used FTP features are
unavailable in TFTP. TFTP can only upload or download files; it cannot list directories, perform authentication,
or provide a security mechanism. TFTP employs a timeout and retransmission strategy to ensure data transmission.
TFTP is described in RFC 1350.

A TFTP client can conveniently download files (such as upgrade packages) on the device from the TFTP server,
or upload files directly to the file system of the TFTP server.

1.1.2 Principles

1. TFTP Packet

After the TFTP client initiates a file read or write request, and the TFTP server approves the request, TFTP
transmits the data in 512-byte packets. A packet with less than 512 bytes indicates that the transmission is
completed.

Each packet contains a data block, and the next packet can be sent only after an acknowledgment (ACK) packet
is received from the peer. If the ACK packet is not received within the specified time, the last packet sent is
retransmitted.

The header of a TFTP packet contains an Opcode field, which indicates the packet type. Opcodes 1 to 5
represent five types of packets:

● 1: Read Request (RRQ)

● 2: Write Request (WRQ)

● 3: Data (DATA)

● 4: Acknowledgment (ACK)

● 5: Error (ERROR)

Figure 1-1 TFTP Packet

Read and Write Request Packet
  Field:  Opcode (1 or 2) | File Name | 0 | Mode    | 0
  Size:   2 Bytes         | n Bytes   | 1 | n Bytes | 1

Data Packet
  Field:  Opcode (3) | Block#  | Data
  Size:   2 Bytes    | 2 Bytes | 0~512 Bytes

Acknowledgment Packet
  Field:  Opcode (4) | Block#
  Size:   2 Bytes    | 2 Bytes

Error Packet
  Field:  Opcode (5) | Block#  | Error Message | 0
  Size:   2 Bytes    | 2 Bytes | 2 Bytes       | 1

The Error Message in an error packet contains 2 bytes in ASCII code. TFTP provides the following error codes:

● 0: Not defined;

● 1: File not found;

● 2: Access violation;

● 3: Disk full;

● 4: Illegal TFTP operation;

● 5: Unknown port;

● 6: File already exists;

● 7: No such user.

2. TFTP Working Modes

Figure 1-2 TFTP Working Modes (message exchange between the TFTP client and the TFTP server: RRQ/WRQ, DATA/ACK,
ACK/DATA, DATA, ACK)

(1) The TFTP client initiates a read request (RRQ) or write request (WRQ) to the TFTP server.

(2) If the TFTP server receives an RRQ, it checks whether the read conditions are met (whether the file exists
and whether the TFTP client has the access permission). If yes, the TFTP server sends a data packet (DATA)
to the TFTP client. If the TFTP server receives a WRQ, it checks whether the write conditions are met
(whether there is enough space and whether the TFTP client has the write permission). If yes, the TFTP server
sends an ACK packet to the TFTP client.

(3) If the TFTP client receives a DATA packet when preparing to download a file, it replies with an ACK packet.
If the TFTP client receives an ACK packet when preparing to upload a file, it continues to send the DATA
packet.

(4) The exchange of DATA and ACK packets repeats until a final DATA packet with fewer than 512 bytes is
received, which indicates the end of the transmission.

(5) If an error is encountered in the transmission process, an ERROR packet is sent to the peer.
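
The packet layouts and the lock-step exchange described in this section can be checked against captured traffic. The following Python sketch is an added example, not code from this guide or the device: it decodes the five packet types and follows one transfer to report the file name, byte count, retransmissions and completion. It assumes the default 512-byte block size and decodes the ERROR packet as RFC 1350 defines it (a 2-byte error code followed by a NUL-terminated message); the capture and the file names in it are constructed.

```python
"""Parse TFTP packets (RFC 1350 layout) and follow one transfer from a capture."""
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
ERROR_CODES = {0: "Not defined", 1: "File not found", 2: "Access violation",
               3: "Disk full", 4: "Illegal TFTP operation", 5: "Unknown port",
               6: "File already exists", 7: "No such user"}
BLOCK_SIZE = 512  # a DATA payload shorter than this ends the transfer


def parse_tftp(payload):
    """Decode one UDP payload into a dict describing the TFTP packet."""
    if len(payload) < 4:
        raise ValueError("shorter than the smallest TFTP packet")
    opcode, = struct.unpack("!H", payload[:2])
    name = OPCODES.get(opcode)
    if name is None:
        raise ValueError(f"unknown opcode {opcode}")
    body = payload[2:]
    if name in ("RRQ", "WRQ"):
        # file name, NUL, mode, NUL; RFC 2347 options may follow and are ignored here
        fields = body.split(b"\x00")
        if len(fields) < 3 or not fields[0] or not fields[1]:
            raise ValueError("request lacks a NUL-terminated file name and mode")
        return {"op": name, "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    number, = struct.unpack("!H", body[:2])  # block number, or error code for ERROR
    if name == "DATA":
        data = body[2:]
        if len(data) > BLOCK_SIZE:
            raise ValueError("DATA payload exceeds 512 bytes")
        return {"op": name, "block": number, "data": data,
                "last": len(data) < BLOCK_SIZE}
    if name == "ACK":
        if len(body) != 2:
            raise ValueError("ACK must be exactly 4 bytes")
        return {"op": name, "block": number}
    message = body[2:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"op": name, "code": number,
            "meaning": ERROR_CODES.get(number, "unknown"), "message": message}


def summarize_transfer(payloads):
    """Follow one transfer (UDP payloads in capture order) and report what moved."""
    packets = [parse_tftp(p) for p in payloads]
    request = packets[0]
    if request["op"] not in ("RRQ", "WRQ"):
        raise ValueError("a transfer starts with RRQ or WRQ")
    summary = {"request": request["op"], "filename": request["filename"],
               "mode": request["mode"], "blocks": 0, "bytes": 0,
               "retransmits": 0, "complete": False, "error": None}
    last_block, final_sent = 0, False
    for pkt in packets[1:]:
        if pkt["op"] == "ERROR":
            summary["error"] = f'{pkt["code"]}: {pkt["meaning"]}'
            break
        if pkt["op"] == "DATA":
            if pkt["block"] == (last_block + 1) & 0xFFFF:   # next block in lock-step
                last_block, final_sent = pkt["block"], pkt["last"]
                summary["blocks"] += 1
                summary["bytes"] += len(pkt["data"])
            elif summary["blocks"] and pkt["block"] == last_block:
                summary["retransmits"] += 1                 # resent after an ACK timeout
            else:
                raise ValueError(f'DATA block {pkt["block"]} is out of sequence')
        elif pkt["op"] == "ACK" and final_sent and pkt["block"] == last_block:
            summary["complete"] = True   # the short final block was acknowledged
    return summary


def constructed_capture():
    """Constructed sample: download of a 1124-byte file, block 2 sent twice."""
    def data(block, size):
        return struct.pack("!HH", 3, block) + b"A" * size

    def ack(block):
        return struct.pack("!HH", 4, block)

    return [b"\x00\x01startup.cfg\x00octet\x00",   # RRQ, binary ("octet") mode
            data(1, 512), ack(1), data(2, 512), data(2, 512), ack(2),
            data(3, 100), ack(3)]


if __name__ == "__main__":
    print(summarize_transfer(constructed_capture()))
```

Because TFTP performs no authentication, a summary like this, produced from traffic on UDP port 69, is often the only record of which files were read from or written to the server.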

3. TFTP File Transmission Modes

TFTP supports the following transmission modes:

● Binary mode for transmitting program files

● ASCII mode for transmitting text files

1.1.3 Protocols and Standards

● RFC 1350: The TFTP Protocol (revision 2)

● RFC 2347: TFTP Option Extension

● RFC 2348: TFTP Blocksize Option

● RFC 2349: TFTP Timeout Interval and Transfer Size Options

1.2 Configuring Basic Functions of the TFTP Server


1.2.1 Overview

This section describes how to configure the TFTP server to provide the upload and download service for the
TFTP client.

1.2.2 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the top-level directory of the TFTP server.

tftp-server topdir directory

By default, the TFTP client can read and write files in the Flash directory.

(4) Enable the TFTP server function.

tftp-server enable

The TFTP server is disabled by default.

1.3 Monitoring
Run the show command to check the configuration.

Run the debug command to output debugging information.

Caution

Debugging occupies system resources, so disable it immediately if not required.

Table 1-1 Monitoring

Command                           Purpose
show tftp-server                  Displays the TFTP server configurations.
show tftp-server updating-list    Displays the file download progress on the client.
debug tftp-server                 Debugs the server.

1.4 Configuration Examples


1.4.1 Configuring the TFTP Server

1. Requirements

Configure a TFTP server in a LAN so that users can upload and download files.

2. Topology

Figure 1-3 Topology of TFTP Server: Host (192.168.21.26/24) -- Device A (G0/1, 192.168.21.100/24)

3. Notes

Configure Device A as follows:

(1) Enable the TFTP server.

(2) Configure the top-level directory.

4. Procedure

(1) Configure device A.

Configure the IP address of the Ethernet interface.

DeviceA> enable
DeviceA# configure terminal
DeviceA(config)# interface gigabitethernet 0/1
DeviceA(config-if-GigabitEthernet 0/1)# ip address 192.168.21.100 255.255.255.0
DeviceA(config-if-GigabitEthernet 0/1)# exit

Configure the top-level directory of the TFTP server.

DeviceA(config)# tftp-server topdir /tmp

Enable the TFTP server function.

DeviceA(config)# tftp-server enable


(2) Configure the host.

Set the IP address of the host to 192.168.21.26/24.

5. Verification

Run the show tftp-server command to view the TFTP server configurations.

DeviceA# show tftp-server


tftp-server information
===================================
enable : Y
topdir : /tmp

6. Configuration Files

TFTP server configuration file

hostname DeviceA
!
interface GigabitEthernet 0/1
ip address 192.168.21.100 255.255.255.0
!
tftp-server enable
tftp-server topdir /tmp
!

7. Common Errors

● No top-level directory is configured.

Contents

1 Configuring TFTP Client
1.1 Introduction
1.1.1 Overview
1.1.2 Principles
1.1.3 Protocols and Standards
1.2 Configuration Task Summary
1.3 Enabling the TFTP Client to Upload Files
1.3.1 Overview
1.3.2 Restrictions and Guidelines
1.3.3 Procedure
1.4 Enabling the TFTP Client to Download Files
1.4.1 Overview
1.4.2 Restrictions and Guidelines
1.4.3 Procedure
1.5 Binding the Source IP Address to the TFTP Client
1.5.1 Overview
1.5.2 Procedure
1.6 Configuring a Port Number for TFTP Connection
1.6.1 Overview
1.6.2 Restrictions and Guidelines
1.6.3 Procedure
1.7 Monitoring
1.8 Configuration Examples
1.8.1 Configuring the TFTP Client

Configuration Guide Configuring TFTP Client

1 Configuring TFTP Client


1.1 Introduction
1.1.1 Overview

The Trivial File Transfer Protocol (TFTP) is a specific application of Transmission Control Protocol/Internet
Protocol (TCP/IP). File transfer between TFTP client and server is implemented based on User Datagram
Protocol (UDP), and the default port number is 69. Compared with the TCP-based FTP protocol, TFTP does not
require authentication or have complex packets. It is suitable for a stable network environment and small file
transfer.

Note

TFTP is suitable for small file transfer, and FTP supports transfer of large files.

1.1.2 Principles

1. Specifying the Source Interface IP Address for TFTP Transmission

You can configure a source IP address for the TFTP client and use it to communicate with a TFTP server. With
this IP address, the TFTP client can connect to the server and share files with the server. Specifying the egress
interface of packets facilitates interface management.

2. Specifying a Port Number for Connection with the TFTP Server

You can specify a port number on the TFTP client to connect with the TFTP server and transfer files. Specifying
a port number also prevents attacks.

1.1.3 Protocols and Standards

● RFC 783: Trivial FILE TRANSFER PROTOCOL (TFTP)

1.2 Configuration Task Summary


All the configuration tasks below are optional. Select the configuration tasks as required.

● Basic functions of the TFTP client

○ Enabling the TFTP Client to Upload Files

○ Enabling the TFTP Client to Download Files

● Extended functions of the TFTP client

○ Binding the Source IP Address to the TFTP Client

○ Configuring a Port Number for TFTP Connection

1.3 Enabling the TFTP Client to Upload Files


1.3.1 Overview

You can upload files from the TFTP client to the TFTP server.

1.3.2 Restrictions and Guidelines

During file transfer, do not insert or remove a storage medium or transmission medium to or from the device to
avoid transmission errors.

1.3.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Upload files.

copy flash:local-file tftp://remote-file

1.4 Enabling the TFTP Client to Download Files


1.4.1 Overview

You can download files from the TFTP server to the TFTP client.

1.4.2 Restrictions and Guidelines

During file transfer, do not insert or remove a storage medium or transmission medium to or from the device to
avoid transmission errors.

1.4.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Download files.

copy tftp://remote-file flash:local-file

1.5 Binding the Source IP Address to the TFTP Client


1.5.1 Overview

You can bind a source IP address to the TFTP client so that the client can use this IP address to communicate
with the server for file upload or download.

1.5.2 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Bind a source IP address to the TFTP client.

tftp-client source { ip ipv4-address | ipv6 ipv6-address | interface-type interface-number }

By default, no source IP address is bound to the TFTP client. Instead, an IP address is selected for the client
based on the route.

1.6 Configuring a Port Number for TFTP Connection


1.6.1 Overview

You can specify the port number used by the TFTP client to connect with the TFTP server for file upload and
download.

1.6.2 Restrictions and Guidelines

The range of the port number configured for the TFTP client is from 20000 to 65534.

1.6.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the port number used by the TFTP client to connect with the TFTP server.

tftp-client port port-number

The default port number used by the TFTP client to connect with the TFTP server is 69.

1.7 Monitoring
Run the debug command to output debugging information.

Caution

Debugging occupies system resources, so disable it immediately if not required.

Table 1-1 Monitoring

Command       Purpose
debug tftp    Debugs the TFTP client.

1.8 Configuration Examples


1.8.1 Configuring the TFTP Client

1. Requirements

A local device needs to upload a file to a remote TFTP server, and download another file from the TFTP server.


2. Topology

[Figure 1-1 Topology of TFTP Client: Device A (G0/1, 192.168.21.26/24) connected to the TFTP server (192.168.21.100/24)]

3. Notes

● Upload the local-file file in the Flash directory on device A to the root directory of the TFTP server with the
IP address 192.168.21.100, and rename the file remote-file.

● Download the remote-file file from the root directory of the TFTP server with the IP address 192.168.21.100
to the Flash directory on device A, and save the file as download-file.

4. Procedure

(1) Configure the TFTP server.

Set the IP address of the TFTP Server to 192.168.21.100/24.

(2) Configure device A.

a. Configure an IP address.

DeviceA> enable
DeviceA# configure terminal
DeviceA(config)# interface gigabitethernet 0/1
DeviceA(config-if-GigabitEthernet 0/1)# ip address 192.168.21.26 255.255.255.0
DeviceA(config-if-GigabitEthernet 0/1)# exit

b. Upload the file.

DeviceA# copy flash:local-file tftp://192.168.21.100/root/remote-file

c. Download the file.

DeviceA# copy tftp://192.168.21.100/root/remote-file flash:download-file

5. Verification

Check whether the remote-file file exists on the TFTP server.

Run the dir command on device A to check whether the download-file file exists in the home directory
of the Flash.

6. Configuration Files

Device A configuration file

hostname DeviceA
!
interface gigabitEthernet 0/1
ip address 192.168.21.26 255.255.255.0
!


7. Common Errors

● The format of the uploaded or downloaded file is incorrect.


Contents

1 Configuring HTTP
1.1 Introduction
1.1.1 Overview
1.1.2 Principles
1.1.3 Protocols and Standards
1.2 Configuration Task Summary
1.3 Configuring Basic Functions of the HTTP Service
1.3.1 Overview
1.3.2 Restrictions and Guidelines
1.3.3 Procedure
1.4 Configuring Remote HTTP Upgrade
1.4.1 Overview
1.4.2 Restrictions and Guidelines
1.4.3 Procedure
1.5 Monitoring
1.6 Configuration Examples
1.6.1 Configuring Basic Features of HTTP Service
1.6.2 Configuring Remote HTTP Upgrade
Configuration Guide Configuring HTTP

1 Configuring HTTP
1.1 Introduction
1.1.1 Overview

The Hypertext Transfer Protocol (HTTP) is used to transmit web page information on the Internet. It is at the
application layer of the TCP/IP protocol stack. The transport layer adopts the connection-oriented Transmission
Control Protocol (TCP).

The Hypertext Transfer Protocol Secure (HTTPS) is an HTTP protocol supporting the Secure Sockets Layer
(SSL) protocol. HTTPS is used to create a secure channel on an insecure network, to prevent information from
being monitored and protect against man-in-the-middle attacks. HTTPS is widely used in secure and sensitive
communication on the Internet, for example, electronic transaction payments.

1.1.2 Principles

1. HTTP Service

HTTP is a service provided for web management. Users log in to devices through web pages to configure and
manage the devices.

Web management covers web clients and web servers. Similarly, the HTTP service adopts the client/server
mode. The HTTP client is embedded in the web browser of the web management client. It sends HTTP packets
and receives and processes HTTP response packets. The web server (HTTP server) is embedded in devices.
The information exchange between the client and the server is as follows:

● A TCP connection is established between the client and the server. The default port number of the HTTP
service is 80 and the default port number of the HTTPS service is 443.

● The client sends a request to the server.

● The server parses the request sent by the client. The request content includes obtaining a web page, running
a CLI command, and uploading a file.

● After executing the request content, the server sends a response to the client.

● The TCP connection between the server and the client is closed.

2. HTTPS Service

The HTTPS service is an SSL-based HTTP service, as shown in Figure 1-1. The HTTPS service improves the
device security through the following services provided by the SSL protocol:

● Mutual authentication is needed between the client and the server to ensure that data is sent to the correct
client and server, and unauthorized users are prevented from attacking the device.

● The communication data between the client and the server is encrypted to prevent the data from being stolen
midway, ensuring security and integrity of the data transmission and achieving security management of the
device.


[Figure 1-1 Principle of HTTPS Service: the web browser and the web server each run HTTP over SSL; communication is plaintext at the HTTP layer and ciphertext at the SSL layer]

Caution

To run HTTPS properly, the server must have a Public Key Infrastructure (PKI) certificate, while a certificate on the client is optional.

3. HTTP Upgrade Service

One HTTP upgrade method is available: remote HTTP upgrade.

● Remote upgrade service

The device connects to a remote HTTP server as a client and upgrades local files by obtaining files from the
server. The process is as follows:

a. The device connects to the server. The configured server address is preferred. If the device cannot
connect to that address, it connects to the server address in the local upgrade file.

b. The device sends the version numbers of its service modules to the server.

c. The server parses the version numbers and provides a file download list.

d. Based on the file download list, the device connects to the file server and downloads the upgrade file.
The device can connect to different servers to download different upgrade files.

e. The device upgrades itself by using the upgrade file.

1.1.3 Protocols and Standards

● RFC 1945: Hypertext Transfer Protocol -- HTTP/1.0

● RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1

● RFC 2818: Hypertext Transfer Protocol Over TLS -- HTTPS

1.2 Configuration Task Summary


HTTP service configuration includes the following tasks:

(1) Configuring Basic Functions of the HTTP Service

(2) Configuring Remote HTTP Upgrade

1.3 Configuring Basic Functions of the HTTP Service


1.3.1 Overview

After the HTTP service is enabled on a device, you can log in to the web management page to manage the
device after passing authentication, and can monitor the device status, configure the device, and upload and
download files.


1.3.2 Restrictions and Guidelines

● Usernames and passwords involve three permission levels. Up to 10 usernames and passwords can be
configured for each permission level.

● By default, the system creates the account admin. The account cannot be deleted and only the password of
the account can be changed. The administrator account admin corresponds to the level 0 privilege. Account
admin owns all function privileges on the web client and can edit other management accounts and authorize
the accounts to access pages. All new accounts correspond to the level 1 privilege.

● To change the HTTPS service port, you must configure the HTTPS service port.

● You can configure an HTTPS service port number to reduce attacks initiated by unauthorized users on the
HTTPS service.

● For security purposes, you are advised to enable only the HTTPS service. If users access the system using
HTTP, they will be redirected to the HTTPS service to ensure high security.

● Multi-user management is supported, and multiple accounts can be logged in simultaneously. In addition, the
same account can be logged in on multiple clients (such as multiple browsers) simultaneously.

● After login, if you do not operate the web page for more than 5 minutes, you are logged out due to timeout
and need to log in again.

1.3.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the HTTP service.

enable service web-server [ http | https | all ]

The HTTP and HTTPS service features are disabled by default.

(4) Configure the HTTP authentication information.

webmaster level privilege-level username username { password [ 0 | 7 ] encrypted-password | secret [ 0 | 8 ] unencrypted-password }

By default, the permission level bound to a user is 0, the username is admin, and the plaintext password is admin.

(5) Configure an HTTP service port.

http port port-number

The default port number of the HTTP service is 80.

(6) Configure an HTTPS service port.

http secure-port port-number

The default port number of the HTTPS service is 443.


1.4 Configuring Remote HTTP Upgrade


1.4.1 Overview

The device is connected to a remote HTTP server as a client and upgrades local files by obtaining files from the
server.

1.4.2 Restrictions and Guidelines

● Before configuring the domain name of an HTTP upgrade server, enable the Domain Name System (DNS)
on the device and configure the DNS server address.

● Configuring the server address is optional because the local upgrade record file records the addresses of
possible upgrade servers.

● The server address does not support IPv6.

● Run the http update server command to configure the server address and port number for HTTP upgrade.

● During an HTTP upgrade, the device first connects to the server address configured by this command. If the
device cannot connect to that address, it attempts to connect to the server addresses recorded in the local
file in turn. If the device cannot connect to any of the servers, the upgrade cannot be performed.

● The system records the address or addresses of one or more upgrade servers. These addresses cannot be
modified.

● If there is no special requirement, the HTTP upgrade time does not need to be configured.

● The http update time daily command can be used to change the automatic upgrade time, but it can only
configure one time point in each day. The time is accurate to the minute.

● In automatic upgrade mode, the device checks the file versions on the server as scheduled every day and
upgrades itself by using the upgrade file.

1.4.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the HTTP upgrade server.

http update server { host-name | ipv4-address } [ extend | port port-number | uri ]

The default server address for HTTP upgrade is 0.0.0.0 and the default port number is 80.

(4) (Optional) Configure the HTTP upgrade mode.

http update mode manual

The default HTTP upgrade mode is automatic upgrade.

(5) (Optional) Configure the HTTP automatic detection time.

http update time daily hh:mm

The automatic detection time is random in the range from 00:00 to 23:59 by default.

(6) Exit to the privileged EXEC mode.

end

(7) (Optional) Configure the device to detect upgrade files on the HTTP server.

http check-version [ extend ]

The function of detecting the version information of upgrade files on an HTTP server is enabled by default.

(8) Use the upgrade file to manually upgrade the specified service module.

http update [ extend ] { all | string }

No file for manual upgrade is configured by default.

(9) Specify the source IP address for downloads.

http update source_ip ipv4-address

No source IP address is specified by default.

1.5 Monitoring
Run the show command to check the configuration.

Table 1-1 HTTP Service Monitoring

Command Purpose

show web-server status Displays the configuration and status of the web service.

1.6 Configuration Examples


1.6.1 Configuring Basic Features of HTTP Service

1. Requirements

To manage a device in web mode, log in to the device through a web browser and configure related features.

2. Topology

[Figure 1-2 Topology for Basic Features of HTTP Service: Device (G0/1, 1.1.1.10/24) connected to the web browser host (1.1.1.1/24)]

3. Notes

● Configure Layer 3 route reachable between the server and the device.

● To improve security, change the authentication username, HTTP service port, and HTTPS service port for
login to the device. Moreover, configure redirection to HTTPS when accessing through HTTP. Thus, the web
browser can access the web server through either HTTP or HTTPS.


4. Procedure

Configure the management IP address on the device to make the device reachable to the server through Layer
3 routes.

Hostname> enable

Hostname# configure terminal

Hostname(config)# interface gigabitethernet 0/1

Hostname(config-if-GigabitEthernet 0/1)# ip address 1.1.1.10 255.255.255.0


Enable both the HTTP and HTTPS services.

Hostname(config)# enable service web-server


Set the HTTP service port number to 8080.

Hostname(config)# http port 8080


Set the HTTPS service port number to 4430.

Hostname(config)# http secure-port 4430


Configure the HTTP authentication information.

Hostname(config)# webmaster level 1 username test1 password 0 test_password1

5. Verification

Run the ping command to check whether the Layer 3 route between the server and the device is reachable.

Hostname# ping 1.1.1.10

Sending 5, 100-byte ICMP Echoes to 1.1.1.10, timeout is 2 seconds:

< press Ctrl+C to break >

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/2 ms.


Run the show web-server status command to display the configuration of the HTTP service.

Hostname# show web-server status

http server status: enabled

http server port: 8080

https server status:enabled

https server port: 4430

6. Configuration Files

hostname Device

http port 8080

http secure-port 4430

enable service web-server http

enable service web-server https

webmaster level 1 username test1 password 7 $10$019$f42SP+Nr3PTQbnvvEPQ=$


interface GigabitEthernet 0/1

no switchport

ip address 1.1.1.10 255.255.255.0

end

7. Common Errors

If the HTTP or HTTPS service port is not the default port (80 or 443), you must enter the configured service
port in the browser. Otherwise, you cannot access the device in web mode.
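The recommendations in 1.3.2 can be checked against a saved configuration such as the one in this example. The following Python audit is an added example, not part of the guide or of any vendor tool; the function names and finding identifiers are this example's own, the second configuration is constructed, and it assumes that a changed admin password shows up as a webmaster line for the user admin in the saved configuration.

```python
import re

HTTP_DEFAULT, HTTPS_DEFAULT = 80, 443          # default service ports stated in the guide
TFTP_PORT_MIN, TFTP_PORT_MAX = 20000, 65534    # configurable tftp-client port range

def audit_config(text):
    """Return a list of (finding_id, message) for one saved configuration."""
    http_on = https_on = admin_line = False
    ports = {"port": HTTP_DEFAULT, "secure-port": HTTPS_DEFAULT}
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"enable service web-server(?: (http|https|all))?", line)
        if m:
            # Without a keyword the command enables both services, as in the guide's example.
            mode = m.group(1) or "all"
            http_on = http_on or mode in ("http", "all")
            https_on = https_on or mode in ("https", "all")
        m = re.fullmatch(r"http (port|secure-port) (\d+)", line)
        if m:
            ports[m.group(1)] = int(m.group(2))
        m = re.fullmatch(r"tftp-client port (\d+)", line)
        if m and not TFTP_PORT_MIN <= int(m.group(1)) <= TFTP_PORT_MAX:
            findings.append(("tftp-port-range",
                             f"tftp-client port {m.group(1)} is outside 20000-65534"))
        # Assumption: a changed admin password is stored as a webmaster line for admin.
        if re.match(r"webmaster level \d+ username admin\b", line):
            admin_line = True
    if http_on:
        findings.append(("web-http-enabled",
                         f"HTTP service enabled on port {ports['port']}; "
                         "the guide advises enabling only HTTPS"))
    if https_on and ports["secure-port"] == HTTPS_DEFAULT:
        findings.append(("https-default-port",
                         "HTTPS service still listens on the default port 443"))
    if (http_on or https_on) and not admin_line:
        findings.append(("admin-password-review",
                         "no webmaster line for admin; verify the default "
                         "admin password has been changed"))
    return findings

def finding_ids(text):
    """Finding identifiers only, in the order they were raised."""
    return [fid for fid, _ in audit_config(text)]

# Saved configuration from the example above (section 1.6.1, item 6).
PAGE_EXAMPLE = """\
hostname Device
http port 8080
http secure-port 4430
enable service web-server http
enable service web-server https
webmaster level 1 username test1 password 7 $10$019$f42SP+Nr3PTQbnvvEPQ=$
interface GigabitEthernet 0/1
 no switchport
 ip address 1.1.1.10 255.255.255.0
end
"""

# Constructed configuration: HTTPS only, admin password set, TFTP port out of range.
CONSTRUCTED = """\
hostname Device
enable service web-server https
webmaster level 0 username admin password 7 CONSTRUCTED_PLACEHOLDER
tftp-client port 1069
end
"""

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED)):
        print(name)
        for fid, msg in audit_config(cfg):
            print(f"  [{fid}] {msg}")
```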

1.6.2 Configuring Remote HTTP Upgrade

1. Requirements

To reduce the impact on network communications, the upgrade is performed early in the morning. The remote
HTTP upgrade feature is used to upgrade the device by using upgrade files.

2. Topology

[Figure 1-3 Topology for Remote HTTP Upgrade: Device (G0/1, 1.1.1.10/24), Upgrade Server (1.1.1.20/24), and Web Browser (1.1.1.1/24)]

3. Notes

● Configure Layer 3 route reachable between the server and the device.

● Enable the HTTP service.

● Before configuring the domain name of an HTTP upgrade server, enable DNS on the device and configure
the DNS server address.

● Set the scheduled time for the device to remotely check for upgrade files on the upgrade server to 02:00
every day.

● The device checks for upgrade files on the upgrade server.

● The device downloads the latest file from the HTTP upgrade server and updates.

4. Procedure

Configure the management IP address on the device to make the device reachable to the server through Layer
3 routes.


Hostname> enable

Hostname# configure terminal

Hostname(config)# interface gigabitethernet 0/1

Hostname(config-if-GigabitEthernet 0/1)# ip address 1.1.1.10 255.255.255.0


Configure DNS.

Hostname(config)# ip domain-lookup

Hostname(config)# ip name-server 192.168.58.110


Enable the HTTP service.

Hostname(config)# enable service web-server


Set the scheduled time for the device to start remote monitoring to 02:00.

Hostname(config)# http update time daily 02:00


Configure the device to obtain upgrade files from the remote server.

Hostname# http check-version


Configure the device to download upgrade files from the server and update the device.

Hostname# http update all

5. Verification

Run the ping command to check whether the Layer 3 route between the server and the device is reachable.

Hostname# ping 1.1.1.20

Sending 5, 100-byte ICMP Echoes to 1.1.1.20, timeout is 2 seconds:

< press Ctrl+C to break >

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/2 ms.

6. Configuration Files

hostname Device

ip domain-lookup

ip name-server 192.168.58.110

enable service web-server http

enable service web-server https

http update time daily 02:00

interface GigabitEthernet 0/1

no switchport

ip address 1.1.1.10 255.255.255.0


end

7. Common Errors

DNS is disabled, so the device cannot establish a connection with the server.

Contents

1 Configuring Syslog
1.1 Introduction
1.1.1 Overview
1.1.2 Classification of System Logs
1.1.3 Levels of System Logs
1.1.4 Output Direction of System Logs
1.1.5 RFC 3164 Log Format
1.1.6 RFC 5424 Log Format
1.1.7 System Log Filtering
1.1.8 Log Reporting
1.1.9 Configuring System Log Monitoring
1.1.10 Protocols and Standards
1.2 Configuration Task Summary
1.3 Configuring Basic Syslog Features
1.3.1 Overview
1.3.2 Procedure
1.4 Configuring the System Log Format
1.4.1 Overview
1.4.2 Configuration Tasks
1.4.3 Configuring the RFC 3164 Log Format
1.4.4 Configuring the RFC 5424 Log Format
1.4.5 Configuring a Space Next to <pri> in the Log Format
1.5 Configuring Log Reporting
1.5.1 Configuration Tasks
1.5.2 Restrictions and Guidelines
1.5.3 Configuring Level-based Log Reporting
1.5.4 Configuring Delayed Log Reporting
1.5.5 Configuring Periodical Log Reporting
1.6 Configuring System Log Monitoring
1.6.1 Overview
1.6.2 Restrictions and Guidelines
1.6.3 Procedure
1.7 Configuring the Output Direction of System Logs
1.7.1 Configuration Tasks
1.7.2 Configuring the Output of System Logs to the Console
1.7.3 Configuring the Output of System Logs to the Monitor Terminal
1.7.4 Configuring the Device to Write System Logs into the Memory Buffer
1.7.5 Configuring the Transmission of System Logs to the Log Server
1.7.6 Configuring the Function of Writing System Logs into Log Files
1.8 Configuring System Log Filtering
1.8.1 Overview
1.8.2 Restrictions and Guidelines
1.8.3 Procedure
1.9 Configuring Performance Logging Function
1.9.1 Overview
1.9.2 Restrictions and Guidelines
1.9.3 Procedure
1.10 Configuring Synchronization of User Input and Log Output
1.10.1 Overview
1.10.2 Restrictions and Guidelines
1.10.3 Procedure
1.11 Monitoring
1.12 Configuration Examples
1.12.1 Configuring the RFC 3164 Log Format
1.12.2 Configuring the RFC 5424 Log Format
Configuration Guide Configuring Syslog

1 Configuring Syslog
1.1 Introduction
1.1.1 Overview

If a link status change or an event such as the receipt of exception packets or a processing exception occurs
while the device is running, a log packet in a fixed format is generated automatically. A timestamp and a
sequence number can be added to a log packet, and the packet is classified by log priority and output to the
console, monitor terminal, log server, or other media. Administrators use logs to monitor the running status of
the device, analyze network conditions, and locate problems.

1.1.2 Classification of System Logs

System logs fall into two types:

● Common logs

● Debugging logs

Note

To generate debugging logs, you need to enable a debug command. Such logs are used to locate problems,
and may be ignored by users.

1.1.3 Levels of System Logs

Eight severities are defined for system logs in a descending order, including emergency, alert, critical, error,
warning, notification, informational, and debugging, which correspond to eight numerical values from 0 to 7
respectively. A smaller value indicates a higher severity. Table 1-1 describes the log severities.

Note

Only logs with a severity equal to or higher than the specified severity are output. For example, if the severity of
logs is set to informational (severity 6), logs of severity 6 or higher are output.

Table 1-1 Description of Log Severities

Keyword         Level   Description
emergencies     0       Indicates that the system cannot run normally.
alerts          1       Indicates that corrective measures must be taken immediately.
critical        2       Indicates a critical circumstance.
errors          3       Indicates an error message.
warnings        4       Indicates a warning.
notifications   5       Indicates a common but important message that requires attention.
informational   6       Indicates an informational message.
debugging       7       Indicates debugging information.

1.1.4 Output Direction of System Logs

System logs can be output to the console, monitor, server, buffer, and file. The default level and type of logs
vary with the output direction. You can customize filtering rules for different output directions. Table 1-2
describes output directions of system logs.

Table 1-2 Description of System Log Output Directions

Name of Output Direction   Default Output Direction   Default Output Level      Description
console                    Console                    debugging (Level 7)       Outputs logs and debugging information.
monitor                    Monitor terminal           debugging (Level 7)       Outputs logs and debugging information to facilitate remote maintenance.
server                     Log server                 informational (Level 6)   Outputs logs and debugging information.
buffer                     Log buffer                 debugging (Level 7)       Outputs logs and debugging information. The log buffer is used to store system logs during the device running.
file                       Log file                   informational (Level 6)   Outputs logs and debugging information, and periodically writes logs in the log buffer into files.

1.1.5 RFC 3164 Log Format

Formats of system logs may vary with the system log output direction.

1. Non-server Direction

When logs are output to the console, monitor terminal, log buffer, or log file, the system logs are in the following
format:

seq no: *timestamp: sysname %module-level-mnemonic: content


The log format is described as follows:

Sequence number: *timestamp: system name %module name-severity-mnemonic: log text

For example, if you exit the configuration mode, the following log is displayed on the console:


001233: *May 22 09:44:36: Hostname %SYS-5-CONFIG_I: Configured from console by console

2. Server Direction

When logs are output to the log server, the system logs are in the following format:

<priority>seq no: *timestamp: sysname %module-level-mnemonic: content


The log format is described as follows:

<Priority> sequence number: *timestamp: system name %module name-severity-mnemonic: log text

For example, if you exit the configuration mode, the following log is displayed on the log server:

<189>001233: *May 22 09:44:36: Hostname %SYS-5-CONFIG_I: Configured from console by console

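On a log collector, the server-direction format above can be parsed and sanity-checked field by field. The following Python parser is an added example, not code from the guide; it decodes the priority as Facility × 8 + Level using the facility and severity keywords from Table 1-3 and Table 1-1, and covers common logs only. The names DeviceLog, parse_server_log and triage are this example's own, accepting a timestamp without the leading asterisk and rejecting a line whose priority disagrees with the level in the %module-level-mnemonic tag are assumptions of this example, and every sample line except the first is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Facility keywords indexed by numerical code (Table 1-3 of the guide).
FACILITIES = ["kern", "user", "mail", "daemon", "auth1", "syslog", "lpr", "news",
              "uucp", "clock1", "auth2", "ftp", "ntp", "logaudit", "logalert",
              "clock2"] + [f"local{i}" for i in range(8)]
# Severity keywords indexed by level (Table 1-1 of the guide).
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]

# Mmm dd [yyyy] hh:mm:ss[.msec]; year and milliseconds are hidden by default.
DATETIME = r"[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?"
UPTIME = r"\d+:\d{2}:\d{2}:\d{2}"                # dd:hh:mm:ss

LINE = re.compile(
    r"<(?P<pri>\d{1,3})> ?"                      # <priority>, optionally followed by a space
    r"(?:(?P<seq>\d{6}): )?"                     # 6-digit sequence number, hidden by default
    r"\*?(?P<ts>" + DATETIME + "|" + UPTIME + r"): "   # '*' optional here (assumption)
    r"(?:(?P<sysname>[^\s%]\S*) )?"              # system name, hidden by default
    r"%(?P<module>[A-Z0-9_]{2,20})-(?P<level>[0-7])-(?P<mnemonic>[A-Za-z0-9_]{4,64}): "
    r"(?P<content>.*)"
)

@dataclass
class DeviceLog:
    facility: str
    severity: str
    level: int
    seq: Optional[int]
    timestamp: str
    sysname: Optional[str]
    module: str
    mnemonic: str
    content: str

def parse_server_log(line: str) -> DeviceLog:
    """Parse one server-direction RFC 3164 line; raise ValueError if it is malformed."""
    m = LINE.fullmatch(line.strip())
    if m is None:
        raise ValueError("not in the server-direction format")
    facility_code, pri_level = divmod(int(m["pri"]), 8)   # priority = Facility * 8 + Level
    if facility_code >= len(FACILITIES):
        raise ValueError(f"facility code {facility_code} is outside 0-23")
    level = int(m["level"])
    if level != pri_level:
        # Added consistency check: both fields carry the severity and should agree.
        raise ValueError(f"priority says level {pri_level}, tag says level {level}")
    return DeviceLog(FACILITIES[facility_code], SEVERITIES[level], level,
                     int(m["seq"]) if m["seq"] else None, m["ts"], m["sysname"],
                     m["module"], m["mnemonic"], m["content"])

def triage(lines):
    """Split lines into parsed records and (line, reason) rejects."""
    parsed, rejected = [], []
    for line in lines:
        try:
            parsed.append(parse_server_log(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return parsed, rejected

SAMPLE_LINES = [
    # The guide's own example line.
    "<189>001233: *May 22 09:44:36: Hostname %SYS-5-CONFIG_I: Configured from console by console",
    # Constructed: default display (no sequence number, no system name).
    "<189>*May 22 09:44:36: %SYS-5-CONFIG_I: Configured from console by console",
    # Constructed: uptime timestamp, hypothetical module and mnemonic.
    "<187>*0:01:02:03: %DEMO_MOD-3-SAMPLE_EVT: constructed text",
    # Constructed: priority 190 decodes to level 6 but the tag says 5.
    "<190> 001234: *May 22 2024 09:44:37.120: Hostname %SYS-5-CONFIG_I: constructed text",
    # Constructed: facility code out of range.
    "<999>*May 22 09:44:36: %SYS-5-CONFIG_I: constructed text",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LINES)
    for rec in ok:
        print(rec)
    for line, reason in bad:
        print("REJECTED:", reason, "|", line)
```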
The following details each field in the log format:

● priority

The priority is calculated using the following formula: Facility × 8 + Level. "Level" indicates the log severity
and "Facility" indicates the numerical code of the facility. The default facility value is local7 (23). Table 1-3
lists the value range of the facility.

Note

This field is valid only when logs are output to the log server.

Table 1-3 Description of the Log Priority Parameter

Numerical Code   Facility Keyword   Facility Description
0                kern               Kernel messages
1                user               User-level messages
2                mail               Mail system
3                daemon             System daemons
4                auth1              Security/Authorization messages
5                syslog             Messages generated internally by syslog
6                lpr                Line printer subsystem
7                news               Network news subsystem
8                uucp               UUCP subsystem
9                clock1             Clock daemon
10               auth2              Security/Authorization messages
11               ftp                FTP daemon
12               ntp                NTP subsystem
13               logaudit           Log audit
14               logalert           Log alert
15               clock2             Clock daemon
16               local0             Local use 0 (local0)
17               local1             Local use 1 (local1)
18               local2             Local use 2 (local2)
19               local3             Local use 3 (local3)
20               local4             Local use 4 (local4)
21               local5             Local use 5 (local5)
22               local6             Local use 6 (local6)
23               local7             Local use 7 (local7)

● seq no (sequence number)

The sequence number of a system log is a 6-digit integer, and increases with system logs. By default, the
sequence number is not displayed. You can run a command to display or hide this field.

● timestamp

The timestamp records the generation time of a system log to help you check and locate system events.
The devices support two formats of system log timestamps: datetime and uptime.

○ Datetime format

The complete datetime format is as follows:

Mmm dd yyyy hh:mm:ss.msec


Table 1-4 describes each parameter of the timestamp in the datetime format.

○ Uptime format

The complete uptime format is as follows:

dd:hh:mm:ss

Table 1-5 describes each parameter of the timestamp in the uptime format.

Table 1-4 Description of Parameters in the Timestamp in the Datetime Format

Timestamp Parameter   Parameter Name   Description
Mmm                   Month            Indicates the abbreviated month. The 12 months in a year are abbreviated as Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.
dd                    Day              Indicates the day in the current month.
yyyy                  Year             Indicates the year, not displayed by default.
hh                    Hour             Indicates the hour.
mm                    Minute           Indicates the minute.
ss                    Second           Indicates the second.
msec                  Millisecond      Indicates the millisecond.

Note

By default, the timestamp in the datetime format in system logs does not contain the year and milliseconds. You
can run a command to display or hide the year and millisecond in the timestamp in the datetime format.

Table 1-5 Description of Parameters in the Timestamp in the Uptime Format

| Timestamp Parameter | Parameter Name | Description |
| --- | --- | --- |
| dd | Day | Indicates the day in the month in which the device starts up. |
| hh | Hour | Indicates the hour at which the device starts up. |
| mm | Minute | Indicates the minute at which the device starts up. |
| ss | Second | Indicates the second at which the device starts up. |

Note

If the device does not have a real time clock (RTC), which is hardware used to record the absolute time of the
system, the device uses its startup time (in the uptime format) as the system log timestamp by default. If the
device has an RTC, the device uses its absolute time (in the datetime format) as the system log timestamp by
default.

 sysname (system name)

This field records the name of the device that generates a log so that the log server can identify the host of
such device. By default, the field is not displayed. You can run a command to display or hide this field.

 module (module name)

This field indicates the name of the module that generates a log. The value is an upper-case string of 2 to
20 characters, which can contain upper-case letters, digits, and underscores. The module field is
mandatory for common logs by default, and optional for debugging logs.

 level (log severity)

Eight system log severities from 0 to 7 are defined. The severity of system logs generated by each module
is determined during development and cannot be changed.

 mnemonic

This field indicates a summary of the generation of a log. The value is a string of 4 to 64 characters, which
can contain upper-case and lower-case letters, digits, and underscores. The mnemonic field is mandatory
for common logs by default, and optional for debugging logs.

 content (log text)

This field indicates the content of a system log.

1.1.6 RFC 5424 Log Format

All system logs are in the following format regardless of their output directions:

<priority>version timestamp sysname MODULE LEVEL MNEMONIC [structured-data] description

The log format is described as follows:

<Priority>version timestamp system name module name level mnemonic structured parameter area log content

For example, if you exit the configuration mode, the following log is displayed on the console:

<133>1 2013-07-24T12:19:33.130290Z Hostname SYS 5 CONFIG - Configured from console by console

The following details each field:

 priority

The priority is calculated using the following formula: Facility × 8 + Level. "Level" indicates the log severity
and "Facility" indicates the facility value. The facility value can be set during log configuration. When the
RFC 5424 log function is enabled, the default facility value is local0 (16).

 version

According to RFC 5424, the version is always 1.

 timestamp

The timestamp records the generation time of a system log to help you check and locate system events.
The timestamp format of RFC 5424 is Universal Time Coordinated (UTC). The devices use the following
uniform timestamp format when the RFC 5424 logging function is enabled.

YYYY-MM-DDTHH:MM:SS.SECFRACZ

Table 1-6 describes each parameter.

Table 1-6 Description of Timestamp Parameters

| Timestamp Parameter | Parameter Name | Description |
| --- | --- | --- |
| YYYY | Year | Indicates the year. |
| MM | Month | Indicates the month in the current year. |
| DD | Day | Indicates the day in the current month. |
| T | Separator | A date must end with "T". |
| HH | Hour | Indicates the hour. |
| MM | Minute | Indicates the minute. |
| SS | Second | Indicates the second. |
| SECFRAC | Millisecond | Indicates the millisecond (1–6 digits). |
| Z | End mark | Time must end with "Z". |

 sysname (system name)

This field indicates the name of the device that generates a log so that the log server can identify the host
of such device.

 MODULE (module name)

This field indicates the name of the module that generates a log. The value is an upper-case string of 2 to
20 characters, which can contain upper-case letters, digits, and underscores. The module field is
mandatory for common logs by default, and optional for debugging logs.

 LEVEL (log severity)

Eight system log severities from 0 to 7 are defined. The severity of system logs generated by each module
is determined during development and cannot be changed.

 MNEMONIC

This field indicates a summary of the generation of a log. The value is a string of 4 to 64 characters, which
can contain upper-case and lower-case letters, digits, and underscores. The mnemonic field is mandatory
for common logs by default, and optional for debugging logs.

 structured-data (structured parameter area)

This field is introduced in RFC 5424 to describe log parameters in a way that helps device parsing. Each
log can contain 0 or multiple parameters. If no parameter exists, the placeholder (-) must be used. Each
parameter is in the following format:

[SD_ID@enterpriseID PARAM-NAME=PARAM-VALUE]

Table 1-7 describes each parameter.

Table 1-7 Description of Structured Parameters

| Structured Parameter | Parameter Name | Description |
| --- | --- | --- |
| SD_ID | Name of parameter information | The name of parameter information is capitalized, and must be unique in a log. |
| @ | Separator | "@enterpriseID" is necessary for the customized parameters, but not for parameters defined in RFC 5424. |
| enterpriseID | Enterprise ID | The enterprise ID is maintained by the Internet Assigned Numbers Authority (IANA). The enterprise ID of devices is 4881. You can query the enterprise ID at the official website of IANA. |
| PARAM-NAME | Parameter name | The parameter name is capitalized, and must be unique in the structured parameter area of a log. |
| PARAM-VALUE | Parameter value | The parameter value must be enclosed in double quotation marks. Values of the IP address and MAC address must be capitalized, and values of other parameters are capitalized as required. |

 description (log text)

This field indicates the content of a system log.
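
A collector can check incoming logs against the field rules in this section before indexing them. The parser below is an added example, not code from this guide or from the device vendor; the function names, the second sample line and its SD_ID and parameter names are constructed for illustration. It assumes MODULE and MNEMONIC are present, which this guide says is optional for debugging logs.

```python
import re
from datetime import datetime, timezone

# Facility keywords by numerical code, as listed in this guide's facility table.
FACILITIES = (
    "kern", "user", "mail", "daemon", "auth1", "syslog", "lpr", "news",
    "uucp", "clock1", "auth2", "ftp", "ntp", "logaudit", "logalert", "clock2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
)
# <priority>version timestamp sysname MODULE LEVEL MNEMONIC [structured-data] description
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<sysname>\S+) "
    r"(?P<module>\S+) (?P<level>\d+) (?P<mnemonic>\S+) (?P<rest>.*)$"
)
MODULE_RE = re.compile(r"[A-Z0-9_]{2,20}")
MNEMONIC_RE = re.compile(r"[A-Za-z0-9_]{4,64}")
# One structured-data element: [SD_ID@enterpriseID PARAM-NAME="PARAM-VALUE" ...]
SD_ELEMENT = re.compile(
    r'\[(?P<sd_id>[^\s\]="]+)(?P<params>(?: [^\s\]="]+="(?:[^"\\\]]|\\.)*")*)\]'
)
SD_PARAM = re.compile(r' (?P<name>[^\s\]="]+)="(?P<value>(?:[^"\\\]]|\\.)*)"')

# The first line is the example from this section; the second is constructed.
SAMPLES = [
    "<133>1 2013-07-24T12:19:33.130290Z Hostname SYS 5 CONFIG - Configured from console by console",
    '<132>1 2024-01-01T00:00:00.5Z sw1 LOGIN 4 LOGIN_FAIL [USER_INFO@4881 USER="admin" IP="10.2.3.5"] Login failed',
]


def parse_structured_data(rest):
    """Split the text after MNEMONIC into (structured-data dict, description)."""
    if rest == "-" or rest.startswith("- "):
        return {}, rest[2:]
    elements, pos = {}, 0
    while True:
        m = SD_ELEMENT.match(rest, pos)
        if m is None:
            break
        # Undo the RFC 5424 escapes \" \\ \] inside parameter values.
        elements[m["sd_id"]] = {
            p["name"]: re.sub(r'\\(["\\\]])', r"\1", p["value"])
            for p in SD_PARAM.finditer(m["params"])
        }
        pos = m.end()
    if pos == 0:
        raise ValueError("structured-data is neither '-' nor a [..] element")
    return elements, rest[pos:].lstrip(" ")


def parse_line(line):
    """Parse one log line; 'problems' lists deviations from the rules in this section."""
    m = HEADER.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("line does not follow the RFC 5424 layout of this guide")
    pri = int(m["pri"])
    facility, severity = divmod(pri, 8)  # priority = Facility * 8 + Level
    problems = []
    if facility >= len(FACILITIES):
        problems.append("priority encodes a facility above 23")
    if m["version"] != "1":
        problems.append("version is not 1")
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    except ValueError:
        ts = None
        problems.append("timestamp is not YYYY-MM-DDTHH:MM:SS.SECFRACZ")
    if int(m["level"]) != severity:
        problems.append("LEVEL field disagrees with priority")
    if not MODULE_RE.fullmatch(m["module"]):
        problems.append("MODULE is not 2-20 upper-case letters, digits or underscores")
    if not MNEMONIC_RE.fullmatch(m["mnemonic"]):
        problems.append("MNEMONIC is not 4-64 letters, digits or underscores")
    try:
        structured, description = parse_structured_data(m["rest"])
    except ValueError as exc:
        structured, description = {}, m["rest"]
        problems.append(str(exc))
    return {
        "facility": FACILITIES[facility] if facility < len(FACILITIES) else None,
        "severity": severity,
        "timestamp": ts,
        "sysname": m["sysname"],
        "module": m["module"],
        "mnemonic": m["mnemonic"],
        "structured_data": structured,
        "description": description,
        "problems": problems,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_line(sample))
```

Lines that come back with a non-empty `problems` list are worth routing to a review queue rather than dropping, since a disagreement between the priority and the LEVEL field can point to a relay or device that rewrites the header.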

1.1.7 System Log Filtering

By default, the logs generated by the system are output in all directions. The device provides the log filtering
function, which allows you to filter logs by log output direction, log keyword, and matching rule. When you do not
care about some logs or you care about some logs only, use the log filtering function to filter the logs.

 Filtering direction

Four log filtering directions are defined:

○ Buffer: Filters the logs sent to the log buffer, that is, the logs displayed by the show logging command.

○ File: Filters the logs written into logging files.

○ Server: Filters the logs sent to the log server.

○ Terminal: Filters the logs sent to the console and monitor terminal (including telnet and SSH).

Note

The four filtering directions can be used either collectively (logs in various directions are filtered) or separately
(logs in one direction are filtered).

 Filtering mode

Two filtering modes are available:

○ contains-only: Indicates that only the logs that contain keywords specified in the filtering rules are
output. When you care about some logs only, you can apply the contains-only mode on the device to
output only the logs that match the filtering rules on the terminal. Thus, you can check whether any
event occurs.

○ filter-only: Indicates that the logs that contain keywords specified in the filtering rules are filtered and
are not output. Too many logs from a module may result in spamming on the terminal CLI. If you do not
care about this type of logs, you can apply filter-only and configure filtering rules to filter such logs.

Note

The two filtering modes are mutually exclusive, that is, you can configure only one filtering mode at a time.

 Filtering rule

Two log filtering rules are available:

○ exact-match: If exact-match is selected, you must select all the three filtering options (log module, log
severity, and log mnemonic). To filter a specific log, use the exact-match filtering rule.

○ single-match: If single-match is selected, you only need to select one of the three filtering options (log
module, log severity, and log mnemonic). To filter a specified type of log, use the single-match filtering
rule.

Note

If the same module name, log severity, or mnemonic is configured in both the single-match and exact-match
rules, the single-match rule prevails.
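
Before a filter is applied, it helps to know which logs it would keep out of a given direction. The model below is an added example of the semantics described in this section, not the device's implementation; the class and function names, the sample logs, and the choice that a filter with no rules suppresses nothing are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

DIRECTIONS = {"buffer", "file", "server", "terminal"}
MODES = {"contains-only", "filter-only"}


@dataclass(frozen=True)
class Log:
    module: str
    level: int
    mnemonic: str


@dataclass(frozen=True)
class Rule:
    kind: str  # "exact-match" or "single-match"
    module: Optional[str] = None
    level: Optional[int] = None
    mnemonic: Optional[str] = None

    def __post_init__(self):
        given = sum(v is not None for v in (self.module, self.level, self.mnemonic))
        need = {"exact-match": 3, "single-match": 1}.get(self.kind)
        if need is None:
            raise ValueError(f"unknown rule type: {self.kind}")
        if given != need:
            raise ValueError(f"{self.kind} takes exactly {need} filtering option(s)")

    def matches(self, log):
        # Only the options that were configured take part in the comparison.
        pairs = ((self.module, log.module), (self.level, log.level),
                 (self.mnemonic, log.mnemonic))
        return all(want == got for want, got in pairs if want is not None)


@dataclass
class LogFilter:
    mode: str          # one filtering mode at a time
    directions: set    # directions the filter applies to
    rules: list

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown filtering mode: {self.mode}")
        if not set(self.directions) <= DIRECTIONS:
            raise ValueError("unknown filtering direction")

    def is_output(self, log, direction):
        # Assumption: other directions, and a filter without rules, pass everything.
        if direction not in self.directions or not self.rules:
            return True
        # A log is hit when any rule matches it. A single-match rule on a value
        # that also appears in an exact-match rule therefore decides the outcome,
        # which is how this model reads "the single-match rule prevails".
        hit = any(rule.matches(log) for rule in self.rules)
        return hit if self.mode == "contains-only" else not hit


def suppressed(log_filter, logs, direction):
    """Return the logs that the filter keeps out of the given direction."""
    return [log for log in logs if not log_filter.is_output(log, direction)]


# Constructed sample logs (module, level, mnemonic).
SAMPLE_LOGS = [
    Log("SYS", 5, "CONFIG"),
    Log("SYS", 6, "RESTART"),
    Log("LOGIN", 5, "LOGIN_SUCCESS"),
    Log("OSPF", 4, "NBR_DOWN"),
]

if __name__ == "__main__":
    noisy = LogFilter("filter-only", {"server"}, [Rule("single-match", level=5)])
    for log in suppressed(noisy, SAMPLE_LOGS, "server"):
        print("not sent to server:", log)
```

In the run above, a single-match rule on level 5 meant to reduce noise also keeps the constructed login record from reaching the log server, which is the kind of side effect to look for when reviewing a filter-only configuration.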

1.1.8 Log Reporting

The log reporting function falls into level-based reporting, delayed reporting, and periodical reporting, which
are described as follows:

 Level-based reporting

You can use the level-based policy function to send logs of different modules and severities to different
destinations.

For example, you can configure a command to send OSPF module logs of level 4 or lower to the log server,
and OSPF module logs of level 5 or higher to local log files.

 Delayed reporting

Delayed log reporting means that instead of being directly sent to the log server, system logs generated in
the system are buffered in the log files in the device and then periodically sent to the log server. Delayed
log reporting can be configured to reduce the packet transmission and interaction frequency between the
device and the log server. In this way, the performance pressure on the device and the log server and the
burden on the intermediate network are reduced.

 Periodical reporting

Logs about device performance statistics are periodically sent. All timers for periodically sending logs are
managed by the syslog module. When a timer expires, the syslog module calls the log processing function
registered by each module to display and output the performance statistic logs to the remote syslog server
in real time. The server analyzes these logs to evaluate the device performance.

Caution
 To configure log reporting, enable the RFC 5424 log format function; otherwise, you cannot configure
level-based reporting, delayed reporting, and periodical reporting.
 When the RFC 5424 log format is enabled, logs can be output in all directions, and delayed reporting is
enabled by default. At the same time, the periodical reporting function is disabled.

1.1.9 Configuring System Log Monitoring

System log monitoring means that the system monitors external connections to the device and records logs.

 After user login/logout logging is enabled, the system records the user's connections to the device. The
recorded information includes the login username and source address.

 After user operation logging is enabled, the system records device configuration changes. The recorded
information includes the operation username, source address, and operation content.

1.1.10 Protocols and Standards

 RFC 3164: The BSD syslog Protocol

 RFC 5424: The Syslog Protocol

1.2 Configuration Task Summary


Syslog configuration includes the following tasks:

(1) Configuring Basic Syslog Features

(2) (Optional) Configuring the System Log Format

The configurations are exclusive. Configure either of the tasks.

○ Configuring the RFC 3164 Log Format

○ Configuring the RFC 5424 Log Format

○ Configuring a Space Next to <pri> in the Log Format

(3) Configuring Log Reporting

Configure at least one of the functions.

○ Configuring Level-based Log Reporting

○ Configuring Delayed Log Reporting

○ (Optional) Configuring Periodical Log Reporting

(4) (Optional) Configuring System Log Monitoring

(5) (Optional) Configuring the Output Direction of System Logs

Configure at least one of the output directions.

○ Configuring the Output of System Logs to the Console

○ Configuring the Output of System Logs to the Monitor Terminal

○ Configuring the Device to Write System Logs into the Memory Buffer

○ Configuring the Transmission of System Logs to the Log Server

○ Configuring the Function of Writing System Logs into Log Files

(6) (Optional) Configuring System Log Filtering

(7) (Optional) Configuring Performance Logging Function

(8) (Optional) Configuring Synchronization of User Input and Log Output

1.3 Configuring Basic Syslog Features


1.3.1 Overview

This section describes how to enable the syslog function so that the system processes logs and users view the
logs generated by the device.

1.3.2 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enable logging.

logging on

By default, logging is enabled.

1.4 Configuring the System Log Format


1.4.1 Overview

By configuring system log display, you can adjust the display format of system logs.

1.4.2 Configuration Tasks

System log format configuration includes the following tasks. The following configurations are mutually
exclusive. Configure either of the tasks.

 Configuring the RFC 3164 Log Format

 Configuring the RFC 5424 Log Format

 Configuring a Space Next to <pri> in the Log Format

1.4.3 Configuring the RFC 3164 Log Format

1. Restrictions and Guidelines

 If the device does not have an RTC, which is hardware used to record the absolute time of the system, the
system uses the device startup time (in the uptime format) as the log timestamp. In this case, the configured
device time is invalid. If the device has an RTC, the system uses the device time (in the datetime format) as
the log timestamp.

 Add a system name to logs to identify the device that generates a system log after the system log is sent to
the server.

 Add a sequence number to logs. The sequence number starts from 1. After the sequence number is added,
the system can monitor the loss and the generation sequence of logs. The log sequence number is a 6-digit
integer. Each time a log is generated, the sequence number increases by one. When the sequence number
increases from 1 to 1,000,000, or reaches 2^32, it starts from 000000 again.

 After the RFC 3164 format is enabled, the logging delay-send, logging policy, and logging statistic
commands that are applicable to the RFC 5424 format will become invalid and be hidden.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) (Optional) Configure the timestamp format for system logs.

service logging-timestamp [ message-type [ datetime [ msec | year ] * | uptime ] ]

The system logs use the datetime timestamp format, and the timestamp does not contain the year and
milliseconds by default.

(4) (Optional) Add the system name to system logs.

service sysname

By default, system logs do not contain the system name.

(5) (Optional) Add the sequence number to system logs.

service logging sequence-numbers

By default, system logs do not contain the sequence number.

(6) Configure the system log format. The configurations are exclusive. Configure one of the log formats.

○ Set the system log format to the standard log format.

service standard-logging

○ Set the system log format to the private log format.

service private-logging

1.4.4 Configuring the RFC 5424 Log Format

1. Restrictions and Guidelines

 After the RFC 5424 log format is enabled, a uniform timestamp format is adopted, and uptime and datetime
are not differentiated.

 In the RFC 5424 log format, the timestamp may or may not contain the time zone. Currently, only the
timestamp without the time zone is supported.

 After the RFC 5424 format is enabled, the service sequence-numbers, service sysname, service
timestamps, service private-logging, and service standard-logging commands that are applicable to
the RFC 3164 format will become invalid and be hidden.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Set the system log format to the RFC 5424 log format.

service log-format rfc5424

1.4.5 Configuring a Space Next to <pri> in the Log Format

1. Restrictions and Guidelines

 If there is no special requirement, configure a space on the device that needs a space next to <pri> in the log
format.

 The default format of logs sent to a server is as follows:

<pri>*timestamp: %module-level-mnemonic: content


The order is as follows:

<pri>*timestamp: %module-level-mnemonic: content


If the function is enabled, the format of logs sent to a server is as follows:

<pri> *timestamp: %module-level-mnemonic: content


Compared with the default log format, a space is added next to <pri>.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure a space next to <PRI> in the log format.

logging priv-format private

A space is next to <PRI> in the log format compared to the default setting.

1.5 Configuring Log Reporting


1.5.1 Configuration Tasks

The log reporting configuration includes the following tasks. Configure at least one of the tasks.

 Configuring Level-based Log Reporting

 Configuring Delayed Log Reporting

 (Optional) Configuring Periodical Log Reporting

1.5.2 Restrictions and Guidelines

The log reporting function can be configured and takes effect only when the RFC 5424 format is enabled.

1.5.3 Configuring Level-based Log Reporting

1. Overview

You can configure a level-based log reporting policy to output logs of different modules and severities to
different destinations.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Set the system log format to the RFC 5424 log format.

service log-format rfc5424

(4) Configure a level-based log reporting policy.

logging policy module module-name [ not-lesser-than ] policy-level direction { all | buffer | console | file | monitor | server }

No level-based log reporting policy is configured by default.

1.5.4 Configuring Delayed Log Reporting

1. Overview

Delayed log reporting means that system logs generated in the system are buffered in the log files on the device
and then periodically sent to the log server, but are not directly sent to the log server. Delayed log reporting can
be configured for system logs to reduce the message transmission and interaction frequency between the
device and the log server. In this way, the performance pressure on the device and the syslog server and the
burden on the intermediate network are reduced.

2. Restrictions and Guidelines

 Generally, you are not advised to output logs reported in a delayed manner to the console or remote terminal.
Otherwise, many logs reported in a delayed manner are displayed, increasing the burden on the device.

 The configured file name cannot contain any dot (.) because the system automatically adds the index and
the file name extension (.txt) to the file name when generating a locally buffered file. The index increases
each time a new file is generated. In addition, the file name cannot contain characters prohibited by the file
system of your PC, such as \, /, :, *, ", <, >, and |. For example, the configured file name is log_server, the
current index is 5, the file size is 1000 bytes, and the source IP address of the device sending the log file is
10.2.3.5. The name of the log file sent to the remote server is log_server_1000_10.2.3.5_5.txt while the
name of the log file stored on the device is log_server_5.txt. If the source IP address is an IPv6 address,
the colon (:) in the IPv6 address must be replaced by the hyphen (-) because the colon (:) is prohibited by
the file system. For example, the file name is log_server, the current file index is 6, the file size is 1000
bytes, and the source IPv6 address of the device sending the log file is 2001::1. The name of the log file sent
to the remote server is log_server_1000_2001-1_6.txt while the name of the log file stored on the device is
log_server_6.txt.

 If few logs are generated on the device, you are advised to set the interval of delayed log reporting to a large
value so that more logs are sent to the remote server at a time.

 By default, the log file sent to the remote server is named File size_device IP address_index.txt. If the
name of the file for delayed log reporting is modified, the log file sent to the remote server is named
Configured file name prefix_file size_device IP address_index.txt. The file stored on the local flash
space of the device is named Configured file name prefix_index.txt. The default file name prefix is
logging_ftp_server, the interval for delayed log reporting is 3600s (1 hour), and the log file size is 128 KB.

 The maximum interval for delayed log reporting is 65535s (18 hours). If you set the interval for delayed log
reporting to a larger value, the size of logs generated in this period may exceed the file size (128 KB). To
prevent loss of logs, the logs are written into a new log file, and the index increases by 1. When the timer
expires, all log files buffered in this period are sent to the log server at a time.

 The flash space for buffering local log files on the device is limited. Therefore, up to eight log files are
buffered on the device. If more than eight log files are buffered on the device, all the log files generated
earlier are sent to the log server at a time.

 You can send logs to the log server through File Transfer Protocol (FTP) or Trivial File Transfer Protocol
(TFTP). The addresses of up to five log servers can be configured for one device. Either FTP or TFTP is
specified for each server.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Set the system log format to the RFC 5424 log format.

service log-format rfc5424

(4) Configure delayed log reporting. The following configurations are optional. Configure at least one of them as
actually needed.

○ Configure delayed log reporting to the console and remote terminal.

logging delay-send terminal

Delayed log reporting to the console and remote terminal is disabled by default.

○ Configure the name of the file for delayed log reporting.

logging delay-send file flash: delay-send-filename

The default format of the log file name is file size_device IP address_index.txt.

○ Configure the interval for delayed log reporting.

logging delay-send interval delay-send-interval

The interval for delayed log reporting is 3600s (1 hour) by default.

○ Configure the server address and reporting mode.

logging delay-send server { hostname | ipv4-address | ipv6 ipv6-address } [ vrf vrf-name ] mode { ftp user username password [ 0 | 7 ] password | tftp }

Delayed log reporting is disabled by default.

1.5.5 Configuring Periodical Log Reporting

1. Overview

This section describes how to configure periodical log reporting so that the server can collect all the logs on the
device at the same time point.

2. Restrictions and Guidelines

 The interval of periodical log reporting and the function of outputting logs to the console and remote terminal
take effect only after periodical log reporting is enabled.

 You are advised to disable the function of outputting periodically reported logs to the console and remote
terminal. Otherwise, when the reporting timer expires, many performance statistics logs are displayed,
increasing the burden on the device.

 To ensure that the server collects all performance statistics logs from the device at the same time point, the
timers of all statistical objects are restarted when you modify the interval of one statistic object.

 The default interval of periodical log reporting is 15 minutes. To enable the server to collect all performance
statistics logs from the device at the same time point, you need to set the log reporting interval of different
statistic objects to be a multiple of another interval. The interval can be set to 0, 15, 30, 60, or 120. Here, the
value 0 indicates that periodical log reporting is disabled.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Set the system log format to the RFC 5424 log format.

service log-format rfc5424

(4) Configure periodical log reporting.

logging statistic enable

Periodical log reporting is disabled by default.

(5) (Optional) Configure periodical log reporting to the console and remote terminal.

logging statistic terminal

Periodical log reporting to the console and remote terminal is disabled by default.

(6) (Optional) Configure the interval for periodical log reporting.

logging statistic mnemonic mnemonic interval logging-statistic-interval

The default interval of periodical log reporting is 15 min.

1.6 Configuring System Log Monitoring


1.6.1 Overview

System log monitoring enables the system to monitor the external connections to the device and record logs.

1.6.2 Restrictions and Guidelines

 If both the logging userinfo command and the logging userinfo command-log command are configured
on the device, only the results shown by the logging userinfo command-log command are displayed when
you run the show running-config command.

 The logging userinfo command is run in global configuration mode to enable login/logout logging. After this
function is configured, the device displays logs when users access the device through telnet, Secure Shell
(SSH), or Hypertext Transfer Protocol (HTTP) so that the administrator can monitor the device connection
status.

 The logging userinfo command-log command is run in global configuration mode to enable user operation
logging. After this function is configured, the system displays related logs to notify the administrator of
configuration changes.

 User operations are logged when commands are configured and run. By default, the device does not
generate operation logs when a user modifies the device configuration. If the 5424 log format is configured,
that is, the service log-format rfc5424 command is configured, you need to configure the logging
delay-send terminal command so that operation logs are output to the terminal (because delayed log
reporting is registered for operation logs).

1.6.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure system log monitoring. The following configurations are all optional. Configure at least one of
them as actually needed.

○ Enable user login/logout logging.

logging userinfo

User login/logout logging is disabled by default.

○ Enable user operation logging.

logging userinfo command-log

User operation logging is disabled by default.

1.7 Configuring the Output Direction of System Logs


1.7.1 Configuration Tasks

System log output direction configuration includes the following tasks. Configure at least one of the tasks.

 (Optional) Configuring the Output of System Logs to the Console

 (Optional) Configuring the Output of System Logs to the Monitor Terminal

 (Optional) Configuring the Device to Write System Logs into the Memory Buffer

 (Optional) Configuring the Transmission of System Logs to the Log Server

 (Optional) Configuring the Function of Writing System Logs into Log Files

1.7.2 Configuring the Output of System Logs to the Console

1. Overview

This section describes how to configure the output of system logs to the console so that the device can output
logs generated by the system to the console. Then, the administrator can monitor the running status of the system.

2. Restrictions and Guidelines

 If too many system logs are generated, you can limit the logging rate to reduce logs output to the console.

 By default, system logging is enabled. You are advised not to disable it. If too many system logs are
displayed, you can configure the severity of logs to be displayed on different devices to reduce the logs
displayed.

 The logging count command is run to enable the log statistics function in global configuration mode. After
this function is enabled, the system records the number of times logs are generated by each module and the
generation time of the last log.

 The default severity of logs that are displayed on the console is debugging (Level 7). You can run the show
logging config command in privileged EXEC mode to display the severity of logs that are displayed on the
console.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enable log statistics collection.

logging count

Log statistics collection is disabled by default.

(4) (Optional) Configure the severity of logs that are output to the console.

logging console [ severity-level ]

The default severity of logs that are displayed on the console is 7 (debugging information).

(5) (Optional) Configure logging rate limiting.

logging rate-limit [ console ] [ all ] number [ except [ severity-level ] ]

Logging rate limiting is disabled by default.

1.7.3 Configuring the Output of System Logs to the Monitor Terminal

1. Overview

This section describes how to configure the output of system logs to the monitor terminal so that the device can
output system logs to the remote monitor terminal. Then, the administrator can monitor the running status of the
system.

2. Restrictions and Guidelines

 If too many system logs are generated, you can limit the logging rate to reduce logs output to the monitor
terminal.

 By default, the current monitor terminal is not allowed to output logs after you remotely connect to the device.
You need to manually run the terminal monitor command to allow the current monitor terminal to display
logs. The terminal monitor command is valid only for the current connection. When the terminal reconnects
to the device, the default settings of this command are restored.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enable log display on the current monitor terminal.

terminal monitor

Log display in the window of the monitor terminal is disabled by default.

(3) Enter the global configuration mode.

configure terminal

(4) (Optional) Configure the severity of logs to be output to the monitor terminal.

logging monitor [ severity-level ]

The default severity of logs that are displayed in the window of the monitor terminal is 7 (debugging
information).

1.7.4 Configuring the Device to Write System Logs into the Memory Buffer

1. Overview

This section describes how to configure the device to write system logs into the memory buffer so that the
device can write generated system logs into the memory buffer. Then, the administrator can view recent system
logs by running the show logging command.

2. Restrictions and Guidelines

 If the buffer is full, earlier logs are overwritten when system logs are written into the memory buffer.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the parameters for the memory buffer, into which logs are to be written.

logging buffered [ buffer-size ] [ severity-level ]

The buffer size is 10 megabytes and the log severity is 7 by default.

1.7.5 Configuring the Transmission of System Logs to the Log Server

1. Overview

This section describes how to configure the device to transmit generated system logs to the log server so that
the administrator can monitor device logs on the server.

2. Restrictions and Guidelines

● The log timestamp or sequence number function must be enabled. Otherwise, the logs are not sent to the
log server.

● The logging server command is used to specify the address of the log server that receives logs. You can
specify multiple log servers, and logs are sent simultaneously to all these log servers.

● Up to five log servers can be configured for the device.

● To track and manage logs, you can use the logging source interface command to set the source IP
address of all log packets to the IP address of an interface. Thus, the administrator can identify the device
that sends the logs based on the unique address. If this source interface is not configured or the IP address
is not configured for this source interface, the source IP address of log packets is the IP address of the
interface that sends the log packets.

● The logging trap command is used to configure the severity

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the transmission of logs to a specified log server.

logging server { hostname | ipv4-address | ipv6 ipv6-address } [ vrf vrf-name ] [ tcp-transport
[ tcp-port port-number ] [ tls ] | udp-port port-number ] [ udp-port port-number ] [ facility facility-type ]
[ level inform-level ]

logging { ipv4-address | ipv6 ipv6-address } [ vrf vrf-name ] [ tcp-transport [ tcp-port port-number ]
[ tls ] | udp-port port-number ] [ udp-port port-number ] [ facility facility-type ] [ level inform-level ]

No syslog server is specified to record logs by default.

(4) (Optional) Configure the severity of logs that are sent to the syslog server.

logging trap [ severity-level ]

The default severity of logs is 6 (informational messages). Logs of levels 0 to 6 can be sent to the log
server.

(5) (Optional) Configure the facility value for logs to be sent to the log server.

logging facility facility-type

When the RFC 5424 log format is enabled, the default facility value is 16 (Local0, Local use); when the
RFC 5424 log format is disabled, the default facility value is 23 (Local7, Local use).

(6) (Optional) Configure the source interface for logs to be sent to the log server.

logging source interface interface-type interface-number

No log source address is configured by default, and the source IP address of the log packets sent to the
server is the IP address of the interface that sends the log packets.

(7) (Optional) Configure the source address for logs to be sent to the log server.

○ Configure an IPv4 source address for the logs to be sent to the log server.

logging source ip ipv4-address

○ Configure an IPv6 source address for the logs to be sent to the log server.

logging source ipv6 ipv6-address

No log source address is configured by default, and the source IP address of the log packets sent to the
server is the IP address of the interface that sends the log packets.

1.7.6 Configuring the Function of Writing System Logs into Log Files

1. Overview

This section describes how to configure the function of writing system logs into log files so that the device can
save generated system logs to the log files for viewing. Logs are saved in a log file buffer before being saved to
the log file. The system writes the content in the log file buffer to the log file at the specified frequency, and you
can also save the logs to a log file manually. After the logs are saved, the content in the log file buffer will be
cleared. When logs need to be saved, the device automatically generates log files.

2. Restrictions and Guidelines

● System logs are not immediately written into log files. They are first buffered in the memory buffer, and then
written into log files either periodically (at an interval of 1 hour by default) or when the buffer is full.

● When no log file is generated and the remaining space of the storage medium is insufficient, the device does
not save the newly generated logs to a log file. Therefore, you must regularly clean up the storage space of
the storage medium to keep the log file function working.

● The logging file command is used to create a log file with a specified file name on a specified file storage
device. The file size increases with logs, but cannot exceed the configured value of max-file-size. If the
value of max-file-size is not specified, the default size of a log file is 128 KB.

● After the logging file command is configured, the system saves logs to log files. The configured log file
name does not contain any file type extension. The log file name extension is always txt, which cannot be
changed.

● After this function is configured, logs will be written into log files at an interval of 1 hour. If you have run the
logging file flash:syslog command, 16 log files are created, such as syslog.txt, syslog_1.txt,
syslog_2.txt, …, syslog_14.txt, and syslog_15.txt. Logs are written into the 16 log files in sequence
and cyclically, overwriting earlier content. For example, the system writes logs into syslog_1.txt after
syslog.txt is fully occupied. When syslog_15.txt is fully occupied, logs are written into syslog.txt again.

● The system will not delete the generated log files after the number of log files is modified. Therefore, to save
extended flash space, you need to manually delete the log files generated in the system
(before deletion, you can transfer the log files to an external server through TFTP). For example, 32 log files
are created by default after the function of writing logs into log files is enabled. If the device has generated
32 log files and if you want to change the number of log files to 2, new logs are overwritten into the log files
with the index of 0 and 1 by turns. The existing log files with the index of 2 to 32 are retained. You can
manually delete these log files as needed.

● After the time-based log storage is enabled, the system writes logs of the same level that are generated in
the same day into the same log file. The log file is named yyyy-mm-dd_filename_level.txt, where
yyyy-mm-dd indicates the absolute time of the day when the logs are generated, filename indicates the log
file name configured by the logging file flash command, and level indicates the log severity.

● After you specify the storage time for logs of a level, the system will delete the logs once the storage time
expires. For better network management, the storage time ranges from 7 days to 365 days.

● If the time-based log storage is not enabled, logs are stored based on the file size to support old
configuration commands.

● After the logging flash flush command is configured, the logs in the buffer are immediately written into a
log file.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the parameters for the log file, into which logs are written.

logging file { flash:filename | usb0:filename } [ max-file-size ] [ inform-level ]

(4) Configure the number of log files.

logging file numbers file-numbers

The default number of log files is 16.

(5) Configure the interval for writing logs into log files.

logging flash interval log-write-flash-interval

By default, logs are written into flash files at an interval of 3600s.

(6) Configure the storage time of logs written into log files.

logging life-time level inform-level life-time-days

No storage time is configured by default. The storage time depends on the configured log file size.

(7) Configure the function of immediately writing logs in the buffer into log files.

logging flash flush

1.8 Configuring System Log Filtering


1.8.1 Overview

By default, all the logs generated by the system are displayed on the console or other terminals. By configuring
log filtering, the network administrator can filter the generated system logs, select only the required logs to be
displayed, or have the logs displayed on a specified terminal.

1.8.2 Restrictions and Guidelines

● Two filtering modes are available: contains-only and filter-only, which are mutually exclusive. You can
configure only one filtering mode at a time.

● Log filtering rules fall into exact-match and single-match. The single-match rule prevails over the
exact-match rule. If the same module, mnemonic, or information level is configured in both the
single-match and exact-match rules, the logs complying with the single-match rule are filtered first.

1.8.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Configure the log filtering direction. The following configurations are optional. Select at least one of the
configurations as needed.

○ Configure the log filtering direction.

logging filter direction { all | buffer | file | server | terminal }

Logs sent to all the directions are filtered by default, namely, all is set.

○ Configure the log filtering mode.

logging filter type { contains-only | filter-only }

The filtering type is set to filter-only by default.

(4) Configure the log filtering rule.

logging filter rule { exact-match module module-name mnemonic mnemonic-name level inform-level |
single-match { level inform-level | mnemonic mnemonic-name | module module-name } }

No log filtering rule is configured by default.

1.9 Configuring Performance Logging Function


1.9.1 Overview

After the performance logging function is enabled, the logs that are output through the performance logging
interface will be transmitted through the performance logging channel.

1.9.2 Restrictions and Guidelines

The performance logging function needs to be configured only when a large number of logs are displayed on
the server within a short period. Only a few functional services require this function.

1.9.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enable the performance logging function.

logging performance switch

The performance logging function is disabled by default.

1.10 Configuring Synchronization of User Input and Log Output


1.10.1 Overview

When the synchronization of user input and log output is enabled, even if logs are displayed during user input,
the user input is displayed again after the logs are displayed, thereby ensuring the input integrity and continuity.

1.10.2 Restrictions and Guidelines

The logging synchronous command is configured in line configuration mode, and must be configured on each
line on which this function is to be enabled.

1.10.3 Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Enter the global configuration mode.

configure terminal

(3) Enter the configuration mode of a specified line.

line { console | vty } first-line [ last-line ]

(4) Synchronize user input and log output.

logging synchronous

Synchronization of user input and log output is disabled by default.

1.11 Monitoring
Run the show commands to check the configuration.

Run the clear commands to clear information.

Caution

During device operation, running the clear command may cause service interruption due to key information
loss.

Table 1-8 Syslog Monitoring

| Command | Purpose |
| --- | --- |
| clear logging | Clears logs in the memory buffer. |
| show logging | Displays log statistics and logs in the memory buffer based on the timestamp from earliest to latest. |
| show logging reverse [ timestamp YY MM DD hh:mm:ss ] | Displays log statistics and logs in the memory buffer based on the timestamp from latest to earliest. |
| show logging config | Displays system log configurations and statistics. |
| show logging count | Displays log statistics of each module in the system. |

1.12 Configuration Examples


1.12.1 Configuring the RFC 3164 Log Format

1. Requirements

The network administrator can check system logs to learn about the operation status of the device,
better understand and manage the device, or locate problems.

2. Topology

Figure 1-1 Topology for RFC 3164 Log Format Configuration

Device (G0/1, 192.168.1.10/24) ---- Syslog Server (192.168.1.20/24)

3. Notes

● Ensure that the device and the server are reachable from each other at Layer 3.

● Enable logging.

● Configure the log format.

○ Set the system log format to RFC 3164 format.

○ Configure the log display format.

○ Set the timestamp format to datetime and add the millisecond and year to the timestamp.

○ Add the system name to the system log format.

○ Add the sequence number to the system log format.

● Configure log monitoring.

○ Configure log statistics collection.

○ Set the rate of outputting system logs to the console to 50 logs per second.

○ Configure the display of logs on the monitor terminal.

● Synchronize user input and log output.

● Enable performance logging.

● Configure log filtering.

○ Set the filtering directions of logs to terminal and server.

○ Set the log filtering mode to filter-only.

○ Set the log filtering rule to single-match to filter the logs with a module name containing "SYS".

● Configure the output direction of system logs.

○ Configure the function of writing system logs into a log file named syslog.

○ Configure the transmission of system logs to the log server with the IPv4 address of 192.168.1.20.

○ Configure the size of the system logs to be written into the memory buffer to 128 KB (131072 bytes).

4. Procedure

(1) Configure the management IP address for the device.

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 0/1
Device(config-if-GigabitEthernet 0/1)# ip address 192.168.1.10 255.255.255.0
Device(config-if-GigabitEthernet 0/1)# exit

(2) Enable logging.

Device(config)# logging on

(3) Configure the system log format.

Set the system log format to RFC 3164 format by disabling the RFC 5424 log format.

Device(config)# no service log-format rfc5424

Set the log display format to the standard log format.

Device(config)# service standard-logging

Set the timestamp format to datetime and add the millisecond and year to the timestamp.

Device(config)# service logging-timestamp normal-log datetime year msec
Device(config)# service logging-timestamp debug-log datetime year msec

Add the system name to the system log format.

Device(config)# service sysname

Add the sequence number to the system log format.

Device(config)# service sequence-numbers

(4) Configure log monitoring.

Device(config)# logging userinfo
Device(config)# logging userinfo command-log

Configure log statistics collection.

Device(config)# logging count

Configure the output of system logs to the console.

Device(config)# logging console informational

Set the rate of outputting system logs to the console to 50 logs per second.

Device(config)# logging rate-limit console 50

Configure the output of system logs to the monitor terminal.

Device(config)# logging monitor informational
Device(config)# line vty 0 4
Device(config-line)# monitor

(5) Synchronize user input and log output.

Device(config-line)# logging synchronous
Device(config-line)# exit

(6) Enable performance logging.

Device(config)# logging performance switch

(7) Configure log filtering.

Set the filtering directions of logs to terminal and server.

Device(config)# logging filter direction server
Device(config)# logging filter direction terminal

Set the log filtering mode to filter-only.

Device(config)# logging filter type filter-only

Set the log filtering rule to single-match to filter the logs with a module name containing "SYS".

Device(config)# logging filter rule single-match module SYS

(8) Configure the output direction of system logs.

Configure the function of writing system logs into a log file named syslog.

Device(config)# logging file flash:syslog debugging
Device(config)# logging flash interval 600

Configure the transmission of system logs to the log server with the IPv4 address of 192.168.1.20.

Device(config)# logging server 192.168.1.20

Configure the size of the system logs to be written into the memory buffer to 128 KB (131072 bytes).

Device(config)# logging buffered 131072 informational

5. Verification

Run the ping command to check whether the Layer 3 route between the device and the log server is reachable.

Device# ping 192.168.1.20
Sending 5, 100-byte ICMP Echoes to 192.168.1.20, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms

Run the show logging config command to check the configuration.

Device# show logging config
Syslog logging: enabled
Console logging: level informational, 82 messages logged
Monitor logging: level informational, 0 messages logged
Buffer logging: level debugging, 83 messages logged
File logging: level debugging, 83 messages logged
File name:syslog.txt, size 128 Kbytes, the 1 file is currently being written
Standard format:true
Timestamp debug messages: datetime
Timestamp log messages: datetime
Sequence-number log messages: enable
Sysname log messages: enable
Count log messages: enable
Trap logging: level debugging, 82 message lines logged,8 fail
logging to 192.168.1.20

6. Configuration Files

Device configuration file

hostname Device
service standard-syslog
service sysname
service sequence-numbers
service timestamps debug datetime msec year
service timestamps normal-log datetime msec year
logging filter direction server
logging filter direction terminal
logging filter rule single-match module SYS
logging rate-limit console 50
logging count
logging userinfo command-log
logging buffered 131072 informational
logging file flash:syslog debugging
logging flash interval 600
logging console informational
logging monitor informational
logging server 192.168.1.20
logging performance switch
interface GigabitEthernet 0/1
ip address 192.168.1.10 255.255.255.0
end

1.12.2 Configuring the RFC 5424 Log Format

1. Requirements

The network administrator can check system logs to learn about the operation status of the device, better
understand and manage the device, or locate problems.

2. Topology

Figure 1-2 Topology for RFC 5424 Log Format Configuration

Device (G0/1, 192.168.1.10/24) ---- Syslog Server (192.168.1.20/24)

3. Notes

● Ensure that the device and the server are reachable from each other at Layer 3.

● Enable logging.

● Set the system log format to RFC 5424 format.

● Configure log reporting.

○ Configure level-based log reporting.

○ Configure delayed log reporting.

○ Configure periodical log reporting.

● Configure log monitoring.

○ Configure the log statistics collection.

○ Set the rate of outputting system logs to the console to 50 logs per second.

○ Configure the display of logs on the monitor terminal.

● Synchronize user input and log output.

● Enable performance logging.

● Configure log filtering.

○ Set the filtering directions of logs to terminal and server.

○ Set the log filtering mode to filter-only.

○ Set the log filtering rule to single-match to filter the logs with a module name containing "SYS".

● Configure the output direction of system logs.

○ Configure the function of writing system logs into a log file named syslog.

○ Configure the transmission of system logs to the log server with the IPv4 address of 192.168.1.20.

○ Configure the size of the system logs to be written into the memory buffer to 128 KB (131072 bytes).

4. Procedure

(1) Configure the management IP address for the device.

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 0/1
Device(config-if-GigabitEthernet 0/1)# ip address 192.168.1.10 255.255.255.0
Device(config-if-GigabitEthernet 0/1)# exit

(2) Enable logging.

Device(config)# logging on

(3) Set the system log format to RFC 5424 format.

Device(config)# service log-format rfc5424

(4) Configure log reporting.

Configure delayed log reporting.

Device(config)# logging delay-send terminal
Device(config)# logging delay-send interval 7200
Device(config)# logging delay-send file flash:syslog
Device(config)# logging delay-send server 192.168.1.20 mode ftp user admin password admin

Configure level-based log reporting.

Device(config)# logging policy module SYS not-lesser-than 5 direction console
Device(config)# logging policy module SYS 3 direction buffer

Configure periodical log reporting.

Device(config)# logging statistic enable
Device(config)# logging statistic terminal
Device(config)# logging statistic mnemonic TUNNEL_STAT interval 30

(5) Configure log monitoring.

Device(config)# logging userinfo
Device(config)# logging userinfo command-log

Configure log statistics collection.

Device(config)# logging count

Configure the output of system logs to the console.

Device(config)# logging console informational

Set the rate of outputting system logs to the console to 50 logs per second.

Device(config)# logging rate-limit console 50

Configure the output of system logs to the monitor terminal.

Device(config)# logging monitor informational
Device(config)# line vty 0 4
Device(config-line)# monitor

(6) Synchronize user input and log output.

Device(config-line)# logging synchronous
Device(config-line)# exit

(7) Enable performance logging.

Device(config)# logging performance switch

(8) Configure system log filtering.

Set the filtering directions of logs to terminal and server.

Device(config)# logging filter direction server
Device(config)# logging filter direction terminal

Set the log filtering mode to filter-only.

Device(config)# logging filter type filter-only

Set the log filtering rule to single-match to filter the logs with a module name containing "SYS".

Device(config)# logging filter rule single-match module SYS

(9) Configure the output direction of system logs.

Configure the function of writing system logs into a log file named syslog.

Device(config)# logging file flash:syslog debugging
Device(config)# logging flash interval 600

Configure the transmission of system logs to the log server with the IPv4 address of 192.168.1.20.

Device(config)# logging server 192.168.1.20

Configure the size of the system logs to be written into the memory buffer to 128 KB (131072 bytes).

Device(config)# logging buffered 131072 informational

5. Verification

(1) Run the ping command to check whether the Layer 3 route between the device and the log server is
reachable.

Device# ping 192.168.1.20
Sending 5, 100-byte ICMP Echoes to 192.168.1.20, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms.

(2) Run the show logging config command to check the configuration result.

Device# show logging config
Syslog logging: enabled
Console logging: level informational, 84 messages logged
Monitor logging: level informational, 0 messages logged
Buffer logging: level debugging, 92 messages logged
File logging: level debugging, 105 messages logged
File name:syslog.txt, size 128 Kbytes, the 1 file is currently being written
Statistic log messages: enable
Statistic log messages to terminal: enable
Delay-send log messages to terminal: enable
Delay-send file name:syslog, Current write index:0, Current send index:0,
Cycle:7200 seconds
Count log messages: enable
Trap logging: level debugging, 84 message lines logged,10 fail
logging to 192.168.1.20
Delay-send logging: 0 message lines logged
logging to 192.168.1.20 by ftp

6. Configuration Files

Device configuration file

hostname Device
!
service log-format rfc5424
logging filter direction server
logging filter direction terminal
logging filter rule single-match module SYS
logging rate-limit console 50
logging count
logging userinfo command-log
logging buffered 131072 informational
logging file flash:syslog debugging
logging flash interval 600
logging console informational
logging monitor informational
logging facility local7
logging server 192.168.1.20
logging performance switch
logging policy module SYS not-lesser-than 5 direction console
logging policy module SYS 3 direction buffer
logging statistic enable
logging statistic terminal
logging statistic mnemonic TUNNEL_STAT interval 30
logging delay-send terminal
logging delay-send interval 7200
logging delay-send file flash:syslog
logging delay-send server 192.168.1.20 mode ftp user admin password admin
!
interface GigabitEthernet 0/1
ip address 192.168.1.10 255.255.255.0
!
end
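
Both example configurations export logs with logging server 192.168.1.20 and no tcp-transport or tls keyword, and the RFC 5424 example also uploads delayed logs over FTP with the password in the configuration. The following audit script is an added example, not part of this guide or of RGOS: it checks a saved configuration for those settings. The check names, the hardened comparison configuration and TCP port 6514 are assumptions of this example, built only from the command syntax in section 1.7.5.

```python
import re

# Logging lines copied from the device configuration file of the RFC 5424 example.
PAGE_CONFIG = """\
hostname Device
service log-format rfc5424
logging filter direction server
logging filter direction terminal
logging filter rule single-match module SYS
logging buffered 131072 informational
logging file flash:syslog debugging
logging server 192.168.1.20
logging delay-send server 192.168.1.20 mode ftp user admin password admin
interface GigabitEthernet 0/1
ip address 192.168.1.10 255.255.255.0
end
"""

# Constructed comparison config (not from the guide), using only keywords from
# the logging server syntax in section 1.7.5. TCP port 6514 is an assumed value.
HARDENED_CONFIG = """\
hostname Device
service log-format rfc5424
logging server 192.168.1.20 tcp-transport tcp-port 6514 tls
logging source interface GigabitEthernet 0/1
logging trap informational
end
"""

MAX_LOG_SERVERS = 5  # "Up to five log servers" in section 1.7.5
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def redact(line):
    """Hide the token after 'password' so a report never repeats the secret."""
    return re.sub(r"(\bpassword\s+)\S+", r"\1<redacted>", line)


def is_server_line(tok):
    """True for 'logging server <addr> ...' and the short 'logging <addr> ...' form."""
    if len(tok) < 2 or tok[0] != "logging":
        return False
    return tok[1] in ("server", "ipv6") or IPV4.fullmatch(tok[1]) is not None


def audit_logging_config(config_text):
    """Return findings as (check_id, config_line_or_None, reason) tuples."""
    findings, servers, filter_dirs = [], [], set()
    source_pinned = filter_rule = False

    for raw in config_text.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok or tok[0] != "logging":
            continue
        if is_server_line(tok):
            servers.append(line)
            if "tcp-transport" not in tok:
                findings.append(("SYSLOG_UDP", line,
                                 "UDP export: no encryption, no sender authentication, no retransmission"))
            elif "tls" not in tok:
                findings.append(("SYSLOG_NO_TLS", line,
                                 "TCP export without the tls keyword carries logs in cleartext"))
        elif tok[1:3] == ["delay-send", "server"]:
            if re.search(r"\bmode ftp\b", line):
                findings.append(("DELAYSEND_FTP", redact(line),
                                 "FTP sends the user name, password and log file in cleartext"))
            if "password" in tok:
                findings.append(("CLEARTEXT_SECRET", redact(line),
                                 "password is readable by anyone who can view the configuration"))
        elif tok[1:2] == ["source"]:
            source_pinned = True
        elif tok[1:3] == ["filter", "direction"] and len(tok) > 3:
            filter_dirs.add(tok[3])
        elif tok[1:3] == ["filter", "rule"]:
            filter_rule = True

    if servers and not source_pinned:
        findings.append(("NO_SOURCE_PIN", None,
                         "no logging source set: source IP follows the egress interface"))
    if len(servers) > MAX_LOG_SERVERS:
        findings.append(("TOO_MANY_SERVERS", None, "more than five log servers configured"))
    # With no explicit direction, the guide's default filter direction is 'all'.
    if filter_rule and (not filter_dirs or filter_dirs & {"all", "server"}):
        findings.append(("FILTER_TO_SERVER", None,
                         "filter rules apply to logs sent to the server: review what is dropped"))
    return findings


def finding_ids(config_text):
    """Sorted, de-duplicated check ids for one configuration."""
    return sorted({check for check, _, _ in audit_logging_config(config_text)})


if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for check, line, why in audit_logging_config(cfg):
            print(f"  [{check}] {line or '(whole config)'}: {why}")
```
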

Contents

1 Configuring Software Upgrade
1.1 Introduction
1.2 Restrictions and Guidelines
1.3 Principles of System Version Upgrade
1.4 Principles of Patch Version Upgrade
1.4.1 Basic Concepts
1.4.2 Patch Package Management
1.4.3 Patch Automatic Synchronization
1.5 Configuration Task Summary
1.6 Configuring System Version Upgrade
1.6.1 Configuration Tasks
1.6.2 Configuring Subsystem Upgrade/Degrade
1.6.3 Configuring Version Automatic Synchronization
1.7 Configuring Patch Version Upgrade
1.7.1 Overview
1.7.2 Configuration Restrictions and Guidance
1.7.3 Configuration Tasks
1.7.4 Installing a Patch Package
1.7.5 Activating a Patch Package by One Click
1.7.6 Uninstalling a Patch Package
1.7.7 Configuring Patch Automatic Synchronization
1.8 Configuring Verification
1.8.1 Overview
1.8.2 Configuration Tasks
1.8.3 Configuring Trusted Boot
1.8.4 Checking the Software
1.9 Monitoring
1.10 Configuration Examples
1.10.1 Configuring Subsystem Upgrade
1.10.2 Installing a Patch Package
1.10.3 Uninstalling a Patch Package
Configuration Guide Configuring Software Upgrade

1 Configuring Software Upgrade


1.1 Introduction
Adopting a modular structure, Ruijie General Operating System (RGOS) supports overall system upgrade and
subsystem upgrade, as well as the upgrade through patches. The package management module of RGOS is
used to install, query, and maintain components of the device. By upgrading the software of the device, users
can install software that is more stable or contains more features in the system.

1.2 Restrictions and Guidelines


● If the password encryption type is 7 or 8, when the device version is downgraded to a version that does not
support the AES128/SHA256 encryption algorithm, the password may not be identified. Therefore, before the
device is downgraded, you must reconfigure the password as a cleartext password or a type 7 password
ciphertext generated on a lower version device.

● During device upgrade, the following error message may be reported: cannot open "/dev/ubi7_0". If the
upgrade eventually succeeds, the reported error is automatically rectified. If the device fails to be upgraded,
try to upgrade the device again. If the error persists, check for hardware damage.

1.3 Principles of System Version Upgrade

1. Basic Concepts

● Subsystem

A subsystem exists on a device in the form of images. Subsystems include:

○ Uboot: After being powered on, the device loads and runs the Uboot subsystem. This subsystem
initializes the device, and loads and runs system images.

○ Rboot: This subsystem is a set of dedicated programs used to install or upgrade the main program.

○ Basic Input Output System (BIOS): This subsystem is dedicated for devices running the X86
architecture.

○ Main program: This subsystem is a collection of Operating Systems (OSs) and applications in the
system.

● Main package

The main package is often used to upgrade/degrade subsystems of box-type devices. The main package is
a combination package of the Uboot, Rboot, and main program subsystems. The main package is used for
overall system upgrade/degradation.

● Rack package

A rack package is used to upgrade/degrade subsystems of rack-type devices. It contains the main
packages of the supervisor modules, switch fabric modules, and line cards. The rack package allows all the
modules on a rack-type device to be upgraded at one time.

● BIOS package

The BIOS package is used to upgrade the BIOS of the device. It is used on the devices running the X86
architecture only.

Caution

An installation package in this document refers to installation files of all the subsystems of the device.

2. Upgrading/Degrading and Managing Subsystems

Subsystem upgrade/degradation aims to update the software functions by replacing the subsystem
components in the device with the ones in an installation package. Redundancy design is adopted for
subsystems, so subsystems of the device are often not directly replaced with the subsystems in the package
during upgrade/degradation. Instead, subsystems are added to the device and then activated.

● Upgrade/Degradation

Subsystems exist on the device in different forms. Therefore, they are upgraded or degraded differently.

○ Uboot: Generally, this subsystem exists in the NOR flash memory of the device in the form of images. It
is upgraded/degraded by writing images into the NOR flash memory of the device.

○ Rboot: Generally, this subsystem exists in the NOR flash memory of the device in the form of images. It
is upgraded/degraded by writing images into the NOR flash memory of the device.

○ BIOS: Generally, this subsystem exists in the flash memory of the device in the form of images. It is
upgraded/degraded by writing images into the flash memory of the device.

○ Main program: Generally, this subsystem exists in the NAND flash memory of the device in the form of
images. It is upgraded/degraded by writing images into the NAND flash memory of the device.

 Management

During upgrade of the subsystem component of the main program, the upgrade/degradation module
always records the subsystem component in use, the redundant subsystem components, and
management information of various versions in the configuration file. The module queries the available
subsystem components and then loads subsystem components as needed.

The redundancy design is adopted for each subsystem component. During the upgrade/degradation:

○ Uboot: This subsystem contains a master boot subsystem and a slave boot subsystem. Only the master
boot subsystem is upgraded, and the slave boot subsystem is always redundant.

○ Rboot: This subsystem contains one program. More redundancies are allowed if there is enough space.

○ BIOS: This subsystem contains a master BIOS and a slave BIOS. The two BIOSs can be upgraded.

○ Main program: One redundancy is allowed if there is enough space.

 Upgrade

Put upgrade files in the local device, and then run the upgrade command.

1.4 Principles of Patch Version Upgrade

1.4.1 Basic Concepts

 Patch package


A patch package contains several patches. You can install the package to fix various problems in the
main program. If a patch package contains hot patches, they take effect before you restart the device.
If a patch package contains cold patches, they take effect only after the device is restarted.

1.4.2 Patch Package Management

Upgrading a cold patch expands the component files in the package onto the device. The upgrade takes
effect only after the device is restarted.

Upgrading a hot patch is similar, except that only the files to be revised are replaced, and the new files
then take effect automatically.

Patch management uses a database to record patch information. Installation, query, and uninstallation
correspond to insertion, query, and deletion of records in the database.

Patch management includes three states: installed, activated, and confirmed:

 A patch in the installed state only indicates that this patch exists on the device, but it has not taken effect.

 A patch in the activated state is effective, but it will automatically roll back to the previous state after the
device is restarted.

 A confirmed patch is also an effective patch, and the patch will not roll back even if the device is restarted.
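
The three states above can be replayed as a small state machine to check whether a planned command sequence leaves a fix in place across a restart. This is an added example, not code from the guide or from RGOS: the transition table, the state and function names, and the treatment of `reload` are assumptions built from the guide's hot-patch `install` procedure and its note that `install commit` fails unless the patch is active.

```python
from enum import Enum


class PatchState(Enum):
    ABSENT = "absent"          # package not on the device
    INSTALLED = "installed"    # on the device, not in effect
    ACTIVATED = "activated"    # in effect, rolls back at the next restart
    CONFIRMED = "confirmed"    # in effect, survives a restart


class PatchError(Exception):
    """A command was issued in a state where it cannot take effect."""


# Assumed transition table (hot patch only), derived from the guide's procedures.
TRANSITIONS = {
    ("install add", PatchState.ABSENT): PatchState.INSTALLED,
    ("install activate", PatchState.INSTALLED): PatchState.ACTIVATED,
    ("install commit", PatchState.ACTIVATED): PatchState.CONFIRMED,
    ("install deactivate", PatchState.ACTIVATED): PatchState.INSTALLED,
    ("install deactivate", PatchState.CONFIRMED): PatchState.INSTALLED,
    ("install remove", PatchState.INSTALLED): PatchState.ABSENT,
}


def step(state, command):
    """Return the state after one command; 'reload' models a device restart."""
    if command == "reload":
        # Only a temporary activation is lost across a restart.
        return PatchState.INSTALLED if state is PatchState.ACTIVATED else state
    try:
        return TRANSITIONS[(command, state)]
    except KeyError:
        raise PatchError(f"'{command}' is not valid in state {state.value}") from None


def run_plan(commands, state=PatchState.ABSENT):
    """Replay a planned command sequence and return every state passed through."""
    trace = [state]
    for command in commands:
        state = step(state, command)
        trace.append(state)
    return trace


def fix_survives_restart(commands):
    """True if the patch is still in effect after the plan plus one more restart."""
    final = run_plan(list(commands) + ["reload"])[-1]
    return final is PatchState.CONFIRMED


if __name__ == "__main__":
    plan = ["install add", "install activate"]
    print([s.value for s in run_plan(plan)])
    print("survives restart:", fix_survives_restart(plan))
    print("survives restart:", fix_survives_restart(plan + ["install commit"]))
```

A plan that stops at temporary activation reports that the fix does not survive a restart, which is the case to catch when the patch closes a security defect.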

1.4.3 Patch Automatic Synchronization

Patch automatic synchronization aims to coordinate multiple subsystems (boards and chassis) within a system.
During software upgrade, the system automatically sends the patch installed on the supervisor module to all the
members meeting component installation rules. When a new member is added, the system automatically
synchronizes the patch installed on the supervisor module to the new member. Thus, problems already
resolved by the patch do not reappear even if manual synchronization is omitted.

Patch automatic synchronization rules:

 The versions of all the subsystems must come from the same rack package before patch automatic
synchronization is performed.

 The patch installed on the master supervisor module is used as the benchmark. If the same patch is
installed on a newly connected member but the patch status is higher than that of the supervisor module, the
patch on the new member is not processed. The status order of patches is: add, active, and running.

1.5 Configuration Task Summary


Software upgrade configuration includes the following tasks:

 Configuring System Version Upgrade

a Configuring Subsystem Upgrade/Degrade

b Configuring Version Automatic Synchronization

 Configuring Patch Version Upgrade

a Installing a Patch Package

b Activating a Patch Package by One Click

c Uninstalling a Patch Package


d Configuring Patch Automatic Synchronization

 Configuring Verification

a Configuring Trusted Boot

b Checking the Software

1.6 Configuring System Version Upgrade

1.6.1 Configuration Tasks

System version upgrade configuration includes the following tasks:

(1) Configuring Subsystem Upgrade/Degrade

(2) (Optional) Configuring Version Automatic Synchronization

1.6.2 Configuring Subsystem Upgrade/Degrade

Warning

Boot upgrade is risky. If the device is powered off during the upgrade, the device may be damaged and stop
working. If the upgrade fails, do not power off the device; attempt the boot upgrade again.

1. Overview

Subsystem installation packages include the following types:

 Main package for device upgrade: After the upgrade using the main package is completed, all system
software in the device is updated, and the overall software is enhanced.

 Rack package for upgrade: After the upgrade using the rack package is completed, all system software in
the rack-type device is updated, and the overall software is enhanced.

2. Restrictions and Guidelines

 To upgrade a main package of the device, download the installation package to the local device and run the
upgrade command.

 To upgrade a rack package, store the rack package in a USB flash drive or SD card of the device because
the rack package is large, and then run the upgrade command.

 Before the upgrade, run the verify command to confirm that the MD5 value of the installation package
matches the expected value.

 After running the upgrade command to complete the upgrade of the installation package, you need to run
the reload command to restart the device to complete the update process. Otherwise, the installation
package from before the upgrade will still be running on the system. Before running the reload command
to restart the device, confirm whether you need to run the write command to save the configuration.

3. Procedure

(1) Enter the privileged EXEC mode.


enable

(2) Upgrade the installation package corresponding to the device.

upgrade { url [ slot slot-id | slot all ] | download { ftp://path [ slot slot-id | slot all ] [ vrf vrf-name ] |
https://path [ slot slot-id | slot all ] [ vrf vrf-name ] | tftp://path [ slot slot-id | slot all ] [ vrf vrf-name ] } }
[ force ]

(3) Upgrade all Uboot and Rboot files on the device.

upgrade boot { url [ slot slot-id | slot all ] | download { ftp://path [ slot slot-id | slot all ] [ vrf vrf-name ] |
https://path [ slot slot-id | slot all ] [ vrf vrf-name ] | tftp://path [ slot slot-id | slot all ] [ vrf vrf-name ] } }
[ force ]

(4) Restart the device to complete the upgrade process.

reload

1.6.3 Configuring Version Automatic Synchronization

1. Overview

Configure a version automatic synchronization policy.

2. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Configure a version automatic synchronization policy.

upgrade auto-sync policy { none | compatible | coordinate }

(3) Configure a version automatic synchronization range.

upgrade auto-sync range vsu

Specification
VSU is not supported by the RG-RSR830 series.

(4) Configure the path of the upgrade package for version automatic synchronization.

upgrade auto-sync package url

(5) Configure the status of the version automatic synchronization service.

upgrade sync-server [ close | open ]

Automatic version synchronization is enabled by default.

1.7 Configuring Patch Version Upgrade


1.7.1 Overview

In addition to the main program version, RGOS provides a patch mechanism to quickly fix problems occurring
in the main program version. A hot patch package can fix software bugs before the device is restarted, whereas
an installed cold patch package takes effect only after the device is restarted. A patch package fixes a specific
software version only. After the main program version is upgraded, the corresponding patch becomes invalid
automatically.

1.7.2 Configuration Restrictions and Guidance

 After the hot patch package is installed, the patch will take effect directly without restarting the device. If a
cold patch package is installed, the device must be restarted for the patch to take effect.

1.7.3 Configuration Tasks

Patch version configuration includes the following tasks:

(1) Installing a Patch Package

(2) Activating a Patch Package by One Click

(3) Uninstalling a Patch Package

(4) Configuring Patch Automatic Synchronization

1.7.4 Installing a Patch Package

1. Overview

Install a patch package to fix software bugs. A patch package is used to upgrade a specific version of software
only.

2. Restrictions and Guidelines

 Before installing a patch package, download it to a local directory of the device.

Caution

The downloaded patch package cannot be renamed. The name of the patch package is used as the operation
keyword for the subsequent patch activation, deactivation, and uninstallation.

 The installed patch must be activated before it is used. You must activate the patch first temporarily and then
permanently. If a patch is activated temporarily, it rolls back to the previous state after the device is
restarted. Activate a patch only temporarily when you just want to verify the patch function.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Download a patch package.

install add url [ slot slot-id | slot all ]

(3) Install the patch package by performing either of the following operations:

 Run the general patch command to install the patch package.

a Activate the installed patch temporarily.

install activate package_name [ slot slot-id | slot all ]


b Activate the patch permanently.

install commit [ slot slot-id | slot all ]

 Run the patch command to install the patch package.

a Activate the installed patch temporarily.

patch active [ slot slot-id | slot all ]

b Activate the patch permanently.

patch running [ slot slot-id | slot all ]

(4) Activate the patch permanently by one click.

patch auto-running [ slot slot-id | slot all ]

(5) (Optional) Restart the device for the patch to take effect.

reload

Run this command only after a cold patch is installed.

1.7.5 Activating a Patch Package by One Click

1. Overview

Install a patch package to fix software bugs. A patch package is used to upgrade a specific version of software
only.

2. Restrictions and Guidelines

 To fix software bugs without upgrading the main program and perform temporary verification, activate the
patch package temporarily by one click.

 To fix software bugs without upgrading the main program, activate the patch package permanently by one
click.

 If you need to ignore the CPU and memory checks of the system when installing a patch, add the
ignore_cpu_mem parameter to the one-click upgrade command. The CPU and memory thresholds
(waterlines) are built into the system by default, and both values are 85%.

Caution

The downloaded patch package cannot be renamed. The name of the patch package is used as the
operation keyword for the subsequent patch activation, deactivation, and uninstallation.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Activate the patch package by one click.

○ Activate the patch package temporarily by one click.

upgrade url patch-active [ slot slot-id | slot all ] [ force ]


upgrade download { ftp://path | https://path | tftp://path } patch-active [ vrf vrf-name ] [ slot slot-id |
slot all ] [ force ]

○ Activate the patch package permanently by one click.

upgrade url patch-running [ slot slot-id | slot all ] [ force ]

upgrade download { ftp://path | https://path | tftp://path } patch-running [ vrf vrf-name ] [ slot slot-id |
slot all ] [ force ]

○ Perform upgrade by one click to activate the patch package permanently.


patch autoload url [ slot slot-id | slot all ] [ ignore_cpu_mem ]

1.7.6 Uninstalling a Patch Package

1. Overview

Deactivate the activated patches and remove the existing patches from the device, that is, the database
information.

2. Restrictions and Guidelines

From the user's perspective, only one patch is effective on the device at a time. Therefore, only one patch can
be activated on the device. To install another patch package for a function component, first uninstall the
previous patch.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Uninstall a patch. Run one of the following commands to uninstall the patch package:

 Run the general patch command to uninstall a patch package.

a Deactivate an activated patch.

install deactivate package_name [ slot slot-id | slot all ]

b Uninstall a patch.

install remove package_name [ slot slot-id | slot all ]

 Run the patch command to uninstall a patch package.

a Deactivate an activated patch.

patch deactivate package_name [ slot slot-id | slot all ]

b Uninstall a patch.

patch delete [ slot slot-id | slot all ]

1.7.7 Configuring Patch Automatic Synchronization

1. Overview

Configure the patch automatic synchronization policy.

2. Procedure

(1) Enter the privileged EXEC mode.

enable


(2) Enter the global configuration mode.

configure terminal

(3) Configure patch automatic synchronization.

install auto-sync { disable | enable }

Patch automatic synchronization is enabled by default.

1.8 Configuring Verification


1.8.1 Overview

During main program upgrades, patch upgrades, and system startup, RGOS supports tamper resistance for
system files to ensure system security and trustworthiness.

1.8.2 Configuration Tasks

The configuration tasks are as follows:

 Configuring Trusted Boot

 Checking the Software

1.8.3 Configuring Trusted Boot

1. Overview
The trusted boot function can be enabled after configuration. When the function is enabled, the device will
perform tamper resistance verification on the device system files during the next reboot. If the verification fails,
the device will not be able to start correctly.

Caution

After enabling the trusted boot function for the device, if the device system files are tampered with, the device
will be unable to start properly and will require a system upgrade.

2. Procedure
(1) Enter the privileged mode.

enable

(2) Enable the trusted boot function.

safe-verify enable

By default, the trusted boot function is disabled.

1.8.4 Checking the Software

1. Overview

After configuration, the device software can be checked for tampering without rebooting the device.

2. Restrictions and Guidelines

When the device software is being checked for tampering, other CLI operations are not allowed until the check
is completed.


3. Procedure

(1) Enter the privileged mode.

enable

(2) Check whether the device software has been tampered with.

check safe-verify running

1.9 Monitoring
Run the show commands to check the configuration.

Run the check commands to check information.

Run the clear commands to clear information.

Caution

During device operation, running the clear command may cause service interruption due to key information
loss.

Table 1-1 Software Upgrade Monitoring

Command
    Purpose

check version
    Checks the version matching.

show cmpnt { { begin | client | server } { backup | current } { all_log | error_log | major_log | msg_log | trace_log } | auto_db | new_list | upgrade_db }
    Displays patch debugging information.

show install [ detail ] [ slot slot-id | slot all ]
    Displays information about the hot patch package already installed on the device in a multi-patch solution.

show install auto-sync
    Checks whether the device is enabled with patch automatic synchronization.

show patch [ detail ] [ slot slot-id | slot all ]
    Displays information about the hot patch package already installed on the device in a single-patch solution.

show patch auto-sync
    Displays information about all patch packages that need to be automatically synchronized on the device.

show safe-verify status
    Checks whether the trusted boot function is enabled.

show upgrade auto-sync
    Displays the automatic synchronization upgrade configuration of the device.

show upgrade history
    Displays the upgrade history.

show upgrade status
    Displays the upgrade status of the device and the installation status of a patch.

clear install storage [ slot slot-id | slot all ]
    Clears all the patch packages not running currently and corresponding database information.

1.10 Configuration Examples

1.10.1 Configuring Subsystem Upgrade

1. Requirements

Upgrade a subsystem installation package to update all software in the device so that the overall software is
enhanced and the known software bugs are fixed. Use Figure 1-1 as an example. The upgrade download
tftp://path command is used to upgrade the subsystems of the device by using the installation package file
stored on the TFTP server.

2. Topology

Figure 1-1 Subsystem Upgrade Topology

Device (G0/1: 192.168.1.10/24) ---- TFTP Server (192.168.1.20/24)

3. Notes

 Configure an IP address for the network Ethernet interface on the device so that the L3 route is reachable
between the device and the TFTP server.

 Run the upgrade download tftp://path command to upgrade the installation package file stored on the
TFTP server.

4. Procedure

(1) Configure the Ethernet interface IP address and default route on the device.

Hostname> enable
Hostname# configure terminal
Hostname(config)# interface gigabitethernet 0/1
Hostname(config-if-GigabitEthernet 0/1)# ip address 192.168.1.10 255.255.255.0
Hostname(config-if-GigabitEthernet 0/1)# exit
Hostname(config)# ip route 0.0.0.0 0.0.0.0 gigabitethernet 0/1 192.168.1.20
Hostname(config)# end


(2) Before upgrading the device, run the ping command to check whether the L3 route between the device and
the TFTP server is reachable.

Hostname# ping 192.168.1.20


Sending 5, 100-byte ICMP Echoes to 192.168.1.20, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms.

(3) Run the upgrade download tftp://path command to upgrade the device, and confirm the upgrade result.

Hostname# upgrade download tftp://192.168.1.20/main.bin force


*Nov 23 13:21:39: %UPGRADE-6-INFO: Copy to /tmp/vsd/0/upgrade_rep/
*Nov 23 13:21:39: %UPGRADE-6-INFO: Please wait for a moment......
Press Ctrl+C to quit
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!
< The terminal is locked by upgrade module >
Upgrade start
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!10%
< you can press Ctrl+C to unlock terminal >
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!20%
< you can press Ctrl+C to unlock terminal >
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!30%
< you can press Ctrl+C to unlock terminal >
!!!!!!!!!!!!!!!!!!!!!!!!!!!100%
Upgrade success
< The terminal is unlocked by upgrade module >
[Slot 0]
Device type : rsr830w
Status : success

(4) After upgrading the subsystems, run the reload command to restart the device so that the configuration
takes effect.

Hostname# reload
Reload system?(Y/N)y
*Dec 25 06:48:02: %SYSMON-5-RELOAD: Reset system from [CONSOLE] with reason
[Management port/Reset system by reload command]
Hostname#*Dec 25 06:48:02: %DP-3-RESET_DEV: Reset device 1 due to
SYSMON/3766/CONSOLE/Management port/Reset system by reload command
*Dec 25 06:48:04: %DP-3-MACHINE_RESTART: MACHINE_RESTART

5. Verification

Check the running version on the device. If the version information changes, the upgrade is successful.

Hostname# show version


System description : Ruijie 1G Edge Router(RG-RSR830W) by Ruijie Networks


System start time : 1970-01-01 00:00:00
System uptime : 03:10:24:18
System hardware version : 1.00
System software version : RSR830W_RGOS 12.6(4)B1802, Release(11160507)
System patch number : NA
System serial number : G1SS50J000112
System boot version : 1.4.39(Master) 1.4.35(Slave)
System rboot version : 1.1.69
Module information:
Slot 0 : RG-RSR830W
System uptime : 03:10:24:18
Hardware version : 1.00
Boot version : 1.4.39(Master) 1.4.35(Slave)
Rboot version : 1.1.69
Software version : RSR830W_RGOS 12.6(4)B1802, Release(11160507)
Serial number : G1SS50J000112

6. Common Errors

If an error occurs during the upgrade, the system displays the cause of the upgrade failure. You can also run the
show upgrade status command to display the result of the last upgrade.

The following describes several types of common error messages:

 Invalid installation package: The possible cause is that the package is damaged or is not an installation
package. You are advised to obtain the correct installation package and perform the upgrade again.

 Installation package not supported by the device: The possible cause is that you use the installation
package of other devices. You are advised to obtain the correct installation package, verify the package
information, and perform the upgrade again.

 Insufficient device space: Generally, this error occurs on a rack-type device. You are advised to check
whether the device is equipped with a USB flash drive or SD card. Rack-type devices often have USB flash
drives.

1.10.2 Installing a Patch Package

1. Requirements

Install a patch package to fix software bugs without upgrading the main program version.

2. Topology

Figure 1-2 Patch Package Installation Topology

Device (G0/1: 192.168.1.10/24) ---- TFTP Server (192.168.1.20/24)


3. Notes

 Make sure that the L3 route to the device is reachable.

 Copy the patch package to the device.

 Run the patch installation command.

 Activate a hot patch.

○ Activate a hot patch temporarily.

○ Activate a hot patch permanently.

 Configure patch automatic synchronization.

4. Procedure

(1) Configure the Ethernet interface IP address and default route on the device.

Hostname> enable
Hostname# configure terminal
Hostname(config)# interface gigabitethernet 0/1
Hostname(config-if-GigabitEthernet 0/1)# ip address 192.168.1.10 255.255.255.0
Hostname(config-if-GigabitEthernet 0/1)# exit
Hostname(config)# ip route 0.0.0.0 0.0.0.0 gigabitethernet 0/1 192.168.1.20
Hostname(config)# end

(2) Install a patch package.

Hostname# install add tftp://192.168.1.20/smu_rf_hot1002_0118.bin


Press Ctrl+C to quit
!
< The terminal is lock >
Operating, please wait for a moment.....
!!!!! 100%
Patch operation finish!
Operate result information:
-------------------------------------
Slot Result Comment
1/0 Success None
2/0 Success None

< The terminal is unlock >


(3) Activate a patch.

 Run the install command to activate the patch.

a Run the install activate command to activate the hot patch temporarily.

Hostname# install activate smu_rf_hot1002_0118.bin


< The terminal is lock >
Operating, please wait for a moment.......
!!!!! 100%
Patch operation finish!
Operate result information:


-------------------------------------
Slot Result Comment
1/0 Success None
2/0 Success None

< The terminal is unlock >


b Run the install commit command to activate the hot patch permanently.

Hostname# install commit


< The terminal is lock >
Operating, please wait for a moment...
!!!!! 100%
Patch operation finish!
Operate result information:
-------------------------------------
Slot Result Comment
1/0 Success None
2/0 Success None

< The terminal is unlock >


 Run the patch command to activate the patch.

a Run the patch active command to activate the hot patch temporarily.

Hostname# patch active


< The terminal is lock >
Operating, please wait for a moment.......
!!!!! 100%
Patch operation finish!
Operate result information:
-------------------------------------
Slot Result Comment
1/0 Success None
2/0 Success None

< The terminal is unlock >


b Run the patch running command to activate the hot patch permanently.

Hostname# patch running


< The terminal is lock >
Operating, please wait for a moment...
!!!!! 100%
Patch operation finish!
Operate result information:
-------------------------------------
Slot Result Comment
1/0 Success None
2/0 Success None


< The terminal is unlock >


(4) Configure automatic synchronization of the patch.

Hostname# configure
Enter configuration commands, one per line. End with CNTL/Z.
Hostname(config)# install auto-sync enable

5. Verification

Run the show install command to display information about the hot patches installed on the device.

Hostname# show install


Install information:
[Slot 1/0]
Name State Flag Effective time Package
smu_rf_hot1002_0118.bin running Hot 2019-09-17 19:00:02

[Slot 2/0]
Name State Flag Effective time Package
smu_rf_hot1002_0118.bin running Hot 2019-09-17 19:00:02

Run the show patch command to display information about the hot patches installed on the device.

Hostname# show patch


[Slot 1/0]
Patch package SP1 installed in the system, version:5.0.0.0
----------------------------------------
Patch : SP1.bin
Status : active
Version : 5.0.0.0
Size : 1770
Install time: 2021-09-03 10:00:24
Description : test SP1

[Slot 2/0]
Patch package SP1 installed in the system, version:5.0.0.0
----------------------------------------
Patch : SP1.bin
Status : active
Version : 5.0.0.0
Size : 1770
Install time: 2021-09-03 10:00:24
Description : test SP1
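
The verification step can be automated by parsing `show install` output and flagging any slot where the expected patch is missing or is not yet in the `running` state, since only a permanently activated patch survives a restart. This is an added example, not code from the guide: the sample output is constructed (modelled on the output above, with slot 2/0 changed to `active` and an empty slot 3/0 added), and the function names and the assumption that the State column shows `add`, `active` or `running` are this example's own.

```python
import re

# Constructed sample, modelled on the guide's "show install" output.
SAMPLE_OUTPUT = """\
Install information:
[Slot 1/0]
Name State Flag Effective time Package
smu_rf_hot1002_0118.bin running Hot 2019-09-17 19:00:02

[Slot 2/0]
Name State Flag Effective time Package
smu_rf_hot1002_0118.bin active Hot 2019-09-17 19:00:02

[Slot 3/0]
[No Install information]
"""

SLOT_RE = re.compile(r"^\[Slot\s+(\S+)\]$")
# Assumption: "running" in the State column is the permanently activated state,
# the last step of the guide's status order add -> active -> running.
PERSISTENT_STATE = "running"


def parse_show_install(text):
    """Return {slot: [{"name", "state", "flag"}, ...]} from 'show install' output."""
    slots = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = SLOT_RE.match(line)
        if match:
            current = match.group(1)
            slots[current] = []
            continue
        # Skip text before the first slot, blank lines, the column header and
        # the "[No Install information]" marker.
        if current is None or not line or line.startswith(("Name ", "[No ")):
            continue
        fields = line.split()
        if len(fields) >= 3:
            slots[current].append(
                {"name": fields[0], "state": fields[1].lower(), "flag": fields[2]}
            )
    return slots


def audit_show_install(text, expected_patch):
    """Return [(slot, finding)] for slots where the patch is absent or not persistent."""
    findings = []
    for slot, patches in parse_show_install(text).items():
        rows = [p for p in patches if p["name"] == expected_patch]
        if not rows:
            findings.append((slot, "missing"))
        elif rows[0]["state"] != PERSISTENT_STATE:
            findings.append((slot, "not persistent: " + rows[0]["state"]))
    return findings


if __name__ == "__main__":
    for slot, finding in audit_show_install(SAMPLE_OUTPUT, "smu_rf_hot1002_0118.bin"):
        print(f"slot {slot}: {finding}")
```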

6. Common Errors

 If you run the install commit command when a patch is not activated, an error is prompted. The install
commit command takes effect only when the patch is in the active state.

 If you run the patch running command when a patch is not activated, an error is prompted. The patch
running command takes effect only when the patch is in the active state.


1.10.3 Uninstalling a Patch Package

1. Requirements

One function component in one device can run one patch only. To install a new patch for this function
component, you need to uninstall the previous patch before installation.

2. Notes

(1) Run the patch deactivation command.

(2) Run the patch uninstall command.

3. Procedure

(1) Uninstall a patch.

 Run the install command to uninstall a patch.

a Run the install deactivate command to deactivate the patch.

Hostname# install deactivate smu_rf_hot1002_0118.bin


< The terminal is lock >
Operating, please wait for a moment.......
! 100%
Patch operation finish!
Operate result information:
-------------------------------------
Slot Result Comment
1/0 Success None
2/0 Success None

< The terminal is lock >


b Run the install remove command to uninstall the patch.

Hostname# install remove smu_rf_hot1002_0118.bin


< The terminal is lock >
Operating, please wait for a moment...
! 100%
Patch operation finish!
Operate result information:
-------------------------------------
Slot Result Comment
1/0 Success None
2/0 Success None

< The terminal is lock >


 Run the patch command to uninstall a patch.

a Run the patch deactive command to deactivate the patch.

Hostname# patch deactive


< The terminal is lock >
Operating, please wait for a moment.......


! 100%
Patch operation finish!
Operate result information:
-------------------------------------
Slot Result Comment
1/0 Success None
2/0 Success None

< The terminal is lock >


b Run the patch delete command to uninstall the patch.

Hostname# patch delete


< The terminal is lock >
Operating, please wait for a moment...
! 100%
Patch operation finish!
Operate result information:
-------------------------------------
Slot Result Comment
1/0 Success None
2/0 Success None

< The terminal is lock >

4. Verification

Run the show install command to display the patch uninstallation result.

Hostname# show install
Install information:
[Slot 1/0]
[No Install information]

[Slot 2/0]
[No Install information]

Run the show patch command to display the patch uninstallation result.

Hostname# show patch


[Slot 1/0]
[No patch package installed in the systemInstall information]

[Slot 2/0]
[No patch package installed in the systemInstall information]

Contents

1 Configuring Uboot
1.1 Introduction
1.1.1 Overview
1.1.2 Accessing the Uboot Menu
1.1.3 Downloading XModem
1.1.4 Running the Main Program
1.1.5 Running the Rboot Program
1.1.6 Querying and Setting Other Functions

2 Configuring the SIMPLE CLI
2.1 Introduction
2.1.1 Overview
2.1.2 Accessing the SIMPLE CLI Operation Interface
2.1.3 Downloading Xmdown
2.1.4 Running the Rboot Program
2.1.5 Running the Main Program
2.1.6 Setting the Baud Rate
2.1.7 Reloading the System
2.1.8 Displaying the Version
2.1.9 Skipping to the Menu Interface

Configuration Guide Configuring Uboot

1 Configuring Uboot
1.1 Introduction
1.1.1 Overview

The Uboot menu includes all functions supported by the universal boot loader (Uboot), including booting the
main program, booting Rboot, and updating Uboot or Rboot.

1.1.2 Accessing the Uboot Menu

1. Connecting to the Client

Connect the COM port of a PC to the serial port of the device through a serial port cable, start
HyperTerminal, and configure the following settings:

• Protocol type for connection: Serial

• Port for connection: COM

• Bits per second: 9600

• Data bit: 8

• Parity check: N/A

• Stop bit: 1

• Data flow control: N/A

2. Starting the Device

After the device is started, the following information is displayed:

Press Ctrl+B to enter Boot Menu, Press Ctrl+C to enter Rboot


Press Ctrl+B.

3. Accessing the Uboot Menu Interface

The interface is displayed as follows:

====== BootLoader Menu("Ctrl+Z" to upper level) ======


TOP menu items.
************************************************
0. XModem utilities.
1. Run main.
2. Run rboot.
3. Scattered utilities.
************************************************
Press a key to run the command:

After the device displays the menu interface, select a menu item to run the corresponding function.

Press the first character of the menu item to perform the function of the menu item. If the menu item is a
submenu, the submenu is accessed. The device displays the interface of the submenu.

Press Ctrl+Z to exit the current submenu and return to the previous-level menu.

1.1.3 Downloading XModem

On the menu interface, select Upgrade bootloader.

This is a submenu. After you access the submenu, the following information is displayed:

====== BootLoader Menu("Ctrl+Z" to upper level) ======


XModem utilities.
************************************************
0. Upgrade bootloader.
1. Upgrade rboot.
************************************************
Press a key to run the command:

1. Upgrading bootloader

This function downloads a Uboot file to the flash memory to update the master Uboot of the system.

(1) On the menu interface, select Upgrade bootloader.

(2) Click Send File under Transfer in HyperTerminal and select a Uboot image file to be downloaded (for
example, UBOOT.BIN).

(3) Click Send.

(4) Wait until the system displays a message indicating that the operation is complete.

2. Upgrading rboot

This function downloads an Rboot file to the flash memory to update Rboot of the system.

(1) On the menu interface, select Upgrade rboot.

(2) Click Send File under Transfer in HyperTerminal and select an Rboot image file to be downloaded (for
example, RBOOT.BIN).

(3) Click Send.

(4) Wait until the system displays a message indicating that the operation is complete.

1.1.4 Running the Main Program

On the menu interface, select Run main. The program automatically skips to the main program from Uboot.

1.1.5 Running the Rboot Program

On the menu interface, select Run rboot. The program automatically skips to Rboot from Uboot.

1.1.6 Querying and Setting Other Functions

On the menu interface, select Scattered utilities.

This is a submenu. After you access the submenu, the following information is displayed:

====== BootLoader Menu("Ctrl+Z" to upper level) ======


Scattered utilities.
************************************************
0. Show the bootloader version.
1. Reload system.
2. Set baudrate.
3. Set default environment.
4. Set debug mode.
5. Run main without enable password.
************************************************
Press a key to run the command:

1. Showing the bootloader Version

This function is used to display the version of the boot program on the current flash memory.

(1) On the menu interface, select Show the bootloader version.

(2) The version of Uboot is displayed.

Information similar to the following is displayed:

'master_bootloader' program information:


Version: 1.3.13
'slave_bootloader' program information:
Version: 1.3.13

2. Reloading the System

On the menu interface, select Reload system. The system reboots automatically.

3. Setting the Baudrate

This is a submenu. In the submenu, select Set baudrate. The following information is displayed:

====== BootLoader Menu("Ctrl+Z" to upper level) ======


Set baudrate.
************************************************
0. Change baudrate to 9600
1. Change baudrate to 57600
2. Change baudrate to 115200
************************************************
Press a key to run the command:

• On the menu interface, select Change baudrate to 9600. The system changes the baud rate to 9600.

• On the menu interface, select Change baudrate to 57600. The system changes the baud rate to 57600.

• On the menu interface, select Change baudrate to 115200. The system changes the baud rate to 115200.

4. Setting the Default Environmental Variable

This function is used to replace the environmental variable stored on the flash memory with the default
environmental variable.

On the menu interface, select Set default environment. The following information is displayed:

Warning: The environment information maybe lose, Are you sure to continue? [yes/No]:

Enter yes or no. If you do not enter any character, no is used by default. When this menu is used to set the
default environmental variable, the baud rate is not restored to the default value. The baud rate currently saved
on the flash memory is still used.

Configuration Guide Configuring the SIMPLE CLI

5. Setting the Debugging Mode

This is a submenu. After you access the submenu, the following information is displayed:

====== BootLoader Menu("Ctrl+Z" to upper level) ======


Set debug mode.
************************************************
0. Debug switch On.
1. Debug switch Off.
************************************************
Press a key to run the command:

Select Debug switch On to enable the debugging mode or select Debug switch Off to disable the debugging
mode.

The main program and Rboot output more boot logs in debugging mode than in normal mode.

6. Starting the Main Program without Enabling Password

On the menu interface, select Run main without enable password. Click OK. The main program is started. In
the main program, you can enable the device without a password. This function is used when you forget the
password. This function is effective for only the current operation. After reboot, the password is still required.

2 Configuring the SIMPLE CLI


2.1 Introduction
2.1.1 Overview

The SIMPLE command line interface (CLI) includes some functions supported by Uboot, which are
implemented through command lines, including booting the main program, booting Rboot, and updating Uboot
or Rboot.

2.1.2 Accessing the SIMPLE CLI Operation Interface

On the Uboot menu interface, press Ctrl+Q to access the SIMPLE CLI operation interface.

====== BootLoader Menu("Ctrl+Z" to upper level) ======


TOP menu items.
************************************************
0. XModem utilities.
1. Run main.
2. Run rboot.
3. Scattered utilities.
************************************************
Press a key to run the command:

Enter help. The functions of commands are displayed as follows:

bootloader# help
Total commands:
help      Dump command list OR show a command's details
xmdown    Download programs through XModem.
runrboot  Run rboot program.
runmain   Run main program.
setbaud   Set BOOT/BOOTLOADER baudrate tools.
reload    Reload tools.
version   Show current version information.
quit      Quit from CLI command line.

2.1.3 Downloading Xmdown

You can run this command to upgrade the main Uboot program and Rboot program on the flash memory.

Enter help xmdown. The usage details of the xmdown command are displayed.

bootloader# help xmdown


Syntax: xmdown (-boot | -rboot)
Usage Details:
-boot: Upgrade BootLoader.
-rboot: Upgrade Rboot.
Examples:
xmdown -boot
xmdown -rboot

1. xmdown -boot

This command is used to upgrade the main Uboot program on the flash memory.

(1) Enter xmdown -boot and press Enter.

(2) Click Send File under Transfer in HyperTerminal and select a Uboot image file to be downloaded (for
example, UBOOT.BIN).

(3) Click Send.

(4) Wait until the system displays a message indicating that the operation is complete.

2. xmdown -rboot

This command is used to upgrade the Rboot program on the flash memory.

(1) Enter xmdown -rboot and press Enter.

(2) Click Send File under Transfer in HyperTerminal and select an Rboot image file to be downloaded (for
example, RBOOT.BIN).

(3) Click Send.

(4) Wait until the system displays a message indicating that the operation is complete.

2.1.4 Running the Rboot Program

Enter the runrboot command. The program automatically skips to Rboot from Uboot.

2.1.5 Running the Main Program

Enter the runmain command. The program automatically skips to the main program from Uboot.

2.1.6 Setting the Baud Rate

After the setbaud command is run, the baud rate of the current device is changed and the changed baud rate is
saved to the environmental variable partition of the flash memory.

Enter the help setbaud command. The usage details of the setbaud command are displayed:

hostname# help setbaud


Syntax: setbaud (-h | -m | -l)
Usage Details:
-h: Set to 115200
-m: Set to 57600
-l: Set to 9600
Examples:
setbaud -l
setbaud -m
setbaud -h

• setbaud -l: The baud rate of the current device is changed to 9600 and the changed baud rate is saved to
the environmental variable partition of the flash memory.

• setbaud -m: The baud rate of the current device is changed to 57600 and the changed baud rate is saved
to the environmental variable partition of the flash memory.

• setbaud -h: The baud rate of the current device is changed to 115200 and the changed baud rate is saved
to the environmental variable partition of the flash memory.

2.1.7 Reloading the System

Enter the reload command and press Enter. The system reboots automatically.

2.1.8 Displaying the Version

Enter the version command and press Enter. The system displays the versions of the master Uboot and slave
Uboot. For example:

bootloader# version
'master_bootloader' program information:
Version: 1.3.13
'slave_bootloader' program information:
Version: 1.3.13

2.1.9 Skipping to the Menu Interface

Enter the quit command and press Enter. The system returns to the menu interface.

Contents

1 Configuring Rboot

1.1 Introduction

1.1.1 Overview

1.1.2 Accessing the Rboot Menu

1.1.3 Downloading TFTP utilities

1.1.4 Downloading X/Y/ZModem

1.1.5 Running the Main Program

1.1.6 Querying and Setting Other Functions

Configuration Guide Configuring Rboot

1 Configuring Rboot
1.1 Introduction
1.1.1 Overview

The Rboot menu includes all functions supported by Rboot, including booting the main program, updating the
universal boot loader (Uboot), updating Rboot, and reinstalling the system.

1.1.2 Accessing the Rboot Menu

1. Connecting to the Client

Connect the COM port of a PC to the serial port of the device through a serial port cable, start the client
software, and configure the following settings:

• Protocol type for connection: Serial

• Port for connection: COM

• Bits per second: 9600

• Data bit: 8

• Parity check: N/A

• Stop bit: 1

• Data flow control: N/A

2. Starting the Device

After the device is started, the following information is displayed:

Press Ctrl+B to enter Boot Menu, Press Ctrl+C to enter Rboot


Press Ctrl+C.

When Rboot is started, the current version is displayed.

Rboot Version: 1.1.22


------------------------------------------------

3. Accessing the Rboot Menu Interface

The interface displays the following:

====== Rboot Menu(Ctrl+Z to upper level) ======


TOP menu items.
************************************************
0. Tftp utilities.
1. X/Y/ZModem utilities.
2. Run main.
3. SetMac utilities.
4. Scattered utilities.
************************************************
Press a key to run the command:


After the device displays the menu interface, select a menu item to run the corresponding function.

Press the first character of the menu item to perform the function of the menu item. If the menu item is a
submenu, the submenu is accessed. The device displays the interface of the submenu.

Press Ctrl+Z to exit the current submenu and return to the previous-level menu.

1.1.3 Downloading TFTP utilities

This is a submenu. After you access the submenu, the following information is displayed:

====== Rboot Menu(Ctrl+Z to upper level) ======


Tftp utilities.
************************************************
0. Upgrade uboot/bios program.
1. Upgrade rboot program.
2. Upgrade main program.
3. Upgrade the entire device by distribute package.
4. Burn the total FlashROM by this downloaded file.
************************************************
Press a key to run the command:

1. Upgrading Uboot/BIOS

This function downloads a Uboot or BIOS file to the flash memory to update the master or slave Uboot of the
system or the master or slave BIOS of the system, depending on the specific requirement.

(1) Start the Trivial File Transfer Protocol (TFTP) server on the PC or supervisor module.

(2) Be sure to put the Uboot or BIOS upgrade image file to be downloaded in the TFTP server directory of the
PC or supervisor module.

(3) Connect the device to the PC through an Ethernet cable.

(4) On the menu interface, select Upgrade uboot/bios program.

(5) Enter Local IP (IP address of the switch), Remote IP (IP address of the PC), and Filename (name of the
Uboot or BIOS file to be downloaded) based on prompts and press Enter.

(6) Wait until the system shows a message indicating that the operation is complete.

2. Upgrading Rboot

This function downloads an Rboot file to the flash memory to update Rboot of the system.

(1) Start the TFTP server on the PC or supervisor module.

(2) Be sure to put the Rboot upgrade image file to be downloaded in the TFTP server directory of the PC or
supervisor module.

(3) Connect the device to the PC through an Ethernet cable.

(4) On the menu interface, select Upgrade rboot program.

(5) Enter Local IP (IP address of the switch), Remote IP (IP address of the PC), and Filename (name of the
Rboot file to be downloaded) based on prompts and press Enter.

3. Upgrading the Main Program

The function is used to parse a main program package and upgrade the main program. If the main program
package contains Uboot or Rboot, Uboot or Rboot is upgraded depending on the version.

(1) Start the TFTP server on the PC or supervisor module.

(2) Be sure to put the upgrade image file of the main program to be downloaded in the TFTP server directory of
the PC or supervisor module.

(3) Connect the device to the PC through an Ethernet cable.

(4) On the menu interface, select Upgrade main program.

(5) Enter Local IP (IP address of the switch), Remote IP (IP address of the PC), and Filename (name of the
main program file to be downloaded) based on prompts and press Enter.

(6) Wait until the system displays a message indicating that the operation is complete.

4. Upgrading the Flash ROM File

This function is used to refresh the ROM files (including the slave Uboot, master Uboot, and Rboot) in the flash
memory to burn such files into the flash memory again. After upgrade, the baud rate is changed to 9600 and
SetMac needs to be set again.

(1) Start the TFTP server on the PC or supervisor module.

(2) Be sure to put the ROM upgrade image file to be downloaded in the TFTP server directory of the PC or
supervisor module.

(3) Connect the device to the PC through an Ethernet cable.

(4) On the menu interface, select Burn the total FlashROM by this downloaded file.

(5) Enter Local IP (IP address of the switch), Remote IP (IP address of the PC), and Filename (name of the
program file to be downloaded) based on prompts and press Enter.

(6) Wait until the system displays a message indicating that the operation is complete.

1.1.4 Downloading X/Y/ZModem

This is a submenu. After you access the submenu, the following information is displayed:

====== BootLoader Menu("Ctrl+Z" to upper level) ======


XModem utilities.
************************************************
X/Y/ZModem utilities.
************************************************
0. XModem utilities.
1. YModem utilities.
2. ZModem utilities.
3. Local utilities.
************************************************
Press a key to run the command:

1. Upgrading XModem

This function is used to download Uboot, BIOS, Rboot, main program, software package, or ROM through
XMODEM and install it on the device.

(1) On the menu interface, select XModem utilities.

(2) The device displays the following submenus:

====== Rboot Menu (Ctrl+Z to upper level) ======


XModem utilities.
************************************************
0. Upgrade uboot/bios program.
1. Upgrade rboot program.
2. Upgrade main program.
3. Upgrade the entire device by distribute package.
4. Burn the total FlashROM by this downloaded file.
************************************************
Press a key to run the command:

(3) Select a required upgrade type.

(4) Select Transfer > Send File in HyperTerminal, select XMODEM for the protocol, and select the file to
download for that upgrade type.

(5) Click Send.

(6) Wait until the system displays a message indicating that the operation is complete.

2. Upgrading YModem

This function is used to download Uboot, BIOS, Rboot, main program, software package, or ROM through
YMODEM and install it on the device.

(1) On the menu interface, select YModem utilities.

(2) The device displays the following submenus:

====== Rboot Menu (Ctrl+Z to upper level) ======


YModem utilities.
************************************************
0. Upgrade uboot/bios program.
1. Upgrade rboot program.
2. Upgrade main program.
3. Upgrade the entire device by distribute package.
4. Burn the total FlashROM by this downloaded file.
************************************************
Press a key to run the command:

(3) Select a required upgrade type.

Note

This menu is similar to the TFTP menu. For details, see the TFTP menu.

(4) Select Transfer > Send File in HyperTerminal, select YMODEM for the protocol, and select the file to
download for that upgrade type.

(5) Click Send.

(6) Wait until the system displays a message indicating that the operation is complete.

3. Upgrading ZModem

This function is used to download Uboot, BIOS, Rboot, main program, software package, or ROM through
ZMODEM and install them on the device.

(1) On the menu interface, select ZModem utilities.

(2) The device displays the following submenus:

====== Rboot Menu (Ctrl+Z to upper level) ======


ZModem utilities.
************************************************
0. Upgrade uboot/bios program.
1. Upgrade rboot program.
2. Upgrade main program.
3. Upgrade the entire device by distribute package.
4. Burn the total FlashROM by this downloaded file.
************************************************
Press a key to run the command:

(3) Select a required upgrade type.

(4) Select Transfer > Send File in HyperTerminal, select ZMODEM for the protocol, and select the file to
download for that upgrade type.

(5) Click Send.

(6) Wait until the system displays a message indicating that the operation is complete.

4. Upgrading Local Utilities

This function is used to download the Uboot, BIOS, Rboot, main program, software package, and ROM to a
USB flash drive or flash memory partition and install them on the device.

(1) On the menu interface, select Local utilities.

(2) The device displays the following submenus:

====== Rboot Menu (Ctrl+Z to upper level) ======


Local utilities.
************************************************
0. Upgrade uboot/bios program.
1. Upgrade rboot program.
2. Upgrade main program.
3. Upgrade the entire device by distribute package.
4. Burn the total FlashROM by this downloaded file.
************************************************
Press a key to run the command:

(3) Select a required upgrade type.

(4) Based on the prompt, enter a file path.

a. If a USB flash drive is used, the file path is usb0: followed by the file location. If there are multiple
USB flash drives or partitions, the file paths are usb1: file location, usb2: file location, and so on.

b. If a flash memory partition is used, the file path is flash: followed by the file location.

(5) Wait until the system displays a message indicating that the operation is complete.

1.1.5 Running the Main Program

On the menu interface, enter 3. The program is booted to access the main program.

1.1.6 Querying and Setting Other Functions

This is a submenu. After you access the submenu, the following information is displayed:

====== Rboot Menu(Ctrl+Z to upper level) ======


Scattered utilities.
************************************************
0. Show Version.
1. Reload System.
2. Set Baudrate.
3. Format Flash.
4. Exit menu.
5. Set debug mode.
6. Run main without enable password.
7. Set Download Gateway.
************************************************
Press a key to run the command:

Note

The options in the submenu increase as the Rboot version is updated, and some items may not be listed in the
Rboot of some earlier products.

1. Displaying the Boot Version

This function is used to display the versions of Uboot/BIOS and Rboot on all flash memories.

(1) On the menu interface, select Show Version.

(2) The system displays versions of Uboot/BIOS and Rboot.

Example:

The First MasterBoot Version: 1.3.13


The First SlaveBoot Version: 1.3.13
The First Rboot Version: 1.0.5
The Second MasterBoot Version: 1.3.13
The Second SlaveBoot Version: 1.3.13
The Second Rboot Version: 1.0.5

Note

Some devices may not display all six boot programs above. NA is displayed for boot programs that do not
exist.
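The Show Version output above is easy to capture from a console log and audit across devices. The following is an added example, not code from this guide or from the vendor: it parses that output, treats NA as an absent boot program, and flags copies that fall below a baseline or differ from each other. The sample output is constructed from the example above, and the baseline values and function names are assumptions.

```python
import re

# Constructed sample: the "Show Version" example shown above, with the second
# MasterBoot changed to 1.3.12 and the second Rboot changed to NA.
SAMPLE_OUTPUT = """\
The First MasterBoot Version: 1.3.13
The First SlaveBoot Version: 1.3.13
The First Rboot Version: 1.0.5
The Second MasterBoot Version: 1.3.12
The Second SlaveBoot Version: 1.3.13
The Second Rboot Version: NA
"""

# Hypothetical site baseline: minimum acceptable version per boot program.
BASELINE = {"MasterBoot": (1, 3, 13), "SlaveBoot": (1, 3, 13), "Rboot": (1, 0, 5)}

LINE_RE = re.compile(
    r"^The (First|Second) (MasterBoot|SlaveBoot|Rboot) Version:\s*(\S+)$"
)


def parse_version(text):
    """Convert '1.3.13' to (1, 3, 13); 'NA' (program absent) becomes None."""
    if text.upper() == "NA":
        return None
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def parse_show_version(output):
    """Map (copy, program) -> version tuple, or None where the device shows NA."""
    slots = {}
    for raw in output.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            copy, program, version = match.groups()
            slots[(copy, program)] = parse_version(version)
    return slots


def audit(slots, baseline):
    """Return findings as tuples so they can feed a report or a ticket."""
    findings = []
    # Each installed copy must meet the baseline for its program.
    for (copy, program), version in sorted(slots.items()):
        if version is not None and version < baseline[program]:
            findings.append(("below-baseline", copy, program))
    # The first and second copies of a program should carry the same version.
    for program in sorted(baseline):
        versions = {
            v for (_, p), v in slots.items() if p == program and v is not None
        }
        if len(versions) > 1:
            findings.append(("copies-differ", program))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_version(SAMPLE_OUTPUT), BASELINE):
        print(finding)
```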

2. Reloading the System

On the menu interface, select Reload System. The system reboots automatically.

3. Setting the Baud Rate

This is a submenu. After you access the submenu, the following information is displayed:

====== BootLoader Menu("Ctrl+Z" to upper level) ======


Set baudrate.
************************************************
0. Change baudrate to 9600
1. Change baudrate to 57600
2. Change baudrate to 115200
************************************************
Press a key to run the command:

○ On the menu interface, select Change baudrate to 9600. The system changes the baud rate to 9600.

○ On the menu interface, select Change baudrate to 57600. The system changes the baud rate to
57600.

○ On the menu interface, select Change baudrate to 115200. The system changes the baud rate to
115200.

Note

The configuration applies to the boot program. In the main program, the baud rate of the boot program may
change with the configuration of the main program.

4. Formatting the Main Storage Partition

Warning

If this function is used, the main program and all configurations of the device and all files in the flash memory
partition are lost. Therefore, do not use this function unless necessary.

On the menu interface, select Format Flash. The main partition is formatted and a partition table is recreated.

5. Setting the Debugging Mode

This is a submenu. After you access the submenu, the following information is displayed:

====== Rboot Menu (Ctrl+Z to upper level) ======


Set debug mode.
************************************************
0. Debug switch On.
1. Debug switch Off.
************************************************
Press a key to run the command:

Select Debug switch On to enable the debugging mode or select Debug switch Off to disable the debugging
mode.

The main program outputs more logs in debugging mode than in normal mode.

6. Running the Main Program Without Enabling Password

On the menu interface, select Run main without enable password. Click OK. The main program is started. In
the main program, you can enable the device without a password. This function is used when you forget the
password. This function is effective for only the current operation. After reboot, the password is still required.

Some devices do not support startup without a password under Rboot (but support startup without a password
under Uboot). In this case, the following information is displayed:

Not supported in Rboot.


Please reload, press Ctrl+B to enter Uboot,
and select the same item in Uboot menu.

For such devices, access Uboot during startup and select the Run main without enable password menu.

7. Downloading Through TFTP Across Gateways

This function is used to configure a gateway and a mask so that files can be downloaded through TFTP across
gateways.

On the menu interface, select Set Download Gateway. The following information is displayed:

Plz enter the Local GatewayIP [<NULL>]:


Enter the IP address of a gateway in the format of X.Y.Z.W. The following message is displayed:

Plz enter the IP Netmask [<NULL>]:


Enter a subnet mask in the format of X.Y.Z.W. The following message is displayed:

Set Local GatewayIP to <set IP address of the gateway>


Set IP Netmask to <set subnet mask>

Then return to the main menu and select items in Tftp utilities. The gateway and subnet mask are displayed
during downloading and files are downloaded through TFTP across gateways.

TFTP: Detect Gateway <set IP address of the gateway> ...


TFTP: Detect Netmask <set subnet mask> ...

The gateway configuration is not retained. After you leave Rboot, the configuration is lost.

To clear the gateway configuration in Rboot, enter a null address in Set Download Gateway.

Plz enter the Local GatewayIP [<NULL>]:


Plz enter the IP Netmask [<NULL>]:
Clear Local GatewayIP config.
Clear IP Netmask config.
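Whether Set Download Gateway is needed depends on whether the Remote IP entered in Tftp utilities is on the same subnet as the Local IP. The following is an added example, not code from this guide or from the vendor: a pre-flight check of the four values before they are typed at the Rboot prompts. The function names are assumptions, and the addresses in the usage section are constructed from documentation ranges.

```python
import ipaddress


def prefix_from_netmask(netmask):
    """Convert an X.Y.Z.W mask to a prefix length; reject non-contiguous masks."""
    value = int(ipaddress.IPv4Address(netmask))
    inverted = value ^ 0xFFFFFFFF
    # A valid mask inverts to a run of low-order ones, so inverted + 1 is a
    # power of two and shares no bits with inverted.
    if inverted & (inverted + 1):
        raise ValueError(f"netmask {netmask} is not contiguous")
    return bin(value).count("1")


def check_tftp_plan(local_ip, remote_ip, netmask, gateway_ip=None):
    """Return (gateway_needed, problems) for a planned Rboot TFTP download.

    local_ip   -- Local IP (IP address of the switch)
    remote_ip  -- Remote IP (IP address of the TFTP server)
    netmask    -- subnet mask of the segment the switch is attached to
    gateway_ip -- value for Set Download Gateway, or None if it is left unset
    """
    local = ipaddress.IPv4Address(local_ip)      # raises ValueError if malformed
    remote = ipaddress.IPv4Address(remote_ip)
    prefix = prefix_from_netmask(netmask)
    network = ipaddress.IPv4Network(f"{local}/{prefix}", strict=False)

    problems = []
    if prefix < 31 and local in (network.network_address, network.broadcast_address):
        problems.append("Local IP is the network or broadcast address of its subnet")
    if remote == local:
        problems.append("Remote IP equals Local IP")

    gateway_needed = remote not in network
    if gateway_needed:
        if gateway_ip is None:
            problems.append("TFTP server is on another subnet: set a download gateway")
        else:
            gateway = ipaddress.IPv4Address(gateway_ip)
            if gateway not in network:
                problems.append("gateway is not on the subnet of the Local IP")
            elif gateway == local:
                problems.append("gateway equals Local IP")
    elif gateway_ip is not None:
        problems.append("TFTP server is on the local subnet: no gateway is needed")
    return gateway_needed, problems


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    print(check_tftp_plan("192.0.2.10", "192.0.2.20", "255.255.255.0"))
    print(check_tftp_plan("192.0.2.10", "198.51.100.5", "255.255.255.0"))
    print(check_tftp_plan("192.0.2.10", "198.51.100.5", "255.255.255.0", "192.0.2.1"))
```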

Contents

1 Configuring License Management

1.1 Introduction

1.1.1 License Management Overview

1.1.2 Principles

1.2 Configuration Task Summary

1.3 Configuring License Management

1.3.1 Overview

1.3.2 Installing License File

1.3.3 Backing Up License File

1.3.4 Configuring Grace Period Warning

1.3.5 Updating License File

1.3.6 Uninstalling License

1.3.7 Unbinding the License

1.4 Monitoring

Configuration Guide Configuring License Management

1 Configuring License Management


1.1 Introduction
1.1.1 License Management Overview

A user needs to install a correct license file to use some extension functions of a device. A user can use the
general and extension functions of the RGOS only after obtaining a license. Extended functions provided by the
system can be used only after being licensed.

Note

Typically, all features of the Ruijie General Operating System (RGOS) are pre-installed in the factory. For
feature licenses and license types, see their configuration guides. RGOS features or basic functions that are
not expressly specified can be used directly without licenses.

1.1.2 Principles

1. Basic Concepts

• Software to be licensed

A software function used by only a licensed user.

• Feature license

A license for a special feature, obtained through a license file, hardware entity, or legal contract. This
license specifies the maximum number of supported users, the maximum number of supported instances,
and the valid period.

• Product authorization key (PAK)

A way of granting a license to a user by providing a license code.

• Purchase voucher

A voucher for the purchase of a license. The voucher contains the PAK and the license download address. The
legitimate owner of the purchase voucher logs in to the license download address and uses the PAK to
sign up. The license file is downloaded from the displayed link or is sent directly to the registered email.

• Host ID

A unique serial number for identifying each device.

• License file

A file that controls the features of licensed software. A license file is generated by using a special tool
based on contract information, and each license file contains a digital signature to prevent tampering. The
license file serves a product. That is, one license file is used on only one device and matches the device's
host ID. Licenses are not transferable. Licensed functions are available when the license file is installed.

• Temporary license

A temporary license becomes invalid after the valid period expires.

• Evaluation license

An evaluation license is temporary, and has been installed on the device before delivery. It is used to
provide users with features for trial use. This type of license is independent of the host ID.

• Permanent license

This license has no time limit and is permanently effective upon purchase by the user.

• License stacking

Different licenses can be used on one device. For example, if a device provides both the FCoE and TRILL
functions, users can purchase the licenses of the two functions and use them on the same device.

• Single-instance license

Only one license can be installed for one feature at a time.

• Grace period warning

A grace period warning is generated in the form of log and trap messages 180 days before a license expires.
Setting a grace period warning prevents licensed software from being affected when an aging license
suddenly stops working upon expiration.

2. License Acquisition and Use

● Use of License

A license must be obtained from the official website or a marketing channel. It is device-specific. Log in to the
website specified in the purchase voucher and provide the PAK and host ID to obtain the license file, which
is either downloaded directly or sent by email. After obtaining the license file, install it.
You can then use the licensed features.

The licenses include permanent licenses and temporary licenses. When a user first enables a temporary
license to use a feature, the valid period of the license starts, and after the period ends, the feature is
disabled. To continue using this feature, the user can purchase another license (permanent or temporary)
from the official website or a marketing channel.

● License check

After a device starts to run, the license for each feature needs to be checked. If the corresponding license
is properly installed, this feature is ready for application. Otherwise, this feature becomes invalid and
cannot be used.

Note

Checking the licenses for various features occurs at different times. The licenses for some features are
checked during startup, and the licenses for other features are checked in real time.

● Loss of the license file

License files are stored in the /data directory of a device and are not lost after a software upgrade.

If the memory or file system is damaged during product use but the license file has been backed up, you
can install the backup license file again after system recovery. If the license file is not backed up, you can
visit the official website to obtain the license file again. This process is the same as the previous acquisition
process (you do not need to purchase the license again).

Licensing is device-based. After a license is provided for a specified device, the license file is verified only
on this device. Upon maintenance or replacement of a device, the host ID may change and the obtained
license file may not be identified. In this case, contact after-sales personnel.

3. Backup, Update, and Uninstallation of a License File

● License file backup

When a fault such as damage of file system storage media occurs on a device, the license file on this
device may be lost after you troubleshoot this fault. Therefore, you need to back up the license file in
advance to reinstall it after you troubleshoot the fault.

● License file update

If the existing license of the system fails to meet the feature requirements, you can visit the official website to
purchase the desired license and then update the license file locally.

● License file uninstallation

If you do not need a feature, you can uninstall the license for this feature to improve the utilization of
resources like the memory. To reuse this feature, reinstall the license. It is recommended that license files
be kept properly.

1.2 Configuration Task Summary


Configuration of license management includes the following tasks:

(1) Installing License File

(2) Backing Up License File

(3) (Optional) Grace Period Warning

(4) (Optional) Updating License File

(5) (Optional) Uninstalling License

(6) (Optional) Unbinding the License

1.3 Configuring License Management


1.3.1 Overview

This section describes how to enable or disable a feature by installing or uninstalling a license file.

1.3.2 Installing License File

1. Overview

This section describes how to install a license file to enable a licensed feature.

2. Restrictions and Guidelines

● Ruijie provides a paper purchase voucher that contains a PAK when you purchase a license.

● Log in to the official website and obtain a license file as prompted.

● If you use a feature without being licensed, the CLI window displays a prompt, indicating that the feature is
not licensed and is unavailable, and provides a website to download a license file.

● After downloading a license file from the specified website, upload this license file to the device (or store it in
a USB flash drive) for installation. You can install the license file offline. Copy the license file to the file
system of the device by using conventional file system operation commands. For example, download the
license file through Trivial File Transfer Protocol (TFTP) or copy the license file to a USB flash drive.

● After a license file is installed on a device, this license file is automatically backed up in the /data directory of
the system (the license file is suffixed with .lic). The backup license file is deleted when the installed license
is uninstalled.

● Install the license file.


○ When you run the license install command, only the local device is installed with the license file.

○ The license auto-install command is equivalent to the license install command.

● Different devices do not share the same license file.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Obtain the SN of the device.

show license hostid

The name of a license file cannot be modified.

This command can be executed without permission.

(3) (Optional) Install the license file. Configure one of the following tasks as required.

○ Install one license.

license install { flash: | usb0: } filename

○ Automatically match and install a license.

license auto-install { flash: | usb0: } filename

1.3.3 Backing Up License File

1. Overview

Back up the license files of one or all features in the system.

2. Restrictions and Guidelines

● Evaluation license files cannot be backed up.

● Sufficient storage space is required to store backup license files. Generally, one license file is 4 KB to 10 KB.

● Backup license files are normal files.

● When all license files in the system are backed up, a .tar file is generated.

● You can run the dir command to save the license files to other storage devices, for example, a USB flash
drive.

● After backing up license files, you can run the dir command to confirm the generated license files, and
compare them with the license file names displayed in the installed license fields of permanently licensed
features in the command output of the show license all-license or show license file command, to check
whether licenses are correctly backed up.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Back up the license files in the system.

○ Back up all permanent license files on the device.

license copy-all { flash: | usb0: } [ target-filename ]

○ Back up license files or license files specified by features.

license copy-file filename { flash: | usb0: } [ target-filename ]

No license file is backed up by default.
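
The comparison described in the guidelines above (backed-up file names against installed license file names) can also be run off-device once the archive from license copy-all has been copied to a management host. The following is an added example, not vendor code: it assumes the .tar archive stores the .lic files as ordinary members, and the file names and contents are constructed placeholders. It also records a SHA-256 digest per file so that later copies of the backup can be compared.

```python
import hashlib
import io
import tarfile

# Typical license file size per the guide (4 KB to 10 KB); outside it is only a warning.
TYPICAL_MIN, TYPICAL_MAX = 4 * 1024, 10 * 1024

def audit_backup(tar_bytes, installed_names):
    """Compare .lic members of a backup archive with the installed license names."""
    digests, warnings = {}, []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name.rsplit("/", 1)[-1]
            if not member.isfile() or not name.endswith(".lic"):
                continue
            data = tar.extractfile(member).read()
            digests[name] = hashlib.sha256(data).hexdigest()
            if not TYPICAL_MIN <= len(data) <= TYPICAL_MAX:
                warnings.append(f"{name}: unusual size {len(data)} bytes")
    installed, backed_up = set(installed_names), set(digests)
    return {
        "missing": sorted(installed - backed_up),      # installed but not in the backup
        "unexpected": sorted(backed_up - installed),   # in the backup but not installed
        "warnings": warnings,
        "sha256": digests,
    }

def build_sample_tar(files):
    """Build a constructed in-memory archive standing in for a real backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: names and contents are placeholders, not real license files.
SAMPLE = build_sample_tar({
    "feature-a.lic": b"A" * 5000,
    "feature-b.lic": b"B" * 100,   # truncated copy, triggers a size warning
})
# Names as they would be read from the installed license fields (constructed).
INSTALLED = ["feature-a.lic", "feature-b.lic", "feature-c.lic"]

if __name__ == "__main__":
    report = audit_backup(SAMPLE, INSTALLED)
    for key in ("missing", "unexpected", "warnings"):
        print(key, report[key])
```

A non-empty "missing" list means an installed permanent license has no backup copy and would have to be obtained again from the website after a storage failure.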

1.3.4 Configuring Grace Period Warning

1. Overview

This section describes how to evaluate the expiration date of a license and how to provide early warnings in
the form of log messages to remind users to take action in advance.

2. Restrictions and Guidelines

● Each licensed feature is separately configured.

● The grace period warning is affected by the device time.

● A permanent license file needs no grace period warning.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Set the grace period for reminding the user of the expiration of a license.

license grace-period filename time

The grace period before the expiration of a license is 180 days by default.

1.3.5 Updating License File

1. Overview

This section describes how to update the license file for a feature of the system. Generally, this function is
performed to update an evaluation license file into a temporary license file.

2. Restrictions and Guidelines

● A formal permanent license file does not need to be updated.

● A later license version cannot be updated into an earlier one.

● A license file contains a generation time field. The value of this field is the time when the license file is
generated on the website. When the value is closer to the current time, the license file has a later version.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Update the license file.

license update { flash: | usb0: } filename

1.3.6 Uninstalling License

1. Overview

This section describes how to uninstall one or all feature licenses in the system when the features are not
needed.

Note

This function becomes invalid when the corresponding license is uninstalled.

2. Restrictions and Guidelines

● If the licensed feature is running, the uninstallation does not take effect immediately, but takes effect after
the feature is enabled or the device is restarted next time.

● You are advised to back up a license file before uninstallation so that you can reinstall the license when
needed.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Uninstall a license in the system. Configure one of the following tasks as required.

○ license uninstall license [ filename ]

○ license auto-uninstall device-id license [ filename ]

This command can be executed without permission.

1.3.7 Unbinding the License

1. Overview

If you want to unbind a license from a device on the license website, unbind the license on the device first.

2. Restrictions and Guidelines

● Upon unbinding a license, you obtain a verification code, which is used to unbind the license on the license
website.

● After the license is unbound, the corresponding license file cannot be reinstalled.

● The function of the license auto-unbind command is the same as that of the license unbind command.

3. Procedure

(1) Enter the privileged EXEC mode.

enable

(2) Unbind a license in the system. Configure one of the following tasks as required.

○ license unbind pak

○ license auto-unbind device-id pak

This command can be executed without permission.

1.4 Monitoring

Run the show command to check the configuration.

Table 1-1 Monitoring

Command                         Purpose
show license all-license        Displays the list of all installed license files on the device.
show license file file-license  Displays the information about a specified license file on the device.
show license dev-license        Displays license configurations of all devices.
show license usage              Displays licenses in use.
show license hostid             Displays the device SN used for licensing.
show license dev-hostid         Displays the device SN of each device.
show license unbind-code        Displays the verification code of a license unbound from the device.
show license dev-unbind-code    Displays the verification code of a license unbound from each device in the environment.
