DL manuals
H3C
Switch
S3600 Series
Command Manual

H3C S3600 Series Command Manual - Commands For User Control

Other manuals for S3600 Series: Installation Manual, Operation Manual

Page of 1277

Download

Print this page

Bookmark us

2-1

Commands for User Control

Commands for Controlling Logging in Users

acl

Syntax

acl acl-number { inbound | outbound }

undo acl acl-number { inbound | outbound }

View

User interface view

Parameters

acl-number: ACL number. This argument can identify different types of ACLs, as listed below.

2000 to 2999, for basic ACLs

3000 to 3999, for advanced ACLs

4000 to 4999, for Layer 2 ACLs

inbound: Applies the ACL for the users Telnetting to the local switch from the current user interface.

outbound: Applies the ACL for the users Telnetting to other devices from the current user interface.

This keyword is unavailable to Layer 2 ACLs.

Description

Use the acl command to apply an ACL for Telnet users.

Use the undo acl command to cancel the configuration.

By default, no ACL is applied.

Examples

# Apply ACL 2000 (a basic ACL) for the users Telnetting to the current switch (assuming that ACL 2000

already exists.)

system-view

System View: return to User View with Ctrl+Z.

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] acl 2000 inbound

free web-users

Syntax

free web-users { all | user-id user-id | user-name user-name }

« ‹ Prev 41 42 43 44 45 46 47 Next › »

Summary of S3600 Series

Page 1
H3c s3600 series ethernet switches command manual hangzhou h3c technologies co., ltd. Http://www.H3c.Com manual version: 20090618-c-1.02 product version: release 1602.
Page 2
Copyright © 2007-2009, hangzhou h3c technologies co., ltd. And its licensors all rights reserved no part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of hangzhou h3c technologies co., ltd. Trademarks h3c, , aolynk, , h 3 care, , top g, , i...
Page 3
About this manual organization h3c s3600 series ethernet switches command manual-release 1602 is organized as follows: part contents 1 cli introduces the commands used for switching between the command levels and command level setting. 2 login introduces the commands used for logging into the ethern...
Page 4
Part contents 26 qos-qos profile introduces the commands used for qos and qos profile configuration. 27 web cache redirection introduces the commands used for web cache redirection configuration. 28 mirroring introduces the commands used for port mirroring. 29 irf fabric introduces the commands used...
Page 6
Documentation feedback you can e-mail your comments about product documentation to info@h3c.Com. We appreciate your comments..
Page 7: Table of Contents
I table of contents 1 cli configuration commands··················································································································1-1 cli configuration commands············································································································...
Page 8: Cli Configuration Commands
1-1 1 cli configuration commands the super authentication-mode command is added. For details, see super authentication-mode . Cli configuration commands command-privilege level syntax command-privilege level level view view command undo command-privilege view view command view system view parameters...
Page 9
1-2 cli view description hwping hwping test group view hwtacacs hwtacacs view isp isp domain view loopback loopback interface view luser local user view manage-vlan management vlan view msdp msdp view, which is supported by only the s3600-ei series mst-region mst region view mtlk-group monitor link ...
Page 10
1-3 change a command from a higher level to a lower level so that the lower level users can use the command. The default levels of commands are described in the following table: table 1-2 default levels of commands level name command 0 visit level commands used to diagnose network, such as ping, tra...
Page 11
1-4 display history-command system-view quit display history-command super syntax super [ level ] view user view parameters level: user level, in the range of 0 to 3. Description use the super command to switch from the current user level to a specified level. Executing this command without the leve...
Page 13
1-6 undo super password [ level level] view system view parameters level level: user level, in the range of 1 to 3. It is 3 by default. Cipher: stores the password in the configuration file in ciphered text. Simple: stores the password in the configuration file in plain text. Password: password to b...
Page 14: Table of Contents
I table of contents 1 login commands ······································································································································1-1 login commands ··············································································································...
Page 16
1-2 for a vty user interface, to specify the none keyword or password keyword for login users, make sure that ssh is not enabled in the user interface. Otherwise, the configuration fails. Refer to the protocol inbound command for related configuration. To improve security and prevent attacks to the ...
Page 17
1-3 [sysname-ui-vty0] quit # configure the local authentication username and password. [sysname] local-user guest [sysname-luser-guest] password simple 123456 [sysname-luser-guest] service-type telnet level 2 after the configuration, when a user logs in to the switch through vty0, the user must ente...
Page 18
1-4 y/n]y after the above configuration, when a user logs onto the device through vty 0, the device automatically executes the configured command and logs off the current user. Copyright-info enable syntax copyright-info enable undo copyright-info enable view system view parameters none description ...
Page 19
1-5 view aux user interface view parameters 7: sets the databits to 7. 8: sets the databits to 8. Description use the databits command to set the databits for the user interface. Use the undo databits command to revert to the default databits. The default databits is 8. Examples # set the databits t...
Page 20
1-6 when you use the display telnet-server source-ip command to display the source ip address, the primary ip address of an interface will be displayed even if you have specified a secondary ip address of the interface as the source ip address. Examples # display the source ip address configured for...
Page 21
1-7 parameters type: user interface type, which can be aux (for aux user interface) and vty (for vty user interface). Number: user interface index. A user interface index can be relative or absolute. Z in relative user interface number scheme, the type argument is required. In this case, aux user in...
Page 22
1-8 filed description privi available command level auth authentication mode int physical position of the user interface super the authentication mode used for a user to switch from the current lower user level to a higher level, including s, a, sa and as. S: super password authentication a: hwtacac...
Page 23
1-9 display users syntax display users [ all ] view any view parameters all: displays the user information about all user interfaces. Description use the display users command to display the user information about user interfaces. If you do not specify the all keyword, only the user information abou...
Page 24
1-10 view any view parameters none description use the display web users command to display the information about the current on-line web users. Examples # display the information about the current on-line web users. Display web users id name language level login time last req. Time 00800003 admin e...
Page 25
1-11 description use the free user-interface command to free a user interface. That is, this command tears down the connection between a user and a user interface. Note that the current user interface cannot be freed. Examples # release user interface vty 1. Free user-interface vty 1 are you sure yo...
Page 26
1-12 by default, no banner is configured. Note the following: z if you specify any one of the four keywords without providing the text argument, the specified keyword will be regarded as the login information. Z the banner configured with the header incoming command is displayed after a modem user l...
Page 27
1-13 welcome to legal! Press y or enter to continue, n to exit. Welcome to login! Login authentication password: welcome to shell! History-command max-size syntax history-command max-size value undo history-command max-size view user interface view parameters value: size of the history command buffe...
Page 28
1-14 parameters minutes: number of minutes. This argument ranges from 0 to 35,791. Seconds: number of seconds. This argument ranges from 0 to 59. Description use the idle-timeout command to set the timeout time. The connection to a user interface is terminated if no operation is performed in the use...
Page 29
1-15 after the web file is upgraded, you need to use the boot web-package command to specify a new web file or specify a new web file from the boot menu after reboot for the web server to operate properly. Refer to the file system management part in this manual for information about the boot web-pac...
Page 31
1-17 description use the protocol inbound command to specify the protocols supported by the user interface. Both telnet protocol and ssh protocol are supported by default. Related commands: user-interface vty. To improve security and prevent attacks to the unused sockets, tcp 23 and tcp 22 (ports fo...
Page 32
1-18 parameters screen-length: number of lines the screen can contain. This argument ranges from 0 to 512. Description use the screen-length command to set the number of lines the terminal screen can contain. Use the undo screen-length command to revert to the default number of lines. By default, th...
Page 34
1-20 system, file transfer protocol (ftp), trivial file transfer protocol (tftp), downloading using xmodem, user management, and level setting are at administration level. Refer to cli for detailed introduction to the command level. Examples # configure commands at level 0 are available to the users...
Page 35
1-21 description use the set authentication password command to set the local password. Use the undo set authentication password command to remove the local password. Note that only plain text passwords are expected when users are authenticated. By default, password authentication is performed when ...
Page 36
1-22 system view: return to user view with ctrl+z. [sysname] user-interface vty 0 4 [sysname-ui-vty0-4] undo shell % disable ui-vty0-4 , are you sure ? [y/n]y speed syntax speed speed-value undo speed view aux user interface view parameters speed-value: transmission speed (in bps). This argument can...
Page 37
1-23 use the undo stopbits command to revert to the default stopbits. Execute these two commands in aux user interface view only. By default, the stopbits is 1. Z the s3600 series do not support communication with a terminal emulation program with stopbits set to 1.5. Z changing the stop bits value ...
Page 38
1-24 trying 129.102.0.1 ... Press ctrl+k to abort connected to 129.102.0.1 ... ************************************************************************** * copyright(c) 2004-2008 hangzhou h3c tech. Co., ltd. All rights reserved. * * without the owner's prior written consent, * * no decompiling or re...
Page 39
1-25 telnet source-interface syntax telnet source-interface interface-type interface-number undo telnet source-interface view system view parameters interface-type interface-number: interface type and interface number. Description use the telnet source-interface command to specify the source interfa...
Page 40
1-26 note that when the telnet source-ip command is executed, if the ip address specified is not an ip address of the local device, your configuration fails. Examples # set the source ip address to 192.168.1.1 for the telnet client. System-view system view: return to user view with ctrl+z. [sysname]...
Page 41
1-27 parameters ip-address: source ip address to be set. Description use the telnet-server source-ip command to specify the source telnet server ip address. Use the undo telnet-server source-ip command to remove the source telnet server ip address. With the telnet-server source-ip command configured...
Page 42
1-28 description use the user-interface command to enter one or more user interface views to perform configuration. Examples # enter vty0 user interface. System-view system view: return to user view with ctrl+z. [sysname] user-interface vty 0 [sysname-ui-vty0] user privilege level syntax user privil...
Page 43
1-29 examples # configure that commands at level 1 are available to the users logging in to vty 0. System-view system view: return to user view with ctrl+z. [sysname] user-interface vty 0 [sysname-ui-vty0] user privilege level 1 # you can verify the above configuration by telnetting to vty 0 and dis...
Page 45
2-2 view user view parameters all: specifies all web users. User-id: web user id, an eight-digit hexadecimal number. User-name: user name of the web user. This argument can contain 1 to 80 characters. Description use the free web-users command to disconnect a specified web user or all web users by f...
Page 46
2-3 view system view parameters read: specifies that the community has read-only permission in the specified view. Write: specifies that the community has read/write permission in the specified view. Community-name: community name, a string of 1 to 32 characters. Acl acl-number: specifies an acl num...
Page 47
2-4 parameters v1: snmpv1. V2c: snmpv2c. V3: snmpv3. Group-name: group name. This argument can be of 1 to 32 characters. Authentication: specifies to authenticate snmp data without encrypting the data. Privacy: authenticates and encrypts packets. Read-view: name of the view to be set to read-only. T...
Page 48
2-5 v2c: snmpv2c. V3: snmpv3. User-name: user name, a string of 1 to 32 characters. Group-name: name of the group to which the user corresponds. This argument is a string of 1 to 32 characters. Cipher:specifies the authentication or encryption password to be in ciphertext. Authentication-mode: requi...
Page 49: Table of Contents
I table of contents 1 configuration file management commands ··························································································1-1 file attribute configuration commands ··································································································1-1 displ...
Page 50
1-1 1 configuration file management commands the s3600 series ethernet switches support intelligent resilient framework (irf), and allow you to access a file on the switch in one of the following ways: z to access a file on the specified unit, you need to enter the file universal resource locator (u...
Page 51
1-2 z system: indicates the system configuration. Z user-interface: indicates the user interface configuration. Interface: displays port/interface configuration. Interface-type: port/interface type, which can be one of the following: aux, ethernet, gigabitethernet, loopback, null and vlan-interface....
Page 52
1-3 after you finish a set of configurations, you can execute the display current-configuration command to display the parameters that take effect currently. Note that: z parameters that are the same as the default are not displayed. Z the configured parameter whose corresponding function does not t...
Page 53
1-4 port access vlan 20 dhcp-snooping trust arp detection trust # interface ethernet1/0/13 port access vlan 20 arp detection trust # interface ethernet1/0/14 port access vlan 20 # interface ethernet1/0/15 # interface ethernet1/0/16 # interface ethernet1/0/17 # interface ethernet1/0/18 # interface et...
Page 55
1-6 display current-configuration vlan syntax display current-configuration vlan [ vlan-id ] [ by-linenum ] view any view parameters vlan vlan-id: vlan id, in the range 1 to 4094. By-linenum: displays configuration information with line numbers. Description use the display current-configuration vlan...
Page 56
1-7 parameters unit unit-id: specifies the unit id of a switch. With this keyword-argument combination specified, this command can display the initial configuration file of the specified unit. By-linenum: displays configuration information with line numbers. Description use the display saved-configu...
Page 57
1-8 port hybrid protocol-vlan vlan 3 1 port hybrid protocol-vlan vlan 3 2 # interface ethernet1/0/4 mirroring-group 1 monitor-port # interface ethernet1/0/5 port link-type trunk port trunk permit vlan 1 25 # interface ethernet1/0/6 # interface ethernet1/0/7 # interface ethernet1/0/8 # interface ethe...
Page 58
1-9 # interface ethernet1/0/23 # interface ethernet1/0/24 # interface gigabitethernet1/1/1 # interface gigabitethernet1/1/2 # interface gigabitethernet1/1/3 # interface gigabitethernet1/1/4 #topologycfg. Must not delete # undo irf-fabric authentication-mode #glbcfg. Must not delete # interface null0...
Page 59
1-10 z if the switch is not a unit of a fabric, this command displays the startup configuration file information of the current switch no matter whether you have specified the unit-id argument or not. Z if the switch is a unit of a fabric, without unit-id specified, this command displays the startup...
Page 60
1-11 description use the display this command to display the current configuration performed in the current view. To verify the configuration performed in a view, you can use this command to display the parameters that are valid in the current view. Note that: z effective parameters that are the sam...
Page 61
1-12 description use the reset saved-configuration command to erase the configuration file saved in the flash of a switch. The following two situations exist: z while the reset saved-configuration [ main ] command erases the configuration file with main attribute, it only erases the main attribute o...
Page 62
1-13 backup: saves the configuration to the backup configuration file. Main: saves the configuration to the main configuration file. Description use the save command to save the current configuration to a configuration file in the flash. When you use this command to save the configuration file, z if...
Page 63
1-14 examples # save the current configuration to 123.Cfg as the main configuration file for the next startup. Save main the configuration will be written to the device. Are you sure?[y/n]y please input the file name(*.Cfg)(to leave the existing filename unchanged press the enter key):123.Cfg now sa...
Page 64
1-15 z if the switch has not joined any fabric, the startup saved-configuration command specifies the configuration file to be used for the next startup of the switch; if the switch has joined a fabric, this command specifies the configuration file to be used for the next startup of all the switches...
Page 65: Table of Contents
I table of contents 1 vlan configuration commands··············································································································1-1 vlan configuration commands·············································································································1...
Page 66: Vlan Configuration Commands
1-1 1 vlan configuration commands vlan configuration commands description syntax description text undo description view vlan view, vlan interface view parameters text: case sensitive character string to describe the current vlan or vlan interface. Special characters and spaces are allowed. It has: z...
Page 67
1-2 display interface vlan-interface syntax display interface vlan-interface [ vlan-id ] view any view parameters vlan-id: specifies a vlan interface number. Description use the display interface vlan-interface command to display information about the specified vlan interface or all vlan interfaces ...
Page 68
1-3 table 1-1 description on the fields of the display interface vlan-interface command field description vlan-interface2 current state the state of the vlan interface, which can be one of the following: z administratively down: this vlan interface has been manually disabled with the shutdown comman...
Page 69
1-4 parameters vlan-id1: specifies the id of a vlan of which information is to be displayed, in the range of 1 to 4094. To vlan-id2: in conjunction with vlan-id1, define a vlan range to display information about all existing vlans in the range. The vlan-id2 argument takes a value in the range of 1 t...
Page 70
1-5 field description description description of the vlan. Name vlan name. Tagged ports ports out of which packets are sent tagged. Untagged ports ports out of which packets are sent untagged. Interface vlan-interface syntax interface vlan-interface vlan-id undo interface vlan-interface vlan-id view...
Page 71
1-6 view vlan view parameters text: vlan name, a description of 1 to 32 characters. It can contain special characters and spaces. Description use the name command to assign a name to the current vlan. Use the undo name command to restore the default vlan name. When 802.1x or mac address authenticati...
Page 72
1-7 you can use the undo shutdown command to enable a vlan interface when its related parameters and protocols are configured. When a vlan interface fails, you can use the shutdown command to disable the interface, and then use the undo shutdown command to enable this interface again, which may rest...
Page 73
1-8 description use the vlan command to create vlans. If you create only one vlan, you enter the view of the vlan upon its creation; if the specified vlan already exists, you enter its vlan view directly. Use the undo vlan command to remove vlans. By default, only vlan 1 exists in the system. Z vlan...
Page 75
1-10 the command applies to access ports only. For information about how to assign to or remove from a vlan trunk or hybrid ports, refer to the port hybrid vlan command and the port trunk permit vlan command. For port type configuration, refer to the port link-type command. Related commands: display...
Page 76
1-11 port hybrid pvid vlan syntax port hybrid pvid vlan vlan-id undo port hybrid pvid view ethernet port view parameters vlan-id: specifies the default vlan id of the current hybrid port, in the range of 1 to 4094. The specified vlan can be one already created or not. Description use the port hybrid...
Page 77
1-12 parameters vlan-id-list: list of the vlans that the current hybrid port will be assigned to or removed from.In this list, you can specify individual vlan ids (each in the form of vlan-id) and vlan id ranges (each in the form of vlan-id1 to vlan-id2). Specify each vlan id in the range of 1 to 40...
Page 78
1-13 description use the port link-type command to set the link type of the ethernet port. Use the undo port link-type command to restore the default link type. The default link type of an ethernet port is access. To change the link type of a port from hybrid to trunk or vice versa, you need to chan...
Page 79
1-14 on a trunk port, only traffic of the default vlan can pass through untagged. You can perform the command multiple times. The vlans specified each time does not overwrite those configured before, if any. Related commands: port link-type. Examples # assign the trunk port ethernet 1/0/1 to vlan 2,...
Page 80
1-15 examples # set the default vlan id of the trunk port ethernet 1/0/1 to 100. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] port link-type trunk [sysname-ethernet1/0/1] port trunk pvid vlan 100 protocol-based vlan configuratio...
Page 81
1-16 100 4 llc dsap 0xac ssap 0xbd table 1-3 description on the fields of the display vlan command field description interface interface bound with at least one protocol vlan vlan id id of a protocol vlan bound with the interface protocol-index protocol template index protocol-type protocol type spe...
Page 82
1-17 1 snap etype 0x0abcd table 1-4 description on the fields of the display protocol-vlan vlan command field description vlan id protocol vlan id vlan type vlan type. Here, it refers to protocol-based vlan protocol-index protocol template index protocol-type protocol type specified in the protocol ...
Page 83
1-18 z the port hybrid protocol-vlan vlan command is available on hybrid ports only. Z before you bind a port with a protocol vlan, assign the port to the vlan with the port hybrid vlan command. Otherwise, the binding will fail. Z to bind a protocol template to a port in a vlan successfully, you mus...
Page 84
1-19 ipx: creates the ipx-based protocol template. The ethernetii, llc, raw and snap keywords represent four ipx encapsulation formats. For more information about encapsulation formats, refer to the accompanying operation manual. Mode: configures a user-defined protocol template. Ethernetii etype-id...
Page 85
1-20 [sysname-vlan3] protocol-vlan ip because the ip protocol is closely associated with the arp protocol, you are recommended to configure the arp protocol type when configuring the ip protocol type and associate the two protocol types with the same port, in case that arp packets and ip packets are...
Page 86: Table of Contents
I table of contents 1 ip address configuration commands·····································································································1-1 ip address configuration commands·····································································································1-1 di...
Page 87
1-1 1 ip address configuration commands ip address configuration commands display ip interface syntax display ip interface [ interface-type interface-number] view any view parameters interface-type interface-number: specifies an interface by its type and number. Description use the display ip interf...
Page 88
1-2 information request: 0 information reply: 0 netmask request: 0 netmask reply: 0 unknown type: 0 table 1-1 description on the fields of the display ip interface command field description vlan-interface1 current state current physical state of vlan-interface 1 line protocol current state current s...
Page 89
1-3 view any view parameters interface-type:interface type. Interface-number: interface number. Description use the display ip interface brief command to display brief information about a specified or all layer 3 interfaces. With no argument included, the command displays information about all layer...
Page 91
1-5 examples # assign the primary ip address 129.12.0.1 and secondary ip address 129.12.1.1 to vlan-interface 1 with subnet mask 255.255.255.0. System-view system view: return to user view with ctrl+z. [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ip address 129.12.0.1 255.255.255.0...
Page 92
2-1 2 ip performance configuration commands ip performance configuration commands display fib syntax display fib view any view parameters none description use the display fib command to display all forwarding information base (fib) information. Examples # display all fib information. Display fib fla...
Page 93
2-2 table 2-1 description on the fields of the display fib command field description flag flags: u: a route is up and available. G: gateway route h: local host route b: blackhole route d: dynamic route s: static route r: rejected route e: multi-path equal-cost route l: route generated by arp or esis...
Page 94
2-3 description use the display fib ip-address command to view the fib entries matching the specified destination ip address. If no mask or mask length is specified, the fib entry that matches the destination ip address and has the longest mask will be displayed; if the mask is specified, the fib en...
Page 95
2-4 system-view system view: return to user view with ctrl+z. [sysname] acl number 2001 [sysname-acl-basic-2001] rule permit source 211.71.75.0 0.0.0.255 [sysname-acl-basic-2001] display acl 2001 basic acl 2001, 1 rule acl's step is 1 rule 0 permit source 211.71.75.0 0.0.0.255 # display the fib entr...
Page 96
2-5 display fib ip-prefix syntax display fib ip-prefix ip-prefix-name view any view parameters ip-prefix-name: ip prefix list name, in the range of 1 to 19 characters. Description use the display fib ip-prefix command to display the fib entries matching a specific ip prefix list. For details about i...
Page 97
2-6 description use the display fib statistics command to display the total number of fib entries. Examples # display the total number of fib entries. Display fib statistics route entry count : 8 display icmp statistics syntax display icmp statistics view any view parameters none description use the...
Page 98
2-7 field description destination unreachable number of received destination unreachable packets source quench number of received source quench packets redirects number of received redirection packets echo reply number of received replies parameter problem number of received parameter problem packet...
Page 99
2-8 examples # display the information about the socket of the tcp type. Display ip socket socktype 1 sock_stream: task = vtyd(18), socketid = 1, proto = 6, la = 0.0.0.0:23, fa = 0.0.0.0:0, sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, socket option = so_acceptconn so_keepalive so_sendvpnid so...
Page 100
2-9 view any view parameters none description use the display ip statistics command to display the statistics about ip packets. Related commands: display ip interface, reset ip statistics. Examples # display the statistics about ip packets. Display ip statistics input: sum 7120 local 112 bad protoco...
Page 101
2-10 field description input total number of fragments received output total number of fragments sent dropped total number of fragments discarded fragmented total number of ip packets successfully fragmented fragment: couldn't fragment total number of ip packets that cannot be fragmented sum total n...
Page 102
2-11 urgent packets: 0 control packets: 5 (including 1 rst) window probe packets: 0, window update packets: 2 data packets: 618 (8770 bytes) data packets retransmitted: 0 (0 bytes) ack-only packets: 40 (28 delayed) retransmitted timeout: 0, connections dropped in retransmitted timeout: 0 keepalive t...
Page 103
2-12 field description total total number of packets sent urgent packets number of urgent packets sent control packets number of control packets sent; in brackets are retransmitted packets window probe packets number of window probe packets sent; in the brackets are resent packets window update pack...
Page 104
2-13 description use the display tcp status command to display the state of all the tcp connections so that you can monitor tcp connections in real time. Examples # display the state of all the tcp connections. Display tcp status *: tcp md5 connection tcpcb local add:port foreign add:port state 03e3...
Page 105
2-14 total broadcast or multicast packets : 25006 no socket broadcast or multicast packets: 24989 not delivered, input socket full: 0 input packets missing pcb cache: 1314 sent packets: total: 7187 table 2-7 description on the fields of the display udp statistics command field description total tota...
Page 106
2-15 examples # disable the device from sending icmp redirection packets. System-view system view: return to user view with ctrl+z. [sysname] undo icmp redirect send icmp unreach send syntax icmp unreach send undo icmp unreach send view system view parameters none description use the icmp unreach se...
Page 107
2-16 description use the ip forward-broadcast command to enable the device to receive directed broadcasts to a directly connected network. Use the undo ip forward-broadcast command to disable the device from receiving directed broadcasts to a directly connected network. By default, the device is dis...
Page 108
2-17 description use the reset tcp statistics command to clear the statistics about tcp packets. You can use the display tcp statistics command to view the current tcp packet statistics. Examples # clear the statistics about tcp packets. Reset tcp statistics reset udp statistics syntax reset udp sta...
Page 109
2-18 related commands: tcp timer syn-timeout, tcp window. Examples # configure the value of the tcp finwait timer to 800 seconds. System-view system view: return to user view with ctrl+z. [sysname] tcp timer fin-timeout 800 tcp timer syn-timeout syntax tcp timer syn-timeout time-value undo tcp timer...
Page 110
2-19 description use the tcp window command to configure the size of the transmission and receiving buffers of the connection-oriented socket. Use the undo tcp window command to restore the default size of the transmission and receiving buffers of the connection-oriented socket. By default, the size...
Page 111: Table of Contents
I table of contents 1 voice vlan configuration commands ···································································································1-1 voice vlan configuration commands···································································································1-1 displ...
Page 112
1-1 1 voice vlan configuration commands voice vlan configuration commands display voice vlan error-info syntax display voice vlan error-info view any view parameters none description use the display voice vlan error-info command to display the ports on which the voice vlan function fails to be enabl...
Page 113
1-2 description use the display voice vlan oui command to display the organizationally unique identifier (oui) list used for identifying voice traffic. The output of the command displays the oui addresses, their masks, and descriptions. By default, there are five pre-defined oui addresses in the sys...
Page 114
1-3 table 1-1 description on the fields of the display voice vlan status command field description voice vlan status the status of global voice vlan function: enabled or disabled. Voice vlan id the vlan which is currently enabled with voice vlan. Voice vlan security mode the status of voice vlan sec...
Page 115
1-4 untagged ports: ethernet1/0/6 the output indicates that ethernet 1/0/5 and ethernet 1/0/6 are in the voice vlan. Voice vlan syntax voice vlan vlan-id enable undo voice vlan enable view system view parameters vlan-id: specifies the id of the vlan to be enabled with the voice vlan function, in the...
Page 116
1-5 # after the voice vlan function of vlan 2 is enabled, if you enable the voice vlan function for other vlans, the system will prompt that your configuration fails. [sysname] voice vlan 4 enable can't change voice vlan configuration when other voice vlan is running voice vlan aging syntax voice vl...
Page 117
1-6 [sysname] voice vlan aging 100 voice vlan enable syntax voice vlan enable undo voice vlan enable view ethernet port view parameters none description use the voice vlan enable command to enable the voice vlan function on the port. Use the undo voice vlan enable command to disable the voice vlan f...
Page 118
1-7 by default, the voice vlan legacy function is disabled. Examples # enable the voice vlan legacy function on ethernet1/0/1. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] voice vlan legacy voice vlan mac-address syntax voice vl...
Page 119
1-8 examples # add mac address 00aa-bb00-0000 to the oui list and configure its description as abc. System-view system view: return to user view with ctrl+z. [sysname] voice vlan mac-address 00aa-bb00-0000 mask ffff-ff00-0000 description abc voice vlan mode syntax voice vlan mode auto undo voice vla...
Page 120
1-9 undo voice vlan security enable view system view parameters none description use the voice vlan security enable command to enable the voice vlan security mode. Use the undo voice vlan security enable command to disable the voice vlan security mode. In security mode, the ports in a voice vlan and...
Page 121: Table of Contents
I table of contents 1 gvrp configuration commands ·············································································································1-1 garp configuration commands ············································································································1...
Page 122: Gvrp Configuration Commands
1-1 1 gvrp configuration commands garp configuration commands display garp statistics syntax display garp statistics [ interface interface-list ] view any view parameters interface-list: specifies a list of ethernet ports for which the statistics about garp are to be displayed.In this list, you can ...
Page 123
1-2 garp statistics on port ethernet1/0/1 number of gvrp frames received : 0 number of gvrp frames transmitted : 0 number of frames discarded : 0 garp statistics on port ethernet1/0/2 number of gvrp frames received : 0 number of gvrp frames transmitted : 0 number of frames discarded : 0 table 1-1 de...
Page 124
1-3 z hold timer related commands: garp timer, garp timer leaveall. Examples # display the settings of the garp timers on port ethernet1/0/1. Display garp timer interface ethernet 1/0/1 garp timers on port ethernet1/0/1 garp join time : 20 centiseconds garp leave time : 60 centiseconds garp leaveall...
Page 125
1-4 table 1-2 relations between the timers timer lower threshold upper threshold hold 10 centiseconds this upper threshold is less than or equal to one-half of the timeout time of the join timer. You can change the threshold by changing the timeout time of the join timer. Join this lower threshold i...
Page 126
1-5 parameters timer-value: setting (in centiseconds) of the garp leaveall timer. You need to set this argument with the leave timer settings of other ethernet ports as references. That is, this argument needs to be larger than the leave timer settings of any ethernet ports. Also note that this argu...
Page 127
1-6 executing the reset garp statistics command without any parameter clears the garp statistics of all ports. Related commands: display garp statistics. Examples # clear garp statistics of all ports. Reset garp statistics gvrp configuration commands display gvrp statistics syntax display gvrp stati...
Page 128
1-7 display gvrp status syntax display gvrp status view any view parameters none description use the display gvrp status command to display the global gvrp status (enabled or disabled). Examples # display the global gvrp status. Display gvrp status gvrp is enabled the above information indicates tha...
Page 129
1-8 examples # enable gvrp globally. System-view system view: return to user view with ctrl+z. [sysname] gvrp gvrp is enabled globally. # enable gvrp on ethernet 1/0/1. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] gvrp gvrp is enabled on port ethernet1/0/5. Gvrp registration syntax gvr...
Page 130: Table of Contents
I table of contents 1 port basic configuration commands······································································································1-1 port basic configuration commands······································································································1-1 ...
Page 131
1-1 1 port basic configuration commands z the displaying and maintaining of the statistics of dropped packets on a port or all ports was added to this manual. For related commands, refer to display packet-drop and reset packet-drop interface . Z the configuration of disabling port up/down log output...
Page 132
1-2 description use the broadcast-suppression command to limit broadcast traffic allowed to be received on each port (in system view) or on a specified port (in ethernet port view). Use the undo broadcast-suppression command to restore the default broadcast suppression setting. The broadcast-suppres...
Page 133
1-3 parameters interface-type: port type. Interface-number: port number. Source-agg-id: source aggregation group number, in the range of 1 to 416. The port with the smallest port number in the aggregation group is used as the source port. Destination-agg-id: destination aggregation group number, in ...
Page 134
1-4 examples # copy the configurations of ethernet 1/0/1 to ethernet 1/0/2 and ethernet 1/0/3. System-view system view: return to user view with ctrl+z. [sysname] copy configuration source ethernet 1/0/1 destination ethernet 1/0/2 ethernet 1/0/3 note: the following will be removed from destination p...
Page 135
1-5 view ethernet port view parameters text: port description, a string of 1 to 80 characters. Description use the description command to configure a description for the port. Use the undo description command to remove the port description. By default, no description is configured for a port. You ca...
Page 136
1-6 description use the display brief interface command to display the brief configuration information about one or all interfaces, including: interface type, link state, link rate, duplex attribute, link type, default vlan id and description string. Currently, for the port types other than ethernet...
Page 137
1-7 table 1-3 port state transitions initial port state state after executing the shutdown command state after executing the undo shutdown command down down not connected to any cable administratively down down down down up up connected to a cable administratively down administratively down up displ...
Page 138
1-8 broadcast max-pps: 500 unicast max-ratio: 100% multicast max-ratio: 100% allow jumbo frame to pass pvid: 1 mdi type: auto port link-type: access tagged vlan id : none untagged vlan id : 1 last 300 seconds input: 0 packets/sec 0 bytes/sec last 300 seconds output: 0 packets/sec 0 bytes/sec input(t...
Page 139
1-9 field description port link-type port link type tagged vlan id identify the vlans whose packets will be forwarded with tags on the port. Untagged vlan id identify the vlans whose packets will be forwarded without tags on the port. Last 300 seconds input: 0 packets/sec 0 bytes/sec last 300 second...
Page 140
1-10 field description aborts the total number of incoming illegal packets, including: z fragments: crc error frames of less than 64 bytes (integer or non-integer). Z jabber frames: crc error frames of more than 1518 bytes if untagged or 1522 bytes if tagged (integer or non-integer). Z symbol error ...
Page 141
1-11 field description lost carrier the lost carrier counter applicable to serial wan interfaces the counter increases by 1 upon each carrier loss detected during frame transmission. - no carrier the no carrier counter applicable to serial wan interfaces the counter increases by 1 upon each carrier ...
Page 142
1-12 description use the display loopback-detection command to display the loopback detection status on the port. If loopback detection is enabled, this information will also be displayed: time interval for loopback detection and the loopback ports. Examples # display the loopback detection status o...
Page 143
1-13 examples # display the statistics on the packets dropped on ethernet 1/0/1. Display packet-drop interface ethernet 1/0/1 ethernet1/0/1: packets dropped by gbp full or insufficient bandwidth: 0 packets dropped by others: 0 # display the summary statistics on the packets dropped on all the ports....
Page 144
1-14 portname stormtype lowerlimit upperlimit ctr-mode status trap log swi-num -------------------------------------------------------------------------- eth1/0/1 broadcast 9 99 shutdown normal on off 3 eth1/0/1 multicast 9 99 shutdown control on off 1 eth1/0/2 unicast 9 99 shutdown normal off on 0 ...
Page 145
1-15 description : aux interface ethernet1/0/1 current state : down ip sending frames' format is pktfmt_ethnt_2, hardware address is 000f-e290-2240 media type is twisted pair, loopback not set port hardware type is 100_base_tx 100mbps-speed mode, full-duplex mode link speed type is force link, link ...
Page 146
1-16 undo duplex view ethernet port view parameters auto: sets the port to auto-negotiation mode. Full: sets the port to full duplex mode. Half: sets the port to half duplex mode. Description use the duplex command to set the duplex mode of the current port. Use the undo duplex command to restore th...
Page 147
1-17 system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] shutdown [sysname-ethernet1/0/1] %apr 5 07:25:37:634 2000 sysname l2inf/5/port link status change:- 1 - ethernet1/0/1 is down [sysname-ethernet1/0/1] undo shutdown [sysname-ethernet1/0/1] %a...
Page 148
1-18 [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] flow-control flow interval syntax flow-interval interval undo flow-interval view ethernet port view parameters interval: interval (in seconds) to perform statistics on port information. This argument ranges from 5 to 300 (in step of 5) ...
Page 149
1-19 description use the giant-frame statistics enable command to enable the giant-frame statistics function. Use the undo giant-frame statistics enable command to disable the giant-frame statistics function. By default, the giant-frame statistics function is not enabled. After enabling the giant-fr...
Page 150
1-20 system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] jumboframe enable syntax jumboframe enable undo jumboframe enable view ethernet port view parameters none description use the jumboframe enable command to set the maximum frame size allowed ...
Page 151
1-21 during a short period after you connect your switch to another device, the connecting port may go up and down frequently due to hardware compatibility, resulting in service interruption. To avoid situations like this, you may set a port state change delay. Z the port state change delay takes ef...
Page 152
1-22 by default, no loopback test is performed on the ethernet port. Examples # perform an internal loop test on ethernet 1/0/1. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] loopback internal loopback internal succeeded. Loopbac...
Page 153
1-23 [sysname-ethernet1/0/1] loopback-detection control enable loopback-detection enable syntax loopback-detection enable undo loopback-detection enable view system view or ethernet port view parameters none description use the loopback-detection enable command to enable the loopback detection featu...
Page 154
1-24 loopback-detection interval-time syntax loopback-detection interval-time time undo loopback-detection interval-time view system view parameters time: time interval for loopback detection, in the range of 5 to 300 (in seconds). It is 30 seconds by default. Description use the loopback-detection ...
Page 156
1-26 undo multicast-suppression view ethernet port view parameters ratio: maximum ratio of the multicast traffic allowed on the port to the total transmission capacity of the port. This argument ranges from 1 to 100 (in step of 1) and defaults to 100. The smaller the ratio, the less multicast traffi...
Page 157
1-27 description use the reset counters interface command to clear the statistics of the port, preparing for a new statistics collection. If you specify neither port type nor port number, the command clears statistics of all ports. If specify only port type, the command clears statistics of all port...
Page 158
1-28 parameters none description use the shutdown command to shut down an ethernet port. Use the undo shutdown command to bring up an ethernet port. By default, an ethernet port is in up state. Examples # shut down ethernet 1/0/1 and then bring it up. System-view system view: return to user view wit...
Page 159
1-29 view ethernet port view parameters 10: specifies the port speed to 10 mbps. 100: specifies the port speed to 100 mbps. 1000: specifies the port speed to 1,000 mbps (only available to gigabitethernet ports). Auto: specifies the port speed to the auto-negotiation mode. Description use the speed c...
Page 163
1-33 use the undo storm-constrain interval command to restore the default setting. By default, the interval is 10 seconds. Related commands: display storm-constrain, storm-constrain. Examples # set the interval to collect traffic statistics to 2 seconds. System-view system view: return to user view ...
Page 164
1-34 # set the maximum number of unknown unicast packets that can be received per second by ethernet 1/0/1 to 1,000. [sysname-ethernet1/0/1] unicast-suppression pps 1000 virtual-cable-test syntax virtual-cable-test view ethernet port view parameters none description use the virtual-cable-test comman...
Page 165
1-35 examples # enable the system to test the cable connected to ethernet 1/0/1. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] virtual-cable-test cable status: normal, 0 meter(s) pair impedance mismatch: - pair skew: - ns pair sw...
Page 166: Table of Contents
I table of contents 1 link aggregation configuration commands··························································································1-1 link aggregation configuration commands ···························································································1-1 display li...
Page 167
1-1 1 link aggregation configuration commands link aggregation configuration commands display link-aggregation interface syntax display link-aggregation interface interface-type interface-number [ to interface-type interface-number ] view any view parameters interface-type: port type. Interface-numb...
Page 168
1-2 table 1-1 description on the fields of the display link-aggregation interface command field description selected aggid id of the aggregation group to which the specified port belongs local information about the local end port-priority port priority oper key operation key flag protocol status fla...
Page 169
1-3 -------------------------------------------------------------------------- 1 s 0x8000,0000-0000-0000 0 1 nons ethernet1/0/2 2 m none 0 1 nons ethernet1/0/3 table 1-2 description on the fields of the display link-aggregation summary command field description aggregation group type aggregation gro...
Page 170
1-4 examples # display the details about aggregation group 1. Display link-aggregation verbose 1 loadsharing type: shar -- loadsharing, nons -- non-loadsharing flags: a -- lacp_activity, b -- lacp_timeout, c -- aggregation, d -- synchronization, e -- collecting, f -- distributing, g -- defaulted, h ...
Page 171
1-5 description use the display lacp system-id command to display the device id of the local system, including the system priority and the mac address. Examples # display the device id of the local system. Display lacp system-id actor system id: 0x8000, 000f-e20f-0100 the value of the actor system i...
Page 172
1-6 description use the lacp port-priority command to set the priority of the current port. Use the undo lacp port-priority command to restore the default port priority. By default, the port priority is 32,768. You can use the display link-aggregation verbose command or the display link-aggregation ...
Page 173
1-7 parameters agg-id: aggregation group id, in the range of 1 to 416. Agg-name: aggregation group name, a string of 1 to 32 characters. Description use the link-aggregation groupdescription command to set a description for an aggregation group. Use the undo link-aggregation groupdescription command...
Page 174
1-8 examples # create manual aggregation group 22 system-view system view: return to user view with ctrl+z. [sysname] link-aggregation group 22 mode manual port link-aggregation group syntax port link-aggregation group agg-id undo port link-aggregation group view ethernet port view parameters agg-id...
Page 175
1-9 description use the reset lacp statistics command to clear lacp statistics on specified port(s), or on all ports if no port is specified. Related commands: display link-aggregation interface. Examples # clear lacp statistics on all ethernet ports. Reset lacp statistics.
Page 176: Table of Contents
I table of contents 1 port isolation configuration commands ································································································1-1 port isolation configuration commands ·································································································1-1 d...
Page 177
1-1 1 port isolation configuration commands port isolation configuration commands display isolate port syntax display isolate port view any view parameters none description use the display isolate port command to display the ethernet ports assigned to the isolation group. Examples # display the ethe...
Page 178
1-2 z assigning or removing an aggregation member port to or from the isolation group can cause the other ports in the aggregation group join or leave the isolation group. Z for ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation grou...
Page 179: Table of Contents
I table of contents 1 port security commands··························································································································1-1 port security commands ···········································································································...
Page 180: Port Security Commands
1-1 1 port security commands two port security modes, macaddressanduserloginsecure and macaddressanduserloginsecureext, were introduced. For details, refer to port-security port-mode . Port security commands display mac-address security syntax display mac-address security [ interface interface-type ...
Page 181
1-2 0000-0000-0002 1 security ethernet1/0/20 noaged 0000-0000-0003 1 security ethernet1/0/20 noaged 0000-0000-0004 1 security ethernet1/0/20 noaged 0000-0000-0001 2 security ethernet1/0/22 noaged 0000-0000-0007 2 security ethernet1/0/22 noaged --- 6 mac address(es) found --- # display the security m...
Page 182
1-3 display port-security syntax display port-security [ interface interface-list ] view any view parameters interface interface-list: specify a list of ethernet ports of which the port security configurations are to be displayed. For the interface-list argument, you can specify individual ports and...
Page 183
1-4 (the rest of the information is omitted.) # display the port security configurations of ports ethernet 1/0/1 to ethernet 1/0/3. Display port-security interface ethernet 1/0/1 to ethernet 1/0/3 ethernet1/0/1 is link-up port mode is autolearn needtoknow mode is needtoknowonly intrusion mode is blo...
Page 184
1-5 field description port mode is autolearn the security mode of the port is autolearn. Needtoknow mode is needtoknowonly the ntk (need to know) mode is ntkonly. Intrusion mode is blockmacaddress the intrusion detection mode is blockmacaddress. Max mac-address num is 4 the maximum number of mac add...
Page 185
1-6 z the mac-address security command can be configured successfully only when port security is enabled and the security mode is autolearn. Z to create a security mac address entry successfully, you must make sure that the specified vlan is carried on the specified port. Examples # enable port secu...
Page 186
1-7 use the undo port-security enable command to disable port security. By default, port security is disabled. Enabling port security resets the following configurations on the ports to the defaults (as shown in parentheses below): z 802.1x (disabled), port access control method (macbased), and port...
Page 187
1-8 by default, intrusion protection is not configured. By checking the source mac addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal mac address) or events and takes a pre-set ...
Page 188
1-9 ethernet1/0/1 is link-up port mode is secure needtoknow mode is disabled intrusion mode is blockmacaddress max mac-address num is 2 stored mac-address num is 2 authorization is permit for description on the output information, refer to table 1-2 . # configure the intrusion protection mode on eth...
Page 189
1-10 use the undo port-security authorization ignore command to restore the default configuration. By default, the port uses (does not ignore) the authorization information delivered by the radius server. You can use the display port-security command to check whether the port will use the authorizat...
Page 190
1-11 by configuring the maximum number of mac addresses allowed on a port, you can: z limit the number of users accessing the network through the port. Z limit the number of security mac addresses that can be added on the port. When the maximum number of mac addresses allowed on a port is reached, t...
Page 191
1-12 use the undo port-security ntk-mode command to restore the default setting. Be default, ntk is disabled on a port, namely all frames are allowed to be sent. By checking the destination mac addresses of the data frames to be sent from a port, the ntk feature ensures that only successfully authen...
Page 192
1-13 by default, no oui value is set for authentication. Z the oui value set by this command takes effect only when the security mode of the port is set to userloginwithoui by the port-security port-mode command. Z the oui value set by this command cannot be a multicast mac address. Related commands...
Page 193
1-14 keyword security mode description mac-and-userlogin-secure macaddressandus erloginsecure in this mode, users trying to assess the network through the port must first pass mac address authentication and then 802.1x authentication. In this mode, only one user can access the network through the po...
Page 194
1-15 keyword security mode description userlogin-secure-ext userloginsecureex t this mode is similar to the userloginsecure mode, except that in this mode, there can be more than one 802.1x-authenticated user on the port. Userlogin-secure-or-mac macaddressoruser loginsecure mac address authenticatio...
Page 195
1-16 z before setting the security mode to autolearn, you need to use the port-security max-mac-count command to configure the maximum number of mac addresses allowed on the port. Z when a port operates in the autolearn mode, you cannot change the maximum number of mac addresses allowed on the port....
Page 196
1-17 by default, the system disables a port for 20 seconds. The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled. Related commands: port-security intru...
Page 197
1-18 radius authenticated login using mac-address (ralm) refers to mac-based radius authentication. Description use the port-security trap command to enable the sending of specified type(s) of trap messages. Use the undo port-security trap command to disable the sending of specified type(s) of trap ...
Page 198: Port Binding Commands
2-1 2 port binding commands port binding commands am user-bind syntax in system view: am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number undo am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number in ethernet port vi...
Page 199
2-2 examples # in system view, bind the mac address 000f-e200-5101 and ip address 10.153.1.1 (supposing they are mac and ip addresses of a legal user) to ethernet 1/0/1. System-view system view: return to user view with ctrl+z. [sysname] am user-bind mac-addr 000f-e200-5101 ip-addr 10.153.1.1 interf...
Page 200
2-3 z mac address 000f-e200-5101 and ip address 10.153.1.1 are bound to ethernet 1/0/1. Z mac address 000f-e200-5102 and ip address 10.153.1.2 are bound to ethernet 1/0/2..
Page 201: Table of Contents
I table of contents 1 dldp configuration commands··············································································································1-1 dldp configuration commands·············································································································1...
Page 203
1-2 table 1-1 description on the fields of the display dldp command field description dldp interval interval for sending dldp advertisement packets dldp work-mode dldp work mode dldp authentication-mode dldp authentication mode cipher dldp authentication password dldp unidirectional-shutdown dldp ac...
Page 204
1-3 when you use the dldp enable/dldp disable command in system view to enable/disable dldp on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently. Examples # enable dldp for all the optical ports of the switch. System-vi...
Page 205
1-4 z when you configure a dldp authentication mode and authentication password on a port, make sure that the same dldp authentication mode and password are set on both the local port and the peer port. Otherwise, dldp authentication fails. Z dldp cannot work before dldp authentication succeeds. Exa...
Page 206
1-5 examples # set the interval for sending dldp advertisement packets to 6 seconds. System-view system view: return to user view with ctrl+z. [sysname] dldp interval 6 dldp reset syntax dldp reset view system view, ethernet port view parameters none description in system view: use the dldp reset co...
Page 207
1-6 manual: prompts the user to disable manually the corresponding port when dldp detects an unidirectional link or finds in the enhanced mode that the peer port is down. After the port is disabled, it can only send and receive recover probe and recover echo packets. Description use the dldp unidire...
Page 208
1-7 examples # configure dldp to work in enhanced mode. System-view system view: return to user view with ctrl+z. [sysname] dldp work-mode enhance dldp delaydown-timer syntax dldp delaydown-timer delaydown-time undo dldp delaydown-timer view system view parameters delaydown-time: delaydown timer to ...
Page 209: Table of Contents
I table of contents 1 mac address table management configuration commands ······························································1-1 mac address table management configuration commands································································1-1 display mac-address aging-time···········...
Page 210: Commands
1-1 1 mac address table management configuration commands z this chapter describes the management of static, dynamic, and blackhole mac address entries. For information about the management of multicast mac address entries, refer to the “multicast protocol” part of the manual. Z the function of dest...
Page 211
1-2 display mac-address aging-time mac address aging time: no-aging the output information indicates that dynamic mac address entries do not age out. Display mac-address syntax display mac-address [ display-option ] view any view parameters display-option: option used to display specific mac address...
Page 212
1-3 description use the display mac-address command to display information about mac address entries in the mac address table, including: mac address, vlan and port corresponding to the mac address, the type (static or dynamic) of a mac address entry, whether a mac address is within the aging time a...
Page 213
1-4 display port-mac syntax display port-mac view any view parameters none description use the display port-mac command to display the configured start port mac address for the ethernet ports on the switch, that is, the mac address of ethernet 1/0/1. Related commands: port-mac. Examples # display th...
Page 215
1-6 view system view parameters none description use the mac-address aging destination-hit enable command to enable the destination mac address triggered update function. Use the undo mac-address aging destination-hit enable command to disable the function. With the destination mac address triggered...
Page 216
1-7 to prevent illegal devices from accessing the network through a port, you can configure static mac addresses and disable mac address learning for the port. Thus, only the packets destined for the configured mac addresses can be forwarded out the port. Related commands: mac-address, mac-address t...
Page 217
1-8 port-mac syntax port-mac start-mac-address undo port-mac view system view parameters start-mac-address: start mac address for the ethernet ports on the switch, in the format of h-h-h. It must be a valid unicast address. Description use the port-mac command to configure the start mac address for ...
Page 218: Table of Contents
I table of contents 1 auto detect configuration commands ···································································································1-1 auto detect configuration commands ···································································································1-1 de...
Page 219
1-1 1 auto detect configuration commands auto detect configuration commands z refer to the routing protocol part of the manual for information about static routing. Z refer to the vrrp part of the manual for information about vrrp. Detect-group syntax detect-group group-number undo detect-group grou...
Page 220
1-2 detect-list syntax detect-list list-number ip address ip-address [nexthop ip-address ] undo detect-list list-number view detected group view parameters list-number: sequence number of the ip address to be detected. This argument ranges from 1 to 10. Ip address ip-address: specifies the destinati...
Page 221
1-3 description use the display detect-group command to display the configuration of the specified detected group or all detected groups. Examples # display the configuration of detected group 1. Display detect-group 1 detect-group 1 : detect loop time(s) : 15 ping wait time(s) : 2 detect retry time...
Page 222
1-4 view system view parameters ip-address: ip address in dotted decimal notation. Mask: subnet mask. Mask-length: length of the subnet mask, that is, the number of successive bits in the subnet mask whose values are 1. Interface-type interface-number: interface type and interface number. Next-hop: ...
Page 223
1-5 parameters and: specifies the relationship between detected objects as logic and, which means that the detecting result is reachable only when all the detected objects contained in the detected group are reachable. Or: specifies the relationship between detected objects as logic or, which means ...
Page 224
1-6 description use the retry command to set the maximum retry times during a detect operation. Use the undo retry command to restore the default times. By default, the maximum retry times during a detect operation is two. Examples # specify the maximum number of retires to 3 for detected group 10. ...
Page 225
1-7 timer loop syntax timer loop interval undo timer loop view detected group view parameters seconds: detecting interval. This argument ranges form 1 to 86,400 (in seconds) and defaults to 15. Description use the timer loop command to set the detecting interval, that is, the frequency to perform au...
Page 226
1-8 system-view system view: return to user view with ctrl+z. [sysname] detect-group 10 [sysname-detect-group-10] timer wait 3 vrrp vrid track detect-group syntax vrrp vrid virtual-router-id track detect-group group-number [ reduced value-reduced ] undo vrrp vrid virtual-router-id track detect-group...
Page 227
1-9 after this configuration, if detected group 10 is reachable, the master keeps as master, and if detected group 10 is unreachable, the master decreases its priority by 20 and becomes a backup..
Page 228: Table of Contents
I table of contents 1 mstp configuration commands ·············································································································1-1 mstp configuration commands ············································································································1...
Page 229
Ii stp portlog all ·································································································································1-40 stp priority ······································································································································...
Page 230: Mstp Configuration Commands
1-1 1 mstp configuration commands the following commands were added: z the commands concerning stp maintenance. Refer to stp portlog and stp portlog all . Z the commands for displaying information about stp. Refer to display stp abnormalport , display stp portdown , and display stp root . Z the comm...
Page 231
1-2 system-view system view: return to user view with ctrl+z. [sysname] stp region-configuration [sysname-mst-region] active region-configuration bpdu-drop any syntax bpdu-drop any undo bpdu-drop any view ethernet port view parameters none description use the bpdu-drop any command to enable bpdu dro...
Page 232
1-3 description use the check region-configuration command to display the mst region-related configuration which is being modified currently, including region name, revision level, and vlan-to-msti mapping table. As specified in the mstp protocol, the configurations of mst regions must be right, esp...
Page 233
1-4 view any view parameters instance-id: id of the msti ranging from 0 to 16. The value of 0 refers to the common and internal spanning tree (cist). Interface-list: ethernet port list. You can specify multiple ethernet ports by providing this argument in the form of interface-list = { interface-typ...
Page 234
1-5 examples # display the brief state information of msti 0 on ethernet 1/0/1 through ethernet 1/0/4. Display stp instance 0 interface ethernet 1/0/1 to ethernet 1/0/4 brief mstid port role stp state protection 0 ethernet1/0/1 alte discarding loop 0 ethernet1/0/2 desi forwarding none 0 ethernet1/0/...
Page 235
1-6 protection type :none mstp bpdu format :config=auto / active=legacy port config digest snooping :disabled num of vlans mapped :1 porttimes :hello 2s maxage 20s fwdly 15s msgage 0s remhop 20 bpdu sent :0 tcn: 0, config: 0, rst: 0, mst: 0 bpdu received :0 tcn: 0, config: 0, rst: 0, mst: 0 table 1-...
Page 236
1-7 field description transmit limit the maximum number of packets sent within each hello time protection type protection type on the port, including root guard and loop guard mst bpdu format format of the mst bpdus that the port can send, which can be legacy or 802.1s. Config indicates the configur...
Page 237
1-8 table 1-4 description on the fields of the display stp abnormalport command field description mstid msti id in the mst region port port that has been blocked block reason the function blocking the port display stp portdown syntax display stp portdown view any view parameters none description use...
Page 238
1-9 description use the display stp region-configuration command to display the activated mst region configuration, including the region name, region revision level, and vlan-to-sti mappings configured for the switch. Related commands: stp region-configuration. Examples # display the configuration o...
Page 239
1-10 -------- -------------------- ------------ ------------- ----------- 0 32768.00e0-fc53-d908 0 200 ethernet1/0/18 table 1-7 description on the fields of the display stp root command field description mstid msti id in the mst region root bridge id id of the root bridge extpathcost cost of the ext...
Page 240
1-11 examples # map vlan 2 to msti 1. System-view system view: return to user view with ctrl+z. [sysname] stp region-configuration [sysname-mst-region] instance 1 vlan 2 region-name syntax region-name name undo region-name view mst region view parameters name: mst region name to be set for the switc...
Page 241
1-12 parameters interface-list: ethernet port list. You can specify multiple ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &, where & means that you can provide up to 10 port indexes/port index ran...
Page 243
1-14 view system view parameters none description use the stp bpdu-protection command to enable the bpdu guard function on the switch. Use the undo stp bpdu-protection command to restore to the default state of the bpdu guard function. By default, the bpdu guard function is disabled. Normally, the a...
Page 244
1-15 parameters bridgenum: network diameter to be set for a switched network. This argument ranges from 2 to 7. Description use the stp bridge-diameter command to set the network diameter of a switched network. The network diameter of a switched network is represented by the maximum possible number ...
Page 245
1-16 z legacy mode. Ports in this mode recognize/send packets in legacy format. Z 802.1s mode. Ports in this mode recognize/send packets in dot1s format. A port acts as follows according to the format of mstp packets forwarded by a peer switch or router. When a port operates in the automatic mode: z...
Page 246
1-17 according to ieee 802.1s, two interconnected switches can interwork with each other through mstis in an mst region only when the two switches have the same mst region-related configuration. With mstp enabled, interconnected switches determine whether or not they are in the same mst region by ch...
Page 247
1-18 [sysname] stp config-digest-snooping stp cost syntax stp [ instance instance-id ] cost cost undo stp [ instance instance-id ] cost view ethernet port view parameters instance-id: id of an msti ranging from 0 to 16. The value of 0 refers to the cist. Cost: path cost to be set for the port. The r...
Page 249
1-20 description use the stp edged-port enable command to configure the current ethernet port as an edge port. Use the stp edged-port disable command to configure the current ethernet port as a non-edge port. Use the undo stp edged-port command to restore the current ethernet port to its default sta...
Page 250
1-21 disable: disables mstp on the specified ports. Description use the stp interface command to enable or disable mstp on specified ports in system view. By default, mstp is enabled on the ports of a switch if mstp is globally enabled on the switch, and mstp is disabled on the ports if mstp is glob...
Page 251
1-22 by default, a port recognizes and sends mstp packets in the automatic mode. A port can be configured to recognize and send mstp packets in the following modes. Z automatic mode. Ports in this mode determine the format of the mstp packets to be sent according to the format of the received packet...
Page 252
1-23 &, where & means that you can provide up to 10 port indexes/port index ranges for this argument. Description use the stp interface config-digest-snooping command to enable the digest snooping feature on specific ports. Use the undo stp interface config-digest-snooping command to disable the dig...
Page 253
1-24 z when the digest snooping feature is enabled on a port, the port turns to the discarding state. That is, the port stops sending bpdu packets. The port is not involved in the stp calculation until it receives bpdu packets from the peer port. Z the digest snooping feature is needed only when you...
Page 254
1-25 z with the ieee 802.1t standard selected, the path cost of an ethernet port ranges from 1 to 200000000. Z with the proprietary standard selected, the path cost of an ethernet port ranges from 1 to 200000. Description use the stp interface cost command to set the path cost(s) of the specified po...
Page 255
1-26 use the stp interface edged-port disable command to configure the specified ethernet ports as non-edge ports in system view. Use the undo stp interface edged-port command to restore the specified ethernet ports to the default state. By default, all ethernet ports of a switch are non-edge ports....
Page 256
1-27 use the undo stp interface loop-protection command to restore the default state of the loop guard function in system view. The loop guard function is disabled by default. Related commands: stp loop-protection. With the loop guard function enabled, the root guard function and the edge port confi...
Page 257
1-28 examples # perform the mcheck operation for ethernet 1/0/3 in system view. System-view system view: return to user view with ctrl+z. [sysname] stp interface ethernet 1/0/3 mcheck stp interface no-agreement-check syntax stp interface interface-type interface-number no-agreement-check undo stp in...
Page 258
1-29 z the rapid transition feature can be enabled on root ports or alternate ports only. Z you can enable the rapid transition feature on the designated port, however, the feature does not take effect on the port. Examples # enable the rapid transition feature for ethernet 1/0/1. System-view system...
Page 259
1-30 these two commands apply to cist and mstis. If you configure the link to which a port is connected to be a point-to-point link (or a non-point-to-point link), the configuration applies to all mstis (that is, the port is configured to connect to a point-to-point link (or a non-point-to-point lin...
Page 260
1-31 examples # set the port priority of ethernet 1/0/3 in msti 2 to 16. System-view system view: return to user view with ctrl+z. [sysname] stp interface ethernet 1/0/3 instance 2 port priority 16 stp interface root-protection syntax stp interface interface-list root-protection undo stp interface i...
Page 261
1-32 examples # enable the root guard function for ethernet 1/0/1. System-view system view: return to user view with ctrl+z. [sysname] stp interface ethernet 1/0/1 root-protection stp interface transmit-limit syntax stp interface interface-list transmit-limit packetnum undo stp interface interface-l...
Page 262
1-33 view ethernet port view parameters none description use the stp loop-protection command to enable the loop guard function on the current port. Use the undo stp loop-protection command to restore the loop guard function to the default state on the current port. By default, the loop guard functio...
Page 263
1-34 the maximum hop count configured on the region roots of an mst region limits the size of the mst region. A configuration bpdu contains a field that maintains the remaining hops of the configuration bpdu. And a switch discards the configuration bpdus whose remaining hops are 0. After a configura...
Page 265
1-36 undo stp no-agreement-check view ethernet port view parameters none description use the stp no-agreement-check command to enable the rapid transition feature on a port. Use the stp no-agreement-check command to disable the rapid transition feature. By default, the rapid transition feature is di...
Page 266
1-37 view system view parameters dot1d-1998: uses the ieee 802.1d-1998 standard to calculate the default path costs of ports. Dot1t: uses the ieee 802.1t standard to calculate the default path costs of ports. Legacy: uses the proprietary standard to calculate the default path costs of ports. Descrip...
Page 267
1-38 examples # configure to use the ieee 802.1d-1998 standard to calculate the default path costs of ports. System-view system view: return to user view with ctrl+z. [sysname] stp pathcost-standard dot1d-1998 # configure to use the ieee 802.1t standard to calculate the default path costs of ports. ...
Page 268
1-39 examples # configure the link connected to ethernet 1/0/3 as a point-to-point link. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/3 [sysname-ethernet1/0/3] stp point-to-point force-true stp port priority syntax stp [ instance instance-id ] port prior...
Page 269
1-40 undo stp [ instance instance-id ] portlog view system view parameters instance instance-id: specifies an msti id, ranging from 0 to 16. The value of 0 indicates the cist. Description use the stp portlog command to enable log and trap message output for the ports of a specified instance. Use the...
Page 270
1-41 stp priority syntax stp [ instance instance-id ] priority priority undo stp [ instance instance-id ] priority view system view parameters instance-id: msti id ranging from 0 to 16. The value of 0 refers to the cist. Priority: switch priority to be set. This argument ranges from 0 to 61,440 and ...
Page 271
1-42 mst region-related parameters include: region name, revision level, and vlan-to-msti mapping table. By default: z mst region name is the first mac address of the switch z all vlans are mapped to the cist in the vlan-to-msti mapping table z the mstp revision level is 0 you can modify the three p...
Page 272
1-43 you can specify the current switch as the root bridge of an msti regardless of the priority of the switch. You can also specify the network diameter of the switched network by using the stp root primary command. The switch will then figure out the following three time parameters: hello time, fo...
Page 273
1-44 by default, a switch does not operate as a secondary root bridge. If you do not specify the instance-id argument, the two commands apply to only the cist. You can configure one or more secondary root bridges for an msti. If the switch operating as the root bridge fails or is turned off, the sec...
Page 274
1-45 related commands: stp interface root-protection. Examples # enable the root guard function on ethernet 1/0/1. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] stp root-protection stp tc-protection syntax stp tc-protection enabl...
Page 275
1-46 undo stp tc-protection threshold view system view parameters number: maximum number of times that a switch can remove the mac address table and arp entries within each 10 seconds, in the range of 1 to 255. Description use the stp tc-protection threshold command to set the maximum number of time...
Page 276
1-47 parameters centi-seconds: forward delay in centiseconds to be set. This argument ranges from 400 to 3,000. Description use the stp timer forward-delay command to set the forward delay of the switch. Use the undo stp timer forward-delay command to restore the forward delay to the default value. ...
Page 277
1-48 a root bridge regularly sends out configuration bpdus to maintain the stability of existing spanning trees. If the switch does not receive bpdu packets in a specified period, spanning trees will be recalculated because bpdu packets time out. When a switch becomes a root bridge, it regularly sen...
Page 278
1-49 2 × (forward delay – 1 second) >= max age, max age >= 2 × (hello time + 1 second). You are recommended to specify the network diameter of the switched network and the hello time parameter by using the stp root primary or stp root secondary command. After that, the three proper time-related para...
Page 279
1-50 stp transmit-limit syntax stp transmit-limit packetnum undo stptransmit-limit view ethernet port view parameters packetnum: maximum number of configuration bpdus a port can transmit in each hello time. This argument ranges from 1 to 255. Description use the stp transmit-limit command to set the...
Page 280
1-51 mstp uses a vlan-to-msti mapping table to describe vlan-to-msti mappings. You can use this command to establish the vlan-to-msti mapping table and map vlans to mstis in a specific way. Note that a vlan cannot be mapped to multiple different mstis at the same time. A vlan-to-msti mapping becomes...
Page 281
1-52 by default, the vlan-vpn tunnel function is disabled. Z the vlan-vpn tunnel function can only be enabled on stp-enabled devices. Z to enable the vlan-vpn tunnel function, make sure the links between operator’s networks are trunk links. Z if a fabric port exists on a switch, you cannot enable th...
Page 282: Table of Contents
I table of contents 1 ip routing table commands····················································································································1-1 ip routing table commands············································································································...
Page 283
Ii 4 ospf configuration commands··············································································································4-1 ospf configuration commands ············································································································4-1 abr-summary ··...
Page 284
Iii snmp-agent trap enable ospf·········································································································4-48 spf-schedule-interval ·····················································································································4-49 stub···········...
Page 285: Ip Routing Table Commands
1-1 1 ip routing table commands z the term router in this chapter refers to a router in a generic sense or an ethernet switch running a routing protocol. Z the s3600-si series do not support ospf. Z the feature of specifying the abr of an nssa area as the type-7 lsas translator is added. For the com...
Page 286
1-2 description use the display ip routing-table command to display the routing table summary. This command displays the summary of the routing table. Each line represents one route, containing destination address/mask length, protocol, preference, cost, next hop, and output interface. This command ...
Page 287
1-3 127.0.0.0/8 direct 0 0 127.0.0.1 inloopback0 127.0.0.1/32 direct 0 0 127.0.0.1 inloopback0 table 1-1 description on the fields of the display ip routing-table command field description destination/mask destination address/mask length protocol routing protocol pre route preference cost route cost...
Page 288
1-4 192.168.1.2/32 direct 0 0 127.0.0.1 inloopback0 for descriptions of the above fields, refer to table 1-1 . # display the detailed information of routes that match acl 2100. Display ip routing-table acl 2100 verbose routes matched by access-list 2100: + = active route, - = last active, # = both *...
Page 289
1-5 field description description of route state: activeu an active unicast route, where “u” represents unicast. Blackhole a blackhole route is similar to a reject route, but no icmp unreachable message is sent to the source. Delete a route is to be deleted. Gateway an indirect route. Hidden an exis...
Page 290
1-6 parameters ip-address :destination ip address, in dotted decimal notation. Mask: subnet mask, in dotted decimal notation. Mask-length : length of a subnet mask, in the range of 0 to 32. Longer-match : specifies all the routes that lead to the destination address and match the specified mask. If ...
Page 292
1-8 verbose : with this keyword specified, detailed information of routes in the active or inactive state that match the ip prefix list is displayed. With this keyword not specified, brief information of only the routes in the active state that match the prefix list is displayed. Description use the...
Page 293
1-9 parameters protocol : you can provide one of the following values for this argument. Z direct :displays direct-connect route information z ospf : displays ospf route information. Z ospf-ase : displays ospf ase route information. Z ospf-nssa : displays ospf not-so-stubby area (nssa) route informa...
Page 295
1-11 o_ase 0 0 0 0 o_nssa 0 0 0 0 total 28 5 29 1 table 1-4 description on the fields of the display ip routing-table statistics command field description proto routing protocol type o_ase: ospf_ase o_nssa: ospf nssa aggre: aggregation protocol route total number of routes active number of active ro...
Page 296
1-12 **destination: 1.1.1.1 mask: 255.255.255.255 protocol: #direct preference: 0 *nexthop: 127.0.0.1 interface: 127.0.0.1(inloopback0) state: age: 20:17:42 cost: 0/0 **destination: 2.2.2.0 mask: 255.255.255.0 protocol: #direct preference: 0 *nexthop: 2.2.2.1 interface: 2.2.2.1(vlan-interface2) stat...
Page 297
1-13 o_ase 0 0 0 0 o_nssa 0 0 0 0 total 4 4 12 8 # clear the routing statistics of all protocols from the ip routing table. Reset ip routing-table statistics protocol all # display the routing statistics in the ip routing table. Display ip routing-table statistics routing tables: proto route active ...
Page 298
2-1 2 static route configuration commands the term router in this chapter refers to a router in a generic sense or an ethernet switch running a routing protocol. Static route configuration commands delete static-routes all syntax delete static-routes all view system view parameters none description ...
Page 300
2-3 z you cannot configure an interface address of the local switch as the next hop address of a static route. Z you can configure a different preference to implement flexible route management policy. Related commands: display ip routing-table. Examples # configure the next hop of the default route ...
Page 301: Rip Configuration Commands
3-1 3 rip configuration commands the term router in this chapter refers to a router in a generic sense or an ethernet switch running a routing protocol. Rip configuration commands checkzero syntax checkzero undo checkzero view rip view parameters none description use the checkzero command to enable ...
Page 302
3-2 default cost syntax default cost value undo default cost view rip view parameters value : default cost, in the range of 1 to 16. Description use the default cost command to set the default cost for redistributed routes. Use the undo default cost command to restore the default. By default, the de...
Page 303
3-3 rip is running checkzero is on default cost : 1 summary is on preference : 100 traffic-share-across-interface is off period update timer : 30 timeout timer : 180 garbage-collection timer : 120 no peer router network : 202.38.168.0 table 3-1 description on the fields of the display rip command fi...
Page 304
3-4 description use the display rip interface command to display rip interface information. Examples # display rip interface information. Display rip interface rip interface: public net address interface ver metrin/out input output split-horizon 1.0.0.1 vlan-interface100 2 0/1 on on on table 3-2 des...
Page 305
3-5 a = active i = inactive g = garbage collection c = change t = trigger rip destination/mask cost nexthop age sourcegateway att 192.168.110.0/24 1 31.31.31.8 7s 31.31.31.8 a 200.1.1.0/24 1 31.31.31.8 7s 31.31.31.8 a 130.1.0.0/16 1 31.31.31.8 7s 31.31.31.8 a table 3-3 description on the fields of t...
Page 306
3-6 process-id : process id of the routing protocol whose routing information is to be filtered, in the range of 1 to 65535. This argument is valid only for ospf, ospf-ase, and ospf-nssa. Description use the filter-policy export command to enable rip to filter the outgoing routing information. Use t...
Page 307
3-7 description use the filter-policy gateway command to enable rip to filter the routing information advertised by a specified address. Use the undo filter-policy gateway command to disable rip from filtering the routing information advertised by a specified address. Use the filter-policy import co...
Page 309
3-9 network syntax network network-address undo network network-address view rip view parameters network-address : network/ip address of an interface, in dotted decimal notation. Description use the network command to enable rip on an interface attached to the specified network segment. Use the undo...
Page 310
3-10 description use the peer command to specify the ip address of a neighbor, where routing updates destined for the peer are unicast, rather than multicast or broadcast. Use the undo peer command to remove the ip address of a neighbor. By default, no neighbor is specified. This command is used for...
Page 311
3-11 reset syntax reset view rip view parameters none description use the reset command to reset the system configuration parameters of rip. When you need to re-configure the parameters of rip, you can use this command to restore the default. Examples # reset the rip system configuration. System-vie...
Page 312
3-12 note that the interface-related parameters configured previously would be invalid after rip is disabled. Examples # enable rip and enter rip view. System-view system view: return to user view with ctrl+z. [sysname] rip [sysname-rip] rip authentication-mode syntax rip authentication-mode { simpl...
Page 313
3-13 you can configure ripv1 authentication mode in interface view, but the configuration will not take effect because ripv1 does not support authentication. Examples # specify the interface vlan-interface 10 to use the simple authentication with the authentication key of aaa. System-view system vie...
Page 314
3-14 rip metricin syntax rip metricin value undo rip metricin view interface view parameters value : additional metric of rip routes received on an interface, in the range of 0 to 16. Description use the rip metricin command to configure an additional metric for rip routes received on an interface. ...
Page 315
3-15 by default, the additional metric of rip routes sent out of an interface is 1. With the command configured on an interface, the metric of rip routes sent on the interface will be increased. Related commands: rip metricin. Examples # set the additional metric of rip routes sent out of the interf...
Page 316
3-16 parameters none description use the rip split-horizon command to enable the split horizon function. Use the undo rip split-horizon command to disable the split horizon function. By default, the split horizon function is enabled. The split horizon function disables an interface from sending rout...
Page 317
3-17 table 3-4 receive mode of rip packets rip version rip-1 broadcast packet rip-2 broadcast packet rip-2 multicast packet rip-1 √ √ — rip-2 broadcast mode √ √ — rip-2 multicast mode — — √ table 3-5 send mode of rip packets rip version rip-1 broadcast packet rip-2 broadcast packet rip-2 multicast p...
Page 318
3-18 related commands: rip input, rip output. Examples # disable the interface vlan-interface 10 from receiving or sending rip packets. System-view system view: return to user view with ctrl+z. [sysname] interface vlan-interface 10 [sysname-vlan-interface10] undo rip work summary syntax summary undo...
Page 320
3-20 view rip view parameters none description use the traffic-share-across-interface command to enable traffic to be forwarded along multiple equivalent rip routes. Use the undo traffic-share-across-interface command to disable this function. By default, this function is disabled. When the number o...
Page 322
4-2 examples # summarize subnets 36.42.10.0/24 and 36.42.110.0/24, in ospf area 1 with summary route 36.42.0.0/16 and advertise it to other areas. System-view system view: return to user view with ctrl+z. [sysname] ospf 1 [sysname-ospf-1] area 1 [sysname-ospf-1-area-0.0.0.1] network 36.42.10.0 0.0.0...
Page 323
4-3 parameters ip-address : ip address of the summary route, in dotted decimal notation. Mask : ip address mask, in dotted decimal notation. Not-advertise : specifies not to advertise the summary route. If this argument is not provided, the summary route will be advertised. Tag value : tag value, wh...
Page 324
4-4 use the undo authentication-mode command to cancel the authentication attribute of this area. By default, an area does not support authentication attribute. All the routers in one area must use the same authentication mode (no authentication, simple text authentication, or md5 cipher text authen...
Page 325
4-5 type : default type of external routes redistributed by ospf. The value of this argument is 1 or 2. Description use the default command to configure the default parameters for redistributed routes, including cost, interval, limit, tag, and type. Use the undo default cost command to restore the d...
Page 326
4-6 you must use the stub command on all the routers connected to a stub area to configure the area with the stub attribute. Use the default-cost command to configure the cost of the default route advertised by an abr to a stub area or nssa. Ospf advertises a default route in the following cases: z ...
Page 327
4-7 cost value: specifies the cost value of the default route. The default route with the lowest cost value is preferred. The value of value ranges from 0 to 16777214. If no cost is specified, the default cost specified by the default cost command applies. Type type-value: specifies the type of the ...
Page 328
4-8 related commands: router id. Examples # display the router id. Display router id configured router id is 1.1.1.1 display ospf abr-asbr syntax display ospf [ process-id ] abr-asbr view any view parameters process-id : ospf process id, in the range of 1 to 65535. If you do not specify a process id...
Page 329
4-9 field description nexthop ip address of the next hop interface local output interface display ospf asbr-summary syntax display ospf [ process-id ] asbr-summary [ ip-address mask ] view any view parameters process-id : ospf process id, in the range of 1 to 65535. If you do not specify a process i...
Page 330
4-10 the count of route is 0 table 4-2 description on the fields of the display ospf asbr-summary command. Field description net network address of the summary route mask subnet mask of the summary route tag tag of the summary route status advertisement state of the summary route, including donotadv...
Page 331
4-11 priority: 1 designated router: 192.168.0.153 backup designated router: 192.168.0.154 timers: hello 10, dead 40, poll 40, retransmit 5, transmit delay 1 area 0.0.0.2: authtype: none flags: spf scheduled: 7/5 translator state: enabled interface: 30.1.1.1 (vlan-interface2) cost: 10 state: backupdr...
Page 332
4-12 field description flags area type flag: nssa: nssa area nssadefault: a default route is generated into the nssa. Nssanosummary: abr is disabled from advertising type-3 lsas into nssa. Nssanoredistribution: prohibits advertisement of redistributed routes into nssa. Stub: stub area stubdefault: a...
Page 333
4-13 display ospf cumulative syntax display ospf [ process-id ] cumulative view any view parameters process-id : ospf process id, in the range of 1 to 65535. If you do not specify a process id, this command applies to all current ospf processes. Description use the display ospf cumulative command to...
Page 334
4-14 rtr: 1 net: 0 sumasb: 0 sumnet: 1 routing table: intra area: 1 inter area: 0 ase: 0 table 4-4 description on the fields of the display ospf cumulative command field description type type of input/output ospf packet: hello: hello packet db description: database description packet link-state req:...
Page 335
4-15 description use the display ospf error command to display ospf error information. Examples # display the ospf error information. Display ospf error ospf process 1 with router id 1.1.1.1 ospf packet error statistics: 0: ip: received my own packet 0: ospf: wrong packet type 0: ospf: wrong version...
Page 336
4-16 field description ospf: packet size > ip length ospf packet size exceeds ip packet length ospf: transmit error ospf transmission error ospf: interface down ospf interface is down, unavailable ospf: unknown neighbor ospf neighbors are unknown hello: netmask mismatch network mask mismatch hello: ...
Page 337
4-17 display ospf interface syntax display ospf [ process-id ] interface [interface-type interface-number ] view any view parameters process-id : ospf process id, in the range of 1 to 65535. If you do not specify a process id, this command applies to all current ospf processes. Interface-type interf...
Page 338
4-18 field description priority priority of dr for interface election designated router dr on the network in which the interface resides backup designated router bdr on the network in which the interface resides ospf timers, defined as follows: hello interval of hello packet dead interval of dead ne...
Page 339
4-19 description use the display ospf lsdb command to display the database information about ospf connecting state. If no ospf process is specified, lsdb information of all ospf processes is displayed. Examples # display the database information about ospf connection state. Display ospf lsdb ospf pr...
Page 340
4-20 field description where location of the lsa, used to indicate in which stage of the route calculation the lsa is: uninitialized: the lsa is not initialized or is originated by another router. Clist: the lsa is on the candidate list. Spftree: the lsa is in the spf tree. Sumasb list: the lsa is i...
Page 341
4-21 field description options options of the lsa: o: opaque lsa advertisement and reception capability e: as external lsa reception capability ea: external extended lsa reception and forwarding capability dc: on-demand link support n: nssa external lsa support p: capability of an nssa abr to transl...
Page 342
4-22 table 4-9 description on the fields of the display ospf nexthop command field description next hops detailed information of next hops address ip address of next hop type type of next hop refcount reference count of the next hop, namely, number of routes using the next hop intf addr ip address o...
Page 343
4-23 field description state state of a neighbor: down: this is the initial state of a neighbor conversation. Init: in this state, the router has seen a hello packet from the neighbor. However, the router has not established bidirectional communication with the neighbor (the router itself did not ap...
Page 344
4-24 field description state state of a neighbor router, including down init attempt 2-way exstart exchange loading full if the neighbor router is a designated router, dr will be attached to the state. If the neighbor route is a backup designated router, bdr will be attached. If the neighbor route i...
Page 345
4-25 field description full it indicates that database synchronization between the routers that have established neighbor relation has been completed, and their link state databases have been consistent total total number of neighbors in various states display ospf request-queue syntax display ospf ...
Page 346
4-26 display ospf retrans-queue syntax display ospf [ process-id ] retrans-queue view any view parameters process-id : ospf process id, in the range of 1 to 65535. If you do not specify a process id, this command applies to all current ospf processes. Description use the display ospf retrans-queue c...
Page 347
4-27 view any view parameters process-id : ospf process id, in the range of 1 to 65535. If you do not specify a process id, this command applies to all current ospf processes. Description use the display ospf routing command to display the information about ospf routing table. Examples # display osp...
Page 348
4-28 view any view parameters process-id : ospf process id, in the range of 1 to 65535. If you do not specify a process id, this command applies to all current ospf processes. Description use the display ospf vlink command to display the information about ospf virtual links. Examples # display ospf ...
Page 352
4-32 log-peer-change syntax log-peer-change undo log-peer-change view ospf view parameters none description use the log-peer-change command to enable logging of ospf neighbor state changes. Use the undo log-peer-change command to disable logging of ospf neighbor state changes. By default, logging of...
Page 353
4-33 examples # set the number of ospf ecmp routes to 2. System-view system view: return to user view with ctrl+z. [sysname] ospf 1 [sysname-ospf-1] multi-path-number 2 network syntax network ip-address wildcard-mask undo network ip-address wildcard-mask view ospf area view parameters ip-address: ip...
Page 354
4-34 view ospf area view parameters default-route-advertise : redistributes a default route into an nssa. No-import-route : redistributes no routes into an nssa. No-summary : advertises only a default route in a type-3 summary lsa into the nssa area and disables the abr from transmitting any other t...
Page 355
4-35 after an ospf area is configured as a stub area, the abr in the area automatically advertises a default route into the attached nssa area. After an area is configured as an nssa area, however, no abr or asbr in the area will automatically advertise a default route into the attached nssa. Exampl...
Page 356
4-36 z to run ospf, a router must have a router id specified. If no router id is specified, the system will automatically select one of the router interface ip addresses as the router id. Z if a router runs multiple ospf processes, you are recommended to specify a router id for each process by using...
Page 357
4-37 examples # configure area 1 where the network segment 131.119.0.0 of interface vlan-interface 10 resides to support md5 cipher text authentication. Set the authentication key identifier to 15 and the authentication key to abc. System-view system view: return to user view with ctrl+z. [sysname] ...
Page 358
4-38 undo ospf dr-priority view interface view parameters priority : designated router (dr) election priority of the interface, in the range of 0 to 255. Description use the ospf dr-priority command to configure the dr election priority of the interface. Use the undo ospf dr-priority command to rest...
Page 359
4-39 examples # bind mib operations to ospf process 100. System-view system view: return to user view with ctrl+z. [sysname] ospf mib-binding 100 ospf mtu-enable syntax ospf mtu-enable undo ospf mtu-enable view interface view parameters none description use the ospf mtu-enable command to add the int...
Page 360
4-40 view interface view parameters broadcast : specifies the network type as broadcast. Nbma : specifies the network type as nbma. P2mp : specifies the network type as point-to-multipoint. Unicast : sends packets to unicast addresses. P2p : specifies the network type as point-to-point. Description ...
Page 361
4-41 [sysname] interface vlan-interface 10 [sysname-vlan-interface10] ospf network-type nbma ospf timer dead syntax ospf timer dead seconds undo ospf timer dead view interface view parameters seconds: dead interval of the ospf neighbor. It is in seconds and ranges from 1 to 65535. Description use th...
Page 362
4-42 description use the ospf timer hello command to configure the interval for transmitting hello messages on an interface. Use the undo ospf timer hello command to restore the interval to the default. By default, the hello interval is z 10 seconds for an interface of p2p or broadcast z 30 seconds ...
Page 363
4-43 system-view system view: return to user view with ctrl+z. [sysname] interface vlan-interface 20 [sysname-vlan-interface20] ospf timer poll 130 ospf timer retransmit syntax ospf timer retransmit interval undo ospf timer retransmit view interface view parameters interval: interval, in seconds, fo...
Page 364
4-44 parameters seconds : lsa transmission delay in seconds on an interface. It ranges from 1 to 3600. Description use the ospf trans-delay command to configure the lsa transmission delay on an interface. Use the undo ospf trans-delay command to restore the default. By default, the lsa transmission ...
Page 365
4-45 [sysname] ospf 1 [sysname-ospf-1] peer 10.1.1.1 preference syntax preference [ ase ] value undo preference [ ase ] view ospf view parameters value: ospf protocol preference, in the range of 1 to 255. Ase : indicates the preference of a redistributed external route of the as. Description use the...
Page 366
4-46 after you use this command to reset an ospf process: z invalid lsa is cleared immediately before lsa times out. Z a new router id takes effect if the router id changes. Z dr and bdr are re-elected conveniently. Z ospf configuration before the restart will not lose. After this command is issued,...
Page 367
4-47 use the undo router id command to cancel the router id that has been set. If the router-id command is not used, a router id is set following these rules: z if loopback interfaces configured with ip addresses exist, the greatest loopback interface ip address will be used as the router id. Z if n...
Page 368
4-48 examples # disable interface vlan-interface 20 from transmitting ospf packet. System-view system view: return to user view with ctrl+z. [sysname] ospf 1 [sysname-ospf-1] silent-interface vlan-interface 20 snmp-agent trap enable ospf syntax snmp-agent trap enable ospf [ process-id ] [ ifauthfail...
Page 369
4-49 spf-schedule-interval syntax spf-schedule-interval interval undo spf-schedule-interval view ospf view parameters interval : spf calculation interval of ospf, in seconds. It ranges from 1 to 10. Description use the spf-schedule-interval command to configure the spf calculation interval of ospf. ...
Page 370
4-50 to configure an area as a stub area, all routers attached to it must be configured with this command. If the router is an abr, it will send a default route to the connected stub area. Use the default-cost command to configure the default route cost. In addition, you can specify the no-summary a...
Page 371
4-51 keyid: md5 authentication key id. It ranges from 1 to 255. It must be equal to the authentication key id of the virtually linked peer. Key :md5 authentication key. If you use simple text authentication key, you can input a string containing 1 to 16 characters. When you use the display current-c...
Page 372
5-1 5 ip routing policy configuration commands the term router in this chapter refers to a router in a generic sense or an ethernet switch running a routing protocol. Ip routing policy configuration commands apply cost syntax apply cost value undo apply cost view route policy view parameters value :...
Page 373
5-2 apply tag syntax apply tag value undo apply tag view route policy view parameters value : tag value of a route, in the range of 0 to 4294967295. Description use the apply tag command to configure a tag for a route. Use the undo apply tag command to remove the configuration. By default, no tag is...
Page 374
5-3 examples # display the information about the address prefix list named p1. Display ip ip-prefix p1 name index conditions ip-prefix / mask ge le p1 10 permit 10.1.0.0/16 17 18 table 5-1 description on the fields of the display ip ip-prefix command field description name name of an ip-prefix index...
Page 375
5-4 table 5-2 description on the fields of the display route-policy command field description route-policy name of a routing policy information about the routing policy with the matching mode configured as permit and the node as 10. If-match (ip-prefix) p1 matching conditions permit 10 apply cost 10...
Page 376
5-5 view route policy view parameters value : route cost, in the range of 0 to 4294967295. Description use the if-match cost command to configure a cost matching rule for routing information. Use the undo if-match cost command to remove the configuration. By default, no cost matching rule is defined...
Page 378
5-7 parameters value : tag value, in the range of 0 to 4294967295. Description use the if-match tag command to configure the tag matching rule for routing information. Use the undo if-match tag command to remove the matching rule. By default, no the tag matching rule for routing information is defin...
Page 379
5-8 to", and the meaning of less-equal is "less than or equal to". The range is len greater-equal less-equal greater-equal is used, it denotes the prefix range [greater-equal, 32]. When only less-equal is used, it denotes the prefix range [len, less-equal]. When both greater-equal and less-equal are...
Page 380
5-9 node : specifies a node index in a routing policy. Node-number : index of the node in a routing policy, in the range 0 to 2047. When this routing policy is used, the node with smaller node-number will be matched first. Description use the route-policy command to create a routing policy or enter ...
Page 381
6-1 6 route capacity configuration commands z the term router in this chapter refers to a router in a generic sense or an ethernet switch running a routing protocol. Z the s3600-si series do not support route capacity configuration. Route capacity configuration commands display memory syntax display...
Page 382
6-2 field description used rate memory occupation rate display memory limit syntax display memory limit mode any view parameters none description use the display memory limit command to display the memory setting and state information of the switch. This command displays the current memory limit con...
Page 384
6-4 examples # set the lower limit of the switch free memory to 1 mb and the safety value to 3 mb. System-view system view: return to user view with ctrl+z. [sysname] memory safety 3 limit 1 memory auto-establish disable syntax memory auto-establish disable view system view parameters none descripti...
Page 385
6-5 description use the memory auto-establish enable command to enable automatic connections of routing protocols when the free memory of the switch recovers to the specified value. Use the memory auto-establish disable command to disable this function. By default, when the free memory of the switch...
Page 386: Table of Contents
I table of contents 1 common multicast configuration commands ·······················································································1-1 common multicast configuration commands ························································································1-1 display mac-add...
Page 387
Ii display pim bsr-info··························································································································3-4 display pim interface························································································································3-4 displa...
Page 388
Iii display igmp-snooping group ··········································································································5-2 display igmp-snooping statistics······································································································5-3 igmp-snooping ······...
Page 389
1-1 1 common multicast configuration commands the following are new features in this set of manuals: z enabling multicast packet buffering. The related commands are multicast storing-enable and multicast storing-packet . Z configuring multicast source lifetime. The related command is source-lifetime...
Page 390
1-2 related commands: mac-address multicast interface, mac-address multicast vlan. Examples # display the information of all static multicast mac entries in vlan 1. Display mac-address multicast static vlan 1 mac addr vlan id state port index aging time(s) 0100-0001-0001 1 config static ethernet1/0/...
Page 391
1-3 display mpm forwarding-table total 1 entry(entries) 00001. (120.0.0.2, 225.0.0.2) iif vlan-interface1200 1 oif(s): vlan-interface32 ethernet1/0/19 total 1 entry(entries) listed table 1-2 display mpm forwarding-table command output description field description total 1 entry(entries) total number...
Page 392
1-4 total 1 mac group(s). Vlan(id):1200. Total 1 ip group(s). Total 1 mac group(s). Static router port(s): dynamic router port(s): ethernet1/0/24 ip group(s):the following ip group(s) match to one mac group. Ip group address:224.1.1.1 static host port(s): dynamic host port(s): ethernet1/0/22 mac gro...
Page 393
1-5 parameters group-address: multicast group address, in the range of 224.0.0.0 to 239.255.255.255. With this argument provided, the command displays the forwarding entries for the specified multicast group. Source-address: multicast source address. With this argument provided, the command displays...
Page 394
1-6 field description (10.0.0.4, 225.1.1.1) multicast source and group addresses of the entry iif vlan-interface2, 0 oifs the incoming interface of the multicast forwarding table is vlan-interface 2, and the multicast forwarding table does not have an outgoing interface. Matched 122 pkts(183000 byte...
Page 395
1-7 multicast routing table total 3 entries (4.4.4.4, 224.2.149.17) uptime: 00:15:16, timeout in 272 sec upstream interface: vlan-interface1(4.4.4.6) downstream interface list: vlan-interface2(2.2.2.4), protocol 0x1: igmp (4.4.4.4, 224.2.254.84) uptime: 00:15:16, timeout in 272 sec upstream interfac...
Page 396
1-8 parameters interface-type: port type. Interface-number: port number. Description use the display multicast-source-deny command to display the multicast source port suppression status. Z with neither a port type nor a port number specified, the command displays the multicast source port suppressi...
Page 397
1-9 each multicast mac address entry contains multicast address, forward port, vlan id, and so on. Related commands: display mac-address multicast static. Examples # create a multicast mac address entry, with the multicast mac address of 0100-5e0a-0805 and a forwarding port of ethernet 1/0/1 in vlan...
Page 398
1-10 view any view parameters source-address: specifies a multicast source. Group-address: specifies a multicast group. Last-hop-router-address: specifies the last-hop router, which is the local device by default. Description use the mtracert command to trace the path down which the multicast traffi...
Page 399
1-11 table 1-6 mtracert command output description field description from last-hop router(192.168.2.2), trace reverse path to source 192.168.4.1 via rpf rules reverse path from the last-hop router (192.168.2.2) to the multicast source (192.168.4.1) -1 5.5.5.8 outgoing interface address of each hop, ...
Page 400
1-12 examples # set the maximum number of entries the multicast routing table can hold to 100. System-view system view: return to user view with ctrl+z. [sysname] multicast route-limit 100 multicast routing-enable syntax multicast routing-enable undo multicast routing-enable view system view paramet...
Page 401
1-13 with the multicast packet buffering feature enabled, multicast packets delivered to the cpu are buffered while the corresponding multicast forwarding entries are being created and forwarded out according to the multicast forwarding entries after entry creation. By default, this function is not ...
Page 402
1-14 interface-type interface-number) and/or one or more port ranges (in the form of interface-type interface-number1 to interface-type interface-number2, where interface-number2 must be greater than interface-number1). The total number of individual ports plus port ranges cannot exceed 10. For port...
Page 403
1-15 all: clears all the forwarding entries or the statistics information of all the forwarding entries. Without this keyword, the command clears the forwarding entries or the statistics information of the forwarding entries defined by the following parameters. Group-address: multicast group address...
Page 404
1-16 incoming-interface interface-type interface-number: clears the routing entries that match the specified incoming interface. Description use the reset multicast routing-table command to clear the routing entries in the multicast core routing table and remove the corresponding forwarding entries ...
Page 406
2-2 display igmp interface syntax display igmp interface [ interface-type interface-number ] view any view parameters interface-type interface-number: specifies an interface by its type and number. With this argument provided, the command displays the igmp configuration and running information on th...
Page 407
2-3 field description value of maximum query response time for igmp(in seconds): 10 the maximum response time for igmp general queries is 10 seconds (default). Value of robust count for igmp: 2 the igmp robustness variable is 2 (default). Value of startup query interval for igmp(in seconds): 15 the ...
Page 408
2-4 system-view system view: return to user view with ctrl+z. [sysname] multicast routing-enable [sysname] interface vlan-interface 10 [sysname-vlan-interface10] igmp enable igmp group-limit syntax igmp group-limit limit undo igmp group-limit view interface view parameters limit: the maximum number ...
Page 410
2-6 examples # configure a multicast group filter on vlan-interface 10 so that the hosts on the subnet attached to the interface can join only multicast group 225.1.1.1 and the interface accepts only igmpv2 reports. System-view system view: return to user view with ctrl+z. [sysname] acl number 2000 ...
Page 411
2-7 [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] port access vlan 10 [sysname-ethernet1/0/1] igmp group-policy 2000 vlan 10 igmp host-join port syntax igmp host-join group-address port interface-list undo igmp host-join group-address port interface-list view interface view parameters g...
Page 412
2-8 igmp host-join vlan syntax igmp host-join group-address vlan vlan-id undo igmp host-join group-address vlan vlan-id view ethernet port view parameters group-address: address of the multicast group to join. Vlan vlan-id: specifies the vlan to which the port belongs. The effective range for vlan-i...
Page 413
2-9 use the undo igmp lastmember-queryinterval command to restore the default. The igmp last-member query interval is 1 second by default. Related commands: igmp robust-count, display igmp interface. Examples # set the igmp last-member query interval to 3 seconds on vlan-interface 10. System-view sy...
Page 414
2-10 view interface view parameters interface-typeinterface-number: specifies the interface for which the current interface will act as the igmp proxy interface. Description use the igmp proxy command to configure the current interface as the igmp proxy interface for another interface on the layer 3...
Page 415
2-11 by default, an igmp querier sends two igmp group-specific query messages after receiving an igmp leave message. Related commands: igmp lastmember-queryinterval, display igmp interface. Examples # set the igmp robustness variable to 3 on vlan-interface 10. System-view system view: return to user...
Page 416
2-12 igmp timer query syntax igmp timer query seconds undo igmp timer query view interface view parameters seconds: igmp query interval, namely the interval between igmp general query messages, in the range of 1 to 65,535 seconds. Description use the igmp timer query command to configure the interva...
Page 417
2-13 the default igmp version is igmp version 2. The device cannot automatically switch between different igmp versions, so all the devices on a subnet must run the same version of igmp. Examples # run igmpv1 on vlan-interface 10. System-view system view: return to user view with ctrl+z. [sysname] i...
Page 418: Pim Configuration Commands
3-1 3 pim configuration commands pim configuration commands bsr-policy syntax bsr-policy acl-number undo bsr-policy view pim view parameters acl-number: acl number to be used in the bsr filtering policy, in the range of 2000 to 2999. Description use the bsr-policy command to limit the range of legal...
Page 419
3-2 view pim view parameters interface-type interface-number: specifies an interface that will be configured as a c-bsr. This configuration takes effect only after pim-sm is enabled on the interface. Hash-mask-len: length of the hash mask used for rp calculation. The effective range is 0 to 32. Prio...
Page 420
3-3 description use the c-rp command to configure an interface as a c-rp. Use the undo c-rp command to remove the configuration. By default, no c-rp is configured. For the configuration of a c-rp, a relatively large bandwidth should be reserved for the switch and other devices in the pim domain. Rel...
Page 421
3-4 [sysname] multicast routing-enable [sysname] pim [sysname-pim] crp-policy 3000 [sysname-pim] quit [sysname] acl number 3000 [sysname-acl-adv-3000] rule 0 permit source 1.1.1.1 0 destination 225.1.0.0 0.0.255.255 display pim bsr-info syntax display pim bsr-info view any view parameters none descr...
Page 422
3-5 view any view parameters interface-type interface-number: specifies an interface by its type and number. Description use the display pim interface command to display the pim configuration information. With an interface specified, the command displays the pim configuration information on the spec...
Page 423
3-6 view any view parameters interface interface-type interface-number: specifies an interface by its type and number. Description use the display pim neighbor command to display the pim neighbor information. With an interface specified, the command displays the pim neighbor information on the speci...
Page 424
3-7 mask: mask of the multicast group address, multicast source address, or rp address, 255.255.255.255 by default. Mask-length: mask length of the multicast group address, multicast source address, or rp address, in the range of 0 to 32. The system default is 32. Incoming-interface: displays multic...
Page 425
3-8 field description flag flag of (s, g) or (*, g) entry in the pim routing table: z spt: the (s, g) entry is on the spt. Z rpt: the (s, g) or (*, g) entry is on the rpt. Z wc: indicates the (*, g) entry. Z loc: the switch is connected with the multicast source directly. Uptime time when the entry ...
Page 426
3-9 expires: 00:01:40 table 3-5 display pim rp-info command output description field description pim-sm rp-set information: rp-set bsr is: ip address of the bsr group/masklen multicast group range served by the rp rp ip address of the rp version pim version priority rp priority uptime length of time...
Page 427
3-10 view interface view parameters none description use the pim bsr-boundary command to configure the current interface as the bsr service boundary, namely, the pim-sm domain border. Use the undo pim bsr-boundary command to remove the configured pim-sm domain border. By default, no pim-sm domain bo...
Page 428
3-11 related commands: multicast routing-enable. Examples # enable pim-dm on vlan-interface 10. System-view system view: return to user view with ctrl+z. [sysname] multicast routing-enable [sysname] interface vlan-interface 10 [sysname-vlan-interface10] pim dm pim neighbor-limit syntax pim neighbor-...
Page 429
3-12 view interface view parameters acl-number: basic acl number, in the range of 2,000 to 2,999. Description use the pim neighbor-policy command to configure a pim neighbor filter on the current interface. Use the undo pim neighbor-policy command to disable pim neighbor filtering on the current int...
Page 430
3-13 related commands: multicast routing-enable. Examples # enable the pim-sm protocol on vlan-interface 10. System-view system view: return to user view with ctrl+z. [sysname] multicast routing-enable [sysname] interface vlan-interface 10 [sysname-vlan-interface10] pim sm pim timer hello syntax pim...
Page 431
3-14 view pim view parameters acl-number: number of ip advanced acl that defines the rule for filtering the source and group addresses. The value ranges from 3000 to 3999. Only register messages that match the permit statement can be accepted by the rp. Description use the register-policy command to...
Page 433
3-16 undo spt-switch-threshold[ group-policy acl-number ] view pim view parameters infinity: specifies to disable rpt-to-spt switchover. Group-policy acl-number: applies the configuration to multicast groups that match the specified group policy, where acl-number indicates a basic acl number, rangin...
Page 434
3-17 source-lifetime syntax source-lifetime interval undo source-lifetime view pim view parameters interval: multicast source lifetime in seconds, with an effective range of 210 to 31536000. Description use the source-lifetime command to configure the multicast source lifetime, also known as (s, g) ...
Page 435
3-18 description use the source-policy command to configure the switch to filter the received multicast data packets as per the source address(es) or source and group addresses defined in the acl rule. Use the undo source-policy command to remove the configuration. If a basic acl is employed in the ...
Page 436
3-19 a static rp functions as a backup for the dynamically elected rp to improve network robustness. When the rp elected through the bsr mechanism functions, the static rp does not take effect. The same rp address must be configured on all the devices in the pim domain. The new configuration overwri...
Page 437: Msdp Configuration Commands
4-1 4 msdp configuration commands msdp configuration commands cache-sa-enable syntax cache-sa-enable undo cache-sa-enable view msdp view parameters none description use the cache-sa-enable command to enable the sa message caching mechanism. Use the undo cache-sa-enable command to disable the sa mess...
Page 438
4-2 description use the display msdp brief command to display the brief information of the msdp peer state. Examples # display the brief information of the msdp peer state. Display msdp brief msdp peer brief information peer's address state up/down time as sa count reset count 20.20.20.20 up 00:00:1...
Page 439
4-3 msdp peer 20.20.20.20, as 100 description: information about connection status: state: up up/down time: 14:41:08 resets: 0 connection interface: loopback0 (20.20.20.30) number of sent/received messages: 867/947 number of discarded output messages: 0 elapsed time since last connection or counters...
Page 440
4-4 field description elapsed time since last connection or counters clear time passed since the information of the msdp peer was last cleared information about (source, group)-based sa filtering policy sa message filtering list information z import policy: filter list for receiving sa messages from...
Page 441
4-5 as-number: as number, in the range of 1 to 65535. Description use the display msdp sa-cache command to display (s, g) entries in the sa cache. Note that: z this command gives the corresponding output only after the cache-sa-enable command is executed. Z if no group address is specified, this com...
Page 442
4-6 display msdp sa-count syntax display msdp sa-count [ as-number ] view any view parameters as-number: as number, in the range of 1 to 65535. Description use the display msdp sa-count command to display the number of (s, g) entries in the sa cache. The debugging output of this command is available...
Page 443
4-7 import-source syntax import-source [ acl acl-number ] undo import-source view msdp view parameters acl-number: basic or advanced ip acl number, ranging from 2000 to 3999. An acl controls sa message advertisement by filtering sources (with a basic acl) and filtering sources or groups (with an adv...
Page 444
4-8 description use the msdp command to enable msdp and enter msdp view. Use the undo msdp command to clear all configurations in msdp view, release resources occupied by msdp, and restore the initial state. Related commands: peer. Examples # enable msdp and enter msdp view. System-view system view:...
Page 445
4-9 msdp-tracert 10.10.1.1 225.2.2.2 20.20.20.20 max-hops 10 sa-info peer-info msdp tracert: press ctrl_c to break d-bit: set if have this (s,g) in cache but with a different rp rp-bit: set if this router is an rp nc-bit: set if this router is not caching sa's c-bit: set if this (s,g,rp) tuple is in...
Page 446
4-10 field description sa cache entry uptime length of time for which the cached (s, g) entry has been existing, in hours:minutes:seconds sa cache entry expiry time length of time in which the cached (s, g) entry will expire, in hours:minutes:seconds peering uptime: 10 minutes the time of the peerin...
Page 447
4-11 parameters peer-address: specifies an msdp peer by its ip address. Interface-type interface-number: specifies an interface by its type and number. The switch will use the primary address of this interface as the source ip to establish a tcp connection with the remote msdp peer. Description use ...
Page 448
4-12 system-view system view: return to user view with ctrl+z. [sysname] msdp [sysname-msdp] peer 125.10.7.6 description router cstmra peer mesh-group syntax peer peer-address mesh-group name undo peer peer-address mesh-group view msdp view parameters peer-address: ip address of the msdp peer to be ...
Page 449
4-13 use the undo peerminimum-ttl command to restore the system default. By default, the minimum required ttl value is 0. Related commands: peer. Examples # set the minimum required ttl value of encapsulated multicast packet to 10 so that only those multicast data packets with a ttl value greater th...
Page 450
4-14 view msdp view parameters peer-address: specifies an msdp peer by its ip address. Sa-limit: maximum number of (s, g) entries that can be cached, ranging from 1 to 2,048. Description use the peer sa-cache-maximum command to configure the maximum number of (s, g) entries learned from the specifie...
Page 451
4-15 related commands: peer. Examples # configure a filtering rule so that only those sa messages permitted by the acl 3100 are forwarded to the msdp peer 125.10.7.6. System-view system view: return to user view with ctrl+z. [sysname] acl number 3100 [sysname-acl-adv-3100] rule permit ip source 170....
Page 452
4-16 [sysname-acl-basic-2001] rule permit source 225.1.1.0 0.0.0.255 [sysname-acl-basic-2001] quit [sysname] msdp [sysname-msdp] peer 175.58.6.5 sa-request-policy acl 2001 reset msdp peer syntax reset msdp peer peer-address view user view parameters peer-address: specifies an msdp peer by its ip add...
Page 453
4-17 reset msdp statistics syntax reset msdp statistics [ peer-address ] view user view parameters peer-address: address of the msdp peer whose statistics information will be cleared. If no msdp peer address is specified, the statistics information of all msdp peers will be cleared. Description use ...
Page 454
4-18 static-rpf-peer syntax static-rpf-peer peer-address [ rp-policy ip-prefix-name ] undo static-rpf-peer peer-address view msdp view parameters peer-address: address of the static rpf peer to receive sa messages. Rp-policy ip-prefix-name: specifies a filtering policy based on rp addresses to filte...
Page 455
4-19 timer retry syntax timer retry seconds undo timer retry view msdp view parameters seconds: connection request retry interval in seconds, ranging from 1 to 60. Description use the timer retry command to configure the connection request retry interval. Use the undo timer retry command to restore ...
Page 456
5-1 5 igmp snooping configuration commands igmp snooping configuration commands display igmp-snooping configuration syntax display igmp-snooping configuration view any view parameters none description use the display igmp-snooping configuration command to display igmp snooping configuration informat...
Page 457
5-2 display igmp-snooping group syntax display igmp-snooping group [ vlan vlan-id ] view any view parameters vlan vlan-id: specifies the vlan in which the multicast group information is to be displayed, where vlan-id ranges from 1 to 4094.. If you do not specify a vlan, this command displays the mul...
Page 458
5-3 table 5-1 display igmp-snooping group command output description field description total 1 ip group(s). Total number of ip multicast groups in all vlans total 1 mac group(s). Total number of mac multicast groups in all vlans vlan(id): id of the vlan whose multicast group information is displayed...
Page 459
5-4 examples # display igmp snooping statistics. Display igmp-snooping statistics received igmp general query packet(s) number:1. Received igmp specific query packet(s) number:0. Received igmp v1 report packet(s) number:0. Received igmp v2 report packet(s) number:3. Received igmp leave packet(s) num...
Page 460
5-5 z although both layer 2 and layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously in the same vlan and on the corresponding vlan interface. Z before enabling igmp snooping in a vlan, be sure to enable igmp snooping globally in system view; otherwis...
Page 461
5-6 z the fast leave processing function works for a port only if the host attached to the port runs igmpv2 or igmpv3. Z the configuration performed in system view takes effect on all ports of the switch if no vlan is specified; if one or more vlans are specified, the configuration takes effect on a...
Page 462
5-7 related commands: igmp-snooping querier, igmp-snooping query-interval. Examples # configure the switch to send general query messages with the source ip address 2.2.2.2 in vlan 3. System-view system view, return to user view with ctrl+z. [sysname] igmp-snooping enable [sysname] vlan 3 [sysname-v...
Page 463
5-8 z to prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. Z when the number of multicast groups exceeds the configured limit, the switch removes ...
Page 464
5-9 z allow the port(s) to join only the multicast group(s) defined in the rule by a permit statement. Z inhibit the port(s) from joining the multicast group(s) defined in the rule by a deny statement. Z a port can belong to multiple vlans, you can configure only one acl rule per vlan on a port. Z i...
Page 465
5-10 [sysname-vlan2] port ethernet 1/0/2 [sysname-vlan2] quit z configure acl 2001 on ethernet1/0/2 to it to join any igmp multicast groups except those defined in the deny rule of acl 2001. [sysname] interface ethernet 1/0/2 [sysname-ethernet1/0/2] igmp-snooping group-policy 2001 vlan 2 igmp-snoopi...
Page 466
5-11 description use the igmp-snooping max-response-time command to configure the maximum response time in igmp general queries. Use the undo igmp-snooping max-response-time command to restore the default. By default, the maximum response time in igmp general queries is 10 seconds. An appropriate se...
Page 467
5-12 z if the function of dropping unknown multicast packets or the irf fabric function is enabled, you cannot enable the igmp snooping non-flooding function. Z the igmp snooping non-flooding function and the multicast source port suppression function cannot take effect at the same time. If both are...
Page 468
5-13 system view, return to user view with ctrl+z. [sysname] igmp-snooping enable [sysname] vlan 3 [sysname-vlan3] igmp-snooping enable [sysname-vlan3] igmp-snooping querier igmp-snooping query-interval syntax igmp-snooping query-interval seconds undo igmp-snooping query-interval view vlan view para...
Page 469
5-14 view system view parameters seconds: aging time of router ports, in the range of 1 to 1,000, in seconds. Description use the igmp-snooping router-aging-time command to configure the aging time of router ports. Use the undo igmp-snooping router-aging-time command to restore the default aging tim...
Page 470
5-15 [sysname -vlan100] igmp-snooping enable [sysname -vlan100] igmp-snooping version 3 igmp-snooping vlan-mapping syntax igmp-snooping vlan-mapping vlan vlan-id undo igmp-snooping vlan-mapping view system view parameters vlan vlan-id: vlan id, in the range of 1 to 4094. Description use the igmp-sno...
Page 471
5-16 port ranges cannot exceed 10. For port types and port numbers, refer to the parameter description in the “port basic configuration” part in this manual. Description use the igmp host-join port command to configure one or more ports under the current vlan interface as simulated member hosts to j...
Page 472
5-17 source-address: address of the multicast source to join. You can specify a multicast source address only when igmpv3 snooping is running in a vlan. Vlan vlan-id: id of the vlan to which the port belongs, in the range of 1 to 4094. Description use the igmp host-join command to configure the curr...
Page 473
5-18 parameters group-address: ip address of the multicast group to join, in the range of 224.0.0.0 to 239.255.255.255. Interface interface-list: specifies a port list. With the interface-list argument, you can define one or more individual ports (in the form of interface-type interface-number) and/...
Page 474
5-19 description use the multicast static-group vlan command to configure the current port in the specified vlan as a static member port for the specified multicast group. Use the undo multicast static-group vlan command to remove the current port in the specified vlan as a static member port for th...
Page 475
5-20 [sysname] vlan 10 [sysname-vlan10] multicast static-router-port ethernet1/0/1 multicast static-router-port vlan syntax multicast static-router-port vlan vlan-id undo multicast static-router-port vlan vlan-id view ethernet port view parameters vlan-id: vlan id the port belongs to, in the range o...
Page 476
5-21 reset igmp-snooping statistics service-type multicast syntax service-type multicast undo service-type multicast view vlan view parameters none description use the service-type multicast command to configure the current vlan as a multicast vlan. Use the undo service-type multicast command to rem...
Page 477: Table of Contents
I table of contents 1 802.1x configuration commands ············································································································1-1 802.1x configuration commands ··········································································································...
Page 478
Ii system-guard ip enable ···················································································································4-5 system-guard l3err enable···············································································································4-6 system-guard tc...
Page 479
1-1 1 802.1x configuration commands z the online user handshaking configuration is added. See dot1x handshake for related information. Z the configuration of 802.1x re-authentication is added. See dot1x re-authenticate . Z the configuration of the 802.1x re-authentication interval is added. See dot1...
Page 480
1-2 examples # display 802.1x-related information. Display dot1x global 802.1x protocol is enabled chap authentication is enabled dhcp-launch is disabled handshake is enabled proxy trap checker is disabled proxy logoff checker is disabled ead quick deploy is enabled configuration: transmit period 30...
Page 481
1-3 1. Authenticated user : mac address: 000d-88f6-44c1 controlled user(s) amount to 1 ethernet1/0/2 …… table 1-1 description on the fields of the display dot1x command field description equipment 802.1x protocol is enabled 802.1x protocol (802.1x for short) is enabled on the switch. Chap authentica...
Page 482
1-4 field description total maximum 802.1x user resource number the maximum number of 802.1x users that a switch can accommodate total current used 802.1x resource number the number of online supplicant systems ethernet1/0/1 is link-down ethernet 1/0/1 port is down. 802.1x protocol is disabled 802.1...
Page 483
1-5 parameters interface-list: ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &, in which interface-type specifies the type of an ethernet port and interface-number is the number of the port. The string “&” means that up ...
Page 484
1-6 undo dot1x authentication-method view system view parameters chap: authenticates using challenge handshake authentication protocol (chap). Pap: authenticates using password authentication protocol (pap). Eap: authenticates using extensible authentication protocol (eap). Description use the dot1x...
Page 485
1-7 parameters none description use the dot1x dhcp-launch command to specify an 802.1x-enabled switch to launch the process to authenticate a supplicant system when the supplicant system applies for a dynamic ip address through dhcp. Use the undo dot1x dhcp-launch command to disable an 802.1x-enable...
Page 486
1-8 z if you do not provide the interface-list argument, these two commands apply to all the ports of the switch. Z if you specify the interface-list argument, these two commands apply to the specified ports. In ethernet port view, the interface-list argument is not available and these two commands ...
Page 487
1-9 z to enable the proxy detecting function, you need to enable the online user handshaking function first. Z with the support of h3c proprietary clients, handshaking packets can be used to test whether or not a user is online. Z as clients that are not of h3c do not support the online user handsha...
Page 488
1-10 examples # enable the handshaking packet protection function. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] dot1x handshake secure dot1x max-user syntax dot1x max-user user-number[ interface interface-list ] undo dot1x max-u...
Page 491
1-13 dot1x quiet-period syntax dot1x quiet-period undo dot1x quiet-period view system view parameters none description use the dot1x quiet-period command to enable the quiet-period timer. Use the undo dot1x quiet-period command to disable the quiet-period timer. When a user fails to pass the authent...
Page 492
1-14 by default, a switch sends authentication request packets to a user for up to 2 times. After a switch sends an authentication request packet to a user, it sends another authentication request packet if it does not receive response from the user after a specific period of time. If the switch sti...
Page 493
1-15 dot1x re-authenticate syntax dot1x re-authenticate [ interface interface-list] undo dot1x re-authenticate [ interface interface-list] view system view, ethernet port view parameters interface-list: ethernet port list, in the form of interface-list= { interface-type interface-number [ to interfa...
Page 495
1-17 z sends trap packets without disconnecting the user, which can be achieved by using the dot1x supp-proxy-check trap command. This function needs the cooperation of 802.1x clients and the cams server: z multiple network adapter checking, proxy checking, and ie proxy checking are enabled on the 8...
Page 496
1-18 parameters handshake-period handshake-period-value: sets the handshake timer. This timer sets the handshake-period and is triggered after a supplicant system passes the authentication. It sets the interval for a switch to send handshake request packets to online users. If you set the number of ...
Page 497
1-19 description use the dot1x timer command to set a specified 802.1x timer. Use the undo dot1x timer command to restore a specified 802.1x timer to the default setting. During an 802.1x authentication process, multiple timers are triggered to ensure that the supplicant systems, the authenticator s...
Page 498
1-20 dot1x version-check syntax dot1x version-check [ interface interface-list] undo dot1x version-check [ interface interface-list] view system view, ethernet port view parameters interface-list: ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-typ...
Page 499
1-21 parameters interface-list: ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &, in which interface-type specifies the type of an ethernet port and interface-number is the number of the port. The string “&” means that up...
Page 501
2-2 dot1x timer acl-timeout syntax dot1x timer acl-timeout acl-timeout-value undo dot1x timer acl-timeout view system view parameters acl-timeout-value: acl timeout period (in minutes), in the range of 1 to 1440. Description use the dot1x timer acl-timeout command to configure the acl timeout period...
Page 502
2-3 system view: return to user view with ctrl+z. [sysname] dot1x url http://192.168.19.23.
Page 503: Habp Configuration Commands
3-1 3 habp configuration commands habp configuration commands display habp syntax display habp view any view parameters none description use the display habp command to display habp configuration and status. Examples # display habp configuration and status. Display habp global habp information: habp...
Page 504
3-2 display habp table syntax display habp table view any view parameters none description use the display habp table command to display the mac address table maintained by habp. Examples # display the mac address table maintained by habp. Display habp table mac holdtime receive port 001f-3c00-0030 ...
Page 505
3-3 habp counters : packets output: 0, input: 0 id error: 0, type error: 0, version error: 0 sent failed: 0 table 3-3 description on the fields of the display habp traffic command field description packets output number of the habp packets sent input number of the habp packets received id error numb...
Page 506
3-4 undo habp server view system view parameters vlan-id: vlan id, ranging from 1 to 4094. Description use the habp server vlan command to configure a switch to operate as an habp server. This command also specifies the vlan where habp packets are broadcast. Use the undo habp server vlan command to ...
Page 507
3-5 [sysname] habp timer 50
Page 508
4-1 4 system guard configuration commands system guard configuration commands display system-guard ip state syntax display system-guard ip state view any view parameters none description use the display system-guard ip state command to view the monitoring result and parameter settings of system guar...
Page 509
4-2 display system-guard ip-record syntax display system-guard ip-record view any view parameters none description use the display system-guard ip-record command to view the information about ip packets received by the cpu in the current monitoring cycle. Examples # view the information about ip pac...
Page 510
4-3 parameters none description use the display system-guard l3err state command to view the status of layer 3 error control. Examples # view the status of layer 3 error control. Display system-guard l3err state system-guard l3err status: enabled display system-guard tcn state syntax display system-...
Page 511
4-4 use the undo system-guard ip detect-maxnum command to restore the maximum number of infected hosts that can be monitored to the default setting. By default, system guard can monitor a maximum of 30 infected hosts. Examples # set the maximum number of infected hosts that can be concurrently monit...
Page 512
4-5 the correlations among the arguments of the system-guard ip detect-threshold command can be clearly described with this example: if you set ip-record-threshold, record-times-threshold and isolate-time to 30, 1 and 3 respectively, when the system detects successively three times that over 50 ip p...
Page 513
4-6 [sysname] system-guard ip enable system-guard l3err enable syntax system-guard l3err enable undo system-guard l3err enable view system view parameters none description use the system-guard l3err enable command to enable layer 3 error control. Use the undo system-guard l3err enable command to dis...
Page 514
4-7 system-guard tcn enable syntax system-guard tcn enable undo system-guard tcn enable view system view parameters none description use the system-guard tcn enable command to enable system guard against tcn attacks. Use the undo system-guard tcn enable command to disable system guard against tcn at...
Page 515
4-8 use the undo system-guard tcn rate-threshold command to restore the default threshold of tcn/tc packet receiving rate. By default, the default threshold of tcn/tc packet receiving rate is 1 pps. As the system monitoring cycle is 10 seconds, the system sends trap or log information, by default, i...
Page 516: Table of Contents
I table of contents 1 aaa configuration commands················································································································1-1 aaa configuration commands ·············································································································...
Page 517
Ii primary authentication ···················································································································1-39 radius client ···································································································································1-40 radi...
Page 518: Aaa Configuration Commands
1-1 1 aaa configuration commands z the maximum length of a domain name is changed from 24 characters to 128 characters. See domain . Z the configuration of isp domain delimiter is added. See domain delimiter . Z the configuration of hwtacacs authentication scheme for user level switching is added. S...
Page 520
1-3 new domain added. [sysname-isp-aabbcc.Net] accounting radius-scheme radius accounting optional syntax accounting optional undo accounting optional view isp domain view parameters none description use the accounting optional command to open the accounting-optional switch. Use the undo accounting ...
Page 521
1-4 view local user view parameters ip ip-address : sets the ip address of the user. Mac mac-address : sets the mac address of the user. Here, mac-address is in h-h-h format. Idle-cut second: enables the idle-cut function for the local user and sets the allowed idle time. Here, second is the allowed...
Page 522
1-5 view isp domain view parameters radius-scheme radius-scheme-name : specifies to use a radius authentication scheme. Here, radius-scheme-name is a string of up to 32 characters. Hwtacacs-scheme hwtacacs-scheme-name : specifies to use an hwtacacs authentication scheme. Here, hwtacacs-scheme-name i...
Page 523
1-6 # reference the radius scheme "rd" as the authentication scheme and the local scheme as the secondary authentication scheme of the isp domain aabbcc. System-view system view: return to user view with ctrl+z. [sysname] domain aabbcc new domain added. [sysname-isp-aabbcc] authentication radius-sch...
Page 525
1-8 description use the authorization vlan command to specify an authorized vlan for a local user. A user passing the authentication of the local radius server can access network resources in the authorized vlan. Use the undo authorization vlan command to remove the configuration. By default, no aut...
Page 526
1-9 vlan vlan-id: cuts down all user connections of a specified vlan. Here, vlan-id ranges from 1 to 4094. Ucibindex ucib-index: cuts down the user connection with a specified connection index. Here, ucib-index ranges from 0 to 2071. User-name user-name: cuts down the connection of a specified user....
Page 527
1-10 ucibindex ucib-index: displays the user connection with a specified connection index. Here, ucib-index ranges from 0 to 2071. User-name user-name: displays the connection of a specified user. Here, user-name is a character string in the format of pure-username@domain-name. The pure-username can...
Page 528
1-11 view any view parameters isp-name : name of an isp domain, a string of up to 128 characters. This must be the name of an existing isp domain. Description use the display domain command to display configuration information about one specific or all isp domains. Related commands: access-limit, do...
Page 529
1-12 field description messenger time settings of the messenger time service, which is for reminding online users of their remaining online time. The setting in this example indicates that the system starts to remind an online user (at an interval of 10 minutes) when the remaining online time is 30 ...
Page 530
1-13 state: active servicetype mask: l idle-cut: enable idle timeout: 3600 seconds access-limit: enable current accessnum: 1 max accessnum: 1024 bind location: 127.0.0.1/1/0/2 (nas/unitid/subslot/port) vlan id: 1 authorization vlan: 2 ip address: 192.168.0.108 mac address: 000d-88f6-44c1 total 1 loc...
Page 532
1-15 view system view parameters at : specifies “@” as the delimiter between the username and the isp domain name. Dot : specifies “.” as the delimiter between the username and the isp domain name. Description use the domain delimiter command to specify the delimiter form between the username and th...
Page 533
1-16 description use the idle-cut command to set the user idle-cut function in current isp domain. If a user’s traffic in the specified period of time is less than the specified amount, the system will disconnect the user. By default, this function is disabled. Note that if the authentication server...
Page 536
1-19 parameters limit : time limit in minutes, ranging from 1 to 60. The switch will send prompt messages at regular intervals to users whose remaining online time is less than this limit. Interval : interval to send prompt messages (in minutes). This argument ranges from 5 to 60 and must be a multi...
Page 538
1-21 [sysname] local-user user1 new local user added. [sysname-luser-user1] password simple 20030422 radius-scheme syntax radius-scheme radius-scheme-name view isp domain view parameters radius-scheme-name : name of a radius scheme, a string of up to 32 characters. Description use the radius-scheme ...
Page 539
1-22 description use the scheme command to configure an aaa scheme for current isp domain. Use the undo scheme command to restore the default aaa scheme configuration for the isp domain. By default, the isp domain uses the local aaa scheme. Note that: z when you execute the scheme command to referen...
Page 540
1-23 parameters url-string : url of the web page used to modify user password on the self-service server. It is a string of 1 to 64 characters. This string cannot contain any question mark "?". If the actual url of the self-service server contains a question mark, you should change it to an elect ba...
Page 541
1-24 ssh : authorizes the user to access the ssh service. Terminal : authorizes the user to access the terminal service (that is, allows the user to log into the switch through the console port). Level level : specifies the level of the telnet, terminal or ssh user. Here, level is an integer ranging...
Page 542
1-25 you may use the display domain command or the display local-user command to view the status information. Examples # set the isp domain aabbcc.Net to the block state, so that all its offline users cannot access the network. System-view system view: return to user view with ctrl+z. [sysname] doma...
Page 543
1-26 switch first creates a vlan with the assigned id, and then adds the port to the newly created vlan. Z string: if the radius authentication server assigns string type of vlan ids, you can set the vlan assignment mode to string on the switch. Then, upon receiving a string id assigned by the radiu...
Page 544
1-27 radius configuration commands accounting optional syntax accounting optional undo accounting optional view radius scheme view parameters none description use the accounting optional command to open the accounting-optional switch. Use the undo accounting optional command to close the accounting-...
Page 545
1-28 parameters times : maximum number of attempts to send an accounting-on message, ranging from 1 to 256 and defaulting to 15. If the maximum number has been reached but the switch still receives no response from the cams, the switch stops sending accounting-on messages. Interval : interval to sen...
Page 546
1-29 z after configuring the accounting-on enable command, you need to execute the save command so that the command can take effect when the switch restarts. Z this function requires the cooperation of the h3c cams system. Related commands: nas-ip. Examples # enable the user re-authentication at res...
Page 548
1-31 description use the display local-server statistics command to display the radius message statistics about local radius server. Related commands: local-server. Examples # display the radius message statistics about local radius server. Display local-server statistics on unit 1: the localserver ...
Page 549
1-32 retry sending times of noresponse acct-stop-pkt =500 quiet-interval(min) =5 username format =without-domain data flow unit =byte packet unit =1 calling_station_id format =xxxx-xxxx-xxxx in lowercase unit 1 : primary auth state=active, second auth state=block primary acc state=active, second acc...
Page 550
1-33 field description packet unit packet unit of data flow calling_station_id format mac address format of the calling-station-id (type 31) field in radius packets primary auth state status of the primary authentication server second auth state status of the secondary authentication server primary ...
Page 551
1-34 normal auth request , num=0 , err=0 , succ=0 eap auth request , num=0 , err=0 , succ=0 account request , num=0 , err=0 , succ=0 account off request , num=0 , err=0 , succ=0 pkt auth timeout , num=0 , err=0 , succ=0 pkt acct_timeout , num=0 , err=0 , succ=0 realtime account timer , num=0 , err=0...
Page 552
1-35 parameters here are used to display all the buffered stop-accounting requests generated from start-time to stop-time. User-name user-name: displays the buffered stop-accounting requests of a specified user. Here, user-name is a string of up to 184 characters. Description use the display stop-ac...
Page 553
1-36 description use the key command to set a shared key for radius authentication/authorization messages or accounting messages. Use the undo key command to restore the corresponding default shared key setting. By default, no shared key exists. Note that: z both radius client and server adopt md5 a...
Page 554
1-37 use the undo local-server command to disable the udp ports for local radius services. By default, the udp ports for local radius services are enabled. In addition to functioning as a radius client to provide remote radius authentication, authorization, and accounting services, the switch can ac...
Page 555
1-38 z when serving as a local radius server, the switch does not support eap authentication (that is you cannot set the 802.1x authentication method as eap by using the dot1x authentication-method eap command). Related commands: radius scheme, state, local-server enable. Examples # allow the local ...
Page 556
1-39 system view: return to user view with ctrl+z. [sysname] radius scheme radius1 new radius scheme [sysname-radius-radius1] nas-ip 10.1.1.1 primary accounting syntax primary accounting ip-address [ port-number ] undo primary accounting view radius scheme view parameters ip-address : ip address of ...
Page 557
1-40 parameters ip-address : ip address of the primary authentication/authorization server to be used, in dotted decimal notation. Port-number : udp port number of the primary authentication/authorization server, ranging from 1 to 65535. Description use the primary authentication command to set the ...
Page 558
1-41 parameters none description use the radius client enable command to enable radius authentication and accounting ports. Use the undo radius client command to disable radius authentication and accounting ports. By default, radius authentication and accounting ports are enabled. If you want to use...
Page 559
1-42 note that: z you can set the source ip address of outgoing radius messages to avoid messages returned from radius server from being unable to reach their destination due to physical interface trouble. It is recommended to use a loopback interface address as the source ip address. Z you can set ...
Page 561
1-44 reset radius statistics syntax reset radius statistics view user view parameters none description use the reset radius statistics command to clear radius message statistics. Related commands: display radius scheme. Examples # clear radius message statistics. Reset radius statistics reset stop-a...
Page 562
1-45 examples # delete the stop-accounting requests buffered for user user0001@aabbcc.Net. Reset stop-accounting-buffer user-name user0001@aabbcc.Net # delete the stop-accounting requests buffered from 0:0:0 08/31/2002 to 23:59:59 08/31/2002. Reset stop-accounting-buffer time-range 00:00:00-08/31/20...
Page 563
1-46 undo retry realtime-accounting view radius scheme view parameters retry-times : maximum allowed number of continuous real-time accounting failures, ranging from 1 to 255. Description use the retry realtime-accounting command to set the maximum allowed number of continuous real-time accounting f...
Page 564
1-47 new radius scheme [sysname-radius-radius1] retry realtime-accounting 10 retry stop-accounting syntax retry stop-accounting retry-times undo retry stop-accounting view radius scheme view parameters retry-times : maximum number of transmission attempts of a buffered stop-accounting request, rangi...
Page 565
1-48 view radius scheme view parameters ip-address : ip address of the secondary accounting server to be used, in dotted decimal notation. Port-number : udp port number of the secondary accounting server, ranging from 1 to 65535. Description use the secondary accounting command to set the ip address...
Page 566
1-49 examples # set the ip address and udp port number of the secondary authentication/authorization server for radius scheme radius1 to 10.110.1.2 and 1812 respectively. System-view system view: return to user view with ctrl+z. [sysname] radius scheme radius1 new radius scheme [sysname-radius-radiu...
Page 567
1-50 view radius scheme view parameters primary : specifies that the server to be set is a primary radius server. Secondary : specifies that the server to be set is a secondary radius server. Accounting : specifies that the server to be set is a radius accounting server. Authentication : specifies t...
Page 568
1-51 view radius scheme view parameters none description use the stop-accounting-buffer enable command to enable the switch to buffer the stop-accounting requests that get no response. Use the undo stop-accounting-buffer enable command to disable the switch from buffering the stop-accounting request...
Page 569
1-52 by default, the response timeout time of radius servers is 3 seconds. Note that: z after sending out a radius request (authentication/authorization request or accounting request) to a radius server, the switch waits for a response from the server. The maximum time that the switch can wait for t...
Page 570
1-53 system view: return to user view with ctrl+z. [sysname] radius scheme radius1 new radius scheme [sysname-radius-radius1] timer quiet 10 timer realtime-accounting syntax timer realtime-accounting minutes undo timer realtime-accounting view radius scheme view parameters minutes : real-time accoun...
Page 571
1-54 [sysname] radius scheme radius1 new radius scheme [sysname-radius-radius1] timer realtime-accounting 51 timer response-timeout syntax timer response-timeout seconds undo timer response-timeout view radius scheme view parameters seconds : response timeout time of radius servers, ranging from 1 t...
Page 572
1-55 view radius scheme view parameters with-domain : specifies to include isp domain names in the usernames to be sent to radius server. Without-domain : specifies to exclude isp domain names from the usernames to be sent to radius server. Description use the user-name-format command to set the for...
Page 574
1-57 related commands: hwtacacs scheme. Examples # display configuration information of hwtacacs scheme ht1. Display hwtacacs ht1 -------------------------------------------------------------------- hwtacacs-server template name : ht1 primary-authentication-server : 172.31.1.11:49 primary-authorizat...
Page 575
1-58 examples # display stop-accounting requests buffered for hwtacacs scheme hwt1. Display stop-accounting-buffer hwtacacs-scheme hwt1 hwtacacs nas-ip syntax hwtacacs nas-ip ip-address undo hwtacacs nas-ip view system view parameters ip-address : source ip address to be set, an ip address of this d...
Page 576
1-59 parameters hwtacacs-scheme-name : hwtacacs scheme name, a string of 1 to 32 characters. Description use the hwtacacs scheme command to create an hwtacacs scheme and enter its view. Use the undo hwtacacs scheme command to delete an hwtacacs scheme. By default, no hwtacacs scheme exists. If the f...
Page 577
1-60 examples # use hello as the shared key for hwtacacs accounting messages in hwtacacs scheme hwt1. System-view system view: return to user view with ctrl+z. [sysname] hwtacacs scheme hwt1 [sysname-hwtacacs-hwt1] key accounting hello nas-ip syntax nas-ip ip-address undo nas-ip view hwtacacs scheme...
Page 578
1-61 view hwtacacs scheme view parameters ip-address : ip address of the primary accounting server to be used, a valid unicast address in dotted decimal notation. Port : port number of the primary accounting server, ranging from 1 to 65535. Description use the primary accounting command to set the i...
Page 579
1-62 use the undo primary authentication command to restore the default ip address and port number of the primary hwtacacs authentication server, which are 0.0.0.0 and 49 respectively. Note that: z you are not allowed to set the same ip address for both primary and secondary authentication servers. ...
Page 580
1-63 examples # set the ip address and udp port number of the primary authorization server for hwtacacs scheme hwt1 to 10.163.155.13 and 49 respectively. System-view system view: return to user view with ctrl+z. [sysname] hwtacacs scheme hwt1 [sysname-hwtacacs-hwt1] primary authorization 10.163.155....
Page 581
1-64 related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer . Examples # delete the stop-accounting requests buffered for hwtacacs scheme hwt1. Reset stop-accounting-buffer hwtacacs-scheme hwt1 retry stop-accounting syntax retry stop-accounting retry-t...
Page 582
1-65 parameters ip-address : ip address of the secondary accounting server to be used, a valid unicast address in dotted decimal notation. Port : port number of the secondary accounting server, ranging from 1 to 65535. Description use the secondary accounting command to set the ip address and port n...
Page 583
1-66 z you are not allowed to set the same ip address for both primary and secondary authentication servers. If you do this, your setting will fail. Z if you re-execute the command, the new setting overwrites the old one. Z you can remove an authentication server setting only when there is no active...
Page 584
1-67 system-view system view: return to user view with ctrl+z. [sysname] hwtacacs scheme hwt1 [sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 timer quiet syntax timer quiet minutes undo timer quiet view hwtacacs scheme view parameters minutes : wait time before primary server state ...
Page 585
1-68 use the undo timer realtime-accounting command to restore the default real-time accounting interval. By default, the real-time accounting interval is 12 minutes. Note that: z to control the interval at which users are charged in real time, you can set the real-time accounting interval. After th...
Page 586
1-69 by default, the response timeout time of tacacs servers is five seconds. As hwtacacs is based on tcp, both server response timeout and tcp timeout may cause disconnection from tacacs server. Related commands: display hwtacacs. Examples # set the response timeout time of tacacs servers to 30 sec...
Page 587
1-70 system-view system view: return to user view with ctrl+z. [sysname] hwtacacs scheme hwt1 [sysname-hwtacacs-hwt1] user-name-format without-domain.
Page 589: Table of Contents
I table of contents 1 web authentication configuration commands ·····················································································1-1 web authentication configuration commands ·······················································································1-1 display web-au...
Page 590
1-1 1 web authentication configuration commands web authentication configuration commands display web-authentication configuration syntax display web-authentication configuration view any view parameters none description use the display web-authentication configuration command to display all web aut...
Page 591
1-2 table 1-1 description on the fields of display web-authentication configuration field description status global status of web authentication web server ip address and port number of the web authentication server idle-cut time idle user checking interval free ip free ip address range information ...
Page 592
1-3 table 1-2 description on the fields of display web-authentication connection field description username name of an online web-authentication user mac mac address of the user interface access port of the user vlan vlan the user belongs to method access method of the user, shared or designated. St...
Page 593
1-4 parameters none description use the web-authentication enable command to enable web authentication globally. Use the undo web-authentication enable command to disable web authentication globally. Web authentication cannot be enabled when one of the following features is enabled, and vice versa: ...
Page 594
1-5 z the to-be-set free ip address range cannot include the web authentication server’s ip address. Z at most four free ip address range can be set. Examples # set ip address range 10.1.1.0/24 as a free address range. System-view system view: return to user view with ctrl+z. [sysname] web-authentic...
Page 595
1-6 examples # set the user with ip address 192.168.0.108 and mac address 0010-0020-0030 as an authentication-free user. System-view system view: return to user view with ctrl+z. [sysname] web-authentication free-user ip 192.168.0.108 mac 0010-0020-0030 web-authentication max-connection syntax web-a...
Page 596
1-7 designated: sets the web authentication access method on the port to designated. Description use the web-authentication select command to enable web authentication on the current port and set the web authentication access method on the port. Use the undo web-authentication select command to disa...
Page 597
1-8 use the undo web-authentication timer idle-cut command to restore the default. By default, the idle user checking interval is 900 seconds for web authentication. The idle user checking interval is the interval at which the system checks whether a user is idle. When a user is found idle, if the c...
Page 598
1-9 before enabling web authentication globally, you should first set the ip address of the web authentication server. Examples # set the ip address and port number of the web authentication server to 192.168.0.56 and 80. System-view system view: return to user view with ctrl+z. [sysname] web-authen...
Page 599: Table of Contents
I table of contents 1 mac address authentication configuration commands ·····································································1-1 mac address authentication basic function configuration commands ···············································1-1 display mac-authentication ············...
Page 600: Commands
1-1 1 mac address authentication configuration commands z the configuration of fixed password when setting the user name in mac address mode for mac address authentication is added. See mac-authentication authmode usernameasmacaddress . Z the configuration of mac address authentication enhanced func...
Page 601
1-2 offline detect period is 300s quiet period is 60 second(s). Server response timeout value is 100s guest vlan re-authenticate period is 30s max allowed user number is 1024 current user number amounts to 1 current domain: not configured, use default domain silent mac user info: mac addr from port ...
Page 602
1-3 field description quiet period quiet timer sets the quiet period. A switch goes through a quiet period if a user fails to pass the mac address authentication. The default value is 60 seconds. Server response timeout value server timeout timer, which sets the timeout time for the connection betwe...
Page 603
1-4 mac-authentication syntax mac-authentication undo mac-authentication view system view, ethernet port view parameters none description use the mac-authentication command to enable mac address authentication globally or on the current port. Use the undo mac-authentication command to disable mac ad...
Page 604
1-5 mac-authentication interface syntax mac-authenticationinterface interface-list undo mac-authenticationinterface interface-list view system view parameters interface-list: list of ethernet ports. You can specify multiple ethernet ports by providing this argument in the form of interface-list = { ...
Page 606
1-7 view system view parameters none description use the mac-authentication authmode usernamefixed command to set the user name in fixed mode for mac address authentication. Use the undo mac-authentication authmode command to restore the default user name mode for mac address authentication. By defa...
Page 607
1-8 mac-authentication authusername syntax mac-authentication authusername username undo mac-authentication authusername view system view parameters username: user name used in authentication, a string of 1 to 55 characters. Description use the mac-authentication authusername command to set a user n...
Page 609
1-10 view user view parameters interface-list: list of ethernet ports. You can specify multiple ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &, where & means that you can provide up to 10 port ind...
Page 610
1-11 z if more than one client are connected to a port, you cannot configure a guest vlan for this port. Z when a guest vlan is configured for a port, only one mac address authentication user can access the port. Even if you set the limit on the number of mac address authentication users to more tha...
Page 611
1-12 use the undo mac-authentication max-auth-num command to restore the maximum number of mac address authentication users allowed to access the port to the default value. By default, the maximum number of mac address authentication users allowed to access a port is 256. Z if both the limit on the ...
Page 612
1-13 examples # configure the switch to re-authenticate users in guest vlans at the interval of 60 seconds. System-view system view: return to user view with ctrl+z. [sysname] mac-authentication timer guest-vlan-reauth 60
Page 613: Table of Contents
I table of contents 1 vrrp configuration commands ·············································································································1-1 vrrp configuration commands ············································································································1...
Page 614: Vrrp Configuration Commands
1-1 1 vrrp configuration commands z keywords in some commands are modified. See display vrrp , display vrrp statistics , reset vrrp statistics , vrrp vrid authentication-mode , and vrrp vrid track interface . Z keyword verbose is added to the display vrrp command to display the detailed information ...
Page 615
1-2 z if you specify a vlan interface only, the command will display the state information of all vrrp groups on the specified vlan interface. Z if you specify both a vlan interface and a vrrp group, the command will display the state information of the specified vrrp group on the specified vlan int...
Page 616
1-3 table 1-2 description on the fields of the display vrrp verbose command field description run method current vrrp running method, including real-mac and virtual-mac virtual ip ping whether you can ping the virtual ip address of the vrrp group interface interface where the vrrp group resides vrid...
Page 617
1-4 z if only a vlan interface is specified, the statistics information about all the vrrp groups on the specified vlan interface is displayed. Z if both a vlan interface and a vrrp group are specified, the statistics information about the specified vrrp group on the specified vlan interface is disp...
Page 618
1-5 field description invalid type pkts rcvd number of the packet type errors reset vrrp statistics syntax reset vrrp statistics [ interface vlan-interface vlan-id [ vrid virtual-router-id ]] view user view parameters vlan-interface vlan-id: specifies a vlan interface by its id. Vlan-id is the id of...
Page 619
1-6 virtual-mac: maps the virtual mac address of the vrrp group to the virtual ip address of the vrrp group. Description use the vrrp method command to configure the mac-virtual ip address mapping for vrrp groups. You can configure to map the real mac address of the switch to the virtual ip address ...
Page 620
1-7 [sysname] vrrp ping-enable vrrp vlan-interface vrid track syntax vrrp vlan-interface vlan-id vrid virtual-router-id track [ reduced value-reduced ] undo vrrp vlan-interface vlan-id vrid virtual-router-id track view ethernet port view parameters virtual-router-id: vrrp group id, ranging from 1 to...
Page 621
1-8 vrrp vrid authentication-mode syntax vrrp vrid virtual-router-id authentication-mode authentication-type authentication-key undo vrrp vrid virtual-router-id authentication-mode view vlan interface view parameters virtual-router-id: vrrp group id, ranging from 1 to 255. Authentication-type: authe...
Page 622
1-9 vrrp vrid preempt-mode syntax vrrp vrid virtual-router-id preempt-mode [ timer delay delay-value ] undo vrrp vrid virtual-router-id preempt-mode view vlan interface view parameters virtual-router-id: vrrp group id, ranging from 1 to 255. Delay-value: preemption delay period (in seconds), ranging...
Page 623
1-10 system view: return to user view with ctrl+z. [sysname] interface vlan-interface 2 [sysname-vlan-interface2] vrrp vrid 1 preempt-mode # set the preemption delay period. [sysname-vlan-interface2] vrrp vrid 1 preempt-mode timer delay 5 # configure the switch to operate in non-preemptive mode. [sy...
Page 624
1-11 view vlan interface view parameters virtual-router-id: vrrp group id, ranging from 1 to 255. Adver-interval: interval (in seconds) at which the master of a vrrp group sends vrrp advertisement packets, in seconds. This argument ranges from 1 to 255 and defaults to 1. Description use the vrrp vri...
Page 625
1-12 the vlan interface tracking function extends the use of the backup function. With this function enabled on a switch, the backup function can take effect not only when the vlan interface where a vrrp group resides fails, but also when some other vlan interfaces on the switch fail. You can utiliz...
Page 626
1-13 the auto detect result of the detected group can control the priority of a switch in a vrrp group. In this way, the automatic switching between the master and the backup is implemented. Z decrease the priority of a switch in a vrrp group when the result of the detected group is unreachable. Z r...
Page 627
1-14 use the undo vrrp vrid virtual-ip command to remove an existing vrrp group, or remove a virtual ip address from the virtual ip address list of an existing vrrp group. A vrrp group is removed if all its virtual ip addresses are removed. By default, no vrrp group is created. Note that: z a virtua...
Page 628: Table of Contents
I table of contents 1 arp configuration commands················································································································1-1 arp configuration commands··············································································································...
Page 629: Arp Configuration Commands
1-1 1 arp configuration commands z the arp packet rate limit feature is a new feature in the manual. For related commands, refer to arp protective-down recover enable , arp protective-down recoverinterval , arp rate-limit , and arp rate-limit enable . Z the arp detection feature is a new feature in ...
Page 630
1-2 examples # disable the arp entry checking function. System-view system view: return to user view with ctrl+z. [sysname] undo arp check enable arp detection enable syntax arp detection enable undo arp detection enable view vlan view parameters none description use the arp detection enable command...
Page 631
1-3 parameters none description use the arp detection trust command to specify the current port as a trusted port, that is, arp packets received on this port are regarded as legal arp packets and will not be checked. Use the undo arp detection trust command to specify the current port as an untruste...
Page 632
1-4 arp protective-down recover interval syntax arp protective-down recover interval interval undo arp protective-down recover interval view system view parameters interval: recovery time (in seconds) of a port which is shut down due to an excessive arp packet receiving rate. The effective range is ...
Page 633
1-5 description use the arp rate-limit command to specify the maximum arp packet receiving rate on the port. If a rate is specified, exceeding packets will be discarded. Use the undo arp rate-limit command to restore the default. By default, after a port is enabled with the arp packet rate limit fun...
Page 634
1-6 arp restricted-forwarding enable syntax arp restricted-forwarding enable undo arp restricted-forwarding enable view vlan view parameters none description use the arp restricted-forwarding enable command to enable arp restricted forwarding so that the legal arp requests received from the specifie...
Page 635
1-7 by default, this function is disabled. Note that: z among s3600 series ethernet switches, only s3600-ei series switches support this command. Z before enabling the master switch of a vrrp backup group to send gratuitous arp packets periodically, you need to create the vrrp backup group and perfo...
Page 636
1-8 examples # create a static arp mapping entry, with the ip address of 202.38.10.2, the mac address of 000f-e20f-0000. The arp mapping entry belongs to ethernet 1/0/1 which belongs to vlan 1. System-view system view: return to user view with ctrl+z. [sysname] arp static 202.38.10.2 000f-e20f-0000 ...
Page 637
1-9 description use the display arp command to display specific arp entries. If you execute this command with no keyword/argument specified, all the arp entries are displayed. Related commands: arp static, reset arp. Examples # display all the arp entries. Display arp type: s-static d-dynamic ip add...
Page 640
1-12 invalid arp packets : 31 table 1-2 description on the fields of the display arp detection statistics interface command field description arp detection arp attack detection state: enabled/disabled arp port trust arp trusted port state: enabled/disabled invalid arp packets number of discarded inv...
Page 641
1-13 use the undo gratuitous-arp period-resending enable command to disable this function. By default, this function is enabled, the gratuitous arp packets are sent at an interval of 30 seconds. After you enable a vlan interface to send gratuitous arp packets periodically, hosts on the network will ...
Page 642
1-14 view user view parameters dynamic: clears dynamic arp entries. Static: clears static arp entries. Interface interface-type interface-number: clears arp entries of the specified port. Description use the reset arp command to clear specific arp entries. Related commands: arp static, display arp. ...
Page 643
2-1 2 proxy arp configuration commands proxy arp configuration commands arp proxy enable syntax arp proxy enable undo arp proxy enable view vlan interface view parameters none description use the arp proxy enable command to enable proxy arp on the vlan interface. Use the undo arp proxy enable comman...
Page 644
2-2 if interface vlan-interface vlan-id is specified, proxy arp configuration of the specified vlan interface is displayed; otherwise, proxy arp configuration of all the vlan interfaces is displayed. Related commands: arp proxy enable. Examples # display the proxy arp status on all vlan interfaces. ...
Page 645
3-1 3 resilient arp configuration commands the contents of this chapter are only applicable to the s3600-ei series among s3600 series ethernet switches. Resilient arp configuration commands display resilient-arp syntax display resilient-arp [ unit unit-id ] view any view parameters unit unit-id: uni...
Page 646
3-2 resilient-arp enable syntax resilient-arp enable undo resilient-arp enable view system view parameters none description use the resilient-arp enable command to enable the resilient arp function. The switch will adopt different methods based on the actual status. If the main link in the fabric br...
Page 647
3-3 note that this command is used to enable a vlan interface to send resilient arp packets, while all vlan interfaces can receive resilient arp packets. Related commands: display resilient-arp. Examples # configure the resilient arp packets to be sent from the vlan-interface 2. System-view system v...
Page 648: Table of Contents
I table of contents 1 dhcp server configuration commands ·································································································1-1 dhcp server configuration commands ································································································1-1 account...
Page 649
Ii static-bind ip-address ····················································································································1-38 static-bind mac-address ················································································································1-39 tftp-server ...
Page 650
Iii display bootp client ··························································································································5-3 ip address bootp-alloc ·····················································································································5-4.
Page 651
1-1 1 dhcp server configuration commands z support for assigning a tftp server address and bootfile name from the dhcp server to the client with auto-configuration function is a new feature in this manual. For specific commands, see bootfile-name , dhcp server bootfile-name , dhcp server tftp-server...
Page 652
1-2 use the undo accounting domain command to disable the dhcp accounting function. Examples # enter system view. System-view system view: return to user view with ctrl+z. # enter dhcp address pool view. [sysname] dhcp server ip-pool test # enable the dhcp accounting function (assuming that domain 1...
Page 653
1-3 bootfile-name syntax bootfile-name bootfile-name undo bootfile-name view dhcp address pool view parameters bootfile-name: boot file name (with the extension name .Cfg), a string of 1 to 63 characters. Description use the bootfile-name command to specify a bootfile name in the dhcp global address...
Page 654
1-4 z among s3600 series switches, only s3600-ei switches support this command. Dhcp is always enabled on s3600-si series switches. Z you need to enable dhcp before performing other dhcp-related configurations. To improve security and avoid malicious attacks to the unused sockets, s3600 ethernet swi...
Page 655
1-5 interface-number [ to interface-type interface-number ] keyword and argument combination specifies an interface range. All: specifies all interfaces to operate in global address pool mode. Description use the dhcp select global command to configure the specified interface(s) or all interfaces to...
Page 656
1-6 type, interface-number indicates interface number. Interface-type interface-number [ to interface-type interface-number ] specifies an interface range. All: specifies all interfaces to operate in interface address pool mode. Description use the dhcp select interface command to configure the spec...
Page 659
1-9 description use the dhcp server detect command to enable the unauthorized dhcp server detection function. With this feature enabled, upon receiving a dhcp request, the dhcp server will record the ip addresses of any dhcp servers which ever assigned an ip address to the dhcp client and the receiv...
Page 660
1-10 interface number; the interface interface-type interface-number [ to interface-type interface-number ] keyword and argument combination specifies an interface range. All: (in comparison with the ip-address argument) specifies all dns server ip addresses. All: (in comparison with the interface k...
Page 661
1-11 parameters domain-name: domain name suffix of the dhcp clients whose ip addresses are from the specified interface address pool(s). This argument is a string of 3 to 50 characters. Interface interface-type interface-number [ to interface-type interface-number ]: specifies the interface(s), thro...
Page 663
1-13 undo dhcp server forbidden-ip low-ip-address [ high-ip-address ] view system view parameters low-ip-address: ip address that is not available for being assigned to dhcp clients automatically (an ip address of this kind is known as a forbidden ip address). This argument also marks the lower end ...
Page 664
1-14 undo dhcp server ip-pool pool-name view system view parameters pool-name: name of a dhcp address pool, which uniquely identifies the address pool. This argument is a string of 1 to 35 characters. Description use the dhcp server ip-pool command to create a global dhcp address pool and enter dhcp...
Page 667
1-17 # specify p-node as the netbios node type of the dhcp clients whose ip addresses are from the dhcp interface address pool of vlan-interface 1. [sysname] interface vlan-interface 1 [sysname-vlan-interface1] dhcp server netbios-type p-node dhcp server option syntax in vlan interface view, use the...
Page 668
1-18 if you execute the dhcp server option command repeatedly, the new configuration overwrites the previous one. For commands related to option 184, refer to dhcp server voice-config . Related commands: option. Examples # enter system view. System-view system view: return to user view with ctrl+z. ...
Page 669
1-19 dhcp server relay information enable syntax dhcp server relay information enable undo dhcp server relay information enable view system view parameters none description use the dhcp server relay information enable command to enable the dhcp server to handle option 82. Use the undo dhcp server re...
Page 670
1-20 description use the dhcp server static-bind command to statically bind an ip address of the current dhcp interface address pool to a mac address. When the client with the mac address or id requests an ip address, the dhcp server will find the ip address from the binding in the interface address...
Page 671
1-21 parameters domain-name: tftp server name, a string in the range 3 to 50 characters. All: specifies all interface address pools. Interface interface-type interface-number: specifies an interface address pool. Description use the dhcp server tftp-server domain-name command to specify the tftp ser...
Page 672
1-22 interface interface-type interface-number: specifies an interface address pool. Description use the dhcp server tftp-server ip-address command to specify the tftp server address in dhcp interface address pool for the client. When the client’s request contains option 150 (tftp server ip address)...
Page 673
1-23 z disable: disables the specified vlan, meaning dhcp clients will not take this vlan as their voice vlan. Z enable: enables the specified vlan, meaning dhcp clients will take this vlan as their voice vlan. Fail-over ip-address dialer-string: specifies the failover ip address and dialer string. ...
Page 674
1-24 view any view parameters all: specifies all ip addresses. Ip ip-address: specifies one ip address. Description use the display dhcp server conflict command to display the statistics of ip address conflicts on the dhcp server. Related commands: reset dhcp server conflict. Examples # display the ...
Page 675
1-25 description use the display dhcp server expired command to display the lease expiration information about one ip address, or the lease expiration information about all ip addresses in one or all dhcp address pools. When all the ip addresses in an address pool are assigned, the dhcp server assig...
Page 677
1-27 table 1-3 description on the fields of the display dhcp server ip-in-use command field description global pool address binding information of global dhcp address pools interface pool address binding information of interface dhcp address pools ip address bound ip address client-identifier/hardwa...
Page 678
1-28 dhcp release: 1 dhcp inform: 0 boot reply: 4 dhcp offer: 1 dhcp ack: 3 dhcp nak: 0 bad messages: 0 table 1-4 description on the fields of the display dhcp server statistics command field description global pool statistics about global address pools interface pool statistics about interface addr...
Page 679
1-29 description use the display dhcp server tree command to display information about address pool tree. Examples # display the information about address pool tree. Display dhcp server tree all global pool: pool name: test123 network 10.0.0.0 mask 255.0.0.0 child node:test1234 option 30 hex aa bb e...
Page 681
1-31 view dhcp address pool view parameters domain-name: domain name suffix for the dhcp client of a dhcp global address pool, a string of 3 to 50 characters. Description use the domain-name command to configure a domain name suffix in a dhcp global address pool for the dhcp client. Use the undo dom...
Page 682
1-32 related commands: dhcp server ip-pool, dhcp server expired. Examples # enter system view. System-view system view: return to user view with ctrl+z. # set the lease time of the ip addresses to be dynamically assigned in the dhcp global address pool 0 to 1 day, 2 hours and 3 minutes. [sysname] dh...
Page 684
1-34 p-node: specifies the p-typed node. Nodes of this type acquire host name-to-ip address mapping by communicating with the wins server. M-node: specifies the m-typed node. Nodes of this type are p-nodes with some broadcasting features. H-node: specifies the h-typed node. Nodes of this type are b-...
Page 685
1-35 related commands: dhcp server ip-pool, dhcp server forbidden-ip. Examples # enter system view. System-view system view: return to user view with ctrl+z. # configure the dynamically assigned ip address range 192.168.8.0/24 for the dhcp global address pool 0. [sysname] dhcp server ip-pool 0 [sysn...
Page 687
1-37 description use the reset dhcp server ip-in-use command to clear the specified or all dynamic address binding information. Related commands: display dhcp server ip-in-use. Examples # clear the dynamic address binding information about the ip address 10.110.1.1. Reset dhcp server ip-in-use ip 10...
Page 688
1-38 use the undo static-bind client-identifier command to delete a client id that is statically bound in a dhcp global address pool. By default, no client id is statically bound. Note that: z the static-bind client-identifier command must be used together with the static-bind ip-address command, to...
Page 689
1-39 z if you execute the static-bind ip-address command repeatedly, the new configuration overwrites the previous one. Related commands: dhcp server ip-pool, static-bind mac-address. Examples # enter system view. System-view system view: return to user view with ctrl+z. # bind the ip address 10.1.1...
Page 690
1-40 # bind the ip address 10.1.1.1 (with the subnet mask 255.255.255.0) to the mac address 0000-e03f-0305. [sysname] dhcp server ip-pool 0 [sysname-dhcp-pool-0] static-bind ip-address 10.1.1.1 mask 255.255.255.0 [sysname-dhcp-pool-0] static-bind mac-address 0000-e03f-0305 tftp-server domain-name sy...
Page 691
1-41 description use the tftp-server ip-address command to specify the tftp server ip address in a global address pool. Use the undo tftp-server ip-address command to remove the tftp server ip address from a global address pool. By default, no tftp server address is specified. Using the tftp-server ...
Page 692
1-42 by default, a dhcp server global address pool does not assign option 184 and the corresponding sub-options to the client. Related commands: dhcp server voice-config. Examples # enter system view system-view system view: return to user view with ctrl+z. # enable the dhcp server to support option...
Page 693
2-1 2 dhcp relay agent configuration commands dhcp relay agent configuration commands address-check syntax address-check enable address-check disable view vlan interface view parameters none description use the address-check enable command to enable ip address match checking on the dhcp relay agent....
Page 694
2-2 view system view parameters none description use the dhcp relay hand enable command to enable the dhcp relay handshake function. With this feature enabled, the dhcp relay agent uses the ip address of a client and the mac address of the dhcp relay interface to periodically send a handshake messag...
Page 695
2-3 by default, with the option 82 support function enabled on the dhcp relay agent, the dhcp relay agent will adopt the replace strategy to process the request packets containing option 82. However, if other strategies are configured before, then enabling the 82 supporting on the dhcp relay will no...
Page 697
2-5 parameters interval: refreshing interval in seconds, in the range of 1 to 120. Auto: specifies the auto refreshing interval, which is automatically calculated according to the number of binding entries. Description the default handshake interval is auto, the value of 60 seconds divided by the nu...
Page 698
2-6 related commands: dhcp-server ip, display dhcp-server, display dhcp-server interface vlan-interface. To improve security and avoid malicious attack to the unused sockets, s3600 ethernet switches provide the following functions: z udp 67 and udp 68 ports used by dhcp are enabled only when dhcp is...
Page 699
2-7 by default, the unauthorized dhcp server detection function is disabled related commands: dhcp server, display dhcp-server. Examples # enter system view system-view system view: return to user view with ctrl+z. # enable the unauthorized-dhcp server detection function on the dhcp relay agent. [sy...
Page 700
2-8 view any view parameters ip-address: ip address. This argument is used to display the user address entry with the specified ip address. Dynamic: displays the dynamic user address entries. Static: displays the static user address entries. Tracker: displays the interval to update the user address ...
Page 701
2-9 examples # display information about dhcp server group 0. Display dhcp-server 0 ip address of dhcp server group 0: 1.1.1.1 ip address of dhcp server group 0: 2.2.2.2 ip address of dhcp server group 0: 3.3.3.3 ip address of dhcp server group 0: 4.4.4.4 ip address of dhcp server group 0: 5.5.5.5 i...
Page 702
2-10 field description dhcp_discover messages number of the dhcp-discover packets received by the dhcp relay dhcp_request messages number of the dhcp-request packets received by the dhcp relay dhcp_inform messages number of the dhcp-inform packets received by the dhcp relay dhcp_release messages num...
Page 703
2-11 description use the reset dhcp-server command to clear the statistics information of the specified dhcp server group. Related commands: dhcp server, display dhcp-server. Examples # clear the statistics information of dhcp server group 2. Reset dhcp-server 2.
Page 704
3-1 3 dhcp snooping configuration commands dhcp snooping configuration commands dhcp-snooping syntax dhcp-snooping undo dhcp-snooping view system view parameters none description use the dhcp-snooping command to enable the dhcp snooping function. Use the undo dhcp-snooping command to disable the dhc...
Page 705
3-2 view system view parameters none description use the dhcp-snooping information enable command to enable dhcp snooping option 82. Use the undo dhcp-snooping information enable command to disable dhcp snooping option 82. Dhcp snooping option 82 is disabled by default. Enable dhcp snooping before p...
Page 707
3-4 use the undo dhcp-snooping information remote-id command to restore the default value of the remote id sub-option in option 82. By default, the remote id sub-option in option 82 is the mac address of the dhcp snooping device that received the dhcp client’s request. Examples # configure the remot...
Page 708
3-5 z enable dhcp-snooping and dhcp-snooping option 82 before performing this configuration. Z if a handling policy is configured on a port, this configuration overrides the globally configured handling policy for requests received on this port, while the globally configured handling policy applies ...
Page 709
3-6 if you have configured a circuit id with the vlan vlan-id argument specified, and the other one without the argument in ethernet port view, the former circuit id applies to the dhcp messages from the specified vlan, while the latter one applies to dhcp messages from other vlans. Examples # set t...
Page 710
3-7 examples # configure the remote id of option 82 in dhcp packets to abc on the port ethernet 1/0/1. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet1/0/1 [sysname-ethernet1/0/1] dhcp-snooping information remote-id string abc dhcp-snooping trust syntax dhcp-sn...
Page 711
3-8 parameters unit unit-id: displays the dhcp-snooping information on the specified device in the fabric. Unit-id indicates the number of the device whose dhcp-snooping information needs to be viewed. If unit unit-id is not specified, dhcp snooping information of all units in the fabric is displaye...
Page 713
3-10 description use the ip check source ip-address command to enable the filtering of the ip packets received through the current port based on the source ip address of the packets. Use the undo ip check source ip-address command to disable the filtering of the ip packets received through the curre...
Page 714
3-11 related commands: ip check source ip-address. Examples # configure static binding among source ip address 1.1.1.1, source mac address 0015-e20f-0101, and ethernet 1/0/3. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/3 [sysname-ethernet1/0/3] ip sourc...
Page 715
4-1 4 rate limit configuration commands rate limit configuration commands dhcp protective-down recover enable syntax dhcp protective-down recover enable undo dhcp protective-down recover enable view system view parameters none description use the dhcp protective-down recover enable command to enable...
Page 716
4-2 parameters interval: interval (in seconds) for a port disabled due to the dhcp traffic exceeding the set threshold to be brought up again. This argument ranges from 10 to 86,400. Description use the dhcp protective-down recover interval command to set an auto recovery interval. Use the undo dhcp...
Page 717
4-3 examples # configure the dhcp traffic threshold to 100 pps for port ethernet 1/0/11. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/11 [sysname-ethernet1/0/11] dhcp rate-limit enable [sysname-ethernet1/0/11] dhcp rate-limit 100 dhcp rate-limit enable s...
Page 718
5-1 5 dhcp/bootp client configuration dhcp client configuration commands display dhcp client syntax display dhcp client [ verbose ] view any view parameters verbose: displays the detailed address allocation information. Description use the display dhcp client command to display the information about...
Page 719
5-2 field description lease lease period t1 renewal timer setting t2 rebinding timer setting lease from….To…. The starting and end time of the lease period server ip ip address of the dhcp server selected transaction id transaction id default router gateway address next timeout will happen after 0 d...
Page 720
5-3 examples # configure vlan-interface 1 to obtain an ip address through dhcp. System-view system view: return to user view with ctrl+z. [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ip address dhcp-alloc bootp client configuration commands display bootp client syntax display bootp...
Page 721
5-4 ip address bootp-alloc syntax ip address bootp-alloc undo ip address bootp-alloc view vlan interface view parameters none description use the ip address bootp-alloc command to configure a vlan interface to obtain an ip address through bootp. Use the undo ip address bootp-alloc command to cancel ...
Page 722: Table of Contents
I table of contents 1 acl configuration commands ················································································································1-1 acl configuration commands ············································································································...
Page 723: Acl Configuration Commands
1-1 1 acl configuration commands z the command used to apply acl rules to a vlan is newly added, which is described in packet-filter vlan . Z the command used to configure vlan information for layer 2 acls is newly added, which is described in rule (for layer 2 acls) . Acl configuration commands acl...
Page 724
1-2 description use the acl command to define an acl and enter the corresponding acl view. Use the undo acl command to remove all the rules of the specified acl or all the acls. By default, acl rules are matched in the order they are defined. Only after the rules in an existing acl are fully removed...
Page 725
1-3 you can give acls descriptions to provide relevant information such as their application purposes and the ports they are applied to, so that you can easily identity and distinguish acls by their descriptions. By default, no description string is assigned for an acl. Examples # assign description...
Page 726
1-4 table 1-1 description on the fields of the display acl command field description basic acl 2000 the displayed information is about the basic acl 2000. 3 rules the acl includes three rules. Match-order is auto the match order of the acl is depth-first. If this field is not displayed, the match or...
Page 727
1-5 table 1-2 description on the fields of the display drv qacl_resource command field description block on the front panel, z from left to right, every four columns of fe ports (total of eight fe ports) represents a block numbered starting from 0. That is, 0 indicates ethernet 1/0/1 to ethernet 1/0...
Page 728
1-6 ethernet1/0/1 inbound: acl 2000 rule 0 running ethernet1/0/2 outbound: acl 2001 rule 0 not running table 1-3 description on the fields of the display packet-filter command field description ethernet1/0/1 port on which packet filtering is performed inbound direction of the packet filtering, inbou...
Page 729
1-7 table 1-4 description on the fields of the display time-range command. Field description current time is 17:01:34 may/21/2007 monday current system time time-range name of the time range active status of the time range, which can be: z active: the time range is active currently. Z inactive: the ...
Page 730
1-8 z the link-group acl-number keyword specifies a layer 2 acl. The acl-number argument ranges from 4000 to 4999. Z the user-group acl-number keyword specifies a user-defined acl. The acl-number argument ranges from 5000 to 5999. Z the rule rule-id keyword specifies a rule of an acl. The rule argum...
Page 731
1-9 parameters vlan-id: vlan id. Inbound: specifies to filter packets received by the ports in the vlan. Outbound: specifies to filter packets to be transmitted by the ports in the vlan. Acl-rule: acl rules to be applied, which can be a combination of the rules of multiple acls, as described in tabl...
Page 732
1-10 parameters parameters of the rule command rule-id: acl rule id, in the range of 0 to 65534. Deny: drops the matched packets. Permit: permits the matched packets. Rule-string: acl rule information, which can be a combination of the parameters described in table 1-6 . Table 1-6 parameters for bas...
Page 733
1-11 z with the config match order specified for the basic acl, you can modify any existent rule. The unmodified part of the rule remains. With the auto match order specified for the basic acl, you cannot modify any existent rule; otherwise the system prompts error information. Z if you do not speci...
Page 734
1-12 deny: drops the matched packets. Permit: permits the matched packets. Protocol: protocol carried by ip. When the protocol is represented by numeral, it ranges from 1 to 255; when the protocol is represented by name, it can be gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), and...
Page 735
1-13 arguments/keywords type function description time-range time-name time range information specifies the time range in which the rule takes effect. Time-name: specifies the name of the time range in which the rule is active; a string comprising 1 to 32 characters. The sour-wildcard/dest-wildcard ...
Page 736
1-14 keyword dscp value in decimal dscp value in binary ef 46 101110 if you specify the precedence keyword, you can directly input a value ranging from 0 to 7 or input one of the keywords listed in table 1-9 as ip precedence. Table 1-9 ip precedence values and the corresponding keywords keyword ip p...
Page 737
1-15 table 1-11 tcp/udp-specific acl rule information parameters type function description source-port operator port1 [ port2 ] source port defines the source port information of udp/tcp packets destination-port operator port1 [ port2 ] destination port defines the destination port information of ud...
Page 738
1-16 table 1-12 tcp or udp port values type value tcp chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (...
Page 739
1-17 name icmp type icmp code source-quench type=4 code=0 source-route-failed type=3 code=5 timestamp-reply type=14 code=0 timestamp-request type=13 code=0 ttl-exceeded type=11 code=0 parameters of the undo rule command rule-id: rule id, which must the id of an existing acl rule. You can obtain the ...
Page 740
1-18 z if the acl is created with the auto keyword specified, the newly created rules will be inserted in the existent ones by depth-first principle, but the numbers of the existent rules are unaltered. Examples # create advanced acl 3000 and define rule 1 to deny packets with the source ip address ...
Page 741
1-19 parameters type function description lsap lsap-code lsap-wildcard lsap field specifies the lsap field for the acl rule lsap-code: encapsulation format of data frames, a 16-bit hexadecimal number. Lsap-wildcard: mask of the lsap value, a 16-bit hexadecimal number used to specify the mask bits. S...
Page 742
1-20 description use the rule command to define an acl rule. Use the undo rule command to remove an acl rule. To remove an acl rule using the undo rule command, you need to provide the id of the acl rule. You can obtain the id of an acl rule by using the display acl command. Note that: z you can mod...
Page 743
1-21 rule-mask: user-defined mask of the acl rule. It must be an even hexadecimal number containing 2 to 160 hexadecimal numerals and be of the same length as that of the rule-string argument. This argument is used to perform the logical and operations with packets. Offset: mask offset of the rule. ...
Page 744
1-22 z you can modify any existent rule of a user-defined acl. If you modify only the time range and/or action, the unmodified parts of the rule remain the same. If you modify the rule-string rule-mask offset combinations, however, the new combinations will replace all of the original ones. Z if you...
Page 745
1-23 processes internally, c0a80001 is the representation of 192.168.0.1 in hexadecimal, and 32 is the offset of the source ip address field in an arp packet that the switch processes internally. [sysname] acl number 5001 [sysname-acl-user-5001] rule 1 deny 0806 ffff 16 c0a80001 ffffffff 32 [sysname...
Page 746
1-24 parameters rule-id: id of the acl rule, in the range of 0 to 65534. Text: comment for the acl rule, a string of 1 to 127 characters. Blank spaces and special characters are acceptable. Description use the rule comment command to define a comment for the acl rule. Use the undo rule comment comma...
Page 747
1-25 end-time: end time of a periodic time range, in the form of hh:mm. The end time must be greater than the start time. Days-of-the-week: day of the week when the periodic time range is active. You can provide this argument in one of the following forms. Z numeral (0 to 6) z mon, tue, wed, thu, fr...
Page 748
1-26 # display the configuration information of the time ranges. [sysname] display time-range all current time is 17:37:23 nov/27/2007 tuesday time-range : tr1 ( inactive ) 08:00 to 12:00 working-day time-range : tr2 ( inactive ) from 12:00 jan/1/2008 to 12:00 jun/1/2008.
Page 749: Table of Contents
I table of contents 1 qos commands·········································································································································1-1 qos commands·················································································································...
Page 750: Qos Commands
1-1 1 qos commands the following commands were added: z vlan mapping related commands: display qos-interface traffic-remark-vlanid and section traffic-remark-vlanid . Z commands related to port rate limiting and traffic policing: line-rate and section traffic-limit . Z vlan-based priority marking co...
Page 751
1-2 z for packets to be forwarded properly, you must not enable the burst function when the irf function is enabled. Refer to irf fabric operation for detailed information about irf. Z because the burst function may affect the qos performance of your switch, you must make sure that you are fully awa...
Page 752
1-3 table 1-1 description on the fields of the display protocol-priority command field description protocol: ospf indicate that a priority has been set for ospf packets with the protocol-priority command. Ip-precedence: routine(0) an ip precedence has been assigned to ospf packets. The assigned ip p...
Page 754
1-5 inbound: matches: acl 2000 rule 0 running 6 packets inprofile 0 packet outprofile ethernet1/0/1: mirrored-to inbound: matches: acl 2000 rule 0 running mirrored to: monitor interface ethernet1/0/1: line-rate inbound: 64 kbps burst bucket size: 16 kbyte ethernet1/0/1: queue scheduling mode: weight...
Page 755
1-6 field description exceed action action to take for exceeding packets: z drop: drops the packets. Z remark-dscp: re-marks the dscp precedence of the packets and forwards the packets. Priority action priority marking action, which can be: z cos: sets 802.1p precedence for packets. Z dscp: sets dsc...
Page 757
1-8 unit-id: unit id of the switch whose traffic policing configuration is to be displayed. For the value range for the unit-id argument, refer to table 1-2 . Description use the display qos-interface traffic-limit command to display the traffic policing configuration of a port or a unit. Related co...
Page 759
1-10 description use the display qos-interface traffic-remark-vlanid command to display the vlan mapping configuration of a port or a unit. Related commands: traffic-remark-vlanid. Examples # display the vlan mapping configuration of ethernet 1/0/1. Display qos-interface ethernet1/0/1 traffic-remark...
Page 760
1-11 display queue-scheduler syntax display queue-scheduler view any view parameters none description use the display queue-scheduler command to display the global queue scheduling configuration. This command does not display the weight or bandwidth set for a queue in port view. To display the setti...
Page 761
1-12 z gigabitethernet port: 64 to 1,000,000. The granularity of port rate limit is 64 kbps. Assume that the value you provide for the target-rate argument is in the range n*64 to (n+1)*64 (n is a natural number), it will be rounded off to (n+1)*64. Burst-bucket burst-bucket-size: specifies the maxi...
Page 762
1-13 table 1-4 ways of applying combined acl rules acl combination form of the acl-rule argument apply a basic or advanced layer 3 acl ip-group acl-number apply a rule in an layer 3 acl ip-group acl-number rule rule-id apply all the rules in a layer 2 acl link-group acl-number apply a rule in a laye...
Page 763
1-14 examples # configure traffic mirroring on ethernet 1/0/1, duplicating the inbound packets sourced from ip address 1.1.1.1 to ethernet 1/0/4. System-view system view: return to user view with ctrl+z. [sysname] acl number 2000 [sysname-acl-basic-2000] rule permit source 1.1.1.1 0 [sysname-acl-bas...
Page 764
1-15 use the undo priority command to restore the default. By default, port priority is trusted and the priority of an ethernet port is 0. After you execute the priority command on a port, the port priority rather than the 802.1p priority of each inbound 802.1q-tagged packet is used to identify the ...
Page 766
1-17 dscp precedence (in words) dscp precedence (in digits) af32 28 af33 30 af41 34 af42 36 af43 38 be (the default) 0 cs1 8 cs2 16 cs3 24 cs4 32 cs5 40 cs6 48 cs7 56 ef 46 description use the protocol-priority command to set the global ip precedence or dscp precedence for the specified type of prot...
Page 767
1-18 [sysname] protocol-priority protocol-type telnet dscp af33 qos cos-local-precedence-map syntax qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec undo qos co...
Page 768
1-19 examples # configure the 802.1p priority-to-local precedence mapping table as follows: 0 to 0, 1 to 1, 2 to 2, 3 to 3, 4 to 4, 5 to 5, 6 to 6, and 7 to 7. System-view system view: return to user view with ctrl+z. [sysname] qos cos-local-precedence-map 0 1 2 3 4 5 6 7 # display the current 802.1...
Page 769
1-20 queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight: customizes the weights to be assigned to queues 0 through 7. The value ranges from 0 to 15 in both system view and ethernet port view. A value of 0 means the corresponding queue adop...
Page 770
1-21 z the display queue-scheduler command cannot display the queue weights (or bandwidth values) specified in ethernet port view. To do that, use the display this command in the corresponding port view or the display current-configuration interface command in any view. Note that the two commands di...
Page 771
1-22 acl-rule: acl rules to be applied. This argument can be the combination of multiple acls. For more information about this argument, refer to table 1-4 and table 1-5 . Description use the reset traffic-statistic command to clear the statistics on packets matching specific acl rules. Related comm...
Page 772
1-23 parameters inbound: imposes traffic limit on the packets received through the interface. Acl-rule: acl rules to be applied for traffic classification. This argument can be the combination of multiple acls. For more information about this argument, refer to table 1-4 and table 1-5 . Note that th...
Page 773
1-24 z when you configure the traffic policing on a port, an acl rule can only be applied to one egress port. If you configure the same acl rule for different egress ports, only the last configuration takes effect. To apply the same acl rule to multiple egress ports, you need to specify different ac...
Page 775
1-26 z if 802.1p priority marking is configured, the traffic will be mapped to the local precedence corresponding to the re-marked 802.1p priority and assigned to the output queue corresponding to the local precedence. Z if local precedence marking is configured, the traffic will be assigned to the ...
Page 777
1-28 examples # set the 802.1p priority to 1 for the packets received on any ports in vlan 2 and destined to mac address 000f-e200-1234. System-view system view: return to user view with ctrl+z. [sysname] acl number 4000 [sysname-acl-ethernetframe-4000] rule permit cos 3 dest 000f-e200-1234 ffff-fff...
Page 778
1-29 z packets redirected to the cpu are not forwarded. Z if the traffic is redirected to a combo port in down state, the system automatically redirects the traffic to the port corresponding to the combo port in up state. Refer to port basic configuration module of this manual for information about ...
Page 779
1-30 description use the traffic-remark-vlanid command to enable vlan mapping and set the target vlan id for packets matching specific acl rules. Use the undo traffic-remark-vlanid command to disable vlan mapping for packets matching specific acl rules. Related commands: display qos-interface traffi...
Page 780
1-31 [sysname-acl-basic-2000] quit [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] traffic-statistic inbound ip-group 2000 # display traffic statistics of ethernet 1/0/1. [sysname-ethernet1/0/1] display qos-interface ethernet 1/0/1 traffic-statistic ethernet1/0/1: traffic-statistic inboun...
Page 781
2-1 2 qos profile configuration commands qos profile configuration commands apply qos-profile syntax in system view apply qos-profile profile-name interface interface-list undo apply qos-profile profile-name interface interface-list in ethernet port view apply qos-profile profile-name undo apply qos...
Page 783
2-3 # display the configuration of the qos profile applied to ethernet 1/0/2, assuming that the qos profile has been applied to ethernet 1/0/2 dynamically. Display qos-profile interface ethernet 1/0/2 user's qos-profile applied mode: port-based user abc@net applied qos-profile: test, 3 actions packe...
Page 784
2-4 parameters inbound: filters the inbound packets. Outbound: filters the outbound packets. Acl-rule: acl rules to be applied for traffic classification. This argument can be the combination of multiple acls. For more information about this argument, refer to table 1-4 and table 1-5 . Description u...
Page 785
2-5 examples # create a qos profile named a123. System-view system view: return to user view with ctrl+z. [sysname] qos-profile a123 [sysname-qos-profile-a123] qos-profile port-based syntax qos-profile port-based undo qos-profile port-based view ethernet port view parameters none description use the...
Page 786
2-6 view qos profile view parameters inbound: imposes traffic limit on the packets received through the interface. Acl-rule: acl rules to be applied for traffic classification. This argument can be the combination of multiple acls. For more information about this argument, refer to table 1-4 and tab...
Page 787
2-7 z when you configure the traffic policing over a port, an acl rule can only be applied to one egress port. If you configure the same acl rule for different egress ports, only the last configuration takes effect. To apply the same acl rule to multiple egress ports, you need to specify different a...
Page 788
2-8 view qos profile view parameters inbound: performs priority marking on the inbound packets. Outbound: performs priority marking on the outbound packets. Acl-rule: acl rules to be applied for traffic classification. This argument can be the combination of multiple acls. For more information about...
Page 789: Table of Contents
I table of contents 1 web cache redirection configuration commands ···············································································1-1 web cache redirection configuration commands ················································································1-1 display webcache ····...
Page 790
1-1 1 web cache redirection configuration commands web cache redirection is available on s3600-ei series switches only. Web cache redirection configuration commands display webcache syntax display webcache view any view parameters none description use the display webcache command to view web cache r...
Page 791
1-2 table 1-1 description on the fields of the display webcache command filed description webcache ip address ip address of the web cache server webcache mac address mac address of the web cache server webcache port port that connects to the web cache server webcache vlan vlan that the web cache ser...
Page 792
1-3 vlan-id: id of the vlan where web cache server is to be located. Port interface-type interface-number: specifies the port through which the switch is connected to the web cache server. Interface-type interface-number is the port type and port number. Tcpport tcpport-number: specifies the number ...
Page 793
1-4 webcache redirect-vlan syntax webcache redirect-vlan vlan-id undo webcache redirect-vlan [ vlan-id ] view system view parameters vlan-id: id of the vlan whose http traffic is to be redirected. Description use the webcache redirect-vlan command to configure a vlan as a redirected vlan, that is, s...
Page 794: Table of Contents
I table of contents 1 mirroring commands ································································································································1-1 mirroring commands·············································································································...
Page 795: Mirroring Commands
1-1 1 mirroring commands mirroring commands display mirror syntax display mirror view any view parameters none description use the display mirror command to display the port mirroring configurations. Related commands: mirroring-port, monitor-port. This command is available only on the s3600-si serie...
Page 796
1-2 field description both the direction of the mirrored packets, which can be one of the following: z both: means packets received on and sent from the source port are mirrored. Z inbound: means packets received on the source port are mirrored. Z outbound means packets sent from the source port are...
Page 797
1-3 # display the configurations of a remote source mirroring group on your s3600-ei series ethernet switch. Display mirroring-group 2 mirroring-group 2: type: remote-source status: active mirroring port: ethernet1/0/1 inbound reflector port: ethernet1/0/2 remote-probe vlan: 10 # display the configu...
Page 799
1-5 view system view, ethernet port view parameters group-id: number of a port mirroring group, in the range 1 to 20. Mirroring-port mirroring-port-list: specifies a list of source ports. Mirroring-port-list is available in system view only, and there is no such argument in ethernet port view. Mirro...
Page 800
1-6 mirroring-group monitor-port syntax mirroring-group group-id monitor-port monitor-port undo mirroring-group group-id monitor-port monitor-port view system view, ethernet port view parameters group-id: number of a port mirroring group, in the range 1 to 20. Monitor-port monitor-port: specifies th...
Page 801
1-7 mirroring-group reflector-port syntax mirroring-group group-id reflector-port reflector-port undo mirroring-group group-id reflector-port reflector-port view system view, ethernet port view parameters group-id: number of a port mirroring group, in the range 1 to 20. Reflector-port reflector-port...
Page 802
1-8 mirroring-group remote-probe vlan syntax mirroring-group group-id remote-probe vlan remote-probe-vlan-id undo mirroring-group group-id remote-probe vlan remote-probe-vlan-id view system view parameters group-id: number of a port mirroring group, in the range 1 to 20. Remote-probe vlan remote-pro...
Page 803
1-9 view ethernet port view parameters both: specifies to mirror all packets received on and sent from the port. Inbound: specifies to mirror the packets received on the port. Outbound: specifies to mirror the packets sent from the port. Description use the mirroring-port command to configure the so...
Page 804
1-10 view ethernet port view parameters none description use the monitor-port command to configure the destination port in ethernet port view. Use the undo monitor-port command to remove the configuration of the destination port in ethernet port view. Note that: z you cannot configure a member port ...
Page 805
1-11 parameters none description use the remote-probe vlan enable command to configure the current vlan as the remote-probe vlan. Use the undo remote-probe vlan enable command to restore the remote-probe vlan to a normal vlan. Note that: z you cannot configure a default vlan, a management vlan, or a...
Page 806: Table of Contents
I table of contents 1 irf fabric commands·······························································································································1-1 irf fabric commands ············································································································...
Page 808
1-2 z if you do not bring up the fabric port, you cannot change the unit id of a switch. Z after the unit id of a device is changed, the unit id-related information of this device in the configuration file of the fabric will be upgraded automatically. If the unit id of a device changes from 2 to 4, ...
Page 809
1-3 z unit ids in an irf fabric are not always arranged in order of 1 to 8. Z unit ids in an irf fabric can be inconsecutive. Z after the unit id of a device is changed, the unit id-related information of this device in the configuration file of the fabric will be upgraded automatically. If the unit...
Page 811
1-5 table 1-1 display ftm information command output description field description ftm state ftm state: z disc state: in the topology discovery state. Z listen state: in the topology discovery state, and the ftm slave device is listening. Z hb state: the fabric operates normally. Unit id unit id: z ...
Page 812
1-6 field description left port : index = 255, isedge = 0 right port : index = 25, isedge = 0 indexes of the left and right ports: z isedge: whether the device is at either end of a bus topology irf fabric in which the number of member devices has reached the upper limit. Z 0: no z 1: yes units num ...
Page 814
1-8 input: 0 packets, 0 bytes, 0 input errors output: 7343 packets, 2250406 bytes, 0 output errors fabric member-auto-update software enable syntax fabric member-auto-update software enable undo fabric member-auto-update software enable view system view parameters none description use the fabric mem...
Page 815
1-9 system-view system view: return to user view with ctrl+z. [sysname] fabric member-auto-update software enable fabric save-unit-id syntax fabric save-unit-id undo fabric save-unit-id view user view parameters none description use the fabric save-unit-id command to save the unit ids of all the uni...
Page 816
1-10 unit 7 saved unit id successfully. Unit 8 saved unit id successfully. # display the saved unit ids of the current fabric. Display ftm topology-database total number of units in fabric : 8, my unit id : 4 uid cpu-mac priority stack-port board-id a/m *1 000f-e20f-5002 5 /right 1 m 2 000f-e20f-513...
Page 817
1-11 fabric-port enable syntax fabric-port interface-type interface-number enable undo fabric-port interface-type interface-number enable view system view parameters interface-type interface-number: type and port number of a fabric port. On an s3600 series ethernet switch, only four gigabitethernet ...
Page 818
1-12 ftm fabric-vlan syntax ftm fabric-vlan vlan-id undo ftm fabric-vlan view system view parameters vlan-id: id of the irf fabric vlan, in the range of 2 to 4094. The vlan you specified must be the one that has not been created manually. Description use the ftm fabric-vlan command to specify the vl...
Page 819
1-13 description use the irf-fabric authentication-mode command to configure the authentication mode and password for an irf fabric. Use the undo irf-fabric authentication-mode command to remove the irf fabric authentication configuration. By default, no authentication mode is configured on a switch...
Page 820
1-14 reset ftm statistics syntax reset ftm statistics view user view parameters none description use the reset ftm statistics command to clear ftm statistics. You can use this command together with the display ftm command to view the packet statistics processed by ftm in a period of time, thus analy...
Page 821
1-15 system view: return to user view with ctrl+z. [sysname] set unit 1 name hello [sysname] display irf-fabric fabric name is sysname, system mode is l3. Unit name unit id hello 1 second 2(*) sysname syntax sysname sysname undo sysname view system view parameters sysname: name of the specified fabr...
Page 822: Table of Contents
I table of contents 1 hgmp v2 configuration commands ·······································································································1-1 ndp configuration commands···············································································································1-1...
Page 823
Ii tracemac ········································································································································1-37 enhanced cluster feature configuration commands ··········································································1-38 black-list··········...
Page 824
1-1 1 hgmp v2 configuration commands ndp configuration commands display ndp syntax display ndp [ interface interface-list ] view any view parameters interface interface-list: specifies a port list. You need to provide the interface-list argument in the form of { interface-type interface-number [ to ...
Page 825
1-2 # display ndp information about ethernet 1/0/1. Display ndp interface ethernet 1/0/1 interface: ethernet1/0/1 status: enabled, pkts snd: 15835, pkts rvd: 2879, pkts err: 0 neighbor 1: aging time: 147(s) mac address : 000f-e20f-1234 port name : ethernet1/0/1 software ver: v100r002b01d001 device n...
Page 826
1-3 view system view, ethernet port view parameters interface-list: ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] } &, where to is used to specify a port range, and & means that you can provide up to ten port indexes/port index ranges f...
Page 827
1-4 you can specify how long the adjacent devices should hold the ndp information received from the local switch. When an adjacent device receives an ndp packet from the local switch, it learns how long it should keep the ndp information of the switch according to the holdtime carried in the ndp pac...
Page 828
1-5 reset ndp statistics syntax reset ndp statistics [ interface interface-list ] view user view parameters interface-list: ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] } &, where to is used to specify a port range, and & means that yo...
Page 829
1-6 description use the display ntdp command to display the global ntdp information. The displayed information includes topology collection range (hop count), topology collection interval (ntdp timer), device/port forwarding delay of topology collection requests, and time used by the last topology c...
Page 830
1-7 description use the display ntdp device-list command to display the cluster device information collected by ntdp. Examples # display the list of devices collected by ntdp. Display ntdp device-list mac hop ip platform 000f-e20f-3901 0 100.100.1.1/24 s3600 000f-e20f-3190 1 16.1.1.1/24 s3600 table ...
Page 831
1-8 h3c comware platform software. Comware software, version 3.10 copyright(c) 2004-2007 hangzhou h3c tech. Co., ltd. All rights reserved. S3600-28p-ei s3600-ei-1545 cluster : candidate switch peer mac peer port id native port id speed duplex 000f-e20f-1234 ethernet3/0/21 ethernet1/0/22 100 full 560...
Page 832
1-9 use the undo ntdp enable command to disable ntdp globally or on a port. By default, ntdp is enabled both globally and on ports. Note that ntdp can take effect on a port only when ntdp is enabled both globally and on the port. Examples # enable ntdp globally, and then enable ntdp on port ethernet...
Page 833
1-10 parameters hop-value: maximum hops to collect topology information, namely, the topology collection range, in the range of 1 to 16. Description use the ntdp hop command to set the topology collection range. Use the undo ntdp hop command to restore the default topology collection range. By defau...
Page 834
1-11 note that: z only the management switch can collect topology periodically, and a member switch cannot. However, you can use the ndp explore command on the member switch to start a topology collection process manually. Z after a cluster is set up, the management switch will collect the topology ...
Page 835
1-12 [aaa_0.Sysname] ntdp timer hop-delay 300 ntdp timer port-delay syntax ntdp timer port-delay time undo ntdp timer port-delay view system view parameters time: port forwarding delay in milliseconds. This argument ranges from 1 to 100. Description use the ntdp timer port-delay command to configure...
Page 836
1-13 parameters member-number: member number assigned to the candidate device to be added to the cluster. This argument ranges from 1 to 255. H-h-h: mac address of the candidate device to be added (in hexadecimal). Password: super password of the candidate device, a string of 1 to 256 characters. Pa...
Page 837
1-14 description use the administrator-address command to specify the management device mac address and the cluster name on a device to add the device to the cluster. Use the undo administrator-address command to remove the management device mac address from the mac address list of a member device, ...
Page 838
1-15 note that, the collection of candidate/member devices are based on ntdp. Therefore, you must first enable ntdp. In addition, you can use the ntdp hop command in system view to change the collection range. When the system automatically adds a device to the cluster, if the user password configure...
Page 839
1-16 member 000f-e200-2200 is joined in cluster aaa. %apr 3 08:12:37:831 2000 aaa_0.Sysname clst/5/log:- 1 - member 000f-e200-0000 is joined in cluster aaa. %apr 3 08:12:37:847 2000 aaa_0.Sysname clst/5/log:- 1 - member 000f-e200-7800 is joined in cluster aaa. %apr 3 08:12:37:863 2000 aaa_0.Sysname ...
Page 840
1-17 executing the build command on a management device will change the cluster name. Different from the auto-build command, the build command only builds a cluster on the management device, which will not immediately collect the topology information to add the candidate devices into the cluster, bu...
Page 841
1-18 oid:1.3.6.1.4.1.2011.6.7.1.0.3(hgmpmemberstatuschange):member 00.00.00.00.00.12. A9.90.22.40 role change, ntdpindex:0.00.00.00.00.00.12.A9.90.22.40, role:1 [aaa_0.Sysname-cluster] cluster syntax cluster view system view parameters none description use the cluster command to enter clusterview. E...
Page 842
1-19 z when you execute the undo cluster enable command on the management device, the cluster function is disabled on the device, and the device stops operating as a management device, and the cluster and all its members are removed. Z when you execute the undo cluster enable command on a member dev...
Page 843
1-20 z after you switch from a member device to the management device, the privilege level on the management device view will be determined by the configuration on the management device. Z if all the telnet resources on the requested device are used up, the switching to the device will not succeed. ...
Page 844
1-21 examples # configure multicast mac address 0180-c200-0028 for hgmpv2 protocol packets. System-view system view: return to user view with ctrl+z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] cluster-mac 0180-c200-0028 cluster-mac syn-interval syntax cluster-mac syn-interval time-interval view...
Page 845
1-22 parameters member-id: member number of a member device, ranging from 1 to 255. To-black-list: adds the device removed from a cluster to the blacklist to prevent it from being added to the cluster. Description use the delete-member command to remove a member device from the cluster. Note that a ...
Page 846
1-23 executing this command on a member device will display the following information: cluster name, member number of the current switch, mac address and status of the management device, holdtime, and interval to send handshake packets. Executing this command on a management device will display the ...
Page 847
1-24 field description member number member number of this switch handshake timer interval to send handshake packets, which can be configured through the timer command handshake hold-time holdtime of the neighbor status information, which can be configured through the holdtime command administrator ...
Page 848
1-25 table 1-6 description on the fields of the display cluster candidates command field description mac mac address of the candidate device hop hops from the management device to the candidate device ip ip address of the candidate device platform platform of the candidate device # display informati...
Page 850
1-27 copyright(c) 2004-2007 hangzhou h3c tech. Co., ltd. All rights reserved. S3600-28p-ei s3600-ei-1545 member number:1 name:aaa_1.Sysname device:s3600 mac address:3900-0000-3334 member status:up hops to administrator device:2 ip: 16.1.1.11/24 version: h3c comware platform software. Comware softwar...
Page 851
1-28 view user view parameters none description use the ftp cluster command to connect to the shared ftp server of the cluster and enter ftp client view through the management device. You can use the ftp-server command on the management device to configure the shared ftp server of the cluster, which...
Page 852
1-29 description use the ftp-server command to configure a shared ftp server for the cluster on the management device. Use the undo ftp-server command to remove the shared ftp server setting. By default, the management device acts as the shared ftp server of the cluster. After you configure the ip a...
Page 853
1-30 z if the management device receives ndp information form a member device within the holdtime, the member device stays in the normal state and does not need to be added to the cluster again. Z note that, you need only execute the command on a management device, which will advertise the holdtime ...
Page 854
1-31 logging-host syntax logging-host ip-address undo logging-host view cluster view parameters ip-address: ip address of the device to be configured as the log host of a cluster. Description use the logging-host command to configure a shared log host for a cluster on the management device. Use the ...
Page 855
1-32 when specifying the management vlan, note that: z the management vlans on all the devices in a cluster must be the same. Z you can specify the management vlan on a device only when no cluster is created on the device. You cannot change the management vlan on a device that already joins a cluste...
Page 857
1-34 description use the snmp-host command to configure a shared snmp nms for the cluster on the management device. Use the undo snmp-host command to remove the shared snmp nms setting. By default, no shared snmp nms is configured. After setting the ip address of an snmp nms for the cluster, the mem...
Page 858
1-35 z you need to specify the cluster keyword completely in the command. Z for description of other parameters of the tftp command, refer to the ftp-sftp-tftp part of the manual. Examples # download file lanswitch.App from the shared tftp server of the cluster to the switch and save it as vs.App. T...
Page 859
1-36 tftp cluster put config.Cfg temp.Cfg tftp-server syntax tftp-server ip-address undo tftp-server view cluster view parameters ip-address: ip address of a tftp server to be configured for the cluster. Description use the tftp-server command to configure a shared tftp server for the cluster on the...
Page 860
1-37 description use the timer command to set the interval between sending handshake packets. Use the undo timer command to restore the default value of the interval. By default, the interval between sending handshake packets is 10 seconds. In a cluster, the management device keeps connections with ...
Page 861
1-38 z when using the destination ip address to trace a device, the switch looks up the arp entry corresponding to the ip address, and then looks up the mac address entry according to the arp entry. Z if the queried ip address has a corresponding arp entry, but the corresponding mac address of the i...
Page 862
1-39 description use the black-list add-mac command to add the specified mac address to the cluster blacklist, so that the device with the specified mac address cannot join the cluster. Use the black-list delete-mac command to remove all the mac addresses or the specified mac address from the curren...
Page 863
1-40 display cluster base-members sn device mac adress status 0 aaa_0.Sysname 000f-e200-30a0 up 1 aaa_1.S3600 000f-e200-86e4 up table 1-10 description on the fields of display cluster base-members field description sn device number in the cluster device device name mac address device mac address sta...
Page 867
1-44 h3c comware platform software. Comware software, version 3.10 copyright(c) 2004-2007 hangzhou h3c tech. Co., ltd. All rights reserved. S3600-28p-ei s3600-ei-1545 cluster : candidate switch peer mac peer port id native port id speed duplex 000f-e239-1333 ethernet1/0/4 ethernet1/0/10 100 full tab...
Page 868
1-45 mac-address mac-address: accepts adding the device with the specified mac address to the standard topology of the cluster. Member-id member-id: accepts adding the device with the specified member id to the standard topology of the cluster. Administrator: accepts adding the administrative device...
Page 869
1-46 description use the topology restore-from command to restore the standard topology of the cluster from the flash memory of the administrative device when errors occur to the topology, and advertise the topology to the member devices of the cluster to ensure normal operation of the cluster. You ...
Page 870
1-47 system-view system view: return to user view with ctrl+z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] # save the standard topology of the cluster to the local flash. [aaa_0.Sysname-cluster] topology save-to local-flash base topology backup to file ok.
Page 871: Table of Contents
I table of contents 1 poe configuration commands ················································································································1-1 poe configuration commands ············································································································...
Page 872: Poe Configuration Commands
1-1 1 poe configuration commands the newly added function is upgrading the poe module of the fabric switch remotely. See update fabric for details. Poe configuration commands display poe interface syntax display poe interface [ interface-type interface-number ] view any view parameters interface-typ...
Page 873
1-2 port peak power :552 mw port average power :547 mw port current :10 ma port voltage :51 v table 1-1 display poe interface command output description field description port power enabled poe is enabled on the port port power on/off the power on the port is on/off port power status poe status on t...
Page 874
1-3 table 1-2 display poe interface command output description field description port index port index power power status on the port: on/off enable poe enabled/disabled status on the port mode poe mode on the port: z signal: poe through the signal cable z spare: poe through the spare cable priority...
Page 875
1-4 ethernet1/0/3 0 ethernet1/0/4 0 ethernet1/0/5 0 ethernet1/0/6 0 ethernet1/0/7 0 ethernet1/0/8 0 ethernet1/0/9 0 ethernet1/0/10 12400 …… display poe powersupply syntax display poe powersupply view any view parameters none description use the display poe powersupply command to view the parameters ...
Page 876
1-5 field description power average value average power value of the pse power software version version of the pse software power hardware version version of the pse hardware pse cpld version version of the pse complex programmable logical device (cpld) pse power-management mode poe management mode ...
Page 877
1-6 parameters none description use the poe enable command to enable the poe feature on a port. Use the undo poe enable command to disable the poe feature on a port. By default, the poe feature on a port is enabled by the default configuration file when the device is delivered. If you delete the def...
Page 878
1-7 poe max-power syntax poe max-power max-power undo poe max-power view ethernet port view parameters max-power: maximum power distributed to the port, ranging from 1,000 to 15,400, in mw. Description use the poe max-power command to configure the maximum power that can be supplied by the current p...
Page 879
1-8 description use the poe mode command to configure the poe mode on the current port. Use the undo poe mode command to restore the poe mode on the current port to the default mode. By default, signal mode is adopted on a port. Note that the s3600 series ethernet switches do not support the spare m...
Page 881
1-10 parameters none description use the poe temperature-protection enable command to enable poe over-temperature protection on the switch. Use the undo poe temperature-protection enable command to disable poe over-temperature protection on the switch. The poe over-temperature protection operates as...
Page 882
1-11 z use the full mode only when the refresh mode fails. In normal cases, use the refresh mode. Z when the pse processing software is damaged (that is, all the poe commands cannot be successfully executed), you can use the full mode to update and restore the software. Z when the online upgrading p...
Page 883
1-12 2 2591972 y y warning: the verification is completed, start the file transmission? [y/n] y the fabric is being updated, 100% the poe2046.S19 is stored on unit 1 successfully! The poe2046.S19 is stored on unit 2 successfully! Do you want to set poe2046.S19 to be running agent next time to boot?[...
Page 884
2-1 2 poe profile configuration commands poe profile configuration commands apply poe-profile syntax in system view use the following commands: apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] undo apply poe-profile profile-name interfac...
Page 885
2-2 poe profile is a set of poe configurations. One poe profile can contain multiple poe features. When the apply poe-profile command is used to apply a poe profile to a port, some poe features can be applied successfully while some cannot. Poe profiles are applied to s3600 series ethernet switches ...
Page 886
2-3 system-view system view: return to user view with ctrl+z. [sysname] display poe-profile name profile-test poe-profile: profile-test, 3 action poe enable poe max-power 5000 poe priority critical poe-profile syntax poe-profile profile-name undo poe-profile profile-name view system view parameters ...
Page 887: Table of Contents
I table of contents 1 udp helper configuration commands····································································································1-1 udp helper configuration commands ···································································································1-1 disp...
Page 888
1-1 1 udp helper configuration commands udp helper configuration commands display udp-helper server syntax display udp-helper server [ interface vlan-interface vlan-id ] view any view parameters vlan-id: vlan interface number. Description use the display udp-helper server command to display the udp ...
Page 889
1-2 view user view parameters none description use the reset udp-helper packet command to clear udp helper statistics. Examples # clear udp helper statistics. Reset udp-helper packet udp-helper enable syntax udp-helper enable undo udp-helper enable view system view parameters none description use th...
Page 891
1-4 system-view system view: return to user view with ctrl+z. [sysname] udp-helper port 100 # disable forwarding of udp broadcasts with a destination udp port number of 53. [sysname] undo udp-helper port 53 udp-helper server syntax udp-helper server ip-address undo udp-helper server [ ip-address ] v...
Page 892: Table of Contents
I table of contents 1 snmp configuration commands ·············································································································1-1 snmp configuration commands············································································································1-...
Page 893: Snmp Configuration Commands
1-1 1 snmp configuration commands z the configuration of creating a mib view with the mask of a mib subtree is added. See section snmp-agent mib-view for details. Z the configuration of encrypting a plain-text password is added. See section snmp-agent calculate-password . Z the configuration of addi...
Page 895
1-3 table 1-1 display snmp-agent community command output description field description community name community name snmpv1 and snmpv2c use community name authentication. A community name functions like a password; it is used to restrict access between the nms and the agent. Group name group name i...
Page 896
1-4 examples # display the information about all the snmp groups. Display snmp-agent group group name: v3group security model: v3 noauthnopriv readview: viewdefault writeview: viewdefault notifyview : viewdefault storage-type: nonvolatile table 1-2 display snmp-agent group command output description...
Page 897
1-5 description use the display snmp-agent mib-view command to display the mib view configuration of the current ethernet switch, including view name, mib subtree, subtree mask, and so on. For the description of the configuration items of mib view, refer to the related description in the snmp-agent ...
Page 898
1-6 parameters none description use the display snmp-agent statistics command to display the statistics on snmp packets. The statistics are collected from the time when the switch is started, and the statistics will not be cleared if the snmp is restarted. If you execute the command when snmp agent ...
Page 899
1-7 field description messages which represented an illegal operation for the community supplied the total number of snmp messages delivered to the snmp protocol entity which represented an snmp operation which was not allowed by the snmp community named in the message. Asn.1 or ber errors in the pr...
Page 900
1-8 field description alternate response class pdus dropped silently the total number of getrequest-pdus, getnextrequest-pdus, getbulkrequest-pdus, setrequest-pdus, and informrequest-pdus delivered to the snmp entity which were silently dropped because the size of a reply containing an alternate res...
Page 901
1-9 the contact person for this managed node: hangzhou h3c technologies co., ltd. The physical location of this node: hangzhou china snmp version running in the system: snmpv3 display snmp-agent trap-list syntax display snmp-agent trap-list view any view parameters none description use the display s...
Page 903
1-11 field description storage-type storage type, which can be: z volatile: information will be lost if the system is rebooted z nonvolatile: information will not be lost if the system is rebooted z permanent: modification is permitted, but deletion is forbidden z readonly: read only, that is, no mo...
Page 904
1-12 snmp-agent syntax snmp-agent undo snmp-agent view system view parameters none description use the snmp-agent command to enable the snmp agent. Use the undo snmp-agent command to disable the snmp agent. Execution of the snmp-agent command or any of the commands used to configure the snmp agent, ...
Page 905
1-13 parameters plain-password: the plain-text password to be encrypted, in the range 1 to 64 characters. Mode: specifies the authentication algorithm used to encrypt a plain text password. Md5: uses hmac md5 algorithm. Sha: uses hmac sha algorithm, which is securer than md5 algorithm. Local-enginei...
Page 906
1-14 parameters read: specifies that the community to be created has read-only permission to mib objects. Communities of this type can only query mibs for device information. Write: specifies that the community to be created has read-write permission to mib objects. Communities of this type are capa...
Page 907
1-15 view system view parameters v1: specifies snmpv1. V2c: specifies snmpv2c. V3: specifies snmpv3. Group-name: name of the snmp group to be created, a string of 1 to 32 characters. Authentication: configures to authenticate but do not encrypt the packets. Privacy: configures to authenticate and en...
Page 908
1-16 [sysname] rule 0 permit source 192.168.0.108 0 [sysname] snmp-agent group v3 v3group privacy acl 2001 in this case, when you use the display snmp-agent group command to display group information, you can see that two groups with the name v3group are created, but their security modes are noauthn...
Page 911
1-19 you need to define the mib view access right of the community name or group in the configuration of an snmp community name or group name. For the configurations, refer to the snmp-agent community and snmp-agent group commands. Examples # create an snmp mib view with the name of rip2, and mib su...
Page 913
1-21 you can use the display snmp-agent sys-info command to display the current snmp system information. Examples # specify the contact information for system maintenance as dial system operator # 1234. System-view system view: return to user view with ctrl+z. [sysname] snmp-agent sys-info contact d...
Page 914
1-22 1) use the snmp-agent trap enable or enable snmp trap updown command to specify the types of the snmp traps a device can send (by default, a device can send all types of snmp traps). 2) use the snmp-agent target-host command to set the address of the destination for the snmp traps. Related comm...
Page 915
1-23 use the undo snmp-agent trap enable command to disable a device from sending snmp traps that are of specified types. By default, a device sends all types of snmp traps. The snmp-agent trap enable command need to be coupled with the snmp-agent target-host command. The snmp-agent target-host comm...
Page 916
1-24 system view: return to user view with ctrl+z. [sysname] snmp-agent trap ifmib link extended # after the configuration of the extended trap function, the trap information is as follows when a link is down: #apr 2 05:55:00:642 2000 h3c l2inf/2/port link status change:- 1 - trap 1.3.6.1.6.3.1.1.5....
Page 917
1-25 view system view parameters size: the maximum number of traps that can be stored in the queue, an integer ranging from 1 to 1,000. Description use the snmp-agent trap queue-size command to set the length of the queue of the snmp traps to be sent to the destination. Use the undo snmp-agent trap ...
Page 918
1-26 you can configure this command to track a specific event by the source addresses of snmp traps. Before configuring an interface as the source interface for the snmp traps sent, make sure the interface is assigned an ip address. Related commands: snmp-agent trap enable, snmp-agent target-host. E...
Page 919
1-27 adding a new community name. If you fill the newly created username into the community name field of the nms, the nms can establish a connection with the snmp. To make the configured user take effect, you must create a group first. Related commands: snmp-agent group, snmp-agent community, and s...
Page 920
1-28 sha: uses hmac sha algorithm for authentication, which is securer than md5. Auth-password: authentication password, a string of 1 to 64 characters in plain text, a 32-bit hexadecimal number in cipher text if md5 algorithm is used, and a 40-bit hexadecimal number in cipher text if sha algorithm ...
Page 921
1-29 examples # add a user named testuser to the snmpv3 group named testgroup. Set the security mode to authentication without privacy, the authentication algorithm to md5, and authentication password authkey. System-view [sysname] snmp-agent group v3 testgroup authentication [sysname] snmp-agent us...
Page 922: Rmon Configuration Commands
2-1 2 rmon configuration commands rmon configuration commands display rmon alarm syntax display rmon alarm [ entry-number ] view any view parameters entry-number: alarm entry index, in the range 1 to 65535. Description use the display rmon alarm command to display the configuration of a specified al...
Page 923
2-2 field description sampling interval sampling interval, in seconds. The system performs absolute or delta sampling on the sampled node at this interval. Rising threshold rising threshold. When the sampled value equals or exceeds the rising threshold, an alarm is triggered. Falling threshold falli...
Page 924
2-3 event table 1 owned by user1 is valid. Description: null. Will cause log-trap when triggered, last triggered at 0days 00h:02m:27s. Table 2-2 display rmon event command output description field description event table index of an entry in the rmon event table valid the status of the entry identif...
Page 925
2-4 table 2-3 display rmon eventlog command output description field description event table index of an entry in the rmon event table valid the status of the entry identified by the index is valid. Generates eventlog 1.1 at 0days 00h:02m:27s time when the event is triggered. The event can be trigge...
Page 926
2-5 sampling interval : 5(sec) with 10 buckets max latest sampled values : dropevents : 0 , octets : 10035 packets : 64 , broadcast packets : 35 multicast packets : 8 , crc alignment errors : 0 undersize packets : 0 , oversize packets : 0 fragments : 0 , jabbers : 0 collisions : 0 , utilization : 0 ...
Page 927
2-6 parameters prialarm-entry-number: extended alarm entry index, in the range 1 to 65,535. Description use the display rmon prialarm command to display the configuration of an rmon extended alarm entry. If you do not specify the prialarm-entry-number argument, the configuration of all the extended ...
Page 928
2-7 field description when startup enables: risingorfallingalarm the condition under which an alarm is triggered, which can be: z risingorfallingalarm: an alarm is triggered when the rising or falling threshold is reached. Z risingalarm: an alarm is triggered when the rising threshold is reached. Z ...
Page 929
2-8 etherstatsbroadcastpkts : 102 , etherstatsmulticastpkts : 25 etherstatsundersizepkts : 0 , etherstatsoversizepkts : 0 etherstatsfragments : 0 , etherstatsjabbers : 0 etherstatscrcalignerrors : 0 , etherstatscollisions : 0 etherstatsdropevents (insufficient resources): 0 packets received accordin...
Page 930
2-9 alarm-variable: alarm variable, a string comprising 1 to 256 characters in dotted node oid format (such as 1.3.6.1.2.1.2.1.10.1). Only the variables that can be resolved to asn.1 integer data type (that is, integer, counter, gauge, or timeticks) can be used as alarm variables. Sampling-time: sam...
Page 931
2-10 z before adding an alarm entry, you need to use the rmon event command to define the events to be referenced by the alarm entry. Z make sure the node to be monitored exists before executing the rmon alarm command. Examples # add the alarm entry numbered 1 as follows: z the node to be monitored:...
Page 932
2-11 log-trap: logs the event and sends traps to the nms. Log-trapcommunity: community name of the nms that receives the traps, a character string of 1 to 127 characters. None: specifies that the event triggers no action. Owner text: specifies the owner of the event entry, a string of 1 to 127 chara...
Page 933
2-12 system samples the port periodically and stores the samples for later retrieval. The sampled information includes utilization, the number of errors, and total number of packets. You can use the display rmon history command to display the statistics of the history control table. Examples # creat...
Page 934
2-13 description use the rmon prialarm command to create an extended entry in an extended rmon alarm table. If you do not specify the owner text keyword/argument combination, the owner of the entry is displayed as “null”. Use the undo rmon prialarm command to remove an extended alarm entry. Z before...
Page 935
2-14 [sysname-ethernet1/0/1] rmon statistics 1 [sysname-ethernet1/0/1] quit [sysname] rmon prialarm 2 ((.1.3.6.1.2.1.16.1.1.1.4.1)*100) test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user1 # remove the extended alarm entry numbered 2 from the extended alarm t...
Page 936
2-15 system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] rmon statistics 20
Page 937: Table of Contents
I table of contents 1 ntp configuration commands ················································································································1-1 ntp configuration commands ············································································································...
Page 938: Ntp Configuration Commands
1-1 1 ntp configuration commands to protect unused sockets against attacks by malicious users and improve security, h3c s3600 series ethernet switches provide the following functions: z udp port 123 is opened only when the ntp feature is enabled. Z udp port 123 is closed as the ntp feature is disabl...
Page 939
1-2 examples # view the brief information of all sessions maintained by ntp services. Display ntp-service sessions source reference stra reach poll now offset delay disper ************************************************************************* [12345]3.0.1.32 locl 1 95 64 42 -14.3 12.9 2.7 [25]3.0...
Page 940
1-3 field description total associations total number of associations an s3600 series switch does not establish a session with its client when it works in the ntp server mode, but does so when it works in other ntp implementation modes. Display ntp-service status syntax display ntp-service status vi...
Page 941
1-4 field description reference clock id address of the remote server or id of the reference clock after the local clock is synchronized to a remote ntp server or a reference clock nominal frequency nominal frequency of the local hardware clock, in hz. Actual frequency actual frequency of the local ...
Page 942
1-5 table 1-3 display ntp-service trace command output description field description server ip address of the ntp server stratum the stratum level of the corresponding system clock offset the clock offset relative to the upper-level clock, in milliseconds. Synch distance the synchronization distance...
Page 943
1-6 ntp service access-control rights from the highest to the lowest are peer, server, synchronization, and query. When a local ntp server receives an ntp request, it will perform an access-control right match and will use the first matched right. The ntp-service access command only provides a minim...
Page 944
1-7 ntp-service authentication-keyid syntax ntp-service authentication-keyid key-id authentication-mode md5 value undo ntp-service authentication-keyid key-id view system view parameters key-id: authentication key id, in the range of 1 to 4294967295. You can configure up to 1024 keys. Value: authent...
Page 945
1-8 use the undo ntp-service broadcast-client command to remove the configuration. By default, no ntp operate mode is configured. Examples # configure the switch to operate in the broadcast client mode and receive ntp broadcast packets through vlan-interface 1. System-view system view: return to use...
Page 946
1-9 undo ntp-service in-interface disable view vlan interface view parameters none description use the ntp-service in-interface disable command to disable the interface from receiving ntp packets. Use the undo ntp-service in-interface disable command to restore the default. By default, the interface...
Page 947
1-10 ntp-service multicast-client syntax ntp-service multicast-client [ ip-address ] undo ntp-service multicast-client [ ip-address ] view vlan interface view parameters ip-address: multicast ip address, in the range of 224.0.1.0 to 224.0.1.255. The default ip address is 224.0.1.1. Description use t...
Page 948
1-11 description use the ntp-service multicast-server command to configure an ethernet switch to operate in the ntp multicast server mode and send ntp multicast packets through the current interface. Use the undo ntp-service multicast-server command to remove the configuration. By default, no ntp op...
Page 949
1-12 [sysname] ntp-service reliable authentication-keyid 37 ntp-service source-interface syntax ntp-service source-interface vlan-interface vlan-id undo ntp-service source-interface view system view parameters vlan-interface vlan-id: specifies an interface. The ip address of the interface serves as ...
Page 950
1-13 view system view parameters remote-ip: ip address of the ntp symmetric-passive peer. This argument can be a unicast address only, and cannot be a broadcast address, a multicast address, or the ip address of the local reference clock. Peer-name: symmetric-passive peer host name, a string compris...
Page 952: Table of Contents
I table of contents 1 ssh commands·········································································································································1-1 ssh commands ················································································································...
Page 953: Ssh Commands
1-1 1 ssh commands the dsa support feature is newly added. For specific commands, see display public-key local , display public-key peer , public-key local create , public-key local destroy , public-key local export rsa , public-key local export dsa , public-key peer , public-key peer import sshkey ...
Page 954
1-2 75fd6a430575d97350e300a20feb773d93d7c3565467b0ca6b95c07d3338c523743b49d82c 5ec2c9458d248955846f9c32f4d25cc92d0e831e564bba6fae794eec6fcdedb822909cc687 bebf51f3dfc5c30d590203010001 ===================================================== time of key pair created: 23:48:36 2000/04/03 key name: sysname...
Page 955
1-3 description use the display public-key peer command to display information about locally saved public keys of ssh peers. If no key name is specified, the command displays detailed information about the locally saved public keys of all ssh peers. Sometimes the public key modulo displayed with the...
Page 956
1-4 display rsa local-key-pair public syntax display rsa local-key-pair public view any view parameters none description use the display rsa local-key-pair public command to display the public key part of the current switch’s rsa key pair(s). If no key pair has been generated, the system prompts “% ...
Page 957
1-5 d0fc303f 51072d6c b5d0054d 3673eba0 a4748984 5ebf6ebe cf6a13b1 c7858241 a2a9aa79 0203 010001 after you complete the rsa key pair generation task: z if the switch is working in ssh1-compatible mode, there should be two public keys generated (that is, the host public key and the server public key)...
Page 958
1-6 type module name --------------------------- dsa 1023 2 dsa 1024 a # display the information about public key “abcd”. Display rsa peer-public-key name abcd ===================================== key name : abcd key type : rsa key module: 1024 ===================================== key code: 30819f...
Page 959
1-7 z if you use the ssh server compatible-ssh1x enable command to configure the server to be compatible with ssh1.X clients, the ssh version will be displayed as 1.99. Z if you use the undo ssh server compatible-ssh1x command to configure the server to be not compatible with ssh1.X clients, the ssh...
Page 960
1-8 if an ssh client needs to authenticate the ssh server, it uses the locally saved public key of the server for authentication. In case the authentication fails, you can use the display ssh server-info command to view whether the locally saved public key of the server is correct. Related commands:...
Page 961
1-9 display ssh2 source-ip syntax display ssh2 source-ip view any view parameters none description use the display ssh2 source-ip command to display the current source ip address or the ip address of the source interface specified for the ssh client. If neither source ip address nor source interface...
Page 962
1-10 peer-public-key end syntax peer-public-key end view public key view parameters none description use the peer-public-key end command to return from public key view to system view. Related commands: rsa peer-public-key, public-key-code begin, public-key peer. Examples # exit public key view. Syst...
Page 963
1-11 as ssh clients access the ssh server through vty user interfaces, you need configure the vty user interfaces of the ssh server to support remote ssh login. Z if you have configured a user interface to support ssh protocol, to ensure a successful login to the user interface, you must configure a...
Page 964
1-12 z the configuration of this command can survive a reboot. You only need to configure it once. Related commands: public-key local destroy, display public-key local. Examples # create an rsa key pair of 512 bits. System-view system view: return to user view with ctrl+z. [sysname] public-key local...
Page 965
1-13 notes: if the key modulus is greater than 512, it will take a few minutes. Input the bits in the modulus[default = 1024]:512 generating keys... .++++++++++++++++++++++++++++++++++++++++++++++++++* ........+......+.....+......................................+..+................ .......+............
Page 966
1-14 examples # destroy the rsa key pair of the current switch. System-view system view: return to user view with ctrl+z. [sysname]public-key local destroy dsa % confirm to destroy these keys? [y/n]:y ...... # destroy the dsa key pair of the current switch. System-view system view: return to user vi...
Page 967
1-15 examples # generate an rsa key pair. System-view [sysname] public-key local create rsa the range of public key size is (512 ~ 2048). Notes: if the key modulus is greater than 512, it will take a few minutes. Input the bits in the modulus[default = 1024]: generating keys... ........................
Page 968
1-16 if you specify a filename, the public key will be exported to the file and the file will be saved. If you do not specify any filename, the public key will be displayed on the screen. Z ssh1, ssh2, and openssh are three public key file formats. You can choose one as required. Z the host public k...
Page 969
1-17 [sysname] public-key local export dsa openssh key.Pub public-key peer syntax public-key peer keyname undo public-key peer keyname view system view parameters keyname: name of the public key, a string of 1 to 64 characters. Description use the public-key peer command to enter public key view. Us...
Page 970
1-18 parameters keyname: name of the public key , a string of 1 to 64 characters. Filename: name of a public key file, a string of 1 to 142 characters. For file naming rules, refer to file system management command. Description use the public-key peer import sshkey command to import a peer public ke...
Page 971
1-19 examples # enter public key edit view and input a public key. System-view system view: return to user view with ctrl+z. [sysname] rsa peer-public-key switch003 rsa public key view: return to system view with "peer-public-key end". [sysname-rsa-public-key] public-key-code begin rsa key code view...
Page 972
1-20 [sysname-rsa-key-code] 308186028180739a291abda704f5d93dc8fdf84c427463 [sysname-rsa-key-code] 1991c164b0df178c55fa833591c7d47d5381d09ce82913 [sysname-rsa-key-code] d7edf9c08511d83ca4ed2b30b809808eb0d1f52d045de4 [sysname-rsa-key-code] 0861b74a0e135523ccd74cac61f8e58c452b2f3f2da0dc [sysname-rsa-ke...
Page 973
1-21 ...++++++++ ........Done! # display the public key part of the current switch’s rsa key pair(s). [sysname] display rsa local-key-pair public ===================================================== time of key pair created: 02:31:51 2000/04/09 key name: sysname_host key type: rsa encryption key ==...
Page 974
1-22 parameters none description use the rsa local-key-pair destroy command to destroy the current switch’s rsa key pair. Related commands: rsa local-key-pair create. Examples # destroy the current switch’s rsa key pair. System-view system view: return to user view with ctrl+z. [sysname] rsa local-k...
Page 975
1-23 system-view system view: return to user view with ctrl+z. [sysname] rsa peer-public-key switch002 rsa public key view: return to system view with "peer-public-key end". [sysname-rsa-public-key] rsa peer-public-key import sshkey syntax rsa peer-public-key keyname import sshkey filename undo rsa ...
Page 978
1-26 if a pair of ssh peers are both switches that support both dsa and rsa, you must configure the dsa public key of the server on the client. Related command: ssh client first-time enable. Examples # specify the name of the dsa public key of the server (whose ip address is 192.168.0.1) as pub.Ppk ...
Page 979
1-27 examples # disable the client to run first-time authentication. System-view system view: return to user view with ctrl+z. [sysname] undo ssh client first-time ssh server authentication-retries syntax ssh server authentication-retries times undo ssh server authentication-retries view system view...
Page 980
1-28 undo ssh server compatible-ssh1x view system view parameters none description use the ssh server compatible-ssh1x enable command to make the server compatible with ssh1.X clients. Use the undo ssh server compatible-ssh1x command to make the server incompatible with ssh1.X clients. By default, t...
Page 981
1-29 related commands: display ssh server. Examples # configure to update the server's keys every 3 hours. System-view system view: return to user view with ctrl+z. [sysname] ssh server rekey-interval 3 ssh server timeout syntax ssh server timeout seconds undo ssh server timeout view system view par...
Page 982
1-30 the string before the @ sign) cannot be more than 55 characters, and the domain name part cannot be more than 128 characters. Description use the ssh user command to create an ssh user. Use the undo ssh user to delete a specified ssh user. An ssh user created with this command uses the default ...
Page 987
1-35 note that when logging into the ssh server using publickey authentication, an ssh client needs to read its own private key for authentication. As two algorithms (rsa or dsa) are available, the identity-key keyword must be used to specify one algorithm in order to get the correct private key. Ex...
Page 988
1-36 view system view parameters ip-address: source ip address. Description use the ssh2 source-ip command to specify a source ip address for the ssh client. If the specified ip address is not an address of the device, the command fails. Use the undo ssh2 source-ip command to cancel the source ip ad...
Page 989
1-37 ssh-server source-ip syntax ssh-server source-ip ip-address undo ssh-server source-ip view system view parameters ip-address: ip address to be set as the source ip address. Description use the ssh-server source-ip command to specify a source ip address for the ssh server. If the specified ip ad...
Page 990: Table of Contents
I table of contents 1 file system management configuration commands ············································································1-1 file system configuration commands ···································································································1-1 cd ···········...
Page 991: Commands
1-1 1 file system management configuration commands the s3600 series ethernet switches support intelligent resilient framework (irf), and allow you to access a file on a switch in one of the following ways: z to access a file on the specified unit, you need to specify the file in universal resource ...
Page 992
1-2 parameters directory: target directory. Description use the cd command to enter a specified directory on the ethernet switch. The default directory when a user logs onto the switch is the root directory of flash memory. Examples # enter the directory test from the root directory. Cd test # retur...
Page 994
1-4 delete the running config file? [y/n]: delete the running web file? [y/n]: delete the backup image file? [y/n]: delete the backup config file? [y/n]: delete the backup web file? [y/n]: the corresponding files will be deleted after you choose yes. For deleted files whose names are the same, only ...
Page 995
1-5 view user view parameters /all: specifies to display the information about all the files, including those stored in the recycle bin. /fabric: specifies to display the information about all the specified files in the fabric. File-url: path name or the name of a file in the flash memory. You can u...
Page 996
1-6 15367 kb total (3720 kb free) (*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute # display information about all the files (including the files in the recycle bin) in the root directory of the file system of the fabric. Dir /all /fabric directory of uni...
Page 997
1-7 parameters filename: batch file, with the extension .Bat. Description use the execute commandto execute the specified batch file. Executing a batch file is to execute a set of commands in the batch file one by one. Note that: z a batch file cannot contain any invisible character. If any invisibl...
Page 998
1-8 z if the prompt mode is set to alert, the following messages will be displayed when you delete a file: delete unit1>flash:/te.Txt delete unit1>flash:/te.Txt?[y/n]:y ...... %delete file unit1>flash:/te.Txt...Done. The system waits for you to confirm for 30 seconds. If you do not input any confirm...
Page 999
1-9 format syntax format device view user view parameters device: name of a device. Description use the format command to format the flash memory. The format operation clears all the files on the flash memory, and the operation is irretrievable. Examples # format the flash memory. Format unit1>flash...
Page 1000
1-10 z to use this command to create a subdirectory, the specified directory must exist. For instance, to create subdirectory flash:/test/mytest, the test directory must exist. Otherwise, you will fail to create the subdirectory. Examples # create a directory in the current directory, with the name ...
Page 1001
1-11 # vlan 2 # return move syntax move fileurl-source fileurl-dest view user view parameters fileurl-source: name of the source file. Fileurl-dest: name of the target file. Description use the move command to move a file to a specified directory. If the target file name is the same as an existing f...
Page 1002
1-12 view user view parameters none description use the pwd command to display the current working path of the login user. Examples # display the current working path. Pwd unit1>flash: rename syntax rename fileurl-source fileurl-dest view user view parameters fileurl-source: original path name or fi...
Page 1003
1-13 parameters file-url: path name or file name of a file in the flash memory. This argument supports the wildcard “*”. For example, *.Txt means all the files with an extension of txt. /force: specifies not to prompt for confirmation before deleting files. /fabric: specifies to clear the recycle bi...
Page 1004
1-14 15367 kb total (6730 kb free) //the above information indicates that in directory flash:, there are two files a.Cfg and b.Cfg in the recycle bin. Z delete the files in directory flash: that are already in the recycle bin. Reset recycle-bin clear flash:/~/a.Cfg ?[y/n]:y clearing files from flash...
Page 1005
1-15 rmdir syntax rmdir directory view user view parameters directory: name of a directory. Description use the rmdir command to delete a directory. As only empty directories can be deleted, you need to clear a directory before deleting it. Examples # delete the directory named dd. Rmdir dd rmdir un...
Page 1006
1-16 update fabric syntax update fabric file-name view user view parameters file-name: name of the file to be upgraded, a string comprising 1 to 64 characters. Description use the update fabric command to use an app file, boot rom or web file on a device in the fabric to upgrade all the units in the...
Page 1007
1-17 fabric name is fab, system mode is l3. Fabric authentication : no authentication, number of units in stack: 1. Unit name unit id first 1(*) first 2 first 8 update fabric test.Bin this will update the fabric. Continue? [y/n] y the software is verifying ... The result of verification is : unit id...
Page 1008
1-18 the boot, web and configuration file's backup-attribute and main-attribute will exchange. Are you sure? [y/n] y the boot, web and configuration file's backup-attribute and main-attribute successfully exchanged on unit 1! The boot, web and configuration file's backup-attribute and main-attribute...
Page 1009
1-19 view user view parameters file-url: path or the name of the app file in the flash memory, a string comprising 1 to 64 characters. Fabric: specifies to apply the configuration to the whole fabric. Description use the boot boot-loader backup-attribute command to configure an app file of the fabri...
Page 1010
1-20 description use the boot web-package command to configure a web file in the fabric to be with the main or backup attribute. Z before configuring the main or backup attribute for a web file in the fabric, make sure the file exists on all devices in the fabric. Z the configuration of the main or ...
Page 1011
1-21 the main boot app is: test.Bin the backup boot app is: testbak.Bin display web package syntax display web package view any view parameters none description use the display web package command to display information about the web file used by the device, including the name of the currently used ...
Page 1012
1-22 examples # specify to prompt users to use customized passwords to enter the boot menu. Startup bootrom-access enable display startup unit 1 mainboard: current startup saved-configuration file: flash:/config.Cfg next main startup saved-configuration file: flash:/config.Cfg next backup startup sa...
Page 1013
1-23 # back up the current configuration of the whole fabric to the file aaa.Cfg on the tftp server whose ip address is 1.1.1.253. Backup fabric current-configuration to 1.1.1.253 aaa.Cfg backup current configuration to 1.1.1.253. Please wait... File will be transferred in binary mode. Copying file ...
Page 1014
1-24 file downloaded successfully. Unit 7: restore startup current configuration finished! # restore the startup configuration of the whole fabric from the file bbb.Cfg on the tftp server with the ip address 1.1.1.253. Restore fabric startup-configuration from 1.1.1.253 bbb.Cfg restore startup confi...
Page 1015: Table of Contents
I table of contents 1 ftp and sftp configuration commands ·······························································································1-1 ftp server configuration commands····································································································1-1 displa...
Page 1016
Ii sftp client configuration commands·································································································1-26 bye ·················································································································································1-26 cd ····...
Page 1017
1-1 1 ftp and sftp configuration commands ftp server configuration commands display ftp-server syntax display ftp-server view any view parameters none description use the display ftp-server command to display the ftp server-related settings of a switch when it operates as an ftp server, including st...
Page 1018
1-2 the h3c s3600 series ethernet switch supports one user access at one time when it serves as the ftp server. Display ftp-server source-ip syntax display ftp-server source-ip view any view parameters none description use the display ftp-server source-ip command to display the source ip address set...
Page 1019
1-3 description use the display ftp-user command to display the information of the ftp users that have logged in to the switch, including the user name, host ip address, port number, idle timeout time, and authorized directory. For how to create an ftp user on an ftp server, refer to the aaa part of...
Page 1020
1-4 description use the ftp disconnect command to terminate the connection between a specified user and the ftp server. With an h3c s3600 series ethernet switch acting as the ftp server, if you attempt to disconnect a user that is uploading/downloading data to/from the ftp server, the s3600 ethernet...
Page 1021
1-5 to protect unused sockets from being attacked by malicious users, the h3c s3600 series ethernet switch provides the following functions: z tcp 21 is enabled only when you start the ftp server. Z tcp 21 is disabled after you shut down the ftp server. Related commands: display ftp-server. Examples...
Page 1022
1-6 ftp-server source-interface syntax ftp-server source-interface interface-type interface-number undo ftp-server source-interface view system view parameters interface-type: type of the interface serving as the source interface of an ftp server. The interface type can be a loopback interface or a ...
Page 1023
1-7 use the undo ftp-server source-ip command to cancel the source ip address setting. By default, no source ip address is specified for an ftp server, and an ftp client can use any reachable address on the ftp server as the destination address to connect to an ftp server. Examples # specify 192.168...
Page 1024
1-8 200 type set to a. Binary syntax binary view ftp client view parameters none description use the binary command to specify that program files be transferred in binary mode, which is used for transferring program files. By default, files are transferred in ascii mode. Related commands: ascii. Exa...
Page 1025
1-9 cd syntax cd path view ftp client view parameters path: path of the target directory. Description use the cd command to change the working directory on the remote ftp server. Note that you can use this command to enter only authorized directories. Related commands: pwd. Examples # change the wor...
Page 1026
1-10 # display the current directory. [ftp] pwd 257 "flash:" is current directory. Close syntax close view ftp client view parameters none description use the close command to terminate an ftp connection without quitting ftp client view. This command has the same effect as that of the disconnect com...
Page 1027
1-11 dir syntax dir [ filename [ localfile ] ] view ftp client view parameters filename: name of the file to be queried. Localfile: name of the local file where the query result is to be saved. Description use the dir command to query specified files on a remote ftp server, or to display file inform...
Page 1028
1-12 -rwxrwxrwx 1 noone nogroup 5286666 oct 18 2006 switch5.Bin -rwxrwxrwx 1 noone nogroup 306 may 13 11:17 swithc001 226 transfer complete. Ftp: 1025 byte(s) received in 0.019 second(s) 53.00k byte(s)/sec. # display information about file config.Cfg and save the information to file temp1. [ftp] dir...
Page 1029
1-13 for the ftp client, the configured source ip address will be displayed. If neither a source ip address nor source interface is specified for the ftp client, 0.0.0.0 will be displayed. If no source ip address is specified for the ftp client, the switch searches the entry with the destination as ...
Page 1030
1-14 view user view parameters cluster: connects to the configured ftp server of a cluster. For the configuration of the ftp server of a cluster, refer to the cluster part of this manual. Remote-server: host name or ip address of an ftp server, a string of 1 to 20 characters. Interface-type: type of...
Page 1031
1-15 ftp source-interface syntax ftp source-interface interface-type interface-number undo ftp source-interface view system view parameters interface-type: type of the source interface, which can be vlan interface or loopback interface. Interface-number: number of the source interface. Description u...
Page 1032
1-16 description use the ftp source-ip command to specify the source ip address of that the switch uses every time it connects to an ftp server, and the configuration will be saved to the configuration file of the system. The value of argument ip-address must be an ip address on the device where the...
Page 1033
1-17 examples # download file temp.C. [ftp] get temp.C 227 entering passive mode (2,2,2,2,4,12). 125 ascii mode data connection already open, transfer starting for temp.C. ..226 transfer complete. Ftp: 15 byte(s) received in 2.568 second(s) 0.00 byte(s)/sec. Lcd syntax lcd view ftp client view param...
Page 1034
1-18 if you do not specify the remotefile argument, names of all the files in the current remote directory are displayed. The ls command only displays file names on an ftp server. To query other file-related information, for example, file size, creation date and so on, use the dir command. Related c...
Page 1036
1-20 parameters none description use the passive command to set the data transfer mode to the passive mode. Use the undo passive command to set the data transfer mode to the active mode. By default, the passive mode is adopted. The differences between the passive mode and the active mode are: z when...
Page 1037
1-21 125 ascii mode data connection already open, transfer starting for temp.C. 226 transfer complete. Ftp: 15 byte(s) sent in 7.549 second(s) 1.00byte(s)/sec. Pwd syntax pwd view ftp client view parameters none description use the pwd command to display the working directory on an ftp server. Relat...
Page 1038
1-22 remotehelp syntax remotehelp [ protocol-command ] view ftp client view parameters protocol-command: ftp protocol command. Description use the remotehelp command to display the help information about an ftp protocol command. This command works only when the ftp server provides the help informati...
Page 1039
1-23 examples # rename file temp.C as forever.C. [ftp] rename temp.C forever.C 350 enter the name to rename it to... 250 file renamed successfully rmdir syntax rmdir pathname view ftp client view parameters pathname: name of a directory on an ftp server. Description use the rmdir command to remove a...
Page 1040
1-24 verbose syntax verbose undo verbose view ftp client view parameters none description use the verbose command to enable the verbose function, which displays execution information of user operations and all ftp responses. Use the undo verbose command to disable the verbose function. The verbose f...
Page 1041
1-25 view system view parameters none description use the sftp server enable command to enable the sftp server. Use the undo sftp server command to disable the sftp server. By default, the sftp server is disabled. Examples # enable the sftp server. System-view system view: return to user view with c...
Page 1042
1-26 sftp client configuration commands bye syntax bye view sftp client view parameters none description use the bye command to terminate a connection with the remote sftp server and return to system view. This command has the same effect as that of the commands exit and quit. Examples # terminate t...
Page 1043
1-27 examples # change the working path to new1. Sftp-client>cd new1 received status: success current directory is: /new1 sftp-client> cdup syntax cdup view sftp client view parameters none description use the cdup command to change the working path on the remote sftp server and return to the parent...
Page 1045
1-29 display sftp source-ip syntax display sftp source-ip view any view parameters none description use the display sftp source-ip command to display the source ip address specified for the current sftp client. If you have specified a source interface for the sftp client, this command displays the i...
Page 1046
1-30 get syntax get remote-file [ local-file ] view sftp client view parameters remote-file: name of a file on the remote sftp server. Local-file: name of a local file. Description use the get command to download a file from the remote server. By default, the remote file name is used for the file sa...
Page 1048
1-32 examples # create a directory named hj on the remote sftp server. Sftp-client>mkdir hj received status: success new directory created put syntax put local-file [ remote-file ] view sftp client view parameters local-file: name of a local file. Remote-file: name of a file on the remote sftp serve...
Page 1049
1-33 sftp-client> pwd / quit syntax quit view sftp client view parameters none description use the quit command to terminate a connection with the remote sftp server and return to system view. This command has the same effect as that of the commands bye and exit. Examples # terminate a connection wi...
Page 1050
1-34 this operation may take a long time.Please wait... Received status: success file successfully removed rename syntax rename oldname newname view sftp client view parameters oldname: old file name. Newname: new file name. Description use the rename command to rename a specified file on the remote...
Page 1052
1-36 authentication, you need to use the identity-key key word to specify the algorithms to get correct local private key; otherwise you will fail to log in. Examples # connect the sftp server with the ip address 10.1.1.2. Use the default encryption algorithm. System-view system view: return to user...
Page 1053
1-37 sftp source-ip syntax sftp source-ip ip-address undo sftp source-ip view system view parameters ip-address: source ip address to be set. Description use the sftp source-ip command to specify a source ip address for the sftp client. If the specified ip address is not the ip address of the local ...
Page 1054: Tftp Configuration Commands
2-1 2 tftp configuration commands tftp configuration commands when accessing a tftp server configured with an ipv6 address, use the tftp ipv6 command. For details, refer to the ipv6 management part in this manual. Display tftp source-ip syntax display tftp source-ip view any view parameters none des...
Page 1056
2-3 switch can only download the file to its memory, and delete the file if it finds the file is too large when writing the file to the flash. Related commands: tftp put. Examples # download file abc.Txt from the tftp server whose ip address is 1.1.1.1 and save it as efg.Txt (suppose free space of t...
Page 1057
2-4 when uploading files to a tftp server, you can only select the files under the current working directory of the device. To upload files in another directory, use the cd command to change to the specified directory in user view before executing the tftp put command. For the execution of the cd co...
Page 1059
2-6 description use the tftp source-interface command to specify the source interface of a tftp client that the tftp client uses every time it connects to a tftp server. The system prompts that the configuration fails if the specified interface does not exist. Use the undo tftp source-interface comm...
Page 1060
2-7 tftp-server acl syntax tftp-server acl acl-number undo tftp-server acl view system view parameters acl-number: basic acl number, in the range 2000 to 2999. Description use the tftp-server acl command to specify the acl adopted for the connection between a tftp client and a tftp server. Use the u...
Page 1061: Table of Contents
I table of contents 1 information center configuration commands ·······················································································1-1 information center configuration commands ························································································1-1 display cha...
Page 1063
1-2 view any view parameters unit-id: unit id of the device. Description use the display info-center command to display the operation status of information center, the configuration of information channels, the format of time stamp and the information output in case of fabric. Related commands: info...
Page 1064
1-3 field description log host information about the log host, including its ip address, name and number of information channel, language and level of the log host console information about the console port, including name and number of its information channel monitor information about the monitor p...
Page 1065
1-4 severity severity value description errors 4 error information warnings 5 warnings notifications 6 normal information that needs to be noticed informational 7 informational information to be recorded debugging 8 information generated during debugging size buffersize: specifies the size of the lo...
Page 1066
1-5 field description channel number the channel number of the log buffer, defaults to 4. Channel name the channel name of the log buffer, defaults to logbuffer. Dropped messages the number of dropped messages overwritten messages the number of overwritten messages (when the buffer size is not big e...
Page 1067
1-6 size buffersize: specifies the size of the trap buffer (number of messages the buffer holds) you want to display. The buffersize argument ranges from 1 to 1,024 and defaults to 256. Description use the display trapbuffer command to display the status of the trap buffer and the records in the tra...
Page 1068
1-7 use the undo info-center channel command to restore the default name of the channel whose number is channel-number. By default, the name of channel 0 to channel 9 is (in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent, channel6, channel7, channel8, channel9. Do not configure tw...
Page 1069
1-8 info-center enable syntax info-center enable undo info-center enable view system view parameters none description use the info-center enable command to enable the information center. Use the undo info-center enable command to disable the information center. The switch can output system informati...
Page 1070
1-9 description use the info-center logbuffer command to enable information output to the log buffer. Use the undo info-center logbuffer command to disable information output to the log buffer. By default, information output to the log buffer is enabled with channel 4 (logbuffer) as the default chan...
Page 1071
1-10 be sure to set the correct ip address in the info-center loghost command. A loopback ip address will cause an error message, prompting that the address is invalid. Related commands: info-center enable, display info-center. Examples # configure the system to output system information to the unix...
Page 1072
1-11 view system view parameters channel-number: channel number, ranging from 0 to 9, corresponding to the 10 channels of the system. Channel-name: channel name, by default, the name of channel 0 to channel 9 is (in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent, channel6, channel...
Page 1074
1-13 log and trap information is enabled, with severity being informational; the output of debugging information is disabled, with severity being debugging. For example, if you execute the command info-center source snmp channel 5, the command is actually equal to the command info-center source snmp...
Page 1075
1-14 # set the output channel for the log information of vlan module to snmpagent and to output information with severity being emergencies. Log information of other modules and all the other system information cannot be output to this channel. System-view [sysname] info-center source default channe...
Page 1078
1-17 parameters date: specifies to adopt the current system date and time, in the format of mmm dd hh:mm:ss:ms yyyy. No-year-date: specifies to adopt the current system date and time excluding the year, in the format of mmm dd hh:mm:ss:ms. None: specifies not to include time stamp in the output info...
Page 1079
1-18 # display the time stamp configuration of the information center. [sysname] display info-center information center: enabled log host: 192.168.0.10, channel number : 2, channel name : loghost language : english, host facility local : 7 console: channel number : 0, channel name : console monitor:...
Page 1080
1-19 channel-name: channel name. By default, the name of channel 0 to channel 9 is (in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent, channel6, channel7, channel8, channel9. Description use the info-center trapbuffer command to enable information output to the trap buffer. Use th...
Page 1081
1-20 description use the reset trapbuffer command to clear information recorded in the trap buffer. Examples # clear information recorded in the trap buffer. Reset trapbuffer terminal debugging syntax terminal debugging undo terminal debugging view user view parameters none description use the termi...
Page 1082
1-21 description use the terminal logging command to enable log terminal display. Use the undo terminal logging command to disable log terminal display. By default, log terminal display is enabled for console users and terminal users. Examples # disable log terminal display. Undo terminal logging te...
Page 1083
1-22 view user view parameters none description use the terminal trapping command to enable trap terminal display. Use the undo terminal trapping command to disable trap terminal display. By default, trap terminal display is enabled. Examples # enable trap terminal display. Terminal trapping.
Page 1084: Table of Contents
I table of contents 1 basic system configuration and debugging commands·····································································1-1 basic system configuration commands ································································································1-1 clock datetime······...
Page 1085
Ii schedule reboot delay ···················································································································3-18 schedule reboot regularity ·············································································································3-19 system-monitor...
Page 1086: Commands
1-1 1 basic system configuration and debugging commands z the configuration of real-time monitoring of the running status of the system is added. For the detailed configuration, refer to section system-monitor enable . Z the configuration of loading hot patch is added. For the detailed configuration...
Page 1089
1-4 description use the quit command to return from current view to a lower level view. The following lists the three levels of views available on a switch (from lower level to higher level): z user view z system view z vlan view, ethernet port view, and so on if the current view is user view, this ...
Page 1090
1-5 sysname syntax sysname sysname undo sysname view system view parameters sysname: system name of the ethernet switch. It is a string of 1 to 30 characters. By default, it is h3c. Description use the sysname command to set the system name of an ethernet switch. Use the undo sysname command to rest...
Page 1091
1-6 system status and information display commands display clock syntax display clock view any view parameters none description use the display clock command to display the current date, time, timezone and summertime of the system, so that you can adjust them if they are wrong. The maximum date and ...
Page 1092
1-7 interface-type: interface type. Interface-number: interface number. Module-name: functional module name. Fabric: specifies to display the enabled debugging of the switches in the fabric. By-module: specifies to display fabric debugging by module. Description use the display debugging command to ...
Page 1093
1-8 config register points to flash hardware version is rev.C cpld version is cpld 001 bootrom version is 510 [subslot 0] 48 fe hardware version is rev.C [subslot 1] 4 ge hardware version is rev.C system debugging commands debugging syntax debugging module-name [ debugging-option ] undo debugging { ...
Page 1094
1-9 display diagnostic-information syntax display diagnostic-information view any view parameters none description use the display diagnostic-information command to display or save the running statistics of the system function modules. If you choose to save the statistics, the system will save the s...
Page 1095
1-10 parameters none description use the terminal debugging command to enable terminal display for debugging information. Use the undo terminal debugging command to disable terminal display for debugging information. By default, terminal display for debugging information is disabled. Note that: z to...
Page 1096
2-1 2 network connectivity test commands network connectivity test commands ping syntax ping [ -a ip-address ] [-c count ] [ -d ] [ -f ] [ -h ttl ] [ -i interface-type interface-number ] [ ip ] [ -n ] [ - p pattern ] [ -q ] [ -s packetsize ] [ -t timeout ] [ -tos tos ] [ -v ] string view any view pa...
Page 1097
2-2 -t timeout: specifies the timeout time (in milliseconds) before an icmp echo-reply packet is received after an icmp echo-request packet is sent. The timeout argument ranges from 0 to 65535 ms and defaults to 2,000 ms. -tos tos: specifies the tos value of the icmp echo-request packets in the rang...
Page 1098
2-3 0% packet loss round-trip min/avg/max = 1/2/3 ms the above output information indicates that the destination host is reachable. Each probe packet from the source device has got a reply, with the minimum/average/maximum packet roundtrip time being 1ms/2ms/3ms. Tracert syntax tracert [ -a source-i...
Page 1099
2-4 the executing procedure of the tracert command is as follows: first, the source sends a packet with the ttl of 1, and the first hop device returns an icmp error message indicating that it cannot forward this packet because of ttl timeout. Then, the source resends a packet with the ttl of 2, and ...
Page 1101
3-2 device-name: file name, beginning with a device name in the form of unit[no.]>flash, used to indicates that the specified file is stored in the flash memory of a specified switch. Description use the boot bootrom command to update the boot rom. The updated boot rom is used at next startup. Examp...
Page 1102
3-3 display cpu syntax display cpu [ unit unit-id ] view any view parameters unit-id: unit id of a switch. Description use the display cpu command to display the cpu usage. Examples # display the cpu usage of this switch. Display cpu unit 1 board 0 cpu busy status: 12% in last 5 seconds 12% in last ...
Page 1103
3-4 you can use this command to display the following information about each board, including slot number, sub-slot number, the number of ports, versions of pcb, fpga, cpld and boot rom software, address learning mode, interface board type, and so on. Examples # display board information of this swi...
Page 1105
3-6 the times of reconnect: 0 the current state: normal table 3-5 description on the fields of the display memory limit command. Field description system memory safety safety threshold of the system memory, in mbytes. When the available memory is above the threshold, the system resumes the connectio...
Page 1106
3-7 table 3-6 description on the fields of the display patch-information command field description patch version patch version number program version patch baseline version number patch status patch state: idle, deactive, active, running display power syntax display power [ unit unit-id [ power-id ]...
Page 1107
3-8 related commands: schedule reboot at, schedule reboot delay. Examples # display the information about scheduled reboot. Display schedule reboot system will reboot at 16:00:00 2002/11/1 (in 2 hours and 5 minutes). Display transceiver alarm interface syntax display transceiver alarm interface [ in...
Page 1108
3-9 field remarks transceiver type and port configuration mismatch transceiver type does not match port configuration. Transceiver type not supported by port hardware transceiver type is not supported on the port. Xfp rx loss of signal rx signal is lost. Rx not ready rx is not ready rx cdr loss of l...
Page 1109
3-10 field remarks rx power high rx power is high. Rx power low rx power is low. Laser bias current fault laser bias current fault laser temperature fault laser temperature fault laser output power fault laser output power fault tx fault tx fault pma/pmd receiver local fault pma/pmd receiver local f...
Page 1110
3-11 table 3-8 description on the fields of display transceiver alarm interface field description transceiver current alarm information current alarm information of the transceiver tx fault tx fault display transceiver diagnosis interface syntax display transceiver diagnosis interface [ interface-ty...
Page 1111
3-12 field description tx power(dbm) digital diagnosis parameter-tx power, in dbm, with the precision to 0.01 dbm. Display transceiver interface syntax display transceiver interface [ interface-type interface-number ] view any view parameters interface-type interface-number: interface type and inter...
Page 1112
3-13 field description transfer distance(xx) transfer distance, with xx representing km for single-mode transceivers and m for other transceivers. If the transceiver supports multiple transfer medium, every two values of the transfer distance are separated by a comma. The corresponding transfer medi...
Page 1113
3-14 table 3-11 description on the fields of display transceiver manuinfo interface field description manu. Serial number serial number generated during debugging and testing manufacturing date debugging and testing date.. The date takes the value of the system clock of the computer that performs de...
Page 1114
3-15 description use the patch delete command to delete currently working patches. After this command is issued, the patches deleted and become idle. After you execute the command, all patches are deleted. To prevent system problems that have been solved by the patches from happening again, you need...
Page 1115
3-16 system view: return to user view with ctrl+z. [sysname] patch load s3600_1510_p001.Pat patch run syntax patch run view system view parameters none description use the patch run command to place active patches to the running state. This command is applicable to active patches only. After a syste...
Page 1116
3-17 before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed. This prevents the system from losing the configurations in case of shutting down the system without saving the configurations. Examples # directly restart this switch wit...
Page 1117
3-18 the switch timer can be set to a precision of one minute, that is, the switch will reboot within one minute after the specified reboot date and time. Note that: z after you execute the schedule reboot at command with a specified future date, the switch will reboot at the specified time with at ...
Page 1118
3-19 use the undo schedule reboot command to disable the delay reboot function. By default, the delay reboot function is disabled on the switch. Note that: z the switch timer is precise to one minute. When the reboot time reaches, the switch will reboot in one minute at most. Z you can set the reboo...
Page 1119
3-20 the switch timer can be set to a precision of one minute, that is, the switch will reboot within one minute after the specified reboot date and time. After you execute the command, the system will prompt you to confirm. Enter "y" or "y" for your setting to take effect. Your setting will overwri...
Page 1120
3-21 enabling of this function consumes some amounts of cpu resources. Therefore, if your network has a high cpu usage requirement, you can disable this function to save your cpu resources. Examples # disable real-time monitoring of the running status of the system. System-view system view: return t...
Page 1122: Table of Contents
I table of contents 1 vlan-vpn configuration commands ·····································································································1-1 vlan-vpn configuration commands ····································································································1-1 displ...
Page 1123
1-1 1 vlan-vpn configuration commands vlan-vpn configuration commands display port vlan-vpn syntax display port vlan-vpn view any view parameters none description use the display port vlan-vpn command to display the information about vlan-vpn configuration of the current system. Related commands: vl...
Page 1124
1-2 field description vlan-vpn tpid tpid value of the port, which can be configured through the vlan-vpn tpid command. Vlan-vpn enable syntax vlan-vpn enable undo vlan-vpn view ethernet port view parameters none description use the vlan-vpn enable command to enable the vlan-vpn feature for a port. U...
Page 1125
1-3 vlan-vpn inner-cos-trust syntax vlan-vpn inner-cos-trust enable undo vlan-vpn inner-cos-trust view ethernet port view parameters none description use the vlan-vpn inner-cos-trust enable command to enable the inner-to-outer tag priority replicating feature. With the feature enabled, a port replic...
Page 1126
1-4 outer-priority: priority for the outer vlan tag in a packet. This argument can be in the range 0 to 7 or a keyword listed table 1-2 . Table 1-2 description on 802.1p priority ip precedence (decimal) keyword 0 best-effort 1 background 2 spare 3 excellent-effort 4 controlled-load 5 video 6 voice 7...
Page 1127
1-5 vlan-vpn tpid syntax vlan-vpn tpid value undo vlan-vpn tpid view ethernet port view parameters value: user-defined tpid value (in hexadecimal format), in the range 0x0001 to 0xffff. Description use the vlan-vpn tpid command to set the tpid value for a port. With the tpid value set on a port, the...
Page 1128
1-6 system-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/2 [sysname-ethernet1/0/2] vlan-vpn tpid 9100
Page 1129
2-1 2 selective qinq configuration commands the selective qinq feature is new to h3c s3600 series ethernet switches. Selective qinq configuration commands mac-address-mapping syntax mac-address-mapping index source-vlan source-vlan-list destination-vlan dest-vlan-id undo mac-address-mapping { index ...
Page 1130
2-2 z replicate mac address entries in the mac address tables of the outer vlans configured in selective qinq to the mac address table of the default vlan of the downlink port. This is for forwarding uplink packets to the operator network. Z replicate mac address entries in the mac address table of ...
Page 1131
2-3 description use the raw-vlan-id inbound command to specify to encapsulate packets with the specified inner vlan tags with the specified outer tag. This command must be configured on ports connecting the user network. Use the undo raw-vlan-id inbound command to remove the configuration. By defaul...
Page 1132
2-4 before configuring this command on a port, make sure that the vlan-vpn enable command is configured on the port. If irf fabric is enabled on a device, the selective qinq policy cannot be configured on any port of the device. By default, no selective qinq policy is configured on a port. After spe...
Page 1133
3-1 3 bpdu tunnel configuration commands two features, the bpdu tunnel support for packets of multiple protocols and adjusting tunnel packet mac addresses, are newly added. For details, refer to bpdu-tunnel and bpdu-tunnel tunnel-dmac . Bpdu tunnel configuration commands bpdu-tunnel syntax bpdu-tunn...
Page 1134
3-2 description use the bpdu-tunnel command to enable bpdu tunnel on a port, so that packets of the specified protocol will be transparently transmitted through the bpdu tunnel on the port. Use the undo bpdu-tunnel command to disable bpdu tunnel on a port. By default, bpdu tunnel is disabled on a po...
Page 1135
3-3 description use the bpdu-tunnel tunnel-dmac command to configure the destination mac address for protocol packets transmitted along a bpdu tunnel. Use the undo bpdu-tunnel tunnel-dmac command to restore the default destination mac address. By default, the destination mac address for protocol pac...
Page 1136
3-4 tunnel packet's destination-mac-address: 010f-e2cd-0003 the above output information indicates that all the protocol packets transmitted along the bpdu tunnel(s) use 010f-e2cd-0003 as their destination mac addresses..
Page 1137: Table of Contents
I table of contents 1 hwping commands ··································································································································1-1 hwping client commands ·········································································································...
Page 1138: Hwping Commands
1-1 1 hwping commands z the configuration of eight test types, including dhcp, ftp, http, dns, snmp, jitter, tcp and udp tests is added. For the detailed configuration of these tests, refer to the introduction in this chapter. Z the configuration of the maximum number of history records that can be ...
Page 1139
1-2 [sysname-hwping-administrator-icmp] count 10 datasize syntax datasize size undo datasize view hwping test group view parameters size: size of a test packet in bytes. The value range varies with the test types. Table 1-1 value range of the hwping test packets test type value range (in bytes) defa...
Page 1140
1-3 description use the destination-ip command to configure a destination ip address of an hwping test. Use the undo destination-ip command to remove the configured destination ip address. By default, no destination ip address is configured for an hwping test. Related commands: destination-port. The...
Page 1141
1-4 z the destination-port command has effect on jitter, tcp-private, and udp-private tests only. Z it is not recommended to perform a tcp, udp, or jitter test on a well-known port (ports with a number ranging from 1 to 1023) or on a port with a port number greater than 50000. Otherwise, the hwping ...
Page 1142
1-5 destinationip address:10.2.2.2 send operation times: 10 receive response times: 10 min/max/average round trip time: 1/2/1 square-sum of round trip time: 13 last succeeded test time: 2004-11-25 16:28:55.0 extend result: sd maximal delay: 0 ds maximal delay: 0 packet lost in test: 0% disconnect op...
Page 1143
1-6 7 1 1 0 2004-11-25 16:28:55.0 8 1 1 0 2004-11-25 16:28:55.0 9 1 1 0 2004-11-25 16:28:55.9 10 1 1 0 2004-11-25 16:28:55.9 table 1-3 description on the fields of the display hwping history command field description response roundtrip time in the case of a successful test, timeout time in the case ...
Page 1144
1-7 dns resolve min time: 0 http test total time: 27 dns resolve max time: 0 http transmission successful times: 1 dns resolve failed times: 0 http transmission failed times: 0 dns resolve timeout times: 0 http transmission timeout times: 0 tcp connect time: 20 http operation min time: 7 tcp connect...
Page 1145
1-8 other operation errors: 0 jitter result: rtt number:100 min positive sd:1 min positive ds:1 max positive sd:6 max positive ds:8 positive sd number:38 positive ds number:25 positive sd sum:85 positive ds sum:42 positive sd average:2 positive ds average:1 positive sd square sum:267 positive ds squ...
Page 1146
1-9 field description negative ds number number of negative jitter delays from the destination to the source negative sd sum sum of absolute values of negative jitter delays from the source to the destination negative ds sum sum of absolute values of negative jitter delays from the destination to th...
Page 1147
1-10 field description dns resolve timeout times dns resolution timeout times dns resolve failed times number of failed dns resolutions the description on a specific field is available for the test results of all types of tests, so that not the description on the output information of all types of t...
Page 1148
1-11 dns resolve-target syntax dns resolve-target domain-name undo dns resolve-target view hwping test group view parameters domain-name: domain name to be resolved, in the range of 1 to 60 characters. Description use the dns resolve-target command to configure a domain name to be resolved. Use the ...
Page 1149
1-12 use the undo filename command to remove the configured file name. By default, no file name is configured for ftp tests. Related commands: username, password, ftp-operation. The filename command applies to ftp tests only. Examples # specify to transmit config.Txt between hwping client and ftp se...
Page 1150
1-13 z the frequency command does not apply to dhcp tests. Z the frequency command supports fabric only when the test type of this test group is icmp. With fabric enabled, you are allowed to configure the frequency command and use the display command to check your configuration, but unless the test ...
Page 1151
1-14 system view: return to user view with ctrl+z [sysname] hwping administrator ftp [sysname-hwping-administrator-ftp] test-type ftp [sysname-hwping-administrator-ftp] ftp-operation put history-records syntax history-records number undo history-records view hwping test group view parameters number:...
Page 1152
1-15 by default, the http operation mode is get. The http-operation command applies to http tests only. Examples # set the http operation mode to post in an http test. System-view system view: return to user view with ctrl+z [sysname] hwping administrator http [sysname-hwping-administrator-http] tes...
Page 1153
1-16 hwping syntax hwping administrator-name operation-tag undo hwping administrator-name operation-tag view system view parameters administrator-name: name of the administrator to create a hwping test group, a string of 1 to 32 characters. Operation-tag: operation tag, a string of 1 to 32 character...
Page 1154
1-17 related commands: hwping-server enable. Examples # enable hwping client. System-view system view: return to user view with ctrl+z [sysname] hwping-agent enable jitter-interval syntax jitter-interval interval undo jitter-interval view hwping test group view parameters interval: interval in milli...
Page 1155
1-18 view hwping test group view parameters number: number of packets to be transmitted in one probe for a jitter test, in the range of 10 to 100. Description use the jitter-packetnum command to configure the number of packets to be sent in one probe for a jitter test. Use the undo jitter-packetnum ...
Page 1156
1-19 related commands: username, ftp-operation. Z to perform an ftp test successfully, the configured password must be consistent with the ftp user password configured on the server. Z this command applies to ftp tests only. Examples # set the password for logging into the ftp server as hwping in an...
Page 1158
1-21 for icmp tests, use the undo source-interface command to remove the specified source interface, and its corresponding ip address is no longer used as the source ip address of icmp requests. For dhcp tests, use the undo source-interface command to remove the specified interface for dhcp probes. ...
Page 1159
1-22 by default, the ip address of the interface that sends test packets serves as the source ip address. Z for ftp tests, this command is required. This command does not apply to dhcp tests. For other tests, this command is optional. Z the specified source ip address by this command cannot be of an...
Page 1160
1-23 [sysname] hwping administrator http [sysname-hwping-administrator-http] test-type http [sysname-hwping-administrator-http] source-port 8000 test-type syntax test-type type view hwping test group view parameters type: test type. It can be any of the following keywords: z dhcp: indicates a dhcp t...
Page 1161
1-24 test-enable syntax test-enable undo test-enable view hwping test group view parameters none description use the test-enable command to enable a hwping test. Use the undo test-enable command to disable a hwping test. Related commands: display hwping. The result of the hwping test cannot be displ...
Page 1162
1-25 description use the test-failtimes command to configure the number of consecutive times a hwping test fails before the switch sends out a trap message. Use the undo test-failtimes command to restore the default. By default, the switch sends a trap about test failure each time when a test fails....
Page 1163
1-26 undo tos view hwping test group view parameters value: tos value in a hwping test packet header, in the range of 0 to 255. Description use the tos command to configure the tos value in a hwping test packet header. Use the undo tos command to remove the tos value in a hwping test packet header. ...
Page 1164
1-27 related commands: password, ftp-operation. Z to perform an ftp test successfully, the configured username must be consistent with the username configured on the ftp server. Z this command applies to ftp tests only. Examples # configure the username for logging into the ftp server in an ftp test...
Page 1165
1-28 by default, the hwping server function is disabled. Related commands: hwping-agent enable, hwping-server tcpconnect, hwping-server udpecho. Examples # enable a hwping server. System-view system view: return to user view with ctrl+z [sysname] hwping-server enable hwping-server tcpconnect syntax ...
Page 1166
1-29 view system view parameters ip-address: ip address from which a hwping server performs udp listening. Port-number: port from which a hwping server performs udp listening. The value ranges from 1 to 65535. In is not recommended to use a port with a number greater than 50000 or some special ports...
Page 1167: Table of Contents
I table of contents 1 ipv6 configuration commands ················································································································1-1 basic ipv6 configuration commands ····································································································...
Page 1168: Ipv6 Configuration Commands
1-1 1 ipv6 configuration commands basic ipv6 configuration commands display dns ipv6 dynamic-host syntax display dns ipv6 dynamic-host view any view parameters none description use the display dns ipv6 dynamic-host command to display ipv6 dynamic domain name information in the cache, including the d...
Page 1169
1-2 when you use the display dns ipv6 dynamic-host command to check the ipv6 dynamic domain names in the cache, the system will display the first 21 characters of the domain names if they contain more than 21 characters. This is because the domain name displayed in the domain-name field can be up to...
Page 1170
1-3 destination: 2001:: prefixlength : 64 nexthop : 2008::3610 flag : gsu timestamp : date- 5/7/2006, time- 14:35:32 interface : vlan-interface1 table 1-2 description on the fields of the display ipv6 fib command field description total number of routes total number of routes in the fib destination ...
Page 1171
1-4 table 1-3 description on the fields of the display ipv6 host command field description host host name age time for the entry to live, displayed as 0 in the case of static configuration. Flags flag indicating whether the entry is configured statically or acquired dynamically ipv6address (es) ipv6...
Page 1172
1-5 nd reachable time is 30000 milliseconds nd retransmit interval is 1000 milliseconds hosts use stateless autoconfig for addresses table 1-4 description on the fields of the display ipv6 interface command field description vlan-interface1 current state vlan interface link state: z administratively...
Page 1173
1-6 table 1-5 description on the fields of the display ipv6 interface brief command field description *down: administratively down the interface is down, that is, the interface is disabled by using the shutdown command. (s) : spoofing spoofing attribute of the interface, that is, the link protocol s...
Page 1174
1-7 z include: displays the neighbor entries matching the specified regular expression. The regular expression supports various special characters. For details, refer to the display current-configuration command in configuration file management command. Description use the display ipv6 neighbors com...
Page 1176
1-9 examples # display summary information about the routing table. Display ipv6 route-table routing table: destinations : 4 routes : 4 destination: ::1/128 protocol: direct nexthop : ::1 interface : inloopback0 destination: 2008::/64 protocol: direct nexthop : 2008::32 interface : vlan-interface1 d...
Page 1177
1-10 interface : inloopback0 state : active table 1-8 description on the fields of the display ipv6 route-table verbose command field description destinations number of reachable destination networks/hosts routes number of routing entries destination destination network/host ipv6 address. Prefixleng...
Page 1178
1-11 socket state = ss_priv ss_async sock_dgram: sock_raw: table 1-9 description on the fields of the display ipv6 socket command field description sock_stream socket type, which can be: z sock_stream: refers to tcp. Z sock_dgram: refers to udp. Z sock_raw: refers to raw ip. Task task name and id of...
Page 1179
1-12 ipv6 protocol: sent packets: total: 580 local sent out: 550 forwarded: 0 raw packets: 30 discarded: 0 routing failed: 0 fragments: 0 fragments failed: 0 received packets: total: 572 local host: 572 hopcount exceeded: 0 format error: 0 option error: 0 protocol error: 0 fragments: 0 reassembled: ...
Page 1180
1-13 table 1-10 description on the fields of the display ipv6 statistics command field description ipv6 protocol: statistics of ipv6 packets sent packets: total: 580 local sent out: 550 forwarded: 0 raw packets: 0 discarded: 0 routing failed: 0 fragments: 0 fragments failed: 0 statistics of sent ipv...
Page 1181
1-14 field description received packets: total: 126 checksum error: 0 too short: 0 bad code: 0 unreached: 10 too big: 0 hopcount exceeded: 0 reassembly timeout: 0 parameter problem: 0 unknown error type: 0 echoed: 17 echo replied: 30 neighbor solicit: 34 neighbor advert: 35 router solicit: 0 router ...
Page 1182
1-15 window probe packets: 0, window update packets: 0 checksum error: 0, offset error: 0, short error: 0 duplicate packets: 0 (0 bytes), partially duplicate packets: 0 (0 bytes) out-of-order packets: 3 (0 bytes) packets with data after window: 0 (0 bytes) packets after close: 0 ack packets: 239 (61...
Page 1183
1-16 field description sent packets: total: 331 urgent packets: 0 control packets: 5 (including 0 rst) window probe packets: 0, window update packets: 0 data packets: 306 (6135 bytes) data packets retransmitted: 0 (0 bytes) ack only packets: 20 (14 delayed) statistics of sent packets, including: z t...
Page 1184
1-17 examples # view the ipv6 tcp connection status. Display tcp ipv6 status tcp6cb local address foreign address state 83a9fba4 ::->23 ::->0 listening table 1-12 description on the fields of the display tcp ipv6 status command field description tcp6cb ipv6 address of the tcp control block (hexadeci...
Page 1185
1-18 table 1-13 description on the fields of the display udp ipv6 statistics command field description total total number of received/sent packets checksum error total number of packets with an invalid checksum shorter than header total number of ipv6 udp packets whose total length is less than that...
Page 1187
1-20 view vlan interface view parameters none description use the ipv6 address auto link-local command to automatically generate a link-local address for an interface. Use the undo ipv6 address auto link-local command to remove the automatically generated link-local address for an interface. By defa...
Page 1188
1-21 parameters ipv6-address/prefix-length: ipv6 address and ipv6 prefix. The ipv6-address and prefix-length arguments jointly specify the prefix of an ipv6 address in the eui-64 format. The prefix length of an eui-64 address cannot be greater than 64. Description use the ipv6 address eui-64 command...
Page 1189
1-22 [sysname-vlan-interface1] ipv6 address 3001::/64 eui-64 ipv6 address link-local syntax ipv6 address ipv6-address link-local undo ipv6 address ipv6-address link-local view vlan interface view parameters ipv6-address: ipv6 link-local address. The first ten bits of an address must be 1111111010 (b...
Page 1190
1-23 parameters hostname: host name, a string of up to 20 characters. The character string can contain letters, numerals, “_”, “-“, or “.” and must contain at least one letter. Ipv6-address: ipv6 address. Description use the ipv6 host command to configure the mapping between host name and ipv6 addre...
Page 1191
1-24 ipv6 nd dad attempts syntax ipv6 nd dad attempts value undo ipv6 nd dad attempts view vlan interface view parameters value: number of attempts to send a neighbor solicitation message for duplicate address detection, in the range of 0 to 600. The default value is “1”. When it is set to 0, the du...
Page 1192
1-25 by default, the hop limit of icmpv6 reply packets is 64. Examples # set the hop limit of icmpv6 reply packets to 100. System-view system view: return to user view with ctrl+z. [sysname] ipv6 nd hop-limit 100 ipv6 nd ns retrans-timer syntax ipv6 nd ns retrans-timer value undo ipv6 nd ns retrans-...
Page 1193
1-26 description use the ipv6 nd nud reachable-time command to configure the neighbor reachable time on an interface. Use the undo ipv6 nd nud reachable-time command to restore the default. By default, the neighbor reachable time on the local interface is 30,000 milliseconds. Related commands: displ...
Page 1194
1-27 device relates the vlan interface to the ipv6 address to uniquely identify a static neighbor entry which is in reach state. You only need to specify the corresponding vlan interface when removing a static neighbor entry related to that vlan interface. Related commands: display ipv6 neighbors. E...
Page 1195
1-28 view system view parameters ipv6-address prefix-length: destination ipv6 address and prefix length. Interface-type interface-number: type of egress interface and interface number. Nexthop-address: ipv6 address of the next hop. Description use the ipv6 route-static command to configure a static ...
Page 1197
1-30 examples # clear the statistics of ipv6 packets. Reset ipv6 statistics reset tcp ipv6 statistics syntax reset tcp ipv6 statistics view user view parameters none description use the reset tcp ipv6 statistics command to clear the statistics of all ipv6 tcp packets. You can use the display tcp ipv...
Page 1198
1-31 undo tcp ipv6 timer fin-timeout view system view parameters wait-time: length of the finwait timer of ipv6 tcp packets in seconds, in the range of 76 to 3,600. Description use the tcp ipv6 timer fin-timeout command to set the finwait timer of ipv6 tcp packets use the undo tcp ipv6 timer fin-tim...
Page 1199
1-32 view system view parameters size: size of ipv6 tcp receiving/sending buffer in kb (kilobyte), in the range of 1 to 32. Description use the tcp ipv6 window command to set the size of ipv6 tcp receiving/sending buffer. Use the undo tcp ipv6 window command to restore the size of ipv6 tcp receiving...
Page 1201
2-2 examples # test whether destination 2001::1 is accessible. Ping ipv6 2001::1 ping 2001::1 : 56 data bytes, press ctrl_c to break reply from 2001::1 bytes=56 sequence=1 hop limit=64 time = 20 ms reply from 2001::1 bytes=56 sequence=2 hop limit=64 time = 0 ms reply from 2001::1 bytes=56 sequence=3...
Page 1202
2-3 telnet ipv6 syntax telnet ipv6 remote-system [ -i interface-type interface-number ] [ port-number ] view user view parameters remote-system: ipv6 address or host name (a string a 1 to 46 characters) of the destination device. -i interface-type interface-number: specifies the type and number of a...
Page 1203
2-4 view user view parameters remote-system: ipv6 address or host name (a string a 1 to 46 characters) of the destination device. -i interface-type interface-number: specifies the type and number of an interface. This argument takes effect only when the address of the tftp server is a link-local add...
Page 1204
2-5 -w timeout: specifies the timeout in milliseconds of waiting icmpv6 echoes, ranging from 1 to 65,535, with the default of 5,000 milliseconds. Remote-system: ipv6 address or host name (a string a 1 to 46 characters) of the destination device. Description use the tracert ipv6 command to trace the ...
Page 1205: Table of Contents
I table of contents 1 dns configuration commands················································································································1-1 dns configuration commands··············································································································...
Page 1206: Dns Configuration Commands
1-1 1 dns configuration commands dns configuration commands display dns domain syntax display dns domain [ dynamic ] view any view parameters dynamic: displays dns suffixes dynamically assigned through dhcp or other protocols. Description use the display dns domain command to display the dns suffixe...
Page 1207
1-2 description use the display dns dynamic-host command to display the information in the dynamic domain name cache. Examples # display the information in the dynamic domain name cache. Display dns dynamic-host no domain-name ---> ipaddress ttl alias 1 lm.Test.H3c 172.1.223.1 3564 no domain-name 1 ...
Page 1208
1-3 d:dynamic s:static ipv4 dns servers : domain-server type ip address 1 s 192.168.0.4 ipv6 dns servers : table 1-3 description on the fields of the display dns server command field description type type of the dns server. S indicates the dns server is specified manually, while d indicates the dns ...
Page 1209
1-4 table 1-4 description on the fields of the display ip host command field description host host name age time to live. 0 means that a static entry is never outdated. You can only manually remove the mappings between host names and ip addresses. Flags indicates the type of mappings between host na...
Page 1210
1-5 examples # configure com as a dns suffix. System-view system view: return to user view with ctrl+z. [sysname] dns domain com dns resolve syntax dns resolve undo dns resolve view system view parameters none description use the dns resolve command to enable dynamic domain name resolution. Use the ...
Page 1211
1-6 you can configure a maximum of 6 dns servers, including those with ipv6 addresses. Related commands: display dns server. Examples # configure 172.16.1.1 for a dns server. System-view system view: return to user view with ctrl+z. [sysname] dns server 172.16.1.1 ip host syntax ip host hostname ip-...
Page 1212
1-7 parameters ptr ip-address: displays the corresponding domain name for an ip address. A domain-name: displays the corresponding ip address for a dns domain name. A domain name is a string of up to 30 characters. Automatic domain name addition is supported. Description use the nslookup type comman...
Page 1213: Table of Contents
I table of contents 1 smart link configuration commands·····································································································1-1 smart link configuration commands ·····································································································1-1 d...
Page 1214
1-1 1 smart link configuration commands smart link configuration commands display smart-link flush syntax display smart-link flush view any view parameters none description use the display smart-link flush command to view the information about how the smart link device processes flush messages. Exam...
Page 1215
1-2 field description control vlan id of last flush packet received control vlan id in the last legal flush message received a legal flush message refers to the message whose control vlan id is consistent with the receiving control vlan id configured on the receiving port. Display smart-link group s...
Page 1216
1-3 field description flush-count number of sent flush messages last-flush-time time when the last flush message is sent. If no flush message is sent, “na” will be displayed. Flush enable control-vlan syntax flush enable control-vlan vlan-id undo flush enable view smart link group view parameters vl...
Page 1217
1-4 slave: specifies the specified link aggregation group as the slave port of the smart link group. Description use the link-aggregation group command to assign a link aggregation group to the smart link group. Use the undo link-aggregation group command to remove the specified link aggregation gro...
Page 1218
1-5 because smart link and stp cannot be enabled on an ethernet port at the same time, you must make sure that stp is disabled on the port before assigning the port to a smart link group. Examples # configure ethernet 1/0/6 as the slave port of smart link group 1. System-view system view: return to ...
Page 1219
1-6 examples # configure ethernet 1/0/3 as the master port of smart link group 1. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet 1/0/3 [sysname-ethernet1/0/3] port smart-link group 1 master reset smart-link packets counter syntax reset smart-link packets count...
Page 1220
1-7 description use the smart-link flush enable control-vlan command to enable the current/specified port to process flush messages received on the specified control vlan. Use the undo smart-link flush enable command to disable the port from processing flush messages. Z the command executed in ether...
Page 1221
1-8 use the undo smart-link group command to remove the specified smart link group. After creating a smart link group, you must configure member ports for this smart link group. Related commands: port smart-link group, link-aggregation group, port. Make sure that the smart link group has no members ...
Page 1223
2-2 undo link-aggregation group group-id view monitor link group view parameters group-id: link aggregation group id, ranging from 1 to 416 (a link aggregation group can be a manual or static link aggregation group only). Uplink:specifies the specified link aggregation group as the uplink port of th...
Page 1224
2-3 parameters group-id: monitor link group id, ranging from 1 to 24. Description use the monitor-link group command to create a monitor link group and enter monitor link group view. If the monitor link group has been created, you enter the monitor link group view directly. Use the undo monitor-link...
Page 1225
2-4 in monitor link, a monitor link group member can be a single port, a static link aggregation group, but not a dynamic link aggregation group. The uplink port of a monitor link group can also be a smart link group. Do not use this command on member ports of a link aggregation group or a smart lin...
Page 1226
2-5 a port or a link aggregation group cannot serve as a member port for two smart link groups. On the other hand, a port or a link aggregation group cannot serve as a member for a smart link group and a monitor link group at the same time. However, a smart link group can serve as the uplink member ...
Page 1227: Table of Contents
I table of contents 1 access management configuration commands····················································································1-1 access management configuration commands ····················································································1-1 am enable············...
Page 1228
1-1 1 access management configuration commands access management configuration commands am enable syntax am enable undo am enable view system view parameters none description use the am enable command to enable the access management function. Use the undo am enable command to disable the function. B...
Page 1229
1-2 address-list: ip address list. You need to provide this argument in the format of start-ip-address [ ip-address-number ] & , where start-ip-address is the start ip address of an ip address range in the address pool, ip-address-number specifies the number of the successive ip addresses following ...
Page 1230
1-3 description use the am trap enable command to enable the access management trap function. Use the undo am trap enable command to disable the access management trap function. By default, the access management trap function is disabled. Examples # enable the access management trap. System-view sys...
Page 1231
1-4 table 1-1 description on the fields of the display am command field description status access management state of a port: enabled or disabled ip pools access management ip pools. Null means the access management ip pool is not configured. Each ip address range is represented as x.X.X.X (number),...
Page 1232: Appendix A Command Index
A-1 appendix a command index the command index includes all the commands in the command manual, which are arranged alphabetically. A b c d e f g h i j k l m n o p q r s t u v w x y z a abr-summary 16-routing protocol command 4-1 access-limit 19-aaa command 1-1 accounting 19-aaa command 1-2 accountin...
Page 1233
A-2 arp detection trust 23-arp command 1-2 arp protective-down recover enable 23-arp command 1-3 arp protective-down recover interval 23-arp command 1-4 arp proxy enable 23-arp command 2-1 arp rate-limit 23-arp command 1-4 arp rate-limit enable 23-arp command 1-5 arp restricted-forwarding enable 23-...
Page 1234
A-3 boot boot-loader 39-system maintenance and debugging command 3-1 boot boot-loader backup-attribute 36-file system management command 1-18 boot bootrom 39-system maintenance and debugging command 3-1 boot web-package 36-file system management command 1-19 bootfile-name 24-dhcp command 1-3 bpdu-dr...
Page 1235
A-4 clock datetime 39-system maintenance and debugging command 1-1 clock summer-time 39-system maintenance and debugging command 1-2 clock timezone 39-system maintenance and debugging command 1-3 close 37-ftp-sftp-tftp command 1-10 cluster 30-cluster command 1-18 cluster enable 30-cluster command 1-...
Page 1236
A-5 delete 36-file system management command 1-3 delete 37-ftp-sftp-tftp command 1-10 delete 37-ftp-sftp-tftp command 1-27 delete static-routes all 16-routing protocol command 2-1 delete-member 30-cluster command 1-21 description 04-vlan command 1-1 description 08-port basic configuration command 1-...
Page 1237
A-6 dhcp server netbios-type 24-dhcp command 1-16 dhcp server option 24-dhcp command 1-17 dhcp server ping 24-dhcp command 1-18 dhcp server relay information enable 24-dhcp command 1-19 dhcp server static-bind 24-dhcp command 1-19 dhcp server tftp-server domain-name 24-dhcp command 1-20 dhcp server ...
Page 1239
A-8 display device 39-system maintenance and debugging command 3-3 display dhcp client 24-dhcp command 5-1 display dhcp server conflict 24-dhcp command 1-23 display dhcp server expired 24-dhcp command 1-24 display dhcp server free-ip 24-dhcp command 1-25 display dhcp server ip-in-use 24-dhcp command...
Page 1240
A-9 display fib ip-address 05-ip address and performance command 2-2 display fib ip-prefix 05-ip address and performance command 2-5 display fib statistics 05-ip address and performance command 2-5 display ftm 29-irf fabric command 1-4 display ftp source-ip 37-ftp-sftp-tftp command 1-12 display ftp-...
Page 1241
A-10 display interface vlan-interface 04-vlan command 1-2 display ip host 43-dns command 1-3 display ip interface 05-ip address and performance command 1-1 display ip interface brief 05-ip address and performance command 1-2 display ip ip-prefix 16-routing protocol command 5-2 display ip routing-tab...
Page 1242
A-11 display link-aggregation summary 09-link aggregation command 1-2 display link-aggregation verbose 09-link aggregation command 1-3 display link-delay 08-port basic configuration command 1-11 display local-server statistics 19-aaa command 1-30 display local-user 19-aaa command 1-12 display logbuf...
Page 1243
A-12 display multicast-source-deny 17-multicast command 1-7 display ndp 30-cluster command 1-1 display ntdp 30-cluster command 1-5 display ntdp device-list 30-cluster command 1-6 display ntdp single-device mac-address 30-cluster command 1-43 display ntp-service sessions 34-ntp command 1-1 display nt...
Page 1244
A-13 display poe interface power 31-poe-poe profile command 1-3 display poe powersupply 31-poe-poe profile command 1-4 display poe temperature-protection 31-poe-poe profile command 1-5 display poe-profile 31-poe-poe profile command 2-2 display port 04-vlan command 1-9 display port vlan-vpn 40-vlan-v...
Page 1245
A-14 display rip interface 16-routing protocol command 3-3 display rip routing 16-routing protocol command 3-4 display rmon alarm 33-snmp-rmon command 2-1 display rmon event 33-snmp-rmon command 2-2 display rmon eventlog 33-snmp-rmon command 2-3 display rmon history 33-snmp-rmon command 2-4 display ...
Page 1246
A-15 display startup 03-configuration file management command 1-9 display stop-accounting-buffer 19-aaa command 1-34 display stop-accounting-buffer 19-aaa command 1-57 display storm-constrain 08-port basic configuration command 1-13 display stp 15-mstp command 1-3 display stp abnormalport 15-mstp co...
Page 1247
A-16 display transceiver interface 39-system maintenance and debugging command 3-12 display transceiver manuinfo interface 39-system maintenance and debugging command 3-13 display trapbuffer 38-information center command 1-5 display udp ipv6 statistics 42-ipv6 management command 1-17 display udp sta...
Page 1248
A-17 dldp unidirectional-shutdown 12-dldp command 1-5 dldp work-mode 12-dldp command 1-6 dns domain 43-dns command 1-4 dns resolve 43-dns command 1-5 dns resolve-target 41-hwping command 1-11 dns server 43-dns command 1-5 dns server ipv6 42-ipv6 management command 1-18 dns-list 24-dhcp command 1-30 ...
Page 1249
A-18 dot1x re-authenticate 18-802.1x and system guard command 1-15 dot1x retry 18-802.1x and system guard command 1-13 dot1x retry-version-max 18-802.1x and system guard command 1-14 dot1x supp-proxy-check 18-802.1x and system guard command 1-16 dot1x timer 18-802.1x and system guard command 1-17 do...
Page 1250
A-19 filename 41-hwping command 1-11 filter-policy export 16-routing protocol command 3-5 filter-policy export 16-routing protocol command 4-29 filter-policy import 16-routing protocol command 3-6 filter-policy import 16-routing protocol command 4-30 fixdisk 36-file system management command 1-8 flo...
Page 1251
A-20 garp timer 07-gvrp command 1-3 garp timer leaveall 07-gvrp command 1-4 gateway-list 24-dhcp command 1-32 get 37-ftp-sftp-tftp command 1-16 get 37-ftp-sftp-tftp command 1-30 giant-frame statistics enable 08-port basic configuration command 1-18 gratuitous-arp period-resending enable 23-arp comma...
Page 1253
A-22 igmp-snooping group-limit 17-multicast command 5-7 igmp-snooping group-policy 17-multicast command 5-8 igmp-snooping host-aging-time 17-multicast command 5-10 igmp-snooping max-response-time 17-multicast command 5-10 igmp-snooping nonflooding-enable 17-multicast command 5-11 igmp-snooping queri...
Page 1254
A-23 ip address 05-ip address and performance command 1-4 ip address bootp-alloc 24-dhcp command 5-4 ip address dhcp-alloc 24-dhcp command 5-2 ip check source ip-address 24-dhcp command 3-9 ip forward-broadcast 05-ip address and performance command 2-15 ip host 43-dns command 1-6 ip http acl 02-logi...
Page 1255
A-24 jitter-packetnum 41-hwping command 1-17 jumboframe enable 08-port basic configuration command 1-20 k key 19-aaa command 1-35 key 19-aaa command 1-59 l lacp enable 09-link aggregation command 1-5 lacp port-priority 09-link aggregation command 1-5 lacp system-priority 09-link aggregation command ...
Page 1256
A-25 loopback-detection interval-time 08-port basic configuration command 1-24 loopback-detection per-vlan enable 08-port basic configuration command 1-24 ls 37-ftp-sftp-tftp command 1-17 ls 37-ftp-sftp-tftp command 1-31 m mac-address 13-mac address table management command 1-4 mac-address aging des...
Page 1257
A-26 mac-authentication max-auth-num 21-mac address authentication command 1-11 mac-authentication timer 21-mac address authentication command 1-9 mac-authentication timer guest-vlan-reauth 21-mac address authentication command 1-12 management-vlan 30-cluster command 1-31 mdi 08-port basic configura...
Page 1258
A-27 multicast routing-enable 17-multicast command 1-12 multicast static-group interface 17-multicast command 5-17 multicast static-group vlan 17-multicast command 5-18 multicast static-router-port 17-multicast command 5-19 multicast static-router-port vlan 17-multicast command 5-20 multicast storin...
Page 1259
A-28 ntdp timer hop-delay 30-cluster command 1-11 ntdp timer port-delay 30-cluster command 1-12 ntp-service access 34-ntp command 1-5 ntp-service authentication enable 34-ntp command 1-6 ntp-service authentication-keyid 34-ntp command 1-7 ntp-service broadcast-client 34-ntp command 1-7 ntp-service b...
Page 1260
A-29 ospf trans-delay 16-routing protocol command 4-43 p packet-filter 25-acl command 1-7 packet-filter 26-qos-qos profile command 2-3 packet-filter vlan 25-acl command 1-8 parity 02-login command 1-16 passive 37-ftp-sftp-tftp command 1-19 password 19-aaa command 1-20 password 41-hwping command 1-18...
Page 1261
A-30 pim neighbor-policy 17-multicast command 3-11 pim sm 17-multicast command 3-12 pim timer hello 17-multicast command 3-13 ping 39-system maintenance and debugging command 2-1 ping ipv6 42-ipv6 management command 2-1 poe enable 31-poe-poe profile command 1-5 poe legacy enable 31-poe-poe profile c...
Page 1262
A-31 port-security authorization ignore 11-port security-port binding command 1-9 port-security enable 11-port security-port binding command 1-6 port-security intrusion-mode 11-port security-port binding command 1-7 port-security max-mac-count 11-port security-port binding command 1-10 port-security...
Page 1263
A-32 public-key local export dsa 35-ssh command 1-15 public-key local export rsa 35-ssh command 1-14 public-key peer 35-ssh command 1-17 public-key peer import sshkey 35-ssh command 1-17 public-key-code begin 35-ssh command 1-18 public-key-code end 35-ssh command 1-19 put 37-ftp-sftp-tftp command 1-...
Page 1264
A-33 region-name 15-mstp command 1-11 register-policy 17-multicast command 3-13 remotehelp 37-ftp-sftp-tftp command 1-22 remote-probe vlan enable 28-mirroring command 1-10 remove 37-ftp-sftp-tftp command 1-33 rename 36-file system management command 1-12 rename 37-ftp-sftp-tftp command 1-22 rename 3...
Page 1265
A-34 reset mac-authentication 21-mac address authentication command 1-9 reset msdp peer 17-multicast command 4-16 reset msdp sa-cache 17-multicast command 4-16 reset msdp statistics 17-multicast command 4-17 reset multicast forwarding-table 17-multicast command 1-14 reset multicast routing-table 17-...
Page 1266
A-35 resilient-arp enable 23-arp command 3-2 resilient-arp interface vlan-interface 23-arp command 3-2 restore startup-configuration 36-file system management command 1-23 retry 14-auto detect command 1-5 retry 19-aaa command 1-45 retry realtime-accounting 19-aaa command 1-45 retry stop-accounting 1...
Page 1267
A-36 rsa local-key-pair create 35-ssh command 1-20 rsa local-key-pair destroy 35-ssh command 1-21 rsa peer-public-key 35-ssh command 1-22 rsa peer-public-key import sshkey 35-ssh command 1-23 rule (for advanced acls) 25-acl command 1-11 rule (for basic acls) 25-acl command 1-9 rule (for layer 2 acls...
Page 1268
A-37 service-type multicast 17-multicast command 5-21 set authentication password 02-login command 1-20 set unit name 29-irf fabric command 1-14 sftp 37-ftp-sftp-tftp command 1-35 sftp server enable 37-ftp-sftp-tftp command 1-24 sftp source-interface 37-ftp-sftp-tftp command 1-36 sftp source-ip 37-f...
Page 1270
A-39 ssh2 source-ip 35-ssh command 1-35 ssh-server source-interface 35-ssh command 1-36 ssh-server source-ip 35-ssh command 1-37 standby detect-group 14-auto detect command 1-6 startup bootrom-access enable 36-file system management command 1-21 startup saved-configuration 03-configuration file mana...
Page 1271
A-40 stp interface 15-mstp command 1-20 stp interface compliance 15-mstp command 1-21 stp interface config-digest-snooping 15-mstp command 1-22 stp interface cost 15-mstp command 1-24 stp interface edged-port 15-mstp command 1-25 stp interface loop-protection 15-mstp command 1-26 stp interface mchec...
Page 1272
A-41 stp timer max-age 15-mstp command 1-48 stp timer-factor 15-mstp command 1-49 stp transmit-limit 15-mstp command 1-50 stub 16-routing protocol command 4-49 summary 16-routing protocol command 3-18 super 01-cli command 1-4 super authentication-mode 01-cli command 1-5 super password 01-cli command...
Page 1273
A-42 tcp timer syn-timeout 05-ip address and performance command 2-18 tcp window 05-ip address and performance command 2-18 telnet 02-login command 1-23 telnet ipv6 02-login command 1-24 telnet ipv6 42-ipv6 management command 2-3 telnet source-interface 02-login command 1-25 telnet source-ip 02-logi...
Page 1274
A-43 tftp-server domain-name 24-dhcp command 1-40 tftp-server ip-address 24-dhcp command 1-40 timeout 41-hwping command 1-25 timer 19-aaa command 1-51 timer 30-cluster command 1-36 timer loop 14-auto detect command 1-7 timer quiet 19-aaa command 1-52 timer quiet 19-aaa command 1-67 timer realtime-ac...
Page 1275
A-44 traffic-statistic 26-qos-qos profile command 1-30 u udp-helper enable 32-udp helper command 1-2 udp-helper port 32-udp helper command 1-3 udp-helper server 32-udp helper command 1-4 undelete 36-file system management command 1-15 unicast-suppression 08-port basic configuration command 1-33 unkn...
Page 1276
A-45 vlan-vpn tunnel 15-mstp command 1-51 vlan-vpn vid 40-vlan-vpn command 2-3 vlink-peer 16-routing protocol command 4-50 voice vlan 06-voice vlan command 1-4 voice vlan aging 06-voice vlan command 1-5 voice vlan enable 06-voice vlan command 1-6 voice vlan legacy 06-voice vlan command 1-6 voice vla...
Page 1277
A-46 webcache address 27-web cache redirection command 1-2 webcache redirect-vlan 27-web cache redirection command 1-4 wred 26-qos-qos profile command 1-31 x xmodem get 39-system maintenance and debugging command 3-22 y z.