H3C SOHO IE4300 Command Reference Manual Download Page 40

Page: 40 / 3296

[Sysname-role-role1] rule 1 permit command system-view ; *

# Permit the user role to access VPN instance

vpn1

[Sysname-role-role1] vpn policy deny

[Sysname-role-role1-vpnpolicy] permit vpn-instance vpn1

[Sysname-role-role1-vpnpolicy] quit

[Sysname-role-role1] quit

Verify that you cannot use user role

role1

to work on any VPN instances except for

vpn1

# Verify that you can enter the view of

vpn1

[Sysname] ip vpn-instance vpn1

[Sysname-vpn-instance-vpn1] quit

# Verify that you can specify the primary accounting server at 10.110.1.2 in VPN instance

vpn1

for RADIUS scheme

radius1

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 vpn-instance vpn1

[Sysname-radius-radius1] quit

# Verify that you cannot create VPN instance

vpn2

or enter VPN instance view.

[Sysname] ip vpn-instance vpn2

Permission denied.

Related commands

display role

role

vpn-instance policy deny

role

Use

role

to create a user role and enter its view, or enter the view of an existing user role.

Use

undo role

to delete a user role.

Syntax

role name

role-name

undo role name role-name

Default

The system has the following predefined user roles: network-admin, network-operator, level-

(where

represents an integer in the range of 0 to 15), and security-audit.

Views

System view

Predefined user roles

network-admin

Parameters

name role-name

: Specifies a username. The

role-name

argument is a case-sensitive string of

1 to 63 characters.

Usage guidelines

You can create a maximum of 64 user roles in addition to the predefined user roles.

Summary of Contents for SOHO IE4300

Page 1: ...H3C IE4300 IE4300 M IE4320 Industrial Switch Series Fundamentals Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 20230116...

Page 2: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 3: ...Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown Italic Italic text represents arguments that you replace with actual values Square bracket...

Page 4: ...to hardware or software IMPORTANT An alert that calls attention to essential information NOTE An alert that contains additional or supplementary information TIP An alert that provides helpful informat...

Page 5: ...IPS or ACG module Examples provided in this document Examples in this document might use devices that differ from your device in hardware model configuration or software version It is normal that the...

Page 6: ...ias 1 display by linenum begin exclude include 2 display 4 display 5 display alias 6 display history command 6 display history command all 7 display hotkey 8 hotkey 9 quit 11 repeat 11 return 13 scree...

Page 7: ...lay write save Views System view Predefined user roles network admin Parameters alias Specifies an alias a case sensitive string of 1 to 20 characters An alias cannot be alias or contain spaces comman...

Page 8: ...and verify the configuration Sysname system view Sysname alias shiprt display ip routing table Sysname shiprt Destinations 13 Routes 13 Destination Mask Proto Pre Cost NextHop Interface 0 0 0 0 32 Dir...

Page 9: ...ular expressions to filter the output and display a number before each output line For more information about regular expressions see Fundamentals Configuration Guide If you specify multiple filter co...

Page 10: ...splay available keywords and arguments enter display filename Specifies the name of the file that is used to save the output a string of 1 to 63 characters Usage guidelines The display commands show t...

Page 11: ...use display to save the output to a file If the specified file does not exist the system creates the file and saves the output to the file If the file already exists the system appends the output to...

Page 12: ...splay alias Index Alias Command key 1 access list acl 2 end return 3 erase delete 4 exit quit 5 hostname sysname 6 logging info center 7 no undo 8 shinc display 1 include 2 9 show display 10 sirt disp...

Page 13: ...and system view vlan 2 quit Related commands history command max size display history command all Use display history command all to display all commands that are saved in the command history buffer f...

Page 14: ...ory command display hotkey Use display hotkey to display hotkey information Syntax display hotkey Views Any view Predefined user roles network admin network operator Examples Display hotkey informatio...

Page 15: ...nction function none undo hotkey hotkey Default Table 3 shows the default definitions for hotkeys Table 3 Default definitions for hotkeys Hotkey Function or command Ctrl A move_the_cursor_to_the_begin...

Page 16: ...he word Esc F move_the_cursor_forward_one_word Moves the cursor forward one word Views System view Predefined user roles network admin Parameters hotkey Specifies a hotkey To display the supported hot...

Page 17: ...hotkey ctrl_a none Related commands display hotkey quit Use quit to return to the upper level view Syntax quit Views Any view Predefined user roles network admin network operator Usage guidelines Exe...

Page 18: ...er the view for the first command The repeat command executes commands in the order they were executed The system waits for your interaction when it repeats an interactive command Examples Configure t...

Page 19: ...r view from the Python shell execute the exit command in the Python shell Examples Return to user view from GigabitEthernet 1 0 1 interface view Sysname GigabitEthernet1 0 1 return Sysname screen leng...

Page 20: ...ogged out the default is restored Examples Disable pausing between screens of output for the current CLI session Sysname screen length disable Related commands screen length system view Use system vie...

Page 21: ...ature 13 interface policy deny 14 permit interface 15 permit vlan 16 permit vpn instance 18 role 19 role default role enable 20 role feature group 21 rule 22 super 26 super authentication mode 26 supe...

Page 22: ...default Syntax description text undo description Default A user role does not have a description Views User role view Predefined user roles network admin Parameters text Specifies a description a case...

Page 23: ...eny W feature ldap 3 permit command system radius sc 4 permit R xml element 5 permit RW oid 1 2 1 R Read W Write X Execute Display information about all user roles Sysname display role Role network ad...

Page 24: ...tem view local user sys 15 permit R web menu sys 16 permit R xml element sys 17 deny command display security logfile summary sys 18 deny command system view info center security logfile directory sys...

Page 25: ...AN policy permit default Interface policy permit default VPN instance policy permit default Role level 3 Description Predefined level 3 role VLAN policy permit default Interface policy permit default...

Page 26: ...ure device sys 3 deny RWX feature filesystem sys 4 permit command display sys 5 deny command display history command all R Read W Write X Execute Role level 10 Description Predefined level 10 role VLA...

Page 27: ...irectory sys 6 deny command security logfile save sys 7 permit RW oid 1 R Read W Write X Execute Role security audit Description Predefined security audit role only has access to commands for the secu...

Page 28: ...tguestaccount sys 7 permit RWX xml element useraccounts exportguesttemplet sys 8 permit RWX xml element rpc sys 9 deny command R Read W Write X Execute Table 1 Command output Field Description Role Us...

Page 29: ...y W Write X Execute Scope Rule control scope command Controls access to the command or commands as specified in the Entity field feature Controls access to the commands of the feature as specified in...

Page 30: ...feature Sysname display role feature verbose Feature device Device configuration related commands display clock R debugging dev W display debugging dev R display device R display diagnostic informati...

Page 31: ...rt with the display user group keywords in user view display debugging local server All commands that start with the display debugging local server keywords in user view debugging local server All com...

Page 32: ...ture stp STP related commands Feature lldp LLDP related commands Feature dldp DLDP related commands Feature cfm CFM related commands Feature eoam EOAM related commands Feature smart link Smart link re...

Page 33: ...st vlan W reset l2 multicast W debugging igmp snooping W display debugging igmp snooping R system view probe debugging system internal igmp snooping W Feature mld snooping MLD Snooping related command...

Page 34: ...o feature to remove a feature from a feature group Syntax feature feature name undo feature feature name Default A user defined feature group does not have any features Views Feature group view Predef...

Page 35: ...2 Use permit interface to specify accessible interfaces You can perform the following tasks on an accessible interface Create remove or configure the interface Enter interface view Specify the interf...

Page 36: ...ce must meet the following requirements Be the same type as the start interface Have a higher interface number than the start interface Usage guidelines To permit a user role to access an interface af...

Page 37: ...that you can enter GigabitEthernet 1 0 1 interface view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 quit Verify that you can assign GigabitEthernet 1 0 5 to VLAN 10 In this e...

Page 38: ...after the change By default all access ports belong to VLAN 1 To assign an access port to any other VLAN by using the port access vlan command make sure you have a user role that can access both VLAN...

Page 39: ...a VPN instance after you configure the vpn instance policy deny command you must add the VPN instance to the permitted VPN instance list of the policy With the user role you can perform the following...

Page 40: ...nstance vpn1 Sysname radius radius1 quit Verify that you cannot create VPN instance vpn2 or enter VPN instance view Sysname ip vpn instance vpn2 Permission denied Related commands display role role vp...

Page 41: ...o enable the default user role feature for remote AAA users Use undo role default role enable to restore the default Syntax role default role enable role name undo role default role enable Default The...

Page 42: ...nd L3 exist Views System view Predefined user roles network admin Parameters name feature group name Specifies a feature group name The feature group name argument is a case sensitive string of 1 to 3...

Page 43: ...function or program The ping command is an example of execute commands read Specifies the read commands Web menus XML elements or MIB nodes to display configuration or maintenance information The disp...

Page 44: ...role rules User role rules include predefined identified by sys n and user defined user role rules You can configure a maximum of 256 user defined rules for a user role The total number of user defin...

Page 45: ...em view before you enter interface view To specify all commands starting with the ip keyword in any interface view you must use the system interface ip command string For another example the system ra...

Page 46: ...ample rule 1 permit command display debugging log can never find a match This is because the system has a display debugging command but not a display debugging log command Examples Permit user role ro...

Page 47: ...ou must configure user role authentication If no local password is configured in the local password authentication local an AUX user can obtain the user role by either entering a string or not enterin...

Page 48: ...rver does not respond or if the AAA configuration on the device is invalid local scheme Enables local then remote authentication mode The device first performs local password authentication If no pass...

Page 49: ...do not specify a user role for the command Examples Specify network operator as the default target user role for temporary user role authorization Sysname system view Sysname super default role networ...

Page 50: ...igure local password authentication for temporary user role authorization It is a good practice to specify different passwords for different user roles When the global password control feature is enab...

Page 51: ...user role authorization from a remote authentication server will fail This command does not take effect on local password authentication for temporary user role authorization Examples Enable the devi...

Page 52: ...ect only on users who log in with the user role after the change Examples Enter user role VLAN policy view of role1 and deny the access of role1 to any VLANs Sysname system view Sysname role name role...

Page 53: ...llowing tasks on an accessible VPN instance Create remove or configure the VPN instance Enter VPN instance view Specify the VPN instance in feature commands Any change to a user role VPN instance poli...

Page 54: ...p http enable 24 ip http port 25 ip https acl 25 ip https certificate access control policy 26 ip https enable 27 ip https port 28 ip https ssl server policy 28 line 29 line class 30 lock 31 lock reau...

Page 55: ...ii user interface 51 user interface class 52 user role 54 web captcha 55 web https authorization mode 55 web idle timeout 56 webui log enable 57...

Page 56: ...inal session activation key Pressing this shortcut key starts a terminal session Use undo activation key to restore the default Syntax activation key key string undo activation key Default The termina...

Page 57: ...n key command Table 1 ASCII code values for combined keys that use the Ctrl key Combined key ASCII code value Ctrl A 1 Ctrl B 2 Ctrl C 3 Ctrl D 4 Ctrl E 5 Ctrl F 6 Ctrl G 7 Ctrl H 8 Ctrl I 9 Ctrl J 10...

Page 58: ...ssion 4 Press s A terminal session is started Sysname authentication mode Use authentication mode to set the authentication mode for a user line Use undo authentication mode to restore the default Syn...

Page 59: ...gs for the commands in VTY line class view take effect If the settings of the two commands in VTY line view are both non default settings the non default settings in VTY line view take effect If only...

Page 60: ...ice will automatically execute the specified command when a user logs in through the user line and close the user connection after the command is executed This command is not supported in AUX line vie...

Page 61: ...ctly logging in to the device at 192 168 1 41 through Telnet When you close the Telnet connection to 192 168 1 41 the Telnet connection to 192 168 1 40 is closed at the same time command accounting Us...

Page 62: ...thorization Default Command authorization is disabled Logged in users can execute commands without authorization Views User line view User line class view Predefined user roles network admin Usage gui...

Page 63: ...character 7 Uses seven data bits for a character 8 Uses eight data bits for a character Usage guidelines This command is not supported in VTY line class view This setting must be the same as the sett...

Page 64: ...ay ip https Use display ip https to display HTTPS service configuration and status information Syntax display ip https Views Any view Predefined user roles network admin network operator Examples Disp...

Page 65: ...nformation Syntax display line number1 aux usb vty number2 summary Views Any view Predefined user roles network admin network operator Parameters number1 Specifies the absolute number of a user line T...

Page 66: ...ays a hyphen Location Physical position of the line in the form of slot number CPU number Display summary information about all user lines Sysname display line summary Line type AUX 0 XXXX XXXX XX Lin...

Page 67: ...Views Any view Predefined user roles network admin network operator Parameters number1 Specifies the absolute number of a user line The value range is 0 to 83 aux Specifies the AUX line usb Specifies...

Page 68: ...nt Physical port for the line If there is no physical port for the line or the port is a console port this field displays a hyphen Location Physical position of the line in the form of slot number CPU...

Page 69: ...list network admin network operator Location 192 168 1 107 VTY 2 User role list level 0 network admin network operator Location 192 168 1 134 Current operation user F Current operation user works in...

Page 70: ...Web interface navigation tree If you do not specify this keyword the command displays information about the English Web interface navigation tree Usage guidelines This command displays all options on...

Page 71: ..._ipv6dns Mirroring ID m_mirror Port Mirroring ID m_portmirror Routing ID m_routing Routing Table ID m_routingtable Static Routing ID m_staticrouting RIP ID m_rip Policy Based Routing ID m_pbr Multicas...

Page 72: ...ard Access Control ID m_access 802 1X ID m_8021x MAC Authentication ID m_maca Port Security ID m_portsec Portal ID m_portal Authentication ID m_authentication ISP Domains ID m_ispdomain RADIUS ID m_ra...

Page 73: ...t key you must specify the ASCII code value of the character for this argument For information about ASCII code values of individual characters see the standard ASCII code chart For information about...

Page 74: ...acter a as the escape key for VTY line 0 Sysname system view Sysname line vty 0 Sysname line vty0 escape key a To verify the configuration 1 Ping IP address 192 168 1 80 specifying the c keyword to se...

Page 75: ...les Configure software flow control in the inbound and outbound directions for AUX line 0 Sysname system view Sysname line aux 0 Sysname line aux0 flow control software free line Use free line to rele...

Page 76: ...his command is an older version reserved for backward compatibility purposes It has the same functionality and output as the free line command As a best practice use the free line command Examples Rel...

Page 77: ...o store commands successfully executed by its user The buffer size determines how many history commands the buffer can store To display history commands in the buffer for your session press the up or...

Page 78: ...e class view A non default setting in either view takes precedence over a default setting in the other view A non default setting in user line view takes precedence over a non default setting in user...

Page 79: ...pplies only to non VPN packets Examples Use ACL 2001 to allow only users from 10 10 0 0 16 to access the device through HTTP Sysname system view Sysname acl basic 2001 Sysname acl ipv4 basic 2001 rule...

Page 80: ...o 65535 Usage guidelines This command is not supported in FIPS mode When the HTTP service is enabled changing the HTTP service port number re enables the HTTP service and closes all HTTP connections T...

Page 81: ...applies only to the packets of the VPN instance If no VPN instance is specified in an ACL rule the ACL rule applies only to non VPN packets If you execute this command multiple times the most recent c...

Page 82: ...tps enable Default The HTTPS service is disabled Views System view Predefined user roles network admin Usage guidelines To allow users to access the device through HTTPS you must enable the HTTPS serv...

Page 83: ...TPS and HTTP connections To log in again users must enter the new URL in the Web browser s address bar Examples Set the HTTPS service port number to 8080 Sysname system view Sysname ip https port 8080...

Page 84: ...ber2 Views System view Predefined user roles network admin Parameters first number1 Specifies the absolute number of the first user line The value range is 0 to 83 last number1 Specifies the absolute...

Page 85: ...o execute command authentication mode command accounting command authorization escape key history command max size idle timeout protocol inbound screen length set authentication password shell termina...

Page 86: ...ne 0 restore the default terminal session activation key Sysname line aux 0 Sysname line aux0 undo activation key Alternatively you can use the following command Sysname line aux0 activation key 13 To...

Page 87: ...hentication Use lock reauthentication to lock the current user line and enable unlocking authentication Syntax lock reauthentication Default The system does not lock any user lines or initiate reauthe...

Page 88: ...aracters see the standard ASCII code chart For information about ASCII code values of combined keys that use the Ctrl key see Table 1 Usage guidelines As a best practice specify a combined key as the...

Page 89: ...twork admin Parameters even Uses even parity mark Uses mark parity none Uses no parity odd Uses odd parity space Uses space parity Usage guidelines This command is not supported in VTY line view The c...

Page 90: ...with the authentication mode command If you specify a non default value for one of the two commands the other command uses the default setting regardless of the setting in VTY line class view If the...

Page 91: ...d in without authentication 2 Display online CLI user information Server display users Idx Line Idle Time Pid Type 50 VTY 0 00 00 00 Jan 17 15 29 27 189 TEL Following are more details VTY 0 User role...

Page 92: ...https enable undo restful https enable Default RESTful access over HTTPS is disabled Views System view Predefined user roles network admin Usage guidelines For users to access the device through the...

Page 93: ...eens of output is enabled This command is available in both user line view and user line class view A non default setting in either view takes precedence over a default setting in the other view A non...

Page 94: ...t the system in 3 minutes Send message Y N y The message should appear on the user s terminal screen as follows Sysname Message from vty0 to vty1 Your attention please I will reboot the system in 3 mi...

Page 95: ...It takes effect for subsequent login sessions Examples Set the password to hello12345 for local password authentication on VTY line 0 Sysname system view Sysname line vty 0 Sysname line vty0 authentic...

Page 96: ...sion rate is 9600 bps on a user line Views User line view Predefined user roles network admin Parameters speed value Specifies the transmission rate in bps Supported transmission rates depend on the n...

Page 97: ...If you specify this keyword two stop bits are used 2 Uses two stop bits Usage guidelines This command is not supported in VTY line view The configuration terminal and the device must use the same numb...

Page 98: ...e source IPv4 address for outgoing Telnet packets ip ip address Specifies the source IPv4 address for outgoing Telnet packets dscp dscp value Specifies a DSCP value for outgoing Telnet packets The val...

Page 99: ...Predefined user roles network admin Parameters remote host Specifies the IPv6 address or host name of a remote host A host name can be a case insensitive string of 1 to 253 characters Valid character...

Page 100: ...elnet server acl Default No ACL is used to filter Telnet logins Views System view Predefined user roles network admin Parameters mac Specifies a Layer 2 ACL To specify an ACL of a different type do no...

Page 101: ...d by the Telnet login control ACL Views System view Predefined user roles network admin Usage guidelines Only clients permitted by the Telnet login control ACL can Telnet to the device This logging fe...

Page 102: ...mples Set the DSCP value for IPv4 to use for outgoing Telnet packets to 30 on a Telnet server Sysname system view Sysname telnet server dscp 30 telnet server enable Use telnet server enable to enable...

Page 103: ...es not have rules all users can Telnet to the device To control Telnet logins specify an ACL that exists and has rules so only users permitted by the ACL can Telnet to the device If a VPN instance is...

Page 104: ...on a Telnet server Sysname system view Sysname telnet server ipv6 dscp 30 telnet server ipv6 port Use telnet server ipv6 port to specify the IPv6 Telnet service port number Use undo telnet server ipv...

Page 105: ...he value can be 23 or in the range of 1025 to 65535 Usage guidelines This command terminates all existing Telnet connections to the IPv4 Telnet server To use the Telnet service users must reestablish...

Page 106: ...ame line vty0 terminal type vt100 user interface Use user interface to enter one or multiple user line views Syntax user interface first number1 last number1 aux usb vty first number2 last number2 Vie...

Page 107: ...x user interface class aux usb vty Views System view Predefined user roles network admin Parameters aux Specifies the AUX line class view usb Specifies the USB line vty Specifies the VTY line class vi...

Page 108: ...Examples Set the CLI connection idle timeout timer to 15 minutes in VTY line class view Sysname system view Sysname user interface class vty Sysname line class vty idle timeout 15 In AUX line class v...

Page 109: ...user line class view If you do not specify this argument the undo user role command restores the default user role Usage guidelines This command is not supported in FIPS mode Only users assigned the n...

Page 110: ...xed verification code to improve test efficiency For Web access security purposes do not use this feature in production environments If you execute the web captcha command multiple times the most rece...

Page 111: ...nvalid for example expired the device closes the HTTPS connection Examples Set the HTTPS login authentication mode to auto Sysname system view Sysname web https authorization mode auto web idle timeou...

Page 112: ...for example system time change The device outputs log messages as indicated by information center settings Web operations that can trigger Web operation logging depend on the device model A Web opera...

Page 113: ...ssl server policy 7 ftp timeout 7 FTP client commands 8 8 append 9 ascii 10 binary 10 bye 11 cd 11 cdup 12 close 13 debug 13 delete 14 dir 14 disconnect 15 display ftp client source 16 ftp 16 ftp clie...

Page 114: ...ii tftp client ipv6 source 41 tftp client source 41 tftp ipv6 42 tftp server acl 44 tftp server ipv6 acl 44...

Page 115: ...p server Views Any view Predefined user roles network admin network operator Examples Display FTP server configuration and status information Sysname display ftp server FTP server is running User coun...

Page 116: ...cters Sysname display ftp user UserName HostIP Port HomeDir user2 2000 2000 2000 1499 flash user2 2000 2000 2000 2000 2000 administra 100 100 100 100 10001 flash 123456789 123456789 123456789 tor 1234...

Page 117: ...addresses of FTP connections execute the display ftp user command port port Specifies the source port of an FTP connection To view the source ports of FTP connections execute the display ftp user comm...

Page 118: ...ifies a basic IPv4 ACL number in the range of 2000 to 2999 ipv6 advanced acl number Specifies an advanced IPv6 ACL number in the range of 3000 to 3999 ipv6 basic acl number Specifies a basic IPv6 ACL...

Page 119: ...enerates log messages for FTP login attempts that are denied by the FTP login control ACL For information about log message output see the information center in Network Management and Monitoring Confi...

Page 120: ...er Use undo ftp server enable to disable the FTP server Syntax ftp server enable undo ftp server enable Default The FTP server is disabled Views System view Predefined user roles network admin Example...

Page 121: ...default Syntax ftp server ssl server policy policy name undo ftp server ssl server policy Default No SSL server policy is associated with the FTP server Views System view Predefined user roles networ...

Page 122: ...mands For FTP users to execute FTP client configuration commands you must configure authorization settings for users on the FTP server Authorized operations include viewing the files in the working di...

Page 123: ...rectory Related commands help append Use append to add the content of a file on the FTP client to a file on the FTP server Syntax append localfile remotefile Views FTP client view Predefined user role...

Page 124: ...is determined by the FTP client When the device acts as the FTP client you can set the transfer mode The transfer mode is binary by default Examples Set the file transfer mode to ASCII ftp ascii 200...

Page 125: ...shed between the device and the FTP server use this command to return to user view Syntax bye Views FTP client view Predefined user roles network admin Examples Terminate the connection to the FTP ser...

Page 126: ...older subdirectory of the FTP root directory ftp cd folder 250 OK Current directory is folder Change the working directory to the upper directory of the current directory ftp cd 250 OK Current directo...

Page 127: ...the connection to the FTP server without exiting the FTP client view ftp close 221 Goodbye You uploaded 0 and downloaded 0 kbytes 221 Logout ftp Related commands disconnect debug Use debug to enable o...

Page 128: ...delete a file from the FTP server make sure the file is no longer in use You can perform this operation only after you log in to the FTP server To perform this operation you must have delete permissi...

Page 129: ...0201 rwxr xr x 1 0 0 1481 Jul 7 15 36 a txt drwxr xr x 2 0 0 8192 Jul 2 14 33 diagfile drwxr xr x 3 0 0 8192 Jul 7 15 21 ftp drwxr xr x 2 0 0 8192 Jul 5 09 15 logfile drwxr xr x 2 0 0 8192 Jul 2 14 33...

Page 130: ...display the source address settings on the FTP client Syntax display ftp client source Views Any view Predefined user roles network admin network operator Examples Display the source address settings...

Page 131: ...s the source address To establish the FTP connection successfully make sure the interface is up and has the primary IPv4 address configured ip source ip address Specifies an IPv4 address To establish...

Page 132: ...Pv6 address as defined in RFC 3484 Views System view Predefined user roles network admin Parameters interface interface type interface number Specifies an interface by its type and number The device w...

Page 133: ...s primary IPv4 address as the source address For successful FTP packet transmission make sure the interface is up and has the primary IPv4 address configured ip source ip address Specifies an IPv4 add...

Page 134: ...option can be used only when the FTP server address is a link local address and the specified output interface has a link local address For information about link local addresses see Layer 3 IP Servic...

Page 135: ...word required for root Password Apr 10 09 03 25 575 2017 Sysname FTPC 7 COMMAND PASS XXXX 230 User logged in 215 UNIX Type L8 Remote system type is UNIX Using binary mode to transfer files ftp Apr 10...

Page 136: ...command ftp get a txt flash test b txt local flash test b txt remote a txt 150 Connecting to port 47457 226 File successfully transferred 1569 bytes received in 0 00527 seconds 290 6 kbyte s Download...

Page 137: ...ined user roles network admin Parameters directory Changes the local working directory of the FTP client to the specified local directory There must be a slash sign before the name of the storage medi...

Page 138: ...e ls command is the same as executing the dir command Examples Display detailed information about the files and subdirectories in the working directory on the FTP server ftp ls 150 Connecting to port...

Page 139: ...rent directory of the FTP server ftp mkdir newdir 257 newdir The directory was successfully created newer Use newer to update a local file by using a file on the FTP server Syntax newer remotefile loc...

Page 140: ...pecifies the TCP port number of the FTP server in the range of 0 to 65535 The default is 21 Usage guidelines After you issue this command the system will prompt you to enter the username and password...

Page 141: ...de to passive ftp passive Passive mode on ftp passive Passive mode off put Use put to upload a file from the FTP client to the FTP server Syntax put localfile remotefile Views FTP client view Predefin...

Page 142: ...evice Save the file as b txt on the FTP server ftp put slot2 flash test a txt b txt local slot2 flash test a txt remote b txt 150 Connecting to port 47461 226 File successfully transferred 1569 bytes...

Page 143: ...operator Parameters remotefile Specifies a file on the FTP server localfile Specifies a local file Usage guidelines You can perform this operation only after you log in to the FTP server If a file do...

Page 144: ...Method 1 ftp rename from name a txt to name b txt 350 RNFR accepted file exists ready for destination 250 File successfully renamed or moved Method 2 ftp rename a txt to name b txt 350 RNFR accepted...

Page 145: ...t for this command depends on the FTP server Examples Set retransmission offset to 2 bytes and retransmit the h c file The file has 82 bytes in total ftp restart 2 restarting at 2 execute get put or a...

Page 146: ...MD XRMD ABOR SIZE RNFR RNTO 214 UNIX Type L8 Table 3 Command output Field Description USER Username PASS Password NOOP Null operation SYST System parameters TYPE Request type CWD Changes the current w...

Page 147: ...on the FTP server Usage guidelines CAUTION Permanently delete a directory from the FTP server with caution When you permanently delete a directory from the FTP server make sure the directory is no lo...

Page 148: ...atus 211 FTP server status Connected to 192 168 20 177 Logged in as root TYPE ASCII No session bandwidth limit Session timeout in seconds is 300 Control connection is plain text Data connections will...

Page 149: ...FTP command rw r r The first bit specifies the file type Common B Block c Character d Directory l Symbol connection file p Pipe s socket The second bit through the tenth bit are divided into three gr...

Page 150: ...Prompting on Globbing off Displays debugging information Store unique off Receive unique off The name of the file on the FTP server is unique and the name of the local file is unique Case off CR strip...

Page 151: ...initiate an FTP authentication to change to a new account By changing to a new account you can get a different privilege without re establishing the FTP connection Make sure the specified username an...

Page 152: ...mation about FTP operations ftp verbose Verbose mode off Execute the get command ftp get a cfg 1 cfg Enable the device to display detailed information about FTP operations ftp verbose Verbose mode on...

Page 153: ...to memory before writing it to the destination folder The system starts to write the file to the destination folder only after the file is downloaded and saved to memory successfully If the destinati...

Page 154: ...s Download the new bin file from TFTP server 192 168 1 1 and save the file as new bin Sysname tftp 192 168 1 1 get new bin Press CTRL C to abort Total Received Xferd Average Speed Time Time Time Curre...

Page 155: ...source ipv6 address Specifies an IPv6 address For successful TFTP packet transmission make sure this address is the IPv6 address of an interface in up state on the device Usage guidelines If you exec...

Page 156: ...te on the device Usage guidelines If you execute this command multiple times the most recent configuration takes effect The source address specified with the tftp command takes precedence over the sou...

Page 157: ...sitive string of 1 to 255 characters If this argument is not specified the file uses the source file name vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the TFTP server belo...

Page 158: ...admin Parameters acl number Specifies the number of a basic ACL in the range of 2000 to 2999 Usage guidelines You can use an ACL to deny or permit the device s access to specific TFTP servers If a VP...

Page 159: ...or permit the device s access to specific TFTP servers If a VPN instance is specified in an ACL rule the ACL rule applies only to the packets of the VPN instance If no VPN instance is specified in an...

Page 160: ...2 delete 5 dir 6 execute 7 fdisk 7 file prompt 9 fixdisk 10 format 10 gunzip 11 gzip 12 md5sum 13 mkdir 13 more 14 mount 14 move 15 pwd 16 rename 16 reset recycle bin 16 rmdir 17 sha256sum 18 tar crea...

Page 161: ...file system wait for the ongoing operation to be completed and then use one of the following methods Use the absolute path to specify a file or directory For example use the dir flash command to disp...

Page 162: ...es the destination directory in FIPS mode To copy the source file to a remote file server specify a URL The device copies the source file to the destination location and saves the file with its origin...

Page 163: ...e the startup cfg file is saved in the authorized directory on the HTTP server at 1 1 1 1 The HTTP account username and password are a and 1 respectively To copy the file enter the URL http a 1 1 1 1...

Page 164: ...directory on TFTP server 1 1 1 1 Save the copy to the local current directory as testbackup cfg The TFTP server belongs to VPN instance vpn1 Sysname copy tftp 1 1 1 1 test cfg testbackup cfg vpn insta...

Page 165: ...he delete unreserved file command deletes a file permanently The file cannot be restored The delete file command without unreserved moves a file to the recycle bin A file moved to the recycle bin can...

Page 166: ...ice Usage guidelines If no option is specified the command displays all visible files and directories in the current directory The directory name of the recycle bin is trash To display files in the re...

Page 167: ...or directory name execute Use execute to execute a batch file Syntax execute filename Views System view Predefined user roles network admin Parameters filename Specifies the name of a batch file Usage...

Page 168: ...a storage medium you must format the partitions to create the file systems before you can access the file systems The actual partition size and the specified partition size might have a difference of...

Page 169: ...se all available space 127 Enter 127 to set the size of the second partition to 127 MB The remaining space is less than 32MB Please enter the size of partition 2 again Partition 2 32MB 96MB 128MB Pres...

Page 170: ...ion mode to alert Sysname system view Sysname file prompt alert fixdisk Use fixdisk to check a file system for damage and repair any damage Syntax fixdisk filesystem Views User view Predefined user ro...

Page 171: ...n delete security log files For more information about the security audit user role see RBAC in Fundamentals Configuration Guide Examples Format file system flash Sysname format flash All data on flas...

Page 172: ...ile Specifies the name of the file to be compressed Usage guidelines This command saves the compressed file to the file gz file and deletes the source file Examples Compress file system bin 1 Before c...

Page 173: ...name md5sum system bin MD5 digest 4f22b6190d151a167105df61c35f0917 mkdir Use mkdir to create a directory Syntax mkdir directory Views User view Predefined user roles network admin Parameters directory...

Page 174: ...dmin Parameters file Specifies the name of a file Examples Display the contents of the test txt file Sysname more test txt Have a nice day Display the contents of the testcfg cfg file Sysname more tes...

Page 175: ...es Mount a file system on the USB disk Sysname mount usba0 Related commands umount move Use move to move a file Syntax move source file dest file dest directory Views User view Predefined user roles n...

Page 176: ...file source directory Specifies the name of the source directory dest file Specifies the name of the destination file dest directory Specifies the name of the destination directory Usage guidelines Th...

Page 177: ...se The delete file command only moves a file to the recycle bin To permanently delete the file use the reset recycle bin command to delete the file from the recycle bin Examples Empty the recycle bin...

Page 178: ...the files in the recycle bin under this directory will be deleted permanently Continue Y N y Removing directory flash test subtest Done sha256sum Use sha256sum to use the SHA 256 algorithm to calcula...

Page 179: ...space separated list of up to five items Each item can be a file or directory name The specified files and directories must be in the current working directory Examples Archive the 1 cfg and 2 cfg fi...

Page 180: ...st close the current connection and log in to the device again If you do not specify the screen keyword or the to directory option the command saves the extracted files and directories to the working...

Page 181: ...reate tar extract umount Use umount to unmount a file system Syntax umount filesystem Views User view Predefined user roles network admin Parameters filesystem Specifies the name of a file system Usag...

Page 182: ...the directory the system prompts whether or not you want to overwrite the existing file If you enter Y the existing file is overwritten If you enter N the command is not executed Examples Restore the...

Page 183: ...startup configuration 8 configuration commit 9 configuration commit delay 10 configuration encrypt 11 configuration replace file 11 display archive configuration 12 display current configuration 14 d...

Page 184: ...on archives For local archiving use the archive configuration location command to specify a local configuration archive directory and a name prefix For remote archiving use the archive configuration s...

Page 185: ...automatic archive it resets the archiving interval timer Before enabling automatic configuration archiving you must use one of the following methods to specify a directory and a name prefix for the co...

Page 186: ...a file name prefix for configuration archives a case insensitive string of 1 to 30 characters Valid characters are letters digits underscores _ and hyphens Usage guidelines Before archiving the runni...

Page 187: ...tem view Sysname archive configuration location flash archive filename prefix my_archive Related commands archive configuration archive configuration interval archive configuration max display archive...

Page 188: ...commands archive configuration archive configuration location archive configuration interval display archive configuration archive configuration server Use archive configuration server to configure t...

Page 189: ...archive configuration interval command On the specified remote SCP server configuration archives are named in the format of filename prefix_YYYYMMDD_HHMMSS cfg for example archive_20170526_203430 cfg...

Page 190: ...imple Specifies a password in plaintext form For security purposes the password specified in plaintext form will be stored in encrypted form string Specifies the password Its plaintext form is a case...

Page 191: ...st filename vpn instance vpn instance name Views User view Predefined user roles network admin Parameters ipv4 server Specifies a TFTP server by its IPv4 address or host name The host name is a case i...

Page 192: ...in startup configuration file to 2001 2 Done Related commands restore startup configuration configuration commit Use configuration commit to commit the settings configured after the configuration comm...

Page 193: ...misconfiguration from causing the inability to access the device and is especially useful when you configure the device remotely When you use this feature follow these restrictions and guidelines In...

Page 194: ...evice to automatically encrypt a configuration file when saving the running configuration to the file Any devices running Comware 7 software can decrypt the encrypted configuration file To prevent an...

Page 195: ...lly compatible with the device If the replacement configuration file is encrypted make sure the device can decrypt it Examples Replace the running configuration with the configuration in the my_archiv...

Page 196: ...ndicates the most recent archive file Table 1 Command output Field Description Username Username for accessing the SCP server that saves the configuration archives Location Absolute path of the direct...

Page 197: ...e command displays the running configuration for all interfaces of this type all Displays all configuration information If you do not specify this keyword this command displays only non default config...

Page 198: ...isplay current configuration diff Views Any view Predefined user roles network admin network operator Usage guidelines This command searches for the next startup configuration in the following order 1...

Page 199: ...he linenumber2 argument represents the start line of the section The number2 argument represents the number of lines between the start line and the end line of the section cmd1 cmd2 cmd3 cmd4 Displays...

Page 200: ...s the target configuration file for comparison current configuration Specifies the running configuration In the display diff current configuration command this keyword specifies the source configurati...

Page 201: ...display diff current configuration startup configuration Current configuration Startup configuration 5 7 5 7 sysname Sysname alias dhc display history command alias dh display hotkey system working mo...

Page 202: ...file is available this command displays the contents of the backup file 3 If both the main and backup startup configuration files are not available this command does not display anything Examples Dis...

Page 203: ...able 3 Command output Field Description MainBoard Displays the startup configuration files on the master device Current startup saved configuration file Configuration file that the device has started...

Page 204: ...defined user roles network admin Parameters backup Specifies the backup next startup configuration file main Specifies the main next startup configuration file Usage guidelines CAUTION By default this...

Page 205: ...cters include letters digits hyphens underscores _ and dots src filename Specifies the name of the configuration file to be downloaded The file must be a cfg file The file name is a case insensitive s...

Page 206: ...elated commands backup startup configuration save Use save file url all slot slot number to save the running configuration to a configuration file without specifying the file as a next startup configu...

Page 207: ...s not exist the system creates the file before saving the configuration If the file already exists the system prompts you to confirm whether to overwrite the file If you choose to not overwrite the fi...

Page 208: ...ide next startup configuration file operations Syntax standby auto update config undo standby auto update config Default Next startup configuration file operations are automatically synchronized acros...

Page 209: ...up configuration files are specified Views User view Predefined user roles network admin Parameters cfgfile Specifies the path of a configuration file a string of up to 255 characters The file must be...

Page 210: ...d configuration command changes the file attribute of the main and backup next startup configuration files to NULL However the command does not delete the two configuration files You can also specify...

Page 211: ...ware upgrade commands 1 boot loader file 1 boot loader update 3 bootrom update 4 display boot loader 5 display install active 6 display install committed 8 install activate 9 install commit 10 install...

Page 212: ...system location section if any the value string can have a maximum of 63 characters For more information about specifying a file see Fundamentals Configuration Guide ipe filename Specifies an ipe ima...

Page 213: ...bin Done Decompressing file feature bin to flash feature bin Done Verifying the file flash boot bin on slot 1 Done Verifying the file flash system bin on slot 1 Done Verifying the file flash feature...

Page 214: ...t 2 The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 3 Decompression completed Do you want to delete flash all ipe now Y N n Rel...

Page 215: ...Y N y Updating Please wait Verifying the file flash boot bin on slot 1 Done Verifying the file flash system bin on slot 1 Done Copying main startup software images to slot 2 Please wait Done Setting c...

Page 216: ...tinue Y N y Now updating the Boot ROM please wait Done Related commands boot loader file display boot loader Use display boot loader to display current software images and startup software images Synt...

Page 217: ...ifies an IRF member device by its member ID If you do not specify an IRF member device this command displays information for all IRF member devices verbose Displays detailed information If you do not...

Page 218: ...kage Table 2 Command output Field Description Package Detailed information about the software image Service name Image type boot Boot image boot patch Boot image patch system System image system patch...

Page 219: ...image changes to take effect after a reboot you must execute the install commit command to update the main startup image list with the image changes You can use the display install committed command t...

Page 220: ...l activate Use install activate to activate feature or patch images Syntax install activate feature filename 1 30 slot slot number install activate patch filename all slot slot number Views User view...

Page 221: ...Sysname install activate system patch bin slot 1 Related commands display install active install commit install deactivate install commit Use install commit to commit software changes Syntax install...

Page 222: ...stored in the root directory of a file system on the device Excluding the file system location section if any the value string can have a maximum of 63 characters For more information about specifying...

Page 223: ...t status 24 display power 25 display scheduler job 26 display scheduler logfile 26 display scheduler reboot 27 display scheduler schedule 28 display system stable state 29 display transceiver alarm 30...

Page 224: ...50 scheduler reboot delay 51 scheduler schedule 52 shutdown interval 53 sysname 53 transceiver monitor enable 54 transceiver monitor interval 55 temperature limit 55 time at 56 time once 57 time repe...

Page 225: ...eyword loop Issues an alarm when a loop is detected on the device To monitor this type of alarm you must enable loop detection For more information about loop detection see Layer 2 LAN Switching Confi...

Page 226: ...Sysname alarm port slot 1 to 3 event cpu usage port out 1 Related commands alarm port in alarm port out alarm port in Use alarm port in to specify the alarm signal type used by the alarm input port t...

Page 227: ...igh level signal to indicate an alarm Views System view Predefined user roles network admin Parameters high Uses the high level signal to indicate an alarm low Uses the low level signal to indicate an...

Page 228: ...se period to restore the default Syntax alarm port slot slot number1 to slot number2 pulse period pulse period value undo alarm port slot slot number1 to slot number2 pulse period Default The pulse pe...

Page 229: ...or example scheduled tasks and collaborative operations of the device with other devices for example log reporting and statistics collection Before executing this command make sure you fully understan...

Page 230: ...he locally set system time or obtain the UTC time from a time source on the network and calculate the system time If you execute the clock protocol none command the device uses the locally set system...

Page 231: ...d If the seconds segment is 0 hh mm 00 you can omit it If both the minutes and seconds segments are 0 hh 00 00 you can omit both of the segments For example to specify 08 00 00 you can enter 8 end dat...

Page 232: ...an offset to the UTC time in the hh mm ss format The value range for hh is 0 to 23 The value range for mm is 0 to 59 The value range for ss is 0 to 59 The leading zero in a segment can be omitted If...

Page 233: ...pecify the ID of an existing command for another command the existing command is replaced Make sure all commands in a schedule are compliant to the command syntax The system does not examine the synta...

Page 234: ...enable Default Copyright statement display is enabled Views System view Predefined user roles network admin Examples Enable copyright statement display Sysname system view Sysname copyright info enabl...

Page 235: ...specified Sysname display clock 15 11 00 211 Z5 Fri 03 16 2015 Time Zone Z5 add 05 00 00 Summer Time PDT 06 00 00 08 01 06 00 00 09 01 01 00 00 Related commands clock datetime clock timezone clock sum...

Page 236: ...Slot 1 CPU 0 CPU usage 1 in last 5 seconds 1 in last 1 minute 1 in last 5 minutes Display the current CPU usage statistics in table form Sysname display cpu usage Slot CPU Last 5 sec Last 1 min Last...

Page 237: ...CPU usage alarm threshold Current minor alarm threshold is xxx Minor CPU usage alarm threshold Current recovery threshold is xxx CPU usage recovery threshold Related commands monitor cpu usage enable...

Page 238: ...mples in a coordinate system as follows The vertical axis represents the CPU usage If a statistic is not a multiple of the usage step it is rounded up or down to the closest multiple of the usage step...

Page 239: ...flash Displays flash memory information usb Displays USB interface information slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command disp...

Page 240: ...ot number Views Any view Predefined user roles network admin network operator Parameters slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this com...

Page 241: ...erating information for the Layer 3 features service Specifies operating information for Layer 4 and upper layer features key info Displays or saves only critical operating information The device migh...

Page 242: ...shes colons asterisks question marks less than signs greater than signs pipeline signs and quotation marks For example device name A B will change to A_B in the file name as in flash diag_A_B_20160101...

Page 243: ...ssage type Syslog Table 5 Command output Field Description IPv4 address IPv4 address of the poweroff alarm destination host IPv6 address IPv6 address of the poweroff alarm destination host VPN instanc...

Page 244: ...1 hotspot 3 33 0 100 110 NA 1 hotspot 4 33 0 100 110 NA 1 hotspot 5 38 0 100 110 NA 1 hotspot 6 36 0 100 110 NA 1 hotspot 7 35 0 100 110 NA 1 hotspot 8 42 0 100 110 NA Table 6 Command output Field De...

Page 245: ...id Specifies a fan tray by its ID If you do not specify a fan tray this command displays operating status information for all fan trays at the specified position Examples Display the operating states...

Page 246: ...1316 76332 41 0 Table 8 Command output Field Description Mem Memory usage information Total Total size of the physical memory space that can be allocated The memory space is virtually divided into two...

Page 247: ...guidelines For more information about memory usage notifications see log information containing MEM_EXCEED_THRESHOLD or MEM_BELOW_THRESHOLD Examples Display memory alarm thresholds and statistics Sysn...

Page 248: ...on the E552C X PS F switch Syntax display output power port status slot slot number Views Any view Predefined user roles network admin network operator Parameters slot slot number Specifies an IRF mem...

Page 249: ...rator Parameters slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command displays power supply information for all member devices power id S...

Page 250: ...fined user roles network admin network operator Parameters job name Specifies a job by its name a case sensitive string of 1 to 47 characters If you do not specify a job this command displays configur...

Page 251: ...1 0 3 Sysname if range shutdown Table 11 Command output Field Description Logfile Size Size of the log file in bytes Schedule name Schedule to which the job belongs Execution time Time when the job w...

Page 252: ...heduler schedule Schedule name shutdown Schedule type Run once after 0 hours 2 minutes Start time Tue Dec 27 10 44 42 2015 Last execution time Tue Dec 27 10 44 42 2015 Last completion time Tue Dec 27...

Page 253: ...m stable state Views Any view Predefined user roles network admin network operator Usage guidelines Before performing a switchover execute this command multiple times to identify whether the system is...

Page 254: ...vice kernel is being initialized Service starting Services are starting on the member device Service stopping Services are stopping on the member device HA Batch backup An HA batch backup is going on...

Page 255: ...e display transceiver alarm interface gigabitethernet 1 0 1 GigabitEthernet1 0 1 transceiver current alarm information RX loss of signal RX power low Table 15 Command output Field Description transcei...

Page 256: ...01 1 01 30 00 0 00 Table 16 Command output Field Description transceiver diagnostic information Digital diagnosis information for the transceiver module in the interface Temp C Temperature in C accura...

Page 257: ...nd number If no interface is specified this command displays electronic label information for all transceiver modules Examples Display electronic label information for the transceiver module in interf...

Page 258: ...vice management handshake failure SlaveSwitch reboot The reboot was caused by a master subordinate switchover IRF Merge reboot The reboot was caused by an IRF merge Auto Update reboot The reboot was c...

Page 259: ...snmp trap version v1 v2c securityname security string dying gasp host ip address ipv6 ipv6 address vpn instance vpn instance name syslog undo dying gasp host ip address ipv6 ipv6 address vpn instance...

Page 260: ...splay dying gasp host dying gasp source dying gasp source Use dying gasp source to specify the source interface for sending the poweroff alarm Use undo dying gasp source to restore the default Syntax...

Page 261: ...meters legal Configures the banner to be displayed before a user inputs the username and password to access the CLI login Configures the banner to be displayed before password or scheme authentication...

Page 262: ...ssign job save job to schedule saveconfig Sysname system view Sysname scheduler schedule saveconfig Sysname schedule saveconfig job save job Related commands scheduler job scheduler schedule memory th...

Page 263: ...ice this command sets free memory thresholds for the master device cpu cpu number Specifies a CPU by its number Usage guidelines To ensure correct operation and improve memory efficiency the system mo...

Page 264: ...shold in percentage The value range is 0 to 100 Usage guidelines The device samples memory usage at 1 minute intervals If the sample is greater than the memory usage threshold the device sends a trap...

Page 265: ...e monitoring Use undo monitor cpu usage interval to restore default settings Syntax monitor cpu usage interval interval slot slot number cpu cpu number undo monitor cpu usage interval slot slot number...

Page 266: ...ifies the severe CPU usage alarm threshold in percentage The value range for this argument is 2 to 100 minor threshold minor threshold Specifies the minor CPU usage alarm threshold in percentage The v...

Page 267: ...ange of 10 to 3600 slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command sets alarm resending intervals for the master device cpu cpu numb...

Page 268: ...s in the range of 1 to 48 severe interval severe interval Specifies the severe alarm resending interval in hours in the range of 1 to 48 slot slot number Specifies an IRF member device by its member I...

Page 269: ...t slot number port port number Default Power supply is enabled on a power supply port Views System view Predefined user roles network admin Parameters port port number Specifies a power supply port by...

Page 270: ...rce Views User view Predefined user roles network admin Parameters slot slot number Specifies an IRF member device by its member ID If you do not specify an IRF member device the command reboots all I...

Page 271: ...configuration file please wait DONE Current configuration will be lost after the reboot save current configuration Y N y Please input the file name cfg flash startup cfg To leave the existing filenam...

Page 272: ...tore factory default Views User view Predefined user roles network admin Usage guidelines CAUTION This command restores the device to the factory default settings Use this command with caution This co...

Page 273: ...string of 1 to 47 characters Usage guidelines A job can be referenced by multiple schedules In job view you can assign commands to the job Examples Create a job named backupconfig and enter job view S...

Page 274: ...o scheduler reboot Default No reboot date or time is specified Views User view Predefined user roles network admin Parameters time Specifies the reboot time in the hh mm format The value range for hh...

Page 275: ...Predefined user roles network admin Parameters time Specifies the reboot delay time in the hh mm or mm format This argument can contain up to six characters When in the hh mm format mm must be in the...

Page 276: ...mand or a set of commands without administrative interference To configure a schedule 1 Use the scheduler job command to create a job and enter job view 2 Use the command command to assign commands to...

Page 277: ...o the port status reflects the port s physical status If you change the timer setting during port detection the device compares the new setting T1 with the time that elapsed since the port was shut do...

Page 278: ...transceiver monitoring Use undo transceiver monitor enable to restore the default Syntax transceiver monitor enable undo transceiver monitor enable Default Transceiver monitoring is disabled Views Sy...

Page 279: ...tput power of transceiver modules If a sampled value reaches the alarm threshold the device generates a log entry to notify users This command takes effect only when the transceiver monitor enable com...

Page 280: ...question mark in the place of this argument alarmlimit Specifies the high temperature alarming threshold in Celsius degrees This threshold must be greater than the warning threshold To view the value...

Page 281: ...me at 1 1 2015 05 11 Related commands scheduler schedule time once Use time once to specify one or more execution days and the execution time for a non periodic schedule Use undo time to delete the ex...

Page 282: ...Sysname schedule saveconfig time once at 15 00 Schedule starts at 15 00 5 11 2011 Configure the device to execute schedule saveconfig once at 15 00 on the coming 15th day in a month Sysname system vi...

Page 283: ...ek day week day 1 7 Specifies a space separated list of up to seven week days for the schedule Valid week day values include Mon Tue Wed Thu Fri Sat and Sun Usage guidelines The time repeating at time...

Page 284: ...les network admin Parameters role name Specifies a user role name a case sensitive string of 1 to 63 characters The user role can be user defined or predefined Predefined user roles include network ad...

Page 285: ...i Contents Tcl commands 1 cli 1 tclquit 1 tclsh 2...

Page 286: ...and that conflicts with a Tcl command in Tcl configuration view 1 Execute a Comware command in Tcl configuration view The output shows that the Comware command cannot be executed because it conflicts...

Page 287: ...w Sysname tcl tclquit Sysname Related commands tclsh tclsh Use tclsh to enter Tcl configuration view from user view Syntax tclsh Views User view Predefined user roles network admin Usage guidelines In...

Page 288: ...i Contents Python commands 1 exit 1 python 1 python filename 2...

Page 289: ...les Exit the Python shell Python 2 7 3 default GCC 4 4 1 on linux2 Type help copyright credits or license for more information exit Sysname python Use python to enter the Python shell Syntax python Vi...

Page 290: ...ion py is case insensitive param Specifies the parameters to be passed to the script To enter multiple parameters use spaces as the delimiter Usage guidelines You cannot perform any operations while y...

Page 291: ...i Contents Automatic configuration commands 1 autodeploy udisk enable 1...

Page 292: ...onfiguration Syntax autodeploy udisk enable undo autodeploy udisk enable Default USB based automatic configuration is enabled Views System view Predefined user roles network admin Usage guidelines Thi...

Page 293: ...H3C IE4300 IE4300 M IE4320 Industrial Switch Series Virtual Technologies Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 20230116...

Page 294: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 295: ...Italic Italic text represents arguments that you replace with actual values Square brackets enclose syntax choices keywords or arguments that are optional x y Braces enclose a set of required syntax...

Page 296: ...Network topology icons Convention Description Represents a generic network device such as a router switch or firewall Represents a routing capable device such as a router or Layer 3 switch Represents...

Page 297: ...ardware model configuration or software version It is normal that the port numbers sample output screenshots and other information in the examples differ from what you have on your device Documentatio...

Page 298: ...update enable 10 irf domain 10 irf link delay 11 irf mac address persistent 12 irf member description 13 irf member priority 13 irf member renumber 14 irf port 15 irf port configuration active 16 mad...

Page 299: ...the master indicates the device through which the user logs in The Bridge MAC of the IRF is 00e0 fc00 1000 Auto upgrade yes Mac persistent always Domain ID 30 Table 1 Command output Field Description...

Page 300: ...s no Bridge MAC address of the current master replaces the original bridge MAC address as soon as the owner of the original address leaves Domain ID Domain ID of the IRF fabric The domain ID you assig...

Page 301: ...IRF port Related commands display irf display irf topology display irf link Use display irf link to display IRF link information Syntax display irf link Views Any view Predefined user roles network ad...

Page 302: ...ogy to display IRF fabric topology information Syntax display irf topology Views Any view Predefined user roles network admin network operator Examples Display the IRF fabric topology Sysname display...

Page 303: ...IRF port This field displays three hyphens if no device is connected to the port Belong To IRF fabric that has the device represented by the CPU MAC address of the master in the IRF fabric Related co...

Page 304: ...192 168 1 2 24 1 Normal Table 5 Command output Field Description MAD ARP disabled Status of ARP MAD This field displays MAD ARP enabled if ARP MAD is enabled MAD ND disabled Status of ND MAD This fiel...

Page 305: ...operating correctly Faulty LACP MAD is not operating correctly Verify the following items Verify that the ports on LACP MAD links are up Verify that the intermediate device supports extended LACPDUs V...

Page 306: ...erface can be bound to only one IRF port The interface list2 argument represents a space separated list of up to eight interface items Each interface item specifies one interface in the interface type...

Page 307: ...succeeded The device will reboot for the new member ID to take effect Continue Y N y Bulk configure basic IRF settings by using the interactive method Change the member ID from 2 to 3 set the domain I...

Page 308: ...ommand automatically propagates the current software images of the master device in the IRF fabric to any devices you are adding to the IRF fabric To ensure a successful software update verify that th...

Page 309: ...the two IRF fabrics different domain IDs for correct split detection False detection causes IRF split An IRF fabric has only one IRF domain ID You can change the IRF domain ID by using the following c...

Page 310: ...the IRF fabric within the time limit the IRF bridge MAC address does not change If the owner does not rejoin the IRF fabric within the time limit the IRF fabric uses the bridge MAC address of the cur...

Page 311: ...description to restore the default Syntax irf member member id description text undo irf member member id description Default No description is configured for an IRF member device Views System view Pr...

Page 312: ...irf member member id renumber Default The IRF member ID is 1 Views System view Predefined user roles network admin Parameters member id Specifies the ID of an IRF member The value range for IRF member...

Page 313: ...he irf member 1 renumber 2 command the device member ID changes to 2 at system reboot Using undo irf member 1 renumber cannot restore the member ID to 1 You must use the irf member 2 renumber 1 comman...

Page 314: ...en gigabitethernet 1 0 51 Sysname Ten GigabitEthernet1 0 51 shutdown Sysname Ten GigabitEthernet1 0 51 quit Sysname irf port 1 2 Sysname irf port1 2 port group interface ten gigabitethernet 1 0 51 You...

Page 315: ...for any other purposes ARP MAD and feature configuration If an intermediate device is used make sure the following requirements are met Run the spanning tree feature between the IRF fabric and the int...

Page 316: ...ow these guidelines Category Restrictions and guidelines BFD MAD VLAN Do not enable BFD MAD on VLAN interface 1 If you are using an intermediate device perform the following tasks On the IRF fabric an...

Page 317: ...terface3 mad bfd enable mad enable Use mad enable to enable LACP MAD Use undo mad enable to disable LACP MAD Syntax mad enable undo mad enable Default LACP MAD is disabled Views Aggregate interface vi...

Page 318: ...collision Syntax mad exclude interface interface type interface number undo mad exclude interface interface type interface number Default Except for the network interfaces automatically excluded by th...

Page 319: ...subnet mask in decimal dotted notation mask length Specifies a subnet mask in length in the range of 0 to 32 member member id Specifies the ID of an IRF member Usage guidelines To use BFD MAD configur...

Page 320: ...not configure ND MAD together with LACP MAD or BFD MAD because they handle collisions differently When you configure ND MAD on a VLAN interface follow these restrictions and guidelines Category Restr...

Page 321: ...change the IRF domain ID by using the following commands irf domain mad enable mad arp enable or mad nd enable The IRF domain IDs configured by using these commands overwrite each other Examples Enabl...

Page 322: ...ter you remove the binding Execute this command multiple times to bind multiple physical interfaces to an IRF port You can bind a maximum of eight physical interfaces to an IRF port However you might...

Page 323: ...25 Sysname Ten GigabitEthernet1 0 51 undo shutdown Related commands irf port...

Page 324: ...H3C IE4300 IE4300 M IE4320 Industrial Switch Series Layer 2 LAN Switching Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 20230116...

Page 325: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 326: ...aces enclose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choices separated by vertical bars from which yo...

Page 327: ...s a Layer 2 or Layer 3 switch or a router that supports Layer 2 forwarding and other Layer 2 features Represents an access controller a unified wired WLAN module or the access controller engine on a u...

Page 328: ...Documentation feedback You can e mail your comments about product documentation to info h3c com We appreciate your comments...

Page 329: ...jumboframe enable 29 link delay 30 link flap protect enable 31 loopback 32 multicast suppression 32 port auto power down 33 port ifmonitor crc error 34 port ifmonitor input error 35 port ifmonitor ou...

Page 330: ...ge guidelines The expected bandwidth is an informational parameter used only by higher layer protocols for calculation You cannot adjust the actual bandwidth of an interface by using this command Exam...

Page 331: ...n a port The broadcast suppression command uses the chip to physically suppress broadcast traffic It has less influence on the device performance than the storm constrain command which uses software t...

Page 332: ...ly disabled You can select to activate the copper combo port or fiber combo port This command is available only on devices that support combo interfaces If you execute the combo enable auto command on...

Page 333: ...nes When configuring the dampening command follow these rules to set the values mentioned above The ceiling is equal to 2 Max suppress time Decay reuse limits It is not user configurable The configure...

Page 334: ...his command when you use it in a live network This command might fail to restore the default settings for some commands because of command dependencies or system restrictions You can use the display t...

Page 335: ...mber Views Any view Predefined user roles network admin network operator Parameters inbound Displays inbound traffic statistics outbound Displays outbound traffic statistics interface type Specifies a...

Page 336: ...the following conditions exist The data length of an Err field value is greater than 7 decimal digits The data length of a non Err field value is greater than 14 decimal digits Not supported The stati...

Page 337: ...pported Table 2 Command output Field Description Interface Abbreviated interface name Usage Bandwidth usage in percentage of the interface for the last statistics polling interval Total pps Average re...

Page 338: ...0 ErrEncap 0 ErrTagVLAN 0 IfShut 0 IfErr 0 Table 3 Output description Field Description ETH receive packet statistics Statistics about the Ethernet packets received by the Ethernet module Totalnum Tot...

Page 339: ...ut of Layer 3 Ethernet interfaces This field is not supported in the current software version VLANOutNum Number of packets sent out of VLAN interfaces FastOutNum Number of packets fast forwarded L2Out...

Page 340: ...n interface type this command displays information about all interfaces If you specify an interface type but do not specify an interface number this command displays information about all interfaces o...

Page 341: ...deferred 0 collisions 0 late collisions 0 lost carrier 0 no carrier Table 4 Command output Field Description Current state Physical link state of the interface Administratively DOWN The interface has...

Page 342: ...n the interface This field depends on your configuration Loopback is set external An external loopback test is running on the interface This field depends on your configuration Loopback is not set No...

Page 343: ...reshold in ratio pps or kbps The unit of the threshold depends on your configuration PVID Port VLAN ID PVID of the interface MDI type MDIX mode of the interface automdix mdi mdix Port link type Link t...

Page 344: ...erface All inbound normal packets abnormal packets and normal pause frames were counted The four fields on the second line represent Number of inbound unicast packets Number of inbound broadcasts Numb...

Page 345: ...ntrol frames Length error frames Frames whose 802 3 length fields did not match the actual frame length 46 to 1500 bytes ignored Number of inbound frames dropped because the receiving buffer of the po...

Page 346: ...ct the carrier when attempting to send frames This counter increases by one when a port failed to detect the carrier and applies to serial WAN interfaces Peak input rate Peak rate of inbound traffic i...

Page 347: ...been shut down by using the shutdown command To restore the physical state of the interface use the undo shutdown command Stby The interface is a backup interface in standby state Protocol Data link...

Page 348: ...down The loopback detection module has detected loops DOWN Monitor Link uplink down The monitor link module has detected that the uplink is down MAD ShutDown The interface is on an IRF fabric placed b...

Page 349: ...ame Link Physical link state of the interface UP The interface is physically up DOWN The interface is physically down ADM The interface has been shut down by using the shutdown command To restore the...

Page 350: ...Parameters interface type Specifies an interface type If you do not specify an interface type the command displays information about link flapping protection on all interfaces interface number Specif...

Page 351: ...lt Syntax duplex auto full half undo duplex Default An Ethernet interface operates in autonegotiation mode Views Ethernet interface view Predefined user roles network admin Parameters auto Configures...

Page 352: ...When a packet arrives later the interface restores to the normal state Examples Enable EEE on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet...

Page 353: ...interface view Predefined user roles network admin Usage guidelines With Rx mode flow control enabled an interface can receive but cannot send flow control frames When the interface receives a flow c...

Page 354: ...terface view takes priority As a best practice use the default setting when you set the statistics polling interval in system view A short statistics polling interval might decrease the system perform...

Page 355: ...exceeding alarm and enters the alarm state When the number of incoming CRC error packets on an interface in the alarm state within the specified interval drops below the lower threshold the interface...

Page 356: ...he number of input error packets on an interface in normal state within the specified interval exceeds the upper threshold the interface generates an upper threshold exceeding alarm and enters the ala...

Page 357: ...hreshold on the interface slot slot number Specifies an IRF member device by its member ID Usage guidelines With the output error packet alarm function enabled when the number of output error packets...

Page 358: ...pass through Use undo jumboframe enable to prevent jumbo frames from passing through Use undo jumboframe enable size to restore the default Syntax jumboframe enable size undo jumboframe enable size De...

Page 359: ...uppressed If you do not specify the msec keyword the value range is 0 to 30 seconds If you specify the msec keyword the value range is 0 to 10000 milliseconds and the value must be a multiple of 100 U...

Page 360: ...tect enable undo link flap protect enable Default Link flapping protection is disabled globally Views System view Predefined user roles network admin Usage guidelines Link flapping on any interface ch...

Page 361: ...faces manually brought down displayed as in ADM or Administratively DOWN state The speed duplex and shutdown commands cannot be configured on an Ethernet interface in a loopback test The shutdown port...

Page 362: ...uses the chip to physically suppress multicast traffic It has less influence on the device performance than the storm constrain command which uses software to suppress multicast traffic For the traff...

Page 363: ...he power save mode The time period depends on the chip specifications and is not configurable When the interface comes up both of the following events occur The device automatically restores the power...

Page 364: ...n normal state within the specified interval exceeds the upper threshold the interface generates an upper threshold exceeding alarm and enters the alarm state When the number of incoming CRC error pac...

Page 365: ...ror packet alarm function enabled when the number of input error packets on an interface in normal state within the specified interval exceeds the upper threshold the interface generates an upper thre...

Page 366: ...s generated and the interface enters the alarm state when the number of output error packets exceeds the upper threshold on the interface Usage guidelines With the output error packet alarm function e...

Page 367: ...ct only when it is enabled in both system view and interface view If you do not specify the interval interval or threshold threshold option when you execute the port link flap protect enable command t...

Page 368: ...the port to forward packets unidirectionally over a single link In this way transmission links are well utilized Copper ports and combo interfaces do not support this command The shutdown port up mode...

Page 369: ...et counters interface gigabitethernet 1 0 1 Related commands display counters interface display counters rate interface display interface reset ethernet statistics Use reset ethernet statistics to cle...

Page 370: ...nd loopback commands are mutually exclusive Examples Shut down and then bring up GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 shutdown...

Page 371: ...face speed to 100 Mbps 1000 Sets the interface speed to 1000 Mbps 2000 Sets the interface speed to 2000 Mbps 2500 Sets the interface speed to 2500 Mbps 5000 Sets the interface speed to 5000 Mbps 10000...

Page 372: ...mand or configure the port to autonegotiate the speed as 1000 Mbps by using the speed auto command Examples Configure GigabitEthernet 1 0 1 to autonegotiate the speed Sysname system view Sysname inter...

Page 373: ...e limits the size of unknown unicast traffic to a threshold on an interface When the unknown unicast traffic on the interface exceeds this threshold the system discards packets until the unknown unica...

Page 374: ...ast storm control settings and statistics multicast Displays multicast storm control settings and statistics unicast Displays unknown unicast storm control settings and statistics interface interface...

Page 375: ...on is configured Status Packet forwarding status FW The port is forwarding traffic correctly shutdown The port has been shut down block The port drops the type of traffic Trap Status of the storm cont...

Page 376: ...le to disable bridging on an Ethernet interface Syntax port bridge enable undo port bridge enable Default Bridging is disabled on an Ethernet interface Views Layer 2 Ethernet interface view Predefined...

Page 377: ...o 100 Mbps If you configure speed 100 and then speed auto 100 1000 on the interface the interface negotiates with its peer for a speed The negotiated speed is either 100 Mbps or 1000 Mbps Speed autone...

Page 378: ...t argument is 0 to 100 lowerlimit Sets the lower threshold in pps kbps or percentage If you specify the pps keyword the value range for the lowerlimit argument is 0 to 1 4881 the interface bandwidth I...

Page 379: ...strain interval storm constrain control Use storm constrain control to set the action to take on an Ethernet interface when a type of traffic unknown unicast multicast or broadcast exceeds the upper s...

Page 380: ...enable log undo storm constrain enable log Default An Ethernet interface outputs log messages when monitored traffic exceeds the upper threshold or drops below the lower threshold from a value above t...

Page 381: ...default Syntax storm constrain interval interval undo storm constrain interval Default The storm control module polls traffic statistics every 10 seconds Views System view Predefined user roles networ...

Page 382: ...ble a hyphen is displayed Examples Test the cable connection of GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 virtual cable test Cable...

Page 383: ...ion Pair x state Cable pair state OK The cable pair is in good condition Abnormal The cable pair is abnormal Abnormal open An open circuit is detected Abnormal short A short circuit is detected Invali...

Page 384: ...ommands 1 bandwidth 1 default 1 description 2 display interface inloopback 3 display interface loopback 5 display interface null 7 interface loopback 9 interface null 9 reset counters interface loopba...

Page 385: ...es the expected bandwidth in the range of 1 to 400000000 kbps Usage guidelines The expected bandwidth is an informational parameter used only by higher layer protocols for calculation You cannot adjus...

Page 386: ...me system view Sysname interface loopback 1 Sysname LoopBack1 default description Use description to configure the description of an interface Use undo description to restore the default Syntax descri...

Page 387: ...information about interfaces in down state and the causes If you do not specify this keyword the command displays information about interfaces in all states Usage guidelines The device has only one in...

Page 388: ...c Average number of bits sent per second packets sec Average number of packets sent per second Input 0 packets 0 bytes 0 drops Total number and size in bytes of incoming packets of the interface and t...

Page 389: ...t the command displays information about all existing loopback interfaces on the device brief Displays brief interface information If you do not specify this keyword the command displays detailed inte...

Page 390: ...me when statistics on the logical interface were last cleared by using the reset counters interface command If the statistics of the interface have never been cleared by using the reset counters inter...

Page 391: ...mmand Stby The interface is a backup interface in standby state Protocol Data link layer protocol state of the interface which is always UP s UP s represents that the data link layer protocol of the i...

Page 392: ...ays information about the interface Null 0 regardless of whether you specify the 0 keyword Examples Display detailed information about Null 0 Sysname display interface null 0 NULL0 Current state UP Li...

Page 393: ...e and link layer protocols of a loopback interface are always up unless the loopback interface is manually shut down You can use a loopback interface to achieve the following purposes Prevent the conn...

Page 394: ...terfaces If you specify the loopback keyword but do not specify the interface number argument the command clears the statistics on all loopback interfaces Usage guidelines To determine whether a loopb...

Page 395: ...tatistics Examples Clear the statistics on Null 0 Sysname reset counters interface null 0 Related commands display interface null shutdown Use shutdown to shut down a loopback interface Use undo shutd...

Page 396: ...i Contents Bulk interface configuration commands 1 display interface range 1 interface range 1 interface range name 3...

Page 397: ...the interface range name command Sysname display interface range Interface range name t2 GigabitEthernet1 0 1 GigabitEthernet1 0 2 Interface range name test GigabitEthernet1 0 3 GigabitEthernet1 0 4...

Page 398: ...system view It means that The command is supported in both system view and interface view The execution failed on a member interface in interface range view and succeeded in system view The command i...

Page 399: ...e commands supported by the first interface in the specified interface list alphabetically sorted are available for configuration To view available commands enter a question mark in interface range vi...

Page 400: ...mber interfaces to an interface range Some commands after being executed on both an aggregate interface and its member interfaces can break up the aggregation Understand that the more interfaces you s...

Page 401: ...2 mac address mac move fast update 13 mac address mac roaming enable 14 mac address max mac count 15 mac address max mac count enable forwarding 15 mac address multicast source packet filter 16 mac ad...

Page 402: ...umber blackhole Displays blackhole MAC address entries multiport Displays multiport unicast MAC address entries count Displays only the number of MAC address entries that match all entry attributes yo...

Page 403: ...arned Dynamic MAC address entry Dynamic entries can be learned or manually configured Blackhole Blackhole MAC address entry Multiport Multiport unicast MAC address entry OpenFlow MAC address entry for...

Page 404: ...ews Any view Predefined user roles network admin Usage guidelines Examples Display the hash bucket size for the MAC address table Sysname display mac address hash bucket size Hash bucket size in use 4...

Page 405: ...C Address VLAN Port Count Timestamp 0001 0101 0101 100 GE1 0 1 1 2020 11 11 21 11 29 0000 0000 0002 100 GE1 0 3 1 2020 11 11 21 11 29 00e0 fc00 5829 100 GE1 0 4 1 2020 11 11 21 11 29 Table 3 Command o...

Page 406: ...GE1 0 1 Enabled GE1 0 2 Enabled Table 4 Command output Field Description Global MAC address learning status Global MAC address learning status Enabled Disabled Learning Status MAC address learning st...

Page 407: ...urce port Last time Times 0000 0001 002c 1 GE1 0 1 GE1 0 2 2013 05 20 13 40 52 20 0000 0001 002c 1 GE1 0 2 GE1 0 1 2013 05 20 13 41 32 20 0000 0094 0001 1 GE1 0 3 GE1 0 4 2013 05 20 13 42 22 13 0000 0...

Page 408: ...gered by packets Dynamic Unicast Address Security service defined Count Number of dynamic unicast MAC address entries triggered by the security service Static Unicast Address User defined Count Number...

Page 409: ...onfigure static MAC address entries For a MAC address a manually configured static entry takes precedence over a dynamically learned entry To improve the security for the user device connected to an i...

Page 410: ...ress vlan vlan id undo mac address dynamic static interface interface type interface number undo mac address multiport mac address interface interface list vlan vlan id undo mac address multiport mac...

Page 411: ...ckhole entries Multiport unicast entries To send frames with a specific destination MAC address out of multiple ports configure a multiport unicast entry When you execute this command for the first ti...

Page 412: ...y through hashing MAC address hash conflicts occur and the device cannot learn some of these MAC addresses The device will broadcast the traffic destined for the unknown MAC addresses which consumes b...

Page 413: ...ress learning You can use this feature to identify the MAC addresses that the device fails to learn because of hashing conflicts To display the log messages generated for MAC hashing conflicts execute...

Page 414: ...ace For more information about broadcast storm suppression see Interface Configuration Guide With MAC address learning enabled globally you can disable MAC address learning for an interface or VLAN Af...

Page 415: ...address mac roaming enable Default MAC address synchronization is disabled Views System view Predefined user roles network admin Usage guidelines On an IRF fabric if ports on different IRF member devi...

Page 416: ...ace reaches the limit the interface stops learning MAC address entries Examples Configure GigabitEthernet 1 0 1 to learn a maximum of 600 MAC address entries Sysname system view Sysname interface giga...

Page 417: ...mac address multicast source packet filter to enable filtering of frames sourced from a multicast or broadcast MAC address Use undo mac address multicast source packet filter to disable filtering of f...

Page 418: ...er of MAC address moves within a detection interval A MAC address can have only one MAC address move record If a MAC address moves multiple times the new record overrides the old record Within a detec...

Page 419: ...ts an interface down when a MAC address has been moved to or from the interface more than the suppression threshold within a MAC move detection interval The shutdown interface automatically goes up af...

Page 420: ...al The value range for this argument is 0 to 1024 If you do not specify this option the default suppression threshold of 3 is used Usage guidelines For this command to take effect on an interface you...

Page 421: ...t device performance Examples Set the aging time to 500 seconds for dynamic MAC address entries Sysname system view Sysname mac address timer aging 500 Related commands display mac address aging time...

Page 422: ...onfiguration in the information center For information about SNMP and information center configuration see the network management and monitoring configuration guide for the device The MAC address tabl...

Page 423: ...record MAC change information when an existing MAC address is deleted Usage guidelines Before you enable MAC Information on an interface enable MAC Information globally Examples Enable MAC Informatio...

Page 424: ...rval Default The MAC change notification interval is 1 second Views System view Predefined user roles network admin Parameters interval Specifies the MAC change notification interval in the range of 1...

Page 425: ...store the default Syntax mac address information queue length value undo mac address information queue length Default The MAC Information queue length is 50 Views System view Predefined user roles net...

Page 426: ...ds syslog messages or SNMP notifications only if the MAC change notification interval expires Examples Set the MAC Information queue length to 600 Sysname system view Sysname mac address information q...

Page 427: ...ort 16 lacp mode 17 lacp period short 17 lacp select speed 18 lacp system mac 19 lacp system number 19 lacp system priority 20 link aggregation bfd ipv4 21 link aggregation global load sharing mode 22...

Page 428: ...ional parameter used only by higher layer protocols for calculation You cannot adjust the actual bandwidth of an interface by using this command Examples Set the expected bandwidth to 10000 kbps for L...

Page 429: ...of an interface Use undo description to restore the default Syntax description text undo description Default The description of an interface is interface name Interface For example the default descri...

Page 430: ...Examples Display detailed information about Layer 2 aggregate interface Bridge Aggregation 1 Sysname display interface bridge aggregation 1 Bridge Aggregation1 Current state UP Line protocol state UP...

Page 431: ...physically up IP packet frame type IPv4 packet framing format Description Description of the interface Bandwidth Expected bandwidth of the interface This field is not displayed when the bandwidth is...

Page 432: ...lex mode of the interface A Autonegotiation The interface is configured to autonegotiate its duplex mode but the autonegotiation has not started F Full duplex F a Autonegotiated full duplex H Half dup...

Page 433: ...ggregation load sharing mode Use display link aggregation load sharing mode to display global or group specific link aggregation load sharing modes Syntax display link aggregation load sharing mode in...

Page 434: ...egation load sharing mode Global link aggregation load sharing mode By default this field displays the link aggregation load sharing modes for Layer 2 and Layer 3 traffic If you have configured the gl...

Page 435: ...in information about the peer group For such member ports the command displays the port number port priority and operational key of only the local end Examples Display detailed information about Gigab...

Page 436: ...ey 1 Flag ACDEF Remote System ID 0x8000 a057 75a2 0100 Port Number 3 Port Priority 32768 Oper Key 1 Flag ACDEF Received LACP Packets 3 packet s Illegal 0 packet s Sent LACP Packets 6 packet s Table 4...

Page 437: ...flag Remote Information about the peer end System ID Peer system ID containing the LACP system priority and the LACP system MAC address Received LACP Packets Total number of LACP packets received Ill...

Page 438: ...ity and the local LACP system MAC address AGG Interface Type and number of the aggregate interface AGG Mode Aggregation group type Partner ID System ID of the peer system which contains the peer LACP...

Page 439: ...g Port Status S Selected U Unselected I Individual Port A Auto port M Management port R Reference port Flags A LACP_Activity B LACP_Timeout C Aggregation D Synchronization E Collecting F Distributing...

Page 440: ...not appear when its bit is 0 A Indicates whether LACP is active on the port 1 indicates active 0 indicates passive B Indicates the LACP timeout interval 1 indicates the short timeout interval 0 indic...

Page 441: ...rt This field displays the R flag next to the port if its peer port is the reference port Priority Priority of the peer port Index Index of the peer port Oper Key Operational key of the peer port Syst...

Page 442: ...mboframe enable size to restore the default Syntax jumboframe enable size undo jumboframe enable size Default An interface allows jumbo frames with a maximum length of 10240 bytes to pass through View...

Page 443: ...default port selection action Sysname system view Sysname lacp default selected port disable lacp edge port Use lacp edge port to configure an aggregate interface as an edge aggregate interface Use u...

Page 444: ...mber ports of dynamic aggregation groups When LACP is operating in passive mode on a local member port and its peer port both ports cannot send LACPDUs When LACP is operating in active mode on either...

Page 445: ...tion When you use this command make sure you understand its impact on your network This command enables a dynamic aggregation group to select a high speed member port as the reference port You must ex...

Page 446: ...this command takes effect only on aggregate interfaces in S MLAG groups Aggregate interfaces not in S MLAG groups do not use the configured LACP system MAC address to send LACPDUs To identify the LACP...

Page 447: ...ber to 1 Sysname system view Sysname lacp system number 1 Related commands display link aggregation verbose lacp system priority Use lacp system priority to set the LACP system priority Use undo lacp...

Page 448: ...ake effect on all BFD sessions established by the member ports in its aggregation group BFD on an aggregate link supports only control packet mode for session establishment and maintenance The two end...

Page 449: ...estination MAC addresses destination port Distributes traffic based on destination ports ingress port Distributes traffic based on ingress ports source ip Distributes traffic based on source IP addres...

Page 450: ...port is shut down by using the shutdown command The slot that hosts the port reboots and the aggregation group spans multiple slots NOTE The device does not redirect traffic to member ports that beco...

Page 451: ...aring mode local first Default Local first load sharing is enabled for link aggregation Views System view Predefined user roles network admin Usage guidelines Use local first load sharing in a multide...

Page 452: ...gregation port priority Use link aggregation port priority to set the port priority of an interface Use undo link aggregation port priority to restore the default Syntax link aggregation port priority...

Page 453: ...for the local and peer ends For an aggregation group the maximum number of Selected ports must be equal to or higher than the minimum number of Selected ports The maximum number of Selected ports allo...

Page 454: ...m percentage of Selected ports for an aggregation group aggregate interface flapping might occur when ports join or leave an aggregation group Make sure you are fully aware of the impacts of this sett...

Page 455: ...the value range is 0 to 10000 milliseconds and the value must be a multiple of 100 Usage guidelines You can configure this feature to suppress link down events link up events or both If an event of t...

Page 456: ...ts the attribute configurations on the aggregate interface You can modify the attribute configurations only on the aggregate interface The force keyword takes effect only when you assign the interface...

Page 457: ...mode to an S MLAG group Each S MLAG group can contain only one aggregate interface on each device Examples Assign Bridge Aggregation 1 to S MLAG group 1 Sysname system view Sysname interface bridge a...

Page 458: ...nterface interface list Views User view Predefined user roles network admin Parameters interface interface list Specifies a list of link aggregation member ports in the format interface type interface...

Page 459: ...hed on an interface Make sure you are fully aware of the impacts of this command when you use it on a live network Examples Bring up Layer 2 aggregate interface Bridge Aggregation 1 Sysname system vie...

Page 460: ...i Contents Port isolation commands 1 display port isolate group 1 port isolate enable 2 port isolate group 2...

Page 461: ...splay port isolate group Port isolation group information Group ID 1 Group members GigabitEthernet1 0 1 Group ID 5 Group members GigabitEthernet1 0 2 GigabitEthernet1 0 4 Display information about iso...

Page 462: ...onfiguration to the aggregate interface it does not assign any aggregation member port to the isolation group If the failure occurs on an aggregation member port the device skips the port and continue...

Page 463: ...ps exist Views System view Predefined user roles network admin Parameters group id Specifies an isolation group by its ID The value range is 1 to 8 all Deletes all isolation groups Examples Create iso...

Page 464: ...stp enable 29 stp global config digest snooping 30 stp global enable 30 stp global mcheck 31 stp ignore pvid inconsistency 32 stp log enable tc 33 stp loop protection 33 stp max hops 34 stp mcheck 34...

Page 465: ...ii stp vlan enable 55 vlan mapping modulo 55...

Page 466: ...iguration command or the stp global enable command As a best practice use the check region configuration command to determine whether the MST region configurations to be activated are correct Run this...

Page 467: ...me MST region only when they are connected through a physical link and configured with the same details as follows Format selector 0 by default and not configurable MST region name MST region revision...

Page 468: ...nstance id2 The value for instance id2 must be equal to or greater than the value for instance id1 The value range for the instance id argument is 0 to 4094 and the value 0 represents the CIST vlan vl...

Page 469: ...MSTIs on all ports If you specify an MSTI list but not a port this command applies to all ports in the specified MSTIs If you specify a port list but not an MSTI this command applies to all MSTIs on...

Page 470: ...Info Mode MSTP Bridge ID 32768 0001 0000 0000 Bridge times Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20 Root ID ERPC 32768 0001 0000 0000 0 RegRoot ID IRPC 32768 0001 0000 0000 0 RootPort ID 0 0 BPDU P...

Page 471: ...s and statistics for all ports in all VLANs Sysname system view Sysname stp mode pvst Sysname display stp VLAN 1 Global Info Protocol status Enabled Bridge ID 32768 000f e200 2200 Bridge times Hello 2...

Page 472: ...tree feature is disabled Sysname display stp Protocol status Disabled Protocol Std IEEE 802 1w pvst Version 2 Bridge Prio 32768 MAC address 3822 d69f 0800 Max age s 20 Forward delay s 15 Hello time s...

Page 473: ...rt cost Legacy Path cost of the port The field in parentheses indicates the standard legacy dot1d 1998 or dot1t used for port path cost calculation Config Configured value Active Actual value Desg bri...

Page 474: ...U received Statistics on received BPDUs RegRoot ID IRPC MSTI regional root internal path cost Root Type MSTI root type Primary root Secondary root Master bridge MSTI root bridge ID Cost to master Path...

Page 475: ...ected 14 39 00 04 15 2016 In PVST mode display history about ports that are blocked by spanning tree protection features GigabitEthernet1 0 1 VLAN ID BlockReason Time 1 Root Protected 14 49 17 04 15 2...

Page 476: ...the CIST Usage guidelines In MSTP mode the command output is sorted by port name and by MSTI ID on each port If you do not specify an MSTI or port this command applies to all MSTIs on all ports If yo...

Page 477: ...interface gigabitethernet 1 0 1 Port GigabitEthernet1 0 1 Type Count Last Updated Invalid BPDUs 0 Looped back BPDUs 0 Max aged BPDUs 0 TCN sent 0 TCN received 0 TCA sent 0 TCA received 2 10 33 12 01...

Page 478: ...Instance Statistics for a specific MSTI Timeout BPDUs Number of expired BPDUs Max hoped BPDUs Number of BPDUs whose maximum hops were exceeded TC detected Number of detected topology changes TC sent N...

Page 479: ...arated list of up to 10 VLAN items Each item specifies a VLAN or a range of VLANs in the form of vlan id1 to vlan id2 The value for vlan id2 must be equal to or greater than the value for vlan id1 The...

Page 480: ...ty 0 00e0 fc01 6510 0 0 00e0 fc01 6510 128 2 Table 7 Command output Field Description Port Port name Role change Role change of the port Aged means that the change was caused by expiration of the rece...

Page 481: ...Predefined user roles network admin network operator Examples In MSTP mode display effective MST region configuration Sysname display stp region configuration Oper Configuration Format selector 0 Regi...

Page 482: ...tPathCost Root Port 1 0 00e0 fc0e 6554 200200 0 GigabitEthernet1 0 1 Table 9 Command output Field Description ExtPathCost External path cost The path cost of a port is either automatically calculated...

Page 483: ...In PVST mode the command output is sorted by VLAN ID and by port name in each VLAN If you do not specify a VLAN this command applies to all VLANs If you specify a VLAN list this command applies to th...

Page 484: ...the vlan id argument is 1 to 4094 Usage guidelines CAUTION Use caution with global Digest Snooping in the following situations When you modify the VLAN to instance mappings When you restore the defau...

Page 485: ...T region name the VLAN to instance mapping table and the MSTP revision level of a device determine the device s MST region After configuring this command execute the active region configuration comman...

Page 486: ...abitethernet 1 0 1 to gigabitethernet 1 0 3 Related commands display stp revision level Use revision level to configure the MSTP revision level Use undo revision level to restore the default MSTP revi...

Page 487: ...y changes In PVST mode SNMP notifications are disabled for spanning tree topology changes in all VLANs Views System view Predefined user roles network admin Parameters new root Enables the device to s...

Page 488: ...formation about this command see device management commands in Fundamentals Command Reference The global BPDU guard setting takes effect on all edge ports configured by using the stp edged port comman...

Page 489: ...timers are related to the network size and you can set the timers by setting the network diameter With the network diameter set to 7 the default the three timers are also set to their defaults In STP...

Page 490: ...net interface view it takes effect only on that interface If this command is configured in Layer 2 aggregate interface view it takes effect only on the aggregate interface If this command is configure...

Page 491: ...itEthernet1 0 1 quit Sysname stp global config digest snooping Related commands display stp stp global config digest snooping stp cost Use stp cost to set the path cost of a port Use undo stp cost to...

Page 492: ...system calculates the role of the port and initiates a state transition If this command is configured in Layer 2 Ethernet interface view it takes effect only on that interface If this command is conf...

Page 493: ...t Use stp edged port to configure a port as an edge port Use undo stp edged port to restore the default Syntax stp edged port undo stp edged port Default All ports are non edge ports Views Layer 2 Eth...

Page 494: ...x stp enable undo stp enable Default The spanning tree feature is enabled on all ports Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin Usage...

Page 495: ...ned user roles network admin Usage guidelines For Digest Snooping to take effect you must enable Digest Snooping both globally and on associated ports As a best practice first enable Digest Snooping o...

Page 496: ...g tree feature is enabled the device dynamically maintains the spanning tree status of VLANs based on received configuration BPDUs When the spanning tree feature is disabled the device stops maintaini...

Page 497: ...nore pvid inconsistency Default Inconsistent PVID protection is enabled Views System view Predefined user roles network admin Usage guidelines This command takes effect only when the device is operati...

Page 498: ...e system view Sysname stp log enable tc stp loop protection Use stp loop protection to enable loop guard on a port Use undo stp loop protection to disable loop guard on a port Syntax stp loop protecti...

Page 499: ...et the maximum number of hops for an MST region Use undo stp max hops to restore the default Syntax stp max hops hops undo stp max hops Default The maximum number of hops for an MST region is 20 Views...

Page 500: ...ice C perform mCheck operations on the ports that connect Device B and Device C The device operates in STP RSTP PVST or MSTP mode depending on the spanning tree mode setting The stp mcheck command tak...

Page 501: ...mode is compatible with other modes in any VLAN Trunk or hybrid port The PVST mode is compatible with other modes only in the default VLAN Examples Configure the spanning tree device to operate in ST...

Page 502: ...he default path costs for ports Use undo stp pathcost standard to restore the default Syntax stp pathcost standard dot1d 1998 dot1t legacy undo stp pathcost standard Default The default standard used...

Page 503: ...a port that operates in full duplex mode As a best practice use the default setting to let the device automatically detect the port link type In MSTP or PVST mode the stp point to point force false or...

Page 504: ...t status detection timer expires You can set this timer by using the shutdown interval command For more information about this command see device management commands in Fundamentals Command Reference...

Page 505: ...for vlan id2 must be equal to or greater than the value for vlan id1 The value range for the vlan id argument is 1 to 4094 priority Specifies the port priority in the range of 0 to 240 in increments...

Page 506: ...down by BPDU guard after this command is configured The device does not bring up the shutdown ports if you execute the undo stp port shutdown permanent command To bring up these ports you must use the...

Page 507: ...igabitEthernet1 0 1 has been set to discarding state Aug 16 00 49 41 856 2011 Sysname STP 3 STP_FORWARDING Instance 2 s port GigabitEthernet1 0 2 has been set to forwarding state The output shows that...

Page 508: ...1 to 4094 priority Specifies the device priority in the range of 0 to 61440 in increments of 4096 as in 0 4096 8192 You can set up to 16 priority values on the device The smaller the value the higher...

Page 509: ...default MST region configurations Syntax stp region configuration undo stp region configuration Default The default settings for an MST region are as follows The MST region name of the device is its...

Page 510: ...bitethernet 1 0 1 Sysname GigabitEthernet1 0 1 stp role restriction stp root primary Use stp root primary to configure the device as the root bridge Use undo stp root to restore the default Syntax stp...

Page 511: ...Syntax stp instance instance list vlan vlan id list root secondary undo stp instance instance list vlan vlan id list root Default The device is not a secondary root bridge Views System view Predefine...

Page 512: ...oot protection Default Root guard is disabled Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin Usage guidelines On a port the loop guard featu...

Page 513: ...orwarding address entry flush when the interval elapses This prevents frequent flushing of forwarding address entries Examples Disable TC BPDU attack guard for the device Sysname system view Sysname u...

Page 514: ...er 2 aggregate interface view Predefined user roles network admin Usage guidelines When TC BPDU transmission restriction is enabled on a port the port does not send TC BPDUs to other ports It also doe...

Page 515: ...imer Use undo stp timer forward delay to restore the default Syntax stp vlan vlan id list timer forward delay time undo stp vlan vlan id list timer forward delay Default The forward delay timer is 150...

Page 516: ...centiseconds Sysname system view Sysname stp timer forward delay 2000 In PVST mode set the forward delay timer for VLAN 2 to 2000 centiseconds Sysname system view Sysname stp vlan 2 timer forward del...

Page 517: ...set the hello time for VLAN 2 to 400 centiseconds Sysname system view Sysname stp vlan 2 timer hello 400 Related commands stp bridge diameter stp timer forward delay stp timer max age stp timer max a...

Page 518: ...n PVST mode set the max age timer for VLAN 2 to 1000 centiseconds Sysname system view Sysname stp vlan 2 timer max age 1000 Related commands stp bridge diameter stp timer forward delay stp timer hello...

Page 519: ...10 Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin Parameters limit Specifies the BPDU transmission rate in the range of 1 to 255 Usage guid...

Page 520: ...nge for the vlan id argument is 1 to 4094 Usage guidelines When you enable the spanning tree feature the device operates in STP RSTP PVST or MSTP mode depending on the spanning tree mode setting When...

Page 521: ...the old mapping is automatically deleted This command maps each VLAN to the MSTI with ID VLAN ID 1 modulo 1 VLAN ID 1 modulo is the modulo operation for VLAN ID 1 If the modulo value is 15 then VLAN 1...

Page 522: ...op detection commands 1 display loopback detection 1 loopback detection action 2 loopback detection enable 3 loopback detection global action 3 loopback detection global enable 4 loopback detection in...

Page 523: ...Action mode Loop protection action Block When a loop is detected on a port the device performs the following operations Generates a log Disables the port from learning MAC addresses Blocks the port N...

Page 524: ...yer 2 aggregate interfaces do not support this keyword no learning Enables the no learning mode If a loop is detected the device generates a log and disables MAC address learning on the port Layer 2 a...

Page 525: ...value range for VLAN IDs is 1 to 4094 The ID for vlan id2 must be no less than the ID for vlan id1 all Specifies all existing VLANs Usage guidelines You can enable loop detection globally or on a per...

Page 526: ...on takes precedence over the global action Example Set the global loop protection action to shutdown Sysname system view System loopback detection global action shutdown Related commands display loopb...

Page 527: ...se undo loopback detection interval time to restore the default Syntax loopback detection interval time interval undo loopback detection interval time Default The loop detection interval is 30 seconds...

Page 528: ...mac vlan trigger enable 22 port pvid forbidden 22 vlan precedence 23 IP subnet based VLAN commands 24 display ip subnet vlan interface 24 display ip subnet vlan vlan 25 ip subnet vlan 26 port hybrid...

Page 529: ...mands 54 display voice vlan mac address 54 display voice vlan state 54 voice vlan aging 55 voice vlan enable 56 voice vlan mac address 57 voice vlan mode auto 58 voice vlan security enable 59 voice vl...

Page 530: ...s the expected bandwidth in the range of 1 to 400000000 kbps Usage guidelines The expected bandwidth is an informational parameter used only by higher layer protocols for calculation You cannot adjust...

Page 531: ...tion Use description to configure the description of a VLAN or VLAN interface Use undo description to restore the default Syntax description text undo description Default For a VLAN the description is...

Page 532: ...umber the command displays information about all existing VLAN interfaces brief Displays brief interface information If you do not specify this keyword the command displays detailed interface informat...

Page 533: ...cription Description of the VLAN interface Bandwidth Expected bandwidth of the VLAN interface Maximum transmission unit MTU of the VLAN interface Internet protocol processing Disabled The VLAN interfa...

Page 534: ...range of 1 to 4094 vlan id1 to vlan id2 Specifies a VLAN ID range Both the vlan id1 and the vlan id2 arguments are in the range of 1 to 4094 The value for the vlan id2 argument must be equal to or gre...

Page 535: ...r the VLAN Not configured Configured Description Description of the VLAN Name VLAN name IP address Primary IPv4 address of the VLAN interface This field is displayed only when an IPv4 address is confi...

Page 536: ...15 GE1 0 16 GE1 0 17 GE1 0 18 GE1 0 19 GE1 0 20 GE1 0 21 GE1 0 22 GE1 0 23 GE1 0 24 GE1 0 25 GE1 0 26 GE1 0 27 GE1 0 28 GE1 0 29 GE1 0 30 GE1 0 31 GE1 0 32 GE1 0 33 GE1 0 34 GE1 0 35 GE1 0 36 GE1 0 37...

Page 537: ...LAN interfaces for secondary VLANs that meet the following requirements Associated with the same primary VLAN Enabled with Layer 3 communication in VLAN interface view of the primary VLAN interface Ex...

Page 538: ...o a VLAN Use undo name to restore the default Syntax name text undo name Default The name of a VLAN is VLAN vlan id The vlan id argument specifies the VLAN ID in a four digit format If the VLAN ID has...

Page 539: ...istics on all existing VLAN interfaces Usage guidelines Use this command to clear the history statistics before you collect statistics within a time period Examples Clear statistics on VLAN interface...

Page 540: ...each Ethernet port is independent of the state of the VLAN interface Examples Shut down VLAN interface 2 and then bring it up Sysname system view Sysname interface vlan interface 2 Sysname Vlan interf...

Page 541: ...ommands display port Use display port to display information about hybrid or trunk ports Syntax display port hybrid trunk Views Any view Predefined user roles network admin network operator Parameters...

Page 542: ...cifies a space separated list of up to 10 Ethernet interface items Each item specifies an Ethernet interface or a range of Ethernet interfaces in the form of interface type interface number1 to interf...

Page 543: ...ess ports to VLAN 1 To move an access port to VLAN 1 execute the undo port access vlan command on the access port Before assigning an access port to a VLAN make sure the VLAN has been created Examples...

Page 544: ...o VLAN 100 and assign it to VLAN 100 as an untagged member Sysname system view Sysname vlan 100 Sysname vlan100 quit Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 port link type...

Page 545: ...port the hybrid port allows all the specified VLANs Examples Configure GigabitEthernet 1 0 1 as a hybrid port and assign it to VLAN 2 VLAN 4 and VLAN 50 through VLAN 100 as a tagged member Sysname sy...

Page 546: ...a range of VLAN IDs in the form of vlan id1 to vlan id2 The value range for VLAN IDs is 1 to 4094 The value for the vlan id2 argument must be equal to or greater than the value for the vlan id1 argum...

Page 547: ...or correct packet transmission set the same PVID for a local trunk port and its peer To enable a trunk port to transmit packets from its PVID you must assign the trunk port to the PVID by using the po...

Page 548: ...for the vlan id argument is 1 to 4094 Examples Display all MAC to VLAN entries Sysname display mac vlan all The following MAC VLAN entries exist State S Static D Dynamic MAC address Mask VLAN ID Dot1p...

Page 549: ...wing ports GigabitEthernet1 0 1 GigabitEthernet1 0 2 GigabitEthernet1 0 3 Related commands mac vlan enable mac vlan enable Use mac vlan enable to enable the MAC based VLAN feature on a port Use undo m...

Page 550: ...ve Fs in hexadecimal notation The default value is ffff ffff ffff vlan vlan id Specifies a VLAN ID in the range of 1 to 4094 dot1p priority Specifies the 802 1p priority of the VLAN specific to the MA...

Page 551: ...based VLAN assignment on a port Syntax mac vlan trigger enable undo mac vlan trigger enable Default Dynamic MAC based VLAN assignment is disabled on a port Views Layer 2 Ethernet interface view Predef...

Page 552: ...me interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 port pvid forbidden Related commands mac vlan trigger enable vlan precedence Use vlan precedence to set the VLAN matching order Use undo...

Page 553: ...display ip subnet vlan interface interface type interface number1 to interface type interface number2 all Views Any view Predefined user roles network admin network operator Parameters interface type...

Page 554: ...ased VLAN is not complete The port does not allow the IP subnet based VLAN Related commands display ip subnet vlan vlan ip subnet vlan port hybrid ip subnet vlan display ip subnet vlan vlan Use displa...

Page 555: ...index Specifies a beginning IP subnet index in the range of 0 to 65535 The value can be configured by users It can also be automatically numbered by the system based on the order in which the IP subne...

Page 556: ...id all Default A port is not associated with an IP subnet based VLAN Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin Parameters vlan vlan id...

Page 557: ...rface to display protocol based VLANs that are associated with the specified ports Syntax display protocol vlan interface interface type interface number1 to interface type interface number2 all Views...

Page 558: ...rotocol vlan vlan to display information about protocol based VLANs Syntax display protocol vlan vlan vlan id1 to vlan id2 all Views Any view Predefined user roles network admin network operator Param...

Page 559: ...l end all undo hybrid protocol vlan vlan vlan id protocol index to protocol end all all Default A port is not associated with a protocol based VLAN Views Layer 2 Ethernet interface view Layer 2 aggreg...

Page 560: ...tagged Sysname GigabitEthernet1 0 1 port hybrid protocol vlan vlan 2 1 Configure Layer 2 aggregate interface Bridge Aggregation 1 as a hybrid port assign it to VLAN 2 as an untagged member and associa...

Page 561: ...hat is associated with the VLAN The value range for this argument is 0 to 65535 The system will automatically assign an index if you do not specify this argument to protocol end Specifies an end proto...

Page 562: ...n3 protocol vlan 1 ipv4 Sysname vlan3 protocol vlan 2 mode ethernetii etype 0806 Related commands display protocol vlan interface display protocol vlan vlan port protocol vlan VLAN group commands disp...

Page 563: ...oups exist Views System view Predefined user roles network admin Parameters group name Specifies a VLAN group by its name a case sensitive string of 1 to 31 characters The first character must be an a...

Page 564: ...ch item specifies a VLAN ID or a range of VLAN IDs in the form of vlan id1 to vlan id2 The value range for VLAN IDs is 1 to 4094 The value for the vlan id2 argument must be equal to or greater than th...

Page 565: ...VLANs and their associated secondary VLANs Examples Display information about primary VLANs and their associated secondary VLANs Sysname display private vlan Primary VLAN ID 2 Secondary VLAN ID 3 4 VL...

Page 566: ...s display interface vlan interface display this VLAN interface view IPv4 subnet mask Subnet mask for the primary IPv4 address of the VLAN interface This field is displayed only when an IPv4 address is...

Page 567: ...imary VLAN associated with the secondary VLAN Also the following events occur For an access port the device performs the following operations Changes the port link type to hybrid Configures the second...

Page 568: ...1 to VLAN 20 and then verify the configuration Sysname GigabitEthernet1 0 1 port access vlan 20 Sysname GigabitEthernet1 0 1 display this interface GigabitEthernet1 0 1 port link mode bridge port priv...

Page 569: ...r untagged member of the primary VLAN and part of its associated secondary VLANs this member attribute remains in these VLANs The device assigns the hybrid port to the rest of the associated secondary...

Page 570: ...is an untagged member of primary VLAN 2 and secondary VLAN 20 The port link type of GigabitEthernet 1 0 1 is hybrid and its PVID is VLAN 2 Execute the undo port private vlan command on GigabitEtherne...

Page 571: ...ines If the specified VLANs are primary VLANs that have been associated with secondary VLANs the command assigns the port to the associated secondary VLANs Also the following events occur For an acces...

Page 572: ...ethernet 1 0 1 Sysname GigabitEthernet1 0 1 display this interface GigabitEthernet1 0 1 port link mode bridge return Configure GigabitEthernet 1 0 1 as a trunk promiscuous port of VLANs 2 and 3 and th...

Page 573: ...VLANs Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin Parameters vlan id list Specifies a space separated list of up to 10 secondary VLAN it...

Page 574: ...this command This command does not take effect on the specified VLAN if any of the following conditions applies The specified VLAN does not exist The specified VLAN is not a secondary VLAN and is use...

Page 575: ...this interface GigabitEthernet1 0 1 port link mode bridge port link type hybrid port hybrid vlan 2 3 tagged port hybrid vlan 1 untagged return The output shows that GigabitEthernet 1 0 1 is removed fr...

Page 576: ...idge port link type hybrid port hybrid vlan 1 untagged return The output shows that GigabitEthernet 1 0 1 is removed from VLAN 10 The port link type and PVID of GigabitEthernet 1 0 1 do not change Rel...

Page 577: ...multiple times all the specified secondary VLANs are interoperable at Layer 3 When you execute the undo private vlan command follow these guidelines If you specify the secondary vlan id list option th...

Page 578: ...Enable local proxy ARP on VLAN interface 2 Sysname Vlan interface2 local proxy arp enable Related commands private vlan VLAN view private vlan primary private vlan VLAN view Use private vlan to associ...

Page 579: ...dissociates the primary VLAN from all secondary VLANs Examples Associate primary VLAN 2 with secondary VLANs 3 and 4 Sysname system view Sysname vlan 3 to 4 Sysname vlan 2 Sysname vlan2 private vlan p...

Page 580: ...GigabitEthernet1 0 1 quit Assign GigabitEthernet 1 0 2 to VLAN 4 and configure the port as a host port Sysname interface gigabitethernet 1 0 2 Sysname GigabitEthernet1 0 2 port access vlan 4 Sysname...

Page 581: ...ame vlan 4 Sysname vlan4 quit Sysname vlan 2 Sysname vlan2 private vlan primary Sysname vlan2 private vlan secondary 4 Sysname vlan2 quit Configure GigabitEthernet 1 0 1 as a promiscuous port of VLAN...

Page 582: ...on is triggered based on the interface configuration when the following conditions exist This command is configured for a VLAN that has been associated with secondary VLANs Ports on the device are pro...

Page 583: ...00 ffff ff00 0000 Cisco phone 0004 0d00 0000 ffff ff00 0000 Avaya phone 000f e200 0000 ffff ff00 0000 H3C Aolynk phone 0060 b900 0000 ffff ff00 0000 Philips NEC phone 00d0 1e00 0000 ffff ff00 0000 Pin...

Page 584: ...ecurity Normal Voice VLAN aging time Voice VLAN aging timer No aging indicates that the voice VLAN does not age out Voice VLAN enabled ports and their modes Voice VLAN enabled ports and their voice VL...

Page 585: ...for a voice VLAN equals the sum of the voice VLAN aging timer and the aging timer for its dynamic MAC address entry For more information about the aging timer for dynamic MAC address entries see MAC a...

Page 586: ...or voice packet identification Use undo voice vlan mac address to delete an OUI address Syntax voice vlan mac address mac address mask oui mask description text undo voice vlan mac address oui Default...

Page 587: ...1234 1234 1234 and the mask as fff ff00 0000 Configure the OUI address description as PhoneA Sysname system view Sysname voice vlan mac address 1234 1234 1234 mask ffff ff00 0000 description PhoneA Re...

Page 588: ...y voice packets whose source MAC addresses match the OUI addresses of the device In normal mode a voice VLAN transmits voice packets and non voice packets Examples Disable the voice VLAN security mode...

Page 589: ...60 Examples Enable LLDP for automatic IP phone discovery Sysname system view Sysname voice vlan track lldp...

Page 590: ...g status 1 display mvrp state 2 display mvrp statistics 3 mrp timer join 5 mrp timer leave 6 mrp timer leaveall 7 mrp timer periodic 8 mvrp enable 9 mvrp global enable 9 mvrp gvrp compliance enable 10...

Page 591: ...erface number1 argument If the specified interfaces are not enabled with MVRP this command displays global MVRP information If you do not specify this option the command displays global MVRP informati...

Page 592: ...ffect on the port Enabled MVRP takes effect on the port Disabled MVRP does not take effect on the port Whether MVRP takes effect on a port is determined by the following items Global and port specific...

Page 593: ...ut Field Description MVRP state of VLAN 2 on port GE1 0 1 MVRP state of GigabitEthernet 1 0 1 in VLAN 2 App state State of the attribute that the local participant declares to its peer participant VO...

Page 594: ...d ports Usage guidelines If MVRP is disabled on the specified ports this command does not provide any output Examples Display MVRP statistics of all ports Sysname display mvrp statistics GigabitEthern...

Page 595: ...Received Number of JoinIn events received In Event Received Number of In events received JoinMt Event Received Number of JoinMt events received Mt Event Received Number of Mt events received Leave Ev...

Page 596: ...by 20 centiseconds Examples Set the Join timer to 40 centiseconds In this example the Leave timer is 100 centiseconds Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEtherne...

Page 597: ...LeaveAll timer Use undo mrp timer leaveall to restore the default Syntax mrp timer leaveall timer value undo mrp timer leaveall Default The LeaveAll timer is 1000 centiseconds Views Layer 2 Ethernet i...

Page 598: ...rp timer periodic Use mrp timer periodic to set the Periodic timer Use undo mrp timer periodic to restore the default Syntax mrp timer periodic timer value undo mrp timer periodic Default The Periodic...

Page 599: ...lobally and on the port The port is physically up The port link type is trunk The port is not a member of an aggregation group Examples Enable MVRP on GigabitEthernet 1 0 1 Sysname system view Sysname...

Page 600: ...iance enable to restore the default Syntax mvrp gvrp compliance enable undo mvrp gvrp compliance enable Default MVRP is incompatible with GVRP Views System view Predefined user roles network admin Usa...

Page 601: ...lated commands display mvrp running status reset mvrp statistics Use reset mvrp statistics to clear MVRP statistics for ports Syntax reset mvrp statistics interface interface list Views User view Pred...

Page 602: ...12 Related commands display mvrp statistics...

Page 603: ...i Contents QinQ commands 1 display qinq 1 qinq enable 2 qinq ethernet type interface view 2 qinq ethernet type system view 3 qinq transparent vlan 4...

Page 604: ...isplays all QinQ enabled interfaces Usage guidelines If QinQ is not enabled on any interfaces this command does not provide any output Examples Enable QinQ on GigabitEthernet 1 0 1 Then verify that Qi...

Page 605: ...stem view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 qinq enable Related commands display qinq qinq ethernet type interface view Use qinq ethernet type to set the TPID value...

Page 606: ...A port without QinQ enabled uses the SVLAN TPID to match incoming tagged frames The port modifies the TPID in the SVLAN tag of outgoing frames as the configured value Examples Set the TPID value in SV...

Page 607: ...RARP 0x8035 IP 0x0800 IPv6 0x86dd PPPoE 0x8863 0x8864 MPLS 0x8847 0x8848 IPX SPX 0x8137 IS IS 0x8000 LACP 0x8809 LLDP 0x88cc 802 1X 0x888e 802 1ag 0x8902 Cluster 0x88a7 Reserved 0xfffd 0xfffe 0xffff E...

Page 608: ...o ensure successful transmission for a transparent VLAN follow these configuration guidelines Set the link type of the port to trunk or hybrid and assign the port to the transparent VLAN Do not config...

Page 609: ...i Contents VLAN mapping commands 1 display vlan mapping 1 vlan mapping 2...

Page 610: ...Interface GigabitEthernet1 0 1 Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN 10 N A 120 N A Interface GigabitEthernet1 0 3 Outer VLAN Inner VLAN Translated Outer VLAN Translated I...

Page 611: ...nges and the SVLAN for a one to two VLAN mapping The vlan range list argument specifies a space separated list of up to 10 CVLAN items Each item specifies a CVLAN ID or a range of CVLAN IDs in the for...

Page 612: ...the packet length is added by 4 bytes As a best practice set the MTU to a minimum of 1504 bytes for ports on the forwarding path of the packet on the service provider network Examples Configure a one...

Page 613: ...lv port id 29 lldp global tlv enable basic tlv management address tlv 30 lldp hold multiplier 32 lldp ignore pvid inconsistency 32 lldp local information all interface 33 lldp management address 34 ll...

Page 614: ...mmand configured CDP frames sent to IP phones from the interface carry the voice VLAN ID specified in this command IP phones use the voice VLAN ID to send voice traffic Examples Set the voice VLAN ID...

Page 615: ...ervice Bridge MED information Device class Connectivity device MED inventory information of master board HardwareRev REV A FirmwareRev 109 SoftwareRev 7 1 070 Release 6343P09 SerialNum NONE Manufactur...

Page 616: ...PSE Power source Primary Power priority Unknown PD requested power value 0 0 w PSE allocated power value 0 0 w PD requested power value mode A 0 0 W PD requested power value mode B 0 0 W PSE allocate...

Page 617: ...s Bridge Switching is enabled Router Routing is enabled Repeater Signal repeating is enabled Telephone The local device is acting as a telephone DocsisCableDevice The local device is acting as a DOCSI...

Page 618: ...ther link aggregation is supported on the port Link aggregation enabled Indicates whether link aggregation is enabled on the port Aggregation port ID Member port ID which is 0 when link aggregation is...

Page 619: ...alue alternative A This field is supported only on the UPWR switches 4 pair PSE allocated power value in mode A in watts PSE allocated power value alternative B This field is supported only on the UPW...

Page 620: ...ss 2 Class 3 Class 4 Class 5 Single signature PD or 2 pair only PSE A single signature PD is connected or a 2 pair PSE power supply is used Power class ext This field is supported only on the UPWR swi...

Page 621: ...eiving priority of PD ports Unknown Critical High Low Port available power value Available PoE power on PSE ports or power needed on PD ports in watts Transmit Tw Sleep time of the local client in s R...

Page 622: ...iled LLDP information that the local device receives from the neighboring devices If you do not specify this keyword the command displays the brief LLDP information that the local device receives from...

Page 623: ...plex Full Power port class PD PSE power supported Yes PSE power enabled Yes PSE pairs control ability Yes Power pairs Signal Port power classification Class 0 Power type Type 2 PD Power source PSE and...

Page 624: ...n of port 3 GigabitEthernet1 0 3 LLDP agent nearest nontpmr LLDP neighbor index 6 ChassisID subtype 0011 2233 4400 MAC address PortID subtype 000c 29f5 c715 MAC address Capabilities None Display brief...

Page 625: ...is supported Telephone The neighboring device can act as a telephone DocsisCableDevice The neighboring device can act as a DOCSIS compliant cable device StationOnly The neighboring device can act as...

Page 626: ...er the pair selection ability is available Power pairs Power supply mode Signal Uses data pairs to supply power Spare Uses spare pairs to supply power Port power classification Power class of the PD C...

Page 627: ...R switches PD powered status Reserved Unknown powered status Powered single signature PD Powered status of a single signature PD 2 pair Powered dual signature PD Powered status of a dual signature PD...

Page 628: ...s field is supported only on theUPWR switches Indicates whether a dual signature PD is connected and isolation between mode A and mode B is required PSE maximum available power This field is supported...

Page 629: ...nearest customer bridge neighbor display lldp statistics Use display lldp statistics to display the global LLDP statistics or the LLDP statistics of a port Syntax display lldp statistics global inter...

Page 630: ...ber of CDP frames transmitted 0 The number of CDP frames received 0 The number of CDP frames discarded 0 The number of CDP error frames 0 LLDP agent nearest nontpmr The number of LLDP frames transmitt...

Page 631: ...LLDP neighbor information last change time Time when the neighbor information was last updated The number of LLDP neighbor information inserted Number of times neighbor information was added The numbe...

Page 632: ...max credit 5 Hold multiplier 4 Reinit delay 2s Trap interval 5s Fast start times 3 LLDP status information of port 1 GigabitEthernet1 0 1 LLDP agent nearest bridge Port status of LLDP Enable Admin st...

Page 633: ...iggered Port 1 LLDP status of port 1 Port status of LLDP Indicates whether LLDP is enabled on the port Admin status LLDP operating mode of the port TX_RX The port can send and receive LLDP frames Rx_O...

Page 634: ...rest nontpmr Specifies nearest non TPMR bridge agents Examples Display the types of advertisable optional LLDP TLVs of GigabitEthernet 1 0 1 Sysname display lldp tlv config interface gigabitethernet 1...

Page 635: ...ES NO Power via MDI TLV YES NO Maximum Frame Size TLV YES NO LLDP MED extend TLV Capabilities TLV YES NO Network Policy TLV YES NO Location Identification TLV NO NO Extended Power via MDI TLV YES NO I...

Page 636: ...pabilities TLV Management Address TLV IEEE 802 1 extended TLV IEEE 802 1 organizationally specific TLVs Port PVID TLV Port and protocol VLAN ID TLV VLAN name TLV DCBX TLV DCBX TLVs are not supported i...

Page 637: ...LDP agent type If you do not specify an agent type in Ethernet the command sets the operating mode for nearest bridge agents nearest customer Specifies nearest customer bridge agents nearest nontpmr S...

Page 638: ...ts the polling interval for nearest bridge agents nearest customer Specifies nearest customer bridge agents nearest nontpmr Specifies nearest non TPMR bridge agents interval Sets the LLDP polling inte...

Page 639: ...xamples Enable CDP compatible LLDP globally and configure CDP compatible LLDP to operate in TxRx mode on GigabitEthernet 1 0 1 Sysname system view Sysname lldp compliance cdp Sysname interface gigabit...

Page 640: ...s LLDP takes effect on a port only when LLDP is enabled both globally and on the port Examples Disable LLDP on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname...

Page 641: ...R bridge agents Usage guidelines LLDP CDP packets use only SNAP encapsulation Examples Set the encapsulation format for LLDP frames to SNAP on GigabitEthernet 1 0 1 Sysname system view Sysname interfa...

Page 642: ...itial configuration or factory defaults see Fundamentals Configuration Guide Views System view Predefined user roles network admin Usage guidelines LLDP takes effect on a port only when LLDP is enable...

Page 643: ...rt ID TLV type in system view or interface view The interface specific setting takes precedence over the global setting Examples Enable the device to advertise port ID TLVs that contain interface name...

Page 644: ...If you execute this command multiple times the most recent configuration takes effect You can configure advertisement of the management address TLV globally or on a per interface basis The device sel...

Page 645: ...e Sets the TTL multiplier in the range of 2 to 10 Usage guidelines The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device...

Page 646: ...ormation all interface to enable displaying LLDP local information about all interfaces Use undo lldp local information all interface to disable displaying LLDP local information about interfaces not...

Page 647: ...an ARP entry if the received management address TLV contains an IPv4 address nd learning Generates an ND entry if the received management address TLV contains an IPv6 address vlan vlan id Specifies t...

Page 648: ...format string undo lldp agent nearest customer nearest nontpmr management address format In Layer 2 aggregate interface view lldp agent nearest customer nearest nontpmr management address format stri...

Page 649: ...x credit credit value undo lldp max credit Default The token bucket size for sending LLDP frames is 5 Views System view Predefined user roles network admin Parameters credit value Specifies the token...

Page 650: ...is enabled globally If LLDP is disabled globally LLDP can only operate in customer bridge mode Examples Configure LLDP to operate in service bridge mode Sysname system view Sysname lldp mode service...

Page 651: ...agent Specifies an LLDP agent type If you do not specify an agent type in Ethernet the command enables LLDP trapping for nearest bridge agents nearest customer Specifies nearest customer bridge agents...

Page 652: ...situations The specified VLAN or the corresponding VLAN interface does not exist The VLAN interface to which the VLAN ID belongs is physically down Examples Set the source MAC address of LLDP frames...

Page 653: ...n Parameters interval Sets the LLDP trap and LLDP MED trap transmission interval in the range of 5 to 3600 seconds Examples Set both the LLDP trap and LLDP MED trap transmission interval to 8 seconds...

Page 654: ...68 seconds Examples Set the LLDP frame transmission interval to 20 seconds Sysname system view Sysname lldp timer tx interval 20 lldp tlv config basic tlv port id Use lldp tlv config basic tlv port id...

Page 655: ...onfigure the port ID TLV type in system view or interface view The interface specific setting takes precedence over the global setting Examples Enable GigabitEthernet 1 0 1 to advertise port ID TLVs t...

Page 656: ...ot3 tlv all link aggregation undo lldp tlv enable dot1 tlv protocol vlan id vlan name management vid For nearest customer bridge agents lldp agent nearest customer tlv enable basic tlv all port descri...

Page 657: ...ny TLVs Nearest customer bridge agents can advertise basic TLVs and IEEE 802 1 organizationally specific TLVs Among the IEEE 802 1 organizationally specific TLVs only port and protocol VLAN ID TLVs VL...

Page 658: ...he permitted VLANs is assigned an IPv4 or IPv6 address or all VLAN interfaces are down the MAC address of the interface will be advertised For a Layer 2 aggregate interface the IPv4 or IPv6 address of...

Page 659: ...on firmware revision software revision serial number manufacturer name model name and asset ID location id Advertises location identification TLVs civic address Inserts the typical address information...

Page 660: ...ble private tlv to disable advertising H3C proprietary TLVs on an interface Syntax lldp agent nearest customer nearest nontpmr tlv enable private tlv actual power undo lldp agent nearest customer near...

Page 661: ...ameters interface interface type interface number Specifies a port by its type and number If you do not specify this option the command clears LLDP statistics on all ports agent Specifies an agent typ...

Page 662: ...i Contents L2PT commands 1 display l2protocol statistics 1 l2protocol tunnel dot1q 2 l2protocol tunnel dmac 4 l2protocol type tunnel dmac 4 reset l2protocol statistics 6...

Page 663: ...2PT statistics for all Layer 2 Ethernet and aggregate interfaces Examples Display L2PT statistics for all Layer 2 Ethernet and aggregate interfaces Sysname display l2protocol statistics L2PT statistic...

Page 664: ...ncreases by 1 when the interface receives a protocol packet and forwards it The number increases by 1 for protocol Tunnel when the interface receives a tunneled packet and forwards it If no interface...

Page 665: ...LD vtp Specifies VTP Usage guidelines Before you enable L2PT for a protocol on a port perform the following tasks Enable the protocol on the CE and disable the protocol on the port Enable L2PT only on...

Page 666: ...roles network admin Parameters mac address Specifies a destination multicast MAC address The available addresses are 0100 0ccd cdd0 0100 0ccd cdd1 0100 0ccd cdd2 and 010f e200 0003 Usage guidelines T...

Page 667: ...n multicast MAC address for tunneled packets of the specified protocol in the range of 0100 0000 0000 to 01ff ffff ffff Usage guidelines The l2protocol tunnel dmac command sets the destination multica...

Page 668: ...User view Predefined user roles network admin Parameters interface interface type interface number Specifies a Layer 2 Ethernet or aggregate interface by its type and number If you do not specify thi...

Page 669: ...relay client information 1 display pppoe relay statistics 2 pppoe relay client information format 3 pppoe relay client information strategy 5 pppoe relay enable 6 pppoe relay server information vendo...

Page 670: ...fic tag processing for client side packets on the PPPoE relay Sysname display pppoe relay client information format The current client information format Circuit ID ASCII Remote ID ASCII Display the p...

Page 671: ...PADR packets Keep Keeps the vendor specific tag unchanged Replace Pads the vendor specific tag in the configured padding format Related commands pppoe relay client information format pppoe relay clien...

Page 672: ...of PADT packets Packets dropped Dropped packets statistics of the interface Server responses from untrusted ports Number of PADO and PADS packets dropped on untrusted ports Client requests towards un...

Page 673: ...ters the first 63 characters are padded When the user defined format is used the system automatically recognizes the escape keyword input by the user and translates it to the actual information For mo...

Page 674: ...mac for the remote ID Sysname pppoe relay client information format remote id user defined mac Examples Configure the circuit ID padding format as the ASCII string format for the client side PPPoE pa...

Page 675: ...p member ports If a Layer 2 Ethernet interface is configured with this command before joining a Layer 2 aggregation group the command is cleared on the member port after the member ports joins the agg...

Page 676: ...ay trusted port with this feature enabled the PPPoE relay strips the vendor specific tags of the packets before forwarding the packets This command takes effect only on packets received on PPPoE relay...

Page 677: ...configure the PPPoE server facing interfaces on the PPPoE relay as trusted ports and configure the PPPoE client facing interfaces on the PPPoE relay as untrusted ports This command is not supported on...

Page 678: ...9 Related commands reset pppoe relay statistics...

Page 679: ...H3C IE4300 IE4300 M IE4320 Industrial Switch Series Layer 3 IP Services Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 20230116...

Page 680: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 681: ...enclose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choices separated by vertical bars from which you sel...

Page 682: ...s a Layer 2 or Layer 3 switch or a router that supports Layer 2 forwarding and other Layer 2 features Represents an access controller a unified wired WLAN module or the access controller engine on a u...

Page 683: ...Documentation feedback You can e mail your comments about product documentation to info h3c com We appreciate your comments...

Page 684: ...p openflow count 15 display arp timer aging 16 display arp user ip conflict record 16 display arp user move record 18 display arp vpn instance 19 reset arp 20 Gratuitous ARP commands 21 arp ip conflic...

Page 685: ...dd static ARP entries that contain multicast MAC addresses When dynamic ARP entry check is disabled ARP entries containing multicast MAC addresses are supported The device can learn dynamic ARP entrie...

Page 686: ...ng only when you are auditing or troubleshooting ARP events Examples Enable ARP logging Sysname system view Sysname arp check log enable arp mac interface consistency check enable Use arp mac interfac...

Page 687: ...s 0 to 1024 alarm alarm threshold Specifies an alarm threshold for dynamic ARP learning in percentage The value range for the alarm threshold argument is 1 to 100 The device generates a log message wh...

Page 688: ...redefined user roles network admin Parameters max number Specifies the maximum number of dynamic ARP entries for a device The value range for this argument is 0 to 1024 slot slot number Specifies an I...

Page 689: ...ticast or multiport unicast MAC address entry to specify multiple output interfaces The MAC address entry must have the same MAC address and VLAN ID as the multiport ARP entry In addition the IP addre...

Page 690: ...rface by its type and number vpn instance vpn instance name Specifies an MPLS L3VPN instance to which the static ARP entry belongs The vpn instance name argument represents the VPN instance name a cas...

Page 691: ...ernet 1 0 1 Related commands display arp reset arp arp timer aging Use arp timer aging to set the aging timer for dynamic ARP entries Use undo arp timer aging to restore the default Syntax arp timer a...

Page 692: ...view Sysname interface vlan interface 2 Sysname Vlan interface2 arp timer aging second 200 Related commands arp timer aging probe count arp timer aging probe interval display arp timer aging arp timer...

Page 693: ...ve probes for dynamic ARP entries Sysname system view Sysname arp timer aging probe count 5 Allow the device to perform a maximum of five probes for dynamic ARP entries on VLAN interface 2 Sysname sys...

Page 694: ...the probe interval to 10 seconds for dynamic ARP entries on VLAN interface 2 Sysname system view Sysname interface vlan interface 2 Sysname Vlan interface2 arp timer aging probe interval 10 Related c...

Page 695: ...port migrations Use undo arp user move record enable to disable recording user port migrations Syntax arp user move record enable undo arp user move record enable Default Recording user port migratio...

Page 696: ...nt Displays the number of ARP entries verbose Displays detailed information about ARP entries Usage guidelines This command displays information about ARP entries including the IP address MAC address...

Page 697: ...does not belong to the VLAN Interface Output interface in an ARP entry This field displays hyphens in either of the following situations The ARP entry is an unresolved short static ARP entry The ARP e...

Page 698: ...ersion Name of the VSI to which the ARP entry belongs If the ARP entry does not belong to any VSI this field displays hyphens VSI interface This field is not supported in the current software version...

Page 699: ...ludes the IP address MAC address VLAN ID output interface entry type and aging timer Examples Display the ARP entry for the IP address 20 1 1 1 Sysname display arp 20 1 1 1 Type S Static D Dynamic O O...

Page 700: ...sname display arp timer aging Current ARP aging time is 1200 seconds Related commands arp timer aging display arp user ip conflict record Use display arp user ip conflict record to display user IP add...

Page 701: ...d Description IP address IP address of a user System time Time when the user IP address conflict occurred Conflict count Number of times that conflicts for the IP address Log suppress count Number of...

Page 702: ...0 user port migration records When the number of user port migration records reaches the upper limit new records will overwrite the earliest ones Examples Display all user port migration records Sysna...

Page 703: ...the ARP entries for a VPN instance Syntax display arp vpn instance vpn instance name count Views Any view Predefined user roles network admin network operator Parameters vpn instance name Specifies a...

Page 704: ...D If you do not specify a member device this command clears ARP entries for the master device interface interface type interface number Specifies an interface by its type and number If you do not spec...

Page 705: ...rror message after the device receives an ARP reply about the conflict You can use this command to enable the device to display error messages before sending a gratuitous ARP reply or request for conf...

Page 706: ...enabled on multiple interfaces Each interface is configured with multiple secondary IP addresses A small sending interval is configured in the preceding cases Examples Enable VLAN interface 2 to send...

Page 707: ...ble to disable learning of gratuitous ARP packets Syntax gratuitous arp learning enable undo gratuitous arp learning enable Default Learning of gratuitous ARP packets is enabled Views System view Pred...

Page 708: ...n it receives ARP requests whose sender IP address is on a different subnet Views System view Predefined user roles network admin Examples Disable a device from sending gratuitous ARP packets upon rec...

Page 709: ...command to check whether local proxy ARP is enabled or disabled Examples Display the local proxy ARP status for VLAN interface 2 Sysname display local proxy arp interface vlan interface 2 Interface V...

Page 710: ...for which local proxy ARP is enabled The start IP address must be lower than or equal to the end IP address Usage guidelines Proxy ARP enables a device on a network to answer ARP requests for an IP a...

Page 711: ...nables a device on a network to answer ARP requests for an IP address not on that network With proxy ARP hosts in different broadcast domains can communicate with each other as they do on the same net...

Page 712: ...g to display ARP snooping entries Syntax display arp snooping vlan vlan id slot slot number count display arp snooping vlan ip ip address slot slot number Views Any view Predefined user roles network...

Page 713: ...AC address in an ARP snooping entry VLAN ID ID of the VLAN to which the ARP snooping entry belongs Interface Input interface in an ARP snooping entry Aging Aging time for an ARP snooping entry in minu...

Page 714: ...ip ip address Deletes the ARP snooping entry for the specified IP address in VLANs Examples Delete ARP snooping entries for VLAN 2 Sysname reset arp snooping vlan 2 Related commands display arp snoopi...

Page 715: ...ble ARP direct route advertisement Syntax arp route direct advertise undo arp route direct advertise Default ARP direct route advertisement is disabled Views Interface view Predefined user roles netwo...

Page 716: ...i Contents IP addressing commands 1 display ip interface 1 display ip interface brief 3 ip address 5 ip address unnumbered 6...

Page 717: ...ude the following information The number of unicast packets bytes and multicast packets the interface has sent and received The number of TTL invalid packets and ICMP packets the interface has receive...

Page 718: ...e data link layer protocol is up UP spoofing The data link layer protocol is up but the link is an on demand link or does not exist Internet Address IP address of an interface followed by Primary A pr...

Page 719: ...ackets Related commands display ip interface brief ip address display ip interface brief Use display ip interface brief to display brief IP configuration for Layer 3 interfaces Syntax display ip inter...

Page 720: ...terface is administratively shut down by using the shutdown command down The interface is administratively up but its physical state is down possibly because of a connection or link failure up Both th...

Page 721: ...command multiple times to specify different primary IP addresses on an interface the most recent configuration takes effect If the interface connects to multiple subnets configure primary and secondar...

Page 722: ...ually or through DHCP If the IP addresses are not enough or the interface is used only occasionally you can configure an interface to borrow an IP address from other interfaces This is called IP unnum...

Page 723: ...hcp server database update now 18 dhcp server database update stop 18 dhcp server forbidden ip 19 dhcp server ip pool 20 dhcp server ping packets 21 dhcp server ping timeout 21 dhcp server relay infor...

Page 724: ...splay dhcp relay information 68 display dhcp relay server address 70 display dhcp relay statistics 70 gateway list 72 master server switch delay 73 remote server 73 remote server algorithm 74 reset dh...

Page 725: ...ing 97 display dhcp snooping binding database 99 display dhcp snooping information 100 display dhcp snooping packet statistics 101 display dhcp snooping trust 102 reset dhcp snooping binding 103 reset...

Page 726: ...on the DHCP server reclaims an assigned IP address and deletes the binding entry when the ARP entry ages out for the IP address This feature on the DHCP relay agent deletes the related relay entry and...

Page 727: ...the DHCP relay agent Sysname system view Sysname dhcp dscp 30 dhcp enable Use dhcp enable to enable DHCP Use undo dhcp enable to disable DHCP Syntax dhcp enable undo dhcp enable Default DHCP is disabl...

Page 728: ...this situation might occur when a large number of clients frequently come online or go offline Examples Enable DHCP server logging Sysname system view Sysname dhcp log enable dhcp select Use dhcp sel...

Page 729: ...s in these responses as its own IP address Examples Enable the DHCP relay agent on VLAN interface 2 Sysname system view Sysname interface vlan interface 2 Sysname Vlan interface2 dhcp select relay Rel...

Page 730: ...8 150 in address pool 1 Sysname system view Sysname dhcp server ip pool 1 Sysname dhcp pool 1 address range 192 168 8 1 192 168 8 150 Related commands class dhcp class display dhcp server pool network...

Page 731: ...ame to restore the default Syntax bootfile name bootfile name url undo bootfile name Default No configuration file name or URL is specified Views DHCP address pool view Predefined user roles network a...

Page 732: ...lass Views DHCP policy view Predefined user roles network admin Parameters class name Specifies a DHCP user class by its name a case insensitive string of 1 to 63 characters pool name Specifies a DHCP...

Page 733: ...he DHCP options in the option group If multiple matches are found the server selects option groups by using the following methods If the option groups have options in common the server selects the opt...

Page 734: ...range specified by the address range command If the address range has no assignable IP addresses or no address range is configured the address allocation fails After you specify an address range for...

Page 735: ...configuration takes effect Examples Specify DHCP address pool pool1 as the default DHCP address pool in DHCP policy 1 Sysname system view Sysname dhcp policy 1 Sysname dhcp policy 1 default ip pool p...

Page 736: ...e undo dhcp class class name Default No DHCP user classes exist Views System view Predefined user roles network admin Parameters class name Specifies the name of a DHCP user class a case insensitive s...

Page 737: ...rs option group number Assigns a number to the DHCP option group in the range of 1 to 32768 Examples Create DHCP option group 1 and enter DHCP option group view Sysname system view Sysname dhcp option...

Page 738: ...st to enable the DHCP server to broadcast all responses Use undo dhcp server always broadcast to restore the default Syntax dhcp server always broadcast undo dhcp server always broadcast Default The D...

Page 739: ...from all address pools If no static binding is found the server assigns configuration parameters from the address pool applied on the interface to the client If the address pool has no assignable IP a...

Page 740: ...1048 Default This feature is disabled The DHCP server does not process the Vend field of RFC 1048 incompliant requests but copies the Vend field into responses Views System view Predefined user roles...

Page 741: ...bindings to a file Use undo dhcp server database filename to restore the default Syntax dhcp server database filename filename url url undo dhcp server database filename Default The DHCP server does n...

Page 742: ...e dhcp Related commands dhcp server database update interval dhcp server database update now dhcp server database update stop dhcp server database update interval Use dhcp server database update inter...

Page 743: ...Usage guidelines Each time this command is executed the DHCP bindings are saved to the backup file For this command to take effect you must configure the DHCP auto backup by using the dhcp server dat...

Page 744: ...ndo dhcp server forbidden ip to remove the configuration Syntax dhcp server forbidden ip start ip address end ip address vpn instance vpn instance name undo dhcp server forbidden ip start ip address e...

Page 745: ...r ip pool to create a DHCP address pool and enter its view or enter the view of an existing DHCP address pool Use undo dhcp server ip pool to delete the specified DHCP address pool Syntax dhcp server...

Page 746: ...ss before assigning it to a DHCP client If a ping attempt succeeds the server determines that the IP address is in use and picks a new IP address If all the ping attempts fail the server assigns the I...

Page 747: ...view Sysname dhcp server ping timeout 1000 Related commands dhcp server ping packets display dhcp server conflict reset dhcp server conflict dhcp server relay information enable Use dhcp server relay...

Page 748: ...its IP address is correct If the requested IP address is different from the allocated one or has no matching lease record the DHCP server remains silent by default After the allocated IP address lease...

Page 749: ...HCP client sends a DECLINE packet to the DHCP server to inform the server of an IP address conflict The DHCP server discovers that the only assignable address in the address pool is its own IP address...

Page 750: ...n information Syntax display dhcp server expired ip ip address vpn instance vpn instance name pool pool name Views Any view Predefined user roles network admin network operator Parameters ip ip addres...

Page 751: ...d user roles network admin network operator Parameters pool pool name Displays assignable IP addresses in the specified address pool The pool name is a case insensitive string of 1 to 63 characters If...

Page 752: ...dress Displays binding information about the specified assigned IP address If you do not specify an IP address this command displays binding information about all assigned IP addresses vpn instance vp...

Page 753: ...atic binding has not been assigned to the specific client Unlimited Infinite lease expiration time After 2100 The lease will expire after 2100 Type Binding types Static F A free static binding whose I...

Page 754: ...68 domain name www aabbcc com bims server ip 192 168 0 51 sharekey cipher c 3 K13OmQPi791YvQoF2Gs1E 65LOU option 2 ip address 1 1 1 1 expired day 1 hour 2 minute 3 second 0 Pool name 1 Network 20 1 2...

Page 755: ...e DHCP user class and its address range static bindings Static IP to MAC client ID bindings option Customized DHCP option expired Lease duration bootfile name Boot file name dns list DNS server IP add...

Page 756: ...plays information about all address pools vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters If you do not specify a VPN instance...

Page 757: ...if you display statistics for a specific address pool Messages received DHCP packets received from clients DHCPDISCOVER DHCPREQUEST DHCPDECLINE DHCPRELEASE DHCPINFORM BOOTPREQUEST This field is not di...

Page 758: ...ame dhcp pool 0 dns list 10 1 1 254 Related commands display dhcp server pool domain name Use domain name to specify a domain name in a DHCP address pool Use undo domain name to restore the default Sy...

Page 759: ...ange of 0 to 59 The default is 0 unlimited Specifies the unlimited lease duration which is actually 136 years Usage guidelines The DHCP server assigns an IP address together with the lease duration to...

Page 760: ...xclude a maximum of 4096 IP addresses in an address pool by executing this command multiple times If you do not specify any parameters the undo forbidden ip command removes all excluded IP addresses E...

Page 761: ...secondary subnet view DHCP assigns those specified in address pool view If you do not specify any parameters the undo gateway list command deletes all gateway addresses Examples Specify gateway addres...

Page 762: ...ule For example if you specify abc in the rule option content xabc xyzabca xabcyz and abcxyz all match the rule hex hex string Specifies a hexadecimal number The length of the hexadecimal number must...

Page 763: ...offset offset partial options If you do not specify the offset or partial parameter a packet matches a rule if the option content starts with the ASCII string Examples Configure match rule 1 for DHCP...

Page 764: ...hold for the address pool usage percentage The value range is 1 to 100 Usage guidelines If you execute this command in the same address pool view multiple times the most recent configuration takes eff...

Page 765: ...ame dhcp pool 0 nbns list 10 1 1 1 Related commands display dhcp server pool netbios type netbios type Use netbios type to specify the NetBIOS node type in a DHCP address pool Use undo netbios type to...

Page 766: ...ied subnet Syntax network network address mask length mask mask secondary undo network network address mask length mask mask secondary Default No subnet is specified in a DHCP address pool Views DHCP...

Page 767: ...Sysname dhcp pool 0 network 192 168 8 0 mask 255 255 255 0 Sysname dhcp pool 0 network 192 168 10 0 mask 255 255 255 0 secondary Sysname dhcp pool 0 secondary Related commands display dhcp server poo...

Page 768: ...decimal number must be an even number in the range of 2 to 256 ip address ip address 1 8 Specifies a space separated list of up to eight IP addresses as the option content Usage guidelines The DHCP se...

Page 769: ...tion Syntax reset dhcp server conflict ip ip address vpn instance vpn instance name Views User view Predefined user roles network admin Parameters ip ip address Clears conflict information about the s...

Page 770: ...ool name is a case insensitive string of 1 to 63 characters If you do not specify an address pool this command clears binding information about expired IP addresses in all address pools Examples Clear...

Page 771: ...statistics Syntax reset dhcp server statistics vpn instance vpn instance name Views User view Predefined user roles network admin Parameters vpn instance vpn instance name Specifies an MPLS L3VPN inst...

Page 772: ...ample aabb cccc dd is correct and aabb c dddd and aabb cc dddd are not correct ethernet Specifies the client hardware address type as Ethernet The default type is Ethernet token ring Specifies the cli...

Page 773: ...ommands display dhcp server pool tftp server ip address tftp server ip address Use tftp server ip address to specify a TFTP server address in a DHCP address pool Use undo tftp server ip address to res...

Page 774: ...8 Specifies a space separated list of up to eight DHCP user classes by their names a case insensitive string of 1 to 63 characters Usage guidelines For this command to take effect you must enable the...

Page 775: ...ntax voice config as ip ip address fail over ip address dialer string ncp ip ip address voice vlan vlan id disable enable undo voice config as ip fail over ncp ip voice vlan Default No Option 184 cont...

Page 776: ...o restore the default Syntax vpn instance vpn instance name undo vpn instance Default The DHCP address pool is not applied to any VPN instance Views DHCP address pool view Predefined user roles networ...

Page 777: ...HCP relay agent forwards the request to the DHCP server If they are not the same the DHCP relay agent discards the request The MAC address check feature takes effect only when the dhcp select relay co...

Page 778: ...information record Use dhcp relay client information record to enable recording client information in relay entries Use undo dhcp relay client information record to disable the feature Syntax dhcp rel...

Page 779: ...the refresh interval The more the entries the shorter the refresh interval The shortest interval is 50 ms interval interval Specifies the refresh interval in the range of 1 to 120 seconds Usage guidel...

Page 780: ...the IP address If the server returns a DHCP NAK message the relay agent keeps the entry With this feature disabled the DHCP relay agent does not remove relay entries automatically After a DHCP client...

Page 781: ...undo dhcp relay gateway to restore the default Syntax dhcp relay gateway ip address undo dhcp relay gateway Default The primary IP address of the interface is inserted in DHCP requests as the DHCP rel...

Page 782: ...ier interface information and VLAN ID The default node identifier is the MAC address of the access node The default interface information consists of the Ethernet type fixed to eth chassis number slot...

Page 783: ...pe Hex for the chassis number slot number sub slot number interface number and VLAN ID Examples Specify the content mode as verbose node identifier as the device name and the padding format as ASCII f...

Page 784: ...sname Vlan interface10 dhcp relay information enable Related commands dhcp relay information circuit id dhcp relay information remote id dhcp relay information strategy display dhcp relay information...

Page 785: ...cp relay information enable Sysname Vlan interface10 dhcp relay information strategy replace Sysname Vlan interface10 dhcp relay information remote id string device001 Related commands dhcp relay info...

Page 786: ...ormation enable display dhcp relay information dhcp relay master server switch delay Use dhcp relay master server switch delay to enable the switchback to the master DHCP server and set the switchback...

Page 787: ...r you execute this command the relay agent sends a DHCP RELEASE packet to the DHCP server and removes the relay entry of the IP address Upon receiving the packet the server removes binding information...

Page 788: ...e user class for different DHCP servers If you execute the command with different user classes for the same ip address the most recent configuration takes effect If you specify an MPLS L3VPN instance...

Page 789: ...backup as the DHCP server selecting algorithm on VLAN interface 2 Sysname system view Sysname interface vlan interface 2 Sysname Vlan interface2 dhcp relay server address algorithm master backup Relat...

Page 790: ...the output interface up in the MAC address table to forward the DHCP reply If you execute this command multiple times the most recent configuration takes effect Examples Specify 1 1 1 1 as the source...

Page 791: ...ned user roles network admin Parameters time Specifies the DHCP server response timeout time in the range of 1 to 65535 seconds Usage guidelines If you execute this command multiple times the most rec...

Page 792: ...stance vpn instance name Views Any view Predefined user roles network admin network operator Parameters interface interface type interface number Displays relay entries on the specified interface If y...

Page 793: ...type Dynamic The relay agent creates a dynamic relay entry upon receiving an ACK response from the DHCP server Temporary The relay agent creates a temporary relay entry upon receiving a REQUEST packe...

Page 794: ...defined Circuit ID vlan100 Remote ID device001 Table 11 Command output Field Description Interface Interface name Status Option 82 states Enable DHCP relay agent support for Option 82 is enabled Disa...

Page 795: ...3 Y abc Table 12 Command output Field Description Interface name Interface name Server IP address DHCP server IP address Public VRF name Location of the DHCP server which is determined by the configu...

Page 796: ...t statistics on the DHCP relay agent Sysname display dhcp relay statistics DHCP packets dropped 0 DHCP packets received from clients 0 DHCPDISCOVER 0 DHCPREQUEST 0 DHCPINFORM 0 DHCPRELEASE 0 DHCPDECLI...

Page 797: ...assified into different types by their locations In this case the relay interface typically has no IP address configured You can use the gateway list command to specify gateway addresses for clients m...

Page 798: ...e this command multiple times the most recent configuration takes effect Examples Configure the DHCP relay agent to switch back to the master DHCP server 3 minutes after it switches to a backup DHCP s...

Page 799: ...restore the default Syntax remote server algorithm master backup polling undo remote server algorithm Default The polling algorithm is used The DHCP relay agent forwards DHCP requests to all DHCP ser...

Page 800: ...or all IP addresses vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the specified IP address belongs The vpn instance name argument is a case sensitive string of 1 to 31 char...

Page 801: ...mal string of 4 to 64 characters as the value in Option 60 Usage guidelines Option 60 acts as a vendor class identifier VCI You can configure a DHCP client to send a request with Option 60 for the DHC...

Page 802: ...licate address Sysname system view Sysname undo dhcp client dad enable dhcp client dscp Use dhcp client dscp to set the DSCP value for DHCP packets sent by the DHCP client Use undo dhcp client dscp to...

Page 803: ...ent ID mac interface type interface number Uses the MAC address of the specified interface as a DHCP client ID The interface type interface number argument specifies an interface by its type and numbe...

Page 804: ...T2 226800 seconds DHCP server 40 1 1 2 Display detailed DHCP client information on all interfaces Sysname display dhcp client verbose Vlan interface10 DHCP client information Current state BOUND Alloc...

Page 805: ...HCP server IP address that assigned the IP address Transaction ID Transaction ID a random number chosen by the client to identify an IP address allocation Default router Gateway address assigned to th...

Page 806: ...oc command the interface sends a DHCP RELEASE message to release the IP address obtained through DHCP If the interface is down the message cannot be sent out This situation can occur when a subinterfa...

Page 807: ...ping entries to a remote file If you use the local storage medium the frequent erasing and writing might damage the medium and then cause the DHCP snooping device to malfunction When the file is on a...

Page 808: ...g entry is learned updated or removed the waiting period starts The DHCP snooping device updates the backup file when the waiting period is reached All changed entries during the period will be saved...

Page 809: ...ing record Default DHCP snooping does not record client information Views Layer 2 Ethernet interface Layer 2 aggregate interface view VLAN view Predefined user roles network admin Usage guidelines Thi...

Page 810: ...ing check request message to disable DHCP REQUEST check for DHCP snooping Syntax dhcp snooping check request message undo dhcp snooping check request message Default DHCP REQUEST check for DHCP snoopi...

Page 811: ...ess acquisition failure configure a port to block DHCP packets only if no DHCP clients are attached to it To enable a port on the snooping device to drop all incoming DHCP requests configure that port...

Page 812: ...ing disable dhcp snooping enable Use dhcp snooping enable to enable DHCP snooping globally Use undo dhcp snooping enable to disable DHCP snooping globally Syntax dhcp snooping enable undo dhcp snoopin...

Page 813: ...CP responses This mechanism ensures that DHCP clients obtain IP addresses from authorized DHCP servers After you disable DHCP snooping for a VLAN all interfaces in the VLAN can forward DHCP responses...

Page 814: ...e node identifier sysname Uses the device name as the node identifier You can set the device name by using the sysname command in system view The padding format for the device name is always ASCII reg...

Page 815: ...at ascii Related commands dhcp snooping information enable dhcp snooping information strategy display dhcp snooping information dhcp snooping information enable Use dhcp snooping information enable to...

Page 816: ...padding format is hex Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin Parameters vlan vlan id Pads the Remote ID sub option for packets recei...

Page 817: ...tegy for Option 82 in request messages Use undo dhcp snooping information strategy to restore the default Syntax dhcp snooping information strategy append drop keep replace undo dhcp snooping informat...

Page 818: ...nooping information enable Sysname GigabitEthernet1 0 1 dhcp snooping information strategy keep Related commands dhcp snooping information circuit id dhcp snooping information remote id dhcp snooping...

Page 819: ...ving a DHCP request The device forwards the DHCP request without padding the Vendor Specific sub option if the following conditions exist The dhcp snooping information strategy append command is confi...

Page 820: ...thernet interface Layer 2 aggregate interface view Predefined user roles network admin Parameters max number Specifies the maximum number of DHCP snooping entries for an interface to learn The value r...

Page 821: ...mum rate to 67 the value 64 or 72 takes effect Examples Set the maximum rate to 64 Kbps at which Layer 2 Ethernet interface GigabitEthernet 1 0 1 can receive DHCP packets Sysname system view Sysname i...

Page 822: ...nterface number Specifies an interface by its type and number Usage guidelines In a VLAN configure interfaces facing the DHCP server as trusted ports and configure other interfaces as untrusted ports...

Page 823: ...ping entries Sysname display dhcp snooping binding 2 DHCP snooping entries found IP address MAC address Lease VLAN SVLAN Interface 1 1 1 7 0000 0101 0107 16907533 2 3 GE1 0 1 1 1 1 11 0000 0101 010b 1...

Page 824: ...hcp snooping enable reset dhcp snooping binding display dhcp snooping binding database Use display dhcp snooping binding database to display information about DHCP snooping entry auto backup Syntax di...

Page 825: ...device Syntax display dhcp snooping information all interface interface type interface number Views Any view Predefined user roles network admin network operator Parameters all Displays Option 82 con...

Page 826: ...this field displays the user defined string For the Vendor Specific sub option the node identifier can be MAC Sysname or User Defined string where string in the brackets indicates the user defined no...

Page 827: ...mation about trusted ports Syntax display dhcp snooping trust Views Any view Predefined user roles network admin network operator Examples Display information about trusted ports Sysname display dhcp...

Page 828: ...hernet service instance view Trusted This field is not supported in the current software version Trusted AC specified in VXLAN based DHCP snooping configuration Related commands dhcp snooping trust dh...

Page 829: ...tion about a BOOTP client Syntax display bootp client interface interface type interface number Views Any view Predefined user roles network admin network operator Parameters interface interface type...

Page 830: ...address of a BOOTP client Related commands ip address bootp alloc ip address bootp alloc Use ip address bootp alloc to configure an interface to use BOOTP for IP address acquisition Use undo ip addres...

Page 831: ...2 display dns server 3 display ipv6 dns server 4 dns domain 5 dns dscp 5 dns proxy enable 6 dns server 7 dns source interface 7 dns spoofing 8 dns trust interface 9 ip host 10 ipv6 dns dscp 11 ipv6 dn...

Page 832: ...stance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters If you do not specify a VPN instance this command displays domain name suffixes for the public ne...

Page 833: ...nce this command displays domain name to IP address mappings for the public network Usage guidelines If you do not specify the ip or ipv6 keyword this command displays domain name to IP address mappin...

Page 834: ...oles network admin network operator Parameters dynamic Displays IPv4 DNS server information dynamically obtained through DHCP or other protocols If you do not specify this keyword the command displays...

Page 835: ...do not specify this keyword the command displays the statically configured and dynamically obtained IPv6 DNS server information vpn instance vpn instance name Specifies an MPLS L3VPN instance by its n...

Page 836: ...haracters and each separated string includes no more than 63 characters vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters To con...

Page 837: ...affects the transmission priority of the packet A bigger DSCP value represents a higher priority Examples Set the DSCP value to 30 for outgoing DNS packets Sysname system view Sysname dns dscp 30 dns...

Page 838: ...to the DNS servers in the order their IPv4 addresses are specified The system allows a maximum of six DNS server IPv4 addresses for the public network or each VPN instance You can specify DNS server...

Page 839: ...S query The method of selecting the IPv6 address is defined in RFC 3484 The system allows only one source interface for the public network or each VPN instance If you execute this command multiple tim...

Page 840: ...d specify IPv4 address 1 1 1 1 for spoofing DNS requests Sysname system view Sysname dns proxy enable Sysname dns spoofing 1 1 1 1 Related commands dns proxy enable dns trust interface Use dns trust i...

Page 841: ...ers are letters digits hyphens underscores _ and dots ip address Specifies the IPv4 address of the host vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive str...

Page 842: ...The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet A bigger DSCP value represents a higher priority Examples Set the DSCP value t...

Page 843: ...addresses are specified The system allows a maximum of six DNS server IPv6 addresses for the public network or each VPN instance You can specify DNS server IPv6 addresses for both public network and...

Page 844: ...enable Sysname ipv6 dns spoofing 2001 1 Related commands dns proxy enable ipv6 host Use ipv6 host to create a host name to IPv6 address mapping Use undo ipv6 host to remove a host name to IPv6 addres...

Page 845: ...reset dns host ip ipv6 vpn instance vpn instance name Views User view Predefined user roles network admin Parameters ip Specifies type A queries A type A query resolves a domain name to the mapped IP...

Page 846: ...i Contents Basic IP forwarding commands 1 display fib 1 ip forwarding table save 2...

Page 847: ...0 to 32 Usage guidelines If you specify an IP address without a mask or mask length this command displays the longest matching FIB entry If you specify an IP address and a mask or mask length this com...

Page 848: ...ry count 1 Flag U Usable G Gateway H Host B Blackhole D Dynamic S Static R Relay F FRR Destination Mask Nexthop Flag OutInterface Token Label 10 2 1 1 32 127 0 0 1 UH InLoop0 Null Table 1 Command outp...

Page 849: ...age guidelines The command automatically creates the file if you specify a nonexistent file If the file already exists this command overwrites the file content To automatically save the IP forwarding...

Page 850: ...g commands 1 display ip fast forwarding aging time 1 display ip fast forwarding cache 1 display ip fast forwarding fragcache 2 ip fast forwarding aging time 3 ip fast forwarding load sharing 4 reset i...

Page 851: ...g cache to display fast forwarding entries Syntax display ip fast forwarding cache ip address slot slot number Views Any view Predefined user roles network admin network operator Parameters ip address...

Page 852: ...warding cache display ip fast forwarding fragcache Use display ip fast forwarding fragcache to display fast forwarding entries for fragmented packets Syntax display ip fast forwarding fragcache ip add...

Page 853: ...ding cache ip fast forwarding aging time Use ip fast forwarding aging time to configure the aging time for fast forwarding entries Use undo ip fast forwarding aging time to restore the default Syntax...

Page 854: ...ed the device identifies a data flow by the packet information and the input interface No load sharing is implemented Examples Enable fast forwarding load sharing Sysname system Views Sysname ip fast...

Page 855: ...tics 14 display udp verbose 14 ip forward broadcast 17 ip icmp error interval 18 ip icmp source 19 ip mtu 20 ip reassemble local enable 21 ip redirects enable 21 ip ttl expires enable 22 ip unreachabl...

Page 856: ...MP statistics Sysname display icmp statistics Input bad formats 0 bad checksum 0 echo 175 destination unreachable 0 source quench 0 redirects 0 echo replies 201 parameter problem 0 timestamp 0 informa...

Page 857: ...ress fails 0 Fragment input 0 output 0 dropped 0 fragmented 0 couldn t fragment 0 Reassembling sum 0 timeouts 0 Table 1 Command output Field Description Input Statistics about received packets sum Tot...

Page 858: ...RawIP connections Syntax display rawip slot slot number Views Any view Predefined user roles network admin network operator Parameters slot slot number Specifies an IRF member device by its member ID...

Page 859: ...t specify a member device this command displays detailed information about RawIP connections for all member devices Usage guidelines The detailed information includes socket creator state option type...

Page 860: ...pped packets state Buffer state CANTSENDMORE Unable to send data to the peer CANTRCVMORE Unable to receive data from the peer RCVATMARK Receiving tag N A None of the above states Sending buffer cc hiw...

Page 861: ...wIP support this flag INP_USEICMPSRC Uses the specified IP address as the source IP address for outgoing ICMP packets INP_SYNCPCB Waits until Internet PCB is synchronized N A None of the above flags I...

Page 862: ...te Examples Display brief information about TCP connections Sysname display tcp TCP connection with authentication Local Addr port Foreign Addr port State Slot PCB 0 0 0 0 21 0 0 0 0 0 LISTEN 1 0x0000...

Page 863: ...plicate packets 12 36 bytes partially duplicate packets 0 0 bytes out of order packets 0 0 bytes packets with data after window 0 0 bytes packets after close 0 ACK packets 3531 795048 bytes duplicate...

Page 864: ...tablished connections 23 closed connections 50051 dropped 0 initiated dropped 0 bad connection attempt 0 ignored RSTs in the window 0 listen queue overflows 0 RTT updates 3518 attempt segment 3537 cor...

Page 865: ...1 Location slot 6 cpu 0 NSR standby N A Creator bgpd 199 State ISCONNECTED Options N A Error 0 Receiving buffer cc hiwat lowat state 0 65700 1 N A Sending buffer cc hiwat lowat state 0 65700 512 N A T...

Page 866: ...t lowat state Displays send buffer information in the following order cc Used space hiwat Maximum space lowat Minimum space state Buffer state CANTSENDMORE Unable to send data to the peer CANTRCVMORE...

Page 867: ...D Receives the VLAN ID of the packet Only UDP and RawIP support this flag INP_RCVMACADDR Receives the MAC address of the frame INP_RECVTOS Receives TOS of the packet Only UDP and RawIP support this fl...

Page 868: ...f the connection M Main connection S Standby connection Send VRF This field is not supported in the current software version VRF from which packets are sent Receive VRF This field is not supported in...

Page 869: ...IRF member device by its member ID If you do not specify a member device this command displays UDP traffic statistics for all member devices Usage guidelines UDP traffic statistics include information...

Page 870: ...on IP address and port number for UDP connections Examples Display detailed UDP connection information Sysname display udp verbose Total UDP socket number 1 Connection info src 0 0 0 0 69 dst 0 0 0 0...

Page 871: ...TMARK Receiving tag N A None of the above states Sending buffer cc hiwat lowat state Displays send buffer information in the following order cc Used space hiwat Maximum space lowat Minimum space state...

Page 872: ...l Internet PCB is synchronized N A None of the above flags Inpcb extflag Extension flags in the Internet PCB INP_EXTRCVPVCIDX Records the PVC index of the received packet INP_RCVPWID Records the PW ID...

Page 873: ...AN The command enables the interface to forward directed broadcast packets that are destined for the directly connected network and are received from another subnet to support Wake on LAN Wake on LAN...

Page 874: ...mpty ICMP error messages are not sent until a new token is placed in the bucket Examples Set the interval to 200 milliseconds for tokens to arrive in the bucket and the bucket size to 40 tokens for IC...

Page 875: ...he sending device easily Examples Specify 1 1 1 1 as the source address for outgoing ICMP packets Sysname system view Sysname ip icmp source 1 1 1 1 ip mtu Use ip mtu to set the interface MTU for IPv4...

Page 876: ...Default IPv4 local fragment reassembly is disabled Views System view Predefined user roles network admin Usage guidelines Use this feature on a multichassis IRF fabric to improve fragment reassembly...

Page 877: ...P time exceeded messages Use undo ip ttl expires enable to disable sending ICMP time exceeded messages Syntax ip ttl expires enable undo ip ttl expires enable Default Sending ICMP time exceeded messag...

Page 878: ...ble The device sends the source an ICMP protocol unreachable message when the following conditions are met The received packet is destined for the device The transport layer protocol of the packet is...

Page 879: ...raffic statistics for all member devices Usage guidelines Use this command to clear history IP traffic statistics before you collect IP traffic statistics for a time period Examples Clear IP traffic s...

Page 880: ...ytes The value range for this argument is 128 to 1460 Usage guidelines The MSS option informs the receiver of the largest segment that the sender can accept Each end announces its MSS during TCP conne...

Page 881: ...0 minutes no aging Does not age out the path MTU Usage guidelines After you enable TCP path MTU discovery all new TCP connections detect the path MTU The device uses the path MTU to calculate the MSS...

Page 882: ...er establishes a large number of TCP semi connections and cannot handle normal services SYN Cookie can protect the server from SYN flood attacks When the server receives a SYN packet it responds to th...

Page 883: ...ue undo tcp timer syn timeout Default The TCP SYN wait timer is 75 seconds Views System view Predefined user roles network admin Parameters time value Specifies the TCP SYN wait timer in the range of...

Page 884: ...ons that are established after you execute the command Existing TCP connections are not affected Examples Enable the device to encapsulate the TCP Timestamps option in outgoing TCP packets Sysname sys...

Page 885: ...i Contents UDP helper commands 1 display udp helper interface 1 reset udp helper statistics 1 udp helper broadcast map 2 udp helper enable 3 udp helper port 3 udp helper server 4...

Page 886: ...isplay information about broadcast to unicast conversion by UDP helper on VLAN interface 100 Sysname display udp helper interface vlan interface 100 Interface Server VPN instance Server address Packet...

Page 887: ...he destination broadcast address is converted acl acl number Specifies an ACL by its number The ACL filters incoming broadcast packets for UDP helper Packets permitted by the ACL can be converted If n...

Page 888: ...ew Predefined user roles network admin Usage guidelines For UDP helper to take effect on an interface make sure the following conditions are met UDP helper is enabled A UDP port number is specified by...

Page 889: ...eceiving a UDP broadcast or multicast packet UDP helper uses the specified UDP ports to match the UDP destination port number of the packet To specify a UDP port you can specify the port number or the...

Page 890: ...ent the undo udp helper server command removes all destination servers on the interface A destination server with the global keyword and the same destination server with the vpn instance vpn instance...

Page 891: ...link local 37 ipv6 address eui 64 38 ipv6 address link local 38 ipv6 address prefix number 40 ipv6 hop limit 41 ipv6 hoplimit expires enable 41 ipv6 icmpv6 error interval 42 ipv6 icmpv6 multicast echo...

Page 892: ...nimize 67 ipv6 neighbor stale aging 68 ipv6 neighbor timer stale aging 69 ipv6 neighbors max learning num 69 ipv6 pathmtu 70 ipv6 pathmtu age 71 ipv6 prefer temporary address 72 ipv6 prefix 72 ipv6 re...

Page 893: ...s command displays all IPv6 FIB entries prefix length Specifies a prefix length for the IPv6 address in the range of 0 to 128 If you do not specify the prefix length this command displays the IPv6 FIB...

Page 894: ...lot number Views Any view Predefined user roles network admin network operator Parameters slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this co...

Page 895: ...age guidelines If you do not specify an interface this command displays IPv6 information about all interfaces If you specify only the interface type argument this command displays IPv6 information abo...

Page 896: ...ards 0 OutDiscards 0 Table 2 Command output Field Description Vlan interface2 current state Physical state of the interface Administratively DOWN The interface has been administratively shut down by u...

Page 897: ...igured global unicast addresses using a prefix are preferred Joined group address es Addresses of the multicast groups that the interface has joined MTU MTU of the interface ND DAD is enabled number o...

Page 898: ...tNotMembers Received IPv6 multicast packets that are discarded because the interface is not in the multicast group OutMcastPkts IPv6 multicast packets sent by the interface InAddrErrors Received IPv6...

Page 899: ...ays the link local address If no address is configured this field displays Unassigned display ipv6 interface prefix Use display ipv6 interface prefix to display IPv6 prefix information for an interfac...

Page 900: ...figuration N The prefix is not advertised in RA messages P The prefix has a preference Lifetime Lifetime in seconds advertised in RA messages If the prefix does not need to be advertised this field di...

Page 901: ...ing vlan vlan id interface interface type interface number global link local ipv6 address verbose Views Any view Predefined user roles network admin network operator Parameters vlan vlan id Displays N...

Page 902: ...r more information about the SVLAN and CVLAN see QinQ in Layer 2 LAN Switching Configuration Guide Interface Input interface in the ND snooping entry Status Status of the ND snooping entry TENTATIVE T...

Page 903: ...ace GigabitEthernet1 0 2 Old SVLAN CVLAN 100 2 New SVLAN CVLAN 100 2 Old MAC 00e0 ca63 8141 New MAC 00e0 ca63 8142 IPv6 address 10 2 System time 2018 02 02 10 20 30 Conflict count 1 Log suppress count...

Page 904: ...Syntax display ipv6 nd user move record slot slot number Views Any view Predefined user roles network admin network operator Parameters slot slot number Specifies an IRF member device by its member I...

Page 905: ...ipv6 nd user move record enable display ipv6 neighbors Use display ipv6 neighbors to display IPv6 neighbor information Syntax display ipv6 neighbors ipv6 address all dynamic static slot slot number i...

Page 906: ...9 0204 1 GE1 0 2 STALE D 136 Display detailed information about all neighbors Sysname display ipv6 neighbors all verbose IPv6 Address 1 2 MAC address 6864 6839 0202 Type Dynamic State STALE Aging 136...

Page 907: ...e time of the neighbor For a static neighbor entry this field displays hyphens representing the neighbor entry never expires For a dynamic neighbor entry this field displays the elapsed time in second...

Page 908: ...splays the total number of neighbor entries in the specified VLAN The value range for VLAN ID is 1 to 4094 Examples Display the total number of neighbor entries created dynamically Sysname display ipv...

Page 909: ...AN Interface Interface connected to the neighbor State State of the neighbor INCMP The address is being resolved The link layer address of the neighbor is unknown REACH The neighbor is reachable STALE...

Page 910: ...ays all Path MTU information for the public network dynamic Displays all dynamic Path MTU information static Displays all static Path MTU information count Displays the total number of Path MTU entrie...

Page 911: ...efix command A dynamic IPv6 prefix is obtained from the DHCPv6 server and its prefix ID is configured by using the ipv6 dhcp client pd command For detailed information see Layer 3 IP Services Configur...

Page 912: ...n network operator Parameters slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command displays brief information about IPv6 RawIP connection...

Page 913: ...range for the pcb index argument is 1 to 16 Examples Display detailed information about an IPv6 RawIP connection Sysname display ipv6 rawip verbose Total RawIP socket number 1 Connection info src dst...

Page 914: ...the out of band data in the input queue SO_REUSEPORT Allows the local port reuse SO_TIMESTAMP Records the timestamps of the incoming packets accurate to milliseconds This option is applicable to proto...

Page 915: ...e VLAN ID of the packet Only UDP and RawIP support this flag IN6P_IPV6_V6ONLY Only supports IPv6 protocol stack IN6P_PKTINFO Receives the source IPv6 address and input interface of the packet IN6P_HOP...

Page 916: ...t Hop limit in the Internet PCB Send VRF VRF from which packets are sent Receive VRF VRF from which packets are received display ipv6 statistics Use display ipv6 statistics to display IPv6 and ICMPv6...

Page 917: ...cts 0 Router renumbering 0 Send failed Rate limitation 0 Other errors 0 Received packets Total 0 Checksum errors 0 Too short 0 Bad codes 0 Unreachable 0 Too big 0 Hop limit exceeded 0 Reassembly timeo...

Page 918: ...0000000009 Table 15 Command output Field Description Indicates that the TCP connection uses authentication LAddr port Local IPv6 address and port number FAddr port Peer IPv6 address and port number St...

Page 919: ...n TCP inpcb number Number of IPv6 TCP Internet PCBs Connection info Connection information including source IPv6 address source port number destination IPv6 address and destination port number Locatio...

Page 920: ...uffer cc hiwat lowat state Displays receive buffer information in the following order cc Used space hiwat Maximum space lowat Minimum space state Buffer state CANTSENDMORE Unable to send data to the p...

Page 921: ...ong a given data path TCP does not support this flag INP_RCVMACADDR Receives the MAC address of the frame INP_SYNCPCB Waits until Internet PCB is synchronized N A None of the above flags Inpcb extflag...

Page 922: ...he Nagle algorithm that buffers the sent data inside the TCP TF_NOOPT No TCP options TF_NOPUSH Forces TCP to delay sending any TCP data until a full sized segment is buffered in the TCP buffers TF_BIN...

Page 923: ...port Peer IPv6 address and port number PCB PCB index display ipv6 udp verbose Use display ipv6 udp verbose to display detailed information about IPv6 UDP connections Syntax display ipv6 udp verbose sl...

Page 924: ...CONNECTING The connection is being interrupted ASYNC Asynchronous mode ISDISCONNECTED The connection has been terminated PROTOREF Indicates strong protocol reference N A None of above state Options So...

Page 925: ...ormation in the following order cc Used space hiwat Maximum space lowat Minimum space state Buffer state CANTSENDMORE Unable to send data to the peer CANTRCVMORE Unable to receive data from the peer R...

Page 926: ...A None of the above flags Inpcb extflag Extension flags in the Internet PCB INP_EXTRCVPVCIDX Records the PVC index of the received packet INP_RCVPWID Records the PW ID of the received packet N A None...

Page 927: ...global unicast address of VLAN interface 100 to 2001 1 with prefix length 64 Method 1 Sysname system view Sysname interface vlan interface 100 Sysname Vlan interface100 ipv6 address 2001 1 64 Method 2...

Page 928: ...the interface can automatically generate a global unicast address Use undo ipv6 address auto to disable this feature Syntax ipv6 address auto undo ipv6 address auto Default The stateless address auto...

Page 929: ...mmand deletes only the link local addresses generated through the ipv6 address auto link local command If the undo command is executed on an interface with an IPv6 global unicast address configured th...

Page 930: ...formats ipv6 address prefix length For example 2001 1 64 ipv6 address prefix length For example 2001 1 64 Usage guidelines An EUI 64 IPv6 address is generated based on the specified prefix and the au...

Page 931: ...automatically generated If you use manual assignment and then use automatic generation both of the following occur The automatically generated link local address does not take effect The manually assi...

Page 932: ...host bit An interface can generate only one IPv6 global unicast address based on the prefix specified by using the ipv6 address command To configure the interface to generate a new IPv6 address execu...

Page 933: ...vertises the hop limit in RA messages All RA message receivers use the advertised value to fill in the Hop Limit field for IPv6 packets to be sent To disable the device from advertising the hop limit...

Page 934: ...rval Default The bucket allows a maximum of 10 tokens and a token is placed in the bucket every 100 milliseconds Views System view Predefined user roles network admin Parameters interval Specifies the...

Page 935: ...gured to reply to multicast echo requests an attacker can use this mechanism to attack the host For example the attacker can send an echo request to a multicast address with Host A as the source All h...

Page 936: ...e system view Sysname ipv6 icmpv6 source 1 1 ipv6 mtu Use ipv6 mtu to set the interface MTU for IPv6 packets Use undo ipv6 mtu to restore the default Syntax ipv6 mtu size undo ipv6 mtu Default The int...

Page 937: ...ful autoconfiguration for example from an DHCPv6 server to obtain IPv6 addresses If the M flag is set to 0 in RA advertisements receiving hosts use stateless autoconfiguration Stateless autoconfigurat...

Page 938: ...to set the number of attempts to send an NS message for DAD Use undo ipv6 nd dad attempts to restore the default Syntax ipv6 nd dad attempts times undo ipv6 nd dad attempts Default The number of attem...

Page 939: ...rval value in the range of 1000 to 4294967295 milliseconds Usage guidelines If a device does not receive a response from the peer within the specified interval the device resends an NS message The dev...

Page 940: ...ace and uses the value to fill the Reachable Time field in RA messages to be sent Examples Set the neighbor reachable time on VLAN interface 100 to 10000 milliseconds Sysname system view Sysname inter...

Page 941: ...fies the URL address of the boot file a case sensitive string of 1 to 127 characters The URL address must be started with http https ftp or tftp Usage guidelines In some specific networks a device fol...

Page 942: ...maller sequence number represents a higher priority Usage guidelines The DNS search list DNSSL option in RA messages provides DNS suffix information for hosts The RA messages allow hosts to obtain the...

Page 943: ...terface view Predefined user roles network admin Usage guidelines This command suppresses advertising DNS suffixes in RA messages RA messages are suppressed by default To disable RA message suppressio...

Page 944: ...v6 address of the DNS server which must be a global unicast address or a link local address seconds Specifies the lifetime of the DNS server in seconds The value range is 4 to 4294967295 Value 4294967...

Page 945: ...for RA messages on VLAN interface 100 Sysname system view Sysname interface vlan interface 100 Sysname Vlan interface100 ipv6 nd ra dns server 2001 10 100 infinite sequence 1 Related commands ipv6 nd...

Page 946: ...the interface has no DNS server information specified or no AAA authorized DNS server address assigned no RA messages are triggered Each time the device sends an RA message from an interface it immedi...

Page 947: ...les Specify unlimited hops in the RA messages on VLAN interface 100 Sysname system view Sysname interface vlan interface 10 Sysname Vlan interface10 ipv6 nd ra hop limit unspecified Related commands i...

Page 948: ...s ipv6 nd ra router lifetime ipv6 nd ra no advlinkmtu Use ipv6 nd ra no advlinkmtu to turn off the MTU option in RA messages Use undo ipv6 nd ra no advlinkmtu to restore the default Syntax ipv6 nd ra...

Page 949: ...ecifies a prefix not to be used for stateless autoconfiguration If you do not specify this keyword the prefix is used for stateless autoconfiguration off link Indicates that the address with the prefi...

Page 950: ...seconds The default value is 2592000 seconds 30 days preferred lifetime Specifies the preferred lifetime of a prefix used for stateless autoconfiguration in the range of 0 to 4294967295 seconds The p...

Page 951: ...to 0 the router does not act as the default router Usage guidelines The router lifetime in RA messages specifies how long the router sending the RA messages acts as the default router Hosts receiving...

Page 952: ...ples Set the router preference in RA messages to the highest on VLAN interface 100 Sysname system view Sysname interface vlan interface 100 Sysname Vlan interface100 ipv6 nd router preference high ipv...

Page 953: ...system view Sysname ipv6 nd snooping dad retrans timer 200 ipv6 nd snooping enable global Use ipv6 nd snooping enable global to enable ND snooping for global unicast addresses Use undo ipv6 nd snoopin...

Page 954: ...oping is disabled for data packets from unknown sources Views VLAN view Predefined user roles network admin Usage guidelines This command enables the device to learn ND snooping entries from data pack...

Page 955: ...LID status TENTATIVE TESTING_TPLT or TESTING_VP The value range is 250 to 1000 milliseconds valid valid lifetime Sets a timeout timer for ND snooping entries in VALID status The value range is 60 to 9...

Page 956: ...k port The ND snooping uplink port cannot learn ND snooping entries Use undo ipv6 nd snooping uplink to restore the default Syntax ipv6 nd snooping uplink undo ipv6 nd snooping uplink Default The port...

Page 957: ...d Monitoring Configuration Guide Each IRF member device can generate a maximum of 10 user IPv6 address conflict logs per second When this maximum number is reached the member device suppresses generat...

Page 958: ...ion records When the number of saved user port migration records reaches the upper limit new records overwrite old ones Examples Enable recording user port migrations Sysname system view Sysname ipv6...

Page 959: ...of the previous configuration methods to configure a static neighbor entry for a VLAN interface If Method 1 is used the neighbor entry is in INCMP state After the device obtains the corresponding Laye...

Page 960: ...undo ipv6 neighbor stale aging Default The aging timer for ND entries in stale state is 240 minutes Views System view Predefined user roles network admin Parameters aging time Specifies the aging tim...

Page 961: ...updated before the timer expires it changes to the delay state If it is still not updated in 5 seconds the ND entry changes to the probe state The device sends an NS message for probe and a maximum of...

Page 962: ...stops learning neighbor information Examples Allow VLAN interface 100 to learn a maximum of 10 dynamic neighbor entries Sysname system view Sysname interface vlan interface 100 Sysname Vlan interface...

Page 963: ...athmtu age to set the aging time for a dynamic Path MTU Use undo ipv6 pathmtu age to restore the default Syntax ipv6 pathmtu age age time undo ipv6 pathmtu age Default The aging time for dynamic Path...

Page 964: ...user roles network admin Usage guidelines The temporary address feature enables the system to generate and preferentially use the temporary IPv6 address of the sending interface as the source address...

Page 965: ...Sysname system view Sysname ipv6 prefix 1 2001 0410 32 Related commands display ipv6 prefix ipv6 reassemble local enable Use ipv6 reassemble local enable to enable IPv6 local fragment reassembly Use u...

Page 966: ...ages enables hosts that hold few routes to establish routing tables and find the best route Because this feature adds host routes into the routing tables host performance degrades when there are too m...

Page 967: ...in the RA message and a fixed interface ID generated based on the interface s MAC address Temporary IPv6 address Includes an address prefix in the RA message and a random interface ID generated throu...

Page 968: ...incorrectly disable sending ICMPv6 destination unreachable messages to prevent attack risks Examples Enable sending ICMPv6 destination unreachable messages Sysname system view Sysname ipv6 unreachabl...

Page 969: ...nooping vlan Use reset ipv6 nd snooping vlan to clear ND snooping entries in VLANs Syntax reset ipv6 nd snooping vlan vlan id global link local vlan id ipv6 address Views User view Predefined user rol...

Page 970: ...pe and number slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command clears dynamic neighbor information for all member devices static Clea...

Page 971: ...tu reset ipv6 statistics Use reset ipv6 statistics to clear IPv6 and ICMPv6 packet statistics Syntax reset ipv6 statistics slot slot number Views User view Predefined user roles network admin Paramete...

Page 972: ...icy 26 ipv6 dhcp class 26 ipv6 dhcp option group 27 ipv6 dhcp policy 28 ipv6 dhcp pool 28 ipv6 dhcp prefix pool 29 ipv6 dhcp server 30 ipv6 dhcp server apply pool 31 ipv6 dhcp server database filename...

Page 973: ...ename 72 ipv6 dhcp snooping binding database update interval 73 ipv6 dhcp snooping binding database update now 74 ipv6 dhcp snooping binding record 74 ipv6 dhcp snooping check request message 75 ipv6...

Page 974: ...er the DHCPv6 process is running on the device Examples Display the DUID of the local device Sysname display ipv6 dhcp duid The DUID of this device 0003000100e0fc005552 ipv6 dhcp advertise pd route Us...

Page 975: ...ipv6 dhcp dscp to set the DSCP value for the DHCPv6 packets sent by the DHCPv6 server or the DHCPv6 relay agent Use undo ipv6 dhcp dscp to restore the default Syntax ipv6 dhcp dscp dscp value undo ipv...

Page 976: ...tion might occur when a large number of clients frequently come online or go offline Examples Enable DHCPv6 server logging Sysname system view Sysname ipv6 dhcp log enable ipv6 dhcp select Use ipv6 dh...

Page 977: ...dhcp server DHCPv6 server commands address range Use address range to specify a non temporary IPv6 address range in a DHCPv6 address pool for dynamic allocation Use undo address range to restore the d...

Page 978: ...100 10 through 3ffe 501 ffff 100 31 in address pool 1 Sysname system view Sysname ipv6 dhcp pool 1 Sysname dhcp6 pool 1 network 3ffe 501 ffff 100 64 Sysname dhcp6 pool 1 address range 3ffe 501 ffff 1...

Page 979: ...HCPv6 policy view Predefined user roles network admin Parameters class name Specifies a DHCPv6 user class by its name a case insensitive string of 1 to 63 characters pool name Specifies a DHCPv6 addre...

Page 980: ...ecified or the default address pool does not have assignable IPv6 addresses or prefixes the assignment fails You can specify only one default address pool in a DHCPv6 policy If you execute this comman...

Page 981: ...d or deleted Examples Display information about all DHCPv6 option groups Sysname display ipv6 dhcp option group DHCPv6 option group 1 DNS server addresses Type Static Interface N A 1 1 DNS server addr...

Page 982: ...prefix acquisition Dynamic DHCPv6 address and prefix allocation Parameters in a dynamic DHCPv6 option group created during IPv6 address and prefix acquisition Interface Interface name DNS server addr...

Page 983: ...1 FFFF 100 64 Preferred lifetime 604800 seconds valid lifetime 2592000 seconds Prefix pool 1 Preferred lifetime 24000 seconds valid lifetime 36000 seconds Addresses Range from 3FFE 501 FFFF 100 1 to 3...

Page 984: ...refix pool referenced by the address pool Preferred lifetime Preferred lifetime in seconds valid lifetime Valid lifetime in seconds Addresses Non temporary IPv6 address range Range IPv6 address range...

Page 985: ...f information about all prefix pools Sysname display ipv6 dhcp prefix pool Prefix pool Prefix Available In use Static 1 5 64 64 0 0 Display brief information about all prefix pools Sysname display ipv...

Page 986: ...es display ipv6 dhcp server Use display ipv6 dhcp server to display DHCPv6 server configuration information Syntax display ipv6 dhcp server interface interface type interface number Views Any view Pre...

Page 987: ...s prefix assignment is enabled Rapid commit Indicates whether rapid address prefix assignment is enabled display ipv6 dhcp server conflict Use display ipv6 dhcp server conflict to display information...

Page 988: ...play ipv6 dhcp server database to display information about DHCPv6 binding auto backup Syntax display ipv6 dhcp server database Views Any view Predefined user roles network admin network operator Exam...

Page 989: ...Pv6 address this command displays lease expiration information for all IPv6 addresses vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 cha...

Page 990: ...tion for all IPv6 addresses vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters If you do not specify a VPN instance this command...

Page 991: ...sent by the DHCPv6 server in a DHCPv6 OFFER packet to the client Static C Committed static binding whose IPv6 address has been assigned to the client Auto O Offered dynamic binding whose IPv6 address...

Page 992: ...a DHCPv6 address pool this command displays IPv6 prefix binding information for all DHCPv6 address pools prefix prefix prefix len Displays binding information for the specified IPv6 prefix The value r...

Page 993: ...dynamic binding whose IPv6 prefix has been dynamically selected by the DHCPv6 server and sent in a DHCPv6 OFFER packet to the DHCPv6 client Auto C Committed dynamic binding whose IPv6 prefix has been...

Page 994: ...you do not specify an address pool this command displays DHCPv6 packet statistics for all address pools vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive st...

Page 995: ...s pool are displayed this field is not displayed Packets dropped Number of packets discarded If statistics about an address pool are displayed this field is not displayed Packets sent Number of messag...

Page 996: ...domain name in a DHCPv6 address pool Use undo domain name to restore the default Syntax domain name domain name undo domain name Default No domain name is specified Views DHCPv6 address pool view DHCP...

Page 997: ...rule if the specified option in the packet contains the ASCII string or hexadecimal number specified in the rule For example if you specify abc in the rule option content xabc xyzabca xabcyz and abcx...

Page 998: ...with the ASCII string Examples Configure match rule 1 for the DHCPv6 user class exam to match DHCPv6 requests that contain Option 16 Sysname system view Sysname ipv6 dhcp class exam Sysname dhcp6 clas...

Page 999: ...e DHCPv6 policy to an interface If you execute this command multiple times the most recent configuration takes effect Examples Apply the DHCPv6 policy test to VLAN interface 2 Sysname system view Sysn...

Page 1000: ...se undo ipv6 dhcp option group to delete the specified static DHCPv6 option group Syntax ipv6 dhcp option group option group number undo ipv6 dhcp option group option group number Default No static DH...

Page 1001: ...age guidelines In DHCP policy view you can specify address pools for different user classes Clients matching a user class will obtain IPv6 addresses and other parameters from the specified address poo...

Page 1002: ...Create a DHCPv6 address pool named pool1 and enter its view Sysname system view Sysname ipv6 dhcp pool pool1 Sysname dhcp6 pool pool1 Related commands class pool display ipv6 dhcp pool ipv6 dhcp serv...

Page 1003: ...e restrictions and guidelines This command does not take effect if the prefix does not exist This command takes effect after the prefix is created Do not specify the same prefix for different prefix p...

Page 1004: ...low hint keyword is not specified the server ignores the desired address or prefix and selects an address or prefix from a global address pool If you use the ipv6 dhcp server and ipv6 dhcp server appl...

Page 1005: ...rver assigns a free address or prefix If allow hint is not specified the server ignores the desired address or prefix and assigns a free address or prefix Only one address pool can be applied to an in...

Page 1006: ...v6 server to malfunction When the backup file is on a remote device follow these restrictions and guidelines to specify the URL If the file is on an FTP server enter URL in the format of ftp server ad...

Page 1007: ...ct only after you configure the DHCPv6 binding auto backup by using the ipv6 dhcp server database filename command Examples Set the waiting time to 600 seconds for the DHCPv6 server to update the back...

Page 1008: ...he timer expires the DHCPv6 server stops waiting and starts providing address allocation services You can execute this command to terminate the download immediately Manual termination allows the DHCPv...

Page 1009: ...ork do not specify this option Usage guidelines The IPv6 addresses of some devices such as the gateway and FTP server cannot be assigned to clients Use this command to exclude such addresses from dyna...

Page 1010: ...end prefix prefix len are all excluded vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters If the excluded IPv6 prefixes belong to...

Page 1011: ...conds and the default is 2592000 seconds 30 days The valid lifetime must be longer than or equal to the preferred lifetime Usage guidelines You can specify only one subnet for a DHCPv6 address pool If...

Page 1012: ...ption Use option to configure a self defined DHCPv6 option in a DHCPv6 address pool Use undo option to remove a self defined DHCPv6 option from a DHCPv6 address pool Syntax option code hex hex string...

Page 1013: ...kes effect Examples Configure Option 23 that specifies a DNS server address 2001 f3e0 1 in DHCPv6 address pool 1 Sysname system view Sysname ipv6 dhcp pool 1 Sysname dhcp6 pool 1 option 23 hex 2001f3e...

Page 1014: ...ifetime valid lifetime Sets the valid lifetime in the range of 60 to 4294967295 seconds The default value is 2592000 seconds 30 days The valid lifetime must be longer than or equal to the preferred li...

Page 1015: ...pecify a VPN instance this command clears conflict information about IPv6 addresses for the public network Usage guidelines Address conflicts occur when dynamically assigned IP addresses have been sta...

Page 1016: ...ax reset ipv6 dhcp server ip in use address ipv6 address vpn instance vpn instance name pool pool name Views User view Predefined user roles network admin Parameters address ipv6 address Clears bindin...

Page 1017: ...128 If you do not specify an IPv6 prefix this command clears binding information for all assigned IPv6 prefixes vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sens...

Page 1018: ...erver address ipv6 address domain name domain name undo sip server address ipv6 address domain name domain name Default No SIP server address or domain name is specified Views DHCPv6 address pool view...

Page 1019: ...efix len Specifies the prefix and prefix length The value range for the prefix length is 1 to 128 duid duid Specifies a client DUID The value is an even hexadecimal number in the range of 2 to 256 iai...

Page 1020: ...rred lifetime preferred lifetime valid lifetime valid lifetime undo temporary address range Default No temporary IPv6 address range is configured in a DHCPv6 address pool Views DHCPv6 address pool vie...

Page 1021: ...network admin Parameters vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters If you do not specify a VPN instance the DHCPv6 address pool belon...

Page 1022: ...o not specify an interface this command displays DHCPv6 server addresses on all interfaces enabled with DHCPv6 relay agent Examples Display DHCPv6 server addresses on all interfaces enabled with DHCPv...

Page 1023: ...ecified the VPN instance name is displayed after the slash for example 1 Related commands ipv6 dhcp relay server address ipv6 dhcp select display ipv6 dhcp relay statistics Use display ipv6 dhcp relay...

Page 1024: ...0 Relay reply 8 Packets sent 16 Advertise 0 Reconfigure 0 Reply 8 Relay forward 8 Relay reply 0 Table 12 Command output Field Description Packets dropped Number of discarded packets Packets received...

Page 1025: ...view Predefined user roles network admin Parameters ipv6 address 1 8 Specifies a space separated list of up to eight addresses Usage guidelines DHCPv6 clients of the same access type can be classified...

Page 1026: ...hus cannot forward the packets destined for the client To resolve this problem enable the DHCPv6 relay agent to advertise host routes for assigned IPv6 addresses in DHCP replies The advertised route i...

Page 1027: ...passes to support Option 79 This feature allows the DHCPv6 relay agent to learn the MAC address in the client request When the relay agent generates a Relay Forward packet for the request it fills the...

Page 1028: ...hcp relay interface id to restore the default Syntax ipv6 dhcp relay interface id bas interface undo ipv6 dhcp relay interface id Default The DHCPv6 relay agent fills the Interface ID option with the...

Page 1029: ...is on the public network If you do not specify this keyword whether the DHCPv6 server is on the public network or in the VPN depends on the DHCPv6 client location vpn instance vpn instance name Specif...

Page 1030: ...ource IPv6 address for relayed DHCPv6 requests Views Interface view Predefined user roles network admin Parameters ipv6 address Specifies a source IPv6 address interface interface type interface numbe...

Page 1031: ...to forward packets to the DHCPv6 server If you do not specify an outgoing interface the DHCPv6 relay agent performs a routing table lookup Usage guidelines You can specify a maximum of eight DHCPv6 s...

Page 1032: ...ce number Views Any view Predefined user roles network admin network operator Parameters interface interface type interface number Specifies an interface by its type and number If you do not specify a...

Page 1033: ...s DHCPv6 State Current state of the DHCPv6 client IDLE The client is in idle state SOLICIT The client is locating a DHCPv6 server REQUEST The client is requesting an IPv6 address or prefix OPEN The cl...

Page 1034: ...e DNS server Domain name Domain name suffix SIP server addresses IPv6 address of the SIP server SIP server domain names Domain name of the SIP server Options Self defined options Code Code of the self...

Page 1035: ...ackets Reconfigure Number of received reconfigure packets Invalid Number of invalid packets Packets sent Number of sent packets Solicit Number of sent solicit packets Request Number of sent request pa...

Page 1036: ...t Examples Configure VLAN interface 10 to use DHCPv6 for IPv6 address acquisition Configure the DHCPv6 client to support rapid address assignment and create dynamic DHCPv6 option group 1 for the confi...

Page 1037: ...twork admin Parameters ascii ascii string Specifies a case sensitive ASCII string of 1 to 130 characters as the DHCPv6 client DUID hex hex string Specifies a hexadecimal number of 2 to 260 characters...

Page 1038: ...group number Enables the DHCPv6 client to create a dynamic DHCPv6 option group for saving the configuration parameters and assigns an ID to the option group The value range for the ID is 1 to 100 If...

Page 1039: ...groups Usage guidelines The ipv6 dhcp client stateful command takes effect if it is configured with the ipv6 address dhcp alloc and ipv6 dhcp client pd commands on an interface You must execute the un...

Page 1040: ...hcp client statistics interface interface type interface number Views User view Predefined user roles network admin Parameters interface interface type interface number Specifies an interface by its t...

Page 1041: ...Field Description IPv6 Address IPv6 address assigned to the DHCPv6 client MAC Address MAC address of the DHCPv6 client Lease Remaining lease duration in seconds VLAN When both DHCPv6 snooping and QinQ...

Page 1042: ...al Waiting time in seconds after a DHCPv6 snooping entry change for the DHCPv6 snooping device to update the backup file Latest write time Time of the latest update Status Status of the update Writing...

Page 1043: ...refix length argument is 1 to 128 vlan vlan id Specifies the ID of the VLAN where the IPv6 prefix resides The value range for the vlan id argument is 1 to 4094 Usage guidelines This command takes effe...

Page 1044: ...d reset ipv6 dhcp snooping pd binding display ipv6 dhcp snooping trust Use display ipv6 dhcp snooping trust to display information about trusted ports Syntax display ipv6 dhcp snooping trust Views Any...

Page 1045: ...ce view Trusted This field is not supported in the current software version Trusted AC specified in VXLAN based DHCPv6 snooping configuration Related commands ipv6 dhcp snooping trust ipv6 dhcp snoopi...

Page 1046: ...hcp You can also specify the DNS domain name for the server address field for example ftp company database dhcp Examples Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the...

Page 1047: ...ame ipv6 dhcp snooping binding database update now Use ipv6 dhcp snooping binding database update now to manually save DHCPv6 snooping entries to the backup file Syntax ipv6 dhcp snooping binding data...

Page 1048: ...dhcp snooping binding record ipv6 dhcp snooping check request message Use ipv6 dhcp snooping check request message to enable the DHCPv6 REQUEST check feature Use undo ipv6 dhcp snooping check request...

Page 1049: ...dhcp snooping deny Default A port does not block DHCPv6 requests Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network admin Usage guidelines CAUTION To...

Page 1050: ...command on the target interface Examples Disable DHCPv6 snooping on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 ipv6 dhcp snooping di...

Page 1051: ...a range of VLANs in the form of vlan id1 to vlan id2 The value range for the VLAN IDs is 1 to 4094 If you specify a VLAN range the value for the vlan id2 argument must be greater than the value for th...

Page 1052: ...r see Network Management and Monitoring Configuration Guide As a best practice disable this feature if the log generation affects the device performance Examples Enable DHCPv6 snooping logging Sysname...

Page 1053: ...t for Option 18 Views Layer 2 Ethernet interface Layer 2 aggregate interface view Predefined user roles network admin Parameters vlan vlan id Pads the interface ID for packets received from the specif...

Page 1054: ...p snooping enable ipv6 dhcp snooping option remote id string ipv6 dhcp snooping option remote id string Use ipv6 dhcp snooping option remote id string to specify the content as the remote ID for Optio...

Page 1055: ...ecording of DHCPv6 snooping prefix entries is disabled Views Layer 2 Ethernet interface Layer 2 aggregate interface view VLAN view Predefined user roles network admin Usage guidelines This command ena...

Page 1056: ...rs of the aggregate interface If a member interface leaves the aggregation group it uses the rate configured in its Ethernet interface view The chip supported maximum rate is an integer multiple of ei...

Page 1057: ...ing trust interface interface type interface number Default After you enable DHCPv6 snooping for a VLAN all ports in the VLAN are DHCP snooping untrusted ports Views VLAN view Predefined user roles ne...

Page 1058: ...Examples Clear all DHCPv6 snooping address entries Sysname reset ipv6 dhcp snooping binding all Related commands display ipv6 dhcp snooping binding reset ipv6 dhcp snooping packet statistics Use reset...

Page 1059: ...ntries for 1 2 64 Sysname reset ipv6 dhcp snooping pd binding prefix 1 2 64 Related commands display ipv6 dhcp snooping pd binding DHCPv6 guard commands The DHCPv6 guard feature operates correctly onl...

Page 1060: ...servers are attached to the target interface or VLAN set the device role to DHCPv6 client for devices attached to the target interface or VLAN The trust port command has a higher priority than the de...

Page 1061: ...olicy DHCPv6 guard policy name Device role Device role Client DHCPv6 client role Server DHCPv6 server role Trusted port Whether the trusted port is configured for the guard policy Server preference mi...

Page 1062: ...me Specifies a basic or advanced ACL by its name a case insensitive string of 1 to 63 characters The ACL name must start with an English letter and to avoid confusion it cannot be all Usage guidelines...

Page 1063: ...ue range for this argument is as follows 2000 to 2999 for a basic ACL 3000 to 3999 for an advanced ACL name acl name Specifies a basic or advanced ACL by its name a case insensitive string of 1 to 63...

Page 1064: ...olicy policy name undo ipv6 dhcp guard apply policy Default No DHCPv6 guard policy is applied to an interface or VLAN Views Interface view VLAN view Predefined user roles network admin Parameters poli...

Page 1065: ...Specifies a DHCPv6 guard policy name a case insensitive string of 1 to 63 characters Usage guidelines To provide finer level of filtering granularity you can specify the following parameters for a DH...

Page 1066: ...The device uses the specified range to match the DHCPv6 server preference in the received DHCPv6 Advertise message If the DHCPv6 server preference is in the allowed range the device continues to use o...

Page 1067: ...d all interfaces in the VLAN to which the DHCPv6 guard policy is applied are trusted ports The device forwards received DHCP replies on the trusted ports without check The trust port command has a hig...

Page 1068: ...v6 fast forwarding commands 1 display ipv6 fast forwarding aging time 1 display ipv6 fast forwarding cache 1 ipv6 fast forwarding aging time 2 ipv6 fast forwarding load sharing 3 reset ipv6 fast forwa...

Page 1069: ...g time of IPv6 fast forwarding entries in seconds Related commands ipv6 fast forwarding aging time display ipv6 fast forwarding cache Use display ipv6 fast forwarding cache to display IPv6 fast forwar...

Page 1070: ...tination IPv6 address Dst Port Destination port number Protocol Protocol number VPN instance VPN instance If the entry does not belong to any VPN instance this field displays N A Input interface Input...

Page 1071: ...rding load sharing Use undo ipv6 fast forwarding load sharing to disable IPv6 fast forwarding load sharing Syntax ipv6 fast forwarding load sharing undo ipv6 fast forwarding load sharing Default IPv6...

Page 1072: ...User view Predefined user roles network admin Parameters slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command clears the IPv6 fast forwa...

Page 1073: ...i Contents HTTP redirect commands 1 http redirect https port 1 http redirect ssl server policy 1...

Page 1074: ...a TCP port number used by a well known protocol or used by any other service To display TCP port numbers that have been used by services use the display tcp command If you execute this command multipl...

Page 1075: ...te a nonexistent SSL server policy with the HTTPS redirect service and then configure the SSL server policy If you change the SSL server policy associated with the HTTPS redirect service the new polic...

Page 1076: ...i Contents NAT commands 1 display nat session 1 display nat static 3 nat static enable 4 nat static outbound 4 reset nat session 5...

Page 1077: ...t slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command displays NAT sessions for all member devices verbose Displays detailed information...

Page 1078: ...tunnel interface If the session does not belong to any DS Lite tunnel this field displays a hyphen VPN instance VLAN ID VLL ID The fields identify the following information VPN instance MPLS L3VPN ins...

Page 1079: ...4 4 4 4 Global IP 5 5 5 5 Config status Active Interfaces enabled with static NAT Totally 1 interfaces enabled with static NAT Interface Vlan interface100 Service card Config status Active Table 2 Com...

Page 1080: ...s After you enable static NAT on an interface if packet IP addresses match a NAT rule the device generates NAT sessions and performs forwarding in software The packets are sent to the CPU at a maximum...

Page 1081: ...local ip When you specify an ACL follow these restrictions and guidelines If the ACL does not exist or does not contain a rule the ACL cannot match any packet If you specify the vpn instance keyword...

Page 1082: ...member device by its member ID If you do not specify a member device this command clears NAT sessions for all member devices Examples Clear NAT sessions for the specified slot Sysname reset nat sessi...

Page 1083: ...H3C IE4300 IE4300 M IE4320 Industrial Switch Series Layer 3 IP Routing Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 20230116...

Page 1084: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 1085: ...enclose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choices separated by vertical bars from which you sel...

Page 1086: ...s a Layer 2 or Layer 3 switch or a router that supports Layer 2 forwarding and other Layer 2 features Represents an access controller a unified wired WLAN module or the access controller engine on a u...

Page 1087: ...Documentation feedback You can e mail your comments about product documentation to info h3c com We appreciate your comments...

Page 1088: ...lay ipv6 routing table acl 28 display ipv6 routing table ipv6 address 32 display ipv6 routing table prefix list 34 display ipv6 routing table protocol 36 display ipv6 routing table statistics 37 displ...

Page 1089: ...work admin Examples Create the RIB IPv4 address family and enter its view Sysname system view Sysname rib Sysname rib address family ipv4 Sysname rib ipv4 address family ipv6 Use address family ipv6 t...

Page 1090: ...nformation including information about both active and inactive routes If you do not specify this keyword the command displays only brief information about active routes Usage guidelines If you do not...

Page 1091: ...255 255 255 32 Direct 0 0 127 0 0 1 InLoop0 VPN instance vpn1 Destinations 10 Routes 10 Destination Mask Proto Pre Cost NextHop Interface 0 0 0 0 32 Direct 0 0 127 0 0 1 InLoop0 1 1 2 0 24 Static 60 0...

Page 1092: ...blic network or VPN instance that the routing table belongs to For the public network this field displays public instance For a VPN instance this field displays the VPN instance name Destinations Numb...

Page 1093: ...LastAs 0 AttrID 0xffffffff Neighbor 0 0 0 0 Flags 0x1008c OrigNextHop 192 168 47 4 Label NULL RealNextHop 192 168 47 4 BkLabel NULL BkNextHop N A SRLabel NULL BkSRLabel NULL Tunnel ID Invalid Interfa...

Page 1094: ...el NULL RealNextHop 192 168 47 4 BkLabel NULL BkNextHop N A SRLabel NULL BkSRLabel NULL Tunnel ID Invalid Interface Vlan interface11 BkTunnel ID Invalid BkInterface N A FtnIndex 0x0 TrafficIndex N A C...

Page 1095: ...the route RealNextHop Real next hop of the route BkLabel Backup label BkNexthop Backup next hop SRLabel Segment routing SR label BkSRLabel Backup segment routing SR label Tunnel ID This field is not...

Page 1096: ...ot specify this keyword the command displays only brief information about active routes permitted by the basic ACL Usage guidelines If the specified ACL does not exist or has no rules configured the c...

Page 1097: ...111 Label NULL RealNextHop 192 168 1 111 BkLabel NULL BkNextHop N A SRLabel NULL BkSRLabel NULL Tunnel ID Invalid Interface Vlan interface11 BkTunnel ID Invalid BkInterface N A FtnIndex 0x0 TrafficIn...

Page 1098: ...SubProtID 0x0 Age 04h20m37s Cost 0 Preference 0 IpPre N A QosLocalID N A Tag 0 State Active NoAdv OrigTblID 0x0 OrigVrf default vrf TableID 0x2 OrigAs 0 NibID 0x10000003 LastAs 0 AttrID 0xffffffff Ne...

Page 1099: ...brief information about active routes Usage guidelines Executing the command with different parameters yields different outputs display ip routing table ip address The system ANDs the entered destinat...

Page 1100: ...60 0 0 0 0 0 NULL0 Display brief information about the routes to the destination IP address 11 0 0 1 and mask length 20 Sysname display ip routing table 11 0 0 1 20 Summary count 2 Destination Mask P...

Page 1101: ...Specifies an IP prefix list by its name a case sensitive string of 1 to 63 characters verbose Displays detailed information about all routes permitted by the IP prefix list If you do not specify this...

Page 1102: ...ip routing table protocol to display information about routes installed by a protocol Syntax display ip routing table vpn instance vpn instance name protocol protocol inactive verbose Views Any view P...

Page 1103: ...Direct 0 0 127 0 0 1 InLoop0 Direct Routing table status Inactive Summary count 0 Display brief information about static routes Sysname display ip routing table protocol static Summary count 1 Static...

Page 1104: ...to Routes Active Added Deleted DIRECT 12 12 30 18 STATIC 3 3 5 2 RIP 0 0 0 0 OSPF 0 0 0 0 Total 15 15 35 20 Display IPv4 route statistics for the public network and all VPN instances Sysname display i...

Page 1105: ...ary Use display ip routing table summary to display brief routing table information Syntax display ip routing table vpn instance vpn instance name summary Views Any view Predefined user roles network...

Page 1106: ...shold value percentage of max active routes This field is displayed when the alarm threshold is specified by using the routing table limit number warn threshold command in the range of 1 to 100 in per...

Page 1107: ...to ffffffff verbose Displays detailed next hop information in the IPv6 RIB If you do not specify this keyword the command displays brief next hop information in the IPv6 RIB protocol protocol Specifi...

Page 1108: ...serKey0 0x0 VrfNthp 0 UserKey1 0x0 Nexthop 1 IFIndex 0x112 LocalAddr 1 TopoNthp Invalid ExtType 0x0 RefCnt 4 FlushRefCnt 1 Flag 0x84 Version 1 1 nexthop s PrefixIndex 0 OrigNexthop 1 RelyDepth 0 RealN...

Page 1109: ...yword the command displays brief next hop information for IPv6 direct routes Examples Display brief next hop information for IPv6 direct routes Sysname display ipv6 route direct nib Total number of ne...

Page 1110: ...dex 0x112 LocalAddr 1 TopoNthp Invalid ExtType 0x0 RefCnt 1 FlushRefCnt 0 Flag 0x2 Version 1 1 nexthop s PrefixIndex 0 OrigNexthop 1 RelyDepth 0 RealNexthop 1 Interface InLoop0 LocalAddr 1 TunnelCnt 0...

Page 1111: ...y brief information about active routes in the IPv6 routing table Sysname display ipv6 routing table Destinations 2 Routes 2 Destination 1 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop0...

Page 1112: ...ic network or VPN instance that the IPv6 routing table belongs to For the public network this field displays public instance For a VPN instance this field displays the VPN instance name Destinations N...

Page 1113: ...0 Preference 0 IpPre N A QosLocalID N A Tag 0 State Active Adv OrigTblID 0x0 OrigVrf default vrf TableID 0xa OrigAs 0 NibID 0x20000003 LastAs 0 AttrID 0xffffffff Neighbor Flags 0x10080 OrigNextHop La...

Page 1114: ...AttrID 0xffffffff Neighbor Flags 0x10004 OrigNextHop 1 Label NULL RealNextHop 1 BkLabel NULL BkNextHop N A SRLabel NULL BkSRLabel NULL Tunnel ID Invalid Interface Vlan interface11 BkTunnel ID Invalid...

Page 1115: ...op Next hop address of the route RealNextHop Real next hop of the route BkLabel Backup label BkNexthop Backup next hop SRLabel SR label BkSRLabel Backup SR label Tunnel ID This field is not supported...

Page 1116: ...to 2999 verbose Displays detailed information about all routes permitted by the basic IPv6 ACL If you do not specify this keyword the command displays only brief information about active routes permit...

Page 1117: ...routing table acl 2000 verbose Summary count 6 Destination 1 128 Protocol Direct Process ID 0 SubProtID 0x0 Age 19h29m12s Cost 0 Preference 0 IpPre N A QosLocalID N A Tag 0 State Active NoAdv OrigTblI...

Page 1118: ...lt vrf TableID 0xa OrigAs 0 NibID 0x20000000 LastAs 0 AttrID 0xffffffff Neighbor Flags 0x10004 OrigNextHop 1 Label NULL RealNextHop 1 BkLabel NULL BkNextHop N A SRLabel NULL BkSRLabel NULL Tunnel ID I...

Page 1119: ...RLabel NULL BkSRLabel NULL Tunnel ID Invalid Interface InLoopBack0 BkTunnel ID Invalid BkInterface N A FtnIndex 0x0 TrafficIndex N A Connector N A PathID 0x0 Destination FF00 8 Protocol Direct Process...

Page 1120: ...Specifies a destination IPv6 address range verbose Displays detailed routing table information including information about both active and inactive routes If you do not specify this keyword the comman...

Page 1121: ...destinations in the range of ipv6 address1 128 to ipv6 address2 128 Examples Display brief information about the routes to the destination IPv6 address 10 1 127 Sysname display ipv6 routing table 10 1...

Page 1122: ...ID 0xa OrigAs 0 NibID 0x23000002 LastAs 0 AttrID 0xffffffff Neighbor Flags 0x10041 OrigNextHop FE80 A1F 3FFF FE45 206 Label NULL RealNextHop FE80 A1F 3FFF FE45 206 BkLabel NULL BkNextHop N A SRLabel N...

Page 1123: ...8 Sysname system view Sysname ipv6 prefix list test permit 1 128 Display brief information about the active IPv6 route permitted by the IPv6 prefix list Sysname display ipv6 routing table prefix list...

Page 1124: ...on for the public network protocol Specifies a routing protocol inactive Displays information about inactive routes If you do not specify this keyword the command displays information about both activ...

Page 1125: ...routing table statistics Use display ipv6 routing table statistics to display IPv6 route statistics including numbers of total routes routes installed and deleted by the protocol and active routes Sy...

Page 1126: ...Routes Active Added Deleted DIRECT 3 3 3 0 STATIC 3 3 5 2 RIPng 0 0 0 0 OSPFv3 0 0 0 0 Total 6 6 8 2 Display IPv6 route statistics for VPN instance vpn1 Sysname display ipv6 routing table vpn instance...

Page 1127: ...name summary Views Any view Predefined user roles network admin network operator Parameters vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to...

Page 1128: ...No Table 8 Command output Field Description RIB GR state RIB GR status Start GR starts IGP end All IGP protocols complete GR VPN triggering end Optimal route selection triggered by VPN routes complete...

Page 1129: ...letes flushing routes to the FIB No Protocol number Lifetime Lifetime in seconds of routes labels in the RIB during GR FD Handle between the protocol and the RIB State Protocol GR state Init Initializ...

Page 1130: ...Type 0x1 Flushed Yes UserKey0 0x0 VrfNthp 0 UserKey1 0x0 Nexthop 127 0 0 1 IFIndex 0x112 LocalAddr 127 0 0 1 TopoNthp 0 ExtType 0x0 NibID 0x10000002 Sequence 2 Type 0x5 Flushed Yes UserKey0 0x0 VrfNth...

Page 1131: ...Seq Sequence number of the sub next hop NthpCnt Number of sub next hops Samed Number of the same sub next hops NthpType Type of the sub next hop The value can be IP which represents IP forwarding Disp...

Page 1132: ...unnelID 1025 Topology base Weight 0 Table 10 Command output Field Description NibID ID of the next hop Sequence Sequence number of the next hop Type Type of the next hop Flushed Indicates whether the...

Page 1133: ...the current software version Number of tunnels after route recursion TunnelID This field is not supported in the current software version ID of the tunnel after route recursion Topology This field is...

Page 1134: ...thp 0 UserKey1 0x0 Nexthop 0 0 0 0 IFIndex 0x111 LocalAddr 0 0 0 0 TopoNthp 0 ExtType 0x0 NibID 0x10000001 Sequence 1 Type 0x1 Flushed Yes UserKey0 0x0 VrfNthp 0 UserKey1 0x0 Nexthop 127 0 0 1 IFIndex...

Page 1135: ...Flushed Yes UserKey0 0x0 VrfNthp 0 UserKey1 0x0 Nexthop 0 0 0 0 IFIndex 0x111 LocalAddr 0 0 0 0 TopoNthp Invalid ExtType 0x0 RefCnt 2 FlushRefCnt 0 Flag 0x2 Version 1 1 nexthop s PrefixIndex 0 OrigNe...

Page 1136: ...t Reference count of the next hop FlushRefCnt Reference count of the next hop that is flushed to the FIB Flag Flag of the next hop Version Version of the next hop x nexthop s Number of next hops Prefi...

Page 1137: ...switchover Usage guidelines When a protocol or RIB process switchover occurs and GR or NSR is not configured FIB entries age out after the time specified in this command Examples Set the maximum life...

Page 1138: ...the public network Sysname system view Sysname rib Sysname rib address family ipv4 Sysname rib ipv4 inter protocol fast reroute ip route fast switchover enable Use ip route fast switchover enable to...

Page 1139: ...k failure occurs on an interface the device typically performs the following operations before switching the traffic to a valid route 1 Deletes all ND entries for the link 2 Instructs the FIB to delet...

Page 1140: ...mmand Examples Enable MTP Sysname system view Sysname maintenance probe enable non stop routing Use non stop routing to enable RIB NSR Use undo non stop routing to disable RIB NSR Syntax non stop rout...

Page 1141: ...is command Examples Set the maximum lifetime for RIP routes and labels in the RIB to 60 seconds Sysname system view Sysname rib Sysname rib address family ipv4 Sysname rib ipv4 protocol rip lifetime 6...

Page 1142: ...sive lookup route policy policy1 reset ip routing table statistics protocol Use reset ip routing table statistics protocol to clear IPv4 route statistics Syntax reset ip routing table statistics proto...

Page 1143: ...ces all vpn instance Clears route statistics for all VPN instances protocol Clears route statistics for an IPv6 routing protocol all Clears route statistics for all IPv6 routing protocols Usage guidel...

Page 1144: ...he device to still accept active routes but generate a log message when the number of active IPv4 IPv6 routes exceeds the maximum number Usage guidelines Configuration in RIB IPv4 address family view...

Page 1145: ...play route static nib 1 display route static routing table 4 ip route static 6 ip route static arp request 9 ip route static default preference 10 ip route static fast reroute auto 11 ip route static...

Page 1146: ...re executing the command make sure you fully understand the potential impact on the network When you use this command the system will prompt you to confirm the operation before deleting all the static...

Page 1147: ...ype 0x21 Flushed Yes UserKey0 0x111 VrfNthp 0 UserKey1 0x0 Nexthop 0 0 0 0 IFIndex 0x111 LocalAddr 0 0 0 0 TopoNthp 0 ExtType 0x0 NibID 0x11000001 Sequence 1 Type 0x41 Flushed Yes UserKey0 0x0 VrfNthp...

Page 1148: ...sion 1 1 nexthop s PrefixIndex 0 OrigNexthop 0 0 0 0 RelyDepth 0 RealNexthop 0 0 0 0 Interface NULL0 LocalAddr 0 0 0 0 TunnelCnt 0 Vrf default vrf TunnelID N A Topology base Weight 1000000 NibID 0x110...

Page 1149: ...oute recursion Topology This field is not supported in the current software version Topology name The topology name for the public network is base Weight ECMP routes are not supported in the current s...

Page 1150: ...able Total number of routes 24 Status valid Destination 0 0 0 0 0 NibID 0x1100000a NextHop 2 2 2 10 MainNibID N A BkNextHop N A BkNibID N A Interface Vlan interface11 TableID 0x2 BkInterface Vlan inte...

Page 1151: ...d Ctrl Control packet mode Echo Echo packet mode TrackIndex NQA Track index vrfIndexDst Index of VPN instance that the destination belongs to For the public network this field displays 0 vrfIndexNH In...

Page 1152: ...c vpn instance d vpn instance name next hop address preference preference Default No static route is configured Views System view Predefined user roles network admin Parameters vpn instance s vpn inst...

Page 1153: ...ies a preference for the static route in the range of 1 to 255 The default is 60 tag tag value Sets a tag value for marking the static route in the range of 1 to 4294967295 The default is 0 Tags of ro...

Page 1154: ...p all prefixes in the static route group will be assigned the next hop and output interface specified by using this command Examples Configure a static route whose destination address is 1 1 1 1 24 ne...

Page 1155: ...s The static route has no output interface specified The static route fails the next hop recursion Examples Enable sending of ARP requests to the next hops of static routes and set the sending interva...

Page 1156: ...Static route FRR is disabled from automatically selecting a backup next hop Views System view Predefined user roles network admin Examples Configure static route FRR to automatically select a backup n...

Page 1157: ...p route static group to delete a static route group Syntax ip route static group group name undo ip route static group group name Default No static route groups exist Views System view Predefined user...

Page 1158: ...s Execute this command repeatedly to add multiple static route prefixes to a static route group After you add static route prefixes to a static route group you can specify that group in the ip route s...

Page 1159: ...oute 18 network 19 non stop routing 20 output delay 20 peer 21 preference 21 reset rip process 22 reset rip statistics 23 rip 23 rip authentication mode 24 rip bfd enable 25 rip bfd enable destination...

Page 1160: ...all messages are trustworthy disable this feature to reduce the workload of the CPU Examples Disable zero field check on RIPv1 messages for RIP process 1 Sysname system view Sysname rip Sysname rip 1...

Page 1161: ...ault No default route is sent to RIP neighbors Views RIP view Predefined user roles network admin Parameters only Advertises only a default route originate Advertises both a default route and other ro...

Page 1162: ...formation for all RIP processes Sysname display rip Public VPN instance name RIP process 1 RIP version 1 Preference 100 Routing policy abc Fast reroute Routing policy frr Checkzero Enabled Default cos...

Page 1163: ...imeout time in seconds Suppress time RIP suppress interval in seconds Garbage collect time RIP garbage collect interval in seconds Update output delay RIP packet sending interval in seconds Output cou...

Page 1164: ...play rip 100 database 1 0 0 0 8 auto summary 1 1 1 0 24 cost 16 interface summary 1 1 1 0 24 cost 0 nexthop 1 1 1 1 RIP interface 1 1 2 0 24 cost 0 imported 2 0 0 0 8 auto summary 2 0 0 0 8 cost 1 nex...

Page 1165: ...graceful restart RIP process 1 Graceful Restart capability Enabled Current GR state Normal Graceful Restart period 60 seconds Graceful Restart remaining time 0 seconds Table 3 Command output Field Des...

Page 1166: ...P Address Mask IP address and mask of the interface Version RIP version running on the interface MetricIn Additional metric added to incoming routes MetricIn route policy Name of the routing policy us...

Page 1167: ...cess id Specifies a RIP process by its ID in the range of 1 to 65535 interface type interface number Specifies an interface by its type and number If you do not specify this argument the command displ...

Page 1168: ...process 1 Sysname display rip 1 non stop routing RIP process 1 Nonstop Routing capability Enabled Current NSR state Finish Table 6 Command output Field Description Nonstop Routing capability Indicates...

Page 1169: ...s 1 Sysname display rip 1 route Route Flags R RIP T TRIP P Permanent A Aging S Suppressed G Garbage collect D Direct O Optimal F Flush to RIB Peer 1 1 1 1 on Vlan interface10 Destination Mask Nexthop...

Page 1170: ...ining time of the timer corresponding to the route state Display routing statistics for RIP process 1 Sysname display rip 1 route statistics Peer Optimal Aging Optimal Permanent Garbage 1 1 1 1 1 1 0...

Page 1171: ...n the command designates a backup next hop for the routes that match the routing policy Usage guidelines RIP FRR is available only when the state of primary link with Layer 3 interfaces staying up cha...

Page 1172: ...he default process ID is 1 interface type interface number Specifies an interface by its type and number Usage guidelines You can configure only one filtering policy to filter routes redistributed fro...

Page 1173: ...ex 10 permit 11 0 0 0 8 Sysname rip 1 Sysname rip 1 filter policy prefix list abc export Configure advanced ACL 3000 to permit only route 113 0 0 0 16 to pass Use ACL 3000 to filter redistributed rout...

Page 1174: ...l match the ACL If a rule in the ACL has the vpn instance keyword configured the rule applies to only the RIP routes in the specified VPN instance If the rule does not have the vpn instance keyword co...

Page 1175: ...port Related commands acl ACL and QoS Command Reference ip prefix list graceful restart Use graceful restart to enable RIP GR Use undo graceful restart to disable RIP GR Syntax graceful restart undo g...

Page 1176: ...enable host route reception Use undo host route to disable host route reception Syntax host route undo host route Default RIP receives host routes Views RIP view Predefined user roles network admin U...

Page 1177: ...If you do not specify the allow direct keyword the networks of the local interfaces are not redistributed If you specify both the allow direct keyword and the route policy route policy name option ma...

Page 1178: ...address where an interface resides wildcard mask Specifies an IP address wildcard mask A wildcard mask can be thought of as a subnet mask with 1s and 0s inverted For example a wildcard mask of 255 25...

Page 1179: ...enable RIP NSR for each process if multiple RIP processes exist The non stop routing command and the graceful restart command are mutually exclusive Examples Enable NSR for RIP process 1 Sysname syste...

Page 1180: ...s Default RIP does not unicast updates to any neighbor Views RIP view Predefined user roles network admin Parameters ip address Specifies the IP address of a RIP neighbor in dotted decimal notation Us...

Page 1181: ...ute policy to set a preference for matching RIP routes The preference set by the routing policy applies to all matching RIP routes The preference of other routes is set by the preference command If no...

Page 1182: ...enter RIP view Use undo rip to disable RIP Syntax rip process id vpn instance vpn instance name undo rip process id Default RIP is disabled Views System view Predefined user roles network admin Parame...

Page 1183: ...lain Specifies a password in plaintext form For security purposes the password specified in plaintext form will be stored in encrypted form string Specifies the password Its plaintext form is a case s...

Page 1184: ...y Using the undo peer command does not delete the neighbor relationship immediately and cannot bring down the BFD session immediately The rip bfd enable command and the rip bfd enable destination comm...

Page 1185: ...gure a RIP interface to advertise a default route with a specified metric Use undo rip default route to disable a RIP interface from sending a default route Syntax rip default route only originate cos...

Page 1186: ...le Use rip enable to enable RIP on an interface Use undo rip enable to disable RIP on an interface Syntax rip process id enable exclude subip undo rip enable Default RIP is disabled on an interface Vi...

Page 1187: ...p max packet length to restore the default Syntax rip max packet length value undo rip max packet length Default The maximum length of RIP packets is 512 bytes Views Interface view Predefined user rol...

Page 1188: ...dditional metric for the routes that match the routing policy value Adds an additional metric to inbound routes in the range of 0 to 16 Usage guidelines When a valid RIP route is received the system a...

Page 1189: ...an additional metric for the routes that match the routing policy value Adds an additional metric to outbound routes in the range of 1 to 16 Usage guidelines With the command configured on an interfac...

Page 1190: ...ith the smallest process ID Views System view Predefined user roles network admin Parameters process id Specifies a RIP process by its ID in the range of 1 to 65535 Usage guidelines If the specified p...

Page 1191: ...y Default An interface uses the RIP packet sending rate set for the RIP process that the interface runs Views Interface view Predefined user roles network admin Parameters Time Specifies the RIP packe...

Page 1192: ...o disable BFD single hop echo detection for RIP FRR Syntax rip primary path detect bfd echo undo rip primary path detect bfd Default BFD single hop echo detection for RIP FRR is disabled Views Interfa...

Page 1193: ...s effect Examples Enable the split horizon feature on VLAN interface 10 Sysname system view Sysname interface vlan interface 10 Sysname Vlan interface10 rip split horizon rip summary address Use rip s...

Page 1194: ...dcasts and unicasts and RIPv2 broadcasts multicasts and unicasts Views Interface view Predefined user roles network admin Parameters 1 Specifies the RIP version as RIPv1 2 Specifies the RIP version as...

Page 1195: ...e interface number all Default All RIP interfaces can send RIP messages Views RIP view Predefined user roles network admin Parameters interface type interface number Disables a specified interface fro...

Page 1196: ...mer triggered to set the interval for sending triggered updates Use undo timer triggered to restore the default Syntax timer triggered maximum interval minimum interval incremental interval undo timer...

Page 1197: ...timer is 120 seconds the suppress timer is 120 seconds the timeout timer is 180 seconds and the update timer is 30 seconds Views RIP view Predefined user roles network admin Parameters garbage collect...

Page 1198: ...15 15 and 30 seconds Sysname system view Sysname rip 100 Sysname rip 100 timers update 5 timeout 15 suppress 15 garbage collect 30 validate source address Use validate source address to enable source...

Page 1199: ...it over the global RIP version If no RIP version is specified for the interface and the global version is RIPv1 the interface uses RIPv1 and can perform the following operations Send RIPv1 broadcasts...

Page 1200: ...p 41 display ospf non stop routing status 42 display ospf peer 42 display ospf peer statistics 46 display ospf request queue 47 display ospf retrans queue 48 display ospf routing 49 display ospf spf t...

Page 1201: ...98 ospf timer retransmit 98 ospf trans delay 99 ospf troubleshooting max number 99 ospf ttl security 100 peer OSPF view 101 pic OSPF view 102 preference OSPF view 103 prefix priority OSPF view 104 pr...

Page 1202: ...oute or not By default the command advertises the summary route cost cost value Specifies the cost of the summary route in the range of 1 to 16777215 The default cost is the largest cost value among r...

Page 1203: ...x asbr summary ip address mask length mask cost cost value not advertise nssa only tag tag undo asbr summary ip address mask length mask Default Route summarization is not configured on an ASBR Views...

Page 1204: ...R is not a translator it cannot summarize routes in Type 5 LSAs translated from Type 7 LSAs To enable ASBR to advertise specific routes that have been summarized use the undo asbr summary command Exam...

Page 1205: ...ue key ID and key string As a best practice to minimize the risk of key compromise use only one key for an area and delete the old key after key replacement To replace the key used for MD5 or HMAC MD5...

Page 1206: ...535 is used If the calculated cost is less than 1 the value of 1 is used Examples Set the reference bandwidth value to 1000 Mbps Sysname system view Sysname ospf 100 Sysname ospf 100 bandwidth referen...

Page 1207: ...specify an ACL follow these guidelines If a rule in the specified ACL is applied to a VPN instance the rule does not take effect If a rule in the specified ACL is not applied to any VPN instance the...

Page 1208: ...pf 1 Sysname ospf 1 database filter peer 121 20 20 121 summary acl 3000 Related commands ospf database filter default OSPF view Use default to configure default parameters for redistributed routes Use...

Page 1209: ...ABR of a stub area or the ABR or ASBR of an NSSA area Examples Configure Area 1 as a stub area and set the cost of the default route advertised to the stub area to 20 Sysname system view Sysname ospf...

Page 1210: ...a routing policy by its name a case sensitive string of 1 to 63 characters When the routing policy is matched and one of the following conditions is met the command redistributes a default route in a...

Page 1211: ...command is used to identify an OSPF process or area Examples Describe OSPF process 100 as abc Sysname system view Sysname ospf 100 Sysname ospf 100 description abc Describe OSPF Area 0 as bone area S...

Page 1212: ...ence 100 and 200 respectively Sysname system view Sysname ospf 100 Sysname ospf 100 discard route external 100 internal 200 display ospf Use display ospf to display OSPF process information Syntax dis...

Page 1213: ...Count 300 This process is currently bound to MIB Area count 1 NSSA area count 1 Normal areas with up interfaces 0 NSSA areas with up interfaces 1 Up interfaces 1 ExChange Loading neighbors 0 Full neig...

Page 1214: ...ain ID primary ID Opaque capable Opaque LSA advertisement and reception capability is enabled Originating router LSAs with maximum metric The maximum cost value for router LSAs excluding stub links is...

Page 1215: ...f incremental AS external prefixes is triggered N A Route calculation is not triggered Current calculation type Current route calculation type SPF calculation Intra router calculation Intra area route...

Page 1216: ...Route calculation module R Route redistribution module Reset process message replied Modules that reply reset process messages P Neighbor maintenance module L LSDB synchronization module C Route calc...

Page 1217: ...area NSSA NSSANoSummary totally NSSA area 7 5 translator state State of the translator that translates Type 7 LSAs to Type 5 LSAs Enabled The translator is specified through commands Elected The trans...

Page 1218: ...s id abr asbr verbose Views Any view Predefined user roles network admin network operator Parameters process id Specifies an OSPF process by its ID in the range of 1 to 65535 If you do not specify thi...

Page 1219: ...of an ABR or ASBR Area ID of the area of the next hop Cost Cost from the router to the ABR or ASBR Nexthop Next hop address BkNexthop Backup next hop address RtType Router type ABR or ASBR Interface...

Page 1220: ...ief information about summary routes on the ABR Sysname display ospf abr summary OSPF Process 1 with Router ID 2 2 2 2 ABR Summary Addresses Topology base MTID 0 Area 0 0 0 1 Total summary address cou...

Page 1221: ...o display ASBR summary route information Syntax display ospf process id asbr summary ip address mask length mask Views Any view Predefined user roles network admin network operator Parameters process...

Page 1222: ...gy is base MTID Topology ID The value of 0 indicates the base topology Total summary address count Total number of summary routes Net Address of the summary route Mask Mask of the summary route addres...

Page 1223: ...ting table Neighbor logs include information about the following events The OSPF neighbor state goes down The OSPF neighbor state goes backward because the local end receives BadLSReq SeqNumberMismatc...

Page 1224: ...28 19 0 0 0 0 Intra area LSA 2012 06 27 15 28 19 0 0 0 0 external LSA 2012 06 27 15 28 19 0 3 0 0 0 Intra area LSA 2012 06 27 15 28 12 0 1 0 0 Intra area LSA 2012 06 27 15 28 11 0 0 0 0 Routing policy...

Page 1225: ...hip Remote Address Peer address of the neighbor relationship Router ID Neighbor router ID Reason Reasons for neighbor state changes ResetConnect The connection is lost due to insufficient memory IntCh...

Page 1226: ...or The secondary router receives an unexpected serial number from the primary router RecvOpqIntf A DD packet that contains a type 9 LSA is received when the opaque LSA reception and advertisement capa...

Page 1227: ...nt hello packets Sysname display ospf event log hello sent OSPF Process 1 with Router ID 5 5 5 5 Hello Log Interface Vlan10 Neighbor address 10 1 1 2 NbrID 1 0 0 2 First 4 hello packets sent 2019 09 0...

Page 1228: ...tion address 224 0 0 5 sent failed errno 132 Date 2019 09 06 Time 11 20 20 116 Interface Vlan11 Destination address 10 1 1 2 sent failed errno 132 Table 10 Command output Field Description Date Date f...

Page 1229: ...lo packet Display log information about received hello packets Sysname display ospf event log hello received OSPF Process 1 with Router ID 5 5 5 5 Hello Log Interface Vlan10 Neighbor address 10 1 1 2...

Page 1230: ...area 0 0 0 1 Drop reason Hello time mismatch Date 2019 09 06 Time 14 51 20 121 Interface Vlan10 Source address 10 1 1 2 NbrID 1 0 0 2 area 0 0 0 1 Drop reason NP bit mismatch Table 13 Command output F...

Page 1231: ...face Vlan10 Source address 10 1 1 2 NbrID 1 0 0 2 area 0 0 0 1 Last one received 2019 09 06 14 51 05 113 Table 14 Command output Field Description Date Tme Date for receiving the abnormal hello packet...

Page 1232: ...xamples Display OSPF FRR backup next hop information Sysname display ospf 1 area 0 fast reroute lfa candidate OSPF Process 1 with Router ID 2 2 2 2 LFA Candidate List Topology base MTID 0 Area 0 0 0 0...

Page 1233: ...aceful Restart support Planned and unplanned Partial Helper capability Enable IETF Helper support Planned and unplanned IETF Strict LSA check Current GR state Normal Graceful Restart period 40 seconds...

Page 1234: ...cess supports Enable IETF Supports IETF GR helper capability Enable Nonstandard Supports non IETF GR helper capability Enable IETF and nonstandard Supports both IETF GR helper capability and non IETF...

Page 1235: ...on Reason that the helper exited most recently Virtual link Neighbor ID Router ID of the virtual link s neighbor Neighbor State Neighbor state Down Init 2 Way ExStart Exchange Loading and Full Interfa...

Page 1236: ...MA State Interface state Down No protocol traffic can be sent or received on the interface Loopback The interface is in loopback state and it cannot forward traffic Waiting The interface starts sendin...

Page 1237: ...lculation is enabled on an interface Primary path detection mode Primary link detection mode BFD ctrl BFD control packet mode BFD echo BFD echo packet mode Enabled by interface configuration including...

Page 1238: ...ot specify this argument the command displays hello packet information for all OSPF processes interface type interface number Specifies an interface by its type and number If you do not specify this a...

Page 1239: ...y link state id originate router advertising router id self originate Views Any view Predefined user roles network admin network operator Parameters process id Specifies an OSPF process by its ID in t...

Page 1240: ...1 321 32 80000003 0 Sum Net 192 168 1 0 192 168 0 1 321 28 80000002 1 Sum Net 192 168 2 0 192 168 0 2 474 28 80000002 1 Area 0 0 0 1 Type LinkState ID AdvRouter Age Len Sequence Metric Router 192 168...

Page 1241: ...en 32 Options NP Seq 80000003 Checksum 0x2a77 Net mask 255 255 255 0 Attached router 192 168 1 1 Attached router 192 168 1 2 Table 21 Command output Field Description Type LSA type LS ID DR IP address...

Page 1242: ...in the range of 1 to 65535 If you do not specify this argument the command displays next hop information for all OSPF processes Examples Display OSPF next hop information Sysname display ospf nexthop...

Page 1243: ...tatus OSPF Process 1 with Router ID 192 168 33 12 Non Stop Routing information Non Stop Routing capability Enabled Upgrade phase Normal Table 23 Command output Field Description Non Stop Routing capab...

Page 1244: ...interface by its type and number If you do not specify this argument the command displays neighbor information for all interfaces neighbor id Specifies a neighbor router ID If you do not specify this...

Page 1245: ...o keep the neighbor relationship 2 Way Communication between the two routers is bidirectional The local router appears in the neighbor s Hello packet Exstart The goal of this state is to decide which...

Page 1246: ...ID Address Pri Dead Time State Interface 1 1 1 2 1 1 1 2 1 40 Full DR Vlan10 Table 25 Command output Field Description Area Neighbor area Router ID Neighbor router ID Address Neighbor interface addres...

Page 1247: ...from neighbors Last 4 hello packets received Time for receiving the last four hello packets from neighbors First 4 hello packets sent Time and result succeeded or failed for sending the first four hel...

Page 1248: ...of neighboring routers in Init state in the same area 2 Way Number of neighboring routers in 2 Way state in the same area ExStart Number of neighboring routers in ExStart state in the same area Exchan...

Page 1249: ...rface 10 1 1 1 Area 0 0 0 0 Request list Type LinkState ID AdvRouter Sequence Age Router 2 2 2 2 1 1 1 1 80000004 1 Network 192 168 0 1 1 1 1 1 80000003 1 Sum Net 192 168 1 0 1 1 1 1 80000002 2 Table...

Page 1250: ...Router ID 192 168 1 59 Link State Retransmission List The Router s Neighbor is Router ID 2 2 2 2 Address 10 1 1 2 Interface 10 1 1 1 Area 0 0 0 0 Retransmit list Type LinkState ID AdvRouter Sequence A...

Page 1251: ...specify this option the command displays all OSPF routing information verbose Displays detailed OSPF routing information If you do not specify this keyword the command displays brief OSPF routing info...

Page 1252: ...e Stub AdvRouter 192 168 1 2 Area 0 0 0 0 SubProtoID 0x1 Preference 10 NextHop 192 168 1 2 BkNextHop N A IfType Broadcast BkIfType N A Interface Vlan100 BkInterface N A NibID 0x1300000c Status Normal...

Page 1253: ...terface Backup output interface NibID Next hop ID Status Route status Local The route is on the local end and is not sent to the route management module Invalid The next hop is invalid Stale The next...

Page 1254: ...tination H Nexthop changed N Link is a new path V Link is involved G Link is in change list Topology base MTID 0 Area 0 0 0 0 Shortest Path Tree SpfNode Type Flag SpfLink Type Cost Flag 192 168 119 13...

Page 1255: ...erbose OSPF Process 1 with Router ID 100 0 0 4 Flags S Node is on SPF tree R Node is directly reachable I Node or Link is init D Node or Link is to be deleted P Neighbor is parent A Node is in candida...

Page 1256: ...he root node VlinkData Destination address of virtual link packets ParentLinkCnt Number of parent links NodeFlag Node flag I The node is in initialization state A The node is on the candidate list S T...

Page 1257: ...process id Specifies an OSPF process by its ID in the range of 1 to 65535 If you do not specify this argument the command displays OSPF statistics for all OSPF processes error Displays error statistic...

Page 1258: ...lo Hell packet DB Description Database Description packet Link State Req Link State Request packet Link State Update Link State Update packet Link State Ack Link State Acknowledge packet LSAs originat...

Page 1259: ...t option mismatch 0 HELLO Mbit option mismatch 0 DD MTU option mismatch 0 DD Unknown LSA type 0 DD Ebit option mismatch 0 ACK Bad ack 0 ACK Unknown LSA type 0 REQ Empty request 0 REQ Bad request 0 UPD...

Page 1260: ...option field ACK Bad ack Bad LSAck packets for LSU packets ACK Unknown LSA type LSAck packets with unknown LSA type REQ Empty request LSR packets with no request information REQ Bad request Bad LSR p...

Page 1261: ...s 0 Table 37 Command output Field Description Total sent Total number of hello packets sent Total sent failed Total number of hello packets that failed to be sent Sent after one and a half intervals T...

Page 1262: ...e OSPF neighbor was disconnected The most recent entry is displayed first Sequence Sequence number of the OSPF neighbor relationship troubleshooting entry Description OSPF neighbor relationship troubl...

Page 1263: ...ease check the connection to the peer Interface Vlan10 peer address 10 1 1 1 ping result waitting for the ping to execute CPU usage 25 37 memory usage 36 49 memory state normal The state of OSPF 1 pee...

Page 1264: ...n the remote end Interface Vlan10 peer address 10 1 1 1 The state of OSPF 1 peer 1 1 1 1 changed to EXSTART because a SeqNumberMismatch event was triggered by the change of the OSPF peer s capability...

Page 1265: ...ion on both ends Interface Vlan10 peer address 10 1 1 1 The state of OSPF 1 peer 1 1 1 1 changed to EXSTART because a SeqNumberMismatch event was triggered upon the receipt of a DD packet containing i...

Page 1266: ...link Cost Interface route cost State Interface state Type Virtual link Transit Area Transit area ID Timers Values of timers in seconds Hello Dead and Retransmit Transmit Delay LSA transmission delay o...

Page 1267: ...ts Examples Set the DSCP value for outgoing OSPF packets to 63 in OSPF process 1 Sysname system view Sysname ospf 1 Sysname ospf 1 dscp 63 enable link local signaling Use enable link local signaling t...

Page 1268: ...idelines Before you configure this command enable the link local signaling capability Examples Enable the out of band resynchronization capability for OSPF process 1 Sysname system view Sysname ospf 1...

Page 1269: ...ze count Specifies the number of OSPF logs in the range of 0 to 65535 Examples Set the number of route calculation logs to 50 in OSPF process 100 Sysname system view Sysname ospf 100 Sysname ospf 100...

Page 1270: ...tbound Type 3 LSAs prefix list name Specifies an IP prefix list by its name a case sensitive string of 1 to 63 characters to filter inbound outbound Type 3 LSAs route policy name Specifies a routing p...

Page 1271: ...routes process id Specifies a process by its ID in the range of 1 to 65535 This argument is available only when the protocol argument is rip or ospf Usage guidelines When you specify an ACL follow th...

Page 1272: ...ved LSAs Use undo filter policy import to restore the default Syntax filter policy ipv4 acl number gateway prefix list name gateway prefix list name prefix list prefix list name gateway prefix list na...

Page 1273: ...he destination keyword specifies the subnet mask of the destination address For the mask configuration to take effect specify a contiguous subnet mask Examples Use basic ACL 2000 to filter received ro...

Page 1274: ...chover occurs because of device failure Before OSPF restart or active standby switchover the GR restarter does not send Grace LSAs to GR helpers Before enabling IETF GR for OSPF enable Opaque LSA adve...

Page 1275: ...keyword is available only for the IETF GR helper Examples Enable GR helper capability for OSPF process 1 Sysname system view Sysname ospf 1 Sysname ospf 1 graceful restart helper enable graceful rest...

Page 1276: ...er roles network admin Parameters interval Specifies the GR interval in the range of 40 to 1800 seconds Usage guidelines For GR restart to succeed the value of the GR restart interval cannot be smalle...

Page 1277: ...e type import route ospf rip process id all processes allow direct cost cost value nssa only route policy route policy name tag tag type type undo import route direct ospf rip process id all processes...

Page 1278: ...ype 1 external routes Have high credibility The cost of Type 1 external routes is comparable with the cost of OSPF internal routes The cost of a Type 1 external route equals the cost from the router t...

Page 1279: ...e logging for OSPF neighbor state changes Syntax log peer change undo log peer change Default Logging for OSPF neighbor state changes is enabled Views OSPF view Predefined user roles network admin Usa...

Page 1280: ...system resources due to frequent network changes As a best practice set the interval with the lsa arrival interval command to be smaller than or equal to the minimum interval set with the lsa generat...

Page 1281: ...alue n is the number of generation times The minimum interval and the incremental interval cannot be greater than the maximum interval Examples Set the maximum LSA generation interval to 2 seconds min...

Page 1282: ...ternal LSAs in the LSDB Use undo lsdb overflow limit to restore the default Syntax lsdb overflow limit number undo lsdb overflow limit Default The number of external LSAs is not limited Views OSPF vie...

Page 1283: ...n network 131 108 20 0 24 to run OSPF in Area 2 Sysname system view Sysname ospf 100 Sysname ospf 100 area 2 Sysname ospf 100 area 0 0 0 2 network 131 108 20 0 0 0 0 255 Related commands ospf non stop...

Page 1284: ...t for the default route in the range of 0 to 16777214 If you do not specify this option the default cost specified by the default cost command applies nssa only Limits the default route advertisement...

Page 1285: ...uters attached to an NSSA area must be configured with the nssa command in area view If you specify the translate ignore checking backbone keyword for an ABR you must also specify the keyword for othe...

Page 1286: ...name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters If you do not specify this option the OSPF process runs on the public network Usage guidelines You can...

Page 1287: ...e does not delete the OSPF process or the area Examples Enable OSPF process 1 on VLAN interface 10 that is in Area 2 and exclude secondary IP addresses Sysname system view Sysname interface vlan inter...

Page 1288: ...interface and delete the old key after key replacement To replace the key used for MD5 or HMAC MD5 authentication on an interface you must configure the new key before removing the old key from each r...

Page 1289: ...ospf cost interface view Use ospf cost to set an OSPF cost for an interface Use undo ospf cost to restore the default Syntax ospf cost cost value undo ospf cost Default An interface computes its OSPF...

Page 1290: ...If a rule in the specified ACL is applied to a VPN instance the rule does not take effect If a rule in the specified ACL is not applied to any VPN instance the rule takes effect on both VPN packets a...

Page 1291: ...on an interface Use undo ospf dr priority to restore the default value Syntax ospf dr priority priority undo ospf dr priority Default The router priority is 1 Views Interface view Predefined user role...

Page 1292: ...Use undo ospf lsu flood control to disable OSPF to limit LSU transmit rate Syntax ospf lsu flood control interval count undo ospf lsu flood control Default OSPF does not limit the LSU transmit rate V...

Page 1293: ...inding to restore the default Syntax ospf mib binding process id undo ospf mib binding Default The public MIB is bound to the OSPF process with the smallest process ID Views System view Predefined use...

Page 1294: ...t Examples Enable VLAN interface 10 to add the interface MTU value into DD packets Sysname system view Sysname interface vlan interface 10 Sysname Vlan interface10 ospf mtu enable ospf network type Us...

Page 1295: ...an interface is P2MP unicast all OSPF packets are unicast by the interface Examples Specify the OSPF network type for VLAN interface 10 as NBMA Sysname system view Sysname interface vlan interface 10...

Page 1296: ...n Parameters disable Disables prefix suppression for an interface Usage guidelines To disable prefix suppression for an interface associated with an OSPF process that has been enabled with prefix supp...

Page 1297: ...Sysname Vlan interface10 ospf primary path detect bfd ctrl On VLAN interface 11 enable BFD echo packet mode for OSPF PIC Sysname system view Sysname ospf 1 Sysname ospf 1 pic additional path always Sy...

Page 1298: ...f timer hello to set the hello interval on an interface Use undo ospf timer hello to restore the default Syntax ospf timer hello seconds undo ospf timer hello Default The hello interval is 10 seconds...

Page 1299: ...s hello packets at the poll interval The poll interval must be a minimum of four times the hello interval Examples Set the poll timer interval on VLAN interface 10 to 130 seconds Sysname system view S...

Page 1300: ...interface Use undo ospf trans delay to restore the default Syntax ospf trans delay seconds undo ospf trans delay Default The LSA transmission delay is 1 second Views Interface view Predefined user ro...

Page 1301: ...GTSM for an interface ospf ttl security disable to disable OSPF GTSM for an interface Use undo ospf ttl security to restore the default Syntax ospf ttl security hops hop count disable undo ospf ttl se...

Page 1302: ...ame Vlan interface10 ospf ttl security hops 254 Enable GTSM in OSPF area view and disable OSPF GTSM for VLAN interface 10 Sysname system view Sysname ospf 100 Sysname ospf 100 area 1 Sysname ospf 100...

Page 1303: ...Sysname ospf 100 peer 1 1 1 1 Related commands ospf dr priority pic OSPF view Use pic to enable OSPF PIC Use undo pic to disable OSPF PIC Syntax pic additional path always undo pic Default OSPF PIC is...

Page 1304: ...multiple routing protocols find routes to the same destination the router uses the route found by the protocol with the highest preference When the route policy route policy name option is specified t...

Page 1305: ...efix priorities it uses the highest priority By default the 32 bit OSPF host routes have a medium priority and other routes have a low priority Examples Use a routing policy to assign the medium prior...

Page 1306: ...ensure traffic forwarding On broadcast and NBMA networks the DR generates Type 2 LSAs with a mask length of 32 to suppress network routes Other routing information can still be advertised to ensure t...

Page 1307: ...cify this argument the command clears OSPF log information for all processes received Specifies log information for received hello packets sent Specifies log information for sent hello packets abnorma...

Page 1308: ...select whether to restart OSPF process upon execution of this command Examples Restart all OSPF processes Sysname reset ospf process Reset OSPF process Y N y reset ospf redistribution Use reset ospf r...

Page 1309: ...p troubleshooting information Syntax reset ospf troubleshooting Views User view Predefined user roles network admin Examples Clear OSPF neighbor relationship troubleshooting information Sysname reset...

Page 1310: ...100 undo rfc1583 compatible router id Use router id to configure a global router ID Use undo router id to restore the default Syntax router id router id undo router id Default No global router ID is...

Page 1311: ...e interface number all Default An interface can receive and send OSPF packets Views OSPF view Predefined user roles network admin Parameters interface type interface number Specifies an interface by i...

Page 1312: ...able SNMP notifications for OSPF Syntax snmp agent trap enable ospf authentication failure bad packet config error grhelper status change grrestarter status change if state change lsa maxage lsa origi...

Page 1313: ...tions about packets that are received and forwarded on an interface virt authentication failure Specifies notifications about authentication failures on a virtual interface virt bad packet Specifies n...

Page 1314: ...ion interval you can prevent overconsumption of bandwidth and router resources due to frequent topology changes For a stable network the minimum interval is used If network changes become frequent the...

Page 1315: ...ystem view Sysname ospf 100 Sysname ospf 100 area 1 Sysname ospf 100 area 0 0 0 1 stub Related commands default cost OSPF area view stub router OSPF view Use stub router to configure a router as a stu...

Page 1316: ...ransmit pacing Default An OSPF interface sends a maximum of three LSU packets every 20 milliseconds Views OSPF view Predefined user roles network admin Parameters interval interval Specifies an interv...

Page 1317: ...55 the configured hop count 1 to 255 When GTSM is configured the OSPF packets sent by the device have a TTL of 255 To use GTSM you must configure GTSM on both the local and peer devices You can specif...

Page 1318: ...ey in encrypted form plain Specifies a key in plaintext form For security purposes the key specified in plaintext form will be stored in encrypted form string Specifies the key This argument is case s...

Page 1319: ...lover OSPF sends multiple packets that contain both the new and old MD5 HMAC MD5 authentication keys to ensure that the neighbor device can pass the authentication 2 Configure the new MD5 HMAC MD5 aut...

Page 1320: ...lay ip policy based route 2 display ip policy based route interface 3 display ip policy based route local 5 display ip policy based route setup 6 if match acl 7 ip local policy based route 7 ip policy...

Page 1321: ...he inbound vpn keyword the next hop belongs to the public network direct Specifies that the next hop must be directly connected to take effect track track entry number Specifies a track entry by its n...

Page 1322: ...ed route Use display ip policy based route to display PBR policy information Syntax display ip policy based route policy policy name Views Any view Predefined user roles network admin network operator...

Page 1323: ...ts type and number slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command displays information on the master device Examples Display PBR co...

Page 1324: ...hysical interfaces on multiple slots specify a slot that contains its member interfaces For a physical interface specify its slot number node 0 deny not support node 2 permit no resource Match mode of...

Page 1325: ...sed route local Use display ip policy based route local to display local PBR configuration and statistics Syntax display ip policy based route local slot slot number Views Any view Predefined user rol...

Page 1326: ...nds reset ip policy based route statistics display ip policy based route setup Use display ip policy based route setup to display PBR configuration Syntax display ip policy based route setup Views Any...

Page 1327: ...he specified ACL is a basic or advanced ACL Usage guidelines If the specified ACL does not exist or has no rules configured all packets will match the ACL If the vpn instance keyword is specified for...

Page 1328: ...ure you fully understand its impact on local services of the device You can specify only one policy for local PBR and must make sure the specified policy already exists Before you apply a new policy y...

Page 1329: ...w Predefined user roles network admin Parameters policy name Specifies a policy by its name a case sensitive string of 1 to 19 characters deny Specifies the match mode for the policy node as deny perm...

Page 1330: ...r PBR statistics Syntax reset ip policy based route statistics policy policy name Views User view Predefined user roles network admin Parameters policy policy name Specifies a policy by its name a cas...

Page 1331: ...ontents IPv6 static routing commands 1 delete ipv6 static routes all 1 display ipv6 route static nib 1 display ipv6 route static routing table 4 ipv6 route static 6 ipv6 route static default preferenc...

Page 1332: ...work communication and cause packet forwarding failure Before executing the command make sure you fully understand the potential impact on the network When you use this command the system will prompt...

Page 1333: ...y0 0x0 VrfNthp 0 UserKey1 0x0 Nexthop 3 4 IFIndex 0x0 LocalAddr TopoNthp Invalid ExtType 0x0 Table 1 Command output Field Description NibID ID of the NIB Sequence Sequence number of the NIB Type Type...

Page 1334: ...rf TunnelID N A Topology Weight 0 NibID 0x21000001 Sequence 1 Type 0x41 Flushed Yes UserKey0 0x0 VrfNthp 0 UserKey1 0x0 Nexthop 3 4 IFIndex 0x0 LocalAddr TopoNthp Invalid ExtType 0x0 RefCnt 1 FlushRef...

Page 1335: ...lushed to the FIB Flag Flag of the next hop Version Version of the next hop ExtType NIB extension type display ipv6 route static routing table Use display ipv6 route static routing table to display IP...

Page 1336: ...0xa BkInterface N A Flag 0x80d0a BfdSrcIp N A DbIndex 0x1 BfdIfIndex 0x0 Type Normal BfdVrfIndex 0 TrackIndex 0xffffffff Label NULL Preference 60 vrfIndexDst 0 BfdMode N A vrfIndexNH 0 Permanent 0 Tag...

Page 1337: ...e static ipv6 address prefix length interface type interface number next hop address bfd control packet echo packet bfd source ipv6 address permanent preference preference tag tag value description te...

Page 1338: ...e range of 1 to 4294967295 The default is 0 Tags of routes are used for route control in routing policies For more information about routing policies see Layer 3 IP Routing Configuration Guide descrip...

Page 1339: ...d together with the bfd keyword Examples Configure an IPv6 static route with the destination address 1 1 2 64 and next hop 1 1 3 1 Sysname system view Sysname ipv6 route static 1 1 2 64 1 1 3 1 Relate...

Page 1340: ...9 Sysname ipv6 route static default preference 120 Related commands display ipv6 routing table protocol...

Page 1341: ...ter policy export 10 filter policy import 12 graceful restart 13 graceful restart interval 13 import route 14 non stop routing 15 output delay 16 preference 16 reset ripng process 17 reset ripng stati...

Page 1342: ...ckets If a zero field of a packet contains a non zero value RIPng discards the packet Examples Disable zero field check on RIPng packets for RIPng 100 Sysname system view Sysname ripng 100 Sysname rip...

Page 1343: ...ork admin network operator Parameters process id Specifies a RIPng process by its ID in the range of 1 to 65535 If you do not specify this argument the command displays information about all RIPng pro...

Page 1344: ...ge collection interval in seconds Update output delay RIPng packet sending interval in milliseconds Output count Maximum number of RIPng packets that can be sent at each interval Graceful restart inte...

Page 1345: ...graceful restart Views Any view Predefined user roles network admin network operator Parameters process id Specifies a RIPng process by its ID in the range of 1 to 65535 Examples Display GR informatio...

Page 1346: ...s Display interface information for RIPng process 1 Sysname display ripng 1 interface Total 1 Interface Vlan interface100 Link local address FE80 20C 29FF FEC8 B4DD Split horizon On Poison reverse Off...

Page 1347: ...cess id neighbor interface type interface number Views Any view Predefined user roles network admin network operator Parameters process id Specifies a RIPng process by its ID in the range of 1 to 6553...

Page 1348: ...Nonstop Routing capability Enabled Current NSR state Finish Table 6 Command output Field Description Nonstop Routing capability Indicates whether NSR is enabled Enabled or Disabled Current NSR state N...

Page 1349: ...bage collect D Direct O Optimal F Flush to RIB Peer FE80 20C 29FF FED4 7171 on Vlan interface100 Destination 4 4 128 via FE80 20C 29FF FED4 7171 cost 1 tag 0 AOF 5 secs Local route Destination 3 3 128...

Page 1350: ...rbage Number of routes in Garbage collection state Local Total number of locally generated direct route total Total number of routes learned from RIPng neighbors enable ipsec profile Use enable ipsec...

Page 1351: ...th Layer 3 interfaces in up state changes from bidirectional to unidirectional or down RIPng FRR is effective only for RIPng routes that are learned from directly connected neighbors Examples Enable R...

Page 1352: ...all routes redistributed by RIPng will match the ACL If a rule in the ACL has the vpn instance keyword configured the rule applies to only the RIPng routes in the specified VPN instance If the rule d...

Page 1353: ...to filter received routes Usage guidelines To specify an ACL in the command follow these restrictions and guidelines If the ACL does not exist or has no rules configured all routes received by RIPng...

Page 1354: ...y ipv6 Sysname acl ipv6 adv 3000 quit Sysname ripng 100 Sysname ripng 100 filter policy 3000 import graceful restart Use graceful restart to enable Graceful Restart GR for RIPng Use undo graceful rest...

Page 1355: ...es from another routing protocol Use undo import route to remove routes redistributed from another routing protocol Syntax import route direct static cost cost value route policy route policy name und...

Page 1356: ...a routing policy by its name a case sensitive string of 1 to 63 characters Usage guidelines This command redistributes only active routes To view route state information use the display ipv6 routing...

Page 1357: ...count Specifies the maximum number of RIPng packets sent by a RIPng process at each interval in the range of 1 to 30 Usage guidelines If you configure the RIPng packet sending rate for both a RIPng pr...

Page 1358: ...f no preference is set by the routing policy the preference of all RIPng routes is set by the preference command Examples Set the preference for RIPng routes to 120 Sysname system view Sysname ripng 1...

Page 1359: ...ed user roles network admin Parameters process id Specifies a RIPng process by its ID in the range of 1 to 65535 The default value is 1 vpn instance vpn instance name Specifies an MPLS L3VPN instance...

Page 1360: ...tive string of 1 to 63 characters The command advertises a default route only when a route in the routing table matches the routing policy Usage guidelines This command enables the interface to advert...

Page 1361: ...a RIPng interface Use undo ripng ipsec profile to remove the IPsec profile from the RIPng interface Syntax ripng ipsec profile profile name undo ripng ipsec profile Default No IPsec profile is applie...

Page 1362: ...ound RIPng routes Sysname system view Sysname interface vlan interface 100 Sysname Vlan interface100 ripng metricin 12 ripng metricout Use ripng metricout to configure an interface to add a metric to...

Page 1363: ...the range of 10 to 100 milliseconds count Specifies the maximum number of RIPng packets sent at each interval in the range of 1 to 30 Usage guidelines If you set the RIPng packet sending rate for both...

Page 1364: ...g primary path detect bfd Default BFD single hop echo detection is disabled for RIPng FRR Views Interface view Predefined user roles network admin Usage guidelines For quicker RIPng FRR use BFD single...

Page 1365: ...y network to be advertised through an interface Use undo ripng summary address to remove a summary network Syntax ripng summary address ipv6 address prefix length undo ripng summary address ipv6 addre...

Page 1366: ...in Parameters maximum interval Specifies the maximum interval for sending triggered updates in the range of 1 to 5 seconds minimum interval Specifies the minimum interval for sending triggered updates...

Page 1367: ...for a route is received before the timer expires RIPng sets the metric of the route to 16 Suppress timer How long a RIPng route stays in suppressed state When the metric of a route becomes 16 the rou...

Page 1368: ...tree 41 display ospfv3 statistics 44 display ospfv3 vlink 48 enable ipsec profile 49 event log 50 fast reroute OSPFv3 view 51 filter OSPFv3 area view 51 filter policy export OSPFv3 view 52 filter poli...

Page 1369: ...log 77 reset ospfv3 process 78 reset ospfv3 redistribution 79 reset ospfv3 statistics 79 router id 79 silent interface OSPFv3 view 80 snmp context name 81 snmp trap rate limit 81 snmp agent trap enab...

Page 1370: ...fines the network ID not advertise Specifies not to advertise the summary IPv6 route If you do not specify this keyword the command advertises the IPv6 summary route cost cost value Specifies the cost...

Page 1371: ...x length cost cost value not advertise nssa only tag tag undo asbr summary ipv6 address prefix length Default Route summarization is not configured on an ASBR Views OSPFv3 view Predefined user roles n...

Page 1372: ...xamples Configure a summary route 2000 16 and specify a cost of 100 and a tag value of 2 for the summary route Sysname system view Sysname ospfv3 1 Sysname ospfv3 1 asbr summary 2000 16 cost 100 tag 2...

Page 1373: ...sname system view Sysname ospfv3 1 Sysname ospfv3 1 area 1 Sysname ospfv3 1 area 0 0 0 1 authentication mode keychain test bandwidth reference OSPFv3 view Use bandwidth reference to set a reference ba...

Page 1374: ...roles network admin Parameters tag Specifies a tag for redistributed routes in the range of 0 to 4294967295 Usage guidelines If you do not set a tag for redistributed routes by using the default rout...

Page 1375: ...1 area 0 0 0 1 default cost 60 Related commands nssa OSPFv3 area view stub OSPFv3 area view default route advertise OSPFv3 view Use default route advertise to redistribute a default route into the OS...

Page 1376: ...lt route in an AS external LSA into the OSPFv3 routing domain A default route exists in the routing table The always keyword is specified The routing policy modifies values in the AS external LSA tag...

Page 1377: ...id 0 0 0 0 DN bit check Enabled DN bit set Enabled Originating router LSAs with maximum metric Condition On startup for 600 seconds State Inactive Advertise summary LSAs with metric 16711680 Advertis...

Page 1378: ...0 MTU 1440 Default cost 1 Created by Vlink Process reset state N A Current reset type N A Reset prepare message replied Reset process message replied Reset phase of module M N A P N A S N A C N A R N...

Page 1379: ...the check is enabled for the route tag in OSPFv3 LSAs of the OSPFv3 process Multi VPN Instance Whether the OSPFv3 process supports PE or multiple VPN instances Multi VPN Instance Disabled The process...

Page 1380: ...As SNMP trap rate limit interval 10 Count 7 The OSPFv3 process can output a maximum of seven notifications within 10 seconds Area count Total number of areas Stub area count Number of stub areas NSSA...

Page 1381: ...culation inter AS Calculating AS external routes Calculation end Ending phase of calculation N A Route calculation is not triggered Redistribute timer Route redistribution timer status on or off Redis...

Page 1382: ...lete intra AS Delete intra AS routes Delete inter AS Delete AS external routes Delete ASBR Delete ASBR routes Route redistribution R module N A Not reset Delete import Delete redistributed routes IPse...

Page 1383: ...BkInterface Vlan101 NextHop FE80 1 1 1 BkNexthop FE80 1 2 2 Cost 1 Destination 1 1 1 3 Rtr Type ASBR Area 0 0 0 0 Path Type Intra Interface Vlan103 BkInterface Vlan104 NextHop FE80 2 1 1 BkNexthop FE...

Page 1384: ...BR summary routes for all OSPFv3 areas ipv6 address prefix length Specifies an IPv6 address The ipv6 address argument specifies an IPv6 prefix The prefix length argument specifies a prefix length in t...

Page 1385: ...nation Metric 1000 4 10 3 96 1 1000 4 11 3 96 1 Table 4 Command output Field Description Destination Destination address of a summarized route Metric Metric of a summarized route display ospfv3 asbr s...

Page 1386: ...1000 4 32 Status Advertise NULL0 Active Cost 1 Configured Tag Not configured Nssa only Not configured Routes count 2 Table 5 Command output Field Description Total summary addresses Total number of s...

Page 1387: ...stributed Type Type of the summarized route Metric Metric of the summarized route display ospfv3 event log Use display ospfv3 event log to display OSPFv3 log information Syntax display ospfv3 process...

Page 1388: ...dvRtr 1 3 3 3 Seq 80000001 Table 7 Command output Field Description Received MaxAge LSA from X X X X The device received an LSA that has reached the maximum age from X X X X Flushed MaxAge LSA by itse...

Page 1389: ...rea LSA changes External LSA External LSA changes Configuration Configuration changes Area 0 full neighbor Number of FULL state neighbors in Area 0 changes Area 0 up interface Number of interfaces in...

Page 1390: ...sions BFDDown The interface is shut down by BFD SilentInt The interface is configured as a silent interface ConfStubArea The interface is configured with stub area parameters ConfNssaArea The interfac...

Page 1391: ...utput Field Description OSPFv3 Process 1 with Router ID 3 3 3 3 The GR status of OSPFv3 process 1 with router ID 3 3 3 3 is displayed Graceful restart capability Whether OSPFv3 GR is enabled Enabled D...

Page 1392: ...r BDR changes Helper Reason that the helper exited most recently None Completed GR is completed Received 1 way hello The device receives 1 way hello packets from the neighbor Grace Period timer is fir...

Page 1393: ...sit Area up interface count 3 Interface 5506 Vlan interface3 Instance ID 0 Restarter state Normal State DR Type Broadcast Last exit reason Restarter None Helper None Neighbor count of this interface 0...

Page 1394: ...f up interfaces in the area Interface Interface in the area or the output interface of the virtual link Restarter state Restarter state on the interface State Interface state Type Interface network ty...

Page 1395: ...fy the interface type interface number argument or the verbose keyword this command displays brief information about all OSPFv3 interfaces Examples Display OSPFv3 information about VLAN interface 1 Sy...

Page 1396: ...outer on the network DROther The router is a DR Other router on the attached network Type Network type of the interface PTP P2P PTMP P2MP Broadcast or NBMA MTU MTU value of the interface Priority DR p...

Page 1397: ...s LSDB information for all processes external Displays AS external LSAs Type 5 LSAs grace Displays Grace LSAs Type 11 LSAs inter prefix Displays Inter area prefix LSAs Type 3 LSAs inter router Display...

Page 1398: ...state ID Origin router Age SeqNumber Checksum 0 15 0 8 2 2 2 2 0019 0x80000007 0x599e Intra Area Prefix LSA Area 0 0 0 1 Link state ID Origin router Age SeqNumber Checksum Prefix Reference 0 0 0 2 2...

Page 1399: ...tate ID Link state ID Originating router Originating router LS seq number LSA sequence number Checksum LSA checksum Length LSA length Priority Router priority Options Options Link Local address Link l...

Page 1400: ...m Prefix 0 15 0 8 2 2 2 2 0691 0x80000041 0x8315 1 SendCnt 0 RxmtCnt 0 Status Stale 0 0 0 3 1 1 1 1 0623 0x80000001 0x0fee 1 SendCnt 0 RxmtCnt 0 Status Stale Router LSA Area 0 0 0 1 Link state ID Orig...

Page 1401: ...OSPFv3 next hop information Syntax display ospfv3 process id nexthop Views Any view Predefined user roles network admin network operator Parameters process id Specifies an OSPFv3 process by its ID in...

Page 1402: ...ocess id Specifies an OSPFv3 process by its ID in the range of 1 to 65535 If you do not specify this argument the command displays OSPFv3 NSR information for all OSPFv3 processes Examples Display OSPF...

Page 1403: ...not specify an area this command displays neighbor information for all areas interface type interface number Specifies an interface by its type and number verbose Displays detailed neighbor informati...

Page 1404: ...0 00 33 Neighbor is up for 00 24 19 Authentication sequence high 0 low 59755 Neighbor state change count 205 Database Summary List 0 Link State Request List 0 Link State Retransmission List 0 Neighbor...

Page 1405: ...uthentication sequence number carried in the received packets The high 32 bit value is 0 and the low 32 bit value is 59755 Neighbor state change count Count of neighbor state changes Database Summary...

Page 1406: ...has been accomplished between neighbors Total Total number of neighbors under the same state display ospfv3 request queue Use display ospfv3 request queue to display OSPFv3 request list information S...

Page 1407: ...uence number Nbr ID Neighbor ID Request list Request list information Type LSA type LinkState ID Link state ID AdvRouter Advertising router SeqNum LSA sequence number Age LSA age CkSum Checksum displa...

Page 1408: ...eighbors Examples Display OSPFv3 retransmission list information Sysname display ospfv3 retrans queue OSPFv3 Process 1 with Router ID 1 1 1 1 Area 0 0 0 0 Interface Vlan interface100 Nbr ID 1 2 2 2 Re...

Page 1409: ...external route N1 Type 1 NSSA route IA Inter area route E2 Type 2 external route N2 Type 2 NSSA route Selected route Destination 1 64 Type IA Area 0 0 0 1 AdvRouter 2 2 2 2 Preference 10 NibID 0x2300...

Page 1410: ...e Use display ospfv3 spf tree to display OSPFv3 SPF tree information Syntax display ospfv3 process id area area id spf tree verbose Views Any view Predefined user roles network admin network operator...

Page 1411: ...router ID Node type Network Network node Router Router node Node flag I The node is in initialization state A The node is on the candidate list S The node is on the SPF tree R The node is directly con...

Page 1412: ...21 Interface Vlan102 NhFlag Valid BkInterface Vlan103 RefCount 4 Nexthop FE80 20C 29FF FED7 F308 BkNexthop FE80 4 SPFLink count 1 AdvID 1 1 1 1 LsID 0 0 0 0 IntID 232 NbrIntID 465 NbrID 2 2 2 2 LinkT...

Page 1413: ...is in initialization state P The peer is the parent node C The peer is the child node D The link is to be deleted H The next hop is changed V When the peer node is deleted or added the peer node is n...

Page 1414: ...number If you do not specify this argument the command displays statistics for all interfaces Examples Display OSPFv3 statistics Sysname display ospfv3 statistics OSPFv3 Process 1 with Router ID 1 1...

Page 1415: ...Area Prefix LSA Number of Type 9 LSAs Grace LSA Number of Type 11 LSAs Unknown LSA Number of Unknown LSAs Total Total number Routes Statistics Number of routes Intra Area Intra area routes Inter Area...

Page 1416: ...l links HELLO Hello time mismatch Hello packets with mismatched hello timer HELLO Dead time mismatch Hello packets with mismatched dead timer HELLO Ebit option mismatch Hello packets with mismatched E...

Page 1417: ...0 0 1 Interface Vlan interface101 DD LSR LSU ACK Total Input 16 0 45 7 68 Output 17 1 7 44 69 Interface Vlan interface102 DD LSR LSU ACK Total Input 41 13 720 719 1493 Output 54 41 750 713 1558 Table...

Page 1418: ...te Neighbor state Down Init 2 Way ExStart Exchange Loading or Full Interface Number and name of the local interface on the virtual link Cost Interface route cost State Interface state Type Virtual lin...

Page 1419: ...1 area 0 0 0 0 enable ipsec profile profile001 event log Use event log to set the maximum number of OSPFv3 logs Use undo event log to remove the configuration Syntax event log lsa flush peer spf size...

Page 1420: ...designate a backup next hop The route policy name argument is a case sensitive string of 1 to 63 characters Usage guidelines Do not use the fast reroute lfa command together with the vlink peer comma...

Page 1421: ...applied to a VPN instance the rule does not take effect If a rule in the specified ACL is not applied to any VPN instance the rule takes effect on both VPN packets and public network packets Examples...

Page 1422: ...permit a route with the specified destination and prefix use rule rule id deny permit ipv6 source sour sour prefix destination dest dest prefix The source keyword specifies the destination address of...

Page 1423: ...ter routes by destination route policy route policy name Specifies a routing policy by its name a case sensitive string of 1 to 63 characters to filter received routes Usage guidelines When you specif...

Page 1424: ...restart enable Default The GR capability for OSPFv3 is disabled Views OSPFv3 view Predefined user roles network admin Parameters global Enables global GR In global GR mode a GR process can be complet...

Page 1425: ...r capability for OSPFv3 Use undo graceful restart helper enable to disable the GR helper capability for OSPFv3 Syntax graceful restart helper enable planned only undo graceful restart helper enable De...

Page 1426: ...A change on the GR helper is detected the GR helper device exits the GR helper mode Examples Enable strict LSA checking for the GR helper in OSPFv3 process 1 Sysname system view Sysname ospfv3 1 Sysna...

Page 1427: ...oute direct ospfv3 ripng process id all processes static Default OSPFv3 route redistribution is disabled Views OSPFv3 view Predefined user roles network admin Parameters direct Redistributes direct ro...

Page 1428: ...include the following types Type 1 external routes Have high credibility The cost of Type 1 external routes is comparable with the cost of OSPFv3 internal routes The cost of a Type 1 external route eq...

Page 1429: ...rval to restore the default Syntax lsa generation interval maximum interval minimum interval incremental interval undo lsa generation interval Default The maximum interval is 5 seconds the minimum int...

Page 1430: ...ntax non stop routing undo non stop routing Default OSPFv3 NSR is disabled Views OSPFv3 view Predefined user roles network admin Usage guidelines This command takes effect only for the current process...

Page 1431: ...icy is matched the command redistributes a default route in a Type 7 LSA into the OSPFv3 routing domain The routing policy modifies values in the Type 7 LSA tag tag Specifies a tag for the default rou...

Page 1432: ...OSPFv3 process by its ID in the range of 1 to 65535 The default process ID is 1 vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 character...

Page 1433: ...nce 1 of OSPFv3 process 1 in Area 1 Sysname system view Sysname interface vlan interface 10 Sysname Vlan interface10 ospfv3 1 area 1 instance 1 ospfv3 authentication mode Use ospfv3 authentication mod...

Page 1434: ...discards the packet OSPFv3 supports only the HMAC SHA 256 authentication algorithm The ID of keys used for authentication can only be in the range of 0 to 65535 Examples Configure GigabitEthernet 1 0...

Page 1435: ...ser roles network admin Parameters cost value Specifies an OSPFv3 cost in the range of 0 to 65535 for a loopback interface and in the range of 1 to 65535 for other interfaces instance instance id Spec...

Page 1436: ...v3 fast reroute lfa backup exclude instance instance id undo ospfv3 fast reroute lfa backup exclude instance instance id Default LFA is enabled on an interface Views Interface view Predefined user rol...

Page 1437: ...ile profile001 to VLAN interface 10 Sysname system view Sysname interface vlan interface 10 Sysname Vlan interface10 ospfv3 ipsec profile profile001 ospfv3 mib binding Use ospfv3 mib binding to bind a...

Page 1438: ...the range of 0 to 255 The default is 0 Usage guidelines A neighbor relationship can be established only if the interface s MTU is the same as that of the peer Examples Configure VLAN interface 10 tha...

Page 1439: ...t use the peer command to specify the neighbor When the network type of an interface is P2MP unicast all OSPFv3 packets are unicast by the interface Examples Specify the OSPFv3 network type for VLAN i...

Page 1440: ...r fe80 1111 ospfv3 prefix suppression Use ospfv3 prefix suppression to disable an OSPFv3 interface from advertising all its prefixes Use undo ospfv3 prefix suppression to remove the configuration Synt...

Page 1441: ...stance instance id Specifies an instance by its ID in the range of 0 to 255 The default is 0 Usage guidelines This command enables OSPFv3 FRR to use BFD to detect primary link failures Examples On VLA...

Page 1442: ...network segment Examples Set the OSPFv3 neighbor dead time to 60 seconds for VLAN interface 10 Sysname system view Sysname interface vlan interface 10 Sysname Vlan interface10 ospfv3 timer dead 60 Re...

Page 1443: ...l instance instance id Default The poll interval is 120 seconds on an interface Views Interface view Predefined user roles network admin Parameters seconds Specifies the poll interval in the range of...

Page 1444: ...ry retransmissions set an appropriate retransmission interval For example you can set a large retransmission interval value on a low speed link Examples Set the LSA retransmission interval to 12 secon...

Page 1445: ...Predefined user roles network admin Parameters ase Specifies a preference for OSPFv3 external routes If you do not specify this keyword the command sets a preference for OSPFv3 internal routes prefer...

Page 1446: ...the interfaces by using the ospfv3 prefix suppression command When prefix suppression is enabled OSPFv3 does not advertise the prefixes of suppressed interfaces in Type 8 LSAs On broadcast and NBMA ne...

Page 1447: ...ss Use reset ospfv3 process to restart OSPFv3 processes Syntax reset ospfv3 process id process graceful restart Views User view Predefined user roles network admin Parameters process id Specifies an O...

Page 1448: ...reset ospfv3 redistribution reset ospfv3 statistics Use reset ospfv3 statistics to clear OSPFv3 statistics Syntax reset ospfv3 process id statistics Views User view Predefined user roles network admin...

Page 1449: ...ace OSPFv3 view Use silent interface to disable the specified interface from receiving and sending OSPFv3 packets Use undo silent interface to remove the configuration Syntax silent interface interfac...

Page 1450: ...s context name Specifies a context name a case sensitive string of 1 to 32 characters Usage guidelines The standard OSPFv3 MIB provides only single instance MIB objects For SNMP to correctly identify...

Page 1451: ...ew Sysname ospfv3 100 Sysname ospfv3 100 snmp trap rate limit interval 5 count 10 snmp agent trap enable ospfv3 Use snmp agent trap enable ospfv3 to enable SNMP notifications for OSPFv3 Use undo snmp...

Page 1452: ...virtif state change Specifies notifications about virtual interface state changes virtgrhelper status change Specifies notifications about neighbor GR helper state changes of a virtual interface virt...

Page 1453: ...be greater than the maximum interval Examples Set the maximum SPF calculation interval to 10 seconds minimum interval to 500 milliseconds and incremental interval to 300 milliseconds Sysname system vi...

Page 1454: ...max metric value Specifies a cost for external LSAs in the range of 1 to 16777215 The default is 16711680 summary lsa max metric value Specifies a cost for Type 3 and Type 4 LSAs in the range of 1 to...

Page 1455: ...he range of 10 to 1000 milliseconds If the router has multiple OSPFv3 interfaces increase the interval to reduce the total number of LSU packets sent by the router every second count count Specifies t...

Page 1456: ...l in the range of 1 to 3600 seconds The default is 5 trans delay seconds Specifies the transmission delay interval in the range of 1 to 3600 seconds The default is 1 Usage guidelines You can configure...

Page 1457: ...btain a valid accept key from the keychain OSPFv3 discards the packet if it fails to obtain a valid accept key 2 Uses the authentication algorithm and key string for the valid accept key to authentica...

Page 1458: ...d route 2 display ipv6 policy based route interface 3 display ipv6 policy based route local 5 display ipv6 policy based route setup 6 if match acl 7 ipv6 local policy based route 8 ipv6 policy based r...

Page 1459: ...name option or the inbound vpn keyword the next hop belongs to the public network direct Specifies that the next hop must be directly connected to take effect track track entry number Specifies a tra...

Page 1460: ...ased route Use display ipv6 policy based route to display IPv6 PBR policy information Syntax display ipv6 policy based route policy policy name Views Any view Predefined user roles network admin netwo...

Page 1461: ...Specifies an interface by its type and number slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command displays IPv6 interface PBR configurat...

Page 1462: ...mand For a global interface for example a VLAN interface which might have member physical interfaces on multiple slots specify a slot that contains its member interfaces For a physical interface speci...

Page 1463: ...y based route statistics display ipv6 policy based route local Use display ipv6 policy based route local to display IPv6 local PBR configuration and statistics Syntax display ipv6 policy based route l...

Page 1464: ...of successful matches on all nodes Related commands reset ipv6 policy based route statistics display ipv6 policy based route setup Use display ipv6 policy based route setup to display IPv6 PBR configu...

Page 1465: ...IPv6 ACL by its name a case insensitive string of 1 to 63 characters starting with a letter The ACL name cannot be all For the command to take effect make sure the specified IPv6 ACL is a basic or ad...

Page 1466: ...ply a new policy you must first remove the current policy IPv6 local PBR is used to route locally generated packets except the packets destined for the sender This feature might affect local services...

Page 1467: ...v6 policy based route to delete an IPv6 policy or IPv6 policy node Syntax ipv6 policy based route policy name deny permit node node number undo ipv6 policy based route policy name deny node node numbe...

Page 1468: ...splay ipv6 policy based route reset ipv6 policy based route statistics Use reset ipv6 policy based route statistics to clear IPv6 PBR statistics Syntax reset ipv6 policy based route statistics policy...

Page 1469: ...interface 6 if match route type 7 if match tag 8 route policy 8 route policy change delay time 9 IPv4 routing policy commands 10 apply fast reroute 10 apply ip address next hop 11 display ip prefix l...

Page 1470: ...alue Specifies a cost in the range of 0 to 4294967295 Examples Configure node 10 in permit mode for routing policy policy1 to set a cost of 120 for OSPF external routes Sysname system view Sysname rou...

Page 1471: ...ence to set an IP precedence for matching routes Use undo apply ip precedence to restore the default Syntax apply ip precedence value clear undo apply ip precedence Default No IP precedence is set Vie...

Page 1472: ...ocol Unmatched routing protocols still use the preferences set by using the preference command Examples Configure node 10 in permit mode for routing policy policy1 to set the preference for OSPF exter...

Page 1473: ...tical apply tag Use apply tag to set a tag for IGP routes Use undo apply tag to restore the default Syntax apply tag tag value undo apply tag Default No routing tag is set for IGP routes Views Routing...

Page 1474: ...y route policy Use display route policy to display routing policy information Syntax display route policy name route policy name Views Any view Predefined user roles network admin network operator Par...

Page 1475: ...the range of 0 to 4294967295 Examples Configure node 10 in permit mode for routing policy policy1 to permit routes with a cost of 8 Sysname system view Sysname route policy policy1 permit node 10 Sys...

Page 1476: ...sa external type1or2 nssa external type2 undo if match route type external type1 external type1or2 external type2 internal nssa external type1 nssa external type1or2 nssa external type2 Default No rou...

Page 1477: ...IGP routes that have a tag of 8 Sysname system view Sysname route policy policy1 permit node 10 Sysname route policy policy1 10 if match tag 8 route policy Use route policy to create a routing policy...

Page 1478: ...ses of a node is logical AND All the if match clauses must be met The relation between nodes is logical OR A packet passing a node passes the routing policy If a packet does not pass any nodes the pac...

Page 1479: ...ommand Then execute the undo form of the command after you complete the configuration If you modify the routing policy change delay timer before it expires the timer will be reset Examples Set the rou...

Page 1480: ...next hop is set for IPv4 routes Views Routing policy node view Predefined user roles network admin Parameters ip address Specifies the next hop IP address public Specifies the public network vpn inst...

Page 1481: ...list abc Sysname display ip prefix list name abc Prefix list abc Permitted 0 Denied 0 index 10 Deny 6 6 6 0 24 ge 26 le 28 Table 2 Command output Field Description Prefix list Name of the IPv4 prefix...

Page 1482: ...rs Usage guidelines When you specify an IPv4 ACL follow these guidelines If the specified ACL does not exist or has no rules all IPv4 routes can match the ACL If a rule in the specified ACL is applied...

Page 1483: ...e greater equal keyword means greater than or equal to and the less equal keyword means less than or equal to The prefix length range relation is mask length min mask length max mask length 32 If only...

Page 1484: ...ds apply ipv6 fast reroute Use apply ipv6 fast reroute to set a backup link for fast reroute FRR Use undo apply ipv6 fast reroute to restore the default Syntax apply ipv6 fast reroute backup interface...

Page 1485: ...et for IPv6 routes Views Routing policy node view Predefined user roles network admin Parameters ipv6 address Specifies the next hop IPv6 address Usage guidelines If you use this command to set a next...

Page 1486: ...ied Number of routes not matching the criterion index Index number of an item permit Match mode of the item Permit Deny 6 64 IPv6 address and prefix length for matching ge Greater equal the lower pref...

Page 1487: ...d ACL is applied to a VPN instance the rule does not take effect If a rule in the specified ACL is not applied to any VPN instance the rule takes effect on both VPN packets and public network packets...

Page 1488: ...f only the min prefix length argument is specified the prefix length range is min prefix length 128 If only the max prefix length argument is specified the prefix length range is prefix length max pre...

Page 1489: ...s network admin Parameters prefix list name Specifies an IPv6 prefix list by its name a case sensitive string of 1 to 63 characters If you do not specify this argument the command clears statistics fo...

Page 1490: ...H3C IE4300 IE4300 M IE4320 Industrial Switch Series IP Multicast Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 20230116...

Page 1491: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 1492: ...actual values Square brackets enclose syntax choices keywords or arguments that are optional x y Braces enclose a set of required syntax choices separated by vertical bars from which you select one x...

Page 1493: ...generic network device such as a router switch or firewall Represents a routing capable device such as a router or Layer 3 switch Represents a generic switch such as a Layer 2 or Layer 3 switch or a...

Page 1494: ...ardware model configuration or software version It is normal that the port numbers sample output screenshots and other information in the examples differ from what you have on your device Documentatio...

Page 1495: ...riority 26 igmp snooping drop unknown 27 igmp snooping disable enable 28 igmp snooping fast leave 28 igmp snooping general query source ip 29 igmp snooping group limit 30 igmp snooping group policy 31...

Page 1496: ...gmp snooping router port 51 reset igmp snooping statistics 52 reset l2 multicast fast forwarding cache 52 router aging time IGMP snooping view 53 source deny IGMP snooping view 54 version IGMP snoopin...

Page 1497: ...snooping status in all VLANs Examples Display the global IGMP snooping status and the IGMP snooping status for all VLANs Sysname display igmp snooping IGMP snooping information Global Global enable E...

Page 1498: ...1 0 0 1 Host tracking Disabled Dot1p priority Proxy Disabled Table 1 Command output Field Description Global enable Global IGMP snooping status Enabled Disabled IGMP snooping IGMP snooping status in a...

Page 1499: ...sending IGMP general queries General query source IP Source IP address of IGMP general queries Special query source IP Source IP address of IGMP group specific queries Report source IP Source IP addre...

Page 1500: ...tion about dynamic IGMP snooping group entries If you do not specify this keyword the command displays brief information about dynamic IGMP snooping group entries slot slot number Specifies an IRF mem...

Page 1501: ...member device or the master device when no member device is specified Host ports 1 in total Member ports and the total number of member ports 00 03 23 Remaining aging time for the dynamic member port...

Page 1502: ...Command output Field Description VLAN VLAN ID 0 0 0 0 224 1 1 1 S G entry where 0 0 0 0 in the S position means any multicast sources Port Member port Host IP address of the host Uptime Length of tim...

Page 1503: ...n total Router ports 2 in total GE1 0 1 00 01 30 GE1 0 2 00 00 23 Table 4 Command output Field Description VLAN 2 VLAN ID Router slots 0 in total Member IDs and total number of the member devices that...

Page 1504: ...ember device by its member ID If you do not specify a member device this command displays information about static IGMP snooping group entries for the master device Examples Display detailed informati...

Page 1505: ...network admin network operator Parameters vlan vlan id Specifies a VLAN by its VLAN ID in the range of 1 to 4094 verbose Displays detailed information about static router ports If you do not specify t...

Page 1506: ...rk admin network operator Examples Display statistics for the IGMP messages and PIMv2 hello messages learned through IGMP snooping Sysname display igmp snooping statistics Received IGMP general querie...

Page 1507: ...by its VLAN ID in the range of 1 to 4094 source address Specifies a multicast source address If you do not specify a multicast source this command displays Layer 2 multicast fast forwarding entries fo...

Page 1508: ...0x2 The entry is added by multicast forwarding The following flags are available for an outgoing interface 0x1 The port is added to the entry because of packets passed through between cards 0x2 The p...

Page 1509: ...bout Layer 2 IP multicast groups for VLAN 2 Sysname display l2 multicast ip vlan 2 Total 1 entries VLAN 2 Total 1 entries 0 0 0 0 224 1 1 1 Attribute static success Host ports 1 in total GE1 0 1 S SUC...

Page 1510: ...s VLAN ID in the range of 1 to 4094 If you do not specify a VLAN this command displays Layer 2 multicast IP forwarding entries for all VLANs slot slot number Specifies an IRF member device by its memb...

Page 1511: ...r all VLANs slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command displays information about Layer 2 MAC multicast groups for the master d...

Page 1512: ...ber Specifies an IRF member device by its member ID If you do not specify a member device this command displays Layer 2 multicast MAC group entries for the master device Examples Display Layer 2 multi...

Page 1513: ...ameters this command displays all MAC address table entries including unicast MAC address entries and static multicast MAC address entries Examples Display static multicast MAC address entries for VLA...

Page 1514: ...r the value the higher the priority Usage guidelines You can set the 802 1p priority globally for all VLANs in IGMP snooping view or for a VLAN in VLAN view For a VLAN the VLAN specific configuration...

Page 1515: ...IGMP snooping view Predefined user roles network admin Parameters vlan vlan list Specifies a space separated list of up to 10 VLAN items Each item specifies a VLAN by its ID or a range of VLANs in the...

Page 1516: ...user roles network admin Parameters limit Specifies the maximum number of IGMP snooping forwarding entries in the range of 0 to 4294967295 Examples Set the global maximum number of IGMP snooping forw...

Page 1517: ...the global configuration Examples Globally enable fast leave processing for VLAN 2 Sysname system view Sysname igmp snooping Sysname igmp snooping fast leave vlan 2 Related commands igmp snooping fas...

Page 1518: ...the multicast groups that hosts can join This command does not take effect on static member ports because static member ports do not send IGMP reports You can configure a multicast group policy global...

Page 1519: ...timer for dynamic member ports is 260 seconds Views IGMP snooping view Predefined user roles network admin Parameters seconds Specifies an aging timer for dynamic member ports in the range of 1 to 80...

Page 1520: ...lly for all VLANs in IGMP snooping view or for a VLAN in VLAN view For a VLAN the global configuration has the same priority as the VLAN specific configuration Examples Enable host tracking globally S...

Page 1521: ...ulticast users can join or leave any multicast groups Views User profile view Predefined user roles network admin Parameters ipv4 acl number Specifies an IPv4 basic or advanced ACL by its number in th...

Page 1522: ...llow multicast users to join or leave only multicast group 225 1 1 1 Sysname system view Sysname acl basic 2001 Sysname acl ipv4 basic 2001 rule permit source 225 1 1 1 0 Sysname acl ipv4 basic 2001 q...

Page 1523: ...rop unknown to disable dropping unknown multicast data packets for a VLAN Syntax igmp snooping drop unknown undo igmp snooping drop unknown Default Dropping unknown multicast data packets is disabled...

Page 1524: ...IGMP snooping for a VLAN by using this command in VLAN view or for multiple VLANs by using the enable command in IGMP snooping view The configuration in VLAN view has the same priority as the configur...

Page 1525: ...leave processing for a port in interface view or globally for all ports in IGMP snooping view For a port the port specific configuration takes priority over the global configuration Examples Enable fa...

Page 1526: ...ticast groups that a port can join Use undo igmp snooping group limit to remove the limit on the maximum number of multicast groups that a port can join Syntax igmp snooping group limit limit vlan vla...

Page 1527: ...osts can join only the multicast groups that the ACL permits If the ACL does not exist or does not have valid rules hosts cannot join multicast groups vlan vlan list Specifies a space separated list o...

Page 1528: ...ticast group policy for VLAN 2 so that hosts in VLAN 2 can join only multicast group 225 1 1 1 Sysname system view Sysname acl basic 2000 Sysname acl ipv4 basic 2000 rule permit source 225 1 1 1 0 Sys...

Page 1529: ...tem view Sysname igmp snooping Sysname igmp snooping quit Sysname vlan 2 Sysname vlan2 igmp snooping enable Sysname vlan2 igmp snooping host aging time 300 Related commands enable IGMP snooping view h...

Page 1530: ...m view Sysname igmp snooping Sysname igmp snooping quit Sysname vlan 2 Sysname vlan2 igmp snooping enable Sysname vlan2 igmp snooping version 3 Sysname vlan2 quit Sysname interface gigabitethernet 1 0...

Page 1531: ...ws VLAN view Predefined user roles network admin Parameters interval Specifies an IGMP last member query interval in the range of 1 to 25 seconds Usage guidelines You must enable IGMP snooping for a V...

Page 1532: ...source IP address for IGMP leave messages Usage guidelines You must enable IGMP snooping for a VLAN before you execute this command Examples In VLAN 2 enable IGMP snooping and specify 10 1 1 1 as the...

Page 1533: ...n the IGMP general query interval Examples In VLAN 2 enable IGMP snooping and set the maximum response time for IGMP general queries to 5 seconds Sysname system view Sysname igmp snooping Sysname igmp...

Page 1534: ...0 1 enable multicast group replacement for VLAN 2 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 igmp snooping overflow replace vlan 2 Related commands overfl...

Page 1535: ...GMP snooping for a VLAN before you execute this command For a sub VLAN of a multicast VLAN this command takes effect only after you remove the sub VLAN from the multicast VLAN Examples In VLAN 2 enabl...

Page 1536: ...Sysname igmp snooping Sysname igmp snooping quit Sysname vlan 2 Sysname vlan2 igmp snooping enable Sysname vlan2 igmp snooping querier Sysname vlan2 igmp snooping querier election Related commands ig...

Page 1537: ...response time igmp snooping report source ip Use igmp snooping report source ip to configure the source IP address for IGMP reports Use undo igmp snooping report source ip to restore the default Synt...

Page 1538: ...les network admin Parameters seconds Specifies an aging timer for dynamic router ports in the range of 1 to 8097894 seconds Usage guidelines You must enable IGMP snooping for a VLAN before you execute...

Page 1539: ...e VLAN ID is in the range of 1 to 4094 If you specify VLANs this command takes effect only when the port belongs to the specified VLANs If you do not specify a VLAN this command takes effect on all VL...

Page 1540: ...cial query source ip ip address undo igmp snooping special query source ip Default In a VLAN the source IP address of IGMP group specific queries is one of the following The source address of IGMP gro...

Page 1541: ...rameters group address Specifies a multicast group address in the range of 224 0 1 0 to 239 255 255 255 source ip source address Specifies a multicast source by its IP address If you specify a multica...

Page 1542: ...2 aggregate interface view Predefined user roles network admin Parameters all Specifies all VLANs vlan vlan id Specifies a VLAN by its VLAN ID in the range of 1 to 4094 Examples Configure GigabitEthe...

Page 1543: ...le IGMP snooping view igmp snooping enable version IGMP snooping view last member query interval IGMP snooping view Use last member query interval to set the IGMP last member query interval globally U...

Page 1544: ...ticast MAC address A multicast MAC address is a MAC address in which the least significant bit of the most significant octet is 1 interface interface list Specifies a space separated list of up to fou...

Page 1545: ...response time to set the maximum response time for IGMP general queries globally Use undo max response time to restore the default Syntax max response time seconds undo max response time Default The...

Page 1546: ...an id The VLAN ID is in the range of 1 to 4094 If you do not specify a VLAN this command takes effect on all VLANs Usage guidelines This command takes effect only on the multicast groups that a port j...

Page 1547: ...24 0 1 0 to 239 255 255 255 source address Specifies a multicast source address If you do not specify a multicast source this command clears information about dynamic IGMP snooping group entries for a...

Page 1548: ...to clear statistics for IGMP messages and PIMv2 hello messages learned through IGMP snooping Syntax reset igmp snooping statistics Views User view Predefined user roles network admin Examples Clear t...

Page 1549: ...cast fast forwarding cache 20 0 0 2 225 0 0 2 Related commands display l2 multicast fast forwarding cache router aging time IGMP snooping view Use router aging time to set the aging timer for dynamic...

Page 1550: ...ber to end interface type interface number Usage guidelines You can enable this feature for the specified ports in IGMP snooping view or for a port in interface view For a port the configuration in IG...

Page 1551: ...d VLANs before you execute this command You can specify the version for the specified VLANs in IGMP snooping view or for a VLAN in VLAN view The configuration in IGMP snooping view has the same priori...

Page 1552: ...r 1 display pim snooping router port 2 display pim snooping routing table 3 display pim snooping statistics 5 pim snooping enable 5 pim snooping graceful restart join aging time 6 pim snooping gracefu...

Page 1553: ...Displays detailed information about PIM snooping neighbors If you do not specify this keyword the command displays brief information about PIM snooping neighbors Examples Display detailed information...

Page 1554: ...Syntax display pim snooping router port vlan vlan id slot slot number verbose Views Any view Predefined user roles network admin network operator Parameters vlan vlan id Specifies a VLAN by its VLAN I...

Page 1555: ...routing table to display PIM snooping routing entries Syntax display pim snooping routing table vlan vlan id slot slot number verbose Views Any view Predefined user roles network admin network operato...

Page 1556: ...no info The entry does not exist normal The entry is a correct entry Upstream neighbor Upstream neighbor of the S G or G entry Upstream Slots 0 in total Member IDs and total number of the member devi...

Page 1557: ...les network admin network operator Examples Display statistics for the PIM messages learned through PIM snooping Sysname display pim snooping statistics Received PIMv2 hello 100 Received PIMv2 join pr...

Page 1558: ...ing Sysname igmp snooping quit Sysname vlan 2 Sysname vlan2 igmp snooping enable Sysname vlan2 pim snooping enable Related commands igmp snooping igmp snooping enable pim snooping graceful restart joi...

Page 1559: ...art join aging time 600 Related commands pim snooping enable pim snooping graceful restart neighbor aging time Use pim snooping graceful restart neighbor aging time to set the aging time for global ne...

Page 1560: ...le Sysname vlan2 pim snooping graceful restart neighbor aging time 300 Related commands pim snooping enable reset pim snooping statistics Use reset pim snooping statistics to clear statistics for the...

Page 1561: ...multicast vlan 1 display multicast vlan forwarding table 2 display multicast vlan group 3 multicast vlan 5 multicast vlan entry limit 6 port multicast VLAN view 6 port multicast vlan 7 reset multicas...

Page 1562: ...about all multicast VLANs Examples Display information about all multicast VLANs Sysname display multicast vlan Total 2 multicast VLANs Multicast VLAN 100 Sub VLAN list 3 in total 2 3 6 Port list 3 in...

Page 1563: ...this command displays multicast VLAN forwarding entries for all multicast sources mask mask length mask Specifies a mask length or subnet mask for the multicast source address The value range for the...

Page 1564: ...and the total number of the sub VLANs display multicast vlan group Use display multicast vlan group to display information about multicast groups in multicast VLANs Syntax display multicast vlan grou...

Page 1565: ...tries 2 2 2 2 225 1 1 2 Flags 0x70000010 Sub VLANs 0 in total 111 112 113 115 225 1 1 4 Flags 0x70000010 Sub VLANs 0 in total 0 0 0 0 226 1 1 6 Flags 0x50000010 Sub VLANs 0 in total Table 3 Command ou...

Page 1566: ...eset multicast vlan group multicast vlan Use multicast vlan to configure a multicast VLAN and enter its view or enter the view of an existing multicast VLAN Use undo multicast vlan to remove the confi...

Page 1567: ...aximum number of multicast VLAN forwarding entries in the range of 0 to 500 Usage guidelines If the configured value is smaller than the current number of multicast VLAN forwarding entries the device...

Page 1568: ...LAN you must enable IGMP snooping for the VLANs to which the ports belong Examples Assign GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 as user ports to multicast VLAN 100 Sysname system view Sy...

Page 1569: ...ource address The value range for the mask length argument is 0 to 32 default and the default value for the mask argument is 255 255 255 255 group address Specifies a multicast group by its IP address...

Page 1570: ...1 to 4094 The specified VLANs must exist and cannot be multicast VLANs or sub VLANs of other multicast VLANs all Specifies all sub VLANs of the current multicast VLAN Usage guidelines You must enable...

Page 1571: ...ooping 24 mld snooping access policy 25 mld snooping done source ip 26 mld snooping dot1p priority 27 mld snooping drop unknown 28 mld snooping disable enable 29 mld snooping fast leave 29 mld snoopin...

Page 1572: ...ii reset mld snooping statistics 50 router aging time MLD snooping view 51 source deny MLD snooping view 51 version MLD snooping view 52...

Page 1573: ...6 excluding FFx1 16 and FFx2 16 where x and y represent any hexadecimal numbers in the range of 0 to F If you do not specify an IPv6 multicast group this command displays Layer 2 IPv6 multicast forwar...

Page 1574: ...outgoing port Enabled Available Disabled Unavailable Ingress port Incoming port of the S G entry List of 1 egress ports List of outgoing ports of the S G entry Related commands reset ipv6 l2 multicas...

Page 1575: ...of Layer 2 IPv6 multicast groups in VLAN 2 FF1E 101 S G entry where a double colon in the S position means all IPv6 multicast sources Attribute Entry attribute dynamic The entry is created by a dynami...

Page 1576: ...If you do not specify a member device this command displays Layer 2 IPv6 multicast IP forwarding entries for the master device Examples Display Layer 2 IPv6 multicast IP forwarding entries for VLAN 2...

Page 1577: ...splay information about Layer 2 IPv6 multicast MAC multicast groups for VLAN 2 Sysname display ipv6 l2 multicast mac vlan 2 Total 1 entries VLAN 2 Total 1 entries MAC group address 3333 0000 0101 Attr...

Page 1578: ...rding entries for the master device Examples Display Layer 2 IPv6 multicast MAC forwarding entries for VLAN 2 Sysname display ipv6 l2 multicast mac forwarding vlan 2 Total 1 entries VLAN 2 Total 1 ent...

Page 1579: ...rval 1s Report aggregation Enabled Host tracking Disabled Dot1p priority MLD snooping information VLAN 1 MLD snooping Enabled Drop unknown Disabled Version 1 Host aging time 260s Router aging time 260...

Page 1580: ...ging timer for the dynamic member port Router aging time Aging timer for the dynamic router port Max response time Maximum time for responding to MLD general queries Last listener query interval Inter...

Page 1581: ...16 excluding FFx1 16 and FFx2 16 where x and y represent any hexadecimal numbers in the range of 0 to F If you do not specify an IPv6 multicast group this command displays information about all dynam...

Page 1582: ...Table 7 Command output Field Description Total 1 entries Total number of dynamic MLD snooping group entries VLAN 2 Total 1 entries Total number of dynamic MLD snooping group entries in VLAN 2 FF1E 10...

Page 1583: ...in network operator Parameters vlan vlan id Specifies a VLAN by its VLAN ID in the range of 1 to 4094 group ipv6 group address Specifies an IPv6 multicast group by its IPv6 address The value range for...

Page 1584: ...outer port information Syntax display mld snooping router port vlan vlan id verbose slot slot number Views Any view Predefined user roles network admin network operator Parameters verbose Displays det...

Page 1585: ...port is on the master device and no member device is specified Related commands reset mld snooping router port display mld snooping static group Use display mld snooping static group to display infor...

Page 1586: ...oup entries VLAN 2 Total 1 entries Total number of static MLD snooping group entries in VLAN 2 FF1E 101 S G entry where a double colon in the S position means all IPv6 multicast sources Attribute Entr...

Page 1587: ...2 Sysname display mld snooping static router port vlan 2 VLAN 2 Router ports 2 in total GE1 0 1 GE1 0 2 Display detailed information about static router ports for VLAN 2 Sysname display mld snooping s...

Page 1588: ...ved IPv6 PIM hello 0 Received error MLD messages 0 Table 12 Command output Field Description general queries Number of MLD general queries specific queries Number of MLD multicast address specific que...

Page 1589: ...s to 3 globally Sysname system view Sysname mld snooping Sysname mld snooping dot1p priority 3 Related commands mld snooping dot1p priority dscp Use dscp to set the DSCP value for outgoing MLD protoco...

Page 1590: ...must enable the MLD snooping feature by using the mld snooping command before you enable MLD snooping for VLANs You can enable MLD snooping for multiple VLANs by using this command in MLD snooping vie...

Page 1591: ...an list undo fast leave vlan vlan list Default Fast leave processing is disabled Views MLD snooping view Predefined user roles network admin Parameters vlan vlan list Specifies a space separated list...

Page 1592: ...ork admin Usage guidelines To configure other MLD snooping features for VLANs you must enable MLD snooping for the specific VLANs even though MLD snooping is enabled globally Examples Enable MLD snoop...

Page 1593: ...er the global configuration When you configure a rule in the IPv6 ACL follow these restrictions and guidelines For the rule to take effect do not specify the vpn instance vpn instance option In a basi...

Page 1594: ...a VLAN the VLAN specific configuration takes priority over the global configuration To avoid mistakenly deleting IPv6 multicast group members set the aging timer for dynamic member ports to be greater...

Page 1595: ...ld snooping host tracking last listener query interval MLD snooping view Use last listener query interval to set the MLD last listener query interval globally Use undo last listener query interval to...

Page 1596: ...mum response time for MLD general queries in the range of 1 to 3174 seconds Usage guidelines You can set the time globally for all VLANs in MLD snooping view or for a VLAN in VLAN view For a VLAN the...

Page 1597: ...trol policy Use undo mld snooping access policy to delete an MLD snooping access control policy Syntax mld snooping access policy ipv6 acl number undo mld snooping access policy ipv6 acl number all De...

Page 1598: ...me range name option take effect If the vpn instance vpn instance option is specified in the rule the rule does not take effect If the vpn instance vpn instance option is not specified in the rule the...

Page 1599: ...ty to set the 802 1p priority for MLD messages in a VLAN Use undo mld snooping dot1p priority to restore the default Syntax mld snooping dot1p priority priority undo mld snooping dot1p priority Defaul...

Page 1600: ...t data packets for a VLAN Syntax mld snooping drop unknown undo mld snooping drop unknown Default Dropping unknown IPv6 multicast data packets is disabled Unknown IPv6 multicast data packets are flood...

Page 1601: ...for a VLAN by using this command in VLAN view or for multiple VLANs by using the enable command The configuration in VLAN view has the same priority as the configuration in MLD snooping view and the...

Page 1602: ...r all ports in MLD snooping view For a port the port specific configuration takes priority over the global configuration Examples Enable fast leave processing for VLAN 2 on GigabitEthernet 1 0 1 Sysna...

Page 1603: ...remove the limit on the maximum number of IPv6 multicast groups that a port can join Syntax mld snooping group limit limit vlan vlan list undo mld snooping group limit vlan vlan list Default No limit...

Page 1604: ...mits If the ACL does not exist or does not have valid rules hosts cannot join IPv6 multicast groups vlan vlan list Specifies a space separated list of up to 10 VLAN items Each item specifies a VLAN by...

Page 1605: ...ame system view Sysname acl ipv6 basic 2000 Sysname acl ipv6 basic 2000 rule permit source ff03 101 128 Sysname acl ipv6 basic 2000 quit Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet...

Page 1606: ...w host aging time MLD snooping view mld snooping enable mld snooping host join Use mld snooping host join to configure a port as a simulated member host for an IPv6 multicast group or an IPv6 multicas...

Page 1607: ...e IPv6 multicast group FF3E 101 in VLAN 2 Sysname system view Sysname mld snooping Sysname mld snooping quit Sysname vlan 2 Sysname vlan2 mld snooping enable Sysname vlan2 quit Sysname interface gigab...

Page 1608: ...ew Predefined user roles network admin Parameters interval Specifies an MLD last listener query interval in the range of 1 to 25 seconds Usage guidelines You must enable MLD snooping for a VLAN before...

Page 1609: ...N in VLAN view or globally for all VLANs in MLD snooping view For a VLAN the VLAN specific configuration takes priority over the global configuration To avoid mistakenly deleting IPv6 multicast group...

Page 1610: ...s This command takes effect only on the IPv6 multicast groups that a port joins dynamically You can enable the IPv6 multicast group replacement feature for a port in interface view or globally for all...

Page 1611: ...er Use mld snooping querier to enable the MLD snooping querier Use undo mld snooping querier to disable the MLD snooping querier Syntax mld snooping querier undo mld snooping querier Default The MLD s...

Page 1612: ...le MLD snooping for a VLAN before you execute this command For MLD snooping querier election to take effect you must enable the MLD snooping querier Examples In VLAN 2 enable MLD snooping and enable M...

Page 1613: ...mld snooping Sysname mld snooping quit Sysname vlan 2 Sysname vlan2 mld snooping enable Sysname vlan2 mld snooping query interval 20 Related commands enable MLD snooping view max response time mld sn...

Page 1614: ...to set the aging timer for dynamic router ports in a VLAN Use undo mld snooping router aging time to restore the default Syntax mld snooping router aging time seconds undo mld snooping router aging ti...

Page 1615: ...face view Predefined user roles network admin Parameters vlan vlan list Specifies a space separated list of up to 10 VLAN items Each item specifies a VLAN by its ID or a range of VLANs in the form of...

Page 1616: ...MLD snooping view mld snooping special query source ip Use mld snooping special query source ip to configure the source IPv6 address for MLD multicast address specific queries Use undo mld snooping sp...

Page 1617: ...static group ipv6 group address source ip ipv6 source address vlan vlan id undo mld snooping static group ipv6 group address source ip ipv6 source address vlan vlan id all Default A port is not a sta...

Page 1618: ...remove the configuration of static router ports Syntax mld snooping static router port vlan vlan id undo mld snooping static router port all vlan vlan id Default A port is not a static router port Vie...

Page 1619: ...t Examples In VLAN 2 enable MLD snooping and specify MLD snooping version 2 Sysname system view Sysname mld snooping Sysname mld snooping quit Sysname vlan 2 Sysname vlan2 mld snooping enable Sysname...

Page 1620: ...cement feature for VLAN 2 Sysname system view Sysname mld snooping Sysname mld snooping overflow replace vlan 2 Related commands mld snooping overflow replace report aggregation MLD snooping view Use...

Page 1621: ...group FF1E 2 Sysname reset ipv6 l2 multicast fast forwarding cache FF1E 2 Related commands display ipv6 l2 multicast fast forwarding cache reset mld snooping group Use reset mld snooping group to cle...

Page 1622: ...094 If you do not specify a VLAN this command clears dynamic router port information for all VLANs Examples Clear information about all dynamic router ports Sysname reset mld snooping router port all...

Page 1623: ...r for a VLAN in VLAN view For a VLAN the VLAN specific configuration takes priority over the global configuration Examples Set the global aging timer for dynamic router ports to 100 seconds Sysname sy...

Page 1624: ...MLD snooping view Use version to specify an MLD snooping version for VLANs Use undo version to restore the default Syntax version version number vlan vlan list undo version vlan vlan list Default The...

Page 1625: ...name system view Sysname mld snooping Sysname mld snooping enable vlan 2 to 10 Sysname mld snooping version 2 vlan 2 to 10 Related commands enable MLD snooping view mld snooping enable mld snooping ve...

Page 1626: ...pv6 pim snooping router port 2 display ipv6 pim snooping routing table 3 display ipv6 pim snooping statistics 5 ipv6 pim snooping enable 6 ipv6 pim snooping graceful restart join aging time 6 ipv6 pim...

Page 1627: ...the master device verbose Displays detailed information about IPv6 PIM snooping neighbors If you do not specify this keyword the command displays brief information about IPv6 PIM snooping neighbors E...

Page 1628: ...port Use display ipv6 pim snooping router port to display IPv6 PIM snooping router port information Syntax display ipv6 pim snooping router port vlan vlan id slot slot number verbose Views Any view P...

Page 1629: ...o member device is specified display ipv6 pim snooping routing table Use display ipv6 pim snooping routing table to display IPv6 PIM snooping routing entries Syntax display ipv6 pim snooping routing t...

Page 1630: ...nformation Finite state machine information for the entry delete The entry attributes have been deleted dummy The entry is a new temporary entry no info The entry does not exist normal The entry is a...

Page 1631: ...v6 pim snooping statistics to display statistics for the IPv6 PIM messages learned through IPv6 PIM snooping Syntax display ipv6 pim snooping statistics Views Any view Predefined user roles network ad...

Page 1632: ...able the MLD snooping feature and then enable MLD snooping and IPv6 PIM snooping for VLAN 2 Sysname system view Sysname mld snooping Sysname mld snooping quit Sysname vlan 2 Sysname vlan2 mld snooping...

Page 1633: ...rdinate switchover Sysname system view Sysname mld snooping Sysname mld snooping quit Sysname vlan 2 Sysname vlan2 mld snooping enable Sysname vlan2 ipv6 pim snooping enable Sysname vlan2 ipv6 pim sno...

Page 1634: ...snooping Sysname mld snooping quit Sysname vlan 2 Sysname vlan2 mld snooping enable Sysname vlan2 ipv6 pim snooping enable Sysname vlan2 ipv6 pim snooping graceful restart neighbor aging time 300 Rela...

Page 1635: ...1 display ipv6 multicast vlan forwarding table 2 display ipv6 multicast vlan group 3 ipv6 multicast vlan 5 ipv6 multicast vlan entry limit 6 ipv6 port multicast vlan 6 port IPv6 multicast VLAN view 7...

Page 1636: ...out all IPv6 multicast VLANs Examples Display information about all IPv6 multicast VLANs Sysname display ipv6 multicast vlan Total 2 IPv6 multicast VLANs IPv6 multicast VLAN 100 Sub VLAN list 3 in tot...

Page 1637: ...you do not specify an IPv6 multicast group this command displays IPv6 multicast VLAN forwarding entries for all IPv6 multicast groups prefix length Specifies a prefix length of the IPv6 multicast grou...

Page 1638: ...vlan group Use display ipv6 multicast vlan group to display information about IPv6 multicast groups in IPv6 multicast VLANs Syntax display ipv6 multicast vlan group ipv6 source address ipv6 group addr...

Page 1639: ...N 40 FF0E 10 Flags 0x10000030 Sub VLANs 1 in total VLAN 40 IPv6 multicast VLAN 20 Total 3 entries 2 2 FF0E 2 Flags 0x70000010 Sub VLANs 0 in total 22 22 FF0E 4 Flags 0x70000010 Sub VLANs 0 in total FF...

Page 1640: ...multicast vlan Use ipv6 multicast vlan to configure an IPv6 multicast VLAN and enter its view or enter the view of an existing IPv6 multicast VLAN Use undo ipv6 multicast vlan to remove the configurat...

Page 1641: ...ters limit Specifies the maximum number of IPv6 multicast VLAN forwarding entries in the range of 0 to 120 Usage guidelines If the configured value is smaller than the current number of IPv6 multicast...

Page 1642: ...bitEthernet 1 0 1 to IPv6 multicast VLAN 100 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 ipv6 port multicast vlan 100 port IPv6 multicast VLAN view Use por...

Page 1643: ...e value range for this argument is FFxy 16 excluding FFx1 16 and FFx2 16 where x and y represent any hexadecimal numbers in the range of 0 to F If you do not specify an IPv6 multicast group this comma...

Page 1644: ...0 VLAN items Each item specifies a VLAN by its ID or a range of VLANs in the form of start vlan id to end vlan id The value range for the VLAN ID is 1 to 4094 The specified VLANs must exist and cannot...

Page 1645: ...H3C IE4300 IE4300 M IE4320 Industrial Switch Series MCE Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 20230116...

Page 1646: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 1647: ...ose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choices separated by vertical bars from which you select...

Page 1648: ...s a Layer 2 or Layer 3 switch or a router that supports Layer 2 forwarding and other Layer 2 features Represents an access controller a unified wired WLAN module or the access controller engine on a u...

Page 1649: ...Documentation feedback You can e mail your comments about product documentation to info h3c com We appreciate your comments...

Page 1650: ...rt route policy 3 import route policy 4 ip binding vpn instance 5 ip vpn instance system view 6 route distinguisher VPN instance view 7 routing table limit 7 vpn id 8 vpn instance capability simple OS...

Page 1651: ...can configure IPv4 VPN parameters such as inbound and outbound routing policies Examples Enter VPN instance IPv4 address family view Sysname system view Sysname ip vpn instance vpn1 Sysname vpn insta...

Page 1652: ...e vpn instance name argument is a case sensitive string of 1 to 31 characters If you do not specify a VPN instance this command displays brief information about all VPN instances Examples Display brie...

Page 1653: ...N instance Address family IPv4 IPv4 VPN information Address family IPv6 IPv6 VPN information Export VPN Targets Export route targets Import VPN Targets Import route targets Export Route Policy Routing...

Page 1654: ...oth VPN instance IPv4 address family view and VPN instance view IPv4 VPN uses the export routing policy specified in VPN instance IPv4 address family view If you have specified export routing policies...

Page 1655: ...iew and VPN instance view IPv4 VPN uses the import routing policy specified in VPN instance IPv4 address family view If you have specified import routing policies in both VPN instance IPv6 address fam...

Page 1656: ...ve the existing association Examples Associate VLAN interface 1 with VPN instance vpn1 Sysname system view Sysname interface vlan interface 1 Sysname Vlan interface1 ip binding vpn instance vpn1 Relat...

Page 1657: ...xample 192 168 122 15 1 32 bit AS number 16 bit user defined number where the minimum value of the AS number is 65536 For example 65536 1 Usage guidelines RDs enable VPNs to use the same address space...

Page 1658: ...s active routes but generates a log message Usage guidelines Setting the maximum number of active routes for a VPN instance can prevent a PE from learning too many routes A limit configured in VPN ins...

Page 1659: ...s must have different VPN IDs A VPN ID cannot be 0 0 Examples Configure VPN ID 20 1 for VPN instance vpn1 Sysname system view Sysname ip vpn instance vpn1 Sysname vpn instance vpn1 vpn id 20 1 Related...

Page 1660: ...iews VPN instance view VPN instance IPv4 address family view VPN instance IPv6 address family view Predefined user roles network admin Parameters vpn target 1 8 Specifies a space separated list of up...

Page 1661: ...he IPv6 VPN Route targets configured in VPN instance IPv4 address family view apply only to the IPv4 VPN Route targets configured in VPN instance IPv6 address family view apply only to the IPv6 VPN IP...

Page 1662: ...ance IPv6 address family view you can configure IPv6 VPN parameters such as inbound and outbound routing policies Examples Enter VPN instance IPv6 address family view Sysname system view Sysname ip vp...

Page 1663: ...ou must disable routing loop detection for a VPN OSPFv3 process on the MCE This command is applicable only to VPN OSPFv3 processes Examples Disable routing loop detection for VPN OSPFv3 process 100 Sy...

Page 1664: ...H3C IE4300 IE4300 M IE4320 Industrial Switch Series ACL and QoS Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 20230116...

Page 1665: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 1666: ...s enclose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choices separated by vertical bars from which you s...

Page 1667: ...s a Layer 2 or Layer 3 switch or a router that supports Layer 2 forwarding and other Layer 2 features Represents an access controller a unified wired WLAN module or the access controller engine on a u...

Page 1668: ...Documentation feedback You can e mail your comments about product documentation to info h3c com We appreciate your comments...

Page 1669: ...tatistics 9 display packet filter statistics sum 11 display packet filter verbose 13 display qos acl resource 15 packet filter 16 packet filter default deny 18 reset packet filter statistics 18 rule I...

Page 1670: ...view Predefined user roles network admin Parameters ipv6 Specifies the IPv6 ACL type To specify the IPv4 ACL type do not use this keyword basic Specifies the basic ACL type advanced Specifies the adva...

Page 1671: ...enter the view of the ACL by using either of the following commands acl ipv6 name acl name for only basic ACLs and advanced ACLs acl ipv6 advanced basic mac name acl name You can change the match orde...

Page 1672: ...2999 for basic ACLs 3000 to 3999 for advanced ACLs 4000 to 4999 for Layer 2 ACLs name source acl name Specifies an existing source ACL by its name The source acl name argument is a case insensitive st...

Page 1673: ...r roles network admin Parameters interval Specifies the interval at which log entries are generated and output It must be a multiple of 5 in the range of 0 to 1440 minutes To disable the logging set t...

Page 1674: ...t have the logging keyword You can configure the ACL module to generate SNMP notifications for packet filtering and output them to the SNMP module at the output interval The notification records the n...

Page 1675: ...Sysname acl basic 2000 Sysname acl ipv4 basic 2000 description This is an IPv4 basic ACL Related commands display acl display acl Use display acl to display ACL configuration and match statistics Synt...

Page 1676: ...Description Basic IPv4 ACL 2001 Type and number of the ACL The following field information is about IPv4 basic ACL 2001 1 rule The ACL contains one rule match order is auto The match order for the ACL...

Page 1677: ...CL application information for inbound packet filtering on interface GigabitEthernet 1 0 1 Sysname display packet filter interface gigabitethernet 1 0 1 inbound Interface GigabitEthernet1 0 1 Inbound...

Page 1678: ...ult action deny for packet filtering The action permit still functions Permit The default action permit has been successfully applied for packet filtering display packet filter statistics Use display...

Page 1679: ...nd output Field Description Interface Interface to which the ACL applies Inbound policy ACL used for filtering incoming traffic Outbound policy ACL used for filtering outgoing traffic IPv4 ACL 2001 IP...

Page 1680: ...mit The default action permit has been successfully applied for packet filtering MAC default action Packet filter default action for packets that do not match any Layer 2 ACLs Deny The default action...

Page 1681: ...0 denied Display brief accumulated packet filtering statistics for IPv4 basic ACL 2000 on incoming packets Sysname display packet filter statistics sum inbound 2000 brief Sum Inbound policy IPv4 ACL 2...

Page 1682: ...ACLs 3000 to 3999 for advanced ACLs 4000 to 4999 for Layer 2 ACLs name acl name Specifies an ACL by its name The acl name argument is a case insensitive string of 1 to 63 characters slot slot number S...

Page 1683: ...t action deny has been successfully applied for packet filtering Deny Failed The device has failed to apply the default action deny for packet filtering The action permit still functions Permit The de...

Page 1684: ...g features cannot work correctly when QoS and ACL resources are insufficient Packet filtering Device login 802 1X MAC authentication For these features to work correctly reserve enough QoS and ACL res...

Page 1685: ...sources that you can apply Usage Configured and reserved resources as a percentage of total resources If the percentage is not an integer this field displays the integer part For example if the actual...

Page 1686: ...is not specified in a rule the rule applies to both VPN packets and non VPN packets The hardware count keyword in this command enables match counting in hardware for all rules in an ACL and the counti...

Page 1687: ...ACL rule Views System view Predefined user roles network admin Usage guidelines The packet filter applies the default action to all ACL applications for packet filtering The default action appears in...

Page 1688: ...keyword Examples Clear IPv4 basic ACL 2001 statistics for inbound packet filtering on GigabitEthernet 1 0 1 Sysname reset packet filter statistics interface gigabitethernet 1 0 1 inbound 2001 Related...

Page 1689: ...example if the rule numbering step is 5 and the current highest rule ID is 28 the rule is numbered 30 deny Denies matching packets permit Allows matching packets to pass protocol Specifies a protocol...

Page 1690: ...dscp dscp Specifies a DSCP priority The dscp argument can be a number in the range of 0 to 63 or in words af11 10 af12 12 af13 14 af21 18 af22 20 af23 22 af31 26 af32 28 af33 30 af41 34 af42 36 af43 3...

Page 1691: ...bootps 67 discard 9 dns 53 dnsix 90 echo 7 mobilip ag 434 mobilip mn 435 nameserver 42 netbios dgm 138 netbios ns 137 netbios ssn 139 ntp 123 rip 520 snmp 161 snmptrap 162 sunrpc 111 syslog 514 tacac...

Page 1692: ...equest 13 0 ttl exceeded 11 0 Usage guidelines Within an ACL the permit or deny statement of each rule must be unique If the rule you are creating or editing has the same deny or permit statement as a...

Page 1693: ...ftp data Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets Sysname system view Sysname acl advanced 3003 Sysname acl ipv4 adv 3003 rule permit udp source port eq...

Page 1694: ...The time range name argument is a case insensitive string of 1 to 32 characters It must start with an English letter If the time range is not configured the system creates the rule However the rule us...

Page 1695: ...ation dest address dest prefix dest address dest prefix any destination port operator port dscp dscp flow label flow label value fragment icmp6 type icmp6 type icmp6 code icmp6 message logging routing...

Page 1696: ...v6 esp Matches IPv6 ESP packets 51 ipv6 ah Matches IPv6 AH packets 89 ospf Matches OSPF packets Table 12 describes the parameters that you can specify regardless of the value for the protocol argument...

Page 1697: ...e applies to all types of IPv6 routing headers hop by hop type hop type Specifies an IPv6 Hop by Hop Options header type hop type Value of the IPv6 Hop by Hop Options header type in the range of 0 to...

Page 1698: ...a UDP or TCP destination port ack ack value fin fin value psh psh value rst rst value syn syn value urg urg value Specifies one or more TCP flags including ACK FIN PSH RST SYN and URG Parameters spec...

Page 1699: ...it statement as another rule in the ACL the rule will not be created or changed You can edit ACL rules only when the match order is config To view the existing IPv6 basic and advanced ACL rules use th...

Page 1700: ...p destination port eq snmptrap Create IPv6 advanced ACL 3004 and configure two rules one permits packets with the Hop by Hop Options header type as 5 and the other one denies packets with other Hop by...

Page 1701: ...ource prefix source address source prefix any Matches a source IPv6 address The source address argument specifies a source IPv6 address The source prefix argument specifies an address prefix length in...

Page 1702: ...e acl ipv6 basic 2000 Sysname acl ipv6 basic 2000 rule permit source 1001 16 Sysname acl ipv6 basic 2000 rule permit source 3124 1123 32 Sysname acl ipv6 basic 2000 rule permit source fe80 5060 1001 4...

Page 1703: ...ap type mask argument is 0 to ffff type protocol type protocol type mask Matches one or more protocols in the Layer 2 The protocol type argument is a hexadecimal number that represents a protocol type...

Page 1704: ...ime range rule comment Use rule comment to configure a comment for an ACL rule Use undo rule comment to delete an ACL rule comment Syntax rule rule id comment text undo rule rule id comment Default A...

Page 1705: ...ering step sets the increment by which the system numbers rules automatically If you do not specify a rule ID when creating an ACL rule the system automatically assigns it a rule ID This rule ID is th...

Page 1706: ...user profile 22 display qos vlan policy 24 qos apply policy interface view 25 qos apply policy user profile view 26 qos apply policy global 27 qos policy 27 qos vlan policy 28 reset qos policy global...

Page 1707: ...44 Queue scheduling profile commands 45 display qos qmprofile configuration 45 display qos qmprofile interface 46 qos apply qmprofile 46 qos qmprofile 47 queue 48 Queue based accounting commands 49 di...

Page 1708: ...n a case sensitive string of 1 to 127 characters Usage guidelines If you execute this command multiple times the most recent configuration takes effect Examples Configure the description as classifier...

Page 1709: ...nformation Classifier 1 ID 100 Operator AND Rule s If match acl 2000 Classifier 2 ID 101 Operator AND Rule s If match protocol ipv6 Classifier 3 ID 102 Operator AND Rule s none Table 1 Command output...

Page 1710: ...argument specifies a space separated list of up to 10 VLAN items Each item specifies a VLAN or a range of VLANs in the form of vlan id1 to vlan id2 The value for vlan id2 must be greater than or equa...

Page 1711: ...at can have multiple values in one if match command follow these restrictions and guidelines You can specify up to eight values for any of the following match criteria in one if match command 802 1p p...

Page 1712: ...02 1p priority 5 in the outer VLAN tag Sysname system view Sysname traffic classifier class1 Sysname classifier class1 if match service dot1p 5 Define a match criterion for traffic class class1 to mat...

Page 1713: ...o traffic classifier to delete a traffic class Syntax traffic classifier classifier name operator and or undo traffic classifier classifier name Default No traffic classes exist Views System view Pred...

Page 1714: ...ounting action in traffic behavior database to count traffic in bytes Sysname system view Sysname traffic behavior database Sysname behavior database accounting byte car Use car to configure a CAR act...

Page 1715: ...lt setting is pass red action Specifies the action to take on packets that conform to neither CIR nor PIR The default setting is discard yellow action Specifies the action to take on packets that conf...

Page 1716: ...of 1 to 31 characters If you do not specify a traffic behavior this command displays all traffic behaviors slot slot number Specifies an IRF member device by its member ID If you do not specify a memb...

Page 1717: ...c redirecting Mirroring Information about traffic mirroring none No other traffic behavior is configured filter Use filter to configure a traffic filtering action in a traffic behavior Use undo filter...

Page 1718: ...only to the incoming traffic of an interface If you execute the nest top most command multiple times in the same traffic behavior the most recent configuration takes effect Examples Configure traffic...

Page 1719: ...LAN list of the trunk port Otherwise the trunk port drops redirected packets If a QoS policy applied to a user profile contains the redirect interface action make sure the redirected to interface and...

Page 1720: ...CP marking action in a traffic behavior Use undo remark dscp to restore the default Syntax remark red yellow dscp dscp value undo remark red yellow dscp Default No DSCP marking action is configured Vi...

Page 1721: ...local precedence marking action in a traffic behavior Use undo remark local precedence to restore the default Syntax remark local precedence local precedence value undo remark local precedence Defaul...

Page 1722: ...vlan id Specifies an SVLAN ID in the range of 1 to 4094 Usage guidelines An SVLAN marking action can be applied only to an interface Examples Configure traffic behavior b1 to mark matching packets wit...

Page 1723: ...ic class Views QoS policy view Predefined user roles network admin Parameters classifier name Specifies a traffic class by its name a case sensitive string of 1 to 31 characters behavior name Specifie...

Page 1724: ...ws Any view Predefined user roles network admin network operator Parameters user defined Specifies user defined QoS policies policy name Specifies a QoS policy by its name a case sensitive string of 1...

Page 1725: ...lobal Use display qos policy global to display QoS policies applied globally Syntax display qos policy global slot slot number inbound outbound Views Any view Predefined user roles network admin netwo...

Page 1726: ...s If match protocol ipv6 Behavior 2 Accounting enable 0 Packets Filter enable Permit Marking Remark dscp 3 Classifier 3 Operator AND Rule s none Behavior 3 none Table 6 Command output Field Descriptio...

Page 1727: ...going traffic Examples Display the QoS policy applied to the incoming traffic of GigabitEthernet 1 0 1 Sysname display qos policy interface gigabitethernet 1 0 1 inbound Interface GigabitEthernet1 0 1...

Page 1728: ...faces Sysname display qos policy interface Interface GigabitEthernet1 0 1 Direction Inbound Policy a Classifier a Operator AND Rule s If match any Behavior a Mirroring Mirror to the interface GigabitE...

Page 1729: ...iption Direction Direction in which the QoS policy is applied Matched Number of matching packets Forwarded Average rate of successfully forwarded matching packets in a statistics collection period Dro...

Page 1730: ...oS policies applied to user profiles for all member devices inbound Specifies QoS policies applied to incoming traffic outbound Specifies QoS policies applied to outgoing traffic Usage guidelines If y...

Page 1731: ...ay qos vlan policy name policy name vlan vlan id slot slot number inbound outbound Views Any view Predefined user roles network admin network operator Parameters name policy name Specifies a QoS polic...

Page 1732: ...tor AND Rule s If match protocol ipv6 Behavior 2 Accounting enable 0 Packets Filter enable Permit Marking Remark dscp 3 Classifier 3 Operator AND Rule s none Behavior 3 none Table 9 Command output Fie...

Page 1733: ...Ethernet1 0 1 qos apply policy TEST1 outbound qos apply policy user profile view Use qos apply policy to apply a QoS policy to a user profile Use undo qos apply policy to remove a QoS policy applied t...

Page 1734: ...o QoS policy is applied globally Views System view Predefined user roles network admin Parameters policy name Specifies a QoS policy by its name a case sensitive string of 1 to 31 characters inbound A...

Page 1735: ...Use qos vlan policy to apply a QoS policy to the specified VLANs Use undo qos vlan policy to remove a QoS policy from the specified VLANs Syntax qos vlan policy policy name vlan vlan id list inbound o...

Page 1736: ...ection globally outbound Specifies the QoS policy applied to the outbound direction globally Usage guidelines If you do not specify a direction this command clears statistics for the global QoS polici...

Page 1737: ...If you do not specify a direction this command clears the statistics of the QoS policies in both directions of the VLAN Examples Clear the statistics of QoS policies applied to VLAN 2 Sysname reset qo...

Page 1738: ...s the following types of priority map Table 10 Priority maps Priority mapping Description dot1p lp 802 1p local priority map dscp dot1p DSCP 802 1p priority map dscp dscp DSCP DSCP priority map Usage...

Page 1739: ...used For more information see ACL and QoS Configuration Guide Views Priority map view Predefined user roles network admin Parameters import value list Specifies a list of input values export value Sp...

Page 1740: ...interface type interface number Views Any view Predefined user roles network admin network operator Parameters interface type interface number Specifies an interface by its type and number If you do...

Page 1741: ...qos trust dot1p dscp undo qos trust Default An interface does not trust any packet priority and uses the port priority as the 802 1p priority for mapping Views Layer 2 Ethernet interface view Predefi...

Page 1742: ...the dscp keyword is not specified this argument specifies the port priority in the range of 0 to 7 If the dscp keyword is specified this argument specifies the DSCP value to be set for packets in the...

Page 1743: ...ys the GTS configuration for all interfaces Examples Display the GTS configuration for all interfaces Sysname display qos gts interface Interface GigabitEthernet1 0 1 Rule If match queue 1 CIR 512 kbp...

Page 1744: ...a multiple of 512 it is rounded up to the nearest integral multiple of 512 that is greater than the product A default value greater than 16777216 is converted to 16777216 Examples Shape the packets o...

Page 1745: ...Limits the rate of outgoing packets cir committed information rate Specifies the CIR in kbps The value range for committed information rate is 8 to 102400 for 100 Mbps interfaces 8 to 1048576 for GE...

Page 1746: ...nd number If you do not specify an interface this command displays the queuing information for all interfaces Examples Display the queuing information for all interfaces Sysname display qos queue inte...

Page 1747: ...erface type interface number Views Any view Predefined user roles network admin network operator Parameters interface type interface number Specifies an interface by its type and number If you do not...

Page 1748: ...y the WRR queuing configuration of an interface Syntax display qos queue wrr interface interface type interface number Views Any view Predefined user roles network admin network operator Parameters in...

Page 1749: ...undo qos wrr to restore the default Syntax qos wrr weight undo qos wrr weight Default An interface uses packet count WRR queuing Views Layer 2 Ethernet interface view Predefined user roles network adm...

Page 1750: ...e 18 Table 18 The number keyword map for the queue id argument Number Keyword 0 be 1 af1 2 af2 3 af3 4 af4 5 ef 6 cs6 7 cs7 group 1 Specifies WRR group 1 Only WRR group 1 is supported in the current s...

Page 1751: ...keywords in Table 18 Usage guidelines This command is available only on a WRR enabled interface Queues in the SP group are scheduled with SP The SP group has higher scheduling priority than the WRR gr...

Page 1752: ...ou do not specify a member device this command displays the queue scheduling profile configuration for the master device Examples Display the configuration of queue scheduling profile myprofile Sysnam...

Page 1753: ...face number Views Any view Predefined user roles network admin network operator Parameters interface type interface number Specifies an interface by its type and number If you do not specify an interf...

Page 1754: ...igabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 qos apply qmprofile myprofile Related commands display qos qmprofile interface qos qmprofile Use qos qmprofile to create a queue scheduling profile an...

Page 1755: ...in Parameters queue id Specifies a queue by its ID The value range for this argument is 0 to 7 or keywords in Table 18 sp Enables SP for the queue wrr Enables WRR for the queue group group id Specifie...

Page 1756: ...e by its type and number If you do not specify an interface this command displays the queue based outgoing traffic statistics for all interfaces Examples Display queue based outgoing traffic statistic...

Page 1757: ...eue length 0 packets Queue 7 Forwarded 0 packets 0 bytes 0 pps 0 bps Dropped 0 packets 0 bytes Current queue length 0 packets Table 21 Command output Field Description Interface Interface for which qu...

Page 1758: ...aggregate CAR action This argument must start with a letter and is a case sensitive string of 1 to 31 characters Examples Use aggregate CAR action aggcar 1 in traffic behavior be1 Sysname system view...

Page 1759: ...Packets 0 Bytes Yellow packets 0 Packets 0 Bytes Red packets 0 Packets 0 Bytes Slot 2 Apply failed Table 22 Command output Field Description Name Name of the aggregate CAR action Mode Type of the CAR...

Page 1760: ...it is rounded up to the nearest integral multiple of 512 that is greater than the product A default value greater than 256000000 is converted to 256000000 ebs excess burst size Specifies the EBS in by...

Page 1761: ...sed in a QoS policy Examples Configure aggregate CAR action aggcar 1 where CIR is 25600 CBS is 512000 and red packets are dropped Sysname system view Sysname qos car aggcar 1 aggregative cir 25600 cbs...

Page 1762: ...i Contents Data buffer commands 1 buffer apply 1 buffer queue guaranteed 1 buffer shared 2 buffer total shared 3 burst mode enable 4 display buffer 4 display buffer usage 6...

Page 1763: ...guidelines For data buffer settings to take effect you must execute this command after configuring data buffer settings After applying manually configured data buffer settings you cannot directly modi...

Page 1764: ...herefore it is also called the minimum guaranteed buffer for the queue The sum of fixed area space configured for all queues cannot exceed the total fixed area space Otherwise the configuration fails...

Page 1765: ...on and the number of packets to be received and sent Examples Configure queue 0 to use up to 10 shared area space of cell resources in the egress buffer Sysname system view Sysname buffer egress cell...

Page 1766: ...idelines The Burst feature is especially useful for reducing packet losses under the following circumstances Broadcast or multicast traffic is intensive resulting in bursts of traffic Traffic enters a...

Page 1767: ...tal shared area ratio Examples Display buffer size settings Sysname display buffer Slot Type Eg Total shared Shared 1 packet 0 20 1 cell 0 20 Eg Size of the sending buffer Total shared Size of the sha...

Page 1768: ...ecify an IRF member device this command displays buffer usage for all IRF member devices Examples Display buffer usage Sysname display buffer usage Egress total shared cell buffer usage on slot 1 Tota...

Page 1769: ...er Free Size of free data buffer 5sec Percentage of the buffer that the port uses for the last 5 seconds 1min Percentage of the buffer that the port uses for the last 1 minute 5min Percentage of the b...

Page 1770: ...i Contents Time range commands 1 display time range 1 time range 1...

Page 1771: ...ge t4 Sysname display time range t4 Current time is 17 12 34 11 23 2010 Tuesday Time range t4 Inactive 10 00 to 12 00 Mon 14 00 to 16 00 Wed from 00 00 1 1 2011 to 00 00 1 1 2012 from 00 00 6 1 2011 t...

Page 1772: ...ck Its value is in the range of 00 00 to 23 59 The date1 argument specifies a date in MM DD YYYY or YYYY MM DD format where MM is the month of the year in the range of 1 to 12 DD is the day of the mon...

Page 1773: ...m view Sysname time range t1 08 00 to 18 00 working day Create an absolute time range t2 setting it to be active in the whole year of 2011 Sysname system view Sysname time range t2 from 00 00 1 1 2011...

Page 1774: ...H3C IE4300 IE4300 M IE4320 Industrial Switch Series Security Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 20230116...

Page 1775: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 1776: ...Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown Italic Italic text represents arguments that you replace with actual va...

Page 1777: ...at contains additional or supplementary information TIP An alert that provides helpful information Network topology icons Convention Description Represents a generic network device such as a router sw...

Page 1778: ...document might use devices that differ from your device in hardware model configuration or software version It is normal that the port numbers sample output screenshots and other information in the e...

Page 1779: ...ult enable 29 domain if unknown 30 local server log change password prompt 31 nas id bind vlan 32 session time include idle time 33 state ISP domain view 34 Local user commands 34 access limit 34 auth...

Page 1780: ...er load statistics 95 reset radius statistics 95 reset stop accounting buffer for RADIUS 96 retry 97 retry realtime accounting 98 retry stop accounting RADIUS scheme view 99 secondary accounting RADIU...

Page 1781: ...view 143 vpn instance HWTACACS scheme view 144 LDAP commands 144 attribute map 144 authentication server 145 authorization server 146 display ldap scheme 146 ip 148 ipv6 149 ldap attribute map 150 ld...

Page 1782: ...Default No NAS ID profiles exist Views System view Predefined user roles network admin Parameters profile name Specifies the NAS ID profile name a case insensitive string of 1 to 31 characters Usage...

Page 1783: ...edefined user roles network admin Parameters ftp FTP users http HTTP users https HTTPS users ssh SSH users telnet Telnet users max sessions Specifies the maximum number of concurrent login users The v...

Page 1784: ...fully executed Command line accounting can use only a remote HWTACACS server Examples In ISP domain test perform command line accounting based on HWTACACS scheme hwtac Sysname system view Sysname doma...

Page 1785: ...ify one primary default accounting method and multiple backup default accounting methods When the primary method is invalid the device attempts to use the backup methods in sequence For example the ac...

Page 1786: ...ring of 1 to 32 characters Usage guidelines You can specify one primary accounting method and multiple backup accounting methods When the primary method is invalid the device attempts to use the backu...

Page 1787: ...scheme rd2 local Related commands accounting default local user radius scheme timer realtime accounting accounting login Use accounting login to specify accounting methods for login users Use undo ac...

Page 1788: ...ms RADIUS accounting by default and performs local accounting when the RADIUS server is invalid The device does not perform accounting when both of the previous methods are invalid Examples In ISP dom...

Page 1789: ...scheme name local none command specifies a primary default RADIUS accounting method and two backup methods local accounting and no accounting The device performs RADIUS accounting by default and perfo...

Page 1790: ...e undo accounting quota out Default The device logs off users that have used up their accounting quotas Views ISP domain view Predefined user roles network admin Parameters offline Logs off users that...

Page 1791: ...accounting update fail Use accounting update fail to configure access control for users that have failed all their accounting update attempts Use undo accounting update fail to restore the default Syn...

Page 1792: ...heme hwtacacs scheme name radius scheme radius scheme name local ldap scheme ldap scheme name local local radius scheme radius scheme name hwtacacs scheme hwtacacs scheme name local undo authenticatio...

Page 1793: ...ysname system view Sysname domain test Sysname isp test authentication default radius scheme rd local Related commands hwtacacs scheme ldap scheme local user radius scheme authentication lan access Us...

Page 1794: ...m view Sysname domain test Sysname isp test authentication lan access local In ISP domain test perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup...

Page 1795: ...the device attempts to use the backup methods in sequence For example the authentication login radius scheme radius scheme name local none command specifies the default primary RADIUS authentication...

Page 1796: ...me Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines You can specify one primary authentication method and multiple backup authentication methods W...

Page 1797: ...to 32 characters radius scheme radius scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines To enable a user to obtain another user role wi...

Page 1798: ...uthorization restricts login users to execute only authorized commands by employing an authorization server to verify whether each entered command is permitted When local command authorization is conf...

Page 1799: ...on Fundamentals Command Reference hwtacacs scheme local user authorization default Use authorization default to specify default authorization methods for an ISP domain Use undo authorization default t...

Page 1800: ...he same RADIUS scheme You can specify one primary authorization method and multiple backup authorization methods When the default authorization method is invalid the device attempts to use the backup...

Page 1801: ...device attempts to use the backup methods in sequence For example the authorization lan access radius scheme radius scheme name local none command specifies a primary RADIUS authorization method and t...

Page 1802: ...al users Terminal users can access the device through the console port For more information about the level 0 user role see RBAC configuration in Fundamentals Configuration Guide The working directory...

Page 1803: ...yntax In non FIPS mode authorization portal local none none radius scheme radius scheme name local none undo authorization portal In FIPS mode authorization portal local radius scheme radius scheme na...

Page 1804: ...Sysname system view Sysname domain test Sysname isp test authorization portal radius scheme rd local Related commands authorization default local user radius scheme authorization attribute ISP domain...

Page 1805: ...of 1 to 63 characters This option is applicable only to portal users mld max access number max access number Specifies the maximum number of MLD groups that an IPv6 user can join concurrently The valu...

Page 1806: ...domain to display ISP domain configuration Syntax display domain isp name Views Any view Predefined user roles network admin network operator Parameters isp name Specifies an ISP domain by its name a...

Page 1807: ...t Disabled IP pool appy User profile test Inbound CAR CIR 64000 bps PIR 640000 bps Outbound CAR CIR 64000 bps PIR 640000 bps ACL number 3000 User group ugg IPv6 pool ipv6pool URL http test IGMP access...

Page 1808: ...control for users that have failed all their accounting update attempts Online Allows the users to stay online Offline Logs off the users Accounting quota out policy Access control for users that have...

Page 1809: ...on outbound CAR CIR Committed information rate in bps PIR Peak information rate in bps If no outbound CAR is authorized this field displays N A ACL number Authorization ACL for users User group Author...

Page 1810: ...SP domain Before you use the undo domain command change the domain to a non default ISP domain by using the undo domain default enable command Use short domain names to ensure that user names containi...

Page 1811: ...ds display domain domain domain if unknown Use domain if unknown to specify an ISP domain to accommodate users that are assigned to nonexistent domains Use undo domain if unknown to restore the defaul...

Page 1812: ...local server log change password prompt to enable password change prompt logging Use undo local server log change password prompt to disable password change prompt logging Syntax local server log cha...

Page 1813: ...the user meets the password control requirements The password composition policy or the minimum password length has changed You can use the display password control command to display password contro...

Page 1814: ...ation sent to the server depending on the accounting policy in your network The idle timeout period is assigned to users by the authorization server after the users pass authentication For portal user...

Page 1815: ...ISP domain to request network services block Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services Usage guidelines By blocking an ISP domain you d...

Page 1816: ...sname luser manage abc access limit 5 Related commands accounting start fail offline display local user authorization attribute local user view user group view Use authorization attribute to configure...

Page 1817: ...icts the behavior of authenticated users For more information see Security Configuration Guide user role role name Specifies an authorized user role The role name argument is a case sensitive string o...

Page 1818: ...le has access to the commands for managing security log files and security log file system To display all the accessible commands of the security audit user role use the display role name security aud...

Page 1819: ...r belongs The vlan id argument is in the range of 1 to 4094 This option applies only to LAN and portal users Usage guidelines To perform local authentication of a user the device matches the actual us...

Page 1820: ...ndo description Default No description is configured for a network access user Views Network access user view Predefined user roles network admin Parameters text Configures a description case sensitiv...

Page 1821: ...ccess network services but a local user in blocked state cannot user name user name Specifies all local users using the specified username The username must be a case sensitive string of 1 to 55 chara...

Page 1822: ...cc Validity period Start date and time 2016 01 01 00 01 01 Expiration date and time 2017 01 01 01 01 01 Password control configurations Password length 4 characters Total 2 local users matched Table...

Page 1823: ...sition policy Minimum number of character types that a password must contain Minimum number of characters from each type in a password Password complexity Password complexity checking policy Reject a...

Page 1824: ...User group User group name Authorization attributes Authorization attributes of the user group Idle timeout Idle timeout period in minutes Session timeout Session timeout timer in minutes Work directo...

Page 1825: ...to assign a local user to a user group Use undo group to restore the default Syntax group group name undo group Default A local user belongs to user group system Views Local user view Predefined user...

Page 1826: ...the command adds a device management user manage Device management user that can configure and monitor the device after login Device management users can use FTP HTTP HTTPS Telnet SSH and terminal ser...

Page 1827: ...ws System view Predefined user roles network admin Usage guidelines This feature enables the device to examine the validity of local users at fixed time periods of 10 minutes and automatically delete...

Page 1828: ...ser In FIPS mode a password is required for a device management user to pass authentication You must set the password in interactive mode When global password control is enabled the device handles pas...

Page 1829: ...security purposes the password specified in plaintext form will be stored in encrypted form string Specifies the password string Its plaintext form is a case sensitive string of 1 to 63 characters It...

Page 1830: ...e lan access Authorizes the user to use the LAN access service The users are typically Ethernet users for example 802 1X users ssh Authorizes the user to use the SSH service telnet Authorizes the user...

Page 1831: ...up Use user group to create a user group and enter its view or enter the view of an existing user group Use undo user group to delete a user group Syntax user group group name undo user group group na...

Page 1832: ...YYYY MM DD The value range for the MM argument is 1 to 12 The value range for the DD argument varies with the specified month The value range for the YYYY argument is 2000 to 2035 start time Specifie...

Page 1833: ...10 02 12 00 00 Related commands display local user RADIUS commands aaa device id Use aaa device id to configure the device ID Use undo aaa device id to restore the default Syntax aaa device id device...

Page 1834: ...nd an accounting on packet to the RADIUS server after a device reboot Upon receiving the accounting on packet the RADIUS server logs out all online users so they can log in again through the device Ex...

Page 1835: ...h the member device If no users have come online through the member device the IRF fabric does not send an accounting on packet after the member device reboots The IRF fabric uses the packet retransmi...

Page 1836: ...types of network access users Examples Set the NAS Port attribute format to the port format in RADIUS scheme radius1 Sysname system view Sysname radius scheme radius1 Sysname radius radius1 attribute...

Page 1837: ...e the default Syntax attribute 25 car undo attribute 25 car Default The RADIUS class attribute is not interpreted as CAR parameters Views RADIUS scheme view Predefined user roles network admin Usage g...

Page 1838: ...cter that separates the sections lowercase Specifies the letters in a MAC address to be in lower case uppercase Specifies the letters in a MAC address to be in upper case Usage guidelines Configure th...

Page 1839: ...DIUS server If you specify the interface name format the attribute contains the name of the user access interface For example if a user access the network from GigabitEthernet 1 0 1 the NAS Port ID at...

Page 1840: ...attribute translation feature is enabled When you configure RADIUS attribute conversion rules follow these restrictions and guidelines The source and destination RADIUS attributes in a rule must use t...

Page 1841: ...uidelines The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule The conversion rules take effect only when the RA...

Page 1842: ...E packets Usage guidelines Configure RADIUS attribute rejection rules for the following purposes Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not identify...

Page 1843: ...eceived RADIUS packets sent Specifies the sent RADIUS packets Usage guidelines Configure RADIUS attribute rejection rules for the following purposes Delete attributes from the RADIUS packets to be sen...

Page 1844: ...fies the unit as kilobyte mega byte Specifies the unit as megabyte Usage guidelines Make sure the measurement unit is the same as the user data measurement unit on the RADIUS server Examples In RADIUS...

Page 1845: ...S DAS view attribute reject RADIUS scheme view ca file Use ca file to specify a CA certificate file for EAP authentication Use undo ca file to restore the default Syntax ca file file name undo ca file...

Page 1846: ...DAC by its IPv4 address ipv6 ipv6 address Specifies a DAC by its IPv6 address key Specifies the shared key for secure communication between the RADIUS DAC and server Make sure the shared key is the s...

Page 1847: ...hor server port data flow format RADIUS scheme view Use data flow format to set the data flow and packet measurement units for traffic statistics Use undo data flow format to restore the default Synta...

Page 1848: ...s scheme to display RADIUS scheme configuration Syntax display radius scheme radius scheme name Views Any view Predefined user roles network admin network operator Parameters radius scheme name Specif...

Page 1849: ...Retransmission Times 3 Retransmission Times for Accounting Update 5 Server Quiet Period minutes 5 Realtime Accounting Interval seconds 22 Stop accounting packets buffering Enabled Retransmission time...

Page 1850: ...server is set to blocked state manually Test profile Test profile used for RADIUS server status detection Probe username Username used for RADIUS server status detection Probe interval Server status d...

Page 1851: ...ribute 25 RADIUS attribute 25 interpretation status Standard The attribute is not interpreted as CAR parameters CAR The attribute is interpreted as CAR parameters Attribute 87 format NAS Port ID attri...

Page 1852: ...it sends an authentication or accounting request to the server The device does not decrease the history statistics even though users go offline or the server fails to response to a request within the...

Page 1853: ...within the last 5 seconds History Total number of RADIUS authentication or accounting requests sent to the RADIUS server since the device starts up Related commands reset radius server load statistic...

Page 1854: ...olicy Number of packets for updating user authorization information Packet With Response Number of packets for which responses were received Packet Without Response Number of packets for which no resp...

Page 1855: ...RADIUS stop accounting requests buffered for user abc Sysname display stop accounting buffer user name abc Total entries 2 Scheme Session ID Username First sending time Attempts rad1 1000326232325010...

Page 1856: ...S requests Use undo exclude to cancel the configuration of excluding an attribute from RADIUS requests Syntax exclude accounting authentication name attribute name undo exclude accounting authenticati...

Page 1857: ...ounting authentication name attribute name vendor vendor id code attribute code type binary date integer interface id ip ipv6 ipv6 prefix octets string value attribute value undo include accounting au...

Page 1858: ...m the RADIUS requests For an attribute that RADIUS requests carry by default you can use this command to change its value The undo form of this command restores the attribute value to the default Tabl...

Page 1859: ...Predefined user roles network admin Parameters accounting Specifies the shared key for secure RADIUS accounting communication authentication Specifies the shared key for secure RADIUS authentication c...

Page 1860: ...fies the MD5 challenge method peap gtc Specifies the PEAP GTC method peap mschapv2 Specifies the PEAP MSCHAPv2 method ttls gtc Specifies the TTLS GTC method ttls mschapv2 Specifies the TTLS MSCHAPv2 m...

Page 1861: ...ddress or a loopback address ipv6 ipv6 address Specifies an IPv6 address which must be a unicast address of the device and cannot be a loopback address or a link local address Usage guidelines The sou...

Page 1862: ...e radius1 specify IP address 10 1 1 1 as the source IP address for outgoing RADIUS packets Sysname system view Sysname radius scheme radius1 Sysname radius radius1 nas ip 10 1 1 1 Related commands dis...

Page 1863: ...ies the key in encrypted form simple Specifies the key in plaintext form For security purposes the key specified in plaintext form will be stored in encrypted form string Specifies the key This argume...

Page 1864: ...s enabled the device returns an accounting failure message rather than searching for another active accounting server If you remove an actively used accounting server the device no longer sends users...

Page 1865: ...ce vpn instance name Specifies an MPLS L3VPN instance to which the primary RADIUS authentication server belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters If the s...

Page 1866: ...rver test profile secondary authentication RADIUS scheme view server load sharing enable vpn instance RADIUS scheme view radius attribute extended Use radius attribute extended to define an extended R...

Page 1867: ...with RADIUS servers of a third party vendor map attributes that cannot be identified by the server to server supported attributes Two RADIUS attributes cannot have the same combination of attribute na...

Page 1868: ...US attributes that will be included in or excluded from RADIUS requests The system can have multiple RADIUS attribute test groups Examples Create a RADIUS attribute test group named t1 and enter its v...

Page 1869: ...nd enter RADIUS DAS view Use undo radius dynamic author server to disable the RADIUS DAS feature Syntax radius dynamic author server undo radius dynamic author server Default The RADIUS DAS feature is...

Page 1870: ...at user If the device has sent RADIUS authentication requests for that user to a RADIUS server the device processes that user depending on whether it receives a response from the RADIUS server If the...

Page 1871: ...address or the IPv6 address of the interface as the source IP address of an outgoing RADIUS packet ipv4 address Specifies an IPv4 address which must be an address of the device The IP address cannot...

Page 1872: ...network source IPv4 address and one private network source IPv6 address in system view You can specify only one source interface to provide the source IP address for outgoing RADIUS packets Make sure...

Page 1873: ...control client by its IPv4 address ipv6 ipv6 address Specifies a session control client by its IPv6 address key Specifies the shared key for secure communication with the session control client cipher...

Page 1874: ...t form Sysname system view Sysname radius session control client ip 10 110 1 2 key simple 12345 Related commands radius session control enable radius session control enable Use radius session control...

Page 1875: ...password RADIUS server might mistake detection packets that contain randomly generated passwords as attack packets cipher Specifies a password in encrypted form simple Specifies a password in plaintex...

Page 1876: ...ame admin and plaintext password abc123 is sent every 10 minutes Sysname system view Sysname radius server test profile abc username admin password simple abc123 interval 10 Related commands eap profi...

Page 1877: ...racters and cannot contain a letter A session ID uniquely identifies an online user for a RADIUS scheme time range start time end time Specifies a time range The start time and end time must be in the...

Page 1878: ...the device considers the request a failure If the client times out during the authentication process the user is immediately logged off To avoid user logoffs the value multiplied by the following item...

Page 1879: ...the user when a failure occurs The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters For example the following conditions exist The RADIUS serv...

Page 1880: ...mission of stop accounting requests together with the following parameters RADIUS server response timeout timer set by using the timer response timeout command Maximum number of times to transmit a RA...

Page 1881: ...of a secondary RADIUS accounting server port number Specifies the service port number of the secondary RADIUS accounting server The value range for the UDP port number is 1 to 65535 The default setti...

Page 1882: ...d by this command takes precedence over the VPN instance specified for the RADIUS scheme If you use the secondary accounting command to modify or delete a secondary accounting server to which the devi...

Page 1883: ...encrypted form simple Specifies the key in plaintext form For security purposes the key specified in plaintext form will be stored in encrypted form string Specifies the key This argument is case sen...

Page 1884: ...hentication server during an authentication process communication with the secondary server times out When the RADIUS server load sharing feature is disabled the device tries to communicate with an ac...

Page 1885: ...t accounting requests of the user to the same server If the accounting server is unreachable the device returns an accounting failure message rather than searching for another active accounting server...

Page 1886: ...cify any keywords this command enables or disables all types of notifications for RADIUS When SNMP notifications for RADIUS are enabled the device supports the following notifications generated by RAD...

Page 1887: ...active unless you manually set the status to active When the RADIUS server load sharing feature is enabled the device checks the weight value and number of currently served users only for servers in...

Page 1888: ...e state Usage guidelines If you do not specify an IP address this command changes the status of all configured secondary RADIUS servers If the device finds that a secondary server in active state is u...

Page 1889: ...have been received Views RADIUS scheme view Predefined user roles network admin Usage guidelines This command enables the device to buffer a RADIUS stop accounting request that has no response after...

Page 1890: ...for an authenticated user it does not send a stop accounting packet when the user goes offline If the server has generated a user entry for the user without start accounting packets it does not relea...

Page 1891: ...o 31 characters If you do not specify a RADIUS attribute test group or the specified RADIUS attribute test group does not exist the device does not change the attributes carried in authentication or a...

Page 1892: ...t password You can retry 9 times Sent a RADIUS start accounting request Server IP 192 168 1 110 Source IP 192 168 1 166 VPN instance N A Server port 1813 Packet type Start accounting request Packet le...

Page 1893: ...ation about the test The test uses username user1 password 123456 and the CHAP authentication method to test RADIUS server at 192 168 1 110 in RADIUS scheme test Sysname test aaa user user1 password 1...

Page 1894: ...er for the servers specified in a RADIUS scheme Use undo timer quiet to restore the default Syntax timer quiet minutes undo timer quiet Default The server quiet timer period is 5 minutes in a RADIUS s...

Page 1895: ...al time accounting interval in the range of 0 to 71582 second Specifies the measurement unit as second If you do not specify this keyword the real time accounting interval is measured in minutes Usage...

Page 1896: ...accounting 51 Related commands retry realtime accounting timer response timeout RADIUS scheme view Use timer response timeout to set the RADIUS server response timeout timer Use undo timer response ti...

Page 1897: ...user roles network admin Parameters keep original Sends the username to the RADIUS server as the username is entered with domain Includes the ISP domain name in the username sent to the RADIUS server...

Page 1898: ...user roles network admin Parameters vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters Usage guidelines The VPN instance specified for a RADIU...

Page 1899: ...packet Specifies the unit as kilo packet mega packet Specifies the unit as mega packet one packet Specifies the unit as one packet Usage guidelines The data flow and packet measurement units for traf...

Page 1900: ...ay hwtacacs scheme Total 1 HWTACACS schemes HWTACACS Scheme Name hwtac Index 0 Primary Auth Server Host name Not configured IP 2 2 2 2 Port 49 State Active VPN Instance 2 Single connection Enabled Pri...

Page 1901: ...he HWTACACS server or scheme belongs If no VPN instance is specified for the server or scheme this field displays Not configured Single connection Single connection status Enabled Establish only one T...

Page 1902: ...kets 0 Get username response packets 0 Get password response packets 1 Restart response packets 0 Error response packets 0 Follow response packets 0 Malformed response packets 0 Continue packets 1 Con...

Page 1903: ...Request packets Total number of sent request packets Login request packets Number of sent login request packets Change password request packets Number of sent request packets for changing passwords Re...

Page 1904: ...nting start request packets Accounting stop request packets Number of accounting stop request packets Accounting update request packets Number of accounting update request packets Success response pac...

Page 1905: ...pn instance vpn instance name Default The source IP address of an HWTACACS packet sent to the server is the primary IPv4 address or the IPv6 address of the outbound interface Views System view Predefi...

Page 1906: ...he setting in HWTACACS scheme view takes precedence over the setting in system view You can specify a maximum of 16 source IP addresses in system view including Zero or one public network source IPv4...

Page 1907: ...authentication authorization or accounting communication Use undo key to delete the shared key for secure HWTACACS authentication authorization or accounting communication Syntax key accounting authe...

Page 1908: ...Sysname hwtacacs hwt1 key authentication simple 123456TESTauth Set the shared key to 123456TESTautr in plaintext form for secure HWTACACS authorization communication Sysname hwtacacs hwt1 key authori...

Page 1909: ...rce IP address for outgoing HWTACACS packets to avoid HWTACACS packet loss caused by physical port errors If you use both the nas ip command and hwtacacs nas ip command the following guidelines apply...

Page 1910: ...ntext form will be stored in encrypted form string Specifies the key This argument is case sensitive In non FIPS mode the encrypted form of the key is a string of 1 to 373 characters The plaintext for...

Page 1911: ...ds display hwtacacs scheme key HWTACACS scheme view secondary accounting HWTACACS scheme view vpn instance HWTACACS scheme view primary authentication HWTACACS scheme view Use primary authentication t...

Page 1912: ...k do not specify this option Usage guidelines Make sure the port number and shared key settings of the primary HWTACACS authentication server are the same as those configured on the server Two authent...

Page 1913: ...key is a string of 1 to 373 characters The plaintext form of the key is a string of 1 to 255 characters In FIPS mode the encrypted form of the key is a string of 15 to 373 characters The plaintext fo...

Page 1914: ...3 155 13 49 key simple 123456TESTautr Related commands display hwtacacs scheme key HWTACACS scheme view secondary authorization HWTACACS scheme view vpn instance HWTACACS scheme view reset hwtacacs st...

Page 1915: ...me view Use retry stop accounting to set the maximum number of transmission attempts for individual HWTACACS stop accounting requests Use undo retry stop accounting to restore the default Syntax retry...

Page 1916: ...ver The value range for the TCP port number is 1 to 65535 The default setting is 49 key Specifies the shared key for secure communication with the secondary HWTACACS accounting server cipher Specifies...

Page 1917: ...name option The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme You can remove an accounting server only when it is not used for user ac...

Page 1918: ...n packets for all users If you do not specify this keyword the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user...

Page 1919: ...ver Syntax secondary authorization host name ipv4 address ipv6 ipv6 address port number key cipher simple string single connection vpn instance vpn instance name undo secondary authorization host name...

Page 1920: ...maximum of 16 secondary HWTACACS authorization servers If the primary server fails the device tries to communicate with a secondary server in active state The device connects to the secondary servers...

Page 1921: ...ds the buffered request until it receives a server response or when the number of transmission attempts reaches the maximum set by using the retry stop accounting command If no more attempts are avail...

Page 1922: ...ccounting Default The real time accounting interval is 12 minutes Views HWTACACS scheme view Predefined user roles network admin Parameters minutes Specifies the real time accounting interval in minut...

Page 1923: ...mer response timeout HWTACACS scheme view Use timer response timeout to set the HWTACACS server response timeout timer Use undo timer response timeout to restore the default Syntax timer response time...

Page 1924: ...delines A username is generally in the userid isp name format of which the isp name argument is used by the device to determine the ISP domain to which a user belongs However some HWTACACS servers can...

Page 1925: ...ecified for an HWTACACS scheme applies to all servers in that scheme If a VPN instance is also configured for an individual HWTACACS server the VPN instance specified for the HWTACACS scheme does not...

Page 1926: ...your operation Examples Specify LDAP attribute map map1 in LDAP scheme test Sysname system view Sysname ldap scheme test Sysname ldap test attribute map map1 Related commands display ldap scheme ldap...

Page 1927: ...or an LDAP scheme Views LDAP scheme view Predefined user roles network admin Parameters server name Specifies the name of an LDAP server a case insensitive string of 1 to 64 characters Usage guideline...

Page 1928: ...1 1 1 Port 111 VPN instance Not configured LDAP protocol version LDAPv3 Server timeout interval 10 seconds Login account DN Not configured Base DN Not configured Search scope all level User searching...

Page 1929: ...period in seconds Login account DN DN of the administrator Base DN Base DN for user search Search scope User DN search scope including all level All subdirectories single level Next lower level of su...

Page 1930: ...e IP address and port number as 192 168 0 10 and 4300 for LDAP server ccc Sysname system view Sysname ldap server ccc Sysname ldap server ccc ip 192 168 0 10 port 4300 Related commands ldap server ipv...

Page 1931: ...of an existing LDAP attribute map Use undo ldap attribute map to delete an LDAP attribute map Syntax ldap attribute map map name undo ldap attribute map map name Default No LDAP attribute maps exist V...

Page 1932: ...sitive string of 1 to 32 characters Usage guidelines An LDAP scheme can be used by more than one ISP domain at the same time You can configure a maximum of 16 LDAP schemes Examples Create an LDAP sche...

Page 1933: ...inistrator DN is specified Views LDAP server view Predefined user roles network admin Parameters dn string Specifies the administrator DN for binding with the server a case insensitive string of 1 to...

Page 1934: ...crypted form string Specifies the password Its plaintext form is a case sensitive string of 1 to 128 characters Its encrypted form is a case sensitive string of 1 to 201 characters Usage guidelines Th...

Page 1935: ...ring of the LDAP attribute aaa attribute Specifies an AAA attribute user group Specifies the user group attribute user profile Specifies the user profile attribute Usage guidelines Because the device...

Page 1936: ...version the change takes effect only on the LDAP authentication that occurs after the change A Microsoft LDAP server supports only LDAPv3 Examples Specify the LDAP version as LDAPv2 for LDAP server c...

Page 1937: ...ope Default The user search scope is all level Views LDAP server view Predefined user roles network admin Parameters all level Specifies that the search goes through all subdirectories of the base DN...

Page 1938: ...erver ccc Sysname ldap server ccc server timeout 15 Related commands display ldap scheme user parameters Use user parameters to configure LDAP user attributes including the username attribute username...

Page 1939: ...epresents a class value a case insensitive string of 1 to 64 characters Usage guidelines If the username on the LDAP server does not contain the domain name specify the without domain keyword If the u...

Page 1940: ...asterisk question mark left angle bracket right angle bracket or at sign Cannot be a al or all If you do not specify a RADIUS user name this command displays information about all RADIUS users Example...

Page 1941: ...ime Expiration date and time Related commands local user radius server activate Use radius server activate to activate the RADIUS server configuration including RADIUS clients and users Syntax radius...

Page 1942: ...S client cipher Specifies the key in encrypted form simple Specifies the key in plaintext form string Specifies a case sensitive key string The encrypted form of the key is a string of 1 to 117 charac...

Page 1943: ...er This feature enables the device to provide an accounting server with the connection start and termination information When the login client establishes a connection with the login server the system...

Page 1944: ...on takes effect The device includes the username entered by a user in the accounting packets to be sent to the AAA server for connection recording The username format configured by using the user name...

Page 1945: ...164 Connection recording policy Accounting scheme HWTACACS tac1 Related commands aaa connection recording policy accounting hwtacacs scheme...

Page 1946: ...url 21 dot1x eap tls fragment to server 22 dot1x eapol untag 23 dot1x guest vlan 24 dot1x guest vlan delay 24 dot1x handshake 25 dot1x handshake reply enable 26 dot1x handshake secure 27 dot1x mac bin...

Page 1947: ...ut 802 1X including session information statistics and settings If you do not specify the interface interface type interface number option this command displays all global and port specific 802 1X inf...

Page 1948: ...onfigured Critical voice VLAN Disabled Add Guest VLAN delay Disabled Re auth server unreachable Logoff Max online users 4294967295 User IP freezing Disabled Reauth period 0 s Send Packets Without Tag...

Page 1949: ...ging timer in seconds for users in critical VLANs User aging period for guest VLAN Aging timer in seconds for users in guest VLANs EAD assistant function Whether EAD assistant is enabled Permit authen...

Page 1950: ...VLAN is configured on the port this field displays Not configured Critical voice VLAN Whether the 802 1X critical voice VLAN feature is enabled on the port Add Guest VLAN delay Status and mode of the...

Page 1951: ...ets EAP Failure packets Number of sent EAP Failure packets Received EAPOL Start packets Number of received EAPOL Start packets EAPOL LogOff packets Number of received EAPOL LogOff packets EAP Response...

Page 1952: ...r by its name The name string argument represents the username a case sensitive string of 1 to 253 characters If you do not specify an 802 1X user this command displays all online 802 1X user informat...

Page 1953: ...802 1X authentication Authorization untagged VLAN Untagged VLAN assigned to the user The VLAN assigned by the server to a user as an authorization VLAN might have been configured on the user access p...

Page 1954: ...ssigned session timeout timer Radius request Reauthenticates the online user when the server assigned session timeout timer expires regardless of whether the 802 1X periodic reauthentication feature i...

Page 1955: ...N 5 Aging time 30 sec MAC addresses 2 0801 2700 9427 0801 2700 2341 Table 3 Command output Field Description Total MAC addresses Total number of MAC addresses in the specified type of VLAN on the spec...

Page 1956: ...rify source ipv6 verify source enable Use dot1x ip verify source ipv6 verify source enable to enable generation of dynamic IPv4SG or IPv6SG binding entries for 802 1X authenticated users Use undo dot1...

Page 1957: ...ble to enable 802 1X user logging Use undo dot1x access user log enable to disable 802 1X user logging Syntax dot1x access user log enable abnormal logoff failed login normal logoff successful login u...

Page 1958: ...range of 1 to 50 Usage guidelines The device denies 802 1X authentication requests of a MAC authenticated user after the maximum number of 802 1X authentication attempts has been made The device will...

Page 1959: ...uthentication initiated by an iNode client PAP transports usernames and passwords in plain text The authentication method applies to scenarios that do not require high security To use PAP the client c...

Page 1960: ...vers Users in the Auth Fail VLAN can access a limited set of network resources To delete a VLAN that has been configured as an 802 1X Auth Fail VLAN you must first use the undo dot1x auth fail vlan co...

Page 1961: ...0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 dot1x critical eapol Related commands dot1x critical vlan dot1x critical vlan Use dot1x critical vlan to co...

Page 1962: ...e Before you enable the 802 1X critical voice VLAN feature on the port make sure the following requirements are met The port is configured with the voice VLAN To configure a voice VLAN on a port use t...

Page 1963: ...ng with the backslash sign Usage guidelines Any character in the configured set can be used as the domain name delimiter for 802 1X authentication users Usernames that include domain names can use the...

Page 1964: ...ver this mechanism might result in authentication failure if the authentication server cannot respond to duplicate EAPOL Start requests To resolve this issue use this command on the user access interf...

Page 1965: ...C authentication again only after the user s EAD entry ages out As a best practice do not configure MAC authentication guest VLANs or critical VLANs The VLANs might fail to work correctly when both EA...

Page 1966: ...resses Usage guidelines With EAD assistant enabled on the device unauthenticated 802 1X users can access the network resources in the free IP segments before they pass 802 1X authentication Execute th...

Page 1967: ...direct URL for EAD assistant Use undo dot1x ead assistant url to restore the default Syntax dot1x ead assistant url url string undo dot1x ead assistant url Default No redirect URL exists for EAD assis...

Page 1968: ...w Predefined user roles network admin Parameters eap tls max length Sets the maximum EAP TLS fragment size in bytes The value range is 100 to 1500 Usage guidelines 802 1X EAP TLS fragmentation takes e...

Page 1969: ...This command removes the VLAN tags of all 802 1X protocol packets sent out of the port to 802 1X clients Do not use this command if VLAN aware 802 1X clients are attached to the port As a best practi...

Page 1970: ...a limited set of network resources such as a software server to download anti virus software and system patches To delete a VLAN that has been configured as a guest VLAN you must use the undo dot1x g...

Page 1971: ...ress that triggers the authentication 2 Retransmits the packet if no response has been received within the username request timeout interval set by using the dot1x timer tx period command 3 Assigns th...

Page 1972: ...1 0 1 Sysname GigabitEthernet1 0 1 dot1x handshake Related commands display dot1x dot1x timer handshake period dot1x retry dot1x handshake reply enable Use dot1x handshake reply enable to enable the 8...

Page 1973: ...ent users from using illegal client software The feature is implemented based on the online user handshake feature To bring the security function into effect make sure the online user handshake featur...

Page 1974: ...he number of 802 1X MAC address binding entries reaches the upper limit of concurrent 802 1X users set by using the dot1x max user command the following restrictions exist Users not in the binding ent...

Page 1975: ...ot1x max user command the following restrictions exist Users not in the binding entries will fail authentication even after users in the binding entries go offline New 802 1X MAC address binding entri...

Page 1976: ...o dot1x max user to restore the default Syntax dot1x max user max number undo dot1x max user Default A port allows a maximum of 4294967295 concurrent 802 1X users Views Layer 2 Ethernet interface view...

Page 1977: ...nts and trigger authentication You can use the dot1x timer tx period command to set the interval for sending multicast EAP Request Identity packets Examples Enable the multicast trigger feature on Gig...

Page 1978: ...ed force Related commands display dot1x dot1x port method Use dot1x port method to specify an access control method for the port Use undo dot1x port method to restore the default Syntax dot1x port met...

Page 1979: ...ork admin Usage guidelines When a client fails 802 1X authentication the device must wait a period of time before it can process authentication requests from the client You can use the dot1x timer qui...

Page 1980: ...802 1X periodic reauthentication feature on GigabitEthernet 1 0 1 and set the periodic reauthentication interval to 1800 seconds Sysname system view Sysname dot1x timer reauth period 1800 Sysname int...

Page 1981: ...or 802 1X reauthentication Views Layer 2 Ethernet interface view Predefined user roles network admin Usage guidelines This feature keeps authenticated 802 1X users online when no server is reachable f...

Page 1982: ...e packet The access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still received no response Examples Set the maximum number of attempt...

Page 1983: ...IUS server status detection feature which is configurable with the radius server test profile command When you configure this feature make sure the detection interval is shorter than the RADIUS server...

Page 1984: ...the quiet period value argument is 10 to 120 reauth period reauth period value Sets the periodic reauthentication timer in seconds The value range for this argument is 60 to 86400 server timeout serv...

Page 1985: ...lowing values The maximum number of RADIUS packet transmission attempts set by using the retry command in RADIUS scheme view The RADIUS server response timeout timer set by using the timer response ti...

Page 1986: ...network admin Parameters reauth period value Sets the 802 1X periodic reauthentication timer in seconds The value range for this argument is 60 to 86400 Usage guidelines The device reauthenticates on...

Page 1987: ...for the user from the access port The 802 1X user aging mechanism on a port depends on its access control mode If the port uses port based access control a user aging timer starts when the port is ass...

Page 1988: ...does not receive any responses within a period of time set by using the dot1x timer tx period command This process continues until the maximum number of request attempts set by using the dot1x retry c...

Page 1989: ...mac mac address Specifies an 802 1X user by its MAC address The mac address argument is in the format of H H H username username Specifies an 802 1X user by its name The username argument is a case se...

Page 1990: ...type and number mac address mac address Specifies the MAC address of an 802 1X user in the guest VLAN If you do not specify this option the command removes all 802 1X users from the 802 1X guest VLAN...

Page 1991: ...45 Examples Clear 802 1X statistics on GigabitEthernet 1 0 1 Sysname reset dot1x statistics interface gigabitethernet 1 0 1 Related commands display dot1x...

Page 1992: ...ion mac range account 17 mac authentication max user 19 mac authentication offline detect enable 19 mac authentication offline detect mac address 20 mac authentication parallel with dot1x 22 mac authe...

Page 1993: ...tion information including the global settings port specific settings MAC authentication statistics and online user statistics Examples Display all MAC authentication settings and statistics Sysname d...

Page 1994: ...ccessful 2 failed 3 Current online users 1 MAC address Auth state 0001 0000 0000 Authenticated 0001 0000 0001 Unauthenticated Table 1 Command output Field Description MAC authentication Whether MAC au...

Page 1995: ...n is specified in system view this field displays Not configured use default domain Online MAC auth wired users Number of wired online MAC authentication users including users that have passed MAC aut...

Page 1996: ...port Host mode MAC authentication VLAN mode for users moving from one VLAN to another on the port Single VLAN Single VLAN mode Multiple VLAN Multi VLAN mode Offline detection Status of MAC authenticat...

Page 1997: ...de If you do not specify this keyword the command displays information about all online MAC authentication users interface interface type interface number Specifies a port by its type and number If yo...

Page 1998: ...ions Total number of online MAC authentication users User MAC address MAC address of the user Access interface Interface through which the user accesses the device User access state Access state of th...

Page 1999: ...shorter than the server assigned session timeout timer Radius request Reauthenticates the online user when the server assigned session timeout timer expires regardless of whether the periodic MAC reau...

Page 2000: ...on mac address guest vlan Total MAC addresses 10 Interface GigabitEthernet1 0 1 Guest VLAN 3 Aging time N A MAC addresses 8 0800 2700 9427 0800 2700 2341 0800 2700 2324 0800 2700 2351 0800 2700 5627 0...

Page 2001: ...ication globally Sysname system view Sysname mac authentication Enable MAC authentication on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1...

Page 2002: ...ser log enable failed login Related commands info center source maca logfile deny Network Management and Monitoring Command Reference mac authentication authentication method Use mac authentication au...

Page 2003: ...lude ip acl acl number undo mac authentication carry user ip Default A MAC authentication request does not include the user IP address Views Layer 2 Ethernet interface view Predefined user roles netwo...

Page 2004: ...ctively Use permit rules to identify source IP addresses that are valid for MAC authentication Use deny rules to identify source IP addresses that cannot trigger MAC authentication In the rules only t...

Page 2005: ...the critical VLAN can access network resources in the critical VLAN The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers If a MAC authentication use...

Page 2006: ...er 2 LAN Switching Command Reference A MAC authentication critical VLAN is configured on the port This setting ensures that a voice user is assigned to the critical VLAN if it has failed authenticatio...

Page 2007: ...for MAC authentication users in the following order 1 Authentication domain specified on the port 2 Global authentication domain specified in system view 3 Default authentication domain Examples Speci...

Page 2008: ...uration Examples Configure VLAN 100 as the MAC authentication guest VLAN on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 mac authentic...

Page 2009: ...network admin Usage guidelines To accommodate IP phone services or any other applications that are sensitive to delay or service interruption in a multi VLAN environment enable MAC authentication mul...

Page 2010: ...s the password specified in plaintext form will be stored in encrypted form string Specifies the password Its plaintext form is a case sensitive string of 1 to 63 characters Its encrypted form is a ca...

Page 2011: ...m of 4294967295 concurrent MAC authentication users Views Layer 2 Ethernet interface view Predefined user roles network admin Parameters max number Sets the maximum number of concurrent MAC authentica...

Page 2012: ...e device determines that the user is idle If the device has not received traffic from a user before the timer expires the device logs off that user and requests the accounting server to stop accountin...

Page 2013: ...e resets the offline detection timer and the user stays online If the offline detection timer expires because the device has not found a matching snooping entry for the user or received traffic from t...

Page 2014: ...02 1X authentication and MAC authentication and performs MAC based access control for 802 1X authentication The port is enabled with the 802 1X unicast trigger For the port to perform MAC authenticati...

Page 2015: ...users on a port This feature tracks the connection status of online users and updates the authorization attributes assigned by the server such as the ACL and VLAN To set the periodic reauthentication...

Page 2016: ...thentication Examples Enable the keep online feature for authenticated MAC authentication users on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthe...

Page 2017: ...hronization increases as the number of online users grows This might result in an increased delay for new MAC authentication users and users in the critical VLAN to authenticate or reauthenticate to t...

Page 2018: ...in secure ext when you want to use MAC authentication delay The delay does not take effect on a port in either of the two modes For more information about port security modes see Port security command...

Page 2019: ...is 60 to 86400 server timeout server timeout value Sets the server timeout timer The value range is 100 to 300 seconds user aging Sets the user aging timer for a type of MAC authentication VLAN criti...

Page 2020: ...uration Guide User aging timer user aging Sets the user aging timer for a type of MAC authentication VLAN If you enable user aging for unthenticated MAC authentication user you can set a user aging ti...

Page 2021: ...feature as a best practice Examples Disable unauthenticated MAC authentication user aging on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1...

Page 2022: ...e password specified in plaintext form will be stored in encrypted form string Specifies the password Its plaintext form is a case sensitive string of 1 to 63 characters Its encrypted form is a case s...

Page 2023: ...ation to come online again With a VLAN specified this command logs off the following MAC authentication users Users that have passed MAC authentication and have been assigned the specified VLAN as the...

Page 2024: ...entication critical voice vlan to remove MAC authentication users from the MAC authentication critical voice VLAN on a port Syntax reset mac authentication critical voice vlan interface interface type...

Page 2025: ...the MAC authentication guest VLAN on GigabitEthernet 1 0 1 Sysname reset mac authentication guest vlan interface gigabitethernet 1 0 1 mac address 1 1 1 Related commands display mac authentication mac...

Page 2026: ...34 Related commands display mac authentication...

Page 2027: ...t destination 34 portal free rule 35 portal free rule destination 37 portal free rule source 38 portal ipv6 free all except destination 39 portal ipv6 layer3 source 40 portal ipv6 user detect 41 porta...

Page 2028: ...ii...

Page 2029: ...utomatically push the portal authentication page to iOS devices and some Android devices when they are connected to the network The device pushes the portal authentication page only when the user acce...

Page 2030: ...our own authentication pages For more information about the restrictions and guidelines see portal authentication configuration in Security Configuration Guide Examples Specify file pagefile1 zip as t...

Page 2031: ...on authentication subnet IP address Mask 2 2 2 2 255 255 255 0 IPv6 portal status Disabled Portal authentication method Disabled Portal web server Not configured Portal mac trigger server Not configur...

Page 2032: ...ication Disabled Both users with IP addresses obtained through DHCP and users with static IP addresses can pass authentication to get online Pre auth ip pool Name of the IP address pool specified for...

Page 2033: ...view Predefined user roles network admin network operator Parameters server server name Specifies a portal authentication server by its name a case sensitive string of 1 to 32 characters Usage guideli...

Page 2034: ...acknowledgment packet the access device sent to the portal authentication server REQ_AUTH Authentication request packet the portal authentication server sent to the access device ACK_AUTH Authenticati...

Page 2035: ...ortal authentication server sent to the access device Related commands reset portal packet statistics display portal rule Use display portal rule to display portal filtering rules Syntax display porta...

Page 2036: ...0 0000 Interface Vlan interface100 VLAN 100 Destination IP 192 168 0 111 Mask 255 255 255 255 Port Any Rule 2 Type Dynamic Action Permit Status Active Source IP 2 2 2 2 MAC 000d 88f8 0eab Interface Vl...

Page 2037: ...pe Static Action Permit Protocol Any Status Active Source IP Prefix length 0 Port Any MAC 0000 0000 0000 Interface Vlan interface100 VLAN 100 Destination IP 3000 1 Prefix length 64 Port Any Rule 2 Typ...

Page 2038: ...al filtering rule Dynamic Dynamic portal filtering rule Action Action triggered by the portal filtering rule Permit The interface allows packets to pass Redirect The interface redirects packets Deny T...

Page 2039: ...c portal filtering rule Number Number of the authorized ACL This field displays N A if the AAA server does not assign an ACL display portal server Use display portal server to display information abou...

Page 2040: ...r User synchronization User idle timeout in seconds for portal user synchronization Status Reachability status of the portal authentication server Up This value indicates one of the following conditio...

Page 2041: ...server pts State Online VPN instance N A MAC IP VLAN Interface 000d 88f8 0eab 2 2 2 2 100 Vlan interface100 Authorization information DHCP IP pool N A User profile N A Session group profile N A ACL nu...

Page 2042: ...thorized user profile is applied to the user access interface successfully inactive The authorized user profile is not applied to the user access interface or the user profile does not exist on the de...

Page 2043: ...18000002 Access interface Vlan interface20 Service VLAN Customer VLAN MAC address 0000 0000 0001 Domain hrss VPN instance N A Status Online Portal server test Portal authentication method Direct AAA R...

Page 2044: ...PLS L3VPN instance to which the portal user belongs If the portal user is on a public network this field displays N A Status Status of the portal user Authenticating The user is being authenticated Au...

Page 2045: ...nline Offline Log out the user DHCP IP pool Authorized DHCP IP address pool If no DHCP IP address pool is authorized for the portal user this field displays N A Inbound CAR This field is not supported...

Page 2046: ...n ITA traffic statistics for the portal user Accounting merge This field is not supported in the current software version Status of the accounting merge feature Enabled The accounting merge feature is...

Page 2047: ...s interface N A No inbound CAR is authorized Outbound CAR This field is not supported in the current software version Authorized outbound CAR for ITA traffic CIR Committed information rate in bps PIR...

Page 2048: ...erver IMC IMC server Portal Web server Name of the portal Web server URL URL of the portal Web server URL parameters URL parameters for the portal Web server VPN instance Name of the MPLS L3VPN where...

Page 2049: ...interface interface type interface number slot slot number Views Any view Predefined user roles network admin network operator Parameters interface interface type interface number Specifies an interfa...

Page 2050: ...direct Redirects the packets Status Status of the Web redirect rule Active The Web redirect rule is effective Inactive The Web redirect rule is not effective Source Source information in the Web redir...

Page 2051: ...ion algorithm to encrypt the parameters carried in the redirection URL If you do not specify an encryption algorithm the parameters carried in the redirection URL are not encrypted aes Specifies the A...

Page 2052: ...tion URL Sysname system view Sysname portal web server wbs Sysname portal websvr wbs if match original url http www abc com cn redirect url http 192 168 0 1 url param encryption des key simple 1234567...

Page 2053: ...plaintext form is a case sensitive string of 1 to 64 characters Its encrypted form is a case sensitive string of 1 to 117 characters Usage guidelines A portal authentication server has only one IPv4 a...

Page 2054: ...key Its plaintext form is a case sensitive string of 1 to 64 characters Its encrypted form is a case sensitive string of 1 to 117 characters Usage guidelines A portal authentication server has only on...

Page 2055: ...undo portal bas ip bas ipv6 to restore the default Syntax portal bas ip ipv4 address bas ipv6 ipv6 address undo portal bas ip bas ipv6 Default The BAS IP attribute of an IPv4 portal reply packet sent...

Page 2056: ...following conditions are met The portal authentication server is an H3C IMC server or the portal authentication mode on the interface is re DHCP The portal device IP address specified on the portal au...

Page 2057: ...server name fail permit undo portal ipv6 apply web server Default No portal Web server is specified Views Interface view Predefined user roles network admin Parameters ipv6 Specifies an IPv6 portal W...

Page 2058: ...profile does not exist on the device or the user profile fails to be deployed the user will not be logged out Views Interface view Predefined user roles network admin Parameters acl Enables strict ch...

Page 2059: ...nterface type interface number Specifies an interface by its type and number If you specify this option this command logs out all IPv4 and IPv6 online portal users on the interface ipv6 ipv6 address S...

Page 2060: ...pv6 domain to delete the configured portal authentication domain Syntax portal ipv6 domain domain name undo portal ipv6 domain Default No portal authentication domain is configured on an interface Vie...

Page 2061: ...lines To modify the portal authentication mode first execute the undo portal ipv6 enable command to disable portal authentication and then execute the portal ipv6 enable command Make sure the device s...

Page 2062: ...reachable After portal authentication resumes unauthenticated portal users need to pass authentication to access network resources Portal users who has passed authentication can continue accessing net...

Page 2063: ...subnets on the interface Re DHCP authentication does not support authentication destination subnets If you configure both an authentication source subnet and an authentication destination subnet on a...

Page 2064: ...s any IPv6 address tcp tcp port number Specifies a TCP port number for the portal free rule in the range of 0 to 65535 udp udp port number Specifies a UDP port number for the portal free rule in the r...

Page 2065: ...interface 1 when they access services provided on TCP port 23 of host 2001 1 Related commands display portal rule portal free rule destination Use portal free rule destination to configure a destinat...

Page 2066: ...the same rule already exists Examples Configure a destination based portal free rule specify the rule number as 4 and host name as www h3c com This rule allows the portal user who sends the HTTP HTTP...

Page 2067: ...IPv6 portal authentication destination subnets on the interface Syntax portal ipv6 free all except destination ipv6 network address prefix length undo portal ipv6 free all except destination ipv6 netw...

Page 2068: ...face view Predefined user roles network admin Parameters ipv6 network address Specifies an IPv6 portal authentication source subnet address prefix length Specifies the prefix length of the IPv6 addres...

Page 2069: ...s a detection interval in the range of 1 to 1200 seconds The default interval is 3 seconds idle time Sets the user idle timeout in the range of 60 to 3600 seconds The default idle timeout is 180 secon...

Page 2070: ...em view Sysname interface vlan interface 100 Sysname Vlan interface100 portal ipv6 user detect type nd retry 5 interval 10 idle 300 Related commands display portal portal layer3 source Use portal laye...

Page 2071: ...he local portal Web service Syntax portal local web server http https ssl server policy policy name tcp port port number undo portal local web server http https Default Local portal Web service is dis...

Page 2072: ...protocol except HTTPS or other service For example do not specify port numbers 80 and 23 which are used by HTTP and Telnet respectively Do not configure the same TCP port number for HTTP and HTTPS lo...

Page 2073: ...r logins and logouts Sysname system view Sysname portal user log enable portal max user Use portal max user to set the maximum number of total portal users allowed in the system Use undo portal max us...

Page 2074: ...ews Interface view Predefined user roles network admin Parameters profile name Specifies the name of a NAS ID profile a case insensitive string of 1 to 31 characters Usage guidelines A NAS ID profile...

Page 2075: ...ADIUS packets sent for portal users to the RADIUS server The device then automatically constructs a value for the NAS Port Id attribute in the specified format to meet the RADIUS server requirements F...

Page 2076: ...identifying the further service type requirement For example use this field to identify specific services in a multi PVC scenario For ATM interfaces ANI_XPI is VPI in the range of 0 to 255 ANI_XCI is...

Page 2077: ...ers IfNO Interface number a string of 3 characters VlanID VLAN ID a string of 9 characters DHCPoption DHCP option 82 is appended for IPv4 users and DHCP option 1 is appended for IPv6 Format 4 is slot...

Page 2078: ...ecifies the NAS port type as ISDN Sync attribute value 2 piafs Specifies the NAS port type as PIAFS attribute value 6 sdsl Specifies the NAS port type as SDSL attribute value 11 sync Specifies the NAS...

Page 2079: ...use this IP address to perform portal authentication The specified IP address pool takes effect when the following requirements are met The direct portal authentication mode is used on the interface T...

Page 2080: ...D entries for portal users Examples Disable the Rule ARP entry feature for portal clients Sysname system view Sysname undo portal refresh arp enable portal roaming enable Use portal roaming enable to...

Page 2081: ...ers Usage guidelines In portal authentication server view you can configure the following parameters and features for the portal authentication server IP address of the server Destination UDP port num...

Page 2082: ...atus If the device receives a reply within the maximum number of detection attempts it considers that the user is online and stops sending detection packets Then the device resets the idle timer and r...

Page 2083: ...ers with DHCP assigned IP addresses and users with static IP addresses can pass portal authentication to come online Views Interface view Predefined user roles network admin Parameters ipv6 Specifies...

Page 2084: ...ltering rules use the display portal rule dynamic command Examples Enable the device to check the issuing of category 2 portal filtering rules Sysname system view Sysname portal rule assign check enab...

Page 2085: ...WPAD server to pass without authentication If portal users enable Web proxy in their browsers the users must add the IP address of the portal authentication server as a proxy exception in their browse...

Page 2086: ...et portal packet statistics server server name Views User view Predefined user roles network admin Parameters server name Specifies a portal authentication server by its name a case sensitive string o...

Page 2087: ...l authentication server supports sending heartbeat packets The detection timeout configured on the device must be greater than the server heartbeat interval configured on the portal authentication ser...

Page 2088: ...dependently No configuration on the portal Web server is required for the detection The portal Web server detection feature takes effect only when the URL of the portal Web server is specified and the...

Page 2089: ...ce name and the IP address and port number after NAT The register information is used for subsequent authentication information exchanges between the server and the access device The access device upd...

Page 2090: ...p port port number undo tcp port Default The listening TCP port number for HTTP is 80 and that for HTTPS is the TCP port number set by the portal local web server command Views Local portal Web servic...

Page 2091: ...l Web server Use undo url to restore the default Syntax url url string undo url Default No URL is specified for a portal Web server Views Portal Web server view Predefined user roles network admin Par...

Page 2092: ...user visits source address Specifies the user IP address source mac Specifies the user MAC address encryption Specifies the encryption algorithm to encrypt the MAC address of the user aes Specifies t...

Page 2093: ...thm for a parameter the redirection URL carries the encrypted value for the parameter Execute the url parameter usermac source mac encryption des key simple 12345678 command Then the access device sen...

Page 2094: ...han the synchronization detection timeout configured on the access device Deleting a portal authentication server on the device also deletes the user synchronization configuration for the server If yo...

Page 2095: ...al websvr wbs vpn instance abc web redirect url Use web redirect url to enable the Web redirect feature Use undo web redirect url to disable the Web redirect feature Syntax web redirect ipv6 url url s...

Page 2096: ...wser After the specified interval the user is redirected to the specified URL again Web redirect does not work when both Web redirect and portal authentication are enabled The Web redirect feature tak...

Page 2097: ...eb auth server 2 display web auth user 3 ip 4 redirect wait time 5 url 6 url parameter 7 web auth auth fail vlan 8 web auth domain 9 web auth enable 9 web auth free ip 10 web auth max user 11 web auth...

Page 2098: ...bitethernet 1 0 1 Global Web auth parameters Temp entry aging time 500 s HTTP proxy port numbers Not configured HTTPS proxy port numbers Not configured Total online web auth users 1 GigabitEthernet1 0...

Page 2099: ...Max online users Maximum number of Web authentication users allowed on the interface Web auth enable State of Web authentication Enabled Disabled Total online web auth users Total number of online Web...

Page 2100: ...IP address of the Web authentication server Port Port number of the Web authentication server URL Redirection URL of the Web authentication server Redirect wait time Time before redirecting an authent...

Page 2101: ...ss of the online Web authentication user Access interface Access interface of the online Web authentication user Initial VLAN Initial VLAN of the user before the user passes Web authentication Authori...

Page 2102: ...twork access requests The port number of the Web authentication server must be the same as the listening port of the local portal Web service For more information about the local portal Web service co...

Page 2103: ...e the default Syntax url url string undo url Default No redirection URL is specified for a Web authentication server Views Web authentication server view Predefined user roles network admin Parameters...

Page 2104: ...ress source mac Specifies the user MAC address value expression Specifies a custom case sensitive string of 1 to 256 characters The string can include question marks If you enter a question mark in th...

Page 2105: ...After you configure this command on an interface users who failed Web authentication on the interface can access resources in the Auth Fail VLAN You must also configure the IP address of the server t...

Page 2106: ...Specifies an ISP authentication domain name a case insensitive string of 1 to 255 characters User guidelines After you configure this command the device uses the authentication domain for authenticat...

Page 2107: ...view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 web auth enable apply server wbs Related commands web auth server web auth free ip Use web auth free ip to specify a Web authe...

Page 2108: ...arameters max number Specifies the maximum number of Web authentication users allowed on an interface The value range for this argument is 1 to 2048 User guidelines If the specified maximum number is...

Page 2109: ...mistakenly logging out users set the detection interval to be the same as the aging time of MAC address entries Examples On GigabitEthernet 1 0 1 enable online detection of Web authentication users an...

Page 2110: ...at use a Web proxy server do not use the proxy server for the listening IP address of the local portal Web service Then HTTP packets that the Web authentication user sends to the local portal Web serv...

Page 2111: ...n it detects traffic from a user for the first time The entry records the MAC address access interface and VLAN ID of the user as well as the aging time of the entry The aging timer works as follows I...

Page 2112: ...btain resources from the Auth Fail VLAN for example it failed to download the virus patches Examples Set the aging timer for temporary MAC address entries to 500 seconds Sysname system view Sysname we...

Page 2113: ...curity free vlan 11 port security intrusion mode 12 port security mac address aging type inactivity 13 port security mac address dynamic 14 port security mac address security 15 port security mac limi...

Page 2114: ...ort security information for all ports Sysname display port security Global port security parameters Port security Enabled AutoLearn aging time 0 min Disableport timeout 20 s Blockmac timeout 180 s MA...

Page 2115: ...fline Logs off the users NAS ID profile NAS ID profile applied globally Dot1x failure trap Whether SNMP notifications for 802 1X authentication failures are enabled Dot1x logon trap Whether SNMP notif...

Page 2116: ...ress NeedToKnowAuto Forwards only broadcast multicast and unicast frames with an authenticated destination MAC address and only when the port has online users Disabled NTK is disabled Intrusion protec...

Page 2117: ...om other ports display port security mac address block Use display port security mac address block to display information about blocked MAC addresses Syntax display port security mac address block int...

Page 2118: ...splay port security mac address security interface interface type interface number vlan vlan id count Views Any view Predefined user roles network admin network operator Parameters interface interface...

Page 2119: ...lays the remaining lifetime If the remaining lifetime is less than 60 seconds the lifetime is counted in seconds If the lifetime is not less than 60 seconds the lifetime is counted in minutes By defau...

Page 2120: ...er log enable violation Related commands info center source portsec logfile deny Network Management and Monitoring Command Reference port security authentication open Use port security authentication...

Page 2121: ...se undo port security authentication open global to disable global open authentication mode Syntax port security authentication open global undo port security authentication open global Default Global...

Page 2122: ...port uses the authorization information from the server Views Layer 2 Ethernet interface view Predefined user roles network admin Usage guidelines After a user passes RADIUS or local authentication th...

Page 2123: ...em Usage guidelines The authorization fail offline feature logs off port security users that have failed ACL or user profile authorization A user fails ACL or user profile authorization in the followi...

Page 2124: ...the following security settings to the default 802 1X access control mode is MAC based Port authorization state is auto When online users are present on a port disabling port security logs off the onl...

Page 2125: ...MAC authentication on a port configured with any of the following features 802 1X authentication MAC authentication Any of the following port security modes userLogin userLoginSecure userLoginWithOUI...

Page 2126: ...ever it receives an illegal frame You can use the port security timer disableport command to set the period Usage guidelines To bring up the port disabled by the intrusion protection feature use the u...

Page 2127: ...imer is set to a value not less than 60 seconds the traffic data detection interval is fixed at 30 seconds If the aging timer is set to a value less than 60 seconds the traffic data detection interval...

Page 2128: ...sticky MAC addresses Examples Enable the dynamic secure MAC feature on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 port security mac...

Page 2129: ...in autoLearn mode Sticky MAC addresses do not age out by default You can use the port security timer autolearn aging command to set an aging timer for the sticky MAC addresses When the timer expires...

Page 2130: ...N items Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan id1 to vlan id2 The value range for the VLAN IDs is 1 to 4094 The value for the vlan id2 argument m...

Page 2131: ...e VLAN to which the user belongs is permitted by the port Views Layer 2 Ethernet interface view Predefined user roles network admin Usage guidelines Enable VLAN check bypass on a port to skip checking...

Page 2132: ...move allows an online user authenticated through 802 1X or MAC authentication on one port or VLAN to be reauthenticated and come online on another port or VLAN without going offline first After the us...

Page 2133: ...the port This option takes effect only on a port that operates in autoLearn mode Usage guidelines For autoLearn mode this command sets the maximum number of secure MAC addresses both configured and au...

Page 2134: ...file by its name The argument is a case insensitive string of 1 to 31 characters Usage guidelines A NAS ID profile defines NAS ID and VLAN bindings You can create a NAS ID profile by using the aaa nas...

Page 2135: ...MAC address and only when the port has online users ntkonly Forwards only unicast frames with an authenticated destination MAC address Usage guidelines The NTK feature checks the destination MAC addr...

Page 2136: ...oginWithOUI mode In userLoginWithOUI mode a port allows only one 802 1X user and one user whose MAC address matches one of the configured OUI values Examples Configure an OUI value of 000d2a and set t...

Page 2137: ...ation users to log in Upon receiving a non 802 1X frame a port in this mode performs only MAC authentication Upon receiving an 802 1X frame the port performs MAC authentication and then if MAC authent...

Page 2138: ...ddress contains a specific OUI In this mode the port performs OUI check at first If the OUI check fails the port performs 802 1X authentication The port permits frames that pass OUI check or 802 1X au...

Page 2139: ...Usage guidelines The timer applies to all sticky secure MAC addresses and those automatically learned by a port The effective aging timer varies by the aging timer setting If the aging timer is set i...

Page 2140: ...s time value Specifies the silence period in seconds during which the port remains disabled The value is in the range of 20 to 300 Usage guidelines If you configure the intrusion protection action as...

Page 2141: ...MAC based access control mode this feature collects user traffic statistics on a per MAC basis on the port If a port performs 802 1X authentication in port based access control mode this feature coll...

Page 2142: ...llegal frame detection mac auth failure Specifies notifications about MAC authentication failures mac auth logoff Specifies notifications about MAC authentication user logoffs mac auth logon Specifies...

Page 2143: ...i Contents User profile commands 1 display user profile 1 user profile 2...

Page 2144: ...isplays configuration and online user information for all user profiles slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command displays use...

Page 2145: ...e view of an existing user profile Use undo user profile to delete a user profile Syntax user profile profile name undo user profile profile name Default No user profiles exist Views System view Prede...

Page 2146: ...assword control change password weak password enable 8 password control complexity 9 password control composition 10 password control enable 12 password control expired user login 13 password control...

Page 2147: ...Global password control configurations Password control Enabled device management users Enabled network access users Password aging Enabled 90 days Password length Enabled 10 characters Password comp...

Page 2148: ...wed maximum number of consecutive failed login attempts for FTP and VTY users Action for exceeding login attempts Action to be taken after a user fails to log in after the specified number of attempts...

Page 2149: ...nformation about blacklisted FTP Web and virtual terminal line VTY users Users accessing the system through the console interface are not blacklisted for the following reasons The system is unable to...

Page 2150: ...ssword control feature is enabled The default minimum password length and default password composition restriction vary by device model In FIPS mode the password composition restriction or the minimum...

Page 2151: ...password control aging aging time undo password control aging Default A password expires after 90 days The password aging time for a user group equals the global setting The password aging time for a...

Page 2152: ...g 100 Related commands display local user display password control display user group password control aging enable password control alert before expire Use password control alert before expire to set...

Page 2153: ...iew Predefined user roles network admin Parameters timeout Specifies the user authentication timeout time in seconds in the range of 30 to 600 Usage guidelines This command takes effect only on Telnet...

Page 2154: ...ontrol enable password control change password weak password enable Use password control change password weak password enable to enable mandatory weak password change Use undo password control change...

Page 2155: ...assword control length password control enable password control complexity Use password control complexity to configure the password complexity checking policy Use undo password control complexity to...

Page 2156: ...oup the system uses the global policy In non FIPS mode username checking is enabled regardless of whether or not the global password control feature is enabled In FIPS mode the password complexity che...

Page 2157: ...ser view applies only to the local user A password composition policy with a smaller application scope has higher priority The system prefers to use the password composition policy in local user view...

Page 2158: ...rs Usage guidelines When you enable global password control the device automatically generates a dat file and saves the file to the storage media The file is used to record authentication and login in...

Page 2159: ...umber of times that a user can log in after the password expires Use undo password control expired user login to restore the defaults Syntax password control expired user login delay delay times times...

Page 2160: ...s for each user is 4 Views System view Predefined user roles network admin Parameters max record number Specifies the maximum number of history password records for each user The value range is 2 to 1...

Page 2161: ...sword length in characters The value range for this argument is 4 to 32 in non FIPS mode and 15 to 32 in FIPS mode Usage guidelines The minimum length setting depends on the view The setting in system...

Page 2162: ...word control login idle time idle time undo password control login idle time Default The maximum account idle time is 90 days Views System view Predefined user roles network admin Parameters idle time...

Page 2163: ...value range is 2 to 10 exceed Specifies an action to be taken for the user who fails to log in after making the maximum number of attempts lock Disables the user account permanently lock time time Di...

Page 2164: ...counts The password control login attempt command takes effect immediately after being executed and can affect the users already in the password control blacklist Examples Allow a maximum of four cons...

Page 2165: ...trol super aging Default A super password expires after 90 days Views System view Predefined user roles network admin Parameters aging time Specifies the super password aging time in days in the range...

Page 2166: ...mode and 1 to 15 in FIPS mode Usage guidelines The product of the minimum number of character types and minimum number of characters for each type cannot be greater than the maximum length of the sup...

Page 2167: ...change their passwords Use undo password control update interval to restore the default Syntax password control update interval interval undo password control update interval Default The minimum passw...

Page 2168: ...password control history record Use reset password control history record to delete history password records Syntax reset password control history record super role role name user name user name netw...

Page 2169: ...nagement users Sysname reset password control history record Are you sure you want to delete all device management users history records Y N y Delete the history password records of all network access...

Page 2170: ...local public 1 display public key peer 4 peer public key end 6 public key local create 7 public key local destroy 10 public key local export dsa 11 public key local export ecdsa 13 public key local ex...

Page 2171: ...f you do not specify a key pair this command displays the public keys of all local key pairs of the specified type Usage guidelines You can copy and distribute the public key of a local key pair to pe...

Page 2172: ...CE14A0D3A5222FE08CECE65BE6C265854889DC1E DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038 7811C7DA3...

Page 2173: ...DD6145BF9362B 1D Key name ecdsa1 Key type ECDSA Time when key pair created 15 43 33 2011 05 12 Key code 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1 AE672C7CFA5135D5F5B02...

Page 2174: ...of the local ECDSA key pair ecdsa1 Sysname display public key local ecdsa public name ecdsa1 Key name ecdsa1 Key type ECDSA Time when key pair created 15 43 33 2011 05 12 Key code 3049301306072A8648C...

Page 2175: ...he public key peer import sshkey command to configure a peer host public key on the local device Examples Display detailed information about the peer host public key idrsa Sysname display public key p...

Page 2176: ...the correct format the system discards the key and displays an error message If the key is valid for example the key was displayed by the display public key local public command the system saves the...

Page 2177: ...key pair type secp192r1 Uses the secp192r1 curve to create a 192 bit ECDSA key pair secp256r1 Uses the secp256r1 curve to create a 256 bit ECDSA key pair secp384r1 Uses the secp384r1 curve to create...

Page 2178: ...ite the existing key pair The key pairs are automatically saved and can survive system reboots Table 5 A comparison of different types of asymmetric key algorithms Type Generated key pairs Modulus key...

Page 2179: ...l create rsa name rsa1 The range of public key modulus is 512 4096 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generat...

Page 2180: ...key local destroy dsa ecdsa rsa name key name Views System view Predefined user roles network admin Parameters dsa Specifies the DSA key pair type ecdsa Specifies the ECDSA key pair type rsa Specifie...

Page 2181: ...me ecdsa1 Confirm to destroy the key pair Y N y Related commands public key local create public key local export dsa Use public key local export dsa to export a local DSA host public key Syntax public...

Page 2182: ...fault name in SSH 2 0 format Sysname system view Sysname public key local export dsa ssh2 BEGIN SSH2 PUBLIC KEY Comment dsa key 2011 05 12 AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9 5ra4WzTO9yz...

Page 2183: ...MIR8YvZbl8GHE8KQj9 5ra4WzTO9yzhSg06UiL CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh kiuoRCHyLDyJy5sG WD AZQd3Xf axKJPadu68HRKNl BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAA...

Page 2184: ...amentals Configuration Guide 3 On the peer device use the public key peer import sshkey command to import the host public key from the file SSH 2 0 and OpenSSH are different public key formats Choose...

Page 2185: ...see Fundamentals Configuration Guide If you do not specify a file name this command displays the key on the monitor screen Usage guidelines You can use this command to export a local RSA host public k...

Page 2186: ...a1 pub Sysname system view Sysname public key local export rsa name rsa1 openssh rsa1 pub Display the host public key of the local RSA key pair rsa1 in SSH 2 0 format Sysname system view Sysname publi...

Page 2187: ...peer public key end command to save the public key and return to system view The public key you type in the public key view must be in a correct format If the peer device is an H3C device use the disp...

Page 2188: ...this command the system automatically transforms the host public key to the PKCS format and saves the key Before you use this command make sure you have got a copy of the public key file from the pee...

Page 2189: ...play pki certificate request status 17 display pki crl domain 18 fqdn 20 ip 21 ldap server 21 locality 22 organization 23 organization unit 23 pki abort certificate request 24 pki certificate access c...

Page 2190: ...iew Predefined user roles network admin Parameters id Specifies a rule ID in the range of 1 to 16 alt subject name Specifies the alternative subject name field fqdn Specifies the FQDN attribute ip Spe...

Page 2191: ...bject name field of the certificate contains the DN attribute The DN attribute value contains the abc string A certificate matches an attribute group if it matches all attribute rules in the group Exa...

Page 2192: ...e pki domain aaa Sysname pki domain aaa ca identifier new ca certificate request entity Use certificate request entity to specify the PKI entity for certificate request Use undo certificate request en...

Page 2193: ...ficate request from ca ra undo certificate request from Default The type of certificate request reception authority is not specified Views PKI domain view Predefined user roles network admin Parameter...

Page 2194: ...line or online mode In online mode a certificate request can be automatically or manually submitted Auto request mode A PKI entity automatically obtains the CA certificate and submits a certificate re...

Page 2195: ...for the certificate request status The periodic query operation stops until the PKI entity obtains the certificate or the maximum number of query attempts is reached If the maximum number of query att...

Page 2196: ...n Usage guidelines The certificate request URL contains the location of the certificate request reception authority server and the path of the application script on the server in the format http serve...

Page 2197: ...to restore the default Syntax country country code string undo country Default No country code is set for a PKI entity Views PKI entity view Predefined user roles network admin Parameters country code...

Page 2198: ...ault Syntax crl url url string vpn instance vpn instance name undo crl url Default The URL of the CRL repository is not specified Views PKI domain view Predefined user roles network admin Parameters u...

Page 2199: ...rl url http 169 254 0 30 Set the URL of the CRL repository to ldap 169 254 0 30 in MPLS L3VPN instance vpn1 Sysname system view Sysname pki domain 1 Sysname pki domain 1 crl url ldap 169 254 0 30 vpn...

Page 2200: ...ates that match the attribute group in the access control rule Related commands pki certificate access control policy rule display pki certificate attribute group Use display pki certificate attribute...

Page 2201: ...ctn Not contain operation equ Equal operation nequ Not equal operation Attribute 1 subject name dn ctn abc Attribute rule contents alt subject name Alternative subject name issuer name Certificate iss...

Page 2202: ...also displayed If you specify the local keyword this command displays information about all local certificates in the domain If you specify the peer keyword without a serial number this command displa...

Page 2203: ...formation about local certificates in the PKI domain aaa Sysname display pki certificate domain aaa local Certificate Data Version 3 0x2 Serial Number bc 05 70 1f 0e da 0d 10 16 1e Signature Algorithm...

Page 2204: ...hRSAEncryption 94 ef 56 70 48 66 be 8f 9d bb 77 0f c9 f4 65 77 e3 bd ea 9a b8 24 ae a1 38 2d f4 ab e8 0e 93 c2 30 33 c8 ef f5 e9 eb 9d 37 04 6f 99 bd b2 c0 e9 eb b1 19 7e e3 cb 95 cd 6c b8 47 e2 cf 18...

Page 2205: ...78 98 68 03 5b 72 f4 57 d3 bf c5 30 32 0d 58 72 67 04 06 61 08 3b e9 ac 53 b9 e7 69 68 1a 23 f2 97 4c 26 14 c2 b5 d9 34 8b ee c1 ef af 1a f4 39 da c5 ae ab 56 95 b5 be 0e c3 46 35 c1 52 29 9c b7 46 f2...

Page 2206: ...ificate request status domain domain name Views Any view Predefined user roles network admin network operator Parameters domain name Specifies a PKI domain by its name a case insensitive string of 1 t...

Page 2207: ...ld Description Certificate Request Transaction number Certificate request transaction number starting from 1 Status Certificate request status including only the pending status Key usage Certificate p...

Page 2208: ...ki crl domain aaa Certificate Revocation List CRL Version 2 0x1 Signature Algorithm sha1WithRSAEncryption Issuer C cn O docm OU sec CN therootca Last Update Apr 28 01 42 13 2011 GMT Next Update NONE C...

Page 2209: ...pdate time X509v3 Authority Key Identifier X509v3 ID of the CA that issues the CRL keyid Key ID This field identifies the key pair used to sign the CRL Signature Algorithm Signature algorithm and sign...

Page 2210: ...e IP address of the PKI entity Usage guidelines Use this command to assign an IP address to a PKI entity or specify an interface for the entity The interface s primary IPv4 address will be used as the...

Page 2211: ...y uses LDAP for CRL distribution However the CRL repository URL configured for the PKI domain does not contain the IP address or host name of the LDAP server You can specify only one LDAP server for a...

Page 2212: ...n to restore the default Syntax organization org name undo organization Default No organization name is set for a PKI entity Views PKI entity view Predefined user roles network admin Parameters org na...

Page 2213: ...domain name Views System view Predefined user roles network admin Parameters domain name Specifies a PKI domain by its name a case insensitive string of 1 to 31 characters The domain name cannot conta...

Page 2214: ...policies exist Views System view Predefined user roles network admin Parameters policy name Specifies a policy name a case insensitive string of 1 to 31 characters Usage guidelines A certificate based...

Page 2215: ...nt configured by using the rule command If a certificate attribute group does not have any attribute rules the system determines that the all certificates match the associated access control rule Exam...

Page 2216: ...following steps 1 Execute the display pki certificate command to determine the serial number of the peer certificate 2 Execute the pki delete certificate domain domain name peer serial serial num comm...

Page 2217: ...ameters domain name Specifies a PKI domain name a case insensitive string of 1 to 31 characters The domain name cannot contain the special characters listed in Table 11 Table 11 Special characters Cha...

Page 2218: ...ect contents in the certificate issued by the CA Examples Create a PKI entity named en and enter its view Sysname system view Sysname pki entity en Sysname pki entity en Related commands pki domain pk...

Page 2219: ...l certificate in PEM format filename filename Specifies the name of the file for storing the certificate The file name is a case insensitive string If you do not specify a file name when you export ce...

Page 2220: ...private keys the export operation fails When you export the local certificates if the key pair in the PKI domain is changed and no longer matches the key in the local certificates the export operatio...

Page 2221: ...CCsGAQUFBwMEBgorBgEEAYI3FAICMC4GCWCGSAGG EIBDQQh Fh9Vc2VyIENlcnRpZmljYXRlIG9mIE9wZW5DQSBMYWJzMB0GA1UdDgQWBBTPw8FY ut7Xr2Ct 23zU ybgU9dQjAfBgNVHSMEGDAWgBQzEQ58yIC54wxodp6JzZvn gx0 CDAaBgNVHREEEzARgQ9ja...

Page 2222: ...UxMzMxMjla ME0xCzAJBgNVBAYTAkNOMRQwEgYDVQQKDAtPcGVuQ0EgTGFiczEOMAwGA1UECwwF VXNlcnMxGDAWBgNVBAMMD2Noa3Rlc3QgY2hrdGVzdDCBnzANBgkqhkiG9w0BAQEF AAOBjQAwgYkCgYEA54rUZ0Ux2kApceE4ATpQ437CU6ovuHS5eJKZyky8fhM...

Page 2223: ...i9jcmwvY2FjcmwuY3JsMA0GCSqGSIb3DQEBCwUA A4IBAQC0q0SSmvQNfa5ELtRKYF62C Y8QTLbk6lZDTZuIzN15SGKQcbNM970ffCD Lk1zosyEVE7PLnii3bZ5khcGO3byyXfluAqRyOGVJcudaw7uIQqgv0AJQ zaQSHi d4kQf5QWgYkQ55 C5puOmcMRgCbMpR...

Page 2224: ...xport domain domain1 pem ca BEGIN CERTIFICATE MIIB7jCCAVcCEQCdSVShJFEMifVG8zRRoSsWMA0GCSqGSIb3DQEBBQUAMDcxCzAJ BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxDDAKBgNVBAsTA2gzYzEMMAoGA1UEAxMD YWNhMB4XDTExMDEwNjAyNTc0...

Page 2225: ...main to a file named cert lo der in PKCS12 format The password for the private keys is 123 Sysname system view Sysname pki export domain domain1 p12 local passphrase 123 filename cert lo der Export al...

Page 2226: ...or peer certificates If the PKI domain the local certificates or the peer certificates do not have the CA certificate chain you must import the CA certificate first To import a local or peer certific...

Page 2227: ...he certificate file The import operation automatically updates or generates the correct key pair When you perform the import operation be sure to save the configuration file to avoid data loss Example...

Page 2228: ...wKHL35lmBDRLEzQeBFcaGwSm1JvRfE4tkJM7 Uz2QHJOfP10 0VLqMgxMlpk3TvBWgzHGJDe7TdzFCDPMPhod8pi4P8gGXmQd01PbyQ END RSA PRIVATE KEY Bag Attributes localKeyID 01 00 00 00 subject CN sldsslserver issuer C cn O...

Page 2229: ...he password Local certificate already exist confirm to overwrite it Y N y The PKI domain already has a CA certificate If it is overwritten local certificates peer certificates and CRL of this domain w...

Page 2230: ...d to print the BASE64 encoded request information Use the pkcs10 filename filename option to save the request information to a local file and transfer the file to the CA by using an out of band means...

Page 2231: ...ensitive string of 1 to 31 characters Usage guidelines In online mode You can obtain the CA certificate through the SCEP protocol If a CA certificate already exists locally do not obtain the CA certif...

Page 2232: ...me system view Sysname pki retrieve certificate domain aaa peer en1 Related commands display pki certificate pki delete certificate pki retrieve crl Use pki retrieve crl to obtain CRLs and save them l...

Page 2233: ...the CRL repository If a CRL repository is found the device obtains CRLs from the CRL repository If no CRL repository is found the device obtains CRLs through the SCEP protocol Examples Obtain CRLs fr...

Page 2234: ...ify the validity of certificates Syntax pki validate certificate domain domain name ca local Views System view Predefined user roles network admin Parameters domain name Specifies a PKI domain by its...

Page 2235: ...e current CA to the root CA Examples Verify the validity of the CA certificate in PKI domain aaa Sysname system view Sysname pki validate certificate domain aaa ca Verifying certificate Serial Number...

Page 2236: ...e key pair name can contain only letters digits and hyphens length key length Specifies the key length in bits In non FIPS mode the value range is 512 to 2048 and the default is 1024 In FIPS mode the...

Page 2237: ...al create public key ecdsa Use public key ecdsa to specify an ECDSA key pair for certificate request Use undo public key to restore the default Syntax In non FIPS mode public key ecdsa name key name s...

Page 2238: ...quest The curve parameter is ignored if the specified key pair already exists or is already contained in an imported certificate If you do not specify an elliptic curve the secp192r1 curve is used by...

Page 2239: ...a key pair A PKI domain can have key pairs using only one type of cryptographic algorithm DSA ECDSA or RSA A PKI domain can have two RSA key pairs of different purposes one is the signing key pair and...

Page 2240: ...that does not have a CA certificate you must configure the fingerprint for root CA certificate verification When an application for example IKE triggers the device to request local certificates the de...

Page 2241: ...view Sysname pki domain aaa Sysname pki domain aaa root certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E Specify an SHA1 fingerprint for verifying the root CA certificate Sysname system vi...

Page 2242: ...n defined in the access control rule Examples Create rule 1 to permit all certificates that match certificate attribute group mygroup Sysname system view Sysname pki certificate access control policy...

Page 2243: ...in 1 source ipv6 1 8 Use the IP address of VLAN interface 1 as the source IP address for PKI protocol packets Sysname system view Sysname pki domain aaa Sysname pki domain aaa source ip interface vlan...

Page 2244: ...E certificate extension so IKE peers can use the certificates ssl client Specifies the SSL client certificate extension so the SSL client can use the certificates ssl server Specifies the SSL server c...

Page 2245: ...template 29 ipsec anti replay check 30 ipsec anti replay window 31 ipsec apply 32 ipsec decrypt check enable 32 ipsec df bit 33 ipsec fragmentation 34 ipsec global df bit 35 ipsec limit max tunnel 35...

Page 2246: ...84 match local address IKE keychain view 85 match local address IKE profile view 86 match remote 87 pre shared key 89 priority IKE keychain view 90 priority IKE profile view 91 proposal 91 reset ike s...

Page 2247: ...ss IKEv2 policy view 123 match remote 124 match vrf IKEv2 policy view 125 match vrf IKEv2 profile view 126 nat keepalive 127 peer 128 pre shared key 129 prf 130 priority IKEv2 policy view 131 priority...

Page 2248: ...Specifies the HMAC AES XCBC 96 algorithm which uses a 128 bit key This keyword is available only for IKEv2 md5 Specifies the HMAC MD5 96 algorithm which uses a 128 bit key sha1 Specifies the HMAC SHA...

Page 2249: ...meters text Specifies a description a case sensitive string of 1 to 80 characters Usage guidelines If the system has multiple IPsec policies IPsec policy templates or IPsec profiles you can use this c...

Page 2250: ...pecify an IPsec policy name without any sequence number this command displays information about all IPsec policy entries with the specified name Examples Display information about all IPv4 IPsec polic...

Page 2251: ...y data flow Selector mode standard Local address Remote address Transform set IKE profile IKEv2 profile SA duration time based 3600 seconds SA duration traffic based 1843200 kilobytes SA idle time IPs...

Page 2252: ...abled Security data flow 3200 Selector mode standard Local address Remote address 5 3 6 9 Transform set completetransform IKE profile IKEv2 profile SA duration time based 3600 seconds SA duration traf...

Page 2253: ...onfiguration incomplete Possible causes include The ACL is not configured The IPsec transform set is not configured The ACL does not have any permit statements The IPsec transform set configuration is...

Page 2254: ...configured and it is empty if the key is not configured Related commands ipsec ipv6 policy policy display ipsec ipv6 policy template policy template Use display ipsec ipv6 policy template policy temp...

Page 2255: ...ile Remote address 162 105 10 2 Transform set testprop IPsec SA local duration time based 3600 seconds IPsec SA local duration traffic based 1843200 kilobytes SA idle time Display information about al...

Page 2256: ...dress of the IPsec tunnel Transform set Transform set used by the IPsec policy template IPsec SA local duration time based Time based IPsec SA lifetime in seconds IPsec SA local duration traffic based...

Page 2257: ...ion hex key ESP authentication hex key Table 3 Command output Field Description IPsec profile IPsec profile name Mode Negotiation mode used by the IPsec profile Description Description of the IPsec pr...

Page 2258: ...Specifies an IPsec SA by its remote end IP address ipv6 Specifies an IPsec SA by its remote end IPv6 address If this keyword is not specified the specified remote end IP address is an IPv4 address Usa...

Page 2259: ...2 168 1 0 255 255 255 0 port 0 protocol ip Inbound ESP SAs SPI 3564837569 0xd47b1ac1 Connection ID 90194313219 Transform set ESP ENCRYPT AES CBC 128 ESP AUTH SHA1 SA duration kilobytes sec 4294967295...

Page 2260: ...mode ISAKMP IKE negotiation mode Template IPsec policy template mode Tunnel id IPsec tunnel ID Encapsulation mode Encapsulation mode transport or tunnel Perfect Forward Secrecy Perfect Forward Secrecy...

Page 2261: ...e IPsec transform set SA duration kilobytes sec IPsec SA lifetime in kilobytes or seconds SA remaining duration kilobytes sec Remaining IPsec SA lifetime in kilobytes or seconds Max received sequence...

Page 2262: ...0 45 Dropped packets statistics No available SA 0 Wrong SA 0 Invalid length 0 Authentication failure 0 Encapsulation failure 0 Decapsulation failure 0 Replayed packets 0 ACL check failure 45 MTU chec...

Page 2263: ...ets ACL check failure Number of packets dropped due to ACL check failure MTU check failure Number of packets dropped due to MTU check failure Loopback limit exceeded Number of packets dropped due to l...

Page 2264: ...sed by the IPsec policy for negotiation 768 bit Diffie Hellman group dh group1 1024 bit Diffie Hellman group dh group2 1536 bit Diffie Hellman group dh group5 2048 bit Diffie Hellman group dh group14...

Page 2265: ...nd SPI Outbound SPI Status 0 1000 2000 Active 3000 4000 1 1 2 3 1 2 2 2 2 5000 6000 Active 7000 8000 Table 8 Command output Field Description Src Address Source IP address of the IPsec tunnel For IPse...

Page 2266: ...vpn instance SA s SPI outbound 6000 0x00001770 AH inbound 5000 0x00001388 AH outbound 8000 0x00001f40 ESP inbound 7000 0x00001b58 ESP Tunnel local address 1 2 3 1 remote address 2 2 2 2 Flow as define...

Page 2267: ...ss Local end IP address of the IPsec tunnel remote address Remote end IP address of the IPsec tunnel Flow Information about the data flow protected by the IPsec tunnel including source IP address dest...

Page 2268: ...secured transmission start and end points are not the actual start and end points of the data packets for example when two gateways provide IPsec but the data start and end points are two hosts behind...

Page 2269: ...tion algorithm In FIPS mode esp authentication algorithm sha1 sha256 sha384 sha512 undo esp authentication algorithm Default ESP does not use any authentication algorithms Views IPsec transform set vi...

Page 2270: ...92 aes ctr 256 camellia cbc 128 camellia cbc 192 camellia cbc 256 des cbc gmac 128 gmac 192 gmac 256 gcm 128 gcm 192 gcm 256 null undo esp encryption algorithm In FIPS mode esp encryption algorithm ae...

Page 2271: ...hich uses a 256 bit key This keyword is available only for IKEv2 null Specifies the NULL algorithm which means encryption is not performed Usage guidelines You can specify multiple ESP encryption algo...

Page 2272: ...stem view the device uses the global IKE settings The IKE profile specified for an IPsec policy IPsec policy template or IPsec profile defines the parameters used for IKE negotiation You can specify o...

Page 2273: ...policy1 10 isakmp Sysname ipsec policy isakmp policy1 10 ikev2 profile profile1 Related commands display ipsec ipv6 policy display ipsec policy ikev2 profile ipsec ipv6 policy policy Use ipsec ipv6 p...

Page 2274: ...have the same name Examples Create an IKE based IPsec policy entry and enter the IPsec policy view The policy name is policy1 and the sequence number is 100 Sysname system view Sysname ipsec policy p...

Page 2275: ...template are determined by the initiator When the remote end s information such as the IP address is unknown this method allows the remote end to initiate negotiations with the local end Examples Crea...

Page 2276: ...c SAs have been established if you bind the IPsec policy to a source interface the existing IPsec SAs are deleted Only an IKE based IPsec policy can be bound to a source interface An IPsec policy can...

Page 2277: ...ve the same name but different sequence numbers With the seq number argument specified the undo command deletes an IPsec policy template entry An IPv4 IPsec policy template and an IPv6 IPsec policy te...

Page 2278: ...s Enable IPsec anti replay checking Sysname system view Sysname ipsec anti replay check Related commands ipsec anti replay window ipsec anti replay window Use ipsec anti replay window to set the anti...

Page 2279: ...On an interface you can apply a maximum of two IPsec policies one IPv4 IPsec policy and one IPv6 IPsec policy An IKE based IPsec policy can be applied to multiple interfaces As a best practice apply a...

Page 2280: ...s on an interface Use undo ipsec df bit to restore the default Syntax ipsec df bit clear copy set undo ipsec df bit Default The DF bit is not configured for the outer IP header of IPsec packets on an...

Page 2281: ...gmentation Default The device fragments packets before IPsec encapsulation Views System view Predefined user roles network admin Parameters after encryption Fragments packets after IPsec encapsulation...

Page 2282: ...unnel mode It is not effective in transport mode because the outer IP header is not added in transport mode This command does not change the DF bit for the original IP header of IPsec packets Packet f...

Page 2283: ...c logging packet enable Use ipsec logging packet enable to enable logging for IPsec packets Use undo ipsec logging packet enable to disable logging for IPsec packets Syntax ipsec logging packet enable...

Page 2284: ...profile you must specify the IPsec SA setup mode manual When you enter the view of an existing IPsec profile you do not need to specify the IPsec SA setup mode A manual IPsec profile is similar to a m...

Page 2285: ...re the global IPsec SA lifetime Use undo ipsec sa global duration to restore the default Syntax ipsec sa global duration time based seconds traffic based kilobytes undo ipsec sa global duration time b...

Page 2286: ...out feature and set the idle timeout If no traffic matches an IPsec SA within the idle timeout interval the IPsec SA is deleted Use undo ipsec sa idle time to disable the global IPsec SA idle timeout...

Page 2287: ...ity parameters for IPsec SA negotiation including the security protocol encryption algorithms authentication algorithms and encapsulation mode Examples Create an IPsec transform set named tran1 and en...

Page 2288: ...olicy isakmp map 1 local address 1 1 1 1 Related commands remote address pfs Use pfs to enable the Perfect Forward Secrecy PFS feature for an IPsec transform set Use undo pfs to restore the default Sy...

Page 2289: ...the responder This restriction does not apply to IKEv2 The end without the PFS feature performs IKE negotiation according to the PFS requirements of the peer end Examples Enable PFS using 2048 bit Dif...

Page 2290: ...Enable the QoS pre classify feature Sysname system view Sysname ipsec policy policy1 100 manual Sysname ipsec policy manual policy1 100 qos pre classify redundancy replay interval Use redundancy repla...

Page 2291: ...short interval improves the anti replay information consistency between the active device and the standby device but it sacrifices the forwarding performance of the devices Examples Set the anti repla...

Page 2292: ...the latest remote IP address If a static DNS entry is used for resolution you must reconfigure the remote address command whenever the remote IP address changes Without the reconfiguration the local...

Page 2293: ...a remote IPv4 address ipv6 ipv6 address Specifies a remote IPv6 address ah Specifies the AH protocol esp Specifies the ESP protocol spi num Specifies the security parameter index in the range of 256...

Page 2294: ...et ipsec statistics Use reset ipsec statistics to clear IPsec packet statistics Syntax reset ipsec statistics tunnel id tunnel id Views User view Predefined user roles network admin Parameters tunnel...

Page 2295: ...d according to this IPsec policy and the associated static routes To display the static routes created by RRI use the display ip routing table command Examples Enable IPsec RRI to create a static rout...

Page 2296: ...g to this IPsec policy and the associated static routes Examples Change the preference to 100 for static routes created by IPsec RRI Sysname system view Sysname ipsec policy 1 1 isakmp Sysname ipsec p...

Page 2297: ...e Syntax sa duration time based seconds traffic based kilobytes undo sa duration time based traffic based Default The SA lifetime of an IPsec policy IPsec policy template or IPsec profile is the curre...

Page 2298: ...key authentication to delete an authentication key for a manual IPsec SA Syntax sa hex key authentication inbound outbound ah esp cipher simple string undo sa hex key authentication inbound outbound a...

Page 2299: ...bccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 for the inbound and outbound SAs that use AH Sysname system view Sysname ipsec policy policy1 100 manual Sysname ipsec policy manual policy1 100 sa h...

Page 2300: ...rofile to be applied to an IPv6 routing protocol the local encryption keys of the inbound and outbound SAs must be identical The keys for the IPsec SAs at the two tunnel ends must be configured in the...

Page 2301: ...command takes precedence over the global IPsec SA timeout configured by the ipsec sa idle time command If the IPsec policy IPsec policy template or IPsec profile is not configured with the SA idle tim...

Page 2302: ...lines The local inbound and outbound SAs must use the same SPI The IPsec SAs on the devices in the same scope must have the same SPI The scope is defined by protocols For OSPFv3 the scope consists of...

Page 2303: ...the same format either in hexadecimal or character format Otherwise they cannot establish an IPsec tunnel When you configure an IPsec profile for an IPv6 routing protocol follow these guidelines The...

Page 2304: ...mode One IPsec tunnel protects one data flow The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it The standard mode is used if you do not specify t...

Page 2305: ...t failure encrypt failure global invalid sa failure no sa failure policy add policy attach policy delete policy detach tunnel start tunnel stop undo snmp agent trap enable ipsec auth failure decrypt f...

Page 2306: ...sec globally Sysname system view Sysname snmp agent trap enable ipsec global Enable SNMP notifications for events of creating IPsec tunnels Sysname snmp agent trap enable ipsec tunnel start tfc enable...

Page 2307: ...age guidelines You can specify only one IPsec transform set for a manual IPsec policy If you execute this command multiple times the most recent configuration takes effect You can specify a maximum of...

Page 2308: ...61 ipsec transform set...

Page 2309: ...FIPS mode authentication algorithm sha sha256 sha384 sha512 undo authentication algorithm Default In non FIPS mode The IKE proposal uses the HMAC SHA1 authentication algorithm In FIPS mode The IKE pro...

Page 2310: ...ture authentication does and it is usually used in a simple network Signature authentication provides higher security and it is usually deployed in a large scale network such as a network with many br...

Page 2311: ...ation On the initiator If the IKE profile has a PKI domain and the automatic certificate request mode is configured for the PKI domain the initiator automatically obtains the CA certificate If the IKE...

Page 2312: ...itive string of 1 to 80 characters Usage guidelines When multiple IKE proposals exist you configure different descriptions for them to distinguish them Examples Configure a description of test for IKE...

Page 2313: ...ity but needs more time for processing To achieve the best trade off between processing performance and security choose a proper Diffie Hellman group for your network Examples Specify the 2048 bit Dif...

Page 2314: ...SHA256 algorithm SHA384 HMAC SHA384 algorithm SHA512 HMAC SHA512 algorithm Encryption algorithm Encryption algorithm used by the IKE proposal 3DES CBC 168 bit 3DES algorithm in CBC mode AES CBC 128 12...

Page 2315: ...splays summary information about all IKE SAs Examples Display summary information about all IKE SAs Sysname display ike sa Connection ID Remote Flag DOI 1 202 38 0 2 RD IPsec Flags RD READY RL REPLACE...

Page 2316: ...d information about the IKE SA with a remote address of 4 4 4 5 Sysname display ike sa verbose remote address 4 4 4 5 Connection ID 2 Outside VPN Inside VPN Profile prof1 Transmitting entity Initiator...

Page 2317: ...e IKE proposal MD5 HMAC MD5 algorithm SHA1 HMAC SHA1 algorithm SHA256 HMAC SHA256 algorithm SHA384 HMAC SHA384 algorithm SHA512 HMAC SHA512 algorithm Encryption algorithm Encryption algorithm used by...

Page 2318: ...ation failure 0 Invalid flags 0 Invalid message id 0 Invalid cookie 0 Invalid transform ID 0 Malformed payload 0 Invalid key information 0 Invalid hash information 0 Unsupported attribute 0 Unsupporte...

Page 2319: ...h consumes more bandwidth and CPU When DPD settings are configured in both IKE profile view and system view the DPD settings in IKE profile view apply If DPD is not configured in IKE profile view the...

Page 2320: ...key for encryption aes cbc 256 Specifies the AES algorithm in CBC mode The AES algorithm uses a 256 bit key for encryption des cbc Specifies the DES algorithm in CBC mode The DES algorithm uses a 56 b...

Page 2321: ...e proposal ike dpd Use ike dpd to configure global IKE DPD Use undo ike dpd to disable global IKE DPD Syntax ike dpd interval interval retry seconds on demand periodic undo ike dpd interval Default Gl...

Page 2322: ...al identity used by the local end during IKE negotiations Use undo ike identity to restore the default Syntax ike identity address ipv4 address ipv6 ipv6 address dn fqdn fqdn name user fqdn user fqdn...

Page 2323: ...enable to enable invalid security parameter index SPI recovery Use undo ike invalid spi recovery enable to disable invalid SPI recovery Syntax ike invalid spi recovery enable undo ike invalid spi reco...

Page 2324: ...seconds between IKE keepalives in the range of 20 to 28800 Usage guidelines To detect the status of the peer configure IKE DPD instead of the IKE keepalive feature unless IKE DPD is not supported on t...

Page 2325: ...alive timeout time to 20 seconds Sysname system view Sysname ike keepalive timeout 20 Related commands ike keepalive interval ike keychain Use ike keychain to create an IKE keychain and enter its view...

Page 2326: ...the maximum number of half open IKE SAs and IPsec SAs The value range for the negotiation limit argument is 1 to 99999 max sa sa limit Specifies the maximum number of established IKE SAs The value ran...

Page 2327: ...ct only for a device that resides in the private network behind a NAT gateway The device behind the NAT gateway needs to send NAT keepalives to its peer to keep the NAT session alive so that the peer...

Page 2328: ...de Authentication method Preshared key authentication DH group 768 bit Diffie Hellman group in non FIPS mode and 2048 bit Diffie Hellman group in FIPS mode IKE SA lifetime 86400 seconds You cannot cha...

Page 2329: ...ntity from certificate Default The local end uses the identity information specified by the local identity or ike identity command for signature authentication Views System view Predefined user roles...

Page 2330: ...age guidelines This command determines where the device should forward received IPsec protected data If you configure this command the device looks for a route in the specified VPN instance to forward...

Page 2331: ...rofile uses the local ID configured in system view by using the ike identity command If the local ID is not configured in system view the IKE profile uses the IP address of the interface to which the...

Page 2332: ...name system view Sysname ike profile prof1 Sysname ike profile prof1 local identity address 2 2 2 2 Related commands match remote ike identity match local address IKE keychain view Use match local add...

Page 2333: ...d to restrict the application scope of IKE keychain B to address 3 3 3 3 Examples Create IKE keychain key1 Sysname system view Sysname ike keychain key1 Apply IKE keychain key1 to IP address 2 2 2 2 s...

Page 2334: ...earlier To use IKE profile B you can use this command to restrict the application scope of IKE profile B to address 3 3 3 3 Examples Create IKE profile prof1 Sysname system view Sysname ike profile pr...

Page 2335: ...www test com user fqdn user fqdn name Uses the peer s user FQDN as the peer ID for IKE profile matching The user fqdn name argument is a case sensitive string of 1 to 255 characters such as adc test c...

Page 2336: ...s of the peer mask Specifies the mask in dotted decimal notation The default mask is 255 255 255 255 mask length Specifies the mask length in the range of 0 to 32 The default mask length is 32 ipv6 Sp...

Page 2337: ...iation with peer 1 1 1 2 to 123456TESTplat Sysname ike keychain key1 pre shared key address 1 1 1 2 255 255 255 255 key simple 123456TESTplat Related commands authentication method keychain priority I...

Page 2338: ...iority of an IKE profile the device examines the existence of the match local address command before examining the priority number An IKE profile with the match local address command configured has a...

Page 2339: ...amples Specify IKE proposal 10 for IKE profile prof1 Sysname system view Sysname ike profile prof1 Sysname ike profile prof1 proposal 10 Related commands ike proposal reset ike sa Use reset ike sa to...

Page 2340: ...cs Views User view Predefined user roles network admin Examples Clears IKE MIB statistics Sysname reset ike statistics Related commands snmp agent trap enable ike sa duration Use sa duration to set th...

Page 2341: ...invalid id invalid proposal invalid protocol invalid sign no sa failure proposal add proposal delete tunnel start tunnel stop unsupport exch type undo snmp agent trap enable ike attr not support auth...

Page 2342: ...notifications about events of deleting IKE proposals tunnel start Specifies notifications about events of creating IKE tunnels tunnel stop Specifies notifications about events of deleting IKE tunnels...

Page 2343: ...Pv4 address in the range of 0 to 32 ipv6 ipv6 address Specifies the IPv6 address of the IKEv2 peer prefix length Specifies the prefix length of the IPv6 address in the range of 0 to 128 Usage guidelin...

Page 2344: ...od rsa signature Specifies the RSA signatures as the identity authentication method Usage guidelines The local and remote identity authentication methods must both be specified and they can be differe...

Page 2345: ...Specifies a PKI domain by its name a case insensitive string of 1 to 31 characters sign Uses the local certificate in the PKI domain to generate a signature verify Uses the CA certificate in the PKI d...

Page 2346: ...cept the configuration set payload carried in Info messages send Enables the device to send Info messages carrying the configuration set payload Usage guidelines The configuration exchange feature ena...

Page 2347: ...oup2 Uses the 1024 bit Diffie Hellman group group5 Uses the 1536 bit Diffie Hellman group group14 Uses the 2048 bit Diffie Hellman group group24 Uses the 2048 bit Diffie Hellman group with the 256 bit...

Page 2348: ...Ev2 policy Usage guidelines If you do not specify any parameters this command displays the configuration of all IKEv2 policies Examples Display the configuration of all IKEv2 policies Sysname display...

Page 2349: ...case insensitive string of 1 to 63 characters If you do not specify an IKEv2 profile this command displays the configuration of all IKEv2 profiles Examples Display the configuration of all IKEv2 prof...

Page 2350: ...rifying the remote end s certificate SA duration Lifetime of the IKEv2 SA DPD DPD settings Detection interval in seconds Retry interval in seconds Detection mode on demand or periodically If DPD is di...

Page 2351: ...ntegrity MD5 SHA256 AES XCBC MAC PRF MD5 SHA256 AES XCBC MAC DH Group MODP1024 Group2 MODP1536 Group5 IKEv2 proposal default Encryption AES CBC 128 3DES CBC Integrity SHA1 MD5 PRF SHA1 MD5 DH Group MO...

Page 2352: ...s keyword the command displays the summary information tunnel tunnel id Displays detailed IKEv2 SA information for an IPsec tunnel The tunnel id argument specifies an IPsec tunnel by its ID in the ran...

Page 2353: ...Remote ID type FQDN Remote ID device_b Auth sign method Pre shared key Auth verify method Pre shared key Integrity algorithm HMAC_MD5 PRF algorithm HMAC_MD5 Encryption algorithm AES CBC 192 Life durat...

Page 2354: ...Local window 1 Remote window 1 Local request message ID 2 Remote request message ID 2 Local next message ID 0 Remote next message ID 0 Pushed IP address 192 168 1 5 Assigned IP address 192 168 2 24 Ta...

Page 2355: ...ed in IKEv2 key negotiation NAT traversal Whether a NAT gateway is detected between the local and remote ends DPD DPD settings Detection interval in seconds Retry interval in seconds If DPD is disable...

Page 2356: ...ayload 0 Authentication failed 0 Single pair required 0 TS unacceptable 0 Invalid selectors 0 Temporary failure 0 No child SA 0 Unknown other notify 0 No enough resource 0 Enqueue error 0 No IKEv2 SA...

Page 2357: ...number of IKEv2 peers For an earlier detection of dead peers use the periodic triggering mode which consumes more bandwidth and CPU The triggering interval must be longer than the retry interval so t...

Page 2358: ...a 128 bit key camellia cbc 192 Specifies the Camellia algorithm in CBC mode which uses a 192 bit key camellia cbc 256 Specifies the Camellia algorithm in CBC mode which uses a 256 bit key des cbc Spec...

Page 2359: ...host name test of the IKEv2 peer Sysname ikev2 keychain key1 peer peer1 hostname test Related commands ikev2 keychain peer identity Use identity to specify the ID of an IKEv2 peer Use undo identity t...

Page 2360: ...chain key1 Create an IKEv2 peer named peer1 Sysname ikev2 keychain key1 peer peer1 Specify IPv4 address 1 1 1 2 as the ID of the IKEv2 peer Sysname ikev2 keychain key1 peer peer1 identity address 1 1...

Page 2361: ...hallenge to enable the cookie challenging feature Use undo ikev2 cookie challenge to disable the cookie challenging feature Syntax ikev2 cookie challenge number undo ikev2 cookie challenge Default The...

Page 2362: ...egular intervals The device triggers DPD at the specified interval Usage guidelines DPD is triggered periodically or on demand As a best practice use the on demand mode when the device communicates wi...

Page 2363: ...ring of 1 to 63 characters and cannot contain a hyphen Usage guidelines An IKEv2 keychain is required on both ends if either end uses preshared key authentication The preshared key configured on both...

Page 2364: ...Predefined user roles network admin Parameters policy name Specifies a name for the IKEv2 policy The policy name is a case insensitive string of 1 to 63 characters Usage guidelines Each end must have...

Page 2365: ...rofiles exist Views System view Predefined user roles network admin Parameters profile name Specifies a name for the IKEv2 profile The profile name is a case insensitive string of 1 to 63 characters U...

Page 2366: ...uidelines An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges including the encryption algorithms integrity protection algorithms PRF algorithms and DH groups An IKEv2 proposa...

Page 2367: ...determines where the device should forward received IPsec packets after it de encapsulates them If you configure this command the device looks for a route in the specified VPN instance to forward the...

Page 2368: ...n IKEv2 proposal Otherwise the proposal is incomplete and useless You can specify multiple integrity protection algorithms for an IKEv2 proposal An algorithm specified earlier has a higher priority Ex...

Page 2369: ...profile view Use match local to specify a local interface or a local IP address to which an IKEv2 profile can be applied Use undo match local to remove a local interface or a local IP address to whic...

Page 2370: ...IKEv2 profile B to IPv4 address 3 3 3 3 You can specify multiple applicable local interfaces or IP addresses for an IKEv2 profile Examples Create an IKEv2 profile named profile1 Sysname system view S...

Page 2371: ...ertificate policy name identity address ipv4 address mask mask length range low ipv4 address high ipv4 address ipv6 ipv6 address prefix length range low ipv6 address high ipv6 address fqdn fqdn name e...

Page 2372: ...c string for doing proprietary types of identification Usage guidelines The device compares the received peer ID with the peer IDs configured in local IKEv2 profiles If a match is found it uses the IK...

Page 2373: ...the interface belongs The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs IKEv2 policies with t...

Page 2374: ...he VPN instance that the IKEv2 profile belongs to Sysname ikev2 profile profile1 match vrf name vrf1 Related commands match remote nat keepalive Use nat keepalive to set the NAT keepalive interval Use...

Page 2375: ...IKEv2 peer The peer name is a case insensitive string of 1 to 63 characters Usage guidelines An IKEv2 peer contains a preshared key and the criteria for looking up the peer The criteria for peer look...

Page 2376: ...t form is a string of 15 to 128 characters and its encrypted form is a string of 15 to 201 characters Usage guidelines If you specify the local or remote keyword you configure an asymmetric key If you...

Page 2377: ...telecom peer peer1 quit Create an IKEv2 peer named peer2 Sysname ikev2 keychain telecom peer peer2 Configure asymmetric plaintext preshared keys The key for certificate signing is 111 key b and the ke...

Page 2378: ...5 as the PRF algorithms with HMAC SHA1 preferred Sysname ikev2 proposal prop1 prf sha1 md5 Related commands ikev2 proposal integrity priority IKEv2 policy view Use priority to set a priority for an IK...

Page 2379: ...ity of the IKEv2 profile in the range of 1 to 65535 A smaller number represents a higher priority Usage guidelines The priority set by this command can only be used to adjust the match order of IKEv2...

Page 2380: ...es network admin Parameters local Deletes IKEv2 SAs for a local IP address remote Deletes IKEv2 SAs for a remote IP address ipv4 address Specifies a local or remote IPv4 address ipv6 ipv6 address Spec...

Page 2381: ...IKEv2 SA whose remote IP address is 1 1 1 2 Sysname reset ikev2 sa remote 1 1 1 2 Display information about IKEv2 SAs again Verify that the IKEv2 SA is deleted Sysname display ikev2 sa Tunnel ID Local...

Page 2382: ...re its lifetime expires saving a lot of negotiation time However the longer the lifetime the higher the possibility that attackers collect enough information and initiate attacks Two peers can have di...

Page 2383: ...ge enable 12 ssh server pki domain 13 ssh server port 14 ssh server rekey interval 14 ssh user 15 SSH client commands 18 bye 18 cd 18 cdup 19 delete 19 delete ssh client server public key 20 dir 20 di...

Page 2384: ...urce 53 ssh2 54 ssh2 ipv6 57 ssh2 ipv6 suite b 60 ssh2 suite b 62 SSH2 commands 64 display ssh2 algorithm 64 ssh2 algorithm cipher 65 ssh2 algorithm key exchange 66 ssh2 algorithm mac 67 ssh2 algorith...

Page 2385: ...Specifies the SSH server sessions status Specifies the SSH server status Examples Display the SSH server status Sysname display ssh server status Stelnet server Disable SSH version 2 0 SSH authenticat...

Page 2386: ...name 184 0 2 0 aes128 cbc Established 1 Stelnet abc 123 Table 2 Command output Field Description UserPid User process ID SessID Session ID Ver Protocol version of the SSH server Encrypt Encryption alg...

Page 2387: ...2 Username Authentication type User public key name Service type yemx password Stelnet SFTP test publickey pubkey SFTP Table 3 Command output Field Description Total ssh users Total number of SSH use...

Page 2388: ...rocess ID of an SSH session use the display ssh server session command username username Specifies the username of the SSH session to be disconnected To view the username of an SSH session use the dis...

Page 2389: ...server Syntax sftp server enable undo sftp server enable Default The SFTP server is disabled Views System view Predefined user roles network admin Examples Enable the SFTP server Sysname system view...

Page 2390: ...cify an ACL to control IPv4 SSH connections to the server Use undo ssh server acl to restore the default Syntax ssh server acl advanced acl number basic acl number mac mac acl number undo ssh server a...

Page 2391: ...CL Use undo ssh server acl deny log enable to disable logging for SSH login attempts that are denied by the SSH login control ACL Syntax ssh server acl deny log enable undo ssh server acl deny log ena...

Page 2392: ...per limit specified in this command further authentication is not allowed For any authentication an authentication attempt is a publickey or password authentication process For password publickey auth...

Page 2393: ...tions set the authentication timeout timer to a small value Examples Set the authentication timeout timer to 10 seconds for SSH users Sysname system view Sysname ssh server authentication timeout 10 R...

Page 2394: ...rver dscp to restore the default Syntax ssh server dscp dscp value undo ssh server dscp Default The DSCP value is 48 in IPv4 SSH packets Views System view Predefined user roles network admin Parameter...

Page 2395: ...in Parameters ipv6 Specifies the IPv6 ACL type advanced acl number Specifies an IPv6 advanced ACL number in the range of 3000 to 3999 basic acl number Specifies an IPv6 basic ACL number in the range o...

Page 2396: ...fault Syntax ssh server ipv6 dscp dscp value undo ssh server ipv6 dscp Default The DSCP value is 48 in IPv6 SSH packets Views System view Predefined user roles network admin Parameters dscp value Spec...

Page 2397: ...nge with SSH clients This command takes effect only on new SSH connections that are established after the command is configured and it does not affect existing SSH connections Examples Enable SSH algo...

Page 2398: ...ort number when the SSH server is enabled the SSH service is restarted and all SSH connections are terminated after the modification SSH users must reconnect to the SSH server to access the server If...

Page 2399: ...pair 2 Uses the updated RSA server key pair for key pair negotiation with the new user 3 Resets the interval and starts to count down the interval again This command takes effect only on SSH1 clients...

Page 2400: ...ation process is the same as the password authentication password Specifies password authentication This authentication method provides easy and fast encryption but it is vulnerable It can work with A...

Page 2401: ...the SSH server and perform one of the following tasks For local authentication configure a local user on the SSH server For remote authentication configure an SSH user on a remote authentication serve...

Page 2402: ...directory flash user role network admin Related commands authorization attribute display ssh user information local user pki domain SSH client commands bye Use bye to terminate the connection with th...

Page 2403: ...working directory new1 sftp cdup Use cdup to return to the upper level directory Syntax cdup Views SFTP client view Predefined user roles network admin Example Return to the upper level directory fro...

Page 2404: ...ress of the server whose public key information will be deleted If you do not specify a server IP address this command deletes the public keys of all servers from the client s public key file Examples...

Page 2405: ...the current directory including the files and subdirectories with names starting with dots sftp dir a drwxrwxrwx 2 1 1 512 Dec 18 14 12 drwxrwxrwx 2 1 1 512 Dec 18 14 12 rwxrwxrwx 1 1 1 301 Dec 18 14...

Page 2406: ...play ssh client server public key Use display ssh client server public key to display server public key information saved in the public key file of the SSH client Syntax display ssh client server publ...

Page 2407: ...RR 9Y8fI2b4tS7PoNf QKDVD7XnoiZ dqd0tnnRf6GV 74cp8ZEUQdAoTeDzzaAh 7t6FbxrNrQ Display the public key of server 2 2 2 1 saved in the public key file of the SSH client Sysname display ssh client server pu...

Page 2408: ...e The source IP address of the SSH client is 192 168 0 1 The source IPv6 address of the SSH client is 2 2 2 2 Related commands ssh client ipv6 source ssh client source exit Use exit to terminate the S...

Page 2409: ...0 00 help Use help to display help information on the SFTP client Syntax help Views SFTP client view Predefined user roles network admin network operator Usage guidelines This command has the same fun...

Page 2410: ...t excluding the files and subdirectories with names starting with dots remote path Specifies the name of the directory to be queried If you do not specify this argument the command displays informatio...

Page 2411: ...load a local file to the SFTP server Syntax put local file remote file Views SFTP client view Predefined user roles network admin Parameters local file Specifies the name of a local file remote file S...

Page 2412: ...inate the SFTP connection and return to user view Syntax quit Views SFTP client view Predefined user roles network admin network operator Usage guidelines This command has the same function as the bye...

Page 2413: ...cifies the name of an existing file or directory newname Specifies a new name for the existing file or directory Examples Change the name of a file on the SFTP server from temp1 c to temp2 c sftp dir...

Page 2414: ...nstance name put get source file name destination file name identity key ecdsa sha2 nistp256 ecdsa sha2 nistp384 rsa x509v3 ecdsa sha2 nistp256 x509v3 ecdsa sha2 nistp384 pki domain domain name prefer...

Page 2415: ...fy this option for the client to get the correct local certificate prefer compress Specifies the preferred compression algorithm for data compression between the server and the client By default compr...

Page 2416: ...s dots angle brackets quotation marks and apostrophes source Specifies a source IPv4 address or source interface for SCP packets By default the device uses the primary IPv4 address of the output inter...

Page 2417: ...v6 ipv6 address undo scp client ipv6 source Default The source IPv6 address for outgoing SCP packets is not configured The SCP client automatically selects an IPv6 address for outgoing SCP packets in...

Page 2418: ...ber Specifies a source interface by its type and number The SCP client uses the primary IPv4 address of the interface as the source address of outgoing SCP packets ip ip address Specifies a source IPv...

Page 2419: ...x509v3 ecdsa sha2 nistp384 pki domain domain name prefer compress zlib prefer ctos cipher aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ctr aes256 gcm prefer ctos hmac sha1 sha1 96 sha...

Page 2420: ...y algorithm is used you must specify this option for the client to get the correct local certificate prefer compress Specifies the preferred compression algorithm for data compression between the serv...

Page 2421: ...ckslashes vertical bars colons dots angle brackets quotation marks and apostrophes source Specifies a source IPv6 address or source interface for IPv6 SCP packets By default the device automatically s...

Page 2422: ...estination file name suite b 128 bit 192 bit pki domain domain name server pki domain domain name prefer compress zlib source interface interface type interface number ipv6 ipv6 address user username...

Page 2423: ...ult compression is not supported zlib Specifies compression algorithm zlib source Specifies a source IPv6 address or source interface for IPv6 SCP packets By default the device automatically selects a...

Page 2424: ...he server in the range of 1 to 65535 The default is 22 vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the server belongs The vpn instance name argument represents the VPN in...

Page 2425: ...address Specifies a source IPv4 address user username Specifies an SCP username a case sensitive string of 1 to 80 characters If the username contains an ISP domain name use the pureusername domain p...

Page 2426: ...2 512 prefer kex dh group14 sha1 ecdh sha2 nistp256 ecdh sha2 nistp384 prefer stoc cipher aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ctr aes256 gcm prefer stoc hmac sha1 sha1 96 sha...

Page 2427: ...CTR aes256 cbc Specifies encryption algorithm AES256 CBC aes256 ctr Specifies encryption algorithm AES256 CTR aes256 gcm Specifies encryption algorithm AES256 GCM des cbc Specifies encryption algorith...

Page 2428: ...v4 address of a loopback interface as the source address interface interface type interface number Specifies a source interface by its type and number The primary IPv4 address of this interface is the...

Page 2429: ...sftp ipv6 command takes effect only on the current IPv6 SFTP connection If you specify the source IPv6 address both in this command and the sftp ipv6 command the source IPv6 address specified in the s...

Page 2430: ...IPv6 SFTP server and enter SFTP client view Syntax In non FIPS mode sftp ipv6 server port number vpn instance vpn instance name i interface type interface number identity key dsa ecdsa sha2 nistp256 e...

Page 2431: ...algorithm for publickey authentication of the client The default is DSA in non FIPS mode and is RSA in FIPS mode If the server uses publickey authentication you must specify this keyword The client g...

Page 2432: ...ies key exchange algorithm diffie hellman group exchange sha1 dh group1 sha1 Specifies key exchange algorithm diffie hellman group1 sha1 dh group14 sha1 Specifies key exchange algorithm diffie hellman...

Page 2433: ...PKI domain of its own certificate to verify the server s certificate Examples Connect an SFTP client to SFTP server 2000 1 and specify the public key of the server as svkey The SFTP client uses public...

Page 2434: ...e brackets quotation marks and apostrophes If you do not specify the server s PKI domain the client uses the PKI domain of its own certificate to verify the server s certificate prefer compress Specif...

Page 2435: ...case sensitive string of 1 to 31 characters suite b Specifies the Suite B algorithms If neither the 128 bit keyword nor the 192 bit keyword is specified all algorithms in Suite B are used For more inf...

Page 2436: ...HMAC algorithm Public key algorithm 128 bit ecdh sha2 nistp256 AES128 GCM x509v3 ecdsa sha2 nistp256 192 bit ecdh sha2 nistp384 AES256 GCM x509v3 ecdsa sha2 nistp384 Both ecdh sha2 nistp256 ecdh sha2...

Page 2437: ...client ipv6 source ipv6 2 2 2 2 Related commands display ssh client source ssh client source Use ssh client source to configure the source IPv4 address for SSH packets that are sent by the Stelnet cl...

Page 2438: ...sha1 ecdh sha2 nistp256 ecdh sha2 nistp384 prefer stoc cipher 3des cbc aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ctr aes256 gcm des cbc prefer stoc hmac md5 md5 96 sha1 sha1 96 sh...

Page 2439: ...ame argument is a case insensitive string of 1 to 31 characters When the x509v3 public key algorithm is used you must specify this option for the client to get the correct local certificate prefer com...

Page 2440: ...ransmission priority of the packet escape character Specifies a case sensitive escape character By default the escape character is a tilde public key keyname Specifies the host public key of the serve...

Page 2441: ...r stoc hmac sha1 96 prefer compress zlib public key svkey escape ssh2 ipv6 Use ssh2 ipv6 to establish a connection to an IPv6 Stelnet server Syntax In non FIPS mode ssh2 ipv6 server port number vpn in...

Page 2442: ...ord The client generates the digital signature or certificate by using the local private key that is associated with the specified algorithm dsa Specifies public key algorithm DSA ecdsa sha2 nistp256...

Page 2443: ...nistp256 Specifies key exchange algorithm ecdh sha2 nistp256 ecdh sha2 nistp384 Specifies key exchange algorithm ecdh sha2 nistp384 prefer stoc cipher Specifies the preferred server to client encrypti...

Page 2444: ...domain domain name option The client uses the CA certificate stored in the specified PKI domain to verify the server s certificate and does not need to save the server s public key before authenticati...

Page 2445: ...ver pki domain domain name Specifies the PKI domain for verifying the server s certificate The domain name argument represents the PKI domain name a case insensitive string of 1 to 31 characters Inval...

Page 2446: ...bit Suite B algorithms to establish a connection to Stelnet server 2000 1 Specify the client s PKI domain and the server s PKI domain as clientpkidomain and serverpkidomain respectively Sysname ssh2...

Page 2447: ...the default value is 48 The DSCP value determines the transmission priority of the packet escape character Specifies a case sensitive escape character By default the escape character is a tilde sourc...

Page 2448: ...the algorithm negotiation stage Sysname display ssh2 algorithm Key exchange algorithms ecdh sha2 nistp256 ecdh sha2 nistp384 dh group exchange sha1 dh group14 sha1 dh group1 sha1 Public key algorithms...

Page 2449: ...GCM AES256 GCM AES128 CBC 3DES CBC AES256 CBC and DES CBC in descending order of priority for algorithm negotiation Views System view Predefined user roles network admin Parameters 3des cbc Specifies...

Page 2450: ...orithm key exchange Default SSH2 uses key exchange algorithms ecdh sha2 nistp256 ecdh sha2 nistp384 diffie hellman group exchange sha1 diffie hellman group14 sha1 and diffie hellman group1 sha1 in des...

Page 2451: ...sha2 512 undo ssh2 algorithm mac Default SSH2 uses HMAC algorithms SHA2 256 SHA2 512 SHA1 MD5 SHA1 96 and MD5 96 in descending order of priority for algorithm negotiation Views System view Predefined...

Page 2452: ...public key Default SSH2 uses public key algorithms x509v3 ecdsa sha2 nistp256 x509v3 ecdsa sha2 nistp384 ecdsa sha2 nistp256 ecdsa sha2 nistp384 RSA and DSA in descending order of priority for algorit...

Page 2453: ...algorithm dsa as the public key algorithm for SSH2 Sysname system view Sysname ssh2 algorithm public key dsa Related commands display ssh2 algorithm ssh2 algorithm cipher ssh2 algorithm key exchange...

Page 2454: ...y 4 display ssl client policy 5 display ssl server policy 6 pki domain SSL client policy view 7 pki domain SSL server policy view 7 prefer cipher 8 server verify enable 10 session 11 ssl client policy...

Page 2455: ...roles network admin Usage guidelines This feature causes additional overheads in the SSL negotiation process Enable it only when the SSL client does not have the complete certificate chain to verify t...

Page 2456: ...6_cbc_sha Specifies the cipher suite that uses key exchange algorithm DHE RSA data encryption algorithm 256 bit AES_CBC and MAC algorithm SHA dhe_rsa_aes_256_cbc_sha256 Specifies the cipher suite that...

Page 2457: ...orithm SHA256 rsa_des_cbc_sha Specifies the cipher suite that uses key exchange algorithm RSA data encryption algorithm DES_CBC and MAC algorithm SHA rsa_rc4_128_md5 Specifies the cipher suite that us...

Page 2458: ...SSL client authentication The SSL server requires an SSL client to submit its digital certificate for identity authentication The SSL client can access the SSL server only after it passes identity aut...

Page 2459: ...licy1 undo client verify Related commands display ssl server policy display ssl client policy Use display ssl client policy to display SSL client policy information Syntax display ssl client policy po...

Page 2460: ...er policies Examples Display information about the SSL server policy policy1 Sysname display ssl server policy policy1 SSL server policy policy1 PKI domain server domain Ciphersuites DHE_RSA_AES_128_C...

Page 2461: ...ient policy the SSL client that uses the SSL client policy will obtain its digital certificate through the specified PKI domain Examples Specify PKI domain client domain for SSL client policy policy1...

Page 2462: ...e_ecdsa_aes_128_cbc_sha256 ecdhe_ecdsa_aes_128_gcm_sha256 ecdhe_ecdsa_aes_256_cbc_sha384 ecdhe_ecdsa_aes_256_gcm_sha384 ecdhe_rsa_aes_128_cbc_sha256 ecdhe_rsa_aes_128_gcm_sha256 ecdhe_rsa_aes_256_cbc_...

Page 2463: ...CM and MAC algorithm SHA384 ecdhe_rsa_aes_128_cbc_sha256 Specifies the cipher suite that uses key exchange algorithm ECDHE RSA data encryption algorithm 128 bit AES_CBC and MAC algorithm SHA256 ecdhe_...

Page 2464: ...rity Commonly used MAC algorithms include MD5 and SHA When using a MAC algorithm the SSL server and the SSL client must use the same key Key exchange algorithms Implement secure exchange of the keys u...

Page 2465: ...lient policy policy1 server verify enable Related commands display ssl client policy session Use session to set the maximum number of sessions that the SSL server can cache and the timeout time for ca...

Page 2466: ...policy policy name undo ssl client policy policy name Default No SSL client policies exist Views System view Predefined user roles network admin Parameters policy name Specifies an SSL client policy...

Page 2467: ...n renegotiation Sysname system view Sysname ssl renegotiation disable ssl server policy Use ssl server policy to create an SSL server policy and enter its view or enter the view of an existing SSL ser...

Page 2468: ...n tls1 0 tls1 1 disable Default In non FIPS mode The SSL server supports SSL 3 0 TLS 1 0 TLS 1 1 and TLS 1 2 In FIPS mode The SSL server supports TLS 1 0 TLS 1 1 and TLS 1 2 Views System view Predefin...

Page 2469: ...iews SSL client policy view Predefined user roles network admin Parameters ssl3 0 Specifies SSL 3 0 tls1 0 Specifies TLS 1 0 tls1 1 Specifies TLS 1 1 tls1 2 Specifies TLS 1 2 Usage guidelines To ensur...

Page 2470: ...i Contents Attack detection and prevention commands 1 attack defense login reauthentication delay 1 attack defense tcp fragment enable 1...

Page 2471: ...eriod in the range of 4 to 60 seconds Usage guidelines The login delay feature delays the device to accept a login request from a user after the user fails a login attempt This feature can slow down l...

Page 2472: ...fragments First fragments in which the TCP header is smaller than 20 bytes Non first fragments with a fragment offset of 8 bytes FO 1 TCP fragment attack prevention takes precedence over single packet...

Page 2473: ...i Contents TCP attack prevention commands 1 tcp anti naptha enable 1 tcp check state interval 1 tcp state 2...

Page 2474: ...tate exceeds the limit the device will accelerate the aging of the TCP connections in that state The check interval is set by the tcp check state interval command The TCP connection limits are set by...

Page 2475: ...em view Sysname tcp check state interval 40 Related commands tcp anti naptha enable tcp state tcp state Use tcp state to set the maximum number of TCP connections in a state Use undo tcp state to rest...

Page 2476: ...This command takes effect after you enable Naptha attack prevention If the number of TCP connections in a state exceeds the limit the device will accelerate the aging of the TCP connections in the sta...

Page 2477: ...urce excluded 2 display ipv6 source binding 3 display ipv6 source binding pd 5 ip source binding interface view 6 ip source binding system view 7 ip verify source 8 ip verify source exclude 9 ipv6 sou...

Page 2478: ...relay agent dhcp server Specifies IPv4SG bindings generated based on DHCP server dhcp snooping Specifies IPv4SG bindings generated based on DHCP snooping dot1x Specifies IPv4SG bindings generated base...

Page 2479: ...filtering in IPSG or used by other modules to provide security services ARP snooping vlan Dynamically generated based on ARP snooping for the VLAN The binding is for packet filtering in IPSG 802 1X Dy...

Page 2480: ...through VLAN 10 that have been configured to be excluded from IPSG filtering Sysname display ip verify source excluded vlan 3 Slot VLAN ID 3 Status Active Sysname display ip verify source excluded vl...

Page 2481: ...in H H H format vlan vlan id Specifies a VLAN ID in the range of 1 to 4094 interface interface type interface number Specifies an interface by its type and number slot slot number Specifies an IRF mem...

Page 2482: ...binding pd vpn instance vpn instance name prefix prefix prefix length mac address mac address vlan vlan id interface interface type interface number slot slot number Views Any views Predefined user r...

Page 2483: ...ce Interface to which the IPv6SG prefix binding belongs This field displays N A for a global IPv6SG prefix binding or an IPv6SG prefix binding generated based on an ND RA prefix entry VLAN VLAN inform...

Page 2484: ...ndings on an interface implement the following functions Filter incoming IPv4 packets on the interface Check user validity by cooperating with the ARP attack detection feature Examples Configure a sta...

Page 2485: ...ip verify source Use ip verify source to enable IPv4SG on an interface Use undo ip verify source to disable IPv4SG on an interface Syntax ip verify source ip address ip address mac address mac addres...

Page 2486: ...s display ip source binding ip verify source exclude Use ip verify source exclude to exclude IPv4 packets with the specified source items from IPSG filtering Use undo ip verify source exclude to remov...

Page 2487: ...s ipv6 address mac address mac address mac address mac address vlan vlan id Default No static IPv6SG bindings exist on an interface Views Layer 2 Ethernet interface view Layer 3 aggregate subinterface...

Page 2488: ...ings exist Views System view Predefined user roles network admin Parameters ipv6 address ipv6 address Specifies the IPv6 address for the static binding The IPv6 address cannot be an all zero address a...

Page 2489: ...indings to match incoming packets on the interface Packets that match an IPv6SG binding are forwarded and packets that do not match any IPv6SG binding are discarded The matching criterion specified by...

Page 2490: ...ce mac 10 ARP packet source MAC consistency check commands 11 arp valid check enable 11 ARP active acknowledgement commands 12 arp active ack enable 12 Authorized ARP commands 12 arp authorized enable...

Page 2491: ...figure this command on the gateways Examples Enable ARP blackhole routing Sysname system view Sysname arp resolving route enable Related commands arp resolving route probe count arp resolving route pr...

Page 2492: ...nterval to restore the default Syntax arp resolving route probe interval interval undo arp resolving route probe interval Default The device probes ARP blackhole routes every 1 second Views System vie...

Page 2493: ...ssed per source IP address within 5 seconds Use undo arp source suppression limit to restore the default Syntax arp source suppression limit limit value undo arp source suppression limit Default The d...

Page 2494: ...splay arp source suppression ARP source suppression is enabled Current suppression limit 100 Table 1 Command output Field Description Current suppression limit Maximum number of unresolvable packets t...

Page 2495: ...disable logging for ARP packet rate limit Syntax arp rate limit log enable undo arp rate limit log enable Default Logging for ARP packet rate limit is disabled Views System view Predefined user roles...

Page 2496: ...imit Examples Set the device to send notifications and log messages every 120 seconds when the rate of ARP packets received on an interface exceeds the limit Sysname system view Sysname arp rate limit...

Page 2497: ...ndo arp source mac filter monitor Default The source MAC based ARP attack detection feature is disabled Views System view Predefined user roles network admin Parameters filter Specifies the filter han...

Page 2498: ...Views System view Predefined user roles network admin Parameters time Sets the aging time for ARP attack entries in the range of 60 to 6000 seconds Examples Set the aging time for ARP attack entries...

Page 2499: ...o disable logging for source MAC based ARP attack detection Syntax arp source mac log enable undo arp source mac log enable Default Logging for source MAC based ARP attack detection is disabled Views...

Page 2500: ...erface interface type interface number slot slot number slot slot number Views Any view Predefined user roles network admin network operator Parameters interface interface type interface number Specif...

Page 2501: ...ce Interface on which the attack was detected Aging time sec Aging time for the ARP attack entry in seconds ARP packet source MAC consistency check commands arp valid check enable Use arp valid check...

Page 2502: ...ive acknowledgement Usage guidelines Configure this feature on gateways to prevent user spoofing In strict mode a gateway learns an entry only when ARP active acknowledgement is successful based on th...

Page 2503: ...efault ARP attack detection is disabled Views VLAN view Predefined user roles network admin Examples Enable ARP attack detection for VLAN 2 Sysname system view Sysname vlan 2 Sysname vlan2 arp detecti...

Page 2504: ...etwork Management and Monitoring Configuration Guide As a best practice disable this feature if the log generation affects the device performance Excessive number of logs not only affects the device p...

Page 2505: ...ns an ID to the user validity check rule The ID value range is 0 to 511 A smaller value represents a higher priority deny Denies matching ARP packets permit Permits matching ARP packets ip ip address...

Page 2506: ...onfigure an interface as an ARP trusted interface Use undo arp detection trust to restore the default Syntax arp detection trust undo arp detection trust Default An interface is an ARP untrusted inter...

Page 2507: ...entical the packet is forwarded Otherwise the packet is discarded Usage guidelines You can specify more than one object to be checked in one command line If no keyword is specified the undo arp detect...

Page 2508: ...is enabled in the following VLANs VLANs enabled with ARP attack detection If no VLANs are enabled with ARP attack detection this field displays ARP detection is not enabled in any VLANs Related comman...

Page 2509: ...ands arp detection enable display arp detection statistics packet drop Use display arp detection statistics packet drop to display statistics for packets dropped by ARP attack detection Syntax display...

Page 2510: ...invalid destination MAC address Inspect Number of ARP packets that failed to pass user validity check Related commands reset arp detection statistics packet drop reset arp detection statistics attack...

Page 2511: ...isplay arp detection statistics packet drop ARP scanning and fixed ARP commands arp fixup Use arp fixup to convert existing dynamic ARP entries to static ARP entries Use undo arp fixup to convert vali...

Page 2512: ...or the pps argument is 10 to 1000 and the value must be a multiple of 10 If you do not set the rate the device sends ARP requests to all IP addresses in the specified scanning range simultaneously Usa...

Page 2513: ...sname interface vlan interface 2 Sysname Vlan interface2 arp scan 1 1 1 1 to 1 1 1 20 send rate 10 ARP gateway protection commands arp filter source Use arp filter source to enable ARP gateway protect...

Page 2514: ...arameters ip address Specifies a permitted sender IP address mac address Specifies a permitted sender MAC address Usage guidelines If the sender IP and MAC addresses of an ARP packet match an ARP perm...

Page 2515: ...ipv6 nd detection trust 4 reset ipv6 nd detection statistics 4 RA guard commands 5 display ipv6 nd raguard policy 5 display ipv6 nd raguard statistics 6 if match acl 7 if match autoconfig managed addr...

Page 2516: ...then output log messages from different source modules to different destinations For more information about the information center see Network Management and Monitoring Configuration Guide As a best...

Page 2517: ...v6 nd detection statistics to display statistics for ND messages dropped by ND attack detection Syntax display ipv6 nd detection statistics interface interface type interface number Views Any view Pre...

Page 2518: ...ipv6 nd detection enable Default ND attack detection is disabled Views VLAN view Predefined user roles network admin Examples Enable ND attack detection for VLAN 10 Sysname system view Sysname vlan 10...

Page 2519: ...nable ipv6 nd detection trust Use ipv6 nd detection trust to configure an interface as an ND trusted interface Use undo ipv6 nd detection trust to restore the default Syntax ipv6 nd detection trust un...

Page 2520: ...icy by its name The policy name is a case sensitive string of 1 to 31 characters If you do not specify a policy this command displays the configuration of all RA guard policies Usage guidelines When y...

Page 2521: ...ue of the advertised O flag is 0 if match hop limit maximum The maximum advertised hop limit match criterion if match hop limit minimum The minimum advertised hop limit match criterion if match prefix...

Page 2522: ...ipv6 acl name undo if match acl Default No ACL match criterion exists Views RA guard policy view Predefined user roles network admin Parameters ipv6 acl number Specifies an IPv6 basic ACL by its numbe...

Page 2523: ...ch criterion exists Views RA guard policy view Predefined user roles network admin Parameters off Specifies the advertised M flag as 0 on Specifies the advertised M flag as 1 Usage guidelines The M fl...

Page 2524: ...O flag is set to 0 the host uses stateless autoconfiguration Examples Specify on as the M flag match criterion for RA guard policy policy1 Sysname system view Sysname ipv6 nd raguard policy policy1 S...

Page 2525: ...erion exists Views RA guard policy view Predefined user roles network admin Parameters ipv6 acl number Specifies an IPv6 basic ACL by its number in the range of 2000 to 2999 name ipv6 acl name Specifi...

Page 2526: ...n high low Sets the maximum router preference to low An RA message passes the check if its router preference is not higher than low medium Sets the maximum router preference to medium An RA message pa...

Page 2527: ...e VLAN tags RA guard uses the outermost VLAN tag to select the applied RA guard policy If the specified RA guard policy does not exist the command does not take effect Examples Apply RA guard policy p...

Page 2528: ...le the RA guard logging feature Sysname system view Sysname ipv6 nd raguard log enable Related commands display ipv6 nd raguard statistics reset ipv6 nd raguard statistics ipv6 nd raguard policy Use i...

Page 2529: ...to a router forwards all received RA messages Usage guidelines Make sure your setting is consistent with the device type If you are not aware of the attached device type do not specify a role for the...

Page 2530: ...15 Examples Clear RA guard statistics Sysname reset ipv6 nd raguard statistics Related commands display ipv6 nd raguard statistics...

Page 2531: ...i Contents SAVI commands 1 ipv6 savi down delay 1 ipv6 savi log enable 1 ipv6 savi strict 2...

Page 2532: ...he device waits before deleting the DHCPv6 snooping entries and ND snooping entries for a down port Examples Set the entry deletion delay to 100 seconds Sysname system view Sysname ipv6 savi down dela...

Page 2533: ...for filtering entries A log message contains the IPv6 address MAC address VLAN and interface of a filtering entry The device sends packet spoofing and filtering entry log messages to the information c...

Page 2534: ...3 Sysname ipv6 savi strict Related commands ipv6 verify source...

Page 2535: ...mmands 1 display mac forced forwarding interface 1 display mac forced forwarding vlan 1 mac forced forwarding 2 mac forced forwarding gateway probe 3 mac forced forwarding network port 3 mac forced fo...

Page 2536: ...arding interface Network Port GE1 0 1 GE1 0 2 User Port GE1 0 3 GE1 0 4 GE1 0 5 Table 1 Command output Field Description Network Port List of network ports User Port List of user ports Related command...

Page 2537: ...e MFF and specify the default gateway Use undo mac forced forwarding to disable MFF Syntax mac forced forwarding default gateway gateway ip undo mac forced forwarding Default MFF is disabled Views VLA...

Page 2538: ...be Default Periodic gateway probe is disabled Views VLAN view Predefined user roles network admin Usage guidelines Make sure you have enabled MFF before enabling periodic gateway probe The probe inter...

Page 2539: ...ancel the network port configuration of a link aggregation member port in a MFF enabled VLAN remove the network port from the link aggregation group first For more information about link aggregation s...

Page 2540: ...from the server to a host are not forwarded by the gateway However packets from a host to the server are forwarded by the gateway MFF does not check whether the IP address of a server is on the same...

Page 2541: ...i Contents Crypto engine commands 1 display crypto engine 1 display crypto engine statistics 1 reset crypto engine statistics 3...

Page 2542: ...256 sha2 384 sha2 512 md5 hmac sha1 hmac sha2 256 hmac sha2 384 hmac sha2 512 hmac aes xcbc aes xcbc hmac Asymmetric algorithms Random number generation function Supported Table 1 Command output Fiel...

Page 2543: ...to engine ID 0 Submitted sessions 0 Failed sessions 0 Symmetric operations 0 Symmetric errors 0 Asymmetric operations 0 Asymmetric errors 0 Get random operations 0 Get random errors 0 Table 2 Command...

Page 2544: ...gine id Specifies a crypto engine by its ID The switch supports only one software crypto engine and the engine ID can only be 0 slot slot number Specifies an IRF member device by its member ID Usage g...

Page 2545: ...i Contents FIPS commands 1 display crypto version 1 display fips status 1 fips mode enable 2 fips self test 4...

Page 2546: ...ples Display the version number of the current device algorithm base Sysname display crypto version 7 1 1 1 1 72 Table 1 Command output Field Description 7 1 1 1 1 72 Version number in the 7 1 X forma...

Page 2547: ...security requirements and performs self tests on cryptography modules to verify that they are operating correctly After you execute the fips mode enable command the system provides the following meth...

Page 2548: ...device by using the default non FIPS configuration file After the reboot you are directly logged into the device Manual reboot This method requires that you manually complete the configurations for en...

Page 2549: ...iews System view Predefined user roles network admin Usage guidelines CAUTION A successful self test requires that all cryptographic algorithms pass the self test If the self test fails the device whe...

Page 2550: ...verification passed Known answer test for ECDH passed Known answer test for random number generator x931 passed Known answer test for DRBG passed Known Answer tests in the user space passed Starting K...

Page 2551: ...ant 1 dot1x supplicant anonymous identify 2 dot1x supplicant eap method 3 dot1x supplicant enable 4 dot1x supplicant mac address 4 dot1x supplicant password 5 dot1x supplicant ssl client policy 6 dot1...

Page 2552: ...n about 802 1X clients on all interfaces Examples Display 802 1X authentication information about 802 1X clients on GigabitEthernet 1 0 1 Sysname display dot1x supplicant interface gigabitethernet 1 0...

Page 2553: ...X client anonymous identifier exists Views Ethernet interface view Predefined user roles network admin Parameters identifier Specifies an 802 1X client anonymous identifier a case sensitive string of...

Page 2554: ...on method Use undo dot1x supplicant eap method to restore the default Syntax dot1x supplicant eap method md5 peap gtc peap mschapv2 ttls gtc ttls mschapv2 undo dot1x supplicant eap method Default The...

Page 2555: ...uthenticator before you use this command Examples Enable the 802 1X client feature on a port Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 dot1x supplicant e...

Page 2556: ...MAC address as 0001 0001 0001 on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 dot1x supplicant mac address 1 1 1 dot1x supplicant pass...

Page 2557: ...ts Usage guidelines If the PEAP MSCHAPv2 PEAP GTC TTLS MSCHAPv2 or TTLS GTC authentication is used the 802 1X authentication process is as follows The first phase The device acts as an SSL client to n...

Page 2558: ...which the destination addresses are multicast MAC address 01 80 C2 00 00 03 unicast Specifies unicast mode for sending EAP Response and EAPOL Logoff packets Usage guidelines When the device acts as a...

Page 2559: ...domain name or username domain name If you want to use backslash as the domain name delimiter you must enter the escape character along with the backslash sign If a username string includes multiple c...

Page 2560: ...H3C IE4300 IE4300 M IE4320 Industrial Switch Series High Availability Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 20230116...

Page 2561: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 2562: ...close syntax choices keywords or arguments that are optional x y Braces enclose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set...

Page 2563: ...generic network device such as a router switch or firewall Represents a routing capable device such as a router or Layer 3 switch Represents a generic switch such as a Layer 2 or Layer 3 switch or a...

Page 2564: ...ardware model configuration or software version It is normal that the port numbers sample output screenshots and other information in the examples differ from what you have on your device Documentatio...

Page 2565: ...mbol period window 16 oam global errored frame threshold 16 oam global errored frame window 17 oam global errored frame period threshold 18 oam global errored frame period window 19 oam global errored...

Page 2566: ...plays Ethernet OAM connection information for all interfaces Examples Display Ethernet OAM connection information for all local interfaces Sysname display oam local GigabitEthernet1 0 1 Enable status...

Page 2567: ...The way in which the local end processes Ethernet OAMPDUs RX_INFO The interface receives only Information OAMPDUs and does not send any Ethernet OAMPDUs LF_INFO The interface sends only Information O...

Page 2568: ...DUs OAMPDU Total number of sent or received Ethernet OAMPDUs OAMInformation Number of sent or received Information OAMPDUs OAMEventNotification Number of sent or received Event notification OAMPDUs OA...

Page 2569: ...rectional Indicates whether unidirectional transmission is supported Remote loopback Indicates whether Ethernet OAM remote loopback is supported Link events Indicates whether Ethernet OAM link error e...

Page 2570: ...onfiguration Examples Display Ethernet OAM configuration globally and for interfaces that do not use the default configuration Sysname display oam configuration Global OAM timers Hello timer 1000 mill...

Page 2571: ...d symbol event Errored frame Errored frame event Errored frame period Errored frame period event Errored frame seconds Errored frame seconds event Window Detection window configured for link events Th...

Page 2572: ...ics for Ethernet OAM link error events for local or peer interfaces Syntax display oam link event local remote interface interface type interface number Views Any view Predefined user roles network ad...

Page 2573: ...s OAM local errored frame seconds summary event Event time stamp 50022 x 100 milliseconds Errored frame seconds window 600 x 100 milliseconds Errored frame seconds threshold 1 error seconds Errored fr...

Page 2574: ...al Total number of errored symbols Event running total Total number of errored symbol events that have occurred OAM local remote errored frame event Information about local remote end errored frame ev...

Page 2575: ...errored frame seconds Event running total Total number of errored frame seconds events that have occurred Related commands reset oam oam enable Use oam enable to enable Ethernet OAM Use undo oam enab...

Page 2576: ...Ethernet1 0 1 oam errored frame threshold 100 Related commands display oam configuration display oam link event oam global errored frame threshold oam errored frame window Use oam errored frame window...

Page 2577: ...value undo oam errored frame period threshold Default An interface uses the global setting Views Layer 2 Ethernet interface view Predefined user roles network admin Parameters threshold value Specifie...

Page 2578: ...ew takes effect only on the specified interface For an interface the configuration in interface view takes precedence Examples Set the errored frame period event detection window to 20000000 on Gigabi...

Page 2579: ...o 100 on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 oam errored frame seconds threshold 100 Related commands display oam configurati...

Page 2580: ...frame seconds period oam errored symbol period threshold Use oam errored symbol period threshold to set the errored symbol event triggering threshold Use undo oam errored symbol period threshold to r...

Page 2581: ...ctual value is the value of this argument multiplied by 1000000 Usage guidelines The configuration in interface view takes effect only on the specified interface For an interface the configuration in...

Page 2582: ...stem view Sysname oam global errored frame threshold 100 Related commands display oam configuration display oam link event oam errored frame threshold oam global errored frame window Use oam global er...

Page 2583: ...reshold to restore the default Syntax oam global errored frame period threshold threshold value undo oam global errored frame period threshold Default The errored frame period event triggering thresho...

Page 2584: ...guidelines The configuration in system view takes effect on all interfaces but has a lower precedence than the configuration in interface view Examples Set the errored frame period event detection win...

Page 2585: ...event oam errored frame seconds threshold oam global errored frame seconds window oam global errored frame seconds window Use oam global errored frame seconds window to set the global errored frame s...

Page 2586: ...bal errored symbol period threshold to restore the default Syntax oam global errored symbol period threshold threshold value undo oam global errored symbol period threshold Default The global errored...

Page 2587: ...be a multiple of 1000000 Usage guidelines The configuration in system view takes effect on all interfaces but has a lower precedence than the configuration in interface view Examples Set the errored...

Page 2588: ...view Sysname oam global timer hello 600 Related commands display oam configuration oam timer hello oam global timer keepalive Use oam global timer keepalive to configure the global Ethernet OAM conne...

Page 2589: ...nabled Ethernet interface operates in active Ethernet OAM mode Views Layer 2 Ethernet interface view Predefined user roles network admin Parameters active Specifies the active Ethernet OAM mode passiv...

Page 2590: ...nt Specifies a critical event dying gasp Specifies a fatal event link fault Specifies a link fault event error link down Terminates the OAM connection and sets the link state of the interface to down...

Page 2591: ...net1 0 1 oam enable Sysname GigabitEthernet1 0 1 oam remote loopback start Related commands oam enable oam mode oam remote loopback interface oam remote loopback interface Use oam remote loopback star...

Page 2592: ...st to configure an interface to reject the Ethernet OAM remote loopback request from a remote interface Use undo oam remote loopback reject request to restore the default Syntax oam remote loopback re...

Page 2593: ...ion timeout timer to be at least five times the handshake packet transmission interval The configuration in interface view takes effect only on the specified interface For an interface the configurati...

Page 2594: ...OAM connection timeout timer to 6000 milliseconds on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 oam timer keepalive 6000 Related co...

Page 2595: ...auto detection 11 cfd loopback 12 cfd md 13 cfd mep 14 cfd meplist 15 cfd mip rule 16 cfd service instance 17 cfd slm 18 cfd tst 19 display cfd ais 20 display cfd ais track link status 22 display cfd...

Page 2596: ...cfd ais level cfd ais period cfd ais level Use cfd ais level to configure the AIS frame transmission level Use undo cfd ais level to remove the AIS frame transmission level Syntax cfd ais level level...

Page 2597: ...d to configure the AIS frame transmission period Use undo cfd ais period to remove the AIS frame transmission period Syntax cfd ais period period value service instance instance id undo cfd ais period...

Page 2598: ...k link status global Related commands cfd ais track link status level cfd ais track link status period cfd ais track link status vlan cfd ais track link status level Use cfd ais track link status leve...

Page 2599: ...link status period Use cfd ais track link status period to configure the EAIS frame transmission period Use undo cfd ais track link status period to restore the default Syntax cfd ais track link statu...

Page 2600: ...terface view Layer 2 aggregate interface view Predefined user roles network admin Parameters vlan vlan list Specifies the VLANs where the EAIS frames can be transmitted The vlan list argument specifie...

Page 2601: ...ameters service instance instance id Specifies a service instance by its ID in the range of 1 to 32767 mep mep id Specifies a MEP by its ID in the range of 1 to 8191 Usage guidelines Follow these guid...

Page 2602: ...is 1 to 7 If you set the value to 1 or 2 the continuity check might work incorrectly due to hardware restrictions service instance instance id Specifies a service instance by its ID in the range of 1...

Page 2603: ...range for the number argument is 2 to 10 and the default is 5 Usage guidelines The one way DM function measures the one way frame delay between the source and target MEPs by using 1DM frames To view t...

Page 2604: ...The default value is 1 Usage guidelines The two way DM function measures the two way frame delay between the source and target MEPs by using DMM frames and DMR frames Examples Enable the two way DM f...

Page 2605: ...twork admin Parameters service instance instance id Specifies a service instance by its ID in the range of 1 to 32767 mep mep id Specifies the source MEP by its ID in the range of 1 to 8191 target mac...

Page 2606: ...n IEEE 802 1ag of CFD is used Hit The current device is the destination device FDB The forwarding device found the destination MAC address MPDB The destination MAC address is not found or the destinat...

Page 2607: ...number number Views Any view Predefined user roles network admin Parameters service instance instance id Specifies a service instance by its ID in the range of 1 to 32767 mep mep id Specifies the sou...

Page 2608: ...from the MP with the MAC address 0010 FC00 6512 sequence number Sequence number in the LBR messages Time 5ms The interval between the sending of LBMs and receiving of LBRs is 5 milliseconds Sent Numbe...

Page 2609: ...y the MEP Usage guidelines An MD name must be in compliant with the specifications in IEEE802 1ag 2007 You can create only one MD with a specific level MD cannot be created if you enter an invalid MD...

Page 2610: ...p take effect only on the current member port If the MEP belongs to an MA that carries the VLAN attribute configurations on a member port of an aggregation group take effect only when the member port...

Page 2611: ...5 ma id vlan based md test_md vlan 100 Sysname cfd meplist 9 to 15 service instance 5 Related commands cfd md cfd service instance cfd mip rule Use cfd mip rule to configure the rules for generating...

Page 2612: ...ma name argument is a string of 1 to 13 characters integer ma num Specifies that an MA is identified by an integer where the ma num argument is in the range of 0 to 65535 string ma name Specifies that...

Page 2613: ...tribute You must create the relevant MD before creating a service instance with the MD name Deleting a service instance also deletes the configurations related to that service instance Deleting a serv...

Page 2614: ...Reply from 0010 fc00 6512 Far end frame loss 10 Near end frame loss 20 Reply from 0010 fc00 6512 Far end frame loss 40 Near end frame loss 40 Reply from 0010 fc00 6512 Far end frame loss 0 Near end f...

Page 2615: ...TST frame The value range for the length argument is 4 to 1400 in bytes The default value is 64 pattern of test all zero prbs with crc Specifies the pattern of the Test TLV in the TST frame all zero...

Page 2616: ...isplay cfd ais Service instance 5 AIS level 4 AIS period 1s MEP ID 1 AIS condition yes Time to enter the condition 2013 01 22 10 43 57 AIS state machine Previous state NO_RECEIVE Current state RECEIVE...

Page 2617: ...es are received display cfd ais track link status Use display cfd ais track link status to display the configuration and information of the AIS associated with the port status Syntax display cfd ais t...

Page 2618: ...here the EAIS frames can be transmitted AIS condition EAIS frame sending status yes EAIS frames are being sent no No EAIS frame is being sent Time to enter the condition Time when the EAIS frame sendi...

Page 2619: ...3ms Service instance 2 No MEP exists in the service instance Service instance 3 MEP ID 1023 Sent 1DM total number 5 Received 1DM total number 10 Frame delay 20ms 9ms 8ms 7ms 1ms 5ms 13ms 17ms 9ms 10ms...

Page 2620: ...LTR information for all MEPs Usage guidelines This command displays only information about LTRs received by execution of the cfd linktrace command Examples Display the LTR information saved on all the...

Page 2621: ...redefined user roles network admin network operator Parameters size size value Specifies the times of recent auto detections in the range of 1 to 100 If you do not specify this option the command disp...

Page 2622: ...ard version IEEE 802 1ag of CFD is used Hit The current device is the destination device FDB The forwarding device found the destination MAC address MPDB The destination MAC address is not found or th...

Page 2623: ...ttribute and operating information for a MEP Syntax display cfd mep mep id service instance instance id Views Any view Predefined user roles network admin network operator Parameters mep mep id Specif...

Page 2624: ...n mdtest1 Maintenance association matest1 MEP ID 6 Sequence Number 0x63A MAC Address 0011 2233 4401 Received Time 2013 03 06 13 01 34 Some other MEPs are transmitting the RDI bit Table 12 Command outp...

Page 2625: ...ceiveOutOrderLBR Number of LBRs received out of order Linktrace Information related to linktrace NextSeqNumber Sequence number of the next LTM to be sent SendLTR Number of LTRs sent If the MEP is inwa...

Page 2626: ...id Views Any view Predefined user roles network admin network operator Parameters service instance instance id Specifies a service instance by its ID in the range of 1 to 32767 If you do not specify t...

Page 2627: ...in index 2 Maintenance association ma_1 Maintenance association index 2 MEP ID 100 Level 0 Service instance 100 Direction Outbound Maintenance domain md_0 Maintenance domain index 1 Maintenance associ...

Page 2628: ...the remote MEP device If this field is not supported a hyphen is displayed State Running state of the remote MEP OK FAILED Time Time when the remote MEP entered the FAILED or OK state for the last tim...

Page 2629: ...tEthernet1 0 1 Service instance 6 Maintenance domain Without ID Maintenance domain index 6 Maintenance association ma_6 Maintenance association index 6 Level 6 VLAN 6 MIP rule NONE CCM interval 1s Dir...

Page 2630: ...display cfd tst to display the TST result Syntax display cfd tst service instance instance id mep mep id Views Any view Predefined user roles network admin network operator Parameters service instance...

Page 2631: ...e 3 MEP ID 1023 Sent TST total number 5 Received TST total number 0 Table 16 Command output Field Description Service instance Service instance of the MEP Sent TST total number Number of sent TST fram...

Page 2632: ...mmands cfd dm one way display cfd dm one way history reset cfd tst Use reset cfd tst to clear the TST result Syntax reset cfd tst service instance instance id mep mep id Views User view Predefined use...

Page 2633: ...lay dldp statistics 3 dldp authentication mode 4 dldp authentication password 5 dldp delaydown timer 6 dldp enable 6 dldp global enable 7 dldp interval 8 dldp port unidirectional shutdown 8 dldp unidi...

Page 2634: ...interval 5s DLDP authentication mode Simple DLDP authentication password DLDP unidirectional shutdown mode Auto DLDP delaydown timer value 1s Number of enabled ports 2 Interface GigabitEthernet1 0 1...

Page 2635: ...ectional links are detected DLDP port unidirectional shutdown mode Port shutdown mode for the interface auto manual or hybrid after unidirectional links are detected If no port shutdown mode is config...

Page 2636: ...nterface number Specifies an interface by its type and number If you do not specify this option the command displays DLDP packet statistics for all interfaces Examples Display DLDP packet statistics f...

Page 2637: ...tion mode is none Views System view Predefined user roles network admin Parameters md5 Specifies the MD5 authentication mode none Specifies not to perform authentication simple Specifies the plaintext...

Page 2638: ...n encrypted form string Specifies the password Its plaintext form is a case sensitive string of 1 to 16 characters Its encrypted form is a case sensitive string of 1 to 53 characters Usage guidelines...

Page 2639: ...e range of 1 to 5 seconds Usage guidelines The DelayDown timer configured by using this command applies to all DLDP enabled ports Examples Set the DelayDown timer to 2 seconds Sysname system view Sysn...

Page 2640: ...e expires DLDP blocks the port Examples Enable DLDP globally and enable DLDP on GigabitEthernet 1 0 1 and set a delay time of 100 seconds for DLDP to block the port upon an Initial to Unidirectional s...

Page 2641: ...nes This command applies to all DLDP enabled ports To enable DLDP to operate correctly make sure the intervals for sending Advertisement packets configured on the two ends of a link are the same Examp...

Page 2642: ...tdown command to bring up the port If the link becomes bidirectional the port becomes bidirectional Usage guidelines If DLDP detects a unidirectional link you must troubleshoot the interface and cabli...

Page 2643: ...omes bidirectional Usage guidelines If DLDP detects a unidirectional link you must troubleshoot the interface and cabling faults The global port shutdown mode setting takes effect on all interfaces an...

Page 2644: ...isplay rrpp ring group 3 display rrpp statistics 4 display rrpp verbose 7 domain ring 9 linkup delay timer 10 protected vlan 11 reset rrpp statistics 12 ring 12 ring enable 14 rrpp domain 15 rrpp enab...

Page 2645: ...he secondary control VLAN ID For the control VLAN configuration to succeed make sure the IDs of the two control VLANs are consecutive and have not been assigned yet Do not configure the default VLAN o...

Page 2646: ...port status 1 1 M GE1 0 1 GE1 0 2 Yes Domain ID 2 Control VLAN Primary 10 Secondary 11 Protected VLAN Reference instance 0 to 2 4 Hello timer 1 sec Fail timer 3 sec Linkup Delay timer 1 sec Ring Ring...

Page 2647: ...occurs The port is not configured on the ring The port is a member of a link aggregation group Secondary Edge port This field displays secondary ports when the node mode is master node or transit node...

Page 2648: ...ing 1 in RRPP domain 1 display rrpp statistics Use display rrpp statistics to display RRPPDU statistics Syntax display rrpp statistics domain domain id ring ring id Views Any view Predefined user role...

Page 2649: ...16879 Ring ID 2 Ring level 1 Node mode Edge Active status No Common port GE1 0 3 Direct Hello Link Common Complete Edge Major Total down flush FDB flush FDB hello fault Out 0 0 0 0 0 0 0 In 0 0 0 0 0...

Page 2650: ...r of a link aggregation group Edge port The edge port field means the node mode is edge node or assistant edge node A hyphen appears when one of the following cases occurs The port is not configured o...

Page 2651: ...domain Examples Display detailed information for all rings in RRPP domain 2 Sysname display rrpp verbose domain 2 Domain ID 2 Control VLAN Primary 10 Secondary 11 Protected VLAN Reference instance 3...

Page 2652: ...nknown The RRPP domain is disabled Possible states on a transit node or edge node LinkUp All ports on the node are up LinkDown At least one port on the node is down PreForward A port on the node is bl...

Page 2653: ...rs when one of the following cases occurs The port is not configured on the ring The port is a member of a link aggregation group Edge port The edge port field means the node mode is edge node or assi...

Page 2654: ...de first and then on the assistant edge node When you deactivate rings in a ring group deactivate them on the assistant edge node first and then on the edge node If you do not follow these guidelines...

Page 2655: ...tected vlan Use protected vlan to configure the protected VLANs for an RRPP domain Use undo protected vlan to remove the protected VLANs from an RRPP domain Syntax protected vlan reference instance in...

Page 2656: ...iguration Layer 2 LAN Switching Command Reference rrpp domain reset rrpp statistics Use reset rrpp statistics to clear RRPPDU statistics Syntax reset rrpp statistics domain domain id ring ring id View...

Page 2657: ...he edge port for the node Usage guidelines The ID of an RRPP ring in a domain must be unique When an RRPP ring is activated you cannot configure its RRPP ports When you configure the edge node and the...

Page 2658: ...0 1 secondary port gigabitethernet 1 0 2 level 0 Sysname rrpp domain1 ring 20 node mode edge edge port gigabitethernet 1 0 3 Related commands ring enable ring enable Use ring enable to enable an RRPP...

Page 2659: ...RRPP domains exist Views System view Predefined user roles network admin Parameters domain id Specifies an RRPP domain by its ID in the range of 1 to 128 Usage guidelines When you delete an RRPP doma...

Page 2660: ...tax rrpp ring group ring group id undo rrpp ring group ring group id Default No RRPP ring groups exist Views System view Predefined user roles network admin Parameters ring group id Specifies an RRPP...

Page 2661: ...ates notifications when multiple master nodes are configured for the RRPP ring ring fail Generates notifications when the state of the RRPP ring changes from Health to Disconnect ring recover Generate...

Page 2662: ...r roles network admin Parameters hello timer hello value Specifies the Hello timer in the range of 1 to 10 seconds fail timer fail value Specifies the Fail timer in the range of 3 to 30 seconds Usage...

Page 2663: ...nable 7 erps ring 8 erps switch 8 erps tcn propagation 9 instance 10 instance enable 10 node role 11 port erps track 12 port0 12 port1 13 protected vlan 14 r aps level 15 r aps ring mac 15 reset erps...

Page 2664: ...ecifies the control VLAN by its ID in the range of 2 to 4094 Usage guidelines The control VLAN must be a VLAN that has not been created on the device Examples Configure VLAN 100 as the control VLAN fo...

Page 2665: ...abled Globally enabled Disabled Globally disabled Ring ERPS ring ID Instance ERPS instance ID NodeRole Node type Owner Neighbor Interconnection Normal NodeState Node state Idle The ERPS ring enters th...

Page 2666: ...d Views Any view Predefined user roles network admin network operator Parameters ring ring id Specifies an ERPS ring by its ID in the range of 1 to 255 instance instance id Specifies an ERPS instance...

Page 2667: ...r Node state Idle Connect ring instance 1 2 2 3 Control VLAN 100 Protected VLAN Reference instance 0 to 2 Guard timer 500 ms Hold off timer 1 sec WTR timer 5 min Revertive operation Non revertive Enab...

Page 2668: ...anual switching mode FS Forced switching mode Pending Transient mode between any two states ERPS is disabled for the ERPS instance or disabled globally Connect ring instance Ring or instance associate...

Page 2669: ...Parameters ring ring id Specifies an ERPS ring by its ID in the range of 1 to 255 instance instance id Specifies an ERPS instance by its ID in the range of 1 to 64 If you do not specify this option th...

Page 2670: ...ring id Specifies an ERPS ring by its ID in the range of 1 to 255 instance instance id Specifies an ERPS instance by its ID in the range of 1 to 64 Usage guidelines After you configure this command th...

Page 2671: ...erps ring ring id Default No ERPS rings exist Views System view Predefined user roles network admin Parameters ring ring id Specifies an ERPS ring by its ID in the range of 1 to 255 Usage guideline T...

Page 2672: ...ching mode for port 1 of instance 1 on ERPS ring 1 Sysname system view Sysname erps switch force ring 1 instance 1 port0 erps tcn propagation Use erps tcn propagation to enable flush packet transparen...

Page 2673: ...You can create multiple instances for an ERPS ring Each instance has its own protected VLAN control VLAN and RPL owner Each instance maintains its own state machine and data You can locate an ERPS in...

Page 2674: ...de role owner neighbor rpl interconnection port0 port1 undo node role Default An ERPS node is a normal node Views ERPS instance view Predefined user roles network admin Parameters owner Configures the...

Page 2675: ...ack entry by its ID in the range of 1 to 1024 For more information about specifying the track entry ID see the track cfd command in Track commands Usage guidelines An ERPS ring member port collaborate...

Page 2676: ...rnet interface or a Layer 2 aggregate interface by its type and number Examples Specify GigabitEthernet 1 0 1 as the first member port for ERPS ring 1 Sysname system view Sysname erps ring 1 Sysname e...

Page 2677: ...e id list Specifies a space separated list of up to 10 MSTI items Each item specifies an MSTI or a range of MSTIs in the form of instance id1 to instance id2 The value for instance id2 must be greater...

Page 2678: ...xamples Configure the R APS packet level as 1 for instance 1 of ERPS ring 1 Sysname system view Sysname erps ring 1 Sysname erps ring1 instance 1 Sysname erps ring1 inst1 r aps level 1 r aps ring mac...

Page 2679: ...RPS ring Examples Clear packet statistics for instance 1 of ERPS ring 1 Sysname reset erps statistics ring 1 instance 1 Related commands display erps statistics revertive operation Use revertive opera...

Page 2680: ...ring 1 as a subring Sysname system view Sysname erps ring 1 Sysname erps ring1 ring type sub ring sub ring connect Use sub ring connect to associate the subring with an ERPS ring Use undo sub ring co...

Page 2681: ...efault The guard timer is 500 milliseconds for an ERPS instance Views ERPS instance view Predefined user roles network admin Parameters guard value Specifies the guard timer in the range of 0 to 2000...

Page 2682: ...report time and might impact the link recovery performance Examples Set the hold off timer to 300 milliseconds for instance 1 of ERPS ring 1 Sysname system view Sysname erps ring 1 Sysname erps ring1...

Page 2683: ...20 Examples Set the WTR timer to 3 minutes for instance 1 of ERPS ring 1 Sysname system view Sysname erps ring 1 Sysname erps ring1 instance 1 Sysname erps ring1 inst1 timer wtr 3...

Page 2684: ...link flush 1 display smart link group 1 flush enable 2 port 3 port smart link group 4 port smart link group track 5 preemption delay 7 preemption mode 7 protected vlan 8 reset smart link statistics 9...

Page 2685: ...e200 8500 Control VLAN of the last flush packet 1 Table 1 Command output Field Description Received flush packets Total number of received flush messages Receiving interface of the last flush packet P...

Page 2686: ...Field Description Preemption mode Preemption mode None Preemption disabled Role Role preemption mode Speed Speed preemption mode Preemption delay Preemption delay time in seconds Control VLAN Control...

Page 2687: ...nd assign the smart link group member ports to the control VLAN The control VLAN of a smart link group must also be one of its protected VLANs Do not remove the control VLAN Otherwise flush messages c...

Page 2688: ...p member configuration takes effect after the port leaves the aggregation group You can also assign a port to a smart link group by using the port smart link group command in interface view Examples C...

Page 2689: ...k group view Examples Configure GigabitEthernet 1 0 1 as the primary port of smart link group 1 Sysname system view Sysname smart link group 1 Sysname smlk group1 protected vlan reference instance 0 S...

Page 2690: ...t of smart link group 1 and the CC function of CFD through track entry 1 to detect the link status Sysname system view Sysname track 1 cfd cc service instance 100 mep 2 Sysname smart link group 1 Sysn...

Page 2691: ...th the switchover of upstream devices The preemption delay configuration takes effect only after a preemption mode is configured Examples Enable role preemption and set the preemption delay to 10 seco...

Page 2692: ...port speed If you do not specify the threshold threshold value option the primary port transitions to forwarding state when the primary port speed exceeds the secondary port speed Examples Configure...

Page 2693: ...rotected vlan command removes configuration of VLANs mapped to the specified MSTIs If you do not specify the reference instance instance id list option the command removes configuration of all protect...

Page 2694: ...s network admin Parameters control vlan vlan id list Specifies a space separated list of up to 10 control VLAN items Each item specifies a control VLAN ID or a range of control VLAN IDs in the form of...

Page 2695: ...group id undo smart link group group id Default No smart link groups exist Views System view Predefined user roles network admin Parameters group id Specifies a smart link group ID The value range for...

Page 2696: ...i Contents Monitor Link commands 1 display monitor link group 1 downlink up delay 2 monitor link disable 3 monitor link group 3 port 4 port monitor link group 5 uplink up port threshold 6...

Page 2697: ...ies all monitor link groups Usage guidelines This command does not display information about ports that belong to a link aggregation group Examples Display information about all monitor link groups Sy...

Page 2698: ...r interface is shut down by Monitor Link UP downlink up delay Use downlink up delay to set the switchover delay for the downlink interfaces in a monitor link group Use undo downlink up delay to restor...

Page 2699: ...monitor link groups can operate only after you enable Monitor Link globally When you disable Monitor Link globally all monitor link groups cannot operate and the downlink interfaces brought down by t...

Page 2700: ...an interface by its number downlink Specifies a downlink interface uplink Specifies an uplink interface Usage guidelines You can assign an interface to only one monitor link group You can also assign...

Page 2701: ...rface uplink Specifies an uplink interface Usage guidelines You can assign an interface to only one monitor link group You can also assign an interface to a monitor link group by using the port comman...

Page 2702: ...itchover in the range of 1 to 1024 Usage guidelines When the number of uplink interfaces in up state in a monitor link group is less than the specified threshold the monitor link group goes down and s...

Page 2703: ...t mode 22 vrrp vrid priority 23 vrrp vrid shutdown 24 vrrp vrid source interface 25 vrrp vrid timer advertise 26 vrrp vrid track 27 vrrp vrid vrrpv3 send packet 29 IPv6 VRRP commands 30 display vrrp i...

Page 2704: ...ot specify the verbose keyword the command displays brief IPv4 VRRP group information Usage guidelines If no interface or VRRP group is specified this command displays the states of all IPv4 VRRP grou...

Page 2705: ...rent priority of the router When a track entry is associated with a VRRP group on the router the router s priority changes when the track entry s status changes Adver Timer VRRP advertisement sending...

Page 2706: ...only after you configure the vrrp send gratuitous arp command Total number of virtual routers Total number of VRRP groups Interface Interface where the VRRP group is configured VRID Virtual router ID...

Page 2707: ...field is displayed only after you configure the vrrp vrid name command Follow Name Name of the master VRRP group that the VRRP group follows This field is displayed only after you configure the vrrp...

Page 2708: ...track entry is associated with a VRRP group on the router the router s priority changes when the track entry s status changes For a VF this field indicates the running priority of the VF When a track...

Page 2709: ...der Weight Track Information Track Object 1 State Positive Weight Reduced 250 Interface Vlan interface2 VRID 11 Adver Timer 100 Admin Status Up State Backup Config Pri 80 Running Pri 80 Preempt Mode Y...

Page 2710: ...t priority of the router When a track entry is associated with a VRRP group on the router the router s priority changes when the track entry s status changes Preempt Mode Preemptive mode Yes No Delay...

Page 2711: ...state Virtual MAC Virtual MAC address of the VF Owner ID Real MAC address of the VF owner Priority VF priority in the range of 1 to 255 Active IP address of the interface where the AVF resides If the...

Page 2712: ...d displays all master to subordinate IPv4 VRRP group bindings If you specify an interface but do not specify the virtual router ID of a master VRRP group this command displays all master to subordinat...

Page 2713: ...group belongs VRID Virtual router ID of the subordinate VRRP group Related commands vrrp vrid follow vrrp vrid name display vrrp statistics Use display vrrp statistics to display statistics for IPv4 V...

Page 2714: ...0 Global statistics CheckSum Errors 0 Version Errors 0 VRID Errors 0 Display statistics for all IPv4 VRRP groups when VRRP operates in load balancing mode Sysname display vrrp statistics Interface Vla...

Page 2715: ...Number of times that the router has been elected as the master Priority Zero Pkts Rcvd Number of received advertisements with the router priority of 0 Adver Rcvd Number of received advertisements Prio...

Page 2716: ...cvd Number of received requests Adver Sent Number of sent advertisements Request Sent Number of sent requests Reply Rcvd Number of received replies Release Rcvd Number of received release packets Repl...

Page 2717: ...VRRP group are specified this command clears statistics for the specified IPv4 VRRP group on the specified interface Examples Clear statistics for all IPv4 VRRP groups on all interfaces Sysname reset...

Page 2718: ...ttl enable undo vrrp check ttl enable Default TTL check for IPv4 VRRP packets is enabled Views Interface view Predefined user roles network admin Usage guidelines The master in an IPv4 VRRP group per...

Page 2719: ...ue to 30 for VRRP packets Sysname system view Sysname vrrp dscp 30 vrrp mode Use vrrp mode to specify the operating mode for IPv4 VRRP Use undo vrrp mode to restore the default Syntax vrrp mode load b...

Page 2720: ...rval interval undo vrrp send gratuitous arp Default Periodic sending of gratuitous ARP packets is disabled for IPv4 VRRP Views System view Predefined user roles network admin Parameters interval Speci...

Page 2721: ...2 indicates VRRPv2 described in RFC 3768 and 3 indicates VRRPv3 described in RFC 5798 Usage guidelines The version of VRRP on all routers in an IPv4 VRRP group must be the same Examples Specify VRRPv2...

Page 2722: ...rovided that other settings for example priority and preemption mode are available Such a VRRP group stays in inactive state and does not function The virtual IP address of an IPv4 VRRP group and the...

Page 2723: ...the following authentication modes simple Simple text authentication The sender fills an authentication key into the VRRP packet and the receiver compares the received authentication key with its loca...

Page 2724: ...d Specifies an IPv4 VRRP group by its virtual router ID The value range for the virtual router id argument is 1 to 255 name Specifies a master IPv4 VRRP group by its name a case sensitive string of 1...

Page 2725: ...d configures an IPv4 VRRP group as a master group by assigning a master group name to it A VRRP group that follows the master group is a subordinate VRRP group The master VRRP group exchanges VRRP pac...

Page 2726: ...nd backups In preemptive mode a backup sends VRRP advertisements when it detects that it has a higher priority than the master Then the backup takes over as the master and the previous master becomes...

Page 2727: ...priority is more likely to become the master Priorities 1 to 254 are configurable Priority 0 is reserved for special uses and priority 255 is for the IP address owner The IP address owner in a VRRP gr...

Page 2728: ...VRRP group resides to send and receive VRRP packets Use undo vrrp source interface to cancel the specified source interface Syntax vrrp vrid virtual router id source interface interface type interfac...

Page 2729: ...v3 the configured value for the adver interval argument takes effect Usage guidelines The master in an IPv4 VRRP group periodically sends VRRP advertisements to declare its presence You can use this c...

Page 2730: ...Enables the LVF on the router to take over the role of the AVF at the specified IP address immediately after the specified track entry changes to the Negative state The ip address argument specifies...

Page 2731: ...r ip ip address option The weight reduced weight reduced option The weight reduced keyword The weight of a VF is 255 and its lower limit of failure is 10 When the weight of a VF owner is higher than o...

Page 2732: ...he packet sending mode for IPv4 VRRPv3 takes effect only on outgoing VRRP packets A router configured with VRRPv3 can process incoming VRRPv2 and VRRPv3 packets If you set the packet sending mode for...

Page 2733: ...mation Usage guidelines If no interface or VRRP group is specified this command displays the states of all IPv6 VRRP groups If only an interface is specified this command displays the states of all IP...

Page 2734: ...ty changes when the track entry s status changes Adver Timer VRRP advertisement sending interval in centiseconds Auth Type Authentication type Only none is available which means no authentication is r...

Page 2735: ...Adver Timer VRRP advertisement sending interval in centiseconds Admin Status Administrative status Up or Down State State of the router in the VRRP group Master The router is the master in the VRRP g...

Page 2736: ...you configure the vrrp ipv6 vrid track command Track Object Track entry which is associated with the VRRP group State Track entry state Negative Positive NotReady Pri Reduced Value by which the prior...

Page 2737: ...e state of the track entry changes Address For a VRRP group this field indicates the virtual IP address of the VRRP group For a VF this field indicates the virtual MAC address of the VF Active For a V...

Page 2738: ...IP List FE80 3 Local Backup FE80 2 Master Master IP FE80 2 Forwarder Information 2 Forwarders 1 Active Config Weight 255 Running Weight 255 Forwarder 01 State Active Virtual MAC 000f e2ff 40b1 Learnt...

Page 2739: ...n is required Virtual IP Virtual IP address list of the VRRP group Member IP List IP addresses of the member devices in the VRRP group Local IP address of the local router Master IP address of the mas...

Page 2740: ...ly after you configure the vrrp ipv6 vrid track command State Track entry state Negative Positive NotReady Weight Reduced Value by which the weights of the VFs decrease when the state of the associate...

Page 2741: ...ecified master VRRP group on the specified interface Examples Display master to subordinate IPv6 VRRP group bindings Sysname display vrrp ipv6 binding IPv6 virtual router binding information Total num...

Page 2742: ...an interface by its type and number vrid virtual router id Specifies an IPv6 VRRP group by its virtual router ID The value range for the virtual router id argument is 1 to 255 Usage guidelines If no i...

Page 2743: ...Priority Zero Pkts Rcvd 1 Adver Sent 16373 Priority Zero Pkts Sent 49 Request Rcvd 2 Reply Rcvd 10 Request Sent 12 Reply Sent 2 Release Rcvd 0 VF Priority Zero Pkts Rcvd 1 Release Sent 0 VF Priority...

Page 2744: ...otal number of packets with version errors VRID Errors Total number of packets with VRID errors Table 14 Command output in load balancing mode Field Description Interface Interface where the VRRP grou...

Page 2745: ...router priority of 0 VF Priority Zero Pkts Sent Number of sent advertisements with the VF priority of 0 Packet Option Errors Number of packet option errors Global statistics Global statistics for all...

Page 2746: ...se vrrp ipv6 dscp to set a DSCP value for IPv6 VRRP packets Use undo vrrp ipv6 dscp to restore the default Syntax vrrp ipv6 dscp dscp value undo vrrp ipv6 dscp Default The DSCP value for IPv6 VRRP pac...

Page 2747: ...ysname system view Sysname vrrp ipv6 mode load balance Related commands display vrrp ipv6 vrrp ipv6 send nd Use vrrp ipv6 send nd to enable periodic sending of ND packets for IPv6 VRRP Use undo vrrp i...

Page 2748: ...up or to remove a virtual IPv6 address from an IPv6 VRRP group Syntax vrrp ipv6 vrid virtual router id virtual ip virtual address link local undo vrrp ipv6 vrid virtual router id virtual ip virtual ad...

Page 2749: ...nfigure an IPv6 VRRP group to follow a master group Use undo vrrp ipv6 vrid follow to remove the configuration Syntax vrrp ipv6 vrid virtual router id follow name undo vrrp ipv6 vrid virtual router id...

Page 2750: ...e virtual router id argument is 1 to 255 name Specifies a master IPv6 VRRP group name a case sensitive string of 1 to 20 characters Usage guidelines This command configures an IPv6 VRRP group as a mas...

Page 2751: ...e master as long as it operates correctly even if a backup is assigned a higher priority later The non preemptive mode helps avoid frequent switchover between the master and backups In preemptive mode...

Page 2752: ...role master or backup of each router in a VRRP group by priority A router with a higher priority is more likely to become the master Priorities 1 to 254 are configurable Priority 0 is reserved for spe...

Page 2753: ...s VRRP advertisements Use undo vrrp ipv6 vrid timer advertise to restore the default Syntax vrrp ipv6 vrid virtual router id timer advertise adver interval undo vrrp ipv6 vrid virtual router id timer...

Page 2754: ...an IPv6 VRRP group or the VFs in an IPv6 VRRP group with a track entry Use undo vrrp ipv6 vrid track to remove the association between an IPv6 VRRP group or the VFs in an IPv6 VRRP group and a track...

Page 2755: ...erface and assign a virtual IPv6 address to the IPv6 VRRP group You can create a track entry by using the track command before or after you associate it with an IPv6 VRRP group or the VFs in an IPv6 V...

Page 2756: ...es to Negative Sysname system view Sysname interface vlan interface 2 Sysname Vlan interface2 vrrp ipv6 vrid 1 track 1 forwarder switchover member ip 1 3 Associate the VFs of IPv6 VRRP group 1 on VLAN...

Page 2757: ...bfd echo source ip 7 bfd echo source ipv6 8 bfd min echo receive interval 9 bfd min receive interval 9 bfd min transmit interval 10 bfd multi hop authentication mode 11 bfd multi hop destination port...

Page 2758: ...eticulous MD5 algorithm hmac msha1 Specifies the HMAC Meticulous SHA1 algorithm hmac sha1 Specifies the HMAC SHA1 algorithm m md5 Specifies the Meticulous MD5 algorithm m sha1 Specifies the Meticulous...

Page 2759: ...r end is operating in Demand mode both ends stop sending BFD control packets When the connectivity to another system needs to be verified explicitly a system sends several BFD control packets with the...

Page 2760: ...to DOWN BFD This behavior helps applications relying on the link layer protocol state achieve fast convergence The source IP address of control packets is specified manually and the destination IP ad...

Page 2761: ...etect interface first fail timer seconds undo bfd detect interface first fail timer Default The first BFD session establishment failure is not reported to the data link layer Views Interface view Pred...

Page 2762: ...his keyword the device sets the BFD session state to Down but does not notify the session down event to the data link layer authentication change Immediately sets the session to down state upon a loca...

Page 2763: ...es the maximum number of concurrent BFD packets including control packets and echo packets that can be discarded Table 1 Actual detection interval calculation method Mode Actual detection interval of...

Page 2764: ...e same time To enable only the echo packet receiving capability use the bfd echo receive enable command To enable only the echo packet sending capability use the bfd echo send enable command If you do...

Page 2765: ...o source ip 8 8 8 8 bfd echo source ipv6 Use bfd echo source ipv6 to configure the source IPv6 address of BFD echo packets Use undo bfd echo source ipv6 to remove the configured source IPv6 address of...

Page 2766: ...takes 0 or is in the range of 100 to 1000 Usage guidelines This command sets the BFD echo packet receiving interval which is the actual BFD echo packet sending interval The local end stops sending ec...

Page 2767: ...tween the following values Minimum interval for transmitting BFD control packets on the peer end Minimum interval for receiving BFD control packets on the local end Examples Set the minimum interval f...

Page 2768: ...ysname Vlan interface11 bfd min transmit interval 500 bfd multi hop authentication mode Use bfd multi hop authentication mode to configure the authentication mode for multihop BFD control packets Use...

Page 2769: ...1 and key to 123456 Sysname system view Sysname bfd multi hop authentication mode simple 1 plain 123456 bfd multi hop destination port Use bfd multi hop destination port to configure the destination p...

Page 2770: ...time multiplier of the receiver MAX minimum receiving interval supported by the sender minimum sending interval supported by the receiver Control packet mode BFD session in demand mode Detection time...

Page 2771: ...smitting multihop BFD control packets Use undo bfd multi hop min transmit interval to restore the default Syntax bfd multi hop min transmit interval interval undo bfd multi hop min transmit interval D...

Page 2772: ...t actively transmit a BFD control packet to the remote end it transmits a BFD control packet only after receiving a BFD control packet from the remote end Usage guidelines A minimum of one end must op...

Page 2773: ...ormation about all BFD sessions verbose Displays detailed BFD session information If this keyword is not specified the command displays brief BFD session information Examples Display brief information...

Page 2774: ...detailed IPv6 BFD session information Sysname display bfd session verbose Total Session Num 1 Up Session Num 1 Init Mode Active IPv6 session working in control packet mode Local Discr 513 Remote Discr...

Page 2775: ...r of packets sent Hold Time Holdtime Length of time before the session detection timer expires in milliseconds For a BFD session in Down state this field displays 0ms Auth mode Session authentication...

Page 2776: ...ap enable bfd to disable SNMP notifications for BFD Syntax snmp agent trap enable bfd undo snmp agent trap enable bfd Default All SNMP notifications are enabled for BFD Views System view Predefined us...

Page 2777: ...mmands 1 delay 1 display track 2 track bfd ctrl 5 track bfd echo 6 track cfd 7 track interface 8 track interface physical 9 track interface protocol 10 track ip route reachability 11 track lldp neighb...

Page 2778: ...state has changed to Positive The positive time argument represents the positive state notification delay in the range of 1 to 300 seconds Usage guidelines If the Track module immediately notifies the...

Page 2779: ...tive Specifies track entries in Positive state brief Displays brief information about track entries Examples Display information about all track entries Sysname display track all Track ID 1 State Posi...

Page 2780: ...ck ID 6 State Positive Duration 0 days 0 hours 0 minutes 32 seconds Tracked object type Failover group Notification delay Positive 20 Negative 30 in seconds Tracked object LLDP interface Vlan interfac...

Page 2781: ...ted with the track entry BFD session mode BFD session mode Outgoing interface Outgoing interface of BFD echo packets VPN instance name Name of the VPN instance to which BFD session packets belong If t...

Page 2782: ...and all its settings Syntax track track entry number bfd ctrl interface interface type interface number vpn instance vpn instance name remote ip remote ip address local ip local ip address undo track...

Page 2783: ...e BFD session Examples Associate track entry 1 with a control mode BFD session The BFD control packets use destination IP address 192 168 1 1 source IP address 192 168 1 2 and outgoing interface VLAN...

Page 2784: ...al or remote address of a BFD session Examples Associate track entry 1 with an echo mode BFD session The BFD echo packets use destination IP address 1 1 1 1 source IP address 1 1 1 2 and outgoing inte...

Page 2785: ...with the link state of an interface and enter Track view or enter the view of an existing track entry Use undo track to remove the track entry and all its settings Syntax track track entry number inte...

Page 2786: ...sociated with the physical state of an interface and enter Track view or enter the view of an existing track entry Use undo track to remove the track entry and all its settings Syntax track track entr...

Page 2787: ...terface by its type and number ipv4 Monitors the IPv4 protocol state When the IPv4 protocol state of an interface is up the state of the track object is Positive When the IPv4 protocol state of an int...

Page 2788: ...redefined user roles network admin Parameters track entry number Specifies the track entry ID in the range of 1 to 1024 vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a ca...

Page 2789: ...ailability status of an LLDP interface and enter Track view or enter the view of an existing track entry Use undo track to remove the track entry and all its settings Syntax track track entry number l...

Page 2790: ...associated with the track entry The admin name argument specifies the name of the NQA operation administrator who creates the NQA operation and is a case insensitive string of 1 to 32 characters The...

Page 2791: ...14 Sysname track 1 Related commands delay display track...

Page 2792: ...E4300 IE4300 M IE4320 Industrial Switch Series Network Management and Monitoring Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 202...

Page 2793: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 2794: ...you enter literally as shown Italic Italic text represents arguments that you replace with actual values Square brackets enclose syntax choices keywords or arguments that are optional x y Braces enclo...

Page 2795: ...s Convention Description Represents a generic network device such as a router switch or firewall Represents a routing capable device such as a router or Layer 3 switch Represents a generic switch such...

Page 2796: ...ardware model configuration or software version It is normal that the port numbers sample output screenshots and other information in the examples differ from what you have on your device Documentatio...

Page 2797: ...i Contents Ping tracert and system debugging commands 1 debugging 1 display debugging 2 ping 2 ping ipv6 5 tracert 7 tracert ipv6 10...

Page 2798: ...by module To display the debugging options supported by a module use the debugging module name command all Specifies all modules Usage guidelines CAUTION Output of excessive debugging messages increa...

Page 2799: ...source ip c count f h ttl i interface type interface number m interval n p pad q r s packet size t timeout tos tos v vpn instance vpn instance name host Views Any view Predefined user roles network ad...

Page 2800: ...orded s packet size Specifies the length in bytes of ICMP echo requests excluding the IP packet header and the ICMP packet header The value range is 20 to 9600 and the default is 56 t timeout Specifie...

Page 2801: ...of 1 1 2 2 is reachable Only results are displayed Sysname ping q 1 1 2 2 Ping 1 1 2 2 1 1 2 2 56 data bytes press CTRL_C to break Ping statistics for 1 1 2 2 5 packet s transmitted 5 packet s receiv...

Page 2802: ...CMP echo requests sent 5 packet s received Number of ICMP echo replies received 0 0 packet loss Percentage of unacknowledged packets to the total packets sent round trip min avg max std dev 4 685 4 76...

Page 2803: ...a case sensitive string of 1 to 31 characters If the destination is on the public network do not specify this option host Specifies the IPv6 address or host name of the destination The host name is a...

Page 2804: ...cmp_seq 1 hlim 64 dst 2001 1 idx 3 time 62 000 ms Received ICMPv6 echo replies from the device whose IPv6 address is 2001 2 The number of data bytes is 56 The packet sequence is 1 The hop limit value...

Page 2805: ...ult global Specifies the global routing table none Disables AS resolution vpn Specifies the VPN routing table w timeout Specifies the timeout time in milliseconds of the reply packet for a probe packe...

Page 2806: ...to 1 1 3 2 1 1 3 2 30 hops at most 40 bytes each packet press CTRL_C to break 1 1 1 1 2 1 1 1 2 673 ms 425 ms 30 ms 2 1 1 2 2 1 1 2 2 580 ms 470 ms 80 ms 3 1 1 3 2 1 1 3 2 AS 65535 530 ms 472 ms 380...

Page 2807: ...longs The vpn instance name argument represents the VPN instance name a case sensitive string of 1 to 31 characters If the destination is on the public network do not specify this option resolve as Sp...

Page 2808: ...essage is displayed if the probe packet has a link local source address and a non link local destination address Such a packet cannot be delivered to the destination without leaving the scope of the s...

Page 2809: ...2 including the following information about the second hop IPv6 address of the hop Number of the AS the hop belongs to The AS number appears only when it is found for the hop in the specified routing...

Page 2810: ...e 38 next hop ip 38 next hop ipv6 39 no fragment enable 40 nqa 40 nqa agent enable 41 nqa schedule 41 nqa template 42 operation FTP operation view 43 operation HTTP HTTPS operation view 44 out interfa...

Page 2811: ...ICMP echo UDP tracert operation view 67 source ip 68 source ipv6 69 source port 70 ssl client policy 71 statistics hold time 71 statistics interval 72 statistics max group 73 target only 73 tos 74 tt...

Page 2812: ...s The evaluation of voice quality depends on users tolerance for voice quality For users with higher tolerance for voice quality use the advantage factor command to set an advantage factor When the sy...

Page 2813: ...community name undo community read Default The SNMP operation uses the community name public Views SNMP operation view Predefined user roles network admin Parameters cipher Specifies a community name...

Page 2814: ...sensitive string of 1 to 200 characters Usage guidelines If the payload length is smaller than the string length only the first part of the string is filled For example if you configure the string as...

Page 2815: ...sname nqatplt tcp tcptplt data fill abcd data size Use data size to set the payload size for each probe packet Use undo data size to restore the default Syntax data size size undo data size Default Th...

Page 2816: ...a admin test type icmp echo Sysname nqa admin test icmp echo data size 80 In ICMP template view set the payload size to 80 bytes for each probe packet Sysname system view Sysname nqa template icmp icm...

Page 2817: ...Parameters host name Specifies the destination host name a case sensitive string of 1 to 254 characters The host name can contain letters digits hyphens underscores _ and dots but consecutive dots ar...

Page 2818: ...pecify 10 1 1 1 as the destination IPv4 address for the ICMP echo operation Sysname system view Sysname nqa template icmp icmptplt Sysname nqatplt icmp icmptplt destination ip 10 1 1 1 destination ipv...

Page 2819: ...operations The destination port numbers for the operations that use the following NQA templates are 53 for the DNS template 1812 for the RADIUS template No destination port number is configured for o...

Page 2820: ...or statistics of the ICMP jitter path jitter UDP jitter and voice operations use the display nqa result or display nqa statistics command Examples Display the history records of the UDP tracert opera...

Page 2821: ...cannot be completed in milliseconds Hop IP IP address of the node that sent the reply packet Status Status of the operation result Succeeded Unknown error Internal error Timeout Time Time when the op...

Page 2822: ...ation consecutive 160 56 4 probe fail accumulate 12 0 5 probe fail consecutive 162 2 Table 3 Command output Field Description Index ID of a reaction entry Checked Element Monitored performance metric...

Page 2823: ...tion starts Number of sent packets Number of packets with the one way delay exceeding the threshold packet loss accumulate Packets sent after the operation starts Number of sent packets Total packet l...

Page 2824: ...results Send operation times 10 Receive response times 10 Min Max Average round trip time 1 2 1 Square Sum of round trip time 13 Last packet received time 2015 03 09 17 40 29 8 Extended results Packet...

Page 2825: ...ve SD 18 Max positive DS 8 Positive SD number 5 Positive DS number 2 Positive SD sum 75 Positive DS sum 32 Positive SD average 15 Positive DS average 16 Positive SD square sum 1189 Positive DS square...

Page 2826: ...ative SD sum 0 Negative DS sum 0 Negative SD average 0 Negative DS average 0 Negative SD square sum 0 Negative DS square sum 0 SD average 0 DS average 0 One way results Max SD delay 0 Max DS delay 0 M...

Page 2827: ...ilures due to other errors 0 Packets out of sequence 0 Packets arrived late 0 Path Jitter Results Jitter number 9 Min Max Average jitter 0 0 0 Positive jitter number 0 Min Max Average positive jitter...

Page 2828: ...timeout occurrences in an operation Failures due to disconnect Number of disconnections by the peer Failures due to no connection Number of failures to connect with the peer Failures due to internal e...

Page 2829: ...ive DS number Number of negative jitters from destination to source Negative SD sum Sum of absolute values of negative jitters from source to destination Negative DS sum Sum of absolute values of nega...

Page 2830: ...in milliseconds This field is available only for the path jitter operation Positive jitter number Number of positive jitter This field is available only for the path jitter operation Min Max Average...

Page 2831: ...f a reaction entry is configured the command displays the monitoring results of the reaction entry in the period specified by the statistics internal command The result fields display hyphens in one o...

Page 2832: ...8 Positive DS square sum 55 Min negative SD 1 Min negative DS 1 Max negative SD 1 Max negative DS 2 Negative SD number 24 Negative DS number 57 Negative SD sum 24 Negative DS sum 58 Negative SD averag...

Page 2833: ...negative SD 10 Max negative DS 1 Negative SD number 81 Negative DS number 94 Negative SD sum 556 Negative DS sum 191 Negative SD average 6 Negative DS average 2 Negative SD square sum 4292 Negative DS...

Page 2834: ...SD 9 Max negative DS 1 Negative SD number 4 Negative DS number 2 Negative SD sum 25 Negative DS sum 2 Negative SD average 6 Negative DS average 1 Negative SD square sum 187 Negative DS square sum 2 SD...

Page 2835: ...er 0 0 Negative jitter number 0 Min Max Average negative jitter 0 0 0 Sum Square Sum negative jitter 0 0 Hop IP 192 168 50 209 Basic Results Send operation times 10 Receive response times 10 Min Max A...

Page 2836: ...be times out ICMP jitter results ICMP jitter operation results This field is available only for the ICMP jitter operation UDP jitter results UDP jitter operation results This field is available only f...

Page 2837: ...egative SD square sum Square sum of negative jitters from source to destination Negative DS square sum Square sum of negative jitters from destination to source SD average Average value of jitters fro...

Page 2838: ...on results This field is available only for the path jitter operation Jitter number Number of jitters This field is available only for the path jitter operation Min Max Average jitter Minimum maximum...

Page 2839: ...for ICMP jitter UDP jitter voice operations Monitored performance metric Threshold type Collect data in Checked Num Over threshold Num RTT accumulate Packets sent in the counting interval Number of se...

Page 2840: ...is found again the NQA destination device is verified as illegal The NQA client does not perform the second round if no offset is specified It verifies the NQA destination as illegal directly if no ma...

Page 2841: ...dnstplt expect ip 1 1 1 1 expect ipv6 Use expect ipv6 to specify the expected IPv6 address Use undo expect ipv6 to restore the default Syntax expect ipv6 ipv6 address undo expect ipv6 Default No expec...

Page 2842: ...o 999 The value for the status num 2 argument must be equal to or greater than the value for the status num 1 argument Usage guidelines The status code of the HTTP or HTTPS packet is a three digit fie...

Page 2843: ...at which the NQA operation repeats Use undo frequency to restore the default Syntax frequency interval undo frequency Default In NQA operation view the interval between two consecutive voice or path j...

Page 2844: ...able Use history record enable to enable the saving of history records for the NQA operation Use undo history record enable to disable the saving of history records Syntax history record enable undo h...

Page 2845: ...history records can be saved The value range is 1 to 1440 minutes Usage guidelines When an NQA operation completes the timer starts All records are removed when the lifetime is reached Examples Set t...

Page 2846: ...entry admin test Sysname nqa admin test type icmp echo Sysname nqa admin test icmp echo history record number 10 init ttl Use init ttl to set the TTL value for UDP packets in the start round of the U...

Page 2847: ...ing Its plaintext form is a case sensitive string of 1 to 64 characters Its encrypted form is a case sensitive string of 1 to 117 characters Usage guidelines Make sure the NQA client and the RADIUS se...

Page 2848: ...se max failure to set the maximum number of consecutive probe failures in a UDP tracert operation Use undo max failure to restore the default Syntax max failure times undo max failure Default A UDP tr...

Page 2849: ...n request Examples Set the data transmission mode to passive for the FTP operation Sysname system view Sysname nqa entry admin test Sysname nqa admin test type ftp Sysname nqa admin test ftp mode pass...

Page 2850: ...obe packets Use undo next hop ipv6 to restore the default Syntax next hop ipv6 ipv6 address undo next hop ipv6 Default No next hop IPv6 address is specified for probe packets Views ICMP echo operation...

Page 2851: ...link Examples Enable the no fragmentation feature for the UDP tracert operation Sysname system view Sysname nqa entry admin test Sysname nqa admin test type udp tracert Sysname nqa admin test udp trac...

Page 2852: ...to disable the NQA client and stop all operations being performed Syntax nqa agent enable undo nqa agent enable Default The NQA client is enabled Views System view Predefined user roles network admin...

Page 2853: ...by using the undo nqa schedule command recurring Runs the operation automatically at the start time and for the specified duration If you do not specify this keyword the NQA operation is performed onl...

Page 2854: ...RADIUS template ssl Specifies the SSL template tcp Specifies the TCP template tcphalfopen Specifies the TCP half open template udp Specifies the UDP template name Specifies the name of the NQA templat...

Page 2855: ...r services for occupying much network bandwidth Examples Set the operation type to put for the FTP operation Sysname system view Sysname nqa entry admin test Sysname nqa admin test type ftp Sysname nq...

Page 2856: ...view Sysname nqa entry admin test Sysname nqa admin test type http Sysname nqa admin test http operation raw In HTTP template view set the operation type to raw for the HTTP operation Sysname system v...

Page 2857: ...o password is specified Views FTP HTTP operation view FTP HTTP HTTPS RADIUS template view Predefined user roles network admin Parameters cipher Specifies a password in encrypted form simple Specifies...

Page 2858: ...peration view ICMP jitter UDP jitter operation view Predefined user roles network admin Parameters times Specifies the probe times For the UDP tracert operation this argument specifies the times of pr...

Page 2859: ...itter operations Each of these operations performs only one probe Examples Configure the ICMP echo operation to perform 10 probes Sysname system view Sysname nqa entry admin test Sysname nqa admin tes...

Page 2860: ...ICMP jitter UDP jitter and path jitter operations 10 to 60000 for the voice operation Examples Configure the UDP jitter probe to send 100 packets Sysname system view Sysname nqa entry admin test Sysna...

Page 2861: ...o TCP UDP echo operation view DHCP DLSw DNS FTP HTTP SNMP operation view UDP tracert operation view Any NQA template view Predefined user roles network admin Parameters timeout Specifies the probe tim...

Page 2862: ...you must enter raw request view and configure the request content to be sent to the HTTP or HTTPS server To ensure successful operations make sure the request content does not contain command aliases...

Page 2863: ...violations in the operation The value range is 1 to 14999 for the ICMP jitter and UDP jitter operations and 1 to 59999 for the voice operation average Checks the average one way jitter threshold value...

Page 2864: ...y is set to below threshold Once the state of the reaction entry changes a trap message is generated and sent to the NMS Sysname system view Sysname nqa entry admin test Sysname nqa admin test type ud...

Page 2865: ...low threshold Once the state of the reaction entry changes a trap message is generated and sent to the NMS Sysname system view Sysname nqa entry admin test Sysname nqa admin test type udp jitter Sysna...

Page 2866: ...e Sysname nqa admin test voice reaction 1 checked element icpif threshold value 50 5 action type trap only reaction checked element mos Use reaction checked element mos to configure a reaction entry f...

Page 2867: ...action 1 checked element mos threshold value 200 100 action type trap only reaction checked element packet loss Use reaction checked element packet loss to configure a reaction entry for monitoring pa...

Page 2868: ...reaction checked element probe duration to configure a reaction entry for monitoring the probe duration Use undo reaction to delete a reaction entry Syntax reaction item number checked element probe d...

Page 2869: ...Create reaction entry 2 for monitoring the probe duration of ICMP echo operation and set the upper limit to 50 milliseconds and the lower limit to 5 milliseconds Before the NQA operation starts the in...

Page 2870: ...what action to be triggered The default action is none none Specifies the action of displaying results on the terminal display trap only Specifies the action of displaying results on the terminal disp...

Page 2871: ...em number checked element probe fail threshold type consecutive consecutive occurrences action type trigger only undo reaction item number Default No reaction entries for monitoring probe failures exi...

Page 2872: ...cumulate occurrences Checks the total number of threshold violations Available value ranges include 1 to 15000 for the ICMP jitter and UDP jitter operations 1 to 60000 for the voice operation average...

Page 2873: ...eration the packet round trip time is checked If the total number of threshold violations reaches or exceeds 100 the state of the entry is set to over threshold Otherwise the state of the entry is set...

Page 2874: ...the test complete keyword The following parameters are not available for the UDP tracert operation The probe failure consecutive probe failures option The accumulate probe failures argument Examples C...

Page 2875: ...lient notifies the feature of the operation failure when the number of consecutive probe failures reaches 3 Views Any NQA template view Predefined user roles network admin Parameters count Specifies t...

Page 2876: ...ched the NQA client notifies the feature that uses the template of the successful operation event If you execute this command and the reaction trigger per probe command multiple times the most configu...

Page 2877: ...1 as the domain name to be resolved Sysname system view Sysname nqa template dns dnstplt Sysname nqatplt dns dnstplt resolve target domain1 resolve type Use resolve type to configure the domain name r...

Page 2878: ...ched Packets are sent to the destination on a directly connected network The TTL value in the probe packet is set to 1 The TTL set in the ttl command does not take effect This command does not take ef...

Page 2879: ...ce VLAN interface 1 as the source IP address of ICMP echo request packets Sysname system view Sysname nqa entry admin test Sysname nqa admin test type icmp echo Sysname nqa admin test icmp echo source...

Page 2880: ...on the most recent configuration takes effect Examples Specify 10 1 1 1 as the source IPv4 address for ICMP echo requests Sysname system view Sysname nqa entry admin test Sysname nqa admin test type i...

Page 2881: ...CMP echo operation Sysname system view Sysname nqa entry admin test Sysname nqa admin test type icmp echo Sysname nqa admin test icmp echo source ipv6 1 1 In ICMP template view specify 1 1 as the sour...

Page 2882: ...ssl client policy Default No SSL client policy is specified for an HTTPS or SSL template Views HTTPS SSL template view Predefined user roles network admin Parameters policy name Specifies an SSL clien...

Page 2883: ...echo Sysname nqa admin test icmp echo statistics hold time 3 statistics interval Use statistics interval to set the statistics collection interval for an NQA operation Use undo statistics interval to...

Page 2884: ...jitter path jitter UDP jitter voice operation view Predefined user roles network admin Parameters number Specifies the maximum number of statistics groups in the range of 0 to 100 To disable statistic...

Page 2885: ...store the default Syntax tos value undo tos Default The ToS value in the IP header of probe packets is 0 Views Any operation view Any NQA template view Predefined user roles network admin Parameters v...

Page 2886: ...1 to 255 Usage guidelines The route option bypass route command sets the TTL to 1 for probe packets If you configure both the route option bypass route and ttl commands for an operation the ttl comman...

Page 2887: ...e SNMP operation type tcp Specifies the TCP operation type udp echo Specifies the UDP echo operation type udp jitter Specifies the UDP jitter operation type udp tracert Specifies the UDP tracert opera...

Page 2888: ...c com for example Each label consists of 1 to 63 characters Consecutive dots and question marks are not allowed For description about the filename parameter see Fundamentals Configuration Guide HTTPS...

Page 2889: ...em view Sysname nqa entry admin test Sysname nqa admin test type ftp Sysname nqa admin test ftp username administrator Set the FTP login username to administrator in FTP template view Sysname system v...

Page 2890: ...TP SNMP operation view UDP tracert operation view ICMP jitter path jitter UDP jitter voice operation view Any NQA template view Predefined user roles network admin Parameters vpn instance name Specifi...

Page 2891: ...s Whether the NQA server is enabled TCP connect Information about the TCP listening service on the NQA server UDP echo Information about the UDP listening service on the NQA server IP address IP addre...

Page 2892: ...ntax nqa server enable undo nqa server enable Default The NQA server is disabled Views System view Predefined user roles network admin Examples Enable the NQA server Sysname system view Sysname nqa se...

Page 2893: ...port number for a TCP listening service on the NQA server follow these restrictions and guidelines The IP address port number and VPN instance must be unique on the NQA server and match the configurat...

Page 2894: ...ue the ToS value in the request packet is used Usage guidelines Use this command on the NQA server only for the UDP jitter UDP echo and voice operations When you configure the IP address and port numb...

Page 2895: ...client 21 ntp service ipv6 multicast server 21 ntp service ipv6 source 22 ntp service ipv6 unicast peer 23 ntp service ipv6 unicast server 25 ntp service max dynamic sessions 27 ntp service multicast...

Page 2896: ...ons Sysname display ntp service ipv6 sessions Notes 1 source master 2 source peer 3 selected 4 candidate 5 configured Source 125 3000 32 Reference 127 127 1 0 Clock stratum 2 Reachabilities 1 Poll int...

Page 2897: ...time Length of time from when the last NTP message was received or when the local clock was last updated to the current time Time is in seconds by default If the time length is greater than 2048 seco...

Page 2898: ...date reference source sane The clock source has passed authentication and its clock will be used as the reference clock insane The clock source has not passed authentication or it has passed authentic...

Page 2899: ...64 seconds Offset Offset of the system clock relative to the reference clock in milliseconds roundtrip delay Roundtrip delay from the local device to the clock source in milliseconds dispersion Maximu...

Page 2900: ...t or multicast server mode the display ntp service sessions command does not display the IPv4 NTP association information corresponding to the broadcast or multicast server However the associations ar...

Page 2901: ...me Time is in seconds by default If the time length is greater than 2048 seconds it is displayed in minutes m If the time length is greater than 300 minutes it is displayed in hours h If the time leng...

Page 2902: ...server of the current system selected The clock source has survived the clock selection algorithm candidate The clock source is the candidate reference source sane The clock source has passed authent...

Page 2903: ...ue is 6 the poll interval of the local device is 2 6 or 64 seconds Offset Offset of the system clock relative to the reference clock in milliseconds roundtrip delay Roundtrip delay from the local devi...

Page 2904: ...k admin network operator Examples Display NTP service status after time synchronization Sysname display ntp service status Clock status synchronized Clock stratum 2 System peer LOCAL 0 Local mode clie...

Page 2905: ...IP address of the local clock For an IPv6 NTP server The field represents the MD5 digest of the first 32 bits of the IPv6 address of the remote server when the local device is synchronized to a remote...

Page 2906: ...erver from the source interface make sure the source interface and the NTP servers from the local device to the primary NTP server are reachable to each other Examples Display brief information about...

Page 2907: ...query Allows only NTP control queries from a peer device to the local device server Allows time requests and NTP control queries from a peer device but does not allow the local device to synchronize...

Page 2908: ...ervice authentication keyid ntp service reliable authentication keyid ntp service authentication enable Use ntp service authentication enable to enable NTP authentication Use undo ntp service authenti...

Page 2909: ...will be stored in encrypted form string Specifies a case sensitive authentication key Its plaintext form is a string of 1 to 32 characters Its encrypted form is a string of 1 to 73 characters acl ipv...

Page 2910: ...mples Set a plaintext MD5 authentication key with the key ID of 10 and key value of BetterKey Sysname system view Sysname ntp service authentication enable Sysname ntp service authentication keyid 10...

Page 2911: ...e used for sending broadcast messages to broadcast clients The value range for the keyid argument is 1 to 4294967295 If you do not specify this option the local device cannot synchronize broadcast cli...

Page 2912: ...DSCP value in the range of 0 to 63 for IPv4 NTP packets Usage guidelines The DSCP value is included in the ToS field of an IPv4 packet to identify the packet priority Examples Set the DSCP value for...

Page 2913: ...ponding subnet You do not want the device to be synchronized by the peer device in the subnet corresponding to the interface Examples Disable VLAN interface 1 from receiving NTP messages Sysname syste...

Page 2914: ...ronization and query If no right is matched the peer device does not have access to the IPv6 NTP service on the local device and the device cannot synchronize the time with the peer device If the spec...

Page 2915: ...se undo ntp service ipv6 inbound enable to disable an interface from receiving IPv6 NTP messages Syntax ntp service ipv6 inbound enable undo ntp service ipv6 inbound enable Default An interface receiv...

Page 2916: ...ized based on the received IPv6 NTP messages If you have configured the device to operate in IPv6 multicast client mode on an interface by using the command do not add the interface to any aggregate g...

Page 2917: ...the device to operate in IPv6 multicast server mode on an interface with the command do not add the interface to any aggregate group To add the interface to an aggregate group remove the configuratio...

Page 2918: ...as the source interface for IPv6 NTP messages In NTP symmetric active passive mode if you have specified the source interface for IPv6 NTP messages in the ntp service ipv6 unicast peer command the sp...

Page 2919: ...is 2 6 64 seconds priority Specifies the peer specified by ipv6 address or peer name as the first choice under the same condition source interface type interface number Specifies the source interface...

Page 2920: ...ntp service ipv6 unicast server to remove an IPv6 NTP server specified for the device Syntax ntp service ipv6 unicast server server name ipv6 address vpn instance vpn instance name authentication keyi...

Page 2921: ...not specify an interface the device automatically selects the source IPv6 address of IPv6 NTP messages For more information see RFC 3484 Usage guidelines When you specify an IPv6 NTP server for the d...

Page 2922: ...eated by using an NTP command A dynamic association is a temporary association created by the system during operation This command limits the number of dynamic NTP associations and prevents dynamic NT...

Page 2923: ...erface vlan interface 1 Sysname Vlan interface1 ntp service multicast client 224 0 1 1 Related commands ntp service multicast server ntp service multicast server Use ntp service multicast server to co...

Page 2924: ...on Set the NTP version to 4 Sysname system view Sysname interface vlan interface 1 Sysname Vlan interface1 ntp service multicast server 224 0 1 1 version 4 authentication keyid 4 Related commands ntp...

Page 2925: ...ey as a trusted key Use undo ntp service reliable authentication keyid to remove the configuration Syntax ntp service reliable authentication keyid keyid undo ntp service reliable authentication keyid...

Page 2926: ...4 address of the specified source interface as the source address to send NTP messages The receiving device uses this address as the destination address of the NTP response message ip address Specifie...

Page 2927: ...s time to the server and outputs a log and a trap when the time offset exceeds 128 ms for multiple times After you set the thresholds the system synchronizes the client s time to the server when the t...

Page 2928: ...base 2 is raised to get the interval in seconds The minimum polling interval is in the range of 2 4 to 2 17 16 to 131072 seconds The default value for the minpoll interval argument is 6 and the defaul...

Page 2929: ...service unicast server to remove an NTP server specified for the device Syntax ntp service unicast server server name ip address vpn instance vpn instance name authentication keyid keyid maxpoll maxp...

Page 2930: ...ce IP address of the NTP messages version number Specifies the NTP version The value range for the number argument is 1 to 4 The default value is 4 Usage guidelines When you specify an NTP server for...

Page 2931: ...t Field Description SNTP server SNTP server NTP server If this field displays the IPv6 address of the NTP server has not been resolved successfully Stratum Stratum level of the NTP server which determ...

Page 2932: ...vel 16 is not synchronized Version SNTP version Last receive time Time when the last message was received Synced means the local clock is synchronized to the NTP server sntp authentication enable Use...

Page 2933: ...sha 384 Specifies the HMAC SHA 384 algorithm hmac sha 512 Specifies the HMAC SHA 512 algorithm md5 Specifies the MD5 algorithm cipher Specifies an authentication key in encrypted form simple Specifies...

Page 2934: ...server and client After you configure an SNTP authentication key use the sntp reliable authentication keyid command to set it as a trusted key The key automatically changes to untrusted after you dele...

Page 2935: ...ey ID to be used for sending NTP messages to the NTP server The value range for the keyid argument is 1 to 4294967295 If you do not specify this option the local device and NTP server do not authentic...

Page 2936: ...ed key Use undo sntp reliable authentication keyid to remove the trusted key Syntax sntp reliable authentication keyid keyid undo sntp reliable authentication keyid keyid Default No trusted key is spe...

Page 2937: ...threshold Specifies the SNTP time offset threshold for trap output The value range for the trap threshold argument is 128 to 60000 in milliseconds Usage guidelines By default the system synchronizes t...

Page 2938: ...the local device and NTP server do not authenticate each other source interface type interface number Specifies the source interface for NTP messages In an NTP message the local device sends to the N...

Page 2939: ...9 sntp authentication keyid sntp reliable authentication keyid...

Page 2940: ...oe profile 12 display poe profile interface 14 poe ai enable 14 poe detection mode 15 poe enable 16 poe fast on enable 16 poe force power 17 poe high inrush enable 18 poe legacy enable interface view...

Page 2941: ...profile name Specifies a PoE profile by its name a case sensitive string of 1 to 15 characters Examples Apply the PoE profile named forIPphone to GigabitEthernet 1 0 1 Sysname system view Sysname int...

Page 2942: ...profile is applied Examples Apply the PoE profile named forIPphone to GigabitEthernet 1 0 1 Sysname system view Sysname apply poe profile name forIPphone interface gigabitethernet 1 0 1 Apply the PoE...

Page 2943: ...display poe interface to display power supplying information for PIs Syntax display poe interface interface type interface number Views Any view Predefined user roles network admin network operator Pa...

Page 2944: ...equires more power than the configured power IEEE Class PD power class by which the PI supplies power to the PD If the PI does not support supplying power to the PD this field displays a hyphen Detect...

Page 2945: ...0 0 Off 0 Disabled GE1 0 11 Disabled Low 0 0 Off 0 Disabled GE1 0 12 Disabled Low 0 0 Off 0 Disabled GE1 0 13 Disabled Low 0 0 Off 0 Disabled GE1 0 14 Disabled Low 0 0 Off 0 Disabled GE1 0 15 Disabled...

Page 2946: ...The PI is undergoing a test Other fault A fault has caused the PSE to enter the idle status PD disconnected The PD is disconnected On State Ports Number of PIs that are supplying power Used Power con...

Page 2947: ...0 14 0 0 0 0 30 0 GE1 0 15 0 0 0 0 30 0 GE1 0 16 0 0 0 0 30 0 GE1 0 17 0 0 0 0 30 0 GE1 0 18 0 0 0 0 30 0 GE1 0 19 0 0 0 0 30 0 GE1 0 20 0 0 0 0 30 0 GE1 0 21 0 0 0 0 30 0 GE1 0 22 0 0 0 0 30 0 GE1 0...

Page 2948: ...displays detailed information about all PSEs Examples Display detailed PSE information Sysname display poe pse PSE ID 4 Slot No 1 PSE Model LSPPSE48A PSE Status Enabled Power Priority Low Current Powe...

Page 2949: ...SE Maximum guaranteed power of the PSE Total maximum power of all critical PIs of the PSE PSE CPLD Version PSE CPLD version number PSE Software Version PSE software version number PSE Hardware Version...

Page 2950: ...Disabled GE1 0 11 Disabled Low 0 0 Off 0 Disabled GE1 0 12 Disabled Low 0 0 Off 0 Disabled GE1 0 13 Disabled Low 0 0 Off 0 Disabled GE1 0 14 Disabled Low 0 0 Off 0 Disabled GE1 0 15 Disabled Low 0 0...

Page 2951: ...PD Delivering Power The PI is supplying power to the PD Fault A fault occurred during the test Test The PI is undergoing a test Other Fault A fault has caused the PSE to enter the idle status PD Disco...

Page 2952: ...0 0 30 0 GE1 0 23 0 0 0 0 30 0 GE1 0 24 0 0 0 0 30 0 On State Ports 0 Used 0 0 W Remaining 600 0 W Table 7 Command output Field Description Interface Interface name of a PI Current Current power of a...

Page 2953: ...3 GE1 0 4 forAP 2 2 GE1 0 5 poe enable GE1 0 6 poe max power 14000 Total PoE profiles 2 total ports 6 Display information about the PoE profile with index number 1 Sysname display poe profile index 1...

Page 2954: ...iguration field displays the configurations that have taken effect For the descriptions of other fields see Table 8 poe ai enable Use poe ai enable to enable AI driven PoE Use undo ai poe enable to di...

Page 2955: ...orrectly connected to the device without causing short circuit simple Enables the device to supply power to PDs that comply with basic requirements of 802 3af or 802 3at strict Enables the device to s...

Page 2956: ...profile has been applied to a PI remove the application before configuring the PI in PoE profile view If a PI has been configured remove the configuration before configuring the PI in PI view Examples...

Page 2957: ...d Examples Enable fast PoE for PSE 4 Sysname system view Sysname poe fast on enable pse 4 Related commands display poe pse poe force power Use poe force power to enable forced PoE power supply Use und...

Page 2958: ...inrush enable pse pse id undo poe high inrush enable pse pse id Default Inrush currents drawn by PDs are not allowed Views System view Predefined user roles network admin Parameters pse pse id Specifi...

Page 2959: ...interface view the configuration in system view takes effect As a best practice for disabling nonstandard PD detection for all PIs successfully in one operation disable this feature in both system vi...

Page 2960: ...E 4 to detect nonstandard PDs Sysname system view Sysname poe legacy enable pse 4 Related commands display poe pse poe legacy enable interface view poe max power interface view Use poe max power to se...

Page 2961: ...nnects to a PI Views PI view Predefined user roles network admin Parameters text Configures a description for the PD connected to the PI a case sensitive string of 1 to 80 characters Examples Configur...

Page 2962: ...fined user roles network admin Parameters critical Sets the power supply priority to critical The PI with critical power priority operates in guaranteed mode Power is first supplied to the PD connecte...

Page 2963: ...ndo poe reset enable Default PI power cycling upon a system warm reboot is disabled Views System view Predefined user roles network admin Usage guidelines During the system warm reboot process upon ex...

Page 2964: ...wer classes 0 to 3 and provides a maximum power of 12 95 W 802 3at Adds class 4 in addition to the four power classes defined by 802 3af and provides a maximum power of 25 5 W 802 3bt Adds classes 5 t...

Page 2965: ...eting it You can use the refresh mode in most cases Full mode Deletes the current PSE firmware and reloads a new one Use the full mode if the PSE firmware is damaged and you cannot execute any PoE com...

Page 2966: ...name a case sensitive string of 1 to 15 characters A PoE configuration file name begins with a letter and must not contain reserved keywords including undo all name interface user poe disable max pow...

Page 2967: ...27 Related commands apply poe profile poe enable poe max power interface view poe priority...

Page 2968: ...culate password 19 snmp agent community 21 snmp agent community map 24 snmp agent configuration examine interval 24 snmp agent context 25 snmp agent group 26 snmp agent local engineid 28 snmp agent lo...

Page 2969: ...edefined user roles network admin network operator Parameters read Specifies SNMP read only communities write Specifies SNMP read and write communities Usage guidelines This command is not available i...

Page 2970: ...y name ACL Number of the ACL This field appears only when an ACL is specified for the SNMPv1 or SNMPv2c community ACL name Name of the ACL This field appears only when an ACL is specified for the SNMP...

Page 2971: ...SNMP contexts Sysname display snmp agent context testcontext Related commands snmp agent context display snmp agent group Use display snmp agent group to display information about SNMP groups Syntax d...

Page 2972: ...send notifications only for the nodes in the notify MIB view Storage type Storage type including volatile nonvolatile permanent readOnly and other For more information see Table 1 ACL Number of the I...

Page 2973: ...ed MIB node information including node name last octet of an OID string and name of the next leaf node index node Specifies SNMP MIB tables and node names and OIDs of MIB index nodes trap node Specifi...

Page 2974: ...1xPaeSystemAuthControl iso8802 8802 dot1xPaeSystemAuthControl ieee802dot1 1 dot1xPaeSystemAuthControl ieee802dot1mibs 1 dot1xPaeSystemAuthControl Table 4 Command output Field Description std MIB node...

Page 2975: ...0 8802 1 1 2 1 2 4 Name lldpStatsRemTablesAgeouts OID 1 0 8802 1 1 2 1 2 5 Table 6 Command output Field Description Name MIB notification node name OID MIB notification node OID Trap Object Name and...

Page 2976: ...2 A 32 bit integer with no mathematical sign Gauge A non negative integer that might increase or decrease Gauge32 A 32 bit non negative integer that might increase or decrease Counter A non negative i...

Page 2977: ...rk operator Parameters exclude Displays the subtrees excluded from any MIB view include Displays the subtrees included in any MIB view viewname view name Displays information about the specified MIB v...

Page 2978: ...by the MIB view Subtree mask MIB subtree mask Storage type Type of the medium see Table 1 where the subtree view is stored View Type Access privilege for the MIB subtree in the MIB view Included All o...

Page 2979: ...n SNMP domain If you do not specify a remote SNMP entity this command displays the engine IDs of all remote SNMP entities Examples Display engine IDs of all remote SNMP entities Sysname display snmp a...

Page 2980: ...rocessed 0 alternate Response Class PDUs dropped silently 0 forwarded Confirmed Class PDUs dropped silently Table 10 Command output Field Description messages delivered to the SNMP entity Number of me...

Page 2981: ...processed Trap PDUs accepted and processed Number of notifications that have been received and processed alternate Response Class PDUs dropped silently Number of dropped response packets forwarded Co...

Page 2982: ...e configuration and usage status Sysname display snmp agent trap queue Queue size 100 Message number 6 Related commands snmp agent trap life snmp agent trap queue size display snmp agent trap list Use...

Page 2983: ...information Syntax display snmp agent usm user engineid engineid group group name username user name Views Any view Predefined user roles network admin network operator Parameters engineid engineid Sp...

Page 2984: ...Role name snmprole network operator Engine ID 800063A280000002BB0001 Storage type nonVolatile UserStatus active Table 11 Command output Field Description Username SNMP username Group name SNMP group...

Page 2985: ...n an interface Syntax enable snmp trap updown undo enable snmp trap updown Default Link state notifications are enabled Views Interface view Predefined user roles network admin Usage guidelines For an...

Page 2986: ...the display udp verbose command If you disable the SNMP agent the SNMP settings do not take effect The display current configuration command does not display the SNMP settings The SNMP settings will n...

Page 2987: ...not been created and will take effect only after a valid IP address is assigned to the specified interface Examples Configure the primary IP address of GigabitEthernet 1 0 1 as the source address of...

Page 2988: ...form for the encryption key by using the AES256 encryption algorithm and the HMAC SHA1 authentication algorithm md5 Calculates the encrypted form for the authentication key or encryption key by using...

Page 2989: ...ity name user role role name acl ipv4 acl number name ipv4 acl name acl ipv6 ipv6 acl number name ipv6 acl name undo snmp agent community cipher community name Default No SNMPv1 or SNMPv2c communities...

Page 2990: ...mands of the SNMP feature or this command An SNMP community is identified by a community name It contains a set of NMSs and SNMP agents Devices in an SNMP community authenticate each other by using th...

Page 2991: ...t community read simple readaccess Create the read and write community with the plaintext form name writeaccess so only the SNMPv2c NMS at 1 1 1 1 can use the community name writeaccess to read or set...

Page 2992: ...haracters context name Specifies an SNMP context a case sensitive string of 1 to 32 characters Usage guidelines This command enables a module on an agent to obtain the context mapped to a community na...

Page 2993: ...MP notification You can use this command to modify the examination interval Examples Set the intervals at which the SNMP module examines the system configuration for changes to 600 seconds sysname sys...

Page 2994: ...v3 snmp agent group v3 group name authentication privacy notify view view name read view view name write view view name acl ipv4 acl number name ipv4 acl name acl ipv6 ipv6 acl number name ipv6 acl na...

Page 2995: ...ive string of 1 to 63 characters acl ipv6 Specifies a basic or advanced IPv6 ACL for the group ipv6 acl number Specifies a basic or advanced IPv6 ACL by its number The basic IPv6 ACL number is in the...

Page 2996: ...cified ACL does not contain any rule all NMSs can access the device If a VPN instance is specified in an ACL rule the rule applies only to the packets of the VPN instance If no VPN instance is specifi...

Page 2997: ...or example you can set the engine ID for device 1 on the first floor of building A to 000Af0010001 and device 2 to 000Af0010002 Examples Set the local SNMP engine ID to 123456789A Sysname system view...

Page 2998: ...cluded view name oid tree mask mask value undo snmp agent mib view view name Default The system creates the ViewDefault view when the SNMP agent is enabled In this default MIB view all MIB objects in...

Page 2999: ...agent community read public mib view mibtest An SNMPv1 NMS in the public community can query the objects in the mib 2 subtree but not any object for example the sysDescr or sysObjectID node in the sys...

Page 3000: ...er roles network admin Parameters dscp value Sets the DSCP value for SNMP responses in the range of 0 to 63 A greater DSCP value represents a higher priority Usage guidelines The DSCP value is encapsu...

Page 3001: ...nt remote Use snmp agent remote to set an SNMP engine ID for a remote SNMP entity Use undo snmp agent remote to delete the SNMP engine ID of a remote SNMP entity Syntax snmp agent remote ipv4 address...

Page 3002: ...nmp agent sys info contact to restore the default contact Syntax snmp agent sys info contact sys contact undo snmp agent sys info contact Default The system contact is New H3C Technologies Co Ltd View...

Page 3003: ...on as Room524 row1 3 Sysname system view Sysname snmp agent sys info location Room524 row1 3 Related commands display snmp agent sys info snmp agent sys info version Use snmp agent sys info version to...

Page 3004: ...ng v2c v3 authentication privacy snmp agent target host trap address udp domain ipv4 target host ipv6 ipv6 target host udp port port number dscp dscp value vpn instance vpn instance name params securi...

Page 3005: ...apsulated in the ToS field of an IP packet It specifies the priority level of the packet and affects the transmission priority of the packet A greater DSCP value represents a higher priority The defau...

Page 3006: ...linkup warmstart system undo snmp agent trap enable configuration protocol standard authentication coldstart linkdown linkup warmstart system Default SNMP configuration notifications standard notific...

Page 3007: ...ified this command or its undo form enables or disables all SNMP notifications supported by the device Examples Enable the SNMP agent to send SNMP authentication failure notifications Sysname system v...

Page 3008: ...stem view Predefined user roles network admin Parameters seconds Sets a lifetime in the range of 1 to 2592000 in seconds Usage guidelines When congestion occurs the SNMP agent buffers notifications in...

Page 3009: ...eue size size undo snmp agent trap queue size Default The SNMP notification queue can store a maximum of 100 notifications Views System view Predefined user roles network admin Parameters size Specifi...

Page 3010: ...itive string of 1 to 32 characters The group can be one that has been created or not The user takes effect only after you create the group acl Specifies a basic or advanced IPv4 ACL for the user ipv4...

Page 3011: ...s specified in an ACL rule the rule applies only to the packets of the VPN instance If no VPN instance is specified in an ACL rule the rule applies only to the packets on the public network If you spe...

Page 3012: ...ode snmp agent usm user v3 user name user role role name remote ipv4 address ipv6 ipv6 address vpn instance vpn instance name cipher simple authentication mode md5 sha auth password privacy mode 3des...

Page 3013: ...e sensitive string of 1 to 31 characters If the target host belongs to the public network do not specify this option cipher Specifies an authentication key and an encryption key in encrypted form The...

Page 3014: ...even number of hexadecimal characters All zero and all F strings are invalid The even number is in the range of 10 to 64 If you change the local engine ID the existing SNMPv3 users and keys become in...

Page 3015: ...ACL can access the device For more information about ACL see ACL and QoS Configuration Guide Examples In VACM mode Add user testUser to SNMPv3 group testGroup and enable authentication for the group S...

Page 3016: ...ysname system view Sysname snmp agent usm user v3 testUser user role network operator simple authentication mode sha 123456TESTplat For an NMS to have read only access to all MIB objects make sure the...

Page 3017: ...es You can assign a maximum of 64 user roles to an SNMPv3 user An SNMPv3 user must have a minimum of one user role Examples Assign the user role network admin to the SNMPv3 user testUser Sysname syste...

Page 3018: ...s 1 display rmon alarm 1 display rmon event 2 display rmon eventlog 3 display rmon history 5 display rmon prialarm 7 display rmon statistics 8 rmon alarm 10 rmon event 12 rmon history 13 rmon prialarm...

Page 3019: ...4 1 etherStatsOctets 1 Sampling interval in seconds 10 Rising threshold 50 associated with event 1 Falling threshold 5 associated with event 2 Alarm sent upon entry startup risingOrFallingAlarm Lates...

Page 3020: ...t to display information about RMON event entries Syntax display rmon event entry number Views Any view Predefined user roles network admin network operator Parameters entry number Specifies an event...

Page 3021: ...cription Community SNMP community name for the RMON event Take the action action when triggered Actions that the system takes when the event is triggered none Takes no action log Logs the event trap S...

Page 3022: ...28s uptime Description The alarm formula defined in prialarmEntry 777 uprise 17000000 with alarm value 17077846 Alarm sample type is absolute This example shows that the event log table has four recor...

Page 3023: ...es of Ethernet statistics for Ethernet interfaces To collect history samples for an Ethernet interface you must first create a history control entry on the interface To configure the number of history...

Page 3024: ...tistic is the number of times that a drop condition occurred It is not necessarily the total number of dropped packets octets Total number of octets received during the sampling interval packets Total...

Page 3025: ...y index in the range of 1 to 65535 If you do not specify an entry the command displays all private alarm entries Examples Display information about all RMON private alarm entries Sysname display rmon...

Page 3026: ...Description of the alarm Sampling interval Interval in seconds at which data is sampled Rising threshold Alarm rising threshold Falling threshold Alarm falling threshold associated with event Event in...

Page 3027: ...sions 0 etherStatsDropEvents insufficient resources 0 Incoming packets by size 64 0 65 127 0 128 255 0 256 511 0 512 1023 0 1024 1518 0 Table 6 Command output Field Description EtherStatsEntry entry n...

Page 3028: ...tistic is the number of times that a drop condition occurred It is not necessarily the total number of dropped packets Incoming packets by size Incoming packet statistics by packet length 64 Number of...

Page 3029: ...tes a falling alarm rising falling Generates a rising or falling alarm rising threshold threshold value1 event entry1 Sets the rising threshold The threshold value1 argument represents the rising thre...

Page 3030: ...igabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 rmon statistics 1 Sysname GigabitEthernet1 0 1 quit Sysname rmon alarm 1 1 3 6 1 2 1 16 1 1 1 4 1 10 absolute rising threshold 5000 1 falling threshol...

Page 3031: ...bout SNMP notifications see Network Management and Monitoring Configuration Guide Usage guidelines You can create a maximum of 60 event entries You can associate an event entry with a standard or priv...

Page 3032: ...erface has a history control entry RMON periodically samples packet statistics on the interface and stores the samples to the history table When the bucket size for the history control entry is reache...

Page 3033: ...reshold threshold value1 event entry1 Sets the rising threshold The threshold value1 argument represents the rising threshold in the range of 2147483648 to 2147483647 The event entry1 argument represe...

Page 3034: ...1 is the OID of the object instance etherStatsPkts 1 Sysname system view Sysname rmon event 1 log Sysname rmon event 2 none Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 rmon st...

Page 3035: ...sts number of bytes received and number of packets received The statistics are cleared at a reboot To display the RMON statistics table use the display rmon statistics command The index of an RMON sta...

Page 3036: ...ds 1 netconf capability specific namespace 1 netconf idle timeout 1 netconf log 2 netconf soap acl 4 netconf soap domain 5 netconf soap dscp 5 netconf soap enable 6 netconf ssh server enable 7 netconf...

Page 3037: ...le specific namespaces The common namespace is incompatible with module specific namespaces To set up a NETCONF session the device and the client must use the same type of namespaces By default the co...

Page 3038: ...o disable the timeout feature set this argument to 0 Usage guidelines If no NETCONF packets are exchanged on a NETCONF session within the NETCONF session idle timeout time the device tears down the se...

Page 3039: ...error information about failed edit config operations Usage guidelines If you specify the protocol operation keyword the device logs each of the matching operation and the operation result For exampl...

Page 3040: ...ONF over SOAP over HTTP access https Applies an IPv4 ACL to control NETCONF over SOAP over HTTPS access name ipv4 acl name Specifies an IPv4 ACL by its name The acl name argument is a case insensitive...

Page 3041: ...n authentication domain Execute the netconf soap domain command to specify a mandatory authentication domain After this command is executed all NETCONF users are placed in the domain for authenticatio...

Page 3042: ...ge guidelines The DSCP value of an IP packet specifies the priority level of the packet and affects the transmission priority of the packet Examples Set the DSCP value to 30 for outgoing NETCONF over...

Page 3043: ...ned user roles network admin Usage guidelines This feature allows you to use an SSH client to invoke NETCONF as an SSH subsystem Then you can directly use XML messages to perform NETCONF operations wi...

Page 3044: ...CONF over SSH session requests Sysname system view Sysname netconf ssh server port 800 xml Use xml to enter XML view Syntax xml Views User view Predefined user roles network admin network operator Usa...

Page 3045: ...iew the NETCONF message should not contain the shortcut key string If the NETCONF message contains the shortcut key string relevant configurations in XML view might be affected For example in user lin...

Page 3046: ...username 5 cwmp cpe connect interface 6 cwmp cpe connect retry 6 cwmp cpe inform interval 7 cwmp cpe inform interval enable 8 cwmp cpe inform time 8 cwmp cpe password 9 cwmp cpe provision code 10 cwm...

Page 3047: ...Syntax cwmp acs default password cipher simple string undo cwmp acs default password Default No password is configured for authentication to the default ACS URL Views CWMP view Predefined user roles...

Page 3048: ...undo cwmp acs default url to restore the default Syntax cwmp acs default url url undo cwmp acs default url Default No default ACS URL is specified Views CWMP view Predefined user roles network admin P...

Page 3049: ...or authentication to the default ACS URL If you execute this command multiple times the most recent configuration takes effect For a successful connection make sure the CPE has the same username and p...

Page 3050: ...le times the most recent configuration takes effect For a successful connection make sure the CPE has the same username and password settings as the ACS Examples Configure the password used for authen...

Page 3051: ...to configure the username for authentication to the preferred ACS URL Use undo cwmp acs username to restore the default Syntax cwmp acs username username undo cwmp acs username Default No username is...

Page 3052: ...cts the CWMP connection interface automatically If the CWMP connection interface is not the interface that connects the CPE to the ACS the CPE fails to establish a CWMP connection with the ACS For exa...

Page 3053: ...e upper limit Examples Set the maximum number of CWMP connection retries to 5 Sysname system view Sysname cwmp Sysname cwmp cwmp cpe connect retry 5 cwmp cpe inform interval Use cwmp cpe inform interv...

Page 3054: ...w Predefined user roles network admin Usage guidelines If this command is configured the CPE sends Inform messages regularly to establish a CWMP session with the ACS To set the periodic Inform interva...

Page 3055: ...work admin Parameters cipher Specifies a password in encrypted form simple Specifies a password in plaintext form For security purposes the password specified in plaintext form will be stored in encry...

Page 3056: ...he full stop Usage guidelines The ACS can use the provision code to identify services assigned to each CPE For correct configuration deployment make sure the same provision code is configured on the C...

Page 3057: ...an open NAT binding a public IP address and port binding through which the ACS can send unsolicited packets The CPE sends the binding to the ACS when it initiates a connection to the ACS For the conne...

Page 3058: ...wait timer for the CPE to close an idle connection Use undo cwmp cpe wait timeout to restore the default Syntax cwmp cpe wait timeout seconds undo cwmp cpe wait timeout Default The close wait timer i...

Page 3059: ...ork admin Usage guidelines CWMP configuration takes effect only after CWMP is enabled Examples Enable CWMP Sysname system view Sysname cwmp Sysname cwmp cwmp enable Related commands cwmp display cwmp...

Page 3060: ...URL Periodic inform Status of the periodic Inform feature Enabled or Disabled Inform interval Periodic Inform interval The default interval is 600 seconds Inform time Date and time at which an Inform...

Page 3061: ...tion attempt This field displays Null if no ACS URL was available ACS information source Source from which the CPE obtained the ACS URL User ACS URL assigned by using the cwmp acs url command or by AC...

Page 3062: ...client policy to restore the default Syntax ssl client policy policy name undo ssl client policy Default No SSL client policy is specified for CWMP Views CWMP view Predefined user roles network admin...

Page 3063: ...nvironment 4 display rtm policy 5 event cli 7 event hotplug 8 event interface 9 event process 11 event snmp oid 12 event snmp notification 13 event syslog 14 event track 17 rtm cli policy 18 rtm envir...

Page 3064: ...to a policy you must make sure the execution order is correct If two actions have the same ID the most recent one takes effect To execute a command in a view other than user view you must define acti...

Page 3065: ...oot actions You can configure a series of actions to be executed in response to the event specified in a monitor policy EAA executes the actions in ascending order of action IDs When you add actions t...

Page 3066: ...t to perform an active standby switchover Sysname system view Sysname rtm cli policy test Sysname rtm test action 3 switchover action syslog Use action syslog to add a Syslog action to a monitor polic...

Page 3067: ...Configure an action for the CLI defined policy test to send a log message hello with a severity of 7 from the facility device local3 Sysname system view Sysname rtm cli policy test Sysname rtm test a...

Page 3068: ...a user defined EAA environment variable name of more than 30 characters use the display current configuration command Value Value of the user defined EAA environment variable This field displays a max...

Page 3069: ...ication Syslog and track TimeActive Time when the monitor policy was triggered PolicyName Name of the monitor policy Display brief information about all created monitor policies Sysname display rtm po...

Page 3070: ...i async skip sync mode execute help tab pattern regular exp undo event Default No CLI event is configured Views CLI defined policy view Predefined user roles network admin Parameters async skip Enable...

Page 3071: ...m to execute the actions in the policy and display the complete parameter when Tab is pressed at a policy matching command line Sysname system view Sysname rtm cli policy test Sysname rmt test event c...

Page 3072: ...interface to configure an interface event for a CLI defined monitor policy Use undo event to delete the event in a CLI defined monitor policy Syntax event interface interface list monitor obj monitor...

Page 3073: ...ut drops Number of discarded outgoing packets during the sampling interval output errors Number of outgoing error packets during the sampling interval rcv bps Receive rate in bps during the sampling i...

Page 3074: ...when the statistic exceeds 1000 for the first time Enable EAA to re execute the policy if the statistic exceeds 1000 each time after the statistic has dropped below 50 Sysname system view Sysname rtm...

Page 3075: ...event Examples Configure a CLI defined policy to monitor all instances of the process snmpd for restart events Sysname system view Sysname rtm cli policy test Sysname rtm test event process restart n...

Page 3076: ...monitored MIB variable s value crosses the start threshold in the following situations The monitored variable s value crosses the start threshold for the first time The monitored variable s value cro...

Page 3077: ...n If you do not specify this keyword the system sends the notification Usage guidelines Use SNMP Notification event monitor policies to monitor variables in SNMP notifications EAA executes an SNMP Not...

Page 3078: ...nitor policies to monitor log messages EAA executes a Syslog event monitor policy when the number of matching logs over an interval reaches the limit NOTE EAA does not count log messages generated by...

Page 3079: ...b n Matches the preceding character n times or more The number n must be a nonnegative integer o 2 matches foooood but not Bob n m Matches the preceding character n to m times or more The numbers n an...

Page 3080: ...ser roles network admin Parameters track list Specifies a space separated list of up to 16 track items Each item specifies a track entry number or a range of track entry numbers in the form of track e...

Page 3081: ...an existing CLI defined EAA monitor policy Use undo rtm cli policy to delete a CLI defined monitor policy Syntax rtm cli policy policy name undo rtm cli policy policy name Default No CLI defined moni...

Page 3082: ...ent_time Time when the event occurs _event_severity Severity level of an event CLI _cmd Commands that are matched Syslog _syslog_pattern Log message content Hotplug _slot ID of the member device that...

Page 3083: ...vent syslog buffer size Default The size of the EAA monitored log buffer is 50000 Views System view Predefined user roles network admin Parameters buffer size Specifies the size for the EAA monitored...

Page 3084: ...ute the policies even if the trigger conditions are met This command does not suspend a running monitor policy until all its actions are executed Examples Suspend monitor policies Sysname system view...

Page 3085: ...defined policy and a Tcl defined policy However you cannot assign the same name to policies that are the same type Examples Create a Tcl policy and bind it to a Tcl script file Sysname system view Sy...

Page 3086: ...ource EAA does not perform the action and all the subsequent actions For example a monitor policy has four actions numbered from 1 to 4 The policy has user roles that are required for performing actio...

Page 3087: ...ocess memory 24 display process memory heap 25 display process memory heap address 27 display process memory heap size 28 exception filepath 29 monitor kernel deadloop action 29 monitor kernel deadloo...

Page 3088: ...e is 1 slot slot number Specifies an IRF member device by its ID If you do not specify this option the command displays context information for process exceptions on the IRF master device cpu cpu numb...

Page 3089: ...i 0x0000000000000003 rbp 0x00007fff88a5dcf0 rsp 0x00007fff88a5dcf0 r8 0x00007fae7ea587e0 r9 0x0000000000000079 r10 0xffffffffffffffff r11 0x0000000000000246 r12 0x0000000000405b18 r13 0x00007fff88a5ff...

Page 3090: ...t grp00 0x00000000000000ee 0x00000fffffd04840 grp02 0x00000fff80425c28 0x0000000000000004 grp04 0x00000fffffd048c0 0x000000000000000a grp06 0xffffffffffffffff 0x00000fff803c66b4 grp08 0x000000008002d0...

Page 3091: ...2010 cause 0x00800020 pc 0x2af2faf4 Display the exception context information on the MIPS based 64 bit terminal Sysname display exception context Index 1 of 1 Crashed PID 270 routed Crash signal SIGBU...

Page 3092: ...RAP Trap message SIGXCPU CPU usage limit exceeded SIGXFSZ File size limit exceeded SIGUNKNOW Unknown reason Crash time Time when the crash occurred Core file path Directory where the core dump file is...

Page 3093: ...o not specify this option the command displays kernel thread deadloop information for the master device cpu cpu number Specifies a CPU by its number Examples Display brief information about the most r...

Page 3094: ...g r29 Val 0x00000000 Reg r30 Val 0x0000002c Reg r31 Val 0x00000000 Reg cr Val 0x84000028 Reg nip Val 0x057d9550 Reg xer Val 0x00000000 Reg lr Val 0x0186eff0 Reg ctr Val 0x682f7344 Reg msr Val 0x00784b...

Page 3095: ...00 00 00 00 00 00 00 00 02 be 66 c0 02 be 66 d0 0xe2be6080 02 be 61 e0 00 00 00 02 00 00 00 00 02 be 61 70 0xe2be6090 00 00 00 00 02 21 00 00 05 8d 34 c4 05 7d 92 44 Call trace Function Address 0x801...

Page 3096: ...e kernel thread deadloop was detected ffffffff indicates an illegitimate instruction code No information to display No kernel thread deadloop information Related commands reset kernel deadloop display...

Page 3097: ...lay kernel exception Use display kernel exception to display kernel thread exception information Syntax display kernel exception show number offset verbose slot slot number cpu cpu number Views Any vi...

Page 3098: ...1 Cpu 0 VCPU ID 0 Kernel module info module name mrpnc module address 0xe332a000 module name 12500 module address 0xe00bd000 Last 5 thread switches migration 0 11 16 00 823018 swapper 11 16 00 833018...

Page 3099: ...0 00 00 08 0xe2be5f60 02 be 5f 80 00 ac 1b 14 00 00 00 00 00 00 00 00 0xe2be5f70 05 b4 5f 90 02 be 5f e0 00 00 00 30 02 be 5f e0 0xe2be5f80 02 be 5f c0 00 ac 1b f4 00 00 00 00 02 45 00 00 0xe2be5f90 0...

Page 3100: ...display in the range of 1 to 20 offset Specifies the offset between the starting reboot and the most recent reboot in the range of 0 to 19 The default value is 0 verbose Displays detailed information...

Page 3101: ...5 b4 00 00 00 00 00 00 00 00 00 00 00 00 0xe2be5ee0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0xe2be5ef0 95 47 73 35 00 00 00 00 00 00 00 00 00 00 00 00 0xe2be5f00 a0 e1 64 21 00 00 00 00 00 00...

Page 3102: ...Field Description Recorded at Time when the reboot was recorded with microsecond precision Occurred at Time when the reboot occurred with microsecond precision Reason Reboot reason Thread Name and num...

Page 3103: ...information for the master device cpu cpu number Specifies a CPU by its number Examples Display brief information about the most recent kernel thread starvation Sysname display kernel starvation 1 St...

Page 3104: ...8 Val 0x0000002c Reg r29 Val 0x00000000 Reg r30 Val 0x0000002c Reg r31 Val 0x00000000 Reg cr Val 0x84000028 Reg nip Val 0x057d9550 Reg xer Val 0x00000000 Reg lr Val 0x0186eff0 Reg ctr Val 0x682f7344 R...

Page 3105: ...0 00 04 02 21 00 00 00 00 00 00 01 e9 00 00 0xe2be6060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0xe2be6070 00 00 00 00 00 00 00 00 02 be 66 c0 02 be 66 d0 0xe2be6080 02 be 61 e0 00 00 00 02 00...

Page 3106: ...ime interval in seconds to identify a kernel thread starvation A kernel thread starvation occurs if a kernel thread does not run within n seconds Threads excluded from monitoring Kernel threads exclud...

Page 3107: ...0K 120 S 0 0 5 220 scmd Table 6 Command output Field Description Job ID Job ID of the process The job ID never changes PID Number of the process The number identifies the process and it might change a...

Page 3108: ...Running S Sleeping T Traced or stopped D Uninterruptible sleep Z Zombie HH MM SS MSEC Running time since the most recent start Name Process name Display state information for all processes Sysname dis...

Page 3109: ...a process HH MM SS Running time since the most recent start If the running time reaches or exceeds 100 hours this field displays only the number of hours COMMAND Name and parameters of a process If sq...

Page 3110: ...mation for all user processes Syntax display process log slot slot number cpu cpu number Views Any view Predefined user roles network admin network operator Parameters slot slot number Specifies an IR...

Page 3111: ...ory Use display process memory to display memory usage for all user processes Syntax display process memory slot slot number cpu cpu number Views Any view Predefined user roles network admin network o...

Page 3112: ...0 Stack Stack memory used by the user process in KB The value for a kernel thread is 0 Dynamic Dynamic memory used by the user process in KB The value for a kernel thread is 0 Name Name of the user p...

Page 3113: ...ommand Examples Display brief information about heap memory usage for the process identified by job ID 1 Sysname display process memory heap job 1 Total virtual memory heap space in bytes 2228224 Tota...

Page 3114: ...member device this command displays information for the master device cpu cpu number Specifies a CPU by its number Usage guidelines When a user process runs abnormally the command helps locate the pr...

Page 3115: ...evice by its member ID If you do not specify a member device this command displays information for the master device cpu cpu number Specifies a CPU by its number Usage guidelines The command displays...

Page 3116: ...stem will save core dump files to the core folder in the specified directory on the master If the core folder does not exist in the specified directory the system creates the core folder before saving...

Page 3117: ...ate configuration can cause system breakdown As a best practice leave the default unchanged Examples Set the kernel thread deadloop protection action to reboot for slot 1 Sysname system view Sysname m...

Page 3118: ...dloops If a thread occupies the CPU regularly the device considers that a deadloop has occurred Examples Enable kernel thread deadloop detection Sysname system view Sysname monitor kernel deadloop ena...

Page 3119: ...em view Sysname monitor kernel deadloop exclude thread 15 Related commands display kernel deadloop configuration display kernel deadloop monitor kernel deadloop enable monitor kernel deadloop time Use...

Page 3120: ...vation enable slot slot number cpu cpu number undo monitor kernel starvation enable slot slot number cpu cpu number Default Kernel thread starvation detection is disabled Views System view Predefined...

Page 3121: ...efault Kernel thread starvation detection if enabled monitors all kernel threads Views System view Predefined user roles network admin Parameters tid Specifies a kernel thread by its ID in the range o...

Page 3122: ...ion in the range of 1 to 65535 seconds slot slot number Specifies an IRF member device by its ID If you do not specify this option the master device is specified cpu cpu number Specifies a CPU by its...

Page 3123: ...umber of displayed processes according to the screen size and does not display exceeding processes You can also input interactive commands as shown in Table 12 to perform relevant operations Table 12...

Page 3124: ...ksoftirqd 0 5 5 99 S 0 0K 00 00 00 0 00 watchdog 0 6 6 115 S 0 0K 00 00 01 0 00 events 0 7 7 115 S 0 0K 00 00 00 0 00 khelper 4797 4797 120 S 8 28832K 00 00 02 0 00 comsh 5117 5117 120 S 8 1496K 00 00...

Page 3125: ...td 2 2 115 S 0 0K 00 00 00 0 00 kthreadd 3 3 99 S 0 0K 00 00 00 0 00 migration 0 4 4 115 S 0 0K 00 00 06 0 00 ksoftirqd 0 5 5 99 S 0 0K 00 00 00 0 00 watchdog 0 7 7 115 S 0 0K 00 00 00 0 00 khelper 47...

Page 3126: ...ds Thread states 2 running 111 sleeping 0 stopped 0 zombie CPU states 86 57 idle 0 83 user 11 74 kernel 0 83 interrupt Memory 755M total 414M available page size 4K JID PID PRI State FDs MEM HH MM SS...

Page 3127: ...I Priority level of a process State State of a process R Running S Sleeping T Traced or stopped D Uninterruptible sleep Z Zombie FDs Number of open files for a process MEM Memory usage It displays 0 f...

Page 3128: ...he following items in turn when you press 1 again and again Values of parameters of physical CPUs Average values of parameters of all CPUs By default the command displays the average values of paramet...

Page 3129: ...00 ksoftirqd 0 4 4 0 99 S 00 00 00 1 0 00 watchdog 0 5 5 0 115 S 00 00 00 0 0 00 events 0 6 6 0 115 S 00 00 00 0 0 00 khelper Enter h or a question mark to display help information as follows Help fo...

Page 3130: ...page size 4K JID TID LAST_CPU PRI State HH MM SS MAX CPU Name 1176 1176 0 120 R 00 00 04 1 1 86 top 866 866 0 120 S 00 00 14 1 0 87 devd 1 1 0 120 S 00 00 07 1 0 49 scmd 730 730 0 0 S 00 00 04 1 0 12...

Page 3131: ...s not change after the process restarts slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command displays information for the master device c...

Page 3132: ...e reset exception context Related commands display exception context reset kernel deadloop Use reset kernel deadloop to clear kernel thread deadloop information Syntax reset kernel deadloop slot slot...

Page 3133: ...eboot Use reset kernel reboot to clear kernel thread reboot information Syntax reset kernel reboot slot slot number cpu cpu number Views User view Predefined user roles network admin Parameters slot s...

Page 3134: ...er device by its ID If you do not specify this option the command clears kernel thread starvation information for the master device cpu cpu number Specifies a CPU by its number Examples Clear kernel t...

Page 3135: ...rface view 2 mirroring group mirroring port system view 3 mirroring group monitor egress 4 mirroring group monitor port interface view 6 mirroring group monitor port system view 7 mirroring group refl...

Page 3136: ...rroring groups remote destination Specifies remote destination groups remote source Specifies remote source groups Usage guidelines Mirroring group information includes the type status and content of...

Page 3137: ...No mirroring groups exist Views System view Predefined user roles network admin Parameters group id Specifies a mirroring group ID The value range for this argument is 1 to 4 local Specifies local mir...

Page 3138: ...t as a source port for only one mirroring group A source port cannot be used as a reflector port monitor port or egress port Examples Create local mirroring group 1 to monitor the bidirectional traffi...

Page 3139: ...groups and remote source groups A Layer 2 aggregate interface cannot be configured as a source port for a mirroring group Do not assign a source port of a mirroring group to the remote probe VLAN of t...

Page 3140: ...or port mirroring to work correctly disable the following features on the egress port of a mirroring group Spanning tree 802 1X IGMP snooping Static ARP MAC address learning The member port of an exis...

Page 3141: ...mirroring group do not configure its member ports as source ports of the mirroring group Use a monitor port only for port mirroring so the data monitoring device receives and analyzes only the mirror...

Page 3142: ...tree feature on the monitor port of a mirroring group For an aggregate interface configured as the monitor port of a mirroring group do not configure its member ports as source ports of the mirroring...

Page 3143: ...ge guidelines CAUTION The port to be configured as a reflector port must be a port not in use Do not connect a network cable to a reflector port When a port is configured as a reflector port the port...

Page 3144: ...user roles network admin Parameters group id Specifies a mirroring group by its ID The value range for this argument is 1 to 4 vlan id Specifies a VLAN by its ID Usage guidelines You can configure re...

Page 3145: ...te destination group 2 and configure VLAN 20 as its remote probe VLAN Sysname system view Sysname mirroring group 2 remote destination Sysname mirroring group 2 remote probe vlan 20 Related commands m...

Page 3146: ...o the CPU for the traffic behavior Sysname system view Sysname traffic behavior 1 Sysname behavior 1 mirror to cpu mirror to interface Use mirror to interface to configure a mirroring action that mirr...

Page 3147: ...e first four traffic behaviors take effect You can use the mirror to interface interface type interface number command to mirror traffic to only one interface in a traffic behavior If you execute the...

Page 3148: ...commands 1 display sflow 1 sflow agent 2 sflow collector 3 sflow counter collector 4 sflow counter interval 5 sflow flow collector 5 sflow flow max header 6 sflow sampling mode 7 sflow sampling rate...

Page 3149: ...Office Port counter sampling information Interface Instance CID Interval s GE1 0 1 2 2 100 GE1 0 1 1 1 200 Port flow sampling information Interface Instance FID MaxHLen Rate Mode Status GE1 0 1 2 2 12...

Page 3150: ...erval in seconds FID ID of the sFlow collector for receiving flow sampled packets If no sFlow collector ID is specified this field displays 0 MaxHLen Maximum number of bytes that can be copied in a sa...

Page 3151: ...ector collector id Default No sFlow collector information is configured Views System view Predefined user roles network admin Parameters collector id Specifies an sFlow collector by its ID The value r...

Page 3152: ...tance instance id collector Default No sFlow instance or sFlow collector is specified for counter sampling Views Layer 2 Ethernet interface view Predefined user roles network admin Parameters instance...

Page 3153: ...fault Counter sampling is disabled Views Layer 2 Ethernet interface view Predefined user roles network admin Parameters interval Specifies the counter sampling interval in the range of 2 to 86400 seco...

Page 3154: ...erface counter sampling and flow sampling are separate from each other They can have the same sFlow instance but different sFlow collectors specified Settings of sFlow instances and sFlow collectors f...

Page 3155: ...set to 4000 by using the sflow sampling rate command the device samples packets randomly as follows The device might sample one packet from the first 4000 packets The device might sample multiple pack...

Page 3156: ...gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 sflow sampling rate 32768 Related commands sflow sampling mode sflow source Use sflow source to specify the source IP address of sent sFlow packets...

Page 3157: ...5 info center logfile enable 16 info center logfile frequency 17 info center logfile overwrite protection 17 info center logfile size quota 18 info center logging suppress duplicates 18 info center lo...

Page 3158: ...command The system clears the diagnostic log file buffer after saving the buffered diagnostic logs to the diagnostic log file If the diagnostic log file buffer is empty this command displays a succes...

Page 3159: ...Directory where the diagnostic log file is saved Writing frequency Interval at which the system saves diagnostic logs from the buffer to the diagnostic log file display info center Use display info c...

Page 3160: ...og output filters Examples Display information about log output filter loghost1 Sysname display info center filter loghost1 Log output filter loghost1 Module Rule ARP Debugging CFGLOG Deny Default Inf...

Page 3161: ...the memory resources are used up warning 5 Notification Normal but significant condition For example a terminal logs in to the device or the device reboots notificatio n 6 Informational Informational...

Page 3162: ...ffer last mins 5 Table 4 Command output Field Description Log buffer Status of the log buffer Enabled Logs can be output to the log buffer Disabled Logs cannot be output to the buffer Max buffer size...

Page 3163: ...itical For more information see Table 3 ERROR Represents error For more information see Table 3 WARN Represents warning For more information see Table 3 NOTIF Represents notification For more informat...

Page 3164: ...g file directory flash logfile Writing frequency 24 hour 0 min 10 sec Table 6 Command output Field Description Log file Log file status Enabled Logs can be output to the log file Disabled Logs cannot...

Page 3165: ...se display security logfile summary to display the summary of the security log file Syntax display security logfile summary Views Any view Predefined user roles security audit Usage guidelines To use...

Page 3166: ...g link up or link down logs when the interface state changes Syntax enable log updown undo enable log updown Default All interfaces are allowed to generate link up and link down logs Views Interface v...

Page 3167: ...c logs to the diagnostic log file Syntax info center diagnostic logfile enable undo info center diagnostic logfile enable Default Saving diagnostic logs to the diagnostic log file is enabled Views Sys...

Page 3168: ...ng interval to 600 seconds Sysname system view Sysname info center diagnostic logfile frequency 600 Related commands info center diagnostic logfile enable info center diagnostic logfile quota Use info...

Page 3169: ...on center is enabled info center filter Use info center filter to create a log output filter Syntax info center filter filter name module name default deny level severity undo info center filter filte...

Page 3170: ...et log output filter rules for the same module multiple times the most recent configuration takes effect To set a general log output filter rule for all modules use the default keyword The general log...

Page 3171: ...m view Sysname info center format unicom info center logbuffer Use info center logbuffer to enable log output to the log buffer Use undo info center logbuffer to disable log output to the log buffer S...

Page 3172: ...undo info center logbuffer size Default A maximum of 512 logs can be buffered Views System view Predefined user roles network admin Parameters buffersize Specifies the maximum log buffer size The valu...

Page 3173: ...rectory to flash test Sysname mkdir test Creating directory flash test Done Sysname system view Sysname info center logfile directory flash test Related commands info center logfile enable info center...

Page 3174: ...nes This command enables the system to automatically save logs in the log file buffer to the log file at the specified interval Examples Set the log file saving interval to 60000 seconds Sysname syste...

Page 3175: ...size quota Use info center logfile size quota to set the maximum log file size Use undo info center logfile size quota to restore the default Syntax info center logfile size quota size undo info cente...

Page 3176: ...suppress module module name mnemonic all mnemonic value undo info center logging suppress module module name mnemonic all mnemonic value Default The device does not suppress output of any logs from an...

Page 3177: ...g hosts are specified Views System view Predefined user roles network admin Parameters vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 ch...

Page 3178: ...me info center loghost 1 1 1 1 Related commands info center filter info center source info center loghost source Use info center loghost source to specify a source IP address for logs sent to log host...

Page 3179: ...e value must be an integer in the range of 1 to 100 Usage guidelines When the security log file is full the system deletes the oldest logs and then writes new logs to the security log file This featur...

Page 3180: ...e system view Sysname info center security logfile directory flash test info center security logfile enable Use info center security logfile enable to enable saving of security logs to the security lo...

Page 3181: ...ge guidelines The system outputs security logs to the security log file buffer and then saves the buffered logs to the security log file at the specified interval Examples Set the security log file sa...

Page 3182: ...odule name default console logbuffer logfile loghost monitor Default Table 8 lists the default log output rules Table 8 Default output rules Destination Log source modules Output switch Severity Conso...

Page 3183: ...tion takes effect If you execute this command for the default modules multiple times the most recent configuration takes effect Examples Output only VLAN module s information with the emergency level...

Page 3184: ...execute the command Enable synchronous information output and then save the current configuration enter interactive information Sysname system view Sysname info center synchronous Info center synchron...

Page 3185: ...buffer log traps Usage guidelines Log traps are SNMP notifications stored in the log trap buffer After the snmp agent trap enable syslog command is configured the device sends log messages in SNMP no...

Page 3186: ...a space if it is less than 10 for example 7 hh mm ss ms Local time with hh in the range of 00 to 23 mm and ss in the range of 00 to 59 and ms in the range of 0 to 999 YYYY Year none Indicates no time...

Page 3187: ...009 09 21T15 32 55 01 00 By default the ISO format timestamp does not contain the time zone information no year date Sets the timestamp format to the current system date and time without year or milli...

Page 3188: ...tically or manually If the log file buffer is empty this command displays a success message event though no logs are saved to the log file Examples Manually save logs from the log file buffer to the l...

Page 3189: ...ut configuring the security audit user role see AAA commands in Security Command Reference Examples Manually save the security logs in the security log file buffer to the security log file Sysname sec...

Page 3190: ...g to disable display of debug information on the current terminal Syntax terminal debugging undo terminal debugging Default Display of debug information is disabled on the current terminal Views User...

Page 3191: ...gging level severity undo terminal logging level Default The lowest level of logs that can be output to the current terminal is 6 Informational Views User view Predefined user roles network admin Para...

Page 3192: ...toring of logs is enabled on the console and disabled on the monitor terminal Views User view Predefined user roles network admin Usage guidelines This command takes effect only for the current connec...

Page 3193: ...interval 10 ptp announce timeout 11 ptp asymmetry correction 12 ptp clock step 13 ptp delay mechanism 14 ptp destination mac 14 ptp domain 15 ptp dscp 16 ptp enable 17 ptp force state 18 ptp min delay...

Page 3194: ...TP profile PTP standard or a PTP mode Examples Display PTP clock information Sysname display ptp clock PTP profile IEEE 1588 Version 2 PTP mode BC Slave only No Clock ID 000FE2 FFFE FF0000 Clock type...

Page 3195: ...e in nanoseconds N A indicates that information for this field is not obtained Mean path delay Mean path delay in nanoseconds N A indicates that information for this field is not obtained Steps remove...

Page 3196: ...isplay ptp foreign masters record to display information about foreign master nodes Syntax display ptp foreign masters record interface interface type interface number Views Any view Predefined user r...

Page 3197: ...ed user roles network admin network operator Parameters interface type interface number Specifies an interface by its type and number If you do not specify an interface this command displays PTP runni...

Page 3198: ...te Passive Neither receives nor sends synchronization messages A PTP interface is in passive state after it receives an announce messages Master Sends synchronization messages Premaster Temporary stat...

Page 3199: ...field displays the value for the interval exponent Announce receipt time out Number of announcement intervals before the receiving node stops receiving announce messages If a member node does not rec...

Page 3200: ...uality Class 248 Accuracy 254 Offset log variance 65535 Priority1 128 Priority2 128 Table 5 Command output Field Description Parent port number Outgoing interface number of the parent clock Observed p...

Page 3201: ...owUp 0 PdelayReq 0 PdelayResp 0 PdelayRespFollowUp 0 Sent packets Announce 476 Sync 2543 Signaling 0 DelayReq 0 DelayResp 0 FollowUp 2542 PdelayReq 238 PdelayResp 0 PdelayRespFollowUp 0 Discarded pack...

Page 3202: ...or Table 7 Command output Field Description Current UTC offset valid Whether the UTC offset is valid True Yes False No Current UTC offset Cumulative offset in seconds between the Coordinated Universal...

Page 3203: ...ned user roles network admin Usage guidelines This command is available only after you specify a PTP profile and a PTP mode Examples Activate the port role configuration Sysname system view Sysname pt...

Page 3204: ...is available only after you specify a PTP profile and a PTP mode The master node uses the value configured on its interface as the interval for sending announce messages Examples Set the announce mes...

Page 3205: ...ce message sending interval to 5 on GigabitEthernet 1 0 1 Sysname system view Sysname ptp profile 1588v2 Sysname ptp mode oc Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 ptp an...

Page 3206: ...mestamps Views Layer 2 Ethernet interface view Predefined user roles network admin Parameters one step Specifies the single step mode two step Specifies the two step mode Usage guidelines You can conf...

Page 3207: ...pecifies the peer delay mechanism used by P2PTC Usage guidelines This command is applicable only to BCs and OCs GigabitEthernet1 0 1 to GigabitEthernet1 0 16 on the IE4320 28P switch do not support th...

Page 3208: ...elay messages is 0180 C200 000E which cannot be modified This command takes effect only if PTP messages are encapsulated in IEEE 802 3 Ethernet packets Examples Configure the destination MAC address f...

Page 3209: ...profile 1588v2 Sysname ptp mode oc Sysname ptp domain 2 Related commands ptp mode ptp profile ptp source ptp dscp Use ptp dscp to set a DSCP value for PTP messages that are transmitted over UDP IPv4...

Page 3210: ...ter you specify a PTP profile and a PTP mode An OC can have only one PTP port As a best practice enable PTP on an interface after you configure PTP parameters For PTP to take effect on a Layer 2 Ether...

Page 3211: ...rnet interface view Predefined user roles network admin Parameters master Specifies the PTP port as a master port passive Specifies the PTP port as a passive port slave Specifies the PTP port as a sub...

Page 3212: ...file is SMPTE ST 2059 2 the value range for the interval argument is 5 to 4 Usage guidelines When a member clock receives a Sync message it responds by sending a Delay_Req message and starts a timer d...

Page 3213: ...is specified Views System view Predefined user roles network admin Parameters bc Specifies the clock node type as boundary clock BC e2etc Specifies the clock node type as end to end transparent clock...

Page 3214: ...ifies an exponent to the power of which base 2 is raised to get the interval in seconds for sending peer delay request messages When the PTP profile is IEEE 1588 version 2 the value range for the inte...

Page 3215: ...ble only after you specify a PTP profile and a PTP mode The SMPTE ST 2059 2 PTP profiles does not support this command Examples Specify the clock node type as P2PTC OC for the device Configure the por...

Page 3216: ...guidelines This command is available only after you specify a PTP profile and a PTP mode Examples Configure priority 1 as 10 for the local clock Sysname system view Sysname ptp profile 1588v2 Sysname...

Page 3217: ...the default Syntax ptp slave only undo ptp slave only Default An OC can operate either as a master clock or a member clock Views System view Predefined user roles network admin Usage guidelines This...

Page 3218: ...tance name Specifies an MPLS L3VPN instance used for communication between the local device and the peer device The vpn instance name argument is a case sensitive string of 1 to 31 characters If the p...

Page 3219: ...argument is 1 to 1 When the PTP profile is SMPTE ST 2059 2 the value range for the interval argument is 5 to 1 Usage guidelines This command is available only after you specify a PTP profile and a PT...

Page 3220: ...correction date configured for the UTC Syntax ptp utc leap59 date leap61 date date undo ptp utc leap59 date leap61 date Default No correction date is configured for the UTC Views System view Predefine...

Page 3221: ...en the UTC and TAI is 0 seconds Views System view Predefined user roles network admin Parameters utc offset Sets the cumulative offset between the UTC and TAI in seconds The utc offset argument is in...

Page 3222: ...rnet interface view Predefined user roles network admin Parameters vlan vlan id Specifies a VLAN by its ID in the range of 1 to 4094 dot1p dot1p value Specifies an 802 1p precedence for PTP messages i...

Page 3223: ...user roles network admin Parameters interface interface type interface number Specifies an interface by its type and number If you do not specify an interface this command clears PTP statistics on al...

Page 3224: ...1 display network clock status 2 network clock source forcessm 3 network clock source priority 4 network clock source ssm 4 network clock ssmcontrol 5 network clock work mode 6 Synchronous Ethernet c...

Page 3225: ...nd output Field Description Port Line clock input port State State of the clock source Normal The clock source is operating correctly Lost The clock source is not available or is in an error condition...

Page 3226: ...ay network clock status Mode Auto Reference N A Traced reference N A Lock mode Unknown SSM output level SSUB SSM control enable On Table 2 Command output Field Description Mode Clock reference selecti...

Page 3227: ...he quality level of a clock source Use undo network clock source forcessm to restore the default Syntax network clock source lpuport interface type interface number ptp forcessm off on undo network cl...

Page 3228: ...type interface number ptp priority Default All clock sources have a priority of 255 Views System view Predefined user roles network admin Parameters lpuport interface type interface number Specifies...

Page 3229: ...the SSM quality level to SDH equipment clock ssua Sets the SSM quality level to G 812 primary level SSU ssub Sets the SSM quality level to G 812 second level SSU unknown Sets the SSM quality level to...

Page 3230: ...Related commands display network clock source network clock ssm network clock work mode Use network clock work mode to set the clock reference selection mode Use undo network clock work mode to resto...

Page 3231: ...clock lpuport command It takes time for a clock reference selection mode change to take effect To verify the effectiveness of the change use the display network clock status command or check the log...

Page 3232: ...the command displays ESMC information for all interfaces Usage guidelines ESMC information is not available for interfaces in asynchronous mode Examples Display ESMC information for all interfaces Sys...

Page 3233: ...event packets sent Number of received or sent ESMC event packets ESMC information rate Transmission rate of ESMC information packets The value is fixed at 1 pps ESMC expiration ESMC expiration timer T...

Page 3234: ...twork admin Parameters master Specifies the master clock mode slave Specifies the slave clock mode Usage guidelines To avoid a negotiation result that conflicts with your clock synchronization trail d...

Page 3235: ...s network admin Usage guidelines You can configure an interface as a line clock input port only after you enable the synchronous mode on the interface GigabitEthernet 1 0 25 to GigabitEthernet 1 0 28...

Page 3236: ...H3C IE4300 IE4300 M IE4320 Industrial Switch Series Telemetry Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 20230116...

Page 3237: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 3238: ...lose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choices separated by vertical bars from which you select...

Page 3239: ...s a Layer 2 or Layer 3 switch or a router that supports Layer 2 forwarding and other Layer 2 features Represents an access controller a unified wired WLAN module or the access controller engine on a u...

Page 3240: ...Documentation feedback You can e mail your comments about product documentation to info h3c com We appreciate your comments...

Page 3241: ...timeout 6 grpc port 6 gRPC dial out mode commands 7 destination group subscription view 7 destination group telemetry view 8 domain name 8 ipv4 address 10 ipv6 address 11 ipv6 domain name 11 sensor p...

Page 3242: ...lay detailed gRPC information If you do not specify this keyword the command displays brief gRPC information Examples Display brief gRPC information Sysname display grpc gRPC status Enabled Current ti...

Page 3243: ...s Connection ID ID of the connection between the device and a collector IP address Port IP address and service port number of the collector Domain name Port Domain name and service port number of the...

Page 3244: ...vent triggered statistics Effective count 0 Sent successfully 0 Failed 0 Queued packets Queue size 204 1000 Dropped 0 Last error Channel Connecting Table 2 Command output Field Description gRPC status...

Page 3245: ...type Event triggered Event triggered sampling Periodic Periodical sampling Effective sampling interval Data sampling interval that takes effect Sensor path Sensor path Destination group Name of the de...

Page 3246: ...se grpc enable to enable the gRPC service Use undo grpc enable to disable the gRPC service Syntax grpc enable undo grpc enable Default The gRPC service is disabled Views System view Predefined user ro...

Page 3247: ...s in the range of 0 to 30 To disable gRPC sessions from being timed out set it to 0 Usage guidelines If no gRPC packet exchanges occur on the session between a gRPC and the server before the idle time...

Page 3248: ...n group for a subscription Use undo destination group to remove a destination group from a subscription Syntax destination group group name undo destination group group name Default A subscription doe...

Page 3249: ...roup name a case sensitive string of 1 to 31 characters Usage guidelines As a best practice configure a maximum of five destination groups Configuring too many destination groups might degrade the sys...

Page 3250: ...ot specify this option Usage guidelines If you specify collectors by their domain names you must configure DNS to make sure the device can translate the domain names of the collectors to IPv4 addresse...

Page 3251: ...elongs The vpn instance name argument represents the VPN instance name a case sensitive string of 1 to 31 characters If the collector belongs to the public network do not specify this option Usage gui...

Page 3252: ...e sensitive string of 1 to 31 characters If the collector belongs to the public network do not specify this option Usage guidelines To add multiple collectors to a destination group execute this comma...

Page 3253: ...d VPN instance already exists If the collector is on the public network do not specify this option Usage guidelines If you specify IPv6 collectors by their domain names you must configure DNS to make...

Page 3254: ...d multiple times The device supports a maximum of 128 sensor paths If the device does not support the specified sensor path the command displays an error message To modify the sensor path configuratio...

Page 3255: ...or paths do not take effect If you do not specify the option for periodic sensor paths the device does not sample or push data The specified sensor group must have been created by using the sensor gro...

Page 3256: ...ddress for packets sent to collectors Use undo source address to restore the default Syntax source address ipv4 address interface interface type interface number ipv6 ipv6 address undo source address...

Page 3257: ...scription to create a subscription and enter its view or enter the view of an existing subscription Use undo sensor group to delete a subscription Syntax subscription subscription name undo subscripti...

Page 3258: ...etry view Syntax telemetry Views System view Predefined user roles network admin Usage guidelines In telemetry view you can configure telemetry parameters Examples Enter telemetry view Sysname system...

Page 3259: ...H3C IE4300 IE4300 M IE4320 Industrial Switch Series OpenFlow Command Reference New H3C Technologies Co Ltd http www h3c com Software version Release 63xx Document version 6W101 20230116...

Page 3260: ...H3C Technologies Co Ltd any trademarks that may be mentioned in this document are the property of their respective owners Notice The information in this document is subject to change without notice A...

Page 3261: ...nclose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choices separated by vertical bars from which you sele...

Page 3262: ...s a Layer 2 or Layer 3 switch or a router that supports Layer 2 forwarding and other Layer 2 features Represents an access controller a unified wired WLAN module or the access controller engine on a u...

Page 3263: ...Documentation feedback You can e mail your comments about product documentation to info h3c com We appreciate your comments...

Page 3264: ...group 15 display openflow instance 16 display openflow meter 18 display openflow summary 20 fail open mode 21 flow entry max limit 22 flow log disable 22 flow table 23 forbidden packet in arp control...

Page 3265: ...the instance take effect After an OpenFlow instance is reactivated it disconnects from all controllers clears the deployed flow tables updates the capability set and then reconnects to controllers Ex...

Page 3266: ...able the VLAN mode for OpenFlow instance 1 and associate OpenFlow instance 1 with VLANs determined by VLAN ID 255 and VLAN mask 7 Sysname system view Sysname openflow instance 1 Sysname of inst 1 clas...

Page 3267: ...itive string of 1 to 31 characters If you do not specify a VRF name the controller is in the public network Usage guidelines You can specify multiple controllers for an OpenFlow switch The OpenFlow ch...

Page 3268: ...oller port port number Sets the port number used to establish TCP connections to the controller The value range for the port number is 1 to 65535 The default value is 6633 Usage guidelines Auxiliary c...

Page 3269: ...rval Use controller echo request interval to set the connection detection interval for an OpenFlow switch Use undo controller echo request interval to restore the default Syntax controller echo reques...

Page 3270: ...n single mode the OpenFlow switch connects to only one controller at a time When communication with the current controller fails the OpenFlow instance connects to the controller with the lowest ID amo...

Page 3271: ...se undo default table miss permit to restore the default Syntax default table miss permit undo default table miss permit Default The default action of a table miss flow entry is to drop packets Views...

Page 3272: ...OpenFlow instance by its ID in the range of 1 to 4094 controller id Specifies a controller by its ID in the range of 0 to 63 If you do not specify a controller ID this command displays information ab...

Page 3273: ...r for the OpenFlow instance If the controller is not configured with any role this field displays two hyphens Connect type Type of the connection between the OpenFlow instance and the controller TCP o...

Page 3274: ...IP address 192 168 49 49 Controller port 6633 Connect type TCP Connect state Established Packets sent 9 Packets received 9 SSL policy Table 2 Command output Field Description Auxiliary connection numb...

Page 3275: ...Instance 100 flow table information Table 0 information Table type MAC IP flow entry count 1 total flow entry count 2 MissRule default flow entry information cookie 0x0 priority 0 hard time 0 idle ti...

Page 3276: ...utput interface Controller send length 128 bytes Table 3 Command output Field Description Table information Information about the flow table Table type Type of the flow table MAC IP or Extensibility f...

Page 3277: ...iately clears all actions in the action set Apply actions Immediately applies specified actions in the action set Write actions Writes specified actions into the current action set For more informatio...

Page 3278: ...the matched packet This action is not defined in the OpenFlow specifications Output interface Sends the packet through a specific port For more information about ports see Table 6 Group Specifies a g...

Page 3279: ...mation about all group entries for an OpenFlow instance Examples Display group information for OpenFlow instance 100 Sysname display openflow instance 100 group Instance 100 group table information Gr...

Page 3280: ...atistics cannot be collected this field displays two hyphens packet count Number of packets processed by a group or by a bucket If the statistics cannot be collected this field displays two hyphens wa...

Page 3281: ...ble Table ID type 0 MAC IP count 0 Flow entry max limit 65535 Datapath ID 0x0000001234567891 Default table miss Drop Forbidden port None Qinq Network Disabled TCP connection backup Enabled Port inform...

Page 3282: ...in the extensibility flow table Datapath ID Datapath ID of the OpenFlow instance Default table miss Default action of the table miss flow entry Permit or Drop Forbidden port Type of interfaces that a...

Page 3283: ...e drop rate 1024 burst size 65536 Byte count 0 packet count 0 Referenced information Count 3 Flow table 0 Flow entry 1 2 3 Meter entry 200 information Meter flags KBPS Band 1 information Type drop rat...

Page 3284: ...er entry display openflow summary Use display openflow summary to display brief OpenFlow instance information Syntax display openflow instance summary Views Any view Predefined user roles network admi...

Page 3285: ...w instance is required to be reactivated N indicates the configuration is unchanged and the OpenFlow instance is not required to be reactivated If the OpenFlow instance is not activated this field dis...

Page 3286: ...rs limit value Specifies the maximum number of flow entries for an extensibility flow table The value range for this argument is 1 to 65535 Usage guidelines If the number of extensibility flow table e...

Page 3287: ...r roles network admin Parameters extensibility extensibility table id Specifies an extensibility flow table by its ID in the range of 0 to 254 mac ip mac ip table id Specifies a MAC IP flow table by i...

Page 3288: ...list argument the undo form of this command restores all configuration of this feature to the default Examples Forbid the device not to report ARP packets to controller 0 Sysname system view Sysname...

Page 3289: ...nagement vlan Default No inband management VLANs are configured for an OpenFlow instance Views OpenFlow instance view Predefined user roles network admin Parameters vlan id list Specifies a space sepa...

Page 3290: ...ler acts as the SSL client and actively connects to the OpenFlow instance For more information about SSL see Security Configuration Guide To re configure the SSL server first execute the undo form of...

Page 3291: ...mic mac aware to restore the default Syntax mac ip dynamic mac aware undo mac ip dynamic mac aware Default An OpenFlow instance ignores the dynamic MAC addresses in the query and deletion flow entry i...

Page 3292: ...ting OpenFlow instance Use undo openflow instance to remove an OpenFlow instance Syntax openflow instance instance id undo openflow instance instance id Default No OpenFlow instances exist Views Syste...

Page 3293: ...OpenFlow Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 openflow shutdown permit port type member port Use permit port type member port to allow link aggrega...

Page 3294: ...amic ARP entries to overwrite OpenFlow ARP entries Sysname system view Sysname openflow instance 1 Sysname of inst 1 precedence dynamic arp refresh ip flow Use refresh ip flow to refresh all Layer 3 f...

Page 3295: ...nd and receive for an OpenFlow instance listened Specifies the client that connects to the server enabled for the OpenFlow instance Examples Clear statistics on packets that all controllers send and r...

Page 3296: ...instance view Predefined user roles network admin Usage guidelines This command enables an OpenFlow instance to back up OpenFlow connections established over TCP This prevents connection interruption...

Search results

Summary of Contents for SOHO IE4300

Reviews:

Related manuals for SOHO IE4300

Brands by name

Popular brands

H3C SOHO IE4300, Command Reference Manual

Search results

Summary of Contents for SOHO IE4300

Reviews:

Related manuals for SOHO IE4300

Brands by name

Popular brands