About This Manual Organization 3Com Switch 4510G Family Command Reference Guide is organized as follows: Volume 00-Command Command Index Index Ethernet Port 01-Access LLDP Volume GVRP IP Addressing 02-IP DHCP Relay Agent Services Volume sFlow IP Routing Table 03-IP Routing...
Conventions The manual uses the following conventions: Command conventions Convention Boldface italic { x | y | ... } [ x | y | ... ] { x | y | ... } * [ x | y | ... ] * &<1-n>...
Related Documentation In addition to this manual, each 3Com Switch 4510G documentation set includes the following: Manual 3Com Switch 4510G Family Configuration Guide-Release 2202 3Com Switch 4510G Family Getting Started Guide Obtaining Documentation You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
Appendix A Command Index The command index includes all the commands in the Command Manual, which are arranged alphabetically. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z access-limit access-limit enable accounting...
display voice vlan oui display voice vlan state display web users dldp authentication-mode dldp delaydown-timer dldp enable dldp interval dldp reset dldp unidirectional-shutdown dldp work-mode dns domain dns proxy enable dns resolve dns server dns server ipv6 domain domain default enable domain ring dot1x dot1x authentication-method...
interface bridge-aggregation interface vlan-interface ip (PKI entity view) ip address ip address ip address bootp-alloc ip address dhcp-alloc ip check source ip forward-broadcast (interface view) ip forward-broadcast (system view) ip host ip http acl ip http enable ip http port ip https acl ip https certificate access-control-policy ip https enable...
oam mode open open ipv6 operation (FTP test type view) operation (HTTP test type view) operation interface organization organization-unit output-delay overflow-replace (IGMP-Snooping view) overflow-replace (MLD-Snooping view) packet-filter packet-filter ipv6 parity passive password password (FTP test type view) patch active patch deactive patch delete patch install patch load...
pki delete-certificate pki domain pki entity pki import-certificate pki request-certificate domain pki retrieval-certificate pki retrieval-crl domain pki validate-certificate pki-domain port port port port (IPv6 multicast VLAN view) port (multicast VLAN view) port access vlan port hybrid ip-subnet-vlan vlan port hybrid protocol-vlan port hybrid pvid vlan port hybrid vlan port link-aggregation group...
Ethernet Port Configuration Commands Ethernet Port Configuration Commands broadcast-suppression Syntax broadcast-suppression { ratio | pps max-pps } undo broadcast-suppression View Ethernet port view, port group view Default Level 2: System level Parameters ratio: Maximum percentage of broadcast traffic to the total transmission capability of an Ethernet port. The smaller the ratio, the less broadcast traffic is allowed to pass through the interface.
If you execute this command in Ethernet port view, the configuration takes effect only on the current interface. If you execute this command in port-group view, the configuration takes effect on all the ports in the port group. When broadcast traffic exceeds the broadcast traffic threshold, the system begins to discard broadcast packets until the broadcast traffic drops below the threshold to ensure operation of network services.
letters), special English characters, spaces, and other characters or symbols that conform to the Unicode standard. A port description can be the mixture of English characters and other Unicode characters. The mixed description cannot exceed the specified length. To use a type of Unicode characters or symbols in a port description, you need to install the corresponding Input Method Editor (IME) and log in to the device through remote login software that supports this character type.
|: Uses a regular expression to filter output information. For detailed description on regular expression, refer to Basic System Configuration in the System Volume. begin: Displays the line that matches the regular expression and all the subsequent lines. exclude: Displays the lines that do not match the regular expression. include: Displays the lines that match the regular expression.
The brief information of interface(s) under route mode: Interface Link Protocol-link Protocol type Loop0 UP(spoofing) NULL0 UP(spoofing) Vlan999 # Display the brief information of all UP interfaces. <Sysname> display brief interface | include UP The brief information of interface(s) under route mode: Interface Link Protocol-link Protocol type...
Field Duplex PVID display interface Syntax display interface [ interface-type [ interface-number ] ] View Any view Default Level 1: Monitor level Parameters interface-type: Type of a specified interface. interface-number: Number of a specified interface. Description Use the display interface command to display the current state of a specified interface and related information.
Multicast MAX-ratio: 100% Allow jumbo frame to pass PVID: 100 Mdi type: auto Link delay is 0(sec) Port link-type: access Tagged VLAN ID : none Untagged VLAN ID : 100 Port priority: 0 Peak value of input: 96132560 bytes/sec, at 2007-10-26 07:05:06 Peak value of output: 0 bytes/sec, at 2000-04-26 12:00:12 Last 300 seconds input: 6 packets/sec 678 bytes/sec Last 300 seconds output: 1 packets/sec 179 bytes/sec...
Field Multicast MAX-ratio PVID Mdi type Link delay Port link-type Tagged VLAN ID Untagged VLAN ID Peak value of input Peak value of output Last 300 seconds input: 0 packets/sec 0 bytes/sec Last 300 seconds output: 0 packets/sec 0 bytes/sec Input (total): 61745144 packets, 12152212250 bytes 0 unicasts, 47519150...
Field lost carrier - no carrier "-" indicates that the corresponding entry is not supported. display loopback-detection Syntax display loopback-detection View Any view Default Level 1: Monitor level Parameters None Description Use the display loopback-detection command to display loopback detection information on a port. If loopback detection is already enabled, this command will also display the detection interval and information on the ports currently detected with a loopback.
display packet-drop interface Syntax display packet-drop interface [ interface-type [ interface-number ] ] View Any view Default Level 1: Monitor level Parameters interface-type: Type of a specified interface. interface-number: Number of a specified interface. Description Use the display packet-drop interface command to display information about dropped packets on an interface or multiple interfaces.
Description Use the display packet-drop summary command to display information about dropped packets on all interfaces. Examples # Display information about dropped packets on all interfaces. <Sysname> display packet-drop summary All interfaces: Packets dropped by GBP full or insufficient bandwidth: 301 Packets dropped by FFP: 261 Packets dropped by STP non-forwarding state: 321 Packets dropped by Rate-limit: 143...
GigabitEthernet1/0/47 GigabitEthernet1/0/48 Table 1-5 display port combo command output description Field Combo ports of the device, represented by Combo port number, which is Combo-group generated by the system. Active Inactive Ports of the Combo ports that are inactive As for the optical port and the electrical port of a Combo port, the one with the smaller port number is active by default.
Member of group1: GigabitEthernet1/0/3 GigabitEthernet1/0/6 Member of group2: None Table 1-6 display port-group manual command output description Field Member of group display storm-constrain Syntax display storm-constrain [ broadcast | multicast ] [ interface interface-type interface-number ] View Any view Default Level 1: Monitor level Parameters broadcast: Displays the information about storm constrain for broadcast packets.
Field PortName Abbreviated port name Type of the packets for which storm constrain function is enabled, which Type can be broadcast (for broadcast packets), and multicast (for multicast packets). LowerLimit Lower threshold (in pps, Kbps or percentage) UpperLimit Upper threshold (in pps, Kbps or percentage) Action to be taken when the upper threshold is reached, which can be CtrMode block, shutdown, and N/A.
Related commands: speed. 10-Gigabit Ethernet ports do not support this command. Examples # Configure the interface GigabitEthernet 1/0/1 to work in full-duplex mode. <Sysname> system-view [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] duplex full flow-control Syntax flow-control undo flow-control View Ethernet port view Default Level 2: System level Parameters...
[Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] flow-control flow-interval Syntax flow-interval interval undo flow-interval View Ethernet port view Default Level 2: System level Parameters interval: Interval at which the interface collects statistics. It ranges from 5 to 300 seconds and must be a multiple of 5.
Description Use the group-member command to assign an Ethernet port or a list of Ethernet ports to the manual port group. Use the undo group-member command to remove an Ethernet port or a list of Ethernet ports from the manual port group. By default, there is no Ethernet port in a manual port group.
Default Level 2: System level Parameters None Description Use the jumboframe enable command to allow jumbo frames with the length of 9216 bytes to pass through an Ethernet port. Use the undo jumboframe enable command to prevent frames longer than 1522 bytes from passing through an Ethernet port.
Description Use the link-delay command to configure the suppression time of physical-link-state changes on an Ethernet port. Use the undo link-delay command to restore the default suppression time. By default, the physical-link-state change suppression time is not configured. Examples # Set the up/down suppression time of the physical connection of an Ethernet port to 8 seconds. <Sysname>...
<Sysname> system-view [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] loopback internal loopback-detection control enable Syntax loopback-detection control enable undo loopback-detection control enable View Ethernet port view Default Level 2: System level Parameters None Description Use the loopback-detection control enable command to enable loopback detection for a Trunk port or Hybrid port.
View System view, Ethernet port view Default Level 2: System level Parameters None Description Use the loopback-detection enable command to enable loopback detection globally or on a specified port. Use the undo loopback-detection enable command to disable loopback detection globally or on a specified port.
View System view Default Level 2: System level Parameters time: Time interval for performing port loopback detection, in the range 5 to 300 (in seconds). Description Use the loopback-detection interval-time command to configure the time interval for performing port loopback detection. Use the undo loopback-detection interval-time command to restore the default time interval for port loopback detection, which is 30 seconds.
Examples # Enable loopback detection in all the VLANs to which the Hybrid port GigabitEthernet 1/1 belongs. <Sysname> system-view [Sysname] loopback-detection enable [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] loopback-detection enable [Sysname-GigabitEthernet1/0/1] port link-type trunk [Sysname-GigabitEthernet1/0/1] loopback-detection per-vlan enable Syntax mdi { across | auto | normal } undo mdi View Ethernet port view...
multicast-suppression Syntax multicast-suppression { ratio | pps max-pps } undo multicast-suppression View Ethernet port view, port group view Default Level 2: System level Parameters ratio: Maximum percentage of multicast traffic to the total transmission capability of an Ethernet port, in the range 1 to 100.
If you set different suppression ratios in Ethernet port view or port-group view multiple times, the latest configuration takes effect. Do not use the multicast-suppression command along with the storm-constrain command. Otherwise, the configured multicast storm suppression ratio may become invalid. Examples # For Ethernet port GigabitEthernet 1/0/1, allow multicast traffic equivalent to 20% of the total transmission capability of GigabitEthernet 1/0/1 to pass.
<Sysname> system-view [Sysname] port-group manual group1 [Sysname-port-group-manual-group1] reset counters interface Syntax reset counters interface [ interface-type [ interface-number ] ] View User view Default Level 2: System level Parameters interface-type: Interface type. interface-number: Interface number. Description Use the reset counters interface command to clear the statistics of an interface. Before sampling network traffic within a specific period of time on an interface, you need to clear the existing statistics.
interface-number: Number of a specified interface. Description Use the reset packet-drop interface command to clear statistics of dropped packets on an interface or multiple interfaces. Sometimes when you want to collect the statistics of dropped packets on an interface, you need to clear the old statistics on the interface first. If you do not specify an interface type or interface number, this command clears statistics of dropped packets on all the interfaces on the device.
If the auto negotiation rate range specified on the local port and that on the peer are the same, for example, 100 Mbps and 1000 Mbps are specified on both ends, the result of the interface rate auto negotiation is the larger value, that is, 1000 Mbps in the example. This function is available for auto-negotiation-capable Gigabit Layer-2 Ethernet electrical ports only.
For a 10-Gigabit port, the value range is 1 to 14881000. When the threshold is set in kbps: For a Gigabit port, the value range is 1 to 1000000. For a 10-Gigabit port, the value range is 1 to 10000000. When the threshold is set in percentages, that is, keyword ratio is used, the value range is 1 to 100.
undo storm-constrain control View Ethernet port view Default Level 2: System level Parameters block: Blocks the traffic of a specific type on a port when the traffic detected exceeds the upper threshold. shutdown: Shuts down a port when a type of traffic exceeds the corresponding upper threshold. A port shut down by the storm constrain function stops forwarding all types of packets.
Default Level 2: System level Parameters seconds: Interval for generating traffic statistics, in the range 1 to 300 (in seconds). Description Use the storm-constrain interval command to set the interval for generating traffic statistics. Use the undo storm-constrain interval command to restore the default. By default, the interval for generating traffic statistics is 10 seconds.
Note that: When a suppression granularity larger than 1 is specified on the device, the value of the pps keyword should be no smaller than and an integral multiple of the granularity. The unicast suppression threshold value configured through this keyword on an Ethernet port may not be the one that actually takes effect.
virtual-cable-test Syntax virtual-cable-test View Ethernet port view Default Level 2: System level Parameters None Description Use the virtual-cable-test command to test the cable connected to the Ethernet port once and to display the testing result. The tested items include: Note that: When the cable is functioning properly, the cable length in the test result represents the total cable length;...
Link Aggregation Configuration Commands Link Aggregation Configuration Commands description Syntax description text undo description View Layer-2 aggregate interface view Default Level 2: System level Parameters text: Description of an Ethernet interface, a string of 1 to 80 characters. Currently, the device supports the following types of characters or symbols: standard English characters (numbers and case-sensitive letters), special English characters, spaces, and other characters or symbols that conform to the Unicode standard.
Examples # Set the description of interface Bridge-aggregation 1 to link-aggregation interface. <Sysname> system-view [Sysname] interface bridge-aggregation 1 [Sysname-Bridge-Aggregation1] description link-aggregation interface display lacp system-id Syntax display lacp system-id View Any view Default Level 1: Monitor level Parameters None Description Use the display lacp system-id command to display the system ID of the local system (that is, the actor).
View Any view Default Level 1: Monitor level Parameters bridge-aggregation: Displays the load sharing mode of the aggregation group corresponding to the specified Layer 2 aggregate interface. interface-number: Specifies the number of an existing aggregate interface. Description Use the display link-aggregation load-sharing mode command to display load sharing mode for link aggregation groups.
Description Use the display link-aggregation member-port command to display the detailed link aggregation information of the specified interface(s) or all interfaces if no interface is specified. For an interface in a static aggregation group, only its port number and operational key are displayed, because it is not aware of the information of the partner.
Table 2-3 display link-aggregation member-port command output description Field Flags Aggregation Interface Local: Port Number Port Priority Oper-key Flag Remote: System ID Port Number Port Priority Oper-key Flag Received LACP Packets Illegal Sent LACP Packets display link-aggregation summary Syntax display link-aggregation summary View Any view Description...
Default Level 1: Monitor level Parameters None Description Use the display link-aggregation summary command to display the summary information of all aggregation groups. You may find out that information about the remote system for a static link aggregation group is either replaced by none or not displayed at all.
undo interface bridge-aggregation interface-number View System view Default Level 2: System level Parameters interface-number: Layer-2 aggregate interface number. The value range is 1 to 128 Description Use the interface bridge-aggregation command to create a Layer-2 aggregate interface and enter the Layer-2 aggregate interface view. Use the undo interface bridge-aggregation command to remove a Layer-2 aggregate interface.
Examples # Set the LACP priority of GigabitEthernet 1/0/1 to 64. <Sysname> system-view [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] lacp port-priority 64 lacp system-priority Syntax lacp system-priority system-priority undo lacp system-priority View System view Default Level 2: System level Parameters system-priority: LACP priority of the local system, in the range of 0 to 65535. Description Use the lacp system-priority command to set the LACP priority of the local system.
Parameters destination-ip: Specifies to perform load sharing in link aggregation groups based on destination IP address. destination-mac: Specifies to perform load sharing in load-sharing link aggregation groups based on destination MAC address. destination-port: Specifies to perform load sharing in load-sharing link aggregation groups based on destination port.
View Layer 2 aggregate interface view Default Level 2: System level Parameters destination-ip: Specifies to perform load sharing in link aggregation groups based on destination IP address. destination-mac: Specifies to perform load sharing in load-sharing link aggregation groups based on destination MAC address.
Default Level 2: System level Parameters None Description Use the link-aggregation mode dynamic command to configure an aggregation group to work in dynamic aggregation mode. Use the undo link-aggregation mode command to restore the default. By default, an aggregation group works in static aggregation mode. If there is any member port in an aggregation group, you cannot modify the aggregation mode of the aggregation group.
View User view Default Level 1: Monitor level Parameters interface-type interface-number: Interface type and interface number. to: Specifies an interface range in the form of interface-type interface-number to interface-type interface-number, where the start interface number must be smaller than the end interface number. Note that both the start interface and the end interface are inclusive.
Port Isolation Configuration Commands Port Isolation Configuration Commands display port-isolate group Syntax display port-isolate group View Any view Default Level 1: Monitor level Parameters None Description Use the display port-isolate group command to display information about the default isolation group (isolation group 1).
port-isolate enable Syntax port-isolate enable undo port-isolate enable View Ethernet interface view, Layer-2 aggregate interface view, port group view Default Level 2: System level Parameters None Description Use the port-isolate enable command to add a port in Ethernet interface view or a group of ports in port group view to an isolation group as isolated ports.
# Assign Layer-2 aggregate interface Bridge-aggregation 1 and its member ports to the isolation group on a single-isolation-group device. <Sysname> system-view [Sysname] interface bridge-aggregation 1 [Sysname-Bridge-Aggregation1] quit [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port link-aggregation group 1 [Sysname-GigabitEthernet1/0/1] quit [Sysname] interface GigabitEthernet 1/0/2 [Sysname-GigabitEthernet1/0/2] port link-aggregation group 1 [Sysname-GigabitEthernet1/0/2] quit [Sysname] interface bridge-aggregation 1...
MSTP Configuration Commands MSTP Configuration Commands active region-configuration Syntax active region-configuration View MST region view Default Level 2: System level Parameters None Description Use the active region-configuration command to activate your MST region configuration. Note that: The configuration of MST region–related parameters, especially the VLAN-to-instance mapping table, will cause MSTP to launch a new spanning tree calculation process, which may result in network topology instability.
In order to avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is enabled on a port, the port will not receive or forward any BPDU packets. In this way, the switch is protected against the BPDU packet attack and the STP calculation correctness is ensured.
Description Use the check region-configuration command to view MST region configuration information not activated yet, including the region name, revision level, and VLAN-to-instance mapping settings. Note that: Two or more MSTP-enabled devices belong to the same MST region only if they are configured to have the same format selector, MST region name, the same VLAN-to-instance mapping entries in the MST region and the same MST region revision level, and they are interconnected via a physical link.
Default Level 1: Monitor level Parameters instance instance-id: Displays the status and statistics information of a particular MSTI. The minimum value of instance-id is 0, representing the common internal spanning tree (CIST), and the maximum value of instance-id is 32. interface interface-list: Displays the MSTP status and statistics information on the ports specified by a port list, in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
MSTI global parameters: MSTI ID, bridge priority of the MSTI, regional root, internal path cost, MSTI root port, and master bridge. MSTI port parameters: Port status, role, priority, path cost, designated bridge, designated port, remaining hops, and whether rapid state transition enabled (for designated ports). The statistics information includes: The number of TCN BPDUs, configuration BPDUs, RST BPDUs and MST BPDUs sent from each port...
<Sysname> display stp -------[CIST Global Info][Mode MSTP]------- CIST Bridge :32768.000f-e200-2200 Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root/ERPC :0.00e0-fc0e-6554 / 200200 CIST RegRoot/IRPC :32768.000f-e200-2200 / 0 CIST RootPortId :128.48 BPDU-Protection :disabled Bridge Config- Digest-Snooping :disabled TC or TCN received :2 Time since last TC :0 days 0h:5m:42s ----[Port1(GigabitEthernet1/0/1)][FORWARDING]---- Port Protocol...
CIST Bridge-Prio. :32768 MAC address :000f-e200-8048 Max age(s) Forward delay(s) Hello time(s) Max hops Table 4-3 display stp command output description Field CIST Bridge CIST bridge ID Major parameters for the bridge: Hello: Hello timer Bridge Times MaxAge: Max Age timer FWDly: Forward delay timer Max Hop: Max hops within the MST region CIST Root/ERPC...
Field Protection Type MST BPDU Format Port Config- Digest-Snooping Rapid transition Num of Vlans Mapped PortTimes BPDU Sent BPDU Received MSTI RegRoot/IRPC MSTI RootPortId MSTI Root Type Master Bridge Cost to Master TC received Protocol Status Protocol Std. Version CIST Bridge-Prio. MAC address Max age(s) Forward delay(s)
View Any view Default Level 1: Monitor level Parameters None Description Use the display stp abnormal-port command to view the information about abnormally blocked ports. Any of the following reasons may cause a port to be abnormally blocked: Root guard function Loop guard function MSTP BPDU format incompatibility protection function Examples...
Parameters None Description Use the display stp down-port command to display the information about ports blocked by STP protection functions. These functions include: BPDU attack guard function MSTP BPDU format frequent change protection function Examples # View the information about ports blocked by STP protection functions. <Sysname>...
Description Use the display stp history command to view the historic port role calculation information of the specified MSTI or all MSTIs. Note that: If you do not specify an MSTI ID, this command will display the historic port role calculation information of all MSTIs.
Parameters None Description Use the display stp region-configuration command to view the currently effective configuration information of the MST region, including the region name, revision level, and user-configured VLAN-to-instance mappings. Related commands: instance, region-name, revision-level, vlan-mapping modulo. Examples # View the currently effective MST region configuration information. <Sysname>...
Description Use the display stp root command to view the root bridge information of all MSTIs. Examples # View the root bridge information of all MSTIs. <Sysname> display stp root MSTID Root Bridge ID 0.00e0-fc0e-6554 Table 4-8 display stp root command output description Field MSTID Root Bridge ID...
Description Use the display stp tc command to view the statistics of TC/TCN BPDUs received and sent by all ports in an MSTI or all MSTIs. Note that: If you do not specify an MSTI ID, this command will display the statistics of TC/TCN BPDUs received and sent by all ports in all MSTIs.
Description Use the instance command to map the specified VLANs to the specified MSTI. Use the undo instance command to remap the specified VLAN or all VLANs to the CIST (MSTI 0). By default, all VLANs are mapped to the CIST. Notice that: If you specify no VLAN in the undo instance command, all VLANs mapped to the specified MSTI will be remapped to the CIST.
Related commands: region-configuration, check region-configuration, active region-configuration. Examples # Set the MST region name of the device to hello. <Sysname> system-view [Sysname] stp region-configuration [Sysname-mst-region] region-name hello reset stp Syntax reset stp [ interface interface-list ] View User view Default Level 1: Monitor level Parameters interface interface-list: Specifies a port list, in the format of interface-list = { interface-type...
View MST region view Default Level 2: System level Parameters level: MSTP revision level, in the range of 0 to 65535. Description Use the region-level command to configure the MSTP revision level. Use the undo region-level command to restore the default MSTP revision level. By default, the MSTP revision level is 0.
Description Use the stp bpdu-protection command to enable the BPDU guard function. Use the undo stp bpdu-protection command to disable the BPDU guard function. By default, the BPDU guard function is disabled. Examples # Enable the BPDU guard function. <Sysname> system-view [Sysname] stp bpdu-protection stp bridge-diameter Syntax...
stp compliance Syntax stp compliance { auto | dot1s | legacy } undo stp compliance View Ethernet interface view, port group view, Layer 2 aggregate interface view Default Level 2: System level Parameters auto: Configures the port(s) to recognize the MSTP BPDU format automatically and accordingly determine the format of MSTP BPDUs to send.
View System view, Ethernet interface view, port group view, Layer 2 aggregate interface view Default Level 2: System level Parameters None Description Use the stp config-digest-snooping command to enable Digest Snooping. Use the undo stp config-digest-snooping command to disable Digest Snooping. The feature is disabled by default.
Parameters instance instance-id: Sets the path cost of the port(s) in a particular MSTI. The minimum value of instance-id is 0, representing the CIST, and the maximum value of instance-id is 32. cost: Path cost of the port, the effective range of which depends on the path cost calculation standard adopted.
Default Level 2: System level Parameters enable: Configures the current port(s) to be an edge port or edge ports. disable: Configures the current port(s) to be a non-edge port or non-edge ports. Description Use the stp edged-port enable command to configure the port(s) as an edge port or ports. Use the undo stp edged-port command to restore the default.
Parameters None Description Use the stp enable command to enable MSTP globally in system view, on a port in interface view, or on multiple ports in port group view. Use the undo stp enable command to disable MSTP globally or on the port(s). By default, MSTP is enabled on all ports and globally.
Description Use the stp loop-protection command to enable the loop guard function on the port(s). Use the undo stp loop-protection command to restore the system default. By default, the loop guard function is disabled. Note that: Configured in Ethernet interface view, the setting takes effect on the current interface only; configured in port group view, the setting takes effect on all ports in the port group.
stp mcheck Syntax stp mcheck View System view, Ethernet interface view, Layer 2 aggregate interface view Default Level 2: System level Parameters None Description Use the stp mcheck command to carry out the mCheck operation globally or on the current port. If a port on a device running MSTP (or RSTP) connects to a device running STP, this port will automatically migrate to the STP-compatible mode.
undo stp mode View System view Default Level 2: System level Parameters stp: Configures the MSTP-enabled device to work in STP-compatible mode. rstp: Configures an MSTP-enabled device to work in RSTP mode. mstp: Configures an MSTP-enabled device to work in MSTP mode. Description Use the stp mode command to configure the MSTP work mode of the device.
Configured in Ethernet interface view, the setting takes effect on the current interface only; configured in port group view, the setting takes effect on all member ports in the port group. Configured in Layer 2 aggregate interface view, the setting takes effect only on the aggregate interface;...
Table 4-10 Link speed vs. path cost Link speed Duplex state — Single Port Aggregate Link 2 Ports 10 Mbps Aggregate Link 3 Ports Aggregate Link 4 Ports Single Port Aggregate Link 2 Ports 100 Mbps Aggregate Link 3 Ports Aggregate Link 4 Ports Single Port Aggregate Link 2 Ports...
Description Use the stp point-to-point command to configure the link type of the current port(s). Use the undo stp point-to-point command to restore the system default. The default setting is auto; namely the MSTP-enabled device automatically detects whether a port connects to a point-to-point link.
Description Use the stp port priority command to set the priority of the port(s). Use the undo stp port priority command to restore the system default. Port priority affects the role of a port in an MSTI. By default, the port priority is 128. Note that: Configured in Ethernet interface view, the setting takes effect on the current interface only;...
Use the undo stp port-log command to disable output of port state transition information for the specified MSTI or all MSTIs. This function is enabled by default. Examples # Enable output of port state transition information for MSTI 2. <Sysname> system-view [Sysname] stp port-log instance 2 %Aug 16 00:49:41:856 2006 Sysname MSTP/3/PDISC: Instance 2's GigabitEthernet1/0/1 has been set to discarding state!
stp region-configuration Syntax stp region-configuration undo stp region-configuration View System view Default Level 2: System level Parameters None Description Use the stp region-configuration command to enter MST region view. Use the undo stp region-configuration command to restore the default MST region configurations. By default, the default settings are used for all the three MST region parameters.
Description Use the stp root primary command to configure the current device as the root bridge. Use the undo stp root command to restore the system default. By default, a device is not a root bridge in any MSTI. Note that: There is only one root bridge in effect in an MSTI.
After specifying the current device as a secondary root bridge, you cannot change the priority of the device. Related commands: stp priority, stp root primary. Examples # Specify the current device as a secondary root bridge of MSTI 0. <Sysname> system-view [Sysname] stp instance 0 root secondary stp root-protection Syntax...
2: System level Parameters number: Maximum number of immediate forwarding address entry flushes that the switch can perform within a certain period of time after it receives the first TC-BPDU. The value range for the argument is 1 to 255.
By default, the device can perform a maximum of six forwarding address entry flushes within 10 seconds after it receives the first TC-BPDU. Examples # Set the maximum number of forwarding address entry flushes that the device can perform within 10 seconds after it receives the first TC-BPDU to 10.
Examples # Set the forward delay timer of the device to 2,000 centiseconds. <Sysname> system-view [Sysname] stp timer forward-delay 2000 stp timer hello Syntax stp timer hello time undo stp timer hello View System view Default Level 2: System level Parameters time: Hello time in centiseconds, ranging from 100 to 1000 at the step of 100.
stp timer max-age Syntax stp timer max-age time undo stp timer max-age View System view Default Level 2: System level Parameters time: Max age in centiseconds, ranging from 600 to 4000 at the step of 100. Description Use the stp timer max-age command to set the max age timer of the device. Use the undo stp timer max-age command to restore the system default.
View System view Default Level 2: System level Parameters factor: Timeout factor, in the range of 1 to 20. Description Use the stp timer-factor command to set the timeout factor, which decides the timeout time. Timeout time = timeout factor × 3 × hello time. Use the undo stp timer-factor command to restore the default.
Description Use the stp transmit-limit command to set the maximum transmission rate of the port(s), that is, the maximum number of BPDUs the port(s) can send within each hello time. Use the undo stp transmit-limit command to restore the system default. By default, the maximum transmission rate of all ports of the device is 10, that is, each port can send up to 10 BPDUs within each hello time.
This command maps each VLAN to the MSTI whose ID is (VLAN ID–1) %modulo + 1, where (VLAN ID-1) %modulo is the modulo operation for (VLAN ID–1). If the modulo value is 15, for example, then VLAN 1 will be mapped to MSTI 1, VLAN 2 to MSTI 2, VLAN 15 to MSTI 15, VLAN 16 to MSTI 1, and so on.
LLDP Configuration Commands LLDP Configuration Commands display lldp local-information Syntax display lldp local-information [ global | interface interface-type interface-number ] View Any view Default level 1: Monitor level Parameters global: Displays the global LLDP information to be transmitted. interface interface-type interface-number: Displays the LLDP information to be sent out the interface specified by its type and number.
FirmwareRev : 109 SoftwareRev : 5.20 Alpha 2101 SerialNum : NONE Manufacturer name : Manufacturer name Model name : Model name Asset tracking identifier : Unknown LLDP local-information of port 1[GigabitEthernet1/0/1]: Port ID subtype : Interface name Port ID : GigabitEthernet1/0/1 Port description : GigabitEthernet1/0/1 Interface Management address type Management address...
Table 5-1 display lldp local-information command output description Field Global LLDP local-information Chassis ID System name System description System capabilities supported System capabilities enabled MED information Device class MED inventory information of master board HardwareRev FirmwareRev SoftwareRev SerialNum Manufacturer name Model name Asset tracking identifier LLDP local-information of port 1...
Field Management address interface ID Management address OID Port VLAN ID(PVID) Port and protocol VLAN ID(PPVID) Port and protocol VLAN supported Port and protocol VLAN enabled VLAN name of VLAN 1 Auto-negotiation supported Auto-negotiation enabled OperMau PoE supported Link aggregation supported Link aggregation enabled Aggregation port ID Maximum frame Size...
display lldp neighbor-information Syntax display lldp neighbor-information [ brief | interface interface-type interface-number [ brief ] | list [ system-name system-name ] ] View Any view Default level 1: Monitor level Parameters brief: Displays the brief LLDP information sent by the neighboring devices. If the brief keyword is not specified, this command displays the detailed LLDP information sent by the neighboring devices.
System capabilities enabled Management address type Management address Management address interface type : IfIndex Management address interface ID Management address OID Port VLAN ID(PVID): 1 Port and protocol VLAN ID(PPVID) : 1 Port and protocol VLAN supported : Yes Port and protocol VLAN enabled VLAN name of VLAN 1: VLAN 0001 Auto-negotiation supported : Yes Auto-negotiation enabled...
Management address Management address interface type : IfIndex Management address interface ID Management address OID Port VLAN ID(PVID): 1 Port and protocol VLAN ID(PPVID) : 1 Port and protocol VLAN supported : Yes Port and protocol VLAN enabled VLAN name of VLAN 1: VLAN 0001 Auto-negotiation supported : Yes Auto-negotiation enabled : Yes...
Field Chassis type Chassis ID Port ID type Port ID Port description System name System description System capabilities supported System capabilities enabled Management address type Management address Management address interface type Management address interface ID Management address OID Port VLAN ID Port and protocol VLAN ID(PPVID) Port and protocol VLAN supported...
Field Auto-negotiation supported Auto-negotiation enabled OperMau Power port class PSE power supported PSE power enabled PSE pairs control ability Power pairs Port power classification Link aggregation supported Link aggregation enabled Aggregation port ID Maximum frame Size Location format Location Information PoE PSE power source PoE service type Port PSE Priority...
Field Unknown organizationally-defined TLV OUI TLV subtype Index TLV information Local Interface display lldp statistics Syntax display lldp statistics [ global | interface interface-type interface-number ] View Any view Default level 1: Monitor level Parameters global: Displays the global LLDP statistics. interface interface-type interface-number: Specifies a port by its type and number.
The number of LLDP TLVs discarded The number of LLDP TLVs unrecognized The number of LLDP neighbor information aged out : 0 The number of CDP frames transmitted The number of CDP frames received The number of CDP frames discarded The number of CDP error frames Table 5-3 display lldp statistics command output description Field...
Default level 1: Monitor level Parameters interface interface-type interface-number: Specifies a port by its type and number. Description Use the display lldp status command to display the LLDP status of a port. If no port is specified, this command displays the LLDP status of all the ports. Examples # Display the LLDP status of all the ports.
Field Reinit delay Transmit delay Trap interval Fast start times Port 1 Port status of LLDP Admin status Trap Flag Rolling interval Number of neighbors Number of MED neighbors Number of CDP neighbors Number of sent optional TLV Number of received unknown display lldp tlv-config Syntax display lldp tlv-config [ interface interface-type interface-number ]...
Examples # Display the advertisable TLVs of port GigabitEthernet1/0/1. <Sysname> display lldp tlv-config interface GigabitEthernet 1/0/1 LLDP tlv-config of port 1[GigabitEthernet1/0/1]: NAME Basic optional TLV: Port Description TLV System Name TLV System Description TLV System Capabilities TLV Management Address TLV IEEE 802.1 extend TLV: Port VLAN ID TLV Port And Protocol VLAN ID TLV...
Field IEEE 802.3 extended TLV LLDP-MED extend TLV lldp admin-status Syntax lldp admin-status { disable | rx | tx | txrx } undo lldp admin-status View Ethernet interface view, port group view Default level 2: System level Parameters disable: Specifies the Disable mode. A port in this mode does not send or receive LLDPDUs. rx: Specifies the Rx mode.
lldp check-change-interval Syntax lldp check-change-interval interval undo lldp check-change-interval View Ethernet interface view, port group view Default level 2: System level Parameters interval: LLDP polling interval to be set, in the range 1 to 30 (in seconds). Description Use the lldp check-change-interval command to enable LLDP polling and set the polling interval. Use the undo lldp check-change-interval command to restore the default.
Description Use the lldp compliance admin-status cdp command to configure the operation mode of CDP-compatible LLDP on a port or port group. By default, CDP-compatible LLDP operates in disable mode. To have your device work with Cisco IP phones, you must enable CDP-compatible LLDP globally and then configure CDP-compatible LLDP to work in TxRx mode on the specified port(s).
lldp enable Syntax lldp enable undo lldp enable View System view, Ethernet interface view, port group view Default level 2: System level Parameters None Description Use the lldp enable command to enable LLDP. Use the undo lldp enable command to disable LLDP. By default, LLDP is disabled globally and enabled on a port.
Use the undo lldp encapsulation command to restore the default encapsulation format for LLDPDUs. By default, Ethernet II encapsulation applies. The command does not apply to LLDP-CDP packets, which use only SNAP encapsulation. Examples # Configure the encapsulation format for LLDPDUs as SNAP on GigabitEthernet1/0/1. <Sysname>...
lldp hold-multiplier Syntax lldp hold-multiplier value undo lldp hold-multiplier View System view Default level 2: System level Parameters value: TTL multiplier, in the range 2 to 10. Description Use the lldp hold-multiplier command to set the TTL multiplier. Use the undo lldp hold-multiplier command to restore the default. The TTL multiplier defaults to 4.
Parameters None Description Use the lldp management-address-format string command to configure the encapsulation format of the management address as strings in TLVs. Use the undo lldp management-address-format command to restore the default. By default, the management address is encapsulated in the form of numbers in TLVs. Examples # Configure GigabitEthernet1/0/1 to encapsulate the management address in the form of strings in management address TLVs.
[Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] lldp management-address-tlv 192.6.0.1 lldp notification remote-change enable Syntax lldp notification remote-change enable undo lldp notification remote-change enable View Ethernet interface view, port group view Default level 2: System level Parameters None Description Use the lldp notification remote-change enable command to enable trap for a port or all the ports in a port group.
Description Use the lldp timer notification-interval command to set the interval to send LLDP trap messages. Use the undo lldp timer notification-interval command to restore the default. By default, the interval to send LLDP trap messages is 5 seconds. Examples # Set the interval to send LLDP trap messages to 8 seconds.
Default level 2: System level Parameters delay: Delay period to send LLDPDUs, in the range 1 to 8192 (in seconds). Description Use the lldp timer tx-delay command to set the delay period to send LLDPDUs. Use the undo lldp timer tx-delay command to restore the default. By default, the delay period to send LLDPDUs is 2 seconds.
Inserts the address information about the intermediate device in location identification TLVs. device-type: Device type value. A value of 0 specifies DHCP server; a value of 1 specifies switch, and a value of 2 specifies LLDP-MED endpoint. country-code: Country code, conforming to ISO 3166.
VLAN Configuration Commands VLAN Configuration Commands description Syntax description text undo description View VLAN view, VLAN interface view Default Level 2: System level Parameters text: Case-sensitive string that describes the current VLAN or VLAN interface. Spaces can be included in the description. For a VLAN, this is a string of 1 to 32 characters.
display interface vlan-interface Syntax display interface vlan-interface [ vlan-interface-id ] View Any view Default Level 1: Monitor level Parameters vlan-interface-id: VLAN interface number, in the range of the numbers of existing VLANs on the device. Description Use the display interface vlan-interface command to display information about a specified VLAN interface, or about all VLAN interfaces if no interface is specified.
Field Description The Maximum Transmit Unit Internet protocol processing : IP Packet Frame Type Hardware address IPv6 Packet Frame Type display vlan Syntax display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved | static ] View Any view Default Level...
Default Level 2: System level Parameters vlan-interface-id: VLAN interface number, in the range of 1 to 4094. Description Use the interface vlan-interface command to create a VLAN interface and enter its view or enter the view of an existing VLAN interface. Before you can create the VLAN interface of a VLAN, create the VLAN first.
VLAN configuration to ports that have passed the authentication. Some servers can send IDs or names of the issued VLANs to the switch. When there are a large number of VLANs, you can use VLAN names rather than VLAN IDs to better locate VLANs.
Examples # Configure the name of VLAN 2 as test vlan. <Sysname> system-view [Sysname] vlan 2 [Sysname-vlan2] name test vlan shutdown Syntax shutdown undo shutdown View VLAN interface view Default Level 2: System level Parameters None Description Use the shutdown command to shut down a VLAN interface. Use the undo shutdown command to bring up a VLAN interface.
View System view Default Level 2: System level Parameters vlan-id1, vlan-id2: VLAN ID, in the range 1 to 4094. vlan-id1 to vlan-id2: Specifies a VLAN range. A VLAN ID is in the range 1 to 4094. Note that vlan-id2 must be equal to or greater than vlan-id1. all: Creates or removes all VLANs except reserved VLANs.
Port-Based VLAN Configuration Commands display port Syntax display port { hybrid | trunk } View Any view Default Level 1: Monitor level Parameters hybrid: Displays hybrid ports. trunk: Displays trunk ports. Description Use the display port command to display information about the hybrid or trunk ports on the device, including the port names, default VLAN IDs, and allowed VLAN IDs.
port Syntax port interface-list undo port interface-list View VLAN view Default Level 2: System level Parameters interface interface-list: Specifies an Ethernet port list or Layer-2 aggregate interface list, in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
Parameters vlan-id: VLAN ID, in the range of 1 to 4094. Be sure that the VLAN specified by the VLAN ID already exists. Description Use the port access vlan command to assign the current access port(s) to the specified VLAN. Use the undo port access vlan command to restore the default.
Parameters vlan-id: VLAN ID, in the range of 1 to 4094. Description Use the port hybrid pvid vlan command to configure the default VLAN ID of the hybrid port. Use the undo port hybrid pvid command to restore the default. By default, the default VLAN of a hybrid port is VLAN 1.
View Ethernet interface view, port group view, Layer-2 aggregate interface view Default Level 2: System level Parameters vlan-id-list: VLANs that the hybrid ports will be assigned to. This argument is expressed in the format of [ vlan-id1 [ to vlan-id2 ] ]&<1-10>, where vlan-id ranges from 1 to 4094 and &<1-10> indicates that you can specify up to 10 VLAN IDs or VLAN ID ranges.
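The vlan-id-list format described above, [ vlan-id1 [ to vlan-id2 ] ]&<1-10> with IDs from 1 to 4094, can be checked offline before a list is typed into a port configuration. The following Python sketch is an added example, not code from the 3Com manual; the function names, the sample list and baseline, and the rule that a range may not end below its start (which this reference states for the vlan command) are assumptions.

```python
MIN_VLAN, MAX_VLAN = 1, 4094   # VLAN ID range given in the reference
MAX_ITEMS = 10                 # &<1-10>: up to 10 VLAN IDs or VLAN ID ranges


def _vlan_id(token):
    """Convert one token to a VLAN ID, rejecting anything outside 1-4094."""
    if not (token.isascii() and token.isdigit()):
        raise ValueError(f"not a VLAN ID: {token!r}")
    value = int(token)
    if not MIN_VLAN <= value <= MAX_VLAN:
        raise ValueError(f"VLAN ID out of range {MIN_VLAN}-{MAX_VLAN}: {value}")
    return value


def parse_vlan_id_list(text):
    """Parse 'vlan-id1 [ to vlan-id2 ]' items into a list of (start, end) tuples."""
    tokens = text.split()
    items = []
    i = 0
    while i < len(tokens):
        start = _vlan_id(tokens[i])
        end = start
        if i + 1 < len(tokens) and tokens[i + 1].lower() == "to":
            if i + 2 >= len(tokens):
                raise ValueError("'to' must be followed by a VLAN ID")
            end = _vlan_id(tokens[i + 2])
            # Assumption: same rule the reference gives for the vlan command.
            if end < start:
                raise ValueError(f"range end {end} is lower than start {start}")
            i += 3
        else:
            i += 1
        items.append((start, end))
    if not 1 <= len(items) <= MAX_ITEMS:
        raise ValueError(f"expected 1 to {MAX_ITEMS} items, got {len(items)}")
    return items


def expand_vlan_id_list(text):
    """Return the set of individual VLAN IDs covered by the list."""
    vlans = set()
    for start, end in parse_vlan_id_list(text):
        vlans.update(range(start, end + 1))
    return vlans


def vlans_outside_baseline(text, allowed):
    """Return, sorted, the VLAN IDs in the list that are not in the allowed set."""
    return sorted(expand_vlan_id_list(text) - set(allowed))


# Constructed sample: a list as it would follow 'port hybrid vlan', and a
# constructed baseline of VLANs that the port is expected to carry.
SAMPLE_LIST = "2 4 to 6 100"
SAMPLE_BASELINE = {2, 4, 5, 100}

if __name__ == "__main__":
    print(parse_vlan_id_list(SAMPLE_LIST))
    print(vlans_outside_baseline(SAMPLE_LIST, SAMPLE_BASELINE))
```
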
[Sysname-port-group-manual-2] port link-type hybrid [Sysname-port-group-manual-2] port hybrid vlan 2 untagged Configuring GigabitEthernet1/0/1... Done. Configuring GigabitEthernet1/0/2... Done. Configuring GigabitEthernet1/0/3... Done. Configuring GigabitEthernet1/0/4... Done. Configuring GigabitEthernet1/0/5... Done. Configuring GigabitEthernet1/0/6... Done. # Assign the hybrid Layer-2 aggregate interface Bridge-aggregation 1 and its member ports to VLAN 2, and configure them to send packets of VLAN 2 with tags removed.
configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member ports. If it fails to do that on an aggregation member port, it simply skips the port and moves to the next port.
all: Permits all VLANs to pass through the trunk port(s). On GVRP-enabled trunk ports, you must configure the port trunk permit vlan all command to ensure that the traffic of all dynamically registered VLANs can pass through. However, when GVRP is disabled on a port, you are discouraged from configuring the command on the port.
Configuring GigabitEthernet1/0/3... Done. Among the output fields above, the message “Please wait... Done” indicates that the configuration on Bridge-aggregation 1 succeeded; “Error: Failed to configure on interface GigabitEthernet1/0/2! This port is not a Trunk port!” indicates that the configuration failed on GigabitEthernet 1/0/2 because GigabitEthernet 1/0/2 was not a trunk port;...
<Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port link-type trunk [Sysname-GigabitEthernet1/0/1] port trunk pvid vlan 100 # Configure VLAN 100 as the default VLAN of the trunk Layer-2 aggregate interface Bridge-aggregation 1, assuming Bridge-aggregation 1 does not have member ports. <Sysname>...
If mac-address mac-addr is specified while mask is not specified, only the MAC address-to-VLAN entry containing the specified MAC address is displayed. Examples # Display all the MAC address-to-VLAN entries. <Sysname> display mac-vlan all The following MAC-VLAN address exist: S: Static D: Dynamic MAC ADDR MASK...
Description Use the display mac-vlan interface command to display all the ports with MAC address-based VLAN enabled. Related commands: mac-vlan enable. Examples # Display all the interfaces with MAC address-based VLAN enabled. <Sysname> display mac-vlan interface MAC VLAN is enabled on following ports: --------------------------------------- GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3 mac-vlan enable...
View System view Default Level 2: System level Parameters mac-address mac-address: Specifies a MAC address. vlan vlan-id: Specifies a VLAN ID, in the range of 1 to 4094. priority pri: Specifies the 802.1p priority value corresponding to the specified MAC address. This argument is in the range of 0 to 7.
created on a port, MAC address-to-VLAN entries configured with the mask keyword specified are matched preferentially, and the remaining VLAN entries (VLAN entries based on a single MAC address and IP subnet-based VLANs) are matched as configured by the vlan precedence command. Examples # Configure to match VLANs based on MAC addresses preferentially on GigabitEthernet 1/0/1.
Field Protocol Type display protocol-vlan vlan Syntax display protocol-vlan vlan { vlan-id1 [ to vlan-id2 ] | all } View Any view Default Level 2: System level Parameters vlan-id1: ID of the protocol-based VLAN for which information is to be displayed, in the range of 1 to 4094.
port hybrid protocol-vlan Syntax port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-end ] | all } undo port hybrid protocol-vlan { vlan vlan-id { protocol-index [ to protocol-end ] | all } | all } View Ethernet interface view, port group view, Layer-2 aggregate interface view Default Level 2: System level Parameters...
[Sysname-vlan2] quit [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port link-type hybrid [Sysname-GigabitEthernet1/0/1] port hybrid vlan 2 untagged Please wait... Done [Sysname-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 2 0 # Associate the hybrid Layer-2 aggregate interface Bridge-aggregation 1 with protocol 0 in VLAN 2, assuming that Bridge-aggregation 1 does not have member ports.
Default Level 2: System level Parameters at: Specifies the AppleTalk based VLAN. ipv4: Specifies the IPv4 based VLAN. ipv6: Specifies the IPv6 based VLAN. ipx: Specifies the IPX based VLAN. The keywords ethernetii, llc, raw, and snap are encapsulation formats for IPX. mode: Configures a user-defined protocol template for the VLAN, which could also have four encapsulation formats, namely, ethernetii, llc, raw, and snap.
Use the undo protocol-vlan command to remove the configured protocol template. By default, no VLAN is bound with any protocol template. Related commands: display protocol-vlan vlan. Do not configure a VLAN as both a protocol-based VLAN and a voice VLAN. Examples # Configure VLAN 3 as an IPv4 based VLAN.
Parameters interface-list: Specifies an Ethernet port list in the format of interface-list = { interface-type interface-number interface-number represents the port type and port number and &<1-10> indicates that you can specify up to 10 ports or port ranges. all: Displays IP subnet-based VLAN information about all the ports with IP subnet-based VLAN configured.
all: Specifies all the VLANs. Description Use the display ip-subnet-vlan vlan command to display the IP subnet information and IP subnet indexes on the specified VLAN(s). Related commands: display vlan. Examples # Display the IP subnet information of all VLANs. <Sysname>...
ip-subnet-end: End IP subnet index, in the range of 0 to 11. This argument must be greater than or equal to the beginning IP subnet index. all: Removes all the associations between VLANs and IP subnets or IP addresses. Description Use the ip-subnet-vlan command to associate the current VLAN with a specified IP subnet or IP address.
configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member ports. If it fails to do that on an aggregation member port, it simply skips the port and moves to the next port.
Isolate-User-VLAN Configuration Commands Isolate-User-VLAN Configuration Commands display isolate-user-vlan Syntax display isolate-user-vlan [ isolate-user-vlan-id ] View Any view Default Level 1: Monitor level Parameters isolate-user-vlan-id: Isolate-user-VLAN ID, in the range of 1 to 4094. Description Use the display isolate-user-vlan command to display the mapping between an isolate-user-vlan and secondary VLAN(s), and the information of these VLANs.
View System view Default Level 2: System level Parameters isolate-user-vlan-id: Isolate-user-VLAN ID, in the range 1 to 4094. secondary secondary-vlan-id [ to secondary-vlan-id ]: Specifies a secondary VLAN ID or a secondary VLAN ID range. The secondary-vlan-id argument is a secondary VLAN ID, in the range 1 to 4094. Description Use the isolate-user-vlan command to associate an isolate-user-VLAN with the specified secondary VLAN(s).
[Sysname-vlan4] port gigabitethernet 1/0/4 [Sysname-vlan4] quit [Sysname] isolate-user-vlan 2 secondary 3 to 4 isolate-user-vlan enable Syntax isolate-user-vlan enable undo isolate-user-vlan enable View VLAN view Default Level 2: System level Parameters None Description Use the isolate-user-vlan enable command to configure the current VLAN as an isolate-user-VLAN. Use the undo isolate-user-vlan enable command to remove the isolate-user-VLAN configuration for the current VLAN.
Table 8-2 display voice vlan state command output description Field Maximum of Voice VLANs Current Voice VLANs Voice VLAN security mode Voice VLAN aging time Voice VLAN enabled port and its mode PORT VLAN MODE voice vlan aging Syntax voice vlan aging minutes undo voice vlan aging View System view...
You can enable the voice VLAN feature on a hybrid or trunk port operating in automatic voice VLAN assignment mode but not on an access port operating in automatic voice VLAN assignment mode. You can configure different voice VLANs for different ports. A Switch 4510G supports up to eight voice VLANs globally.
Parameters mac-address: Source MAC address of voice traffic, in the format of H-H-H, such as 1234-1234-1234. mask oui-mask: Specifies the valid length of the OUI address by a mask in the format of H-H-H, formed by consecutive Fs and 0s, for example, FFFF-0000-0000. To filter the voice device of a specific vendor, set the mask to FFFF-FF00-0000.
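How an OUI entry and its mask select voice sources, as an added Python example that is not part of the 3Com manual: it validates a mask as a run of Fs followed by 0s and compares the masked source MAC with the masked entry. The class and function names, the strict four-digit groups and the sample entries and source addresses are assumptions constructed for illustration.

```python
import re

# Assumption: each group is written with exactly four hex digits, as in the
# reference's own examples (1234-1234-1234, FFFF-FF00-0000).
_HHH = re.compile(r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}")


def parse_hhh(text):
    """Return the 48-bit integer for an address or mask written as H-H-H."""
    if not _HHH.fullmatch(text):
        raise ValueError(f"not in H-H-H format: {text!r}")
    return int(text.replace("-", ""), 16)


def is_valid_oui_mask(text):
    """True if the mask is consecutive Fs followed only by 0s."""
    if not _HHH.fullmatch(text):
        return False
    digits = text.replace("-", "").upper()
    return re.fullmatch(r"F+0*", digits) is not None


class OuiEntry:
    """One OUI list entry: address, mask and a free-text description."""

    def __init__(self, mac_text, mask_text, description=""):
        if not is_valid_oui_mask(mask_text):
            raise ValueError(f"mask is not consecutive Fs and 0s: {mask_text!r}")
        self.mask = parse_hhh(mask_text)
        # Only the bits covered by the mask take part in the comparison.
        self.oui = parse_hhh(mac_text) & self.mask
        self.description = description

    def matches(self, src_mac_text):
        """True if the source MAC falls inside this entry's masked prefix."""
        return (parse_hhh(src_mac_text) & self.mask) == self.oui


def match_sources(entries, src_macs):
    """Map each source MAC to the description of the first matching entry, or None."""
    result = {}
    for mac in src_macs:
        hit = next((e for e in entries if e.matches(mac)), None)
        result[mac] = hit.description if hit else None
    return result


# Constructed sample data: two OUI entries and three observed source MACs.
SAMPLE_ENTRIES = [
    OuiEntry("1234-1234-1234", "FFFF-FF00-0000", "constructed vendor A"),
    OuiEntry("00AA-BB00-0000", "FFFF-0000-0000", "constructed vendor B"),
]
SAMPLE_SOURCES = ["1234-12ab-cdef", "1234-5678-9abc", "00aa-1111-2222"]

if __name__ == "__main__":
    for mac, vendor in match_sources(SAMPLE_ENTRIES, SAMPLE_SOURCES).items():
        print(mac, "->", vendor or "no OUI match")
```
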
GARP statistics on port GigabitEthernet1/0/1 Number of GVRP Frames Received Number of GVRP Frames Transmitted Number of Frames Discarded GARP statistics on port GigabitEthernet1/0/2 Number of GVRP Frames Received Number of GVRP Frames Transmitted Number of Frames Discarded display garp timer Syntax display garp timer [ interface interface-list ] View...
display gvrp local-vlan interface Syntax display gvrp local-vlan interface interface-type interface-number View Any view Default Level 0: Visit level Parameters interface interface-type interface-number: Specifies an interface by its type and number. Description Use the display gvrp local-vlan interface command to display the local VLAN information maintained by GVRP on the specified port.
GVRP state of VLAN 2 on port GigabitEthernet1/0/1 Applicant state machine Registrar state machine display gvrp statistics Syntax display gvrp statistics [ interface interface-list ] View Any view Default Level 1: Monitor level Parameters interface interface-list: Defines one or multiple Ethernet ports. You can provide up to 10 Ethernet port lists, by each of which you can specify an individual port in the form of interface-type interface-number, or a port range in the form of interface-type interface-number1 to interface-type interface-number2, where the end-port number specified by interface-number2 must be greater than the start-port number...
display gvrp status Syntax display gvrp status View Any view Default Level 1: Monitor level Parameters None Description Use the display gvrp status command to display the global enable/disable state of GVRP. Examples # Display the global GVRP enable/disable state. <Sysname>...
Operations of adding VLAN to TRUNK Operations of deleting VLAN from TRUNK garp timer hold Syntax garp timer hold timer-value undo garp timer hold View Ethernet interface view, Layer-2 aggregate interface view, port group view Default Level 2: System level Parameters timer-value: Hold timer setting (in centiseconds), which must be a multiple of 5 in the range of 10 (inclusive) and half of the Join timer setting (inclusive).
View Ethernet interface view, Layer-2 aggregate interface view, port group view Default Level 2: System level Parameters timer-value: Join timer setting (in centiseconds), which must be a multiple of 5 in the range of two times the Hold timer (inclusive) and half of the Leave timer (inclusive). When the Hold timer and the Leave timer are set to their default, the value range for the Join timer is 20 (inclusive) to 25 (inclusive).
aggregate interface, or all ports in a port group. Use the undo garp timer leave command to restore the default of the GARP Leave timer. This may fail if the default is beyond the valid value range for the Leave timer. By default, the Leave timer is set to 60 centiseconds.
gvrp Syntax gvrp undo gvrp View System view, Ethernet interface view, Layer-2 aggregate interface view, port group view Default Level 2: System level Parameters None Description Use the gvrp command to enable GVRP globally (in system view), on a port (in Ethernet or Layer-2 aggregate interface view), or on all ports in a port group (in port group view).
Parameters fixed: Sets the registration type to fixed. forbidden: Sets the registration type to forbidden. normal: Sets the registration type to normal. Description Use the gvrp registration command to configure the GVRP registration type on a port (in Ethernet or Layer-2 aggregate interface view) or all ports in a port group (in port group view).
The cleared statistics include the statistics about GVRP packets sent, received and dropped. You can use this command in conjunction with the display garp statistics command to display GARP statistics. Related commands: display gvrp statistics. Examples # Clear the GARP statistics on all ports. <Sysname>...
(SVLANs), also called outer VLANs, refer to the VLANs that a service provider uses to carry VLAN tagged traffic for customers. The selective QinQ feature of the Switch 4510G series can be achieved through the cooperation between QoS policies. For the configuration commands of traffic classes, traffic behaviors, and other QoS policy-related functions, see QoS Commands in the QoS Volume.
The nest action cannot be applied to a VLAN or globally. Related commands: qos policy, traffic behavior, classifier behavior. Examples # Configure an outer VLAN tag for a traffic behavior. <Sysname> system-view [Sysname] traffic behavior database [Sysname-behavior-database] nest top-most vlan-id 100 raw-vlan-id inbound Syntax raw-vlan-id inbound { all | vlan-list }...
[Sysname] port-group manual 1 [Sysname-port-group-manual-1] group-member gigabitethernet 1/0/1 to gigabitethernet 1/0/6 [Sysname-port-group-manual-1] qinq enable qinq ethernet-type Syntax qinq ethernet-type hex-value undo qinq ethernet-type View System view Default Level 2: System level Parameters hex-value: Hexadecimal protocol type value, in the range of 0x0001 to 0xFFFF. However, do not set it to any of the protocol type values listed in Table 10-1 Common protocol type values Protocol type...
Configuration made in system view takes effect on all ports. Examples # Set the TPID value to 0x8200 globally. <Sysname> system-view [Sysname] qinq ethernet-type 8200 qinq vid Syntax qinq vid vlan-id undo qinq vid vlan-id View Ethernet interface view, Layer-2 aggregate interface view, port group view Default Level 2: System level Parameters...
[Sysname] port-group manual 1 [Sysname-port-group-manual-1] group-member gigabitethernet 1/0/1 to gigabitethernet 1/0/6 [Sysname-port-group-manual-1] qinq vid 10
Use the undo bpdu-tunnel dot1q command to disable BPDU tunneling for a protocol on the port or ports. By default, BPDU tunneling for any protocol is disabled. Note that: Settings made in Ethernet interface view or Layer 2 aggregate interface view take effect only on the current port;...
Page 242
Parameters mac-address: Destination multicast MAC address for BPDUs, in the format of H-H-H. The allowed values are 0x0100-0CCD-CDD0, 0x010F-E200-0003. Description Use the bpdu-tunnel tunnel-dmac command to configure the destination multicast MAC address for BPDUs. Use the undo bpdu-tunnel tunnel-dmac command to restore the default value. By default, the destination multicast MAC address for BPDUs is 0x010F-E200-0003.
Port Mirroring Configuration Commands Port Mirroring Configuration Commands display mirroring-group Syntax display mirroring-group { groupid | all | local | remote-destination | remote-source } View Any view Default Level 2: System level Parameters groupid: Number of the port mirroring group to be displayed, in the range of 1 to 4. all: Displays all port mirroring groups.
monitor egress port: GigabitEthernet1/0/11 remote-probe vlan: 200 Table 12-1 Description on the fields of the display mirroring-group command Field mirroring-group type status mirroring port monitor port monitor egress port remote-probe vlan mirroring-group Syntax mirroring-group groupid { local | remote-destination | remote-source } undo mirroring-group { groupid | all | local | remote-destination | remote-source } View System view...
create the remote source mirroring group on the device where the mirroring port is located and create the remote destination mirroring group on the device where the monitor port is located. Examples # Create a local port mirroring group numbered 1. <Sysname>...
You cannot add a mirroring port for a remote destination mirroring group. When removing a mirroring port from a mirroring group, make sure the traffic direction you specified in the undo mirroring-group mirroring-port command matches the actual monitored direction of the port. Examples # Configure mirroring ports in port mirroring group 1, assuming that the mirroring group already exists.
The outbound port cannot be a member port of the current mirroring group. It is not recommended to configure STP, RSTP, MSTP, 802.1X, IGMP Snooping, static ARP and MAC address learning on the outbound mirroring port; otherwise, the mirroring function may be affected.
The destination mirroring port can be an access, trunk, or hybrid port. It must be assigned to the remote mirroring VLAN. A remote source port mirroring group cannot contain destination ports. Before configuring the destination port for a port mirroring group, make sure the port mirroring group exists.
monitor-port Syntax [ mirroring-group groupid ] monitor-port undo [ mirroring-group groupid ] monitor-port View Ethernet port view Default Level 2: System level Parameters groupid: Number of a local or remote destination mirroring group, in the range of 1 to 4. Description Use the monitor-port command to assign the current port to a local or remote destination mirroring group as the monitor port.
IP Addressing Configuration Commands IP Addressing Configuration Commands display ip interface Syntax display ip interface [ interface-type interface-number ] View Any view Default Level 1: Monitor level Parameters interface-type interface-number: Specifies an interface by its type and number. Description Use the display ip interface command to display information about a specified or all Layer 3 interfaces.
Page 257
Router advert: Router solicit: Time exceed: IP header bad: Timestamp request: Timestamp reply: Information request: Information reply: Netmask request: Netmask reply: Unknown type: Table 1-1 display ip interface command output description Field current state Line protocol current state Internet Address Broadcast address The Maximum Transmit Unit input packets, bytes, multicasts...
<Sysname> display ip interface brief vlan-interface *down: administratively down (s): spoofing Interface Vlan-interface1 Vlan-interface2 Table 1-2 display ip interface brief command output description Field *down: administratively down (s) : spoofing Interface Physical Protocol IP Address Description ip address Syntax ip address ip-address { mask | mask-length } [ sub ] undo ip address [ ip-address { mask | mask-length } [ sub ] ] View Interface view...
Page 260
mask-length: Subnet mask length, the number of consecutive ones in the mask. sub: Secondary IP address for the interface. Description Use the ip address command to assign an IP address and mask to the interface. Use the undo ip address command to remove all IP addresses from the interface. Use the undo ip address ip-address { mask | mask-length } command to remove the primary IP address.
ARP Configuration Commands ARP Configuration Commands arp check enable Syntax arp check enable undo arp check enable View System view Default Level 2: System level Parameters None Description Use the arp check enable command to enable ARP entry check. With this function enabled, the device cannot learn any ARP entry with a multicast MAC address.
Default Level 2: System level Parameters number: Maximum number of dynamic ARP entries that an interface can learn. The value is in the range 0 to 256. Description Use the arp max-learning-num command to configure the maximum number of dynamic ARP entries that an interface can learn.
The vlan-id argument is used to specify the corresponding VLAN of an ARP entry and must be the ID of an existing VLAN. In addition, the Ethernet interface following the argument must belong to that VLAN. The VLAN interface of the VLAN must have been created. Related commands: reset arp, display arp.
Page 264
Default Level 1: Monitor level Parameters all: Displays all ARP entries. dynamic: Displays dynamic ARP entries. static: Displays static ARP entries. slot slot-number: Displays the ARP entries for the specified device. If the device is in an IRF, the slot-number argument represents the member ID of the device; if the device is not in any IRF, the slot-number argument represents the device ID.
Field Aging Type Vpn-instance Name # Display the number of all ARP entries. <Sysname> display arp all count Total entry(ies): 4 display arp ip-address Syntax display arp ip-address [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] View Any view Default Level...
display arp timer aging Syntax display arp timer aging View Any view Default Level 2: System level Parameters None Description Use the display arp timer aging command to display the aging time for dynamic ARP entries. Related commands: arp timer aging. Examples # Display the aging time for dynamic ARP entries.
Description Use the reset arp command to clear ARP entries except authorized ARP entries from the ARP mapping table. With interface interface-type interface-number or slot slot-number specified, the command clears only dynamic ARP entries of the interface or the specified device in the IRF. Related commands: arp static, display arp.
Page 268
View System view Default Level 2: System level Parameters None Description Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function. Use the undo gratuitous-arp-learning enable command to disable the function. By default, the function is enabled. With this function enabled, a device receiving a gratuitous ARP packet can add the source IP and MAC addresses carried in the packet to its own dynamic ARP table if it finds that no ARP entry corresponding to the source IP address of the ARP packet exists in the cache;...
Proxy ARP Configuration Commands Proxy ARP Configuration Commands display local-proxy-arp Syntax display local-proxy-arp [ interface vlan-interface vlan-id ] View Any view Default Level 2: System level Parameters interface vlan-interface vlan-id: Displays the local proxy ARP status of the specified VLAN interface. Description Use the display local-proxy-arp command to display the status of the local proxy ARP.
Description Use the display proxy-arp command to display the proxy ARP status. If an interface is specified, proxy ARP status of the specified interface is displayed; if no interface is specified, proxy ARP status of all interfaces is displayed. Related commands: proxy-arp enable. Examples # Display the proxy ARP status on VLAN-interface 1.
Page 271
View VLAN interface view Default Level 2: System level Parameters None Description Use the proxy-arp enable command to enable proxy ARP. Use the undo proxy-arp enable command to disable proxy ARP. By default, proxy ARP is disabled. Related commands: display proxy-arp. Examples # Enable proxy ARP on VLAN-interface 2.
Parameters limit-value: Specifies the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds. It ranges from 2 to 1024. Description Use the arp source-suppression limit command to set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds.
View System view Default Level 2: System level Parameters None Description Use the arp anti-attack active-ack enable command to enable the ARP active acknowledgement function. Use the undo arp anti-attack active-ack enable command to restore the default. By default, the ARP active acknowledgement function is disabled. Typically, this feature is configured on gateway devices to identify invalid ARP packets.
Default Level 2: System level Parameters filter: Specifies the filter mode. monitor: Specifies the monitor mode. Description Use the arp anti-attack source-mac command to enable source MAC address based ARP attack detection and specify the detection mode. Use the undo arp anti-attack source-mac command to restore the default. By default, source MAC address based ARP attack detection is disabled.
By default, the aging timer for protected MAC addresses is 300 seconds (five minutes). Examples # Configure the aging timer for protected MAC addresses as 60 seconds. <Sysname> system-view [Sysname] arp anti-attack source-mac aging-time 60 arp anti-attack source-mac exclude-mac Syntax arp anti-attack source-mac exclude-mac mac-address&<1-n>...
Default Level 2: System level Parameters threshold-value: Threshold for source MAC address based ARP attack detection, in the range 10 to 100. Description Use the arp anti-attack source-mac threshold command to configure the threshold for source MAC address based ARP attack detection. If the number of ARP packets sent from a MAC address within five seconds exceeds this threshold, the device considers this an attack.
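The threshold, five-second interval, filter and monitor modes, aging timer and exclude-mac list described in the arp anti-attack source-mac entries above can be modelled offline to see how a chosen threshold behaves against recorded ARP traffic. The following Python model is an added example, not 3Com code: the class and function names are hypothetical, and it assumes a sliding five-second window, that filter mode discards ARP packets from a flagged MAC while monitor mode only records an alert, and that a flagged MAC is released when the aging timer expires.

```python
"""Offline model of source-MAC-based ARP attack detection (added example)."""
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 5            # "within five seconds" in the command description
THRESHOLD_RANGE = (10, 100)   # documented range of threshold-value
DEFAULT_AGING_TIME = 300      # documented default aging timer, in seconds


def normalize_mac(mac):
    """Accept H-H-H (00e0-fc00-0006) or colon/dot forms; return 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class SourceMacArpDetector:
    """Hypothetical model of the feature; not the switch's implementation."""

    def __init__(self, threshold, mode="monitor",
                 aging_time=DEFAULT_AGING_TIME, exclude=()):
        low, high = THRESHOLD_RANGE
        if not low <= threshold <= high:
            raise ValueError(f"threshold must be in {low}..{high}")
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        self.threshold = threshold
        self.mode = mode
        self.aging_time = aging_time
        self.exclude = {normalize_mac(m) for m in exclude}
        self._recent = defaultdict(deque)   # MAC -> ARP timestamps in window
        self._flagged = {}                  # MAC -> time the attack was flagged
        self.alerts = []                    # (time, MAC, packets in window)

    def observe(self, ts, src_mac):
        """Process one ARP packet; return 'forward' or 'drop'."""
        mac = normalize_mac(src_mac)
        if mac in self.exclude:             # exclude-mac: never inspected
            return "forward"

        flagged_at = self._flagged.get(mac)
        if flagged_at is not None:
            if ts - flagged_at < self.aging_time:
                # Assumption: only filter mode discards; monitor mode just logs.
                return "drop" if self.mode == "filter" else "forward"
            del self._flagged[mac]          # assumption: entry ages out
            self._recent[mac].clear()

        window = self._recent[mac]
        window.append(ts)
        while ts - window[0] >= WINDOW_SECONDS:
            window.popleft()                # assumption: sliding window
        if len(window) > self.threshold:    # "exceeds this threshold"
            self._flagged[mac] = ts
            self.alerts.append((ts, mac, len(window)))
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def replay(detector, packets):
    """Feed (timestamp, source MAC) pairs in time order; count verdicts per MAC."""
    counts = defaultdict(lambda: {"forward": 0, "drop": 0})
    for ts, mac in sorted(packets):
        counts[normalize_mac(mac)][detector.observe(ts, mac)] += 1
    return {mac: dict(c) for mac, c in counts.items()}


def constructed_capture():
    """Constructed sample traffic, not taken from a real network."""
    quiet = [(float(t), "00e0-fc00-0001") for t in range(0, 20)]      # 1 pps
    burst = [(10 + i * 0.05, "00e0-fc00-0006") for i in range(40)]    # 20 pps
    gateway = [(12 + i * 0.02, "000f-e200-0001") for i in range(50)]  # excluded
    return quiet + burst + gateway


if __name__ == "__main__":
    det = SourceMacArpDetector(threshold=30, mode="filter", aging_time=60,
                               exclude=["000f-e200-0001"])
    for mac, verdicts in replay(det, constructed_capture()).items():
        print(mac, verdicts)
    print("alerts:", det.alerts)
```

Replaying the same capture with mode="monitor" shows the difference between the two modes under these assumptions: the alert is still raised, but no packet is dropped.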
undo arp rate-limit View Layer 2 Ethernet port view Default Level 2: System level Parameters disable: Disables ARP packet rate limit. rate pps: ARP packet rate in pps, in the range 50 to 500. drop: Discards the exceeded packets. Description Use the arp rate-limit command to configure or disable ARP packet rate limit.
undo arp detection static-bind [ ip-address ] View System view Default Level 2: System level Parameters ip-address: IP address of the static binding. mac-address: MAC address of the static binding, in the format of H-H-H. Description Use the arp detection static-bind command to configure a static IP-to-MAC binding. Use the undo arp detection static-bind command to remove the configured static binding.
Parameters None Description Use the arp detection trust command to configure the port as an ARP trusted port. Use the undo arp detection trust command to configure the port as an ARP untrusted port. By default, the port is an ARP untrusted port. Examples # Configure GigabitEthernet 1/0/1 as an ARP trusted port.
Examples # Enable the checking of the MAC addresses and IP addresses of ARP packets. <Sysname> system-view [Sysname] arp detection validate dst-mac src-mac ip display arp detection Syntax display arp detection View Any view Default Level 1: Monitor level Parameters None Description Use the display arp detection command to display the VLAN(s) enabled with ARP detection.
Parameters interface interface-type interface-number: Displays the ARP detection statistics of a specified interface. Description Use the display arp detection statistics command to display statistics about ARP detection. This command only displays numbers of discarded packets. If no interface is specified, the statistics of all the interfaces will be displayed.
Page 286
Description Use the reset arp detection statistics command to clear ARP detection statistics of a specified interface. If no interface is specified, the statistics of all the interfaces will be cleared. Examples # Clear the ARP detection statistics of all the interfaces. <Sysname>...
Default Level 2: System level Parameters circuit-id: Padding content for the user-defined circuit ID sub-option, a case-sensitive string of 3 to 63 characters. Description Use the dhcp relay information circuit-id string command to configure the padding content for the user-defined circuit ID sub-option. Use the undo dhcp relay information circuit-id string command to restore the default.
Examples # Enable Option 82 support on the relay agent. <Sysname> system-view [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] dhcp relay information enable dhcp relay information format Syntax dhcp relay information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } undo dhcp relay information format [ verbose node-identifier ] View...
Using the undo dhcp relay information format command without the keyword verbose node-identifier restores the default normal padding format, or with the keyword verbose node-identifier restores the mac mode of the verbose padding format. If you configure the handling strategy of the DHCP relay agent as replace, you need to configure a padding format of Option 82.
This command applies to configuring the non-user-defined remote ID sub-option only. After you configure the padding content for the remote ID sub-option using the dhcp relay information remote-id string command, ASCII is adopted as the code type. Examples # Configure the code type for the non-user-defined remote ID sub-option as ascii. <Sysname>...
Examples # Configure the padding content for the remote ID sub-option as device001. <Sysname> system-view [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] dhcp relay information remote-id string device001 dhcp relay information strategy Syntax dhcp relay information strategy { drop | keep | replace } undo dhcp relay information strategy View Interface view...
Default Level 2: System level Parameters client-ip: DHCP client IP address. Description Use the dhcp relay release ip command to request the DHCP server to release a specified client IP address. Examples # Request the DHCP server to release the IP address 1.1.1.1. <Sysname>...
When using the dhcp relay security static command to bind an interface to a static client entry, make sure that the interface is configured as a DHCP relay agent; otherwise, entry conflicts may occur. The undo dhcp relay security interface command is used to remove all the dynamic client entries from the interface.
dhcp relay server-detect Syntax dhcp relay server-detect undo dhcp relay server-detect View System view Default Level 2: System level Parameters None Description Use the dhcp relay server-detect command to enable unauthorized DHCP server detection. Use the undo dhcp relay server-detect command to disable unauthorized DHCP server detection. By default, unauthorized DHCP server detection is disabled.
ip ip-address: DHCP server IP address. Description Use the dhcp relay server-group command to specify a DHCP server for a DHCP server group. Use the undo dhcp relay server-group command to remove a DHCP server from a DHCP server group. If no ip ip-address is specified, all servers in the DHCP server group and the server group itself will be removed.
The DHCP server group referenced in this command should have been configured by using the dhcp relay server-group command. Related commands: dhcp relay server-group. Examples # Correlate VLAN-interface 1 to DHCP server group 1. <Sysname> system-view [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] dhcp relay server-select 1 dhcp select relay Syntax...
display dhcp relay Syntax display dhcp relay { all | interface interface-type interface-number } View Any view Default Level 1: Monitor level Parameters all: Displays information of DHCP server groups that all interfaces correspond to. interface interface-type interface-number: Displays information of the DHCP server group that a specified interface corresponds to.
interface interface-type interface-number: Displays the Option 82 configuration information of a specified interface. Description Use the display dhcp relay information command to display Option 82 configuration information on the DHCP relay agent. Examples # Display the Option 82 configuration information of all interfaces. <Sysname>...
Examples # Display information about all bindings. <Sysname> display dhcp relay security IP Address MAC Address 10.1.1.1 00e0-0000-0001 Static 10.1.1.5 00e0-0000-0000 Static 2 dhcp-security item(s) found Table 5-2 display dhcp relay security command output description Field IP Address Client IP address MAC Address Client MAC address Type...
all: Displays the information of all DHCP server groups. Description Use the display dhcp relay server-group command to display the configuration information of a specified or all DHCP server groups. Examples # Display IP addresses of DHCP servers in DHCP server group 1. <Sysname>...
Page 304
Bad packets received: DHCP packets received from clients: DHCPDISCOVER packets received: DHCPREQUEST packets received: DHCPINFORM packets received: DHCPRELEASE packets received: DHCPDECLINE packets received: BOOTPREQUEST packets received: DHCP packets received from servers: DHCPOFFER packets received: DHCPACK packets received: DHCPNAK packets received: BOOTPREPLY packets received: DHCP packets relayed to servers: DHCPDISCOVER packets relayed:...
BOOTPREQUEST Server -> Client: DHCPOFFER DHCPACK DHCPNAK BOOTPREPLY reset dhcp relay statistics Syntax reset dhcp relay statistics [ server-group group-id ] View User view Default Level 1: Monitor level Parameters server-group group-id: Specifies a server group ID (in the range of 0 to 19) about which to remove statistics from the relay agent.
DHCP Client Configuration Commands The DHCP client configuration is supported only on VLAN interfaces. When multiple VLAN interfaces having the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be the Windows 2000 Server or Windows 2003 Server.
Field DNS server Domain name Boot server Client ID T1 will timeout in 1 day 11 hours 58 minutes 52 seconds. ip address dhcp-alloc Syntax ip address dhcp-alloc [ client-identifier mac interface-type interface-number ] undo ip address dhcp-alloc View Interface view Default Level 2: System level Parameters...
Page 309
[Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] ip address dhcp-alloc...
DHCP Snooping Configuration Commands A DHCP snooping-enabled device does not work if it is located between the DHCP relay agent and the DHCP server, but it can work when it is located between the DHCP client and the relay agent or between the DHCP client and the server.
<Sysname> system-view [Sysname] dhcp-snooping dhcp-snooping information circuit-id format-type Syntax dhcp-snooping information circuit-id format-type { ascii | hex } undo dhcp-snooping information circuit-id format-type View Layer 2 Ethernet port view Default Level 2: System level Parameters ascii: Specifies the code type for the circuit ID sub-option as ascii. hex: Specifies the code type for the circuit ID sub-option as hex.
Default Level 2: System level Parameters vlan vlan-id: Specifies a VLAN ID, in the range of 1 to 4094. circuit-id: Padding content for the user-defined circuit ID sub-option, a case-sensitive string of 3 to 63 characters. Description Use the dhcp-snooping information circuit-id string command to configure the padding content for the user-defined circuit ID sub-option.
Description Use the dhcp-snooping information enable command to configure DHCP snooping to support Option 82. Use the undo dhcp-snooping information enable command to disable this function. By default, DHCP snooping does not support Option 82. Examples # Configure DHCP snooping to support Option 82. <Sysname>...
Note that when you use the undo dhcp-snooping information format command, if the verbose node-identifier argument is not specified, the padding format will be restored to normal; if the verbose node-identifier argument is specified, the padding format will be restored to verbose with MAC address as the node identifier.
dhcp-snooping information remote-id string Syntax dhcp-snooping information [ vlan vlan-id ] remote-id string { remote-id | sysname } undo dhcp-snooping information [ vlan vlan-id ] remote-id string View Layer 2 Ethernet port view Default Level 2: System level Parameters vlan vlan-id: Specifies a VLAN ID, in the range of 1 to 4094. remote-id: Padding content for the user-defined circuit ID sub-option, a case-sensitive string of 1 to 63 characters.
Default Level 2: System level Parameters no-user-binding: Specifies the port not to record the clients’ IP-to-MAC bindings in DHCP requests it receives. The command without this keyword records the IP-to-MAC bindings of clients. Description Use the dhcp-snooping trust command to configure a port as a trusted port. Use the undo dhcp-snooping trust command to restore the default state of a port.
Examples # Display all DHCP snooping entries. <Sysname> display dhcp-snooping DHCP Snooping is enabled. The client binding table for all untrusted ports. Type : D--Dynamic , S--Static Type IP Address ==== =============== 10.1.1.1 00e0-fc00-0006 1 dhcp-snooping item(s) found Table 7-1 display dhcp snooping command output description Field Type IP Address...
Default Level 1: Monitor level Parameters all: Clears all DHCP snooping entries. ip ip-address: Clears the DHCP snooping entries of the specified IP address. Description Use the reset dhcp-snooping command to clear DHCP snooping entries. For an IRF, DHCP snooping entries on all devices will be cleared after you execute this command. Examples # Clear all DHCP snooping entries.
BOOTP Client Configuration Commands BOOTP client configuration can only be used on VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server. It is not recommended to enable both the DHCP client and DHCP snooping on the same device.
Vlan-interface1 BOOTP client information: Allocated IP: 169.254.0.2 255.255.0.0 Transaction ID = 0x3d8a7431 Mac Address 00e0-fc0a-c3ef Table 8-1 display bootp client command output description Field Vlan-interface1 BOOTP client information Allocated IP Transaction ID Mac Address ip address bootp-alloc Syntax ip address bootp-alloc undo ip address bootp-alloc View Interface view...
Page 324
[Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] ip address bootp-alloc...
DNS Configuration Commands This document only covers IPv4 DNS configuration commands. For introduction to IPv6 DNS configuration commands, refer to IPv6 Basics Commands in the IP Services Volume. DNS Configuration Commands display dns domain Syntax display dns domain [ dynamic ] View Any view Default Level...
Table 9-1 display dns domain command output description Field Sequence number Type of domain name suffix: S represents a statically configured domain Type name suffix, and D represents a domain name suffix obtained dynamically through DHCP. Domain-name Domain name suffix display dns dynamic-host Syntax display dns dynamic-host...
A domain name in the display dns dynamic-host command contains 21 characters at most. If a domain name consists of more than 21 characters, only the first 21 characters are displayed. display dns server Syntax display dns server [ dynamic ] View Any view Default Level...
display ip host Syntax display ip host View Any view Default Level 1: Monitor level Parameters None Description Use the display ip host command to display the host names and corresponding IP addresses in the static domain name resolution table. Examples # Display the host names and corresponding IP addresses in the static domain name resolution table.
Default Level 2: System level Parameters domain-name: Domain name suffix, consisting of character strings separated by a dot (for example, aabbcc.com). Each separated string contains no more than 63 characters. A domain name suffix may include case-insensitive letters, digits, hyphens (-), underscores (_), and dots (.), with a total length of 238 characters.
<Sysname> system-view [Sysname] dns proxy enable dns resolve Syntax dns resolve undo dns resolve View System view Default Level 2: System level Parameters None Description Use the dns resolve command to enable dynamic domain name resolution. Use the undo dns resolve command to disable dynamic domain name resolution. Dynamic domain name resolution is disabled by default.
No DNS server is specified by default. You can configure a maximum of six DNS servers, including those with IPv6 addresses. Related commands: display dns server. Examples # Specify the DNS server 172.16.1.1. <Sysname> system-view [Sysname] dns server 172.16.1.1 ip host Syntax ip host hostname ip-address undo ip host hostname [ ip-address ]...
Page 332
View User view Default Level 2: System level Parameters None Description Use the reset dns dynamic-host command to clear the dynamic domain name resolution information. Related commands: display dns dynamic-host. Examples # Clear the dynamic domain name resolution information. <Sysname> reset dns dynamic-host...
socket state = SS_PRIV SS_NBIO SS_ASYNC Task = RSVP(73), socketid = 1, Proto = 46, LA = 0.0.0.0, FA = 0.0.0.0, sndbuf = 4194304, rcvbuf = 4194304, sb_cc = 0, rb_cc = 0, socket option = 0, socket state = SS_PRIV SS_NBIO SS_ASYNC Table 10-3 display ip socket command output description Field SOCK_STREAM...
Page 341
Description Use the display ip statistics command to display statistics of IP packets. Related commands: display ip interface (in IP Addressing Commands of the IP Services Volume), reset ip statistics. Examples # Display statistics of IP packets. <Sysname> display ip statistics Input: bad protocol bad checksum...
Field Initiated connections accepted connections established connections Closed connections Packets dropped with MD5 authentication Packets permitted with MD5 authentication display tcp status Syntax display tcp status View Any view Default Level 1: Monitor level Parameters None Description Use the display tcp status command to display status of all TCP connections for monitoring TCP connections.
Field State display udp statistics Syntax display udp statistics View Any view Default Level 1: Monitor level Parameters None Description Use the display udp statistics command to display statistics of UDP packets. Related commands: reset udp statistics. Examples # Display statistics of UDP packets. <Sysname>...
Field broadcast/multicast(no socket on port) not delivered, input socket full input packets missing pcb cache Sent Total packets: ip forward-broadcast (interface view) Syntax ip forward-broadcast [ acl acl-number ] undo ip forward-broadcast View Interface view Default Level 2: System level Parameters acl acl-number: Access control list number, in the range 2000 to 3999.
ip forward-broadcast (system view) Syntax ip forward-broadcast undo ip forward-broadcast View System view Default Level 1: Monitor level Parameters None Description Use the ip forward-broadcast command to enable the device to receive directed broadcasts. Use the undo ip forward-broadcast command to disable the device from receiving directed broadcasts.
Examples # Enable sending of ICMP redirect packets. <Sysname> system-view [Sysname] ip redirects enable ip ttl-expires enable Syntax ip ttl-expires enable undo ip ttl-expires View System view Default Level 2: System level Parameters None Description Use the ip ttl-expires enable command to enable the sending of ICMP timeout packets. Use the undo ip ttl-expires command to disable sending ICMP timeout packets.
Parameters None Description Use the ip unreachables enable command to enable the sending of ICMP destination unreachable packets. Use the undo ip unreachables command to disable sending ICMP destination unreachable packets. Sending ICMP destination unreachable packets is disabled by default. Examples # Enable sending ICMP destination unreachable packets.
Default Level 2: System level Parameters time-value: Length of the TCP finwait timer in seconds, in the range 76 to 3,600. Description Use the tcp timer fin-timeout command to configure the length of the TCP finwait timer. Use the undo tcp timer fin-timeout command to restore the default. By default, the length of the TCP finwait timer is 675 seconds.
[Sysname] tcp timer syn-timeout 80 tcp window Syntax tcp window window-size undo tcp window View System view Default Level 2: System level Parameters window-size: Size of the send/receive buffer in KB, in the range 1 to 32. Description Use the tcp window command to configure the size of the TCP send/receive buffer. Use the undo tcp window command to restore the default.
Default Level 2: System level Parameters None Description Use the reset udp-helper packet command to clear the statistics of UDP packets forwarded. Related commands: display udp-helper server. Examples # Clear the statistics of the forwarded UDP packets. <Sysname> reset udp-helper packet udp-helper enable Syntax udp-helper enable...
undo udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time } View System view Default Level 2: System level Parameters port-number: UDP port number with which packets need to be forwarded, in the range of 1 to 65535 (except 67 and 68).
Page 356
Parameters ip-address: IP address of the destination server, in dotted decimal notation. Description Use the udp-helper server command to specify the destination server which UDP packets need to be forwarded to. Use the undo udp-helper server command to remove the destination server. No destination server is configured by default.
IPv6 Basics Configuration Commands IPv6 Basics Configuration Commands display dns ipv6 dynamic-host Syntax display dns ipv6 dynamic-host View Any view Default Level 1: Monitor level Parameters None Description Use the display dns ipv6 dynamic-host command to display IPv6 dynamic domain name information, including the domain name, IPv6 address, and TTL of the DNS entries.
For a domain name displayed with the display dns ipv6 dynamic-host command, no more than 21 characters can be displayed. If the domain name exceeds the maximum length, the first 21 characters will be displayed. display dns ipv6 server Syntax display dns ipv6 server [ dynamic ] View Any view...
display ipv6 fib Syntax display ipv6 fib [ slot-number ] [ ipv6-address ] View Any view Default Level 1: Monitor level Parameters ipv6-address: Displays the IPv6 FIB entries for an IPv6 address. slot-number: Displays the IPv6 forwarding information base (FIB) entries of a specified device in an IRF.
Field Flag Label Tunnel ID TimeStamp Interface display ipv6 host Syntax display ipv6 host View Any view Default Level 1: Monitor level Parameters None Description Use the display ipv6 host command to display the mappings between host names and IPv6 addresses in the static domain name resolution table.
Field Flag indicating the type of mapping between a host name and an IPv6 Flags address. Static indicates a static mapping. IPv6Address IPv6 address of a host display ipv6 interface Syntax display ipv6 interface [ interface-type [ interface-number ] ] [ verbose ] View Any view Default Level...
InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: Table 12-5 display ipv6 interface verbose command output description (on a switch) Field Vlan-interface2 current state Line protocol current state Description Physical state of the interface: Administratively DOWN: Indicates that the VLAN interface is administratively down;...
Field IPv6 is enabled link-local address Global unicast address(es) Joined group address(es) ND DAD is enabled, number of DAD attempts ND reachable time ND retransmit interval Hosts use stateless autoconfig for addresses InReceives InTooShorts InTruncatedPkts InHopLimitExceeds InBadHeaders InBadOptions ReasmReqds ReasmOKs InFragDrops InFragTimeouts OutFragFails...
Field InTooBigErrors OutFragOKs OutFragCreates InMcastPkts InMcastNotMembers OutMcastPkts InAddrErrors InDiscards OutDiscards # Display the brief IPv6 information of all interfaces for which IPv6 addresses can be configured. <Sysname> display ipv6 interface *down: administratively down (s): spoofing Interface Vlan-interface1 Vlan-interface2 Vlan-interface100 Table 12-6 display ipv6 interface command output description Field *down: The interface is down, that is, the interface is closed by using the shutdown...
Field Link protocol state of the interface: Protocol IPv6 address of the interface. Only the first of configured IPv6 addresses is IPv6 Address displayed. (If no address is configured for the interface, “Unassigned” will be displayed.) display ipv6 neighbors Syntax display ipv6 neighbors { { ipv6-address | all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } [ | { begin | exclude | include } regular-expression ] View...
You can use the reset ipv6 neighbors command to clear specific IPv6 neighbor information. Related commands: ipv6 neighbor, reset ipv6 neighbors. Examples # Display all neighbor information. <Sysname> display ipv6 neighbors all Type: S-Static IPv6 Address FE80::200:5EFF:FE32:B800 Table 12-7 display ipv6 neighbors command output description Field IPv6 Address Link-layer...
Parameters all: Displays the total number of all neighbor entries, including neighbor entries acquired dynamically and configured statically. dynamic: Displays the total number of all neighbor entries acquired dynamically. static: Displays the total number of neighbor entries configured statically. slot slot-number: Displays the total number of neighbor entries of a specified device in an IRF. If no IRF is formed, only the total number of neighbor entries of the current device is displayed.
Field sb_cc rb_cc socket option socket state display ipv6 statistics Syntax display ipv6 statistics [ slot slot-number ] View Any view Default Level 1: Monitor level Parameters slot slot-number: Displays statistics of IPv6 packets and ICMPv6 packets on a specified device in an IRF.
Field dropped initiated dropped display tcp ipv6 status Syntax display tcp ipv6 status View Any view Default Level 1: Monitor level Parameters None Description Use the display tcp ipv6 status command to display the IPv6 TCP connection status, including IP address of the IPv6 TCP control block, local and peer IPv6 addresses, and status of the IPv6 TCP connection.
Field State display udp ipv6 statistics Syntax display udp ipv6 statistics View Any view Default Level 1: Monitor level Parameters None Description Use the display udp ipv6 statistics command to display the statistics of IPv6 UDP packets. You can use the reset udp ipv6 statistics command to clear the statistics of all IPv6 UDP packets. Examples # Display the statistics information of IPv6 UDP packets.
Table 12-13 display udp ipv6 statistics command output description Field Total checksum error shorter than header data length larger than packet unicast(no socket on port) broadcast/multicast(no socket on port) not delivered, input socket full input packet missing pcb cache dns server ipv6 Syntax dns server ipv6 ipv6-address [ interface-type interface-number ] undo dns server ipv6 ipv6-address [ interface-type interface-number ]...
ipv6 Syntax ipv6 undo ipv6 View System view Default Level 2: System level Parameters None Description Use the ipv6 command to enable IPv6. Use the undo ipv6 command to disable IPv6. By default, IPv6 is disabled. Examples # Enable IPv6. <Sysname>...
By default, no site-local address or global unicast address is configured for an interface. Note that except the link-local address automatically configured, all IPv6 addresses will be removed from the interface if you carry out the undo ipv6 address command without any parameter specified. Examples # Set the aggregatable global IPv6 unicast address of VLAN-interface 100 to 2001::1 with prefix length Method I:...
aggregatable global unicast address configured, the interface still has a link-local address. If the interface has no IPv6 site-local address or aggregatable global unicast address configured, it will have no link-local address. Manual assignment takes precedence over automatic generation. That is, if you first adopt automatic generation and then manual assignment, the manually assigned link-local address will overwrite the automatically generated one.
Examples # Configure an IPv6 address in the EUI-64 format for VLAN-interface 100. The prefix length of the address is the same as that of 2001::1/64, and the interface ID is generated based on the MAC address of the device. <Sysname>...
ipv6 hoplimit-expires enable Syntax ipv6 hoplimit-expires enable undo ipv6 hoplimit-expires View System view Default Level 2: System level Parameters None Description Use the ipv6 hoplimit-expires enable command to enable the sending of ICMPv6 time exceeded packets. Use the undo ipv6 hoplimit-expires command to disable the sending of ICMPv6 time exceeded packets.
ipv6-address: IPv6 address. Description Use the ipv6 host command to configure the mappings between host names and IPv6 addresses. Use the undo ipv6 host command to remove the mappings between host names and IPv6 addresses. Each host name can correspond to only one IPv6 address. Related commands: display ipv6 host.
undo ipv6 icmpv6 multicast-echo-reply View System view Default Level 2: System level Parameters None Description Use the ipv6 icmpv6 multicast-echo-reply enable command to enable the sending of multicast echo replies. Use the undo ipv6 icmpv6 multicast-echo-reply command to disable the sending of multicast echo replies.
Default Level 2: System level Parameters value: Number of attempts to send an NS message for DAD, in the range of 0 to 600. The default value is “1”. When it is set to 0, DAD is disabled. Description Use the ipv6 nd dad attempts command to configure the number of attempts to send an NS message for DAD.
ipv6 nd ns retrans-timer Syntax ipv6 nd ns retrans-timer value undo ipv6 nd ns retrans-timer View Interface view Default Level 2: System level Parameters value: Interval for retransmitting an NS message in milliseconds, in the range of 1,000 to 4,294,967,295. Description Use the ipv6 nd ns retrans-timer command to set the interval for retransmitting an NS message.
Description Use the ipv6 nd nud reachable-time command to configure the neighbor reachable time on an interface. This time value serves as not only the neighbor reachable time on the local interface, but also the value of the Reachable Timer field in RA messages sent by the local interface. Use the undo ipv6 nd nud reachable-time command to restore the default neighbor reachable time and to specify the value of the Reachable Timer field in RA messages as 0, so that the number of hops is determined by the requesting device itself.
ipv6 nd ra interval Syntax ipv6 nd ra interval max-interval-value min-interval-value undo ipv6 nd ra interval View Interface view Default Level 2: System level Parameters max-interval-value: Maximum interval for advertising RA messages in seconds, in the range of 4 to 1,800.
View Interface view Default Level 2: System level Parameters ipv6-address: IPv6 address or IPv6 address prefix. prefix-length: Prefix length of the IPv6 address. ipv6-prefix: IPv6 address prefix. valid-lifetime: Valid lifetime of a prefix in seconds, in the range of 0 to 4,294,967,295. preferred-lifetime: Preferred lifetime of a prefix used for stateless autoconfiguration in seconds, in the range of 0 to 4,294,967,295.
Parameters value: Router lifetime in seconds, in the range of 0 to 9,000. When it is set to 0, the device does not serve as the default router. Description Use the ipv6 nd ra router-lifetime command to configure the router lifetime in RA messages. Use the undo ipv6 nd ra router-lifetime command to restore the default.
If the first method is used, the neighbor entry is in the INCMP state. After the device obtains the corresponding Layer 2 port information through resolution, the neighbor entry will go into the REACH state. If the second method is used, the corresponding VLAN interface must exist and the port specified by port-type port-number must belong to the VLAN specified by vlan-id.
ipv6 pathmtu Syntax ipv6 pathmtu ipv6-address [ value ] undo ipv6 pathmtu ipv6-address View System view Default Level 2: System level Parameters ipv6-address: IPv6 address. value: PMTU of a specified IPv6 address in bytes. It ranges from 1280 to 10000. Description Use the ipv6 pathmtu command to configure a static PMTU for a specified IPv6 address.
By default, the aging time is 10 minutes. Note that the aging time is invalid for a static PMTU. Related commands: display ipv6 pathmtu. Examples # Set the aging time for a dynamic PMTU to 40 minutes. <Sysname> system-view [Sysname] ipv6 pathmtu age 40 reset dns ipv6 dynamic-host Syntax reset dns ipv6 dynamic-host...
Parameters all: Clears static and dynamic neighbor information on all interfaces. dynamic: Clears dynamic neighbor information on all interfaces. interface interface-type interface-number: Clears dynamic neighbor information on a specified interface. slot slot-number: Clears dynamic neighbor information on a specified device in an IRF. If no IRF is formed, only the dynamic neighbor information of the current device is cleared.
reset ipv6 statistics Syntax reset ipv6 statistics [ slot slot-number ] View User view Default Level 2: System level Parameters slot slot-number: Clears the statistics of IPv6 packets and ICMPv6 packets on a specified device in an IRF. If no IRF is formed, only related information on the current device is cleared. The slot-number argument indicates the member ID of the device.
<Sysname> reset tcp ipv6 statistics reset udp ipv6 statistics Syntax reset udp ipv6 statistics View User view Default Level 2: System level Parameters None Description Use the reset udp ipv6 statistics command to clear the statistics of all IPv6 UDP packets. You can use the display udp ipv6 statistics command to display the statistics of IPv6 UDP packets.
<Sysname> system-view [Sysname] tcp ipv6 timer fin-timeout 800 tcp ipv6 timer syn-timeout Syntax tcp ipv6 timer syn-timeout wait-time undo tcp ipv6 timer syn-timeout View System view Default Level 2: System level Parameters wait-time: Length of the synwait timer for IPv6 TCP connections in seconds, in the range of 2 to 600. Description Use the tcp ipv6 timer syn-timeout command to set the synwait timer for IPv6 TCP connections. Use the undo tcp ipv6 timer syn-timeout command to restore the default.
By default, the size of the IPv6 TCP send/receive buffer is 8 KB. Examples # Set the size of the IPv6 TCP send/receive buffer to 4 KB. <Sysname> system-view [Sysname] tcp ipv6 window 4
sFlow Configuration Commands sFlow Configuration Commands display sflow Syntax display sflow [ slot slot-number ] View Any view Default Level 2: System level Parameters slot slot-number: Displays the sFlow configuration information of the specified IRF member device. The slot-number argument is the member number of the device in the IRF, which you can display with the display irf command.
Field sFlow Global Information Agent Collector Interval(s) sFlow Port Information Interface Direction Rate Mode Status sflow agent ip Syntax sflow agent ip ip-address undo sflow agent ip View System view Default Level 2: System level Parameters ip-address: IP address of the sFlow agent. Description Use the sflow agent ip command to configure the IP address of the sFlow agent.
sFlow does not work if the sFlow agent has no IP address configured, or the IP address of the sFlow agent is removed. Examples # Configure the IP address of the sFlow agent. <Sysname> system-view [Sysname] sflow agent ip 10.10.10.1 sflow collector ip Syntax sflow collector ip ip-address [ port portnum ]...
undo sflow enable { inbound | outbound } View Ethernet port view Default Level 2: System level Parameters inbound: Samples inbound packets. outbound: Samples outbound packets. Description Use the sflow enable command to enable sFlow in the inbound or outbound direction on the port. Use the undo sflow enable command to disable sFlow in the inbound or outbound direction on the port.
By default, the packet sampling mode is random. Note that this command should be used after sFlow is enabled on the current port. Currently, the determine mode is not supported on Switch 4510G Family. Examples # Configure the interface to sample a fixed number of inbound packets.
sflow sampling-rate Syntax sflow sampling-rate rate undo sflow sampling-rate View Ethernet port view Default Level 2: System level Parameters rate: Number of packets, in the range of 1000 to 500000. Description Use the sflow sampling-rate command to specify the number of packets out of which the interface will sample a packet.
1 IP Routing Table Commands
IP Routing Table Commands
display ip routing-table
display ip routing-table acl
display ip routing-table ip-address
display ip routing-table ip-prefix
display ip routing-table protocol
display ip routing-table statistics
display ipv6 routing-table
display ipv6 routing-table acl
display ipv6 routing-table ipv6-address
display ipv6 routing-table ipv6-address1 ipv6-address2
display ipv6 routing-table ipv6-prefix
...
IP Routing Table Commands The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. IP Routing Table Commands display ip routing-table Syntax display ip routing-table [ verbose | | { begin | exclude | include } regular-expression ]...
Use the display ip routing-table verbose command to display detailed information about all routes in the routing table. This command displays detailed information about all active and inactive routes, including the statistics of the entire routing table and information for each route. Examples # Display brief information about active routes in the routing table.
RelyNextHop: 0.0.0.0 Tunnel ID: 0x0 State: Active NoAdv Tag: 0 Destination: 127.0.0.0/8 Protocol: Direct Preference: 0 NextHop: 127.0.0.1 RelyNextHop: 0.0.0.0 Tunnel ID: 0x0 State: Active NoAdv Tag: 0 Destination: 127.0.0.1/32 Protocol: Direct Preference: 0 NextHop: 127.0.0.1 RelyNextHop: 0.0.0.0 Tunnel ID: 0x0 State: Active NoAdv Tag: 0 Displayed first are statistics for the whole routing table, followed by detailed description of each route...
Field Route status: Active Delete Gateway Holddown NoAdv State NotInstall Reject Static Unicast Inactive Invalid WaitQ TunE GotQ Time for which the route has been in the routing table, in the sequence of hour, minute, and second from left to right. Route tag display ip routing-table acl Syntax...
Default Level 1: Monitor level Parameters acl-number: Basic ACL number, in the range of 2000 to 2999. verbose: Displays detailed routing table information, including that for inactive routes. With this argument absent, the command displays only brief information about active routes. Description Use the display ip routing-table acl command to display information about routes permitted by a specified basic ACL.
Summary Count: 6 Destination: 10.1.1.0/24 Protocol: Direct Preference: 0 NextHop: 10.1.1.2 RelyNextHop: 0.0.0.0 Tunnel ID: 0x0 State: Active Adv Tag: 0 Destination: 10.1.1.2/32 Protocol: Direct Preference: 0 NextHop: 127.0.0.1 RelyNextHop: 0.0.0.0 Tunnel ID: 0x0 State: Active NoAdv Tag: 0 Destination: 10.1.2.0/24 Protocol: Direct Preference: 0 NextHop: 10.1.2.1...
Protocol: Direct Preference: 0 NextHop: 127.0.0.1 RelyNextHop: 0.0.0.0 Tunnel ID: 0x0 State: Active NoAdv Tag: 0 For the description of the command output above, see display ip routing-table ip-address Syntax display ip routing-table ip-address [ mask-length | mask ] [ longer-match ] [ verbose ] display ip routing-table ip-address1 { mask-length | mask } ip-address2 { mask-length | mask } [ verbose ] View...
display ip routing-table ip-address longer-match The system ANDs the input destination IP address with the subnet mask in each route entry; and ANDs the destination IP address in each route entry with its corresponding subnet mask. If the two operations yield the same result for multiple entries that are active, the one with longest mask length is displayed.
# Display route entries by specifying a destination IP address and mask and the longer-match keyword. [Sysname] display ip routing-table 11.1.1.1 24 longer-match Routing Table : Public Summary Count : 1 Destination/Mask Proto Pre Cost 11.1.1.0/24 Static 60 For detailed description of the above output, see # Display route entries for destination addresses in the range 1.1.1.0 to 5.5.5.0.
# Display brief information about active routes permitted by the prefix list test. [Sysname] display ip routing-table ip-prefix test Routes Matched by Prefix list : test Summary Count : 2 Destination/Mask Proto Pre Cost 2.2.2.0/24 Direct 0 2.2.2.1/32 Direct 0 For detailed description of the above output, see # Display detailed information about both active and inactive routes permitted by IP prefix list test.
inactive: Displays information about only inactive routes. With this argument absent, the command displays information about both active and inactive routes. verbose: Displays detailed routing table information. With this argument absent, the command displays brief routing table information. Description Use the display ip routing-table protocol command to display routing information of a specified routing protocol.
View Any view Default Level 1: Monitor level Parameters None Description Use the display ip routing-table statistics command to display the route statistics of the routing table. Examples # Display route statistics in the routing table. <Sysname> display ip routing-table statistics Proto route active...
Parameters None Description Use the display ipv6 routing-table command to display brief routing table information, including destination IP address and prefix, protocol type, priority, metric, next hop and outbound interface. The command displays only active routes, namely, the brief information about the current optimal routes.
Description Use the display ipv6 routing-table acl command to display routing information permitted by the IPv6 ACL. If the specified IPv6 ACL is not available, all routing information is displayed. Examples # Display brief routing information permitted by ACL 2000. <Sysname>...
If the two operations yield the same result for an entry and the entry is active with a prefix length less than or equal to the input prefix length, the entry is displayed. Only route entries that exactly match the input destination address and prefix length are displayed. display ipv6 routing-table ipv6-address prefix-length longer-match The system ANDs the input destination IPv6 address with the input prefix length;...
Parameters ipv6-address1/ipv6-address2: An IPv6 address range from IPv6 address1 to IPv6 address2. prefix-length1/prefix-length2: Prefix length, in the range 0 to 128. verbose: Displays both active and inactive verbose routing information. Without this keyword, only brief active routing information is displayed. Description Use the display ipv6 routing-table ipv6-address1 ipv6-address2 command to display routes with destinations falling into the specified IPv6 address range.
Description Use the display ipv6 routing-table ipv6-prefix command to display routes permitted by the IPv6 prefix list. Examples # Display brief active routing information permitted by the IPv6 prefix list test2. <Sysname> display ipv6 routing-table ipv6-prefix test2 Routes Matched by Prefix list test2 : Summary Count : 1 Destination: 100::/64 NextHop...
display ipv6 routing-table verbose Syntax display ipv6 routing-table verbose View Any view Default Level 1: Monitor level Parameters None Description Use the display ipv6 routing-table verbose command to display detailed information about all active and inactive routes, including the statistics of the entire routing table and information for each route. Examples # Display detailed information about all active and inactive routes.
Field Protocol State of the route, Active, Inactive, Adv (advertised), or NoAdv (not State advertised) Cost Cost of the route Tunnel ID Tunnel ID Label Label Time that has elapsed since the route was generated reset ip routing-table statistics protocol Syntax reset ip routing-table statistics protocol { protocol | all } View...
Parameters protocol: Clears statistics for the routing protocol, which can be direct, ripng, or static. all: Clears statistics for all IPv6 routing protocols. Description Use the reset ipv6 routing-table statistics command to clear the route statistics of the routing table. Examples # Clear statistics for all routing protocols.
Static Routing Configuration Commands The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. Static Routing Configuration Commands delete static-routes all Syntax delete static-routes all View System view Default Level 2: System level Parameters None.
Related commands: display ip routing-table, ip route-static default-preference. To configure track monitoring for an existing static route, simply associate the static route with a track entry. For a non-existent static route, configure it and associate it with a Track entry. If a static route needs route recursion, the associated track entry must monitor the nexthop of the recursive route instead of that of the static route;...
Examples # Set the default preference of static routes to 120. <Sysname> system-view [Sysname] ip route-static default-preference 120...
RIP Configuration Commands The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. RIP Configuration Commands checkzero Syntax checkzero undo checkzero View RIP view Default Level 2: System level Parameters None Description Use the checkzero command to enable the zero field check on RIPv1 messages.
default cost (RIP view) Syntax default cost value undo default cost View RIP view Default Level 2: System level Parameters value: Default metric of redistributed routes, in the range of 0 to 16. Description Use the default cost command to configure the default metric for redistributed routes. Use the undo default cost command to restore the default.
Description Use the default-route originate cost command to configure all the interfaces under the RIP process to advertise a default route with the specified metric to RIP neighbors. Use the undo default-route command to disable all the interfaces under the RIP process from sending a default route.
Maximum number of balanced paths : 1 Update time 30 sec(s) Timeout time Suppress time : 120 sec(s) Garbage-collect time : 120 sec(s) update output delay : TRIP retransmit time : TRIP response packets retransmit count : Silent interfaces : None Default routes : Only Default route cost : 3 Verify-source : Enabled Networks :...
Field Default route cost Verify-source Networks Configured peers Triggered updates sent Number of routes changes Number of replies to queries display rip database Syntax display rip process-id database View Any view Default Level 1: Monitor level Parameters process-id: RIP process ID, in the range of 1 to 65535. Description Use the display rip database command to display active routes in the database of the specified RIP process, which are sent in normal RIP routing updates.
Field Rip-interface imported display rip interface Syntax display rip process-id interface [ interface-type interface-number ] View Any view Default Level 1: Monitor level Parameters process-id: RIP process ID, in the range of 1 to 65535. interface-type interface-number: Specifies an interface. Description Use the display rip interface command to display the RIP interface information of the RIP process.
Table 3-5 display rip route statistics command output description Field Peer IP address of a neighbor Aging Total number of aging routes learned from the specified neighbor Permanent Total number of permanent routes learned from the specified neighbor Total number of routes in the garbage-collection state learned from the specified Garbage neighbor Total...
host-route Syntax host-route undo host-route View RIP view Default Level 2: System level Parameters None Description Use the host-route command to enable host route reception. Use the undo host-route command to disable host route reception. By default, receiving host routes is enabled. In some cases, a router may receive many host routes from the same network segment.
Default Level 2: System level Parameters protocol: Specifies a routing protocol from which to redistribute routes. At present, it can be direct, rip, or static. process-id: Process ID, in the range of 1 to 65535. The default is 1. It is available only when the protocol is rip.
Default Level 2: System level Parameters network-address: IP address of a network segment, which can be the IP network address of any interface. Description Use the network command to enable RIP on the interface attached to the specified network. Use the undo network command to disable RIP on the interface attached to the specified network. RIP is disabled on an interface by default.
By default, an interface sends up to three RIP packets every 20 milliseconds. Examples # Configure all the interfaces under RIP process 1 to send up to 10 RIP packets every 30 milliseconds. <Sysname> system-view [Sysname] rip 1 [Sysname-rip-1] output-delay 30 output-count 10 peer Syntax peer ip-address...
View RIP view Default Level 2: System level Parameters route-policy-name: Routing policy name with 1 to 19 characters. value: Priority for RIP route, in the range of 1 to 255. The smaller the value, the higher the priority. Description Use the preference command to specify the RIP route priority. Use the undo preference route-policy command to restore the default.
Examples # Clear statistics in RIP process 100. <Sysname> reset rip 100 statistics Syntax rip [ process-id ] undo rip [ process-id ] View System view Default Level 2: System level Parameters process-id: RIP process ID, in the range of 1 to 65535. The default is 1. Description Use the rip command to create a RIP process and enter RIP view.
Parameters md5: MD5 authentication mode. rfc2453: Uses the message format defined in RFC 2453 (IETF standard). rfc2082: Uses the message format defined in RFC 2082. key-id: MD5 key number, in the range of 1 to 255. key-string: MD5 key string with 1 to 16 characters in plain text format, or 1 to 24 characters in cipher text format.
Description Use the rip default-route command to configure the RIP interface to advertise a default route with the specified metric. Use the undo rip default-route command to disable the RIP interface from sending a default route. By default, a RIP interface can advertise a default route if the RIP process is configured with default route advertisement.
<Sysname> system-view [Sysname] interface vlan-interface 10 [Sysname-Vlan-interface10] undo rip input rip metricin Syntax rip metricin [ route-policy route-policy-name ] value undo rip metricin View Interface view Default Level 2: System level Parameters route-policy route-policy-name: Specifies the name of a routing policy used to add an additional metric for the routes matching it.
[Sysname-route-policy] apply cost 6 [Sysname] interface vlan-interface 10 [Sysname-Vlan-interface10] rip metricin route-policy abc 2 rip metricout Syntax rip metricout [ route-policy route-policy-name ] value undo rip metricout View Interface view Parameters value: Additional metric of sent routes, in the range of 1 to 16. Description Use the rip metricout command to add a metric to sent routes.
rip mib-binding Syntax rip mib-binding process-id undo rip mib-binding View System view Default Level 2: System level Parameters process-id: RIP process ID, in the range of 1 to 65535. Description Use the rip mib-binding command to bind MIB operations with a specified RIP process, so that the RIP process can receive SNMP requests.
Use the undo rip output command to disable the interface from sending RIP messages. Sending RIP messages is enabled on an interface by default. Related commands: rip input. Examples # Disable VLAN-interface 10 from sending RIP messages. <Sysname> system-view [Sysname] interface vlan-interface 10 [Sysname-Vlan-interface10] undo rip output rip poison-reverse Syntax...
Default Level 2: System level Parameters None Description Use the rip split-horizon command to enable the split horizon function. Use the undo rip split-horizon command to disable the split horizon function. The split horizon function is enabled by default. The split horizon function is necessary for preventing routing loops. Therefore, disabling it is not recommended.
Description Use the rip summary-address command to configure RIPv2 to advertise a summary route through the interface. Use the undo rip summary-address command to remove the configuration. Note that the summary address is valid only when the automatic summarization is disabled. Related commands: summary.
[Sysname-rip-100] network 131.108.0.0 summary Syntax summary undo summary View RIP view Default Level 2: System level Parameters None Description Use the summary command to enable automatic RIPv2 summarization. Natural masks are used to advertise summary routes so as to reduce the size of routing tables. Use the undo summary command to disable automatic RIPv2 summarization so that all subnet routes can be broadcast.
Parameters garbage-collect-value: Garbage-collect timer time in seconds, in the range of 1 to 3600. suppress-value: Suppress timer time in seconds, in the range of 0 to 3600. timeout-value: Timeout timer time in seconds, in the range of 1 to 3600. update-value: Update timer time in seconds, in the range of 1 to 3600.
Default Level 2: System level Parameters None Description Use the validate-source-address command to enable the source IP address validation on incoming RIP routing updates. Use the undo validate-source-address command to disable the source IP address validation. The source IP address validation is enabled by default. RIP checks whether the source IP address of the packet is on the same network segment as the interface IP address;...
If an interface has an RIP version specified, the RIP version takes precedence over the global RIP version. If no RIP version is specified for the interface and the global version is RIPv1, the interface inherits RIPv1, and it can send RIPv1 broadcasts, and receive RIPv1 broadcasts and unicasts. If no RIP version is specified for the interface and the global version is RIPv2, the interface operates in the RIPv2 multicast mode, and it can send RIPv2 multicasts, and receive RIPv2 broadcasts, multicasts and unicasts.
IPv6 Static Routing Configuration Commands Throughout this chapter, the term “router” refers to a router in a generic sense or a Layer 3 switch running routing protocols. IPv6 Static Routing Configuration Commands delete ipv6 static-routes all Syntax delete ipv6 static-routes all...
RIPng Configuration Commands The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. RIPng Configuration Commands checkzero Syntax checkzero undo checkzero View RIPng view Default Level 2: System level Parameters None Description Use the checkzero command to enable the zero field check on RIPng packets.
default cost (RIPng view) Syntax default cost cost undo default cost View RIPng view Default Level 2: System level Parameters cost: Default metric of redistributed routes, in the range of 0 to 16. Description Use the default cost command to specify the default metric of redistributed routes. Use the undo default cost command to restore the default.
Description Use the display ripng command to display the running status and configuration information of a RIPng process. If process-id is not specified, information of all RIPng processes will be displayed. Examples # Display the running status and configuration information of all configured RIPng processes. <Sysname>...
Parameters process-id: RIPng process ID, in the range of 1 to 65535. Description Use the display ripng database command to display all active routes in the advertising database of the specified RIPng process, which are sent in normal RIPng update messages. Examples # Display the active routes in the database of RIPng process 100.
display ripng interface Syntax display ripng process-id interface [ interface-type interface-number ] View Any view Default Level 1: Monitor level Parameters process-id: RIPng process ID, in the range of 1 to 65535. interface-type interface-number: Specifies an interface. Description Use the display ripng interface command to display the interface information of the RIPng process. If no interface is specified, information about all interfaces of the RIPng process will be displayed.
Field Default route Summary address The summarized IPv6 prefix and the summary IPv6 prefix on the interface display ripng route Syntax display ripng process-id route View Any view Default Level 1: Monitor level Parameters process-id: RIPng process ID, in the range of 1 to 65535. Description Use the display ripng route command to display all RIPng routes and timers associated with each route of a RIPng process.
Default Level 2: System level Parameters protocol: Specifies a routing protocol from which to redistribute routes. Currently, it can be direct or static. process-id: Process ID, in the range of 1 to 65535. The default is 1. This argument is available only when the protocol is ripng.
Use the undo preference route-policy command to restore the default. By default, the priority of a RIPng route is 100. Using the route-policy keyword can set a priority for routes filtered in by the routing policy: If a priority is set in the routing policy, the priority applies to matched routes, and the priority set by the preference command applies to routes not matched.
ripng default-route Syntax ripng default-route { only | originate } [ cost cost ] undo ripng default-route View Interface view Default Level 2: System level Parameters only: Indicates that only the IPv6 default route (::/0) is advertised through the interface. originate: Indicates that the IPv6 default route (::/0) is advertised without suppressing other routes.
Default Level 2: System level Parameters process-id: RIPng process ID, in the range of 1 to 65535. Description Use the ripng enable command to enable RIPng on the specified interface. Use the undo ripng enable command to disable RIPng on the specified interface. By default, RIPng is disabled on an interface.
ripng metricout Syntax ripng metricout value undo ripng metricout View Interface view Default Level 2: System level Parameters value: Additional metric to advertised routes, in the range of 1 to 16. Description Use the ripng metricout command to configure an additional metric for RIPng routes advertised by an interface.
Use the undo ripng poison-reverse command to disable the poison reverse function. By default, the poison reverse function is disabled. Examples # Enable the poison reverse function for RIPng update messages on VLAN-interface 100. <Sysname> system-view [Sysname] interface vlan-interface 100 [Sysname-Vlan-interface100] ripng poison-reverse ripng split-horizon Syntax ripng split-horizon...
[Sysname] interface vlan-interface 100 [Sysname-Vlan-interface100] ripng split-horizon ripng summary-address Syntax ripng summary-address ipv6-address prefix-length undo ripng summary-address ipv6-address prefix-length View Interface view Default Level 2: System level Parameters ipv6-address: Destination IPv6 address of the summary route. prefix-length: Prefix length of the destination IPv6 address of the summary route, in the range of 0 to 128.
Default Level 2: System level Parameters garbage-collect-value: Interval of the garbage-collect timer in seconds, in the range of 1 to 86400. suppress-value: Interval of the suppress timer in seconds, in the range of 0 to 86400. timeout-value: Interval of the timeout timer in seconds, in the range of 1 to 86400. update-value: Interval of the update timer in seconds, in the range of 1 to 86400.
Route Policy Configuration Commands The common configuration commands of route policy are applicable to both IPv4 and IPv6. Common Route Policy Configuration Commands apply cost Syntax apply cost [ + | - ] value undo apply cost View Route policy view Default Level 2: System level Parameters...
[Sysname-route-policy] apply cost 120 apply preference Syntax apply preference preference undo apply preference View Route policy view Default Level 2: System level Parameters preference: Routing protocol preference, in the range of 1 to 255. Description Use the apply preference command to set a preference for a routing protocol. Use the undo apply preference command to remove the clause configuration.
Parameters value: Tag value, in the range 0 to 4294967295. Description Use the apply tag command to set a specified tag value for RIP routing information. Use the undo apply tag command to remove the clause configuration. No routing tag is set for RIP routing information by default. Related commands: if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply ip-address next-hop, apply cost.
Table 6-1 display route-policy command output description. Field Route-policy Permit if-match ip-prefix abc apply cost 120 if-match cost Syntax if-match cost value undo if-match cost View Route policy view Default Level 2: System level Parameters cost: Cost in the range 0 to 4294967295. Description Use the if-match cost command to match routing information having the specified cost.
View Route policy view Default Level 2: System level Parameters interface-type: Interface type interface-number: Interface number &<1-16>: Indicates the argument before it can be entered up to 16 times. Description Use the if-match interface command to specify interface(s) for matching against the outbound interface of routing information.
Related commands: if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, route-policy, apply ip-address next-hop, apply cost, apply tag. Examples # Configure node 10 in permit mode of route policy policy1 to permit RIP routing information with a tag of 8.
View Any view Default Level 1: Monitor level Parameters ip-prefix-name: IP prefix list name, a string of 1 to 19 characters. Description Use the display ip ip-prefix command to display the statistics of an IPv4 prefix list. If no ip-prefix-name is specified, statistics for all IPv4 prefix lists will be displayed. Related commands: ip ip-prefix.
Default Level 2: System level Parameters acl-number: ACL number from 2000 to 3999. Description Use the if-match acl command to configure an ACL match criterion. Use the undo if-match acl command to remove the match criterion. No ACL match criterion is configured by default. Related commands: if-match interface, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply ip-address next-hop, apply cost, apply tag.
Examples # Configure node 10 of route policy policy1 to permit routing information whose next hop address matches IP prefix list p1. <Sysname> system-view [Sysname] route-policy policy1 permit node 10 [Sysname-route-policy] if-match ip next-hop ip-prefix p1 if-match ip-prefix Syntax if-match ip-prefix ip-prefix-name undo if-match ip-prefix View Route policy view...
Default Level 2: System level Parameters ip-prefix-name: IPv4 prefix list name, a string of 1 to 19 characters. index-number: Index number, in the range 1 to 65535, for uniquely specifying an item of the IPv4 prefix list. An index with a smaller number is matched first. permit: Specifies the matching mode for the IPv4 prefix list item as permit, that is, if a route matches the item, the route passes the IPv4 prefix list without needing to match against the next item;...
reset ip ip-prefix Syntax reset ip ip-prefix [ ip-prefix-name ] View User view Default Level 2: System level Parameters ip-prefix-name: IP prefix list name, a string of 1 to 19 characters. Description Use the reset ip ip-prefix command to clear the statistics of a specified IPv4 prefix list. If no ip-prefix-name is specified, the statistics of all IPv4 prefix lists will be cleared.
undo ip ipv6-prefix ipv6-prefix-name [ index index-number ] View System view Default Level 2: System level Parameters ipv6-prefix-name: IPv6 prefix list name, a string of 1 to 19 characters, for uniquely specifying an IPv6 prefix list. index-number: Index number, in the range 1 to 65535, for uniquely specifying an IPv6 prefix list item. An item with a smaller index-number will be matched first.
<Sysname> system-view [Sysname] ip ipv6-prefix abc permit :: 0 greater-equal 32 less-equal 64 # Deny IPv6 addresses with the prefix being 3FFE:D00::/32, and prefix length being greater than or equal to 32 bits. <Sysname> system-view [Sysname] ip ipv6-prefix abc deny 3FEE:D00:: 32 less-equal 128 reset ip ipv6-prefix Syntax reset ip ipv6-prefix [ ipv6-prefix-name ]...
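The index ordering and the greater-equal / less-equal bounds of the ip ipv6-prefix items above decide which item a route hits first, so a broad permit entered ahead of a specific deny shadows it. The Python sketch below is an added example, not 3Com code. It assumes first-match evaluation by ascending index, an implicit deny when no item matches, the usual bound defaults (exact length when neither keyword is given, prefix-length as the lower bound, 128 as the upper bound), and a hypothetical step-of-10 numbering for items entered without an index.

```python
"""IPv6 prefix-list evaluation sketch (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Item:
    index: int
    permit: bool
    net: ipaddress.IPv6Network
    low: int    # smallest route prefix length this item accepts
    high: int   # largest route prefix length this item accepts


def parse_item(line: str, auto_index: int) -> Item:
    """Parse 'ip ipv6-prefix NAME [index N] {permit|deny} ADDR LEN [greater-equal G] [less-equal L]'."""
    tok = line.split()
    if tok[:2] != ["ip", "ipv6-prefix"] or len(tok) < 6:
        raise ValueError(f"not an ip ipv6-prefix line: {line!r}")
    rest = tok[3:]                       # drop the list name
    index = auto_index
    if rest[0] == "index":
        index, rest = int(rest[1]), rest[2:]
    if len(rest) < 3 or rest[0] not in ("permit", "deny"):
        raise ValueError(f"missing permit/deny, address or length: {line!r}")
    mode, addr, length = rest[0], rest[1], int(rest[2])
    ge = le = None
    opts = rest[3:]
    for key, val in zip(opts[0::2], opts[1::2]):
        if key == "greater-equal":
            ge = int(val)
        elif key == "less-equal":
            le = int(val)
        else:
            raise ValueError(f"unknown keyword {key!r}")
    # Assumed defaults: exact match without bounds, otherwise [length or ge, le or 128].
    if ge is None and le is None:
        low = high = length
    else:
        low = length if ge is None else ge
        high = 128 if le is None else le
    if not length <= low <= high <= 128:
        raise ValueError(f"bounds out of order in {line!r}")
    net = ipaddress.IPv6Network(f"{addr}/{length}", strict=False)
    return Item(index, mode == "permit", net, low, high)


def load(lines: List[str]) -> List[Item]:
    """Number items without an index 10, 20, ... (hypothetical) and sort by index."""
    items = [parse_item(l, 10 * (n + 1)) for n, l in enumerate(lines)]
    return sorted(items, key=lambda i: i.index)


def evaluate(items: List[Item], route: str) -> Tuple[bool, Optional[int]]:
    """Return (permitted, index of the deciding item); index is None on implicit deny."""
    r = ipaddress.IPv6Network(route, strict=True)
    for it in items:
        if it.low <= r.prefixlen <= it.high and r.network_address in it.net:
            return it.permit, it.index
    return False, None


# Constructed input: the page's two example items entered into list abc in page order.
PAGE_ORDER = [
    "ip ipv6-prefix abc permit :: 0 greater-equal 32 less-equal 64",
    "ip ipv6-prefix abc deny 3FEE:D00:: 32 less-equal 128",
]
# Constructed input: same items, with the deny given a lower index so it is checked first.
DENY_FIRST = [
    "ip ipv6-prefix abc index 5 deny 3FEE:D00:: 32 less-equal 128",
    "ip ipv6-prefix abc permit :: 0 greater-equal 32 less-equal 64",
]

if __name__ == "__main__":
    for name, cfg in (("page order", PAGE_ORDER), ("deny first", DENY_FIRST)):
        items = load(cfg)
        for route in ("3fee:d00:1::/48", "3fee:d00::/96", "2001:d00::/24"):
            print(name, route, evaluate(items, route))
```

In page order the /48 under 3FEE:D00::/32 is permitted by the broad item before the deny is ever consulted; giving the deny the lower index closes that gap.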
IGMP Snooping Configuration Commands IGMP Snooping Configuration Commands display igmp-snooping group Syntax display igmp-snooping group [ vlan vlan-id ] [ slot slot-number ] [ verbose ] View Any view Default Level 1: Monitor level Parameters vlan vlan-id: Displays the IGMP Snooping multicast group information in the specified VLAN, where vlan-id is in the range of 1 to 4094.
Router port(s):total 1 port. GE1/0/1 IP group(s):the following ip group(s) match to one mac group. IP group address:224.1.1.1 (0.0.0.0, 224.1.1.1): Attribute: Host port(s):total 1 port. GE1/0/2 MAC group(s): MAC group address:0100-5e01-0101 Host port(s):total 1 port. GE1/0/2 Table 1-1 display igmp-snooping group command output description Field Total 1 IP Group(s).
Parameters None Description Use the display igmp-snooping statistics command to view the statistics information of IGMP messages learned by IGMP Snooping. Examples # View the statistics information of IGMP messages learned by IGMP Snooping. <Sysname> display igmp-snooping statistics Received IGMP general queries:0. Received IGMPv1 reports:0.
Description Use the fast-leave command to enable fast leave processing globally. With this function enabled, when the switch receives an IGMP leave message on a port, it directly removes that port from the multicast forwarding entry of the specific group.
vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, by each of which you can specify an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID. The effective range of a VLAN ID is 1 to 4094.
Use the undo host-aging-time command to restore the default setting. By default, the aging time of dynamic member ports is 260 seconds. This command works on IGMP Snooping–enabled VLANs. Related commands: igmp-snooping host-aging-time. Examples # Set the aging time of dynamic member ports globally to 300 seconds. <Sysname>...
View VLAN view Default Level 2: System level Parameters None Description Use the igmp-snooping drop-unknown command to enable the function of dropping unknown multicast data in the current VLAN, so that such multicast data will only be forwarded to router ports. Use the undo igmp-snooping drop-unknown command to disable the function of dropping unknown multicast data in the current VLAN.
Use the igmp-snooping fast-leave command to enable fast leave processing on the current port or group of ports. With this function enabled, when the switch receives an IGMP leave message on a port, it directly removes that port from the multicast forwarding entry of the specific group.
View Ethernet port view, Layer 2 aggregate port view, port group view Default Level 2: System level Parameters limit: Maximum number of multicast groups that can be joined on a port. The effective range is 1 to 1000. vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, by each of which you can specify an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID.
Parameters acl-number: Basic or advanced ACL number, in the range of 2000 to 3999. The source address or address range specified in the advanced ACL rule is used to match the multicast source address(es) specified in IGMPv3 reports, rather than the source address in the IP packets. The system assumes that an IGMPv1 or IGMPv2 report or an IGMPv3 IS_EX and TO_EX report that does not carry a multicast source address carries a multicast source address of 0.0.0.0.
undo igmp-snooping host-aging-time View VLAN view Default Level 2: System level Parameters interval: Dynamic member port aging time, in seconds. The effective range is 200 to 1,000. Description Use the igmp-snooping host-aging-time command to configure the aging time of dynamic member ports in the current VLAN.
Description Use the igmp-snooping host-join command to configure the current port(s) as simulated member host(s), namely configure the current port as a member host for the specified multicast group or source and group. Use the undo igmp-snooping host-join command to remove the current port(s) as simulated member host(s) for the specified multicast group or source and group.
Description Use the igmp-snooping last-member-query-interval command to configure the interval between IGMP last-member queries in the VLAN. Use the undo igmp-snooping last-member-query-interval command to restore the default setting. By default, the IGMP last-member query interval is 1 second. This command takes effect only if IGMP Snooping is enabled in the VLAN. Related commands: last-member-query-interval.
igmp-snooping overflow-replace Syntax igmp-snooping overflow-replace [ vlan vlan-list ] undo igmp-snooping overflow-replace [ vlan vlan-list ] View Ethernet port view, Layer 2 aggregate port view, port group view Default Level 2: System level Parameters vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, by each of which you can specify an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID.
undo igmp-snooping querier View VLAN view Default Level 2: System level Parameters None Description Use the igmp-snooping querier command to enable the IGMP Snooping querier function. Use the undo igmp-snooping querier command to disable the IGMP Snooping querier function. By default, the IGMP Snooping querier function is disabled. Note that: This command takes effect only if IGMP Snooping is enabled in the VLAN.
By default, the IGMP general query interval is 60 seconds. This command takes effect only if IGMP Snooping is enabled in the VLAN. Related commands: max-response-time. Examples # Set the interval between IGMP general queries to 20 seconds in VLAN 2. <Sysname>...
View Ethernet port view, port group view Default Level 2: System level Parameters None Description Use the igmp-snooping source-deny command to enable multicast source port filtering. Use the undo igmp-snooping source-deny command to disable multicast source port filtering. By default, multicast source port filtering is disabled. This command works on IGMP Snooping–enabled VLANs.
igmp-snooping version Syntax igmp-snooping version version-number undo igmp-snooping version View VLAN view Default Level 2: System level Parameters version-number: IGMP snooping version, in the range of 2 to 3. Description Use the igmp-snooping version command to configure the IGMP Snooping version. Use the undo igmp-snooping version command to restore the default setting.
Parameters interval: Interval between IGMP last-member queries, in seconds. The effective range is 1 to 5. Description Use the last-member-query-interval command to configure the interval between IGMP last-member queries globally. Use the undo last-member-query-interval command to restore the default setting. By default, the interval between IGMP last-member queries is 1 second.
overflow-replace (IGMP-Snooping view) Syntax overflow-replace [ vlan vlan-list ] undo overflow-replace [ vlan vlan-list ] View IGMP-Snooping view Default Level 2: System level Parameters vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, by each of which you can specify an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID.
Default Level 2: System level Parameters None Description Use the report-aggregation command to enable IGMP report suppression. Use the undo report-aggregation command to disable IGMP report suppression. By default, IGMP report suppression is enabled. This command works on IGMP Snooping–enabled VLANs. Examples # Disable IGMP report suppression.
reset igmp-snooping statistics Syntax reset igmp-snooping statistics View User view Default Level 2: System level Parameters None Description Use the reset igmp-snooping statistics command to clear the statistics information of IGMP messages learned by IGMP Snooping. Examples # Clear the statistics information of all kinds of IGMP messages learned by IGMP Snooping. <Sysname>...
<Sysname> system-view [Sysname] igmp-snooping [Sysname-igmp-snooping] router-aging-time 100 source-deny (IGMP-Snooping view) Syntax source-deny port interface-list undo source-deny port interface-list View IGMP-Snooping view Default Level 2: System level Parameters interface-list: Specifies one or multiple ports. You can provide up to ten port lists, by each of which you can specify an individual port in the form of interface-type interface-number, or a port range in the form of interface-type start-interface-number to interface-type end-interface-number, where the end interface number must be greater than the start interface number.
Multicast VLAN Configuration Commands Multicast VLAN Configuration Commands display multicast-vlan Syntax display multicast-vlan [ vlan-id ] View Any view Default Level 1: Monitor level Parameters vlan-id: VLAN ID of a multicast VLAN, in the range of 1 to 4094. If this argument is not provided, the information about all multicast VLANs will be displayed.
multicast-vlan Syntax multicast-vlan vlan-id undo multicast-vlan { all | vlan-id } View System view Default Level 2: System level Parameters vlan-id: Specifies a VLAN by its ID, in the range of 1 to 4094. all: Deletes all multicast VLANs. Description Use the multicast-vlan command to configure the specified VLAN as a multicast VLAN and enter multicast VLAN view.
undo port { all | interface-list } View Multicast VLAN view Default Level 2: System level Parameters interface-list: Specifies a port in the form of interface-type interface-number, or a port range in the form of interface-type start-interface-number to interface-type end-interface-number, where the end interface number must be greater than the start interface number.
Description Use the port multicast-vlan command to assign the current port(s) to the specified multicast VLAN. Use the undo port multicast-vlan command to restore the system default. By default, a port does not belong to any multicast VLAN. Note that a port can belong to only one multicast VLAN. Examples # Assign GigabitEthernet1/0/1 to multicast VLAN 100.
MLD Snooping Configuration Commands MLD Snooping Configuration Commands display mld-snooping group Syntax display mld-snooping group [ vlan vlan-id ] [ slot slot-number ] [ verbose ] View Any view Default Level 1: Monitor level Parameters vlan vlan-id: Displays the MLD Snooping multicast group information in the specified VLAN, where vlan-id is in the range of 1 to 4094.
Total 1 MAC Group(s). Router port(s):total 1 port. GE1/0/1 IP group(s):the following ip group(s) match to one mac group. IP group address:FF1E::101 (::, FF1E::101): Attribute: Host Port Host port(s):total 1 port. GE1/0/2 MAC group(s): MAC group address:3333-0000-0101 Host port(s):total 1 port. GE1/0/2 Table 3-1 display mld-snooping group command output description Field...
Parameters None Description Use the display mld-snooping statistics command to view the statistics information of MLD messages learned by MLD Snooping. Examples # View the statistics information of all kinds of MLD messages learned by MLD Snooping. <Sysname> display mld-snooping statistics Received MLD general queries:0.
Description Use the fast-leave command to enable fast leave processing globally. With this function enabled, when the switch receives an MLD leave message on a port, it directly removes that port from the forwarding table entry for the specific group.
vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, by each of which you can specify an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID. The effective range of a VLAN ID is 1 to 4094.
Description Use the host-aging-time command to configure the aging time of dynamic member ports globally. Use the undo host-aging-time command to restore the default setting. By default, the aging time of dynamic member ports is 260 seconds. This command works on MLD Snooping–enabled VLANs. Related commands: mld-snooping host-aging-time.
max-response-time (MLD-Snooping view) Syntax max-response-time interval undo max-response-time View MLD-Snooping view Default Level 2: System level Parameters interval: Maximum response time for MLD general queries, in units of seconds. The effective range is 1 to 25. Description Use the max-response-time command to configure the maximum response time for MLD general queries globally.
Description Use the mld-snooping command to enable MLD Snooping globally and enter MLD-Snooping view. Use the undo mld-snooping command to disable MLD Snooping globally. By default, MLD Snooping is disabled. Related commands: mld-snooping enable. Examples # Enable MLD Snooping globally and enter MLD-Snooping view. <Sysname>...
Use the mld-snooping fast-leave command to enable fast leave processing on the current port or group of ports. With this function enabled, when the switch receives an MLD leave message on a port, it directly removes that port from the forwarding table entry for the specific group.
undo mld-snooping general-query source-ip View VLAN view Default Level 2: System level Parameters current-interface: Sets the source IPv6 link-local address of MLD general queries to the IPv6 address of the current VLAN interface. If the current VLAN interface does not have an IPv6 address, the default IPv6 address FE80::02FF:FFFF:FE00:0001 will be used as the source IPv6 address of MLD general queries.
to end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID. The effective range of a VLAN ID is 1 to 4094. Description Use the mld-snooping group-limit command to configure the maximum number of IPv6 multicast groups that can be joined on a port.
Description Use the mld-snooping group-policy command to configure an IPv6 multicast group filter on the current port(s), namely to control the IPv6 multicast groups hosts on the port(s) can join. Use the undo mld-snooping group-policy command to remove the configured IPv6 multicast group filter on the current port(s).
Description Use the mld-snooping host-aging-time command to configure the aging time of dynamic member ports in the current VLAN. Use the undo mld-snooping host-aging-time command to restore the system default. By default, the dynamic member port aging time is 260 seconds. This command takes effect only if MLD Snooping is enabled in the VLAN.
The source-ip ipv6-source-address option in the command is meaningful only for MLD Snooping version 2. If MLD Snooping version 1 is running, although you can include source-ip ipv6-source-address in your command, the simulated host responds with only an MLDv1 report when receiving a query message.
Examples # Set the MLD last-listener query interval to 3 seconds in VLAN 2. <Sysname> system-view [Sysname] vlan 2 [Sysname-vlan2] mld-snooping last-listener-query-interval 3 mld-snooping max-response-time Syntax mld-snooping max-response-time interval undo mld-snooping max-response-time View VLAN view Default Level 2: System level Parameters interval: Maximum response time for MLD general queries, in units of seconds.
Default Level 2: System level Parameters vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, by each of which you can specify an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID.
Parameters None Description Use the mld-snooping querier command to enable the MLD Snooping querier function. Use the undo mld-snooping querier command to disable the MLD Snooping querier function. By default, the MLD Snooping querier function is disabled. Note that: This command takes effect only if MLD Snooping is enabled in the VLAN. This command does not take effect in a sub-VLAN of an IPv6 multicast VLAN.
Default Level 2: System level Parameters None Description Use the mld-snooping source-deny command to enable IPv6 multicast source port filtering. Use the undo mld-snooping source-deny command to disable IPv6 multicast source port filtering. By default, IPv6 multicast source port filtering is disabled. Examples # Enable source port filtering for IPv6 multicast data on GigabitEthernet 1/0/1.
Examples # Enable the static router port function on GigabitEthernet 1/0/1 in VLAN 2. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] mld-snooping static-router-port vlan 2 mld-snooping version Syntax mld-snooping version version-number undo mld-snooping version View VLAN view Default Level 2: System level Parameters version-number: MLD snooping version, in the range of 1 to 2.
View MLD-Snooping view Default Level 2: System level Parameters vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, by each of which you can specify an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID.
Description Use the mld-snooping report-aggregation command to enable MLD report suppression. Use the undo mld-snooping report-aggregation command to disable MLD report suppression. By default, MLD report suppression is enabled. This command works on MLD Snooping–enabled VLANs. Examples # Disable MLD report suppression. <Sysname>...
View User view Default Level 2: System level Parameters None Description Use the reset mld-snooping statistics command to clear the statistics information of MLD messages learned by MLD Snooping. Examples # Clear the statistics information of all kinds of MLD messages learned by MLD Snooping. <Sysname>...
source-deny (MLD-Snooping view) Syntax source-deny port interface-list undo source-deny port interface-list View MLD-Snooping view Default Level 2: System level Parameters interface-list: Port list. You can specify multiple ports or port ranges by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] }, where interface-type is port type and interface-number is port number.
IPv6 Multicast VLAN Configuration Commands IPv6 Multicast VLAN Configuration Commands display multicast-vlan ipv6 Syntax display multicast-vlan ipv6 [ vlan-id ] View Any view Default Level 1: Monitor level Parameters vlan-id: VLAN ID of an IPv6 multicast VLAN, in the range of 1 to 4094. If this argument is not provided, the information about all IPv6 multicast VLANs will be displayed.
multicast-vlan ipv6 Syntax multicast-vlan ipv6 vlan-id undo multicast-vlan ipv6 { all | vlan-id } View System view Default Level 2: System level Parameters vlan-id: Specifies a VLAN by its ID, in the range of 1 to 4094. all: Deletes all IPv6 multicast VLANs. Description Use the multicast-vlan ipv6 command to configure the specified VLAN as an IPv6 multicast VLAN and enter IPv6 multicast VLAN view.
port (IPv6 multicast VLAN view) Syntax port interface-list undo port { all | interface-list } View IPv6 multicast VLAN view Default Level 2: System level Parameters interface-list: Specifies a port in the form of interface-type interface-number, or a port range in the form of interface-type start-interface-number to interface-type end-interface-number, where the end interface number must be greater than the start interface number.
Parameters vlan-id: VLAN ID of the IPv6 multicast VLAN you want to assign the current port(s) to, in the range of 1 to 4094. Description Use the port multicast-vlan ipv6 command to assign the current port(s) to the specified IPv6 multicast VLAN.
Examples # Configure VLAN 10 through VLAN 15 as sub-VLANs of IPv6 multicast VLAN 100. <Sysname> system-view [Sysname] multicast-vlan ipv6 100 [Sysname-ipv6-mvlan-100] subvlan 10 to 15...
QoS Policy Configuration Commands Commands for Defining Classes display traffic classifier Syntax display traffic classifier user-defined [ classifier-name ] View Any view Default Level 1: Monitor level Parameters classifier-name: Class name. Description Use the display traffic classifier command to display the information about a class. If no class name is provided, this command displays the information about all the user-defined classes.
0 to 7. Even though you can provide up to eight space-separated CoS values for this argument, the Switch 4510G series switches support only one CoS value in a rule. If you configure multiple CoS values in a rule, the rule cannot be issued.
1-4. Even though you can provide up to eight space-separated DSCP values for this argument, the Switch 4510G series switches support only one DSCP value in a rule. If you configure multiple DSCP values in a rule, the rule cannot be issued.
Suppose the logical relationship between classification rules is and. Note the following when using the if-match command to define matching rules. If multiple matching rules with the acl or acl ipv6 keyword specified are defined in a class, the actual logical relationship between these rules is or when the policy is applied. If multiple matching rules with the customer-vlan-id or service-vlan-id keyword specified are defined in a class, the actual logical relationship between these rules is or when the policy is applied.
<Sysname> system-view [Sysname] traffic classifier class8 [Sysname-classifier-class8] if-match protocol ip # Define a rule for class9 to match the packets with the customer network 802.1p precedence 2. <Sysname> system-view [Sysname] traffic classifier class9 [Sysname-classifier-class9] if-match customer-dot1p 2 # Define a rule for class10 to match the packets with the service provider network 802.1p precedence <Sysname>...
Examples # Create a class named class1. <Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] Traffic Behavior Configuration Commands accounting Syntax accounting undo accounting View Traffic behavior view Default Level 2: System Level Parameters None Description Use the accounting command to configure the traffic accounting action for a traffic behavior. Use the undo accounting command to remove the traffic accounting action.
Parameters cir committed-information-rate: Specifies the committed information rate (CIR) in kbps. The committed-information-rate argument ranges from 64 to 32000000 and must be a multiple of 64. committed-burst-size: The committed-burst-size argument ranges from 4000 to 16000000; the default is 4000. ebs excess-burst-size: Specifies the excess burst size (EBS) in bytes. The excess-burst-size argument ranges from 0 to 16000000; the default is 4000.
[Sysname] traffic behavior database [Sysname-behavior-database] car cir 6400 red discard display traffic behavior Syntax display traffic behavior user-defined [ behavior-name ] View Any view Default Level 1: Monitor level Parameters behavior-name: Name of a user defined traffic behavior. Description Use the display traffic behavior command to display the information about a user defined traffic behavior.
Field Green Action Red Action Yellow Action filter Syntax filter { deny | permit } undo filter View Traffic behavior view Default Level 2: System Level Parameters deny: Drops packets. permit: Forwards packets. Description Use the filter command to configure traffic filtering action for a traffic behavior. Use the undo filter command to remove the traffic filtering action.
Default Level 2: System Level Parameters cpu: Redirects traffic to the CPU. interface interface-type interface-number: Redirects traffic to an interface identified by its type and number. Description Use the redirect command to configure traffic redirecting action for a traffic behavior. Use the undo redirect command to remove the traffic redirecting action.
<Sysname> system-view [Sysname] traffic behavior database [Sysname-behavior-database] remark dot1p 2 remark drop-precedence Syntax remark drop-precedence drop-precedence-value undo remark drop-precedence View Traffic behavior view Default Level 2: System Level Parameters drop-precedence-value: Drop precedence to be set for packets, in the range 0 to 2. Description Use the remark drop-precedence command to configure the action of setting drop precedence for a traffic behavior.
Table 1-4 DSCP keywords and values Keyword default af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 Description Use the remark dscp command to configure the action of setting DSCP precedence for a traffic behavior. Use the undo remark dscp command to remove the action of setting DSCP precedence. Related commands: qos policy, traffic behavior, classifier behavior.
remark ip-precedence Syntax remark ip-precedence ip-precedence-value undo remark ip-precedence View Traffic behavior view Default Level 2: System Level Parameters ip-precedence-value: IP precedence to be set for packets, in the range of 0 to 7. Description Use the remark ip-precedence command to configure the action of setting IP precedence for a traffic behavior.
Use the undo remark local-precedence command to remove the action of remarking local precedence. Note that, when the remark dot1p command is used together with the remark local-precedence command, the 802.1p precedence to be set for packets must be the same as the local precedence to be set for packets.
QoS Policy Configuration Commands classifier behavior Syntax classifier classifier-name behavior behavior-name undo classifier classifier-name View Policy view Default Level 2: System Level Parameters classifier-name: Name of an existing class, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a class name.
Parameters policy-name: Policy name, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a policy name. If no policy is specified, the configuration of all user defined policies is displayed. classifier-name: Name of a class in the policy, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a class name.
Parameters inbound: Displays the QoS policy applied globally in the inbound direction of all ports. slot slot-number: Displays the global QoS policy configuration of the specified device in the IRF. If the slot-number argument is not specified, the global QoS policy configuration of all devices in the IRF is displayed.
Field Green Action Red Action Yellow Action Green display qos policy interface Syntax display qos policy interface [ interface-type interface-number ] [ inbound ] View Any view Default Level 1: Monitor level Parameters interface-type: Port type. interface-number: Port number. inbound: Specifies the inbound direction. Description Use the display qos policy interface command to display the configuration and statistics information about the policy applied on a port.
Field Green Action Red Action Yellow Action Green qos apply policy Syntax qos apply policy policy-name inbound undo qos apply policy inbound View Ethernet interface view, port group view Default Level 2: System Level Parameters inbound: Specifies the inbound direction. policy-name: Specifies a QoS policy name, a case-sensitive string of 1 to 31 characters.
Default Level 2: System Level Parameters policy-name: Policy name, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a QoS policy name. inbound: Applies the QoS policy to the incoming packets on all ports. Description Use the qos apply policy global command to apply a QoS policy globally. A QoS policy applied globally takes effect on all inbound traffic depending on the direction in which the policy is applied.
qos vlan-policy Syntax qos vlan-policy policy-name vlan vlan-id-list inbound undo qos vlan-policy vlan vlan-id-list inbound View System view Default Level 2: System Level Parameters policy-name: Policy name, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a policy name.
Parameters inbound: Specifies the inbound direction. Description Use the reset qos vlan-policy command to clear the statistics of a global QoS policy. If no direction is specified, all global QoS policy statistics are cleared. Examples # Clear the statistics of the global QoS policy in the inbound direction. <Sysname>...
Default Level 2: System Level Parameters import-value-list: List of input parameters, in the range of 0 to 7. export-value: Output parameter in the mapping table, in the range of 0 to 2. all: Removes all the parameters in the priority mapping table. Description Use the import command to configure entries for a priority mapping table, that is, to define one or more mapping rules.
Note that, if a port receives packets without an 802.1q tag, the switch takes the priority of the receiving port as the 802.1p precedence of the packets and then searches the dot1p-dp/lp mapping table for the local/drop precedence for the packets according to the priority of the receiving port.
Field Port priority trust type qos trust Syntax qos trust { dot1p | dscp } undo qos trust View Ethernet interface view, port group view Default Level 2: System Level Parameters dscp: Specifies to trust DSCP precedence carried in the packet and adopt this priority for priority mapping.
qos gts Syntax qos gts queue queue-number cir committed-information-rate [ cbs committed-burst-size ] undo qos gts queue queue-number View Ethernet interface view, port group view Default Level 2: System level Parameters queue queue-number: Specifies a queue by its number, which ranges from 0 to 7. cir committed-information-rate: Specifies the committed information rate (CIR) in kbps, which must be a multiple of 64, and CIR ranges from 64 to 16777216.
View Any view Default Level 1: Monitor level Parameters interface-type: Port type. interface-number: Port number. Description Use the display qos lr interface command to display the line rate configuration information of the specified port or all ports if no port is specified. Examples # Display the line rate configuration and statistics information of all the interfaces.
GigabitEthernet port: 64 to 1000000 Ten-GigabitEthernet port: 64 to 10000000 Note that the committed-information-rate argument must be a multiple of 64. cbs committed-burst-size: Specifies the committed burst size in bytes. The committed-burst-size argument ranges from 4000 to 16000000. If the cbs keyword is not used, the system uses the default committed burst size, that is, 62.5 ms x committed-information-rate, or 16000000 if the multiplication is more than 16000000.
Default Level 1: Monitor level Parameters interface-type: Port type. interface-number: Port number. Description Use the display qos wfq interface command to display the configuration of Weighted Fair Queuing (WFQ) queues of a port. If no port number is specified, the command displays the configurations of WFQ queues of all ports. Related commands: qos wfq.
View Any view Default Level 1: Monitor level Parameters interface-type: Port type. interface-number: Port number. Description Use the display qos wrr interface command to display the configuration of weighted round robin (WRR) queues of a port. If no port number is specified, the command displays the configurations of WRR queues of all ports. Related commands: qos wrr.
qos bandwidth queue Syntax qos bandwidth queue queue-id min bandwidth-value undo qos bandwidth queue queue-id [ min bandwidth-value ] View Ethernet interface view, port group view Default Level 2: System level Parameters queue-id: Queue ID, in the range of 0 to 7. bandwidth-value: Minimum guaranteed bandwidth (in kbps), that is, the minimum bandwidth guaranteed for a queue when the port is congested.
Default Level 2: System Level Parameters None Description Use the qos sp command to configure SP queuing on the current port. Use the undo qos sp command to restore the default queuing algorithm on the port. By default, all the ports adopt the WRR queue scheduling algorithm, with the weight values assigned to queue 0 through queue 7 being 1, 2, 3, 4, 5, 9, 13, and 15.
[Sysname-GigabitEthernet1/0/1] qos wfq qos wfq weight Syntax qos wfq queue-id weight schedule-value undo qos wfq queue-id weight View Ethernet interface view, port group view Default Level 2: System Level Parameters queue-id: ID of the queue, in the range of 0 to 7. weight schedule-value: Specifies the scheduling weight of a queue, in the range of 0 to 15. Each queue is allocated part of the allocable bandwidth based on its scheduling weight.
View Ethernet interface view, port group view Default Level 2: System Level Parameters None Description Use the qos wrr command to enable weighted round robin (WRR) on a port or port group. Use the undo qos wrr command to restore the default. By default, all the ports adopt the WRR queue scheduling algorithm, with the weight values assigned to queue 0 through queue 7 being 1, 2, 3, 4, 5, 9, 13, and 15.
By default, all the ports adopt the WRR queue scheduling algorithm, with the weight values assigned to queue 0 through queue 7 being 1, 2, 3, 4, 5, 9, 13, and 15. As required, you can configure part of the queues on the port to adopt the SP queue-scheduling algorithm and parts of queues to adopt the WRR queue-scheduling algorithm.
Traffic Mirroring Configuration Commands mirror-to Syntax mirror-to { cpu | interface interface-type interface-number } undo mirror-to { cpu | interface interface-type interface-number } View Traffic behavior view Default Level 2: System Level Parameters cpu: Redirects packets to the CPU. interface interface-type interface-number: Port type and port number of the destination port for the traffic mirroring action.
User Profile Configuration Commands display user-profile Syntax display user-profile View Any view Default Level 2: System level Parameters None Description Use the display user-profile command to display information about all the user profiles that have been created.
user-profile enable Syntax user-profile profile-name enable undo user-profile profile-name enable View System view Default Level 2: System level Parameters profile-name: User profile name, a case-sensitive string of 1 to 31 characters. It can contain only English letters, numbers, and underscores, and must start with an English letter. Description Use the user-profile enable command to enable a user profile.
Parameters profile-name: User profile name, a case-sensitive string of 1 to 31 characters. It can contain only English letters, numbers, and underscores, and must start with an English letter. A user profile name must be globally unique. dot1x: Uses 802.1X authentication when users access the device. Refer to 802.1X Configuration in the Security Volume for the detailed information about 802.1X.
AAA Configuration Commands access-limit enable Syntax access-limit enable max-user-number undo access-limit enable View ISP domain view Default Level 2: System level Parameters max-user-number: Maximum number of user connections for the current ISP domain. The valid range is from 1 to 2147483646. Description Use the access-limit enable command to enable the limit on the number of user connections in an ISP domain and set the allowed maximum number.
View Local user view Default Level 3: Manage level Parameters max-user-number: Maximum number of user connections using the current username, in the range 1 to 1024. Description Use the access-limit command to enable the limit on the number of user connections using the current username and set the allowed maximum number.
By default, the default accounting method that the accounting default command prescribes is used for command line users. Note that: The HWTACACS scheme specified for the current ISP domain must have been configured. Currently, only HWTACACS schemes support command line accounting. Related commands: accounting default, hwtacacs scheme.
Local accounting is only for managing the local user connection number; it does not provide the statistics function. The local user connection number management is only for local accounting; it does not affect local authentication and authorization. Related commands: authentication default, authorization default, hwtacacs scheme, radius scheme.
<Sysname> system-view [Sysname] domain system [Sysname-isp-system] accounting lan-access local # Configure the default ISP domain system to use RADIUS accounting scheme rd for LAN access users and use local accounting as the backup. <Sysname> system-view [Sysname] domain system [Sysname-isp-system] accounting lan-access radius-scheme rd local accounting login Syntax accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none |...
[Sysname-isp-system] accounting login local # Configure the default ISP domain system to use RADIUS accounting scheme rd for login users and use local accounting as the backup. <Sysname> system-view [Sysname] domain system [Sysname-isp-system] accounting login radius-scheme rd local accounting optional Syntax accounting optional undo accounting optional...
undo authentication default View ISP domain view Default Level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
View ISP domain view Default Level 2: System level Parameters local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters. Description Use the authentication lan-access command to configure the authentication method for LAN access users.
Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the corresponding default rights. Description Use the authorization command command to configure the authorization method for command line users. Use the undo authorization command command to restore the default. By default, the default authorization method is used for command line users.
none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the corresponding default rights. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters. Description Use the authorization default command to configure the authorization method for all types of users. Use the undo authorization default command to restore the default.
Parameters local: Performs local authorization. none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default rights. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters. Description Use the authorization lan-access command to configure the authorization method for LAN access users.
Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default rights. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Default Level 3: Manage level Parameters acl: Specifies the authorized ACL of the local user(s). acl-number: Authorized ACL for the local user(s), in the range 2000 to 5999. callback-number: Specifies the authorization PPP callback number of the local user(s). callback-number: Authorization PPP callback number for the local user(s), a case-sensitive string of 1 to 64 characters.
command in Login Commands of the System Volume. If the authentication method requires users to provide usernames and passwords, the levels of commands that a user can access after login depend on the level of the user. For an SSH user authenticated with an RSA public key, available commands depend on the level specified on the user interface.
Use the undo bind-attribute command to remove binding attributes of a local user. By default, no binding attribute is configured for a local user. Note that: Binding attributes are checked upon authentication of a local user. If the binding attributes of a local user do not match the configured ones, the checking will fail and the user will fail the authentication as a result.
mac mac-address: Specifies a user connection by MAC address. The MAC address must be in the format of H-H-H. ucibindex ucib-index: Specifies a user connection by connection index. The value ranges from 0 to 4294967295. user-name user-name: Specifies a user connection by username. The user-name argument is a case-sensitive string of 1 to 80 characters and must contain the domain name.
ucibindex ucib-index: Specifies all user connections using the specified connection index. The value ranges from 0 to 4294967295. user-name user-name: Specifies all user connections using the specified username. The user-name argument is a case-sensitive string of 1 to 80 characters and must contain the domain name. If you enter a username without any domain name, the system assumes that the default domain name is used for the username.
Default Level 1: Monitor level Parameters isp-name: Name of an existing ISP domain, a string of 1 to 24 characters. Description Use the display domain command to display the configuration information of a specified ISP domain or all ISP domains. Related commands: access-limit enable, domain, state.
Field State Access-limit Accounting method Default authentication scheme Default authorization scheme Default accounting scheme Lan-access authentication scheme Lan-access authorization scheme Lan-access accounting scheme Domain User Template Idle-cut Self-service Default Domain Name Total 2 domain(s). display local-user Syntax display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ] View Any view...
slot slot-number: Specifies all local users on a specified member device in an IRF. The slot-number argument indicates the member device ID. Description Use the display local-user command to display information about specified or all local users. Related commands: local-user. Examples # Display the information of local user bbb on the specified Unit ID.
Field Authorization attributes Idle TimeOut Callback-number Work Directory VLAN ID Expiration date display user-group Syntax display user-group [ group-name ] View Any view Default Level 2: System level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Description Use the display user-group command to display configuration information about one or all user groups.
domain Syntax domain isp-name undo domain isp-name View System view Default Level 3: Manage level Parameters isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or Description Use the domain isp-name command to create an ISP domain and/or enter ISP domain view.
Parameters isp-name: Name of the default ISP domain, a string of 1 to 24 characters. Description Use the domain default enable command to configure the system default ISP domain. Use the undo domain default enable command to restore the default. By default, there is a default ISP domain named system.
When some users need to access the network temporarily, you can create a guest account and specify an expiration time for the account. When a user uses the guest account for local authentication and passes the authentication, the access device checks whether the current system time is within the expiration time.
View ISP domain view Default Level 2: System level Parameters minute: Maximum idle duration allowed, in the range 1 to 120 minutes. Description Use the idle-cut enable command to enable the idle cut function and set the maximum idle duration allowed.
telnet refers to users using Telnet. terminal refers to users logging in through the console port or AUX port. Description Use the local-user command to add a local user and enter local user view. Use the undo local-user command to remove the specified local users. By default, no local user is configured.
Examples # Specify to display the passwords of all users in cipher text. <Sysname> system-view [Sysname] local-user password-display-mode cipher-force password Syntax password { cipher | simple } password undo password View Local user view Default Level 2: System level Parameters cipher: Specifies to display the password in cipher text.
[Sysname-luser-user1] password simple 123456 self-service-url enable Syntax self-service-url enable url-string undo self-service-url enable View ISP domain view Default Level 2: System level Parameters url-string: URL of the self-service server for changing user password, a string of 1 to 64 characters. It must start with http:// and contain no question mark.
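A configuration audit built on the AAA commands documented above (the none method of authentication and authorization, password simple, and local-user password-display-mode cipher-force), as an added example that is not part of the 3Com manual. The sample configuration, its layout with # separators, and the rule names are constructed for illustration.

```python
"""Audit a saved switch configuration for weak AAA settings (added example)."""
import re
from typing import List, NamedTuple

# Constructed sample configuration, not taken from the manual. Assumption:
# sections are introduced by "domain <name>" / "local-user <name>" and are
# closed by a line containing only "#".
SAMPLE_CONFIG = """\
#
domain default enable system
#
radius scheme rd
 primary authentication 10.0.0.10 1812
#
domain system
 authentication default radius-scheme rd local
 authorization default none
 accounting lan-access radius-scheme rd local
#
domain guest
 authentication lan-access none
#
local-user user1
 password simple 123456
#
local-user admin
 password cipher CONSTRUCTED-CIPHERTEXT
#
"""


class Finding(NamedTuple):
    line_no: int   # 1-based line in the config, 0 for a whole-config finding
    context: str   # section the line belongs to
    rule: str      # hypothetical rule name used by this example
    detail: str


# authentication {default|lan-access|login} ... and
# authorization {command|default|lan-access|login} ... as listed in the manual.
AAA_LINE = re.compile(
    r"^(authentication|authorization)\s+(command|default|lan-access|login)\s+(.+)$"
)


def _methods(tokens: List[str]) -> List[str]:
    """Return method keywords only, skipping the name that follows a scheme keyword."""
    out, skip = [], False
    for tok in tokens:
        if skip:            # this token is a scheme name, not a method
            skip = False
            continue
        out.append(tok)
        skip = tok in ("radius-scheme", "hwtacacs-scheme")
    return out


def audit(config_text: str) -> List[Finding]:
    findings: List[Finding] = []
    context = "system"
    cipher_force = False
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "#":                      # section separator
            context = "system"
            continue
        tokens = line.split()
        if line == "local-user password-display-mode cipher-force":
            cipher_force = True
            continue
        # Two-token form enters a view; longer forms are global commands.
        if tokens[0] in ("domain", "local-user") and len(tokens) == 2:
            context = f"{tokens[0]} {tokens[1]}"
            continue
        if context.startswith("domain "):
            m = AAA_LINE.match(line)
            if m and "none" in _methods(m.group(3).split()):
                findings.append(Finding(
                    line_no, context, "aaa-none",
                    f"{m.group(1)} {m.group(2)} uses method 'none'"))
        elif context.startswith("local-user "):
            if tokens[:2] == ["password", "simple"]:
                # Never echo the password itself into the report.
                findings.append(Finding(
                    line_no, context, "plaintext-password",
                    "password set with 'simple' is shown in plain text (value not shown)"))
    if not cipher_force:
        findings.append(Finding(
            0, "system", "no-cipher-force",
            "local-user password-display-mode cipher-force is not configured"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2}  [{f.rule}] {f.context}: {f.detail}")
```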
Parameters active: Places the current ISP domain or local user in the active state, allowing the users in the current ISP domain or the current local user to request network services. block: Places the current ISP domain or local user in the blocked state, preventing users in the current ISP domain or the current local user from requesting network services.
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Currently, you can configure authorization attributes for a user group. Note that: A user group with one or more local users cannot be removed.
display radius scheme Syntax display radius scheme [ radius-scheme-name ] [ slot slot-number ] View Any view Default Level 2: System level Parameters radius-scheme-name: RADIUS scheme name. slot slot-number: Specifies a member device in an IRF. The slot-number argument indicates the member device ID.
Packet unit ------------------------------------------------------------------ Total 1 RADIUS scheme(s) Table 2-1 display radius scheme command output description Field SchemeName Index Type Primary Auth IP/ Port/ State Primary Acct IP/ Port/ State Second Auth IP/ Port/ State Second Acct IP/ Port/ State Auth Server Encryption Key Acct Server Encryption Key Accounting-On packet disable send times...
display radius statistics Syntax display radius statistics [ slot slot-number ] View Any view Default Level 2: System level Parameters slot slot-number: Specifies a member device in an IRF. The slot-number argument indicates the member device ID. Description Use the display radius statistics command to display statistics about RADIUS packets. Related commands: radius scheme.
PKT acct_timeout Num = 1509 Realtime Account timer Num = 0 PKT response Num = 23 Session ctrl pkt Num = 0 Normal author request Num = 0 Set policy result Num = 0 RADIUS sent messages statistic: Auth accept Num = 10 Auth reject Num = 14...
Field Resend total Total RADIUS received packets statistic Code Running statistic RADIUS received messages statistic Normal auth request EAP auth request Account request Account off request PKT auth timeout PKT acct_timeout Realtime Account timer PKT response Session ctrl pkt Normal author request Succ Set policy result RADIUS sent messages statistic...
Field Discarded No-response-acct-stop packet for buffer overflow display stop-accounting-buffer Syntax display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ] View Any view Default Level 2: System level Parameters radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
undo nas-ip View RADIUS scheme view Default Level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be all 0s address, all 1s address, a class D address, a class E address or a loopback address. Description Use the nas-ip command to set the IP address for the device to use as the source address of the RADIUS packets to be sent to the server.
Parameters ip-address: IP address of the primary accounting server. port-number: UDP port number of the primary accounting server, which ranges from 1 to 65535 and defaults to 1813. Description Use the primary accounting command to specify the primary RADIUS accounting server. Use the undo primary accounting command to remove the configuration.
Use the undo primary authentication command to remove the configuration. By default, no primary RADIUS authentication/authorization server is specified. Note that: After creating a RADIUS scheme, you are supposed to configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). Ensure that at least one authentication/authorization server and one accounting server are configured, and that the RADIUS service port settings on the device are consistent with the port settings on the RADIUS servers.
The end account packets of online users cannot be sent out and buffered. This may cause a problem that the RADIUS server still has the user record after a user goes offline for a period of time. The authentication, authorization and accounting turn to the local scheme after the RADIUS request fails if the RADIUS scheme and the local authentication, authorization and accounting scheme are configured.
Examples # Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1. <Sysname> system-view [Sysname] radius nas-ip 129.10.10.1 radius scheme Syntax radius scheme radius-scheme-name undo radius scheme radius-scheme-name View System view Default Level 3: Manage level Parameters...
Parameters slot slot-number: Specifies a member device in an IRF. The slot-number argument indicates the member device ID. Description Use the reset radius statistics command to clear RADIUS statistics. Related commands: display radius scheme. Examples # Clear RADIUS statistics. <Sysname>...
<Sysname> reset stop-accounting-buffer user-name user0001@aabbcc.net # Clear the buffered stop-accounting requests in the time range from 0:0:0 to 23:59:59 on August 31, 2006. <Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006 retry Syntax retry retry-times undo retry View RADIUS scheme view Default Level 2: System level Parameters retry-times: Maximum number of transmission attempts, in the range 1 to 20.
[Sysname-radius-radius1] retry 5 retry realtime-accounting Syntax retry realtime-accounting retry-times undo retry realtime-accounting View RADIUS scheme view Default Level 2: System level Parameters retry-times: Maximum number of accounting request transmission attempts. It ranges from 1 to 255 and defaults to 5. Description Use the retry realtime-accounting command to set the maximum number of accounting request transmission attempts.
retry stop-accounting (RADIUS scheme view) Syntax retry stop-accounting retry-times undo retry stop-accounting View RADIUS scheme view Default Level 2: System level Parameters retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 10 to 65,535 and defaults to 500. Description Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.
View RADIUS scheme view Default Level 2: System level Parameters ip-address: IP address of the secondary accounting server, in dotted decimal notation. The default is 0.0.0.0. port-number: UDP port number of the secondary accounting server, which ranges from 1 to 65535 and defaults to 1813.
Parameters ip-address: IP address of the secondary authentication/authorization server, in dotted decimal notation. The default is 0.0.0.0. port-number: UDP port number of the secondary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812. Description secondary authentication/authorization server. Use the undo secondary authentication command to remove the configuration.
By default, no security policy server is specified. Note that: You can specify up to eight security policy servers for a RADIUS scheme. You can use the commands to change the settings only when no user is using the RADIUS scheme.
[Sysname-radius-radius1] server-type standard

state
Syntax
state { primary | secondary } { accounting | authentication } { active | block }
View
RADIUS scheme view
Default Level
2: System level
Parameters
primary: Sets the status of the primary RADIUS server.
secondary: Sets the status of the secondary RADIUS server.
Examples
# Set the status of the secondary server in RADIUS scheme radius1 to active.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state secondary authentication active

stop-accounting-buffer enable (RADIUS scheme view)
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
RADIUS scheme view
Default Level
2: System level
Parameters...
timer quiet (RADIUS scheme view) Syntax timer quiet minutes undo timer quiet View RADIUS scheme view Default Level 2: System level Parameters minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5. Description Use the timer quiet command to set the quiet timer for the primary server, that is, the duration that the status of the primary server stays blocked before resuming the active state.
Note that: For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command is for setting the interval. The setting of the real-time accounting interval somewhat depends on the performance of the NAS and the RADIUS server: a shorter interval requires higher performance.
so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval. A proper value for the RADIUS server response timeout timer can help improve the system performance.
When 802.1X users use EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect and the device does not change the usernames from clients when forwarding them to the RADIUS server. If the RADIUS scheme is for wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users may fail.
View Any view Default Level 2: System level Parameters hwtacacs-scheme-name: HWTACACS scheme name. statistics: Displays complete statistics about the HWTACACS server. slot slot-number: Specifies a member device in an IRF. The slot-number argument indicates the member device ID. Description Use the display hwtacacs command to display configuration information or statistics of the specified or all HWTACACS schemes.
Packet traffic-unit -------------------------------------------------------------------- Table 3-1 display hwtacacs command output description Field HWTACACS-server template name Primary-authentication-server Primary-authorization-server Primary-accounting-server Secondary-authentication-server Secondary-authorization-server Secondary-accounting-server Current-authentication-server Current-authorization-server Current-accounting-server NAS-IP-address key authentication key authorization key accounting Quiet-interval Realtime-accounting-interval Response-timeout-interval Acct-stop-PKT retransmit times Username format Data traffic-unit Packet traffic-unit : one-packet Description...
display stop-accounting-buffer Syntax display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] View Any view Default Level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies a HWTACACS scheme by its name, a string of 1 to 32 characters. slot slot-number: Specifies a member device in an IRF. The slot-number argument indicates the member device ID.
Description Use the hwtacacs nas-ip command to set the IP address for the device to use as the source address of the HWTACACS packets to be sent to the server. Use the undo hwtacacs nas-ip command to remove the configuration. By default, the source IP address of a packet sent to the server is the IP address of the outbound port.
Default Level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be an all-0s address, an all-1s address, a class D address, a class E address or a loopback address. Description Use the nas-ip command to set the IP address for the device to use as the source address of the HWTACACS packets to be sent to the server.
port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49. Description Use the primary accounting command to specify the primary HWTACACS accounting server. Use the undo primary accounting command to remove the configuration. By default, no primary HWTACACS accounting server is specified. Note that: The IP addresses of the primary and secondary accounting servers cannot be the same.
The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent. If you configure the command more than once, the last configuration takes effect. You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.
Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies a HWTACACS scheme by its name, a string of 1 to 32 characters. slot slot-number: Specifies a member device in an IRF. The slot-number argument indicates the member device ID. Description Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests that get no responses.
Default Level 2: System level Parameters ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0. port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49. Description Use the secondary authentication command to specify the secondary HWTACACS authentication server.
Description Use the secondary authorization command to specify the secondary HWTACACS authorization server. Use the undo secondary authorization command to remove the configuration. By default, no secondary HWTACACS authorization server is specified. Note that: The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
until it receives a response or the number of transmission retries reaches the configured limit. In the latter case, the NAS discards the packet. Related commands: stop-accounting-buffer. Examples # In HWTACACS scheme hwt1, enable the device to buffer the stop-accounting requests getting no responses.
View HWTACACS scheme view Default Level 2: System level Parameters minutes: Real-time accounting interval in minutes. It is a multiple of 3 in the range 3 to 60 and defaults to 12. Description Use the timer realtime-accounting command to set the real-time accounting interval. Use the undo timer realtime-accounting command to restore the default.
Default Level 2: System level Parameters seconds: HWTACACS server response timeout period in seconds. It ranges from 1 to 300 and defaults to 5. Description Use the timer response-timeout command to set the HWTACACS server response timeout timer. Use the undo timer command to restore the default. As HWTACACS is based on TCP, the timeout of the server response timeout timer and/or the TCP timeout timer will cause the device to be disconnected from the HWTACACS server.
domain name. This command is thus provided for you to decide whether to include a domain name in a username to be sent to a HWTACACS server. If a HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain. This avoids the confusing situation where the HWTACACS server regards two users in different ISP domains but with the same userid as one.
802.1X Configuration Commands 802.1X Configuration Commands display dot1x Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] View Any view Default Level 1: Monitor level Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics. interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &...
Reauth Period The maximal retransmitting times EAD quick deploy configuration: URL: http://192.168.19.23 Free IP: 192.168.19.0 255.255.255.0 EAD timeout: The maximum 802.1X user resource number is 1024 per slot Total current used 802.1X resource number is 1 GigabitEthernet1/0/1 is link-up 802.1X protocol is enabled Handshake is disabled Handshake secure is disabled Periodic reauthentication is disabled...
Field Quiet Period Quiet Period Timer is disabled Supp Timeout Server Timeout The maximal retransmitting times EAD quick deploy configuration Free IP EAD timeout The maximum 802.1X user resource number per slot Total current used 802.1X resource number GigabitEthernet1/0/1 is link-up 802.1X protocol is disabled Handshake is disabled Handshake secure is disabled...
802.1X must be enabled both globally in system view and for the intended ports in system view or interface view. Otherwise, it does not function. You can configure 802.1X parameters either before or after enabling 802.1X. Related commands: display dot1x. Examples # Enable 802.1X for ports GigabitEthernet 1/0/1, and GigabitEthernet 1/0/5 to GigabitEthernet 1/0/7.
Description Use the dot1x authentication-method command to set the 802.1X authentication method. Use the undo dot1x authentication-method command to restore the default. By default, CHAP is used. The password authentication protocol (PAP) transports passwords in clear text. The challenge handshake authentication protocol (CHAP) transports only usernames over the network.
interface interface-list: Specifies a port list. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument.
dot1x handshake Syntax dot1x handshake undo dot1x handshake View Interface view Default Level 2: System level Parameters None Description Use the dot1x handshake command to enable the online user handshake function so that the device can periodically send handshake messages to the client to check whether a user is online. Use the undo dot1x handshake command to disable the function.
Description Use the dot1x mandatory-domain command to specify the mandatory authentication domain for users accessing the port. Use the undo dot1x mandatory-domain command to remove the mandatory authentication domain. By default, no mandatory authentication domain is specified. Note that: When authenticating an 802.1X user trying to access the port, the system selects an authentication domain in the following order: the mandatory domain, the ISP domain specified in the username, and the default ISP domain.
Default Level 2: System level Parameters user-number: Maximum number of users to be supported simultaneously. The valid settings and the default may vary by device. interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &...
Description Use the dot1x multicast-trigger command to enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically. Use the undo dot1x multicast-trigger command to disable this function. By default, the multicast trigger function is enabled. Related commands: display dot1x.
Description Use the dot1x port-control command to set the access control mode for specified or all ports. Use the undo dot1x port-control command to restore the default. The default access control mode is auto. Related commands: display dot1x. Examples # Set the access control mode of port GigabitEthernet 1/0/1 to unauthorized-force. <Sysname>...
Description Use the dot1x port-method command to set the access control method for specified or all ports. Use the undo dot1x port-method command to restore the default. The default access control method is macbased. Related commands: display dot1x. Examples # Set the access control method to portbased for port GigabitEthernet 1/0/1. <Sysname>...
dot1x re-authenticate Syntax dot1x re-authenticate undo dot1x re-authenticate View Ethernet interface view Default Level 2: System level Parameters None Description Use the dot1x re-authenticate command to enable the periodic re-authentication function. Use the undo dot1x re-authenticate command to restore the default. By default, this function is disabled.
Parameters max-retry-value: Maximum number of attempts to send an authentication request to a supplicant, in the range 1 to 10. Description Use the dot1x retry command to set the maximum number of attempts to send an authentication request to a supplicant. Use the undo dot1x retry command to restore the default.
tx-period-value: Setting for the username request timeout timer in seconds. It ranges from 10 to 120 and defaults to 30. Description Use the dot1x timer command to set 802.1X timers. Use the undo dot1x timer command to restore the defaults. Several timers are used in the 802.1X authentication process to guarantee that the supplicants, the authenticators, and the RADIUS server interact with each other in a reasonable manner.
View User view Default Level 2: System level Parameters interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and &...
dot1x timer ead-timeout Syntax dot1x timer ead-timeout ead-timeout-value undo dot1x timer ead-timeout View System view Default Level 2: System level Parameters ead-timeout-value: EAD rule timeout time, in the range 1 minute to 1440 minutes. Description Use the dot1x timer ead-timeout command to set the EAD rule timeout time. Use the undo dot1x timer ead-timeout command to restore the default.
By default, no redirect URL is defined. Note that: The redirect URL and the free IP must be in the same network segment; otherwise, the URL may be inaccessible. You can configure the dot1x url command more than once, but only the last one takes effect. Related commands: display dot1x, dot1x free-ip.
habp server vlan Syntax habp server vlan vlan-id undo habp server View System view Default Level 2: System level Parameters vlan-id: ID of the VLAN in which HABP packets are to be transmitted, in the range 1 to 4094. Description Use the habp server vlan command to configure HABP to work in server mode and specify the VLAN in which HABP packets are to be transmitted.
This command is required only on the HABP server.
Examples
# Set the interval to send HABP request packets to 50 seconds.
<Sysname> system-view
[Sysname] habp timer 50...
MAC Authentication Configuration Commands MAC Authentication Configuration Commands display mac-authentication Syntax display mac-authentication [ interface interface-list ] View Any view Default Level 2: System level Parameters interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
GigabitEthernet1/0/1 is link-up MAC address authentication is enabled Authenticate success: 0, failed: 0 Current online user number is 0 MAC Addr Authenticate state ……(part of the output omitted) Table 7-1 display mac-authentication command output description Field MAC address authentication is enabled User name format is MAC address, like xxxxxxxxxxxx Fixed username:...
mac-authentication Syntax In system view: mac-authentication [ interface interface-list ] undo mac-authentication [ interface interface-list ] In Ethernet interface view: mac-authentication undo mac-authentication View System view, Ethernet interface view Default Level 2: System level Parameters interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
View System view Default Level 2: System level Parameters offline-detect offline-detect-value: Specifies the offline detect interval, in the range 60 to 65,535 seconds. quiet quiet-value: Specifies the quiet period, in the range 1 to 3,600 seconds. server-timeout server-timeout-value: Specifies the server timeout period, in the range 100 to 300 seconds.
Default Level 2: System level Parameters fixed: Uses the MAC authentication username type of fixed username. account name: Specifies the fixed username. The name argument is a case-insensitive string of 1 to 55 characters and defaults to mac. password { cipher | simple } password: Specifies the password for the fixed username. Specify the cipher keyword to display the password in cipher text or the simple keyword to display the password in plain text.
reset mac-authentication statistics Syntax reset mac-authentication statistics [ interface interface-list ] View User view Default Level 2: System level Parameters interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges.
Port Security Configuration Commands Port Security Configuration Commands display port-security Syntax display port-security [ interface interface-list ] View Any view Default Level 2: System level Parameters interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
Index is 2, OUI value is 003c12 GigabitEthernet1/0/1 is link-down Port mode is UserloginWithOUI NeedtoKnow mode is needtoknowonly Intrusion mode is disableport Max MAC address number is 50 Stored MAC address number is 0 Authorization is ignored GigabitEthernet1/0/2 is link-down Port mode is noRestriction NeedtoKnow mode is disabled Intrusion mode is no action...
display port-security mac-address block Syntax display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] View Any view Default Level 2: System level Parameters interface interface-type interface-number: Specifies a port by its type and number. vlan vlan-id: Specifies a VLAN by its number, which is in the range 1 to 4094.
# Display information about all blocked MAC addresses of port GigabitEthernet 1/0/1.
<Sysname> display port-security mac-address block interface GigabitEthernet1/0/1
MAC ADDR          From Port
000d-88f8-0577    GigabitEthernet1/0/1
--- On slot 2, 1 mac address(es) found ---
--- 1 mac address(es) found ---
# Display information about all blocked MAC addresses of port GigabitEthernet 1/0/1 in VLAN 1.
With no keyword or argument specified, the command displays information about all secure MAC addresses.
Related commands: port-security mac-address security.
Examples
# Display information about all secure MAC addresses.
<Sysname> display port-security mac-address security
MAC ADDR          VLAN ID
0002-0002-0002    1
000d-88f8-0577    1
--- 2 mac address(es) found ---
# Display only the count of the secure MAC addresses.
Field xxx mac address(es) found port-security authorization ignore Syntax port-security authorization ignore undo port-security authorization ignore View Layer 2 Ethernet interface view Default Level 2: System level Parameters None Description Use the port-security authorization ignore command to configure a port to ignore the authorization information from the RADIUS server.
Parameters None Description Use the port-security enable command to enable port security. Use the undo port-security enable command to disable port security. By default, port security is disabled. Note that: Port security cannot be enabled when 802.1X or MAC authentication is enabled globally. Enabling port security resets the following configurations on a port to the defaults bracketed, making them dependent completely on the port security mode: 802.1X (disabled), port access control method (macbased), and port access control mode (auto)
disableport-temporarily: Disables the port for a specified period of time whenever it receives an illegal frame. Use the port-security timer disableport command to set the period. Description Use the port-security intrusion-mode command to configure the intrusion protection feature, so that the interface performs configured security policies in response to received illegal packets.
By default, no secure MAC address is configured. Note that: The port must belong to the specified VLAN. You can configure a secure MAC address only if port security is enabled and the specified port operates in autoLearn mode. The undo port-security mac-address security command can be used in system view only. Related commands: display port-security.
Description Use the port-security max-mac-count command to set the maximum number of secure MAC addresses allowed on the port. Use the undo port-security max-mac-count command to restore the default setting. By default, the maximum number of secure MAC addresses is not limited. Note that: You cannot change the maximum number of secure MAC addresses for a port working in the autoLearn mode.
The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, thus preventing illegal devices from intercepting network traffic. Related commands: display port-security. Examples # Set the NTK mode of port GigabitEthernet 1/0/1 to ntkonly, allowing the port to forward received packets to only devices passing authentication.
Examples
# Enable port security and configure the port security mode of port GigabitEthernet 1/0/1 as secure.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security port-mode secure
# Change the port security mode of port GigabitEthernet 1/0/1 to userLogin.
[Sysname-GigabitEthernet1/0/1] undo port-security port-mode
[Sysname-GigabitEthernet1/0/1] port-security port-mode userlogin

port-security timer disableport...
IP Source Guard Configuration Commands IP Source Guard Configuration Commands display ip check source Syntax display ip check source [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] View Any view Default Level 1: Monitor level Parameters interface interface-type interface-number: Displays the dynamic bindings of the interface specified by its type and number.
Table 9-1 display ip check source command output description Field Total entries found Vlan Port Status display user-bind Syntax display user-bind [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] View Any view Default Level 1: Monitor level Parameters interface interface-type interface-number: Displays the static bindings of the interface specified by its type and number.
SSH2.0 Configuration Commands SSH2.0 Server Configuration Commands display ssh server Syntax display ssh server { session | status } View Any view Default Level 1: Monitor level Parameters session: Displays the session information of the SSH server. status: Displays the status information of the SSH server. Description Use the display ssh server command on an SSH server to display SSH server status information or session information.
SFTP server Idle-Timeout: 10 minute(s) Table 10-1 display ssh server status command output description Field SSH Server SSH version SSH authentication-timeout SSH server key generating interval SSH authentication retries SFTP server SFTP server Idle-Timeout # Display the SSH server session information. <Sysname>...
Parameters username: SSH username, a string of 1 to 80 characters. Description Use the display ssh user-information command on an SSH server to display information about one or all SSH users. With the username argument not specified, the command displays information about all SSH users. Related commands: ssh user.
Parameters times: Maximum number of authentication attempts, in the range 1 to 5. Description Use the ssh server authentication-retries command to set the maximum number of SSH connection authentication attempts, which takes effect at next login. Use the undo ssh server authentication-retries command to restore the default. By default, the maximum number of SSH connection authentication attempts is 3.
Examples
# Set the SSH user authentication timeout period to 10 seconds.
<Sysname> system-view
[Sysname] ssh server authentication-timeout 10

ssh server compatible-ssh1x enable
Syntax
ssh server compatible-ssh1x enable
undo ssh server compatible-ssh1x
View
System view
Default Level
2: System level
Parameters
None
Description...
Parameters
None
Description
Use the ssh server enable command to enable SSH server. Use the undo ssh server enable command to disable SSH server. By default, SSH server is disabled.
Examples
# Enable SSH server.
<Sysname> system-view
[Sysname] ssh server enable

ssh server rekey-interval
Syntax
ssh server rekey-interval hours...
Authentication method and public key configuration takes effect only for users logging in after the configuration. If an SFTP user has been assigned a public key, it is necessary to set a working folder for the user. The working folder of an SFTP user is subject to the user authentication method. For a user using only password authentication, the working folder is the AAA authorized one.
display ssh server-info Syntax display ssh server-info View Any view Default Level 1: Monitor level Parameters None Description Use the display ssh server-info command on a client to display mappings between SSH servers and their host public keys saved on the client. When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication.
ssh client authentication server Syntax ssh client authentication server server assign publickey keyname undo ssh client authentication server server assign publickey View System view Default Level 2: System level Parameters server: IP address or name of the server, a string of 1 to 80 characters. keyname: Name of the host public key of the server, a string of 1 to 64 characters.
Parameters None Description Use the ssh client first-time enable command to enable the first-time authentication function. Use the undo ssh client first-time command to disable the function. By default, the function is enabled. With first-time authentication, when an SSH client not configured with the server host public key accesses the server for the first time, the user can continue accessing the server, and save the host public key on the client.
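The defaults and undo forms described above for dot1x authentication-method, ssh server compatible-ssh1x enable, ssh client first-time enable and ssh client authentication server can be checked against a saved configuration. The following Python script is an added example, not part of the 3Com manual; both configuration samples are constructed, the function names and finding IDs are assumptions of this example, and it assumes one command per line as in a saved configuration file.

```python
import re

# Defaults as stated in the command reference excerpts on this page.
# None means the excerpt does not state the default, so it must be
# confirmed on the device rather than assumed.
DEFAULTS = {
    "dot1x_auth_method": "chap",    # "By default, CHAP is used."
    "ssh_client_first_time": True,  # "By default, the function is enabled."
    "ssh1x_compat": None,           # default not shown in the excerpt
}

AUTH_RE = re.compile(r"^dot1x authentication-method (chap|eap|pap)$")
PIN_RE = re.compile(r"^ssh client authentication server (\S+) assign publickey (\S+)$")
UNPIN_RE = re.compile(r"^undo ssh client authentication server (\S+) assign publickey$")

# Commands that switch a boolean setting on or off.
TOGGLES = {
    "ssh client first-time enable": ("ssh_client_first_time", True),
    "undo ssh client first-time": ("ssh_client_first_time", False),
    "ssh server compatible-ssh1x enable": ("ssh1x_compat", True),
    "undo ssh server compatible-ssh1x": ("ssh1x_compat", False),
}


def effective_settings(config_text):
    """Replay the configuration top to bottom; a later line or an
    'undo' form overrides whatever an earlier line set."""
    state = dict(DEFAULTS)
    pinned = {}  # server -> name of its host public key
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # drop indentation, collapse spaces
        if not line or line.startswith("#"):
            continue
        if line in TOGGLES:
            key, value = TOGGLES[line]
            state[key] = value
        elif line == "undo dot1x authentication-method":
            state["dot1x_auth_method"] = DEFAULTS["dot1x_auth_method"]
        elif AUTH_RE.match(line):
            state["dot1x_auth_method"] = AUTH_RE.match(line).group(1)
        elif PIN_RE.match(line):
            server, keyname = PIN_RE.match(line).groups()
            pinned[server] = keyname
        elif UNPIN_RE.match(line):
            pinned.pop(UNPIN_RE.match(line).group(1), None)
    state["pinned_servers"] = pinned
    return state


def audit(state):
    """Return (finding_id, message) pairs for the effective settings."""
    findings = []
    if state["dot1x_auth_method"] == "pap":
        findings.append(("DOT1X-PAP",
                         "802.1X uses PAP, which transports passwords in clear text"))
    if state["ssh_client_first_time"]:
        findings.append(("SSH-FIRST-TIME",
                         "SSH client accepts and saves unknown host keys on first "
                         "connect; disable it and assign server public keys"))
    if state["ssh1x_compat"] is True:
        findings.append(("SSH1-COMPAT", "SSH server accepts SSH1 clients"))
    elif state["ssh1x_compat"] is None:
        findings.append(("SSH1-COMPAT-UNKNOWN",
                         "SSH1 compatibility not set explicitly; check the device default"))
    return findings


# Constructed sample: PAP selected, SSH1 compatibility on, first-time left at default.
WEAK_CONFIG = """
#
 dot1x
 dot1x authentication-method pap
#
 ssh server enable
 ssh server compatible-ssh1x enable
#
"""

# Constructed sample: EAP, SSH1 off, first-time off, one server key assigned.
HARDENED_CONFIG = """
#
 dot1x
 dot1x authentication-method eap
#
 ssh server enable
 undo ssh server compatible-ssh1x
 undo ssh client first-time
 ssh client authentication server 192.0.2.10 assign publickey key-192-0-2-10
#
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(effective_settings(cfg)))
```
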
Related commands: display ssh client source.
Examples
# Specify the source IPv6 address as 2:2::2:2 for the SSH client.
<Sysname> system-view
[Sysname] ssh client ipv6 source ipv6 2:2::2:2

ssh client source
Syntax
ssh client source { ip ip-address | interface interface-type interface-number }
undo ssh client source
View
System view...
Default Level 0: Visit level Parameters server: IPv4 address or host name of the server, a case-insensitive string of 1 to 20 characters. port-number: Port number of the server, in the range 0 to 65535. The default is 22. identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa. prefer-ctos-cipher: Preferred encryption algorithm from client to server, defaulted to aes128.
Preferred encryption algorithm from server to client: AES128
Preferred HMAC algorithm from client to server: MD5
Preferred HMAC algorithm from server to client: SHA1-96.
<Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96

SFTP Server Configuration Commands
sftp server enable
Syntax
sftp server enable...
Parameters time-out-value: Timeout period in minutes. It ranges from 1 to 35,791. Description Use the sftp server idle-timeout command to set the idle timeout period for SFTP user connections. Use the undo sftp server idle-timeout command to restore the default. By default, the idle timeout period is 10 minutes.
View SFTP client view Default Level 3: Manage level Parameters remote-path: Name of a path on the server. Description Use the cd command to change the working path on a remote SFTP server. With the argument not specified, the command displays the current working path. You can use the cd ..
Current Directory is: delete Syntax delete remote-file&<1-10> View SFTP client view Default Level 3: Manage level Parameters remote-file&<1-10>: Name of a file on the server. &<1-10> means that you can provide up to 10 filenames, which are separated by space. Description Use the delete command to delete the specified file(s) from a server.
Description Use the dir command to display file and folder information under a specified directory. With the –a and –l keywords not specified, the command displays detailed information of files and folders under the specified directory in a list form. With the remote-path not specified, the command displays the file and folder information of the current working directory.
exit Syntax exit View SFTP client view Default Level 3: Manage level Parameters None Description Use the exit command to terminate the connection with a remote SFTP server and return to user view. This command functions as the bye and quit commands. Examples # Terminate the connection with the remote SFTP server.
sftp-client> get temp1.c temp.c
Remote file:/temp1.c ---> Local file: temp.c
Downloading file successfully ended

help
Syntax
help [ all | command-name ]
View
SFTP client view
Default Level
3: Manage level
Parameters
all: Displays a list of all commands.
command-name: Name of a command.
Description
Use the help command to display a list of all commands or the help information of an SFTP client command.
Description Use the ls command to display file and folder information under a specified directory. With the –a and –l keywords not specified, the command displays detailed information of files and folders under the specified directory in a list form. With the remote-path not specified, the command displays the file and folder information of the current working directory.
View SFTP client view Default Level 3: Manage level Parameters local-file: Name of a local file. remote-file: Name for the file on a remote SFTP server. Description Use the put command to upload a local file to a remote SFTP server. If you do not specify the remote-file argument, the file will be saved remotely with the same name as the local one.
quit Syntax quit View SFTP client view Default Level 3: Manage level Parameters None Description Use the quit command to terminate the connection with a remote SFTP server and return to user view. This command functions as the bye and exit commands. Examples # Terminate the connection with the remote SFTP server.
/temp.c Are you sure to delete it? [Y/N]:y This operation may take a long time.Please wait... File successfully Removed rename Syntax rename oldname newname View SFTP client view Default Level 3: Manage level Parameters oldname: Original file name or directory name. newname: New file name or directory name.
an algorithm (by using the identity-key keyword) in order to get the correct data for the local private key. By default, the encryption algorithm is DSA. Examples # Connect to SFTP server 10.1.1.2, using the following algorithms: Preferred key exchange algorithm: dh-group1. Preferred encryption algorithm from server to client: aes128.
undo sftp client source View System view Default Level 3: Manage level Parameters ip ip-address: Specifies a source IPv4 address. interface interface-type interface-number: Specifies a source interface by its type and number. Description Use the sftp client source command to specify the source IPv4 address or interface of an SFTP client.
Note that the attribute of the alternative certificate subject name does not appear as a distinguished name, and therefore the dn keyword is not available for the attribute. Examples # Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc.
certificate request entity Syntax certificate request entity entity-name undo certificate request entity View PKI domain view Default Level 2: System level Parameters entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters. Description Use the certificate request entity command to specify the entity for certificate request. Use the undo certificate request entity command to remove the configuration.
Use the undo certificate request from command to remove the configuration. By default, no authority is specified for a PKI domain view. Examples # Specify that the entity requests a certificate from the CA. <Sysname> system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] certificate request from ca certificate request mode Syntax...
certificate request polling Syntax certificate request polling { count count | interval minutes } undo certificate request polling { count | interval } View PKI domain view Default Level 2: System level Parameters count: Maximum number of attempts to poll the status of the certificate request, in the range 1 to 100. minutes: Polling interval, in the range 5 to 168 minutes.
Parameters url-string: URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of CGI command interface script in the format of http://server_location/ca_script_location, where server_location must be an IP address and does not support domain name resolution currently.
[Sysname-pki-entity-1] common-name test country Syntax country country-code-str undo country View PKI entity view Default Level 2: System level Parameters country-code-str: Country code for the entity, a 2-character case-insensitive string. Description Use the country command to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China.
By default, CRL checking is enabled. CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a certificate may occur before the certificate expires. CRL checking is intended for checking whether a certificate has been revoked. A revoked certificate is no longer trusted. Examples # Disable CRL checking.
View PKI domain view Default Level 2: System level Parameters url-string: URL of the CRL distribution point, a case-insensitive string of 1 to 127 characters in the format of ldap://server_location or http://server_location, where server_location must be an IP address and does not support domain name resolution currently. Description Use the crl url command to specify the URL of the CRL distribution point.
Examples
# Display the local certificate.
<Sysname> display pki certificate local domain 1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            10B7D4E3 00010000 0086
        Signature Algorithm: md5WithRSAEncryption
        Issuer:
            emailAddress=myca@aabbcc.net
            C=CN
            ST=Country A
            L=City X
            O=abc
            OU=bjs
            CN=new-ca
        Validity
            Not Before: Jan 13 08:57:21 2004 GMT
            Not After : Jan 20 09:07:21 2005 GMT
        Subject:
            C=CN...
Field Validity Subject Subject Public Key Info X509v3 extensions X509v3 CRL Distribution Points display pki certificate access-control-policy Syntax display pki certificate access-control-policy { policy-name | all } View Any view Default Level 1: Monitor level Parameters policy-name: Name of the certificate attribute-based access control policy, a string of 1 to 16 characters.
display pki certificate attribute-group Syntax display pki certificate attribute-group { group-name | all } View Any view Default Level 1: Monitor level Parameters group-name: Name of a certificate attribute group, a string of 1 to 16 characters. all: Specifies all certificate attribute groups. Description Use the display pki certificate attribute-group command to display information about a specified or all certificate attribute groups.
View Any view Default Level 2: System level Parameters domain-name: Name of the PKI domain, a string of 1 to 15 characters. Description Use the display pki crl domain command to display the locally saved CRLs. Related commands: pki retrieval-crl, pki domain. Examples # Display the locally saved CRLs.
Field X509v3 Authority Key Identifier keyid Revoked Certificates Serial Number Revocation Date fqdn Syntax fqdn name-str undo fqdn View PKI entity view Default Level 2: System level Parameters name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters.
View PKI entity view Default Level 2: System level Parameters ip-address: IP address for an entity. Description Use the ip command to configure the IP address of an entity. Use the undo ip command to remove the configuration. By default, no IP address is specified for an entity. Examples # Configure the IP address of an entity as 11.0.0.1.
[Sysname] pki domain 1 [Sysname-pki-domain-1] ldap-server ip 169.254.0.30 locality Syntax locality locality-name undo locality View PKI entity view Default Level 2: System level Parameters locality-name: Name for the geographical locality, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use the locality command to configure the geographical locality of an entity, which can be, for example, a city name.
Description Use the organization command to configure the name of the organization to which the entity belongs. Use the undo organization command to remove the configuration. By default, no organization name is specified for an entity. Examples # Configure the name of the organization to which an entity belongs as org-name. <Sysname>...
View System view Default Level 2: System level Parameters policy-name: Name of the certificate attribute-based access control policy, a case-insensitive string of 1 to 16 characters. It cannot be “a”, “al” or “all”. all: Specifies all certificate attribute-based access control policies. Description Use the pki certificate access-control-policy command to create a certificate attribute-based access control policy and enter its view.
Use the undo pki certificate attribute-group command to delete one or all certificate attribute groups. By default, no certificate attribute group exists. Examples # Create a certificate attribute group named mygroup and enter its view. <Sysname> system-view [Sysname] pki certificate attribute-group mygroup [Sysname-pki-cert-attribute-group-mygroup] pki delete-certificate Syntax...
Parameters domain-name: PKI domain name, a case-insensitive string of 1 to 15 characters. Description Use the pki domain command to create a PKI domain and enter PKI domain view or enter the view of an existing PKI domain. Use the undo pki domain command to remove a PKI domain. By default, no PKI domain exists.
pki import-certificate Syntax pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ] View System view Default Level 2: System level Parameters ca: Specifies the CA certificate. local: Specifies the local certificate. domain-name: Name of the PKI domain, a string of 1 to 15 characters.
password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters. pkcs10: Displays the BASE64-encoded PKCS#10 certificate request. filename: Name of the file for saving the PKCS#10 certificate request, a case-insensitive string of 1 to 127 characters. Description Use the pki request-certificate domain command to request a local certificate from a CA through SCEP.
Related commands: pki domain. Examples # Retrieve the CA certificate from the certificate issuing server. <Sysname> system-view [Sysname] pki retrieval-certificate ca domain 1 pki retrieval-crl domain Syntax pki retrieval-crl domain domain-name View System view Default Level 2: System level Parameters domain-name: Name of the PKI domain, a string of 1 to 15 characters.
domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters. Description Use the pki validate-certificate command to verify the validity of a certificate. The focus of certificate validity verification is to check that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.
[Sysname-pki-domain-1] D1526110AAD7527FB093ED7FC037B0B3CDDDAD93 rule (access control policy view) Syntax rule [ id ] { deny | permit } group-name undo rule { id | all } View Access control policy view Default Level 2: System level Parameters id: Number of the certificate attribute access control rule, in the range 1 to 16. The default is the smallest unused number in this range.
View PKI entity view Default Level 2: System level Parameters state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use the state command to specify the name of the state or province where an entity resides. Use the undo state command to remove the configuration.
SSL Configuration Commands SSL Configuration Commands ciphersuite Syntax ciphersuite [ rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] * View SSL server policy view Default Level 2: System level Parameters rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.
client-verify enable Syntax client-verify enable undo client-verify enable View SSL server policy view Default Level 2: System level Parameters None Description Use the client-verify enable command to enable certificate-based SSL client authentication, that is, to enable the SSL server to perform certificate-based authentication of the client during the SSL handshake process.
Description Use the close-mode wait command to set the SSL connection close mode to wait. In this mode, after sending a close-notify message to a client, the server does not close the connection until it receives a close-notify message from the client. Use the undo close-mode wait command to restore the default.
Table 12-1 display ssl client-policy command output description Field SSL Client Policy SSL Version PKI Domain Prefer Ciphersuite display ssl server-policy Syntax display ssl server-policy { policy-name | all } View Any view Default Level 1: Monitor level Parameters policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters. all: Displays information about all SSL server policies.
Table 12-2 display ssl server-policy command output description Field SSL Server Policy PKI Domain Ciphersuite Handshake Timeout Close-mode Session Timeout Session Cachesize Client-verify handshake timeout Syntax handshake timeout time undo handshake timeout View SSL server policy view Default Level 2: System level Parameters time: Handshake timeout time in seconds, in the range 180 to 7,200.
<Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] handshake timeout 3000 pki-domain Syntax pki-domain domain-name undo pki-domain View SSL server policy view, SSL client policy view Default Level 2: System level Parameters domain-name: Name of a PKI domain, a case-insensitive string of 1 to 15 characters. Description Use the pki-domain command to specify a PKI domain for an SSL server policy or SSL client policy.
Default Level 2: System level Parameters rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA. rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.
By default, the maximum number of cached sessions is 500 and the caching timeout time is 3,600 seconds. The process of the session parameters negotiation and session establishment by using the SSL handshake protocol is quite complicated. SSL allows reusing the negotiated session parameters to establish sessions.
ssl server-policy Syntax ssl server-policy policy-name undo ssl server-policy { policy-name | all } View System view Default Level 2: System level Parameters policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters, which cannot be “a”, “al” or “all”. all: Specifies all SSL server policies.
Description Use the version command to specify the SSL protocol version for an SSL client policy. Use the undo version command to restore the default. By default, the SSL protocol version for an SSL client policy is TLS 1.0. Related commands: display ssl client-policy. Examples # Specify the SSL protocol version for SSL client policy policy1 as SSL 3.0.
Public Key Configuration Commands Public Key Configuration Commands display public-key local public Syntax display public-key local { dsa | rsa } public View Any view Default Level 1: Monitor level Parameters dsa: DSA key pair. rsa: RSA key pair. Description Use the display public-key local public command to display the public key information of the local key pair(s).
Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12B2B 1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE751EE0EC EF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001 # Display the public key information of the local DSA key pair. <Sysname> display public-key local dsa public ===================================================== Time of Key pair created: 20:00:16 2007/10/25 Key name: HOST_KEY Key type: DSA Encryption Key ===================================================== Key code:...
With neither the brief keyword nor the name publickey-name combination specified, the command displays detailed information about all locally saved public keys of peers. You can use the public-key peer command or the public-key peer import sshkey command to get a local copy of the public keys of a peer.
<Sysname> system-view [Sysname] public-key peer key1 [Sysname-pkey-public-key] peer-public-key end [Sysname] public-key-code begin Syntax public-key-code begin View Public key view Default Level 2: System level Parameters None Description Use the public-key-code begin command to enter public key code view. After entering public key code view, you can input the key in a correct format. Spaces and carriage returns are allowed between characters.
View Public key code view Default Level 2: System level Parameters None Description Use the public-key-code end command to return from public key code view to public key view and to save the configured public key. The system verifies the key before saving it. If the key contains invalid characters, the system displays an error message and discards the key.
rsa: RSA key pair. Description Use the public-key local create command to create local key pair(s). Note that: When using this command to create DSA or RSA key pairs, you will be prompted to provide the length of the key modulus. The modulus length is in the range 512 to 2048 bits, and defaults to 1024 bits.
Default Level 2: System level Parameters dsa: DSA key pair. rsa: RSA key pair. Description Use the public-key local destroy command to destroy the local key pair(s). Related commands: public-key local create. Examples # Destroy the local RSA key pairs. <Sysname>...
Related commands: public-key local create, public-key local destroy. Examples # Export the local DSA public key in OpenSSH format to a file named key.pub. <Sysname> system-view [Sysname] public-key local export dsa openssh key.pub # Display the local DSA public key in SSH2.0 format. <Sysname>...
filename: Name of the file for storing the public key. For detailed information about file names, refer to File System Management in the System Volume. Description Use the public-key local export rsa command to display the local RSA public key on the screen or export it to a specified file.
Parameters keyname: Public key name, a case-sensitive string of 1 to 64 characters. Description Use the public-key peer command to configure the public key name and enter public key view. Use the undo public-key peer command to remove a configured peer public key. After entering public key view, you can configure the public key of the peer with the public-key-code begin and public-key-code end commands.
IRF. Description Use the display acl resource command to display the usage of ACL resources on a switch. Examples # Display the ACL resource usage on the switch.
View Any view Default Level 1: Monitor level Parameters time-range-name: Time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be the English word all. all: Specifies all existing time ranges.
Parameters time-range-name: Time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be the English word all. start-time: Start time of a periodic time range, in hh:mm format (24-hour clock), where hh is hours and mm is minutes.
December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command. You may create individual time ranges identified with the same name. They are regarded as one time range whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic and absolute ones.
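The combination rule above, as an added example (not from the manual or the switch software): a small Python evaluator that ORs the periodic parts, ORs the absolute parts, and ANDs the two groups. The parser covers only the statement shape in the manual's example; the second statement, the inclusive minute bounds, and treating an empty group as "no restriction" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Index matches datetime.weekday(): 0 = Monday.
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday",
             "friday", "saturday", "sunday"]


@dataclass(frozen=True)
class Periodic:
    start: time
    end: time
    days: frozenset  # weekday indexes on which the window applies


@dataclass(frozen=True)
class Absolute:
    start: Optional[datetime]  # None means no lower bound
    end: Optional[datetime]    # None means no upper bound


def parse_statement(line: str) -> Tuple[str, Optional[Periodic], Optional[Absolute]]:
    """Parse one statement of the simplified shape used in the manual's example:
    time-range NAME [HH:MM to HH:MM DAY...] [from HH:MM MM/DD/YYYY] [to HH:MM MM/DD/YYYY]
    """
    tok = line.split()
    if len(tok) < 3 or tok[0] != "time-range":
        raise ValueError("not a time-range statement: %r" % line)
    name, rest = tok[1], tok[2:]
    periodic = None
    i = 0
    if rest[0] not in ("from", "to"):
        if len(rest) < 4 or rest[1] != "to":
            raise ValueError("bad periodic part: %r" % line)
        start = datetime.strptime(rest[0], "%H:%M").time()
        end = datetime.strptime(rest[2], "%H:%M").time()
        i, days = 3, set()
        while i < len(rest) and rest[i].lower() in DAY_NAMES:
            days.add(DAY_NAMES.index(rest[i].lower()))
            i += 1
        if not days:
            raise ValueError("periodic part needs at least one day: %r" % line)
        periodic = Periodic(start, end, frozenset(days))
    bounds = {"from": None, "to": None}
    while i < len(rest):
        if rest[i] not in bounds or i + 2 >= len(rest):
            raise ValueError("bad absolute part: %r" % line)
        bounds[rest[i]] = datetime.strptime(
            rest[i + 1] + " " + rest[i + 2], "%H:%M %m/%d/%Y")
        i += 3
    absolute = None
    if bounds["from"] or bounds["to"]:
        absolute = Absolute(bounds["from"], bounds["to"])
    return name, periodic, absolute


def in_periodic(p: Periodic, when: datetime) -> bool:
    # Assumption: both ends are inclusive at minute granularity.
    minute = when.time().replace(second=0, microsecond=0)
    return when.weekday() in p.days and p.start <= minute <= p.end


def in_absolute(a: Absolute, when: datetime) -> bool:
    minute = when.replace(second=0, microsecond=0)
    return ((a.start is None or a.start <= minute)
            and (a.end is None or minute <= a.end))


def is_active(statements: List[str], name: str, when: datetime) -> bool:
    """OR the periodic parts, OR the absolute parts, then AND the two groups."""
    periodic, absolute = [], []
    for line in statements:
        n, p, a = parse_statement(line)
        if n != name:
            continue
        if p is not None:
            periodic.append(p)
        if a is not None:
            absolute.append(a)
    if not periodic and not absolute:
        return False  # no statement defines this time range
    # Assumption: a group with no statements places no restriction.
    ok_periodic = not periodic or any(in_periodic(p, when) for p in periodic)
    ok_absolute = not absolute or any(in_absolute(a, when) for a in absolute)
    return ok_periodic and ok_absolute


STATEMENTS = [
    # Taken from the manual's example.
    "time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004",
    # Constructed: a second periodic statement under the same name.
    "time-range test 08:00 to 09:00 friday",
]

if __name__ == "__main__":
    for when in (datetime(2004, 6, 2, 13, 0),   # Wednesday, inside both windows
                 datetime(2004, 6, 4, 8, 30),   # Friday, added periodic window
                 datetime(2005, 6, 3, 8, 30)):  # Friday, after the absolute window
        print(when, is_active(STATEMENTS, "test", when))
```

The Friday window stops matching after 2004 because the absolute window from the first statement is ANDed with every periodic statement of the same name, which is worth checking whenever a time-based ACL rule is extended.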
Description Use the acl command to enter IPv4 ACL view. If the ACL does not exist, it is created first. Use the undo acl command to remove a specified IPv4 ACL or all IPv4 ACLs. By default, the match order is config. Note that: You can specify a name for an IPv4 ACL only when you create the ACL.
View System view Default Level 2: System level Parameters source-acl-number: Number of an existing IPv4 ACL, which must be in the following ranges: 2000 to 2999 for basic IPv4 ACLs 3000 to 3999 for advanced IPv4 ACLs 4000 to 4999 for Ethernet frame header ACLs name source-acl-name: Name of an existing IPv4 ACL, a case insensitive string of 1 to 32 characters.
Parameters acl-name: Name of the IPv4 ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be the English word all. Description Use the acl name command to enter the view of an existing IPv4 ACL by specifying its name. Examples # Enter the view of the IPv4 ACL named flow.
[Sysname] acl number 4000 [Sysname-acl-ethernetframe-4000] description This acl is used in geth 1/0/1 display acl Syntax display acl { acl-number | all | name acl-name } View Any view Default Level 1: Monitor level Parameters acl-number: IPv4 ACL number, which must be in the following ranges: 2000 to 2999 for basic IPv4 ACLs 3000 to 3999 for advanced IPv4 ACLs 4000 to 4999 for Ethernet frame header ACLs...
Field rule 5 comment This rule is used in geth 1/0/1 reset acl counter Syntax reset acl counter { acl-number | all | name acl-name } View User view Default Level 2: System level Parameters acl-number: IPv4 ACL number, which must be in the following ranges: 2000 to 2999 for basic IPv4 ACLs 3000 to 3999 for advanced IPv4 ACLs 4000 to 4999 for Ethernet frame header ACLs...
Default Level 2: System level Parameters rule-id: Basic IPv4 ACL rule number, in the range 0 to 65534. deny: Drops matched packets. permit: Allows matched packets to pass. fragment: Indicates that the rule applies to only non-first fragments. A rule without this keyword applies to all fragments and non-fragments.
For a basic IPv4 ACL rule to be referenced by a QoS policy for traffic classification, the logging keyword is not supported. Related commands: display acl. Examples # Create a rule to deny packets with the source IP address 1.1.1.1. <Sysname>...
Table 14-4 Match criteria and other rule information for advanced IPv4 ACL rules Parameters source { sour-addr Specifies a source sour-wildcard | any } address. destination { dest-addr Specifies a destination dest-wildcard | any } address. Specifies an IP precedence precedence precedence value.
If the two values are the same, the switch will convert the operator range to eq. Note that if you specify a combination of lt 1 or gt 65534, the switch will convert it to eq 0 or eq 65535. Parameters specific to TCP.
If you specify no optional keywords, the undo rule command removes the entire ACL rule; otherwise, the command removes only the specified criteria. Before performing the undo rule command, you may use the display acl command to view the ID of the rule. When defining ACL rules, you do not need to assign them IDs;...
Default Level 2: System level Parameters rule-id: Ethernet frame header ACL rule number, in the range 0 to 65534. deny: Drops matched packets. permit: Allows matched packets to pass. cos vlan-pri: Defines an 802.1p priority. The vlan-pri argument can be a number in the range 0 to 7 or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
If the ACL match order is auto, rules are displayed in the depth-first match order rather than by rule number. For an Ethernet frame header ACL to be referenced by a QoS policy for traffic classification, the lsap keyword is not supported. Related commands: display acl.
[Sysname-acl-basic-2000] rule 0 comment This rule is used in geth 1/0/1
# Create a rule in ACL 3000 and define the rule description.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 1.1.1.1 0
[Sysname-acl-adv-3000] rule 0 comment This rule is used in geth 1/0/1
# Create a rule in ACL 4000 and define the rule description.
IPv6 ACL Configuration Commands acl ipv6 Syntax acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ] undo acl ipv6 { all | name acl6-name | number acl6-number } View System view Default Level 2: System level Parameters number acl6-number: Specifies the number of the IPv6 ACL, which must be in the following ranges:...
# Create IPv6 ACL 2002, giving the ACL a name of flow.
<Sysname> system-view
[Sysname] acl ipv6 number 2002 name flow
[Sysname-acl6-basic-2002-flow]
# Enter the view of an IPv6 ACL that has no name by specifying its number.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]
# Enter the view of an IPv6 ACL that has a name by specifying its number.
Description Use the acl ipv6 copy command to create an IPv6 ACL by copying an existing IPv6 ACL. The new ACL is of the same ACL type and has the same match order, rules, rule numbering step and descriptions. Note that: The source IPv6 ACL and the destination IPv6 ACL must be of the same type.
Default Level 2: System level Parameters text: ACL description, a case-sensitive string of 1 to 127 characters. Description Use the description command to configure a description for an IPv6 ACL to, for example, describe the purpose of the ACL. Use the undo description command to remove the IPv6 ACL description. By default, an IPv6 ACL has no ACL description.
Description Use the reset acl ipv6 counter command to clear statistics on a specified IPv6 ACL or all basic and advanced IPv6 ACLs. Examples # Clear the statistics on IPv6 ACL 2001, which is referenced by upper layer software. <Sysname> reset acl ipv6 counter 2001 # Clear the statistics on IPv6 ACL flow, which is referenced by upper layer software.
When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
Parameters rule-id: IPv6 ACL rule number, in the range 0 to 65534. deny: Drops matched packets. permit: Allows matched packets to pass. protocol: Protocol carried over IPv6. It can be a number in the range 0 to 255, or in words, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17).
Note that if you specify a combination of lt 1 or gt 65534, the switch will convert it to eq 0 or eq 65535. Parameters specific to TCP.
When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
Description Use the rule comment command to configure a description for an existing IPv6 ACL rule or modify the description of an IPv6 ACL rule. You may use the rule description to, for example, describe the purpose of the ACL rule. Use the undo rule comment command to remove the IPv6 ACL rule description.
<Sysname> system-view [Sysname] acl ipv6 number 3000 [Sysname-acl6-adv-3000] step 2 ACL Application Commands acl logging frequence Syntax acl logging frequence frequence undo acl logging frequence View System view Default Level 2: System level Parameters frequence: Interval in minutes for packet filtering statistics. It must be an integer in the range of 0 to 1440 and a multiple of five.
Parameters frequence: Interval in minutes for packet filtering statistics. It must be an integer in the range of 0 to 1440 and a multiple of five. Description Use the acl ipv6 logging frequence command to set the interval for IPv6 packet filtering statistics. At the specified interval, the device outputs the statistics information, including the number of filtered packets, and the ACL rules used.
Note that you can apply only one IPv4 ACL or one Ethernet frame header ACL on an interface. To modify the ACL configured on an interface, you need to remove the previous configuration first and then configure a new ACL. Examples # Apply basic IPv4 ACL 2001 to the inbound direction of interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter ipv6 2500 outbound
# Apply advanced IPv6 ACL 3000 to the outbound direction of VLAN interface 20.
<Sysname> system-view
[Sysname] interface Vlan-interface 20
[Sysname-Vlan-interface20] packet-filter ipv6 3000 outbound
1 Smart Link Configuration Commands
    Smart Link Configuration Commands
        display smart-link flush
        display smart-link group
        flush enable
        port
        port smart-link group
        preemption delay
        preemption mode
        protected-vlan
        reset smart-link statistics
        smart-link flush enable
        smart-link group
2 Monitor Link Configuration Commands
    Monitor Link Configuration Commands
        display monitor-link group
        monitor-link group...
Smart Link Configuration Commands Smart Link Configuration Commands display smart-link flush Syntax display smart-link flush View Any view Default Level 1: Monitor level Parameters None Description Use the display smart-link flush command to display information about the received flush messages. Examples # Display information about the received flush messages.
display smart-link group Syntax display smart-link group { group-id | all } View Any view Default Level 1: Monitor level Parameters group-id: Smart link group ID. The minimum value is 1, while the maximum value is 26. all: Displays information about all smart link groups. Description Use the display smart-link group command to display information about the specified or all smart link groups.
Field State Flush-count Last-flush-time flush enable Syntax flush enable [ control-vlan vlan-id ] undo flush enable View Smart link group view Default Level 2: System level Parameters control-vlan vlan-id: Specifies the control VLAN used for transmitting flush messages. The vlan-id argument ranges from 1 to 4094.
Default Level 2: System level Parameters interface-type interface-number: Port type and port number. master: Specifies a port as the master port. slave: Specifies a port as the slave port. Description Use the port command to assign the specified port as the master or slave port of the current smart link group.
master: Specifies the port as the master port. slave: Specifies the port as the slave port. Description Use the port smart-link group command to configure the current port as a member of the specified smart link group. Use the undo port smart-link group command to remove the port from the specified smart link group. Note that: Disable STP and RRPP on the ports you want to add to the smart link group, and make sure that the ports are not member ports of any aggregation group or service loopback group.
Parameters delay-time: Preemption delay (in seconds), in the range of 0 to 300. Description Use the preemption delay command to set the preemption delay. When role preemption is enabled, after the preemption delay is set, the master port waits for some time before taking over, so as to collaborate with the switchover of upstream devices.
[Sysname-smlk-group1] preemption mode role protected-vlan Syntax protected-vlan reference-instance instance-id-list undo protected-vlan [ reference-instance instance-id-list ] View Smart link group view Default Level 2: System level Parameters reference-instance instance-id-list: Specifies the MSTIs to be referenced in the form of instance-id-list = { instance-id [ to instance-id ] }&<1-10>, where the range of the instance-id argument is as specified in the command configuring MSTIs and &<1-10>...
[Sysname] smart-link group 1 [Sysname-smlk-group1] protected-vlan reference-instance 1 to 10 12 reset smart-link statistics Syntax reset smart-link statistics View User view Default Level 2: System level Parameters None Description Use the reset smart-link statistics command to clear the statistics about flush messages. Examples # Clear the statistics about flush messages.
Note that: If no VLAN is specified, VLAN 1 applies. This command cannot be used on member port of an aggregation group or service loopback group. Related commands: flush enable. Examples # Enable GigabitEthernet 1/0/1 to process the flush messages received in VLAN 1. <Sysname>...
Monitor Link Configuration Commands Monitor Link Configuration Commands display monitor-link group Syntax display monitor-link group { group-id | all } View Any view Default Level 1: Monitor level Parameters group-id: Monitor link group ID, in the range 1 to 16. all: Specifies all monitor link groups.
Field Member Role Status monitor-link group Syntax monitor-link group group-id undo monitor-link group group-id View System view Default Level 2: System level Parameters group-id: Monitor link group ID, in the range 1 to 16. Description Use the monitor-link group command to create a monitor link group and enter monitor link group view. If the specified monitor link group already exists, you enter monitor link group view directly.
Default Level 2: System level Parameters interface-type interface-number: Port type and port number. uplink: Specifies an uplink port. downlink: Specifies a downlink port. Description Use the port command to assign a port to the monitor link group. Use the undo port command to remove a port from the monitor link group. Both Ethernet ports and Layer-2 aggregate interfaces can be assigned to a monitor link group.
downlink: Specifies a downlink port. Description Use the port monitor-link group command to assign the port to the specified monitor link group. Use the undo port monitor-link group command to remove the port from the specified monitor link group. Both Ethernet ports and Layer-2 aggregate interfaces can be assigned to a monitor link group. A port can be assigned to only one monitor link group.
RRPP Configuration Commands RRPP Configuration Commands control-vlan Syntax control-vlan vlan-id undo control-vlan View RRPP domain view Default Level 2: System level Parameters vlan-id: Specifies a VLAN as the primary control VLAN for the RRPP domain, in the range 2 to 4093. This VLAN must be one not created yet.
Table 3-1 display rrpp brief command output description Field Flags for Node Mode RRPP Protocol Status Number of RRPP Domains Domain ID Control VLAN Protected VLAN Hello Timer Fail Timer Ring ID Ring Level Node Mode Primary/Common Port Secondary/Edge Port Enable Status display rrpp ring-group Syntax...
Default Level 1: Monitor Level Parameters ring-group-id: RRPP ring group ID, in the range 1 to 8. Description Use the display rrpp ring-group command to display the RRPP ring group configuration. If no ring group ID is specified, the configuration of all ring groups is displayed. If an RRPP ring ID is specified, the configuration of the specified RRPP ring group on the current device is displayed.
Parameters domain-id: RRPP domain ID, in the range 1 to 8. ring-id: RRPP ring ID, in the range 1 to 64. Description Use the display rrpp statistics command to display RRPPDU statistics. Note that: If an RRPP ring ID is specified, the RRPPDU statistics for the specified RRPP ring in the specified RRPP domain on the current device are displayed.
Secondary port: GigabitEthernet1/0/4 Packet Link Common Direct Hello Down Flush FDB Flush FDB Hello ------------------------------------------------------------------------------ Send 16878 Ring ID Ring Level Node Mode : Edge Active Status : No Common port : GigabitEthernet1/0/3 Packet Link Common Direct Hello Down Flush FDB Flush FDB Hello ------------------------------------------------------------------------------ Send Common port...
Field Secondary Port Common Port Edge Port Packet Direct Hello Link-Down Common Flush FDB Complete Flush FDB Edge Hello Major Fault Packet Total display rrpp verbose Syntax display rrpp verbose domain domain-id [ ring ring-id ] View Any view Default Level 1: Monitor level Parameters domain-id: RRPP domain ID, in the range 1 to 8.
Examples # Display the detailed information of ring 1 in RRPP domain 1. <Sysname> display rrpp verbose domain 1 ring 1 Domain ID Control VLAN : Major 5 Protected VLAN: Reference Instance 0 to 2, 4 Hello Timer : 1 sec Fail Timer : 3 sec Ring ID Ring Level Node Mode...
Field List of VLANs protected by the RRPP domain. MSTIs are displayed Protected VLAN here. To get the VLANs corresponding to these MSTIs, use the display stp region-configuration command. Hello Timer Hello Timer value in seconds Fail Timer Fail Timer value in seconds Ring ID RRPP ring ID RRPP ring level:...
domain ring Syntax domain domain-id ring ring-id-list undo domain domain-id [ ring ring-id-list ] View RRPP ring group view Default Level 2: System level Parameters domain-id: RRPP domain ID, in the range of 1 to 8. ring-id-list: RRPP subring ID list expressed in the format of ring-id-list={ ring-id [ to ring-id ] }&<1-10>, where the ring-id argument is an RRPP subring ID in the range of 1 to 64 and &<1-10>...
<Sysname> system-view [Sysname] rrpp domain 1 [Sysname-rrpp-domain1] control-vlan 100 [Sysname-rrpp-domain1] protected-vlan reference-instance 2 to 3 reset rrpp statistics Syntax reset rrpp statistics domain domain-id [ ring ring-id ] View User view Default Level 1: Monitor level Parameters domain-id: RRPP domain ID, in the range 1 to 8. ring-id: RRPP ring ID, in the range 1 to 64.
Parameters ring-id: RRPP ring ID, in the range 1 to 64. master: Specifies the device as the master node of the RRPP ring. transit: Specifies the device as the transit node of the RRPP ring. primary-port: Specifies the port as a primary port. interface-type interface-number: Specifies a port by its type and number.
# Specify the device as the transit node of primary ring 10 in RRPP domain 1, GigabitEthernet 1/0/1 as the primary port and GigabitEthernet 1/0/2 as the secondary port. <Sysname> system-view [Sysname] rrpp domain 1 [Sysname-rrpp-domain1] control-vlan 100 [Sysname-rrpp-domain1] protected-vlan reference-instance 0 1 2 [Sysname-rrpp-domain1] ring secondary-port gigabitethernet 1/0/2 level 0...
ring enable Syntax ring ring-id enable undo ring ring-id enable View RRPP domain view Default Level 2: System level Parameters ring-id: RRPP ring ID, in the range 1 to 64. Description Use the ring enable command to enable the RRPP ring. Use the undo ring enable command to disable the RRPP ring.
Default Level 2: System level Parameters domain-id: RRPP domain ID, in the range 1 to 8. Description Use the rrpp domain command to create an RRPP domain and enter its view. Use the undo rrpp domain command to remove an RRPP domain. Note that: When you delete an RRPP domain, the control VLANs and protected VLANs of it are deleted at the same time.
Examples # Enable the RRPP protocol. <Sysname> system-view [Sysname] rrpp enable rrpp ring-group Syntax rrpp ring-group ring-group-id undo rrpp ring-group ring-group-id View System view Default Level 2: System level Parameters ring-group-id: RRPP ring group ID, in the range 1 to 8. Description Use the rrpp ring-group command to create an RRPP ring group and enter RRPP ring group view.
View RRPP domain view Default Level 2: System level Parameters hello-value: Hello timer value, in the range 1 to 10 seconds. fail-value: Fail timer value, in the range 3 to 30 seconds. Description Use the timer command to configure the Hello timer value and the Fail timer value for the RRPP domain.
DLDP Configuration Commands DLDP Configuration Commands display dldp Syntax display dldp [ interface-type interface-number ] View Any view Default Level 1: Monitor level Parameters interface-type interface-number: Port type and port number. Description Use the display dldp command to display the DLDP configuration of a port. If you do not provide the interface-type or interface-number arguments, this command displays the DLDP configuration of all the DLDP-enabled ports.
Interface GigabitEthernet1/0/51 DLDP port state : advertisement DLDP link state : up The neighbor number of the port is 1. Neighbor mac address : 0000-0000-1100 Neighbor port index : 81 Neighbor state : two way Neighbor aged time : 12 # Display the DLDP configuration of GigabitEthernet 1/0/50.
display dldp statistics Syntax display dldp statistics [ interface-type interface-number ] View Any view Default Level 1: Monitor level Parameters interface-type interface-number: Port type and port number. Description Use the display dldp statistics command to display the statistics on the DLDP packets passing through a port.
Examples # Configure to perform plain text authentication, setting the password as abc (assuming that Device A and Device B are connected by the DLDP link). Configuration on Device A <DeviceA> system-view [DeviceA] dldp authentication-mode simple abc Configuration on Device B <DeviceB>...
Default Level 2: System level Parameters None Description Use the dldp enable command to enable DLDP. Use the undo dldp enable command to disable DLDP. By default, DLDP is disabled both globally and on each port. Note that: When executed in system view, these two commands enable/disable DLDP globally; when executed in Ethernet port view, these two commands enable/disable DLDP on the current port;...
Parameters time: Interval for sending Advertisement packets, in the range 1 to 100 (in seconds). Description Use the dldp interval command to set the interval for sending Advertisement packets. Use the undo dldp interval command to restore the default. By default, the interval for sending Advertisement packets is 5 seconds. Note that: These two commands apply to all DLDP-enabled ports.
# Reset DLDP state for GigabitEthernet 1/0/50 (assuming that GigabitEthernet 1/0/50 is shut down by DLDP). <Sysname> system-view [Sysname] interface gigabitethernet 1/0/50 [Sysname-GigabitEthernet1/0/50] dldp reset # Reset DLDP state for all the ports in port group 1 shut down by DLDP. <Sysname>...
View System view Default Level 2: System level Parameters enhance: Specifies the enhanced DLDP mode. normal: Specifies the normal DLDP mode. Description Use the dldp work-mode command to set the DLDP mode. Use the undo dldp work-mode command to restore the default DLDP mode. By default, a device operates in normal DLDP mode.
Ethernet OAM Configuration Commands OAM Configuration Commands display oam Syntax display oam { local | remote } [ interface interface-type interface-number ] View Any view Default Level 2: System level Parameters local: Displays the Ethernet OAM connection information of the local end. remote: Displays the Ethernet OAM connection information of the remote end.
Remote Evaluating : COMPLETE Packets statistic : Packets Send -------------------------------------------------------------------------- OAMPDU OAMInformation OAMEventNotification OAMUniqueEventNotification OAMDuplicateEventNotification -- Table 5-1 display oam local command output description Field Port Link Status EnableStatus Local_oam_mode Local_pdu Local_mux_action Local_par_action OAMLocalFlagsField Link Fault Dying Gasp Critical Event Receive Description Port index...
Field Local Evaluating Remote Evaluating Packets statistic OAMPDU OAMInformation OAMEventNotification OAMUniqueEventNotification OAMDuplicateEventNotificatio # Display the Ethernet OAM information of the peer port GigabitEthernet 1/0/1. <Sysname> display oam remote interface gigabitethernet 1/0/1 Port : GigabitEthernet1/0/1 Link Status : Up Information of the latest received OAM packet: OAMRemoteMACAddress : 00e0-fd73-6502 OAMRemotePDUConfiguration : 1500...
Table 5-2 display oam remote port command output description Field Port Link Status Information of the latest received OAM packet OAMRemoteMACAddress OAMRemotePDUConfiguratio OAMRemoteState Remote_mux_action Remote_par_action OAMRemoteConfiguration OAM Mode Unidirectional Support Loopback Support Link Events Variable Retrieval OAMRemoteFlagsField Link Fault Dying Gasp Critical Event Local Evaluating Remote Evaluating...
Default Level 2: System level Parameters None Description Use the display oam configuration command to display global Ethernet OAM configuration, including the periods and thresholds for Ethernet OAM link error event detection. Related commands: oam errored-symbol period, oam errored-symbol threshold, oam errored-frame period, oam errored-frame threshold, oam errored-frame-period period, oam errored-frame-period errored-frame-seconds threshold.
If you do not specify the interface keyword, this command displays the statistics on the critical Ethernet OAM link events that occurred on all the ports of the switch. Examples # Display the statistics on critical Ethernet OAM link events that occurred on all the ports.
display oam link-event Syntax display oam link-event { local | remote } [ interface interface-type interface-number ] View Any view Default Level 2: System level Parameters local: Displays the statistics on the local Ethernet OAM link error events. remote: Displays the statistics on the peer Ethernet OAM link error events. interface interface-type interface-number: Specify a port by its type and number.
Errored Frame Second Summary Threshold : 1 Errored Frame Second Summary Error Running Total : 292 Table 5-5 display oam link-event local command output description Field Port Link Status OAMLocalErrFrameEvent OAMLocalErrFramePeriodEve OAMLocalErrFrameSecsSum maryEvent : (ms = milliseconds) # Display Ethernet OAM link event statistics of the remote ends of all the ports. <Sysname>...
oam errored-frame period Syntax oam errored-frame period period-value undo oam errored-frame period View System view Default Level 2: System level Parameters period-value: Errored frame detection interval, ranging from 1 to 60 (in seconds). Description Use the oam errored-frame period command to set the errored frame detection interval. Use the undo oam errored-frame period command to restore the default.
oam errored-frame-period threshold Syntax oam errored-frame-period threshold threshold-value undo oam errored-frame-period threshold View System view Default Level 2: System level Parameters threshold-value: Errored frame period event triggering threshold, ranging from 0 to 4294967295. Description Use the oam errored-frame-period threshold command to set the errored frame period event triggering threshold.
Use the undo oam errored-frame-seconds period command to restore the default. By default, the errored frame seconds detection interval is 60 seconds. Related commands: oam errored-frame-seconds threshold, display oam link-event, display oam configuration. Examples # Set the errored frame seconds detection interval to 100 seconds. <Sysname>...
View System view Default Level 2: System level Parameters period-value: Errored symbol detection interval, ranging from 1 to 60 (in seconds). Description Use the oam errored-symbol period command to set the errored symbol detection interval. Use the undo oam errored-symbol period command to restore the default. By default, the errored symbol detection interval is one second.
Examples # Set the errored symbol event triggering threshold to 100. <Sysname> system-view [Sysname] oam errored-symbol threshold 100 oam loopback Syntax oam loopback undo oam loopback View Ethernet port view Default Level 2: System level Parameters None Description Use the oam loopback command to enable Ethernet OAM loopback testing on an Ethernet port. Use the undo oam loopback command to disable Ethernet OAM remote loopback.
Default Level 2: System level Parameters active: Specifies the active Ethernet OAM mode. passive: Specifies the passive Ethernet OAM mode. Description Use the oam mode command to set the Ethernet OAM operating mode for an Ethernet port. By default, an Ethernet OAM-enabled Ethernet port operates in the active Ethernet OAM mode. Note that, to change the Ethernet OAM operating mode of an Ethernet OAM-enabled Ethernet port, you need to disable Ethernet OAM on the port first.
Connectivity Fault Detection Configuration Commands Connectivity Fault Detection Configuration Commands cfd cc enable Syntax cfd cc service-instance instance-id mep mep-id enable undo cfd cc service-instance instance-id mep mep-id enable View Ethernet port view Default level 2: System level Parameters service-instance instance-id: Specifies the service instance ID, ranging from 1 to 32767. mep mep-id: Specifies the ID of an MEP, ranging from 1 to 8191.
View System view Default level 2: System level Parameters interval-field-value: Value of the interval field in CCM messages, ranging from 4 to 7. service-instance instance-id: Specifies the service instance ID, ranging from 1 to 32767. Description Use the cfd cc interval command to set the value of the interval field in the CCM messages. Use the undo cfd cc interval command to restore the value to the default value.
[Sysname] cfd linktrace service-instance 1 mep 1101 target-mep 2001 Linktrace to MEP 2001 with the sequence number 1101-43361 : MAC Address 0010-FC00-6512 Table 6-2 cfd linktrace command output description Field Linktrace to MEP mep-id with the sequence number sequence-number MAC Address Forwarded Relay Action cfd linktrace auto-detection...
Note that: After LT messages automatic sending is enabled, if a MEP fails to receive the CCMs from the remote MEP, the link between the two is regarded as faulty and LTMs will be sent out. (The destination of the LTMs is the remote MEP, and the maximum value of TTL is 255.) Based on the LTRs that echo back, the fault source can be located.
Reply from 0010-FC00-6512: sequence number=1101-43404 Reply from 0010-FC00-6512: sequence number=1101-43405 Reply from 0010-FC00-6512: sequence number=1101-43406 Reply from 0010-FC00-6512: sequence number=1101-43407 Reply from 0010-FC00-6512: sequence number=1101-43408 Send:5 Received:5 Table 6-3 cfd loopback command output description Field Loopback to mac-address with the sequence number start from sequence-number Reply from mac-address sequence number...
Related commands: cfd md. Examples # Create an MA named test_ma in an MD named test_md, and configure the MD to serve VLAN 100. <Sysname> system-view [Sysname] cfd md test_md level 3 [Sysname] cfd ma test_ma md test_md vlan 100 cfd md Syntax cfd md md-name level level-value...
View Ethernet port view Default level 2: System level Parameters mep mep-id: ID of MEP, ranging from 1 to 8191. service-instance instance-id: Specifies the service instance ID, ranging from 1 to 32767. inbound: Creates an inward-facing MEP. outbound: Creates an outward-facing MEP. Description Use the cfd mep command to create a MEP on a port.
Use the undo cfd mep enable command to disable the MEP. By default, MEP is disabled on a port and cannot respond to LTM and LBM messages unless you enable it. Related commands: cfd mep. Examples # Enable MEP 3 in service instance 5. <Sysname>...
Table 6-4 Rules for generating MIPs MIP exists on low level MA Each of the following actions or cases can cause MIPs to be created or deleted after you have configured this command: Enabling CFD (use the cfd enable command) Creating or deleting the MEPs on a port Changes occur to the VLAN attribute of a port The rule specified in the cfd mip-rule command changes...
display cfd linktrace-reply Syntax display cfd linktrace-reply [ service-instance instance-id [ mep mep-id ] ] View Any view Default level 2: System level Parameters service-instance instance-id: Specifies the service instance ID, ranging from 1 to 32767. mep mep-id: Specifies the ID of a MEP, ranging from 1 to 8191. Description Use the display cfd linktrace-reply command to display the LTR information received by a MEP.
Field Indicates whether the forwarding device found the destination MAC address in its MAC address table Relay Action display cfd linktrace-reply auto-detection Syntax display cfd linktrace-reply auto-detection [ size size-value ] View Any view Default level 2: System level Parameters size size-value: Specifies the number of recent auto-detections, ranging from 1 to 100.
MAC Address 00E0-FC27-6502 Table 6-6 display cfd linktrace-reply auto-detection command output description Field Service instance MEP ID Time Target MEP ID MAC Address Forwarded Relay Action display cfd ma Syntax display cfd ma [ [ ma-name ] md md-name ] View Any view Default level...
If only MD is specified, this command will display the configurations of all MAs in that MD. Examples # Display the MA configuration information. <Sysname> display cfd ma 3 maintenance domain(s) configured. Maintenance domain: mdtest_5 1 maintenance association(s) belong(s) to maintenance domain mdtest_5: Maintenance association: matest_5 Service instance: 5 Maintenance domain: mdtest_6...
Default level 2: System level Parameters None Description Use the display cfd md command to display the MD configuration information. Examples # Display the MD configuration information. <Sysname> display cfd md CFD is enabled. 8 maintenance domain(s) configured: Level: 0 Maintenance domain: mdtest_0 Level: 1 Maintenance domain: mdtest_1...
Description Use the display cfd mep command to display the attribute and operating information of MEP(s). Examples # Display the attribute and operating information of MEP 50 in service instance 1. <Sysname> display cfd mep 50 service-instance 1 Interface: GigabitEthernet1/0/2 Maintenance domain: mdtest_1 Maintenance association: matest_1 Level: 1...
Field Maintenance domain MD that a MEP belongs to Maintenance association MA that a MEP belongs to Level Level of the MD VLAN VLAN that the MA belongs to Direction Direction of the MEPs Administrative state State of MEP, either Active or Inactive CCM send Whether the MEP sends CCM State of FNG (Fault Notification Generator), which can be:...
Field One or more streams of cross-connect CCMs is received. The last-received CCM: Some other MEPs are transmitting the RDI bit. display cfd mp Syntax display cfd mp [ interface interface-type interface-number ] View Any view Default level 1: Monitor level Parameters interface interface-type interface-number: Specifies a port by its type and number.
Examples # Display the information of remote MEP 10 in service instance 4. <Sysname> display cfd remote-mep service-instance 4 mep 10 MEP ID MAC Address 00E0-FC00-6565 00E0-FC27-6502 00E0-FC00-6510 00E0-FC52-BAA0 0010-FC00-6502 Table 6-11 display cfd remote-mep command output description Field MEP ID MAC Address State Time...
Parameters None Description Use the display cfd status command to display the status of CFD (enabled or disabled). Examples # Display the status of CFD. <Sysname> display cfd status CFD is enabled. 6-23...
Track Configuration Commands Track Configuration Commands display track Syntax display track { track-entry-number | all } View Any view Default Level 1: Monitor level Parameters track-entry-number: Displays information about the specified Track object, in the range 1 to 1024. all: Displays information about all the Track objects. Description Use the display track command to display Track object information.
Field NQA Entry Reaction track nqa Syntax track track-entry-number nqa entry admin-name operation-tag reaction item-num undo track track-entry-number View System view Default Level 2: System level Parameters track-entry-number: Track object ID, in the range 1 to 1024. entry admin-name operation-tag: Specifies the NQA test group to be associated with the Track object. admin-name is the name of the administrator creating the NQA operation, a string of 1 to 32 characters, case-insensitive.
1 Commands for Logging into an Ethernet Switch
Commands for Logging into an Ethernet Switch
activation-key
authentication-mode
auto-execute command
command accounting
command authorization
databits
display telnet client configuration
display user-interface
display users
display web users...
Commands for Logging into an Ethernet Switch Commands for Logging into an Ethernet Switch activation-key Syntax activation-key character undo activation-key View AUX interface view Default Level 3: Manage level Parameters character: Shortcut key for starting terminal sessions, a character or its ASCII decimal equivalent in the range 0 to 127;...
If local password authentication is specified but no password is configured on the switch, a user logging in through the Console port can still log into the switch. For a VTY user interface, however, a password is needed for a user to log into the switch through it under the same...
By default, users logging in through the Console port are not authenticated. For VTY user interface, if you want to set the login authentication mode to none or password, you must first verify that the SSH protocol is not supported by the user interface. Otherwise, your configuration will fail.
Before you execute the auto-execute command command and save your configuration, make sure you can log into the switch in other modes and cancel the configuration. Examples # Configure the telnet 10.110.100.1 command to be executed automatically after users log into VTY 0.
Examples # Enable command accounting for VTY 0. Then the HWTACACS server records the commands executed by the users logging in from VTY 0. <Sysname> system-view [Sysname] user-interface vty 0 [Sysname-ui-vty0] command accounting command authorization Syntax command authorization undo command authorization View User interface view Default Level...
Use the undo databits command to revert to the default data bits. The default number of data bits is 8. The 3Com Switch 4510G supports only data bits 7 and 8. To establish the connection again, you need to modify the configuration of the terminal emulation utility running on your PC accordingly.
Description Use the display telnet client configuration command to display the source IP address or source interface configured for the current device. Example # Display the source IP address or source interface configured for the current device. <Sysname> display telnet client configuration The source IP address is 1.1.1.1.
Privi: The privilege of user-interface. Auth : The authentication mode of user-interface. Int : The physical location of UIs. : Authenticate use AAA. : Authentication use local database. : Current UI need not authentication. : Authenticate use current UI's password. Table 1-1 Descriptions on the fields of the display user-interface command Field Type...
VTY 0 00:11:45 TEL 3 VTY 1 00:16:35 TEL 3 VTY 2 00:16:54 TEL 3 VTY 3 00:00:00 TEL 3 Following are more details. VTY 0 Location: 192.168.0.123 VTY 1 Location: 192.168.0.43 VTY 2 Location: 192.168.0.2 VTY 3 User name: user Location: 192.168.0.33 : Current operation user.
Login language used by the web user Level of the web user State of the web user Number of tasks that the web user runs Time when the web user logged in Last time when the web user accessed the switch 1-10 08:41:50 08:45:59...
By default, you can use <Ctrl + C> to terminate a task. You can use the display current-configuration command to verify the shortcut key you have defined. Examples # Define <Q> as the escape key. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] user-interface aux 0 [Sysname-ui-aux0] escape-key Q To verify the configuration, do the following:...
The Switch 4510G supports only the none keyword. Examples # Configure software flow control on AUX port. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] user-interface aux 0 [Sysname-ui-aux0] flow-control none free user-interface Syntax free user-interface [ type ] number...
history-command max-size Syntax history-command max-size value undo history-command max-size View User interface view Default Level 2: System level Parameters value: Size of the history command buffer. This argument ranges from 0 to 256 and defaults to 10. That is, the history command buffer can store 10 commands by default. Description Use the history-command max-size command to set the size of the history command buffer.
Description Use the idle-timeout command to set the timeout time. The connection to a user interface is terminated if no operation is performed in the user interface within the specified period. Use the undo idle-timeout command to revert to the default timeout time. You can use the idle-timeout 0 command to disable the timeout function.
Use the undo parity command to revert to the default check mode. No check is performed by default. The 3Com Switch 4510G supports the even, none, and odd check modes only. To establish the connection again, you need to modify the configuration of the terminal emulation utility running on your PC accordingly.
protocol inbound Syntax protocol inbound { all | ssh | telnet } View VTY interface view Default Level 3: Manage level Parameters all: Supports both Telnet protocol and SSH protocol. ssh: Supports SSH protocol. telnet: Supports Telnet protocol. Description Use the protocol inbound command to configure the user interface to support specified protocols. Both Telnet and SSH protocols are supported by default.
Default Level 2: System level Parameters screen-length: Number of lines the screen can contain. This argument ranges from 0 to 512 and defaults to 24. Description Use the screen-length command to set the number of lines the terminal screen can contain. Use the undo screen-length command to revert to the default number of lines.
<Sysname> send all
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
hello^Z
Send message? [Y/N]y
<Sysname>
***Message from vty0 to vty0
hello
<Sysname>
set authentication password
Syntax
set authentication password { cipher | simple } password
undo set authentication password
View
User interface view
Default Level...
Note the following when using the undo shell command: This command is available in all user interfaces except the AUX user interface, because the AUX port (also the Console) is exclusively used for configuring the switch. This command is unavailable in the current user interface.
After you use the speed command to configure the transmission speed of the AUX user interface, you must change the corresponding configuration of the terminal emulation program running on the PC, to keep the configuration consistent with that on the switch.
Examples
# Set the transmission speed of the AUX user interface to 9600 bps.
The Switch 4510G does not support communication with a terminal emulation program with stopbits set to 1.5.
Changing the stop bits value of the switch to a value different from that of the terminal emulation utility does not affect the communication between them.
Use the undo sysname command to revert to the default system name.
The CLI prompt reflects the system name of a switch. For example, if the system name of a switch is “4510G”, then the prompt of user view is <4510G>.
Connected to 129.102.0.1 ...
******************************************************************************
* Copyright (c) 2004-2009 3Com Corp. and its licensors. All rights reserved. *
* This software is protected by copyright law and international treaties.    *
* Without the prior written permission of 3Com Corporation and its licensors,*
* any reproduction republication, redistribution, decompiling, reverse       *
* engineering is strictly prohibited. Any unauthorized use of this software  *
* or any portion of it may result in severe civil and criminal penalties, and*
* will be prosecuted to the maximum extent possible under the applicable law.*
******************************************************************************
<Sysname>...
None
Description
Use the telnet server enable command to make the switch operate as a Telnet server.
Use the undo telnet server enable command to disable the switch from operating as a Telnet server.
By default, a switch does not operate as a Telnet server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] terminal type vt100
user-interface
Syntax
user-interface [ type ] first-number [ last-number ]
View
System view
Default Level
2: System level
Parameters
type: User interface type.
first-number: User interface index, which identifies the first user interface to be configured.
Description
Use the user privilege level command to configure the command level available to the users logging into the user interface.
Use the undo user privilege level command to revert to the default command level.
By default, the commands of level 3 are available to the users logging into the AUX user interface. The commands of level 0 are available to the users logging into VTY user interfaces.
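The user-interface settings described above (protocol inbound, set authentication password, idle-timeout, user privilege level, telnet server enable) can be checked together in a saved configuration. The following Python sketch is an added example, not part of the 3Com manual: the sample configuration is constructed, the one-space indentation of sub-commands is an assumption about the display current-configuration layout, and the finding names are illustrative.

```python
# Constructed sample; the layout (sub-commands indented one space under
# each user-interface line) is an assumption, not output from the manual.
SAMPLE_CONFIG = """\
 telnet server enable
#
user-interface aux 0
 idle-timeout 0 0
user-interface vty 0 4
 user privilege level 3
 set authentication password simple ExamplePw1
user-interface vty 5 15
 protocol inbound ssh
 set authentication password cipher PLACEHOLDER-CIPHERTEXT
 idle-timeout 5 0
#
return
"""

def parse_user_interfaces(text):
    """Return {user-interface line: [sub-commands]} for each block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user-interface "):
            current = blocks.setdefault(line, [])
        elif raw.startswith(" ") and current is not None:
            current.append(line)
        else:
            current = None  # '#', 'return' or a top-level command ends a block
    return blocks

def audit(text):
    """Return a sorted list of (user-interface line, finding) tuples."""
    telnet_on = any(l.strip() == "telnet server enable" for l in text.splitlines())
    findings = []
    for name, cmds in parse_user_interfaces(text).items():
        if name.split()[1] == "vty":
            # protocol inbound defaults to both Telnet and SSH on VTY interfaces.
            if telnet_on and "protocol inbound ssh" not in cmds:
                findings.append((name, "telnet-accepted"))
            if "user privilege level 3" in cmds:
                findings.append((name, "manage-level-on-login"))
        for cmd in cmds:
            args = cmd.split()[1:]
            if cmd.startswith("set authentication password simple "):
                findings.append((name, "plaintext-password"))
            # idle-timeout with only zero arguments disables the timeout.
            if cmd.startswith("idle-timeout ") and all(a.strip("0") == "" for a in args):
                findings.append((name, "idle-timeout-disabled"))
    return sorted(findings)
```

Pass audit() the text of a saved configuration; for the constructed sample it reports the AUX interface for a disabled idle timeout and VTY 0 to 4 for accepting Telnet, granting level 3 at login, and holding a simple (plaintext) password.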
Note that if you use Layer 2 ACL rules, you can only choose the inbound keyword in the command here.
Examples
# Apply ACL 2000 to filter users Telnetting to the current switch (assuming that ACL 2000 already exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
free web-users
Syntax
free web-users { all | user-id userid | user-name username }
View
User view
Parameter
userid: Web user ID.
username: User name of the Web user. This argument can contain 1 to 80 characters.
all: Specifies all Web users.
Description
Use the free web-users command to disconnect a specified Web user or all Web users by force.
Basic System Configuration Commands
clock datetime
Syntax
clock datetime time date
View
User view
Default Level
3: Manage level
Parameters
time: Current time in the format of HH:MM:SS, where HH is hours in the range 0 to 23, MM is minutes in the range 0 to 59, and SS is seconds in the range 0 to 59.
undo clock summer-time
View
System view
Default Level
3: Manage level
Parameters
zone-name: Name of the daylight saving time, a string of 1 to 32 characters. It is case sensitive.
start-time: Start time, in the format of HH:MM:SS (hours/minutes/seconds). The zeros in the argument can be omitted except for indicating 0 hours.
clock summer-time repeating
Syntax
clock summer-time zone-name repeating start-time start-date end-time end-date add-time
undo clock summer-time
View
System view
Default Level
3: Manage level
Parameters
zone-name: Name of the daylight saving time, a string of 1 to 32 characters.
start-time: Start time, in the format of HH:MM:SS (hours/minutes/seconds). The zeros in the argument can be omitted except for indicating 0 hours.
After the configuration takes effect, use the display clock command to view the result. Information such as log files and debugging output uses the local time adjusted by the time zone and daylight saving time settings.
Note that:
The time range from “start-time” in “start-date” to “end-time” in “end-date” must be longer than one day and shorter than one year.
Examples
# Set the name of the local time zone to Z5, five hours ahead of UTC time.
<Sysname> system-view
[Sysname] clock timezone z5 add 5
command-alias enable
Syntax
command-alias enable
undo command-alias enable
View
System view
Default Level
2: System level
Parameters
None
Description...
Parameters
cmdkey: The complete form of the first keyword of a command for which an alias will be configured.
alias: Specifies the command alias, which cannot be the same as the first keyword of an existing command.
Description
Use the command-alias mapping command to configure command aliases.
Use the undo command-alias mapping command to delete command aliases.
By default, each command in a view has its specified level. For details, refer to the related part of Basic System Configuration in this manual.
There are four command levels: visit, monitor, system, and manage, which are identified by 0 through 3. The administrator can assign a privilege level to a user as needed.
copyright-info enable
Syntax
copyright-info enable
undo copyright-info enable
View
System view
Default Level
3: Manage level
Parameters
None
Description
Use the copyright-info enable command to enable the display of copyright information.
Use the undo copyright-info enable command to disable the display of copyright information.
By default, the display of copyright information is enabled.
User interface aux0 is available.
Please press ENTER.
display clipboard
Syntax
display clipboard
View
Any view
Default Level
1: Monitor level
Parameters
None
Description
Use the display clipboard command to view the contents of the clipboard.
To copy the specified content to the clipboard:
Move the cursor to the starting position of the content and press the <Esc+Shift+,>...
Parameters
None
Description
Use the display clock command to view the current system time and date.
The current system time and date are determined by the clock datetime, clock summer-time one-off (or clock summer-time repeating), and clock timezone commands. Refer to Configuring the system clock in the operation manual for the detailed rules.
View
Any view
Default Level
2: System level
Parameters
configuration [ configuration ]: Displays non-interface configuration. If no parameter is used, all the non-interface configuration is displayed; if parameters are used, the specified information is displayed. For example:
isp: Displays the ISP configuration.
ospf: Displays the OSPF configuration.
user privilege level 3
return
display default-configuration
Syntax
display default-configuration
View
Any view
Default Level
2: System level
Parameters
None
Description
Use the display default-configuration command to display the factory defaults of a device. The command displays all commands to be executed when the device boots with the factory defaults.
Related commands: display current-configuration, display saved-configuration.
each module’s running status in the system. The display diagnostic-information command collects prompt information of the commands display clock, display version, display device, and display current-configuration.
Examples
# Save the statistics of each module's running status in the system.
<Sysname> display diagnostic-information
Save or display diagnostic information (Y=save, N=display)?[Y/N]y
Please input the file name(*.diag)[flash:/default.diag]:aa.diag
Diagnostic information is outputting to flash:/aa.diag.
CTRL_V Paste text from the clipboard.
CTRL_W Delete the word left of the cursor.
CTRL_X Delete all characters up to the cursor.
CTRL_Y Delete all characters after the cursor.
CTRL_Z Return to the User View.
CTRL_] Kill incoming connection or redirect connection.
ESC_B Move the cursor one word back.
user-interface aux 0
user-interface vty 0
history-command max-size 256
user-interface vty 1 4
return
display version
Syntax
display version
View
Any view
Default Level
1: Monitor level
Parameters
None
Description
Use the display version command to view system version information.
By viewing system version information, you can learn about the current software version, rack type and the information related to the interface boards.
login: Sets the login banner at authentication.
motd: Banner displayed before login. If authentication is required, the banner is displayed before authentication.
shell: Sets the banner displayed when a non-modem login user enters user view.
text: Banner message, which can be input in two formats. Refer to Basic System Configuration for the detailed information.
* will be prosecuted to the maximum extent possible under the applicable law.*
******************************************************************************
Welcome to legal(header legal)
Press Y or ENTER to continue, N to exit.
Welcome to motd(header motd)
Welcome to login(header login)
Login authentication
Password:
Welcome to shell(header shell)
<Sysname>...
Ctrl+L corresponds to display ip routing-table
Ctrl+O corresponds to undo debugging all
However, you can customize this scheme as needed.
Examples
# Assign the hot key Ctrl+T to the display tcp status command.
<Sysname> system-view
[Sysname] hotkey ctrl_t display tcp status
# Display the configuration of hotkeys.
Use the quit command to exit to a lower-level view. If the current view is user view, the quit command terminates the current connection and quits the system.
Examples
# Switch from GigabitEthernet1/0/1 interface view to system view, and then to user view.
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] quit
<Sysname>...
Examples
# Return to user view from GigabitEthernet1/0/1 view.
[Sysname-GigabitEthernet1/0/1] return
<Sysname>
screen-length disable
Syntax
screen-length disable
undo screen-length disable
View
User view
Default Level
1: Monitor level
Parameters
None
Description
Use the screen-length disable command to disable the multiple-screen output function of the current user.
Users can switch to a lower user privilege level unconditionally. To switch to a higher user privilege level, users logged in from VTY user interfaces must, for security's sake, enter the required password; only users logged in through the AUX user interface can switch levels without a password. If the entered password is incorrect or no password is configured, the switching fails.