This documentation is intended for:
Network planners
Field technical support and servicing engineers
Network administrators working with the S3100 series
Organization
H3C S3100 Series Ethernet Switches Command Reference-Release 22XX Series is organized as follows:
Part: Description
01-CLI Commands: CLI configuration commands...
Part: Description
09-Port Basic Configuration Commands: Port basic configuration commands
10-Port Aggregation Commands: Port aggregation configuration commands
11-Port Isolation Commands: Port isolation configuration commands
12-Port Security-Port Binding Commands: Port security commands; port binding commands (applicable only to the S3100-EI series)
13-DLDP Commands: DLDP configuration commands (applicable only to the S3100-EI series)
14-MAC Address Table...
CFD configuration commands (applicable only to the S3100-EI series)
Software Version
H3C S3100 Series Ethernet Switches Operation Manual-Release 22XX Series and H3C S3100 Series Ethernet Switches Command Manual-Release 22XX Series are for the software version Release 22XX Series of the S3100-SI series and S3100-EI series switches.
Software version: Release 2108P04
Added commands compared with the earlier version, by part:
cluster-snmp-agent usm-user v3
36-VLAN Mapping Commands: vlan-mapping n-to-1; dhcp-snooping information ignore-vlanmapping
38-IPv6 Management Commands: dhcp-snooping ipv6 information enable; dhcp-snooping ipv6 information option { 18 | 37 }; dhcp-snooping ipv6 information remote-id { ipv4-address ipv4-address | ipv6-address ipv6-address | string string | sysname }
Ethernet OAM commands (applicable only to the...
Software version: Release 2108P04
Part: 20-Web Authentication Commands
Added commands compared with the earlier version (applicable only to the S3100-EI series): web-authentication customize, web-authentication cut connection, web-authentication enable, web-authentication free-ip, web-authentication free-user, web-authentication max-connection, web-authentication protocol, web-authentication select method, web-authentication timer idle-cut, web-authentication timer max-online, web-authentication web-server, display...
Software version: Release 2108P04
Added commands compared with the earlier version, by part:
ARP/IP attack defense based on 802.1x commands (applicable only to the S3100-EI series)
42-LLDP Commands: LLDP commands
43-PKI Commands: PKI commands
44-SSL Commands: SSL commands
45-HTTPS Commands: HTTPS commands
Compared with Release 21XX Series, some commands are extended in Release 22XX Series.
Means an action or information that needs special attention to ensure successful configuration or good performance.
Means a complementary description.
Means techniques helpful for you to make configuration with ease.
About the H3C S3100 Documentation Set
The H3C S3100 documentation set includes:
Category Documents...
Obtaining Documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] –...
Parameters level level: Command level to be set, in the range of 0 to 3. view view: CLI view. It can be any CLI view that the Ethernet switch supports. The S3100 series support only the CLI views listed in...
CLI view: Description
hwtacacs: HWTACACS view
ipv6-mvlan: IPv6 multicast VLAN view, which is supported by only the S3100-EI series
ISP domain view
Scheduled task view
loopback: Loopback interface view
luser: Local user view
manage-vlan: Management VLAN view
mld-snooping: MLD snooping view, which is supported by only the S3100-EI series
mst-region...
Commands fall into four levels: visit (level 0), monitor (level 1), system (level 2), and manage (level 3). The administrator can change the level of a command as required. For example, the administrator can change a command from a higher level to a lower level so that the lower level users can use the command.
[Sysname] command-privilege level 0 view shell tftp
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm
# Restore the default level of the tftp get command. To restore the default levels of the commands starting with the tftp keyword, you only need to specify the tftp keyword.
Description Use the super command to switch from the current user level to a specified level. Executing this command without the level argument will switch the current user level to level 3 by default. Note that: Users logged into the switch fall into four user levels, which correspond to the four command levels respectively.
Description Use the super authentication-mode command to specify the authentication mode used for low-to-high user level switching. Use the undo super authentication-mode command to restore the default. By default, super password authentication is adopted for low-to-high user level switching. Note that the two authentication modes, super password authentication and HWTACACS authentication, are available at the same time to provide authentication redundancy.
Input a plain-text password, that is, a string of 1 to 16 characters, which will be automatically converted into a 24-character cipher-text password. Directly input a cipher-text password, that is, a string of 1 to 24 characters, which must correspond to a plain-text password.
Login Commands
Login Commands
authentication-mode
Syntax
authentication-mode { password | scheme [ command-authorization ] | none }
View
User interface view
Parameters
none: Specifies not to authenticate users.
password: Authenticates users using the local password.
scheme: Authenticates users locally or remotely using usernames and passwords.
command-authorization: Performs command authorization on TACACS authentication server.
To improve security and prevent attacks on unused sockets, TCP 23 and TCP 22 (the ports for the Telnet and SSH services, respectively) are enabled or disabled according to the corresponding configuration. If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled. If the authentication mode is password and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled.
auto-execute command Syntax auto-execute command text undo auto-execute command View VTY user interface view Parameters text: Command to be executed automatically. Description Use the auto-execute command command to set the command that is executed automatically after a user logs in. Use the undo auto-execute command command to disable the specified command from being automatically executed.
Note that these two commands apply to users logging in through the console port and by means of Telnet.
Examples
# Disable copyright information displaying.
**************************************************************************
* Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,
* no decompiling or reverse-engineering shall be allowed.
**************************************************************************
<Sysname> system-view
System View: return to User View with Ctrl+Z.
Use the undo databits command to revert to the default databits. The default databits is 8. This command takes effect on AUX user interfaces only. The databits setting on the terminal and that on the device user interface must be the same for communication.
Type Tx/Rx Modem Privi Auth Super AUX 0 9600 : Current user-interface is active. : Current user-interface is active and work in async mode. : Absolute index of user-interface. Type : Type and relative index of user-interface. Privi: The privilege of user-interface. Auth : The authentication mode of user-interface.
# Display the summary information about the user interface. <Sysname> display user-interface summary User interface type : [AUX] User interface type : [VTY] 1:UXXX X 1 character mode users. 5 UI never used. 1 total UI in use Table 1-2 display user-interface summary command output description Field Description User interface type...
Examples # Display the user information about the current user interface. <Sysname> display users Delay Type Ipaddress Username Userlevel VTY 0 00:00:00 192.168.0.208 : Current operation user. : Current operation user work in async mode. Table 1-3 display users command output description Field Description The numbers in the left sub-column are the absolute user interface...
Table 1-4 display web users command output description Field Description ID of a Web user Name Name of a Web user Language Language a Web user uses Level Level of a Web user Login Time Time when a Web user logs in Last Req.
<Sysname> free user-interface vty 0
Are you sure you want to free user-interface vty0 [Y/N]? y
[OK]
After you perform the above operation, the user connection on user interface VTY0 is torn down. The user in it must log in again to connect to the switch.
header
Syntax
header [ incoming | legal | login | shell ] text...
# Test the configuration remotely using Telnet. (only when login authentication is configured can the login banner be displayed).
**************************************************************************
* Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,
* no decompiling or reverse-engineering shall be allowed.
Welcome to legal! Press Y or ENTER to continue, N to exit. Welcome to login! Login authentication Password: Welcome to shell! <Sysname> history-command max-size Syntax history-command max-size value undo history-command max-size View User interface view Parameters value: Size of the history command buffer, ranging from 0 to 256 (in terms of commands). Description Use the history-command max-size command to set the size of the history command buffer of the current user interface.
idle-timeout Syntax idle-timeout minutes [ seconds ] undo idle-timeout View User interface view Parameters minutes: Number of minutes. This argument ranges from 0 to 35,791. seconds: Number of seconds. This argument ranges from 0 to 59. Description Use the idle-timeout command to set the timeout time. The connection to a user interface is terminated if no operation is performed in the user interface within the timeout time.
To improve security and prevent attacks on unused sockets, TCP port 80 for the HTTP service is enabled or disabled according to the corresponding configuration. TCP port 80 is enabled only after you use the undo ip http shutdown command to enable the Web server.
Note that if you set a password containing more than 16 characters, the system matches only the first 16 characters of the password entered for unlocking the user interface. That is, the system unlocks the user interface as long as the first 16 characters of the password entered are correct. By default, the current user interface is not locked.
Examples
# Set to perform even checks.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] parity even
protocol inbound
Syntax
protocol inbound { all | ssh | telnet }
View
VTY user interface view
Parameters
all: Supports both Telnet protocol and SSH protocol.
To configure a user interface to support SSH, you need to set the authentication mode to scheme for users to log in successfully. If the authentication mode is set to password or none for login users, the protocol inbound ssh command will fail. Refer to the authentication-mode command for the related configuration.
View User view Parameters all: Sends messages to all user interfaces. type: User interface type, which can be AUX (for AUX user interface) and VTY (for VTY user interface). number: User interface index. A user interface index can be relative or absolute. In relative user interface index scheme, the type argument is required.
terminal: Makes terminal services available to users logging in through the console port. level level: Specifies the user level for Telnet users, Terminal users, or SSH users. The level argument ranges from 0 to 3 and defaults to 0. Description Use the service-type command to specify the login type and the corresponding available command level.
set authentication password
Syntax
set authentication password { cipher | simple } password
undo set authentication password
View
User interface view
Parameters
cipher: Specifies to save the local password in cipher text.
simple: Specifies to save the local password in plain text.
password: Password to be set.
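An added example (not from the H3C manual): a small Python audit of the user-interface section of a saved configuration, flagging the settings that the authentication-mode, protocol inbound and set authentication password descriptions call out. The sample configuration, the function names and the finding names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the user-interface section that
# display saved-configuration prints; the password and layout are made up.
SAMPLE_CONFIG = """\
#
user-interface aux 0
user-interface vty 0 1
 authentication-mode none
 user privilege level 3
user-interface vty 2
 authentication-mode password
 set authentication password simple Example123
 protocol inbound ssh
user-interface vty 3 4
 authentication-mode scheme
 protocol inbound ssh
#
return
"""

HEADER = re.compile(r"^user-interface\s+(aux|vty)\s+(\d+)(?:\s+(\d+))?\s*$", re.I)


def parse_user_interfaces(config_text):
    """Return one dict per user-interface block with the settings found in it."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        match = HEADER.match(raw)
        if match:
            kind, first, last = match.groups()
            name = f"{kind.lower()} {first}" + (f"-{last}" if last else "")
            current = {"name": name, "kind": kind.lower(), "auth": None,
                       "level": None, "inbound": None,
                       "password_set": False, "plain_pw": False}
            blocks.append(current)
        elif current is not None and raw[:1].isspace():
            words = raw.split()
            if words[:1] == ["authentication-mode"] and len(words) > 1:
                current["auth"] = words[1]
            elif (words[:3] == ["user", "privilege", "level"]
                  and len(words) > 3 and words[3].isdigit()):
                current["level"] = int(words[3])
            elif words[:2] == ["protocol", "inbound"] and len(words) > 2:
                current["inbound"] = words[2]
            elif (words[:3] == ["set", "authentication", "password"]
                  and len(words) > 4):
                current["password_set"] = True
                current["plain_pw"] = words[3] == "simple"
        else:
            current = None  # any unindented line ends the current block
    return blocks


def audit(config_text):
    """Return sorted (interface, finding) pairs for risky login settings."""
    findings = []
    for ui in parse_user_interfaces(config_text):
        auth = ui["auth"]
        if auth == "none":
            # No login authentication; level 3 is the manage level.
            code = "NO_AUTH_MANAGE_LEVEL" if ui["level"] == 3 else "NO_AUTH"
            findings.append((ui["name"], code))
        if ui["plain_pw"]:
            # "simple" saves the local password in plain text.
            findings.append((ui["name"], "PLAINTEXT_PASSWORD"))
        if ui["kind"] == "vty":
            # Manual: with mode none, or password plus a set password,
            # TCP 23 (Telnet) is enabled and TCP 22 (SSH) is disabled.
            if auth == "none" or (auth == "password" and ui["password_set"]):
                findings.append((ui["name"], "TELNET_ON_SSH_OFF"))
            # Manual: protocol inbound ssh fails unless the mode is scheme.
            if ui["inbound"] == "ssh" and auth in ("none", "password"):
                findings.append((ui["name"], "SSH_NEEDS_SCHEME"))
    return sorted(findings)


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Blocks that carry no explicit authentication-mode line are not flagged, because the device default then applies and this example does not assume it.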
undo shell View User interface view Parameters None Description Use the shell command to enable terminal services. Use the undo shell command to disable terminal services. By default, terminal services are disabled in all user interfaces. Note the following when using the undo shell command: Terminal services cannot be disabled in AUX user interfaces.
Execute these two commands in AUX user interface view only. By default, the stopbits is 1. The S3100 series do not support communication with a terminal emulation program with stopbits set to 1.5. Changing the stop bits value of the switch to a value different from that of the terminal emulation utility does not affect the communication between them.
Trying 129.102.0.1 ...
Press CTRL+K to abort
Connected to 129.102.0.1 ...
**************************************************************************
* Copyright(c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent,
* no decompiling or reverse-engineering shall be allowed.
**************************************************************************
<SwitchB>...
Trying 3001::1 ...
Press CTRL+K to abort
Connected to 3001::1 ...
**************************************************************************
* Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,
* no decompiling or reverse-engineering shall be allowed.
**************************************************************************
<Sysname>...
In relative user interface index scheme, the type argument is required. In this case, the AUX user interface is numbered AUX0; VTY user interfaces are numbered from VTY0 through VTY4. In absolute user interface index scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 5.
Manage level: Commands at this level are for the operation of the entire system and the system supporting modules. Services are supported by these commands. Commands concerning file system, file transfer protocol (FTP), trivial file transfer protocol (TFTP), downloading using XModem, user management, and level setting are at administration level.
Commands for User Control
Commands for Controlling Logging in Users
Syntax
acl acl-number { inbound | outbound }
undo acl acl-number { inbound | outbound }
View
User interface view
Parameters
acl-number: ACL number. This argument can identify different types of ACLs, as listed below.
2000 to 2999, for basic ACLs
3000 to 3999, for advanced ACLs
4000 to 4999, for Layer 2 ACLs...
Parameters all: Specifies all Web users. user-id: Web user ID, an eight-digit hexadecimal number. user-name: User name of the Web user. This argument can contain 1 to 80 characters. Description Use the free web-users command to disconnect a specified Web user or all Web users by force. Examples # Disconnect all Web users by force.
Parameters read: Specifies that the community has read-only permission in the specified view. write: Specifies that the community has read/write permission in the specified view. community-name: Community name, a string of 1 to 32 characters. acl acl-number: Specifies an ACL number for the community. The acl-number argument ranges from 2000 to 2999.
group-name: Group name. This argument can be of 1 to 32 characters. authentication: Specifies to authenticate SNMP data without encrypting the data. privacy: Authenticates and encrypts packets. read-view: Name of the view to be set to read-only. This argument can be of 1 to 32 characters. write-view: Name of the view to be set to readable &...
group-name: Name of the group to which the user corresponds. This argument is a string of 1 to 32 characters. cipher: Specifies the authentication or encryption password to be in ciphertext. authentication-mode: Requires authentication. If this keyword is not provided, neither authentication nor encryption is performed.
Configuration File Management Commands
S3100 series Ethernet switches allow you to input a file path and file name in one of the following ways: In universal resource locator (URL) format, starting with “unit1>flash:/” or “flash:/”. This method is used to specify a file in the current Flash memory. For example, the URL of a file named text.txt in the root directory of the switch is unit1>flash:/text.txt or flash:/text.txt.
interface-number: Port/interface number. by-linenum: Displays configuration information with line numbers. |: Uses a regular expression to filter the configuration of the switch to be displayed. By specifying a regular expression, you can locate and query the needed information quickly. regular-expression: A regular expression, case sensitive. It supports the following match rules: begin: Displays the line that matches the regular expression and all the subsequent lines.
Examples
# Display configuration information about all the interfaces on the current switch.
<Sysname> display current-configuration interface
interface Vlan-interface1
 ip address 192.168.0.241 255.255.255.0
interface Aux1/0/0
interface Ethernet1/0/1
 port link-aggregation group 1
interface Ethernet1/0/2
interface Ethernet1/0/3
interface Ethernet1/0/4
interface Ethernet1/0/5
interface Ethernet1/0/6
interface Ethernet1/0/7
interface Ethernet1/0/8
interface Ethernet1/0/9...
interface Ethernet1/0/21
interface Ethernet1/0/22
interface Ethernet1/0/23
interface Ethernet1/0/24
interface GigabitEthernet1/1/1
interface GigabitEthernet1/1/2
 shutdown
interface GigabitEthernet1/2/1
interface GigabitEthernet1/2/2
 shutdown
interface NULL0
interface LoopBack0
return
# Display the lines that include the strings matching 10* in the configuration information. (The character * means that the character 0 in the string before it can appear multiple times or does not appear.)
<Sysname>...
display saved-configuration Syntax display saved-configuration [ unit unit-id ] [ by-linenum ] View Any view Parameters unit unit-id: Specifies the unit ID of a switch. It only can be 1. by-linenum: Displays configuration information with line numbers. Description Use the display saved-configuration command to display the initial configuration file of a switch. Note that: If the switch starts up without a configuration file, the system will display that no configuration file exists upon execution of the command.
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
return
The configuration information output above in turn is the system configuration, logical interface configuration, physical port configuration, and user interface configuration.
display startup
Syntax
display startup [ unit unit-id ]
View
Any view
Parameters...
display this Syntax display this [ by-linenum ] View Any view Parameters by-linenum: Displays configuration information with line numbers. Description Use the display this command to display the current configuration performed in the current view. To verify the configuration performed in a view, you can use this command to display the parameters that are valid in the current view.
Description Use the reset saved-configuration command to erase the configuration file saved in the Flash of a switch. The following two situations exist: While the reset saved-configuration [ main ] command erases the configuration file with main attribute, it only erases the main attribute of a configuration file having both main and backup attribute.
S3100 series Ethernet switches do not support the safe mode. When you are saving a configuration file using the save safely command, if the device reboots or the power fails during the saving process, the configuration file will be lost.
Now saving current configuration to the device.
Saving configuration. Please wait....
Unit1 save configuration flash:/123.cfg successfully
startup saved-configuration
Syntax
startup saved-configuration cfgfile [ backup | main ]
undo startup saved-configuration [ unit unit-id ]
View
User view
Parameters
cfgfile: Path name or file name of a configuration file in the Flash, a string of 5 to 56 characters.
backup: Specifies the configuration file to be the backup configuration file.
Table of Contents
1 VLAN Configuration Commands
VLAN Configuration Commands
description
display interface Vlan-interface
display vlan
interface Vlan-interface
name
shutdown
vlan
Port-Based VLAN Configuration Commands
display port
port
port access vlan
port hybrid pvid vlan
port hybrid vlan
port link-type
port trunk permit vlan...
VLAN Configuration Commands VLAN Configuration Commands description Syntax description text undo description View VLAN view, VLAN interface view Parameters text: Case sensitive character string to describe the current VLAN or VLAN interface. Special characters and spaces are allowed. It has: 1 to 32 characters for a VLAN description.
display interface Vlan-interface Syntax display interface Vlan-interface [ vlan-id ] View Any view Parameters vlan-id: Specifies a VLAN interface number. Description Use the display interface Vlan-interface command to display information about the specified VLAN interface or all VLAN interfaces already created if no VLAN interface is specified. The output of this command shows the state, IP address, description and other information of a VLAN interface.
Field: Description
10.1.1.1/24 Primary: Primary IP address of this VLAN interface
Description: Description string of the VLAN interface
The Maximum Transmit Unit: Maximum transmission unit (MTU)
For information about how to configure an IP address for a VLAN interface, refer to the description on the ip address command in the IP Address and Performance Command part.
Description: VLAN 0001
Name: VLAN 0001
Tagged Ports: Ethernet1/0/1
Untagged Ports: Ethernet1/0/2
Table 1-2 Description on the fields of the display vlan command
Field: Description
VLAN ID: VLAN ID.
VLAN Type: VLAN type (dynamic or static).
Route Interface: Indicates whether the VLAN interface of the VLAN is configured with an IP address for routing.
For the S3100-SI series switch, create the VLAN interface for the management VLAN on a switch operating as the management device in a cluster, make sure that the management VLAN ID is consistent with the cluster management VLAN ID configured with the management-vlan vlan-id command.
shutdown Syntax shutdown undo shutdown View VLAN interface view Parameters None Description Use the shutdown command to administratively shut down the VLAN interface. Use the undo shutdown command to bring up the VLAN interface. By default, a VLAN interface is administratively enabled. In this case, the physical state of the VLAN interface is affected by that of the ports in the VLAN.
Parameters vlan-id1: Specifies the ID of the VLAN you want to create or remove, in the range of 1 to 4094. to vlan-id2: In conjunction with vlan-id1, specify a VLAN ID range you want to create or remove. The vlan-id2 argument takes a value in the range of 1 to 4094, and must not be less than that of vlan-id1. all: Creates or removes all existing VLANs except those configured with other functions.
The above output information indicates that VLAN 7 (the voice VLAN) cannot be removed, while the other VLANs are removed successfully. Port-Based VLAN Configuration Commands display port Syntax display port { hybrid | trunk } View Any view Parameters hybrid: Displays hybrid ports. trunk: Displays trunk ports.
The command applies to access ports only. For information about how to assign trunk or hybrid ports to a VLAN or remove them from a VLAN, refer to the port hybrid vlan command and the port trunk permit vlan command. For port type configuration, refer to the command .
port hybrid pvid vlan Syntax port hybrid pvid vlan vlan-id undo port hybrid pvid View Ethernet port view Parameters vlan-id: Specifies the default VLAN ID of the current hybrid port, in the range of 1 to 4094. The specified VLAN can be one already created or not. Description Use the port hybrid pvid vlan command to set the default VLAN ID of the hybrid port.
of vlan-id1 to vlan-id2). Specify each VLAN ID in the range of 1 to 4094 and ensure that vlan-id2 is no less than vlan-id1. The total number of individual VLAN IDs and VLAN ID ranges defined in the list must not exceed 10.
To change the link type of a port from hybrid to trunk or vice versa, you need to change the link type to access first.
Examples
# Configure Ethernet 1/0/1 as a trunk port.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
port trunk permit vlan...
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] port trunk permit vlan 2 4 50 to 100
Please wait... Done.
port trunk pvid vlan
Syntax
port trunk pvid vlan vlan-id
undo port trunk pvid
View
Ethernet port view
Parameters...
MAC Address-Based VLAN Configuration Commands The contents of this chapter are only applicable to the S3100-EI series among S3100 series switches. display mac-vlan Syntax display mac-vlan { all | dynamic | static | vlan vlan-id } View Any view Default Level...
Field: Description
VLAN ID: VLAN ID of a MAC address-to-VLAN entry
PRIO: 802.1p priority corresponding to the MAC address of a MAC address-to-VLAN entry
STATE: The state of a MAC address-to-VLAN entry, which can be: S, indicating that the MAC address-to-VLAN entry is configured statically. D, indicating that the MAC address-to-VLAN entry is configured automatically through the authentication server...
Parameters None Description Use the mac-vlan enable command to enable MAC address-based VLAN on a port. Use the undo mac-vlan enable command to disable MAC address-based VLAN on a port. By default, MAC address-based VLAN is disabled on a port. Examples # Enable MAC address-based VLAN on Ethernet1/0/1.
The contents of this section are only applicable to the S3100-EI series among S3100 series switches. display protocol-vlan interface Syntax display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ] | all } View Any view Parameters interface-type interface-number: Specify a port by its type and number to display the protocol VLAN(s) bound with the port.
Field: Description
Protocol-type: Protocol type specified by the protocol template. Refer to the protocol-vlan command for detailed description.
display protocol-vlan vlan
Syntax
display protocol-vlan vlan { vlan-id1 [ to vlan-id2 ] | all }
View
Any view
Parameters
vlan-id1: Specifies a VLAN ID in the range of 1 to 4094, of which the protocol VLAN configuration information is to be displayed.
port hybrid protocol-vlan vlan Syntax port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-index-end ] | all } undo port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-index-end ] | all } View Ethernet port view Parameters vlan-id: Specifies the ID of the protocol VLAN bound with the port. The value range is 1 to 4094. At least one protocol template must have been configured for the VLAN.
Examples
# Bind Ethernet 1/0/1 with the protocols indexed from 0 to 2 of VLAN 3 (assuming that VLAN 3 is a protocol VLAN).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port hybrid protocol-vlan vlan 3 0 to 2
# Remove the binding between Ethernet 1/0/1 and protocols indexed from 1 to 4 of VLAN 3.
At present, the S3100 series support only the standard templates of AppleTalk and IP, the standard template of IPX encapsulated in Ethernet II format, and the user-defined templates matching the Ethernet II encapsulation format. Protocol templates matching 802.2/802.3 encapsulation formats and their extended encapsulation formats are not supported on the S3100 series currently.
Table of Contents
1 Static Route Configuration Commands
Static Route Configuration Commands
delete static-routes all
display ip routing-table
display ip routing-table acl
display ip routing-table ip-address
display ip routing-table ip-address1 ip-address2
display ip routing-table protocol
display ip routing-table radix
display ip routing-table statistics
display ip routing-table verbose
ip route-static...
Static Route Configuration Commands Static Route Configuration Commands delete static-routes all Syntax delete static-routes all View System view Parameter None Description Use the delete static-routes all command to delete all static routes. The system will request your confirmation before it deletes all the configured static routes. Related command: ip route-static and display ip routing-table.
Description Use the display ip routing-table command to display the summary information about the routing table. This command displays the summary information about a routing table, with the items of a routing entry contained in one line. The information displayed includes destination IP address/mask length, protocol, preference, cost, next hop and outbound interface.
Page 91
As this command displays the routes that match a specified basic ACL, you can use it to trace routing policies.
Example
# Display the summary information about the active routes that match ACL 2000.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255
[Sysname-acl-basic-2000] rule deny source any...
Field Description
Descriptions on the route state are as follows:
ActiveU: Valid unicast route. “U” stands for unicast.
Blackhole: Blackhole route is the same as reject route except that a router drops a packet traveling along a blackhole route without sending ICMP unreachable messages to the source of the packets.
Page 93
mask: Mask of the destination IP address, which can be in dotted decimal notation or be an integer ranging from 0 to 32. longer-match: Displays all the routes leading to the destination coupled with the default mask. verbose: Displays the detailed information about the active and inactive routes leading to the destination.
display ip routing-table ip-address1 ip-address2 Syntax display ip routing-table ip-address1 mask1 ip-address2 mask2 [ verbose ] View Any view Parameter ip-address1, ip-address2: Destination IP addresses in dotted decimal notation. ip-address1 and mask1, together with ip-address2 and mask2, determine an IP address range. The starting address of the IP address range is determined by the ip-address1 and mask1 arguments;...
verbose: Displays the detailed route information. If you do not specify this keyword, only the summary route information is displayed. Description Use the display ip routing-table protocol command to display the information about specified type of routes. Example # Display the summary information about all the direct routes. <Sysname>...
Description Use the display ip routing-table radix command to display the information about the routes in a routing table in a hierarchical way. Example # Display the information about the routes in a routing table in a hierarchical way. <Sysname> display ip routing-table radix Radix tree for INET (2) inodes 2 routes 2: +--8+--{127.0.0.0 +-32+--{127.0.0.1...
Page 97
Total
Table 1-4 Description on the fields of the display ip routing-table statistics command
Field Description
Proto: Routing protocol
route: Total number of routes
active: Number of the active routes that are currently in use
added: Number of the routes that are added to the routing table after the switch starts or the routing table is cleared last time
deleted: Number of the routes with deleted flags (this type of routes will be removed after a...
**Destination: 127.0.0.1 Mask: 255.255.255.255 Protocol: #DIRECT Preference: 0 *NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0) State: <NotInstall NoAdvise Int ActiveU Retain Gateway Unicast> Age: 57:12 Cost: 0/0 The statistics of the routing table are displayed first, and then the detailed descriptions of each route. Table 1-2 describes the route states and Table 1-5...
description text: Specifies a descriptive string for the static route. The text argument is a case-sensitive string of 1 to 60 characters (including the space). Description Use the ip route-static command to configure a static route. Use the undo ip route-static command to remove a static route. By default, the system can obtain the subnet route directly connected to the router.
Page 100
Routing tables:
Proto route active added deleted
DIRECT
STATIC
Total
# Clear the routing statistics of all protocols from the IP routing table.
<Sysname> reset ip routing-table statistics protocol all
This will erase the specific routing counters information. Are you sure?[Y/N]y
# Display the routing statistics in the IP routing table.
Page 101
Table of Contents
1 IP Address Configuration Commands
  IP Address Configuration Commands
    display ip interface
    display ip interface brief
    ip address
2 IP Performance Configuration Commands
  IP Performance Configuration Commands
    display fib
    display fib ip-address
    display fib acl
    display fib |
    display fib statistics
    display icmp statistics
    ...
IP Address Configuration Commands IP Address Configuration Commands display ip interface Syntax display ip interface [ interface-type interface-number ] View Any view Parameters interface-type interface-number: Specifies an interface by its type and number. Description Use the display ip interface command to display information about a specified or all Layer 3 interfaces.
Timestamp reply:
Information request:
Information reply:
Netmask request:
Netmask reply:
Unknown type:
Table 1-1 Description on the fields of the display ip interface command
Field Description
Vlan-interface1 current state: Current physical state of VLAN-interface 1
Line protocol current state: Current state of the link layer protocol
Internet Address: IP address of the interface
Directed broadcast address of the subnet attached...
Parameters interface-type: Interface type. interface-number: Interface number. Description Use the display ip interface brief command to display brief information about a specified or all Layer 3 interfaces. With no argument included, the command displays information about all layer 3 interfaces; with only the interface type specified, it displays information about all layer 3 interfaces of the specified type;...
Page 105
View VLAN interface view, loopback interface view Parameters ip-address: IP address, in dotted decimal notation. mask: Subnet mask, in dotted decimal notation. mask-length: Subnet mask length, the number of consecutive ones in the mask. It is in the range of 0 to Description Use the ip address command to specify an IP address and mask for a VLAN or loopback interface.
IP Performance Configuration Commands IP Performance Configuration Commands display fib Syntax display fib View Any view Parameters None Description Use the display fib command to display all forwarding information base (FIB) information. Examples # Display all FIB information. <Sysname> display fib Flag: U:Usable G:Gateway...
Table 2-1 Description on the fields of the display fib command
Field Description
Flag: Flags:
  U: A route is up and available.
  G: Gateway route
  H: Local host route
  B: Blackhole route
  D: Dynamic route
  S: Static route
  R: Rejected route
  E: Multi-path equal-cost route
  L: Route generated by ARP or ESIS
Destination/Mask...
Examples # Display FIB entry information which matches destination 12.158.10.0 and has a mask length no less than eight. <Sysname> display fib 12.158.10.0 longer Route Entry Count: 1 Flag: U:Usable G:Gateway H:Host B:Blackhole D:Dynamic S:Static R:Reject E:Equal cost multi-path L:Generated by ARP or ESIS Destination/Mask Nexthop Flag TimeStamp...
Parameters None Description Use the display fib statistics command to display the total number of FIB entries. Examples # Display the total number of FIB entries. <Sysname> display fib statistics Route Entry Count : 8 display icmp statistics Syntax display icmp statistics View Any view Parameters...
Table 2-2 Description on the fields of the display icmp statistics command
Field Description
bad formats: Number of received wrong format packets
bad checksum: Number of received wrong checksum packets
echo: Number of received echo packets
destination unreachable: Number of received destination unreachable packets
source quench...
Page 112
task-id: ID of a task, with the value ranging from 1 to 100. socket-id: ID of a socket, with the value ranging from 0 to 3072. Description Use the display ip socket command to display socket information. Examples # Display the information about the socket of the TCP type. <Sysname>...
display ip statistics Syntax display ip statistics View Any view Parameters None Description Use the display ip statistics command to display the statistics about IP packets. Related commands: display ip interface, reset ip statistics. Examples # Display the statistics about IP packets. <Sysname>...
Field Description
Output:
forwarding: Total number of IP packets forwarded by the local device
local: Total number of IP packets initiated from the local device
dropped: Total number of IP packets discarded
no route: Total number of IP packets for which no route is available
compress fails: Total number of IP packets failed to compress
input...
Page 115
packets received after close: 0 ACK packets: 481 (8776 bytes) duplicate ACK packets: 7, too much ACK packets: 0 Sent packets: Total: 665 urgent packets: 0 control packets: 5 (including 1 RST) window probe packets: 0, window update packets: 2 data packets: 618 (8770 bytes) data packets retransmitted: 0 (0 bytes) ACK-only packets: 40 (28 delayed) Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0...
Field Description
Sent packets:
Total: Total number of packets sent
urgent packets: Number of urgent packets sent
control packets: Number of control packets sent; in brackets are retransmitted packets
window probe packets: Number of window probe packets sent; in the brackets are resent packets
window update packets: Number of window update packets sent...
Description Use the display tcp status command to display the state of all the TCP connections so that you can monitor TCP connections in real time. Examples # Display the state of all the TCP connections. <Sysname> display tcp status *: TCP MD5 Connection TCPCB Local Add:port...
total broadcast or multicast packets : 25006 no socket broadcast or multicast packets: 24989 not delivered, input socket full: 0 input packets missing pcb cache: 1314 Sent packets: Total: 7187 Table 2-7 Description on the fields of the display udp statistics command Field Description Total...
Examples
# Disable the device from sending ICMP redirection packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo icmp redirect send
icmp unreach send
Syntax
icmp unreach send
undo icmp unreach send
View
System view
Parameters
None
Description
Use the icmp unreach send command to enable the device to send ICMP destination unreachable...
Description Use the reset ip statistics command to clear the statistics about IP packets. You can use the display ip statistics command to view the current IP packet statistics. Related commands: display ip interface. Examples # Clear the statistics about IP packets. <Sysname>...
tcp timer fin-timeout Syntax tcp timer fin-timeout time-value undo tcp timer fin-timeout View System view Parameters time-value: TCP finwait timer, in seconds, with the value ranging from 76 to 3600. Description Use the tcp timer fin-timeout command to configure the TCP finwait timer. Use the undo tcp timer fin-timeout command to restore the default value of the TCP finwait timer.
When sending the SYN packet, TCP starts the synwait timer. If the response packet is not received before synwait times out, the TCP connection will be terminated. Related commands: tcp timer fin-timeout, tcp window. Examples # Configure the value of the TCP synwait timer to 80 seconds. <Sysname>...
Voice VLAN Configuration Commands The contents of this chapter are only applicable to the S3100-EI series among S3100 series switches. Voice VLAN Configuration Commands display voice vlan error-info Syntax display voice vlan error-info View Any view Parameters None Description Use the display voice vlan error-info command to display the ports on which the voice VLAN function fails to be enabled.
--------------------------------
Ethernet1/0/2 AUTO
Ethernet1/0/3 MANUAL
Table 1-1 Description on the fields of the display voice vlan status command
Field Description
Voice Vlan status: The status of global voice VLAN function: enabled or disabled.
Voice Vlan ID: The VLAN which is currently enabled with voice VLAN....
Tagged Ports: Ethernet1/0/5 Untagged Ports: Ethernet1/0/6 The output indicates that Ethernet 1/0/5 and Ethernet 1/0/6 are in the voice VLAN. voice vlan Syntax voice vlan vlan-id enable undo voice vlan enable View System view Parameters vlan-id: Specifies the ID of the VLAN to be enabled with the voice VLAN function, in the range of 2 to 4094.
System View: return to User View with Ctrl+Z.
[Sysname] vlan 2
[Sysname-vlan2] quit
[Sysname] voice vlan 2 enable
# After the voice VLAN function of VLAN 2 is enabled, if you enable the voice VLAN function for other VLANs, the system will prompt that your configuration fails.
[Sysname] voice vlan 4 enable
Can't change voice vlan configuration when other voice vlan is running
voice vlan aging...
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] voice vlan aging 100 voice vlan enable Syntax voice vlan enable undo voice vlan enable View Ethernet port view Parameters None Description Use the voice vlan enable command to enable the voice VLAN function on the port. Use the undo voice vlan enable command to disable the voice VLAN function on the port.
Parameters None Description Use the voice vlan legacy command to enable communication between an H3C device and other vendors’ voice devices by automatically adding the voice VLAN tag to the voice data coming from other vendors’ voice devices. Use the undo voice vlan legacy command to disable the voice VLAN legacy function.
Number OUI address Vendor
00d0-1e00-0000 Pingtel phone
00e0-7500-0000 Polycom phone
00e0-bb00-0000 3Com phone
Related commands: display voice vlan oui.
Examples
# Add MAC address 00aa-bb00-0000 to the OUI list and configure its description as ABC.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] voice vlan mac-address 00aa-bb00-0000 mask ffff-ff00-0000 description ABC
voice vlan mode
Syntax...
[Sysname-Ethernet1/0/2] undo voice vlan mode auto voice vlan qos Syntax voice vlan qos cos-value dscp-value undo voice vlan qos View Interface view Default Level 2: System level Parameters cos-value: Sets the CoS precedence value for voice VLAN traffic. The default value is 6. dscp-value: Sets the DSCP value for voice VLAN traffic.
undo voice vlan qos View Interface view Default Level 2: System level Parameters None Description Use the voice vlan qos trust command to configure the current interface to trust the priority settings carried in incoming voice traffic. With this command configured, an interface keeps the CoS and DSCP values marked for incoming voice traffic unchanged.
Page 134
Description Use the voice vlan security enable command to enable the voice VLAN security mode. Use the undo voice vlan security enable command to disable the voice VLAN security mode. In security mode, ports that are in a voice VLAN and have voice devices attached can forward only voice data.
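The following added Python example (not part of the H3C manual) shows how an OUI list entry such as the voice vlan mac-address 00aa-bb00-0000 mask ffff-ff00-0000 example earlier in this chapter selects source MAC addresses, and how to audit which MACs learned on voice VLAN ports fall outside the list. It assumes that a MAC matches when (MAC AND mask) equals (OUI AND mask) and that the three default entries use the mask ffff-ff00-0000; the function names are hypothetical and the observed MAC addresses are constructed.

```python
import re

# OUI entries that appear on this page: the three default entries from the
# table plus the "ABC" entry from the voice vlan mac-address example.
# Assumption: the default entries use the same mask as the example.
OUI_LIST = [
    ("00d0-1e00-0000", "ffff-ff00-0000", "Pingtel phone"),
    ("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),
    ("00e0-bb00-0000", "ffff-ff00-0000", "3Com phone"),
    ("00aa-bb00-0000", "ffff-ff00-0000", "ABC"),
]

ALL_ONES = 0xFFFFFFFFFFFF
_H3C_MAC = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}")


def parse_mac(text):
    """Convert an H-H-H MAC string (the switch's notation) to a 48-bit int."""
    text = text.strip().lower()
    if not _H3C_MAC.fullmatch(text):
        raise ValueError(f"not an H-H-H MAC address: {text!r}")
    return int(text.replace("-", ""), 16)


def is_prefix_mask(mask):
    """True if the mask is a run of 1-bits followed only by 0-bits."""
    inverted = ~mask & ALL_ONES
    return mask != 0 and (inverted & (inverted + 1)) == 0


def compile_oui_list(entries):
    """Parse OUI entries and report entries that look misconfigured.

    The warnings are this example's own sanity checks, not switch behaviour.
    """
    compiled, warnings = [], []
    for oui_text, mask_text, description in entries:
        oui, mask = parse_mac(oui_text), parse_mac(mask_text)
        if not is_prefix_mask(mask):
            warnings.append(f"{oui_text}: mask {mask_text} is not a contiguous prefix")
        if oui & ~mask & ALL_ONES:
            warnings.append(f"{oui_text}: bits outside mask {mask_text} are ignored")
        compiled.append((oui & mask, mask, description))
    return compiled, warnings


def classify(source_mac, compiled):
    """Return the description of the first matching OUI entry, or None."""
    mac = parse_mac(source_mac)
    for prefix, mask, description in compiled:
        if mac & mask == prefix:
            return description
    return None


def audit_port_macs(observed, compiled):
    """Split MACs learned on voice VLAN ports into matched and unmatched."""
    matched, unmatched = {}, []
    for mac in observed:
        vendor = classify(mac, compiled)
        if vendor is None:
            unmatched.append(mac)
        else:
            matched[mac] = vendor
    return matched, unmatched


if __name__ == "__main__":
    # Constructed sample of source MACs seen on voice VLAN ports.
    observed = ["00e0-7512-3456", "00aa-bb01-0203", "0011-2233-4455"]
    table, lint = compile_oui_list(OUI_LIST)
    matched, unmatched = audit_port_macs(observed, table)
    print("lint warnings:", lint)
    print("matched:", matched)
    print("not in OUI list:", unmatched)
```
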
GVRP Configuration Commands GARP Configuration Commands display garp statistics Syntax display garp statistics [ interface interface-list ] View Any view Parameters interface-list: Specifies a list of Ethernet ports for which the statistics about GARP are to be displayed. In this list, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2,...
Table 1-1 Description on the fields of the display garp statistics command
Field Description
Number of GVRP Frames Received: Number of the GVRP frames received on the port
Number of GVRP Frames Transmitted: Number of the GVRP frames transmitted through the port
Number of Frames Discarded: Number of GVRP frames discarded by the port...
In networking, the following GARP timer settings are recommended:
GARP hold timer: 100 centiseconds (1 second)
GARP Join timer: 600 centiseconds (6 seconds)
GARP Leave timer: 3000 centiseconds (30 seconds)
Related commands: display garp timer.
Examples
# Set the GARP Join timer to 30 centiseconds for Ethernet1/0/1.
<Sysname>...
Examples # Set the GARP LeaveAll timer to 100 centiseconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] garp timer leaveall 100 reset garp statistics Syntax reset garp statistics [ interface interface-list ] View User view Parameters interface-list: Specifies a list of Ethernet ports.
Note that this command displays GVRP statistics only on the trunk ports included in the list. Statistics on non-trunk ports will not be displayed.
Description
Use the display gvrp statistics command to display the GVRP statistics of trunk ports. This command displays the following information:
GVRP status
Number of the GVRP entries that fail to be registered
Source MAC address of the previous GVRP PDU...
Parameters None Description Use the gvrp command to enable GVRP globally (in system view) or for a port (in Ethernet port view). Use the undo gvrp command to disable GVRP globally (in system view) or on a port (in Ethernet port view).
Page 143
Use the undo gvrp registration command to restore the default GVRP registration mode on a port. By default, the GVRP registration mode is normal. Note that these commands only apply to trunk ports. Related commands: display gvrp statistics Examples # Configure Ethernet1/0/1 to operate in fixed GVRP registration mode. <Sysname>...
Port Basic Configuration Commands Port Basic Configuration Commands broadcast-suppression Syntax broadcast-suppression { ratio | bps max-bps | pps max-pps } undo broadcast-suppression View System view, Ethernet port view Parameter ratio: Maximum ratio (in percentage) of the broadcast traffic allowed on a port to the total transmission capacity of the port.
If you configure the broadcast-suppression command in both system view and Ethernet port view, the configuration in Ethernet port view will take effect. If the broadcast traffic threshold configured by using the broadcast-suppression pps max-pps command in system view is greater than the maximum broadcast traffic rate allowed on an Ethernet port, the maximum broadcast traffic rate allowed takes effect on the port.
Page 148
If you specify a source aggregation group ID, the system uses the port with the smallest port number in the aggregation group as the source. If you specify a destination aggregation group ID, the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configuration as that of the source port.
Any aggregation group port you input in the destination port list will be removed from the list and the copy command will not take effect on the port. If you want an aggregation group port to have the same configuration as the source port, you can specify the aggregation group of the port as the destination (with the destination-agg-id argument).
[Sysname-Ethernet1/0/1] description lanswitch-interface display brief interface Syntax display brief interface [ interface-type [ interface-number ] ] [ | { begin | include | exclude } regular-expression ] View Any view Parameter interface-type: Port type. interface-number: Port number. |: Specifies to use a regular expression to filter the configuration information entries to be displayed. begin: Each entry must begin with a specified character string.
Speed/Duplex: A - auto-negotiation
Interface Link Speed Duplex Type PVID Description
------------------------------------------------------------------------
Eth1/0/1 DOWN hybrid 1 home
Table 1-1 display brief interface command output description
Field Description
Interface: Port type
Link: Current link state of the Ethernet port: UP, DOWN or ADMINISTRATIVELY DOWN
Speed...
Page 152
Parameter interface-type: Port type. interface-number: Port number. For details about the arguments, refer to the parameter description of the interface command. Description Use the display interface command to display port configuration. When using this command: If you specify neither port type nor port number, the command displays information about all ports. If you specify only port type, the command displays information about all ports of the specified type.
Page 153
Table 1-3 display interface command output description
Field Description
Ethernet1/0/1 current state: Current status of the Ethernet port: UP, DOWN or ADMINISTRATIVELY DOWN
IP Sending Frames' Format: Ethernet frame format
Hardware address: Port hardware address
Media type: Media type
Port hardware type: Port hardware type
100Mbps-speed mode, full-duplex mode...
Page 154
Field Description
giants: The number of incoming giant frames (A giant frame is of more than 2048 bytes if untagged or more than 2052 bytes if tagged.)
- throttles: The number of throttles that occurred on the port (A throttle occurs when a port is shut down due to buffer or memory overload.)
The number of CRC error frames received in correct length...
Field Description
aborts: The number of transmission failures due to various reasons, such as collisions
deferred: The number of first transmission attempts delayed because of detection of collisions
collisions: The number of detected collisions (Transmission of a frame will be aborted upon detection of a collision.)
The number of detected late collisions (A late collision occurs if the transmission of a frame...
<Sysname> display link-delay Interface Time Delay ===================== ============== Ethernet1/0/5 display loopback-detection Syntax display loopback-detection View Any view Parameter None Description Use the display loopback-detection command to display the loopback detection status on the port. If loopback detection is enabled, this information will also be displayed: time interval for loopback detection and the loopback ports.
You can refer to the shutdown command to change the state of the two ports. For information about combo port, refer to H3C S3100 Series Ethernet Switch Installation Manual. display port-group Syntax display port-group group-id...
display storm-constrain Syntax display storm-constrain [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] View Any view Parameters interface-type: Port type. interface-number: Port number. |: Uses a regular expression to filter the output configuration information. begin: Displays the configurations that begin with the string specified by regular-expression.
Field Description
on: log information is output when traffic received on the port exceeds the upper threshold or falls below the lower threshold
off: log information is not output when traffic received on the port exceeds the upper threshold or falls below the lower threshold
Swi-num: Number of port state switchover
display unit...
enable log updown Syntax enable log updown undo enable log updown View Ethernet port view Parameter None Description Use the enable log updown command to enable Up/Down log information output. Use the undo enable log updown command to disable Up/Down log information output. By default, a port is allowed to output Up/Down log information.
Description Use the flow-interval command to configure the time interval for collecting interface statistics. Use the undo flow-interval command to restore the default. When you use the display interface interface-type interface-number command to display the information of a port, the system performs statistical analysis on the traffic flow passing through the port during the specified interval and displays the average rates in the interval.
interface Syntax interface interface-type interface-number View System view Parameter interface-type: Port type, which can be Aux, Ethernet, GigabitEthernet, loopback, null or Vlan-interface. interface-number: Port number, in the format of Unit ID/slot number/port number, where: Unit ID is fixed to 1; The slot number is 0 if the port is an Ethernet port, the slot number is 1 or 2 if the port is a GigabitEthernet port.
Only S3100-EI Series switches support this feature. The configuration of jumboframe enable command takes effect on all the ports while the configuration of undo jumboframe enable takes effect on current port. Example # Set the maximum frame size allowed on Ethernet 1/0/1 to 2048 bytes. <Sysname>...
[Sysname] interface Ethernet1/0/5
[Sysname-Ethernet1/0/5] link-delay 8
loopback
Syntax
loopback { external | internal }
View
Ethernet port view
Parameter
external: Performs external loop test. In the external loop test, self-loop headers must be used on the port of the switch (for a 100M port, the self-loop headers are made from four cores of the 8-core cables; for a 1000M port, the self-loop headers are made from eight cores of the 8-core cables); the packets forwarded by the port will then be received by itself.
Use the undo loopback-detection control enable command to disable the loopback port control function on the trunk or hybrid port. The loopback port control function works in conjunction with the loopback detection function (refer to loopback-detection enable). If a loop is found on a VLAN of the trunk or hybrid port: With the function enabled on the trunk or hybrid port, the system will set the port to the block state (ports in this state cannot forward data packets), send log and trap messages to the terminal, and remove the corresponding MAC forwarding entry.
If you have not enabled the loopback port auto-shutdown function on the access port, the port will automatically resume the normal forwarding state after the loop is removed. If a loop is found on a trunk or hybrid port, the system sends log and trap messages to the terminal. If you have additionally enabled the loopback port control function or the loopback port auto-shutdown function, the system will deal with the port accordingly: If the loopback port control function is enabled on the port (with the...
Keyword to is used to specify a range of ports. The port number after to must be equal to or greater than that before to. &<1-10> means that you can specify up to 10 ports or port ranges. Description Use the loopback-detection interface-list enable command to enable the loopback detection function on a range of ports.
loopback-detection per-vlan enable Syntax loopback-detection per-vlan enable undo loopback-detection per-vlan enable View Ethernet port view Parameter None Description Use the loopback-detection per-vlan enable command to configure the system to run loopback detection on all VLANs of the current trunk or hybrid port. Use the undo loopback-detection per-vlan enable command to restore the default setting.
With the function disabled on the port, the system will only send log and trap messages to the terminal, and the port is still in the normal forwarding state. By default, the loopback port auto-shutdown function is enabled on ports if the device boots with the default configuration file (config.def);...
An RJ-45 interface can operate in MDI or MDI-X mode. To connect two RJ-45 interfaces operating in the same MDI mode, use a crossover cable; to connect two RJ-45 interfaces operating in different MDI modes, use a straight-through cable. Description Use the mdi command to set the MDI mode for a port.
With line rate (LR) applied on one port in the inbound direction or the Traffic Policing enabled, multicast suppression cannot be enabled on any port of the device, and vice versa. Refer to the QoS part for information about LR and Traffic Policing. Example # Set the maximum amount of unknown multicast and unknown unicast bits that can be received per second by Ethernet 1/0/2 to 128 kbps.
port-group Syntax port-group undo port-group View System view Parameter group-id: Number of port group, in the range of 1 to 100. Description Use the port-group command to create a port group or enter the specified port group view. By default, no port group is configured. Only S3100-EI Series Ethernet Switches support Port Group feature.
The statistics of the 802.1x-enabled ports cannot be cleared. Example # Clear the statistics of Ethernet 1/0/1. <Sysname> reset counters interface ethernet1/0/1 shutdown Syntax shutdown undo shutdown View Ethernet port view Parameter None Description Use the shutdown command to shut down an Ethernet port. Use the undo shutdown command to bring up an Ethernet port.
speed Syntax speed { 10 | 100 | 1000 | auto } undo speed View Ethernet port view Parameter 10: Specifies the port speed to 10 Mbps. 100: Specifies the port speed to 100 Mbps. 1000: Specifies the port speed to 1,000 Mbps (only available to GigabitEthernet ports). auto: Specifies the port speed to the auto-negotiation mode.
storm-constrain control Syntax storm-constrain control { block | shutdown } undo storm-constrain control View Ethernet port view Parameters block: Blocks and stops forwarding those types of traffic exceeding the upper thresholds. shutdown: Shuts down the port if the broadcast/multicast traffic exceeds the upper threshold, and stops receiving and forwarding all types of traffic on the port.
undo storm-constrain enable View Ethernet port view Parameters log: Enables log information to be output when traffic received on the port exceeds the upper threshold or falls below the lower threshold. trap: Enables trap information to be output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
System View: return to User View with Ctrl+Z. [Sysname] storm-constrain interval 2 virtual-cable-test Syntax virtual-cable-test View Ethernet port view Parameter None Description Use the virtual-cable-test command to enable the system to test the cable connected to a specific port and to display the results. The system can test these attributes of the cable: Cable status, including normal, abnormal, abnormal-open, abnormal-short and failure Cable length If the cable is in normal state, the displayed length value is the total length of the cable.
Page 180
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet0/1] virtual-cable-test
Cable status: abnormal(open), 1 metres
Pair Impedance mismatch: -
Pair skew: - ns
Pair swap: -
Pair polarity: -
Insertion loss: - db
Return loss: - db
Near-end crosstalk: - db...
Page 181
Table of Contents
1 Link Aggregation Configuration Commands
Link Aggregation Configuration Commands
display link-aggregation interface
display link-aggregation summary
display link-aggregation verbose
display lacp system-id
lacp enable
lacp port-priority
lacp system-priority
link-aggregation group description
link-aggregation group mode
port link-aggregation group
reset lacp statistics...
Link Aggregation Configuration Commands Link Aggregation Configuration Commands display link-aggregation interface Syntax display link-aggregation interface interface-type interface-number [ to interface-type interface-number ] View Any view Parameter interface-type: Port type. interface-number: Port number. to: Specifies a port index range, with the two interface-type interface-number argument pairs around it as the two ends.
Field Description Port-Priority Port priority Oper key Operation key Flag Protocol status flag Remote Information about the remote end System ID Remote device ID Port number Port number Received LACP Packets: 0 packet(s), Illegal: 0 Statistics about received, invalid, and sent LACP packet(s) packets Sent LACP Packets: 0 packet(s)
Field Description Loadsharing Type Load sharing type: Shar for load sharing and NonS for non-load sharing Actor ID Local device ID AL ID Aggregation group ID AL Type Aggregation group type: D (dynamic), S (static), or M (manual) ID of the remote device, including the system priority and system MAC address of the remote device Partner ID For a device belonging to a dynamic aggregation group or static aggregation...
Local: Port Status Priority Flag ------------------------------------------------------------------------- Ethernet1/0/4 32768 {ACDEFG} Ethernet1/0/5 32768 {ACG} Remote: Actor Partner Priority Key SystemID Flag -------------------------------------------------------------------------- Ethernet1/0/4 32768 0x8000,0000-0000-0000 {DEF} Ethernet1/0/5 32768 0x8000,0000-0000-0000 {DEF} Table 1-3 Description on the fields of the display link-aggregation verbose command Field Description Loadsharing Type...
lacp enable Syntax lacp enable undo lacp enable View Ethernet port view Parameter None Description Use the lacp enable command to enable LACP on the current port. Use the undo lacp enable command to disable LACP. By default, LACP is disabled on a port. Example # Enable the LACP protocol on Ethernet 1/0/1.
lacp system-priority Syntax lacp system-priority system-priority undo lacp system-priority View System view Parameter system-priority: System priority, ranging from 0 to 65,535. Description Use the lacp system-priority command to set the system priority. Use the undo lacp system-priority command to restore the default system priority. By default, the system priority is 32,768.
You can use the display link-aggregation verbose command to check the configuration result. Example # Set the description "abc" for aggregation group 1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] link-aggregation group 1 description abc link-aggregation group mode Syntax link-aggregation group agg-id mode { manual | static } undo link-aggregation group agg-id...
Related command: display link-aggregation verbose. Example # Add Ethernet1/0/1 to aggregation group 22. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] port link-aggregation group 22 reset lacp statistics Syntax reset lacp statistics [ interface interface-type interface-number [ to interface-type interface-number ] ] View User view Parameter...
Page 190
Table of Contents
1 Port Isolation Configuration Commands
Port Isolation Configuration Commands
display isolate port
port isolate...
Page 191
Port Isolation Configuration Commands Port Isolation Configuration Commands display isolate port Syntax display isolate port View Any view Parameter None Description Use the display isolate port command to display the Ethernet ports assigned to the isolation group. Example # Display information about the Ethernet ports added to the isolation group. <Sysname>...
Page 192
When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group on the local device will join/leave the isolation group at the same time. For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.
Page 194
Port Security Commands Port Security Commands display mac-address security Syntax display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] View Any view Parameters interface interface-type interface-number: Specifies the port, by type and number, whose security MAC address information is to be displayed.
Page 195
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 0000-0000-0001 Security Ethernet1/0/20 NOAGED 0000-0000-0002 Security Ethernet1/0/20 NOAGED 0000-0000-0003 Security Ethernet1/0/20 NOAGED 0000-0000-0004 Security Ethernet1/0/20 NOAGED 4 mac address(es) found on port Ethernet1/0/20 --- # Display the security MAC address entries for VLAN 1. <Sysname>...
Page 196
Parameters interface interface-list: Specify a list of Ethernet ports of which the port security configurations are to be displayed. For the interface-list argument, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1.
Page 197
Max mac-address num is 4 Stored mac-address num is 0 Authorization is ignore Ethernet1/0/2 is link-down Port mode is AutoLearn NeedtoKnow mode is disabled Intrusion mode is no action Max mac-address num is not configured Stored mac-address num is 0 Authorization is ignore Ethernet1/0/3 is link-down Port mode is AutoLearn...
Field Description The maximum number of MAC addresses Max mac-address num is 4 allowed on the port is 4. Stored mac-address num is 0 No MAC address is stored. Authorization information delivered by the Authorization is ignore Remote Authentication Dial-In User Service (RADIUS) server will not be applied to the port.
Examples # Enable port security; configure the port security mode of Ethernet 1/0/1 as autolearn and create a security MAC address entry for 0001-0001-0001, setting the associated port to Ethernet 1/0/1 and assigning the MAC address to VLAN 1. <Sysname> system-view System View: return to User View with Ctrl+Z.
After a RADIUS user passes authentication, the RADIUS server authorizes the attributes configured for the user account such as the dynamic VLAN configuration. For more information, refer to AAA Command. Examples # Configure Ethernet 1/0/2 to ignore the authorization information delivered by the RADIUS server. <Sysname>...
Examples # Enable port security. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] port-security enable Notice: The port-control of 802.1x will be restricted to auto when port-security is enabled. Please wait... Done. port-security guest-vlan Syntax port-security guest-vlan vlan-id undo port-security guest-vlan View Ethernet port view...
authentication of a user fails, the blocking MAC address feature will be triggered and packets of the user will be dropped, making the user unable to access the guest VLAN. Examples # Set the security mode of port Ethernet 1/0/1 to macAddressOrUserLoginSecure, and specify VLAN 100 as the guest VLAN of the port.
Page 203
By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC address) or events and takes a pre-set action accordingly. The actions you can set include: disconnecting the port temporarily/permanently and blocking packets with invalid MAC addresses.
NeedtoKnow mode is disabled Intrusion mode is BlockMacaddress Max mac-address num is 2 Stored mac-address num is 2 Authorization is permit For description on the output information, refer to Table 1-2. # Configure the intrusion protection mode on Ethernet 1/0/1 as disableport-temporarily. As a result, the port will be disconnected when intrusion protection is triggered and then re-enabled 30 seconds later.
By default, there is no limit on the number of MAC addresses allowed on the port. By configuring the maximum number of MAC addresses allowed on a port, you can: Limit the number of users accessing the network through the port. Limit the number of security MAC addresses that can be added on the port.
Description Use the port-security ntk-mode command to configure the NTK feature on the port. Use the undo port-security ntk-mode command to restore the default setting. By default, NTK is disabled on a port, namely all frames are allowed to be sent. By checking the destination MAC addresses of the data frames to be sent from a port, the NTK feature ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.
Description Use the port-security oui command to set an OUI value for authentication. Use the undo port-security oui command to cancel the OUI value setting. By default, no OUI value is set for authentication. The OUI value set by this command takes effect only when the security mode of the port is set to userLoginWithOUI by the port-security port-mode command.
Page 208
Table 1-3 Keyword description Keyword Security mode Description In this mode, MAC addresses learned on the port become security MAC addresses. When the number of security MAC addresses exceeds the maximum number of MAC addresses configured by the port-security max-mac-count autolearn autolearn command, the port security mode...
Page 209
Keyword Security mode Description In this mode, MAC-based 802.1x authentication is applied on users trying to access the network through the port. The port will be enabled when the authentication succeeds and allow packets from authenticated users to pass through. In this mode, only one userlogin-secure userLoginSecure...
Description Use the port-security port-mode command to set the security mode of the port. Use the undo port-security port-mode command to restore the default mode. By default, the port is in the noRestriction mode, namely access to the port is not restricted. Before setting the security mode to autolearn, you need to use the port-security max-mac-count command to configure the maximum number of MAC addresses allowed on the port.
Description Use the port-security timer autolearn command to configure the aging time for the security MAC address entries that are learned by the port automatically. Use the undo port-security timer autolearn command to restore the default. By default, the aging time is 0, that is, the security MAC address entries are not aged. After you execute the port-security timer autolearn command, you can display security MAC address entries by the display mac-address security command.
The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled. Related commands: port-security intrusion-mode. Examples # Set the intrusion protection mode on Ethernet 1/0/1 to disableport-temporarily. It is required that when intrusion protection is triggered, the port be shut down temporarily and then go up 30 seconds later.
Page 214
When you use the display port-security command to display global information, the system will display which types of trap messages are allowed to send. Related commands: display port-security. Examples # Allow the sending of intrusion packet-detected trap messages. <Sysname> system-view System View: return to User View with Ctrl+Z.
Port Binding Commands Currently, only the S3100-EI series supports port binding. Port Binding Commands am user-bind Syntax In system view: am user-bind mac-addr mac-address { ip-addr ip-address | ipv6 ipv6-address } [ interface interface-type interface-number ] undo am user-bind mac-addr mac-address { ip-addr ip-address | ipv6 ipv6-address } [ interface interface-type interface-number ] In Ethernet port view: am user-bind { mac-addr mac-address [ ip-addr ip-address | ipv6 ipv6-address ] | ip-addr ip-address...
After the binding, the switch forwards only the packets from the bound MAC address and IP address when received on the port. By default, no user MAC address or IP address is bound to a port. An IP address can be bound with only one port at a time. A MAC address can be bound with only one port at a time.
Parameters interface interface-type interface-number: Specify the port to be bound. The interface-type interface-number arguments indicate the port type and port number. ip-addr ip-address: Specify the IP address to be bound. mac-addr mac-address: Specify the MAC address to be bound. The mac-address argument is in the form of H-H-H.
Page 218
Description Use the display am user-bind ipv6 command to display IPv6 bindings. Related commands: am user-bind. Examples # Display bindings of all ports. <Sysname> display am user-bind ipv6 Following User address bind have been configured: Ipv6 Port 000f-e200-5101 1::ef:1 Ethernet1/0/1 000f-e200-5102 1::ef:2 Ethernet1/0/2...
DLDP Configuration Commands Currently, only S3100-EI series Ethernet switches support the DLDP feature. DLDP Configuration Commands display dldp Syntax display dldp { unit-id | interface-type interface-number } View Any view Parameters unit-id: Unit number of a device. interface-type: Port type. interface-number: Port number.
neighbor mac address : 000f-e20f-7201 neighbor port index : 98 neighbor state : two way neighbor aged time : 24 Table 1-1 Description on the fields of the display dldp command Field Description Interval for sending DLDP advertisement packets (in dldp interval seconds) dldp work-mode...
Use the dldp enable command to enable DLDP on the current port. Use the dldp disable command to disable DLDP on the current port. The dldp command can apply to a non-optical port as well as an optical port. By default, DLDP is disabled. When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently.
Use the undo dldp authentication-mode to remove the DLDP authentication mode and password on the current port. By default, the authentication mode on the current port is none. Note that: When you configure a DLDP authentication mode and authentication password on a port, make sure that the same DLDP authentication mode and password are set on the ports connected with a fiber cable or copper twisted pair.
Note that: The interval takes effect on all DLDP-enabled ports. It is recommended that you set the interval shorter than one-third of the STP convergence time (usually 30 seconds). If too long an interval is set, an STP loop may occur before DLDP shuts down unidirectional links.
View System view Parameters auto: Automatically disables the corresponding port when DLDP detects a unidirectional link or finds in the enhanced mode that the peer port is down. manual: Generates logs and traps and prompts the user to manually disable the corresponding port when DLDP detects a unidirectional link or finds in the enhanced mode that the peer port is down.
When DLDP works in normal mode, the system can identify only the unidirectional link caused by fiber cross-connection. When the DLDP protocol works in enhanced mode, the system can identify two types of unidirectional links: one is caused by fiber cross-connection and the other is caused by one fiber being not connected or being broken.
Page 227
Examples # Set the delaydown timer to 5 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dldp delaydown-timer 5...
MAC Address Table Management Configuration Commands This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to the “Multicast Protocol” part of the manual. MAC Address Table Management Configuration Commands display mac-address aging-time Syntax display mac-address aging-time...
display mac-address Syntax display mac-address [ display-option ] View Any view Parameters display-option: Option used to display specific MAC address table information, as described in Table 1-1. Table 1-1 Description on the display-option argument Value Description Displays information about a specified MAC address mac-address [ vlan vlan-id ] entry.
Page 231
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 000f-e20f-0101 Learned Ethernet1/0/1 AGING # Display the MAC address entries for the port Ethernet 1/0/4. <Sysname> display mac-address interface Ethernet 1/0/4 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 000d-88f6-44ba Learned Ethernet1/0/4 AGING...
Syntax Description mac-address [ interface interface-type Removes a specified MAC address entry. interface-number ] vlan vlan-id Description Use the mac-address command to add or modify a MAC address entry. Use the undo mac-address command to remove one or more MAC address entries. In Ethernet port view, the MAC address entry configured with the mac-address command in Ethernet port view takes the current Ethernet port as the outgoing port.
When you use the mac-address max-mac-count command, the port stops learning MAC addresses after the number of MAC addresses it learned reaches the value of the count argument you provided. You can use the undo command to cancel this limit so that the port can learn MAC addresses without the number limitation.
mac-address timer Syntax mac-address timer { aging age | no-aging } undo mac-address timer aging View System view Parameters aging age: Specifies the aging time (in seconds) for dynamic MAC address entries. The age argument ranges from 10 to 1000000. no-aging: Specifies not to age dynamic MAC address entries.
Use the undo mac-address-mapping command to disable this feature. The MAC address replication feature is disabled on any port by default. The contents of this section are only applicable to the S3100-EI series among S3100 series switches. Examples # Configure MAC address replication on Ethernet1/0/1 to copy the MAC address entries of VLAN 4 to the MAC address table of VLAN 10.
Page 237
Examples # Set the start port MAC address to 000f-e200-0001. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] port-mac 000f-e200-0001...
MSTP Configuration Commands MSTP Configuration Commands active region-configuration Syntax active region-configuration View MST region view Parameters None Description Use the active region-configuration command to activate the settings of a multiple spanning tree (MST) region. Configuring MST region-related parameters (especially the VLAN-to-instance mapping table) can result in network topology jitter.
View Ethernet port view Parameters None Description Use the bpdu-drop any command to enable BPDU dropping on the Ethernet port. Use the undo bpdu-drop any command to disable BPDU dropping on the Ethernet port. By default, BPDU dropping is disabled. In an STP-enabled network, some malicious users may send BPDU packets to the switch continuously in order to destabilize the network.
The H3C series supports only the MST region name, VLAN-to-instance mapping table, and revision level. Switches with identical settings for these parameters are assigned to the same MST region.
Page 243
View Any view Parameters instance-id: ID of the MSTI ranging from 0 to 16. The value of 0 refers to the common and internal spanning tree (CIST). interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
Page 244
Examples # Display the brief state information of MSTI 0 on Ethernet 1/0/1 through Ethernet 1/0/4. <Sysname> display stp instance 0 interface Ethernet 1/0/1 to Ethernet 1/0/4 brief MSTID Port Role STP State Protection Ethernet1/0/1 ALTE DISCARDING LOOP Ethernet1/0/2 DESI FORWARDING NONE Ethernet1/0/3...
Page 245
----[Port2(Ethernet1/0/2)][DOWN]---- Port Protocol :enabled Port Role :CIST Disabled Port Port Priority :128 Port Cost(Legacy) :Config=auto / Active=200000 Desg. Bridge/Port :32768.00e0-fc12-4001 / 128.2 Port Edged :Config=disabled / Active=disabled Point-to-point :Config=auto / Active=false Transmit Limit :10 packets/hello-time Protection Type :None MSTP BPDU format :Config=auto / Active=legacy Port Config Digest Snooping...
Field Description Path cost of the port. The field in the bracket indicates the standard used for port path cost calculation, which can be Port Cost(Legacy) legacy, dot1d-1998, or dot1t. Config indicates the configured value, and Active indicates the actual value. Designated bridge ID and port ID of the port Desg.
Examples # Display the ports that are blocked by STP guard functions. <Sysname> display stp abnormalport MSTID Port Block Reason --------- -------------------- ------------- Ethernet1/0/20 Root-Protection Ethernet1/0/21 Loop-Protection Table 1-4 Description on the fields of the display stp abnormalport command Field Description MSTID MSTI ID in the MST region...
Field Description Reason that caused the port to be blocked. BPDU-Protected: BPDU attack guard function Down Reason Formatfrequency-Protected: MSTP BPDU format frequent change protection function display stp region-configuration Syntax display stp region-configuration View Any view Parameters None Description Use the display stp region-configuration command to display the activated MST region configuration, including the region name, region revision level, and VLAN-to-instance mappings configured for the switch.
display stp root Syntax display stp root View Any view Parameters None Description Use the display stp root command to display information about the root ports in the MSTP region where the switch resides. Examples # Display information about the root ports in the MSTP region where the switch resides. <Sysname>...
Parameters instance-id: ID of an MSTI ranging from 0 to 16. The value of 0 refers to the CIST. vlan-list: List of VLANs. You need to provide this argument in the form of vlan-list = { vlan-id [ to vlan-id ] }&<1-10>, where &<1-10> means that you can provide up to 10 VLAN IDs/VLAN ID ranges for this argument.
MST region name, along with VLAN-to-instance mapping table and MSTP revision level, determines the MST region which a switch belongs to. Related commands: instance, revision-level, check region-configuration, vlan-mapping modulo, active region-configuration. Examples # Set the MST region name of the switch to hello. <Sysname>...
undo revision-level View MST region view Parameters level: MSTP revision level to be set for the switch. This argument ranges from 0 to 65,535. Description Use the revision-level command to set the MSTP revision level for a switch. Use the undo revision-level command to restore the revision level to the default value. By default, the MSTP revision level of a switch is 0.
Page 253
Description Use the stp command in system view to enable/disable MSTP globally. Use the undo stp command in system view to restore the MSTP state to the default globally. Use the stp command in Ethernet port view to enable/disable MSTP on a port. Use the undo stp command in Ethernet port view to restore the MSTP state to the default on a port.
stp bpdu-protection Syntax stp bpdu-protection undo stp bpdu-protection View System view Parameters None Description Use the stp bpdu-protection command to enable the BPDU guard function on the switch. Use the undo stp bpdu-protection command to restore to the default state of the BPDU guard function.
View System view Parameters bridgenum: Network diameter to be set for a switched network. This argument ranges from 2 to 7. Description Use the stp bridge-diameter command to set the network diameter of a switched network. The network diameter of a switched network is represented by the maximum possible number of switches between any two terminal devices in a switched network.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the format of interface-list ={ interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Page 257
undo stp interface interface-list config-digest-snooping View System view, Ethernet port view Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
When the digest snooping feature is enabled on a port, the port turns to the discarding state. That is, the port stops sending BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. The digest snooping feature is needed only when your switch is connected to another manufacturer’s switches adopting proprietary spanning tree protocols.
Page 259
System view: stp interface interface-list [ instance instance-id ] cost cost undo stp interface interface-list [ instance instance-id ] cost View System view, Ethernet port view Parameters instance-id: ID of an MSTI ranging from 0 to 16. The value of 0 refers to the CIST. cost: Path cost to be set for the port.
[Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp instance 2 cost 200 # Set the path cost of Ethernet 1/0/1 in MSTI 2 to 200 in system view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet 1/0/1 instance 2 cost 200 # Set the path cost of Ethernet 1/0/2 to Ethernet 1/0/4 in MSTI 2 to 400 in system view.
Examples # Enable a switch to send trap messages conforming to 802.1d standard to the network management device when the switch becomes the root bridge of MSTI 1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp instance 1 dot1d-trap newroot enable stp edged-port Syntax Ethernet port view:...
Normally, configuration BPDUs cannot reach an edge port because the port is not connected to another switch. But when the BPDU guard function is disabled on an edge port, configuration BPDUs sent deliberately by a malicious user may reach the port. If an edge port receives a BPDU, it turns to a non-edge port.
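The following added example (not part of the H3C manual) audits a candidate configuration for two conditions this reference describes: a port set to the autolearn security mode without port-security max-mac-count configured first, and an edge port on a switch where stp bpdu-protection is not enabled in system view. The sample configuration is constructed, its stanza layout ("#" separators, one "interface" header per port) is an assumption about how the configuration is listed, and the finding names are hypothetical labels.

```python
import re

# Constructed sample: "#" separates stanzas; a stanza without an
# "interface" header holds system-view commands.
SAMPLE_CONFIG = """\
#
 sysname Sysname
#
 port-security enable
#
interface Ethernet1/0/1
 port-security max-mac-count 4
 port-security port-mode autolearn
 stp edged-port enable
#
interface Ethernet1/0/2
 port-security port-mode autolearn
 stp edged-port enable
#
interface Ethernet1/0/3
 stp loop-protection
#
return
"""

# Same configuration with the two gaps closed (also constructed).
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    " port-security enable\n", " port-security enable\n stp bpdu-protection\n"
).replace(
    "interface Ethernet1/0/2\n",
    "interface Ethernet1/0/2\n port-security max-mac-count 2\n",
)


def parse_stanzas(text):
    """Return (system_view_cmds, {port_name: [cmds in listed order]})."""
    global_cmds, ports = [], {}
    current = global_cmds
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":                      # stanza boundary: back to system view
            current = global_cmds
            continue
        m = re.match(r"interface\s+(\S.*)$", line)
        if m:                                # "Ethernet 1/0/1" and "Ethernet1/0/1" are the same port
            current = ports.setdefault(m.group(1).replace(" ", ""), [])
            continue
        current.append(line)
    return global_cmds, ports


def audit(text):
    """Return a list of (port, finding) tuples in configuration order."""
    global_cmds, ports = parse_stanzas(text)
    bpdu_guard = "stp bpdu-protection" in global_cmds
    findings = []
    for name, cmds in ports.items():
        limit_seen = False
        for cmd in cmds:
            if re.fullmatch(r"port-security max-mac-count \d+", cmd):
                limit_seen = True
            elif cmd == "port-security port-mode autolearn" and not limit_seen:
                # The limit must be configured before autolearn is set.
                findings.append((name, "autolearn-without-max-mac-count"))
        if "stp edged-port enable" in cmds and not bpdu_guard:
            # Without BPDU guard, a received BPDU turns the edge port into a non-edge port.
            findings.append((name, "edge-port-without-bpdu-guard"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG):
        print(f"{port}: {finding}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```
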
Page 263
Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument. Description Use the stp loop-protection command to enable the loop guard function on the current port.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 loop-protection stp max-hops Syntax stp max-hops hops undo stp max-hops View System view Parameters hops: Maximum hop count to be set. This argument ranges from 1 to 40. Description Use the stp max-hops command to set the maximum hop count for the MST region the current switch belongs to.
Page 265
System view: stp [ interface interface-list ] mcheck View System view, Ethernet port view Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
stp mode Syntax stp mode { stp | rstp | mstp } undo stp mode View System view Parameters stp: Specifies the STP-compatible mode. mstp: Specifies the MSTP mode. rstp: Specifies the RSTP-compatible mode. Description Use the stp mode command to set the operating mode of an MSTP-enabled switch. Use the undo stp mode command to restore the default operating mode of an MSTP-enabled switch.
Page 267
H3C series switch operating as the downstream switch. Among these ports, those operating as the root ports will then actively send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname]stp interface Ethernet1/0/1 no-agreement-check stp pathcost-standard Syntax stp pathcost-standard { dot1d-1998 | dot1t | legacy } undo stp pathcost-standard View System view Parameters dot1d-1998: The device calculates the default path cost for ports based on IEEE 802.1d-1998. dot1t: The device calculates the default path cost for ports based on IEEE 802.1t.
Path cost in Path cost in Path cost in Link speed Duplex state 802.1d-1998 IEEE 802.1t private standard standard standard Full-duplex 2,000 Aggregated link 2 ports 1,000 10 Gbps Aggregated link 3 ports Aggregated link 4 ports Normally, the path cost of a port operating in full-duplex mode is slightly less than that of the port operating in half-duplex mode.
Page 270
force-false: Specifies that the link connected to the current Ethernet port is not a point-to-point link. auto: Specifies to automatically determine whether or not the link connected to the current Ethernet port is a point-to-point link. interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
# Configure the links connected to Ethernet 1/0/2 to Ethernet 1/0/4 as point-to-point links in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 point-to-point force-true

stp port priority
Syntax
Ethernet port view:
stp [ instance instance-id ] port priority priority...
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp instance 2 port priority 16
# Set the port priority of Ethernet 1/0/1 in MSTI 2 to 16 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 instance 2 port priority 16
# Set the port priority of Ethernet 1/0/2 to Ethernet 1/0/4 in MSTI 2 to 16 in system view.
View System view Parameters None Description Use the stp portlog all command to enable log and trap message output for the ports of all instances. Use the undo stp portlog all command to disable this function. By default, log and trap message output is disabled on the ports of all instances. Examples # Enable log and trap message output for the ports of all instances.
[Sysname] stp instance 1 priority 4096

stp region-configuration
Syntax
stp region-configuration
undo stp region-configuration
View
System view
Parameters
None
Description
Use the stp region-configuration command to enter MST region view. Use the undo stp region-configuration command to restore the MST region-related settings to the default.
Page 275
undo stp [ instance instance-id ] root View System view Parameters instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST. bridgenum: Network diameter of the specified spanning tree. This argument ranges from 2 to 7 and defaults to 7.
stp root secondary
Syntax
stp [ instance instance-id ] root secondary [ bridge-diameter bridgenum [ hello-time centi-seconds ] ]
undo stp [ instance instance-id ] root
View
System view
Parameters
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
bridgenum: Network diameter of the specified spanning tree.

stp root-protection
Syntax
Ethernet port view:
stp root-protection
undo stp root-protection
System view:
stp interface interface-list root-protection
undo stp interface interface-list root-protection
View
System view, Ethernet port view
Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
Examples
# Enable the root guard function on Ethernet 1/0/1.
Enable the root guard function on Ethernet 1/0/1 in Ethernet port view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp root-protection
Enable the root guard function on Ethernet 1/0/1 in system view.
<Sysname>...
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp tc-protection enable

stp tc-protection threshold
Syntax
stp tc-protection threshold number
undo stp tc-protection threshold
View
System view
Parameters
number: Maximum number of times that a switch can remove the MAC address table and ARP entries within each 10 seconds, in the range of 1 to 255.
stp timer forward-delay Syntax stp timer forward-delay centi-seconds undo stp timer forward-delay View System view Parameters centi-seconds: Forward delay in centiseconds to be set. This argument ranges from 400 to 3,000. Description Use the stp timer forward-delay command to set the forward delay of the switch. Use the undo stp timer forward-delay command to restore the forward delay to the default value.
Parameters centi-seconds: Hello time to be set, in the range of 100 to 1,000 (in centiseconds). Description Use the stp timer hello command to set the hello time of the switch. Use the undo stp timer hello command to restore the hello time of the switch to the default value. By default, the hello time of the switch is 200 centiseconds.
MSTP is capable of detecting link failures and automatically restoring redundant links to the forwarding state. In CIST, switches use the max age parameter to judge whether or not a received configuration BPDU times out. Spanning trees will be recalculated if a configuration BPDU received by a port times out.
Page 283
can be four (or more) times the hello time. For a steady network, the timeout time can be five to seven times the hello time.
Examples
# Set the hello time factor to 7.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp timer-factor 7

stp transmit-limit
Syntax...
Page 284
Examples
# Set the maximum number of configuration BPDUs that can be transmitted through Ethernet 1/0/1 in each hello time to 15.
In Ethernet port view:
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp transmit-limit 15
In system view:
<Sysname>...
Page 285
You can quickly map VLANs to specific MSTIs by using the vlan-mapping modulo modulo command. The ID of the MSTI to which a VLAN is mapped can be calculated with the following formula: (VLAN ID-1) % modulo + 1. In this formula, (VLAN ID-1) % modulo yields the remainder of (VLAN ID-1) divided by the modulo argument.
Page 286
The VLAN-VPN tunnel function can only be enabled on STP-enabled devices. To enable the VLAN-VPN tunnel function, make sure the links between operator’s networks are trunk links. Currently, only S3100-SI series Ethernet Switches support the VLAN-VPN tunnel feature. Examples # Enable the VLAN-VPN tunnel function for the switch. <Sysname>...
IGMP Snooping Configuration Commands Only the S3100-EI series support the IGMP Snooping querier feature. The related commands are as follows: igmp-snooping querier igmp-snooping query-interval igmp-snooping general-query source-ip IGMP Snooping Configuration Commands display igmp-snooping configuration Syntax display igmp-snooping configuration View Any view Parameters None Description...
Page 291
<Sysname> display igmp-snooping configuration
Enable IGMP Snooping.
The router port timeout is 105 second(s).
The max response timeout is 10 second(s).
The host port timeout is 260 second(s).
The above-mentioned information shows: IGMP Snooping is enabled, the aging time of the router port is 105 seconds, the maximum response time in IGMP queries is 10 seconds, and the aging time of multicast member ports is 260 seconds.
Table 1-1 display igmp-snooping group command output description Field Description Total 1 IP Group(s). Total number of IPv6 multicast groups Total 1 IP Source(s). Total number of IPv6 multicast sources Total 1 MAC Group(s). Total number of MAC multicast groups Port flags: D-Dynamic port, Port flags: D for dynamic port, S for static port, C for port copied from a (*, G) S-Static port, C-Copy port...
Examples
# Display IGMP Snooping statistics.
<Sysname> display igmp-snooping statistics
Received IGMP general query packet(s) number:1.
Received IGMP specific query packet(s) number:0.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:3.
Received IGMP leave packet(s) number:0.
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:0.
Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view; otherwise the IGMP Snooping setting will not take effect. If IGMP Snooping and VLAN VPN are enabled on a VLAN at the same time, IGMP queries are likely to fail to pass the VLAN.
The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, the configuration takes effect on all ports in the specified VLAN(s).
Related commands: igmp-snooping querier, igmp-snooping query-interval.
Examples
# Configure the switch to send general query messages with the source IP address 2.2.2.2 in VLAN 3.
<Sysname> system-view
System view, return to user view with Ctrl+Z.
[Sysname] igmp-snooping enable
[Sysname] vlan 3
[Sysname-vlan3] igmp-snooping enable
[Sysname-vlan3] igmp-snooping querier
[Sysname-vlan3] igmp-snooping general-query source-ip 2.2.2.2...
To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting from the oldest one.
Page 298
A port can belong to multiple VLANs, but you can configure only one ACL rule per VLAN on a port. If no ACL rule is configured, all the multicast groups will be filtered. Since most devices broadcast unknown multicast packets by default, this function is often used together with the function of dropping unknown multicast packets to prevent multicast streams from being broadcast as unknown multicast packets to a port blocked by this function.
Configure ACL 2001 on Ethernet1/0/2 to allow it to join any IGMP multicast groups except those defined in the deny rule of ACL 2001.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] igmp-snooping group-policy 2001 vlan 2

igmp-snooping host-aging-time
Syntax
igmp-snooping host-aging-time seconds
undo igmp-snooping host-aging-time
View
System view
Parameters...
Use the undo igmp-snooping nonflooding-enable command to disable the IGMP Snooping non-flooding function. By default, the IGMP Snooping non-flooding function is disabled; that is, unknown multicast packets are flooded in the VLAN. The difference between the IGMP Snooping non-flooding function and the function of dropping unknown multicast packets is that the former passes unknown multicast packets to the router ports while the latter directly discards unknown multicast packets.
Description Use the igmp-snooping querier command to enable the IGMP Snooping querier feature on the current VLAN. Use the undo igmp-snooping querier command to restore the default. By default, the IGMP Snooping querier feature is disabled. This command takes effect only if IGMP Snooping is enabled globally and also enabled in the current VLAN.
[Sysname-vlan3] igmp-snooping enable
[Sysname-vlan3] igmp-snooping querier
[Sysname-vlan3] igmp-snooping query-interval 100

igmp-snooping router-aging-time
Syntax
igmp-snooping router-aging-time seconds
undo igmp-snooping router-aging-time
View
System view
Parameters
seconds: Aging time of router ports, in the range of 1 to 1,000, in seconds.
Description
Use the igmp-snooping router-aging-time command to configure the aging time of router ports. Use the undo igmp-snooping router-aging-time command to restore the default aging time.
By default, the Layer 2 multicast switch sends group-specific query messages with the source IP address of 0.0.0.0. Related commands: igmp-snooping querier. Examples # Configure the switch to send group-specific query messages with the source IP address 2.2.2.2 in VLAN 3. <Sysname>...
View
System view
Parameters
vlan vlan-id: VLAN ID, in the range of 1 to 4094.
Description
Use the igmp-snooping vlan-mapping vlan command to configure the switch to transmit IGMP general and group-specific query messages in a specific VLAN. Use the undo igmp-snooping vlan-mapping command to restore the default. By default, the VLAN tag carried in IGMP general and group-specific query messages is not changed.
Before configuring a port as a simulated host, enable IGMP Snooping in VLAN view first. The current port must belong to the specified VLAN; otherwise this configuration does not take effect. Examples # Configure Ethernet 1/0/1 in VLAN 1 as a simulated member host for multicast source 1.1.1.1 and multicast group 225.0.0.1.
Examples
# Configure ports Ethernet 1/0/1 to Ethernet 1/0/3 under VLAN-interface 1 as static member ports for multicast group 225.0.0.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] multicast static-group 225.0.0.1 interface Ethernet 1/0/1 to Ethernet 1/0/3

multicast static-group vlan
Syntax...
multicast static-router-port Syntax multicast static-router-port interface-type interface-number undo multicast static-router-port interface-type interface-number View VLAN view Parameters interface-type interface-number: Specifies a port by its type and number. Description Use the multicast static-router-port command to configure the specified port in the current VLAN as a static router port.
If the current port does not belong to any multicast VLAN but it belongs to the specified VLAN, the configuration takes effect in the specified VLAN. If the current port belongs to a multicast VLAN, the configuration takes effect only in the multicast VLAN, regardless of whether the port belongs to the specified VLAN.
Page 309
because multicast streams are transmitted only within the multicast VLAN. In addition, because the multicast VLAN is isolated from user VLANs, this method also enhances information security. One port belongs to only one multicast VLAN. The port connected to a user terminal must be a hybrid port. The multicast member port must be in the same multicast VLAN as the router port.
MLD Snooping Configuration Commands MLD Snooping Configuration Commands Only the S3100-EI series support MLD Snooping configuration commands. display mld-snooping group Syntax display mld-snooping group [ vlan vlan-id ] [ verbose ] View Any view Default Level 1: Monitor level Parameters vlan vlan-id: Displays the MLD snooping multicast group information in the specified VLAN, where vlan-id is in the range of 1 to 4094.
Eth1/0/1 (D) ( 00:01:30 ) IP group(s):the following ip group(s) match to one mac group. IP group address:FF1E::101 (::, FF1E::101): Attribute: Host Port Host port(s):total 1 port. Eth1/0/2 (D) ( 00:03:23 ) MAC group(s): MAC group address:3333-0000-0101 Host port(s):total 1 port. Eth1/0/2 Table 2-1 display mld-snooping group command output description Field...
Examples # View the statistics information of all kinds of MLD messages learned by MLD snooping. <Sysname> display mld-snooping statistics Received MLD general queries:0. Received MLDv1 specific queries:0. Received MLDv1 reports:0. Received MLD dones:0. Sent MLDv1 specific queries:0. Received MLDv2 reports:0. Received MLDv2 reports with right and wrong records:0.
Description Use the entry-limit command to configure the maximum number of entries in the MLD snooping forwarding table globally. Use the undo fast-leave command to restore the default. By default, the maximum number of entries in the MLD snooping forwarding table is 512. Examples # Configure the MLD snooping forwarding table to contain at most 512 entries.
host-aging-time (MLD-Snooping view) Syntax host-aging-time interval undo host-aging-time View MLD-Snooping view Default Level 2: System level Parameters interval: Dynamic member port aging time, in units of seconds. The effective range is 200 to 1,000. Description Use the host-aging-time command to configure the aging time of dynamic member ports globally. Use the undo host-aging-time command to restore the default setting.
Examples
# Set the MLD last listener query interval to 3 seconds globally.
<Sysname> system-view
[Sysname] mld-snooping
[Sysname-mld-snooping] last-listener-query-interval 3

max-response-time (MLD-Snooping view)
Syntax
max-response-time interval
undo max-response-time
View
MLD-Snooping view
Default Level
2: System level
Parameters
interval: Maximum response time for MLD general queries, in units of seconds. The effective range is 1 to 25.
Parameters None Description Use the mld-snooping command to enable MLD snooping globally and enter MLD-Snooping view. Use the undo mld-snooping command to disable MLD snooping globally. By default, MLD snooping is disabled. Related commands: mld-snooping enable. Examples # Enable MLD snooping globally and enter MLD-Snooping view. <Sysname>...
View
VLAN view
Default Level
2: System level
Parameters
None
Description
Use the mld-snooping enable command to enable MLD snooping in the current VLAN. Use the undo mld-snooping enable command to disable MLD snooping in the current VLAN. By default, MLD snooping is disabled in a VLAN. MLD snooping must be enabled globally before it can be enabled in a VLAN.
Related commands: mld-snooping.
Note that: This command works on MLD snooping–enabled VLANs. If you do not specify any VLAN when using this command in Ethernet interface view, the command will take effect for all VLANs the interface belongs to; if you specify a VLAN or multiple VLANs, the command will take effect only if the interface belongs to the specified VLAN(s).
[Sysname-vlan2] mld-snooping enable
[Sysname-vlan2] mld-snooping general-query source-ip fe80:0:0:1::1

mld-snooping group-limit
Syntax
mld-snooping group-limit limit [ vlan vlan-list ]
undo mld-snooping group-limit [ vlan vlan-list ]
View
Ethernet interface view
Default Level
2: System level
Parameters
limit: Maximum number of IPv6 multicast groups that can be joined on a port, in the range of 1 to 512.
vlan vlan-list: Defines one or multiple VLANs.
Parameters interval: Dynamic member port aging time, in seconds. The effective range is 200 to 1,000. Description Use the mld-snooping host-aging-time command to configure the aging time of dynamic member ports in the current VLAN. Use the undo mld-snooping host-aging-time command to restore the system default. By default, the dynamic member port aging time is 260 seconds.
This command works on MLD snooping–enabled VLANs, and the version of MLD on the simulated host depends on the version of MLD snooping running in the VLAN. The source-ip ipv6-source-address option in the command is meaningful only for MLD snooping version 2.
[Sysname-mld-snooping] quit [Sysname] vlan 2 [Sysname-vlan2] mld-snooping enable [Sysname-vlan2] mld-snooping last-listener-query-interval 3 mld-snooping max-response-time Syntax mld-snooping max-response-time interval undo mld-snooping max-response-time View VLAN view Default Level 2: System level Parameters interval: Maximum response time for MLD general queries, in units of seconds. The effective range is 1 to 25.
Parameters vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, by each of which you can specify an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID.
Before configuring this command in a VLAN, enable MLD Snooping in the VLAN.
Related commands: mld-snooping enable.
Examples
# Enable MLD Snooping and then MLD Snooping Proxying in VLAN 2.
<Sysname> system-view
[Sysname] mld-snooping
[Sysname-mld-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] mld-snooping enable
[Sysname-vlan2] mld-snooping proxying enable

mld-snooping querier
Syntax...
View VLAN view Default Level 2: System level Parameters interval: MLD query interval in seconds, namely the length of time the device waits between sending MLD general queries. The effective range is 2 to 300. Description Use the mld-snooping query-interval command to configure the MLD query interval. Use the undo mld-snooping query-interval command to restore the system default.
Description Use the mld-snooping report source-ip command to configure the source IPv6 address of the MLD reports sent by the MLD Snooping proxy. Use the undo mld-snooping report source-ip command to restore the default. By default, the source IPv6 address of the MLD reports sent by the MLD Snooping proxy is FE80::02FF:FFFF:FE00:0001.
mld-snooping static-group
Syntax
mld-snooping static-group ipv6-group-address [ source-ip ipv6-source-address ] vlan vlan-id
undo mld-snooping static-group ipv6-group-address [ source-ip ipv6-source-address ] vlan vlan-id
View
Ethernet interface view
Default Level
2: System level
Parameters
ipv6-group-address: Address of an IPv6 multicast group the port(s) will be configured to join as static member port(s).
mld-snooping static-router-port Syntax mld-snooping static-router-port vlan vlan-id undo mld-snooping static-router-port vlan vlan-id View Ethernet interface view Default Level 2: System level Parameters vlan vlan-id: Specifies a VLAN in which one or more static router ports are to be configured, where vlan-id is in the range of 1 to 4094.
Use the undo mld-snooping version command to restore the default setting. By default, the MLD version is 1. Note that: This command can take effect only if MLD snooping is enabled in the VLAN. Related commands: mld-snooping enable. Examples # Enable MLD snooping in VLAN 2, and set the MLD snooping version to version 2. <Sysname>...
report-aggregation (MLD-Snooping view) Syntax report-aggregation undo report-aggregation View MLD-Snooping view Default Level 2: System level Parameters None Description Use the mld-snooping report-aggregation command to enable MLD report suppression. Use the undo mld-snooping report-aggregation command to disable MLD report suppression. By default, MLD report suppression is enabled. This command works on MLD snooping–enabled VLANs.
This command works on MLD snooping–enabled VLANs. This command cannot clear MLD snooping multicast group information of static joining. Examples # Clear all MLD snooping multicast group information. <Sysname> reset mld-snooping group all reset mld-snooping statistics Syntax reset mld-snooping statistics View User view Default Level...
Page 335
Examples
# Set the aging time of dynamic router ports globally to 100 seconds.
<Sysname> system-view
[Sysname] mld-snooping
[Sysname-mld-snooping] router-aging-time 100
IPv6 Multicast VLAN Configuration Commands IPv6 Multicast VLAN Configuration Commands Only the S3100-EI series support IPv6 multicast VLAN configuration commands. display multicast-vlan ipv6 Syntax display multicast-vlan ipv6 [ vlan-id ] View Any view Default Level 1: Monitor level Parameters vlan-id: VLAN ID of an IPv6 multicast VLAN, in the range of 1 to 4094. If this argument is not provided, the information about all IPv6 multicast VLANs will be displayed.
multicast-vlan ipv6 Syntax multicast-vlan ipv6 vlan-id undo multicast-vlan ipv6 { all | vlan-id } View System view Default Level 2: System level Parameters vlan-id: Specifies a VLAN by its ID, in the range of 1 to 4094. all: Deletes all IPv6 multicast VLANs. Description Use the multicast-vlan ipv6 command to configure the specified VLAN as an IPv6 multicast VLAN and enter IPv6 multicast VLAN view.
Default Level 2: System level Parameters interface-list: Specifies a port in the form of interface-type interface-number, or a port range in the form of interface-type start-interface-number to interface-type end-interface-number, where the end interface number must be greater than the start interface number. all: Deletes all the ports in the current IPv6 multicast VLAN.
Multicast User Control Policy Commands Only the S3100-EI series support multicast user control policy commands. IPv4 Multicast User Control Policy Configuration Commands igmp-snooping access-policy Syntax igmp-snooping access-policy acl-number undo igmp-snooping access-policy { acl-number | all } View QoS profile view Default Level 2: System level Parameters...
IPv6 ACL Configuration Commands acl ipv6 Syntax acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ] undo acl ipv6 { all | name acl6-name | number acl6-number } View System view Default Level 2: System level Parameters number acl6-number: Specifies the number of the IPv6 ACL, which must be in the following ranges:...
<Sysname> system-view
[Sysname] acl ipv6 number 2002 name flow
[Sysname-acl6-basic-2002-flow]
# Enter the view of an IPv6 ACL that has no name by specifying its number.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]
# Enter the view of an IPv6 ACL that has a name by specifying its number.
<Sysname>...
The source IPv6 ACL and the destination IPv6 ACL must be of the same type. The new ACL does not take the name of the source IPv6 ACL.
Examples
# Copy ACL 2008 to generate ACL 2009.
<Sysname> system-view
[Sysname] acl ipv6 copy 2008 to 2009

acl ipv6 name
Syntax
acl ipv6 name acl6-name...
By default, an IPv6 ACL has no ACL description.
Examples
# Configure a description for IPv6 ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] description This acl is used in eth 0
# Configure a description for IPv6 ACL 3000.
<Sysname>...
Field | Description
ACL's step is 5 | The rules in this ACL are numbered in steps of 5.
5 times matched | There have been five matches for the rule. Only IPv6 ACL matches performed by software are counted. This field is not displayed when no match is found.
The description of ACL rule 0 is "This rule is used in GE 1/0/1."...
Page 346
View Basic IPv6 ACL view Default Level 2: System level Parameters rule-id: IPv6 ACL rule number, in the range 0 to 65534. deny: Drops matched packets. permit: Allows matched packets to pass. counting: Counts the matches of the IPv6 ACL rule. fragment: Indicates that the rule applies to only non-first fragments.
Page 348
Parameters Function Description This function requires that the module using the Specifies to log matched logging ACL (for example, a firewall using the ACL) packets support logging. Indicates that the rule applies to Without this keyword, the rule applies to all fragment only non-first fragments.
Page 349
Table 4-4 ICMPv6-specific parameters for advanced IPv6 ACL rules Parameters Function Description The icmpv6-type argument ranges from 0 to 255. icmpv6-type The icmpv6-code argument ranges from 0 to { icmpv6-type Specifies the ICMPv6 message 255. icmpv6-code | type and code. The icmpv6-message argument specifies a icmpv6-message } message name.
multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
Parameters
acl6-number: Basic or advanced IPv6 ACL number, in the range of 2000 to 3999.
The source address or address range specified in the advanced IPv6 ACL rule is used to match the IPv6 multicast source address(es) specified in MLDv2 reports, rather than the source address in the IPv6 packets. The system assumes that an MLDv1 report or an MLDv2 IS_EX or TO_EX report that does not carry an IPv6 multicast source address carries an IPv6 multicast source address of 0::0.
Parameters acl6-number: Basic or advanced IPv6 ACL number, in the range of 2000 to 3999. The IPv6 source address or address range specified in the advanced IPv6 ACL rule is the IPv6 multicast source address(es) specified in MLDv2 reports, rather than the source address in the IPv6 packets. The system assumes that an MLDv1 report or an MLDv2 IS_EX or TO_EX report that does not carry an IPv6 multicast source address carries an IPv6 multicast source address of 0::0.
Page 354
View QoS profile view Default Level 2: System level Parameters acl6-number: Basic or advanced IPv6 ACL number, in the range of 2000 to 3999. The source address or address range specified in the advanced ACL is used to match the multicast source address(es) specified in MLDv2 reports, rather than the source address in the IP packets.
Common Multicast Configuration Commands
Only the S3100-EI series support multicast source port suppression. The related commands are multicast-source-deny and display multicast-source-deny.
Only the S3100-EI series Ethernet switches support the pon-ignore keyword of the command unknown-multicast drop enable.

Common Multicast Configuration Commands
display mac-address multicast static
Syntax
display mac-address multicast static [ [ mac-address ] vlan vlan-id ] [ count ]...
Table 5-1 display mac-address multicast static command output description Field Description MAC ADDR MAC address VLAN ID The VLAN in which the MAC address is manually added State of the MAC address, which includes only Config static, indicating that STATE the table entry is manually added.
View System view Parameters mac-address: Multicast MAC address, in the form of H-H-H. interface interface-list: Specifies forwarding ports for the specified multicast MAC group address. With the interface-list argument, you can define one or more individual ports (in the form of interface-type interface-number) and/or one or more port ranges (in the form of interface-type interface-number1 to interface-type interface-number2, where interface-number2 must be greater than interface-number1).
Each multicast MAC address entry contains the multicast address, forwarding port, and VLAN ID information. Related commands: display mac-address multicast static. Examples # Create a multicast MAC address entry on Ethernet 1/0/1 in VLAN 1, with the multicast address of 0100-1000-1000.
# Enable the multicast source port suppression feature on Ethernet 1/0/1 through Ethernet 1/0/10 and on Ethernet 1/0/12.
[Sysname] multicast-source-deny interface Ethernet 1/0/1 to Ethernet 1/0/10 Ethernet 1/0/12
# Enable the multicast source port suppression feature on Ethernet 1/0/13.
[Sysname] interface Ethernet 1/0/13
[Sysname-Ethernet1/0/13] multicast-source-deny

unknown-multicast drop enable
Syntax...
Page 360
[Sysname] unknown-multicast drop enable...
802.1x Configuration Commands

802.1x Configuration Commands
display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ]
View
Any view
Parameter
sessions: Displays the information about 802.1x sessions.
statistics: Displays the statistics on 802.1x.
interface: Displays the 802.1x-related information about a specified port.
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
Page 364
ReAuth Period 3600 s, ReAuth MaxTimes Quiet Period 60 s, Quiet Period Timer is disabled Supp Timeout 30 s, Server Timeout 100 s Interval between version requests is 30s Maximal request times for version information is 3 The maximal retransmitting times EAD Quick Deploy configuration: Url: http: //192.168.19.23 Free-ip: 192.168.19.0 255.255.255.0...
Page 365
Field | Description
Handshake is enabled | The online user handshaking function is enabled.
Proxy trap checker is disabled | Whether or not to send Trap packets when detecting a supplicant system logs in through a proxy. Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through a proxy.
Field | Description
Proxy logoff checker is disabled | Whether or not to disconnect a supplicant system when detecting it logging in through a proxy. Disable means the switch does not disconnect a supplicant system when it detects that the latter logs in through a proxy.
In Ethernet port view, the interface-list argument is not available and the command enables 802.1x for only the current Ethernet port. 802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port. Configurations of 802.1x and the maximum number of MAC addresses that can be learnt are mutually exclusive.
Use the undo dot1x authentication-method command to revert to the default 802.1x authentication method. The default 802.1x authentication method is CHAP. PAP applies a two-way handshaking procedure. In this method, passwords are transmitted in plain text. CHAP applies a three-way handshaking procedure. In this method, user names are transmitted rather than passwords.
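To illustrate the PAP/CHAP difference described above, the following added example (not from the H3C manual) models both exchanges in Python and checks what an observer of the link would see. The CHAP response is computed as in RFC 1994 (MD5 over identifier, secret and challenge); the user name, password and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not from the manual).
USER = "alice"
PASSWORD = "S3cret-constructed"


def pap_request(username: str, password: str) -> dict:
    """PAP: the request carries the password itself, in plain text."""
    return {"username": username.encode(), "password": password.encode()}


def chap_challenge(identifier: int) -> dict:
    """Authenticator side: issue a fresh random challenge per attempt."""
    return {"id": identifier & 0xFF, "challenge": os.urandom(16)}


def _chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: response value = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(username: str, password: str, challenge_msg: dict) -> dict:
    """Supplicant side: send the user name and a digest, never the password."""
    digest = _chap_digest(challenge_msg["id"], password.encode(),
                          challenge_msg["challenge"])
    return {"id": challenge_msg["id"], "username": username.encode(),
            "response": digest}


def chap_verify(stored_password: str, challenge_msg: dict,
                response_msg: dict) -> bool:
    """Authenticator side: recompute the digest from the stored secret."""
    if response_msg["id"] != challenge_msg["id"]:
        return False
    expected = _chap_digest(challenge_msg["id"], stored_password.encode(),
                            challenge_msg["challenge"])
    return hmac.compare_digest(expected, response_msg["response"])


def on_the_wire(*messages: dict) -> bytes:
    """Concatenate every field value that crosses the link."""
    out = b""
    for msg in messages:
        for value in msg.values():
            out += bytes([value]) if isinstance(value, int) else value
    return out


def run_exchange() -> dict:
    """Run one PAP and two CHAP attempts and summarise the outcome."""
    secret = PASSWORD.encode()
    pap = pap_request(USER, PASSWORD)

    first = chap_challenge(1)
    answer = chap_response(USER, PASSWORD, first)

    # A response recorded earlier is presented again for a new challenge.
    second = chap_challenge(2)
    stale = dict(answer, id=second["id"])

    wrong = chap_response(USER, "not-the-password", first)
    return {
        "pap_exposes_password": secret in on_the_wire(pap),
        "chap_exposes_password": secret in on_the_wire(first, answer),
        "chap_accepts_valid": chap_verify(PASSWORD, first, answer),
        "chap_accepts_stale_response": chap_verify(PASSWORD, second, stale),
        "chap_accepts_wrong_password": chap_verify(PASSWORD, first, wrong),
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```
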
Failing authentication means being denied by the authentication server due to reasons such as wrong password. Authentication failures caused by authentication timeout or network connection problems do not fall into this category. You must enable MAC VLAN for an MAFV to take effect. After an MAFV takes effect, if you change the port access method from macbased to portbased, the established MAFV entries will be removed.
System View: return to User View with Ctrl+Z. [Sysname] dot1x dhcp-launch dot1x guest-vlan Syntax dot1x guest-vlan vlan-id [ interface interface-list ] undo dot1x guest-vlan [ interface interface-list ] View System view, Ethernet port view Parameter vlan-id: VLAN ID of a Guest VLAN, in the range 1 to 4094. interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
Handshaking packets need the support of the H3C-proprietary client. They are used to test whether or not a user is online. Because non-H3C clients do not support the online user handshaking function, switches cannot receive handshaking acknowledgement packets from them in handshaking periods. To prevent users from being falsely considered offline, you need to disable the online user handshaking function in this case.
dot1x handshake secure Syntax dot1x handshake secure undo dot1x handshake secure View Ethernet port view Parameter None Description Use the dot1x handshake secure command to enable the handshaking packet secure function, which protects the device against attacks that result from simulated clients. Use the undo dot1x handshake secure command to disable the handshaking packet secure function.
Description Use the dot1x mandatory-domain command to specify the mandatory authentication domain for users accessing the port. Use the undo dot1x mandatory-domain command to remove the mandatory authentication domain. By default, no mandatory authentication domain is specified. Note that: When authenticating an 802.1X user trying to access the port, the system selects an authentication domain in the following order: the mandatory domain, the ISP domain specified in the username, and the default ISP domain.
Related command: display dot1x. Example # Configure the maximum number of users that port Ethernet1/0/1 can accommodate to be 32. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dot1x max-user 32 interface Ethernet 1/0/1 dot1x port-control Syntax dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ] undo dot1x port-control [ interface interface-list ] View...
Related command: display dot1x. Example # Specify Ethernet1/0/1 port to operate in unauthorized-force access control mode. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dot1x port-control unauthorized-force interface Ethernet 1/0/1 dot1x port-method Syntax dot1x port-method { macbased | portbased } [ interface interface-list ] undo dot1x port-method [ interface interface-list ] View System view, Ethernet port view...
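The 802.1x settings described above can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the H3C manual: the configuration layout (sections separated by "#", per-port commands under an interface line), the sample texts and the finding codes are assumptions constructed for illustration.

```python
"""Offline audit of the 802.1x commands covered in this chapter."""
import re

# Constructed sample: PAP selected, 802.1x enabled on ports but not globally,
# and one port forced into the authorized state.
WEAK_CONFIG = """\
#
 dot1x authentication-method pap
#
interface Ethernet1/0/1
 dot1x
 dot1x port-control authorized-force
#
interface Ethernet1/0/2
 dot1x
#
"""

# Constructed sample: the same ports with the corrected settings.
HARDENED_CONFIG = """\
#
 dot1x
 dot1x authentication-method chap
#
interface Ethernet1/0/1
 dot1x
 dot1x port-control auto
#
"""

# Hypothetical finding codes used by this example only.
FINDINGS = {
    "pap-plaintext": "PAP transmits passwords in plain text; CHAP is the default",
    "enabled-on-port-only": "802.1x takes effect only when enabled globally and on the port",
    "authorized-force": "port is forced authorized, so users are not authenticated",
}


def parse_sections(text):
    """Split a configuration into global commands and per-interface commands."""
    global_cmds, ports, current = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())      # normalise indentation and spacing
        if not line or line == "#":       # "#" closes the current section
            current = None
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            ports.setdefault(current, [])
            continue
        (global_cmds if current is None else ports[current]).append(line)
    return global_cmds, ports


def audit(text):
    """Return a list of (scope, finding_code) tuples in configuration order."""
    global_cmds, ports = parse_sections(text)
    findings = []

    method = "chap"                       # default method stated in the manual
    for cmd in global_cmds:
        m = re.fullmatch(r"dot1x authentication-method (\S+)", cmd)
        if m:
            method = m.group(1)
    if method == "pap":
        findings.append(("global", "pap-plaintext"))

    if any(c.startswith("dot1x port-control authorized-force") for c in global_cmds):
        findings.append(("global", "authorized-force"))

    globally_enabled = "dot1x" in global_cmds
    for name, cmds in ports.items():
        if "dot1x" in cmds and not globally_enabled:
            findings.append((name, "enabled-on-port-only"))
        if "dot1x port-control authorized-force" in cmds:
            findings.append((name, "authorized-force"))
    return findings


if __name__ == "__main__":
    for scope, code in audit(WEAK_CONFIG):
        print(f"{scope}: {FINDINGS[code]}")
```
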
Use the undo dot1x quiet-period command to disable the quiet-period timer. When a user fails to pass the authentication, the authenticator system (such as an H3C series Ethernet switch) will stay quiet for a period (determined by the quiet-period timer) before it performs another authentication.
dot1x retry Syntax dot1x retry max-retry-value undo dot1x retry View System view Parameter max-retry-value: Maximum number of times that a switch sends authentication request packets to a user. This argument ranges from 1 to 10. Description Use the dot1x retry command to specify the maximum number of times that a switch sends authentication request packets to a user.
Description Use the dot1x retry-version-max command to set the maximum number of times that a switch sends version request packets to a user. Use the undo dot1x retry-version-max command to revert to the default value. By default, a switch sends version request packets to a user up to 3 times. After a switch sends a version request packet to a user, it sends another version request packet if it does not receive a response from the user after a specific period of time (as determined by the client version request timer).
In Ethernet port view, the interface-list argument is not available and 802.1x re-authentication is enabled on the current port only. 802.1x must be enabled globally and on the current port before 802.1x re-authentication can be configured on a port. Example # Enable 802.1x re-authentication on port Ethernet 1/0/1.
IE proxy after the user passes the authentication. The 802.1x proxy checking function needs the cooperation of H3C's 802.1x client program. The proxy checking function takes effect only after the client version checking function is enabled on the switch (using the dot1x version-check command).
System View: return to User View with Ctrl+Z. [Sysname] dot1x supp-proxy-check logoff [Sysname] dot1x supp-proxy-check logoff interface Ethernet 1/0/1 to Ethernet 1/0/8 # Configure the switch to send Trap packets if users connected to port Ethernet1/0/9 are detected logging in through proxies. [Sysname] dot1x supp-proxy-check trap [Sysname] dot1x supp-proxy-check trap interface Ethernet 1/0/9 dot1x timer...
sends another request/challenge packet to the supplicant system if the switch does not receive the response from the supplicant system when this timer times out. The supp-timeout-value argument ranges from 10 to 120 (in seconds). By default, the supplicant system timer is set to 30 seconds. tx-period tx-period-value: Sets the transmission timer.
dot1x timer reauth-period Syntax dot1x timer reauth-period reauth-period-value undo dot1x timer reauth-period View System view Parameter reauth-period reauth-period-value: Specifies re-authentication interval, in seconds. After this timer expires, the switch initiates 802.1x re-authentication. The value of the reauth-period-value argument ranges from 60 to 7,200. Description Use the dot1x timer reauth-period command to configure the interval for 802.1x re-authentication.
Examples # Enable the unicast trigger function for Ethernet 1/0/1. <Sysname> system-view [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] dot1x unicast-trigger dot1x version-check Syntax dot1x version-check [ interface interface-list ] undo dot1x version-check [ interface interface-list ] View System view, Ethernet port view Parameter interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet...
reset dot1x statistics Syntax reset dot1x statistics [ interface interface-list ] View User view Parameter interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dot1x free-ip 192.168.19.23 24 dot1x timer acl-timeout Syntax dot1x timer acl-timeout acl-timeout-value undo dot1x timer acl-timeout View System view Parameters acl-timeout-value: ACL timeout period (in minutes), in the range of 1 to 1440. Description Use the dot1x timer acl-timeout command to configure the ACL timeout period.
Examples # Configure the URL for HTTP redirection. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dot1x url http://192.168.19.23...
View Any view Parameter None Description Use the display habp table command to display the MAC address table maintained by HABP. Example # Display the MAC address table maintained by HABP. <Sysname> display habp table Holdtime Receive Port 001f-3c00-0030 Ethernet1/0/1 Table 3-2 Description on the fields of the display habp table command Field Description...
Table 3-3 Description on the fields of the display habp traffic command
Field | Description
Packets output | Number of the HABP packets sent
Input | Number of the HABP packets received
ID error | Number of the HABP packets with ID errors
Type error | Number of the HABP packets with type errors
Version error | Number of the HABP packets with version errors...
Parameter vlan-id: VLAN ID, ranging from 1 to 4094. Description Use the habp server vlan command to configure a switch to operate as an HABP server. This command also specifies the VLAN where HABP packets are broadcast. Use the undo habp server vlan command to revert to the default HABP mode. By default, a switch operates as an HABP client.
System-Guard Configuration Commands (For S3100-EI) The command introduced in this chapter is only supported by the S3100-EI series switches. System-Guard Configuration Commands display system-guard attack-record Syntax display system-guard attack-record View Any view Parameter None Description Use the display system-guard attack-record command to display the record of detected attacks. Example # Display the record of detected attacks.
Table 4-1 Description on the fields of display system-guard attack-record
Field | Description
Target No | Number of the attack record
Range | Control range of the attack
Packet type | Type of the attack packet
Port | Number of the port being attacked
MAC address | Source MAC address of the attack packet
IP address | Source IP address of the attack packet...
Table 4-2 Description on the fields of the display system-guard state command
Field | Description
System-guard Status | The enable/disable status of the system-guard function
Permitted Interfaces | Interfaces enabled with the system-guard function
Detect Threshold | The threshold for the number of packets when an attack is detected
Isolated Time...
View System view Parameter None Description Use the system-guard enable command to enable the system-guard feature. Use the undo system-guard enable command to disable the system-guard feature. By default, the system-guard feature is disabled. Related command: display system-guard state. Example # Enable the system-guard feature.
Example # Apply the system-guard function to Ethernet1/0/1 through Ethernet1/0/10 ports. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] system-guard permit Ethernet 1/0/1 to Ethernet 1/0/10 system-guard timer-interval Syntax system-guard timer-interval isolate-timer undo system-guard timer-interval View System view Parameter isolate-timer: Length of the isolation after an attack is detected, in the range of 1 to 10,000 in minutes.
System-Guard Configuration Commands (For S3100-SI) The command introduced in this chapter is only supported by the S3100-SI series switches. System-guard Configuration Commands display system-guard config Syntax display system-guard config View Any view Parameter None Description Use the display system-guard config command to display current system-guard configuration and the attacked ports.
system-guard enable Syntax system-guard enable undo system-guard enable View System view Parameter None Description Use the system-guard enable command to enable the system-guard function. Use the undo system-guard enable command to disable the system-guard function. By default, the system-guard function is disabled. Example # Enable the system-guard function.
Use the undo system-guard mode command to revert to the default system-guard configuration. Related command: display system-guard config. Example # Implement the system-guard function by means of port rate limit, with the checking interval being 5 seconds, the threshold being 100, and the timeout time being 30 seconds. <Sysname>...
After system-guard is enabled on a port, if the number of packets the port received and sent to the CPU in a specified interval exceeds the specified threshold, the system considers that the port is under attack and begins to limit the packet receiving rate on the port (this function is also called inbound rate limit).
AAA Configuration Commands AAA Configuration Commands access-limit Syntax access-limit { disable | enable max-user-number } undo access-limit View ISP domain view Parameters disable: Specifies not to limit the number of access users that can be contained in current ISP domain. enable max-user-number: Specifies the maximum number of access users that can be contained in current ISP domain.
View ISP domain view Parameters local: Performs local accounting. It is not used for charging purposes, but for collecting statistics and limiting the number of local user connections. none: Specifies not to perform user accounting. radius-scheme radius-scheme-name: Specifies to use a RADIUS accounting scheme. Here, radius-scheme-name is the name of a RADIUS scheme;...
View ISP domain view Parameters local: Performs local accounting. It is not used for charging purposes, but for collecting statistics and limiting the number of local user connections. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters. Description Use the accounting login command to configure the accounting method for login users. Use the undo accounting login command to restore the default. By default, the default accounting method is used for login users.
The accounting optional command is commonly used in cases where only authentication is needed and accounting is not needed. If you configure the accounting optional command in ISP domain view, it applies to all users in the domain; if you configure it in RADIUS scheme view, it applies to the users for whom the RADIUS scheme is used.
Use the undo attribute command to cancel attribute settings of the user. You can use the display local-user command to view the settings of the attributes. Examples # Create local user user1 and set the IP address attribute of user1 to 10.110.50.1, allowing only the user using the IP address of 10.110.50.1 to use the account user1 for authentication.
If you execute the authentication hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary authentication scheme in case no TACACS server is available. That is, if the communication between the switch and a TACACS server is normal, no local authentication will be performed;...
Description Use the authentication lan-access command to configure the authentication method for LAN access users. Use the undo authentication lan-access command to restore the default. By default, the default authentication method is used for LAN access users. Note that the RADIUS scheme specified for the current ISP domain must have been configured. Related commands: authentication, radius scheme.
HWTACACS scheme must exist. The S3100 series switches adopt hierarchical protection for command lines so as to inhibit users at lower levels from using higher level commands to configure the switches. For details about configuring a HWTACACS authentication scheme for low-to-high user level switching, refer to Switching User Level in the Command Line Interface Operation.
Examples # Set the HWTACACS scheme to ht for user level switching in the current ISP domain aabbcc.net. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] domain aabbcc.net New Domain added. [Sysname-isp-aabbcc.net] authentication super hwtacacs-scheme ht authorization Syntax authorization { local | none | hwtacacs-scheme hwtacacs-scheme-name [ local ] } undo authorization...
authorization login Syntax authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } undo authorization login View ISP domain view Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters. local: Performs local authorization.
Parameters string: Number or descriptor of the authorized VLAN for the current user, a string of 1 to 32 characters. If it is a numeral string and there is a VLAN with the number configured, it specifies the VLAN. If it is a numeral string but no VLAN is present with the number, it specifies the VLAN using it as the VLAN descriptor.
interface interface-type interface-number: Cuts down all user connections under a specified port. Here, interface-type is a port type and interface-number is a port number. ip ip-address: Cuts down all user connections with a specified IP address. ipv6 ipv6-address: Cuts down all user connections with a specified IPv6 address. mac mac-address: Cuts down the user connection with a specified MAC address.
ip ip-address: Displays all user connections with a specified IP address. ipv6 ipv6-address: Displays all user connections with a specified IPv6 address. mac mac-address: Displays the user connection with a specified MAC address. Here, mac-address is in hexadecimal format (in the form of H-H-H). radius-scheme radius-scheme-name: Displays all user connections using a specified RADIUS scheme.
Table 1-1 Description of the Port NO field
Bits | Meaning
31 to 28 bit | UNIT ID
27 to 24 bit | Slot number
23 to 20 bit | Sub-slot number
19 to 12 bit | Port number
11 to 0 bit | VLAN ID
display domain Syntax display domain [ isp-name ] View...
Field | Description
Vlan-assignment-mode | VLAN assignment mode, which can be Integer or String.
Domain User Template | Domain user template settings, that is, attribute settings for all users in the domain.
Idle-Cut | Status of the idle-cut function
Self-service URL | Self-service URL for password changing
Settings of the messenger time service, which is for reminding online users of their remaining online time.
Examples # Display information about all local users. <Sysname> display local-user The contents of local user test: State: Active ServiceType Mask: L Idle-cut: Enable Idle TimeOut: 3600 seconds Access-limit: Enable Current AccessNum: 1 Max AccessNum: 1024 Bind location: 127.0.0.1/1/0/2 (NAS/UNITID/SUBSLOT/PORT) Vlan ID: Authorization VLAN: IP address:...
View System view Parameters isp-name: Name of an ISP domain, a string of up to 128 characters. This string cannot contain the following characters: /\:*?<>|. If the domain name includes one or more “~” characters and the last “~” is followed by numerals, it must be followed by at least five numerals to avoid confusion.
domain delimiter Syntax domain delimiter { at | dot } undo domain delimiter View System view Parameters at: Specifies “@” as the delimiter between the username and the ISP domain name. dot: Specifies “.” as the delimiter between the username and the ISP domain name. Description Use the domain delimiter command to specify the delimiter form between the username and the ISP domain name.
Parameters disable: Disables the idle-cut function for the domain. enable: Enables the idle-cut function for the domain. minute: Maximum idle time in minutes, ranging from 1 to 120. flow: Minimum traffic in bytes, ranging from 1 to 10,240,000. Description Use the idle-cut command to set the user idle-cut function in current ISP domain. If a user’s traffic in the specified period of time is less than the specified amount, the system will disconnect the user.
If the configured authentication method is none or password authentication, the command level that a user can access after login is determined by the level of the user interface. If the configured authentication method requires a username and a password, the command level that a user can access after login is determined by the privilege level of the user.
Examples # Add a local user named user1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] local-user user1 New local user added. [Sysname-luser-user1] # Add a local user named 01234567891234567 (note that it will appear as 012345678912345~0000 in the view prompt).
System View: return to User View with Ctrl+Z. [Sysname] local-user password-display-mode cipher-force messenger Syntax messenger time { enable limit interval | disable } undo messenger time View ISP domain view Parameters limit: Time limit in minutes, ranging from 1 to 60. The switch will send prompt messages at regular intervals to users whose remaining online time is less than this limit.
Parameters string: Assigned VLAN name, a string of up to 32 characters. Description Use the name command to set a VLAN name, which will be used for VLAN assignment. Use the undo name command to cancel the VLAN name. By default, a VLAN uses its VLAN ID (like VLAN 0001) as its assigned VLAN name. This command is used in conjunction with the dynamic VLAN assignment function.
With the cipher keyword specified, a password of up to 16 characters in plain text will be encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text will be encrypted into a password of 88 characters in cipher text. For a password of 24 characters, if the system can decrypt the password, the system treats it as a password in cipher text.
scheme Syntax scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] } undo scheme [ none | radius-scheme | hwtacacs-scheme ] View ISP domain view Parameters radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters. hwtacacs-scheme-name: Name of a HWTACACS scheme, a string of up to 32 characters.
[Sysname] domain aabbcc.net New Domain added. [Sysname-isp-aabbcc.net] scheme radius-scheme raduis1 local scheme lan-access Syntax scheme lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] } undo scheme lan-access View ISP domain view Parameters radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters. local: Specifies to use local authentication.
scheme login Syntax scheme login { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] } undo scheme login View ISP domain view Parameters radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters. local: Specifies to use local authentication.
self-service-url Syntax self-service-url { disable | enable url-string } undo self-service-url View ISP domain view Parameters url-string: URL of the web page used to modify user password on the self-service server. It is a string of 1 to 64 characters. This string cannot contain any question mark "?". If the actual URL of the self-service server contains a question mark, you should change it to a vertical bar "|".
View Local user view Parameters ftp: Specifies that this is an FTP user. lan-access: Specifies that this is a LAN access user (who is generally an Ethernet access user, for example, 802.1x user). telnet: Authorizes the user to access the Telnet service. ssh: Authorizes the user to access the SSH service.
Description Use the state command to set the status of current ISP domain (in ISP domain view) or current local user (in local user view). By default, an ISP domain/local user is in the active state once it is created. After an ISP domain is set to the block state, except for online users, users in this domain are inhibited from accessing the network.
The dynamic VLAN assignment feature enables a switch to dynamically add the ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access. In actual applications, to use this feature together with Guest VLAN, it is recommended that you set port control to port-based mode.
Examples # Set the VLAN assignment mode of the domain aabbcc.net to string. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] domain aabbcc.net New Domain added. [Sysname-isp-aabbcc.net] vlan-assignment-mode string RADIUS Configuration Commands accounting optional Syntax accounting optional undo accounting optional View RADIUS scheme view...
accounting start-mode Syntax accounting start-mode { with-ip | without-ip } View RADIUS scheme view Parameters with-ip: Specifies the mode in which the device must obtain the IP address of a requesting client and add the IP address to an accounting start request before this request can be sent to the RADIUS server. without-ip: Specifies the mode in which the device sends the RADIUS server an accounting start request without the IP address of the requesting client.
After configuring the accounting-on enable command, you need to execute the save command so that the command can take effect when the switch restarts. This function requires the cooperation of the H3C CAMS system. Related commands: nas-ip. Examples # Enable the user re-authentication at restart function for the RADIUS scheme named radius1.
[Sysname] radius scheme radius1 [Sysname-radius-radius1] attribute-ignore standard type 28 # Configure RADIUS scheme radius1 to ignore H3C’s attribute 22. The vendor ID of H3C is 25506. [Sysname-radius-radius1] attribute-ignore vendor 25506 type 22 # Stop the RADIUS scheme from ignoring the standard RADIUS attributes, so that the scheme accepts all standard RADIUS attributes assigned to it.
[Sysname-radius-radius1] undo attribute-ignore standard # Stop the RADIUS scheme from ignoring H3C’s attributes, so that the scheme accepts all H3C RADIUS attributes assigned to it. [Sysname-radius-radius1] undo attribute-ignore vendor 25506 # Stop the RADIUS scheme from ignoring any attributes, so that the scheme accepts all RADIUS attributes assigned to it.
View RADIUS scheme view Parameters data: Sets the data unit of outgoing RADIUS flows, which can be byte, giga-byte, kilo-byte, or mega-byte. packet: Sets the packet unit of outgoing RADIUS flows, which can be one-packet, giga-packet, kilo-packet, or mega-packet. Description Use the data-flow-format command to set the units of RADIUS data flows to RADIUS servers.
<Sysname> display local-server statistics On Unit 1: The localserver packet statistics: Receive: Send: Discard: Receive Packet Error: Auth Receive: Auth Send: Acct Receive: Acct Send: display radius scheme Syntax display radius scheme [ radius-scheme-name ] View Any view Parameters radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters. Description Use the display radius scheme command to display configuration information about one specific or all RADIUS schemes...
Primary Acc State=active, Second Acc State=block ------------------------------------------------------------------ Total 1 RADIUS scheme(s). 1 listed Table 1-5 Description on the fields of the display radius scheme command Field Description SchemeName Name of the RADIUS scheme Index Index number of the RADIUS scheme Type Type of the RADIUS servers IP address/port number of the primary authentication...
display radius statistics Syntax display radius statistics View Any view Parameters None Description Use the display radius statistics command to display the RADIUS message statistics. Related commands: radius scheme. Examples # Display RADIUS message statistics. <Sysname> display radius statistics state statistic(total=1048): DEAD=1048 AuthProc=0 AuthSucc=0...
You can choose to display the buffered stop-accounting requests of a specified RADIUS scheme, session (by session ID), or user (by username). You can also specify a time range to display those generated within the specified time range. The displayed information helps you diagnose and resolve RADIUS problems.
The two parties verify the validity of the RADIUS messages received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key. The authentication/authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication/authorization server and the shared key on the accounting server.
Examples # Enable UDP ports for local RADIUS services. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] local-server enable local-server nas-ip Syntax local-server nas-ip ip-address key password undo local-server nas-ip ip-address View System view Parameters nas-ip ip-address: Specifies the IP address of a network access server (NAS) that can use the local RADIUS services.
[Sysname] local-server nas-ip 10.110.1.2 key aabbcc nas-ip Syntax nas-ip { ip-address | ipv6 ipv6-address } undo nas-ip View RADIUS scheme view Parameters ip-address: Source IP address for RADIUS messages, an IP address of this device. This address can neither be the all 0's address nor be a Class-D address. ipv6 ipv6-address: Specifies an IPv6 address.
# Specify the IP address of the primary accounting server for RADIUS scheme radius1 as 10.110.1.2, the UDP port of the server as 1813, and the shared key of accounting packets as key1. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key key1 primary authentication Syntax primary authentication { ip-address | ipv6 ipv6-address } [ port-number ] [ key string ]...
key string is not configured here, the shared key configured in the key command in RADIUS scheme view will be used. The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails. Related commands: key, radius scheme, state. Examples # Set the IP address and UDP port number of the primary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.1 and 1812 respectively.
Examples # Disable the RADIUS authentication and accounting ports. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] undo radius client enable radius nas-ip Syntax radius nas-ip { ip-address | ipv6 ipv6-address } undo radius nas-ip View System view Parameters ip-address: Source IP address to be set, an IP address of this device.
You can set only one source IP address by using this command. When you execute this command again, the newly set source IP address overwrites the old one. Related commands: nas-ip. Examples # Set source address 129.10.10.1 for outgoing RADIUS messages. <Sysname>...
Examples # Create a RADIUS scheme named radius1 and enter its view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] radius scheme radius1 New Radius scheme [Sysname-radius-radius1] radius trap Syntax radius trap { authentication-server-down | accounting-server-down } undo radius trap { authentication-server-down | accounting-server-down } View System view...
Examples # Delete the stop-accounting requests buffered for user user0001@aabbcc.net. <Sysname> reset stop-accounting-buffer user-name user0001@aabbcc.net # Delete the stop-accounting requests buffered from 0:0:0 08/31/2002 to 23:59:59 08/31/2002. <Sysname> reset stop-accounting-buffer time-range 00:00:00-08/31/2002 23:59:59-08/31/2002 retry Syntax retry retry-times undo retry View RADIUS scheme view Parameters retry-times: Maximum number of transmission attempts of a RADIUS request, ranging from 1 to 20.
retry realtime-accounting Syntax retry realtime-accounting retry-times undo retry realtime-accounting View RADIUS scheme view Parameters retry-times: Maximum allowed number of continuous real-time accounting failures, ranging from 1 to 255. Description Use the retry realtime-accounting command to set the maximum allowed number of continuous real-time accounting failures.
Examples # Set the maximum allowed number of continuous real-time accounting failures for RADIUS scheme radius1 to 10. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] radius scheme radius1 New Radius scheme [Sysname-radius-radius1] retry realtime-accounting 10 retry stop-accounting Syntax retry stop-accounting retry-times undo retry stop-accounting...
View RADIUS scheme view Parameters ip-address: IP address of the secondary authentication/authorization server to be used, in dotted decimal notation. ipv6 ipv6-address: IPv6 address of the secondary authentication/authorization server. port-number: UDP port number of the secondary authentication/authorization server, ranging from 1 to 65535.
Parameters extended: Supports H3C's RADIUS server (generally a CAMS), that is, the switch uses the procedures and message format of the private RADIUS protocol to interact with an H3C RADIUS server. standard: Supports a standard RADIUS server, that is, the switch uses the procedures and message format of the standard RADIUS protocol (RFC 2865/2866 or above) to interact with a standard RADIUS server.
When the switch fails to communicate with the primary server due to some server trouble, the switch will turn to the secondary server and exchange messages with the secondary server. After the primary server remains in the block state for a set time (set by the timer quiet command), the switch will try to communicate with the primary server again when it receives a RADIUS request.
Examples
# Set the status of the secondary accounting server with IPv6 address 1:1::2:5 to block.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] state secondary accounting ipv6 1:1::2:5 block

stop-accounting-buffer enable
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable...
timer Syntax timer seconds undo timer View RADIUS scheme view Parameters seconds: Response timeout time of RADIUS servers, ranging from 1 to 10 seconds. Description Use the timer command to set the response timeout time of RADIUS servers (that is, the timeout time of the response timeout timer of RADIUS servers).
View RADIUS scheme view Parameters minutes: Wait time before primary server state restoration, ranging from 1 to 255 minutes. Description Use the timer quiet command to set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active. Use the undo timer quiet command to restore the default wait time.
server is, the shorter the interval can be. It is recommended to set the interval as long as possible when the number of users is relatively large (≥1000). Table 1-6 lists the recommended intervals for different numbers of users. Table 1-6 Numbers of users and recommended intervals Number of users Real-time accounting interval 1 to 99...
switch gets no answer before the response timeout timer expires, it needs to retransmit the request to ensure that the user can obtain RADIUS service. Appropriately setting the timeout time of this timer according to your network situation can improve the performance of your system.
For an 802.1x user, if you have specified to use EAP authentication, the switch will encapsulate and send the contents from the client directly to the server. In this case, the configuration of the user-name-format command is not effective. Related commands: radius scheme. Examples # Specify to exclude ISP domain names from the usernames to be sent to RADIUS server in RADIUS scheme radius1.
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte
[Sysname-hwtacacs-hwt1] data-flow-format packet kilo-packet

display hwtacacs
Syntax
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]
View
Any view
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 characters. This name is case-insensitive.
Traffic-unit Packet traffic-unit : one-packet display stop-accounting-buffer Syntax display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name View Any view Parameters hwtacacs-scheme hwtacacs-scheme-name: Displays the buffered stop-accounting requests of a specified HWTACACS scheme. Here, hwtacacs-scheme-name is a string of up to 32 characters. Description Use the display stop-accounting-buffer command to display stop-accounting requests buffered in the switch.
You can specify the source address of outgoing HWTACACS messages to prevent messages returned from the server from failing to reach their destination because of physical interface trouble. It is recommended to use a Loopback interface address as the source IP address. You can specify only one source IP address by using this command.
View HWTACACS scheme view Parameters accounting: Sets a shared key for HWTACACS accounting messages. authentication: Sets a shared key for HWTACACS authentication messages. authorization: Sets a shared key for HWTACACS authorization messages. string: Shared key to be set, a string of up to 16 characters. Description Use the key command to configure a shared key for HWTACACS authentication, authorization or accounting messages.
You can set only one source IP address by using this command. When you execute this command again, the newly set source IP address overwrites the old one. Related commands: display hwtacacs. Examples # Set source IP address 10.1.1.1 for outgoing HWTACACS messages in HWTACACS scheme hwt1. <Sysname>...
primary authentication Syntax primary authentication ip-address [ port ] undo primary authentication View HWTACACS scheme view Parameters ip-address: IP address of the primary authentication server to be used, a valid unicast address in dotted decimal notation. port: Port number of the primary authentication server, ranging from 1 to 65535. Description Use the primary authentication command to set the IP address and port number of the primary HWTACACS authentication server to be used by the current scheme.
Parameters ip-address: IP address of the primary authorization server to be used, a valid unicast address in dotted decimal notation. port: Port number of the primary authorization server, ranging from 1 to 65535. Description Use the primary authorization command to set the IP address and port number of the primary HWTACACS authorization server to be used by the current scheme.
Examples
# Clear all HWTACACS protocol statistics.
<Sysname> reset hwtacacs statistics all

reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
View
User view
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Deletes the buffered stop-accounting requests of a specified HWTACACS scheme. Here, hwtacacs-scheme-name is the name of a HWTACACS scheme, which is a string of up to 32 characters.
Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.
Examples
# Enable the stop-accounting request retransmission function and set the maximum number of transmission attempts of a request to 50.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] retry stop-accounting 50

secondary accounting
Syntax...
secondary authentication Syntax secondary authentication ip-address [ port ] undo secondary authentication View HWTACACS scheme view Parameters ip-address: IP address of the secondary authentication server to be used, a valid unicast address in dotted decimal notation. port: Port number of the secondary authentication server, ranging from 1 to 65535. Description Use the secondary authentication command to set the IP address and port number of the secondary HWTACACS authentication server to be used by the current scheme.
Parameters ip-address: IP address of the secondary authorization server, a valid unicast address in dotted decimal notation. port: Port number of the secondary authorization server, ranging from 1 to 65535. Description Use the secondary authorization command to set the IP address and port number of the secondary HWTACACS authorization server to be used by the current scheme.
Examples
# Configure the switch to wait 10 minutes before it tries to restore the status of the primary server to active.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10

timer realtime-accounting
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting...
Examples
# Set the real-time accounting interval in HWTACACS scheme hwt1 to 51 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
HWTACACS scheme view
Parameters...
without-domain: Specifies to exclude ISP domain names from the usernames to be sent to TACACS server. Description Use the user-name-format command to set the format of the usernames to be sent to TACACS server. By default, the usernames sent to TACACS server in a HWTACACS scheme carry ISP domain names. Note that: Generally, an access user is named in the userid@isp-name format.
EAD Configuration Commands Only the S3100-EI series switches support the EAD configuration. EAD Configuration Commands security-policy-server Syntax security-policy-server ip-address undo security-policy-server { ip-address | all } View RADIUS scheme view Parameters ip-address: IP address of a security policy server. all: IP addresses of all security policy servers. Description Use the security-policy-server command to set the IP address of a security policy server.
MAC Address Authentication Configuration Commands MAC Address Authentication Basic Function Configuration Commands display mac-authentication Syntax display mac-authentication [ interface interface-list ] View Any view Parameters interface interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
--- 1 silent mac address(es) found. ---
Ethernet1/0/1 is link-up
MAC address authentication is Enabled
max-auth-num is 256
Guest VLAN is 2
Authenticate success: 1, failed: 0
Current online user number is 1
MAC Addr Authenticate state AuthIndex
000d-88f8-4e71 MAC_AUTHENTICATOR_SUCCESS
……(The following is omitted)
Table 1-1 Description on the fields of the display mac-authentication command
Field...
Field Description
Max allowed user number: The maximum number of users supported by the switch. It is 1,024 by default.
Current user number amounts to: The current number of users
Current domain: The current domain. It is not configured by default.
Parameters None Description Use the mac-authentication command to enable MAC address authentication globally or on the current port. Use the undo mac-authentication command to disable MAC address authentication globally or on the current port. By default, MAC address authentication is disabled both globally and on a port. When being executed in system view, the mac-authentication command enables MAC address authentication globally.
Parameters interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Parameters usernameformat: Specifies the input format of the username and password. with-hyphen: Uses hyphened MAC addresses as usernames and passwords, for example, 00-05-e0-1c-02-e3. without-hyphen: Uses MAC addresses without hyphens as usernames and passwords, for example, 0005e01c02e3. lowercase: Uses lowercase MAC addresses as usernames and passwords. uppercase: Uses uppercase MAC addresses as usernames and passwords.
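The username formats listed above decide the exact string the switch presents as both username and password, so the accounts on the RADIUS server must match the configured format character for character. The following added example (not part of the H3C manual) renders a MAC address in each format and audits a list of RADIUS usernames against it; the function names and the sample account list are hypothetical, and exact-match username comparison on the RADIUS server is an assumption.

```python
import re

HYPHEN_MODES = ("with-hyphen", "without-hyphen")
CASE_MODES = ("lowercase", "uppercase")


def normalize_mac(mac):
    """Strip '-', ':' and '.' separators and return 12 lowercase hex digits.

    Accepts the xxxx-xxxx-xxxx form shown by display mac-authentication
    as well as xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx and bare hex.
    """
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits.lower()


def mac_auth_username(mac, hyphen="without-hyphen", case="lowercase"):
    """Render a MAC address as the usernameformat keywords describe."""
    if hyphen not in HYPHEN_MODES or case not in CASE_MODES:
        raise ValueError("unknown format: %s %s" % (hyphen, case))
    digits = normalize_mac(mac)
    if hyphen == "with-hyphen":
        # One hyphen between every pair of hex digits: 00-05-e0-1c-02-e3
        digits = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits.upper() if case == "uppercase" else digits


def audit_accounts(usernames, hyphen, case):
    """Compare RADIUS usernames with the format configured on the switch.

    Returns (ok, wrong_format, not_mac):
      ok           usernames already in the configured format
      wrong_format {existing username: string the switch will actually send}
      not_mac      usernames that are not MAC addresses (for example the
                   fixed-mode user name), left for manual review
    """
    ok, wrong_format, not_mac = [], {}, []
    for name in usernames:
        try:
            expected = mac_auth_username(name, hyphen, case)
        except ValueError:
            not_mac.append(name)
            continue
        if name == expected:
            ok.append(name)
        else:
            wrong_format[name] = expected
    return ok, wrong_format, not_mac


# Constructed sample: usernames as they might exist on a RADIUS server.
SAMPLE_ACCOUNTS = ["00-0d-88-f8-4e-71", "0005E01C02E3", "vipuser"]

if __name__ == "__main__":
    ok, wrong, other = audit_accounts(SAMPLE_ACCOUNTS, "with-hyphen", "lowercase")
    print("match:", ok)
    for old, new in wrong.items():
        print("rename %s -> %s" % (old, new))
    print("not MAC-based:", other)
```
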
Examples
# Use the user name in fixed mode for MAC address authentication.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication authmode usernamefixed

mac-authentication authpassword
Syntax
mac-authentication authpassword password
undo mac-authentication authpassword
View
System view
Parameters
password: Password to be set, a string comprising 1 to 63 characters.
By default, the user name in fixed mode is “mac”.
Examples
# Set the user name to vipuser in fixed mode.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication authusername vipuser

mac-authentication domain
Syntax
mac-authentication domain isp-name
undo mac-authentication domain
View
System view...
Parameters offline-detect-value: Offline detect timer, which specifies the idle timeout interval (in seconds) for users. At this interval, the switch checks whether there is traffic from each user. If receiving no traffic from a user within two consecutive intervals, the switch logs the user out and notifies the RADIUS server. The value range for the offline-detect-value argument is 0 to 3000000.
The offline detect timer configured in system view applies to all MAC authentication-enabled ports. The offline detect timer configured in Ethernet port view applies to the current port only. You can set the offline detect timer to different values on different Ethernet ports. The offline detect timer configured in Ethernet port view takes precedence over the one configured in system view.
View Ethernet interface view Parameters authfail-vlan-id: ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. The VLAN must already exist. Description Use the mac-authentication auth-fail vlan command to specify an Auth-Fail VLAN for MAC authentication.
Description Use the mac-authentication guest-vlan command to configure a MAC authentication guest VLAN for the current port. If the client connected to the port fails in the MAC authentication, the port will be added to the guest VLAN, and thus the users accessing the port can access network resources in the guest VLAN.
Parameter None Description Use the mac-authentication intrusion-mode block-mac enable command to enable the quiet MAC function on a port. When this function is enabled, the MAC address connected to this port will be set as a quiet MAC address if its authentication fails. When this function is disabled, the MAC address will not become quiet regardless of whether authentication fails.
If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port at the same time, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
Web Authentication Configuration Commands Web Authentication Configuration Commands Currently, only the S3100-EI series support Web authentication. display web-authentication configuration Syntax display web-authentication configuration View Any view Parameters None Description Use the display web-authentication configuration command to display all Web authentication configurations, including global configurations and configurations on individual ports.
Table 1-1 Description on the fields of display web-authentication configuration
Field Description
Status: Global status of Web authentication
Protocol: Access protocol for Web authentication, HTTP or HTTPS
Web Server: IP address and port number of the Web authentication server
Idle-cut time: Idle user checking interval
Max-online time: Maximum online time specified for Web authentication users...
State: ONLINE Online-Time(s): 8 Total 1 connection(s) matched Table 1-2 Description on the fields of display web-authentication connection Field Description Username Name of an online Web-authentication user MAC address of the user Interface Access port of the user VLAN VLAN the user belongs to Access method of the user, shared, designated, or Method extended.
By default, no customized information is configured to be displayed on Web authentication pages.
Examples
# Customize information to be displayed on Web authentication pages as follows:
Company name: H3C Technologies
E-mail: customer_service@h3c.com
Phone number: +86-571-86760000...
Subject: A leading global supplier of IP-based products and solutions
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] web-authentication customize corp-name H3C Technologies
[Sysname] web-authentication customize email customer_service@h3c.com
[Sysname] web-authentication customize phone-num +86-571-86760000
[Sysname] web-authentication customize platform-name A leading global supplier of IP-based...
interface-type interface-number: Specifies all users on a port.
Description
Use the web-authentication cut connection command to forcibly log out the specified or all users.
Examples
# Forcibly log out all online users on Ethernet 1/0/2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] web-authentication cut connection interface Ethernet1/0/2

web-authentication enable
Syntax...
Description Use the web-authentication free-ip command to set a free IP address range, which can be accessed by users before they pass Web authentication. Use the undo web-authentication free-ip command to remove the setting or all such settings. By default, no free IP address range is set. The to-be-set free IP address range cannot include the Web authentication server’s IP address.
By default, no web authentication-free user is configured. Note that: In system view, if you provide the interface interface-list parameter, the command configures a web authentication-free user on the specified ports; otherwise, the command configures a web authentication-free user globally. In Ethernet interface view, the command configures a web authentication-free user for the port and the interface-list argument is not available.
web-authentication move-mode Syntax web-authentication move-mode { auto | secure } undo web-authentication move-mode View System view Parameters auto: Auto mode. In this mode, a web authenticated user can move between ports in the same access VLAN without needing re-authentication and the switch keeps the user in authenticated state on the new port after transition.
Description Use the web-authentication protocol command to specify the access protocol for Web authentication. If you specify the access protocol as HTTPS, authentication information exchanged between the switch and its clients will be in ciphertext. Use the undo web-authentication protocol command to restore the default. By default, HTTP is used between the switch and its clients.
Extended: In this method, a hybrid port allows multiple Web authentication users to get online at the same time. This configuration takes effect only when Web authentication is enabled globally. If Web authentication is not enabled globally, this configuration will only be saved. It is not allowed to enable Web authentication on a port in an aggregation group.
Examples
# Set the idle user checking interval to 500 seconds for Web authentication.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] web-authentication timer idle-cut 500

web-authentication timer max-online
Syntax
web-authentication timer max-online timer
undo web-authentication timer max-online
View
System view
Parameters...
Use the undo web-authentication web-proxy port command to delete all proxy server ports configured for web authentication. By default, no proxy server port is configured. Note that: Up to eight proxy server ports can be configured. The port configured using this command cannot be the one used in the web-authentication web-server ip ip-address port port-number command;...
ARP Configuration Commands ARP Configuration Commands arp check enable Syntax arp check enable undo arp check enable View System view Parameters None Description Use the arp check enable command to enable the ARP entry checking function on a switch. Use the undo arp check enable command to disable the ARP entry checking function. With the ARP entry checking function enabled, the switch cannot learn any ARP entry with a multicast MAC address.
VLAN. By default, ARP attack detection is disabled on the switch. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Enable ARP attack detection on all ports in VLAN 1.
ARP packet receiving rate after a specified period. By default, the port state auto-recovery function is disabled. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Enable the port state auto-recovery function of the switch.
By default, when the port state auto-recovery function is enabled, the recovery interval is 300 seconds. Note that: Among S3100 series switches, only S3100-EI series switches support the two commands. You need to enable the port state auto-recovery feature before you can configure the auto-recovery interval.
Use the undo arp rate-limit enable command to disable the ARP packet rate limit function on the port. By default, the ARP packet rate limit function is disabled, that is, ARP packet rate is not limited on a port. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Enable the ARP packet rate limit function on Ethernet 1/0/11.
Use the undo arp restricted-forwarding enable command to disable ARP restricted forwarding. By default, ARP restricted forwarding is disabled. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Related commands: arp detection enable, arp detection trust. Examples # Enable ARP restricted forwarding in VLAN 1.
Static ARP entries are valid as long as the Ethernet switch operates normally. But some operations, such as removing a VLAN, or removing a port from a VLAN, will make the corresponding ARP entries invalid and therefore removed automatically. As for the arp static command, the value of the vlan-id argument must be the ID of an existing VLAN, and the port identified by the interface-type and interface-number arguments must belong to the VLAN.
View Any view Parameters dynamic: Displays dynamic ARP entries. static: Displays static ARP entries. ip-address: IP address. ARP entries containing the IP address are to be displayed. Description Use the display arp command to display specific ARP entries. If you execute this command with no keyword/argument specified, all the ARP entries are displayed. Related commands: arp static, reset arp.
display arp | Syntax display arp [ dynamic | static] | { begin | exclude | include } regular-expression View Any view Parameters dynamic: Displays dynamic ARP entries. static: Displays static ARP entries. |: Uses a regular expression to specify the ARP entries to be displayed. For detailed information about regular expressions, refer to Configuration File Management Command in this manual.
If ARP attack detection is disabled, the statistics of ARP trusted port state and discarded invalid ARP packets will not be displayed. Note that among S3100 series switches, only S3100-EI series switches support the command. Examples # Display ARP detection statistics on Ethernet 1/0/10.
View System view Parameters None Description Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function. Then, a switch receiving a gratuitous ARP packet can add the IP and MAC addresses carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry for the ARP packet in the cache.
Table of Contents
1 DHCP Server Configuration Commands
DHCP Server Configuration Commands
accounting domain
bims-server
dhcp enable
dhcp select global
dhcp select interface
dhcp server bims-server
dhcp server detect
dhcp server dns-list
dhcp server domain-name
dhcp server expired
dhcp server forbidden-ip
dhcp server ip-pool...
2 DHCP Snooping Configuration Commands
DHCP Snooping Configuration Commands
dhcp-snooping
dhcp-snooping information enable
dhcp-snooping information format
dhcp-snooping information packet-format
dhcp-snooping information remote-id
dhcp-snooping information strategy
dhcp-snooping information vlan circuit-id
dhcp-snooping information vlan remote-id
dhcp-snooping server-guard enable
dhcp-snooping server-guard method
dhcp-snooping server-guard source-mac...
DHCP Server Configuration Commands DHCP Server Configuration Commands The contents of this chapter are only applicable to the S3100-EI series among S3100 Series Ethernet Switches. accounting domain Syntax accounting domain domain-name undo accounting domain View DHCP address pool view Parameters domain-name: Name of a domain, a string of 1 to 24 characters.
bims-server Syntax bims-server ip ip-address [ port port-number ] sharekey key undo bims-server View DHCP address pool view Parameters ip ip-address: Specifies the IP address of the remote BIMS server. port port-number: Specifies the port number of the remote BIMS. The port-number argument ranges from 1 to 65534.
Description Use the dhcp enable command to enable DHCP. Use the undo dhcp enable command to disable DHCP. By default, DHCP is enabled. You need to enable DHCP before performing other DHCP-related configurations. To improve security and avoid malicious attacks on unused sockets, S3100 Ethernet switches provide the following functions: UDP ports 67 and 68 used by DHCP are enabled/disabled only when DHCP is enabled/disabled.
Parameters interface interface-type interface-number [ to interface-type interface-number ]: Specifies the interface(s) to operate in global address pool mode. The interface-type argument specifies an interface type; the interface-number argument specifies an interface number; the interface interface-type interface-number [ to interface-type interface-number ] keyword and argument combination specifies an interface range.
Parameters interface interface-type interface-number [ to interface-type interface-number ]: Specifies the interface(s) to operate in interface address pool mode. The argument interface-type indicates interface type, interface-number indicates interface number. interface-type interface-number [ to interface-type interface-number ] specifies an interface range. all: Specifies all interfaces to operate in interface address pool mode.
[Sysname] dhcp select interface all

dhcp server bims-server
Syntax
dhcp server bims-server ip ip-address [ port port-number ] sharekey key { interface interface-type interface-number [ to interface-type interface-number ] | all }
undo dhcp server bims-server { interface interface-type interface-number [ to interface-type interface-number ] | all }
View
System view...
undo dhcp server detect View System view Parameters None Description Use the dhcp server detect command to enable the unauthorized DHCP server detection function. With this feature enabled, upon receiving a DHCP request, the DHCP server will record the IP addresses of any DHCP servers which ever assigned an IP address to the DHCP client and the receiving interface.
Parameters ip-address&<1-8>: IP address of a DNS server. &<1-8> means you can provide up to eight DNS server IP addresses. When inputting more than one DNS server IP address, separate two neighboring IP addresses with a space. interface interface-type interface-number [ to interface-type interface-number ]: Specifies the interface(s), through which you can specify the corresponding interface address pools.
undo dhcp server domain-name { interface interface-type interface-number [ to interface-type interface-number ] | all } View System view, VLAN interface view Parameters domain-name: Domain name suffix of the DHCP clients whose IP addresses are from the specified interface address pool(s). This argument is a string of 3 to 50 characters. interface interface-type interface-number [ to interface-type interface-number ]: Specifies the interface(s), through which you can specify the corresponding interface address pool(s).
dhcp server expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited } undo dhcp server expired In system view, use the following commands to configure the lease time of the IP addresses in multiple DHCP interface address pools.
[Sysname] dhcp server expired day 2 interface Vlan-interface 2 to Vlan-interface 5

dhcp server forbidden-ip
Syntax
dhcp server forbidden-ip low-ip-address [ high-ip-address ]
undo dhcp server forbidden-ip low-ip-address [ high-ip-address ]
View
System view
Parameters
low-ip-address: IP address that is not available for being assigned to DHCP clients automatically (An IP address of this kind is known as a forbidden IP address).
# Forbid the IP addresses in the range 10.110.1.1 to 10.110.1.63 to be automatically assigned.
[Sysname] dhcp server forbidden-ip 10.110.1.1 10.110.1.63

dhcp server ip-pool
Syntax
dhcp server ip-pool pool-name
undo dhcp server ip-pool pool-name
View
System view
Parameters
pool-name: Name of a DHCP address pool, which uniquely identifies the address pool. This argument is a string of 1 to 35 characters.
[Sysname-dhcp-pool-0] dhcp server nbns-list Syntax In VLAN interface view, use the following commands to configure WINS server IP address(es) in the current DHCP interface address pool for the client. dhcp server nbns-list ip-address&<1-8> undo dhcp server nbns-list { ip-address | all } In system view, use the following commands to configure WINS server IP addresses in multiple DHCP interface address pools for the client.
System View: return to User View with Ctrl+Z.
# Configure the WINS server IP address 10.12.1.99 in all the DHCP interface address pools for the DHCP client.
[Sysname] dhcp server nbns-list 10.12.1.99 all
dhcp server netbios-type
Syntax
In VLAN interface view, use the following commands to configure the NetBIOS node type of the DHCP clients whose IP addresses are from the current DHCP interface address pool.
Use the undo dhcp server netbios-type command to restore the default NetBIOS node type. By default, no NetBIOS node type is specified. After the WINS server IP address is configured for the client in the DHCP interface address pool, the client uses the hybrid node (h-node). Related commands: netbios-type, dhcp server nbns-list.
interface-type argument specifies an interface type; the interface-number argument specifies an interface number; the interface interface-type interface-number [ to interface-type interface-number ] keyword and argument combination specifies an interface range. all: Specifies all interface address pools. Description Use the dhcp server option command to customize DHCP options for the specified DHCP interface address pool(s).
System View: return to User View with Ctrl+Z.
# Set the maximum number of the echo request packets to 10, and the response timeout time to 300 milliseconds.
[Sysname] dhcp server ping packets 10
[Sysname] dhcp server ping timeout 300
dhcp server relay information enable
Syntax
dhcp server relay information enable...
client-identifier: Client ID of a static binding, a string of 4 to 160 characters in the format H-H-H…, each H indicates 4 hex digits except the last H that indicates 2 or 4 hex digits. For example, aabb-cccc-dd is a valid ID, while aabb-c-dddd and aabb-cc-dddd are both invalid. mac-address: MAC address to which the IP address is statically bound.
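The client-identifier format rule above can be checked before bindings are pushed to a switch. The following is an added example, not part of the H3C manual; the function names, the sample configuration text and the acceptance of upper-case hex digits are assumptions.

```python
import re
import string

# Assumption: upper-case and lower-case hex digits are both accepted.
HEX_DIGITS = set(string.hexdigits)
# Matches the one configuration line form this check looks at.
BIND_LINE = re.compile(r"^\s*static-bind\s+client-identifier\s+(\S+)\s*$")


def check_client_identifier(cid):
    """Return None when cid fits the documented H-H-H... format, else the first problem found."""
    # Documented length limit: 4 to 160 characters, hyphens included.
    if not 4 <= len(cid) <= 160:
        return f"length {len(cid)} is outside 4..160"
    groups = cid.split("-")
    for pos, group in enumerate(groups, start=1):
        is_last = pos == len(groups)
        if not group:
            return f"group {pos} is empty"
        bad = [ch for ch in group if ch not in HEX_DIGITS]
        if bad:
            return f"group {pos} contains non-hex character {bad[0]!r}"
        # Every group is 4 hex digits; only the last one may be 2 or 4.
        allowed = (2, 4) if is_last else (4,)
        if len(group) not in allowed:
            want = " or ".join(str(n) for n in allowed)
            return f"group {pos} has {len(group)} hex digits, expected {want}"
    return None


def audit_static_binds(config_text):
    """Return [(line_number, identifier, problem)] for each rejected client-identifier binding."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = BIND_LINE.match(line)
        if match:
            problem = check_client_identifier(match.group(1))
            if problem:
                findings.append((number, match.group(1), problem))
    return findings


# Constructed sample text; the last three identifiers are malformed on purpose.
SAMPLE_CONFIG = """\
dhcp server ip-pool 0
 static-bind ip-address 10.1.1.1 mask 255.255.255.0
 static-bind client-identifier aaaa-bbbb
dhcp server ip-pool 1
 static-bind client-identifier aabb-cccc-dd
dhcp server ip-pool 2
 static-bind client-identifier aabb-c-dddd
dhcp server ip-pool 3
 static-bind client-identifier aabb-cc-dddd
dhcp server ip-pool 4
 static-bind client-identifier aabb-ccgg
"""

if __name__ == "__main__":
    for number, cid, problem in audit_static_binds(SAMPLE_CONFIG):
        print(f"line {number}: {cid}: {problem}")
```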
# Enable the DHCP server to support all the sub-options of Option 184 in VLAN-interface 1. The NCP IP address is 1.1.1.1 and the IP address of the alternate server is 2.2.2.2. The voice VLAN is enabled, with the ID being 3. The fail-over IP address is 3.3.3.3 and the dial number string is 99*.
[Sysname-Vlan-interface1] dhcp select interface
[Sysname-Vlan-interface1] dhcp server voice-config ncp-ip 1.1.1.1
[Sysname-Vlan-interface1] dhcp server voice-config as-ip 2.2.2.2...
Page 552
View Any view Parameters ip ip-address: Specifies an IP address. pool [ pool-name ]: Specifies a global address pool. The pool-name argument, a string of 1 to 35 characters, is the name of an address pool. If you do not provide this argument, this command applies to all global address pools.
Table 1-2 Description on the fields of the display dhcp server expired command
Field: Description
Global pool: The information about the expired IP addresses of global address pools
Interface pool: The information about the expired IP addresses of interface address pools
IP address: Bound IP addresses
User ID or MAC addresses to which IP...
Page 554
pool [ pool-name ]: Specifies a global address pool. The pool-name argument, a string of 1 to 35 characters, is the name of an address pool. If you do not provide this argument, this command applies to all global address pools. interface [ interface-type interface-number ]: Specifies a VLAN interface.
display dhcp server statistics Syntax display dhcp server statistics View Any view Parameters None Description Use the display dhcp server statistics command to display the statistics on a DHCP server. Related commands: reset dhcp server statistics. Examples # Display the statistics on a DHCP server. <Sysname>...
Pool Number Number of address pools Auto Number of the automatically bound IP addresses Manual Number of the manually bound IP addresses Expire Number of the expired IP addresses Boot Request: Dhcp Discover: Dhcp Request: Statistics about the DHCP packets received from DHCP clients Dhcp Decline: Dhcp Release:...
expired 1 0 0
Pool name: test1234
network 10.1.1.0 mask 255.255.255.0
Parent node:test123
option 30 hex AA BB
expired 1 0 0
Interface pool:
Pool name: Vlan-interface2
network 192.168.2.0 mask 255.255.255.0
gateway-list 192.168.2.1
expired 1 0 0
Table 1-5 Description on the fields of the display dhcp server tree command
Field Description
Global pool...
Page 558
Parameters ip-address&<1-8>: IP address of a DNS server. &<1-8> string means you can provide up to eight DNS server IP addresses. When inputting more than one IP address, separate two neighboring IP addresses with a space. all: Specifies all configured DNS server IP addresses. Description Use the dns-list command to configure one or multiple DNS server IP addresses in a DHCP global address pool for the DHCP client.
Page 559
Examples
# Enter system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
# Configure the domain name suffix mydomain.com in the DHCP global address pool 0 for the DHCP client.
[Sysname] dhcp server ip-pool 0
[Sysname-dhcp-pool-0] domain-name mydomain.com
expired
Syntax
expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }...
gateway-list Syntax gateway-list ip-address&<1-8> undo gateway-list { ip-address | all } View DHCP address pool view Parameters ip-address&<1-8>: IP address of a gateway. &<1-8> means you can provide up to eight gateway IP addresses. When inputting more than one IP address, separate two neighboring IP addresses with a space.
all: Specifies all configured WINS server IP addresses. Description Use the nbns-list command to configure one or multiple WINS server IP addresses in the DHCP global address pool for the DHCP client. Use the undo nbns-list command to remove one or all WINS server IP addresses configured for the DHCP client.
By default, no NetBIOS node type is specified in a DHCP global address pool for the DHCP client. After the WINS server IP address is configured for the client in the DHCP global address pool, the client uses the hybrid node (h-node). Related commands: dhcp server ip-pool, dhcp server netbios-type, nbns-list.
Parameters ip ip-address: Specifies an IP address, whose conflict statistics will be cleared. all: Clears all address conflict statistics. Description Use the reset dhcp server conflict command to clear address conflict statistics. Related commands: display dhcp server conflict. Examples # Clear all address conflict statistics. <Sysname>...
View User view Parameters None Description Use the reset dhcp server statistics command to clear the statistics on a DHCP server, such as the number of DHCP unrecognized packets/request packets/response packets. Related commands: display dhcp server statistics. Examples # Clear the statistics on a DHCP server. <Sysname>...
<Sysname> system-view
System View: return to User View with Ctrl+Z.
# Bind the host aaaa-bbbb with the IP address 10.1.1.1. The mask is 255.255.255.0.
[Sysname] dhcp server ip-pool 0
[Sysname-dhcp-pool-0] static-bind ip-address 10.1.1.1 mask 255.255.255.0
[Sysname-dhcp-pool-0] static-bind client-identifier aaaa-bbbb
static-bind ip-address
Syntax
static-bind ip-address ip-address [ mask mask ]
undo static-bind ip-address...
static-bind mac-address Syntax static-bind mac-address mac-address undo static-bind mac-address View DHCP address pool view Parameters mac-address: MAC address of the host to which the IP address is to be bound. You need to provide this argument in the form of H-H-H. Description Use the static-bind mac-address command to specify a MAC address to which an IP address will be bound statically in a DHCP global address pool.
Page 568
View DHCP address pool view Parameters ncp-ip ip-address: Specifies the IP address of the primary network calling processor. as-ip ip-address: Specifies the IP address of the backup network calling processor. voice-vlan vlan-id: Specifies the voice VLAN ID, in the range of 2 to 4094. disable: Disables the specified VLAN, meaning DHCP clients will not take this VLAN as their voice VLAN.
DHCP Snooping Configuration Commands
dhcp-snooping
Syntax
dhcp-snooping
undo dhcp-snooping
View
System view
Parameters
None
Description
Use the dhcp-snooping command to enable the DHCP snooping function.
Use the undo dhcp-snooping command to disable the DHCP snooping function.
After DHCP snooping is disabled, all the ports can forward DHCP replies from the DHCP server without recording the IP-to-MAC bindings of the DHCP clients.
Option 82 as HEX or ASCII. By default, the Option 82 is in HEX format. Note that among S3100 series switches, only S3100-EI series switches support the two commands. The dhcp-snooping information format command applies only to the default content of the Option 82 field.
Option 82 as the extended or standard one. By default, the padding format for Option 82 is the extended one. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Configure the padding format for Option 82 as the standard one.
By default, the remote ID sub-option in Option 82 is the MAC address of the DHCP Snooping device that received the DHCP client’s request. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Configure the remote ID sub-option of Option 82 as the system name (sysname) of the DHCP snooping device.
Page 573
Enable DHCP-snooping and DHCP-snooping Option 82 before performing this configuration. If a handling policy is configured on a port, this configuration overrides the globally configured handling policy for requests received on this port, while the globally configured handling policy applies on those ports where a handling policy is not natively configured. Examples # Configure the keep handling policy for DHCP requests that contain Option 82 on the DHCP snooping device.
Page 574
Ethernet port view, the former circuit ID applies to the DHCP messages from the specified VLAN, while the latter one applies to DHCP messages from other VLANs. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Set the circuit ID field in Option 82 of the DHCP messages sent through Ethernet 1/0/1 to abc.
Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Configure the remote ID of Option 82 in DHCP packets to abc on the port Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z.
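To verify what a DHCP snooping device actually placed in Option 82, the circuit ID and remote ID sub-options can be read from a captured options field. The following is an added example, not part of the H3C manual: it assumes the plain code/length/value layout of RFC 3046 (sub-option 1 is the circuit ID, sub-option 2 the remote ID), does not model the extended or standard padding formats named above, and its function names and sample bytes are constructed.

```python
OPT_PAD = 0            # single-byte filler, carries no length field
OPT_END = 255          # single-byte terminator of the options field
OPT_RELAY_INFO = 82    # relay agent information option (Option 82)
SUB_CIRCUIT_ID = 1     # circuit ID sub-option
SUB_REMOTE_ID = 2      # remote ID sub-option


class MalformedOption(ValueError):
    """A length field is missing or points past the end of the buffer."""


def iter_tlvs(buf, top_level):
    """Yield (code, value) for each code/length/value triple in buf.

    top_level=True applies the pad and end rules of the DHCP options field;
    the sub-options inside Option 82 have no pad or end codes.
    """
    pos = 0
    while pos < len(buf):
        code = buf[pos]
        if top_level and code == OPT_PAD:
            pos += 1
            continue
        if top_level and code == OPT_END:
            return
        if pos + 1 >= len(buf):
            raise MalformedOption(f"code {code} at offset {pos} has no length byte")
        length = buf[pos + 1]
        end = pos + 2 + length
        if end > len(buf):
            raise MalformedOption(
                f"code {code} at offset {pos} claims {length} bytes, "
                f"only {len(buf) - pos - 2} remain")
        yield code, bytes(buf[pos + 2:end])
        pos = end


def parse_option82(options):
    """Return the sub-options of the first Option 82 found, or None if there is none."""
    for code, value in iter_tlvs(options, top_level=True):
        if code != OPT_RELAY_INFO:
            continue
        result = {"circuit_id": None, "remote_id": None, "other": {}}
        for sub, data in iter_tlvs(value, top_level=False):
            if sub == SUB_CIRCUIT_ID:
                result["circuit_id"] = data
            elif sub == SUB_REMOTE_ID:
                result["remote_id"] = data
            else:
                result["other"][sub] = data
        return result
    return None


def render(value):
    """Show a sub-option as ASCII text, as an H-H-H MAC address, or as plain hex.

    Heuristic: printable bytes are shown as text, so a 6-byte value made only
    of printable bytes is shown as text rather than as a MAC address.
    """
    if value and all(0x20 <= b <= 0x7E for b in value):
        return value.decode("ascii")
    if len(value) == 6:
        h = value.hex()
        return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"
    return value.hex()


# Constructed sample: message type option, then Option 82 carrying the
# circuit ID "abc" and a 6-byte MAC address as remote ID, then the end code.
SAMPLE_MAC = bytes.fromhex("000fe2003100")
SAMPLE_OPTIONS = (bytes([53, 1, 3]) + bytes([OPT_RELAY_INFO, 13, SUB_CIRCUIT_ID, 3])
                  + b"abc" + bytes([SUB_REMOTE_ID, 6]) + SAMPLE_MAC + bytes([OPT_END]))

if __name__ == "__main__":
    info = parse_option82(SAMPLE_OPTIONS)
    print("circuit ID:", render(info["circuit_id"]))
    print("remote ID: ", render(info["remote_id"]))
```

A request whose sub-option lengths do not add up raises MalformedOption instead of returning partial fields, which is the case worth logging when reviewing requests that already carry Option 82.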
By default, the unauthorized DHCP server detection handling method is trap. Note that: Among S3100 series switches, only S3100-SI series switches support the two commands. A port shut down administratively is in the closed state and cannot receive or forward packets;...
By default, the source MAC address of DHCP-DISCOVER messages is the bridge MAC address of the switch. Note that among S3100 series switches, only S3100-SI series switches support the two commands. Examples # Specify the source MAC address for DHCP-DISCOVER messages as 000f-e200-3100.
display dhcp-snooping
Syntax
display dhcp-snooping [ unit unit-id ]
View
Any view
Parameters
unit unit-id: Indicates the number of the device whose DHCP-snooping information needs to be viewed. The value is 1.
Description
Use the display dhcp-snooping command to display the user IP-MAC address mapping entries recorded by the DHCP snooping function.
Description Use the display dhcp-snooping server-guard command to display information about unauthorized DHCP server detection. Note that among S3100 series switches, only S3100-SI series switches support this command. Examples # Display information about unauthorized DHCP server detection. <Sysname> display dhcp-snooping server-guard DHCP-Snooping is enabled.
If you specify a VLAN, all the IP static binding entries for the specified VLAN will be displayed. If you specify a port, all the IP static binding entries for the specified port will be displayed. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Display all IP static binding entries configured.
Page 581
By default, the filtering of the IP packets received through a port based on the source IP address or source MAC address of the packets is disabled. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Enable the filtering of the IP packets received through port Ethernet 1/0/11 based on the source IP address of the packets.
IP address cannot pass the IP filtering. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Related commands: ip check source ip-address. Examples # Configure static binding among source IP address 1.1.1.1, source MAC address 0015-e20f-0101, and...
Page 583
Description
Use the reset dhcp-snooping command to remove DHCP snooping entries from a switch. If no ip-address is specified, all DHCP snooping entries are removed.
Examples
# Remove all DHCP snooping entries from the switch.
<Sysname> reset dhcp-snooping
dhcp protective-down recover interval Syntax dhcp protective-down recover interval interval undo dhcp protective-down recover interval View System view Parameters interval: Interval (in seconds) for a port disabled due to the DHCP traffic exceeding the set threshold to be brought up again. This argument ranges from 10 to 86,400. Description Use the dhcp protective-down recover interval command to set an auto recovery interval.
Description Use the dhcp rate-limit command to configure the maximum rate of DHCP traffic for the port. When the number of DHCP packets received on the port per second exceeds the specified threshold, the switch will discard the exceeding DHCP packets. Use the undo dhcp rate-limit command to restore the default.
Description Use the display dhcp client command to display the information about the address allocation of DHCP clients. Note that S3100 series Ethernet switches that operate as DHCP clients support a maximum lease duration of 24 days currently. Examples # Display the information about the address allocation of DHCP clients.
Table 4-1 Description on the fields of the display dhcp client command
Field: Description
Vlan-interface1: VLAN interface operating as a DHCP client to obtain an IP address dynamically
Current machine state: The state of the client state machine
Allocated IP: IP address allocated to the DHCP client
lease: Lease period...
To improve security and avoid malicious attacks on unused sockets, S3100 Ethernet switches provide the following functions: UDP ports 67 and 68 used by DHCP are enabled/disabled only when DHCP is enabled/disabled. The implementation is as follows:
After the DHCP client is enabled by executing the ip address dhcp-alloc command, UDP port 68 is enabled.
Table 4-2 Description on the fields of the display bootp client command
Field: Description
Vlan-interface1: VLAN-interface 1 is configured to obtain an IP address through BOOTP.
Allocated IP: IP address allocated to the VLAN interface
Transaction ID: Value of the XID field in BOOTP packets
Mac Address: MAC address of the BOOTP client
Default router...
ACL Configuration Commands
H3C S3100-SI Series Ethernet switches support basic ACLs and advanced ACLs; S3100-EI Series Ethernet switches support basic ACLs, advanced ACLs, Layer 2 ACLs, and IPv6 ACLs.
ACL Configuration Commands
Syntax
acl number acl-number [ match-order { auto | config } ]...
By default, ACL rules are matched in the order they are defined. Only after the rules in an existing ACL are fully removed can you modify the match order of the ACL. In ACL view, you can use the rule command to add rules to the ACL. Related commands: rule.
Examples
# Assign description string “This ACL is used for filtering all HTTP packets” to ACL 3000.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] description This ACL is used for filtering all HTTP packets
# Use the display acl command to view the configuration information of ACL 3000.
[Sysname-acl-adv-3000] display acl 3000
Advanced ACL 3000, 0 rule...
According to the output, you can determine the number of resources consumed by a certain type of ACL rules and whether the exhaustion of resources causes the failure to assign ACL rules. Only H3C S3100-EI series switches support this command. Example # Display information about the remaining ACL resources.
Field Description Remaining Number Number of remaining resources Start Port Name Start port number and end port number corresponding to the entry End Port Name display ipv6-acl-template Syntax display ipv6-acl-template View Any view Parameter None Description Use the display ipv6-acl-template command to display the IPv6 ACL template configuration information.
Displays information about packet filtering on the VLAN specified by vlan-id. Description Use the display packet-filter command to display information about packet filtering. Only H3C S3100-EI series switches support this command. Example # Display information about packet filtering on the switch.
Description Use the display time-range command to display the configuration and status of a time range or all the time ranges. For active time ranges, this command displays “Active”; for inactive time ranges, this command displays “Inactive”. Related commands: time-range. Examples # Display all time ranges.
If there is already a template, you need to remove it to configure a new one. If the template is referenced by an IPv6 ACL rule that has been applied, you cannot remove it. Only H3C S3100-EI series switches support this command. Example # Configure an IPv6 ACL template to match the source address and destination address fields in IPv6 packets.
Page 601
Use the undo packet-filter command to cancel the assignment of an ACL. Only H3C S3100-EI series switches support this command. Examples # Apply all rules of basic ACL 2000 on Ethernet 1/0/1 to filter inbound packets. Here, it is assumed that the ACL and its rules are already configured.
When you need to apply an ACL to all ports in a VLAN, you can use the packet-filter vlan command to achieve the goal in one operation. Only H3C S3100-EI series switches support this command. An ACL assigned to a VLAN takes effect only for the packets tagged with 802.1Q header. For more information about 802.1Q header, refer to the VLAN part.
rule (for Basic ACLs)
Syntax
rule [ rule-id ] { deny | permit } [ rule-string ]
undo rule rule-id [ fragment | source | time-range ]*
View
Basic ACL view
Parameters
Parameters of the rule command
rule-id: ACL rule ID, in the range of 0 to 65534.
deny: Drops the matched packets.
Page 604
When you assign basic ACLs to the hardware for packet filtering, the fragment keyword is not supported on an H3C S3100-EI Series Ethernet switch.
Description
Use the rule command to define an ACL rule. Use the undo rule command to remove an ACL rule or specified settings of an ACL rule.
Page 606
Arguments/Keywords Type Function Description Indicates that the Fragment rule applies only fragment — information to non-tail fragments. Specifies the TTL The ttl argument can be a number in information for the ACL rule. the range 0 to 255. Specifies the time-name: specifies the name of the Time range time range in...
Page 607
Keyword DSCP value in decimal DSCP value in binary 110000 111000 101110 If you specify the precedence keyword, you can directly input a value ranging from 0 to 7 or input one of the keywords listed in Table 1-9 as IP precedence. Table 1-9 IP Precedence values and the corresponding keywords Keyword IP Precedence in decimal...
Page 608
Table 1-11 TCP/UDP-specific ACL rule information Parameters Type Function Description The value of operator can be lt (less than), gt (greater than), eq (equal to), neq (not equal to) or range (within the range of). Only the range operator requires two port numbers as the operands.
Page 609
Table 1-13 ICMP-specific ACL rule information
Parameters: icmp-type icmp-type icmp-code
Type: Type and message code information of ICMP packets
Function: Specifies the type and message code information of ICMP packets in the ACL rule
Description: icmp-type: ICMP message type, ranging from 0 to 255. icmp-code: ICMP message code,...
Page 610
Parameters of the undo rule command
rule-id: Rule ID, which must be the ID of an existing ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
source: Removes the settings concerning the source address in the ACL rule.
source-port: Removes the settings concerning the source port in the ACL rule.
If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule will be the greatest rule number plus one. If the current greatest rule number is 65534, however, the system will display an error message and you need to specify a number for the rule.
Page 612
Table 1-16 Layer 2 ACL rule information Parameters Type Function Description Specifies the link Link layer layer This argument can be 802.3/802.2, format-type encapsulation encapsulation 802.3, ether_ii, or snap. type type in the rule lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal Specifies the number.
Page 613
Parameters: type protocol-type protocol-mask
Type: Protocol type of Ethernet frames
Function: Specifies the protocol type of Ethernet frames for the ACL rule
Description: protocol-type: Protocol type. protocol-mask: Protocol type mask.
Note the following when assigning a Layer 2 ACL to the hardware: The 802.3/802.2 and 802.3 keywords are not supported.
Use the undo rule command to remove an ACL rule. To remove an ACL rule, you need to specify the ID of the ACL rule. You can use the display acl command to view the ID of an ACL rule. Note that: You can modify any existing rule of an IPv6 ACL.
text: Comment for the ACL rule, a string of 1 to 127 characters. Blank spaces and special characters are acceptable.
Description
Use the rule comment command to define a comment for the ACL rule. Use the undo rule comment command to remove the comment defined for the ACL rule. You can give rules comments to provide relevant information such as their application purposes and the ports they are applied to, so that you can easily identify and distinguish ACL rules by their comments.
Page 617
Numeral (0 to 6) Mon, Tue, Wed, Thu, Fri, Sat, and Sun Working days (Monday through Friday) Off days (Saturday and Sunday) Daily, namely everyday of the week from start-time start-date: Specifies the start date of an absolute time range, in the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD.
Page 618
Time-range : tr1 ( Inactive )
08:00 to 12:00 working-day
Time-range : tr2 ( Inactive )
From 12:00 Jan/1/2008 to 12:00 Jun/1/2008
QoS Commands QoS Commands burst-mode enable Syntax burst-mode enable undo burst-mode enable View System view Parameter None Description Use the burst-mode enable command to enable the burst function. Use the undo burst-mode enable command to disable the burst function. By default, the burst function is disabled. Example # Enable the burst function.
Use the display qos-global command to display the QoS-related configuration performed for all the packets. Only H3C S3100-EI series switches support this command. Example # Display all the QoS configurations performed for all the packets on an S3100-EI series switch.
Table 1-1 Description on the fields of the display qos-global command
Field: Description
Inbound: Packet direction
Matches: ACL rules for traffic classifying
Target rate: Traffic policing target rate
Conform action: Action conducted to packets conforming to the traffic specification
Exceed action: Action conducted to packets exceeding the traffic specification
meter-statistic running: The function of collecting traffic policing statistics information is...
weight of queue 3: 1 Table 1-2 Description on the fields of the display qos-interface all command Field Description line-rate Port with rate limiting configured Inbound direction. That is, rate limiting is performed to the Inbound inbound packets 1024 Kbps The target rate Queue scheduling mode Queue scheduling algorithm adopted...
Use the display qos-interface mirrored-to command to display the traffic mirroring configuration of a port or all the ports on the device. Related command: mirrored-to. Only H3C S3100-EI series switches support this command. Example # Display the traffic mirroring configuration of Ethernet 1/0/1 on an S3100-EI series switch.
Unit ID, which is fixed to 1. With this argument specified, the traffic policing configuration of all the ports on the device is displayed. Only H3C S3100-EI series switches support this command. Description Use the display qos-interface traffic-limit command to display the traffic policing configuration of a port or all the ports on the device.
Use the display qos-interface traffic-priority command to display the priority marking configuration of a port or all the ports on the device. Related command: traffic-priority. Only H3C S3100-EI series switches support this command. Example # Display the priority marking configuration of Ethernet 1/0/1 (assuming that the current device is an S3100-EI series switch).
Use the display qos-interface traffic-redirect command to display the traffic redirecting configuration of a port or all the ports on the device. Related command: traffic-redirect. Only H3C S3100-EI series switches support this command. Example # Display the traffic redirecting configuration of Ethernet 1/0/1 (assuming that the current device is an S3100-EI series switch).
Unit ID, which is fixed to 1. With this argument specified, the traffic shaping configuration of all the ports is displayed. Description Use the display qos-interface traffic-shape command to display the traffic shaping configuration of a port or all the ports on the device. Related command: traffic-shape. Only H3C S3100-EI series switches support this command.
Example # Display the traffic shaping configuration of Ethernet 1/0/1. <Sysname> display qos-interface Ethernet 1/0/1 traffic-shape Ethernet1/0/1 QID: status max-rate(kbps) burst-size(byte) ---------------------------------------------------- Enable Enable Enable Disable Table 1-7 Description on the fields of the display qos-interface traffic-shape command Field Description Ethernet1/0/1 Port with traffic shaping configured Queue ID...
Only H3C S3100-EI series switches support this command. Example # Display the traffic accounting configuration information and traffic statistics on Ethernet 1/0/1 (assuming that the current device is an S3100-EI series switch). <Sysname> display qos-interface Ethernet 1/0/1 traffic-statistic Ethernet1/0/1: traffic-statistic...
Only H3C S3100-EI series switches support this command. Example # Display all the QoS-related configurations of port group 1 (assuming that the current device is an S3100-EI series switch). <Sysname> display qos-port-group 1 all Port-group 1 traffic-limit Inbound: Matches: Acl 3001 rule 0...
Example # Display all the QoS-related configuration performed for VLAN 1 (assuming that the current device is an S3100-EI series switch). <Sysname> display qos-vlan 1 all Vlan 1 traffic-limit Inbound: Matches: Acl 3001 rule 0 running Target rate: 128 Kbps Exceed action: drop meter-statistic not running Refer to...
Page 637
View Ethernet port view Parameter inbound: Limits the inbound packet rate. outbound: Limits the outbound packet rate. target-rate: Total target rate (in kbps). The range of this argument varies with port type as follows: Fast Ethernet port: 64 to 99,968; GigabitEthernet port: 64 to 1,000,000.
Page 638
View
System view, Port group, Ethernet port view
Parameter
inbound: Duplicates inbound packets.
acl-rule: ACL rules to be applied. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-9 and Table 1-10. Note that the ACL rules referenced must be those defined with the permit keyword specified.
Only H3C S3100-EI series switches support this command. Example # Mirror packets that match ACL 2000 on port Ethernet 1/0/1 to Ethernet 1/0/4 through traffic mirroring (assuming that the current device is an S3100-EI series switch). <Sysname> system-view System View: return to User View with Ctrl+Z.
Note that the same ACL cannot be simultaneously referenced in both traffic mirroring configuration and traffic redirecting configuration for a VLAN. Only H3C S3100-EI series switches support this command. The traffic mirroring function configured on a VLAN is only applicable to packets tagged with an 802.1Q header.
Parameter priority-level: Port priority, ranging from 0 to 7. Description Use the priority command to configure the priority of an Ethernet port. Use the undo priority command to restore the default port priority. By default, the priority of an Ethernet port is 0. Example # Set the priority of Ethernet 1/0/1 to 6.
Page 642
By default, a switch trusts the 802.1p priority of the received packets. A port of an S3100 series switch can accommodate four output queues. The output queue to which a received packet is added is determined by its local precedence: DSCP precedence: Ranges from 0 to 63.
Related command: display priority-trust.
Example
# Configure the switch to trust the DSCP precedence of the received packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] priority-trust dscp
# Display the configuration result.
[Sysname] display priority-trust
Priority trust mode: dscp
qos cos-local-precedence-map
Syntax
qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec...
CoS value Local precedence Related command: display qos cos-local-precedence-map. Example # Configure the CoS-precedence-to-local-precedence mapping relationship as follows: 0 to 0, 1 to 0, 2 to 1, 3 to 1, 4 to 2, 5 to 2, 6 to 3, and 7 to 3. <Sysname>...
Page 645
The default DSCP-precedence-to-local-precedence mapping table is shown in Table 1-12.
Table 1-12 The default DSCP-precedence-to-local-precedence mapping table
DSCP Local precedence 0 to 15 16 to 31 32 to 47 48 to 63
Related command: display qos dscp-local-precedence-map.
Example
# Modify the DSCP-precedence-to-local-precedence mapping table according to Table 1-13.
62 : 63 : qos ip-precedence-local-precedence-map Syntax ip-precedence-local-precedence-map ip0-map-local-prec ip1-map-local-prec ip2-map-local-prec ip3-map-local-prec ip4-map-local-prec ip5-map-local-prec ip6-map-local-prec ip7-map-local-prec undo qos cos-local-precedence-map View System view Parameter ip0-map-local-prec: Local precedence to which IP 0 is to be mapped, in the range 0 to 3. ip1-map-local-prec: Local precedence to which IP 1 is to be mapped, in the range 0 to 3.
Related command: display qos ip-precedence-local-precedence-map. Only H3C S3100-SI series switches support this command. Example # Configure the IP-precedence-to-local-precedence mapping relationship as follows: 0 to 1, 1 to 1, 2 to 0, 3 to 0, 4 to 2, 5 to 2, 6 to 3, and 7 to 3 (assuming that the current device is an S3100-SI series switch).
By default, the WRR queue scheduling algorithm is adopted, and the weight assigned to queue 0, queue 1, queue 2, and queue 3 is 1, 2, 3, and 4. The port of an S3100 series switch can accommodate four output queues. You can configure the queue scheduling algorithm as needed:...
ACL rules, or packets that match specific ACL rules and are of a port group or pass a port. Related command: traffic-limit. Only H3C S3100-EI series switches support this command. Example # Clear the traffic policing statistics on packets matching ACL 2000 and passing Ethernet 1/0/1 (assuming that the current device is an S3100-EI series switch).
Only H3C S3100-EI series switches support this command. Example # Clear the statistics on packets that match ACL 2000 and are of VLAN 1 (assuming that the current device is an S3100-EI series switch). <Sysname> system-view System View: return to User View with Ctrl+Z.
Use the reset traffic-statistics vlan command to clear the statistics on packets that are of a VLAN and match specific ACL rules. Related command: traffic-statistic vlan. Only H3C S3100-EI series switches support this command. Example # Clear the statistics on packets that match ACL 2000 and are of VLAN 1 (assuming that the current device is an S3100-EI series switch).
acl-rule: ACL rules to be applied. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-9 and Table 1-10. Note that the ACL rules referenced must be those defined with the permit keyword specified. target-rate: Target traffic rate of traffic policing (in kbps).
Use the undo traffic-limit command to cancel the configuration. By default, traffic policing is disabled globally, on all port groups, and all ports. Only H3C S3100-EI series switches support this command. With broadcast suppression, multicast suppression, or line rate for the inbound direction enabled on a device, you cannot configure traffic policing on the device.
Related command: display qos-interface traffic-limit, reset traffic-limit. Example # Perform traffic policing for packets matching ACL 4000 on Ethernet 1/0/1. Limit the rate within 128 kbps and drop the packets exceeding the traffic limit (assuming that the current device is an S3100-EI series switch).
Use the undo traffic-limit vlan command to disable traffic policing on a VLAN. By default, traffic policing is disabled on a VLAN. Only H3C S3100-EI series switches support this command. Traffic policing configured on a VLAN is only applicable to packets tagged with an 802.1Q header.
By default, priority marking is disabled globally, on all port groups, and all ports. Related command: display qos-interface traffic-priority. Only H3C S3100-EI series switches support this command. Example # Set the 802.1p precedence to 1 for packets matching ACL 4000 and passing Ethernet 1/0/1 (assuming that the current device is an S3100-EI series switch).
VLAN. By default, priority marking is disabled on a VLAN. Related command: display qos-vlan. Only H3C S3100-EI series switches support this command. The priority marking function configured on a VLAN is only applicable to packets tagged with an 802.1Q header.
By default, traffic redirecting is disabled globally, on all port groups, and all ports. Only H3C S3100-EI series switches support this command. Packets redirected to the CPU are not forwarded.
Note that the same ACL cannot be simultaneously referenced in both traffic mirroring configuration and traffic redirecting configuration for a VLAN. Only H3C S3100-EI series switches support this command. The traffic redirecting function configured on a VLAN is only applicable to packets tagged with an 802.1Q header.
Example # Redirect the packets that match ACL 2000 rules and are of VLAN 1 to Ethernet 1/0/7 (assuming that the current device is an S3100-EI series switch). <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 1.1.1.0 0.0.0.255 [Sysname-acl-basic-2000] quit [Sysname] traffic-redirect vlan 1 inbound ip-group 2000 interface Ethernet1/0/7...
By default, traffic shaping is disabled. Related command: display qos-interface traffic-shape. Only H3C S3100-EI series switches support this command. Example # Configure traffic shaping on Ethernet 1/0/1, with the maximum rate being 640 kbps and the burst size being 16 KB.
Note that, for the same ACL rule, the traffic accounting function and the meter statistic keyword of the traffic-limit command are mutually exclusive in system view, Ethernet port view, or port group view. Only H3C S3100-EI series switches support this command. Related command: display qos-interface traffic-statistic, reset traffic-statistic.
Note that, for the same ACL rule, the traffic accounting function and the meter statistic keyword of the traffic-limit command are mutually exclusive in a VLAN. Only H3C S3100-EI series switches support this command. The traffic accounting function configured on a VLAN is only applicable to packets tagged with an 802.1Q header.
QoS Profile Configuration Commands Only H3C S3100-EI series switches support this configuration. QoS Profile Configuration Commands apply qos-profile Syntax In system view apply qos-profile profile-name interface interface-list undo apply qos-profile profile-name interface interface-list In Ethernet port view apply qos-profile profile-name...
System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] apply qos-profile a123 # Apply the QoS profile named a123 to Ethernet 1/0/1 through Ethernet 1/0/4. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] apply qos-profile a123 interface Ethernet 1/0/1 to Ethernet 1/0/4 display qos-profile Syntax display qos-profile { all | name profile-name | interface interface-type interface-number | user...
# Display the configuration of the QoS profile applied to Ethernet 1/0/1, assuming that the QoS profile has been applied to Ethernet 1/0/1 manually. <Sysname> display qos-profile interface Ethernet 1/0/1 User's qos-profile applied mode: user-based Default applied qos-profile: test, 3 actions packet-filter inbound ip-group 2000 rule 0 traffic-limit inbound ip-group 3000 rule 0 64 traffic-priority inbound ip-group 4000 rule 0 cos controlled-load...
packet-filter Syntax packet-filter inbound acl-rule undo packet-filter inbound acl-rule View QoS profile view Parameter inbound: Filters the inbound packets. acl-rule: ACL rules to be applied. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-9 and Table 1-10.
Description Use the qos-profile command to create a QoS profile and enter QoS profile view. If the QoS profile already exists, this command leads you to the corresponding QoS profile view. Use the undo qos-profile command to remove a QoS profile. A QoS profile currently applied to a port cannot be removed or modified.
Example # Add a traffic policing action to the QoS profile named a123 to limit the rate of the inbound packets matching ACL 2000 to 128 kbps and drop the packets exceeding 128 kbps. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] qos-profile a123 [Sysname-qos-profile-a123] traffic-limit inbound ip-group 2000 128 exceed drop...
Mirroring Commands Mirroring Commands display mirroring-group Syntax display mirroring-group { group-id | all | local | remote-destination | remote-source } View Any view Parameters group-id: Specifies the mirroring group of which the configurations are to be displayed, the value of which can only be 1.
Ethernet1/0/1 inbound reflector port: Ethernet1/0/2 remote-probe vlan: 10 # Display the configurations of a remote destination mirroring group on your S3100-EI series Ethernet switch. <Sysname> display mirroring-group 1 mirroring-group 1: type: remote-destination status: active monitor port: Ethernet1/0/3 remote-probe vlan: 20 Table 1-1 Description on the fields of the display mirroring-group command Field Description...
The mirroring group you created can take effect only after you configure other parameters for it. Note that an S3100 series Ethernet switch supports configuring only one destination port in local port mirroring or one reflector port in remote port mirroring. That is, on an S3100 switch, there can be only one effective local mirroring group or one effective remote source mirroring group.
Description Use the mirroring-group mirroring-port command to configure the source ports for a local mirroring group or a remote source mirroring group. Use the undo mirroring-group mirroring-port command to remove the source ports of a local mirroring group or a remote source mirroring group. Note that: The S3100-SI series do not support the both keyword in the source port configuration for a remote source mirroring group.
You cannot configure a member port of an aggregation group, or a port enabled with LACP or STP as the destination port. Before configuring a destination port for a local mirroring group, make sure that the corresponding mirroring group has already been created. It is recommended that you use a destination port for port mirroring purpose only.
[Sysname] mirroring-group 1 reflector-port Ethernet 1/0/2 mirroring-group remote-probe vlan Syntax mirroring-group group-id remote-probe vlan remote-probe-vlan-id undo mirroring-group group-id remote-probe vlan remote-probe-vlan-id View System view Parameters group-id: Number of a port mirroring group, the value of which can only be 1. remote-probe vlan remote-probe-vlan-id: Specifies the remote-probe VLAN for the mirroring group.
Related commands: display mirroring-group. When you configure mirroring source port on an Ethernet port of an S3100 series Ethernet switch, if mirroring group 1 does not exist, the switch will automatically create local mirroring group 1 and add the source port to the group;...
It is recommended that you use a destination port for port mirroring purpose only. Do not use a destination port to transmit other service packets. Related commands: display mirroring-group. When you configure mirroring destination port on an Ethernet port, if mirroring group 1 does not exist, the switch creates the local mirroring group 1 and adds the port to the group;...
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] vlan 5 [Sysname-vlan5] remote-probe vlan enable...
Stack Function Configuration Commands Stack Function Configuration Commands display stacking Syntax display stacking [ members ] View Any view Parameter members: Displays the information about the members of a stack. Do not specify this keyword when you execute this command on a slave switch. Description Use the display stacking command to display the information about the main switch or the slave switches of a stack.
MAC Address:000f-e20f-3124 Member status:Admin IP: 129.10.1.15 /16 Member number: 1 Name:stack_1.Sysname Device: S3100 MAC Address: 000f-e20f-3130 Member status:Up IP: 129.10.1.16/16 Member number: 2 Name:stack_2.Sysname Device: S3100 MAC Address: 000f-e20f-3135 Member status:Up IP: 129.10.1.17/16 Table 1-1 Description on the fields of the display stacking command Field Description Numbers of the switches in the stack...
By default, the stack-port function on a stack port is enabled, indicating that a switch can send/forward the stack join-in requests through the port. On the S3100 series switches, only GE SFP ports that are installed with stack modules can be used as stack ports.
stacking enable Syntax stacking enable undo stacking enable View System view Parameter None Description Use the stacking enable command to create a stack. Use the undo stacking enable command to remove a stack. The stacking enable command triggers a main switch to add the switches connected to its stack ports to the stack.
Parameter from-ip-address: Start address of the stack IP address pool. ip-address-number: Number of the IP addresses in the stack IP address pool, in the range of 1 to 16. ip-mask: Mask of the stack IP address. Description Use the stacking ip-pool command to create a stack IP address pool. Use the undo stacking ip-pool command to restore the default stack IP address pool.
Cluster Configuration Commands NDP Configuration Commands display ndp Syntax display ndp [ interface interface-list ] View Any view Parameters interface interface-list: Specifies a port list. You need to provide the interface-list argument in the form of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10>...
MAC Address : 000f-e20f-1234 Host Name : 1234_2.Sysname Port Name : Ethernet1/0/1 Software Ver: V100R002B01D001 Device Name : H3C S3100 Port Duplex : AUTO Product Ver : 3100 BootROM Ver : 506 Table 2-1 Description on the fields of the two commands Field...
ndp enable Syntax ndp enable [ interface interface-list ] undo ndp enable [ interface interface-list ] View System view, Ethernet port view Parameters interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10> means that you can provide up to ten port indexes/port index ranges for this argument.
Description Use the ndp timer aging command to set the holdtime of the NDP information. This command specifies how long an adjacent device should hold the NDP neighbor information received from the local switch before discarding the information. Use the undo timer aging command to restore the default holdtime of NDP information. By default, the holdtime of NDP information is 180 seconds.
Examples # Set the interval between sending NDP packets to 80 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ndp timer hello 80 reset ndp statistics Syntax reset ndp statistics [ interface interface-list ] View User view Parameters interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10>...
NTDP Configuration Commands display ntdp Syntax display ntdp View Any view Parameters None Description Use the display ntdp command to display the global NTDP information. The displayed information includes topology collection range (hop count), topology collection interval (NTDP timer), device/port forwarding delay of topology collection requests, and time used by the last topology collection.
: 00e0-fc11-1111 Platform : S3100 : 192.168.0.234/24 Version H3C Comware Platform Software Comware Software, Version 3.10 Copyright(c) 2004-2010 Hangzhou H3C Technologies Co.,Ltd.All rights reserved. S3100 3100-0002 Cluster Administrator switch of cluster 1234 Stack Candidate switch Peer MAC Peer Port ID...
: 00e0-fc3d-9da8 Platform : H3C S3026 Version H3C Comware Platform Software Comware Software, Version 3.10 Copyright(c) 2004-2010 Hangzhou H3C Technologies Co.,Ltd.All rights reserved. S3100 3100-0002 Cluster Member switch of cluster 1234 , Administrator MAC: 00e0-fc11-1111 Stack Candidate switch Peer MAC...
Field Description Cluster The role of the collected device for the cluster MAC address of a neighbor device connected to Peer MAC the collected device Index of the port on the neighbor device Peer Port ID connected to the collected device Index of the port on the collected device Native Port ID connected to the neighbor device...
Parameters None Description Use the ntdp explore command to manually start a topology collection process. NTDP is able to periodically collect topology information. In addition, you can use this command to manually start a topology collection process at any moment. If you do this, NTDP collects NDP information from all devices in a specific network range (which can be set through the ntdp hop command) as well as the connection information of all its neighbors.
Examples # Set the topology collection range to 5 hops. <aaa_0.Sysname> system-view System View: return to User View with Ctrl+Z. [aaa_0.Sysname] ntdp hop 5 ntdp timer Syntax ntdp timer interval-in-minutes undo ntdp timer View System view Parameters interval-in-minutes: Interval (in minutes) to collect topology information, ranging from 0 to 65,535. A value of 0 disables topology information collection.
ntdp timer hop-delay Syntax ntdp timer hop-delay time undo ntdp timer hop-delay View System view Parameters time: Device forwarding delay in milliseconds. This argument ranges from 1 to 1,000. Description Use the ntdp timer hop-delay command to set the delay for devices to forward topology collection requests.
Description Use the ntdp timer port-delay command to configure the topology request forwarding delay between two ports, that is, the interval at which the device forwards the topology requests through the NTDP-enabled ports one after another. Use the undo ntdp timer port-delay command to restore the default port forwarding delay. By default, the port forwarding delay is 20 ms.
If you do not specify the member number when adding a new cluster member, the management device assigns the next available member number to the new member. If you want to specify the member manually, you need to specify a number that is never used by a member device of the cluster. After you add a candidate device to the cluster, the super password of the device automatically changes to the super password of the management device.
Examples # Remove the current member device from the cluster. <aaa_1.Sysname> system-view System View: return to User View with Ctrl+Z [aaa_1.Sysname] cluster [aaa_1.Sysname-cluster] undo administrator-address auto-build Syntax auto-build [ recover ] View Cluster view Parameters recover: Recovers all member devices. Description Use the auto-build command to start an automatic cluster building process.
Member 000f-e200-2420 is joined in cluster aaa. %Apr 3 08:12:37:996 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 000f-e202-2180 is joined in cluster aaa. %Apr 3 08:12:38:113 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 0016-e0c0-c201 is joined in cluster aaa. %Apr 3 08:12:38:139 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 000f-e200-5104 is joined in cluster aaa.
To reduce the risk of attacks by malicious users against an open socket and to enhance switch security, the S3100 series Ethernet switches provide the following functions, so that the cluster socket is opened only when it is needed: UDP port 40000 (used for cluster) is opened only when the cluster function is implemented, and UDP port 40000 is closed at the same time as the cluster function is closed.
cluster Syntax cluster View System view Parameters None Description Use the cluster command to enter cluster view. Examples # Enter cluster view. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] cluster [Sysname-cluster] cluster enable Syntax cluster enable undo cluster enable View System view...
When you execute undo cluster enable command on a device that does not belong to any cluster, the cluster function is disabled on the device, and thus you cannot create a cluster on the device or add the device to an existing cluster. Examples # Enable the cluster function on the switch.
When you execute this command on the management device with a nonexistent member number or a MAC address that is not in the member list, an error will occur. In this case, you can enter quit to end the switching. Examples # Switch from the management device to number-6 member device and then switch back to the management device.
<aaa_0.Sysname> system-view System View: return to User View with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] cluster-local-user public password simple 123 cluster-mac Syntax cluster-mac H-H-H undo cluster-mac View Cluster view Parameters H-H-H: Multicast MAC address to be set for the cluster, in hexadecimal format. This argument can be one of the following addresses: 0180-C200-0000, 0180-C200-000A, 0180-C200-0020 to 0180-C200-002F.
cluster-mac syn-interval Syntax cluster-mac syn-interval time-interval View Cluster view Parameters time-interval: Interval to send multicast MAC synchronization packets, ranging from 0 to 30 minutes. Description Use the cluster-mac syn-interval command to set the interval for the management device to send HGMP V2 multicast MAC synchronization packets periodically.
write: Indicates that the community has read-write access right to MIB objects, that is, an SNMP NMS is capable of configuring the devices when it uses this community name to access the agent. community-name: Community name, a string of 1 to 27 characters. view-name: MIB view name, a string of 1 to 32 characters.
group-name: Group name, a string of 1 to 32 characters. authentication: Specifies the security model of the SNMP group as authentication only (without privacy). privacy: Specifies the security model of the SNMP group as authentication and privacy. read-view read-view: Read view, a string of 1 to 32 characters. The default read view is ViewDefault. write-view write-view: Write view, a string of 1 to 32 characters.
View Cluster view Parameters view-name: View name, a string of 1 to 32 characters. The default view is ViewDefault. oid-tree: MIB subtree, identified by the OID of the subtree root node or the name of the subtree root node. The value is a string of 1 to 255 characters. included: Indicates that all nodes of the MIB tree are included in the current view.
View Cluster view Parameters v3: SNMPv3. username: User name, a string of 1 to 32 characters. groupname: Group name, a string of 1 to 32 characters. authentication-mode: Specifies the security model as authentication. If you do not provide this keyword, the security model defaults to no authentication, no privacy. md5: Specifies the authentication protocol as MD5.
delete-member Syntax delete-member member-id [ to-black-list ] View Cluster view Parameters member-id: Member number of a member device, ranging from 1 to 255. to-black-list: Adds the device removed from a cluster to the blacklist to prevent it from being added to the cluster.
View Any view Parameters None Description Use the display cluster command to display the status and statistics information of the cluster to which the current switch belongs. Executing this command on a member device will display the following information: cluster name, member number of the current switch, MAC address and status of the management device, holdtime, and interval to send handshake packets.
You can only use this command on a management device. Note that, after a cluster is set up on an S3100 series switch, the switch will collect the topology information of the network at the topology collection interval you set and automatically add the candidate devices it discovers into the cluster.
Field Description Platform Platform of the candidate device display cluster members Syntax display cluster members [ member-number | verbose ] View Any view Parameters member-number: Member number of a device, ranging from 0 to 255. verbose: Displays detailed information about all the devices in a cluster. Description Use the display cluster members command to display information about one specific or all devices in a cluster.
Hops to administrator device:0 IP: 100.100.1.1/24 Version: H3C Comware Platform Software. Comware Software, Version 3.10 Copyright(c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved. S3100 3100-0002 Member number:1 Name:aaa_1.Sysname Device:S3100 MAC Address:3900-0000-3334 Member status:Up Hops to administrator device:2 IP: 16.1.1.11/24 Version: H3C Comware Platform Software.
ftp cluster Syntax ftp cluster View User view Parameters None Description Use the ftp cluster command to connect to the shared FTP server of the cluster and enter FTP Client view through the management device. You can use the ftp-server command on the management device to configure the shared FTP server of the cluster, which is used for software version update and configuration file backup of the cluster members.
View Cluster view Parameters ip-address: IP address of the FTP server to be configured for the cluster. Description Use the ftp-server command to configure a shared FTP server for the cluster on the management device. Use the undo ftp-server command to remove the shared FTP server setting. By default, the management device acts as the shared FTP server of the cluster.
By default, the neighbor information holdtime is 60 seconds. Note that: If the management switch does not receive NDP information from a member device within the holdtime, it sets the state of the member device to “down”. When the management device receives the NDP information from the device again, the device will be re-added to the cluster automatically.
Examples # Configure a private IP address pool for a cluster. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] cluster [Sysname-cluster] ip-pool 10.200.0.1 20 logging-host Syntax logging-host ip-address undo logging-host View Cluster view Parameters ip-address: IP address of the device to be configured as the log host of a cluster. Description Use the logging-host command to configure a shared log host for a cluster on the management device.
management-vlan Syntax management-vlan vlan-id undo management-vlan View System view Parameters vlan-id: ID of the VLAN to be specified as the management VLAN. Description Use the management-vlan command to specify the management VLAN on the switch. Use the undo management-vlan command to restore the default management VLAN. By default, VLAN 1 is used as the management VLAN.
Description Use the reboot member command to reboot a specified member device on the management device. When a member device is in trouble due to some configuration errors, you can use the remote control function on the management device to maintain the member device remotely. For example, from the management device, you can delete the configuration file on a member device and reboot the member device, and recover the device to the normal state with the backup configuration.
[aaa_0.Sysname-cluster] snmp-host 1.0.0.9 tftp get Syntax tftp { cluster | tftp-server } get source-file [ destination-file ] View User view Parameters cluster: Downloads files through the shared TFTP server of the cluster. tftp-server: IP address or host name of the TFTP server. source-file: Name of the file to be downloaded from the shared TFTP server of the cluster.
Parameters cluster: Uploads files through the shared TFTP server of the cluster. tftp-server: IP address or host name of the TFTP server. source-file: File name to be uploaded to the shared TFTP server. destination-file: Name of the file to which the uploaded file will be saved in the storage directory of the TFTP server.
By default, no shared TFTP server is configured. After the IP address of the shared TFTP server is configured, NAT is enabled on the management device immediately. When a member device uses the tftp cluster get or tftp cluster put command to download or upload a file from the shared TFTP server, the management device translates the private IP address of the member device to a public network address, forwards the requests of the member device to the TFTP server, and forwards the responses of TFTP server to the member device according...
tracemac Syntax tracemac { by-mac mac-address vlan vlan-id | by-ip ip-address } [ nondp ] View Any view Parameters by-mac: Specifies to trace a device through the specified destination MAC address. mac-address: MAC address of the device to be traced. vlan vlan-id: Specifies to trace a device in the specified VLAN.
[aaa_0.Sysname-cluster] black-list add-mac 0010-3500-e001 # Delete all addresses in the current cluster blacklist. [aaa_0.Sysname-cluster] black-list delete-mac all display cluster base-members Syntax display cluster base-members View Any view Parameters None Description Use the display cluster base-members command to display the information about all the devices in the base cluster topology, such as member number, name, MAC address, and the current status of each device in a cluster.
Parameters mac-address mac-address: Displays the structure of the standard topology three layers above or below the node specified by the MAC address. member member-id: Displays the structure of the standard topology three layers above or below the node specified by the member ID. Description Use the display cluster base-topology command to display the standard topology of the cluster.
Parameters None Description Use the display cluster black-list command to display the information of devices in the current cluster blacklist. Related commands: black-list. Examples # Display the contents of the current cluster blacklist. <aaa_0.Sysname> display cluster black-list Device ID Access Device ID Access port 000f-e200-5502 000f-e202-2180...
Field Description Cluster Role the device plays in the cluster Peer MAC MAC address of the peer device Peer Port ID Name of the port on the peer device connecting to the local device Native Port ID Name of the port on the local device connecting to the peer device Speed Rate of the local port connecting to the peer device Duplex...
<aaa_0.Sysname> system-view Enter system view, return to user view with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] topology accept all save-to local-flash # Accept the device with the MAC address 0010-0f66-3022 as a member of the base cluster topology. <aaa_0.Sysname> system-view Enter system view, return to user view with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] topology accept mac-address 0010-0f66-3022 topology restore-from...
View Cluster view Parameters None Description Use the topology save-to command to save the standard topology of the cluster to the local Flash memory. The file name used to save the standard topology is topology.top. Do not modify the file name. This command is applicable to only the management device of a cluster.
PoE Configuration Commands PoE Configuration Commands display poe interface Syntax display poe interface [ interface-type interface-number ] View Any view Parameter interface-type interface-number: Port type and port number. Description Use the display poe interface command to view the PoE status of a specific port or all ports of the switch.
Table 1-1 Description on the fields of the display poe interface command Field Description Port power enabled PoE is enabled on the port Port power ON/OFF The power on the port is on/off PoE status on the port: user command set port to off: PoE to the port is turned off by the user Port power status Standard PD was detected: A standard PD is detected Legacy PD was detected: A non-standard PD is detected...
Field Description PoE priority of the port: critical: Highest PRIORITY high: High low: Low PoE status on the port: user command set port to off: PoE to the port is turned off by the user Standard PD was detected: A standard PD is detected Legacy PD was detected: A non-standard PD is detected STATUS PD detection is in process: PDs are being detected...
View Any view Parameter None Description Use the display poe powersupply command to view the parameters of the power sourcing equipment (PSE). Example # Display the PSE parameters. <Sysname> display poe powersupply Unit 1 PSE ID PSE Legacy Detection :disable PSE Total Power Consumption :0 mW PSE Available Power :128000 mW...
display poe temperature-protection Syntax display poe temperature-protection View Any view Parameter None Description Use the display poe temperature-protection command to display the enable/disable status of the PoE over-temperature protection function on the switch. Related commands: poe temperature-protection enable. Example # Display the enable/disable status of the PoE over-temperature protection function on the switch. <Sysname>...
undo poe legacy enable View System view Parameter None Description Use the poe legacy enable command to enable the PD compatibility detection function. Use the undo poe legacy enable command to disable the PD compatibility detection function. PDs compliant with IEEE 802.3af standards are called standard PDs. By default, the PD compatibility detection function is disabled.
Use the undo poe mode command to restore the PoE mode on the current port to the default mode. By default, signal mode is adopted on a port. Note that the S3100 series switches do not support the spare mode currently. Example # Set the PoE mode on Ethernet 1/0/3 to signal.
Example # Configure the PoE management mode on a port to auto, that is, adopt the PoE management mode based on the PoE priority of the port. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] poe power-management auto Auto Power Management is enabled poe priority Syntax...
poe temperature-protection Syntax poe temperature-protection enable undo poe temperature-protection enable View System view Parameter None Description Use the poe temperature-protection enable command to enable PoE over-temperature protection on the switch. Use the undo poe temperature-protection enable command to disable PoE over-temperature protection on the switch.
Page 751
full: The full update mode is used when the PSE processing software is damaged. The full update mode is to delete the original damaged software in the PSE completely and then reload the PoE processing software. filename: Update file name, with a length of 1 to 64 characters and with the extension .s19. Description Use the poe update command to update the PSE processing software online.
PoE Profile Configuration Commands PoE Profile Configuration Commands apply poe-profile Syntax In system view use the following commands: apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] undo apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] In Ethernet port view use the following commands: apply poe-profile profile-name undo apply poe-profile profile-name...
PoE profile is a set of PoE configurations. One PoE profile can contain multiple PoE features. When the apply poe-profile command is used to apply a PoE profile to a port, some PoE features can be applied successfully while some cannot. PoE profiles are applied to S3100 series Ethernet switches according to the following rules: When the apply poe-profile command is used to apply a PoE profile to a port, the PoE profile is applied successfully only if one PoE feature in the PoE profile is applied properly.
[Sysname] display poe-profile name profile-test Poe-profile: profile-test, 3 action poe enable poe max-power 5000 poe priority critical poe-profile Syntax poe-profile profile-name undo poe-profile profile-name View System view Parameter profile-name: Name of PoE profile, a string with 1 to 15 characters. It starts with a letter from a to z or from A to Z, and it cannot be any of reserved keywords like all, interface, user, undo, and mode.
SNMP Configuration Commands SNMP Configuration Commands display snmp-agent Syntax display snmp-agent { local-engineid | remote-engineid } View Any view Parameters local-engineid: Displays the local SNMP entity engine ID. remote-engineid: Displays all the remote SNMP entity engine IDs. At present, the device does not support application of the keyword.
Page 757
Parameters read: Displays the information about the SNMP communities with read-only permission. write: Displays the information about the SNMP communities with read-write permission. Description Use the display snmp-agent community command to display the information about the SNMPv1/SNMPv2c communities with the specific access permission. SNMPv1 and SNMPv2c use community name authentication.
Field | Description
Storage-type | Storage type, which can be: volatile: Information will be lost if the system is rebooted; nonVolatile: Information will not be lost if the system is rebooted; permanent: Modification is permitted, but deletion is forbidden; readOnly: Read only, that is, no modification, no deletion; other: Other storage types
display snmp-agent group...
Table 1-2 display snmp-agent group command output description
Field | Description
Group name | SNMP group name of the user
Security model | SNMP group security mode, which can be AuthPriv (authentication with privacy), AuthnoPriv (authentication without privacy), and noAuthnoPriv (no authentication no privacy).
Readview | Read-only MIB view corresponding to the SNMP group...
Page 761
Examples # Display the statistics on SNMP packets. <Sysname> display snmp-agent statistics 1276 Messages delivered to the SNMP entity 0 Messages which were for an unsupported version 0 Messages which used a SNMP community name not known 0 Messages which represented an illegal operation for the community supplied 0 ASN.1 or BER errors in the process of decoding 1291 Messages passed from the SNMP entity 0 SNMP PDUs which had badValue error-status...
Page 762
Field | Description
SNMP PDUs which had genErr error-status | The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for which the value of the error-status field is `genErr'.
SNMP PDUs which had noSuchName error-status | The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for...
For the detailed configuration, refer to the snmp-agent sys-info command. By default, the contact information of an S3100 Ethernet switch is "Hangzhou H3C Technologies Co., Ltd.", the geographical location is "Hangzhou China", and the SNMP version employed is SNMPv3.
SNMPv3 display snmp-agent trap-list Syntax display snmp-agent trap-list View Any view Parameters None Description Use the display snmp-agent trap-list command to display the modules that can generate traps and whether the sending of traps is enabled on the modules. If a module contains multiple submodules, the trap function of the entire module is displayed as enabled as long as the trap function of any of the submodules is enabled.
group-name: Name of an SNMP group, a string of 1 to 32 characters. Description Use the display snmp-agent usm-user command to display the information about a specific type of SNMPv3 users. If you execute this command with no keyword specified, the information about all the SNMPv3 users is displayed, including username, group name, engine ID, storage type and user status.
View Ethernet port view, interface view Parameters None Description Use the enable snmp trap updown command to enable the sending of port/interface linkUp/linkDown traps. Use the undo enable snmp trap updown command to disable the sending of linkUp/linkDown traps. By default, the sending of port/interface linkUp/linkDown traps is enabled. Note that you need to enable the generation of port/interface linkUp/linkDown traps both on the port/interface and globally if you want a port/interface to generate port/interface linkUp/linkDown traps when the state of the port/interface changes.
By default, the SNMP agent is disabled. Examples # Start the SNMP agent. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] snmp-agent An S3100 Ethernet switch provides the following functions to prevent attacks through unused UDP ports. Starting the SNMP agent opens the UDP port used by SNMP agents and the UDP port used by SNMP traps.
The generated password is related to engine ID: password generated under an engine ID can only take effect on this engine ID. Related commands: snmp-agent usm-user v3. SNMP agent must be enabled for you to encrypt a plain-text password. Examples # Use the local engine ID and the md5 algorithm to encrypt plain-text password aaaa.
Typically, “public” is used as a read community name, and “private” is used as a write community name. For security purposes, you are recommended to configure a community name other than these two. Examples # Create an SNMP community named comaccess, which has read-only permission to MIB objects. <Sysname>...
Page 770
acl-number: ID of a basic ACL, in the range 2000 to 2999. Using basic ACL can restrict the source addresses of SNMP messages, namely, permitting or refusing the SNMP messages with specific source addresses, thus restricting access between the NMS and the agent. Description Use the snmp-agent group command to create an SNMP group, and set the security mode and corresponding SNMP view of the group.
Storage-type: nonVolatile Acl:2001 snmp-agent local-engineid Syntax snmp-agent local-engineid engineid undo snmp-agent local-engineid View System view Parameters engineid: Engine ID, an even number of hexadecimal characters, in the range 10 to 64. Description Use the snmp-agent local-engineid command to set an engine ID for the local SNMP entity. Use the undo snmp-agent local-engineid command to restore the default engine ID.
Description Use the snmp-agent log command to enable network management operation logging. Use the undo snmp-agent log command to disable network management operation logging. By default, network management operation logging is disabled. After SNMP logging is enabled, when NMS performs specified operations on the SNMP agent, the SNMP agent records and then saves the information related to the operations into the information center of the device.
Page 773
mask mask-value: Mask of a MIB subtree, an even number of hexadecimal characters, in the range 2 to 32. An odd number of characters is invalid. Description Use the snmp-agent mib-view command to create or update the information about a MIB view to limit the MIB objects the NMS can access.
# Create an SNMP MIB view with the name of view-a, MIB subtree of 1.3.6.1.5.4.3.4 and subtree mask of FE. MIB nodes with the OID of 1.3.6.1.5.4.3.x are included in this view, with x indicating any integer number. <Sysname> system-view System View: return to User View with Ctrl+Z.
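The subtree-and-mask matching described above, as an added Python example that is not part of the H3C manual. It assumes the switch follows the standard VACM view-family rules of RFC 3415 (which the FE example is consistent with) and generalizes to several included/excluded families; the function names and the second sample family are constructed for illustration.

```python
"""Added example: evaluate which OIDs an SNMP MIB view exposes (RFC 3415 rules)."""


def parse_oid(text):
    """Turn a dotted OID such as '1.3.6.1.5.4.3.4' into a tuple of integers."""
    parts = text.strip().strip(".").split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted OID: {text!r}")
    return tuple(int(p) for p in parts)


def parse_mask(mask_hex, length):
    """Expand a hex mask into one flag per sub-identifier (True = must match)."""
    # The manual requires an even number of hex characters, 2 to 32.
    if len(mask_hex) % 2 or not 2 <= len(mask_hex) <= 32:
        raise ValueError("mask must be an even number of hex characters, 2 to 32")
    raw = bytes.fromhex(mask_hex)
    # Most significant bit of the first byte covers the first sub-identifier.
    bits = [bool(byte & (0x80 >> i)) for byte in raw for i in range(8)]
    # Sub-identifiers beyond the end of the mask must match exactly.
    bits += [True] * max(0, length - len(bits))
    return bits[:length]


def in_subtree(oid, subtree, mask_hex=None):
    """True if oid falls inside the (subtree, mask) family."""
    oid_ids, sub_ids = parse_oid(oid), parse_oid(subtree)
    if len(oid_ids) < len(sub_ids):
        return False  # an OID shorter than the subtree can never be inside it
    if mask_hex:
        bits = parse_mask(mask_hex, len(sub_ids))
    else:
        bits = [True] * len(sub_ids)
    # A 0 bit in the mask makes that position a wildcard.
    return all(o == s for o, s, must in zip(oid_ids, sub_ids, bits) if must)


def view_allows(oid, families):
    """Decide access for oid given (subtree, mask_hex, included) families.

    Among the families that match, the one with the longest subtree wins;
    ties go to the lexicographically greatest subtree. No match means deny.
    """
    matches = [
        (len(parse_oid(subtree)), parse_oid(subtree), included)
        for subtree, mask_hex, included in families
        if in_subtree(oid, subtree, mask_hex)
    ]
    if not matches:
        return False
    return max(matches)[2]


# Constructed sample view: the manual's view-a family plus a hypothetical
# excluded family carved out of it.
VIEW_A = [
    ("1.3.6.1.5.4.3.4", "FE", True),
    ("1.3.6.1.5.4.3.7.1", None, False),
]

if __name__ == "__main__":
    for candidate in (
        "1.3.6.1.5.4.3.4",
        "1.3.6.1.5.4.3.9.1",
        "1.3.6.1.5.4.3.7.1.2",
        "1.3.6.1.5.4.2.4",
    ):
        print(candidate, "allowed" if view_allows(candidate, VIEW_A) else "denied")
```

Running a planned view through a check like this before applying it shows whether a wildcard bit in the mask exposes more of the MIB tree to the NMS than intended.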
Multiple SNMP versions can be running on the device at the same time to allow access of different NMSs. By default, the contact information of an S3100 Ethernet switch is "Hangzhou H3C Technologies Co., Ltd.", the geographical location is "Hangzhou China", and the SNMP version employed is SNMPv3.
Page 776
View System view Parameters trap: Enables the host to receive SNMP traps. address: Specifies the destination for the SNMP traps. udp-domain: Specifies to use UDP to communicate with the target host. ip-address: The IPv4 address of the host that is to receive the traps. ipv6 ipv6-address: Specifies the IPv6 address of the trap target host.
Specifies to send SNMP linkUp traps when a port becomes up. warmstart: Specifies to send SNMP warm start traps when SNMP is newly launched. system: Specifies to send H3C-SYS-MAN-MIB (proprietary MIB) traps. Description Use the snmp-agent trap enable command to enable a device to send SNMP traps that are of specified types.
# Before the configuration of the extended trap function, the trap information is as follows when a link is down: #Apr 2 05:53:15:883 2000 H3C L2INF/2/PORT LINK STATUS CHANGE:- 1 - Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227634, ifAdminStatus is 2, ifOperStatus is 2 #Apr 2 05:53:16:094 2000 H3C IFNET/5/TRAP:- 1 -1.3.6.1.6.3.1.1.5.3(linkDown) Interface 31...
View System view Parameters seconds: SNMP trap aging time (in seconds) to be set, ranging from 1 to 2,592,000. Description Use the snmp-agent trap life command to set the SNMP trap aging time. SNMP traps exceeding the aging time will be discarded. Use the undo snmp-agent trap life command to restore the default SNMP trap aging time.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] snmp-agent trap queue-size 200 snmp-agent trap source Syntax snmp-agent trap source interface-type interface-number undo snmp-agent trap source View System view Parameters interface-type interface-number: Interface type and interface number. The source IP address of the trap is the IP address of this interface.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 1.1.1.1 0.0.0.0
[Sysname-acl-basic-2001] rule deny source any
[Sysname-acl-basic-2001] quit
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent group v2c readCom
[Sysname] snmp-agent usm-user v2c userv2c readCom acl 2001
Specify the SNMP version of the NMS with an IP address 1.1.1.1 as SNMPv2c, and fill the write community name field with userv2c.
Page 783
the SNMP messages with specific source addresses, thus restricting access between the NMS and the agent. local: Specifies a local entity user. engineid-string: Engine ID associated with the user, an even number of hexadecimal characters, in the range 10 to 64. Description Use the snmp-agent usm-user command to add a user to an SNMP group.
Page 784
[Sysname] snmp-agent usm-user v3 testUser testGroup authentication-mode md5 authkey privacy-mode des56 prikey On the NMS, set the version to SNMPv3, the username to testUser, the authentication algorithm to MD5, the authentication password to authkey, the privacy algorithm to DES, and the privacy password to prikey, and establish a connection with the device.
RMON Configuration Commands RMON Configuration Commands display rmon alarm Syntax display rmon alarm [ entry-number ] View Any view Parameters entry-number: Alarm entry index, in the range 1 to 65535. Description Use the display rmon alarm command to display the configuration of a specified alarm entry or all the alarm entries.
Field | Description
Sampling interval | Sampling interval, in seconds. The system performs absolute or delta sampling on the sampled node at this interval.
Rising threshold | Rising threshold. When the sampled value equals or exceeds the rising threshold, an alarm is triggered.
Falling threshold.
Event table 1 owned by user1 is VALID.
Description: null.
Will cause log-trap when triggered, last triggered at 0days 00h:02m:27s.
Table 2-2 display rmon event command output description
Field | Description
Event table | Index of an entry in the RMON event table
VALID | The status of the entry identified by the index is valid.
less than(or =) 100 with alarm value 0.
Alarm sample type is absolute.
Table 2-3 display rmon eventlog command output description
Field | Description
Event table | Index of an entry in the RMON event table
VALID | The status of the entry identified by the index is valid.
History control entry 1 owned by user1 is VALID Samples interface : Ethernet1/0/1<ifIndex.4227625> Sampling interval : 5(sec) with 10 buckets max Latest sampled values : Dropevents , octets : 10035 packets : 64 , broadcast packets : 35 multicast packets : 8 , CRC alignment errors : 0 undersize packets : 0 , oversize packets...
Page 790
View Any view Parameters prialarm-entry-number: Extended alarm entry Index, in the range 1 to 65,535. Description Use the display rmon prialarm command to display the configuration of an RMON extended alarm entry. If you do not specify the prialarm-entry-number argument, the configuration of all the extended alarm entries is displayed.
Field | Description
Linked with event | Event index corresponding to an alarm
When startup enables: risingOrFallingAlarm | The condition under which an alarm is triggered, which can be: risingOrFallingAlarm: An alarm is triggered when the rising or falling threshold is reached. risingAlarm: An alarm is triggered when the rising threshold is reached.
Page 793
Parameters entry-number: Index of the alarm entry to be added/removed, in the range 1 to 65535. alarm-variable: Alarm variable, a string comprising 1 to 256 characters in dotted node OID format (such as 1.3.6.1.2.1.2.1.10.1). Only the variables that can be resolved to ASN.1 INTEGER data type (that is, INTEGER, Counter, Gauge, or TimeTicks) can be used as alarm variables.
Comparison | Operation
The sample value is smaller than the set lower threshold (threshold-value2) | Triggering the event identified by the event-entry2 argument
Before adding an alarm entry, you need to use the rmon event command to define the events to be referenced by the alarm entry.
Page 795
description string: Specifies the event description, a string of 1 to 127 characters. log: Logs events. trap: Sends traps to the NMS. trap-community: Community name of the NMS that receives the traps, a string of 1 to 127 characters. log-trap: Logs the event and sends traps to the NMS. log-trapcommunity: Community name of the NMS that receives the traps, a character string of 1 to 127 characters.
Description Use the rmon history command to add an entry to the history control table. If you do not specify the owner text keyword/argument combination, the owner of the entry is displayed as “null”. Use the undo rmon history command to remove an entry from the history control table. You can use the rmon history command to sample a specific port.
Page 797
threshold-value2: Lower threshold, in the range 0 to 2147483647. event-entry2: Index of the event entry that corresponds to the falling threshold, in the range 0 to 65535. forever: Specifies the corresponding RMON alarm instance is valid permanently. cycle: Specifies the corresponding RMON alarm instance is valid periodically. cycle-period: Life time (in seconds) of the RMON alarm instance, in the range 0 to 2147483647.
Falling threshold: 5 Event 1 is triggered when the change ratio is larger than the rising threshold. Event 2 is triggered when the change ratio is less than the falling threshold. The alarm entry is valid forever. Entry owner: user1 <Sysname>...
Page 799
For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry was already created for a given port, you will fail to create a statistics entry with a different index for the port. You can use the display rmon statistics command to display the information about the statistics entry.
NTP Configuration Commands To protect unused sockets against attacks by malicious users and improve security, H3C S3100 series Ethernet switches provide the following functions: UDP port 123 is opened only when the NTP feature is enabled. UDP port 123 is closed when the NTP feature is disabled.
Total associations Total number of associations An S3100 series switch does not establish a session with its client when it works in the NTP server mode, but does so when it works in other NTP implementation modes. display ntp-service status...
Page 803
Parameter None Description Use the display ntp-service status command to display the status of NTP services. Example # View the status of the NTP service of the local switch. <Sysname> display ntp-service status Clock status: synchronized Clock stratum: 4 Reference clock ID: 1.1.1.11 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^18...
View Any view Parameter None Description Use the display ntp-service trace command to display the brief information of each NTP time server along the time synchronization chain from the local switch to the reference clock source. Example # View the brief information of each NTP time server along the time synchronization chain from the local switch to the reference clock source.
Page 805
synchronization: Synchronization right. This level of right permits the peer device to synchronize its clock to the local switch but does not permit the peer device to perform control query. server: Server right. This level of right permits the peer device to perform synchronization and control query to the local switch but does not permit the local switch to synchronize its clock to the peer device.
Refer to the ntp-service reliable authentication-keyid and ntp-service authentication-keyid commands for related configuration. Example # Enable the NTP authentication. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ntp-service authentication enable ntp-service authentication-keyid Syntax ntp-service authentication-keyid key-id authentication-mode md5 value undo ntp-service authentication-keyid key-id View System view...
Parameter None Description Use the ntp-service broadcast-client command to configure an Ethernet switch to operate in the NTP broadcast client mode and receive NTP broadcast messages through the current interface. Use the undo ntp-service broadcast-client command to remove the configuration. By default, no NTP operate mode is configured.
ntp-service in-interface disable Syntax ntp-service in-interface disable undo ntp-service in-interface disable View VLAN interface view Parameter None Description Use the ntp-service in-interface disable command to disable the interface from receiving NTP messages. Use the undo ntp-service in-interface disable command to restore the default. By default, the interface can receive NTP messages.
ntp-service multicast-client Syntax ntp-service multicast-client [ ip-address ] undo ntp-service multicast-client [ ip-address ] View VLAN interface view Parameter ip-address: Multicast IP address, in the range of 224.0.1.0 to 239.255.255.255. The default IP address is 224.0.1.1. Description Use the ntp-service multicast-client command to configure an Ethernet switch to operate in the NTP multicast client mode and receive NTP multicast messages through the current interface.
Description Use the ntp-service multicast-server command to configure an Ethernet switch to operate in the NTP multicast server mode and send NTP multicast messages through the current interface. Use the undo ntp-service multicast-server command to remove the configuration. By default, no NTP operate mode is configured. Example # Configure the switch to send NTP multicast messages through Vlan-interface1, and set the multicast group address to 224.0.1.2, keyid to 4, and the NTP version number to 2.
ntp-service source-interface Syntax ntp-service source-interface Vlan-interface vlan-id undo ntp-service source-interface View System view Parameter vlan-interface vlan-id: Specifies an interface. The IP address of the interface serves as the source IP address of sent NTP messages. The vlan-id argument indicates the ID of the specified VLAN interface, ranging from 1 to 4094.
source-interface Vlan-interface vlan-id: Specifies an interface whose IP address serves as the source IP address of NTP message sent to the peer. vlan-id is the VLAN interface number. version number: Specifies the NTP version number. The version number ranges from 1 to 3 and defaults to 3.
Page 813
priority: Specifies the server identified by the remote-ip or the server-name argument as the preferred server. source-interface Vlan-interface vlan-id: Specifies an interface whose IP address serves as the source IP address of NTP packets sent by the local switch to the server. version number: Specifies the NTP version number.
Page 814
Table of Contents
1 SSH Commands
  SSH Commands
    display public-key local
    display public-key peer
    display rsa local-key-pair public
    display rsa peer-public-key
    display ssh server
    display ssh server-info
    display ssh user-information
    peer-public-key end
    protocol inbound
    public-key local create
    public-key local destroy
    public-key local export rsa
    public-key local export dsa...
SSH Commands SSH Commands display public-key local Syntax display public-key local { dsa | rsa } public View Any view Parameters dsa: Displays the public key of the current switch’s DSA key pair. rsa: Displays the public key part of the current switch’s RSA key pair(s). Description Use the display public-key local command to display the public key part of the current switch’s key pairs.
75FD6A430575D97350E300A20FEB773D93D7C3565467B0CA6B95C07D3338C523743B49D82C 5EC2C9458D248955846F9C32F4D25CC92D0E831E564BBA6FAE794EEC6FCDEDB822909CC687 BEBF51F3DFC5C30D590203010001 ===================================================== Time of Key pair created: 23:48:36 2000/04/03 Key name: Sysname_Server Key type: RSA encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100BC86D8F08E101461C1231B12 2777DBE777645C81C569C004EC2FEC03C205CC7E3B5DAA38DD865C6D1FB61C91B85ED63C6F 35BAFBF9A6D2D2989C20051FF8FA31A14FCF73EC1485422E5B800B55920FC121329020E82F 2945FFAD81BE72663BF70203010001 # Display the public key of the current switch’s DSA key pair. <Sysname> display public-key local dsa public ===================================================== Time of Key pair created: 08:01:23 2000/04/02...
Page 817
Description Use the display public-key peer command to display information about locally saved public keys of SSH peers. If no key name is specified, the command displays detailed information about the locally saved public keys of all SSH peers. Sometimes the public key modulus displayed with the display public-key peer command is one bit smaller than the actual modulus.
display rsa local-key-pair public Syntax display rsa local-key-pair public View Any view Parameters None Description Use the display rsa local-key-pair public command to display the public key part of the current switch’s RSA key pair(s). If no key pair has been generated, the system prompts “% RSA keys not found”.
D0FC303F 51072D6C B5D0054D 3673EBA0 A4748984 5EBF6EBE CF6A13B1 C7858241 A2A9AA79 0203 010001 After the RSA key pair is generated, the display rsa local-key-pair public command displays two public keys (the host public key and server public key) when the S3100-EI switch is working in SSH1-compatible mode, but only one public key (the host public key) when the switch is working in SSH2 mode.
1023 1024 # Display the information about public key “abcd”. <Sysname> display rsa peer-public-key name abcd ===================================== Key name : abcd Key type : RSA Key module: 1024 ===================================== Key Code: 30819F300D06092A864886F70D010101050003818D0030818902818100B0EEC8768E310AE2 EE44D65A2F944E2E6F32290D1ECBBFFF22AA11712151FC29F1C1CD6D7937723F77103576C4 1A03DB32F32C46DEDA68566E89B53CD4DF8F9899B138C578F7666BFB5E6FE1278A84EC8562 A12ACBE2A43AF61394276CE5AAF5AF01DA8B0F33E08335E0C3820911B90BF4D19085CADCE0 B50611B9F6696D31930203010001 display ssh server Syntax display ssh server { session | status } View Any view...
SSH connection timeout : 60 seconds SSH Authentication retries : 3 times SFTP Server: Disable SFTP idle timeout : 10 minutes If you use the ssh server compatible-ssh1x enable command to configure the server to be compatible with SSH1.x clients, the SSH version will be displayed as 1.99. If you use the undo ssh server compatible-ssh1x command to configure the server to be not compatible with SSH1.x clients, the SSH version will be displayed as 2.0.
If an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for authentication. In case the authentication fails, you can use the display ssh server-info command to view whether the locally saved public key of the server is correct. Related commands: ssh client assign, ssh client first-time enable.
peer-public-key end Syntax peer-public-key end View Public key view Parameters None Description Use the peer-public-key end command to return from public key view to system view. Related commands: rsa peer-public-key, public-key-code begin, public-key peer. Examples # Exit public key view. <Sysname>...
As SSH clients access the SSH server through VTY user interfaces, you need to configure the VTY user interfaces of the SSH server to support remote SSH login. If you have configured a user interface to support the SSH protocol, to ensure a successful login to the user interface, you must configure AAA authentication for the user interface by using the authentication-mode scheme command.
Page 825
The configuration of this command can survive a reboot. You only need to configure it once. Related commands: public-key local destroy, display public-key local. Examples # Create an RSA key pair of 512 bits. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] public-key local create rsa The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes. Input the bits in the modulus[default = 1024]:512 Generating keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+..+.......+..+....+.....+...+..+....+..+..+....+..+...+..+..+..+....+..+......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* ..# Display the public key of the DSA key pair. [Sysname]display public-key local dsa public ===================================================== Time of Key pair created: 03:17:33...
Examples # Destroy the RSA key pair of the current switch. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] public-key local destroy rsa % Confirm to destroy these keys? [Y/N]:y .. # Destroy the DSA key pair of the current switch. <Sysname> system-view System View: return to User View with Ctrl+Z.
Related commands: public-key local create, rsa local-key-pair create. Examples # Generate an RSA key pair. <Sysname> system-view [Sysname] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes.
Page 829
Description Use the public-key local export dsa command to display the public key of the current switch’s DSA key pair on the screen or export it to a specified file. If you specify a filename, the public key will be exported to the file and the file will be saved. If you do not specify any filename, the public key will be displayed on the screen.
---- END SSH2 PUBLIC KEY ---- # Export the public key in OpenSSH format. <Sysname> system-view [Sysname] public-key local export dsa openssh key.pub public-key peer Syntax public-key peer keyname undo public-key peer keyname View System view Parameters keyname: Name of the public key, a string of 1 to 64 characters. Description Use the public-key peer command to enter public key view.
View System view Parameters keyname: Name of the public key, a string of 1 to 64 characters. filename: Name of a public key file, a string of 1 to 142 characters. For file naming rules, refer to File System Management Command. Description Use the public-key peer import sshkey command to import a peer public key from the public key file.
Related commands: rsa peer-public-key, public-key peer, public-key-code end. Examples # Enter public key edit view and input a public key. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rsa peer-public-key Switch003 RSA public key view: return to System View with "peer-public-key end". [Sysname-rsa-public-key] public-key-code begin RSA key code view: return to last view with "public-key-code end".
......++++++ ..++++++ .........++++++++ ...++++++++ ..Done! # Display the public key part of the current switch’s RSA key pair(s). [Sysname] display rsa local-key-pair public ===================================================== Time of Key pair created: 02:31:51 2000/04/09 Key name: Sysname_Host Key type: RSA encryption Key ===================================================== Key code: 308188 028180...
View System view Parameters None Description Use the rsa local-key-pair destroy command to destroy the current switch’s RSA key pair. Related commands: rsa local-key-pair create. Examples # Destroy the current switch’s RSA key pair. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rsa local-key-pair destroy % The local-key-pair will be destroyed.
Examples # Enter Switch002 public key view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rsa peer-public-key Switch002 RSA public key view: return to System View with "peer-public-key end". [Sysname-rsa-public-key] rsa peer-public-key import sshkey Syntax rsa peer-public-key keyname import sshkey filename undo rsa peer-public-key keyname View System view...
Examples # Transform the format of client public key file abc and configure a public key named 123. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rsa peer-public-key 123 import sshkey abc ssh authentication-type default Syntax ssh authentication-type default { all | password | password-publickey | publickey | rsa } undo ssh authentication-type default View System view...
If a pair of SSH peers are both switches that support both DSA and RSA, you must configure the DSA public key of the server on the client. Related command: ssh client first-time enable. Examples # Specify the name of the DSA public key of the server (whose IP address is 192.168.0.1) as pub.ppk on the client.
By default, first-time authentication is enabled on the client. Examples # Disable first-time authentication on the client. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] undo ssh client first-time ssh server authentication-retries Syntax ssh server authentication-retries times undo ssh server authentication-retries View System view...
ssh server compatible-ssh1x enable Syntax ssh server compatible-ssh1x enable undo ssh server compatible-ssh1x View System view Parameters None Description Use the ssh server compatible-ssh1x enable command to make the server compatible with SSH1.x clients. Use the undo ssh server compatible-ssh1x command to make the server incompatible with SSH1.x clients.
Description Use the ssh server rekey-interval command to set the interval to update the RSA server keys regularly. Use the undo ssh server rekey-interval command to cancel the current configuration. By default, the update interval is zero, which indicates the system does not update the server keys. This command only takes effect on users whose client version is SSH1.
ssh user Syntax ssh user username undo ssh user username View System view Parameters username: SSH user name, a string of 1 to 184 characters. It cannot contain any of these characters: slash (/), backslash (\), colon (:), asterisk (*), question mark (?), less than sign (<), greater than sign (>), and the vertical bar sign (|).
[Sysname] display ssh user-information Username Authentication-type User-public-key-name Service-type publickey 127.0.0.1 stelnet ssh user authentication-type Syntax ssh user username authentication-type { all | password | password-publickey | publickey | rsa } undo ssh user username authentication-type View System view Parameters username: SSH user name, a string of 1 to 184 characters. It cannot contain any of these characters: slash (/), backslash (\), colon (:), asterisk (*), question mark (?), less than sign (<), greater than sign (>), and the vertical bar sign (|).
You need to specify the authentication mode for an SSH user. Otherwise, the user will not be able to log in to the SSH server. Related commands: display ssh user-information. Examples # Specify the publickey authentication for SSH users. <Sysname> system-view System View: return to User View with Ctrl+Z.
Examples # Specify that user kk can access SFTP service. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ssh user kk service-type sftp # Display SSH user information. [Sysname] display ssh user-information Username Authentication-type User-public-key-name Service-type publickey null sftp ssh2...
md5_96: HMAC-MD5-96 algorithm. DES (data encryption standard) is a standard data encryption algorithm. AES (advanced encryption standard) is an advanced encryption standard algorithm. Description Use the ssh2 command to start the SSH client to establish a connection with an SSH server, and at the same time specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and client.
File System Management Configuration Commands S3100 series Ethernet switches allow you to input a file path and file name in one of the following ways: In universal resource locator (URL) format, starting with “unit1>flash:/” or “flash:/”. This method is used to specify a file in the current Flash memory. For example, the URL of a file named text.txt in the root directory of the switch is unit1>flash:/text.txt or flash:/text.txt.
Description Use the cd command to enter a specified directory on the Ethernet switch. The default directory when a user logs onto the switch is the root directory of Flash memory. Example # Enter the directory named test from the root directory. <Sysname>...
delete Syntax delete [ /unreserved ] file-url delete { running-files | standby-files } [ /unreserved ] View User view Parameter /unreserved: Specifies to delete a file completely. file-url: Path name or file name of a file in the Flash memory. You can use the * character in this argument as a wildcard.
Delete the backup web file? [Y/N]: The corresponding files will be deleted after you choose yes. For deleted files whose names are the same, only the latest deleted file is stored in the recycle bin and can be restored. Example # Delete the file test/test.txt.
If executed with the file-url argument, the command will display information about files and folders in the specified directory. If executed without the file-url argument, the command will display information about files and folders in the current working directory. In the output information, files with the main, backup or main/backup attribute are tagged with special characters: main: (*) backup: (b)
execute Syntax execute filename View System view Parameter filename: Batch file, with the extension .bat. Description Use the execute command to execute the specified batch file. Executing a batch file is to execute a set of commands in the batch file one by one. Note that: A batch file cannot contain any invisible character.
View User view Parameter device: Name of a device which must be “unit1>flash:” or “flash:” for S3100 series Ethernet switches. Description Use the fixdisk command to restore space on the Flash memory. If space on the Flash memory becomes unavailable for reasons such as abnormal operations, you can run this command to restore the space.
View User view Parameter device: Name of a device which must be “unit1>flash:” or “flash:” for S3100 series Ethernet switches. Description Use the format command to format the Flash memory. The format operation clears all the files on the Flash memory, and the operation is irretrievable.
<Sysname> mkdir test ..%Created dir unit1>flash:/test. # Create subdirectory mytest in the directory test. <Sysname> mkdir test/mytest %Created dir unit1>flash:/test/mytest. more Syntax more file-url View User view Parameter file-url: Path name or file name of a file in the Flash memory. Description Use the more command to display the contents of a specified file.
move Syntax move fileurl-source fileurl-dest View User view Parameter fileurl-source: Name of the source file. fileurl-dest: Name of the target file. Description Use the move command to move a file to a specified directory. If the target file name is the same as an existing file, the existing file will be overwritten after the command is executed successfully.
<Sysname> pwd unit1>flash: rename Syntax rename fileurl-source fileurl-dest View User view Parameter fileurl-source: Original path name or file name of a file in the Flash memory. fileurl-dest: Target path name or file name. Description Use the rename command to rename a file or a directory. If the target file name or directory name is the same as an existing file name or directory name, the rename operation fails.
The files deleted by the delete command without the /unreserved keyword are moved to the recycle bin. To delete them permanently, you can use the reset recycle-bin command. Example # There are three files flash:/a.cfg, flash:/b.cfg, and flash:/test/c.cfg in the recycle bin. Permanently delete file flash:/a.cfg and flash:/b.cfg.
<Sysname> dir /all Directory of flash:/test/ drw- Dec 03 2007 18:19:09 subtest -rw- 2386 Dec 03 2007 18:43:41 [c.cfg] 7239 KB total (1934 KB free) // The above information indicates that file flash:/test/c.cfg in directory flash:/test is not deleted and is still in the recycle bin.
<Sysname> boot boot-loader boot.bin The specified file will be booted next time on unit 1! boot boot-loader backup-attribute Syntax boot boot-loader backup-attribute file-url View User view Parameter file-url: Path or the name of the app file in the Flash memory, a string comprising 1 to 64 characters. Description Use the boot boot-loader backup-attribute command to configure an app file of the device to be with the backup attribute.
The configuration of the main or backup attribute for a Web file takes effect immediately without restarting the device. After you upgrade a Web file, you need to specify the new Web file in the Boot menu after restarting the switch or specify a new Web file by using the boot web-package command. Otherwise, the Web server cannot function normally.
Example # Display information about the Web file used by the device. <Sysname>display web package The current using web package is: flash:/h3c-http3.1.5-0040.web The main web package is: unit1>flash:/h3c-http3.1.5-0040.web The backup web package is: unit1>flash:/ startup bootrom-access enable...
FTP and SFTP Configuration Commands FTP Server Configuration Commands display ftp-server Syntax display ftp-server View Any view Parameters None Description Use the display ftp-server command to display the FTP server-related settings of a switch when it operates as an FTP server, including startup status, number of users, and so on. You can use this command to verify FTP server-related configurations.
The H3C S3100 series Ethernet switch supports only one user at a time when it serves as the FTP server. display ftp-user Syntax display ftp-user View Any view Parameters None Description Use the display ftp-user command to display the information of the FTP users that have logged in to the switch, including the user name, host IP address, port number, idle timeout time, and authorized directory.
Use the ftp disconnect command to terminate the connection between a specified user and the FTP server. With an H3C S3100 series Ethernet switch acting as the FTP server, if you attempt to disconnect a user that is uploading/downloading data to/from the FTP server, the S3100 Ethernet switch will disconnect the user after the data transmission is completed.
Use the ftp server enable command to enable the FTP server function of the switch. Use the undo ftp server command to disable the FTP server function of the switch. By default, the FTP server function is disabled on the H3C S3100 series switch to avoid potential security risks.
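The SSH and FTP server commands described above can be reviewed mechanically before a command list is applied to a switch. The following Python code is an added example, not H3C code: it replays a list of system-view commands in order and reports the resulting state. The function name, rule ids and sample list are assumptions of this example, as is the treatment of the "all" authentication type as allowing password-only login.

```python
# Added example: audits a list of system-view commands (one per line).
# Command names come from the page; rule ids and judgements are assumptions.

# Assumption: "all" lets a user log in with a password alone, like "password".
PASSWORD_LOGIN_MODES = {"password", "all"}


def audit_commands(text):
    """Replay the commands in order and return [(rule_id, detail), ...]."""
    ssh1 = None          # None: never set; the default is not shown on the page
    ftp = False          # page: the FTP server is disabled by default
    first_time = True    # page: first-time authentication is enabled by default
    default_mode = None  # ssh authentication-type default <mode>
    users = {}           # SSH user name -> authentication mode (None if unset)

    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        undo = words[0] == "undo"
        if undo:
            words = words[1:]
        if words[:3] == ["ssh", "server", "compatible-ssh1x"]:
            ssh1 = not undo
        elif words[:2] == ["ftp", "server"]:
            ftp = not undo
        elif words[:3] == ["ssh", "client", "first-time"]:
            first_time = not undo
        elif words[:3] == ["ssh", "authentication-type", "default"]:
            default_mode = None if undo or len(words) < 4 else words[3]
        elif words[:2] == ["ssh", "user"] and len(words) >= 3:
            name = words[2]
            if undo and len(words) == 3:
                users.pop(name, None)              # undo ssh user <name>
            elif words[3:4] == ["authentication-type"]:
                users[name] = None if undo or len(words) < 5 else words[4]
            else:
                users.setdefault(name, None)       # e.g. "... service-type sftp"

    findings = []
    if ssh1:
        findings.append(("SSH1_COMPAT", "server accepts SSH1.x clients"))
    elif ssh1 is None:
        findings.append(("SSH1_COMPAT_UNSET",
                         "SSH1.x compatibility never set; check the device default"))
    if ftp:
        findings.append(("FTP_SERVER", "FTP server function is enabled"))
    if first_time:
        findings.append(("FIRST_TIME_AUTH",
                         "client accepts an unknown server key on first contact"))
    # Assumption: the default authentication type applies to every user
    # that has no authentication type of its own.
    for name in sorted(users):
        mode = users[name] or default_mode
        if mode is None:
            # page: a user without an authentication mode cannot log in
            findings.append(("NO_AUTH_TYPE", name))
        elif mode in PASSWORD_LOGIN_MODES:
            findings.append(("PASSWORD_LOGIN", f"{name}:{mode}"))
    return findings


# Constructed command list, not taken from a real device.
SAMPLE = """\
# constructed sample
ssh server compatible-ssh1x enable
ftp server enable
ssh user kk service-type sftp
ssh user admin authentication-type password
ssh user ops authentication-type publickey
undo ftp server
"""

if __name__ == "__main__":
    for rule_id, detail in audit_commands(SAMPLE):
        print(f"{rule_id}: {detail}")
```

Because the commands are replayed in order, the later `undo ftp server` in the sample cancels the earlier `ftp server enable`, so no FTP finding is reported for it.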
If an FTP connection between an FTP server and an FTP client breaks down abnormally and the FTP server is not aware of it, the FTP server keeps the connection. This occupies system resources and affects the login of other FTP users. You can set an idle timeout time so that the FTP server considers an FTP connection invalid and terminates it if no data is exchanged on it within the idle timeout time.
Examples # Specify to transfer text files in ASCII mode. [ftp] ascii 200 Type set to A. binary Syntax binary View FTP client view Parameters None Description Use the binary command to specify that files be transferred in binary mode, which is used for transferring program files.
Syntax cd path View FTP client view Parameters path: Path of the target directory. Description Use the cd command to change the working directory on the remote FTP server. Note that you can use this command to enter only authorized directories. Related commands: pwd.
close Syntax close View FTP client view Parameters None Description Use the close command to terminate an FTP connection without quitting FTP client view. This command has the same effect as that of the disconnect command. Examples # Terminate the FTP connection without quitting FTP client view. [ftp] close 221 Server closing.
Description Use the dir command to query specified files on a remote FTP server, or to display file information in the current directory. The output information, which includes the name, size and creation time of files, will be saved in a local file. If you do not specify the filename argument, the information about all the files in the current directory is displayed.
disconnect Syntax disconnect View FTP client view Parameters None Description Use the disconnect command to terminate an FTP connection without quitting FTP client view. This command has the same effect as that of the close command. Examples # Terminate the FTP connection without quitting FTP client view. [ftp] disconnect 221 Server closing.
[ftp] Syntax get remotefile [ localfile ] View FTP client view Parameters remotefile: Name of a file to be downloaded. localfile: File name used when a file is downloaded and saved to the local device. If this argument is not specified, the source file name is used when a file is saved and downloaded to the local device.
Description Use the lcd command to display the local working directory on the FTP client. If you have logged in to the FTP server, you cannot modify the local working directory of the FTP client; to modify the local working directory, you need to terminate the connection with the FTP server, quit FTP client view, execute the cd command in user view, and reconnect to the FTP server.
a.txt myopenssh public temp.c swithc001 226 Transfer complete. FTP: 200 byte(s) received in 0.145 second(s) 1.00Kbyte(s)/sec. mkdir Syntax mkdir pathname View FTP client view Parameters pathname: Name of the directory to be created. Description Use the mkdir command to create a directory on an FTP server. This command is available only to the FTP clients that are assigned the permission to create directories on FTP servers.
Examples # Establish a control connection with the FTP server whose IP address is 1.1.1.1 in FTP client view. [ftp]open 1.1.1.1 Trying ... Press CTRL+K to abort Connected. 220 FTP service ready. User(none):abc 331 Password required for abc Password: 230 User logged in. passive Syntax passive...
Syntax put localfile [ remotefile ] View FTP client view Parameters localfile: Name of a local file to be uploaded. remotefile: File name used after a file is uploaded and saved on an FTP server. Description Use the put command to upload a local file on an FTP client to an FTP server. If you do not specify the remotefile argument, the local file is saved on the FTP server with its original name.
This command works only when the FTP server provides the help information about FTP protocol commands. This command is always valid when an H3C series Ethernet switch operates as the FTP server. If you use other FTP server software, refer to related instructions to know whether the FTP server provides help information about FTP protocol commands.
rename Syntax rename remote-source remote-dest View FTP client view Parameters remote-source: Name of a file on a remote host. remote-dest: Destination file name. Description Use the rename command to rename a file on a remote FTP server. If the destination file name conflicts with the name of an existing file or directory, you will fail to rename the file.
Parameters username: Username used to log in to an FTP server. password: Password used to log in to an FTP server. Description Use the user command to log in to an FTP server with the specified username and password. Examples # Log in to the FTP server using the user account with the username tom and the password 111.
For the description of the numbers at the beginning of FTP output information, refer to the corresponding section in RFC 959. SFTP Server Configuration Commands sftp server enable Syntax sftp server enable undo sftp server View System view Parameters None Description Use the sftp server enable command to enable the SFTP server.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] sftp timeout 500 SFTP Client Configuration Commands Syntax View SFTP client view Parameters None Description Use the bye command to terminate a connection with the remote SFTP server and return to system view.
Examples # Change the working path to new1. sftp-client>cd new1 Received status: Success Current Directory is: /new1 sftp-client> cdup Syntax cdup View SFTP client view Parameters None Description Use the cdup command to change the working path on the remote SFTP server and return to the parent directory.
/test.txt Are you sure to delete it?(Y/N):y This operation may take a long time.Please wait... Received status: Success File successfully Removed Syntax dir [ -a | -l ] [ remote-path ] View SFTP client view Parameters -a: Displays the file and folder names in a specified directory. -l: Displays the details about files and folders in a specified directory in a list.
Description Use the exit command to terminate a connection with the remote SFTP server and return to system view. This command has the same effect as that of the commands bye and quit. Examples # Terminate a connection with the remote SFTP server. sftp-client>...
If no command is specified, this command displays all the command names. Examples # View the help information about the get command. sftp-client> help get get remote-path [local-path] Download file.Default local-path is the same with remote-path Syntax ls [ -a | -l ] [ remote-path ] View SFTP client view Parameters...
Parameters remote-path: Name of a directory on the remote SFTP server. Description Use the mkdir command to create a directory on the remote SFTP server. Examples # Create a directory named hj on the remote SFTP server. sftp-client>mkdir hj Received status: Success New directory created Syntax put local-file [ remote-file ]...
Examples # Display the working directory on the remote SFTP server. sftp-client> pwd quit Syntax quit View SFTP client view Parameters None Description Use the quit command to terminate a connection with the remote SFTP server and return to system view.
Received status: Success File successfully Removed rename Syntax rename oldname newname View SFTP client view Parameters oldname: Old file name. newname: New file name. Description Use the rename command to rename a specified file on the remote SFTP server. Examples # Change the file name temp.bat to temp.txt.
[Sysname]sftp 10.1.1.2
Input Username: kk
Trying 10.1.1.2...
Press CTRL+K to abort
Connected to 10.1.1.2 ...
The Server is not authenticated. Do you continue access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
Enter password:
sftp-client>
TFTP Configuration Commands TFTP Configuration Commands When accessing a TFTP server configured with an IPv6 address, use the tftp ipv6 command. For details, refer to the IPv6 Management part in this manual. tftp { ascii | binary } Syntax tftp { ascii | binary } View System view Parameters...
TFTP client. To enter another working directory, you need to modify the working directory on the TFTP server and log in again. The H3C S3100 series switch supports the TFTP file size negotiation function: before downloading a file, the switch requests the size of the file from the TFTP server to determine whether there is enough space on the Flash for the download.
tftp put Syntax tftp tftp-server put source-file [ dest-file ] View User view Parameters tftp-server: IP address or the host name of a TFTP server, a string of 1 to 20 characters. If the switch belongs to a cluster, the value cluster means to connect to the TFTP server of the cluster. For the configuration of the TFTP server of a cluster, refer to the Cluster part in this manual.
Examples # Specify to adopt ACL 2000 on the TFTP client. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] tftp-server acl 2000...
Information Center Configuration Commands Information Center Configuration Commands display channel Syntax display channel [ channel-number | channel-name ] View Any view Parameter channel-number: Channel number, ranging from 0 to 9, corresponding to the 10 channels of the system. channel-name: Channel name, by default, the name of channel 0 to channel 9 is (in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent, channel6, channel7, channel8, channel9.
Example # Display the operation status of information center, the configuration of information channels, the format of time stamp of the current system. <Sysname> display info-center Information Center: enabled Log host: the interface name of the source address : Vlan-interface1 192.168.0.2, channel number : 2, channel name : loghost language : english, host facility local : 7 Console:...
display logbuffer Syntax display logbuffer [ unit unit-id ] [ level severity | size buffersize ]* [ | { begin | exclude | include } regular-expression ] View Any view Parameter unit-id: Unit ID of the device, the value can only be 1. level severity: Specifies an information severity level.
Dropped messages : 0
Overwritten messages : 0
Current messages : 91
%Jun 19 18:03:24:55 2006 Sysname IC/7/SYS_RESTART: System restarted
-- The rest is omitted here.
Table 1-3 display logbuffer command output description
Field: Logging buffer configuration and contents
Description: Indicates the current state of the log buffer and its contents, which could be enabled or disabled.
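For log review outside the switch, the log buffer entry shown above can be split into its fields. The following Python code is an added example, not H3C code: the field layout (time stamp, system name, module/severity/mnemonic, text) is inferred from the single entry on the page, and the reading that a lower severity number is more severe is an assumption. The MODA and MODB lines are constructed, and the function names are this example's own.

```python
import re
from datetime import datetime

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# %Mmm dd hh:mm:ss:sss [yyyy] sysname MODULE/severity/MNEMONIC: text
# The year is optional so that year-less time stamps also parse.
LOG_RE = re.compile(
    r"^%(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}):(?P<ms>\d{1,3})"
    r"(?:\s+(?P<year>\d{4}))?\s+"
    r"(?P<host>\S+)\s+(?P<module>[^/\s]+)/(?P<sev>\d+)/(?P<mnemonic>[^:\s]+):\s?"
    r"(?P<text>.*)$"
)


def parse_log_line(line, default_year=None):
    """Return a dict of fields, or None if the line is not a log entry."""
    m = LOG_RE.match(line.strip())
    if m is None or m["mon"] not in MONTHS:
        return None
    year = int(m["year"]) if m["year"] else default_year
    when = None                     # stays None when no year is available
    if year is not None:
        try:
            # The last time field is taken as milliseconds ("55" -> 55 ms).
            when = datetime(year, MONTHS[m["mon"]], int(m["day"]), int(m["h"]),
                            int(m["mi"]), int(m["s"]), int(m["ms"]) * 1000)
        except ValueError:          # e.g. day 31 in a 30-day month
            return None
    return {"time": when, "host": m["host"], "module": m["module"],
            "severity": int(m["sev"]), "mnemonic": m["mnemonic"],
            "text": m["text"]}


def triage(lines, max_severity, default_year=None):
    """Split lines into entries at or below max_severity and unparsable lines."""
    hits, rejected = [], []
    for line in lines:
        entry = parse_log_line(line, default_year)
        if entry is None:
            rejected.append(line)   # keep these visible instead of dropping them
        elif entry["severity"] <= max_severity:
            hits.append(entry)
    return hits, rejected


SAMPLE_LINES = [
    # from the page
    "%Jun 19 18:03:24:55 2006 Sysname IC/7/SYS_RESTART: System restarted",
    # constructed lines with placeholder module and mnemonic names
    "%Jun 19 18:05:10:301 2006 Sysname MODA/3/EXAMPLE_ALARM: constructed line",
    "%Jun 19 18:06:42:007 Sysname MODB/5/EXAMPLE_NOTE: constructed, year-less stamp",
    "-- The rest is omitted here.",
]

if __name__ == "__main__":
    hits, rejected = triage(SAMPLE_LINES, max_severity=4, default_year=2006)
    for e in hits:
        print(e["time"], e["module"], e["severity"], e["mnemonic"], e["text"])
    print("unparsed:", rejected)
```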
display trapbuffer Syntax display trapbuffer [ unit unit-id ] [ size buffersize ] View Any view Parameter unit-id: Unit ID of the device, the value can only be 1. size buffersize: Specifies the size of the trap buffer (number of messages the buffer holds) you want to display.
channel-name: Channel name, up to 30 characters in length. The name must start with an English letter and contain only English letters and digits. Description Use the info-center channel name command to name the channel whose number is channel-number as channel-name.
[Sysname] info-center console channel 0 info-center enable Syntax info-center enable undo info-center enable View System view Parameter None Description Use the info-center enable command to enable the information center. Use the undo info-center enable command to disable the information center. The switch can output system information to the log host, the console, and other destinations only when the information center is enabled.
Use the undo info-center logbuffer command to disable information output to the log buffer. By default, information output to the log buffer is enabled with channel 4 (logbuffer) as the default channel and a maximum buffer size of 512. This command works only when the information center is enabled. Related command: info-center enable, display info-center.
Related command: info-center enable, display info-center. Example # Configure the system to output system information to the Unix log host whose IP address is 202.38.160.1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] info-center loghost 202.38.160.1 info-center loghost source Syntax info-center loghost source interface-type interface-number undo info-center loghost source...
Description Use the info-center monitor channel command to set the channel through which information is output to user terminals. Use the undo info-center monitor channel command to restore the default channel through which information is output to user terminals. By default, output of system information to the monitor is enabled with a default channel name of monitor and a default channel number of 1.
After you separately set the output rules for a module, you must use the module-name argument to modify or remove the rules. The new configuration by using the default keyword is invalid on the module. You can configure to output the log, trap and debugging information to the trap buffer, but the trap buffer only receives the trap information and discards the log and debugging information.
info-center synchronous Syntax info-center synchronous undo info-center synchronous View System view Parameter None Description Use the info-center synchronous command to enable synchronous information output, so that if system information (such as log information) is output when the user is inputting information, the command prompt and the input information are echoed after the output (note that, the command prompt is echoed in command edit state but is not echoed in interactive state).
Parameter log: Specifies log information. trap: Specifies trap information. debugging: Specifies debugging information. boot: Specifies to adopt the time elapsed since system boot, which is in the format of “xxxxxx.yyyyyy”, where xxxxxx is the high 32 bits and yyyyyy the low 32 bits of the elapsed milliseconds. date: The current system date and time, in the format of “Mmm dd hh:mm:ss:sss yyyy”.
Use the undo info-center timestamp loghost command to restore the default setting of time stamp format. By default, the date time stamp is adopted. Example # Set the no-year-date time stamp for the output information sent to the log host. <Sysname>...
info-center trapbuffer Syntax info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ]* undo info-center trapbuffer [ channel | size ] View System view Parameter size: Sets the size of the trap buffer. buffersize: Size of the trap buffer, represented by the number of messages it holds. It ranges from 0 to 1,024 and defaults to 256.
<Sysname> reset logbuffer reset trapbuffer Syntax reset trapbuffer [ unit unit-id ] View User view Parameter unit-id: Unit ID of the device, the value can only be 1. Description Use the reset trapbuffer command to clear information recorded in the trap buffer. Example # Clear information recorded in the trap buffer.
View User view Parameter None Description Use the terminal logging command to enable log terminal display. Use the undo terminal logging command to disable log terminal display. By default, log terminal display is enabled for console users and terminal users. Example # Disable log terminal display.
terminal trapping Syntax terminal trapping undo terminal trapping View User view Parameter None Description Use the terminal trapping command to enable trap terminal display. Use the undo terminal trapping command to disable trap terminal display. By default, trap terminal display is enabled. Example # Enable trap terminal display.
Table of Contents
1 Basic System Configuration and Debugging Commands
  Basic System Configuration Commands
    clock datetime
    clock summer-time
    clock timezone
    quit
    return
    sysname
    system-view
  System Status and Information Display Commands
    display clock
    display debugging
    display version
  System Debugging Commands
    debugging...
Basic System Configuration and Debugging Commands Basic System Configuration Commands clock datetime Syntax clock datetime HH:MM:SS { YYYY/MM/DD | MM/DD/YYYY } View User view Parameter HH:MM:SS: Current time, where HH ranges from 0 to 23, MM and SS range from 0 to 59. YYYY/MM/DD or MM/DD/YYYY: Current date, where YYYY represents year ranging from 2000 to 2099, MM represents month ranging from 1 to 12, and DD represents day ranging from 1 to 31.
one-off: Sets the summer time for only one year (the specified year). repeating: Sets the summer time for every year starting from the specified year. start-time: Start time of the summer time, in the form of HH:MM:SS. start-date: Start date of the summer time, in the form of YYYY/MM/DD or MM/DD/YYYY. end-time: End time of the summer time, in the form of HH:MM:SS.
After the setting, you can use the display clock command to check the setting. The log information time and the debugging information time adopt the local time after the time zone and the summer time have been adjusted. Related command: clock summer-time, display clock. Example # Set the local time zone named z5, which is five hours earlier than the UTC time.
System view Parameter sysname: System name of the Ethernet switch. It is a string of 1 to 30 characters. By default, it is H3C. Description Use the sysname command to set the system name of an Ethernet switch. Use the undo sysname command to restore the default system name of the Ethernet switch.
Parameter None Description Use the system-view command to enter system view from user view. Related command: quit, return. Example # Enter system view from user view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] System Status and Information Display Commands display clock Syntax display clock...
bytes SDRAM bytes Flash Memory Config Register points to FLASH Hardware Version is REV.A Bootrom Version is 506 CPLD Version is 001 [Subslot 0] 24FE Hardware Version is REV.A [Subslot 1] Hardware Version is REV.A [Subslot 2] Hardware Version is REV.A System Debugging Commands debugging Syntax...
display diagnostic-information Syntax display diagnostic-information View Any view Parameter None Description Use the display diagnostic-information command to display system diagnostic information, or save system diagnostic information to a file with the extension .diag in the Flash memory. Example # Save system diagnostic information to the file default.diag. <Sysname>...
Note that: To display the debugging information on the terminal, you need to configure both the terminal debugging and terminal monitor commands. If you execute the undo terminal monitor command, you will disable the monitoring of the log, trap, and debugging information on the current terminal. Thereby, no log, trap, or debugging information will be displayed on the terminal.
Page 934
View System view Default Level 2: System level Parameters cmdkey: The complete form of the first keyword of an existing non-undo command or the second keyword of an undo command for which an alias will be configured. alias: Specifies the command alias, which can be the same as neither the first keyword nor the starting part of an existing command on the switch.
Page 935
Examples # Display the defined command aliases and the corresponding commands. <Sysname> display command-alias Command alias is enabled index alias command key show display 1-11...
Network Connectivity Test Commands Network Connectivity Test Commands ping Syntax ping [ -a ip-address ] [ -c count ] [ -d ] [ -f ] [ -h ttl ] [ -i interface-type interface-number ] [ ip ] [ -n ] [ -p pattern ] [ -q ] [ -s packetsize ] [ -t timeout ] [ -tos tos ] [ -v ] host View Any view...
Page 937
-t timeout: Specifies the timeout time (in milliseconds) before an ICMP ECHO-REPLY packet is received after an ICMP ECHO-REQUEST packet is sent. The timeout argument ranges from 0 to 65535 ms and defaults to 2,000 ms. -tos tos: Specifies the ToS value of the ICMP ECHO-REQUEST packets in the range 0 to 255. By default, this value is 0.
tracert Syntax tracert [ -a source-ip ] [ -f first-ttl ] [ -m max-ttl ] [ -p port ] [ -q num-packet ] [ -w timeout ] string View Any view Parameter -a source-ip: Specifies the source interface IP address used by this command. -f first-ttl: Specifies the initial TTL value of the packets to be sent, so as to only display the addresses of those gateways on the path whose hop counts are not smaller than the hop count specified by the first-ttl argument.
Page 939
<Sysname> tracert 18.26.0.115 tracert to 18.26.0.115 (18.26.0.115), 30 hops max,40 bytes packet 1 128.3.112.1 (128.3.112.1) 0 ms 0 ms 0 ms 2 128.32.216.1 (128.32.216.1) 19 ms 19 ms 19 ms 3 128.32.206.1 (128.32.206.1) 39 ms 19 ms 19 ms 4 128.32.136.23 (128.32.136.23) 19 ms 39 ms 39 ms 5 128.32.168.22 (128.32.168.22) 20 ms 39 ms 39 ms 6 128.32.197.4 (128.32.197.4) 59 ms 119 ms 39 ms 7 131.119.2.5 (131.119.2.5) 59 ms 59 ms 39 ms...
Device Management Commands Device Management Commands boot boot-loader Syntax boot boot-loader [ backup-attribute ] { file-url | device-name } View User view Parameter backup-attribute: Specifies the backup attribute for a file. file-url: Path plus name of a host software file in the Flash, a string of 1 to 64 characters. device-name: File name, in the form of unit[NO.]>flash:, which is used to indicate that the specified file is stored in the Flash memory of a specified switch.
Example # Update the Boot ROM of the switch using the file named Switch.btm. <Sysname> boot bootrom Switch.btm This will update Bootrom on unit 1. Continue? [Y/N] y Upgrading Bootrom, please wait... Upgrade Bootrom succeeded! display boot-loader Syntax display boot-loader [ unit unit-id ] View Any view Parameter...
Description Use the display cpu command to display the CPU usage. Example # Display the CPU usage of this switch. <Sysname> display cpu Unit 1 Board 0 CPU busy status: 16% in last 5 seconds 16% in last 1 minute 16% in last 5 minutes Table 3-2 Description for the fields of the display cpu command Field...
Parameter None Description Use the display environment command to view the environment temperature of the switch. Note that only PoE-enabled S3100 series Ethernet switches support this command currently. Example # Display the environment temperature of the switch. <Sysname> display environment...
ID number of a fan. Description Use the display fan command to view the working states of fans in a switch. Note that only PoE-enabled S3100 series Ethernet switches support this command currently. Example # Display the working states of the fans.
display power Syntax display power [ unit unit-id [ power-id ] ] View Any view Parameter unit-id: Unit ID of a switch, the value can only be 1. power-id: Power ID. Description Use the display power command to display the working state of the power supply of the switch. Example # Display the working state of the power supply.
Page 946
Parameters interface-type interface-number: Interface type and interface number. Description Use the display transceiver alarm interface command to display the current alarm information of a single or all transceivers. If no error occurs, None is displayed. Table 3-5 shows the alarm information that may occur for the four types of transceivers. Table 3-5 Description on the fields of display transceiver alarm interface Field Remarks...
Page 947
Field Remarks TX bias low TX bias current is low. TX power high TX power is high. TX power low TX power is low. Module not ready Module is not ready. APD supply fault APD (Avalanche Photo Diode) supply fault TEC fault TEC (Thermoelectric Cooler) fault Wavelength of optical signal exceeds the manufacturer’s...
Transceiver type not supported by port Transceiver type is not supported on the port. hardware For pluggable transceivers supported by S3100 series Ethernet switches, refer to H3C S3100 Series Ethernet Switches Installation Manual. Examples # Display the alarm information of the transceiver on interface GigabitEthernet 1/1/2.
Examples # Display the currently measured value of digital diagnosis parameters of the anti-spoofing pluggable optical transceiver customized by H3C on interface GigabitEthernet 1/2/2. <Sysname> display transceiver diagnosis interface gigabitethernet 1/2/2 GigabitEthernet1/2/2 transceiver diagnostic information: Current diagnostic parameters: Temp(°C) Voltage(V)
[ interface-type interface-number ] View Any view Parameters interface-type interface-number: Interface type and interface number. Description Use the display transceiver manuinfo interface command to display part of the electrical label information of a single or all anti-spoofing pluggable transceivers customized by H3C. 3-11...
Page 951
Examples # Display part of the electrical label information of the anti-spoofing pluggable transceiver customized by H3C on interface GigabitEthernet 1/2/2. <Sysname> display transceiver manuinfo interface gigabitethernet 1/2/2 GigabitEthernet1/2/2 transceiver manufacture information: Manu. Serial Number : 213410A0000054000251 Manufacturing Date : 2006-09-01...
reboot Syntax reboot [ unit unit-id ] View User view Parameter unit-id: Unit ID of a switch, the value can only be 1. Description Use the reboot command to restart a specified Ethernet switch. Before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed.
mm/dd/yyyy or yyyy/mm/dd: Reboot date, where yyyy (year) ranges from 2,000 to 2,099, mm (month) ranges from 1 to 12, and the range of dd (day) depends on the specific month. You cannot set the date 30 days later than the system current date. Description Use the schedule reboot at command to schedule a reboot on the current switch and set the reboot date and time.
Parameter hh:mm: Reboot waiting delay, where hh ranges from 0 to 720, and mm ranges from 0 to 59. The value of hh:mm can be up to 720:00. mm: Reboot waiting delay, ranging from 0 to 43,200 minutes. Description Use the schedule reboot delay command to schedule a reboot on the switch, and set the reboot waiting delay.
Page 955
period: Reboot period of the switch, in the format period = { daily | { monday | tuesday | wednesday | thursday | friday | saturday | sunday }* }. daily indicates the reboot period is one day, that is, the switch reboots at a specified time every day.
Page 956
Use the undo system-monitor enable command to disable real-time monitoring of the running status of the system. This function enables you to dynamically record the system running status, such as CPU, thus facilitating analysis and solution of the problems of the device. By default, real-time monitoring of the running status of the system is enabled.
Scheduled Task Configuration Commands Scheduled Task Configuration Commands display job Syntax display job [ job-name ] View Any view Default Level 1: Monitor level Parameters job-name: Name of a scheduled task, a string of 1 to 32 characters. When executed without the job-name argument, the command displays configuration of all the scheduled tasks;...
Page 958
View System view Default Level 3: Manage level Parameters job-name: Name of a scheduled task, a string of 1 to 32 characters. You can configure multiple scheduled tasks, with each task uniquely identified by the string. You can create up to 100 scheduled tasks.
Page 959
one-off: Specifies that the specified command(s) are executed only once, that is, they are executed when the time is reached and will not be executed when the time is reached again. repeating: Executes the specified command(s) repeatedly. at time: Time when a specified command is executed, in the format of hh:mm.
Page 960
[Sysname-job-phone] time 5 one-off delay 5:00 command undo poe enable view Syntax view view undo view View Scheduled task view Default Level 3: Manage level Parameters view: View name, a string of 1 to 90 characters, used to specify in which view the specified command(s) in a scheduled task will be executed.
VLAN-VPN Configuration Commands VLAN-VPN Configuration Commands display port vlan-vpn Syntax display port vlan-vpn View Any view Parameters None Description Use the display port vlan-vpn command to display the information about VLAN-VPN configuration of the current system. Related commands: vlan-vpn enable, vlan-vpn inner-cos-trust, vlan-vpn tpid. Examples # Display the VLAN-VPN configuration of the current system.
vlan-vpn enable Syntax vlan-vpn enable undo vlan-vpn View Ethernet port view Parameters None Description Use the vlan-vpn enable command to enable the VLAN-VPN feature for a port. Use the undo vlan-vpn command to disable the VLAN-VPN feature for a port. By default, the VLAN-VPN feature is disabled.
Page 964
Syntax vlan-vpn tpid value undo vlan-vpn tpid View System view Parameters value: User-defined TPID value (in hexadecimal format), in the range 0x0001 to 0xFFFF. Description Use the vlan-vpn tpid command to set the global TPID value. With the TPID value set, the port fills the value to the TPID field of the outer tag to be added for a packet and, upon receiving a packet, compares the TPID value with the TPID field of the packet to determine whether the packet carries a VLAN tag or not.
Selective QinQ Configuration Commands This chapter is only applicable to S3100-EI series switches. Selective QinQ Configuration Commands raw-vlan-id inbound Syntax raw-vlan-id inbound vlan-id-list undo raw-vlan-id inbound { all | vlan-id-list } View QinQ view Parameters vlan-id-list: Lists of VLAN IDs. After receiving packets of these VLANs, the switch will encapsulate the packets with the specified outer VLAN tag.
A packet cannot be tagged with different outer VLAN tags. To change the outer VLAN tag of a packet, you need to remove the existing outer VLAN tag configuration and configure a new outer VLAN tag. Before configuring this command in QinQ view, you need to use the vlan-vpn vid command to configure the outer VLAN tag to be used in the selective QinQ policy.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] vlan-vpn vid 20 [Sysname-vid-20] raw-vlan-id inbound 2 to 14 vlan-vpn selective enable Syntax vlan-vpn selective enable undo vlan-vpn selective enable View Ethernet port view Parameter None Description Use the vlan-vpn selective enable command to enable the selective QinQ feature on a port. With the selective QinQ feature enabled, packets carrying specific inner VLAN tags are tagged with specific outer VLAN tags according to the VLAN tag mapping rules defined.
BPDU Tunnel Configuration Commands This chapter is only applicable to the S3100-EI series Ethernet switches. BPDU Tunnel Configuration Commands bpdu-tunnel Syntax bpdu-tunnel protocol-type undo bpdu-tunnel { protocol-type | all } View Ethernet port view Parameters protocol-type: Protocol type, packets of which will be transmitted through a BPDU tunnel. This argument can be a keyword listed in Table 3-1.
Value Description Enable/Disable BPDU tunnel for VLAN trunk protocol (VTP). Enable/Disable BPDU tunnel for uni-directional udld link direction (UDLD). all: Disables BPDU tunnel for all protocol packets. Description Use the bpdu-tunnel command to enable BPDU tunnel on a port, so that packets of the specified protocol will be transparently transmitted through the BPDU tunnel on the port.
View System view Parameters mac-address: Destination MAC address to be assigned to the protocol packets transmitted along a BPDU tunnel. This argument must be a multicast MAC address. Description Use the bpdu-tunnel tunnel-dmac command to configure the destination MAC address for protocol packets transmitted along a BPDU tunnel.
Page 971
Description Use the display bpdu-tunnel command to display the private multicast MAC address configured for protocol packets transmitted along the BPDU tunnel(s). Related commands: bpdu-tunnel tunnel-dmac. Examples # Display the private multicast MAC address configured for packets transmitted along the BPDU tunnel(s).
Page 973
VLAN Mapping Configuration Commands VLAN mapping is only applicable to S3100-EI series switches among the S3100 series. One-to-One VLAN Mapping Configuration Commands vlan-mapping Syntax vlan-mapping vlan old-vlan-id remark new-vlan-id undo vlan-mapping vlan old-vlan-id View System view, Ethernet port view Parameter vlan old-vlan-id: Specifies the original VLAN ID for one-to-one VLAN mapping.
Page 974
You cannot enable one-to-one VLAN mapping on a member port of a link aggregation group. One-to-one VLAN mapping and the protocol-based VLAN function are mutually exclusive on the same port. One-to-one VLAN mapping is mutually exclusive with many-to-one VLAN mapping. With many-to-one VLAN mapping enabled on a port, you cannot enable one-to-one VLAN mapping on any other port.
Page 975
By default, one-to-one VLAN mapping is disabled. With a port-level one-to-one VLAN mapping rule configured for a port, one-to-one VLAN mapping is enabled on the port at the same time. In this case, the vlan-mapping enable command cannot be used to enable one-to-one VLAN mapping again. One-to-one VLAN mapping and the protocol-based VLAN function are mutually exclusive on the same port.
Page 976
Many-to-one VLAN mapping is mutually exclusive with one-to-one VLAN mapping. With many-to-one VLAN mapping enabled on any port, you cannot enable one-to-one VLAN mapping on any other port. Examples # Define a many-to-one VLAN mapping rule on Ethernet 1/0/1 to map original VLANs 1000 through 1002 to VLAN 1010.
Page 977
# Enable port Ethernet 1/0/1 to add Option 82 carrying the original VLAN information to the DHCP requests. <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] dhcp-snooping information ignore-vlanmapping...
HWPing Commands HWPing Client Commands adv-factor Syntax adv-factor adv-number undo adv-factor View HWPing test group view Parameters adv-number: Advantage factor, used to count Mos and ICPIF value in a jitter voice test. It is in the range 0 to 20 and defaults to 0. Description Use the adv-factor command to configure the advantage factor which is used to count Mos and ICPIF value in a jitter voice test.
Description Use the count command to set the number of probes in each HWPing test. Use the undo count command to restore the default. For tests except jitter test, only one packet is sent in a probe. In a jitter test, you can use the jitter-packetnum command to set the number of packets to be sent in a probe.
Test type Code type Reserved bytes jitter None First 68 bytes jitter G.711 A-Law First 16 bytes jitter G.711 μ-Law First 16 bytes jitter G.729 A-Law First 16 bytes Examples # Configure a packet padding string 12 ab cd. <Sysname> system-view System View: return to User View with Ctrl+Z.
description Syntax description string undo description View HWPing test group view Parameters string: Brief description about a test operation. By default, no description is configured. Description Use the description command to briefly describe a test operation. Use the undo description command to delete the configured description. Examples # Describe a test group as “icmp-test”.
Page 984
System View: return to User View with Ctrl+Z [Sysname] hwping administrator icmp [Sysname-hwping-administrator-icmp] test-type icmp [Sysname-hwping-administrator-icmp] destination-ip 169.254.10.3 destination-port Syntax destination-port port-number undo destination-port View HWPing test group view Parameters port-number: Destination port number for an HWPing test, in the range of 1 to 50000. Description Use the destination-port command to configure a destination port number for an HWPing test.
Page 985
jitter: Displays the jitter test information. administrator-name: Name of the administrator who created the HWPing test operation, a string of 1 to 32 characters. operation-tag: Operation tag, a string of 1 to 32 characters. Description Use the display hwping command to display the result of the last HWPing test or the history of HWPing tests.
Page 986
Field Description Other operation errors Number of other errors Operation timeout number Number of time-out occurrences in a test Connection fail number Number of failures to connect with the remote end Drop operation number Number of system resource allocation failures # Display the history records of HWPing tests.
Page 987
Last succeeded test time: 2000-4-2 3:45:36.8 Extend result: SD Maximal delay: 0 DS Maximal delay: 0 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Http result:...
Page 988
Extend result: SD Maximal delay: 10 DS Maximal delay: 10 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Jitter result: RTT Number:100...
Page 989
Field Description Negative DS Number Number of negative jitter delays from the destination to the source Sum of absolute values of negative jitter delays from the source to the Negative SD Sum destination Sum of absolute values of negative jitter delays from the destination to the Negative DS Sum source Negative SD average...
The description of a given field applies to the test results of all types of tests, so the output information of each type of test is not described separately here. display hwping statistics Syntax display hwping statistics [ administrator-name operation-tag ] View Any view Parameters...
Page 991
Negative SD Square Sum:0 Negative DS Square Sum:0 SD lost packets number:0 DS lost packet number:0 SD packet lost in test:0% DS packet lost in test:0% Unknown result lost packet number:0 Table 1-8 Description on fields in the output of the display hwping statistics command Field Description Start time...
undo dns-server View HWPing test group view Parameters ip-address: IP address to be assigned to a domain name server (DNS). Description Use the dns-server command to configure the IP address of a DNS server. Use the undo dns-server command to remove the IP address of a DNS server. By default, no DNS server IP address is configured.
This command applies to DNS tests only. Examples # Configure the domain name to be resolved as www.test.com. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] hwping administrator dns [Sysname-hwping-administrator-dns] test-type dns [Sysname-hwping-administrator-dns] dns resolve-target www.test.com filename Syntax filename file-name undo filename...
undo filesize View HWPing test group view Parameters size: File size, in the range 1 to 10000 Kbytes. Description Use the filesize command to configure the size of the file to be uploaded in an FTP test. Use the undo filesize command to restore the default. By default, the file size is 1000 Kbytes.
The frequency command does not apply to DHCP tests. Examples # Set the automatic test interval to 10 seconds in an ICMP test. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] hwping administrator icmp [Sysname-hwping-administrator-icmp] test-type icmp [Sysname-hwping-administrator-icmp] destination-ip 169.254.10.3 [Sysname-hwping-administrator-icmp] frequency 10 ftp-operation...
View HWPing test group view Parameters keep-time: Retaining time of the history record for a test group, which is in the range 1 to 1440 in minutes and defaults to 120 minutes. Description Use the history keep-time command to configure the retaining time of the history record for a test group.
Page 997
history-records Syntax history-records number undo history-records View HWPing test group view Parameters number: Maximum number of history records that can be saved in a test group, in the range of 0 to 50, and 50 by default. Description Use the history-records command to set the maximum number of history records that can be saved in a test group.
<Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] hwping administrator http [Sysname-hwping-administrator-http] test-type http [Sysname-hwping-administrator-http] http-operation post http-string Syntax http-string string version undo http-string View HWPing test group view Parameters string: HTTP operation string used to specify the webpage to be accessed. It can consist of 1 to 230 characters.
Description Use the hwping command to create an HWPing test group and enter HWPing test group view. If the specified HWPing test group already exists, this command leads you to HWPing test group view directly. Use the undo hwping command to delete an HWPing test group. Examples # Create an HWPing test group of which the administrator name is administrator and operation tag is icmp.
Examples # Enable HWPing client. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] hwping-agent enable hwping-agent max-requests Syntax hwping-agent max-requests max-number undo hwping-agent max-requests View System view Parameters max-number: Maximum number of concurrent tests, in the range of 1 to 5. Description Use the hwping-agent max-requests command to set the allowed maximum number of concurrent tests.
Page 1001
By default, the interval between sending jitter test packets is 20 milliseconds. Related commands: jitter-packetnum. The jitter-interval command applies to jitter tests only. Examples # Set the interval between sending jitter test packets to 30 milliseconds. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] hwping administrator jitter [Sysname-hwping-administrator-jitter] test-type jitter [Sysname-hwping-administrator-jitter] jitter-interval 30...