SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V G, V G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
About This Manual

Organization

H3C S3100 Series Ethernet Switches Command Manual is organized as follows:

Part | Contents
1 CLI | Introduces the commands used for switching between the command levels and command level setting.
2 Login | Introduces the commands used for logging into the Ethernet switch.
Part | Contents
26 PoE-PoE Profile | Introduces the commands used for PoE and PoE profile configuration.
27 SNMP-RMON | Introduces the commands used for SNMP and RMON configuration.
28 NTP | Introduces the NTP-related commands.
29 SSH | Introduces the commands used for SSH configuration.
30 File System Management | Introduces the commands used for file system management.
Means a complementary description. Means techniques helpful for you to make configuration with ease. Related Documentation In addition to this manual, each H3C S3100 Series Ethernet Switches documentation set includes the following: Manual Description H3C S3100 Series Ethernet Switches It provides information for the system installation.
Obtaining Documentation You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com. The following are the columns from which you can obtain different categories of product documentation: [Products & Solutions]: Provides information about products and technologies, as well as solutions.
Table of Contents

1 CLI Configuration Commands
  CLI Configuration Commands
    command-privilege level
    display history-command
    super
    super authentication-mode
    super password
    ...
Parameters level level: Command level to be set, in the range of 0 to 3. view view: CLI view. It can be any CLI view that the Ethernet switch supports. The S3100 series support only the CLI views listed in...
CLI view | Description
mst-region | MST region view
mtlk-group | Monitor link group view, which is supported by only the S3100-EI series
null | NULL interface view
peer-key-code | Public key editing view
peer-public-key | Public key view
pki-domain | PKI domain view
pki-entity | PKI entity view
poe-profile | PoE profile view, which is supported by only the S3100-TP-PWR-EI series
...
Level Name Command System level All configuration commands except for those at the manage level. Commands associated with the basic operation modules and support modules of the system, such as file system, Manage level FTP/TFTP/XMODEM downloading, user management, and level setting commands.
display history-command

Syntax
display history-command

View
Any view

Parameters
None

Description
Use the display history-command command to display the history commands of the current user, so that the user can check the configurations performed formerly. History commands are those commands that were successfully executed recently and saved in the history command buffer.
You can switch between user levels after logging into a switch successfully. Switching from a higher user level to a lower one is unrestricted, but switching from a lower user level to a higher one requires the corresponding authentication. The authentication mode can be set through the super authentication-mode command. For security purposes, the password entered is not displayed when you switch to another user level.
authentication modes are specified, the order to perform the two types of authentication is determined by the order in which they are specified, as described below. If the super authentication-mode super-password scheme command is executed to specify the authentication mode for user level switching, the super password authentication is preferred and the HWTACACS authentication mode is the backup.
Description Use the super password command to set a switching password for a specified user level, which will be used when users switch from a lower user level to the specified user level. Use the undo super password command to restore the default configuration. By default, no such password is set.
Login Commands

Login Commands

authentication-mode

Syntax
authentication-mode { password | scheme [ command-authorization ] | none }

View
User interface view

Parameters
none: Specifies not to authenticate users.
password: Authenticates users using the local password.
scheme: Authenticates users locally or remotely using usernames and passwords.
command-authorization: Performs command authorization on TACACS authentication server.
To improve security and prevent attacks to the unused Sockets, TCP 23 and TCP 22, ports for Telnet and SSH services respectively, will be enabled or disabled after corresponding configurations. If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled. If the authentication mode is password, and the corresponding password has been set, TCP 23 will be enabled, and TCP 22 will be disabled.
auto-execute command

Syntax
auto-execute command text
undo auto-execute command

View
VTY user interface view

Parameters
text: Command to be executed automatically.

Description
Use the auto-execute command command to set the command that is executed automatically after a user logs in. Use the undo auto-execute command command to disable the specified command from being automatically executed.
Note that these two commands apply to users logging in through the console port and by means of Telnet. Examples # Disable copyright information displaying. ************************************************************************** * Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.* * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed. ************************************************************************** <Sysname> system-view System View: return to User View with Ctrl+Z.
Parameters 7: Sets the databits to 7. 8: Sets the databits to 8. Description Use the databits command to set the databits for the user interface. Use the undo databits command to revert to the default databits. The default databits is 8. Examples # Set the databits to 7.
AUX 0 9600 : Current user-interface is active. : Current user-interface is active and work in async mode. : Absolute index of user-interface. Type : Type and relative index of user-interface. Privi: The privilege of user-interface. Auth : The authentication mode of user-interface. : The physical location of UIs.
# Display the summary information about the user interface. <Sysname> display user-interface summary User interface type : [AUX] 0:UXXX XXXX User interface type : [VTY] 8:UUUU X 5 character mode users. 8 UI never used. 5 total UI in use Table 1-2 Description on the fields of the display user-interface summary command Field Description...
<Sysname> display users Delay Type Ipaddress Username Userlevel VTY 0 00:00:00 192.168.0.208 : Current operation user. : Current operation user work in async mode. Table 1-3 Descriptions on the fields of the display users command Field Description The numbers in the left sub-column are the absolute user interface indexes, and those in the right sub-column are the relative user interface indexes.
Table 1-4 Description on the fields of the display web users command Field Description ID of a Web user Name Name of a Web user Language Language a Web user uses Level Level of a Web user Login Time Time when a Web user logs in Last Req.
undo header { incoming | legal | login | shell } View System view Parameters incoming: Sets the login banner for users that log in through modems. If you specify to authenticate login users, the banner appears after a user passes the authentication. (The session does not appear in this case.) legal: Sets the authorization banner, which is displayed when a user enters user view.
# Test the configuration remotely using Telnet. (only when login authentication is configured can the login banner be displayed). ************************************************************************** * Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.* * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed.
undo history-command max-size View User interface view Parameters value: Size of the history command buffer, ranging from 0 to 256 (in terms of commands). Description Use the history-command max-size command to set the size of the history command buffer. Use the undo history-command max-size command to revert to the default history command buffer size.
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] idle-timeout 1

ip http shutdown

Syntax
ip http shutdown
undo ip http shutdown

View
System view

Parameters
None

Description
Use the ip http shutdown command to shut down the WEB Server. Use the undo ip http shutdown command to launch the WEB Server.
# Launch the WEB Server.
[Sysname] undo ip http shutdown

lock

Syntax
lock

View
User view

Parameters
None

Description
Use the lock command to lock the current user interface to prevent unauthorized operations in the user interface. After you execute this command, the system prompts you for the password and prompts you to confirm the password.
View AUX user interface view Parameters even: Performs even checks. none: Does not check. odd: Performs odd checks. Description Use the parity command to set the check mode of the user interface. Use the undo parity command to revert to the default check mode. By default, no check is performed.
To improve security and prevent attacks to the unused Sockets, TCP 23 and TCP 22 (ports for Telnet and SSH services respectively) will be enabled or disabled after corresponding configurations. If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled. If the authentication mode is password, and the corresponding password has been set, TCP 23 will be enabled, and TCP 22 will be disabled.
You can use the screen-length 0 command to disable the function to display information in pages. Examples # Set the number of lines the terminal screen can contain to 20. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] user-interface aux 0 [Sysname-ui-aux0] screen-length 20 send...
[Sysname] local-user zbr [Sysname-luser-zbr] service-type telnet level 0 # To verify the above configuration, you can quit the system, log in again using the user name of zbr, and then list the available commands, as listed in the following. <Sysname> ? User view commands: cluster Run cluster command...
By default, password authentication is performed when a user logs in through a modem or Telnet. If no password is set, the user cannot establish a connection with the switch. Examples # Set the local password of VTY 0 to “123”. <Sysname>...
speed Syntax speed speed-value undo speed View AUX user interface view Parameters speed-value: Transmission speed (in bps). This argument can be 300, 600, 1200, 2400, 4800, 9600, 19,200, 38,400, 57,600, and 115,200. Description Use the speed command to set the transmission speed of the user interface. Use the undo speed command to revert to the default transmission speed.
The S3100 series do not support communication with a terminal emulation program with stopbits set to 1.5. Changing the stop bits value of the switch to a value different from that of the terminal emulation utility does not affect the communication between them.
View System view Parameters type: User interface type, which can be AUX (for AUX user interface) and VTY (for VTY user interface). first-number: User interface index identifying the first user interface to be configured. A user interface index can be relative or absolute. In relative user interface index scheme, the type argument is required.
Visit level: Commands at this level are used to diagnose network, such as the ping, tracert, and telnet command. Commands at this level cannot be saved in configuration files. Monitor level: Commands at this level are used to maintain the system, to debug service problems, and so on.
Commands for User Control

Commands for Controlling Logging in Users

Syntax
acl acl-number { inbound | outbound }
undo acl { inbound | outbound }

View
User interface view

Parameters
acl-number: ACL number. This argument can identify different types of ACLs, as listed below.
  2000 to 2999, for basic ACLs
  3000 to 3999, for advanced ACLs
inbound: Applies the ACL for the users Telnetting to the local switch from the current user interface.
Parameters all: Specifies all Web users. user-id: Web user ID, an eight-digit hexadecimal number. user-name: User name of the Web user. This argument can contain 1 to 80 characters. Description Use the free web-users command to disconnect a specified Web user or all Web users by force. Examples # Disconnect all Web users by force.
Parameters
read: Specifies that the community has read-only permission in the specified view.
write: Specifies that the community has read/write permission in the specified view.
community-name: Community name, a string of 1 to 32 characters.
acl acl-number: Specifies an ACL number for the community. The acl-number argument ranges from 2000 to 2999.
v3: SNMPv3. group-name: Group name. This argument can be of 1 to 32 characters. authentication: Specifies to authenticate SNMP data without encrypting the data. privacy: Authenticates and encrypts packets. read-view: Name of the view to be set to read-only. This argument can be of 1 to 32 characters. write-view: Name of the view to be set to readable &...
group-name: Name of the group to which the user corresponds. This argument is a string of 1 to 32 characters.
cipher: Specifies the authentication or encryption password to be in ciphertext.
authentication-mode: Requires authentication. If this keyword is not provided, neither authentication nor encryption is performed.
Configuration File Management Commands S3100 series Ethernet switches allow you to input a file path and file name in one of the following ways: In universal resource locator (URL) format and starting with “unit1>flash:/”. or “flash:/” This method is used to specify a file in the current Flash memory. For example, the URL of a file named text.txt in the root directory of the switch is unit1>flash:/text.txt or flash:/text.txt.
interface-number: Port/interface number. by-linenum: Displays configuration information with line numbers. |: Uses a regular expression to filter the configuration of the switch to be displayed. By specifying a regular expression, you can locate and query the needed information quickly. regular-expression: A regular expression, case sensitive. It supports the following match rules: begin: Displays the line that matches the regular expression and all the subsequent lines.
Related commands: save, reset saved-configuration, display saved-configuration. Examples # Display configuration information about all the interfaces on the current switch. <Sysname> display current-configuration interface interface Vlan-interface1 ip address 192.168.0.241 255.255.255.0 interface Aux1/0/0 interface Ethernet1/0/1 port link-aggregation group 1 interface Ethernet1/0/2 interface Ethernet1/0/3 interface Ethernet1/0/4 interface Ethernet1/0/5...
interface Ethernet1/0/19 interface Ethernet1/0/20 interface Ethernet1/0/21 interface Ethernet1/0/22 interface Ethernet1/0/23 interface Ethernet1/0/24 interface GigabitEthernet1/1/1 interface GigabitEthernet1/1/2 shutdown interface GigabitEthernet1/2/1 interface GigabitEthernet1/2/2 shutdown interface NULL0 interface LoopBack0 return # Display the lines that include the strings matching 10* in the configuration information. (The character * means that the character 0 in the string before it can appear multiple times or does not appear.) <Sysname>...
vlan 1 vlan 5 to 69 vlan 70 description Vlan 70 vlan 71 to 100 return display saved-configuration Syntax display saved-configuration [ unit unit-id ] [ by-linenum ] View Any view Parameters unit unit-id: Specifies the unit ID of a switch. It only can be 1. by-linenum: Displays configuration information with line numbers.
interface Ethernet1/0/22
interface Ethernet1/0/23
interface Ethernet1/0/24
interface GigabitEthernet1/1/1
interface GigabitEthernet1/1/2
 shutdown
interface GigabitEthernet1/2/1
interface GigabitEthernet1/2/2
 shutdown
#TOPOLOGYCFG. MUST NOT DELETE
#GLBCFG. MUST NOT DELETE
interface NULL0
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
return

The configuration information output above in turn is the system configuration, logical interface configuration, physical port configuration, and user interface configuration.
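An added example, not taken from the H3C manual: a small Python audit that reads a saved configuration and flags any user interface set up like the user-interface vty 0 4 block in the output above, where authentication-mode none is combined with user privilege level 3. The sample configuration is constructed, and the one-space indentation of sub-commands under each view header is an assumption about the on-device file layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the display saved-configuration output on
# this page. Assumption: sub-commands are indented under their view header.
SAMPLE_CONFIG = """\
#
interface Vlan-interface1
 ip address 192.168.0.241 255.255.255.0
#
interface NULL0
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return
"""

# Matches "user-interface aux 0" and "user-interface vty 0 4".
UI_HEADER = re.compile(r"^user-interface\s+(aux|vty)\s+(\d+)(?:\s+(\d+))?\s*$")


@dataclass
class UserInterface:
    name: str                        # e.g. "vty 0 4"
    ui_type: str                     # "aux" or "vty"
    auth_mode: Optional[str] = None  # None means the file does not set it
    privilege: Optional[int] = None  # None means the file does not set it


def parse_user_interfaces(config_text: str) -> List[UserInterface]:
    """Collect each user-interface block and the settings indented under it."""
    blocks: List[UserInterface] = []
    current: Optional[UserInterface] = None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        header = UI_HEADER.match(raw)
        if header:
            ui_type, first, last = header.groups()
            name = " ".join(part for part in (ui_type, first, last) if part)
            current = UserInterface(name=name, ui_type=ui_type)
            blocks.append(current)
            continue
        if not raw[0].isspace():
            # Any other unindented line ("#", "interface ...", "return")
            # closes the current user-interface block.
            current = None
            continue
        if current is None:
            continue
        words = raw.split()
        if words[0] == "authentication-mode" and len(words) >= 2:
            current.auth_mode = words[1]
        elif words[:3] == ["user", "privilege", "level"] and len(words) == 4:
            if words[3].isdigit():
                current.privilege = int(words[3])
    return blocks


def audit(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (interface, finding-code, detail) for unauthenticated logins."""
    findings: List[Tuple[str, str, str]] = []
    for ui in parse_user_interfaces(config_text):
        if ui.auth_mode != "none":
            continue
        findings.append((
            ui.name,
            "no-authentication",
            "authentication-mode none: users are not authenticated; the manual "
            "states TCP 23 (Telnet) is enabled and TCP 22 (SSH) disabled",
        ))
        if ui.privilege == 3:
            # Level 3 is the top of the 0 to 3 command level range.
            findings.append((
                ui.name,
                "unauthenticated-manage-level",
                "user privilege level 3 is granted without any authentication",
            ))
    return findings


if __name__ == "__main__":
    for interface, code, detail in audit(SAMPLE_CONFIG):
        print(f"{interface}: {code}: {detail}")
```

A user interface whose block carries no authentication-mode line is reported with auth_mode set to None rather than guessed, since the saved file omits settings left at their defaults.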
UNIT1: Current Startup saved-configuration file: flash:/config.cfg Next main startup saved-configuration file: flash:/config.cfg Next backup startup saved-configuration file: flash:/backup.cfg Bootrom-access enable state: enabled Table 1-2 Description on the fields of the display startup command Field Description Current Startup The configuration file used for the current startup saved-configuration file Next main startup The main configuration file used for the next startup...
Examples
# Display the configuration parameters that take effect in all user interface views.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] display this
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
return

reset saved-configuration...
This command will permanently delete the configuration file from the switch. An error occurs when you execute this command if the configuration file to be deleted does not exist. Related commands: save. Examples # Erase the main configuration file to be used in the next startup. <Sysname>...
S3100 series Ethernet switches do not support the safe mode. When you are saving a configuration file using the save safely command, if the device reboots or the power fails during the saving process, the configuration file will be lost.
Parameters cfgfile: Path name or file name of a configuration file in the Flash, a string of 5 to 56 characters. backup: Specifies the configuration file to be the backup configuration file. main: Specifies the configuration file to be the main configuration file. unit unit-id: Specifies a switch by its unit ID.
Table of Contents

1 VLAN Configuration Commands
  VLAN Configuration Commands
    description
    display interface Vlan-interface
    display vlan
    interface Vlan-interface
    name
    shutdown
    vlan
  Port-Based VLAN Configuration Commands
    display port
    port
    port access vlan
    port hybrid pvid vlan
    port hybrid vlan
    port link-type
    port trunk permit vlan
    ...
VLAN Configuration Commands VLAN Configuration Commands description Syntax description text undo description View VLAN view, VLAN interface view Parameters text: Case sensitive character string to describe the current VLAN or VLAN interface. Special characters and spaces are allowed. It has: 1 to 32 characters for a VLAN description.
display interface Vlan-interface Syntax display interface Vlan-interface [ vlan-id ] View Any view Parameters vlan-id: Specifies a VLAN interface number. Description Use the display interface Vlan-interface command to display information about the specified VLAN interface or all VLAN interfaces already created if no VLAN interface is specified. The output of this command shows the state, IP address, description and other information of a VLAN interface.
Field Description Format of the frames sent from the VLAN interface. PKTFMT_ETHNT 2 indicates that this VLAN interface IP Sending Frames' Format is sends Ethernet II frames. Refer to the VLAN configuration PKTFMT_ETHNT_2 part in the accompanied operation manual for information about frame formats.
VLAN. Related commands: display interface Vlan-interface. An S3100 series switch can be configured with a single VLAN interface only, and the VLAN must be the management VLAN. For details about the management VLAN, refer to the “Management VLAN Configuration”...
named VLAN is deployed, you must use the name command to associate the VLAN name with the intended VLAN ID. The name of a VLAN must be unique among all VLANs. By default, the name of a VLAN is its VLAN ID, VLAN 0001 for example. Examples # Specify the name of VLAN 2 as test vlan.
System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 1 [Sysname-Vlan-interface1] shutdown vlan Syntax vlan { vlan-id1 [ to vlan-id2 ] | all } undo vlan { vlan-id1 [ to vlan-id2 ] | all } View System view Parameters vlan-id1: Specifies the ID of the VLAN you want to create or remove, in the range of 1 to 4094.
# Remove VLAN 5. [Sysname-vlan5] quit [Sysname] undo vlan 5 # Create VLAN 4 through VLAN 100. [Sysname] vlan 4 to 100 Please wait..... Done. # Remove VLAN 2 through VLAN 9 in bulk. VLAN 7 is the voice VLAN. [Sysname] undo vlan 2 to 9 Note:The VLAN kept by protocol, the voice VLAN, the default VLAN, the management VLAN and the remote probe VLAN will not be deleted!
port Syntax port interface-list undo port interface-list View VLAN view Parameters interface-list: List of the Ethernet ports to be added to or removed from the current VLAN. In this list, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value no less than interface-number1.
By default, all access ports belong to VLAN 1. You cannot assign an access port to or remove an access port from VLAN 1 with the port access vlan command or its undo form. To assign an access port that has been assigned to a VLAN other than VLAN 1, you can use the undo port access vlan command.
The local and remote hybrid ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted properly. Examples # Set the default VLAN ID of the hybrid port Ethernet 1/0/1 to 100. <Sysname> system-view System View: return to User View with Ctrl+Z.
Examples # Assign hybrid port Ethernet 1/0/1 to VLAN 2, VLAN 4, and VLAN 50 through VLAN 100; configure the port to keep VLAN tags when sending the packets of these VLANs. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] port link-type hybrid [Sysname-Ethernet1/0/1] port hybrid vlan 2 4 50 to 100 tagged...
port trunk permit vlan Syntax port trunk permit vlan { vlan-id-list | all } undo port trunk permit vlan { vlan-id-list | all } View Ethernet port view Parameters vlan-id-list: List of the VLANs that the current trunk port will be assigned to or removed from. In this list, you can specify individual VLAN IDs (each in the form of vlan-id) and VLAN ID ranges (each in the form of vlan-id1 to vlan-id2).
View Ethernet port view Parameters vlan-id: Specifies the default VLAN ID of the current port, in the range of 1 to 4094. Description Use the port trunk pvid vlan command to set the default VLAN ID for the trunk port. A trunk port sends packets of the default VLAN untagged.
Parameters all: Displays all the MAC address-to-VLAN entries. dynamic: Displays dynamically configured MAC address-to-VLAN entries. static: Displays the statically configured MAC address-to-VLAN entries. vlan vlan-id: Displays the MAC address-to-VLAN entries associated with the specified VLAN. Description Use the display mac-vlan command to display the specified MAC address-to-VLAN entries. Examples # Display all the MAC address-to-VLAN entries.
View Any view Default Level 1: Monitor level Parameters None Description Use the display mac-vlan interface command to display all the ports with MAC address-based VLAN enabled. Related commands: mac-vlan enable. Examples # Display all the interfaces with MAC address-based VLAN enabled. <Sysname>...
<Sysname> system-view [Sysname] mac-vlan mac-address 0-1-1 vlan 100 priority 7 Protocol-Based VLAN Configuration Commands The contents of this section are only applicable to the S3100-EI series among S3100 series switches. display protocol-vlan interface Syntax display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ]...
View Any view Parameters interface-type interface-number: Specify a port by its type and number to display the protocol VLAN(s) bound with the port. You can use the interface-type interface-number to interface-type interface-number keyword and argument combination to specify a port range to display the protocol template information of the ports bound with protocol VLAN(s) in the range.
Parameters vlan-id1: Specifies a VLAN ID in the range of 1 to 4094, of which the protocol VLAN configuration information is to be displayed. to vlan-id2: In conjunction with vlan-id1, define a VLAN range to display the protocol template configurations of all protocol VLANs in the range. The vlan-id2 argument takes a value in the range of 1 to 4094, and must not be less than that of vlan-id1.
Parameters vlan-id: Specifies the ID of the protocol VLAN bound with the port. The value range is 1 to 4094. At least one protocol template must have been configured for the VLAN. protocol-index: Specifies a protocol template, in the range of 0 to 15. to protocol-index-end: In conjunction with protocol-index, specify a protocol index range.
[Sysname-Ethernet1/0/1] undo port hybrid protocol-vlan vlan 3 1 to 4 Protocol index 1 does not exist in VLAN 3 Protocol index 4 does not exist in VLAN 3 protocol-vlan Syntax protocol-vlan [ protocol-index ] { at | ip | ipx { ethernetii | llc | raw | snap } | mode { ethernetii etype etype-id | llc dsap dsap-id ssap ssap-id | snap etype etype-id } } undo protocol-vlan { protocol-index [ to protocol-index-end ] | all } View...
At present, the S3100 series support only the standard templates of AppleTalk and IP, the standard template of IPX encapsulated in Ethernet II format, and the user-defined templates matching the Ethernet II encapsulation format. Protocol templates matching 802.2/802.3 encapsulation formats and their extended encapsulation formats are not supported on the S3100 series currently.
Table of Contents

1 Management VLAN Configuration Commands
  Management VLAN Configuration Commands
    delete static-routes all
    display interface Vlan-interface
    display ip interface
    display ip interface brief
    display ip routing-table
    display ip routing-table acl
    display ip routing-table ip-address
    display ip routing-table ip-address1 ip-address2
    display ip routing-table protocol
    display ip routing-table radix
    display ip routing-table statistics
    ...
Management VLAN Configuration Commands Management VLAN Configuration Commands delete static-routes all Syntax delete static-routes all View System view Parameter None Description Use the delete static-routes all command to delete all static routes. The system will request your confirmation before it deletes all the configured static routes. Related command: ip route-static and display ip routing-table.
Example # Display the information about the management VLAN interface. (Assume that VLAN 1 is the management VLAN.) <Sysname> display interface Vlan-interface 1 Vlan-interface1 current state : DOWN Line protocol current state : DOWN IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 000f-e256-ae10 Internet Address is 192.168.0.39/24 Primary Description : Vlan-interface1 Interface The Maximum Transmit Unit is 1500...
The Maximum Transmit Unit : 1500 bytes
IP packets input number: 7420, bytes: 557679, multicasts: 1
IP packets output number: 7509, bytes: 385809, multicasts: 0
TTL invalid packet number:
ICMP packet input number:
Echo reply:
Unreachable:
Source quench:
Routing redirect:
Echo request:
Router advert:
Router solicit:...
Field: Description
IP header bad: IP header bad messages
Timestamp request: Timestamp requests
Timestamp reply: Timestamp replies
Information request: Information requests
Information reply: Information replies
Netmask request: Netmask requests
Netmask reply: Netmask replies
Unknown type: Messages with unknown type

display ip interface brief
Syntax
display ip interface brief [ Vlan-interface [ vlan-id ] ]
View...
Field: Description
Physical: Physical state of the interface
Protocol: Link layer protocol state of the interface
Description: Description information for the interface

display ip routing-table
Syntax
display ip routing-table [ | { begin | exclude | include } regular-expression ]
View
Any view
Parameter...
Field: Description
Nexthop: Next hop IP address of the route
Interface: Outbound interface, through which packets destined for the destination network segment are to be transmitted

display ip routing-table acl
Syntax
display ip routing-table acl acl-number [ verbose ]
View
Any view
Parameter
acl-number: Number of a basic access control list (ACL), in the range of 2000 to 2999.
**Destination: 10.1.1.0 Mask: 255.255.255.0
Protocol: #STATIC Preference: 60
*NextHop: 192.168.0.31 Interface: 192.168.0.51(Vlan-interface1)
State: <Int ActiveU Gateway Static Unicast>
Age: 1:48:18 Cost: 0/0

Table 1-5 Description on the fields of the display ip routing-table acl command
Field: Description
Destination: Destination address
Mask: Mask
Protocol...
Field: Description
Time period during which the route is allowed to be in the routing table, in the form of hh:mm:ss.
Cost: Cost of the route

display ip routing-table ip-address
Syntax
display ip routing-table ip-address [ mask ] [ longer-match ] [ verbose ]
View
Any view
Parameter...
Refer to Table 1-4 for the description on the output fields.
# Display the detailed information of the routes with their destination addresses matched within the natural mask range.
<Sysname> display ip routing-table 10.1.1.0 verbose
Routing tables:
+ = Active Route, - = Last Active, # = Both * = Next hop in use
Summary count: 1
**Destination: 10.1.1.0...
Refer to Table 1-4 for the description on the output fields.

display ip routing-table protocol
Syntax
display ip routing-table protocol protocol [ inactive | verbose ]
View
Any view
Parameter
protocol: This argument can be one of the following:
direct: Displays the information about the direct routes.
static: Displays the information about the static routes.
Summary count: 0
Refer to Table 1-4 for the description on the output fields.

display ip routing-table radix
Syntax
display ip routing-table radix
View
Any view
Parameter
None
Description
Use the display ip routing-table radix command to display the information about the routes in a routing table in a hierarchical way.
The statistics information displayed by this command includes:
The total number of the routes
The number of the active routes
The number of the added routes
The number of the routes with deleted flags
Example
# Display the statistics information about the routing table.
<Sysname>...
Before creating a management VLAN interface, make sure the VLAN identified by the vlan-id argument is created and is configured as the management VLAN. Note that: To create the VLAN interface for the management VLAN on a switch operating as the management device in a cluster, make sure the ID of the management VLAN is consistent with that of the cluster management VLAN, that is, the vlan-id argument in the management-vlan vlan-id command when you configure the cluster management VLAN.
A static route with both its destination IP address and mask being 0.0.0.0 is the default route. When no matched entry is found in the routing table, a received packet is forwarded according to the default route.
Related command: display ip routing-table.
Example
# Configure the next hop of the default route as 129.102.0.2.
Description
Use the reset ip routing-table statistics protocol command to clear the statistics of routes in a routing table.
Example
# Before executing the reset ip routing-table statistics protocol command, use the display ip routing-table statistics command to display the routing statistics:
<Sysname>...
Table of Contents
1 IP Address Configuration Commands
  IP Address Configuration Commands
    display ip interface
    display ip interface brief
    ip address
2 IP Performance Configuration Commands
  IP Performance Configuration Commands
    display fib
    display fib ip-address
    display fib acl
    display fib |
    display fib statistics
    display icmp statistics
    ...
IP Address Configuration Commands
IP Address Configuration Commands

display ip interface
Syntax
display ip interface [ interface-type interface-number ]
View
Any view
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Description
Use the display ip interface command to display information about a specified or all Layer 3 interfaces.
Timestamp reply:
Information request:
Information reply:
Netmask request:
Netmask reply:
Unknown type:

Table 1-1 Description on the fields of the display ip interface command
Field: Description
Vlan-interface1 current state: Current physical state of VLAN-interface 1
Line protocol current state: Current state of the link layer protocol
Internet Address: IP address of the interface
Directed broadcast address of the subnet attached...
Parameters
interface-type: Interface type.
interface-number: Interface number.
Description
Use the display ip interface brief command to display brief information about a specified or all Layer 3 interfaces.
With no argument included, the command displays information about all layer 3 interfaces; with only the interface type specified, it displays information about all layer 3 interfaces of the specified type;...
View
VLAN interface view, loopback interface view
Parameters
ip-address: IP address, in dotted decimal notation.
mask: Subnet mask, in dotted decimal notation.
mask-length: Subnet mask length, the number of consecutive ones in the mask. It is in the range of 0 to
Description
Use the ip address command to specify an IP address and mask for a VLAN or loopback interface.
IP Performance Configuration Commands
IP Performance Configuration Commands

display fib
Syntax
display fib
View
Any view
Parameters
None
Description
Use the display fib command to display all forwarding information base (FIB) information.
Examples
# Display all FIB information.
<Sysname> display fib
Flag:
U:Usable G:Gateway...
Table 2-1 Description on the fields of the display fib command
Field: Description
Flag: Flags:
  U: A route is up and available.
  G: Gateway route
  H: Local host route
  B: Blackhole route
  D: Dynamic route
  S: Static route
  R: Rejected route
  E: Multi-path equal-cost route
  L: Route generated by ARP or ESIS
Destination/Mask...
Examples
# Display FIB entry information which matches destination 12.158.10.0 and has a mask length no less than eight.
<Sysname> display fib 12.158.10.0 longer
Route Entry Count: 1
Flag:
U:Usable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Reject E:Equal cost multi-path L:Generated by ARP or ESIS
Destination/Mask Nexthop Flag TimeStamp...
Parameters
None
Description
Use the display fib statistics command to display the total number of FIB entries.
Examples
# Display the total number of FIB entries.
<Sysname> display fib statistics
Route Entry Count : 8

display icmp statistics
Syntax
display icmp statistics
View
Any view
Parameters...
Table 2-2 Description on the fields of the display icmp statistics command
Field: Description
bad formats: Number of received wrong format packets
bad checksum: Number of received wrong checksum packets
echo: Number of received echo packets
destination unreachable: Number of received destination unreachable packets
source quench...
task-id: ID of a task, with the value ranging from 1 to 100.
socket-id: ID of a socket, with the value ranging from 0 to 3072.
Description
Use the display ip socket command to display socket information.
Examples
# Display the information about the socket of the TCP type.
<Sysname>...
display ip statistics
Syntax
display ip statistics
View
Any view
Parameters
None
Description
Use the display ip statistics command to display the statistics about IP packets.
Related commands: display ip interface, reset ip statistics.
Examples
# Display the statistics about IP packets.
<Sysname>...
Field: Description
Output:
  forwarding: Total number of IP packets forwarded by the local device
  local: Total number of IP packets initiated from the local device
  dropped: Total number of IP packets discarded
  no route: Total number of IP packets for which no route is available
  compress fails: Total number of IP packets failed to compress
input...
packets received after close: 0
ACK packets: 481 (8776 bytes)
duplicate ACK packets: 7, too much ACK packets: 0
Sent packets:
Total: 665
urgent packets: 0
control packets: 5 (including 1 RST)
window probe packets: 0, window update packets: 2
data packets: 618 (8770 bytes)
data packets retransmitted: 0 (0 bytes)
ACK-only packets: 40 (28 delayed)
Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0...
Field: Description
Sent packets:
  Total: Total number of packets sent
  urgent packets: Number of urgent packets sent
  control packets: Number of control packets sent; in brackets are retransmitted packets
  window probe packets: Number of window probe packets sent; in the brackets are resent packets
  window update packets: Number of window update packets sent...
Description
Use the display tcp status command to display the state of all the TCP connections so that you can monitor TCP connections in real time.
Examples
# Display the state of all the TCP connections.
<Sysname> display tcp status
*: TCP MD5 Connection
TCPCB Local Add:port...
total broadcast or multicast packets : 25006
no socket broadcast or multicast packets: 24989
not delivered, input socket full: 0
input packets missing pcb cache: 1314
Sent packets:
Total: 7187

Table 2-7 Description on the fields of the display udp statistics command
Field: Description
Total...
Examples
# Disable the device from sending ICMP redirection packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo icmp redirect send

icmp unreach send
Syntax
icmp unreach send
undo icmp unreach send
View
System view
Parameters
None
Description
Use the icmp unreach send command to enable the device to send ICMP destination unreachable...
Description
Use the reset ip statistics command to clear the statistics about IP packets. You can use the display ip statistics command to view the current IP packet statistics.
Related commands: display ip interface.
Examples
# Clear the statistics about IP packets.
<Sysname>...
tcp timer fin-timeout
Syntax
tcp timer fin-timeout time-value
undo tcp timer fin-timeout
View
System view
Parameters
time-value: TCP finwait timer, in seconds, with the value ranging from 76 to 3600.
Description
Use the tcp timer fin-timeout command to configure the TCP finwait timer.
Use the undo tcp timer fin-timeout command to restore the default value of the TCP finwait timer.
When sending the SYN packet, TCP starts the synwait timer. If the response packet is not received before synwait times out, the TCP connection will be terminated.
Related commands: tcp timer fin-timeout, tcp window.
Examples
# Configure the value of the TCP synwait timer to 80 seconds.
<Sysname>...
Voice VLAN Configuration Commands
The contents of this chapter are only applicable to the S3100-EI series among S3100 series switches.
Voice VLAN Configuration Commands

display voice vlan error-info
Syntax
display voice vlan error-info
View
Any view
Parameters
None
Description
Use the display voice vlan error-info command to display the ports on which the voice VLAN function fails to be enabled.
Description
Use the display vlan command to display information about the specified VLAN. For the voice VLAN, this command displays all the ports in the VLAN.
Related commands: voice vlan, voice vlan enable.
Examples
# Display all the ports in the current voice VLAN, assuming that the current voice VLAN is VLAN 6.
<Sysname>...
If you want to delete a VLAN with voice VLAN function enabled, you must disable the voice VLAN function first. The voice VLAN function can be enabled for only one VLAN at one time. When an S3100-C-EPON-EI switch works as an ONU device in the EPON system, the voice VLAN function may not run properly.
The voice VLAN aging timer does not take effect on ports working in manual voice VLAN assignment mode, because these ports are assigned to the voice VLAN statically. When setting the voice VLAN aging timer, consider the usage frequency of IP phones. Note that: A large voice VLAN aging timer setting can prevent a port from being assigned to or removed from the voice VLAN frequently, keeping voice communication stable.
Parameters
None
Description
Use the voice vlan legacy command to enable communication between an H3C device and other vendors’ voice devices by automatically adding the voice VLAN tag to the voice data coming from those devices.
Use the undo voice vlan legacy command to disable the voice VLAN legacy function.
The OUI list can contain up to 16 OUI address entries.

Table 1-2 Default OUI addresses of a switch
Number / OUI address / Vendor
0003-6b00-0000: Cisco phone
000f-e200-0000: H3C Aolynk phone
00d0-1e00-0000: Pingtel phone
00e0-7500-0000: Polycom phone
00e0-bb00-0000: 3Com phone

Related commands: display voice vlan oui.
View
Ethernet port view
Parameters
None
Description
Use the voice vlan mode auto command to configure the voice VLAN assignment mode of the Ethernet port to automatic.
Use the undo voice vlan mode auto command to configure the voice VLAN assignment mode of the Ethernet port to manual.
Description Use the voice vlan qos command to configure the interface to modify the CoS and DSCP values marked for incoming traffic of the voice VLAN into specified values. Use the undo voice vlan qos command to restore the default. By default, an interface modifies the CoS value and the DSCP value marked for voice VLAN traffic into 6 and 46 respectively.
Use the undo voice vlan qos command to restore the default. By default, an interface modifies the CoS value and the DSCP value marked for voice VLAN traffic into 6 and 46 respectively. Related commands: voice vlan qos. Configure the QoS priority trust mode for voice VLAN traffic on an interface before enabling voice VLAN on the interface.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo voice vlan security enable
GVRP Configuration Commands
GARP Configuration Commands

display garp statistics
Syntax
display garp statistics [ interface interface-list ]
View
Any view
Parameters
interface-list: Specifies a list of Ethernet ports for which the statistics about GARP are to be displayed. In this list, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2,...
Number Of Frames Discarded

Table 1-1 Description on the fields of the display garp statistics command
Field: Description
Number of GVRP Frames Received: Number of the GVRP frames received on the port
Number of GVRP Frames Transmitted: Number of the GVRP frames transmitted through the port
Number of Frames Discarded: Number of GVRP frames discarded by the port...
Timer / Lower threshold / Upper threshold
Leave
  Lower threshold: This lower threshold is greater than twice the timeout time of the Join timer. You can change the threshold by changing the timeout time of the ...
  Upper threshold: This upper threshold is less than the timeout time of the LeaveAll timer. You can change the threshold by changing the timeout time of the LeaveAll timer.
By default, the LeaveAll timer is set to 1,000 centiseconds, that is, 10 seconds. In networking, you are recommended to set the GARP LeaveAll timer to 12000 centiseconds (2 minutes).
Related commands: display garp timer.
Examples
# Set the GARP LeaveAll timer to 100 centiseconds.
<Sysname>...
GVRP Configuration Commands

display gvrp statistics
Syntax
display gvrp statistics [ interface interface-list ]
View
Any view
Parameters
interface interface-list: Specifies an Ethernet port list. By providing a value for this argument, you can display the GVRP statistics on the specified ports. You need to provide the interface-list argument in the format of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where the interface-type argument represents the port type, the interface-number argument represents the port number, and &...
Parameters
None
Description
Use the display gvrp status command to display the global GVRP status (enabled or disabled).
Examples
# Display the global GVRP status.
<Sysname> display gvrp status
GVRP is enabled
The above information indicates that GVRP is enabled globally.

gvrp
Syntax
gvrp...
GVRP is enabled on port Ethernet1/0/5.

gvrp registration
Syntax
gvrp registration { fixed | forbidden | normal }
undo gvrp registration
View
Ethernet port view
Parameters
fixed: Specifies the fixed GVRP registration mode. A port operating in this mode cannot register or deregister VLAN information dynamically.
Port Basic Configuration Commands
Port Basic Configuration Commands

broadcast-suppression
Syntax
broadcast-suppression { ratio | bps max-bps }
undo broadcast-suppression
View
System view, Ethernet port view
Parameter
ratio: Maximum ratio of the broadcast traffic allowed on a port to the total transmission capacity of the port.
If you configure the broadcast-suppression command in both system view and Ethernet port view, the configuration in Ethernet port view will take effect.
With Traffic Policing enabled, the broadcast-suppression function cannot be enabled in either system view or Ethernet port view. Refer to the QoS part for information about Traffic Policing.
Example
# Allow incoming broadcast traffic on all ports to occupy at most 20% of the total transmission capacity of the port and suppress the broadcast traffic that exceeds the specified range.
If you specify a source aggregation group ID, the system uses the port with the smallest port number in the aggregation group as the source. If you specify a destination aggregation group ID, the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configuration as that of the source port.
Any aggregation group port you input in the destination port list will be removed from the list and the copy command will not take effect on the port. If you want an aggregation group port to have the same configuration with the source port, you can specify the aggregation group of the port as the destination (with the destination-agg-id argument).
Example
# Set description string "lanswitch-interface" for the Ethernet1/0/1 port.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet1/0/1
[Sysname-Ethernet1/0/1] description lanswitch-interface

display brief interface
Syntax
display brief interface [ interface-type [ interface-number ] ] [ | { begin | include | exclude } regular-expression ]
View
Any view...
Related command: display interface.
Example
# Display the brief configuration information about the Ethernet1/0/1 port.
<Sysname> display brief interface Ethernet1/0/1
Interface:
- Ethernet - GigabitEthernet TENGE - tenGigabitEthernet
Loop - LoopBack Vlan - Vlan-interface - Cascade
Speed/Duplex:
A - auto-negotiation
Interface Link Speed...
display interface
Syntax
display interface [ interface-type | interface-type interface-number ]
View
Any view
Parameter
interface-type: Port type.
interface-number: Port number.
For details about the arguments, refer to the parameter description of the interface command.
Description
Use the display interface command to display port configuration.
When using this command:
If you specify neither port type nor port number, the command displays information about all ports.
Field: Description
Input(normal): - packets, - bytes - broadcasts, - multicasts, - pauses:
  Count in packets and in bytes of incoming normal packets on the port, including incoming normal packets and normal PAUSE frames
  The number of normal incoming broadcast packets, the number of normal incoming multicast packets, and the number of normal incoming PAUSE frames of the port...
Field: Description
Output(normal): - packets, - bytes - broadcasts, - multicasts, - pauses:
  Count in packets and in bytes of outgoing normal packets on the port, including outgoing normal packets and normal Pause frames.
  The number of normal outgoing broadcast packets, the number of normal outgoing multicast packets, and the number of normal outgoing Pause frames on the port.
display link-delay
Syntax
display link-delay
View
Any view
Parameters
None
Description
Use the display link-delay command to display the information about the ports with the link-delay command configured, including the port name and the configured delay.
Related commands: link-delay.
Examples
# Display the information about the ports with the link-delay command configured.
You can refer to the shutdown command to change the state of the two ports.
For information about combo port, refer to H3C S3100 Series Ethernet Switch Installation Manual.

display unit
Syntax
display unit unit-id interface...
View
Any view
Parameter
unit-id: Unit ID, which can only be 1.
Description
Use the display unit command to display information about the ports on a specified unit.
Example
# Display information about the ports on unit 1.
<Sysname> display unit 1 interface
Aux1/0/0
Description : Aux Interface...
(The following displayed information is omitted)

Table 1-5 Description on the fields of the display unit command
Field: Description
Aux1/0/0 Description : Aux Interface: The description string of the AUX port is "Aux Interface".
For the description of other fields, refer to Table 1-3.
Parameter
None
Description
Use the enable log updown command to enable Up/Down log information output.
Use the undo log enable updown command to disable Up/Down log information output.
By default, a port is allowed to output Up/Down log information.
Example
# By default, a port is allowed to output the Up/Down log information.
When you use the display interface interface-type interface-number command to display the information of a port, the system performs statistical analysis on the traffic flow passing through the port during the specified interval and displays the average rates in the interval. For example, if you set the interval to 100 seconds, the displayed information is as follows:
Last 100 seconds input: 0 packets/sec 0 bytes/sec...
interface
Syntax
interface interface-type interface-number
View
System view
Parameter
interface-type: Port type, which can be Aux, Ethernet, GigabitEthernet, LoopBack, NULL or Vlan-interface.
interface-number: Port number, in the format of Unit ID/slot number/port number, where:
Unit ID is fixed to 1;
The slot number is 0 if the port is an Ethernet port, the slot number is 1 or 2 if the port is a GigabitEthernet port.
Only S3100-EI Series switches support this feature.
The configuration of the jumboframe enable command takes effect on all the ports, while the configuration of the undo jumboframe enable command takes effect on the current port.
Example
# Set the maximum frame size allowed on Ethernet 1/0/1 to 2048 bytes.
<Sysname>...
Examples
# Set the port state change delay of Ethernet 1/0/5 to 8 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/5
[Sysname-Ethernet1/0/5] link-delay 8

loopback
Syntax
loopback { external | internal }
View
Ethernet port view
Parameter
external: Performs external loop test.
Parameter
None
Description
Use the loopback-detection control enable command to enable the loopback port control function on the current trunk or hybrid port.
Use the undo loopback-detection control enable command to disable the loopback port control function on the trunk or hybrid port.
The loopback port control function works in conjunction with the loopback detection function (refer to loopback-detection enable).
Use the undo loopback-detection enable command to disable the loopback detection function on the port. If a loop is found on an access port, the system will set the port to the block state (ports in this state cannot forward data packets), send log and trap messages to the terminal, and remove the corresponding MAC forwarding entry.
loopback-detection interface-list enable
Syntax
loopback-detection interface-list enable
undo loopback-detection interface-list enable
View
System view
Parameter
interface-list: Ethernet port list, in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type is the port type, and interface-number is the port number. Keyword to is used to specify a range of ports.
Description
Use the loopback-detection interval-time command to set time interval for loopback detection.
Use the undo loopback-detection interval-time command to restore the default time interval.
Example
# Set time interval for loopback detection to 10 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] loopback-detection interval-time 10

loopback-detection per-vlan enable
Syntax...
Parameter
None
Description
Use the loopback-detection shutdown enable command to enable the loopback port auto-shutdown function.
Use the undo loopback-detection shutdown enable command to disable the function.
The loopback port auto-shutdown function works in conjunction with the loopback detection function (refer to loopback-detection enable).
Parameter
across: Sets the MDI mode to medium dependent interface (MDI).
normal: Sets the MDI mode to media dependent interface-X mode (MDI-X).
auto: Sets the MDI mode to auto-sensing. A port operating in this mode adjusts its MDI mode between MDI and MDI-X automatically.
An RJ-45 interface can operate in MDI or MDI-X mode.
Use the undo multicast-suppression command to restore the default unknown multicast and unknown unicast traffic suppression setting on the current port.
After the configuration, the switch will suppress the unknown multicast and unknown unicast traffic simultaneously. When the sum of incoming unknown multicast traffic and unknown unicast traffic on the port exceeds the traffic threshold you set, the system drops the packets exceeding the threshold to reduce the unknown multicast and unknown unicast traffic ratio to the reasonable range, so as to keep normal network service.
A port cannot be added to a port group if it has been added to an aggregation group, and vice versa.
Example
# Add the interfaces Ethernet 1/0/2 through Ethernet 1/0/5 to port group 1.
<Sysname> system-view
[Sysname] port-group 1
[Sysname-port-group-1] port Ethernet 1/0/2 to Ethernet 1/0/5

port-group
Syntax
port-group...
View
User view
Parameter
interface-type: Port type.
interface-number: Port number.
For details about the parameters, see the parameter description of the interface command.
Description
Use the reset counters interface command to clear the statistics of the port, preparing for a new statistics collection.
You can use the display port combo command to check the states of the two ports forming a combo port. The one in active state is currently enabled and the one in inactive state is currently disabled. For the two ports forming a combo port, executing the shutdown command on the active port changes the port state to inactive;...
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] speed 10

speed auto
Syntax
speed auto [ 10 | 100 | 1000 ]*
View
Ethernet port view
Parameters
10: Configures 10 Mbps as an auto-negotiation speed of the port.
100: Configures 100 Mbps as an auto-negotiation speed of the port.
1000: Configures 1,000 Mbps as an auto-negotiation speed of the port (only available to GigabitEthernet ports).
max-packets: Upper threshold of the traffic on the port, in pps, or kbps. It ranges from 1 to 4,294,967,295 and must be greater than or equal to the lower threshold.
min-packets: Lower threshold of the traffic on the port, in pps, or kbps. It ranges from 1 to 4,294,967,295, and must be less than or equal to the upper threshold.
If the broadcast-suppression command, or multicast-suppression command is configured on a port, you cannot configure the storm control function on the port, and vice versa. You are not recommended to set the upper and lower traffic thresholds to the same value. The system can take one of the actions when the broadcast/multicast traffic received on a port exceeds the upper threshold: block and shutdown.
By default, log/trap information is output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
Related commands: display storm-constrain, storm-constrain.
Examples
# Disable log information from being output when traffic received on Ethernet 1/0/1 exceeds the upper threshold or falls below the lower threshold.
Parameter
None
Description
Use the virtual-cable-test command to enable the system to test the cable connected to a specific port and to display the results. The system can test these attributes of the cable:
Cable status, including normal, abnormal, abnormal-open, abnormal-short and failure
Cable length
If the cable is in normal state, the displayed length value is the total length of the cable.
Pair polarity: -
Insertion loss: - db
Return loss: - db
Near-end crosstalk: - db
Table of Contents
1 Link Aggregation Configuration Commands
  Link Aggregation Configuration Commands
    display link-aggregation interface
    display link-aggregation summary
    display link-aggregation verbose
    display lacp system-id
    lacp enable
    lacp port-priority
    lacp system-priority
    link-aggregation group description
    link-aggregation group mode
    port link-aggregation group
    reset lacp statistics
    ...
Link Aggregation Configuration Commands Link Aggregation Configuration Commands display link-aggregation interface Syntax display link-aggregation interface interface-type interface-number [ to interface-type interface-number ] View Any view Parameter interface-type: Port type. interface-number: Port number. to: Specifies a port index range, with the two interface-type interface-number argument pairs around it as the two ends.
Table 1-1 Description on the fields of the display link-aggregation interface command
Field: Description
Selected AggID: ID of the aggregation group to which the specified port belongs
Local: Information about the local end
Port-Priority: Port priority
Oper key: Operation key
Flag: Protocol status flag
Remote...
-------------------------------------------------------------------------- 0x8000,0000-0000-0000 0 NonS Ethernet1/0/2 none NonS Ethernet1/0/3
Table 1-2 Description on the fields of the display link-aggregation summary command
Field: Description
Aggregation Group Type: Aggregation group type: D for dynamic, S for static, and M for manual
Loadsharing Type: Load sharing type: Shar for load sharing and NonS for non-load sharing
Actor ID...
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing Flags: A -- LACP_Activity, B -- LACP_timeout, C -- Aggregation, D -- Synchronization, E -- Collecting, F -- Distributing, G -- Defaulted, H -- Expired Aggregation ID: 1, AggregationType: Static, Loadsharing Type: NonS Aggregation Description: abc System ID: 0x16, 0012-a990-2240 Port Status: S -- Selected,...
Description Use the display lacp system-id command to display the device ID of the local system, including the system priority and the MAC address. Example # Display the device ID of the local system. <Sysname> display lacp system-id Actor System ID: 0x8000, 000f-e20f-0100 The Actor System ID field is the device ID (consisting of the system priority and the system MAC address) of the local system.
Parameter port-priority: Port priority, ranging from 0 to 65,535. Description Use the lacp port-priority command to set the priority of the current port. Use the undo lacp port-priority command to restore the default port priority. By default, the port priority is 32,768. You can use the display link-aggregation verbose command or the display link-aggregation interface command to check the configuration result.
undo link-aggregation group agg-id description View System view Parameter agg-id: Aggregation group ID, in the range of 1 to 28. agg-name: Aggregation group name, a string of 1 to 32 characters. Description Use the link-aggregation group description command to set a description for an aggregation group. Use the undo link-aggregation group description command to remove the description of an aggregation group.
Description Use the link-aggregation group mode command to create a manual or static aggregation group. Use the undo link-aggregation group command to remove the specified aggregation group. Related command: display link-aggregation summary. Example # Create manual aggregation group 22 <Sysname> system-view System View: return to User View with Ctrl+Z.
Parameter interface-type: Port type interface-number: Port number to: Specifies a port index range, with the two interface-type interface-number argument pairs around it as the two ends. Description Use the reset lacp statistics command to clear LACP statistics on specified port(s), or on all ports if no port is specified.
Table of Contents
1 Port Isolation Configuration Commands
  Port Isolation Configuration Commands
    display isolate port
    port isolate...
Port Isolation Configuration Commands Port Isolation Configuration Commands display isolate port Syntax display isolate port View Any view Parameter None Description Use the display isolate port command to display the Ethernet ports assigned to the isolation group. Example # Display information about the Ethernet ports added to the isolation group. <Sysname>...
When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group on the local device will join/leave the isolation group at the same time. For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.
Port Security Commands Port Security Commands display mac-address security Syntax display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] View Any view Parameters interface interface-type interface-number: Specifies, by type and number, the port whose security MAC address information is to be displayed.
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 0000-0000-0001 Security Ethernet1/0/20 NOAGED 0000-0000-0002 Security Ethernet1/0/20 NOAGED 0000-0000-0003 Security Ethernet1/0/20 NOAGED 0000-0000-0004 Security Ethernet1/0/20 NOAGED 4 mac address(es) found on port Ethernet1/0/20 --- # Display the security MAC address entries for VLAN 1. <Sysname>...
Parameters interface interface-list: Specify a list of Ethernet ports of which the port security configurations are to be displayed. For the interface-list argument, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1.
Max mac-address num is 4
Stored mac-address num is 0
Authorization is ignore
Ethernet1/0/2 is link-down
Port mode is AutoLearn
NeedtoKnow mode is disabled
Intrusion mode is no action
Max mac-address num is not configured
Stored mac-address num is 0
Authorization is ignore
Ethernet1/0/3 is link-down
Port mode is AutoLearn...
Field: Description
Max mac-address num is 4: The maximum number of MAC addresses allowed on the port is 4.
Stored mac-address num is 0: No MAC address is stored.
Authorization is ignore: Authorization information delivered by the Remote Authentication Dial-In User Service (RADIUS) server will not be applied to the port.
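An added example (not from the H3C manual): a Python sketch that parses display port-security output using the field wording shown above and flags ports whose intrusion protection, MAC address limit or NTK setting is left at a permissive value. The one-field-per-line layout, the sample text and all function names are assumptions.

```python
import re

# Constructed sample: the field wording follows the display port-security
# output quoted on this page; the line layout is an assumption.
SAMPLE_OUTPUT = """\
Ethernet1/0/1 is link-down
Port mode is AutoLearn
NeedtoKnow mode is disabled
Intrusion mode is BlockMacaddress
Max mac-address num is 2
Stored mac-address num is 2
Authorization is permit
Ethernet1/0/2 is link-down
Port mode is AutoLearn
NeedtoKnow mode is disabled
Intrusion mode is no action
Max mac-address num is not configured
Stored mac-address num is 0
Authorization is ignore
"""

PORT_RE = re.compile(r"^(\S+) is link-(\S+)$")
FIELD_RE = re.compile(
    r"^(Port mode|NeedtoKnow mode|Intrusion mode|Max mac-address num|"
    r"Stored mac-address num|Authorization) is (.+)$")

NO_ACTION = "intrusion protection takes no action"
NO_LIMIT = "no limit on the number of MAC addresses"
TABLE_FULL = "stored MAC addresses have reached the configured maximum"
NTK_OFF = "NTK disabled: all frames are allowed to be sent"


def parse_port_security(text):
    """Return {port name: {field name: value}} from the per-port blocks."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        port = PORT_RE.match(line)
        if port:
            current = {"link": port.group(2)}
            ports[port.group(1)] = current
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:  # skip lines before the first port
            current[field.group(1)] = field.group(2).strip()
    return ports


def audit_port(fields):
    """List the permissive settings found on one port."""
    findings = []
    if fields.get("Intrusion mode", "").lower() == "no action":
        findings.append(NO_ACTION)
    limit = fields.get("Max mac-address num", "not configured")
    stored = fields.get("Stored mac-address num", "0")
    if not limit.isdigit():
        findings.append(NO_LIMIT)
    elif stored.isdigit() and int(stored) >= int(limit):
        findings.append(TABLE_FULL)
    if fields.get("NeedtoKnow mode", "").lower() == "disabled":
        findings.append(NTK_OFF)
    return findings


def audit(text):
    """Map every port in the output to its list of findings."""
    return {name: audit_port(f) for name, f in parse_port_security(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OUTPUT).items():
        print(name, "->", "; ".join(findings) or "ok")
```
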
Examples # Enable port security; configure the port security mode of Ethernet 1/0/1 as autolearn and create a security MAC address entry for 0001-0001-0001, setting the associated port to Ethernet 1/0/1 and assigning the MAC address to VLAN 1. <Sysname> system-view System View: return to User View with Ctrl+Z.
After a RADIUS user passes authentication, the RADIUS server authorizes the attributes configured for the user account such as the dynamic VLAN configuration. For more information, refer to AAA Command. Examples # Configure Ethernet 1/0/2 to ignore the authorization information delivered by the RADIUS server. <Sysname>...
Examples # Enable port security. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] port-security enable Notice: The port-control of 802.1x will be restricted to auto when port-security is enabled. Please wait... Done. port-security guest-vlan Syntax port-security guest-vlan vlan-id undo port-security guest-vlan View Ethernet port view...
authentication of a user fails, the blocking MAC address feature will be triggered and packets of the user will be dropped, making the user unable to access the guest VLAN. Examples # Set the security mode of port Ethernet 1/0/1 to macAddressOrUserLoginSecure, and specify VLAN 100 as the guest VLAN of the port.
By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC addresses) or events and takes a pre-set action accordingly. The actions you can set include: disconnecting the port temporarily/permanently and blocking packets with invalid MAC addresses.
NeedtoKnow mode is disabled Intrusion mode is BlockMacaddress Max mac-address num is 2 Stored mac-address num is 2 Authorization is permit For description on the output information, refer to Table 1-2. # Configure the intrusion protection mode on Ethernet 1/0/1 as disableport-temporarily. As a result, the port will be disconnected when intrusion protection is triggered and then re-enabled 30 seconds later.
By default, there is no limit on the number of MAC addresses allowed on the port. By configuring the maximum number of MAC addresses allowed on a port, you can: Limit the number of users accessing the network through the port. Limit the number of security MAC addresses that can be added on the port.
Description Use the port-security ntk-mode command to configure the NTK feature on the port. Use the undo port-security ntk-mode command to restore the default setting. By default, NTK is disabled on a port, that is, all frames are allowed to be sent. By checking the destination MAC addresses of the data frames to be sent from a port, the NTK feature ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.
Description Use the port-security oui command to set an OUI value for authentication. Use the undo port-security oui command to cancel the OUI value setting. By default, no OUI value is set for authentication. The OUI value set by this command takes effect only when the security mode of the port is set to userLoginWithOUI by the port-security port-mode command.
Table 1-3 Keyword description
Keyword: autolearn
Security mode: autolearn
Description: In this mode, MAC addresses learned on the port become security MAC addresses. When the number of security MAC addresses exceeds the maximum number of MAC addresses configured by the port-security max-mac-count command, the port security mode...
Keyword: userlogin-secure
Security mode: userLoginSecure
Description: In this mode, MAC-based 802.1x authentication is applied on users trying to access the network through the port. The port will be enabled when the authentication succeeds and allow packets from authenticated users to pass through. In this mode, only one...
Description Use the port-security port-mode command to set the security mode of the port. Use the undo port-security port-mode command to restore the default mode. By default, the port is in the noRestriction mode, namely access to the port is not restricted. Before setting the security mode to autolearn, you need to use the port-security max-mac-count command to configure the maximum number of MAC addresses allowed on the port.
Description Use the port-security timer autolearn command to configure the aging time for the security MAC address entries that are learned by the port automatically. Use the undo port-security timer autolearn command to restore the default. By default, the aging time is 0, that is, the security MAC address entries are not aged. After you execute the port-security timer autolearn command, you can display security MAC address entries by the display mac-address security command.
The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled. Related commands: port-security intrusion-mode. Examples # Set the intrusion protection mode on Ethernet 1/0/1 to disableport-temporarily. It is required that when intrusion protection is triggered, the port be shut down temporarily and then go up 30 seconds later.
When you use the display port-security command to display global information, the system will display which types of trap messages are allowed to be sent. Related commands: display port-security. Examples # Allow the sending of intrusion packet-detected trap messages. <Sysname> system-view System View: return to User View with Ctrl+Z.
Port Binding Commands Currently, only the S3100-EI series support port binding. Port Binding Commands am user-bind Syntax In system view: am user-bind mac-addr mac-address { ip-addr ip-address | ipv6 ipv6-address } [ interface interface-type interface-number ] undo am user-bind mac-addr mac-address { ip-addr ip-address | ipv6 ipv6-address } [ interface interface-type interface-number ] In Ethernet port view: am user-bind [ mac-addr mac-address ] [ ip-addr ip-address | ipv6 ipv6-address ]...
By default, no user MAC address or IP address is bound to a port. An IP address can be bound with only one port at a time. A MAC address can be bound with only one port at a time. Examples # In system view, bind the MAC address 000f-e200-5101 and IP address 10.153.1.1 (supposing they are MAC and IP addresses of a legal user) to Ethernet 1/0/1.
Parameters interface interface-type interface-number: Specify the port to be bound. The interface-type interface-number arguments indicate the port type and port number. ip-addr ip-address: Specify the IP address to be bound. mac-addr mac-address: Specify the MAC address to be bound. The mac-address argument is in the form of H-H-H.
Description Use the display am user-bind ipv6 command to display IPv6 bindings. Related commands: am user-bind. Examples # Display bindings of all ports. <Sysname> display am user-bind ipv6 Following User address bind have been configured: Ipv6 Port 000f-e200-5101 1::ef:1 Ethernet1/0/1 000f-e200-5102 1::ef:2 Ethernet1/0/2...
DLDP Configuration Commands Currently, only S3100-EI series Ethernet switches support the DLDP feature. DLDP Configuration Commands display dldp Syntax display dldp { unit-id | interface-type interface-number } View Any view Parameters unit-id: Unit number of a device. interface-type: Port type. interface-number: Port number.
neighbor mac address : 000f-e20f-7201
neighbor port index : 98
neighbor state : two way
neighbor aged time : 24
Table 1-1 Description on the fields of the display dldp command
Field: Description
dldp interval: Interval for sending DLDP advertisement packets (in seconds)
dldp work-mode...
Use the dldp enable command to enable DLDP on the current port. Use the dldp disable command to disable DLDP on the current port. The dldp command can apply to a non-optical port as well as an optical port. By default, DLDP is disabled. When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently.
Use the undo dldp authentication-mode command to remove the DLDP authentication mode and password on the current port. By default, the authentication mode on the current port is none. Note that: When you configure a DLDP authentication mode and authentication password on a port, make sure that the same DLDP authentication mode and password are set on the ports connected with a fiber cable or copper twisted pair.
Note that: The interval takes effect on all DLDP-enabled ports. It is recommended that you set the interval shorter than one-third of the STP convergence time (usually 30 seconds). If too long an interval is set, an STP loop may occur before DLDP shuts down unidirectional links.
View System view Parameters auto: Automatically disables the corresponding port when DLDP detects a unidirectional link or finds in the enhanced mode that the peer port is down. manual: Generates log and traps and prompts the user to manually disable the corresponding port when DLDP detects a unidirectional link or finds in the enhanced mode that the peer port is down.
When DLDP works in normal mode, the system can identify only the unidirectional link caused by fiber cross-connection. When the DLDP protocol works in enhanced mode, the system can identify two types of unidirectional links: one is caused by fiber cross-connection and the other is caused by one fiber not being connected or being broken.
Examples # Set the delaydown timer to 5 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dldp delaydown-timer 5...
MAC Address Table Management Configuration Commands This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to the “Multicast Protocol” part of the manual. MAC Address Table Management Configuration Commands display mac-address aging-time Syntax display mac-address aging-time...
display mac-address Syntax display mac-address [ display-option ] View Any view Parameters display-option: Option used to display specific MAC address table information, as described in Table 1-1.
Table 1-1 Description on the display-option argument
Value: Description
mac-address [ vlan vlan-id ]: Displays information about a specified MAC address entry.
Examples # Display information about MAC address 000f-e20f-0101. <Sysname> display mac-address 000f-e20f-0101 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 000f-e20f-0101 Learned Ethernet1/0/1 AGING # Display the MAC address entries for the port Ethernet 1/0/4. <Sysname> display mac-address interface Ethernet 1/0/4 MAC ADDR VLAN ID STATE...
Parameters None Description Use the display port-mac command to display the configured start port MAC address for the Ethernet ports on the switch, that is, the MAC address of Ethernet 1/0/1. Related commands: port-mac. Examples # Display the start port MAC address. <Sysname>...
Parameters count: Maximum number of MAC addresses a port can learn. This argument ranges from 0 to 8192. A value of 0 disables the port from learning MAC addresses. Description Use the mac-address max-mac-count command to set the maximum number of MAC addresses an Ethernet port can learn.
Description Use the mac-address max-mac-count 0 command to disable a switch from learning MAC addresses in a VLAN. Use the undo mac-address max-mac-count command to enable a switch to learn MAC addresses in a VLAN. By default, a switch learns MAC addresses in any VLAN. Example # Disable the switch from learning MAC addresses in VLAN 3.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] mac-address timer aging 500 port-mac Syntax port-mac start-mac-address undo port-mac View System view Parameters start-mac-address: Start MAC address for the Ethernet ports on the switch, in the format of H-H-H. It must be a valid unicast address.
MSTP Configuration Commands MSTP Configuration Commands active region-configuration Syntax active region-configuration View MST region view Parameters None Description Use the active region-configuration command to activate the settings of a multiple spanning tree (MST) region. Configuring MST region-related parameters (especially the VLAN-to-instance mapping table) can result in network topology jitter.
View Ethernet port view Parameters None Description Use the bpdu-drop any command to enable BPDU dropping on the Ethernet port. Use the undo bpdu-drop any command to disable BPDU dropping on the Ethernet port. By default, BPDU dropping is disabled. In an STP-enabled network, some malicious users may send BPDU packets to the switch continuously in order to destabilize the network.
The H3C series support only the MST region name, VLAN-to-instance mapping table, and revision level. Switches with identical settings for these parameters are assigned to the same MST region.
View Any view Parameters instance-id: ID of the MSTI ranging from 0 to 16. The value of 0 refers to the common and internal spanning tree (CIST). interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
Examples # Display the brief state information of MSTI 0 on Ethernet 1/0/1 through Ethernet 1/0/4. <Sysname> display stp instance 0 interface Ethernet 1/0/1 to Ethernet 1/0/4 brief MSTID Port Role STP State Protection Ethernet1/0/1 ALTE DISCARDING LOOP Ethernet1/0/2 DESI FORWARDING NONE Ethernet1/0/3...
----[Port2(Ethernet1/0/2)][DOWN]----
Port Protocol :enabled
Port Role :CIST Disabled Port
Port Priority :128
Port Cost(Legacy) :Config=auto / Active=200000
Desg. Bridge/Port :32768.00e0-fc12-4001 / 128.2
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=false
Transmit Limit :10 packets/hello-time
Protection Type :None
MSTP BPDU format :Config=auto / Active=legacy
Port Config Digest Snooping...
Field: Description
Port Cost(Legacy): Path cost of the port. The field in the bracket indicates the standard used for port path cost calculation, which can be legacy, dot1d-1998, or dot1t. Config indicates the configured value, and Active indicates the actual value.
Designated bridge ID and port ID of the port Desg....
Examples # Display the ports that are blocked by STP guard functions. <Sysname> display stp abnormalport MSTID Port Block Reason --------- -------------------- ------------- Ethernet1/0/20 Root-Protection Ethernet1/0/21 Loop-Protection Table 1-4 Description on the fields of the display stp abnormalport command Field Description MSTID MSTI ID in the MST region...
Field: Description
Down Reason: Reason that caused the port to be blocked. BPDU-Protected: BPDU attack guard function. Formatfrequency-Protected: MSTP BPDU format frequent change protection function
display stp region-configuration Syntax display stp region-configuration View Any view Parameters None Description Use the display stp region-configuration command to display the activated MST region configuration, including the region name, region revision level, and VLAN-to-instance mappings configured for the switch.
display stp root Syntax display stp root View Any view Parameters None Description Use the display stp root command to display information about the root ports in the MSTP region where the switch resides. Examples # Display information about the root ports in the MSTP region where the switch resides. <Sysname>...
Parameters instance-id: ID of an MSTI ranging from 0 to 16. The value of 0 refers to the CIST. vlan-list: List of VLANs. You need to provide this argument in the form of vlan-list = { vlan-id [ to vlan-id ] }&<1-10>, where &<1-10> means that you can provide up to 10 VLAN IDs/VLAN ID ranges for this argument.
MST region name, along with VLAN-to-instance mapping table and MSTP revision level, determines the MST region which a switch belongs to. Related commands: instance, revision-level, check region-configuration, vlan-mapping modulo, active region-configuration. Examples # Set the MST region name of the switch to hello. <Sysname>...
undo revision-level View MST region view Parameters level: MSTP revision level to be set for the switch. This argument ranges from 0 to 65,535. Description Use the revision-level command to set the MSTP revision level for a switch. Use the undo revision-level command to restore the revision level to the default value. By default, the MSTP revision level of a switch is 0.
Description Use the stp command in system view to enable/disable MSTP globally. Use the undo stp command in system view to restore the MSTP state to the default globally. Use the stp command in Ethernet port view to enable/disable MSTP on a port. Use the undo stp command in Ethernet port view to restore the MSTP state to the default on a port.
stp bpdu-protection Syntax stp bpdu-protection undo stp bpdu-protection View System view Parameters None Description Use the stp bpdu-protection command to enable the BPDU guard function on the switch. Use the undo stp bpdu-protection command to restore the BPDU guard function to its default state.
View System view Parameters bridgenum: Network diameter to be set for a switched network. This argument ranges from 2 to 7. Description Use the stp bridge-diameter command to set the network diameter of a switched network. The network diameter of a switched network is represented by the maximum possible number of switches between any two terminal devices in a switched network.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the format of interface-list ={ interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
undo stp interface interface-list config-digest-snooping View System view, Ethernet port view Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
When the digest snooping feature is enabled on a port, the port turns to the discarding state. That is, the port stops sending BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. The digest snooping feature is needed only when your switch is connected to another manufacturer’s switches adopting proprietary spanning tree protocols.
System view: stp interface interface-list [ instance instance-id ] cost cost undo stp interface interface-list [ instance instance-id ] cost View System view, Ethernet port view Parameters instance-id: ID of an MSTI ranging from 0 to 16. The value of 0 refers to the CIST. cost: Path cost to be set for the port.
[Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp instance 2 cost 200 Set the path cost of Ethernet 1/0/1 in MSTI 2 to 200 in system view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet 1/0/1 instance 2 cost 200 # Set the path cost of Ethernet 1/0/2 to Ethernet 1/0/4 in MSTI 2 to 400 in system view.
Examples # Enable a switch to send trap messages conforming to 802.1d standard to the network management device when the switch becomes the root bridge of MSTI 1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp instance 1 dot1d-trap newroot enable stp edged-port Syntax Ethernet port view:...
Normally, configuration BPDUs cannot reach an edge port because the port is not connected to another switch. But when the BPDU guard function is disabled on an edge port, configuration BPDUs sent deliberately by a malicious user may reach the port. If an edge port receives a BPDU, it turns to a non-edge port.
Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument. Description Use the stp loop-protection command to enable the loop guard function on the current port.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 loop-protection stp max-hops Syntax stp max-hops hops undo stp max-hops View System view Parameters hops: Maximum hop count to be set. This argument ranges from 1 to 40. Description Use the stp max-hops command to set the maximum hop count for the MST region the current switch belongs to.
System view: stp [ interface interface-list ] mcheck View System view, Ethernet port view Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
stp mode Syntax stp mode { stp | rstp | mstp } undo stp mode View System view Parameters stp: Specifies the STP-compatible mode. mstp: Specifies the MSTP mode. rstp: Specifies the RSTP-compatible mode. Description Use the stp mode command to set the operating mode of an MSTP-enabled switch. Use the undo stp mode command to restore the default operating mode of an MSTP-enabled switch.
H3C series switch operating as the downstream switch. Among these ports, those operating as the root ports will then actively send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname]stp interface Ethernet1/0/1 no-agreement-check stp pathcost-standard Syntax stp pathcost-standard { dot1d-1998 | dot1t | legacy } undo stp pathcost-standard View System view Parameters dot1d-1998: The device calculates the default path cost for ports based on IEEE 802.1d-1998. dot1t: The device calculates the default path cost for ports based on IEEE 802.1t.
Path cost in Path cost in Path cost in Link speed Duplex state 802.1d-1998 IEEE 802.1t private standard standard standard Full-duplex 2,000 Aggregated link 2 ports 1,000 10 Gbps Aggregated link 3 ports Aggregated link 4 ports Normally, the path cost of a port operating in full-duplex mode is slightly less than that of the port operating in half-duplex mode.
force-false: Specifies that the link connected to the current Ethernet port is not a point-to-point link. auto: Specifies to automatically determine whether or not the link connected to the current Ethernet port is a point-to-point link. interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
# Configure the links connected to Ethernet 1/0/2 to Ethernet 1/0/4 as point-to-point links in system view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 point-to-point force-true stp port priority Syntax Ethernet port view: stp [ instance instance-id ] port priority priority...
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp instance 2 port priority 16 Set the port priority of Ethernet 1/0/1 in MSTI 2 to 16 in system view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp interface Ethernet 1/0/1 instance 2 port priority 16 # Set the port priority of Ethernet 1/0/2 to Ethernet 1/0/4 in MSTI 2 to 16 in system view.
View System view Parameters None Description Use the stp portlog all command to enable log and trap message output for the ports of all instances. Use the undo stp portlog all command to disable this function. By default, log and trap message output is disabled on the ports of all instances. Examples # Enable log and trap message output for the ports of all instances.
[Sysname] stp instance 1 priority 4096 stp region-configuration Syntax stp region-configuration undo stp region-configuration View System view Parameters None Description Use the stp region-configuration command to enter MST region view. Use the undo stp region-configuration command to restore the MST region-related settings to the default.
undo stp [ instance instance-id ] root View System view Parameters instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST. bridgenum: Network diameter of the specified spanning tree. This argument ranges from 2 to 7 and defaults to 7.
stp root secondary Syntax stp [ instance instance-id ] root secondary [ bridge-diameter bridgenum [ hello-time centi-seconds ] ] undo stp [ instance instance-id ] root View System view Parameters instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST. bridgenum: Network diameter of the specified spanning tree.
stp root-protection Syntax Ethernet port view: stp root-protection undo stp root-protection System view: stp interface interface-list root-protection undo stp interface interface-list root-protection View System view, Ethernet port view Parameters interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
Examples # Enable the root guard function on Ethernet 1/0/1. Enable the root guard function on Ethernet 1/0/1 in Ethernet port view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp root-protection Enable the root guard function on Ethernet 1/0/1 in system view. <Sysname>...
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp tc-protection enable stp tc-protection threshold Syntax stp tc-protection threshold number undo stp tc-protection threshold View System view Parameters number: Maximum number of times that a switch can remove the MAC address table and ARP entries within each 10 seconds, in the range of 1 to 255.
stp timer forward-delay Syntax stp timer forward-delay centi-seconds undo stp timer forward-delay View System view Parameters centi-seconds: Forward delay in centiseconds to be set. This argument ranges from 400 to 3,000. Description Use the stp timer forward-delay command to set the forward delay of the switch. Use the undo stp timer forward-delay command to restore the forward delay to the default value.
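The per-10-second limit that the stp tc-protection threshold command sets, described earlier in this section, can be replayed over a series of TC-BPDU arrivals. This is an added example, not code from the manual or the switch software; the function name, the fixed window alignment and the sample arrival times are assumptions made for the illustration.

```python
"""Added illustration of the limit described for `stp tc-protection threshold`."""

WINDOW_SECONDS = 10  # the manual counts removals "within each 10 seconds"


def simulate_tc_protection(tc_bpdu_times, threshold=None):
    """Replay TC-BPDU arrival times and count table flushes.

    tc_bpdu_times -- arrival times in seconds, in ascending order
    threshold     -- value given to `stp tc-protection threshold` (1 to 255),
                     or None to model the switch with protection disabled
    Assumption: windows are fixed and aligned to multiples of 10 seconds.
    Returns the flushes performed, the TC-BPDUs that did not trigger a
    flush, and the flush count for each window.
    """
    if threshold is not None and not 1 <= threshold <= 255:
        raise ValueError("threshold must be in the range 1 to 255")

    per_window = {}
    suppressed = 0
    for t in tc_bpdu_times:
        window = int(t // WINDOW_SECONDS)
        used = per_window.get(window, 0)
        if threshold is None or used < threshold:
            # MAC address table and ARP entries are removed for this TC-BPDU.
            per_window[window] = used + 1
        else:
            # Limit for this window already reached: no removal is performed.
            suppressed += 1
    return {
        "flushes": sum(per_window.values()),
        "suppressed": suppressed,
        "per_window": per_window,
    }


# Constructed input: a burst of 200 TC-BPDUs, one every 100 ms for 20 seconds,
# followed by a single topology change at t = 45 s.
CONSTRUCTED_BURST = [i / 10 for i in range(200)] + [45.0]

if __name__ == "__main__":
    for limit in (None, 6, 1):
        result = simulate_tc_protection(CONSTRUCTED_BURST, threshold=limit)
        print("threshold", limit, "->", result["flushes"], "flushes,",
              result["suppressed"], "TC-BPDUs without a flush")
```

The later topology change at t = 45 s still triggers a flush in every case, because it falls in a window whose limit has not been used.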
Parameters centi-seconds: Hello time to be set, in the range of 100 to 1,000 (in centiseconds). Description Use the stp timer hello command to set the hello time of the switch. Use the undo stp timer hello command to restore the hello time of the switch to the default value. By default, the hello time of the switch is 200 centiseconds.
MSTP is capable of detecting link failures and automatically restoring redundant links to the forwarding state. In CIST, switches use the max age parameter to judge whether or not a received configuration BPDU times out. Spanning trees will be recalculated if a configuration BPDU received by a port times out.
can be four (or more) times the hello time. For a steady network, the timeout time can be five to seven times the hello time. Examples # Set the hello time factor to 7. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] stp timer-factor 7 stp transmit-limit Syntax...
Examples # Set the maximum number of configuration BPDUs that can be transmitted through Ethernet 1/0/1 in each hello time to 15. In Ethernet port view: <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp transmit-limit 15 In system view: <Sysname>...
You can map VLANs to the specific MSTIs rapidly by using the vlan-mapping modulo modulo command. The ID of the MSTI to which a VLAN is mapped can be figured out by using the following formula: (VLAN ID-1) % modulo + 1. In this formula, (VLAN ID-1) % modulo yields the remainder of dividing (VLAN ID-1) by the modulo argument.
The VLAN-VPN tunnel function can only be enabled on STP-enabled devices. To enable the VLAN-VPN tunnel function, make sure the links between operator’s networks are trunk links. Currently, only S3100-SI series Ethernet Switches support the VLAN-VPN tunnel feature. Examples # Enable the VLAN-VPN tunnel function for the switch. <Sysname>...
IGMP Snooping Configuration Commands Only the S3100-EI series support the IGMP Snooping querier feature. The related commands are as follows: igmp-snooping querier igmp-snooping query-interval igmp-snooping general-query source-ip IGMP Snooping Configuration Commands display igmp-snooping configuration Syntax display igmp-snooping configuration View Any view Parameters None Description...
Examples # Display IGMP Snooping configuration information on the switch. <Sysname> display igmp-snooping configuration Enable IGMP Snooping. The router port timeout is 105 second(s). The max response timeout is 10 second(s). The host port timeout is 260 second(s). The above-mentioned information shows: IGMP Snooping is enabled, the aging time of the router port is 105 seconds, the maximum response time in IGMP queries is 10 seconds, and the aging time of multicast member ports is 260 seconds.
Ethernet1/0/23 Dynamic host port(s): Ethernet1/0/10 MAC group(s): MAC group address:0100-5e00-0001 Host port(s):Ethernet1/0/10 Ethernet1/0/23 Table 1-1 display igmp-snooping group command output description Field Description Total 1 IP Group(s). Total number of IPv6 multicast groups Total 1 IP Source(s). Total number of IPv6 multicast sources Total 1 MAC Group(s).
When IGMPv3 Snooping is enabled, the device counts IGMPv3 messages as IGMPv2 messages in its statistics. Related commands: igmp-snooping. Examples # Display IGMP Snooping statistics. <Sysname> display igmp-snooping statistics Received IGMP general query packet(s) number:1. Received IGMP specific query packet(s) number:0. Received IGMP V1 report packet(s) number:0.
Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view; otherwise the IGMP Snooping setting will not take effect. If IGMP Snooping and VLAN VPN are enabled on a VLAN at the same time, IGMP queries are likely to fail to pass the VLAN.
The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, the configuration takes effect on all ports in the specified VLAN(s).
By default, the Layer 2 multicast switch sends general query messages with the source IP address of 0.0.0.0. Related commands: igmp-snooping querier, igmp-snooping query-interval. Examples # Configure the switch to send general query messages with the source IP address 2.2.2.2 in VLAN 3. <Sysname>...
To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting from the oldest one.
A port can belong to multiple VLANs, but you can configure only one ACL rule per VLAN on a port. If no ACL rule is configured, all the multicast groups will be filtered. Since most devices broadcast unknown multicast packets by default, this function is often used together with the function of dropping unknown multicast packets to prevent multicast streams from being broadcast as unknown multicast packets to a port blocked by this function.
# Configure ACL 2001 on Ethernet1/0/2 to allow it to join any IGMP multicast groups except those defined in the deny rule of ACL 2001. [Sysname] interface Ethernet 1/0/2 [Sysname-Ethernet1/0/2] igmp-snooping group-policy 2001 vlan 2 igmp-snooping host-aging-time Syntax igmp-snooping host-aging-time seconds undo igmp-snooping host-aging-time View System view Parameters...
Description Use the igmp-snooping nonflooding-enable command to enable the IGMP Snooping non-flooding function. With this function enabled, unknown multicast packets are passed to the router ports of the switch rather than being flooded in the VLAN. Use the undo igmp-snooping nonflooding-enable command to disable the IGMP Snooping non-flooding function.
View VLAN view Parameters None Description Use the igmp-snooping querier command to enable the IGMP Snooping querier feature on the current VLAN. Use the undo igmp-snooping querier command to restore the default. By default, the IGMP Snooping querier feature is disabled. This command takes effect only if IGMP Snooping is enabled globally and also enabled in the current VLAN.
View VLAN view Parameters current-interface: Specifies the IP address of the current VLAN interface as the source address to be carried in IGMP group-specific queries. If the current VLAN interface does not have an IP address, the default IP address 0.0.0.0 will be used as the source IP address of IGMP group-specific queries. ip-address: Specifies the source address to be carried in IGMP group-specific queries, which can be any legal IP address.
This command can take effect only if IGMP Snooping is enabled in the VLAN. Related commands: igmp-snooping enable. Examples # Set IGMP Snooping version to version 3 in VLAN 100. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] igmp-snooping enable Enable IGMP-Snooping ok.
View Ethernet port view Parameters group-address: Address of the multicast group to join. source-address: Address of the multicast source to join. You can specify a multicast source address only when IGMPv3 Snooping is running in a VLAN. vlan vlan-id: ID of the VLAN to which the port belongs, in the range of 1 to 4094. Description Use the igmp host-join command to configure the current port as a simulated multicast group member host to join the specified multicast group or source and group.
multicast static-group interface Syntax multicast static-group group-address interface interface-list undo multicast static-group group-address interface interface-list View VLAN interface view Parameters group-address: IP address of the multicast group to join, in the range of 224.0.0.0 to 239.255.255.255. interface interface-list: Specifies a port list. With the interface-list argument, you can define one or more individual ports (in the form of interface-type interface-number) and/or one or more port ranges (in the form of interface-type interface-number1 to interface-type interface-number2, where interface-number2 must be greater than interface-number1).
vlan vlan-id: Specifies the VLAN the Ethernet port belongs to, where vlan-id ranges from 1 to 4094. Description Use the multicast static-group vlan command to configure the current port as a static member port for the specified multicast group and specify the VLAN the port belongs to. Use the undo multicast static-group vlan command to remove the current port in the specified VLAN as a static member port for the specified multicast group.
View User view Parameters None Description Use the reset igmp-snooping statistics command to clear IGMP Snooping statistics. Related commands: display igmp-snooping statistics. Examples # Clear IGMP Snooping statistics. <Sysname> reset igmp-snooping statistics service-type multicast Syntax service-type multicast undo service-type multicast View VLAN view Parameters...
One port belongs to only one multicast VLAN. The port connected to a user terminal must be a hybrid port. The multicast member port must be in the same multicast VLAN with the router port. Otherwise, the port cannot receive multicast packets. If a router port is in a multicast VLAN, the router port must be configured as a trunk port or a hybrid port that allows tagged packets to pass for the multicast VLAN.
MLD Snooping Configuration Commands MLD Snooping Configuration Commands Only the S3100-EI series support MLD Snooping Configuration Commands. display mld-snooping group Syntax display mld-snooping group [ vlan vlan-id ] [ verbose ] View Any view Default Level 1: Monitor level Parameters vlan vlan-id: Displays the MLD snooping multicast group information in the specified VLAN, where vlan-id is in the range of 1 to 4094.
Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 1 port. Eth1/0/1 (D) ( 00:01:30 ) IP group(s):the following ip group(s) match to one mac group. IP group address:FF1E::101 (::, FF1E::101): Attribute: Host Port Host port(s):total 1 port. Eth1/0/2 (D) ( 00:03:23 ) MAC group(s): MAC group address:3333-0000-0101...
Description Use the display mld-snooping statistics command to view the statistics information of MLD messages learned by MLD snooping. Examples # View the statistics information of all kinds of MLD messages learned by MLD snooping. <Sysname> display mld-snooping statistics Received MLD general queries:0. Received MLDv1 specific queries:0.
Parameters priority-number: Specifies 802.1p precedence for MLD messages, in the range of 0 to 7. The higher the number, the higher the precedence. Description Use the dot1p-priority command to configure 802.1p precedence for MLD messages globally. Use the undo dot1p-priority command to restore the default. The default 802.1p precedence for MLD messages is 0.
entry-limit (MLD-Snooping view) Syntax entry-limit limit undo entry-limit View MLD-Snooping view Default Level 2: System level Parameters limit: Maximum number of entries in the MLD snooping forwarding table, in the range of 0 to 512. Description Use the entry-limit command to configure the maximum number of entries in the MLD snooping forwarding table globally.
Description Use the fast-leave command to enable fast leave processing globally. With this function enabled, when the switch receives an MLD leave message on a port, it directly removes that port from the forwarding table entry for the specific group. Use the undo fast-leave command to disable fast leave processing globally.
last-listener-query-interval (MLD-Snooping view) Syntax last-listener-query-interval interval undo last-listener-query-interval View MLD-Snooping view Default Level 2: System level Parameters interval: MLD last listener query interval in units of seconds, namely the length of time the device waits between sending MLD multicast-address-specific queries. The effective range is 1 to 5. Description Use the last-listener-query-interval command to configure the MLD last listener query interval globally.
Description Use the max-response-time command to configure the maximum response time for MLD general queries globally. Use the undo max-response-time command to restore the system default. By default, the maximum response time for MLD general queries is 10 seconds. This command works only on MLD snooping–enabled VLANs. Related commands: mld-snooping max-response-time, mld-snooping query-interval.
mld-snooping done source-ip Syntax mld-snooping done source-ip { ipv6-address | current-interface } undo mld-snooping done source-ip View VLAN view Default Level 2: System level Parameters ipv6-address: Specifies a source IPv6 address for the MLD done messages sent by the MLD snooping proxy, which can be any legal IPv6 link-local address.
mld-snooping dot1p-priority Syntax mld-snooping dot1p-priority priority-number undo mld-snooping dot1p-priority View VLAN view Default Level 2: System level Parameters priority-number: Specifies 802.1p precedence for MLD messages, in the range of 0 to 7. The higher the number, the higher the precedence. Description Use the mld-snooping dot1p-priority command to configure 802.1p precedence for MLD messages in a VLAN.
Parameters None Description Use the mld-snooping enable command to enable MLD snooping in the current VLAN. Use the undo mld-snooping enable command to disable MLD snooping in the current VLAN. By default, MLD snooping is disabled in a VLAN. MLD snooping must be enabled globally before it can be enabled in a VLAN. Related commands: mld-snooping.
This command works on MLD snooping–enabled VLANs. If you do not specify any VLAN when using this command in Ethernet interface view, the command will take effect for all VLANs the interface belongs to; if you specify a VLAN or multiple VLANs, the command will take effect only if the interface belongs to the specified VLAN(s).
[Sysname-mld-snooping] quit [Sysname] vlan 2 [Sysname-vlan2] mld-snooping enable [Sysname-vlan2] mld-snooping general-query source-ip fe80:0:0:1::1 mld-snooping group-limit Syntax mld-snooping group-limit limit [ vlan vlan-list ] undo mld-snooping group-limit [ vlan vlan-list ] View Ethernet interface view Default Level 2: System level Parameters limit: Maximum number of IPv6 multicast groups that can be joined on a port, in the range of 1 to 512.
View VLAN view Default Level 2: System level Parameters interval: Dynamic member port aging time, in seconds. The effective range is 200 to 1,000. Description Use the mld-snooping host-aging-time command to configure the aging time of dynamic member ports in the current VLAN. Use the undo mld-snooping host-aging-time command to restore the system default.
Description Use the mld-snooping host-join command to enable simulated joining on a port, namely configure the current port as a member host for the specified IPv6 multicast group or source and group. Use the undo mld-snooping host-join command to remove the current port(s) as simulated member host(s) for the specified IPv6 multicast group or source and group.
Description Use the mld-snooping last-listener-query-interval command to configure the MLD last-listener query interval in the VLAN. Use the undo mld-snooping last-listener-query-interval command to restore the system default. By default, the MLD last listener query interval is 1 second. This command takes effect only if MLD snooping is enabled in the VLAN. Related commands: mld-snooping enable, last-listener-query-interval.
mld-snooping proxying enable Syntax mld-snooping proxying enable undo mld-snooping proxying enable View VLAN view Default Level 2: System level Parameters None Description Use the mld-snooping proxying enable command to enable the MLD Snooping Proxying function in a VLAN. Use the undo mld-snooping proxying enable command to disable the MLD Snooping Proxying function in a VLAN.
Default Level 2: System level Parameters None Description Use the mld-snooping querier command to enable the MLD snooping querier function. Use the undo mld-snooping querier command to disable the MLD snooping querier function. By default, the MLD snooping querier function is disabled. Note that: This command takes effect only if MLD snooping is enabled in the VLAN.
mld-snooping special-query source-ip Syntax mld-snooping special-query source-ip { ipv6-address | current-interface } undo mld-snooping special-query source-ip View VLAN view Default Level 2: System level Parameters ipv6-address: Specifies an IPv6 link-local address as the source IPv6 address of MLD multicast-address-specific queries. current-interface: Specifies the source IPv6 link-local address of the VLAN interface of the current VLAN as the source IPv6 address of MLD multicast-address-specific queries.
View Ethernet interface view Default Level 2: System level Parameters ipv6-group-address: Address of an IPv6 multicast group the port(s) will be configured to join as static member port(s). The effective range is FFxy::/16 (excluding FFx0::/16, FFx1::/16, FFx2::/16 and FF0y::), where x and y represent any hexadecimal number between 0 and F, inclusive. ipv6-source-address: Address of the IPv6 multicast source the port(s) will be configured to join as static member port(s).
View Ethernet interface view Default Level 2: System level Parameters vlan vlan-id: Specifies a VLAN in which one or more static router ports are to be configured, where vlan-id is in the range of 1 to 4094. Description Use the mld-snooping static-router-port command to configure the current port(s) as static router port(s).
Note that: This command can take effect only if MLD snooping is enabled in the VLAN. Related commands: mld-snooping enable. Examples # Enable MLD snooping in VLAN 2, and set the MLD snooping version to version 2. <Sysname> system-view [Sysname] mld-snooping [Sysname-mld-snooping] quit [Sysname] vlan 2 [Sysname-vlan2] mld-snooping enable...
vlan vlan-id: Clears the MLD snooping multicast group information in the specified VLAN. The effective range of vlan-id is 1 to 4094. Description Use the reset mld-snooping group command to clear MLD snooping multicast group information. Note that: This command works on MLD snooping–enabled VLANs. This command cannot clear MLD snooping multicast group information of static joining.
Parameters interval: Dynamic router port aging time, in seconds. The effective range is 1 to 1,000. Description Use the router-aging-time command to configure the aging time of dynamic router ports globally. Use the undo router-aging-time command to restore the default setting. By default, the dynamic router port aging time is 260 seconds.
IPv6 Multicast VLAN Configuration Commands IPv6 Multicast VLAN Configuration Commands Only the S3100-EI series support IPv6 Multicast VLAN Configuration Commands. display multicast-vlan ipv6 Syntax display multicast-vlan ipv6 [ vlan-id ] View Any view Default Level 1: Monitor level Parameters vlan-id: VLAN ID of an IPv6 multicast VLAN, in the range of 1 to 4094. If this argument is not provided, the information about all IPv6 multicast VLANs will be displayed.
Field: Description
IPv6 Multicast vlan: An IPv6 multicast VLAN
port list: Port list of the IPv6 multicast VLAN
multicast-vlan ipv6 Syntax multicast-vlan ipv6 vlan-id undo multicast-vlan ipv6 { all | vlan-id } View System view Default Level 2: System level Parameters vlan-id: Specifies a VLAN by its ID, in the range of 1 to 4094.
port (IPv6 multicast VLAN view) Syntax port interface-list undo port { all | interface-list } View IPv6 multicast VLAN view Default Level 2: System level Parameters interface-list: Specifies a port in the form of interface-type interface-number, or a port range in the form of interface-type start-interface-number to interface-type end-interface-number, where the end interface number must be greater than the start interface number.
Parameters vlan-id: VLAN ID of the IPv6 multicast VLAN you want to assign the current port(s) to, in the range of 1 to 4094. Description Use the port multicast-vlan ipv6 command to assign the current port(s) to the specified IPv6 multicast VLAN.
Common Multicast Configuration Commands Only the S3100-EI series support multicast source port suppression. The related commands are multicast-source-deny and display multicast-source-deny. Common Multicast Configuration Commands display mac-address multicast static Syntax display mac-address multicast static [ [ mac-address ] vlan vlan-id ] [ count ] View Any view Parameters...
1 static mac address(es) found
Table 4-1 display mac-address multicast static command output description
Field: Description
MAC ADDR: MAC address
VLAN ID: The VLAN in which the MAC address is manually added
STATE: State of the MAC address, which includes only Config static, indicating that the table entry is manually added.
mac-address multicast interface Syntax mac-address multicast mac-address interface interface-list vlan vlan-id undo mac-address multicast [ mac-address [ interface interface-list ] vlan vlan-id ] View System view Parameters mac-address: Multicast MAC address, in the form of H-H-H. interface interface-list: Specifies forwarding ports for the specified multicast MAC group address. With the interface-list argument, you can define one or more individual ports (in the form of interface-type interface-number) and/or one or more port ranges (in the form of interface-type interface-number1 to interface-type interface-number2, where interface-number2 must be greater than interface-number1).
vlan vlan-id: Specifies the VLAN the current port belongs to. The effective range for vlan-id is 1 to 4094. Description Use the mac-address multicast vlan command to create a multicast MAC address entry on the current port. Use the undo mac-address multicast vlan command to remove the specified multicast MAC address entry or all multicast MAC address entries on the current port.
In system view, if no port or port list is specified, the multicast source port suppression feature is enabled on all the ports of the switch; if one or more ports or port lists are specified, the multicast source port suppression feature is enabled on the specified ports. In Ethernet port view, you can use the command to enable the multicast source port suppression feature on the current port only.
802.1x Configuration Commands 802.1x Configuration Commands display dot1x Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] View Any view Parameter sessions: Displays the information about 802.1x sessions. statistics: Displays the statistics on 802.1x. interface: Displays the 802.1x-related information about a specified port. interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
ReAuth Period 3600 s, ReAuth MaxTimes Quiet Period 60 s, Quiet Period Timer is disabled Supp Timeout 30 s, Server Timeout 100 s Interval between version requests is 30s Maximal request times for version information is 3 The maximal retransmitting times EAD Quick Deploy configuration: Url: http: //192.168.19.23 Free-ip: 192.168.19.0 255.255.255.0...
Field: Description
Handshake is enabled: The online user handshaking function is enabled.
Proxy trap checker is disabled: Whether or not to send Trap packets when detecting that a supplicant system logs in through a proxy. Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through a proxy.
Field: Description
Proxy logoff checker is disabled: Whether or not to disconnect a supplicant system when detecting that it logs in through a proxy. Disable means the switch does not disconnect a supplicant system when it detects that the latter logs in through a proxy.
In Ethernet port view, the interface-list argument is not available and the command enables 802.1x for only the current Ethernet port. 802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port. Configurations of 802.1x and the maximum number of MAC addresses that can be learnt are mutually exclusive.
Use the undo dot1x authentication-method command to revert to the default 802.1x authentication method. The default 802.1x authentication method is CHAP. PAP applies a two-way handshaking procedure. In this method, passwords are transmitted in plain text. CHAP applies a three-way handshaking procedure. In this method, user names are transmitted rather than passwords.
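The two handshakes described above, written out message by message as an added example (not code from the manual or from the switch software). The message shapes follow RFC 1334 (PAP) and RFC 1994 (CHAP), simplified to dictionaries; the credentials and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed credentials, used only by this demonstration.
USERNAME = b"alice"
PASSWORD = b"constructed-password"


def pap_request(username, password):
    """PAP message 1: the supplicant sends its name and its password."""
    return {"type": "PAP-Authenticate-Request", "name": username, "password": password}


def pap_verify(request, stored_password):
    """PAP message 2: the authenticator compares the received password."""
    ok = hmac.compare_digest(request["password"], stored_password)
    return {"type": "PAP-Authenticate-Ack" if ok else "PAP-Authenticate-Nak"}


def chap_challenge(identifier, value=None):
    """CHAP message 1: the authenticator sends a fresh random challenge."""
    return {"type": "CHAP-Challenge", "id": identifier,
            "value": os.urandom(16) if value is None else value}


def chap_digest(identifier, password, challenge_value):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge_value).digest()


def chap_response(challenge, username, password):
    """CHAP message 2: the supplicant sends its name and the digest only."""
    return {"type": "CHAP-Response", "id": challenge["id"], "name": username,
            "value": chap_digest(challenge["id"], password, challenge["value"])}


def chap_verify(challenge, response, stored_password):
    """CHAP message 3: the authenticator recomputes the digest and compares."""
    expected = chap_digest(challenge["id"], stored_password, challenge["value"])
    ok = (response["id"] == challenge["id"]
          and hmac.compare_digest(response["value"], expected))
    return {"type": "CHAP-Success" if ok else "CHAP-Failure"}


def wire_bytes(messages):
    """Concatenate every field value that crosses the link."""
    out = b""
    for message in messages:
        for value in message.values():
            out += value if isinstance(value, bytes) else str(value).encode()
    return out


def run_pap():
    """Two-way handshake: request, then acknowledgement."""
    request = pap_request(USERNAME, PASSWORD)
    return [request, pap_verify(request, PASSWORD)]


def run_chap():
    """Three-way handshake: challenge, response, then result."""
    challenge = chap_challenge(identifier=1)
    response = chap_response(challenge, USERNAME, PASSWORD)
    return [challenge, response, chap_verify(challenge, response, PASSWORD)]


if __name__ == "__main__":
    for label, messages in (("PAP", run_pap()), ("CHAP", run_chap())):
        print(label, [m["type"] for m in messages],
              "password on the wire:", PASSWORD in wire_bytes(messages))
```

Because the digest covers the challenge value, a response recorded for one challenge fails verification against a different challenge.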
Related command: display dot1x. Example # Configure to authenticate a supplicant system when it applies for a dynamic IP address through DHCP. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dot1x dhcp-launch dot1x guest-vlan Syntax dot1x guest-vlan vlan-id [ interface interface-list ] undo dot1x guest-vlan [ interface interface-list ] View System view, Ethernet port view...
The Guest VLAN function is available only when the switch operates in the port-based authentication mode. Only one Guest VLAN can be configured on a switch. The Guest VLAN function is unavailable when the dot1x dhcp-launch command is executed on the switch, because the switch does not send authentication request packets in this case.
Handshaking packets need the support of the H3C-proprietary client. They are used to test whether or not a user is online. As non-H3C clients do not support the online user handshaking function, switches cannot receive handshaking acknowledgement packets from them in handshaking periods. To prevent users from being falsely considered offline, you need to disable the online user handshaking function in this case.
Parameter user-number: Maximum number of users a port can accommodate, in the range 1 to 256. interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
unauthorized-force: Specifies to operate in unauthorized-force access control mode. When a port operates in this mode, the hosts connected to it cannot access the network resources. interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
Description Use the dot1x port-method command to specify the access control method for specified Ethernet ports. Use the undo dot1x port-method command to revert to the default access control method. By default, the access control method is macbased. This command specifies the way in which the users are authenticated. If you specify to authenticate users by MAC addresses (that is, executing the dot1x port-method command with the macbased keyword specified), all the users connected to the specified Ethernet ports are authenticated separately.
Use the undo dot1x quiet-period command to disable the quiet-period timer. When a user fails to pass the authentication, the authenticator system (such as an H3C series Ethernet switch) will stay quiet for a period (determined by the quiet-period timer) before it performs another authentication.
dot1x retry-version-max Syntax dot1x retry-version-max max-retry-version-value undo dot1x retry-version-max View System view Parameter max-retry-version-value: Maximum number of times that a switch sends version request packets to a user. This argument ranges from 1 to 10. Description Use the dot1x retry-version-max command to set the maximum number of times that a switch sends version request packets to a user.
Description Use the dot1x re-authenticate command to enable 802.1x re-authentication on specific ports or on all ports of the switch. Use the undo dot1x re-authenticate command to disable 802.1x re-authentication on specific ports or on all ports of the switch. By default, 802.1x re-authentication is disabled on all ports.
trap: Sends Trap packets upon detecting a user logging in through a proxy or through multiple network adapters. interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port.
The 802.1x proxy checking function needs the cooperation of H3C's 802.1x client program. The proxy checking function takes effect only after the client version checking function is enabled on the switch (using the dot1x version-check command). Related command: display dot1x.
system. During this quiet period, the switch does not perform any 802.1x authentication-related actions for the supplicant system. The quiet-period-value argument ranges from 10 to 120 (in seconds). By default, the quiet-period timer is set to 60 seconds. server-timeout server-timeout-value: Sets the RADIUS server timer. This timer sets the server-timeout period.
Example # Set the RADIUS server timer to 150 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] dot1x timer server-timeout 150 dot1x timer reauth-period Syntax dot1x timer reauth-period reauth-period-value undo dot1x timer reauth-period View System view Parameter reauth-period reauth-period-value: Specifies re-authentication interval, in seconds.
Description Use the dot1x version-check command to enable 802.1x client version checking for specified Ethernet ports. Use the undo dot1x version-check command to disable 802.1x client version checking for specified Ethernet ports. By default, 802.1x client version checking is disabled on all the Ethernet ports. In system view: If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.
Related command: display dot1x. Example # Clear 802.1x statistics on Ethernet 1/0/1 port. <Sysname> reset dot1x statistics interface Ethernet 1/0/1
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x free-ip 192.168.19.23 24

dot1x timer acl-timeout
Syntax
dot1x timer acl-timeout acl-timeout-value
undo dot1x timer acl-timeout
View
System view
Parameters
acl-timeout-value: ACL timeout period (in minutes), in the range of 1 to 1440.
Description
Use the dot1x timer acl-timeout command to configure the ACL timeout period.

Examples
# Configure the URL for HTTP redirection.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x url http://192.168.19.23...
View
Any view
Parameter
None
Description
Use the display habp table command to display the MAC address table maintained by HABP.
Example
# Display the MAC address table maintained by HABP.
<Sysname> display habp table
Holdtime Receive Port 001f-3c00-0030 Ethernet1/0/1
Table 3-2 Description on the fields of the display habp table command
Field Description...

Table 3-3 Description on the fields of the display habp traffic command
Field            Description
Packets output   Number of the HABP packets sent
Input            Number of the HABP packets received
ID error         Number of the HABP packets with ID errors
Type error       Number of the HABP packets with type errors
Version error    Number of the HABP packets with version errors...

Parameter
vlan-id: VLAN ID, ranging from 1 to 4094.
Description
Use the habp server vlan command to configure a switch to operate as an HABP server. This command also specifies the VLAN where HABP packets are broadcast.
Use the undo habp server vlan command to revert to the default HABP mode.
By default, a switch operates as an HABP client.
System-Guard Configuration Commands (For S3100-EI)
The commands introduced in this chapter are supported only by the S3100-EI series switches.

System-Guard Configuration Commands
display system-guard attack-record
Syntax
display system-guard attack-record
View
Any view
Parameter
None
Description
Use the display system-guard attack-record command to display the record of detected attacks.
Example
# Display the record of detected attacks.
Table 4-1 Description on the fields of display system-guard attack-record Field Description Target No Number of the attack record Range Control range of the attack Packet type Type of the attack packet Port Number of the port being attacked MAC address Source MAC address of the attack packet IP address Source IP address of the attack packet...
Table 4-2 Description on the fields of the display system-guard state command
Field                 Description
System-guard Status   The enable/disable status of the system-guard function
Permitted Interfaces  Interfaces enabled with the system-guard function
Detect Threshold      The threshold for the number of packets when an attack is detected
Isolated Time...

View
System view
Parameter
None
Description
Use the system-guard enable command to enable the system-guard feature.
Use the undo system-guard enable command to disable the system-guard feature.
By default, the system-guard feature is disabled.
Related command: display system-guard state.
Example
# Enable the system-guard feature.

Example
# Apply the system-guard function to Ethernet1/0/1 through Ethernet1/0/10 ports.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] system-guard permit Ethernet 1/0/1 to Ethernet 1/0/10

system-guard timer-interval
Syntax
system-guard timer-interval isolate-timer
undo system-guard timer-interval
View
System view
Parameter
isolate-timer: Length of the isolation after an attack is detected, in the range of 1 to 10,000 in minutes.
System-Guard Configuration Commands (For S3100-SI)
The commands introduced in this chapter are supported only by the S3100-SI series switches.

System-guard Configuration Commands
display system-guard config
Syntax
display system-guard config
View
Any view
Parameter
None
Description
Use the display system-guard config command to display current system-guard configuration and the attacked ports.
system-guard enable
Syntax
system-guard enable
undo system-guard enable
View
System view
Parameter
None
Description
Use the system-guard enable command to enable the system-guard function.
Use the undo system-guard enable command to disable the system-guard function.
By default, the system-guard function is disabled.
Example
# Enable the system-guard function.

Use the undo system-guard mode command to revert to the default system-guard configuration.
Related command: display system-guard config.
Example
# Implement the system-guard function by means of port rate limit, with the checking interval being 5 seconds, the threshold being 100, and the timeout time being 30 seconds.
<Sysname>...
After system-guard is enabled on a port, if the number of packets the port received and sent to the CPU in a specified interval exceeds the specified threshold, the system considers that the port is under attack and begins to limit the packet receiving rate on the port (this function is also called inbound rate limit).
AAA Configuration Commands
AAA Configuration Commands
access-limit
Syntax
access-limit { disable | enable max-user-number }
undo access-limit
View
ISP domain view
Parameters
disable: Specifies not to limit the number of access users that can be contained in current ISP domain.
enable max-user-number: Specifies the maximum number of access users that can be contained in current ISP domain.

View
ISP domain view
Parameters
local: Performs local accounting. It is not used for charging purposes, but for collecting statistics and limiting the number of local user connections.
none: Specifies not to perform user accounting.
radius-scheme radius-scheme-name: Specifies to use a RADIUS accounting scheme. Here, radius-scheme-name is the name of a RADIUS scheme;...

View
ISP domain view
Parameters
local: Performs local accounting. It is not used for charging purposes, but for collecting statistics and limiting the number of local user connections.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting login command to configure the accounting method for login users.
Use the undo accounting login command to restore the default.
By default, the default accounting method is used for login users.
The accounting optional command is commonly used in the cases where only authentication is needed and accounting is not needed. If you configure the accounting optional command in ISP domain view, it is effective to all users in the domain; if you configure it in RADIUS scheme view, it is effective to users the RADIUS scheme is used for.
Use the undo attribute command to cancel attribute settings of the user.
You may use the display local-user command to view the settings of the attributes.
Examples
# Create local user user1 and set the IP address attribute of user1 to 10.110.50.1, allowing only the user using the IP address of 10.110.50.1 to use the account user1 for authentication.
If you execute the authentication hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary authentication scheme in case no TACACS server is available. That is, if the communication between the switch and a TACACS server is normal, no local authentication will be performed;...
Description
Use the authentication lan-access command to configure the authentication method for LAN access users.
Use the undo authentication lan-access command to restore the default.
By default, the default authentication method is used for LAN access users.
Note that the RADIUS scheme specified for the current ISP domain must have been configured.
Related commands: authentication, radius scheme.
HWTACACS scheme must exist. The S3100 series switches adopt hierarchical protection for command lines so as to inhibit users at lower levels from using higher level commands to configure the switches. For details about configuring a HWTACACS authentication scheme for low-to-high user level switching, refer to Switching User Level in the Command Line Interface Operation.
Examples
# Set the HWTACACS scheme to ht for user level switching in the current ISP domain aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] authentication super hwtacacs-scheme ht

authorization
Syntax
authorization { local | none | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
undo authorization...

authorization login
Syntax
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authorization login
View
ISP domain view
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authorization.

Parameters
string: Number or descriptor of the authorized VLAN for the current user, a string of 1 to 32 characters. If it is a numeral string and there is a VLAN with the number configured, it specifies the VLAN. If it is a numeral string but no VLAN is present with the number, it specifies the VLAN using it as the VLAN descriptor.

interface interface-type interface-number: Cuts down all user connections under a specified port. Here, interface-type is a port type and interface-number is a port number.
ip ip-address: Cuts down all user connections with a specified IP address.
ipv6 ipv6-address: Cuts down all user connections with a specified IPv6 address.
mac mac-address: Cuts down the user connection with a specified MAC address.

ip ip-address: Displays all user connections with a specified IP address.
ipv6 ipv6-address: Displays all user connections with a specified IPv6 address.
mac mac-address: Displays the user connection with a specified MAC address. Here, mac-address is in hexadecimal format (in the form of H-H-H).
radius-scheme radius-scheme-name: Displays all user connections using a specified RADIUS scheme.
Table 1-1 Description of the Port NO field
31 to 28 bit   UNIT ID
27 to 24 bit   Slot number
23 to 20 bit   Sub-slot number
19 to 12 bit   Port number
11 to 0 bit    VLAN ID

display domain
Syntax
display domain [ isp-name ]
View...

Field                 Description
Vlan-assignment-mode  VLAN assignment mode, which can be Integer or String.
Domain User Template  Domain user template settings, that is, attribute settings for all users in the domain.
Idle-Cut              Status of the idle-cut function
Self-service URL      Self-service URL for password changing
Settings of the messenger time service, which is for reminding online users of their remaining online time....

Examples
# Display information about all local users.
<Sysname> display local-user
The contents of local user test:
State: Active
ServiceType Mask: L
Idle-cut: Enable
Idle TimeOut: 3600 seconds
Access-limit: Enable
Current AccessNum: 1
Max AccessNum: 1024
Bind location: 127.0.0.1/1/0/2 (NAS/UNITID/SUBSLOT/PORT)
Vlan ID:
Authorization VLAN:
IP address:...
View
System view
Parameters
isp-name: Name of an ISP domain, a string of up to 128 characters. This string cannot contain the following characters: /\:*?<>|. If the domain name includes one or more “~” characters and the last “~” is followed by numerals, it must be followed by at least five numerals to avoid confusion.

domain delimiter
Syntax
domain delimiter { at | dot }
undo domain delimiter
View
System view
Parameters
at: Specifies “@” as the delimiter between the username and the ISP domain name.
dot: Specifies “.” as the delimiter between the username and the ISP domain name.
Description
Use the domain delimiter command to specify the delimiter form between the username and the ISP domain name.

Parameters
disable: Disables the idle-cut function for the domain.
enable: Enables the idle-cut function for the domain.
minute: Maximum idle time in minutes, ranging from 1 to 120.
flow: Minimum traffic in bytes, ranging from 1 to 10,240,000.
Description
Use the idle-cut command to set the user idle-cut function in current ISP domain. If a user’s traffic in the specified period of time is less than the specified amount, the system will disconnect the user.
If the configured authentication method is none or password authentication, the command level that a user can access after login is determined by the level of the user interface. If the configured authentication method requires a username and a password, the command level that a user can access after login is determined by the privilege level of the user.
Examples
# Add a local user named user1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
New local user added.
[Sysname-luser-user1]
# Add a local user named 01234567891234567 (note that it will appear as 012345678912345~0000 in the view prompt).

System View: return to User View with Ctrl+Z.
[Sysname] local-user password-display-mode cipher-force

messenger
Syntax
messenger time { enable limit interval | disable }
undo messenger time
View
ISP domain view
Parameters
limit: Time limit in minutes, ranging from 1 to 60. The switch will send prompt messages at regular intervals to users whose remaining online time is less than this limit.

Parameters
string: Assigned VLAN name, a string of up to 32 characters.
Description
Use the name command to set a VLAN name, which will be used for VLAN assignment.
Use the undo name command to cancel the VLAN name.
By default, a VLAN uses its VLAN ID (like VLAN 0001) as its assigned VLAN name.
This command is used in conjunction with the dynamic VLAN assignment function.
With the cipher keyword specified, a password of up to 16 characters in plain text will be encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text will be encrypted into a password of 88 characters in cipher text. For a password of 24 characters, if the system can decrypt the password, the system treats it as a password in cipher text.
scheme
Syntax
scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
undo scheme [ none | radius-scheme | hwtacacs-scheme ]
View
ISP domain view
Parameters
radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.
hwtacacs-scheme-name: Name of a HWTACACS scheme, a string of up to 32 characters.

[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] scheme radius-scheme raduis1 local

scheme lan-access
Syntax
scheme lan-access { local | none | radius-scheme radius-scheme-name [ local ] }
undo scheme lan-access
View
ISP domain view
Parameters
radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.
local: Specifies to use local authentication.

scheme login
Syntax
scheme login { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
undo scheme login
View
ISP domain view
Parameters
radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.
local: Specifies to use local authentication.
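A check one might run over saved configuration text to review the scheme, accounting optional and RADIUS key settings documented in this chapter. This is an added example, not part of the H3C manual: the configuration is constructed, and its layout (view header at column 0, indented commands, "#" between views) and the rule names are assumptions.

```python
import re

# Constructed sample, laid out like saved Comware configuration text: a view
# header at column 0, its commands indented, "#" between views (assumed layout).
SAMPLE_CONFIG = """\
#
radius scheme radius1
 primary authentication 10.110.1.1 1812
 primary accounting 10.110.1.2 1813 key key1
#
radius scheme radius2
 primary authentication 10.110.1.3 1812 key key2
 key accounting key3
#
domain aabbcc.net
 scheme radius-scheme radius1 local
 accounting optional
#
domain guest.example
 scheme lan-access none
#
domain branch.example
 scheme login radius-scheme radius9
#
"""


def parse_views(text):
    """Group indented command lines under the view header that precedes them."""
    views, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None
            continue
        if not raw[0].isspace():
            current = (raw.strip(), [])
            views.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return views


def audit(text):
    """Return (scope, rule, command) tuples for settings worth a review."""
    views = parse_views(text)
    radius = {h.split()[2]: cmds for h, cmds in views
              if re.fullmatch(r"radius scheme \S+", h)}
    findings = []

    # A server line needs a shared key: inline ("... key string") or from the
    # scheme-wide "key authentication" / "key accounting" command.
    for name, cmds in radius.items():
        for kind in ("authentication", "accounting"):
            scheme_key = any(c.startswith("key %s " % kind) for c in cmds)
            for c in cmds:
                is_server = re.match(r"(primary|secondary) %s " % kind, c)
                if is_server and " key " not in c and not scheme_key:
                    findings.append(("radius scheme " + name,
                                     "missing-shared-key", c))

    for header, cmds in views:
        if not re.fullmatch(r"domain \S+", header):
            continue
        for c in cmds:
            tokens = c.split()
            if tokens[0] in ("scheme", "authentication"):
                # "none" as the method means users are not authenticated.
                if "none" in tokens[1:]:
                    findings.append((header, "no-authentication", c))
                # The referenced RADIUS scheme must already be configured.
                if "radius-scheme" in tokens[:-1]:
                    ref = tokens[tokens.index("radius-scheme") + 1]
                    if ref not in radius:
                        findings.append((header, "undefined-radius-scheme", c))
            elif c == "accounting optional":
                findings.append((header, "accounting-optional", c))
    return findings


if __name__ == "__main__":
    for scope, rule, command in audit(SAMPLE_CONFIG):
        print("%-24s %-24s %s" % (scope, rule, command))
```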
self-service-url
Syntax
self-service-url { disable | enable url-string }
undo self-service-url
View
ISP domain view
Parameters
url-string: URL of the web page used to modify user password on the self-service server. It is a string of 1 to 64 characters. This string cannot contain any question mark "?". If the actual URL of the self-service server contains a question mark, you should change it to a vertical bar "|".
View
Local user view
Parameters
ftp: Specifies that this is an FTP user.
lan-access: Specifies that this is a LAN access user (who is generally an Ethernet access user, for example, 802.1x user).
telnet: Authorizes the user to access the Telnet service.
ssh: Authorizes the user to access the SSH service.
Description Use the state command to set the status of current ISP domain (in ISP domain view) or current local user (in local user view). By default, an ISP domain/local user is in the active state once it is created. After an ISP domain is set to the block state, except for online users, users in this domain are inhibited from accessing the network.
The dynamic VLAN assignment feature enables a switch to dynamically add the ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access. In actual applications, to use this feature together with Guest VLAN, you are recommended to set port control to port-based mode.
Examples
# Set the VLAN assignment mode of the domain h3c163.net to string.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] vlan-assignment-mode string

RADIUS Configuration Commands
accounting optional
Syntax
accounting optional
undo accounting optional
View
RADIUS scheme view...

accounting start-mode
Syntax
accounting start-mode { with-ip | without-ip }
View
RADIUS scheme view
Parameters
with-ip: Specifies the mode in which the device must obtain the IP address of a requesting client and add the IP address to an accounting start request before this request can be sent to the RADIUS server.
without-ip: Specifies the mode in which the device sends the RADIUS server an accounting start request without the IP address of the requesting client.
After configuring the accounting-on enable command, you need to execute the save command so that the command can take effect when the switch restarts.
This function requires the cooperation of the H3C CAMS system.
Related commands: nas-ip.
Examples
# Enable the user re-authentication at restart function for the RADIUS scheme named radius1.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute-ignore standard type 28
# Configure RADIUS scheme radius1 to ignore H3C’s attribute 22. The vendor ID of H3C is 25506.
[Sysname-radius-radius1] attribute-ignore vendor 25506 type 22
# Disable the RADIUS scheme from ignoring the standard RADIUS attributes, so that the scheme accepts all standard RADIUS attributes assigned to it.
[Sysname-radius-radius1] undo attribute-ignore standard
# Disable the RADIUS scheme from ignoring H3C’s attributes, so that the scheme accepts all H3C’s RADIUS attributes assigned to it.
[Sysname-radius-radius1] undo attribute-ignore vendor 25506
# Disable the RADIUS scheme from ignoring any attributes, so that the scheme accepts all RADIUS attributes assigned to it.
View
RADIUS scheme view
Parameters
data: Sets the data unit of outgoing RADIUS flows, which can be byte, giga-byte, kilo-byte, or mega-byte.
packet: Sets the packet unit of outgoing RADIUS flows, which can be one-packet, giga-packet, kilo-packet, or mega-packet.
Description
Use the data-flow-format command to set the units of RADIUS data flows to RADIUS servers.

<Sysname> display local-server statistics
On Unit 1: The localserver packet statistics: Receive: Send: Discard: Receive Packet Error: Auth Receive: Auth Send: Acct Receive: Acct Send:

display radius scheme
Syntax
display radius scheme [ radius-scheme-name ]
View
Any view
Parameters
radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.
Description
Use the display radius scheme command to display configuration information about one specific or all RADIUS schemes...

Primary Acc State=active, Second Acc State=block
------------------------------------------------------------------
Total 1 RADIUS scheme(s). 1 listed
Table 1-5 Description on the fields of the display radius scheme command
Field        Description
SchemeName   Name of the RADIUS scheme
Index        Index number of the RADIUS scheme
Type         Type of the RADIUS servers
IP address/port number of the primary authentication...
You can choose to display the buffered stop-accounting requests of a specified RADIUS scheme, session (by session ID), or user (by username). You can also specify a time range to display those generated within the specified time range. The displayed information helps you diagnose and resolve RADIUS problems.
The two parties verify the validity of the RADIUS messages received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key. The authentication/authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication/authorization server and the shared key on the accounting server.
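How the shared key takes part in that verification, shown with the authenticator calculations of standard RADIUS (RFC 2865 for replies, RFC 2866 for accounting requests). This is an added example, not code from the manual or the switch; the packet contents are constructed, and key1 and key2 stand in for the authentication and accounting keys.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ACCOUNTING_REQUEST = 4


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def _digest(header, auth_field, attributes, secret):
    # MD5 over Code+ID+Length, a 16-octet field, the attributes, then the key.
    return hashlib.md5(header + auth_field + attributes + secret).digest()


def build_access_accept(ident, request_auth, attributes, secret):
    """Server side: bind the reply to the request and the authentication key."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attributes))
    return header + _digest(header, request_auth, attributes, secret) + attributes


def verify_reply(packet, request_auth, secret):
    """Switch side: accept a reply only if its authenticator matches our key."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]
    expected = _digest(packet[:4], request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_request(ident, attributes, secret):
    """Switch side: sign an Accounting-Request with the accounting key."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attributes))
    return header + _digest(header, bytes(16), attributes, secret) + attributes


def verify_accounting_request(packet, secret):
    """Accounting server side: the 16-octet field is all zeros in the hash."""
    return verify_reply(packet, bytes(16), secret)


if __name__ == "__main__":
    # Constructed exchange: attribute 18 is Reply-Message, 40 is
    # Acct-Status-Type (1 = Start), 1 is User-Name.
    request_auth = os.urandom(16)
    reply = build_access_accept(7, request_auth, attr(18, b"welcome"), b"key1")
    print("reply, same key on both sides:", verify_reply(reply, request_auth, b"key1"))
    print("reply, key mismatch:          ", verify_reply(reply, request_auth, b"key2"))

    start = attr(40, b"\x00\x00\x00\x01") + attr(1, b"user0001")
    acct = build_accounting_request(9, start, b"key2")
    print("accounting, same key:         ", verify_accounting_request(acct, b"key2"))
    print("accounting, auth key reused:  ", verify_accounting_request(acct, b"key1"))
```

A mismatch looks the same as a tampered packet to the receiver, which is why a wrong key on either side makes every message from the peer be discarded.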
Examples
# Enable UDP ports for local RADIUS services.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-server enable

local-server nas-ip
Syntax
local-server nas-ip ip-address key password
undo local-server nas-ip ip-address
View
System view
Parameters
nas-ip ip-address: Specifies the IP address of a network access server (NAS) that can use the local RADIUS services.

[Sysname] local-server nas-ip 10.110.1.2 key aabbcc

nas-ip
Syntax
nas-ip { ip-address | ipv6 ipv6-address }
undo nas-ip
View
RADIUS scheme view
Parameters
ip-address: Source IP address for RADIUS messages, an IP address of this device. This address can neither be the all 0's address nor be a Class-D address.
ipv6 ipv6-address: Specifies an IPv6 address.
# Specify the IP address of the primary accounting server for RADIUS scheme radius1 as 10.110.1.2, the UDP port of the server as 1813, and the shared key of accounting packets as key1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key key1

primary authentication
Syntax
primary authentication { ip-address | ipv6 ipv6-address } [ port-number ] [ key string ]...

key string is not configured here, the shared key configured in the key command in RADIUS scheme view will be used.
The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.
Related commands: key, radius scheme, state.
Examples
# Set the IP address and UDP port number of the primary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.1 and 1812 respectively.

Examples
# Disable the RADIUS authentication and accounting ports.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo radius client enable

radius nas-ip
Syntax
radius nas-ip { ip-address | ipv6 ipv6-address }
undo radius nas-ip
View
System view
Parameters
ip-address: Source IP address to be set, an IP address of this device.
You can set only one source IP address by using this command. When you re-execute this command, the newly set source IP address overwrites the old one.
Related commands: nas-ip.
Examples
# Set source address 129.10.10.1 for outgoing RADIUS messages.
<Sysname>...
Examples
# Create a RADIUS scheme named radius1 and enter its view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1]

radius trap
Syntax
radius trap { authentication-server-down | accounting-server-down }
undo radius trap { authentication-server-down | accounting-server-down }
View
System view...

Examples
# Delete the stop-accounting requests buffered for user user0001@aabbcc.net.
<Sysname> reset stop-accounting-buffer user-name user0001@aabbcc.net
# Delete the stop-accounting requests buffered from 0:0:0 08/31/2002 to 23:59:59 08/31/2002.
<Sysname> reset stop-accounting-buffer time-range 00:00:00-08/31/2002 23:59:59-08/31/2002

retry
Syntax
retry retry-times
undo retry
View
RADIUS scheme view
Parameters
retry-times: Maximum number of transmission attempts of a RADIUS request, ranging from 1 to 20.

retry realtime-accounting
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
View
RADIUS scheme view
Parameters
retry-times: Maximum allowed number of continuous real-time accounting failures, ranging from 1 to 255.
Description
Use the retry realtime-accounting command to set the maximum allowed number of continuous real-time accounting failures.

Examples
# Set the maximum allowed number of continuous real-time accounting failures for RADIUS scheme radius1 to 10.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] retry realtime-accounting 10

retry stop-accounting
Syntax
retry stop-accounting retry-times
undo retry stop-accounting...

View
RADIUS scheme view
Parameters
ip-address: IP address of the secondary authentication/authorization server to be used, in dotted decimal notation.
ipv6 ipv6-address: IPv6 address of the secondary authentication/authorization server.
port-number: UDP port number of the secondary authentication/authorization server, ranging from 1 to 65535.

Parameters
extended: Specifies to support H3C's RADIUS server (which is generally a CAMS), that is, use the procedure and message format of private RADIUS protocol to interact with an H3C's RADIUS server.
standard: Specifies to support standard RADIUS server, that is, use the procedure and message format of a standard RADIUS protocol (RFC 2865/2866 or above) to interact with a standard RADIUS server.
When the switch fails to communicate with the primary server due to some server trouble, the switch will turn to the secondary server and exchange messages with the secondary server. After the primary server remains in the block state for a set time (set by the timer quiet command), the switch will try to communicate with the primary server again when it receives a RADIUS request.
Examples
# Set the status of the secondary accounting server with IPv6 address 1:1::2:5 to block.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] state secondary accounting ipv6 1:1::2:5 block

stop-accounting-buffer enable
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable...

timer
Syntax
timer seconds
undo timer
View
RADIUS scheme view
Parameters
seconds: Response timeout time of RADIUS servers, ranging from 1 to 10 seconds.
Description
Use the timer command to set the response timeout time of RADIUS servers (that is, the timeout time of the response timeout timer of RADIUS servers).

View
RADIUS scheme view
Parameters
minutes: Wait time before primary server state restoration, ranging from 1 to 255 minutes.
Description
Use the timer quiet command to set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active.
Use the undo timer quiet command to restore the default wait time.
server is, the shorter the interval can be. It is recommended to set the interval as long as possible when the number of users is relatively great (≥1000). Table 1-6 lists the recommended intervals for different numbers of users.
Table 1-6 Numbers of users and recommended intervals
Number of users   Real-time accounting interval
1 to 99...
switch gets no answer before the response timeout timer expires, it needs to retransmit the request to ensure that the user can obtain RADIUS service. Appropriately setting the timeout time of this timer according to your network situation can improve the performance of your system.
For an 802.1x user, if you have specified to use EAP authentication, the switch will encapsulate and send the contents from the client directly to the server. In this case, the configuration of the user-name-format command is not effective.
Related commands: radius scheme.
Examples
# Specify to exclude ISP domain names from the usernames to be sent to RADIUS server in RADIUS scheme radius1.

System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte
[Sysname-hwtacacs-hwt1] data-flow-format packet kilo-packet

display hwtacacs
Syntax
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]
View
Any view
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 characters. This name is case-insensitive.

Traffic-unit
Packet traffic-unit : one-packet

display stop-accounting-buffer
Syntax
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
View
Any view
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Displays the buffered stop-accounting requests of a specified HWTACACS scheme. Here, hwtacacs-scheme-name is a string of up to 32 characters.
Description
Use the display stop-accounting-buffer command to display stop-accounting requests buffered in the switch.
You can specify the source address of outgoing HWTACACS messages so that messages returned from the server can still reach their destination when a physical interface fails. It is recommended to use a Loopback interface address as the source IP address. You can specify only one source IP address by using this command.
View
HWTACACS scheme view
Parameters
accounting: Sets a shared key for HWTACACS accounting messages.
authentication: Sets a shared key for HWTACACS authentication messages.
authorization: Sets a shared key for HWTACACS authorization messages.
string: Shared key to be set, a string of up to 16 characters.
Description
Use the key command to configure a shared key for HWTACACS authentication, authorization or accounting messages.
You can set only one source IP address by using this command. When you re-execute this command, the newly set source IP address overwrites the old one.
Related commands: display hwtacacs.
Examples
# Set source IP address 10.1.1.1 for outgoing HWTACACS messages in HWTACACS scheme hwt1.
<Sysname>...
primary authentication
Syntax
primary authentication ip-address [ port ]
undo primary authentication
View
HWTACACS scheme view
Parameters
ip-address: IP address of the primary authentication server to be used, a valid unicast address in dotted decimal notation.
port: Port number of the primary authentication server, ranging from 1 to 65535.
Description
Use the primary authentication command to set the IP address and port number of the primary HWTACACS authentication server to be used by the current scheme.

Parameters
ip-address: IP address of the primary authorization server to be used, a valid unicast address in dotted decimal notation.
port: Port number of the primary authorization server, ranging from 1 to 65535.
Description
Use the primary authorization command to set the IP address and port number of the primary HWTACACS authorization server to be used by the current scheme.

Examples
# Clear all HWTACACS protocol statistics.
<Sysname> reset hwtacacs statistics all

reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
View
User view
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Deletes the buffered stop-accounting requests of a specified HWTACACS scheme. Here, hwtacacs-scheme-name is the name of a HWTACACS scheme, which is a string of up to 32 characters.

Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.
Examples
# Enable the stop-accounting request retransmission function and set the maximum number of transmission attempts of a request to 50.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] retry stop-accounting 50

secondary accounting
Syntax...

secondary authentication
Syntax
secondary authentication ip-address [ port ]
undo secondary authentication
View
HWTACACS scheme view
Parameters
ip-address: IP address of the secondary authentication server to be used, a valid unicast address in dotted decimal notation.
port: Port number of the secondary authentication server, ranging from 1 to 65535.
Description
Use the secondary authentication command to set the IP address and port number of the secondary HWTACACS authentication server to be used by the current scheme.

Parameters
ip-address: IP address of the secondary authorization server, a valid unicast address in dotted decimal notation.
port: Port number of the secondary authorization server, ranging from 1 to 65535.
Description
Use the secondary authorization command to set the IP address and port number of the secondary HWTACACS authorization server to be used by the current scheme.
Examples
# Configure the switch to wait 10 minutes before it tries to restore the status of the primary server to active.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10
timer realtime-accounting
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting...
Examples
# Set the real-time accounting interval in HWTACACS scheme hwt1 to 51 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51
timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
HWTACACS scheme view
Parameters...
Page 469
without-domain: Excludes ISP domain names from the usernames to be sent to the TACACS server. Description Use the user-name-format command to set the format of the usernames to be sent to the TACACS server. By default, the usernames sent to the TACACS server in a HWTACACS scheme carry ISP domain names. Note that: Generally, an access user is named in the userid@isp-name format.
EAD Configuration Commands Only the S3100-EI series switches support the EAD configuration. EAD Configuration Commands security-policy-server Syntax security-policy-server ip-address undo security-policy-server { ip-address | all } View RADIUS scheme view Parameters ip-address: IP address of a security policy server. all: IP addresses of all security policy servers. Description Use the security-policy-server command to set the IP address of a security policy server.
MAC Address Authentication Configuration Commands MAC Address Authentication Basic Function Configuration Commands display mac-authentication Syntax display mac-authentication [ interface interface-list ] View Any view Parameters interface interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10>...
Page 474
--- 1 silent mac address(es) found. ---
Ethernet1/0/1 is link-up
MAC address authentication is Enabled
max-auth-num is 256
Guest VLAN is 2
Authenticate success: 1, failed: 0
Current online user number is 1
MAC ADDR Authenticate state AuthIndex
000d-88f8-4e71 MAC_AUTHENTICATOR_SUCCESS
……(The following is omitted)
Table 1-1 Description on the fields of the display mac-authentication command
Field...
Field: Description
Max allowed user number: The maximum number of users supported by the switch. It is 1,024 by default.
Current user number amounts to: The current number of users
Current domain: The current domain. It is not configured by default.
Parameters None Description Use the mac-authentication command to enable MAC address authentication globally or on the current port. Use the undo mac-authentication command to disable MAC address authentication globally or on the current port. By default, MAC address authentication is disabled both globally and on a port. When being executed in system view, the mac-authentication command enables MAC address authentication globally.
Parameters interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Parameters usernameformat: Specifies the input format of the username and password. with-hyphen: Uses hyphened MAC addresses as usernames and passwords, for example, 00-05-e0-1c-02-e3. without-hyphen: Uses MAC addresses without hyphens as usernames and passwords, for example, 0005e01c02e3. lowercase: Uses lowercase MAC addresses as usernames and passwords. uppercase: Uses uppercase MAC addresses as usernames and passwords.
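Added example (not from the H3C manual): the username format configured on the switch decides the exact string sent as both username and password, so accounts on the authentication server must be stored in the same form. The Python code below derives that string for each format and lists stored account names that would never match; the function names, the accepted input notations, the byte-for-byte comparison on the server and the sample account list are assumptions made for illustration.

```python
import re

# Input notations accepted here (an assumption of this example). The first is
# the H-H-H form the switch prints, e.g. 000d-88f8-4e71.
_NOTATIONS = (
    re.compile(r"^[0-9a-f]{4}(-[0-9a-f]{4}){2}$"),   # 000d-88f8-4e71
    re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$"),   # 00-0d-88-f8-4e-71
    re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$"),   # 00:0d:88:f8:4e:71
    re.compile(r"^[0-9a-f]{12}$"),                   # 000d88f84e71
)


def mac_digits(text):
    """Return the 12 lowercase hex digits of a MAC address, or raise ValueError."""
    value = text.strip().lower()
    if not any(p.match(value) for p in _NOTATIONS):
        raise ValueError(f"not a MAC address: {text!r}")
    return re.sub(r"[-:]", "", value)


def mac_credential(mac, with_hyphen, uppercase):
    """String the switch sends as username AND password for this MAC.

    with_hyphen=True  -> 00-05-e0-1c-02-e3   (with-hyphen)
    with_hyphen=False -> 0005e01c02e3        (without-hyphen)
    uppercase selects the uppercase / lowercase keyword.
    """
    digits = mac_digits(mac)
    if with_hyphen:
        value = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    else:
        value = digits
    return value.upper() if uppercase else value


def account_mismatches(account_names, with_hyphen, uppercase):
    """Find MAC-like account names that differ from what the switch will send.

    Returns (stored, expected) pairs. Names that are not MAC addresses, such
    as a fixed username, are ignored. Assumes the authentication server
    compares usernames byte for byte.
    """
    mismatches = []
    for name in account_names:
        try:
            expected = mac_credential(name, with_hyphen, uppercase)
        except ValueError:
            continue
        if name != expected:
            mismatches.append((name, expected))
    return mismatches


# Constructed sample: account names as they might be stored on the server.
ACCOUNTS = ["00-05-e0-1c-02-e3", "000D-88F8-4E71", "0005E01C02E4", "vipuser"]

if __name__ == "__main__":
    for hyphen in (True, False):
        for upper in (False, True):
            print(hyphen, upper, mac_credential("0005-e01c-02e3", hyphen, upper))
    # Switch configured for with-hyphen, lowercase:
    for stored, expected in account_mismatches(ACCOUNTS, True, False):
        print(f"{stored} will not match; the switch sends {expected}")
```

Because the password is the same string as the username, anyone who knows or can observe a device's MAC address knows its credentials, which is why the guest VLAN and per-port user limits described later in this chapter matter.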
Examples
# Use the user name in fixed mode for MAC address authentication.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication authmode usernamefixed
mac-authentication authpassword
Syntax
mac-authentication authpassword password
undo mac-authentication authpassword
View
System view
Parameters
password: Password to be set, a string comprising 1 to 63 characters.
By default, the user name in fixed mode is “mac”.
Examples
# Set the user name to vipuser in fixed mode.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication authusername vipuser
mac-authentication domain
Syntax
mac-authentication domain isp-name
undo mac-authentication domain
View
System view...
Parameters offline-detect-value: Offline detect timer (in seconds) setting. This argument ranges from 1 to 65,535 and defaults to 300. The offline detect timer sets the time interval for a switch to test whether a user goes offline. quiet-value: Quiet timer (in seconds) setting. This argument ranges from 1 to 3,600 and defaults to 60. After a user fails to pass the authentication performed by a switch, the switch quiets for a specific period (the quiet period) before it authenticates the user again.
<Sysname> reset mac-authentication statistics interface Ethernet 1/0/1 MAC Address Authentication Enhanced Function Configuration Commands mac-authentication guest-vlan Syntax mac-authentication guest-vlan vlan-id undo mac-authentication guest-vlan View Ethernet port view Parameters vlan-id: ID of the guest VLAN configured for the current port. This argument is in the range of 1 to 4,094. Description Use the mac-authentication guest-vlan command to configure a guest VLAN for the current port.
If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
By default, the quiet MAC function is enabled on a port.
Example
# Enable the quiet MAC function on port Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] mac-authentication intrusion-mode block-mac enable
mac-authentication max-auth-num
Syntax
mac-authentication max-auth-num user-number...
Examples
# Set the maximum number of MAC address authentication users allowed to access Ethernet 1/0/2 to 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] mac-authentication max-auth-num 100
mac-authentication timer guest-vlan-reauth
Syntax
mac-authentication timer guest-vlan-reauth interval
undo mac-authentication timer guest-vlan-reauth
View...
ARP Configuration Commands ARP Configuration Commands arp check enable Syntax arp check enable undo arp check enable View System view Parameters None Description Use the arp check enable command to enable the ARP entry checking function on a switch. Use the undo arp check enable command to disable the ARP entry checking function. With the ARP entry checking function enabled, the switch cannot learn any ARP entry with a multicast MAC address.
VLAN. By default, ARP attack detection is disabled on the switch. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Enable ARP attack detection on all ports in VLAN 1.
ARP packet receiving rate after a specified period. By default, the port state auto-recovery function is disabled. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Enable the port state auto-recovery function of the switch.
By default, when the port state auto-recovery function is enabled, the recovery interval is 300 seconds. Note that: Among S3100 series switches, only S3100-EI series switches support the two commands. You need to enable the port state auto-recovery feature before you can configure the auto-recovery interval.
Use the undo arp rate-limit enable command to disable the ARP packet rate limit function on the port. By default, the ARP packet rate limit function is disabled, that is, ARP packet rate is not limited on a port. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Enable the ARP packet rate limit function on Ethernet 1/0/11.
Use the undo arp restricted-forwarding enable command to disable ARP restricted forwarding. By default, ARP restricted forwarding is disabled. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Related commands: arp detection enable, arp detection trust. Examples # Enable ARP restricted forwarding in VLAN 1.
Static ARP entries are valid as long as the Ethernet switch operates normally. But some operations, such as removing a VLAN, or removing a port from a VLAN, will make the corresponding ARP entries invalid and therefore removed automatically. As for the arp static command, the value of the vlan-id argument must be the ID of an existing VLAN, and the port identified by the interface-type and interface-number arguments must belong to the VLAN.
Page 494
View Any view Parameters dynamic: Displays dynamic ARP entries. static: Displays static ARP entries. ip-address: IP address. ARP entries containing the IP address are to be displayed. Description Use the display arp command to display specific ARP entries. If you execute this command with no keyword/argument specified, all the ARP entries are displayed. Related commands: arp static, reset arp.
Page 495
display arp | Syntax display arp [ dynamic | static] | { begin | exclude | include } regular-expression View Any view Parameters dynamic: Displays dynamic ARP entries. static: Displays static ARP entries. |: Uses a regular expression to specify the ARP entries to be displayed. For detailed information about regular expressions, refer to Configuration File Management Command in this manual.
If ARP attack detection is disabled, the statistics of ARP trusted port state and discarded invalid ARP packets will not be displayed. Note that among S3100 series switches, only S3100-EI series switches support the command. Examples # Display ARP detection statistics on Ethernet 1/0/10.
View System view Parameters None Description Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function. Then, a switch receiving a gratuitous ARP packet can add the IP and MAC addresses carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry for the ARP packet in the cache.
Page 499
Table of Contents
1 DHCP Server Configuration Commands
DHCP Server Configuration Commands
accounting domain
bims-server
dhcp enable
dhcp select global
dhcp select interface
dhcp server bims-server
dhcp server detect
dhcp server dns-list
dhcp server domain-name
dhcp server expired
dhcp server forbidden-ip
dhcp server ip-pool...
Page 500
2 DHCP Snooping Configuration Commands
DHCP Snooping Configuration Commands
dhcp-snooping
dhcp-snooping information enable
dhcp-snooping information format
dhcp-snooping information packet-format
dhcp-snooping information remote-id
dhcp-snooping information strategy
dhcp-snooping information vlan circuit-id
dhcp-snooping information vlan remote-id
dhcp-snooping server-guard enable
dhcp-snooping server-guard method
dhcp-snooping server-guard source-mac...
DHCP Server Configuration Commands DHCP Server Configuration Commands The contents of this chapter are only applicable to the S3100-EI series among S3100 Series Ethernet Switches. accounting domain Syntax accounting domain domain-name undo accounting domain View DHCP address pool view Parameters domain-name: Name of a domain, a string of 1 to 24 characters.
bims-server Syntax bims-server ip ip-address [ port port-number ] sharekey key undo bims-server View DHCP address pool view Parameters ip ip-address: Specifies the IP address of the remote BIMS server. port port-number: Specifies the port number of the remote BIMS. The port-number argument ranges from 1 to 65534.
Description Use the dhcp enable command to enable DHCP. Use the undo dhcp enable command to disable DHCP. By default, DHCP is enabled. You need to enable DHCP before performing other DHCP-related configurations. To improve security and prevent malicious attacks on unused sockets, S3100 Ethernet switches provide the following functions: UDP ports 67 and 68 used by DHCP are enabled/disabled only when DHCP is enabled/disabled.
Parameters interface interface-type interface-number [ to interface-type interface-number ]: Specifies the interface(s) to operate in global address pool mode. The interface-type argument specifies an interface type; the interface-number argument specifies an interface number; the interface interface-type interface-number [ to interface-type interface-number ] keyword and argument combination specifies an interface range.
Page 505
Parameters interface interface-type interface-number [ to interface-type interface-number ]: Specifies the interface(s) to operate in interface address pool mode. The argument interface-type indicates interface type, interface-number indicates interface number. interface-type interface-number [ to interface-type interface-number ] specifies an interface range. all: Specifies all interfaces to operate in interface address pool mode.
[Sysname] dhcp select interface all dhcp server bims-server Syntax dhcp server bims-server ip ip-address [ port port-number ] sharekey key { interface interface-type interface-number [ to interface-type interface-number ] | all } undo dhcp server bims-server { interface interface-type interface-number [ to interface-type interface-number ] | all } View System view...
undo dhcp server detect View System view Parameters None Description Use the dhcp server detect command to enable the unauthorized DHCP server detection function. With this feature enabled, upon receiving a DHCP request, the DHCP server records the IP address of every DHCP server that has assigned an IP address to the DHCP client, along with the receiving interface.
Parameters ip-address&<1-8>: IP address of a DNS server. &<1-8> means you can provide up to eight DNS server IP addresses. When inputting more than one DNS server IP address, separate two neighboring IP addresses with a space. interface interface-type interface-number [ to interface-type interface-number ]: Specifies the interface(s), through which you can specify the corresponding interface address pools.
undo dhcp server domain-name { interface interface-type interface-number [ to interface-type interface-number ] | all } View System view, VLAN interface view Parameters domain-name: Domain name suffix of the DHCP clients whose IP addresses are from the specified interface address pool(s). This argument is a string of 3 to 50 characters. interface interface-type interface-number [ to interface-type interface-number ]: Specifies the interface(s), through which you can specify the corresponding interface address pool(s).
Page 510
dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } undo dhcp server expired In system view, use the following commands to configure the lease time of the IP addresses in multiple DHCP interface address pools. dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } { interface interface-type interface-number [ to interface-type interface-number ] | all } undo dhcp server expired { interface interface-type interface-number [ to interface-type...
dhcp server forbidden-ip Syntax dhcp server forbidden-ip low-ip-address [ high-ip-address ] undo dhcp server forbidden-ip low-ip-address [ high-ip-address ] View System view Parameters low-ip-address: IP address that is not available for being assigned to DHCP clients automatically (An IP address of this kind is known as a forbidden IP address). This argument also marks the lower end of the range of the forbidden IP addresses.
dhcp server ip-pool Syntax dhcp server ip-pool pool-name undo dhcp server ip-pool pool-name View System view Parameters pool-name: Name of a DHCP address pool, which uniquely identifies the address pool. This argument is a string of 1 to 35 characters. Description Use the dhcp server ip-pool command to create a global DHCP address pool and enter DHCP address pool view.
dhcp server nbns-list Syntax In VLAN interface view, use the following commands to configure WINS server IP address(es) in the current DHCP interface address pool for the client. dhcp server nbns-list ip-address&<1-8> undo dhcp server nbns-list { ip-address | all } In system view, use the following commands to configure WINS server IP addresses in multiple DHCP interface address pools for the client.
# Configure the WINS server IP address 10.12.1.99 in all the DHCP interface address pools for the DHCP client. [Sysname] dhcp server nbns-list 10.12.1.99 all dhcp server netbios-type Syntax In VLAN interface view, use the following commands to configure the NetBIOS node type of the DHCP clients whose IP addresses are from the current DHCP interface address pool.
Use the undo dhcp server netbios-type command to restore the default NetBIOS node type. By default, no NetBIOS node type is specified. After the WINS server IP address is configured for the client in the DHCP interface address pool, the client uses the hybrid node (h-node). Related commands: netbios-type, dhcp server nbns-list.
interface-type argument specifies an interface type; the interface-number argument specifies an interface number; the interface interface-type interface-number [ to interface-type interface-number ] keyword and argument combination specifies an interface range. all: Specifies all interface address pools. Description Use the dhcp server option command to customize DHCP options for the specified DHCP interface address pool(s).
System View: return to User View with Ctrl+Z.
# Set the maximum number of the echo request packets to 10, and the response timeout time to 300 milliseconds.
[Sysname] dhcp server ping packets 10
[Sysname] dhcp server ping timeout 300
dhcp server relay information enable
Syntax
dhcp server relay information enable...
client-identifier: Client ID of a static binding, a string of 4 to 160 characters in the format H-H-H…, each H indicates 4 hex digits except the last H that indicates 2 or 4 hex digits. For example, aabb-cccc-dd is a valid ID, while aabb-c-dddd and aabb-cc-dddd are both invalid. mac-address: MAC address to which the IP address is statically bound.
# Enable the DHCP server to support all the sub-options of Option 184 in VLAN-interface 1. The NCP IP address is 1.1.1.1 and the IP address of the alternate server is 2.2.2.2. The voice VLAN is enabled, with the ID being 3. The fail-over IP address is 3.3.3.3 and the dial number string is 99*.
[Sysname-Vlan-interface1] dhcp select interface
[Sysname-Vlan-interface1] dhcp server voice-config ncp-ip 1.1.1.1
[Sysname-Vlan-interface1] dhcp server voice-config as-ip 2.2.2.2...
Page 521
View Any view Parameters ip ip-address: Specifies an IP address. pool [ pool-name ]: Specifies a global address pool. The pool-name argument, a string of 1 to 35 characters, is the name of an address pool. If you do not provide this argument, this command applies to all global address pools.
Table 1-2 Description on the fields of the display dhcp server expired command
Field: Description
Global pool: The information about the expired IP addresses of global address pools
Interface pool: The information about the expired IP addresses of interface address pools
IP address: Bound IP addresses
User ID or MAC addresses to which IP...
Page 523
pool [ pool-name ]: Specifies a global address pool. The pool-name argument, a string of 1 to 35 characters, is the name of an address pool. If you do not provide this argument, this command applies to all global address pools. interface [ interface-type interface-number ]: Specifies a VLAN interface.
display dhcp server statistics Syntax display dhcp server statistics View Any view Parameters None Description Use the display dhcp server statistics command to display the statistics on a DHCP server. Related commands: reset dhcp server statistics. Examples # Display the statistics on a DHCP server. <Sysname>...
Pool Number: Number of address pools
Auto: Number of the automatically bound IP addresses
Manual: Number of the manually bound IP addresses
Expire: Number of the expired IP addresses
Boot Request, Dhcp Discover, Dhcp Request, Dhcp Decline, Dhcp Release...: Statistics about the DHCP packets received from DHCP clients
expired 1 0 0
Pool name: test1234
network 10.1.1.0 mask 255.255.255.0
Parent node:test123
option 30 hex AA BB
expired 1 0 0
Interface pool:
Pool name: Vlan-interface2
network 192.168.2.0 mask 255.255.255.0
gateway-list 192.168.2.1
expired 1 0 0
Table 1-5 Description on the fields of the display dhcp server tree command
Field Description Global pool...
Parameters ip-address&<1-8>: IP address of a DNS server. &<1-8> string means you can provide up to eight DNS server IP addresses. When inputting more than one IP address, separate two neighboring IP addresses with a space. all: Specifies all configured DNS server IP addresses. Description Use the dns-list command to configure one or multiple DNS server IP addresses in a DHCP global address pool for the DHCP client.
Examples
# Enter system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
# Configure the domain name suffix mydomain.com in the DHCP global address pool 0 for the DHCP client.
[Sysname] dhcp server ip-pool 0
[Sysname-dhcp-pool-0] domain-name mydomain.com
expired
Syntax
expired { day day [ hour hour [ minute minute ] ] | unlimited }...
gateway-list Syntax gateway-list ip-address&<1-8> undo gateway-list { ip-address | all } View DHCP address pool view Parameters ip-address&<1-8>: IP address of a gateway. &<1-8> means you can provide up to eight gateway IP addresses. When inputting more than one IP address, separate two neighboring IP addresses with a space.
all: Specifies all configured WINS server IP addresses. Description Use the nbns-list command to configure one or multiple WINS server IP addresses in the DHCP global address pool for the DHCP client. Use the undo nbns-list command to remove one or all WINS server IP addresses configured for the DHCP client.
By default, no NetBIOS node type is specified in a DHCP global address pool for the DHCP client. After the WINS server IP address is configured for the client in the DHCP global address pool, the client uses the hybrid node (h-node). Related commands: dhcp server ip-pool, dhcp server netbios-type, nbns-list.
Parameters ip ip-address: Specifies an IP address, whose conflict statistics will be cleared. all: Clears all address conflict statistics. Description Use the reset dhcp server conflict command to clear address conflict statistics. Related commands: display dhcp server conflict. Examples # Clear all address conflict statistics. <Sysname>...
View User view Parameters None Description Use the reset dhcp server statistics command to clear the statistics on a DHCP server, such as the number of DHCP unrecognized packets/request packets/response packets. Related commands: display dhcp server statistics. Examples # Clear the statistics on a DHCP server. <Sysname>...
<Sysname> system-view
System View: return to User View with Ctrl+Z.
# Bind the host aaaa-bbbb with the IP address 10.1.1.1. The mask is 255.255.255.0.
[Sysname] dhcp server ip-pool 0
[Sysname-dhcp-pool-0] static-bind ip-address 10.1.1.1 mask 255.255.255.0
[Sysname-dhcp-pool-0] static-bind client-identifier aaaa-bbbb
static-bind ip-address
Syntax
static-bind ip-address ip-address [ mask mask ]
undo static-bind ip-address...
static-bind mac-address Syntax static-bind mac-address mac-address undo static-bind mac-address View DHCP address pool view Parameters mac-address: MAC address of the host to which the IP address is to be bound. You need to provide this argument in the form of H-H-H. Description Use the static-bind mac-address command to specify a MAC address to which an IP address will be bound statically in a DHCP global address pool.
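Added example (not from the H3C manual): a Python check that validates static bindings against the formats given above (client ID as H-H-H… with a 2- or 4-digit last group and 4 to 160 characters, MAC address as H-H-H, pool name of 1 to 35 characters) and emits the static-bind commands only for bindings that pass. It assumes one static binding per global address pool and MAC groups written with all four hex digits; the names and the sample data are constructed, apart from the 10.1.1.1 / aaaa-bbbb binding taken from the example on this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Client ID: H-H-H..., every H is 4 hex digits except the last (2 or 4 digits).
_CLIENT_ID = re.compile(r"^(?:[0-9A-Fa-f]{4}-)*[0-9A-Fa-f]{2}(?:[0-9A-Fa-f]{2})?$")
# MAC address in H-H-H form. Assumption: each group carries all 4 hex digits.
_MAC = re.compile(r"^[0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2}$")


def valid_client_id(value):
    return 4 <= len(value) <= 160 and bool(_CLIENT_ID.match(value))


def valid_mac(value):
    return bool(_MAC.match(value))


@dataclass
class Binding:
    pool: str                        # global address pool name (hypothetical field names)
    ip: str
    mask: Optional[str] = None
    client_id: Optional[str] = None
    mac: Optional[str] = None


def check_binding(b):
    """Return a list of problems; an empty list means the binding is well formed."""
    problems = []
    if not 1 <= len(b.pool) <= 35 or re.search(r"\s", b.pool):
        problems.append("pool name must be 1 to 35 characters without spaces")
    try:
        addr = ipaddress.IPv4Address(b.ip)
        if b.mask is not None:
            net = ipaddress.IPv4Network(f"{b.ip}/{b.mask}", strict=False)
            if str(net.netmask) != b.mask:
                problems.append("mask must be a dotted-decimal netmask")
            elif net.prefixlen < 31 and addr in (net.network_address,
                                                 net.broadcast_address):
                problems.append("address is the network or broadcast address")
    except ValueError as exc:
        problems.append(f"bad address or mask: {exc}")
    if (b.client_id is None) == (b.mac is None):
        problems.append("give exactly one of client_id or mac")
    elif b.client_id is not None and not valid_client_id(b.client_id):
        problems.append(f"client ID {b.client_id!r} is not in H-H-H form")
    elif b.mac is not None and not valid_mac(b.mac):
        problems.append(f"MAC address {b.mac!r} is not in H-H-H form")
    return problems


def render_binding(b):
    """Commands for one validated binding, in the order used on this page."""
    problems = check_binding(b)
    if problems:
        raise ValueError("; ".join(problems))
    ip_line = f"static-bind ip-address {b.ip}" + (f" mask {b.mask}" if b.mask else "")
    if b.client_id is not None:
        id_line = f"static-bind client-identifier {b.client_id}"
    else:
        id_line = f"static-bind mac-address {b.mac}"
    return [f"dhcp server ip-pool {b.pool}", ip_line, id_line]


def build_config(bindings):
    """Return (commands, rejected); rejected is a list of (pool, problems)."""
    commands, rejected = [], []
    seen_pools, seen_ips, seen_ids = set(), set(), set()
    for b in bindings:
        problems = check_binding(b)
        ident = (b.client_id or b.mac or "").lower()
        if b.pool in seen_pools:
            problems.append("pool name already used")
        if b.ip in seen_ips:
            problems.append(f"{b.ip} is already bound in another pool")
        if ident and ident in seen_ids:
            problems.append(f"{ident} is already bound to another address")
        if problems:
            rejected.append((b.pool, problems))
            continue
        seen_pools.add(b.pool)
        seen_ips.add(b.ip)
        seen_ids.add(ident)
        commands.extend(render_binding(b))
    return commands, rejected


# Constructed sample; only the first entry uses values from this page.
BINDINGS = [
    Binding("0", "10.1.1.1", "255.255.255.0", client_id="aaaa-bbbb"),
    Binding("printer", "10.1.1.20", "255.255.255.0", mac="000d-88f8-4e71"),
    Binding("bad-id", "10.1.1.21", "255.255.255.0", client_id="aabb-cc-dddd"),
    Binding("dup", "10.1.1.1", "255.255.255.0", mac="0005-e01c-02e3"),
]

if __name__ == "__main__":
    cmds, bad = build_config(BINDINGS)
    print("\n".join(cmds))
    for pool, why in bad:
        print(f"rejected {pool}: {'; '.join(why)}")
```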
Page 537
View DHCP address pool view Parameters ncp-ip ip-address: Specifies the IP address of the primary network calling processor. as-ip ip-address: Specifies the IP address of the backup network calling processor. voice-vlan vlan-id: Specifies the voice VLAN ID, in the range of 2 to 4094. disable: Disables the specified VLAN, meaning DHCP clients will not take this VLAN as their voice VLAN.
DHCP Snooping Configuration Commands DHCP Snooping Configuration Commands dhcp-snooping Syntax dhcp-snooping undo dhcp-snooping View System view Parameters None Description Use the dhcp-snooping command to enable the DHCP snooping function. Use the undo dhcp-snooping command to disable the DHCP snooping function. After DHCP snooping is disabled, all the ports can forward DHCP replies from the DHCP server without recording the IP-to-MAC bindings of the DHCP clients.
Option 82 as HEX or ASCII. By default, the Option 82 is in HEX format. Note that among S3100 series switches, only S3100-EI series switches support the two commands. The dhcp-snooping information format command applies only to the default content of the Option 82 field.
Option 82 as the extended or standard one. By default, the padding format for Option 82 is the extended one. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Configure the padding format for Option 82 as the standard one.
By default, the remote ID sub-option in Option 82 is the MAC address of the DHCP Snooping device that received the DHCP client’s request. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Configure the remote ID sub-option of Option 82 as the system name (sysname) of the DHCP snooping device.
Enable DHCP-snooping and DHCP-snooping Option 82 before performing this configuration. If a handling policy is configured on a port, this configuration overrides the globally configured handling policy for requests received on this port, while the globally configured handling policy applies on those ports where a handling policy is not natively configured. Examples # Configure the keep handling policy for DHCP requests that contain Option 82 on the DHCP snooping device.
Ethernet port view, the former circuit ID applies to the DHCP messages from the specified VLAN, while the latter one applies to DHCP messages from other VLANs. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Set the circuit ID field in Option 82 of the DHCP messages sent through Ethernet 1/0/1 to abc.
Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Configure the remote ID of Option 82 in DHCP packets to abc on the port Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z.
By default, the unauthorized DHCP server detection handling method is trap. Note that: Among S3100 series switches, only S3100-SI series switches support the two commands. A port shut down administratively is in the closed state and cannot receive or forward packets;...
By default, the source MAC address of DHCP-DISCOVER messages is the bridge MAC address of the switch. Note that among S3100 series switches, only S3100-SI series switches support the two commands. Examples # Specify the source MAC address for DHCP-DISCOVER messages as 000f-e200-3100.
display dhcp-snooping Syntax display dhcp-snooping [ unit unit-id ] View Any view Parameters unit unit-id: Number of the device whose DHCP snooping information is to be displayed. The value is 1. Description Use the display dhcp-snooping command to display the user IP-MAC address mapping entries recorded by the DHCP snooping function.
Description Use the display dhcp-snooping server-guard command to display information about unauthorized DHCP server detection. Note that among S3100 series switches, only S3100-SI series switches support this command. Examples # Display information about unauthorized DHCP server detection. <Sysname> display dhcp-snooping server-guard DHCP-Snooping is enabled.
If you specify a VLAN, all the IP static binding entries for the specified VLAN will be displayed. If you specify a port, all the IP static binding entries for the specified port will be displayed. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Display all IP static binding entries configured.
By default, the filtering of the IP packets received through a port based on the source IP address or source MAC address of the packets is disabled. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Enable the filtering of the IP packets received through port Ethernet 1/0/11 based on the source IP address of the packets.
IP address cannot pass the IP filtering. Note that among S3100 series switches, only S3100-EI series switches support the two commands. Related commands: ip check source ip-address. Examples # Configure static binding among source IP address 1.1.1.1, source MAC address 0015-e20f-0101, and...
Description
Use the reset dhcp-snooping command to remove DHCP snooping entries from a switch. If no ip-address is specified, all DHCP snooping entries are removed.
Examples
# Remove all DHCP snooping entries from the switch.
<Sysname> reset dhcp-snooping
dhcp protective-down recover interval
Syntax
dhcp protective-down recover interval interval
undo dhcp protective-down recover interval
View
System view
Parameters
interval: Interval (in seconds) for a port disabled due to the DHCP traffic exceeding the set threshold to be brought up again. This argument ranges from 10 to 86,400.
Description
Use the dhcp protective-down recover interval command to set an auto recovery interval.
Description Use the dhcp rate-limit command to configure the maximum rate of DHCP traffic for the port. When the number of DHCP packets received on the port per second exceeds the specified threshold, the switch will discard the exceeding DHCP packets. Use the undo dhcp rate-limit command to restore the default.
Description Use the display dhcp client command to display the information about the address allocation of DHCP clients. Note that S3100 series Ethernet switches that operate as DHCP clients support a maximum lease duration of 24 days currently. Examples # Display the information about the address allocation of DHCP clients.
Table 4-1 Description on the fields of the display dhcp client command
Field: Description
Vlan-interface1: VLAN interface operating as a DHCP client to obtain an IP address dynamically
Current machine state: The state of the client state machine
Allocated IP: IP address allocated to the DHCP client
lease: Lease period...
To improve security and avoid malicious attacks on unused sockets, S3100 Ethernet switches provide the following functions:
UDP ports 67 and 68 used by DHCP are enabled/disabled only when DHCP is enabled/disabled.
The implementation is as follows:
After the DHCP client is enabled by executing the ip address dhcp-alloc command, UDP port 68 is enabled.
Table 4-2 Description on the fields of the display bootp client command
Field: Description
Vlan-interface1: VLAN-interface 1 is configured to obtain an IP address through BOOTP.
Allocated IP: IP address allocated to the VLAN interface
Transaction ID: Value of the XID field in BOOTP packets
Mac Address: MAC address of the BOOTP client
Default router...
ACL Configuration Commands
H3C S3100-SI Series Ethernet switches support basic ACLs and advanced ACLs; S3100-EI Series Ethernet switches support basic ACLs, advanced ACLs, Layer 2 ACLs, and IPv6 ACLs.
ACL Configuration Commands
Syntax
acl number acl-number [ match-order { auto | config } ]...
By default, ACL rules are matched in the order they are defined. Only after the rules in an existing ACL are fully removed can you modify the match order of the ACL. In ACL view, you can use the rule command to add rules to the ACL. Related commands: rule.
Examples
# Assign description string “This ACL is used for filtering all HTTP packets” to ACL 3000.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] description This ACL is used for filtering all HTTP packets
# Use the display acl command to view the configuration information of ACL 3000.
[Sysname-acl-adv-3000] display acl 3000
Advanced ACL 3000, 0 rule...
According to the output, you can determine the number of resources consumed by a certain type of ACL rules and whether the exhaustion of resources causes the failure to assign ACL rules. Only H3C S3100-EI series switches support this command. Example # Display information about the remaining ACL resources.
Field: Description
Remaining Number: Number of remaining resources
Start Port Name, End Port Name: Start port number and end port number corresponding to the entry
display ipv6-acl-template
Syntax
display ipv6-acl-template
View
Any view
Parameter
None
Description
Use the display ipv6-acl-template command to display the IPv6 ACL template configuration information.
Displays information about packet filtering on the VLAN specified by vlan-id. Description Use the display packet-filter command to display information about packet filtering. Only H3C S3100-EI series switches support this command. Example # Display information about packet filtering on the switch.
Description Use the display time-range command to display the configuration and status of a time range or all the time ranges. For active time ranges, this command displays “Active”; for inactive time ranges, this command displays “Inactive”. Related commands: time-range. Examples # Display all time ranges.
If there is already a template, you need to remove it to configure a new one. If the template is referenced by an IPv6 ACL rule that has been applied, you cannot remove it. Only H3C S3100-EI series switches support this command. Example # Configure an IPv6 ACL template to match the source address and destination address fields in IPv6 packets.
Use the undo packet-filter command to cancel the assignment of an ACL. Only H3C S3100-EI series switches support this command. Examples # Apply all rules of basic ACL 2000 on Ethernet 1/0/1 to filter inbound packets. Here, it is assumed that the ACL and its rules are already configured.
When you need to apply an ACL to all ports in a VLAN, you can use the packet-filter vlan command to achieve the goal in one operation. Only H3C S3100-EI series switches support this command. An ACL assigned to a VLAN takes effect only for the packets tagged with 802.1Q header. For more information about 802.1Q header, refer to the VLAN part.
rule (for Basic ACLs)
Syntax
rule [ rule-id ] { deny | permit } [ rule-string ]
undo rule rule-id [ fragment | source | time-range ]*
View
Basic ACL view
Parameters
Parameters of the rule command
rule-id: ACL rule ID, in the range of 0 to 65534.
deny: Drops the matched packets.
When you assign basic ACLs to the hardware for packet filtering, the fragment keyword is not supported on a H3C S3100-EI Series Ethernet switch. Description Use the rule command to define an ACL rule. Use the undo rule command to remove an ACL rule or specified settings of an ACL rule.
Arguments/Keywords Type Function Description Indicates that the Fragment rule applies only fragment — information to non-tail fragments. Specifies the TTL The ttl argument can be a number in information for the ACL rule. the range 0 to 255. Specifies the time-name: specifies the name of the Time range time range in...
Keyword DSCP value in decimal DSCP value in binary 110000 111000 101110 If you specify the precedence keyword, you can directly input a value ranging from 0 to 7 or input one of the keywords listed in Table 1-9 as IP precedence. Table 1-9 IP Precedence values and the corresponding keywords Keyword IP Precedence in decimal...
Table 1-11 TCP/UDP-specific ACL rule information Parameters Type Function Description The value of operator can be lt (less than), gt (greater than), eq (equal to), neq (not equal to) or range (within the range of). Only the range operator requires two port numbers as the operands.
Table 1-13 ICMP-specific ACL rule information Parameters Type Function Description icmp-type: ICMP message type, Type and Specifies the type and icmp-type ranging from 0 to 255 message code message code icmp-type information of information of ICMP icmp-code: ICMP message code, icmp-code ICMP packets packets in the ACL rule...
destination: Removes the settings concerning the destination address in the ACL rule. destination-port: Removes the settings concerning the destination port in the ACL rule. This keyword is only available to the ACL rules with their protocol types set to TCP or UDP. icmp-type: Removes the settings concerning the ICMP type and message code in the ACL rule.
Examples
# Create advanced ACL 3000 and define rule 1 to deny packets with the source IP address of 192.168.0.1 and DSCP priority of 46.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 1 deny ip source 192.168.0.1 0 dscp 46
[Sysname-acl-adv-3000] quit
# Create advanced ACL 3001 and define rule 1 to permit TCP packets that are sourced from network 129.9.0.0/16, destined for network 202.38.160.0/24, and using the destination port number of 80.
Parameters Type Function Description source-mac-addr: Source MAC address, in the format of H-H-H. source-mac-mask: Mask of the source MAC address, in the format of H-H-H. vlan-id, vlan-id1, vlan-id2: Source VLAN ID, in the range of 1 to 4,094. The value of operator can be lt (less than), gt (greater than), eq (equal Specifies the to), neq (not equal to) or range...
Note the following when assigning a Layer 2 ACL to the hardware:
The 802.3/802.2 and 802.3 keywords are not supported.
When defining the source VLAN information, the operator argument cannot be neq.
When defining the source VLAN information, you can specify up to four port ranges with the range operator.
View
IPv6 ACL view
Parameter
rule-id: ACL rule ID, in the range of 0 to 65534.
deny: Drops the matched packets.
permit: Permits the matched packets.
dscp rule-string rule-mask: Specifies the traffic class information. Arguments rule-string and rule-mask indicate the content string and mask and consist of two hexadecimal numbers respectively.
ip-protocol rule-string rule-mask: Specifies the next header information.
If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule will be the greatest rule number plus one. If the current greatest rule number is 65534, however, the system will display an error message and you need to specify a number for the rule.
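The following is an added example, not taken from the H3C manual: a small Python model of the rule behaviour described above (automatic rule numbering, matching in the order the rules are defined, and the source/wildcard form used in the command examples), with a check for rules that can never match because an earlier rule already covers them. The Acl class, its method names and the sample rules are constructed for illustration, and only the source and dscp keywords are modelled.

```python
import ipaddress
import re

MAX_RULE_ID = 65534  # highest rule-id the manual allows

# Subset of the rule syntax shown on this page: optional rule-id, action,
# optional "ip", optional "source addr wildcard", optional "dscp value".
RULE_RE = re.compile(
    r"^rule(?:\s+(?P<id>\d+))?\s+(?P<action>permit|deny)(?:\s+ip)?"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<wild>\S+))?"
    r"(?:\s+dscp\s+(?P<dscp>\d+))?$"
)


def _ipv4(text):
    """Dotted quad to int; a bare "0" wildcard means 0.0.0.0 (exact host)."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def _covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    if a["dscp"] is not None and a["dscp"] != b["dscp"]:
        return False
    if a["src"] is None:
        return True
    if b["src"] is None:
        return False
    care = ~a["wild"] & 0xFFFFFFFF  # address bits that rule a compares
    return (b["wild"] & care) == 0 and ((a["src"] ^ b["src"]) & care) == 0


class Acl:
    def __init__(self):
        self.rules = {}  # rule-id -> rule; dict order is the order of definition

    def add(self, line):
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError("unsupported rule syntax: %r" % line)
        if m["id"] is not None:
            rule_id = int(m["id"])
        elif not self.rules:
            rule_id = 0                       # first rule of an empty ACL
        else:
            rule_id = max(self.rules) + 1     # greatest rule number plus one
        if rule_id > MAX_RULE_ID:
            raise ValueError("rule-id above 65534: specify a free rule-id")
        self.rules[rule_id] = {
            "action": m["action"],
            "src": None if m["src"] is None else _ipv4(m["src"]),
            "wild": None if m["wild"] is None else _ipv4(m["wild"]),
            "dscp": None if m["dscp"] is None else int(m["dscp"]),
        }
        return rule_id

    def evaluate(self, src_ip, dscp=None):
        """Return (rule-id, action) of the first matching rule, else None."""
        ip = _ipv4(src_ip)
        for rule_id, r in self.rules.items():
            # Wildcard bits set to 1 are ignored; bits set to 0 must be equal.
            if r["src"] is not None and (ip ^ r["src"]) & ~r["wild"] & 0xFFFFFFFF:
                continue
            if r["dscp"] is not None and r["dscp"] != dscp:
                continue
            return rule_id, r["action"]
        # No rule matched; what happens next depends on where the ACL is
        # applied and is not modelled here.
        return None

    def shadowed(self):
        """List (rule-id, covering earlier rule-id) for unreachable rules."""
        found, earlier = [], []
        for rule_id, r in self.rules.items():
            for prev_id, prev in earlier:
                if _covers(prev, r):
                    found.append((rule_id, prev_id))
                    break
            earlier.append((rule_id, r))
        return found


# Constructed sample rules (not a configuration from the manual).
SAMPLE_RULES = [
    "rule deny ip source 192.168.0.1 0 dscp 46",
    "rule permit ip source 1.1.1.0 0.0.0.255",
    "rule deny ip source 1.1.1.5 0",            # never reached: rule 1 covers it
    "rule 10 deny ip source 1.1.0.0 0.0.255.255",
    "rule permit ip",
]


def build_sample():
    acl = Acl()
    for line in SAMPLE_RULES:
        acl.add(line)
    return acl


if __name__ == "__main__":
    acl = build_sample()
    print("rule ids:", list(acl.rules))
    print("1.1.1.5 ->", acl.evaluate("1.1.1.5"))
    print("shadowed:", acl.shadowed())
```

The shadowed() check is the part worth running against a real rule list before applying it: a narrow deny placed after a broader permit is accepted without complaint but never takes effect.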
By default, an ACL rule has no comment.
Before defining a comment for an ACL rule, make sure that the ACL rule exists.
Examples
# Define the comment “This rule is to be applied to Ethernet 1/0/1” for rule 0 of advanced ACL 3001.
<Sysname>...
jointly define a period in which the absolute time range takes effect. If the start date is not specified, the time range starts from 1970/01/01 00:00. to end-time end-date: Specifies the end date of an absolute time range, in the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD.
QoS Commands
QoS Commands
burst-mode enable
Syntax
burst-mode enable
undo burst-mode enable
View
System view
Parameter
None
Description
Use the burst-mode enable command to enable the burst function.
Use the undo burst-mode enable command to disable the burst function.
By default, the burst function is disabled.
Example
# Enable the burst function.
Use the display qos-global command to display the QoS-related configuration performed for all the packets. Only H3C S3100-EI series switches support this command. Example # Display all the QoS configurations performed for all the packets on an S3100-EI series switch.
Table 1-1 Description on the fields of the display qos-global command Field Description Inbound Packet direction Matches ACL rules for traffic classifying Target rate Traffic policing target rate Conform action Action conducted to packet conforming to the traffic specification Exceed action Action conducted to packets exceeding the traffic specification The function of collecting traffic policing statistics information is meter-statistic running...
weight of queue 3: 1 Table 1-2 Description on the fields of the display qos-interface all command Field Description line-rate Port with rate limiting configured Inbound direction. That is, rate limiting is performed to the Inbound inbound packets 1024 Kbps The target rate Queue scheduling mode Queue scheduling algorithm adopted...
Use the display qos-interface mirrored-to command to display the traffic mirroring configuration of a port or all the ports on the device. Related command: mirrored-to. Only H3C S3100-EI series switches support this command. Example # Display the traffic mirroring configuration of Ethernet 1/0/1 on an S3100-EI series switch.
Unit ID, which is fixed to 1. With this argument specified, the traffic policing configuration of all the ports on the device is displayed. Only H3C S3100-EI series switches support this command. Description Use the display qos-interface traffic-limit command to display the traffic policing configuration of a port or all the ports on the device.
Use the display qos-interface traffic-priority command to display the priority marking configuration of a port or all the ports on the device. Related command: traffic-priority. Only H3C S3100-EI series switches support this command. Example # Display the priority marking configuration of Ethernet 1/0/1 (assuming that the current device is an S3100-EI series switch).
Use the display qos-interface traffic-redirect command to display the traffic redirecting configuration of a port or all the ports on the device. Related command: traffic-redirect. Only H3C S3100-EI series switches support this command. Example # Display the traffic redirecting configuration of Ethernet 1/0/1 (assuming that the current device is an S3100-EI series switch).
Unit ID, which is fixed to 1. With this argument specified, the traffic shaping configuration of all the ports is displayed.
Description
Use the display qos-interface traffic-shape command to display the traffic shaping configuration of a port or all the ports on the device.
Related command: traffic-shape.
Only H3C S3100-EI series switches support this command.
Example # Display the traffic shaping configuration of Ethernet 1/0/1. <Sysname> display qos-interface Ethernet 1/0/1 traffic-shape Ethernet1/0/1 QID: status max-rate(kbps) burst-size(byte) ---------------------------------------------------- Enable Enable Enable Disable Table 1-7 Description on the fields of the display qos-interface traffic-shape command Field Description Ethernet1/0/1 Port with traffic shaping configured Queue ID...
Only H3C S3100-EI series switches support this command. Example # Display the traffic accounting configuration information and traffic statistics on Ethernet 1/0/1 (assuming that the current device is an S3100-EI series switch). <Sysname> display qos-interface Ethernet 1/0/1 traffic-statistic Ethernet1/0/1: traffic-statistic...
Only H3C S3100-EI series switches support this command. Example # Display all the QoS-related configurations of port group 1 (assuming that the current device is an S3100-EI series switch). <Sysname> display qos-port-group 1 all Port-group 1 traffic-limit Inbound: Matches: Acl 3001 rule 0...
Example # Display all the QoS-related configuration performed for VLAN 1 (assuming that the current device is an S3100-EI series switch). <Sysname> display qos-vlan 1 all Vlan 1 traffic-limit Inbound: Matches: Acl 3001 rule 0 running Target rate: 128 Kbps Exceed action: drop meter-statistic not running Refer to...
View
Ethernet port view
Parameter
inbound: Limits the inbound packet rate.
outbound: Limits the outbound packet rate.
target-rate: Total target rate (in kbps). The range of this argument varies with port type as follows:
Fast Ethernet port: 64 to 99,968;
GigabitEthernet port: 64 to 1,000,000.
View
System view, Port group, Ethernet port view
Parameter
inbound: Duplicates inbound packets.
acl-rule: ACL rules to be applied. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-9 and Table 1-10. Note that the ACL rules referenced must be those defined with the permit keyword specified.
Only H3C S3100-EI series switches support this command. Example # Mirror packets that match ACL 2000 on port Ethernet 1/0/1 to Ethernet 1/0/4 through traffic mirroring (assuming that the current device is an S3100-EI series switch). <Sysname> system-view System View: return to User View with Ctrl+Z.
Note that, the same ACL cannot be simultaneously referenced in both traffic mirroring configuration and traffic redirecting configuration for a VLAN. Only H3C S3100-EI series switches support this command. The traffic mirroring function configured on a VLAN is only applicable to packets tagged with 802.1Q header.
Parameter
priority-level: Port priority, ranging from 0 to 7.
Description
Use the priority command to configure the priority of an Ethernet port.
Use the undo priority command to restore the default port priority.
By default, the priority of an Ethernet port is 0.
Example
# Set the priority of Ethernet 1/0/1 to 6.
By default, a switch trusts the 802.1p priority of the received packets. A port of an S3100 series switch can accommodate four output queues. The output queue to which a received packet is added is determined by its local precedence: DSCP precedence: Ranges from 0 to 63.
Related command: display priority-trust.
Example
# Configure the switch to trust the DSCP precedence of the received packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] priority-trust dscp
# Display the configuration result.
[Sysname] display priority-trust
Priority trust mode: dscp
qos cos-local-precedence-map
Syntax
qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec...
CoS value Local precedence Related command: display qos cos-local-precedence-map. Example # Configure the CoS-precedence-to-local-precedence mapping relationship as follows: 0 to 0, 1 to 0, 2 to 1, 3 to 1, 4 to 2, 5 to 2, 6 to 3, and 7 to 3. <Sysname>...
The default DSCP-precedence-to-local-precedence mapping table is shown in Table 1-12. Table 1-12 The default DSCP-precedence-to-local-precedence mapping table DSCP Local precedence 0 to 15 16 to 31 32 to 47 48 to 63 Related command: display qos dscp-local-precedence-map. Example # Modify the DSCP-precedence-to-local-precedence mapping table according to Table 1-13.
62 :
63 :
qos ip-precedence-local-precedence-map
Syntax
ip-precedence-local-precedence-map ip0-map-local-prec ip1-map-local-prec ip2-map-local-prec ip3-map-local-prec ip4-map-local-prec ip5-map-local-prec ip6-map-local-prec ip7-map-local-prec
undo qos cos-local-precedence-map
View
System view
Parameter
ip0-map-local-prec: Local precedence to which IP 0 is to be mapped, in the range 0 to 3.
ip1-map-local-prec: Local precedence to which IP 1 is to be mapped, in the range 0 to 3.
Related command: display qos ip-precedence-local-precedence-map. Only H3C S3100-SI series switches support this command. Example # Configure the IP-precedence-to-local-precedence mapping relationship as follows: 0 to 1, 1 to 1, 2 to 0, 3 to 0, 4 to 2, 5 to 2, 6 to 3, and 7 to 3 (assuming that the current device is an S3100-SI series switch).
By default, the WRR queue scheduling algorithm is adopted, and the weight assigned to queue 0, queue 1, queue 2, and queue 3 is 1, 2, 3, and 4. The port of an S3100 series switch can accommodate four output queues. You can configure the queue scheduling algorithm as needed:...
ACL rules, or packets that match specific ACL rules and are of a port group or pass a port. Related command: traffic-limit. Only H3C S3100-EI series switches support this command. Example # Clear the traffic policing statistics on packets matching ACL 2000 and passing Ethernet 1/0/1 (assuming that the current device is an S3100-EI series switch).
Only H3C S3100-EI series switches support this command. Example # Clear the statistics on packets that match ACL 2000 and are of VLAN 1 (assuming that the current device is an S3100-EI series switch). <Sysname> system-view System View: return to User View with Ctrl+Z.
Use the reset traffic-statistics vlan command to clear the statistics on packets that are of a VLAN and match specific ACL rules. Related command: traffic-statistic vlan. Only H3C S3100-EI series switches support this command. Example # Clear the statistics on packets that match ACL 2000 and are of VLAN 1 (assuming that the current device is an S3100-EI series switch).
acl-rule: ACL rules to be applied. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-9 and Table 1-10. Note that the ACL rules referenced must be those defined with the permit keyword specified.
target-rate: Target traffic rate of traffic policing (in kbps).
Use the undo traffic-limit command to cancel the configuration. By default, traffic policing is disabled globally, on all port groups, and all ports. Only H3C S3100-EI series switches support this command. With broadcast suppression, multicast suppression, or line rate for the inbound direction enabled on a device, you cannot configure traffic policing on the device.
Related command: display qos-interface traffic-limit, reset traffic-limit. Example # Perform traffic policing for packets matching ACL 4000 on Ethernet 1/0/1. Limit the rate within 128 kbps and drop the packets exceeding the traffic limit (assuming that the current device is an S3100-EI series switch).
Use the undo traffic-limit vlan command to disable traffic policing on a VLAN. By default, traffic policing is disabled on a VLAN. Only H3C S3100-EI series switches support this command. Traffic policing configured on a VLAN is only applicable to packets tagged with 802.1Q header.
By default, priority marking is disabled globally, on all port groups, and all ports. Related command: display qos-interface traffic-priority. Only H3C S3100-EI series switches support this command. Example # Set the 802.1p precedence to 1 for packets matching ACL 4000 and passing Ethernet 1/0/1 (assuming that the current device is an S3100-EI series switch).
VLAN. By default, priority marking is disabled on a VLAN. Related command: display qos-vlan. Only H3C S3100-EI series switches support this command. The priority marking function configured on a VLAN is only applicable to packets tagged with 802.1Q header.
By default, traffic redirecting is disabled globally, on all port groups, and all ports. Only H3C S3100-EI series switches support this command. Packets redirected to the CPU are not forwarded.
Note that, the same ACL cannot be simultaneously referenced in both traffic mirroring configuration and traffic redirecting configuration for a VLAN. Only H3C S3100-EI series switches support this command. The traffic redirecting function configured on a VLAN is only applicable to packets tagged with 802.1Q header.
Example
# Redirect the packets that match ACL 2000 rules and are of VLAN 1 to Ethernet 1/0/7 (assuming that the current device is an S3100-EI series switch).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 1.1.1.0 0.0.0.255
[Sysname-acl-basic-2000] quit
[Sysname] traffic-redirect vlan 1 inbound ip-group 2000 interface Ethernet1/0/7...
By default, traffic shaping is disabled. Related command: display qos-interface traffic-shape. Only H3C S3100-EI series switches support this command. Example # Configure traffic shaping on Ethernet 1/0/1, with the maximum rate being 640 kbps and the burst size being 16 KB.
Note that, for the same ACL rule, the traffic accounting function and the meter statistic keyword of the traffic-limit command are mutually exclusive in system view, Ethernet port view, or port group view. Only H3C S3100-EI series switches support this command. Related command: display qos-interface traffic-statistic, reset traffic-statistic.
Note that, for the same ACL rule, the traffic accounting function and the meter statistic keyword of the traffic-limit command are mutually exclusive in a VLAN. Only H3C S3100-EI series switches support this command. The traffic accounting function configured on a VLAN is only applicable to packets tagged with 802.1Q header.
QoS Profile Configuration Commands Only H3C S3100-EI series switches support this configuration. QoS Profile Configuration Commands apply qos-profile Syntax In system view apply qos-profile profile-name interface interface-list undo apply qos-profile profile-name interface interface-list In Ethernet port view apply qos-profile profile-name...
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] apply qos-profile a123
# Apply the QoS profile named a123 to Ethernet 1/0/1 through Ethernet 1/0/4.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] apply qos-profile a123 interface Ethernet 1/0/1 to Ethernet 1/0/4
display qos-profile
Syntax
display qos-profile { all | name profile-name | interface interface-type interface-number | user...
# Display the configuration of the QoS profile applied to Ethernet 1/0/1, assuming that the QoS profile has been applied to Ethernet 1/0/1 manually.
<Sysname> display qos-profile interface Ethernet 1/0/1
User's qos-profile applied mode: user-based
Default applied qos-profile: test, 3 actions
packet-filter inbound ip-group 2000 rule 0
traffic-limit inbound ip-group 3000 rule 0 64
traffic-priority inbound ip-group 4000 rule 0 cos controlled-load...
packet-filter
Syntax
packet-filter inbound acl-rule
undo packet-filter inbound acl-rule
View
QoS profile view
Parameter
inbound: Filters the inbound packets.
acl-rule: ACL rules to be applied. This argument can be the combination of multiple ACLs. For more information about this argument, refer to Table 1-9 and Table 1-10.
Description Use the qos-profile command to create a QoS profile and enter QoS profile view. If the QoS profile already exists, this command leads you to the corresponding QoS profile view. Use the undo qos-profile command to remove a QoS profile. A QoS profile currently applied to a port cannot be removed or modified.
Example
# Add a traffic policing action to the QoS profile named a123 to limit the rate of the inbound packets matching ACL 2000 to 128 kbps and drop the packets exceeding 128 kbps.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] qos-profile a123
[Sysname-qos-profile-a123] traffic-limit inbound ip-group 2000 128 exceed drop...
Mirroring Commands
Mirroring Commands
display mirroring-group
Syntax
display mirroring-group { group-id | all | local | remote-destination | remote-source }
View
Any view
Parameters
group-id: Specifies the mirroring group of which the configurations are to be displayed, the value of which can only be 1.
Ethernet1/0/1 inbound
reflector port: Ethernet1/0/2
remote-probe vlan: 10
# Display the configurations of a remote destination mirroring group on your S3100-EI series Ethernet switch.
<Sysname> display mirroring-group 1
mirroring-group 1:
type: remote-destination
status: active
monitor port: Ethernet1/0/3
remote-probe vlan: 20
Table 1-1 Description on the fields of the display mirroring-group command
Field Description...
The mirroring group you created can take effect only after you configure other parameters for it. Note that, an S3100 series Ethernet switch supports configuring only one destination port in local port mirroring or one reflector port in remote port mirroring. That is, on an S3100 switch, there can be only one effective local mirroring group or one effective remote source mirroring group.
Description Use the mirroring-group mirroring-port command to configure the source ports for a local mirroring group or a remote source mirroring group. Use the undo mirroring-group mirroring-port command to remove the source ports of a local mirroring group or a remote source mirroring group. Note that: The S3100-SI series do not support the both keyword in the source port configuration for a remote source mirroring group.
You cannot configure a member port of an aggregation group, or a port enabled with LACP or STP as the destination port. Before configuring a destination port for a local mirroring group, make sure that the corresponding mirroring group has already been created. It is recommended that you use a destination port for port mirroring purpose only.
[Sysname] mirroring-group 1 remote-source
[Sysname] mirroring-group 1 reflector-port Ethernet 1/0/2
mirroring-group remote-probe vlan
Syntax
mirroring-group group-id remote-probe vlan remote-probe-vlan-id
undo mirroring-group group-id remote-probe vlan remote-probe-vlan-id
View
System view
Parameters
group-id: Number of a port mirroring group, the value of which can only be 1.
remote-probe vlan remote-probe-vlan-id: Specifies the remote-probe VLAN for the mirroring group.
Related commands: display mirroring-group. When you configure mirroring source port on an Ethernet port of an S3100 series Ethernet switch, if mirroring group 1 does not exist, the switch will automatically create local mirroring group 1 and add the source port to the group;...
Note that: You cannot configure a member port of an aggregation group, or a port enabled with LACP and STP as the mirroring destination port. It is recommended that you use a destination port for port mirroring purpose only. Do not use a destination port to transmit other service packets.
Examples
# Configure VLAN 5 as the remote-probe VLAN.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 5
[Sysname-vlan5] remote-probe vlan enable...
Stack Function Configuration Commands
Stack Function Configuration Commands
display stacking
Syntax
display stacking [ members ]
View
Any view
Parameter
members: Displays the information about the members of a stack. Do not specify this keyword when you execute this command on a slave switch.
Description
Use the display stacking command to display the information about the main switch or the slave switches of a stack.
MAC Address:000f-e20f-3124
Member status:Admin
IP: 129.10.1.15 /16
Member number: 1
Name:stack_1.Sysname
Device: S3100
MAC Address: 000f-e20f-3130
Member status:Up
IP: 129.10.1.16/16
Member number: 2
Name:stack_2.Sysname
Device: S3100
MAC Address: 000f-e20f-3135
Member status:Up
IP: 129.10.1.17/16
Table 1-1 Description on the fields of the display stacking command
Field Description
Numbers of the switches in the stack...
stack-port enable
Syntax
stack-port enable
undo stack-port enable
View
Ethernet port view
Parameters
None
Description
Use the stack-port enable command to allow the stack port to send/forward stack join-in requests to/from its connected switch.
Use the undo stack-port enable command to prohibit the stack port from sending/forwarding stack join-in requests to/from its connected switch.
<stack_0.Sysname> stacking 1
<stack_1.Sysname>
<stack_1.Sysname> quit
<stack_0.Sysname>
stacking enable
Syntax
stacking enable
undo stacking enable
View
System view
Parameter
None
Description
Use the stacking enable command to create a stack.
Use the undo stacking enable command to remove a stack.
The stacking enable command triggers a main switch to add the switches connected to its stack ports to the stack.
undo stacking ip-pool
View
System view
Parameter
from-ip-address: Start address of the stack IP address pool.
ip-address-number: Number of the IP addresses in the stack IP address pool. A stack IP address pool contains 16 addresses by default.
ip-mask: Mask of the stack IP address.
Description
Use the stacking ip-pool command to create a stack IP address pool.
HGMP V2 Configuration Commands
NDP Configuration Commands
display ndp
Syntax
display ndp [ interface interface-list ]
View
Any view
Parameters
interface interface-list: Specifies a port list. You need to provide the interface-list argument in the form of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10>...
MAC Address : 000f-e20f-1234
Host Name : 1234_2.Sysname
Port Name : Ethernet1/0/1
Software Ver: V100R002B01D001
Device Name : H3C S3100
Port Duplex : AUTO
Product Ver : 3100
BootROM Ver : 506
Table 2-1 Description on the fields of the two commands
Field...
Field Description Product Ver Product version of the neighbor device BootROM Ver Bootrom version of the neighbor device ndp enable Syntax ndp enable [ interface interface-list ] undo ndp enable [ interface interface-list ] View System view, Ethernet port view Parameters interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where to is used to specify a port range, and &<1-10>...
View System view Parameters aging-in-seconds: Holdtime of the NDP information, ranging from 5 to 255 seconds. Description Use the ndp timer aging command to set the holdtime of the NDP information. This command specifies how long an adjacent device should hold the NDP neighbor information received from the local switch before discarding the information.
Note that NDP information holdtime should be longer than the interval between sending NDP packets. Otherwise, a neighbor entry will be generated and age out frequently, resulting in instability of the NDP port neighbor table. Examples # Set the interval between sending NDP packets to 80 seconds. <Sysname>...
NTDP Configuration Commands display ntdp Syntax display ntdp View Any view Parameters None Description Use the display ntdp command to display the global NTDP information. The displayed information includes topology collection range (hop count), topology collection interval (NTDP timer), device/port forwarding delay of topology collection requests, and time used by the last topology collection.
Field Description Cluster The role of the collected device for the cluster MAC address of a neighbor device connected to Peer MAC the collected device Index of the port on the neighbor device Peer Port ID connected to the collected device Index of the port on the collected device Native Port ID connected to the neighbor device...
Parameters None Description Use the ntdp explore command to manually start a topology collection process. NTDP is able to periodically collect topology information. In addition, you can use this command to manually start a topology collection process at any moment. If you do this, NTDP collects NDP information from all devices in a specific network range (which can be set through the ntdp hop command) as well as the connection information of all its neighbors.
Examples # Set the topology collection range to 5 hops. <aaa_0.Sysname> system-view System View: return to User View with Ctrl+Z. [aaa_0.Sysname] ntdp hop 5 ntdp timer Syntax ntdp timer interval-in-minutes undo ntdp timer View System view Parameters interval-in-minutes: Interval (in minutes) to collect topology information, ranging from 0 to 65,535. A value of 0 disables topology information collection.
ntdp timer hop-delay Syntax ntdp timer hop-delay time undo ntdp timer hop-delay View System view Parameters time: Device forwarding delay in milliseconds. This argument ranges from 1 to 1,000. Description Use the ntdp timer hop-delay command to set the delay for devices to forward topology collection requests.
Description Use the ntdp timer port-delay command to configure the topology request forwarding delay between two ports, that is, the interval at which the device forwards the topology requests through the NTDP-enabled ports one after another. Use the undo ntdp timer port-delay command to restore the default port forwarding delay. By default, the port forwarding delay is 20 ms.
If you do not specify the member number when adding a new cluster member, the management device assigns the next available member number to the new member. If you want to specify the member manually, you need to specify a number that is never used by a member device of the cluster. After you add a candidate device to the cluster, the super password of the device automatically changes to the super password of the management device.
Examples # Remove the current member device from the cluster. <aaa_1.Sysname> system-view System View: return to User View with Ctrl+Z [aaa_1.Sysname] cluster [aaa_1.Sysname-cluster] undo administrator-address auto-build Syntax auto-build [ recover ] View Cluster view Parameters recover: Recovers all member devices. Description Use the auto-build command to start an automatic cluster building process.
Member 000f-e200-2420 is joined in cluster aaa.
%Apr 3 08:12:37:996 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 000f-e202-2180 is joined in cluster aaa.
%Apr 3 08:12:38:113 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 0016-e0c0-c201 is joined in cluster aaa.
%Apr 3 08:12:38:139 2000 aaa_0.Sysname CLST/5/LOG:- 1 - Member 000f-e200-5104 is joined in cluster aaa.
To reduce the risk of malicious users attacking an open socket and to enhance switch security, the S3100 series Ethernet switches provide the following functions, so that a cluster socket is opened only when it is needed: opening UDP port 40000 (used for cluster) only when the cluster function is implemented, and closing UDP port 40000 at the same time the cluster function is closed.
cluster Syntax cluster View System view Parameters None Description Use the cluster command to enter cluster view. Examples # Enter cluster view. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] cluster [Sysname-cluster] cluster enable Syntax cluster enable undo cluster enable View System view...
When you execute undo cluster enable command on a device that does not belong to any cluster, the cluster function is disabled on the device, and thus you cannot create a cluster on the device or add the device to an existing cluster. Examples # Enable the cluster function on the switch.
When you execute this command on the management device with a nonexistent member number or a MAC address that is not in the member list, an error will occur. In this case, you can enter quit to end the switching. Examples # Switch from the management device to the number-6 member device and then switch back to the management device.
System View: return to User View with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] cluster-mac 0180-C200-0028 cluster-mac syn-interval Syntax cluster-mac syn-interval time-interval View Cluster view Parameters time-interval: Interval to send multicast MAC synchronization packets, ranging from 0 to 30 minutes. Description Use the cluster-mac syn-interval command to set the interval for the management device to send HGMP V2 multicast MAC synchronization packets periodically.
to-black-list: Adds the device removed from a cluster to the blacklist to prevent it from being added to the cluster. Description Use the delete-member command to remove a member device from the cluster. Note that a cluster will collect the topology information at the topology collection interval. If you do not add a device to the cluster blacklist when removing it from the cluster, the device will be added to the cluster again when the cluster collects topology information.
Description Use the display cluster command to display the status and statistics information of the cluster to which the current switch belongs. Executing this command on a member device will display the following information: cluster name, member number of the current switch, MAC address and status of the management device, holdtime, and interval to send handshake packets.
You can only use this command on a management device. Note that, after a cluster is set up on an S3100 series switch, the switch will collect the topology information of the network at the topology collection interval you set and automatically add the candidate devices it discovers into the cluster.
Field Description Platform Platform of the candidate device display cluster members Syntax display cluster members [ member-number | verbose ] View Any view Parameters member-number: Member number of a device, ranging from 0 to 255. verbose: Displays detailed information about all the devices in a cluster. Description Use the display cluster members command to display information about one specific or all devices in a cluster.
Hops to administrator device:0 IP: 100.100.1.1/24 Version: H3C Comware Platform Software. Comware Software, Version 3.10 Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved. S3100 3100-0002 Member number:1 Name:aaa_1.Sysname Device:S3100 MAC Address:3900-0000-3334 Member status:Up Hops to administrator device:2 IP: 16.1.1.11/24 Version: H3C Comware Platform Software.
ftp cluster Syntax ftp cluster View User view Parameters None Description Use the ftp cluster command to connect to the shared FTP server of the cluster and enter FTP Client view through the management device. You can use the ftp-server command on the management device to configure the shared FTP server of the cluster, which is used for software version update and configuration file backup of the cluster members.
View Cluster view Parameters ip-address: IP address of the FTP server to be configured for the cluster. Description Use the ftp-server command to configure a shared FTP server for the cluster on the management device. Use the undo ftp-server command to remove the shared FTP server setting. By default, the management device acts as the shared FTP server of the cluster.
By default, the neighbor information holdtime is 60 seconds. Note that: If the management switch does not receive NDP information from a member device within the holdtime, it sets the state of the member device to “down”. When the management device receives the NDP information from the device again, the device will be re-added to the cluster automatically.
Examples # Configure a private IP address pool for a cluster. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] cluster [Sysname-cluster] ip-pool 10.200.0.1 20 logging-host Syntax logging-host ip-address undo logging-host View Cluster view Parameters ip-address: IP address of the device to be configured as the log host of a cluster. Description Use the logging-host command to configure a shared log host for a cluster on the management device.
management-vlan Syntax management-vlan vlan-id undo management-vlan View System view Parameters vlan-id: ID of the VLAN to be specified as the management VLAN. Description Use the management-vlan command to specify the management VLAN on the switch. Use the undo management-vlan command to restore the default management VLAN. By default, VLAN 1 is used as the management VLAN.
Description Use the reboot member command to reboot a specified member device on the management device. When a member device is in trouble due to some configuration errors, you can use the remote control function on the management device to maintain the member device remotely. For example, from the management device, you can delete the configuration file on a member device and reboot the member device, and recover the device to the normal state with the backup configuration.
[aaa_0.Sysname-cluster] snmp-host 1.0.0.9 tftp get Syntax tftp { cluster | tftp-server } get source-file [ destination-file ] View User view Parameters cluster: Downloads files through the shared TFTP server of the cluster. tftp-server: IP address or host name of the TFTP server. source-file: Name of the file to be downloaded from the shared TFTP server of the cluster.
Parameters cluster: Uploads files through the shared TFTP server of the cluster. tftp-server: IP address or host name of the TFTP server. source-file: File name to be uploaded to the shared TFTP server. destination-file: Name of the file to which the uploaded file will be saved in the storage directory of the TFTP server.
By default, no shared TFTP server is configured. After the IP address of the shared TFTP server is configured, NAT is enabled on the management device immediately. When a member device uses the tftp cluster get or tftp cluster put command to download or upload a file from the shared TFTP server, the management device translates the private IP address of the member device to a public network address, forwards the requests of the member device to the TFTP server, and forwards the responses of TFTP server to the member device according...
tracemac Syntax tracemac { by-mac mac-address vlan vlan-id | by-ip ip-address } [ nondp ] View Any view Parameters by-mac: Specifies to trace a device through the specified destination MAC address. mac-address: MAC address of the device to be traced. vlan vlan-id: Specifies to trace a device in the specified VLAN.
[aaa_0.Sysname-cluster] black-list add-mac 0010-3500-e001 # Delete all addresses in the current cluster blacklist. [aaa_0.Sysname-cluster] black-list delete-mac all display cluster base-members Syntax display cluster base-members View Any view Parameters None Description Use the display cluster base-members command to display the information about all the devices in the base cluster topology, such as member number, name, MAC address, and the current status of each device in a cluster.
Parameters mac-address mac-address: Displays the structure of the standard topology three layers above or below the node specified by the MAC address. member member-id: Displays the structure of the standard topology three layers above or below the node specified by the member ID. Description Use the display cluster base-topology command to display the standard topology of the cluster.
Parameters None Description Use the display cluster black-list command to display the information of devices in the current cluster blacklist. Related commands: black-list. Examples # Display the contents of the current cluster blacklist. <aaa_0.Sysname> display cluster black-list Device ID Access Device ID Access port 000f-e200-5502 000f-e202-2180...
Field Description Cluster Role the device plays in the cluster Peer MAC MAC address of the peer device Peer Port ID Name of the port on the peer device connecting to the local device Native Port ID Name of the port on the local device connecting to the peer device Speed Rate of the local port connecting to the peer device Duplex...
<aaa_0.Sysname> system-view Enter system view, return to user view with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] topology accept all save-to local-flash # Accept the device with the MAC address 0010-0f66-3022 as a member of the base cluster topology. <aaa_0.Sysname> system-view Enter system view, return to user view with Ctrl+Z. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] topology accept mac-address 0010-0f66-3022 topology restore-from...
View Cluster view Parameters None Description Use the topology save-to command to save the standard topology of the cluster to the local Flash memory. The file name used to save the standard topology is topology.top. Do not modify the file name. This command is applicable to only the management device of a cluster.
PoE Configuration Commands PoE Configuration Commands display poe interface Syntax display poe interface [ interface-type interface-number ] View Any view Parameter interface-type interface-number: Port type and port number. Description Use the display poe interface command to view the PoE status of a specific port or all ports of the switch.
Table 1-1 Description on the fields of the display poe interface command Field Description Port power enabled PoE is enabled on the port Port power ON/OFF The power on the port is on/off PoE status on the port: user command set port to off: PoE to the port is turned off by the user Port power status Standard PD was detected: A standard PD is detected...
Field Description PoE mode on the port: MODE signal: PoE through the signal cable spare: PoE through the spare cable PoE priority of the port: critical: Highest PRIORITY high: High low: Low PoE status on the port: user command set port to off: PoE to the port is turned off by the user Standard PD was detected: A standard PD is detected Legacy PD was detected: A non-standard PD is detected STATUS...
<Omitted> display poe powersupply Syntax display poe powersupply View Any view Parameter None Description Use the display poe powersupply command to view the parameters of the power sourcing equipment (PSE). Example # Display the PSE parameters. <Sysname> display poe powersupply Unit 1 PSE ID PSE Legacy Detection...
Field Description PoE management mode on the port when the PSE is overloaded: The auto keyword indicates that the auto mode is PSE Power-Management mode adopted, that is, the PoE management mode based on the PoE priority of the port is adopted The manual keyword indicates that the manual mode is adopted in the PoE management on the port display poe temperature-protection...
By default, the PoE feature on a port is enabled by the default configuration file when the device is delivered. If you delete the default configuration file without specifying another one, the PoE function on a port will be disabled after you restart the device. You can use the display poe interface command to display whether PoE is enabled on a port.
Use the undo poe mode command to restore the PoE mode on the current port to the default mode. By default, signal mode is adopted on a port. Note that the S3100 series switches do not support the spare mode currently.
Example # Set the PoE mode on Ethernet 1/0/3 to signal. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/3 [Sysname-Ethernet1/0/3] poe mode signal poe power-management Syntax poe power-management { auto | manual } undo poe power-management View System view Parameter...
high: Sets the port priority to high. low: Sets the port priority to low. Description Use the poe priority command to configure the PoE priority of a port. Use the undo poe priority command to restore the default PoE priority. By default, the PoE priority of a port is low.
The switch disables the PoE feature on all ports for self-protection when its internal temperature exceeds 65°C (149°F), and restores the PoE feature settings on all its ports when the temperature drops below 60°C (140°F). By default, PoE over-temperature protection is enabled on the switch. You can use the display poe temperature-protection command to display whether PoE over-temperature protection is enabled on the switch.
Example
# Update the PSE processing software online.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] poe update refresh 0400_001.S19
Update PoE board successfully
PoE Profile Configuration Commands PoE Profile Configuration Commands apply poe-profile Syntax In system view use the following commands: apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] undo apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] In Ethernet port view use the following commands: apply poe-profile profile-name undo apply poe-profile profile-name...
PoE profile is a set of PoE configurations. One PoE profile can contain multiple PoE features. When the apply poe-profile command is used to apply a PoE profile to a port, some PoE features can be applied successfully while some cannot. PoE profiles are applied to S3100 series Ethernet switches according to the following rules: When the apply poe-profile command is used to apply a PoE profile to a port, the PoE profile is applied successfully only if one PoE feature in the PoE profile is applied properly.
System View: return to User View with Ctrl+Z. [Sysname] display poe-profile name profile-test Poe-profile: profile-test, 3 action poe enable poe max-power 5000 poe priority critical poe-profile Syntax poe-profile profile-name undo poe-profile profile-name View System view Parameter profile-name: Name of PoE profile, a string with 1 to 15 characters. It starts with a letter from a to z or from A to Z, and it cannot be any of reserved keywords like all, interface, user, undo, and mode.
SNMP Configuration Commands SNMP Configuration Commands display snmp-agent Syntax display snmp-agent { local-engineid | remote-engineid } View Any view Parameters local-engineid: Displays the local SNMP entity engine ID. remote-engineid: Displays all the remote SNMP entity engine IDs. At present, the device does not support application of the keyword.
Parameters read: Displays the information about the SNMP communities with read-only permission. write: Displays the information about the SNMP communities with read-write permission. Description Use the display snmp-agent community command to display the information about the SNMPv1/SNMPv2c communities with the specific access permission. SNMPv1 and SNMPv2c use community name authentication.
Field Description Storage type, which can be: volatile: Information will be lost if the system is rebooted nonVolatile: Information will not be lost if the system is rebooted Storage-type permanent: Modification is permitted, but deletion is forbidden readOnly: Read only, that is, no modification, no deletion other: Other storage types display snmp-agent group...
Table 1-2 display snmp-agent group command output description Field Description Group name SNMP group name of the user SNMP group security mode, which can be AuthPriv (authentication with privacy), Security model AuthnoPriv (authentication without privacy), and noAuthnoPriv (no authentication no privacy). Read-only MIB view corresponding to the SNMP Readview group...
Examples
# Display the statistics on SNMP packets.
<Sysname> display snmp-agent statistics
1276 Messages delivered to the SNMP entity
0 Messages which were for an unsupported version
0 Messages which used a SNMP community name not known
0 Messages which represented an illegal operation for the community supplied
0 ASN.1 or BER errors in the process of decoding
1291 Messages passed from the SNMP entity
0 SNMP PDUs which had badValue error-status...
Field Description The total number of SNMP PDUs which were delivered to the SNMP protocol entity and for SNMP PDUs which had genErr error-status which the value of the error-status field is `genErr'. The total number of SNMP PDUs which were SNMP PDUs which had noSuchName delivered to the SNMP protocol entity and for error-status...
For the detailed configuration, refer to the snmp-agent sys-info command. By default, the contact information of an S3100 Ethernet switch is "Hangzhou H3C Technologies Co., Ltd.", the geographical location is "Hangzhou China", and the SNMP version employed is SNMPv3.
SNMPv3 display snmp-agent trap-list Syntax display snmp-agent trap-list View Any view Parameters None Description Use the display snmp-agent trap-list command to display the modules that can generate traps and whether the sending of traps is enabled on the modules. If a module contains multiple submodules, the trap function of the entire module is displayed as enabled as long as the trap function of any of the submodules is enabled.
group-name: Name of an SNMP group, a string of 1 to 32 characters. Description Use the display snmp-agent usm-user command to display the information about a specific type of SNMPv3 users. If you execute this command with no keyword specified, the information about all the SNMPv3 users is displayed, including username, group name, engine ID, storage type and user status.
View Ethernet port view, interface view Parameters None Description Use the enable snmp trap updown command to enable the sending of port/interface linkUp/linkDown traps. Use the undo enable snmp trap updown command to disable the sending of linkUp/linkDown traps. By default, the sending of port/interface linkUp/linkDown traps is enabled. Note that you need to enable the generation of port/interface linkUp/linkDown traps both on the port/interface and globally if you want a port/interface to generate port/interface linkUp/linkDown traps when the state of the port/interface changes.
By default, the SNMP agent is disabled.
Examples
# Start the SNMP agent.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] snmp-agent
An S3100 Ethernet switch provides the following functions to prevent attacks through unused UDP ports. Starting the SNMP agent opens the UDP port used by SNMP agents and the UDP port used by SNMP traps.
The generated password is related to engine ID: password generated under an engine ID can only take effect on this engine ID. Related commands: snmp-agent usm-user v3. SNMP agent must be enabled for you to encrypt a plain-text password. Examples # Use the local engine ID and the md5 algorithm to encrypt plain-text password aaaa.
Typically, “public” is used as a read community name, and “private” is used as a write community name. For security purposes, you are recommended to configure community names other than these two. Examples # Create an SNMP community named comaccess, which has read-only permission to MIB objects. <Sysname>...
acl-number: ID of a basic ACL, in the range 2000 to 2999. Using basic ACL can restrict the source addresses of SNMP messages, namely, permitting or refusing the SNMP messages with specific source addresses, thus restricting access between the NMS and the agent. Description Use the snmp-agent group command to create an SNMP group, and set the security mode and corresponding SNMP view of the group.
Storage-type: nonVolatile Acl:2001 snmp-agent local-engineid Syntax snmp-agent local-engineid engineid undo snmp-agent local-engineid View System view Parameters engineid: Engine ID, an even number of hexadecimal characters, in the range 10 to 64. Description Use the snmp-agent local-engineid command to set an engine ID for the local SNMP entity. Use the undo snmp-agent local-engineid command to restore the default engine ID.
Description Use the snmp-agent log command to enable network management operation logging. Use the undo snmp-agent log command to disable network management operation logging. By default, network management operation logging is disabled. After SNMP logging is enabled, when NMS performs specified operations on the SNMP agent, the SNMP agent records and then saves the information related to the operations into the information center of the device.
mask mask-value: Mask of a MIB subtree, an even number of hexadecimal characters, in the range 2 to 32. An odd number of characters are invalid. Description Use snmp-agent mib-view command to create or update the information about a MIB view to limit the MIB objects the NMS can access.
# Create an SNMP MIB view with the name of view-a, MIB subtree of 1.3.6.1.5.4.3.4 and subtree mask of FE. MIB nodes with the OID of 1.3.6.1.5.4.3.x are included in this view, with x indicating any integer number. <Sysname> system-view System View: return to User View with Ctrl+Z.
Multiple SNMP versions can run on the device at the same time to allow access by different NMSs. By default, the contact information of an S3100 Ethernet switch is "Hangzhou H3C Technologies Co., Ltd.", the geographical location is "Hangzhou China", and the SNMP version employed is SNMPv3.
View System view Parameters trap: Enables the host to receive SNMP traps. address: Specifies the destination for the SNMP traps. udp-domain: Specifies to use UDP to communicate with the target host. ip-address: The IPv4 address of the host that is to receive the traps. port-number: Number of the UDP port that is to receive the traps, in the range 1 to 65,535.
Specifies to send SNMP linkUp traps when a port becomes up. warmstart: Specifies to send SNMP warm start traps when SNMP is newly launched. system: Specifies to send H3C-SYS-MAN-MIB (proprietary MIB) traps. Description Use the snmp-agent trap enable command to enable a device to send SNMP traps that are of specified types.
# Before the configuration of the extended trap function, the trap information is as follows when a link is down: #Apr 2 05:53:15:883 2000 H3C L2INF/2/PORT LINK STATUS CHANGE:- 1 - Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227634, ifAdminStatus is 2, ifOperStatus is 2 #Apr 2 05:53:16:094 2000 H3C IFNET/5/TRAP:- 1 -1.3.6.1.6.3.1.1.5.3(linkDown) Interface 31...
View System view Parameters seconds: SNMP trap aging time (in seconds) to be set, ranging from 1 to 2,592,000. Description Use the snmp-agent trap life command to set the SNMP trap aging time. SNMP traps exceeding the aging time will be discarded. Use the undo snmp-agent trap life command to restore the default SNMP trap aging time.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] snmp-agent trap queue-size 200 snmp-agent trap source Syntax snmp-agent trap source interface-type interface-number undo snmp-agent trap source View System view Parameters interface-type interface-number: Interface type and interface number. The source IP address of the trap is the IP address of this interface.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 1.1.1.1 0.0.0.0
[Sysname-acl-basic-2001] rule deny source any
[Sysname-acl-basic-2001] quit
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent group v2c readCom
[Sysname] snmp-agent usm-user v2c userv2c readCom acl 2001
On the NMS with IP address 1.1.1.1, set the SNMP version to SNMPv2c and fill the write community name field with userv2c.
the SNMP messages with specific source addresses, thus restricting access between the NMS and the agent. local: Specifies a local entity user. engineid-string: Engine ID associated with the user, an even number of hexadecimal characters, in the range 10 to 64. Description Use the snmp-agent usm-user command to add a user to an SNMP group.
[Sysname] snmp-agent usm-user v3 testUser testGroup authentication-mode md5 authkey privacy-mode des56 prikey
On the NMS, set the version to SNMPv3, the username to testUser, the authentication algorithm to MD5, the authentication password to authkey, the privacy algorithm to DES, and the privacy password to prikey, and establish a connection with the device....
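An added example, not part of the H3C manual: a small Python audit that reads `snmp-agent` configuration lines and flags the settings the SNMP section above discusses (the "public"/"private" community names, missing basic-ACL bindings, versions that rely on community-name authentication, and SNMPv3 groups or users without authentication or privacy). The sample configuration is constructed; the `authentication`, `privacy`, `sha` and community-level `acl` keywords are assumed from the Comware command syntax because this excerpt truncates those syntax lines, and flagging `md5`/`des56` reflects general cryptographic guidance rather than a statement in the manual.

```python
"""Audit snmp-agent configuration lines (added example, constructed input)."""

# Constructed sample configuration in the command forms this manual shows;
# names, passwords and ACL numbers are illustrative only.
SAMPLE_CONFIG = """\
snmp-agent
snmp-agent sys-info version v2c
snmp-agent community read public
snmp-agent community write private
snmp-agent community read comaccess acl 2001
snmp-agent group v3 testGroup
snmp-agent group v3 secGroup privacy acl 2001
snmp-agent usm-user v3 testUser testGroup authentication-mode md5 authkey privacy-mode des56 prikey
snmp-agent usm-user v3 opsUser secGroup authentication-mode sha authkey2 acl 2001
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # names the manual advises against
LEGACY_ALGORITHMS = {"md5", "des56"}          # general guidance, not from the manual


def _has_acl(opts):
    """True when an 'acl <number>' pair appears among the trailing options."""
    return any(k == "acl" and v.isdigit() for k, v in zip(opts, opts[1:]))


def _value_after(opts, keyword):
    """Return the token that follows keyword, or None if keyword is absent."""
    if keyword in opts:
        idx = opts.index(keyword)
        if idx + 1 < len(opts):
            return opts[idx + 1]
    return None


def audit_snmp(config_text):
    """Return a list of (line_number, rule_id, message) findings."""
    findings = []

    def add(line_no, rule, message):
        findings.append((line_no, rule, message))

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "snmp-agent":
            continue  # not an SNMP setting with arguments
        cmd, args = tok[1], tok[2:]

        if cmd == "sys-info" and args[0] == "version":
            legacy = [v for v in args[1:] if v in ("v1", "v2c", "all")]
            if legacy:
                add(line_no, "VERSION-COMMUNITY-AUTH",
                    "community-name authentication enabled: " + " ".join(legacy))

        elif cmd == "community" and len(args) >= 2 and args[0] in ("read", "write"):
            name, opts = args[1], args[2:]
            if name.lower() in DEFAULT_COMMUNITIES:
                add(line_no, "COMMUNITY-DEFAULT",
                    "well-known %s community name '%s'" % (args[0], name))
            if not _has_acl(opts):
                add(line_no, "COMMUNITY-NO-ACL",
                    "community '%s' is not restricted by a basic ACL" % name)

        elif cmd == "group" and len(args) >= 2:
            version, name, opts = args[0], args[1], args[2:]
            # A v3 group without either keyword runs as noAuthnoPriv.
            if version == "v3" and (not opts or opts[0] not in ("authentication", "privacy")):
                add(line_no, "GROUP-NOAUTH",
                    "v3 group '%s' uses noAuthnoPriv" % name)
            if not _has_acl(opts):
                add(line_no, "GROUP-NO-ACL",
                    "group '%s' is not restricted by a basic ACL" % name)

        elif cmd == "usm-user" and len(args) >= 3:
            version, user, opts = args[0], args[1], args[3:]
            if version == "v3":
                auth = _value_after(opts, "authentication-mode")
                priv = _value_after(opts, "privacy-mode")
                if auth is None:
                    add(line_no, "USER-NOAUTH", "user '%s' has no authentication" % user)
                elif priv is None:
                    add(line_no, "USER-NOPRIV", "user '%s' has no privacy (encryption)" % user)
                for algo in (auth, priv):
                    if algo in LEGACY_ALGORITHMS:
                        add(line_no, "USER-LEGACY-ALGO",
                            "user '%s' uses legacy algorithm %s" % (user, algo))
            if not _has_acl(opts):
                add(line_no, "USER-NO-ACL",
                    "user '%s' is not restricted by a basic ACL" % user)

    return findings


if __name__ == "__main__":
    for line_no, rule, message in audit_snmp(SAMPLE_CONFIG):
        print("line %d: %-22s %s" % (line_no, rule, message))
```

Line numbers in the findings refer to the text passed in, so feeding it the SNMP portion of a saved configuration file gives results that can be checked against that file directly.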
RMON Configuration Commands RMON Configuration Commands display rmon alarm Syntax display rmon alarm [ entry-number ] View Any view Parameters entry-number: Alarm entry index, in the range 1 to 65535. Description Use the display rmon alarm command to display the configuration of a specified alarm entry or all the alarm entries.
Field Description Sampling interval, in seconds. The system Sampling interval performs absolute or delta sampling on the sampled node at this interval. Rising threshold. When the sampled value Rising threshold equals or exceeds the rising threshold, an alarm is triggered. Falling threshold.
Event table 1 owned by user1 is VALID. Description: null. Will cause log-trap when triggered, last triggered at 0days 00h:02m:27s. Table 2-2 display rmon event command output description Field Description Event table Index of an entry in the RMON event table The status of the entry identified by the index is VALID valid.
less than(or =) 100 with alarm value 0. Alarm sample type is absolute. Table 2-3 display rmon eventlog command output description Field Description Event table Index of an entry in the RMON event table The status of the entry identified by the index is VALID valid.
History control entry 1 owned by user1 is VALID Samples interface : Ethernet1/0/1<ifIndex.4227625> Sampling interval : 5(sec) with 10 buckets max Latest sampled values : Dropevents , octets : 10035 packets : 64 , broadcast packets : 35 multicast packets : 8 , CRC alignment errors : 0 undersize packets : 0 , oversize packets...
View Any view Parameters prialarm-entry-number: Extended alarm entry Index, in the range 1 to 65,535. Description Use the display rmon prialarm command to display the configuration of an RMON extended alarm entry. If you do not specify the prialarm-entry-number argument, the configuration of all the extended alarm entries is displayed.
Field Description Linked with event Event index corresponding to an alarm The condition under which an alarm is triggered, which can be: risingOrFallingAlarm: An alarm is triggered when the rising or falling threshold is When startup enables: risingOrFallingAlarm reached. risingAlarm: An alarm is triggered when the rising threshold is reached.
Page 757
Parameters entry-number: Index of the alarm entry to be added/removed, in the range 1 to 65535. alarm-variable: Alarm variable, a string comprising 1 to 256 characters in dotted node OID format (such as 1.3.6.1.2.1.2.1.10.1). Only the variables that can be resolved to ASN.1 INTEGER data type (that is, INTEGER, Counter, Gauge, or TimeTicks) can be used as alarm variables.
Comparison | Operation
The sample value is smaller than the set lower threshold (threshold-value2) | Triggering the event identified by the event-entry2 argument
Before adding an alarm entry, you need to use the rmon event command to define the events to be referenced by the alarm entry.
description string: Specifies the event description, a string of 1 to 127 characters. log: Logs events. trap: Sends traps to the NMS. trap-community: Community name of the NMS that receives the traps, a string of 1 to 127 characters. log-trap: Logs the event and sends traps to the NMS. log-trapcommunity: Community name of the NMS that receives the traps, a character string of 1 to 127 characters.
Description Use the rmon history command to add an entry to the history control table. If you do not specify the owner text keyword/argument combination, the owner of the entry is displayed as “null”. Use the undo rmon history command to remove an entry from the history control table. You can use the rmon history command to sample a specific port.
Page 761
threshold-value2: Lower threshold, in the range 0 to 2147483647. event-entry2: Index of the event entry that corresponds to the falling threshold, in the range 0 to 65535. forever: Specifies the corresponding RMON alarm instance is valid permanently. cycle: Specifies the corresponding RMON alarm instance is valid periodically. cycle-period: Life time (in seconds) of the RMON alarm instance, in the range 0 to 2147483647.
Falling threshold: 5 Event 1 is triggered when the change ratio is larger than the rising threshold. Event 2 is triggered when the change ratio is less than the falling threshold. The alarm entry is valid forever. Entry owner: user1 <Sysname>...
Page 763
For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry was already created for a given port, you will fail to create a statistics entry with a different index for the port. You can use the display rmon statistics command to display the information about the statistics entry.
NTP Configuration Commands
To protect unused sockets against attacks by malicious users and improve security, H3C S3100 series Ethernet switches provide the following functions:
UDP port 123 is opened only when the NTP feature is enabled.
UDP port 123 is closed when the NTP feature is disabled.
Total associations Total number of associations An S3100 series switch does not establish a session with its client when it works in the NTP server mode, but does so when it works in other NTP implementation modes. display ntp-service status...
Page 767
View Any view Parameter None Description Use the display ntp-service status command to display the status of NTP services. Example # View the status of the NTP service of the local switch. <Sysname> display ntp-service status Clock status: synchronized Clock stratum: 4 Reference clock ID: 1.1.1.11 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz...
display ntp-service trace Syntax display ntp-service trace View Any view Parameter None Description Use the display ntp-service trace command to display the brief information of each NTP time server along the time synchronization chain from the local switch to the reference clock source. Example # View the brief information of each NTP time server along the time synchronization chain from the local switch to the reference clock source.
View System view Parameter query: Control query right. This level of right permits the peer device to perform control query to the NTP service on the local device but does not permit the peer device to synchronize its clock to the local device.
View System view Parameter None Description Use the ntp-service authentication enable command to enable the NTP authentication. Use the undo ntp-service authentication enable command to disable the NTP authentication. By default, the NTP authentication is disabled. Refer to the ntp-service reliable authentication-keyid and ntp-service authentication-keyid commands for related configuration.
System View: return to User View with Ctrl+Z. [Sysname] ntp-service authentication-keyid 10 authentication-mode md5 BetterKey ntp-service broadcast-client Syntax ntp-service broadcast-client undo ntp-service broadcast-client View VLAN interface view Parameter None Description Use the ntp-service broadcast-client command to configure an Ethernet switch to operate in the NTP broadcast client mode and receive NTP broadcast messages through the current interface.
Description Use the ntp-service broadcast-server command to configure an Ethernet switch to operate in the NTP broadcast server mode and send NTP broadcast messages through the current interface. Use the undo ntp-service broadcast-server command to remove the configuration. By default, no NTP operating mode is configured. Example # Configure the switch to send NTP broadcast messages through Vlan-interface1 and use authentication key 4 for encryption, and set the NTP version number to 3.
View System view Parameter number: Maximum number of the dynamic NTP sessions that can be established locally. This argument ranges from 0 to 100. Description Use the ntp-service max-dynamic-sessions command to set the maximum number of dynamic NTP sessions that can be established locally. Use the undo ntp-service max-dynamic-sessions command to restore the default.
ntp-service multicast-server Syntax ntp-service multicast-server [ ip-address ] [ authentication-keyid key-id | ttl ttl-number | version number ]* undo ntp-service multicast-server [ ip-address ] View VLAN interface view Parameter ip-address: Multicast IP address, in the range of 224.0.1.0 to 239.255.255.255. The default IP address is 224.0.1.1.
Description Use the ntp-service reliable authentication-keyid command to specify an authentication key as a trusted key. Use the undo ntp-service reliable authentication-keyid command to remove the configuration. By default, no trusted key is configured. When NTP authentication is enabled, a client can be synchronized only to a server that can provide a trusted authentication key.
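The three NTP authentication commands in this part depend on each other: authentication must be enabled, each key must be defined, and the key must also be marked trusted. The following Python check is an added example, not part of the H3C manual; the configuration text is constructed, and the `unicast-server`/`unicast-peer` lines carrying `authentication-keyid` are assumed from the option shown for `ntp-service multicast-server`.

```python
import re

PROMPT_RE = re.compile(r"^[\[<][^\]>]+[\]>]\s*")   # strips "[Sysname] " or "<Sysname> "
KEY_RE = re.compile(r"^ntp-service authentication-keyid (\d+) authentication-mode (\S+) \S+$")
TRUST_RE = re.compile(r"^ntp-service reliable authentication-keyid (\d+)$")
ASSOC_RE = re.compile(r"^ntp-service (unicast-server|unicast-peer) (\S+)(.*)$")
KEYREF_RE = re.compile(r"\bauthentication-keyid (\d+)\b")

# Constructed sample: every piece of the authentication chain is present.
GOOD_CONFIG = """\
[Sysname] ntp-service authentication enable
[Sysname] ntp-service authentication-keyid 10 authentication-mode md5 BetterKey
[Sysname] ntp-service reliable authentication-keyid 10
[Sysname] ntp-service unicast-server 128.108.22.44 authentication-keyid 10 version 3
"""

# Constructed sample: a key exists, but nothing makes the switch use it.
WEAK_CONFIG = """\
ntp-service authentication-keyid 10 authentication-mode md5 BetterKey
ntp-service unicast-server 128.108.22.44 version 3
"""


def parse_ntp_config(text):
    """Collect the authentication-related NTP settings from command lines."""
    cfg = {"auth_enabled": False, "keys": {}, "trusted": set(), "assocs": []}
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", " ".join(raw.split()))
        if line == "ntp-service authentication enable":
            cfg["auth_enabled"] = True
        elif (m := KEY_RE.match(line)):
            cfg["keys"][int(m.group(1))] = m.group(2)
        elif (m := TRUST_RE.match(line)):
            cfg["trusted"].add(int(m.group(1)))
        elif (m := ASSOC_RE.match(line)):
            ref = KEYREF_RE.search(m.group(3))
            key_id = int(ref.group(1)) if ref else None
            cfg["assocs"].append((m.group(1), m.group(2), key_id))
    return cfg


def audit_ntp_auth(text):
    """Return a list of findings; an empty list means the chain is complete."""
    cfg = parse_ntp_config(text)
    defined, trusted = set(cfg["keys"]), cfg["trusted"]
    findings = []
    if not cfg["auth_enabled"]:
        findings.append("NTP authentication is not enabled (the default); "
                        "add 'ntp-service authentication enable'")
    for kid in sorted(trusted - defined):
        findings.append(f"key {kid} is marked trusted but never defined")
    for kid in sorted(defined - trusted):
        findings.append(f"key {kid} is defined but not trusted; "
                        f"add 'ntp-service reliable authentication-keyid {kid}'")
    for kind, peer, kid in cfg["assocs"]:
        if kid is None:
            findings.append(f"{kind} {peer} has no authentication-keyid")
        elif kid not in defined or kid not in trusted:
            findings.append(f"{kind} {peer} uses key {kid}, "
                            "which is not both defined and trusted")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_ntp_auth(sample) or "no findings")
```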
Example # Configure the local switch to obtain time information from the peer with the IP address 128.108.22.44 and also to provide time information to the peer. Set the NTP version number to 3. The source IP address of NTP messages is the IP address of Vlan-interface1. <Sysname>...
Page 778
The remote server specified by remote-ip or server-name serves as the NTP server, and the local switch serves as the NTP client. The NTP client synchronizes its clock to the NTP server, but the clock of the NTP server is not synchronized to the NTP client. Example # Configure the local switch to be synchronized to the NTP server with the IP address 128.108.22.44, and set the version number to 3.
Page 779
Table of Contents
1 SSH Commands
SSH Commands
display public-key local
display public-key peer
display rsa local-key-pair public
display rsa peer-public-key
display ssh server
display ssh server-info
display ssh user-information
peer-public-key end
protocol inbound
public-key local create
public-key local destroy
public-key local export rsa
public-key local export dsa...
SSH Commands SSH Commands display public-key local Syntax display public-key local { dsa | rsa } public View Any view Parameters dsa: Displays the public key of the current switch’s DSA key pair. rsa: Displays the public key part of the current switch’s RSA key pair(s). Description Use the display public-key local command to display the public key part of the current switch’s key pairs.
75FD6A430575D97350E300A20FEB773D93D7C3565467B0CA6B95C07D3338C523743B49D82C 5EC2C9458D248955846F9C32F4D25CC92D0E831E564BBA6FAE794EEC6FCDEDB822909CC687 BEBF51F3DFC5C30D590203010001 ===================================================== Time of Key pair created: 23:48:36 2000/04/03 Key name: Sysname_Server Key type: RSA encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100BC86D8F08E101461C1231B12 2777DBE777645C81C569C004EC2FEC03C205CC7E3B5DAA38DD865C6D1FB61C91B85ED63C6F 35BAFBF9A6D2D2989C20051FF8FA31A14FCF73EC1485422E5B800B55920FC121329020E82F 2945FFAD81BE72663BF70203010001 # Display the public key of the current switch’s DSA key pair. <Sysname> display public-key local dsa public ===================================================== Time of Key pair created: 08:01:23 2000/04/02...
Page 782
Description Use the display public-key peer command to display information about locally saved public keys of SSH peers. If no key name is specified, the command displays detailed information about the locally saved public keys of all SSH peers. Sometimes the public key modulus displayed with the display public-key peer command is one bit smaller than the actual modulus.
display rsa local-key-pair public Syntax display rsa local-key-pair public View Any view Parameters None Description Use the display rsa local-key-pair public command to display the public key part of the current switch’s RSA key pair(s). If no key pair has been generated, the system prompts “% RSA keys not found”.
D0FC303F 51072D6C B5D0054D 3673EBA0 A4748984 5EBF6EBE CF6A13B1 C7858241 A2A9AA79 0203 010001
After the RSA key pair is generated, the display rsa local-key-pair public command displays two public keys (the host public key and server public key) when the S3100-EI switch is working in SSH1-compatible mode, but only one public key (the host public key) when the switch is working in SSH2 mode.
Related commands: ssh server authentication-retries, ssh server timeout, ssh server compatible-ssh1x enable, ssh server rekey-interval. Examples # Display SSH server status information on an S3100-EI switch. <H3C> display ssh server status SSH version : 1.99 SSH connection timeout : 60 seconds SSH server key generating interval : 0 hours...
SSH connection timeout : 60 seconds SSH Authentication retries : 3 times SFTP Server: Disable SFTP idle timeout : 10 minutes If you use the ssh server compatible-ssh1x enable command to configure the server to be compatible with SSH1.x clients, the SSH version will be displayed as 1.99. If you use the undo ssh server compatible-ssh1x command to configure the server to be not compatible with SSH1.x clients, the SSH version will be displayed as 2.0.
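The version rule above (1.99 with SSH1.x compatibility on, 2.0 with it off) lends itself to an automated check of collected `display ssh server status` output. The following Python script is an added example, not H3C code; the field names come from the sample output in this manual, while the severity labels, the `max_retries` threshold and treating any SFTP value other than "Disable" as enabled are assumptions.

```python
import re

# Constructed sample, modelled on the status output shown in this manual.
SAMPLE_STATUS = """\
<H3C> display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP Server: Disable
SFTP idle timeout : 10 minutes
"""


def parse_status(text):
    """Turn 'name : value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields[name.strip().lower()] = value.strip()
    return fields


def leading_int(value):
    """Return the integer a value such as '60 seconds' starts with, or None."""
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None


def audit_ssh_status(text, max_retries=3):
    """Return (severity, message) findings; severities are an assumed local policy."""
    fields = parse_status(text)
    findings = []
    version = fields.get("ssh version")
    if version is None:
        return [("error", "no 'SSH version' field; not display ssh server status output")]
    if version == "1.99":
        findings.append(("high", "SSH1.x compatibility is enabled; "
                                 "run 'undo ssh server compatible-ssh1x'"))
        # The rekey interval only applies to SSH1 clients, so it matters only here.
        if leading_int(fields.get("ssh server key generating interval")) == 0:
            findings.append(("medium", "server key is never updated for SSH1 clients "
                                       "(ssh server rekey-interval is 0)"))
    elif version != "2.0":
        findings.append(("info", f"unexpected SSH version string {version!r}"))
    retries = leading_int(fields.get("ssh authentication retries"))
    if retries is not None and retries > max_retries:
        findings.append(("low", f"{retries} authentication retries allowed; "
                                f"policy maximum is {max_retries}"))
    sftp = fields.get("sftp server")
    if sftp is not None and sftp.lower() != "disable":
        findings.append(("info", "SFTP server is not disabled; confirm it is required"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ssh_status(SAMPLE_STATUS):
        print(f"[{severity}] {message}")
```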
If an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for authentication. In case the authentication fails, you can use the display ssh server-info command to view whether the locally saved public key of the server is correct. Related commands: ssh client assign, ssh client first-time enable.
peer-public-key end Syntax peer-public-key end View Public key view Parameters None Description Use the peer-public-key end command to return from public key view to system view. Related commands: rsa peer-public-key, public-key-code begin, public-key peer. Examples # Exit public key view. <Sysname>...
As SSH clients access the SSH server through VTY user interfaces, you need to configure the VTY user interfaces of the SSH server to support remote SSH login. If you have configured a user interface to support SSH protocol, to ensure a successful login to the user interface, you must configure AAA authentication for the user interface by using the authentication-mode scheme command.
Page 790
The configuration of this command can survive a reboot. You only need to configure it once. Related commands: public-key local destroy, display public-key local. Examples # Create an RSA key pair of 512 bits. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] public-key local create rsa The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes. Input the bits in the modulus[default = 1024]:512 Generating keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+..+.......+..+....+.....+...+..+....+..+..+....+..+...+..+..+..+....+..+......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* ..# Display the public key of the DSA key pair. [Sysname]display public-key local dsa public ===================================================== Time of Key pair created: 03:17:33...
Examples # Destroy the RSA key pair of the current switch. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname]public-key local destroy rsa % Confirm to destroy these keys? [Y/N]:y ..# Destroy the DSA key pair of the current switch. <Sysname>system-view System View: return to User View with Ctrl+Z.
Related commands: public-key local create, rsa local-key-pair create. Examples # Generate an RSA key pair. <Sysname> system-view [Sysname] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes.
Page 794
Description Use the public-key local export dsa command to display the public key of the current switch’s DSA key pair on the screen or export it to a specified file. If you specify a filename, the public key will be exported to the file and the file will be saved. If you do not specify any filename, the public key will be displayed on the screen.
---- END SSH2 PUBLIC KEY ---- # Export the public key in OpenSSH format. <Sysname> system-view [Sysname] public-key local export dsa openssh key.pub public-key peer Syntax public-key peer keyname undo public-key peer keyname View System view Parameters keyname: Name of the public key, a string of 1 to 64 characters. Description Use the public-key peer command to enter public key view.
View System view Parameters keyname: Name of the public key, a string of 1 to 64 characters. filename: Name of a public key file, a string of 1 to 142 characters. For file naming rules, refer to File System Management Command. Description Use the public-key peer import sshkey command to import a peer public key from the public key file.
Related commands: rsa peer-public-key, public-key peer, public-key-code end. Examples # Enter public key edit view and input a public key. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rsa peer-public-key Switch003 RSA public key view: return to System View with "peer-public-key end". [Sysname-rsa-public-key] public-key-code begin RSA key code view: return to last view with "public-key-code end".
......++++++ ..++++++ .........++++++++ ...++++++++ ..Done! # Display the public key part of the current switch’s RSA key pair(s). [Sysname] display rsa local-key-pair public ===================================================== Time of Key pair created: 02:31:51 2000/04/09 Key name: Sysname_Host Key type: RSA encryption Key ===================================================== Key code: 308188 028180...
View System view Parameters None Description Use the rsa local-key-pair destroy command to destroy the current switch’s RSA key pair. Related commands: rsa local-key-pair create. Examples # Destroy the current switch’s RSA key pair. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rsa local-key-pair destroy % The local-key-pair will be destroyed.
Examples # Enter Switch002 public key view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rsa peer-public-key Switch002 RSA public key view: return to System View with "peer-public-key end". [Sysname-rsa-public-key] rsa peer-public-key import sshkey Syntax rsa peer-public-key keyname import sshkey filename undo rsa peer-public-key keyname View System view...
Examples # Transform the format of client public key file abc and configure a public key named 123. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] rsa peer-public-key 123 import sshkey abc ssh authentication-type default Syntax ssh authentication-type default { all | password | password-publickey | publickey | rsa } undo ssh authentication-type default View System view...
If a pair of SSH peers are both switches that support both DSA and RSA, you must configure the DSA public key of the server on the client. Related command: ssh client first-time enable. Examples # Specify the name of the DSA public key of the server (whose IP address is 192.168.0.1) as pub.ppk on the client.
By default, the client is enabled to run first-time authentication. Examples # Disable first-time authentication on the client. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] undo ssh client first-time ssh server authentication-retries Syntax ssh server authentication-retries times undo ssh server authentication-retries View System view...
ssh server compatible-ssh1x enable Syntax ssh server compatible-ssh1x enable undo ssh server compatible-ssh1x View System view Parameters None Description Use the ssh server compatible-ssh1x enable command to make the server compatible with SSH1.x clients. Use the undo ssh server compatible-ssh1x command to make the server incompatible with SSH1.x clients.
Description Use the ssh server rekey-interval command to set the interval to update the RSA server keys regularly. Use the undo ssh server rekey-interval command to cancel the current configuration. By default, the update interval is zero, which indicates the system does not update the server keys. This command only takes effect on users whose client version is SSH1.
ssh user Syntax ssh user username undo ssh user username View System view Parameters username: SSH user name, a string of 1 to 184 characters. It cannot contain any of these characters: slash (/), backslash (\), colon (:), asterisk (*), question mark (?), less than sign (<), greater than sign (>), and the vertical bar sign (|).
[Sysname] display ssh user-information Username Authentication-type User-public-key-name Service-type publickey 127.0.0.1 stelnet ssh user authentication-type Syntax ssh user username authentication-type { all | password | password-publickey | publickey | rsa } undo ssh user username authentication-type View System view Parameters username: SSH user name, a string of 1 to 184 characters. It cannot contain any of these characters: slash (/), backslash (\), colon (:), asterisk (*), question mark (?), less than sign (<), greater than sign (>), and the vertical bar sign (|).
You need to specify the authentication mode for an SSH user. Otherwise, the user will not be able to log in to the SSH server. Related commands: display ssh user-information. Examples # Specify the publickey authentication for SSH users. <Sysname>system-view System View: return to User View with Ctrl+Z.
Examples # Specify that user kk can access SFTP service. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] ssh user kk service-type sftp # Display SSH user information. [Sysname] display ssh user-information Username Authentication-type User-public-key-name Service-type publickey null sftp ssh2...
Page 813
md5_96: HMAC-MD5-96 algorithm. DES (data encryption standard) is a standard data encryption algorithm. AES (advanced encryption standard) is an advanced encryption standard algorithm. Description Use the ssh2 command to start the SSH client to establish a connection with an SSH server, and at the same time specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and client.
File System Management Configuration Commands S3100 series Ethernet switches allow you to input a file path and file name in one of the following ways: In universal resource locator (URL) format and starting with “unit1>flash:/” or “flash:/”. This method is used to specify a file in the current Flash memory. For example, the URL of a file named text.txt in the root directory of the switch is unit1>flash:/text.txt or flash:/text.txt.
Description Use the cd command to enter a specified directory on the Ethernet switch. The default directory when a user logs onto the switch is the root directory of Flash memory. Example # Enter the directory named test from the root directory. <Sysname>...
delete Syntax delete [ /unreserved ] file-url delete { running-files | standby-files } [ /unreserved ] View User view Parameter /unreserved: Specifies to delete a file completely. file-url: Path name or file name of a file in the Flash memory. You can use the * character in this argument as a wildcard.
Delete the backup config file? [Y/N]: Delete the backup web file? [Y/N]: The corresponding files will be deleted after you choose yes. For deleted files whose names are the same, only the latest deleted file is stored in the recycle bin and can be restored.
Page 819
If executed with the /all keyword, the command will display information about all files, including the files in the recycle bin. If executed without the /all keyword, the command will not display the files in the recycle bin. If executed with the file-url argument, the command will display information about files and folders in the specified directory.
(*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute execute Syntax execute filename View System view Parameter filename: Batch file, with the extension .bat. Description Use the execute command to execute the specified batch file. Executing a batch file runs the commands in the file one by one.
# Set the prompt mode to quiet for file-related operations. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] file prompt quiet fixdisk Syntax fixdisk device View User view Parameter device: Name of a device which must be “unit1>flash:” or “flash:” for S3100 series Ethernet switches.
View User view Parameter device: Name of a device which must be “unit1>flash:” or “flash:” for S3100 series Ethernet switches. Description Use the format command to format the Flash memory. The format operation clears all the files on the Flash memory, and the operation cannot be undone.
Parameter directory: Name of a directory. Description Use the mkdir command to create a subdirectory in the specified directory of a Flash memory. Note that: The name of the subdirectory to be created must be unique under the specified directory. Otherwise, you will fail to create the subdirectory under the directory.
This file (the project file) contains information at the project level and is used to build a single project or subproject. Other users can share the project (.dsp) file, but they should export the makefiles locally. # Display the content of the file testcfg.cfg. <Sysname>...
The file unit1>flash:/test/22.txt exists. Overwrite it?[Y/N]:y The file will be permanently deleted from flash, please wait..%Moved file unit1>flash:/22.txt to unit1>flash:/test/22.txt. pwd Syntax pwd View User view Parameter None Description Use the pwd command to display the current working path of the login user. Example # Display the current working path.
%Renamed file unit1>flash:/config.txt to unit1>flash:/config.bak. reset recycle-bin Syntax reset recycle-bin [ file-url ] [ /force ] View User view Parameter file-url: Path name or file name of a file in the Flash memory. This argument supports the wildcard “*”. For example, *.txt means all the files with an extension of txt. /force: Specifies not to prompt for confirmation before deleting files.
//The above information indicates that in directory flash:, there are two files a.cfg and b.cfg in the recycle bin. Delete the files in directory flash: that are already in the recycle bin. <Sysname> reset recycle-bin Clear flash:/~/a.cfg ?[Y/N]:y Clearing files from flash may take a long time. Please wait..
Parameter directory: Name of a directory. Description Use the rmdir command to delete a directory. As only empty directories can be deleted, you need to clear a directory before deleting it. Example # Delete the directory named dd. <Sysname> rmdir dd Rmdir unit1>flash:/dd?[Y/N]:y ..
Parameter all: Specifies all the files, including app files, configuration files and Web files. app: Specifies app files. configuration: Specifies configuration files. web: Specifies Web files. Description Use the boot attribute-switch command to switch between the main and backup attribute for all the files or a specified type of files.
View User view Parameter file-url: Path or the name of the app file in the Flash memory, a string comprising 1 to 64 characters. Description Use the boot boot-loader backup-attribute command to configure an app file of the device to be with the backup attribute.
Example # Configure the Web file named boot.web to be with the main attribute. <Sysname> boot web-package boot.web main display boot-loader Syntax display boot-loader [ unit unit-id ] View Any view Parameter unit unit-id: Specifies the unit ID of a switch. You cannot choose any other number except 1 for S3100 series Ethernet switches.
Example # Display information about the Web file used by the device. <Sysname>display web package The current using web package is: flash:/h3c-http3.1.5-0040.web The main web package is: unit1>flash:/h3c-http3.1.5-0040.web The backup web package is: unit1>flash:/ startup bootrom-access enable Syntax startup bootrom-access enable...
Page 833
Table of Contents
1 FTP and SFTP Configuration Commands
FTP Server Configuration Commands
display ftp-server
display ftp-user
ftp disconnect
ftp server enable
ftp timeout
FTP Client Configuration Commands
ascii
binary
bye
cd
cdup
close
delete
dir...
FTP and SFTP Configuration Commands FTP Server Configuration Commands display ftp-server Syntax display ftp-server View Any view Parameters None Description Use the display ftp-server command to display the FTP server-related settings of a switch when it operates as an FTP server, including startup status, number of users, and so on. You can use this command to verify FTP server-related configurations.
The H3C S3100 series Ethernet switch supports access by one user at a time when it serves as the FTP server. display ftp-user Syntax display ftp-user View Any view Parameters None Description Use the display ftp-user command to display the information of the FTP users that have logged in to the switch, including the user name, host IP address, port number, idle timeout time, and authorized directory.
Use the ftp disconnect command to terminate the connection between a specified user and the FTP server. With an H3C S3100 series Ethernet switch acting as the FTP server, if you attempt to disconnect a user that is uploading/downloading data to/from the FTP server, the S3100 Ethernet switch will disconnect the user after the data transmission is completed.
Use the ftp server enable command to enable the FTP server function of the switch. Use the undo ftp server command to disable the FTP server function of the switch. By default, the FTP server function is disabled on the H3C S3100 series switch to avoid potential security risks.
Parameters minutes: Idle timeout time (in minutes), in the range 1 to 35791. Description Use the ftp timeout command to set the idle timeout time of an FTP client. When the idle time of the FTP client exceeds this timeout time, the FTP server terminates the connection with the FTP client. Use the undo ftp timeout command to restore the default idle timeout time.
Description Use the ascii command to specify that files be transferred in ASCII mode, which is used for transferring text files. By default, files are transferred in ASCII mode. Related commands: binary. Examples # Specify to transfer text files in ASCII mode. [ftp] ascii 200 Type set to A.
Description Use the bye command to terminate the control connection and data connection with the FTP server and return to user view. This command has the same effect as that of the quit command. Examples # Terminate the connections with the remote FTP server and return to user view. [ftp] bye 221 Server closing.
Description Use the cdup command to exit the current working directory and enter the parent directory. The parent directory must be a directory that a user is authorized to access; otherwise, the command cannot be executed. Related commands: cd, pwd. Examples # Change the working directory to flash:/temp.
Parameters remotefile: Name of the file to be deleted. Description Use the delete command to delete a specified remote file. Examples # Delete the file temp.c. [ftp] delete temp.c 250 DELE command successful. Syntax dir [ filename [ localfile ] ] View FTP client view Parameters...
View User view Parameters cluster: Connects to the configured FTP server of a cluster. For the configuration of the FTP server of a cluster, refer to the Cluster part of this manual. remote-server: Host name or IP address of an FTP server, a string of 1 to 20 characters. port-number: Port number of the FTP server, in the range 0 to 65535.
When using the get command to download files from a remote FTP server, keep the file path and file name within the following length limits: A directory name should be no more than 91 characters. A file name plus its local path name should be no more than 127 characters. A device name should be no more than 14 characters.
View FTP client view Parameters remotefile: Name of the file to be queried. localfile: Name of the local file where the querying result is to be saved. Description Use the ls command to display the information about a specified file on an FTP server. If you do not specify the remotefile argument, names of all the files in the current remote directory are displayed.
View FTP client view Parameters pathname: Name of the directory to be created. Description Use the mkdir command to create a directory on an FTP server. This command is available only to the FTP clients that are assigned the permission to create directories on FTP servers.
Password: 230 User logged in. passive Syntax passive undo passive View FTP client view Parameters None Description Use the passive command to set the data transfer mode to the passive mode. Use the undo passive command to set the data transfer mode to the active mode. By default, the passive mode is adopted.
remotefile: File name used after a file is uploaded and saved on an FTP server. Description Use the put command to upload a local file on an FTP client to an FTP server. If you do not specify the remotefile argument, the local file is saved on the FTP server with its original name.
This command works only when the FTP server provides the help information about FTP protocol commands. This command is always valid when an H3C series Ethernet switch operates as the FTP server. If you use other FTP server software, refer to related instructions to know whether the FTP server provides help information about FTP protocol commands.
View FTP client view Parameters remote-source: Name of a file on a remote host. remote-dest: Destination file name. Description Use the rename command to rename a file on a remote FTP server. If the destination file name conflicts with the name of an existing file or directory, you will fail to rename the file.
Parameters username: Username used to log in to an FTP server. password: Password used to log in to an FTP server. Description Use the user command to log in to an FTP server with the specified username and password. Examples # Log in to the FTP server using the user account with the username tom and the password 111.
The above output indicates that if the verbose function is disabled, only execution information of users’ operations is obtained from the system of the switch, while the output information beginning with three-digit numbers cannot be returned to the users. For the description of the numbers at the beginning of FTP output information, refer to the corresponding section in RFC 959.
Use the undo sftp timeout command to restore the idle timeout time to the default value. If the idle timeout time exceeds the specified threshold, the system disconnects the SFTP user automatically. Examples # Set the idle timeout time to 500 minutes. <Sysname>...
Description Use the cd command to change the working path on the remote SFTP server. If no remote path is specified, this command displays the current working path. Use the cd .. command to return to the parent directory. Use the cd / command to return to the root directory. Examples # Change the working path to new1.
View SFTP client view Parameters remote-file&<1-10>: Name of a file on the server. &<1-10> indicates that up to ten file names can be input. These file names should be separated by spaces. Description Use the delete command to delete a specified file from the remote SFTP server. This command has the same effect as that of the remove command.
Examples # Download the file tt.bak and save it with the name tt.txt. sftp-client>get tt.bak tt.txt..This operation may take a long time, please wait... Remote file:tt.bak ---> Local file: tt.txt.. Received status: End of file Received status: Success Downloading file successfully ended help Syntax help [ all |command ]...
If -a or -l is not specified, the command displays details about the files and folders in the specified directory in a list. If no remote path is specified, this command displays the files in the current working directory. This command has the same effect as that of the dir command. Examples # Display the files in the current directory.
Parameters local-file: Name of a local file. remote-file: Name of a file on the remote SFTP server. Description Use the put command to upload a local file to the remote SFTP server. By default, the local file name is used for the remote file if no remote file name is specified. Examples # Upload the file named config.cfg to the remote SFTP server and save it as 1.txt.
Description Use the quit command to terminate a connection with the remote SFTP server and return to system view. This command has the same effect as that of the commands bye and exit. Examples # Terminate a connection with the remote SFTP server. sftp-client>...
Parameters oldname: Old file name. newname: New file name. Description Use the rename command to rename a specified file on the remote SFTP server. Examples # Change the file name temp.bat to temp.txt. sftp-client> rename temp.bat temp.txt File successfully renamed rmdir Syntax rmdir remote-path&<1-10>...
View System view Parameters host-ip: IP address of the server. host-name: Host name of the server, a string of 1 to 20 characters. port-num: Port number of the server, in the range of 0 to 65535. The default value is 22. identity-key: The public key algorithm used by the publickey authentication.
Do you want to save the server's public key?(Y/N):y Enter password: sftp-client> 1-31...
TFTP Configuration Commands TFTP Configuration Commands When accessing a TFTP server configured with an IPv6 address, use the tftp ipv6 command. For details, refer to the IPv6 Management part in this manual. tftp { ascii | binary } Syntax tftp { ascii | binary } View System view Parameters...
TFTP client. To enter another working directory, you need to modify the working directory on the TFTP server and log in again. The H3C S3100 series switch supports TFTP file size negotiation: before downloading a file, the switch requests the size of the file from the TFTP server to check whether there is enough space on the Flash for the download.
tftp put Syntax tftp tftp-server put source-file [ dest-file ] View User view Parameters tftp-server: IP address or the host name of a TFTP server, a string of 1 to 20 characters. If the switch belongs to a cluster, the value cluster means to connect to the TFTP server of the cluster. For the configuration of the TFTP server of a cluster, refer to the Cluster part in this manual.
Use the undo tftp-server acl command to cancel all ACLs adopted. Examples # Specify to adopt ACL 2000 on the TFTP client. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] tftp-server acl 2000...
Information Center Configuration Commands Information Center Configuration Commands display channel Syntax display channel [ channel-number | channel-name ] View Any view Parameter channel-number: Channel number, ranging from 0 to 9, corresponding to the 10 channels of the system. channel-name: Channel name, by default, the name of channel 0 to channel 9 is (in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent, channel6, channel7, channel8, channel9.
Related command: info-center enable, info-center loghost, info-center logbuffer, info-center console channel, info-center monitor channel, info-center trapbuffer, info-center snmp channel, info-center timestamp Example # Display the operation status of information center, the configuration of information channels, the format of time stamp of the current system. <Sysname>...
Field Description Information about the trap buffer, including its state (enabled or disabled), maximum size, current size, current messages, channel Trap buffer number and name, number of dropped messages, and number of overwritten messages Information timestamp Information about the time stamp setting, showing the time stamp format setting: of the log, trap and debugging information display logbuffer...
Description Use the display logbuffer command to display the status of the log buffer and the records in the log buffer. Example # Display the status of the log buffer and the records in the log buffer. <Sysname> display logbuffer Logging buffer configuration and contents:enabled Allowed max buffer size : 1024 Actual buffer size : 512...
Parameter Level severity: Specifies an information severity level. The severity argument ranges from 1 to 8. Description Use the display logbuffer summary command to display the statistics of the log buffer. Example # Display the summary of the log buffer. <Sysname>...
#Apr 2 00:17:47:875 2006 Sysname L2INF/2/PORT LINK STATUS CHANGE:- 1 - Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227833, ifAdminStatus is 2, ifOperStatus is 2 …… <Omitted> info-center channel name Syntax info-center channel channel-number name channel-name undo info-center channel channel-number View System view Parameter channel-number: Channel number, ranging from 0 to 9, corresponding to the 10 channels of the system.
Parameter channel-number: Channel number, ranging from 0 to 9, corresponding to the 10 channels of the system. channel-name: Channel name, by default, the name of channel 0 to channel 9 is (in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent, channel6, channel7, channel8, channel9. Description Use the info-center console channel command to set the channel through which information is output to the console.
Parameter host-ip-addr: IP address of a log host. channel: Sets the information channel for the log host. channel-number: Channel number, ranging from 0 to 9, corresponding to the 10 channels of the system. channel-name: Channel name, by default, the name of channel 0 to channel 9 is (in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent, channel6, channel7, channel8, channel9.
Parameter interface-type: Specifies an interface type. interface-number: Specifies an interface number. Description Use the info-center loghost source command to configure the source interface through which information is sent to the log host. Use the undo info-center loghost source command to cancel the source interface configuration. Related command: info-center enable, display info-center.
[Sysname] info-center monitor channel 0 info-center snmp channel Syntax info-center snmp channel { channel-number | channel-name } undo info-center snmp channel View System view Parameter channel-number: Channel number, ranging from 0 to 9, corresponding to the 10 channels of the system. channel-name: Channel name, by default, the name of channel 0 to channel 9 is (in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent, channel6, channel7, channel8, channel9.
log: Specifies to output log information. trap: Specifies to output trap information. debug: Specifies to output debugging information. level severity: Specifies an information severity level. For the value of severity, refer to Table 1-2. state state: Configures whether to output the system information. The value of state can be on (enabled) or off (disabled).
Parameter None Description Use the info-center synchronous command to enable synchronous information output, so that if system information (such as log information) is output when the user is inputting information, the command prompt and the input information are echoed after the output (note that, the command prompt is echoed in command edit state but is not echoed in interactive state).
date: The current system date and time, in the format of “Mmm dd hh:mm:ss:sss yyyy”. Mmm: The abbreviations of the months in English, which could be Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, or Dec. dd: The date, starting with a space if less than 10, for example “ 7”. hh:mm:ss:sss: The local time, with hh ranging from 00 to 23, mm and ss ranging from 00 to 59, and sss ranging from 0 to 999.
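An added example, not part of the H3C manual: a Python parser for records stamped in the date format described above, run over the trap record shown earlier in this section plus constructed lines. The field names, the regular expression, and the use of the 1 to 8 severity range from display logbuffer summary as a sanity check are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# "Mmm dd hh:mm:ss:sss yyyy", then system name and module/severity/digest.
# dd may be padded with a space (" 7"), so one or more spaces are accepted
# after the month. The leading marker character is kept but not interpreted.
LINE_RE = re.compile(
    r"^(?P<marker>[^A-Za-z0-9\s])?"
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}):(?P<sss>\d{1,3}) "
    r"(?P<year>\d{4}) "
    r"(?P<sysname>\S+) "
    r"(?P<module>\w+)/(?P<severity>\d+)/(?P<digest>[^:]+):"
    r"(?P<text>.*)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None if it must be rejected."""
    m = LINE_RE.match(line.strip())
    if m is None or m["mon"] not in MONTHS:
        return None
    severity = int(m["severity"])
    if not 1 <= severity <= 8:          # range given for "level severity"
        return None
    try:
        # sss is a millisecond count (0 to 999) after a colon, not a decimal
        # fraction, so it is converted by hand; strptime's %f would read a
        # short value such as "5" as 500 ms.
        timestamp = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                             int(m["hh"]), int(m["mm"]), int(m["ss"]),
                             int(m["sss"]) * 1000)
    except ValueError:                  # e.g. hour 25 or Apr 31
        return None
    return {
        "marker": m["marker"] or "",
        "timestamp": timestamp,
        "sysname": m["sysname"],
        "module": m["module"],
        "severity": severity,
        "digest": m["digest"].strip(),
        "text": m["text"].strip(),
    }


def summarize(lines):
    """Count accepted records per (module, severity); collect rejected lines."""
    counts, rejected = Counter(), []
    for line in lines:
        record = parse_line(line)
        if record is None:
            rejected.append(line)
        else:
            counts[(record["module"], record["severity"])] += 1
    return counts, rejected


SAMPLE_LINES = [
    # Trap record as it appears on this page.
    "#Apr 2 00:17:47:875 2006 Sysname L2INF/2/PORT LINK STATUS CHANGE:- 1 - "
    "Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227833, "
    "ifAdminStatus is 2, ifOperStatus is 2",
    # Everything below is constructed for this example.
    "%Apr  7 09:05:03:012 2006 Sysname SHELL/5/LOGIN:- 1 - constructed login record",
    "%Apr  7 09:05:04:100 2006 Sysname SHELL/9/LOGOUT:- 1 - severity out of range",
    "#Apr 31 25:00:00:000 2006 Sysname L2INF/2/PORT LINK STATUS CHANGE:- 1 - bad time",
    "System View: return to User View with Ctrl+Z.",
]

if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE_LINES)
    for (module, severity), n in sorted(counts.items()):
        print(f"{module} severity {severity}: {n}")
    print(f"rejected: {len(rejected)}")
```

Rejected lines are returned rather than dropped, so a collector can count malformed or truncated records instead of silently losing them.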
Example # Set the no-year-date time stamp for the output information sent to the log host. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] info-center timestamp loghost no-year-date info-center timestamp utc Syntax info-center timestamp utc undo info-center timestamp utc View System view Parameter...
info-center trapbuffer Syntax info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ]* undo info-center trapbuffer [ channel | size ] View System view Parameter size: Sets the size of the trap buffer. buffersize: Size of the trap buffer, represented by the number of messages it holds. It ranges from 0 to 1,024 and defaults to 256.
Description Use the reset logbuffer command to clear information recorded in the log buffer. Example # Clear information recorded in the log buffer. <Sysname> reset logbuffer reset trapbuffer Syntax reset trapbuffer [ unit unit-id ] View User view Parameter unit-id: Unit ID of the device, the value can only be 1. Description Use the reset trapbuffer command to clear information recorded in the trap buffer.
Example # Enable debugging terminal display. <Sysname> terminal debugging terminal logging Syntax terminal logging undo terminal logging View User view Parameter None Description Use the terminal logging command to enable log terminal display. Use the undo terminal logging command to disable log terminal display. By default, log terminal display is enabled for console users and terminal users.
Disabling the function has the same effect as executing the following three commands: undo terminal debugging, undo terminal logging and undo terminal trapping. That is, no debugging/log/trap information will be displayed on the current terminal. If the function is enabled, you can run the terminal debugging/undo terminal debugging, terminal logging/undo terminal logging or terminal trapping/undo terminal trapping command to enable or disable debug/log/trap terminal output respectively.
Table of Contents 1 Basic System Configuration and Debugging Commands: Basic System Configuration Commands (clock datetime, clock summer-time, clock timezone, quit, return, sysname, system-view); System Status and Information Display Commands (display clock, display debugging, display version); System Debugging Commands (debugging)...
Basic System Configuration and Debugging Commands Basic System Configuration Commands clock datetime Syntax clock datetime HH:MM:SS { YYYY/MM/DD | MM/DD/YYYY } View User view Parameter HH:MM:SS: Current time, where HH ranges from 0 to 23, MM and SS range from 0 to 59. YYYY/MM/DD or MM/DD/YYYY: Current date, where YYYY represents year ranging from 2000 to 2099, MM represents month ranging from 1 to 12, and DD represents day ranging from 1 to 31.
View User view Parameter zone-name: Name of the summer time, a string of 1 to 32 characters. one-off: Sets the summer time for only one year (the specified year). repeating: Sets the summer time for every year starting from the specified year. start-time: Start time of the summer time, in the form of HH:MM:SS.
add: Specifies to add a time value based on the universal time coordinated (UTC) time to generate a later time. minus: Specifies to subtract a time value based on the UTC time to generate an earlier time. HH:MM:SS: Time to be added or subtracted from the UTC time, in the form of HH:MM:SS. Description Use the clock timezone command to set the local time zone.
System view Parameter sysname: System name of the Ethernet switch. It is a string of 1 to 30 characters. By default, it is H3C. Description Use the sysname command to set the system name of an Ethernet switch. Use the undo sysname command to restore the default system name of the Ethernet switch.
Example # Set the system name of the Ethernet switch to LANSwitch. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] sysname LANSwitch [LANSwitch] system-view Syntax system-view View User view Parameter None Description Use the system-view command to enter system view from user view. Related command: quit, return.
Example # Display the current date and time of the system. <Sysname> display clock 18:36:31 beijing Sat 2002/02/02 Time Zone : beijing add 01:00:00 Summer-Time : bj one-off 01:00:00 2003/01/01 01:00:00 2003/08/08 01:00:00 Table 1-1 Field description of the display clock command Field Description 18:36:31 beijing Sat 2002/02/02...
Description Use the debugging command to enable system debugging. Use the undo debugging command to disable system debugging. By default, all debugging is disabled for the system. Note that: Enabled debugging will generate a great deal of debugging information and thus will affect the efficiency of the system.
# Display the diagnostic information of the system. <Sysname> display diagnostic-information This operation may take a few minutes, continue?[Y/N]y Diagnostic-information is saved to Flash or displayed(Y=save N=display)?[Y/N]n -------------------- display version -------------------- …… <Omitted> terminal debugging Syntax terminal debugging undo terminal debugging View User view Parameter...
Command Alias Configuration Commands command-alias enable Syntax command-alias enable undo command-alias enable View System view Default Level 2: System level Parameters None Description Use the command-alias enable command to enable the command alias function. Use the undo command-alias enable command to disable the command alias function. By default, the command alias function is disabled, that is, you cannot configure command aliases.
Description Use the command-alias mapping command to configure command aliases. Use the undo command-alias mapping command to delete command aliases. By default, a command has no alias. When configuring a command alias, the cmdkey argument must be a complete keyword; otherwise, the system prompts for incomplete keyword or nonexistent keyword, and the operation will fail.
Network Connectivity Test Commands Network Connectivity Test Commands ping Syntax ping [ -a ip-address ] [ -c count ] [ -d ] [ -f ] [ -h ttl ] [ -i interface-type interface-number ] [ ip ] [ -n ] [ -p pattern ] [ -q ] [ -s packetsize ] [ -t timeout ] [ -tos tos ] [ -v ] host View Any view...
-t timeout: Specifies the timeout time (in milliseconds) before an ICMP ECHO-REPLY packet is received after an ICMP ECHO-REQUEST packet is sent. The timeout argument ranges from 0 to 65535 ms and defaults to 2,000 ms. -tos tos: Specifies the ToS value of the ICMP ECHO-REQUEST packets in the range 0 to 255. By default, this value is 0.
tracert Syntax tracert [ -a source-ip ] [ -f first-ttl ] [ -m max-ttl ] [ -p port ] [ -q num-packet ] [ -w timeout ] string View Any view Parameter -a source-ip: Specifies the source interface IP address used by this command. -f first-ttl: Specifies the initial TTL value of the packets to be sent, so as to only display the addresses of those gateways on the path whose hop counts are not smaller than the hop count specified by the first-ttl argument.
Example # Trace the gateways that the packets pass through to the destination with IP address 18.26.0.115. <Sysname> tracert 18.26.0.115 tracert to 18.26.0.115 (18.26.0.115), 30 hops max,40 bytes packet 1 128.3.112.1 (128.3.112.1) 0 ms 0 ms 0 ms 2 128.32.216.1 (128.32.216.1) 19 ms 19 ms 19 ms 3 128.32.206.1 (128.32.206.1) 39 ms 19 ms 19 ms 4 128.32.136.23 (128.32.136.23) 19 ms 39 ms 39 ms 5 128.32.168.22 (128.32.168.22) 20 ms 39 ms 39 ms...
Device Management Commands Device Management Commands boot boot-loader Syntax boot boot-loader [ backup-attribute ] { file-url | device-name } View User view Parameter backup-attribute: Specifies the backup attribute for a file. file-url: Path plus name of a host software file in the Flash, a string of 1 to 64 characters. device-name: File name, in the form of unit[NO.]>flash:, which is used to indicate that the specified file is stored in the Flash memory of a specified switch.
Description Use the boot bootrom command to update the Boot ROM. The updated Boot ROM is used at next startup. Example # Update the Boot ROM of the switch using the file named Switch.btm. <Sysname> boot bootrom Switch.btm This will update Bootrom on unit 1. Continue? [Y/N] y Upgrading Bootrom, please wait...
View Any view Parameter unit-id: Unit ID of a switch, the value can only be 1. Description Use the display cpu command to display the CPU usage. Example # Display the CPU usage of this switch. <Sysname> display cpu Unit 1 Board 0 CPU busy status: 16% in last 5 seconds 16% in last 1 minute...
Parameter None Description Use the display environment command to view the environment temperature of the switch. Note that only PoE-enabled S3100 series Ethernet switches support this command currently. Example # Display the environment temperature of the switch. <Sysname> display environment...
ID number of a fan. Description Use the display fan command to view the working states of fans in a switch. Note that only PoE-enabled S3100 series Ethernet switches support this command currently. Example # Display the working states of the fans.
Example # Display the memory usage of this switch. <Sysname> display memory Unit 1 System Available Memory(bytes): 28486656 System Used Memory(bytes): 13180084 Used Rate: 46% Table 3-4 Description for the fields of the display memory command Field Description System Available Memory(bytes) Available memory size of the system, in unit of bytes System Used Memory(bytes) Used memory size of the system, in unit of bytes...
Parameter None Description Use the display schedule reboot command to display information about scheduled reboot. Related command: schedule reboot at, schedule reboot delay. Example # Display the information about scheduled reboot. <Sysname> display schedule reboot System will reboot at 16:00:00 2002/11/1 (in 2 hours and 5 minutes). display transceiver alarm interface Syntax display transceiver alarm interface [ interface-type interface-number ]...
Field Remarks Voltage high Voltage is high. Voltage low Voltage is low. Transceiver info I/O error Transceiver information read and write error Transceiver info checksum error Transceiver information checksum error Transceiver type and port configuration Transceiver type does not match port configuration. mismatch Transceiver type not supported by port Transceiver type is not supported on the port.
Transceiver type not supported by port Transceiver type is not supported on the port. hardware For pluggable transceivers supported by S3100 series Ethernet switches, refer to H3C S3100 Series Ethernet Switches Installation Manual. Examples # Display the alarm information of the transceiver on interface GigabitEthernet 1/1/2.
Description Use the display transceiver diagnosis interface command to display the currently measured value of digital diagnosis parameters of a single or all anti-spoofing transceivers customized by H3C. Examples # Display the currently measured value of digital diagnosis parameters of the anti-spoofing pluggable optical transceiver customized by H3C on interface GigabitEthernet 1/2/2.
Wavelength(nm) : 1310 Transfer Distance(km) : 10(9um) Digital Diagnostic Monitoring : YES Vendor Name : H3C Ordering Name : SFP-GE-LX10-SM1310 Table 3-8 Description on the fields of the display transceiver interface command Field Description transceiver information Transceiver information of the interface...
Description Use the display transceiver manuinfo interface command to display part of the electrical label information of a single or all anti-spoofing pluggable transceivers customized by H3C. Examples # Display part of the electrical label information of the anti-spoofing pluggable transceiver customized by H3C on interface GigabitEthernet 1/2/2.
Serial number generated during debugging and testing Debugging and testing date. The date takes the value of the system Manufacturing Date clock of the computer that performs debugging and testing. Vendor Name Vendor name specified, that is, H3C. port auto-power-down Syntax port auto-power-down undo port auto-power-down...
Description Use the reboot command to restart a specified Ethernet switch. Before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed. This prevents the system from losing the configurations in case of shutting down the system without saving the configurations.
By default, no scheduled reboot is set on the switch. The switch timer can be set to a precision of one minute, that is, the switch will reboot within one minute after the specified reboot date and time. After you execute the schedule reboot at command with a specified future date, the switch will reboot at the specified time with at most one minute delay.
Use the undo schedule reboot command to cancel the scheduled reboot. By default, no scheduled reboot is set on the switch. The switch timer can be set to a precision of one minute, that is, the switch will reboot within one minute after the specified reboot date and time.
Use the schedule reboot regularity command to enable the periodical reboot of the switch and set the reboot time. Use the undo schedule reboot regularity command to cancel the configured reboot period. By default, the reboot period of the switch is not configured. The switch timer can be set to a precision of one minute, that is, the switch will reboot within one minute after the specified reboot date and time.
By default, real-time monitoring of the running status of the system is enabled. Enabling this function consumes some CPU resources. Therefore, if your network has a high CPU usage requirement, you can disable this function to release CPU resources. Example # Disable real-time monitoring of the running status of the system.
Scheduled Task Configuration Commands Scheduled Task Configuration Commands display job Syntax display job [ job-name ] View Any view Default Level 1: Monitor level Parameters job-name: Name of a scheduled task, a string of 1 to 32 characters. When executed without the job-name argument, the command displays configuration of all the scheduled tasks;...
Syntax job job-name undo job job-name View System view Default Level 3: Manage level Parameters job-name: Name of a scheduled task, a string of 1 to 32 characters. You can configure multiple scheduled tasks, with each task uniquely identified by the string. You can create up to 100 scheduled tasks.
View Scheduled task view Default Level 3: Manage level Parameters time time-id: Time record, where time-id is an integer ranging from 1 to 10, indicating that you can configure up to ten time records for one scheduled task. one-off: Specifies that the specified command(s) are executed only once, that is, the specified command(s) are executed when the time is reached, and will not be executed when the time is reached next time.
Examples # Configure a scheduled task so that PoE can be enabled on the device at eight AM from Monday to Friday. [Sysname-job-phone] time 1 repeating at 8:00 week-day Mon Tue Wed Thu Fri command poe enable # Configure a scheduled task so that PoE can be disabled on the device on sixth April 2008. [Sysname-job-phone] time 2 at 8:00 2008/04/06 command undo poe enable # Configure a scheduled task so that PoE is disabled on the device five hours after the command is configured.
return [Sysname-job-saveconfig] view system [Sysname-job-saveconfig] display this job saveconfig view system return...
VLAN-VPN Configuration Commands VLAN-VPN Configuration Commands display port vlan-vpn Syntax display port vlan-vpn View Any view Parameters None Description Use the display port vlan-vpn command to display the information about VLAN-VPN configuration of the current system. Related commands: vlan-vpn enable, vlan-vpn inner-cos-trust, vlan-vpn tpid. Examples # Display the VLAN-VPN configuration of the current system.
vlan-vpn enable Syntax vlan-vpn enable undo vlan-vpn View Ethernet port view Parameters None Description Use the vlan-vpn enable command to enable the VLAN-VPN feature for a port. Use the undo vlan-vpn command to disable the VLAN-VPN feature for a port. By default, the VLAN-VPN feature is disabled.
Syntax vlan-vpn tpid value undo vlan-vpn tpid View System view Parameters value: User-defined TPID value (in hexadecimal format), in the range 0x0001 to 0xFFFF. Description Use the vlan-vpn tpid command to set the global TPID value. With the TPID value set, the port writes the value into the TPID field of the outer tag to be added for a packet and, upon receiving a packet, compares the TPID value with the TPID field of the packet to determine whether the packet carries a VLAN tag or not.
Selective QinQ Configuration Commands This chapter is only applicable to S3100-EI series switches. Selective QinQ Configuration Commands raw-vlan-id inbound Syntax raw-vlan-id inbound vlan-id-list undo raw-vlan-id inbound { all | vlan-id-list } View QinQ view Parameters vlan-id-list: Lists of VLAN IDs. After receiving packets of these VLANs, the switch will encapsulate the packets with the specified outer VLAN tag.
Page 936
A packet cannot be tagged with different outer VLAN tags. To change the outer VLAN tag of a packet, you need to remove the existing outer VLAN tag configuration and configure a new outer VLAN tag. Before configuring this command in QinQ view, you need to use the vlan-vpn vid command to configure the outer VLAN tag to be used in the selective QinQ policy.
Page 937
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] vlan-vpn vid 20 [Sysname-vid-20] raw-vlan-id inbound 2 to 14 vlan-vpn selective enable Syntax vlan-vpn selective enable undo vlan-vpn selective enable View Ethernet port view Parameter None Description Use the vlan-vpn selective enable command to enable the selective QinQ feature on a port. With the selective QinQ feature enabled, packets carrying specific inner VLAN tags are tagged with specific outer VLAN tags according to the VLAN tag mapping rules defined.
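The TPID comparison and the selective QinQ mapping described above can be followed at the frame level. The Python sketch below is an added example, not code from the H3C manual or from Comware; the function names are hypothetical, the inner tag is assumed to use the standard 802.1Q TPID 0x8100, 0x9100 is a constructed sample TPID, and frames that match no rule are returned unchanged as a simplification.

```python
import struct

DOT1Q_TPID = 0x8100  # standard 802.1Q TPID, assumed here for the inner (customer) tag


def read_tag(frame, tpid):
    """Return the VLAN ID if the 2 bytes after the MAC addresses equal tpid, else None."""
    if len(frame) < 16:
        return None
    field, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if field == tpid else None


def push_outer_tag(frame, outer_vid, tpid):
    """Insert a 4-byte outer tag (TPID + TCI) right after the destination and source MACs."""
    if not 0x0001 <= tpid <= 0xFFFF:
        raise ValueError("TPID must be in the range 0x0001 to 0xFFFF")
    if not 1 <= outer_vid <= 4094:
        raise ValueError("VLAN ID must be in the range 1 to 4094")
    # Priority bits are left at 0, so the TCI equals the VLAN ID.
    return frame[:12] + struct.pack("!HH", tpid, outer_vid) + frame[12:]


def check_policy(policy):
    """Reject a policy in which one inner VLAN maps to more than one outer VLAN."""
    seen = {}
    for outer_vid, inner_ids in policy.items():
        for vid in inner_ids:
            if vid in seen and seen[vid] != outer_vid:
                raise ValueError(f"inner VLAN {vid} maps to outer {seen[vid]} and {outer_vid}")
            seen[vid] = outer_vid
    return seen


def selective_qinq(frame, policy, tpid=DOT1Q_TPID):
    """Return (frame, outer_vid); frames that match no rule come back unchanged with None."""
    mapping = check_policy(policy)
    inner_vid = read_tag(frame, DOT1Q_TPID)
    outer_vid = mapping.get(inner_vid)
    if outer_vid is None:
        return frame, None  # assumption: handling of unmatched frames is not modelled
    return push_outer_tag(frame, outer_vid, tpid), outer_vid


def sample_frame(inner_vid):
    """Constructed test frame: MACs, 802.1Q tag, IPv4 EtherType, dummy payload."""
    dst = bytes.fromhex("01005e000001")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!HHH", DOT1Q_TPID, inner_vid, 0x0800) + b"\x00" * 46


# Policy from the manual's example: vlan-vpn vid 20 / raw-vlan-id inbound 2 to 14
POLICY = {20: range(2, 15)}

if __name__ == "__main__":
    tagged, outer = selective_qinq(sample_frame(5), POLICY, tpid=0x9100)
    print("outer VLAN:", outer)
    print("peer comparing against 0x9100 reads:", read_tag(tagged, 0x9100))
    print("peer comparing against 0x8100 reads:", read_tag(tagged, 0x8100))
```

A peer whose TPID setting differs from the sender's does not recognise the outer tag at all, so the TPID value has to agree on both ends of the link.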
VLAN Mapping Configuration Commands This chapter is only applicable to S3100-EI series switches. VLAN Mapping Configuration Commands vlan-mapping Syntax vlan-mapping vlan old-vlan-id remark new-vlan-id undo vlan-mapping vlan old-vlan-id View System view, Ethernet port view Parameter vlan old-vlan-id: Specifies the source VLAN ID for VLAN mapping. The old-vlan-id argument is in the range of 1 to 4094.
Page 939
By default, no global VLAN mapping rule or port-level VLAN mapping rule is defined. A port that is in a link aggregation port group cannot have the VLAN Mapping feature enabled. The VLAN mapping function and the protocol-based VLAN function are mutually exclusive on the same port.
Page 940
By default, the VLAN mapping function is disabled. A port that is in a link aggregation port group cannot have the VLAN Mapping feature enabled. With port-based VLAN mapping rules configured for a port, the VLAN mapping function is enabled on the port at the same time.
BPDU Tunnel Configuration Commands This chapter is only applicable to the S3100-EI series Ethernet switches. BPDU Tunnel Configuration Commands bpdu-tunnel Syntax bpdu-tunnel protocol-type undo bpdu-tunnel { protocol-type | all } View Ethernet port view Parameters protocol-type: Protocol type, packets of which will be transmitted through a BPDU tunnel. This argument can be a keyword listed in Table 4-1.
Page 942
Value Description Enable/Disable BPDU tunnel for VLAN trunk protocol (VTP). Enable/Disable BPDU tunnel for uni-directional udld link direction (UDLD). all: Disables BPDU tunnel for all protocol packets. Description Use the bpdu-tunnel command to enable BPDU tunnel on a port, so that packets of the specified protocol will be transparently transmitted through the BPDU tunnel on the port.
Page 943
View System view Parameters mac-address: Destination MAC address to be assigned to the protocol packets transmitted along a BPDU tunnel. This argument must be a multicast MAC address. Description Use the bpdu-tunnel tunnel-dmac command to configure the destination MAC address for protocol packets transmitted along a BPDU tunnel.
Page 944
Description Use the display bpdu-tunnel command to display the private multicast MAC address configured for protocol packets transmitted along the BPDU tunnel(s). Related commands: bpdu-tunnel tunnel-dmac. Examples # Display the private multicast MAC address configured for packets transmitted along the BPDU tunnel(s).
HWPing Commands HWPing Client Commands adv-factor Syntax adv-factor adv-number undo adv-factor View HWPing test group view Parameters adv-number: Advantage factor, used to calculate the MOS and ICPIF values in a jitter voice test. It is in the range 0 to 20 and defaults to 0. Description Use the adv-factor command to configure the advantage factor, which is used to calculate the MOS and ICPIF values in a jitter voice test.
View HWPing test group view Parameters times: Number of probes in each HWPing test. The times argument ranges from 1 to 15. Description Use the count command to set the number of probes in each HWPing test. Use the undo count command to restore the default. For tests except jitter test, only one packet is sent in a probe.
Note that: The configuration of a padding character string is only supported by ICMP, UDP and jitter tests. A portion of a test packet is reserved and the padding character string is padded to the rest part. The length of the reserved part varies depending on the test type. Table 1-1 describes the reserved length for different test types.
Test Type Code Range Default value None 4-8100 Other None 4-8100 Description Use the datasize command to configure the size of a test packet in a test. Use the undo datasize command to restore the default. The configuration of packet size is only supported by ICMP, UDP and jitter tests. Examples # Set the size of ICMP test packets to 50 bytes.
undo destination-ip View HWPing test group view Parameters ip-address: Destination IP address of an HWPing (pronounced Hua’Wei Ping) test. Description Use the destination-ip command to configure a destination IP address of an HWPing test. Use the undo destination-ip command to remove the configured destination IP address. By default, no destination IP address is configured for an HWPing test.
By default, no destination port number is configured for a test. Related commands: destination-ip. The destination-port command has effect on jitter, TCP-Private, and UDP-Private tests only. It is not recommended to perform a TCP, UDP, or jitter test on a well-known port (ports with a number ranging from 1 to 1023) or on a port with a port number greater than 50000.
Page 953
Examples # Display the test results of the test group with administrator name administrator, and operation tag icmp. <Sysname> display hwping results administrator icmp HWPing entry(admin administrator, tag icmp) test result: Destination ip address:10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average Round Trip Time: 1/2/1 Square-Sum of Round Trip Time: 13 Last succeeded test time: 2004-11-25 16:28:55.0...
Page 954
# Display the history records of HWPing tests. <Sysname> display hwping history administrator icmp HWPing entry(admin administrator, tag icmp) history record: Index Response Status LastRC Time 2004-11-25 16:28:55.0 2004-11-25 16:28:55.0 2004-11-25 16:28:55.0 2004-11-25 16:28:55.0 2004-11-25 16:28:55.0 2004-11-25 16:28:55.0 2004-11-25 16:28:55.0 2004-11-25 16:28:55.0 2004-11-25 16:28:55.9 2004-11-25 16:28:55.9...
Page 955
Square-Sum of Round Trip Time: 729 Last succeeded test time: 2000-4-2 3:45:36.8 Extend result: SD Maximal delay: 0 DS Maximal delay: 0 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0...
Page 956
# Display the test results of the test group with administrator name administrator, and operation tag Jitter. <Sysname> display hwping results administrator Jitter HWPing entry(admin administrator, tag Jitter) test result: Destination ip address:10.2.2.2 Send operation times: 100 Receive response times: 100 Min/Max/Average Round Trip Time: 9/21/13 Square-Sum of Round Trip Time: 18623 Last succeeded test time: 2000-4-2 8:14:58.2...
Page 957
Field: Description
Positive DS Number: Number of positive jitter delays from the destination to the source
Positive SD Sum: Sum of positive jitter delays from the source to the destination
Positive DS Sum: Sum of positive jitter delays from the destination to the source
Positive SD average: Average of positive jitter delays from the source...
Page 958
# Display the test results of the test group with administrator name administrator, and operation tag dns. <Sysname> display hwping results administrator dns HWPing entry(admin administrator, tag dns) test result: Destination ip address:10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average Round Trip Time: 6/10/8 Square-Sum of Round Trip Time: 756 Last succeeded test time: 2006-11-28 11:50:40.9...
Page 959
Parameters administrator-name: Name of the administrator creating the test. operation-tag: Test operation tag. Description Use the display hwping statistics command to display test statistics. After a test begins, if all the probes in the first test have not been finished, when you use the command to view statistics, all statistics results will be 0.
Page 960
Field: Description
Lifetime: The time that a test lasts
Send operation times: The number of the sent test packets.
Receive response times: The number of successful test attempts
Min/Max/Average Round Trip Time: Roundtrip time in its minimum, maximum, and average
Square-Sum of Round Trip Time: The square sum of roundtrip time
Packet lost in test...
Field: Description
Unknown result lost packet number: The number of the lost packets for unknown reason
dns-server Syntax dns-server ip-address undo dns-server View HWPing test group view Parameters ip-address: IP address to be assigned to a domain name server (DNS). Description Use the dns-server command to configure the IP address of a DNS server.
View HWPing test group view Parameters domain-name: Domain name to be resolved, in the range of 1 to 60 characters. Description Use the dns resolve-target command to configure a domain name to be resolved. Use the undo resolve-target command to remove a domain name to be resolved. By default, no dns resolve-target information is configured.
The filename command applies to FTP tests only. Examples # Specify to transmit config.txt between HWPing client and FTP server in an FTP test. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] hwping administrator ftp [Sysname-hwping-administrator-ftp] test-type ftp [Sysname-hwping-administrator-ftp] filename config.txt filesize Syntax...
[Sysname-hwping-administrator-ftp] ftp-operation put [Sysname-hwping-administrator-ftp] filesize 2000 frequency Syntax frequency interval undo frequency View HWPing test group view Parameters interval: Automatic test interval in seconds. It ranges from 0 to 65,535. Description Use the frequency command to configure the time interval of performing automatic tests. Use the undo frequency command to restore the default.
Page 965
Parameters get: Specifies the test operation as download from the FTP server. put: Specifies the test operation as upload to the FTP server. Description Use the ftp-operation command to configure the FTP operation mode, which can be get and put. By default, the FTP operation mode is get.
System View: return to User View with Ctrl+Z [Sysname] hwping administrator icmp [Sysname-hwping-administrator-icmp] history keep-time 240 history-record enable Syntax history-record enable undo history-record enable View HWPing test group view Parameters None Description Use the history-record enable command to enable history record. Use the undo history-record enable command to disable history record.
Parameters Number: Maximum number of history records that can be saved in a test group, in the range of 0 to 50, and 50 by default. Description Use the history-records command to set the maximum number of history records that can be saved in a test group.
[Sysname] hwping administrator http [Sysname-hwping-administrator-http] test-type http [Sysname-hwping-administrator-http] http-operation post http-string Syntax http-string string version undo http-string View HWPing test group view Parameters string: HTTP operation string used to specify the webpage to be accessed. It can consist of 1 to 230 characters.
Page 969
Parameters administrator-name: Name of the administrator to create an HWPing test group, a string of 1 to 32 characters. operation-tag: Operation tag, a string of 1 to 32 characters. Description Use the hwping command to create an HWPing test group and enter HWPing test group view. If the specified HWPing test group already exists, this command leads you to HWPing test group view directly.
Page 970
View System view Parameters None Description Use the hwping-agent enable command to enable the HWPing client function. Use the undo hwping-agent enable command to disable the HWPing client function. By default, the HWPing client function is disabled. You can perform tests only after you enable the HWPing client function. Related commands: hwping-server enable.
Examples # Set the maximum number of concurrent tests to 4. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] hwping-agent max-requests 4 jitter-interval Syntax jitter-interval interval undo jitter-interval View HWPing test group view Parameters interval: Interval in milliseconds between jitter test packets. The value is in the range of 10 to 1000. Description Use the jitter-interval command to configure the interval between sending jitter test packets.
View HWPing test group view Parameters number: Number of packets to be transmitted in one probe for a jitter test, in the range of 10 to 1000. Description Use the jitter-packetnum command to configure the number of packets to be sent in one probe for a jitter test.
To perform an FTP test successfully, the configured password must be consistent with the FTP user password configured on the server. This command applies to FTP tests only. Examples # Set the password for logging into the FTP server as hwping in an FTP test. <Sysname>...
send-trap Syntax send-trap { all | { probefailure | testcomplete | testfailure }* } undo send-trap { all | { probefailure | testcomplete | testfailure }* } View HWPing test group view Parameters probefailure: Sends a trap when a probe fails. testcomplete: Sends a trap after a test is finished.
With routing table bypass, a remote host can bypass the normal routing tables and send ICMP packets directly to a host on an attached network. If the host is not on a directly connected network, an error is returned. You can use this function when pinging a local host on an interface that has no route defined. Examples # Bypass routing table when sending ICMP packets.
Page 976
For DHCP tests, this command is required. For ICMP tests, this command is optional. This command does not apply to other tests. For ICMP tests, if a source IP address has been configured with the source-ip command, the source-interface command cannot change the configured IP address. For an ICMP test, if a source interface has been configured with the source-interface command, the test destination address should be configured as the address of the device directly connected to the interface.
For FTP tests, this command is required. This command does not apply to DHCP tests. For other tests, this command is optional. The source IP address specified by this command cannot belong to an interface on a remote device, and the interface must be Up; otherwise the test will fail. Examples # Configure the source IP address as 169.254.10.2 for this ICMP test.
[Sysname-hwping-administrator-tcpprivate] source-port 8000 statistics Syntax statistics { interval interval | max-group number } undo statistics { interval | max-group } View HWPing test group view Parameters interval: Statistics interval, in the range 1 to 1440, in minutes, and defaults to 60 minutes. number: Number of groups of statistics information, in the range 1 to 100 and defaults to 2.
Page 979
Description Use the statistics keep-time command to configure the retaining time of the test statistics. Use the undo statistics keep-time command to remove your configuration and restore the default. Examples # Configure the retaining time of the test statistics to 180 minutes. <Sysname>...
Examples # Set the test to start from 14:03 and last 3600 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] hwping administrator icmp [Sysname-hwping-administrator-icmp] test-time begin 14:03:00 lifetime 3600 test-type Syntax test-type type [ codec codec-value ] View HWPing test group view Parameters...
Examples # Configure the test type as an FTP test. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] hwping administrator ftp [Sysname-hwping-administrator-ftp] test-type ftp test-enable Syntax test-enable undo test-enable View HWPing test group view Parameters None Description Use the test-enable command to enable an HWPing test.
test-failtimes Syntax test-failtimes times undo test-failtimes View HWPing test group view Parameters times: Number of times of consecutive test failure, in the range of 1 to 15. Description Use the test-failtimes command to configure the number of consecutive times an HWPing test fails before the switch sends out a trap message.
Examples # Set the timeout time for one probe in an ICMP test to 10 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] hwping administrator icmp [Sysname-hwping-administrator-icmp] test-type icmp [Sysname-hwping-administrator-icmp] timeout 10 Syntax tos value undo tos View HWPing test group view Parameters...
Page 984
View HWPing test group view Parameters number: Time to live (TTL) value or lifetime of HWPing test packets. It is in the range 1 to 255 and defaults to 20. Description Use the ttl command to configure TTL of HWPing test packets. Use the undo ttl command to restore the default TTL of HWPing test packets.
Page 985
To perform an FTP test successfully, the configured username must be consistent with the username configured on the FTP server. This command applies to FTP tests only. Examples # Configure the username for logging into the FTP server in an FTP test as administrator. <Sysname>...
Page 986
Related commands: hwping-agent enable, hwping-server tcpconnect, hwping-server udpecho. Examples # Enable an HWPing server. <Sysname> system-view System View: return to User View with Ctrl+Z [Sysname] hwping-server enable hwping-server tcpconnect Syntax hwping-server tcpconnect ip-address port-number undo hwping-server tcpconnect ip-address port-number View System view Parameters ip-address: IP address specified for a TCP listening service on the HWPing server.
Page 987
Parameters ip-address: IP address from which an HWPing server performs UDP listening. port-number: Port from which an HWPing server performs UDP listening. The value ranges from 1 to 49999. It is not recommended to use some special ports (that is, those used for fixed functions, such as port 1701).
Page 990
Use the dhcp-snooping ipv6 enable command to enable DHCPv6 snooping. Use the undo dhcp-snooping ipv6 enable command to disable DHCPv6 snooping. By default, DHCPv6 snooping is disabled. Among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Enable DHCPv6 snooping.
Page 991
Use the undo dhcp-snooping ipv6 max-learning-num command to restore the default. By default, the number of DHCPv6 snooping entries that an interface can learn is not limited. Among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Set the maximum number of DHCPv6 snooping entries that can be learned on Layer 2 Ethernet interface Ethernet 1/0/1 to 1000.
Page 992
Among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Specify Ethernet1/0/1 as a trusted port. <Sysname> system-view [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] dhcp-snooping ipv6 trust display dhcp-snooping ipv6 Syntax display dhcp-snooping ipv6 { all | unit unit-id }...
0 dhcp-snooping Ipv6 item(s) of unit 1 found display dns ipv6 dynamic-host Syntax display dns ipv6 dynamic-host View Any view Parameters None Description Use the display dns ipv6 dynamic-host command to display IPv6 dynamic domain name information in the cache, including the domain name, IPv6 address, and TTL of the DNS entries. You can use the reset dns ipv6 dynamic-host command to clear all IPv6 dynamic domain name information from the cache.
Page 994
View Any view Parameters None Description Use the display ipv6 fib command to display all the IPv6 FIB entries. The switch looks up a matching IPv6 FIB entry for forwarding an IPv6 packet. Examples # Display all the IPv6 FIB entries. <Sysname>...
display ipv6 interface Syntax display ipv6 interface [ interface-type interface-number | brief ] View Any view Parameters interface-type: Interface type. interface-number: Interface number. brief: Displays the brief IPv6 information of an interface. Description Use the display ipv6 interface command to display the IPv6 information of a specified interface. If no interface is specified, the IPv6 information of all interfaces for which IPv6 addresses can be configured is displayed;...
Page 997
Table 1-4 Description on the fields of the display ipv6 interface command Field Description VLAN interface link state: Administratively DOWN: Indicates the VLAN interface is administratively down; that is, the interface is shut down using the shutdown command. Vlan-interface1 current DOWN: Indicates the VLAN interface is administratively up but its state physical state is down;...
Page 998
Use the display ipv6 nd detection command to display ND detection configuration. Refer to the ipv6 nd detection enable command and ipv6 nd detection trust command for related configuration. Among S3100 series switches, only S3100-EI series switches support the two commands.
Page 999
Note that if an interface is specified, only the statistics of the packets discarded by that interface are displayed; otherwise, the statistics of the packets discarded by all the interfaces are displayed. Among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Display the statistics of discarded packets when the ND detection checks the user legality.
Page 1000
Use the display ipv6 nd snooping command to display ND snooping entries. Note that if no parameter is specified, this command displays all ND snooping entries. Among S3100 series switches, only S3100-EI series switches support the two commands. Examples # Display ND snooping entries of VLAN 1.