3Com Switch 4500 PWR 26-Port Manual


Summary of Switch 4500 PWR 26-Port

  • Page 1

    3com switch 4500 family command reference guide switch 4500 26-port switch 4500 50-port switch 4500 pwr 26-port switch 4500 pwr 50-port product version: v03.03.00 manual version: 6w101-20090811 www.3com.com 3com corporation 350 campus drive, marlborough, ma, usa 01752 3064.

  • Page 2

    Copyright © 2006-2009, 3com corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3com corporation. 3com corporation reserv...

  • Page 3

    About this manual organization 3com switch 4500 family command reference guide is organized as follows: part contents 1 login introduces the commands used for logging into the ethernet switch and the commands used for configuring cli. 2 configuration file management introduces the commands used for ...

  • Page 4

    Part contents 27 udp helper introduces the commands used for configuring udp helper 28 snmp-rmon introduces the snmp-related and rmon-related commands. 29 ntp introduces the ntp-related commands. 30 ssh introduces the commands used for configuring ssh2.0 31 file system management introduces the comm...

  • Page 5

    Gui conventions convention description button names are inside angle brackets. For example, click . [ ] window names, menu items, data table and field names are inside square brackets. For example, pop up the [new user] window. / multi-level menus are separated by forward slashes. For example, [file...

  • Page 6: Table of Contents

    I table of contents 1 login commands 1-1 login commands...

  • Page 7

    Ii ip http acl 2-2 snmp-agent community 2-2 snmp...

  • Page 9

    1-2 to improve security and prevent attacks to the unused sockets, tcp 23 and tcp 22, ports for telnet and ssh services respectively, will be enabled or disabled after corresponding configurations. • if the authentication mode is none, tcp 23 will be enabled, and tcp 22 will be disabled. • if the au...

  • Page 10

    1-3 auto-execute command syntax auto-execute command text undo auto-execute command view vty user interface view parameters text : command to be executed automatically. Description use the auto-execute command command to set the command that is executed automatically after a user logs in. Use the un...

  • Page 11

    1-4 undo copyright-info enable view system view parameters none description use the copyright-info enable command to enable copyright information displaying. Use the undo copyright-info enable command to disable copyright information displaying. By default, copyright information displaying is enable...

  • Page 12

    1-5 use the undo databits command to revert to the default databits. The default databits is 8. • this command takes effect on aux user interfaces only. • the databits setting on the terminal and that on the device user interface must be the same for communication. Examples # set the databits to 7. ...

  • Page 13

    1-6 examples # display the source ip address configured for the switch operating as the telnet server. Display telnet-server source-ip the source ip you specified is 192.168.1.1 display telnet source-ip syntax display telnet source-ip view any view parameters none description use the display telnet ...

  • Page 14

    1-7 • in absolute user interface number scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 12. Summary : displays the summary information about a user interface. Description use the display user-interface command to display the information about a specifi...

  • Page 15

    1-8 # display the summary information about the user interface. Display user-interface summary user interface type : [aux] 0:xxxx xxxx user interface type : [vty] 8:uxxx x 1 character mode users. (u) 12 ui never used. (x) 1 total ui in use table 1-2 display user-interface summary command output desc...

  • Page 16

    1-9 examples # display the user information about the current user interface. Display users ui delay type ipaddress username userlevel + 8 vty 0 00:00:00 tel 192.168.0.208 3 + : current operation user. F : current operation user work in async mode. Table 1-3 display users command output description ...

  • Page 17

    1-10 table 1-4 display web users command output description field description id id of a web user name name of a web user language language a web user uses level level of a web user login time time when a web user logs in last req. Time time when the latest request is made free user-interface syntax...

  • Page 18

    1-11 + : current operation user. F : current operation user work in async mode. Free user-interface vty 0 are you sure you want to free user-interface vty0 [y/n]? Y [ok] after you perform the above operation, the user connection on user interface vty0 is torn down. The user in it must log in again t...

  • Page 19

    1-12 this command is valid to users logging in through aux and vty user interfaces, without affecting users logging in through the web interface. Note the following: • if you specify any one of the four keywords without providing the text argument, the specified keyword will be regarded as the login...

  • Page 20

    1-13 ******************************************************************************** * copyright(c) 2004-2008 3com corp. And its licensors. All rights reserved. * * without the owner's prior written consent, * * no decompiling or reverse-engineering shall be allowed. * *****************************...

  • Page 21

    1-14 system view: return to user view with ctrl+z. [sysname] user-interface aux 0 [sysname-ui-aux0] history-command max-size 20 idle-timeout syntax idle-timeout minutes [ seconds ] undo idle-timeout view user interface view parameters minutes : number of minutes. This argument ranges from 0 to 35,79...

  • Page 22

    1-15 by default, the web server is launched. To improve security and prevent attacks to the unused sockets, tcp 80 port for http service will be enabled or disabled after corresponding configurations. • tcp 80 port is enabled only after you use the undo ip http shutdown command to enable the web ser...

  • Page 23

    1-16 to unlock a user interface, press enter and then enter the password as prompted. Note that if you set a password containing more than 16 characters, the system matches only the first 16 characters of the password entered for unlocking the user interface. That is, the system unlocks the user int...

  • Page 24

    1-17 • this command takes effect on aux user interfaces only. • the check mode on the terminal and that on the device user interface must be the same for communication. Examples # set to perform even checks. System-view system view: return to user view with ctrl+z. [sysname] user-interface aux 0 [sy...

  • Page 25

    1-18 to improve security and prevent attacks to the unused sockets, tcp 23 and tcp 22 (ports for telnet and ssh services respectively) will be enabled or disabled after corresponding configurations. • if the authentication mode is none, tcp 23 will be enabled, and tcp 22 will be disabled. • if the a...

  • Page 26

    1-19 you can use the screen-length 0 command to disable the function to display information in pages. Examples # set the number of lines the terminal screen can contain to 20. System-view system view: return to user view with ctrl+z. [sysname] user-interface aux 0 [sysname-ui-aux0] screen-length 20 ...

  • Page 28

    1-21 [sysname-luser-zbr] service-type telnet level 0 # to verify the above configuration, you can quit the system, log in again using the user name of zbr, and then list the available commands, as listed in the following. ? User view commands: cluster run cluster command display display current syst...

  • Page 29

    1-22 by default, password authentication is performed when a user logs in through a modem or telnet. If no password is set, the user cannot establish a connection with the switch. Examples # set the local password of vty 0 to “123”. System-view system view: return to user view with ctrl+z. [sysname]...

  • Page 30

    1-23 speed syntax speed speed-value undo speed view aux user interface view parameters speed-value : transmission speed (in bps). This argument can be 300, 600, 1200, 2400, 4800, 9600, 19,200, 38,400, 57,600, and 115,200. Description use the speed command to set the transmission speed of the user in...

  • Page 31

    1-24 2 : sets the stopbits to 2. Description use the stopbits command to set the stopbits of the user interface. Use the undo stopbits command to revert to the default stopbits. Execute these two commands in aux user interface view only. By default, the stopbits is 1. • the switch 4500 does not supp...

  • Page 32

    1-25 examples # telnet from ethernet switch switch a to switch b whose ip address is 129.102.0.1. Telnet 129.102.0.1 trying 129.102.0.1 ... Press ctrl+k to abort connected to 129.102.0.1 ... ******************************************************************************** * copyright(c) 2004-2008 3co...

  • Page 33

    1-26 telnet source-interface syntax telnet source-interface interface-type interface-number undo telnet source-interface view system view parameters interface-type interface-number: interface type and interface number. Description use the telnet source-interface command to specify the source interfa...

  • Page 34

    1-27 with the telnet source-ip command configured, the specified ip address functions as the source ip address when a device logs into a telnet server as a telnet client, and the login succeeds only when there is a route between the specified source ip address and the telnet server. Note that when t...

  • Page 35

    1-28 view system view parameters ip-address : source ip address to be set. Description use the telnet-server source-ip command to specify the source telnet server ip address. Use the undo telnet-server source-ip command to remove the source telnet server ip address. With the telnet-server source-ip ...

  • Page 36

    1-29 last-number : user interface number identifying the last user interface to be configured. The value of this argument must be larger than that of the first-number argument. Description use the user-interface command to enter one or more user interface views to perform configuration. Examples # e...

  • Page 37

    1-30 examples # configure that commands at level 1 are available to the users logging in to vty 0. System-view system view: return to user view with ctrl+z. [sysname] user-interface vty 0 [sysname-ui-vty0] user privilege level 1 # you can verify the above configuration by telnetting to vty 0 and dis...

  • Page 38

    1-31 cli view description acl-ethernetframe layer 2 acl view acl-user user-defined acl view aux aux 1/0/0 port view, that is, console port view cluster cluster view detect-group detected group view ethernet 100m ethernet port view ftp-client ftp client view gigabitethernet gigabitethernet port view ...

  • Page 39

    1-32 the default levels of commands are described in the following table: table 1-6 default levels of commands level name command 0 visit level commands used to diagnose network, such as ping , tracert, and telnet commands. 1 monitor level commands used to maintain the system and diagnose service fa...

  • Page 40

    1-33 # restore the default level of the tftp get command. To restore the default levels of the commands starting with the tftp keyword, you only need to specify the tftp keyword. [sysname] undo command-privilege view shell tftp display history-command syntax display history-command view any view par...

  • Page 41

    1-34 executing this command without the level argument will switch the current user level to level 3 by default. Note that: • users logged into the switch fall into four user levels, which correspond to the four command levels respectively. Users at a specific level can only use the commands at the ...

  • Page 42

    1-35 description use the super password command to set a switching password for a specified user level, which will be used when users switch from a lower user level to the specified user level. Use the undo super password command to restore the default configuration. By default, no such password is ...

  • Page 44

    2-2 parameters all : specifies all web users. User-id : web user id, an eight-digit hexadecimal number. User-name : user name of the web user. This argument can contain 1 to 80 characters. Description use the free web-users command to disconnect a specified web user or all web users by force. Exampl...

  • Page 45

    2-3 parameters read : specifies that the community has read-only permission in the specified view. Write : specifies that the community has read/write permission in the specified view. Community-name : community name, a string of 1 to 32 characters. Acl acl-number : specifies an acl number for the c...

  • Page 46

    2-4 group-name : group name. This argument can be of 1 to 32 characters. Authentication : specifies to authenticate snmp data without encrypting the data. Privacy : authenticates and encrypts packets. Read-view : name of the view to be set to read-only. This argument can be of 1 to 32 characters. Wr...

  • Page 47

    2-5 group-name : name of the group to which the user corresponds. This argument is a string of 1 to 32 characters. Cipher :specifies the authentication or encryption password to be in ciphertext. Authentication-mode : requires authentication. If this keyword is not provided, neither authentication n...

  • Page 48: Table of Contents

    I table of contents 1 configuration file management commands 1-1 file attribute configuration commands 1-1 displa...

  • Page 49

    1-1 1 configuration file management commands the 4500 series ethernet switches support expandable resilient networking (xrn), and allow you to access a file on the switch in one of the following ways: • to access a file on the specified unit, you need to enter the file universal resource locator (ur...

  • Page 50

    1-2 • system : indicates the system configuration. • user-interface : indicates the user interface configuration. Interface : displays port/interface configuration. Interface-type : port/interface type, which can be one of the following: aux, ethernet, gigabitethernet, loopback, null and vlan-interf...

  • Page 51

    1-3 after you finish a set of configurations, you can execute the display current-configuration command to display the parameters that take effect currently. Note that: • parameters that are the same as the default are not displayed. • the configured parameter whose corresponding function does not t...

  • Page 52

    1-4 interface ethernet1/0/16 # interface ethernet1/0/17 # interface ethernet1/0/18 # interface ethernet1/0/19 # interface ethernet1/0/20 # interface ethernet1/0/21 # interface ethernet1/0/22 # interface ethernet1/0/23 # interface ethernet1/0/24 # interface gigabitethernet1/0/25 # interface gigabitet...

  • Page 53

    1-5 interface ethernet1/0/9 interface ethernet1/0/10 interface ethernet1/0/11 interface ethernet1/0/12 interface ethernet1/0/13 interface ethernet1/0/14 interface ethernet1/0/15 interface ethernet1/0/16 interface ethernet1/0/17 interface ethernet1/0/18 interface ethernet1/0/19 interface ethernet1/0/...

  • Page 54

    1-6 examples # display the vlan configuration information of the current switch. Display current-configuration vlan # vlan 1 # vlan 5 to 69 # vlan 70 description vlan 70 # vlan 71 to 100 # return display saved-configuration syntax display saved-configuration [ unit unit-id ] [ by-linenum ] view any ...

  • Page 55

    1-7 # domain system # vlan 1 # interface vlan-interface1 ip address 192.168.0.39 255.255.255.0 #loccfg. Must not delete # interface aux1/0/0 # interface ethernet1/0/1 # interface ethernet1/0/2 # interface ethernet1/0/3 # interface ethernet1/0/4 # interface ethernet1/0/5 # interface ethernet1/0/6 # i...

  • Page 56

    1-8 # interface ethernet1/0/20 # interface ethernet1/0/21 # interface ethernet1/0/22 # interface ethernet1/0/23 # interface ethernet1/0/24 # interface gigabitethernet1/0/25 # interface gigabitethernet1/0/26 # interface gigabitethernet1/0/27 shutdown # interface gigabitethernet1/0/28 shutdown #topolo...

  • Page 57

    1-9 parameters unit unit-id : specifies the unit id of a switch. With this keyword-argument combination specified, this command can display the startup configuration file information of the specified unit. Description use the display startup command to display the startup configuration of a switch. ...

  • Page 58

    1-10 view any view parameters by-linenum : displays configuration information with line numbers. Description use the display this command to display the current configuration performed in the current view. To verify the configuration performed in a view, you can use this command to display the param...

  • Page 59

    1-11 view user view parameters backup : erases the backup configuration file. Main : erases the main configuration file. Description use the reset saved-configuration command to erase the configuration file saved in the flash of a switch. The following two situations exist: • while the reset saved-c...

  • Page 60

    1-12 view any view parameters cfgfile : path name or file name of a configuration file in the flash, a string of 5 to 56 characters. Safely : saves the current configuration in the safe mode. Backup : saves the configuration to the backup configuration file. Main : saves the configuration to the mai...

  • Page 61

    1-13 • it is recommended to adopt the fast saving mode in the conditions of stable power and adopt the safe mode in the conditions of unstable power or remote maintenance. • if you use the save command after a fabric is formed on the switch, the units in the fabric save their own startup configurati...

  • Page 62

    1-14 description use the startup saved-configuration command to specify a configuration file to be the main configuration file or the backup configuration file to be used for the next startup of the switch. Use the undo startup saved-configuration command to specify a switch to use null configuratio...

  • Page 63: Table of Contents

    I table of contents 1 vlan configuration commands 1-1 vlan configuration commands 1...

  • Page 64: Vlan Configuration Commands

    1-1 1 vlan configuration commands vlan configuration commands description syntax description text undo description view vlan view, vlan interface view parameter text : case sensitive character string to describe the current vlan or vlan interface. Special characters and spaces are allowed. It has: z...

  • Page 65

    1-2 parameter vlan -id: id of the specific vlan interface. Description use the display interface vlan-interface command to display the information about the vlan interface. Vlan interface is a virtual interface in layer 3 mode, used to realize the layer 3 communication between different vlans. Each ...

  • Page 66

    1-3 to : specifies multiple contiguous vlan ids. The vlan id after to cannot be less than that before to. All : displays the information about all the vlans. Dynamic : displays information about the dynamic vlans (which are registered through gvrp protocol). Static : displays information about the s...

  • Page 67

    1-4 field description name vlan name tagged ports ports through which packets are sent with vlan tag kept. Untagged ports port through which packets are sent with vlan tag stripped. Interface vlan-interface syntax interface vlan-interface vlan-id undo interface vlan-interface vlan-id view system vie...

  • Page 68

    1-5 undo name view vlan view parameter text : vlan name, in the range of 1 character to 32 characters. It can contain special characters and spaces. Parameter use the name command to assign a name to the current vlan. Use the undo name command to restore to the default vlan name. By default, the nam...

  • Page 69

    1-6 you can use the undo shutdown command to enable a vlan interface when its related parameters and protocols are configured. When a vlan interface fails, you can use the shutdown command to disable the interface, and then use the undo shutdown command to enable this interface again, which may rest...

  • Page 70

    1-7 example # enter vlan 1 view. System-view system view: return to user view with ctrl+z. [sysname] vlan 1 [sysname-vlan1] # remove vlan 5. System-view system view: return to user view with ctrl+z. [sysname] undo vlan 5 port-based vlan configuration commands display port syntax display port { hybri...

  • Page 71

    1-8 parameters interface-list : list of ethernet ports to be added to or removed from a vlan. Provide this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &, where: • interface-type is port type and interface-number is port number. ...

  • Page 72

    1-9 examples # assign gigabitethernet 1/0/1 to vlan 3. System-view system view: return to user view with ctrl+z. [sysname] vlan 3 [sysname-vlan3] quit [sysname] interface gigabitethernet 1/0/1 [sysname-gigabitethernet1/0/1] port access vlan 3 [sysname-gigabitethernet1/0/1] port hybrid pvid vlan synt...

  • Page 73

    1-10 undo port hybrid vlan vlan-id-list view ethernet port view parameters vlan-id-list : vlan range to which the hybrid port will be added. Vlan-id-list = [ vlan-id1 [ to vlan-id2 ] ]&, where, vlan-id is in the range of 1 to 4094 and can be discrete, and & means you can input up to ten vlan ids/id ...

  • Page 74

    1-11 description use the port link-type command to set the link type of the current ethernet port. Use the undo port link-type command to restore the default link type. By default, the link type of an ethernet port is access. The three types of ports can coexist on an ethernet switch. You can change...

  • Page 75

    1-12 please wait... Done. Port trunk pvid vlan syntax port trunk pvid vlan vlan-id undo port trunk pvid view ethernet port view parameters vlan-id : vlan id defined in ieee802.1q, in the range of 1 to 4094. It is 1 by default. Description use the port trunk pvid vlan command to set the default vlan ...

  • Page 76: Table of Contents

    I table of contents 1 ip address configuration commands 1-1 ip address configuration commands 1-1 di...

  • Page 77

    1-1 1 ip address configuration commands ip address configuration commands display ip host syntax display ip host view any view parameters none description use the display ip host command to display mappings between host names and ip addresses in the static dns database. Examples # display mappings b...

  • Page 78

    1-2 view any view parameters interface-type interface-number : specifies an interface by its type and number. Description use the display ip interface command to display information about a specified or all layer 3 interfaces. If no argument is specified, information about all layer 3 interfaces is ...

  • Page 79

    1-3 table 1-2 description on the fields of the display ip interface command field description current state current physical state of the interface, which can be • administrative down: indicates that the interface is administratively down; that is, the interface is shut down with the shutdown comman...

  • Page 80

    1-4 display ip interface brief syntax display ip interface brief [ interface-type [ interface-number ]] view any view parameters interface-type :interface type. Interface-number : interface number. Description use the display ip interface brief command to display brief information about a specified ...

  • Page 81

    1-5 field description physical physical state of the interface, which can be • *down: indicates that the interface is administratively down; that is, the interface is shut down with the shutdown command. • down: indicates that the interface is administratively up but its physical state is down, whic...

  • Page 82

    1-6 • a newly specified ip address overwrites the previous one if there is any. • the ip address of a vlan interface must not be on the same network segment as that of a loopback interface on a device. Related commands: display ip interface. Examples # assign the ip address 129.12.0.1 to vlan-interf...

  • Page 83: Commands

    2-1 2 ip performance optimization configuration commands ip performance optimization configuration commands display fib syntax display fib view any view parameters none description use the display fib command to display all forwarding information base (fib) information. Examples # display all fib in...

  • Page 84

    2-2 table 2-1 description on the fields of the display fib command field description flag flags: u: usable route. G: gateway route h: host route b: blackhole route d: dynamic route s: static route r: rejected route e: multi-path equal-cost route l: route generated by arp or esis destination/mask des...

  • Page 85

    2-3 description use the display fib ip-address command to view the fib entries matching the specified destination ip address. If no mask or mask length is specified, the fib entry that matches the destination ip address and has the longest mask will be displayed; if the mask is specified, the fib en...

  • Page 86

    2-4 system-view system view: return to user view with ctrl+z. [sysname] acl number 2001 [sysname-acl-basic-2001] rule permit source 211.71.75.0 0.0.0.255 [sysname-acl-basic-2001] display acl 2001 basic acl 2001, 1 rule acl's step is 1 rule 0 permit source 211.71.75.0 0.0.0.255 # display the fib entr...

  • Page 87

    2-5 display fib ip-prefix syntax display fib ip-prefix ip-prefix-name view any view parameters ip-prefix-name : ip prefix list name, in the range of 1 to 19 characters. Description use the display fib ip-prefix command to display the fib entries matching a specific ip prefix list. For details about ...

  • Page 88

    2-6 description use the display fib statistics command to display the total number of fib entries. Examples # display the total number of fib entries. Display fib statistics route entry count : 8 display icmp statistics syntax display icmp statistics view any view parameters none description use the...

  • Page 89

    2-7 field description destination unreachable number of received destination unreachable packets source quench number of received source quench packets redirects number of received redirection packets echo reply number of received replies parameter problem number of received parameter problem packet...

  • Page 90

    2-8 examples # display the tcp socket information. Display ip socket socktype 1 sock_stream: task = vtyd(18), socketid = 1, proto = 6, la = 0.0.0.0:23, fa = 0.0.0.0:0, sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, socket option = so_acceptconn so_keepalive so_sendvpnid so_setkeepalive, socket ...

  • Page 91

    2-9 display ip statistics syntax display ip statistics view any view parameters none description use the display ip statistics command to display the statistics about ip packets. Related commands: display ip interface, reset ip statistics. Examples # display the statistics about ip packets. Display ...

  • Page 92

    2-10 field description dropped total number of ip packets discarded no route total number of ip packets for which no route is available compress fails total number of ip packets failed to compress input total number of fragments received output total number of fragments sent dropped total number of ...

  • Page 93

    2-11 duplicate ack packets: 7, too much ack packets: 0 sent packets: total: 665 urgent packets: 0 control packets: 5 (including 1 rst) window probe packets: 0, window update packets: 2 data packets: 618 (8770 bytes) data packets retransmitted: 0 (0 bytes) ack-only packets: 40 (28 delayed) retransmit...

  • Page 94

    2-12 field description window probe packets number of window probe packets sent; in the brackets are resent packets window update packets number of window update packets sent data packets number of data packets sent data packets retransmitted number of data packets retransmitted ack-only packets: 40...

  • Page 95

    2-13 display tcp status *: tcp md5 connection tcpcb local add:port foreign add:port state 03e37dc4 0.0.0.0:4001 0.0.0.0:0 listening 04217174 100.0.0.204:23 100.0.0.253:65508 established table 2-6 description on the fields of the display tcp status command field description * if there is an asterisk ...

  • Page 96

    2-14 table 2-7 description on the fields of the display udp statistics command field description total total number of received udp packets checksum error total number of packets with incorrect checksum shorter than header number of packets with data shorter than header data length larger than packe...

  • Page 97

    2-15 icmp unreach send syntax icmp unreach send undo icmp unreach send view system view parameters none description use the icmp unreach send command to enable the device to send icmp destination unreachable packets. After enabled with this feature, the switch, upon receiving a packet with an unreac...

  • Page 98

    2-16 reset tcp statistics syntax reset tcp statistics view user view parameters none description use the reset tcp statistics command to clear the statistics about tcp packets. You can use the display tcp statistics command to view the current tcp packet statistics. Examples # clear the statistics a...

  • Page 99

    2-17 parameters time-value : tcp finwait timer, in seconds, with the value ranging from 76 to 3600. Description use the tcp timer fin-timeout command to configure the tcp finwait timer. Use the undo tcp timer fin-timeout command to restore the default value of the tcp finwait timer. By default, the ...

  • Page 100

    2-18 tcp window syntax tcp window window-size undo tcp window view system view parameters window-size : size of the send/receive buffer, in kilobytes (kb), in the range of 1 to 32. Description use the tcp window command to configure the size of the tcp send/receive buffer. Use the undo tcp window c...

  • Page 101: Table of Contents

    I table of contents 1 voice vlan configuration commands 1-1 voice vlan configuration commands 1-1 displ...

  • Page 102

    1-1 1 voice vlan configuration commands voice vlan configuration commands display voice vlan error-info syntax display voice vlan error-info view any view parameters none description use the display voice vlan error-info command to display the ports on which the voice vlan function fails to be enabl...

  • Page 103

    1-2 parameters none description use the display voice vlan oui command to display the organizationally unique identifier (oui) list used for identifying voice traffic. The output of the command displays the oui addresses, their masks, and descriptions. By default, there are five pre-defined oui addr...

  • Page 104

    1-3 port mode -------------------------------- ethernet1/0/2 auto ethernet1/0/3 manual table 1-1 description on the fields of the display voice vlan status command field description voice vlan status the status of global voice vlan function: enabled or disabled. Voice vlan id the vlan which is curre...

  • Page 105

    1-4 vlan type: static route interface: not configured description: vlan 0006 name: vlan 0006 tagged ports: ethernet1/0/5 untagged ports: ethernet1/0/6 the output indicates that ethernet 1/0/5 and ethernet 1/0/6 are in the voice vlan. Voice vlan syntax voice vlan vlan-id enable undo voice vlan enable...

  • Page 106

    1-5 examples # create vlan 2, and enable the voice vlan function on it. System-view system view: return to user view with ctrl+z. [sysname] vlan 2 [sysname-vlan2] quit [sysname] voice vlan 2 enable # after the voice vlan function of vlan 2 is enabled, if you enable the voice vlan function for other ...

  • Page 107

    1-6 recommended to set a small voice vlan aging timer in a network with only a few voice applications. Related commands: display voice vlan status. Examples # set the aging time of the voice vlan to 100 minutes. System-view system view: return to user view with ctrl+z. [sysname] voice vlan aging 100...

  • Page 108

    1-7 parameters none description use the voice vlan legacy command to realize the communication between 3com device and other vendors' voice device by automatically adding the voice vlan tag to the voice data coming from other vendors' voice device. Use the undo voice vlan legacy command to disable t...

  • Page 109

    1-8 table 1-2 default oui addresses of a switch number oui address vendor 1 0003-6b00-0000 cisco phone 2 000f-e200-0000 h3c aolynk phone 3 00d0-1e00-0000 pingtel phone 4 00e0-7500-0000 polycom phone 5 00e0-bb00-0000 3com phone related commands: display voice vlan oui. Examples # add mac address 00aa...

  • Page 110

    1-9 examples # configure the voice vlan assignment mode on ethernet1/0/2 to manual. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/2 [sysname-ethernet1/0/2] undo voice vlan mode auto voice vlan security enable syntax voice vlan security enable undo voice v...

  • Page 111: Table of Contents

    I table of contents 1 port basic configuration commands 1-1 port basic configuration commands 1-1 ...

  • Page 113

    1-2 the global broadcast suppression setting configured by the broadcast-suppression command in system view takes effect on all ethernet ports in the system except for the reflection ports, stack ports and ports having their own broadcast suppression settings. If you configure broadcast-suppression ...

  • Page 114

    1-3 - if you specify a source aggregation group id, the system uses the port with the smallest port number in the aggregation group as the source. - If you specify a destination aggregation group id, the configuration of the source port will be copied to all ports in the aggregation group and all po...

  • Page 115

    1-4 - any aggregation group port you input in the destination port list will be removed from the list and the copy command will not take effect on the port. If you want an aggregation group port to have the same configuration with the source port, you can specify the aggregation group of the port as...

  • Page 117

    1-6 table 1-2 description on the fields of the display brief interface command field description interface port type link current link state: up, down or administratively down speed link rate duplex duplex attribute type link type: access, hybrid or trunk pvid default vlan id description port descri...

  • Page 118

    1-7 - if you specify only port type, the command displays information about all ports of the specified type. - If you specify both port type and port number, the command displays information about the specified port. Examples # display the configuration information of ethernet 1/0/1. Display interfa...

  • Page 119

    1-8 field description media type media type port hardware type port hardware type 100mbps-speed mode, full-duplex mode current speed mode and duplex mode link speed type is force link, link duplex type is force link link speed and duplex status ( force or auto-negotiation) flow-control is enabled st...

  • Page 120

    1-9 field description - throttles the number of throttles that occurred on the port (a throttle occurs when a port is shut down due to buffer or memory overload.) crc the number of crc error frames received in correct length frame the number of incoming crc error frames with non-integer number of by...

  • Page 121

    1-10 field description collisions the number of detected collisions (transmission of a frame will be aborted upon detection of a collision.) late collisions the number of detected late collisions (a late collision occurs if the transmission of a frame defers due to detection of collision after its f...

  • Page 122

    1-11 view any view parameters none description use the display loopback-detection command to display the loopback detection status on the port. If loopback detection is enabled, this information will also be displayed: time interval for loopback detection and the loopback ports. Examples # display t...

  • Page 123

    1-12 display port combo combo-group active inactive 1 gigabitethernet1/0/25 gigabitethernet1/0/27 2 gigabitethernet1/0/26 gigabitethernet1/0/28 table 1-6 display port combo command output description field description combo-group combo ports of the device, represented by combo port number, which is ...

  • Page 124

    1-13 multicast max-ratio: 100% allow jumbo frame to pass pvid: 1 mdi type: auto port link-type: access tagged vlan id : none untagged vlan id : 1 last 300 seconds input: 0 packets/sec 0 bytes/sec last 300 seconds output: 0 packets/sec 0 bytes/sec input(total): 0 packets, 0 bytes 0 broadcasts, 0 mult...

  • Page 125

    1-14 description use the duplex command to set the duplex mode of the current port. Use the undo duplex command to restore the default duplex mode, that is, auto-negotiation. By default, the port is in auto-negotiation mode. Related commands: speed. Examples # set the ethernet 1/0/1 port to auto-neg...

  • Page 126

    1-15 flow interval syntax flow-interval interval undo flow-interval view ethernet port view parameters interval : interval (in seconds) to perform statistics on port information. This argument ranges from 5 to 300 (in step of 5) and is 300 by default. Description use the flow-interval command to set...

  • Page 127

    1-16 description use the giant-frame statistics enable command to enable the giant-frame statistics function. Use the undo giant-frame statistics enable command to disable the giant-frame statistics function. By default, the giant-frame statistics function is not enabled. After enabling the giant-fr...

  • Page 128

    1-17 system-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] jumboframe enable syntax jumboframe enable undo jumboframe enable view ethernet port view parameters none description use the jumboframe enable command to set the maximum frame s...

  • Page 129

    1-18 by default, the port state change delay is 0 seconds, that is, the port state changes without any delay. During a short period after you connect your switch to another device, the connecting port may go up and down frequently due to hardware compatibility, resulting in service interruption. To ...

  • Page 130

    1-19 description use the loopback command to perform a loopback test on the current ethernet port to check whether the ethernet port works normally. The loopback test terminates automatically after running for a specific period. By default, no loopback test is performed on the ethernet port. Example...

  • Page 131

    1-20 system-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] port link-type trunk [sysname-ethernet1/0/1] loopback-detection control enable loopback-detection enable syntax loopback-detection enable undo loopback-detection enable view syst...

  • Page 132

    1-21 loopback-detection interval-time syntax loopback-detection interval-time time undo loopback-detection interval-time view system view parameters time : time interval for loopback detection, in the range of 5 to 300 (in seconds). It is 30 seconds by default. Description use the loopback-detection...

  • Page 134

    1-23 undo multicast-suppression view ethernet port view parameters ratio : maximum ratio of the multicast traffic allowed on the port to the total transmission capacity of the port. This argument ranges from 1 to 100 (in step of 1) and defaults to 100. The smaller the ratio, the less multicast traff...

  • Page 135

    1-24 description use the reset counters interface command to clear the statistics of the port, preparing for a new statistics collection. If you specify neither port type nor port number, the command clears statistics of all ports. If you specify only port type, the command clears statistics of all port...

  • Page 136

    1-25 %apr 13 23:13:54:057 2000 sysname ifnet/5/updown:- 1 -line protocol on the interface vlan-interface3 is down # enable ethernet 1/0/1. [sysname-ethernet1/0/1] undo shutdown #apr 13 23:14:54:454 2000 sysname l2inf/2/port link status change:- 1 - trap 1.3.6.1.6.3.1.1.5.4(linkup): portindex is 4227...

  • Page 138

    1-27 description use the unicast-suppression command to limit the unknown unicast traffic allowed to be received on the current port. Use the undo broadcast-suppression command to restore the default unknown unicast suppression setting on the port. When incoming unknown unicast traffic exceeds the u...

  • Page 139

    1-28 - if the cable is in normal state, the displayed length value is the total length of the cable. - If the cable is in any other state, the displayed length value is the length from the port to the faulty point. - Pair impedance mismatch - pair skew - pair swap - pair polarity - insertion loss - ...

  • Page 140: Table of Contents

    I table of contents 1 link aggregation configuration commands 1-1 link aggregation configuration commands 1-1 display li...

  • Page 141

    1-1 1 link aggregation configuration commands link aggregation configuration commands display link-aggregation interface syntax display link-aggregation interface interface-type interface-number [ to interface-type interface-number ] view any view parameters interface-type : port type. Interface-num...

  • Page 142

    1-2 table 1-1 description on the fields of the display link-aggregation interface command field description selected aggid id of the aggregation group to which the specified port belongs local information about the local end port-priority port priority oper key operation key flag protocol status fla...

  • Page 143

    1-3 -------------------------------------------------------------------------- 1 s 0x8000,0000-0000-0000 0 1 nons ethernet1/0/2 2 m none 0 1 nons ethernet1/0/3 table 1-2 description on the fields of the display link-aggregation summary command field description aggregation group type aggregation gro...

  • Page 144

    1-4 examples # display the details about aggregation group 1. Display link-aggregation verbose 1 loadsharing type: shar -- loadsharing, nons -- non-loadsharing flags: a -- lacp_activity, b -- lacp_timeout, c -- aggregation, d -- synchronization, e -- collecting, f -- distributing, g -- defaulted, h ...

  • Page 145

    1-5 parameters none description use the display lacp system-id command to display the device id of the local system, including the system priority and the mac address. Examples # display the device id of the local system. Display lacp system-id actor system id: 0x8000, 000f-e20f-0100 the value of th...

  • Page 146

    1-6 parameters port-priority : port priority, ranging from 0 to 65,535. Description use the lacp port-priority command to set the priority of the current port. Use the undo lacp port-priority command to restore the default port priority. By default, the port priority is 32,768. You can use the displ...

  • Page 147

    1-7 undo link-aggregation group agg-id description view system view parameters agg-id : aggregation group id, in the range of 1 to 416. Agg-name : aggregation group name, a string of 1 to 32 characters. Description use the link-aggregation groupdescription command to set a description for an aggrega...

  • Page 148

    1-8 description use the link-aggregation group mode command to create a manual or static aggregation group. Use the undo link-aggregation group command to remove the specified aggregation group. Related commands: display link-aggregation summary. Examples # create manual aggregation group 22 system-...

  • Page 149

    1-9 reset lacp statistics syntax reset lacp statistics [ interface interface-type interface-number [ to interface-type interface-number ] ] view user view parameters interface-type : port type interface-number : port number to : specifies a port index range, with the two interface-type interface-num...

  • Page 150: Table of Contents

    I table of contents 1 port isolation configuration commands 1-1 port isolation configuration commands 1-1 d...

  • Page 151

    1-1 1 port isolation configuration commands port isolation configuration commands display isolate port syntax display isolate port view any view parameters none description use the display isolate port command to display the ethernet ports assigned to the isolation group. Examples # display the ethe...

  • Page 152

    1-2 - assigning or removing an aggregation member port to or from the isolation group can cause the other ports in the aggregation group to join or leave the isolation group. - For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation grou...

  • Page 153: Table of Contents

    I table of contents 1 port security commands 1-1 port security commands ...

  • Page 154: Port Security Commands

    1-1 1 port security commands port security commands display mac-address security syntax display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] view any view parameters interface interface-type interface-number: specify a port by its type and number, of ...

  • Page 155

    1-2 mac addr vlan id state port index aging time(s) 0000-0000-0001 1 security ethernet1/0/20 noaged 0000-0000-0002 1 security ethernet1/0/20 noaged 0000-0000-0003 1 security ethernet1/0/20 noaged 0000-0000-0004 1 security ethernet1/0/20 noaged --- 4 mac address(es) found on port ethernet1/0/20 --- #...

  • Page 156

    1-3 individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1. The total number of individual ports and port ranges de...

  • Page 157

    1-4 port mode is autolearn needtoknow mode is disabled intrusion mode is no action max mac-address num is not configured stored mac-address num is 0 authorization is ignore ethernet1/0/3 is link-down port mode is autolearn needtoknow mode is disabled intrusion mode is blockmacaddress max mac-address...

  • Page 158

    1-5 field description authorization is ignore authorization information delivered by the remote authentication dial-in user service (radius) server will not be applied to the port. Mac-address security syntax in system view: mac-address security mac-address interface interface-type interface-number ...

  • Page 159

    1-6 examples # enable port security; configure the port security mode of ethernet 1/0/1 as autolearn and create a security mac address entry for 0001-0001-0001, setting the associated port to ethernet 1/0/1 and assigning the mac address to vlan 1. System-view system view: return to user view with ct...

  • Page 160

    1-7 after a radius user passes authentication, the radius server authorizes the attributes configured for the user account such as the dynamic vlan configuration. For more information, refer to aaa command. Examples # configure ethernet 1/0/2 to ignore the authorization information delivered by the...

  • Page 161

    1-8 examples # enable port security. System-view system view: return to user view with ctrl+z. [sysname] port-security enable notice: the port-control of 802.1x will be restricted to auto when port-security is enabled. Please wait... Done. Port-security intrusion-mode syntax port-security intrusion-...

  • Page 162

    1-9 after executing the port-security intrusion-mode blockmac command, you can only use the display port-security command to view blocked mac addresses. Related commands: display port-security, port-security timer disableport. Examples # configure the intrusion protection mode on ethernet 1/0/1 as b...

  • Page 163

    1-10 # configure the intrusion protection mode on ethernet 1/0/1 as disableport. As a result, when intrusion protection is triggered, the port will be disconnected permanently. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] port-s...

  • Page 164

    1-11 - the port-security max-mac-count command is irrelevant to the maximum number of mac addresses that can be learned on a port configured in mac address management. - When there are online users on a port, you cannot perform the port-security max-mac-count command on the port. Examples # set the ...

  • Page 165

    1-12 by checking the destination mac addresses of the data frames to be sent from a port, the ntk feature ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data. Examples # set the ntk feature to ntk-w...

  • Page 166

    1-13 by default, no oui value is set for authentication. - The oui value set by this command takes effect only when the security mode of the port is set to userloginwithoui by the port-security port-mode command. - The oui value set by this command cannot be a multicast mac address. Related commands...

  • Page 167

    1-14 keyword security mode description mac-and-userlogin-secure macaddressanduserloginsecure in this mode, users trying to access the network through the port must first pass mac address authentication and then 802.1x authentication. In this mode, only one user can access the network through the p...

  • Page 168

    1-15 keyword security mode description userlogin-secure-ext userloginsecureext this mode is similar to the userloginsecure mode, except that in this mode, there can be more than one 802.1x-authenticated user on the port. Userlogin-secure-or-mac macaddressoruserloginsecure mac address authenticatio...

  • Page 169

    1-16 - before setting the security mode to autolearn, you need to use the port-security max-mac-count command to configure the maximum number of mac addresses allowed on the port. - When a port operates in the autolearn mode, you cannot change the maximum number of mac addresses allowed on the port....

  • Page 170

    1-17 the port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled. Related commands: port-security intrusion-mode. Examples # set the intrusion protection mode...

  • Page 171

    1-18 radius authenticated login using mac-address (ralm) refers to mac-based radius authentication. Description use the port-security trap command to enable the sending of specified type(s) of trap messages. Use the undo port-security trap command to disable the sending of specified type(s) of trap ...

  • Page 172

    1-19 for description of the output information, refer to table 1-2.

  • Page 173: Table of Contents

    I table of contents 1 dldp configuration commands 1-1 dldp configuration commands 1...

  • Page 175

    1-2 table 1-1 description on the fields of the display dldp command field description dldp interval interval for sending dldp advertisement packets (in seconds) dldp work-mode dldp work mode (enhance or normal) dldp authentication-mode dldp authentication mode (none, simple, or md5) password passwor...

  • Page 176

    1-3 when you use the dldp enable/dldp disable command in system view to enable/disable dldp on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently. Examples # enable dldp on all optical ports of the switch. System-view sy...

  • Page 177

    1-4 when you configure a dldp authentication mode and authentication password on a port, make sure that the same dldp authentication mode and password are set on the ports connected with a fiber cable or copper twisted pair. Otherwise, dldp authentication fails. Dldp cannot work before dldp authenti...

  • Page 178

    1-5 unidirectional links. On the contrary, if too short an interval is set, network traffic increases, unnecessarily consuming port bandwidth. Examples # set the interval between sending advertisement packets to 6 seconds for all dldp-enabled ports in the advertisement state. System-view system view...

  • Page 179

    1-6 parameters auto : disables automatically the corresponding port when dldp detects an unidirectional link or finds in the enhanced mode that the peer port is down. Manual : generates log and traps and prompts the user to disable manually the corresponding port when dldp detects an unidirectional ...

  • Page 180

    1-7 - when dldp works in normal mode, the system can identify only the unidirectional link caused by fiber cross-connection. - When the dldp protocol works in enhanced mode, the system can identify two types of unidirectional links: one is caused by fiber cross-connection and the other is caused by ...

  • Page 181

    1-8 examples # set the delaydown timer to 5 seconds. System-view system view: return to user view with ctrl+z. [sysname] dldp delaydown-timer 5.

  • Page 182: Table of Contents

    I table of contents 1 mac address table management configuration commands 1-1 mac address table management configuration commands 1-1 display mac-address aging-time ...

  • Page 183: Commands

    1-1 1 mac address table management configuration commands this chapter describes the management of static, dynamic, and blackhole mac address entries. For information about the management of multicast mac address entries, refer to the "multicast protocol" part of the manual. Mac address table manage...

  • Page 185

    1-3 000d-88f6-44ba 1 learned gigabitethernet1/0/4 aging 000d-88f7-9f7d 1 learned gigabitethernet1/0/4 aging 000d-88f7-b094 1 learned gigabitethernet1/0/4 aging 000f-e200-00cc 1 learned gigabitethernet1/0/4 aging 000f-e200-2201 1 learned gigabitethernet1/0/4 aging 000f-e207-f2e0 1 learned gigabitethe...

  • Page 186

    1-4 dynamic : specifies a dynamic mac address entry. Blackhole : specifies a blackhole mac address entry. Mac -address: specifies a mac address, in the form of h-h-h. When entering the mac address, you can omit the leading 0s in each segment. For example, you can input f-e2-1 for 000f-00e2-0001. Int...

  • Page 187

    1-5 system view: return to user view with ctrl+z. [sysname] mac-address static 000f-e20f-0101 interface gigabitethernet 1/0/1 vlan 2 mac-address aging destination-hit enable syntax mac-address aging destination-hit enable undo mac-address aging destination-hit enable view system view parameters none...

  • Page 188

    1-6 use the undo mac-address max-mac-count command to cancel the limitation on the number of mac addresses an ethernet port can learn. By default, the number of mac addresses an ethernet port can learn is unlimited. When you use the mac-address max-mac-count command, the port stops learning mac addr...

  • Page 189

    1-7 - if the aging timer is set too long, mac address entries may still exist even if they turn invalid. This causes the switch to be unable to update its mac address table in time. In this case, the mac address table cannot reflect the position changes of network devices in time. Examples # set the...

  • Page 190: Table of Contents

    I table of contents 1 auto detect configuration commands 1-1 auto detect configuration commands 1-1 de...

  • Page 191

    1-1 1 auto detect configuration commands auto detect configuration commands - refer to the routing protocol part of the manual for information about static routing. - Refer to the vrrp part of the manual for information about vrrp. Detect-group syntax detect-group group-number undo detect-group grou...

  • Page 192

    1-2 [sysname-detect-group-10] detect-list syntax detect-list list-number ip address ip-address [nexthop ip-address ] undo detect-list list-number view detected group view parameters list-number : sequence number of the ip address to be detected. This argument ranges from 1 to 10. Ip address ip-addre...

  • Page 193

    1-3 display detect-group syntax display detect-group [ group-number ] view any view parameters group-number : detected group number ranging from 1 to 25. Description use the display detect-group command to display the configuration of the specified detected group or all detected groups. Examples # d...

  • Page 195

    1-5 system-view system view: return to user view with ctrl+z. [sysname] ip route-static 192.168.1.5 24 192.168.0.2 detect-group 10 after the configuration, if detected group 10 is reachable, the static route is valid; if detected group 10 is unreachable, the static route is invalid. Option syntax op...

  • Page 196

    1-6 retry syntax retry retry-times undo retry view detected group view parameters retry-times : maximum retry times during a detect operation. This argument ranges from 0 to 10 and defaults to 2. Description use the retry command to set the maximum retry times during a detect operation. Use the undo...

  • Page 197

    1-7 use the undo standby detect-group command to disable the interface backup function. Examples # specify to enable vlan-interface 2 (the backup interface) when the detected group 10 is unreachable. System-view system view: return to user view with ctrl+z. [sysname] interface vlan-interface 2 [sys...

  • Page 198

    1-8 undo timer wait view detected group view parameters seconds : timeout waiting for an icmp reply. This argument ranges from 1 to 30 (in seconds) and defaults to 2. Description use the timer wait command to set a timeout waiting for an icmp reply. Use the undo timer wait command to restore the def...

  • Page 199: Table of Contents

    I table of contents 1 mstp configuration commands 1-1 mstp configuration commands 1...

  • Page 200

    Ii vlan-mapping modulo 1-44.

  • Page 201: Mstp Configuration Commands

    1-1 1 mstp configuration commands mstp configuration commands active region-configuration syntax active region-configuration view mst region view parameters none description use the active region-configuration command to activate the settings of a multiple spanning tree (mst) region. Configuring mst...

  • Page 202

    1-2 parameters none description use the check region-configuration command to display the mst region-related configuration which is being modified currently, including region name, revision level, and vlan-to-instance mapping table. As specified in the mstp protocol, the configurations of mst region...

  • Page 204

    1-4 4) msti port parameters: port state, role, priority, path cost, designated bridge, designated port, remaining hops, and the number of vlans mapped to the current msti. The statistical information includes: the numbers of the tcn bpdus, the configuration bpdus, the rst bpdus, and the mst bpdus tr...

  • Page 205

    1-5 bpdu-protection :disabled tc-protection :enabled / threshold=6 bridge config digest snooping :disabled tc or tcn received :0 time since last tc :0 days 1h:33m:54s ----[port2(ethernet1/0/2)][down]---- port protocol :enabled port role :cist disabled port port priority :128 port cost(legacy) :confi...

  • Page 206

    1-6 field description port protocol indicates whether stp is enabled on the port port role port role, which can be alternate, backup, root, designated, master, or disabled port priority port priority port cost(legacy) path cost of the port. The field in the bracket indicates the standard used for po...

  • Page 207

    1-7 parameters none description use the display stp abnormalport command to display the ports that are blocked by stp guard functions. Examples # display the ports that are blocked by stp guard functions. Display stp abnormalport mstid port block reason --------- -------------------- ------------- 0...

  • Page 208

    1-8 ethernet1/0/20 bpdu-protection table 1-5 description on the fields of the display stp portdown command field description port port that has been shut down down reason reason that caused the port to be blocked. Bpdu-protected: bpdu attack guard function; formatfrequency-protected: mstp bpdu fo...

  • Page 209

    1-9 field description revision level revision level of the mst region, which can be configured using the revision-level command and defaults to 0. Instance vlans mapped vlan-to-instance mappings in the mst region display stp root syntax display stp root view any view parameters none description use ...

  • Page 210

    1-10 instance syntax instance instance-id vlan vlan-list undo instance instance-id[ vlan vlan-list ] view mst region view parameters instance-id : id of an msti ranging from 0 to 16. The value of 0 refers to the cist. Vlan-list : list of vlans. You need to provide this argument in the form of vlan-l...

  • Page 211

    1-11 parameters name : mst region name to be set for the switch, a string of 1 to 32 characters. Description use the region-name command to set an mst region name for a switch. Use the undo region-name command to restore the mst region name to the default value. The default mst region name of a swit...

  • Page 212

    1-12 examples # clear the spanning tree statistics on ethernet 1/0/1 through ethernet 1/0/3. Reset stp interface ethernet 1/0/1 to ethernet 1/0/3 revision-level syntax revision-level level undo revision-level view mst region view parameters level : mstp revision level to be set for the switch. This ...

  • Page 213

    1-13 parameters enable : enables mstp. Disable : disables mstp. Interface-list : ethernet port list. You can specify multiple ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &, where & means that you...

  • Page 214

    1-14 # disable mstp on ethernet 1/0/1 to ethernet 1/0/4 in system view. System-view system view: return to user view with ctrl+z. [sysname] stp interface ethernet 1/0/1 to ethernet 1/0/4 disable stp bpdu-protection syntax stp bpdu-protection undo stp bpdu-protection view system view parameters none ...

  • Page 215

    1-15 examples # enable the bpdu guard function. System-view system view: return to user view with ctrl+z. [sysname] stp bpdu-protection stp bridge-diameter syntax stp bridge-diameter bridgenum undo stp bridge-diameter view system view parameters bridgenum : network diameter to be set for a switched ...

  • Page 217

    1-17 # configure ethernet 1/0/2 to ethernet 1/0/4 to recognize and send mstp bpdus in dot1s format. System-view [sysname] stp interface ethernet 1/0/2 to ethernet1/0/4 compliance dot1s stp config-digest-snooping syntax system view, ethernet port view: stp config-digest-snooping undo stp config-d...

  • Page 218

    1-18 as some other manufacturers' switches adopt proprietary spanning tree protocols, they cannot interwork with other switches in an mst region even if they are configured with the same mst region-related settings as other switches in the mst region. This kind of problem can be overcome by implemen...

  • Page 219

    1-19 # enable the digest snooping feature on ethernet 1/0/2 to ethernet 1/0/4. System-view [sysname] stp interface ethernet 1/0/2 to ethernet1/0/4 config-digest-snooping [sysname] stp config-digest-snooping stp cost syntax ethernet port view: stp [ instance instance-id ] cost cost undo stp [ insta...

  • Page 220

    1-20 if you specify the instance-id argument to be 0 or do not specify this argument, the stp cost command sets the path cost of the port in cist. Changing the path cost of a port in an msti may change the role of the port in the instance and put it in state transition. Ports with different ra...

  • Page 221

    1-21 the switch becomes the root bridge of an msti. Network topology changes are detected. Examples # enable a switch to send trap messages conforming to 802.1d standard to the network management device when the switch becomes the root bridge of msti 1. System-view system view: return to user vi...

  • Page 222

    1-22 recommended to configure the ethernet ports directly connected to user terminals as edge ports to enable them to turn to the forwarding state rapidly. Normally, configuration bpdus cannot reach an edge port because the port is not connected to another switch. But when the bpdu guard function is...

  • Page 223

    1-23 parameters interface-list : ethernet port list. You can specify multiple ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &, where & means that you can provide up to 10 port indexes/port index ra...

  • Page 224

    1-24 # enable the loop guard function on ethernet 1/0/2 to ethernet 1/0/4 in system view. System-view system view: return to user view with ctrl+z. [sysname] stp interface ethernet 1/0/2 to ethernet 1/0/4 loop-protection stp max-hops syntax stp max-hops hops undo stp max-hops view system view parame...

  • Page 225

    1-25 stp mcheck system view: stp [ interface interface-list] mcheck view system view, ethernet port view parameters interface-list : ethernet port list. You can specify multiple ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interfa...

  • Page 227

    1-27 undo stp interface interface-type interface-number no-agreement-check view system view, ethernet port view parameters interface-type : port type. Interface-number : port number. Description use the stp no-agreement-check command to enable the rapid transition feature on the current port in et...

  • Page 229

    1-29 link speed operating mode (half-/full-duplex) 802.1d-1998 ieee 802.1t 10 gbps full-duplex aggregated link 2 ports aggregated link 3 ports aggregated link 4 ports 2 1 1 1 200,000 1,000 666 500 normally, when a port operates in full-duplex mode, the corresponding path cost is slightly less than t...

  • Page 230

    1-30 interface-list : ethernet port list. You can specify multiple ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &, where & means that you can provide up to 10 port indexes/port index ranges for th...

  • Page 231

    1-31 stp port priority syntax ethernet port view: stp [ instance instance-id ] port priority priority undo stp [ instance instance-id ] port priority; system view: stp interface interface-list instance instance-id port priority priority undo stp interface interface-list instance instance-id port ...

  • Page 232

    1-32 system view: return to user view with ctrl+z. [sysname] stp interface ethernet 1/0/1 instance 2 port priority 16 # set the port priority of ethernet 1/0/2 to ethernet 1/0/4 in msti 2 to 16 in system view. System-view system view: return to user view with ctrl+z. [sysname] stp interface ethernet...

  • Page 233

    1-33 description use the stp portlog all command to enable log and trap message output for the ports of all instances. Use the undo stp portlog all command to disable this function. By default, log and trap message output is disabled on the ports of all instances. Examples # enable log and trap mess...

  • Page 234

    1-34 undo stp region-configuration view system view parameters none description use the stp region-configuration command to enter mst region view. Use the undo stp region-configuration command to restore the mst region-related settings to the default. Mst region-related parameters include: region na...

  • Page 235

    1-35 bridgenum : network diameter of the specified spanning tree. This argument ranges from 2 to 7 and defaults to 7. Centi-seconds : hello time in centiseconds of the specified spanning tree. This argument ranges from 100 to 1,000 and defaults to 200. Description use the stp root primary command to...

  • Page 236

    1-36 parameters instance-id : msti id ranging from 0 to 16. The value of 0 refers to the cist. Bridgenum : network diameter of the specified spanning tree. This argument ranges from 2 to 7 and defaults to 7. Centi-seconds : hello time in centiseconds of the specified spanning tree. This argument ran...

  • Page 237

    1-37 parameters interface-list : ethernet port list. You can specify multiple ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &, where & means that you can provide up to 10 port indexes/port index ra...

  • Page 238

    1-38 system-view system view: return to user view with ctrl+z. [sysname] stp interface ethernet 1/0/2 to ethernet 1/0/4 root-protection stp tc-protection syntax stp tc-protection enable stp tc-protection disable view system view parameters none description use the stp tc-protection enable command to...

  • Page 239

    1-39 parameters number : maximum number of times that a switch can remove the mac address table and arp entries within each 10 seconds, in the range of 1 to 255. Description use the stp tc-protection threshold command to set the maximum number of times that a switch can remove the mac address table ...

  • Page 240

    1-40 description use the stp timer forward-delay command to set the forward delay of the switch. Use the undo stp timer forward-delay command to restore the forward delay to the default value. By default, the forward delay of the switch is 1,500 centiseconds. To prevent the occurrence of temporary l...

  • Page 241

    1-41 bpdus at the interval specified by the hello time you have configured on it. The other non-root-bridge switches adopt the interval specified by the hello time. As for the configuration of the three time-related parameters (namely, the hello time, forward delay, and max age parameters), the fol...

  • Page 242

    1-42 you are recommended to specify the network diameter of the switched network and the hello time parameter by using the stp root primary or stp root secondary command. After that, the three proper time-related parameters are automatically determined by mstp. Related commands: stp timer forward-de...

  • Page 243

    1-43 stp transmit-limit syntax ethernet port view: stp transmit-limit packetnum undo stp transmit-limit; system view: stp interface interface-list transmit-limit packetnum undo stp interface interface-list transmit-limit view system view, ethernet port view parameters packetnum : maximum number of...

  • Page 244

    1-44 [sysname] stp interface ethernet 1/0/1 transmit-limit 15 # set the maximum number of configuration bpdus that can be transmitted through ethernet 1/0/2, ethernet 1/0/3 and ethernet 1/0/4 in each hello time to 15 in system view. System-view system view: return to user view with ctrl+z. [sysname]...

  • Page 245

    1-45 [sysname] stp region-configuration [sysname-mst-region] vlan-mapping modulo 16.

  • Page 246: Table of Contents

    I table of contents 1 ip routing table commands 1-1 ip routing table commands...

  • Page 247

    Ii traffic-share-across-interface 3-20 4 ip routing policy configuration commands 4-1 ip routing policy con...

  • Page 249

    1-2 examples # display the summary of the current routing table. Display ip routing-table routing table: public net destination/mask protocol pre cost nexthop interface 1.1.1.0/24 direct 0 0 1.1.1.1 vlan-interface1 1.1.1.1/32 direct 0 0 127.0.0.1 inloopback0 2.2.2.0/24 direct 0 0 2.2.2.1 vlan-interf...

  • Page 250

    1-3 field description protocol routing protocol pre route preference cost route cost nexthop next hop address interface output interface, through which the data packets destined for the destination network segment are sent display ip routing-table acl syntax display ip routing-table acl acl-number [...

  • Page 251

    1-4 display ip routing-table acl 2100 verbose routes matched by access-list 2100: + = active route, - = last active, # = both * = next hop in use summary count: 3 **destination: 192.168.1.0 mask: 255.255.255.0 protocol: #direct preference: 0 *nexthop: 192.168.1.2 interface: 192.168.1.2(vlan-interfac...

  • Page 252

    1-5 field description description of route state: activeu an active unicast route, where "u" represents unicast. Blackhole a blackhole route is similar to a reject route, but no icmp unreachable message is sent to the source. Delete a route is to be deleted. Gateway an indirect route. Hidden an exis...

  • Page 253

    1-6 parameters ip-address :destination ip address, in dotted decimal notation. Mask: subnet mask, in dotted decimal notation. Mask-length : length of a subnet mask, in the range of 0 to 32. Longer-match : specifies all the routes that lead to the destination address and match the specified mask. If ...

  • Page 255

    1-8 verbose : with this keyword specified, detailed information of routes in the active or inactive state that match the ip prefix list is displayed. With this keyword not specified, brief information of only the routes in the active state that match the prefix list is displayed. Description use the...

  • Page 256

    1-9 parameters protocol : you can provide one of the following values for this argument. direct : displays direct-connect route information. rip : displays rip route information. static : displays static route information. Inactive : with this argument provided, this command displays the inactiv...

  • Page 258

    1-11 table 1-4 description on the fields of the display ip routing-table statistics command field description proto routing protocol type route total number of routes active number of active routes added number of routes added after the router is rebooted or the routing table is cleared last time. D...

  • Page 259

    1-12 protocol: #direct preference: 0 *nexthop: 2.2.2.1 interface: 2.2.2.1(vlan-interface2) state: age: 20:08:05 cost: 0/0 for descriptions of route states, see table 1-2 . Table 1-5 lists the statistics of the routing table. Table 1-5 description on the fields of the display ip routing-table verbose...

  • Page 260

    1-13 routing tables: proto route active added deleted direct 4 4 0 0 static 0 0 0 0 rip 0 0 0 0 total 4 4 0 0 the above information shows that the routing statistics in the ip routing table is cleared.

  • Page 261

    2-1 2 static route configuration commands the term router in this chapter refers to a router in a generic sense or an ethernet switch running a routing protocol. Static route configuration commands delete static-routes all syntax delete static-routes all view system view parameters none description ...

  • Page 263

    2-3 by default, the system can obtain the subnet route directly connected to the router. When you configure a static route, if no preference is specified for the route, the preference defaults to 60, and if the route is not specified as reject or blackhole, the route will be reachable by default. Wh...

  • Page 264: Rip Configuration Commands

    3-1 3 rip configuration commands the term router in this chapter refers to a router in a generic sense or an ethernet switch running a routing protocol. Rip configuration commands checkzero syntax checkzero undo checkzero view rip view parameters none description use the checkzero command to enable ...

  • Page 265

    3-2 default cost syntax default cost value undo default cost view rip view parameters value : default cost, in the range of 1 to 16. Description use the default cost command to set the default cost for redistributed routes. Use the undo default cost command to restore the default. By default, the de...

  • Page 266

    3-3 display rip rip is running checkzero is on default cost : 1 summary is on preference : 100 traffic-share-across-interface is off period update timer : 30 timeout timer : 180 garbage-collection timer : 120 no peer router network : 202.38.168.0 table 3-1 description on the fields of the display ri...

  • Page 267

    3-4 display rip interface syntax display rip interface view any view parameters none description use the display rip interface command to display rip interface information. Examples # display rip interface information. Display rip interface rip interface: public net address interface ver metrin/out ...

  • Page 268

    3-5 view any view parameters none description use the display rip routing command to display rip routing information. Examples # display the information of the rip routing table. Display rip routing rip routing table: public net a = active i = inactive g = garbage collection c = change t = trigger r...

  • Page 269

    3-6 view rip view parameters acl-number : number of the basic or advanced acl used to filter routing information by destination address, in the range of 2000 to 3999. Ip-prefix-name : name of the address ip-prefix list used to filter routing information by destination address, a string of 1 to 19 ch...

  • Page 270

    3-7 parameters acl-number: number of the acl used to filter routing information by destination address, in the range of 2000 to 3999. Ip-prefix-name : name of the address prefix list used to filter routing information by destination address, a string of 1 to 19 characters. Gateway ip-prefix-name: na...

  • Page 271

    3-8 by default, rip is enabled to receive host routes. In some special cases, rip receives a great number of host routes from the same network segment. These routes are of little help to addressing but occupy a lot of resources. In this case, the undo host-route command can be used to disable rip fr...

  • Page 272

    3-9 network syntax network network-address undo network network-address view rip view parameters network-address : network/ip address of an interface, in dotted decimal notation. Description use the network command to enable rip on an interface attached to the specified network segment. Use the undo...

  • Page 273

    3-10 description use the peer command to specify the ip address of a neighbor, where routing updates destined for the peer are unicast, rather than multicast or broadcast. Use the undo peer command to remove the ip address of a neighbor. By default, no neighbor is specified. This command is used for...

  • Page 274

    3-11 reset syntax reset view rip view parameters none description use the reset command to reset the system configuration parameters of rip. When you need to re-configure the parameters of rip, you can use this command to restore the default. Examples # reset the rip system configuration. System-vie...

  • Page 275

    3-12 note that the interface-related parameters configured previously would be invalid after rip is disabled. Examples # enable rip and enter rip view. System-view system view: return to user view with ctrl+z. [sysname] rip [sysname-rip] rip authentication-mode syntax rip authentication-mode { simpl...

  • Page 276

    3-13 related commands: rip version. You can configure ripv1 authentication mode in interface view, but the configuration will not take effect because ripv1 does not support authentication. Examples # specify the interface vlan-interface 10 to use the simple authentication with the authentication key...

  • Page 277

    3-14 system view: return to user view with ctrl+z. [sysname]interface vlan-interface 10 [sysname-vlan-interface10] undo rip input rip metricin syntax rip metricin value undo rip metricin view interface view parameters value : additional metric of rip routes received on an interface, in the range of ...

  • Page 278

    3-15 description use the rip metricout command to configure an additional metric for rip routes sent out of an interface. Use the undo rip metricout command to restore the default. By default, the additional metric of rip routes sent out of an interface is 1. With the command configured on an interf...

  • Page 279

    3-16 rip split-horizon syntax rip split-horizon undo rip split-horizon view interface view parameters none description use the rip split-horizon command to enable the split horizon function. Use the undo rip split-horizon command to disable the split horizon function. By default, the split horizon f...

  • Page 280

    3-17 use the undo rip version command to restore the default. By default, the version of rip running on an interface is rip-1 and rip-1 packets are sent in the broadcast mode. If rip-2 runs on an interface, rip packets are sent in the multicast mode by default, which reduces resource consumption. Ta...

  • Page 281

    3-18 use the undo rip work command to disable the interface from receiving and sending rip packets. By default, all interfaces except loopback interfaces are enabled to receive and send rip packets. The differences between the rip work, rip input, and rip output commands are as follows: th...

  • Page 283

    3-20 traffic-share-across-interface syntax traffic-share-across-interface undo traffic-share-across-interface view rip view parameters none description use the traffic-share-across-interface command to enable traffic to be forwarded along multiple equivalent rip routes. Use the undo traffic-share-ac...

  • Page 284

    4-1 4 ip routing policy configuration commands the term router in this chapter refers to a router in a generic sense or an ethernet switch running a routing protocol. Ip routing policy configuration commands apply cost syntax apply cost value undo apply cost view route policy view parameters value :...

  • Page 285

    4-2 apply tag syntax apply tag value undo apply tag view route policy view parameters value : tag value of a route, in the range of 0 to 4294967295. Description use the apply tag command to configure a tag for a route. Use the undo apply tag command to remove the configuration. By default, no tag is...

  • Page 286

    4-3 examples # display the information about the address prefix list named p1. Display ip ip-prefix p1 name index conditions ip-prefix / mask ge le p1 10 permit 10.1.0.0/16 17 18 table 4-1 description on the fields of the display ip ip-prefix command field description name name of an ip-prefix index...

  • Page 287

    4-4 table 4-2 description on the fields of the display route-policy command field description route-policy name of a routing policy information about the routing policy with the matching mode configured as permit and the node as 10. If-match (ip-prefix) p1 matching conditions permit 10 apply cost 10...

  • Page 288

    4-5 view route policy view parameters value : route cost, in the range of 0 to 4294967295. Description use the if-match cost command to configure a cost matching rule for routing information. Use the undo if-match cost command to remove the configuration. By default, no cost matching rule is defined...

  • Page 290

    4-7 parameters value : tag value, in the range of 0 to 4294967295. Description use the if-match tag command to configure the tag matching rule for routing information. Use the undo if-match tag command to remove the matching rule. By default, no tag matching rule for routing information is defin...

  • Page 291

    4-8 to", and the meaning of less-equal is "less than or equal to". The range is len greater-equal less-equal greater-equal is used, it denotes the prefix range [greater-equal, 32]. When only less-equal is used, it denotes the prefix range [len, less-equal]. When both greater-equal and less-equal are...

  • Page 292

    4-9 node : specifies a node index in a routing policy. Node-number : index of the node in a routing policy, in the range 0 to 2047. When this routing policy is used, the node with smaller node-number will be matched first. Description use the route-policy command to create a routing policy or enter ...

  • Page 293: Table of Contents

    I table of contents 1 common multicast configuration commands 1-1 common multicast configuration commands 1-1 display mac-add...

  • Page 294

    1-1 1 common multicast configuration commands common multicast configuration commands display mac-address multicast static syntax display mac-address multicast [ static [ [ mac-address ] vlan vlan-id ] [ count ] ] view any view parameters mac-address :displays the static multicast mac entry informat...

  • Page 295

    1-2 field description state state of the mac address, which includes only config static , indicating that the table entry is manually added. Port index ports out which the multicast packets destined for the multicast mac address are forwarded aging time(s) state of the aging timer. The aging timer f...

  • Page 296

    1-3 view system view parameters mac-address : multicast mac address, in the form of h-h-h. Interface interface-list: specifies forwarding ports for the specified multicast mac group address. With the interface-list argument, you can define one or more individual ports (in the form of interface-type ...

  • Page 297

    1-4 use the undo mac-address multicast vlan command to remove the specified multicast mac address entry or all multicast mac address entries on the current port. Each multicast mac address entry contains the multicast address, forwarding port, and vlan id information. Related commands: display mac-a...

  • Page 298

    1-5 examples # enable the multicast source port suppression feature on all the ports of the switch. System-view system view: return to user view with ctrl+z. [sysname] multicast-source-deny # enable the multicast source port suppression feature on ethernet 1/0/1 through ethernet 1/0/10 and on ethern...

  • Page 299

    2-1 2 igmp snooping configuration commands igmp snooping configuration commands display igmp-snooping configuration syntax display igmp-snooping configuration view any view parameters none description use the display igmp-snooping configuration command to display igmp snooping configuration informat...

  • Page 300

    2-2 display igmp-snooping group syntax display igmp-snooping group [ vlan vlan-id ] view any view parameters vlan vlan-id : specifies the vlan in which the multicast group information is to be displayed, where vlan-id ranges from 1 to 4094. If you do not specify a vlan, this command displays the m...

  • Page 301

    2-3 field description total 1 mac group(s). Total number of mac multicast groups in all vlans vlan(id): id of the vlan whose multicast group information is displayed total 1 ip group(s). Total number of ip multicast groups in vlan 100 total 1 mac group(s). Total number of mac multicast groups in vla...

  • Page 302

    2-4 examples # display igmp snooping statistics. Display igmp-snooping statistics received igmp general query packet(s) number:1. Received igmp specific query packet(s) number:0. Received igmp v1 report packet(s) number:0. Received igmp v2 report packet(s) number:3. Received igmp leave packet(s) num...

  • Page 303

    2-5 although both layer 2 and layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously in the same vlan and on the corresponding vlan interface. Before enabling igmp snooping in a vlan, be sure to enable igmp snooping globally in system view; otherwis...

  • Page 304

    2-6 the fast leave processing function works for a port only if the host attached to the port runs igmpv2 or igmpv3. The configuration performed in system view takes effect on all ports of the switch if no vlan is specified; if one or more vlans are specified, the configuration takes effect on a...

  • Page 305

    2-7 by default, the layer 2 multicast switch sends general query messages with the source ip address of 0.0.0.0. Related commands: igmp-snooping querier, igmp-snooping query-interval. Examples # configure the switch to send general query messages with the source ip address 2.2.2.2 in vlan 3. System-...

  • Page 306

    2-8 to prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. When the number of multicast groups exceeds the configured limit, the switch removes ...

  • Page 307

    2-9 the acl rule defines a multicast address or a multicast address range (for example 224.0.0.1 to 239.255.255.255) and is used to: allow the port(s) to join only the multicast group(s) defined in the rule by a permit statement; inhibit the port(s) from joining the multicast group(s) defined in...

  • Page 308

    2-10 [sysname-acl-basic-2001] quit # create vlan 2 and add ethernet1/0/2 to vlan 2. [sysname] vlan 2 [sysname-vlan2] port ethernet 1/0/2 [sysname-vlan2] quit # configure acl 2001 on ethernet1/0/2 to allow it to join any igmp multicast groups except those defined in the deny rule of acl 2001. [sysname] int...

  • Page 309

    2-11 parameters seconds : maximum response time in igmp general queries, in the range of 1 to 25. Description use the igmp-snooping max-response-time command to configure the maximum response time in igmp general queries. Use the undo igmp-snooping max-response-time command to restore the default. B...

  • Page 310

    2-12
    • If the function of dropping unknown multicast packets or the xrn fabric function is enabled, you cannot enable the igmp snooping non-flooding function.
    • The igmp snooping non-flooding function and the multicast source port suppression function cannot take effect at the same time. If both are...

  • Page 311

    2-13 system-view system view, return to user view with ctrl+z. [sysname] igmp-snooping enable [sysname] vlan 3 [sysname-vlan3] igmp-snooping enable [sysname-vlan3] igmp-snooping querier igmp-snooping query-interval syntax igmp-snooping query-interval seconds undo igmp-snooping query-interval view ...

  • Page 312

    2-14 view system view parameters seconds : aging time of router ports, in the range of 1 to 1,000, in seconds. Description use the igmp-snooping router-aging-time command to configure the aging time of router ports. Use the undo igmp-snooping router-aging-time command to restore the default aging ti...

  • Page 313

    2-15 [sysname] vlan 100 [sysname-vlan100] igmp-snooping enable [sysname-vlan100] igmp-snooping version 3 igmp-snooping vlan-mapping syntax igmp-snooping vlan-mapping vlan vlan-id undo igmp-snooping vlan-mapping view system view parameters vlan vlan-id : vlan id, in the range of 1 to 4094. Descript...

  • Page 314

    2-16 description use the igmp host-join command to configure the current port as a specified multicast group or source and group member, namely configure the port as simulated member host for a specified multicast group or source and group member. Use the undo igmp host-join command to remove the cu...

  • Page 315

    2-17 interface interface-list: specifies a port list. With the interface-list argument, you can define one or more individual ports (in the form of interface-type interface-number) and/or one or more port ranges (in the form of interface-type interface-number1 to interface-type interface-number2, wh...

  • Page 316

    2-18 description use the multicast static-group vlan command to configure the current port as a static member port for the specified multicast group and specify the vlan the port belongs to. Use the undo multicast static-group vlan command to remove the current port in the specified vlan as a static...

  • Page 317

    2-19 description use the multicast static-router-port command to configure the specified port in the current vlan as a static router port. Use the undo multicast static-router-port command to remove the specified port in the current vlan as a static router port. By default, a port is not a static ro...

  • Page 318

    2-20 system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] multicast static-router-port vlan 10 reset igmp-snooping statistics syntax reset igmp-snooping statistics view user view parameters none description use the reset igmp-snooping statistics co...

  • Page 319

    2-21
    • One port belongs to only one multicast vlan.
    • The port connected to a user terminal must be a hybrid port.
    • The multicast member port must be in the same multicast vlan with the router port. Otherwise, the port cannot receive multicast packets.
    • If a router port is in a multicast vlan, the...

  • Page 320: Table of Contents

    I table of contents: 1 802.1x configuration commands (1-1); 802.1x configuration commands ...

  • Page 321

    Ii system-guard l3err enable (4-6); system-guard tcn enable (4-7); system-guard tcn...

  • Page 323

    1-2 configuration: transmit period 30 s, handshake period 15 s reauth period 3600 s, reauth maxtimes 2 quiet period 60 s, quiet period timer is disabled supp timeout 30 s, server timeout 100 s interval between version requests is 30s maximal request times for version information is 3 the maximal ret...

  • Page 324

    1-3 field description dhcp-launch is disabled dhcp-triggered. 802.1x authentication is disabled. Handshake is enabled the online user handshaking function is enabled. Proxy trap checker is disabled whether or not to send trap packets when detecting a supplicant system logs in through a proxy.
    • Disa...

  • Page 325

    1-4 field description 802.1x protocol is disabled 802.1x is disabled on the port proxy trap checker is disabled whether or not to send trap packets when detecting a supplicant system in logging in through a proxy.
    • Disable means the switch does not send trap packets when it detects that a supplican...

  • Page 326

    1-5 port and interface-number is the number of the port. The string “&” means that up to 10 port lists can be provided. Description use the dot1x command to enable 802.1x globally or for specified ethernet ports. Use the undo dot1x command to disable 802.1x globally or for specified ethernet ports. ...

  • Page 327

    1-6 view system view parameters chap : authenticates using challenge handshake authentication protocol (chap). Pap : authenticates using password authentication protocol (pap). Eap : authenticates using extensible authentication protocol (eap). Description use the dot1x authentication-method command...

  • Page 328

    1-7 parameters none description use the dot1x dhcp-launch command to specify an 802.1x-enabled switch to launch the process to authenticate a supplicant system when the supplicant system applies for a dynamic ip address through dhcp. Use the undo dot1x dhcp-launch command to disable an 802.1x-enable...

  • Page 329

    1-8 in system view,
    • If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.
    • If you specify the interface-list argument, these two commands apply to the specified ports.
    In ethernet port view, the interface-list argument is not available and the...

  • Page 330

    1-9
    • To enable the proxy detecting function, you need to enable the online user handshaking function first.
    • With the support of h3c proprietary clients, handshaking packets can be used to test whether or not a user is online.
    • As clients that are not of h3c do not support the online user handsha...

  • Page 331

    1-10 in ethernet port view, the interface-list argument is not available and the commands apply to only the current port. Related commands: display dot1x. Examples # configure the maximum number of users that ethernet 1/01 port can accommodate to be 32. System-view system view: return to user view w...

  • Page 332

    1-11 in ethernet port view, the interface-list argument is not available and the commands apply to only the current ethernet port. Related commands: display dot1x. Examples # specify ethernet 1/0/1 to operate in unauthorized-force access control mode. System-view system view: return to user view wit...

  • Page 333

    1-12 in ethernet port view, the interface-list argument is not available and the commands apply to only the current ethernet port. Related commands: display dot1x. Examples # specify to authenticate users connected to ethernet 1/0/1 by port numbers. System-view system view: return to user view with ...

  • Page 334

    1-13 parameters max-retry-value : maximum number of times that a switch sends authentication request packets to a user. This argument ranges from 1 to 10. Description use the dot1x retry command to specify the maximum number of times that a switch sends authentication request packets to a user. Use ...

  • Page 335

    1-14 related commands: display dot1x, dot1x timer. Examples # configure the maximum number of times that the switch sends version request packets to 6. System-view system view: return to user view with ctrl+z. [sysname] dot1x retry-version-max 6 dot1x re-authenticate syntax dot1x re-authenticate [ i...

  • Page 336

    1-15 examples # enable 802.1x re-authentication on port ethernet 1/0/1. System-view system view: return to user view with ctrl+z. [sysname] dot1x 802.1x is enabled globally. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] dot1x 802.1x is enabled on port ethernet1/0/1 already. [sysname-eth...

  • Page 337

    1-16 the proxy checking function takes effect on a port only when the function is enabled both globally and on the port. 802.1x proxy checking checks for:
    • Users logging in through proxies
    • Users logging in through ie proxies
    • Whether or not a user logs in through multiple network adapters (that ...

  • Page 339

    1-18 authenticates the 802.1x client who cannot request for authentication actively. The switch sends multicast request/identity packets periodically through the port enabled with 802.1x function. In this case, this timer sets the interval to send the multicast request/identity packets. The tx-perio...

  • Page 340

    1-19 use the undo dot1x timer reauth-period command to restore the default 802.1x re-authentication interval. By default, the 802.1x re-authentication interval is 3,600 seconds. Examples # set the 802.1x re-authentication interval to 150 seconds. System-view system view: return to user view with ctr...

  • Page 341

    1-20 reset dot1x statistics syntax reset dot1x statistics [ interface interface-list ] view user view parameters interface-list : ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &, in which interface-type specifies the type...

  • Page 343

    2-2 dot1x timer acl-timeout syntax dot1x timer acl-timeout acl-timeout-value undo dot1x timer acl-timeout view system view parameters acl-timeout-value : acl timeout period (in minutes), in the range of 1 to 1440. Description use the dot1x timer acl-timeout command to configure the acl timeout perio...

  • Page 344

    2-3 system view: return to user view with ctrl+z. [sysname] dot1x url http://192.168.19.23.

  • Page 345: Habp Configuration Commands

    3-1 3 habp configuration commands habp configuration commands display habp syntax display habp view any view parameters none description use the display habp command to display habp configuration and status. Examples # display habp configuration and status. Display habp global habp information: habp...

  • Page 346

    3-2 display habp table syntax display habp table view any view parameters none description use the display habp table command to display the mac address table maintained by habp. Examples # display the mac address table maintained by habp. Display habp table mac holdtime receive port 001f-3c00-0030 ...

  • Page 347

    3-3 habp counters : packets output: 0, input: 0 id error: 0, type error: 0, version error: 0 sent failed: 0 table 3-3 description on the fields of the display habp traffic command field description packets output number of the habp packets sent input number of the habp packets received id error numb...

  • Page 348

    3-4 habp server vlan syntax habp server vlan vlan-id undo habp server view system view parameters vlan-id : vlan id, ranging from 1 to 4094. Description use the habp server vlan command to configure a switch to operate as an habp server. This command also specifies the vlan where habp packets are br...

  • Page 349

    3-5 examples # configure the switch to send habp request packets once in every 50 seconds system-view system view: return to user view with ctrl+z. [sysname] habp timer 50

  • Page 350

    4-1 4 system guard configuration commands system guard configuration commands display system-guard ip state syntax display system-guard ip state view any view parameters none description use the display system-guard ip state command to view the monitoring result and parameter settings of system guar...

  • Page 351

    4-2 display system-guard ip-record syntax display system-guard ip-record view any view parameters none description use the display system-guard ip-record command to view the information about ip packets received by the cpu in the current monitoring cycle. Examples # view the information about ip pac...

  • Page 352

    4-3 parameters none description use the display system-guard l3err state command to view the status of layer 3 error control. Examples # view the status of layer 3 error control. Display system-guard l3err state system-guard l3err status: enabled display system-guard tcn state syntax display system-...

  • Page 353

    4-4 use the undo system-guard ip detect-maxnum command to restore the maximum number of infected hosts that can be monitored to the default setting. By default, system guard can monitor a maximum of 30 infected hosts. Examples # set the maximum number of infected hosts that can be concurrently monit...

  • Page 354

    4-5 the correlations among the arguments of the system-guard ip detect-threshold command can be clearly described with this example: if you set ip-record-threshold, record-times-threshold and isolate-time to 30, 1 and 3 respectively, when the system detects successively three times that over 50 ip p...

  • Page 355

    4-6 system view: return to user view with ctrl+z. [sysname] system-guard ip enable system-guard l3err enable syntax system-guard l3err enable undo system-guard l3err enable view system view parameters none description use the system-guard l3err enable command to enable layer 3 error control. Use the...

  • Page 356

    4-7 system-guard tcn enable syntax system-guard tcn enable undo system-guard tcn enable view system view parameters none description use the system-guard tcn enable command to enable system guard against tcn attacks. Use the undo system-guard tcn enable command to disable system guard against tcn at...

  • Page 357

    4-8 use the undo system-guard tcn rate-threshold command to restore the default threshold of tcn/tc packet receiving rate. By default, the default threshold of tcn/tc packet receiving rate is 1 pps. As the system monitoring cycle is 10 seconds, the system sends trap or log information, by default, i...

  • Page 358: Table of Contents

    I table of contents: 1 aaa configuration commands (1-1); aaa configuration commands ...

  • Page 359

    Ii primary authentication (1-41); radius client (1-42); radi...

  • Page 362

    1-3 accounting optional syntax accounting optional undo accounting optional view isp domain view parameters none description use the accounting optional command to open the accounting-optional switch. Use the undo accounting optional command to close the accounting-optional switch so that the system...

  • Page 363

    1-4 view local user view parameters ip ip-address : sets the ip address of the user. Mac mac-address : sets the mac address of the user. Here, mac-address is in h-h-h format. Idle-cut second: enables the idle-cut function for the local user and sets the allowed idle time. Here, second is the allowed...

  • Page 365

    1-6 new domain added. [sysname-isp-aabbcc.Net] authentication radius-scheme radius1 # reference the radius scheme "rd" as the authentication scheme and the local scheme as the secondary authentication scheme of the isp domain aabbcc. System-view system view: return to user view with ctrl+z. [sysname...

  • Page 366

    1-7 view local user view parameters string : number or descriptor of the authorized vlan for the current user, a string of 1 to 32 characters. If it is a numeral string and there is a vlan with the number configured, it specifies the vlan. If it is a numeral string but no vlan is present with the nu...

  • Page 369

    1-10 acl group=disable car=disable priority=disable start=2000-04-03 02:51:53 ,current=2000-04-03 02:52:22 ,online=00h00m29s on unit 1:total 1 connections matched, 1 listed. Total 1 connections matched, 1 listed. Here, port no=0x10003001 means (by the binary bits): table 1-1 description of the port ...

  • Page 370

    1-11 default domain name: system total 1 domain(s).1 listed. Table 1-2 description on the fields of the display domain command field description domain domain name state status of the domain, which can be active or block . Scheme aaa scheme that the domain uses access-limit maximum number of local u...

  • Page 371

    1-12 vlan vlan-id: displays the local users belonging to a specified vlan. Here, vlan-id ranges from 1 to 4094. Service-type : displays the local users of a specified type. You can specify one of the following user types: ftp, lan-access (generally, this type of users are ethernet access users, for ...

  • Page 372

    1-13 field description servicetype mask service type mask: t means telnet service. S means ssh service. C means client service. Lm means lan-access service. F means ftp service. None means no defined service. Idle-cut status of the idle-cut function access-limit limit on the number of access users c...

  • Page 373

    1-14 description use the domain command to create an isp domain and enter its view, or enter the view of an existing isp domain, or configure the default isp domain. Use the undo domain command to delete a specified isp domain. The isp domain "system" is used as the default isp domain before you man...

  • Page 374

    1-15 description use the idle-cut command to set the user idle-cut function in current isp domain. If a user’s traffic in the specified period of time is less than the specified amount, the system will disconnect the user. By default, this function is disabled. Note that if the authentication server...

  • Page 375

    1-16 using rsa shared key for authentication, the commands they can access are determined by the levels sets on their user interfaces. Related commands: local-user. Examples # set the level of user1 to 3. System-view system view: return to user view with ctrl+z. [sysname] local-user user1 new local ...

  • Page 376

    1-17 examples # add a local user named user1. System-view system view: return to user view with ctrl+z. [sysname] local-user user1 new local user added. [sysname-luser-user1] # add a local user named 01234567891234567 (note that it will appear as 012345678912345~0000 in the view prompt). System-view...

  • Page 378

    1-19 undo name view vlan view parameters string : assigned vlan name, a string of up to 32 characters. Description use the name command to set a vlan name, which will be used for vlan assignment. Use the undo name command to cancel the vlan name. By default, a vlan uses its vlan id (like vlan 0001) ...

  • Page 379

    1-20 description use the password command to set a password for the local user. Use the undo password command to cancel the password of the local user. Note that:
    • With the local-user password-display-mode cipher-force command configured, the password is always displayed in cipher text, regardless ...

  • Page 385

    1-26 table 1-4 commonly used servers and their dynamic vlan assignment modes server dynamic vlan assignment mode cams integer for the latest cams version, you can determine the assignment mode by attribute value. Acs string freeradius you can determine the assignment mode by attribute value (for exa...

  • Page 386

    1-27 radius configuration commands accounting optional syntax accounting optional undo accounting optional view radius scheme view parameters none description use the accounting optional command to open the accounting-optional switch. Use the undo accounting optional command to close the accounting-...

  • Page 388

    1-29 nas-ip-address and session id) contained in the message, and ends the accounting of the users based on the last accounting update message. 4) once the switch receives the response from the cams, it stops sending accounting-on messages. 5) if the switch does not receive any response from the cam...

  • Page 389

    1-30 parameters mode1 : sets the mac address format to xxxx-xxxx-xxxx, where each x represents a hexadecimal number. Mode2 : sets the mac address format to xx-xx-xx-xx-xx-xx. Lowercase : uses lowercase letters in the mac address. Uppercase : uses uppercase letters in the mac address. Description use...

  • Page 390

    1-31 note that the specified unit of data flows sent to the radius server must be consistent with the traffic statistics unit of the radius server. Otherwise, accounting cannot be performed correctly. Related commands: display radius scheme. Examples # specify to measure data and packets in data flo...

  • Page 391

    1-32 view any view parameters radius-scheme-name : name of a radius scheme, a string of up to 32 characters. Description use the display radius scheme command to display configuration information about one specific or all radius schemes related commands: radius scheme. Examples # display configurati...

  • Page 392

    1-33 field description index index number of the radius scheme type type of the radius servers primary auth ip/port ip address/port number of the primary authentication server primary acct ip/port ip address/port number of the primary accounting server second auth ip/port ip address/port number of t...

  • Page 393

    1-34 display radius statistics syntax display radius statistics view any view parameters none description use the display radius statistics command to display the radius message statistics. Related commands: radius scheme. Examples # display radius message statistics. Display radius statistics state...

  • Page 394

    1-35 portal access , num=0 , err=0 , succ=0 update ack , num=0 , err=0 , succ=0 portal access ack , num=0 , err=0 , succ=0 session ctrl pkt , num=0 , err=0 , succ=0 set policy result , num=0 , err=0 , succ=0 radius sent messages statistic: auth accept , num=0 auth reject , num=0 eap auth replying , ...

  • Page 395

    1-36 description use the display stop-accounting-buffer command to display the non-response stop-accounting requests buffered in the device.
    • You can choose to display the buffered stop-accounting requests of a specified radius scheme, session (by session id), or user (by username). You can also sp...

  • Page 396

    1-37 description use the key command to set a shared key for radius authentication/authorization messages or accounting messages. Use the undo key command to restore the corresponding default shared key setting. By default, no shared key exists. Note that:
    • Both radius client and server adopt md5 a...

  • Page 397

    1-38 description use the local-server enable command to enable the udp ports for local radius services. Use the undo local-server command to disable the udp ports for local radius services. By default, the udp ports for local radius services are enabled. In addition to functioning as a radius client...

  • Page 398

    1-39
    • The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the radius scheme view of the radius scheme on the specified nas that uses this swi...

  • Page 399

    1-40 the nas-ip command in radius scheme view has the same function as the radius nas-ip command in system view; and the configuration in radius scheme view takes precedence over that in system view. You can set the source ip address of outgoing radius messages to avoid messages returned from radius...

  • Page 400

    1-41 examples # set the ip address and udp port number of the primary accounting server for radius scheme radius1 to 10.110.1.2 and 1813 respectively. System-view system view: return to user view with ctrl+z. [sysname] radius scheme radius1 new radius scheme [sysname-radius-radius1] primary accounti...

  • Page 401

    1-42 related commands: key, radius scheme, state. Examples # set the ip address and udp port number of the primary authentication/authorization server for radius scheme radius1 to 10.110.1.1 and 1812 respectively. System-view system view: return to user view with ctrl+z. [sysname] radius scheme radi...

  • Page 402

    1-43 undo radius nas-ip view system view parameters ip-address : source ip address to be set, an ip address of this device. This address can neither be the all 0's address nor be a class-d address. Description use the radius nas-ip command to set the source ip address of outgoing radius messages. Us...

  • Page 403

    1-44 view system view parameters radius-scheme-name : name of the radius scheme to be created, a string of up to 32 characters. Description use the radius scheme command to create a radius scheme and enter its view. Use the undo radius scheme command to delete a specified radius scheme. By default, ...

  • Page 404

    1-45 parameters authentication-server-down : enables/disables the switch to send trap messages when a radius authentication server turns down. Accounting-server-down : enables/disables the switch to send trap messages when a radius accounting server turns down. Description use the radius trap comman...

  • Page 406

    1-47 undo retry view radius scheme view parameters retry-times : maximum number of transmission attempts of a radius request, ranging from 1 to 20. Description use the retry command to set the maximum number of transmission attempts of a radius request. Use the undo retry command to restore the defa...

  • Page 407

    1-48 parameters retry-times : maximum allowed number of continuous real-time accounting failures, ranging from 1 to 255. Description use the retry realtime-accounting command to set the maximum allowed number of continuous real-time accounting failures. Use the undo retry realtime-accounting command...

  • Page 408

    1-49 [sysname-radius-radius1] retry realtime-accounting 10 retry stop-accounting syntax retry stop-accounting retry-times undo retry stop-accounting view radius scheme view parameters retry-times : maximum number of transmission attempts of a buffered stop-accounting request, ranging from 10 to 65,5...

  • Page 409

    1-50 undo secondary accounting view radius scheme view parameters ip-address : ip address of the secondary accounting server to be used, in dotted decimal notation. Port-number : udp port number of the secondary accounting server, ranging from 1 to 65535. Description use the secondary accounting com...

  • Page 410

    1-51 use the undo secondary authentication command to restore the default ip address and port number of the secondary radius authentication/authorization server, which is 0.0.0.0 and 1812 respectively. Related commands: key, radius scheme, state. Examples # set the ip address and udp port number of ...

  • Page 412

    1-53 [sysname] radius scheme radius1 new radius scheme [sysname-radius-radius1] state secondary authentication active stop-accounting-buffer enable syntax stop-accounting-buffer enable undo stop-accounting-buffer enable view radius scheme view parameters none description use the stop-accounting-buff...

  • Page 413

    1-54 undo timer view radius scheme view parameters seconds : response timeout time of radius servers, ranging from 1 to 10 seconds. Description use the timer command to set the response timeout time of radius servers (that is, the timeout time of the response timeout timer of radius servers). Use th...

  • Page 414

    1-55 parameters minutes : wait time before primary server state restoration, ranging from 1 to 255 minutes. Description use the timer quiet command to set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active. ...

  • Page 415

    1-56
    • The setting of the real-time accounting interval depends, to some degree, on the performance of the switch and the radius server. The higher the performance of the switch and the radius server is, the shorter the interval can be. It is recommended to set the interval as long as possible when ...

  • Page 416

    1-57
    • After sending out a radius request (authentication/authorization request or accounting request) to a radius server, the switch waits for a response from the server. The maximum time that the switch can wait for the response is called the response timeout time of radius servers, and the corres...

  • Page 417

    1-58 designed for you to specify whether or not isp domain names are carried in the usernames to be sent to the radius server.
    • For a radius scheme, if you have specified to exclude isp domain names from usernames, you should not use this radius scheme in more than one isp domain. Otherwise, such e...

  • Page 419

    2-2 security-policy-server 192.168.0.1 user-name-format without-domain ….

  • Page 420: Table of Contents

    I table of contents: 1 mac address authentication configuration commands (1-1); mac address authentication basic function configuration commands (1-1); display mac-authentication...

  • Page 421: Commands

    1-1 1 mac address authentication configuration commands mac address authentication basic function configuration commands display mac-authentication syntax display mac-authentication [ interface interface-list ] view any view parameters interface interface-list: list of ethernet ports. You can specif...

  • Page 422

    1-2 0016-e0be-e201 ethernet1/0/2 1(vlan:1) --- 1 silent mac address(es) found. --- ethernet1/0/1 is link-up mac address authentication is enabled max-auth-num is 256 guest vlan is 2 authenticate success: 1, failed: 0 current online user number is 1 mac addr authenticate state authindex 000d-88f8-4e7...

  • Page 423

    1-3 field description max allowed user number the maximum number of users supported by the switch. It is 1,024 by default. Current user number amounts to the current number of users current domain the current domain. It is not configured by default. Silent mac user info the information about the sil...

  • Page 424

    1-4 parameters none description use the mac-authentication command to enable mac address authentication globally or on the current port. Use the undo mac-authentication command to disable mac address authentication globally or on the current port. By default, mac address authentication is disabled b...

  • Page 425

    1-5 parameters interface-list : list of ethernet ports. You can specify multiple ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &, where & means that you can provide up to 10 port indexes/port index...

  • Page 426

    1-6 parameters usernameformat : specifies the input format of the username and password. With-hyphen : uses hyphened mac addresses as usernames and passwords, for example, 00-05-e0-1c-02-e3. Without-hyphen : uses mac addresses without hyphens as usernames and passwords, for example, 0005e01c02e3. Lo...

  • Page 427

    1-7 examples # use the user name in fixed mode for mac address authentication. System-view system view: return to user view with ctrl+z. [sysname] mac-authentication authmode usernamefixed mac-authentication authpassword syntax mac-authentication authpassword password undo mac-authentication authpas...

  • Page 428

    1-8 by default, the user name in fixed mode is "mac". Examples # set the user name to vipuser in fixed mode. System-view system view: return to user view with ctrl+z. [sysname] mac-authentication authusername vipuser mac-authentication domain syntax mac-authentication domain isp-name undo mac-authent...

  • Page 429

    1-9 parameters offline-detect-value : offline detect timer (in seconds) setting. This argument ranges from 1 to 65,535 and defaults to 300. The offline detect timer sets the time interval for a switch to test whether a user goes offline. Quiet-value : quiet timer (in seconds) setting. This argument ...

  • Page 430

    1-10 reset mac-authentication statistics interface ethernet 1/0/1 mac address authentication enhanced function configuration commands mac-authentication guest-vlan syntax mac-authentication guest-vlan vlan-id undo mac-authentication guest-vlan view ethernet port view parameters vlan-id : id of the g...

  • Page 431

    1-11
      • If more than one client is connected to a port, you cannot configure a guest vlan for this port.
      • When a guest vlan is configured for a port, only one mac address authentication user can access the port. Even if you set the limit on the number of mac address authentication users to more tha...

  • Page 432

    1-12 use the undo mac-authentication max-auth-num command to restore the maximum number of mac address authentication users allowed to access the port to the default value. By default, the maximum number of mac address authentication users allowed to access a port is 256.
      • If both the limit on the ...

  • Page 433

    1-13 examples # configure the switch to re-authenticate users in guest vlans at the interval of 60 seconds. System-view system view: return to user view with ctrl+z. [sysname] mac-authentication timer guest-vlan-reauth 60

  • Page 434: Table of Contents

    I table of contents 1 arp configuration commands 1-1 arp configuration commands...

  • Page 435: Arp Configuration Commands

    1-1 1 arp configuration commands arp configuration commands arp anti-attack valid-check enable syntax arp anti-attack valid-check enable undo arp anti-attack valid-check enable view system view parameters none description use the arp anti-attack valid-check enable command to enable arp source mac ad...

  • Page 436

    1-2 use the undo arp check enable command to disable the arp entry checking function. With the arp entry checking function enabled, the switch cannot learn any arp entry with a multicast mac address. Configuring such a static arp entry is not allowed either; otherwise, the system prompts error infor...

  • Page 437

    1-3 related commands: reset arp, display arp. Examples # create a static arp mapping entry, with the ip address of 202.38.10.2, the mac address of 000f-e20f-0000. The arp mapping entry belongs to ethernet 1/0/1 which belongs to vlan 1. System-view system view: return to user view with ctrl+z. [sysna...

  • Page 438

    1-4 description use the display arp command to display specific arp entries. If you execute this command with no keyword/argument specified, all the arp entries are displayed. Related commands: arp static, reset arp. Examples # display all the arp entries. Display arp type: s-static d-dynamic ip add...

  • Page 441

    1-7 gratuitous-arp period-resending enable syntax gratuitous-arp period-resending enable undo gratuitous-arp period-resending enable view vlan interface view parameters none description use the gratuitous-arp period-resending enable command to enable the vlan interface to send gratuitous arp packets...

  • Page 442

    1-8 in the packet to its own dynamic arp table if it finds no corresponding arp entry for the arp packet in the cache. Use the undo gratuitous-arp-learning enable command to disable the gratuitous arp packet learning function. By default, the gratuitous arp packet learning function is disabled. Exam...

  • Page 443: Table of Contents

    I table of contents 1 dhcp relay agent configuration commands 1-1 dhcp relay agent configuration commands 1-1 address-check...

  • Page 444

    1-1 1 dhcp relay agent configuration commands dhcp relay agent configuration commands address-check syntax address-check enable address-check disable view vlan interface view parameters none description use the address-check enable command to enable ip address match checking on the dhcp relay agent....

  • Page 445

    1-2 view system view parameters none description use the dhcp relay hand enable command to enable the dhcp relay handshake function. With this feature enabled, the dhcp relay agent uses the ip address of a client and the mac address of the dhcp relay interface to periodically send a handshake messag...

  • Page 446

    1-3 by default, with the option 82 support function enabled on the dhcp relay agent, the dhcp relay agent will adopt the replace strategy to process the request packets containing option 82. However, if other strategies are configured before, then enabling the 82 supporting on the dhcp relay will no...

  • Page 448

    1-5 parameters interval : refreshing interval in seconds, in the range of 1 to 120. Auto : specifies the auto refreshing interval, which is automatically calculated according to the number of binding entries. Description the default handshake interval is auto, the value of 60 seconds divided by the ...

  • Page 449

    1-6 To improve security and avoid malicious attacks on the unused sockets, s4500 ethernet switches provide the following functions:
      • udp 67 and udp 68 ports used by dhcp are enabled only when dhcp is enabled.
      • udp 67 and udp 68 ports are disabled when dhcp is disabled.
    The corresponding implementat...

  • Page 450

    1-7 related commands: dhcp server, display dhcp-server. Examples # enter system view system-view system view: return to user view with ctrl+z. # enable the unauthorized-dhcp server detection function on the dhcp relay agent. [sysname] dhcp-server detect dhcp-server ip syntax dhcp-server groupno ip i...

  • Page 451

    1-8 parameters ip-address : ip address. This argument is used to display the user address entry with the specified ip address. Dynamic : displays the dynamic user address entries. Static : displays the static user address entries. Tracker : displays the interval to update the user address entries. D...

  • Page 452

    1-9 ip address of dhcp server group 0: 1.1.1.1 ip address of dhcp server group 0: 2.2.2.2 ip address of dhcp server group 0: 3.3.3.3 ip address of dhcp server group 0: 4.4.4.4 ip address of dhcp server group 0: 5.5.5.5 ip address of dhcp server group 0: 6.6.6.6 ip address of dhcp server group 0: 7.7...

  • Page 453

    1-10 field description dhcp_inform messages number of the dhcp-inform packets received by the dhcp relay dhcp_release messages number of the dhcp-release packets received by the dhcp relay bootp_request messages number of the bootp request packets bootp_reply messages number of the bootp response pa...

  • Page 454

    1-11 related commands: dhcp server, display dhcp-server. Examples # clear the statistics information of dhcp server group 2. Reset dhcp-server 2.

  • Page 455

    2-1 2 dhcp snooping configuration commands dhcp snooping configuration commands dhcp-snooping syntax dhcp-snooping undo dhcp-snooping view system view parameters none description use the dhcp-snooping command to enable the dhcp snooping function. Use the undo dhcp-snooping command to disable the dhc...

  • Page 456

    2-2 view system view parameters none description use the dhcp-snooping information enable command to enable dhcp snooping option 82. Use the undo dhcp-snooping information enable command to disable dhcp snooping option 82. Dhcp snooping option 82 is disabled by default. Enable dhcp snooping before p...

  • Page 458

    2-4 description use the dhcp-snooping information remote-id command to configure the remote id sub-option in option 82. Use the undo dhcp-snooping information remote-id command to restore the default value of the remote id sub-option in option 82. By default, the remote id sub-option in option 82 is...

  • Page 459

    2-5
      • Enable dhcp-snooping and dhcp-snooping option 82 before performing this configuration.
      • If a handling policy is configured on a port, this configuration overrides the globally configured handling policy for requests received on this port, while the globally configured handling policy applies ...

  • Page 460

    2-6 if you have configured a circuit id with the vlan vlan-id argument specified, and the other one without the argument in ethernet port view, the former circuit id applies to the dhcp messages from the specified vlan, while the latter one applies to dhcp messages from other vlans. Examples # set t...

  • Page 461

    2-7 examples # configure the remote id of option 82 in dhcp packets to abc on the port ethernet 1/0/1. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet1/0/1 [sysname-ethernet1/0/1] dhcp-snooping information remote-id string abc dhcp-snooping trust syntax dhcp-sn...

  • Page 462

    2-8 display dhcp-snooping syntax display dhcp-snooping [ unit unit-id ] view any view parameters unit unit-id: displays the dhcp-snooping information on the specified device in the fabric. Unit-id indicates the number of the device whose dhcp-snooping information needs to be viewed. If unit unit-id ...

  • Page 463

    2-9 examples # display the state of the dhcp snooping function and the trusted ports. Display dhcp-snooping trust dhcp-snooping is enabled. Dhcp-snooping trust become effective. Interface trusted ===================== ================= ethernet1/0/10 trusted the above display information indicates t...

  • Page 464

    3-1 3 dhcp/bootp client configuration dhcp client configuration commands display dhcp client syntax display dhcp client [ verbose ] view any view parameters verbose : displays the detailed address allocation information. Description use the display dhcp client command to display the information abou...

  • Page 465

    3-2 table 3-1 description on the fields of the display dhcp client command field description vlan-interface1 vlan interface operating as a dhcp client to obtain an ip address dynamically current machine state the state of the client state machine allocated ip ip address allocated to the dhcp client ...

  • Page 466

    3-3 To improve security and avoid malicious attacks on the unused sockets, s4500 ethernet switches provide the following functions:
      • udp ports 67 and 68 used by dhcp are enabled/disabled only when dhcp is enabled/disabled.
    The implementation is as follows:
      • After the dhcp client is enabled by exec...

  • Page 467

    3-4 table 3-2 description on the fields of the display bootp client command field description vlan-interface1 vlan-interface 1 is configured to obtain an ip address through bootp. Allocated ip ip address allocated to the vlan interface transaction id value of the xid field in bootp packets mac addre...

  • Page 468: Table of Contents

    I table of contents 1 acl configuration commands 1-1 acl configuration commands...

  • Page 470

    1-2 examples # define acl 2000 and specify "depth-first" as the match order. System-view system view: return to user view with ctrl+z. [sysname] acl number 2000 match-order auto [sysname-acl-basic-2000] # add three rules with different numbers of zeros in the source wildcards. [sysname-acl-basic-200...

  • Page 471

    1-3 examples # assign description string "this acl is used for filtering all http packets" to acl 3000. System-view [sysname] acl number 3000 [sysname-acl-adv-3000] description this acl is used for filtering all http packets # use the display acl command to view the configuration information of acl ...

  • Page 472

    1-4 table 1-1 description on the fields of the display acl command field description basic acl 2000 the displayed information is about the basic acl 2000. 3 rules the acl includes three rules. Match-order is auto the match order of the acl is depth-first. If this field is not displayed, the match or...

  • Page 473

    1-5 table 1-2 description on the fields of the display drv qacl_resource command field description block on the front panel, from left to right, every four columns of fe ports (total of eight fe ports) represents a block numbered starting from 0. That is, 0 indicates ethernet 1/0/1 to ethernet 1/0...

  • Page 474

    1-6 description use the display packet-filter command to display information about packet filtering. Examples # display information about packet filtering on all ports of a switch that is not in a fabric. Display packet-filter unitid 1 ethernet1/0/1 inbound: acl 2000 rule 0 running ethernet1/0/2 out...

  • Page 475

    1-7 examples # display all time ranges. Display time-range all current time is 17:01:34 may/21/2007 monday time-range : tr ( active ) 12:00 to 18:00 working-day time-range : tr1 ( inactive ) from 12:00 jan/1/2008 to 12:00 jun/1/2008 table 1-4 description on the fields of the display time-range comma...

  • Page 476

    1-8 combination mode the acl-rule argument apply all the rules of a layer 2 acl link-group acl-number apply a rule of a layer 2 acl link-group acl-number rule rule-id apply all the rules of a user-defined acl user-group acl-number apply a rule of a user-defined acl user-group acl-number rule rule-id...

  • Page 477

    1-9 # apply rule 1 of advanced acl 3000 and rule 2 of layer 2 acl 4000 on ethernet 1/0/4 to filter inbound packets. Here, it is assumed that the acls and their rules are already configured. [sysname] interface ethernet 1/0/4 [sysname-ethernet1/0/4] packet-filter inbound ip-group 3000 rule 1 link-gro...

  • Page 478

    1-10 # apply rule 1 of advanced acl 3000 and rule 2 of layer 2 acl 4000 on all ports in vlan 40 to filter inbound packets. Here, it is assumed that the acls and their rules and the vlan are already configured. [sysname] packet-filter vlan 40 inbound ip-group 3000 rule 1 link-group 4000 rule 2 after ...

  • Page 479

    1-11 sour-wildcard is the complement of the wildcard mask of the source subnet mask. For example, you need to input 0.0.255.255 to specify the subnet mask 255.255.0.0. Parameters of the undo rule command rule-id : rule id, which must be the id of an existing acl rule. You can obtain the id of an acl ru...

  • Page 480

    1-12 # create basic acl 2001 and define rule 1 to deny packets that are non-tail fragments. [sysname] acl number 2001 [sysname-acl-basic-2001] rule 1 deny fragment [sysname-acl-basic-2001] quit # create basic acl 2002 and define rule 1 to deny all packets during the period specified by time range tr...

  • Page 482

    1-14 the sour-wildcard/dest-wildcard argument is the complement of the wildcard mask of the source/destination subnet mask. For example, you need to input 0.0.255.255 to specify the subnet mask 255.255.0.0. If you specify the dscp keyword, you can directly input a value ranging from 0 to 63 or input...

  • Page 483

    1-15 table 1-9 ip precedence values and the corresponding keywords keyword ip precedence in decimal ip precedence in binary routine 0 000 priority 1 001 immediate 2 010 flash 3 011 flash-override 4 100 critical 5 101 internet 6 110 network 7 111 if you specify the tos keyword, you can directly input...

  • Page 484

    1-16 table 1-11 tcp/udp-specific acl rule information parameters type function description source-port operator port1 [ port2 ] source port defines the source port information of udp/tcp packets destination-port operator port1 [ port2 ] destination port defines the destination port information of ud...

  • Page 485

    1-17 table 1-12 tcp or udp port values type value tcp chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (...

  • Page 486

    1-18 name icmp type icmp code port-unreachable type=3 code=3 protocol-unreachable type=3 code=2 reassembly-timeout type=11 code=1 source-quench type=4 code=0 source-route-failed type=3 code=5 timestamp-reply type=14 code=0 timestamp-request type=13 code=0 ttl-exceeded type=11 code=0 parameters of th...

  • Page 487

    1-19
      • If you do not specify the rule-id argument when creating an acl rule, the rule will be numbered automatically. If the acl has no rules, the rule is numbered 0; otherwise, the number of the rule will be the greatest rule number plus one. If the current greatest rule number is 65534, however, t...

  • Page 488

    1-20 table 1-15 layer 2 acl rule information parameters type function description format-type link layer encapsulation type specifies the link layer encapsulation type in the rule this argument can be 802.3/802.2, 802.3, ether_ii, or snap. Lsap lsap-code lsap-wildcard lsap field specifies the lsap f...

  • Page 489

    1-21 parameters type function description type protocol-type protocol-mask protocol type of ethernet frames specifies the protocol type of ethernet frames for the acl rule protocol-type : protocol type. Protocol-mask : protocol type mask. When layer 2 acls are applied to ports or vlans of the switch...

  • Page 491

    1-23 offset unit 2 to 5 6 to 9 10 to 13 14 to 17 18 to 21 22 to 25 26 to 29 30 to 33 6 to 9 10 to 13 14 to 17 18 to 21 22 to 25 26 to 29 30 to 33 34 to 37 12 to 15 16 to 19 20 to 23 24 to 27 28 to 31 32 to 35 36 to 39 40 to 43 20 to 23 24 to 27 28 to 31 32 to 35 36 to 39 40 to 43 44 to 47 48 to 51 3...

  • Page 492

    1-24 protocol protocol number in hexadecimal offset when vlan-vpn is not enabled on any port offset when vlan-vpn is enabled on a port rarp 0x8035 16 20 ip 0x0800 16 20 ipx 0x8137 16 20 appletalk 0x809b 16 20 icmp 0x01 27 31 igmp 0x02 27 31 tcp 0x06 27 31 udp 0x11 27 31 examples # create user-define...

  • Page 493

    1-25 in this example, the 32-byte rule string occupies eight offset units: 4 to 7 (offset2), 8 to 11 (offset3), 12 to 15 (offset4), 16 to 19 (offset5), 20 to 23 (offset1), 24 to 27 (offset7), 28 to 31 (offset8), and 32 to 35 (offset6), as shown in table 1-16 . The rule can be assigned successfully. ...

  • Page 494

    1-26 examples # define the comment "this rule is to be applied to ethernet 1/0/1" for rule 0 of advanced acl 3001. System-view system view: return to user view with ctrl+z. [sysname] acl number 3001 [sysname-acl-adv-3001] rule 0 comment this rule is to be applied to ethernet 1/0/1 # use the display ...

  • Page 495

    1-27 jointly define a period in which the absolute time range takes effect. If the start date is not specified, the time range starts from 1970/01/01 00:00. To end-time end-date: specifies the end date of an absolute time range, in the form of hh:mm mm/dd/yyyy or hh:mm yyyy/mm/dd. The start-time sta...

  • Page 496

    1-28 from 12:00 jan/1/2008 to 12:00 jun/1/2008.

  • Page 497: Table of Contents

    I table of contents 1 qos commands 1-1 qos commands...

  • Page 498: Qos Commands

    1-1 1 qos commands qos commands display protocol-priority syntax display protocol-priority view any view parameters none description use the display protocol-priority command to display the list of protocol priorities you assigned with the protocol-priority command. A switch 4500 supports setting pr...

  • Page 499

    1-2 field description protocol: telnet indicate that a priority has been set for telnet packets with the protocol-priority command. Dscp: be(0) a dscp precedence has been assigned to telnet packets. The assigned value is 0, that is, be in words. For information about the dscp precedence range, refer...

  • Page 500

    1-3 view any view parameters interface-type interface-number : specifies the type and number of a port, for which qos configuration information is to be displayed. Unit-id : unit id of the switch whose qos-related configuration is to be displayed. Table 1-2 shows the value range for the unit-id argu...

  • Page 501

    1-4 mirrored to: monitor interface ethernet1/0/1: line-rate inbound: 64 kbps burst bucket size: 16 kbyte ethernet1/0/1: queue scheduling mode: weighted round robin weight of queue 0: 1 weight of queue 1: 2 weight of queue 2: 3 weight of queue 3: 4 weight of queue 4: 5 weight of queue 5: 9 weight of ...

  • Page 502

    1-5 field description priority action priority marking action, which can be:
      • cos: sets 802.1p precedence for packets.
      • dscp: sets dscp precedence for packets.
      • ip-precedence: sets ip precedence for packets.
      • local-precedence: sets local precedence for packets.
    Redirected to
      • "interface" indica...

  • Page 504

    1-7 parameters interface-type interface-number : specifies the type and number of a port for which traffic policing configuration is to be displayed. Unit-id : unit id of the switch whose traffic policing configuration is to be displayed. For the value range for the unit-id argument, refer to table ...

  • Page 505

    1-8 related commands: traffic-priority. Examples # display the priority marking configuration of ethernet 1/0/1. Display qos-interface ethernet1/0/1 traffic-priority ethernet1/0/1: traffic-priority inbound: matches: acl 2000 rule 0 running priority action: dscp ef refer to table 1-3 for the descript...

  • Page 506

    1-9 view any view parameters none description use the display queue-scheduler command to display the global queue scheduling configuration. This command does not display the weight or bandwidth set for a queue in port view. To display the setting, you can perform the display this command in port vie...

  • Page 507

    1-10 the granularity of port rate limit is 64 kbps. Assume that the value you provide for the target-rate argument is in the range n*64 to (n+1)*64 (n is a natural number), it will be rounded off to (n+1)*64. Burst-bucket burst-bucket-size: specifies the maximum burst traffic size (in kb). This is t...

  • Page 508

    1-11 acl-rule : acl rules to be used for traffic classification. This argument can be a combination of multiple acls. For more information about this argument, refer to table 1-4 and table 1-5 . Note that the acl rules referenced must be those defined with the permit keyword. Table 1-4 ways of apply...

  • Page 509

    1-12
      • If you mirror traffic to a port, you must configure a monitor port with the mirroring-group monitor-port command or the monitor-port command. For information about the two commands, refer to the part talking about mirroring.
      • Traffic mirroring and local port mirroring share the same monitor ...

  • Page 510

    1-13 view ethernet port view parameters priority-level : port priority, ranging from 0 to 7. Description use the priority command to configure trusting port priority and set the priority of the port. Use the undo priority command to restore the default. By default, port priority is trusted and the p...

  • Page 511

    1-14 by default, port priority is trusted and the priority of a port is 0. After you execute the priority trust command on a port, the 802.1p priority of each inbound 802.1q-tagged packet is used to identify the matching local precedence for the packet (in the 802.1p-precedence-to-local precedence m...

  • Page 512

    1-15 ip precedence (in words) ip precedence (in digits) network 7 dscp dscp-value : specifies a dscp precedence in digits for the specified protocol, in the range of 0 to 63. Alternatively, you can specify the dscp precedence in words; available keywords are listed in table 1-7 . Table 1-7 dscp pre...

  • Page 513

    1-16 by default, the ip precedence and the dscp precedence are 0 for all protocol packets generated by the current switch. Related commands: display protocol-priority. On a switch 4500, you can set priority for protocol packets of telnet, snmp, and icmp. Examples # set the ip precedence to 3 for snm...

  • Page 514

    1-17 description use the qos cos-local-precedence-map command to configure the 802.1p priority-to-local precedence mapping. Use the undo qos cos-local-precedence-map command to restore the default settings. Table 1-8 lists the default 802.1p priority-to-local precedence mapping. Table 1-8 the defaul...

  • Page 516

    1-19 queue id weight 4 5 5 9 6 13 7 15 a port of a switch 4500 supports eight output queues, to which these queue scheduling algorithms are applicable: sp, wrr, and wfq. With wrr (or wfq) adopted, if you set the weight or the bandwidth of one or multiple queues to 0, the device will add the queue or...

  • Page 517

    1-20 [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] queue-scheduler wrr 1 2 3 4 5 6 7 8 # display the global queue scheduling configuration. [sysname-ethernet1/0/1] display queue-scheduler queue scheduling mode: weighted round robin weight of queue 0: 2 weight of queue 1: 2 weight of que...

  • Page 518

    1-21 on ethernet 1/0/1, assume that the filter command is configured to filter packets destined to ip address 2.2.2.2 and the traffic-limit command is configured to limit the rate of packets sourced from ip address 1.1.1.1 within 128 kbps. Whether packets conforming to the rate limit of 128 kbps, so...

  • Page 519

    1-22 system-view system view: return to user view with ctrl+z. [sysname] acl number 4000 [sysname-acl-ethernetframe-4000] rule permit source 200 [sysname-acl-ethernetframe-4000] quit [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] traffic-limit inbound link-group 4000 128 burst-bucket 64 ...

  • Page 520

    1-23 802.1p priority (in words) 802.1p priority (in digits) video 5 voice 6 network-management 7 local-precedence pre-value: sets the local precedence. The pre-value argument ranges from 0 to 7. Description use the traffic-priority command to configure priority marking on a port. Use the undo traffi...

  • Page 521

    1-24 system-view system view: return to user view with ctrl+z. [sysname] acl number 3000 [sysname-acl-adv-3000] rule permit udp source-port eq dns [sysname-acl-adv-3000] quit [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] traffic-priority inbound ip-group 3000 dscp cs2 # set the 802.1p p...

  • Page 522

    1-25 local-precedence pre-value: sets the local precedence, which is in the range 0 to 7. Description use the traffic-priority vlan command to configure priority marking for the packets received or transmitted by any ports in the specified vlan. Use the undo traffic-priority vlan command to cancel t...

  • Page 523

    1-26 remark-vlan remark-vlanid : specifies the target vlan id, to which the vlan ids of the packets matching specific acl rules are to be mapped. Description use the traffic-remark-vlanid command to enable vlan mapping and set the target vlan id for packets matching specific acl rules. Use the undo ...

  • Page 524

    1-27 examples # enable the wred function for queue 2 on ethernet 1/0/1, specifying to drop packets at random when the number of packets in queue 2 exceeds 64 and setting the dropping probability to 20%. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet1/0/1 [sysn...

  • Page 525: Table of Contents

    I table of contents 1 mirroring commands 1-1 mirroring commands 1-1 display mirroring-group...

  • Page 527

    1-2 type: remote-source status: active mirroring port: ethernet1/0/1 inbound reflector port: ethernet1/0/2 remote-probe vlan: 10 # display the configurations of a remote destination mirroring group on your ethernet switch. Display mirroring-group 3 mirroring-group 3: type: remote-destination status:...

  • Page 529

    1-4 view system view, ethernet port view parameters group-id : number of a port mirroring group, in the range 1 to 20. Mirroring-port mirroring-port-list : specifies a list of source ports. Mirroring-port-list is available in system view only, and there is no such argument in ethernet port view. Mir...

  • Page 530

    1-5 undo mirroring-group group-id monitor-port monitor-port view system view, ethernet port view parameters group-id : number of a port mirroring group, in the range 1 to 20. Monitor-port monitor-port : specifies the destination port for port mirroring. Monitor-port is available in system view only,...

  • Page 531

    1-6 parameters group-id : number of a port mirroring group, in the range 1 to 20. Reflector-port reflector-port : specifies the reflector port. Reflector-port is available in system view only, and there is no such argument in ethernet port view. Description use the mirroring-groupreflector-port comm...

  • Page 532

    1-7 description use the mirroring-group remote-probe vlan command to specify the remote-probe vlan for a remote source/destination mirroring group. Use the undo mirroring-group remote-probe vlan command to remove the configuration of remote-probe vlan for a remote source/destination mirroring group....

  • Page 533

    1-8
      • A copy of each packet passing through a source port will be sent to the corresponding destination port.
    Related commands: display mirroring-group. When you configure mirroring source port on an ethernet port of a switch 4500, if mirroring group 1 does not exist, the switch will automatically c...

  • Page 534

    1-9 • it is recommended that you use a destination port for port mirroring purpose only. Do not use a destination port to transmit other service packets. Related commands: display mirroring-group. When you configure mirroring destination port on an ethernet port of a switch 4500, if mirroring group ...

  • Page 535

    1-10 related commands: mirroring-group remote-probe vlan. Examples # configure vlan 5 as the remote-probe vlan. System-view system view: return to user view with ctrl+z. [sysname] vlan 5 [sysname-vlan5] remote-probe vlan enable.

  • Page 536: Table of Contents

    I table of contents: 1 xrn fabric commands (1-1); xrn fabric commands ...

  • Page 538

    1-2 • if you do not bring up the fabric port, you cannot change the unit id of a switch. • after the unit id of a device is changed, the unit id-related information of this device in the configuration file of the fabric will be upgraded automatically. If the unit id of a device changes from 2 to 4, ...

  • Page 539

    1-3 • unit ids in an xrn fabric are not always arranged in order of 1 to 8. • unit ids in an xrn fabric can be inconsecutive. • after the unit id of a device is changed, the unit id-related information of this device in the configuration file of the fabric will be upgraded automatically. If the unit...

  • Page 541

    1-5 table 1-1 display ftm information command output description field description ftm state ftm state: • disc state: in the topology discovery state. • listen state: in the topology discovery state, and the ftm slave device is listening. • hb state: the fabric operates normally. Unit id unit id: • ...

  • Page 542

    1-6 field description advertise : advertise ack : heart beat : left check : right check : auto update : numbers of various negotiation packets: • advertise • advertise ack • heart beat: heart beat packet, which is used to advertise topology connections to the units by the ftm-master after convergence...

  • Page 543

    1-7 field description priority priority value: • 10 means the switch adopts automatic numbering • 5 means the switch adopts manual numbering manual numbering has a higher priority than automatic numbering. Fabric-port fabric port, in a bus topology structure, the units at both ends of the bus have o...

  • Page 544

    1-8 # display the fabric port of the current device. Display xrn-fabric port gigabitethernet1/0/25 fabric peer: unknown fabric status: unknown fabric mode: unknown-speed mode, unknown-duplex mode input: 0 packets, 0 bytes, 0 input errors output: 7343 packets, 2250406 bytes, 0 output errors fabric sa...

  • Page 545

    1-9 ed unitid(4) in flash! Unit 1 saved unit id successfully. Unit 2 saved unit id successfully. Unit 3 saved unit id successfully. Unit 4 saved unit id successfully. Unit 5 saved unit id successfully. Unit 6 saved unit id successfully. Unit 7 saved unit id successfully. Unit 8 saved unit id success...

  • Page 546

    1-10 6 000f-cbb7-3264 10 left/ 1 a 7 000f-cbb7-2260 10 /right 1 a 8 000f-cbb7-2734 10 left/ 1 a from the above example, you can see the priority of each unit restores to 10 and the numbering mode changes from m (manual numbering) to a (automatic numbering). Fabric-port enable syntax fabric-port inte...

  • Page 547

    1-11 • establishing an xrn system requires a high consistency of the configuration of each device. Hence, before you bring up the fabric port, do not perform any configuration for the port, and do not enable some functions that affect the xrn for other ports or globally. Otherwise, you cannot bring ...

  • Page 549

    1-13 description use the port link-type command to configure an ethernet port as the fabric port. This command has the same function as the fabric-port enable command, and is available only in gigabit port view. By default, no port is configured as the fabric port. Note that: after you use the por...

  • Page 550

    1-14 parameters unit-id : unit id of a device. Unit-name : name of the specified unit, a string of 1 to 64 characters. Description use the set unit name command to set a name for a device. Device name visually identifies a device by showing its location, role in the fabric, and connected networks, t...

  • Page 551

    1-15 by default, the fabric name of a switch 4500 series ethernet switch is 4500. Examples # change the fabric name of the device to hello. Display xrn-fabric fabric name is 4500, system mode is l3. Unit name unit id first 1 second 2(*) system-view system view: return to user view with ctrl+z. [sysn...

  • Page 552: Table of Contents

    I table of contents: 1 cluster configuration commands (1-1); ndp configuration commands ...

  • Page 553

    Ii reboot member (1-40); snmp-host (1-41); tftp...

  • Page 554

    1-1 1 cluster configuration commands ndp configuration commands display ndp syntax display ndp [ interface interface-list ] view any view parameters interface interface-list : specifies a port list. You need to provide the interface-list argument in the form of { interface-type interface-number [ to...

  • Page 555

    1-2 status: enabled, pkts snd: 0, pkts rvd: 0, pkts err: 0 interface: ethernet1/0/3 status: enabled, pkts snd: 0, pkts rvd: 0, pkts err: 0 ……(omitted) # display ndp information about ethernet 1/0/1. Display ndp interface ethernet 1/0/1 interface: ethernet1/0/1 status: enabled, pkts snd: 15835, pkts ...

  • Page 556

    1-3 ndp enable syntax ndp enable [ interface interface-list ] undo ndp enable [ interface interface-list ] view system view, ethernet port view parameters interface-list : ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] } &, where to is u...

  • Page 557

    1-4 description use the ndp timer aging command to set the holdtime of the ndp information. This command specifies how long an adjacent device should hold the ndp neighbor information received from the local switch before discarding the information. Use the undo timer aging command to restore the de...

  • Page 558

    1-5 examples # set the interval between sending ndp packets to 80 seconds. System-view system view: return to user view with ctrl+z. [sysname] ndp timer hello 80 reset ndp statistics syntax reset ndp statistics [ interface interface-list ] view user view parameters interface-list : ethernet port lis...

  • Page 559

    1-6 ntdp configuration commands display ntdp syntax display ntdp view any view parameters none description use the display ntdp command to display the global ntdp information. The displayed information includes topology collection range (hop count), topology collection interval (ntdp timer), device/...

  • Page 560

    1-7 display ntdp device-list syntax display ntdp device-list [ verbose ] view any view parameters verbose : displays the detailed information of devices in a cluster. Description use the display ntdp device-list command to display the cluster device information collected by ntdp. Examples # display ...

  • Page 561

    1-8 peer mac peer port id native port id speed duplex 000f-e20f-3190 ethernet1/0/22 ethernet3/0/21 100 full ----------------------------------------------------------------------------- hostname : 4500-3 mac : 000f-e20f-3190 hop : 1 platform : switch 4500 ip : 16.1.1.1/24 version: 3com corporation s...

  • Page 562

    1-9 field description duplex duplex mode of the neighbor device port ntdp enable syntax ntdp enable undo ntdp enable view system view, ethernet port view parameters none description use the ntdp enable command to enable ntdp globally or on a port. Use the undo ntdp enable command to disable ntdp glo...

  • Page 563

    1-10 information from all devices in a specific network range (which can be set through the ntdp hop command) as well as the connection information of all its neighbors. Through this information, the management device or the network management software knows the topology in the network range, and th...

  • Page 564

    1-11 ntdp timer syntax ntdp timer interval-in-minutes undo ntdp timer view system view parameters interval-in-minutes : interval (in minutes) to collect topology information, ranging from 0 to 65,535. A value of 0 disables topology information collection. Description use the ntdp timer command to co...

  • Page 565

    1-12 parameters time : device forwarding delay in milliseconds. This argument ranges from 1 to 1,000. Description use the ntdp timer hop-delay command to set the delay for devices to forward topology collection requests. Use the undo ntdp timer hop-delay command to restore the default device forward...

  • Page 566

    1-13 you can use the command on a collecting switch. The delay value you set by the ntdp timer port-delay command is carried in the topology collection requests sent by the collecting switch, and is used by collected devices to determine the topology collection request forwarding delay between two p...

  • Page 567

    1-14 system view: return to user view with ctrl+z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] add-member 6 mac-address 000f-e20f-35e7 password 123456 administrator-address syntax administrator-address mac-address name name undo administrator-address view cluster view parameters mac-address : ma...

  • Page 568

    1-15 view cluster view parameters recover : recovers all member devices. Description use the auto-build command to start an automatic cluster building process. You can execute this command on a management device or on a switch to be configured as a management device. When you execute this command on...

  • Page 569

    1-16 collecting candidate list, please wait... #apr 3 08:12:32:832 2000 aaa_0.Sysname clst/5/cluster_trap:- 1 - oid:1.3.6.1.4.1.2011.6.7.1.0.3(hgmpmemberstatuschange):member 00.00.00.00.00.12. A9.90.22.40 role change, ntdpindex:0.00.00.00.00.00.12.A9.90.22.40, role:1 candidate list: name hops mac ad...

  • Page 570

    1-17 build syntax build name undo build view cluster view parameters name : name to be set for the cluster, a string of up to 8 characters, which can only be alphanumeric characters, minus signs (-), and underscores (_). Description use the build command to build a cluster with a cluster name or cha...

  • Page 571

    1-18 to reduce the risk of being attacked by malicious users against opened socket and enhance switch security, the switch 4500 series ethernet switches provide the following functions, so that a cluster socket is opened only when it is needed: • opening udp port 40000 (used for cluster) only when t...

  • Page 572

    1-19 cluster syntax cluster view system view parameters none description use the cluster command to enter cluster view. Examples # enter cluster view. System-view system view: return to user view with ctrl+z [sysname] cluster [sysname-cluster] cluster enable syntax cluster enable undo cluster enable ...

  • Page 573

    1-20 • when you execute undo cluster enable command on a device that does not belong to any cluster, the cluster function is disabled on the device, and thus you cannot create a cluster on the device or add the device to an existing cluster. Examples # enable the cluster function on the switch. Syst...

  • Page 574

    1-21 when you execute this command on the management device with a nonexistent member number or a mac address that is not in the member list, an error will occur. In this case, you can enter quit to end the switching. Examples # switch from the management device to number-6 member device and then sw...

  • Page 575

    1-22 system-view system view: return to user view with ctrl+z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] cluster-local-user public password simple 123 cluster-mac syntax cluster-mac h-h-h undo cluster-mac view cluster view parameters h-h-h : multicast mac address to be set for the cluster, i...

  • Page 576

    1-23 cluster-mac syn-interval syntax cluster-mac syn-interval time-interval view cluster view parameters time-interval : interval to send multicast mac synchronization packets, ranging from 0 to 30 minutes. Description use the cluster-mac syn-interval command to set the interval for the management ...

  • Page 577

    1-24 write : indicates that the community has read-write access right to mib objects, that is, an snmp nms is capable of configuring the devices when it uses this community name to access the agent. Community-name : community name, a string of 1 to 27 characters. View-name : mib view name, a string ...

  • Page 578

    1-25 authentication : specifies the security model of the snmp group as authentication only (without privacy). Privacy : specifies the security model of the snmp group as authentication and privacy. Read-view read-view : read view, a string of 1 to 32 characters. The default read view is viewdefault...

  • Page 579

    1-26 parameters view-name : view name, a string of 1 to 32 characters. The default view is viewdefault. Oid-tree : mib subtree, identified by the oid of the subtree root node or the name of the subtree root node. The value is a string of 1 to 255 characters. Included : indicates that all nodes of th...

  • Page 580

    1-27 groupname : group name, a string of 1 to 32 characters. Authentication-mode : specifies the security model as authentication. If you do not provide this keyword, the security model defaults to no authentication no privacy. Md5 : specifies the authentication protocol as md5. Md5 generates a 128-...

  • Page 581

    1-28 parameters member-id : member number of a member device, ranging from 1 to 255. To-black-list : adds the device removed from a cluster to the blacklist to prevent it from being added to the cluster. Description use the delete-member command to remove a member device from the cluster. Note that ...

  • Page 582

    1-29 description use the display cluster command to display the status and statistics information of the cluster to which the current switch belongs. Executing this command on a member device will display the following information: cluster name, member number of the current switch, mac address and s...

  • Page 583

    1-30 handshake timer:10 sec handshake hold-time:60 sec administrator device mac address:000f-e20f-3901 administrator status:up table 1-5 description on the fields of the display cluster command field description cluster name name of the cluster, which can be configured through the build command role...

  • Page 584

    1-31 candidate switches to be automatically added into the cluster, you can set the topology collection interval to zero (by using the ntdp timer command), which specifies not to perform topology collection periodically. Examples # display information about all candidate devices. Display cluster can...

  • Page 585

    1-32 table 1-7 description on the fields of display cluster candidates verbose field description hostname name of the candidate device mac mac address of the candidate device hop hops from the management device to the candidate device ip ip address of the candidate device platform platform of the ca...

  • Page 586

    1-33 # display detailed information about all devices in a cluster. Display cluster members verbose member number:0 name:aaa_0.Sysname device:switch 4500 mac address:000f-e20f-3901 member status:admin hops to administrator device:0 ip: 100.100.1.1/24 version: 3com corporation switch 4500 26-port sof...

  • Page 587

    1-34 field description name device name device device type mac address device mac address member status device status hops to administrator device hops from the device to the management device ip device ip address version software version of the device ftp cluster syntax ftp cluster view user view p...

  • Page 588

    1-35 user(none):hello 331 password required for hello. Password: 230 user logged in. Ftp-server syntax ftp-server ip-address undo ftp-server view cluster view parameters ip-address : ip address of the ftp server to be configured for the cluster. Description use the ftp-server command to configure a ...

  • Page 589

    1-36 view cluster view parameters seconds : neighbor information holdtime in seconds, ranging from 1 to 255. Description use the holdtime command to configure the neighbor information holdtime of the member switches. Use the undo holdtime command to restore the default holdtime value. By default, th...

  • Page 590

    1-37 description use the ip-pool command to configure a private ip address pool on the management device. Use the undo ip-pool command to cancel the ip address pool configuration. Before creating a cluster, you must first configure a private ip address pool. When a candidate device joins a cluster, ...

  • Page 591

    1-38 [aaa_0.Sysname-cluster] logging-host 10.10.10.9 management-vlan syntax management-vlan vlan-id undo management-vlan view system view parameters vlan-id : id of the vlan to be specified as the management vlan. Description use the management-vlan command to specify the management vlan on the sw...

  • Page 592

    1-39 parameters none description use the management-vlan synchronization enable command to enable the management vlan synchronization function for the cluster. Use the undo management-vlan synchronization enable command to disable the function. By default, the management vlan synchronization functio...

  • Page 593

    1-40 • by default, the management vlan interface is used as the nm interface. • there is only one nm interface on a management device; any newly configured nm interface will overwrite the old one. Examples # configure vlan-interface 2 as the nm interface. System-view system view: return to user view...

  • Page 594

    1-41 snmp-host syntax snmp-host ip-address undo snmp-host view cluster view parameters ip-address : ip address of a snmp network management station (nms) to be configured for the cluster. Description use the snmp-host command to configure a shared snmp nms for the cluster on the management device. U...

  • Page 595

    1-42 description use the tftp get command to download a file from a specific directory on the shared tftp server to the switch. You can use the tftp-server command on the management device to configure the shared tftp server of the cluster, which is used for software version update and configuration...

  • Page 596

    1-43 related commands: tftp get,tftp-server. You need to specify the cluster keyword completely in the command. Examples # upload file config.Cfg on the switch to the shared tftp server of the cluster and save it as temp.Cfg. Tftp cluster put config.Cfg temp.Cfg tftp-server syntax tftp-server ip-add...

  • Page 597

    1-44 timer syntax timer interval undo timer view cluster view parameters interval : interval (in seconds) to send handshake packets. This argument ranges from 1 to 255. Description use the timer command to set the interval between sending handshake packets. Use the undo timer command to restore the ...

  • Page 598

    1-45 description use the tracemac command to trace a device in a cluster through the specified destination mac address or ip address, and to display the path from the current device to the destination device. • when using the destination ip address to trace a device, the switch looks up the arp entr...

  • Page 599

    1-46 parameters mac-address : mac address of the device to be added to the blacklist. The format is h-h-h, for example, 000f-e298-e001. All : deletes all mac addresses in the current cluster blacklist. Description use the black-list add-mac command to add the specified mac address to the cluster black...

  • Page 600

    1-47 description use the display cluster base-members command to display the information about all the devices in the base cluster topology, such as member number, name, mac address, and the current status of each device in a cluster. Examples # display the information about all the devices in the b...

  • Page 602

    1-49 table 1-11 description on the fields of the display cluster black-list command field description device id id of the device in the blacklist, expressed by the mac address of the device access device id id of the device (in the cluster) that is connected with a device in the blacklist, expressed...

  • Page 603

    1-50 examples # display the topology of the current cluster. Display cluster current-topology -------------------------------------------------------------------- (peerport) connectflag (nativeport) [sysname:devicemac] -------------------------------------------------------------------- connectflag:...

  • Page 604

    1-51 to display information about a device that is enabled with only ntdp and is not in any cluster, you have to use the display ntdp single-device mac-address command. Examples # display the detailed information about the switch with the mac address 000f-e200-3956. Display ntdp single-device mac-ad...

  • Page 606

    1-53 topology restore-from syntax topology restore-from local-flash view cluster view parameters local-flash : restores the standard topology of the cluster from the local flash memory. Description use the topology restore-from command to restore the standard topology of the cluster from the flash m...

  • Page 607

    1-54 this command is applicable to only the management device of a cluster. Related commands: topology restore-from. Examples # enter cluster view. System-view system view: return to user view with ctrl+z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] # save the standard topology of the cluster to...

  • Page 608: Table of Contents

    I table of contents: 1 poe configuration commands (1-1); poe configuration commands ...

  • Page 609: Poe Configuration Commands

    1-1 1 poe configuration commands poe configuration commands display poe disconnect syntax display poe disconnect view any view parameters none description use the display poe disconnect command to view the current pd disconnection detection mode of the switch. Examples # display the pd disconnection...

  • Page 610

    1-2 examples # display the poe status of ethernet 1/0/10. Display poe interface ethernet1/0/10 port power enabled :enable port power on/off :on port power status :standard pd was detected port power mode :signal port pd class :0 port power priority :low port max power :15400 mw port current power :4...

  • Page 611

    1-3 ethernet1/0/1 on enable signal low standard pd was detected ethernet1/0/2 on enable signal low standard pd was detected ethernet1/0/3 off enable signal low detection is in process ethernet1/0/4 off enable signal low detection is in process ethernet1/0/5 off enable signal low detection is in proc...

  • Page 612

    1-4 description use the display poe interface power command to view the power information of a specific port of the switch. If the interface-type interface-number argument is not specified, the command displays the power information of all ports of the switch. Examples # display the power informatio...

  • Page 613

    1-5 pse software version :290 pse hardware version :000 pse cpld version :078 pse power-management mode :auto table 1-3 display poe powersupply command output description field description pse id identification of the pse pse legacy detection the enabled/disabled status of the nonstandard pd detecti...

  • Page 615

    1-7 if you delete the default configuration file without specifying another one, the poe function on a port will be disabled after you restart the device. You can use the display poe interface command to display whether poe is enabled on a port. Examples # enable the poe feature on ethernet 1/0/3. S...

  • Page 616

    1-8 parameters max-power : maximum power distributed to the port, ranging from 1,000 to 15,400, in mw. Description use the poe max-power command to configure the maximum power that can be supplied by the current port. Use the undo poe max-power command to restore the maximum power supplied by the cu...

  • Page 618

    1-10 description use the poe priority command to configure the poe priority of a port. Use the undo poe priority command to restore the default poe priority. By default, the poe priority of a port is low. When the available power of the pse is too small, the poe priority and the poe management mode ...

  • Page 619

    1-11 you can use the display poe temperature-protection command to display whether poe over-temperature protection is enabled on the switch. Examples # disable poe over-temperature protection on the switch. System-view system view: return to user view with ctrl+z. [sysname] undo poe temperature-prot...

  • Page 621

    2-1 2 poe profile configuration commands poe profile configuration commands apply poe-profile syntax in system view use the following commands: apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] undo apply poe-profile profile-name interfac...

  • Page 622

    2-2 poe profile is a set of poe configurations. One poe profile can contain multiple poe features. When the apply poe-profile command is used to apply a poe profile to a port, some poe features can be applied successfully while some cannot. Poe profiles are applied to switch 4500 according to the fo...

  • Page 623

    2-3 system-view system view: return to user view with ctrl+z. [sysname] display poe-profile name profile-test poe-profile: profile-test, 3 action poe enable poe max-power 5000 poe priority critical poe-profile syntax poe-profile profile-name undo poe-profile profile-name view system view parameters ...

  • Page 624: Table of Contents

    I table of contents: 1 udp helper configuration commands (1-1); udp helper configuration commands (1-1); displ...

  • Page 625

    1-1 1 udp helper configuration commands udp helper configuration commands display udp-helper server syntax display udp-helper server [ interface vlan-interface vlan-id ] view any view parameters vlan-id : vlan interface number. Description use the display udp-helper server command to display the udp...

  • Page 626

    1-2 view user view parameters none description use the reset udp-helper packet command to clear udp helper statistics. Examples # clear udp helper statistics. Reset udp-helper packet udp-helper enable syntax udp-helper enable undo udp-helper enable view system view parameters none description use th...

  • Page 627

    1-3 parameters port-number : number of the udp port with which udp packets are to be forwarded, in the range 0 to 65535 (except for 67 and 68). Dns : forwards domain name system (dns) data packets. The corresponding udp port number is 53. Netbios-ds : forwards netbios data packets. The corresponding...

  • Page 628

    1-4 udp-helper server syntax udp-helper server ip-address undo udp-helper server [ ip-address ] view vlan interface view parameters ip-address : ip address of the destination server, in dotted decimal notation. Description use the udp-helper server command to specify the destination server to which ...

  • Page 629: Table of Contents

    I table of contents: 1 snmp configuration commands (1-1); snmp configuration commands 1-...

  • Page 631

    1-2 parameters read : displays the information about the snmp communities with read-only permission. Write : displays the information about the snmp communities with read-write permission. Description use the display snmp-agent community command to display the information about the snmpv1/snmpv2c co...

  • Page 632

    1-3 field description storage-type storage type, which can be: • volatile: information will be lost if the system is rebooted • nonvolatile: information will not be lost if the system is rebooted • permanent: modification is permitted, but deletion is forbidden • readonly: read only, that is, no mod...

  • Page 633

    1-4 table 1-2 display snmp-agent group command output description field description group name snmp group name of the user security model snmp group security mode, which can be authpriv (authentication with privacy), authnopriv (authentication without privacy), and noauthnopriv (no authentication no...

  • Page 634

    1-5 view name:viewdefault mib subtree:iso subtree mask: storage-type: nonvolatile view type:included view status:active view name:viewdefault mib subtree:snmpusmmib subtree mask: storage-type: nonvolatile view type:excluded view status:active view name:viewdefault mib subtree:snmpvacmmib subtree mas...

  • Page 635

    1-6 examples # display the statistics on snmp packets. Display snmp-agent statistics 1276 messages delivered to the snmp entity 0 messages which were for an unsupported version 0 messages which used a snmp community name not known 0 messages which represented an illegal operation for the community s...

  • Page 636

    1-7 field description snmp pdus which had generr error-status the total number of snmp pdus which were delivered to the snmp protocol entity and for which the value of the error-status field is `generr'. Snmp pdus which had nosuchname error-status the total number of snmp pdus which were delivered t...

  • Page 637

    1-8 field description forwarded confirmed class pdus dropped silently the total number of confirmed class pdus (such as getrequest-pdus, getnextrequest-pdus, getbulkrequest-pdus, setrequest-pdus, and informrequest-pdus) delivered to the snmp entity which were silently dropped because the transmissio...

  • Page 638

    1-9 snmpv3 display snmp-agent trap-list syntax display snmp-agent trap-list view any view parameters none description use the display snmp-agent trap-list command to display the modules that can generate traps and whether the sending of traps is enabled on the modules. If a module contains multiple ...

  • Page 639

    1-10 parameters engineid : engine id, a string of 10 to 64 hexadecimal digits. User-name : snmpv3 username, a string of 1 to 32 characters. Group-name : name of an snmp group, a string of 1 to 32 characters. Description use the display snmp-agent usm-user command to display the information about a s...

  • Page 640

    1-11 enable snmp trap updown syntax enable snmp trap updown undo enable snmp trap updown view ethernet port view, interface view parameters none description use the enable snmp trap updown command to enable the sending of port/interface linkup/linkdown traps. Use the undo enable snmp trap updown com...

  • Page 641

    1-12 description use the snmp-agent command to enable the snmp agent. Use the undo snmp-agent command to disable the snmp agent. By executing the snmp-agent command or any of the commands used to configure the snmp agent, you can start the snmp agent. By default, the snmp agent is disabled. Examples...

  • Page 642

    1-13 description use the snmp-agent calculate-password command to encrypt a plain-text password to generate a cipher-text one by using the specified encryption algorithm. When creating an snmpv3 user, if you specify an authentication or privacy password as in cipher text, you need to use this comman...

  • Page 643

    1-14 description use the snmp-agent community command to create an snmp community. Snmpv1 and snmpv2c use community name to restrict access rights. You can use this command to configure a community name and configure read or write access right and acl. Use the undo snmp-agent community command to re...

  • Page 644

    1-15 write-view : read-write view name, a string of 1 to 32 characters. By default, no write view is configured, namely, the nms cannot perform the write operation on the mib objects of the device. Notify-view : notification view name in which traps can be sent, a string of 1 to 32 characters. By de...

  • Page 645

    1-16 group name: v3group security model: v3 authpriv readview: viewdefault writeview: notifyview : storage-type: nonvolatile acl:2001 snmp-agent local-engineid syntax snmp-agent local-engineid engineid undo snmp-agent local-engineid view system view parameters engineid : engine id, an even number of...

  • Page 646

    1-17 parameters set-operation : logs the set operations. Get-operation : logs the get operations. All : logs both the set operations and get operations. Description use the snmp-agent log command to enable network management operation logging. Use the undo snmp-agent log command to disable network m...

  • Page 647

    1-18 view-name : view name. Oid-tree : oid mib subtree of a mib subtree. It can be the id of a node in oid mib subtree (such as 1.4.5.3.1) or an oid (such as “system”). Mask mask-value: mask of a mib subtree, an even number of hexadecimal characters, in the range 2 to 32. An odd number of characters...

  • Page 648

    1-19 system-view system view: return to user view with ctrl+z. [sysname]snmp-agent community read rip2read mib-view rip2 [sysname]snmp-agent community write rip2write mib-view rip2 # create an snmp mib view with the name of view-a, mib subtree of 1.3.6.1.5.4.3.4 and subtree mask of fe. Mib nodes wit...

  • Page 649

    1-20 view system view parameters sys-contact : contact information for system maintenance, a string of up to 200 characters. Sys-location : geographical location of the device, a string of up to 200 characters. Version : specifies the snmp version to be employed. V1 : specifies snmpv1. V2c : specifi...

  • Page 652

    1-23 snmp-agent trap ifmib syntax snmp-agent trap ifmib link extended undo snmp-agent trap ifmib link extended view system view parameters none description use the snmp-agent trap ifmib link extended command to configure the extended trap. “interface description” and “interface type” are added into ...

  • Page 653

    1-24 snmp-agent trap life syntax snmp-agent trap life seconds undo snmp-agent trap life view system view parameters seconds : snmp trap aging time (in seconds) to be set, ranging from 1 to 2,592,000. Description use the snmp-agent trap life command to set the snmp trap aging time. Snmp traps exceedi...

  • Page 654

    1-25 after a trap is generated, it will enter the trap queue to be sent. The length of a trap queue decides the maximum number of traps in the queue. When a trap queue reaches the configured length, the newly generated traps will enter the queue, and the traps generated the earliest will be discarde...

  • Page 656

    1-27 [sysname] snmp-agent usm-user v2c userv2c readcom specify the snmp version of the nms as snmpv2c, fill the write community name field with userv2c. Then the nms can access the agent. # create an snmpv2c user userv2c in group readcom, permitting only the nms with an ip address 1.1.1.1 to access ...

  • Page 657

    1-28 acl-number : binds a user with an acl, where acl-number represents acl number, in the range 2000 to 2999. Using acls can restrict the source addresses of snmp messages, namely, permitting or refusing the snmp messages with specific source addresses, thus restricting access between the nms and t...

  • Page 658

    1-29 system-view [sysname] snmp-agent group v3 testgroup privacy [sysname] snmp-agent usm-user v3 testuser testgroup authentication-mode md5 authkey privacy-mode des56 prikey on the nms, set the version to snmpv3, the username to testuser, the authentication algorithm to md5 , the authentication pas...

  • Page 659: Rmon Configuration Commands

    2-1 2 rmon configuration commands rmon configuration commands display rmon alarm syntax display rmon alarm [ entry-number ] view any view parameters entry -number: alarm entry index, in the range 1 to 65535. Description use the display rmon alarm command to display the configuration of a specified a...

  • Page 660

    2-2 field description sampling interval sampling interval, in seconds. The system performs absolute or delta sampling on the sampled node at this interval. Rising threshold rising threshold. When the sampled value equals or exceeds the rising threshold, an alarm is triggered. Falling threshold falli...

  • Page 661

    2-3 event table 1 owned by user1 is valid. Description: null. Will cause log-trap when triggered, last triggered at 0days 00h:02m:27s. Table 2-2 display rmon event command output description field description event table index of an entry in the rmon event table valid the status of the entry identif...

  • Page 662

    2-4 less than(or =) 100 with alarm value 0. Alarm sample type is absolute. Table 2-3 display rmon eventlog command output description field description event table index of an entry in the rmon event table valid the status of the entry identified by the index is valid. Generates eventlog 1.1 at 0day...

  • Page 663

    2-5 history control entry 1 owned by user1 is valid samples interface : ethernet1/0/1 sampling interval : 5(sec) with 10 buckets max latest sampled values : dropevents : 0 , octets : 10035 packets : 64 , broadcast packets : 35 multicast packets : 8 , crc alignment errors : 0 undersize packets : 0 , ...

  • Page 664

    2-6 view any view parameters prialarm -entry-number: extended alarm entry index, in the range 1 to 65,535. Description use the display rmon prialarm command to display the configuration of an rmon extended alarm entry. If you do not specify the prialarm-entry-number argument, the configuration of al...

  • Page 665

    2-7 field description linked with event event index corresponding to an alarm when startup enables: risingorfallingalarm the condition under which an alarm is triggered, which can be: • risingorfallingalarm: an alarm is triggered when the rising or falling threshold is reached. • risingalarm: an ala...

  • Page 666

    2-8 interface : ethernet1/0/1 etherstatsoctets : 30561 , etherstatspkts : 217 etherstatsbroadcastpkts : 102 , etherstatsmulticastpkts : 25 etherstatsundersizepkts : 0 , etherstatsoversizepkts : 0 etherstatsfragments : 0 , etherstatsjabbers : 0 etherstatscrcalignerrors : 0 , etherstatscollisions : 0 ...

  • Page 667

    2-9 parameters entry -number: index of the alarm entry to be added/removed, in the range 1 to 65535. Alarm -variable: alarm variable, a string comprising 1 to 256 characters in dotted node oid format (such as 1.3.6.1.2.1.2.1.10.1). Only the variables that can be resolved to asn.1 integer data type (...

  • Page 668

    2-10 comparison operation the sample value is smaller than the set lower threshold (threshold-value2) triggering the event identified by the event-entry2 argument • before adding an alarm entry, you need to use the rmon event command to define the events to be referenced by the alarm entry. • make ...

  • Page 669

    2-11 description string: specifies the event description, a string of 1 to 127 characters. Log : logs events. Trap : sends traps to the nms. Trap -community: community name of the nms that receives the traps, a string of 1 to 127 characters. Log -trap: logs the event and sends traps to the nms. Log ...

  • Page 670

    2-12 description use the rmon history command to add an entry to the history control table. If you do not specify the owner text keyword/argument combination, the owner of the entry is displayed as “null”. Use the undo rmon history command to remove an entry from the history control table. You can u...

  • Page 671

    2-13 threshold -value2: lower threshold, in the range 0 to 2147483647. Event -entry2: index of the event entry that corresponds to the falling threshold, in the range 0 to 65535. Forever : specifies the corresponding rmon alarm instance is valid permanently. Cycle : specifies the corresponding rmon ...

  • Page 672

    2-14 • falling threshold: 5 • event 1 is triggered when the change ratio is larger than the rising threshold. • event 2 is triggered when the change ratio is less than the falling threshold. • the alarm entry is valid forever. • entry owner: user1 system-view system view: return to user view with ct...

  • Page 673

    2-15 for each port, only one rmon statistics entry can be created. That is, if an rmon statistics entry was already created for a given port, you will fail to create a statistics entry with a different index for the port. You can use the display rmon statistics command to display the information abo...

  • Page 674: Table of Contents

    I table of contents 1 ntp configuration commands 1-1 ntp configuration commands ...

  • Page 675: Ntp Configuration Commands

    1-1 1 ntp configuration commands to protect unused sockets against attacks by malicious users and improve security, 3com s4500 series ethernet switches provide the following functions: • udp port 123 is opened only when the ntp feature is enabled. • udp port 123 is closed as the ntp feature is disab...

  • Page 676

    1-2 examples # view the brief information of all sessions maintained by ntp services. Display ntp-service sessions source reference stra reach poll now offset delay disper ************************************************************************* [12345]3.0.1.32 locl 1 95 64 42 -14.3 12.9 2.7 [25]3.0...

  • Page 677

    1-3 field description total associations total number of associations an s4500 series switch does not establish a session with its client when it works in the ntp server mode, but does so when it works in other ntp implementation modes. Display ntp-service status syntax display ntp-service status vi...

  • Page 678

    1-4 field description reference clock id address of the remote server or id of the reference clock after the local clock is synchronized to a remote ntp server or a reference clock nominal frequency nominal frequency of the local hardware clock, in hz. Actual frequency actual frequency of the local ...

  • Page 679

    1-5 table 1-3 display ntp-service trace command output description field description server ip address of the ntp server stratum the stratum level of the corresponding system clock offset the clock offset relative to the upper-level clock, in milliseconds. Synch distance the synchronization distance...

  • Page 680

    1-6 ntp service access-control rights from the highest to the lowest are peer, server, synchronization, and query. When a local ntp server receives an ntp request, it will perform an access-control right match and will use the first matched right. The ntp-service access command only provides a minim...

  • Page 681

    1-7 ntp-service authentication-keyid syntax ntp-service authentication-keyid key-id authentication-mode md5 value undo ntp-service authentication-keyid key-id view system view parameters key-id : authentication key id, in the range of 1 to 4294967295. You can configure up to 1024 keys. Value : authe...

  • Page 682

    1-8 use the undo ntp-service broadcast-client command to remove the configuration. By default, no ntp operate mode is configured. Examples # configure the switch to operate in the broadcast client mode and receive ntp broadcast packets through vlan-interface 1. System-view system view: return to use...

  • Page 683

    1-9 view vlan interface view parameters none description use the ntp-service in-interface disable command to disable the interface from receiving ntp packets. Use the undo ntp-service in-interface disable command to restore the default. By default, the interface can receive ntp packets. Examples # d...

  • Page 684

    1-10 ntp-service multicast-client syntax ntp-service multicast-client [ ip-address ] undo ntp-service multicast -client [ ip-address ] view vlan interface view parameters ip-address : multicast ip address, in the range of 224.0.1.0 to 224.0.1.255. The default ip address is 224.0.1.1. Description use...

  • Page 685

    1-11 description use the ntp-service multicast-server command to configure an ethernet switch to operate in the ntp multicast server mode and send ntp multicast packets through the current interface. Use the undo ntp-service multicast-server command to remove the configuration. By default, no ntp op...

  • Page 686

    1-12 [sysname] ntp-service reliable authentication-keyid 37 ntp-service source-interface syntax ntp-service source-interface vlan-interface vlan-id undo ntp-service source-interface view system view parameters vlan-interface vlan-id : specifies an interface. The ip address of the interface serves as...

  • Page 687

    1-13 priority : specifies the peer identified by the remote-ip argument as the preferred peer for synchronization. Source-interface vlan-interface vlan-id : specifies an interface whose ip address serves as the source ip address of ntp packet sent to the peer. Vlan-id is the vlan interface number. Ve...

  • Page 688

    1-14 authentication-keyid key-id : specifies the key id used for sending packets to the ntp server. The key-id argument ranges from 1 to 4294967295. Priority : specifies the server identified by the remote-ip or the server-name argument as the preferred server. Source-interface vlan-interface vlan-i...

  • Page 689: Table of Contents

    I table of contents 1 ssh commands 1-1 ssh commands ...

  • Page 690: Ssh Commands

    1-1 1 ssh commands in this document, you can distinguish the local and peer as follows: if the local is an ssh server, the peer is an ssh client; if the local is an ssh client, the peer is an ssh server. Ssh commands display public-key local syntax display public-key local rsa public view any view p...

  • Page 691

    1-2 30819f300d06092a864886f70d010101050003818d0030818902818100c7c4d2e1c59a75908417c660ad1d5e b172ab6ee9aaf994db7a1c31eb87f750ee12a57832c6070fc008a5ee2b6675fd6a430575d97350e300a20feb 773d93d7c3565467b0ca6b95c07d3338c523743b49d82c5ec2c9458d248955846f9c32f4d25cc92d0e831e56 4bba6fae794eec6fcdedb822909cc...

  • Page 692

    1-3 --------------------------- rsa 1023 idrsa rsa 1024 18 # display the information about the public key named pubkey-name. Display public-key peer name pubkey-name ===================================== key name : pubkey-name key type : rsa key module: 1024 ===================================== key...

  • Page 694

    1-5 ===================================== key name : abcd key type : rsa key module: 1024 ===================================== key code: 30819f300d06092a864886f70d010101050003818d0030818902818100b0eec8768e310ae2ee44d65a2f944e 2e6f32290d1ecbbfff22aa11712151fc29f1c1cd6d7937723f77103576c41a03db32f32c4...

  • Page 695

    1-6 field description ver ssh version encry encryption algorithm used by ssh state session status retry number of connection retries sertype service type username user name display ssh server-info syntax display ssh server-info view any view parameters none description use the display ssh server-inf...

  • Page 696

    1-7 display ssh user-information syntax display ssh user-information [ username ] view any view parameters username : ssh user name, a string of 1 to 184 characters. It cannot contain any of these characters: slash (/), backslash (\), colon (:), asterisk (*), question mark (?), less than sign (<), an...

  • Page 697

    1-8 parameters none description use the display ssh2 source-ip command to display the current source ip address or the ip address of the source interface specified for the ssh client. If neither source ip address nor source interface is specified, the command displays 0.0.0.0. Related commands: ssh2...

  • Page 698

    1-9 description use the peer-public-key end command to return from public key view to system view. Related commands: rsa peer-public-key, public-key-code begin, public-key peer. Examples # exit public key view. System-view system view: return to user view with ctrl+z. [sysname] rsa peer-public-key s...

  • Page 699

    1-10 • if you have configured a user interface to support ssh protocol, to ensure a successful login to the user interface, you must configure aaa authentication for the user interface by using the authentication-mode scheme command. • for a user interface, if you have executed the authentication-mo...

  • Page 700

    1-11 the range of public key size is (512 ~ 2048). Notes: if the key modulus is greater than 512, it will take a few minutes. Input the bits in the modulus[default = 1024]: generating keys... ...++++++ ...................................................................++++++ ...........................

  • Page 702

    1-13 .................++++++++ .....++++++++ ....... # display the host public key in the openssh format. [sysname]public-key local export rsa openssh ssh-rsa aaaab3nzac1yc2eaaaadaqabaaaagmspi+xikhkao6e9lwlkwn+en9eqw/6fiyeilvkcpia0 6it4esyq4oldeiz9woroidqx3roo4fmatr/qcsk3c9whe1qz/4sovl1ehddgzqcumkks...

  • Page 703

    1-14 pkey public key view: return to system view with "peer-public-key end". [sysname-peer-public-key] public-key peer import sshkey syntax public-key peer keyname import sshkey filename undo public-key peer keyname view system view parameters keyname : name of the public key , a string of 1 to 64 c...

  • Page 704

    1-15 notes: if the key modulus is greater than 512, it will take a few minutes. Input the bits in the modulus[default = 1024]: generating keys... ...............................................++++++ ......++++++ .................++++++++ .....++++++++ ....... [sysname] public-key local export rsa s...

  • Page 705

    1-16 [sysname-rsa-key-code] 1991c164b0df178c55fa833591c7d47d5381d09ce82913 [sysname-rsa-key-code] d7edf9c08511d83ca4ed2b30b809808eb0d1f52d045de4 [sysname-rsa-key-code] 0861b74a0e135523ccd74cac61f8e58c452b2f3f2da0dc [sysname-rsa-key-code] c48e3306367fe187bdd944018b3b69f3cbb0a573202c16 [sysname-rsa-ke...

  • Page 706

    1-17 rsa local-key-pair create syntax rsa local-key-pair create view system view parameters none description use the rsa local-key-pair create command to generate an rsa key pair for the current switch. Note that: • after entering this command, you will be prompted to provide the length of the key m...

  • Page 707

    1-18 028180 f0c0eda9 fa2e2fac 4b16ca34 677f1861 a13e89be 6aaac326 4e17268d efaded1a fca39047 52f18422 b8c875df 3626150d 4057ee12 371d5e62 57d34a16 5045a403 fa805f72 b2780c9a 041ed99e 2841f600 ab30db10 821ef338 1fa54fe5 3dc79e46 74e45127 3d4ca70f 253645da 57524dc3 513bac53 2c1b7f8f 2481fa79 d4aa15c7 ...

  • Page 708

    1-19 parameters keyname : name of the public key to be configured , a string of 1 to 64 characters. Description use the rsa peer-public-key command to enter public key view. Use the undo rsa peer-public-key command to remove the setting. After using this command, you can use the public-key-code begi...

  • Page 709

    1-20 after execution of this command, the system automatically transforms the public key file into pkcs format, and imports the peer public key. This requires that you get a copy of the public key file from the peer through ftp/tftp. • only public key files in the format of ssh1 or ssh2 are supporte...

  • Page 710

    1-21 use the undo ssh authentication-type default command to remove the specified default authentication mode. That is, no default authentication mode is specified for ssh users. In this case, when an ssh user is added, you must specify an authentication mode for the user at the same time. By defaul...

  • Page 711

    1-22 both the publickey and rsa-key keywords indicate specifying the publickey key. They are implemented with the same method. Description use the ssh client assign command to specify the name of the public key of the server on the client so that the client can authenticate whether the server to be ...

  • Page 712

    1-23 description use the ssh client first-time enable command to enable the client to run first-time authentication for the ssh server it accesses for the first time. Use the undo ssh client first-time command to disable the client from running first-time authentication. By default, the client is en...

  • Page 713

    1-24 if you have used the ssh user authentication-type command to configure the authentication type of a user to password-publickey, you must set the authentication retry times to a number greater than or equal to 2 (so that the user can access the switch). Related commands: display ssh server. Exam...

  • Page 717

    1-28 after the configuration, the subsequent authentications are implemented automatically without asking you to enter the password. • password-publickey authentication takes the advantages of both the password authentication and publickey authentication. An ssh user must pass both types of authenti...

  • Page 718

    1-29 description use the ssh user service-type command to configure service type for a user so that the user can access specified service(s). Use the undo ssh user service-type command to remove the service type specified for an ssh user. The default service type for an ssh user is stelnet. Related ...

  • Page 719

    1-30 • aes128 : aes_128 encryption algorithm. Prefer_ctos_hmac : specifies the preferred client-to-server hmac (hash-based message authentication code) algorithm, which is sha1_96 by default. Prefer_stoc_hmac : specifies the preferred server-to-client hmac algorithm, which is sha1_96 by default. • s...

  • Page 720

    1-31 description use the ssh2 source-interface command to specify a source interface for the ssh client. If the specified interface does not exist, the command fails. Use the undo ssh2 source-interface command to cancel the source interface setting. You can configure an ip address by specifying the ...

  • Page 721

    1-32 view system view parameters interface-type : source interface type. Interface-number : source interface number. Description use the ssh-server source-interface command to specify a source interface for the ssh server. If the specified interface does not exist, the command fails. Use the undo ss...

  • Page 722

    1-33 system-view system view: return to user view with ctrl+z. [sysname] ssh-server source-ip 192.168.0.1.

  • Page 723: Table of Contents

    I table of contents 1 file system management configuration commands 1-1 file system configuration commands 1-1 cd ...

  • Page 724: Commands

    1-1 1 file system management configuration commands the 3com 4500 series ethernet switches support expandable resilient networking (xrn), and allow you to access a file on a switch in one of the following ways: • to access a file on the specified unit, you need to specify the file in universal resou...

  • Page 725

    1-2 parameters directory : target directory. Description use the cd command to enter a specified directory on the ethernet switch. The default directory when a user logs onto the switch is the root directory of flash memory. Examples # enter the directory test from the root directory. Cd test # retu...

  • Page 727

    1-4 delete the running config file? [y/n]: delete the running web file? [y/n]: delete the backup image file? [y/n]: delete the backup config file? [y/n]: delete the backup web file? [y/n]: the corresponding files will be deleted after you choose yes. For deleted files whose names are the same, only ...

  • Page 728

    1-5 view user view parameters /all : specifies to display the information about all the files, including those stored in the recycle bin. /fabric : specifies to display the information about all the specified files in the fabric. File -url: path name or the name of a file in the flash memory. You ca...

  • Page 729

    1-6 7239 kb total (1720 kb free) (*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute # display information about all the files (including the files in the recycle bin) in the root directory of the file system of the fabric. Dir /all /fabric directory of unit...

  • Page 730

    1-7 parameters filename : batch file, with the extension .Bat. Description use the execute command to execute the specified batch file. Executing a batch file is to execute a set of commands in the batch file one by one. Note that: • a batch file cannot contain any invisible character. If any invisib...

  • Page 731

    1-8 • if the prompt mode is set to alert, the following messages will be displayed when you delete a file: delete unit1>flash:/te.Txt delete unit1>flash:/te.Txt?[y/n]:y ...... %delete file unit1>flash:/te.Txt...Done. The system waits for you to confirm for 30 seconds. If you do not input any confirm...

  • Page 732

    1-9 format syntax format device view user view parameters device : name of a device. Description use the format command to format the flash memory. The format operation clears all the files on the flash memory, and the operation is irretrievable. Examples # format the flash memory. Format unit1>flas...

  • Page 733

    1-10 • to use this command to create a subdirectory, the specified directory must exist. For instance, to create subdirectory flash:/test/mytest, the test directory must exist. Otherwise, you will fail to create the subdirectory. Examples # create a directory in the current directory, with the name ...

  • Page 734

    1-11 # vlan 2 # return move syntax move fileurl-source fileurl-dest view user view parameters fileurl -source: name of the source file. Fileurl -dest: name of the target file. Description use the move command to move a file to a specified directory. If the target file name is the same as an existing...

  • Page 735

    1-12 view user view parameters none description use the pwd command to display the current working path of the login user. Examples # display the current working path. Pwd unit1>flash: rename syntax rename fileurl-source fileurl-dest view user view parameters fileurl -source: original path name or f...

  • Page 736

    1-13 parameters file -url: path name or file name of a file in the flash memory. This argument supports the wildcard “*”. For example, *.Txt means all the files with an extension of txt. /force : specifies not to prompt for confirmation before deleting files. /fabric : specifies to clear the recycle...

  • Page 737

    1-14 7239 kb total (2730 kb free) //the above information indicates that in directory flash:, there are two files a.Cfg and b.Cfg in the recycle bin. • delete the files in directory flash: that are already in the recycle bin. Reset recycle-bin clear flash:/~/a.Cfg ?[y/n]:y clearing files from flash ...

  • Page 738

    1-15 rmdir syntax rmdir directory view user view parameters directory : name of a directory. Description use the rmdir command to delete a directory. As only empty directories can be deleted, you need to clear a directory before deleting it. Examples # delete the directory named dd. Rmdir dd rmdir u...

  • Page 739

    1-16 update fabric syntax update fabric file-name view user view parameters file-name : name of the file to be upgraded, a string comprising 1 to 64 characters. Description use the update fabric command to use an app file, boot rom or web file on a device in the fabric to upgrade all the units in th...

  • Page 740

    1-17 fabric name is fab, system mode is l3. Fabric authentication : no authentication, number of units in stack: 1. Unit name unit id first 1(*) first 2 first 8 update fabric test.Bin this will update the fabric. Continue? [y/n] y the software is verifying ... The result of verification is : unit id...

  • Page 741

    1-18 the boot, web and configuration file's backup-attribute and main-attribute will exchange. Are you sure? [y/n] y the boot, web and configuration file's backup-attribute and main-attribute successfully exchanged on unit 1! The boot, web and configuration file's backup-attribute and main-attribute...

  • Page 742

    1-19 view user view parameters file -url: path or the name of the app file in the flash memory, a string comprising 1 to 64 characters. Fabric : specifies to apply the configuration to the whole fabric. Description use the boot boot-loader backup-attribute command to configure an app file of the fab...

  • Page 743

    1-20 description use the boot web-package command to configure a web file in the fabric to be with the main or backup attribute. • before configuring the main or backup attribute for a web file in the fabric, make sure the file exists on all devices in the fabric. • the configuration of the main or ...

  • Page 744

    1-21 the main boot app is: test.Bin the backup boot app is: testbak.Bin display web package syntax display web package view any view parameters none description use the display web package command to display information about the web file used by the device, including the name of the currently used ...

  • Page 745

    1-22 examples # specify to prompt users to use customized passwords to enter the boot menu. Startup bootrom-access enable display startup unit 1 mainboard: current startup saved-configuration file: flash:/config.cfg next main startup saved-configuration file: flash:/config.cfg next backup startup sa...

  • Page 746

    1-23 # back up the current configuration of the whole fabric to the file aaa.cfg on the tftp server whose ip address is 1.1.1.253. Backup fabric current-configuration to 1.1.1.253 aaa.cfg backup current configuration to 1.1.1.253. Please wait... File will be transferred in binary mode. Copying file ...

  • Page 747

    1-24 unit 7: restore startup current configuration finished! # restore the startup configuration of the whole fabric from the file bbb.cfg on the tftp server with the ip address 1.1.1.253. Restore fabric startup-configuration from 1.1.1.253 bbb.cfg restore startup configuration from 1.1.1.253. Pleas...

  • Page 748: Table of Contents

    I table of contents 1 ftp and sftp configuration commands 1-1 ftp server configuration commands 1-1 displa...

  • Page 749

    Ii sftp client configuration commands 1-26 bye 1-26 cd...

  • Page 750

    1-1 1 ftp and sftp configuration commands ftp server configuration commands display ftp-server syntax display ftp-server view any view parameters none description use the display ftp-server command to display the ftp server-related settings of a switch when it operates as an ftp server, including st...

  • Page 751

    1-2 the 3com switch 4500 supports one user access at one time when it serves as the ftp server. Display ftp-server source-ip syntax display ftp-server source-ip view any view parameters none description use the display ftp-server source-ip command to display the source ip address set for an ftp serv...

  • Page 752

    1-3 description use the display ftp-user command to display the information of the ftp users that have logged in to the switch, including the user name, host ip address, port number, idle timeout time, and authorized directory. For how to create an ftp user on an ftp server, refer to the aaa part of...

  • Page 753

    1-4 description use the ftp disconnect command to terminate the connection between a specified user and the ftp server. With a 3com switch 4500 acting as the ftp server, if you attempt to disconnect a user that is uploading/downloading data to/from the ftp server, the switch 4500 will disconnect the...

  • Page 754

    1-5 to protect unused sockets from being attacked by malicious users, the 3com switch 4500 provides the following functions: • tcp 21 is enabled only when you start the ftp server. • tcp 21 is disabled after you shut down the ftp server. Related commands: display ftp-server. Examples # enable the ft...

  • Page 755

    1-6 ftp-server source-interface syntax ftp-server source-interface interface-type interface-number undo ftp-server source-interface view system view parameters interface-type : type of the interface serving as the source interface of an ftp server. The interface type can be a loopback interface or a...

  • Page 756

    1-7 use the undo ftp-server source-ip command to cancel the source ip address setting. By default, no source ip address is specified for an ftp server, and an ftp client can use any reachable address on the ftp server as the destination address to connect to an ftp server. Examples # specify 192.168...

  • Page 757

    1-8 200 type set to a. Binary syntax binary view ftp client view parameters none description use the binary command to specify that program files be transferred in binary mode, which is used for transferring program files. By default, files are transferred in ascii mode. Related commands: ascii. Exa...

  • Page 758

    1-9 cd syntax cd path view ftp client view parameters path : path of the target directory. Description use the cd command to change the working directory on the remote ftp server. Note that you can use this command to enter only authorized directories. Related commands: pwd. Examples # change the wo...

  • Page 759

    1-10 # display the current directory. [ftp] pwd 257 "flash:" is current directory. Close syntax close view ftp client view parameters none description use the close command to terminate an ftp connection without quitting ftp client view. This command has the same effect as that of the disconnect com...

  • Page 760

    1-11 dir syntax dir [ filename [ localfile ] ] view ftp client view parameters filename : name of the file to be queried. Localfile : name of the local file where the query result is to be saved. Description use the dir command to query specified files on a remote ftp server, or to display file info...

  • Page 761

    1-12 -rwxrwxrwx 1 noone nogroup 5286666 oct 18 2006 switch5.bin -rwxrwxrwx 1 noone nogroup 306 may 13 11:17 swithc001 226 transfer complete. Ftp: 1025 byte(s) received in 0.019 second(s) 53.00k byte(s)/sec. # display information about file config.cfg and save the information to file temp1. [ftp] dir...

  • Page 762

    1-13 for the ftp client, the configured source ip address will be displayed. If neither a source ip address nor source interface is specified for the ftp client, 0.0.0.0 will be displayed. If no source ip address is specified for the ftp client, the switch searches the entry with the destination as ...

  • Page 763

    1-14 view user view parameters cluster : connects to the configured ftp server of a cluster. For the configuration of the ftp server of a cluster, refer to the cluster part of this manual. Remote-server : host name or ip address of an ftp server, a string of 1 to 20 characters. Interface-type : type...

  • Page 764

    1-15 ftp source-interface syntax ftp source-interface interface-type interface-number undo ftp source-interface view system view parameters interface-type : type of the source interface, which can be vlan interface or loopback interface. Interface-number : number of the source interface. Description...

  • Page 765

    1-16 description use the ftp source-ip command to specify the source ip address that the switch uses every time it connects to an ftp server, and the configuration will be saved to the configuration file of the system. The value of argument ip-address must be an ip address on the device where the...

  • Page 766

    1-17 examples # download file temp.c. [ftp] get temp.c 227 entering passive mode (2,2,2,2,4,12). 125 ascii mode data connection already open, transfer starting for temp.c. ..226 transfer complete. Ftp: 15 byte(s) received in 2.568 second(s) 0.00 byte(s)/sec. Lcd syntax lcd view ftp client view param...

  • Page 767

    1-18 the ls command only displays file names on an ftp server. To query other file-related information, for example, file size, creation date and so on, use the dir command. Related commands: pwd. Examples # display the names of all the files in the current directory on the remote ftp server. [ftp] ...

  • Page 769

    1-20 description use the passive command to set the data transfer mode to the passive mode. Use the undo passive command to set the data transfer mode to the active mode. By default, the passive mode is adopted. The differences between the passive mode and the active mode are: • when working in the ...

  • Page 770

    1-21 pwd syntax pwd view ftp client view parameters none description use the pwd command to display the working directory on an ftp server. Related commands: cd, cdup, dir, ls. Examples # display the working directory on the ftp server. [ftp] pwd 257 "flash:/temp" is current directory. Quit syntax q...

  • Page 771

    1-22 view ftp client view parameters protocol-command: ftp protocol command. Description use the remotehelp command to display the help information about an ftp protocol command. This command works only when the ftp server provides the help information about ftp protocol commands. • this command is...

  • Page 772

    1-23 250 file renamed successfully rmdir syntax rmdir pathname view ftp client view parameters pathname : name of a directory on an ftp server. Description use the rmdir command to remove a specified directory on an ftp server. Note that you can only use this command to remove directories that are e...

  • Page 773

    1-24 verbose syntax verbose undo verbose view ftp client view parameters none description use the verbose command to enable the verbose function, which displays execution information of user operations and all ftp responses. Use the undo verbose command to disable the verbose function. The verbose f...

  • Page 774

    1-25 view system view parameters none description use the sftp server enable command to enable the sftp server. Use the undo sftp server command to disable the sftp server. By default, the sftp server is disabled. Examples # enable the sftp server. System-view system view: return to user view with c...

  • Page 775

    1-26 sftp client configuration commands bye syntax bye view sftp client view parameters none description use the bye command to terminate a connection with the remote sftp server and return to system view. This command has the same effect as that of the commands exit and quit. Examples # terminate t...

  • Page 776

    1-27 examples # change the working path to new1. Sftp-client>cd new1 received status: success current directory is: /new1 sftp-client> cdup syntax cdup view sftp client view parameters none description use the cdup command to change the working path on the remote sftp server and return to the parent...

  • Page 778

    1-29 display sftp source-ip syntax display sftp source-ip view any view parameters none description use the display sftp source-ip command to display the source ip address specified for the current sftp client. If you have specified a source interface for the sftp client, this command displays the i...

  • Page 779

    1-30 get syntax get remote-file [ local-file ] view sftp client view parameters remote-file : name of a file on the remote sftp server. Local-file : name of a local file. Description use the get command to download a file from the remote server. By default, the remote file name is used for the file ...

  • Page 781

    1-32 examples # create a directory named hj on the remote sftp server. Sftp-client>mkdir hj received status: success new directory created put syntax put local-file [ remote-file ] view sftp client view parameters local-file : name of a local file. Remote-file : name of a file on the remote sftp ser...

  • Page 782

    1-33 sftp-client> pwd / quit syntax quit view sftp client view parameters none description use the quit command to terminate a connection with the remote sftp server and return to system view. This command has the same effect as that of the commands bye and exit. Examples # terminate a connection wi...

  • Page 783

    1-34 this operation may take a long time.Please wait... Received status: success file successfully removed rename syntax rename oldname newname view sftp client view parameters oldname : old file name. Newname : new file name. Description use the rename command to rename a specified file on the remo...

  • Page 785

    1-36 if you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the sftp server. Since both rsa and dsa are available for public key authentication, you need to use the identity-key key word to specify the algorithms to...

  • Page 786

    1-37 sftp source-ip syntax sftp source-ip ip-address undo sftp source-ip view system view parameters ip-address : source ip address to be set. Description use the sftp source-ip command to specify a source ip address for the sftp client. If the specified ip address is not the ip address of the local...

  • Page 787: Tftp Configuration Commands

    2-1 2 tftp configuration commands tftp configuration commands when accessing a tftp server configured with an ipv6 address, use the tftp ipv6 command. For details, refer to the ipv6 management part in this manual. Display tftp source-ip syntax display tftp source-ip view any view parameters none des...

  • Page 789

    2-3 description use the tftp get command to download a file from a tftp server, and save it to the local storage device. Different from the ftp function, the working directory of a tftp server cannot be changed or specified on a tftp client. To enter another working directory, you need to modify the...

  • Page 790

    2-4 parameters tftp-server : ip address or the host name of a tftp server, a string of 1 to 20 characters. If the switch belongs to a cluster, the value cluster means to connect to the tftp server of the cluster. For the configuration of the tftp server of a cluster, refer to the cluster part in thi...

  • Page 791

    2-5 description use the tftp tftp-server source-interface command to connect to a tftp server through the specified source interface, and perform download or upload operations. If the specified source interface does not exist, a prompt appears to show the command fails to be executed. Examples # con...

  • Page 792

    2-6 view system view parameters interface-type interface-number : source interface that the switch uses every time it connects to the tftp server. Description use the tftp source-interface command to specify the source interface of a tftp client that the tftp client uses every time it connects to a ...

  • Page 793

    2-7 examples # specify 192.168.0.1 as the source ip address that the tftp client uses every time it connects to a tftp server. System-view system view: return to user view with ctrl+z. [sysname] tftp source-ip 192.168.0.1 tftp-server acl syntax tftp-server acl acl-number undo tftp-server acl view sy...

  • Page 794: Table of Contents

    I table of contents 1 information center configuration commands 1-1 information center configuration commands 1-1 display cha...

  • Page 796

    1-2 description use the display info-center command to display the operation status of information center, the configuration of information channels, the format of time stamp and the information output in case of fabric. Related commands: info-center enable, info-center loghost, info-center logbuffe...

  • Page 797

    1-3 field description snmp agent information about snmp agent, including name and number of its information channel log buffer information about the log buffer, including its state (enabled or disabled), its maximum size, current size, current messages, information channel name and number, number of...

  • Page 799

    1-5 field description overwritten messages the number of overwritten messages (when the buffer size is not big enough to hold all messages, the latest messages overwrite the old ones). Current messages the number of the current messages display logbuffer summary syntax display logbuffer summary [ le...

  • Page 800

    1-6 absence of the size buffersize argument indicates that all trap information is displayed. Examples # display the status of the trap buffer and the records in the trap buffer. Display trapbuffer trapping buffer configuration and contents:enabled allowed max buffer size : 1024 actual buffer size :...

  • Page 802

    1-8 parameters none description use the info-center enable command to enable the information center. Use the undo info-center enable command to disable the information center. The switch can output system information to the log host, the console, and other destinations only when the information cent...

  • Page 803

    1-9 related commands: info-center enable, display info-center. Examples # configure the system to output information to the log buffer with the size of 50. System-view system view: return to user view with ctrl+z. [sysname] info-center logbuffer size 50 info-center loghost syntax info-center loghost...

  • Page 804

    1-10 examples # configure the system to output system information to the unix log host whose ip address is 202.38.160.1. System-view system view: return to user view with ctrl+z. [sysname] info-center loghost 202.38.160.1 info-center loghost source syntax info-center loghost source interface-type in...

  • Page 805

    1-11 channel-name: channel name, by default, the name of channel 0 to channel 9 is (in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent, channel6, channel7, channel8, channel9. Description use the info-center monitor channel command to set the channel through which information is ...

  • Page 807

    1-13 • after you separately set the output rules for a module, you must use the module-name argument to modify or remove the rules. The new configuration by using the default keyword is invalid on the module. • you can configure to output the log, trap and debugging information to the trap buffer, b...

  • Page 808

    1-14 # set the output channel for the log information of vlan module to snmpagent and to output information with severity being emergencies. Log information of other modules and all the other system information cannot be output to this channel. System-view [sysname] info-center source default channe...

  • Page 811

    1-17 parameters date : specifies to adopt the current system date and time, in the format of mmm dd hh:mm:ss:ms yyyy. No-year-date : specifies to adopt the current system date and time excluding the year, in the format of mmm dd hh:mm:ss:ms. None : specifies not to include time stamp in the output i...

  • Page 812

    1-18 related commands: info-center enable, display info-center. Examples # enable the system to output trap information to the trap buffer, whose size is set to 30. System-view system view: return to user view with ctrl+z. [sysname] info-center trapbuffer size 30 reset logbuffer syntax reset logbuff...

  • Page 813

    1-19 terminal debugging syntax terminal debugging undo terminal debugging view user view parameters none description use the terminal debugging command to enable debugging terminal display. Use the undo terminal debugging command to disable debugging terminal display. By default, debugging terminal ...

  • Page 814

    1-20 terminal monitor syntax terminal monitor undo terminal monitor view user view parameters none description use the terminal monitor command to enable the debugging/log/trap information terminal display function. Use the undo terminal monitor command to disable the function. By default, this func...

  • Page 815

    1-21 by default, trap terminal display is enabled. Examples # enable trap terminal display. Terminal trapping.

  • Page 816: Table of Contents

    I table of contents 1 basic system configuration and debugging commands 1-1 basic system configuration commands 1-1 clock datetime...

  • Page 819

    1-2 view user view parameters zone-name : name of the summer time, a string of 1 to 32 characters. One-off : sets the summer time for only one year (the specified year). Repeating : sets the summer time for every year starting from the specified year. Start-time : start time of the summer time, in t...

  • Page 820

    1-3 parameters zone-name : name of the time zone, in length of 1 to 32 characters. Add : specifies to add a time value based on the universal time coordinated (utc) time to generate a later time. Minus : specifies to subtract a time value based on the utc time to generate an earlier time. Hh:mm:ss :...

  • Page 821

    1-4 examples # return from system view to user view. System-view system view: return to user view with ctrl+z. [sysname] quit # return to system view from ethernet port view. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] quit [sy...

  • Page 822

    1-5 view system view parameters sysname : system name of the ethernet switch. It is a string of 1 to 30 characters. By default, it is 3com. Description use the sysname command to set the system name of an ethernet switch. Use the undo sysname command to restore the default system name of the etherne...

  • Page 823

    1-6 view any view parameters none description use the display clock command to display the current date, time, timezone and summertime of the system, so that you can adjust them if they are wrong. The maximum date and time that can be displayed by this command is 23:59:59 9999/12/31. Related command...

  • Page 824

    1-7 description use the display debugging command to display enabled debugging on a specified device or the whole fabric. Examples # display enabled debugging on unit 1. Display debugging unit 1 ip icmp debugging is on rip packet debugging switch is on rip receive debugging switch is on rip send deb...

  • Page 826

    1-9 parameters none description use the display diagnostic-information command to display or save the running statistics of the system function modules. If you choose to save the statistics, the system will save the statistics to a file with the extension .diag in the flash memory. Examples # save t...

  • Page 827

    1-10 note that: • to display the debugging information on the terminal, you need to configure both the terminal debugging and terminal monitor commands. • if you execute the undo terminal monitor command, you will disable the monitoring of the log, trap, and debugging information on the current term...

  • Page 828

    2-1 2 network connectivity test commands network connectivity test commands ping syntax ping [ -a ip-address ] [-c count ] [ -d ] [ -f ] [ -h ttl ] [ -i interface-type interface-number ] [ ip ] [ -n ] [ - p pattern ] [ -q ] [ -s packetsize ] [ -t timeout ] [ -tos tos ] [ -v ] string view any view pa...

  • Page 829

    2-2 -t timeout : specifies the timeout time (in milliseconds) before an icmp echo-reply packet is received after an icmp echo-request packet is sent. The timeout argument ranges from 0 to 65535 ms and defaults to 2,000 ms. -tos tos: specifies the tos value of the icmp echo-request packets in the ran...

  • Page 830

    2-3 0% packet loss round-trip min/avg/max = 1/2/3 ms the above output information indicates that the destination host is reachable. Each probe packet from the source device has got a reply, with the minimum/average/maximum packet roundtrip time being 1ms/2ms/3ms. Tracert syntax tracert [ -a source-i...

  • Page 831

    2-4 the executing procedure of the tracert command is as follows: first, the source sends a packet with the ttl of 1, and the first hop device returns an icmp error message indicating that it cannot forward this packet because of ttl timeout. Then, the source resends a packet with the ttl of 2, and ...

  • Page 833

    3-2 parameters file-url: path plus name of a boot rom file (that is, a .btm file) in the flash, a string of 1 to 64 characters. Device-name : file name, beginning with a device name in the form of unit[no.]>flash, used to indicate that the specified file is stored in the flash memory of a specifie...

  • Page 834

    3-3 display cpu syntax display cpu [ unit unit-id ] view any view parameters unit-id : unit id of a switch. Description use the display cpu command to display the cpu usage. Examples # display the cpu usage of this switch. Display cpu unit 1 board 0 cpu busy status: 12% in last 5 seconds 12% in last...

  • Page 835

    3-4 description use the display device command to display the information, such as the module type and operating status, about each board (main board and sub-board) of a specified switch. You can use this command to display the following information about each board, including slot number, sub-slot ...

  • Page 836

    3-5 examples # display the working states of the fans. Display fan unit 1 fan 1 state: normal the above information indicates that the fan works normally. Display memory syntax display memory [ unit unit-id ] view any view parameters unit-id : unit id of a switch. Description use the display memory ...

  • Page 837

    3-6 parameters unit-id : unit id of a switch. Power-id : power id. Description use the display power command to display the working state of the power supply of the switch. Examples # display the working state of the power supply. Display power unit 1 power 1 state : normal type : ac the above infor...

  • Page 838

    3-7 description use the display transceiver alarm interface command to display the current alarm information of a single or all transceivers. If no error occurs, none is displayed. Table 3-5 shows the alarm information that may occur for the four types of transceivers. Table 3-5 description on the f...

  • Page 839

    3-8 field remarks tx power low tx power is low. Module not ready module is not ready. Apd supply fault apd (avalanche photo diode) supply fault tec fault tec (thermoelectric cooler) fault wavelength unlocked wavelength of optical signal exceeds the manufacturer's tolerance. Temp high temperature is ...

  • Page 840

    3-9 field remarks transceiver info i/o error transceiver information read and write error transceiver info checksum error transceiver information checksum error transceiver type and port configuration mismatch transceiver type does not match port configuration. Transceiver type not supported by port...

  • Page 841

    3-10 table 3-7 description on the fields of display transceiver diagnosis interface field description transceiver diagnostic information digital diagnosis information of the transceiver carried by an interface current diagnostic parameters current diagnostic parameters temp.(°C) digital diagnosis pa...

  • Page 842

    3-11 table 3-8 description on the fields of the display transceiver interface command field description transceiver information transceiver information of the interface transceiver type transceiver type connector type type of the connectors of the transceiver: • optical connectors, including sc (sc ...

  • Page 843

    3-12 description use the display transceiver manuinfo interface command to display part of the electrical label information of a single or all anti-spoofing pluggable transceivers customized by h3c. Examples # display part of the electrical label information of the anti-spoofing pluggable transceive...

  • Page 844

    3-13 examples # directly restart this switch without saving the current configuration. Reboot start to check configuration with next startup configuration file, please wait...... This command will reboot the device. Current configuration will be lost in next startup if you continue. Continue? [y/n] ...

  • Page 845

    3-14 • after you execute the schedule reboot at command with a specified future date, the switch will reboot at the specified time with at most one minute delay. • after you execute the schedule reboot at command without specifying a date, the switch will reboot at the specified time on the current ...

  • Page 846

    3-15 • after you execute the command, the system will prompt you to confirm. Enter "Y" or "y" for your setting to take effect. Your setting will overwrite the previous one (if a setting already exists). • if you adjust the system time by the clock command after executing the schedule reboot...

  • Page 847

    3-16 after you execute the command, the system will prompt you to confirm. Enter "Y" or "y" for your setting to take effect. Your setting will overwrite the previous one (if available). If you adjust the system time by the clock command after executing the schedule reboot regularity command, the con...

  • Page 849

    3-18 device-name : file name, in the form of unit[no.]>flash:, which is used to indicate that the specified file is stored in the flash of a specified switch. Description use the xmodem get command to download files from the local device connected with the console port of a switch through xmodem. Th...

  • Page 850: Table of Contents

    I table of contents 1 vlan-vpn configuration commands 1-1 vlan-vpn configuration commands 1-1 displ...

  • Page 851

    1-1 1 vlan-vpn configuration commands vlan-vpn configuration commands display port vlan-vpn syntax display port vlan-vpn view any view parameters none description use the display port vlan-vpn command to display the information about vlan-vpn configuration of the current system. Related commands: vl...

  • Page 852

    1-2 field description vlan-vpn inner-cos-trust the status of the inner-to-outer tag priority replicating feature, enable (enabled) or disable (disabled). You can use the vlan-vpn inner-cos-trust command to configure the feature. Vlan-vpn tpid tpid value of the port, which can be configured through t...

  • Page 853

    1-3 examples # enable the vlan-vpn feature for ethernet 1/0/1 port. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] vlan-vpn enable vlan-vpn inner-cos-trust syntax vlan-vpn inner-cos-trust enable undo vlan-vpn inner-cos-trust view ...

  • Page 854

    1-4 view ethernet port view parameters inner-priority : 802.1p priority of the inner vlan tag in a packet. This argument can be in the range 0 to 7 or a keyword listed in table 1-2 . Outer-priority : priority for the outer vlan tag in a packet. This argument can be in the range 0 to 7 or a keyword l...

  • Page 855

    1-5 system-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] vlan-vpn priority 3 remark 5 vlan-vpn tpid syntax vlan-vpn tpid value undo vlan-vpn tpid view ethernet port view parameters value : user-defined tpid value (in hexadecimal format)...

  • Page 856

    1-6 besides the default tpid value, you can configure only one tpid value on a switch 4500 switch. Examples # set the tpid value to 0x9100 for ethernet 1/0/2 port. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/2 [sysname-ethernet1/0/2] vlan-vpn tpid 9100

  • Page 858

    2-2 vlan 4093 is a special vlan reserved for the xrn fabric feature. It cannot serve as the destination vlan of the inter-vlan mac address replicating feature to receive mac address entries from the other vlans. Examples # enable the inter-vlan mac address replicating feature for ethernet1/0/1 to r...

  • Page 859

    2-3 a packet cannot be tagged with different outer vlan tags. To change the outer vlan tag of a packet, you need to remove the existing outer vlan tag configuration and configure a new outer vlan tag. Before configuring this command in qinq view, you need to use the vlan-vpn vid command to configure...

  • Page 860

    2-4 if xrn fabric is enabled on a device, the selective qinq policy cannot be configured on any port of the device. By default, no selective qinq policy is configured on a port. After specifying an outer vlan tag and entering qinq view, you need to use the raw-vlan-id inbound command to specify which v...

  • Page 861: Table of Contents

    I table of contents 1 remote-ping commands 1-1 remote-ping commands...

  • Page 862: Remote-Ping Commands

    1-1 1 remote-ping commands remote-ping commands count syntax count times undo count view remote-ping test group view parameter times : number of the test packets to be sent in each test. It is in the range 1 to 15 and defaults to 1. Description use the count command to configure the number of packet...

  • Page 863

    1-2 view remote-ping test group view parameter ip-address : destination ip address in a test. Description use the destination-ip command to configure the destination ip address in the test. Use the undo destination-ip command to remove the configured destination ip address. By default, no destinatio...

  • Page 864

    1-3 remote-ping entry(admin administrator, tag icmp) test result: destination ip address:1.1.1.99 send operation times: 10 receive response times: 10 min/max/average round trip time: 2/5/2 square-sum of round trip time: 66 last complete test time: 2000-4-2 7:59:54.7 extend result: sd maximal delay: ...

  • Page 865

    1-4 2 1 1 0 2004-11-25 16:28:55.0 3 1 1 0 2004-11-25 16:28:55.0 4 1 1 0 2004-11-25 16:28:55.0 5 1 1 0 2004-11-25 16:28:55.0 6 2 1 0 2004-11-25 16:28:55.0 7 1 1 0 2004-11-25 16:28:55.0 8 1 1 0 2004-11-25 16:28:55.0 9 1 1 0 2004-11-25 16:28:55.9 10 1 1 0 2004-11-25 16:28:55.9 table 1-2 description on ...

  • Page 866

    1-5 view remote-ping test group view parameter interval : automatic test interval. It ranges from 0 to 65535 seconds and defaults to 0 seconds which means no automatic test. Description use the frequency command to configure an automatic test interval. Use the undo frequency command to disable autom...

  • Page 867

    1-6 example # create a remote-ping test group, where the administrator name is "administrator" and the test operation tag is "icmp". System-view system view: return to user view with ctrl+z. [sysname] remote-ping administrator icmp [sysname-remote-ping-administrator-icmp] remote-ping-agent enable s...

  • Page 868

    1-7 description use the test-enable command to execute a remote-ping test. Use the undo test-enable command to disable a remote-ping test. After you execute the test-enable command, the system does not display the test result. You may view the test result information by executing the display remot...

  • Page 869

    1-8 timeout syntax timeout time undo timeout view remote-ping test group view parameter time : timeout time. It ranges from 1 to 60 seconds and defaults to 3 seconds. Description use the timeout command to configure a timeout time for a test. Use the undo timeout command to restore to the default ti...

  • Page 870: Table of Contents

    I table of contents 1 ipv6 configuration commands 1-1 basic ipv6 configuration commands...

  • Page 871: Ipv6 Configuration Commands

    1-1 1 ipv6 configuration commands basic ipv6 configuration commands display ipv6 fib syntax display ipv6 fib view any view parameters none description use the display ipv6 fib command to display all the ipv6 fib entries. The switch looks up a matching ipv6 fib entry for forwarding an ipv6 packet. Ex...

  • Page 872

    1-2 nexthop : 2008::3610 flag : gsu timestamp : date- 5/7/2006, time- 14:35:32 interface : vlan-interface1 table 1-1 description on the fields of the display ipv6 fib command field description total number of routes total number of routes in the fib destination destination address to which a packet ...

  • Page 873

    1-3 table 1-2 description on the fields of the display ipv6 host command field description host host name age time for the entry to live, displayed as 0 in the case of static configuration. Flags flag indicating whether the entry is configured statically or acquired dynamically ipv6address (es) ipv6...

  • Page 874

    1-4 nd reachable time is 30000 milliseconds nd retransmit interval is 1000 milliseconds hosts use stateless autoconfig for addresses table 1-3 description on the fields of the display ipv6 interface command field description vlan-interface1 current state vlan interface link state: administratively...

  • Page 875

    1-5 table 1-4 description on the fields of the display ipv6 interface brief command field description *down: administratively down the interface is down, that is, the interface is disabled by using the shutdown command. (s) : spoofing spoofing attribute of the interface, that is, the link protocol s...

  • Page 876

    1-6 include : displays the neighbor entries matching the specified regular expression. The regular expression supports various special characters. For details, refer to the display current-configuration command in configuration file management command. Description use the display ipv6 neighbors co...

  • Page 878

    1-8 examples # display summary information about the routing table. Display ipv6 route-table routing table: destinations : 4 routes : 4 destination: ::1/128 protocol: direct nexthop : ::1 interface : inloopback0 destination: 2008::/64 protocol: direct nexthop : 2008::32 interface : vlan-interface1 d...

  • Page 879

    1-9 interface : inloopback0 state : active table 1-7 description on the fields of the display ipv6 route-table verbose command field description destinations number of reachable destination networks/hosts routes number of routing entries destination destination network/host ipv6 address. Prefixlengt...

  • Page 880

    1-10 socket state = ss_priv ss_async sock_dgram: sock_raw: table 1-8 description on the fields of the display ipv6 socket command field description sock_stream socket type, which can be: sock_stream (refers to tcp), sock_dgram (refers to udp), sock_raw (refers to raw ip). Task task name and id of...

  • Page 881

    1-11 ipv6 protocol: sent packets: total: 580 local sent out: 550 forwarded: 0 raw packets: 30 discarded: 0 routing failed: 0 fragments: 0 fragments failed: 0 received packets: total: 572 local host: 572 hopcount exceeded: 0 format error: 0 option error: 0 protocol error: 0 fragments: 0 reassembled: ...

  • Page 882

    1-12 field description sent packets: total: 580 local sent out: 550 forwarded: 0 raw packets: 0 discarded: 0 routing failed: 0 fragments: 0 fragments failed: 0 statistics of sent ipv6 packets, including: total number of sent packets; number of packets sent locally; number of forwarded packets; ...

  • Page 883

    1-13 field description received packets: total: 126 checksum error: 0 too short: 0 bad code: 0 unreached: 10 too big: 0 hopcount exceeded: 0 reassembly timeout: 0 parameter problem: 0 unknown error type: 0 echoed: 17 echo replied: 30 neighbor solicit: 34 neighbor advert: 35 router solicit: 0 router ...

  • Page 884

    1-14 window probe packets: 0, window update packets: 0 checksum error: 0, offset error: 0, short error: 0 duplicate packets: 0 (0 bytes), partially duplicate packets: 0 (0 bytes) out-of-order packets: 3 (0 bytes) packets with data after window: 0 (0 bytes) packets after close: 0 ack packets: 239 (61...

  • Page 885

    1-15 field description sent packets: total: 331 urgent packets: 0 control packets: 5 (including 0 rst) window probe packets: 0, window update packets: 0 data packets: 306 (6135 bytes) data packets retransmitted: 0 (0 bytes) ack only packets: 20 (14 delayed) statistics of sent packets, including: t...

  • Page 886

    1-16 examples # view the ipv6 tcp connection status. Display tcp ipv6 status tcp6cb local address foreign address state 83a9fba4 ::->23 ::->0 listening table 1-11 description on the fields of the display tcp ipv6 status command field description tcp6cb ipv6 address of the tcp control block (hexadeci...

  • Page 887

    1-17 table 1-12 description on the fields of the display udp ipv6 statistics command field description total total number of received/sent packets checksum error total number of packets with an invalid checksum shorter than header total number of ipv6 udp packets whose total length is less than that...

  • Page 888

    1-18 method i: system-view system view: return to user view with ctrl+z. [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ipv6 address 2001::1/64 method ii: system-view system view: return to user view with ctrl+z. [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ipv6 add...

  • Page 889

    1-19 examples # configure the vlan-interface 1 to automatically generate a link-local address. System-view system view: return to user view with ctrl+z. [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ipv6 address auto link-local ipv6 address eui-64 syntax ipv6 address ipv6-address/pr...

  • Page 890

    1-20 ipv6 is enabled, link-local address is fe80::2e0:fcff:fe00:3100 global unicast address(es): 2001::2e0:fcff:fe00:3100, subnet is 2001::/64 joined group address(es): ff02::1:ff00:3100 ff02::1 mtu is 1500 bytes nd dad is enabled, number of dad attempts: 1 nd reachable time is 30000 milliseconds nd...

  • Page 891

    1-21 examples # configure a link-local address for the vlan-interface 1. System-view system view: return to user view with ctrl+z. [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ipv6 address fe80::1 link-local ipv6 host syntax ipv6 host hostname ipv6-address undo ipv6 host hostname [...

  • Page 892

    1-22 interval : update period of the token bucket in milliseconds, in the range of 0 to 2,147,483,647. Description use the ipv6 icmp-error command to configure the maximum number of ipv6 icmp error packets sent within a specified time. Use the undo ipv6 icmp-error command to restore the update perio...

  • Page 893

    1-23 ipv6 nd hop-limit syntax ipv6 nd hop-limit value undo ipv6 nd hop-limit view system view parameters value : number of hops, in the range of 0 to 255. Description use the ipv6 nd hop-limit command to configure the hop limit of icmpv6 reply packets. Use the undo ipv6 nd hop-limit command to resto...

  • Page 894

    1-24 system view: return to user view with ctrl+z. [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ipv6 nd ns retrans-timer 10000 ipv6 nd nud reachable-time syntax ipv6 nd nud reachable-time value undo ipv6 nd nud reachable-time view vlan interface view parameters value : neighbor rea...

  • Page 895

    1-25 interface-type interface-number : vlan interface type and interface number corresponding to a static neighbor entry. Description use the ipv6 neighbor command to configure a static neighbor entry. Use the undo ipv6 neighbor command to remove a static neighbor entry. Note that: you can configure...

  • Page 896

    1-26 examples # set the maximum number of neighbors that can be dynamically learned on the interface vlan-interface 1. System-view system view: return to user view with ctrl+z. [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ipv6 neighbors max-learning-num 10 ipv6 route-static syntax ...

  • Page 898

    1-28 reset tcp ipv6 statistics syntax reset tcp ipv6 statistics view user view parameters none description use the reset tcp ipv6 statistics command to clear the statistics of all ipv6 tcp packets. You can use the display tcp ipv6 statistics command to display the statistics of ipv6 tcp packets. Exa...

  • Page 899

    1-29 parameters wait-time : length of the finwait timer of ipv6 tcp packets in seconds, in the range of 76 to 3,600. Description use the tcp ipv6 timer fin-timeout command to set the finwait timer of ipv6 tcp packets. Use the undo tcp ipv6 timer fin-timeout command to restore the finwait timer length...

  • Page 900

    1-30 parameters size : size of ipv6 tcp receiving/sending buffer in kb (kilobyte), in the range of 1 to 32. Description use the tcp ipv6 window command to set the size of ipv6 tcp receiving/sending buffer. Use the undo tcp ipv6 window command to restore the size of ipv6 tcp receiving/sending buffer ...

  • Page 902

    2-2 examples # test whether destination 2001::1 is accessible. Ping ipv6 2001::1 ping 2001::1 : 56 data bytes, press ctrl_c to break reply from 2001::1 bytes=56 sequence=1 hop limit=64 time = 20 ms reply from 2001::1 bytes=56 sequence=2 hop limit=64 time = 0 ms reply from 2001::1 bytes=56 sequence=3...

  • Page 903

    2-3 telnet ipv6 syntax telnet ipv6 remote-system [ -i interface-type interface-number ] [ port-number ] view user view parameters remote-system : ipv6 address or host name (a string of 1 to 46 characters) of the destination device. -i interface-type interface-number: specifies the type and number of ...

  • Page 904

    2-4 view user view parameters remote-system : ipv6 address or host name (a string of 1 to 46 characters) of the destination device. -i interface-type interface-number: specifies the type and number of an interface. This argument takes effect only when the address of the tftp server is a link-local ad...

  • Page 905

    2-5 -w timeout: specifies the timeout in milliseconds of waiting for icmpv6 echoes, ranging from 1 to 65,535, with the default of 5,000 milliseconds. Remote-system : ipv6 address or host name (a string of 1 to 46 characters) of the destination device. Description use the tracert ipv6 command to trace the...

  • Page 906: Table of Contents

    I table of contents 1 access management configuration commands 1-1 access management configuration commands 1-1 am enable...

  • Page 907

    1-1 1 access management configuration commands access management configuration commands am enable syntax am enable undo am enable view system view parameters none description use the am enable command to enable the access management function. Use the undo am enable command to disable the function. B...

  • Page 908

    1-2 view ethernet port view parameters all : specifies all the ip addresses (or ip address pools). Address-list : ip address list. You need to provide this argument in the format of start-ip-address [ ip-address-number ] & , where start-ip-address is the start ip address of an ip address range in th...

  • Page 909

    1-3 undo am trap enable view system view parameters none description use the am trap enable command to enable the access management trap function. Use the undo am trap enable command to disable the access management trap function. By default, the access management trap function is disabled. Examples...

  • Page 910

    1-4 ethernet1/0/2 status : enabled ip pools : (null) table 1-1 description on the fields of the display am command field description status access management state of a port: enabled or disabled ip pools access management ip pools. Null means the access management ip pool is not configured. Each ip ...

  • Page 911: Appendix A Command Index

    A-1 appendix a command index the command index includes all the commands in the command manual, which are arranged alphabetically. A b c d e f g h i j k l m n o p q r s t u v w x y z a access-limit 17-aaa command 1-1 accounting 17-aaa command 1-2 accounting optional 17-aaa command 1-3 accounting opt...

  • Page 912

    A-2 authentication-mode 01-login command 1-1 authorization 17-aaa command 1-6 authorization vlan 17-aaa command 1-6 auto-build 25-cluster command 1-14 auto-execute command 01-login command 1-3 b backup current-configuration 31-file system management command 1-22 binary 32-ftp-sftp-tftp command 1-8 b...

  • Page 913

    A-3 checkzero 14-routing protocol command 3-1 clock datetime 34-system maintenance and debugging command 1-1 clock summer-time 34-system maintenance and debugging command 1-1 clock timezone 34-system maintenance and debugging command 1-2 close 32-ftp-sftp-tftp command 1-10 cluster 25-cluster command...

  • Page 914

    A-4 delete 32-ftp-sftp-tftp command 1-27 delete static-routes all 14-routing protocol command 2-1 delete-member 25-cluster command 1-27 description 03-vlan command 1-1 description 06-port basic configuration command 1-4 description 21-acl command 1-2 destination-ip 36-remote-ping command 1-1 detect-...

  • Page 916

    A-6 display dhcp-server 20-dhcp commands 1-8 display dhcp-server interface 20-dhcp commands 1-10 display dhcp-snooping 20-dhcp commands 2-8 display dhcp-snooping trust 20-dhcp commands 2-8 display diagnostic-information 34-system maintenance and debugging command 1-8 display dldp 10-dldp command 1-1...

  • Page 917

    A-7 display icmp statistics 04-ip address and performance optimization command 2-6 display igmp-snooping configuration 15-multicast command 2-1 display igmp-snooping group 15-multicast command 2-2 display igmp-snooping statistics 15-multicast command 2-3 display info-center 33-information center com...

  • Page 918

    A-8 display ipv6 route-table 37-ipv6 management command 1-7 display ipv6 socket 37-ipv6 management command 1-9 display ipv6 statistics 37-ipv6 management command 1-10 display isolate port 08-port isolation command 1-1 display lacp system-id 07-link aggregation command 1-4 display link-aggregation in...

  • Page 919

    A-9 display packet-filter 21-acl command 1-5 display poe disconnect 26-poe-poe profile command 1-1 display poe interface 26-poe-poe profile command 1-1 display poe interface power 26-poe-poe profile command 1-3 display poe powersupply 26-poe-poe profile command 1-4 display poe temperature-protection...

  • Page 920

    A-10 display rmon eventlog 28-snmp-rmon command 2-3 display rmon history 28-snmp-rmon command 2-4 display rmon prialarm 28-snmp-rmon command 2-5 display rmon statistics 28-snmp-rmon command 2-7 display route-policy 14-routing protocol command 4-3 display rsa local-key-pair public 30-ssh command 1-3 ...

  • Page 921

    A-11 display stp root 13-mstp command 1-9 display system-guard ip state 16-802.1x and system guard command 4-1 display system-guard ip-record 16-802.1x and system guard command 4-2 display system-guard l3err state 16-802.1x and system guard command 4-2 display system-guard tcn state 16-802.1x and sy...

  • Page 922

    A-12 display version 34-system maintenance and debugging command 1-7 display vlan 03-vlan command 1-2 display vlan 05-voice vlan command 1-3 display voice vlan error-info 05-voice vlan command 1-1 display voice vlan oui 05-voice vlan command 1-1 display voice vlan status 05-voice vlan command 1-2 di...

  • Page 923

    A-13 dot1x timer 16-802.1x and system guard command 1-17 dot1x timer acl-timeout 16-802.1x and system guard command 2-2 dot1x timer reauth-period 16-802.1x and system guard command 1-18 dot1x url 16-802.1x and system guard command 2-2 dot1x version-check 16-802.1x and system guard command 1-19 duple...

  • Page 924

    A-14 ftp source-interface 32-ftp-sftp-tftp command 1-15 ftp source-ip 32-ftp-sftp-tftp command 1-15 ftp timeout 32-ftp-sftp-tftp command 1-5 ftp-server 25-cluster command 1-35 ftp-server source-interface 32-ftp-sftp-tftp command 1-6 ftp-server source-ip 32-ftp-sftp-tftp command 1-6 g get 32-ftp-sftp...

  • Page 925

    A-15 if-match interface 14-routing protocol command 4-5 if-match ip next-hop 14-routing protocol command 4-6 if-match tag 14-routing protocol command 4-6 igmp host-join 15-multicast command 2-15 igmp-snooping 15-multicast command 2-4 igmp-snooping fast-leave 15-multicast command 2-5 igmp-snooping ge...

  • Page 926

    A-16 info-center trapbuffer 33-information center command 1-17 instance 13-mstp command 1-10 interface 06-port basic configuration command 1-16 interface vlan-interface 03-vlan command 1-4 ip address 04-ip address and performance optimization command 1-5 ip address bootp-alloc 20-dhcp commands 3-4 i...

  • Page 927

    A-17 k key 17-aaa command 1-36 l lacp enable 07-link aggregation command 1-5 lacp port-priority 07-link aggregation command 1-5 lacp system-priority 07-link aggregation command 1-6 lcd 32-ftp-sftp-tftp command 1-17 level 17-aaa command 1-15 line-rate 22-qos command 1-9 link-aggregation group descrip...

  • Page 928

    A-18 mac-address max-mac-count 11-mac address table management command 1-5 mac-address multicast interface 15-multicast command 1-2 mac-address multicast vlan 15-multicast command 1-3 mac-address security 09-port security command 1-5 mac-address timer 11-mac address table management command 1-6 mac-...

  • Page 929

    A-19 mkdir 32-ftp-sftp-tftp command 1-18 mkdir 32-ftp-sftp-tftp command 1-31 monitor-port 23-mirroring command 1-8 more 31-file system management command 1-10 move 31-file system management command 1-11 multicast static-group interface 15-multicast command 2-16 multicast static-group vlan 15-multica...

  • Page 930

    A-20 ntp-service in-interface disable 29-ntp command 1-8 ntp-service max-dynamic-sessions 29-ntp command 1-9 ntp-service multicast-client 29-ntp command 1-10 ntp-service multicast-server 29-ntp command 1-10 ntp-service reliable authentication-keyid 29-ntp command 1-11 ntp-service source-interface 29...

  • Page 931

    A-21 poe update 26-poe-poe profile command 1-11 poe-profile 26-poe-poe profile command 2-3 port 03-vlan command 1-7 port access vlan 03-vlan command 1-8 port hybrid pvid vlan 03-vlan command 1-9 port hybrid vlan 03-vlan command 1-9 port isolate 08-port isolation command 1-1 port link-aggregation gro...

  • Page 932

    A-22 public-key local export rsa 30-ssh command 1-12 public-key peer 30-ssh command 1-13 public-key peer import sshkey 30-ssh command 1-14 public-key-code begin 30-ssh command 1-15 public-key-code end 30-ssh command 1-16 put 32-ftp-sftp-tftp command 1-20 put 32-ftp-sftp-tftp command 1-32 pwd 31-file...

  • Page 933

    A-23 remote-probe vlan enable 23-mirroring command 1-9 remove 32-ftp-sftp-tftp command 1-33 rename 31-file system management command 1-12 rename 32-ftp-sftp-tftp command 1-22 rename 32-ftp-sftp-tftp command 1-34 reset 14-routing protocol command 3-11 reset arp 19-arp commands 1-8 reset counters inte...

  • Page 934

    A-24 reset udp statistics 04-ip address and performance optimization command 2-16 reset udp-helper packet 27-udp helper commands 1-1 restore startup-configuration 31-file system management command 1-23 retry 12-auto detect command 1-6 retry 17-aaa command 1-46 retry realtime-accounting 17-aaa comman...

  • Page 935

    A-25 rsa peer-public-key import sshkey 30-ssh command 1-19 rule (for advanced acls) 21-acl command 1-12 rule (for basic acls) 21-acl command 1-10 rule (for layer 2 acls) 21-acl command 1-19 rule (for user-defined acls) 21-acl command 1-22 rule comment 21-acl command 1-25 s save 02-configuration file...

  • Page 936

    A-26 sftp timeout 32-ftp-sftp-tftp command 1-25 shell 01-login command 1-22 shutdown 03-vlan command 1-5 shutdown 06-port basic configuration command 1-24 snmp-agent 28-snmp-rmon command 1-11 snmp-agent calculate-password 28-snmp-rmon command 1-12 snmp-agent community 01-login command 2-2 snmp-agent...

  • Page 937

    A-27 ssh server authentication-retries 30-ssh command 1-23 ssh server timeout 30-ssh command 1-24 ssh user 30-ssh command 1-24 ssh user assign 30-ssh command 1-26 ssh user authentication-type 30-ssh command 1-27 ssh user service-type 30-ssh command 1-28 ssh2 30-ssh command 1-29 ssh2 source-interface...

  • Page 938

    A-28 stp pathcost-standard 13-mstp command 1-28 stp point-to-point 13-mstp command 1-29 stp port priority 13-mstp command 1-31 stp portlog 13-mstp command 1-32 stp portlog all 13-mstp command 1-32 stp priority 13-mstp command 1-33 stp region-configuration 13-mstp command 1-33 stp root primary 13-mst...

  • Page 939

    A-29 system-view 34-system maintenance and debugging command 1-5 t tcp ipv6 timer fin-timeout 37-ipv6 management command 1-28 tcp ipv6 timer syn-timeout 37-ipv6 management command 1-29 tcp ipv6 window 37-ipv6 management command 1-29 tcp timer fin-timeout 04-ip address and performance optimization co...

  • Page 940

    A-30 tftp put 32-ftp-sftp-tftp command 2-3 tftp source-interface 32-ftp-sftp-tftp command 2-5 tftp source-ip 32-ftp-sftp-tftp command 2-6 tftp tftp-server source-interface 32-ftp-sftp-tftp command 2-4 tftp tftp-server source-ip 32-ftp-sftp-tftp command 2-5 tftp-server 25-cluster command 1-43 tftp-se...

  • Page 941

    A-31 udp-helper port 27-udp helper commands 1-2 udp-helper server 27-udp helper commands 1-4 undelete 31-file system management command 1-15 unicast-suppression 06-port basic configuration command 1-26 unknown-multicast drop enable 15-multicast command 1-5 update fabric 26-poe-poe profile command 1-...

  • Page 942

    A-32 w wred 22-qos command 1-26 x xmodem get 34-system maintenance and debugging command 3-17 xrn-fabric authentication-mode 24-xrn fabric command 1-12 y z.