USB autorun helps ease the configuration of HP Switch switches by providing a way to auto-execute CLI commands from a USB flash drive. Using this solution, you can create a command file (also known as an AutoRun file), write it to a USB storage device, and then execute the file simply by inserting the USB device into the switch's 'Auxiliary Port.' The AutoRun file is executed automatically when autorun is enabled on the switch and can be designed for various purposes, such as to configure the switch, to update software, or to retrieve diagnostic logs for troubleshooting purposes.
The overall USB autorun solution requires the following components:
- An HP Switch switch that can securely use USB autorun to load authorized configurations and write reporting information. This requires software versions xx.13.01 or greater.
- The network management application HP Switch Manager Plus (PCM+). PCM+ is required to create a valid AutoRun file and to view the results after the file has been executed on the switch.
NOTE: The ability to create a valid AutoRun file will be incorporated into an upcoming HP Switch Manager update; see the HP Switch Manager documentation for details.

For guidelines on using the USB port for basic file copy capabilities, see Using USB to transfer files to and from the switch.

The general process for using USB autorun is as follows (steps 1, 2, and 7 require an upcoming update to PCM+, as described above):
By default, the switch is unsecured when shipped (that is, USB autorun is enabled by default). However, as soon as an operator or manager password is configured, autorun is disabled and must be re-enabled at the configuration level of the CLI before it can be used. The requirement to use PCM+ to create a valid AutoRun file helps prevent a nonauthorized command file from being created and processed by the switch.
In terms of physical security, access to the switch's console port and USB port are equivalent. Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you have the following configuration options via the CLI (see Configuring autorun on the switch (CLI)):
You can verify autorun operations by checking the following items:
The following table shows LED indications on the Auxiliary Port that allow you to identify the different USB operation states.
Color | State | Meaning |
---|---|---|
Green | Slow blinking | Switch is processing USB AutoRun file. |
Green | Solid | Switch has finished processing USB AutoRun file. This LED state indicates the AutoRun file was successfully executed and the report files were generated. You can review the report files on a USB-enabled computer for more details. Upon removal of the USB device, the LED turns OFF. |
N/A | Off | Indicates one or more of the following: If the USB device has just been removed from the port, the switch executes any post commands. |
Amber | Fast blinking | Processing error. The AutoRun file stops processing when an error is encountered (for example, no more disk space is available on the USB device to write the result and report files). For more information on the error, remove the USB device and inspect its contents on a USB-enabled computer. |
The following files are generated during autorun operations and written to the USB flash drive:
- Report files (.xml file): show which CLI commands have been run. The file name includes a serial number and datetime stamp to indicate when and on which device the AutoRun file was executed.
- Result files (.txt file): contain the CLI output for each command that was run on the switch, allowing you to verify whether a command was executed successfully or not.
For details on how to use the switch's Event Log or syslog for help in isolating autorun-related problems, see Using the Event Log for troubleshooting switch problems.
To enable/disable the autorun feature on the switch, the following commands can be executed from configuration mode in the CLI.
Syntax:
When executed from the configuration mode, enables or disables USB autorun on the switch.
Use the encryption-key keyword to configure or remove an encryption-key (a base-64 encoded string). The encryption key is a prerequisite for enabling autorun in secure-mode. Encryption is regarded only when the AutoRun file is also signed by an authentic source.
Use the secure-mode keyword to enable or disable secure mode for autorun.
For information about enabling secure mode on autorun, see Autorun secure mode.
You can use autorun secure mode to verify the authenticity of autorun command files. Secure-mode is configured using the autorun secure-mode command and can be enabled under both of the following conditions:
There is an additional security option to install a valid key-pair for signing the result files that are generated during autorun operations. You can generate the key-pair on the switch using the crypto key generate autorun [rsa] command.
NOTE: You can also install the key-pair from a TFTP server or via the USB port using the
- Autorun is enabled by default, until passwords are set on the device.
- To enable secure mode, both an encryption key and trusted certificate must be set.
- If secure mode is disabled, the key-pair can be removed using the crypto key zeroize autorun command.
- When installing the autorun certificate file and/or the other key files, the files must be in PEM format.
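The PEM and base-64 requirements above can be checked on the management workstation before anything is staged for the switch. The following is an added example, not HP code: it checks format only (it does not establish that a certificate is trusted), and the file names and sample values in it are constructed.

```python
import base64
import binascii
import re

# RFC 7468 textual encoding: BEGIN/END armor lines whose labels must match.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

# Constructed sample: a minimal DER SEQUENCE in PEM armor, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

def pem_blocks(data: bytes):
    """Return [(label, der_bytes)] for every well-formed PEM block in data."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return []  # raw DER or other binary content is not PEM
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            continue  # armor present, but the body is not valid base64
        if der[:1] == b"\x30":  # certificates and keys are DER SEQUENCEs
            blocks.append((label, der))
    return blocks

def preflight(name: str, data: bytes, expect: str) -> str:
    """Classify a file before it is staged on the USB drive or TFTP server."""
    labels = [label for label, _ in pem_blocks(data)]
    if not labels:
        return f"{name}: REJECT (not PEM)"
    if not any(expect in label for label in labels):
        return f"{name}: REJECT (found {labels}, expected {expect})"
    return f"{name}: OK ({', '.join(labels)})"

def valid_encryption_key(value: str) -> bool:
    """Assumption: the encryption-key must be a non-empty base-64 string."""
    try:
        return len(base64.b64decode(value, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False

if __name__ == "__main__":
    print(preflight("autorun-cert.pem", SAMPLE_PEM, "CERTIFICATE"))  # hypothetical names
    print(preflight("autorun-cert.der", SAMPLE_DER, "CERTIFICATE"))
    print(valid_encryption_key("c2VjcmV0"), valid_encryption_key("not base64!"))
```
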
When an operator or manager password is configured on a switch, autorun is disabled automatically, and a message is displayed on the screen, as shown in the following example:
    HP Switch# password manager
    New password for manager: *****
    Please retype new password for manager: *****
    Autorun is disabled as operator/manager is configured.
After passwords are set, you can re-enable autorun as needed using the autorun command.
For more information on configuring passwords, see chapter "Username and Password Security" in the Access Security Guide for your switch.