SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V G, V G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
About This Manual

Organization

H3C S3600 Series Ethernet Switches Command Manual-Release 1602 is organized as follows:

Part / Contents
1 CLI: Introduces the commands used for switching between CLI command levels and for command level setting.
2 Login: Introduces the commands used for logging into the Ethernet switch.
Part / Contents
26 QoS-QoS Profile: Introduces the commands used for QoS and QoS profile configuration.
27 Web Cache Redirection: Introduces the commands used for Web cache redirection configuration.
28 Mirroring: Introduces the commands used for port mirroring.
29 IRF Fabric: Introduces the commands used for IRF fabric configuration.
Installation Manual: It provides information for the system installation.

Obtaining Documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com. The following are the columns from which you can obtain different categories of product documentation: [Products &...
Documentation Feedback You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
Table of Contents
1 CLI Configuration Commands 1-1
  CLI Configuration Commands 1-1
    command-privilege level 1-1
    display history-command 1-3
    super 1-4
    super authentication-mode 1-5
    super password 1-5...
Parameters
level level: Command level to be set, in the range of 0 to 3.
view view: CLI view. It can be any CLI view that the Ethernet switch supports. The S3600 series support only the CLI views listed in...
CLI view / Description
hwping: HWPing test group view
hwtacacs: HWTACACS view
ISP domain view
loopback: Loopback interface view
luser: Local user view
manage-vlan: Management VLAN view
msdp: MSDP view, which is supported only by the S3600-EI series
mst-region: MST region view
mtlk-group: Monitor link group view
null...
change a command from a higher level to a lower level so that lower-level users can use the command. Note that lowering the level of a command widens the set of users who can run it, so lower a level only deliberately. The default levels of commands are described in the following table:

Table 1-2 Default levels of commands
Level / Name / Command
Visit level: Commands used to diagnose the network, such as ping, tracert, and...
<Sysname> display history-command
  system-view
  quit
  display history-command

super

Syntax
super [ level ]

View
User view

Parameters
level: User level, in the range of 0 to 3.

Description
Use the super command to switch from the current user level to a specified level. Executing this command without the level argument switches the current user level to level 3 by default.
super authentication-mode

Syntax
super authentication-mode { super-password | scheme }*
undo super authentication-mode

View
User interface view

Parameters
super-password: Adopts super password authentication for low-to-high user level switching.
scheme: Adopts Huawei terminal access controller access control system (HWTACACS) authentication for low-to-high user level switching.

Description
Use the super authentication-mode command to specify the authentication mode used for low-to-high user level switching.
undo super password [ level level ]

View
System view

Parameters
level level: User level, in the range of 1 to 3. It is 3 by default.
cipher: Stores the password in the configuration file in ciphered text.
simple: Stores the password in the configuration file in plain text. Anyone who can view the configuration (for example with display current-configuration) or copy the configuration file off the switch can then read the level-switching password, so prefer cipher.
password: Password to be set.
Login Commands

The commands used to enable or disable the display of copyright information are newly added. Refer to copyright-info enable for related information.

Login Commands

authentication-mode

Syntax
authentication-mode { password | scheme [ command-authorization ] | none }

View
User interface view

Parameters
none: Specifies not to authenticate users. Any host that can reach the user interface then gets a command shell without supplying credentials.
For a VTY user interface, to specify the none keyword or the password keyword for login users, make sure that SSH is not enabled on the user interface. Otherwise, the configuration fails. Refer to the protocol inbound command for related configuration.

To improve security and prevent attacks on unused sockets, TCP port 23 (Telnet) and TCP port 22 (SSH) are opened or closed according to the protocols you configure for the user interfaces.
[Sysname-ui-vty0] quit
# Configure the local authentication username and password.
[Sysname] local-user guest
[Sysname-luser-guest] password simple 123456
[Sysname-luser-guest] service-type telnet level 2
After the configuration, when a user logs in to the switch through VTY0, the user must enter the configured username and password.
Note that these two commands apply to users logging in through the console port and by means of Telnet.

Examples
# Disable copyright information displaying.
**************************************************************************
* Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                             *
* no decompiling or reverse-engineering shall be allowed.                *
**************************************************************************
<Sysname> system-view
System View: return to User View with Ctrl+Z.
View
AUX user interface view

Parameters
7: Sets the databits to 7.
8: Sets the databits to 8.

Description
Use the databits command to set the databits for the user interface. Use the undo databits command to revert to the default databits. The default databits is 8.
When you use the display telnet-server source-ip command to display the source IP address, the primary IP address of an interface is displayed even if you have specified a secondary IP address of the interface as the source IP address.

Examples
# Display the source IP address configured for the switch operating as the Telnet server.
Parameters
type: User interface type, which can be AUX (for AUX user interface) or VTY (for VTY user interface).
number: User interface index. A user interface index can be relative or absolute. In the relative user interface numbering scheme, the type argument is required. In this case, AUX user interfaces are numbered from AUX0 through AUX7;...
Field / Description
Privi: Available command level
Auth: Authentication mode
Physical position of the user interface
Super: The authentication mode used for a user to switch from the current lower user level to a higher level, including S, A, SA and AS.
  S: Super password authentication
  A: HWTACACS authentication...
display users

Syntax
display users [ all ]

View
Any view

Parameters
all: Displays the user information about all user interfaces.

Description
Use the display users command to display the user information about user interfaces. If you do not specify the all keyword, only the user information about the current user interface is displayed.
View
Any view

Parameters
None

Description
Use the display web users command to display information about the current on-line Web users.

Examples
# Display information about the current on-line Web users.
<Sysname> display web users
Name  Language  Level  Login Time  Last Req.
Description
Use the free user-interface command to free a user interface. That is, this command tears down the connection between a user and a user interface. Note that the current user interface cannot be freed.

Examples
# Release user interface VTY 1.
<Sysname>...
# Test the configuration remotely using Telnet (the login banner is displayed only when login authentication is configured).
**************************************************************************
* Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                             *
* no decompiling or reverse-engineering shall be allowed.                *
Welcome to legal!
Press Y or ENTER to continue, N to exit.
Welcome to login!
Login authentication
Password:
Welcome to shell!
<Sysname>

history-command max-size

Syntax
history-command max-size value
undo history-command max-size

View
User interface view

Parameters
value: Size of the history command buffer, ranging from 0 to 256 (in terms of commands).

Description
Use the history-command max-size command to set the size of the history command buffer.
Parameters
minutes: Number of minutes. This argument ranges from 0 to 35,791.
seconds: Number of seconds. This argument ranges from 0 to 59.

Description
Use the idle-timeout command to set the timeout time. The connection to a user interface is terminated if no operation is performed in the user interface within the timeout time. Setting both minutes and seconds to 0 disables the timeout, so an unattended session stays open until it is freed; keep a non-zero timeout on user interfaces that are reachable over the network.
After the Web file is upgraded, you need to use the boot web-package command to specify a new Web file or specify a new Web file from the boot menu after reboot for the Web server to operate properly. Refer to the File System Management part in this manual for information about the boot web-package command.
Again: locked !
In this case, the user interface is locked. To operate the user interface again, you need to press Enter and provide the password as prompted.
Password:
<Sysname>

parity

Syntax
parity { even | none | odd | }
undo parity

View
AUX user interface view...
Description
Use the protocol inbound command to specify the protocols supported by the user interface. Both Telnet and SSH are supported by default. Related commands: user-interface vty.

To improve security and prevent attacks on unused sockets, TCP port 23 (Telnet) and TCP port 22 (SSH) are opened or closed according to the protocols you configure for the user interfaces. Because Telnet carries the login credentials in clear text, restrict user interfaces that are reachable over the network to SSH wherever possible.
Parameters
screen-length: Number of lines the screen can contain. This argument ranges from 0 to 512.

Description
Use the screen-length command to set the number of lines the terminal screen can contain. Use the undo screen-length command to revert to the default number of lines. By default, the terminal screen can contain up to 24 lines.
system, file transfer protocol (FTP), trivial file transfer protocol (TFTP), downloading using XModem, user management, and level setting are at administration level. Refer to CLI for a detailed introduction to command levels.

Examples
# Make level-0 commands available to users logging in with the user name zbr.
<Sysname>...
Description
Use the set authentication password command to set the local password. Use the undo set authentication password command to remove the local password. Note that only plain text passwords are expected when users are authenticated.

By default, password authentication is performed when a user logs in through a modem or Telnet. If no password is set, the user cannot establish a connection with the switch.
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] undo shell
% Disable ui-vty0-4 , are you sure ? [Y/N]y

speed

Syntax
speed speed-value
undo speed

View
AUX user interface view

Parameters
speed-value: Transmission speed (in bps). This argument can be 300, 600, 1200, 2400, 4800, 9600, 19,200, 38,400, 57,600, or 115,200.
Execute these two commands in AUX user interface view only. By default, the stopbits is 1. The S3600 series do not support communication with a terminal emulation program with stopbits set to 1.5. Changing the stop bits value of the switch to a value different from that of the terminal emulation utility does not affect the communication between them.
Trying 129.102.0.1 ...
Press CTRL+K to abort
Connected to 129.102.0.1 ...
**************************************************************************
* Copyright(c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent,                             *
* no decompiling or reverse-engineering shall be allowed.                *
**************************************************************************
<SwitchB>...
telnet source-interface

Syntax
telnet source-interface interface-type interface-number
undo telnet source-interface

View
System view

Parameters
interface-type interface-number: Interface type and interface number.

Description
Use the telnet source-interface command to specify the source interface for a Telnet client. Use the undo telnet source-interface command to remove the specified source interface. The source interface can be a loopback interface or a VLAN interface.
Note that when the telnet source-ip command is executed, if the IP address specified is not an IP address of the local device, the configuration fails.

Examples
# Set the source IP address to 192.168.1.1 for the Telnet client.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
Parameters
ip-address: Source IP address to be set.

Description
Use the telnet-server source-ip command to specify the source Telnet server IP address. Use the undo telnet-server source-ip command to remove the source Telnet server IP address. With the telnet-server source-ip command configured, a client can log in to the local device using the specified IP address only, and the login succeeds only when there is a route between the client and the specified source IP address.
Description
Use the user-interface command to enter one or more user interface views to perform configuration.

Examples
# Enter VTY0 user interface view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0]

user privilege level

Syntax
user privilege level level
undo user privilege level...
Examples
# Configure that commands at level 1 are available to the users logging in to VTY 0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] user privilege level 1
# You can verify the above configuration by Telnetting to VTY 0 and displaying the available commands, as listed in the following.
Commands for User Control

Commands for Controlling Logging-in Users

acl

Syntax
acl acl-number { inbound | outbound }
undo acl acl-number { inbound | outbound }

View
User interface view

Parameters
acl-number: ACL number. This argument can identify different types of ACLs, as listed below.
2000 to 2999, for basic ACLs
3000 to 3999, for advanced ACLs
4000 to 4999, for Layer 2 ACLs...
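The login settings described in this chapter (cipher versus simple password storage, authentication-mode none, the protocol inbound and acl inbound restrictions on a VTY, and the privilege level a VTY grants) are easiest to check across a fleet from saved configurations. The following Python script is an added example and not part of the H3C manual: it audits a configuration in the layout that display current-configuration prints. The configuration text is constructed for illustration, and the one-space indentation of commands under a view and the "#" separators are assumptions about that output layout; the function names are my own.

```python
"""Audit a saved H3C S3600 (Comware 3) configuration for weak login settings.

Added example, not code from the H3C manual. The configuration text below
is constructed; it imitates the layout of `display current-configuration`
(assumed: a view starts at column 0, commands entered in that view are
indented one space, `#` lines separate sections).
"""
import re

SAMPLE_CONFIG = """\
#
 super password level 3 simple h3c123
#
local-user guest
 password simple 123456
 service-type telnet level 2
#
local-user admin
 password cipher XXXXXXXXXXXXXXXX
 service-type ssh level 3
#
user-interface aux 0
user-interface vty 0 1
 authentication-mode none
 user privilege level 3
user-interface vty 2 4
 authentication-mode scheme
 protocol inbound ssh
 acl 2000 inbound
#
"""


def parse_blocks(config_text):
    """Group the configuration into (view, [commands]) pairs.

    A line with no leading whitespace opens a view (`local-user guest`,
    `user-interface vty 0 1`, ...); indented lines are commands entered in
    that view. Commands seen before any view are reported under "system".
    """
    blocks = []
    view, commands = "system", []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0].isspace():
            commands.append(line)
        else:
            blocks.append((view, commands))
            view, commands = line, []
    blocks.append((view, commands))
    return blocks


def audit_config(config_text):
    """Return (view, finding) pairs for the risky settings this chapter covers."""
    findings = []
    for view, commands in parse_blocks(config_text):
        for cmd in commands:
            # `password simple ...` and `super password ... simple ...` leave
            # the secret readable by anyone who can view the configuration.
            if re.search(r"\bpassword\b.*\bsimple\b", cmd):
                findings.append((view, "plain-text password"))
        if not view.startswith("user-interface vty"):
            continue
        if "authentication-mode none" in commands:
            findings.append((view, "logins are not authenticated"))
        if "user privilege level 3" in commands:
            findings.append((view, "level 3 granted to every login on this interface"))
        if not any(c.startswith("acl ") and c.endswith(" inbound") for c in commands):
            findings.append((view, "no inbound ACL restricting login sources"))
        # Both Telnet and SSH are accepted unless `protocol inbound ssh` is set,
        # and Telnet carries the login password in clear text.
        proto = next((c for c in commands if c.startswith("protocol inbound ")),
                     "protocol inbound all")
        if proto != "protocol inbound ssh":
            findings.append((view, "Telnet accepted (" + proto + ")"))
    return findings


if __name__ == "__main__":
    for view, finding in audit_config(SAMPLE_CONFIG):
        print(f"{view}: {finding}")
```

Run against the constructed sample, the script flags the plain-text super password and the guest password, and reports four findings for VTY 0 1 (no authentication, level 3, no ACL, Telnet accepted) while VTY 2 4 is clean. Feed it the output of display saved-configuration from a real switch to audit the startup configuration rather than the running one.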
View
User view

Parameters
all: Specifies all Web users.
user-id: Web user ID, an eight-digit hexadecimal number.
user-name: User name of the Web user. This argument can contain 1 to 80 characters.

Description
Use the free web-users command to disconnect a specified Web user or all Web users by force.

Examples
# Disconnect all Web users by force.
View
System view

Parameters
read: Specifies that the community has read-only permission in the specified view.
write: Specifies that the community has read/write permission in the specified view.
community-name: Community name, a string of 1 to 32 characters.
acl acl-number: Specifies an ACL number for the community. The acl-number argument ranges from 2000 to 2999. Without an ACL, any host that knows the community name can use it, so bind every community, and especially a write community, to an ACL that permits only the management stations.
Parameters
v1: SNMPv1.
v2c: SNMPv2c.
v3: SNMPv3.
group-name: Group name. This argument can be of 1 to 32 characters.
authentication: Specifies to authenticate SNMP data without encrypting the data.
privacy: Authenticates and encrypts packets.
read-view: Name of the view to be set to read-only. This argument can be of 1 to 32 characters.
write-view: Name of the view to be set to readable &...
v2c: SNMPv2c.
v3: SNMPv3.
user-name: User name, a string of 1 to 32 characters.
group-name: Name of the group to which the user corresponds. This argument is a string of 1 to 32 characters.
cipher: Specifies the authentication or encryption password to be in ciphertext.
authentication-mode: Requires authentication.
Configuration File Management Commands

The S3600 series Ethernet switches support Intelligent Resilient Framework (IRF), and allow you to access a file on the switch in one of the following ways: To access a file on a specified unit, you need to enter the file uniform resource locator (URL) starting with unit[No.]>flash:/, where [No.] represents the unit ID of the switch.
system: Indicates the system configuration.
user-interface: Indicates the user interface configuration.
interface: Displays port/interface configuration.
interface-type: Port/interface type, which can be one of the following: Aux, Ethernet, GigabitEthernet, Loopback, NULL and VLAN-interface.
interface-number: Port/interface number.
by-linenum: Displays configuration information with line numbers.
|: Uses a regular expression to filter the configuration of the switch to be displayed.
After you finish a set of configurations, you can execute the display current-configuration command to display the parameters that currently take effect. Note that:
Parameters that are the same as the default are not displayed.
A configured parameter whose corresponding function does not take effect is not displayed.

Related commands: save, reset saved-configuration, display saved-configuration.
display current-configuration vlan

Syntax
display current-configuration vlan [ vlan-id ] [ by-linenum ]

View
Any view

Parameters
vlan vlan-id: VLAN ID, in the range 1 to 4094.
by-linenum: Displays configuration information with line numbers.

Description
Use the display current-configuration vlan command to display the current VLAN configuration of the switch.
Parameters
unit unit-id: Specifies the unit ID of a switch. With this keyword-argument combination specified, this command displays the initial configuration file of the specified unit.
by-linenum: Displays configuration information with line numbers.

Description
Use the display saved-configuration command to display the initial configuration file of a switch. Note that: If the switch starts up without a configuration file, the system displays that no configuration file exists upon execution of the command.
 port hybrid protocol-vlan vlan 3 1
 port hybrid protocol-vlan vlan 3 2
interface Ethernet1/0/4
 mirroring-group 1 monitor-port
interface Ethernet1/0/5
 port link-type trunk
 port trunk permit vlan 1 25
interface Ethernet1/0/6
interface Ethernet1/0/7
interface Ethernet1/0/8
interface Ethernet1/0/9
 voice vlan enable
interface Ethernet1/0/10
 port link-type hybrid
 port hybrid vlan 1 3 to 4 untagged
 port hybrid protocol-vlan vlan 4 0...
If the switch is not a unit of a fabric, this command displays the startup configuration file information of the current switch no matter whether you have specified the unit-id argument or not. If the switch is a unit of a fabric, without unit-id specified, this command displays the startup configuration file information of all the units in the fabric;...
Description Use the display this command to display the current configuration performed in the current view. To verify the configuration performed in a view, you can use this command to display the parameters that are valid in the current view. Note that: Effective parameters that are the same as the default are not displayed.
Description
Use the reset saved-configuration command to erase the configuration file saved in the Flash of a switch. The following two situations exist:
While the reset saved-configuration [ main ] command erases the configuration file with the main attribute, it only erases the main attribute of a configuration file that has both the main and backup attributes.
backup: Saves the configuration to the backup configuration file.
main: Saves the configuration to the main configuration file.

Description
Use the save command to save the current configuration to a configuration file in the Flash. When you use this command to save the configuration file, if the main and backup keywords are not specified, the current configuration is saved to the main configuration file.
Examples
# Save the current configuration to 123.cfg as the main configuration file for the next startup.
<Sysname> save main
The configuration will be written to the device.
Are you sure?[Y/N]y
Please input the file name(*.cfg)(To leave the existing filename unchanged press the enter key):123.cfg
Now saving current configuration to the device.
If the switch has not joined any fabric, the startup saved-configuration command specifies the configuration file to be used for the next startup of the switch; if the switch has joined a fabric, this command specifies the configuration file to be used for the next startup of all the switches in the fabric.
Table of Contents
1 VLAN Configuration Commands 1-1
  VLAN Configuration Commands 1-1
    description 1-1
    display interface Vlan-interface 1-2
    display vlan 1-3
    interface Vlan-interface 1-5
    name 1-5
    shutdown 1-6
    vlan 1-7
  Port-Based VLAN Configuration Commands 1-9
    display port 1-9
    port 1-9
    port access vlan 1-10
    port hybrid pvid vlan 1-11
    port hybrid vlan 1-11
    port link-type 1-12
    port trunk permit vlan 1-13...
VLAN Configuration Commands

VLAN Configuration Commands

description

Syntax
description text
undo description

View
VLAN view, VLAN interface view

Parameters
text: Case-sensitive character string to describe the current VLAN or VLAN interface. Special characters and spaces are allowed. It has 1 to 32 characters for a VLAN description.
display interface Vlan-interface Syntax display interface Vlan-interface [ vlan-id ] View Any view Parameters vlan-id: Specifies a VLAN interface number. Description Use the display interface Vlan-interface command to display information about the specified VLAN interface or all VLAN interfaces already created if no VLAN interface is specified. The output of this command shows the state, IP address, description and other information of a VLAN interface.
Table 1-1 Description on the fields of the display interface Vlan-interface command
Field / Description
Vlan-interface2 current state: The state of the VLAN interface, which can be one of the following:
  Administratively DOWN: This VLAN interface has been manually disabled with the shutdown command.
  DOWN: The administrative state of this VLAN interface is up, but its physical state is down.
Parameters vlan-id1: Specifies the ID of a VLAN of which information is to be displayed, in the range of 1 to 4094. to vlan-id2: In conjunction with vlan-id1, define a VLAN range to display information about all existing VLANs in the range. The vlan-id2 argument takes a value in the range of 1 to 4094, and must not be less than that of vlan-id1.
Field / Description
Description: Description of the VLAN.
Name: VLAN name.
Tagged Ports: Ports out of which packets are sent tagged.
Untagged Ports: Ports out of which packets are sent untagged.

interface Vlan-interface

Syntax
interface Vlan-interface vlan-id
undo interface Vlan-interface vlan-id

View
System view

Parameters...
View
VLAN view

Parameters
text: VLAN name, a description of 1 to 32 characters. It can contain special characters and spaces.

Description
Use the name command to assign a name to the current VLAN. Use the undo name command to restore the default VLAN name. When 802.1x or MAC address authentication is configured on the switch, a RADIUS server may be used to deploy VLANs (either named or numbered) on the ports that have passed authentication.
You can use the undo shutdown command to enable a VLAN interface when its related parameters and protocols are configured. When a VLAN interface fails, you can use the shutdown command to disable the interface, and then use the undo shutdown command to enable this interface again, which may restore the interface.
Description
Use the vlan command to create VLANs. If you create only one VLAN, you enter the view of the VLAN upon its creation; if the specified VLAN already exists, you enter its VLAN view directly. Use the undo vlan command to remove VLANs. By default, only VLAN 1 exists in the system.
Port-Based VLAN Configuration Commands

display port

Syntax
display port { hybrid | trunk }

View
Any view

Parameters
hybrid: Displays hybrid ports.
trunk: Displays trunk ports.

Description
Use the display port command to display the existing hybrid or trunk ports, if any. For information about port type configuration, refer to the port link-type command.
The command applies to access ports only. For information about how to assign to or remove from a VLAN trunk or hybrid ports, refer to the port hybrid vlan command and the port trunk permit vlan command. For port type configuration, refer to the port link-type command.
port hybrid pvid vlan

Syntax
port hybrid pvid vlan vlan-id
undo port hybrid pvid

View
Ethernet port view

Parameters
vlan-id: Specifies the default VLAN ID of the current hybrid port, in the range of 1 to 4094. The specified VLAN can be one already created or not.

Description
Use the port hybrid pvid vlan command to set the default VLAN ID of the hybrid port.
Parameters vlan-id-list: List of the VLANs that the current hybrid port will be assigned to or removed from. In this list, you can specify individual VLAN IDs (each in the form of vlan-id) and VLAN ID ranges (each in the form of vlan-id1 to vlan-id2).
Description
Use the port link-type command to set the link type of the Ethernet port. Use the undo port link-type command to restore the default link type. The default link type of an Ethernet port is access. To change the link type of a port from hybrid to trunk or vice versa, you need to change the link type to access first.
On a trunk port, only traffic of the default VLAN can pass through untagged. You can execute the command multiple times. The VLANs specified each time do not overwrite those configured before, if any; they are added to the set of permitted VLANs. Related commands: port link-type.

Examples
# Assign the trunk port Ethernet 1/0/1 to VLAN 2, VLAN 4, and VLAN 50 through VLAN 100.
<Sysname>...
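The vlan-id-list syntax shared by port trunk permit vlan and port hybrid vlan (individual IDs and vlan-id1 to vlan-id2 ranges, each ID in 1 to 4094, the upper bound of a range not less than the lower, and repeated commands accumulating rather than overwriting) is worth having as code when you generate or review trunk configurations, since an over-wide list is how a trunk ends up carrying VLANs it should not. The following Python functions are an added example, not part of the manual; the function names are my own.

```python
"""Parse, validate and build Comware vlan-id-list arguments.

Added example, not code from the H3C manual. Function names are invented here.
"""
VLAN_MIN, VLAN_MAX = 1, 4094


def _vlan_id(token):
    """Validate one VLAN ID token and return it as an int."""
    if not token.isdigit():
        raise ValueError(f"not a VLAN ID: {token!r}")
    vlan = int(token)
    if not VLAN_MIN <= vlan <= VLAN_MAX:
        raise ValueError(f"VLAN ID out of range 1 to 4094: {vlan}")
    return vlan


def parse_vlan_list(text):
    """Expand "2 4 50 to 100" into a sorted list of VLAN IDs.

    A range "lo to hi" is rejected when hi is less than lo, as the manual
    requires for vlan-id1 to vlan-id2.
    """
    tokens = text.split()
    vlans = set()
    i = 0
    while i < len(tokens):
        lo = _vlan_id(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi = _vlan_id(tokens[i + 2])
            if hi < lo:
                raise ValueError(f"range end {hi} is less than start {lo}")
            vlans.update(range(lo, hi + 1))
            i += 3
        else:
            vlans.add(lo)
            i += 1
    return sorted(vlans)


def format_vlan_list(vlans):
    """Collapse a set of VLAN IDs back into the "lo to hi" form the CLI accepts."""
    ids = sorted(set(vlans))
    parts = []
    start = prev = None
    for vlan in ids + [None]:          # trailing None flushes the last run
        if start is None:
            start = prev = vlan
            continue
        if vlan is not None and vlan == prev + 1:
            prev = vlan
            continue
        parts.append(str(start) if start == prev else f"{start} to {prev}")
        start = prev = vlan
    return " ".join(parts)


def apply_permit(current, vlan_list_text, undo=False):
    """Model repeated `port trunk permit vlan` / `undo port trunk permit vlan`.

    Each command adds to (or removes from) the permitted set; it does not
    replace what earlier commands configured.
    """
    change = set(parse_vlan_list(vlan_list_text))
    current = set(current)
    return sorted(current - change if undo else current | change)


if __name__ == "__main__":
    permitted = apply_permit([1], "2 4 50 to 100")   # VLAN 1 permitted by default
    print(len(permitted), "VLANs permitted:", format_vlan_list(permitted))
```

The round trip format_vlan_list(parse_vlan_list(text)) normalizes a list, which makes it straightforward to diff the permitted set on a trunk against the set a change request actually authorized.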
Examples
# Set the default VLAN ID of the trunk port Ethernet 1/0/1 to 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] port trunk pvid vlan 100

Protocol-Based VLAN Configuration Commands

display protocol-vlan interface

Syntax
display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ]...
llc dsap 0xac ssap 0xbd

Table 1-3 Description on the fields of the display protocol-vlan interface command
Field / Description
Interface: Interface bound with at least one protocol VLAN
VLAN ID: ID of a protocol VLAN bound with the interface
Protocol-Index: Protocol template index
Protocol-Type: Protocol type specified by the protocol template.
snap etype 0x0abcd

Table 1-4 Description on the fields of the display protocol-vlan vlan command
Field / Description
VLAN ID: Protocol VLAN ID
VLAN Type: VLAN type. Here, it refers to protocol-based VLAN
Protocol-Index: Protocol template index
Protocol-Type: Protocol type specified in the protocol template. Refer to the protocol-vlan command for a detailed description.
The port hybrid protocol-vlan vlan command is available on hybrid ports only. Before you bind a port with a protocol VLAN, assign the port to the VLAN with the port hybrid vlan command. Otherwise, the binding will fail. To bind a protocol template to a port in a VLAN successfully, you must ensure that the protocol template has been created in the VLAN.
ipx: Creates the IPX-based protocol template. The ethernetii, llc, raw and snap keywords represent four IPX encapsulation formats. For more information about encapsulation formats, refer to the accompanying operation manual.
mode: Configures a user-defined protocol template.
ethernetii etype-id: Creates the protocol template that matches the Ethernet II encapsulation format and the corresponding protocol type value of the packet.
[Sysname-vlan3] protocol-vlan ip
Because the IP protocol is closely associated with the ARP protocol, you are recommended to configure the ARP protocol type together with the IP protocol type and associate both protocol types with the same port. Otherwise ARP packets and IP packets may be assigned to different VLANs, which causes IP address resolution to fail.
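To make the encapsulation keywords above concrete, and to show the ARP failure mode this note warns about, the following Python code is an added example and not the switch's implementation: it classifies a raw Ethernet frame into the same template shapes the protocol-vlan command uses (ethernetii with a type value, llc with dsap and ssap, snap with a type value, raw) and looks the result up against a list of VLAN bindings. The sample frames are constructed inline; the assumptions that the built-in ip template matches Ethernet II type 0x0800, that ARP is Ethernet II type 0x0806, and that the first matching binding wins are mine, as are all function names.

```python
"""Classify Ethernet frames the way protocol-based VLAN templates do.

Added example, not H3C code. Templates are tuples mirroring the
protocol-vlan keywords: ("ethernetii", etype), ("llc", dsap, ssap),
("snap", etype) and ("raw",). Assumed here: the built-in `ip` template is
Ethernet II type 0x0800, ARP is Ethernet II type 0x0806, and the first
matching binding on a port wins.
"""
import struct

DST = bytes.fromhex("0000cafe0001")  # constructed sample MAC addresses
SRC = bytes.fromhex("0000cafe0002")


def ethernet_ii(etype, payload):
    """Ethernet II frame: the 2-byte field after the MACs is a type (>= 0x0600)."""
    return DST + SRC + struct.pack("!H", etype) + payload


def ieee8023(header, payload):
    """IEEE 802.3 frame: the 2-byte field after the MACs is the length of the rest."""
    body = header + payload
    return DST + SRC + struct.pack("!H", len(body)) + body


def llc_frame(dsap, ssap, payload):
    """802.3 + LLC header (dsap, ssap, control 0x03 = UI)."""
    return ieee8023(bytes([dsap, ssap, 0x03]), payload)


def snap_frame(etype, payload, oui=b"\x00\x00\x00"):
    """802.3 + LLC (aa aa 03) + SNAP (OUI, type)."""
    return ieee8023(b"\xaa\xaa\x03" + oui + struct.pack("!H", etype), payload)


def raw_frame(payload):
    """Novell raw 802.3: no LLC header, payload starts with ff ff."""
    return ieee8023(b"\xff\xff", payload)


def classify_frame(frame):
    """Return the template tuple that describes this frame's encapsulation."""
    if len(frame) < 16:
        raise ValueError("frame too short")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:
        return ("ethernetii", type_or_len)
    if frame[14:16] == b"\xff\xff":
        return ("raw",)
    if frame[14:17] == b"\xaa\xaa\x03" and len(frame) >= 22:
        return ("snap", struct.unpack("!H", frame[20:22])[0])
    return ("llc", frame[14], frame[15])


IP_TEMPLATE = ("ethernetii", 0x0800)
ARP_TEMPLATE = ("ethernetii", 0x0806)


def assign_vlan(frame, bindings):
    """bindings: [(vlan_id, template), ...] bound to a port. None when nothing matches."""
    encapsulation = classify_frame(frame)
    for vlan_id, template in bindings:
        if template == encapsulation:
            return vlan_id
    return None


if __name__ == "__main__":
    # A port bound to VLAN 3 with only the ip template, as in the manual's example.
    only_ip = [(3, IP_TEMPLATE)]
    ip_packet = ethernet_ii(0x0800, b"\x45" + bytes(19))
    arp_packet = ethernet_ii(0x0806, bytes(28))
    print("IP  ->", assign_vlan(ip_packet, only_ip))   # 3
    print("ARP ->", assign_vlan(arp_packet, only_ip))  # None: ARP misses VLAN 3
    with_arp = only_ip + [(3, ARP_TEMPLATE)]
    print("ARP ->", assign_vlan(arp_packet, with_arp)) # 3 once ARP is bound too
```

With only the ip template bound, the ARP request never lands in VLAN 3, which is exactly the resolution failure the note describes; adding the ARP binding to the same VLAN on the same port fixes it. The llc and snap builders produce frames that match the user-defined templates shown in the display output above (llc dsap 0xac ssap 0xbd, snap etype 0xabcd).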
Table of Contents
1 IP Address Configuration Commands 1-1
  IP Address Configuration Commands 1-1
    display ip interface 1-1
    display ip interface brief 1-2
    ip address 1-4
2 IP Performance Configuration Commands 2-1
  IP Performance Configuration Commands 2-1
    display fib 2-1
    display fib ip-address 2-2
    display fib acl 2-3
    display fib | 2-4
    display fib ip-prefix 2-5
    display fib statistics 2-5...
IP Address Configuration Commands
display ip interface
Syntax
display ip interface [ interface-type interface-number ]
View
Any view
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Description
Use the display ip interface command to display information about a specified or all Layer 3 interfaces.
Information request:
Information reply:
Netmask request:
Netmask reply:
Unknown type:
Table 1-1 Description on the fields of the display ip interface command
Field | Description
Vlan-interface1 current state | Current physical state of VLAN-interface 1
Line protocol current state | Current state of the link layer protocol
Internet Address | IP address of the interface followed by: Primary: Identifies a primary IP address, or...
View
Any view
Parameters
interface-type: Interface type.
interface-number: Interface number.
Description
Use the display ip interface brief command to display brief information about a specified or all Layer 3 interfaces. With no argument included, the command displays information about all Layer 3 interfaces; with only the interface type specified, it displays information about all Layer 3 interfaces of the specified type;...
ip address
Syntax
ip address ip-address { mask | mask-length } [ sub ]
undo ip address [ ip-address { mask | mask-length } [ sub ] ]
View
VLAN interface view, loopback interface view
Parameters
ip-address: IP address, in dotted decimal notation.
mask: Subnet mask, in dotted decimal notation.
Examples
# Assign the primary IP address 129.12.0.1 and secondary IP address 129.12.1.1 to VLAN-interface 1 with subnet mask 255.255.255.0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 129.12.0.1 255.255.255.0
[Sysname-Vlan-interface1] ip address 129.12.1.1 255.255.255.0 sub
...
IP Performance Configuration Commands
display fib
Syntax
display fib
View
Any view
Parameters
None
Description
Use the display fib command to display all forwarding information base (FIB) information.
Examples
# Display all FIB information.
<Sysname> display fib
Flag: U:Usable G:Gateway...
Table 2-1 Description on the fields of the display fib command
Field | Description
Flag | Flags:
  U: A route is up and available.
  G: Gateway route
  H: Local host route
  B: Blackhole route
  D: Dynamic route
  S: Static route
  R: Rejected route
  E: Multi-path equal-cost route
  L: Route generated by ARP or ESIS
Destination/Mask...
Description Use the display fib ip-address command to view the FIB entries matching the specified destination IP address. If no mask or mask length is specified, the FIB entry that matches the destination IP address and has the longest mask will be displayed; if the mask is specified, the FIB entry that exactly matches the specified destination IP address and mask will be displayed.
display fib ip-prefix
Syntax
display fib ip-prefix ip-prefix-name
View
Any view
Parameters
ip-prefix-name: IP prefix list name, a string of 1 to 19 characters.
Description
Use the display fib ip-prefix command to display the FIB entries matching a specific IP prefix list. For details about IP prefix lists, refer to the part discussing IP routing in this manual.
Description
Use the display fib statistics command to display the total number of FIB entries.
Examples
# Display the total number of FIB entries.
<Sysname> display fib statistics
Route Entry Count : 8
display icmp statistics
Syntax
display icmp statistics
View
Any view
Parameters
...
Field | Description
destination unreachable | Number of received destination unreachable packets
source quench | Number of received source quench packets
redirects | Number of received redirect packets
echo reply | Number of received echo replies
parameter problem | Number of received parameter problem packets
timestamp | Number of received timestamp packets
information request | Number of received information request packets
mask requests | ...
Examples
# Display information about sockets of the TCP type.
<Sysname> display ip socket socktype 1
SOCK_STREAM:
Task = VTYD(18), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_SENDVPNID SO_SETKEEPALIVE,
socket state = SS_PRIV SS_ASYNC
Task = VTYD(18), socketid = 2, Proto = 6,...
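In the output above, Proto = 6 is TCP and SO_ACCEPTCONN marks a socket in the listen state, so the first record is the Telnet service (task VTYD) listening on all addresses, port 23. The following script, an added example that is not part of this manual or of H3C's software, parses records in that layout and reports listeners on cleartext management ports. The second record in the sample, the address 10.1.1.1 and the set of ports treated as cleartext are constructed for the example.

```python
"""Parse `display ip socket` output and flag cleartext management listeners.

Added example, not from the H3C manual or H3C code. The record layout follows
the manual's sample (Task/socketid/Proto/LA/FA/socket option lines); the
second record and the address 10.1.1.1 below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed sample in the manual's format. Record 1 is the Telnet listener
# the manual shows (LA = 0.0.0.0:23); record 2 is a made-up accepted session.
SAMPLE = """\
SOCK_STREAM:
Task = VTYD(18), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_SENDVPNID SO_SETKEEPALIVE,
socket state = SS_PRIV SS_ASYNC
Task = VTYD(18), socketid = 2, Proto = 6,
LA = 10.1.1.1:23, FA = 10.1.1.50:41022,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_KEEPALIVE SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC
"""

# Assumption: TCP services the reviewer treats as unencrypted management access.
CLEARTEXT_TCP = {23: "telnet", 80: "http"}

RECORD_RE = re.compile(
    r"Task = (?P<task>\S+), socketid = (?P<sid>\d+), Proto = (?P<proto>\d+),\s*"
    r"LA = (?P<la>[\d.]+):(?P<lp>\d+), FA = (?P<fa>[\d.]+):(?P<fp>\d+),.*?"
    r"socket option = (?P<opts>[^,]*),",
    re.S,
)


@dataclass(frozen=True)
class Socket:
    task: str
    socket_id: int
    proto: int          # IP protocol number: 6 = TCP, 17 = UDP
    local: tuple        # (address, port)
    foreign: tuple
    options: frozenset

    @property
    def listening(self) -> bool:
        # SO_ACCEPTCONN is set only on a socket in the listen state.
        return "SO_ACCEPTCONN" in self.options


def parse_sockets(text: str) -> list:
    """Return one Socket per 'Task = ...' record in the command output."""
    sockets = []
    for m in RECORD_RE.finditer(text):
        sockets.append(Socket(
            task=m["task"],
            socket_id=int(m["sid"]),
            proto=int(m["proto"]),
            local=(m["la"], int(m["lp"])),
            foreign=(m["fa"], int(m["fp"])),
            options=frozenset(m["opts"].split()),
        ))
    return sockets


def cleartext_listeners(sockets) -> list:
    """(service, bind address, port) for every TCP listener on a cleartext port."""
    return [(CLEARTEXT_TCP[s.local[1]], s.local[0], s.local[1])
            for s in sockets
            if s.proto == 6 and s.listening and s.local[1] in CLEARTEXT_TCP]


if __name__ == "__main__":
    for svc, addr, port in cleartext_listeners(parse_sockets(SAMPLE)):
        print(f"{svc} listening on {addr}:{port}")
```

Run it against a saved copy of the command output to get a list of services worth disabling or restricting with an ACL; the sample yields the single Telnet listener.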
View
Any view
Parameters
None
Description
Use the display ip statistics command to display the statistics about IP packets.
Related commands: display ip interface, reset ip statistics.
Examples
# Display the statistics about IP packets.
<Sysname> display ip statistics
Input: 7120 local bad protocol...
Field | Description
Fragment:
  input | Total number of fragments received
  output | Total number of fragments sent
  dropped | Total number of fragments discarded
  fragmented | Total number of IP packets successfully fragmented
  couldn't fragment | Total number of IP packets that cannot be fragmented
Reassembling: | Total number of IP packets reassembled
  timeouts | ...
Field | Description
Sent packets:
  Total | Total number of packets sent
  urgent packets | Number of urgent packets sent
  control packets | Number of control packets sent; in brackets are control packets retransmitted
  window probe packets | Number of window probe packets sent; in brackets are resent packets
  window update packets | Number of window update packets sent
...
Description
Use the display tcp status command to display the state of all TCP connections so that you can monitor TCP connections in real time.
Examples
# Display the state of all TCP connections.
<Sysname> display tcp status
*: TCP MD5 Connection
TCPCB Local Add:port...
total broadcast or multicast packets : 25006
no socket broadcast or multicast packets: 24989
not delivered, input socket full: 0
input packets missing pcb cache: 1314
Sent packets:
Total: 7187
Table 2-7 Description on the fields of the display udp statistics command
Field | Description
Total | ...
Examples
# Disable the device from sending ICMP redirect packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo icmp redirect send
icmp unreach send
Syntax
icmp unreach send
undo icmp unreach send
View
System view
Parameters
None
Description
Use the icmp unreach send command to enable the device to send ICMP destination unreachable...
Description
Use the ip forward-broadcast command to enable the device to receive directed broadcasts to a directly connected network. Use the undo ip forward-broadcast command to disable the device from receiving directed broadcasts to a directly connected network.
By default, the device is disabled from receiving directed broadcasts to a directly connected network. Keep the default unless an application needs it: a directed broadcast lets a single packet from a remote source reach every host on the target subnet, which is the basis of smurf-style amplification attacks.
Examples
# Enable the device to receive directed broadcasts to a directly connected network.
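The ICMP redirect, ICMP unreachable and directed-broadcast commands above are the settings an auditor checks first in a saved configuration. The script below is an added example, not part of this manual or of H3C's software: it splits a Comware-style configuration into its "#"-delimited blocks, reads the system-view settings, and lists the commands from this chapter that would close the gaps. The sample configuration is constructed. The default for ip forward-broadcast (disabled) is taken from the manual; the defaults for icmp redirect send and icmp unreach send are not stated on this page, so their absence is only reported as "not explicitly disabled".

```python
"""Lint a Comware-style configuration for the forwarding settings this part
covers. Added example, not from the H3C manual. The sample configuration is
constructed. Checked: `ip forward-broadcast` (directed-broadcast forwarding;
disabled by default per the manual) and whether `undo icmp redirect send` and
`undo icmp unreach send` are present. The ICMP defaults are not stated on this
page, so their absence is reported, not treated as a confirmed finding.
"""

# Constructed sample; '#' separates configuration blocks as on the switch.
SAMPLE_CONFIG = """\
#
 sysname Sysname
#
 ip forward-broadcast
 undo icmp unreach send
#
interface Vlan-interface1
 ip address 129.12.0.1 255.255.255.0
 ip address 129.12.1.1 255.255.255.0 sub
#
interface Ethernet1/0/1
 shutdown
#
"""


def parse_blocks(config: str) -> list:
    """Split the config on '#' lines into (context, [commands]) pairs.

    Context is the block's first line when it opens a view (interface ...),
    otherwise "system". Commands are returned stripped of indentation.
    """
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    out = []
    for cmds in blocks:
        if cmds[0].startswith("interface "):
            out.append((cmds[0], cmds[1:]))
        else:
            out.append(("system", cmds))
    return out


def lint_forwarding(config: str) -> dict:
    """Return the system-view settings relevant to directed broadcasts and ICMP."""
    system_cmds = [c for ctx, cmds in parse_blocks(config) if ctx == "system" for c in cmds]
    return {
        "directed_broadcast_forwarding": "ip forward-broadcast" in system_cmds,
        "icmp_redirect_send_disabled": "undo icmp redirect send" in system_cmds,
        "icmp_unreach_send_disabled": "undo icmp unreach send" in system_cmds,
    }


def remediation(findings: dict) -> list:
    """System-view commands from this chapter that close the reported gaps."""
    cmds = []
    if findings["directed_broadcast_forwarding"]:
        # Directed broadcasts let one remote packet reach every host on the
        # subnet (smurf-style amplification); keep the default unless needed.
        cmds.append("undo ip forward-broadcast")
    if not findings["icmp_redirect_send_disabled"]:
        # Redirects leak topology and are rarely needed from a switch SVI.
        cmds.append("undo icmp redirect send")
    return cmds


if __name__ == "__main__":
    for cmd in remediation(lint_forwarding(SAMPLE_CONFIG)):
        print(cmd)
```

Only system-view blocks are inspected because all three commands live in system view (see the View entries above); interface blocks are parsed so the same splitter can be reused for per-port checks.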
Description
Use the reset tcp statistics command to clear the statistics about TCP packets. You can use the display tcp statistics command to view the current TCP packet statistics.
Examples
# Clear the statistics about TCP packets.
<Sysname> reset tcp statistics
reset udp statistics
Syntax
reset udp statistics...
Related commands: tcp timer syn-timeout, tcp window.
Examples
# Set the TCP finwait timer to 800 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] tcp timer fin-timeout 800
tcp timer syn-timeout
Syntax
tcp timer syn-timeout time-value
undo tcp timer syn-timeout
View
System view...
Description
Use the tcp window command to set the size of the send and receive buffers of connection-oriented sockets. Use the undo tcp window command to restore the default size. By default, the send and receive buffers are 8 KB each.
Voice VLAN Configuration Commands
display voice vlan error-info
Syntax
display voice vlan error-info
View
Any view
Parameters
None
Description
Use the display voice vlan error-info command to display the ports on which the voice VLAN function failed to be enabled.
Table 1-1 Description on the fields of the display voice vlan status command
Field | Description
Voice Vlan status | Status of the global voice VLAN function: enabled or disabled
Voice Vlan ID | The VLAN currently enabled with the voice VLAN function
Voice Vlan security mode | Status of voice VLAN security mode: enabled or disabled
Untagged Ports: Ethernet1/0/6
The output indicates that Ethernet 1/0/5 and Ethernet 1/0/6 are in the voice VLAN.
voice vlan
Syntax
voice vlan vlan-id enable
undo voice vlan enable
View
System view
Parameters
vlan-id: Specifies the ID of the VLAN to be enabled with the voice VLAN function, in the range of 2 to 4094.
# After the voice VLAN function is enabled for VLAN 2, an attempt to enable it for another VLAN fails with a prompt.
[Sysname] voice vlan 4 enable
Can't change voice vlan configuration when other voice vlan is running
voice vlan aging
Syntax
voice vlan aging minutes...
Use the voice vlan legacy command to enable the voice VLAN legacy function. This function lets an H3C device interoperate with other vendors' voice devices by automatically adding the voice VLAN tag to voice data received from those devices.
The OUI list can contain up to 16 OUI address entries.
Table 1-2 Default OUI addresses of a switch
Number | OUI address | Vendor
1 | 0003-6b00-0000 | Cisco phone
2 | 000f-e200-0000 | H3C Aolynk phone
3 | 00d0-1e00-0000 | Pingtel phone
4 | 00e0-7500-0000 | Polycom phone
5 | 00e0-bb00-0000 | 3Com phone
Related commands: display voice vlan oui.
Examples
# Add MAC address 00aa-bb00-0000 to the OUI list and configure its description as ABC.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] voice vlan mac-address 00aa-bb00-0000 mask ffff-ff00-0000 description ABC
voice vlan mode
Syntax
voice vlan mode auto
undo voice vlan mode auto
View
Ethernet port view...
undo voice vlan security enable
View
System view
Parameters
None
Description
Use the voice vlan security enable command to enable voice VLAN security mode. Use the undo voice vlan security enable command to disable it. In security mode, ports in the voice VLAN with voice devices attached forward only voice data; other traffic arriving on those ports is not forwarded in the voice VLAN, so a non-voice host plugged into such a port cannot inject traffic into it.
GVRP Configuration Commands
GARP Configuration Commands
display garp statistics
Syntax
display garp statistics [ interface interface-list ]
View
Any view
Parameters
interface-list: Specifies a list of Ethernet ports for which GARP statistics are to be displayed. The list can contain individual ports and port ranges. An individual port takes the form interface-type interface-number; a port range takes the form interface-type interface-number1 to interface-type interface-number2,...
GARP statistics on port Ethernet1/0/1
  Number Of GVRP Frames Received
  Number Of GVRP Frames Transmitted
  Number Of Frames Discarded
GARP statistics on port Ethernet1/0/2
  Number Of GVRP Frames Received
  Number Of GVRP Frames Transmitted
  Number Of Frames Discarded
Table 1-1 Description on the fields of the display garp statistics command
Field | Description
Number of GVRP Frames Received | ...
Hold timer
Related commands: garp timer, garp timer leaveall.
Examples
# Display the settings of the GARP timers on port Ethernet 1/0/1.
<Sysname> display garp timer interface Ethernet 1/0/1
GARP timers on port Ethernet1/0/1
Garp Join Time : 20 centiseconds
Garp Leave Time : 60 centiseconds
Garp LeaveAll Time : 1000 centiseconds...
Table 1-2 Relations between the timers
Timer | Lower threshold | Upper threshold
Hold | 10 centiseconds | Less than or equal to one-half of the Join timer timeout. You can raise this threshold by increasing the Join timer timeout.
... | This lower threshold is greater than ... | This upper threshold is less than or equal to twice the timeout time of...
Parameters
timer-value: Setting (in centiseconds) of the GARP LeaveAll timer. Choose this value with reference to the Leave timer settings of all Ethernet ports: it must be larger than the Leave timer setting of every Ethernet port. It must also be a multiple of 5 and cannot exceed 32,765.
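The timer relations in Table 1-2 and the LeaveAll rules above are easy to violate when ports are tuned one at a time. The validator below is an added example, not part of this manual or of H3C's software; values are in centiseconds as shown by display garp timer. The rules it takes from the page are Hold >= 10, Hold <= Join/2, and LeaveAll larger than every port's Leave timer, a multiple of 5 and at most 32,765. Where Table 1-2 is cut off on this page, the example assumes the usual Comware relations Leave > 2 x Join and Leave < LeaveAll; treat those two checks as assumptions.

```python
"""Check proposed GARP timer values against the relations the manual gives.

Added example, not from the H3C manual or H3C code. Units are centiseconds,
as in `display garp timer`. Checks marked "assumed" cover rows that are
truncated in the manual's Table 1-2 on this page.
"""

LEAVEALL_MAX = 32765   # from the manual: LeaveAll cannot exceed 32,765


def check_port_timers(hold: int, join: int, leave: int, leaveall: int) -> list:
    """Return the violated relations for one port (empty list = consistent)."""
    problems = []
    if hold < 10:                       # Hold lower threshold: 10 centiseconds
        problems.append("hold below 10 centiseconds")
    if 2 * hold > join:                 # Hold upper threshold: half of Join
        problems.append("hold exceeds half of join")
    if leave <= 2 * join:               # assumed: Leave must exceed twice Join
        problems.append("leave not greater than twice join")
    if leave >= leaveall:               # assumed: Leave must be below LeaveAll
        problems.append("leave not less than leaveall")
    return problems


def check_leaveall(leaveall: int, port_leave_timers: dict) -> list:
    """Validate the global LeaveAll timer against every port's Leave timer.

    port_leave_timers maps a port name to its Leave timer in centiseconds.
    """
    problems = []
    if leaveall % 5:
        problems.append("leaveall not a multiple of 5")
    if leaveall > LEAVEALL_MAX:
        problems.append(f"leaveall above {LEAVEALL_MAX}")
    for port, leave in port_leave_timers.items():
        if leaveall <= leave:
            problems.append(f"leaveall not greater than leave on {port}")
    return problems


if __name__ == "__main__":
    # The manual's example values: Join 20, Leave 60, LeaveAll 1000, Hold 10.
    print(check_port_timers(10, 20, 60, 1000))
    print(check_leaveall(1000, {"Ethernet1/0/1": 60}))
```

Run check_leaveall once with the Leave timers of every port before changing garp timer leaveall; the switch rejects an out-of-range value, but a value that merely leaves little headroom above a port's Leave timer is only caught by a check like this.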
Executing the reset garp statistics command without any parameter clears the GARP statistics of all ports.
Related commands: display garp statistics.
Examples
# Clear GARP statistics of all ports.
<Sysname> reset garp statistics
GVRP Configuration Commands
display gvrp statistics
Syntax
display gvrp statistics [ interface interface-list ]
View
Any view...
display gvrp status
Syntax
display gvrp status
View
Any view
Parameters
None
Description
Use the display gvrp status command to display the global GVRP status (enabled or disabled).
Examples
# Display the global GVRP status.
<Sysname> display gvrp status
GVRP is enabled
The above output indicates that GVRP is enabled globally.
Port Basic Configuration Commands
Displaying and maintaining statistics of dropped packets on a port or on all ports was added to this manual. For the related commands, refer to display packet-drop and reset packet-drop interface.
Disabling port Up/Down log output was added to this manual. For the related command, refer to enable log updown.
Description
Use the broadcast-suppression command to limit the broadcast traffic allowed to be received on each port (in system view) or on a specified port (in Ethernet port view). Use the undo broadcast-suppression command to restore the default broadcast suppression setting. The broadcast-suppression command enables broadcast suppression.
Parameters
interface-type: Port type.
interface-number: Port number.
source-agg-id: Source aggregation group number, in the range of 1 to 416. The port with the smallest port number in the aggregation group is used as the source port.
destination-agg-id: Destination aggregation group number, in the range of 1 to 416.
interface-list: Destination port list, interface-list = interface-type interface-number [ to interface-type interface-number ] &<1-10>.
Examples
# Copy the configuration of Ethernet 1/0/1 to Ethernet 1/0/2 and Ethernet 1/0/3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] copy configuration source ethernet 1/0/1 destination ethernet 1/0/2 ethernet 1/0/3
Note: The following will be removed from destination port list: Aggregation port(s), Voice vlan port(s).
View
Ethernet port view
Parameters
text: Port description, a string of 1 to 80 characters.
Description
Use the description command to configure a description for the port. Use the undo description command to remove the port description. By default, no description is configured for a port.
You can use the display brief interface command to display the configured description.
Description Use the display brief interface command to display the brief configuration information about one or all interfaces, including: interface type, link state, link rate, duplex attribute, link type, default VLAN ID and description string. Currently, for the port types other than Ethernet port, this command only displays the link state, and shows "--"...
Table 1-3 Port state transitions
Initial port state | State after executing the shutdown command | State after executing the undo shutdown command
(cells as extracted, row layout not recoverable) DOWN DOWN Not connected to any cable ADMINISTRATIVELY DOWN DOWN ADMINISTRATIVELY DOWN DOWN DOWN Connected to a cable ADMINISTRATIVELY DOWN
display interface
Syntax...
Broadcast MAX-pps: 500
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 1
Mdi type: auto
Port link-type: access
Tagged VLAN ID : none
Untagged VLAN ID : 1
Last 300 seconds input: 0 packets/sec 0 bytes/sec
Last 300 seconds output: 0 packets/sec 0 bytes/sec
Input(total):...
Field | Description
Port link-type | Port link type
Tagged VLAN ID | VLANs whose packets are forwarded with tags on the port
Untagged VLAN ID | VLANs whose packets are forwarded without tags on the port
Last 300 seconds input: 0 packets/sec 0 bytes/sec | Average input and output rates (in pps and Bps) in the last 300 seconds...
Field | Description
aborts | Total number of incoming illegal packets, including:
  Fragments: CRC error frames of less than 64 bytes (integer or non-integer length).
  Jabber frames: CRC error frames of more than 1518 bytes if untagged or 1522 bytes if tagged (integer or non-integer length).
  Symbol error frames: frames with at least one symbol error.
Field | Description
lost carrier | Lost carrier counter, applicable to serial WAN interfaces. The counter increases by 1 upon each carrier loss detected during frame transmission.
no carrier | No carrier counter, applicable to serial WAN interfaces. The counter increases by 1 upon each carrier detection failure during frame transmission.
Description
Use the display loopback-detection command to display the loopback detection status on the port. If loopback detection is enabled, the loopback detection interval and the looped ports are also displayed.
Examples
# Display the loopback detection status on the port.
<Sysname>...
Examples
# Display the statistics on packets dropped on Ethernet 1/0/1.
<Sysname> display packet-drop interface Ethernet 1/0/1
Ethernet1/0/1:
Packets dropped By GBP full or insufficient bandwidth: 0
Packets dropped By others: 0
# Display the summary statistics on packets dropped on all ports.
<Sysname>...
PortName StormType LowerLimit UpperLimit Ctr-mode Status Trap Swi-num
--------------------------------------------------------------------------
Eth1/0/1 broadcast 9 shutdown normal
Eth1/0/1 multicast 9 shutdown control on
Eth1/0/2 unicast shutdown normal
Table 1-7 Description on the fields of the display storm-constrain command
Field | Description
Flow Statistic Interval | Interval to collect traffic statistics.
Description : Aux Interface
Ethernet1/0/1 current state : DOWN
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 000f-e290-2240
Media type is twisted pair, loopback not set
Port hardware type is 100_BASE_TX
100Mbps-speed mode, full-duplex mode
Link speed type is force link, link duplex type is force link
Flow-control is enabled
The Maximum Frame Length is 9216
Broadcast MAX-pps: 500...
undo duplex
View
Ethernet port view
Parameters
auto: Sets the port to auto-negotiation mode.
full: Sets the port to full duplex mode.
half: Sets the port to half duplex mode.
Description
Use the duplex command to set the duplex mode of the current port. Use the undo duplex command to restore the default duplex mode, auto-negotiation.
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] shutdown
[Sysname-Ethernet1/0/1]
%Apr 5 07:25:37:634 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/1 is DOWN
[Sysname-Ethernet1/0/1] undo shutdown
[Sysname-Ethernet1/0/1]
%Apr 5 07:25:56:244 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/1 is UP
# Disable Ethernet 1/0/1 from outputting Up/Down log information, and then execute the shutdown command or the undo shutdown command on Ethernet 1/0/1.
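The L2INF/5/PORT LINK STATUS CHANGE messages shown above are also what a log collector sees when a port flaps, whether from a marginal cable, a misbehaving host, or someone repeatedly plugging devices into an access port. The detector below is an added example, not part of this manual or of H3C's software: it parses lines in exactly that format and reports ports that change link state too often inside a sliding window. The log lines are constructed in the manual's format (the first two copy the manual's sample), and the thresholds of 4 transitions within 60 seconds are an assumption to tune per site.

```python
"""Detect port flapping from L2INF/5/PORT LINK STATUS CHANGE log lines.

Added example, not from the H3C manual or H3C code. The log lines below are
constructed in the format the manual shows for shutdown / undo shutdown; the
window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in the manual's format ('%Mon D HH:MM:SS:ms YYYY host ...').
SAMPLE_LOG = """\
%Apr 5 07:25:37:634 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/1 is DOWN
%Apr 5 07:25:56:244 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/1 is UP
%Apr 5 07:26:02:010 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/1 is DOWN
%Apr 5 07:26:09:500 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/1 is UP
%Apr 5 07:26:15:120 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/2 is DOWN
%Apr 5 07:26:20:300 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/1 is DOWN
%Apr 5 07:40:00:000 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/2 is UP
"""

LINE_RE = re.compile(
    r"%(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d):(?P<ms>\d{3}) (?P<year>\d{4}) "
    r"(?P<host>\S+) L2INF/5/PORT LINK STATUS CHANGE:- \d+ - (?P<port>\S+) is (?P<state>UP|DOWN)$"
)


def parse_link_events(log: str) -> list:
    """Return (timestamp, port, state) tuples, oldest first, for matching lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other log modules are ignored
        ts = datetime.strptime(f"{m['year']} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        ts = ts.replace(microsecond=int(m["ms"]) * 1000)
        events.append((ts, m["port"], m["state"]))
    events.sort()
    return events


def flapping_ports(events, window_s: int = 60, threshold: int = 4) -> list:
    """Ports with >= threshold link transitions inside any window_s-second span."""
    by_port = defaultdict(list)
    for ts, port, _state in events:
        by_port[port].append(ts)
    flapping = []
    for port, times in by_port.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flapping.append(port)
                break
    return sorted(flapping)


if __name__ == "__main__":
    print(flapping_ports(parse_link_events(SAMPLE_LOG)))
```

Feed it the switch's syslog stream rather than the console: the example that follows in the manual disables Up/Down log output on a port, and a port silenced that way will never appear in this detector's result, which is a reason to leave enable log updown at its default on access ports.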
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] flow-control
flow-interval
Syntax
flow-interval interval
undo flow-interval
View
Ethernet port view
Parameters
interval: Interval (in seconds) at which port statistics are collected. This argument ranges from 5 to 300 (in steps of 5) and is 300 by default.
Description
Use the flow-interval command to set the interval at which port statistics are collected.
Description Use the giant-frame statistics enable command to enable the giant-frame statistics function. Use the undo giant-frame statistics enable command to disable the giant-frame statistics function. By default, the giant-frame statistics function is not enabled. After enabling the giant-frame statistics function, you can use the display interface command to view the statistics about giant frames.
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] jumboframe enable
Syntax
jumboframe enable
undo jumboframe enable
View
Ethernet port view
Parameters
None
Description
Use the jumboframe enable command to set the maximum frame size allowed on a port to 9,216 bytes.
During a short period after you connect your switch to another device, the connecting port may go up and down frequently due to hardware compatibility, resulting in service interruption. To avoid situations like this, you may set a port state change delay. The port state change delay takes effect when the port goes down but not when the port goes up.
By default, no loopback test is performed on an Ethernet port.
Examples
# Perform an internal loopback test on Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] loopback internal
Loopback internal succeeded.
loopback-detection control enable
Syntax
loopback-detection control enable...
[Sysname-Ethernet1/0/1] loopback-detection control enable
loopback-detection enable
Syntax
loopback-detection enable
undo loopback-detection enable
View
System view or Ethernet port view
Parameters
None
Description
Use the loopback-detection enable command to enable loopback detection on ports, which detects whether an external loop exists on a port. Use the undo loopback-detection enable command to disable loopback detection on ports.
loopback-detection interval-time
Syntax
loopback-detection interval-time time
undo loopback-detection interval-time
View
System view
Parameters
time: Loopback detection interval in seconds, in the range of 5 to 300. The default is 30 seconds.
Description
Use the loopback-detection interval-time command to set the loopback detection interval. Use the undo loopback-detection interval-time command to restore the default interval.
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] loopback-detection per-vlan enable
mdi
Syntax
mdi { across | auto | normal }
undo mdi
View
Ethernet port view
Parameters
across: Sets the MDI mode to medium dependent interface (MDI).
normal: Sets the MDI mode to medium dependent interface-X (MDI-X).
undo multicast-suppression
View
Ethernet port view
Parameters
ratio: Maximum ratio of the multicast traffic allowed on the port to the total transmission capacity of the port. This argument ranges from 1 to 100 (in steps of 1) and defaults to 100. The smaller the ratio, the less multicast traffic is allowed to be received.
Description
Use the reset counters interface command to clear the statistics of a port, preparing for a new statistics collection. If you specify neither port type nor port number, the command clears the statistics of all ports. If you specify only the port type, it clears the statistics of all ports of that type. If you specify both port type and port number, it clears the statistics of the specified port.
Parameters
None
Description
Use the shutdown command to shut down an Ethernet port. Use the undo shutdown command to bring up an Ethernet port. By default, an Ethernet port is up.
Examples
# Shut down Ethernet 1/0/1 and then bring it up.
<Sysname>...
View
Ethernet port view
Parameters
10: Sets the port speed to 10 Mbps.
100: Sets the port speed to 100 Mbps.
1000: Sets the port speed to 1,000 Mbps (GigabitEthernet ports only).
auto: Sets the port to auto-negotiate its speed.
Description
Use the speed command to set the port speed.
storm-constrain control
Syntax
storm-constrain control { block | shutdown }
undo storm-constrain control
View
Ethernet port view
Parameters
block: Blocks and stops forwarding the type of traffic that exceeds its upper threshold.
shutdown: Shuts down the port if broadcast, multicast, or unicast traffic exceeds its upper threshold; the port then stops receiving and forwarding all types of traffic.
storm-constrain enable
Syntax
storm-constrain enable { log | trap }
undo storm-constrain enable
View
Ethernet port view
Parameters
log: Outputs log information when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
trap: Outputs trap information when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
Use the undo storm-constrain interval command to restore the default setting. By default, the interval is 10 seconds.
Related commands: display storm-constrain, storm-constrain.
Examples
# Set the interval to collect traffic statistics to 2 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] storm-constrain interval 2
unicast-suppression
Syntax...
# Set the maximum number of unknown unicast packets that Ethernet 1/0/1 can receive per second to 1,000.
[Sysname-Ethernet1/0/1] unicast-suppression pps 1000
virtual-cable-test
Syntax
virtual-cable-test
View
Ethernet port view
Parameters
None
Description
Use the virtual-cable-test command to test the cable connected to a specific port and display the results.
Examples
# Test the cable connected to Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] virtual-cable-test
Cable status: normal, 0 meter(s)
Pair Impedance mismatch: -
Pair skew: - ns
Pair swap: -
Pair polarity: -
Insertion loss: - db...
Table of Contents
1 Link Aggregation Configuration Commands ... 1-1
  Link Aggregation Configuration Commands ... 1-1
    display link-aggregation interface ... 1-1
    display link-aggregation summary ... 1-2
    display link-aggregation verbose ... 1-3
    display lacp system-id ... 1-4
    lacp enable ... 1-5
    lacp port-priority ... 1-5
    lacp system-priority ... 1-6
    link-aggregation group description ... 1-6
    link-aggregation group mode ... 1-7
    port link-aggregation group ... 1-8
    reset lacp statistics ... 1-8
...
Link Aggregation Configuration Commands
display link-aggregation interface
Syntax
display link-aggregation interface interface-type interface-number [ to interface-type interface-number ]
View
Any view
Parameters
interface-type: Port type.
interface-number: Port number.
to: Specifies a port index range, with the two interface-type interface-number argument pairs around it as the two ends.
Table 1-1 Description on the fields of the display link-aggregation interface command
Field | Description
Selected AggID | ID of the aggregation group to which the specified port belongs
Local | Information about the local end
Port-Priority | Port priority
Oper key | Operational key
Flag | Protocol status flag
Remote...
--------------------------------------------------------------------------
0x8000,0000-0000-0000 0 NonS Ethernet1/0/2
none NonS Ethernet1/0/3
Table 1-2 Description on the fields of the display link-aggregation summary command
Field | Description
Aggregation Group Type | Aggregation group type: D for dynamic, S for static, and M for manual
Loadsharing Type | Load sharing type: Shar for load sharing and NonS for non-load sharing
Actor ID...
Examples
# Display the details about aggregation group 1.
<Sysname> display link-aggregation verbose 1
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Flags: A -- LACP_Activity, B -- LACP_timeout, C -- Aggregation,
       D -- Synchronization, E -- Collecting, F -- Distributing,
       G -- Defaulted, H -- Expired
Aggregation ID: 1, AggregationType: Manual,...
Description
Use the display lacp system-id command to display the device ID of the local system, which consists of the system priority and the MAC address.
Examples
# Display the device ID of the local system.
<Sysname> display lacp system-id
Actor System ID: 0x8000, 000f-e20f-0100
The value of the Actor System ID field is the device ID.
Description
Use the lacp port-priority command to set the priority of the current port. Use the undo lacp port-priority command to restore the default port priority. By default, the port priority is 32,768.
You can use the display link-aggregation verbose command or the display link-aggregation interface command to check the configuration result.
Parameters
agg-id: Aggregation group ID, in the range of 1 to 416.
agg-name: Aggregation group name, a string of 1 to 32 characters.
Description
Use the link-aggregation group description command to set a description for an aggregation group. Use the undo link-aggregation group description command to remove the description of an aggregation group.
Examples
# Create manual aggregation group 22.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] link-aggregation group 22 mode manual
port link-aggregation group
Syntax
port link-aggregation group agg-id
undo port link-aggregation group
View
Ethernet port view
Parameters
agg-id: Aggregation group ID, in the range of 1 to 416.
Description
Use the reset lacp statistics command to clear LACP statistics on the specified ports, or on all ports if no port is specified.
Related commands: display link-aggregation interface.
Examples
# Clear LACP statistics on all Ethernet ports.
<Sysname> reset lacp statistics...
Table of Contents
1 Port Isolation Configuration Commands ... 1-1
  Port Isolation Configuration Commands ... 1-1
    display isolate port ... 1-1
    port isolate ... 1-1
...
Port Isolation Configuration Commands
display isolate port
Syntax
display isolate port
View
Any view
Parameters
None
Description
Use the display isolate port command to display the Ethernet ports assigned to the isolation group.
Examples
# Display the Ethernet ports added to the isolation group.
<Sysname>...
Assigning an isolated port to an aggregation group causes all the ports in that aggregation group on the local unit to join the isolation group. The S3600 series Ethernet switches support cross-device port isolation when IRF fabric is enabled.
By default, the isolation group contains no port.
Port Security Commands The port security modes macAddressAndUserLoginSecure and macAddressAndUserLoginSecureExt were introduced. For details, refer to port-security port-mode. Port Security Commands display mac-address security Syntax display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] View Any view Parameters interface interface-type interface-number: Specifies a port by its type and number, of which the security MAC address information is to be displayed.
0000-0000-0002 Security Ethernet1/0/20 NOAGED 0000-0000-0003 Security Ethernet1/0/20 NOAGED 0000-0000-0004 Security Ethernet1/0/20 NOAGED 0000-0000-0001 Security Ethernet1/0/22 NOAGED 0000-0000-0007 Security Ethernet1/0/22 NOAGED 6 mac address(es) found # Display the security MAC address entries for port Ethernet 1/0/20. <Sysname> display mac-address security interface Ethernet 1/0/20 MAC ADDR VLAN ID STATE...
display port-security Syntax display port-security [ interface interface-list ] View Any view Parameters interface interface-list: Specify a list of Ethernet ports of which the port security configurations are to be displayed. For the interface-list argument, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1.
(The rest of the information is omitted.) # Display the port security configurations of ports Ethernet 1/0/1 to Ethernet 1/0/3. <Sysname> display port-security interface Ethernet 1/0/1 to Ethernet 1/0/3 Ethernet1/0/1 is link-up Port mode is AutoLearn NeedtoKnow mode is needtoknowonly Intrusion mode is BlockMacaddress Max mac-address num is 4 Stored mac-address num is 0...
Field / Description
Port mode is AutoLearn: The security mode of the port is autolearn.
NeedtoKnow mode is needtoknowonly: The NTK (Need To Know) mode is ntkonly.
Intrusion mode is BlockMacaddress: The intrusion detection mode is BlockMacaddress.
Max mac-address num is 4: The maximum number of MAC addresses allowed on the port is 4.
The mac-address security command can be configured successfully only when port security is enabled and the security mode is autolearn. To create a security MAC address entry successfully, you must make sure that the specified VLAN is carried on the specified port. Examples # Enable port security;...
Use the undo port-security enable command to disable port security. By default, port security is disabled. Enabling port security resets the following configurations on the ports to the defaults (as shown in parentheses below):
802.1x (disabled), port access control method (macbased), and port access control mode (auto)
MAC authentication (disabled)
In addition, you cannot perform the above-mentioned configurations manually because these configurations change with the port security mode automatically.
By default, intrusion protection is not configured. By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC address) or events and takes a pre-set action accordingly. The actions you can set include: disconnecting the port temporarily/permanently and blocking packets with invalid MAC addresses.
Ethernet1/0/1 is link-up Port mode is Secure NeedtoKnow mode is disabled Intrusion mode is BlockMacaddress Max mac-address num is 2 Stored mac-address num is 2 Authorization is permit For description on the output information, refer to Table 1-2. # Configure the intrusion protection mode on Ethernet 1/0/1 as disableport-temporarily. As a result, the port will be disconnected when intrusion protection is triggered and then re-enabled 30 seconds later.
Use the undo port-security authorization ignore command to restore the default configuration. By default, the port uses (does not ignore) the authorization information delivered by the RADIUS server. You can use the display port-security command to check whether the port will use the authorization information delivered by the RADIUS server.
By configuring the maximum number of MAC addresses allowed on a port, you can:
Limit the number of users accessing the network through the port.
Limit the number of security MAC addresses that can be added on the port.
When the maximum number of MAC addresses allowed on a port is reached, the port will not allow more users to access the network through this port.
Use the undo port-security ntk-mode command to restore the default setting. By default, NTK is disabled on a port, namely all frames are allowed to be sent. By checking the destination MAC addresses of the data frames to be sent from a port, the NTK feature ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.
By default, no OUI value is set for authentication. The OUI value set by this command takes effect only when the security mode of the port is set to userLoginWithOUI by the port-security port-mode command. The OUI value set by this command cannot be a multicast MAC address. Related commands: port-security port-mode.
Keyword / Security mode / Description
mac-and-userlogin-secure / macAddressAndUserLoginSecure: In this mode, users trying to access the network through the port must first pass MAC address authentication and then 802.1x authentication. In this mode, only one user can access the network through the port at a time.
mac-and-userlogin-secure...: This mode is similar to the macAddressAndUserLoginSecure...
Keyword / Security mode / Description
userlogin-secure-ext / userLoginSecureExt: This mode is similar to the userLoginSecure mode, except that in this mode, there can be more than one 802.1x-authenticated user on the port.
MAC address authentication and 802.1x authentication can coexist on a port, with 802.1x authentication having higher priority.
Before setting the security mode to autolearn, you need to use the port-security max-mac-count command to configure the maximum number of MAC addresses allowed on the port. When a port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
By default, the system disables a port for 20 seconds. The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled. Related commands: port-security intrusion-mode. Examples # Set the intrusion protection mode on Ethernet 1/0/1 to disableport-temporarily.
RADIUS authenticated login using MAC-address (RALM) refers to MAC-based RADIUS authentication. Description Use the port-security trap command to enable the sending of specified type(s) of trap messages. Use the undo port-security trap command to disable the sending of specified type(s) of trap messages.
Port Binding Commands Port Binding Commands am user-bind Syntax In system view: am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number undo am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number In Ethernet port view: am user-bind mac-addr mac-address ip-addr ip-address undo am user-bind mac-addr mac-address ip-addr ip-address View System view, Ethernet port view...
Examples # In system view, bind the MAC address 000f-e200-5101 and IP address 10.153.1.1 (supposing they are MAC and IP addresses of a legal user) to Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] am user-bind mac-addr 000f-e200-5101 ip-addr 10.153.1.1 interface Ethernet1/0/1 # In Ethernet port view, bind the MAC address 000f-e200-5102 and IP address 10.153.1.2 (supposing they are MAC and IP addresses of a legal user) to Ethernet 1/0/2.
MAC address 000f-e200-5101 and IP address 10.153.1.1 are bound to Ethernet 1/0/1. MAC address 000f-e200-5102 and IP address 10.153.1.2 are bound to Ethernet 1/0/2.
DLDP Configuration Commands DLDP Configuration Commands display dldp Syntax display dldp { unit-id | interface-type interface-number } View Any view Parameters unit-id: Unit number of a device. interface-type: Port type. interface-number: Port number. Description Use the display dldp command to display the DLDP configuration of a unit or a port. Examples # Display the DLDP configuration of unit 1.
Table 1-1 Description on the fields of the display dldp command
Field / Description
dldp interval: Interval for sending DLDP advertisement packets
dldp work-mode: DLDP work mode
dldp authentication-mode: DLDP authentication mode
cipher: DLDP authentication password
dldp unidirectional-shutdown: DLDP action to be performed on detecting a unidirectional link
dldp delaydown-timer...
When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently. Examples # Enable DLDP for all the optical ports of the switch. <Sysname>...
When you configure a DLDP authentication mode and authentication password on a port, make sure that the same DLDP authentication mode and password are set on both the local port and the peer port. Otherwise, DLDP authentication fails. DLDP cannot work before DLDP authentication succeeds. Examples # Set the DLDP authentication mode and password to plain text and abc on the ports that fiber-connect devices A and B.
Examples # Set the interval for sending DLDP advertisement packets to 6 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dldp interval 6 dldp reset Syntax dldp reset View System view, Ethernet port view Parameters None Description In system view: Use the dldp reset command to reset the DLDP status of all the ports disabled by DLDP.
manual: Prompts the user to disable manually the corresponding port when DLDP detects a unidirectional link or finds in the enhanced mode that the peer port is down. After the port is disabled, it can only send and receive Recover Probe and Recover Echo packets. Description Use the dldp unidirectional-shutdown command to set the DLDP handling mode for unidirectional links.
Examples # Configure DLDP to work in enhanced mode. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dldp work-mode enhance dldp delaydown-timer Syntax dldp delaydown-timer delaydown-time undo dldp delaydown-timer View System view Parameters delaydown-time: Delaydown timer to be set (in seconds). This argument ranges from 1 to 5. Description Use the dldp delaydown-timer command to set the delaydown timer.
MAC Address Table Management Configuration Commands This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to the “Multicast Protocol” part of the manual. The function of destination MAC address triggered update was introduced. For detailed description, refer to the description of the command mac-address aging destination-hit enable.
<Sysname> display mac-address aging-time Mac address aging time: no-aging The output information indicates that dynamic MAC address entries do not age out. display mac-address Syntax display mac-address [ display-option ] View Any view Parameters display-option: Option used to display specific MAC address table information, as described in Table 1-1.
Description Use the display mac-address command to display information about MAC address entries in the MAC address table, including: MAC address, VLAN and port corresponding to the MAC address, the type (static or dynamic) of a MAC address entry, whether a MAC address is within the aging time and so on. Examples # Display information about MAC address 000f-e20f-0101.
display port-mac Syntax display port-mac View Any view Parameters None Description Use the display port-mac command to display the configured start port MAC address for the Ethernet ports on the switch, that is, the MAC address of Ethernet 1/0/1. Related commands: port-mac. Examples # Display the start port MAC address.
mac-address-attribute: Specifies the criteria for removing MAC address entries. Available syntax options for the argument are described in Table 1-3.
Table 1-3 Available syntax options for the mac-address-attribute argument
Syntax / Description
{ static | dynamic | blackhole } interface interface-type interface-number: Removes the static, dynamic, or blackhole MAC address entries concerning a specified port.
View System view Parameters None Description Use the mac-address aging destination-hit enable command to enable the destination MAC address triggered update function. Use the undo mac-address aging destination-hit enable command to disable the function. With the destination MAC address triggered update function, the switch, when forwarding packets, updates the MAC address entries for the destination MAC addresses.
To prevent illegal devices from accessing the network through a port, you can configure static MAC addresses and disable MAC address learning for the port. Thus, only the packets destined for the configured MAC addresses can be forwarded out the port. Related commands: mac-address, mac-address timer.
port-mac Syntax port-mac start-mac-address undo port-mac View System view Parameters start-mac-address: Start MAC address for the Ethernet ports on the switch, in the format of H-H-H. It must be a valid unicast address. Description Use the port-mac command to configure the start MAC address for the Ethernet ports on the device. This MAC address is assigned to port Ethernet 1/0/1, and is called the start port MAC address.
Auto Detect Configuration Commands Auto Detect Configuration Commands Refer to the Routing Protocol part of the manual for information about static routing. Refer to the VRRP part of the manual for information about VRRP. detect-group Syntax detect-group group-number undo detect-group group-number View System view Parameters...
detect-list Syntax detect-list list-number ip address ip-address [ nexthop ip-address ] undo detect-list list-number View Detected group view Parameters list-number: Sequence number of the IP address to be detected. This argument ranges from 1 to 10. ip address ip-address: Specifies the destination IP address (in dotted decimal notation) to be detected. nexthop ip-address: Specifies the next hop IP address for Auto Detect.
Description Use the display detect-group command to display the configuration of the specified detected group or all detected groups. Examples # Display the configuration of detected group 1. <Sysname> display detect-group 1 detect-group 1 : detect loop time(s) : 15 ping wait time(s) : 2 detect retry times : 2 detect ip option : and...
View System view Parameters ip-address: IP address in dotted decimal notation. mask: Subnet mask. mask-length: Length of the subnet mask, that is, the number of successive bits in the subnet mask whose values are 1. interface-type interface-number: Interface type and interface number. next-hop: Next hop IP address in dotted decimal notation.
Parameters and: Specifies the relationship between detected objects as logic AND, which means that the detecting result is reachable only when all the detected objects contained in the detected group are reachable. or: Specifies the relationship between detected objects as logic OR, which means that the detecting result is reachable if one of the detected objects contained in the detected group is reachable.
Description Use the retry command to set the maximum retry times during a detect operation. Use the undo retry command to restore the default times. By default, the maximum retry times during a detect operation is two. Examples # Set the maximum number of retries to 3 for detected group 10. <Sysname>...
timer loop Syntax timer loop interval undo timer loop View Detected group view Parameters interval: Detecting interval. This argument ranges from 1 to 86,400 (in seconds) and defaults to 15. Description Use the timer loop command to set the detecting interval, that is, the frequency to perform auto detect operations.
After this configuration, if detected group 10 is reachable, the master keeps as master, and if detected group 10 is unreachable, the master decreases its priority by 20 and becomes a backup.
MSTP Configuration Commands The following commands were added: The commands concerning STP maintenance. Refer to stp portlog and stp portlog all. The commands for displaying information about STP. Refer to display stp abnormalport, display stp portdown, and display stp root. The command concerning sending trap messages conforming to the 802.1d standard. Refer to stp dot1d-trap.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp region-configuration [Sysname-mst-region] active region-configuration bpdu-drop any Syntax bpdu-drop any undo bpdu-drop any View Ethernet port view Parameters None Description Use the bpdu-drop any command to enable BPDU dropping on the Ethernet port. Use the undo bpdu-drop any command to disable BPDU dropping on the Ethernet port.
The H3C series support only the MST region name, VLAN-to-MSTI mapping table, and revision level. Switches with the settings of these parameters being the same are assigned to the same MST region.
View Any view Parameters instance-id: ID of the MSTI ranging from 0 to 16. The value of 0 refers to the common and internal spanning tree (CIST). interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
Examples # Display the brief state information of MSTI 0 on Ethernet 1/0/1 through Ethernet 1/0/4. <Sysname> display stp instance 0 interface Ethernet 1/0/1 to Ethernet 1/0/4 brief MSTID Port Role STP State Protection Ethernet1/0/1 ALTE DISCARDING LOOP Ethernet1/0/2 DESI FORWARDING NONE Ethernet1/0/3...
Protection Type :None MSTP BPDU format :Config=auto / Active=legacy Port Config Digest Snooping :disabled Num of Vlans Mapped :1 PortTimes :Hello 2s MaxAge 20s FwDly 15s MsgAge 0s RemHop 20 BPDU Sent TCN: 0, Config: 0, RST: 0, MST: 0 BPDU Received TCN: 0, Config: 0, RST: 0, MST: 0 Table 1-3 display stp command output description...
Field / Description
Transmit Limit: The maximum number of packets sent within each Hello time
Protection Type: Protection type on the port, including Root guard and Loop guard
MST BPDU format: Format of the MST BPDUs that the port can send, which can be legacy or 802.1s.
Table 1-4 Description on the fields of the display stp abnormalport command Field Description MSTID MSTI ID in the MST region Port Port that has been blocked Block Reason The function blocking the port display stp portdown Syntax display stp portdown View Any view Parameters...
Description Use the display stp region-configuration command to display the activated MST region configuration, including the region name, region revision level, and VLAN-to-MSTI mappings configured for the switch. Related commands: stp region-configuration. Examples # Display the configuration of the MST region. <Sysname>...
-------- -------------------- ------------ ------------- ----------- 32768.00e0-fc53-d908 Ethernet1/0/18 Table 1-7 Description on the fields of the display stp root command Field Description MSTID MSTI ID in the MST region Root Bridge ID ID of the root bridge ExtPathCost Cost of the external path from the switch to the root bridge IntPathCost Cost of the internal path from the switch to the root bridge Root port (If a port on the current device is an MSTI root port, the port...
Examples # Map VLAN 2 to MSTI 1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp region-configuration [Sysname-mst-region] instance 1 vlan 2 region-name Syntax region-name name undo region-name View MST region view Parameters name: MST region name to be set for the switch, a string of 1 to 32 characters. Description Use the region-name command to set an MST region name for a switch.
Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument. Description Use the reset stp command to clear spanning tree statistics.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp region-configuration [Sysname-mst-region] revision-level 5 stp Syntax stp { enable | disable } undo stp View System view, Ethernet port view Parameters enable: Enables MSTP globally or on a port. disable: Disables MSTP globally or on a port.
View System view Parameters None Description Use the stp bpdu-protection command to enable the BPDU guard function on the switch. Use the undo stp bpdu-protection command to restore to the default state of the BPDU guard function. By default, the BPDU guard function is disabled. Normally, the access ports of the devices operating on the access layer are directly connected to terminals (such as PCs) or file servers.
Parameters bridgenum: Network diameter to be set for a switched network. This argument ranges from 2 to 7. Description Use the stp bridge-diameter command to set the network diameter of a switched network. The network diameter of a switched network is represented by the maximum possible number of switches between any two terminal devices in a switched network.
Legacy mode. Ports in this mode recognize/send packets in legacy format. 802.1s mode. Ports in this mode recognize/send packets in dot1s format. A port acts as follows according to the format of MSTP packets forwarded by a peer switch or router. When a port operates in the automatic mode: The port automatically determines the format (legacy or dot1s) of received MSTP packets and then determines the format of the packets to be sent accordingly, thus communicating with the peer...
According to IEEE 802.1s, two interconnected switches can interwork with each other through MSTIs in an MST region only when the two switches have the same MST region-related configuration. With MSTP enabled, interconnected switches determine whether or not they are in the same MST region by checking the configuration IDs of the BPDUs between them.
[Sysname] stp config-digest-snooping stp cost Syntax stp [ instance instance-id ] cost cost undo stp [ instance instance-id ] cost View Ethernet port view Parameters instance-id: ID of an MSTI ranging from 0 to 16. The value of 0 refers to the CIST. cost: Path cost to be set for the port.
stp dot1d-trap Syntax stp [ instance instance-id ] dot1d-trap [ newroot | topologychange ] enable undo stp [ instance instance-id ] dot1d-trap [ newroot | topologychange ] enable View System view Parameters instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to CIST. With this argument specified, the trap messages sent are only of the MSTI identified by this argument.
Description Use the stp edged-port enable command to configure the current Ethernet port as an edge port. Use the stp edged-port disable command to configure the current Ethernet port as a non-edge port. Use the undo stp edged-port command to restore the current Ethernet port to its default state. By default, all Ethernet ports of a switch are non-edge ports.
disable: Disables MSTP on the specified ports. Description Use the stp interface command to enable or disable MSTP on specified ports in system view. By default, MSTP is enabled on the ports of a switch if MSTP is globally enabled on the switch, and MSTP is disabled on the ports if MSTP is globally disabled.
By default, a port recognizes and sends MSTP packets in the automatic mode. A port can be configured to recognize and send MSTP packets in the following modes. Automatic mode. Ports in this mode determine the format of the MSTP packets to be sent according to the format of the received packets.
&<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument. Description Use the stp interface config-digest-snooping command to enable the digest snooping feature on specific ports. Use the undo stp interface config-digest-snooping command to disable the digest snooping feature on specific ports.
When the digest snooping feature is enabled on a port, the port turns to the discarding state. That is, the port stops sending BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. The digest snooping feature is needed only when your switch is connected to another manufacturer’s switches adopting proprietary spanning tree protocols.
With the IEEE 802.1t standard selected, the path cost of an Ethernet port ranges from 1 to 200000000. With the proprietary standard selected, the path cost of an Ethernet port ranges from 1 to 200000. Description Use the stp interface cost command to set the path cost(s) of the specified port(s) in a specified MSTI in system view.
Use the stp interface edged-port disable command to configure the specified Ethernet ports as non-edge ports in system view. Use the undo stp interface edged-port command to restore the specified Ethernet ports to the default state. By default, all Ethernet ports of a switch are non-edge ports. An edge port is a port that is directly connected to a user terminal instead of another switch or a network segment.
Use the undo stp interface loop-protection command to restore the default state of the loop guard function in system view. The loop guard function is disabled by default. Related commands: stp loop-protection. With the loop guard function enabled, the root guard function and the edge port configuration are mutually exclusive.
H3C series switches running MSTP, the upstream designated port fails to change its state rapidly. The rapid transition feature is developed on the H3C series switches to avoid this case. When an H3C series switch running MSTP is connected in the upstream direction to a manufacturer's switch adopting proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the H3C series switch operating as the downstream switch.
The rapid transition feature can be enabled on root ports or alternate ports only. You can enable the rapid transition feature on the designated port, however, the feature does not take effect on the port. Examples # Enable the rapid transition feature for Ethernet 1/0/1. <Sysname>...
These two commands apply to CIST and MSTIs. If you configure the link to which a port is connected to be a point-to-point link (or a non-point-to-point link), the configuration applies to all MSTIs (that is, the port is configured to connect to a point-to-point link (or a non-point-to-point link) in all MSTIs). If the actual physical link is not a point-to-point link and you configure the link to which the port is connected to be a point-to-point link, loops may temporarily occur.
Examples # Set the port priority of Ethernet 1/0/3 in MSTI 2 to 16. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet 1/0/3 instance 2 port priority 16 stp interface root-protection Syntax stp interface interface-list root-protection undo stp interface interface-list root-protection View System view...
View Ethernet port view Parameters None Description Use the stp loop-protection command to enable the loop guard function on the current port. Use the undo stp loop-protection command to restore the loop guard function to the default state on the current port. By default, the loop guard function is disabled.
The maximum hop count configured on the region roots of an MST region limits the size of the MST region. A configuration BPDU contains a field that maintains the remaining hops of the configuration BPDU, and a switch discards the configuration BPDUs whose remaining hops are 0. After a configuration BPDU reaches a root bridge of a spanning tree in an MST region, the value of the remaining hops field in the configuration BPDU is decreased by 1 every time the configuration BPDU passes one switch.
H3C series switch operating as the downstream switch. Among these ports, those operating as the root ports will then actively send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch.
View System view Parameters dot1d-1998: Uses the IEEE 802.1D-1998 standard to calculate the default path costs of ports. dot1t: Uses the IEEE 802.1t standard to calculate the default path costs of ports. legacy: Uses the proprietary standard to calculate the default path costs of ports. Description Use the stp pathcost-standard command to set the standard to be used to calculate the default path costs of the links connected to the switch.
Examples # Configure to use the IEEE 802.1D-1998 standard to calculate the default path costs of ports. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp pathcost-standard dot1d-1998 # Configure to use the IEEE 802.1t standard to calculate the default path costs of ports. <Sysname>...
Examples # Configure the link connected to Ethernet 1/0/3 as a point-to-point link. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/3 [Sysname-Ethernet1/0/3] stp point-to-point force-true stp port priority Syntax stp [ instance instance-id ] port priority priority undo stp [ instance instance-id ] port priority View Ethernet port view...
undo stp [ instance instance-id ] portlog View System view Parameters instance instance-id: Specifies an MSTI ID, ranging from 0 to 16. The value of 0 indicates the CIST. Description Use the stp portlog command to enable log and trap message output for the ports of a specified instance.
stp priority Syntax stp [ instance instance-id ] priority priority undo stp [ instance instance-id ] priority View System view Parameters instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST. priority: Switch priority to be set. This argument ranges from 0 to 61,440 and must be a multiple of 4,096 (such as 0, 4,096, and 8,192).
MST region-related parameters include: region name, revision level, and VLAN-to-MSTI mapping table. By default:
MST region name is the first MAC address of the switch
All VLANs are mapped to the CIST in the VLAN-to-MSTI mapping table
The MSTP revision level is 0
You can modify the three parameters after entering MST region view by using the stp region-configuration command.
You can specify the current switch as the root bridge of an MSTI regardless of the priority of the switch. You can also specify the network diameter of the switched network by using the stp root primary command. The switch will then figure out the following three time parameters: hello time, forward delay, and max age.
By default, a switch does not operate as a secondary root bridge. If you do not specify the instance-id argument, the two commands apply to only the CIST. You can configure one or more secondary root bridges for an MSTI. If the switch operating as the root bridge fails or is turned off, the secondary root bridge with the least MAC address becomes the root bridge.
Related commands: stp interface root-protection. Examples # Enable the root guard function on Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp root-protection stp tc-protection Syntax stp tc-protection enable stp tc-protection disable View System view Parameters...
undo stp tc-protection threshold
View
System view
Parameters
number: Maximum number of times that a switch can remove the MAC address table and ARP entries within each 10 seconds, in the range of 1 to 255.
Description
Use the stp tc-protection threshold command to set the maximum number of times that a switch can remove the MAC address table and ARP entries within each 10 seconds.
Parameters
centi-seconds: Forward delay in centiseconds to be set. This argument ranges from 400 to 3,000.
Description
Use the stp timer forward-delay command to set the forward delay of the switch. Use the undo stp timer forward-delay command to restore the forward delay to the default value.
By default, the forward delay of the switch is 1,500 centiseconds.
A root bridge regularly sends out configuration BPDUs to maintain the stability of existing spanning trees. If the switch does not receive BPDU packets in a specified period, spanning trees will be recalculated because BPDU packets time out. When a switch becomes a root bridge, it regularly sends BPDUs at the interval specified by the hello time you have configured on it.
2 × (forward delay – 1 second) >= max age
max age >= 2 × (hello time + 1 second)
It is recommended that you specify the network diameter of the switched network and the hello time parameter by using the stp root primary or stp root secondary command. After that, the three proper time-related parameters are automatically determined by MSTP.
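The two timer constraints above, as an added example that is not code from the H3C manual: a small Python checker that validates a candidate hello/forward-delay/max-age triple before it is configured, so an inconsistent set is caught rather than applied to a live spanning tree. The forward-delay range (400 to 3,000 centiseconds) and its default (1,500) are the page's; the hello and max-age ranges and defaults are assumed standard 802.1D values, not taken from this page.

```python
"""Consistency check for the MSTP timer relationships stated above.

Added example, not code from the H3C manual. All values are in
centiseconds, the unit the stp timer commands take. The forward-delay
range and default come from the page; the hello and max-age ranges and
defaults below are assumed standard 802.1D values.
"""

ONE_SECOND = 100  # centiseconds

FORWARD_DELAY_RANGE = (400, 3000)   # from the manual
FORWARD_DELAY_DEFAULT = 1500        # from the manual
HELLO_RANGE = (100, 1000)           # assumed
HELLO_DEFAULT = 200                 # assumed (802.1D default: 2 s)
MAX_AGE_RANGE = (600, 4000)         # assumed
MAX_AGE_DEFAULT = 2000              # assumed (802.1D default: 20 s)


def max_age_window(hello, forward_delay):
    """Bounds on max age implied by the two constraints:
    max age >= 2 x (hello + 1 s) and 2 x (forward delay - 1 s) >= max age.
    Returns (low, high); an empty window has low > high."""
    low = 2 * (hello + ONE_SECOND)
    high = 2 * (forward_delay - ONE_SECOND)
    return low, high


def window_is_feasible(hello, forward_delay):
    """True if at least one max age value satisfies both constraints."""
    low, high = max_age_window(hello, forward_delay)
    return low <= high


def check_stp_timers(hello=HELLO_DEFAULT,
                     forward_delay=FORWARD_DELAY_DEFAULT,
                     max_age=MAX_AGE_DEFAULT):
    """Return a list of human-readable violations; an empty list means
    the triple is within range and satisfies both constraints."""
    problems = []
    for name, value, (lo, hi) in (
        ("hello time", hello, HELLO_RANGE),
        ("forward delay", forward_delay, FORWARD_DELAY_RANGE),
        ("max age", max_age, MAX_AGE_RANGE),
    ):
        if not lo <= value <= hi:
            problems.append(f"{name} {value} outside {lo}..{hi} centiseconds")
    low, high = max_age_window(hello, forward_delay)
    if low > high:
        problems.append(f"no max age fits: need >= {low} and <= {high}")
    if max_age < low:
        problems.append(f"max age {max_age} < 2 x (hello + 1 s) = {low}")
    if max_age > high:
        problems.append(f"max age {max_age} > 2 x (forward delay - 1 s) = {high}")
    return problems


if __name__ == "__main__":
    # The defaults are consistent; a 5 s hello with a 6 s forward delay is not.
    for args in ({}, {"hello": 500, "forward_delay": 600, "max_age": 2000}):
        print(args, check_stp_timers(**args) or "OK")
```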
stp transmit-limit
Syntax
stp transmit-limit packetnum
undo stp transmit-limit
View
Ethernet port view
Parameters
packetnum: Maximum number of configuration BPDUs a port can transmit in each hello time. This argument ranges from 1 to 255.
Description
Use the stp transmit-limit command to set the maximum number of configuration BPDUs the current port can transmit in each hello time.
MSTP uses a VLAN-to-MSTI mapping table to describe VLAN-to-MSTI mappings. You can use this command to establish the VLAN-to-MSTI mapping table and map VLANs to MSTIs in a specific way. Note that a VLAN cannot be mapped to multiple different MSTIs at the same time. A VLAN-to-MSTI mapping becomes invalid when you map the VLAN to another MSTI.
By default, the VLAN-VPN tunnel function is disabled. The VLAN-VPN tunnel function can only be enabled on STP-enabled devices. To enable the VLAN-VPN tunnel function, make sure the links between operator’s networks are trunk links. If a fabric port exists on a switch, you cannot enable the VLAN-VPN function for any port of the switch.
IP Routing Table Commands
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. The S3600-SI series does not support OSPF.
The feature of specifying the ABR of an NSSA area as the Type-7 LSA translator has been added. For the command used, refer to nssa.
Description
Use the display ip routing-table command to display the routing table summary. Each line represents one route, containing destination address/mask length, protocol, preference, cost, next hop, and output interface. This command displays only the currently used routes, that is, the optimal routes.
Examples
# Display the summary of the current routing table.
127.0.0.0/8 DIRECT 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 127.0.0.1 InLoopBack0
Table 1-1 Description on the fields of the display ip routing-table command
Field  Description
Destination/Mask  Destination address/mask length
Protocol  Routing protocol
Route preference
Cost  Route cost
Nexthop  Next hop address
Interface  Output interface, through which the data packets destined for the destination network segment are sent
display ip routing-table acl...
192.168.1.2/32 DIRECT 127.0.0.1 InLoopBack0
For descriptions of the above fields, refer to Table 1-1.
# Display the detailed information of routes that match ACL 2100.
<Sysname> display ip routing-table acl 2100 verbose
Routes matched by access-list 2100:
+ = Active Route, - = Last Active, # = Both * = Next hop in use
Summary count: 3
**Destination: 192.168.1.0...
Field  Description
Description of route state:
ActiveU  An active unicast route, where "U" represents unicast.
Blackhole  A blackhole route is similar to a reject route, but no ICMP unreachable message is sent to the source.
Delete  A route is to be deleted.
Gateway  An indirect route.
Parameters
ip-address: Destination IP address, in dotted decimal notation.
mask: Subnet mask, in dotted decimal notation.
mask-length: Length of a subnet mask, in the range of 0 to 32.
longer-match: Specifies all the routes that lead to the destination address and match the specified mask.
verbose: With this keyword specified, detailed information of routes in the active or inactive state that match the IP prefix list is displayed. With this keyword not specified, brief information of only the routes in the active state that match the prefix list is displayed.
Description
Use the display ip routing-table ip-prefix command to display the information of routes matching the specified IP prefix list.
Parameters
protocol: You can provide one of the following values for this argument.
direct: Displays direct-connect route information.
ospf: Displays OSPF route information.
ospf-ase: Displays OSPF ASE route information.
ospf-nssa: Displays OSPF not-so-stubby area (NSSA) route information.
rip: Displays RIP route information.
static: Displays static route information.
Description
Use the display ip routing-table radix command to display the route information in a tree structure.
Examples
<Sysname> display ip routing-table radix
Radix tree for INET (2) inodes 7 routes 5: +-32+--{210.0.0.1 +--0+ | | +--8+--{127.0.0.0 | | | +-32+--{127.0.0.1 | +--1+ +--8+--{20.0.0.0 +-32+--{20.1.1.1...
O_ASE
O_NSSA
Total
Table 1-4 Description on the fields of the display ip routing-table statistics command
Field  Description
Proto  Routing protocol type. O_ASE: OSPF_ASE; O_NSSA: OSPF NSSA; AGGRE: Aggregation protocol
Route  Total number of routes
Active  Number of active routes
Added  Number of routes added after the router is rebooted or the routing table is cleared last time.
O_ASE
O_NSSA
Total
# Clear the routing statistics of all protocols from the IP routing table.
<Sysname> reset ip routing-table statistics protocol all
# Display the routing statistics in the IP routing table.
<Sysname> display ip routing-table statistics
Routing tables:
Proto route active...
Static Route Configuration Commands
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
Static Route Configuration Commands
delete static-routes all
Syntax
delete static-routes all
View
System view
Parameters
None
Description...
undo ip route-static ip-address { mask | mask-length } [ interface-type interface-number | next-hop ] [ preference preference-value ]
View
System view
Parameters
ip-address: Destination IP address, in dotted decimal notation.
mask: Subnet mask, in dotted decimal notation.
mask-length: Mask length, in the range of 0 to 32.
interface-type interface-number: Next-hop outbound interface.
You cannot configure an interface address of the local switch as the next hop address of a static route. You can configure a different preference to implement a flexible route management policy.
Related commands: display ip routing-table.
Examples
# Configure the next hop of the default route as 129.102.0.2.
<Sysname>...
RIP Configuration Commands
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
RIP Configuration Commands
checkzero
Syntax
checkzero
undo checkzero
View
RIP view
Parameters
None
Description
Use the checkzero command to enable the must-be-zero field check for RIP-1 packets. Use the undo checkzero command to disable the must-be-zero field check for RIP-1 packets.
default cost
Syntax
default cost value
undo default cost
View
RIP view
Parameters
value: Default cost, in the range of 1 to 16.
Description
Use the default cost command to set the default cost for redistributed routes. Use the undo default cost command to restore the default.
By default, the default cost of a redistributed route is 1.
RIP is running
Checkzero is on
Default cost : 1
Summary is on
Preference : 100
Traffic-share-across-interface is off
Period update timer : 30
Timeout timer : 180
Garbage-collection timer : 120
No peer router
Network : 202.38.168.0
Table 3-1 Description on the fields of the display rip command
Field  Description
RIP is running...
Description
Use the display rip interface command to display RIP interface information.
Examples
# Display RIP interface information.
<Sysname> display rip interface
RIP Interface: public net
Address  Interface  MetrIn/Out  Input  Output  Split-horizon
1.0.0.1  Vlan-interface100
Table 3-2 Description on the fields of the display rip interface command
Field  Description
IP address of the interface running RIP (You need to use the network...
A = Active  I = Inactive  G = Garbage collection  C = Change  T = Trigger RIP
Destination/Mask  Cost  NextHop  SourceGateway
192.168.110.0/24  31.31.31.8  31.31.31.8
200.1.1.0/24  31.31.31.8  31.31.31.8
130.1.0.0/16  31.31.31.8  31.31.31.8
Table 3-3 Description on the fields of the display rip routing command
Field  Description
Destination/Mask...
process-id: Process ID of the routing protocol whose routing information is to be filtered, in the range of 1 to 65535. This argument is valid only for ospf, ospf-ase, and ospf-nssa.
Description
Use the filter-policy export command to enable RIP to filter the outgoing routing information. Use the undo filter-policy export command to disable RIP from filtering the outgoing routing information.
Description Use the filter-policy gateway command to enable RIP to filter the routing information advertised by a specified address. Use the undo filter-policy gateway command to disable RIP from filtering the routing information advertised by a specified address. Use the filter-policy import command to enable RIP to filter the incoming routing information. Use the undo filter-policy import command to disable RIP from filtering the incoming routing information.
network
Syntax
network network-address
undo network network-address
View
RIP view
Parameters
network-address: Network/IP address of an interface, in dotted decimal notation.
Description
Use the network command to enable RIP on an interface attached to the specified network segment. Use the undo network command to disable RIP on the interface attached to the specified network segment.
Description Use the peer command to specify the IP address of a neighbor, where routing updates destined for the peer are unicast, rather than multicast or broadcast. Use the undo peer command to remove the IP address of a neighbor. By default, no neighbor is specified.
reset
Syntax
reset
View
RIP view
Parameters
None
Description
Use the reset command to reset the system configuration parameters of RIP. When you need to re-configure the parameters of RIP, you can use this command to restore the default.
Examples
# Reset the RIP system configuration.
Note that the interface-related parameters configured previously would be invalid after RIP is disabled.
Examples
# Enable RIP and enter RIP view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip]
rip authentication-mode
Syntax
rip authentication-mode { simple password | md5 { rfc2082 key-string key-id | rfc2453 key-string } }
undo rip authentication-mode
View
Interface view...
You can configure RIPv1 authentication mode in interface view, but the configuration will not take effect because RIPv1 does not support authentication.
Examples
# Specify the interface VLAN-interface 10 to use simple authentication with the authentication key aaa.
<Sysname>...
rip metricin
Syntax
rip metricin value
undo rip metricin
View
Interface view
Parameters
value: Additional metric of RIP routes received on an interface, in the range of 0 to 16.
Description
Use the rip metricin command to configure an additional metric for RIP routes received on an interface. Use the undo rip metricin command to restore the default.
By default, the additional metric of RIP routes sent out of an interface is 1. With the command configured on an interface, the metric of RIP routes sent on the interface will be increased.
Related commands: rip metricin.
Examples
# Set the additional metric of RIP routes sent out of the interface VLAN-interface 10 to 2.
<Sysname>...
Parameters
None
Description
Use the rip split-horizon command to enable the split horizon function. Use the undo rip split-horizon command to disable the split horizon function.
By default, the split horizon function is enabled.
The split horizon function disables an interface from sending routes received from the interface to prevent routing loops between adjacent routers.
Related commands: rip input, rip output.
Examples
# Disable the interface VLAN-interface 10 from receiving or sending RIP packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] undo rip work
summary
Syntax
summary
undo summary
View
RIP view...
timers
Syntax
timers { update update-timer | timeout timeout-timer } *
undo timers { update | timeout } *
View
RIP view
Parameters
update-timer: Length of the Period Update timer in seconds, in the range of 1 to 3600.
timeout-timer: Length of the Timeout timer in seconds, in the range of 1 to 3600.
Description
Use the timers command to modify the lengths of the three RIP timers: Period Update, Timeout, and Garbage-collection (which is usually set to a length four times that of the Period Update timer).
View
RIP view
Parameters
None
Description
Use the traffic-share-across-interface command to enable traffic to be forwarded along multiple equivalent RIP routes. Use the undo traffic-share-across-interface command to disable this function.
By default, this function is disabled.
When the number of equivalent routes reaches the upper limit: If this function is enabled, the newly learned equivalent route replaces the existing equivalent route in the routing table.
OSPF Configuration Commands
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. The S3600-SI series does not support OSPF.
OSPF Configuration Commands
abr-summary
Syntax
abr-summary ip-address mask [ advertise | not-advertise ]
undo abr-summary ip-address mask
View
OSPF area view...
Examples
# Summarize subnets 36.42.10.0/24 and 36.42.110.0/24 in OSPF area 1 with summary route 36.42.0.0/16 and advertise it to other areas.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] area 1
[Sysname-ospf-1-area-0.0.0.1] network 36.42.10.0 0.0.0.255
[Sysname-ospf-1-area-0.0.0.1] network 36.42.110.0 0.0.0.255
[Sysname-ospf-1-area-0.0.0.1] abr-summary 36.42.0.0 255.255.0.0
area...
Parameters
ip-address: IP address of the summary route, in dotted decimal notation.
mask: IP address mask, in dotted decimal notation.
not-advertise: Specifies not to advertise the summary route. If this argument is not provided, the summary route will be advertised.
tag value: Tag value, which is mainly used to control route advertisement through a route-policy.
Use the undo authentication-mode command to cancel the authentication attribute of this area.
By default, an area does not support the authentication attribute.
All the routers in one area must use the same authentication mode (no authentication, simple text authentication, or MD5 cipher text authentication). If an authentication mode is configured, all routers on the same segment must use the same authentication key.
type: Default type of external routes redistributed by OSPF. The value of this argument is 1 or 2.
Description
Use the default command to configure the default parameters for redistributed routes, including cost, interval, limit, tag, and type. Use the undo default cost command to restore the default.
By default, the cost, interval, limit, tag, and type are 1, 1, 1000, 1, and 2, respectively.
You must use the stub command on all the routers connected to a Stub area to configure the area with the stub attribute. Use the default-cost command to configure the cost of the default route advertised by an ABR to a Stub area or NSSA.
cost value: Specifies the cost value of the default route. The default route with the lowest cost value is preferred. The value of value ranges from 0 to 16777214. If no cost is specified, the default cost specified by the default cost command applies.
type type-value: Specifies the type of the route.
Related commands: router id.
Examples
# Display the router ID.
<Sysname> display router id
Configured router id is 1.1.1.1
display ospf abr-asbr
Syntax
display ospf [ process-id ] abr-asbr
View
Any view
Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
Field  Description
Nexthop  IP address of the next hop
Interface  Local output interface
display ospf asbr-summary
Syntax
display ospf [ process-id ] asbr-summary [ ip-address mask ]
View
Any view
Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
The Count of Route is 0
Table 4-2 Description on the fields of the display ospf asbr-summary command
Field  Description
Network address of the summary route
mask  Subnet mask of the summary route
Tag of the summary route
status  Advertisement state of the summary route, including DoNotAdvertise: The summary can not be advertised.
Field  Description
Flags  Area type flag:
Nssa: NSSA area
NssaDefault: A default route is generated into the NSSA.
NssaNoSummary: ABR is disabled from advertising Type-3 LSAs into NSSA.
NssaNoRedistribution: Prohibits advertisement of redistributed routes into NSSA.
Stub: Stub area
StubDefault: A default route is generated into Stub area.
StubNoSummary: ABR is disabled from advertising Type-3 LSAs to Stub area.
display ospf cumulative
Syntax
display ospf [ process-id ] cumulative
View
Any view
Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
Description
Use the display ospf cumulative command to display cumulative OSPF statistics.
rtr: 1  net: 0  sumasb: 0  sumnet: 1
Routing Table:
Intra Area: 1  Inter Area: 0  ASE: 0
Table 4-4 Description on the fields of the display ospf cumulative command
Field  Description
Type  Type of input/output OSPF packet:
Hello: Hello packet
DB Description: Database Description packet
Link-State Req: Link-State Request packet...
Description
Use the display ospf error command to display OSPF error information.
Examples
# Display the OSPF error information.
<Sysname> display ospf error
OSPF Process 1 with Router ID 1.1.1.1
OSPF packet error statistics:
0: IP: received my own packet
0: OSPF: wrong packet type
0: OSPF: wrong version
0: OSPF: wrong checksum...
Field  Description
OSPF: packet size > ip length  OSPF packet size exceeds IP packet length
OSPF: transmit error  OSPF transmission error
OSPF: interface down  OSPF interface is down, unavailable
OSPF: unknown neighbor  OSPF neighbors are unknown
HELLO: netmask mismatch  Network mask mismatch
HELLO: hello timer mismatch  Interval of HELLO packet is mismatched
HELLO: dead timer mismatch...
display ospf interface
Syntax
display ospf [ process-id ] interface [ interface-type interface-number ]
View
Any view
Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
interface-type interface-number: Interface type and interface number.
Field  Description
Priority  Priority of DR for interface election
Designated Router  DR on the network in which the interface resides
Backup Designated Router  BDR on the network in which the interface resides
Timers  OSPF timers, defined as follows:
Hello: Interval of hello packet
Dead: Interval of dead neighbors...
Description
Use the display ospf lsdb command to display the OSPF link state database (LSDB) information. If no OSPF process is specified, LSDB information of all OSPF processes is displayed.
Examples
# Display the OSPF link state database information.
<Sysname>...
Field  Description
Location of the LSA, used to indicate in which stage of the route calculation the LSA is:
Uninitialized: The LSA is not initialized or is originated by another router.
Clist: The LSA is on the candidate list.
SpfTree: The LSA is in the SPF tree.
SumAsb List: The LSA is in the AS border reachable to the attached area.
Field  Description
Options  Options of the LSA:
O: Opaque LSA advertisement and reception capability
E: AS External LSA reception capability
EA: External extended LSA reception and forwarding capability
DC: On-demand link support
N: NSSA external LSA support
P: Capability of an NSSA ABR to translate Type-7 LSAs into Type-5 LSAs.
Table 4-9 Description on the fields of the display ospf nexthop command
Field  Description
Next hops  Detailed information of next hops
Address  IP address of next hop
Type  Type of next hop
Refcount  Reference count of the next hop, namely, number of routes using the next hop
Intf Addr  IP address of the interface to the next hop
Intf Name...
Field  Description
State of a neighbor:
Down: This is the initial state of a neighbor conversation.
Init: In this state, the router has seen a Hello packet from the neighbor. However, the router has not established bidirectional communication with the neighbor (the router itself did not appear in the neighbor's hello packet).
Field  Description
State  State of a neighbor router, including Down, Init, Attempt, 2-Way, Exstart, Exchange, Loading, and Full. If the neighbor router is a designated router, DR will be attached to the state. If the neighbor router is a backup designated router, BDR will be attached. If the neighbor router is neither a DR nor a BDR, only the state is displayed.
Field  Description
Full  Indicates that database synchronization between the routers that have established a neighbor relationship has been completed, and their link state databases are consistent.
Total  Total number of neighbors in various states
display ospf request-queue
Syntax
display ospf [ process-id ] request-queue
View
Any view
Parameters...
display ospf retrans-queue
Syntax
display ospf [ process-id ] retrans-queue
View
Any view
Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
Description
Use the display ospf retrans-queue command to display the information about the OSPF retransmission queue.
View
Any view
Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
Description
Use the display ospf routing command to display the information about the OSPF routing table.
Examples
# Display OSPF routing information.
View
Any view
Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
Description
Use the display ospf vlink command to display the information about OSPF virtual links.
Examples
# Display OSPF virtual link information.
import-route
Syntax
import-route protocol [ process-id ] [ cost value | type value | tag value | route-policy route-policy-name ] *
undo import-route protocol [ process-id ]
View
OSPF view
Parameters
protocol: Source routing protocol whose routes will be imported. At present, it can be direct, ospf, ospf-ase, ospf-nssa, rip, or static.
log-peer-change
Syntax
log-peer-change
undo log-peer-change
View
OSPF view
Parameters
None
Description
Use the log-peer-change command to enable logging of OSPF neighbor state changes. Use the undo log-peer-change command to disable logging of OSPF neighbor state changes.
By default, logging of OSPF neighbor state changes is disabled.
Note that: With the logging enabled, the system will output log information when a neighbor changes to the Full state or to the Down state.
Examples
# Set the number of OSPF ECMP routes to 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] multi-path-number 2
network
Syntax
network ip-address wildcard-mask
undo network ip-address wildcard-mask
View
OSPF area view
Parameters
ip-address: IP address of the network segment where the interface resides, in dotted decimal notation.
View
OSPF area view
Parameters
default-route-advertise: Redistributes a default route into an NSSA.
no-import-route: Redistributes no routes into an NSSA.
no-summary: Advertises only a default route in a Type-3 summary LSA into the NSSA area and disables the ABR from transmitting any other Type-3 LSAs to an NSSA.
translate-always: Specifies the ABR as the Type-7 LSA translator of the NSSA area.
After an OSPF area is configured as a Stub area, the ABR in the area automatically advertises a default route into the attached NSSA area. After an area is configured as an NSSA area, however, no ABR or ASBR in the area will automatically advertise a default route into the attached NSSA.
Examples
# Configure area 1 as an NSSA area.
To run OSPF, a router must have a router ID specified. If no router ID is specified, the system will automatically select one of the router interface IP addresses as the router ID. If a router runs multiple OSPF processes, it is recommended that you specify a router ID for each process by using the ospf command.
Examples
# Configure area 1, where the network segment 131.119.0.0 of interface VLAN-interface 10 resides, to support MD5 cipher text authentication. Set the authentication key identifier to 15 and the authentication key to abc.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] area 1
[Sysname-ospf-1-area-0.0.0.1] network 131.119.0.0 0.0.255.255...
undo ospf dr-priority
View
Interface view
Parameters
priority: Designated router (DR) election priority of the interface, in the range of 0 to 255.
Description
Use the ospf dr-priority command to configure the DR election priority of the interface. Use the undo ospf dr-priority command to restore the default.
By default, the DR election priority of an interface is 1.
Examples
# Bind MIB operations to OSPF process 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf mib-binding 100
ospf mtu-enable
Syntax
ospf mtu-enable
undo ospf mtu-enable
View
Interface view
Parameters
None
Description
Use the ospf mtu-enable command to add the interface MTU to the MTU field in DD packets. Use the undo ospf mtu-enable command to restore the default.
View
Interface view
Parameters
broadcast: Specifies the network type as broadcast.
nbma: Specifies the network type as NBMA.
p2mp: Specifies the network type as point-to-multipoint.
unicast: Sends packets to unicast addresses.
p2p: Specifies the network type as point-to-point.
Description
Use the ospf network-type command to configure the network type for an interface. Use the undo ospf network-type command to restore the default network type.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] ospf network-type nbma
ospf timer dead
Syntax
ospf timer dead seconds
undo ospf timer dead
View
Interface view
Parameters
seconds: Dead interval of the OSPF neighbor. It is in seconds and ranges from 1 to 65535.
Description
Use the ospf timer dead command to configure the dead interval of the OSPF neighbor.
Description
Use the ospf timer hello command to configure the interval for transmitting Hello messages on an interface. Use the undo ospf timer hello command to restore the interval to the default.
By default, the Hello interval is:
10 seconds for an interface of the p2p or broadcast type
30 seconds for an interface of the p2mp or nbma type
Hello packets are periodically sent to find and maintain neighbors and are used for DR/BDR election.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 20
[Sysname-Vlan-interface20] ospf timer poll 130
ospf timer retransmit
Syntax
ospf timer retransmit interval
undo ospf timer retransmit
View
Interface view
Parameters
interval: Interval, in seconds, for retransmitting an LSA on an interface. It ranges from 1 to 3600.
Description
Use the ospf timer retransmit command to configure the interval for retransmitting an LSA on an interface.
Parameters
seconds: LSA transmission delay in seconds on an interface. It ranges from 1 to 3600.
Description
Use the ospf trans-delay command to configure the LSA transmission delay on an interface. Use the undo ospf trans-delay command to restore the default.
By default, the LSA transmission delay on an interface is 1 second.
[Sysname] ospf 1
[Sysname-ospf-1] peer 10.1.1.1
preference
Syntax
preference [ ase ] value
undo preference [ ase ]
View
OSPF view
Parameters
value: OSPF protocol preference, in the range of 1 to 255.
ase: Indicates the preference of a redistributed external route of the AS.
Description
Use the preference command to configure the preference of the OSPF protocol.
After you use this command to reset an OSPF process:
Invalid LSAs are cleared immediately, before they time out.
A new Router ID takes effect if the Router ID has changed.
DR and BDR are re-elected.
The OSPF configuration made before the restart is not lost.
After this command is issued, the system will prompt you to confirm whether to re-enable OSPF.
Use the undo router id command to cancel the router ID that has been set.
If the router-id command is not used, a router ID is set following these rules:
If loopback interfaces configured with IP addresses exist, the greatest loopback interface IP address will be used as the router ID.
Adjusting the SPF calculation interval restrains frequent network changes, which may occupy too many bandwidth and router resources.
Examples
# Set the OSPF route calculation interval of H3C to 6 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
To configure an area as a stub area, all routers attached to it must be configured with this command. If the router is an ABR, it will send a default route to the connected Stub area. Use the default-cost command to configure the default route cost. In addition, you can specify the no-summary argument in the stub command to disable the receiving of Type-3 LSAs by the Stub area connected to the ABR (such a stub area is known as a totally stub area).
keyid: MD5 authentication key ID. It ranges from 1 to 255 and must be equal to the authentication key ID of the virtually linked peer. key: MD5 authentication key. If a simple text authentication key is used, you can input a string containing 1 to 16 characters.
IP Routing Policy Configuration Commands The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. IP Routing Policy Configuration Commands apply cost Syntax apply cost value undo apply cost View Route policy view Parameters...
apply tag Syntax apply tag value undo apply tag View Route policy view Parameters value: Tag value of a route, in the range of 0 to 4294967295. Description Use the apply tag command to configure a tag for a route. Use the undo apply tag command to remove the configuration.
Examples # Display the information about the address prefix list named p1. <Sysname> display ip ip-prefix p1 name index conditions ip-prefix / mask permit 10.1.0.0/16
Table 5-1 Description on the fields of the display ip ip-prefix command
Field: name. Description: Name of an IP-prefix.
Field: index. Description: Internal sequence number of an IP-prefix...
Table 5-2 Description on the fields of the display route-policy command
Field: Route-policy. Description: Name of a routing policy.
Field: Permit 10. Description: Information about the routing policy with the matching mode configured as permit and the node as 10.
Field: if-match (ip-prefix) p1. Description: Matching conditions.
Field: apply cost 100. Description: Apply the cost 100 to the routes satisfying the...
View Route policy view Parameters value: Route cost, in the range of 0 to 4294967295. Description Use the if-match cost command to configure a cost matching rule for routing information. Use the undo if-match cost command to remove the configuration. By default, no cost matching rule is defined.
[Sysname] route-policy policy permit node 1 %New sequence of this list [Sysname-route-policy] if-match interface Vlan-interface 1 if-match ip next-hop Syntax if-match ip next-hop { acl acl-number | ip-prefix ip-prefix-name } undo if-match ip next-hop [ ip-prefix ] View Route policy view Parameters acl acl-number: Number of a basic ACL used for filtering, in the range of 2000 to 2999.
Parameters value: Tag value, in the range of 0 to 4294967295. Description Use the if-match tag command to configure the tag matching rule for routing information. Use the undo if-match tag command to remove the matching rule. By default, no tag matching rule for routing information is defined. Related commands: if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, route-policy, apply cost, apply tag.
to", and the meaning of less-equal is "less than or equal to". The range is len <= greater-equal <= less-equal <= 32. When only greater-equal is used, it denotes the prefix range [greater-equal, 32]. When only less-equal is used, it denotes the prefix range [len, less-equal]. When both greater-equal and less-equal are specified, the prefix range is [ less-equal,greater-equal ].
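The greater-equal / less-equal range rules above, as an added example that is not the manual's code: a small ip-prefix list matcher written for this page. It assumes the interpretation consistent with the stated constraint len <= greater-equal <= less-equal <= 32 (when both keywords are given, accepted lengths run from greater-equal up to less-equal) and that a route matching no node is denied, which this page does not state; the list p2 and all routes are constructed sample data.

```python
"""Added example (not from the H3C manual): an ip-prefix list matcher that
applies the greater-equal / less-equal prefix-length range rules."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixRule:
    """One node of an ip-prefix list: index, permit/deny, ip-prefix/len,
    and the optional greater-equal / less-equal bounds."""
    index: int
    action: str                       # "permit" or "deny"
    network: ipaddress.IPv4Network    # ip-prefix/mask, e.g. 10.1.0.0/16
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def mask_range(self) -> Tuple[int, int]:
        """Accepted prefix-length range, per the rules on this page:
        greater-equal only -> [greater-equal, 32]
        less-equal only    -> [len, less-equal]
        both               -> [greater-equal, less-equal] (assumed order)
        neither            -> exactly len."""
        length = self.network.prefixlen
        ge, le = self.greater_equal, self.less_equal
        if ge is None and le is None:
            lo, hi = length, length
        elif le is None:
            lo, hi = ge, 32
        elif ge is None:
            lo, hi = length, le
        else:
            lo, hi = ge, le
        # Enforce the manual's constraint: len <= ge <= le <= 32.
        if not (length <= lo <= hi <= 32):
            raise ValueError(f"node {self.index}: range {lo}-{hi} invalid for /{length}")
        return lo, hi

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        """The route's first `len` bits must equal the node's prefix, and the
        route's own prefix length must fall inside the accepted range."""
        lo, hi = self.mask_range()
        return route.subnet_of(self.network) and lo <= route.prefixlen <= hi


class PrefixList:
    """An ip-prefix list such as p1 above; nodes are tried in index order.
    Assumption (not stated on this page): a route matching no node is denied."""

    def __init__(self, name: str, rules: List[PrefixRule]):
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.index)

    def evaluate(self, prefix: str) -> str:
        route = ipaddress.IPv4Network(prefix, strict=False)
        for rule in self.rules:
            if rule.matches(route):
                return rule.action
        return "deny"


def mask_range_for(prefix: str, ge: Optional[int] = None,
                   le: Optional[int] = None) -> Tuple[int, int]:
    """Convenience wrapper: the accepted length range for one node."""
    return PrefixRule(1, "permit", ipaddress.IPv4Network(prefix), ge, le).mask_range()


def demo() -> dict:
    """Constructed sample: the page's p1 (permit 10.1.0.0/16, exact length)
    and a second list p2 exercising every keyword combination."""
    p1 = PrefixList("p1", [
        PrefixRule(10, "permit", ipaddress.IPv4Network("10.1.0.0/16")),
    ])
    p2 = PrefixList("p2", [
        PrefixRule(10, "deny", ipaddress.IPv4Network("10.1.1.0/24")),
        PrefixRule(20, "permit", ipaddress.IPv4Network("10.1.0.0/16"),
                   greater_equal=17, less_equal=24),       # both -> [17, 24]
        PrefixRule(30, "permit", ipaddress.IPv4Network("192.168.0.0/16"),
                   greater_equal=24),                      # ge only -> [24, 32]
        PrefixRule(40, "permit", ipaddress.IPv4Network("172.16.0.0/12"),
                   less_equal=16),                         # le only -> [12, 16]
    ])
    return {
        "p1 10.1.0.0/16": p1.evaluate("10.1.0.0/16"),        # permit
        "p1 10.1.1.0/24": p1.evaluate("10.1.1.0/24"),        # deny: /24 is not /16
        "p2 10.1.1.0/24": p2.evaluate("10.1.1.0/24"),        # deny: node 10 first
        "p2 10.1.2.0/24": p2.evaluate("10.1.2.0/24"),        # permit: /24 in [17,24]
        "p2 10.1.0.0/16": p2.evaluate("10.1.0.0/16"),        # deny: /16 below ge 17
        "p2 192.168.1.1/32": p2.evaluate("192.168.1.1/32"),  # permit: /32 in [24,32]
        "p2 172.16.0.0/12": p2.evaluate("172.16.0.0/12"),    # permit: /12 in [12,16]
        "p2 172.16.1.0/24": p2.evaluate("172.16.1.0/24"),    # deny: /24 above le 16
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```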
node: Specifies a node index in a routing policy. node-number: Index of the node in a routing policy, in the range 0 to 2047. When this routing policy is used, the node with smaller node-number will be matched first. Description Use the route-policy command to create a routing policy or enter the Route-policy view.
Route Capacity Configuration Commands The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. The S3600-SI series do not support route capacity configuration. Route Capacity Configuration Commands display memory Syntax display memory [ unit unit-id ] Mode...
Field Description Used Rate Memory occupation rate display memory limit Syntax display memory limit Mode Any view Parameters None Description Use the display memory limit command to display the memory setting and state information of the switch. This command displays the current memory limit configuration, free memory, and state information about connections, such as times of disconnection, times of reconnection, and whether the current state is normal.
Field: The times of reconnect. Description: Number of reconnections of the routing protocol.
Field: The current state. Description: Current memory state, Normal or Exigence.
memory Syntax memory { safety safety-value | limit limit-value }* undo memory [ safety | limit ] View System view Parameters safety-value: Safety free memory of the switch, in Mbytes.
Examples # Set the lower limit of the switch free memory to 1 MB and the safety value to 3 MB. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] memory safety 3 limit 1 memory auto-establish disable Syntax memory auto-establish disable View...
Description Use the memory auto-establish enable command to enable automatic connections of routing protocols when the free memory of the switch recovers to the specified value. Use the memory auto-establish disable command to disable this function. By default, when the free memory of the switch recovers to a safety value, connections of all the routing protocols will always recover (when the free memory of the switch decreases to a lower limit, the connection will be disconnected forcibly).
Common Multicast Configuration Commands The following are new features in this set of manuals:
Enabling multicast packet buffering. The related commands are multicast storing-enable and multicast storing-packet.
Configuring multicast source lifetime. The related command is source-lifetime.
Configuring IGMPv3 Snooping functions. The related commands are igmp-snooping version and igmp host-join.
Related commands: mac-address multicast interface, mac-address multicast vlan. Examples # Display the information of all static multicast MAC entries in VLAN 1. <Sysname> display mac-address multicast static vlan 1 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 0100-0001-0001 Config static Ethernet1/0/1 NOAGED Ethernet1/0/2...
Total 1 MAC Group(s). Vlan(id):1200. Total 1 IP Group(s). Total 1 MAC Group(s). Static Router port(s): Dynamic Router port(s): Ethernet1/0/24 IP group(s):the following ip group(s) match to one mac group. IP group address:224.1.1.1 Static host port(s): Dynamic host port(s): Ethernet1/0/22 MAC group(s): MAC group address:0100-5e01-0101 Host port(s):Ethernet1/0/22...
Parameters group-address: Multicast group address, in the range of 224.0.0.0 to 239.255.255.255. With this argument provided, the command displays the forwarding entries for the specified multicast group. source-address: Multicast source address. With this argument provided, the command displays the forwarding entries for the specified multicast source. mask: Mask of the specified multicast group address or multicast source address, 255.255.255.255 by default.
Field: (10.0.0.4, 225.1.1.1). Description: Multicast source and group addresses of the entry.
Field: iif Vlan-interface2, 0 oifs. Description: The incoming interface of the multicast forwarding table is VLAN-interface 2, and the multicast forwarding table does not have an outgoing interface.
Field: Matched 122 pkts(183000 bytes), Wrong If 0. Description: 122 packets of 183,000 bytes in total match the (S, G) entry, and 0 error packets match the (S, G) entry.
Parameters interface-type: Port type. interface-number: Port number. Description Use the display multicast-source-deny command to display the multicast source port suppression status. With neither a port type nor a port number specified, the command displays the multicast source port suppression status of all the ports on the switch. With only a port type specified, the command displays the multicast source port suppression status of all ports of that type.
Each multicast MAC address entry contains multicast address, forward port, VLAN ID, and so on. Related commands: display mac-address multicast static. Examples # Create a multicast MAC address entry, with the multicast MAC address of 0100-5e0a-0805 and a forwarding port of Ethernet 1/0/1 in VLAN 1. <Sysname>...
View Any view Parameters source-address: Specifies a multicast source. group-address: Specifies a multicast group. last-hop-router-address: Specifies the last-hop router, which is the local device by default. Description Use the mtracert command to trace the path down which the multicast traffic flows to the receiver hosts.
Table 1-6 mtracert command output description
Field: From last-hop router(192.168.2.2), trace reverse path to source 192.168.4.1 via RPF rules. Description: Reverse path from the last-hop router (192.168.2.2) to the multicast source (192.168.4.1).
Field: -1 5.5.5.8. Description: Outgoing interface address of each hop, starting from the last-hop router. Incoming interface address...
Examples # Set the maximum number of entries the multicast routing table can hold to 100. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] multicast route-limit 100 multicast routing-enable Syntax multicast routing-enable undo multicast routing-enable View System view Parameters None Description...
With the multicast packet buffering feature enabled, multicast packets delivered to the CPU are buffered while the corresponding multicast forwarding entries are being created, and are then forwarded according to those entries once they exist. By default, this function is not enabled. Examples # Enable the multicast packet buffering feature.
interface-type interface-number) and/or one or more port ranges (in the form of interface-type interface-number1 to interface-type interface-number2, where interface-number2 must be greater than interface-number1). The total number of individual ports plus port ranges cannot exceed 10. For port types and port numbers, refer to the parameter description in the “Port Basic Configuration” part in this manual.
all: Clears all the forwarding entries or the statistics information of all the forwarding entries. Without this keyword, the command clears the forwarding entries or the statistics information of the forwarding entries defined by the following parameters. group-address: Multicast group address in the range of 224.0.0.0 to 239.255.255.255. source-address: Multicast source address.
incoming-interface interface-type interface-number: Clears the routing entries that match the specified incoming interface. Description Use the reset multicast routing-table command to clear the routing entries in the multicast core routing table and remove the corresponding forwarding entries in the MFC forwarding table. The positions of the group-address and source-address arguments are interchangeable.
IGMP Configuration Commands IGMP Configuration Commands display igmp group Syntax display igmp group [ group-address | interface interface-type interface-number ] View Any view Parameters group-address: Multicast group address. With this argument provided, this command displays the information of the specified IGMP multicast group. interface interface-type interface-number: Specifies an interface by its type and number.
display igmp interface Syntax display igmp interface [ interface-type interface-number ] View Any view Parameters interface-type interface-number: Specifies an interface by its type and number. With this argument provided, the command displays the IGMP configuration and running information on the specified interface;...
Field: Value of maximum query response time for IGMP(in seconds): 10. Description: The maximum response time for IGMP general queries is 10 seconds (default).
Field: Value of robust count for IGMP: 2. Description: The IGMP robustness variable is 2 (default).
Field: Value of startup query interval for IGMP(in seconds): 15. Description: The IGMP startup query interval is 15 seconds (default).
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] multicast routing-enable [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] igmp enable igmp group-limit Syntax igmp group-limit limit undo igmp group-limit View Interface view Parameters limit: The maximum number of multicast groups that can be joined on the interface, in the range of 0 to 256.
Examples # Configure a multicast group filter on VLAN-interface 10 so that the hosts on the subnet attached to the interface can join only multicast group 225.1.1.1 and the interface accepts only IGMPv2 reports. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 225.1.1.1 0 [Sysname-acl-basic-2000] quit...
[Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] port access vlan 10 [Sysname-Ethernet1/0/1] igmp group-policy 2000 vlan 10 igmp host-join port Syntax igmp host-join group-address port interface-list undo igmp host-join group-address port interface-list View Interface view Parameters group-address: Address of the multicast group to join. port interface-list: Configures the specified port or ports under the current VLAN interface as simulated member host(s) for the specified multicast group.
igmp host-join vlan Syntax igmp host-join group-address vlan vlan-id undo igmp host-join group-address vlan vlan-id View Ethernet port view Parameters group-address: Address of the multicast group to join. vlan vlan-id: Specifies the VLAN to which the port belongs. The effective range for vlan-id is 1 to 4094. Description Use the igmp host-join vlan command to configure the current Ethernet port as a simulated member host to join the specified multicast group.
Use the undo igmp lastmember-queryinterval command to restore the default. The IGMP last-member query interval is 1 second by default. Related commands: igmp robust-count, display igmp interface. Examples # Set the IGMP last-member query interval to 3 seconds on VLAN-interface 10. <Sysname>...
View Interface view Parameters interface-type interface-number: Specifies the interface for which the current interface will act as the IGMP proxy interface. Description Use the igmp proxy command to configure the current interface as the IGMP proxy interface for another interface on the Layer 3 switch. Use the undo igmp proxy command to restore the default.
By default, an IGMP querier sends two IGMP group-specific query messages after receiving an IGMP Leave message. Related commands: igmp lastmember-queryinterval, display igmp interface. Examples # Set the IGMP robustness variable to 3 on VLAN-interface 10. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] igmp robust-count 3 igmp timer other-querier-present...
igmp timer query Syntax igmp timer query seconds undo igmp timer query View Interface view Parameters seconds: IGMP query interval, namely the interval between IGMP general query messages, in the range of 1 to 65,535 seconds. Description Use the igmp timer query command to configure the interval between IGMP general query messages. Use the undo igmp timer query command to restore the default.
The default IGMP version is IGMP version 2. The device cannot automatically switch between different IGMP versions, so all the devices on a subnet must run the same version of IGMP. Examples # Run IGMPv1 on VLAN-interface 10. <Sysname> system-view System View: return to User View with Ctrl+Z.
PIM Configuration Commands PIM Configuration Commands bsr-policy Syntax bsr-policy acl-number undo bsr-policy View PIM view Parameters acl-number: ACL number to be used in the BSR filtering policy, in the range of 2000 to 2999. Description Use the bsr-policy command to limit the range of legal BSRs to prevent BSR spoofing. Use the undo bsr-policy command to restore the default.
View PIM view Parameters interface-type interface-number: Specifies an interface that will be configured as a C-BSR. This configuration takes effect only after PIM-SM is enabled on the interface. hash-mask-len: Length of the hash mask used for RP calculation. The effective range is 0 to 32. priority: C-BSR priority.
Description Use the c-rp command to configure an interface as a C-RP. Use the undo c-rp command to remove the configuration. By default, no C-RP is configured. For the configuration of a C-RP, a relatively large bandwidth should be reserved for the switch and other devices in the PIM domain.
View Any view Parameters interface-type interface-number: Specifies an interface by its type and number. Description Use the display pim interface command to display the PIM configuration information. With an interface specified, the command displays the PIM configuration information on the specified interface;...
View Any view Parameters interface interface-type interface-number: Specifies an interface by its type and number. Description Use the display pim neighbor command to display the PIM neighbor information. With an interface specified, the command displays the PIM neighbor information on the specified interface;...
mask: Mask of the multicast group address, multicast source address, or RP address, 255.255.255.255 by default. mask-length: Mask length of the multicast group address, multicast source address, or RP address, in the range of 0 to 32. The system default is 32. incoming-interface: Displays multicast routing entries containing the specified incoming interface.
Field Description Flag of (S, G) or (*, G) entry in the PIM routing table: SPT: The (S, G) entry is on the SPT. RPT: The (S, G) or (*, G) entry is on the RPT. Flag WC: Indicates the (*, G) entry. LOC: The switch is connected with the multicast source directly.
Expires: 00:01:40
Table 3-5 display pim rp-info command output description
Field: PIM-SM RP-SET information. Description: RP-Set.
Field: BSR is. Description: IP address of the BSR.
Field: Group/MaskLen. Description: Multicast group range served by the RP, followed by the IP address of the RP.
Field: Version. Description: PIM version.
Field: Priority. Description: RP priority.
Field: Uptime. Description: Length of time for which the RP has existed...
View Interface view Parameters None Description Use the pim bsr-boundary command to configure the current interface as the BSR service boundary, namely, the PIM-SM domain border. Use the undo pim bsr-boundary command to remove the configured PIM-SM domain border. By default, no PIM-SM domain border is configured on the switch. After you use this command to set a PIM-SM domain border on an interface, no bootstrap message can cross this border in either direction.
Related commands: multicast routing-enable. Examples # Enable PIM-DM on VLAN-interface 10. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] multicast routing-enable [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] pim dm pim neighbor-limit Syntax pim neighbor-limit limit undo pim neighbor-limit View Interface view Parameters...
View Interface view Parameters acl-number: Basic ACL number, in the range of 2,000 to 2,999. Description Use the pim neighbor-policy command to configure a PIM neighbor filter on the current interface. Use the undo pim neighbor-policy command to disable PIM neighbor filtering on the current interface. With a PIM neighbor filter configured, only the switches that pass the filtering rule in the ACL can become PIM neighbors of the current VLAN interface.
View PIM view Parameters acl-number: Number of IP advanced ACL that defines the rule for filtering the source and group addresses. The value ranges from 3000 to 3999. Only register messages that match the permit statement can be accepted by the RP. Description Use the register-policy command to configure a rule for filtering register messages.
undo spt-switch-threshold [ group-policy acl-number ] View PIM view Parameters infinity: Specifies to disable RPT-to-SPT switchover. group-policy acl-number: Applies the configuration to multicast groups that match the specified group policy, where acl-number indicates a basic ACL number, ranging from 2000 to 2999. If no group policy is specified, the configuration applies to all multicast groups.
source-lifetime Syntax source-lifetime interval undo source-lifetime View PIM view Parameters interval: Multicast source lifetime in seconds, with an effective range of 210 to 31536000. Description Use the source-lifetime command to configure the multicast source lifetime, also known as (S, G) aging time.
Description Use the source-policy command to configure the switch to filter the received multicast data packets as per the source address(es) or source and group addresses defined in the ACL rule. Use the undo source-policy command to remove the configuration. If a basic ACL is employed in the command, the switch filters all the received multicast data packets as per the defined source address(es).
A static RP functions as a backup for the dynamically elected RP to improve network robustness. When the RP elected through the BSR mechanism functions, the static RP does not take effect. The same RP address must be configured on all the devices in the PIM domain. The new configuration overwrites the existing one if you execute the command for a second time.
MSDP Configuration Commands MSDP Configuration Commands cache-sa-enable Syntax cache-sa-enable undo cache-sa-enable View MSDP view Parameters None Description Use the cache-sa-enable command to enable the SA message caching mechanism. Use the undo cache-sa-enable command to disable the SA message caching mechanism. By default, the SA message caching mechanism is enabled.
Description Use the display msdp brief command to display the brief information of the MSDP peer state. Examples # Display the brief information of the MSDP peer state. <Sysname> display msdp brief MSDP Peer Brief Information Peer's Address State Up/Down time SA Count Reset Count 20.20.20.20...
MSDP Peer 20.20.20.20, AS 100 Description: Information about connection status: State: Up Up/down time: 14:41:08 Resets: 0 Connection interface: LoopBack0 (20.20.20.30) Number of sent/received messages: 867/947 Number of discarded output messages: 0 Elapsed time since last connection or counters clear: 14:42:40 Information about (Source, Group)-based SA filtering policy: Import policy: none Export policy: none...
Field: Elapsed time since last connection or counters clear. Description: Time passed since the information of the MSDP peer was last cleared.
Field: Information about (Source, Group)-based SA filtering policy. Description: SA message filtering list information. Import policy: Filter list for receiving SA messages from the specified MSDP peer. Export policy: Filter list for forwarding SA messages from the specified MSDP peer...
as-number: AS number, in the range of 1 to 65535. Description Use the display msdp sa-cache command to display (S, G) entries in the SA cache. Note that: This command gives the corresponding output only after the cache-sa-enable command is executed.
display msdp sa-count Syntax display msdp sa-count [ as-number ] View Any view Parameters as-number: AS number, in the range of 1 to 65535. Description Use the display msdp sa-count command to display the number of (S, G) entries in the SA cache. The output of this command is available only after the cache-sa-enable command is configured.
import-source Syntax import-source [ acl acl-number ] undo import-source View MSDP view Parameters acl-number: Basic or advanced IP ACL number, ranging from 2000 to 3999. An ACL controls SA message advertisement by filtering sources (with a basic ACL) and filtering sources or groups (with an advanced ACL).
Description Use the msdp command to enable MSDP and enter MSDP view. Use the undo msdp command to clear all configurations in MSDP view, release resources occupied by MSDP, and restore the initial state. Related commands: peer. Examples # Enable MSDP and enter MSDP view. <Sysname>...
<Sysname> msdp-tracert 10.10.1.1 225.2.2.2 20.20.20.20 max-hops 10 sa-info peer-info MSDP tracert: press CTRL_C to break D-bit: set if have this (S,G) in cache but with a different RP RP-bit: set if this router is an RP NC-bit: set if this router is not caching SA's C-bit: set if this (S,G,RP) tuple is in the cache MSDP trace route path information:...
Field: SA cache entry uptime. Description: Length of time for which the cached (S, G) entry has existed, in hours:minutes:seconds.
Field: SA cache entry expiry time. Description: Length of time in which the cached (S, G) entry will expire, in hours:minutes:seconds.
Field: Peering Uptime: 10 minutes. Description: The time of the peering session between the local switch and a Peer-RPF neighbor...
Parameters peer-address: Specifies an MSDP peer by its IP address. interface-type interface-number: Specifies an interface by its type and number. The switch will use the primary address of this interface as the source IP to establish a TCP connection with the remote MSDP peer.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] msdp [Sysname-msdp] peer 125.10.7.6 description router CstmrA peer mesh-group Syntax peer peer-address mesh-group name undo peer peer-address mesh-group View MSDP view Parameters peer-address: IP address of the MSDP peer to be added into the mesh group. name: Name of the mesh group, case-sensitive and containing 1 to 32 characters.
Use the undo peer minimum-ttl command to restore the system default. By default, the minimum required TTL value is 0. Related commands: peer. Examples # Set the minimum required TTL value of encapsulated multicast packets to 10 so that only multicast data packets with a TTL value greater than or equal to 10 can be forwarded to the MSDP peer 110.10.10.1.
View MSDP view Parameters peer-address: Specifies an MSDP peer by its IP address. sa-limit: Maximum number of (S, G) entries that can be cached, ranging from 1 to 2,048. Description Use the peer sa-cache-maximum command to configure the maximum number of (S, G) entries learned from the specified MSDP peer that the device can cache.
Related commands: peer. Examples # Configure a filtering rule so that only those SA messages permitted by the ACL 3100 are forwarded to the MSDP peer 125.10.7.6. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] acl number 3100 [Sysname-acl-adv-3100] rule permit ip source 170.15.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255 [Sysname-acl-adv-3100] quit...
[Sysname-acl-basic-2001] rule permit source 225.1.1.0 0.0.0.255 [Sysname-acl-basic-2001] quit [Sysname] msdp [Sysname-msdp] peer 175.58.6.5 sa-request-policy acl 2001 reset msdp peer Syntax reset msdp peer peer-address View User view Parameters peer-address: Specifies an MSDP peer by its IP address. Description Use the reset msdp peer command to reset the TCP connection with the specified MSDP peer and clear all statistics information about that MSDP peer.
reset msdp statistics Syntax reset msdp statistics [ peer-address ] View User view Parameters peer-address: Address of the MSDP peer whose statistics information will be cleared. If no MSDP peer address is specified, the statistics information of all MSDP peers will be cleared. Description Use the reset msdp statistics command to clear the statistics information of one or all MSDP peers without resetting the MSDP peer(s).
static-rpf-peer Syntax static-rpf-peer peer-address [ rp-policy ip-prefix-name ] undo static-rpf-peer peer-address View MSDP view Parameters peer-address: Address of the static RPF peer to receive SA messages. rp-policy ip-prefix-name: Specifies a filtering policy based on RP addresses to filter RPs in SA messages, where ip-prefix-name is the IP address prefix list containing 1 to 19 characters.
timer retry Syntax timer retry seconds undo timer retry View MSDP view Parameters seconds: Connection request retry interval in seconds, ranging from 1 to 60. Description Use the timer retry command to configure the connection request retry interval. Use the undo timer retry command to restore the default. By default, the connection request retry interval is 30 seconds.
IGMP Snooping Configuration Commands IGMP Snooping Configuration Commands display igmp-snooping configuration Syntax display igmp-snooping configuration View Any view Parameters None Description Use the display igmp-snooping configuration command to display IGMP Snooping configuration information. If IGMP Snooping is disabled on this switch, this command displays a message showing that IGMP Snooping is not enabled.
display igmp-snooping group Syntax display igmp-snooping group [ vlan vlan-id ] View Any view Parameters vlan vlan-id: Specifies the VLAN in which the multicast group information is to be displayed, where vlan-id ranges from 1 to 4094. If you do not specify a VLAN, this command displays the multicast group information of all VLANs.
Table 5-1 display igmp-snooping group command output description
Field: Total 1 IP Group(s). Description: Total number of IP multicast groups in all VLANs.
Field: Total 1 MAC Group(s). Description: Total number of MAC multicast groups in all VLANs.
Field: Vlan(id):. Description: ID of the VLAN whose multicast group information is displayed.
Field: Total 1 IP Group(s).
Examples # Display IGMP Snooping statistics. <Sysname> display igmp-snooping statistics Received IGMP general query packet(s) number:1. Received IGMP specific query packet(s) number:0. Received IGMP V1 report packet(s) number:0. Received IGMP V2 report packet(s) number:3. Received IGMP leave packet(s) number:0. Received error IGMP packet(s) number:0. Sent IGMP specific query packet(s) number:0.
Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously in the same VLAN and on the corresponding VLAN interface. Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view;...
The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, the configuration takes effect on all ports in the specified VLAN(s).
Related commands: igmp-snooping querier, igmp-snooping query-interval. Examples # Configure the switch to send general query messages with the source IP address 2.2.2.2 in VLAN 3. <Sysname> system-view System view, return to user view with Ctrl+Z. [Sysname] igmp-snooping enable [Sysname] vlan 3 [Sysname-vlan3] igmp-snooping enable [Sysname-vlan3] igmp-snooping querier [Sysname-vlan3] igmp-snooping general-query source-ip 2.2.2.2...
To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting from the oldest one.
Allow the port(s) to join only the multicast group(s) defined in the rule by a permit statement. Inhibit the port(s) from joining the multicast group(s) defined in the rule by a deny statement. A port can belong to multiple VLANs, but you can configure only one ACL rule per VLAN on a port. If no ACL rule is configured, all the multicast groups will be filtered.
[Sysname-vlan2] port Ethernet 1/0/2 [Sysname-vlan2] quit # Apply ACL 2001 on Ethernet1/0/2 so that the port can join any IGMP multicast group except those defined in the deny rule of ACL 2001. [Sysname] interface Ethernet 1/0/2 [Sysname-Ethernet1/0/2] igmp-snooping group-policy 2001 vlan 2 igmp-snooping host-aging-time Syntax igmp-snooping host-aging-time seconds undo igmp-snooping host-aging-time...
Description Use the igmp-snooping max-response-time command to configure the maximum response time in IGMP general queries. Use the undo igmp-snooping max-response-time command to restore the default. By default, the maximum response time in IGMP general queries is 10 seconds. An appropriate setting of the maximum response time in IGMP queries allows hosts to respond to queries quickly and thus the querier can learn the existence of multicast members quickly.
If the function of dropping unknown multicast packets or the IRF fabric function is enabled, you cannot enable the IGMP Snooping non-flooding function. The IGMP Snooping non-flooding function and the multicast source port suppression function cannot take effect at the same time. If both are configured, only the multicast source port suppression function takes effect.
System view, return to user view with Ctrl+Z.
[Sysname] igmp-snooping enable
[Sysname] vlan 3
[Sysname-vlan3] igmp-snooping enable
[Sysname-vlan3] igmp-snooping querier
igmp-snooping query-interval
Syntax
igmp-snooping query-interval seconds
undo igmp-snooping query-interval
View
VLAN view
Parameters
seconds: IGMP query interval, ranging from 1 to 300, in seconds.
Description
Use the igmp-snooping query-interval command to configure the IGMP query interval, namely the interval at which the switch sends IGMP general queries.
View
System view
Parameters
seconds: Aging time of router ports, in the range of 1 to 1,000, in seconds.
Description
Use the igmp-snooping router-aging-time command to configure the aging time of router ports.
Use the undo igmp-snooping router-aging-time command to restore the default aging time.
By default, the aging time of router ports is 105 seconds.
[Sysname-vlan100] igmp-snooping enable
[Sysname-vlan100] igmp-snooping version 3
igmp-snooping vlan-mapping
Syntax
igmp-snooping vlan-mapping vlan vlan-id
undo igmp-snooping vlan-mapping
View
System view
Parameters
vlan vlan-id: VLAN ID, in the range of 1 to 4094.
Description
Use the igmp-snooping vlan-mapping vlan command to configure the switch to transmit IGMP general and group-specific query messages in a specific VLAN.
port ranges cannot exceed 10. For port types and port numbers, refer to the parameter description in the “Port Basic Configuration” part in this manual.
Description
Use the igmp host-join port command to configure one or more ports under the current VLAN interface as simulated member hosts to join the specified multicast group or source and group.
source-address: Address of the multicast source to join. You can specify a multicast source address only when IGMPv3 Snooping is running in a VLAN.
vlan vlan-id: ID of the VLAN to which the port belongs, in the range of 1 to 4094.
Description
Use the igmp host-join command to configure the current port as a simulated multicast group member host to join the specified multicast group or source and group.
Parameters
group-address: IP address of the multicast group to join, in the range of 224.0.0.0 to 239.255.255.255.
interface interface-list: Specifies a port list. With the interface-list argument, you can define one or more individual ports (in the form of interface-type interface-number) and/or one or more port ranges (in the form of interface-type interface-number1 to interface-type interface-number2, where interface-number2 must be greater than interface-number1).
Description
Use the multicast static-group vlan command to configure the current port in the specified VLAN as a static member port for the specified multicast group.
Use the undo multicast static-group vlan command to remove the current port in the specified VLAN as a static member port for the specified multicast group.
[Sysname] vlan 10
[Sysname-vlan10] multicast static-router-port Ethernet1/0/1
multicast static-router-port vlan
Syntax
multicast static-router-port vlan vlan-id
undo multicast static-router-port vlan vlan-id
View
Ethernet port view
Parameters
vlan-id: VLAN ID the port belongs to, in the range of 1 to 4094.
Description
Use the multicast static-router-port vlan command to configure the current port in the specified VLAN as a static router port.
<Sysname> reset igmp-snooping statistics
service-type multicast
Syntax
service-type multicast
undo service-type multicast
View
VLAN view
Parameters
None
Description
Use the service-type multicast command to configure the current VLAN as a multicast VLAN.
Use the undo service-type multicast command to remove the current VLAN as a multicast VLAN.
By default, no VLAN is a multicast VLAN.
802.1x Configuration Commands The online user handshaking configuration is added. See dot1x handshake for related information. The configuration of 802.1x re-authentication is added. See dot1x re-authenticate. The configuration of the 802.1x re-authentication interval is added. See dot1x timer reauth-period. The configuration of quick EAD deployment is added. See Quick EAD Deployment Configuration Commands.
Examples
# Display 802.1x-related information.
<Sysname> display dot1x
Global 802.1X protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Handshake is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
EAD Quick Deploy is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s...
1. Authenticated user : MAC address: 000d-88f6-44c1
Controlled User(s) amount to 1
Ethernet1/0/2 ……
Table 1-1 Description on the fields of the display dot1x command
Field: Description
Equipment 802.1X protocol is enabled: 802.1x protocol (802.1x for short) is enabled on the switch.
Field: Description
Total maximum 802.1x user resource number: The maximum number of 802.1x users that a switch can accommodate.
Total current used 802.1x resource number: The number of online supplicant systems.
Ethernet1/0/1 is link-down: Ethernet 1/0/1 port is down.
802.1X protocol is disabled: 802.1x is disabled on the port.
Whether or not to send Trap packets when detecting a supplicant system logging in through a proxy.
Parameters
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.
undo dot1x authentication-method
View
System view
Parameters
chap: Authenticates using challenge handshake authentication protocol (CHAP).
pap: Authenticates using password authentication protocol (PAP).
eap: Authenticates using extensible authentication protocol (EAP).
Description
Use the dot1x authentication-method command to set the 802.1x authentication method.
Use the undo dot1x authentication-method command to revert to the default 802.1x authentication method.
Parameters
None
Description
Use the dot1x dhcp-launch command to specify an 802.1x-enabled switch to launch the process to authenticate a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.
Use the undo dot1x dhcp-launch command to disable an 802.1x-enabled switch from authenticating a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.
If you do not provide the interface-list argument, these two commands apply to all the ports of the switch. If you specify the interface-list argument, these two commands apply to the specified ports. In Ethernet port view, the interface-list argument is not available and these two commands apply to only the current Ethernet port.
With the support of H3C proprietary clients, handshaking packets can be used to test whether or not a user is online. As non-H3C clients do not support the online user handshaking function, switches cannot receive handshaking acknowledgement packets from them in handshaking periods. To prevent such users from being falsely considered offline, you need to disable the online user handshaking function in this case.
dot1x port-control
Syntax
dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
View
System view, Ethernet port view
Parameters
auto: Specifies to operate in auto access control mode. When a port operates in this mode, all the unauthenticated hosts connected to it are unauthorized.
dot1x port-method
Syntax
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
View
System view, Ethernet port view
Parameters
macbased: Performs MAC-based authentication.
portbased: Performs port-based authentication.
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
Use the undo dot1x quiet-period command to disable the quiet-period timer.
When a user fails to pass the authentication, the authenticator system (such as an H3C series Ethernet switch) stays quiet for a period (determined by the quiet-period timer) before it performs another authentication.
By default, a switch sends authentication request packets to a user up to 2 times. After a switch sends an authentication request packet to a user, it sends another authentication request packet if it does not receive a response from the user within a specific period of time. If the switch still receives no response when the configured maximum number of authentication request transmission attempts is reached, it stops sending requests to the user.
dot1x re-authenticate
Syntax
dot1x re-authenticate [ interface interface-list ]
undo dot1x re-authenticate [ interface interface-list ]
View
System view, Ethernet port view
Parameters
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
Re-authentication is enabled on port Ethernet1/0/1
dot1x supp-proxy-check
Syntax
dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
View
System view, Ethernet port view
Parameters
logoff: Disconnects a user upon detecting it logging in through a proxy or through multiple network adapters.
IE proxy after the user passes the authentication. The 802.1x proxy checking function needs the cooperation of H3C's 802.1x client program. The proxy checking function takes effect only after the client version checking function is enabled on the switch (using the dot1x version-check command).
Parameters
handshake-period handshake-period-value: Sets the handshake timer. This timer is started after a supplicant system passes the authentication and sets the interval at which the switch sends handshake request packets to online users. If you set the number of retries to N by using the dot1x retry command, an online user is considered offline when the switch does not receive response packets from it within a period of N times the handshake period.
Description
Use the dot1x timer command to set a specified 802.1x timer.
Use the undo dot1x timer command to restore a specified 802.1x timer to the default setting.
During an 802.1x authentication process, multiple timers are triggered to ensure that the supplicant systems, the authenticator systems, and the authentication servers interact with each other in an orderly way.
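The retry and timer rules given above for dot1x retry, the transmit period and the handshake period can be checked with a small authenticator-side model. The following Python code is an added illustration and is not part of this manual or of the switch software; the defaults it uses (2 retries, Transmit Period 30 s, Handshake Period 15 s) come from the manual's text and the display dot1x output, while the MAC addresses and timestamps in the sample run are constructed.

```python
# Added illustration of the 802.1x authenticator timers described in the manual
# (dot1x retry, dot1x timer tx-period, dot1x timer handshake-period). This is a
# model of the documented behaviour, not switch code.

TX_PERIOD = 30          # seconds between retransmitted authentication requests (manual default)
HANDSHAKE_PERIOD = 15   # seconds between handshake requests to online users (manual default)
RETRIES = 2             # dot1x retry default: maximum request transmissions / handshake retries


def auth_request_times(tx_period=TX_PERIOD, max_attempts=RETRIES):
    """Times (seconds after the first request) at which the authenticator sends an
    authentication request to a supplicant that never answers. After the last
    attempt it sends no more, so the list has exactly max_attempts entries."""
    return [attempt * tx_period for attempt in range(max_attempts)]


def give_up_time(tx_period=TX_PERIOD, max_attempts=RETRIES):
    """Point at which a silent supplicant is abandoned: one full tx-period after
    the final request was sent without a reply."""
    return max_attempts * tx_period


class HandshakeMonitor:
    """Tracks online users by their handshake replies. A user whose replies stop is
    considered offline once retries * handshake_period has elapsed since the last
    reply, which is the rule the manual gives for the handshake timer."""

    def __init__(self, handshake_period=HANDSHAKE_PERIOD, retries=RETRIES):
        self.handshake_period = handshake_period
        self.retries = retries
        self.last_reply = {}   # MAC address -> time of the most recent handshake reply
        self.offline = []      # MACs taken offline, in the order they were dropped

    def user_online(self, mac, now):
        """A supplicant has just passed authentication; its handshake timer starts."""
        self.last_reply[mac] = now

    def reply(self, mac, now):
        """A handshake acknowledgement arrived from an online user."""
        if mac in self.last_reply:
            self.last_reply[mac] = now

    def deadline(self, mac):
        return self.last_reply[mac] + self.retries * self.handshake_period

    def sweep(self, now):
        """Called on every timer tick; returns the MACs taken offline at this tick."""
        dropped = [mac for mac in self.last_reply if now >= self.deadline(mac)]
        for mac in dropped:
            del self.last_reply[mac]
            self.offline.append(mac)
        return dropped


def simulate(events, handshake_period=HANDSHAKE_PERIOD, retries=RETRIES, until=120, tick=1):
    """Replay constructed (time, mac) handshake replies second by second and return
    {mac: offline_time} for every user that stopped answering before `until`.
    The first event for a MAC is treated as the end of its authentication."""
    monitor = HandshakeMonitor(handshake_period, retries)
    offline_at = {}
    pending = sorted(events)
    for now in range(0, until + 1, tick):
        while pending and pending[0][0] <= now:
            _, mac = pending.pop(0)
            if mac in monitor.last_reply:
                monitor.reply(mac, now)
            else:
                monitor.user_online(mac, now)
        for mac in monitor.sweep(now):
            offline_at[mac] = now
    return offline_at


if __name__ == "__main__":
    # Constructed sample: one client keeps answering every handshake period, one
    # (like a non-H3C client) never answers and is dropped after 2 * 15 s.
    sample = [(0, "000d-88f6-44c1"), (15, "000d-88f6-44c1"), (30, "000d-88f6-44c1"),
              (45, "000d-88f6-44c1"), (0, "0011-2233-4455")]
    print(simulate(sample, until=60))   # {'0011-2233-4455': 30}
```

The sample run reproduces the caveat given for dot1x handshake: a client that cannot answer handshake requests is logged off after retries * handshake-period seconds even though it is still connected, which is why the function is disabled for such clients.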
dot1x version-check
Syntax
dot1x version-check [ interface interface-list ]
undo dot1x version-check [ interface interface-list ]
View
System view, Ethernet port view
Parameters
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
Parameters
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.
dot1x timer acl-timeout
Syntax
dot1x timer acl-timeout acl-timeout-value
undo dot1x timer acl-timeout
View
System view
Parameters
acl-timeout-value: ACL timeout period (in minutes), in the range of 1 to 1440.
Description
Use the dot1x timer acl-timeout command to configure the ACL timeout period.
Use the undo dot1x timer acl-timeout command to restore the default.
System View: return to User View with Ctrl+Z.
[Sysname] dot1x url http://192.168.19.23...
display habp table
Syntax
display habp table
View
Any view
Parameters
None
Description
Use the display habp table command to display the MAC address table maintained by HABP.
Examples
# Display the MAC address table maintained by HABP.
<Sysname> display habp table
Holdtime Receive Port 001f-3c00-0030...
HABP counters :
Packets output: 0, Input: 0
ID error: 0, Type error: 0, Version error: 0
Sent failed: 0
Table 3-3 Description on the fields of the display habp traffic command
Field: Description
Packets output: Number of the HABP packets sent
Input: Number of the HABP packets received
ID error...
undo habp server
View
System view
Parameters
vlan-id: VLAN ID, ranging from 1 to 4094.
Description
Use the habp server vlan command to configure a switch to operate as an HABP server. This command also specifies the VLAN where HABP packets are broadcast.
Use the undo habp server vlan command to revert to the default HABP mode.
System Guard Configuration Commands
display system-guard ip state
Syntax
display system-guard ip state
View
Any view
Parameters
None
Description
Use the display system-guard ip state command to view the monitoring result and parameter settings of System Guard against IP attacks.
Examples
# View the monitoring result and parameter settings of System Guard against IP attacks.
display system-guard ip-record
Syntax
display system-guard ip-record
View
Any view
Parameters
None
Description
Use the display system-guard ip-record command to view the information about IP packets received by the CPU in the current monitoring cycle.
Examples
# View the information about IP packets received by the CPU in the current monitoring cycle.
<Sysname>...
Parameters
None
Description
Use the display system-guard l3err state command to view the status of Layer 3 error control.
Examples
# View the status of Layer 3 error control.
<Sysname> display system-guard l3err state
System-guard l3err status: enabled
display system-guard tcn state
Syntax
display system-guard tcn state
View...
Use the undo system-guard ip detect-maxnum command to restore the maximum number of infected hosts that can be monitored to the default setting.
By default, System Guard can monitor a maximum of 30 infected hosts.
Examples
# Set the maximum number of infected hosts that can be concurrently monitored to 50.
<Sysname>...
The correlations among the arguments of the system-guard ip detect-threshold command can be clearly described with this example: if you set ip-record-threshold, record-times-threshold and isolate-time to 30, 1 and 3 respectively, then when the system detects three successive times that over 50 IP packets (destined for an address other than an IP address of the switch) from one source IP address are received within a period of 10 seconds, the system considers itself to be attacked —...
[Sysname] system-guard ip enable
system-guard l3err enable
Syntax
system-guard l3err enable
undo system-guard l3err enable
View
System view
Parameters
None
Description
Use the system-guard l3err enable command to enable Layer 3 error control.
Use the undo system-guard l3err enable command to disable Layer 3 error control.
By default, this feature is enabled.
system-guard tcn enable
Syntax
system-guard tcn enable
undo system-guard tcn enable
View
System view
Parameters
None
Description
Use the system-guard tcn enable command to enable System Guard against TCN attacks.
Use the undo system-guard tcn enable command to disable System Guard against TCN attacks.
With this feature enabled, System Guard monitors the TCN/TC packet receiving rate on the ports.
Use the undo system-guard tcn rate-threshold command to restore the default threshold of the TCN/TC packet receiving rate.
By default, the threshold of the TCN/TC packet receiving rate is 1 pps. As the system monitoring cycle is 10 seconds, the system by default sends trap or log information if more than 10 TCN/TC packets are received within 10 seconds.
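The two rate checks described in this chapter, the per-source IP packet check of system-guard ip detect-threshold and the TCN/TC rate check of system-guard tcn rate-threshold, both work on the 10-second monitoring cycle. The following Python code is an added model of that logic, not the switch's own implementation; the meaning of the three detect-threshold arguments is assumed from the manual's worked example, and the packet lists, addresses and threshold values in the sample run are constructed.

```python
# Added model of the System Guard rate checks described in the manual
# (system-guard ip detect-threshold and system-guard tcn rate-threshold).
# Illustration of the documented behaviour only, not switch code.
from collections import Counter, defaultdict

CYCLE_SECONDS = 10  # System Guard monitoring cycle stated in the manual


class IpAttackMonitor:
    """Per-cycle check of IP packets that reach the CPU. A source that sends more
    than ip_record_threshold packets (to addresses other than the switch's own)
    in record_times_threshold consecutive cycles is isolated for isolate_time
    minutes. Argument semantics are assumed from the manual's example."""

    def __init__(self, ip_record_threshold, record_times_threshold, isolate_time, switch_ips):
        self.ip_record_threshold = ip_record_threshold
        self.record_times_threshold = record_times_threshold
        self.isolate_seconds = isolate_time * 60
        self.switch_ips = set(switch_ips)
        self.streak = defaultdict(int)  # consecutive over-threshold cycles per source
        self.isolated = {}              # source -> time at which isolation ends

    def is_isolated(self, src, now):
        return src in self.isolated and now < self.isolated[src]

    def process_cycle(self, packets, cycle_start):
        """packets: (src, dst) pairs received in the cycle starting at cycle_start.
        Returns the sources newly isolated at the end of this cycle."""
        # release hosts whose isolation time has expired
        for src in [s for s, until in self.isolated.items() if cycle_start >= until]:
            del self.isolated[src]
        # packets addressed to the switch itself do not count toward the threshold
        counts = Counter(src for src, dst in packets if dst not in self.switch_ips)
        newly = []
        for src in set(self.streak) | set(counts):
            if counts.get(src, 0) > self.ip_record_threshold:
                self.streak[src] += 1
            else:
                self.streak[src] = 0  # a quiet cycle breaks the run of detections
            # an already isolated host keeps being counted but is not isolated twice
            if (self.streak[src] >= self.record_times_threshold
                    and not self.is_isolated(src, cycle_start)):
                self.isolated[src] = cycle_start + CYCLE_SECONDS + self.isolate_seconds
                self.streak[src] = 0
                newly.append(src)
        return sorted(newly)


def tcn_rate_exceeded(tcn_packets_in_cycle, rate_threshold_pps=1):
    """system-guard tcn rate-threshold: with the 10-second cycle the default
    1 pps threshold means a trap/log once more than 10 TCN/TC packets arrive
    in one cycle."""
    return tcn_packets_in_cycle > rate_threshold_pps * CYCLE_SECONDS


if __name__ == "__main__":
    # Constructed scenario: one host floods 60 packets per cycle toward a host
    # behind the switch; thresholds 50 packets, 3 consecutive cycles, 3 minutes.
    monitor = IpAttackMonitor(50, 3, 3, switch_ips=["10.0.0.1"])
    flood = [("192.0.2.7", "10.0.0.99")] * 60
    for start in (0, 10, 20):
        print(start, monitor.process_cycle(flood, start))   # isolated at cycle 20
    print(monitor.is_isolated("192.0.2.7", 30), monitor.is_isolated("192.0.2.7", 210))
    print(tcn_rate_exceeded(11), tcn_rate_exceeded(10))       # True False
```

Two points the model makes visible: only packets not addressed to the switch itself count toward the IP threshold, and a single cycle below the threshold resets the count of consecutive detections, so a burst must be sustained for record-times-threshold cycles before isolation starts.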
AAA Configuration Commands The maximum length of a domain name is changed from 24 characters to 128 characters. See domain. The configuration of ISP domain delimiter is added. See domain delimiter. The configuration of HWTACACS authentication scheme for user level switching is added. See authentication super.
New Domain added.
[Sysname-isp-aabbcc.net] accounting radius-scheme radius
accounting optional
Syntax
accounting optional
undo accounting optional
View
ISP domain view
Parameters
None
Description
Use the accounting optional command to open the accounting-optional switch.
Use the undo accounting optional command to close the accounting-optional switch so that the system performs accounting for users unconditionally.
View
Local user view
Parameters
ip ip-address: Sets the IP address of the user.
mac mac-address: Sets the MAC address of the user. Here, mac-address is in H-H-H format.
idle-cut second: Enables the idle-cut function for the local user and sets the allowed idle time. Here, second is the allowed idle time, which ranges from 60 to 7,200 seconds.
View
ISP domain view
Parameters
radius-scheme radius-scheme-name: Specifies to use a RADIUS authentication scheme. Here, radius-scheme-name is a string of up to 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS authentication scheme. Here, hwtacacs-scheme-name is a string of up to 32 characters.
local: Specifies to use the local authentication scheme.
HWTACACS scheme must exist. The S3600 series switches adopt hierarchical protection for command lines so as to inhibit users at lower levels from using higher level commands to configure the switches. For details about configuring an HWTACACS authentication scheme for low-to-high user level switching, refer to Switching User Level in the Command Line Interface Operation.
New Domain added.
[Sysname-isp-aabbcc.net] authentication super hwtacacs-scheme ht
authorization
Syntax
authorization { none | hwtacacs-scheme hwtacacs-scheme-name }
undo authorization
View
ISP domain view
Parameters
none: Specifies not to use any authorization scheme.
hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS scheme. Here, hwtacacs-scheme-name is the name of an HWTACACS scheme;...
Description Use the authorization vlan command to specify an authorized VLAN for a local user. A user passing the authentication of the local RADIUS server can access network resources in the authorized VLAN. Use the undo authorization vlan command to remove the configuration. By default, no authorized VLAN is specified for a local user.
vlan vlan-id: Cuts down all user connections of a specified VLAN. Here, vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Cuts down the user connection with a specified connection index. Here, ucib-index ranges from 0 to 2071.
user-name user-name: Cuts down the connection of a specified user. Here, user-name is a string of up to 184 characters.
ucibindex ucib-index: Displays the user connection with a specified connection index. Here, ucib-index ranges from 0 to 2071. user-name user-name: Displays the connection of a specified user. Here, user-name is a character string in the format of pure-username@domain-name. The pure-username cannot be longer than 55 characters, the domain-name cannot be longer than 24 characters, and the entire user-name cannot be longer than 184 characters.
View
Any view
Parameters
isp-name: Name of an ISP domain, a string of up to 128 characters. This must be the name of an existing ISP domain.
Description
Use the display domain command to display configuration information about one specific or all ISP domains.
Field: Description
Messenger Time: Settings of the messenger time service, which is for reminding online users of their remaining online time. The setting in this example indicates that the system starts to remind an online user (at an interval of 10 minutes) when the remaining online time is 30 minutes.
Parameters isp-name: Name of an ISP domain, a string of up to 128 characters. This string cannot contain the following characters: /\:*?<>|. If the domain name includes one or more “~” characters and the last “~” is followed by numerals, it must be followed by at least five numerals to avoid confusion. This is because any domain name longer than 16 characters will appear in the form of “system prompt-the first 15 characters of the domain name~4-digit index”...
View
System view
Parameters
at: Specifies “@” as the delimiter between the username and the ISP domain name.
dot: Specifies “.” as the delimiter between the username and the ISP domain name.
Description
Use the domain delimiter command to specify the delimiter form between the username and the ISP domain name.
Description Use the idle-cut command to set the user idle-cut function in current ISP domain. If a user’s traffic in the specified period of time is less than the specified amount, the system will disconnect the user. By default, this function is disabled. Note that if the authentication server assigns the idle-cut settings, the assigned ones take precedence over the settings configured here.
Examples
# Set the level of user1 to 3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
New local user added.
[Sysname-luser-user1] level 3
local-user
Syntax
local-user user-name
undo local-user { user-name | all [ service-type { ftp | lan-access | ssh | telnet | terminal } ] }
View
System view
Parameters...
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user 01234567891234567
New local user added.
[Sysname-luser-012345678912345~0000]
local-user password-display-mode
Syntax
local-user password-display-mode { cipher-force | auto }
undo local-user password-display-mode
View
System view
Parameters
cipher-force: Adopts the forcible cipher mode so that the passwords of all local users will be displayed in cipher text.
Parameters limit: Time limit in minutes, ranging from 1 to 60. The switch will send prompt messages at regular intervals to users whose remaining online time is less than this limit. interval: Interval to send prompt messages (in minutes). This argument ranges from 5 to 60 and must be a multiple of 5.
Examples
# Set the name of VLAN 100 to test.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 100
[Sysname-vlan100] name test
password
Syntax
password { simple | cipher } password
undo password
View
Local user view
Parameters
simple: Specifies the password in plain text.
[Sysname] local-user user1
New local user added.
[Sysname-luser-user1] password simple 20030422
radius-scheme
Syntax
radius-scheme radius-scheme-name
View
ISP domain view
Parameters
radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.
Description
Use the radius-scheme command to configure a RADIUS scheme for the current ISP domain. After an ISP domain is initially created, it uses the local AAA scheme instead of any RADIUS scheme by default.
Description Use the scheme command to configure an AAA scheme for current ISP domain. Use the undo scheme command to restore the default AAA scheme configuration for the ISP domain. By default, the ISP domain uses the local AAA scheme. Note that: When you execute the scheme command to reference a RADIUS scheme in current ISP domain, the referenced RADIUS scheme must already exist.
Parameters
url-string: URL of the web page used to modify user password on the self-service server. It is a string of 1 to 64 characters. This string cannot contain any question mark "?". If the actual URL of the self-service server contains a question mark, you should change it to a vertical bar "|".
ssh: Authorizes the user to access the SSH service. terminal: Authorizes the user to access the terminal service (that is, allows the user to log into the switch through the Console port). level level: Specifies the level of the Telnet, terminal or SSH user. Here, level is an integer ranging from 0 to 3 and defaulting to 0.
You may use the display domain command or the display local-user command to view the status information.
Examples
# Set the ISP domain aabbcc.net to the block state, so that all its offline users cannot access the network.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
switch first creates a VLAN with the assigned ID, and then adds the port to the newly created VLAN. String: If the RADIUS authentication server assigns string type of VLAN IDs, you can set the VLAN assignment mode to string on the switch. Then, upon receiving a string ID assigned by the RADIUS authentication server, the switch compares the ID with existing VLAN names on the switch.
RADIUS Configuration Commands
accounting optional
Syntax
accounting optional
undo accounting optional
View
RADIUS scheme view
Parameters
None
Description
Use the accounting optional command to open the accounting-optional switch.
Use the undo accounting optional command to close the accounting-optional switch so that the system performs accounting for users unconditionally.
Parameters
times: Maximum number of attempts to send an Accounting-On message, ranging from 1 to 256 and defaulting to 15. If the maximum number has been reached but the switch still receives no response from the CAMS, the switch stops sending Accounting-On messages.
interval: Interval to send Accounting-On messages (in seconds), ranging from 1 to 30 and defaulting to
Description
Use the accounting-on enable command to enable the user re-authentication at restart function.
After configuring the accounting-on enable command, you need to execute the save command so that the command can take effect when the switch restarts. This function requires the cooperation of the H3C CAMS system. Related commands: nas-ip. Examples # Enable the user re-authentication at restart function for the RADIUS scheme named radius1.
Description
Use the display local-server statistics command to display the RADIUS message statistics about the local RADIUS server.
Related commands: local-server.
Examples
# Display the RADIUS message statistics about the local RADIUS server.
<Sysname> display local-server statistics
On Unit 1:
The localserver packet statistics:
Receive: Send: Discard:...
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min)
Username format =without-domain
Data flow unit =Byte
Packet unit
calling_station_id format =XXXX-XXXX-XXXX in lowercase
unit 1 :
Primary Auth State=active, Second Auth State=block
Primary Acc State=active, Second Acc State=block
------------------------------------------------------------------
Total 1 RADIUS scheme(s). 1 listed
Table 1-5 Description on the fields of the display radius scheme command
Field: Description...
Field: Description
Packet unit: Packet unit of data flow
calling_station_id format: MAC address format of the Calling-Station-Id (Type 31) field in RADIUS packets
Primary Auth State: Status of the primary authentication server
Second Auth State: Status of the secondary authentication server
Primary Acc State: Status of the primary accounting server
Second Acc State...
parameters here are used to display all the buffered stop-accounting requests generated from start-time to stop-time. user-name user-name: Displays the buffered stop-accounting requests of a specified user. Here, user-name is a string of up to 184 characters. Description Use the display stop-accounting-buffer command to display the non-response stop-accounting requests buffered in the device.
Description
Use the key command to set a shared key for RADIUS authentication/authorization messages or accounting messages.
Use the undo key command to restore the corresponding default shared key setting.
By default, no shared key exists.
Note that:
Both RADIUS client and server adopt MD5 algorithm to encrypt RADIUS messages before exchanging the messages with each other.
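The shared key set with the key command enters two MD5 computations defined by RFC 2865: hiding the User-Password attribute in an Access-Request, and the Response Authenticator that lets the client check that a reply was produced by a server holding the same key and that the packet was not altered in transit. The following Python code is an added illustration of those two computations and is not part of this manual or of the switch software; the shared key aabbcc and the password 20030422 are reused from the manual's examples, and the Request Authenticator value is constructed (a real client uses random bytes).

```python
# Added illustration of how the RADIUS shared key is used in the MD5 computations
# of RFC 2865 (User-Password hiding, section 5.2, and the Response Authenticator,
# section 3). Not switch code; sample values are constructed.
import hashlib
import hmac
import struct


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad the password to a multiple of 16 octets and XOR each 16-octet block
    with MD5(secret + previous block); the first 'previous block' is the
    16-octet Request Authenticator from the same Access-Request."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does). Padding NULs are
    stripped, so a password ending in NUL octets is not representable."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, identifier, length, request_auth, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, identifier, request_auth, attributes, secret):
    """Server side: assemble a reply packet carrying its Response Authenticator."""
    length = 20 + len(attributes)
    auth = response_authenticator(code, identifier, length, request_auth, attributes, secret)
    return struct.pack("!BBH", code, identifier, length) + auth + attributes


def verify_response(packet, request_auth, secret):
    """Client side: a reply whose authenticator does not match the expected MD5
    value (wrong key, tampered bytes or inconsistent length) must be discarded."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, length, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"aabbcc"                # shared key from the manual's local-server example
    request_auth = bytes(range(16))   # constructed; real clients use 16 random octets
    hidden = hide_password(b"20030422", secret, request_auth)
    print(reveal_password(hidden, secret, request_auth))                 # b'20030422'
    reply = build_response(2, 7, request_auth, b"", secret)              # 2 = Access-Accept
    print(verify_response(reply, request_auth, secret),                  # True
          verify_response(reply, request_auth, b"wrong"))                # False
```

The point for operators is that the MD5 steps bind every reply to the Request Authenticator of the matching request and to the shared key: a reply computed with a different key, or modified after the server sent it, fails verify_response. They do not hide the rest of the packet, so the transport between NAS and server still needs to be a trusted network.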
Use the undo local-server command to disable the UDP ports for local RADIUS services. By default, the UDP ports for local RADIUS services are enabled. In addition to functioning as a RADIUS client to provide remote RADIUS authentication, authorization, and accounting services, the switch can act as a local RADIUS server to provide simple RADIUS server functions locally.
When serving as a local RADIUS server, the switch does not support EAP authentication (that is, you cannot set the 802.1x authentication method to EAP using the dot1x authentication-method eap command).
Related commands: radius scheme, state, local-server enable.
Examples
# Allow the local RADIUS server to provide services to NAS 10.110.1.2 with shared key aabbcc.
<Sysname>...
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] nas-ip 10.1.1.1
primary accounting
Syntax
primary accounting ip-address [ port-number ]
undo primary accounting
View
RADIUS scheme view
Parameters
ip-address: IP address of the primary accounting server to be used, in dotted decimal notation.
port-number: UDP port number of the primary accounting server, ranging from 1 to 65535.
Parameters
ip-address: IP address of the primary authentication/authorization server to be used, in dotted decimal notation.
port-number: UDP port number of the primary authentication/authorization server, ranging from 1 to 65535.
Description
Use the primary authentication command to set the IP address and port number of the primary RADIUS authentication/authorization server used by the current RADIUS scheme.
Parameters None Description Use the radius client enable command to enable RADIUS authentication and accounting ports. Use the undo radius client command to disable RADIUS authentication and accounting ports. By default, RADIUS authentication and accounting ports are enabled. If you want to use the switch as a RADIUS client, you need to ensure that the ports for RADIUS authentication and accounting are open.
Note that:
You can set the source IP address of outgoing RADIUS messages so that messages returned from the RADIUS server can still reach their destination when a physical interface fails. It is recommended to use a Loopback interface address as the source IP address.
You can set only one source IP address by using this command.
Examples
# Create a RADIUS scheme named radius1 and enter its view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1]
radius trap
Syntax
radius trap { authentication-server-down | accounting-server-down }
undo radius trap { authentication-server-down | accounting-server-down }
View
System view...
Examples
# Delete the stop-accounting requests buffered for user user0001@aabbcc.net.
<Sysname> reset stop-accounting-buffer user-name user0001@aabbcc.net
# Delete the stop-accounting requests buffered from 0:0:0 08/31/2002 to 23:59:59 08/31/2002.
<Sysname> reset stop-accounting-buffer time-range 00:00:00-08/31/2002 23:59:59-08/31/2002
retry
Syntax
retry retry-times
undo retry
View
RADIUS scheme view
Parameters
retry-times: Maximum number of transmission attempts of a RADIUS request, ranging from 1 to 20.
undo retry realtime-accounting
View
RADIUS scheme view
Parameters
retry-times: Maximum allowed number of continuous real-time accounting failures, ranging from 1 to 255.
Description
Use the retry realtime-accounting command to set the maximum allowed number of continuous real-time accounting failures.
Use the undo retry realtime-accounting command to restore the default maximum number of continuous real-time accounting failures.
New Radius scheme
[Sysname-radius-radius1] retry realtime-accounting 10

retry stop-accounting
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
RADIUS scheme view
Parameters
retry-times: Maximum number of transmission attempts of a buffered stop-accounting request, ranging from 10 to 65,535.
Description
Use the retry stop-accounting command to set the maximum number of transmission attempts of a stop-accounting request buffered due to no response.
View RADIUS scheme view Parameters ip-address: IP address of the secondary accounting server to be used, in dotted decimal notation. port-number: UDP port number of the secondary accounting server, ranging from 1 to 65535. Description Use the secondary accounting command to set the IP address and port number of the secondary RADIUS accounting server to be used by the current scheme.
RADIUS scheme view Parameters extended: Specifies to support an H3C RADIUS server (which is generally a CAMS), that is, use the procedure and message format of the H3C private RADIUS protocol to interact with an H3C RADIUS server. standard: Specifies to support a standard RADIUS server, that is, use the procedure and message format of the standard RADIUS protocol (RFC 2865/2866 or above) to interact with a standard RADIUS server.
View RADIUS scheme view Parameters primary: Specifies that the server to be set is a primary RADIUS server. secondary: Specifies that the server to be set is a secondary RADIUS server. accounting: Specifies that the server to be set is a RADIUS accounting server. authentication: Specifies that the server to be set is a RADIUS authentication/authorization server.
View RADIUS scheme view Parameters None Description Use the stop-accounting-buffer enable command to enable the switch to buffer the stop-accounting requests that get no response. Use the undo stop-accounting-buffer enable command to disable the switch from buffering the stop-accounting requests that get no response. By default, the switch is enabled to buffer the stop-accounting requests that get no response.
By default, the response timeout time of RADIUS servers is 3 seconds. Note that: After sending out a RADIUS request (authentication/authorization request or accounting request) to a RADIUS server, the switch waits for a response from the server. The maximum time that the switch can wait for the response is called the response timeout time of RADIUS servers, and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers.
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] timer quiet 10

timer realtime-accounting
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
RADIUS scheme view
Parameters
minutes: Real-time accounting interval, in minutes. It ranges from 3 to 60 and must be a multiple of 3.
Description
Use the timer realtime-accounting command to set the real-time accounting interval.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] timer realtime-accounting 51

timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
RADIUS scheme view
Parameters
seconds: Response timeout time of RADIUS servers, ranging from 1 to 10 seconds.
Description
Use the timer response-timeout command to set the response timeout time of RADIUS servers. Use the undo timer response-timeout command to restore the default response timeout time of RADIUS servers.
View RADIUS scheme view Parameters with-domain: Specifies to include ISP domain names in the usernames to be sent to the RADIUS server. without-domain: Specifies to exclude ISP domain names from the usernames to be sent to the RADIUS server. Description Use the user-name-format command to set the format of the usernames to be sent to the RADIUS server. By default, except for the default RADIUS scheme "system", the usernames sent to RADIUS servers in any RADIUS scheme carry ISP domain names.
undo data-flow-format { data | packet } View HWTACACS scheme view Parameters data: Sets the data unit of outgoing HWTACACS data flows, which can be byte, giga-byte, kilo-byte, or mega-byte. packet: Sets the packet unit of outgoing HWTACACS data flows, which can be one-packet, giga-packet, kilo-packet, or mega-packet.
Examples
# Display stop-accounting requests buffered for HWTACACS scheme hwt1.
<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1

hwtacacs nas-ip
Syntax
hwtacacs nas-ip ip-address
undo hwtacacs nas-ip
View
System view
Parameters
ip-address: Source IP address to be set, an IP address of this device. This address can be neither the all-zeros address nor a Class D address.
Parameters hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 characters. Description Use the hwtacacs scheme command to create an HWTACACS scheme and enter its view. Use the undo hwtacacs scheme command to delete an HWTACACS scheme. By default, no HWTACACS scheme exists. If the fabric function is enabled on the switch, you cannot create an HWTACACS scheme because they are exclusive to each other.
Examples
# Use hello as the shared key for HWTACACS accounting messages in HWTACACS scheme hwt1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting hello

nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
HWTACACS scheme view
Parameters...
View HWTACACS scheme view Parameters ip-address: IP address of the primary accounting server to be used, a valid unicast address in dotted decimal notation. port: Port number of the primary accounting server, ranging from 1 to 65535. Description Use the primary accounting command to set the IP address and port number of the primary HWTACACS accounting server to be used by the current scheme.
Use the undo primary authentication command to restore the default IP address and port number of the primary HWTACACS authentication server, which are 0.0.0.0 and 49 respectively. Note that: You are not allowed to set the same IP address for both primary and secondary authentication servers.
Examples
# Set the IP address and UDP port number of the primary authorization server for HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49

reset hwtacacs statistics
Syntax
reset hwtacacs statistics { accounting | authentication | authorization | all }...
Parameters ip-address: IP address of the secondary accounting server to be used, a valid unicast address in dotted decimal notation. port: Port number of the secondary accounting server, ranging from 1 to 65535. Description Use the secondary accounting command to set the IP address and port number of the secondary HWTACACS accounting server to be used by the current scheme.
You are not allowed to set the same IP address for both primary and secondary authentication servers. If you do this, your setting will fail. If you re-execute the command, the new setting overwrites the old one. You can remove an authentication server setting only when there is no active TCP connection that is sending authentication messages to the server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49

timer quiet
Syntax
timer quiet minutes
undo timer quiet
View
HWTACACS scheme view
Parameters
minutes: Wait time before primary server state restoration, ranging from 1 to 255 minutes.
Description
Use the timer quiet command to set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active.
Use the undo timer realtime-accounting command to restore the default real-time accounting interval. By default, the real-time accounting interval is 12 minutes. Note that: To control the interval at which users are charged in real time, you can set the real-time accounting interval.
By default, the response timeout time of TACACS servers is five seconds. As HWTACACS is based on TCP, both a server response timeout and a TCP timeout may cause disconnection from the TACACS server. Related commands: display hwtacacs.
Examples
# Set the response timeout time of TACACS servers to 30 seconds for HWTACACS scheme hwt1.
<Sysname>...
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
EAD Configuration Commands EAD Configuration Commands security-policy-server Syntax security-policy-server ip-address undo security-policy-server { ip-address | all } View RADIUS scheme view Parameters ip-address: IP address of a security policy server. all: IP addresses of all security policy servers. Description Use the security-policy-server command to set the IP address of a security policy server. Use the undo security-policy-server command to remove one specified or all security policy server address settings.
Web Authentication Configuration Commands Web Authentication Configuration Commands display web-authentication configuration Syntax display web-authentication configuration View Any view Parameters None Description Use the display web-authentication configuration command to display all Web authentication configurations, including global configurations and configurations on individual ports. Examples # Display Web authentication configuration information.
Table 1-1 Description on the fields of display web-authentication configuration
Field: Description
Status: Global status of Web authentication
Web Server: IP address and port number of the Web authentication server
Idle-cut time: Idle user checking interval
Free IP: Free IP address range information
Free User: Authentication-free user information
Configuration information about Web-authentication-enabled...
Table 1-2 Description on the fields of display web-authentication connection
Field: Description
Username: Name of an online Web-authentication user
MAC address of the user
Interface: Access port of the user
VLAN: VLAN the user belongs to
Method: Access method of the user, Shared or Designated.
State: User status
Online-Time(s)
Parameters None Description Use the web-authentication enable command to enable Web authentication globally. Use the undo web-authentication enable command to disable Web authentication globally. Web authentication cannot be enabled when one of the following features is enabled, and vice versa: 802.1x, MAC authentication, port security, port aggregation and IRF.
The free IP address range to be set cannot include the Web authentication server's IP address. At most four free IP address ranges can be set.
Examples
# Set IP address range 10.1.1.0/24 as a free address range.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] web-authentication free-ip 10.1.1.0 24

web-authentication free-user
Syntax...
Examples
# Set the user with IP address 192.168.0.108 and MAC address 0010-0020-0030 as an authentication-free user.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] web-authentication free-user ip 192.168.0.108 mac 0010-0020-0030

web-authentication max-connection
Syntax
web-authentication max-connection number
undo web-authentication max-connection
View
Port view...
designated: Sets the Web authentication access method on the port to designated. Description Use the web-authentication select command to enable Web authentication on the current port and set the Web authentication access method on the port. Use the undo web-authentication select command to disable Web authentication on the port. There are two Web authentication access methods: shared: In this mode, the port allows multiple Web authentication users to be online at the same time.
Use the undo web-authentication timer idle-cut command to restore the default. By default, the idle user checking interval is 900 seconds for Web authentication. The idle user checking interval is the interval at which the system checks whether a user is idle. When a user is found idle, if the corresponding MAC address entry has not been aged out, the system keeps the user online;...
Before enabling Web authentication globally, you should first set the IP address of the Web authentication server.
Examples
# Set the IP address and port number of the Web authentication server to 192.168.0.56 and 80.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] web-authentication web-server ip 192.168.0.56 port 80...
Table of Contents
1 MAC Address Authentication Configuration Commands, 1-1
MAC Address Authentication Basic Function Configuration Commands, 1-1
display mac-authentication, 1-1
mac-authentication, 1-4
mac-authentication interface, 1-5
mac-authentication authmode usernameasmacaddress, 1-6
mac-authentication authmode usernamefixed, 1-6
mac-authentication authpassword, 1-7
mac-authentication authusername, 1-8
mac-authentication domain, 1-8
mac-authentication timer, 1-9
reset mac-authentication, 1-9
MAC Address Authentication Enhanced Function Configuration Commands, 1-10...
MAC Address Authentication Configuration Commands The configuration of fixed password when setting the user name in MAC address mode for MAC address authentication is added. See mac-authentication authmode usernameasmacaddress. The configuration of MAC Address Authentication Enhanced Function is added. See MAC Address Authentication Enhanced Function Configuration Commands.
Offline detect period is 300s
Quiet period is 60 second(s).
Server response timeout value is 100s
Guest VLAN re-authenticate period is 30s
Max allowed user number is 1024
Current user number amounts to
Current domain: not configured, use default domain
Silent Mac User info:
MAC ADDR From Port...
Field: Description
Quiet period: Quiet timer sets the quiet period. A switch goes through a quiet period if a user fails to pass the MAC address authentication. The default value is 60 seconds.
Server response timeout value: Server timeout timer, which sets the timeout time for the connection between a switch and the RADIUS server.
mac-authentication Syntax mac-authentication undo mac-authentication View System view, Ethernet port view Parameters None Description Use the mac-authentication command to enable MAC address authentication globally or on the current port. Use the undo mac-authentication command to disable MAC address authentication globally or on the current port.
mac-authentication interface Syntax mac-authentication interface interface-list undo mac-authentication interface interface-list View System view Parameters interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
View System view Parameters None Description Use the mac-authentication authmode usernamefixed command to set the user name in fixed mode for MAC address authentication. Use the undo mac-authentication authmode command to restore the default user name mode for MAC address authentication. By default, the MAC address mode is used.
mac-authentication authusername Syntax mac-authentication authusername username undo mac-authentication authusername View System view Parameters username: User name used in authentication, a string of 1 to 55 characters. Description Use the mac-authentication authusername command to set a user name in fixed mode. Use the undo mac-authentication authusername command to restore the default user name.
View User view Parameters interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
Use the undo mac-authentication max-auth-num command to restore the maximum number of MAC address authentication users allowed to access the port to the default value. By default, the maximum number of MAC address authentication users allowed to access a port is 256. If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port at the same time, the smaller value of the two configured limits is adopted as the maximum number of MAC address...
Examples
# Configure the switch to re-authenticate users in Guest VLANs at the interval of 60 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication timer guest-vlan-reauth 60
VRRP Configuration Commands Keywords in some commands are modified. See display vrrp, display vrrp statistics, reset vrrp statistics, vrrp vrid authentication-mode, and vrrp vrid track interface. Keyword verbose is added to the display vrrp command to display the detailed information of the VRRP group(s).
If you specify a VLAN interface only, the command will display the state information of all VRRP groups on the specified VLAN interface. If you specify both a VLAN interface and a VRRP group, the command will display the state information of the specified VRRP group on the specified VLAN interface.
Table 1-2 Description on the fields of the display vrrp verbose command
Field: Description
Run Method: Current VRRP running method, including REAL-MAC and VIRTUAL-MAC
Virtual Ip Ping: Whether you can ping the virtual IP address of the VRRP group
Interface: Interface where the VRRP group resides
VRID: VRRP group ID...
If only a VLAN interface is specified, the statistics information about all the VRRP groups on the specified VLAN interface is displayed. If both a VLAN interface and a VRRP group are specified, the statistics information about the specified VRRP group on the specified VLAN interface is displayed. You can clear the VRRP statistics by using the reset vrrp statistics command.
Field Description Invalid Type Pkts Rcvd Number of the packet type errors reset vrrp statistics Syntax reset vrrp statistics [ interface vlan-interface vlan-id [ vrid virtual-router-id ] ] View User view Parameters vlan-interface vlan-id: Specifies a VLAN interface by its ID. vlan-id is the ID of a VLAN interface. vrid virtual-router-id: Specifies a VRRP group.
virtual-mac: Maps the virtual MAC address of the VRRP group to the virtual IP address of the VRRP group. Description Use the vrrp method command to configure the MAC-Virtual IP address mapping for VRRP groups. You can configure to map the real MAC address of the switch to the virtual IP address of a VRRP group or configure to map the virtual MAC address of a VRRP group to the virtual IP address of the VRRP group.
[Sysname] vrrp ping-enable

vrrp vlan-interface vrid track
Syntax
vrrp vlan-interface vlan-id vrid virtual-router-id track [ reduced value-reduced ]
undo vrrp vlan-interface vlan-id vrid virtual-router-id track
View
Ethernet port view
Parameters
virtual-router-id: VRRP group ID, ranging from 1 to 255.
vlan-id: VLAN ID.
value-reduced: Value by which the priority of a switch is to decrease.
vrrp vrid authentication-mode Syntax vrrp vrid virtual-router-id authentication-mode authentication-type authentication-key undo vrrp vrid virtual-router-id authentication-mode View VLAN interface view Parameters virtual-router-id: VRRP group ID, ranging from 1 to 255. authentication-type: Authentication type, which can be: simple: Indicates to perform simple text authentication. md5: Indicates to perform the authentication by using MD5 algorithm.
You can also set the delay period for preemption as needed. For S3600 series, you can enable the preemptive mode for switches in a VRRP group: In a VRRP group where the preemptive mode is not enabled, once a switch in the VRRP group becomes the master, other switches, even if they are with a higher priority later, do not preempt the master as long as the master is not down.
View VLAN interface view Parameters virtual-router-id: VRRP group ID, ranging from 1 to 255. adver-interval: Interval (in seconds) at which the master of a VRRP group sends VRRP advertisement packets. This argument ranges from 1 to 255 and defaults to 1. Description Use the vrrp vrid timer advertise command to set the interval for the master of a VRRP group to send VRRP advertisements.
The VLAN interface tracking function extends the use of the backup function. With this function enabled on a switch, the backup function can take effect not only when the VLAN interface where a VRRP group resides fails, but also when some other VLAN interfaces on the switch fail. You can utilize the VLAN interface tracking function by specifying monitored VLAN interfaces.
The auto detect result of the detected group can control the priority of a switch in a VRRP group. In this way, the automatic switching between the master and the backup is implemented. Decrease the priority of a switch in a VRRP group when the result of the detected group is unreachable.
Use the undo vrrp vrid virtual-ip command to remove an existing VRRP group, or remove a virtual IP address from the virtual IP address list of an existing VRRP group. A VRRP group is removed if all its virtual IP addresses are removed. By default, no VRRP group is created.
ARP Configuration Commands The ARP packet rate limit feature is a new feature in the manual. For related commands, refer to arp protective-down recover enable, arp protective-down recover interval, rate-limit, and rate-limit enable. The ARP detection feature is a new feature in this manual. For related commands, refer to detection enable, arp detection...
Examples
# Disable the ARP entry checking function.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo arp check enable

arp detection enable
Syntax
arp detection enable
undo arp detection enable
View
VLAN view
Parameters
None
Description
Use the arp detection enable command to enable the ARP attack detection function on all ports in the specified VLAN.
Parameters None Description Use the arp detection trust command to specify the current port as a trusted port, that is, ARP packets received on this port are regarded as legal ARP packets and will not be checked. Use the undo arp detection trust command to specify the current port as an untrusted port in ARP detection.
arp protective-down recover interval Syntax arp protective-down recover interval interval undo arp protective-down recover interval View System view Parameters interval: Recovery time (in seconds) of a port which is shut down due to an excessive ARP packet receiving rate. The effective range is 10 to 86,400. Description Use the arp protective-down recover interval command to specify a recovery interval.
Description Use the arp rate-limit command to specify the maximum ARP packet receiving rate on the port. If a rate is specified, packets exceeding that rate are discarded. Use the undo arp rate-limit command to restore the default. By default, after a port is enabled with the ARP packet rate limit function, the maximum ARP packet receiving rate on the port is 15 pps.
arp restricted-forwarding enable Syntax arp restricted-forwarding enable undo arp restricted-forwarding enable View VLAN view Parameters None Description Use the arp restricted-forwarding enable command to enable ARP restricted forwarding so that the legal ARP requests received from the specified VLAN are forwarded through configured trusted ports only, and the legal ARP responses are forwarded according to the MAC addresses in the packets, or through trusted ports if the MAC address table contains no such destination MAC addresses.
By default, this function is disabled. Note that: Among S3600 series Ethernet switches, only S3600-EI series switches support this command. Before enabling the master switch of a VRRP backup group to send gratuitous ARP packets periodically, you need to create the VRRP backup group and perform corresponding configurations.
Examples
# Create a static ARP mapping entry, with the IP address of 202.38.10.2 and the MAC address of 000f-e20f-0000. The ARP mapping entry belongs to Ethernet 1/0/1, which belongs to VLAN 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] arp static 202.38.10.2 000f-e20f-0000 1 Ethernet 1/0/1

arp timer aging
Syntax...
Description
Use the display arp command to display specific ARP entries. If you execute this command with no keyword/argument specified, all the ARP entries are displayed. Related commands: arp static, reset arp.
Examples
# Display all the ARP entries.
<Sysname> display arp
Type: S-Static D-Dynamic
IP Address...
View Any view Parameters dynamic: Displays dynamic ARP entries. static: Displays static ARP entries. |: Uses a regular expression to specify the ARP entries to be displayed. For detailed information about regular expressions, refer to Configuration File Management Command in this manual. begin: Displays the first ARP entry containing the specified string and all subsequent ARP entries.
Parameters dynamic: Counts the dynamic ARP entries. static: Counts the static ARP entries. |: Uses a regular expression as the match criterion. For detailed information about regular expressions, refer to Configuration File Management Command in this manual. begin: Displays the number of ARP entries counted from the first one containing the specified string. exclude: Displays the number of ARP entries that do not contain the specified string.
Use the undo gratuitous-arp period-resending enable command to disable this function. By default, this function is enabled, and gratuitous ARP packets are sent at an interval of 30 seconds. After you enable a VLAN interface to send gratuitous ARP packets periodically, hosts on the network update the ARP entry corresponding to the VLAN interface's IP address in time, thus preventing it from being aged out.
View User view Parameters dynamic: Clears dynamic ARP entries. static: Clears static ARP entries. interface interface-type interface-number: Clears ARP entries of the specified port. Description Use the reset arp command to clear specific ARP entries. Related commands: arp static, display arp. Examples # Clear static ARP entries.
Proxy ARP Configuration Commands Proxy ARP Configuration Commands arp proxy enable Syntax arp proxy enable undo arp proxy enable View VLAN interface view Parameters None Description Use the arp proxy enable command to enable proxy ARP on the VLAN interface. Use the undo arp proxy enable command to disable proxy ARP on the VLAN interface.
If interface Vlan-interface vlan-id is specified, proxy ARP configuration of the specified VLAN interface is displayed; otherwise, proxy ARP configuration of all the VLAN interfaces is displayed. Related commands: arp proxy enable. Examples # Display the proxy ARP status on all VLAN interfaces. <Sysname>...
Resilient ARP Configuration Commands The contents of this chapter are only applicable to the S3600-EI series among S3600 Series Ethernet Switches. Resilient ARP Configuration Commands display resilient-arp Syntax display resilient-arp [ unit unit-id ] View Any view Parameters unit unit-id: Unit ID ranging from 1 to 8. If a switch belongs to a fabric, resilient ARP information on specific devices in the fabric can be displayed.
resilient-arp enable Syntax resilient-arp enable undo resilient-arp enable View System view Parameters None Description Use the resilient-arp enable command to enable the Resilient ARP function. The switch will adopt different methods based on the actual status. If the main link in the fabric breaks, the switch sends resilient ARP packets through the VLAN interface on the backup link to determine whether it should act as a Layer 3 or Layer 2 device.
Note that this command is used to enable a VLAN interface to send Resilient ARP packets, while all VLAN interfaces can receive Resilient ARP packets. Related commands: display resilient-arp. Examples # Configure the Resilient ARP packets to be sent from the VLAN-interface 2. <Sysname>...
Table of Contents
1 DHCP Server Configuration Commands, 1-1
DHCP Server Configuration Commands, 1-1
accounting domain, 1-1
bims-server, 1-2
bootfile-name, 1-3
dhcp enable, 1-3
dhcp select global, 1-4
dhcp select interface, 1-5
dhcp server bims-server, 1-7
dhcp server bootfile-name, 1-7
dhcp server detect, 1-8
dhcp server dns-list, 1-9
dhcp server domain-name, 1-10
dhcp server expired, 1-11
dhcp server forbidden-ip, 1-12...
DHCP packet rate limit is a new feature in this manual. For specific commands, see Rate Limit Configuration Commands. The contents of this chapter are only applicable to the S3600-EI series among S3600 Series Ethernet Switches. DHCP Server Configuration Commands accounting domain...
Use the undo accounting domain command to disable the DHCP accounting function. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Enter DHCP address pool view. [Sysname] dhcp server ip-pool test # Enable the DHCP accounting function (assuming that domain 123 already exists). [Sysname-dhcp-pool-test] accounting domain 123 bims-server Syntax...
bootfile-name Syntax bootfile-name bootfile-name undo bootfile-name View DHCP address pool view Parameters bootfile-name: Boot file name (with the extension name .cfg), a string of 1 to 63 characters. Description Use the bootfile-name command to specify a bootfile name in the DHCP global address pool for the client.
Among S3600 series switches, only S3600-EI switches support this command. DHCP is always enabled on S3600-SI series switches. You need to enable DHCP before performing other DHCP-related configurations. To improve security and avoid malicious attacks on unused sockets, S3600 Ethernet switches provide the following functions: UDP ports 67 and 68 used by DHCP are enabled/disabled only when DHCP is enabled/disabled.
interface-number [ to interface-type interface-number ] keyword and argument combination specifies an interface range. all: Specifies all interfaces to operate in global address pool mode. Description Use the dhcp select global command to configure the specified interface(s) or all interfaces to operate in global DHCP address pool mode.
type, interface-number indicates interface number. interface-type interface-number [ to interface-type interface-number ] specifies an interface range. all: Specifies all interfaces to operate in interface address pool mode. Description Use the dhcp select interface command to configure the specified interface(s) to operate in DHCP interface address pool mode.
dhcp server bims-server Syntax dhcp server bims-server ip ip-address [ port port-number ] sharekey key { interface interface-type interface-number [ to interface-type interface-number ] | all } undo dhcp server bims-server { interface interface-type interface-number [ to interface-type interface-number ] | all } View System view Parameters...
undo dhcp server bootfile-name In system view, use the following commands to specify the bootfile name in the specified interface address pool for the client: dhcp server bootfile-name bootfile-name { all | interface interface-type interface-number } undo dhcp server bootfile-name { all | interface interface-type interface-number } View System view, VLAN interface view Parameters...
Description Use the dhcp server detect command to enable the unauthorized DHCP server detection function. With this feature enabled, upon receiving a DHCP request, the DHCP server will record the IP addresses of any DHCP servers which ever assigned an IP address to the DHCP client and the receiving interface.
interface number; the interface interface-type interface-number [ to interface-type interface-number ] keyword and argument combination specifies an interface range. all: (In comparison with the ip-address argument) Specifies all DNS server IP addresses. all: (In comparison with the interface keyword) Specifies all interface address pools. Description Use the dhcp server dns-list command to specify the DNS server IP address in the DHCP interface address pool for the client.
Parameters domain-name: Domain name suffix of the DHCP clients whose IP addresses are from the specified interface address pool(s). This argument is a string of 3 to 50 characters. interface interface-type interface-number [ to interface-type interface-number ]: Specifies the interface(s), through which you can specify the corresponding interface address pool(s). The interface-type argument specifies an interface type;...
undo dhcp server forbidden-ip low-ip-address [ high-ip-address ] View System view Parameters low-ip-address: IP address that is not available for being assigned to DHCP clients automatically (An IP address of this kind is known as a forbidden IP address). This argument also marks the lower end of the range of the forbidden IP addresses.
undo dhcp server ip-pool pool-name View System view Parameters pool-name: Name of a DHCP address pool, which uniquely identifies the address pool. This argument is a string of 1 to 35 characters. Description Use the dhcp server ip-pool command to create a global DHCP address pool and enter DHCP address pool view.
undo dhcp server nbns-list { ip-address | all } In system view, use the following commands to configure WINS server IP addresses in multiple DHCP interface address pools for the client. dhcp server nbns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] | all } undo dhcp server nbns-list { ip-address | all } { interface interface-type interface-number [ to interface-type interface-number ] | all }...
dhcp server netbios-type Syntax In VLAN interface view, use the following commands to configure the NetBIOS node type of the DHCP clients whose IP addresses are from the current DHCP interface address pool. dhcp server netbios-type { b-node | h-node | m-node | p-node } undo dhcp server netbios-type In system view, use the following commands to configure the NetBIOS node type of the DHCP clients whose IP addresses are from multiple DHCP interface address pools.
# Specify p-node as the NetBIOS node type of the DHCP clients whose IP addresses are from the DHCP interface address pool of VLAN-interface 1. [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] dhcp server netbios-type p-node dhcp server option Syntax In VLAN interface view, use the following commands to customize DHCP options for the current DHCP interface address pool.
If you execute the dhcp server option command repeatedly, the new configuration overwrites the previous one. For commands related to Option 184, refer to dhcp server voice-config. Related commands: option. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Configure option 100 to be 0x11 and 0x22 for all DHCP interface address pools.
dhcp server relay information enable Syntax dhcp server relay information enable undo dhcp server relay information enable View System view Parameters None Description Use the dhcp server relay information enable command to enable the DHCP server to handle Option 82. Use the undo dhcp server relay information enable command to configure the DHCP server to ignore Option 82.
Description Use the dhcp server static-bind command to statically bind an IP address of the current DHCP interface address pool to a MAC address. When the client with the MAC address or ID requests an IP address, the DHCP server will find the IP address from the binding in the interface address pool for the client.
Parameters domain-name: TFTP server name, a string in the range 3 to 50 characters. all: Specifies all interface address pools. interface interface-type interface-number: Specifies an interface address pool. Description Use the dhcp server tftp-server domain-name command to specify the TFTP server name in DHCP interface address pool for the client.
interface interface-type interface-number: Specifies an interface address pool. Description Use the dhcp server tftp-server ip-address command to specify the TFTP server address in DHCP interface address pool for the client. When the client’s request contains Option 150 (TFTP server IP address), the DHCP server will return an IP address together with the IP address of the specified TFTP server from the interface address pool to the client.
disable: Disables the specified VLAN, meaning DHCP clients will not take this VLAN as their voice VLAN. enable: Enables the specified VLAN, meaning DHCP clients will take this VLAN as their voice VLAN. fail-over ip-address dialer-string: Specifies the failover IP address and dialer string. The dialer-string is a string of 0 to 39 characters, which can be 0 to 9, and “*”.
View Any view Parameters all: Specifies all IP addresses. ip ip-address: Specifies one IP address. Description Use the display dhcp server conflict command to display the statistics of IP address conflicts on the DHCP server. Related commands: reset dhcp server conflict. Examples # Display the statistics of IP address conflicts.
Description Use the display dhcp server expired command to display the lease expiration information about one IP address, or the lease expiration information about all IP addresses in one or all DHCP address pools. When all the IP addresses in an address pool are assigned, the DHCP server assigns the expired IP addresses to DHCP clients.
Examples # Display the free IP addresses. <Sysname> display dhcp server free-ip IP Range from 192.168.3.3 192.168.3.255 display dhcp server ip-in-use Syntax display dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ interface-type interface-number ] | all } View Any view Parameters...
Table 1-3 Description on the fields of the display dhcp server ip-in-use command
Field / Description
Global pool: Address binding information of global DHCP address pools
Interface pool: Address binding information of interface DHCP address pools
IP address: Bound IP address
Client-identifier/Hardware address: User ID or MAC address to which the IP address is bound
Lease expiration...
Dhcp Release: Dhcp Inform: Boot Reply: Dhcp Offer: Dhcp Ack: Dhcp Nak: Bad Messages:
Table 1-4 Description on the fields of the display dhcp server statistics command
Field / Description
Global Pool: Statistics about global address pools
Interface Pool: Statistics about interface address pools
Pool Number: Number of address pools
Auto...
Description Use the display dhcp server tree command to display information about address pool tree. Examples # Display the information about address pool tree. <Sysname> display dhcp server tree all Global pool: Pool name: test123 network 10.0.0.0 mask 255.0.0.0 Child node:test1234 option 30 hex AA BB expired 1 0 0 Pool name: test1234...
Field / Description
expired: The address lease time (in terms of number of days, hours, and minutes)
gateway-list: List of the gateways configured for the DHCP client
dns-list Syntax dns-list ip-address&<1-8> undo dns-list { ip-address | all } View DHCP address pool view Parameters ip-address&<1-8>: IP address of a DNS server.
View DHCP address pool view Parameters domain-name: Domain name suffix for the DHCP client of a DHCP global address pool, a string of 3 to 50 characters. Description Use the domain-name command to configure a domain name suffix in a DHCP global address pool for the DHCP client.
Related commands: dhcp server ip-pool, dhcp server expired. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Set the lease time of the IP addresses to be dynamically assigned in the DHCP global address pool 0 to 1 day, 2 hours and 3 minutes.
nbns-list Syntax nbns-list ip-address&<1-8> undo nbns-list { ip-address | all } View DHCP address pool view Parameters ip-address&<1-8>: IP address of a WINS server. &<1-8> means you can provide up to eight WINS server IP addresses. When inputting more than one IP address, separate two neighboring IP addresses with a space.
p-node: Specifies the p-typed node. Nodes of this type acquire host name-to-IP address mapping by communicating with the WINS server. m-node: Specifies the m-typed node. Nodes of this type are p-nodes with some broadcasting features. h-node: Specifies the h-typed node. Nodes of this type are b-nodes with peer-to-peer communicating features.
Related commands: dhcp server ip-pool, dhcp server forbidden-ip. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Configure the dynamically assigned IP address range 192.168.8.0/24 for the DHCP global address pool 0. [Sysname] dhcp server ip-pool 0 [Sysname-dhcp-pool-0] network 192.168.8.0 mask 255.255.255.0 option Syntax...
# Configure option 100 to be 0x11 and 0x22 for the DHCP global address pools. [Sysname] dhcp server ip-pool 0 [Sysname-dhcp-pool-0] option 100 hex 11 22 reset dhcp server conflict Syntax reset dhcp server conflict { all | ip ip-address } View User view Parameters...
Description Use the reset dhcp server ip-in-use command to clear the specified or all dynamic address binding information. Related commands: display dhcp server ip-in-use. Examples # Clear the dynamic address binding information about the IP address 10.110.1.1. <Sysname> reset dhcp server ip-in-use ip 10.110.1.1 reset dhcp server statistics Syntax reset dhcp server statistics...
Use the undo static-bind client-identifier command to delete a client ID that is statically bound in a DHCP global address pool. By default, no client ID is statically bound. Note that: The static-bind client-identifier command must be used together with the static-bind ip-address command, to respectively specify a statically bound client ID and an IP address in a DHCP global address pool.
If you execute the static-bind ip-address command repeatedly, the new configuration overwrites the previous one. Related commands: dhcp server ip-pool, static-bind mac-address. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Bind the IP address 10.1.1.1 (with the subnet mask 255.255.255.0) to the MAC address 0000-e03f-0305.
Description Use the tftp-server ip-address command to specify the TFTP server IP address in a global address pool. Use the undo tftp-server ip-address command to remove the TFTP server IP address from a global address pool. By default, no TFTP server address is specified. Using the tftp-server ip-address command repeatedly will overwrite the previous configuration.
By default, a DHCP server global address pool does not assign Option 184 and the corresponding sub-options to the client. Related commands: dhcp server voice-config. Examples # Enter system view <Sysname> system-view System View: return to User View with Ctrl+Z. # Enable the DHCP server to support Option 184 in global address pool 123.
Use the address-check disable command to disable IP address match checking on the DHCP relay agent. By default, IP address match checking on the DHCP relay agent is disabled. Note that among S3600 series switches, only S3600-EI series switches support the two commands. Examples # Enter system view.
By default, the DHCP relay handshake function is enabled. Note that: Among S3600 series switches, only S3600-EI series switches support the two commands. Currently, the DHCP relay agent handshake function on an S3600-EI series switch can only interoperate with a Windows 2000 DHCP server.
By default, with the Option 82 support function enabled on the DHCP relay agent, the DHCP relay agent adopts the replace strategy to process request packets containing Option 82. However, if another strategy was configured beforehand, enabling Option 82 support on the DHCP relay agent does not change the configured strategy.
Use the undo dhcp-security command to remove one or all address binding entries, or all address binding entries of a specified type. Note that among S3600 series switches, only S3600-EI series switches support the two commands. Related commands: display dhcp-security.
Use the undo dhcp-security tracker command to restore the default interval. By default, the refreshing interval is automatically calculated according to the number of binding entries. Note that among S3600 series switches, only S3600-EI series switches support these two commands. Examples # Enter system view.
Related commands: dhcp-server ip, display dhcp-server, display dhcp-server interface vlan-interface. To improve security and avoid malicious attacks on unused sockets, S3600 Ethernet switches provide the following functions: UDP ports 67 and 68 used by DHCP are enabled only when DHCP is enabled. UDP ports 67 and 68 are disabled when DHCP is disabled.
By default, the unauthorized DHCP server detection function is disabled. Related commands: dhcp server, display dhcp-server. Examples # Enter system view. <Sysname> system-view System View: return to User View with Ctrl+Z. # Enable the unauthorized DHCP server detection function on the DHCP relay agent. [Sysname] dhcp-server detect dhcp-server ip Syntax...
Description Use the display dhcp-security command to display information about address binding entries on the DHCP relay agent. Note that among S3600 series switches, only S3600-EI series switches support this command. Examples # Display information about all address binding entries.
Examples # Display information about DHCP server group 0. <Sysname> display dhcp-server 0 IP address of DHCP server group 0: 1.1.1.1 IP address of DHCP server group 0: 2.2.2.2 IP address of DHCP server group 0: 3.3.3.3 IP address of DHCP server group 0: 4.4.4.4 IP address of DHCP server group 0: 5.5.5.5...
Field / Description
DHCP_DISCOVER messages: Number of the DHCP-DISCOVER packets received by the DHCP relay
DHCP_REQUEST messages: Number of the DHCP-REQUEST packets received by the DHCP relay
DHCP_INFORM messages: Number of the DHCP-INFORM packets received by the DHCP relay
DHCP_RELEASE messages: Number of the DHCP-RELEASE packets received by the DHCP relay
BOOTP_REQUEST messages...
Description Use the reset dhcp-server command to clear the statistics information of the specified DHCP server group. Related commands: dhcp server, display dhcp-server. Examples # Clear the statistics information of DHCP server group 2. <Sysname> reset dhcp-server 2
DHCP Snooping Configuration Commands DHCP Snooping Configuration Commands dhcp-snooping Syntax dhcp-snooping undo dhcp-snooping View System view Parameters None Description Use the dhcp-snooping command to enable the DHCP snooping function. Use the undo dhcp-snooping command to disable the DHCP snooping function. After DHCP snooping is disabled, all the ports can forward DHCP replies from the DHCP server without recording the IP-to-MAC bindings of the DHCP clients.
View System view Parameters None Description Use the dhcp-snooping information enable command to enable DHCP snooping Option 82. Use the undo dhcp-snooping information enable command to disable DHCP snooping Option 82. DHCP snooping Option 82 is disabled by default. Enable DHCP snooping before performing this configuration. Examples # Enable DHCP snooping Option 82.
Examples # Configure the storage format of Option 82 as ASCII. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dhcp-snooping information format ascii dhcp-snooping information packet-format Syntax dhcp-snooping information packet-format { extended | standard } View System view Parameters extended: Specifies the padding format for Option 82 as the extended format.
Use the undo dhcp-snooping information remote-id command to restore the default value of the remote ID sub-option in Option 82. By default, the remote ID sub-option in Option 82 is the MAC address of the DHCP Snooping device that received the DHCP client’s request. Examples # Configure the remote ID sub-option of Option 82 as the system name (sysname) of the DHCP snooping device.
Enable DHCP-snooping and DHCP-snooping Option 82 before performing this configuration. If a handling policy is configured on a port, this configuration overrides the globally configured handling policy for requests received on this port, while the globally configured handling policy applies on those ports where a handling policy is not natively configured. Examples # Configure the keep handling policy for DHCP requests that contain Option 82 on the DHCP snooping device.
If you have configured a circuit ID with the vlan vlan-id argument specified, and the other one without the argument in Ethernet port view, the former circuit ID applies to the DHCP messages from the specified VLAN, while the latter one applies to DHCP messages from other VLANs. Examples # Set the circuit ID field in Option 82 of the DHCP messages sent through Ethernet 1/0/1 to abc.
Examples # Configure the remote ID of Option 82 in DHCP packets to abc on the port Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] dhcp-snooping information remote-id string abc dhcp-snooping trust Syntax dhcp-snooping trust undo dhcp-snooping trust...
Parameters unit unit-id: Displays the DHCP-snooping information on the specified device in the fabric. unit-id indicates the number of the device whose DHCP-snooping information needs to be viewed. If unit unit-id is not specified, DHCP snooping information of all units in the fabric is displayed. Description Use the display dhcp-snooping command to display the user IP-MAC address mapping entries recorded by the DHCP snooping function.
The above display information indicates that the DHCP snooping function is enabled, and the Ethernet 1/0/10 port is a trusted port. display ip source static binding Syntax display ip source static binding [ vlan vlan-id | interface interface-type interface-number ] View Any view Parameters...
Description Use the ip check source ip-address command to enable the filtering of the IP packets received through the current port based on the source IP address of the packets. Use the undo ip check source ip-address command to disable the filtering of the IP packets received through the current port based on the source IP address of the packets.
Related commands: ip check source ip-address. Examples # Configure static binding among source IP address 1.1.1.1, source MAC address 0015-e20f-0101, and Ethernet 1/0/3. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/3 [Sysname-Ethernet1/0/3] source static binding ip-address 1.1.1.1...
Parameters interval: Interval (in seconds) for a port disabled due to the DHCP traffic exceeding the set threshold to be brought up again. This argument ranges from 10 to 86,400. Description Use the dhcp protective-down recover interval command to set an auto recovery interval. Use the undo dhcp protective-down recover interval command to restore the default interval.
Description Use the display dhcp client command to display the information about the address allocation of DHCP clients. Note that S3600 series Ethernet switches that operate as DHCP clients support a maximum lease duration of 24 days currently. Examples # Display the information about the address allocation of DHCP clients.
Field / Description
lease: Lease period
Renewal timer setting
Rebinding timer setting
Lease from….to….: The starting and end time of the lease period
Server IP: IP address of the DHCP server selected
Transaction ID: Transaction ID
Default router: Gateway address
Next timeout will happen after 0 days 11 hours 56 minutes 1 seconds: The timer expires in 11 hours, 56 minutes, and 1 second.
Examples # Configure VLAN-interface 1 to obtain an IP address through DHCP. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 1 [Sysname-Vlan-interface1] ip address dhcp-alloc BOOTP Client Configuration Commands display bootp client Syntax display bootp client [ interface Vlan-interface vlan-id ] View Any view Parameters...
ip address bootp-alloc Syntax ip address bootp-alloc undo ip address bootp-alloc View VLAN interface view Parameters None Description Use the ip address bootp-alloc command to configure a VLAN interface to obtain an IP address through BOOTP. Use the undo ip address bootp-alloc command to cancel the configuration. By default, a VLAN interface does not use BOOTP to obtain an IP address.
ACL Configuration Commands The command used to apply ACL rules to a VLAN is newly added, which is described in packet-filter vlan. The command used to configure VLAN information for Layer 2 ACLs is newly added, which is described in rule (for Layer 2 ACLs).
Description Use the acl command to define an ACL and enter the corresponding ACL view. Use the undo acl command to remove all the rules of the specified ACL or all the ACLs. By default, ACL rules are matched in the order they are defined. Only after the rules in an existing ACL are fully removed can you modify the match order of the ACL.
You can give ACLs descriptions to provide relevant information such as their application purposes and the ports they are applied to, so that you can easily identity and distinguish ACLs by their descriptions. By default, no description string is assigned for an ACL. Examples # Assign description string “This ACL is used for filtering all HTTP packets”...
Table 1-1 Description on the fields of the display acl command
Field / Description
Basic ACL 2000: The displayed information is about the basic ACL 2000.
3 rules: The ACL includes three rules.
match-order is auto: The match order of the ACL is depth-first. If this field is not displayed, the match order of the ACL is config.
Table 1-2 Description on the fields of the display drv qacl_resource command Field Description On the front panel, From left to right, every four columns of FE ports (total of eight FE ports) represents a block numbered starting from 0. That is, 0 indicates Ethernet 1/0/1 to Ethernet 1/0/8, 1 indicates Ethernet 1/0/9 to Ethernet 1/0/16, and block 2 indicates Ethernet 1/0/17 to Ethernet 1/0/24.
Ethernet1/0/1 Inbound: Acl 2000 rule 0 running
Ethernet1/0/2 Outbound: Acl 2001 rule 0 not running
Table 1-3 Description on the fields of the display packet-filter command
Field / Description
Ethernet1/0/1: Port on which packet filtering is performed
Inbound: Direction of the packet filtering, Inbound or Outbound.
Acl 2000 rule 0: ACL and its rule(s) applied
Status of the rule, which can be...
Table 1-4 Description on the fields of the display time-range command
Field / Description
Current time is 17:01:34 May/21/2007 Monday: Current system time
Time-range: Name of the time range
Active: Status of the time range, which can be: Active: The time range is currently active. Inactive: The time range is not active now.
The link-group acl-number keyword specifies a Layer 2 ACL. The acl-number argument ranges from 4000 to 4999. The user-group acl-number keyword specifies a user-defined ACL. The acl-number argument ranges from 5000 to 5999. The rule rule-id keyword specifies a rule of an ACL. The rule argument ranges from 0 to 65534. If you do not specify this argument, all the rules of the ACL are applied.
Parameters vlan-id: VLAN ID. inbound: Specifies to filter packets received by the ports in the VLAN. outbound: Specifies to filter packets to be transmitted by the ports in the VLAN. acl-rule: ACL rules to be applied, which can be a combination of the rules of multiple ACLs, as described in Table 1-5.
Parameters Parameters of the rule command rule-id: ACL rule ID, in the range of 0 to 65534. deny: Drops the matched packets. permit: Permits the matched packets. rule-string: ACL rule information, which can be a combination of the parameters described in Table 1-6.
With the config match order specified for the basic ACL, you can modify any existent rule. The unmodified part of the rule remains. With the auto match order specified for the basic ACL, you cannot modify any existent rule; otherwise the system prompts error information. If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically.
deny: Drops the matched packets. permit: Permits the matched packets. protocol: Protocol carried by IP. When the protocol is given as a number, it ranges from 1 to 255; when the protocol is given by name, it can be gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17).
Arguments/Keywords / Type / Function / Description
time-range time-name: Time range information; Specifies the time range in which the rule takes effect; time-name: specifies the name of the time range in which the rule is active, a string comprising 1 to 32 characters.
The sour-wildcard/dest-wildcard argument is a wildcard mask, that is, the complement of the source/destination subnet mask.
Keyword / DSCP value in decimal / DSCP value in binary ... 101110
If you specify the precedence keyword, you can directly input a value ranging from 0 to 7 or input one of the keywords listed in Table 1-9 as IP precedence. Table 1-9 IP precedence values and the corresponding keywords Keyword IP Precedence in decimal...
TCP connection For a rule of an advanced ACL that is applied to ports or VLANs of the H3C S3600 series Ethernet switches, if it contains TCP or UDP port information, the operator argument can only be eq.
Name / ICMP type / ICMP code
source-quench: Type=4 Code=0
source-route-failed: Type=3 Code=5
timestamp-reply: Type=14 Code=0
timestamp-request: Type=13 Code=0
ttl-exceeded: Type=11 Code=0
Parameters of the undo rule command rule-id: Rule ID, which must be the ID of an existing ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
If the ACL is created with the auto keyword specified, the newly created rules will be inserted in the existent ones by depth-first principle, but the numbers of the existent rules are unaltered. Examples # Create advanced ACL 3000 and define rule 1 to deny packets with the source IP address of 192.168.0.1 and DSCP priority of 46.
Ethernet frames for the ACL rule. protocol-mask: Protocol type mask. When Layer 2 ACLs are applied to ports or VLANs of the H3C S3600 series Ethernet switches, rules configured with the format-type argument and the lsap keyword are invalid.
Description Use the rule command to define an ACL rule. Use the undo rule command to remove an ACL rule. To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
Offset1 to Offset8. With the S3600 series, a user-defined rule string may or may not contain spaces and can be up to 32 bytes in length. It can occupy up to eight mask offset units and any two of the offset units cannot belong to the same offset group.
You can modify any existent rule of a user-defined ACL. If you modify only the time range and/or action, the unmodified parts of the rule remain the same. If you modify the rule-string rule-mask offset combinations, however, the new combinations will replace all of the original ones. If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically.
processes internally, c0a80001 is the representation of 192.168.0.1 in hexadecimal, and 32 is the offset of the source IP address field in an ARP packet that the switch processes internally. [Sysname] acl number 5001 [Sysname-acl-user-5001] rule 1 deny 0806 ffff 16 c0a80001 ffffffff 32 [Sysname-acl-user-5001] quit # Create user-defined ACL 5002 and define rule 1, specifying a 32-byte rule string, a rule mask of all Fs, and an offset of 4.
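The user-defined rule above is evaluated as a set of rule-string/rule-mask/offset units that must all match. The following Python is an added example, not code from the manual or the switch, that parses such a rule text, enforces the 32-byte and eight-unit limits stated earlier, and applies the rule to constructed frames; it assumes the switch's internal frame format is an 802.1Q-tagged Ethernet frame, which is consistent with the EtherType offset 16 and ARP sender IP offset 32 the manual gives.

```python
# Added example (not H3C code): evaluating a user-defined ACL rule of the form
#   rule <id> { deny | permit } rule-string rule-mask offset [ ... ]
# against raw frame bytes. Assumption: the "internally processed" frame is
# modelled as an 802.1Q-tagged Ethernet frame (EtherType at byte 16).
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_UNITS = 8          # manual: at most eight mask offset units per rule
MAX_STRING_BYTES = 32  # manual: rule string up to 32 bytes in total


@dataclass(frozen=True)
class MatchUnit:
    value: bytes   # rule-string bytes
    mask: bytes    # rule-mask bytes, same length as value
    offset: int    # byte offset into the frame


@dataclass(frozen=True)
class UserRule:
    action: str                 # "deny" or "permit"
    units: Tuple[MatchUnit, ...]


def parse_user_rule(rule_text: str) -> UserRule:
    """Parse the argument part of 'rule <id> ...', e.g.
    'deny 0806 ffff 16 c0a80001 ffffffff 32'. Raises ValueError on bad input."""
    tokens = rule_text.split()
    if not tokens or tokens[0] not in ("deny", "permit"):
        raise ValueError("rule must start with deny or permit")
    body = tokens[1:]
    if not body or len(body) % 3 != 0:
        raise ValueError("expected rule-string rule-mask offset triples")
    units = []
    total = 0
    for i in range(0, len(body), 3):
        value = bytes.fromhex(body[i])
        mask = bytes.fromhex(body[i + 1])
        offset = int(body[i + 2])
        if len(value) != len(mask):
            raise ValueError("rule-string and rule-mask lengths differ")
        total += len(value)
        units.append(MatchUnit(value, mask, offset))
    if len(units) > MAX_UNITS:
        raise ValueError("more than %d mask offset units" % MAX_UNITS)
    if total > MAX_STRING_BYTES:
        raise ValueError("rule string exceeds %d bytes" % MAX_STRING_BYTES)
    return UserRule(tokens[0], tuple(units))


def rule_is_valid(rule_text: str) -> bool:
    """True if the rule text parses within the documented limits."""
    try:
        parse_user_rule(rule_text)
        return True
    except ValueError:
        return False


def unit_matches(unit: MatchUnit, frame: bytes) -> bool:
    """Masked comparison of one unit at its offset; a too-short frame never matches."""
    window = frame[unit.offset:unit.offset + len(unit.value)]
    if len(window) != len(unit.value):
        return False
    return all((w & m) == (v & m) for w, v, m in zip(window, unit.value, unit.mask))


def filter_action(rule: UserRule, frame: bytes) -> Optional[str]:
    """Return the rule's action if every unit matches the frame, else None."""
    return rule.action if all(unit_matches(u, frame) for u in rule.units) else None


def arp_request_frame(sender_ip: str, vlan_id: int = 1, tagged: bool = True) -> bytes:
    """Constructed sample frame: an ARP request, 802.1Q-tagged by default."""
    dst = bytes.fromhex("ffffffffffff")                  # broadcast
    src = bytes.fromhex("0000e03f0305")                  # constructed sender MAC
    tag = bytes.fromhex("8100") + vlan_id.to_bytes(2, "big") if tagged else b""
    spa = bytes(int(o) for o in sender_ip.split("."))    # sender IP, e.g. c0a80001
    arp = (bytes.fromhex("0001") + bytes.fromhex("0800") + b"\x06\x04"  # hw/proto/lens
           + bytes.fromhex("0001")                       # opcode: request
           + src + spa                                   # sender MAC, sender IP
           + bytes(6) + bytes([192, 168, 0, 254]))       # target MAC, target IP
    return dst + src + tag + bytes.fromhex("0806") + arp


if __name__ == "__main__":
    rule = parse_user_rule("deny 0806 ffff 16 c0a80001 ffffffff 32")
    print(filter_action(rule, arp_request_frame("192.168.0.1")))        # deny
    print(filter_action(rule, arp_request_frame("192.168.0.2")))        # None
```

With `tagged=False` the EtherType sits at offset 12 and the same rule no longer matches, which is why the offsets must follow the switch's internal (tagged) layout rather than the wire format.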
Parameters rule-id: ID of the ACL rule, in the range of 0 to 65534. text: Comment for the ACL rule, a string of 1 to 127 characters. Blank spaces and special characters are acceptable. Description Use the rule comment command to define a comment for the ACL rule. Use the undo rule comment command to remove the comment defined for the ACL rule.
end-time: End time of a periodic time range, in the form of hh:mm. The end time must be greater than the start time. days-of-the-week: Day of the week when the periodic time range is active. You can provide this argument in one of the following forms:
Numeral (0 to 6)
Mon, Tue, Wed, Thu, Fri, Sat, and Sun
Working days (Monday through Friday)
# Display the configuration information of the time ranges. [Sysname] display time-range all Current time is 17:37:23 Nov/27/2007 Tuesday Time-range : tr1 ( Inactive ) 08:00 to 12:00 working-day Time-range : tr2 ( Inactive ) From 12:00 Jan/1/2008 to 12:00 Jun/1/2008 1-26...
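The following Python script is an added example, not code from the manual or the switch. It reads the display time-range output format shown above, rebuilds each range from its periodic (start-time to end-time on given days) and absolute (From ... to ...) statements, and re-evaluates the Active/Inactive state at the switch clock or at any other moment, so that a configured ACL time window can be checked offline. Two assumptions are marked in the code: numeral 0 in days-of-the-week means Sunday, and an absolute statement bounds the periodic ones.

```python
"""Evaluate the time ranges printed by 'display time-range'.
Added example, not the switch's code; assumptions are marked below."""
import re
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Tuple

_NAMES = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}  # weekday() numbers
WORKING_DAY = frozenset(range(5))  # Monday through Friday


def parse_days(spec: str) -> FrozenSet[int]:
    """Accept numerals 0 to 6, day names, or 'working-day'.  Assumption:
    numeral 0 is Sunday and 1 to 6 are Monday to Saturday (the manual gives the range only)."""
    days = set()
    for tok in spec.lower().split():
        if tok == "working-day":
            days |= WORKING_DAY
        elif tok in _NAMES:
            days.add(_NAMES[tok])
        elif tok.isdigit() and int(tok) <= 6:
            days.add((int(tok) - 1) % 7)
        else:
            raise ValueError(f"unknown day-of-week token {tok!r}")
    return frozenset(days)


@dataclass
class Periodic:
    start: time
    end: time  # the switch requires end to be later than start
    days: FrozenSet[int]

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() < self.end


@dataclass
class Absolute:
    start: datetime
    end: datetime

    def active(self, now: datetime) -> bool:
        return self.start <= now <= self.end


@dataclass
class TimeRange:
    name: str
    periodic: List[Periodic] = field(default_factory=list)
    absolute: Optional[Absolute] = None

    def active(self, now: datetime) -> bool:
        # Assumed semantics: an absolute statement bounds the range, any one
        # periodic statement inside it activates it, and an empty range is inactive.
        if self.absolute is not None and not self.absolute.active(now):
            return False
        if not self.periodic:
            return self.absolute is not None
        return any(p.active(now) for p in self.periodic)


_CLOCK = re.compile(r"^Current time is (\d\d:\d\d:\d\d \w{3}/\d{1,2}/\d{4})")
_HEADER = re.compile(r"^Time-range : (\S+) \( (Active|Inactive) \)")
_PERIODIC = re.compile(r"^(\d\d:\d\d) to (\d\d:\d\d) (.+)$")
_ABSOLUTE = re.compile(r"^From (\d\d:\d\d \w{3}/\d{1,2}/\d{4}) to (\d\d:\d\d \w{3}/\d{1,2}/\d{4})$")


def parse_display(output: str) -> Tuple[datetime, List[TimeRange], Dict[str, bool]]:
    """Return the switch clock, the parsed ranges and the Active flags it printed."""
    now, ranges, reported = None, [], {}
    for raw in output.splitlines():
        line = raw.strip()
        if m := _CLOCK.match(line):
            now = datetime.strptime(m.group(1), "%H:%M:%S %b/%d/%Y")
        elif m := _HEADER.match(line):
            ranges.append(TimeRange(m.group(1)))
            reported[m.group(1)] = m.group(2) == "Active"
        elif m := _PERIODIC.match(line):
            ranges[-1].periodic.append(Periodic(
                datetime.strptime(m.group(1), "%H:%M").time(),
                datetime.strptime(m.group(2), "%H:%M").time(), parse_days(m.group(3))))
        elif m := _ABSOLUTE.match(line):
            ranges[-1].absolute = Absolute(datetime.strptime(m.group(1), "%H:%M %b/%d/%Y"),
                                           datetime.strptime(m.group(2), "%H:%M %b/%d/%Y"))
    if now is None:
        raise ValueError("no 'Current time is' line found")
    return now, ranges, reported


def evaluate_at(output: str, when: Optional[str] = None) -> Dict[str, bool]:
    """Active state of every range at ISO time 'when' (default: the switch clock)."""
    now, ranges, _ = parse_display(output)
    at = datetime.fromisoformat(when) if when else now
    return {tr.name: tr.active(at) for tr in ranges}


def agrees_with_switch(output: str) -> bool:
    """True when re-evaluation at the switch clock reproduces the printed flags."""
    now, ranges, reported = parse_display(output)
    return {tr.name: tr.active(now) for tr in ranges} == reported


# Constructed sample, transcribed from the display shown in the manual.
SAMPLE = """\
Current time is 17:37:23 Nov/27/2007 Tuesday
Time-range : tr1 ( Inactive )
 08:00 to 12:00 working-day
Time-range : tr2 ( Inactive )
 From 12:00 Jan/1/2008 to 12:00 Jun/1/2008
"""
```

agrees_with_switch(SAMPLE) returns True for the display above, and evaluate_at(SAMPLE, "2007-11-27T09:00") shows tr1 becoming active inside its working-day window. Checking a time range this way before binding it to a deny rule avoids the classic failure where a window is silently inactive because the switch clock is wrong or the absolute period has not started yet.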
QoS Commands The following commands were added: VLAN mapping related commands: display qos-interface traffic-remark-vlanid and section traffic-remark-vlanid. Commands related to port rate limiting and traffic policing: line-rate and section traffic-limit. VLAN-based priority marking command: traffic-priority vlan. The command for redirecting traffic to an aggregation group and removing outer VLAN tags when redirecting traffic to the specified port/aggregation group.
Use the display protocol-priority command to display the list of protocol priorities you assigned with the protocol-priority command. An S3600 series switch supports setting priorities for certain protocol packets generated by it. The supported protocols are Telnet, SNMP, ICMP, and OSPF. Depending on your configuration, the IP or DSCP precedence is displayed for a specified protocol.
Table 1-1 Description on the fields of the display protocol-priority command
Field | Description
Protocol: ospf | Indicates that a priority has been set for OSPF packets with the protocol-priority command. An IP precedence has been assigned to OSPF packets; the assigned IP precedence is 0, that is, routine in words.
display qos-interface all Syntax display qos-interface { interface-type interface-number | unit-id } all View Any view Parameters interface-type interface-number: Specifies the type and number of a port, for which QoS configuration information is to be displayed. unit-id: Unit ID of the switch whose QoS-related configuration is to be displayed. Table 1-2 shows the value range for the unit-id argument.
Field | Description
Exceed action | Action to take for exceeding packets: drop: Drops the packets. remark-dscp: Re-marks the DSCP precedence of the packets and forwards them.
Priority action | Priority marking action, which can be: cos: Sets 802.1p precedence for packets. dscp: Sets DSCP precedence for packets.
unit-id: Unit ID of the switch whose traffic policing configuration is to be displayed. For the value range for the unit-id argument, refer to Table 1-2. Description Use the display qos-interface traffic-limit command to display the traffic policing configuration of a port or a unit.
Matches: Acl 2000 rule 0 running Priority action: dscp ef Refer to Table 1-3 for the description on the output fields. display qos-interface traffic-redirect Syntax display qos-interface { interface-type interface-number | unit-id } traffic-redirect View Any view Parameters interface-type interface-number: Specifies the type and number of a port for which traffic redirecting configuration is to be displayed.
Description Use the display qos-interface traffic-remark-vlanid command to display the VLAN mapping configuration of a port or a unit. Related commands: traffic-remark-vlanid. Examples # Display the VLAN mapping configuration of Ethernet 1/0/1. <Sysname> display qos-interface Ethernet1/0/1 traffic-remark-vlanid Ethernet1/0/1: traffic-remark-vlanid Inbound: Matches: Acl 4000 rule 0 running Remark vlan: 101...
display queue-scheduler Syntax display queue-scheduler View Any view Parameters None Description Use the display queue-scheduler command to display the global queue scheduling configuration. This command does not display the weight or bandwidth set for a queue in port view. To display the setting, you can perform the display this command in port view.
GigabitEthernet port: 64 to 1,000,000. The granularity of the port rate limit is 64 kbps. If the value you provide for the target-rate argument falls between N*64 and (N+1)*64 (N is a natural number), it is rounded up to (N+1)*64. burst-bucket burst-bucket-size: Specifies the maximum burst traffic size (in KB).
Table 1-4 Ways of applying combined ACL rules
ACL combination | Form of the acl-rule argument
Apply a basic or advanced Layer 3 ACL | ip-group acl-number
Apply a rule in a Layer 3 ACL | ip-group acl-number rule rule-id
Apply all the rules in a Layer 2 ACL | link-group acl-number
Apply a rule in a Layer 2 ACL | link-group acl-number rule rule-id...
Examples # Configure traffic mirroring on Ethernet 1/0/1, duplicating the inbound packets sourced from IP address 1.1.1.1 to Ethernet 1/0/4. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 1.1.1.1 0 [Sysname-acl-basic-2000] quit [Sysname] interface Ethernet 1/0/4 [Sysname-Ethernet1/0/4] monitor-port...
Use the undo priority command to restore the default. By default, port priority is trusted and the priority of an Ethernet port is 0. After you execute the priority command on a port, the port priority rather than the 802.1p priority of each inbound 802.1q-tagged packet is used to identify the matching local precedence for the packet (in the 802.1p-precedence-to-local precedence mapping table).
[Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] priority trust protocol-priority protocol-type Syntax protocol-priority protocol-type protocol-type { ip-precedence ip-precedence | dscp dscp-value } undo protocol-priority protocol-type protocol-type View System view Parameters protocol-type protocol-type: Specifies the protocol type, which could be Telnet, SNMP, ICMP, or OSPF. ip-precedence ip-precedence: Specifies an IP precedence in digits for the specified protocol, in the range 0 to 7.
DSCP precedence (in words) DSCP precedence (in digits) af32 af33 af41 af42 af43 be (the default) Description Use the protocol-priority command to set the global IP precedence or DSCP precedence for the specified type of protocol packets generated by the current switch. Use the undo protocol-priority command to cancel the configuration.
[Sysname] protocol-priority protocol-type telnet dscp af33 qos cos-local-precedence-map Syntax qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec undo qos cos-local-precedence-map View System view Parameters cos0-map-local-prec: Local precedence to which 802.1p 0 is to be mapped, in the range 0 to 7. cos1-map-local-prec: Local precedence to which 802.1p 1 is to be mapped, in the range 0 to 7.
Examples # Configure the 802.1p priority-to-local precedence mapping table as follows: 0 to 0, 1 to 1, 2 to 2, 3 to 3, 4 to 4, 5 to 5, 6 to 6, and 7 to 7. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] qos cos-local-precedence-map 0 1 2 3 4 5 6 7 # Display the current 802.1p priority-to-local precedence mapping table.
queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight: Customizes the weights to be assigned to queues 0 through 7. The value ranges from 0 to 15 in both system view and Ethernet port view. A value of 0 means the corresponding queue adopts the SP algorithm for queue scheduling.
The display queue-scheduler command cannot display the queue weights (or bandwidth values) specified in Ethernet port view. To do that, use the display this command in the corresponding port view or the display current-configuration interface command in any view. Note that the two commands display the queue scheduling configuration only when the configuration of a port is different from the global configuration.
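The following Python model is added here; it is not taken from the manual or the switch software. It ties together three things described above: the priority command (port priority versus the packet's own 802.1p value), the qos cos-local-precedence-map table, and the queue-scheduler weights, where a weight of 0 selects SP scheduling for a queue. The identity 802.1p-to-local-precedence map from the example above, the rule that local precedence n feeds output queue n, and the precedence order among several SP queues are assumptions and are marked as such in the code.

```python
"""How an inbound packet gets its local precedence and how the eight
output queues are drained.  Added example, not the switch's own logic;
every assumption is marked in a comment."""
from typing import List, Optional, Sequence

# The identity map configured by the manual's example
# ('qos cos-local-precedence-map 0 1 2 3 4 5 6 7'); the factory default
# map is not given on this page, so the identity map is assumed here.
COS_LOCAL_MAP = (0, 1, 2, 3, 4, 5, 6, 7)


def local_precedence(frame_cos: Optional[int], use_port_priority: bool,
                     port_priority: int, cos_map: Sequence[int] = COS_LOCAL_MAP) -> int:
    """use_port_priority is True once 'priority <n>' has been executed on the
    port and False after 'priority trust'.  Untagged frames (frame_cos None)
    carry no 802.1p value, so the port priority is used for them as well."""
    cos = port_priority if use_port_priority or frame_cos is None else frame_cos
    if not 0 <= cos <= 7:
        raise ValueError("802.1p priority must be in 0..7")
    return cos_map[cos]


def output_queue(local_prec: int) -> int:
    """Assumption: local precedence n feeds output queue n."""
    return local_prec


def drain(queues: List[List[str]], weights: Sequence[int]) -> List[str]:
    """Service order for a snapshot of eight queues under 'queue-scheduler'
    weights.  Weight 0 marks a strict-priority (SP) queue, which is served
    before any weighted queue (assumption: among SP queues the higher-numbered
    one wins).  The remaining queues share WRR rounds in which queue i sends
    up to weights[i] packets per round."""
    if len(queues) != 8 or len(weights) != 8 or any(not 0 <= w <= 15 for w in weights):
        raise ValueError("eight queues and eight weights in 0..15 are required")
    q = [list(x) for x in queues]
    sp = sorted((i for i in range(8) if weights[i] == 0), reverse=True)
    wrr = sorted((i for i in range(8) if weights[i] > 0), reverse=True)
    order = []
    while any(q):
        hit = next((i for i in sp if q[i]), None)
        if hit is not None:               # SP queues are emptied before any WRR round
            order.append(q[hit].pop(0))
            continue
        for i in wrr:                     # one WRR round
            for _ in range(weights[i]):
                if q[i]:
                    order.append(q[i].pop(0))
    return order


if __name__ == "__main__":
    # Constructed snapshot: queue 7 is SP, queue 2 has weight 2, queue 1 weight 1.
    snapshot = [[], ["f", "g"], ["c", "d", "e"], [], [], [], [], ["a", "b"]]
    print(drain(snapshot, [1, 1, 2, 1, 1, 1, 1, 0]))
```

drain() makes the cost of a weight-0 setting visible: packets in an SP queue are always served before any WRR queue, so a port that trusts 802.1p from an untrusted neighbour lets that neighbour place its traffic in a strict-priority queue and hold back everything else. Setting a fixed port priority with the priority command, as the text above describes, takes that choice away from the sender.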
acl-rule: ACL rules to be applied. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-4 and Table 1-5. Description Use the reset traffic-statistic command to clear the statistics on packets matching specific ACL rules. Related commands: traffic-statistic, display qos-interface traffic-statistic.
Parameters inbound: Imposes traffic limit on the packets received through the interface. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-4 and Table 1-5.
When you configure traffic policing on a port, an ACL rule can only be applied to one egress port. If you configure the same ACL rule for different egress ports, only the last configuration takes effect. To apply the same ACL rule to multiple egress ports, you need to specify different ACL numbers or rule numbers for the ACL rule.
If 802.1p priority marking is configured, the traffic will be mapped to the local precedence corresponding to the re-marked 802.1p priority and assigned to the output queue corresponding to the local precedence. If local precedence marking is configured, the traffic will be assigned to the output queue corresponding to the re-marked local precedence.
Examples # Set the 802.1p priority to 1 for the packets received on any ports in VLAN 2 and destined to MAC address 000F-E200-1234. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] acl number 4000 [Sysname-acl-ethernetframe-4000] rule permit cos 3 dest 000f-e200-1234 ffff-ffff-ffff [Sysname-acl-ethernetframe-4000] quit [Sysname] traffic-priority vlan 2 inbound link-group 4000 cos 1 traffic-redirect...
Packets redirected to the CPU are not forwarded. If the traffic is redirected to a Combo port in down state, the system automatically redirects the traffic to the port corresponding to the Combo port in up state. Refer to Port Basic Configuration module of this manual for information about Combo ports.
Description Use the traffic-remark-vlanid command to enable VLAN mapping and set the target VLAN ID for packets matching specific ACL rules. Use the undo traffic-remark-vlanid command to disable VLAN mapping for packets matching specific ACL rules. Related commands: display qos-interface traffic-remark-vlanid. Examples # Enable VLAN mapping on Ethernet 1/0/1 to map the VLAN IDs of the inbound packets sourced from VLAN 5 to VLAN ID 1001.
display qos-profile Syntax display qos-profile { all | name profile-name | interface interface-type interface-number | user user-name } View Any view Parameters all: Specifies all the QoS profiles. name profile-name: Specifies a QoS profile by its name, for which information is to be displayed. The profile-name argument is a case-insensitive string of 1 to 32 characters and must begin with an English letter (a to z, and A to Z).
# Display the configuration of the QoS profile applied to Ethernet 1/0/2, assuming that the QoS profile has been applied to Ethernet 1/0/2 dynamically. <H3C> display qos-profile interface Ethernet 1/0/2 User's qos-profile applied mode: port-based User abc@net applied qos-profile: test, 3 actions...
Parameters inbound: Filters the inbound packets. outbound: Filters the outbound packets. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-4 and Table 1-5.
Examples # Create a QoS profile named a123. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] qos-profile a123 [Sysname-qos-profile-a123] qos-profile port-based Syntax qos-profile port-based undo qos-profile port-based View Ethernet port view Parameters None Description Use the qos-profile port-based command to configure the QoS profile application mode on a port to be port-based.
View QoS profile view Parameters inbound: Imposes traffic limit on the packets received through the interface. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-4 and Table 1-5.
When you configure traffic policing on a port, an ACL rule can only be applied to one egress port. If you configure the same ACL rule for different egress ports, only the last configuration takes effect. To apply the same ACL rule to multiple egress ports, you need to specify different ACL numbers or rule numbers for the ACL rule.
View QoS profile view Parameters inbound: Performs priority marking on the inbound packets. outbound: Performs priority marking on the outbound packets. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-4 and Table 1-5.
Table of Contents
1 Web Cache Redirection Configuration Commands 1-1
Web Cache Redirection Configuration Commands 1-1
display webcache 1-1
webcache address 1-2
webcache redirect-vlan 1-4...
Web Cache Redirection Configuration Commands Web cache redirection is available on S3600-EI series switches only. Web Cache Redirection Configuration Commands display webcache Syntax display webcache View Any view Parameters None Description Use the display webcache command to view Web cache redirection configuration and the status of Web cache.
Table 1-1 Description on the fields of the display webcache command
Field | Description
webcache IP address | IP address of the Web cache server
webcache MAC address | MAC address of the Web cache server
webcache port | Port that connects to the Web cache server
webcache VLAN | VLAN that the Web cache server belongs to
webcache TCP port...
vlan-id: ID of the VLAN where Web cache server is to be located. port interface-type interface-number: Specifies the port through which the switch is connected to the Web cache server. interface-type interface-number is the port type and port number. tcpport tcpport-number: Specifies the number of the TCP port used by HTTP packets. The default is Description Use the webcache address command to configure a Web cache server.
webcache redirect-vlan Syntax webcache redirect-vlan vlan-id undo webcache redirect-vlan [ vlan-id ] View System view Parameters vlan-id: ID of the VLAN whose HTTP traffic is to be redirected. Description Use the webcache redirect-vlan command to configure a VLAN as a redirected VLAN, that is, specify to redirect the HTTP traffic of the VLAN to the Web cache server.
Mirroring Commands Mirroring Commands display mirror Syntax display mirror View Any view Parameters None Description Use the display mirror command to display the port mirroring configurations. Related commands: mirroring-port, monitor-port. This command is available only on the S3600-SI series Ethernet switches. Examples # Display the port mirroring settings on your S3600-SI series Ethernet switch.
Field Description: The direction of the mirrored packets, which can be one of the following: both: packets received on and sent from the source port are both mirrored; inbound: packets received on the source port are mirrored; outbound: packets sent from the source port are mirrored. display mirroring-group Syntax display mirroring-group { group-id | all | local | remote-destination | remote-source }...
# Display the configurations of a remote source mirroring group on your S3600-EI series Ethernet switch. <Sysname> display mirroring-group 2 mirroring-group 2: type: remote-source status: active mirroring port: Ethernet1/0/1 inbound reflector port: Ethernet1/0/2 remote-probe vlan: 10 # Display the configurations of a remote destination mirroring group on your S3600-EI series Ethernet switch.
mirroring-group Syntax mirroring-group group-id { local | remote-destination | remote-source } undo mirroring-group { group-id | all | local | remote-destination | remote-source } View System view Parameters group-id: Number of a port mirroring group, in the range 1 to 20. all: Specifies to remove all mirroring groups.
View System view, Ethernet port view Parameters group-id: Number of a port mirroring group, in the range 1 to 20. mirroring-port mirroring-port-list: Specifies a list of source ports. mirroring-port-list is available in system view only, and there is no such argument in Ethernet port view. mirroring-port-list is provided in format mirroring-port-list interface-type...
mirroring-group monitor-port Syntax mirroring-group group-id monitor-port monitor-port undo mirroring-group group-id monitor-port monitor-port View System view, Ethernet port view Parameters group-id: Number of a port mirroring group, in the range 1 to 20. monitor-port monitor-port: Specifies the destination port for port mirroring. monitor-port is available in system view only, and there is no such argument in Ethernet port view.
mirroring-group reflector-port Syntax mirroring-group group-id reflector-port reflector-port undo mirroring-group group-id reflector-port reflector-port View System view, Ethernet port view Parameters group-id: Number of a port mirroring group, in the range 1 to 20. reflector-port reflector-port: Specifies the reflector port. reflector-port is available in system view only, and there is no such argument in Ethernet port view.
mirroring-group remote-probe vlan Syntax mirroring-group group-id remote-probe vlan remote-probe-vlan-id undo mirroring-group group-id remote-probe vlan remote-probe-vlan-id View System view Parameters group-id: Number of a port mirroring group, in the range 1 to 20. remote-probe vlan remote-probe-vlan-id: Specifies the remote-probe VLAN for the mirroring group. Description Use the mirroring-group remote-probe vlan command to specify the remote-probe VLAN for a remote source/destination mirroring group.
View Ethernet port view Parameters both: Specifies to mirror all packets received on and sent from the port. inbound: Specifies to mirror the packets received on the port. outbound: Specifies to mirror the packets sent from the port. Description Use the mirroring-port command to configure the source port in Ethernet port view. Use the undo mirroring-port command to remove the configuration of the source port in Ethernet port view.
View Ethernet port view Parameters None Description Use the monitor-port command to configure the destination port in Ethernet port view. Use the undo monitor-port command to remove the configuration of the destination port in Ethernet port view. Note that: You cannot configure a member port of an aggregation group, a fabric port, or a port enabled with LACP and STP as the mirroring destination port.
Parameters None Description Use the remote-probe vlan enable command to configure the current VLAN as the remote-probe VLAN. Use the undo remote-probe vlan enable command to restore the remote-probe VLAN to a normal VLAN. Note that: You cannot configure a default VLAN, a management VLAN, or a dynamic VLAN as the remote-probe VLAN.
IRF Fabric Commands IRF Fabric Commands change self-unit Syntax change self-unit to { unit-id | auto-numbering } View System view Parameters unit-id: Changes the unit ID of the current switch to a specified value which is in the range of 1 to 8. auto-numbering: Changes the numbering mode of unit ID on the current switch to automatic numbering mode.
You cannot change the unit ID of a switch unless its fabric port has been brought up. After the unit ID of a device is changed, the unit ID-related information about this device in the configuration file of the fabric is updated automatically. For example, if the unit ID of a device changes from 2 to 4, the port descriptions of this device in the configuration file change from 2/0/x to 4/0/x automatically.
Unit IDs in an IRF fabric are not necessarily arranged in order from 1 to 8, and they can be non-consecutive. After the unit ID of a device is changed, the unit ID-related information about this device in the configuration file of the fabric is updated automatically.
From the above example, you can see the original unit ID of the device with MAC address 000f-cbb7-3264 is 6. After the configuration, this unit ID changes to 4, and the priority of the device changes to 5. display ftm Syntax display ftm { information | topology-database } View...
Table 1-1 display ftm information command output description
Field | Description
FTM State | DISC STATE: In the topology discovery state. LISTEN STATE: In the topology discovery state, and the FTM slave device is listening. HB STATE: The fabric operates normally.
Unit ID | Unit ID
FTM-Master...
Field | Description
Left Port : Index = 255, | Indexes of the left and right ports
IRF IsEdge = 0 | IsEdge: Whether the device is at either end of a bus-topology IRF fabric in which the number of member devices has reached the upper limit.
display irf-fabric Syntax display irf-fabric [ port | status ] View Any view Parameters port: Displays the fabric port information. status: Displays operation status of the current fabric, including fabric name and unit ID. Description Use the display irf-fabric command to view the information of the entire fabric, including unit ID, unit name, and operation mode of the system.
By default, the IRF automatic fabric function of a switch is disabled. H3C S3600 series switches provide the IRF automatic fabric function, which lets a candidate switch automatically download the software and change its fabric name when its software version and fabric name differ from those of the devices already in the fabric, reducing the manual maintenance workload.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] fabric member-auto-update software enable fabric save-unit-id Syntax fabric save-unit-id undo fabric save-unit-id View User view Parameters None Description Use the fabric save-unit-id command to save the unit IDs of all the units in an IRF fabric into the unit Flash and set the unit priority to 5, that is, manual numbering.
Unit 7 saved unit ID successfully. Unit 8 saved unit ID successfully. # Display the saved unit IDs of the current fabric. <Sysname> display ftm topology-database Total number of units in fabric : 8, My Unit ID : 4 UID CPU-Mac Priority Stack-Port Board-ID A/M 000f-e20f-5002 5 /Right 1...
The four ports on an S3600 series Ethernet switch fall into two groups according to their port numbers: GigabitEthernet 1/1/1 and GigabitEthernet 1/1/2 form the first group.
ftm fabric-vlan Syntax ftm fabric-vlan vlan-id undo ftm fabric-vlan View System view Parameters vlan-id: ID of the IRF fabric VLAN, in the range of 2 to 4094. The VLAN you specify must not have been created manually. Description Use the ftm fabric-vlan command to specify the VLAN that the switch uses for IRF fabric.
Description Use the irf-fabric authentication-mode command to configure the authentication mode and password for an IRF fabric. Use the undo irf-fabric authentication-mode command to remove the IRF fabric authentication configuration. By default, no authentication mode is configured on a switch. IRF fabric authentication is used to ensure the security of the devices accessing it.
reset ftm statistics Syntax reset ftm statistics View User view Parameters None Description Use the reset ftm statistics command to clear FTM statistics. You can use this command together with the display ftm command to view the packet statistics processed by FTM in a period of time, thus analyzing fabric operation status and locating problems.
HGMP V2 Configuration Commands NDP Configuration Commands display ndp Syntax display ndp [ interface interface-list ] View Any view Parameters interface interface-list: Specifies a port list. You need to provide the interface-list argument in the form of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10>...
View System view, Ethernet port view Parameters interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10> means that you can provide up to ten port indexes/port index ranges for this argument. The interface-number argument is in the format of unit ID/slot number/port number.
You can specify how long the adjacent devices should hold the NDP information received from the local switch. When an adjacent device receives an NDP packet from the local switch, it learns how long it should keep the NDP information of the switch according to the holdtime carried in the NDP packet, and discards the NDP information when the holdtime expires.
reset ndp statistics Syntax reset ndp statistics [ interface interface-list ] View User view Parameters interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10> means that you can provide up to ten port indexes/port index ranges for this argument.
Description Use the display ntdp command to display the global NTDP information. The displayed information includes topology collection range (hop count), topology collection interval (NTDP timer), device/port forwarding delay of topology collection requests, and time used by the last topology collection. Examples # Display the global NTDP information.
: 000f-e20f-1234 Platform : S3600 : 100.100.1.1/24 Version: H3C Comware Platform Software. Comware Software, Version 3.10 Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved. S3600-28P-EI S3600-EI-1545 Cluster Candidate switch Peer MAC Peer Port ID Native Port ID Speed Duplex...
H3C Comware Platform Software. Comware Software, Version 3.10 Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved. S3600-28P-EI S3600-EI-1545 Cluster Candidate switch Peer MAC Peer Port ID Native Port ID Speed Duplex 000f-e20f-1234 Ethernet3/0/21 Ethernet1/0/22 FULL 5600-0000-3334 GigabitEthernet1/0/32 Ethernet1/0/4...
Use the undo ntdp enable command to disable NTDP globally or on a port. By default, NTDP is enabled both globally and on ports. Note that NTDP can take effect on a port only when NTDP is enabled both globally and on the port. Examples # Enable NTDP globally, and then enable NTDP on port Ethernet 1/0/1.
Parameters hop-value: Maximum hops to collect topology information, namely, the topology collection range, in the range of 1 to 16. Description Use the ntdp hop command to set the topology collection range. Use the undo ntdp hop command to restore the default topology collection range. By default, the topology collection range is three hops.
Note that: Only the management switch can collect topology periodically, and a member switch cannot. However, you can use the ndp explore command on the member switch to start a topology collection process manually. After a cluster is set up, the management switch will collect the topology information of the network at the topology collection interval you set and automatically add the candidate switches it discovers into the cluster.
[aaa_0.Sysname] ntdp timer hop-delay 300 ntdp timer port-delay Syntax ntdp timer port-delay time undo ntdp timer port-delay View System view Parameters time: Port forwarding delay in milliseconds. This argument ranges from 1 to 100. Description Use the ntdp timer port-delay command to configure the topology request forwarding delay between two ports, that is, the interval at which the device forwards the topology requests through the NTDP-enabled ports one after another.
Parameters member-number: Member number assigned to the candidate device to be added to the cluster. This argument ranges from 1 to 255. H-H-H: MAC address of the candidate device to be added (in hexadecimal). password: Super password of the candidate device, a string of 1 to 256 characters. Password authentication is required when you add a candidate device to a cluster.
Description Use the administrator-address command to specify the management device MAC address and the cluster name on a device to add the device to the cluster. Use the undo administrator-address command to remove the management device MAC address from the MAC address list of a member device, that is, remove the member device from the cluster. Normally, this command is used for debugging and restoration purposes.
Member 000f-e200-2200 is joined in cluster aaa. %Apr 3 08:12:37:831 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 000f-e200-0000 is joined in cluster aaa. %Apr 3 08:12:37:847 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 000f-e200-7800 is joined in cluster aaa. %Apr 3 08:12:37:863 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 000f-e200-2420 is joined in cluster aaa.
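The following Python script is an added example, not part of the manual or the switch software. Because the management device adds the candidate devices it discovers to the cluster automatically (see the topology collection notes above), the CLST/5/LOG join messages in the format just shown are worth auditing against an inventory of expected members. The script parses those lines, flags MAC addresses the inventory does not list, members that report a cluster name other than the expected one, and members that join repeatedly. The log excerpt and inventory below are constructed: the first three lines follow the output above, the other three are invented to exercise the checks.

```python
"""Audit HGMP V2 cluster join messages against an expected inventory.
Added example, not part of the manual.  The sample lines are constructed
in the CLST/5/LOG format shown above."""
import re
from typing import Dict, Iterable, List, Set, Tuple

_JOIN = re.compile(
    r"^%(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d):(?P<ms>\d{3}) "
    r"(?P<year>\d{4}) (?P<host>\S+) CLST/(?P<sev>\d)/LOG:- (?P<n>\d+) - "
    r"Member (?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}) is joined in cluster (?P<cluster>\S+)\.$")


def parse_joins(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One record per join message; lines in any other format are skipped."""
    records = []
    for line in lines:
        m = _JOIN.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def audit(lines: Iterable[str], inventory: Set[str], cluster_name: str) -> List[Tuple[str, str]]:
    """Findings as (member MAC, reason).  A member that names a cluster other
    than the expected one, a MAC the inventory does not list, or a member
    that joins more than once within the excerpt each produce a finding."""
    findings, joins_seen = [], {}
    for rec in parse_joins(lines):
        mac = rec["mac"]
        joins_seen[mac] = joins_seen.get(mac, 0) + 1
        if rec["cluster"] != cluster_name:
            findings.append((mac, "wrong-cluster"))
        if mac not in inventory:
            findings.append((mac, "unknown-member"))
        if joins_seen[mac] == 2:          # report a repeat once, not per extra join
            findings.append((mac, "repeated-join"))
    return findings


# Constructed log excerpt: the first three lines follow the manual's output,
# the last three are invented (an unknown MAC, a re-join, an unrelated line).
LOG_LINES = [
    "%Apr 3 08:12:37:831 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 000f-e200-0000 is joined in cluster aaa.",
    "%Apr 3 08:12:37:847 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 000f-e200-7800 is joined in cluster aaa.",
    "%Apr 3 08:12:37:863 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 000f-e200-2420 is joined in cluster aaa.",
    "%Apr 3 08:15:02:001 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 0000-1234-abcd is joined in cluster aaa.",
    "%Apr 3 08:16:11:120 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 000f-e200-7800 is joined in cluster aaa.",
    "%Apr 3 08:16:11:500 2000 aaa_0.Sysname SHELL/5/LOGIN:- 1 - (constructed unrelated line)",
]
INVENTORY = {"000f-e200-0000", "000f-e200-7800", "000f-e200-2420"}  # constructed

if __name__ == "__main__":
    for mac, reason in audit(LOG_LINES, INVENTORY, "aaa"):
        print(f"{reason}: {mac}")
```

The same checks can be driven from the hgmpMemberStatusChange trap shown further below or from display cluster members output, which lists each member's MAC address; the log-based form is shown here because the message format is reproduced on this page. A finding of unknown-member after a topology collection is the signal that the automatic add has pulled in a device the operator did not expect.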
To reduce the risk of attacks by malicious users against an open socket and to enhance switch security, the S3600 series Ethernet switches provide the following functions so that the cluster socket is open only when it is needed: UDP port 40000 (used for the cluster function) is opened only when the cluster function is enabled, and it is closed at the same time the cluster function is disabled.
OID:1.3.6.1.4.1.2011.6.7.1.0.3(hgmpMemberStatusChange):member 00.00.00.00.00.12. a9.90.22.40 role change, NTDPIndex:0.00.00.00.00.00.12.a9.90.22.40, Role:1 [aaa_0.Sysname-cluster] cluster Syntax cluster View System view Parameters None Description Use the cluster command to enter cluster view. Examples # Enter cluster view. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] cluster [Sysname-cluster] cluster enable...
When you execute the undo cluster enable command on the management device, the cluster function is disabled on the device, and the device stops operating as a management device, and the cluster and all its members are removed. When you execute the undo cluster enable command on a member device, the cluster function is disabled on the device, and the device leaves the cluster.
After you switch from a member device to the management device, the privilege level on the management device view will be determined by the configuration on the management device. If all the Telnet resources on the requested device are used up, the switching to the device will not succeed.
Examples # Configure multicast MAC address 0180-C200-0028 for HGMPv2 protocol packets. <aaa_0.Sysname> system-view System View: return to User View with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] cluster-mac 0180-C200-0028 cluster-mac syn-interval Syntax cluster-mac syn-interval time-interval View Cluster view Parameters time-interval: Interval to send multicast MAC synchronization packets, ranging from 0 to 30 minutes. Description Use the cluster-mac syn-interval command to set the interval for the management device to send HGMP V2 multicast MAC synchronization packets periodically.
Parameters member-id: Member number of a member device, ranging from 1 to 255. to-black-list: Adds the device removed from a cluster to the blacklist to prevent it from being added to the cluster. Description Use the delete-member command to remove a member device from the cluster. Note that a cluster will collect the topology information at the topology collection interval.
Executing this command on a member device will display the following information: cluster name, member number of the current switch, MAC address and status of the management device, holdtime, and interval to send handshake packets. Executing this command on a management device will display the following information: cluster name, number of the member devices in the cluster, cluster status, holdtime, and interval to send handshake packets.
You can only use this command on a management device. Note that, after a cluster is set up on an S3600 series switch, the switch will collect the topology information of the network at the topology collection interval you set and automatically add the candidate devices it discovers into the cluster.
Device name # Display detailed information about all devices in a cluster. <aaa_0.Sysname-cluster> display cluster members verbose Member number:0 Name:aaa_0.Sysname Device:S3600 MAC Address:000f-e20f-3901 Member status:Admin Hops to administrator device:0 IP: 100.100.1.1/24 Version: H3C Comware Platform Software. Comware Software, Version 3.10 1-26...
Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved. S3600-28P-EI S3600-EI-1545 Member number:1 Name:aaa_1.Sysname Device:S3600 MAC Address:3900-0000-3334 Member status:Up Hops to administrator device:2 IP: 16.1.1.11/24 Version: H3C Comware Platform Software. Comware Software, Version 3.10 Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
View User view Parameters None Description Use the ftp cluster command to connect to the shared FTP server of the cluster and enter FTP Client view through the management device. You can use the ftp-server command on the management device to configure the shared FTP server of the cluster, which is used for software version update and configuration file backup of the cluster members.
Description Use the ftp-server command to configure a shared FTP server for the cluster on the management device. Use the undo ftp-server command to remove the shared FTP server setting. By default, the management device acts as the shared FTP server of the cluster. After you configure the IP address of the shared FTP server on the management device, the member devices in the cluster can access the shared FTP server through the management device to back up configuration and download software.
If the management device receives NDP information from a member device within the holdtime, the member device stays in the normal state and does not need to be added to the cluster again. Note that you need only execute the command on a management device, which will advertise the holdtime value to all member devices in the cluster.
logging-host Syntax logging-host ip-address undo logging-host View Cluster view Parameters ip-address: IP address of the device to be configured as the log host of a cluster. Description Use the logging-host command to configure a shared log host for a cluster on the management device.
When specifying the management VLAN, note that: The management VLANs on all the devices in a cluster must be the same. You can specify the management VLAN on a device only when no cluster is created on the device. You cannot change the management VLAN on a device that has already joined a cluster. If you want to change the management VLAN on a device where a cluster has already been created, you must first remove the cluster configuration on the device, then re-specify a VLAN as the management VLAN, and finally re-create the cluster.
System View: return to User View with Ctrl+Z. [Sysname] cluster [Sysname-cluster] nm-interface Vlan-interface 2 reboot member Syntax reboot member { member-number | mac-address H-H-H } [ eraseflash ] View Cluster view Parameters member-number: Member number of a member device, ranging from 1 to 255. mac-address H-H-H: Specifies the MAC address of the member device to be rebooted.
Description Use the snmp-host command to configure a shared SNMP NMS for the cluster on the management device. Use the undo snmp-host command to remove the shared SNMP NMS setting. By default, no shared SNMP NMS is configured. After setting the IP address of an SNMP NMS for the cluster, the member devices in the cluster can send trap messages to the SNMP NMS through the management device.
You need to specify the cluster keyword completely in the command. For description of other parameters of the tftp command, refer to the FTP-SFTP-TFTP part of the manual. Examples # Download file LANSwitch.app from the shared TFTP server of the cluster to the switch and save it as vs.app.
<123_1.Sysname> tftp cluster put config.cfg temp.cfg tftp-server Syntax tftp-server ip-address undo tftp-server View Cluster view Parameters ip-address: IP address of a TFTP server to be configured for the cluster. Description Use the tftp-server command to configure a shared TFTP server for the cluster on the management device.
Description Use the timer command to set the interval between sending handshake packets. Use the undo timer command to restore the default value of the interval. By default, the interval between sending handshake packets is 10 seconds. In a cluster, the management device keeps connections with the member devices through handshake packets.
When using the destination IP address to trace a device, the switch looks up the ARP entry corresponding to the IP address, and then looks up the MAC address entry according to the ARP entry. If the queried IP address has a corresponding ARP entry, but the corresponding MAC address of the IP address does not exist in the MAC address table, the trace of the device fails.
Description Use the black-list add-mac command to add the specified MAC address to the cluster blacklist, so that the device with the specified MAC address cannot join the cluster. Use the black-list delete-mac command to remove all the MAC addresses or the specified MAC address from the current cluster blacklist, so that all devices or the device with the specified MAC address can join the cluster.
Examples # Display the standard topology of the cluster. <aaa_0.Sysname> display cluster base-topology -------------------------------------------------------------------- (PeerPort) ConnectFlag (NativePort) [SysName:DeviceMac] -------------------------------------------------------------------- [aaa_0.H3C:000f-e202-2180] ├-(P_0/40)<-->(P_0/6)[Sysname:000f-e200-2200] 1-40...
├-(P_0/28)<-->(P_3/0/1)[Sysname:000f-e200-1774] ├-(P_0/22)<-->(P_1/0/2)[aaa_5.H3C:000f-e200-5111] ├-(P_0/18)<-->(P_3/0/2)[Sysname S3600:000f-e218-d0d0] ├-(P_0/14)<-->(P_1/0/2)[Sysname:000f-e200-5601] └-(P_0/4)<-->(P_0/2)[S3600-28P-SI:000f-e200-00cc] The output information of the display cluster base-topology command is in the following format: (peer port number)<-->(local port number)[peer device name:peer device MAC address] For example, (P_0/40)<-->(P_0/6)[Sysname:000f-e200-2200] means that the peer device uses its port Ethernet 1/0/40 to connect to port Ethernet 1/0/6 of the local device;...
display cluster current-topology Syntax display cluster current-topology [ mac-address mac-address1 [ to-mac-address mac-address2 ] | member-id member-id1 [ to-member-id member-id2 ] ] View Any view Parameters mac-address mac-address1: Displays the topology structure three layers above or below the node specified by the MAC address. If to-mac-address is specified, mac-address1 is the start point of the route in the specified route topology displayed.
NTDP and is not in any cluster, you have to use the display ntdp single-device mac-address command. Examples # Display the detailed information about the switch with the MAC address 000f-e200-3956. <Sysname> display ntdp single-device mac-address 000f-e200-3956 Hostname : H3C : 000f-e200-3956 Platform : H3C S3600-28P-EI Version: 1-43...
H3C Comware Platform Software. Comware Software, Version 3.10 Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved. S3600-28P-EI S3600-EI-1545 Cluster Candidate switch Peer MAC Peer Port ID Native Port ID Speed Duplex 000f-e239-1333 Ethernet1/0/4 Ethernet1/0/10 FULL Table 1-12 Description on the fields of the display ntdp single-device command...
mac-address mac-address: Accepts adding the device with the specified MAC address to the standard topology of the cluster. member-id member-id: Accepts adding the device with the specified member ID to the standard topology of the cluster. administrator: Accepts adding the administrative device to the standard topology of the cluster. Description Use the topology accept command to accept the topology of the current cluster as the standard topology, and save the standard topology to the Flash memory of the administrative device so that the...
Description Use the topology restore-from command to restore the standard topology of the cluster from the Flash memory of the administrative device when errors occur to the topology, and advertise the topology to the member devices of the cluster to ensure normal operation of the cluster. You can only use this command on the cluster administrative device.
<aaa_0.Sysname>system-view System View: return to User View with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] # Save the standard topology of the cluster to the local Flash. [aaa_0.Sysname-cluster] topology save-to local-flash Base topology backup to file OK 1-47...
PoE Configuration Commands The newly added function is upgrading the PoE module of the fabric switch remotely. See update fabric for details. PoE Configuration Commands display poe interface Syntax display poe interface [ interface-type interface-number ] View Any view Parameters interface-type interface-number: Port type and port number.
Port peak power :552 mW Port average power :547 mW Port current :10 mA Port voltage :51 V
Table 1-1 display poe interface command output description
Port power enabled: PoE is enabled on the port
Port power ON/OFF: The power on the port is on/off
PoE status on the port: user command set port to off: PoE to the port is turned off by the...
Table 1-2 display poe interface command output description
PORT INDEX: Port index
POWER: Power status on the port: ON/OFF
ENABLE: PoE enabled/disabled status on the port
MODE: PoE mode on the port: signal: PoE through the signal cable; spare: PoE through the spare cable
PoE priority of the port: critical: Highest...
Ethernet1/0/3 Ethernet1/0/4 Ethernet1/0/5 Ethernet1/0/6 Ethernet1/0/7 Ethernet1/0/8 Ethernet1/0/9 Ethernet1/0/10 12400 …… <Omitted> display poe powersupply Syntax display poe powersupply View Any view Parameters None Description Use the display poe powersupply command to view the parameters of the power sourcing equipment (PSE). Examples # Display the PSE parameters.
Power Average Value: Average power value of the PSE
Power Software Version: Version of the PSE software
Power Hardware Version: Version of the PSE hardware
PSE CPLD Version: Version of the PSE complex programmable logical device (CPLD)
PoE management mode on the port when the PSE is overloaded: The auto keyword indicates that the auto mode...
Parameters None Description Use the poe enable command to enable the PoE feature on a port. Use the undo poe enable command to disable the PoE feature on a port. By default, the PoE feature on a port is enabled by the default configuration file when the device is delivered.
poe max-power Syntax poe max-power max-power undo poe max-power View Ethernet port view Parameters max-power: Maximum power distributed to the port, ranging from 1,000 to 15,400, in mW. Description Use the poe max-power command to configure the maximum power that can be supplied by the current port.
Use the undo poe mode command to restore the PoE mode on the current port to the default mode. By default, signal mode is adopted on a port. Note that the S3600 series Ethernet switches do not support the spare mode currently. Examples # Set the PoE mode on Ethernet 1/0/3 to signal.
poe priority Syntax poe priority { critical | high | low } undo poe priority View Ethernet port view Parameters critical: Sets the port priority to critical. high: Sets the port priority to high. low: Sets the port priority to low. Description Use the poe priority command to configure the PoE priority of a port.
Parameters None Description Use the poe temperature-protection enable command to enable PoE over-temperature protection on the switch. Use the undo poe temperature-protection enable command to disable PoE over-temperature protection on the switch. The PoE over-temperature protection operates as follows: The switch disables the PoE feature on all ports for self-protection when its internal temperature exceeds 65°C (149°F), and restores the PoE feature settings on all its ports when the temperature drops below 60°C (140°F).
Use the full mode only when the refresh mode fails. In normal cases, use the refresh mode. When the PSE processing software is damaged (that is, none of the PoE commands can be successfully executed), you can use the full mode to update and restore the software. This can happen when the online upgrading procedure is interrupted for some unexpected reason, for example, when the device is restarted because of an error.
2591972 warning: the verification is completed, start the file transmission? [Y/N] y The fabric is being updated, 100% The poe2046.s19 is stored on unit 1 successfully! The poe2046.s19 is stored on unit 2 successfully! Do you want to set poe2046.s19 to be running agent next time to boot?[Y/N] y The poe2046.s19 is configured successfully! 1-12...
PoE Profile Configuration Commands PoE Profile Configuration Commands apply poe-profile Syntax In system view use the following commands: apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] undo apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] In Ethernet port view use the following commands: apply poe-profile profile-name undo apply poe-profile profile-name...
PoE profile is a set of PoE configurations. One PoE profile can contain multiple PoE features. When the apply poe-profile command is used to apply a PoE profile to a port, some PoE features can be applied successfully while some cannot. PoE profiles are applied to S3600 series Ethernet switches according to the following rules: When the apply poe-profile command is used to apply a PoE profile to a port, the PoE profile is applied successfully only if one PoE feature in the PoE profile is applied properly.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] display poe-profile name profile-test Poe-profile: profile-test, 3 action poe enable poe max-power 5000 poe priority critical poe-profile Syntax poe-profile profile-name undo poe-profile profile-name View System view Parameters profile-name: Name of PoE profile, a string of 1 to 15 characters. It starts with a letter from a to z or from A to Z, and it cannot be any of reserved keywords like all, interface, user, undo, and mode.
By default, UDP Helper is disabled. Note that: On an S3600 Series Ethernet Switch, the reception of directed broadcast packets to a directly connected network is disabled by default. As a result, UDP Helper is available only when the ip forward-broadcast command is configured in system view.
udp-helper port Syntax udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time } undo udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time } View System view Parameters port-number: Number of the UDP port with which UDP packets are to be forwarded, in the range 0 to 65535 (except for 67 and 68).
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] udp-helper port 100 # Disable forwarding of UDP broadcasts with a destination UDP port number of 53. [Sysname] undo udp-helper port 53 udp-helper server Syntax udp-helper server ip-address undo udp-helper server [ ip-address ] View VLAN interface view Parameters...
SNMP Configuration Commands The configuration of creating a MIB view with the mask of a MIB subtree is added. See section snmp-agent mib-view for details. The configuration of encrypting a plain-text password is added. See section snmp-agent calculate-password. The configuration of adding “interface description” and “interface type” into a linkUp/linkDown trap is added.
Examples # Display the local SNMP entity engine ID. <Sysname> display snmp-agent local-engineid SNMP local EngineID: 800007DB000FE20F12346877 SNMP local EngineID in the above information represents the local SNMP entity engine ID. display snmp-agent community Syntax display snmp-agent community [ read | write ] View Any view Parameters...
Table 1-1 display snmp-agent community command output description
Community name: SNMPv1 and SNMPv2c use community name authentication. A community name functions like a password; it is used to restrict access between the NMS and the agent.
Group name: If you use the snmp-agent community command to configure a community name for...
Examples # Display the information about all the SNMP groups. <Sysname> display snmp-agent group Group name: v3group Security model: v3 noAuthnoPriv Readview: ViewDefault Writeview: ViewDefault Notifyview : ViewDefault Storage-type: nonVolatile
Table 1-2 display snmp-agent group command output description
Group name: SNMP group name of the user
Security model: SNMP group security mode, which can be...
Description Use the display snmp-agent mib-view command to display the MIB view configuration of the current Ethernet switch, including view name, MIB subtree, subtree mask, and so on. For the description of the configuration items of MIB view, refer to the related description in the snmp-agent mib-view command.
Parameters None Description Use the display snmp-agent statistics command to display the statistics on SNMP packets. The statistics are collected from the time the switch is started, and they are not cleared if SNMP is restarted. If you execute the command when the SNMP agent is not started, the device prompts “SNMP Agent disabled”.
Messages which represented an illegal operation for the community supplied: The total number of SNMP messages delivered to the SNMP protocol entity which represented an SNMP operation which was not allowed by the SNMP community named in the message.
ASN.1 or BER errors in the process of decoding: The total number of ASN.1 or BER errors encountered by the SNMP protocol entity when...
For the detailed configuration, refer to the snmp-agent sys-info command. By default, the contact information of an S3600 Ethernet switch is "Hangzhou H3C Technologies Co., Ltd.", the geographical location is "Hangzhou China", and the SNMP version employed is SNMPv3.
The contact person for this managed node: Hangzhou H3C Technologies Co., Ltd. The physical location of this node: Hangzhou China SNMP version running in the system: SNMPv3 display snmp-agent trap-list Syntax display snmp-agent trap-list View Any view Parameters None Description Use the display snmp-agent trap-list command to display the modules that can generate traps and whether the sending of traps is enabled on the modules.
display snmp-agent usm-user Syntax display snmp-agent usm-user [ engineid engineid | username user-name | group group-name ]* View Any view Parameters engineid: Engine ID, a string of 10 to 64 hexadecimal digits. user-name: SNMPv3 username, a string of 1 to 32 characters. group-name: Name of an SNMP group, a string of 1 to 32 characters.
Storage-type: Storage type, which can be: volatile: Information will be lost if the system is rebooted; nonVolatile: Information will not be lost if the system is rebooted; permanent: Modification is permitted, but deletion is forbidden; readOnly: Read only, that is, no modification, no deletion; other: Other storage types
UserStatus: SNMP user status...
snmp-agent Syntax snmp-agent undo snmp-agent View System view Parameters None Description Use the snmp-agent command to enable the SNMP agent. Use the undo snmp-agent command to disable the SNMP agent. Executing the snmp-agent command, or any of the commands used to configure the SNMP agent, starts the SNMP agent.
Parameters plain-password: The plain-text password to be encrypted, in the range 1 to 64 characters. mode: Specifies the authentication algorithm used to encrypt a plain text password. md5: Uses the HMAC MD5 algorithm. sha: Uses the HMAC SHA algorithm, which is more secure than the MD5 algorithm. local-engineid: Uses the local engine ID to calculate the key.
Parameters read: Specifies that the community to be created has read-only permission to MIB objects. Communities of this type can only query MIBs for device information. write: Specifies that the community to be created has read-write permission to MIB objects. Communities of this type are capable of configuring devices.
View System view Parameters v1: Specifies SNMPv1. v2c: Specifies SNMPv2c. v3: Specifies SNMPv3. group-name: Name of the SNMP group to be created, a string of 1 to 32 characters. authentication: Authenticates but does not encrypt the packets. privacy: Authenticates and encrypts the packets. read-view: Read-only view name, a string of 1 to 32 characters.
[Sysname] rule 0 permit source 192.168.0.108 0 [Sysname] snmp-agent group v3 v3group privacy acl 2001 In this case, when you use the display snmp-agent group command to display group information, you can see that two groups with the name v3group are created, but their security modes are noAuthnoPriv and AuthPriv respectively.
[Sysname] snmp-agent local-engineid 123456789A snmp-agent log Syntax snmp-agent log { set-operation | get-operation | all } undo snmp-agent log { set-operation | get-operation | all } View System view Parameters set-operation: Logs the set operations. get-operation: Logs the get operations. all: Logs both the set operations and get operations.
You need to define the MIB view access right of the community name or group in the configuration of an SNMP community name or group name. For the configurations, refer to the snmp-agent community and snmp-agent group commands. Examples # Create an SNMP MIB view with the name of rip2, and MIB subtree of 1.3.6.1.2.1.23 to configure MIB view for the NMS to display or configure rip2.
Multiple SNMP versions can be running on the device at the same time to allow access by different NMSs. By default, the contact information of an S3600 Ethernet switch is "Hangzhou H3C Technologies Co., Ltd.", the geographical location is "Hangzhou China", and the SNMP version employed is SNMPv3.
You can use the display snmp-agent sys-info command to display the current SNMP system information. Examples # Specify the contact information for system maintenance as Dial System Operator # 1234. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] snmp-agent sys-info contact Dial System Operator # 1234 snmp-agent target-host Syntax...
Specifies to send SNMP linkUp traps when a port becomes up. warmstart: Specifies to send SNMP warm start traps when SNMP is newly launched. system: Specifies to send H3C-SYS-MAN-MIB (proprietary MIB) traps. vrrp [ authfailure | newmaster ]: Specifies to send VRRP traps.
# Before the configuration of the extended trap function, the trap information is as follows when a link is down: #Apr 2 05:53:15:883 2000 H3C L2INF/2/PORT LINK STATUS CHANGE:- 1 - Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227634, ifAdminStatus is 2, ifOperStatus is 2 #Apr 2 05:53:16:094 2000 H3C IFNET/5/TRAP:- 1 -1.3.6.1.6.3.1.1.5.3(linkDown) Interface 31...
# After the configuration of the extended trap function, the trap information is as follows when a link is down: #Apr 2 05:55:00:642 2000 H3C L2INF/2/PORT LINK STATUS CHANGE:- 1 - Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227634, ifAdminStatus is 2, ifOperStatus is 2,ifDescr='Ethernet1/0/2', ifType=6 #Apr 2 05:55:00:893 2000 H3C IFNET/5/TRAP:- 1 -1.3.6.1.6.3.1.1.5.3(linkDown) Interface 31...
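The two trap records above differ only in the extended varbinds at the end of the line. The following Python parser is an added example, not part of the manual, that reads both forms, pulls out the varbinds, and reports whether a record carries the ifDescr/ifType fields that the extended trap function adds. The sample records are the two shown above; the ifType and ifOperStatus value names come from the standard IF-MIB/IANAifType registries.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two linkDown trap records shown above, one logged
# before and one after the extended trap function was configured.
SAMPLE_TRAP_LINES = [
    "#Apr 2 05:53:15:883 2000 H3C L2INF/2/PORT LINK STATUS CHANGE:- 1 - "
    "Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227634, "
    "ifAdminStatus is 2, ifOperStatus is 2",
    "#Apr 2 05:55:00:642 2000 H3C L2INF/2/PORT LINK STATUS CHANGE:- 1 - "
    "Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227634, "
    "ifAdminStatus is 2, ifOperStatus is 2,ifDescr='Ethernet1/0/2', ifType=6",
]

# Record layout: "#<timestamp> <sysname> <module>/<severity>/<mnemonic>:- <slot> -
# Trap <oid>(<name>): <varbind>, <varbind>, ..."
HEADER_RE = re.compile(
    r"^#(?P<ts>[A-Za-z]{3} +\d{1,2} +\d\d:\d\d:\d\d:\d{3} +\d{4}) +"
    r"(?P<host>\S+) +(?P<module>[A-Z0-9]+)/(?P<severity>\d)/(?P<mnemonic>[^:]+):-"
    r" *(?P<slot>\d+) *- *Trap (?P<oid>[\d.]+)\((?P<name>\w+)\): *(?P<varbinds>.*)$"
)
# Varbinds use two spellings on the same line: "key is value" for the
# standard objects and "key=value" / "key='value'" for the extended ones.
VARBIND_RE = re.compile(r"^\s*(?P<key>\w+)\s*(?:is|=)\s*'?(?P<val>[^']*?)'?\s*$")

IF_TYPE_NAMES = {6: "ethernetCsmacd"}                 # IANAifType value for Ethernet
IF_STATUS_NAMES = {1: "up", 2: "down", 3: "testing"}  # ifAdminStatus / ifOperStatus


@dataclass
class LinkTrap:
    timestamp: str
    host: str
    module: str
    severity: int
    trap_name: str
    trap_oid: str
    varbinds: Dict[str, str]


def parse_trap_line(line: str) -> Optional[LinkTrap]:
    """Parse one trap log record; return None for lines in another format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    varbinds: Dict[str, str] = {}
    for token in m.group("varbinds").split(","):
        vm = VARBIND_RE.match(token)
        if vm:
            varbinds[vm.group("key")] = vm.group("val")
    return LinkTrap(
        timestamp=m.group("ts"),
        host=m.group("host"),
        module=m.group("module"),
        severity=int(m.group("severity")),
        trap_name=m.group("name"),
        trap_oid=m.group("oid"),
        varbinds=varbinds,
    )


def has_extended_fields(trap: LinkTrap) -> bool:
    """True when the record carries the ifDescr and ifType added by the extended trap function."""
    return "ifDescr" in trap.varbinds and "ifType" in trap.varbinds


def describe(trap: LinkTrap) -> str:
    """One-line summary; falls back to the numeric portIndex when ifDescr is absent."""
    iface = trap.varbinds.get("ifDescr") or f"portIndex {trap.varbinds.get('portIndex', '?')}"
    type_txt = ""
    if_type = trap.varbinds.get("ifType")
    if if_type is not None:
        name = IF_TYPE_NAMES.get(int(if_type), if_type) if if_type.isdigit() else if_type
        type_txt = f", type {name}"
    oper_raw = trap.varbinds.get("ifOperStatus", "")
    oper = IF_STATUS_NAMES.get(int(oper_raw), "unknown") if oper_raw.isdigit() else "unknown"
    return f"{trap.host}: {trap.trap_name} on {iface}{type_txt}, ifOperStatus {oper}"


def summarize(lines: List[str]) -> List[str]:
    """Parse every recognised trap record in a log excerpt and describe it."""
    return [describe(t) for t in map(parse_trap_line, lines) if t is not None]
```

Lines in the IFNET/5/TRAP format are deliberately left unparsed (the function returns None), so a collector can count what it skipped.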
View System view Parameters size: The maximum number of traps that can be stored in the queue, an integer ranging from 1 to 1,000. Description Use the snmp-agent trap queue-size command to set the length of the queue of the SNMP traps to be sent to the destination.
You can configure this command to track a specific event by the source addresses of SNMP traps. Before configuring an interface as the source interface for the SNMP traps sent, make sure the interface is assigned an IP address. Related commands: snmp-agent trap enable, snmp-agent target-host. Examples # Configure VLAN-interface 1 as the source interface for the SNMP traps sent.
adding a new community name. If you fill the newly created username into the community name field of the NMS, the NMS can establish a connection with the SNMP agent. To make the configured user take effect, you must create a group first. Related commands: snmp-agent group, snmp-agent community, and snmp-agent local-engineid.
sha: Uses the HMAC SHA algorithm for authentication, which is more secure than MD5. auth-password: Authentication password, a string of 1 to 64 characters in plain text, a 32-bit hexadecimal number in cipher text if the MD5 algorithm is used, and a 40-bit hexadecimal number in cipher text if the SHA algorithm is used.
Examples # Add a user named testUser to the SNMPv3 group named testGroup. Set the security mode to authentication without privacy, the authentication algorithm to md5, and authentication password authkey. <Sysname> system-view [Sysname] snmp-agent group v3 testGroup authentication [Sysname] snmp-agent usm-user v3 testUser testGroup authentication-mode md5 authkey On the NMS, set the version to SNMPv3, the username to testUser, the authentication algorithm to MD5, and the authentication password to authkey, and establish a connection with the device.
RMON Configuration Commands RMON Configuration Commands display rmon alarm Syntax display rmon alarm [ entry-number ] View Any view Parameters entry-number: Alarm entry index, in the range 1 to 65535. Description Use the display rmon alarm command to display the configuration of a specified alarm entry or all the alarm entries.
Sampling interval: Sampling interval, in seconds. The system performs absolute or delta sampling on the sampled node at this interval.
Rising threshold: Rising threshold. When the sampled value equals or exceeds the rising threshold, an alarm is triggered.
Falling threshold: Falling threshold.
Event table 1 owned by user1 is VALID. Description: null. Will cause log-trap when triggered, last triggered at 0days 00h:02m:27s.
Table 2-2 display rmon event command output description
Event table: Index of an entry in the RMON event table
VALID: The status of the entry identified by the index is valid.
Table 2-3 display rmon eventlog command output description
Event table: Index of an entry in the RMON event table
VALID: The status of the entry identified by the index is valid.
Generates eventLog 1.1 at 0days 00h:02m:27s: Time when the event is triggered. The event can be triggered multiple times.
Parameters prialarm-entry-number: Extended alarm entry Index, in the range 1 to 65,535. Description Use the display rmon prialarm command to display the configuration of an RMON extended alarm entry. If you do not specify the prialarm-entry-number argument, the configuration of all the extended alarm entries is displayed.
When startup enables: risingOrFallingAlarm: The condition under which an alarm is triggered, which can be: risingOrFallingAlarm: An alarm is triggered when the rising or falling threshold is reached. risingAlarm: An alarm is triggered when the rising threshold is reached. fallingAlarm: An alarm is triggered when the falling threshold is reached.
alarm-variable: Alarm variable, a string comprising 1 to 256 characters in dotted node OID format (such as 1.3.6.1.2.1.2.1.10.1). Only the variables that can be resolved to ASN.1 INTEGER data type (that is, INTEGER, Counter, Gauge, or TimeTicks) can be used as alarm variables. sampling-time: Sampling interval (in seconds), in the range 5 to 65,535.
Before adding an alarm entry, you need to use the rmon event command to define the events to be referenced by the alarm entry. Make sure the node to be monitored exists before executing the rmon alarm command. Examples # Add the alarm entry numbered 1 as follows: The node to be monitored: 1.3.6.1.2.1.16.1.1.1.4.1 Sampling interval: 10 seconds Upper threshold: 50...
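As an added example (a model written for this page, not switch code), the following Python class shows how an rmon alarm entry, as described in the parameter list and the startup-alarm table above, turns absolute or delta samples into rising and falling events: a rising event fires when a sample equals or exceeds the rising threshold after the previous sample was below it, the startup type decides what the very first sample may trigger, and after a rising event no further rising event fires until a falling event has occurred (and vice versa). The monitored node, the 10-second interval and the rising threshold of 50 are taken from the example above; the falling threshold of 20, the event indexes and the counter readings are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

RISING, FALLING = "rising", "falling"
STARTUP_MODES = ("risingAlarm", "fallingAlarm", "risingOrFallingAlarm")


@dataclass
class RmonAlarmEntry:
    """One rmon alarm entry plus the running state needed to evaluate it."""
    entry_number: int
    variable: str               # monitored node, dotted OID
    sampling_time: int          # seconds; the command accepts 5 to 65535
    sample_type: str            # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    rising_event: int           # index of the rmon event fired on a rising alarm
    falling_event: int          # index of the rmon event fired on a falling alarm
    startup: str = "risingOrFallingAlarm"
    owner: str = "null"         # shown as "null" when no owner is given
    _last_raw: Optional[int] = field(default=None, repr=False)
    _last_value: Optional[int] = field(default=None, repr=False)
    _rising_armed: bool = field(default=True, repr=False)
    _falling_armed: bool = field(default=True, repr=False)

    def __post_init__(self) -> None:
        # Reject configurations the command reference says are out of range.
        if not 1 <= self.entry_number <= 65535:
            raise ValueError("entry-number must be in the range 1 to 65535")
        if not 5 <= self.sampling_time <= 65535:
            raise ValueError("sampling-time must be in the range 5 to 65535 seconds")
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("sample type must be absolute or delta")
        if self.startup not in STARTUP_MODES:
            raise ValueError("unknown startup alarm type")
        if self.rising_threshold < self.falling_threshold:
            raise ValueError("rising threshold must not be below the falling threshold")

    def _sampled_value(self, raw: int) -> Optional[int]:
        """Absolute sampling uses the reading itself; delta sampling needs two readings."""
        if self.sample_type == "absolute":
            return raw
        prev, self._last_raw = self._last_raw, raw
        return None if prev is None else raw - prev

    def sample(self, raw: int) -> Optional[int]:
        """Feed one reading of the monitored node; return the event index fired, or None."""
        value = self._sampled_value(raw)
        if value is None:
            return None
        prev, self._last_value = self._last_value, value
        fired = None
        if prev is None:
            # First sample: only the startup alarm type may trigger an event.
            if value >= self.rising_threshold and self.startup in ("risingAlarm", "risingOrFallingAlarm"):
                fired = RISING
            elif value <= self.falling_threshold and self.startup in ("fallingAlarm", "risingOrFallingAlarm"):
                fired = FALLING
        elif value >= self.rising_threshold and prev < self.rising_threshold and self._rising_armed:
            fired = RISING
        elif value <= self.falling_threshold and prev > self.falling_threshold and self._falling_armed:
            fired = FALLING
        if fired == RISING:
            # No second rising event until the value has reached the falling threshold.
            self._rising_armed, self._falling_armed = False, True
            return self.rising_event
        if fired == FALLING:
            self._rising_armed, self._falling_armed = True, False
            return self.falling_event
        return None


def run_entry(entry: RmonAlarmEntry, readings: List[int]) -> List[Optional[int]]:
    """Evaluate a sequence of readings and return the event fired at each step."""
    return [entry.sample(r) for r in readings]


# Constructed scenario: delta sampling of the octet counter named in the example,
# rising threshold 50 (from the example), falling threshold 20 (constructed).
OCTET_ALARM = RmonAlarmEntry(
    entry_number=1, variable="1.3.6.1.2.1.16.1.1.1.4.1", sampling_time=10,
    sample_type="delta", rising_threshold=50, falling_threshold=20,
    rising_event=1, falling_event=2, owner="user1",
)
COUNTER_READINGS = [100, 120, 200, 230, 235, 300]   # constructed counter values
```

Running `run_entry(OCTET_ALARM, COUNTER_READINGS)` yields deltas 20, 80, 30, 5, 65 after the baseline reading, so events 2, 1, none, 2, 1 fire in turn.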
log-trap: Logs the event and sends traps to the NMS. log-trapcommunity: Community name of the NMS that receives the traps, a character string of 1 to 127 characters. none: Specifies that the event triggers no action. owner text: Specifies the owner of the event entry, a string of 1 to 127 characters. Description Use the rmon event command to add an entry to the event table.
system samples the port periodically and stores the samples for later retrieval. The sampled information includes utilization, the number of errors, and total number of packets. You can use the display rmon history command to display the statistics of the history control table. Examples # Create the history control entry numbered 1 for Ethernet 1/0/1, with the table size being 10, the sampling interval being 5 seconds, and the owner being user1.
Description Use the rmon prialarm command to create an extended entry in an extended RMON alarm table. If you do not specify the owner text keyword/argument combination, the owner of the entry is displayed as “null”. Use the undo rmon prialarm command to remove an extended alarm entry. Before adding an extended alarm entry, you need to use the rmon event command to define the events to be referenced by the entry.
NTP Configuration Commands To protect unused sockets against attacks by malicious users and improve security, H3C S3600 series Ethernet switches provide the following functions: UDP port 123 is opened only when the NTP feature is enabled. UDP port 123 is closed when the NTP feature is disabled.
Examples # View the brief information of all sessions maintained by NTP services. <Sysname> display ntp-service sessions source reference stra reach poll now offset delay disper ************************************************************************* [12345]3.0.1.32 LOCL -14.3 12.9 [25]3.0.1.31 127.127.1.0 1 4408.6 38.7 note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured Total associations : Table 1-1 display ntp-service sessions command output description Field...
Total associations Total number of associations An S3600 series switch does not establish a session with its client when it works in the NTP server mode, but does so when it works in other NTP implementation modes. display ntp-service status...
Reference clock ID: Address of the remote server or ID of the reference clock after the local clock is synchronized to a remote NTP server or a reference clock
Nominal frequency: Nominal frequency of the local hardware clock, in Hz.
Table 1-3 display ntp-service trace command output description
server: IP address of the NTP server
stratum: The stratum level of the corresponding system clock
offset: The clock offset relative to the upper-level clock, in milliseconds.
synch distance: The synchronization distance relative to the upper-level clock, in seconds
Identifier of the primary reference source.
NTP service access-control rights from the highest to the lowest are peer, server, synchronization, and query. When a local NTP server receives an NTP request, it performs an access-control right match and uses the first matched right. The ntp-service access command only provides a minimal degree of security. A more secure way is to perform identity authentication.
ntp-service authentication-keyid Syntax ntp-service authentication-keyid key-id authentication-mode md5 value undo ntp-service authentication-keyid key-id View System view Parameters key-id: Authentication key ID, in the range of 1 to 4294967295. You can configure up to 1024 keys. value: Authentication key string. You can input 1 to 16 simple text characters, or 24 cipher text characters.
Use the undo ntp-service broadcast-client command to remove the configuration.
By default, no NTP operating mode is configured.
Examples
# Configure the switch to operate in the broadcast client mode and receive NTP broadcast packets through VLAN-interface 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
undo ntp-service in-interface disable
View
VLAN interface view
Parameters
None
Description
Use the ntp-service in-interface disable command to disable the interface from receiving NTP packets.
Use the undo ntp-service in-interface disable command to restore the default.
By default, the interface can receive NTP packets.
Examples
# Disable VLAN-interface 1 from receiving NTP packets.
ntp-service multicast-client
Syntax
ntp-service multicast-client [ ip-address ]
undo ntp-service multicast-client [ ip-address ]
View
VLAN interface view
Parameters
ip-address: Multicast IP address, in the range of 224.0.1.0 to 224.0.1.255. The default IP address is 224.0.1.1.
Description
Use the ntp-service multicast-client command to configure an Ethernet switch to operate in the NTP multicast client mode and receive NTP multicast packets through the current interface.
Description
Use the ntp-service multicast-server command to configure an Ethernet switch to operate in the NTP multicast server mode and send NTP multicast packets through the current interface.
Use the undo ntp-service multicast-server command to remove the configuration.
By default, no NTP operating mode is configured.
Examples
# Configure the switch to send NTP multicast packets through VLAN-interface 1, and set the multicast group address to 224.0.1.2, the key ID to 4, and the NTP version number to 2.
[Sysname] ntp-service reliable authentication-keyid 37
ntp-service source-interface
Syntax
ntp-service source-interface Vlan-interface vlan-id
undo ntp-service source-interface
View
System view
Parameters
vlan-interface vlan-id: Specifies an interface. The IP address of the interface serves as the source IP address of sent NTP packets. The vlan-id argument indicates the ID of the specified VLAN interface.
Description
Use the ntp-service source-interface command to specify a VLAN interface through which NTP packets are to be sent.
View
System view
Parameters
remote-ip: IP address of the NTP symmetric-passive peer. This argument can be a unicast address only, and cannot be a broadcast address, a multicast address, or the IP address of the local reference clock.
peer-name: Symmetric-passive peer host name, a string comprising 1 to 20 characters.
authentication-keyid key-id: Specifies the key ID used for sending packets to the peer.
undo ntp-service unicast-server { remote-ip | server-name }
View
System view
Parameters
remote-ip: IP address of an NTP server. This argument can be a unicast address only, and cannot be a broadcast address, a multicast group address, or the IP address of the local clock.
server-name: NTP server name, a string comprising 1 to 20 characters.
SSH Commands
The DSA support feature is newly added. For specific commands, see display public-key local, display public-key peer, public-key local create, public-key local destroy, public-key local export rsa, public-key local export dsa, public-key peer, public-key peer import sshkey.
SSH Commands
display public-key local
Syntax
display public-key local { dsa | rsa } public...
75FD6A430575D97350E300A20FEB773D93D7C3565467B0CA6B95C07D3338C523743B49D82C
5EC2C9458D248955846F9C32F4D25CC92D0E831E564BBA6FAE794EEC6FCDEDB822909CC687
BEBF51F3DFC5C30D590203010001
=====================================================
Time of Key pair created: 23:48:36 2000/04/03
Key name: Sysname_Server
Key type: RSA encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100BC86D8F08E101461C1231B12
2777DBE777645C81C569C004EC2FEC03C205CC7E3B5DAA38DD865C6D1FB61C91B85ED63C6F
35BAFBF9A6D2D2989C20051FF8FA31A14FCF73EC1485422E5B800B55920FC121329020E82F
2945FFAD81BE72663BF70203010001
# Display the public key of the current switch’s DSA key pair.
<Sysname> display public-key local dsa public
=====================================================
Time of Key pair created: 08:01:23 2000/04/02...
Description
Use the display public-key peer command to display information about locally saved public keys of SSH peers. If no key name is specified, the command displays detailed information about the locally saved public keys of all SSH peers.
Sometimes the public key modulus displayed with the display public-key peer command is one bit smaller than the actual modulus.
display rsa local-key-pair public
Syntax
display rsa local-key-pair public
View
Any view
Parameters
None
Description
Use the display rsa local-key-pair public command to display the public key part of the current switch’s RSA key pair(s).
If no key pair has been generated, the system prompts “% RSA keys not found”.
D0FC303F 51072D6C B5D0054D 3673EBA0 A4748984 5EBF6EBE CF6A13B1 C7858241 A2A9AA79 0203 010001
After you complete the RSA key pair generation task:
If the switch is working in SSH1-compatible mode, there should be two public keys generated (that is, the host public key and the server public key), and the display rsa local-key-pair public command should display those two public keys.
Type Module Name
---------------------------
1023 1024
# Display the information about public key “abcd”.
<Sysname> display rsa peer-public-key name abcd
=====================================
Key name  : abcd
Key type  : RSA
Key module: 1024
=====================================
Key Code:
30819F300D06092A864886F70D010101050003818D0030818902818100B0EEC8768E310AE2
EE44D65A2F944E2E6F32290D1ECBBFFF22AA11712151FC29F1C1CD6D7937723F77103576C4
1A03DB32F32C46DEDA68566E89B53CD4DF8F9899B138C578F7666BFB5E6FE1278A84EC8562
A12ACBE2A43AF61394276CE5AAF5AF01DA8B0F33E08335E0C3820911B90BF4D19085CADCE0
B50611B9F6696D31930203010001
display ssh server
Syntax
display ssh server { session | status }...
If you use the ssh server compatible-ssh1x enable command to configure the server to be compatible with SSH1.x clients, the SSH version will be displayed as 1.99. If you use the undo ssh server compatible-ssh1x command to configure the server to be not compatible with SSH1.x clients, the SSH version will be displayed as 2.0.
If an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for authentication. In case the authentication fails, you can use the display ssh server-info command to view whether the locally saved public key of the server is correct. Related commands: ssh client assign, ssh client first-time enable.
display ssh2 source-ip
Syntax
display ssh2 source-ip
View
Any view
Parameters
None
Description
Use the display ssh2 source-ip command to display the current source IP address or the IP address of the source interface specified for the SSH client.
If neither a source IP address nor a source interface is specified, the command displays 0.0.0.0.
peer-public-key end
Syntax
peer-public-key end
View
Public key view
Parameters
None
Description
Use the peer-public-key end command to return from public key view to system view.
Related commands: rsa peer-public-key, public-key-code begin, public-key peer.
Examples
# Exit public key view.
<Sysname>...
As SSH clients access the SSH server through VTY user interfaces, you need to configure the VTY user interfaces of the SSH server to support remote SSH login. If you have configured a user interface to support the SSH protocol, then to ensure a successful login to that user interface you must configure AAA authentication for it by using the authentication-mode scheme command.
The configuration of this command can survive a reboot. You only need to configure it once.
Related commands: public-key local destroy, display public-key local.
Examples
# Create an RSA key pair of 512 bits.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 1024]:512
Generating keys..++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..+..+........+..+.......+..+....+.....+...+..+....+..+..+....+..+...+..+..+..+....+..+......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++*
..
# Display the public key of the DSA key pair.
[Sysname]display public-key local dsa public
=====================================================
Time of Key pair created: 03:17:33...
Examples
# Destroy the RSA key pair of the current switch.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname]public-key local destroy dsa
% Confirm to destroy these keys? [Y/N]:y
..
# Destroy the DSA key pair of the current switch.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
Examples
# Generate an RSA key pair.
<Sysname> system-view
[Sysname] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 1024]:
Generating keys...
If you specify a filename, the public key will be exported to the file and the file will be saved. If you do not specify any filename, the public key will be displayed on the screen. SSH1, SSH2, and OpenSSH are three public key file formats. You can choose one as required. The host public key displayed on the screen is in a format that is not transformed and cannot be used as the public key data for public key configuration.
[Sysname] public-key local export dsa openssh key.pub
public-key peer
Syntax
public-key peer keyname
undo public-key peer keyname
View
System view
Parameters
keyname: Name of the public key, a string of 1 to 64 characters.
Description
Use the public-key peer command to enter public key view.
Use the undo public-key peer command to delete the configuration of the peer public key.
Parameters
keyname: Name of the public key, a string of 1 to 64 characters.
filename: Name of a public key file, a string of 1 to 142 characters. For file naming rules, refer to File System Management Command.
Description
Use the public-key peer import sshkey command to import a peer public key from the public key file.
Examples
# Enter public key edit view and input a public key.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rsa peer-public-key Switch003
RSA public key view: return to System View with "peer-public-key end".
[Sysname-rsa-public-key] public-key-code begin
RSA key code view: return to last view with "public-key-code end".
[Sysname-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[Sysname-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[Sysname-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[Sysname-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[Sysname-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[Sysname-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[Sysname-rsa-key-code] public-key-code end
[Sysname-rsa-public-key]
rsa local-key-pair create
Syntax
rsa local-key-pair create
View
System view
Parameters
None
Description
Use the rsa local-key-pair create command to generate an RSA key pair for the current switch.
Note that:
After entering this command, you will be prompted to provide the length of the key pair.
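The Key code strings printed by display public-key local and display rsa peer-public-key, and the key code typed into key code view above, are DER-encoded RSA public keys (the display commands wrap the key in a SubjectPublicKeyInfo; key code view takes the bare RSAPublicKey SEQUENCE). The following is an added example, not from the manual or from H3C, that parses such a hex string with a small hand-written DER walker so the true modulus size can be checked before a peer key is imported or a local key is trusted; the sample input is the manual's own Sysname_Server key code.

```python
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # OID 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_rsa_key_code(key_code_hex):
    """Return (modulus, exponent) from the hex Key code shown or entered on the switch.

    Whitespace is ignored; both the SubjectPublicKeyInfo form that display commands
    print and the bare RSAPublicKey SEQUENCE { n, e } typed in key code view are accepted.
    """
    der = bytes.fromhex(re.sub(r"\s+", "", key_code_hex))
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one SEQUENCE covering the whole key code")
    if body[0] == 0x02:                                # bare RSAPublicKey
        rsa_key = body
    else:                                              # SubjectPublicKeyInfo wrapper
        tag, alg_id, pos = _read_tlv(body, 0)          # AlgorithmIdentifier
        if tag != 0x30:
            raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
        oid_tag, oid, _ = _read_tlv(alg_id, 0)
        if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
            raise ValueError("algorithm is not rsaEncryption")
        tag, bit_string, _ = _read_tlv(body, pos)      # subjectPublicKey BIT STRING
        if tag != 0x03 or bit_string[0] != 0:          # first byte = unused bit count
            raise ValueError("malformed subjectPublicKey BIT STRING")
        tag, rsa_key, _ = _read_tlv(bit_string, 1)     # RSAPublicKey SEQUENCE
        if tag != 0x30:
            raise ValueError("RSAPublicKey is not a SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(rsa_key, 0)        # modulus INTEGER
    tag_e, e_bytes, _ = _read_tlv(rsa_key, pos)        # publicExponent INTEGER
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_rsa_key(key_code_hex, min_bits=2048):
    """Return (bits, exponent, ok): exact modulus size and whether it meets min_bits.
    The size comes from the parsed integer, not the displayed "Key module" value,
    which the manual notes can be one bit too small."""
    n, e = parse_rsa_key_code(key_code_hex)
    return n.bit_length(), e, n.bit_length() >= min_bits


# Server public key exactly as printed in the manual's display public-key local
# rsa public example (Key name: Sysname_Server); it turns out to be only 768 bits.
SERVER_KEY_CODE = (
    "307C300D06092A864886F70D0101010500036B003068026100BC86D8F08E101461C1231B12"
    "2777DBE777645C81C569C004EC2FEC03C205CC7E3B5DAA38DD865C6D1FB61C91B85ED63C6F"
    "35BAFBF9A6D2D2989C20051FF8FA31A14FCF73EC1485422E5B800B55920FC121329020E82F"
    "2945FFAD81BE72663BF70203010001"
)

if __name__ == "__main__":
    bits, e, ok = check_rsa_key(SERVER_KEY_CODE)
    print(f"modulus {bits} bits, e={e}, meets 2048-bit policy: {ok}")  # 768, 65537, False
```

Run against the Switch003 key entered in key code view above, the parser reports a 1023-bit modulus with exponent 37, which is the origin of the "1023" entry in the key listing further up.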
Parameters
None
Description
Use the rsa local-key-pair destroy command to destroy the current switch’s RSA key pair.
Related commands: rsa local-key-pair create.
Examples
# Destroy the current switch’s RSA key pair.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rsa local-key-pair destroy
% The local-key-pair will be destroyed.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rsa peer-public-key Switch002
RSA public key view: return to System View with "peer-public-key end".
[Sysname-rsa-public-key]
rsa peer-public-key import sshkey
Syntax
rsa peer-public-key keyname import sshkey filename
undo rsa peer-public-key keyname
View
System view
Parameters...
Examples
# Transform the format of client public key file abc and configure a public key named 123.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rsa peer-public-key 123 import sshkey abc
ssh authentication-type default
Syntax
ssh authentication-type default { all | password | password-publickey | publickey | rsa }
undo ssh authentication-type default
View
System view...
If a pair of SSH peers are both switches that support both DSA and RSA, you must configure the DSA public key of the server on the client.
Related command: ssh client first-time enable.
Examples
# Specify the name of the DSA public key of the server (whose IP address is 192.168.0.1) as pub.ppk on the client.
Examples
# Disable the client from running first-time authentication.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo ssh client first-time
ssh server authentication-retries
Syntax
ssh server authentication-retries times
undo ssh server authentication-retries
View
System view
Parameters
times: Authentication retry times, in the range of 1 to 5.
undo ssh server compatible-ssh1x
View
System view
Parameters
None
Description
Use the ssh server compatible-ssh1x enable command to make the server compatible with SSH1.x clients.
Use the undo ssh server compatible-ssh1x command to make the server incompatible with SSH1.x clients.
By default, the server is compatible with SSH1.x clients.
Related commands: display ssh server.
Examples
# Configure the server to update its keys every 3 hours.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ssh server rekey-interval 3
ssh server timeout
Syntax
ssh server timeout seconds
undo ssh server timeout
View
System view
Parameters...
the string before the @ sign) cannot be more than 55 characters, and the domain name part cannot be more than 128 characters.
Description
Use the ssh user command to create an SSH user.
Use the undo ssh user command to delete a specified SSH user.
An SSH user created with this command uses the default authentication type specified by the ssh authentication-type default command.
Parameters
username: SSH user name, a string of 1 to 184 characters. It cannot contain any of these characters: slash (/), backslash (\), colon (:), asterisk (*), question mark (?), less than sign (<), greater than sign (>), and the vertical bar sign (|). In addition, the @ sign can appear at most once, the username part (that is, the string before the @ sign) cannot be more than 55 characters, and the domain name part cannot be more than 128 characters.
Parameters
username: SSH user name, a string of 1 to 184 characters. It cannot contain any of these characters: slash (/), backslash (\), colon (:), asterisk (*), question mark (?), less than sign (<), greater than sign (>), and the vertical bar sign (|). In addition, the @ sign can appear at most once, the username part (that is, the string before the @ sign) cannot be more than 55 characters, and the domain name part cannot be more than 128 characters.
[Sysname] display ssh user-information
Username    Authentication-type    User-public-key-name    Service-type
            publickey              null                    stelnet
ssh user service-type
Syntax
ssh user username service-type { stelnet | sftp | all }
undo ssh user username service-type
View
System view
Parameters
username: SSH user name, a string of 1 to 184 characters. It cannot contain any of these characters: slash (/), backslash (\), colon (:), asterisk (*), question mark (?), less than sign (<), greater than sign (>), and the vertical bar sign (|).
des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] *
View
System view
Parameters
host-ip: Server IP address.
host-name: Server name, a string of 1 to 20 characters.
port-num: Server port number.
Note that when logging into the SSH server using publickey authentication, an SSH client needs to read its own private key for authentication. As two algorithms (RSA and DSA) are available, the identity-key keyword must be used to specify one algorithm in order to get the correct private key.
Examples
# Log into SSH server 10.214.50.51 with: dh_exchange_group as the preferred key exchange algorithm,...
View
System view
Parameters
ip-address: Source IP address.
Description
Use the ssh2 source-ip command to specify a source IP address for the SSH client. If the specified IP address is not an address of the device, the command fails.
Use the undo ssh2 source-ip command to cancel the source IP address setting. Then, a local device address determined by the system is used to access an SSH server.
ssh-server source-ip
Syntax
ssh-server source-ip ip-address
undo ssh-server source-ip
View
System view
Parameters
ip-address: IP address to be set as the source IP address.
Description
Use the ssh-server source-ip command to specify a source IP address for the SSH server. If the specified IP address is not an IP address of the device, the command fails.
File System Management Configuration Commands
The S3600 series Ethernet switches support Intelligent Resilient Framework (IRF), and allow you to access a file on a switch in one of the following ways:
To access a file on the specified unit, you need to specify the file in universal resource locator (URL) format, starting with unit[No.]>flash:/, where [No.] represents the unit ID of the switch.
Parameters
directory: Target directory.
Description
Use the cd command to enter a specified directory on the Ethernet switch.
The default directory when a user logs onto the switch is the root directory of Flash memory.
Examples
# Enter the directory test from the root directory.
<Sysname>...
%Copy file unit1>flash:/config.cfg to unit1>flash:/test/config.cfg...Done.
delete
Syntax
delete [ /unreserved ] file-url
delete { running-files | standby-files } [ /fabric ] [ /unreserved ]
View
User view
Parameters
/unreserved: Specifies to delete a file completely.
file-url: Path name or file name of a file in the Flash memory. You can use the * character in this argument as a wildcard.
Delete the running config file? [Y/N]:
Delete the running web file? [Y/N]:
Delete the backup image file? [Y/N]:
Delete the backup config file? [Y/N]:
Delete the backup web file? [Y/N]:
The corresponding files will be deleted after you choose yes. For deleted files whose names are the same, only the latest deleted file is stored in the recycle bin and can be restored.
View
User view
Parameters
/all: Specifies to display the information about all the files, including those stored in the recycle bin.
/fabric: Specifies to display the information about all the specified files in the fabric.
file-url: Path name or the name of a file in the Flash memory. You can use the * character as a wildcard. For example, the dir *.txt command displays the information about all the files with the extension .txt in the current directory.
15367 KB total (3720 KB free)
(*) -with main attribute   (b) -with backup attribute   (*b) -with both main and backup attribute
# Display information about all the files (including the files in the recycle bin) in the root directory of the file system of the fabric.
Parameters
filename: Batch file, with the extension .bat.
Description
Use the execute command to execute the specified batch file. Executing a batch file runs the commands in the batch file one by one.
Note that:
A batch file cannot contain any invisible character. If any invisible character is found, the system aborts the execution of the batch file: the remaining commands in the batch file are not executed, but the operations already executed are not cancelled.
If the prompt mode is set to alert, the following messages will be displayed when you delete a file:
<Sysname> delete unit1>flash:/te.txt
Delete unit1>flash:/te.txt?[Y/N]:y
..
%Delete file unit1>flash:/te.txt...Done.
The system waits for you to confirm for 30 seconds. If you do not input any confirmation in 30 seconds, the system cancels this file operation, as shown in the following:
<Sysname>...
format
Syntax
format device
View
User view
Parameters
device: Name of a device.
Description
Use the format command to format the Flash memory. The format operation clears all the files on the Flash memory, and the operation is irretrievable.
Examples
# Format the Flash memory.
To use this command to create a subdirectory, the specified parent directory must exist. For instance, to create subdirectory flash:/test/mytest, the test directory must exist. Otherwise, you will fail to create the subdirectory.
Examples
# Create a directory in the current directory, with the name being test.
<Sysname>...