3Com 5500-EI PWR Reference Manual


Table of Contents
1 CLI Configuration Commands
  CLI Configuration Commands
    command-privilege level
    display history-command
    super
    super authentication-mode
    super password


Summary of Contents for 3Com 5500-EI PWR

  • Page 2: Cli Configuration Commands

    Command level to be set, in the range of 0 to 3. view view: CLI view. It can be any CLI view that the Ethernet switch supports. The 3com switch 5500-EI supports only the CLI views listed in...
  • Page 3
    CLI view          Description
    mst-region        MST region view
    mtlk-group        Monitor link group view
    null              NULL interface view
    ospf              OSPF view
    ospf-area         OSPF area view
    peer-key-code     Public key editing view
    peer-public-key   Public key view
                      PIM view
    poe-profile       PoE profile view
    qinq              QinQ view
    qos-profile       QoS profile view
    radius-template...
  • Page 4
    Level Name      Command
    Monitor level   Commands used to maintain the system and diagnose service fault, such as debugging, terminal and reset commands.
    System level    All configuration commands except for those at the manage level.
    Manage level    Commands associated with the basic operation modules and support modules of the system, such as file system, FTP/TFTP/XMODEM downloading, user management, and...
  • Page 5
    [Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm
    # Restore the default level of the tftp get command. To restore the default levels of the commands starting with the tftp keyword, you only need to specify the tftp keyword.
    [Sysname] undo command-privilege view shell tftp
    display history-command
    Syntax...
  • Page 6 Executing this command without the level argument will switch the current user level to level 3 by default. Note that: Users logged into the switch fall into four user levels, which correspond to the four command levels respectively. Users at a specific level can only use the commands at the same level or lower levels.
  • Page 7 Description Use the super authentication-mode command to specify the authentication mode used for low-to-high user level switching. Use the undo super authentication-mode command to restore the default. By default, super password authentication is adopted for low-to-high user level switching. Note that, the two authentication modes, super password authentication and HWTACACS authentication, are available at the same time to provide authentication redundancy.
  • Page 8 password: Password to be set. If the simple keyword is used, you must provide a plain-text password, that is, a string of 1 to 16 characters. If the cipher keyword is used, you can provide a password in either of the two ways: Input a plain-text password, that is, a string of 1 to 16 characters, which will be automatically converted into a 24-character cipher-text password.
  • Page 9: Table Of Contents

    Table of Contents
    1 Login Commands
      Login Commands
        authentication-mode
        auto-execute command
        copyright-info enable
        databits
        display telnet-server source-ip
        display telnet source-ip
        display user-interface
        display users
        display web users
        free user-interface
        header
        history-command max-size
        idle-timeout
        ip http shutdown...
  • Page 10: Login Commands

    Login Commands Login Commands authentication-mode Syntax authentication-mode { password | scheme [ command-authorization ] | none } View User interface view Parameters none: Specifies not to authenticate users. password: Authenticates users using the local password. scheme: Authenticates users locally or remotely using usernames and passwords. command-authorization: Performs command authorization on TACACS authentication server.
  • Page 11 To improve security and prevent attacks to the unused Sockets, TCP 23 and TCP 22, ports for Telnet and SSH services respectively, will be enabled or disabled after corresponding configurations. If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled. If the authentication mode is password, and the corresponding password has been set, TCP 23 will be enabled, and TCP 22 will be disabled.
  • Page 12: Auto-Execute Command

    auto-execute command Syntax auto-execute command text undo auto-execute command View VTY user interface view Parameters text: Command to be executed automatically. Description Use the auto-execute command command to set the command that is executed automatically after a user logs in. Use the undo auto-execute command command to disable the specified command from being automatically executed.
  • Page 13: Copyright-Info Enable

    Note that these two commands apply to users logging in through the console port and by means of Telnet. Examples # Disable copyright information displaying. ******************************************************************************** Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved. Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed. ******************************************************************************** <Sysname> system-view System View: return to User View with Ctrl+Z.
  • Page 14: Display Telnet-Server Source-Ip

    Parameters 7: Sets the databits to 7. 8: Sets the databits to 8. Description Use the databits command to set the databits for the user interface. Use the undo databits command to revert to the default databits. The default databits is 8. Examples # Set the databits to 7.
  • Page 15: Display Telnet Source-Ip

    Examples # Display the source IP address configured for the switch operating as the Telnet server. <Sysname> display telnet-server source-ip The source IP you specified is 192.168.1.1 display telnet source-ip Syntax display telnet source-ip View Any view Parameters None Description Use the display telnet source-ip command to display the source IP address configured for the switch operating as the Telnet client.
  • Page 16 In absolute user interface number scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 12. summary: Displays the summary information about a user interface. Description Use the display user-interface command to display the information about a specified user interface or all user interfaces.
  • Page 17
    Super: The authentication mode used for a user to switch from the current lower user level to a higher level, including S, A, SA and AS.
    S: Super password authentication
    A: HWTACACS authentication
    SA: Super password authentication is preferred, with HWTACACS authentication being a backup
    AS: HWTACACS authentication is preferred, with super password authentication being a backup...
  • Page 18: Display Users

    display users Syntax display users [ all ] View Any view Parameters all: Displays the user information about all user interfaces. Description Use the display users command to display the user information about user interfaces. If you do not specify the all keyword, only the user information about the current user interface is displayed.
  • Page 19: Free User-Interface

    View Any view Parameters None Description Use the display web users command to display the information about the current on-line Web users. Examples # Display the information about the current on-line Web users. <Sysname> display web users Name Language Level Login Time Last Req.
  • Page 20: Header

    Description Use the free user-interface command to free a user interface. That is, this command tears down the connection between a user and a user interface. Note that the current user interface cannot be freed. Examples # Release user interface VTY 1. <Sysname>...
  • Page 21 # Test the configuration remotely using Telnet. (only when login authentication is configured can the login banner be displayed). ******************************************************************************** Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved. Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
  • Page 22: History-Command Max-Size

    Welcome to legal!
    Press Y or ENTER to continue, N to exit.
    Welcome to login!
    Login authentication
    Password:
    Welcome to shell!
    <Sysname>
    history-command max-size
    Syntax
    history-command max-size value
    undo history-command max-size
    View
    User interface view
    Parameters
    value: Size of the history command buffer, ranging from 0 to 256 (in terms of commands).
    Description
    Use the history-command max-size command to set the size of the history command buffer.
  • Page 23: Ip Http Shutdown

    Parameters minutes: Number of minutes. This argument ranges from 0 to 35,791. seconds: Number of seconds. This argument ranges from 0 to 59. Description Use the idle-timeout command to set the timeout time. The connection to a user interface is terminated if no operation is performed in the user interface within the timeout time.
  • Page 24: Lock

    After the Web file is upgraded, you need to use the boot web-package command to specify a new Web file or specify a new Web file from the boot menu after reboot for the Web server to operate properly. Refer to the File System Management part in this manual for information about the boot web-package command.
  • Page 25: Parity

    Password: Again: locked ! In this case, the user interface is locked. To operate the user interface again, you need to press Enter and provide the password as prompted. Password: <Sysname> parity Syntax parity { even | none | odd | } undo parity View AUX user interface view...
  • Page 26 telnet: Supports Telnet protocol. Description Use the protocol inbound command to specify the protocols supported by the user interface. Both Telnet protocol and SSH protocol are supported by default. Related commands: user-interface vty. To improve security and prevent attacks to the unused Sockets, TCP 23 and TCP 22 (ports for Telnet and SSH services respectively) will be enabled or disabled after corresponding configurations.
  • Page 27: Screen-Length

    screen-length Syntax screen-length screen-length undo screen-length View User interface view Parameters screen-length: Number of lines the screen can contain. This argument ranges from 0 to 512. Description Use the screen-length command to set the number of lines the terminal screen can contain. Use the undo screen-length command to revert to the default number of lines.
  • Page 28: Service-Type

    Examples # Send “hello” to all user interfaces. <Sysname> send all Enter message, end with CTRL+Z or Enter; abort with CTRL+C: hello^Z Send message? [Y/N]y The current user interface will receive the following information: <Sysname> ***Message from vty1 to vty1 hello service-type Syntax...
  • Page 29: Set Authentication Password

    Monitor level: Commands at this level are used to maintain the system, to debug service problems, and so on. The display and debugging commands are at monitor level. Commands at this level cannot be saved in configuration files. System level: Commands at this level are used to configure services. Commands concerning routing and network layers are at system level.
  • Page 30: Shell

    password: Password to be set. The password must be in plain text if you specify the simple keyword in the set authentication password command. If you specify the cipher keyword, the password can be in either cipher text or plain text, as described in the following. When you enter the password in plain text containing no more than 16 characters (such as 123), the system converts the password to the corresponding 24-character encrypted password.
  • Page 31: Speed

    Note the following when using the undo shell command: Terminal services cannot be disabled in AUX user interfaces. This command is unavailable in the current user interface. The execution of this command requires user confirmation. Examples # Disable terminal services in VTY 0 through VTY 4 (assuming that you log in through an AUX user interface).
  • Page 32: Telnet

    View AUX user interface view Parameters 1: Sets the stopbits to 1. 1.5: Sets the stopbits to 1.5. 2: Sets the stopbits to 2. Description Use the stopbits command to set the stopbits of the user interface. Use the undo stopbits command to revert to the default stopbits. Execute these two commands in AUX user interface view only.
  • Page 33: Telnet Source-Interface

    <SwitchA> telnet 129.102.0.1 Trying 129.102.0.1 ... Press CTRL+K to abort Connected to 129.102.0.1 ... ******************************************************************************** Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved. Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed. ******************************************************************************** <SwitchB>...
  • Page 34: Telnet Source-Ip

    System View: return to User View with Ctrl+Z. [Sysname] telnet source-interface Vlan-interface 2 telnet source-ip Syntax telnet source-ip ip-address undo telnet source-ip View System view Parameters ip-address: IP address to be set. Description Use the telnet source-ip command to specify the source IP address for a Telnet client. Use the undo telnet source-ip command to remove the source IP address.
  • Page 35: Telnet-Server Source-Ip

    The source interface can be a loopback interface or a VLAN interface. If the specified interface does not exist, the system prompts that this configuration fails, and the login succeeds only when there is a route between the Telnet client and the specified source interface. With the telnet-server source-interface command configured, the client can log in to the local device using only the primary IP address of the specified interface.
  • Page 36: User-Interface

    user-interface Syntax user-interface [ type ] first-number [ last-number ] View System view Parameters type: User interface type, which can be AUX (for AUX user interface) and VTY (for VTY user interface). first-number: User interface index identifying the first user interface to be configured. A user interface index can be relative or absolute.
  • Page 37 Use the undo user privilege level command to revert to the default command level. By default, the commands at level 3 are available to the users logging in to the AUX user interface. The commands at level 0 are available to the users logging in to VTY user interfaces. Commands fall into four command levels: visit, monitor, system, and manage, which are described as follows: Visit level: Commands at this level are used to diagnose network, such as the ping, tracert, and...
  • Page 38: Commands For User Control

    Commands for User Control Commands for Controlling Logging in Users Syntax acl acl-number { inbound | outbound } undo acl acl-number { inbound | outbound } View User interface view Parameters acl-number: ACL number. This argument can identify different types of ACLs, as listed below. 2000 to 2999, for basic ACLs 3000 to 3999, for advanced ACLs 4000 to 4999, for Layer 2 ACLs...
  • Page 39: Free Web-Users

    free web-users Syntax free web-users { all | user-id user-id | user-name user-name } View User view Parameters all: Specifies all Web users. user-id: Web user ID, an eight-digit hexadecimal number. user-name: User name of the Web user. This argument can contain 1 to 80 characters. Description Use the free web-users command to disconnect a specified Web user or all Web users by force.
  • Page 40: Snmp-Agent Community

    snmp-agent community Syntax snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]* undo snmp-agent community community-name View System view Parameters read: Specifies that the community has read-only permission in the specified view. write: Specifies that the community has read/write permission in the specified view. community-name: Community name, a string of 1 to 32 characters.
  • Page 41: Snmp-Agent Usm-User

    undo snmp-agent group v3 group-name [ authentication | privacy ] View System view Parameters v1: SNMPv1. v2c: SNMPv2c. v3: SNMPv3. group-name: Group name. This argument can be of 1 to 32 characters. authentication: Specifies to authenticate SNMP data without encrypting the data. privacy: Authenticates and encrypts packets.
  • Page 42 View System view Parameters v1: SNMPv1. v2c: SNMPv2c. v3: SNMPv3. user-name: User name, a string of 1 to 32 characters. group-name: Name of the group to which the user corresponds. This argument is a string of 1 to 32 characters. cipher: Specifies the authentication or encryption password to be in ciphertext.
  • Page 44 Table of Contents
    1 Configuration File Management Commands
      File Attribute Configuration Commands
        display current-configuration
        display current-configuration vlan
        display saved-configuration
        display startup
        display this
        reset saved-configuration
        save
        startup saved-configuration...
  • Page 45: Configuration File Management Commands

    Configuration File Management Commands The 3com 5500-EI series Ethernet switches support Expandable Resilient Networking (XRN), and allow you to access a file on the switch in one of the following ways: To access a file on the specified unit, you need to enter the file universal resource locator (URL) starting with unit[No.]>flash:/, where [No.] represents the unit ID of the switch.
  • Page 46 system: Indicates the system configuration. user-interface: Indicates the user interface configuration. interface: Displays port/interface configuration. interface-type: Port/interface type, which can be one of the following: Aux, Ethernet, GigabitEthernet, Loopback, NULL and VLAN-interface. interface-number: Port/interface number. by-linenum: Displays configuration information with line numbers. |: Uses a regular expression to filter the configuration of the switch to be displayed.
  • Page 47 After you finish a set of configurations, you can execute the display current-configuration command to display the parameters that take effect currently. Note that: Parameters that are the same as the default are not displayed. The configured parameter whose corresponding function does not take effect is not displayed. Related commands: save, reset saved-configuration, display saved-configuration.
  • Page 48 interface Ethernet1/0/17 interface Ethernet1/0/18 interface Ethernet1/0/19 interface Ethernet1/0/20 interface Ethernet1/0/21 interface Ethernet1/0/22 interface Ethernet1/0/23 interface Ethernet1/0/24 interface NULL0 return # Display the lines that include the strings matching 10* in the configuration information. (The character * means that the character 0 in the string before it can appear multiple times or does not appear.) <Sysname>...
  • Page 49: Display Current-Configuration Vlan

    interface Ethernet1/0/18 interface Ethernet1/0/19 interface Ethernet1/0/20 interface Ethernet1/0/21 interface Ethernet1/0/22 interface Ethernet1/0/23 interface Ethernet1/0/24 # Display the configuration information starting with the string user. <Sysname> display current-configuration | include ^user user-interface aux 0 7 user-interface vty 0 4 display current-configuration vlan Syntax display current-configuration vlan [ vlan-id ] [ by-linenum ] View...
  • Page 50: Display Saved-Configuration

    return display saved-configuration Syntax display saved-configuration [ unit unit-id ] [ by-linenum ] View Any view Parameters unit unit-id: Specifies the unit ID of a switch. With this keyword-argument combination specified, this command can display the initial configuration file of the specified unit. by-linenum: Displays configuration information with line numbers.
  • Page 51 interface Ethernet1/0/1 interface Ethernet1/0/2 interface Ethernet1/0/3 interface Ethernet1/0/4 interface Ethernet1/0/5 interface Ethernet1/0/6 interface Ethernet1/0/7 interface Ethernet1/0/8 interface Ethernet1/0/9 interface Ethernet1/0/10 interface Ethernet1/0/11 interface Ethernet1/0/12 interface Ethernet1/0/13 interface Ethernet1/0/14 interface Ethernet1/0/15 interface Ethernet1/0/16 interface Ethernet1/0/17 interface Ethernet1/0/18 interface Ethernet1/0/19 interface Ethernet1/0/20 interface Ethernet1/0/21 interface Ethernet1/0/22 interface Ethernet1/0/23...
  • Page 52: Display Startup

    undo xrn-fabric authentication-mode
    #GLBCFG. MUST NOT DELETE
    interface NULL0
    user-interface aux 0 7
    user-interface vty 0 4
     authentication-mode none
     user privilege level 3
    return
    The configuration information output above in turn is the system configuration, logical interface configuration, physical port configuration, and user interface configuration.
    display startup
    Syntax
    display startup [ unit unit-id ]...
  • Page 53: Display This

    Table 1-2 Description on the fields of the display startup command
    Field                                          Description
    Current Startup saved-configuration file       The configuration file used for the current startup
    Next main startup saved-configuration file     The main configuration file used for the next startup
    Next backup startup saved-configuration file   The backup configuration file used for the next startup
    Whether you can use the user-defined password to access the...
  • Page 54: Reset Saved-Configuration

    [Sysname-ui-aux0] display this
    user-interface aux 0 4
     idle-timeout 0 0
    user-interface aux 5 7
    user-interface vty 0
     authentication-mode none
     user privilege level 3
     set authentication password simple 123
     idle-timeout 0 0
    user-interface vty 1 4
     authentication-mode none
     user privilege level 3
     set authentication password simple 1
     idle-timeout 0 0
    return...
  • Page 55: Save

    This command will permanently delete the configuration file from the switch. An error occurs when you execute this command if the configuration file to be deleted does not exist. Related commands: save. Examples # Erase the main configuration file to be used in the next startup. <Sysname>...
  • Page 56 the system will save the current configuration with the default name (config.cfg) in the root directory. The system supports two modes for saving the current configuration file. Fast saving mode. This is the mode when you use the save command without the safely keyword. The mode saves the file quicker but is likely to lose the original configuration file if the switch reboots or the power fails during the process.
  • Page 57: Startup Saved-Configuration

    <Sysname> save unit1>flash:/234.cfg The current configuration will be saved to unit1>flash:/234.cfg [Y/N]:y Now saving current configuration to the device. Saving configuration. Please wait....Unit1 save configuration unit1>flash:/234.cfg successfully startup saved-configuration Syntax startup saved-configuration cfgfile [ backup | main ] undo startup saved-configuration [ unit unit-id ] View User view...
  • Page 58 The configuration file must use .cfg as its extension name and the startup configuration file must be saved at the root directory in the Flash of the switch. Related commands: display startup. Examples # Configure the configuration file named config.cfg as the main configuration file to be used for the next startup of the current switch, which is not in any fabric.
  • Page 59 Table of Contents
    1 VLAN Configuration Commands
      VLAN Configuration Commands
        description
        display interface Vlan-interface
        display vlan
        interface Vlan-interface
        name
        shutdown
        vlan
      Port-Based VLAN Configuration Commands
        display port
        port
        port access vlan
        port hybrid pvid vlan
        port hybrid vlan
        port link-type
        port trunk permit vlan...
  • Page 60: Vlan Configuration Commands

    VLAN Configuration Commands VLAN Configuration Commands description Syntax description text undo description View VLAN view, VLAN interface view Parameter text: Case sensitive character string to describe the current VLAN or VLAN interface. Special characters and spaces are allowed. It has: 1 to 32 characters for a VLAN description.
  • Page 61: Display Vlan

    Parameter vlan-id: ID of the specific VLAN interface. Description Use the display interface Vlan-interface command to display the information about the VLAN interface. VLAN interface is a virtual interface in Layer 3 mode, used to realize the layer 3 communication between different VLANs.
  • Page 62 to: Specifies multiple contiguous VLAN IDs. The VLAN ID after to cannot be less than that before to. all: Displays the information about all the VLANs. dynamic: Displays information about the dynamic VLANs (which are registered through GVRP protocol). static: Displays information about the static VLANs (which are created through manual configuration). Description Use the display vlan command to display the information about the specified VLANs or all VLANs.
  • Page 63: Interface Vlan-Interface

    Field Description Name VLAN name Tagged Ports Ports through which packets are sent with VLAN tag kept. Untagged Ports Port through which packets are sent with VLAN tag stripped. interface Vlan-interface Syntax interface Vlan-interface vlan-id undo interface Vlan-interface vlan-id View System view Parameter vlan-id: ID of the VLAN interface, in the range of 1 to 4,094.
  • Page 64: Shutdown

    undo name View VLAN view Parameter text: VLAN name, in the range of 1 character to 32 characters. It can contain special characters and spaces. Description Use the name command to assign a name to the current VLAN. Use the undo name command to restore the default VLAN name. By default, the name of a VLAN is its VLAN ID, such as “VLAN 0001”.
  • Page 65: Vlan

    You can use the undo shutdown command to enable a VLAN interface when its related parameters and protocols are configured. When a VLAN interface fails, you can use the shutdown command to disable the interface, and then use the undo shutdown command to enable this interface again, which may restore the interface.
  • Page 66: Port-Based Vlan Configuration Commands

    Example
    # Enter VLAN 1 view.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] vlan 1
    [Sysname-vlan1]
    # Remove VLAN 5.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] undo vlan 5
    Port-Based VLAN Configuration Commands
    display port
    Syntax
    display port { hybrid | trunk }...
  • Page 67: Port Access Vlan

    Parameters interface-list: List of Ethernet ports to be added to or removed from a VLAN. Provide this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where: interface-type is port type and interface-number is port number. The port number to the right of the to keyword must be larger than or equal to the one to the left of the keyword.
  • Page 68: Port Hybrid Pvid Vlan

    Examples
    # Assign GigabitEthernet 1/0/1 to VLAN 3.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] vlan 3
    [Sysname-vlan3] quit
    [Sysname] interface GigabitEthernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] port access vlan 3
    [Sysname-GigabitEthernet1/0/1]
    port hybrid pvid vlan
    Syntax
    port hybrid pvid vlan vlan-id
    undo port hybrid pvid
    View
    Ethernet port view...
  • Page 69: Port Link-Type

    undo port hybrid vlan vlan-id-list View Ethernet port view Parameters vlan-id-list: VLAN range to which the hybrid port will be added. vlan-id-list = [ vlan-id1 [ to vlan-id2 ] ]&<1-10>, where, vlan-id is in the range of 1 to 4094 and can be discrete, and &<1-10> means you can input up to ten VLAN IDs/ID ranges.
  • Page 70: Port Trunk Permit Vlan

    Description Use the port link-type command to set the link type of the current Ethernet port. Use the undo port link-type command to restore the default link type. By default, the link type of an Ethernet port is access. The three types of ports can coexist on an Ethernet switch. You can change the link type of an Ethernet port.
  • Page 71: Port Trunk Pvid Vlan

    Please wait... Done. port trunk pvid vlan Syntax port trunk pvid vlan vlan-id undo port trunk pvid View Ethernet port view Parameters vlan-id: VLAN ID defined in IEEE802.1Q, in the range of 1 to 4094. It is 1 by default. Description Use the port trunk pvid vlan command to set the default VLAN ID for the trunk port.
  • Page 72: Display Protocol-Vlan Vlan

    all: Displays the protocol-related information about all ports. Description Use the display protocol-vlan interface command to display the protocol information and protocol indexes configured for specified ports. Example # Display protocol information and protocol index configured for GigabitEthernet1/0/1 and GigabitEthernet1/0/2 ports. <Sysname>...
  • Page 73: Port Hybrid Protocol-Vlan Vlan

    VLAN Type: Protocol-based VLAN Protocol-Index Protocol-Type ipx ethernetii VLAN ID: 15 VLAN Type: Protocol-based VLAN Protocol-Index Protocol-Type snap etype 0x0abcd port hybrid protocol-vlan vlan Syntax port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-index-end ] | all } undo port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-index-end ] | all } View Ethernet port view Parameter...
  • Page 74: Protocol-Vlan

    The port hybrid protocol-vlan vlan command can be executed on hybrid ports only. Before you associate a port with the protocol-based VLAN, make sure the port belongs to the protocol-based VLAN. When the undo port hybrid protocol-vlan vlan command is being executed, the switch will prompt operation failure if the index of the specified protocol to be removed does not exist.
  • Page 75 protocol-index: Beginning protocol index ranging from 0 to 4. Note that this argument must be less than or equal to the protocol-end argument. If you do not specify this argument, the beginning protocol index will be determined by the system. protocol-index-end: End protocol index ranging from 0 to 4.
  • Page 77 Table of Contents
    1 IP Address Configuration Commands
    IP Address Configuration Commands: display ip interface, display ip interface brief, ip address
    2 IP Performance Optimization Configuration Commands
    IP Performance Configuration Commands: display fib, display fib ip-address, display fib acl, display fib |, display fib ip-prefix, display fib statistics...
  • Page 78: Ip Address Configuration Commands

    IP Address Configuration Commands IP Address Configuration Commands display ip interface Syntax display ip interface [ interface-type interface-number ] View Any view Parameters interface-type interface-number: Specifies an interface by its type and number. Description Use the display ip interface command to display information about a specified or all Layer 3 interfaces.
  • Page 79: Display Ip Interface Brief

    Timestamp reply: Information request: Information reply: Netmask request: Netmask reply: Unknown type: Table 1-1 Description on the fields of the display ip interface command Field Description Vlan-interface1 current state Current physical state of VLAN-interface 1 Line protocol current state Current state of the link layer protocol IP address of the interface followed by: Internet Address Primary: Identifies a primary IP address, or...
  • Page 80 View Any view Parameters interface-type: Interface type. interface-number: Interface number. Description Use the display ip interface brief command to display brief information about a specified or all Layer 3 interfaces. With no argument included, the command displays information about all layer 3 interfaces; with only the interface type specified, it displays information about all layer 3 interfaces of the specified type;...
  • Page 81: Ip Address

    ip address Syntax ip address ip-address { mask | mask-length } [ sub ] undo ip address [ ip-address { mask | mask-length } [ sub ] ] View VLAN interface view, loopback interface view Parameters ip-address: IP address, in dotted decimal notation. mask: Subnet mask, in dotted decimal notation.
  • Page 82 Examples
    # Assign the primary IP address 129.12.0.1 and secondary IP address 129.12.1.1 to VLAN-interface 1 with subnet mask 255.255.255.0.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] interface Vlan-interface 1
    [Sysname-Vlan-interface1] ip address 129.12.0.1 255.255.255.0
    [Sysname-Vlan-interface1] ip address 129.12.1.1 255.255.255.0 sub...
  • Page 83: Ip Performance Configuration Commands

    IP Performance Optimization Configuration Commands IP Performance Configuration Commands display fib Syntax display fib View Any view Parameters None Description Use the display fib command to display all forwarding information base (FIB) information. Examples # Display all FIB information. <Sysname> display fib Flag: U:Usable G:Gateway...
  • Page 84: Display Fib Ip-Address

    Table 2-1 Description on the fields of the display fib command Field Description Flags: U: A route is up and available. G: Gateway route H: Local host route B: Blackhole route Flag D: Dynamic route S: Static route R: Rejected route E: Multi-path equal-cost route L: Route generated by ARP or ESIS Destination/Mask...
  • Page 85: Display Fib Acl

    Description Use the display fib ip-address command to view the FIB entries matching the specified destination IP address. If no mask or mask length is specified, the FIB entry that matches the destination IP address and has the longest mask will be displayed; if the mask is specified, the FIB entry that exactly matches the specified destination IP address and mask will be displayed.
  • Page 86: Display Fib

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] acl number 2001
    [Sysname-acl-basic-2001] rule permit source 211.71.75.0 0.0.0.255
    [Sysname-acl-basic-2001] display acl 2001
    Basic ACL 2001, 1 rule
    Acl's step is 1
    rule 0 permit source 211.71.75.0 0.0.0.255
    # Display the FIB entries filtered by ACL 2001.
    <Sysname>...
  • Page 87: Display Fib Ip-Prefix

    display fib ip-prefix Syntax display fib ip-prefix ip-prefix-name View Any view Parameters ip-prefix-name: IP prefix list name, in the range of 1 to 19 characters. Description Use the display fib ip-prefix command to display the FIB entries matching a specific IP prefix list. For details about IP prefix list, refer to the part discussing IP routing in this manual.
  • Page 88: Display Icmp Statistics

    Description Use the display fib statistics command to display the total number of FIB entries. Examples # Display the total number of FIB entries. <Sysname> display fib statistics Route Entry Count : 8 display icmp statistics Syntax display icmp statistics View Any view Parameters...
  • Page 89: Display Ip Socket

    Field Description Number of received destination unreachable destination unreachable packets source quench Number of received source quench packets redirects Number of received redirection packets echo reply Number of received replies parameter problem Number of received parameter problem packets timestamp Number of received time stamp packets information request Number of received information request packets mask requests...
  • Page 90: Display Ip Statistics

    Examples
    # Display the information about the socket of the TCP type.
    <Sysname> display ip socket socktype 1
    SOCK_STREAM:
    Task = VTYD(18), socketid = 1, Proto = 6,
    LA = 0.0.0.0:23, FA = 0.0.0.0:0,
    sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
    socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_SENDVPNID SO_SETKEEPALIVE,
    socket state = SS_PRIV SS_ASYNC
    Task = VTYD(18), socketid = 2, Proto = 6,...
  • Page 91 View Any view Parameters None Description Use the display ip statistics command to display the statistics about IP packets. Related commands: display ip interface, reset ip statistics. Examples # Display the statistics about IP packets. <Sysname> display ip statistics Input: 7120 local bad protocol...
  • Page 92: Display Tcp Statistics

    Field Description output Total number of fragments sent dropped Total number of fragments discarded fragmented Total number of IP packets successfully fragmented couldn't Total number of IP packets that cannot be fragmented fragment Total number of IP packets reassembled Reassembling: timeouts Total number of reassembly timeout IP packets display tcp statistics...
  • Page 93
    control packets: 5 (including 1 RST)
    window probe packets: 0, window update packets: 2
    data packets: 618 (8770 bytes)
    data packets retransmitted: 0 (0 bytes)
    ACK-only packets: 40 (28 delayed)
    Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0
    Keepalive timeout: 0, keepalive probe: 0, Keepalive timeout, so connections disconnected :
    Initiated connections: 0, accepted connections: 0, established connections: 0
    Closed connections: 0 (dropped: 0, initiated dropped: 0)
    Packets dropped with MD5 authentication: 0...
  • Page 94: Display Tcp Status

    Field Description Number of ACK packets sent; in brackets are ACK-only packets: 40 delayed ACK packets Retransmitted timeout Number of retransmission timer timeouts Number of connections broken due to connections dropped in retransmitted timeout retransmission timeouts Keepalive timeout Number of keepalive timer timeouts keepalive probe Number of keepalive probe packets sent Number of connections broken due to keepalive...
  • Page 95: Display Udp Statistics

    Table 2-6 Description on the fields of the display tcp status command Field Description If there is an asterisk before a connection, it means that the TCP connection is authenticated through the MD5 algorithm. TCPCB TCP control block Local Add:port Local IP address and port number Foreign Add:port Remote IP address and port number...
  • Page 96: Icmp Redirect Send

    Field Description packets: checksum error Total number of packets with incorrect checksum shorter than header Number of packets with data shorter than header data length larger than Number of packets with data longer than packet packet no socket on port Number of unicast packets with no socket on port total broadcast or multicast Total number of received broadcast or multicast...
  • Page 97: Icmp Unreach Send

    icmp unreach send Syntax icmp unreach send undo icmp unreach send View System view Parameters None Description Use the icmp unreach send command to enable the device to send ICMP destination unreachable packets. With this feature enabled, the switch, upon receiving a packet with an unreachable destination, discards the packet and then sends a destination unreachable packet to the source host.
  • Page 98: Reset Ip Statistics

    Examples
    # Enable the device to receive directed broadcasts to a directly connected network.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] ip forward-broadcast
    reset ip statistics
    Syntax
    reset ip statistics
    View
    User view
    Parameters
    None
    Description
    Use the reset ip statistics command to clear the statistics about IP packets.
  • Page 99: Reset Udp Statistics

    reset udp statistics Syntax reset udp statistics View User view Parameters None Description Use the reset udp statistics command to clear the statistics about UDP packets. You can use the display udp statistics command to view the current UDP packet statistics. Examples # Clear the statistics about UDP packets.
  • Page 100: Tcp Timer Syn-Timeout

    tcp timer syn-timeout Syntax tcp timer syn-timeout time-value undo tcp timer syn-timeout View System view Parameters time-value: TCP synwait timer, in seconds, with the value ranging from 2 to 600. Description Use the tcp timer syn-timeout command to configure the TCP synwait timer. Use the undo tcp timer syn-timeout command to restore the default value of the TCP synwait timer.
  • Page 101 Related commands: tcp timer fin-timeout, tcp timer syn-timeout.
    Examples
    # Configure the size of the transmission and receiving buffers of the connection-oriented socket to 3 KB.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] tcp window 3...
  • Page 102 Table of Contents
    1 Voice VLAN Configuration Commands
    Voice VLAN Configuration Commands: display voice vlan error-info, display voice vlan oui, display voice vlan status, display vlan, voice vlan, voice vlan aging, voice vlan enable, voice vlan legacy, voice vlan mac-address, voice vlan mode, voice vlan qos, voice vlan security enable...
  • Page 103: Voice Vlan Configuration Commands

    Voice VLAN Configuration Commands Voice VLAN Configuration Commands display voice vlan error-info Syntax display voice vlan error-info View Any view Parameters None Description Use the display voice vlan error-info command to display the ports on which the voice VLAN function fails to be enabled.
  • Page 104: Display Voice Vlan Status

    H3C Aolynk phone
    00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
    00e0-7500-0000 ffff-ff00-0000 Polycom phone
    00e0-bb00-0000 ffff-ff00-0000 3Com phone
    display voice vlan status
    Syntax
    display voice vlan status
    View
    Any view
    Parameters
    None
    Description
    Use the display voice vlan status command to display voice VLAN-related information.
  • Page 105: Display Vlan

    PORT MODE DSCP --------------------------------------------- Ethernet1/0/1 AUTO Ethernet1/0/2 MANUAL Table 1-1 Description on the fields of the display voice vlan status command Field Description The status of global voice VLAN function: Voice Vlan status enabled or disabled. The VLAN which is currently enabled with voice Voice Vlan ID VLAN.
  • Page 106: Voice Vlan

    Parameters vlan-id: Specifies the ID of the current voice VLAN in the range of 1 to 4094. Description Use the display vlan command to display information about the specified VLAN. For the voice VLAN, this command displays all the ports in the VLAN. Related commands: voice vlan, voice vlan enable.
  • Page 107: Voice Vlan Aging

    preferentially. If you do not want to use the default precedence marking settings of the switch for voice VLAN traffic, you can use the voice vlan qos command to change the settings. If you want to delete a VLAN with voice VLAN function enabled, you must disable the voice VLAN function first.
  • Page 108: Voice Vlan Enable

    aging timer starts. If no recognizable voice traffic has been received before the timer expires, the port is removed from the voice VLAN. The voice VLAN aging timer does not take effect on ports working in manual voice VLAN assignment mode, because these ports are assigned to the voice VLAN statically.
  • Page 109: Voice Vlan Legacy

    Parameters None Description Use the voice vlan legacy command to enable communication between a 3Com device and other vendors’ voice devices by automatically adding the voice VLAN tag to the voice data coming from those devices. Use the undo voice vlan legacy command to disable the voice VLAN legacy function.
  • Page 110: Voice Vlan Mode

    00d0-1e00-0000 Pingtel phone
    00e0-7500-0000 Polycom phone
    00e0-bb00-0000 3Com phone
    Related commands: display voice vlan oui.
    Examples
    # Add MAC address 00aa-bb00-0000 to the OUI list and configure its description as ABC.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z....
  • Page 111: Voice Vlan Qos

    You cannot, and need not, manually assign a port working in automatic voice VLAN assignment mode to the voice VLAN. When the port receives a packet whose source MAC address matches the OUI list, the port is assigned to the voice VLAN automatically, and the packet is tagged with the voice VLAN tag.
  • Page 112: Voice Vlan Security Enable

    Examples
    # Modify the CoS precedence and the DSCP precedence marked for voice VLAN traffic passing through Ethernet 1/0/1 to 5 and 40 respectively.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] voice vlan qos 5 40
    voice vlan security enable
    Syntax
    voice vlan security enable...
  • Page 113 Table of Contents
    1 GVRP Configuration Commands
    GARP Configuration Commands: display garp statistics, display garp timer, garp timer, garp timer leaveall, reset garp statistics
    GVRP Configuration Commands: display gvrp statistics, display gvrp status, gvrp, gvrp registration...
  • Page 114: Gvrp Configuration Commands

    GVRP Configuration Commands GARP Configuration Commands display garp statistics Syntax display garp statistics [ interface interface-list ] View Any view Parameters interface-list: Specifies a list of Ethernet ports for which the statistics about GARP are to be displayed. In this list, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2,...
  • Page 115: Display Garp Timer

    GARP statistics on port Ethernet1/0/1 Number Of GVRP Frames Received Number Of GVRP Frames Transmitted Number Of Frames Discarded GARP statistics on port Ethernet1/0/2 Number Of GVRP Frames Received Number Of GVRP Frames Transmitted Number Of Frames Discarded Table 1-1 Description on the fields of the display garp statistics command Field Description Number of the GVRP frames received on the...
  • Page 116: Garp Timer

    Leave timer LeaveAll timer Hold timer
    Related commands: garp timer, garp timer leaveall.
    Examples
    # Display the settings of the GARP timers on port Ethernet1/0/1.
    <Sysname> display garp timer interface Ethernet 1/0/1
    GARP timers on port Ethernet1/0/1
    Garp Join Time : 20 centiseconds
    Garp Leave Time : 60 centiseconds...
  • Page 117: Garp Timer Leaveall

    Table 1-2 Relations between the timers Timer Lower threshold Upper threshold This upper threshold is less than or equal to one-half of the timeout time of the Join timer. Hold 10 centiseconds You can change the threshold by changing the timeout time of the Join timer.
  • Page 118: Reset Garp Statistics

    View System view Parameters timer-value: Setting (in centiseconds) of the GARP LeaveAll timer. You need to set this argument with the Leave timer settings of other Ethernet ports as references. That is, this argument needs to be larger than the Leave timer settings of any Ethernet ports. Also note that this argument needs to be a multiple of 5 and cannot be larger than 32,765.
  • Page 119: Gvrp Configuration Commands

    Description Use the reset garp statistics command to clear the GARP statistics (including statistics about packets received/sent/discarded by GVRP) on the specified or all ports. You can use the display garp statistics command to view the GARP statistics before and after the execution of the reset garp statistics command to verify the execution result.
  • Page 120: Display Gvrp Status

    GVRP Status : Enabled GVRP Failed Registrations GVRP Last Pdu Origin : 0000-0000-0000 GVRP Registration Type : Normal display gvrp status Syntax display gvrp status View Any view Parameters None Description Use the display gvrp status command to display the global GVRP status (enabled or disabled). Examples # Display the global GVRP status.
  • Page 121: Gvrp Registration

    To enable GVRP for a port, you need to enable GVRP globally first. GVRP does not take effect automatically on ports upon being enabled globally. You can enable/disable GVRP only on trunk ports. After you enable GVRP on a trunk port, you cannot change the port to other types. Related commands: display gvrp status.
  • Page 122 Examples
    # Configure Ethernet1/0/1 to operate in fixed GVRP registration mode.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] interface Ethernet1/0/1
    [Sysname-Ethernet1/0/1] gvrp registration fixed...
  • Page 123 Table of Contents
    1 Port Basic Configuration Commands
    Port Basic Configuration Commands: broadcast-suppression, copy configuration, description, display brief interface, display interface, display link-delay, display loopback-detection, display packet-drop, display storm-constrain, display unit, duplex, enable log updown, flow-control, flow-control no-pauseframe-sending, flow interval...
  • Page 124: Port Basic Configuration Commands

    Port Basic Configuration Commands Port Basic Configuration Commands broadcast-suppression Syntax broadcast-suppression { ratio | pps max-pps } undo broadcast-suppression View System view, Ethernet port view Parameters ratio: Maximum ratio of the broadcast traffic allowed on a port to the total transmission capacity of the port.
  • Page 125: Copy Configuration

    The global broadcast suppression setting configured by the broadcast-suppression command in system view takes effect on all Ethernet ports in the system except for the reflection ports, stack ports and ports having their own broadcast suppression settings. If you configure broadcast-suppression command in both system view and Ethernet port view, the configuration in Ethernet port view will take effect.
  • Page 126 If you specify a source aggregation group ID, the system uses the port with the smallest port number in the aggregation group as the source. If you specify a destination aggregation group ID, the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configuration as that of the source port.
  • Page 127: Description

    Copying speed/duplex configuration... Any aggregation group port you input in the destination port list will be removed from the list and the copy command will not take effect on the port. If you want an aggregation group port to have the same configuration with the source port, you can specify the aggregation group of the port as the destination (with the destination-agg-id argument).
  • Page 128: Display Brief Interface

    A port description can be the mixture of English characters and other Unicode characters. The mixed description cannot exceed the specified length. To use a type of Unicode characters or symbols in a port description, you need to install the corresponding Input Method Editor (IME) and log in to the device through remote login software that supports this character type.
  • Page 129 For details about regular expression, refer to the Configuration File Management module in this manual. Description Use the display brief interface command to display the brief configuration information about one or all interfaces, including: interface type, link state, link rate, duplex attribute, link type, default VLAN ID and description string.
  • Page 130: Display Interface

    The state of an Ethernet port can be UP, DOWN, or ADMINISTRATIVELY DOWN. The following table shows the port state transitions. Table 1-3 Port state transitions State after executing State after executing the Initial port state the undo shutdown shutdown command command DOWN DOWN...
  • Page 131 Flow-control is enabled The Maximum Frame Length is 9216 Broadcast MAX-pps: 500 Unicast MAX-ratio: 100% Multicast MAX-ratio: 100% Allow jumbo frame to pass PVID: 1 Mdi type: auto Port link-type: access Tagged VLAN ID : none Untagged VLAN ID : 1 Last 300 seconds input: 0 packets/sec 0 bytes/sec Last 300 seconds output:...
  • Page 132 Field Description. PVID: Default VLAN ID of the port. Mdi type: Network cable type. Port link-type: Port link type. Tagged VLAN ID: Identify the VLANs whose packets will be forwarded with tags on the port. Untagged VLAN ID: Identify the VLANs whose packets will be forwarded without tags on the port.
  • Page 133 Field Description. aborts: The total number of incoming illegal packets, including: Fragments: CRC error frames of less than 64 bytes (integer or non-integer). Jabber frames: CRC error frames of more than 1518 bytes if untagged or 1522 bytes if tagged (integer or non-integer). Symbol error frames: frames with at least one symbol error.
  • Page 134: Display Link-Delay

    Field Description. lost carrier: The lost carrier counter applicable to serial WAN interfaces. The counter increases by 1 upon each carrier loss detected during frame transmission. - no carrier: The no carrier counter applicable to serial WAN interfaces. The counter increases by 1 upon each carrier detection failure for frame transmission.
  • Page 135: Display Packet-Drop

    Description Use the display loopback-detection command to display the loopback detection status on the port. If loopback detection is enabled, this information will also be displayed: time interval for loopback detection and the loopback ports. Examples # Display the loopback detection status on the port. <Sysname>...
  • Page 136: Display Storm-Constrain

    Examples # Display the statistics on the packets dropped on Ethernet 1/0/1. <Sysname> display packet-drop interface Ethernet 1/0/1 Ethernet1/0/1: Packets dropped By GBP full or insufficient bandwidth: 0 Packets dropped By others: 0 # Display the summary statistics on the packets dropped on all the ports. <Sysname>...
  • Page 137: Display Unit

    PortName StormType LowerLimit UpperLimit Ctr-mode Status Trap Swi-num -------------------------------------------------------------------------- Eth1/0/1 broadcast 9 shutdown normal Eth1/0/1 multicast 9 shutdown control on Eth1/0/2 unicast shutdown normal Table 1-7 Description on the fields of the display storm-constrain command Field Description Flow Statistic Interval to collect traffic statistics. Interval PortName Name of an Ethernet port...
  • Page 138: Description Field

    Description : Aux Interface Ethernet1/0/1 current state : DOWN IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 000f-e290-2240 Media type is twisted pair, loopback not set Port hardware type is 100_BASE_TX 100Mbps-speed mode, full-duplex mode Link speed type is force link, link duplex type is force link Flow-control is enabled The Maximum Frame Length is 9216 Broadcast MAX-pps: 500...
  • Page 139: Duplex

    duplex Syntax duplex { auto | full | half } undo duplex View Ethernet port view Parameters auto: Sets the port to auto-negotiation mode. full: Sets the port to full duplex mode. half: Sets the port to half duplex mode. Description Use the duplex command to set the duplex mode of the current port.
  • Page 140: Flow-Control

    Examples # By default, a port is allowed to output the Up/Down log information. Execute the shutdown command or the undo shutdown command on Ethernet 1/0/1, and the system outputs Up/Down log information of Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] shutdown [Sysname-Ethernet1/0/1]...
  • Page 141: Flow-Control No-Pauseframe-Sending

    [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] flow-control flow-control no-pauseframe-sending Syntax flow-control no-pauseframe-sending undo flow-control View Ethernet port view Parameters None Description Use the flow-control no-pauseframe-sending command to configure flow control to operate in Rx mode on the current port. Use the undo flow-control command to disable flow control on the port. A port configured with the flow-control no-pauseframe-sending command can receive and process remote pause frames but cannot send pause frames actively when it is congested.
  • Page 142: Giant-Frame Statistics Enable

    Parameters Interval: Interval (in seconds) to perform statistics on port information. This argument ranges from 5 to 300 (in step of 5) and is 300 by default. Description Use the flow-interval command to set the interval to perform statistics on port information. Use the undo flow-interval command to restore the default interval.
  • Page 143: Interface

    Giant frames refer to VLAN untagged frames of more than 1518 bytes and VLAN tagged frames of more than 1522 bytes. Examples # Enable the giant-frame statistics function. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] giant-frame statistics enable interface Syntax interface interface-type interface-number...
  • Page 144: Link-Delay

    undo jumboframe enable View Ethernet port view Parameters None Description Use the jumboframe enable command to set the maximum frame size allowed on a port to 9,216 bytes. Use the undo jumboframe enable command to set the maximum frame size allowed on a port to 1,536 bytes.
  • Page 145: Loopback

    The port state change delay takes effect when the port goes down but not when the port goes up. The delay configured in this way does not take effect for ports in DLDP down state. For information about the DLDP down state, refer to DLDP. Examples # Set the port state change delay of Ethernet 1/0/5 to 8 seconds.
  • Page 146: Loopback-Detection Control Enable

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] loopback internal Loopback internal succeeded. loopback-detection control enable Syntax loopback-detection control enable undo loopback-detection control enable View Ethernet port view Parameters None Description Use the loopback-detection control enable command to enable the loopback detection control feature on the current trunk or hybrid port.
  • Page 147: Loopback-Detection Enable

    loopback-detection enable Syntax loopback-detection enable undo loopback-detection enable View System view or Ethernet port view Parameters None Description Use the loopback-detection enable command to enable the loopback detection feature on ports to detect whether external loopback occurs on a port. Use the undo loopback-detection enable command to disable the loopback detection feature on port.
  • Page 148: Loopback-Detection Interface-List Enable

    By default, the global loopback detection function is enabled if the device boots with the default configuration file (config.def); this function is disabled if the device boots with null configuration. Related command: loopback-detection control enable, loopback-detection shutdown enable Examples # Enable the loopback detection feature on Ethernet 1/0/1.
  • Page 149: Loopback-Detection Interval-Time

    loopback-detection interval-time Syntax loopback-detection interval-time time undo loopback-detection interval-time View System view Parameters time: Time interval for loopback detection, in the range of 5 to 300 (in seconds). It is 30 seconds by default. Description Use the loopback-detection interval-time command to set time interval for loopback detection. Use the undo loopback-detection interval-time command to restore the default time interval.
  • Page 150: Loopback-Detection Shutdown Enable

    Examples # Configure the system to run loopback detection on all VLANs of the trunk port Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] port link-type trunk [Sysname-Ethernet1/0/1] loopback-detection per-vlan enable loopback-detection shutdown enable Syntax loopback-detection shutdown enable...
  • Page 151: Mdi

    Example # Enable the loopback port auto-shutdown function on port Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] loopback-detection enable [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] loopback-detection shutdown enable mdi Syntax mdi { across | auto | normal } undo mdi View Ethernet port view...
  • Page 152: Multicast-Suppression

    multicast-suppression Syntax multicast-suppression { ratio | pps max-pps } undo multicast-suppression View Ethernet port view Parameters ratio: Maximum ratio of the multicast traffic allowed on the port to the total transmission capacity of the port. This argument ranges from 1 to 100 (in step of 1) and defaults to 100. The smaller the ratio, the less multicast traffic is allowed to be received.
  • Page 153: Reset Packet-Drop Interface

    Parameters interface-type: Port type. interface-number: Port number. For details about the parameters, see the parameter description of the interface command. Description Use the reset counters interface command to clear the statistics of the port, preparing for a new statistics collection. If you specify neither port type nor port number, the command clears statistics of all ports.
  • Page 154: Shutdown

    shutdown Syntax shutdown undo shutdown View Ethernet port view Parameters None Description Use the shutdown command to shut down an Ethernet port. Use the undo shutdown command to bring up an Ethernet port. By default, an Ethernet port is in up state. Examples # Shut down Ethernet 1/0/1 and then bring it up.
  • Page 155: Speed

    Vlan-interface3 is UP %Apr 13 23:14:54:897 2000 Sysname IFNET/5/UPDOWN:- 1 -Line protocol on the interface Vlan-interface3 is UP speed Syntax speed { 10 | 100 | 1000 | auto } undo speed View Ethernet port view Parameters 10: Specifies the port speed to 10 Mbps. 100: Specifies the port speed to 100 Mbps.
  • Page 156: Storm-Constrain

    View Ethernet port view Parameters 10: Configures 10 Mbps as an auto-negotiation speed of the port. 100: Configures 100 Mbps as an auto-negotiation speed of the port. 1000: Configures 1,000 Mbps as an auto-negotiation speed of the port. Description Use the speed auto [ 10 | 100 | 1000 ]* command to configure auto-negotiation speed(s) for the current port.
  • Page 157: Storm-Constrain Control

    Description Use the storm-constrain command to set the upper and lower thresholds of the broadcast/multicast/unicast traffic received on the port. Use the undo storm-constrain command to cancel the threshold configuration. With traffic upper and lower thresholds specified on a port, the system periodically collects statistics about the broadcast/multicast/unicast traffic on the port. Once it finds that a type of traffic exceeds the specified upper threshold, it blocks this type of traffic on the port or directly shuts down the port, and outputs trap/log information according to your configuration.
  • Page 158: Storm-Constrain Enable

    If the fabric function is enabled on a port of a device, you cannot configure the storm control function on all ports of the device. If the broadcast-suppression command, multicast-suppression command or unicast suppression command is configured on a port, you cannot configure the storm control function on the port, and vice versa.
  • Page 159: Storm-Constrain Interval

    Use the undo storm-constrain enable command to disable log/trap information from being output when traffic received on the port exceeds the upper threshold or falls below the lower threshold. By default, log/trap information is output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
  • Page 160: Virtual-Cable-Test

    View Ethernet port view Parameters ratio: Maximum ratio of the unknown unicast traffic allowed on the port to the total transmission capacity of the port. This argument ranges from 1 to 100 (in step of 1) and defaults to 100. The smaller the ratio, the less unknown unicast traffic is allowed to be received.
  • Page 161 Description Use the virtual-cable-test command to enable the system to test the cable connected to a specific port and to display the results. The system can test these attributes of the cable: Cable status, including normal, abnormal, abnormal-open, abnormal-short and failure Cable length If the cable is in normal state, the displayed length value is the total length of the cable.
  • Page 162 Table of Contents: 1 Link Aggregation Configuration Commands 1-1; Link Aggregation Configuration Commands 1-1; display link-aggregation interface 1-1; display link-aggregation summary 1-2; display link-aggregation verbose 1-3; display lacp system-id 1-4; lacp enable 1-5; lacp port-priority 1-5; lacp system-priority 1-6; link-aggregation group description 1-6; link-aggregation group mode 1-7; port link-aggregation group 1-8; reset lacp statistics 1-9...
  • Page 163: Link Aggregation Configuration Commands

    Link Aggregation Configuration Commands Link Aggregation Configuration Commands display link-aggregation interface Syntax display link-aggregation interface interface-type interface-number [ to interface-type interface-number ] View Any view Parameters interface-type: Port type. interface-number: Port number. to: Specifies a port index range, with the two interface-type interface-number argument pairs around it as the two ends.
  • Page 164: Display Link-Aggregation Summary

    Table 1-1 Description on the fields of the display link-aggregation interface command Field Description. Selected AggID: ID of the aggregation group to which the specified port belongs. Local: Information about the local end. Port-Priority: Port priority. Oper key: Operation key. Flag: Protocol status flag. Remote...
  • Page 165: Display Link-Aggregation Verbose

    -------------------------------------------------------------------------- 0x8000,0000-0000-0000 0 NonS Ethernet1/0/2 none NonS Ethernet1/0/3 Table 1-2 Description on the fields of the display link-aggregation summary command Field Description. Aggregation Group Type: Aggregation group type: D for dynamic, S for static, and M for manual. Loadsharing Type: Load sharing type: Shar for load sharing and NonS for non-load sharing. Actor ID...
  • Page 166: Display Lacp System

    Examples # Display the details about aggregation group 1. <Sysname> display link-aggregation verbose 1 Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing Flags: A -- LACP_Activity, B -- LACP_timeout, C -- Aggregation, D -- Synchronization, E -- Collecting, F -- Distributing, G -- Defaulted, H -- Expired Aggregation ID: 1, AggregationType: Manual,...
  • Page 167: Lacp Enable

    Parameters None Description Use the display lacp system-id command to display the device ID of the local system, including the system priority and the MAC address. Examples # Display the device ID of the local system. <Sysname> display lacp system-id Actor System ID: 0x8000, 000f-e20f-0100 The value of the Actor System ID field is the device ID.
  • Page 168: Lacp System-Priority

    Parameters port-priority: Port priority, ranging from 0 to 65,535. Description Use the lacp port-priority command to set the priority of the current port. Use the undo lacp port-priority command to restore the default port priority. By default, the port priority is 32,768. You can use the display link-aggregation verbose command or the display link-aggregation interface command to check the configuration result.
  • Page 169: Link-Aggregation Group Mode

    undo link-aggregation group agg-id description View System view Parameters agg-id: Aggregation group ID, in the range of 1 to 416. agg-name: Aggregation group name, a string of 1 to 32 characters. Description Use the link-aggregation group description command to set a description for an aggregation group. Use the undo link-aggregation group description command to remove the description of an aggregation group.
  • Page 170: Port Link-Aggregation Group

    Description Use the link-aggregation group mode command to create a manual or static aggregation group. Use the undo link-aggregation group command to remove the specified aggregation group. Related commands: display link-aggregation summary. Examples # Create manual aggregation group 22 <Sysname> system-view System View: return to User View with Ctrl+Z.
  • Page 171: Reset Lacp Statistics

    reset lacp statistics Syntax reset lacp statistics [ interface interface-type interface-number [ to interface-type interface-number ] ] View User view Parameters interface-type: Port type interface-number: Port number to: Specifies a port index range, with the two interface-type interface-number argument pairs around it as the two ends.
  • Page 172 Table of Contents: 1 Port Isolation Configuration Commands 1-1; Port Isolation Configuration Commands 1-1; display isolate port 1-1; port isolate 1-1...
  • Page 173: Port Isolation Configuration Commands

    Port Isolation Configuration Commands Port Isolation Configuration Commands display isolate port Syntax display isolate port View Any view Parameters None Description Use the display isolate port command to display the Ethernet ports assigned to the isolation group. Examples # Display the Ethernet ports added to the isolation group. <Sysname>...
  • Page 174 Assigning or removing an aggregation member port to or from the isolation group can cause the other ports in the aggregation group to join or leave the isolation group. For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.
  • Page 175 Table of Contents: 1 Port Security Commands 1-1; Port Security Commands 1-1; display mac-address security 1-1; display port-security 1-2; mac-address security 1-5; port-security authorization ignore 1-6; port-security enable 1-7; port-security guest-vlan 1-8; port-security intrusion-mode 1-9; port-security max-mac-count 1-11; port-security ntk-mode 1-12; port-security oui 1-13; port-security port-mode 1-14; port-security timer autolearn 1-17; port-security timer disableport 1-18...
  • Page 176: Port Security Commands

    Port Security Commands Port Security Commands display mac-address security Syntax display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] View Any view Parameters Interface interface-type interface-number: Specify a port by its type and number, of which the security MAC address information is to be displayed.
  • Page 177: Display Port-Security

    MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 0000-0000-0001 Security Ethernet1/0/20 NOAGED 0000-0000-0002 Security Ethernet1/0/20 NOAGED 0000-0000-0003 Security Ethernet1/0/20 NOAGED 0000-0000-0004 Security Ethernet1/0/20 NOAGED 4 mac address(es) found on port Ethernet1/0/20 --- # Display the security MAC address entries for VLAN 1. <Sysname>...
  • Page 178 individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1. The total number of individual ports and port ranges defined in the list must not exceed 10.
  • Page 179 Port mode is AutoLearn NeedtoKnow mode is disabled Intrusion mode is no action Max mac-address num is not configured Stored mac-address num is 0 Authorization is ignore Ethernet1/0/3 is link-down Port mode is AutoLearn NeedtoKnow mode is disabled Intrusion mode is BlockMacaddress Max mac-address num is not configured Stored mac-address num is 0 Authorization is ignore...
  • Page 180: Mac-Address Security

    Field Description. Authorization is ignore: Authorization information delivered by the Remote Authentication Dial-In User Service (RADIUS) server will not be applied to the port. mac-address security Syntax In system view: mac-address security mac-address interface interface-type interface-number vlan vlan-id undo mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ] In Ethernet port view: mac-address security mac-address vlan vlan-id...
  • Page 181: Port-Security Authorization Ignore

    Examples # Enable port security; configure the port security mode of Ethernet 1/0/1 as autolearn and create a security MAC address entry for 0001-0001-0001, setting the associated port to Ethernet 1/0/1 and assigning the MAC address to VLAN 1. <Sysname> system-view System View: return to User View with Ctrl+Z.
  • Page 182: Port-Security Enable

    After a RADIUS user passes authentication, the RADIUS server authorizes the attributes configured for the user account such as the dynamic VLAN configuration. For more information, refer to AAA Command. Examples # Configure Ethernet 1/0/2 to ignore the authorization information delivered by the RADIUS server. <Sysname>...
  • Page 183: Port-Security Guest-Vlan

    Examples # Enable port security. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] port-security enable Notice: The port-control of 802.1x will be restricted to auto when port-security is enabled. Please wait... Done. port-security guest-vlan Syntax port-security guest-vlan vlan-id undo port-security guest-vlan View Ethernet port view...
  • Page 184: Port-Security Intrusion-Mode

    authentication of a user fails, the blocking MAC address feature will be triggered and packets of the user will be dropped, making the user unable to access the guest VLAN. Examples # Set the security mode of port Ethernet 1/0/1 to macAddressOrUserLoginSecure, and specify VLAN 100 as the guest VLAN of the port.
  • Page 185 By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC address) or events and takes a pre-set action accordingly. The actions you can set include: disconnecting the port temporarily/permanently and blocking packets with invalid MAC addresses.
  • Page 186: Port-Security Max-Mac-Count

    NeedtoKnow mode is disabled Intrusion mode is BlockMacaddress Max mac-address num is 2 Stored mac-address num is 2 Authorization is permit For description on the output information, refer to Table 1-2. # Configure the intrusion protection mode on Ethernet 1/0/1 as disableport-temporarily. As a result, the port will be disconnected when intrusion protection is triggered and then re-enabled 30 seconds later.
  • Page 187: Port-Security Ntk-Mode

    By default, there is no limit on the number of MAC addresses allowed on the port. By configuring the maximum number of MAC addresses allowed on a port, you can: Limit the number of users accessing the network through the port. Limit the number of security MAC addresses that can be added on the port.
  • Page 188: Port-Security Oui

    Description Use the port-security ntk-mode command to configure the NTK feature on the port. Use the undo port-security ntk-mode command to restore the default setting. By default, NTK is disabled on a port, namely all frames are allowed to be sent. By checking the destination MAC addresses of the data frames to be sent from a port, the NTK feature ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.
  • Page 189: Port-Security Port-Mode

    Description Use the port-security oui command to set an OUI value for authentication. Use the undo port-security oui command to cancel the OUI value setting. By default, no OUI value is set for authentication. The OUI value set by this command takes effect only when the security mode of the port is set to userLoginWithOUI by the port-security port-mode command.
  • Page 190 Table 1-3 Keyword description Keyword Security mode Description In this mode, a port can learn a specified number of MAC addresses and save those addresses as security MAC addresses. It permits only packets whose source MAC addresses are the security MAC addresses that were learned or configured manually.
  • Page 191 Keyword Security mode Description In this mode, MAC-based 802.1x authentication is applied on users trying to access the network through the port. The port will be enabled when the authentication succeeds and allow packets from authenticated users to pass through. userlogin-secure userLoginSecure In this mode, only one 802.1x-authenticated...
  • Page 192: Port-Security Timer Autolearn

    Before setting the security mode to autolearn, you need to use the port-security max-mac-count command to configure the maximum number of MAC addresses allowed on the port. When a port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
  • Page 193: Port-Security Timer Disableport

    After you execute the port-security timer autolearn command, you can display security MAC address entries by the display mac-address security command. Though the aging time field displayed has a value of "NOAGED", the aging of security MAC address entries is enabled already. Examples # Set the security mode to autolearn, the maximum number of MAC address entries allowed on the port to 4, and the aging time for the learned security MAC address entries to 10 minutes.
  • Page 194: Port-Security Timer Guest-Vlan-Reauth

    Related commands: port-security intrusion-mode. Examples # Set the intrusion protection mode on Ethernet 1/0/1 to disableport-temporarily. It is required that when intrusion protection is triggered, the port be shut down temporarily and then go up 30 seconds later. <Sysname> system-view System View: return to User View with Ctrl+Z.
  • Page 195 View System view Parameters addresslearned: Enables/disables sending traps for MAC addresses learning events. dot1xlogfailure: Enables/disables sending traps for 802.1x authentication failures. dot1xlogoff: Enables/disables sending traps for 802.1x-authenticated user logoff events. dot1xlogon: Enables/disables sending traps for 802.1x-authenticated user logon events. intrusion: Enables/disables sending traps for detections of intrusion packets. ralmlogfailure: Enables/disables sending traps for MAC authentication failures.
  • Page 196 # Use the display port-security command to display the related configuration information. <Sysname> display port-security Equipment port-security is enabled Intrusion trap is Enabled Disableport Timeout: 20 s OUI value: Ethernet1/0/1 is link-down Port mode is AutoLearn NeedtoKnow mode is needtoknowonly Intrusion mode is disableportTemporarily Max mac-address num is 4 Stored mac-address num is 0...
  • Page 197 Table of Contents: 1 Port-MAC-IP Binding Commands 1-1; Port-MAC-IP Binding Commands 1-1; am user-bind 1-1; display am user-bind 1-2...
  • Page 198 Port-MAC-IP Binding Commands Port-MAC-IP Binding Commands am user-bind Syntax In system view: am user-bind mac-addr mac-address ip-addr ip-address [ interface interface-type interface-number ] undo am user-bind mac-addr mac-address ip-addr ip-address [ interface interface-type interface-number ] In Ethernet port view: am user-bind { ip-addr ip-address | mac-addr mac-address [ ip-addr ip-address ] } undo am user-bind { ip-addr ip-address | mac-addr mac-address [ ip-addr ip-address ] } View System view, Ethernet port view...
  • Page 199 System View: return to User View with Ctrl+Z. [Sysname] am user-bind mac-addr 000f-e200-5101 ip-addr 10.153.1.1 interface Ethernet1/0/1 # In Ethernet port view, bind the MAC address 000f-e200-5102 and IP address 10.153.1.2 (supposing they are MAC and IP addresses of a legal user) to Ethernet 1/0/2. <Sysname>...
  • Page 200 Table of Contents: 1 DLDP Configuration Commands (1-1): DLDP Configuration Commands (1-1); display dldp (1-1); dldp (1-2); dldp authentication-mode (1-3); dldp interval (1-4); dldp reset (1-5); dldp unidirectional-shutdown (1-5); dldp work-mode (1-6); dldp delaydown-timer (1-7)...
  • Page 201: DLDP Configuration Commands

    DLDP Configuration Commands DLDP Configuration Commands display dldp Syntax display dldp { unit-id | interface-type interface-number } View Any view Parameters unit-id: Unit number of a device; it can only be set to 1 for the switch 5500. interface-type: Port type. interface-number: Port number. Description Use the display dldp command to display the DLDP configuration of a unit or a port.
  • Page 202: Dldp

    Table 1-1 Description on the fields of the display dldp command
    Field | Description
    dldp interval | Interval for sending DLDP advertisement packets (in seconds)
    dldp work-mode | DLDP work mode (enhance or normal)
    dldp authentication-mode | DLDP authentication mode (none, simple, or md5)
    password | Password for DLDP authentication
    DLDP action to be performed on detecting a...
  • Page 203: Dldp Authentication-Mode

    When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently. Examples # Enable DLDP on all optical ports of the switch. <Sysname>...
  • Page 204: Dldp Interval

    When you configure a DLDP authentication mode and authentication password on a port, make sure that the same DLDP authentication mode and password are set on the ports connected with a fiber cable or copper twisted pair. Otherwise, DLDP authentication fails. DLDP cannot work before DLDP authentication succeeds.
  • Page 205: Dldp Reset

    unidirectional links. On the contrary, if too short an interval is set, network traffic increases, unnecessarily consuming port bandwidth. Examples # Set the interval between sending advertisement packets to 6 seconds for all DLDP-enabled ports in the advertisement state. <Sysname> system-view System View: return to User View with Ctrl+Z.
  • Page 206: Dldp Work-Mode

    Parameters auto: Automatically disables the corresponding port when DLDP detects a unidirectional link or finds in the enhanced mode that the peer port is down. manual: Generates logs and traps and prompts the user to manually disable the corresponding port when DLDP detects a unidirectional link or finds in the enhanced mode that the peer port is down.
  • Page 207: Dldp Delaydown-Timer

    When DLDP works in normal mode, the system can identify only the unidirectional link caused by fiber cross-connection. When the DLDP protocol works in enhanced mode, the system can identify two types of unidirectional links: one is caused by fiber cross-connection and the other is caused by a fiber not being connected or being broken.
  • Page 208 Examples # Set the delaydown timer to 5 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dldp delaydown-timer 5...
  • Page 209 Table of Contents: 1 MAC Address Table Management Configuration Commands (1-1): MAC Address Table Management Configuration Commands (1-1); display mac-address aging-time (1-1); display mac-address (1-2); mac-address (1-3); mac-address aging destination-hit enable (1-5); mac-address max-mac-count (1-5); mac-address timer (1-6)...
  • Page 210: MAC Address Table Management Configuration Commands

    MAC Address Table Management Configuration Commands This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to the “Multicast Protocol” part of the manual. MAC Address Table Management Configuration Commands display mac-address aging-time Syntax display mac-address aging-time...
  • Page 211: Display Mac-Address

    display mac-address Syntax display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static | blackhole ] [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] ] [ unit unit-id ] View Any view Parameters mac-address: Displays MAC address entries for a specified MAC address, in the format of H-H-H.
  • Page 212
    000d-88f6-44ba Learned GigabitEthernet1/0/4 AGING
    000d-88f7-9f7d Learned GigabitEthernet1/0/4 AGING
    000d-88f7-b094 Learned GigabitEthernet1/0/4 AGING
    000f-e200-00cc Learned GigabitEthernet1/0/4 AGING
    000f-e200-2201 Learned GigabitEthernet1/0/4 AGING
    000f-e207-f2e0 Learned GigabitEthernet1/0/4 AGING
    000f-e209-ecf9 Learned GigabitEthernet1/0/4 AGING
    7 mac address(es) found on port GigabitEthernet1/0/4 ---
    # Display the total number of MAC address entries for VLAN 2.
    <Sysname>...
  • Page 213 dynamic: Specifies a dynamic MAC address entry. blackhole: Specifies a blackhole MAC address entry. mac-address: Specifies a MAC address, in the form of H-H-H. When entering the MAC address, you can omit the leading 0s in each segment. For example, you can input f-e2-1 for 000f-00e2-0001. interface-type interface-number: Specifies the outgoing port by its type and number for the MAC address.
  • Page 214: Mac-Address Aging Destination-Hit Enable

    System View: return to User View with Ctrl+Z. [Sysname] mac-address static 000f-e20f-0101 interface GigabitEthernet 1/0/1 vlan 2 mac-address aging destination-hit enable Syntax mac-address aging destination-hit enable undo mac-address aging destination-hit enable View System view Parameters None Description Use the mac-address aging destination-hit enable command to enable the destination MAC address triggered update function.
  • Page 215: Mac-Address Timer

    Use the undo mac-address max-mac-count command to cancel the limitation on the number of MAC addresses an Ethernet port can learn. By default, the number of MAC addresses an Ethernet port can learn is unlimited. When you use the mac-address max-mac-count command, the port stops learning MAC addresses after the number of MAC addresses it learned reaches the value of the count argument you provided.
  • Page 216 If the aging timer is set too long, MAC address entries may persist after they become invalid. This prevents the switch from updating its MAC address table in time, so the table cannot reflect the position changes of network devices in time. Examples # Set the aging time of MAC address entries to 500 seconds.
  • Page 217 Table of Contents: 1 Auto Detect Configuration Commands (1-1): Auto Detect Configuration Commands (1-1); detect-group (1-1); detect-list (1-2); display detect-group (1-3); ip route-static detect-group (1-4); option (1-5); retry (1-6); standby detect-group (1-6); timer loop (1-7); timer wait (1-7); vrrp vrid track detect-group (1-8)...
  • Page 218: Auto Detect Configuration Commands

    Auto Detect Configuration Commands Auto Detect Configuration Commands Refer to the Routing Protocol part of the manual for information about static routing. Refer to the VRRP part of the manual for information about VRRP. detect-group Syntax detect-group group-number undo detect-group group-number View System view Parameters...
  • Page 219: Detect-List

    [Sysname-detect-group-10] detect-list Syntax detect-list list-number ip address ip-address [ nexthop ip-address ] undo detect-list list-number View Detected group view Parameters list-number: Sequence number of the IP address to be detected. This argument ranges from 1 to 10. ip address ip-address: Specifies the destination IP address (in dotted decimal notation) to be detected. nexthop ip-address: Specifies the next hop IP address (in dotted decimal notation) for Auto Detect.
  • Page 220: Display Detect-Group

    display detect-group Syntax display detect-group [ group-number ] View Any view Parameters group-number: Detected group number ranging from 1 to 25. Description Use the display detect-group command to display the configuration of the specified detected group or all detected groups. Examples # Display the configuration of detected group 1.
  • Page 221: Ip Route-Static Detect-Group

    Field | Description
    ip address | IP address to be detected
    next hop | Next hop IP address
    ip route-static detect-group Syntax ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-hop } [ preference preference-value ] [ reject | blackhole ] detect-group group-number undo ip route-static ip-address { mask | mask-length } [ interface-type interface-number | next-hop ] [ preference preference-value ] View...
  • Page 222 <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ip route-static 192.168.1.5 24 192.168.0.2 detect-group 10 After the configuration, if detected group 10 is reachable, the static route is valid; if detected group 10 is unreachable, the static route is invalid. option Syntax option [ and | or ]...
  • Page 223: Retry

    retry Syntax retry retry-times undo retry View Detected group view Parameters retry-times: Maximum retry times during a detect operation. This argument ranges from 0 to 10 and defaults to 2. Description Use the retry command to set the maximum retry times during a detect operation. Use the undo retry command to restore the default times.
  • Page 224: Timer Loop

    Use the undo standby detect-group command to disable the interface backup function. Examples # Specify to enable VLAN-interface 2 (the backup interface) when the detected group 10 is unreachable. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] standby detect-group 10 After the configuration, if detected group 10 is reachable, the backup interface VLAN-interface 2 will be in the disabled state, and if detected group 10 is unreachable, VLAN-interface 2 will be enabled.
  • Page 225: Vrrp Vrid Track Detect-Group

    undo timer wait View Detected group view Parameters seconds: Timeout waiting for an ICMP reply. This argument ranges from 1 to 30 (in seconds) and defaults to 2. Description Use the timer wait command to set a timeout waiting for an ICMP reply. Use the undo timer wait command to restore the default.
  • Page 226 Currently, auto detect in VRRP is only supported in S3600-EI series Ethernet switches. Examples # Specify to decrease the priority of the master switch in VRRP group 1 by 20 when the detected group 10 is unreachable. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] vrrp vrid 1 track detect-group 10 reduced 20 After this configuration, if detected group 10 is reachable, the master remains the master, and if detected...
  • Page 227 Table of Contents: 1 MSTP Configuration Commands (1-1): MSTP Configuration Commands (1-1); active region-configuration (1-1); bpdu-drop any (1-2); check region-configuration (1-2); display stp (1-3); display stp abnormalport (1-7); display stp portdown (1-8); display stp region-configuration (1-9); display stp root (1-10); instance (1-11); region-name (1-11); reset stp (1-12); revision-level (1-13); stp (1-13)...
  • Page 228 stp transmit-limit (1-44); vlan-mapping modulo (1-45); vlan-vpn tunnel (1-46)...
  • Page 229: MSTP Configuration Commands

    MSTP Configuration Commands The stp pathcost-standard legacy command was added. Refer to pathcost-standard. MSTP Configuration Commands active region-configuration Syntax active region-configuration View MST region view Parameters None Description Use the active region-configuration command to activate the settings of a multiple spanning tree (MST) region.
  • Page 230: Bpdu-Drop Any

    bpdu-drop any Syntax bpdu-drop any undo bpdu-drop any View Ethernet port view Parameters None Description Use the bpdu-drop any command to enable BPDU dropping on the Ethernet port. Use the undo bpdu-drop any command to disable BPDU dropping on the Ethernet port. By default, BPDU dropping is disabled.
  • Page 231: Display Stp

    MST region-related parameters mentioned above are not consistent with those of other switches in the region. The 3Com 5500-EI switches support only the MST region name, VLAN-to-instance mapping table, and revision level. Switches that have the same settings for these parameters are assigned to the same MST region.
  • Page 232 Parameters instance-id: ID of the MSTI ranging from 0 to 16. The value of 0 refers to the common and internal spanning tree (CIST). interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
  • Page 233
    <Sysname> display stp instance 0 interface Ethernet 1/0/1 to Ethernet 1/0/4 brief
    MSTID Port Role STP State Protection
    Ethernet1/0/1 ALTE DISCARDING LOOP
    Ethernet1/0/2 DESI FORWARDING NONE
    Ethernet1/0/3 DESI FORWARDING NONE
    Ethernet1/0/4 DESI FORWARDING NONE
    Table 1-2 Description on the fields of the display stp brief command
    Field | Description
    MSTID...
  • Page 234
    Port Role :CIST Disabled Port
    Port Priority :128
    Port Cost(Legacy) :Config=auto / Active=200000
    Desg. Bridge/Port :32768.00e0-fc12-4001 / 128.2
    Port Edged :Config=disabled / Active=disabled
    Point-to-point :Config=auto / Active=false
    Transmit Limit :10 packets/hello-time
    Protection Type :None
    MSTP BPDU format :Config=auto / Active=legacy
    Port Config Digest Snooping :disabled...
  • Page 235: Display Stp Abnormalport

    Field | Description
    Desg. Bridge/Port | Designated bridge ID and port ID of the port. The port ID displayed is insignificant for a port which does not support port priority.
    Port Edged | Indicates whether the port is an edge port. Config indicates the configured value, and Active indicates the actual value.
  • Page 236: Display Stp Portdown

    <Sysname> display stp abnormalport
    MSTID Port Block Reason
    --------- -------------------- -------------
    Ethernet1/0/20 Root-Protection
    Ethernet1/0/21 Loop-Protection
    Table 1-4 Description on the fields of the display stp abnormalport command
    Field | Description
    MSTID | MSTI ID in the MST region
    Port | Port that has been blocked
    Block Reason | The function blocking the port: Root-Protected: root guard function...
  • Page 237: Display Stp Region-Configuration

    Table 1-5 Description on the fields of the display stp portdown command
    Field | Description
    Port | Port that has been shut down
    Down Reason | Reason that caused the port to be blocked. BPDU-Protected: BPDU attack guard function. Formatfrequency-Protected: MSTP BPDU format frequent change protection function
    display stp region-configuration Syntax...
  • Page 238: Display Stp Root

    Field | Description
    Instance Vlans Mapped | VLAN-to-instance mappings in the MST region
    display stp root Syntax display stp root View Any view Parameters None Description Use the display stp root command to display information about the root ports in the MSTP region where the switch resides.
  • Page 239: Instance

    instance Syntax instance instance-id vlan vlan-list undo instance instance-id [ vlan vlan-list ] View MST region view Parameters instance-id: ID of an MSTI ranging from 0 to 16. The value of 0 refers to the CIST. vlan-list: List of VLANs. You need to provide this argument in the form of vlan-list = { vlan-id [ to vlan-id ] }&<1-10>, where &<1-10>...
  • Page 240: Reset Stp

    Parameters name: MST region name to be set for the switch, a string of 1 to 32 characters. Description Use the region-name command to set an MST region name for a switch. Use the undo region-name command to restore the MST region name to the default value. The default MST region name of a switch is its MAC address.
  • Page 241: Revision-Level

    Examples # Clear the spanning tree statistics on Ethernet 1/0/1 through Ethernet 1/0/3. <Sysname> reset stp interface Ethernet 1/0/1 to Ethernet 1/0/3 revision-level Syntax revision-level level undo revision-level View MST region view Parameters level: MSTP revision level to be set for the switch. This argument ranges from 0 to 65,535. Description Use the revision-level command to set the MSTP revision level for a switch.
  • Page 242 Parameters enable: Enables MSTP. disable: Disables MSTP. interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument. Description Use the stp command in system view to enable/disable MSTP globally.
  • Page 243: Stp Bpdu-Protection

    It is recommended that you enable BPDU guard on devices with edge ports configured. Because the Gigabit ports of a 3Com switch 5500-EI cannot be shut down, the BPDU guard function does not apply to these ports even if you enable it and specify these ports as MSTP edge ports.
  • Page 244: Stp Bridge-Diameter

    Examples # Enable the BPDU guard function. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp bpdu-protection stp bridge-diameter Syntax stp bridge-diameter bridgenum undo stp bridge-diameter View System view Parameters bridgenum: Network diameter to be set for a switched network. This argument ranges from 2 to 7. Description Use the stp bridge-diameter command to set the network diameter of a switched network.
  • Page 245 stp interface interface-list compliance { auto | legacy | dot1s } undo stp interface interface-list compliance View System view, Ethernet port view Parameters auto: Configures the port(s) to recognize the MSTP BPDU format automatically and accordingly determine the format of MSTP BPDUs to send. legacy: Configures the port(s) to receive and send only compatible-format MSTP BPDUs.
  • Page 246: Stp Config-Digest-Snooping

    # Configure Ethernet 1/0/2 to Ethernet 1/0/4 to recognize and send MSTP BPDUs in dot1s format. <Sysname> system-view [Sysname] stp interface Ethernet 1/0/2 to Ethernet1/0/4 compliance dot1s stp config-digest-snooping Syntax System view, Ethernet port view: stp config-digest-snooping undo stp config-digest-snooping System view: stp interface interface-list config-digest-snooping undo stp interface interface-list config-digest-snooping...
  • Page 247 As some other manufacturers' switches adopt proprietary spanning tree protocols, they cannot interwork with other switches in an MST region even if they are configured with the same MST region-related settings as other switches in the MST region. This kind of problem can be overcome by implementing the digest snooping feature. If a switch port is connected to another manufacturer’s switch that has the same MST region-related settings but adopts a proprietary spanning tree protocol, you can enable the digest snooping feature on the port that will be receiving BPDU packets from another manufacturer's switch.
  • Page 248: Stp Cost

    # Enable the digest snooping feature on Ethernet 1/0/2 to Ethernet 1/0/4. <Sysname> system-view [Sysname] stp interface Ethernet 1/0/2 to Ethernet1/0/4 config-digest-snooping [Sysname] stp config-digest-snooping stp cost Syntax Ethernet port view: stp [ instance instance-id ] cost cost undo stp [ instance instance-id ] cost System view: stp interface interface-list [ instance instance-id ] cost cost undo stp interface interface-list [ instance instance-id ] cost...
  • Page 249: Stp Dot1D-Trap

    Note that: If you specify the instance-id argument to be 0 or do not specify this argument, the stp cost command sets the path cost of the port in CIST. Changing the path cost of a port in an MSTI may change the role of the port in the instance and put it in state transition.
  • Page 250: Stp Edged-Port

    A switch sends trap messages conforming to 802.1d standard to the network management device when: The switch becomes the root bridge of an MSTI. Network topology changes are detected. Examples # Enable a switch to send trap messages conforming to 802.1d standard to the network management device when the switch becomes the root bridge of MSTI 1.
  • Page 251: Stp Loop-Protection

    You can enable a port to turn to the forwarding state rapidly by setting it as an edge port. It is recommended that you configure the Ethernet ports directly connected to user terminals as edge ports so that they turn to the forwarding state rapidly. Normally, configuration BPDUs cannot reach an edge port because the port is not connected to another switch.
  • Page 252 Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument. Description Use the stp loop-protection command to enable the loop guard function on the current port.
  • Page 253: Stp Max-Hops

    # Enable the loop guard function on Ethernet 1/0/2 to Ethernet 1/0/4 in system view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 loop-protection stp max-hops Syntax stp max-hops hops undo stp max-hops View System view...
  • Page 254 stp mcheck System view: stp [ interface interface-list ] mcheck View System view, Ethernet port view Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
  • Page 255: Stp Mode

    stp mode Syntax stp mode { stp | rstp | mstp } undo stp mode View System view Parameters stp: Specifies the STP-compatible mode. mstp: Specifies the MSTP mode. rstp: Specifies the RSTP-compatible mode. Description Use the stp mode command to set the operating mode of an MSTP-enabled switch. Use the undo stp mode command to restore the default operating mode of an MSTP-enabled switch.
  • Page 256 Some manufacturers' switches adopt proprietary spanning tree protocols that are similar to RSTP in the way they implement rapid transition on designated ports. When a switch of this kind operates as the upstream switch of a 3Com switch 5500-EI running MSTP, the upstream designated port fails to change its state rapidly.
  • Page 257: Stp Pathcost-Standard

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet1/0/1 no-agreement-check stp pathcost-standard Syntax stp pathcost-standard { dot1d-1998 | dot1t | legacy } undo stp pathcost-standard View System view Parameters dot1d-1998: The device calculates the default path cost for ports based on IEEE 802.1d-1998. dot1t: The device calculates the default path cost for ports based on IEEE 802.1t.
  • Page 258: Stp Point-To-Point

    Link speed | Duplex state | Path cost in 802.1d-1998 standard | Path cost in IEEE 802.1t standard | Path cost in private standard
    Full-duplex 200,000 Aggregated link 2 ports 1,000 10 Gbps Aggregated link 3 ports Aggregated link 4 ports
    Normally, when a port operates in full-duplex mode, the corresponding path cost is slightly less than that when the port operates in half-duplex mode.
  • Page 259 force-false: Specifies that the link connected to the current Ethernet port is not a point-to-point link. auto: Specifies to automatically determine whether or not the link connected to the current Ethernet port is a point-to-point link. interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
  • Page 260: Stp Port Priority

    [Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 point-to-point force-true stp port priority Syntax Ethernet port view: stp [ instance instance-id ] port priority priority undo stp [ instance instance-id ] port priority System view: stp interface interface-list instance instance-id port priority priority undo stp interface interface-list instance instance-id port priority View System view, Ethernet port view...
  • Page 261: Stp Portlog

    Set the port priority of Ethernet 1/0/1 in MSTI 2 to 16 in system view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet 1/0/1 instance 2 port priority 16 # Set the port priority of Ethernet 1/0/2 to Ethernet 1/0/4 in MSTI 2 to 16 in system view. <Sysname>...
  • Page 262: Stp Priority

    Parameters None Description Use the stp portlog all command to enable log and trap message output for the ports of all instances. Use the undo stp portlog all command to disable this function. By default, log and trap message output is disabled on the ports of all instances. Examples # Enable log and trap message output for the ports of all instances.
  • Page 263: Stp Region-Configuration

    stp region-configuration Syntax stp region-configuration undo stp region-configuration View System view Parameters None Description Use the stp region-configuration command to enter MST region view. Use the undo stp region-configuration command to restore the MST region-related settings to the default. MST region-related parameters include: region name, revision level, and VLAN-to-instance mapping table.
  • Page 264 View System view Parameters instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST. bridgenum: Network diameter of the specified spanning tree. This argument ranges from 2 to 7 and defaults to 7. centi-seconds: Hello time in centiseconds of the specified spanning tree. This argument ranges from 100 to 1,000 and defaults to 200.
  • Page 265: Stp Root Secondary

    stp root secondary Syntax stp [ instance instance-id ] root secondary [ bridge-diameter bridgenum [ hello-time centi-seconds ] ] undo stp [ instance instance-id ] root View System view Parameters instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST. bridgenum: Network diameter of the specified spanning tree.
  • Page 266: Stp Root-Protection

    stp root-protection Syntax Ethernet port view: stp root-protection undo stp root-protection System view: stp interface interface-list root-protection undo stp interface interface-list root-protection View System view, Ethernet port view Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
  • Page 267: Stp Tc-Protection

    Examples # Enable the root guard function on Ethernet 1/0/1. Enable the root guard function on Ethernet 1/0/1 in Ethernet port view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp root-protection Enable the root guard function on Ethernet 1/0/1 in system view. <Sysname>...
  • Page 268: Stp Tc-Protection Threshold

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp tc-protection enable stp tc-protection threshold Syntax stp tc-protection threshold number undo stp tc-protection threshold View System view Parameters number: Maximum number of times that a switch can remove the MAC address table and ARP entries within each 10 seconds, in the range of 1 to 255.
  • Page 269: Stp Timer Forward-Delay

    stp timer forward-delay Syntax stp timer forward-delay centi-seconds undo stp timer forward-delay View System view Parameters centi-seconds: Forward delay in centiseconds to be set. This argument ranges from 400 to 3,000. Description Use the stp timer forward-delay command to set the forward delay of the switch. Use the undo stp timer forward-delay command to restore the forward delay to the default value.
  • Page 270: Stp Timer Max-Age

    Parameters centi-seconds: Hello time to be set, in the range of 100 to 1,000 (in centiseconds). Description Use the stp timer hello command to set the hello time of the switch. Use the undo stp timer hello command to restore the hello time of the switch to the default value. By default, the hello time of the switch is 200 centiseconds.
  • Page 271: Stp Timer-Factor

    MSTP is capable of detecting link failures and automatically restoring redundant links to the forwarding state. In CIST, switches use the max age parameter to judge whether or not a received configuration BPDU times out. Spanning trees will be recalculated if a configuration BPDU received by a port times out.
  • Page 272: Stp Transmit-Limit

    can be four (or more) times the hello time. For a steady network, the timeout time can be five to seven times the hello time. Examples # Set the hello time factor to 7. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp timer-factor 7 stp transmit-limit Syntax...
  • Page 273: Vlan-Mapping Modulo

    Examples # Set the maximum number of configuration BPDUs that can be transmitted through Ethernet 1/0/1 in each hello time to 15. In Ethernet port view: <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp transmit-limit 15 In system view: <Sysname>...
  • Page 274: Vlan-Vpn Tunnel

    You can quickly map VLANs to specific MSTIs by using the vlan-mapping modulo modulo command. The ID of the MSTI to which a VLAN is mapped is given by the following formula: (VLAN ID-1) % modulo + 1. In this formula, (VLAN ID-1) % modulo yields the remainder of (VLAN ID-1) divided by the modulo argument.
  • Page 275 The VLAN-VPN tunnel function can only be enabled on STP-enabled devices. To enable the VLAN-VPN tunnel function, make sure the links between operator’s networks are trunk links. If a fabric port exists on a switch, you cannot enable the VLAN-VPN function for any port of the switch.
  • Page 276 Table of Contents. 1 IP Routing Table Commands: display ip routing-table; display ip routing-table acl; display ip routing-table ip-address; display ip routing-table ip-address1 ip-address2; display ip routing-table ip-prefix; display ip routing-table protocol; display ip routing-table radix; display ip routing-table statistics; display ip routing-table verbose; reset ip routing-table statistics protocol...
  • Page 277 traffic-share-across-interface. 4 OSPF Configuration Commands: abr-summary; area; asbr-summary; authentication-mode; default; default-cost; default-route-advertise; display router id; display ospf abr-asbr; display ospf asbr-summary; display ospf brief; display ospf cumulative; display ospf error; display ospf interface; display ospf lsdb; display ospf nexthop...
  • Page 278 router id; silent-interface; snmp-agent trap enable ospf; spf-schedule-interval; stub; vlink-peer. 5 IP Routing Policy Configuration Commands: apply cost; apply tag; display ip ip-prefix; display route-policy; if-match { acl | ip-prefix }; if-match cost; if-match interface; if-match ip next-hop...
  • Page 279: Ip Routing Table Commands

    IP Routing Table Commands IP Routing Table Commands display ip routing-table Syntax display ip routing-table [ | { begin | exclude | include } regular-expression ] View Any view Parameters regular-expression: Regular expression, a string of 1 to 256 case-sensitive characters used for specifying routing entries.
  • Page 280: Routing Protocol

    2.2.2.0/24 DIRECT 2.2.2.1 Vlan-interface2 2.2.2.1/32 DIRECT 127.0.0.1 InLoopBack0 3.3.3.0/24 DIRECT 3.3.3.1 Vlan-interface3 3.3.3.1/32 DIRECT 127.0.0.1 InLoopBack0 4.4.4.0/24 DIRECT 4.4.4.1 Vlan-interface4 4.4.4.1/32 DIRECT 127.0.0.1 InLoopBack0 127.0.0.0/8 DIRECT 127.0.0.1 InLoopBack0 127.0.0.1/32 DIRECT 127.0.0.1 InLoopBack0 # Display the routing information from the entry containing the character string interface4 in the current routing table.
  • Page 281: Display Ip Routing-Table Acl

    display ip routing-table acl Syntax display ip routing-table acl acl-number [ verbose ] View Any view Parameters acl-number: Basic access control list number, in the range of 2000 to 2999. verbose: With this keyword specified, detailed information of routes in the active or inactive state that match the ACL is displayed.
  • Page 282 State: <Int ActiveU Retain Unicast> Age: 21:34:13 Cost: 0/0 **Destination: 192.168.1.2 Mask: 255.255.255.255 Protocol: #DIRECT Preference: 0 *NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0) State: <NoAdvise Int ActiveU Retain Gateway Unicast> Age: 21:34:13 Cost: 0/0 Table 1-2 Description on the fields of the display ip routing-table command Field Description Destination...
  • Page 283: Display Ip Routing-Table Ip-Address

    Field Description Description of route state: ActiveU An active unicast route, where “U” represents unicast. A blackhole route is similar to a reject route, but no ICMP Blackhole unreachable message is sent to the source. Delete A route is to be deleted. Gateway An indirect route.
  • Page 284 Parameters ip-address: Destination IP address, in dotted decimal notation. mask: Subnet mask, in dotted decimal notation. mask-length: Length of a subnet mask, in the range of 0 to 32. longer-match: Specifies all the routes that lead to the destination address and match the specified mask.
  • Page 285: Display Ip Routing-Table Ip-Address1 Ip-Address2

    display ip routing-table ip-address1 ip-address2 Syntax display ip routing-table ip-address1 { mask1 | mask-length1 } ip-address2 { mask2 | mask-length2 } [ verbose ] View Any view Parameters ip-address1, ip-address2: Destination IP address in dotted decimal notation. ip-address1 {mask1 | mask-length1} and ip-address2 {mask2 | mask-length2} determine one address range together.
  • Page 286: Display Ip Routing-Table Protocol

    verbose: With this keyword specified, detailed information of routes in the active or inactive state that match the IP prefix list is displayed. With this keyword not specified, brief information of only the routes in the active state that match the prefix list is displayed. Description Use the display ip routing-table ip-prefix command to display the information of routes matching the specified IP prefix list.
  • Page 287: Display Ip Routing-Table Radix

    Parameters protocol: You can provide one of the following values for this argument. direct: Displays direct-connect route information ospf: Displays OSPF route information. ospf-ase: Displays OSPF ASE route information. ospf-nssa: Displays OSPF not-so-stubby area (NSSA) route information. rip: Displays RIP route information. static: Displays static route information.
  • Page 288: Display Ip Routing-Table Statistics

    Description Use the display ip routing-table radix command to display the route information in a tree structure. Examples <Sysname> display ip routing-table radix Radix tree for INET (2) inodes 7 routes 5: +-32+--{210.0.0.1 +--0+ | | +--8+--{127.0.0.0 | | | +-32+--{127.0.0.1 | +--1+ +--8+--{20.0.0.0 +-32+--{20.1.1.1...
  • Page 289: Display Ip Routing-Table Verbose

    OSPF O_ASE O_NSSA Total Table 1-4 Description on the fields of the display ip routing-table statistics command Field Description Routing protocol type O_ASE: OSPF_ASE Proto O_NSSA: OSPF NSSA AGGRE: Aggregation protocol Route Total number of routes Active Number of active routes Number of routes added after the router is rebooted or the routing table Added is cleared last time.
  • Page 290: Reset Ip Routing-Table Statistics Protocol

    Age: 20:17:41 Cost: 0/0 **Destination: 1.1.1.1 Mask: 255.255.255.255 Protocol: #DIRECT Preference: 0 *NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0) State: <NoAdvise Int ActiveU Retain Gateway Unicast> Age: 20:17:42 Cost: 0/0 **Destination: 2.2.2.0 Mask: 255.255.255.0 Protocol: #DIRECT Preference: 0 *NextHop: 2.2.2.1 Interface: 2.2.2.1(Vlan-interface2) State: <Int ActiveU Retain Unicast> Age: 20:08:05 Cost: 0/0 For descriptions of route states, see...
  • Page 291 OSPF O_ASE O_NSSA Total # Clear the routing statistics of all protocols from the IP routing table. <Sysname> reset ip routing-table statistics protocol all # Display the routing statistics in the IP routing table. <Sysname> display ip routing-table statistics Routing tables: Proto route active...
  • Page 292: Static Route Configuration Commands

    Static Route Configuration Commands The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. Static Route Configuration Commands delete static-routes all Syntax delete static-routes all View System view Parameters None Description...
  • Page 293: Ip Route-Static

    ip route-static Syntax ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-hop } [ preference preference-value ] [ reject | blackhole ] [ detect-group group number ] [ description text ] undo ip route-static ip-address { mask | mask-length } [ interface-type interface-number | next-hop ] [ preference preference-value ] View System view...
  • Page 294 By default, the system can obtain the subnet route directly connected to the router. When you configure a static route, if no preference is specified for the route, the preference defaults to 60, and if the route is not specified as reject or blackhole, the route will be reachable by default. When configuring a static route, note the following points: If the destination IP address and the mask are both 0.0.0.0, what you are configuring is a default route.
  • Page 295: Rip Configuration Commands

    RIP Configuration Commands The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. RIP Configuration Commands checkzero Syntax checkzero undo checkzero View RIP view Parameters None Description Use the checkzero command to enable the must be zero field check for RIP-1 packets. Use the undo checkzero command to disable the must be zero field check for RIP-1 packets.
  • Page 296: Default Cost

    default cost Syntax default cost value undo default cost View RIP view Parameters value: Default cost, in the range of 1 to 16. Description Use the default cost command to set the default cost for redistributed routes. Use the undo default cost command to restore the default. By default, the default cost of a redistributed route is 1.
  • Page 297: Traffic-Share-Across-Interface

    <Sysname> display rip RIP is running Checkzero is on Default cost : 1 Summary is on Preference : 100 Traffic-share-across-interface is off Period update timer : 30 Timeout timer : 180 Garbage-collection timer : 120 No peer router Network : 202.38.168.0 Table 3-1 Description on the fields of the display rip command Field...
  • Page 298: Display Rip Interface

    display rip interface Syntax display rip interface View Any view Parameters None Description Use the display rip interface command to display RIP interface information. Examples # Display RIP interface information. <Sysname> display rip interface RIP Interface: public net Address Interface MetrIn/Out Input Output Split-horizon 1.0.0.1...
  • Page 299: Filter-Policy Export

    View Any view Parameters None Description Use the display rip routing command to display RIP routing information. Examples # Display the information of the RIP routing table. <Sysname> display rip routing RIP routing table: public net A = Active I = Inactive G = Garbage collection C = Change T = Trigger RIP...
  • Page 300: Filter-Policy Import

    View RIP view Parameters acl-number: Number of the basic or advanced ACL used to filter routing information by destination address, in the range of 2000 to 3999. ip-prefix-name: Name of the address ip-prefix list used to filter routing information by destination address, a string of 1 to 19 characters.
  • Page 301: Host-Route

    Parameters acl-number: Number of the ACL used to filter routing information by destination address, in the range of 2000 to 3999. ip-prefix-name: Name of the address prefix list used to filter routing information by destination address, a string of 1 to 19 characters. gateway ip-prefix-name: Name of the address prefix list used to filter routing information by the address of the neighbor router advertising the information, a string of 1 to 19 characters.
  • Page 302: Import-Route

    By default, RIP is enabled to receive host routes. In some special cases, RIP receives a great number of host routes from the same network segment. These routes are of little help to addressing but occupy a lot of resources. In this case, the undo host-route command can be used to disable RIP from receiving host routes to save network resources.
  • Page 303: Network

    [Sysname-rip] import-route static cost 4 # Set the default cost and redistribute OSPF routes with the default cost. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rip [Sysname-rip] default cost 3 [Sysname-rip] import-route ospf network Syntax network network-address undo network network-address View RIP view...
  • Page 304: Preference

    View RIP view Parameters ip-address: IP address of the interface receiving RIP packets in the unicast mode on the neighbor router, in dotted decimal notation. Description Use the peer command to specify the IP address of a neighbor, where routing updates destined for the peer are unicast, rather than multicast or broadcast.
  • Page 305: Reset

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rip [Sysname-rip] preference 20 reset Syntax reset View RIP view Parameters None Description Use the reset command to reset the system configuration parameters of RIP. When you need to re-configure the parameters of RIP, you can use this command to restore the default. Examples # Reset the RIP system configuration.
  • Page 306: Rip Authentication-Mode

    Note that the interface-related parameters configured previously would be invalid after RIP is disabled. Examples # Enable RIP and enter RIP view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rip [Sysname-rip] rip authentication-mode Syntax rip authentication-mode { simple password | md5 { rfc2082 key-string key-id | rfc2453 key-string } } undo rip authentication-mode View Interface view...
  • Page 307: Rip Input

    Related commands: rip version. You can configure RIPv1 authentication mode in interface view, but the configuration will not take effect because RIPv1 does not support authentication. Examples # Specify the interface VLAN-interface 10 to use the simple authentication with the authentication key of aaa.
  • Page 308: Rip Metricin

    System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] undo rip input rip metricin Syntax rip metricin value undo rip metricin View Interface view Parameters value: Additional metric of RIP routes received on an interface, in the range of 0 to 16. Description Use the rip metricin command to configure an additional metric for RIP routes received on an interface.
  • Page 309: Rip Output

    Description Use the rip metricout command to configure an additional metric for RIP routes sent out of an interface. Use the undo rip metricout command to restore the default. By default, the additional metric of RIP routes sent out of an interface is 1. With the command configured on an interface, the metric of RIP routes sent on the interface will be increased.
  • Page 310: Rip Split-Horizon

    rip split-horizon Syntax rip split-horizon undo rip split-horizon View Interface view Parameters None Description Use the rip split-horizon command to enable the split horizon function. Use the undo rip split-horizon command to disable the split horizon function. By default, the split horizon function is enabled. The split horizon function disables an interface from sending routes received from the interface to prevent routing loops between adjacent routers.
  • Page 311: Rip Work

    Use the undo rip version command to restore the default. By default, the version of RIP running on an interface is RIP-1 and RIP-1 packets are sent in the broadcast mode. If RIP-2 runs on an interface, RIP packets are sent in the multicast mode by default, which reduces resource consumption.
  • Page 312: Summary

    Use the undo rip work command to disable the interface from receiving and sending RIP packets. By default, all interfaces except loopback interfaces are enabled to receive and send RIP packets. The differences between the rip work, rip input, and rip output commands are as follows: The rip work command controls the receiving and sending of RIP packets on an interface.
  • Page 313: Timers

    [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] rip version 2 [Sysname-Vlan-interface10] quit [Sysname] rip [Sysname-rip] undo summary timers Syntax timers { update update-timer | timeout timeout-timer } * undo timers { update | timeout } * View RIP view Parameters update-timer: Length of the Period Update timer in seconds, in the range of 1 to 3600. timeout-timer: Length of the Timeout timer in seconds, in the range of 1 to 3600.
  • Page 314 traffic-share-across-interface Syntax traffic-share-across-interface undo traffic-share-across-interface View RIP view Parameters None Description Use the traffic-share-across-interface command to enable traffic to be forwarded along multiple equivalent RIP routes. Use the undo traffic-share-across-interface command to disable this function. By default, this function is disabled. When the number of equivalent routes reaches the upper limit: If this function is enabled, the newly learned equivalent route replaces the existing equivalent route in the routing table.
  • Page 315: Ospf Configuration Commands

    OSPF Configuration Commands The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. OSPF Configuration Commands abr-summary Syntax abr-summary ip-address mask [ advertise | not-advertise ] undo abr-summary ip-address mask View OSPF area view Parameters...
  • Page 316: Area

    Examples # Summarize subnets 36.42.10.0/24 and 36.42.110.0/24, in OSPF area 1 with summary route 36.42.0.0/16 and advertise it to other areas. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ospf 1 [Sysname-ospf-1] area 1 [Sysname-ospf-1-area-0.0.0.1] network 36.42.10.0 0.0.0.255 [Sysname-ospf-1-area-0.0.0.1] network 36.42.110.0 0.0.0.255 [Sysname-ospf-1-area-0.0.0.1] abr-summary 36.42.0.0 255.255.0.0 area...
  • Page 317: Authentication-Mode

    Parameters ip-address: IP address of the summary route, in dotted decimal notation. mask: IP address mask, in dotted decimal notation. not-advertise: Specifies not to advertise the summary route. If this argument is not provided, the summary route will be advertised. tag value: Tag value, which is mainly used to control route advertisement through a route-policy.
  • Page 318: Default

    Use the undo authentication-mode command to cancel the authentication attribute of this area. By default, no authentication is configured for an area. All the routers in one area must use the same authentication mode (no authentication, simple text authentication, or MD5 cipher text authentication). If an authentication mode is configured, all routers on the same segment must use the same authentication key.
  • Page 319: Default-Cost

    type: Default type of external routes redistributed by OSPF. The value of this argument is 1 or 2. Description Use the default command to configure the default parameters for redistributed routes, including cost, interval, limit, tag, and type. Use the undo default cost command to restore the default. By default, the cost, interval, limit, tag, and type are 1, 1, 1000, 1, and 2, respectively.
  • Page 320: Default-Route-Advertise

    You must use the stub command on all the routers connected to a Stub area to configure the area with the stub attribute. Use the default-cost command to configure the cost of the default route advertised by an ABR to a Stub area or NSSA.
  • Page 321: Display Router Id

    cost value: Specifies the cost value of the default route. The default route with the lowest cost value is preferred. The value of value ranges from 0 to 16777214. If no cost is specified, the default cost specified by the default cost command applies. type type-value: Specifies the type of the route.
  • Page 322: Display Ospf Abr-Asbr

    Related commands: router id. Examples # Display the router ID. <Sysname> display router id Configured router id is 1.1.1.1 display ospf abr-asbr Syntax display ospf [ process-id ] abr-asbr View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
  • Page 323: Display Ospf Asbr-Summary

    Field Description Nexthop IP address of the next hop Interface Local output interface display ospf asbr-summary Syntax display ospf [ process-id ] asbr-summary [ ip-address mask ] View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
  • Page 324: Display Ospf Brief

    The Count of Route is 0 Table 4-2 Description on the fields of the display ospf asbr-summary command. Field Description Network address of the summary route mask Subnet mask of the summary route Tag of the summary route Advertisement state of the summary route, including status DoNotAdvertise: The summary can not be advertised.
  • Page 325 Cost: 10 State: DROther Type: Broadcast Priority: 1 Designated Router: 192.168.0.153 Backup Designated Router: 192.168.0.154 Timers: Hello 10, Dead 40, Poll 40, Retransmit 5, Transmit Delay 1 Area 0.0.0.2: Authtype: none Flags: <Nssa> SPF scheduled: <> 7/5 translator state: Enabled Interface: 30.1.1.1 (Vlan-interface2) Cost: 10 State: BackupDR Type: Broadcast...
  • Page 326 Field Description Area type flag: Nssa: NSSA area NssaDefault: A default route is generated into the NSSA. NssaNoSummary: ABR is disabled from advertising Type-3 LSAs into NSSA. Flags NssaNoRedistribution: Prohibits advertisement of redistributed routes into NSSA. Stub: Stub area StubDefault: A default route is generated into Stub area. StubNoSummary: ABR is disabled from advertising Type-3 LSAs to Stub area.
  • Page 327: Display Ospf Cumulative

    display ospf cumulative Syntax display ospf [ process-id ] cumulative View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes. Description Use the display ospf cumulative command to display cumulative OSPF statistics.
  • Page 328: Display Ospf Error

    Routing Table: Intra Area: 1 Inter Area: 0 ASE: 0 Table 4-4 Description on the fields of the display ospf cumulative command Field Description Type of input/output OSPF packet: Hello: Hello packet DB Description: Database Description packet Type Link-State Req: Link-State Request packet IO Statistics Link-State Update: Link-State Update packet Link-State Ack: Link-State Acknowledge packet...
  • Page 329 Description Use the display ospf error command to display OSPF error information. Examples # Display the OSPF error information. <Sysname> display ospf error OSPF Process 1 with Router ID 1.1.1.1 OSPF packet error statistics: 0: IP: received my own packet 0: OSPF: wrong packet type 0: OSPF: wrong version 0: OSPF: wrong checksum...
  • Page 330 Field Description OSPF: packet size > ip length OSPF packet size exceeds IP packet length OSPF: transmit error OSPF transmission error OSPF: interface down OSPF interface is down, unavailable OSPF: unknown neighbor OSPF neighbors are unknown HELLO: netmask mismatch Network mask mismatch HELLO: hello timer mismatch Interval of HELLO packet is mismatched HELLO: dead timer mismatch...
  • Page 331: Display Ospf Interface

    display ospf interface Syntax display ospf [ process-id ] interface [ interface-type interface-number ] View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes. interface-type interface-number: Interface type and interface number.
  • Page 332: Display Ospf Lsdb

    Field Description Priority Priority of DR for interface election Designated Router DR on the network in which the interface resides Backup Designated Router BDR on the network in which the interface resides OSPF timers, defined as follows: Hello Interval of hello packet Timers Dead Interval of dead neighbors...
  • Page 333 Description Use the display ospf lsdb command to display the database information about OSPF connecting state. If no OSPF process is specified, LSDB information of all OSPF processes is displayed. Examples # Display the database information about OSPF connection state. <Sysname>...
  • Page 334 Field Description Location of the LSA, used to indicate in which stage of the route calculation the LSA is: Uninitialized: The LSA is not initialized or is originated by another router. Clist: The LSA is on the candidate list. SpfTree: The LSA is in the SPF tree. SumAsb List: The LSA is in the AS border reachable to the attached area.
  • Page 335: Display Ospf Nexthop

    Table 4-8 Description on the fields of the display ospf lsdb ase command Field Description type Type of the LSA ls id Link state ID of the LSA adv rtr Router ID of the router that advertises the LSA ls age Age of the LSA Length of the LSA seq#...
  • Page 336: Display Ospf Peer

    OSPF Process 1 with Router ID 1.1.1.1 Next hops: Address Type Refcount Intf Addr Intf Name --------------------------------------------------------------- 202.38.160.1 Direct 202.38.160.1 Vlan-interface2 202.38.160.2 Neighbor 202.38.160.1 Vlan-interface2 Table 4-9 Description on the fields of the display ospf nexthop command Field Description Next hops Detailed information of next hops Address IP address of next hop...
  • Page 337 Dead timer expires in 31s Neighbor has been up for 01:14:14 Table 4-10 Description on the fields of the display ospf peer command Field Description RouterID ID of a neighbor router Address IP address of the interface on a neighbor router State of a neighbor: Down: This is the initial state of a neighbor conversation.
  • Page 338 Field Description Priority of a neighbor router DeadTime(s) Dead time, in seconds, of neighbor router Interface Type and number of the local router interface connected to the neighbor router State of a neighbor router, including Down Init Attempt 2-Way Exstart State Exchange Loading...
  • Page 339: Display Ospf Request-Queue

    Field Description In this state, OSPF router requests neighbor routers based on the Loading updated link state information from neighbor routers and its expired information, and waits for response from neighbor routers It indicates that database synchronization between the routers that have Full established neighbor relation has been completed, and their link state databases have been consistent...
  • Page 340: Display Ospf Retrans-Queue

    display ospf retrans-queue Syntax display ospf [ process-id ] retrans-queue View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes. Description Use the display ospf retrans-queue command to display the information about the OSPF retransmission queue.
  • Page 341: Display Ospf Routing

    display ospf routing Syntax display ospf [ process-id ] routing View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes. Description Use the display ospf routing command to display the information about OSPF routing table.
  • Page 342: Display Ospf Vlink

    display ospf vlink Syntax display ospf [ process-id ] vlink View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes. Description Use the display ospf vlink command to display the information about OSPF virtual links.
  • Page 343: Filter-Policy Export

    Field Description OSPF timers, including Hello: Hello interval Timers Dead: Dead neighbor interval Poll: Poll interval Retransmit: Interval for retransmitting LSA Transmit Delay Delay time of transmitting LSA filter-policy export Syntax filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol ] undo filter-policy { acl-number | ip-prefix ip-prefix-name} export [ protocol ] View OSPF view...
  • Page 344: Filter-Policy Import

    System View: return to User View with Ctrl+Z. [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 0 permit source 10.1.1.1 0.0.0.255 [Sysname-acl-basic-2000] quit [Sysname] ospf [Sysname-ospf-1] filter-policy 2000 export filter-policy import Syntax filter-policy { acl-number | ip-prefix ip-prefix-name | gateway prefix-list-name } import undo filter-policy { acl-number | ip-prefix ip-prefix-name | gateway ip-prefix-name } import View OSPF view...
  • Page 345: Import-Route

    [Sysname-ospf-1] filter-policy 2000 import import-route Syntax import-route protocol [ process-id ] [ cost value | type value | tag value | route-policy route-policy-name ] * undo import-route protocol [ process-id ] View OSPF view Parameters protocol: Source routing protocol whose routes will be imported. At present, it can be direct, ospf, ospf-ase, ospf-nssa, rip, or static.
  • Page 346: Log-Peer-Change

    [Sysname-ospf-1] import-route rip type 2 tag 33 cost 50 log-peer-change Syntax log-peer-change undo log-peer-change View OSPF view Parameters None Description Use the log-peer-change command to enable logging of OSPF neighbor state changes. Use the undo log-peer-change command to disable logging of OSPF neighbor state changes. By default, logging of OSPF neighbor state changes is disabled.
  • Page 347: Network

    By default, the number of OSPF ECMP routes is 3. Examples # Set the number of OSPF ECMP routes to 2. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ospf 1 [Sysname-ospf-1] multi-path-number 2 network Syntax network ip-address wildcard-mask undo network ip-address wildcard-mask View OSPF area view...
  • Page 348: Nssa

    nssa Syntax nssa [ default-route-advertise | no-import-route | no-summary | translate-always ] * undo nssa View OSPF area view Parameters default-route-advertise: Redistributes a default route into an NSSA. no-import-route: Redistributes no routes into an NSSA. no-summary: Advertises only a default route in a Type-3 summary LSA into the NSSA area and disables the ABR from transmitting any other Type-3 LSAs to an NSSA translate-always: Specifies the ABR as the Type-7 LSAs translator of the NSSA area.
  • Page 349: Ospf

    If the ABR has the translate-always keyword configured and has a neighbor in the FULL state in the backbone area, its Type-7 LSA translator state becomes Enabled and it translates Type-7 LSAs into Type-5 LSAs. After an OSPF area is configured as a Stub area, the ABR in the area automatically advertises a default route into the attached NSSA area.
  • Page 350: Ospf Authentication-Mode

    To run OSPF, a router must have a router ID specified. If no router ID is specified, the system will automatically select one of the router interface IP addresses as the router ID. If a router runs multiple OSPF processes, it is recommended that you specify a router ID for each process by using the ospf command.
  • Page 351: Ospf Cost

    Description Use the ospf authentication-mode command to configure the authentication mode and key between adjacent routers. Use the undo ospf authentication-mode command to cancel the authentication key that has been set. By default, the interface does not authenticate the OSPF packets. The passwords for authentication keys of the routers on the same network segment must be identical.
  • Page 352: Ospf Dr-Priority

    Examples # Specify the OSPF cost on the interface as 33. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] ospf cost 33 ospf dr-priority Syntax ospf dr-priority priority undo ospf dr-priority View Interface view Parameters priority: Designated router (DR) election priority of the interface, in the range of 0 to 255.
  • Page 353: Ospf Mtu-Enable

    Parameters process-id: OSPF process ID, in the range of 1 to 65535. Description Use the ospf mib-binding command to bind MIB operations to the specified OSPF process. Use the undo ospf mib-binding command to restore the default. By default, MIB operations are bound to the first enabled OSPF process. When OSPF enables the first process, OSPF always binds MIB operation to this process.
  • Page 354: Ospf Network-Type

    Examples # Add the MTU of the interface VLAN-interface 3 to the MTU field in DD packets. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 3 [Sysname-Vlan-interface3] ospf mtu-enable ospf network-type Syntax ospf network-type { broadcast | nbma | p2mp [ unicast ] | p2p } undo ospf network-type View Interface view...
  • Page 355: Ospf Timer Dead

    For a P2MP interface, If the unicast keyword is not specified, the interface sends packets to multicast addresses. If the unicast keyword is specified, the interface sends packets to unicast addresses. In this case, you must use the peer command to specify the neighbor. Note that you must use the peer command to configure the peer if the network type of the interface is NBMA or manually changed to NBMA with the ospf network-type command.
  • Page 356: Ospf Timer Hello

    ospf timer hello Syntax ospf timer hello seconds undo ospf timer hello View Interface view Parameters seconds: Interval, in seconds, at which an interface transmits hello packet. It ranges from 1 to 255. Description Use the ospf timer hello command to configure the interval for transmitting Hello messages on an interface.
  • Page 357: Ospf Timer Retransmit

    Description Use the ospf timer poll command to configure the poll interval at which the interface sends hello packets to the neighbor in the Down state. Use the undo ospf timer poll command to restore the default. By default, the poll interval is 40 seconds. On an NBMA network, if a neighbor becomes invalid, Hello packets will be transmitted at intervals of poll seconds.
  • Page 358: Ospf Trans-Delay

    System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] ospf timer retransmit 12 ospf trans-delay Syntax ospf trans-delay seconds undo ospf trans-delay View Interface view Parameters seconds: LSA transmission delay in seconds on an interface. It ranges from 1 to 3600. Description Use the ospf trans-delay command to configure the LSA transmission delay on an interface.
  • Page 359: Preference

    Description Use the peer command to specify a neighbor and its DR priority on an NBMA network. Use the undo peer command to remove this configuration. On an NBMA network, you can configure mappings to make the network fully meshed (any two routers have a direct link in between), so OSPF can handle DR/BDR election as it does on a broadcast network.
  • Page 360: Reset Ospf

    reset ospf Syntax reset ospf { all | process-id } View User view Parameters all: Resets all OSPF processes. process-id: OSPF process ID, in the range of 1 to 65535. Description Use the reset ospf command to reset OSPF process(es). After you use this command to reset an OSPF process: Invalid LSA is cleared immediately before LSA times out.
  • Page 361: Silent-Interface

    router id Syntax router id router-id undo router id View System view Parameters router-id: Router ID, in dotted decimal notation. Description Use the router id command to configure the ID of a router running the OSPF protocol. Use the undo router id command to cancel the router ID that has been set. If the router-id command is not used, a router ID is set following these rules: If loopback interfaces configured with IP addresses exist, the greatest loopback interface IP address will be used as the router ID.
  • Page 362: Snmp-Agent Trap Enable Ospf

    View OSPF view Parameters silent-interface-type: Interface type. silent-interface-number: Interface number. Description Use the silent-interface command to disable an interface from transmitting OSPF packets. Use the undo silent-interface command to restore the default. By default, the interface is enabled to transmit OSPF packets. To prevent routers on a network from receiving the OSPF routing information, you can use this command to disable this interface from transmitting OSPF packets.
  • Page 363: Spf-Schedule-Interval

    Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes. ifstatechange, virifstatechange, nbrstatechange, virnbrstatechange, ifcfgerror, virifcfgerror, ifauthfail, virifauthfail, ifrxbadpkt, virifrxbadpkt, iftxretransmit, viriftxretransmit, originatelsa, maxagelsa, lsdboverflow, lsdbapproachoverflow: Types of TRAP packets that the switch produces in case of OSPF anomalies.
  • Page 364: Stub

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ospf 1 [Sysname-ospf-1] spf-schedule-interval 6 stub Syntax stub [ no-summary ] undo stub View OSPF area view Parameters no-summary: Disables an ABR from transmitting Type-3 LSAs to a Stub area. Description Use the stub command to configure the type of an OSPF area as "Stub".
  • Page 365: Vlink-Peer

    vlink-peer Syntax vlink-peer router-id [ hello seconds | retransmit seconds | trans-delay seconds | dead seconds | simple password | md5 keyid key ] * undo vlink-peer router-id View OSPF area view Parameters router-id: Router ID of the virtual link peer. hello seconds: Specifies the interval, in seconds, at which the router transmits hello packets.
  • Page 366 Note that, virtual link authentication adopts the MD5 cipher text or simple text authentication mode set with the authentication-mode command for Area 0. Therefore, you need to specify the authentication mode for Area 0 on both ABRs interconnected by the virtual link. Related commands: authentication-mode, display ospf.
  • Page 367: Ip Routing Policy Configuration Commands

    IP Routing Policy Configuration Commands The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. IP Routing Policy Configuration Commands apply cost Syntax apply cost value undo apply cost View Route policy view Parameters...
  • Page 368: Apply Tag

    apply tag Syntax apply tag value undo apply tag View Route policy view Parameters value: Tag value of a route, in the range of 0 to 4294967295. Description Use the apply tag command to configure a tag for a route. Use the undo apply tag command to remove the configuration.
  • Page 369: Display Route-Policy

    Examples # Display the information about the address prefix list named p1. <Sysname> display ip ip-prefix p1 name index conditions ip-prefix / mask permit 10.1.0.0/16 Table 5-1 Description on the fields of the display ip ip-prefix command Field Description name Name of an IP-prefix index Internal sequence number of an IP-prefix...
  • Page 370: If-Match { Acl | Ip-Prefix

    Table 5-2 Description on the fields of the display route-policy command Field Description Route-policy Name of a routing policy Information about the routing policy with the matching mode configured as permit and the node as 10. Permit 10 if-match (ip-prefix) p1 Matching conditions Apply the cost 100 to the routes satisfying the apply cost 100...
  • Page 371: If-Match Interface

    View Route policy view Parameters value: Route cost, in the range of 0 to 4294967295. Description Use the if-match cost command to configure a cost matching rule for routing information. Use the undo if-match cost command to remove the configuration. By default, no cost matching rule is defined.
  • Page 372: If-Match Ip Next-Hop

    System View: return to User View with Ctrl+Z. [Sysname] route-policy policy permit node 1 %New sequence of this list [Sysname-route-policy] if-match interface Vlan-interface 1 if-match ip next-hop Syntax if-match ip next-hop { acl acl-number | ip-prefix ip-prefix-name } undo if-match ip next-hop [ ip-prefix ] View Route policy view Parameters...
  • Page 373: Ip Ip-Prefix

    Parameters value: Tag value, in the range of 0 to 4294967295. Description Use the if-match tag command to configure the tag matching rule for routing information. Use the undo if-match tag command to remove the matching rule. By default, no tag matching rule for routing information is defined. Related commands: if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, route-policy, apply cost, apply tag.
  • Page 374: Route-Policy

    to", and the meaning of less-equal is "less than or equal to". The range is len <= greater-equal <= less-equal <= 32. When only greater-equal is used, it denotes the prefix range [greater-equal, 32]. When only less-equal is used, it denotes the prefix range [len, less-equal]. When both greater-equal and less-equal are specified, the prefix range is [greater-equal, less-equal].
  • Page 375 node: Specifies a node index in a routing policy. node-number: Index of the node in a routing policy, in the range 0 to 2047. When this routing policy is used, the node with smaller node-number will be matched first. Description Use the route-policy command to create a routing policy or enter the Route-policy view.
  • Page 376: Route Capacity Configuration Commands

    Route Capacity Configuration Commands The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. Route Capacity Configuration Commands display memory Syntax display memory [ unit unit-id ] Mode Any view Parameters unit-id: Unit ID.
  • Page 377: Display Memory Limit

    Table 6-1 Description on the fields of the display memory command Field Description Unit Specifies a Unit ID System Available Memory(bytes) Free memory size, in bytes, of the switch System Used Memory(bytes) Occupied memory size, in bytes, of the switch Used Rate Memory occupation rate display memory limit...
  • Page 378: Memory

    Field Description system memory limit Lower limit of the switch memory. Automatic connection is enabled (If automatic auto-establish enabled connection is disabled, auto-establish disabled is displayed). Free Memory Size of the current free memory in bytes The times of disconnect: Number of disconnections of the routing protocol The times of reconnect Number of reconnections of the routing protocol...
  • Page 379: Memory Auto-Establish Disable

    When you configure the memory command, the safety-value argument in the command must be greater than the limit-value argument; otherwise, the configuration will fail. Examples # Set the lower limit of the switch free memory to 1 MB and the safety value to 3 MB. <Sysname>...
  • Page 380: Memory Auto-Establish Enable

    memory auto-establish enable Syntax memory auto-establish enable View System view Parameters None Description Use the memory auto-establish enable command to enable automatic connections of routing protocols when the free memory of the switch recovers to the specified value. Use the memory auto-establish disable command to disable this function. By default, when the free memory of the switch recovers to a safety value, connections of all the routing protocols will always recover (when the free memory of the switch decreases to a lower limit, the connection will be disconnected forcibly).
  • Page 381 Table of Contents 1 Common Multicast Configuration Commands: display mac-address multicast static, display mpm forwarding-table, display mpm group, display multicast forwarding-table, display multicast routing-table, display multicast-source-deny, mac-address multicast interface, mac-address multicast vlan, mtracert, multicast route-limit...
  • Page 382 crp-policy, display pim bsr-info, display pim interface, display pim neighbor, display pim routing-table, display pim rp-info, pim, pim bsr-boundary, pim dm, pim neighbor-limit, pim neighbor-policy, pim sm, pim timer hello, prune delay, register-policy, reset pim neighbor, reset pim routing-table...
  • Page 383 5 IGMP Snooping Configuration Commands: display igmp-snooping configuration, display igmp-snooping group, display igmp-snooping statistics, igmp-snooping, igmp-snooping fast-leave, igmp-snooping general-query source-ip, igmp-snooping group-limit, igmp-snooping group-policy, igmp-snooping host-aging-time, igmp-snooping max-response-time, igmp-snooping nonflooding-enable, igmp-snooping querier, igmp-snooping query-interval...
  • Page 384: Common Multicast Configuration Commands

    Common Multicast Configuration Commands Common Multicast Configuration Commands display mac-address multicast static Syntax display mac-address multicast static [ [ mac-address ] vlan vlan-id ] [ count ] View Any view Parameters mac-address: Displays the static multicast MAC entry information for the specified MAC address. Without this argument provided, this command displays the information of all static multicast MAC entries in the specified VLAN.
  • Page 385: Display Mpm Forwarding-Table

    Field Description State of the MAC address, which includes only STATE Config static, indicating that the table entry is manually added. Ports out which the multicast packets destined PORT INDEX for the multicast MAC address are forwarded State of the aging timer. The aging timer for static multicast MAC addresses has only one AGING TIME(s) state: NOAGED, indicating that the entry never...
  • Page 386: Display Mpm Group

    Table 1-2 display mpm forwarding-table command output description Field Description Total 1 entry(entries) Total number of the entries 00001 Entry number (120.0.0.2, 225.0.0.2) Source address-group address pair The incoming VLAN interface is VLAN-interface iif Vlan-interface1200 1200. 1 oif(s): One outgoing VLAN interface is listed. The first outgoing VLAN-interface is Vlan-interface32 VLAN-interface 32, with one outgoing port under...
  • Page 387: Display Multicast Forwarding-Table

    Ethernet1/0/24 IP group(s):the following ip group(s) match to one mac group. IP group address:224.1.1.1 Static host port(s): Dynamic host port(s): Ethernet1/0/22 MAC group(s): MAC group address:0100-5e01-0101 Host port(s):Ethernet1/0/22 Table 1-3 display mpm group command output description Field Description Total 1 IP Group(s) Total number of IP multicast groups Total 1 MAC Group(s) Total number of MAC multicast groups...
  • Page 388 mask: Mask of the specified multicast group address or multicast source address, 255.255.255.255 by default. mask-length: Mask length of the specified multicast group address or multicast source address. For a multicast group address, this argument is in the range of 4 to 32; for a multicast source address, this argument is in the range of 0 to 32.
  • Page 389: Display Multicast Routing-Table

    Table 1-4 display multicast forwarding-table command output description Field Description Multicast Forwarding Cache Table Multicast forwarding table Total 1 entries Total number of matched forwarding entries 00001 Serial number of the entry Multicast source and group addresses of the (10.0.0.4, 225.1.1.1) entry The incoming interface of the multicast forwarding table is VLAN-interface 2, and the...
  • Page 390 The multicast routing table is the basis of multicast data delivery. You can view the multicast routing table entries to determine whether (S, G) entries have been created with correct outgoing and incoming interfaces. Related commands: reset multicast routing-table, display multicast forwarding-table. Examples # Display the multicast routing table information.
  • Page 391: Display Multicast-Source-Deny

    display multicast-source-deny Syntax display multicast-source-deny [ interface interface-type [ interface-number ] ] View Any view Parameters interface-type: Port type. interface-number: Port number. Description Use the display multicast-source-deny command to display the multicast source port suppression status. With neither a port type nor a port number specified, the command displays the multicast source port suppression status of all the ports on the switch.
  • Page 392: Mac-Address Multicast Vlan

    interface-type interface-number2, where interface-number2 must be greater than interface-number1). The total number of individual ports plus port ranges cannot exceed 10. For port types and port numbers, refer to the parameter description in the “Port Basic Configuration” part in this manual. vlan vlan-id: Specifies the VLAN to which the forwarding ports belong.
  • Page 393: Mtracert

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] mac-address multicast 0100-1000-1000 vlan 1 mtracert Syntax mtracert source-address [ group-address | last-hop-router-address group-address ] View Any view Parameters source-address: Specifies a multicast source. group-address: Specifies a multicast group. last-hop-router-address: Specifies the last-hop router, which is the local device by default.
  • Page 394: Multicast Route-Limit

    -3 192.168.3.1 Incoming Interface Address: 192.168.4.2 Previous-Hop Router Address: 0.0.0.0 Input packet count on incoming interface: 0 Output packet count on outgoing interface: 0 Total number of packets for this source-group pair: 0 Protocol: PIM Forwarding TTL: 0 Forwarding Code: No error Table 1-6 mtracert command output description Field Description...
  • Page 395: Multicast Routing-Enable

    Description Use the multicast route-limit command to configure the maximum number of entries the multicast routing table can hold. The switch will drop the protocol and data packets for new (S, G) entries after the limit is reached. Use the undo multicast route-limit command to restore the default. The maximum number of entries the multicast routing table can hold is 256 by default.
  • Page 396: Multicast Storing-Enable

    multicast storing-enable Syntax multicast storing-enable undo multicast storing-enable View System view Parameters None Description Use the multicast storing-enable command to enable the multicast packet buffering feature. Use the undo multicast storing-enable command to disable the multicast packet buffering feature. With the multicast packet buffering feature enabled, multicast packets delivered to the CPU are buffered while the corresponding multicast forwarding entries are being created and forwarded out according to the multicast forwarding entries after entry creation.
  • Page 397: Multicast-Source-Deny

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] multicast storing-packet 50 multicast-source-deny Syntax multicast-source-deny [ interface interface-list ] undo multicast-source-deny [ interface interface-list ] View System view, Ethernet port view Parameters interface interface-list: Enables the multicast source port suppression feature on the specified port or ports.
  • Page 398: Reset Multicast Forwarding-Table

    [Sysname-Ethernet1/0/13] multicast-source-deny reset multicast forwarding-table Syntax reset multicast forwarding-table [ statistics ] { all | { group-address [ mask { mask | mask-length } ] | source-address [ mask { mask | mask-length } ] | incoming-interface interface-type interface-number } View User view Parameters...
  • Page 399: Reset Multicast Routing-Table

    reset multicast routing-table Syntax reset multicast routing-table { all | { group-address [ mask { mask | mask-length } ] | source-address [ mask { mask | mask-length } ] | incoming-interface interface-type interface-number } * } View User view Parameters all: Clears all routing entries from the multicast routing table.
  • Page 400 Description Use the unknown-multicast drop enable command to enable the function of dropping unknown multicast packets. Use the undo unknown-multicast drop enable command to disable the function of dropping unknown multicast packets. By default, the function of dropping unknown multicast packets is disabled. Examples Enable the unknown multicast drop feature.
  • Page 401: Igmp Configuration Commands

    IGMP Configuration Commands IGMP Configuration Commands display igmp group Syntax display igmp group [ group-address | interface interface-type interface-number ] View Any view Parameters group-address: Multicast group address. With this argument provided, this command displays the information of the specified IGMP multicast group. interface interface-type interface-number: Specifies an interface by its type and number.
  • Page 402: Display Igmp Interface

    Table 2-1 display igmp group command output description
    Field | Description
    Group address | Multicast group address
    Last Reporter | The last host that reported a membership for this group
    Uptime | Time elapsed since multicast group was first reported (hh: mm: ss).
    Expires | Remaining lifetime of the multicast group (hh: mm: ss).
  • Page 403: Igmp Enable

    Table 2-2 display igmp interface command output description
    Field | Description
    Vlan-interface1 (10.153.17.99): | Interface name (IP address)
    IGMP is enabled | IGMP is currently enabled on the interface. If IGMP is not enabled, no output information is displayed.
    Current IGMP version is 2 | IGMP version 2 (default) is running on the current interface.
  • Page 404: Igmp Group-Limit

    Description Use the igmp enable command to enable IGMP on an interface. Use the undo igmp enable command to disable IGMP on an interface. By default, IGMP is disabled on an interface. These commands do not take effect until the multicast routing feature is enabled. You need to use this command before you can configure other IGMP features.
  • Page 405: Igmp Group-Policy

    After the maximum number of multicast groups is reached, the interface will not join any new multicast group. If you configure the maximum number of multicast groups allowed on the interface to 1, a new group registered on the interface supersedes the existing one automatically. If the number of existing multicast groups is larger than the configured limit on the number of joined multicast groups on the interface, the system will remove the oldest entries automatically until the number of multicast groups on the interface comes down to the configured limit.
  • Page 406: Igmp Group-Policy Vlan

    Description Use the igmp group-policy command to configure a multicast group filter on the current interface to control the access to the multicast groups in the defined group range. Use the undo igmp group-policy command to remove the multicast group filter configured. By default, no filter is configured;...
  • Page 407: Igmp Host-Join Port

    Description Use the igmp group-policy vlan command to configure a multicast group filter on the current port to control the access to the multicast groups in the defined group range. Use the undo igmp group-policy vlan command to remove the configured multicast group filter. By default, no filter is configured;...
  • Page 408: Igmp Host-Join Vlan

    In LoopBack interface view, this command does not support the port interface-list option. Description Use the igmp host-join port command to configure one or more ports under the current VLAN interface as specified multicast group member(s), namely configure the port(s) as simulated member host(s) for a specified multicast group.
  • Page 409: Igmp Lastmember-Queryinterval

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] port access vlan 10 [Sysname-Ethernet1/0/1] igmp host-join 225.0.0.1 vlan 10 igmp lastmember-queryinterval Syntax igmp lastmember-queryinterval seconds undo igmp lastmember-queryinterval View Interface view Parameters seconds: Interval in seconds for the IGMP querier to send IGMP group-specific query messages upon receiving an IGMP leave message, in the range of 1 to 5.
  • Page 410: Igmp Proxy

    View Interface view Parameters seconds: Maximum response time in seconds in the IGMP general query messages, ranging from 1 to Description Use the igmp max-response-time command to configure the maximum response time carried in the IGMP general query messages. Use the undo igmp max-response-time command to restore the default. The maximum response time is 10 seconds by default.
  • Page 411: Igmp Robust-Count

    Related commands: pim neighbor-policy. Examples # Configure VLAN-interface 1 as the IGMP proxy interface for VLAN-interface 2 on the Layer 3 switch. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] multicast routing-enable [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] pim dm [Sysname-Vlan-interface1] igmp enable [Sysname-Vlan-interface1] igmp proxy vlan-interface 2 igmp robust-count...
  • Page 412: Igmp Timer Query

    View Interface view Parameters seconds: Other querier present interval in seconds, in the range of 1 to 131,070. Description Use the igmp timer other-querier-present command to configure the other querier present interval, namely the length of time a non-querier waits before it assumes that the current IGMP querier is down. Use the undo igmp timer other-querier-present command to restore the default value.
  • Page 413: Igmp Version

    A multicast router periodically sends IGMP general query messages onto the attached subnets to determine whether multicast group members are present on the subnets. The IGMP query interval can be tuned according to the practical conditions of the network. Related commands: igmp timer other-querier-present. Examples # Set the IGMP query interval to 150 seconds on VLAN-interface 2.
  • Page 414 View User view Parameters all: The first all refers to all interfaces, while the second all refers to all IGMP multicast groups. interface interface-type interface-number: Specifies an interface by its type and number. With an interface specified, the command clears the IGMP multicast group information on the specified interface.
  • Page 415: Pim Configuration Commands

    PIM Configuration Commands PIM Configuration Commands bsr-policy Syntax bsr-policy acl-number undo bsr-policy View PIM view Parameters acl-number: ACL number to be used in the BSR filtering policy, in the range of 2000 to 2999. Description Use the bsr-policy command to limit the range of legal BSRs to prevent BSR spoofing. Use the undo bsr-policy command to restore the default.
  • Page 416: C-Bsr

    c-bsr Syntax c-bsr interface-type interface-number hash-mask-len [ priority ] undo c-bsr View PIM view Parameters interface-type interface-number: Specifies an interface that will be configured as a C-BSR. This configuration takes effect only after PIM-SM is enabled on the interface. hash-mask-len: Length of the hash mask used for RP calculation. The effective range is 0 to 32. priority: C-BSR priority.
  • Page 417: Crp-Policy

    group-policy: Defines a group range to be served by the specified interface after it becomes the RP. acl-number: Basic ACL number, in the range of 2,000 to 2,999. Used together with the group-policy keyword, this argument defines the group range mentioned above. priority priority-value: C-RP priority, in the range of 0 to 255, 0 by default.
  • Page 418: Display Pim Bsr-Info

    By default, there is no limit on the C-RP address range or the multicast address range that a C-RP serves, that is, all the C-RP-Adv messages are considered valid. Examples # Configure a C-RP policy on the BSR so that only multicast devices on subnet 1.1.1.1/32 can become C-RPs, serving only the multicast groups in the range of 225.1.0.0/16.
  • Page 419: Display Pim Interface

    Field Description Local host is BSR The local device serves as the BSR. display pim interface Syntax display pim interface [ interface-type interface-number ] View Any view Parameters interface-type interface-number: Specifies an interface by its type and number. Description Use the display pim interface command to display the PIM configuration information. With an interface specified, the command displays the PIM configuration information on the specified interface;...
  • Page 420: Display Pim Neighbor

    Field | Description
    PIM neighbor policy | Filtering policy of the PIM neighbors on the current interface
    Total 1 PIM neighbor on interface | Totally, one PIM neighbor is present on this VLAN interface.
    PIM DR | Designated router
    display pim neighbor Syntax display pim neighbor [ interface interface-type interface-number ] View Any view Parameters...
  • Page 421: Display Pim Routing-Table

    display pim routing-table Syntax display pim routing-table [ { { *g [ group-address [ mask { mask-length | mask } ] ] | **rp [ rp-address [ mask { mask-length | mask } ] ] } | { group-address [ mask { mask-length | mask } ] | source-address [ mask { mask-length | mask } ] } * } | incoming-interface interface-type interface-number | { dense-mode | sparse-mode } ] * View...
  • Page 422: Display Pim Rp-Info

    (196.0.0.3, 228.0.0.0) Protocol 0x20: PIMSM, Flag 0x4: SPT Uptime: 00:10:49, Timeout in 196 sec Upstream interface: Vlan-interface196, RPF neighbor: NULL Downstream interface list: Vlan-interface401, Protocol 0x100: SPT, timeout in 197 sec Matched 1 (S,G) entry, 1 (*,G) entry, 0 (*,*,RP) entry Table 3-4 display pim routing-table command output description Field Description...
  • Page 423: Pim

    View Any view Parameters group-address: Multicast group address. With this argument provided, the command displays the RP information about the specified multicast group; otherwise, the command displays the RP information about all multicast groups. Description Use the display pim rp-info command to display the RP information of the multicast group. The output of this command also includes BSR and static RP information.
  • Page 424: Pim Bsr-Boundary

    View System view Parameters None Description Use the pim command to enter PIM view so that you can configure PIM parameters globally. Note that this command is not used to enable PIM. Use the undo pim command to clear PIM configurations made in PIM view. Examples # Enter PIM view.
  • Page 425: Pim Dm

    System View: return to User View with Ctrl+Z. [Sysname] multicast routing-enable [Sysname] pim [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] pim bsr-boundary pim dm Syntax pim dm undo pim dm View Interface view Parameters None Description Use the pim dm command to enable PIM-DM. Use the undo pim dm command to disable PIM-DM.
  • Page 426: Pim Neighbor-Policy

    Description Use the pim neighbor-limit command to configure the upper threshold of the number of PIM neighbors on the current interface. The switch will add no more neighbors for the interface when the limit is reached. Use the undo pim neighbor-limit command to restore the default. By default, a switch can have a maximum of 128 PIM neighbors on an interface.
  • Page 427: Pim Timer Hello

    [Sysname-acl-basic-2000] rule deny source any [Sysname-acl-basic-2000] quit [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] pim neighbor-policy 2000 pim sm Syntax pim sm undo pim sm View Interface view Parameters None Description Use the pim sm command to enable PIM-SM on the current interface. Use the undo pim sm command to disable PIM-SM on the current interface.
  • Page 428: Prune Delay

    Description Use the pim timer hello command to configure the PIM Hello interval on the current interface. Use the undo pim timer hello command to restore the default. By default, an interface sends Hello messages at the interval of 30 seconds. After PIM-SM is enabled on an interface, the switch periodically sends Hello messages to all the PIM-capable devices to discover PIM neighbors.
  • Page 429: Register-Policy

    Examples # Set the PIM prune delay interval to 75 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] pim [Sysname-pim] prune delay 75 register-policy Syntax register-policy acl-number undo register-policy View PIM view Parameters acl-number: Number of IP advanced ACL that defines the rule for filtering the source and group addresses.
  • Page 430: Reset Pim Routing-Table

    Parameters all: Clears all PIM neighbors. neighbor-address: Neighbor address. interface interface-type interface-number: Specifies an interface by its type and number. With an interface specified, the command clears PIM neighbors of the specified interface only. Description Use the reset pim neighbor command to clear the specified PIM neighbor, PIM neighbors on the specified VLAN interface, or all PIM neighbors.
  • Page 431: Spt-Switch-Threshold

    In this command, if the group-address is a group address, and source-address is 0 (where group address can have a mask and source address has no mask), then only the (*, G) entry will be cleared. This command shall clear not only multicast route entries from PIM routing table, but also the corresponding route entries and forward entries in the multicast core routing table and MFC.
  • Page 432: Source-Lifetime

    If you do not include the order order-value option in your command, the ACL will be appended to the end of the group-policy list. If you use this command multiple times on the same multicast group, the first matched traffic rate configuration in sequence will take effect.
  • Page 433: Source-Policy

    The configured multicast source lifetime applies to all (S, G) entries in the PIM routing table and the multicast routing table rather than on a specific (S, G) entry, and the configuration changes the aging time of all the existing (S, G) entries. Examples # Set the multicast source lifetime to 3000 seconds.
  • Page 434 [Sysname] pim [Sysname-pim] source-policy 2000 [Sysname-pim] quit [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule deny source 10.10.1.1 0 [Sysname-acl-basic-2000] rule permit source any static-rp Syntax static-rp rp-address [ acl-number ] undo static-rp View PIM view Parameters rp-address: Static RP address. It must be a legal unicast IP address. acl-number: Specifies a basic ACL, used to control the range of multicast groups to be served by the static RP.
  • Page 435: Msdp Configuration Commands

    MSDP Configuration Commands MSDP Configuration Commands cache-sa-enable Syntax cache-sa-enable undo cache-sa-enable View MSDP view Parameters None Description Use the cache-sa-enable command to enable the SA message caching mechanism. Use the undo cache-sa-enable command to disable the SA message caching mechanism. By default, the SA message caching mechanism is enabled.
  • Page 436: Display Msdp Peer-Status

    Description Use the display msdp brief command to display the brief information of the MSDP peer state. Examples # Display the brief information of the MSDP peer state. <Sysname> display msdp brief MSDP Peer Brief Information Peer's Address State Up/Down time SA Count Reset Count 20.20.20.20...
  • Page 437 Examples # Display the detailed information of MSDP peer 10.110.11.11. <Sysname> display msdp peer-status 10.110.11.11 MSDP Peer 20.20.20.20, AS 100 Description: Information about connection status: State: Up Up/down time: 14:41:08 Resets: 0 Connection interface: LoopBack0 (20.20.20.30) Number of sent/received messages: 867/947 Number of discarded output messages: 0 Elapsed time since last connection or counters clear: 14:42:40 Information about (Source, Group)-based SA filtering policy:...
  • Page 438: Display Msdp Sa-Cache

    Field | Description
    Connection interface | Interface and its IP address used for setting up a TCP connection with the remote MSDP peer
    Number of sent/received messages | Number of SA messages sent and received through this connection
    Number of discarded output messages | Number of discarded outgoing messages
    Elapsed time since last connection or counters | Time passed since the information of the MSDP...
  • Page 439 Parameters group-address: Multicast group address. With this argument provided, the command displays the (S, G) entries for the specified multicast group. source-address: Multicast source address. With this argument provided, the command displays the (S, G) entries for the specified multicast source. as-number: AS number, in the range of 1 to 65535.
  • Page 440: Display Msdp Sa-Count

    Field | Description
    Uptime | Length of time for which the cached (S, G) entry has been existing
    Expires | Length of time in which the cached (S, G) entry will expire
    display msdp sa-count Syntax display msdp sa-count [ as-number ] View Any view Parameters as-number: AS number, in the range of 1 to 65535.
  • Page 441: Import-Source

    Field Description AS number. “?” indicates that the system was unable to obtain the AS number. Number of source Number of multicast sources from this AS Number of group Number of multicast groups from this AS import-source Syntax import-source [ acl acl-number ] undo import-source View MSDP view...
  • Page 442: Msdp-Tracert

    undo msdp View System view Parameters None Description Use the msdp command to enable MSDP and enter MSDP view. Use the undo msdp command to clear all configurations in MSDP view, release resources occupied by MSDP, and restore the initial state. Related commands: peer.
  • Page 443 Description Use the msdp-tracert command to trace the path along which an SA message travels, so as to locate message loss and minimize configuration errors. After determining the path of the SA message, you can prevent SA flooding through correct configuration. Examples # Specify the maximum number of hops to be traced and collect the detailed SA and MSDP peer information.
  • Page 444
    Field | Description
    Return Code: Reached-max-hops | Maximum number of hops is reached. Another possible value is: Hit-src-RP: The switch of this hop is the source RP in the (S, G, RP) entry.
    Next-Hop Router Address: 0.0.0.0 | If you use the next-hop-info keyword, the address of Peer-RPF neighbor is displayed.
  • Page 445: Peer Connect-Interface

    peer connect-interface Syntax peer peer-address connect-interface interface-type interface-number undo peer peer-address View MSDP view Parameters peer-address: Specifies an MSDP peer by its IP address. interface-type interface-number: Specifies an interface by its type and number. The switch will use the primary address of this interface as the source IP to establish a TCP connection with the remote MSDP peer.
  • Page 446: Peer Mesh-Group

    Description Use the peer description command to configure the descriptive text for an MSDP peer so that the administrator can easily distinguish MSDP peers. Use the undo peer description command to remove the configured descriptive text. By default, no descriptive text is configured for any MSDP peer. Related commands: display msdp peer-status.
  • Page 447: Peer Request-Sa-Enable

    undo peer peer-address minimum-ttl View MSDP view Parameters peer-address: IP address of the MSDP peer to which the minimum TTL setting will apply. ttl-value: Minimum required TTL value, ranging from 0 to 255. Description Use the peer minimum-ttl command to configure the minimum required TTL value for a multicast packet encapsulated in an SA message to be forwarded to the specified MSDP peer.
  • Page 448: Peer Sa-Cache-Maximum

    Examples # Configure to send an SA request message to the MSDP peer 125.10.7.6. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] msdp [Sysname-msdp] peer 125.10.7.6 request-sa-enable peer sa-cache-maximum Syntax peer peer-address sa-cache-maximum sa-limit undo peer peer-address sa-cache-maximum View MSDP view Parameters...
  • Page 449: Peer Sa-Request-Policy

    View MSDP view Parameters peer-address: Specifies an MSDP peer by its IP address. import: Filters the SA messages from the specified MSDP peer. export: Filters the SA messages to be forwarded to the specified MSDP peer. acl acl-number: Specifies an advanced ACL number, ranging from 3000 to 3999. If no ACL is specified, all SA messages carrying (S, G) entries will be filtered out.
  • Page 450: Reset Msdp Peer

    Description Use the peer sa-request-policy command to filter the SA request messages from the specified MSDP peer. Use the undo peer sa-request-policy command to restore the default. By default, the switch accepts all SA request messages from any MSDP peer. If no ACL is specified, all SA requests will be ignored.
  • Page 451: Reset Msdp Sa-Cache

    reset msdp sa-cache Syntax reset msdp sa-cache [ group-address ] View User view Parameters group-address: Multicast group address; the cached (S, G) entries matching this address are to be deleted from the SA cache. If no multicast group address is specified, all cached SA entries will be cleared.
  • Page 452: Static-Rpf-Peer

    undo shutdown peer-address View MSDP view Parameters peer-address: Specifies an MSDP peer by its IP address. Description Use the shutdown command to shut down the connection with the specified MSDP peer. Use the undo shutdown command to reactivate an MSDP peering connection. By default, the connections with all MSDP peers are active.
  • Page 453: Timer Retry

    using the same rp-policy keyword are configured, when any of the peers receives an SA message, it will forward the SA message to the other peers. Use the rp-policy keyword for none of the MSDP peers. In this case, based on the configuration sequence, only the first static RPF peer whose connection state is UP is active.
  • Page 454: Igmp Snooping Configuration Commands

    IGMP Snooping Configuration Commands IGMP Snooping Configuration Commands display igmp-snooping configuration Syntax display igmp-snooping configuration View Any view Parameters None Description Use the display igmp-snooping configuration command to display IGMP Snooping configuration information. If IGMP Snooping is disabled on this switch, this command displays a message showing that IGMP Snooping is not enabled.
  • Page 455: Display Igmp-Snooping Group

    display igmp-snooping group Syntax display igmp-snooping group [ vlan vlan-id ] View Any view Parameters vlan vlan-id: Specifies the VLAN in which the multicast group information is to be displayed, where vlan-id ranges from 1 to 4094. If you do not specify a VLAN, this command displays the multicast group information of all VLANs.
  • Page 456: Display Igmp-Snooping Statistics

    Field | Description
    Total 1 MAC Group(s). | Total number of MAC multicast groups in all VLANs
    Vlan(id): | ID of the VLAN whose multicast group information is displayed
    Total 1 IP Group(s). | Total number of IP multicast groups in VLAN 100
    Total 1 MAC Group(s). | Total number of MAC multicast groups in VLAN
  • Page 457: Igmp-Snooping

    Examples # Display IGMP Snooping statistics. <Sysname> display igmp-snooping statistics Received IGMP general query packet(s) number:1. Received IGMP specific query packet(s) number:0. Received IGMP V1 report packet(s) number:0. Received IGMP V2 report packet(s) number:3. Received IGMP leave packet(s) number:0. Received error IGMP packet(s) number:0. Sent IGMP specific query packet(s) number:0.
  • Page 458: Igmp-Snooping Fast-Leave

    Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously in the same VLAN and on the corresponding VLAN interface. Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view;...
  • Page 459: Igmp-Snooping General-Query Source-Ip

    The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, the configuration takes effect on all ports in the specified VLAN(s).
  • Page 460: Igmp-Snooping Group-Limit

    By default, the Layer 2 multicast switch sends general query messages with the source IP address of 0.0.0.0. Related commands: igmp-snooping querier, igmp-snooping query-interval. Examples # Configure the switch to send general query messages with the source IP address 2.2.2.2 in VLAN 3. <Sysname>...
  • Page 461: Igmp-Snooping Group-Policy

    To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting from the oldest one.
  • Page 462 By default, no multicast group filter is configured. The ACL rule defines a multicast address or a multicast address range (for example 224.0.0.1 to 239.255.255.255) and is used to: Allow the port(s) to join only the multicast group(s) defined in the rule by a permit statement. Inhibit the port(s) from joining the multicast group(s) defined in the rule by a deny statement.
  • Page 463: Igmp-Snooping Host-Aging-Time

    [Sysname-acl-basic-2001] rule permit source any [Sysname-acl-basic-2001] quit Create VLAN 2 and add Ethernet1/0/2 to VLAN 2. [Sysname] vlan 2 [Sysname-vlan2] port Ethernet 1/0/2 [Sysname-vlan2] quit Configure ACL 2001 on Ethernet1/0/2 to allow it to join any IGMP multicast groups except those defined in the deny rule of ACL 2001.
  • Page 464: Igmp-Snooping Nonflooding-Enable

    View System view Parameters seconds: Maximum response time in IGMP general queries, in the range of 1 to 25. Description Use the igmp-snooping max-response-time command to configure the maximum response time in IGMP general queries. Use the undo igmp-snooping max-response-time command to restore the default. By default, the maximum response time in IGMP general queries is 10 seconds.
  • Page 465: Igmp-Snooping Querier

    You can configure this command only after IGMP Snooping is enabled globally. When IGMP Snooping is disabled globally, the configuration of the igmp-snooping nonflooding-enable command is also removed. If the function of dropping unknown multicast packets or the XRN fabric function is enabled, you cannot enable the IGMP Snooping non-flooding function.
  • Page 466: Igmp-Snooping Query-Interval

    Related commands: igmp-snooping enable, igmp-snooping query-interval, igmp-snooping general-query source-ip Examples # Enable the IGMP Snooping querier in VLAN 3. <Sysname> system-view System view, return to user view with Ctrl+Z. [Sysname] igmp-snooping enable [Sysname] vlan 3 [Sysname-vlan3] igmp-snooping enable [Sysname-vlan3] igmp-snooping querier igmp-snooping query-interval Syntax igmp-snooping query-interval seconds...
  • Page 467: Igmp-Snooping Router-Aging-Time

    igmp-snooping router-aging-time Syntax igmp-snooping router-aging-time seconds undo igmp-snooping router-aging-time View System view Parameters seconds: Aging time of router ports, in the range of 1 to 1,000, in seconds. Description Use the igmp-snooping router-aging-time command to configure the aging time of router ports. Use the undo igmp-snooping router-aging-time command to restore the default aging time.
  • Page 468: Igmp-Snooping Version

    Examples # Disable Ethernet 1/0/1 from becoming a router port. <Sysname> system-view System view, return to user view with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] igmp-snooping query-pkt-deny igmp-snooping version Syntax igmp-snooping version version-number undo igmp-snooping version View VLAN view Parameters version-number: IGMP Snooping version, in the range of 2 to 3 and defaulting to 2.
  • Page 469: Igmp Host-Join Port

    Parameters vlan vlan-id: VLAN ID, in the range of 1 to 4094. Description Use the igmp-snooping vlan-mapping vlan command to configure to transmit IGMP general and group-specific query messages in a specific VLAN. Use the undo igmp-snooping vlan-mapping command to restore the default. By default, the VLAN tag carried in IGMP general and group-specific query messages is not changed.
  • Page 470: Igmp Host-Join

    Unlike a static member port, a port configured as a simulated member host will age out like a dynamic member port. Related commands: igmp-snooping enable, multicast static-group interface, multicast static-group vlan Before configuring simulated joining, enable IGMP Snooping in the VLAN corresponding to the current VLAN interface.
  • Page 471: Igmp-Snooping Special-Query Source-Ip

    Use the undo igmp host-join command to remove the current port as a simulated member host for the specified multicast group or source-group. Unlike a static member port, a port configured as a simulated member host will age out like a dynamic member port.
  • Page 472: Multicast Static-Group Interface

    Description Use the igmp-snooping special-query source-ip command to configure the source address to be carried in IGMP group-specific queries. Use the undo igmp-snooping special-query source-ip command to restore the default. By default, the Layer 2 multicast switch sends group-specific query messages with the source IP address of 0.0.0.0.
  • Page 473: Multicast Static-Group Vlan

    The ports configured with this command handle Layer 2 multicast traffic only, rather than Layer 3 multicast traffic. Examples # Configure ports Ethernet 1/0/1 to Ethernet 1/0/3 under VLAN-interface 1 as static member ports for multicast group 225.0.0.1. <Sysname> system-view System View: return to User View with Ctrl+Z.
  • Page 474: Multicast Static-Router-Port

    The port configured with this command handles Layer 2 multicast traffic only, rather than Layer 3 multicast traffic. Examples # Configure port Ethernet1/0/1 in VLAN 2 as a static member port for multicast group 225.0.0.1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] multicast static-group 225.0.0.1 vlan 2 multicast static-router-port...
  • Page 475: Reset Igmp-Snooping Statistics

    undo multicast static-router-port vlan vlan-id View Ethernet port view Parameters vlan-id: VLAN ID the port belongs to, in the range of 1 to 4094. Description Use the multicast static-router-port vlan command to configure the current port in the specified VLAN as a static router port and specify the VLAN the port belongs to.
  • Page 476: Service-Type Multicast

    Examples # Clear IGMP Snooping statistics. <Sysname> reset igmp-snooping statistics service-type multicast Syntax service-type multicast undo service-type multicast View VLAN view Parameters None Description Use the service-type multicast command to configure the current VLAN as a multicast VLAN. Use the undo service-type multicast command to remove the current VLAN as a multicast VLAN. By default, no VLAN is a multicast VLAN.
  • Page 477 [Sysname] vlan 2 [Sysname-vlan2] service-type multicast 5-24...
  • Page 478 Table of Contents 1 802.1x Configuration Commands (1-1): 802.1x Configuration Commands (1-1); display dot1x (1-1); dot1x (1-4); dot1x authentication-method (1-5); dot1x dhcp-launch (1-6); dot1x guest-vlan (1-7); dot1x handshake (1-8); dot1x handshake secure (1-9); dot1x max-user (1-10); dot1x port-control (1-11); dot1x port-method (1-12); dot1x quiet-period (1-13); dot1x retry (1-13); dot1x retry-version-max (1-14); dot1x re-authenticate (1-15)...
  • Page 479 system-guard ip enable (4-5); system-guard l3err enable (4-6); system-guard tcn enable (4-7); system-guard tcn rate-threshold (4-7)...
  • Page 480: 802.1X Configuration Commands

    802.1x Configuration Commands 802.1x Configuration Commands display dot1x Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] View Any view Parameters sessions: Displays the information about 802.1x sessions. statistics: Displays the statistics on 802.1x. interface: Displays the 802.1x-related information about a specified port. interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
  • Page 481: The Switch

    Configuration: Transmit Period 30 s, Handshake Period 15 s ReAuth Period 3600 s, ReAuth MaxTimes Quiet Period 60 s, Quiet Period Timer is disabled Supp Timeout 30 s, Server Timeout 100 s Interval between version requests is 30s Maximal request times for version information is 3 The maximal retransmitting times EAD Quick Deploy configuration: Url: http://192.168.19.23...
  • Page 482 DHCP-triggered. 802.1x authentication is DHCP-launch is disabled disabled. The online user handshaking function is Handshake is enabled enabled. Whether or not to send Trap packets when detecting a supplicant system logs in through a proxy. Disable means the switch does not send Trap Proxy trap checker is disabled packets when it detects that a supplicant system logs in through a proxy.
  • Page 483: Dot1X

    Whether or not to send Trap packets when detecting a supplicant system logging in through a proxy. Disable means the switch does not send Trap Proxy trap checker is disabled packets when it detects that a supplicant system logs in through a proxy. Enable means the switch sends Trap packets when it detects that a supplicant system logs in through a proxy.
  • Page 484: Dot1X Authentication-Method

    Description Use the dot1x command to enable 802.1x globally or for specified Ethernet ports. Use the undo dot1x command to disable 802.1x globally or for specified Ethernet ports. By default, 802.1x is disabled globally and also on all ports. In system view: If you do not provide the interface-list argument, the dot1x command enables 802.1x globally.
  • Page 485: Dot1X Dhcp-Launch

    Parameters chap: Authenticates using challenge handshake authentication protocol (CHAP). pap: Authenticates using password authentication protocol (PAP). eap: Authenticates using extensible authentication protocol (EAP). Description Use the dot1x authentication-method command to set the 802.1x authentication method. Use the undo dot1x authentication-method command to revert to the default 802.1x authentication method.
  • Page 486: Dot1X Guest-Vlan

    Description Use the dot1x dhcp-launch command to specify an 802.1x-enabled switch to launch the process to authenticate a supplicant system when the supplicant system applies for a dynamic IP address through DHCP. Use the undo dot1x dhcp-launch command to disable an 802.1x-enabled switch from authenticating a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.
  • Page 487: Dot1X Handshake

    If you specify the interface-list argument, these two commands apply to the specified ports. In Ethernet port view, the interface-list argument is not available and these two commands apply to only the current Ethernet port. The guest VLAN function is available only when the switch operates in the port-based authentication mode.
  • Page 488: Dot1X Handshake Secure

    To enable the proxy detecting function, you need to enable the online user handshaking function first. With the support of H3C proprietary clients, handshaking packets can be used to test whether or not a user is online. As clients that are not of H3C do not support the online user handshaking function, switches cannot receive handshaking acknowledgement packets from them in handshaking periods.
  • Page 489: Dot1X Max-User

    Examples # Enable the handshaking packet protection function. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] dot1x handshake secure dot1x max-user Syntax dot1x max-user user-number [ interface interface-list ] undo dot1x max-user [ interface interface-list ] View System view, Ethernet port view Parameters...
  • Page 490: Dot1X Port-Control

    dot1x port-control Syntax dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ] undo dot1x port-control [ interface interface-list ] View System view, Ethernet port view Parameters auto: Specifies to operate in auto access control mode. When a port operates in this mode, all the unauthenticated hosts connected to it are unauthorized.
  • Page 491: Dot1X Port-Method

    dot1x port-method Syntax dot1x port-method { macbased | portbased } [ interface interface-list ] undo dot1x port-method [ interface interface-list ] View System view, Ethernet port view Parameters macbased: Performs MAC-based authentication. portbased: Performs port-based authentication. interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
  • Page 492: Dot1X Quiet-Period

    Use the undo dot1x quiet-period command to disable the quiet-period timer. When a user fails to pass the authentication, the authenticator system (such as a 3Com switch) will stay quiet for a period (determined by the quiet-period timer) before it performs another authentication.
  • Page 493: Dot1X Retry-Version-Max

    After a switch sends an authentication request packet to a user, it sends another authentication request packet if it does not receive response from the user after a specific period of time. If the switch still receives no response when the configured maximum number of authentication request transmission attempts is reached, it stops sending requests to the user.
  • Page 494: Dot1X Re-Authenticate

    Examples # Configure the maximum number of times that the switch sends version request packets to 6. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dot1x retry-version-max 6 dot1x re-authenticate Syntax dot1x re-authenticate [ interface interface-list ] undo dot1x re-authenticate [ interface interface-list ] View System view, Ethernet port view...
  • Page 495: Dot1X Supp-Proxy-Check

    System View: return to User View with Ctrl+Z. [Sysname] dot1x 802.1X is enabled globally. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] dot1x 802.1X is enabled on port Ethernet1/0/1 already. [Sysname-Ethernet1/0/1] dot1x re-authenticate Re-authentication is enabled on port Ethernet1/0/1 dot1x supp-proxy-check Syntax dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] View System view, Ethernet port view...
  • Page 496: Dot1X Timer

    Whether or not a user logs in through multiple network adapters (that is, when the user attempts to log in, it has more than one active network adapter). A switch can optionally take the following actions in response to any of the above three cases: Only disconnects the user but sends no Trap packets, which can be achieved by using the dot1x supp-proxy-check logoff command.
  • Page 497 undo dot1x timer { handshake-period | quiet-period | server-timeout | supp-timeout | tx-period | ver-period } View System view Parameters handshake-period handshake-period-value: Sets the handshake timer. This timer sets the handshake-period and is triggered after a supplicant system passes the authentication. It sets the interval for a switch to send handshake request packets to online users.
  • Page 498: Dot1X Timer Reauth-Period

    ver-period ver-period-value: Sets the client version request timer. This timer sets the version period and is triggered after a switch sends a version request packet. The switch sends another version request packet if it does not receive version response packets from the supplicant system when the timer expires.
  • Page 499: Dot1X Version-Check

    Examples # Set the 802.1x re-authentication interval to 150 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dot1x timer reauth-period 150 dot1x version-check Syntax dot1x version-check [ interface interface-list ] undo dot1x version-check [ interface interface-list ] View System view, Ethernet port view Parameters...
  • Page 500: Reset Dot1X Statistics

    reset dot1x statistics Syntax reset dot1x statistics [ interface interface-list ] View User view Parameters interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
  • Page 501: Quick Ead Deployment Configuration Commands

    Quick EAD Deployment Configuration Commands Quick EAD Deployment Configuration Commands dot1x free-ip Syntax dot1x free-ip ip-address { mask-address | mask-length } undo dot1x free-ip [ ip-address { mask-address | mask-length } ] View System view Parameters ip-address: Free IP address, in dotted decimal notation. mask-address: Subnet mask of the free IP address, in dotted decimal notation.
  • Page 502: Dot1X Timer Acl-Timeout

    dot1x timer acl-timeout Syntax dot1x timer acl-timeout acl-timeout-value undo dot1x timer acl-timeout View System view Parameters acl-timeout-value: ACL timeout period (in minutes), in the range of 1 to 1440. Description Use the dot1x timer acl-timeout command to configure the ACL timeout period. Use the undo dot1x timer acl-timeout command to restore the default.
  • Page 503 System View: return to User View with Ctrl+Z. [Sysname] dot1x url http://192.168.19.23...
  • Page 504: Habp Configuration Commands

    HABP Configuration Commands HABP Configuration Commands display habp Syntax display habp View Any view Parameters None Description Use the display habp command to display HABP configuration and status. Examples # Display HABP configuration and status. <Sysname> display habp Global HABP information: HABP Mode: Server Sending HABP request packets every 20 seconds Bypass VLAN: 2...
  • Page 505: Display Habp Table

    display habp table Syntax display habp table View Any view Parameters None Description Use the display habp table command to display the MAC address table maintained by HABP. Examples # Display the MAC address table maintained by HABP. <Sysname> display habp table Holdtime Receive Port 001f-3c00-0030...
  • Page 506: Habp Enable

    HABP counters : Packets output: 0, Input: 0 ID error: 0, Type error: 0, Version error: 0 Sent failed: 0 Table 3-3 Description on the fields of the display habp traffic command Field Description Packets output Number of the HABP packets sent Input Number of the HABP packets received ID error...
  • Page 507: Habp Server Vlan

    habp server vlan Syntax habp server vlan vlan-id undo habp server View System view Parameters vlan-id: VLAN ID, ranging from 1 to 4094. Description Use the habp server vlan command to configure a switch to operate as an HABP server. This command also specifies the VLAN where HABP packets are broadcast.
  • Page 508 Examples # Configure the switch to send HABP request packets once in every 50 seconds <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] habp timer 50...
  • Page 509: System Guard Configuration Commands

    System Guard Configuration Commands System Guard Configuration Commands display system-guard ip state Syntax display system-guard ip state View Any view Parameters None Description Use the display system-guard ip state command to view the monitoring result and parameter settings of System Guard against IP attacks. Examples # View the monitoring result and parameter settings of System Guard against IP attacks.
  • Page 510: Display System-Guard Ip-Record

    display system-guard ip-record Syntax display system-guard ip-record View Any view Parameters None Description Use the display system-guard ip-record command to view the information about IP packets received by the CPU in the current monitoring cycle. Examples # View the information about IP packets received by the CPU in the current monitoring cycle. <Sysname>...
  • Page 511: Display System-Guard Tcn State

    Parameters None Description Use the display system-guard l3err state command to view the status of Layer 3 error control. Examples # View the status of Layer 3 error control. <Sysname> display system-guard l3err state System-guard l3err status: enabled display system-guard tcn state Syntax display system-guard tcn state View...
  • Page 512: System-Guard Ip Detect-Threshold

    Use the undo system-guard ip detect-maxnum command to restore the maximum number of infected hosts that can be monitored to the default setting. By default, System Guard can monitor a maximum of 30 infected hosts. Examples # Set the maximum number of infected hosts that can be concurrently monitored to 50. <Sysname>...
  • Page 513: System-Guard Ip Enable

    The correlations among the arguments of the system-guard ip detect-threshold command can be clearly described with this example: If you set ip-record-threshold, record-times-threshold and isolate-time to 30, 1 and 3 respectively, when the system detects successively three times that over 50 IP packets (destined for an address other than an IP address of the switch) from a source IP address are received within a period of 10 seconds, the system considers itself to be under attack —...
  • Page 514: System-Guard L3Err Enable

    System View: return to User View with Ctrl+Z. [Sysname] system-guard ip enable system-guard l3err enable Syntax system-guard l3err enable undo system-guard l3err enable View System view Parameters None Description Use the system-guard l3err enable command to enable Layer 3 error control. Use the undo system-guard l3err enable command to disable Layer 3 error control.
  • Page 515: System-Guard Tcn Enable

    system-guard tcn enable Syntax system-guard tcn enable undo system-guard tcn enable View System view Parameters None Description Use the system-guard tcn enable command to enable System Guard against TCN attacks. Use the undo system-guard tcn enable command to disable System Guard against TCN attacks. With this feature enabled, System Guard monitors the TCN/TC packet receiving rate on the ports.
  • Page 516 Use the undo system-guard tcn rate-threshold command to restore the default threshold of TCN/TC packet receiving rate. By default, the threshold of TCN/TC packet receiving rate is 1 pps. As the system monitoring cycle is 10 seconds, the system sends trap or log information, by default, if more than 10 TCN/TC packets are received within 10 seconds.
  • Page 517 Table of Contents 1 AAA Configuration Commands (1-1): AAA Configuration Commands (1-1); access-limit (1-1); accounting (1-2); accounting optional (1-3); attribute (1-3); authentication (1-5); authentication super (1-6); authorization (1-7); authorization vlan (1-8); cut connection (1-9); display connection (1-10); display domain (1-11); display local-user (1-13); domain (1-14); domain delimiter (1-15); idle-cut (1-16); level (1-17); local-user (1-18)...
  • Page 518 nas-ip (1-41); primary accounting (1-42); primary authentication (1-43); radius client (1-44); radius nas-ip (1-44); radius scheme (1-45); radius trap (1-46); reset radius statistics (1-47); reset stop-accounting-buffer (1-48); retry (1-48); retry realtime-accounting (1-49); retry stop-accounting (1-51); secondary accounting (1-51); secondary authentication (1-52); server-type (1-53); state (1-54); stop-accounting-buffer enable (1-55); timer (1-55); timer quiet (1-56); timer realtime-accounting (1-57)...
  • Page 520: Aaa Configuration Commands

    AAA Configuration Commands The maximum length of a domain name is changed from 24 characters to 128 characters. See domain. AAA Configuration Commands access-limit Syntax access-limit { disable | enable max-user-number } undo access-limit View ISP domain view Parameters disable: Specifies not to limit the number of access users that can be contained in current ISP domain. enable max-user-number: Specifies the maximum number of access users that can be contained in current ISP domain.
  • Page 521: Accounting

    [Sysname] domain aabbcc.net New Domain added. [Sysname-isp-aabbcc.net] access-limit enable 500 accounting Syntax accounting { none | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name } undo accounting View ISP domain view Parameters none: Specifies not to perform user accounting. radius-scheme radius-scheme-name: Specifies to use a RADIUS accounting scheme. Here, radius-scheme-name is the name of a RADIUS scheme;...
  • Page 522: Accounting Optional

    [Sysname-isp-aabbcc.net] accounting radius-scheme radius accounting optional Syntax accounting optional undo accounting optional View ISP domain view Parameters None Description Use the accounting optional command to open the accounting-optional switch. Use the undo accounting optional command to close the accounting-optional switch so that the system performs accounting for users unconditionally.
  • Page 523 undo attribute { ip | mac | idle-cut | access-limit | vlan | location }* View Local user view Parameters ip ip-address: Sets the IP address of the user. mac mac-address: Sets the MAC address of the user. Here, mac-address is in H-H-H format. idle-cut second: Enables the idle-cut function for the local user and sets the allowed idle time.
  • Page 524: Authentication

    authentication Syntax authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } undo authentication View ISP domain view Parameters radius-scheme radius-scheme-name: Specifies to use a RADIUS authentication scheme. Here, radius-scheme-name is a string of up to 32 characters. hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS authentication scheme.
  • Page 525: Authentication Super

    Examples # Reference the RADIUS scheme "radius1" as the authentication scheme of the ISP domain aabbcc.net. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] domain aabbcc.net New Domain added. [Sysname-isp-aabbcc.net] authentication radius-scheme radius1 # Reference the RADIUS scheme "rd" as the authentication scheme and the local scheme as the secondary authentication scheme of the ISP domain aabbcc.
  • Page 526: Authorization

    The Switch 5500-EI adopts hierarchical protection for command lines so as to inhibit users at lower levels from using higher level commands to configure the switches. For details about configuring a HWTACACS authentication scheme for low-to-high user level switching, refer to Switching User Level in the Command Line Interface Operation.
  • Page 527: Authorization Vlan

    System View: return to User View with Ctrl+Z. [Sysname] domain aabbcc.net New Domain added. [Sysname-isp-aabbcc.net] authorization none authorization vlan Syntax authorization vlan string undo authorization vlan View Local user view Parameters string: Number or descriptor of the authorized VLAN for the current user, a string of 1 to 32 characters. If it is a numeral string and there is a VLAN with the number configured, it specifies the VLAN.
  • Page 528: Cut Connection

    cut connection Syntax cut connection { all | access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number ip-address mac-address radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name } View System view Parameters all: Cuts down all user connections. access-type { dot1x | mac-authentication }: Cuts down user connections of a specified access type.
  • Page 529: Display Connection

    display connection Syntax display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number ip-address mac-address radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name ] View Any view Parameters access-type { dot1x | mac-authentication }: Displays user connections of a specified access type.
  • Page 530: Display Domain

    <Sysname> display connection ------------------unit 1------------------------ Index=40 , Username=user1@domain1 MAC=000f-3d80-4ce5 , IP=0.0.0.0 On Unit 1: Total 1 connections matched, 1 listed. # Display information about the user connection with index 0. [Sysname] display connection ucibindex 0 Index=0 , Username=user1@system MAC=000f-3d80-4ce5 , IP=192.168.0.3 Access=8021X ,Auth=CHAP ,Port=Ether...
  • Page 531 Examples # Display configuration information about all ISP domains. <Sysname> display domain Domain = system State = Active Scheme = LOCAL Access-limit = 512 Vlan-assignment-mode = Integer Domain User Template: Idle-cut = = Enable Time = 60(min) Flow = 200(byte) Self-service URL = http://aabbcc.net Messenger Time Maxlimit = 30(min) span = 10(min) Default Domain Name: system...
  • Page 532: Display Local-User

    display local-user Syntax display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name ] View Any view Parameters...
  • Page 533: Domain

    IP address: 192.168.0.108 MAC address: 000d-88f6-44c1 Total 1 local user(s) Matched, 1 listed. ServiceType Mask Meaning: C--Terminal F--FTP L--LanAccess S--SSH T--Telnet Table 1-3 describes the fields in the above display output. Table 1-3 Description on the fields of the display local-user command Field Description State...
  • Page 534: Domain Delimiter

    default: Manually changes the default ISP domain, which is "system" by default. There is one and only one default ISP domain. disable: Disables the configured default ISP domain. enable: Enables the configured default ISP domain. Description Use the domain command to create an ISP domain and enter its view, or enter the view of an existing ISP domain, or configure the default ISP domain.
  • Page 535: Idle-Cut

    Parameters at: Specifies “@” as the delimiter between the username and the ISP domain name. dot: Specifies “.” as the delimiter between the username and the ISP domain name. Description Use the domain delimiter command to specify the delimiter form between the username and the ISP domain name.
  • Page 536 Description Use the idle-cut command to set the user idle-cut function in current ISP domain. If a user’s traffic in the specified period of time is less than the specified amount, the system will disconnect the user. By default, this function is disabled. Note that if the authentication server assigns the idle-cut settings, the assigned ones take precedence over the settings configured here.
  • Page 537: Local-User

    using RSA shared key for authentication, the commands they can access are determined by the levels set on their user interfaces. Related commands: local-user. Examples # Set the level of user1 to 3. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] local-user user1 New local user added.
  • Page 538: Local-User Password-Display-Mode

    Examples # Add a local user named user1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] local-user user1 New local user added. [Sysname-luser-user1] # Add a local user named 01234567891234567 (note that it will appear as 012345678912345~0000 in the view prompt).
  • Page 539: Messenger

    Examples # Specify to display all local user passwords in cipher text in all cases. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] local-user password-display-mode cipher-force messenger Syntax messenger time { enable limit interval | disable } undo messenger time View ISP domain view...
  • Page 540 undo name View VLAN view Parameters string: Assigned VLAN name, a string of up to 32 characters. Description Use the name command to set a VLAN name, which will be used for VLAN assignment. Use the undo name command to cancel the VLAN name. By default, a VLAN uses its VLAN ID (like VLAN 0001) as its assigned VLAN name.
  • Page 541: Radius-Scheme

    Description Use the password command to set a password for the local user. Use the undo password command to cancel the password of the local user. Note that: With the local-user password-display-mode cipher-force command configured, the password is always displayed in cipher text, regardless of the configuration of the password command. With the cipher keyword specified, a password of up to 16 characters in plain text will be encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text will be encrypted into a password of 88 characters in cipher text.
  • Page 542: Scheme

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] domain aabbcc.net New Domain added. [Sysname-isp-aabbcc.net] radius-scheme extended scheme Syntax scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] } undo scheme [ none | radius-scheme | hwtacacs-scheme ] View ISP domain view Parameters...
  • Page 543: Self-Service-Url

    Both the radius-scheme command and the scheme command can be used to specify the RADIUS scheme to be quoted for the ISP domain. Their functions are the same and the system takes the latest configuration. Related commands: radius scheme, display domain. Examples # Configure the ISP domain aabbcc.net to use RADIUS scheme radius1 as the primary AAA scheme and use the local scheme as the secondary authentication scheme.
  • Page 544: Service-Type

    A user can choose the [change user password] option on the client only after passing the authentication. If the user fails the authentication, this option is in grey and is unavailable. Examples # Under the default ISP domain "system", set the URL of the web page used to modify user password on the self-service server to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.
  • Page 545: State

    System View: return to User View with Ctrl+Z. [Sysname] local-user user1 New local user added. [Sysname-luser-user1] service-type telnet state Syntax state { active | block } View ISP domain view, local user view Parameters active: Activates the current ISP domain (in ISP domain view) or local user (in local user view), to allow users in the current ISP domain or the current local user to access the network.
  • Page 546: Vlan-Assignment-Mode

    [Sysname] local-user user1 [Sysname-user-user1] state block vlan-assignment-mode Syntax vlan-assignment-mode { integer | string } View ISP domain view Parameters integer: Sets the VLAN assignment mode to integer. string: Sets the VLAN assignment mode to string. Description Use the vlan-assignment-mode command to set the VLAN assignment mode (integer or string) on the switch.
  • Page 547 Table 1-4 Commonly used servers and their dynamic VLAN assignment modes Server Dynamic VLAN assignment mode Integer CAMS For the latest CAMS version, you can determine the assignment mode by attribute value. String You can determine the assignment mode by FreeRADIUS attribute value (for example, 100 is integer;...
  • Page 548: Radius Configuration Commands

    RADIUS Configuration Commands accounting optional Syntax accounting optional undo accounting optional View RADIUS scheme view Parameters None Description Use the accounting optional command to open the accounting-optional switch. Use the undo accounting optional command to close the accounting-optional switch so that the system performs accounting for users unconditionally.
  • Page 549: Accounting-On Enable

    accounting-on enable Syntax accounting-on enable [ send times | interval interval ] undo accounting-on { enable | send | interval } View RADIUS scheme view Parameters times: Maximum number of attempts to send an Accounting-On message, ranging from 1 to 256 and defaulting to 15.
  • Page 550: Calling-Station-Id Mode

    NAS-IP-address and session ID) contained in the message, and ends the accounting of the users based on the last accounting update message. Once the switch receives the response from the CAMS, it stops sending Accounting-On messages. If the switch does not receive any response from the CAMS after it has tried the configured maximum number of times to send the Accounting-On message, it will not send the Accounting-On message any more.
  • Page 551: Data-Flow-Format

    Parameters mode1: Sets the MAC address format to XXXX-XXXX-XXXX, where each X represents a hexadecimal number. mode2: Sets the MAC address format to XX-XX-XX-XX-XX-XX. lowercase: Uses lowercase letters in the MAC address. uppercase: Uses uppercase letters in the MAC address. Description Use the calling-station-id mode command to configure the MAC address format of the Calling-Station-Id (Type 31) field in RADIUS packets.
  • Page 552: Display Local-Server Statistics

    Note that the specified unit of data flows sent to the RADIUS server must be consistent with the traffic statistics unit of the RADIUS server. Otherwise, accounting cannot be performed correctly. Related commands: display radius scheme. Examples # Specify to measure data and packets in data flows to RADIUS servers in kilo-bytes and kilo-packets respectively in RADIUS scheme radius1.
  • Page 553 View Any view Parameters radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters. Description Use the display radius scheme command to display configuration information about one specific or all RADIUS schemes. Related commands: radius scheme. Examples # Display configuration information about all RADIUS schemes.
  • Page 554
    Index: Index number of the RADIUS scheme
    Type: Type of the RADIUS servers
    Primary Auth IP/Port: address/port number of the primary authentication server
    Primary Acct IP/Port: address/port number of the primary accounting server
    Second Auth IP/Port: IP address/port number of the secondary authentication server
    Second Acct IP/Port: IP address/port number of the secondary accounting server...
  • Page 555: Display Radius Statistics

    display radius statistics Syntax display radius statistics View Any view Parameters None Description Use the display radius statistics command to display the RADIUS message statistics. Related commands: radius scheme. Examples # Display RADIUS message statistics. <Sysname> display radius statistics state statistic(total=2072): DEAD=2072 AuthProc=0 AuthSucc=0...
  • Page 556: Display Stop-Accounting-Buffer

    PORTAL access , Num=0 , Err=0 , Succ=0
    Update ack , Num=0 , Err=0 , Succ=0
    PORTAL access ack , Num=0 , Err=0 , Succ=0
    Session ctrl pkt , Num=0 , Err=0 , Succ=0
    Set policy result , Num=0 , Err=0 , Succ=0
    RADIUS sent messages statistic:
    Auth accept...
  • Page 557: Key

    Description Use the display stop-accounting-buffer command to display the non-response stop-accounting requests buffered in the device. You can choose to display the buffered stop-accounting requests of a specified RADIUS scheme, session (by session ID), or user (by username). You can also specify a time range to display those generated within the specified time range.
  • Page 558: Local-Server

    Description Use the key command to set a shared key for RADIUS authentication/authorization messages or accounting messages. Use the undo key command to restore the corresponding default shared key setting. By default, no shared key exists. Note that: Both the RADIUS client and the server use the MD5 algorithm to encrypt RADIUS messages before exchanging the messages with each other.
  • Page 559: Local-Server Nas-Ip

    Description Use the local-server enable command to enable the UDP ports for local RADIUS services. Use the undo local-server command to disable the UDP ports for local RADIUS services. By default, the UDP ports for local RADIUS services are enabled. In addition to functioning as a RADIUS client to provide remote RADIUS authentication, authorization, and accounting services, the switch can act as a local RADIUS server to provide simple RADIUS server functions locally.
  • Page 560 The message encryption key set by the local-server nas-ip ip-address key password command must be identical to the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.
  • Page 561: Primary Accounting

    The nas-ip command in RADIUS scheme view has the same function as the radius nas-ip command in system view; and the configuration in RADIUS scheme view takes precedence over that in system view. You can set the source IP address of outgoing RADIUS messages to prevent messages returned from the RADIUS server from failing to reach their destination because of physical interface trouble.
  • Page 562: Primary Authentication

    Examples # Set the IP address and UDP port number of the primary accounting server for RADIUS scheme radius1 to 10.110.1.2 and 1813 respectively. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] radius scheme radius1 New Radius scheme [Sysname-radius-radius1] primary accounting 10.110.1.2 1813 primary authentication Syntax...
  • Page 563: Radius Client

    Related commands: key, radius scheme, state. Examples # Set the IP address and UDP port number of the primary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.1 and 1812 respectively. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] radius scheme radius1 New Radius scheme [Sysname-radius-radius1] primary authentication 10.110.1.1 1812...
  • Page 564: Radius Scheme

    undo radius nas-ip View System view Parameters ip-address: Source IP address to be set, an IP address of this device. This address can neither be the all 0's address nor be a Class-D address. Description Use the radius nas-ip command to set the source IP address of outgoing RADIUS messages. Use the undo radius nas-ip command to restore the default setting.
  • Page 565: Radius Trap

    View System view Parameters radius-scheme-name: Name of the RADIUS scheme to be created, a string of up to 32 characters. Description Use the radius scheme command to create a RADIUS scheme and enter its view. Use the undo radius scheme command to delete a specified RADIUS scheme. By default, a RADIUS scheme named "system"...
  • Page 566: Reset Radius Statistics

    Parameters authentication-server-down: Enables/disables the switch to send trap messages when a RADIUS authentication server goes down. accounting-server-down: Enables/disables the switch to send trap messages when a RADIUS accounting server goes down. Description Use the radius trap command to enable the switch to send trap messages when a RADIUS server goes down.
  • Page 567: Reset Stop-Accounting-Buffer

    Examples # Clear RADIUS message statistics. <Sysname> reset radius statistics reset stop-accounting-buffer Syntax reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } View User view Parameters radius-scheme radius-scheme-name: Deletes the buffered stop-accounting requests of a specified RADIUS scheme.
  • Page 568: Retry Realtime-Accounting

    undo retry View RADIUS scheme view Parameters retry-times: Maximum number of transmission attempts of a RADIUS request, ranging from 1 to 20. Description Use the retry command to set the maximum number of transmission attempts of a RADIUS request. Use the undo retry command to restore the default maximum number of transmission attempts. By default, the maximum number of RADIUS request transmission attempts is 3.
  • Page 569 Parameters retry-times: Maximum allowed number of continuous real-time accounting failures, ranging from 1 to 255. Description Use the retry realtime-accounting command to set the maximum allowed number of continuous real-time accounting failures. Use the undo retry realtime-accounting command to restore the default maximum number of continuous real-time accounting failures.
  • Page 570: Retry Stop-Accounting

    [Sysname-radius-radius1] retry realtime-accounting 10 retry stop-accounting Syntax retry stop-accounting retry-times undo retry stop-accounting View RADIUS scheme view Parameters retry-times: Maximum number of transmission attempts of a buffered stop-accounting request, ranging from 10 to 65,535. Description Use the retry stop-accounting command to set the maximum number of transmission attempts of a stop-accounting request buffered due to no response.
  • Page 571: Secondary Authentication

    undo secondary accounting View RADIUS scheme view Parameters ip-address: IP address of the secondary accounting server to be used, in dotted decimal notation. port-number: UDP port number of the secondary accounting server, ranging from 1 to 65535. Description Use the secondary accounting command to set the IP address and port number of the secondary RADIUS accounting server to be used by the current scheme.
  • Page 572: Server-Type

    Use the undo secondary authentication command to restore the default IP address and port number of the secondary RADIUS authentication/authorization server, which is 0.0.0.0 and 1812 respectively. Related commands: key, radius scheme, state. Examples # Set the IP address and UDP port number of the secondary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.2 and 1812 respectively.
  • Page 573: State

    [Sysname-radius-radius1] server-type extended state Syntax state { primary | secondary } { accounting | authentication } { block | active } View RADIUS scheme view Parameters primary: Specifies that the server to be set is a primary RADIUS server. secondary: Specifies that the server to be set is a secondary RADIUS server. accounting: Specifies that the server to be set is a RADIUS accounting server.
  • Page 574: Stop-Accounting-Buffer Enable

    [Sysname] radius scheme radius1 New Radius scheme [Sysname-radius-radius1] state secondary authentication active stop-accounting-buffer enable Syntax stop-accounting-buffer enable undo stop-accounting-buffer enable View RADIUS scheme view Parameters None Description Use the stop-accounting-buffer enable command to enable the switch to buffer the stop-accounting requests that get no response.
  • Page 575: Timer Quiet

    undo timer View RADIUS scheme view Parameters seconds: Response timeout time of RADIUS servers, ranging from 1 to 10 seconds. Description Use the timer command to set the response timeout time of RADIUS servers (that is, the timeout time of the response timeout timer of RADIUS servers). Use the undo timer command to restore the default response timeout timer of RADIUS servers.
  • Page 576: Timer Realtime-Accounting

    Parameters minutes: Wait time before primary server state restoration, ranging from 1 to 255 minutes. Description Use the timer quiet command to set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active. Use the undo timer quiet command to restore the default wait time.
  • Page 577: Timer Response-Timeout

    The setting of the real-time accounting interval depends, to some degree, on the performance of the switch and the RADIUS server. The higher the performance of the switch and the RADIUS server is, the shorter the interval can be. It is recommended to set the interval as long as possible when the number of users is relatively large (≥1000).
  • Page 578: User-Name-Format

    After sending out a RADIUS request (authentication/authorization request or accounting request) to a RADIUS server, the switch waits for a response from the server. The maximum time that the switch can wait for the response is called the response timeout time of RADIUS servers, and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers.
  • Page 579: Hwtacacs Configuration Commands

    designed for you to specify whether or not ISP domain names are carried in the usernames to be sent to the RADIUS server. For a RADIUS scheme, if you have specified to exclude ISP domain names from usernames, you should not use this RADIUS scheme in more than one ISP domain. Otherwise, such errors may occur: the RADIUS server regards two different users having the same name but belonging to different ISP domains as the same user (because the usernames sent to it are the same).
  • Page 580: Display Hwtacacs

    Note that the specified unit of data flows sent to the TACACS server must be consistent with the traffic statistics unit of the TACACS server. Otherwise, accounting cannot be performed correctly. Related commands: display hwtacacs. Examples # Specify to measure data and packets in data flows to TACACS servers in kilo-bytes and kilo-packets respectively in HWTACACS scheme hwt1.
  • Page 581: Display Stop-Accounting-Buffer

    Current-authentication-server : 172.31.1.11:49
    Current-authorization-server : 172.31.1.11:49
    Current-accounting-server : 172.31.1.11:49
    Source-IP-address : 0.0.0.0
    key authentication : 790131
    key authorization : 790131
    key accounting : 790131
    Quiet-interval(min)
    Response-timeout-Interval(sec)
    Realtime-accouting-Interval(min): 12
    Stop-acct-PKT resending times : 100
    Domain-included : No
    Traffic-unit
    Packet traffic-unit : one-packet
    display stop-accounting-buffer
    Syntax
    display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name...
  • Page 582: Hwtacacs Scheme

    View System view Parameters ip-address: Source IP address to be set, an IP address of this device. This address can neither be the all 0's address nor be a Class D address. Description Use the hwtacacs nas-ip command to set the source address of outgoing HWTACACS messages.
  • Page 583: Key

    By default, no HWTACACS scheme exists. Examples # Create an HWTACACS scheme named "hwt1" and enter the corresponding HWTACACS scheme view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] Syntax key { accounting | authentication | authorization } string undo key { accounting | authentication | authorization } View HWTACACS scheme view...
  • Page 584: Primary Accounting

    nas-ip Syntax nas-ip ip-address undo nas-ip View HWTACACS scheme view Parameters ip-address: Source IP address to be set, an IP address of this device. This address can neither be the all 0's address nor be a Class D address. Description Use the nas-ip command to set the source address of outgoing HWTACACS messages.
  • Page 585: Primary Authentication

    View HWTACACS scheme view Parameters ip-address: IP address of the primary accounting server to be used, a valid unicast address in dotted decimal notation. port: Port number of the primary accounting server, ranging from 1 to 65535. Description Use the primary accounting command to set the IP address and port number of the primary HWTACACS accounting server to be used by the current scheme.
  • Page 586: Primary Authorization

    Parameters ip-address: IP address of the primary authentication server to be used, a valid unicast address in dotted decimal notation. port: Port number of the primary authentication server, ranging from 1 to 65535. Description Use the primary authentication command to set the IP address and port number of the primary HWTACACS authentication server to be used by the current scheme.
  • Page 587: Reset Hwtacacs Statistics

    Description Use the primary authorization command to set the IP address and port number of the primary HWTACACS authorization server to be used by the current scheme. Use the undo primary authorization command to restore the default IP address and port number of the primary authorization server, which are 0.0.0.0 and 49 respectively.
  • Page 588: Reset Stop-Accounting-Buffer

    Examples # Clear all HWTACACS protocol statistics. <Sysname> reset hwtacacs statistics all reset stop-accounting-buffer Syntax reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name View User view Parameters hwtacacs-scheme hwtacacs-scheme-name: Deletes the buffered stop-accounting requests of a specified HWTACACS scheme. Here, hwtacacs-scheme-name is the name of a HWTACACS scheme, which is a string of up to 32 characters.
  • Page 589: Secondary Accounting

    Description Use the retry stop-accounting command to enable the stop-accounting request retransmission function and set the maximum number of attempts to transmit a stop-accounting request. Use the undo retry stop-accounting command to restore the default setting. By default, this function is enabled and the maximum number of transmission attempts is 100. Related commands: reset...
  • Page 590: Secondary Authentication

    Examples # Set the IP address and UDP port number of the secondary accounting server for HWTACACS scheme hwt1 to 10.163.155.12 and 49 respectively. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 secondary authentication Syntax secondary authentication ip-address [ port ]...
  • Page 591: Secondary Authorization

    [Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 secondary authorization Syntax secondary authorization ip-address [ port ] undo secondary authorization View HWTACACS scheme view Parameters ip-address: IP address of the secondary authorization server, a valid unicast address in dotted decimal notation. port: Port number of the secondary authorization server, ranging from 1 to 65535. Description Use the secondary authorization command to set the IP address and port number of the secondary HWTACACS authorization server to be used by the current scheme.
  • Page 592: Timer Realtime-Accounting

    undo timer quiet View HWTACACS scheme view Parameters minutes: Wait time before primary server state restoration, ranging from 1 to 255 minutes. Description Use the timer quiet command to set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active.
  • Page 593: Timer Response-Timeout

    To control the interval at which users are charged in real time, you can set the real-time accounting interval. After the setting, the switch periodically sends online users' accounting information to the TACACS accounting server at the set interval. The setting of the real-time accounting interval depends, to some degree, on the performance of the switch and the TACACS server.
  • Page 594: User-Name-Format

    Description Use the timer response-timeout command to set the response timeout time of TACACS servers. Use the undo timer response-timeout command to restore the default response timeout time of TACACS servers. By default, the response timeout time of TACACS servers is five seconds. As HWTACACS is based on TCP, both server response timeout and TCP timeout may cause disconnection from the TACACS server.
  • Page 595 sending usernames to the TACACS server. For this reason, the user-name-format command is designed for you to specify whether or not ISP domain names are carried in the usernames to be sent to the TACACS server. For a HWTACACS scheme, if you have specified to exclude ISP domain names from usernames, you should not use this scheme in more than one ISP domain.
  • Page 596: Ead Configuration Commands

    EAD Configuration Commands EAD Configuration Commands security-policy-server Syntax security-policy-server ip-address undo security-policy-server { ip-address | all } View RADIUS scheme view Parameters ip-address: IP address of a security policy server. all: IP addresses of all security policy servers. Description Use the security-policy-server command to set the IP address of a security policy server. Use the undo security-policy-server command to remove one specified or all security policy server address settings.
  • Page 597 security-policy-server 192.168.0.1 user-name-format without-domain …...
  • Page 598 Table of Contents
    1 MAC Address Authentication Configuration Commands 1-1
    MAC Address Authentication Basic Function Configuration Commands 1-1
    display mac-authentication 1-1
    mac-authentication 1-4
    mac-authentication interface 1-5
    mac-authentication authmode usernameasmacaddress 1-6
    mac-authentication authmode usernamefixed 1-6
    mac-authentication authpassword 1-7
    mac-authentication authusername 1-8
    mac-authentication domain 1-8
    mac-authentication timer 1-9
    reset mac-authentication 1-9
    MAC Address Authentication Enhanced Function Configuration Commands 1-10...
  • Page 599: Mac Address Authentication Basic Function Configuration Commands

    MAC Address Authentication Configuration Commands The configuration of fixed password when setting the user name in MAC address mode for MAC address authentication is added. See mac-authentication authmode usernameasmacaddress. MAC Address Authentication Basic Function Configuration Commands display mac-authentication Syntax display mac-authentication [ interface interface-list ] View Any view Parameters...
  • Page 600
    Server response timeout value is 100s
    Guest VLAN re-authenticate period is 30s
    Max allowed user number is 1024
    Current user number amounts to
    Current domain: not configured, use default domain
    Silent Mac User info:
    MAC ADDR From Port Port Index
    --- On unit 1, 1 silent mac address(es) found.
  • Page 601
    Quiet period: Quiet timer sets the quiet period. A switch goes through a quiet period if a user fails to pass the MAC address authentication. The default value is 60 seconds.
    Server response timeout value: Server timeout timer, which sets the timeout time for the connection between a switch and the RADIUS server.
  • Page 602: Mac-Authentication

    mac-authentication Syntax mac-authentication undo mac-authentication View System view, Ethernet port view Parameters None Description Use the mac-authentication command to enable MAC address authentication globally or on the current port. Use the undo mac-authentication command to disable MAC address authentication globally or on the current port.
  • Page 603: Mac-Authentication Interface

    mac-authentication interface Syntax mac-authentication interface interface-list undo mac-authentication interface interface-list View System view Parameters interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
  • Page 604: Mac-Authentication Authmode Usernameasmacaddress

    mac-authentication authmode usernameasmacaddress Syntax mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } ] { lowercase | uppercase } | fixedpassword password ] undo mac-authentication authmode usernameasmacaddress usernameformat fixedpassword ] View System view Parameters usernameformat: Specifies the input format of the username and password. with-hyphen: Uses hyphenated MAC addresses as usernames and passwords, for example, 00-05-e0-1c-02-e3.
  • Page 605: Mac-Authentication Authpassword

    View System view Parameters None Description Use the mac-authentication authmode usernamefixed command to set the user name in fixed mode for MAC address authentication. Use the undo mac-authentication authmode command to restore the default user name mode for MAC address authentication. By default, the MAC address mode is used.
  • Page 606: Mac-Authentication Authusername

    mac-authentication authusername Syntax mac-authentication authusername username undo mac-authentication authusername View System view Parameters username: User name used in authentication, a string of 1 to 55 characters. Description Use the mac-authentication authusername command to set a user name in fixed mode. Use the undo mac-authentication authusername command to restore the default user name.
  • Page 607: Mac-Authentication Timer

    Examples # Configure the domain for MAC address authentication to be aabbcc. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] mac-authentication domain aabbcc mac-authentication timer Syntax mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value } undo mac-authentication timer { offline-detect | quiet | server-timeout } View System view...
  • Page 608: Mac Address Authentication Enhanced Function Configuration Commands

    View User view Parameters interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
  • Page 609: Mac-Authentication Max-Auth-Num

    If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
  • Page 610: Mac-Authentication Timer Guest-Vlan-Reauth

    Use the undo mac-authentication max-auth-num command to restore the maximum number of MAC address authentication users allowed to access the port to the default value. By default, the maximum number of MAC address authentication users allowed to access a port is 256. If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port at the same time, the smaller value of the two configured limits is adopted as the maximum number of MAC address...
  • Page 611 Examples # Configure the switch to re-authenticate users in Guest VLANs at the interval of 60 seconds.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] mac-authentication timer guest-vlan-reauth 60
  • Page 612 Table of Contents
    1 Web Authentication Configuration Commands 1-1
    Web Authentication Configuration Commands 1-1
    display web-authentication configuration 1-1
    display web-authentication connection 1-2
    web-authentication customize 1-3
    web-authentication cut connection 1-5
    web-authentication enable 1-6
    web-authentication free-ip 1-6
    web-authentication free-user 1-7
    web-authentication max-connection 1-8
    web-authentication select method 1-9
    web-authentication timer idle-cut 1-9
    web-authentication timer max-online 1-10
    web-authentication web-server 1-11...
  • Page 613: Web Authentication Configuration Commands

    Web Server: IP=30.1.1.2 Port=80 Idle-cut time: 900 sec Max-online time: 1800 sec Max-connection of device is: 512 Customized authentication-page information : Corp-Name: 3Com Corporation Platform-Name: A leading global supplier of IP-based products and solutions Phone-Num: 1-800-876-3266 Email-address: relations@3com.com File: Free IP: 1) IP=10.1.1.0...
  • Page 614: Display Web-Authentication Connection

    Table 1-1 Description on the fields of display web-authentication configuration
    Field | Description
    Status | Global status of Web authentication
    Web Server | IP address and port number of the Web authentication server
    Idle-cut time | Idle user checking interval
    Max-online time | Maximum online time specified for Web authentication users
    Maximum number of Web authentication users...
  • Page 615: Web-Authentication Customize

    <Sysname> display web-authentication connection all Username: 1 MAC: 000d-88f6-44c1 Interface: Ethernet1/0/1 VLAN: 2 Method: Shared State: ONLINE Online-Time(s): 8 Total 1 connection(s) matched Table 1-2 Description on the fields of display web-authentication connection Field Description Username Name of an online Web-authentication user MAC address of the user Interface Access port of the user...
  • Page 616 Phone number: 1-800-876-3266 Subject: A leading global supplier of IP-based products and solutions <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] web-authentication customize corp-name 3Com Corporation mailto:relations@3com.com [Sysname] web-authentication customize email [Sysname] web-authentication customize phone-num 1-800-876-3266 [Sysname] web-authentication customize platform-name A leading global supplier of IP-based...
  • Page 617: Web-Authentication Cut Connection

    Figure 1-1 Web authentication page with customized information web-authentication cut connection Syntax web-authentication cut connection { all | mac mac-address | user-name user-name | interface interface-type interface-number } View System view Parameters all: Specifies all online users. mac mac-address: Specifies a user by the user’s MAC address. user-name user-name: Specifies a user by the user’s name, which is a string of 1 to 184 characters.
  • Page 618: Web-Authentication Enable

    web-authentication enable Syntax web-authentication enable undo web-authentication enable View System view Parameters None Description Use the web-authentication enable command to enable Web authentication globally. Use the undo web-authentication enable command to disable Web authentication globally. Web authentication cannot be enabled when one of the following features is enabled, and vice versa: 802.1x, MAC authentication, port security, port aggregation and XRN.
  • Page 619: Web-Authentication Free-User

    Description Use the web-authentication free-ip command to set a free IP address range, which can be accessed by users before they pass Web authentication. Use the undo web-authentication free-ip command to remove the setting or all such settings. By default, no free IP address range is set. Note: The to-be-set free IP address range cannot include the Web authentication server’s IP address.
  • Page 620: Web-Authentication Max-Connection

    Note: You can set up to eight authentication-free users. After a user gets online in shared access method, if you configure an authentication-free user whose IP address and MAC address are the same as those of the online user, the online user will be forced to get offline.
  • Page 621: Web-Authentication Select Method

    web-authentication select method Syntax web-authentication select method { shared | designated } undo web-authentication select View Port view Parameters shared: Sets the Web authentication access method on the port to shared. designated: Sets the Web authentication access method on the port to designated. Description Use the web-authentication select command to enable Web authentication on the current port and set the Web authentication access method on the port.
  • Page 622: Web-Authentication Timer Max-Online

    View System view Parameters timer: Interval for checking whether an online user is idle. It ranges from 10 to 86400 seconds. Value 0 means the idle user checking function is disabled. Description Use the web-authentication timer idle-cut command to set the idle user checking interval for Web authentication.
  • Page 623: Web-Authentication Web-Server

    Use the undo web-authentication timer max-online command to restore the default. By default, the maximum online time for users is 1800 seconds. Examples # Set the maximum online time of users to 36000 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] web-authentication timer max-online 36000 web-authentication web-server Syntax...
  • Page 624 Table of Contents
    1 VRRP Configuration Commands 1-1
    VRRP Configuration Commands 1-1
    display vrrp 1-1
    display vrrp statistics 1-3
    reset vrrp statistics 1-4
    vrrp method 1-5
    vrrp ping-enable 1-6
    vrrp vlan-interface vrid track 1-6
    vrrp vrid authentication-mode 1-7
    vrrp vrid preempt-mode 1-8
    vrrp vrid priority 1-9
    vrrp vrid timer advertise 1-10
    vrrp vrid track interface 1-11
    vrrp vrid track detect-group 1-12...
  • Page 625: Vrrp Configuration Commands

    VRRP Configuration Commands VRRP Configuration Commands display vrrp Syntax display vrrp [ verbose ] [ interface vlan-interface vlan-id [ vrid virtual-router-id ] ] View Any view Parameters verbose: Displays detailed state information of VRRP. vlan-interface vlan-id: Displays VRRP state information of the specified VLAN interface. vlan-id is the VLAN interface ID.
  • Page 626 Table 1-1 Description on the fields of the display vrrp command
    Field | Description
    Run Method | Current VRRP running method, including REAL-MAC and VIRTUAL-MAC
    Virtual IP ping | Whether you can ping the virtual IP address of the VRRP group
    Interface | Interface where the VRRP group resides
    VRID | ID of the virtual router
    Status of the current switch in the VRRP group, including Master,...
  • Page 627: Display Vrrp Statistics

    Field | Description
    Delay Time | Preemption delay
    Auth Type | Authentication type, including NONE, SIMPLE, and MD5
    Virtual IP | Virtual IP address of the VRRP group
    Virtual MAC | Virtual MAC address corresponding to the virtual IP address of the VRRP group. It is displayed only when the switch is in the state of master....
  • Page 628: Reset Vrrp Statistics

    Invalid Auth Type Auth Type Mismatch Packet Length Errors Address List Errors Become Master Priority Zero Pkts Rcvd Advertise Rcvd Priority Zero Pkts Sent Invalid Type Pkts Rcvd : 0 Table 1-3 Description on the fields of the display vrrp statistics command Field Description Interface...
  • Page 629: Vrrp Method

    Description Use the reset vrrp statistics command to clear the VRRP statistics information. When you execute this command: If neither a VLAN interface nor a VRRP group is specified, the statistics information about all the VRRP groups on the switch is cleared. If only a VLAN interface is specified, the statistics information about all the VRRP groups on the specified VLAN interface is cleared.
  • Page 630: Vrrp Ping-Enable

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] vrrp method real-mac vrrp ping-enable Syntax vrrp ping-enable undo vrrp ping-enable View System view Parameters None Description Use the vrrp ping-enable command to enable a VRRP group to respond to ping packets destined for its virtual router IP address.
  • Page 631: Vrrp Vrid Authentication-Mode

    Description Use the vrrp vlan-interface vrid track command to enable the port tracking function of a VRRP group on a physical port. Use the undo vrrp vlan-interface vrid track command to disable the port tracking function. After the port tracking function of a VRRP group is enabled on a port, this function will track the link status of the port.
  • Page 632: Vrrp Vrid Preempt-Mode

    When the authentication type is simple, the authentication key is in plain text and can contain one to eight characters. When the authentication type is md5, the authentication key can be a string of one to eight characters in plain text, such as 1234567, or a 24-character MD5 encrypted string, such as _(TT8F]Y\5SQ=^Q`MAF4<1!!.
  • Page 633: Vrrp Vrid Priority

    Use the undo vrrp vrid preempt-mode command to cancel the configuration, that is, configure the switch to work in the non-preemptive mode. By default, switches in a VRRP group operate in the preemptive mode, with the preemption delay period set to 0 seconds. If you want a switch with high priority to preempt the master, configure the switch to operate in the preemptive mode.
  • Page 634: Vrrp Vrid Timer Advertise

    Parameters virtual-router-id: VRRP group ID, ranging from 1 to 255. priority: Switch priority to be set. This argument ranges from 1 to 254. Description Use the vrrp vrid priority command to set the priority of a switch in a VRRP group. Use the undo vrrp vrid priority command to restore the default priority.
  • Page 635: Vrrp Vrid Track Interface

    for a period three times the advertisement interval, they send VRRP advertisements to other members of the VRRP group to elect a new master. Note that a configuration error occurs if switches of the same VRRP group are configured with different adver-interval values.
  • Page 636: Vrrp Vrid Track Detect-Group

    Examples # On VLAN-interface 2, configure to track VLAN-interface 1 and configure the priority of the master of VRRP group 1 (on VLAN-interface 2) to decrease by 50 when VLAN-interface 1 goes down. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 2 [Sysname-Vlan-interface2] vrrp vrid 1 track interface vlan-interface 1 reduced 50 vrrp vrid track detect-group...
  • Page 637: Vrrp Vrid Virtual-Ip

    Examples # Create detected group 10 and specify to detect the IP address of 202.12.1.55. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] detect-group 10 [Sysname-detect-group-10] detect-list 1 ip address 202.12.1.55 # Specify to decrease the priority of the master of VRRP group 1 by 20 when detected group 10 is unreachable.
  • Page 638 It is not recommended to perform VRRP group-related configurations on the VLAN interface of a remote-probe VLAN. Otherwise, packet mirroring may be affected. Examples # Create a VRRP group. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 2 [Sysname-Vlan-interface2] vrrp vrid 1 virtual-ip 10.10.10.10 # Add a virtual IP address to an existing VRRP group.
  • Page 639 Table of Contents
    1 ARP Configuration Commands 1-1
    ARP Configuration Commands 1-1
    arp check enable 1-1
    arp send-gratuitous enable vrrp 1-2
    arp static 1-2
    arp timer aging 1-3
    display arp 1-4
    display arp | 1-5
    display arp count 1-6
    display arp timer aging 1-6
    gratuitous-arp period-resending enable 1-7
    gratuitous-arp-learning enable 1-8
    reset arp 1-8...
  • Page 640: Arp Configuration Commands

    ARP Configuration Commands Support for ARP attack defense is added. For specific commands, refer to ARP Attack Defense Configuration Commands. Support for local ARP proxy is added. For specific commands, refer to local-proxy-arp enable. ARP Configuration Commands arp check enable Syntax arp check enable undo arp check enable...
  • Page 641: Arp Send-Gratuitous Enable Vrrp

    arp send-gratuitous enable vrrp Syntax arp send-gratuitous enable vrrp undo arp send-gratuitous enable vrrp View System view Parameters None Description Use the arp send-gratuitous enable vrrp command to enable the master switch of a VRRP backup group to send gratuitous ARP packets periodically. Upon receiving the gratuitous ARP packets, hosts on the network update their respective ARP tables.
  • Page 642: Arp Timer Aging

    interface-number: Number of the port to which the static ARP entry belongs. Description Use the arp static command to create a static ARP entry. Use the undo arp command to remove an ARP entry. By default, the system ARP mapping table is empty and the address mapping entries are obtained by ARP dynamically.
  • Page 643: Display Arp

    Examples # Configure the aging time to be 10 minutes for dynamic ARP entries. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] arp timer aging 10 display arp Syntax display arp [ dynamic | static | ip-address ] View Any view Parameters...
  • Page 644 Table 1-1 Description on the fields of the display arp command
    Field | Description
    IP Address | IP address contained in an ARP entry
    MAC Address | MAC address contained in an ARP entry
    VLAN ID | ID of the VLAN which an ARP entry corresponds to
    Port Name / AL ID | Port which an ARP entry corresponds to
    Aging time (in minutes) of an ARP entry...
  • Page 645: Display Arp Count

    <Sysname> display arp | exclude 68 Type: S-Static D-Dynamic IP Address MAC Address VLAN ID Port Name / AL ID Aging Type 10.2.72.162 000a-000a-0aaa 1 entry found Refer to Table 1-1 for the description on the above output information. display arp count Syntax display arp count [ [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] | ip-address ]...
  • Page 646: Gratuitous-Arp Period-Resending Enable

    Parameters None Description Use the display arp timer aging command to display the setting of the ARP aging time. Related commands: arp timer aging. Examples # Display the setting of the ARP aging time. <Sysname> display arp timer aging Current ARP aging time is 20 minute(s)(default) The displayed information shows that the ARP aging time is set to 20 minutes.
  • Page 647: Gratuitous-Arp-Learning Enable

    gratuitous-arp-learning enable Syntax gratuitous-arp-learning enable undo gratuitous-arp-learning enable View System view Parameters None Description Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function. Then, a switch receiving a gratuitous ARP packet can add the IP and MAC addresses carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry for the ARP packet in the cache.
  • Page 648 Examples # Clear static ARP entries. <Sysname> reset arp static...
  • Page 649: Arp Attack Defense Configuration Commands

    ARP Attack Defense Configuration Commands ARP Attack Defense Configuration Commands arp anti-attack valid-check enable Syntax arp anti-attack valid-check enable undo arp anti-attack valid-check enable View System view Parameters None Description Use the arp anti-attack valid-check enable command to enable ARP source MAC address consistency check.
  • Page 650: Arp Detection Trust

    Description Use the arp detection enable command to enable the ARP attack detection function on all ports in the specified VLAN. When receiving an ARP packet from a port in this VLAN, the switch will check the source IP address, source MAC address, number of the receiving port, and the VLAN of the port. If the mapping of the source IP address and source MAC address is not included in the DHCP snooping entries or IP static binding entries, or the number of the receiving port and the VLAN of the port do not match the DHCP snooping entries or IP static binding entries, the ARP packet will be discarded.
  • Page 651: Arp Filter Source

    arp filter source Syntax arp filter source ip-address undo arp filter source View Ethernet port view Parameters ip-address: IP address of the gateway. Description Use the arp filter source command to configure ARP packet filtering based on the gateway’s IP address on the current port working as the downstream port connected to a host.
  • Page 652: Arp Max-Learning-Num

    Description Use the arp filter binding command to configure ARP packet filtering based on the gateway’s IP and MAC addresses on the current port. After that, the port will discard ARP packets with the gateway’s IP address as the sender IP address but with the sender MAC address different from that of the gateway. Use the undo arp filter binding command to remove the configuration.
  • Page 653: Arp Protective-Down Recover Enable

    arp protective-down recover enable Syntax arp protective-down recover enable undo arp protective-down recover enable View System view Parameters None Description Use the arp protective-down recover enable command to enable the port state auto-recovery function on the switch. Use the undo arp protective-down recover enable command to disable the port state auto-recovery function of a switch.
  • Page 654: Arp Rate-Limit

    By default, when the port state auto-recovery function is enabled, the recovery interval is 300 seconds. Note that: You need to enable the port state auto-recovery feature before you can configure the auto-recovery interval. If you use the arp protective-down recover interval command to modify the recovery time when the current port has been already shut down due to an excessive ARP packet receiving rate, the previously configured interval applies to the first port state recovery.
  • Page 655: Arp Rate-Limit Enable

    arp rate-limit enable Syntax arp rate-limit enable undo arp rate-limit enable View Ethernet port view Parameters None Description Use the arp rate-limit enable command to enable the ARP packet rate limit function on the port, that is, to limit the rate of ARP packets passing through the port. If a rate (the maximum ARP packet rate is 15 pps by default) is specified, exceeding ARP packets will be discarded.
  • Page 656: Display Arp Detection Statistics Interface

    Related commands: arp detection enable, arp detection trust Examples # Enable ARP restricted forwarding in VLAN 1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] vlan 1 [Sysname-vlan1] arp restricted-forwarding enable display arp detection statistics interface Syntax display arp detection statistics interface interface-type interface-number View Any view...
  • Page 657: Ip Source Static Import Dot1X

    ip source static import dot1x Syntax ip source static import dot1x undo ip source static import dot1x View System view Parameters None Description Use the ip source static import dot1x command to enable ARP attack detection based on IP-to-MAC mappings of authenticated 802.1x clients. With this function enabled, the switch records mappings between IP addresses (both static and dynamic IP addresses) and MAC addresses of authenticated 802.1x clients and uses the mappings for ARP attack detection after IP-to-MAC static bindings and DHCP snooping entries are checked.
  • Page 658: Proxy Arp Configuration Commands

    Proxy ARP Configuration Commands Proxy ARP Configuration Commands arp proxy enable Syntax arp proxy enable undo arp proxy enable View VLAN interface view Parameters None Description Use the arp proxy enable command to enable common proxy ARP on the VLAN interface. Use the undo arp proxy enable command to disable common proxy ARP on the VLAN interface.
  • Page 659: Local-Proxy-Arp Enable

    Parameters interface vlan-interface vlan-id: Displays the common and local proxy ARP state on a VLAN interface. Description Use the display arp proxy command to display common and local proxy ARP state: enabled/disabled. If interface vlan-interface vlan-id is specified, common and local proxy ARP configuration of the specified VLAN interface is displayed;...
  • Page 660 View VLAN interface view Parameters None Description Use the local-proxy-arp enable command to enable local proxy ARP on the VLAN interface. Use the undo local-proxy-arp enable command to disable local proxy ARP on the VLAN interface. By default, local proxy ARP is disabled on the VLAN interfaces of a switch. Examples # Enable local proxy ARP on VLAN-interface 2.
  • Page 661: Resilient Arp Configuration Commands

    Resilient ARP Configuration Commands Resilient ARP Configuration Commands display resilient-arp Syntax display resilient-arp [ unit unit-id ] View Any view Parameters unit unit-id: Unit ID ranging from 1 to 8. If a switch belongs to a fabric, resilient ARP information on specific devices in the fabric can be displayed.
  • Page 662: Resilient-Arp Interface Vlan-Interface

    Parameters None Description Use the resilient-arp enable command to enable the Resilient ARP function. The switch will adopt different methods based on the actual status. If the main link in the fabric breaks, the switch sends resilient ARP packets through the VLAN interface on the backup link to determine whether it should act as a Layer 3 or Layer 2 device.
  • Page 663 [Sysname] resilient-arp interface vlan-interface 2...
  • Page 664 Table of Contents
    1 DHCP Server Configuration Commands 1-1
    DHCP Server Configuration Commands 1-1
    accounting domain 1-1
    bims-server 1-2
    bootfile-name 1-2
    dhcp enable 1-3
    dhcp select global 1-4
    dhcp select interface 1-5
    dhcp server bims-server 1-7
    dhcp server bootfile-name 1-7
    dhcp server detect 1-8
    dhcp server dns-list 1-9
    dhcp server domain-name 1-10
    dhcp server expired 1-11
    dhcp server forbidden-ip 1-12...
  • Page 665
    static-bind ip-address 1-38
    static-bind mac-address 1-39
    tftp-server domain-name 1-40
    tftp-server ip-address 1-40
    voice-config 1-41
    2 DHCP Relay Agent Configuration Commands 2-1
    DHCP Relay Agent Configuration Commands 2-1
    address-check 2-1
    dhcp-relay hand 2-1
    dhcp relay information enable 2-2
    dhcp relay information strategy 2-3
    dhcp-security static 2-4
    dhcp-security tracker 2-4
    dhcp-server 2-5...
  • Page 666
    ip address dhcp-alloc 5-2
    BOOTP Client Configuration Commands 5-3
    display bootp client 5-3
    ip address bootp-alloc 5-4...
  • Page 667: Dhcp Server Configuration Commands

    DHCP Server Configuration Commands IP filtering based on authenticated 802.1x clients is added. For specific commands, refer to check dot1x enable. Support for removing DHCP snooping entries is added. For specific commands, refer to reset dhcp-snooping. DHCP Server Configuration Commands accounting domain Syntax accounting domain domain-name...
  • Page 668: Bims-Server

    bims-server Syntax bims-server ip ip-address [ port port-number ] sharekey key undo bims-server View DHCP address pool view Parameters ip ip-address: Specifies the IP address of the remote BIMS server. port port-number: Specifies the port number of the remote BIMS. The port-number argument ranges from 1 to 65534.
  • Page 669: Dhcp Enable

    Description Use the bootfile-name command to specify a bootfile name in the DHCP global address pool for the client. Use the undo bootfile-name command to remove the specified bootfile name from the DHCP global address pool. By default, no bootfile name is specified. If you execute the bootfile-name command repeatedly, the latest configuration will overwrite the previous one.
  • Page 670: Dhcp Select Global

    To improve security and avoid malicious attacks on unused sockets, S5500-EI Ethernet switches provide the following functions: UDP ports 67 and 68 used by DHCP are enabled/disabled only when DHCP is enabled/disabled. The implementation is as follows: After DHCP is enabled by executing the dhcp enable command, if the DHCP server and DHCP relay functions are not configured, UDP port 67 and UDP port 68 are kept disabled;...
  • Page 671: Dhcp Select Interface

    Description Use the dhcp select global command to configure the specified interface(s) or all interfaces to operate in global DHCP address pool mode. Upon receiving a DHCP packet from a DHCP client through an interface operating in global DHCP address pool mode, the DHCP server chooses an IP address from a global DHCP address pool of the DHCP server and assigns the address to the DHCP client.
  • Page 672 Description Use the dhcp select interface command to configure the specified interface(s) to operate in DHCP interface address pool mode. Upon receiving a DHCP packet from a DHCP client through an interface operating in interface address pool mode, the DHCP server chooses an IP address from the interface address pool of the DHCP server and assigns the address to the DHCP client.
  • Page 673: Dhcp Server Bims-Server

    dhcp server bims-server Syntax dhcp server bims-server ip ip-address [ port port-number ] sharekey key { interface interface-type interface-number [ to interface-type interface-number ] | all } undo dhcp server bims-server { interface interface-type interface-number [ to interface-type interface-number ] | all } View System view Parameters...
  • Page 674: Dhcp Server Detect

    undo dhcp server bootfile-name In system view, use the following commands to specify the bootfile name in the specified interface address pool for the client: dhcp server bootfile-name bootfile-name { all | interface interface-type interface-number } undo dhcp server bootfile-name { all | interface interface-type interface-number } View System view, VLAN interface view Parameters...
  • Page 675: Dhcp Server Dns-List

    Description Use the dhcp server detect command to enable the unauthorized DHCP server detection function. With this feature enabled, upon receiving a DHCP request, the DHCP server will record the IP addresses of any DHCP servers which ever assigned an IP address to the DHCP client and the receiving interface.
  • Page 676: Dhcp Server Domain-Name

    interface number; the interface interface-type interface-number [ to interface-type interface-number ] keyword and argument combination specifies an interface range. all: (In comparison with the ip-address argument) Specifies all DNS server IP addresses. all: (In comparison with the interface keyword) Specifies all interface address pools. Description Use the dhcp server dns-list command to specify the DNS server IP address in the DHCP interface address pool for the client.
  • Page 677: Dhcp Server Expired

    Parameters domain-name: Domain name suffix of the DHCP clients whose IP addresses are from the specified interface address pool(s). This argument is a string of 3 to 50 characters. interface interface-type interface-number [ to interface-type interface-number ]: Specifies the interface(s), through which you can specify the corresponding interface address pool(s). The interface-type argument specifies an interface type;...
  • Page 678 dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } { interface interface-type interface-number [ to interface-type interface-number ] | all } undo dhcp server expired { interface interface-type interface-number [ to interface-type interface-number ] | all } View System view, VLAN interface view...
  • Page 679: Dhcp Server Forbidden

    undo dhcp server forbidden-ip low-ip-address [ high-ip-address ] View System view Parameters low-ip-address: IP address that is not available for being assigned to DHCP clients automatically (An IP address of this kind is known as a forbidden IP address). This argument also marks the lower end of the range of the forbidden IP addresses.
  • Page 680: Dhcp Server Nbns-List

    undo dhcp server ip-pool pool-name View System view Parameters pool-name: Name of a DHCP address pool, which uniquely identifies the address pool. This argument is a string of 1 to 35 characters. Description Use the dhcp server ip-pool command to create a global DHCP address pool and enter DHCP address pool view.
  • Page 681 undo dhcp server nbns-list { ip-address | all } In system view, use the following commands to configure WINS server IP addresses in multiple DHCP interface address pools for the client. dhcp server nbns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] | all } undo dhcp server nbns-list { ip-address | all } { interface interface-type interface-number [ to interface-type interface-number ] | all }...
  • Page 682: Dhcp Server Netbios-Type

    dhcp server netbios-type Syntax In VLAN interface view, use the following commands to configure the NetBIOS node type of the DHCP clients whose IP addresses are from the current DHCP interface address pool. dhcp server netbios-type { b-node | h-node | m-node | p-node } undo dhcp server netbios-type In system view, use the following commands to configure the NetBIOS node type of the DHCP clients whose IP addresses are from multiple DHCP interface address pools.
  • Page 683: Dhcp Server Option

    # Specify p-node as the NetBIOS node type of the DHCP clients whose IP addresses are from the DHCP interface address pool of VLAN-interface 1. [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] dhcp server netbios-type p-node dhcp server option Syntax In VLAN interface view, use the following commands to customize DHCP options for the current DHCP interface address pool.
  • Page 684: Dhcp Server Ping

    If you execute the dhcp server option command repeatedly, the new configuration overwrites the previous one. For commands related to Option 184, refer to dhcp server voice-config. Related commands: option. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Configure option 100 to be 0x11 and 0x22 for all DHCP interface address pools.
  • Page 685: Dhcp Server Static-Bind

    undo dhcp server relay information enable View System view Parameters None Description Use the dhcp server relay information enable command to enable the DHCP server to handle Option 82. Use the undo dhcp server relay information enable command to configure the DHCP server to ignore Option 82.
  • Page 686: Dhcp Server Static-Bind

    By default, no IP address in an address pool is statically bound. It should be noted that: An IP address can be statically bound to only one MAC address or one client ID. A MAC address or client ID can be bound with only one IP address statically. The IP address to be statically bound cannot be an interface IP address of the device.
  • Page 687: Dhcp Server Tftp-Server Ip-Address

    Description Use the dhcp server tftp-server domain-name command to specify the TFTP server name in DHCP interface address pool for the client. When the client’s request contains Option 66 (TFTP server name), the DHCP server will return an IP address together with the name of the specified TFTP server from the interface address pool to the client.
  • Page 688: Dhcp Server Voice-Config

    address), the DHCP server will return an IP address together with the IP address of the specified TFTP server from the interface address pool to the client. Use the undo dhcp server tftp-server ip-address command to remove the TFTP server address from DHCP interface address pool for the client.
  • Page 689: Display Dhcp Server Conflict

    fail-over ip-address dialer-string: Specifies the failover IP address and dialer string. The dialer-string is a string of 0 to 39 characters, which can be 0 to 9, and “*”. interface interface-type interface-number [ to interface-type interface-number ]: Specifies the DHCP interface address pool (s).
  • Page 690: Display Dhcp Server Expired

    ip ip-address: Specifies one IP address. Description Use the display dhcp server conflict command to display the statistics of IP address conflicts on the DHCP server. Related commands: reset dhcp server conflict. Examples # Display the statistics of IP address conflicts. <Sysname>...
  • Page 691: Display Dhcp Server Free-Ip

    Examples # Display the lease expiration information about the IP addresses in all DHCP address pools. <Sysname> display dhcp server expired all Global pool: IP address Client-identifier/ Lease expiration Type Hardware address Interface pool: IP address Client-identifier/ Lease expiration Type Hardware address --- total 0 entry --- Table 1-2 Description on the fields of the display dhcp server expired command...
  • Page 692: Display Dhcp Server Ip-In-Use

    display dhcp server ip-in-use Syntax display dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ interface-type interface-number ] | all } View Any view Parameters ip ip-address: Specifies an IP address. pool [ pool-name ]: Specifies a global address pool. The pool-name argument, a string of 1 to 35 characters, is the name of an address pool.
  • Page 693: Display Dhcp Server Statistics

    Table 1-3 Description on the fields of the display dhcp server ip-in-use command (Field: Description). Global pool: Address binding information of global DHCP address pools; Interface pool: Address binding information of interface DHCP address pools; IP address: Bound IP address; Client-identifier/Hardware address: User ID or MAC address to which the IP address is bound...
  • Page 694: Display Dhcp Server Tree

    Dhcp Decline: Dhcp Release: Dhcp Inform: Boot Reply: Dhcp Offer: Dhcp Ack: Dhcp Nak: Bad Messages: Table 1-4 Description on the fields of the display dhcp server statistics command Field Description Global Pool Statistics about global address pools Interface Pool Statistics about interface address pools Pool Number Number of address pools...
  • Page 695 all: Specifies all address pools. Description Use the display dhcp server tree command to display information about address pool tree. Examples # Display the information about address pool tree. <Sysname> display dhcp server tree all Global pool: Pool name: test123 network 10.0.0.0 mask 255.0.0.0 Child node:test1234 option 30 hex AA BB...
  • Page 696: Dns-List

    (Field: Description) expired: The address lease time (in terms of number of days, hours, and minutes); gateway-list: List of the gateways configured for the DHCP client. dns-list Syntax dns-list ip-address&<1-8> undo dns-list { ip-address | all } View DHCP address pool view Parameters ip-address&<1-8>: IP address of a DNS server.
  • Page 697: Expired

    View DHCP address pool view Parameters domain-name: Domain name suffix for the DHCP client of a DHCP global address pool, a string of 3 to 50 characters. Description Use the domain-name command to configure a domain name suffix in a DHCP global address pool for the DHCP client.
  • Page 698: Gateway-List

    Related commands: dhcp server ip-pool, dhcp server expired. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Set the lease time of the IP addresses to be dynamically assigned in the DHCP global address pool 0 to 1 day, 2 hours and 3 minutes.
  • Page 699: Nbns-List

    nbns-list Syntax nbns-list ip-address&<1-8> undo nbns-list { ip-address | all } View DHCP address pool view Parameters ip-address&<1-8>: IP address of a WINS server. &<1-8> means you can provide up to eight WINS server IP addresses. When inputting more than one IP address, separate two neighboring IP addresses with a space.
  • Page 700: Network

    p-node: Specifies the p-typed node. Nodes of this type acquire host name-to-IP address mapping by communicating with the WINS server. m-node: Specifies the m-typed node. Nodes of this type are p-nodes with some broadcasting features. h-node: Specifies the h-typed node. Nodes of this type are b-nodes with peer-to-peer communicating features.
  • Page 701 Related commands: dhcp server ip-pool, dhcp server forbidden-ip. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Configure the dynamically assigned IP address range 192.168.8.0/24 for the DHCP global address pool 0. [Sysname] dhcp server ip-pool 0 [Sysname-dhcp-pool-0] network 192.168.8.0 mask 255.255.255.0 option Syntax...
  • Page 702: Reset Dhcp Server Conflict

    # Configure option 100 to be 0x11 and 0x22 for the DHCP global address pools. [Sysname] dhcp server ip-pool 0 [Sysname-dhcp-pool-0] option 100 hex 11 22 reset dhcp server conflict Syntax reset dhcp server conflict { all | ip ip-address } View User view Parameters...
  • Page 703: Reset Dhcp Server Statistics

    Description Use the reset dhcp server ip-in-use command to clear the specified or all dynamic address binding information. Related commands: display dhcp server ip-in-use. Examples # Clear the dynamic address binding information about the IP address 10.110.1.1. <Sysname> reset dhcp server ip-in-use ip 10.110.1.1 reset dhcp server statistics Syntax reset dhcp server statistics...
  • Page 704: Static-Bind Ip-Address

    Use the undo static-bind client-identifier command to delete a client ID that is statically bound in a DHCP global address pool. By default, no client ID is statically bound. Note that: The static-bind client-identifier command must be used together with the static-bind ip-address command, to respectively specify a statically bound client ID and an IP address in a DHCP global address pool.
  • Page 705: Static-Bind Mac-Address

    If you execute the static-bind ip-address command repeatedly, the new configuration overwrites the previous one. Related commands: dhcp server ip-pool, static-bind mac-address. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Bind the IP address 10.1.1.1 (with the subnet mask 255.255.255.0) to the MAC address 0000-e03f-0305.
  • Page 706: Tftp-Server Domain-Name

    # Bind the IP address 10.1.1.1 (with the subnet mask 255.255.255.0) to the MAC address 0000-e03f-0305. [Sysname] dhcp server ip-pool 0 [Sysname-dhcp-pool-0] static-bind ip-address 10.1.1.1 mask 255.255.255.0 [Sysname-dhcp-pool-0] static-bind mac-address 0000-e03f-0305 tftp-server domain-name Syntax tftp-server domain-name domain-name undo tftp-server domain-name View DHCP address pool view Parameters...
  • Page 707: Voice-Config

    Description Use the tftp-server ip-address command to specify the TFTP server IP address in a global address pool. Use the undo tftp-server ip-address command to remove the TFTP server IP address from a global address pool. By default, no TFTP server address is specified. Using the tftp-server ip-address command repeatedly will overwrite the previous configuration.
  • Page 708 By default, a DHCP server global address pool does not assign Option 184 and the corresponding sub-options to the client. Related commands: dhcp server voice-config. Examples # Enter system view <Sysname> system-view System View: return to User View with Ctrl+Z. # Enable the DHCP server to support Option 184 in global address pool 123.
  • Page 709: Dhcp Relay Agent Configuration Commands

    DHCP Relay Agent Configuration Commands DHCP Relay Agent Configuration Commands address-check Syntax address-check enable address-check disable View VLAN interface view Parameters None Description Use the address-check enable command to enable IP address match checking on the DHCP relay agent. After this feature is enabled, the DHCP relay agent can cooperate with the ARP module to check whether a requesting client’s IP and MAC addresses match a binding on the DHCP relay agent;...
  • Page 710: Dhcp Relay Information Enable

    View System view Parameters None Description Use the dhcp relay hand enable command to enable the DHCP relay handshake function. With this feature enabled, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to periodically send a handshake message to the DHCP server to determine whether or not to update the client’s binding entry.
  • Page 711: Dhcp Relay Information Strategy

    By default, with the Option 82 support function enabled on the DHCP relay agent, the DHCP relay agent will adopt the replace strategy to process the request packets containing Option 82. However, if another strategy was configured earlier, enabling Option 82 support on the DHCP relay agent will not change the configured strategy.
  • Page 712: Dhcp-Security Static

    # Configure the DHCP relay agent handling strategy for messages containing Option 82 sent by the DHCP client as drop. [Sysname] dhcp relay information strategy drop dhcp-security static Syntax dhcp-security static ip-address mac-address undo dhcp-security { ip-address | all | dynamic | static } View System view Parameters...
  • Page 713: Dhcp-Server

    auto: Specifies the auto refreshing interval, which is automatically calculated according to the number of binding entries. Description The default handshake interval is auto, the value of 60 seconds divided by the number of binding entries. Use the dhcp-security tracker command to set the interval at which the DHCP relay agent refreshes dynamic binding entries.
  • Page 714: Dhcp-Server Detect

    To improve security and avoid malicious attacks on unused sockets, S5500-EI Ethernet switches provide the following functions: UDP ports 67 and 68 used by DHCP are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows.
  • Page 715: Dhcp-Server Ip

    Examples # Enter system view <Sysname> system-view System View: return to User View with Ctrl+Z. # Enable the unauthorized-DHCP server detection function on the DHCP relay agent. [Sysname] dhcp-server detect dhcp-server ip Syntax dhcp-server groupNo ip ip-address&<1-8> undo dhcp-server groupNo View System view Parameters...
  • Page 716: Display Dhcp-Server

    Parameters ip-address: IP address. This argument is used to display the user address entry with the specified IP address. dynamic: Displays the dynamic user address entries. static: Displays the static user address entries. tracker: Displays the interval to update the user address entries. Description Use the display dhcp-security command to display information about address binding entries on the DHCP relay agent.
  • Page 717 IP address of DHCP server group 0: 1.1.1.1 IP address of DHCP server group 0: 2.2.2.2 IP address of DHCP server group 0: 3.3.3.3 IP address of DHCP server group 0: 4.4.4.4 IP address of DHCP server group 0: 5.5.5.5 IP address of DHCP server group 0: 6.6.6.6 IP address of DHCP server group 0:...
  • Page 718: Display Dhcp-Server Interface

    (Field: Description) DHCP_INFORM messages: Number of the DHCP-INFORM packets received by the DHCP relay; DHCP_RELEASE messages: Number of the DHCP-RELEASE packets received by the DHCP relay; BOOTP_REQUEST messages: Number of the BOOTP request packets; BOOTP_REPLY messages: Number of the BOOTP response packets. display dhcp-server interface Syntax display dhcp-server interface Vlan-interface vlan-id...
  • Page 719 Related commands: dhcp server, display dhcp-server. Examples # Clear the statistics information of DHCP server group 2. <Sysname> reset dhcp-server 2...
  • Page 720: Dhcp Snooping Configuration Commands

    DHCP Snooping Configuration Commands DHCP Snooping Configuration Commands dhcp-snooping Syntax dhcp-snooping undo dhcp-snooping View System view Parameters None Description Use the dhcp-snooping command to enable the DHCP snooping function. Use the undo dhcp-snooping command to disable the DHCP snooping function. After DHCP snooping is disabled, all the ports can forward DHCP replies from the DHCP server without recording the IP-to-MAC bindings of the DHCP clients.
  • Page 721: Dhcp-Snooping Information Format

    View System view Parameters None Description Use the dhcp-snooping information enable command to enable DHCP snooping Option 82. Use the undo dhcp-snooping information enable command to disable DHCP snooping Option 82. DHCP snooping Option 82 is disabled by default. Enable DHCP snooping before performing this configuration. Examples # Enable DHCP snooping Option 82.
  • Page 722: Dhcp-Snooping Information Packet-Format

    Examples # Configure the storage format of Option 82 as ASCII. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dhcp-snooping information format ascii dhcp-snooping information packet-format Syntax dhcp-snooping information packet-format { extended | standard } View System view Parameters extended: Specifies the padding format for Option 82 as the extended format.
  • Page 723: Dhcp-Snooping Information Strategy

    Use the undo dhcp-snooping information remote-id command to restore the default value of the remote ID sub-option in Option 82. By default, the remote ID sub-option in Option 82 is the MAC address of the DHCP Snooping device that received the DHCP client’s request. Examples # Configure the remote ID sub-option of Option 82 as the system name (sysname) of the DHCP snooping device.
  • Page 724: Dhcp-Snooping Information Vlan Circuit-Id

    Enable DHCP-snooping and DHCP-snooping Option 82 before performing this configuration. If a handling policy is configured on a port, this configuration overrides the globally configured handling policy for requests received on this port, while the globally configured handling policy applies on those ports where a handling policy is not natively configured. Examples # Configure the keep handling policy for DHCP requests that contain Option 82 on the DHCP snooping device.
  • Page 725: Dhcp-Snooping Information Vlan Remote-Id

    If you have configured a circuit ID with the vlan vlan-id argument specified, and the other one without the argument in Ethernet port view, the former circuit ID applies to the DHCP messages from the specified VLAN, while the latter one applies to DHCP messages from other VLANs. Examples # Set the circuit ID field in Option 82 of the DHCP messages sent through Ethernet 1/0/1 to abc.
  • Page 726: Dhcp-Snooping Trust

    Examples # Configure the remote ID of Option 82 in DHCP packets to abc on the port Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] dhcp-snooping information remote-id string abc dhcp-snooping trust Syntax dhcp-snooping trust undo dhcp-snooping trust...
  • Page 727: Display Dhcp-Snooping Trust

    Parameters unit unit-id: Displays the DHCP-snooping information on the specified device in the fabric. unit-id indicates the number of the device whose DHCP-snooping information needs to be viewed. If unit unit-id is not specified, DHCP snooping information of all units in the fabric is displayed. Description Use the display dhcp-snooping command to display the user IP-MAC address mapping entries recorded by the DHCP snooping function.
  • Page 728: Display Ip Source Static Binding

    The above display information indicates that the DHCP snooping function is enabled, and the Ethernet 1/0/10 port is a trusted port. display ip source static binding Syntax display ip source static binding [ vlan vlan-id | interface interface-type interface-number ] View Any view Parameters...
  • Page 729: Ip Check Source Ip-Address

    Description Use the ip check dot1x enable command to enable IP filtering based on IP-to-MAC mappings of authenticated 802.1x clients. Use the undo ip check dot1x enable command to disable the function. By default, IP filtering based on IP-to-MAC mappings of authenticated 802.1x clients is disabled. Note that the ip check dot1x enable and the ip check source ip-address mac-address commands are mutually exclusive.
  • Page 730: Ip Source Static Binding

    ip source static binding Syntax ip source static binding ip-address ip-address [ mac-address mac-address ] undo ip source static binding ip-address ip-address View Ethernet port view Parameters ip-address ip-address: Specifies the IP address to be statically bound. mac-address mac-address: Specifies the MAC address to be statically bound. Description Use the ip source static binding ip-address command to configure the static binding among source IP address, source MAC address, and the port number so as to generate static binding entries.
  • Page 731 Description Use the reset dhcp-snooping command to remove DHCP snooping entries from a switch. If no ip-address is specified, all DHCP snooping entries are removed. Examples # Remove all DHCP snooping entries from the switch. <Sysname> reset dhcp-snooping...
  • Page 732: Rate Limit Configuration Commands

    Rate Limit Configuration Commands Rate Limit Configuration Commands dhcp protective-down recover enable Syntax dhcp protective-down recover enable undo dhcp protective-down recover enable View System view Parameters None Description Use the dhcp protective-down recover enable command to enable port state auto-recovery on the switch.
  • Page 733: Dhcp Rate-Limit

    View System view Parameters interval: Interval (in seconds) for a port disabled due to the DHCP traffic exceeding the set threshold to be brought up again. This argument ranges from 10 to 86,400. Description Use the dhcp protective-down recover interval command to set an auto recovery interval. Use the undo dhcp protective-down recover interval command to restore the default interval.
  • Page 734: Dhcp Rate-Limit Enable

    You need to enable the function to limit DHCP traffic (refer to the dhcp rate-limit enable command) for a port before executing either of these two commands for the port. Examples # Configure the DHCP traffic threshold to 100 pps for port Ethernet 1/0/11. <Sysname>...
  • Page 735: Dhcp/Bootp Client Configuration

    DHCP/BOOTP Client Configuration DHCP Client Configuration Commands display dhcp client Syntax display dhcp client [ verbose ] View Any view Parameters verbose: Displays the detailed address allocation information. Description Use the display dhcp client command to display the information about the address allocation of DHCP clients.
  • Page 736: Ip Address Dhcp-Alloc

    Table 5-1 Description on the fields of the display dhcp client command (Field: Description). Vlan-interface1: VLAN interface operating as a DHCP client to obtain an IP address dynamically; Current machine state: The state of the client state machine; Allocated IP: IP address allocated to the DHCP client; lease: Lease period...
  • Page 737: Bootp Client Configuration Commands

    To improve security and avoid malicious attacks on unused sockets, S5500-EI Ethernet switches provide the following functions: UDP ports 67 and 68 used by DHCP are enabled/disabled only when DHCP is enabled/disabled. The implementation is as follows: After the DHCP client is enabled by executing the ip address dhcp-alloc command, UDP port 68 is enabled.
  • Page 738: Ip Address Bootp-Alloc

    Table 5-2 Description on the fields of the display bootp client command (Field: Description). Vlan-interface1: VLAN-interface 1 is configured to obtain an IP address through BOOTP; Allocated IP: IP address allocated to the VLAN interface; Transaction ID: Value of the XID field in BOOTP packets; Mac Address: MAC address of the BOOTP client; Default router...
  • Page 739 Table of Contents: 1 ACL Configuration Commands (1-1); ACL Configuration Commands (1-1); acl (1-1); description (1-2); display acl (1-3); display drv qacl_resource (1-4); display packet-filter (1-5); display time-range (1-6); packet-filter (1-7); packet-filter vlan (1-9); rule (for Basic ACLs) (1-10); rule (for Advanced ACLs) (1-12); rule (for Layer 2 ACLs) (1-19); rule (for user-defined ACLs) (1-22); rule comment (1-25)...
  • Page 740: Acl Configuration Commands

    ACL Configuration Commands ACL Configuration Commands Syntax acl number acl-number [ match-order { auto | config } ] undo acl { all | number acl-number } View System view Parameters all: Specifies to remove all access control lists (ACLs). number acl-number: Specifies the number of an existing ACL or an ACL to be defined. ACL number identifies the type of an ACL as follows.
  • Page 741: Description

    Examples # Define ACL 2000 and specify “depth-first” as the match order. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] acl number 2000 match-order auto [Sysname-acl-basic-2000] # Add three rules with different numbers of zeros in the source wildcards. [Sysname-acl-basic-2000] rule 1 permit source 1.1.1.1 0.255.255.255 [Sysname-acl-basic-2000] rule 2 permit source 2.2.2.2 0.0.255.255 [Sysname-acl-basic-2000] rule 3 permit source 3.3.3.3 0.0.0.255...
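An added example (not from the 3Com manual) that models how the three rules above are evaluated: in a source wildcard, 0 bits must match and 1 bits are ignored, and under match-order auto the rules with more zero bits are checked first. The overlapping deny/permit pair is constructed to show why the order matters when auditing an ACL, and ties under auto are assumed to keep configuration order.

```python
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str    # "permit" or "deny"
    source: int    # source address as a 32-bit integer
    wildcard: int  # 0 bits must match, 1 bits are ignored


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_rule(line):
    """Parse 'rule <id> {permit|deny} source {<addr> <wildcard> | any}'."""
    tok = line.split()
    if (len(tok) not in (5, 6) or tok[0] != "rule"
            or tok[2] not in ("permit", "deny") or tok[3] != "source"):
        raise ValueError(f"unsupported rule: {line!r}")
    if len(tok) == 5:
        if tok[4] != "any":
            raise ValueError(f"unsupported rule: {line!r}")
        return Rule(int(tok[1]), tok[2], 0, MASK32)
    return Rule(int(tok[1]), tok[2], to_int(tok[4]), to_int(tok[5]))


def covered_network(rule):
    """Source address with the ignored (wildcard) bits cleared."""
    return str(ipaddress.IPv4Address(rule.source & ~rule.wildcard & MASK32))


def matches(rule, addr):
    """True when addr equals the rule source on every 0 bit of the wildcard."""
    return (to_int(addr) ^ rule.source) & ~rule.wildcard & MASK32 == 0


def evaluation_order(rules, match_order):
    """Return the rules in the order they are compared against a packet."""
    if match_order == "config":
        return list(rules)  # list order is taken as configuration order
    if match_order == "auto":
        # Depth-first: more zero bits means a narrower source range.
        def zero_bits(rule):
            return 32 - bin(rule.wildcard).count("1")
        # sorted() is stable, so equal-depth rules keep configuration order
        # (an assumption of this sketch).
        return sorted(rules, key=zero_bits, reverse=True)
    raise ValueError(f"unknown match order: {match_order!r}")


def first_match(rules, addr, match_order):
    """First rule that matches addr, or None (no-match handling not modelled)."""
    for rule in evaluation_order(rules, match_order):
        if matches(rule, addr):
            return rule
    return None


# The three rules from the manual's example.
PAGE_RULES = [parse_rule(text) for text in (
    "rule 1 permit source 1.1.1.1 0.255.255.255",
    "rule 2 permit source 2.2.2.2 0.0.255.255",
    "rule 3 permit source 3.3.3.3 0.0.0.255",
)]

# Constructed pair (not from the manual): a broad deny and a narrow permit.
OVERLAP = [parse_rule(text) for text in (
    "rule 1 deny source 10.0.0.0 0.255.255.255",
    "rule 2 permit source 10.1.1.0 0.0.0.255",
)]

if __name__ == "__main__":
    for order in ("config", "auto"):
        ids = [r.rule_id for r in evaluation_order(PAGE_RULES, order)]
        print(f"manual rules, match-order {order}: {ids}")
    for rule in PAGE_RULES:
        print(f"rule {rule.rule_id} effectively starts at {covered_network(rule)}")
    for order in ("config", "auto"):
        hit = first_match(OVERLAP, "10.1.1.5", order)
        print(f"10.1.1.5, match-order {order}: rule {hit.rule_id} {hit.action}")
```
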
  • Page 742: Display Acl

    Examples # Assign description string “This ACL is used for filtering all HTTP packets” to ACL 3000. <Sysname> system-view [Sysname] acl number 3000 [Sysname-acl-adv-3000] description This ACL is used for filtering all HTTP packets # Use the display acl command to view the configuration information of ACL 3000. [Sysname-acl-adv-3000] display acl 3000 Advanced ACL 3000, 0 rule...
  • Page 743: Display Drv Qacl_Resource

    Table 1-1 Description on the fields of the display acl command (Field: Description). Basic ACL 2000: The displayed information is about the basic ACL 2000. 3 rules: The ACL includes three rules. match-order is auto: The match order of the ACL is depth-first. If this field is not displayed, the match order of the ACL is config.
  • Page 744: Display Packet-Filter

    Table 1-2 Description on the fields of the display drv qacl_resource command Field Description On the front panel, from left to right, every four columns of FE ports (total of eight FE ports) represents a block numbered starting from 0. That is, 0 indicates Ethernet 1/0/1 to Ethernet 1/0/4 and Ethernet 1/0/25 to Ethernet 1/0/28, 1 indicates Ethernet 1/0/5 to Ethernet 1/0/8 and...
  • Page 745: Display Time-Range

    former case, the unit-id argument is in the range 1 to 8; in the latter case, the unit-id argument can only be 1. Description Use the display packet-filter command to display information about packet filtering. Examples # Display information about packet filtering on all ports of a switch that is not in a fabric. <Sysname>...
  • Page 746: Packet-Filter

    Description Use the display time-range command to display the configuration and status of a time range or all the time ranges. For active time ranges, this command displays “Active”; for inactive time ranges, this command displays “Inactive”. Related commands: time-range. Examples # Display all time ranges.
  • Page 747 Table 1-5 Combined application of ACLs (Combination mode: The acl-rule argument). Apply all the rules of an ACL that is of IP type (The ACL can be a basic ACL or an advanced ACL.): ip-group acl-number; Apply a rule of an ACL that is of IP type: ip-group acl-number rule rule-id; Apply all the rules of a Layer 2 ACL: link-group acl-number...
  • Page 748: Packet-Filter Vlan

    # Apply rule 2 of user-defined ACL 5000 on Ethernet 1/0/3 to filter inbound packets. Here, it is assumed that the ACL and its rule numbered 2 are already configured. [Sysname] interface Ethernet 1/0/3 [Sysname-Ethernet1/0/3] packet-filter inbound user-group 5000 rule 2 [Sysname-Ethernet1/0/3] quit # Apply rule 1 of advanced ACL 3000 and rule 2 of Layer 2 ACL 4000 on Ethernet 1/0/4 to filter inbound packets.
  • Page 749: Rule (For Basic Acls)

    # Apply rule 1 of Layer 2 ACL 4000 on all ports in VLAN 20 to filter outbound packets. Here, it is assumed that the ACL and its rule numbered 1 and the VLAN are already configured. [Sysname] packet-filter vlan 20 outbound link-group 4000 rule 1 # Apply rule 2 of user-defined ACL 5000 on all ports in VLAN 30 to filter inbound packets.
  • Page 750 Table 1-6 Parameters for basic IPv4 ACL rules. Parameters: source { sour-addr sour-wildcard | any }. Function: Specifies a source address. Description: The sour-addr sour-wildcard argument specifies a source IP address in dotted decimal notation. Setting the wildcard to a zero indicates a host address. The any keyword indicates any source IP address.
  • Page 751: Rule (For Advanced Acls)

    be the greatest rule number plus one. If the current greatest rule number is 65534, however, the system will display an error message and you need to specify a number for the rule. The content of a modified or created rule cannot be identical with the content of any existing rule; otherwise the rule modification or creation will fail, and the system prompts that the rule already exists.
  • Page 752 protocol: Protocol carried by IP. When the protocol is represented by numeral, it ranges from 1 to 255; when the protocol is represented by name, it can be gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), and udp (17). rule-string: ACL rule information, which can be a combination of the parameters described in Table 1-7.
  • Page 753 Arguments/Keyword Type Function Description time-name: specifies the name of the time Specifies the time Time range range in which the rule time-range time-name range in which the rule information is active; a string takes effect. comprising 1 to 32 characters. The sour-wildcard/dest-wildcard argument is the complement of the wildcard mask of the source/destination subnet mask.
  • Page 754 Keyword DSCP value in decimal DSCP value in binary 110000 111000 101110 If you specify the precedence keyword, you can directly input a value ranging from 0 to 7 or input one of the keywords listed in Table 1-9 as IP precedence. Table 1-9 IP precedence values and the corresponding keywords Keyword IP Precedence in decimal...
  • Page 755 Table 1-11 TCP/UDP-specific ACL rule information Parameters Type Function Description The value of operator can be lt (less than), gt (greater than), eq (equal to), neq (not source-port Defines the source port equal to) or range (within the operator port1 Source port information of UDP/TCP range of).
  • Page 756 Table 1-12 TCP or UDP port values Type Value CHARgen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80) biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90),...
  • Page 757 Name ICMP type ICMP code port-unreachable Type=3 Code=3 protocol-unreachable Type=3 Code=2 reassembly-timeout Type=11 Code=1 source-quench Type=4 Code=0 source-route-failed Type=3 Code=5 timestamp-reply Type=14 Code=0 timestamp-request Type=13 Code=0 ttl-exceeded Type=11 Code=0 Parameters of the undo rule command rule-id: Rule ID, which must be the ID of an existing ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
  • Page 758: Rule (For Layer 2 Acls)

    If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule will be the greatest rule number plus one. If the current greatest rule number is 65534, however, the system will display an error message and you need to specify a number for the rule.
  • Page 759 Table 1-15 Layer 2 ACL rule information Parameters Type Function Description Specifies the link layer This argument can be Link layer encapsulation type in 802.3/802.2, 802.3, format-type encapsulation type the rule ether_ii, or snap. lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal number.
  • Page 760 Parameters Type Function Description protocol-type: Protocol Specifies the protocol type. type protocol-type Protocol type of type of Ethernet protocol-mask Ethernet frames protocol-mask: frames for the ACL rule Protocol type mask. When layer 2 ACLs are applied to ports or VLANs of the Switch 5500-EI series, rules configured with the format-type argument and the lsap keyword are invalid.
  • Page 761: Rule (For User-Defined Acls)

    After completing the above configuration, you can use the display acl command to view the configuration information of the ACLs. rule (for user-defined ACLs) Syntax rule [ rule-id ] { deny | permit } [ rule-string rule-mask offset ] &<1-8> [ time-range time-name ] undo rule rule-id View User-defined ACL view...
  • Page 762 Offset unit 2 to 5 6 to 9 10 to 13 14 to 17 18 to 21 22 to 25 26 to 29 30 to 33 6 to 9 10 to 13 14 to 17 18 to 21 22 to 25 26 to 29 30 to 33 34 to 37...
  • Page 763 Protocol number Offset when VLAN-VPN is Offset when VLAN-VPN is Protocol in hexadecimal not enabled on any port enabled on a port RARP 0x8035 0x0800 0x8137 AppleTalk 0x809B ICMP 0x01 IGMP 0x02 0x06 0x11 Examples # Create user-defined ACL 5000 and define rule 1 to deny all TCP packets (it is assumed that no port is enabled with the VLAN-VPN function).
  • Page 764: Rule Comment

    In this example, the 32-byte rule string occupies eight offset units: 4 to 7 (Offset2), 8 to 11 (Offset3), 12 to 15 (Offset4), 16 to 19 (Offset5), 20 to 23 (Offset1), 24 to 27 (Offset7), 28 to 31 (Offset8), and 32 to 35 (Offset6), as shown in Table 1-16.
  • Page 765: Time-Range

    Examples # Define the comment “This rule is to be applied to Ethernet 1/0/1” for rule 0 of advanced ACL 3001. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule 0 comment This rule is to be applied to Ethernet 1/0/1 # Use the display acl command to view the configuration information of advanced ACL 3001.
  • Page 766 jointly define a period in which the absolute time range takes effect. If the start date is not specified, the time range starts from 1970/01/01 00:00. to end-time end-date: Specifies the end date of an absolute time range, in the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD.
  • Page 767 From 12:00 Jan/1/2008 to 12:00 Jun/1/2008...
  • Page 768 Table of Contents: 1 QoS Commands 1-1; QoS Commands 1-1; burst-mode enable 1-1; display protocol-priority 1-2; display qos cos-local-precedence-map 1-3; display qos-interface all 1-4; display qos-interface line-rate 1-6; display qos-interface mirrored-to 1-7; display qos-interface traffic-limit 1-8; display qos-interface traffic-priority 1-8; display qos-interface traffic-redirect 1-9; display qos-interface traffic-remark-vlanid 1-10; display qos-interface traffic-statistic 1-10; display queue-scheduler 1-11; line-rate 1-12...
  • Page 769: Qos Commands

    QoS Commands QoS Commands burst-mode enable Syntax burst-mode enable undo burst-mode enable View System view Parameters None Description Use the burst-mode enable command to enable the burst function. Use the undo burst-mode enable command to disable the burst function. By default, the burst function is disabled. The burst function improves packet buffering and forwarding performance in the following scenarios: Dense broadcast or multicast traffic and massive burst traffic are present.
  • Page 770: Display Protocol-Priority

    Examples # Enable the burst function. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] burst-mode enable display protocol-priority Syntax display protocol-priority View Any view Parameters None Description Use the display protocol-priority command to display the list of protocol priorities you assigned with the protocol-priority command.
  • Page 771: Display Qos Cos-Local-Precedence-Map

    Field Description An IP precedence has been assigned to OSPF packets. The assigned IP precedence is 0, that is, routine in words. IP-Precedence: routine(0) For information about the IP precedence range, refer to Table 1-6. Indicate that a priority has been set for Protocol: telnet Telnet packets with the protocol-priority command.
  • Page 772: Display Qos-Interface All

    local precedence(queue) : display qos-interface all Syntax display qos-interface { interface-type interface-number | unit-id } all View Any view Parameters interface-type interface-number: Specifies the type and number of a port, for which QoS configuration information is to be displayed. unit-id: Unit ID of the switch whose QoS-related configuration is to be displayed. Table 1-2 shows the value range for the unit-id argument.
  • Page 773 Priority action: dscp cs6 Ethernet1/0/1: traffic-redirect Inbound: Matches: Acl 2000 rule 0 running Redirected to: interface Ethernet1/0/2 Ethernet1/0/1: traffic-statistic Inbound: Matches: Acl 2000 rule 0 running 6 packets inprofile 0 packet outprofile Ethernet1/0/1: mirrored-to Inbound: Matches: Acl 2000 rule 0 running Mirrored to: monitor interface Ethernet1/0/1: line-rate...
  • Page 774: Display Qos-Interface Line-Rate

    Field Description Inbound Packet direction Matches ACL rules for traffic classifying Union effect, indicating that the ACL referenced in the Effect mode traffic-limit command takes effect together with the other ACLs applied to the port. Egress port The specified egress port Target rate Traffic policing target rate, in kbps Bucket burst size...
  • Page 775: Display Qos-Interface Mirrored-To

    Parameters interface-type interface-number: Specifies the type and number of the port, of which the line rate configuration is to be displayed. unit-id: Unit ID of the switch for which line rate configuration is to be displayed. For the value range for the unit-id argument, refer to Table 1-2.
  • Page 776: Display Qos-Interface Traffic-Limit

    Ethernet1/0/1: mirrored-to Inbound: Matches: Acl 2000 rule 0 running Mirrored to: monitor interface Refer to Table 1-3 for the description on the output fields. display qos-interface traffic-limit Syntax display qos-interface { interface-type interface-number | unit-id } traffic-limit View Any view Parameters interface-type interface-number: Specifies the type and number of a port for which traffic policing configuration is to be displayed.
  • Page 777: Display Qos-Interface Traffic-Redirect

    View Any view Parameters interface-type interface-number: Specifies the type and number of a port for which priority marking configuration is to be displayed. unit-id: Unit ID of the switch whose priority marking configuration is to be displayed. For the value range for the unit-id argument, refer to Table 1-2.
  • Page 778: Display Qos-Interface Traffic-Remark-Vlanid

    Examples # Display the traffic redirecting configuration of Ethernet 1/0/1. <Sysname> display qos-interface Ethernet1/0/1 traffic-redirect Ethernet1/0/1: traffic-redirect Inbound: Matches: Acl 3000 rule 0 running Redirected to: interface Ethernet1/0/2 Refer to Table 1-3 for the description on the output fields. display qos-interface traffic-remark-vlanid Syntax display qos-interface { interface-type interface-number | unit-id } traffic-remark-vlanid View...
  • Page 779: Display Queue-Scheduler

    View Any view Parameters interface-type interface-number: Specifies the type and number of a port for which traffic accounting configuration is to be displayed. unit-id: Unit ID of the switch for which traffic accounting configuration and traffic statistics are to be displayed. For the value range for the unit-id argument, refer to Table 1-2.
  • Page 780: Line-Rate

    Examples # Display the global queue scheduling configuration. <Sysname> display queue-scheduler Queue scheduling mode: weighted round robin weight of queue 0: 1 weight of queue 1: 2 weight of queue 2: 3 weight of queue 3: 4 weight of queue 4: 5 weight of queue 5: 9 weight of queue 6: 13 weight of queue 7: 15...
  • Page 781 Compared to traffic policing, line rate applies to all the inbound or outbound packets passing through a port and is thus a simpler solution when you only want to limit the rate of all the inbound or outbound packets passing through a port as a whole. Related commands: display qos-interface line-rate.
  • Page 782 ACL combination Form of the acl-rule argument Apply a rule in a user-defined ACL user-group acl-number rule rule-id Apply a rule in a Layer 3 ACL and a rule in ip-group acl-number rule rule-id a Layer 2 ACL link-group acl-number rule rule-id Table 1-5 Description on the parameters used in Table 1-4 Parameter...
  • Page 783: Priority

    [Sysname-acl-basic-2000] rule permit source 1.1.1.1 0 [Sysname-acl-basic-2000] quit [Sysname] interface Ethernet 1/0/4 [Sysname-Ethernet1/0/4] monitor-port [Sysname-Ethernet1/0/4] quit [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] mirrored-to inbound ip-group 2000 monitor-interface [Sysname-Ethernet1/0/1] quit # Configure traffic mirroring on Ethernet 1/0/2, duplicating the inbound packets matching ACL 2000 to the CPU.
  • Page 784: Priority Trust

    After you execute the priority command on a port, the port priority rather than the 802.1p priority of each inbound 802.1q-tagged packet is used to identify the matching local precedence for the packet (in the 802.1p-precedence-to-local precedence mapping table). Then, the packet is assigned to the output queue corresponding to the local precedence. If the priority command, the priority trust command, and the undo priority command are configured on the same port, the command configured the last applies.
  • Page 785: Protocol-Priority Protocol-Type

    Examples # Configure the switch to trust the 802.1p priority of 802.1q-tagged packets on Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] priority trust protocol-priority protocol-type Syntax protocol-priority protocol-type protocol-type { ip-precedence ip-precedence | dscp dscp-value } undo protocol-priority protocol-type protocol-type View...
  • Page 786 Table 1-7 DSCP precedence values in words and in digits DSCP precedence (in words) DSCP precedence (in digits) af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 be (the default) Description Use the protocol-priority command to set the global IP precedence or DSCP precedence for the specified type of protocol packets generated by the current switch.
  • Page 787: Qos Cos-Local-Precedence-Map

    On a Switch 5500-EI, you can set priority for protocol packets of Telnet, OSPF, SNMP, and ICMP. Examples # Set the IP precedence to 3 for SNMP protocol packets. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] protocol-priority protocol-type snmp ip-precedence 3 # Set the DSCP precedence of Telnet packets to 30, corresponding to the keyword af33.
  • Page 788 cos6-map-local-prec: Local precedence to which 802.1p 6 is to be mapped, in the range 0 to 7. cos7-map-local-prec: Local precedence to which 802.1p 7 is to be mapped, in the range 0 to 7. Description Use the qos cos-local-precedence-map command to configure 802.1p priority-to-local precedence mapping. Use the undo qos cos-local-precedence-map command to restore the default settings.
  • Page 789: Queue-Scheduler

    queue-scheduler Syntax In system view queue-scheduler { strict-priority | wfq queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight } undo queue-scheduler In Ethernet port view queue-scheduler queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width queue0-weight...
  • Page 790 Use the undo queue-scheduler command to restore the default. By default, the WRR algorithm is used for all the output queues of a port. The default weights of queues 0 through 7 are 1, 2, 3, 4, 5, 9, 13, and 15, as shown in Table 1-9.
  • Page 791: Reset Traffic-Statistic

    scheduling configuration only when the configuration of a port is different from the global configuration. Related commands: display queue-scheduler. Examples # Configure WRR as the queuing algorithm and set the weights of queues 0 through 7 to 2, 2, 4, 4, 6, 6, 8, and 8 globally in system view. <Sysname>...
  • Page 792 Parameters inbound: Specifies to clear the statistics of the inbound packets on the port. acl-rule: ACL rules to be applied. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-4 and Table 1-5.
  • Page 793: Traffic-Limit

    traffic-limit Syntax traffic-limit inbound acl-rule union-effect egress-port interface-type interface-number ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ] undo traffic-limit inbound acl-rule View Ethernet port view Parameters inbound: Imposes traffic limit on the packets received through the interface. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs.
  • Page 794 On Ethernet 1/0/1, assume that the filter command is configured to filter packets destined to IP address 2.2.2.2 and the traffic-limit command is configured to limit the rate of packets sourced from IP address 1.1.1.1 within 128 kbps. Whether packets conforming to the rate limit of 128 kbps, sourced from IP address 1.1.1.1, and destined to IP address 2.2.2.2 (referred to as packets A later) will be dropped depends on the union-effect keyword of the traffic-limit command.
  • Page 795: Traffic-Priority

    The granularity of rate limit is 64 kbps. If the number you input is in the range N*64 to (N+1)*64 (N is a natural number), it will be rounded off to (N+1)*64. burst-bucket burst-bucket-size: Specifies the maximum burst traffic size (in KB) allowed. The burst-bucket-size argument ranges from 4 to 512 and defaults to 512.
  • Page 796 outbound: Performs priority marking on the outbound packets. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-4 and Table 1-5. Note that the ACL rules referenced must be those defined with the permit keyword.
  • Page 797 If IP precedence or DSCP marking is configured, the traffic will be marked with new IP precedence or DSCP precedence. Do not configure 802.1p priority marking and local precedence marking for the same traffic. With 802.1p priority marking, the new 802.1p priority will be mapped to a local precedence automatically.
  • Page 798: Traffic-Priority Vlan

    traffic-priority vlan Syntax traffic-priority vlan vlan-id { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } | local-precedence pre-value }* undo traffic-priority vlan vlan-id { inbound | outbound } acl-rule View System view Parameters...
  • Page 799: Traffic-Redirect

    Do not configure 802.1p priority marking and local precedence marking for the same traffic. With 802.1p priority marking, the new 802.1p priority will be mapped to a local precedence automatically. If local precedence marking is also configured, there will be two local precedence values for the traffic, resulting in conflict.
  • Page 800 link-aggregation-group agg-id: Specifies the aggregation group the traffic is to be redirected to. The agg-id argument is the ID of an aggregation group, in the range 1 to 416. untagged: Specifies to remove the outer VLAN tag of a packet after the packet is redirected to a port or an aggregation group.
  • Page 801: Traffic-Statistic

    traffic-remark-vlanid Syntax traffic-remark-vlanid inbound acl-rule remark-vlan remark-vlanid undo traffic-remark-vlanid inbound acl-rule View Ethernet port view Parameters inbound: Maps the VLAN IDs carried in the inbound packets to a specified VLAN ID. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs.
  • Page 802: Wred

    View Ethernet port view Parameters inbound: Enables traffic accounting for the inbound packets. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-4 and Table 1-5.
  • Page 803 Parameters queue-index: Queue number in the range of 0 to 7. qstart: Number of the packets contained in the queue, in the range 1 to 128. probability: Dropping probability in the range of 0 to 92 (in percentage). Description Use the wred command to enable the WRED function. Use the undo wred command to restore the default.
  • Page 804: Qos Profile Configuration Commands

    QoS Profile Configuration Commands QoS Profile Configuration Commands apply qos-profile Syntax In system view apply qos-profile profile-name interface interface-list undo apply qos-profile profile-name interface interface-list In Ethernet port view apply qos-profile profile-name undo apply qos-profile profile-name View System view, Ethernet port view Parameters profile-name: QoS profile name, a case-insensitive string of 1 to 32 characters and starting with English letters [a-z, A-Z].
  • Page 805: Display Qos-Profile

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] apply qos-profile a123 interface Ethernet1/0/1 to Ethernet1/0/4 display qos-profile Syntax display qos-profile { all | name profile-name | interface interface-type interface-number | user user-name } View Any view Parameters all: Specifies all the QoS profiles.
  • Page 806 <Sysname> display qos-profile interface Ethernet 1/0/1 User's qos-profile applied mode: user-based Default applied qos-profile: test, 3 actions packet-filter inbound ip-group 2000 rule 0 traffic-limit inbound ip-group 3000 rule 0 64 traffic-priority inbound ip-group 4000 rule 0 cos controlled-load # Display the configuration of the QoS profile applied to Ethernet 1/0/2, assuming that the QoS profile has been applied to Ethernet 1/0/2 dynamically.
  • Page 807: Packet-Filter

    packet-filter Syntax packet-filter { inbound | outbound } acl-rule undo packet-filter { inbound | outbound } acl-rule View QoS profile view Parameters inbound: Filters the inbound packets. outbound: Filters the outbound packets. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs.
  • Page 808: Qos-Profile Port-Based

    Parameters profile-name: QoS profile name, a case-insensitive string of 1 to 32 characters, starting with an English letter in the range a to z and A to Z. Note that a QoS profile name cannot be all, interface, user, undo, or name.
  • Page 809: Traffic-Limit

    If the 802.1x authentication is MAC-based, you need to configure the QoS profile application mode to be user-based. If the 802.1x authentication is port-based, you need to configure the QoS profile application mode to be port-based. Examples # Configure the QoS profile application mode on Ethernet 1/0/1 to be port-based. <Sysname>...
  • Page 810 On Ethernet 1/0/1, assume that the filter command is configured to filter packets destined to IP address 2.2.2.2 and the traffic-limit command is configured to limit the rate of packets sourced from IP address 1.1.1.1 within 128 kbps. Whether packets conforming to the rate limit of 128 kbps, sourced from IP address 1.1.1.1, and destined to IP address 2.2.2.2 (referred to as packets A later) are dropped depends on the union-effect of the traffic-limit command.
  • Page 811: Traffic-Priority

    drop: Drops the packets. remark-dscp value: Sets a new DSCP value for the packets and then forwards the packets. Description Use the traffic-limit command to add the traffic policing action to a QoS profile. Use the undo traffic-limit command to remove the traffic policing action from a QoS profile. Examples # Add traffic policing action to the QoS profile named a123 to limit the rate of the inbound packets sourced from IP address 1.1.1.1 to 128 kbps and drop the packets exceeding 128 kbps.
  • Page 812 local-precedence pre-value: Sets the local precedence value, in the range of 0 to 7. Description Use the traffic-priority command to add a priority marking action to a QoS profile. Use the undo traffic-priority command to remove a priority marking action from a QoS profile. Do not configure 802.1p priority marking and local precedence marking for the same traffic.
  • Page 813 Table of Contents: 1 Mirroring Commands 1-1; Mirroring Commands 1-1; display mirroring-group 1-1; mirroring-group 1-3; mirroring-group mirroring-port 1-3; mirroring-group monitor-port 1-4; mirroring-group reflector-port 1-5; mirroring-group remote-probe vlan 1-6; mirroring-port 1-7; monitor-port 1-8; remote-probe vlan enable...
  • Page 814: Mirroring Commands

    Mirroring Commands Mirroring Commands display mirroring-group Syntax display mirroring-group { group-id | all | local | remote-destination | remote-source } View Any view Parameters group-id: Specifies the mirroring group of which the configurations are to be displayed. The argument takes a value in the range of 1 to 20. all: Specifies to display the parameter settings of all mirroring groups.
  • Page 815 type: remote-source status: active mirroring port: Ethernet1/0/1 inbound reflector port: Ethernet1/0/2 remote-probe vlan: 10 # Display the configurations of a remote destination mirroring group on your Switch 5500-EI. <Sysname> display mirroring-group 3 mirroring-group 3: type: remote-destination status: active monitor port: Ethernet1/0/3 remote-probe vlan: 20 Table 1-1 Description on the fields of the display mirroring-group command Field...
  • Page 816: Mirroring-Group Mirroring-Port

    mirroring-group Syntax mirroring-group group-id { local | remote-destination | remote-source } undo mirroring-group { group-id | all | local | remote-destination | remote-source } View System view Parameters group-id: Number of a port mirroring group, in the range 1 to 20. all: Specifies to remove all mirroring groups.
  • Page 817: Mirroring-Group Monitor-Port

    View System view, Ethernet port view Parameters group-id: Number of a port mirroring group, in the range 1 to 20. mirroring-port mirroring-port-list: Specifies a list of source ports. mirroring-port-list is available in system view only, and there is no such argument in Ethernet port view. mirroring-port-list is provided in the format of mirroring-port-list = { interface-type interface-number [ to interface-type interface-number ] }&<1-8>, where interface-type is the port type, and interface-number is the port number, and &<1-8>...
  • Page 818: Mirroring-Group Reflector-Port

    undo mirroring-group group-id monitor-port monitor-port View System view, Ethernet port view Parameters group-id: Number of a port mirroring group, in the range 1 to 20. monitor-port monitor-port: Specifies the destination port for port mirroring. monitor-port is available in system view only, and there is no such argument in Ethernet port view. Description Use the mirroring-group monitor-port command to configure the destination port for a local mirroring group or a remote destination mirroring group.
  • Page 819: Mirroring-Group Remote-Probe Vlan

    Parameters group-id: Number of a port mirroring group, in the range 1 to 20. reflector-port reflector-port: Specifies the reflector port. reflector-port is available in system view only, and there is no such argument in Ethernet port view. Description Use the mirroring-group reflector-port command to specify the reflector port for a remote source mirroring group.
  • Page 820 Description Use the mirroring-group remote-probe vlan command to specify the remote-probe VLAN for a remote source/destination mirroring group. Use the undo mirroring-group remote-probe vlan command to remove the configuration of remote-probe VLAN for a remote source/destination mirroring group. Note that, before configuring a VLAN as the remote-probe VLAN for a remote source/destination mirroring group, you need to use the remote-probe vlan enable command to configure the VLAN as a remote-probe VLAN first.
  • Page 821 A copy of each packet passing through a source port will be sent to the corresponding destination port. Related commands: display mirroring-group. When you configure mirroring source port on an Ethernet port of a Switch 5500-EI, if mirroring group 1 does not exist, the switch will automatically create local mirroring group 1 and add the source port to the group;...
  • Page 822: Remote-Probe Vlan Enable

    It is recommended that you use a destination port for port mirroring purpose only. Do not use a destination port to transmit other service packets. Related commands: display mirroring-group. When you configure mirroring destination port on an Ethernet port of a Switch 5500-EI, if mirroring group 1 does not exist, the switch will automatically create local mirroring group 1 and add the destination port to the group;...
  • Page 823 Related commands: mirroring-group remote-probe vlan. Examples # Configure VLAN 5 as the remote-probe VLAN. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] vlan 5 [Sysname-vlan5] remote-probe vlan enable...
  • Page 824 Table of Contents: 1 Web Cache Redirection Configuration Commands 1-1; Web Cache Redirection Configuration Commands 1-1; display webcache 1-1; webcache address 1-2; webcache redirect-vlan 1-4...
  • Page 825: Web Cache Redirection Configuration Commands

    Web Cache Redirection Configuration Commands Web Cache Redirection Configuration Commands display webcache Syntax display webcache View Any view Parameters None Description Use the display webcache command to view Web cache redirection configuration and the status of Web cache. Examples # Display Web cache redirection configuration and the status of Web cache. [Sysname] display webcache webcache IP address: 1.1.1.1 webcache MAC address: 000f-e20f-0000...
  • Page 826: Webcache Address

    Field: Description. webcache port: Port that connects to the Web cache server. webcache VLAN: VLAN that the Web cache server belongs to. webcache TCP port: Number of the TCP port used by HTTP packets. Redirected VLANs, referring to the VLANs whose HTTP packets are to be redirected to the Web cache server.
  • Page 827 mac-address: MAC address of the Web cache server. vlan-id: ID of the VLAN where Web cache server is to be located. port interface-type interface-number: Specifies the port through which the switch is connected to the Web cache server. interface-type interface-number is the port type and port number.
  • Page 828: Webcache Redirect-Vlan

    [Sysname] interface Ethernet 1/0/4 [Sysname-Ethernet1/0/4] webcache address 1.1.1.1 mac 0012-0990-2250 vlan 40 webcache redirect-vlan Syntax webcache redirect-vlan vlan-id undo webcache redirect-vlan [ vlan-id ] View System view Parameters vlan-id: ID of the VLAN whose HTTP traffic is to be redirected. Description Use the webcache redirect-vlan command to configure a VLAN as a redirected VLAN, that is, specify to redirect the HTTP traffic of the VLAN to the Web cache server.
  • Page 829 Table of Contents: 1 PoE Configuration Commands (1-1); PoE Configuration Commands (1-1); display poe disconnect (1-1); display poe interface (1-1); display poe interface power (1-3); display poe powersupply (1-4); display poe temperature-protection (1-5); poe disconnect (1-6); poe enable (1-6); poe legacy enable (1-7); poe max-power (1-7); poe mode (1-8); poe power-management (1-9); poe priority (1-9)...
  • Page 830: Poe Configuration Commands

    PoE Configuration Commands PoE Configuration Commands display poe disconnect Syntax display poe disconnect View Any view Parameters None Description Use the display poe disconnect command to view the current PD disconnection detection mode of the switch. Examples # Display the PD disconnection detection mode. <Sysname>...
  • Page 831 Examples # Display the PoE status of Ethernet 1/0/10. <Sysname> display poe interface Ethernet1/0/10 Port power enabled :enable Port power ON/OFF Port power status :Standard PD was detected Port power mode :signal Port PD class port power priority :low Port max power :15400 mW Port current power :460 mW...
  • Page 832: Display Poe Interface Power

    Ethernet1/0/1 enable signal Standard PD was detected Ethernet1/0/2 enable signal Standard PD was detected Ethernet1/0/3 enable signal detection is in process Ethernet1/0/4 enable signal detection is in process Ethernet1/0/5 enable signal detection is in process Ethernet1/0/6 enable signal detection is in process Ethernet1/0/7 enable signal...
  • Page 833: Display Poe Powersupply

    Description Use the display poe interface power command to view the power information of a specific port of the switch. If the interface-type interface-number argument is not specified, the command displays the power information of all ports of the switch. Examples # Display the power information of Ethernet 1/0/10.
  • Page 834: Display Poe Temperature-Protection

    PSE Software Version :290 PSE Hardware Version :000 PSE CPLD Version :078 PSE Power-Management mode :auto Table 1-3 display poe powersupply command output description. Field: Description. PSE ID: Identification of the PSE. PSE Legacy Detection: The enabled/disabled status of the nonstandard PD detection. PSE Total Power Consumption: Total power consumption of the PSE...
  • Page 835: Poe Disconnect

    <Sysname> display poe temperature-protection The temperature protection is enabled. poe disconnect Syntax poe disconnect { ac | dc } undo poe disconnect View System view Parameters ac: Specifies the PD disconnection detection mode as ac. dc: Specifies the PD disconnection detection mode as dc. Description Use the poe disconnect command to configure a PD disconnection detection mode.
  • Page 836: Poe Legacy Enable

    If you delete the default configuration file without specifying another one, the PoE function on a port will be disabled after you restart the device. You can use the display poe interface command to display whether PoE is enabled on a port. Examples # Enable the PoE feature on Ethernet 1/0/3.
  • Page 837: Poe Mode

    Parameters max-power: Maximum power distributed to the port, ranging from 1,000 to 15,400, in mW. Description Use the poe max-power command to configure the maximum power that can be supplied by the current port. Use the undo poe max-power command to restore the maximum power supplied by the current port to the default value.
  • Page 838: Poe Power-Management

    System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/3 [Sysname-Ethernet1/0/3] poe mode signal poe power-management Syntax poe power-management { auto | manual } undo poe power-management View System view Parameters auto: Adopts the auto mode, namely, a PoE management mode based on PoE priority of the port. manual: Adopts the manual mode.
  • Page 839: Poe Temperature-Protection

    Description Use the poe priority command to configure the PoE priority of a port. Use the undo poe priority command to restore the default PoE priority. By default, the PoE priority of a port is low. When the available power of the PSE is too small, the PoE priority and the PoE management mode are used together to determine how to allocate PoE power for the new PDs.
  • Page 840: Poe Update

    You can use the display poe temperature-protection command to display whether PoE over-temperature protection is enabled on the switch. Examples # Disable PoE over-temperature protection on the switch. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] undo poe temperature-protection enable The temperature protection is disabled.
  • Page 841: Update Fabric

    [Sysname] poe update refresh 0400_001.S19 Update PoE board successfully update fabric Syntax update fabric { file-url | device-name file-url } View User view Parameters file-url: File path + file name of the host software in the flash memory, a string of 1 to 64 characters. The specified PSE processing software is a file with the extension .s19.
  • Page 842: Poe Profile Configuration Commands

    PoE Profile Configuration Commands PoE Profile Configuration Commands apply poe-profile Syntax In system view use the following commands: apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] undo apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] In Ethernet port view use the following commands: apply poe-profile profile-name undo apply poe-profile profile-name...
  • Page 843: Display Poe-Profile

    PoE profile is a set of PoE configurations. One PoE profile can contain multiple PoE features. When the apply poe-profile command is used to apply a PoE profile to a port, some PoE features can be applied successfully while some cannot. PoE profiles are applied to Switch 5500-EI according to the following rules: When the apply poe-profile command is used to apply a PoE profile to a port, the PoE profile is applied successfully only if one PoE feature in the PoE profile is applied properly.
  • Page 844: Poe-Profile

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] display poe-profile name profile-test Poe-profile: profile-test, 3 action poe enable poe max-power 5000 poe priority critical poe-profile Syntax poe-profile profile-name undo poe-profile profile-name View System view Parameters profile-name: Name of PoE profile, a string of 1 to 15 characters. It starts with a letter from a to z or from A to Z, and it cannot be any of reserved keywords like all, interface, user, undo, and mode.
  • Page 845 Table of Contents: 1 XRN Fabric Commands (1-1); XRN Fabric Commands (1-1); change self-unit (1-1); change unit-id (1-2); display ftm (1-4); display xrn-fabric (1-7); fabric member-auto-update software enable (1-7); fabric save-unit-id (1-8); fabric-port enable (1-10); ftm fabric-vlan (1-12); xrn-fabric authentication-mode (1-12); port link-type xrn-fabric (1-13); reset ftm statistics (1-14); set unit name (1-14); sysname (1-15)...
  • Page 846: Xrn Fabric Commands

    XRN Fabric Commands XRN Fabric Commands change self-unit Syntax change self-unit to { unit-id | auto-numbering } View System view Parameters unit-id: Changes the unit ID of the current switch to a specified value which is in the range of 1 to 8. auto-numbering: Changes the numbering mode of unit ID on the current switch to automatic numbering mode.
  • Page 847: Change Unit-Id

    If you do not bring up the fabric port, you cannot change the unit ID of a switch. After the unit ID of a device is changed, the unit ID-related information of this device in the configuration file of the fabric will be updated automatically. If the unit ID of a device changes from 2 to 4, the port description of this device in the configuration file automatically changes from 2/0/x to 4/0/x.
  • Page 848 Unit IDs in an XRN fabric are not always arranged in order of 1 to 8. Unit IDs in an XRN fabric can be non-consecutive. After the unit ID of a device is changed, the unit ID-related information of this device in the configuration file of the fabric will be updated automatically.
  • Page 849: Display Ftm

    From the above example, you can see the original unit ID of the device with MAC address 000f-cbb7-3264 is 6. After the configuration, this unit ID changes to 4, and the priority of the device changes to 5. display ftm Syntax display ftm { information | topology-database } View...
  • Page 850 Table 1-1 display ftm information command output description Field Description FTM State: DISC STATE: In the topology discovery state. FTM State LISTEN STATE: In the topology discovery state, and the FTM slave device is listening. HB STATE: The fabric operates normally. Unit ID: Unit ID FTM-Master...
  • Page 851 Field Description Indexes of the left and right ports: Left Port : Index = 255, IsEdge: Whether the device is at either end of a bus topology IsEdge = 0 XRN fabric in which the number of member devices has reached the upper limit.
  • Page 852: Display Xrn-Fabric

    display xrn-fabric Syntax display xrn-fabric [ port ] View Any view Parameters port: Displays the fabric port information. Description Use the display xrn-fabric command to view the information of the entire fabric, including unit ID, unit name, and operation mode of the system. If the fabric information is displayed on the console port of a device, an asterisk (*) will be added to the unit ID of the current device.
  • Page 853: Fabric Save-Unit-Id

    View System view Parameters None Description Use the fabric member-auto-update software enable command to enable the XRN automatic fabric function for a switch. Use the undo fabric member-auto-update software enable command to disable the XRN automatic fabric function for a switch. By default, the XRN automatic fabric function for a switch is disabled.
  • Page 854 undo fabric save-unit-id View User view Parameters None Description Use the fabric save-unit-id command to save the unit IDs of all the units in an XRN fabric into the unit Flash and set the unit priority to 5, that is, manual numbering. Use the undo fabric save-unit-id command to remove the saved unit IDs and restore the unit priority to 10, that is, automatic numbering.
  • Page 855: Fabric-Port Enable

    000f-e20f-5132 5 Left/ 000f-e20f-5252 5 /Right 1 000f-e20f-8922 5 Left/ 000f-cbb7-2142 5 /Right 1 000f-cbb7-3264 5 Left/ 000f-cbb7-2260 5 /Right 1 000f-cbb7-2734 5 Left/ From the above example, you can see the priority of each unit changes from 10 to 5, and the numbering mode changes from A (automatic numbering) to M (manual numbering).
  • Page 856 Parameters interface-type interface-number: Type and port number of a fabric port. On a Switch 5500-EI 28 port switch, only four GigabitEthernet ports can be configured as fabric ports: GigabitEthernet 1/0/25, GigabitEthernet 1/0/26, GigabitEthernet 1/0/27, and GigabitEthernet 1/0/28. On a Switch 5500-EI 52 port switch, only four GigabitEthernet ports can be configured as fabric ports: GigabitEthernet 1/0/49, GigabitEthernet 1/0/50, GigabitEthernet 1/0/51, and GigabitEthernet 1/0/52.
  • Page 857: Ftm Fabric-Vlan

    ftm fabric-vlan Syntax ftm fabric-vlan vlan-id undo ftm fabric-vlan View System view Parameters vlan-id: ID of the XRN fabric VLAN, in the range of 2 to 4094. The VLAN you specified must be the one that has not been created manually. Description Use the ftm fabric-vlan command to specify the VLAN that the switch uses for XRN fabric.
  • Page 858: Port Link-Type Xrn-Fabric

    Description Use the xrn-fabric authentication-mode command to configure the authentication mode and password for an XRN fabric. Use the undo xrn-fabric authentication-mode command to remove the XRN fabric authentication configuration. By default, no authentication mode is configured on a switch. XRN fabric authentication is used to ensure the security of the devices accessing it.
  • Page 859: Reset Ftm Statistics

    reset ftm statistics Syntax reset ftm statistics View User view Parameters None Description Use the reset ftm statistics command to clear FTM statistics. You can use this command together with the display ftm command to view the packet statistics processed by FTM in a period of time, thus analyzing fabric operation status and locating problems.
  • Page 860: Sysname

    For example, if the fabric name of the Ethernet switch is 3Com, the prompt character in user view is <3Com>. Use the undo sysname command to restore the default fabric name.
  • Page 861 Table of Contents: 1 Cluster Configuration Commands (1-1); NDP Configuration Commands (1-1); display ndp (1-1); ndp enable (1-3); ndp timer aging (1-3); ndp timer hello (1-4); reset ndp statistics (1-5); NTDP Configuration Commands (1-6); display ntdp (1-6); display ntdp device-list (1-7); ntdp enable (1-8); ntdp explore (1-9); ntdp hop (1-10); ntdp timer (1-10); ntdp timer hop-delay (1-11)...
  • Page 862 tracemac (1-37); Enhanced Cluster Feature Configuration Commands (1-39); black-list (1-39); display cluster base-members (1-40); display cluster base-topology (1-40); display cluster black-list (1-41); display cluster current-topology (1-42); display ntdp single-device mac-address (1-43); topology accept (1-45); topology restore-from (1-46); topology save-to (1-47)...
  • Page 863: Cluster Configuration Commands

    Cluster Configuration Commands NDP Configuration Commands display ndp Syntax display ndp [ interface interface-list ] View Any view Parameters interface interface-list: Specifies a port list. You need to provide the interface-list argument in the form of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10>...
  • Page 864 Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0 Interface: Ethernet1/0/3 Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0 ……(Omitted) # Display NDP information about Ethernet 1/0/1. <aaa_0.Sysname> display ndp interface Ethernet 1/0/1 Interface: Ethernet1/0/1 Status: Enabled, Pkts Snd: 15835, Pkts Rvd: 2879, Pkts Err: 0 Neighbor 1: Aging Time: 147(s)
  • Page 865: Ndp Enable

    ndp enable Syntax ndp enable [ interface interface-list ] undo ndp enable [ interface interface-list ] View System view, Ethernet port view Parameters interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10> means that you can provide up to ten port indexes/port index ranges for this argument.
  • Page 866: Ndp Timer Hello

    Description Use the ndp timer aging command to set the holdtime of the NDP information. This command specifies how long an adjacent device should hold the NDP neighbor information received from the local switch before discarding the information. Use the undo ndp timer aging command to restore the default holdtime of NDP information. By default, the holdtime of NDP information is 180 seconds.
  • Page 867: Reset Ndp Statistics

    Examples # Set the interval between sending NDP packets to 80 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ndp timer hello 80 reset ndp statistics Syntax reset ndp statistics [ interface interface-list ] View User view Parameters interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10>...
  • Page 868: Ntdp Configuration Commands

    NTDP Configuration Commands display ntdp Syntax display ntdp View Any view Parameters None Description Use the display ntdp command to display the global NTDP information. The displayed information includes topology collection range (hop count), topology collection interval (NTDP timer), device/port forwarding delay of topology collection requests, and time used by the last topology collection.
  • Page 869: Display Ntdp Device-List

    Platform : 5500-EI : 100.100.1.1/24 Version: 3Com Corporation Switch 5500-EI Software Version 3Com OS V3.03.02s56e Copyright (c) 2004-2008 3Com Corporation and its licensors, All rights reserved. Switch 5500-EI Switch 5500-EI-V3.03.02s56e Cluster Candidate switch Peer MAC Peer Port ID Native Port ID...
  • Page 870: Ntdp Enable

    : 000f-e20f-3190 Platform : 5500-EI : 16.1.1.1/24 Version: Switch 5500-EI Software Version 3Com OS V3.03.02s56e Copyright (c) 2004-2008 3Com Corporation and its licensors, All rights reserved. Switch 5500-EI Switch 5500-EI-V3.03.02s56e Cluster Candidate switch Peer MAC Peer Port ID Native Port ID...
  • Page 871: Ntdp Explore

    View System view, Ethernet port view Parameters None Description Use the ntdp enable command to enable NTDP globally or on a port. Use the undo ntdp enable command to disable NTDP globally or on a port. By default, NTDP is enabled both globally and on ports. Note that NTDP can take effect on a port only when NTDP is enabled both globally and on the port.
  • Page 872: Ntdp Hop

    ntdp hop Syntax ntdp hop hop-value undo ntdp hop View System view Parameters hop-value: Maximum hops to collect topology information, namely, the topology collection range, in the range of 1 to 16. Description Use the ntdp hop command to set the topology collection range. Use the undo ntdp hop command to restore the default topology collection range.
  • Page 873: Ntdp Timer Hop-Delay

    Parameters interval-in-minutes: Interval (in minutes) to collect topology information, ranging from 0 to 65,535. A value of 0 disables topology information collection. Description Use the ntdp timer command to configure the interval to collect topology information periodically. Use the undo ntdp timer command to restore the default interval. By default, this interval is one minute.
  • Page 874: Ntdp Timer Port-Delay

    Network congestion may occur if a large number of topology response packets reach the collecting device in a short period. To avoid this, each collected switch in the network delays for a period before it forwards a received topology collection request through each NTDP-enabled port. You can use the ntdp timer hop-delay command to set the delay on a collecting switch.
  • Page 875: Cluster Configuration Commands

    Cluster Configuration Commands add-member Syntax add-member [ member-number ] mac-address H-H-H [ password password ] View Cluster view Parameters member-number: Member number assigned to the candidate device to be added to the cluster. This argument ranges from 1 to 255. H-H-H: MAC address of the candidate device to be added (in hexadecimal).
  • Page 876: Auto-Build

    View Cluster view Parameters mac-address: MAC address of the management device to be specified. name: Name of an existing cluster, a string of up to 8 characters. Note that the name of a cluster can only contain alphanumeric characters, minus signs (-), and underscores (_). Description Use the administrator-address command to specify the management device MAC address and the cluster name on a device to add the device to the cluster.
  • Page 877 Collecting candidate list, please wait... #Apr 3 08:12:32:832 2000 aaa_0.Sysname CLST/5/Cluster_Trap:- 1 - OID:1.3.6.1.4.1.2011.6.7.1.0.3(hgmpMemberStatusChange):member 00.00.00.00.00.12. a9.90.22.40 role change, NTDPIndex:0.00.00.00.00.00.12.a9.90.22.40, Role:1 Candidate list: Name Hops MAC Address Device 3Com 0016-e0c0-c201 Switch 5500-EI 28-Port 3Com 000f-e221-616e Switch 4500 26-Port 3Com 000f-e202-2180 Switch 5500-EI 52-Port 1-15...
  • Page 878: Build

    SwitchA 0016-e0be-e200 Switch 5500-EI 28-Port 3Com 000f-e200-1774 Switch 4500 50-Port 3Com 000f-e200-5600 Switch 5500-EI 52-Port 3Com 000f-e200-5104 Switch 5500-EI 28-Port 3Com 000f-e200-2420 Switch 5500-EI 28-Port Processing...please wait %Apr 3 08:12:37:813 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 000f-e200-2200 is joined in cluster aaa.
  • Page 879 Description Use the build command to build a cluster with a cluster name or change the cluster name. Use the undo build command to remove the cluster. You can use this command on a candidate device as well as on a management device. Executing the build command on a candidate device will change the device to a management device and assign a name to the cluster created on the device, and the member number of the management device is 0.
  • Page 880: Cluster

    System View: return to User View with Ctrl+Z [Sysname] cluster [Sysname-cluster] build aaa There is no base topology, if set up from local flash file?(Y/N) #Apr 3 08:15:03:166 2000 aaa_0. 3Com CLST/5/Cluster_Trap:- 1 - OID:1.3.6.1.4.1.2011.6.7.1.0.3(hgmpMemberStatusChange):member 00.00.00.00.00.12. a9.90.22.40 role change, NTDPIndex:0.00.00.00.00.00.12.a9.90.22.40, Role:1 [aaa_0.Sysname-cluster] cluster...
  • Page 881: Cluster Switch-To

    Use the undo cluster enable command to disable the cluster function. By default, the cluster function is enabled. Note that: To create a cluster on a management device through the build command or the auto-build command, you must first enable the cluster function by executing the cluster enable command. When you execute the undo cluster enable command on the management device, the cluster function is disabled on the device, and the device stops operating as a management device, and the cluster and all its members are removed.
  • Page 882: Cluster-Mac

    on the management device (this is not true when you add the candidate device to the cluster using the administrator-address command). It is recommended not to change the super password of any cluster member or the management device, so as to avoid switching failure resulting from authentication failure.
  • Page 883: Cluster-Mac Syn-Interval

    Since some devices cannot forward the multicast packets with the destination MAC address of 0180-C200-000A, HGMPv2 packets cannot traverse these devices. For a cluster to work normally in this case, you can modify the multicast destination MAC address of HGMPv2 protocol packets without changing the current networking.
  • Page 884: Delete-Member

    delete-member Syntax delete-member member-id [ to-black-list ] View Cluster view Parameters member-id: Member number of a member device, ranging from 1 to 255. to-black-list: Adds the device removed from a cluster to the blacklist to prevent it from being added to the cluster.
  • Page 885 View Any view Parameters None Description Use the display cluster command to display the status and statistics information of the cluster to which the current switch belongs. Executing this command on a member device will display the following information: cluster name, member number of the current switch, MAC address and status of the management device, holdtime, and interval to send handshake packets.
  • Page 886: Display Cluster Candidates

    Handshake timer:10 sec Handshake hold-time:60 sec Administrator device mac address:000f-e20f-3901 Administrator status:Up Table 1-5 Description on the fields of the display cluster command. Field: Description. Cluster name: Name of the cluster, which can be configured through the build command. Role: Role of this switch. Number of the management VLAN, which can be configured through the management-vlan...
  • Page 887 candidate switches to be automatically added into the cluster, you can set the topology collection interval to zero (by using the ntdp timer command), which specifies not to perform topology collection periodically. Examples # Display information about all candidate devices. <aaa_0.Sysname-cluster>...
  • Page 888: Display Cluster Members

    Device MAC Address Status Name 5500-EI 000f-e20f-3901 Admin aaa_0.Sysname 5500-EI 3900-0000-3334 aaa_1.3Com 5500-EI 000f-e20f-3190 aaa_2.5500-3 Table 1-8 Description on the fields of the display cluster members command Field Description Member number of a device in the cluster Device Device type...
  • Page 889 Member status:Admin Hops to administrator device:0 IP: 100.100.1.1/24 Version: 3Com Corporation Switch 5500-EI Software Version 3Com OS V3.03.02s56e Copyright (c) 2004-2008 3Com Corporation and its licensors, All rights reserved. Switch 5500-EI Switch 5500-EI-OS V3.03.02s56e Member number:1 Name:aaa_1.Sysname Device:5500-EI MAC Address:000f-e200-3334...
  • Page 890: Ftp Cluster

    Field Description Hops to administrator device Hops from the device to the management device Device IP address Version Software version of the device ftp cluster Syntax ftp cluster View User view Parameters None Description Use the ftp cluster command to connect to the shared FTP server of the cluster and enter FTP Client view through the management device.
  • Page 891: Ftp-Server

    ftp-server Syntax ftp-server ip-address undo ftp-server View Cluster view Parameters ip-address: IP address of the FTP server to be configured for the cluster. Description Use the ftp-server command to configure a shared FTP server for the cluster on the management device.
  • Page 892: Ip-Pool

    Parameters seconds: Neighbor information holdtime in seconds, ranging from 1 to 255. Description Use the holdtime command to configure the neighbor information holdtime of the member switches. Use the undo holdtime command to restore the default holdtime value. By default, the neighbor information holdtime is 60 seconds. Note that: If the management switch does not receive NDP information from a member device within the holdtime, it sets the state of the member device to “down”.
  • Page 893: Logging-Host

    Description Use the ip-pool command to configure a private IP address pool on the management device. Use the undo ip-pool command to cancel the IP address pool configuration. Before creating a cluster, you must first configure a private IP address pool. When a candidate device joins a cluster, the management device dynamically assigns a private IP address in the pool to it, so that the candidate device can communicate with other devices in the cluster.
  • Page 894: Management-Vlan

    [aaa_0.Sysname-cluster] logging-host 10.10.10.9 management-vlan Syntax management-vlan vlan-id undo management-vlan View System view Parameters vlan-id: ID of the VLAN to be specified as the management VLAN. Description Use the management-vlan command to specify the management VLAN on the switch. Use the undo management-vlan command to restore the default management VLAN. By default, VLAN 1 is used as the management VLAN.
  • Page 895: Reboot Member

    Description Use the nm-interface Vlan-interface command to configure a network management (NM) interface on a management device. After an NM interface is specified on the management device of a cluster, the network administrator can log onto the management device through the NM interface to manage the devices in the cluster. By default, the management VLAN interface is used as the NM interface.
  • Page 896: Snmp-Host

    Examples # Reboot member device 2. <aaa_0.Sysname> system-view System View: return to User View with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] reboot member 2 snmp-host Syntax snmp-host ip-address undo snmp-host View Cluster view Parameters ip-address: IP address of an SNMP network management station (NMS) to be configured for the cluster. Description Use the snmp-host command to configure a shared SNMP NMS for the cluster on the management device.
  • Page 897: Tftp Put

    Parameters cluster: Downloads files through the shared TFTP server of the cluster. tftp-server: IP address or host name of the TFTP server. source-file: Name of the file to be downloaded from the shared TFTP server of the cluster. destination-file: Name of the file to which the downloaded file will be saved on the switch. Description Use the tftp get command to download a file from a specific directory on the shared TFTP server to the switch.
  • Page 898: Tftp-Server

    Description Use the tftp put command to upload a file from the switch to a specified directory on the TFTP server. You can use the tftp-server command on the management device to configure the shared TFTP server of the cluster, which is used for software version update and configuration file backup of the cluster members.
  • Page 899: Timer

    Examples # Configure shared TFTP server 1.0.0.9 on the management device for the cluster. <aaa_0.Sysname> system-view System View: return to User View with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] tftp-server 1.0.0.9 timer Syntax timer interval undo timer View Cluster view Parameters interval: Interval (in seconds) to send handshake packets. This argument ranges from 1 to 255. Description Use the timer command to set the interval between sending handshake packets.
  • Page 900 View Any view Parameters by-mac: Specifies to trace a device through the specified destination MAC address. mac-address: MAC address of the device to be traced. vlan vlan-id: Specifies to trace a device in the specified VLAN. vlan-id ranges from 1 to 4094. by-ip: Specifies to trace a device through the specified destination IP address.
  • Page 901: Enhanced Cluster Feature Configuration Commands

    Enhanced Cluster Feature Configuration Commands black-list Syntax black-list add-mac mac-address black-list delete-mac { all | mac-address } View Cluster view Parameters mac-address: MAC address of the device to be added to the blacklist. The format is H-H-H, for example, 0100-0498-e001. all: Deletes all MAC addresses in the current cluster blacklist.
  • Page 902: Display Cluster Base-Members

    display cluster base-members Syntax display cluster base-members View Any view Parameters None Description Use the display cluster base-members command to display the information about all the devices in the base cluster topology, such as member number, name, MAC address, and the current status of each device in a cluster.
  • Page 903: Display Cluster Black-List

    Examples # Display the standard topology of the cluster. <aaa_0.Sysname> display cluster base-topology -------------------------------------------------------------------- (PeerPort) ConnectFlag (NativePort) [SysName:DeviceMac] -------------------------------------------------------------------- [aaa_0.3Com:000f-e202-2180] ├-(P_0/40)<-->(P_0/6)[Sysname:000f-e200-2200] ├-(P_0/28)<-->(P_3/0/1)[Sysname:000f-e200-1774] ├-(P_0/22)<-->(P_1/0/2)[aaa_5.3Com:000f-e200-5111] ├-(P_0/18)<-->(P_3/0/2)[Sysname S3600:000f-e218-d0d0] ├-(P_0/14)<-->(P_1/0/2)[Sysname:000f-e200-5601] └-(P_0/4)<-->(P_0/2)[Switch 5500-EI 28-Port:000f-e200-00cc] The output information of the display cluster base-topology command is in the following format: (peer port number)<-->(local port number)[peer device name:peer device MAC address]...
  • Page 904: Display Cluster Current-Topology

    Description Use the display cluster black-list command to display the information of devices in the current cluster blacklist. Related commands: black-list. Examples # Display the contents of the current cluster blacklist. <aaa_0.Sysname> display cluster black-list Device ID Access Device ID Access port 000f-e200-5502 000f-e202-2180...
  • Page 905: Display Ntdp Single-Device Mac-Address

    <--> normal connect ---> odd connect **** in blacklist ???? lost device ++++ new device -┤├- STP discarding -------------------------------------------------------------------- [aaa_0.Sysname:000f-e202-2180] ├-(P_0/40)<-->(P_0/6)[Sysname:000f-e200-2200] ├-(P_0/28)<-->(P_3/0/1)[Sysname:000f-e200-1774] ├-(P_0/24)****(P_1/0/6)[clie:000f-e200-5502] ├-(P_0/22)<-->(P_1/0/2)[aaa_5.3Com:000f-e200-5111] ├-(P_0/18)<-->(P_3/0/2)[Sysname:000f-e218-d0d0] ├-(P_0/14)<-->(P_1/0/2)[Sysname:000f-e200-5601] ├-(P_0/10)<-->(P_1/0/1)[aaa_7.5500-EI:0012-a990-2241] ├-(P_0/4)<-->(P_0/2)[Switch 5500-EI:000f-e200-00cc] └-(P_0/1)****(P_0/1)[Sysname:00e0-fd34-bc66] display ntdp single-device mac-address Syntax display ntdp single-device mac-address mac-address...
  • Page 906 : 000f-e200-3956 Platform : Switch 5500-EI Version: 3Com Corporation Switch 5500-EI Software Version 3Com OS V3.03.02s56e Copyright (c) 2004-2008 3Com Corporation and its licensors, All rights reserved. Switch 5500-EI 28-Port Switch 5500-EI V3.03.02s56e Cluster Candidate switch Peer MAC Peer Port ID...
  • Page 907: Topology Accept

    Field Description Name of the port on the peer device connecting to the local Peer Port ID device Name of the port on the local device connecting to the peer Native Port ID device Speed Rate of the local port connecting to the peer device Duplex Duplex mode of the local port connecting to the peer device topology accept...
  • Page 908: Topology Restore-From

    Examples # Save the current cluster topology as the base topology and save it in the local flash. <aaa_0.Sysname> system-view Enter system view, return to user view with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] topology accept all save-to local-flash # Accept the device with the MAC address 0010-0f66-3022 as a member of the base cluster topology. <aaa_0.Sysname>...
  • Page 909: Topology Save-To

    topology save-to Syntax topology save-to local-flash View Cluster view Parameters None Description Use the topology save-to command to save the standard topology of the cluster to the local Flash memory. The file name used to save the standard topology is topology.top. Do not modify the file name. This command is applicable to only the management device of a cluster.
  • Page 910 Table of Contents: 1 SNMP Configuration Commands (1-1); SNMP Configuration Commands (1-1); display snmp-agent (1-1); display snmp-agent community (1-1); display snmp-agent group (1-3); display snmp-agent mib-view (1-4); display snmp-agent statistics (1-5); display snmp-agent sys-info (1-8); display snmp-agent trap-list (1-9); display snmp-agent usm-user (1-9); enable snmp trap updown (1-11); snmp-agent (1-11); snmp-agent calculate-password (1-12)...
  • Page 911: Snmp Configuration Commands

    SNMP Configuration Commands SNMP Configuration Commands display snmp-agent Syntax display snmp-agent { local-engineid | remote-engineid } View Any view Parameters local-engineid: Displays the local SNMP entity engine ID. remote-engineid: Displays all the remote SNMP entity engine IDs. At present, the device does not support application of the keyword.
  • Page 912 Parameters read: Displays the information about the SNMP communities with read-only permission. write: Displays the information about the SNMP communities with read-write permission. Description Use the display snmp-agent community command to display the information about the SNMPv1/SNMPv2c communities with the specific access permission. SNMPv1 and SNMPv2c use community name authentication.
  • Page 913: Display Snmp-Agent Group

    Field Description Storage type, which can be: volatile: Information will be lost if the system is rebooted nonVolatile: Information will not be lost if the system is rebooted Storage-type permanent: Modification is permitted, but deletion is forbidden readOnly: Read only, that is, no modification, no deletion other: Other storage types display snmp-agent group...
  • Page 914: Display Snmp-Agent Mib-View

    Table 1-2 display snmp-agent group command output description Field Description Group name SNMP group name of the user SNMP group security mode, which can be AuthPriv (authentication with privacy), Security model AuthnoPriv (authentication without privacy), and noAuthnoPriv (no authentication no privacy). Read-only MIB view corresponding to the SNMP Readview group...
  • Page 915: Display Snmp-Agent Statistics

    View name:ViewDefault MIB Subtree:iso Subtree mask: Storage-type: nonVolatile View Type:included View status:active View name:ViewDefault MIB Subtree:snmpUsmMIB Subtree mask: Storage-type: nonVolatile View Type:excluded View status:active View name:ViewDefault MIB Subtree:snmpVacmMIB Subtree mask: Storage-type: nonVolatile View Type:excluded View status:active View name:ViewDefault MIB Subtree:snmpModules.18 Subtree mask: Storage-type: nonVolatile View Type:excluded...
  • Page 916 Examples # Display the statistics on SNMP packets. <Sysname> display snmp-agent statistics 1276 Messages delivered to the SNMP entity 0 Messages which were for an unsupported version 0 Messages which used a SNMP community name not known 0 Messages which represented an illegal operation for the community supplied 0 ASN.1 or BER errors in the process of decoding 1291 Messages passed from the SNMP entity 0 SNMP PDUs which had badValue error-status...
  • Page 917 Field Description The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for SNMP PDUs which had genErr error-status which the value of the error-status field is `genErr'. The total number of SNMP PDUs which were SNMP PDUs which had noSuchName delivered to the SNMP protocol entity and for error-status...
  • Page 918: Display Snmp-Agent Sys-Info

    For the detailed configuration, refer to the snmp-agent sys-info command. By default, the contact information of a Switch 5500-EI is "3Com Corporation.", the geographical location is "Marlborough, MA 01752 USA", and the SNMP version employed is SNMPv3.
  • Page 919: Display Snmp-Agent Trap-List

    SNMPv3 display snmp-agent trap-list Syntax display snmp-agent trap-list View Any view Parameters None Description Use the display snmp-agent trap-list command to display the modules that can generate traps and whether the sending of traps is enabled on the modules. If a module contains multiple submodules, the trap function of the entire module is displayed as enabled as long as the trap function of any of the submodules is enabled.
  • Page 920 Parameters engineid: Engine ID, a string of 10 to 64 hexadecimal digits. user-name: SNMPv3 username, a string of 1 to 32 characters. group-name: Name of an SNMP group, a string of 1 to 32 characters. Description Use the display snmp-agent usm-user command to display the information about a specific type of SNMPv3 users.
  • Page 921: Enable Snmp Trap Updown

    enable snmp trap updown Syntax enable snmp trap updown undo enable snmp trap updown View Ethernet port view, interface view Parameters None Description Use the enable snmp trap updown command to enable the sending of port/interface linkUp/linkDown traps. Use the undo enable snmp trap updown command to disable the sending of linkUp/linkDown traps. By default, the sending of port/interface linkUp/linkDown traps is enabled.
  • Page 922: Snmp-Agent Calculate-Password

    Description Use the snmp-agent command to enable the SNMP agent. Use the undo snmp-agent command to disable the SNMP agent. Executing the snmp-agent command or any of the commands used to configure the SNMP agent starts the SNMP agent. By default, the SNMP agent is disabled.
  • Page 923: Snmp-Agent Community

    Description Use the snmp-agent calculate-password command to encrypt a plain-text password to generate a cipher-text one by using the specified encryption algorithm. When creating an SNMPv3 user, if you specify an authentication or privacy password in cipher text, you need to use this command to generate the cipher-text password with the specified algorithm, and then copy the generated cipher-text password for use.
  • Page 924: Snmp-Agent Group

    Description Use the snmp-agent community command to create an SNMP community. SNMPv1 and SNMPv2c use the community name to restrict access rights. You can use this command to configure a community name, its read or write access right, and an ACL. Use the undo snmp-agent community command to remove an SNMP community.
  • Page 925 write-view: Read-write view name, a string of 1 to 32 characters. By default, no write view is configured, namely, the NMS cannot perform the write operation on the MIB objects of the device. notify-view: Notification view name in which traps can be sent, a string of 1 to 32 characters. By default, no notify view is configured, namely, the agent will not send traps to the NMS.
  • Page 926: Snmp-Agent Local-Engineid

    Group name: v3group Security model: v3 AuthPriv Readview: ViewDefault Writeview: <no specified> Notifyview :<no specified> Storage-type: nonVolatile Acl:2001 snmp-agent local-engineid Syntax snmp-agent local-engineid engineid undo snmp-agent local-engineid View System view Parameters engineid: Engine ID, an even number of hexadecimal characters, in the range 10 to 64. Description Use the snmp-agent local-engineid command to set an engine ID for the local SNMP entity.
  • Page 927: Snmp-Agent Mib-View

    Parameters set-operation: Logs the set operations. get-operation: Logs the get operations. all: Logs both the set operations and get operations. Description Use the snmp-agent log command to enable network management operation logging. Use the undo snmp-agent log command to disable network management operation logging. By default, network management operation logging is disabled.
  • Page 928 view-name: View name. oid-tree: OID MIB subtree of a MIB subtree. It can be the ID of a node in OID MIB subtree (such as 1.4.5.3.1) or an OID (such as “system”). mask mask-value: Mask of a MIB subtree, an even number of hexadecimal characters, in the range 2 to 32.
  • Page 929: Snmp-Agent Packet Max-Size

    <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname]snmp-agent community read rip2read mib-view rip2 [Sysname]snmp-agent community write rip2write mib-view rip2 # Create an SNMP MIB view with the name of view-a, MIB subtree of 1.3.6.1.5.4.3.4 and subtree mask of FE.
  • Page 930 Multiple SNMP versions can run on the device at the same time to allow access by different NMSs. By default, the contact information of a Switch 5500-EI is "3Com Corporation.", the geographical location is "Marlborough, MA 01752 USA", and the SNMP version employed is SNMPv3.
  • Page 931: Snmp-Agent Target-Host

    snmp-agent target-host Syntax snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number ] params securityname security-string [ v1 | v2c | v3 [authentication | privacy ] ] undo snmp-agent target-host ip-address securityname security-string View System view Parameters trap: Enables the host to receive SNMP traps. address: Specifies the destination for the SNMP traps.
  • Page 932: Snmp-Agent Trap Enable

    [Sysname] snmp-agent trap enable standard [Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public snmp-agent trap enable Syntax snmp-agent trap enable [ configuration | flash | ospf [ process-id ] [ ospf-trap-list ] | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system | vrrp [ authfailure | newmaster ] ] undo snmp-agent trap enable [ configuration | flash | ospf [ process-id ] [ ospf-trap-list ] | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system | vrrp [ authfailure |...
  • Page 933: Snmp-Agent Trap Ifmib

    # Before the configuration of the extended trap function, the trap information is as follows when a link is down: #Apr 2 05:53:15:883 2000 3Com L2INF/2/PORT LINK STATUS CHANGE:- 1 - Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227634, ifAdminStatus is 2, ifOperStatus is 2 #Apr 2 05:53:16:094 2000 3Com IFNET/5/TRAP:- 1 -1.3.6.1.6.3.1.1.5.3(linkDown) Interface 31...
  • Page 934: Snmp-Agent Trap Life

    snmp-agent trap life Syntax snmp-agent trap life seconds undo snmp-agent trap life View System view Parameters seconds: SNMP trap aging time (in seconds) to be set, ranging from 1 to 2,592,000. Description Use the snmp-agent trap life command to set the SNMP trap aging time. SNMP traps exceeding the aging time will be discarded.
  • Page 935: Snmp-Agent Trap Source

    After a trap is generated, it will enter the trap queue to be sent. The length of a trap queue decides the maximum number of traps in the queue. When a trap queue reaches the configured length, the newly generated traps will enter the queue, and the traps generated the earliest will be discarded. Related commands: snmp-agent trap enable, snmp-agent target-host, and snmp-agent trap life.
  • Page 936: Snmp-Agent Usm-User { V1 | V2C

    Examples # Configure VLAN-interface 1 as the source interface for the SNMP traps sent. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] snmp-agent trap source Vlan-interface 1 snmp-agent usm-user { v1 | v2c } Syntax snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ] undo snmp-agent usm-user { v1 | v2c } user-name group-name View System view...
  • Page 937: Snmp-Agent Usm-User V3

    [Sysname] snmp-agent usm-user v2c userv2c readCom Specify the SNMP version of the NMS as SNMPv2c, and fill the write community name field with userv2c. Then the NMS can access the agent. # Create an SNMPv2c user userv2c in group readCom, permitting only the NMS with an IP address 1.1.1.1 to access the agent, and denying the access of other NMSs.
  • Page 938 priv-password: Encryption password, a string of 1 to 64 characters in plain text, a 32-bit hexadecimal number in cipher text if MD5 algorithm is used, and a 40-bit hexadecimal number in cipher text if SHA algorithm is used. acl-number: Binds a user with an ACL, where acl-number represents ACL number, in the range 2000 to 2999.
  • Page 939 # Add a user named testUser to the SNMPv3 group named testGroup. Set the security mode to authentication with privacy, the authentication algorithm to md5, the privacy algorithm to des56, the plain text authentication password to authkey, the plain text privacy password to prikey. <Sysname>...
  • Page 940: Rmon Configuration Commands

    RMON Configuration Commands RMON Configuration Commands display rmon alarm Syntax display rmon alarm [ entry-number ] View Any view Parameters entry-number: Alarm entry index, in the range 1 to 65535. Description Use the display rmon alarm command to display the configuration of a specified alarm entry or all the alarm entries.
  • Page 941: Display Rmon Event

    Field Description Sampling interval, in seconds. The system Sampling interval performs absolute or delta sampling on the sampled node at this interval. Rising threshold. When the sampled value Rising threshold equals or exceeds the rising threshold, an alarm is triggered. Falling threshold.
  • Page 942: Display Rmon Eventlog

    Event table 1 owned by user1 is VALID. Description: null. Will cause log-trap when triggered, last triggered at 0days 00h:02m:27s. Table 2-2 display rmon event command output description Field Description Event table Index of an entry in the RMON event table The status of the entry identified by the index is VALID valid.
  • Page 943: Display Rmon History

    less than(or =) 100 with alarm value 0. Alarm sample type is absolute. Table 2-3 display rmon eventlog command output description Field Description Event table Index of an entry in the RMON event table The status of the entry identified by the index is VALID valid.
  • Page 944: Display Rmon Prialarm

    History control entry 1 owned by user1 is VALID Samples interface : Ethernet1/0/1<ifIndex.4227625> Sampling interval : 5(sec) with 10 buckets max Latest sampled values : Dropevents , octets : 10035 packets : 64 , broadcast packets : 35 multicast packets : 8 , CRC alignment errors : 0 undersize packets : 0 , oversize packets...
  • Page 945 View Any view Parameters prialarm-entry-number: Extended alarm entry index, in the range 1 to 65,535. Description Use the display rmon prialarm command to display the configuration of an RMON extended alarm entry. If you do not specify the prialarm-entry-number argument, the configuration of all the extended alarm entries is displayed.
  • Page 946: Display Rmon Statistics

    Field Description Linked with event Event index corresponding to an alarm The condition under which an alarm is triggered, which can be: risingOrFallingAlarm: An alarm is triggered when the rising or falling threshold is When startup enables: risingOrFallingAlarm reached. risingAlarm: An alarm is triggered when the rising threshold is reached.
  • Page 947: Rmon Alarm

    Interface : Ethernet1/0/1<ifIndex.4227625> etherStatsOctets : 30561 , etherStatsPkts : 217 etherStatsBroadcastPkts : 102 , etherStatsMulticastPkts : 25 etherStatsUndersizePkts , etherStatsOversizePkts etherStatsFragments , etherStatsJabbers etherStatsCRCAlignErrors : 0 , etherStatsCollisions etherStatsDropEvents (insufficient resources): 0 Packets received according to length: : 177 65-127 : 27 128-255 256-511: 0...
  • Page 948 Parameters entry-number: Index of the alarm entry to be added/removed, in the range 1 to 65535. alarm-variable: Alarm variable, a string comprising 1 to 256 characters in dotted node OID format (such as 1.3.6.1.2.1.2.1.10.1). Only the variables that can be resolved to ASN.1 INTEGER data type (that is, INTEGER, Counter, Gauge, or TimeTicks) can be used as alarm variables.
  • Page 949: Rmon Event

    Comparison Operation The sample value is smaller than the set lower Triggering the event identified by the threshold (threshold-value2) event-entry2 argument Before adding an alarm entry, you need to use the rmon event command to define the events to be referenced by the alarm entry.
  • Page 950: Rmon History

    description string: Specifies the event description, a string of 1 to 127 characters. log: Logs events. trap: Sends traps to the NMS. trap-community: Community name of the NMS that receives the traps, a string of 1 to 127 characters. log-trap: Logs the event and sends traps to the NMS. log-trapcommunity: Community name of the NMS that receives the traps, a character string of 1 to 127 characters.
  • Page 951: Rmon Prialarm

    Description Use the rmon history command to add an entry to the history control table. If you do not specify the owner text keyword/argument combination, the owner of the entry is displayed as “null”. Use the undo rmon history command to remove an entry from the history control table. You can use the rmon history command to sample a specific port.
  • Page 952 threshold-value2: Lower threshold, in the range 0 to 2147483647. event-entry2: Index of the event entry that corresponds to the falling threshold, in the range 0 to 65535. forever: Specifies the corresponding RMON alarm instance is valid permanently. cycle: Specifies the corresponding RMON alarm instance is valid periodically. cycle-period: Life time (in seconds) of the RMON alarm instance, in the range 0 to 2147483647.
  • Page 953: Rmon Statistics

    Falling threshold: 5 Event 1 is triggered when the change ratio is larger than the rising threshold. Event 2 is triggered when the change ratio is less than the falling threshold. The alarm entry is valid forever. Entry owner: user1 <Sysname>...
  • Page 954 For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry was already created for a given port, you will fail to create a statistics entry with a different index for the port. You can use the display rmon statistics command to display the information about the statistics entry.
  • Page 955 Table of Contents: 1 UDP Helper Configuration Commands (1-1); UDP Helper Configuration Commands (1-1); display udp-helper server (1-1); reset udp-helper packet (1-1); udp-helper enable (1-2); udp-helper port (1-2); udp-helper server (1-4); udp-helper ttl-keep enable (1-4)...
  • Page 956: Udp Helper Configuration Commands

    UDP Helper Configuration Commands UDP Helper Configuration Commands display udp-helper server Syntax display udp-helper server [ interface Vlan-interface vlan-id ] View Any view Parameters vlan-id: VLAN interface number. Description Use the display udp-helper server command to display the UDP broadcast relay forwarding information.
  • Page 957: Udp-Helper Enable

    View User view Parameters None Description Use the reset udp-helper packet command to clear UDP Helper statistics. Examples # Clear UDP Helper statistics. <Sysname> reset udp-helper packet udp-helper enable Syntax udp-helper enable undo udp-helper enable View System view Parameters None Description Use the udp-helper enable command to enable UDP Helper function.
  • Page 958 undo udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time } View System view Parameters port-number: Number of the UDP port with which UDP packets are to be forwarded, in the range 0 to 65535 (except for 67 and 68).
  • Page 959: Udp-Helper Server

    [Sysname] undo udp-helper port 53 udp-helper server Syntax udp-helper server ip-address undo udp-helper server [ ip-address ] View VLAN interface view Parameters ip-address: IP address of the destination server, in dotted decimal notation. Description Use the udp-helper server command to specify the destination server to which the UDP packets are to be forwarded.
  • Page 960 Description Use the udp-helper ttl-keep enable command to enable the UDP Helper TTL-keep function. With this function enabled, the UDP Helper can forward broadcasts with the TTL field being 1 without decrementing the TTL value by one. Use the undo udp-helper ttl-keep enable command to restore the default. By default, the UDP Helper TTL-keep function is disabled.
  • Page 961 Table of Contents: 1 NTP Configuration Commands (1-1); NTP Configuration Commands (1-1); display ntp-service sessions (1-1); display ntp-service status (1-3); display ntp-service trace (1-4); ntp-service access (1-5); ntp-service authentication enable (1-6); ntp-service authentication-keyid (1-7); ntp-service broadcast-client (1-7); ntp-service broadcast-server (1-8); ntp-service in-interface disable (1-8); ntp-service max-dynamic-sessions (1-9); ntp-service multicast-client (1-10); ntp-service multicast-server (1-10); ntp-service reliable authentication-keyid (1-11)...
  • Page 962: Ntp Configuration Commands

    NTP Configuration Commands To protect unused sockets against attacks by malicious users and improve security, 3Com S5500-EI series Ethernet switches provide the following functions: UDP port 123 is opened only when the NTP feature is enabled. UDP port 123 is closed when the NTP feature is disabled.
  • Page 963 Examples # View the brief information of all sessions maintained by NTP services. <Sysname> display ntp-service sessions source reference stra reach poll now offset delay disper ************************************************************************* [12345]3.0.1.32 LOCL -14.3 12.9 [25]3.0.1.31 127.127.1.0 1 4408.6 38.7 note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured Total associations : Table 1-1 display ntp-service sessions command output description Field...
  • Page 964: Display Ntp-Service Status

    Field Description Total associations Total number of associations An S5500-EI series switch does not establish a session with its client when it works in the NTP server mode, but does so when it works in other NTP implementation modes. display ntp-service status Syntax display ntp-service status View...
  • Page 965: Display Ntp-Service Trace

    Field Description Address of the remote server or ID of the reference clock after the local clock is Reference clock ID synchronized to a remote NTP server or a reference clock Nominal frequency of the local hardware clock, Nominal frequency in Hz.
  • Page 966: Ntp-Service Access

    Table 1-3 display ntp-service trace command output description Field Description server IP address of the NTP server The stratum level of the corresponding system stratum clock The clock offset relative to the upper-level clock, offset in milliseconds. The synchronization distance relative to the synch distance upper-level clock, in seconds Identifier of the primary reference source.
  • Page 967: Ntp-Service Authentication Enable

    NTP service access-control rights from the highest to the lowest are peer, server, synchronization, and query. When a local NTP server receives an NTP request, it performs an access-control right match and uses the first matched right. The ntp-service access command provides only a minimal degree of security. A more secure way is to perform identity authentication.
  • Page 968: Ntp-Service Authentication-Keyid

    ntp-service authentication-keyid Syntax ntp-service authentication-keyid key-id authentication-mode md5 value undo ntp-service authentication-keyid key-id View System view Parameters key-id: Authentication key ID, in the range of 1 to 4294967295. You can configure up to 1024 keys. value: Authentication key string. You can input 1 to 16 simple text characters, or 24 cipher text characters.
  • Page 969: Ntp-Service Broadcast-Server

    Use the undo ntp-service broadcast-client command to remove the configuration. By default, no NTP operating mode is configured. Examples # Configure the switch to operate in the broadcast client mode and receive NTP broadcast packets through VLAN-interface 1. <Sysname> system-view System View: return to User View with Ctrl+Z.
  • Page 970: Ntp-Service Max-Dynamic-Sessions

    View VLAN interface view Parameters None Description Use the ntp-service in-interface disable command to disable the interface from receiving NTP packets. Use the undo ntp-service in-interface disable command to restore the default. By default, the interface can receive NTP packets. Examples # Disable VLAN-interface 1 from receiving NTP packets.
  • Page 971: Ntp-Service Multicast-Client

    ntp-service multicast-client Syntax ntp-service multicast-client [ ip-address ] undo ntp-service multicast-client [ ip-address ] View VLAN interface view Parameters ip-address: Multicast IP address, in the range of 224.0.1.0 to 224.0.1.255. The default IP address is 224.0.1.1. Description Use the ntp-service multicast-client command to configure an Ethernet switch to operate in the NTP multicast client mode and receive NTP multicast packets through the current interface.
  • Page 972: Ntp-Service Reliable Authentication-Keyid

    Description Use the ntp-service multicast-server command to configure an Ethernet switch to operate in the NTP multicast server mode and send NTP multicast packets through the current interface. Use the undo ntp-service multicast-server command to remove the configuration. By default, no NTP operating mode is configured. Examples # Configure the switch to send NTP multicast packets through VLAN-interface 1, and set the multicast group address to 224.0.1.2, keyid to 4, and the NTP version number to 2.
  • Page 973: Ntp-Service Source-Interface

    [Sysname] ntp-service reliable authentication-keyid 37 ntp-service source-interface Syntax ntp-service source-interface Vlan-interface vlan-id undo ntp-service source-interface View System view Parameters vlan-interface vlan-id: Specifies an interface. The IP address of the interface serves as the source IP address of sent NTP packets. The vlan-id argument indicates the ID of the specified VLAN interface. Description Use the ntp-service source-interface command to specify a VLAN interface through which NTP packets are to be sent.
  • Page 974: Ntp-Service Unicast-Server

    priority: Specifies the peer identified by the remote-ip argument as the preferred peer for synchronization. source-interface Vlan-interface vlan-id: Specifies an interface whose IP address serves as the source IP address of NTP packets sent to the peer. vlan-id is the VLAN interface number. version number: Specifies the NTP version number.
  • Page 975 authentication-keyid key-id: Specifies the key ID used for sending packets to the NTP server. The key-id argument ranges from 1 to 4294967295. priority: Specifies the server identified by the remote-ip or the server-name argument as the preferred server. source-interface Vlan-interface vlan-id: Specifies an interface whose IP address serves as the source IP address of NTP packets sent by the local switch to the server.
  • Page 976 Table of Contents 1 SSH Commands: display public-key local, display public-key peer, display rsa local-key-pair public, display rsa peer-public-key, display ssh server, display ssh server-info, display ssh user-information, display ssh2 source-ip, display ssh-server source-ip, peer-public-key end, protocol inbound, public-key local create...
  • Page 977: Ssh Commands

    SSH Commands In this document, you can distinguish the local and peer as follows: if the local is an SSH server, the peer is an SSH client; if the local is an SSH client, the peer is an SSH server. SSH Commands display public-key local Syntax...
  • Page 978: Display Public-Key Peer

    30819F300D06092A864886F70D010101050003818D0030818902818100C7C4D2E1C59A75908417C660AD1D5E B172AB6EE9AAF994DB7A1C31EB87F750EE12A57832C6070FC008A5EE2B6675FD6A430575D97350E300A20FEB 773D93D7C3565467B0CA6B95C07D3338C523743B49D82C5EC2C9458D248955846F9C32F4D25CC92D0E831E56 4BBA6FAE794EEC6FCDEDB822909CC687BEBF51F3DFC5C30D590203010001 ===================================================== Time of Key pair created: 23:48:36 2000/04/03 Key name: Sysname_Server Key type: RSA encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100BC86D8F08E101461C1231B122777DBE777645C 81C569C004EC2FEC03C205CC7E3B5DAA38DD865C6D1FB61C91B85ED63C6F35BAFBF9A6D2D2989C20051FF8FA 31A14FCF73EC1485422E5B800B55920FC121329020E82F2945FFAD81BE72663BF70203010001 # Display the public key of the current switch’s DSA key pair. <Sysname> display public-key local dsa public ===================================================== Time of Key pair created: 08:01:23 2000/04/02...
  • Page 979 Description Use the display public-key peer command to display information about locally saved public keys of the SSH peers. If no key name is specified, the command displays detailed information about the locally saved public keys of all SSH peers. The display public-key peer command on the SSH server displays the locally saved public keys of SSH clients while the command on the SSH client displays the locally saved keys of the SSH servers.
  • Page 980: Display Rsa Local-Key-Pair Public

    display rsa local-key-pair public Syntax display rsa local-key-pair public View Any view Parameters None Description Use the display rsa local-key-pair public command to display the public keys of the current switch’s RSA key pairs. If no key pair has been generated, the system displays a message telling you that no RSA keys are found.
  • Page 981: Display Rsa Peer-Public-Key

    D0FC303F 51072D6C B5D0054D 3673EBA0 A4748984 5EBF6EBE CF6A13B1 C7858241 A2A9AA79 0203 010001 After you complete the RSA key pair generation task: If the switch is working in SSH1-compatible mode, there should be two public keys generated (that is, the host public key and the server public key), and the display rsa local-key-pair public command should display those two public keys.
  • Page 982: Display Ssh Server

    Examples # Display brief information about all peer public keys. <Sysname> display rsa peer-public-key brief Type Module Name --------------------------- 1023 1024 # Display the information about public key “abcd”. <Sysname> display rsa peer-public-key name abcd ===================================== Key name : abcd Key type : RSA Key module: 1024...
  • Page 983: Display Ssh Server-Info

    SSH Authentication retries : 3 times SFTP Server: Disable SFTP idle timeout : 10 minutes If you use the ssh server compatible-ssh1x enable command to configure the server to be compatible with SSH1.x clients, the SSH version will be displayed as 1.99. If you use the undo ssh server compatible-ssh1x command to configure the server to be not compatible with SSH1.x clients, the SSH version will be displayed as 2.0.
  • Page 984: Display Ssh User-Information

    If an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for authentication. In case the authentication fails, you can use the display ssh server-info command to view whether the locally saved public key of the server is correct. Related commands: ssh client assign, ssh client first-time enable.
  • Page 985: Display Ssh2 Source-Ip

    [Sysname] ssh user client authentication-type publickey # Configure SFTP as the service type for the SSH user. [Sysname] ssh user client service-type sftp # Assign the public key test for the SSH user. [Sysname] ssh user client assign publickey test # Display information about the SSH user configured on the SSH server.
  • Page 986: Peer-Public-Key End

    Description Use the display ssh-server source-ip command to display the current source IP address or the IP address of the source interface specified for the SSH server. If neither source IP address nor source interface is specified, the command displays 0.0.0.0. Related commands: ssh-server source-ip.
  • Page 987: Public-Key Local Create

    ssh: Supports only SSH. Description Use the protocol inbound command to configure specific user interface(s) to support specified protocol(s). The configuration will take effect at next user login. By default, both SSH and Telnet are supported. As SSH clients access the SSH server through VTY user interfaces, you need to configure the VTY user interfaces of the SSH server to support remote SSH login.
  • Page 988 Description Use the public-key local create command to create a local DSA key pair or RSA key pairs. Note that: Generating the RSA and DSA key pairs on the server is a prerequisite for SSH login. After entering this command, you will be prompted to provide the length of the key modulus. The length is in the range 512 to 2048 bits and defaults to 1024 bits.
  • Page 989: Public-Key Local Destroy

    307C300D06092A864886F70D0101010500036B003068026100A3B63F5B0E5470D9FE2005450342011FEDE2A9 24C71EB19E28D257E43EF7E531D7C37FBB157712A2F2AF0F5BAF3E60595496C5B3EAFF25BFB56F1E1CC7A700 4D0FF048654BFEADB21C5AF3E24FB0516393BFEEF65A83B7416F170886904C8BE30203010001 # Create a DSA key pair. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes.
  • Page 990: Public-Key Local Export Rsa

    rsa: Specifies the RSA key pair. Description Use the public-key local destroy command to destroy the key pairs generated for the current switch. If the key pair does not exist, the system displays a message, telling you no such key pair exists. Related commands: public-key local create.
  • Page 991: Public-Key Local Export Dsa

    SSH1, SSH2, and OpenSSH are three public key formats. You can choose one as required. For example, if you want to export the RSA host public key to a file in the SSH1 format, use the public-key local export rsa ssh1 filename command. The host public key displayed on the screen is in a format that is not transformed and cannot be used as the public key data for public key configuration.
  • Page 992 openssh: Uses the format of OpenSSH. ssh2: Uses the format of SSH2. filename: Name of the file for saving the public key, a string of 1 to 142 characters. For file naming rules, refer to File System Management Command. Description Use the public-key local export dsa command to export the current switch’s DSA key pair to a specified file.
  • Page 993: Public-Key Peer

    rEs2iVA4eBHH2jMAAAAUx3MhjHN+yO6ZO08t7TD0jtrOkV8AAACAgiaQCeFOxHS68pMuadOx8YUXrZWUGEzN/Orp bsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HHbB+y6IMXwb2BcdQe y4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACA04Cd4ccxNjCMWzPAzZhj65GjyxExYS72XKWt 0S0AUs51ttRCqOHV/G8LUcdQ4pkp7XK6YGvxS0m1RPb9cIOMQZSYdHiXOq45zFA3Y8ylnWWF6EiuVUstjN8RC8Vt nTzzIbihwmSSR0R9OEGi1vnxCdA1l5wDhuEYJMgq9ipVXLA= ---- END SSH2 PUBLIC KEY ---- # Export the public key in OpenSSH format. <Sysname> system-view [Sysname] public-key local export dsa openssh key.pub public-key peer Syntax public-key peer keyname undo public-key peer keyname View System view Parameters keyname: Name of the public key, a string of 1 to 64 characters.
  • Page 994: Public-Key Peer Import Sshkey

    public-key peer import sshkey Syntax public-key peer keyname import sshkey filename undo public-key peer keyname View System view Parameters keyname: Name of the public key, a string of 1 to 64 characters. filename: Name of a public key file, a string of 1 to 142 characters. For file naming rules, refer to File System Management Command.
  • Page 995: Public-Key-Code Begin

    Input the bits in the modulus[default = 1024]: Generating keys..........++++++ ..++++++ ....++++++++ ..++++++++ ..[Sysname] public-key local export rsa ssh2 pub # Send the public key file of the SSH client to the SSH server using FTP or TFTP. The configuration is omitted. # On the SSH server, import the SSH client's public key from the public key file, and then assign the public key to the SSH client.
  • Page 996: Public-Key-Code End

    [Sysname-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC [Sysname-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16 [Sysname-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125 [Sysname-rsa-key-code] public-key-code end [Sysname-rsa-public-key] public-key-code end Syntax public-key-code end View Public key edit view Parameters None Description Use the public-key-code end command to return from public key edit view to public key view and save the public key you input.
  • Page 997: Rsa Local-Key-Pair Create

    rsa local-key-pair create Syntax rsa local-key-pair create View System view Parameters None Description Use the rsa local-key-pair create command to generate an RSA key pair for the current switch. Note that: After entering this command, you will be prompted to provide the length of the key modulus. The length is in the range 512 to 2048 bits and defaults to 1024 bits.
  • Page 998: Rsa Local-Key-Pair Destroy

    Key type: RSA encryption Key ===================================================== Key code: 308188 028180 F0C0EDA9 FA2E2FAC 4B16CA34 677F1861 A13E89BE 6AAAC326 4E17268D EFADED1A FCA39047 52F18422 B8C875DF 3626150D 4057EE12 371D5E62 57D34A16 5045A403 FA805F72 B2780C9A 041ED99E 2841F600 AB30DB10 821EF338 1FA54FE5 3DC79E46 74E45127 3D4CA70F 253645DA 57524DC3 513BAC53 2C1B7F8F 2481FA79 D4AA15C7 0203 010001...
  • Page 999: Rsa Peer-Public-Key

    Examples # Destroy the current switch’s RSA key pairs. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rsa local-key-pair destroy % The local-key-pair will be destroyed. % Confirm to destroy these keys? [Y/N]:y .....Done! rsa peer-public-key Syntax rsa peer-public-key keyname undo rsa peer-public-key keyname View...
  • Page 1000: Rsa Peer-Public-Key Import Sshkey

    rsa peer-public-key import sshkey Syntax rsa peer-public-key keyname import sshkey filename undo rsa peer-public-key keyname View System view Parameters keyname: Name of the public key to be configured, a string of 1 to 64 characters. filename: Name of a public key file, a string of 1 to 142 characters. For file naming rules, refer to File System Management Command.
  • Page 1001: Ssh Authentication-Type Default

    System View: return to User View with Ctrl+Z. [Sysname] rsa peer-public-key 123 import sshkey abc ssh authentication-type default Syntax ssh authentication-type default { all | password | password-publickey | publickey | rsa } undo ssh authentication-type default View System view Parameters all: Specifies either the password authentication or the publickey authentication for SSH users.
  • Page 1002: Ssh Client Assign

    Examples # Specify the publickey authentication as the default authentication mode. <Sysname>system-view System View: return to User View with Ctrl+Z. [Sysname]ssh authentication-type default publickey # Create an SSH user [Sysname] ssh user user1 # Display information about configured SSH users. [Sysname] display ssh user-information Username Authentication-type...

This manual is also suitable for:

5500-ei series
