Command level to be set, in the range of 0 to 3. view view: CLI view. It can be any CLI view that the Ethernet switch supports. The 3Com Switch 5500-EI supports only the CLI views listed in...
CLI view: Description
mst-region: MST region view
mtlk-group: Monitor link group view
null: NULL interface view
ospf: OSPF view
ospf-area: OSPF area view
peer-key-code: Public key editing view
peer-public-key: Public key view
PIM view
poe-profile: PoE profile view
qinq: QinQ view
qos-profile: QoS profile view
radius-template: ...
Level Name: Command
Monitor level: Commands used to maintain the system and diagnose service faults, such as debugging, terminal and reset commands.
System level: All configuration commands except for those at the manage level.
Manage level: Commands associated with the basic operation modules and support modules of the system, such as file system, FTP/TFTP/XMODEM downloading, user management, and...
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm # Restore the default level of the tftp get command. To restore the default levels of the commands starting with the tftp keyword, you only need to specify the tftp keyword. [Sysname] undo command-privilege view shell tftp display history-command Syntax...
Executing this command without the level argument will switch the current user level to level 3 by default. Note that: Users logged into the switch fall into four user levels, which correspond to the four command levels respectively. Users at a specific level can only use the commands at the same level or lower levels.
Description Use the super authentication-mode command to specify the authentication mode used for low-to-high user level switching. Use the undo super authentication-mode command to restore the default. By default, super password authentication is adopted for low-to-high user level switching. Note that the two authentication modes, super password authentication and HWTACACS authentication, are available at the same time, so one can serve as a backup for the other to provide authentication redundancy.
password: Password to be set. If the simple keyword is used, you must provide a plain-text password, that is, a string of 1 to 16 characters. If the cipher keyword is used, you can provide a password in either of the two ways: Input a plain-text password, that is, a string of 1 to 16 characters, which will be automatically converted into a 24-character cipher-text password.
Login Commands authentication-mode Syntax authentication-mode { password | scheme [ command-authorization ] | none } View User interface view Parameters none: Specifies not to authenticate users. password: Authenticates users using the local password. scheme: Authenticates users locally or remotely using usernames and passwords. command-authorization: Performs command authorization on the TACACS authentication server.
To improve security and prevent attacks on unused sockets, TCP port 23 and TCP port 22 (the ports for the Telnet and SSH services respectively) are enabled or disabled according to the corresponding configuration. If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled. If the authentication mode is password and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled.
auto-execute command Syntax auto-execute command text undo auto-execute command View VTY user interface view Parameters text: Command to be executed automatically. Description Use the auto-execute command command to set the command that is executed automatically after a user logs in. Use the undo auto-execute command command to disable the specified command from being automatically executed.
Note that these two commands apply to users logging in through the console port and by means of Telnet. Examples # Disable copyright information displaying. ******************************************************************************** Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved. Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed. ******************************************************************************** <Sysname> system-view System View: return to User View with Ctrl+Z.
Parameters 7: Sets the databits to 7. 8: Sets the databits to 8. Description Use the databits command to set the databits for the user interface. Use the undo databits command to revert to the default databits. The default databits is 8. Examples # Set the databits to 7.
Examples # Display the source IP address configured for the switch operating as the Telnet server. <Sysname> display telnet-server source-ip The source IP you specified is 192.168.1.1 display telnet source-ip Syntax display telnet source-ip View Any view Parameters None Description Use the display telnet source-ip command to display the source IP address configured for the switch operating as the Telnet client.
In absolute user interface number scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 12. summary: Displays the summary information about a user interface. Description Use the display user-interface command to display the information about a specified user interface or all user interfaces.
The authentication mode used for a user to switch from the current lower user level to a higher level, including S, A, SA and AS. S: Super password authentication. A: HWTACACS authentication. SA: Super password authentication is preferred, with HWTACACS authentication as a backup. AS: HWTACACS authentication is preferred, with super password authentication as a backup...
display users Syntax display users [ all ] View Any view Parameters all: Displays the user information about all user interfaces. Description Use the display users command to display the user information about user interfaces. If you do not specify the all keyword, only the user information about the current user interface is displayed.
View Any view Parameters None Description Use the display web users command to display the information about the current on-line Web users. Examples # Display the information about the current on-line Web users. <Sysname> display web users Name Language Level Login Time Last Req.
Description Use the free user-interface command to free a user interface. That is, this command tears down the connection between a user and a user interface. Note that the current user interface cannot be freed. Examples # Release user interface VTY 1. <Sysname>...
# Test the configuration remotely using Telnet. (The login banner is displayed only when login authentication is configured.) ******************************************************************************** Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved. Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
Welcome to legal! Press Y or ENTER to continue, N to exit. Welcome to login! Login authentication Password: Welcome to shell! <Sysname> history-command max-size Syntax history-command max-size value undo history-command max-size View User interface view Parameters value: Size of the history command buffer, ranging from 0 to 256 (in terms of commands). Description Use the history-command max-size command to set the size of the history command buffer.
Parameters minutes: Number of minutes. This argument ranges from 0 to 35,791. seconds: Number of seconds. This argument ranges from 0 to 59. Description Use the idle-timeout command to set the timeout time. The connection to a user interface is terminated if no operation is performed in the user interface within the timeout time.
After the Web file is upgraded, you need to use the boot web-package command to specify a new Web file or specify a new Web file from the boot menu after reboot for the Web server to operate properly. Refer to the File System Management part in this manual for information about the boot web-package command.
Password: Again: locked ! In this case, the user interface is locked. To operate the user interface again, you need to press Enter and provide the password as prompted. Password: <Sysname> parity Syntax parity { even | none | odd | } undo parity View AUX user interface view...
telnet: Supports Telnet protocol. Description Use the protocol inbound command to specify the protocols supported by the user interface. Both Telnet protocol and SSH protocol are supported by default. Related commands: user-interface vty. To improve security and prevent attacks on unused sockets, TCP port 23 and TCP port 22 (the ports for the Telnet and SSH services respectively) are enabled or disabled according to the corresponding configuration.
screen-length Syntax screen-length screen-length undo screen-length View User interface view Parameters screen-length: Number of lines the screen can contain. This argument ranges from 0 to 512. Description Use the screen-length command to set the number of lines the terminal screen can contain. Use the undo screen-length command to revert to the default number of lines.
Examples # Send “hello” to all user interfaces. <Sysname> send all Enter message, end with CTRL+Z or Enter; abort with CTRL+C: hello^Z Send message? [Y/N]y The current user interface will receive the following information: <Sysname> ***Message from vty1 to vty1 hello service-type Syntax...
Monitor level: Commands at this level are used to maintain the system, to debug service problems, and so on. The display and debugging commands are at monitor level. Commands at this level cannot be saved in configuration files. System level: Commands at this level are used to configure services. Commands concerning routing and network layers are at system level.
password: Password to be set. The password must be in plain text if you specify the simple keyword in the set authentication password command. If you specify the cipher keyword, the password can be in either cipher text or plain text, as described in the following. When you enter the password in plain text containing no more than 16 characters (such as 123), the system converts the password to the corresponding 24-character encrypted password.
Note the following when using the undo shell command: Terminal services cannot be disabled in AUX user interfaces. This command is unavailable in the current user interface. The execution of this command requires user confirmation. Examples # Disable terminal services in VTY 0 through VTY 4 (assuming that you log in through an AUX user interface).
View AUX user interface view Parameters 1: Sets the stopbits to 1. 1.5: Sets the stopbits to 1.5. 2: Sets the stopbits to 2. Description Use the stopbits command to set the stopbits of the user interface. Use the undo stopbits command to revert to the default stopbits. Execute these two commands in AUX user interface view only.
<SwitchA> telnet 129.102.0.1 Trying 129.102.0.1 ... Press CTRL+K to abort Connected to 129.102.0.1 ... ******************************************************************************** Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved. Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed. ******************************************************************************** <SwitchB>...
System View: return to User View with Ctrl+Z. [Sysname] telnet source-interface Vlan-interface 2 telnet source-ip Syntax telnet source-ip ip-address undo telnet source-ip View System view Parameters ip-address: IP address to be set. Description Use the telnet source-ip command to specify the source IP address for a Telnet client. Use the undo telnet source-ip command to remove the source IP address.
The source interface can be a loopback interface or a VLAN interface. If the specified interface does not exist, the system prompts that the configuration has failed. Login succeeds only when there is a route between the Telnet client and the specified source interface. With the telnet-server source-interface command configured, the client can log in to the local device using only the primary IP address of the specified interface.
user-interface Syntax user-interface [ type ] first-number [ last-number ] View System view Parameters type: User interface type, which can be AUX (for AUX user interface) and VTY (for VTY user interface). first-number: User interface index identifying the first user interface to be configured. A user interface index can be relative or absolute.
Use the undo user privilege level command to revert to the default command level. By default, the commands at level 3 are available to users logging in to the AUX user interface. The commands at level 0 are available to users logging in to VTY user interfaces. Commands fall into four command levels: visit, monitor, system, and manage, which are described as follows: Visit level: Commands at this level are used to diagnose the network, such as the ping, tracert, and...
Commands for User Control Commands for Controlling Logging in Users Syntax acl acl-number { inbound | outbound } undo acl acl-number { inbound | outbound } View User interface view Parameters acl-number: ACL number. This argument can identify different types of ACLs, as listed below. 2000 to 2999, for basic ACLs 3000 to 3999, for advanced ACLs 4000 to 4999, for Layer 2 ACLs...
free web-users Syntax free web-users { all | user-id user-id | user-name user-name } View User view Parameters all: Specifies all Web users. user-id: Web user ID, an eight-digit hexadecimal number. user-name: User name of the Web user. This argument can contain 1 to 80 characters. Description Use the free web-users command to disconnect a specified Web user or all Web users by force.
snmp-agent community Syntax snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]* undo snmp-agent community community-name View System view Parameters read: Specifies that the community has read-only permission in the specified view. write: Specifies that the community has read/write permission in the specified view. community-name: Community name, a string of 1 to 32 characters.
undo snmp-agent group v3 group-name [ authentication | privacy ] View System view Parameters v1: SNMPv1. v2c: SNMPv2c. v3: SNMPv3. group-name: Group name. This argument can be of 1 to 32 characters. authentication: Specifies to authenticate SNMP data without encrypting the data. privacy: Authenticates and encrypts packets.
View System view Parameters v1: SNMPv1. v2c: SNMPv2c. v3: SNMPv3. user-name: User name, a string of 1 to 32 characters. group-name: Name of the group to which the user corresponds. This argument is a string of 1 to 32 characters. cipher: Specifies the authentication or encryption password to be in ciphertext.
Configuration File Management Commands The 3Com 5500-EI series Ethernet switches support Expandable Resilient Networking (XRN), and allow you to access a file on the switch in one of the following ways: To access a file on the specified unit, you need to enter the file universal resource locator (URL) starting with unit[No.]>flash:/, where [No.] represents the unit ID of the switch.
system: Indicates the system configuration. user-interface: Indicates the user interface configuration. interface: Displays port/interface configuration. interface-type: Port/interface type, which can be one of the following: Aux, Ethernet, GigabitEthernet, Loopback, NULL and VLAN-interface. interface-number: Port/interface number. by-linenum: Displays configuration information with line numbers. |: Uses a regular expression to filter the configuration of the switch to be displayed.
After you finish a set of configurations, you can execute the display current-configuration command to display the parameters that take effect currently. Note that: Parameters that are the same as the default are not displayed. The configured parameter whose corresponding function does not take effect is not displayed. Related commands: save, reset saved-configuration, display saved-configuration.
interface Ethernet1/0/17 interface Ethernet1/0/18 interface Ethernet1/0/19 interface Ethernet1/0/20 interface Ethernet1/0/21 interface Ethernet1/0/22 interface Ethernet1/0/23 interface Ethernet1/0/24 interface NULL0 return # Display the lines that include strings matching 10* in the configuration information. (In the regular expression, * means that the character 0 before it can appear zero or more times.) <Sysname>...
return display saved-configuration Syntax display saved-configuration [ unit unit-id ] [ by-linenum ] View Any view Parameters unit unit-id: Specifies the unit ID of a switch. With this keyword-argument combination specified, this command can display the initial configuration file of the specified unit. by-linenum: Displays configuration information with line numbers.
undo xrn-fabric authentication-mode #GLBCFG. MUST NOT DELETE interface NULL0 user-interface aux 0 7 user-interface vty 0 4 authentication-mode none user privilege level 3 return The configuration information output above in turn is the system configuration, logical interface configuration, physical port configuration, and user interface configuration. display startup Syntax display startup [ unit unit-id ]...
Table 1-2 Description on the fields of the display startup command
Field: Description
Current Startup saved-configuration file: The configuration file used for the current startup
Next main startup saved-configuration file: The main configuration file used for the next startup
Next backup startup saved-configuration file: The backup configuration file used for the next startup
Whether you can use the user-defined password to access the...
This command will permanently delete the configuration file from the switch. An error occurs when you execute this command if the configuration file to be deleted does not exist. Related commands: save. Examples # Erase the main configuration file to be used in the next startup. <Sysname>...
the system will save the current configuration with the default name (config.cfg) in the root directory. The system supports two modes for saving the current configuration file. Fast saving mode. This is the mode used when you execute the save command without the safely keyword. It saves the file faster, but the original configuration file may be lost if the switch reboots or the power fails during the process.
<Sysname> save unit1>flash:/234.cfg The current configuration will be saved to unit1>flash:/234.cfg [Y/N]:y Now saving current configuration to the device. Saving configuration. Please wait....Unit1 save configuration unit1>flash:/234.cfg successfully startup saved-configuration Syntax startup saved-configuration cfgfile [ backup | main ] undo startup saved-configuration [ unit unit-id ] View User view...
The configuration file must use .cfg as its extension name and the startup configuration file must be saved at the root directory in the Flash of the switch. Related commands: display startup. Examples # Configure the configuration file named config.cfg as the main configuration file to be used for the next startup of the current switch, which is not in any fabric.
Table of Contents
1 VLAN Configuration Commands
  VLAN Configuration Commands
    description
    display interface Vlan-interface
    display vlan
    interface Vlan-interface
    name
    shutdown
    vlan
  Port-Based VLAN Configuration Commands
    display port
    port
    port access vlan
    port hybrid pvid vlan
    port hybrid vlan
    port link-type
    port trunk permit vlan
    ...
VLAN Configuration Commands description Syntax description text undo description View VLAN view, VLAN interface view Parameter text: Case-sensitive character string describing the current VLAN or VLAN interface. Special characters and spaces are allowed. It has 1 to 32 characters for a VLAN description.
Parameter vlan-id: ID of the specific VLAN interface. Description Use the display interface Vlan-interface command to display the information about the VLAN interface. A VLAN interface is a virtual Layer 3 interface used to provide Layer 3 communication between different VLANs.
to: Specifies multiple contiguous VLAN IDs. The VLAN ID after to cannot be less than that before to. all: Displays the information about all the VLANs. dynamic: Displays information about the dynamic VLANs (which are registered through GVRP protocol). static: Displays information about the static VLANs (which are created through manual configuration). Description Use the display vlan command to display the information about the specified VLANs or all VLANs.
Field: Description
Name: VLAN name
Tagged Ports: Ports through which packets are sent with the VLAN tag kept.
Untagged Ports: Ports through which packets are sent with the VLAN tag stripped.
interface Vlan-interface Syntax interface Vlan-interface vlan-id undo interface Vlan-interface vlan-id View System view Parameter vlan-id: ID of the VLAN interface, in the range of 1 to 4,094.
undo name View VLAN view Parameter text: VLAN name, a string of 1 to 32 characters. It can contain special characters and spaces. Description Use the name command to assign a name to the current VLAN. Use the undo name command to restore the default VLAN name. By default, the name of a VLAN is its VLAN ID, such as “VLAN 0001”.
You can use the undo shutdown command to enable a VLAN interface when its related parameters and protocols are configured. When a VLAN interface fails, you can use the shutdown command to disable the interface, and then use the undo shutdown command to enable this interface again, which may restore the interface.
Example # Enter VLAN 1 view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] vlan 1 [Sysname-vlan1] # Remove VLAN 5. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] undo vlan 5 Port-Based VLAN Configuration Commands display port Syntax display port { hybrid | trunk }...
Parameters interface-list: List of Ethernet ports to be added to or removed from a VLAN. Provide this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where: interface-type is port type and interface-number is port number. The port number to the right of the to keyword must be larger than or equal to the one to the left of the keyword.
undo port hybrid vlan vlan-id-list View Ethernet port view Parameters vlan-id-list: VLAN range to which the hybrid port will be added. vlan-id-list = [ vlan-id1 [ to vlan-id2 ] ]&<1-10>, where, vlan-id is in the range of 1 to 4094 and can be discrete, and &<1-10> means you can input up to ten VLAN IDs/ID ranges.
Description Use the port link-type command to set the link type of the current Ethernet port. Use the undo port link-type command to restore the default link type. By default, the link type of an Ethernet port is access. The three types of ports can coexist on an Ethernet switch. You can change the link type of an Ethernet port.
Please wait... Done. port trunk pvid vlan Syntax port trunk pvid vlan vlan-id undo port trunk pvid View Ethernet port view Parameters vlan-id: VLAN ID defined in IEEE802.1Q, in the range of 1 to 4094. It is 1 by default. Description Use the port trunk pvid vlan command to set the default VLAN ID for the trunk port.
all: Displays the protocol-related information about all ports. Description Use the display protocol-vlan interface command to display the protocol information and protocol indexes configured for specified ports. Example # Display protocol information and protocol index configured for GigabitEthernet1/0/1 and GigabitEthernet1/0/2 ports. <Sysname>...
The port hybrid protocol-vlan vlan command can be executed on hybrid ports only. Before you associate a port with the protocol-based VLAN, make sure the port belongs to the protocol-based VLAN. When the undo port hybrid protocol-vlan vlan command is being executed, the switch will prompt operation failure if the index of the specified protocol to be removed does not exist.
protocol-index: Beginning protocol index ranging from 0 to 4. Note that this argument must be less than or equal to the protocol-end argument. If you do not specify this argument, the beginning protocol index will be determined by the system. protocol-index-end: End protocol index ranging from 0 to 4.
IP Address Configuration Commands display ip interface Syntax display ip interface [ interface-type interface-number ] View Any view Parameters interface-type interface-number: Specifies an interface by its type and number. Description Use the display ip interface command to display information about a specified or all Layer 3 interfaces.
Timestamp reply: Information request: Information reply: Netmask request: Netmask reply: Unknown type:
Table 1-1 Description on the fields of the display ip interface command
Field: Description
Vlan-interface1 current state: Current physical state of VLAN-interface 1
Line protocol current state: Current state of the link layer protocol
Internet Address: IP address of the interface followed by: Primary: Identifies a primary IP address, or...
View Any view Parameters interface-type: Interface type. interface-number: Interface number. Description Use the display ip interface brief command to display brief information about a specified or all Layer 3 interfaces. With no argument included, the command displays information about all layer 3 interfaces; with only the interface type specified, it displays information about all layer 3 interfaces of the specified type;...
ip address Syntax ip address ip-address { mask | mask-length } [ sub ] undo ip address [ ip-address { mask | mask-length } [ sub ] ] View VLAN interface view, loopback interface view Parameters ip-address: IP address, in dotted decimal notation. mask: Subnet mask, in dotted decimal notation.
Examples # Assign the primary IP address 129.12.0.1 and secondary IP address 129.12.1.1 to VLAN-interface 1 with subnet mask 255.255.255.0. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 1 [Sysname-Vlan-interface1] ip address 129.12.0.1 255.255.255.0 [Sysname-Vlan-interface1] ip address 129.12.1.1 255.255.255.0 sub...
IP Performance Optimization Configuration Commands IP Performance Configuration Commands display fib Syntax display fib View Any view Parameters None Description Use the display fib command to display all forwarding information base (FIB) information. Examples # Display all FIB information. <Sysname> display fib Flag: U:Usable G:Gateway...
Table 2-1 Description on the fields of the display fib command
Field: Description
Flag: Flags: U: A route is up and available. G: Gateway route. H: Local host route. B: Blackhole route. D: Dynamic route. S: Static route. R: Rejected route. E: Multi-path equal-cost route. L: Route generated by ARP or ESIS.
Destination/Mask: ...
Description Use the display fib ip-address command to view the FIB entries matching the specified destination IP address. If no mask or mask length is specified, the FIB entry that matches the destination IP address and has the longest mask will be displayed; if the mask is specified, the FIB entry that exactly matches the specified destination IP address and mask will be displayed.
display fib ip-prefix Syntax display fib ip-prefix ip-prefix-name View Any view Parameters ip-prefix-name: IP prefix list name, in the range of 1 to 19 characters. Description Use the display fib ip-prefix command to display the FIB entries matching a specific IP prefix list. For details about IP prefix list, refer to the part discussing IP routing in this manual.
Description Use the display fib statistics command to display the total number of FIB entries. Examples # Display the total number of FIB entries. <Sysname> display fib statistics Route Entry Count : 8 display icmp statistics Syntax display icmp statistics View Any view Parameters...
Field: Description
destination unreachable: Number of received destination unreachable packets
source quench: Number of received source quench packets
redirects: Number of received redirection packets
echo reply: Number of received replies
parameter problem: Number of received parameter problem packets
timestamp: Number of received time stamp packets
information request: Number of received information request packets
mask requests: ...
Examples # Display the information about the socket of the TCP type. <Sysname> display ip socket socktype 1 SOCK_STREAM: Task = VTYD(18), socketid = 1, Proto = 6, LA = 0.0.0.0:23, FA = 0.0.0.0:0, sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_SENDVPNID SO_SETKEEPALIVE, socket state = SS_PRIV SS_ASYNC Task = VTYD(18), socketid = 2, Proto = 6,...
View Any view Parameters None Description Use the display ip statistics command to display the statistics about IP packets. Related commands: display ip interface, reset ip statistics. Examples # Display the statistics about IP packets. <Sysname> display ip statistics Input: 7120 local bad protocol...
Field: Description
output: Total number of fragments sent
dropped: Total number of fragments discarded
fragmented: Total number of IP packets successfully fragmented
couldn't fragment: Total number of IP packets that cannot be fragmented
Reassembling: Total number of IP packets reassembled
timeouts: Total number of reassembly timeout IP packets
display tcp statistics...
Field: Description
Number of ACK packets sent; in brackets are ACK-only packets: 40 delayed ACK packets
Retransmitted timeout: Number of retransmission timer timeouts
connections dropped in retransmitted timeout: Number of connections broken due to retransmission timeouts
Keepalive timeout: Number of keepalive timer timeouts
keepalive probe: Number of keepalive probe packets sent
Number of connections broken due to keepalive...
Table 2-6 Description on the fields of the display tcp status command
Field Description
*: If there is an asterisk before a connection, the TCP connection is authenticated through the MD5 algorithm.
TCPCB: TCP control block
Local Add:port: Local IP address and port number
Foreign Add:port: Remote IP address and port number...
Field Description
packets:
checksum error: Total number of packets with incorrect checksum
shorter than header: Number of packets with data shorter than header
data length larger than packet: Number of packets with data longer than packet
no socket on port: Number of unicast packets with no socket on port
total broadcast or multicast: Total number of received broadcast or multicast...
icmp unreach send Syntax icmp unreach send undo icmp unreach send View System view Parameters None Description Use the icmp unreach send command to enable the device to send ICMP destination unreachable packets. After this feature is enabled, the switch, upon receiving a packet with an unreachable destination, discards the packet and then sends a destination unreachable packet to the source host.
Examples # Enable the device to receive directed broadcasts to a directly connected network. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ip forward-broadcast reset ip statistics Syntax reset ip statistics View User view Parameters None Description Use the reset ip statistics command to clear the statistics about IP packets.
reset udp statistics Syntax reset udp statistics View User view Parameters None Description Use the reset udp statistics command to clear the statistics about UDP packets. You can use the display udp statistics command to view the current UDP packet statistics. Examples # Clear the statistics about UDP packets.
tcp timer syn-timeout Syntax tcp timer syn-timeout time-value undo tcp timer syn-timeout View System view Parameters time-value: TCP synwait timer, in seconds, with the value ranging from 2 to 600. Description Use the tcp timer syn-timeout command to configure the TCP synwait timer. Use the undo tcp timer syn-timeout command to restore the default value of the TCP synwait timer.
Related commands: tcp timer fin-timeout, tcp timer syn-timeout. Examples # Configure the size of the transmission and receiving buffers of the connection-oriented socket to 3 KB. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] tcp window 3 2-19...
Voice VLAN Configuration Commands Voice VLAN Configuration Commands display voice vlan error-info Syntax display voice vlan error-info View Any view Parameters None Description Use the display voice vlan error-info command to display the ports on which the voice VLAN function fails to be enabled.
PORT MODE DSCP --------------------------------------------- Ethernet1/0/1 AUTO Ethernet1/0/2 MANUAL
Table 1-1 Description on the fields of the display voice vlan status command
Field Description
Voice Vlan status: The status of the global voice VLAN function: enabled or disabled.
Voice Vlan ID: The VLAN which is currently enabled with voice VLAN.
Parameters vlan-id: Specifies the ID of the current voice VLAN in the range of 1 to 4094. Description Use the display vlan command to display information about the specified VLAN. For the voice VLAN, this command displays all the ports in the VLAN. Related commands: voice vlan, voice vlan enable.
preferentially. If you do not want to use the default precedence marking settings of the switch for voice VLAN traffic, you can use the voice vlan qos command to change the settings. If you want to delete a VLAN with voice VLAN function enabled, you must disable the voice VLAN function first.
aging timer starts. If no recognizable voice traffic has been received before the timer expires, the port is removed from the voice VLAN. The voice VLAN aging timer does not take effect on ports working in manual voice VLAN assignment mode, because these ports are assigned to the voice VLAN statically.
Parameters None Description Use the voice vlan legacy command to enable communication between a 3Com device and other vendors' voice devices by automatically adding the voice VLAN tag to the voice data coming from other vendors' voice devices. Use the undo voice vlan legacy command to disable the voice VLAN legacy function.
00d0-1e00-0000 Pingtel phone 00e0-7500-0000 Polycom phone 00e0-bb00-0000 3Com phone Related commands: display voice vlan oui. Examples # Add MAC address 00aa-bb00-0000 to the OUI list and configure its description as ABC. <Sysname> system-view System View: return to User View with Ctrl+Z.
You cannot, and need not, assign a port working in automatic voice VLAN assignment mode to the voice VLAN manually. When the port receives a packet whose source MAC address matches the OUI list, the port is assigned to the voice VLAN automatically, and the packet is tagged with the voice VLAN tag.
Examples # Modify the CoS precedence and the DSCP precedence marked for voice VLAN traffic passing through Ethernet 1/0/1 to 5 and 40 respectively. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] voice vlan qos 5 40 voice vlan security enable Syntax voice vlan security enable...
GVRP Configuration Commands GARP Configuration Commands display garp statistics Syntax display garp statistics [ interface interface-list ] View Any view Parameters interface-list: Specifies a list of Ethernet ports for which the statistics about GARP are to be displayed. In this list, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2,...
GARP statistics on port Ethernet1/0/1 Number Of GVRP Frames Received Number Of GVRP Frames Transmitted Number Of Frames Discarded GARP statistics on port Ethernet1/0/2 Number Of GVRP Frames Received Number Of GVRP Frames Transmitted Number Of Frames Discarded Table 1-1 Description on the fields of the display garp statistics command Field Description Number of the GVRP frames received on the...
Leave timer LeaveAll timer Hold timer Related commands: garp timer, garp timer leaveall. Examples # Display the settings of the GARP timers on port Ethernet1/0/1. <Sysname> display garp timer interface Ethernet 1/0/1 GARP timers on port Ethernet1/0/1 Garp Join Time : 20 centiseconds Garp Leave Time : 60 centiseconds...
Table 1-2 Relations between the timers
Timer Lower threshold Upper threshold
Hold: lower threshold 10 centiseconds; upper threshold less than or equal to one-half of the timeout time of the Join timer. You can change the upper threshold by changing the timeout time of the Join timer.
View System view Parameters timer-value: Setting (in centiseconds) of the GARP LeaveAll timer. You need to set this argument with the Leave timer settings of other Ethernet ports as references. That is, this argument needs to be larger than the Leave timer settings of any Ethernet ports. Also note that this argument needs to be a multiple of 5 and cannot be larger than 32,765.
Description Use the reset garp statistics command to clear the GARP statistics (including statistics about packets received/sent/discarded by GVRP) on the specified or all ports. You can use the display garp statistics command to view the GARP statistics before and after the execution of the reset garp statistics command to verify the execution result.
GVRP Status : Enabled GVRP Failed Registrations GVRP Last Pdu Origin : 0000-0000-0000 GVRP Registration Type : Normal display gvrp status Syntax display gvrp status View Any view Parameters None Description Use the display gvrp status command to display the global GVRP status (enabled or disabled). Examples # Display the global GVRP status.
To enable GVRP for a port, you need to enable GVRP globally first. GVRP does not take effect automatically on ports upon being enabled globally. You can enable/disable GVRP only on trunk ports. After you enable GVRP on a trunk port, you cannot change the port to other types. Related commands: display gvrp status.
Examples # Configure Ethernet1/0/1 to operate in fixed GVRP registration mode. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] gvrp registration fixed...
Port Basic Configuration Commands Port Basic Configuration Commands broadcast-suppression Syntax broadcast-suppression { ratio | pps max-pps } undo broadcast-suppression View System view, Ethernet port view Parameters ratio: Maximum ratio of the broadcast traffic allowed on a port to the total transmission capacity of the port.
The global broadcast suppression setting configured by the broadcast-suppression command in system view takes effect on all Ethernet ports in the system except for the reflection ports, stack ports and ports having their own broadcast suppression settings. If you configure the broadcast-suppression command in both system view and Ethernet port view, the configuration in Ethernet port view takes effect.
If you specify a source aggregation group ID, the system uses the port with the smallest port number in the aggregation group as the source. If you specify a destination aggregation group ID, the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configuration as that of the source port.
Copying speed/duplex configuration... Any aggregation group port you input in the destination port list will be removed from the list and the copy command will not take effect on the port. If you want an aggregation group port to have the same configuration as the source port, you can specify the aggregation group of the port as the destination (with the destination-agg-id argument).
A port description can be the mixture of English characters and other Unicode characters. The mixed description cannot exceed the specified length. To use a type of Unicode characters or symbols in a port description, you need to install the corresponding Input Method Editor (IME) and log in to the device through remote login software that supports this character type.
For details about regular expression, refer to the Configuration File Management module in this manual. Description Use the display brief interface command to display the brief configuration information about one or all interfaces, including: interface type, link state, link rate, duplex attribute, link type, default VLAN ID and description string.
The state of an Ethernet port can be UP, DOWN, or ADMINISTRATIVELY DOWN. The following table shows the port state transitions.
Table 1-3 Port state transitions
Initial port state | State after executing the undo shutdown command | State after executing the shutdown command
DOWN | DOWN...
Flow-control is enabled The Maximum Frame Length is 9216 Broadcast MAX-pps: 500 Unicast MAX-ratio: 100% Multicast MAX-ratio: 100% Allow jumbo frame to pass PVID: 1 Mdi type: auto Port link-type: access Tagged VLAN ID : none Untagged VLAN ID : 1 Last 300 seconds input: 0 packets/sec 0 bytes/sec Last 300 seconds output:...
Field Description
PVID: Default VLAN ID of the port
Mdi type: Network cable type
Port link-type: Port link type
Tagged VLAN ID: Identifies the VLANs whose packets will be forwarded with tags on the port.
Untagged VLAN ID: Identifies the VLANs whose packets will be forwarded without tags on the port.
Field Description
aborts: The total number of incoming illegal packets, including: Fragments: CRC error frames of less than 64 bytes (integer or non-integer). Jabber frames: CRC error frames of more than 1518 bytes if untagged or 1522 bytes if tagged (integer or non-integer). Symbol error frames: frames with at least one symbol error.
Field Description
lost carrier: The lost carrier counter applicable to serial WAN interfaces. The counter increases by 1 upon each carrier loss detected during frame transmission.
no carrier: The no carrier counter applicable to serial WAN interfaces. The counter increases by 1 upon each carrier detection failure for frame transmission.
Description Use the display loopback-detection command to display the loopback detection status on the port. If loopback detection is enabled, this information will also be displayed: time interval for loopback detection and the loopback ports. Examples # Display the loopback detection status on the port. <Sysname>...
Examples # Display the statistics on the packets dropped on Ethernet 1/0/1. <Sysname> display packet-drop interface Ethernet 1/0/1 Ethernet1/0/1: Packets dropped By GBP full or insufficient bandwidth: 0 Packets dropped By others: 0 # Display the summary statistics on the packets dropped on all the ports. <Sysname>...
PortName StormType LowerLimit UpperLimit Ctr-mode Status Trap Swi-num -------------------------------------------------------------------------- Eth1/0/1 broadcast 9 shutdown normal Eth1/0/1 multicast 9 shutdown control on Eth1/0/2 unicast shutdown normal
Table 1-7 Description on the fields of the display storm-constrain command
Field Description
Flow Statistic Interval: Interval to collect traffic statistics.
PortName: Name of an Ethernet port...
Description : Aux Interface Ethernet1/0/1 current state : DOWN IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 000f-e290-2240 Media type is twisted pair, loopback not set Port hardware type is 100_BASE_TX 100Mbps-speed mode, full-duplex mode Link speed type is force link, link duplex type is force link Flow-control is enabled The Maximum Frame Length is 9216 Broadcast MAX-pps: 500...
duplex Syntax duplex { auto | full | half } undo duplex View Ethernet port view Parameters auto: Sets the port to auto-negotiation mode. full: Sets the port to full duplex mode. half: Sets the port to half duplex mode. Description Use the duplex command to set the duplex mode of the current port.
Examples # By default, a port is allowed to output the Up/Down log information. Execute the shutdown command or the undo shutdown command on Ethernet 1/0/1, and the system outputs Up/Down log information of Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] shutdown [Sysname-Ethernet1/0/1]...
[Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] flow-control flow-control no-pauseframe-sending Syntax flow-control no-pauseframe-sending undo flow-control View Ethernet port view Parameters None Description Use the flow-control no-pauseframe-sending command to configure flow control to operate in Rx mode on the current port. Use the undo flow-control command to disable flow control on the port. A port configured with the flow-control no-pauseframe-sending command can receive and process remote pause frames but cannot send pause frames actively when it is congested.
Parameters Interval: Interval (in seconds) to perform statistics on port information. This argument ranges from 5 to 300 (in step of 5) and is 300 by default. Description Use the flow-interval command to set the interval to perform statistics on port information. Use the undo flow-interval command to restore the default interval.
Giant frames refer to VLAN untagged frames of more than 1518 bytes and VLAN tagged frames of more than 1522 bytes. Examples # Enable the giant-frame statistics function. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] giant-frame statistics enable interface Syntax interface interface-type interface-number...
undo jumboframe enable View Ethernet port view Parameters None Description Use the jumboframe enable command to set the maximum frame size allowed on a port to 9,216 bytes. Use the undo jumboframe enable command to set the maximum frame size allowed on a port to 1,536 bytes.
The port state change delay takes effect when the port goes down but not when the port goes up. The delay configured in this way does not take effect for ports in DLDP down state. For information about the DLDP down state, refer to DLDP. Examples # Set the port state change delay of Ethernet 1/0/5 to 8 seconds.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] loopback internal Loopback internal succeeded. loopback-detection control enable Syntax loopback-detection control enable undo loopback-detection control enable View Ethernet port view Parameters None Description Use the loopback-detection control enable command to enable the loopback detection control feature on the current trunk or hybrid port.
loopback-detection enable Syntax loopback-detection enable undo loopback-detection enable View System view or Ethernet port view Parameters None Description Use the loopback-detection enable command to enable the loopback detection feature on ports to detect whether external loopback occurs on a port. Use the undo loopback-detection enable command to disable the loopback detection feature on ports.
By default, the global loopback detection function is enabled if the device boots with the default configuration file (config.def), and disabled if the device boots with null configuration. Related commands: loopback-detection control enable, loopback-detection shutdown enable. Examples # Enable the loopback detection feature on Ethernet 1/0/1.
loopback-detection interval-time Syntax loopback-detection interval-time time undo loopback-detection interval-time View System view Parameters time: Time interval for loopback detection, in the range of 5 to 300 (in seconds). It is 30 seconds by default. Description Use the loopback-detection interval-time command to set the time interval for loopback detection. Use the undo loopback-detection interval-time command to restore the default time interval.
Examples # Configure the system to run loopback detection on all VLANs of the trunk port Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] port link-type trunk [Sysname-Ethernet1/0/1] loopback-detection per-vlan enable loopback-detection shutdown enable Syntax loopback-detection shutdown enable...
Example # Enable the loopback port auto-shutdown function on port Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] loopback-detection enable [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] loopback-detection shutdown enable mdi Syntax mdi { across | auto | normal } undo mdi View Ethernet port view...
multicast-suppression Syntax multicast-suppression { ratio | pps max-pps } undo multicast-suppression View Ethernet port view Parameters ratio: Maximum ratio of the multicast traffic allowed on the port to the total transmission capacity of the port. This argument ranges from 1 to 100 (in step of 1) and defaults to 100. The smaller the ratio, the less multicast traffic is allowed to be received.
Parameters interface-type: Port type. interface-number: Port number. For details about the parameters, see the parameter description of the interface command. Description Use the reset counters interface command to clear the statistics of the port, preparing for a new statistics collection. If you specify neither port type nor port number, the command clears statistics of all ports.
shutdown Syntax shutdown undo shutdown View Ethernet port view Parameters None Description Use the shutdown command to shut down an Ethernet port. Use the undo shutdown command to bring up an Ethernet port. By default, an Ethernet port is in up state. Examples # Shut down Ethernet 1/0/1 and then bring it up.
Vlan-interface3 is UP %Apr 13 23:14:54:897 2000 Sysname IFNET/5/UPDOWN:- 1 -Line protocol on the interface Vlan-interface3 is UP speed Syntax speed { 10 | 100 | 1000 | auto } undo speed View Ethernet port view Parameters 10: Specifies the port speed to 10 Mbps. 100: Specifies the port speed to 100 Mbps.
View Ethernet port view Parameters 10: Configures 10 Mbps as an auto-negotiation speed of the port. 100: Configures 100 Mbps as an auto-negotiation speed of the port. 1000: Configures 1,000 Mbps as an auto-negotiation speed of the port. Description Use the speed auto [ 10 | 100 | 1000 ]* command to configure auto-negotiation speed(s) for the current port.
Description Use the storm-constrain command to set the upper and lower thresholds for broadcast/multicast/unicast traffic received on the port. Use the undo storm-constrain command to cancel the threshold configuration. With traffic upper and lower thresholds specified on a port, the system periodically collects statistics about the broadcast/multicast/unicast traffic on the port. Once it finds that a type of traffic exceeds the specified upper threshold, it blocks this type of traffic on the port or directly shuts down the port, and outputs trap/log information according to your configuration.
If the fabric function is enabled on a port of a device, you cannot configure the storm control function on any port of the device. If the broadcast-suppression command, multicast-suppression command or unicast-suppression command is configured on a port, you cannot configure the storm control function on the port, and vice versa.
Use the undo storm-constrain enable command to disable log/trap information from being output when traffic received on the port exceeds the upper threshold or falls below the lower threshold. By default, log/trap information is output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
View Ethernet port view Parameters ratio: Maximum ratio of the unknown unicast traffic allowed on the port to the total transmission capacity of the port. This argument ranges from 1 to 100 (in step of 1) and defaults to 100. The smaller the ratio, the less unknown unicast traffic is allowed to be received.
Description Use the virtual-cable-test command to enable the system to test the cable connected to a specific port and to display the results. The system can test these attributes of the cable: Cable status, including normal, abnormal, abnormal-open, abnormal-short and failure; Cable length. If the cable is in normal state, the displayed length value is the total length of the cable.
Table of Contents
1 Link Aggregation Configuration Commands 1-1
  Link Aggregation Configuration Commands 1-1
  display link-aggregation interface 1-1
  display link-aggregation summary 1-2
  display link-aggregation verbose 1-3
  display lacp system-id 1-4
  lacp enable 1-5
  lacp port-priority 1-5
  lacp system-priority 1-6
  link-aggregation group description 1-6
  link-aggregation group mode 1-7
  port link-aggregation group 1-8
  reset lacp statistics 1-9...
Link Aggregation Configuration Commands Link Aggregation Configuration Commands display link-aggregation interface Syntax display link-aggregation interface interface-type interface-number [ to interface-type interface-number ] View Any view Parameters interface-type: Port type. interface-number: Port number. to: Specifies a port index range, with the two interface-type interface-number argument pairs around it as the two ends.
Table 1-1 Description on the fields of the display link-aggregation interface command
Field Description
Selected AggID: ID of the aggregation group to which the specified port belongs
Local: Information about the local end
Port-Priority: Port priority
Oper key: Operation key
Flag: Protocol status flag
Remote...
-------------------------------------------------------------------------- 0x8000,0000-0000-0000 0 NonS Ethernet1/0/2 none NonS Ethernet1/0/3
Table 1-2 Description on the fields of the display link-aggregation summary command
Field Description
Aggregation Group Type: Aggregation group type: D for dynamic, S for static, and M for manual
Loadsharing Type: Load sharing type: Shar for load sharing and NonS for non-load sharing
Actor ID...
Examples # Display the details about aggregation group 1. <Sysname> display link-aggregation verbose 1 Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing Flags: A -- LACP_Activity, B -- LACP_timeout, C -- Aggregation, D -- Synchronization, E -- Collecting, F -- Distributing, G -- Defaulted, H -- Expired Aggregation ID: 1, AggregationType: Manual,...
Parameters None Description Use the display lacp system-id command to display the device ID of the local system, including the system priority and the MAC address. Examples # Display the device ID of the local system. <Sysname> display lacp system-id Actor System ID: 0x8000, 000f-e20f-0100 The value of the Actor System ID field is the device ID.
Parameters port-priority: Port priority, ranging from 0 to 65,535. Description Use the lacp port-priority command to set the priority of the current port. Use the undo lacp port-priority command to restore the default port priority. By default, the port priority is 32,768. You can use the display link-aggregation verbose command or the display link-aggregation interface command to check the configuration result.
undo link-aggregation group agg-id description View System view Parameters agg-id: Aggregation group ID, in the range of 1 to 416. agg-name: Aggregation group name, a string of 1 to 32 characters. Description Use the link-aggregation group description command to set a description for an aggregation group. Use the undo link-aggregation group description command to remove the description of an aggregation group.
Description Use the link-aggregation group mode command to create a manual or static aggregation group. Use the undo link-aggregation group command to remove the specified aggregation group. Related commands: display link-aggregation summary. Examples # Create manual aggregation group 22 <Sysname> system-view System View: return to User View with Ctrl+Z.
reset lacp statistics Syntax reset lacp statistics [ interface interface-type interface-number [ to interface-type interface-number ] ] View User view Parameters interface-type: Port type interface-number: Port number to: Specifies a port index range, with the two interface-type interface-number argument pairs around it as the two ends.
Table of Contents
1 Port Isolation Configuration Commands 1-1
  Port Isolation Configuration Commands 1-1
  display isolate port 1-1
  port isolate 1-1...
Port Isolation Configuration Commands Port Isolation Configuration Commands display isolate port Syntax display isolate port View Any view Parameters None Description Use the display isolate port command to display the Ethernet ports assigned to the isolation group. Examples # Display the Ethernet ports added to the isolation group. <Sysname>...
Assigning or removing an aggregation member port to or from the isolation group can cause the other ports in the aggregation group to join or leave the isolation group. For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.
Port Security Commands Port Security Commands display mac-address security Syntax display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] View Any view Parameters interface interface-type interface-number: Specifies, by type and number, the port whose security MAC address information is to be displayed.
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 0000-0000-0001 Security Ethernet1/0/20 NOAGED 0000-0000-0002 Security Ethernet1/0/20 NOAGED 0000-0000-0003 Security Ethernet1/0/20 NOAGED 0000-0000-0004 Security Ethernet1/0/20 NOAGED 4 mac address(es) found on port Ethernet1/0/20 --- # Display the security MAC address entries for VLAN 1. <Sysname>...
individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1. The total number of individual ports and port ranges defined in the list must not exceed 10.
Port mode is AutoLearn NeedtoKnow mode is disabled Intrusion mode is no action Max mac-address num is not configured Stored mac-address num is 0 Authorization is ignore Ethernet1/0/3 is link-down Port mode is AutoLearn NeedtoKnow mode is disabled Intrusion mode is BlockMacaddress Max mac-address num is not configured Stored mac-address num is 0 Authorization is ignore...
Field Description
Authorization is ignore: Authorization information delivered by the Remote Authentication Dial-In User Service (RADIUS) server will not be applied to the port.
mac-address security Syntax In system view: mac-address security mac-address interface interface-type interface-number vlan vlan-id undo mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ] In Ethernet port view: mac-address security mac-address vlan vlan-id...
Examples # Enable port security; configure the port security mode of Ethernet 1/0/1 as autolearn and create a security MAC address entry for 0001-0001-0001, setting the associated port to Ethernet 1/0/1 and assigning the MAC address to VLAN 1. <Sysname> system-view System View: return to User View with Ctrl+Z.
After a RADIUS user passes authentication, the RADIUS server authorizes the attributes configured for the user account such as the dynamic VLAN configuration. For more information, refer to AAA Command. Examples # Configure Ethernet 1/0/2 to ignore the authorization information delivered by the RADIUS server. <Sysname>...
Examples # Enable port security. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] port-security enable Notice: The port-control of 802.1x will be restricted to auto when port-security is enabled. Please wait... Done. port-security guest-vlan Syntax port-security guest-vlan vlan-id undo port-security guest-vlan View Ethernet port view...
authentication of a user fails, the blocking MAC address feature will be triggered and packets of the user will be dropped, making the user unable to access the guest VLAN. Examples # Set the security mode of port Ethernet 1/0/1 to macAddressOrUserLoginSecure, and specify VLAN 100 as the guest VLAN of the port.
By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with an illegal MAC address) or events and takes a pre-set action accordingly. The actions you can set include: disconnecting the port temporarily or permanently, and blocking packets with invalid MAC addresses.
NeedtoKnow mode is disabled Intrusion mode is BlockMacaddress Max mac-address num is 2 Stored mac-address num is 2 Authorization is permit For description on the output information, refer to Table 1-2. # Configure the intrusion protection mode on Ethernet 1/0/1 as disableport-temporarily. As a result, the port will be disconnected when intrusion protection is triggered and then re-enabled 30 seconds later.
By default, there is no limit on the number of MAC addresses allowed on the port. By configuring the maximum number of MAC addresses allowed on a port, you can: Limit the number of users accessing the network through the port. Limit the number of security MAC addresses that can be added on the port.
Description Use the port-security ntk-mode command to configure the NTK feature on the port. Use the undo port-security ntk-mode command to restore the default setting. By default, NTK is disabled on a port, namely all frames are allowed to be sent. By checking the destination MAC addresses of the data frames to be sent from a port, the NTK feature ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.
Description Use the port-security oui command to set an OUI value for authentication. Use the undo port-security oui command to cancel the OUI value setting. By default, no OUI value is set for authentication. The OUI value set by this command takes effect only when the security mode of the port is set to userLoginWithOUI by the port-security port-mode command.
Table 1-3 Keyword description Keyword Security mode Description In this mode, a port can learn a specified number of MAC addresses and save those addresses as security MAC addresses. It permits only packets whose source MAC addresses are the security MAC addresses that were learned or configured manually.
Keyword Security mode Description In this mode, MAC-based 802.1x authentication is applied on users trying to access the network through the port. The port will be enabled when the authentication succeeds and allow packets from authenticated users to pass through. userlogin-secure userLoginSecure In this mode, only one 802.1x-authenticated...
Before setting the security mode to autolearn, you need to use the port-security max-mac-count command to configure the maximum number of MAC addresses allowed on the port. When a port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
After you execute the port-security timer autolearn command, you can display security MAC address entries by the display mac-address security command. Though the aging time field displayed has a value of "NOAGED", the aging of security MAC address entries is enabled already. Examples # Set the security mode to autolearn, the maximum number of MAC address entries allowed on the port to 4, and the aging time for the learned security MAC address entries to 10 minutes.
Related commands: port-security intrusion-mode. Examples # Set the intrusion protection mode on Ethernet 1/0/1 to disableport-temporarily. It is required that when intrusion protection is triggered, the port be shut down temporarily and then go up 30 seconds later. <Sysname> system-view System View: return to User View with Ctrl+Z.
View System view Parameters addresslearned: Enables/disables sending traps for MAC addresses learning events. dot1xlogfailure: Enables/disables sending traps for 802.1x authentication failures. dot1xlogoff: Enables/disables sending traps for 802.1x-authenticated user logoff events. dot1xlogon: Enables/disables sending traps for 802.1x-authenticated user logon events. intrusion: Enables/disables sending traps for detections of intrusion packets. ralmlogfailure: Enables/disables sending traps for MAC authentication failures.
# Use the display port-security command to display the related configuration information. <Sysname> display port-security Equipment port-security is enabled Intrusion trap is Enabled Disableport Timeout: 20 s OUI value: Ethernet1/0/1 is link-down Port mode is AutoLearn NeedtoKnow mode is needtoknowonly Intrusion mode is disableportTemporarily Max mac-address num is 4 Stored mac-address num is 0...
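The display port-security output shown above (and the per-port blocks shown earlier in this chapter) is what an operator reads to verify that port security is actually enforcing something. The following Python script is an added example, not code from the manual or from 3Com: it parses a constructed sample of that output (modelled only on the field names the manual shows) and flags ports where port security is enabled but the intrusion action is "no action", the NTK check is disabled, or autolearn runs with no max-mac-count, the three settings this chapter describes as leaving learning or forwarding unrestricted. The sample values and the audit reasons are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the field names the manual's output shows.
# The port states and values are made up for this example.
SAMPLE_OUTPUT = """\
Equipment port-security is enabled
Intrusion trap is Enabled
Disableport Timeout: 20 s
OUI value:
Ethernet1/0/1 is link-down
 Port mode is AutoLearn
 NeedtoKnow mode is needtoknowonly
 Intrusion mode is disableportTemporarily
 Max mac-address num is 4
 Stored mac-address num is 0
 Authorization is ignore
Ethernet1/0/3 is link-down
 Port mode is AutoLearn
 NeedtoKnow mode is disabled
 Intrusion mode is no action
 Max mac-address num is not configured
 Stored mac-address num is 0
 Authorization is permit
"""

# A port header line: "<port> is link-down" (link-up assumed to look the same).
PORT_RE = re.compile(r"^(\S+) is (link-\w+)\s*$")
# One of the per-port attribute lines that follow a port header.
FIELD_RE = re.compile(
    r"^\s*(Port mode|NeedtoKnow mode|Intrusion mode|Max mac-address num|"
    r"Stored mac-address num|Authorization) is (.+?)\s*$"
)


@dataclass
class PortSecurity:
    port: str
    link: str
    mode: str
    ntk: str
    intrusion: str
    max_macs: Optional[int]  # None when the output says "not configured"
    stored_macs: int
    authorization: str


def _build(f: Dict[str, str]) -> PortSecurity:
    raw_max = f.get("Max mac-address num", "not configured")
    return PortSecurity(
        port=f["port"],
        link=f["link"],
        mode=f.get("Port mode", ""),
        ntk=f.get("NeedtoKnow mode", ""),
        intrusion=f.get("Intrusion mode", ""),
        max_macs=None if raw_max == "not configured" else int(raw_max),
        stored_macs=int(f.get("Stored mac-address num", "0")),
        authorization=f.get("Authorization", ""),
    )


def parse_port_security(text: str) -> List[PortSecurity]:
    """Turn display port-security output into one record per port."""
    ports: List[PortSecurity] = []
    fields: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            if fields is not None:
                ports.append(_build(fields))
            fields = {"port": m.group(1), "link": m.group(2)}
            continue
        m = FIELD_RE.match(line)
        if m and fields is not None:
            fields[m.group(1)] = m.group(2)
    if fields is not None:
        ports.append(_build(fields))
    return ports


def audit(ports: List[PortSecurity]) -> Dict[str, List[str]]:
    """Return, per port, the settings that leave port security unenforced."""
    findings: Dict[str, List[str]] = {}
    for p in ports:
        reasons = []
        if p.intrusion == "no action":
            reasons.append("intrusion protection takes no action")
        if p.ntk == "disabled":
            reasons.append("NTK disabled: frames are sent regardless of destination MAC")
        if p.mode == "AutoLearn" and p.max_macs is None:
            reasons.append("autolearn with no max-mac-count: MAC learning is unlimited")
        if reasons:
            findings[p.port] = reasons
    return findings


if __name__ == "__main__":
    for port, reasons in audit(parse_port_security(SAMPLE_OUTPUT)).items():
        print(port, "->", "; ".join(reasons))
```

Feed the script the captured output of display port-security in place of the constructed sample; ports that produce no findings are the ones whose configuration matches the enforcing settings described in this chapter.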
Table of Contents
1 Port-MAC-IP Binding Commands 1-1
Port-MAC-IP Binding Commands 1-1
am user-bind 1-1
display am user-bind 1-2...
Port-MAC-IP Binding Commands Port-MAC-IP Binding Commands am user-bind Syntax In system view: am user-bind mac-addr mac-address ip-addr ip-address [ interface interface-type interface-number ] undo am user-bind mac-addr mac-address ip-addr ip-address [ interface interface-type interface-number ] In Ethernet port view: am user-bind { ip-addr ip-address | mac-addr mac-address [ ip-addr ip-address ] } undo am user-bind { ip-addr ip-address | mac-addr mac-address [ ip-addr ip-address ] } View System view, Ethernet port view...
System View: return to User View with Ctrl+Z. [Sysname] am user-bind mac-addr 000f-e200-5101 ip-addr 10.153.1.1 interface Ethernet1/0/1 # In Ethernet port view, bind the MAC address 000f-e200-5102 and IP address 10.153.1.2 (supposing they are MAC and IP addresses of a legal user) to Ethernet 1/0/2. <Sysname>...
DLDP Configuration Commands DLDP Configuration Commands display dldp Syntax display dldp { unit-id | interface-type interface-number } View Any view Parameters unit-id: Unit number of a device; it can only be set to 1 for the switch 5500. interface-type: Port type. interface-number: Port number. Description Use the display dldp command to display the DLDP configuration of a unit or a port.
Table 1-1 Description on the fields of the display dldp command Field Description dldp interval: Interval for sending DLDP advertisement packets (in seconds) dldp work-mode: DLDP work mode (enhance or normal) dldp authentication-mode: DLDP authentication mode (none, simple, or md5) password: Password for DLDP authentication DLDP action to be performed on detecting a...
When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently. Examples # Enable DLDP on all optical ports of the switch. <Sysname>...
When you configure a DLDP authentication mode and authentication password on a port, make sure that the same DLDP authentication mode and password are set on the ports connected with a fiber cable or copper twisted pair. Otherwise, DLDP authentication fails. DLDP cannot work before DLDP authentication succeeds.
unidirectional links. On the contrary, if too short an interval is set, network traffic increases, unnecessarily consuming port bandwidth. Examples # Set the interval between sending advertisement packets to 6 seconds for all DLDP-enabled ports in the advertisement state. <Sysname> system-view System View: return to User View with Ctrl+Z.
Parameters auto: Automatically disables the corresponding port when DLDP detects a unidirectional link or, in enhanced mode, finds that the peer port is down. manual: Generates logs and traps and prompts the user to manually disable the corresponding port when DLDP detects a unidirectional link or, in enhanced mode, finds that the peer port is down.
When DLDP works in normal mode, the system can identify only the unidirectional link caused by fiber cross-connection. When DLDP works in enhanced mode, the system can identify two types of unidirectional links: one caused by fiber cross-connection and the other caused by one fiber not being connected or being broken.
Examples # Set the delaydown timer to 5 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dldp delaydown-timer 5...
MAC Address Table Management Configuration Commands This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to the “Multicast Protocol” part of the manual. MAC Address Table Management Configuration Commands display mac-address aging-time Syntax display mac-address aging-time...
display mac-address Syntax display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static | blackhole ] [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] ] [ unit unit-id ] View Any view Parameters mac-address: Displays the MAC address entries with the specified MAC address, in the format of H-H-H.
000d-88f6-44ba Learned GigabitEthernet1/0/4 AGING 000d-88f7-9f7d Learned GigabitEthernet1/0/4 AGING 000d-88f7-b094 Learned GigabitEthernet1/0/4 AGING 000f-e200-00cc Learned GigabitEthernet1/0/4 AGING 000f-e200-2201 Learned GigabitEthernet1/0/4 AGING 000f-e207-f2e0 Learned GigabitEthernet1/0/4 AGING 000f-e209-ecf9 Learned GigabitEthernet1/0/4 AGING 7 mac address(es) found on port GigabitEthernet1/0/4 --- # Display the total number of MAC address entries for VLAN 2. <Sysname>...
dynamic: Specifies a dynamic MAC address entry. blackhole: Specifies a blackhole MAC address entry. mac-address: Specifies a MAC address, in the form of H-H-H. When entering the MAC address, you can omit the leading 0s in each segment. For example, you can input f-e2-1 for 000f-00e2-0001. interface-type interface-number: Specifies the outgoing port by its type and number for the MAC address.
Use the undo mac-address max-mac-count command to cancel the limitation on the number of MAC addresses an Ethernet port can learn. By default, the number of MAC addresses an Ethernet port can learn is unlimited. When you use the mac-address max-mac-count command, the port stops learning MAC addresses after the number of MAC addresses it learned reaches the value of the count argument you provided.
If the aging timer is set too long, MAC address entries may still exist even after they have become invalid. This prevents the switch from updating its MAC address table in time, so the table cannot reflect the position changes of network devices in time. Examples # Set the aging time of MAC address entries to 500 seconds.
Auto Detect Configuration Commands Auto Detect Configuration Commands Refer to the Routing Protocol part of the manual for information about static routing. Refer to the VRRP part of the manual for information about VRRP. detect-group Syntax detect-group group-number undo detect-group group-number View System view Parameters...
[Sysname-detect-group-10] detect-list Syntax detect-list list-number ip address ip-address [ nexthop ip-address ] undo detect-list list-number View Detected group view Parameters list-number: Sequence number of the IP address to be detected. This argument ranges from 1 to 10. ip address ip-address: Specifies the destination IP address (in dotted decimal notation) to be detected. nexthop ip-address: Specifies the next hop IP address (in dotted decimal notation) for Auto Detect.
display detect-group Syntax display detect-group [ group-number ] View Any view Parameters group-number: Detected group number ranging from 1 to 25. Description Use the display detect-group command to display the configuration of the specified detected group or all detected groups. Examples # Display the configuration of detected group 1.
Field Description ip address IP address to be detected next hop Next hop IP address ip route-static detect-group Syntax ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-hop } [ preference preference-value ] [ reject | blackhole ] detect-group group-number undo ip route-static ip-address { mask | mask-length } [ interface-type interface-number | next-hop ] [ preference preference-value ] View...
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ip route-static 192.168.1.5 24 192.168.0.2 detect-group 10 After the configuration, if detected group 10 is reachable, the static route is valid; if detected group 10 is unreachable, the static route is invalid. option Syntax option [ and | or ]...
retry Syntax retry retry-times undo retry View Detected group view Parameters retry-times: Maximum retry times during a detect operation. This argument ranges from 0 to 10 and defaults to 2. Description Use the retry command to set the maximum retry times during a detect operation. Use the undo retry command to restore the default times.
Use the undo standby detect-group command to disable the interface backup function. Examples # Specify to enable VLAN-interface 2 (the backup interface) when the detected group 10 is unreachable. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] standby detect-group 10 After the configuration, if detected group 10 is reachable, the backup interface VLAN-interface 2 will be in the disabled state, and if detected group 10 is unreachable, VLAN-interface 2 will be enabled.
undo timer wait View Detected group view Parameters seconds: Timeout waiting for an ICMP reply. This argument ranges from 1 to 30 (in seconds) and defaults to 2. Description Use the timer wait command to set a timeout waiting for an ICMP reply. Use the undo timer wait command to restore the default.
Currently, auto detect in VRRP is only supported on S3600-EI series Ethernet switches. Examples # Specify to decrease the priority of the master switch in VRRP group 1 by 20 when the detected group 10 is unreachable. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] vrrp vrid 1 track detect-group 10 reduced 20 After this configuration, if detected group 10 is reachable, the master remains the master, and if detected...
MSTP Configuration Commands The stp pathcost-standard legacy command was added. Refer to pathcost-standard. MSTP Configuration Commands active region-configuration Syntax active region-configuration View MST region view Parameters None Description Use the active region-configuration command to activate the settings of a multiple spanning tree (MST) region.
bpdu-drop any Syntax bpdu-drop any undo bpdu-drop any View Ethernet port view Parameters None Description Use the bpdu-drop any command to enable BPDU dropping on the Ethernet port. Use the undo bpdu-drop any command to disable BPDU dropping on the Ethernet port. By default, BPDU dropping is disabled.
MST region-related parameters mentioned above are not consistent with those of other switches in the region. The 3Com switches 5500-EI support only the MST region name, VLAN-to-instance mapping table, and revision level. Switches with identical settings for these parameters are assigned to the same MST region.
Parameters instance-id: ID of the MSTI ranging from 0 to 16. The value of 0 refers to the common and internal spanning tree (CIST). interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
<Sysname> display stp instance 0 interface Ethernet 1/0/1 to Ethernet 1/0/4 brief MSTID Port Role STP State Protection Ethernet1/0/1 ALTE DISCARDING LOOP Ethernet1/0/2 DESI FORWARDING NONE Ethernet1/0/3 DESI FORWARDING NONE Ethernet1/0/4 DESI FORWARDING NONE Table 1-2 Description on the fields of the display stp brief command Field Description MSTID...
Port Role :CIST Disabled Port Port Priority :128 Port Cost(Legacy) :Config=auto / Active=200000 Desg. Bridge/Port :32768.00e0-fc12-4001 / 128.2 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=false Transmit Limit :10 packets/hello-time Protection Type :None MSTP BPDU format :Config=auto / Active=legacy Port Config Digest Snooping :disabled...
Field Description Desg. Bridge/Port: Designated bridge ID and port ID of the port. The port ID displayed is insignificant for a port which does not support port priority. Port Edged: Indicates whether the port is an edge port. Config indicates the configured value, and Active indicates the actual value.
<Sysname> display stp abnormalport MSTID Port Block Reason --------- -------------------- ------------- Ethernet1/0/20 Root-Protection Ethernet1/0/21 Loop-Protection Table 1-4 Description on the fields of the display stp abnormalport command Field Description MSTID: MSTI ID in the MST region Port: Port that has been blocked Block Reason: The function blocking the port: Root-Protected: root guard function...
Table 1-5 Description on the fields of the display stp portdown command Field Description Port: Port that has been shut down Down Reason: Reason that caused the port to be blocked. BPDU-Protected: BPDU attack guard function Formatfrequency-Protected: MSTP BPDU format frequent change protection function display stp region-configuration Syntax...
Field Description Instance Vlans Mapped VLAN-to-instance mappings in the MST region display stp root Syntax display stp root View Any view Parameters None Description Use the display stp root command to display information about the root ports in the MSTP region where the switch resides.
instance Syntax instance instance-id vlan vlan-list undo instance instance-id [ vlan vlan-list ] View MST region view Parameters instance-id: ID of an MSTI ranging from 0 to 16. The value of 0 refers to the CIST. vlan-list: List of VLANs. You need to provide this argument in the form of vlan-list = { vlan-id [ to vlan-id ] }&<1-10>, where &<1-10>...
Parameters name: MST region name to be set for the switch, a string of 1 to 32 characters. Description Use the region-name command to set an MST region name for a switch. Use the undo region-name command to restore the MST region name to the default value. The default MST region name of a switch is its MAC address.
Examples # Clear the spanning tree statistics on Ethernet 1/0/1 through Ethernet 1/0/3. <Sysname> reset stp interface Ethernet 1/0/1 to Ethernet 1/0/3 revision-level Syntax revision-level level undo revision-level View MST region view Parameters level: MSTP revision level to be set for the switch. This argument ranges from 0 to 65,535. Description Use the revision-level command to set the MSTP revision level for a switch.
Parameters enable: Enables MSTP. disable: Disables MSTP. interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument. Description Use the stp command in system view to enable/disable MSTP globally.
It is recommended that you enable BPDU guard on devices with edge ports configured. As the Gigabit ports of a 3Com switch 5500-EI cannot be shut down, the BPDU guard function is not applicable to these ports even if you enable the BPDU guard function and specify these ports as MSTP edge ports.
Examples # Enable the BPDU guard function. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp bpdu-protection stp bridge-diameter Syntax stp bridge-diameter bridgenum undo stp bridge-diameter View System view Parameters bridgenum: Network diameter to be set for a switched network. This argument ranges from 2 to 7. Description Use the stp bridge-diameter command to set the network diameter of a switched network.
stp interface interface-list compliance { auto | legacy | dot1s } undo stp interface interface-list compliance View System view, Ethernet port view Parameters auto: Configures the port(s) to recognize the MSTP BPDU format automatically and accordingly determine the format of MSTP BPDUs to send. legacy: Configures the port(s) to receive and send only compatible-format MSTP BPDUs.
# Configure Ethernet 1/0/2 to Ethernet 1/0/4 to recognize and send MSTP BPDUs in dot1s format. <Sysname> system-view [Sysname] stp interface Ethernet 1/0/2 to Ethernet1/0/4 compliance dot1s stp config-digest-snooping Syntax System view, Ethernet port view: stp config-digest-snooping undo stp config-digest-snooping System view: stp interface interface-list config-digest-snooping undo stp interface interface-list config-digest-snooping...
As some other manufacturers' switches adopt proprietary spanning tree protocols, they cannot interwork with other switches in an MST region even if they are configured with the same MST region-related settings as other switches in the MST region. This kind of problem can be overcome by implementing the digest snooping feature. If a switch port is connected to another manufacturer’s switch that has the same MST region-related settings but adopts a proprietary spanning tree protocol, you can enable the digest snooping feature on the port that will be receiving BPDU packets from another manufacturer's switch.
Note that: If you specify the instance-id argument to be 0 or do not specify this argument, the stp cost command sets the path cost of the port in CIST. Changing the path cost of a port in an MSTI may change the role of the port in the instance and put it in state transition.
A switch sends trap messages conforming to 802.1d standard to the network management device when: The switch becomes the root bridge of an MSTI. Network topology changes are detected. Examples # Enable a switch to send trap messages conforming to 802.1d standard to the network management device when the switch becomes the root bridge of MSTI 1.
You can enable a port to transition to the forwarding state rapidly by setting it as an edge port. It is recommended that you configure the Ethernet ports directly connected to user terminals as edge ports so that they transition to the forwarding state rapidly. Normally, configuration BPDUs cannot reach an edge port because the port is not connected to another switch.
Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument. Description Use the stp loop-protection command to enable the loop guard function on the current port.
# Enable the loop guard function on Ethernet 1/0/2 to Ethernet 1/0/4 in system view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 loop-protection stp max-hops Syntax stp max-hops hops undo stp max-hops View System view...
stp mcheck System view: stp [ interface interface-list ] mcheck View System view, Ethernet port view Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
stp mode Syntax stp mode { stp | rstp | mstp } undo stp mode View System view Parameters stp: Specifies the STP-compatible mode. mstp: Specifies the MSTP mode. rstp: Specifies the RSTP-compatible mode. Description Use the stp mode command to set the operating mode of an MSTP-enabled switch. Use the undo stp mode command to restore the default operating mode of an MSTP-enabled switch.
Some manufacturers' switches adopt proprietary spanning tree protocols that are similar to RSTP in the way they implement rapid transition on designated ports. When a switch of this kind operates as the upstream switch of a 3Com switch 5500-EI running MSTP, the upstream designated port fails to change its state rapidly.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet1/0/1 no-agreement-check stp pathcost-standard Syntax stp pathcost-standard { dot1d-1998 | dot1t | legacy } undo stp pathcost-standard View System view Parameters dot1d-1998: The device calculates the default path cost for ports based on IEEE 802.1d-1998. dot1t: The device calculates the default path cost for ports based on IEEE 802.1t.
Link speed | Duplex state | Path cost in 802.1d-1998 standard | Path cost in IEEE 802.1t standard | Path cost in private standard
Full-duplex 200,000 Aggregated link 2 ports 1,000 10 Gbps Aggregated link 3 ports Aggregated link 4 ports
Normally, when a port operates in full-duplex mode, the corresponding path cost is slightly less than that when the port operates in half-duplex mode.
force-false: Specifies that the link connected to the current Ethernet port is not a point-to-point link. auto: Specifies to automatically determine whether or not the link connected to the current Ethernet port is a point-to-point link. interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
# Set the port priority of Ethernet 1/0/1 in MSTI 2 to 16 in system view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet 1/0/1 instance 2 port priority 16 # Set the port priority of Ethernet 1/0/2 to Ethernet 1/0/4 in MSTI 2 to 16 in system view. <Sysname>...
Parameters None Description Use the stp portlog all command to enable log and trap message output for the ports of all instances. Use the undo stp portlog all command to disable this function. By default, log and trap message output is disabled on the ports of all instances. Examples # Enable log and trap message output for the ports of all instances.
stp region-configuration Syntax stp region-configuration undo stp region-configuration View System view Parameters None Description Use the stp region-configuration command to enter MST region view. Use the undo stp region-configuration command to restore the MST region-related settings to the default. MST region-related parameters include: region name, revision level, and VLAN-to-instance mapping table.
View System view Parameters instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST. bridgenum: Network diameter of the specified spanning tree. This argument ranges from 2 to 7 and defaults to 7. centi-seconds: Hello time in centiseconds of the specified spanning tree. This argument ranges from 100 to 1,000 and defaults to 200.
stp root secondary Syntax stp [ instance instance-id ] root secondary [ bridge-diameter bridgenum [ hello-time centi-seconds ] ] undo stp [ instance instance-id ] root View System view Parameters instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST. bridgenum: Network diameter of the specified spanning tree.
stp root-protection Syntax Ethernet port view: stp root-protection undo stp root-protection System view: stp interface interface-list root-protection undo stp interface interface-list root-protection View System view, Ethernet port view Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
Examples # Enable the root guard function on Ethernet 1/0/1. Enable the root guard function on Ethernet 1/0/1 in Ethernet port view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp root-protection Enable the root guard function on Ethernet 1/0/1 in system view. <Sysname>...
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp tc-protection enable stp tc-protection threshold Syntax stp tc-protection threshold number undo stp tc-protection threshold View System view Parameters number: Maximum number of times that a switch can remove the MAC address table and ARP entries within every 10 seconds, in the range of 1 to 255.
stp timer forward-delay Syntax stp timer forward-delay centi-seconds undo stp timer forward-delay View System view Parameters centi-seconds: Forward delay in centiseconds to be set. This argument ranges from 400 to 3,000. Description Use the stp timer forward-delay command to set the forward delay of the switch. Use the undo stp timer forward-delay command to restore the forward delay to the default value.
Parameters centi-seconds: Hello time to be set, in the range of 100 to 1,000 (in centiseconds). Description Use the stp timer hello command to set the hello time of the switch. Use the undo stp timer hello command to restore the hello time of the switch to the default value. By default, the hello time of the switch is 200 centiseconds.
MSTP is capable of detecting link failures and automatically restoring redundant links to the forwarding state. In CIST, switches use the max age parameter to judge whether or not a received configuration BPDU times out. Spanning trees will be recalculated if a configuration BPDU received by a port times out.
can be four (or more) times the hello time. For a steady network, the timeout time can be five to seven times the hello time. Examples # Set the hello time factor to 7. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp timer-factor 7 stp transmit-limit Syntax...
Examples # Set the maximum number of configuration BPDUs that can be transmitted through Ethernet 1/0/1 in each hello time to 15. In Ethernet port view: <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp transmit-limit 15 In system view: <Sysname>...
You can map VLANs to specific MSTIs quickly by using the vlan-mapping modulo modulo command. The ID of the MSTI to which a VLAN is mapped is given by the following formula: (VLAN ID - 1) % modulo + 1. In this formula, (VLAN ID - 1) % modulo yields the remainder of (VLAN ID - 1) divided by the modulo argument.
The VLAN-VPN tunnel function can only be enabled on STP-enabled devices. To enable the VLAN-VPN tunnel function, make sure the links between operator’s networks are trunk links. If a fabric port exists on a switch, you cannot enable the VLAN-VPN function for any port of the switch.
Table of Contents
1 IP Routing Table Commands 1-1
IP Routing Table Commands 1-1
display ip routing-table 1-1
display ip routing-table acl 1-3
display ip routing-table ip-address 1-5
display ip routing-table ip-address1 ip-address2 1-7
display ip routing-table ip-prefix 1-7
display ip routing-table protocol 1-8
display ip routing-table radix 1-9
display ip routing-table statistics 1-10
display ip routing-table verbose 1-11
reset ip routing-table statistics protocol 1-12...
IP Routing Table Commands IP Routing Table Commands display ip routing-table Syntax display ip routing-table [ | { begin | exclude | include } regular-expression ] View Any view Parameters regular-expression: Regular expression, a string of 1 to 256 case-sensitive characters used for specifying routing entries.
2.2.2.0/24 DIRECT 2.2.2.1 Vlan-interface2 2.2.2.1/32 DIRECT 127.0.0.1 InLoopBack0 3.3.3.0/24 DIRECT 3.3.3.1 Vlan-interface3 3.3.3.1/32 DIRECT 127.0.0.1 InLoopBack0 4.4.4.0/24 DIRECT 4.4.4.1 Vlan-interface4 4.4.4.1/32 DIRECT 127.0.0.1 InLoopBack0 127.0.0.0/8 DIRECT 127.0.0.1 InLoopBack0 127.0.0.1/32 DIRECT 127.0.0.1 InLoopBack0 # Display the routing information from the entry containing the character string interface4 in the current routing table.
display ip routing-table acl Syntax display ip routing-table acl acl-number [ verbose ] View Any view Parameters acl-number: Basic access control list number, in the range of 2000 to 2999. verbose: With this keyword specified, detailed information of routes in the active or inactive state that match the ACL is displayed.
State: <Int ActiveU Retain Unicast> Age: 21:34:13 Cost: 0/0 **Destination: 192.168.1.2 Mask: 255.255.255.255 Protocol: #DIRECT Preference: 0 *NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0) State: <NoAdvise Int ActiveU Retain Gateway Unicast> Age: 21:34:13 Cost: 0/0 Table 1-2 Description on the fields of the display ip routing-table command Field Description Destination...
Field Description
Description of route state:
ActiveU An active unicast route, where "U" represents unicast.
Blackhole A blackhole route is similar to a reject route, but no ICMP unreachable message is sent to the source.
Delete A route is to be deleted.
Gateway An indirect route.
Parameters ip-address: Destination IP address, in dotted decimal notation. mask: Subnet mask, in dotted decimal notation. mask-length: Length of a subnet mask, in the range of 0 to 32. longer-match: Specifies all the routes that lead to the destination address and match the specified mask.
verbose: With this keyword specified, detailed information of routes in the active or inactive state that match the IP prefix list is displayed. With this keyword not specified, brief information of only the routes in the active state that match the prefix list is displayed. Description Use the display ip routing-table ip-prefix command to display the information of routes matching the specified IP prefix list.
Parameters protocol: You can provide one of the following values for this argument. direct: Displays direct-connect route information ospf: Displays OSPF route information. ospf-ase: Displays OSPF ASE route information. ospf-nssa: Displays OSPF not-so-stubby area (NSSA) route information. rip: Displays RIP route information. static: Displays static route information.
Description Use the display ip routing-table radix command to display the route information in a tree structure. Examples <Sysname> display ip routing-table radix Radix tree for INET (2) inodes 7 routes 5: +-32+--{210.0.0.1 +--0+ | | +--8+--{127.0.0.0 | | | +-32+--{127.0.0.1 | +--1+ +--8+--{20.0.0.0 +-32+--{20.1.1.1...
OSPF O_ASE O_NSSA Total
Table 1-4 Description on the fields of the display ip routing-table statistics command
Field Description
Proto Routing protocol type (O_ASE: OSPF_ASE; O_NSSA: OSPF NSSA; AGGRE: Aggregation protocol)
Route Total number of routes
Active Number of active routes
Added Number of routes added after the router is rebooted or the routing table is cleared last time.
OSPF O_ASE O_NSSA Total # Clear the routing statistics of all protocols from the IP routing table. <Sysname> reset ip routing-table statistics protocol all # Display the routing statistics in the IP routing table. <Sysname> display ip routing-table statistics Routing tables: Proto route active...
Static Route Configuration Commands The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. Static Route Configuration Commands delete static-routes all Syntax delete static-routes all View System view Parameters None Description...
ip route-static Syntax ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-hop } [ preference preference-value ] [ reject | blackhole ] [ detect-group group number ] [ description text ] undo ip route-static ip-address { mask | mask-length } [ interface-type interface-number | next-hop ] [ preference preference-value ] View System view...
By default, the system can obtain the subnet route directly connected to the router. When you configure a static route, if no preference is specified for the route, the preference defaults to 60, and if the route is not specified as reject or blackhole, the route will be reachable by default. When configuring a static route, note the following points: If the destination IP address and the mask are both 0.0.0.0, what you are configuring is a default route.
RIP Configuration Commands The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. RIP Configuration Commands checkzero Syntax checkzero undo checkzero View RIP view Parameters None Description Use the checkzero command to enable the check of the "must be zero" fields in RIP-1 packets. Use the undo checkzero command to disable the check of the "must be zero" fields in RIP-1 packets.
default cost Syntax default cost value undo default cost View RIP view Parameters value: Default cost, in the range of 1 to 16. Description Use the default cost command to set the default cost for redistributed routes. Use the undo default cost command to restore the default. By default, the default cost of a redistributed route is 1.
<Sysname> display rip RIP is running Checkzero is on Default cost : 1 Summary is on Preference : 100 Traffic-share-across-interface is off Period update timer : 30 Timeout timer : 180 Garbage-collection timer : 120 No peer router Network : 202.38.168.0 Table 3-1 Description on the fields of the display rip command Field...
View Any view Parameters None Description Use the display rip routing command to display RIP routing information. Examples # Display the information of the RIP routing table. <Sysname> display rip routing RIP routing table: public net A = Active I = Inactive G = Garbage collection C = Change T = Trigger RIP...
View RIP view Parameters acl-number: Number of the basic or advanced ACL used to filter routing information by destination address, in the range of 2000 to 3999. ip-prefix-name: Name of the address ip-prefix list used to filter routing information by destination address, a string of 1 to 19 characters.
Parameters acl-number: Number of the ACL used to filter routing information by destination address, in the range of 2000 to 3999. ip-prefix-name: Name of the address prefix list used to filter routing information by destination address, a string of 1 to 19 characters. gateway ip-prefix-name: Name of the address prefix list used to filter routing information by the address of the neighbor router advertising the information, a string of 1 to 19 characters.
By default, RIP is enabled to receive host routes. In some special cases, RIP receives a great number of host routes from the same network segment. These routes are of little help to addressing but occupy a lot of resources. In this case, the undo host-route command can be used to disable RIP from receiving host routes to save network resources.
View RIP view Parameters ip-address: IP address of the interface receiving RIP packets in the unicast mode on the neighbor router, in dotted decimal notation. Description Use the peer command to specify the IP address of a neighbor, where routing updates destined for the peer are unicast, rather than multicast or broadcast.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rip [Sysname-rip] preference 20 reset Syntax reset View RIP view Parameters None Description Use the reset command to reset the system configuration parameters of RIP. When you need to re-configure the parameters of RIP, you can use this command to restore the default. Examples # Reset the RIP system configuration.
Note that the interface-related parameters configured previously would be invalid after RIP is disabled. Examples # Enable RIP and enter RIP view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rip [Sysname-rip] rip authentication-mode Syntax rip authentication-mode { simple password | md5 { rfc2082 key-string key-id | rfc2453 key-string } } undo rip authentication-mode View Interface view...
Related commands: rip version. You can configure RIPv1 authentication mode in interface view, but the configuration will not take effect because RIPv1 does not support authentication. Examples # Specify the interface VLAN-interface 10 to use the simple authentication with the authentication key of aaa.
System View: return to User View with Ctrl+Z. [Sysname]interface Vlan-interface 10 [Sysname-Vlan-interface10] undo rip input rip metricin Syntax rip metricin value undo rip metricin View Interface view Parameters value: Additional metric of RIP routes received on an interface, in the range of 0 to 16. Description Use the rip metricin command to configure an additional metric for RIP routes received on an interface.
Description Use the rip metricout command to configure an additional metric for RIP routes sent out of an interface. Use the undo rip metricout command to restore the default. By default, the additional metric of RIP routes sent out of an interface is 1. With the command configured on an interface, the metric of RIP routes sent on the interface will be increased.
rip split-horizon Syntax rip split-horizon undo rip split-horizon View Interface view Parameters None Description Use the rip split-horizon command to enable the split horizon function. Use the undo rip split-horizon command to disable the split horizon function. By default, the split horizon function is enabled. The split horizon function disables an interface from sending routes received from the interface to prevent routing loops between adjacent routers.
Use the undo rip version command to restore the default. By default, the version of RIP running on an interface is RIP-1 and RIP-1 packets are sent in the broadcast mode. If RIP-2 runs on an interface, RIP packets are sent in the multicast mode by default, which reduces resource consumption.
Use the undo rip work command to disable the interface from both receiving and sending RIP packets. By default, all interfaces except loopback interfaces are enabled to receive and send RIP packets. The differences between the rip work, rip input, and rip output commands are as follows: The rip work command controls both the receiving and the sending of RIP packets on an interface.
[Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] rip version 2 [Sysname-Vlan-interface10] quit [Sysname] rip [Sysname-rip] undo summary timers Syntax timers { update update-timer | timeout timeout-timer } * undo timers { update | timeout } * View RIP view Parameters update-timer: Length of the Period Update timer in seconds, in the range of 1 to 3600. timeout-timer: Length of the Timeout timer in seconds, in the range of 1 to 3600.
traffic-share-across-interface Syntax traffic-share-across-interface undo traffic-share-across-interface View RIP view Parameters None Description Use the traffic-share-across-interface command to enable traffic to be forwarded along multiple equivalent RIP routes. Use the undo traffic-share-across-interface command to disable this function. By default, this function is disabled. When the number of equivalent routes reaches the upper limit: If this function is enabled, the newly learned equivalent route replaces the existing equivalent route in the routing table.
OSPF Configuration Commands The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. OSPF Configuration Commands abr-summary Syntax abr-summary ip-address mask [ advertise | not-advertise ] undo abr-summary ip-address mask View OSPF area view Parameters...
Examples # Summarize subnets 36.42.10.0/24 and 36.42.110.0/24, in OSPF area 1 with summary route 36.42.0.0/16 and advertise it to other areas. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ospf 1 [Sysname-ospf-1] area 1 [Sysname-ospf-1-area-0.0.0.1] network 36.42.10.0 0.0.0.255 [Sysname-ospf-1-area-0.0.0.1] network 36.42.110.0 0.0.0.255 [Sysname-ospf-1-area-0.0.0.1] abr-summary 36.42.0.0 255.255.0.0 area...
Parameters ip-address: IP address of the summary route, in dotted decimal notation. mask: IP address mask, in dotted decimal notation. not-advertise: Specifies not to advertise the summary route. If this argument is not provided, the summary route will be advertised. tag value: Tag value, which is mainly used to control route advertisement through a route-policy.
Use the undo authentication-mode command to cancel the authentication attribute of this area. By default, an area does not support authentication attribute. All the routers in one area must use the same authentication mode (no authentication, simple text authentication, or MD5 cipher text authentication). If the mode of supporting authentication is configured, all routers on the same segment must use the same authentication key.
type: Default type of external routes redistributed by OSPF. The value of this argument is 1 or 2. Description Use the default command to configure the default parameters for redistributed routes, including cost, interval, limit, tag, and type. Use the undo default cost command to restore the default. By default, the cost, interval, limit, tag, and type are 1, 1, 1000, 1, and 2, respectively.
You must use the stub command on all the routers connected to a Stub area to configure the area with the stub attribute. Use the default-cost command to configure the cost of the default route advertised by an ABR to a Stub area or NSSA.
cost value: Specifies the cost value of the default route. The default route with the lowest cost value is preferred. The value of value ranges from 0 to 16777214. If no cost is specified, the default cost specified by the default cost command applies. type type-value: Specifies the type of the route.
Related commands: router id. Examples # Display the router ID. <Sysname> display router id Configured router id is 1.1.1.1 display ospf abr-asbr Syntax display ospf [ process-id ] abr-asbr View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
Field Description Nexthop IP address of the next hop Interface Local output interface display ospf asbr-summary Syntax display ospf [ process-id ] asbr-summary [ ip-address mask ] View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
The Count of Route is 0
Table 4-2 Description on the fields of the display ospf asbr-summary command
Field Description
Network address of the summary route
mask Subnet mask of the summary route
Tag of the summary route
status Advertisement state of the summary route, including DoNotAdvertise: The summary cannot be advertised.
Field Description
Flags Area type flag:
  Nssa: NSSA area
  NssaDefault: A default route is generated into the NSSA.
  NssaNoSummary: ABR is disabled from advertising Type-3 LSAs into NSSA.
  NssaNoRedistribution: Prohibits advertisement of redistributed routes into NSSA.
  Stub: Stub area
  StubDefault: A default route is generated into Stub area.
  StubNoSummary: ABR is disabled from advertising Type-3 LSAs to Stub area.
display ospf cumulative Syntax display ospf [ process-id ] cumulative View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes. Description Use the display ospf cumulative command to display cumulative OSPF statistics.
Routing Table: Intra Area: 1 Inter Area: 0 ASE: 0 Table 4-4 Description on the fields of the display ospf cumulative command Field Description Type of input/output OSPF packet: Hello: Hello packet DB Description: Database Description packet Type Link-State Req: Link-State Request packet IO Statistics Link-State Update: Link-State Update packet Link-State Ack: Link-State Acknowledge packet...
Description Use the display ospf error command to display OSPF error information. Examples # Display the OSPF error information. <Sysname> display ospf error OSPF Process 1 with Router ID 1.1.1.1 OSPF packet error statistics: 0: IP: received my own packet 0: OSPF: wrong packet type 0: OSPF: wrong version 0: OSPF: wrong checksum...
Field Description OSPF: packet size > ip length OSPF packet size exceeds IP packet length OSPF: transmit error OSPF transmission error OSPF: interface down OSPF interface is down, unavailable OSPF: unknown neighbor OSPF neighbors are unknown HELLO: netmask mismatch Network mask mismatch HELLO: hello timer mismatch Interval of HELLO packet is mismatched HELLO: dead timer mismatch...
display ospf interface Syntax display ospf [ process-id ] interface [ interface-type interface-number ] View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes. interface-type interface-number: Interface type and interface number.
Field Description Priority Priority of DR for interface election Designated Router DR on the network in which the interface resides Backup Designated Router BDR on the network in which the interface resides OSPF timers, defined as follows: Hello Interval of hello packet Timers Dead Interval of dead neighbors...
Description Use the display ospf lsdb command to display the OSPF link state database (LSDB) information. If no OSPF process is specified, LSDB information of all OSPF processes is displayed. Examples # Display the OSPF link state database information. <Sysname>...
Field Description Location of the LSA, used to indicate in which stage of the route calculation the LSA is: Uninitialized: The LSA is not initialized or is originated by another router. Clist: The LSA is on the candidate list. SpfTree: The LSA is in the SPF tree. SumAsb List: The LSA is in the AS border reachable to the attached area.
Table 4-8 Description on the fields of the display ospf lsdb ase command Field Description type Type of the LSA ls id Link state ID of the LSA adv rtr Router ID of the router that advertises the LSA ls age Age of the LSA Length of the LSA seq#...
OSPF Process 1 with Router ID 1.1.1.1 Next hops: Address Type Refcount Intf Addr Intf Name --------------------------------------------------------------- 202.38.160.1 Direct 202.38.160.1 Vlan-interface2 202.38.160.2 Neighbor 202.38.160.1 Vlan-interface2 Table 4-9 Description on the fields of the display ospf nexthop command Field Description Next hops Detailed information of next hops Address IP address of next hop...
Dead timer expires in 31s Neighbor has been up for 01:14:14 Table 4-10 Description on the fields of the display ospf peer command Field Description RouterID ID of a neighbor router Address IP address of the interface on a neighbor router State of a neighbor: Down: This is the initial state of a neighbor conversation.
Field Description
Priority Priority of a neighbor router
DeadTime(s) Dead time, in seconds, of neighbor router
Interface Type and number of the local router interface connected to the neighbor router
State State of a neighbor router, including Down, Init, Attempt, 2-Way, Exstart, Exchange, Loading...
Field Description
Loading In this state, the OSPF router requests updated link state information from neighbor routers, based on the information received from them and its own expired information, and waits for their responses.
Full Indicates that database synchronization between the routers that have established a neighbor relation has been completed, and their link state databases are consistent...
display ospf retrans-queue Syntax display ospf [ process-id ] retrans-queue View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes. Description Use the display ospf retrans-queue command to display the information about the OSPF retransmission queue.
display ospf routing Syntax display ospf [ process-id ] routing View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes. Description Use the display ospf routing command to display the information about OSPF routing table.
display ospf vlink Syntax display ospf [ process-id ] vlink View Any view Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes. Description Use the display ospf vlink command to display the information about OSPF virtual links.
[Sysname-ospf-1] filter-policy 2000 import import-route Syntax import-route protocol [ process-id ] [ cost value | type value | tag value | route-policy route-policy-name ] * undo import-route protocol [ process-id ] View OSPF view Parameters protocol: Source routing protocol whose routes will be imported. At present, it can be direct, ospf, ospf-ase, ospf-nssa, rip, or static.
[Sysname-ospf-1] import-route rip type 2 tag 33 cost 50 log-peer-change Syntax log-peer-change undo log-peer-change View OSPF view Parameters None Description Use the log-peer-change command to enable logging of OSPF neighbor state changes. Use the undo log-peer-change command to disable logging of OSPF neighbor state changes. By default, logging of OSPF neighbor state changes is disabled.
By default, the number of OSPF ECMP routes is 3. Examples # Set the number of OSPF ECMP routes to 2. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ospf 1 [Sysname-ospf-1] multi-path-number 2 network Syntax network ip-address wildcard-mask undo network ip-address wildcard-mask View OSPF area view...
nssa Syntax nssa [ default-route-advertise | no-import-route | no-summary | translate-always ] * undo nssa View OSPF area view Parameters default-route-advertise: Redistributes a default route into an NSSA. no-import-route: Redistributes no routes into an NSSA. no-summary: Advertises only a default route in a Type-3 summary LSA into the NSSA area and disables the ABR from transmitting any other Type-3 LSAs to an NSSA translate-always: Specifies the ABR as the Type-7 LSAs translator of the NSSA area.
If the ABR that has the translate-always keyword configured and has a neighbor in the FULL state in the backbone area, its Type-7 LSAs translator state becomes Enabled and it will translate Type-7 LSAs into Type-5 LSAs. After an OSPF area is configured as a Stub area, the ABR in the area automatically advertises a default route into the attached NSSA area.
To run OSPF, a router must have a router ID specified. If no router ID is specified, the system will automatically select one of the router interface IP addresses as the router ID. If a router runs multiple OSPF processes, it is recommended that you specify a router ID for each process by using the ospf command.
Description Use the ospf authentication-mode command to configure the authentication mode and key between adjacent routers. Use the undo ospf authentication-mode command to cancel the authentication key that has been set. By default, the interface does not authenticate the OSPF packets. The passwords for authentication keys of the routers on the same network segment must be identical.
Examples # Specify the OSPF cost on the interface as 33. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] ospf cost 33 ospf dr-priority Syntax ospf dr-priority priority undo ospf dr-priority View Interface view Parameters priority: Designated router (DR) election priority of the interface, in the range of 0 to 255.
Parameters process-id: OSPF process ID, in the range of 1 to 65535. Description Use the ospf mib-binding command to bind MIB operations to the specified OSPF process. Use the undo ospf mib-binding command to restore the default. By default, MIB operations are bound to the first enabled OSPF process. When OSPF enables the first process, OSPF always binds MIB operation to this process.
Examples # Add the MTU of the interface VLAN-interface 3 to the MTU field in DD packets. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 3 [Sysname-Vlan-interface3] ospf mtu-enable ospf network-type Syntax ospf network-type { broadcast | nbma | p2mp [ unicast ] | p2p } undo ospf network-type View Interface view...
For a P2MP interface, if the unicast keyword is not specified, the interface sends packets to multicast addresses. If the unicast keyword is specified, the interface sends packets to unicast addresses; in this case, you must use the peer command to specify the neighbor. Note that you must also use the peer command to configure the peer if the network type of the interface is NBMA or is manually changed to NBMA with the ospf network-type command.
ospf timer hello Syntax ospf timer hello seconds undo ospf timer hello View Interface view Parameters seconds: Interval, in seconds, at which an interface transmits hello packet. It ranges from 1 to 255. Description Use the ospf timer hello command to configure the interval for transmitting Hello messages on an interface.
Description Use the ospf timer poll command to configure the poll interval at which the interface sends hello packets to the neighbor in the Down state. Use the undo ospf timer poll command to restore the default. By default, the poll interval is 40 seconds. On an NBMA network, if a neighbor becomes invalid, Hello packets will be transmitted at intervals of poll seconds.
System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] ospf timer retransmit 12 ospf trans-delay Syntax ospf trans-delay seconds undo ospf trans-delay View Interface view Parameters seconds: LSA transmission delay in seconds on an interface. It ranges from 1 to 3600. Description Use the ospf trans-delay command to configure the LSA transmission delay on an interface.
Description Use the peer command to specify a neighbor and its DR priority on an NBMA network. Use the undo peer command to remove this configuration. On an NBMA network, you can configure mappings to make the network fully meshed (any two routers have a direct link in between), so OSPF can handle DR/BDR election as it does on a broadcast network.
reset ospf Syntax reset ospf { all | process-id } View User view Parameters all: Resets all OSPF processes. process-id: OSPF process ID, in the range of 1 to 65535. Description Use the reset ospf command to reset OSPF process(es). After you use this command to reset an OSPF process: Invalid LSA is cleared immediately before LSA times out.
router id Syntax router id router-id undo router id View System view Parameters router-id: Router ID, in dotted decimal notation. Description Use the router id command to configure the ID of a router running the OSPF protocol. Use the undo router id command to cancel the router ID that has been set. If the router-id command is not used, a router ID is set following these rules: If loopback interfaces configured with IP addresses exist, the greatest loopback interface IP address will be used as the router ID.
View OSPF view Parameters silent-interface-type: Interface type. silent-interface-number: Interface number. Description Use the silent-interface command to disable an interface from transmitting OSPF packets. Use the undo silent-interface command to restore the default. By default, an interface is enabled to transmit OSPF packets. To prevent the routers on a certain network from receiving OSPF routing information, you can use this command to disable the interface attached to that network from transmitting OSPF packets.
Parameters process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes. ifstatechange, virifstatechange, nbrstatechange, virnbrstatechange, ifcfgerror, virifcfgerror, ifauthfail, virifauthfail, ifrxbadpkt, virifrxbadpkt, iftxretransmit, viriftxretransmit, originatelsa, maxagelsa, lsdboverflow, lsdbapproachoverflow: Types of TRAP packets that the switch produces in case of OSPF anomalies.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ospf 1 [Sysname-ospf-1] spf-schedule-interval 6 stub Syntax stub [ no-summary ] undo stub View OSPF area view Parameters no-summary: Disables an ABR from transmitting Type-3 LSAs to a Stub area. Description Use the stub command to configure the type of an OSPF area as "Stub".
vlink-peer Syntax vlink-peer router-id [ hello seconds | retransmit seconds | trans-delay seconds | dead seconds | simple password | md5 keyid key ] * undo vlink-peer router-id View OSPF area view Parameters router-id: Router ID of the virtual link peer. hello seconds: Specifies the interval, in seconds, at which the router transmits hello packets.
Note that, virtual link authentication adopts the MD5 cipher text or simple text authentication mode set with the authentication-mode command for Area 0. Therefore, you need to specify the authentication mode for Area 0 on both ABRs interconnected by the virtual link. Related commands: authentication-mode, display ospf.
IP Routing Policy Configuration Commands The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. IP Routing Policy Configuration Commands apply cost Syntax apply cost value undo apply cost View Route policy view Parameters...
apply tag Syntax apply tag value undo apply tag View Route policy view Parameters value: Tag value of a route, in the range of 0 to 4294967295. Description Use the apply tag command to configure a tag for a route. Use the undo apply tag command to remove the configuration.
Examples # Display the information about the address prefix list named p1. <Sysname> display ip ip-prefix p1 name index conditions ip-prefix / mask permit 10.1.0.0/16 Table 5-1 Description on the fields of the display ip ip-prefix command Field Description name Name of an IP-prefix index Internal sequence number of an IP-prefix...
Table 5-2 Description on the fields of the display route-policy command Field Description Route-policy Name of a routing policy Information about the routing policy with the matching mode configured as permit and the node as 10. Permit 10 if-match (ip-prefix) p1 Matching conditions Apply the cost 100 to the routes satisfying the apply cost 100...
View Route policy view Parameters value: Route cost, in the range of 0 to 4294967295. Description Use the if-match cost command to configure a cost matching rule for routing information. Use the undo if-match cost command to remove the configuration. By default, no cost matching rule is defined.
System View: return to User View with Ctrl+Z. [Sysname] route-policy policy permit node 1 %New sequence of this list [Sysname-route-policy] if-match interface Vlan-interface 1 if-match ip next-hop Syntax if-match ip next-hop { acl acl-number | ip-prefix ip-prefix-name } undo if-match ip next-hop [ ip-prefix ] View Route policy view Parameters...
Parameters value: Tag value, in the range of 0 to 4294967295. Description Use the if-match tag command to configure the tag matching rule for routing information. Use the undo if-match tag command to remove the matching rule. By default, no tag matching rule for routing information is defined. Related commands: if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, route-policy, apply cost, apply tag.
to", and the meaning of less-equal is "less than or equal to". The range is len <= greater-equal <= less-equal <= 32. When only greater-equal is used, it denotes the prefix range [greater-equal, 32]. When only less-equal is used, it denotes the prefix range [len, less-equal]. When both greater-equal and less-equal are specified, the prefix range is [less-equal, greater-equal].
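As an added example (not code from the manual), the following Python models the ip-prefix length-range semantics described above. It assumes entries are checked in index order with first match winning, that a route matching no entry is denied, and that when both bounds are given the matched range is the interval between them in the order fixed by len <= greater-equal <= less-equal.

```python
"""Added example, not code from the 3Com manual: matching a route against an
ip-prefix entry with the len / greater-equal / less-equal semantics.
Assumptions (not stated on the page): first match wins, no match means deny,
and with both bounds present the range is [greater-equal, less-equal]."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    """One line of an ip-prefix list, e.g. 'permit 10.1.0.0/16 greater-equal 24'."""
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv4Network    # address/len part of the entry
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def length_range(self) -> Tuple[int, int]:
        """Return the inclusive [lo, hi] prefix-length range the entry covers."""
        length = self.prefix.prefixlen
        if self.greater_equal is None and self.less_equal is None:
            lo, hi = length, length           # exact length only
        elif self.less_equal is None:
            lo, hi = self.greater_equal, 32   # [greater-equal, 32]
        elif self.greater_equal is None:
            lo, hi = length, self.less_equal  # [len, less-equal]
        else:
            lo, hi = self.greater_equal, self.less_equal
        # Enforce the ordering the manual states: len <= ge <= le <= 32.
        if not (length <= lo <= hi <= 32):
            raise ValueError(
                f"invalid bounds for {self.prefix}: len={length} lo={lo} hi={hi}")
        return lo, hi

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        """True if the route's first len bits equal the entry's and the route
        length falls inside the entry's length range."""
        lo, hi = self.length_range()
        if not lo <= route.prefixlen <= hi:
            return False
        # route.prefixlen >= len here, so containment of the network address
        # is exactly a comparison of the first len bits.
        return route.network_address in self.prefix


def evaluate(entries: List[PrefixEntry], route: str) -> str:
    """Apply the list in index order; first match wins, no match denies."""
    net = ipaddress.IPv4Network(route, strict=True)
    for entry in entries:
        if entry.matches(net):
            return entry.action
    return "deny"   # assumption: implicit deny


# Constructed sample list: permit /24 to /28 subnets of 10.1.0.0/16, deny the
# /16 itself, and permit anything more specific than 192.168.0.0/16.
SAMPLE_LIST = [
    PrefixEntry("permit", ipaddress.IPv4Network("10.1.0.0/16"), 24, 28),
    PrefixEntry("deny", ipaddress.IPv4Network("10.1.0.0/16")),
    PrefixEntry("permit", ipaddress.IPv4Network("192.168.0.0/16"), greater_equal=17),
]

if __name__ == "__main__":
    for r in ("10.1.2.0/24", "10.1.2.0/30", "10.1.0.0/16",
              "192.168.4.0/22", "192.168.0.0/16"):
        print(r, "->", evaluate(SAMPLE_LIST, r))
```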
node: Specifies a node index in a routing policy. node-number: Index of the node in a routing policy, in the range 0 to 2047. When this routing policy is used, the node with smaller node-number will be matched first. Description Use the route-policy command to create a routing policy or enter the Route-policy view.
Route Capacity Configuration Commands
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
display memory
Syntax
display memory [ unit unit-id ]
Mode
Any view
Parameters
unit-id: Unit ID.
Table 6-1 Description on the fields of the display memory command
Unit: Specifies a Unit ID
System Available Memory(bytes): Free memory size, in bytes, of the switch
System Used Memory(bytes): Occupied memory size, in bytes, of the switch
Used Rate: Memory occupation rate
display memory limit...
system memory limit: Lower limit of the switch memory.
auto-establish enabled: Automatic connection is enabled (if automatic connection is disabled, auto-establish disabled is displayed).
Free Memory: Size of the current free memory in bytes
The times of disconnect: Number of disconnections of the routing protocol
The times of reconnect: Number of reconnections of the routing protocol...
When you configure the memory command, the safety-value argument in the command must be greater than the limit-value argument; otherwise, the configuration will fail. Examples # Set the lower limit of the switch free memory to 1 MB and the safety value to 3 MB. <Sysname>...
memory auto-establish enable Syntax memory auto-establish enable View System view Parameters None Description Use the memory auto-establish enable command to enable automatic connections of routing protocols when the free memory of the switch recovers to the specified value. Use the memory auto-establish disable command to disable this function. By default, when the free memory of the switch recovers to a safety value, connections of all the routing protocols will always recover (when the free memory of the switch decreases to a lower limit, the connection will be disconnected forcibly).
Common Multicast Configuration Commands
display mac-address multicast static
Syntax
display mac-address multicast static [ [ mac-address ] vlan vlan-id ] [ count ]
View
Any view
Parameters
mac-address: Displays the static multicast MAC entry information for the specified MAC address. Without this argument provided, this command displays the information of all static multicast MAC entries in the specified VLAN.
STATE: State of the MAC address, which includes only Config static, indicating that the table entry is manually added.
PORT INDEX: Ports out which the multicast packets destined for the multicast MAC address are forwarded
AGING TIME(s): State of the aging timer. The aging timer for static multicast MAC addresses has only one state: NOAGED, indicating that the entry never...
Table 1-2 display mpm forwarding-table command output description
Total 1 entry(entries): Total number of the entries
00001: Entry number
(120.0.0.2, 225.0.0.2): Source address-group address pair
iif Vlan-interface1200: The incoming VLAN interface is VLAN-interface 1200.
1 oif(s): One outgoing VLAN interface is listed.
Vlan-interface32: The first outgoing VLAN-interface is VLAN-interface 32, with one outgoing port under...
Ethernet1/0/24
IP group(s):the following ip group(s) match to one mac group.
IP group address:224.1.1.1
Static host port(s):
Dynamic host port(s): Ethernet1/0/22
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):Ethernet1/0/22
Table 1-3 display mpm group command output description
Total 1 IP Group(s): Total number of IP multicast groups
Total 1 MAC Group(s): Total number of MAC multicast groups...
mask: Mask of the specified multicast group address or multicast source address, 255.255.255.255 by default. mask-length: Mask length of the specified multicast group address or multicast source address. For a multicast group address, this argument is in the range of 4 to 32; for a multicast source address, this argument is in the range of 0 to 32.
Table 1-4 display multicast forwarding-table command output description
Multicast Forwarding Cache Table: Multicast forwarding table
Total 1 entries: Total number of matched forwarding entries
00001: Serial number of the entry
(10.0.0.4, 225.1.1.1): Multicast source and group addresses of the entry
The incoming interface of the multicast forwarding table is VLAN-interface 2, and the...
The multicast routing table is the basis of multicast data delivery. You can view the multicast routing table entries to determine whether (S, G) entries have been created with correct outgoing and incoming interfaces. Related commands: reset multicast routing-table, display multicast forwarding-table. Examples # Display the multicast routing table information.
display multicast-source-deny Syntax display multicast-source-deny [ interface interface-type [ interface-number ] ] View Any view Parameters interface-type: Port type. interface-number: Port number. Description Use the display multicast-source-deny command to display the multicast source port suppression status. With neither a port type nor a port number specified, the command displays the multicast source port suppression status of all the ports on the switch.
interface-type interface-number2, where interface-number2 must be greater than interface-number1). The total number of individual ports plus port ranges cannot exceed 10. For port types and port numbers, refer to the parameter description in the “Port Basic Configuration” part in this manual. vlan vlan-id: Specifies the VLAN to which the forwarding ports belong.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] mac-address multicast 0100-1000-1000 vlan 1
mtracert
Syntax
mtracert source-address [ group-address | last-hop-router-address group-address ]
View
Any view
Parameters
source-address: Specifies a multicast source.
group-address: Specifies a multicast group.
last-hop-router-address: Specifies the last-hop router, which is the local device by default.
Description Use the multicast route-limit command to configure the maximum number of entries the multicast routing table can hold. The switch will drop the protocol and data packets for new (S, G) entries after the limit is reached. Use the undo multicast route-limit command to restore the default. The maximum number of entries the multicast routing table can hold is 256 by default.
multicast storing-enable
Syntax
multicast storing-enable
undo multicast storing-enable
View
System view
Parameters
None
Description
Use the multicast storing-enable command to enable the multicast packet buffering feature. Use the undo multicast storing-enable command to disable the multicast packet buffering feature. With the multicast packet buffering feature enabled, multicast packets delivered to the CPU are buffered while the corresponding multicast forwarding entries are being created, and are forwarded out according to the multicast forwarding entries after entry creation.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] multicast storing-packet 50
multicast-source-deny
Syntax
multicast-source-deny [ interface interface-list ]
undo multicast-source-deny [ interface interface-list ]
View
System view, Ethernet port view
Parameters
interface interface-list: Enables the multicast source port suppression feature on the specified port or ports.
Description
Use the unknown-multicast drop enable command to enable the function of dropping unknown multicast packets. Use the undo unknown-multicast drop enable command to disable the function of dropping unknown multicast packets. By default, the function of dropping unknown multicast packets is disabled.
Examples
# Enable the unknown multicast drop feature.
IGMP Configuration Commands
display igmp group
Syntax
display igmp group [ group-address | interface interface-type interface-number ]
View
Any view
Parameters
group-address: Multicast group address. With this argument provided, this command displays the information of the specified IGMP multicast group.
interface interface-type interface-number: Specifies an interface by its type and number.
Table 2-1 display igmp group command output description
Group address: Multicast group address
Last Reporter: The last host that reported a membership for this group
Uptime: Time elapsed since the multicast group was first reported (hh:mm:ss).
Expires: Remaining lifetime of the multicast group (hh:mm:ss).
Table 2-2 display igmp interface command output description
Vlan-interface1 (10.153.17.99): Interface name (IP address)
IGMP is enabled: IGMP is currently enabled on the interface. If IGMP is not enabled, no output information is displayed.
Current IGMP version is 2: IGMP version 2 (default) is running on the current interface.
Description
Use the igmp enable command to enable IGMP on an interface. Use the undo igmp enable command to disable IGMP on an interface. By default, IGMP is disabled on an interface. These commands do not take effect until the multicast routing feature is enabled. You need to use this command before you can configure other IGMP features.
After the maximum number of multicast groups is reached, the interface will not join any new multicast group. If you configure the maximum number of multicast groups allowed on the interface to 1, a new group registered on the interface supersedes the existing one automatically. If the number of existing multicast groups is larger than the configured limit on the number of joined multicast groups on the interface, the system will remove the oldest entries automatically until the number of multicast groups on the interface comes down to the configured limit.
Description
Use the igmp group-policy command to configure a multicast group filter on the current interface to control the access to the multicast groups in the defined group range. Use the undo igmp group-policy command to remove the configured multicast group filter. By default, no filter is configured;...
Description Use the igmp group-policy vlan command to configure a multicast group filter on the current port to control the access to the multicast groups in the defined group range. Use the undo igmp group-policy vlan command to remove the configured multicast group filter. By default, no filter is configured;...
In LoopBack interface view, this command does not support the port interface-list option. Description Use the igmp host-join port command to configure one or more ports under the current VLAN interface as specified multicast group member(s), namely configure the port(s) as simulated member host(s) for a specified multicast group.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port access vlan 10
[Sysname-Ethernet1/0/1] igmp host-join 225.0.0.1 vlan 10
igmp lastmember-queryinterval
Syntax
igmp lastmember-queryinterval seconds
undo igmp lastmember-queryinterval
View
Interface view
Parameters
seconds: Interval in seconds for the IGMP querier to send IGMP group-specific query messages upon receiving an IGMP leave message, in the range of 1 to 5.
View Interface view Parameters seconds: Maximum response time in seconds in the IGMP general query messages, ranging from 1 to Description Use the igmp max-response-time command to configure the maximum response time carried in the IGMP general query messages. Use the undo igmp max-response-time command to restore the default. The maximum response time is 10 seconds by default.
View Interface view Parameters seconds: Other querier present interval in seconds, in the range of 1 to 131,070. Description Use the igmp timer other-querier-present command to configure the other querier present interval, namely the length of time a non-querier waits before it assumes that the current IGMP querier is down. Use the undo igmp timer other-querier-present command to restore the default value.
A multicast router periodically sends IGMP general query messages onto the attached subnets to determine whether multicast group members are present on the subnets. The IGMP query interval can be tuned according to the practical conditions of the network. Related commands: igmp timer other-querier-present. Examples # Set the IGMP query interval to 150 seconds on VLAN-interface 2.
View User view Parameters all: The first all refers to all interfaces, while the second all refers to all IGMP multicast groups. interface interface-type interface-number: Specifies an interface by its type and number. With an interface specified, the command clears the IGMP multicast group information on the specified interface.
PIM Configuration Commands
bsr-policy
Syntax
bsr-policy acl-number
undo bsr-policy
View
PIM view
Parameters
acl-number: ACL number to be used in the BSR filtering policy, in the range of 2000 to 2999.
Description
Use the bsr-policy command to limit the range of legal BSRs to prevent BSR spoofing. Use the undo bsr-policy command to restore the default.
c-bsr Syntax c-bsr interface-type interface-number hash-mask-len [ priority ] undo c-bsr View PIM view Parameters interface-type interface-number: Specifies an interface that will be configured as a C-BSR. This configuration takes effect only after PIM-SM is enabled on the interface. hash-mask-len: Length of the hash mask used for RP calculation. The effective range is 0 to 32. priority: C-BSR priority.
group-policy: Defines a group range to be served by the specified interface after it becomes the RP. acl-number: Basic ACL number, in the range of 2,000 to 2,999. Used together with the group-policy keyword, this argument defines the group range mentioned above. priority priority-value: C-RP priority, in the range of 0 to 255, 0 by default.
By default, there is no limit on the C-RP address range or the multicast address range that a C-RP serves, that is, all the C-RP-Adv messages are considered valid.
Examples
# Configure a C-RP policy on the BSR so that only multicast devices on subnet 1.1.1.1/32 can become C-RPs, serving only the multicast groups in the range of 225.1.0.0/16.
Local host is BSR: The local device serves as the BSR.
display pim interface
Syntax
display pim interface [ interface-type interface-number ]
View
Any view
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Description
Use the display pim interface command to display the PIM configuration information. With an interface specified, the command displays the PIM configuration information on the specified interface;...
PIM neighbor policy: Filtering policy of the PIM neighbors on the current interface
Total 1 PIM neighbor on interface: Totally, one PIM neighbor is present on this VLAN interface.
PIM DR: Designated router
display pim neighbor
Syntax
display pim neighbor [ interface interface-type interface-number ]
View
Any view
Parameters...
View Any view Parameters group-address: Multicast group address. With this argument provided, the command displays the RP information about the specified multicast group; otherwise, the command displays the RP information about all multicast groups. Description Use the display pim rp-info command to display the RP information of the multicast group. The output of this command also includes BSR and static RP information.
View System view Parameters None Description Use the pim command to enter PIM view so that you can configure PIM parameters globally. Note that this command is not used to enable PIM. Use the undo pim command to clear PIM configurations made in PIM view. Examples # Enter PIM view.
Description Use the pim neighbor-limit command to configure the upper threshold of the number of PIM neighbors on the current interface. The switch will add no more neighbors for the interface when the limit is reached. Use the undo pim neighbor-limit command to restore the default. By default, a switch can have a maximum of 128 PIM neighbors on an interface.
[Sysname-acl-basic-2000] rule deny source any
[Sysname-acl-basic-2000] quit
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] pim neighbor-policy 2000
pim sm
Syntax
pim sm
undo pim sm
View
Interface view
Parameters
None
Description
Use the pim sm command to enable PIM-SM on the current interface. Use the undo pim sm command to disable PIM-SM on the current interface.
Description Use the pim timer hello command to configure the PIM Hello interval on the current interface. Use the undo pim timer hello command to restore the default. By default, an interface sends Hello messages at the interval of 30 seconds. After PIM-SM is enabled on an interface, the switch periodically sends Hello messages to all the PIM-capable devices to discover PIM neighbors.
Examples
# Set the PIM prune delay interval to 75 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] pim
[Sysname-pim] prune delay 75
register-policy
Syntax
register-policy acl-number
undo register-policy
View
PIM view
Parameters
acl-number: Number of the IP advanced ACL that defines the rule for filtering the source and group addresses.
Parameters all: Clears all PIM neighbors. neighbor-address: Neighbor address. interface interface-type interface-number: Specifies an interface by its type and number. With an interface specified, the command clears PIM neighbors of the specified interface only. Description Use the reset pim neighbor command to clear the specified PIM neighbor, PIM neighbors on the specified VLAN interface, or all PIM neighbors.
In this command, if group-address is a multicast group address and source-address is 0 (the group address can carry a mask while the source address has none), only the (*, G) entry is cleared. This command clears not only the multicast route entries in the PIM routing table, but also the corresponding route entries and forwarding entries in the multicast core routing table and the MFC.
If you do not include the order order-value option in your command, the ACL will be appended to the end of the group-policy list. If you use this command multiple times on the same multicast group, the first matched traffic rate configuration in sequence will take effect.
The configured multicast source lifetime applies to all (S, G) entries in the PIM routing table and the multicast routing table rather than on a specific (S, G) entry, and the configuration changes the aging time of all the existing (S, G) entries. Examples # Set the multicast source lifetime to 3000 seconds.
[Sysname] pim
[Sysname-pim] source-policy 2000
[Sysname-pim] quit
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 10.10.1.1 0
[Sysname-acl-basic-2000] rule permit source any
static-rp
Syntax
static-rp rp-address [ acl-number ]
undo static-rp
View
PIM view
Parameters
rp-address: Static RP address. It must be a legal unicast IP address.
acl-number: Specifies a basic ACL, used to control the range of multicast groups to be served by the static RP.
MSDP Configuration Commands
cache-sa-enable
Syntax
cache-sa-enable
undo cache-sa-enable
View
MSDP view
Parameters
None
Description
Use the cache-sa-enable command to enable the SA message caching mechanism. Use the undo cache-sa-enable command to disable the SA message caching mechanism. By default, the SA message caching mechanism is enabled.
Description
Use the display msdp brief command to display the brief information of the MSDP peer state.
Examples
# Display the brief information of the MSDP peer state.
<Sysname> display msdp brief
MSDP Peer Brief Information
Peer's Address State Up/Down time SA Count Reset Count
20.20.20.20...
Examples
# Display the detailed information of MSDP peer 10.110.11.11.
<Sysname> display msdp peer-status 10.110.11.11
MSDP Peer 20.20.20.20, AS 100
Description:
Information about connection status:
State: Up
Up/down time: 14:41:08
Resets: 0
Connection interface: LoopBack0 (20.20.20.30)
Number of sent/received messages: 867/947
Number of discarded output messages: 0
Elapsed time since last connection or counters clear: 14:42:40
Information about (Source, Group)-based SA filtering policy:...
Connection interface: Interface and its IP address used for setting up a TCP connection with the remote MSDP peer
Number of sent/received messages: Number of SA messages sent and received through this connection
Number of discarded output messages: Number of discarded outgoing messages
Elapsed time since last connection or counters: Time passed since the information of the MSDP...
Parameters group-address: Multicast group address. With this argument provided, the command displays the (S, G) entries for the specified multicast group. source-address: Multicast source address. With this argument provided, the command displays the (S, G) entries for the specified multicast source. as-number: AS number, in the range of 1 to 65535.
Uptime: Length of time for which the cached (S, G) entry has been existing
Expires: Length of time in which the cached (S, G) entry will expire
display msdp sa-count
Syntax
display msdp sa-count [ as-number ]
View
Any view
Parameters
as-number: AS number, in the range of 1 to 65535.
AS number: “?” indicates that the system was unable to obtain the AS number.
Number of source: Number of multicast sources from this AS
Number of group: Number of multicast groups from this AS
import-source
Syntax
import-source [ acl acl-number ]
undo import-source
View
MSDP view...
undo msdp View System view Parameters None Description Use the msdp command to enable MSDP and enter MSDP view. Use the undo msdp command to clear all configurations in MSDP view, release resources occupied by MSDP, and restore the initial state. Related commands: peer.
Description Use the msdp-tracert command to trace the path along which an SA message travels, so as to locate message loss and minimize configuration errors. After determining the path of the SA message, you can prevent SA flooding through correct configuration. Examples # Specify the maximum number of hops to be traced and collect the detailed SA and MSDP peer information.
Return Code: Reached-max-hops: Maximum number of hops is reached. Another possible value is Hit-src-RP: the switch of this hop is the source RP in the (S, G, RP) entry.
Next-Hop Router Address: 0.0.0.0: If you use the next-hop-info keyword, the address of the Peer-RPF neighbor is displayed.
peer connect-interface Syntax peer peer-address connect-interface interface-type interface-number undo peer peer-address View MSDP view Parameters peer-address: Specifies an MSDP peer by its IP address. interface-type interface-number: Specifies an interface by its type and number. The switch will use the primary address of this interface as the source IP to establish a TCP connection with the remote MSDP peer.
Description Use the peer description command to configure the descriptive text for an MSDP peer so that the administrator can easily distinguish MSDP peers. Use the undo peer description command to remove the configured descriptive text. By default, no descriptive text is configured for any MSDP peer. Related commands: display msdp peer-status.
undo peer peer-address minimum-ttl View MSDP view Parameters peer-address: IP address of the MSDP peer to which the minimum TTL setting will apply. ttl-value: Minimum required TTL value, ranging from 0 to 255. Description Use the peer minimum-ttl command to configure the minimum required TTL value for a multicast packet encapsulated in an SA message to be forwarded to the specified MSDP peer.
Examples
# Configure to send an SA request message to the MSDP peer 125.10.7.6.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] msdp
[Sysname-msdp] peer 125.10.7.6 request-sa-enable
peer sa-cache-maximum
Syntax
peer peer-address sa-cache-maximum sa-limit
undo peer peer-address sa-cache-maximum
View
MSDP view
Parameters...
View MSDP view Parameters peer-address: Specifies an MSDP peer by its IP address. import: Filters the SA messages from the specified MSDP peer. export: Filters the SA messages to be forwarded to the specified MSDP peer. acl acl-number: Specifies an advanced ACL number, ranging from 3000 to 3999. If no ACL is specified, all SA messages carrying (S, G) entries will be filtered out.
Description Use the peer sa-request-policy command to filter the SA request messages from the specified MSDP peer. Use the undo peer sa-request-policy command to restore the default. By default, the switch accepts all SA request messages from any MSDP peer. If no ACL is specified, all SA requests will be ignored.
reset msdp sa-cache Syntax reset msdp sa-cache [ group-address ] View User view Parameters group-address: Multicast group address; the cached (S, G) entries matching this address are to be deleted from the SA cache. If no multicast group address is specified, all cached SA entries will be cleared.
undo shutdown peer-address View MSDP view Parameters peer-address: Specifies an MSDP peer by its IP address. Description Use the shutdown command to shut down the connection with the specified MSDP peer. Use the undo shutdown command to reactivate an MSDP peering connection. By default, the connections with all MSDP peers are active.
using the same rp-policy keyword are configured, when any of the peers receives an SA message, it will forward the SA message to the other peers. Use the rp-policy keyword for none of the MSDP peers. In this case, based on the configuration sequence, only the first static RPF peer whose connection state is UP is active.
IGMP Snooping Configuration Commands
display igmp-snooping configuration
Syntax
display igmp-snooping configuration
View
Any view
Parameters
None
Description
Use the display igmp-snooping configuration command to display IGMP Snooping configuration information. If IGMP Snooping is disabled on this switch, this command displays a message showing that IGMP Snooping is not enabled.
display igmp-snooping group
Syntax
display igmp-snooping group [ vlan vlan-id ]
View
Any view
Parameters
vlan vlan-id: Specifies the VLAN in which the multicast group information is to be displayed, where vlan-id ranges from 1 to 4094. If you do not specify a VLAN, this command displays the multicast group information of all VLANs.
Total 1 MAC Group(s): Total number of MAC multicast groups in all VLANs
Vlan(id): ID of the VLAN whose multicast group information is displayed
Total 1 IP Group(s): Total number of IP multicast groups in VLAN 100
Total 1 MAC Group(s): Total number of MAC multicast groups in VLAN
Examples
# Display IGMP Snooping statistics.
<Sysname> display igmp-snooping statistics
Received IGMP general query packet(s) number:1.
Received IGMP specific query packet(s) number:0.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:3.
Received IGMP leave packet(s) number:0.
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:0.
Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously in the same VLAN and on the corresponding VLAN interface. Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view;...
The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, the configuration takes effect on all ports in the specified VLAN(s).
By default, the Layer 2 multicast switch sends general query messages with the source IP address of 0.0.0.0. Related commands: igmp-snooping querier, igmp-snooping query-interval. Examples # Configure the switch to send general query messages with the source IP address 2.2.2.2 in VLAN 3. <Sysname>...
To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting from the oldest one.
By default, no multicast group filter is configured. The ACL rule defines a multicast address or a multicast address range (for example 224.0.0.1 to 239.255.255.255) and is used to: Allow the port(s) to join only the multicast group(s) defined in the rule by a permit statement. Inhibit the port(s) from joining the multicast group(s) defined in the rule by a deny statement.
[Sysname-acl-basic-2001] rule permit source any
[Sysname-acl-basic-2001] quit
# Create VLAN 2 and add Ethernet1/0/2 to VLAN 2.
[Sysname] vlan 2
[Sysname-vlan2] port Ethernet 1/0/2
[Sysname-vlan2] quit
# Configure ACL 2001 on Ethernet1/0/2 to allow it to join any IGMP multicast groups except those defined in the deny rule of ACL 2001.
View System view Parameters seconds: Maximum response time in IGMP general queries, in the range of 1 to 25. Description Use the igmp-snooping max-response-time command to configure the maximum response time in IGMP general queries. Use the undo igmp-snooping max-response-time command to restore the default. By default, the maximum response time in IGMP general queries is 10 seconds.
You can configure this command only after IGMP Snooping is enabled globally. When IGMP Snooping is disabled globally, the configuration of the igmp-snooping nonflooding-enable command is also removed. If the function of dropping unknown multicast packets or the XRN fabric function is enabled, you cannot enable the IGMP Snooping non-flooding function.
igmp-snooping router-aging-time Syntax igmp-snooping router-aging-time seconds undo igmp-snooping router-aging-time View System view Parameters seconds: Aging time of router ports, in the range of 1 to 1,000, in seconds. Description Use the igmp-snooping router-aging-time command to configure the aging time of router ports. Use the undo igmp-snooping router-aging-time command to restore the default aging time.
Examples
# Disable Ethernet 1/0/1 from becoming a router port.
<Sysname> system-view
System view, return to user view with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] igmp-snooping query-pkt-deny
igmp-snooping version
Syntax
igmp-snooping version version-number
undo igmp-snooping version
View
VLAN view
Parameters
version-number: IGMP Snooping version, in the range of 2 to 3 and defaulting to 2.
Parameters vlan vlan-id: VLAN ID, in the range of 1 to 4094. Description Use the igmp-snooping vlan-mapping vlan command to configure to transmit IGMP general and group-specific query messages in a specific VLAN. Use the undo igmp-snooping vlan-mapping command to restore the default. By default, the VLAN tag carried in IGMP general and group-specific query messages is not changed.
Unlike a static member port, a port configured as a simulated member host will age out like a dynamic member port.
Related commands: igmp-snooping enable, multicast static-group interface, multicast static-group vlan.
Before configuring simulated joining, enable IGMP Snooping in the VLAN corresponding to the current VLAN interface.
Use the undo igmp host-join command to remove the current port as a simulated member host for the specified multicast group or source-group. Unlike a static member port, a port configured as a simulated member host will age out like a dynamic member port.
Description Use the igmp-snooping special-query source-ip command to configure the source address to be carried in IGMP group-specific queries. Use the undo igmp-snooping special-query source-ip command to restore the default. By default, the Layer 2 multicast switch sends group-specific query messages with the source IP address of 0.0.0.0.
The ports configured with this command handle Layer 2 multicast traffic only, rather than Layer 3 multicast traffic. Examples # Configure ports Ethernet 1/0/1 to Ethernet 1/0/3 under VLAN-interface 1 as static member ports for multicast group 225.0.0.1. <Sysname> system-view System View: return to User View with Ctrl+Z.
The port configured with this command handles Layer 2 multicast traffic only, rather than Layer 3 multicast traffic. Examples # Configure port Ethernet1/0/1 in VLAN 2 as a static member port for multicast group 225.0.0.1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname]interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] multicast static-group 225.0.0.1 vlan 2 multicast static-router-port...
undo multicast static-router-port vlan vlan-id View Ethernet port view Parameters vlan-id: VLAN ID the port belongs to, in the range of 1 to 4094. Description Use the multicast static-router-port vlan command to configure the current port in the specified VLAN as a static router port and specify the VLAN the port belongs to.
Examples # Clear IGMP Snooping statistics. <Sysname> reset igmp-snooping statistics service-type multicast Syntax service-type multicast undo service-type multicast View VLAN view Parameters None Description Use the service-type multicast command to configure the current VLAN as a multicast VLAN. Use the undo service-type multicast command to remove the current VLAN as a multicast VLAN. By default, no VLAN is a multicast VLAN.
802.1x Configuration Commands display dot1x Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] View Any view Parameters sessions: Displays the information about 802.1x sessions. statistics: Displays the statistics on 802.1x. interface: Displays the 802.1x-related information about a specified port. interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
Configuration: Transmit Period 30 s, Handshake Period 15 s
ReAuth Period 3600 s, ReAuth MaxTimes
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Interval between version requests is 30s
Maximal request times for version information is 3
The maximal retransmitting times
EAD Quick Deploy configuration:
Url: http://192.168.19.23...
Field Description
DHCP-launch is disabled Whether or not 802.1x authentication is DHCP-triggered. Here it is disabled.
Handshake is enabled The online user handshaking function is enabled.
Proxy trap checker is disabled Whether or not to send Trap packets when detecting that a supplicant system logs in through a proxy. Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through a proxy; Enable means the switch sends Trap packets in that case.
Description Use the dot1x command to enable 802.1x globally or for specified Ethernet ports. Use the undo dot1x command to disable 802.1x globally or for specified Ethernet ports. By default, 802.1x is disabled globally and also on all ports. In system view: If you do not provide the interface-list argument, the dot1x command enables 802.1x globally.
Parameters chap: Authenticates using challenge handshake authentication protocol (CHAP). pap: Authenticates using password authentication protocol (PAP). eap: Authenticates using extensible authentication protocol (EAP). Description Use the dot1x authentication-method command to set the 802.1x authentication method. Use the undo dot1x authentication-method command to revert to the default 802.1x authentication method.
Description Use the dot1x dhcp-launch command to specify an 802.1x-enabled switch to launch the process to authenticate a supplicant system when the supplicant system applies for a dynamic IP address through DHCP. Use the undo dot1x dhcp-launch command to disable an 802.1x-enabled switch from authenticating a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.
If you specify the interface-list argument, these two commands apply to the specified ports. In Ethernet port view, the interface-list argument is not available and these two commands apply to only the current Ethernet port. The guest VLAN function is available only when the switch operates in the port-based authentication mode.
To enable the proxy detecting function, you need to enable the online user handshaking function first. With H3C proprietary clients, handshaking packets can be used to test whether or not a user is online. Because non-H3C clients do not support the online user handshaking function, switches cannot receive handshaking acknowledgement packets from them in handshaking periods.
dot1x port-control Syntax dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ] undo dot1x port-control [ interface interface-list ] View System view, Ethernet port view Parameters auto: Specifies to operate in auto access control mode. When a port operates in this mode, all the unauthenticated hosts connected to it are unauthorized.
dot1x port-method Syntax dot1x port-method { macbased | portbased } [ interface interface-list ] undo dot1x port-method [ interface interface-list ] View System view, Ethernet port view Parameters macbased: Performs MAC-based authentication. portbased: Performs port-based authentication. interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
Use the undo dot1x quiet-period command to disable the quiet-period timer. When a user fails to pass the authentication, the authenticator system (such as a 3Com switch) will stay quiet for a period (determined by the quiet-period timer) before it performs another authentication.
After a switch sends an authentication request packet to a user, it sends another authentication request packet if it does not receive response from the user after a specific period of time. If the switch still receives no response when the configured maximum number of authentication request transmission attempts is reached, it stops sending requests to the user.
Examples # Configure the maximum number of times that the switch sends version request packets to 6. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dot1x retry-version-max 6 dot1x re-authenticate Syntax dot1x re-authenticate [ interface interface-list ] undo dot1x re-authenticate [ interface interface-list ] View System view, Ethernet port view...
Whether or not a user logs in through multiple network adapters (that is, the host has more than one active network adapter when the user attempts to log in). A switch can optionally take the following actions in response to any of the above three cases: only disconnect the user and send no Trap packets, which can be achieved by using the dot1x supp-proxy-check logoff command.
undo dot1x timer { handshake-period | quiet-period | server-timeout | supp-timeout | tx-period | ver-period } View System view Parameters handshake-period handshake-period-value: Sets the handshake timer. This timer sets the handshake-period and is triggered after a supplicant system passes the authentication. It sets the interval for a switch to send handshake request packets to online users.
ver-period ver-period-value: Sets the client version request timer. This timer sets the version period and is triggered after a switch sends a version request packet. The switch sends another version request packet if it does not receive a version response packet from the supplicant system by the time the timer expires.
reset dot1x statistics Syntax reset dot1x statistics [ interface interface-list ] View User view Parameters interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
dot1x timer acl-timeout Syntax dot1x timer acl-timeout acl-timeout-value undo dot1x timer acl-timeout View System view Parameters acl-timeout-value: ACL timeout period (in minutes), in the range of 1 to 1440. Description Use the dot1x timer acl-timeout command to configure the ACL timeout period. Use the undo dot1x timer acl-timeout command to restore the default.
System View: return to User View with Ctrl+Z. [Sysname] dot1x url http://192.168.19.23...
display habp table Syntax display habp table View Any view Parameters None Description Use the display habp table command to display the MAC address table maintained by HABP. Examples # Display the MAC address table maintained by HABP. <Sysname> display habp table Holdtime Receive Port 001f-3c00-0030...
HABP counters :
Packets output: 0, Input: 0
ID error: 0, Type error: 0, Version error: 0
Sent failed: 0
Table 3-3 Description on the fields of the display habp traffic command
Field Description
Packets output Number of the HABP packets sent
Input Number of the HABP packets received
ID error...
habp server vlan Syntax habp server vlan vlan-id undo habp server View System view Parameters vlan-id: VLAN ID, ranging from 1 to 4094. Description Use the habp server vlan command to configure a switch to operate as an HABP server. This command also specifies the VLAN where HABP packets are broadcast.
Examples # Configure the switch to send HABP request packets once in every 50 seconds <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] habp timer 50...
System Guard Configuration Commands display system-guard ip state Syntax display system-guard ip state View Any view Parameters None Description Use the display system-guard ip state command to view the monitoring result and parameter settings of System Guard against IP attacks. Examples # View the monitoring result and parameter settings of System Guard against IP attacks.
display system-guard ip-record Syntax display system-guard ip-record View Any view Parameters None Description Use the display system-guard ip-record command to view the information about IP packets received by the CPU in the current monitoring cycle. Examples # View the information about IP packets received by the CPU in the current monitoring cycle. <Sysname>...
Parameters None Description Use the display system-guard l3err state command to view the status of Layer 3 error control. Examples # View the status of Layer 3 error control. <Sysname> display system-guard l3err state System-guard l3err status: enabled display system-guard tcn state Syntax display system-guard tcn state View...
Use the undo system-guard ip detect-maxnum command to restore the maximum number of infected hosts that can be monitored to the default setting. By default, System Guard can monitor a maximum of 30 infected hosts. Examples # Set the maximum number of infected hosts that can be concurrently monitored to 50. <Sysname>...
The correlations among the arguments of the system-guard ip detect-threshold command can be described with this example: if you set ip-record-threshold, record-times-threshold and isolate-time to 30, 1 and 3 respectively, when the system detects successively three times that over 50 IP packets (destined for an address other than an IP address of the switch) from a source IP address are received within a period of 10 seconds, the system considers itself to be under attack —
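As an added illustration of the detection semantics just described (this is not 3Com code and does not reproduce the switch's implementation), the following Python simulation counts IP packets delivered to the CPU per source address in fixed 10-second cycles, ignores packets addressed to the switch itself, and isolates a source once it exceeds ip-record-threshold in record-times-threshold consecutive cycles. The cycle length of 10 seconds is taken from this section; that the streak resets on a quiet cycle, that isolation is measured from the end of the triggering cycle, and that sources beyond detect-maxnum are simply not tracked are assumptions of the example. The packet records and the threshold values 50, 3 and 3 are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

CYCLE_SECONDS = 10  # monitoring cycle length stated by the manual; assumed fixed


@dataclass
class SystemGuardIp:
    """Per-source rate monitor modelled on system-guard ip detect-threshold."""
    ip_record_threshold: int      # packets per cycle above which a source is suspicious
    record_times_threshold: int   # consecutive suspicious cycles before isolation
    isolate_time: int             # isolation period in minutes
    detect_maxnum: int = 30       # sources tracked concurrently (manual default)
    switch_addresses: frozenset = frozenset()   # packets to these addresses are not counted
    hits: dict = field(default_factory=lambda: defaultdict(int))   # source -> current streak
    isolated: dict = field(default_factory=dict)                   # source -> isolation end (s)
    events: list = field(default_factory=list)                     # (cycle_start, source, count)

    def run(self, packets):
        """packets: iterable of (time_seconds, src_ip, dst_ip) seen by the CPU."""
        by_cycle = defaultdict(lambda: defaultdict(int))
        for t, src, dst in packets:
            if dst in self.switch_addresses:
                continue  # traffic addressed to the switch itself is outside this check
            by_cycle[(t // CYCLE_SECONDS) * CYCLE_SECONDS][src] += 1
        for cycle_start in sorted(by_cycle):
            self._end_of_cycle(cycle_start, by_cycle[cycle_start])
        return dict(self.isolated)

    def _end_of_cycle(self, cycle_start, counts):
        # release sources whose isolation timer has run out (assumption: checked per cycle)
        for src, until in list(self.isolated.items()):
            if cycle_start >= until:
                del self.isolated[src]
        suspicious = {s for s, n in counts.items() if n > self.ip_record_threshold}
        for src in list(self.hits):
            if src not in suspicious:
                del self.hits[src]   # a quiet cycle breaks the streak (assumption)
        for src in suspicious:
            if src in self.isolated:
                continue
            if src not in self.hits and len(self.hits) >= self.detect_maxnum:
                continue  # assumption: no tracking slot left, source is not monitored
            self.hits[src] += 1
            self.events.append((cycle_start, src, counts[src]))
            if self.hits[src] >= self.record_times_threshold:
                end_of_cycle = cycle_start + CYCLE_SECONDS
                self.isolated[src] = end_of_cycle + self.isolate_time * 60
                del self.hits[src]


def build_sample_packets():
    """Constructed traffic: one persistent offender, one single burst, one benign
    host, and one host hammering the switch's own address."""
    pkts = []
    for cycle in (0, 10, 20):
        pkts += [(cycle + i % 10, "10.0.0.9", "192.168.1.100") for i in range(60)]
    pkts += [(i, "10.0.0.5", "192.168.1.100") for i in range(5)]
    pkts += [(i % 10, "10.0.0.7", "192.168.1.100") for i in range(60)]
    pkts += [(10 + i, "10.0.0.7", "192.168.1.100") for i in range(3)]
    pkts += [(i % 10, "10.0.0.3", "192.168.1.1") for i in range(200)]
    return sorted(pkts)


def demo():
    guard = SystemGuardIp(ip_record_threshold=50, record_times_threshold=3,
                          isolate_time=3, switch_addresses=frozenset({"192.168.1.1"}))
    isolated = guard.run(build_sample_packets())
    return guard, isolated


if __name__ == "__main__":
    g, iso = demo()
    for cycle_start, src, n in g.events:
        print(f"cycle {cycle_start:>3}s: {src} sent {n} packets (over threshold)")
    print("isolated:", iso)
```

Only 10.0.0.9 ends up isolated: 10.0.0.7 exceeded the per-cycle threshold once but not three cycles in a row, and the 200 packets from 10.0.0.3 are aimed at the switch's own address and so fall under a different protection. The same structure applies to the TCN/TC rate threshold described later in this section, with a packet-per-second threshold in place of ip-record-threshold.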
System View: return to User View with Ctrl+Z. [Sysname] system-guard ip enable system-guard l3err enable Syntax system-guard l3err enable undo system-guard l3err enable View System view Parameters None Description Use the system-guard l3err enable command to enable Layer 3 error control. Use the undo system-guard l3err enable command to disable Layer 3 error control.
system-guard tcn enable Syntax system-guard tcn enable undo system-guard tcn enable View System view Parameters None Description Use the system-guard tcn enable command to enable System Guard against TCN attacks. Use the undo system-guard tcn enable command to disable System Guard against TCN attacks. With this feature enabled, System Guard monitors the TCN/TC packet receiving rate on the ports.
Use the undo system-guard tcn rate-threshold command to restore the default threshold of the TCN/TC packet receiving rate. By default, the threshold is 1 pps. As the system monitoring cycle is 10 seconds, the system sends trap or log information, by default, if more than 10 TCN/TC packets are received within 10 seconds.
AAA Configuration Commands The maximum length of a domain name is changed from 24 characters to 128 characters. See domain. access-limit Syntax access-limit { disable | enable max-user-number } undo access-limit View ISP domain view Parameters disable: Specifies not to limit the number of access users that can be contained in current ISP domain. enable max-user-number: Specifies the maximum number of access users that can be contained in current ISP domain.
[Sysname] domain aabbcc.net New Domain added. [Sysname-isp-aabbcc.net] access-limit enable 500 accounting Syntax accounting { none | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name } undo accounting View ISP domain view Parameters none: Specifies not to perform user accounting. radius-scheme radius-scheme-name: Specifies to use a RADIUS accounting scheme. Here, radius-scheme-name is the name of a RADIUS scheme;...
[Sysname-isp-aabbcc.net] accounting radius-scheme radius accounting optional Syntax accounting optional undo accounting optional View ISP domain view Parameters None Description Use the accounting optional command to open the accounting-optional switch. Use the undo accounting optional command to close the accounting-optional switch so that the system performs accounting for users unconditionally.
undo attribute { ip | mac | idle-cut | access-limit | vlan | location }* View Local user view Parameters ip ip-address: Sets the IP address of the user. mac mac-address: Sets the MAC address of the user. Here, mac-address is in H-H-H format. idle-cut second: Enables the idle-cut function for the local user and sets the allowed idle time.
authentication Syntax authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } undo authentication View ISP domain view Parameters radius-scheme radius-scheme-name: Specifies to use a RADIUS authentication scheme. Here, radius-scheme-name is a string of up to 32 characters. hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS authentication scheme.
Examples # Reference the RADIUS scheme "radius1" as the authentication scheme of the ISP domain aabbcc.net. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] domain aabbcc.net New Domain added. [Sysname-isp-aabbcc.net] authentication radius-scheme radius1 # Reference the RADIUS scheme "rd" as the authentication scheme and the local scheme as the secondary authentication scheme of the ISP domain aabbcc.
The Switch 5500-EI adopts hierarchical protection for command lines so as to inhibit users at lower levels from using higher level commands to configure the switches. For details about configuring a HWTACACS authentication scheme for low-to-high user level switching, refer to Switching User Level in the Command Line Interface Operation.
System View: return to User View with Ctrl+Z. [Sysname] domain aabbcc.net New Domain added. [Sysname-isp-aabbcc.net] authorization none authorization vlan Syntax authorization vlan string undo authorization vlan View Local user view Parameters string: Number or descriptor of the authorized VLAN for the current user, a string of 1 to 32 characters. If it is a numeral string and there is a VLAN with the number configured, it specifies the VLAN.
<Sysname> display connection
------------------unit 1------------------------
Index=40 , Username=user1@domain1
MAC=000f-3d80-4ce5 , IP=0.0.0.0
On Unit 1: Total 1 connections matched, 1 listed.
# Display information about the user connection with index 0.
[Sysname] display connection ucibindex 0
Index=0 , Username=user1@system
MAC=000f-3d80-4ce5 , IP=192.168.0.3
Access=8021X ,Auth=CHAP ,Port=Ether...
Examples # Display configuration information about all ISP domains.
<Sysname> display domain
Domain = system
State = Active
Scheme = LOCAL
Access-limit = 512
Vlan-assignment-mode = Integer
Domain User Template:
Idle-cut = Enable Time = 60(min) Flow = 200(byte)
Self-service URL = http://aabbcc.net
Messenger Time Maxlimit = 30(min) span = 10(min)
Default Domain Name: system...
IP address: 192.168.0.108 MAC address: 000d-88f6-44c1 Total 1 local user(s) Matched, 1 listed. ServiceType Mask Meaning: C--Terminal F--FTP L--LanAccess S--SSH T--Telnet Table 1-3 describes the fields in the above display output. Table 1-3 Description on the fields of the display local-user command Field Description State...
default: Manually changes the default ISP domain, which is "system" by default. There is one and only one default ISP domain. disable: Disables the configured default ISP domain. enable: Enables the configured default ISP domain. Description Use the domain command to create an ISP domain and enter its view, or enter the view of an existing ISP domain, or configure the default ISP domain.
Parameters at: Specifies “@” as the delimiter between the username and the ISP domain name. dot: Specifies “.” as the delimiter between the username and the ISP domain name. Description Use the domain delimiter command to specify the delimiter form between the username and the ISP domain name.
Description Use the idle-cut command to set the user idle-cut function in current ISP domain. If a user’s traffic in the specified period of time is less than the specified amount, the system will disconnect the user. By default, this function is disabled. Note that if the authentication server assigns the idle-cut settings, the assigned ones take precedence over the settings configured here.
using RSA shared key for authentication, the commands they can access are determined by the levels set on their user interfaces. Related commands: local-user. Examples # Set the level of user1 to 3. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] local-user user1 New local user added.
Examples # Add a local user named user1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] local-user user1 New local user added. [Sysname-luser-user1] # Add a local user named 01234567891234567 (note that it will appear as 012345678912345~0000 in the view prompt).
Examples # Specify to display all local user passwords in cipher text in whatever cases. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] local-user password-display-mode cipher-force messenger Syntax messenger time { enable limit interval | disable } undo messenger time View ISP domain view...
undo name View VLAN view Parameters string: Assigned VLAN name, a string of up to 32 characters. Description Use the name command to set a VLAN name, which will be used for VLAN assignment. Use the undo name command to cancel the VLAN name. By default, a VLAN uses its VLAN ID (like VLAN 0001) as its assigned VLAN name.
Description Use the password command to set a password for the local user. Use the undo password command to cancel the password of the local user. Note that: With the local-user password-display-mode cipher-force command configured, the password is always displayed in cipher text, regardless of the configuration of the password command. With the cipher keyword specified, a password of up to 16 characters in plain text will be encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text will be encrypted into a password of 88 characters in cipher text.
Both the radius-scheme command and the scheme command can be used to specify the RADIUS scheme to be referenced by the ISP domain. Their functions are the same, and the system takes the latest configuration. Related commands: radius scheme, display domain. Examples # Configure the ISP domain aabbcc.net to use RADIUS scheme radius1 as the primary AAA scheme and use the local scheme as the secondary authentication scheme.
A user can choose the [change user password] option on the client only after passing the authentication. If the user fails the authentication, this option is in grey and is unavailable. Examples # Under the default ISP domain "system", set the URL of the web page used to modify user password on the self-service server to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.
System View: return to User View with Ctrl+Z. [Sysname] local-user user1 New local user added. [Sysname-luser-user1] service-type telnet state Syntax state { active | block } View ISP domain view, local user view Parameters active: Activates the current ISP domain (in ISP domain view) or local user (in local user view), to allow users in current ISP domain or current local user to access the network.
[Sysname] local-user user1 [Sysname-luser-user1] state block vlan-assignment-mode Syntax vlan-assignment-mode { integer | string } View ISP domain view Parameters integer: Sets the VLAN assignment mode to integer. string: Sets the VLAN assignment mode to string. Description Use the vlan-assignment-mode command to set the VLAN assignment mode (integer or string) on the switch.
Table 1-4 Commonly used servers and their dynamic VLAN assignment modes
Server Dynamic VLAN assignment mode
CAMS Integer. For the latest CAMS version, you can determine the assignment mode by attribute value.
FreeRADIUS String. You can determine the assignment mode by attribute value (for example, 100 is integer;...
RADIUS Configuration Commands accounting optional Syntax accounting optional undo accounting optional View RADIUS scheme view Parameters None Description Use the accounting optional command to open the accounting-optional switch. Use the undo accounting optional command to close the accounting-optional switch so that the system performs accounting for users unconditionally.
accounting-on enable Syntax accounting-on enable [ send times | interval interval ] undo accounting-on { enable | send | interval } View RADIUS scheme view Parameters times: Maximum number of attempts to send an Accounting-On message, ranging from 1 to 256 and defaulting to 15.
NAS-IP-address and session ID) contained in the message, and ends the accounting of the users based on the last accounting update message. Once the switch receives the response from the CAMS, it stops sending Accounting-On messages. If the switch does not receive any response from the CAMS after it has tried the configured maximum number of times to send the Accounting-On message, it will not send the Accounting-On message any more.
Parameters mode1: Sets the MAC address format to XXXX-XXXX-XXXX, where each X represents a hexadecimal number. mode2: Sets the MAC address format to XX-XX-XX-XX-XX-XX. lowercase: Uses lowercase letters in the MAC address. uppercase: Uses uppercase letters in the MAC address. Description Use the calling-station-id mode command to configure the MAC address format of the Calling-Station-Id (Type 31) field in RADIUS packets.
Note that the specified unit of data flows sent to the RADIUS server must be consistent with the traffic statistics unit of the RADIUS server. Otherwise, accounting cannot be performed correctly. Related commands: display radius scheme. Examples # Specify to measure data and packets in data flows to RADIUS servers in kilo-bytes and kilo-packets respectively in RADIUS scheme radius1.
View Any view Parameters radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters. Description Use the display radius scheme command to display configuration information about one specific or all RADIUS schemes Related commands: radius scheme. Examples # Display configuration information about all RADIUS schemes.
Index Index number of the RADIUS scheme
Type Type of the RADIUS servers
Primary Auth IP/Port IP address/port number of the primary authentication server
Primary Acct IP/Port IP address/port number of the primary accounting server
Second Auth IP/Port IP address/port number of the secondary authentication server
Second Acct IP/Port IP address/port number of the secondary accounting server...
Description Use the display stop-accounting-buffer command to display the non-response stop-accounting requests buffered in the device. You can choose to display the buffered stop-accounting requests of a specified RADIUS scheme, session (by session ID), or user (by username). You can also specify a time range to display those generated within the specified time range.
Description Use the key command to set a shared key for RADIUS authentication/authorization messages or accounting messages. Use the undo key command to restore the corresponding default shared key setting. By default, no shared key exists. Note that: The RADIUS client and server both use the shared key with the MD5 algorithm to hide the User-Password attribute and to compute and verify the Response Authenticator of RADIUS messages; the rest of a RADIUS message travels in clear text. The key must therefore be configured identically on the switch and on the server, and a key known to an attacker lets them forge server responses and recover passwords.
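As an added example in Python (not 3Com's code, and not how the switch implements it internally), the following block shows what the shared key configured with the key command actually protects, following RFC 2865: User-Password hiding, the Response Authenticator an NAS must verify on every Access-Accept/Reject, and the effect of a key mismatch. It also renders the Calling-Station-Id (Type 31) attribute in the two formats selectable with the calling-station-id mode command described earlier in this chapter. The shared key, the Request Authenticator bytes, the password and the MAC address are constructed for the illustration; a real NAS draws the Request Authenticator from a cryptographically random source.

```python
import hashlib
import hmac
import struct


def format_calling_station_id(mac: bytes, mode: str = "mode1", upper: bool = False) -> str:
    """Render a 6-byte MAC as the Calling-Station-Id string selected by
    calling-station-id mode: mode1 -> XXXX-XXXX-XXXX, mode2 -> XX-XX-XX-XX-XX-XX."""
    if len(mac) != 6:
        raise ValueError("a MAC address is 6 bytes")
    h = mac.hex()
    if mode == "mode1":
        s = "-".join(h[i:i + 4] for i in range(0, 12, 4))
    elif mode == "mode2":
        s = "-".join(h[i:i + 2] for i in range(0, 12, 2))
    else:
        raise ValueError("mode must be mode1 or mode2")
    return s.upper() if upper else s


def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous),
    where 'previous' is the Request Authenticator for the first block and the
    previous ciphertext block afterwards."""
    out = bytearray()
    prev = request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = block if decrypt else result
    return bytes(out)


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Obfuscate a User-Password value, NUL-padded to a multiple of 16 bytes."""
    pad_len = (-len(password)) % 16 or (16 if not password else 0)
    return _xor_chain(password + b"\x00" * pad_len, secret, request_auth, decrypt=False)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password, as the server performs it."""
    return _xor_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: a response packet with its Response Authenticator filled in."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with the local key and
    compare in constant time before trusting an Access-Accept."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, request_auth, packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    secret = b"r4d1us-shared"          # constructed shared key (the 'key authentication' value)
    request_auth = bytes(range(16))    # constructed; a real NAS sends 16 fresh random bytes
    mac = bytes.fromhex("000f3d804ce5")
    hidden = hide_user_password(b"s3cret", secret, request_auth)
    attrs = attribute(31, format_calling_station_id(mac, "mode1").encode())
    accept = build_response(2, 7, request_auth, attrs, secret)        # code 2 = Access-Accept
    genuine = verify_response(accept, request_auth, secret)
    forged = verify_response(accept, request_auth, b"wrong-key")      # key mismatch, or a spoofed server
    return reveal_user_password(hidden, secret, request_auth), genuine, forged


if __name__ == "__main__":
    print(demo())
```

The point for a switch operator is the third value: a response built with a different key fails verification, which is exactly why the key in the RADIUS scheme must match the server's entry for this NAS, and why a key that leaks (for example through a configuration file displayed in plain text) lets anyone on the path both forge Access-Accept packets and recover hidden passwords.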
Description Use the local-server enable command to enable the UDP ports for local RADIUS services. Use the undo local-server command to disable the UDP ports for local RADIUS services. By default, the UDP ports for local RADIUS services are enabled. In addition to functioning as a RADIUS client to provide remote RADIUS authentication, authorization, and accounting services, the switch can act as a local RADIUS server to provide simple RADIUS server functions locally.
The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.
The nas-ip command in RADIUS scheme view has the same function as the radius nas-ip command in system view, and the configuration in RADIUS scheme view takes precedence over that in system view. Setting the source IP address of outgoing RADIUS messages ensures that replies from the RADIUS server are addressed to a stable address of the switch rather than to whichever physical interface happened to send the request, so they are not lost when that interface goes down.
Examples # Set the IP address and UDP port number of the primary accounting server for RADIUS scheme radius1 to 10.110.1.2 and 1813 respectively. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] radius scheme radius1 New Radius scheme [Sysname-radius-radius1] primary accounting 10.110.1.2 1813 primary authentication Syntax...
Related commands: key, radius scheme, state. Examples # Set the IP address and UDP port number of the primary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.1 and 1812 respectively. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] radius scheme radius1 New Radius scheme [Sysname-radius-radius1] primary authentication 10.110.1.1 1812...
undo radius nas-ip View System view Parameters ip-address: Source IP address to be set, an IP address of this device. It can be neither 0.0.0.0 nor a Class D (multicast) address. Description Use the radius nas-ip command to set the source IP address of outgoing RADIUS messages. Use the undo radius nas-ip command to restore the default setting.
View System view Parameters radius-scheme-name: Name of the RADIUS scheme to be created, a string of up to 32 characters. Description Use the radius scheme command to create a RADIUS scheme and enter its view. Use the undo radius scheme command to delete a specified RADIUS scheme. By default, a RADIUS scheme named "system"...
Parameters authentication-server-down: Enables/disables the switch to send trap messages when a RADIUS authentication server goes down. accounting-server-down: Enables/disables the switch to send trap messages when a RADIUS accounting server goes down. Description Use the radius trap command to enable the switch to send trap messages when a RADIUS server goes down.
undo retry View RADIUS scheme view Parameters retry-times: Maximum number of transmission attempts of a RADIUS request, ranging from 1 to 20. Description Use the retry command to set the maximum number of transmission attempts of a RADIUS request. Use the undo retry command to restore the default maximum number of transmission attempts. By default, the maximum number of RADIUS request transmission attempts is 3.
Parameters retry-times: Maximum allowed number of continuous real-time accounting failures, ranging from 1 to 255. Description Use the retry realtime-accounting command to set the maximum allowed number of continuous real-time accounting failures. Use the undo retry realtime-accounting command to restore the default maximum number of continuous real-time accounting failures.
[Sysname-radius-radius1] retry realtime-accounting 10 retry stop-accounting Syntax retry stop-accounting retry-times undo retry stop-accounting View RADIUS scheme view Parameters retry-times: Maximum number of transmission attempts of a buffered stop-accounting request, ranging from 10 to 65,535. Description Use the retry stop-accounting command to set the maximum number of transmission attempts of a stop-accounting request buffered due to no response.
undo secondary accounting View RADIUS scheme view Parameters ip-address: IP address of the secondary accounting server to be used, in dotted decimal notation. port-number: UDP port number of the secondary accounting server, ranging from 1 to 65535. Description Use the secondary accounting command to set the IP address and port number of the secondary RADIUS accounting server to be used by the current scheme.
Use the undo secondary authentication command to restore the default IP address and port number of the secondary RADIUS authentication/authorization server, which is 0.0.0.0 and 1812 respectively. Related commands: key, radius scheme, state. Examples # Set the IP address and UDP port number of the secondary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.2 and 1812 respectively.
[Sysname-radius-radius1] server-type extended state Syntax state { primary | secondary } { accounting | authentication } { block | active } View RADIUS scheme view Parameters primary: Specifies that the server to be set is a primary RADIUS server. secondary: Specifies that the server to be set is a secondary RADIUS server. accounting: Specifies that the server to be set is a RADIUS accounting server.
[Sysname] radius scheme radius1 New Radius scheme [Sysname-radius-radius1] state secondary authentication active stop-accounting-buffer enable Syntax stop-accounting-buffer enable undo stop-accounting-buffer enable View RADIUS scheme view Parameters None Description Use the stop-accounting-buffer enable command to enable the switch to buffer the stop-accounting requests that get no response.
undo timer
View
RADIUS scheme view
Parameters
seconds: Response timeout time of RADIUS servers, ranging from 1 to 10 seconds.
Description
Use the timer command to set the response timeout time of RADIUS servers (that is, the timeout time of the response timeout timer of RADIUS servers).
Use the undo timer command to restore the default response timeout timer of RADIUS servers.
Parameters
minutes: Wait time before primary server state restoration, ranging from 1 to 255 minutes.
Description
Use the timer quiet command to set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active.
Use the undo timer quiet command to restore the default wait time.
The setting of the real-time accounting interval depends, to some degree, on the performance of the switch and the RADIUS server. The higher the performance of the switch and the RADIUS server, the shorter the interval can be. It is recommended to set the interval as long as possible when the number of users is relatively large (≥1000).
After sending out a RADIUS request (authentication/authorization request or accounting request) to a RADIUS server, the switch waits for a response from the server. The maximum time that the switch can wait for the response is called the response timeout time of RADIUS servers, and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers.
designed for you to specify whether or not ISP domain names are carried in the usernames to be sent to the RADIUS server. For a RADIUS scheme, if you have specified to exclude ISP domain names from usernames, you should not use this RADIUS scheme in more than one ISP domain. Otherwise, such errors may occur: the RADIUS server regards two different users having the same name but belonging to different ISP domains as the same user (because the usernames sent to it are the same).
Note that the specified unit of data flows sent to the TACACS server must be consistent with the traffic statistics unit of the TACACS server. Otherwise, accounting cannot be performed correctly.
Related commands: display hwtacacs.
Examples
# Specify to measure data and packets in data flows to TACACS servers in kilo-bytes and kilo-packets respectively in HWTACACS scheme hwt1.
View
System view
Parameters
ip-address: Source IP address to be set, an IP address of this device. This address can neither be the all 0's address nor be a Class D address.
Description
Use the hwtacacs nas-ip command to set the source address of outgoing HWTACACS messages.
nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
HWTACACS scheme view
Parameters
ip-address: Source IP address to be set, an IP address of this device. This address can neither be the all 0's address nor be a Class D address.
Description
Use the nas-ip command to set the source address of outgoing HWTACACS messages.
View
HWTACACS scheme view
Parameters
ip-address: IP address of the primary accounting server to be used, a valid unicast address in dotted decimal notation.
port: Port number of the primary accounting server, ranging from 1 to 65535.
Description
Use the primary accounting command to set the IP address and port number of the primary HWTACACS accounting server to be used by the current scheme.
Parameters
ip-address: IP address of the primary authentication server to be used, a valid unicast address in dotted decimal notation.
port: Port number of the primary authentication server, ranging from 1 to 65535.
Description
Use the primary authentication command to set the IP address and port number of the primary HWTACACS authentication server to be used by the current scheme.
Description
Use the primary authorization command to set the IP address and port number of the primary HWTACACS authorization server to be used by the current scheme.
Use the undo primary authorization command to restore the default IP address and port number of the primary authorization server, which are 0.0.0.0 and 49 respectively.
Examples
# Clear all HWTACACS protocol statistics.
<Sysname> reset hwtacacs statistics all

reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
View
User view
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Deletes the buffered stop-accounting requests of a specified HWTACACS scheme. Here, hwtacacs-scheme-name is the name of an HWTACACS scheme, which is a string of up to 32 characters.
Description
Use the retry stop-accounting command to enable the stop-accounting request retransmission function and set the maximum number of attempts to transmit a stop-accounting request.
Use the undo retry stop-accounting command to restore the default setting.
By default, this function is enabled and the maximum number of transmission attempts is 100.
Related commands: reset...
Examples
# Set the IP address and UDP port number of the secondary accounting server for HWTACACS scheme hwt1 to 10.163.155.12 and 49 respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49

secondary authentication
Syntax
secondary authentication ip-address [ port ]...
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49

secondary authorization
Syntax
secondary authorization ip-address [ port ]
undo secondary authorization
View
HWTACACS scheme view
Parameters
ip-address: IP address of the secondary authorization server, a valid unicast address in dotted decimal notation.
port: Port number of the secondary authorization server, ranging from 1 to 65535.
Description
Use the secondary authorization command to set the IP address and port number of the secondary HWTACACS authorization server to be used by the current scheme.
undo timer quiet
View
HWTACACS scheme view
Parameters
minutes: Wait time before primary server state restoration, ranging from 1 to 255 minutes.
Description
Use the timer quiet command to set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active.
To control the interval at which users are charged in real time, you can set the real-time accounting interval. After the setting, the switch periodically sends online users' accounting information to the TACACS accounting server at the set interval. The setting of the real-time accounting interval depends, to some degree, on the performance of the switch and the TACACS server.
Description
Use the timer response-timeout command to set the response timeout time of TACACS servers.
Use the undo timer response-timeout command to restore the default response timeout time of TACACS servers.
By default, the response timeout time of TACACS servers is five seconds.
As HWTACACS is based on TCP, both a server response timeout and a TCP timeout may cause disconnection from the TACACS server.
sending usernames to the TACACS server. For this reason, the user-name-format command is designed for you to specify whether or not ISP domain names are carried in the usernames to be sent to the TACACS server. For an HWTACACS scheme, if you have specified to exclude ISP domain names from usernames, you should not use this scheme in more than one ISP domain.
EAD Configuration Commands

security-policy-server
Syntax
security-policy-server ip-address
undo security-policy-server { ip-address | all }
View
RADIUS scheme view
Parameters
ip-address: IP address of a security policy server.
all: IP addresses of all security policy servers.
Description
Use the security-policy-server command to set the IP address of a security policy server.
Use the undo security-policy-server command to remove one specified or all security policy server address settings.
MAC Address Authentication Configuration Commands

Support for configuring a fixed password when the user name is set in MAC address mode for MAC address authentication is added. See mac-authentication authmode usernameasmacaddress.

MAC Address Authentication Basic Function Configuration Commands

display mac-authentication
Syntax
display mac-authentication [ interface interface-list ]
View
Any view
Parameters...
Server response timeout value is 100s
Guest VLAN re-authenticate period is 30s
Max allowed user number is 1024
Current user number amounts to
Current domain: not configured, use default domain
Silent Mac User info:
MAC ADDR From Port Port Index
---
On unit 1, 1 silent mac address(es) found.
Field: Quiet period
Description: Quiet timer, which sets the quiet period. A switch goes through a quiet period if a user fails to pass the MAC address authentication. The default value is 60 seconds.
Field: Server response timeout value
Description: Server timeout timer, which sets the timeout time for the connection between a switch and the RADIUS server.
mac-authentication
Syntax
mac-authentication
undo mac-authentication
View
System view, Ethernet port view
Parameters
None
Description
Use the mac-authentication command to enable MAC address authentication globally or on the current port.
Use the undo mac-authentication command to disable MAC address authentication globally or on the current port.
mac-authentication interface
Syntax
mac-authentication interface interface-list
undo mac-authentication interface interface-list
View
System view
Parameters
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
View
System view
Parameters
None
Description
Use the mac-authentication authmode usernamefixed command to set the user name in fixed mode for MAC address authentication.
Use the undo mac-authentication authmode command to restore the default user name mode for MAC address authentication.
By default, the MAC address mode is used.
mac-authentication authusername
Syntax
mac-authentication authusername username
undo mac-authentication authusername
View
System view
Parameters
username: User name used in authentication, a string of 1 to 55 characters.
Description
Use the mac-authentication authusername command to set a user name in fixed mode.
Use the undo mac-authentication authusername command to restore the default user name.
View
User view
Parameters
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
Use the undo mac-authentication max-auth-num command to restore the maximum number of MAC address authentication users allowed to access the port to the default value. By default, the maximum number of MAC address authentication users allowed to access a port is 256. If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port at the same time, the smaller value of the two configured limits is adopted as the maximum number of MAC address...
Examples
# Configure the switch to re-authenticate users in Guest VLANs at the interval of 60 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication timer guest-vlan-reauth 60
Web Server: IP=30.1.1.2 Port=80
Idle-cut time: 900 sec
Max-online time: 1800 sec
Max-connection of device is: 512
Customized authentication-page information :
Corp-Name: 3Com Corporation
Platform-Name: A leading global supplier of IP-based products and solutions
Phone-Num: 1-800-876-3266
Email-address: relations@3com.com
File:
Free IP:
1) IP=10.1.1.0...
Table 1-1 Description on the fields of display web-authentication configuration
Field: Status
Description: Global status of Web authentication
Field: Web Server
Description: IP address and port number of the Web authentication server
Field: Idle-cut time
Description: Idle user checking interval
Field: Max-online time
Description: Maximum online time specified for Web authentication users
Description: Maximum number of Web authentication users...
<Sysname> display web-authentication connection all
Username: 1
MAC: 000d-88f6-44c1
Interface: Ethernet1/0/1
VLAN: 2
Method: Shared
State: ONLINE
Online-Time(s): 8
Total 1 connection(s) matched
Table 1-2 Description on the fields of display web-authentication connection
Field: Username
Description: Name of an online Web-authentication user
Field: MAC
Description: MAC address of the user
Field: Interface
Description: Access port of the user...
Phone number: 1-800-876-3266
Subject: A leading global supplier of IP-based products and solutions
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] web-authentication customize corp-name 3Com Corporation
[Sysname] web-authentication customize email relations@3com.com
[Sysname] web-authentication customize phone-num 1-800-876-3266
[Sysname] web-authentication customize platform-name A leading global supplier of IP-based...
Figure 1-1 Web authentication page with customized information

web-authentication cut connection
Syntax
web-authentication cut connection { all | mac mac-address | user-name user-name | interface interface-type interface-number }
View
System view
Parameters
all: Specifies all online users.
mac mac-address: Specifies a user by the user's MAC address.
user-name user-name: Specifies a user by the user's name, which is a string of 1 to 184 characters.
web-authentication enable
Syntax
web-authentication enable
undo web-authentication enable
View
System view
Parameters
None
Description
Use the web-authentication enable command to enable Web authentication globally.
Use the undo web-authentication enable command to disable Web authentication globally.
Web authentication cannot be enabled when one of the following features is enabled, and vice versa: 802.1x, MAC authentication, port security, port aggregation and XRN.
Description
Use the web-authentication free-ip command to set a free IP address range, which can be accessed by users before they pass Web authentication.
Use the undo web-authentication free-ip command to remove the setting or all such settings.
By default, no free IP address range is set.
Note: The to-be-set free IP address range cannot include the Web authentication server's IP address.
Note: You can set up to eight authentication-free users. After a user gets online using the shared access method, if you configure an authentication-free user whose IP address and MAC address are the same as those of the online user, the online user will be forced offline.
web-authentication select method
Syntax
web-authentication select method { shared | designated }
undo web-authentication select
View
Port view
Parameters
shared: Sets the Web authentication access method on the port to shared.
designated: Sets the Web authentication access method on the port to designated.
Description
Use the web-authentication select command to enable Web authentication on the current port and set the Web authentication access method on the port.
View
System view
Parameters
timer: Interval for checking whether an online user is idle. It ranges from 10 to 86400 seconds. Value 0 means the idle user checking function is disabled.
Description
Use the web-authentication timer idle-cut command to set the idle user checking interval for Web authentication.
Use the undo web-authentication timer max-online command to restore the default.
By default, the maximum online time for users is 1800 seconds.
Examples
# Set the maximum online time of users to 36000 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] web-authentication timer max-online 36000

web-authentication web-server
Syntax...
VRRP Configuration Commands

display vrrp
Syntax
display vrrp [ verbose ] [ interface vlan-interface vlan-id [ vrid virtual-router-id ] ]
View
Any view
Parameters
verbose: Displays detailed state information of VRRP.
vlan-interface vlan-id: Displays VRRP state information of the specified VLAN interface. vlan-id is the VLAN interface ID.
Table 1-1 Description on the fields of the display vrrp command
Field: Run Method
Description: Current VRRP running method, including REAL-MAC and VIRTUAL-MAC
Field: Virtual IP ping
Description: Whether you can ping the virtual IP address of the VRRP group
Field: Interface
Description: Interface where the VRRP group resides
Field: VRID
Description: ID of the virtual router
Description: Status of the current switch in the VRRP group, including Master,...
Field: Delay Time
Description: Preemption delay
Field: Auth Type
Description: Authentication type, including NONE, SIMPLE, and MD5
Field: Virtual IP
Description: Virtual IP address of the VRRP group
Field: Virtual MAC
Description: Virtual MAC address corresponding to the virtual IP address of the VRRP group. It is displayed only when the switch is in the master state.
Invalid Auth Type
Auth Type Mismatch
Packet Length Errors
Address List Errors
Become Master
Priority Zero Pkts Rcvd
Advertise Rcvd
Priority Zero Pkts Sent
Invalid Type Pkts Rcvd : 0
Table 1-3 Description on the fields of the display vrrp statistics command
Field: Interface...
Description
Use the reset vrrp statistics command to clear the VRRP statistics information. When you execute this command:
If neither a VLAN interface nor a VRRP group is specified, the statistics information about all the VRRP groups on the switch is cleared.
If only a VLAN interface is specified, the statistics information about all the VRRP groups on the specified VLAN interface is cleared.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vrrp method real-mac

vrrp ping-enable
Syntax
vrrp ping-enable
undo vrrp ping-enable
View
System view
Parameters
None
Description
Use the vrrp ping-enable command to enable a VRRP group to respond to ping packets destined for its virtual router IP address.
Description
Use the vrrp vlan-interface vrid track command to enable the port tracking function of a VRRP group on a physical port.
Use the undo vrrp vlan-interface vrid track command to disable the port tracking function.
After the port tracking function of a VRRP group is enabled on a port, this function will track the link status of the port.
When the authentication type is simple, the authentication key is in plain text and can contain one to eight characters. When the authentication type is md5, the authentication key can be a string of one to eight characters in plain text, such as 1234567, or a 24-character MD5 encrypted string, such as _(TT8F]Y\5SQ=^Q`MAF4<1!!.
Use the undo vrrp vrid preempt-mode command to cancel the configuration, that is, configure the switch to work in the non-preemptive mode. By default, switches in a VRRP group operate in the preemptive mode, with the preemption delay period set to 0 seconds. If you want a switch with high priority to preempt the master, configure the switch to operate in the preemptive mode.
Parameters
virtual-router-id: VRRP group ID, ranging from 1 to 255.
priority: Switch priority to be set. This argument ranges from 1 to 254.
Description
Use the vrrp vrid priority command to set the priority of a switch in a VRRP group.
Use the undo vrrp vrid priority command to restore the default priority.
for a period three times the advertisement interval, they send VRRP advertisements to other members of the VRRP group to elect a new master. Note that a configuration error occurs if switches of the same VRRP group are configured with different adver-interval values.
Examples
# On VLAN-interface 2, configure to track VLAN-interface 1 and configure the priority of the master of VRRP group 1 (on VLAN-interface 2) to decrease by 50 when VLAN-interface 1 goes down.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 2
[Sysname-Vlan-interface2] vrrp vrid 1 track interface vlan-interface 1 reduced 50

vrrp vrid track detect-group...
Examples
# Create detected group 10 and specify to detect the IP address of 202.12.1.55.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] detect-group 10
[Sysname-detect-group-10] detect-list 1 ip address 202.12.1.55
# Specify to decrease the priority of the master of VRRP group 1 by 20 when detected group 10 is unreachable.
It is not recommended to perform VRRP group-related configurations on the VLAN interface of a remote-probe VLAN. Otherwise, packet mirroring may be affected.
Examples
# Create a VRRP group.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 2
[Sysname-Vlan-interface2] vrrp vrid 1 virtual-ip 10.10.10.10
# Add a virtual IP address to an existing VRRP group.
ARP Configuration Commands

Support for ARP attack defense is added. For specific commands, refer to ARP Attack Defense Configuration Commands.
Support for local ARP proxy is added. For specific commands, refer to local-proxy-arp enable.

ARP Configuration Commands

arp check enable
Syntax
arp check enable
undo arp check enable...
arp send-gratuitous enable vrrp
Syntax
arp send-gratuitous enable vrrp
undo arp send-gratuitous enable vrrp
View
System view
Parameters
None
Description
Use the arp send-gratuitous enable vrrp command to enable the master switch of a VRRP backup group to send gratuitous ARP packets periodically. Upon receiving the gratuitous ARP packets, hosts on the network update their respective ARP tables.
interface-number: Number of the port to which the static ARP entry belongs.
Description
Use the arp static command to create a static ARP entry.
Use the undo arp command to remove an ARP entry.
By default, the system ARP mapping table is empty and the address mapping entries are obtained by ARP dynamically.
Examples
# Configure the aging time to be 10 minutes for dynamic ARP entries.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] arp timer aging 10

display arp
Syntax
display arp [ dynamic | static | ip-address ]
View
Any view
Parameters...
Table 1-1 Description on the fields of the display arp command
Field: IP Address
Description: IP address contained in an ARP entry
Field: MAC Address
Description: MAC address contained in an ARP entry
Field: VLAN ID
Description: ID of the VLAN which an ARP entry corresponds to
Field: Port Name / AL ID
Description: Port which an ARP entry corresponds to
Field: Aging
Description: Aging time (in minutes) of an ARP entry...
<Sysname> display arp | exclude 68
Type: S-Static D-Dynamic
IP Address MAC Address VLAN ID Port Name / AL ID Aging Type
10.2.72.162 000a-000a-0aaa
1 entry found
Refer to Table 1-1 for the description on the above output information.

display arp count
Syntax
display arp count [ [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] | ip-address ]...
Parameters
None
Description
Use the display arp timer aging command to display the setting of the ARP aging time.
Related commands: arp timer aging.
Examples
# Display the setting of the ARP aging time.
<Sysname> display arp timer aging
Current ARP aging time is 20 minute(s)(default)
The displayed information shows that the ARP aging time is set to 20 minutes.
gratuitous-arp-learning enable
Syntax
gratuitous-arp-learning enable
undo gratuitous-arp-learning enable
View
System view
Parameters
None
Description
Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function. Then, a switch receiving a gratuitous ARP packet can add the IP and MAC addresses carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry for the ARP packet in the cache.
Description
Use the arp detection enable command to enable the ARP attack detection function on all ports in the specified VLAN. When receiving an ARP packet from a port in this VLAN, the switch will check the source IP address, source MAC address, number of the receiving port, and the VLAN of the port. If the mapping of the source IP address and source MAC address is not included in the DHCP snooping entries or IP static binding entries, or the number of the receiving port and the VLAN of the port do not match the DHCP snooping entries or IP static binding entries, the ARP packet will be discarded.
arp filter source
Syntax
arp filter source ip-address
undo arp filter source
View
Ethernet port view
Parameters
ip-address: IP address of the gateway.
Description
Use the arp filter source command to configure ARP packet filtering based on the gateway's IP address on the current port working as the downstream port connected to a host.
Description
Use the arp filter binding command to configure ARP packet filtering based on the gateway's IP and MAC addresses on the current port. After that, the port will discard ARP packets with the gateway's IP address as the sender IP address but with the sender MAC address different from that of the gateway.
Use the undo arp filter binding command to remove the configuration.
arp protective-down recover enable
Syntax
arp protective-down recover enable
undo arp protective-down recover enable
View
System view
Parameters
None
Description
Use the arp protective-down recover enable command to enable the port state auto-recovery function on the switch.
Use the undo arp protective-down recover enable command to disable the port state auto-recovery function of a switch.
By default, when the port state auto-recovery function is enabled, the recovery interval is 300 seconds.
Note that:
You need to enable the port state auto-recovery feature before you can configure the auto-recovery interval.
If you use the arp protective-down recover interval command to modify the recovery time when the current port has already been shut down due to an excessive ARP packet receiving rate, the previously configured interval applies to the first port state recovery.
arp rate-limit enable
Syntax
arp rate-limit enable
undo arp rate-limit enable
View
Ethernet port view
Parameters
None
Description
Use the arp rate-limit enable command to enable the ARP packet rate limit function on the port, that is, to limit the rate of ARP packets passing through the port. If a rate (the maximum ARP packet rate is 15 pps by default) is specified, exceeding ARP packets will be discarded.
ip source static import dot1x
Syntax
ip source static import dot1x
undo ip source static import dot1x
View
System view
Parameters
None
Description
Use the ip source static import dot1x command to enable ARP attack detection based on IP-to-MAC mappings of authenticated 802.1x clients. With this function enabled, the switch records mappings between IP addresses (both static and dynamic IP addresses) and MAC addresses of authenticated 802.1x clients and uses the mappings for ARP attack detection after IP-to-MAC static bindings and DHCP snooping entries are checked.
Proxy ARP Configuration Commands

arp proxy enable
Syntax
arp proxy enable
undo arp proxy enable
View
VLAN interface view
Parameters
None
Description
Use the arp proxy enable command to enable common proxy ARP on the VLAN interface.
Use the undo arp proxy enable command to disable common proxy ARP on the VLAN interface.
Parameters
interface vlan-interface vlan-id: Displays the common and local proxy ARP state on a VLAN interface.
Description
Use the display arp proxy command to display common and local proxy ARP state: enabled/disabled. If interface vlan-interface vlan-id is specified, common and local proxy ARP configuration of the specified VLAN interface is displayed;...
View
VLAN interface view
Parameters
None
Description
Use the local-proxy-arp enable command to enable local proxy ARP on the VLAN interface.
Use the undo local-proxy-arp enable command to disable local proxy ARP on the VLAN interface.
By default, local proxy ARP is disabled on the VLAN interfaces of a switch.
Examples
# Enable local proxy ARP on VLAN-interface 2.
Resilient ARP Configuration Commands

display resilient-arp
Syntax
display resilient-arp [ unit unit-id ]
View
Any view
Parameters
unit unit-id: Unit ID ranging from 1 to 8. If a switch belongs to a fabric, resilient ARP information on specific devices in the fabric can be displayed.
Parameters
None
Description
Use the resilient-arp enable command to enable the Resilient ARP function. The switch will adopt different methods based on the actual status. If the main link in the fabric breaks, the switch sends resilient ARP packets through the VLAN interface on the backup link to determine whether it should act as a Layer 3 or Layer 2 device.
DHCP Server Configuration Commands

IP filtering based on authenticated 802.1x clients is added. For specific commands, refer to check dot1x enable.
Support for removing DHCP snooping entries is added. For specific commands, refer to reset dhcp-snooping.

DHCP Server Configuration Commands

accounting domain
Syntax
accounting domain domain-name...
bims-server
Syntax
bims-server ip ip-address [ port port-number ] sharekey key
undo bims-server
View
DHCP address pool view
Parameters
ip ip-address: Specifies the IP address of the remote BIMS server.
port port-number: Specifies the port number of the remote BIMS. The port-number argument ranges from 1 to 65534.
Description
Use the bootfile-name command to specify a bootfile name in the DHCP global address pool for the client.
Use the undo bootfile-name command to remove the specified bootfile name from the DHCP global address pool.
By default, no bootfile name is specified.
If you execute the bootfile-name command repeatedly, the latest configuration will overwrite the previous one.
To improve security and avoid malicious attacks on unused sockets, S5500-EI Ethernet switches provide the following functions: UDP ports 67 and 68 used by DHCP are enabled/disabled only when DHCP is enabled/disabled. The implementation is as follows: After DHCP is enabled by executing the dhcp enable command, if the DHCP server and DHCP relay functions are not configured, UDP ports 67 and 68 are kept disabled;...
Description
Use the dhcp select global command to configure the specified interface(s) or all interfaces to operate in global DHCP address pool mode. Upon receiving a DHCP packet from a DHCP client through an interface operating in global DHCP address pool mode, the DHCP server chooses an IP address from a global DHCP address pool of the DHCP server and assigns the address to the DHCP client.
Description
Use the dhcp select interface command to configure the specified interface(s) to operate in DHCP interface address pool mode. Upon receiving a DHCP packet from a DHCP client through an interface operating in interface address pool mode, the DHCP server chooses an IP address from the interface address pool of the DHCP server and assigns the address to the DHCP client.
dhcp server bims-server
Syntax
dhcp server bims-server ip ip-address [ port port-number ] sharekey key { interface interface-type interface-number [ to interface-type interface-number ] | all }
undo dhcp server bims-server { interface interface-type interface-number [ to interface-type interface-number ] | all }
View
System view
Parameters...
undo dhcp server bootfile-name
In system view, use the following commands to specify the bootfile name in the specified interface address pool for the client:
dhcp server bootfile-name bootfile-name { all | interface interface-type interface-number }
undo dhcp server bootfile-name { all | interface interface-type interface-number }
View
System view, VLAN interface view
Parameters...
Description
Use the dhcp server detect command to enable the unauthorized DHCP server detection function. With this feature enabled, upon receiving a DHCP request, the DHCP server will record the IP addresses of any DHCP servers that ever assigned an IP address to the DHCP client, together with the receiving interface.
interface number; the interface interface-type interface-number [ to interface-type interface-number ] keyword and argument combination specifies an interface range. all: (In comparison with the ip-address argument) Specifies all DNS server IP addresses. all: (In comparison with the interface keyword) Specifies all interface address pools. Description Use the dhcp server dns-list command to specify the DNS server IP address in the DHCP interface address pool for the client.
Parameters domain-name: Domain name suffix of the DHCP clients whose IP addresses are from the specified interface address pool(s). This argument is a string of 3 to 50 characters. interface interface-type interface-number [ to interface-type interface-number ]: Specifies the interface(s), through which you can specify the corresponding interface address pool(s). The interface-type argument specifies an interface type;...
dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } { interface interface-type interface-number [ to interface-type interface-number ] | all } undo dhcp server expired { interface interface-type interface-number [ to interface-type interface-number ] | all } View System view, VLAN interface view...
undo dhcp server forbidden-ip low-ip-address [ high-ip-address ] View System view Parameters low-ip-address: IP address that must not be assigned to DHCP clients automatically (such an address is called a forbidden IP address). This argument also marks the lower end of the range of forbidden IP addresses.
undo dhcp server ip-pool pool-name View System view Parameters pool-name: Name of a DHCP address pool, which uniquely identifies the address pool. This argument is a string of 1 to 35 characters. Description Use the dhcp server ip-pool command to create a global DHCP address pool and enter DHCP address pool view.
undo dhcp server nbns-list { ip-address | all } In system view, use the following commands to configure WINS server IP addresses in multiple DHCP interface address pools for the client. dhcp server nbns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] | all } undo dhcp server nbns-list { ip-address | all } { interface interface-type interface-number [ to interface-type interface-number ] | all }...
dhcp server netbios-type Syntax In VLAN interface view, use the following commands to configure the NetBIOS node type of the DHCP clients whose IP addresses are from the current DHCP interface address pool. dhcp server netbios-type { b-node | h-node | m-node | p-node } undo dhcp server netbios-type In system view, use the following commands to configure the NetBIOS node type of the DHCP clients whose IP addresses are from multiple DHCP interface address pools.
# Specify p-node as the NetBIOS node type of the DHCP clients whose IP addresses are from the DHCP interface address pool of VLAN-interface 1. [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] dhcp server netbios-type p-node dhcp server option Syntax In VLAN interface view, use the following commands to customize DHCP options for the current DHCP interface address pool.
If you execute the dhcp server option command repeatedly, the new configuration overwrites the previous one. For commands related to Option 184, refer to dhcp server voice-config. Related commands: option. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Configure option 100 to be 0x11 and 0x22 for all DHCP interface address pools.
undo dhcp server relay information enable View System view Parameters None Description Use the dhcp server relay information enable command to enable the DHCP server to handle Option 82. Use the undo dhcp server relay information enable command to configure the DHCP server to ignore Option 82.
By default, no IP address in an address pool is statically bound. It should be noted that: An IP address can be statically bound to only one MAC address or one client ID. A MAC address or client ID can be bound with only one IP address statically. The IP address to be statically bound cannot be an interface IP address of the device.
Description Use the dhcp server tftp-server domain-name command to specify the TFTP server name in DHCP interface address pool for the client. When the client’s request contains Option 66 (TFTP server name), the DHCP server will return an IP address together with the name of the specified TFTP server from the interface address pool to the client.
address), the DHCP server will return an IP address together with the IP address of the specified TFTP server from the interface address pool to the client. Use the undo dhcp server tftp-server ip-address command to remove the TFTP server address from DHCP interface address pool for the client.
fail-over ip-address dialer-string: Specifies the failover IP address and dialer string. The dialer-string is a string of 0 to 39 characters, each of which can be a digit from 0 to 9 or “*”. interface interface-type interface-number [ to interface-type interface-number ]: Specifies the DHCP interface address pool(s).
ip ip-address: Specifies one IP address. Description Use the display dhcp server conflict command to display the statistics of IP address conflicts on the DHCP server. Related commands: reset dhcp server conflict. Examples # Display the statistics of IP address conflicts. <Sysname>...
Examples # Display the lease expiration information about the IP addresses in all DHCP address pools.
<Sysname> display dhcp server expired all
Global pool:
IP address       Client-identifier/Hardware address       Lease expiration       Type
Interface pool:
IP address       Client-identifier/Hardware address       Lease expiration       Type
--- total 0 entry ---
Table 1-2 Description on the fields of the display dhcp server expired command...
display dhcp server ip-in-use Syntax display dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ interface-type interface-number ] | all } View Any view Parameters ip ip-address: Specifies an IP address. pool [ pool-name ]: Specifies a global address pool. The pool-name argument, a string of 1 to 35 characters, is the name of an address pool.
Table 1-3 Description on the fields of the display dhcp server ip-in-use command
Field: Description
Global pool: Address binding information of global DHCP address pools
Interface pool: Address binding information of interface DHCP address pools
IP address: Bound IP address
Client-identifier/Hardware address: User ID or MAC address to which the IP address is bound...
Dhcp Decline:
Dhcp Release:
Dhcp Inform:
Boot Reply:
Dhcp Offer:
Dhcp Ack:
Dhcp Nak:
Bad Messages:
Table 1-4 Description on the fields of the display dhcp server statistics command
Field: Description
Global Pool: Statistics about global address pools
Interface Pool: Statistics about interface address pools
Pool Number: Number of address pools...
all: Specifies all address pools. Description Use the display dhcp server tree command to display information about address pool tree. Examples # Display the information about address pool tree. <Sysname> display dhcp server tree all Global pool: Pool name: test123 network 10.0.0.0 mask 255.0.0.0 Child node:test1234 option 30 hex AA BB...
Field: Description
expired: The address lease time (in days, hours, and minutes)
gateway-list: List of the gateways configured for the DHCP client
dns-list Syntax dns-list ip-address&<1-8> undo dns-list { ip-address | all } View DHCP address pool view Parameters ip-address&<1-8>: IP address of a DNS server.
View DHCP address pool view Parameters domain-name: Domain name suffix for the DHCP client of a DHCP global address pool, a string of 3 to 50 characters. Description Use the domain-name command to configure a domain name suffix in a DHCP global address pool for the DHCP client.
Related commands: dhcp server ip-pool, dhcp server expired. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Set the lease time of the IP addresses to be dynamically assigned in the DHCP global address pool 0 to 1 day, 2 hours and 3 minutes.
nbns-list Syntax nbns-list ip-address&<1-8> undo nbns-list { ip-address | all } View DHCP address pool view Parameters ip-address&<1-8>: IP address of a WINS server. &<1-8> means you can provide up to eight WINS server IP addresses. When inputting more than one IP address, separate two neighboring IP addresses with a space.
p-node: Specifies the p-node type. Nodes of this type resolve host names to IP addresses by querying the WINS server. m-node: Specifies the m-node type. Nodes of this type are p-nodes with some broadcast features. h-node: Specifies the h-node type. Nodes of this type are b-nodes with peer-to-peer communication features.
Related commands: dhcp server ip-pool, dhcp server forbidden-ip. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Configure the dynamically assigned IP address range 192.168.8.0/24 for the DHCP global address pool 0. [Sysname] dhcp server ip-pool 0 [Sysname-dhcp-pool-0] network 192.168.8.0 mask 255.255.255.0 option Syntax...
# Configure option 100 to be 0x11 and 0x22 for the DHCP global address pools. [Sysname] dhcp server ip-pool 0 [Sysname-dhcp-pool-0] option 100 hex 11 22 reset dhcp server conflict Syntax reset dhcp server conflict { all | ip ip-address } View User view Parameters...
Description Use the reset dhcp server ip-in-use command to clear the specified or all dynamic address binding information. Related commands: display dhcp server ip-in-use. Examples # Clear the dynamic address binding information about the IP address 10.110.1.1. <Sysname> reset dhcp server ip-in-use ip 10.110.1.1 reset dhcp server statistics Syntax reset dhcp server statistics...
Use the undo static-bind client-identifier command to delete a client ID that is statically bound in a DHCP global address pool. By default, no client ID is statically bound. Note that: The static-bind client-identifier command must be used together with the static-bind ip-address command, to respectively specify a statically bound client ID and an IP address in a DHCP global address pool.
If you execute the static-bind ip-address command repeatedly, the new configuration overwrites the previous one. Related commands: dhcp server ip-pool, static-bind mac-address. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Bind the IP address 10.1.1.1 (with the subnet mask 255.255.255.0) to the MAC address 0000-e03f-0305.
Description Use the tftp-server ip-address command to specify the TFTP server IP address in a global address pool. Use the undo tftp-server ip-address command to remove the TFTP server IP address from a global address pool. By default, no TFTP server address is specified. Using the tftp-server ip-address command repeatedly will overwrite the previous configuration.
By default, a DHCP server global address pool does not assign Option 184 and the corresponding sub-options to the client. Related commands: dhcp server voice-config. Examples # Enter system view <Sysname> system-view System View: return to User View with Ctrl+Z. # Enable the DHCP server to support Option 184 in global address pool 123.
DHCP Relay Agent Configuration Commands address-check Syntax address-check enable address-check disable View VLAN interface view Parameters None Description Use the address-check enable command to enable IP address match checking on the DHCP relay agent. After this feature is enabled, the DHCP relay agent can cooperate with the ARP module to check whether a requesting client’s IP and MAC addresses match a binding on the DHCP relay agent;...
View System view Parameters None Description Use the dhcp relay hand enable command to enable the DHCP relay handshake function. With this feature enabled, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to periodically send a handshake message to the DHCP server to determine whether or not to update the client’s binding entry.
By default, when Option 82 support is enabled on the DHCP relay agent, the relay agent adopts the replace strategy for request packets that already contain Option 82. If another strategy was configured beforehand, enabling Option 82 support on the DHCP relay agent does not change the configured strategy.
# Configure the DHCP relay agent handling strategy for messages containing Option 82 sent by the DHCP client as drop. [Sysname] dhcp relay information strategy drop dhcp-security static Syntax dhcp-security static ip-address mac-address undo dhcp-security { ip-address | all | dynamic | static } View System view Parameters...
auto: Specifies the auto refresh interval, which is calculated automatically from the number of binding entries. Description The default handshake interval is auto, that is, 60 seconds divided by the number of binding entries. Use the dhcp-security tracker command to set the interval at which the DHCP relay agent refreshes dynamic binding entries.
To improve security and prevent attacks on unused sockets, S5500-EI Ethernet switches provide the following function: UDP ports 67 and 68, used by DHCP, are enabled only when DHCP is enabled and are disabled when DHCP is disabled. The corresponding implementation is as follows.
Examples # Enter system view <Sysname> system-view System View: return to User View with Ctrl+Z. # Enable the unauthorized-DHCP server detection function on the DHCP relay agent. [Sysname] dhcp-server detect dhcp-server ip Syntax dhcp-server groupNo ip ip-address&<1-8> undo dhcp-server groupNo View System view Parameters...
Parameters ip-address: IP address. This argument is used to display the user address entry with the specified IP address. dynamic: Displays the dynamic user address entries. static: Displays the static user address entries. tracker: Displays the interval to update the user address entries. Description Use the display dhcp-security command to display information about address binding entries on the DHCP relay agent.
IP address of DHCP server group 0: 1.1.1.1
IP address of DHCP server group 0: 2.2.2.2
IP address of DHCP server group 0: 3.3.3.3
IP address of DHCP server group 0: 4.4.4.4
IP address of DHCP server group 0: 5.5.5.5
IP address of DHCP server group 0: 6.6.6.6
IP address of DHCP server group 0:...
Field: Description
DHCP_INFORM messages: Number of the DHCP-INFORM packets received by the DHCP relay
DHCP_RELEASE messages: Number of the DHCP-RELEASE packets received by the DHCP relay
BOOTP_REQUEST messages: Number of the BOOTP request packets
BOOTP_REPLY messages: Number of the BOOTP response packets
display dhcp-server interface Syntax display dhcp-server interface Vlan-interface vlan-id...
Related commands: dhcp server, display dhcp-server. Examples # Clear the statistics information of DHCP server group 2. <Sysname> reset dhcp-server 2
DHCP Snooping Configuration Commands dhcp-snooping Syntax dhcp-snooping undo dhcp-snooping View System view Parameters None Description Use the dhcp-snooping command to enable the DHCP snooping function. Use the undo dhcp-snooping command to disable the DHCP snooping function. After DHCP snooping is disabled, all the ports can forward DHCP replies from the DHCP server without recording the IP-to-MAC bindings of the DHCP clients.
View System view Parameters None Description Use the dhcp-snooping information enable command to enable DHCP snooping Option 82. Use the undo dhcp-snooping information enable command to disable DHCP snooping Option 82. DHCP snooping Option 82 is disabled by default. Enable DHCP snooping before performing this configuration. Examples # Enable DHCP snooping Option 82.
Examples # Configure the storage format of Option 82 as ASCII. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dhcp-snooping information format ascii dhcp-snooping information packet-format Syntax dhcp-snooping information packet-format { extended | standard } View System view Parameters extended: Specifies the padding format for Option 82 as the extended format.
Use the undo dhcp-snooping information remote-id command to restore the default value of the remote ID sub-option in Option 82. By default, the remote ID sub-option in Option 82 is the MAC address of the DHCP Snooping device that received the DHCP client’s request. Examples # Configure the remote ID sub-option of Option 82 as the system name (sysname) of the DHCP snooping device.
Enable DHCP snooping and DHCP snooping Option 82 before performing this configuration. If a handling policy is configured on a port, it overrides the globally configured handling policy for requests received on that port; the global handling policy applies on ports where no port-level policy is configured. Examples # Configure the keep handling policy for DHCP requests that contain Option 82 on the DHCP snooping device.
If you have configured a circuit ID with the vlan vlan-id argument specified, and the other one without the argument in Ethernet port view, the former circuit ID applies to the DHCP messages from the specified VLAN, while the latter one applies to DHCP messages from other VLANs. Examples # Set the circuit ID field in Option 82 of the DHCP messages sent through Ethernet 1/0/1 to abc.
Examples # Configure the remote ID of Option 82 in DHCP packets to abc on the port Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] dhcp-snooping information remote-id string abc dhcp-snooping trust Syntax dhcp-snooping trust undo dhcp-snooping trust...
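The Option 82 handling described for the DHCP relay agent (the drop, keep and replace strategies under dhcp relay information strategy) and for the DHCP snooping device (the circuit-id and remote-id sub-options under dhcp-snooping information), as a worked example. This is an added Python model, not code from the 3Com switch: it builds an Option 82 carrying sub-option 1 (circuit ID) and sub-option 2 (remote ID), parses the DHCP options area, and applies each strategy to a request. The circuit ID "abc", the remote-ID MAC address and the sample messages are constructed for the demonstration.

```python
"""DHCP Option 82 (Relay Agent Information) handling.

Added example for this page, not code from the 3Com switch. It builds an
Option 82 with a circuit-ID sub-option (1) and a remote-ID sub-option (2),
parses DHCP option fields, and applies the page's three handling strategies
(drop, keep, replace) to requests that already carry Option 82. The sample
circuit ID / remote ID values and messages are constructed for the demo.
"""
from typing import Dict, List, Optional, Tuple

OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
DHCPDISCOVER = 1

Options = List[Tuple[int, bytes]]


def parse_options(buf: bytes) -> Options:
    """Parse the DHCP options area (after the magic cookie) into (code, value) pairs."""
    out: Options = []
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out.append((code, value))
        i += 2 + length
    return out


def build_options(opts: Options) -> bytes:
    """Serialise (code, value) pairs as TLVs and terminate with the End option."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Option 82 value: sub-option 1 (circuit ID) followed by sub-option 2 (remote ID).
    On the snooping device the default remote ID is its own MAC address."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Split an Option 82 value into {sub-option code: data}."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option %d" % code)
        subs[code] = data
        i += 2 + length
    return subs


def apply_strategy(options: bytes, strategy: str,
                   circuit_id: bytes, remote_id: bytes) -> Optional[bytes]:
    """Return the options area to forward upstream, or None if the request is discarded.

    A request without Option 82 always gets this device's Option 82 appended.
    For a request that already carries one: 'drop' discards the request,
    'keep' forwards it unchanged, 'replace' swaps in this device's Option 82.
    """
    opts = parse_options(options)
    own = build_option82(circuit_id, remote_id)
    if not any(code == OPT_RELAY_AGENT for code, _ in opts):
        return build_options(opts + [(OPT_RELAY_AGENT, own)])
    if strategy == "drop":
        return None
    if strategy == "keep":
        return build_options(opts)
    if strategy == "replace":
        return build_options([(c, own if c == OPT_RELAY_AGENT else v) for c, v in opts])
    raise ValueError("unknown strategy %r" % strategy)


if __name__ == "__main__":
    # Constructed values: circuit ID "abc" (as in the page's example), remote ID = device MAC.
    cid, rid = b"abc", bytes.fromhex("000fe2000001")
    plain = build_options([(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    out = apply_strategy(plain, "drop", cid, rid)
    print(parse_option82(dict(parse_options(out))[OPT_RELAY_AGENT]))
```

The security point the strategies encode: a request arriving on an untrusted port that already carries Option 82 was either relayed by another device or crafted by the client; replace (the default once Option 82 support is enabled) makes the upstream server see only this device's circuit and remote IDs, keep trusts whatever the client supplied, and drop refuses such requests altogether.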
Parameters unit unit-id: Displays the DHCP-snooping information on the specified device in the fabric. unit-id indicates the number of the device whose DHCP-snooping information needs to be viewed. If unit unit-id is not specified, DHCP snooping information of all units in the fabric is displayed. Description Use the display dhcp-snooping command to display the user IP-MAC address mapping entries recorded by the DHCP snooping function.
The above display information indicates that the DHCP snooping function is enabled, and the Ethernet 1/0/10 port is a trusted port. display ip source static binding Syntax display ip source static binding [ vlan vlan-id | interface interface-type interface-number ] View Any view Parameters...
Description Use the ip check dot1x enable command to enable IP filtering based on IP-to-MAC mappings of authenticated 802.1x clients. Use the undo ip check dot1x enable command to disable the function. By default, IP filtering based on IP-to-MAC mappings of authenticated 802.1x clients is disabled. Note that the ip check dot1x enable and the ip check source ip-address mac-address commands are mutually exclusive.
ip source static binding Syntax ip source static binding ip-address ip-address [ mac-address mac-address ] undo ip source static binding ip-address ip-address View Ethernet port view Parameters ip-address ip-address: Specifies the IP address to be statically bound. mac-address mac-address: Specifies the MAC address to be statically bound. Description Use the ip source static binding ip-address command to configure the static binding among source IP address, source MAC address, and the port number so as to generate static binding entries.
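The mechanism the dhcp-snooping, dhcp-snooping trust and ip source static binding commands above configure, as a worked example. This is an added Python model, not the switch's code: server replies are accepted only on trusted ports, IP-to-MAC-to-port bindings are learned from DHCP-ACK replies, static bindings can be added per port, and a source-guard check uses the binding table to filter client IP packets. The port names, MAC addresses and messages are constructed for the demonstration, and treating trusted ports as unfiltered is an assumption of this model rather than something the page states.

```python
"""Model of the DHCP snooping behaviour described on this page.

Added example, not the switch's code. Server replies are accepted only on
trusted ports, IP-to-MAC-to-port bindings are learned from DHCP-ACK replies,
static bindings can be added per port (ip source static binding), and a
source-guard check uses the table to filter client IP packets. Port names,
MAC addresses and messages are constructed for the demonstration; treating
trusted ports as unfiltered is an assumption of this model.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPREQUEST, DHCPACK, DHCPRELEASE = 3, 5, 7


@dataclass
class DhcpMsg:
    op: int                  # BOOTREQUEST from a client, BOOTREPLY from a server
    msg_type: int            # DHCP message type (option 53)
    client_mac: str          # chaddr
    yiaddr: str = "0.0.0.0"  # address assigned by the server (replies)
    ciaddr: str = "0.0.0.0"  # client's current address (RELEASE)


@dataclass
class Binding:
    ip: str
    mac: str                 # "" for a static binding configured without a MAC
    port: str
    vlan: int
    static: bool = False


class DhcpSnooping:
    def __init__(self, trusted: Set[str]) -> None:
        self.trusted = set(trusted)
        self.bindings: Dict[str, Binding] = {}             # keyed by IP address
        self._pending: Dict[str, Tuple[str, int]] = {}     # client MAC -> (port, vlan) of its request

    def handle_dhcp(self, msg: DhcpMsg, port: str, vlan: int) -> bool:
        """Process a DHCP message seen on `port`; True = forwarded, False = dropped."""
        if msg.op == BOOTREPLY:
            if port not in self.trusted:
                return False     # reply from an untrusted port: unauthorized server, drop
            if msg.msg_type == DHCPACK and msg.client_mac in self._pending:
                cport, cvlan = self._pending.pop(msg.client_mac)
                self.bindings[msg.yiaddr] = Binding(msg.yiaddr, msg.client_mac, cport, cvlan)
            return True
        if msg.msg_type == DHCPRELEASE:
            b = self.bindings.get(msg.ciaddr)
            # only the bound client, on its bound port, may release a dynamic entry
            if b and not b.static and b.mac == msg.client_mac and b.port == port:
                del self.bindings[msg.ciaddr]
        else:
            self._pending[msg.client_mac] = (port, vlan)
        return True

    def add_static(self, port: str, ip: str, mac: Optional[str] = None, vlan: int = 1) -> None:
        """ip source static binding ip-address <ip> [ mac-address <mac> ] in port view."""
        self.bindings[ip] = Binding(ip, mac or "", port, vlan, static=True)

    def allow_ip_packet(self, port: str, src_ip: str, src_mac: str) -> bool:
        """Source guard: on an untrusted port a packet passes only if its source IP is
        bound to that port and, when the binding has a MAC, to that source MAC."""
        if port in self.trusted:
            return True
        b = self.bindings.get(src_ip)
        if b is None or b.port != port:
            return False
        return b.mac in ("", src_mac)
```

Note that the port learned for a binding is the port the client's request came in on, not the port the ACK came in on; that is what lets the table reject a packet that carries a legitimately leased address but arrives from a different port or with a different source MAC.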
Description Use the reset dhcp-snooping command to remove DHCP snooping entries from a switch. If no ip-address is specified, all DHCP snooping entries are removed. Examples # Remove all DHCP snooping entries from the switch. <Sysname> reset dhcp-snooping
View System view Parameters interval: Interval (in seconds) for a port disabled due to the DHCP traffic exceeding the set threshold to be brought up again. This argument ranges from 10 to 86,400. Description Use the dhcp protective-down recover interval command to set an auto recovery interval. Use the undo dhcp protective-down recover interval command to restore the default interval.
You need to enable the function to limit DHCP traffic (refer to the dhcp rate-limit enable command) for a port before executing either of these two commands for the port. Examples # Configure the DHCP traffic threshold to 100 pps for port Ethernet 1/0/11. <Sysname>...
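The behaviour of the dhcp rate-limit threshold and the dhcp protective-down recover interval described above, as a worked example. This is an added Python model, not the switch's code: DHCP packets on a port are counted over a one-second window, a port whose count exceeds its threshold is shut down, and it is brought up again after the recovery interval. Time is passed in explicitly so the sequence can be replayed without a clock; the port name and the 100 pps threshold follow the page's Ethernet 1/0/11 example, and the 30-second recovery interval is a constructed value.

```python
"""Per-port DHCP packet-rate guard modelled on the dhcp rate-limit and
dhcp protective-down recover interval behaviour on this page: DHCP packets on
a port are counted over a one-second window; when the count exceeds the port's
threshold (pps) the port is shut down, and it comes back up after the recovery
interval (10 to 86400 seconds).

Added example, not the switch's code. Time is passed in explicitly (seconds)
so the sequence can be replayed without a real clock; the port name and
threshold follow the page's Ethernet 1/0/11 / 100 pps example.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


class DhcpRateGuard:
    def __init__(self, recover_interval: int) -> None:
        if not 10 <= recover_interval <= 86400:
            raise ValueError("recover interval must be 10..86400 seconds")
        self.recover_interval = recover_interval
        self.threshold: Dict[str, int] = {}                          # port -> pps limit
        self._window: Dict[str, Deque[float]] = defaultdict(deque)   # port -> timestamps in last 1 s
        self._down_since: Dict[str, float] = {}                      # port -> time it was shut down

    def set_rate_limit(self, port: str, pps: int) -> None:
        """dhcp rate-limit <pps> on the port (the limiting function must be enabled first)."""
        self.threshold[port] = pps

    def port_is_up(self, port: str, now: float) -> bool:
        """Auto-recover a shut port once recover_interval seconds have elapsed."""
        down_at = self._down_since.get(port)
        if down_at is None:
            return True
        if now - down_at >= self.recover_interval:
            del self._down_since[port]
            self._window[port].clear()
            return True
        return False

    def on_dhcp_packet(self, port: str, now: float) -> bool:
        """Account one DHCP packet seen on `port` at time `now`; True = accepted."""
        if not self.port_is_up(port, now):
            return False
        window = self._window[port]
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        limit: Optional[int] = self.threshold.get(port)
        if limit is not None and len(window) > limit:
            self._down_since[port] = now       # protective down: drop and shut the port
            return False
        return True
```

A guard like this is what keeps a DHCP-starvation flood from a single access port from exhausting the address pool or the snooping binding table; the recovery interval bounds how long a legitimate host behind that port stays cut off after the flood stops.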
DHCP/BOOTP Client Configuration DHCP Client Configuration Commands display dhcp client Syntax display dhcp client [ verbose ] View Any view Parameters verbose: Displays the detailed address allocation information. Description Use the display dhcp client command to display the information about the address allocation of DHCP clients.
Table 5-1 Description on the fields of the display dhcp client command
Field: Description
Vlan-interface1: VLAN interface operating as a DHCP client to obtain an IP address dynamically
Current machine state: The state of the client state machine
Allocated IP: IP address allocated to the DHCP client
lease: Lease period...
To improve security and prevent attacks on unused sockets, S5500-EI Ethernet switches provide the following function: UDP ports 67 and 68, used by DHCP, are enabled only when DHCP is enabled and disabled when DHCP is disabled. The implementation is as follows: after the DHCP client is enabled by executing the ip address dhcp-alloc command, UDP port 68 is enabled.
Table 5-2 Description on the fields of the display bootp client command
Field: Description
Vlan-interface1: VLAN-interface 1 is configured to obtain an IP address through BOOTP.
Allocated IP: IP address allocated to the VLAN interface
Transaction ID: Value of the XID field in BOOTP packets
Mac Address: MAC address of the BOOTP client
Default router...
ACL Configuration Commands acl Syntax acl number acl-number [ match-order { auto | config } ] undo acl { all | number acl-number } View System view Parameters all: Specifies to remove all access control lists (ACLs). number acl-number: Specifies the number of an existing ACL or an ACL to be defined. The ACL number identifies the type of an ACL as follows.
Examples # Define ACL 2000 and specify “depth-first” as the match order.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 2000 match-order auto
[Sysname-acl-basic-2000]
# Add three rules with different numbers of zeros in the source wildcards.
[Sysname-acl-basic-2000] rule 1 permit source 1.1.1.1 0.255.255.255
[Sysname-acl-basic-2000] rule 2 permit source 2.2.2.2 0.0.255.255
[Sysname-acl-basic-2000] rule 3 permit source 3.3.3.3 0.0.0.255...
Examples # Assign description string “This ACL is used for filtering all HTTP packets” to ACL 3000. <Sysname> system-view [Sysname] acl number 3000 [Sysname-acl-adv-3000] description This ACL is used for filtering all HTTP packets # Use the display acl command to view the configuration information of ACL 3000. [Sysname-acl-adv-3000] display acl 3000 Advanced ACL 3000, 0 rule...
Table 1-1 Description on the fields of the display acl command
Field: Description
Basic ACL 2000: The displayed information is about the basic ACL 2000.
3 rules: The ACL includes three rules.
match-order is auto: The match order of the ACL is depth-first. If this field is not displayed, the match order of the ACL is config.
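The difference between the config and auto (depth-first) match orders, as a worked example. This is an added Python model, not the switch's code: under auto the rule whose source wildcard has the most zero bits (the narrowest address range) is tried first, ties keeping configuration order, while config tries rules in the order they were configured. It also shows the relation given in the rule parameter notes further down, that the wildcard is the bitwise complement of the subnet mask. The rules are the page's ACL 2000 example plus one constructed deny rule (rule 4) that overlaps rule 1.

```python
"""ACL match order on this page: config (rules tried in configuration order)
versus auto, the depth-first order in which the rule whose source wildcard has
the most zero bits (the narrowest address range) is tried first.

Added example, not the switch's code. It also shows the relation stated in the
rule parameter notes: the wildcard is the bitwise complement of the subnet mask.
The rules reuse the page's ACL 2000 example plus one constructed deny rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY_ADDR, ANY_WILDCARD = "0.0.0.0", "255.255.255.255"   # what the "any" keyword means


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str        # "permit" or "deny"
    source: str        # sour-addr
    wildcard: str      # sour-wildcard; 0 bits must match, 1 bits are ignored


def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_mask(mask: str) -> str:
    """sour-wildcard is the complement of the subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ ip_int(mask)))


def zero_bits(wildcard: str) -> int:
    return 32 - bin(ip_int(wildcard)).count("1")


def rule_matches(rule: Rule, ip: str) -> bool:
    care = 0xFFFFFFFF ^ ip_int(rule.wildcard)
    return (ip_int(ip) & care) == (ip_int(rule.source) & care)


def ordered(rules: List[Rule], match_order: str) -> List[Rule]:
    """config: as configured. auto: most zero bits first; ties keep config order."""
    if match_order == "config":
        return list(rules)
    if match_order == "auto":
        return sorted(rules, key=lambda r: zero_bits(r.wildcard), reverse=True)
    raise ValueError("match-order must be 'auto' or 'config'")


def first_match(rules: List[Rule], match_order: str, ip: str) -> Optional[Rule]:
    """The rule that decides the packet, or None when no rule matches."""
    for rule in ordered(rules, match_order):
        if rule_matches(rule, ip):
            return rule
    return None


# The page's ACL 2000 rules plus a constructed host-range deny that overlaps rule 1.
ACL_2000 = [
    Rule(1, "permit", "1.1.1.1", "0.255.255.255"),
    Rule(2, "permit", "2.2.2.2", "0.0.255.255"),
    Rule(3, "permit", "3.3.3.3", "0.0.0.255"),
    Rule(4, "deny", "1.1.1.0", wildcard_from_mask("255.255.255.0")),
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        hit = first_match(ACL_2000, order, "1.1.1.7")
        print(order, "->", hit.action if hit else "no match", "rule", hit.rule_id if hit else "-")
```

The practical consequence: with config order the broad permit in rule 1 shadows the later, narrower deny in rule 4 for host 1.1.1.7, whereas with auto the narrower deny wins. Whichever order an ACL uses, check the result with display acl before applying it with packet-filter.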
Table 1-2 Description on the fields of the display drv qacl_resource command
Field: Description
On the front panel, from left to right, every four columns of FE ports (eight FE ports in total) form a block, numbered from 0. That is, 0 indicates Ethernet 1/0/1 to Ethernet 1/0/4 and Ethernet 1/0/25 to Ethernet 1/0/28, 1 indicates Ethernet 1/0/5 to Ethernet 1/0/8 and...
former case, the unit-id argument is in the range 1 to 8; in the latter case, the unit-id argument can only be 1. Description Use the display packet-filter command to display information about packet filtering. Examples # Display information about packet filtering on all ports of a switch that is not in a fabric. <Sysname>...
Description Use the display time-range command to display the configuration and status of a time range or all the time ranges. For active time ranges, this command displays “Active”; for inactive time ranges, this command displays “Inactive”. Related commands: time-range. Examples # Display all time ranges.
Table 1-5 Combined application of ACLs
Combination mode: The acl-rule argument
Apply all the rules of an ACL of IP type (the ACL can be a basic ACL or an advanced ACL): ip-group acl-number
Apply a rule of an ACL of IP type: ip-group acl-number rule rule-id
Apply all the rules of a Layer 2 ACL: link-group acl-number...
# Apply rule 2 of user-defined ACL 5000 on Ethernet 1/0/3 to filter inbound packets. Here, it is assumed that the ACL and its rule numbered 2 are already configured. [Sysname] interface Ethernet 1/0/3 [Sysname-Ethernet1/0/3] packet-filter inbound user-group 5000 rule 2 [Sysname-Ethernet1/0/3] quit # Apply rule 1 of advanced ACL 3000 and rule 2 of Layer 2 ACL 4000 on Ethernet 1/0/4 to filter inbound packets.
# Apply rule 1 of Layer 2 ACL 4000 on all ports in VLAN 20 to filter outbound packets. Here, it is assumed that the ACL and its rule numbered 1 and the VLAN are already configured. [Sysname] packet-filter vlan 20 outbound link-group 4000 rule 1 # Apply rule 2 of user-defined ACL 5000 on all ports in VLAN 30 to filter inbound packets.
Table 1-6 Parameters for basic IPv4 ACL rules
Parameters: Function: Description
source { sour-addr sour-wildcard | any }: Specifies a source address. The sour-addr sour-wildcard argument specifies a source IP address in dotted decimal notation; setting the wildcard to zero indicates a host address. The any keyword indicates any source IP address.
be the greatest rule number plus one. If the current greatest rule number is 65534, however, the system will display an error message and you need to specify a number for the rule. The content of a modified or created rule cannot be identical with the content of any existing rule; otherwise the rule modification or creation will fail, and the system prompts that the rule already exists.
protocol: Protocol carried by IP. When the protocol is represented by numeral, it ranges from 1 to 255; when the protocol is represented by name, it can be gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), and udp (17). rule-string: ACL rule information, which can be a combination of the parameters described in Table 1-7.
Arguments/Keyword: Type: Function: Description
time-range time-name: Time range: Specifies the time range in which the rule takes effect. The time-name argument is the name of the time range in which the rule is active, a string of 1 to 32 characters.
The sour-wildcard/dest-wildcard argument is the bitwise complement of the source/destination subnet mask: a 0 bit in the wildcard means the corresponding address bit must match, a 1 bit means it is ignored.
Keyword: DSCP value in decimal: DSCP value in binary
48: 110000
56: 111000
46: 101110
If you specify the precedence keyword, you can directly input a value ranging from 0 to 7 or input one of the keywords listed in Table 1-9 as IP precedence.
Table 1-9 IP precedence values and the corresponding keywords
Keyword: IP Precedence in decimal...
Table 1-11 TCP/UDP-specific ACL rule information
Parameters: Type: Function: Description
source-port operator port1 ...: Source port: Defines the source port information of UDP/TCP. The value of operator can be lt (less than), gt (greater than), eq (equal to), neq (not equal to) or range (within the range of).
Name: ICMP type: ICMP code
port-unreachable: Type=3 Code=3
protocol-unreachable: Type=3 Code=2
reassembly-timeout: Type=11 Code=1
source-quench: Type=4 Code=0
source-route-failed: Type=3 Code=5
timestamp-reply: Type=14 Code=0
timestamp-request: Type=13 Code=0
ttl-exceeded: Type=11 Code=0
Parameters of the undo rule command rule-id: Rule ID, which must be the ID of an existing ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule will be the greatest rule number plus one. If the current greatest rule number is 65534, however, the system will display an error message and you need to specify a number for the rule.
Table 1-15 Layer 2 ACL rule information
Parameters: Type: Function: Description
format-type: Link layer encapsulation type: Specifies the link layer encapsulation type in the rule. This argument can be 802.3/802.2, 802.3, ether_ii, or snap.
lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal number.
Parameters: Type: Function: Description
type protocol-type protocol-mask: Protocol type of Ethernet frames: Specifies the protocol type of Ethernet frames for the ACL rule. protocol-type: Protocol type. protocol-mask: Protocol type mask.
When Layer 2 ACLs are applied to ports or VLANs of the Switch 5500-EI series, rules configured with the format-type argument and the lsap keyword are invalid.
After completing the above configuration, you can use the display acl command to view the configuration information of the ACLs. rule (for user-defined ACLs) Syntax rule [ rule-id ] { deny | permit } [ rule-string rule-mask offset ] &<1-8> [ time-range time-name ] undo rule rule-id View User-defined ACL view...
Offset unit 2 to 5 6 to 9 10 to 13 14 to 17 18 to 21 22 to 25 26 to 29 30 to 33 6 to 9 10 to 13 14 to 17 18 to 21 22 to 25 26 to 29 30 to 33 34 to 37...
Protocol: Protocol number in hexadecimal: Offset when VLAN-VPN is not enabled on any port: Offset when VLAN-VPN is enabled on a port
RARP: 0x8035
IP: 0x0800
IPX: 0x8137
AppleTalk: 0x809B
ICMP: 0x01
IGMP: 0x02
TCP: 0x06
UDP: 0x11
Examples # Create user-defined ACL 5000 and define rule 1 to deny all TCP packets (it is assumed that no port is enabled with the VLAN-VPN function).
In this example, the 32-byte rule string occupies eight offset units: 4 to 7 (Offset2), 8 to 11 (Offset3), 12 to 15 (Offset4), 16 to 19 (Offset5), 20 to 23 (Offset1), 24 to 27 (Offset7), 28 to 31 (Offset8), and 32 to 35 (Offset6), as shown in Table 1-16.
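The matching rule a user-defined ACL applies, as a worked example: each of the rule's one to eight rule-string / rule-mask / offset triples is compared against the frame bytes at that offset under the mask, and the frame matches only when every triple does. This is an added Python model, not the switch's code. The byte offsets it uses (IPv4 protocol field at frame byte 23 and TCP destination port at byte 36 for an untagged Ethernet II frame, each shifted by 4 when one 802.1Q tag is present) are computed from the standard header layouts and are not the device's own offset-unit table; the frames are constructed for the demonstration, and rule 1 reproduces the page's "deny all TCP packets" case.

```python
"""User-defined ACL rule matching as described on this page: a rule carries up
to eight (rule-string, rule-mask, offset) triples, and a frame matches when,
for every triple, the frame bytes at offset ANDed with rule-mask equal
rule-string ANDed with rule-mask.

Added example, not the switch's code. The offsets used here are computed from
the standard Ethernet II / IPv4 / TCP layout (IPv4 protocol field at frame
byte 23, TCP destination port at byte 36 for an untagged frame; one 802.1Q tag
shifts both by 4); the device's own offset-unit table is not reproduced. The
frames are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

Part = Tuple[bytes, bytes, int]   # (rule_string, rule_mask, offset)


@dataclass(frozen=True)
class UserRule:
    rule_id: int
    action: str              # "permit" or "deny"
    parts: Tuple[Part, ...]  # 1 to 8 triples, as in rule-string rule-mask offset &<1-8>

    def __post_init__(self) -> None:
        if not 1 <= len(self.parts) <= 8:
            raise ValueError("a rule takes 1 to 8 rule-string/rule-mask/offset triples")
        for rule_string, rule_mask, _ in self.parts:
            if len(rule_string) != len(rule_mask):
                raise ValueError("rule-string and rule-mask must have the same length")

    def matches(self, frame: bytes) -> bool:
        for rule_string, rule_mask, offset in self.parts:
            window = frame[offset:offset + len(rule_string)]
            if len(window) < len(rule_string):
                return False           # frame too short to hold the field
            if any((w & m) != (s & m) for w, s, m in zip(window, rule_string, rule_mask)):
                return False
        return True


def first_match(rules: List[UserRule], frame: bytes) -> Optional[UserRule]:
    for rule in rules:
        if rule.matches(frame):
            return rule
    return None


def ipv4_frame(proto: int, dport: int = 80, vlan: Optional[int] = None) -> bytes:
    """Constructed Ethernet frame: optional 802.1Q tag, minimal IPv4 header,
    then 20 bytes of TCP/UDP header with the requested destination port."""
    dst, src = bytes.fromhex("000fe2aabbcc"), bytes.fromhex("000fe2112233")
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, proto, 0,
                         bytes([10, 1, 1, 5]), bytes([10, 1, 1, 1]))
    l4_hdr = struct.pack("!HH", 40000, dport) + b"\x00" * 16
    return dst + src + tag + struct.pack("!H", 0x0800) + ip_hdr + l4_hdr


# Byte offsets for an untagged Ethernet II frame (14-byte header, 20-byte IPv4 header).
IPV4_PROTO_OFFSET = 14 + 9
L4_DPORT_OFFSET = 14 + 20 + 2
VLAN_TAG_SHIFT = 4               # what one extra 802.1Q tag (the VLAN-VPN case) adds

# rule 1: deny all TCP packets (the page's example, untagged frames)
DENY_TCP = UserRule(1, "deny", ((b"\x06", b"\xff", IPV4_PROTO_OFFSET),))
# rule 2: deny TCP to port 23 (Telnet): two triples that must both match
DENY_TELNET = UserRule(2, "deny", ((b"\x06", b"\xff", IPV4_PROTO_OFFSET),
                                   (b"\x00\x17", b"\xff\xff", L4_DPORT_OFFSET)))
# the same TCP match for frames carrying one 802.1Q tag
DENY_TCP_TAGGED = UserRule(3, "deny", ((b"\x06", b"\xff", IPV4_PROTO_OFFSET + VLAN_TAG_SHIFT),))
```

The tagged-frame rule is the point of the VLAN-VPN caveat in the text: a user-defined rule written for untagged frames silently compares the wrong bytes once an extra tag is pushed in front of the payload, so a rule meant to deny TCP stops matching anything and the traffic passes.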
Examples # Define the comment “This rule is to be applied to Ethernet 1/0/1” for rule 0 of advanced ACL 3001. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule 0 comment This rule is to be applied to Ethernet 1/0/1 # Use the display acl command to view the configuration information of advanced ACL 3001.
jointly define a period in which the absolute time range takes effect. If the start date is not specified, the time range starts from 1970/01/01 00:00. to end-time end-date: Specifies the end date of an absolute time range, in the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD.
From 12:00 Jan/1/2008 to 12:00 Jun/1/2008
QoS Commands burst-mode enable Syntax burst-mode enable undo burst-mode enable View System view Parameters None Description Use the burst-mode enable command to enable the burst function. Use the undo burst-mode enable command to disable the burst function. By default, the burst function is disabled. The burst function improves packet buffering and forwarding performance in the following scenarios: Dense broadcast or multicast traffic and massive burst traffic are present.
Examples # Enable the burst function. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] burst-mode enable display protocol-priority Syntax display protocol-priority View Any view Parameters None Description Use the display protocol-priority command to display the list of protocol priorities you assigned with the protocol-priority command.
Field Description An IP precedence has been assigned to OSPF packets. The assigned IP precedence is 0, that is, routine in words. IP-Precedence: routine(0) For information about the IP precedence range, refer to Table 1-6. Indicates that a priority has been set for Protocol: telnet Telnet packets with the protocol-priority command.
local precedence(queue) : display qos-interface all Syntax display qos-interface { interface-type interface-number | unit-id } all View Any view Parameters interface-type interface-number: Specifies the type and number of a port, for which QoS configuration information is to be displayed. unit-id: Unit ID of the switch whose QoS-related configuration is to be displayed. Table 1-2 shows the value range for the unit-id argument.
Field Description Inbound Packet direction Matches ACL rules for traffic classifying Union effect, indicating that the ACL referenced in the Effect mode traffic-limit command takes effect together with the other ACLs applied to the port. Egress port The specified egress port Target rate Traffic policing target rate, in kbps Bucket burst size...
Parameters interface-type interface-number: Specifies the type and number of the port, of which the line rate configuration is to be displayed. unit-id: Unit ID of the switch for which line rate configuration is to be displayed. For the value range for the unit-id argument, refer to Table 1-2.
Ethernet1/0/1: mirrored-to Inbound: Matches: Acl 2000 rule 0 running Mirrored to: monitor interface Refer to Table 1-3 for the description on the output fields. display qos-interface traffic-limit Syntax display qos-interface { interface-type interface-number | unit-id } traffic-limit View Any view Parameters interface-type interface-number: Specifies the type and number of a port for which traffic policing configuration is to be displayed.
View Any view Parameters interface-type interface-number: Specifies the type and number of a port for which priority marking configuration is to be displayed. unit-id: Unit ID of the switch whose priority marking configuration is to be displayed. For the value range for the unit-id argument, refer to Table 1-2.
View Any view Parameters interface-type interface-number: Specifies the type and number of a port for which traffic accounting configuration is to be displayed. unit-id: Unit ID of the switch for which traffic accounting configuration and traffic statistics are to be displayed. For the value range for the unit-id argument, refer to Table 1-2.
Examples # Display the global queue scheduling configuration. <Sysname> display queue-scheduler Queue scheduling mode: weighted round robin weight of queue 0: 1 weight of queue 1: 2 weight of queue 2: 3 weight of queue 3: 4 weight of queue 4: 5 weight of queue 5: 9 weight of queue 6: 13 weight of queue 7: 15...
Compared to traffic policing, line rate applies to all the inbound or outbound packets passing through a port and is thus a simpler solution when you only want to limit the rate of all the inbound or outbound packets passing through a port as a whole. Related commands: display qos-interface line-rate.
ACL combination Form of the acl-rule argument Apply a rule in a user-defined ACL user-group acl-number rule rule-id Apply a rule in an Layer 3 ACL and a rule in ip-group acl-number rule rule-id a Layer 2 ACL link-group acl-number rule rule-id Table 1-5 Description on the parameters used in Table 1-4 Parameter...
After you execute the priority command on a port, the port priority rather than the 802.1p priority of each inbound 802.1q-tagged packet is used to identify the matching local precedence for the packet (in the 802.1p-precedence-to-local precedence mapping table). Then, the packet is assigned to the output queue corresponding to the local precedence. If the priority command, the priority trust command, and the undo priority command are configured on the same port, the command configured last applies.
Examples # Configure the switch to trust the 802.1p priority of 802.1q-tagged packets on Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] priority trust protocol-priority protocol-type Syntax protocol-priority protocol-type protocol-type { ip-precedence ip-precedence | dscp dscp-value } undo protocol-priority protocol-type protocol-type View...
Table 1-7 DSCP precedence values in words and in digits DSCP precedence (in words) DSCP precedence (in digits) af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 be (the default) Description Use the protocol-priority command to set the global IP precedence or DSCP precedence for the specified type of protocol packets generated by the current switch.
On a Switch 5500-EI, you can set priority for protocol packets of Telnet, OSPF, SNMP, and ICMP. Examples # Set the IP precedence to 3 for SNMP protocol packets. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] protocol-priority protocol-type snmp ip-precedence 3 # Set the DSCP precedence of Telnet packets to 30, corresponding to the keyword af33.
cos6-map-local-prec: Local precedence to which 802.1p 6 is to be mapped, in the range 0 to 7. cos7-map-local-prec: Local precedence to which 802.1p 7 is to be mapped, in the range 0 to 7. Description Use the qos cos-local-precedence-map command to configure the 802.1p priority-to-local precedence mapping. Use the undo qos cos-local-precedence-map command to restore the default settings.
Use the undo queue-scheduler command to restore the default. By default, the WRR algorithm is used for all the output queues of a port. The default weights of queues 0 through 7 are 1, 2, 3, 4, 5, 9, 13, and 15, as shown in Table 1-9.
scheduling configuration only when the configuration of a port is different from the global configuration. Related commands: display queue-scheduler. Examples # Configure WRR as the queuing algorithm and set the weights of queues 0 through 7 to 2, 2, 4, 4, 6, 6, 8, and 8 globally in system view. <Sysname>...
Parameters inbound: Specifies to clear the statistics of the inbound packets on the port. acl-rule: ACL rules to be applied. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-4 and Table 1-5.
traffic-limit Syntax traffic-limit inbound acl-rule union-effect egress-port interface-type interface-number ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ] undo traffic-limit inbound acl-rule View Ethernet port view Parameters inbound: Imposes traffic limit on the packets received through the interface. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs.
On Ethernet 1/0/1, assume that the filter command is configured to filter packets destined to IP address 2.2.2.2 and the traffic-limit command is configured to limit the rate of packets sourced from IP address 1.1.1.1 within 128 kbps. Whether packets conforming to the rate limit of 128 kbps, sourced from IP address 1.1.1.1, and destined to IP address 2.2.2.2 (referred to as packets A later) will be dropped depends on the union-effect keyword of the traffic-limit command.
The granularity of rate limit is 64 kbps. If the number you input is in the range N*64 to (N+1)*64 (N is a natural number), it will be rounded off to (N+1)*64. burst-bucket burst-bucket-size: Specifies the maximum burst traffic size (in KB) allowed. The burst-bucket-size argument ranges from 4 to 512 and defaults to 512.
outbound: Performs priority marking on the outbound packets. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-4 and Table 1-5. Note that the ACL rules referenced must be those defined with the permit keyword.
If IP precedence or DSCP marking is configured, the traffic will be marked with new IP precedence or DSCP precedence. Do not configure 802.1p priority marking and local precedence marking for the same traffic. With 802.1p priority marking, the new 802.1p priority will be mapped to a local precedence automatically.
Do not configure 802.1p priority marking and local precedence marking for the same traffic. With 802.1p priority marking, the new 802.1p priority will be mapped to a local precedence automatically. If local precedence marking is also configured, there will be two local precedence values for the traffic, resulting in conflict.
link-aggregation-group agg-id: Specifies the aggregation group the traffic is to be redirected to. The agg-id argument is the ID of an aggregation group, in the range 1 to 416. untagged: Specifies to remove the outer VLAN tag of a packet after the packet is redirected to a port or an aggregation group.
traffic-remark-vlanid Syntax traffic-remark-vlanid inbound acl-rule remark-vlan remark-vlanid undo traffic-remark-vlanid inbound acl-rule View Ethernet port view Parameters inbound: Maps the VLAN IDs carried in the inbound packets to a specified VLAN ID. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs.
View Ethernet port view Parameters inbound: Enables traffic accounting for the inbound packets. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-4 and Table 1-5.
Parameters queue-index: Queue number in the range of 0 to 7. qstart: Number of the packets contained in the queue, in the range 1 to 128. probability: Dropping probability in the range of 0 to 92 (in percentage). Description Use the wred command to enable the WRED function. Use the undo wred command to restore the default.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] apply qos-profile a123 interface Ethernet1/0/1 to Ethernet1/0/4 display qos-profile Syntax display qos-profile { all | name profile-name | interface interface-type interface-number | user user-name } View Any view Parameters all: Specifies all the QoS profiles.
<Sysname> display qos-profile interface Ethernet 1/0/1 User's qos-profile applied mode: user-based Default applied qos-profile: test, 3 actions packet-filter inbound ip-group 2000 rule 0 traffic-limit inbound ip-group 3000 rule 0 64 traffic-priority inbound ip-group 4000 rule 0 cos controlled-load # Display the configuration of the QoS profile applied to Ethernet 1/0/2, assuming that the QoS profile has been applied to Ethernet 1/0/2 dynamically.
packet-filter Syntax packet-filter { inbound | outbound } acl-rule undo packet-filter { inbound | outbound } acl-rule View QoS profile view Parameters inbound: Filters the inbound packets. outbound: Filters the outbound packets. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs.
Parameters profile-name: QoS profile name, a case-insensitive string of 1 to 32 characters, starting with an English letter in the range a to z and A to Z. Note that a QoS profile name cannot be all, interface, user, undo, or name.
If the 802.1x authentication is MAC-based, you need to configure the QoS profile application mode to be user-based. If the 802.1x authentication is port-based, you need to configure the QoS profile application mode to be port-based. Examples # Configure the QoS profile application mode on Ethernet 1/0/1 to be port-based. <Sysname>...
On Ethernet 1/0/1, assume that the filter command is configured to filter packets destined to IP address 2.2.2.2 and the traffic-limit command is configured to limit the rate of packets sourced from IP address 1.1.1.1 within 128 kbps. Whether packets conforming to the rate limit of 128 kbps, sourced from IP address 1.1.1.1, and destined to IP address 2.2.2.2 (referred to as packets A later) are dropped depends on the union-effect keyword of the traffic-limit command.
drop: Drops the packets. remark-dscp value: Sets a new DSCP value for the packets and then forwards the packets. Description Use the traffic-limit command to add the traffic policing action to a QoS profile. Use the undo traffic-limit command to remove the traffic policing action from a QoS profile. Examples # Add traffic policing action to the QoS profile named a123 to limit the rate of the inbound packets sourced from IP address 1.1.1.1 to 128 kbps and drop the packets exceeding 128 kbps.
local-precedence pre-value: Sets the local precedence value, in the range of 0 to 7. Description Use the traffic-priority command to add a priority marking action to a QoS profile. Use the undo traffic-priority command to remove a priority marking action from a QoS profile. Do not configure 802.1p priority marking and local precedence marking for the same traffic.
Mirroring Commands Mirroring Commands display mirroring-group Syntax display mirroring-group { group-id | all | local | remote-destination | remote-source } View Any view Parameters group-id: Specifies the mirroring group of which the configurations are to be displayed. The argument takes a value in the range of 1 to 20. all: Specifies to display the parameter settings of all mirroring groups.
type: remote-source status: active mirroring port: Ethernet1/0/1 inbound reflector port: Ethernet1/0/2 remote-probe vlan: 10 # Display the configurations of a remote destination mirroring group on your Switch 5500-EI. <Sysname> display mirroring-group 3 mirroring-group 3: type: remote-destination status: active monitor port: Ethernet1/0/3 remote-probe vlan: 20 Table 1-1 Description on the fields of the display mirroring-group command Field...
mirroring-group Syntax mirroring-group group-id { local | remote-destination | remote-source } undo mirroring-group { group-id | all | local | remote-destination | remote-source } View System view Parameters group-id: Number of a port mirroring group, in the range 1 to 20. all: Specifies to remove all mirroring groups.
View System view, Ethernet port view Parameters group-id: Number of a port mirroring group, in the range 1 to 20. mirroring-port mirroring-port-list: Specifies a list of source ports. mirroring-port-list is available in system view only, and there is no such argument in Ethernet port view. mirroring-port-list is provided in the format of mirroring-port-list = { interface-type interface-number [ to interface-type interface-number ] }&<1-8>, where interface-type is the port type, and interface-number is the port number, and &<1-8>...
undo mirroring-group group-id monitor-port monitor-port View System view, Ethernet port view Parameters group-id: Number of a port mirroring group, in the range 1 to 20. monitor-port monitor-port: Specifies the destination port for port mirroring. monitor-port is available in system view only, and there is no such argument in Ethernet port view. Description Use the mirroring-group monitor-port command to configure the destination port for a local mirroring group or a remote destination mirroring group.
Parameters group-id: Number of a port mirroring group, in the range 1 to 20. reflector-port reflector-port: Specifies the reflector port. reflector-port is available in system view only, and there is no such argument in Ethernet port view. Description Use the mirroring-group reflector-port command to specify the reflector port for a remote source mirroring group.
Description Use the mirroring-group remote-probe vlan command to specify the remote-probe VLAN for a remote source/destination mirroring group. Use the undo mirroring-group remote-probe vlan command to remove the configuration of remote-probe VLAN for a remote source/destination mirroring group. Note that, before configuring a VLAN as the remote-probe VLAN for a remote source/destination mirroring group, you need to use the remote-probe vlan enable command to configure the VLAN as a remote-probe VLAN first.
A copy of each packet passing through a source port will be sent to the corresponding destination port. Related commands: display mirroring-group. When you configure mirroring source port on an Ethernet port of a Switch 5500-EI, if mirroring group 1 does not exist, the switch will automatically create local mirroring group 1 and add the source port to the group;...
It is recommended that you use a destination port for port mirroring purpose only. Do not use a destination port to transmit other service packets. Related commands: display mirroring-group. When you configure mirroring destination port on an Ethernet port of a Switch 5500-EI, if mirroring group 1 does not exist, the switch will automatically create local mirroring group 1 and add the destination port to the group;...
Related commands: mirroring-group remote-probe vlan. Examples # Configure VLAN 5 as the remote-probe VLAN. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] vlan 5 [Sysname-vlan5] remote-probe vlan enable...
Web Cache Redirection Configuration Commands Web Cache Redirection Configuration Commands display webcache Syntax display webcache View Any view Parameters None Description Use the display webcache command to view Web cache redirection configuration and the status of Web cache. Examples # Display Web cache redirection configuration and the status of Web cache. [Sysname] display webcache webcache IP address: 1.1.1.1 webcache MAC address: 000f-e20f-0000...
Field Description webcache port Port that connects to the Web cache server webcache VLAN VLAN that the Web cache server belongs to webcache TCP port Number of the TCP port used by HTTP packets Redirected VLANs, referring to the VLANs whose HTTP packets are to be redirected to the Web cache server.
mac-address: MAC address of the Web cache server. vlan-id: ID of the VLAN where Web cache server is to be located. port interface-type interface-number: Specifies the port through which the switch is connected to the Web cache server. interface-type interface-number is the port type and port number.
[Sysname] interface Ethernet 1/0/4 [Sysname-Ethernet1/0/4] webcache address 1.1.1.1 mac 0012-0990-2250 vlan 40 webcache redirect-vlan Syntax webcache redirect-vlan vlan-id undo webcache redirect-vlan [ vlan-id ] View System view Parameters vlan-id: ID of the VLAN whose HTTP traffic is to be redirected. Description Use the webcache redirect-vlan command to configure a VLAN as a redirected VLAN, that is, specify to redirect the HTTP traffic of the VLAN to the Web cache server.
PoE Configuration Commands PoE Configuration Commands display poe disconnect Syntax display poe disconnect View Any view Parameters None Description Use the display poe disconnect command to view the current PD disconnection detection mode of the switch. Examples # Display the PD disconnection detection mode. <Sysname>...
Examples # Display the PoE status of Ethernet 1/0/10. <Sysname> display poe interface Ethernet1/0/10 Port power enabled :enable Port power ON/OFF Port power status :Standard PD was detected Port power mode :signal Port PD class port power priority :low Port max power :15400 mW Port current power :460 mW...
Ethernet1/0/1 enable signal Standard PD was detected Ethernet1/0/2 enable signal Standard PD was detected Ethernet1/0/3 enable signal detection is in process Ethernet1/0/4 enable signal detection is in process Ethernet1/0/5 enable signal detection is in process Ethernet1/0/6 enable signal detection is in process Ethernet1/0/7 enable signal...
Description Use the display poe interface power command to view the power information of a specific port of the switch. If the interface-type interface-number argument is not specified, the command displays the power information of all ports of the switch. Examples # Display the power information of Ethernet 1/0/10.
PSE Software Version :290 PSE Hardware Version :000 PSE CPLD Version :078 PSE Power-Management mode :auto Table 1-3 display poe powersupply command output description Field Description PSE ID Identification of the PSE The enabled/disabled status of the nonstandard PSE Legacy Detection PD detection PSE Total Power Consumption Total power consumption of the PSE...
<Sysname> display poe temperature-protection The temperature protection is enabled. poe disconnect Syntax poe disconnect { ac | dc } undo poe disconnect View System view Parameters ac: Specifies the PD disconnection detection mode as ac. dc: Specifies the PD disconnection detection mode as dc. Description Use the poe disconnect command to configure a PD disconnection detection mode.
If you delete the default configuration file without specifying another one, the PoE function on a port will be disabled after you restart the device. You can use the display poe interface command to display whether PoE is enabled on a port. Examples # Enable the PoE feature on Ethernet 1/0/3.
Parameters max-power: Maximum power distributed to the port, ranging from 1,000 to 15,400, in mW. Description Use the poe max-power command to configure the maximum power that can be supplied by the current port. Use the undo poe max-power command to restore the maximum power supplied by the current port to the default value.
System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/3 [Sysname-Ethernet1/0/3] poe mode signal poe power-management Syntax poe power-management { auto | manual } undo poe power-management View System view Parameters auto: Adopts the auto mode, namely, a PoE management mode based on PoE priority of the port. manual: Adopts the manual mode.
Description Use the poe priority command to configure the PoE priority of a port. Use the undo poe priority command to restore the default PoE priority. By default, the PoE priority of a port is low. When the available power of the PSE is too small, the PoE priority and the PoE management mode are used together to determine how to allocate PoE power for the new PDs.
You can use the display poe temperature-protection command to display whether PoE over-temperature protection is enabled on the switch. Examples # Disable PoE over-temperature protection on the switch. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] undo poe temperature-protection enable The temperature protection is disabled.
[Sysname] poe update refresh 0400_001.S19 Update PoE board successfully update fabric Syntax update fabric { file-url | device-name file-url } View User view Parameters file-url: File path + file name of the host software in the flash memory, a string of 1 to 64 characters. The specified PSE processing software is a file with the extension .s19.
PoE Profile Configuration Commands PoE Profile Configuration Commands apply poe-profile Syntax In system view use the following commands: apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] undo apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] In Ethernet port view use the following commands: apply poe-profile profile-name undo apply poe-profile profile-name...
PoE profile is a set of PoE configurations. One PoE profile can contain multiple PoE features. When the apply poe-profile command is used to apply a PoE profile to a port, some PoE features can be applied successfully while some cannot. PoE profiles are applied to Switch 5500-EI according to the following rules: When the apply poe-profile command is used to apply a PoE profile to a port, the PoE profile is applied successfully only if one PoE feature in the PoE profile is applied properly.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] display poe-profile name profile-test Poe-profile: profile-test, 3 action poe enable poe max-power 5000 poe priority critical poe-profile Syntax poe-profile profile-name undo poe-profile profile-name View System view Parameters profile-name: Name of PoE profile, a string of 1 to 15 characters. It starts with a letter from a to z or from A to Z, and it cannot be any of reserved keywords like all, interface, user, undo, and mode.
XRN Fabric Commands XRN Fabric Commands change self-unit Syntax change self-unit to { unit-id | auto-numbering } View System view Parameters unit-id: Changes the unit ID of the current switch to a specified value which is in the range of 1 to 8. auto-numbering: Changes the numbering mode of unit ID on the current switch to automatic numbering mode.
If you do not bring up the fabric port, you cannot change the unit ID of a switch. After the unit ID of a device is changed, the unit ID-related information of this device in the configuration file of the fabric will be upgraded automatically. If the unit ID of a device changes from 2 to 4, the port description of this device in the configuration file automatically changes from 2/0/x to 4/0/x.
Unit IDs in an XRN fabric are not always arranged in order of 1 to 8. Unit IDs in an XRN fabric can be inconsecutive. After the unit ID of a device is changed, the unit ID-related information of this device in the configuration file of the fabric will be upgraded automatically.
From the above example, you can see the original unit ID of the device with MAC address 000f-cbb7-3264 is 6. After the configuration, this unit ID changes to 4, and the priority of the device changes to 5. display ftm Syntax display ftm { information | topology-database } View...
Table 1-1 display ftm information command output description Field Description FTM State: DISC STATE: In the topology discovery state. FTM State LISTEN STATE: In the topology discovery state, and the FTM slave device is listening. HB STATE: The fabric operates normally. Unit ID: Unit ID FTM-Master...
Field Description Indexes of the left and right ports: Left Port : Index = 255, IsEdge: Whether the device is at either end of a bus topology IsEdge = 0 XRN fabric in which the number of member devices has reached the upper limit.
display xrn-fabric Syntax display xrn-fabric [ port ] View Any view Parameters port: Displays the fabric port information. Description Use the display xrn-fabric command to view the information of the entire fabric, including unit ID, unit name, and operation mode of the system. If the fabric information is displayed on the console port of a device, an asterisk (*) will be added to the unit ID of the current device.
View System view Parameters None Description Use the fabric member-auto-update software enable command to enable the XRN automatic fabric function for a switch. Use the undo fabric member-auto-update software enable command to disable the XRN automatic fabric function for a switch. By default, the XRN automatic fabric function for a switch is disabled.
undo fabric save-unit-id View User view Parameters None Description Use the fabric save-unit-id command to save the unit IDs of all the units in an XRN fabric into the unit Flash and set the unit priority to 5, that is, manual numbering. Use the undo fabric save-unit-id command to remove the saved unit IDs and restore the unit priority to 10, that is, automatic numbering.
000f-e20f-5132 5 Left/ 000f-e20f-5252 5 /Right 1 000f-e20f-8922 5 Left/ 000f-cbb7-2142 5 /Right 1 000f-cbb7-3264 5 Left/ 000f-cbb7-2260 5 /Right 1 000f-cbb7-2734 5 Left/ From the above example, you can see the priority of each unit changes from 10 to 5, and the numbering mode changes from A (automatic numbering) to M (manual numbering).
Parameters interface-type interface-number: Type and port number of a fabric port. On a Switch 5500-EI 28 port switch, only four GigabitEthernet ports can be configured as fabric ports: GigabitEthernet 1/0/25, GigabitEthernet 1/0/26, GigabitEthernet 1/0/27, and GigabitEthernet 1/0/28. On a Switch 5500-EI 52 port switch, only four GigabitEthernet ports can be configured as fabric ports: GigabitEthernet 1/0/49, GigabitEthernet 1/0/50, GigabitEthernet 1/0/51, and GigabitEthernet 1/0/52.
ftm fabric-vlan Syntax ftm fabric-vlan vlan-id undo ftm fabric-vlan View System view Parameters vlan-id: ID of the XRN fabric VLAN, in the range of 2 to 4094. The VLAN you specify must be one that has not been created manually. Description Use the ftm fabric-vlan command to specify the VLAN that the switch uses for XRN fabric.
Description Use the xrn-fabric authentication-mode command to configure the authentication mode and password for an XRN fabric. Use the undo xrn-fabric authentication-mode command to remove the XRN fabric authentication configuration. By default, no authentication mode is configured on a switch. XRN fabric authentication is used to ensure the security of the devices accessing it.
reset ftm statistics Syntax reset ftm statistics View User view Parameters None Description Use the reset ftm statistics command to clear FTM statistics. You can use this command together with the display ftm command to view the packet statistics processed by FTM in a period of time, thus analyzing fabric operation status and locating problems.
For example, if the fabric name of the Ethernet switch is 3Com, the prompt character in user view is <3Com>. Use the undo sysname command to restore the default fabric name.
Cluster Configuration Commands NDP Configuration Commands display ndp Syntax display ndp [ interface interface-list ] View Any view Parameters interface interface-list: Specifies a port list. You need to provide the interface-list argument in the form of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10>...
ndp enable Syntax ndp enable [ interface interface-list ] undo ndp enable [ interface interface-list ] View System view, Ethernet port view Parameters interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10> means that you can provide up to ten port indexes/port index ranges for this argument.
Description Use the ndp timer aging command to set the holdtime of the NDP information. This command specifies how long an adjacent device should hold the NDP neighbor information received from the local switch before discarding the information. Use the undo ndp timer aging command to restore the default holdtime of NDP information. By default, the holdtime of NDP information is 180 seconds.
Examples # Set the interval between sending NDP packets to 80 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ndp timer hello 80 reset ndp statistics Syntax reset ndp statistics [ interface interface-list ] View User view Parameters interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10>...
NTDP Configuration Commands display ntdp Syntax display ntdp View Any view Parameters None Description Use the display ntdp command to display the global NTDP information. The displayed information includes topology collection range (hop count), topology collection interval (NTDP timer), device/port forwarding delay of topology collection requests, and time used by the last topology collection.
Platform : 5500-EI : 100.100.1.1/24 Version: 3Com Corporation Switch 5500-EI Software Version 3Com OS V3.03.02s56e Copyright (c) 2004-2008 3Com Corporation and its licensors, All rights reserved. Switch 5500-EI Switch 5500-EI-V3.03.02s56e Cluster Candidate switch Peer MAC Peer Port ID Native Port ID...
: 000f-e20f-3190 Platform : 5500-EI : 16.1.1.1/24 Version: Switch 5500-EI Software Version 3Com OS V3.03.02s56e Copyright (c) 2004-2008 3Com Corporation and its licensors, All rights reserved. Switch 5500-EI Switch 5500-EI-V3.03.02s56e Cluster Candidate switch Peer MAC Peer Port ID Native Port ID...
View System view, Ethernet port view Parameters None Description Use the ntdp enable command to enable NTDP globally or on a port. Use the undo ntdp enable command to disable NTDP globally or on a port. By default, NTDP is enabled both globally and on ports. Note that NTDP can take effect on a port only when NTDP is enabled both globally and on the port.
ntdp hop Syntax ntdp hop hop-value undo ntdp hop View System view Parameters hop-value: Maximum hops to collect topology information, namely, the topology collection range, in the range of 1 to 16. Description Use the ntdp hop command to set the topology collection range. Use the undo ntdp hop command to restore the default topology collection range.
Parameters interval-in-minutes: Interval (in minutes) to collect topology information, ranging from 0 to 65,535. A value of 0 disables topology information collection. Description Use the ntdp timer command to configure the interval to collect topology information periodically. Use the undo ntdp timer command to restore the default interval. By default, this interval is one minute.
Network congestion may occur if a large number of topology response packets reach the collecting device in a short period. To avoid this, each collected switch in the network delays for a period before it forwards a received topology collection request through each NTDP-enabled port. You can use the ntdp timer hop-delay command to set this delay on a collecting switch.
Cluster Configuration Commands add-member Syntax add-member [ member-number ] mac-address H-H-H [ password password ] View Cluster view Parameters member-number: Member number assigned to the candidate device to be added to the cluster. This argument ranges from 1 to 255. H-H-H: MAC address of the candidate device to be added (in hexadecimal).
View Cluster view Parameters mac-address: MAC address of the management device to be specified. name: Name of an existing cluster, a string of up to 8 characters. Note that the name of a cluster can only contain alphanumeric characters, minus signs (-), and underscores (_). Description Use the administrator-address command to specify the management device MAC address and the cluster name on a device to add the device to the cluster.
Description Use the build command to build a cluster with a cluster name or change the cluster name. Use the undo build command to remove the cluster. You can use this command on a candidate device as well as on a management device. Executing the build command on a candidate device will change the device to a management device and assign a name to the cluster created on the device, and the member number of the management device is 0.
System View: return to User View with Ctrl+Z [Sysname] cluster [Sysname-cluster] build aaa There is no base topology, if set up from local flash file?(Y/N) #Apr 3 08:15:03:166 2000 aaa_0. 3Com CLST/5/Cluster_Trap:- 1 - OID:1.3.6.1.4.1.2011.6.7.1.0.3(hgmpMemberStatusChange):member 00.00.00.00.00.12. a9.90.22.40 role change, NTDPIndex:0.00.00.00.00.00.12.a9.90.22.40, Role:1 [aaa_0.Sysname-cluster] cluster...
Use the undo cluster enable command to disable the cluster function. By default, the cluster function is enabled. Note that: To create a cluster on a management device through the build command or the auto-build command, you must first enable the cluster function by executing the cluster enable command. When you execute the undo cluster enable command on the management device, the cluster function is disabled on the device, and the device stops operating as a management device, and the cluster and all its members are removed.
on the management device (this is not true when you add the candidate device to the cluster using the administrator-address command). It is recommended not to change the super password of any cluster member or the management device, so as to avoid switching failure resulting from authentication failure.
Since some devices cannot forward multicast packets with the destination MAC address 0180-C200-000A (an address in the 0180-C200-0000 to 0180-C200-000F range that 802.1D-compliant bridges do not forward), HGMPv2 packets cannot traverse these devices. For a cluster to work normally in this case, you can modify the multicast destination MAC address of HGMPv2 protocol packets without changing the current networking.
delete-member Syntax delete-member member-id [ to-black-list ] View Cluster view Parameters member-id: Member number of a member device, ranging from 1 to 255. to-black-list: Adds the device removed from a cluster to the blacklist to prevent it from being added to the cluster.
View Any view Parameters None Description Use the display cluster command to display the status and statistics information of the cluster to which the current switch belongs. Executing this command on a member device will display the following information: cluster name, member number of the current switch, MAC address and status of the management device, holdtime, and interval to send handshake packets.
Handshake timer:10 sec
Handshake hold-time:60 sec
Administrator device mac address:000f-e20f-3901
Administrator status:Up
Table 1-5 Description on the fields of the display cluster command
Cluster name: Name of the cluster, which can be configured through the build command
Role: Role of this switch
Management VLAN: Number of the management VLAN, which can be configured through the management-vlan...
candidate switches to be automatically added into the cluster, you can set the topology collection interval to zero (by using the ntdp timer command), which specifies not to perform topology collection periodically. Examples # Display information about all candidate devices. <aaa_0.Sysname-cluster>...
Device MAC Address Status Name
5500-EI 000f-e20f-3901 Admin aaa_0.Sysname
5500-EI 3900-0000-3334 aaa_1.3Com
5500-EI 000f-e20f-3190 aaa_2.5500-3
Table 1-8 Description on the fields of the display cluster members command
Member number of a device in the cluster
Device: Device type...
Member status:Admin Hops to administrator device:0 IP: 100.100.1.1/24 Version: 3Com Corporation Switch 5500-EI Software Version 3Com OS V3.03.02s56e Copyright (c) 2004-2008 3Com Corporation and its licensors, All rights reserved. Switch 5500-EI Switch 5500-EI-OS V3.03.02s56e Member number:1 Name:aaa_1.Sysname Device:5500-EI MAC Address:000f-e200-3334...
Hops to administrator device: Hops from the device to the management device
IP: Device IP address
Version: Software version of the device
ftp cluster Syntax ftp cluster View User view Parameters None Description Use the ftp cluster command to connect to the shared FTP server of the cluster and enter FTP Client view through the management device.
ftp-server Syntax ftp-server ip-address undo ftp-server View Cluster view Parameters ip-address: IP address of the FTP server to be configured for the cluster. Description Use the ftp-server command to configure a shared FTP server for the cluster on the management device.
Parameters seconds: Neighbor information holdtime in seconds, ranging from 1 to 255. Description Use the holdtime command to configure the neighbor information holdtime of the member switches. Use the undo holdtime command to restore the default holdtime value. By default, the neighbor information holdtime is 60 seconds. Note that: If the management switch does not receive NDP information from a member device within the holdtime, it sets the state of the member device to “down”.
Description Use the ip-pool command to configure a private IP address pool on the management device. Use the undo ip-pool command to cancel the IP address pool configuration. Before creating a cluster, you must first configure a private IP address pool. When a candidate device joins a cluster, the management device dynamically assigns a private IP address in the pool to it, so that the candidate device can communicate with other devices in the cluster.
[aaa_0.Sysname-cluster] logging-host 10.10.10.9 management-vlan Syntax management-vlan vlan-id undo management-vlan View System view Parameters vlan-id: ID of the VLAN to be specified as the management VLAN. Description Use the management-vlan command to specify the management VLAN on the switch. Use the undo management-vlan command to restore the default management VLAN. By default, VLAN 1 is used as the management VLAN.
Description Use the nm-interface Vlan-interface command to configure a network management (NM) interface on a management device. After an NM interface is specified on the management device of a cluster, the network administrator can log onto the management device through the NM interface to manage the devices in the cluster. By default, the management VLAN interface is used as the NM interface.
Examples # Reboot member device 2. <aaa_0.Sysname> system-view System View: return to User View with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] reboot member 2 snmp-host Syntax snmp-host ip-address undo snmp-host View Cluster view Parameters ip-address: IP address of an SNMP network management station (NMS) to be configured for the cluster. Description Use the snmp-host command to configure a shared SNMP NMS for the cluster on the management device.
Parameters cluster: Downloads files through the shared TFTP server of the cluster. tftp-server: IP address or host name of the TFTP server. source-file: Name of the file to be downloaded from the shared TFTP server of the cluster. destination-file: Name of the file to which the downloaded file will be saved on the switch. Description Use the tftp get command to download a file from a specific directory on the shared TFTP server to the switch.
Description Use the tftp put command to upload a file from the switch to a specified directory on the TFTP server. You can use the tftp-server command on the management device to configure the shared TFTP server of the cluster, which is used for software version update and configuration file backup of the cluster members.
Examples # Configure shared TFTP server 1.0.0.9 on the management device for the cluster. <aaa_0.Sysname> system-view System View: return to User View with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] tftp-server 1.0.0.9 timer Syntax timer interval undo timer View Cluster view Parameters interval: Interval (in seconds) to send handshake packets. This argument ranges from 1 to 255. Description Use the timer command to set the interval between sending handshake packets.
View Any view Parameters by-mac: Specifies to trace a device through the specified destination MAC address. mac-address: MAC address of the device to be traced. vlan vlan-id: Specifies to trace a device in the specified VLAN. vlan-id ranges from 1 to 4094. by-ip: Specifies to trace a device through the specified destination IP address.
Enhanced Cluster Feature Configuration Commands black-list Syntax black-list add-mac mac-address black-list delete-mac { all | mac-address } View Cluster view Parameters mac-address: MAC address of the device to be added to the blacklist. The format is H-H-H, for example, 0100-0498-e001. all: Deletes all MAC addresses in the current cluster blacklist.
display cluster base-members Syntax display cluster base-members View Any view Parameters None Description Use the display cluster base-members command to display the information about all the devices in the base cluster topology, such as member number, name, MAC address, and the current status of each device in a cluster.
Examples # Display the standard topology of the cluster.
<aaa_0.Sysname> display cluster base-topology
--------------------------------------------------------------------
 (PeerPort) ConnectFlag (NativePort) [SysName:DeviceMac]
--------------------------------------------------------------------
[aaa_0.3Com:000f-e202-2180]
 ├-(P_0/40)<-->(P_0/6)[Sysname:000f-e200-2200]
 ├-(P_0/28)<-->(P_3/0/1)[Sysname:000f-e200-1774]
 ├-(P_0/22)<-->(P_1/0/2)[aaa_5.3Com:000f-e200-5111]
 ├-(P_0/18)<-->(P_3/0/2)[Sysname S3600:000f-e218-d0d0]
 ├-(P_0/14)<-->(P_1/0/2)[Sysname:000f-e200-5601]
 └-(P_0/4)<-->(P_0/2)[Switch 5500-EI 28-Port:000f-e200-00cc]
The output information of the display cluster base-topology command is in the following format: (peer port number)<-->(local port number)[peer device name:peer device MAC address]...
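The topology format just described is something a practitioner will want to parse, for instance to compare the base topology against an inventory and spot a neighbour that should not be there. The following parser is an added example and not code from the 3Com manual: it handles the single-level layout shown in the output above (a bare "[name:MAC]" line followed by its links), reuses that output as its sample input, and the allow-list of expected MAC addresses is constructed for the illustration. How the switch indents deeper levels is not documented on this page, so the parser does not assume anything about it.

```python
"""Parser for the display cluster base-topology output format shown above.

Added example, not code from the manual. Each "(peer port)<-->(local port)
[peer name:peer MAC]" line is taken as a link from the device named on the
nearest preceding bare "[name:MAC]" line (the management device aaa_0.3Com
in this output). The sample output is the one on this page; the allow-list
used to flag unexpected neighbours is constructed.
"""
import re
from dataclasses import dataclass

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
LINK_RE = re.compile(r"\((?P<peer_port>[^)]+)\)<-->\((?P<local_port>[^)]+)\)"
                     r"\[(?P<peer_name>.+):(?P<peer_mac>" + MAC + r")\]$")
DEVICE_RE = re.compile(r"^\[(?P<name>.+):(?P<mac>" + MAC + r")\]$")


@dataclass(frozen=True)
class Link:
    local_name: str
    local_mac: str
    local_port: str
    peer_port: str
    peer_name: str
    peer_mac: str


def parse_base_topology(text: str) -> list[Link]:
    """Turn the tree output into a flat list of links."""
    links: list[Link] = []
    current = None      # (name, mac) of the device whose links follow
    for raw in text.splitlines():
        line = raw.strip()
        dev = DEVICE_RE.match(line)
        if dev:
            current = (dev["name"], dev["mac"])
            continue
        link = LINK_RE.search(line)   # search: skip the leading tree characters
        if link and current:
            links.append(Link(current[0], current[1], link["local_port"],
                              link["peer_port"], link["peer_name"], link["peer_mac"]))
    return links


def unexpected_neighbours(links: list[Link], allowed_macs: set[str]) -> list[Link]:
    """Links whose peer MAC is not in the expected inventory (e.g. an unknown switch on a port)."""
    return [link for link in links if link.peer_mac not in allowed_macs]


# Sample input copied from the command output on this page.
SAMPLE = """\
<aaa_0.Sysname> display cluster base-topology
--------------------------------------------------------------------
 (PeerPort) ConnectFlag (NativePort) [SysName:DeviceMac]
--------------------------------------------------------------------
[aaa_0.3Com:000f-e202-2180]
 ├-(P_0/40)<-->(P_0/6)[Sysname:000f-e200-2200]
 ├-(P_0/28)<-->(P_3/0/1)[Sysname:000f-e200-1774]
 ├-(P_0/22)<-->(P_1/0/2)[aaa_5.3Com:000f-e200-5111]
 ├-(P_0/18)<-->(P_3/0/2)[Sysname S3600:000f-e218-d0d0]
 ├-(P_0/14)<-->(P_1/0/2)[Sysname:000f-e200-5601]
 └-(P_0/4)<-->(P_0/2)[Switch 5500-EI 28-Port:000f-e200-00cc]
"""

# Constructed inventory: every neighbour above except the 28-port switch.
EXPECTED_MACS = {"000f-e200-2200", "000f-e200-1774", "000f-e200-5111",
                 "000f-e218-d0d0", "000f-e200-5601"}

if __name__ == "__main__":
    links = parse_base_topology(SAMPLE)
    for link in links:
        print(f"{link.local_name} {link.local_port} -> {link.peer_name} {link.peer_port} ({link.peer_mac})")
    for link in unexpected_neighbours(links, EXPECTED_MACS):
        print("not in inventory:", link.peer_name, link.peer_mac)
```

Run against the saved topology.top contents on a schedule and diff the result against the last run; a new peer MAC on a management-VLAN port is worth an alert, since the blacklist only blocks devices you already know about.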
Description Use the display cluster black-list command to display the information of devices in the current cluster blacklist. Related commands: black-list. Examples # Display the contents of the current cluster blacklist. <aaa_0.Sysname> display cluster black-list Device ID Access Device ID Access port 000f-e200-5502 000f-e202-2180...
Peer Port ID: Name of the port on the peer device connecting to the local device
Native Port ID: Name of the port on the local device connecting to the peer device
Speed: Rate of the local port connecting to the peer device
Duplex: Duplex mode of the local port connecting to the peer device
topology accept...
Examples # Save the current cluster topology as the base topology and save it in the local flash. <aaa_0.Sysname> system-view Enter system view, return to user view with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] topology accept all save-to local-flash # Accept the device with the MAC address 0010-0f66-3022 as a member of the base cluster topology. <aaa_0.Sysname>...
topology save-to Syntax topology save-to local-flash View Cluster view Parameters None Description Use the topology save-to command to save the standard topology of the cluster to the local Flash memory. The file name used to save the standard topology is topology.top. Do not modify the file name. This command is applicable to only the management device of a cluster.
SNMP Configuration Commands SNMP Configuration Commands display snmp-agent Syntax display snmp-agent { local-engineid | remote-engineid } View Any view Parameters local-engineid: Displays the local SNMP entity engine ID. remote-engineid: Displays all the remote SNMP entity engine IDs. At present, the device does not support this keyword.
Parameters read: Displays the information about the SNMP communities with read-only permission. write: Displays the information about the SNMP communities with read-write permission. Description Use the display snmp-agent community command to display the information about the SNMPv1/SNMPv2c communities with the specific access permission. SNMPv1 and SNMPv2c use community name authentication.
Storage-type: Storage type, which can be:
volatile: Information will be lost if the system is rebooted
nonVolatile: Information will not be lost if the system is rebooted
permanent: Modification is permitted, but deletion is forbidden
readOnly: Read only, that is, no modification, no deletion
other: Other storage types
display snmp-agent group...
Table 1-2 display snmp-agent group command output description
Group name: SNMP group name of the user
Security model: SNMP group security mode, which can be AuthPriv (authentication with privacy), AuthnoPriv (authentication without privacy), or noAuthnoPriv (no authentication, no privacy)
Readview: Read-only MIB view corresponding to the SNMP group...
Examples # Display the statistics on SNMP packets.
<Sysname> display snmp-agent statistics
1276 Messages delivered to the SNMP entity
0 Messages which were for an unsupported version
0 Messages which used a SNMP community name not known
0 Messages which represented an illegal operation for the community supplied
0 ASN.1 or BER errors in the process of decoding
1291 Messages passed from the SNMP entity
0 SNMP PDUs which had badValue error-status...
SNMP PDUs which had genErr error-status: The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is `genErr'.
SNMP PDUs which had noSuchName error-status: The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for...
For the detailed configuration, refer to the snmp-agent sys-info command. By default, the contact information of a Switch 5500-EI is "3Com Corporation.", the geographical location is "Marlborough, MA 01752 USA", and the SNMP version employed is SNMPv3.
SNMPv3 display snmp-agent trap-list Syntax display snmp-agent trap-list View Any view Parameters None Description Use the display snmp-agent trap-list command to display the modules that can generate traps and whether the sending of traps is enabled on the modules. If a module contains multiple submodules, the trap function of the entire module is displayed as enabled as long as the trap function of any of the submodules is enabled.
Parameters engineid: Engine ID, a string of 10 to 64 hexadecimal digits. user-name: SNMPv3 username, a string of 1 to 32 characters. group-name: Name of an SNMP group, a string of 1 to 32 characters. Description Use the display snmp-agent usm-user command to display the information about a specific type of SNMPv3 users.
enable snmp trap updown Syntax enable snmp trap updown undo enable snmp trap updown View Ethernet port view, interface view Parameters None Description Use the enable snmp trap updown command to enable the sending of port/interface linkUp/linkDown traps. Use the undo enable snmp trap updown command to disable the sending of linkUp/linkDown traps. By default, the sending of port/interface linkUp/linkDown traps is enabled.
Description Use the snmp-agent command to enable the SNMP agent. Use the undo snmp-agent command to disable the SNMP agent. Executing the snmp-agent command, or any of the commands used to configure the SNMP agent, starts the SNMP agent. By default, the SNMP agent is disabled.
Description Use the snmp-agent calculate-password command to convert a plain-text password into its cipher-text form with the specified algorithm. When creating an SNMPv3 user, if you want to specify the authentication or privacy password in cipher text, first generate the cipher-text password with this command using the same algorithm, then copy the generated value into the user definition.
Description Use the snmp-agent community command to create an SNMP community. SNMPv1 and SNMPv2c use the community name to restrict access rights. You can use this command to configure a community name, its read or write access right, and an ACL that limits which NMSs may use it. Use the undo snmp-agent community command to remove an SNMP community.
write-view: Read-write view name, a string of 1 to 32 characters. By default, no write view is configured, namely, the NMS cannot perform the write operation on the MIB objects of the device. notify-view: Notification view name in which traps can be sent, a string of 1 to 32 characters. By default, no notify view is configured, namely, the agent will not send traps to the NMS.
Group name: v3group Security model: v3 AuthPriv Readview: ViewDefault Writeview: <no specified> Notifyview :<no specified> Storage-type: nonVolatile Acl:2001 snmp-agent local-engineid Syntax snmp-agent local-engineid engineid undo snmp-agent local-engineid View System view Parameters engineid: Engine ID, an even number of hexadecimal characters, in the range 10 to 64. Description Use the snmp-agent local-engineid command to set an engine ID for the local SNMP entity.
Parameters set-operation: Logs the set operations. get-operation: Logs the get operations. all: Logs both the set operations and get operations. Description Use the snmp-agent log command to enable network management operation logging. Use the undo snmp-agent log command to disable network management operation logging. By default, network management operation logging is disabled.
view-name: View name. oid-tree: MIB subtree to include in or exclude from the view. It can be specified as the OID of a node (such as 1.4.5.3.1) or as the name of a node (such as system). mask mask-value: Mask of the MIB subtree, an even number of hexadecimal characters, in the range 2 to 32.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname]snmp-agent community read rip2read mib-view rip2 [Sysname]snmp-agent community write rip2write mib-view rip2 # Create an SNMP MIB view with the name of view-a, MIB subtree of 1.3.6.1.5.4.3.4 and subtree mask of FE.
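The mask in the view-a example above is easy to misread, so here is the membership test it implies, as an added example that is not code from the manual. It implements the RFC 3415 vacmViewTreeFamily rule that the snmp-agent mib-view mask follows: each mask bit covers one sub-identifier of the subtree (1 = must match, 0 = wildcard), bits beyond the mask count as 1, and when several view entries match an OID the longest subtree wins, then the greatest mask. The view name and the subtree/mask FE are the ones on this page; the OIDs tested against it and the second view (mib-2 without the ip group) are constructed.

```python
"""SNMP MIB-view membership test with a subtree mask (RFC 3415 vacmViewTreeFamily).

Added example, not code from the manual. Shows what the mask argument of
snmp-agent mib-view means. The view-a subtree and mask FE are from this page;
the OIDs checked and VIEW_NO_IP are constructed. An empty mask is treated as
all ones (RFC default) so that the constructed view needs no mask.
"""
from typing import Iterable

Oid = tuple[int, ...]


def parse_oid(text: str) -> Oid:
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex: str, length: int) -> tuple[bool, ...]:
    """Expand a hex mask (e.g. 'fe') to one must-match flag per subtree sub-identifier."""
    bits = [bool((byte >> shift) & 1)
            for byte in bytes.fromhex(mask_hex)
            for shift in range(7, -1, -1)]
    return tuple((bits + [True] * length)[:length])   # missing bits are 1


def in_subtree(oid: Oid, subtree: Oid, mask_hex: str) -> bool:
    """True if oid lies under subtree, honouring wildcard (0) mask bits."""
    if len(oid) < len(subtree):
        return False
    flags = mask_bits(mask_hex, len(subtree))
    return all(not must_match or o == s for o, s, must_match in zip(oid, subtree, flags))


def view_allows(view: Iterable[tuple[str, str, str]], oid_text: str) -> bool:
    """Resolve an OID against a view given as (subtree, mask_hex, 'included'|'excluded') entries."""
    oid = parse_oid(oid_text)
    best_key, best_kind = None, None
    for subtree_text, mask_hex, kind in view:
        subtree = parse_oid(subtree_text)
        if not in_subtree(oid, subtree, mask_hex):
            continue
        # Longest subtree wins; on a tie the lexicographically greatest mask wins.
        key = (len(subtree), mask_bits(mask_hex, len(subtree)))
        if best_key is None or key > best_key:
            best_key, best_kind = key, kind
    return best_kind == "included"


# The page's example: subtree 1.3.6.1.5.4.3.4 with mask FE (1111 1110), so the
# 8th sub-identifier (the trailing 4) is a wildcard.
VIEW_A = [("1.3.6.1.5.4.3.4", "fe", "included")]

# Constructed: all of mib-2 readable except the ip group (1.3.6.1.2.1.4).
VIEW_NO_IP = [("1.3.6.1.2.1", "", "included"),
              ("1.3.6.1.2.1.4", "", "excluded")]

if __name__ == "__main__":
    for oid in ("1.3.6.1.5.4.3.4.1", "1.3.6.1.5.4.3.9.1", "1.3.6.1.5.4.2.4", "1.3.6.1.5.4.3"):
        print(oid, view_allows(VIEW_A, oid))
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.4.21.1"):
        print(oid, view_allows(VIEW_NO_IP, oid))
```

The practical point: a wildcard bit widens a view to every sibling of that node, so a mask such as FE on an 8-component subtree exposes 1.3.6.1.5.4.3.x for every x, not just .4. Check a write view this way before binding it to a community or group.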
Multiple SNMP versions can run on the device at the same time to allow access from different NMSs. By default, the contact information of a Switch 5500-EI is "3Com Corporation.", the geographical location is "Marlborough, MA 01752 USA", and the SNMP version employed is SNMPv3.
# Before the configuration of the extended trap function, the trap information is as follows when a link is down: #Apr 2 05:53:15:883 2000 3Com L2INF/2/PORT LINK STATUS CHANGE:- 1 - Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227634, ifAdminStatus is 2, ifOperStatus is 2 #Apr 2 05:53:16:094 2000 3Com IFNET/5/TRAP:- 1 -1.3.6.1.6.3.1.1.5.3(linkDown) Interface 31...
snmp-agent trap life Syntax snmp-agent trap life seconds undo snmp-agent trap life View System view Parameters seconds: SNMP trap aging time (in seconds) to be set, ranging from 1 to 2,592,000. Description Use the snmp-agent trap life command to set the SNMP trap aging time. SNMP traps exceeding the aging time will be discarded.
After a trap is generated, it will enter the trap queue to be sent. The length of a trap queue decides the maximum number of traps in the queue. When a trap queue reaches the configured length, the newly generated traps will enter the queue, and the traps generated the earliest will be discarded. Related commands: snmp-agent trap enable, snmp-agent target-host, and snmp-agent trap life.
[Sysname] snmp-agent usm-user v2c userv2c readCom Specify the SNMP version of the NMS as SNMPv2c, fill the write community name field with userv2c. Then the NMS can access the agent. # Create an SNMPv2c user userv2c in group readCom, permitting only the NMS with an IP address 1.1.1.1 to access the agent, and denying the access of other NMSs.
priv-password: Privacy (encryption) password. In plain text it is a string of 1 to 64 characters; in cipher text it is 32 hexadecimal characters if the MD5 algorithm is used, or 40 hexadecimal characters if the SHA algorithm is used. acl-number: Binds the user to an ACL, where acl-number is the ACL number, in the range 2000 to 2999.
# Add a user named testUser to the SNMPv3 group named testGroup. Set the security mode to authentication with privacy, the authentication algorithm to md5, the privacy algorithm to des56, the plain text authentication password to authkey, the plain text privacy password to prikey. <Sysname>...
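The cipher-text password lengths given for snmp-agent usm-user (32 hexadecimal characters with MD5, 40 with SHA) are the lengths of an RFC 3414 localized key, which is what snmp-agent calculate-password is assumed here to produce from a plain-text password and the local engine ID. The following is an added example, not code from the manual or the 3Com software, that performs that derivation with the standard library and checks it against the RFC 3414 Appendix A test vectors; the second engine ID used at the end is constructed.

```python
"""SNMPv3 password-to-key and key localization (RFC 3414, Appendix A).

Added example, not code from the 3Com manual. It assumes the cipher-text form
produced by snmp-agent calculate-password is the RFC 3414 localized key (Kul):
16 bytes / 32 hex digits for MD5, 20 bytes / 40 hex digits for SHA-1, matching
the lengths given for cipher-text passwords. The engine ID and password used
in main() are the RFC 3414 test vectors; the second engine ID is constructed.
"""
import hashlib

ONE_MEBIBYTE = 1_048_576

# Algorithm keywords of the snmp-agent usm-user command, mapped to hashlib names
ALGORITHMS = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated out to exactly 1 MiB (Ku)."""
    if not password:
        raise ValueError("password must not be empty")
    stream = (password * (ONE_MEBIBYTE // len(password) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(ALGORITHMS[algorithm], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku), binding the key to one engine."""
    return hashlib.new(ALGORITHMS[algorithm], ku + engine_id + ku).digest()


def calculate_password(password: str, engine_id_hex: str, algorithm: str) -> str:
    """Hex localized key for a plain-text password, the form pasted into usm-user."""
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_key(password.encode(), algorithm)
    return localize_key(ku, engine_id, algorithm).hex()


if __name__ == "__main__":
    # RFC 3414 A.3 test vectors: password "maplesyrup", engine ID 00..00 02
    rfc_engine = "000000000000000000000002"
    for alg in ("md5", "sha"):
        print(alg, calculate_password("maplesyrup", rfc_engine, alg))
    # A different engine ID gives a different localized key for the same
    # password: changing snmp-agent local-engineid invalidates every user
    # whose password was entered in cipher text. (Constructed engine ID.)
    print("md5", calculate_password("maplesyrup", "800007db03000fe20f3901", "md5"))
```

Two consequences for operations: the same password entered on two switches with different engine IDs produces different cipher-text values, so cipher-text passwords cannot be copied between devices, and anyone who can read the cipher-text value from a configuration backup holds the key itself, so configuration files with usm-user lines deserve the same protection as the plain-text password.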
RMON Configuration Commands RMON Configuration Commands display rmon alarm Syntax display rmon alarm [ entry-number ] View Any view Parameters entry-number: Alarm entry index, in the range 1 to 65535. Description Use the display rmon alarm command to display the configuration of a specified alarm entry or all the alarm entries.
Sampling interval: Sampling interval, in seconds. The system performs absolute or delta sampling on the sampled node at this interval.
Rising threshold: Rising threshold. When the sampled value equals or exceeds the rising threshold, an alarm is triggered.
Falling threshold.
Event table 1 owned by user1 is VALID.
Description: null.
Will cause log-trap when triggered, last triggered at 0days 00h:02m:27s.
Table 2-2 display rmon event command output description
Event table: Index of an entry in the RMON event table
VALID: The status of the entry identified by the index is valid.
less than(or =) 100 with alarm value 0. Alarm sample type is absolute.
Table 2-3 display rmon eventlog command output description
Event table: Index of an entry in the RMON event table
VALID: The status of the entry identified by the index is valid.
History control entry 1 owned by user1 is VALID
Samples interface : Ethernet1/0/1<ifIndex.4227625>
Sampling interval : 5(sec) with 10 buckets max
Latest sampled values :
Dropevents , octets : 10035
packets : 64 , broadcast packets : 35
multicast packets : 8 , CRC alignment errors : 0
undersize packets : 0 , oversize packets...
View Any view Parameters prialarm-entry-number: Extended alarm entry Index, in the range 1 to 65,535. Description Use the display rmon prialarm command to display the configuration of an RMON extended alarm entry. If you do not specify the prialarm-entry-number argument, the configuration of all the extended alarm entries is displayed.
Linked with event: Event index corresponding to an alarm
When startup enables: The condition under which an alarm is triggered (risingOrFallingAlarm in the sample output), which can be:
risingOrFallingAlarm: An alarm is triggered when the rising or falling threshold is reached.
risingAlarm: An alarm is triggered when the rising threshold is reached.
Parameters entry-number: Index of the alarm entry to be added/removed, in the range 1 to 65535. alarm-variable: Alarm variable, a string comprising 1 to 256 characters in dotted node OID format (such as 1.3.6.1.2.1.2.1.10.1). Only the variables that can be resolved to ASN.1 INTEGER data type (that is, INTEGER, Counter, Gauge, or TimeTicks) can be used as alarm variables.
Comparison: The sample value is smaller than the set lower threshold (threshold-value2)
Operation: Triggering the event identified by the event-entry2 argument
Before adding an alarm entry, you need to use the rmon event command to define the events to be referenced by the alarm entry.
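How the rmon alarm parameters interact is easier to see in code than in the table, in particular the hysteresis rule of the RFC 2819 alarm group: once the rising event has fired, it cannot fire again until the sampled value has come back down to the falling threshold (and the other way round), and the startup-alarm value shown by display rmon alarm decides whether the very first sample may fire. The following state machine is an added example, not code from the manual or the switch; threshold comparisons follow the display rmon alarm field description on this page (rising: equals or exceeds, falling: equals or falls below), and the readings fed to it are constructed.

```python
"""RMON alarm evaluation (RFC 2819 alarm group) as a small state machine.

Added example, not code from the manual. Models the rmon alarm parameters:
absolute vs delta sampling, rising/falling thresholds with their event indexes
(event-entry1 / event-entry2), the startup-alarm setting, and the hysteresis
rule between rising and falling events. Readings are constructed.
"""
from typing import Optional

RISING, FALLING, BOTH = "risingAlarm", "fallingAlarm", "risingOrFallingAlarm"


class RmonAlarm:
    def __init__(self, sample_type: str, rising: int, falling: int,
                 rising_event: int, falling_event: int, startup: str = BOTH):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if startup not in (RISING, FALLING, BOTH):
            raise ValueError("bad startup-alarm value")
        self.sample_type = sample_type
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.startup = startup
        self.last_raw: Optional[int] = None   # previous counter reading (delta mode)
        self.first = True                    # no sample compared yet
        self.rising_armed = True             # a rising event may be generated
        self.falling_armed = True            # a falling event may be generated

    def sample(self, raw: int) -> Optional[list[int]]:
        """Feed one reading of the alarm variable; return the event indexes fired.

        Returns None while delta sampling still needs a second reading.
        """
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw

        fired: list[int] = []
        if self.first:
            # RFC 2819 alarmStartupAlarm: the first sample may fire at once and
            # in any case sets the hysteresis state for the samples that follow.
            self.first = False
            if value >= self.rising:
                self.rising_armed = False
                if self.startup in (RISING, BOTH):
                    fired.append(self.rising_event)
            elif value <= self.falling:
                self.falling_armed = False
                if self.startup in (FALLING, BOTH):
                    fired.append(self.falling_event)
            return fired

        if self.rising_armed and value >= self.rising:
            fired.append(self.rising_event)
            self.rising_armed, self.falling_armed = False, True   # re-arm only via falling
        elif self.falling_armed and value <= self.falling:
            fired.append(self.falling_event)
            self.falling_armed, self.rising_armed = False, True   # re-arm only via rising
        return fired


def run(alarm: RmonAlarm, readings: list[int]) -> list[Optional[list[int]]]:
    """Feed a series of readings and collect what fired at each step."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Absolute sampling of a gauge: rising 100 -> event 1, falling 50 -> event 2
    print(run(RmonAlarm("absolute", 100, 50, 1, 2), [60, 120, 130, 80, 40, 120]))
    # Delta sampling of a counter: alarm when >= 100 new counts arrive in one
    # interval, re-arm once the per-interval increase drops to <= 50.
    print(run(RmonAlarm("delta", 100, 50, 1, 2), [0, 30, 180, 250, 255]))
```

The hysteresis is why a single alarm entry does not flood the NMS with traps while a counter hovers around the rising threshold, and why the falling threshold must be chosen deliberately rather than set equal to the rising one.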
description string: Specifies the event description, a string of 1 to 127 characters. log: Logs events. trap: Sends traps to the NMS. trap-community: Community name of the NMS that receives the traps, a string of 1 to 127 characters. log-trap: Logs the event and sends traps to the NMS. log-trapcommunity: Community name of the NMS that receives the traps, a character string of 1 to 127 characters.
Description Use the rmon history command to add an entry to the history control table. If you do not specify the owner text keyword/argument combination, the owner of the entry is displayed as “null”. Use the undo rmon history command to remove an entry from the history control table. You can use the rmon history command to sample a specific port.
threshold-value2: Lower threshold, in the range 0 to 2147483647. event-entry2: Index of the event entry that corresponds to the falling threshold, in the range 0 to 65535. forever: Specifies the corresponding RMON alarm instance is valid permanently. cycle: Specifies the corresponding RMON alarm instance is valid periodically. cycle-period: Life time (in seconds) of the RMON alarm instance, in the range 0 to 2147483647.
Falling threshold: 5 Event 1 is triggered when the change ratio is larger than the rising threshold. Event 2 is triggered when the change ratio is less than the falling threshold. The alarm entry is valid forever. Entry owner: user1 <Sysname>...
For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry already exists for a given port, you cannot create another statistics entry with a different index for that port. You can use the display rmon statistics command to display the information about the statistics entry.
Table of Contents
1 UDP Helper Configuration Commands 1-1
UDP Helper Configuration Commands 1-1
display udp-helper server 1-1
reset udp-helper packet 1-1
udp-helper enable 1-2
udp-helper port 1-2
udp-helper server 1-4
udp-helper ttl-keep enable 1-4...
View User view Parameters None Description Use the reset udp-helper packet command to clear UDP Helper statistics. Examples # Clear UDP Helper statistics. <Sysname> reset udp-helper packet udp-helper enable Syntax udp-helper enable undo udp-helper enable View System view Parameters None Description Use the udp-helper enable command to enable UDP Helper function.
undo udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time } View System view Parameters port-number: Number of the UDP port whose broadcast packets are to be forwarded, in the range 0 to 65535, excluding 67 and 68 (the BOOTP/DHCP ports).
[Sysname] undo udp-helper port 53 udp-helper server Syntax udp-helper server ip-address undo udp-helper server [ ip-address ] View VLAN interface view Parameters ip-address: IP address of the destination server, in dotted decimal notation. Description Use the udp-helper server command to specify the destination server to which the UDP packets are to be forwarded.
Description Use the udp-helper ttl-keep enable command to enable the UDP Helper TTL-keep function. With this function enabled, UDP Helper forwards broadcasts whose TTL field is 1 without decrementing the TTL. Use the undo udp-helper ttl-keep enable command to restore the default. By default, the UDP Helper TTL-keep function is disabled.
NTP Configuration Commands To protect unused sockets against attacks by malicious users and improve security, 3Com S5500-EI series Ethernet switches provide the following functions: UDP port 123 is opened only when the NTP feature is enabled, and is closed when the NTP feature is disabled.
Examples # View the brief information of all sessions maintained by NTP services.
<Sysname> display ntp-service sessions
source reference stra reach poll now offset delay disper
*************************************************************************
[12345]3.0.1.32 LOCL -14.3 12.9
[25]3.0.1.31 127.127.1.0 1 4408.6 38.7
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations :
Table 1-1 display ntp-service sessions command output description Field...
Field Description Total associations Total number of associations An S5500-EI series switch does not establish a session with its client when it works in the NTP server mode, but does so when it works in other NTP implementation modes. display ntp-service status Syntax display ntp-service status View...
Reference clock ID: Address of the remote server or ID of the reference clock after the local clock is synchronized to a remote NTP server or a reference clock
Nominal frequency: Nominal frequency of the local hardware clock, in Hz.
Table 1-3 display ntp-service trace command output description
server: IP address of the NTP server
stratum: The stratum level of the corresponding system clock
offset: The clock offset relative to the upper-level clock, in milliseconds.
synch distance: The synchronization distance relative to the upper-level clock, in seconds
Identifier of the primary reference source.
NTP service access-control rights from the highest to the lowest are peer, server, synchronization, and query. When a local NTP server receives an NTP request, it performs an access-control right match and uses the first matched right. The ntp-service access command provides only a minimal degree of security, since it matches on source addresses that can be spoofed. A more secure approach is to perform identity authentication (see ntp-service authentication-keyid).
ntp-service authentication-keyid Syntax ntp-service authentication-keyid key-id authentication-mode md5 value undo ntp-service authentication-keyid key-id View System view Parameters key-id: Authentication key ID, in the range of 1 to 4294967295. You can configure up to 1024 keys. value: Authentication key string. You can input 1 to 16 simple text characters, or 24 cipher text characters.
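What the key configured with ntp-service authentication-keyid actually protects is shown below, as an added example that is not code from the manual or the switch. NTP symmetric-key authentication appends a 20-byte MAC to the 48-byte header: the 32-bit key ID followed by MD5 over the key string and the packet (plain keyed MD5, not HMAC, as NTP defines it). The receiver looks the key ID up in its table of trusted keys, which is the role of ntp-service reliable authentication-keyid on this platform, so a packet carrying a key ID that was never declared reliable fails even when the digest is valid. The key ID, key string and request packet are constructed.

```python
"""NTP symmetric-key authentication: keyid + MD5(key || packet) MAC.

Added example, not code from the manual. Builds a bare NTP client request,
signs it with a shared key the way the MD5 authentication mode of
ntp-service authentication-keyid does, and verifies it against a trusted
key table. The key ID, key string and request are constructed. Only the
48-byte header plus 20-byte MAC layout is handled (no extension fields).
"""
import hashlib
import hmac
import struct
from typing import Optional

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16            # key identifier + MD5 digest
MODE_CLIENT = 3


def build_client_packet(version: int = 3, transmit_ts: int = 0) -> bytes:
    """Minimal NTP client request: LI=0, given version, mode 3, zeroed timestamps."""
    li_vn_mode = (version << 3) | MODE_CLIENT
    header = struct.pack("!BBBbIII", li_vn_mode, 0, 6, -20, 0, 0, 0)   # 16 bytes
    timestamps = bytes(24) + struct.pack("!Q", transmit_ts)            # ref/orig/recv + xmt
    return header + timestamps


def sign(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append keyid + MD5(key || packet) as the NTP MAC."""
    if len(packet) != NTP_HEADER_LEN:
        raise ValueError("expected a bare 48-byte NTP header")
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message: bytes, trusted_keys: dict[int, bytes]) -> tuple[bool, Optional[int]]:
    """Check the MAC against the trusted key table; return (ok, key_id seen)."""
    if len(message) != NTP_HEADER_LEN + MAC_LEN:
        return False, None                     # no MAC, or an unsupported MAC length
    packet = message[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", message[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = message[NTP_HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, key_id                  # key ID unknown or not declared reliable
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, digest), key_id


def flip_byte(message: bytes, index: int) -> bytes:
    """Corrupt one byte (constructed tamper case for the verifier)."""
    return message[:index] + bytes([message[index] ^ 0x01]) + message[index + 1:]


if __name__ == "__main__":
    trusted = {4: b"sw-ntp-key-4"}            # constructed: keyid 4, plain-text key string
    request = sign(build_client_packet(), 4, trusted[4])
    print(len(request), verify(request, trusted))        # 68 (True, 4)
    print(verify(flip_byte(request, 40), trusted))       # digest no longer matches
    print(verify(request, {5: b"other"}))                # key ID 4 not in the trusted table
```

The MAC authenticates the packet but does not encrypt it and does not stop replay on its own, and MD5 is a legacy choice; it is nevertheless far stronger than the source-address matching of ntp-service access, because the attacker must hold the key string rather than merely spoof an address.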
Use the undo ntp-service broadcast-client command to remove the configuration.
By default, no NTP operation mode is configured.
Examples
# Configure the switch to operate in the broadcast client mode and receive NTP broadcast packets through VLAN-interface 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
View
VLAN interface view
Parameters
None
Description
Use the ntp-service in-interface disable command to disable the interface from receiving NTP packets.
Use the undo ntp-service in-interface disable command to restore the default.
By default, the interface can receive NTP packets.
Examples
# Disable VLAN-interface 1 from receiving NTP packets.
ntp-service multicast-client
Syntax
ntp-service multicast-client [ ip-address ]
undo ntp-service multicast-client [ ip-address ]
View
VLAN interface view
Parameters
ip-address: Multicast IP address, in the range of 224.0.1.0 to 224.0.1.255. The default IP address is 224.0.1.1.
Description
Use the ntp-service multicast-client command to configure an Ethernet switch to operate in the NTP multicast client mode and receive NTP multicast packets through the current interface.
Description
Use the ntp-service multicast-server command to configure an Ethernet switch to operate in the NTP multicast server mode and send NTP multicast packets through the current interface.
Use the undo ntp-service multicast-server command to remove the configuration.
By default, no NTP operation mode is configured.
Examples
# Configure the switch to send NTP multicast packets through VLAN-interface 1, and set the multicast group address to 224.0.1.2, the keyid to 4, and the NTP version number to 2.
[Sysname] ntp-service reliable authentication-keyid 37
ntp-service source-interface
Syntax
ntp-service source-interface Vlan-interface vlan-id
undo ntp-service source-interface
View
System view
Parameters
vlan-interface vlan-id: Specifies an interface. The IP address of the interface serves as the source IP address of sent NTP packets. The vlan-id argument indicates the ID of the specified VLAN interface.
Description
Use the ntp-service source-interface command to specify a VLAN interface through which NTP packets are to be sent.
priority: Specifies the peer identified by the remote-ip argument as the preferred peer for synchronization.
source-interface Vlan-interface vlan-id: Specifies an interface whose IP address serves as the source IP address of NTP packets sent to the peer. vlan-id is the VLAN interface number.
version number: Specifies the NTP version number.
Page 975
authentication-keyid key-id: Specifies the key ID used for sending packets to the NTP server. The key-id argument ranges from 1 to 4294967295.
priority: Specifies the server identified by the remote-ip or the server-name argument as the preferred server.
source-interface Vlan-interface vlan-id: Specifies an interface whose IP address serves as the source IP address of NTP packets sent by the local switch to the server.
SSH Commands
In this document, you can distinguish the local and peer as follows: if the local is an SSH server, the peer is an SSH client; if the local is an SSH client, the peer is an SSH server.
display public-key local
Syntax...
=====================================================
Time of Key pair created: 23:48:36 2000/04/03
Key name: Sysname_Server
Key type: RSA encryption Key
=====================================================
Key code:
# Display the public key of the current switch’s DSA key pair.
<Sysname> display public-key local dsa public
=====================================================
Time of Key pair created: 08:01:23 2000/04/02...
Page 979
Description Use the display public-key peer command to display information about locally saved public keys of the SSH peers. If no key name is specified, the command displays detailed information about the locally saved public keys of all SSH peers. The display public-key peer command on the SSH server displays the locally saved public keys of SSH clients while the command on the SSH client displays the locally saved keys of the SSH servers.
display rsa local-key-pair public
Syntax
display rsa local-key-pair public
View
Any view
Parameters
None
Description
Use the display rsa local-key-pair public command to display the public keys of the current switch’s RSA key pairs. If no key pair has been generated, the system displays a message telling you that no RSA keys are found.
D0FC303F 51072D6C B5D0054D 3673EBA0 A4748984 5EBF6EBE CF6A13B1 C7858241 A2A9AA79 0203 010001
After you complete the RSA key pair generation task:
If the switch is working in SSH1-compatible mode, there should be two public keys generated (that is, the host public key and the server public key), and the display rsa local-key-pair public command should display those two public keys.
Examples
# Display brief information about all peer public keys.
<Sysname> display rsa peer-public-key brief
Type Module Name
---------------------------
1023 1024
# Display the information about public key “abcd”.
<Sysname> display rsa peer-public-key name abcd
=====================================
Key name : abcd
Key type : RSA
Key module: 1024...
SSH Authentication retries : 3 times
SFTP Server: Disable
SFTP idle timeout : 10 minutes
If you use the ssh server compatible-ssh1x enable command to configure the server to be compatible with SSH1.x clients, the SSH version will be displayed as 1.99. If you use the undo ssh server compatible-ssh1x command to configure the server to be not compatible with SSH1.x clients, the SSH version will be displayed as 2.0.
If an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for authentication. If the authentication fails, you can use the display ssh server-info command to check whether the locally saved public key of the server is correct. Related commands: ssh client assign, ssh client first-time enable.
[Sysname] ssh user client authentication-type publickey
# Configure SFTP as the service type for the SSH user.
[Sysname] ssh user client service-type sftp
# Assign the public key test to the SSH user.
[Sysname] ssh user client assign publickey test
# Display information about the SSH user configured on the SSH server.
Description Use the display ssh-server source-ip command to display the current source IP address or the IP address of the source interface specified for the SSH server. If neither source IP address nor source interface is specified, the command displays 0.0.0.0. Related commands: ssh-server source-ip.
ssh: Supports only SSH.
Description
Use the protocol inbound command to configure specific user interface(s) to support the specified protocol(s). The configuration takes effect at the next user login.
By default, both SSH and Telnet are supported.
As SSH clients access the SSH server through VTY user interfaces, you need to configure the VTY user interfaces of the SSH server to support remote SSH login.
Page 988
Description
Use the public-key local create command to create a local DSA key pair or RSA key pairs.
Note that:
Generating the RSA and DSA key pairs on the server is a prerequisite to SSH login.
After entering this command, you will be prompted to provide the length of the key modulus. The length is in the range 512 to 2048 bits and defaults to 1024 bits.
307C300D06092A864886F70D0101010500036B003068026100A3B63F5B0E5470D9FE2005450342011FEDE2A9
24C71EB19E28D257E43EF7E531D7C37FBB157712A2F2AF0F5BAF3E60595496C5B3EAFF25BFB56F1E1CC7A700
4D0FF048654BFEADB21C5AF3E24FB0516393BFEEF65A83B7416F170886904C8BE30203010001
# Create a DSA key pair.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
rsa: Specifies the RSA key pair.
Description
Use the public-key local destroy command to destroy the key pairs generated for the current switch. If the key pair does not exist, the system displays a message telling you no such key pair exists.
Related commands: public-key local create.
SSH1, SSH2, and OpenSSH are three public key formats. You can choose one as required. For example, to export the RSA host public key to a file in the SSH1 format, use the public-key local export rsa ssh1 filename command. The host public key displayed on the screen is in an untransformed format and cannot be used directly as the public key data for public key configuration.
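Because the displayed host public key cannot be pasted into a configuration as-is, an administrator who wants to compare it with what an SSH client reports has to decode it. The added example below (not part of the manual) parses the DER key code that display public-key local rsa public prints, using the RSA key code from the manual's example output, and renders it as the OpenSSH public-key line and SHA256 fingerprint a client shows when it asks whether to trust a server key.

```python
import base64
import hashlib
# Key code from the manual's "display public-key local rsa public" example output: a
# DER-encoded SubjectPublicKeyInfo for rsaEncryption, shown as hex.
KEY_CODE = (
    "307C300D06092A864886F70D0101010500036B003068026100A3B63F5B0E5470D9FE2005450342011FEDE2A9"
    "24C71EB19E28D257E43EF7E531D7C37FBB157712A2F2AF0F5BAF3E60595496C5B3EAFF25BFB56F1E1CC7A700"
    "4D0FF048654BFEADB21C5AF3E24FB0516393BFEEF65A83B7416F170886904C8BE30203010001"
)
RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the size of the length field
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_key_code(hex_code):
    """Return (n, e) from a hex SubjectPublicKeyInfo; raise on malformed input."""
    der = bytes.fromhex("".join(hex_code.split()))
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    alg_tag, alg, pos = _tlv(spki, 0)
    oid_tag, oid, _ = _tlv(alg, 0)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    bits_tag, bits, _ = _tlv(spki, pos)          # BIT STRING; first byte = unused bits
    seq_tag, rsapub, _ = _tlv(bits, 1)           # RSAPublicKey ::= SEQUENCE { n, e }
    n_tag, n_bytes, pos = _tlv(rsapub, 0)
    e_tag, e_bytes, _ = _tlv(rsapub, pos)
    if (bits_tag, bits[:1], seq_tag, n_tag, e_tag) != (0x03, b"\x00", 0x30, 0x02, 0x02):
        raise ValueError("RSAPublicKey structure is malformed")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def _mpint(x):
    """SSH mpint: length-prefixed big-endian bytes, leading 0x00 if the top bit is set."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    raw = (b"\x00" if raw[0] & 0x80 else b"") + raw
    return len(raw).to_bytes(4, "big") + raw

def openssh_forms(n, e):
    """Return (known_hosts/authorized_keys line, SHA256 fingerprint) as OpenSSH shows them."""
    blob = len(b"ssh-rsa").to_bytes(4, "big") + b"ssh-rsa" + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return line, fingerprint
```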
Page 992
openssh: Uses the format of OpenSSH.
ssh2: Uses the format of SSH2.
filename: Name of the file for saving the public key, a string of 1 to 142 characters. For file naming rules, refer to File System Management Command.
Description
Use the public-key local export dsa command to export the current switch’s DSA key pair to a specified file.
---- END SSH2 PUBLIC KEY ----
# Export the public key in OpenSSH format.
<Sysname> system-view
[Sysname] public-key local export dsa openssh key.pub
public-key peer
Syntax
public-key peer keyname
undo public-key peer keyname
View
System view
Parameters
keyname: Name of the public key, a string of 1 to 64 characters.
public-key peer import sshkey
Syntax
public-key peer keyname import sshkey filename
undo public-key peer keyname
View
System view
Parameters
keyname: Name of the public key, a string of 1 to 64 characters.
filename: Name of a public key file, a string of 1 to 142 characters. For file naming rules, refer to File System Management Command.
Input the bits in the modulus[default = 1024]:
Generating keys..........++++++ ..++++++ ....++++++++ ..++++++++ ..
[Sysname] public-key local export rsa ssh2 pub
# Send the public key file of the SSH client to the SSH server using FTP or TFTP. The configuration is omitted.
# On the SSH server, import the SSH client's public key from the public key file, and then assign the public key to the SSH client.
[Sysname-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[Sysname-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[Sysname-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[Sysname-rsa-key-code] public-key-code end
[Sysname-rsa-public-key]
public-key-code end
Syntax
public-key-code end
View
Public key edit view
Parameters
None
Description
Use the public-key-code end command to return from public key edit view to public key view and save the public key you input.
rsa local-key-pair create
Syntax
rsa local-key-pair create
View
System view
Parameters
None
Description
Use the rsa local-key-pair create command to generate an RSA key pair for the current switch.
Note that:
After entering this command, you will be prompted to provide the length of the key modulus. The length is in the range 512 to 2048 bits and defaults to 1024 bits.
Examples
# Destroy the current switch’s RSA key pairs.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rsa local-key-pair destroy
% The local-key-pair will be destroyed.
% Confirm to destroy these keys? [Y/N]:y
.....Done!
rsa peer-public-key
Syntax
rsa peer-public-key keyname
undo rsa peer-public-key keyname
View...
rsa peer-public-key import sshkey
Syntax
rsa peer-public-key keyname import sshkey filename
undo rsa peer-public-key keyname
View
System view
Parameters
keyname: Name of the public key to be configured, a string of 1 to 64 characters.
filename: Name of a public key file, a string of 1 to 142 characters. For file naming rules, refer to File System Management Command.
System View: return to User View with Ctrl+Z.
[Sysname] rsa peer-public-key 123 import sshkey abc
ssh authentication-type default
Syntax
ssh authentication-type default { all | password | password-publickey | publickey | rsa }
undo ssh authentication-type default
View
System view
Parameters
all: Specifies either the password authentication or the publickey authentication for SSH users.
Examples
# Specify the publickey authentication as the default authentication mode.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname]ssh authentication-type default publickey
# Create an SSH user.
[Sysname] ssh user user1
# Display information about configured SSH users.
[Sysname] display ssh user-information
Username Authentication-type...