USB

Enabling or disabling the USB port

This feature allows configuration of the USB port with either the CLI or SNMP.

Syntax

usb-port
no usb-port

Enables the USB port. The no form of the command disables the USB port and any access to the device.

Downloading switch software using USB

This procedure assumes that:

  • A software version for the switch has been stored on a USB flash drive. (The latest software file is typically available from the HP Switch Networking website at www.hp.com/networking/support.)

  • The USB device has been plugged into the switch's USB port.

Before you use the procedure:

  • Determine the name of the software file stored on the USB flash drive (for example, k0800.swi.)

  • Decide whether the image will be installed in the primary or secondary flash.

Syntax

copy usb flash filename [ primary | secondary ]

This command automatically downloads a switch software file to primary or secondary flash. If you do not specify the flash destination, the USB download defaults to primary flash.

Example

To copy a switch software file named k0800.swi from a USB device to primary flash:

  1. Execute copy as shown below:

    The command to copy switch software from USB

    When the switch finishes copying the software file from the USB device, it displays this progress message:

    Validating and Writing System Software to the Filesystem....

  2. When the copy finishes, you must reboot the switch to implement the newly loaded software. To do so, use one of the following commands:

    Syntax

    boot system flash [ primary | secondary ]

    Boots from the selected flash.

    Syntax

    reload

    Boots from the flash image and startup-config file. A switch covered in this guide (with multiple configuration files) also uses the current startup-config file.

  3. To confirm that the software downloaded correctly, execute show system and check the Firmware revision line.

Viewing the status of the USB port

Syntax

show usb-port

Displays the status of the USB port. It can be enabled, disabled, or not present. (See show usb-port command output on version K.13.59 and later or show usb-port command output on version K.14.XX, depending on your version.)

Example

show usb-port command output on version K.13.59 and later

show usb-port command output on version K.14.XX

One of the following messages indicates the presence or absence of the USB device:

  • Not able to sense device in USB port

  • USB device detected in port

  • No USB device detected in port

The reseat status messages can be one of the following (K.13.XX only):

  • Undetermined USB reseat requirement

  • USB reseat not required

  • USB device reseat required for USB autorun

The autorun feature works only when a USB device is inserted and the USB port is enabled.

Using USB autorun

The general process for using USB autorun is as follows (steps 1, 2, and 7 require an upcoming update to PCM+, as described above):

  1. Create an AutoRun file using PCM+.

    See the HP Switch Manager documentation for details.


    NOTE: Creating the AutoRun file in PCM+ includes the following steps:

    1. Specify the target device or devices.

    2. Create the CLI script to be executed on the target devices.

    3. Determine if the file will be signed and/or encrypted.

    4. Determine if the file will be 'run once' (moved to a 'processed' directory on execution) or 'run many' (kept in the root directory of the flash drive from where it can be executed again.)


  2. Deploy the AutoRun file to a USB flash drive.

  3. (If required) Enable the autorun feature on the switch (autorun is enabled by default unless an operator or manager password has been set; see Autorun and configuring passwords.)

  4. (If the AutoRun file has been signed or encrypted) Enable secure-mode on the switch:

    1. Configure an encryption key and a valid trusted certificate

    2. Enable secure-mode via the CLI.

      See Downloading switch software.

  5. Insert the USB flash drive into the switch's USB auxiliary port.

    The switch processes the AutoRun file automatically and writes a result (.txt) file and report (.xml) file back to the USB flash drive, reporting on the command operations that were executed.

  6. Remove the USB device from the USB port.

    The switch executes any post-commands, such as rebooting the switch to apply any configuration updates.

  7. (Optional) Transfer the 'result file' and 'report file' to a PCM+-enabled computer for report checking.

    See Troubleshooting autorun operations.

Configuring autorun on the switch

Syntax

[ no ] autorun [ encryption-key key-string | secure-mode ]

When executed from the configuration mode, enables or disables USB autorun on the switch.

Use the encryption-key keyword to configure or remove an encryption key (a base-64 encoded string). The encryption key is a prerequisite for enabling autorun in secure-mode. Encryption is honored only when the AutoRun file is also signed by an authentic source.

Use the secure-mode keyword to enable or disable secure mode for autorun.

(Default: Enabled—or disabled if a password has been set)

Viewing autorun configuration information

The show autorun command displays autorun configuration status information, as shown in the following example.

  HP Switch(config)# show autorun

   Autorun configuration status
 
    Enabled        : Yes
    Secure-mode    : Disabled
    Encryption-key :

Using USB autorun

USB autorun helps ease the configuration of HP Switch switches by providing a way to auto-execute CLI commands from a USB flash drive. Using this solution, you can create a command file (also known as an AutoRun file), write it to a USB storage device, and then execute the file simply by inserting the USB device into the switch's 'Auxiliary Port.' The AutoRun file is executed automatically when autorun is enabled on the switch and can be designed for various purposes, such as to configure the switch, to update software, or to retrieve diagnostic logs for troubleshooting purposes.

The overall USB autorun solution requires the following components:

  • An HP Switch switch that can securely use USB autorun to load authorized configurations and write reporting information. This requires software versions K.13.01, T.13.01 or greater.

  • The network management application HP Switch Manager Plus (PCM+.) PCM+ is required to create a valid AutoRun file and to view the results after the file has been executed on the switch.

  • A non-proprietary USB flash drive.

Security considerations

By default, the switch is unsecured when shipped (that is, USB autorun is enabled by default.) However, as soon as an operator or manager password is configured, autorun is disabled and must be re-enabled at the configuration level of the CLI before it can be used. The requirement to use PCM+ to create a valid AutoRun file helps prevent a nonauthorized command file from being created and processed by the switch.

In terms of physical security, access to the switch's console port and USB port are equivalent. Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you have the following configuration options via the CLI.

  • Disable autorun by setting an operator or manager password.

  • Disable or re-enable the USB autorun function via the CLI.

  • Enable autorun in secure mode to verify signatures in autorun command files and to decrypt encrypted command files.
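
A way to check a set of switches against the options listed above, as an added example (not HP's or this page's own code): it parses saved show autorun output in the format shown earlier on this page and flags switches where autorun is enabled without secure mode. The hostnames, the sample captures, the "No" and "Enabled" field values, and the verdict names are assumptions.

```python
import re

# Field lines as they appear in the page's "show autorun" example.
FIELD = re.compile(
    r"^[ \t]*(Enabled|Secure-mode|Encryption-key)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)

def parse_show_autorun(text):
    """Return the three status fields; raise ValueError on a partial capture."""
    fields = {k.lower(): v for k, v in FIELD.findall(text.replace("\r", ""))}
    missing = {"enabled", "secure-mode", "encryption-key"} - set(fields)
    if missing:
        raise ValueError("missing fields: " + ", ".join(sorted(missing)))
    return fields

def assess(text):
    """Classify one switch as 'disabled', 'secure' or 'unverified'."""
    f = parse_show_autorun(text)
    enabled, secure = f["enabled"].lower(), f["secure-mode"].lower()
    # "No" and "Enabled" are assumed counterparts of the values the page shows.
    if enabled not in ("yes", "no") or secure not in ("enabled", "disabled"):
        raise ValueError("unexpected field value")
    if enabled == "no":
        return "disabled"        # an inserted drive is not processed
    # With autorun on, only secure mode verifies command-file signatures.
    return "secure" if secure == "enabled" else "unverified"

def audit(captures):
    """Map hostname -> verdict; unparseable captures become 'unknown'."""
    verdicts = {}
    for host, text in captures.items():
        try:
            verdicts[host] = assess(text)
        except ValueError:
            verdicts[host] = "unknown"   # never report a bad capture as safe
    return verdicts

# Constructed captures: hostnames and the key value are made up.
HEAD = " Autorun configuration status\n\n"
CAPTURES = {
    "closet-a": "HP Switch(config)# show autorun\r\n\r\n" + HEAD
                + "  Enabled        : Yes\r\n  Secure-mode    : Disabled\r\n  Encryption-key :\r\n",
    "closet-b": HEAD + "  Enabled        : No\n  Secure-mode    : Disabled\n  Encryption-key :\n",
    "core-1": HEAD + "  Enabled        : Yes\n  Secure-mode    : Enabled\n"
              "  Encryption-key : Q09OU1RSVUNURUQ=\n",
    "edge-9": HEAD + "  Enabled        : Yes\n",   # truncated capture
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(CAPTURES).items()):
        print(f"{host:10} {verdict}")
```

A switch reported as "unverified" may simply be in its shipped state with no operator or manager password configured, so check the password configuration on those devices first.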

Troubleshooting autorun operations

You can verify autorun operations by checking the following items:

USB auxiliary port LEDs

The following table shows LED indications on the Auxiliary Port that allow you to identify the different USB operation states.

| Color | State | Meaning |
|---|---|---|
| Green | Slow blinking | Switch is processing USB AutoRun file. |
| Green | Solid | Switch has finished processing USB AutoRun file. This LED state indicates the AutoRun file was successfully executed and the report files were generated. You can review the report files on a USB-enabled computer for more details. Upon removal of the USB device, the LED turns OFF. |
| N/A | Off | Indicates one or more of the following: no USB device has been inserted; a USB device that cannot be recognized as a USB storage device has been inserted; no AutoRun file can be found on the inserted USB device. If the USB device has just been removed from the port, the switch executes any post commands. |
| Amber | Fast blinking | Processing Error. The AutoRun file stops processing when an error is encountered (for example, no more disk space is available on the USB device to write the result and report files.) For more information on the error, remove the USB device and inspect its contents on a USB-enabled computer. |

AutoRun status files

The following files are generated during autorun operations and written to the USB flash drive:

  • Report files (.xml file)—show which CLI commands have been run. The file name includes a serial number and datetime stamp to indicate when and on which device the AutoRun file was executed.

  • Result files (.txt file)—contain the CLI output for each command that was run on the switch, allowing you to verify whether a command was executed successfully or not.


NOTE: PCM+ provides a mechanism to read these status files and capture the results of the commands executed. It also allows you to verify the report files for their authenticity and reject files that have not been signed.

The status files do not include any records of post commands that may have been executed after the USB flash drive was removed from the switch.


Autorun secure mode

You can use autorun secure mode to verify the authenticity of autorun command files. Secure-mode is configured using the autorun secure-mode command and can be enabled only when both of the following conditions are met:

  • An encryption-key has already been configured using the autorun encryption-key command.

  • A trusted certificate for verifying autorun command files has been copied to the switch using the

    copy [ tftp | usb ] autorun-cert-file

    command.

There is an additional security option to install a valid key-pair for signing the result files that are generated during autorun operations. You can generate the key-pair on the switch using the crypto key generate autorun [rsa] command.


NOTE: You can also install the key-pair from a tftp server or via the USB port using the

copy [ tftp | usb ] autorun-key-file ipaddr filename

command. The filename must contain the private key and the matching public key in an X509 certificate structure. Both the private key and the X509 certificate must be in PEM format.


Operating notes and restrictions

  • Autorun is enabled by default, until passwords are set on the device.

  • Secure-mode and encryption-key are disabled by default.

  • To enable secure mode, both an encryption key and trusted certificate must be set.

  • If secure-mode is enabled, the following conditions apply:

    • The encryption-key cannot be removed or unconfigured.

    • The key-pair cannot be removed.

  • If secure mode is disabled, the key-pair can be removed using the crypto key zeroize autorun command.

  • When installing the autorun certificate file and/or the other key files, the files must be in PEM format.

Autorun and configuring passwords

When an operator or manager password is configured on a switch, autorun is disabled automatically, and a message is displayed on the screen, as shown in the following example:

HP Switch# password manager
New password for manager: *****
Please retype new password for manager: *****
Autorun is disabled as operator/manager is configured.

After passwords are set, you can re-enable autorun as needed using the autorun command.

Behavior of autorun when USB port is disabled

Software versions K.13.XX operation

When using software version K.13.58, if the USB port is disabled (no usb-port command), the USB autorun function does not work in the USB port until the USB port is enabled, the config file is saved, and the switch is rebooted. The 5-volt power to the USB port remains on, even after the USB port has been disabled.

For software versions after K.13.58, the 5-volt power applied to the USB port is synchronized with the enabling of the USB port, that is, when the USB port is enabled, the 5 volts are supplied; when the USB port is disabled, the 5 volts are not supplied. For previous software versions, the power was supplied continuously. The autorun function does not require a switch reboot, but the USB device must be inserted at least once after the port is enabled so the switch recognizes that the device is present. If the USB device is inserted, and then the USB port is enabled, the switch does not recognize that a USB device is present.

Software version K.14.XX operation

For software versions K.14.XX, the USB port can be disabled and enabled without affecting the autorun feature. When the USB port is enabled, the autorun feature activates if a USB device is already inserted in the USB port.

Power is synchronized with the enabling and disabling of USB ports as described above for K.13.59 and later software.