3Com Switch 4210 Family Command Reference Guide

Switch 4210 9-Port
Switch 4210 18-Port
Switch 4210 26-Port
Switch 4210 52-Port
Switch 4210 PWR 9-Port
Switch 4210 PWR 18-Port
Switch 4210 PWR 26-Port

Product Version: V03.01.12
Manual Version: 6W102-20091224

www.3com.com
3Com Corporation, 350 Campus Drive, Marlborough, MA, USA 01752 3064

Copyright © 2006-2009, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com and the 3Com logo are registered trademarks of 3Com Corporation. All other company and product names may be trademarks of the respective companies with which they are associated.
Environmental Statement about the Documentation

The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the inks are vegetable-based with a low heavy-metal content.

About This Manual

Organization

The 3Com Switch 4210 Family Command Reference Guide is organized as follows:

- Part 1, Login: Introduces the commands used for logging in to the Ethernet switch and the commands used for configuring the CLI.
- Part 2, Configuration File Management: Introduces the commands used for configuration file management.
- Part 3, VLAN: Introduces the commands used for configuring VLANs.
- Part 4, Management VLAN: Introduces the commands used for the management VLAN.
- Part 5, IP Address and Performance: Introduces the commands used for IP address and performance configuration.
- Part 6, Port Basic Configuration: Introduces the port-related commands.
- Part 7, Link Aggregation: Introduces the commands used for link aggregation.
- Part 8, Port Isolation: Introduces the commands used for port isolation.
- Part 9, Port Security: Introduces the commands used for configuring port security.
- Part 10, MAC Address Table Management: Introduces the commands used for MAC address forwarding table management.
- Part 11, MSTP: Introduces the STP-related commands.
- Part 12, Multicast: Introduces the commands used for IGMP snooping.
- Part 13, 802.1x-System Guard: Introduces the 802.1x-related commands.
- Part 14, AAA: Introduces the commands used for AAA and RADIUS.
- Part 15, MAC Address Authentication: Introduces the commands used for MAC address authentication.
- Part 16, ARP: Introduces the ARP-related commands.
- Part 17, DHCP: Introduces the commands used for DHCP snooping and the DHCP/BOOTP client.
- Part 18, ACL: Introduces the ACL-related commands.
- Part 19, QoS: Introduces the commands used for QoS.
- Part 20, Mirroring: Introduces the commands used for mirroring.
- Part 21, Cluster: Introduces the commands used for configuring clusters.
- Part 22, PoE-PoE Profile: Introduces the commands used for PoE and PoE profile configuration.
- Part 23, SNMP-RMON: Introduces the SNMP-related and RMON-related commands.
- Part 24, NTP: Introduces the NTP-related commands.
- Part 25, SSH: Introduces the commands used for configuring SSH 2.0.
- Part 26, File System Management: Introduces the commands used for file system management.
- Part 27, FTP-SFTP-TFTP: Introduces the FTP/SFTP/TFTP-related commands.
- Part 28, Information Center: Introduces the commands used for configuring the information center.
- Part 29, System Maintenance and Debugging: Introduces the commands used for system maintenance and debugging.
- Part 30, Remote-ping: Introduces the remote-ping related commands.
- Part 31, IPv6 Management: Introduces the commands used for IPv6 management.
- Part 32, DNS: Introduces the DNS-related commands.
- Part 33, Password Control: Introduces the commands used for password control.
- Part 34, GVRP: Introduces the commands used for GVRP.
- Part 35, VLAN-VPN: Introduces the commands used for VLAN-VPN.
- Part 36, LLDP: Introduces the commands used for LLDP.
- Part 37, PKI: Introduces the commands used for PKI.
- Part 38, SSL: Introduces the commands used for SSL.
- Part 39, HTTPS: Introduces the commands used for HTTPS.
- Part 40, Appendix: Lists all the commands described in this command manual in alphabetical order, together with the parts and pages where each command is described.

Conventions

The manual uses the following conventions:

Command conventions
- Boldface: The keywords of a command line are in boldface.
- italic: Command arguments are in italic.
- [ ]: Items (keywords or arguments) in square brackets [ ] are optional.
- { x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
- [ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
- { x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
- [ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
- &<1-n>: The argument(s) before the ampersand (&) sign can be entered 1 to n times.
- #: A line starting with the # sign is a comment.

GUI conventions
- < >: Button names are inside angle brackets. For example, click <OK>.
- [ ]: Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
- /: Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].

Symbols

The manual uses three symbols (the icons themselves are not reproduced in this text); their meanings are:
- Means the reader must be extremely careful. Improper operation may cause bodily injury.
- Means the reader must be careful. Improper operation may cause data loss or damage to equipment.
- Means a complementary description.

Related Documentation

In addition to this manual, each 3Com Switch 4210 documentation set includes the following:
- 3Com Switch 4210 Family Configuration Guide: Describes how to configure your Switch 4210 using the supported protocols and CLI commands.
- 3Com Switch 4210 Family Getting Started Guide: Provides all the information you need to install and use the 3Com Switch 4210 Family.

Obtaining Documentation

You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
Table of Contents

1 Login Commands
  Login Commands
    authentication-mode
    auto-execute command
    copyright-info enable
    databits
    display user-interface
    display users
    display web users
    free user-interface
    header
    history-command max-size
    idle-timeout
    ip http shutdown
    lock
    parity
    protocol inbound
    screen-length
    send
    service-type
    set authentication password
    shell
    speed
    stopbits
    telnet
    telnet ipv6
    user-interface
    user privilege level
  CLI Configuration Commands
    command-privilege level
    display history-command
    super
    super password
2 Commands for User Control
  Commands for Controlling Logging in Users
    acl
    free web-users
    ip http acl
    snmp-agent community
    snmp-agent group
    snmp-agent usm-user

1 Login Commands

Login Commands

authentication-mode

Syntax

    authentication-mode { password | scheme [ command-authorization ] | none }

View

User interface view

Parameters

- none: Specifies not to authenticate users.
- password: Authenticates users using the local password.
- scheme: Authenticates users locally or remotely using usernames and passwords.
- command-authorization: Performs command authorization on the TACACS authentication server.

Description

Use the authentication-mode command to specify the authentication mode.

- If you specify the password keyword to authenticate users using the local password, remember to set the local password using the set authentication password command. Otherwise, AUX users can log in to the switch successfully without a password, but VTY users will fail the login. VTY users must enter the correct authentication password to log in to the switch.
- If you specify the scheme keyword to authenticate users locally or remotely using usernames and passwords, the actual authentication mode (local or remote) depends on the related AAA scheme configuration of the domain.
- If this command is executed with the command-authorization keyword specified, authorization is performed on the TACACS server whenever you attempt to execute a command, and the command can be executed only when you pass the authorization. Normally, a TACACS server contains a list of the commands available to different users.

By default, the authentication mode is none for AUX users and password for VTY users.

For a VTY user interface, to specify the none keyword or the password keyword for login users, make sure that SSH is not enabled in the user interface. Otherwise, the configuration fails.
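The following Python script is an added example, not part of the 3Com manual: it applies the authentication-mode rules of this section, together with the TCP 22/23 enabling rules stated next, to a constructed running-config fragment and reports the findings a reviewer would raise. The protocol inbound { all | ssh | telnet } syntax, its assumed default of all, and the configuration layout are assumptions made here.

```python
"""Audit Switch 4210 user-interface login settings (added example, not 3Com code).

Applies this section's authentication-mode rules (defaults per interface type,
password mode with no password set, which of TCP 22/SSH and TCP 23/Telnet is
enabled) to a constructed config.  The 'protocol inbound { all | ssh | telnet }'
syntax, its default of 'all' and the config layout are assumptions made here.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample fragment, written in the style of the page's CLI examples.
SAMPLE_CONFIG = """\
#
user-interface aux 0
 authentication-mode password
#
user-interface vty 0 2
 authentication-mode none
#
user-interface vty 3 4
 authentication-mode scheme
 protocol inbound ssh
#
"""

@dataclass
class UserInterface:
    kind: str                         # "aux" or "vty"
    first: int                        # first relative index of the block
    last: int                         # last relative index of the block
    auth_mode: Optional[str] = None   # none | password | scheme; None = default
    password_set: bool = False        # 'set authentication password' present
    password_plaintext: bool = False  # ... with the 'simple' keyword
    protocol_inbound: str = "all"     # assumption: default permits both

    def absolute_indexes(self):
        # AUX0 is absolute index 0; VTY0 to VTY4 are absolute indexes 1 to 5.
        base = 0 if self.kind == "aux" else 1
        return [base + i for i in range(self.first, self.last + 1)]

    def effective_auth_mode(self):
        # Default is none for AUX users and password for VTY users.
        if self.auth_mode is not None:
            return self.auth_mode
        return "none" if self.kind == "aux" else "password"

def parse_config(text):
    """Collect the user-interface blocks of a running-config fragment."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"user-interface (aux|vty) (\d+)(?: (\d+))?$", line)
        if m:
            first, last = int(m.group(2)), int(m.group(3) or m.group(2))
            current = UserInterface(m.group(1), first, last)
            blocks.append(current)
        elif line == "#":                 # block separator
            current = None
        elif current is not None:
            if line.startswith("authentication-mode "):
                current.auth_mode = line.split()[1]
            elif line.startswith("set authentication password "):
                current.password_set = True
                current.password_plaintext = line.split()[3] == "simple"
            elif line.startswith("protocol inbound "):
                current.protocol_inbound = line.split()[2]
    return blocks

def enabled_ports(ui):
    """TCP ports the switch enables for this block, per the reference."""
    if ui.kind == "aux":                  # the console port has no TCP listener
        return set()
    mode = ui.effective_auth_mode()
    if mode == "none":
        return {23}
    if mode == "password":
        # The reference only states the case where the password has been set.
        return {23} if ui.password_set else set()
    return {"telnet": {23}, "ssh": {22}, "all": {22, 23}}[ui.protocol_inbound]

def audit(ui):
    """Findings a reviewer would raise for one user-interface block."""
    mode = ui.effective_auth_mode()
    name = f"{ui.kind} {ui.first}" + (f" {ui.last}" if ui.last != ui.first else "")
    findings = []
    if ui.kind == "vty" and mode == "none":
        findings.append(f"{name}: remote login without authentication")
    if mode == "password" and not ui.password_set:
        if ui.kind == "aux":
            findings.append(f"{name}: console login succeeds with no password")
        else:
            findings.append(f"{name}: VTY login will fail, no password set")
    if ui.password_plaintext:
        findings.append(f"{name}: password stored with 'simple' (plain text)")
    if ui.kind == "vty" and mode != "scheme" and ui.protocol_inbound == "ssh":
        findings.append(f"{name}: none/password is rejected while SSH is enabled")
    if 23 in enabled_ports(ui):
        findings.append(f"{name}: Telnet (TCP 23) enabled; prefer scheme with SSH")
    return findings
```

Running audit over parse_config(SAMPLE_CONFIG) flags the console line for having password mode with no password set and the first VTY block for unauthenticated Telnet, while the scheme-plus-SSH block produces no findings.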
Refer to the protocol inbound command for related configuration.

To improve security and prevent attacks on unused sockets, TCP port 23 (Telnet) and TCP port 22 (SSH) are enabled or disabled according to the corresponding configuration:

- If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled.
- If the authentication mode is password and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled.
- If the authentication mode is scheme, there are three scenarios: when the supported protocol is specified as telnet, TCP 23 is enabled; when it is specified as SSH, TCP 22 is enabled; when it is specified as all, both TCP 23 and TCP 22 are enabled.

Examples

Example of the password authentication mode configuration

# Configure the switch to authenticate users using the local password on the console port, and set the authentication password to aabbcc in plain text.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] user-interface aux 0
    [Sysname-ui-aux0] authentication-mode password
    [Sysname-ui-aux0] set authentication password simple aabbcc

After the configuration, when a user logs in to the switch through the console port, the user must enter the correct password.

Example of the scheme authentication mode configuration

# Configure the authentication mode as scheme for VTY users logging in through Telnet.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] user-interface vty 0
    [Sysname-ui-vty0] authentication-mode scheme
    [Sysname-ui-vty0] quit

# Specify domain system as the default domain, and set the scheme authentication mode to local for the domain.

    [Sysname] domain default enable system
    [Sysname] domain system
    [Sysname-isp-system] scheme local
    [Sysname-isp-system] quit

# Configure the local authentication username and password.

    [Sysname] local-user guest
    [Sysname-luser-guest] password simple 123456
    [Sysname-luser-guest] service-type telnet level 2

After the configuration, when a user logs in to the switch through VTY0, the user must enter the configured username and password.

auto-execute command

Syntax

    auto-execute command text
    undo auto-execute command

View

VTY user interface view

Parameters

- text: Command to be executed automatically.

Description

Use the auto-execute command command to set the command that is executed automatically after a user logs in. Use the undo auto-execute command command to disable automatic execution of the specified command.

By default, no command is configured to be executed automatically after a user logs in.

Normally, the telnet command is specified to be executed automatically so that the user is automatically telnetted to a specific network device.

- The auto-execute command command may leave you unable to perform common configuration in the user interface, so use it with caution.
- Before executing the auto-execute command command and saving your configuration, make sure you can log in to the switch in other modes and cancel the configuration.

Examples

# Configure the telnet 10.110.100.1 command to be executed automatically after users log in to VTY 0.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] user-interface vty 0
    [Sysname-ui-vty0] auto-execute command telnet 10.110.100.1
    % This action will lead to configuration failure through ui-vty0. Are you sure?[Y/N]y

After the above configuration, when a user logs in to the device through VTY 0, the device automatically executes the configured command and logs off the current user.

copyright-info enable

Syntax

    copyright-info enable
    undo copyright-info enable

View

System view

Parameters

None

Description

Use the copyright-info enable command to enable copyright information displaying.
Use the undo copyright-info enable command to disable copyright information displaying.

By default, copyright information displaying is enabled. That is, the copyright information is displayed after a user logs in to the switch successfully.

Note that these two commands apply to users logging in through the console port and through Telnet.

Examples

# Disable copyright information displaying.

    ********************************************************************************
    *  Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved.   *
    *  Without the owner's prior written consent,                                  *
    *  no decompiling or reverse-engineering shall be allowed.                     *
    ********************************************************************************
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] undo copyright-info enable

# After the above configuration, no copyright information is displayed after a user logs in, as shown below.

    <Sysname>

databits

Syntax

    databits { 7 | 8 }
    undo databits

View

AUX user interface view

Parameters

- 7: Sets the databits to 7.
- 8: Sets the databits to 8.

Description

Use the databits command to set the databits for the user interface. Use the undo databits command to revert to the default databits.

The default databits is 8.

- This command takes effect on AUX user interfaces only.
- The databits setting on the terminal and that on the device user interface must be the same for communication to work.

Examples

# Set the databits to 7.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] user-interface aux 0
    [Sysname-ui-aux0] databits 7

display user-interface

Syntax

    display user-interface [ type number | number ] [ summary ]

View

Any view

Parameters

- type: User interface type, which can be AUX (for the AUX user interface) or VTY (for VTY user interfaces).
- number: User interface index. A user interface index can be relative or absolute.
  - In the relative user interface numbering scheme, the type argument is required. In this case, the AUX user interface is numbered AUX0, and VTY user interfaces are numbered from VTY0 through VTY4.
  - In the absolute user interface numbering scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 5.
- summary: Displays summary information about the user interfaces.

Description

Use the display user-interface command to display information about a specified user interface or about all user interfaces.

If the summary keyword is not specified, this command displays the user interface type, absolute/relative user interface index, transmission speed, available command level, authentication mode, and physical position.

If the summary keyword is specified, this command displays the number and type of the user interfaces, including those that are in use and those that are not in use.

Examples

# Display the information about user interface 0.

    <Sysname> display user-interface 0
      Idx  Type       Tx/Rx      Modem Privi Auth  Int
    F 0    AUX 0      19200      -     3     N     -
      +    : Current user-interface is active.
      F    : Current user-interface is active and work in async mode.
      Idx  : Absolute index of user-interface.
      Type : Type and relative index of user-interface.
      Privi: The privilege of user-interface.
      Auth : The authentication mode of user-interface.
      Int  : The physical location of UIs.
      A    : Authentication use AAA.
      N    : Current UI need not authentication.
      P    : Authentication use current UI's password.

Table 1-1 display user-interface command output description

- +: The user interface is in use.
- F: The user interface operates in asynchronous mode.
- Idx: The absolute index of the user interface.
- Type: User interface type and the relative index.
- Tx/Rx: Transmission speed of the user interface.
- Modem: Indicates whether or not a modem is used.
- Privi: Available command level.
- Auth: Authentication mode.
- Int: Physical position of the user interface.
- A: The current user authentication mode is scheme.
- N: The current user authentication mode is none.
- P: The current user authentication mode is password.

# Display the summary information about the user interfaces.

    <Sysname> display user-interface summary
      User interface type : [AUX]
                0:X
      User interface type : [VTY]
                1:UXXX X
       1 character mode users.  (U)
       5 UI never used.         (X)
       1 total UI in use

Table 1-2 display user-interface summary command output description

- User interface type: User interface type: AUX or VTY.
- 0:X / 1:UXXX X: 0 and 1 are the lowest absolute numbers of the AUX and VTY user interfaces respectively. U and X indicate the usage state of an interface: U indicates that the corresponding user interface is in use; X indicates that it is idle. The total number of Us and Xs is the total number of user interfaces that are available.
- character mode users. (U): The number of current users, that is, the number of Us.
- UI never used. (X): The number of user interfaces not being used currently, that is, the number of Xs.
- total UI in use: The total number of user interfaces being used currently, that is, the total number of users currently logged in to the switch successfully.

display users

Syntax

    display users [ all ]

View

Any view

Parameters

- all: Displays the user information about all user interfaces.

Description

Use the display users command to display the login user information about user interfaces, including AUX user interfaces and VTY user interfaces.

If you do not specify the all keyword, only the user information about the user interface that is being used is displayed.

Examples

# Display the user information about the current user interface.

    <Sysname> display users
      UI        Delay    Type Ipaddress       Username    Userlevel
    + 1  VTY 0  00:00:00 TEL  192.168.0.208               3
      + : Current operation user.
      F : Current operation user work in async mode.

Table 1-3 display users command output description

- UI: The numbers in the left sub-column are the absolute user interface indexes, and those in the right sub-column are the relative user interface indexes.
- Delay: The period (in seconds) for which the user interface has been idle.
- Type: User type.
- Ipaddress: The IP address from which the user logs in.
- Username: The login name of the user that logs in to the user interface.
- Userlevel: The level of the commands available to the users logging in to the user interface.
- F: The information is about the current user interface, and the current user interface operates in asynchronous mode.
- +: The user interface is in use.

display web users

Syntax

    display web users

View

Any view

Parameters

None

Description

Use the display web users command to display information about the current online Web users (management users that log in to the switch through the Web interface).

Examples

# Display the information about the current online Web users.

    <Sysname> display web users
      ID        Name       Language  Level       Login Time  Last Req. Time
      00800003  admin      English   Management  06:16:32    06:18:35

Table 1-4 display web users command output description

- ID: ID of a Web user.
- Name: Name of a Web user.
- Language: Language a Web user uses.
- Level: Level of a Web user.
- Login Time: Time when a Web user logged in.
- Last Req. Time: Time when the latest request was made.

free user-interface

Syntax

    free user-interface [ type ] number

View

User view

Parameters

- type: User interface type, which can be AUX (for the AUX user interface) or VTY (for VTY user interfaces).
- number: User interface index. A user interface index can be relative or absolute.
  - In the relative user interface index scheme, the type argument is required. In this case, the AUX user interface is numbered AUX0, and VTY user interfaces are numbered from VTY0 through VTY4.
  - In the absolute user interface index scheme, the type argument is not required.
    In this case, user interfaces are numbered from 0 to 5.

Description

Use the free user-interface command to free a user interface. That is, this command tears down the connection between a user and a user interface.

Users of the manage level can use this command to control the use of other user interfaces. Multiple users can log in to the system to configure the device simultaneously. When the administrator wants to make configurations without interruption from users that have logged in through other user interfaces, the administrator can execute the following commands to release the connections established on the specified user interfaces.

Note that the user interface you are currently using to execute this command cannot be freed.

Examples

# The user logged in to the switch through AUX 0 with user level 3 (manage level) releases user interface VTY 0.

    <Sysname> display users
      UI        Delay    Type Ipaddress       Username    Userlevel
    F 0  AUX 0  00:00:00                                  3
      8  VTY 0  00:01:30 TEL  192.168.0.108   song        2
      + : Current operation user.
      F : Current operation user work in async mode.
    <Sysname> free user-interface vty 0
    Are you sure you want to free user-interface vty0 [Y/N]? y
    [OK]

After you perform the above operation, the user connection on user interface VTY0 is torn down. The user must log in again to connect to the switch.

header

Syntax

    header [ incoming | legal | login | shell ] text
    undo header { incoming | legal | login | shell }

View

System view

Parameters

- incoming: Sets the login banner for users that log in through modems. If you specify to authenticate login users, the banner appears after a user passes the authentication. (The session banner does not appear in this case.)
- legal: Sets the authorization banner, which is displayed when a user enters user view.
- login: Sets the login banner. The banner set by this keyword is valid only when users are authenticated before they log in to the switch, and appears while the switch prompts for the username and password. If a user logs in to the switch through the Web, the configured banner text is displayed on the banner page.
- shell: Sets the session banner, which appears after a session is established. If you specify to authenticate login users, the banner appears after a user passes the authentication.
- text: Banner to be displayed. If no keyword is specified, this argument is the login banner. You can provide this argument in two ways. One is to enter the banner on the same line as the command (a command line can accept up to 254 characters). The other is to enter the banner in multiple lines (you start a new line by pressing Enter), which allows a banner of up to 2000 characters (including invisible characters such as carriage returns). Note that the first character of the text is both the beginning character and the end character of the banner. After entering the end character, press Enter to exit the interaction.

Description

Use the header command to set the banners that are displayed when a user logs in to the switch through an AUX or VTY user interface. The login banner is displayed on the terminal when the connection is established, and the session banner is displayed on the terminal when a user successfully logs in. Use the undo header command to disable the display of a specific banner or of all banners.

By default, no banner is configured.

This command applies to users logging in through AUX and VTY user interfaces; it does not affect users logging in through the Web interface.

Note that if you specify any one of the four keywords without providing the text argument, the specified keyword is regarded as the login information.
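The following Python parser and lint for the header command's text argument is an added example, not code from the manual: it applies the delimiter rule (the first character opens and closes the banner), the single-line and multi-line entry forms, and the 254-character line and 2000-character banner limits described above. The function names and finding texts are this example's own; it assumes the line break right after an opening character at the end of the command line is not part of the banner, and the keyword-only form is not modelled.

```python
"""Parse and lint the text argument of the Switch 4210 'header' command.

Added example, not 3Com code.  Rules taken from the reference: the first
character of text is the delimiter that also ends the banner; a banner can be
closed on the command line (a line accepts up to 254 characters) or continued
on later lines (up to 2000 characters, line breaks included); with no keyword
the text is the login banner.  Helper names and messages are this example's.
"""
from typing import List, Sequence, Tuple

BANNER_KEYWORDS = ("incoming", "legal", "login", "shell")
MAX_COMMAND_LINE = 254
MAX_BANNER = 2000


def parse_header(command_line: str, more_lines: Sequence[str] = ()) -> Tuple[str, str, str]:
    """Return (keyword, banner, leftover) for one header command.

    more_lines holds what the operator typed after the command line when the
    banner was not closed on it (the switch's 'Input banner text' prompt).
    leftover is any text typed after the end character on the closing line.
    """
    if len(command_line) > MAX_COMMAND_LINE:
        raise ValueError(f"command line exceeds {MAX_COMMAND_LINE} characters")
    line = command_line.strip()
    if line != "header" and not line.startswith("header "):
        raise ValueError("not a header command")
    line = line[len("header"):].lstrip()
    keyword = "login"                      # no keyword: this is the login banner
    for kw in BANNER_KEYWORDS:
        if line == kw or line.startswith(kw + " "):
            keyword, line = kw, line[len(kw):].lstrip()
            break
    if not line:
        raise ValueError("text argument missing (keyword-only form not modelled)")
    delim, body = line[0], line[1:]        # first character opens and closes
    chunks, leftover = [], None
    for text in (body, *more_lines):
        end = text.find(delim)
        if end == -1:
            chunks.append(text)            # banner continues on the next line
            continue
        chunks.append(text[:end])
        leftover = text[end + 1:]
        break
    if leftover is None:
        raise ValueError(f"banner never closed with {delim!r}")
    if chunks[0] == "":
        del chunks[0]   # assumption: the break after a lone opening char is not banner text
    banner = "\n".join(chunks)             # line breaks count toward the limit
    if len(banner) > MAX_BANNER:
        raise ValueError(f"banner exceeds {MAX_BANNER} characters")
    return keyword, banner, leftover


def lint_header(command_line: str, more_lines: Sequence[str] = ()) -> List[str]:
    """Findings for a header command as a reviewer of the config would raise them."""
    try:
        keyword, banner, leftover = parse_header(command_line, more_lines)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if leftover.strip():
        # A delimiter that also occurs in the banner body truncates the banner.
        findings.append(f"{keyword}: text after the end character is dropped: {leftover.strip()!r}")
    if not banner.strip():
        findings.append(f"{keyword}: banner is empty")
    return findings
```

A legal banner such as header legal .Unauthorized access prohibited. Activity is logged. is silently cut at the second full stop, which lint_header reports.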
• The banner configured with the header incoming command is displayed after a modem user logs in successfully, or after a modem user passes the authentication when authentication is required. In the latter case, the shell banner is not displayed.
• The banner configured with the header legal command is displayed when you enter the user interface. If password authentication is enabled or an authentication scheme is specified, this banner is displayed before login authentication.
• With password authentication enabled or an authentication scheme specified, the banner configured with the header login command is displayed after the banner configured with the header legal command and before login authentication.
• The banner configured with the header shell command is displayed after a non-modem user session is established.

Examples

# Configure banners.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] header login %Welcome to login!%
[Sysname] header shell %
Input banner text, and quit with the character '%'.
Welcome to shell!%
[Sysname] header incoming %
Input banner text, and quit with the character '%'.
Welcome to incoming!%
[Sysname] header legal %
Input banner text, and quit with the character '%'.
Welcome to legal!%

• The character % is the starting/ending character of the text in this example. Entering % after the displayed text quits the header command.
• As the starting and ending character, % is not a part of the banner.

# Test the configuration remotely using Telnet. (Only when login authentication is configured can the login banner be displayed.)

********************************************************************************
* Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved.    *
* Without the owner's prior written consent,                                   *
* no decompiling or reverse-engineering shall be allowed.                      *
********************************************************************************
Welcome to legal!
Press Y or ENTER to continue, N to exit.
Welcome to login!
Login authentication
Password:
Welcome to shell!
<Sysname>

history-command max-size

Syntax

history-command max-size value
undo history-command max-size

View

User interface view

Parameters

value: Size of the history command buffer, ranging from 0 to 256 (in terms of commands).

Description

Use the history-command max-size command to set the size of the history command buffer of the current user interface.

Use the undo history-command max-size command to revert to the default history command buffer size.

By default, the history command buffer of each user can contain up to ten commands.

Each user interface has an independent history command buffer, which saves validated history commands of the current user. The size of a history command buffer determines the number of history commands that can be saved. You can use the display history-command command, the up-arrow key, or the down-arrow key to display commands saved in the history command buffer. After you terminate the current session, the system automatically clears the commands saved in the corresponding history command buffer.

Related commands: display history-command.

Examples

# Set the size of the history command buffer of AUX 0 to 20 to enable it to store up to 20 commands.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] history-command max-size 20

idle-timeout

Syntax

idle-timeout minutes [ seconds ]
undo idle-timeout

View

User interface view

Parameters

minutes: Number of minutes. This argument ranges from 0 to 35,791.

seconds: Number of seconds. This argument ranges from 0 to 59.

Description

Use the idle-timeout command to set the timeout time. The connection to a user interface is terminated if no operation is performed in the user interface within the timeout time.

Use the undo idle-timeout command to revert to the default timeout time.
You can use the idle-timeout 0 command to disable the timeout function.

The default timeout time is 10 minutes.

Examples

# Set the timeout time of AUX 0 to 1 minute.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] idle-timeout 1

ip http shutdown

Syntax

ip http shutdown
undo ip http shutdown

View

System view

Parameters

None

Description

Use the ip http shutdown command to shut down the Web server.

Use the undo ip http shutdown command to launch the Web server.

By default, the Web server is launched.

To improve security and prevent attacks on unused sockets, TCP port 80 (the HTTP service port) is enabled or disabled according to the following configurations:

• TCP port 80 is enabled only after you use the undo ip http shutdown command to enable the Web server.
• If you use the ip http shutdown command to disable the Web server, TCP port 80 is disabled.

After the Web file is upgraded, you need to use the boot web-package command to specify a new Web file, or specify a new Web file from the boot menu after reboot, for the Web server to operate properly. Refer to the File System Management part in this manual for information about the boot web-package command.

Examples

# Shut down the Web server.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip http shutdown

# Launch the Web server.

[Sysname] undo ip http shutdown

lock

Syntax

lock

View

User view

Parameters

None

Description

Use the lock command to lock the current user interface to prevent unauthorized operations in the user interface. After you execute this command, the system prompts you for the password and then prompts you to confirm it. The user interface is locked only when the password entered is the same both times.

To unlock a user interface, press Enter and then enter the password as prompted.
Note that if you set a password containing more than 16 characters, the system matches only the first 16 characters of the password entered for unlocking the user interface. That is, the system unlocks the user interface as long as the first 16 characters of the password entered are correct.

By default, the current user interface is not locked.

Examples

# Lock the current user interface.

<Sysname> lock
Press Enter, enter a password, and then confirm it as prompted. (The password entered is not displayed.)
Password:
Again:
locked !

In this case, the user interface is locked. To operate the user interface again, you need to press Enter and provide the password as prompted.

Password:
<Sysname>

parity

Syntax

parity { even | none | odd }
undo parity

View

AUX user interface view

Parameters

even: Performs even checks.

none: Does not check.

odd: Performs odd checks.

Description

Use the parity command to set the check mode of the user interface.

Use the undo parity command to revert to the default check mode.

By default, no check is performed.

• This command takes effect on AUX user interfaces only.
• The check mode on the terminal and that on the device user interface must be the same for communication.

Examples

# Set the user interface to perform even checks.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] parity even

protocol inbound

Syntax

protocol inbound { all | ssh | telnet }

View

VTY user interface view

Parameters

all: Supports both the Telnet protocol and the SSH protocol.

ssh: Supports the SSH protocol.

telnet: Supports the Telnet protocol.

Description

Use the protocol inbound command to specify the protocols supported by the user interface.

Both the Telnet protocol and the SSH protocol are supported by default.

Related commands: user-interface vty.
To improve security and prevent attacks on unused sockets, TCP port 23 and TCP port 22 (the ports for the Telnet and SSH services respectively) are enabled or disabled according to the following configurations:

• If the authentication mode is none, TCP port 23 is enabled and TCP port 22 is disabled.
• If the authentication mode is password, and the corresponding password has been set, TCP port 23 is enabled and TCP port 22 is disabled.
• If the authentication mode is scheme, there are three scenarios: when the supported protocol is specified as telnet, TCP port 23 is enabled; when the supported protocol is specified as ssh, TCP port 22 is enabled; when the supported protocol is specified as all, both TCP port 23 and TCP port 22 are enabled.

To configure a user interface to support SSH, you need to set the authentication mode to scheme for users to log in successfully. If the authentication mode is set to password or none for login users, the protocol inbound ssh command will fail. Refer to the authentication-mode command for the related configuration.

Examples

# Configure VTY 0 to support only the SSH protocol.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] protocol inbound ssh

screen-length

Syntax

screen-length screen-length
undo screen-length

View

User interface view

Parameters

screen-length: Number of lines the screen can contain. This argument ranges from 0 to 512.

Description

Use the screen-length command to set the number of lines the terminal screen can contain.

Use the undo screen-length command to revert to the default number of lines.

By default, the terminal screen can contain up to 24 lines.

You can use the screen-length 0 command to disable the function of displaying information in pages.

Examples

# Set the number of lines the terminal screen can contain to 20.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] screen-length 20

send

Syntax

send { all | number | type number }

View

User view

Parameters

all: Sends messages to all user interfaces.

type: User interface type, which can be AUX (for the AUX user interface) or VTY (for VTY user interfaces).

number: User interface index. A user interface index can be relative or absolute.

• In the relative user interface index scheme, the type argument is required. In this case, the AUX user interface is numbered AUX0, and VTY user interfaces are numbered from VTY0 through VTY4.
• In the absolute user interface index scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 5.

Description

Use the send command to send messages to a user interface or to all user interfaces.

Examples

# Send "hello" to all user interfaces.

<Sysname> send all
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
hello^Z
Send message? [Y/N]y

The current user interface will receive the following information:

<Sysname>
***
***
***Message from vty1 to vty1
***
hello

service-type

Syntax

service-type { ftp | lan-access | { ssh | telnet | terminal }* [ level level ] }
undo service-type { ftp | lan-access | { ssh | telnet | terminal }* }

View

Local user view

Parameters

ftp: Specifies the users to be of FTP type.

lan-access: Specifies the users to be of LAN-access type, which normally means Ethernet users, such as 802.1x users.

ssh: Specifies the users to be of SSH type.

telnet: Specifies the users to be of Telnet type.

terminal: Makes terminal services available to users logging in through the console port.

level level: Specifies the user level for Telnet users, terminal users, or SSH users. The level argument ranges from 0 to 3 and defaults to 0.

Description

Use the service-type command to specify the login type and the corresponding available command level.

Use the undo service-type command to cancel the login type configuration.
Commands fall into four command levels: visit, monitor, system, and manage, which are described as follows:

• Visit level: Commands at this level are used to diagnose the network and change the language mode of the user interface, such as the ping, tracert, and language-mode commands. The telnet command is also at this level. Commands at this level cannot be saved in configuration files.
• Monitor level: Commands at this level are used to maintain the system, to debug service problems, and so on. The display and debugging commands are at monitor level. Commands at this level cannot be saved in configuration files.
• System level: Commands at this level are used to configure services. Commands concerning routing and network layers are at system level. You can utilize network services by using these commands.
• Manage level: Commands at this level are for the operation of the entire system and the system supporting modules. Services are supported by these commands. Commands concerning the file system, file transfer protocol (FTP), trivial file transfer protocol (TFTP), downloading using XModem, user management, and level setting are at administration level.

Refer to CLI for a detailed introduction to the command levels.

Examples

# Configure that commands at level 0 are available to the users logging in with the user name zbr.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user zbr
[Sysname-luser-zbr] service-type telnet level 0

# To verify the above configuration, you can quit the system, log in again with the user name zbr, and then list the available commands, as shown in the following.

<Sysname> ?
User view commands:
  cluster     Run cluster command
  display     Display current system information
  nslookup    Query Internet name servers
  ping        Ping function
  quit        Exit from current command view
  super       Set the current user priority level
  telnet      Establish one TELNET connection
  tracert     Trace route function
  undo        Cancel current setting

set authentication password

Syntax

set authentication password { cipher | simple } password
undo set authentication password

View

User interface view

Parameters

cipher: Specifies to save the local password in cipher text.

simple: Specifies to save the local password in plain text.

password: Password to be set. The password must be in plain text if you specify the simple keyword in the set authentication password command. If you specify the cipher keyword, the password can be in either cipher text or plain text, as described in the following.

• When you enter the password in plain text containing no more than 16 characters (such as 123), the system converts the password to the corresponding 24-character encrypted password.
• When you enter the password in cipher text containing 24 characters, make sure you are aware of the corresponding password in plain text. For example, the plain text "123456" corresponds to the cipher text "OUM!K%F<+$[Q=^Q`MAF4<1!!".

Description

Use the set authentication password command to set the local password.

Use the undo set authentication password command to remove the local password.

Note that only plain text passwords are expected when users are authenticated.

By default, password authentication is performed when a user logs in through a modem or Telnet. If no password is set, the user cannot establish a connection with the switch.

Examples

# Set the local password of VTY 0 to "123".

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] set authentication password simple 123

shell

Syntax

shell
undo shell

View

User interface view

Parameters

None

Description

Use the shell command to enable terminal services.

Use the undo shell command to disable terminal services.

By default, terminal services are disabled in all user interfaces.

Note the following when using the undo shell command:

• Terminal services cannot be disabled in AUX user interfaces.
• This command is unavailable in the current user interface.
• The execution of this command requires user confirmation.

Examples

# Disable terminal services in VTY 0 through VTY 4 (assuming that you log in through an AUX user interface).

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] undo shell
% Disable ui-vty0-4 , are you sure ? [Y/N]y

speed

Syntax

speed speed-value
undo speed

View

AUX user interface view

Parameters

speed-value: Transmission speed (in bps). This argument can be 300, 600, 1200, 2400, 4800, 9600, 19,200, 38,400, 57,600, or 115,200.

Description

Use the speed command to set the transmission speed of the user interface.

Use the undo speed command to revert to the default transmission speed.

By default, the transmission speed is 19,200 bps.

• This command takes effect on AUX user interfaces only.
• The transmission speed setting on the terminal and that on the device user interface must be the same for communication.

Examples

# Set the transmission speed of the user interface AUX 0 to 115,200 bps.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] speed 115200

stopbits

Syntax

stopbits { 1 | 1.5 | 2 }
undo stopbits

View

AUX user interface view

Parameters

1: Sets the stop bits to 1.

1.5: Sets the stop bits to 1.5.

2: Sets the stop bits to 2.

Description

Use the stopbits command to set the stop bits of the user interface.
Use the undo stopbits command to revert to the default stop bits.

Execute these two commands in AUX user interface view only.

By default, the stop bits value is 1.

• The Switch 4210 does not support communication with a terminal emulation program with stop bits set to 1.5.
• Changing the stop bits value of the switch to a value different from that of the terminal emulation utility does not affect the communication between them.

Examples

# Set the stop bits to 2.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] stopbits 2

telnet

Syntax

telnet { hostname | ip-address } [ service-port ] [ source-interface interface-type interface-number | source-ip ip-address ]

View

User view

Parameters

hostname: Host name of the remote device, a string of 1 to 20 characters.

ip-address: IPv4 address of the remote device.

service-port: Number of the TCP port through which the remote device provides the Telnet service. This argument ranges from 0 to 65535 and defaults to 23.

source-interface interface-type interface-number: Specifies the type and number of the source interface.

source-ip ip-address: Specifies the source IP address.

Description

Use the telnet command to Telnet from the current switch to another device in order to manage that device remotely.

You can terminate a Telnet connection by pressing Ctrl+K or by executing the quit command.

Examples

# Telnet from Ethernet switch Switch A to Switch B, whose IP address is 129.102.0.1.

<SwitchA> telnet 129.102.0.1
Trying 129.102.0.1 ...
Press CTRL+K to abort
Connected to 129.102.0.1 ...
********************************************************************************
* Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved.    *
* Without the owner's prior written consent,                                   *
* no decompiling or reverse-engineering shall be allowed.                      *
********************************************************************************
<SwitchB>

telnet ipv6

Syntax

telnet ipv6 remote-system [ -i interface-type interface-number ] [ port-number ]

View

User view

Parameters

remote-system: IPv6 address or host name of the remote system. An IPv6 address can be up to 46 characters; a host name is a string of 1 to 20 characters.

-i interface-type interface-number: Specifies the outbound interface by interface type and interface number. The outbound interface is required when the destination address is a link-local address.

port-number: TCP port number assigned to the Telnet service on the remote system, in the range 0 to 65535; it defaults to 23.

Description

Use the telnet ipv6 command to Telnet from the current device to another device to perform remote management operations.

You can terminate a Telnet session by pressing Ctrl+K.

Examples

# Telnet to the device with IPv6 address 3001::1.

<Sysname> telnet ipv6 3001::1
Trying 3001::1 ...
Press CTRL+K to abort
Connected to 3001::1 ...
********************************************************************************
* Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved.    *
* Without the owner's prior written consent,                                   *
* no decompiling or reverse-engineering shall be allowed.                      *
********************************************************************************
<Sysname>

user-interface

Syntax

user-interface [ type ] first-number [ last-number ]

View

System view

Parameters

type: User interface type, which can be AUX (for the AUX user interface) or VTY (for VTY user interfaces).

first-number: User interface index identifying the first user interface to be configured. A user interface index can be relative or absolute.

• In the relative user interface index scheme, the type argument is required. In this case, the AUX user interface is numbered AUX0, and VTY user interfaces are numbered from VTY0 through VTY4.
• In the absolute user interface index scheme, the type argument is not required.
In this case, user interfaces are numbered from 0 to 5.

last-number: User interface number identifying the last user interface to be configured. The value of this argument must be larger than that of the first-number argument.

Description

Use the user-interface command to enter one or more user interface views to perform configuration.

Examples

# Enter the VTY0 user interface view.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0]

user privilege level

Syntax

user privilege level level
undo user privilege level

View

User interface view

Parameters

level: Command level, ranging from 0 to 3.

Description

Use the user privilege level command to configure the command level available to the users logging in to the user interface.

Use the undo user privilege level command to revert to the default command level.

By default, the commands at level 3 are available to the users logging in to the AUX user interface, and the commands at level 0 are available to the users logging in to VTY user interfaces.

Commands fall into four command levels: visit, monitor, system, and manage, which are described as follows:

• Visit level: Commands at this level are used to diagnose the network, such as the ping, tracert, and telnet commands. Commands at this level cannot be saved in configuration files.
• Monitor level: Commands at this level are used to maintain the system, to debug service problems, and so on. The display and debugging commands are at monitor level. Commands at this level cannot be saved in configuration files.
• System level: Commands at this level are used to configure services. Commands concerning routing and network layers are at system level. You can utilize network services by using these commands.
• Manage level: Commands at this level are for the operation of the entire system and the system supporting modules. Services are supported by these commands.
Commands concerning the file system, file transfer protocol (FTP), trivial file transfer protocol (TFTP), downloading using XModem, user management, and level setting are at administration level.

Refer to CLI Configuration for information about command levels.

Examples

# Configure that commands at level 1 are available to the users logging in to VTY 0.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] user privilege level 1

# You can verify the above configuration by Telnetting to VTY 0 and displaying the available commands, as listed in the following.

<Sysname> ?
User view commands:
  cluster     Run cluster command
  debugging   Enable system debugging functions
  display     Display current system information
  mtracert    Trace route to multicast source
  nslookup    Query Internet name servers
  ping        Ping function
  quit        Exit from current command view
  reset       Reset operation
  send        Send information to other user terminal interfaces
  super       Set the current user priority level
  telnet      Establish one TELNET connection
  terminal    Set the terminal line characteristics
  tracert     Trace route function
  undo        Cancel current setting

CLI Configuration Commands

command-privilege level

Syntax

command-privilege level level view view command
undo command-privilege view view command

View

System view

Parameters

level level: Command level to be set, in the range of 0 to 3.

view view: CLI view. It can be any CLI view that the Ethernet switch supports.
The 3Com Switch 4210 supports only the CLI views listed in Table 1-5:

Table 1-5 Available CLI views for the view argument

CLI view          Description
acl-adv           Advanced ACL view
acl-basic         Basic ACL view
aux               Aux 1/0/0 port view, that is, console port view
cluster           Cluster view
ethernet          100M Ethernet port view
ftp-client        FTP client view
gigabitethernet   GigabitEthernet port view
isp               ISP domain view
loopback          Loopback interface view
luser             Local user view
manage-vlan       Management VLAN view
mst-region        MST region view
null              NULL interface view
peer-key-code     Public key editing view
peer-public-key   Public key view
poe-profile       PoE profile view, which is supported by only the Switch 4210 PWR
radius-template   RADIUS scheme view
remote-ping       Remote-ping test group view
shell             User view
system            System view
user-interface    User interface view
vlan              VLAN view
vlan-interface    VLAN interface view

command: Command for which the level is to be set.

Description

Use the command-privilege level command to set the level of a specified command in a specified view.

Use the undo command-privilege view command to restore the default.

Commands fall into four levels: visit (level 0), monitor (level 1), system (level 2), and manage (level 3). The administrator can change the level of a command as required. For example, the administrator can change a command from a higher level to a lower level so that lower-level users can use the command.

The default levels of commands are described in the following table:

Table 1-6 Default levels of commands

Level   Name            Command
0       Visit level     Commands used to diagnose the network, such as the ping, tracert, and telnet commands.
1       Monitor level   Commands used to maintain the system and diagnose service faults, such as the debugging, terminal, and reset commands.
2       System level    All configuration commands except for those at the manage level.
3       Manage level    Commands associated with the basic operation modules and support modules of the system, such as file system, FTP/TFTP/XMODEM downloading, user management, and level setting commands.

Note that:

• You are recommended to use the default command levels, or to modify command levels only under the guidance of professional staff; otherwise, the change of command level may bring inconvenience to your maintenance and operation, or even potential security problems.
• When you change the level of a command with multiple keywords or arguments, you should input the keywords or arguments one by one in the order they appear in the command syntax. Otherwise, your configuration will not take effect. The values of the arguments should be within the specified ranges.
• When you configure the undo command-privilege view command, the value of the command argument can be an abbreviated form of the specified command; that is, you only need to enter the keywords at the beginning of the command. For example, after the undo command-privilege view system ftp command is executed, all commands starting with the keyword ftp (such as ftp server acl, ftp server enable, and ftp timeout) are restored to their default levels. If you have modified the command levels of the ftp server enable and ftp timeout commands and you want to restore only the ftp server enable command to its default level, you should use the undo command-privilege view system ftp server command.
• If you modify the command level of a command in a specified view from the default command level to a lower level, remember to modify the command levels of the quit command and of the corresponding command that is used to enter this view.
For example, the default command level of the interface and system-view commands is 2 (system level); if you want to make the interface command available to users with the user privilege level of 1, you need to execute the following three commands: command-privilege level 1 view shell system-view, command-privilege level 1 view system interface ethernet 1/0/1, and command-privilege level 1 view system quit, so that login users with the user privilege level of 1 can enter system view, execute the interface ethernet command, and then return to user view.

Examples

# Set the level of the tftp get command in user view (shell) to 0, configuring the keywords and arguments one by one in the order they appear in the tftp get command syntax.

[Sysname] command-privilege level 0 view shell tftp
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm

# Restore the default level of the tftp get command. To restore the default levels of the commands starting with the tftp keyword, you only need to specify the tftp keyword.

[Sysname] undo command-privilege view shell tftp

display history-command

Syntax

display history-command

View

Any view

Parameters

None

Description

Use the display history-command command to display the history commands of the current user, so that the user can check the configurations performed previously.

History commands are those commands that were successfully executed recently and saved in the history command buffer. You can set the size of the buffer with the history-command max-size command. When the history command buffer is full for that user, the earlier commands are overwritten by the new ones.

By default, the CLI can save 10 history commands for each user.

Related commands: history-command max-size in the login module.

Examples

# Display the history commands of the current user.
<Sysname> display history-command
  system-view
  quit
  display history-command

super

Syntax

super [ level ]

View

User view

Parameters

level: User level, in the range of 0 to 3.

Description

Use the super command to switch from the current user level to a specified level. Executing this command without the level argument switches the current user level to level 3 by default.

Note that:

• Users logged in to the switch fall into four user levels, which correspond to the four command levels respectively. Users at a specific level can only use the commands at the same level or lower levels.
• You can switch between user levels after logging in to a switch successfully. High-to-low user level switching is unlimited. However, low-to-high user level switching requires the corresponding authentication. The authentication mode can be set through the super authentication-mode command.
• For security purposes, the password entered is not displayed when you switch to another user level. You remain at the original user level if you have tried three times but failed to enter the correct authentication information.

Related commands: super authentication-mode, super password.

Examples

# Switch from the current user level to user level 3.

<Sysname> super 3
Password:
User privilege level is 3, and only those commands can be used whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

super password

Syntax

super password [ level level ] { cipher | simple } password
undo super password [ level level ]

View

System view

Parameters

level level: User level, in the range of 1 to 3. It is 3 by default.

cipher: Stores the password in the configuration file in cipher text.

simple: Stores the password in the configuration file in plain text.

password: Password to be set. If the simple keyword is used, you must provide a plain-text password, that is, a string of 1 to 16 characters.
If the cipher keyword is used, you can provide a password in either of the two ways:

• Input a plain-text password, that is, a string of 1 to 16 characters, which is automatically converted into a 24-character cipher-text password.
• Directly input a cipher-text password, that is, a string of 1 to 24 characters, which must correspond to a plain-text password. For example, the cipher-text password "_(TT8F]Y\5SQ=^Q`MAF4<1!!" corresponds to the plain-text password 1234567.

Description

Use the super password command to set a switching password for a specified user level, which is used when users switch from a lower user level to the specified user level.

Use the undo super password command to restore the default configuration.

By default, no such password is set.

Note that, no matter whether a plain-text or cipher-text password is set, users must enter the plain-text password during authentication.

Examples

# Set the switching password for level 3 to 0123456789 in plain text.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] super password level 3 simple 0123456789

2 Commands for User Control

Commands for Controlling Logging-in Users

acl

Syntax

acl acl-number { inbound | outbound }
undo acl acl-number { inbound | outbound }

View

User interface view

Parameters

acl-number: ACL number. This argument can identify different types of ACLs, as listed below.

• 2000 to 2999, for basic ACLs
• 3000 to 3999, for advanced ACLs
• 4000 to 4999, for Layer 2 ACLs

inbound: Applies the ACL to the users Telnetting to the local switch from the current user interface.

outbound: Applies the ACL to the users Telnetting to other devices from the current user interface. This keyword is unavailable for Layer 2 ACLs.

Description

Use the acl command to apply an ACL to Telnet users.

Use the undo acl command to cancel the configuration.

By default, no ACL is applied.
Examples
# Apply ACL 2000 (a basic ACL) for the users Telnetting to the current switch (assuming that ACL 2000 already exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound

free web-users

Syntax
free web-users { all | user-id user-id | user-name user-name }

View
User view

Parameters
all: Specifies all Web users.
user-id: Web user ID, an eight-digit hexadecimal number.
user-name: User name of the Web user. This argument can contain 1 to 80 characters.

Description
Use the free web-users command to disconnect a specified Web user or all Web users by force.

Examples
# Disconnect all Web users by force.
<Sysname> free web-users all

ip http acl

Syntax
ip http acl acl-number
undo ip http acl

View
System view

Parameters
acl-number: ACL number ranging from 2000 to 2999.

Description
Use the ip http acl command to apply an ACL to filter Web users.
Use the undo ip http acl command to disable the switch from filtering Web users using the ACL.
By default, the switch does not use the ACL to filter Web users.

Examples
# Apply ACL 2000 to filter Web users (assuming that ACL 2000 already exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip http acl 2000

snmp-agent community

Syntax
snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
undo snmp-agent community community-name

View
System view

Parameters
read: Specifies that the community has read-only permission in the specified view.
write: Specifies that the community has read/write permission in the specified view.
community-name: Community name, a string of 1 to 32 characters.
acl acl-number: Specifies an ACL number for the community. The acl-number argument ranges from 2000 to 2999.
mib-view view-name: Sets the name of the MIB view accessible to the community. The view-name argument is a string of 1 to 32 characters.
Description
Use the snmp-agent community command to set a community name and to enable users to access the switch through SNMP. You can also optionally use this command to apply an ACL to perform access control for network management users.
Use the undo snmp-agent community command to cancel community-related configuration for the specified community.
By default, SNMPv1 and SNMPv2c access a switch by community names.

Examples
# Set the community name to h123, enable users to access the switch in the name of the community (with read-only permission), and apply ACL 2000 for network management users (assuming that ACL 2000 already exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] snmp-agent community read h123 acl 2000

snmp-agent group

Syntax
In SNMPv1 and SNMPv2c:
snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
undo snmp-agent group { v1 | v2c } group-name
In SNMPv3:
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
undo snmp-agent group v3 group-name [ authentication | privacy ]

View
System view

Parameters
v1: SNMPv1.
v2c: SNMPv2c.
v3: SNMPv3.
group-name: Group name. This argument can be of 1 to 32 characters.
authentication: Specifies to authenticate SNMP data without encrypting the data.
privacy: Authenticates and encrypts packets.
read-view: Name of the view to be set to read-only. This argument can be of 1 to 32 characters.
write-view: Name of the view to be set to readable and writable. This argument can be of 1 to 32 characters.
notify-view: Name of the view to be set to a notifying view. This argument can be of 1 to 32 characters.
acl acl-number: Specifies an ACL. The acl-number argument ranges from 2000 to 2999.

Description
Use the snmp-agent group command to create an SNMP group.
You can also optionally use this command to apply an ACL to filter network management users.
Use the undo snmp-agent group command to remove a specified SNMP group.
By default, the SNMP group configured through the snmp-agent group v3 command is not authenticated or encrypted.

Examples
# Create an SNMP group named h123 and apply ACL 2001 for network management users (assuming that basic ACL 2001 already exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] snmp-agent group v1 h123 acl 2001

snmp-agent usm-user

Syntax
For SNMPv1 and SNMPv2c:
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
undo snmp-agent usm-user { v1 | v2c } user-name group-name
For SNMPv3:
snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | des56 } priv-password ] ] [ acl acl-number ]
undo snmp-agent usm-user v3 user-name group-name { engineid engineid-string | local }

View
System view

Parameters
v1: SNMPv1.
v2c: SNMPv2c.
v3: SNMPv3.
user-name: User name, a string of 1 to 32 characters.
group-name: Name of the group to which the user corresponds. This argument is a string of 1 to 32 characters.
cipher: Specifies that the authentication or encryption password is given in ciphertext.
authentication-mode: Requires authentication. If this keyword is not provided, neither authentication nor encryption is performed.
md5: Adopts the HMAC-MD5 algorithm.
sha: Adopts the HMAC-SHA algorithm.
auth-password: Authentication password, a string of 1 to 64 characters in plain text, a 32-bit hexadecimal number in cipher text if the MD5 algorithm is used, and a 40-bit hexadecimal number in cipher text if the SHA algorithm is used.
privacy-mode: Encrypts packets.
des56: Specifies the data encryption standard (DES) for encrypting.
aes128: Specifies the advanced encryption standard (AES) for encrypting.
priv-password: Encryption password, a string of 1 to 64 characters in plain text, a 32-bit hexadecimal number in cipher text if the MD5 algorithm is used, and a 40-bit hexadecimal number in cipher text if the SHA algorithm is used.
acl-number: Basic ACL number, ranging from 2000 to 2999.
local: Specifies local entity users.
engineid-string: Engine ID associated with the user, a string of 10 to 64 hexadecimal digits containing an even number of digits.

Description
Use the snmp-agent usm-user command to add a user to an SNMP group. You can also optionally use this command to apply an ACL for network management users.
Use the undo snmp-agent usm-user command to remove an SNMP user from the corresponding SNMP group and to remove the ACL configuration on the user.

Examples
# Add a user named aaa to an SNMP group named group1, specify that authentication is required, specify the authentication protocol as HMAC-MD5-96 and the authentication password as 123, and apply ACL 2002 to filter network management users (assuming that ACL 2002 already exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] snmp-agent usm-user v3 aaa group1 authentication-mode md5 123 acl 2002

Table of Contents
1 Configuration File Management Commands
  File Attribute Configuration Commands
    display current-configuration
    display current-configuration vlan
    display saved-configuration
    display startup
    display this
    reset saved-configuration
    save
    startup saved-configuration

1 Configuration File Management Commands

The 3Com Switch 4210 allows you to input a file path and file name in one of the following ways:
• In universal resource locator (URL) format, starting with “unit1>flash:/” or “flash:/”. This method is used to specify a file in the current Flash memory. For example, the URL of a file named text.txt in the root directory of the switch is unit1>flash:/text.txt or flash:/text.txt.
• Entering the path name or file name directly. This method can be used to specify a path or a file in the current work directory. For example, to access the file text.txt in the current directory, you can directly input the file name text.txt as the file URL.

File Attribute Configuration Commands

display current-configuration

Syntax
display current-configuration [ configuration [ configuration-type ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | exclude | include } regular-expression ]

View
Any view

Parameters
configuration configuration-type: Specifies to display non-interface configuration. If configuration-type is not specified, all the non-interface configurations are displayed; if configuration-type is specified, the specified type of configuration is displayed. The configuration type you can specify is based on your current configuration. For example:
• acl-adv: Indicates the advanced Access Control List (ACL) configuration.
• acl-basic: Indicates the basic ACL configuration.
• remote-ping: Indicates the remote-ping configuration.
• isp: Indicates the internet service provider configuration.
• radius-template: Indicates the radius template configuration.
• system: Indicates the system configuration.
• user-interface: Indicates the user interface configuration.
interface: Displays port/interface configuration.
interface-type: Port/interface type, which can be one of the following: Aux, Ethernet, GigabitEthernet, Loopback, NULL and VLAN-interface.
interface-number: Port/interface number.
by-linenum: Displays configuration information with line numbers.
|: Uses a regular expression to filter the configuration of the switch to be displayed. By specifying a regular expression, you can locate and query the needed information quickly.
regular-expression: A regular expression, case sensitive. It supports the following match rules:
• begin: Displays the line that matches the regular expression and all the subsequent lines.
• exclude: Displays the lines that do not match the regular expression.
• include: Displays only the lines that match the regular expression.
A regular expression also supports some special characters. For the match rules of the special characters, refer to Table 1-1 for details.

Table 1-1 Special characters in regular expression
^: Starting sign; the string to the right of this character appears only at the beginning of a line. For example, regular expression ^user matches lines beginning with user, not Auser.
$: Ending sign; the string to the left of this character appears only at the end of a line. For example, regular expression user$ matches lines ending with user, not userA.
.: Full stop, a wildcard used in place of any character, including blank. Remarks: none.
*: Asterisk; the character to the left of the asterisk should match zero or more consecutive times. For example, zo* can match z and zoo, and so on, but not zo.
+: Plus sign; the character to the left of the plus sign should match one or more consecutive times. For example, zo+ can match zo and zoo, and so on, but not z.
-: Hyphen. It connects two values (the smaller one before it and the bigger one after it) to indicate a range together with [ ]. For example, 1-9 means numbers from 1 to 9 (inclusive); a-h means from a to h (inclusive).
[]: Square brackets. Specifies a range of characters, and matches any character in the specified range. For example, [1-36A] can match a string containing any character among 1, 2, 3, 6, and A.
(): Parentheses. Specifies a character group. It is usually used with + or *. For example, (123A) means a character group 123A; 408(12)+ can match 40812 or 408121212, but it cannot match 408. That is, 12 can appear continuously and it must appear at least once.

Description
Use the display current-configuration command to display the current configuration of a switch.
After you finish a set of configurations, you can execute the display current-configuration command to display the parameters that take effect currently.
Note that:
• Parameters that are the same as the default are not displayed.
• A configured parameter whose corresponding function does not take effect is not displayed.

Related commands: save, reset saved-configuration, display saved-configuration.

Examples
# Display configuration information about all the interfaces on the current switch.
<Sysname> display current-configuration interface
#
interface Vlan-interface1
 ip address 192.168.0.241 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
 port link-aggregation group 1
#
interface Ethernet1/0/2
#
interface Ethernet1/0/3
#
interface Ethernet1/0/4
#
interface Ethernet1/0/5
#
interface Ethernet1/0/6
#
interface Ethernet1/0/7
#
interface Ethernet1/0/8
#
interface Ethernet1/0/9
#
interface Ethernet1/0/10
#
interface Ethernet1/0/11
#
interface Ethernet1/0/12
#
interface Ethernet1/0/13
#
interface Ethernet1/0/14
#
interface Ethernet1/0/15
#
interface Ethernet1/0/16
#
interface Ethernet1/0/17
#
interface Ethernet1/0/18
#
interface Ethernet1/0/19
#
interface Ethernet1/0/20
#
interface Ethernet1/0/21
#
interface Ethernet1/0/22
#
interface Ethernet1/0/23
#
interface Ethernet1/0/24
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
 shutdown
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
 shutdown
#
interface NULL0
#
interface LoopBack0
#
return

# Display the lines that include the strings matching 10* in the configuration information. (The character * means that the character 0 in the string before it can appear multiple times or not at all.)
<Sysname> display current-configuration | include 10*
vlan 1
interface Vlan-interface1
 ip address 192.168.0.241 255.255.255.0
interface Aux1/0/0
interface Ethernet1/0/1
 port link-aggregation group 1
interface Ethernet1/0/2
interface Ethernet1/0/3
interface Ethernet1/0/4
interface Ethernet1/0/5
interface Ethernet1/0/6
interface Ethernet1/0/7
interface Ethernet1/0/8
interface Ethernet1/0/9
interface Ethernet1/0/10
interface Ethernet1/0/11
interface Ethernet1/0/12
interface Ethernet1/0/13
interface Ethernet1/0/14
interface Ethernet1/0/15
interface Ethernet1/0/16
interface Ethernet1/0/17
interface Ethernet1/0/18
interface Ethernet1/0/19
interface Ethernet1/0/20
interface Ethernet1/0/21
interface Ethernet1/0/22
interface Ethernet1/0/23
interface Ethernet1/0/24
interface GigabitEthernet1/0/25
interface GigabitEthernet1/0/26
interface GigabitEthernet1/0/27
interface GigabitEthernet1/0/28

# Display the configuration information starting with the string user.
<Sysname> display current-configuration | include ^user
user-interface aux 0
user-interface vty 0 4

display current-configuration vlan

Syntax
display current-configuration vlan [ vlan-id ] [ by-linenum ]

View
Any view

Parameters
vlan vlan-id: VLAN ID, in the range 1 to 4094.
by-linenum: Displays configuration information with line numbers.

Description
Use the display current-configuration vlan command to display the current VLAN configuration of the switch.
Without the vlan-id argument specified, this command displays configuration information about all the VLANs that exist on the switch. If there are contiguous VLANs without any configuration, the system combines these VLANs together in the format vlan-id to vlan-id when displaying the VLAN configuration information.

Related commands: save, reset saved-configuration, display saved-configuration.

Examples
# Display the VLAN configuration information of the current switch.
<Sysname> display current-configuration vlan
#
vlan 1
#
vlan 5 to 69
#
vlan 70
 description Vlan 70
#
vlan 71 to 100
#
return

display saved-configuration

Syntax
display saved-configuration [ unit unit-id ] [ by-linenum ]

View
Any view

Parameters
unit unit-id: Specifies the unit ID of a switch. It can only be 1.
by-linenum: Displays configuration information with line numbers.

Description
Use the display saved-configuration command to display the initial configuration file of a switch.
Note that:
• If the switch starts up without a configuration file, the system will display that no configuration file exists upon execution of the command.
• If you have saved the configuration after the switch starts up, the command displays the last saved configuration.

Related commands: save, reset saved-configuration, display current-configuration.

Examples
# Display the initial configuration file of the current switch.
<Sysname> display saved-configuration
#
 sysname Sysname
#
 radius scheme system
#
 domain system
#
 vlan 1
#
interface Vlan-interface1
 ip address 192.168.0.241 255.255.255.0
#LOCCFG. MUST NOT DELETE
#
interface Aux1/0/0
#
interface Ethernet1/0/1
#
interface Ethernet1/0/2
#
interface Ethernet1/0/3
#
interface Ethernet1/0/4
#
interface Ethernet1/0/5
#
interface Ethernet1/0/6
#
interface Ethernet1/0/7
#
interface Ethernet1/0/8
#
interface Ethernet1/0/9
#
interface Ethernet1/0/10
#
interface Ethernet1/0/11
#
interface Ethernet1/0/12
#
interface Ethernet1/0/13
#
interface Ethernet1/0/14
#
interface Ethernet1/0/15
#
interface Ethernet1/0/16
#
interface Ethernet1/0/17
#
interface Ethernet1/0/18
#
interface Ethernet1/0/19
#
interface Ethernet1/0/20
#
interface Ethernet1/0/21
#
interface Ethernet1/0/22
#
interface Ethernet1/0/23
#
interface Ethernet1/0/24
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
 shutdown
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
 shutdown
#TOPOLOGYCFG. MUST NOT DELETE
#GLBCFG. MUST NOT DELETE
#
interface NULL0
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return

The configuration information output above is, in turn, the system configuration, logical interface configuration, physical port configuration, and user interface configuration.

display startup

Syntax
display startup [ unit unit-id ]

View
Any view

Parameters
unit unit-id: Specifies the unit ID of a switch. It can only be 1.

Description
Use the display startup command to display the startup configuration of a switch.

Related commands: startup saved-configuration.

Examples
# Display the startup configuration file information of the current switch.
<Sysname> display startup
UNIT1:
Current Startup saved-configuration file: flash:/config.cfg
Next main startup saved-configuration file: flash:/config.cfg
Next backup startup saved-configuration file: flash:/backup.cfg
Bootrom-access enable state: enabled

Table 1-2 Description on the fields of the display startup command
Current Startup saved-configuration file: The configuration file used for the current startup.
Next main startup saved-configuration file: The main configuration file used for the next startup.
Next backup startup saved-configuration file: The backup configuration file used for the next startup.
Bootrom-access enable state: Whether you can use the user-defined password to access the Boot ROM.
  • enabled indicates you can access the Boot ROM with the user-defined password.
  • disabled indicates you cannot access the Boot ROM with the user-defined password.
  For related information, refer to the startup bootrom-access enable command in the File System Management part of the manual.

display this

Syntax
display this [ by-linenum ]

View
Any view

Parameters
by-linenum: Displays configuration information with line numbers.

Description
Use the display this command to display the configuration performed in the current view.
To verify the configuration performed in a view, you can use this command to display the parameters that are valid in the current view.
Note that:
• Effective parameters that are the same as the default are not displayed.
• A configured parameter whose corresponding function does not take effect is not displayed.
• Execution of this command in any user interface view or VLAN view displays the valid configuration parameters in all user interfaces or VLANs.

Related commands: save, reset saved-configuration, display saved-configuration, display current-configuration.

Examples
# Display the configuration parameters that take effect in all user interface views.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] display this
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return

reset saved-configuration

Syntax
reset saved-configuration [ backup | main ]

View
User view

Parameters
backup: Erases the backup configuration file.
main: Erases the main configuration file.

Description
Use the reset saved-configuration command to erase the configuration file saved in the Flash of a switch. The following two situations exist:
• While the reset saved-configuration [ main ] command erases the configuration file with the main attribute, it only erases the main attribute of a configuration file having both the main and backup attributes.
• While the reset saved-configuration backup command erases the configuration file with the backup attribute, it only erases the backup attribute of a configuration file having both the main and backup attributes.
You may need to erase the configuration file for one of these reasons:
• After you upgrade software, the old configuration file does not match the new software.
• The startup configuration file is corrupted or not the one you need.
Note that:
• This command will permanently delete the configuration file from the switch.
• An error occurs when you execute this command if the configuration file to be deleted does not exist.

Related commands: save.

Examples
# Erase the main configuration file to be used in the next startup.
<Sysname> reset saved-configuration main
The saved configuration will be erased. Are you sure?[Y/N]y
Configuration in flash memory is being cleared. Please wait ...
....
Unit1 reset saved-configuration successfully.

save

Syntax
save [ cfgfile | [ safely ] [ backup | main ] ]

View
Any view

Parameters
cfgfile: Path name or file name of a configuration file in the Flash, a string of 5 to 56 characters.
safely: Saves the current configuration in the safe mode.
backup: Saves the configuration to the backup configuration file.
main: Saves the configuration to the main configuration file.

Description
Use the save command to save the current configuration to a configuration file in the Flash.
When you use this command to save the configuration file:
• If the main and backup keywords are not specified, the current configuration will be saved to the main configuration file.
• If the cfgfile argument is specified, but the file specified by it does not exist, the system will create the file and then save the current configuration to it. The file attribute is neither main nor backup.
• If the cfgfile argument is specified and the file specified by it exists, the system will save the current configuration to the specified file. The file attribute is the original attribute of the file.
• If the cfgfile argument is not specified, the system will save the current configuration to the configuration file used for this startup. If the switch starts up without loading the configuration file, the system will save the current configuration with the default name (config.cfg) in the root directory.
The system supports two modes for saving the current configuration file:
• Fast saving mode. This is the mode when you use the save command without the safely keyword.
  This mode saves the file quicker but is likely to lose the original configuration file if the switch reboots or the power fails during the process.
• Safe mode. This is the mode when you use the save command with the safely keyword. This mode saves the file slower but can retain the original configuration file in the Flash even if the switch reboots or the power fails during the process.

The 3Com Switch 4210 does not support the safe mode. When you are saving a configuration file using the save safely command, if the device reboots or the power fails during the saving process, the configuration file will be lost.
The extension name of the configuration file must be .cfg.

Examples
# Save the current configuration to 123.cfg as the main configuration file for the next startup.
<Sysname> save main
The configuration will be written to the device.
Are you sure?[Y/N]y
Please input the file name(*.cfg)(To leave the existing filename unchanged press the enter key):123.cfg
Now saving current configuration to the device.
Saving configuration. Please wait...
............
Unit1 save configuration flash:/123.cfg successfully

startup saved-configuration

Syntax
startup saved-configuration cfgfile [ backup | main ]
undo startup saved-configuration [ unit unit-id ]

View
User view

Parameters
cfgfile: Path name or file name of a configuration file in the Flash, a string of 5 to 56 characters.
backup: Specifies the configuration file to be the backup configuration file.
main: Specifies the configuration file to be the main configuration file.
unit unit-id: Specifies a switch by its unit ID. It can only be 1.

Description
Use the startup saved-configuration command to specify a configuration file to be the main configuration file or the backup configuration file to be used for the next startup of the switch.
Use the undo startup saved-configuration command to specify that a switch uses a null configuration when it restarts.
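A defender who reviews a configuration file offline, for instance one captured with display saved-configuration before it is selected with startup saved-configuration, needs two things this chapter describes: the begin, exclude and include line filters of the display commands, and a check for the weak settings that the super password, acl, snmp-agent community and snmp-agent usm-user commands can leave behind (a switching password stored with simple, a VTY user interface with authentication-mode none or without an inbound acl, SNMP communities and SNMPv3 users with no acl, SNMPv3 users that do not use privacy-mode). The Python below is an added example and is not part of the 3Com manual. The configuration it scans is constructed to resemble this chapter's display saved-configuration output, and it assumes that Python's re module behaves like the switch's own regular-expression engine for the simple constructs of Table 1-1.

```python
import re
from typing import Dict, List

# Constructed sample of a saved configuration, modelled on this chapter's
# display saved-configuration output; it was not captured from a real switch.
SAMPLE_CONFIG = """\
#
 sysname Sysname
#
 super password level 3 simple 0123456789
#
 snmp-agent community read h123 acl 2000
 snmp-agent community write private
 snmp-agent usm-user v3 aaa group1 authentication-mode md5 123 acl 2002
 snmp-agent usm-user v3 bbb group1
#
interface Vlan-interface1
 ip address 192.168.0.241 255.255.255.0
#
interface Ethernet1/0/10
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return
"""


def filter_output(lines: List[str], mode: str, pattern: str) -> List[str]:
    """'| begin', '| exclude' and '| include' as the display commands describe them.
    Assumption: Python's case-sensitive re module matches the switch's engine
    for the constructs in Table 1-1."""
    rx = re.compile(pattern)
    if mode == "include":
        return [ln for ln in lines if rx.search(ln)]
    if mode == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    if mode == "begin":  # the first matching line and everything after it
        for i, ln in enumerate(lines):
            if rx.search(ln):
                return lines[i:]
        return []
    raise ValueError("mode must be begin, exclude or include")


def snmp_v3_security_level(line: str) -> str:
    """No authentication-mode: neither authentication nor encryption; with it:
    authentication only; privacy-mode adds encryption (per the manual)."""
    words = line.split()
    if "privacy-mode" in words:
        return "authPriv"
    if "authentication-mode" in words:
        return "authNoPriv"
    return "noAuthNoPriv"


def audit_config(text: str) -> List[str]:
    """One finding per weak setting. '#' lines separate blocks; inside a block,
    settings belong to the most recent user-interface line."""
    findings: List[str] = []
    ui_settings: Dict[str, List[str]] = {}
    ui = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            ui = None
            continue
        if line.startswith("user-interface "):
            ui = line
            ui_settings.setdefault(ui, [])
            continue
        if ui is not None:
            ui_settings[ui].append(line)
            continue
        if re.match(r"super password( level [1-3])? simple ", line):
            findings.append("super password uses 'simple': stored in plain text")
        m = re.match(r"snmp-agent community (read|write) (\S+)(.*)", line)
        if m and "acl" not in m.group(3).split():
            findings.append(f"SNMP {m.group(1)} community '{m.group(2)}' has no acl")
        m = re.match(r"snmp-agent usm-user v3 (\S+) \S+(.*)", line)
        if m:
            level = snmp_v3_security_level(line)
            if level != "authPriv":
                findings.append(f"SNMPv3 user '{m.group(1)}' is {level}")
            if "acl" not in m.group(2).split():
                findings.append(f"SNMPv3 user '{m.group(1)}' has no acl")
    for ui, settings in ui_settings.items():
        if "authentication-mode none" in settings:
            level = next((s for s in settings if s.startswith("user privilege level")),
                         "default level")
            findings.append(f"{ui}: authentication-mode none, sessions get '{level}'")
        if ui.startswith("user-interface vty") and not any(
                s.startswith("acl ") and s.endswith(" inbound") for s in settings):
            findings.append(f"{ui}: no inbound acl limits Telnet sources")
    return findings
```

On the sample, filter_output(lines, "include", "10*") returns every line that contains a 1, because the asterisk lets the 0 appear zero times; that is why the manual's include 10* example lists all the interfaces, whereas include 10+ returns only the line for Ethernet1/0/10. audit_config then reports seven findings for the sample: the simple password, the write community and the v3 user bbb without an acl, the two v3 users below authPriv, and the VTY lines that grant privilege level 3 without authentication and without an inbound acl.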
Note that:
• If you execute the startup saved-configuration command with neither the backup nor the main keyword specified, the configuration file identified by the cfgfile argument is specified as the main configuration file to be used for the next startup of the switch.
• The configuration file must use .cfg as its extension name, and the startup configuration file must be saved in the root directory of the Flash of the switch.

Related commands: display startup.

Examples
# Configure the configuration file named config.cfg as the main configuration file to be used for the next startup of the current switch.
<Sysname> startup saved-configuration config.cfg main
Please wait......Done!

Table of Contents
1 VLAN Configuration Commands
  VLAN Configuration Commands
    description
    display interface Vlan-interface
    display vlan
    interface Vlan-interface
    name
    shutdown
    vlan
  Port-Based VLAN Configuration Commands
    display port
    port
    port access vlan
    port hybrid pvid vlan
    port hybrid vlan
    port link-type
    port trunk permit vlan
    port trunk pvid vlan

1 VLAN Configuration Commands

VLAN Configuration Commands

description

Syntax
description text
undo description

View
VLAN view, VLAN interface view

Parameters
text: Case-sensitive character string to describe the current VLAN or VLAN interface. Special characters and spaces are allowed. It has:
• 1 to 32 characters for a VLAN description.
• 1 to 80 characters for a VLAN interface description.

Description
Use the description command to configure the description of the current VLAN or VLAN interface.
You can use the description to provide information that helps identify the devices or network segment attached to the VLAN or VLAN interface, and so on.
Use the undo description command to restore the default.
By default, the description of a VLAN is its VLAN ID, for example VLAN 0001; the description of a VLAN interface is its name, for example Vlan-interface 1 Interface.
You can display the description of a VLAN or VLAN interface with the display vlan or display interface Vlan-interface command.

Examples
# Configure the description of VLAN 10 as connect to LAB1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 10
[Sysname-vlan10] description connect to LAB1
# Configure the description of VLAN-interface 10 as gateway of LAB1.
[Sysname-vlan10] quit
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] description gateway of LAB1

display interface Vlan-interface

Syntax
display interface Vlan-interface [ vlan-id ]

View
Any view

Parameters
vlan-id: Specifies a VLAN interface number.

Description
Use the display interface Vlan-interface command to display information about the specified VLAN interface, or about all VLAN interfaces already created if no VLAN interface is specified.
The output of this command shows the state, IP address, description and other information of a VLAN interface. You can use the information to troubleshoot network problems.

Related commands: interface Vlan-interface.

Examples
# Display information about VLAN-interface 1.
<Sysname> display interface Vlan-interface 1
Vlan-interface1 current state : DOWN
Line protocol current state : DOWN
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 000f-e20f-4101
Internet Address is 10.1.1.1/24 Primary
Description : Vlan-interface1 Interface
The Maximum Transmit Unit is 1500

Table 1-1 Description on the fields of the display interface Vlan-interface command
Vlan-interface1 current state: The state of the VLAN interface, which can be one of the following:
  • Administratively DOWN: This VLAN interface has been manually disabled with the shutdown command.
  • DOWN: The administrative state of this VLAN interface is up, but its physical state is down. It indicates that the VLAN corresponding to this interface does not contain ports in the up state (possibly because the lines have failed).
  • UP: The administrative and physical states of this VLAN interface are both up.
Line protocol current state: The link layer protocol state of the VLAN interface, which can be one of the following:
  • DOWN: The protocol state of this VLAN interface is down, usually because no IP address is configured.
  • UP: The protocol state of this VLAN interface is up.
IP Sending Frames' Format is PKTFMT_ETHNT_2: Format of the frames sent from the VLAN interface. PKTFMT_ETHNT_2 indicates that this VLAN interface sends Ethernet II frames. Refer to the VLAN configuration part in the accompanying operation manual for information about frame formats.
Hardware address: MAC address corresponding to the VLAN interface.
Internet Address: IP address corresponding to the VLAN interface.
10.1.1.1/24 Primary: Primary IP address of this VLAN interface.
Description: Description string of the VLAN interface.
The Maximum Transmit Unit: Maximum transmission unit (MTU).

For information about how to configure an IP address for a VLAN interface, refer to the description of the ip address command in the IP Address and Performance Command part.
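The output format above is fixed enough to be parsed by a monitoring script, for example one that watches the management VLAN interface and turns the state pair into the explanation Table 1-1 gives. The following Python is an added example, not code from the 3Com manual; the output it parses is constructed to match the example in this section, and the field names it produces are its own choice.

```python
import re
from typing import Any, Dict

# Constructed output in the shape of this section's display interface
# Vlan-interface example; not captured from a real switch.
SAMPLE_OUTPUT = """\
Vlan-interface1 current state : DOWN
Line protocol current state : DOWN
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 000f-e20f-4101
Internet Address is 10.1.1.1/24 Primary
Description : Vlan-interface1 Interface
The Maximum Transmit Unit is 1500
"""

# One pattern per output line; the named groups become the parsed fields.
LINE_PATTERNS = [
    re.compile(p) for p in (
        r"^(?P<interface>Vlan-interface\d+) current state : (?P<state>.+?)\s*$",
        r"^Line protocol current state : (?P<protocol>.+?)\s*$",
        r"^IP Sending Frames' Format is (?P<frame_format>\S+), Hardware address is (?P<mac>\S+)",
        r"^Internet Address is (?P<ip>\S+)(?P<primary> Primary)?",
        r"^Description : (?P<description>.*?)\s*$",
        r"^The Maximum Transmit Unit is (?P<mtu>\d+)",
    )
]


def parse_vlan_interface(output: str) -> Dict[str, Any]:
    """Turn one display interface Vlan-interface block into a dict of fields."""
    info: Dict[str, Any] = {}
    for line in output.splitlines():
        line = line.strip()
        for rx in LINE_PATTERNS:
            m = rx.match(line)
            if m:
                info.update({k: v for k, v in m.groupdict().items() if v is not None})
                break
    if "mtu" in info:
        info["mtu"] = int(info["mtu"])
    info["primary"] = "primary" in info  # the ' Primary' suffix was present
    return info


def diagnose(info: Dict[str, Any]) -> str:
    """Explain the state pair using the meanings Table 1-1 gives for each value."""
    state, proto = info.get("state"), info.get("protocol")
    if state == "Administratively DOWN":
        return "disabled manually with the shutdown command"
    if state == "DOWN":
        return "administratively up but physically down: no port of the VLAN is up"
    if state == "UP" and proto == "DOWN":
        return "physically up but protocol down: usually no IP address is configured"
    if state == "UP" and proto == "UP":
        return "interface and line protocol both up"
    return f"unrecognised state combination: {state!r} / {proto!r}"
```

For the sample output, parse_vlan_interface returns the interface name, both states, the frame format, MAC address, primary IP address, description and an integer MTU, and diagnose reports the interface as physically down because no member port of the VLAN is up.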
display vlan

Syntax
display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | static ]

View
Any view

Parameters
vlan-id1: Specifies the ID of the VLAN whose information is to be displayed, in the range of 1 to 4094.
to vlan-id2: In conjunction with vlan-id1, defines a VLAN range; information about all existing VLANs in the range is displayed. The vlan-id2 argument takes a value in the range of 1 to 4094 and must not be less than vlan-id1.
all: Displays information about all the VLANs.
dynamic: Displays the number of dynamic VLANs and the ID of each dynamic VLAN. Dynamic VLANs are VLANs generated through GVRP or distributed by a RADIUS server.
static: Displays the number of static VLANs and the ID of each static VLAN. Static VLANs are VLANs created manually.

Description
Use the display vlan command to display information about VLANs. The output shows the ID, type, VLAN interface state and member ports of a VLAN.

If no keyword or argument is specified, the command displays the number of existing VLANs in the system and the ID of each VLAN.

Related commands: vlan.

Examples
# Display information about VLAN 1.
<Sysname> display vlan 1
 VLAN ID: 1
 VLAN Type: static
 Route Interface: configured
 IP Address: 192.168.0.39
 Subnet Mask: 255.255.255.0
 Description: VLAN 0001
 Name: VLAN 0001
 Tagged   Ports: Ethernet1/0/1
 Untagged Ports: Ethernet1/0/2

Table 1-2 Description on the fields of the display vlan command

VLAN ID: VLAN ID.
VLAN Type: VLAN type (dynamic or static).
Route Interface: Indicates whether the VLAN interface of the VLAN is configured with an IP address for routing.
IP Address: Primary IP address of the VLAN interface (available only on a VLAN interface configured with an IP address). You can use the display interface Vlan-interface command in any view, or the display this command in VLAN interface view, to display its secondary IP address(es), if any.
Subnet Mask: Subnet mask of the IP address of the VLAN interface.
Description: Description of the VLAN.
Name: VLAN name.
Tagged Ports: Ports out of which packets are sent tagged.
Untagged Ports: Ports out of which packets are sent untagged.

interface Vlan-interface

Syntax
interface Vlan-interface vlan-id
undo interface Vlan-interface vlan-id

View
System view

Parameters
vlan-id: Specifies the ID of a VLAN interface, in the range of 1 to 4094.

Description
Use the interface Vlan-interface command to create the VLAN interface for a VLAN and enter VLAN interface view.
Use the undo interface Vlan-interface command to delete a VLAN interface.

You can create a VLAN interface only for an existing VLAN, and the ID of the VLAN interface must be the same as the VLAN ID.

You can use the ip address command in VLAN interface view (refer to the IP Address and Performance Command part for the command description) to configure an IP address for this VLAN interface, enabling it to route packets for the devices in the corresponding VLAN.

Related commands: display interface Vlan-interface.

A Switch 4210 series switch can be configured with a single VLAN interface only, and the VLAN must be the management VLAN. For details about the management VLAN, refer to the "Management VLAN Configuration" part of this manual.

Examples
# Create the VLAN interface for VLAN 1 and enter VLAN-interface 1 view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1]

name

Syntax
name text
undo name

View
VLAN view

Parameters
text: VLAN name, a string of 1 to 32 characters. It can contain special characters and spaces.

Description
Use the name command to assign a name to the current VLAN.
Use the undo name command to restore the default VLAN name.

When 802.1x or MAC address authentication is configured on the switch, a RADIUS server may be used to deploy VLANs (either named or numbered) on the ports that have passed authentication.
If a named VLAN is deployed, you must use the name command to associate the VLAN name with the intended VLAN ID.

The name of a VLAN must be unique among all VLANs.

By default, the name of a VLAN is its VLAN ID, VLAN 0001 for example.

Examples
# Specify the name of VLAN 2 as test vlan.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 2
[Sysname-vlan2] name test vlan

shutdown

Syntax
shutdown
undo shutdown

View
VLAN interface view

Parameters
None

Description
Use the shutdown command to administratively shut down the VLAN interface.
Use the undo shutdown command to bring up the VLAN interface.

By default, a VLAN interface is administratively enabled. In this case, the physical state of the VLAN interface is determined by that of the ports in the VLAN:
- When all the Ethernet ports in the VLAN are down, the VLAN interface of the VLAN is down, that is, disabled.
- When one or more Ethernet ports in the VLAN are up, the VLAN interface of the VLAN is up, that is, enabled.

If you shut down the VLAN interface manually, the administrative state of the VLAN interface stays down regardless of the state of the ports in the VLAN. Use the undo shutdown command to enable a VLAN interface once its related parameters and protocols are configured.

When a VLAN interface fails, you can use the shutdown command to disable the interface and then the undo shutdown command to enable it again, which may restore the interface.

Enabling or disabling a VLAN interface does not influence the state of the Ethernet ports belonging to this VLAN.

Related commands: display interface Vlan-interface.

Examples
# Shut down VLAN-interface 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] shutdown

vlan

Syntax
vlan { vlan-id1 [ to vlan-id2 ] | all }
undo vlan { vlan-id1 [ to vlan-id2 ] | all }

View
System view

Parameters
vlan-id1: Specifies the ID of the VLAN you want to create or remove, in the range of 1 to 4094.
to vlan-id2: In conjunction with vlan-id1, specifies a range of VLAN IDs to create or remove. The vlan-id2 argument takes a value in the range of 1 to 4094 and must not be less than vlan-id1.
all: Creates or removes all VLANs. VLANs in use by other functions are not removed.

Description
Use the vlan command to create VLANs. If you create only one VLAN, you enter the view of the VLAN upon its creation; if the specified VLAN already exists, you enter its VLAN view directly.
Use the undo vlan command to remove VLANs.

By default, only VLAN 1 exists in the system.

- VLAN 1 is the default VLAN and cannot be removed.
- You cannot use the undo vlan command to directly remove VLANs reserved by a protocol or VLANs used by any other feature. To remove them, you must first remove their associations with those features.
- After you use the undo vlan command to remove a VLAN that is the default VLAN of a trunk or hybrid port, the default VLAN configuration on the trunk or hybrid port does not change: the port continues to use the removed VLAN as its default VLAN.

Examples
# Create VLAN 5 and enter its VLAN view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 5
[Sysname-vlan5]
# Remove VLAN 5.
[Sysname-vlan5] quit
[Sysname] undo vlan 5
# Create VLAN 4 through VLAN 100.
[Sysname] vlan 4 to 100
Please wait............. Done.

Port-Based VLAN Configuration Commands

display port

Syntax
display port { hybrid | trunk }

View
Any view

Parameters
hybrid: Displays hybrid ports.
trunk: Displays trunk ports.

Description
Use the display port command to display the existing hybrid or trunk ports, if any.
For information about port type configuration, refer to the port link-type command.

Examples
# Display the existing hybrid ports.
<Sysname> display port hybrid
The following hybrid ports exist:
Ethernet1/0/1   Ethernet1/0/2

The output shows that the current system has two hybrid ports: Ethernet 1/0/1 and Ethernet 1/0/2.

port

Syntax
port interface-list
undo port interface-list

View
VLAN view

Parameters
interface-list: List of the Ethernet ports to be added to or removed from the current VLAN. In this list, you can specify individual ports and port ranges. An individual port takes the form interface-type interface-number, and a port range takes the form interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value no less than interface-number1. The total number of individual ports and port ranges in the list must not exceed 10.

Description
Use the port command to assign one or more access ports to the current VLAN.
Use the undo port command to remove the specified access port(s) from the current VLAN.

The command applies to access ports only. For information about how to assign trunk or hybrid ports to a VLAN or remove them from it, refer to the port hybrid vlan command and the port trunk permit vlan command. For port type configuration, refer to the port link-type command.

Related commands: display vlan.

Examples
# Assign Ethernet 1/0/2 through Ethernet 1/0/4 to VLAN 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 2
[Sysname-vlan2] port Ethernet 1/0/2 to Ethernet 1/0/4

port access vlan

Syntax
port access vlan vlan-id
undo port access vlan

View
Ethernet port view

Parameters
vlan-id: Specifies the ID of the VLAN to which you want to assign the current port, in the range of 1 to 4094. The specified VLAN must already exist.

By default, all access ports belong to VLAN 1.
You cannot assign an access port to VLAN 1 or remove it from VLAN 1 with the port access vlan command or its undo form. To return an access port that has been assigned to a VLAN other than VLAN 1 to VLAN 1, use the undo port access vlan command.

Description
Use the port access vlan command to assign the current access port to the specified VLAN.
Use the undo port access vlan command to remove the access port from its current VLAN. After that, the access port joins VLAN 1 automatically.

Examples
# Assign Ethernet 1/0/1 to VLAN 3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port access vlan 3

port hybrid pvid vlan

Syntax
port hybrid pvid vlan vlan-id
undo port hybrid pvid

View
Ethernet port view

Parameters
vlan-id: Specifies the default VLAN ID of the current hybrid port, in the range of 1 to 4094. The specified VLAN may or may not have been created.

Description
Use the port hybrid pvid vlan command to set the default VLAN ID of the hybrid port.
Use the undo port hybrid pvid command to restore the default VLAN ID of the hybrid port.

If the specified default VLAN has been removed or is not carried on the hybrid port, the port will be unable to receive untagged packets. You can configure a hybrid port to permit the packets of its default VLAN to pass through with the port hybrid vlan command.

Related commands: port link-type, port hybrid vlan.

The local and remote hybrid ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted properly.

Examples
# Set the default VLAN ID of the hybrid port Ethernet 1/0/1 to 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet1/0/1
[Sysname-Ethernet1/0/1] port link-type hybrid
[Sysname-Ethernet1/0/1] port hybrid pvid vlan 100

port hybrid vlan

Syntax
port hybrid vlan vlan-id-list { tagged | untagged }
undo port hybrid vlan vlan-id-list

View
Ethernet port view

Parameters
vlan-id-list: List of the VLANs that the current hybrid port will be assigned to or removed from. In this list, you can specify individual VLAN IDs (each in the form vlan-id) and VLAN ID ranges (each in the form vlan-id1 to vlan-id2). Specify each VLAN ID in the range of 1 to 4094 and ensure that vlan-id2 is no less than vlan-id1. The total number of individual VLAN IDs and VLAN ID ranges in the list must not exceed 10. Be sure that the specified VLANs already exist.
tagged: Keeps VLAN tags when the packets of the specified VLANs are forwarded on the port.
untagged: Removes VLAN tags when the packets of the specified VLANs are forwarded on the port.

Description
Use the port hybrid vlan command to assign the hybrid port to one or more VLANs and configure the port to send the packets of those VLANs tagged or untagged.
Use the undo port hybrid vlan command to remove the hybrid port from the specified VLAN(s).

By default, a hybrid port only allows packets from VLAN 1 to pass through untagged.

You can execute the port hybrid vlan vlan-id-list { tagged | untagged } command multiple times. The VLANs specified each time do not overwrite those configured before, if any.

The VLANs specified by the vlan-id-list argument must already exist. Otherwise, this command is invalid.

Related commands: port link-type.

Examples
# Assign hybrid port Ethernet 1/0/1 to VLAN 2, VLAN 4, and VLAN 50 through VLAN 100, and configure the port to keep VLAN tags when sending the packets of these VLANs.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type hybrid
[Sysname-Ethernet1/0/1] port hybrid vlan 2 4 50 to 100 tagged

port link-type

Syntax
port link-type { access | hybrid | trunk }
undo port link-type

View
Ethernet port view

Parameters
access: Sets the link type of the current port to access.
hybrid: Sets the link type of the current port to hybrid.
trunk: Sets the link type of the current port to trunk.

Description
Use the port link-type command to set the link type of the Ethernet port.
Use the undo port link-type command to restore the default link type.

The default link type of an Ethernet port is access.

To change the link type of a port from hybrid to trunk or vice versa, you must change the link type to access first.

Examples
# Configure Ethernet 1/0/1 as a trunk port.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk

port trunk permit vlan

Syntax
port trunk permit vlan { vlan-id-list | all }
undo port trunk permit vlan { vlan-id-list | all }

View
Ethernet port view

Parameters
vlan-id-list: List of the VLANs that the current trunk port will be assigned to or removed from. In this list, you can specify individual VLAN IDs (each in the form vlan-id) and VLAN ID ranges (each in the form vlan-id1 to vlan-id2). Specify each VLAN ID in the range of 1 to 4094 and ensure that vlan-id2 is no less than vlan-id1. The total number of individual VLAN IDs and VLAN ID ranges in the list must not exceed 10.
all: Assigns the trunk port to all VLANs. On a GVRP-enabled trunk port, you must configure the port trunk permit vlan all command to ensure that the traffic of all dynamically registered VLANs can pass through. When GVRP is disabled, however, you are discouraged from using this keyword: a trunk port that permits all VLANs lets users in unauthorized VLANs reach restricted resources through the port.
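The two cautions in this section are easy to check against a saved configuration: a trunk port should not permit all VLANs unless GVRP needs it (the all keyword above), and a trunk or hybrid port's default VLAN must exist and be carried on the port, or the port cannot receive untagged frames (see port hybrid pvid vlan above and port trunk pvid vlan below). The Python script below is an added example, not code from the 3Com manual or the switch software. It parses a constructed, Comware-style running configuration that uses only the commands documented in this section, expands vlan-id-list notation with the limits the manual states (IDs 1 to 4094, vlan-id2 not less than vlan-id1, at most 10 items), and reports trunk ports that permit all VLANs without GVRP, default VLANs that are missing or not carried, and access ports left in VLAN 1. Assumptions: configuration blocks are separated by # lines as on Comware-style switches, a bare gvrp line in Ethernet port view means GVRP is enabled on that port (GVRP commands are documented elsewhere in the manual), and a hybrid port's default VLAN ID is VLAN 1 until changed.

```python
"""Audit port/VLAN settings of a Switch 4210 configuration (added example, not code
from the 3Com manual). Understands only the commands in the port-based VLAN section.
Assumes '#'-separated Comware-style blocks; a bare 'gvrp' line means GVRP on that port."""
import re
from dataclasses import dataclass, field

VLAN_MIN, VLAN_MAX, MAX_LIST_ITEMS = 1, 4094, 10

SAMPLE_CONFIG = """\
#
vlan 2 to 4
#
interface Ethernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 port trunk pvid vlan 4
#
interface Ethernet1/0/2
 port link-type hybrid
 port hybrid pvid vlan 3
 port hybrid vlan 2 4 tagged
#
interface Ethernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 200
#
interface Ethernet1/0/4
#
"""  # constructed sample, not captured from a device


def parse_vlan_list(text: str) -> set[int]:
    """Expand '2 4 50 to 100' into a set; IDs 1..4094, ranges ascending, <= 10 items."""
    items = re.findall(r"(\d+)(?: to (\d+))?", text)
    if len(items) > MAX_LIST_ITEMS:
        raise ValueError(f"{len(items)} list items exceed the limit of {MAX_LIST_ITEMS}")
    vlans: set[int] = set()
    for lo, hi in items:
        lo, hi = int(lo), int(hi or lo)
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"invalid VLAN range {lo} to {hi}")
        vlans.update(range(lo, hi + 1))
    return vlans


@dataclass
class Port:
    name: str
    link_type: str = "access"                               # default link type
    pvid: int = 1                                           # access VLAN or default VLAN ID
    carried: set[int] = field(default_factory=lambda: {1})  # VLAN 1 only by default
    permit_all: bool = False                                # port trunk permit vlan all
    gvrp: bool = False                                      # assumption: bare 'gvrp' line


def parse_config(config: str) -> tuple[set[int], dict[str, Port]]:
    """Return (created VLAN IDs, ports by name) from a running configuration."""
    vlans, ports, cur = {1}, {}, None                  # VLAN 1 always exists
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                                # block separator: leave the view
            cur = None
        elif m := re.fullmatch(r"vlan (\d+(?: to \d+)?)", line):
            vlans |= parse_vlan_list(m.group(1))
        elif m := re.fullmatch(r"interface (Ethernet\S+)", line):
            cur = ports.setdefault(m.group(1), Port(m.group(1)))
        elif cur is None:
            continue                                   # not in Ethernet port view
        elif m := re.fullmatch(r"port link-type (access|hybrid|trunk)", line):
            cur.link_type = m.group(1)
        elif m := re.fullmatch(r"port (?:access|trunk pvid|hybrid pvid) vlan (\d+)", line):
            cur.pvid = int(m.group(1))
        elif line == "port trunk permit vlan all":
            cur.permit_all = True
        elif m := re.fullmatch(r"port (?:trunk permit|hybrid) vlan (.+?)(?: tagged| untagged)?", line):
            cur.carried |= parse_vlan_list(m.group(1))  # VLANs carried on the port
        elif line == "gvrp":
            cur.gvrp = True
    return vlans, ports


def audit(config: str) -> list[tuple[str, str, str]]:
    """Return (severity, port, finding) tuples in configuration order."""
    vlans, ports = parse_config(config)
    findings = []
    for p in ports.values():
        if p.link_type == "trunk" and p.permit_all and not p.gvrp:
            findings.append(("HIGH", p.name, "permit vlan all without GVRP: any VLAN crosses this port"))
        if p.pvid not in vlans:
            findings.append(("MEDIUM", p.name, f"VLAN {p.pvid} does not exist; untagged frames cannot be received"))
        elif p.link_type != "access" and not (p.permit_all or p.pvid in p.carried):
            findings.append(("MEDIUM", p.name, f"default VLAN {p.pvid} not permitted on port; untagged frames cannot be received"))
        elif p.link_type == "access" and p.pvid == 1:   # port access vlan 1 is not allowed, so 1 means default
            findings.append(("INFO", p.name, "access port left in default VLAN 1"))
    return findings


if __name__ == "__main__":
    for severity, port, message in audit(SAMPLE_CONFIG):
        print(f"{severity:<6} {port:<14} {message}")
```

On the constructed configuration, audit(SAMPLE_CONFIG) flags Ethernet1/0/1 (permits all VLANs with no GVRP), Ethernet1/0/2 (default VLAN 3 exists but is not in its port hybrid vlan list), Ethernet1/0/3 (default VLAN 200 was never created) and Ethernet1/0/4 (still in VLAN 1). Feed it the text of display current-configuration to run it against a real switch; the same parse_vlan_list routine can be used to pre-validate a vlan-id-list before typing it.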
Description
Use the port trunk permit vlan command to assign the trunk port to the specified VLAN(s), that is, to allow packets from these VLANs to pass through the port.
Use the undo port trunk permit vlan command to remove the trunk port from the specified VLAN(s).

By default, a trunk port belongs to VLAN 1 only.

On a trunk port, only traffic of the default VLAN can pass through untagged.

You can execute the command multiple times. The VLANs specified each time do not overwrite those configured before, if any.

Related commands: port link-type.

Examples
# Assign the trunk port Ethernet 1/0/1 to VLAN 2, VLAN 4, and VLAN 50 through VLAN 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] port trunk permit vlan 2 4 50 to 100
Please wait... Done.

port trunk pvid vlan

Syntax
port trunk pvid vlan vlan-id
undo port trunk pvid

View
Ethernet port view

Parameters
vlan-id: Specifies the default VLAN ID of the current port, in the range of 1 to 4094.

Description
Use the port trunk pvid vlan command to set the default VLAN ID for the trunk port. A trunk port sends packets of the default VLAN untagged.
Use the undo port trunk pvid command to restore the default.

By default, the default VLAN ID of a trunk port is VLAN 1.

After configuring the default VLAN of a trunk port, you need to use the port trunk permit vlan command to configure the trunk port to allow the packets of the default VLAN to pass through. If the specified default VLAN has been removed or is not carried on the trunk port, the port will be unable to receive untagged packets.

The local and remote trunk ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted properly.

Related commands: port link-type, port trunk permit vlan.

Examples
# Set the default VLAN ID of the trunk port Ethernet 1/0/1 to 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] port trunk pvid vlan 100

Table of Contents

1 Management VLAN Configuration Commands
  Management VLAN Configuration Commands
    delete static-routes all
    display interface Vlan-interface
    display ip interface
    display ip interface brief
    display ip routing-table
    display ip routing-table acl
    display ip routing-table ip-address
    display ip routing-table ip-address1 ip-address2
    display ip routing-table protocol
    display ip routing-table radix
    display ip routing-table statistics
    display ip routing-table verbose
    interface Vlan-interface
    ip address
    ip route-static
    management-vlan
    reset ip routing-table statistics protocol

1 Management VLAN Configuration Commands

Management VLAN Configuration Commands

delete static-routes all

Syntax
delete static-routes all

View
System view

Parameter
None

Description
Use the delete static-routes all command to delete all static routes.

The system requests your confirmation before it deletes all the configured static routes.

Related commands: ip route-static and display ip routing-table.

Example
# Delete all the static routes on the switch.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] delete static-routes all
Are you sure to delete all the unicast static routes?[Y/N]y

display interface Vlan-interface

Syntax
display interface Vlan-interface [ vlan-id ]

View
Any view

Parameter
vlan-id: ID of the management VLAN interface about which information is to be displayed.

Description
Use the display interface Vlan-interface command to display information about the management VLAN interface.

Related command: interface Vlan-interface.
Example
# Display information about the management VLAN interface. (Assume that VLAN 1 is the management VLAN.)
<Sysname> display interface Vlan-interface 1
Vlan-interface1 current state : DOWN
Line protocol current state : DOWN
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 000f-e256-ae10
Internet Address is 192.168.0.39/24 Primary
Description : Vlan-interface1 Interface
The Maximum Transmit Unit is 1500

Table 1-1 Description on the fields of the display interface Vlan-interface command

Vlan-interface1 current state: Current state of Vlan-interface1.
Line protocol current state: Current state of the link layer protocol.
IP Sending Frames' Format: Format of the sent IP packets.
Hardware address: MAC address corresponding to the management VLAN interface.
Internet Address ... Primary: Primary IP address.
Description: Description string assigned to the VLAN interface.
The Maximum Transmit Unit: The maximum transmit unit (MTU).

display ip interface

Syntax
display ip interface [ Vlan-interface vlan-id ]

View
Any view

Parameter
vlan-id: ID of the management VLAN interface.

Description
Use the display ip interface command to display information about the specified VLAN interface.

Example
# Display information about VLAN-interface 1.
<Sysname> display ip interface Vlan-interface 1
Vlan-interface1 current state :UP
Line protocol current state :UP
Internet Address is 192.168.0.39/24 Primary
Broadcast address : 192.168.0.255
The Maximum Transmit Unit : 1500 bytes
IP packets input number:  7420, bytes: 557679, multicasts: 1
IP packets output number: 7509, bytes: 385809, multicasts: 0
TTL invalid packet number: 0
ICMP packet input number:  0
    Echo reply:            0
    Unreachable:           0
    Source quench:         0
    Routing redirect:      0
    Echo request:          0
    Router advert:         0
    Router solicit:        0
    Time exceed:           0
    IP header bad:         0
    Timestamp request:     0
    Timestamp reply:       0
    Information request:   0
    Information reply:     0
    Netmask request:       0
    Netmask reply:         0
    Unknown type:          0

Table 1-2 Description on the fields of the display ip interface command

Vlan-interface1 current state: Current state of Vlan-interface1.
Line protocol current state: Current state of the link layer protocol.
Internet Address: IP address.
Broadcast address: Broadcast address.
The Maximum Transmit Unit: The maximum transmit unit (MTU).
IP packets input number / IP packets output number: Number of received/sent packets (total), bytes, and multicast packets.
TTL invalid packet number: Number of received packets with TTL errors.
ICMP packet input number: Number of received ICMP messages.
Echo reply: Echo replies.
Unreachable: Unreachable messages.
Source quench: Source quench messages.
Routing redirect: Routing redirect messages.
Echo request: Echo requests.
Router advert: Router advertisements.
Router solicit: Router solicit messages.
Time exceed: Time exceeded messages.
IP header bad: IP header bad messages.
Timestamp request: Timestamp requests.
Timestamp reply: Timestamp replies.
Information request: Information requests.
Information reply: Information replies.
Netmask request: Netmask requests.
Netmask reply: Netmask replies.
Unknown type: Messages of unknown type.

display ip interface brief

Syntax
display ip interface brief [ Vlan-interface [ vlan-id ] ]

View
Any view

Parameter
vlan-id: ID of the management VLAN interface.

Description
Use the display ip interface brief command to display brief information about the specified VLAN interface.

Example
# Display brief information about VLAN-interface 1.
<Sysname> display ip interface brief vlan-interface 1
*down: administratively down
(l): loopback
(s): spoofing
Interface        IP Address     Physical  Protocol  Description
Vlan-interface1  192.168.0.39   up        up        Vlan-inte...

Table 1-3 Description on fields of the display ip interface brief command

*down: The interface is administratively shut down with the shutdown command.
(s): Spoofing attribute of the interface. It indicates that the interface, although its link layer protocol is displayed as up, may have no such link present, or that the link is set up only on demand.
Interface: Interface name.
IP Address: IP address of the interface (if no IP address is configured, "unassigned" is displayed).
Physical: Physical state of the interface.
Protocol: Link layer protocol state of the interface.
Description: Description information for the interface.

display ip routing-table

Syntax
display ip routing-table [ | { begin | exclude | include } regular-expression ]

View
Any view

Parameter
|: Uses the regular expression to filter the routing information displayed.
begin: Displays the routing information starting from the first route entry containing the specified character string.
include: Displays all routing information containing the specified character string.
exclude: Displays all routing information not containing the specified character string.
regular-expression: Regular expression that specifies the character string to match.

Description
Use the display ip routing-table command to display summary information about the routing table.

This command displays the summary information about a routing table, with each routing entry on one line. The information displayed includes destination IP address/mask length, protocol, preference, cost, next hop and outbound interface.

The display ip routing-table command displays only the routes currently in use, that is, the optimal routes.

Example
# Display the summary information about the routing table.
<Sysname> display ip routing-table
Routing Table: public net
Destination/Mask   Protocol  Pre  Cost  Nexthop       Interface
127.0.0.0/8        DIRECT    0    0     127.0.0.1     InLoopBack0
127.0.0.1/32       DIRECT    0    0     127.0.0.1     InLoopBack0

Table 1-4 Description on the fields of the display ip routing-table command

Destination/Mask: Dest ination IP address/mask length.
Protocol: Routing protocol that discovered the route.
Pre: Route preference.
Cost: Route cost.
Nexthop: Next hop IP address of the route.
Interface: Outbound interface through which packets destined for the destination network segment are transmitted.

display ip routing-table acl

Syntax
display ip routing-table acl acl-number [ verbose ]

View
Any view

Parameter
acl-number: Number of a basic access control list (ACL), in the range of 2000 to 2999.
verbose: Displays detailed information about the active and inactive routes that match the specified ACL. If you do not specify this keyword, only summary information about the active routes matching the specified ACL is displayed.

Description
Use the display ip routing-table acl command to display the routes that match a specified basic ACL.

Because this command displays the routes that match a specified basic ACL, you can use it to trace routing policies.

Example
# Display the summary information about the active routes that match ACL 2000.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255
[Sysname-acl-basic-2000] rule deny source any
[Sysname-acl-basic-2000] display ip routing-table acl 2000
Routes matched by access-list 2000:
Summary count: 1
Destination/Mask   Protocol  Pre  Cost  Nexthop        Interface
10.1.1.0/24        STATIC    60   0     192.168.0.31   Vlan-interface1

Refer to Table 1-4 for the description on the output fields.

# Display the detailed information about the active and inactive routes that match ACL 2000.
[Sysname] display ip routing-table acl 2000 verbose
Routes matched by access-list 2000:
+ = Active Route, - = Last Active, # = Both
* = Next hop in use
Summary count: 1

**Destination: 10.1.1.0        Mask: 255.255.255.0
   Protocol: #STATIC           Preference: 60
   *NextHop: 192.168.0.31      Interface: 192.168.0.51(Vlan-interface1)
      State: <Int ActiveU Gateway Static Unicast>
        Age: 1:48:18           Cost: 0/0

Table 1-5 Description on the fields of the display ip routing-table acl command

Destination: Destination address.
Mask: Mask.
Protocol: Routing protocol that discovered the route.
Preference: Route preference.
NextHop: Next hop IP address.
Interface: Outbound interface through which packets destined for the destination network segment are transmitted.
State: Route state. The state flags are described as follows:
  ActiveU: Valid unicast route. "U" stands for unicast.
  Blackhole: A blackhole route is the same as a reject route except that the router drops a packet traveling along a blackhole route without sending an ICMP unreachable message to the source of the packet.
  Delete: The route is deleted.
  Gateway: The route is not a direct route.
  Hidden: The route is a hidden route. The system hides routes that are temporarily unavailable for some reason (such as a configured policy or a down interface) for later use.
  Holddown: The route is held down. Holddown is a route advertisement policy used in some distance-vector (D-V) routing protocols, such as RIP, to avoid the propagation of incorrect routes and to speed up the propagation of route-unreachable information. For details, refer to the corresponding routing protocols.
  Int: The route is discovered by an interior gateway protocol (IGP).
  NoAdvise: The route is not advertised when the router advertises routes based on policies.
  NotInstall: The route is not loaded into the core routing table but can be advertised. Normally, the routes with the highest preference in the routing table are loaded into the core routing table and advertised.
  Reject: Packets traveling along the route are dropped, and the router sends ICMP unreachable messages to the source of the dropped packets. Reject routes are usually used for network testing.
  Retain: The route is not deleted when the routes in the core routing table are deleted. You can keep static routes in the core routing table by configuring them to be in the retain state.
  Static: Static routes configured manually on the router are marked as static. Such routes are not lost when you save the configuration and then restart the router.
  Unicast: The route is a unicast route.
Age: Time for which the route has been in the routing table, in the form hh:mm:ss.
Cost: Cost of the route.

display ip routing-table ip-address

Syntax
display ip routing-table ip-address [ mask ] [ longer-match ] [ verbose ]

View
Any view

Parameter
ip-address: Destination IP address, in dotted decimal notation.
mask: Mask of the destination IP address, in dotted decimal notation or as an integer in the range of 0 to 32.
longer-match: Displays all the routes whose destinations fall within the natural mask range of the specified address, or within the specified mask range if mask is also given.
verbose: Displays detailed information about the active and inactive routes leading to the destination. If this keyword is not specified, only summary information about the active routes is displayed.

Description
Use the display ip routing-table ip-address command to display information about the routes leading to a specified destination.

The output of this command differs with the arguments and keywords specified, as follows:
- display ip routing-table ip-address: For the destination address ip-address, if some routes match within the natural mask range, the active routes that best match ip-address are displayed.
- display ip routing-table ip-address mask: Only the routes that exactly match the specified destination address and mask are displayed.
- display ip routing-table ip-address longer-match: All routes with destination addresses matched within the natural mask range are displayed.
- display ip routing-table ip-address mask longer-match: All routes with destination addresses matched within the specified mask range are displayed.

Example
# Display the summary information of the routes with destination addresses matched within the natural mask range.
<Sysname> display ip routing-table 10.1.1.0
Destination/Mask    Protocol   Pre   Cost   Nexthop        Interface
10.1.1.0/24         STATIC     60    0      192.168.0.31   Vlan-interface1
Refer to Table 1-4 for the description on the output fields.

# Display the detailed information of the routes with destination addresses matched within the natural mask range.
<Sysname> display ip routing-table 10.1.1.0 verbose
Routing tables:
 + = Active Route, - = Last Active, # = Both   * = Next hop in use
 Summary count: 1

**Destination: 10.1.1.0        Mask: 255.255.255.0
   Protocol: #STATIC           Preference: 60
   *NextHop: 192.168.0.31      Interface: 192.168.0.246(Vlan-interface1)
      State: <Int ActiveU Gateway Static Unicast>
        Age: 32:31             Cost: 0/0
Refer to Table 1-5 for the description on the output fields.

display ip routing-table ip-address1 ip-address2

Syntax
display ip routing-table ip-address1 mask1 ip-address2 mask2 [ verbose ]

View
Any view

Parameter
ip-address1, ip-address2: Destination IP addresses, in dotted decimal notation. ip-address1 and mask1, together with ip-address2 and mask2, determine an IP address range. The start address of the range is determined by the ip-address1 and mask1 arguments, and the end address of the range by the ip-address2 and mask2 arguments.
mask1, mask2: IP address masks, in dotted decimal notation or integers in the range of 0 to 32.
verbose: Displays detailed information about the active and inactive routes.
If you do not specify this keyword, only summary information about the active routes is displayed.

Description
Use the display ip routing-table ip-address1 ip-address2 command to display information about the routes with destinations within the specified destination IP address range.

Example
# Display information about the routes with destinations within the range of 1.1.1.0 to 2.2.2.0.
<Sysname> display ip routing-table 1.1.1.0 24 2.2.2.0 24
Routing tables:
 Summary count: 1
Destination/Mask    Protocol   Pre   Cost   Nexthop    Interface
1.1.1.0/24          DIRECT     0     0      1.1.1.1    Vlan-interface1
Refer to Table 1-4 for the description on the output fields.

display ip routing-table protocol

Syntax
display ip routing-table protocol protocol [ inactive | verbose ]

View
Any view

Parameter
protocol: This argument can be one of the following:
- direct: Displays information about the direct routes.
- static: Displays information about the static routes.
inactive: Displays information about the inactive routes. If you do not specify this keyword, information about both active and inactive routes is displayed.
verbose: Displays detailed route information. If you do not specify this keyword, only summary route information is displayed.

Description
Use the display ip routing-table protocol command to display information about routes of the specified type.

Example
# Display the summary information about all the direct routes.
<Sysname> display ip routing-table protocol direct
DIRECT Routing tables:
 Summary count: 4

DIRECT Routing table status:<active>:
 Summary count: 4
Destination/Mask    Protocol   Pre   Cost   Nexthop         Interface
127.0.0.0/8         DIRECT     0     0      127.0.0.1       InLoopBack0
127.0.0.1/32        DIRECT     0     0      127.0.0.1       InLoopBack0
192.168.0.0/24      DIRECT     0     0      192.168.0.246   Vlan-interface1
192.168.0.246/32    DIRECT     0     0      127.0.0.1       InLoopBack0

DIRECT Routing table status:<inactive>:
 Summary count: 0

# Display the summary information about the static routing table.
<Sysname> display ip routing-table protocol static
STATIC Routing tables:
 Summary count: 1

STATIC Routing table status:<active>:
 Summary count: 1
Destination/Mask    Protocol   Pre   Cost   Nexthop        Interface
10.1.1.0/24         STATIC     60    0      192.168.0.31   Vlan-interface1

STATIC Routing table status:<inactive>:
 Summary count: 0
Refer to Table 1-4 for the description on the output fields.

display ip routing-table radix

Syntax
display ip routing-table radix

View
Any view

Parameter
None

Description
Use the display ip routing-table radix command to display information about the routes in a routing table in a hierarchical (radix tree) way.

Example
# Display information about the routes in a routing table in a hierarchical way.
<Sysname> display ip routing-table radix
Radix tree for INET (2) inodes 2 routes 2:
+--8+--{127.0.0.0
     +-32+--{127.0.0.1

Table 1-6 Description on the fields of the display ip routing-table radix command

Field: Description
INET: Address family
inodes: Number of nodes
routes: Number of routes

display ip routing-table statistics

Syntax
display ip routing-table statistics

View
Any view

Parameter
None

Description
Use the display ip routing-table statistics command to display the statistics of a routing table. The statistics displayed by this command include:
- The total number of routes
- The number of active routes
- The number of added routes
- The number of routes with the deleted flag

Example
# Display the statistics information about the routing table.
<Sysname> display ip routing-table statistics
Routing tables:
Proto     route     active     added     deleted
DIRECT    2         2          2         0
STATIC    0         0          0         0
Total     2         2          2         0

Table 1-7 Description on the fields of the display ip routing-table statistics command

Field: Description
Proto: Routing protocol
route: Total number of routes
active: Number of the active routes that are currently in use
added: Number of the routes added to the routing table after the switch started or since the routing table was last cleared
deleted: Number of the routes with the deleted flag (routes of this type are removed after a period of time)
Total: Total numbers of the various routes

display ip routing-table verbose

Syntax
display ip routing-table verbose

View
Any view

Parameter
None

Description
Use the display ip routing-table verbose command to display detailed information about a routing table. You can use this command to display all the routes, including the inactive and invalid routes.

Example
# Display the detailed information about the routing table.
<Sysname> display ip routing-table verbose
Routing Tables:
 + = Active Route, - = Last Active, # = Both   * = Next hop in use
 Destinations: 2        Routes: 2
 Holddown: 0            Delete: 0            Hidden: 0

**Destination: 127.0.0.0       Mask: 255.0.0.0
   Protocol: #DIRECT           Preference: 0
   *NextHop: 127.0.0.1         Interface: 127.0.0.1(InLoopBack0)
      State: <NoAdvise Int ActiveU Retain Unicast>
        Age: 57:12             Cost: 0/0

**Destination: 127.0.0.1       Mask: 255.255.255.255
   Protocol: #DIRECT           Preference: 0
   *NextHop: 127.0.0.1         Interface: 127.0.0.1(InLoopBack0)
      State: <NotInstall NoAdvise Int ActiveU Retain Gateway Unicast>
        Age: 57:12             Cost: 0/0
The statistics of the routing table are displayed first, followed by the detailed description of each route. Table 1-5 describes the route states and Table 1-8 describes the statistics information about the routing table.
Table 1-8 Description on the fields of the display ip routing-table verbose command

Field: Description
Holddown: Number of the routes that are held down
Delete: Number of the deleted routes
Hidden: Number of the hidden routes

interface Vlan-interface

Syntax
interface Vlan-interface vlan-id
undo interface Vlan-interface vlan-id

View
System view

Parameter
vlan-id: ID of the management VLAN, in the range of 1 to 4094.

Description
Use the interface Vlan-interface command to create a management VLAN interface and enter management VLAN interface view.
Use the undo interface Vlan-interface command to remove the management VLAN interface.
Before creating a management VLAN interface, make sure the VLAN identified by the vlan-id argument has been created and is configured as the management VLAN.
Note that: To create the VLAN interface for the management VLAN on a switch operating as the management device in a cluster, make sure the ID of the management VLAN is consistent with that of the cluster management VLAN, that is, the vlan-id argument in the management-vlan vlan-id command used when you configure the cluster management VLAN. Otherwise, the configuration fails.

Example
# Create VLAN 10 and configure it as the management VLAN. Then create the VLAN 10 interface and enter VLAN 10 interface view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 10
[Sysname-vlan10] quit
[Sysname] management-vlan 10
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10]

ip address

Syntax
ip address ip-address mask
undo ip address [ ip-address mask ]

View
VLAN interface view

Parameter
ip-address: IP address to be assigned to the management VLAN interface.
mask: Mask of the IP address to be assigned to the management VLAN interface, in dotted decimal notation or an integer in the range of 0 to 32.

Description
Use the ip address command to assign an IP address and mask to a management VLAN interface.
Use the undo ip address command to remove the IP address assigned to a management VLAN interface.
Related command: display interface Vlan-interface.

Example
# Assign the IP address 192.168.0.51 (with the mask 255.255.255.0) to the management VLAN interface. (Assume that VLAN 1 is the management VLAN.)
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.0.51 255.255.255.0

ip route-static

Syntax
ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-hop } [ preference preference-value ] [ reject | blackhole ] [ description text ]
undo ip route-static ip-address { mask | mask-length } [ interface-type interface-number | next-hop ] [ preference preference-value ]

View
System view

Parameter
ip-address: Destination IP address, in dotted decimal notation.
mask: IP address mask, in dotted decimal notation.
mask-length: Mask length, in the range of 0 to 32.
interface-type interface-number: Next hop outgoing interface. Currently, you can specify a NULL interface only. A null interface is a virtual interface; packets destined for a null interface are discarded, which helps reduce system load.
next-hop: IP address of the next hop of this route, in dotted decimal notation.
preference-value: Preference of this route, in the range of 1 to 255.
reject: Specifies the route as an unreachable route. When a static route to a destination address has the reject attribute, all IP packets destined for that address are discarded, and the source host is informed that the destination address is unreachable.
blackhole: Specifies the route as a black hole route. When a static route to a destination address has the blackhole attribute, the outgoing interface of the route is Null 0 regardless of the next hop address.
All IP packets destined for the destination address are discarded, and the source host is not informed that the destination address is unreachable.
description text: Specifies a descriptive string for the static route. The text argument is a case-sensitive string of 1 to 60 characters (spaces included).

Description
Use the ip route-static command to configure a static route.
Use the undo ip route-static command to remove a static route.
By default, the system can obtain the subnet routes directly connected to the router.
When you configure a static route, if no preference is specified for the route, the preference defaults to 60.
Note that routes with the same destinations and the same next hops but different preferences are different routes. Among these routes, the one with the smallest preference value (which means the highest preference) is chosen as the current route.
A route configured using the ip route-static command is a reachable route if neither the reject nor the blackhole keyword is specified.
Note the following when configuring a static route:
- The next hop address of a static route cannot be the VLAN interface address of the local switch.
- A static route with both its destination IP address and mask being 0.0.0.0 is the default route. When no matching entry is found in the routing table, a received packet is forwarded according to the default route.
Related command: display ip routing-table.

Example
# Configure the next hop of the default route as 129.102.0.2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip route-static 0.0.0.0 0.0.0.0 129.102.0.2

management-vlan

Syntax
management-vlan vlan-id
undo management-vlan

View
System view

Parameter
vlan-id: ID of the management VLAN, in the range of 1 to 4094.

Description
Use the management-vlan command to configure a VLAN as the management VLAN.
Use the undo management-vlan command to restore the default.
VLAN 1 is the default management VLAN.
Example
# Configure VLAN 2 as the management VLAN.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] management-vlan 2

reset ip routing-table statistics protocol

Syntax
reset ip routing-table statistics protocol { all | protocol }

View
User view

Parameter
all: Specifies all protocols.
protocol: Specifies a protocol, which can be static or direct.

Description
Use the reset ip routing-table statistics protocol command to clear the statistics of routes in a routing table.

Example
# Before executing the reset ip routing-table statistics protocol command, use the display ip routing-table statistics command to display the routing statistics:
<Sysname> display ip routing-table statistics
Routing tables:
Proto     route     active     added     deleted
DIRECT    4         4          24        20
STATIC    0         0          1         1
Total     4         4          25        21
# Clear the routing statistics of all protocols from the IP routing table.
<Sysname> reset ip routing-table statistics protocol all
This will erase the specific routing counters information. Are you sure?[Y/N]y
# Display the routing statistics in the IP routing table.
<Sysname> display ip routing-table statistics
Routing tables:
Proto     route     active     added     deleted
DIRECT    4         4          0         0
STATIC    0         0          0         0
Total     4         4          0         0
The above output shows that the routing statistics in the IP routing table have been cleared.
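The following Python is an added example, not code from the 3Com manual: it models the lookup behaviour described under display ip routing-table ip-address (natural mask range, exact mask, longer-match) together with the ip route-static rules (lowest preference value wins, reject and blackhole verdicts, the 0.0.0.0/0 default route). The routing table is constructed from the page's sample output; the reject route 10.9.0.0/16, the blackhole route 10.9.9.0/24, the duplicate 10.1.1.0/24 entry with preference 100 and the NULL0 interface name are assumptions added for illustration.

```python
"""Model of the routing-table lookups described in this chapter.

Added example, not code from the 3Com manual. Route entries are constructed
from the page's sample output (10.1.1.0/24 via 192.168.0.31, the default route
via 129.102.0.2) plus hypothetical reject/blackhole static routes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Union

Addr = Union[str, IPv4Address]


@dataclass(frozen=True)
class Route:
    dest: IPv4Network        # Destination/Mask column
    protocol: str            # DIRECT or STATIC
    preference: int          # Pre column; a lower value means a higher preference
    nexthop: IPv4Address
    interface: str
    kind: str = "reachable"  # "reachable", "reject" or "blackhole"


def natural_mask_len(ip: Addr) -> int:
    """Classful ("natural") mask length used when no mask is given."""
    first_octet = int(IPv4Address(ip)) >> 24
    if first_octet < 128:
        return 8    # class A
    if first_octet < 192:
        return 16   # class B
    if first_octet < 224:
        return 24   # class C
    return 32       # class D/E: no natural network


def active_routes(table: List[Route]) -> List[Route]:
    """Routes to the same destination that differ only in preference are
    distinct routes; the smallest preference value becomes the current one."""
    best: Dict[IPv4Network, Route] = {}
    for r in table:
        cur = best.get(r.dest)
        if cur is None or r.preference < cur.preference:
            best[r.dest] = r
    return list(best.values())


def display(table: List[Route], ip: Addr, mask_len: Optional[int] = None,
            longer_match: bool = False) -> List[Route]:
    """Mimic display ip routing-table ip-address [ mask ] [ longer-match ]."""
    ip = IPv4Address(ip)
    prefix = natural_mask_len(ip) if mask_len is None else mask_len
    rng = IPv4Network((ip, prefix), strict=False)
    act = active_routes(table)
    if mask_len is not None and not longer_match:
        # ip-address mask: only the exact destination and mask
        return [r for r in act if r.dest == rng]
    in_range = [r for r in act if r.dest.subnet_of(rng)]
    if longer_match:
        # every route whose destination lies within the natural/specified range
        return in_range
    # ip-address alone: the active routes that best (longest) match ip
    containing = [r for r in in_range if ip in r.dest]
    if not containing:
        return []
    longest = max(r.dest.prefixlen for r in containing)
    return [r for r in containing if r.dest.prefixlen == longest]


def forward(table: List[Route], dst: Addr) -> str:
    """Forwarding verdict for a packet: longest-prefix match over the active
    routes; 0.0.0.0/0 (the default route) catches everything else."""
    dst = IPv4Address(dst)
    cands = [r for r in active_routes(table) if dst in r.dest]
    if not cands:
        return "no route: dropped"
    r = max(cands, key=lambda x: x.dest.prefixlen)
    if r.kind == "reject":
        return f"reject {r.dest}: dropped, ICMP unreachable sent to source"
    if r.kind == "blackhole":
        return f"blackhole {r.dest}: dropped silently via Null 0"
    return f"forward to {r.nexthop} via {r.interface}"


# Constructed routing table: values from the page's output, plus hypothetical
# reject/blackhole routes and a duplicate 10.1.1.0/24 with a worse preference.
ROUTES = [
    Route(IPv4Network("192.168.0.0/24"), "DIRECT", 0, IPv4Address("192.168.0.246"), "Vlan-interface1"),
    Route(IPv4Network("10.1.1.0/24"), "STATIC", 60, IPv4Address("192.168.0.31"), "Vlan-interface1"),
    Route(IPv4Network("10.1.1.0/24"), "STATIC", 100, IPv4Address("192.168.0.31"), "Vlan-interface1"),
    Route(IPv4Network("10.1.2.0/24"), "STATIC", 60, IPv4Address("192.168.0.31"), "Vlan-interface1"),
    Route(IPv4Network("10.9.0.0/16"), "STATIC", 60, IPv4Address("0.0.0.0"), "NULL0", "reject"),
    Route(IPv4Network("10.9.9.0/24"), "STATIC", 60, IPv4Address("0.0.0.0"), "NULL0", "blackhole"),
    Route(IPv4Network("0.0.0.0/0"), "STATIC", 60, IPv4Address("129.102.0.2"), "Vlan-interface1"),
]

if __name__ == "__main__":
    for r in display(ROUTES, "10.1.1.0"):
        print(f"{r.dest}  {r.protocol}  {r.preference}  {r.nexthop}  {r.interface}")
    for dst in ("10.1.1.5", "10.9.1.1", "10.9.9.1", "8.8.8.8"):
        print(dst, "->", forward(ROUTES, dst))
```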
Table of Contents

1 IP Address Configuration Commands (1-1)
  IP Address Configuration Commands (1-1)
    display ip interface (1-1)
    display ip interface brief (1-2)
    ip address (1-3)
2 IP Performance Configuration Commands (2-1)
  IP Performance Configuration Commands (2-1)
    display fib (2-1)
    display fib ip-address (2-2)
    display fib acl (2-3)
    display fib | (2-4)
    display fib statistics (2-5)
    display icmp statistics (2-5)
    display ip socket (2-6)
    display ip statistics (2-8)
    display tcp statistics (2-9)
    display tcp status (2-12)
    display udp statistics (2-13)
    icmp redirect send (2-14)
    icmp unreach send (2-14)
    reset ip statistics (2-15)
    reset tcp statistics (2-15)
    reset udp statistics (2-16)
    tcp timer fin-timeout (2-16)
    tcp timer syn-timeout (2-17)
    tcp window (2-17)

1 IP Address Configuration Commands

display ip interface

Syntax
display ip interface [ interface-type interface-number ]

View
Any view

Parameters
interface-type interface-number: Specifies an interface by its type and number.

Description
Use the display ip interface command to display information about a specified Layer 3 interface or about all Layer 3 interfaces. If no argument is specified, information about all Layer 3 interfaces is displayed.

Examples
# Display information about VLAN-interface 1.
<Sysname> display ip interface Vlan-interface 1
Vlan-interface1 current state :UP
Line protocol current state :UP
Internet Address is 192.168.0.39/24 Primary
Broadcast address : 192.168.0.255
The Maximum Transmit Unit : 1500 bytes
IP packets input number:          9678, bytes:        475001, multicasts:          7
IP packets output number:         8622, bytes:        391084, multicasts:          0
TTL invalid packet number:           0
ICMP packet input number:            0
  Echo reply:                        0
  Unreachable:                       0
  Source quench:                     0
  Routing redirect:                  0
  Echo request:                      0
  Router advert:                     0
  Router solicit:                    0
  Time exceed:                       0
  IP header bad:                     0
  Timestamp request:                 0
  Timestamp reply:                   0
  Information request:               0
  Information reply:                 0
  Netmask request:                   0
  Netmask reply:                     0
  Unknown type:                      0

Table 1-1 Description on the fields of the display ip interface command

Field: Description
Vlan-interface1 current state: Current physical state of VLAN-interface 1
Line protocol current state: Current state of the link layer protocol
Internet Address: IP address of the interface
Broadcast address: Directed broadcast address of the subnet attached to the interface
The Maximum Transmit Unit: Maximum transmission unit on the interface
IP packets input number / IP packets output number (with bytes and multicasts): Total number of packets, bytes, and multicast packets received and forwarded on the interface
TTL invalid packet number: Number of received packets with an invalid TTL
ICMP packet input number (with the per-type counters listed under it): Total number of received ICMP packets, including echo reply, unreachable, source quench, routing redirect, echo request, router advert, router solicit, time exceed, IP header bad, timestamp request, timestamp reply, information request, information reply, netmask request, netmask reply, and unknown-type packets

display ip interface brief

Syntax
display ip interface brief [ interface-type [ interface-number ] ]

View
Any view

Parameters
interface-type: Interface type.
interface-number: Interface number.

Description
Use the display ip interface brief command to display brief information about a specified Layer 3 interface or about all Layer 3 interfaces. With no argument included, the command displays information about all Layer 3 interfaces; with only the interface type specified, it displays information about all Layer 3 interfaces of the specified type; with both the interface type and interface number specified, it displays information about the specified interface.
Related commands: display ip interface.

Examples
# Display brief information about VLAN-interface 1.
<Sysname> display ip interface brief vlan-interface 1
*down: administratively down
(l): loopback
(s): spoofing
Interface          IP Address       Physical   Protocol   Description
Vlan-interface1    192.168.0.39     up         up         Vlan-inte...

Table 1-2 Description on the fields of the display ip interface brief command

Field: Description
*down: The interface is administratively shut down with the shutdown command.
(s): Spoofing attribute of the interface. It indicates that although the link layer protocol of the interface is displayed as up, the link may not be present or is set up only on demand.
Interface: Interface name
IP Address: IP address of the interface ("unassigned" is displayed if no IP address is configured)
Physical: Physical state of the interface
Protocol: Link layer protocol state of the interface
Description: Interface description. If the description has no more than 12 characters, the whole description is displayed. If it has more than 12 characters, only the first nine characters are displayed.

ip address

Syntax
ip address ip-address { mask | mask-length }
undo ip address [ ip-address { mask | mask-length } ]

View
VLAN interface view, loopback interface view

Parameters
ip-address: IP address, in dotted decimal notation.
mask: Subnet mask, in dotted decimal notation.
mask-length: Subnet mask length, the number of consecutive ones in the mask, in the range of 0 to 32.

Description
Use the ip address command to specify an IP address and mask for a VLAN or loopback interface.
Use the undo ip address command to remove the IP address and mask of a VLAN or loopback interface.
By default, no IP address is configured for a VLAN or loopback interface.
- A newly specified IP address overwrites the previous one, if any.
- The IP address of a VLAN interface must not be in the same network segment as that of a loopback interface on the device.
Related commands: display ip interface.

Examples
# Assign the IP address 129.12.0.1 to VLAN-interface 1 with subnet mask 255.255.255.0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 129.12.0.1 255.255.255.0

2 IP Performance Configuration Commands

display fib

Syntax
display fib

View
Any view

Parameters
None

Description
Use the display fib command to display all forwarding information base (FIB) information.

Examples
# Display all FIB information.
<Sysname> display fib
Flag:
  U:Usable   R:Reject   G:Gateway   H:Host   E:Equal cost multi-path
  B:Blackhole   D:Dynamic   L:Generated by ARP or ESIS   S:Static
Destination/Mask    Nexthop         Flag   TimeStamp   Interface
10.153.17.0/24      10.153.17.99    U      t[37]       Vlan-interface1
10.153.18.88/32     127.0.0.1       GHU    t[37]       InLoopBack0
10.153.18.0/24      10.153.18.88    U      t[37]       LoopBack0
10.153.17.99/32     127.0.0.1       GHU    t[37]       InLoopBack0
127.0.0.0/8         127.0.0.1       U      t[33]       InLoopBack0

Table 2-1 Description on the fields of the display fib command

Field: Description
Flag: Flags of the entry:
  U: The route is up and available.
  G: Gateway route
  H: Local host route
  B: Blackhole route
  D: Dynamic route
  S: Static route
  R: Rejected route
  E: Multi-path equal-cost route
  L: Route generated by ARP or ESIS
Destination/Mask: Destination address/mask length
Nexthop: Next hop address
TimeStamp: Timestamp
Interface: Forwarding interface

display fib ip-address

Syntax
display fib ip-address1 [ { mask1 | mask-length1 } [ ip-address2 { mask2 | mask-length2 } | longer ] | longer ]

View
Any view

Parameters
ip-address1, ip-address2: Destination IP addresses, in dotted decimal notation. ip-address1 and ip-address2 together define an address range; the FIB entries in this address range are displayed.
mask1, mask2: Subnet masks, in dotted decimal notation.
mask-length1, mask-length2: Lengths of the subnet masks, the number of consecutive ones in the masks, in the range of 0 to 32.
longer: Displays the FIB entries matching the specified address/mask and having masks longer than or equal to the specified mask. If no mask is specified, FIB entries that match the natural network address and have masks longer than or equal to the natural mask are displayed.

Description
Use the display fib ip-address command to view the FIB entries matching the specified destination IP address.
If no mask or mask length is specified, the FIB entry that matches the destination IP address and has the longest mask is displayed; if a mask is specified, the FIB entry that exactly matches the specified destination IP address and mask is displayed.

Examples
# Display FIB entries that match destination 12.158.10.0 and have a mask length no less than eight.
<Sysname> display fib 12.158.10.0 longer
Route Entry Count: 1
Flag:
  U:Usable   G:Gateway   H:Host   B:Blackhole   R:Reject   E:Equal cost multi-path
  D:Dynamic   S:Static   L:Generated by ARP or ESIS
Destination/Mask    Nexthop        Flag   TimeStamp    Interface
12.158.10.0/24      12.158.10.1    U      t[85391]     Vlan-interface10

# Display FIB entries that have a destination in the range of 12.158.10.0/24 to 12.158.10.6/24 and have a mask length of 24.
<Sysname> display fib 12.158.10.0 255.255.255.0 12.158.10.6 255.255.255.0
Route Entry Count: 1
Flag:
  U:Usable   G:Gateway   H:Host   B:Blackhole   R:Reject   E:Equal cost multi-path
  D:Dynamic   S:Static   L:Generated by ARP or ESIS
Destination/Mask    Nexthop        Flag   TimeStamp    Interface
12.158.10.0/24      12.158.10.1    U      t[85391]     Vlan-interface10
For details about the displayed information, see Table 2-1.

display fib acl

Syntax
display fib acl acl-number

View
Any view

Parameters
acl-number: Basic ACL number, in the range of 2000 to 2999.

Description
Use the display fib acl command to display the FIB entries matching a specific ACL. For ACL, refer to the part discussing ACL in this manual.

Examples
# Configure and display ACL 2001.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 211.71.75.0 0.0.0.255
[Sysname-acl-basic-2001] display acl 2001
 Basic ACL 2001, 1 rule
 Acl's step is 1
 rule 0 permit source 211.71.75.0 0.0.0.255
# Display the FIB entries filtered by ACL 2001.
<Sysname> display fib acl 2001
Route Entry matched by access-list 2001
Summary Counts :1
Flag:
  U:Usable   G:Gateway   H:Host   B:Blackhole   R:Reject   E:Equal cost multi-path
  D:Dynamic   S:Static   L:Generated by ARP or ESIS
Destination/Mask    Nexthop    Flag   TimeStamp     Interface
211.71.75.0/24      1.1.1.2    GSU    t[250763]     Vlan-interface2
For details about the displayed information, see Table 2-1.

display fib |

Syntax
display fib | { begin | exclude | include } regular-expression

View
Any view

Parameters
|: Uses a regular expression to match FIB entries. For detailed information about regular expressions, refer to Configuration File Management Command.
begin: Displays a specific FIB entry and all the FIB entries following it. The specific FIB entry is the first entry that matches the specified regular expression.
exclude: Displays the FIB entries that do not match the specified regular expression.
include: Displays the FIB entries that match the specified regular expression.
regular-expression: A case-sensitive character string.

Description
Use the display fib | command to display the FIB entries filtered by the specified regular expression.

Examples
# Display the entries starting from the first one containing the string 169.254.0.0.
<Sysname> display fib | begin 169.254.0.0
169.254.0.0/16      2.1.1.1    U      t[0]      Vlan-interface1
2.0.0.0/16          2.1.1.1    U      t[0]      Vlan-interface1
For details about the displayed information, see Table 2-1.

display fib statistics

Syntax
display fib statistics

View
Any view

Parameters
None

Description
Use the display fib statistics command to display the total number of FIB entries.

Examples
# Display the total number of FIB entries.
<Sysname> display fib statistics
Route Entry Count : 8

display icmp statistics

Syntax
display icmp statistics

View
Any view

Parameters
None

Description
Use the display icmp statistics command to display the statistics about ICMP packets.
Related commands: display ip interface, reset ip statistics.
Examples
# Display the statistics about ICMP packets.
<Sysname> display icmp statistics
  Input: bad formats           0       bad checksum            0
         echo                  5       destination unreachable 0
         source quench         0       redirects               0
         echo reply            10      parameter problem       0
         timestamp             0       information request     0
         mask requests         0       mask replies            0
         time exceeded         0
  Output:echo                  10      destination unreachable 0
         source quench         0       redirects               0
         echo reply            5       parameter problem       0
         timestamp             0       information reply       0
         mask requests         0       mask replies            0
         time exceeded         0

Table 2-2 Description on the fields of the display icmp statistics command

Field: Description
Input:
  bad formats: Number of received packets with a wrong format
  bad checksum: Number of received packets with a wrong checksum
  echo: Number of received echo packets
  destination unreachable: Number of received destination unreachable packets
  source quench: Number of received source quench packets
  redirects: Number of received redirect packets
  echo reply: Number of received echo replies
  parameter problem: Number of received parameter problem packets
  timestamp: Number of received timestamp packets
  information request: Number of received information request packets
  mask requests: Number of received mask requests
  mask replies: Number of received mask replies
  time exceeded: Number of received time exceeded (expiration) packets
Output:
  echo: Number of sent echo packets
  destination unreachable: Number of sent destination unreachable packets
  source quench: Number of sent source quench packets
  redirects: Number of sent redirect packets
  echo reply: Number of sent echo replies
  parameter problem: Number of sent parameter problem packets
  timestamp: Number of sent timestamp packets
  information reply: Number of sent information reply packets
  mask requests: Number of sent mask requests
  mask replies: Number of sent mask replies
  time exceeded: Number of sent time exceeded (expiration) packets

display ip socket

Syntax
display ip socket [ socktype sock-type ] [ task-id socket-id ]

View
Any view

Parameters
socktype sock-type: Displays the socket information of this type.
The sock type is in the range 1 to 3, corresponding to TCP, UDP and raw IP respectively.
task-id: ID of a task, in the range of 1 to 100.
socket-id: ID of a socket, in the range of 0 to 3072.

Description
Use the display ip socket command to display socket information.

Examples
# Display information about the sockets of the TCP type.
<Sysname> display ip socket socktype 1
SOCK_STREAM:
Task = VTYD(18), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_SENDVPNID SO_SETKEEPALIVE,
socket state = SS_PRIV SS_ASYNC

Task = VTYD(18), socketid = 2, Proto = 6,
LA = 10.153.17.99:23, FA = 10.153.17.56:1161,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_KEEPALIVE SO_OOBINLINE SO_SENDVPNID SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC

Task = VTYD(18), socketid = 3, Proto = 6,
LA = 10.153.17.99:23, FA = 10.153.17.82:1121,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_KEEPALIVE SO_OOBINLINE SO_SENDVPNID SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC

Table 2-3 Description on the fields of the display ip socket command

Field: Description
SOCK_STREAM: Indicates the socket type is TCP
SOCK_DGRAM: Indicates the socket type is UDP
SOCK_RAW: Indicates the socket type is raw IP
Task: Task ID
socketid: Socket ID
Proto: Protocol number used by the socket
sndbuf: Sending buffer size of the socket
rcvbuf: Receiving buffer size of the socket
sb_cc: Current data size in the sending buffer. The value is meaningful only for a socket of the TCP type, because only TCP is able to cache data.
rb_cc: Current data size in the receiving buffer
socket option: Option of a socket
socket state: State of a socket

display ip statistics

Syntax
display ip statistics

View
Any view

Parameters
None

Description
Use the display ip statistics command to display the statistics about IP packets.
Related commands: display ip interface, reset ip statistics.

Examples
# Display the statistics about IP packets.
<Sysname> display ip statistics
  Input:        sum               7120    local           112
                bad protocol      0       bad format      0
                bad checksum      0       bad options     0
  Output:       forwarding        0       local           27
                dropped           0       no route        2
                compress fails    0
  Fragment:     input             0       output          0
                dropped           0       fragmented      0
                couldn't fragment 0
  Reassembling: sum               0       timeouts        0

Table 2-4 Description on the fields of the display ip statistics command

Field                Description
Input:
  sum                Total number of packets received
  local              Total number of packets destined for the local device
  bad protocol       Total number of unknown protocol packets. Unknown protocol packets are destined for the local device, but the upper layer protocol specified in their IP header cannot be processed by the device. (For example, if a switch is not enabled with the Layer 3 multicast function, it treats IGMP packets as unknown protocol packets.)
  bad format         Total number of packets with an incorrect header format, that is, a wrong version or a header length less than 20 bytes
  bad checksum       Total number of packets with an incorrect checksum
  bad options        Total number of packets with incorrect options
Output:
  forwarding         Total number of IP packets forwarded by the local device
  local              Total number of IP packets originated by the local device
  dropped            Total number of IP packets discarded
  no route           Total number of IP packets for which no route is available
  compress fails     Total number of IP packets that failed to be compressed
Fragment:
  input              Total number of fragments received
  output             Total number of fragments sent
  dropped            Total number of fragments discarded
  fragmented         Total number of IP packets successfully fragmented
  couldn't fragment  Total number of IP packets that could not be fragmented
Reassembling:
  sum                Total number of IP packets reassembled
  timeouts           Total number of IP packets whose reassembly timed out

display tcp statistics

Syntax
display tcp statistics

View
Any view

Parameters
None

Description
Use the display tcp statistics command to display the statistics about TCP packets.
Related commands: display tcp status, reset tcp statistics.

Examples
# Display the statistics about TCP connections.
<Sysname> display tcp statistics
Received packets:
  Total: 753
  packets in sequence: 412 (11032 bytes)
  window probe packets: 0, window update packets: 0
  checksum error: 0, offset error: 0, short error: 0
  duplicate packets: 4 (88 bytes), partially duplicate packets: 5 (7 bytes)
  out-of-order packets: 0 (0 bytes)
  packets of data after window: 0 (0 bytes)
  packets received after close: 0
  ACK packets: 481 (8776 bytes)
  duplicate ACK packets: 7, too much ACK packets: 0

Sent packets:
  Total: 665
  urgent packets: 0
  control packets: 5 (including 1 RST)
  window probe packets: 0, window update packets: 2
  data packets: 618 (8770 bytes)  data packets retransmitted: 0 (0 bytes)
  ACK-only packets: 40 (28 delayed)

Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0
Keepalive timeout: 0, keepalive probe: 0, Keepalive timeout, so connections disconnected : 0
Initiated connections: 0, accepted connections: 0, established connections: 0
Closed connections: 0 (dropped: 0, initiated dropped: 0)
Packets dropped with MD5 authentication: 0
Packets permitted with MD5 authentication: 0

Table 2-5 Description on the fields of the display tcp statistics command

Field                                            Description
Received packets:
  Total                                          Total number of packets received
  packets in sequence                            Number of packets arriving in sequence
  window probe packets                           Number of window probe packets received
  window update packets                          Number of window update packets received
  checksum error                                 Number of checksum error packets received
  offset error                                   Number of offset error packets received
  short error                                    Number of received packets whose length is too small
  duplicate packets                              Number of completely duplicate packets received
  partially duplicate packets                    Number of partially duplicate packets received
  out-of-order packets                           Number of out-of-order packets received
  packets of data after window                   Number of packets outside the receiving window
  packets received after close                   Number of packets that arrived after the connection was closed
  ACK packets                                    Number of ACK packets received
  duplicate ACK packets                          Number of duplicate ACK packets received
  too much ACK packets                           Number of ACK packets acknowledging data not yet sent
Sent packets:
  Total                                          Total number of packets sent
  urgent packets                                 Number of urgent packets sent
  control packets                                Number of control packets sent; in brackets are retransmitted packets
  window probe packets                           Number of window probe packets sent; in brackets are resent packets
  window update packets                          Number of window update packets sent
  data packets                                   Number of data packets sent
  data packets retransmitted                     Number of data packets retransmitted
  ACK-only packets                               Number of ACK packets sent; in brackets are delayed ACK packets
Retransmitted timeout                            Number of retransmission timer timeouts
connections dropped in retransmitted timeout     Number of connections broken due to retransmission timeouts
Keepalive timeout                                Number of keepalive timer timeouts
keepalive probe                                  Number of keepalive probe packets sent
Keepalive timeout, so connections disconnected   Number of connections broken due to keepalive probe failures
Initiated connections                            Number of connections initiated
accepted connections                             Number of connections accepted
established connections                          Number of connections established
Closed connections                               Number of connections closed; in brackets are connections closed accidentally (before a SYN was received from the peer) and connections closed actively (after a SYN was received from the peer)
Packets dropped with MD5 authentication          Number of packets dropped by MD5 authentication
Packets permitted with MD5 authentication        Number of packets permitted by MD5 authentication

display tcp status

Syntax
display tcp status

View
Any view

Parameters
None

Description
Use the display tcp status command to display the state of all TCP connections, so that you can monitor TCP connections in real time.

Examples
# Display the state of all TCP connections.
<Sysname> display tcp status
*: TCP MD5 Connection
TCPCB      Local Add:port        Foreign Add:port       State
03e37dc4   0.0.0.0:4001          0.0.0.0:0              Listening
04217174   100.0.0.204:23        100.0.0.253:65508      Established

Table 2-6 Description on the fields of the display tcp status command

Field              Description
*                  An asterisk before a connection means that the TCP connection is authenticated with the MD5 algorithm.
TCPCB              TCP control block
Local Add:port     Local IP address and port number
Foreign Add:port   Remote IP address and port number
State              State of the TCP connection

display udp statistics

Syntax
display udp statistics

View
Any view

Parameters
None

Description
Use the display udp statistics command to display the statistics about UDP packets.
Related commands: reset udp statistics.

Examples
# Display the statistics about UDP packets.
<Sysname> display udp statistics
Received packets:
  Total: 26320
  checksum error: 0
  shorter than header: 0, data length larger than packet: 0
  no socket on port: 0
  total broadcast or multicast packets : 25006
  no socket broadcast or multicast packets: 24989
  not delivered, input socket full: 0
  input packets missing pcb cache: 1314
Sent packets:
  Total: 7187

Table 2-7 Description on the fields of the display udp statistics command

Field                                       Description
Received packets:
  Total                                     Total number of received UDP packets
  checksum error                            Total number of packets with an incorrect checksum
  shorter than header                       Number of packets whose data is shorter than the header
  data length larger than packet            Number of packets whose data length is larger than the packet
  no socket on port                         Number of unicast packets with no socket on the port
  total broadcast or multicast packets      Total number of received broadcast or multicast packets
  no socket broadcast or multicast packets  Total number of broadcast or multicast packets without a socket on the port
  not delivered, input socket full          Number of packets not delivered because the socket cache was full
  input packets missing pcb cache           Number of packets without a matching PCB cache
Sent packets:
  Total                                     Total number of UDP packets sent

icmp redirect send

Syntax
icmp redirect send
undo icmp redirect send

View
System view

Parameters
None

Description
Use the icmp redirect send command to enable the device to send ICMP redirect packets.
Use the undo icmp redirect send command to disable the device from sending ICMP redirect packets.
By default, the device is enabled to send ICMP redirect packets.

Examples
# Disable the device from sending ICMP redirect packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo icmp redirect send

icmp unreach send

Syntax
icmp unreach send
undo icmp unreach send

View
System view

Parameters
None

Description
Use the icmp unreach send command to enable the device to send ICMP destination unreachable packets. With this feature enabled, the switch, upon receiving a packet with an unreachable destination, discards the packet and then sends a destination unreachable packet to the source host.
Use the undo icmp unreach send command to disable the device from sending ICMP destination unreachable packets.
By default, the device is enabled to send ICMP destination unreachable packets.

Examples
# Disable the device from sending ICMP destination unreachable packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo icmp unreach send

reset ip statistics

Syntax
reset ip statistics

View
User view

Parameters
None

Description
Use the reset ip statistics command to clear the statistics about IP packets. You can use the display ip statistics command to view the current IP packet statistics.
Related commands: display ip interface.

Examples
# Clear the statistics about IP packets.
<Sysname> reset ip statistics

reset tcp statistics

Syntax
reset tcp statistics

View
User view

Parameters
None

Description
Use the reset tcp statistics command to clear the statistics about TCP packets.
You can use the display tcp statistics command to view the current TCP packet statistics.

Examples
# Clear the statistics about TCP packets.
<Sysname> reset tcp statistics

reset udp statistics

Syntax
reset udp statistics

View
User view

Parameters
None

Description
Use the reset udp statistics command to clear the statistics about UDP packets. You can use the display udp statistics command to view the current UDP packet statistics.

Examples
# Clear the statistics about UDP packets.
<Sysname> reset udp statistics

tcp timer fin-timeout

Syntax
tcp timer fin-timeout time-value
undo tcp timer fin-timeout

View
System view

Parameters
time-value: TCP finwait timer, in seconds, in the range 76 to 3600.

Description
Use the tcp timer fin-timeout command to configure the TCP finwait timer.
Use the undo tcp timer fin-timeout command to restore the default value of the TCP finwait timer.
By default, the value of the TCP finwait timer is 675 seconds.
When the TCP connection state changes from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer is started. If the switch does not receive a FIN packet before the finwait timer expires, the TCP connection is terminated.
Related commands: tcp timer syn-timeout, tcp window.

Examples
# Set the TCP finwait timer to 800 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] tcp timer fin-timeout 800

tcp timer syn-timeout

Syntax
tcp timer syn-timeout time-value
undo tcp timer syn-timeout

View
System view

Parameters
time-value: TCP synwait timer, in seconds, in the range 2 to 600.

Description
Use the tcp timer syn-timeout command to configure the TCP synwait timer.
Use the undo tcp timer syn-timeout command to restore the default value of the TCP synwait timer.
By default, the value of the TCP synwait timer is 75 seconds.
When sending a SYN packet, TCP starts the synwait timer. If no response packet is received before the synwait timer expires, the TCP connection is terminated.
Related commands: tcp timer fin-timeout, tcp window.

Examples
# Set the TCP synwait timer to 80 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] tcp timer syn-timeout 80

tcp window

Syntax
tcp window window-size
undo tcp window

View
System view

Parameters
window-size: Size of the transmission and receiving buffers of the connection-oriented socket, in kilobytes (KB), in the range 1 to 32.

Description
Use the tcp window command to configure the size of the transmission and receiving buffers of the connection-oriented socket.
Use the undo tcp window command to restore the default size of the transmission and receiving buffers of the connection-oriented socket.
By default, the size of the transmission and receiving buffers is 8 KB.
Related commands: tcp timer fin-timeout, tcp timer syn-timeout.

Examples
# Set the size of the transmission and receiving buffers of the connection-oriented socket to 3 KB.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] tcp window 3

Table of Contents

1 Port Basic Configuration Commands                 1-1
  Port Basic Configuration Commands                 1-1
    broadcast-suppression                           1-1
    copy configuration                              1-2
    description                                     1-4
    display brief interface                         1-4
    display interface                               1-6
    display link-delay                              1-10
    display loopback-detection                      1-10
    display port combo                              1-11
    display storm-constrain                         1-12
    display unit                                    1-13
    duplex                                          1-14
    enable log updown                               1-15
    flow-control                                    1-16
    flow interval                                   1-16
    interface                                       1-17
    link-delay                                      1-18
    loopback                                        1-18
    loopback-detection control enable               1-19
    loopback-detection enable                       1-20
    loopback-detection interface-list enable        1-21
    loopback-detection interval-time                1-22
    loopback-detection per-vlan enable              1-23
    loopback-detection shutdown enable              1-23
    mdi                                             1-24
    multicast-suppression                           1-25
    reset counters interface                        1-26
    shutdown                                        1-27
    speed                                           1-28
    speed auto                                      1-28
    storm-constrain                                 1-29
    storm-constrain control                         1-30
    storm-constrain enable                          1-31
    storm-constrain interval                        1-32
    virtual-cable-test                              1-32

1 Port Basic Configuration Commands

Port Basic Configuration Commands

broadcast-suppression

Syntax
In system view:
broadcast-suppression ratio
undo broadcast-suppression
In Ethernet port view:
broadcast-suppression { ratio | bps max-bps }
undo broadcast-suppression

View
System view, Ethernet port view

Parameters
ratio: Maximum ratio of the broadcast traffic allowed on a port to the total transmission capacity of the port. The value ranges from 1 to 100 (in steps of 1) and defaults to 100. The smaller the ratio, the less broadcast traffic is allowed.
max-bps: Maximum amount (in Kbps) of broadcast traffic that can be received per second on an Ethernet port (in steps of 64).
This argument can only be configured in Ethernet port view.
- For a 100Mbps Ethernet port, the max-bps argument is in the range 64 to 99,968.
- For a GigabitEthernet port, the max-bps argument is in the range 64 to 1,000,000.

Description
Use the broadcast-suppression command to limit the broadcast traffic allowed to be received on each port (in system view) or on a specified port (in Ethernet port view).
Use the undo broadcast-suppression command to restore the default broadcast suppression setting.
The broadcast-suppression command enables broadcast suppression. By default, broadcast suppression is disabled.
When incoming broadcast traffic exceeds the broadcast traffic threshold you set, the system drops the packets exceeding the threshold to bring the broadcast traffic ratio back into the specified range, so that normal network service is maintained.
You can use the undo broadcast-suppression command in system view to cancel the broadcast suppression settings on all ports, or use the broadcast-suppression command in system view to make a global setting. Executing the commands in Ethernet port view takes effect only on the current port.
- The global broadcast suppression setting configured by the broadcast-suppression command in system view takes effect on all Ethernet ports in the system except for stack ports and ports that have their own broadcast suppression settings.
- If you configure the broadcast-suppression command in both system view and Ethernet port view, the configuration in Ethernet port view takes effect.

Examples
# Allow incoming broadcast traffic on Ethernet 1/0/1 to occupy at most 20% of the total transmission capacity of the port and suppress the broadcast traffic that exceeds the specified range.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] broadcast-suppression 20
# Set the maximum incoming broadcast traffic rate allowed on Ethernet 1/0/2 to 128 kbps.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] broadcast-suppression bps 128

copy configuration

Syntax
copy configuration source { interface-type interface-number | aggregation-group source-agg-id } destination { interface-list [ aggregation-group destination-agg-id ] | aggregation-group destination-agg-id }

View
System view

Parameters
interface-type: Port type.
interface-number: Port number.
source-agg-id: Source aggregation group number, in the range 1 to 52. The port with the smallest port number in the aggregation group is used as the source port.
destination-agg-id: Destination aggregation group number, in the range 1 to 52.
interface-list: Destination port list, interface-list = interface-type interface-number [ to interface-type interface-number ] &<1-10>. &<1-10> means that you can input up to 10 ports or port ranges.

Description
Use the copy configuration command to duplicate the configuration of a port to the specified ports, so that their configurations stay consistent.
- If you specify a source aggregation group ID, the system uses the port with the smallest port number in the aggregation group as the source.
- If you specify a destination aggregation group ID, the configuration of the source port is copied to all ports in the aggregation group, and all ports in the group will have the same configuration as the source port.
Refer to Table 1-1 for the configurations that can be copied.

Table 1-1 Configurations that can be copied

Configuration category                     Contents
VLAN                                       VLANs carried on the port and the default VLAN ID.
LACP (Link Aggregation Control Protocol)   The enable/disable status of LACP. (As the configuration commands of manual and static link aggregation groups cannot be copied, you cannot assign a port to a link aggregation group with the copy command.)
QoS                                        Packet priority marking, port priority, port rate limiting, priority trust mode, and so on.
STP                                        The enable/disable state of STP on the port, link attribute of the port (point-to-point or non-point-to-point), STP priority, path cost, transmission rate limit, enable/disable state of loop protection, enable/disable state of root protection, and whether the port is an edge port.
GARP                                       GVRP enable/disable status, and registration mode.
Basic port configuration                   Link type of the port, port rate, and duplex mode.

If a configuration setting fails to be copied, the system prints an error message.

Examples
# Copy the configuration of Ethernet 1/0/1 to Ethernet 1/0/2 and Ethernet 1/0/3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] copy configuration source Ethernet 1/0/1 destination Ethernet 1/0/2 Ethernet 1/0/3
Copying VLAN configuration...
Copying LACP configuration...
Copying QOS configuration...
Copying GARP configuration...
Copying STP configuration...
Copying speed/duplex configuration...

Any aggregation group port you input in the destination port list is removed from the list, and the copy command does not take effect on that port. If you want an aggregation group port to have the same configuration as the source port, specify the aggregation group of the port as the destination (with the destination-agg-id argument).

description

Syntax
description text
undo description

View
Ethernet port view

Parameters
text: Port description, a string of 1 to 80 characters.

Description
Use the description command to configure a description for the port.
Use the undo description command to remove the port description.
By default, no description is configured for a port.
You can use the display brief interface command to display the configured description.

Examples
# Set the description string home for the Ethernet 1/0/1 port.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] description home

display brief interface

Syntax
display brief interface [ interface-type [ interface-number ] ] [ | { begin | include | exclude } regular-expression ]

View
Any view

Parameters
interface-type: Port type.
interface-number: Port number.
|: Specifies that a regular expression is used to filter the configuration information entries to be displayed.
begin: Each entry must begin with the specified character string.
include: Each entry must include the specified character string.
exclude: Each entry must not include the specified character string.
regular-expression: Regular expression, a string of 1 to 256 characters. For details about regular expressions, refer to the Configuration File Management module in this manual.

Description
Use the display brief interface command to display the brief configuration information about one or all interfaces, including interface type, link state, link rate, duplex attribute, link type, default VLAN ID and description string.
Currently, for port types other than Ethernet ports, this command only displays the link state and shows "--" in all other configuration information fields.
Related commands: display interface.

Examples
# Display the brief configuration information about the Ethernet 1/0/1 port.
<Sysname> display brief interface Ethernet 1/0/1
Interface:
  Eth - Ethernet   Loop - LoopBack   GE - GigabitEthernet   TENGE - tenGigabitEthernet
  Vlan - Vlan-interface   Cas - Cascade
Speed/Duplex: A - auto-negotiation
Interface   Link   Speed   Duplex   Type     PVID   Description
-----------------------------------------------------------------------
Eth1/0/1    DOWN   A       A        hybrid   1      home

Table 1-2 Description on the fields of the display brief interface command

Field         Description
Interface     Port type
Link          Current link state: UP, DOWN or ADMINISTRATIVELY DOWN
Speed         Link rate
Duplex        Duplex attribute
Type          Link type: access, hybrid or trunk
PVID          Default VLAN ID
Description   Port description string

The state of an Ethernet port can be UP, DOWN, or ADMINISTRATIVELY DOWN. The following table shows the port state transitions.

Table 1-3 Port state transitions

Initial port state             State after executing the shutdown command   State after executing the undo shutdown command
Not connected to any cable:
  DOWN                         ADMINISTRATIVELY DOWN                        DOWN
  ADMINISTRATIVELY DOWN        ADMINISTRATIVELY DOWN                        DOWN
Connected to a cable:
  UP                           ADMINISTRATIVELY DOWN                        UP
  ADMINISTRATIVELY DOWN        ADMINISTRATIVELY DOWN                        UP

display interface

Syntax
display interface [ interface-type | interface-type interface-number ]

View
Any view

Parameters
interface-type: Port type.
interface-number: Port number.
For details about the arguments, refer to the parameter description of the interface command.

Description
Use the display interface command to display port configuration. When using this command:
- If you specify neither port type nor port number, the command displays information about all ports.
- If you specify only the port type, the command displays information about all ports of the specified type.
- If you specify both port type and port number, the command displays information about the specified port.

Examples
# Display the configuration information of Ethernet 1/0/1.
<Sysname> display interface Ethernet 1/0/1
Ethernet1/0/1 current state : DOWN
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 000f-e247-e58c
Media type is twisted pair, loopback not set
Port hardware type is 100_BASE_TX
Unknown-speed mode, unknown-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
Flow-control is not enabled
The Maximum Frame Length is 1536
Broadcast MAX-ratio: 100%
PVID: 1
Mdi type: auto
Port link-type: access
 Tagged   VLAN ID : none
 Untagged VLAN ID : 1
Last 300 seconds input:  0 packets/sec 0 bytes/sec
Last 300 seconds output: 0 packets/sec 0 bytes/sec
Input(total):  2 packets, 306 bytes
        0 broadcasts, 2 multicasts, 0 pauses
Input(normal):  2 packets, 306 bytes
        0 broadcasts, 2 multicasts, 0 pauses
Input:  0 input errors, 0 runts, 0 giants, 0 frame, - throttles, 0 CRC
        - overruns, 0 aborts, - ignored, - parity errors
Output(total): 3 packets, 430 bytes
        0 broadcasts, 3 multicasts, 0 pauses
Output(normal): 3 packets, - bytes
        0 broadcasts, 3 multicasts, - pauses
Output: 0 output errors, - underruns, - buffer failures
        0 aborts, 0 deferred, 0 collisions, 0 late collisions
        - lost carrier, - no carrier

Table 1-4 Description on the fields of the display interface command

Field                                       Description
Ethernet1/0/1 current state                 Current Ethernet port status: UP, DOWN or ADMINISTRATIVELY DOWN
IP Sending Frames' Format                   Ethernet frame format
Hardware address                            Port hardware address
Media type                                  Media type
Port hardware type                          Port hardware type
Unknown-speed mode, unknown-duplex mode     Current speed mode and duplex mode
Link speed type is autonegotiation,
link duplex type is autonegotiation         Link speed and duplex status (forced or auto-negotiation)
Flow-control is not enabled                 Status of flow control on the port
The Maximum Frame Length                    Maximum frame length allowed on the port
Broadcast MAX-ratio                         Broadcast suppression ratio on the port
PVID                                        Default VLAN ID of the port
Mdi type                                    Network cable type
Port link-type                              Port link type
Tagged VLAN ID                              VLANs whose packets are forwarded with tags on the port
Untagged VLAN ID                            VLANs whose packets are forwarded without tags on the port
Last 300 seconds input: 0 packets/sec 0 bytes/sec
Last 300 seconds output: 0 packets/sec 0 bytes/sec
                                            Average input and output rates (in pps and Bps) in the last 300 seconds
Input(total): 2 packets, 306 bytes          Count in packets and in bytes of total incoming traffic on the port, including incoming normal packets, abnormal packets, and normal PAUSE frames
0 broadcasts, 2 multicasts, 0 pauses        The number of incoming broadcast packets, incoming multicast packets, and incoming PAUSE frames on the port
Input(normal): 2 packets, 306 bytes         Count in packets and in bytes of incoming normal packets on the port, including incoming normal packets and normal PAUSE frames
0 broadcasts, 2 multicasts, 0 pauses        The number of normal incoming broadcast packets, normal incoming multicast packets, and normal incoming PAUSE frames on the port
input errors                                The total number of incoming error frames
runts                                       The number of incoming runt frames (a runt frame is shorter than 64 bytes but has a correct format and CRC field)
giants                                      The number of incoming giant frames (a giant frame is longer than 1518 bytes if untagged or 1522 bytes if tagged)
- throttles                                 The number of throttles that occurred on the port (a throttle occurs when a port is shut down due to buffer or memory overload)
CRC                                         The number of CRC error frames received with a correct length
frame                                       The number of incoming CRC error frames with a non-integer number of bytes
- overruns                                  The number of packets dropped because the receiving rate of the port exceeded the processing capability of the input queues
aborts                                      The total number of incoming illegal packets, including:
                                            - Fragments: CRC error frames shorter than 64 bytes (integer or non-integer length)
                                            - Jabber frames: CRC error frames longer than 1518 bytes if untagged or 1522 bytes if tagged (integer or non-integer length)
                                            - Symbol error frames: frames with at least one symbol error
                                            - Unknown operator frames: MAC control frames that are not PAUSE frames
                                            - Length error frames: frames whose actual length (46 to 1500 bytes) is inconsistent with the length field in the 802.3 header
- ignored                                   The number of packets dropped due to insufficient receive buffer on the port
- parity errors                             The number of incoming parity error frames
Output(total): 3 packets, 430 bytes         Count in packets and in bytes of total outgoing traffic on the port, including normal packets, abnormal packets, and normal PAUSE frames
0 broadcasts, 3 multicasts, 0 pauses        The number of outgoing broadcast packets, outgoing multicast packets, and outgoing PAUSE frames on the port
Output(normal): 3 packets, - bytes          Count in packets and in bytes of outgoing normal packets on the port, including outgoing normal packets and normal PAUSE frames
0 broadcasts, 3 multicasts, - pauses        The number of normal outgoing broadcast packets, normal outgoing multicast packets, and normal outgoing PAUSE frames on the port
output errors                               The total number of outgoing error frames
- underruns                                 The number of packets dropped because the transmitting rate of the port exceeded the processing capacity of the output queue, which is a rare hardware error
- buffer failures                           The number of packets dropped due to insufficient transmit buffer on the port
aborts                                      The number of transmission failures due to various reasons, such as collisions
deferred                                    The number of first transmission attempts delayed because of detected collisions
collisions                                  The number of detected collisions (transmission of a frame is aborted upon detection of a collision)
late collisions                             The number of detected late collisions (a late collision occurs if a collision is detected after the first 512 bits of a frame have been transmitted)
- lost carrier                              The lost carrier counter, applicable to serial WAN interfaces; it increases by 1 upon each carrier loss detected during frame transmission
- no carrier                                The no carrier counter, applicable to serial WAN interfaces; it increases by 1 upon each carrier detection failure for frame transmission

A hyphen (-) indicates that the statistical item is not supported.

display link-delay

Syntax
display link-delay

View
Any view

Parameters
None

Description
Use the display link-delay command to display the information about the ports with the link-delay command configured, including the port name and the configured delay.
Related commands: link-delay.

Examples
# Display the information about the ports with the link-delay command configured.
<Sysname> display link-delay
Interface               Time Delay
=====================   ==============
Ethernet1/0/5           8

display loopback-detection

Syntax
display loopback-detection

View
Any view

Parameters
None

Description
Use the display loopback-detection command to display the loopback detection status on the port. If loopback detection is enabled, this information is also displayed: the time interval for loopback detection and the loopback ports.

Examples
# Display the loopback detection status on the port.
<Sysname> display loopback-detection
Port Ethernet1/0/1 loopback-detection is running
system Loopback-detection is running
Detection interval time is 30 seconds
There is no port existing loopback link

Table 1-5 Description on the fields of the display loopback-detection command

Field                                              Description
Port Ethernet1/0/1 loopback-detection is running   Loopback detection is enabled on Ethernet 1/0/1.
system Loopback-detection is running               Loopback detection is enabled globally.
Detection interval time is 30 seconds Time interval for loopback detection is 30 seconds. There is no port existing loopback link No loopback port exists. display port combo Syntax display port combo View Any view Parameters None Description Use the display port combo command to display the Combo ports of a device and the corresponding optical ports and electrical ports. Examples # Display the Combo ports of the device and the corresponding optical ports and electrical ports. <Sysname> display port combo Combo-group Active Inactive 1 GigabitEthernet1/0/17 GigabitEthernet1/0/19 2 GigabitEthernet1/0/18 GigabitEthernet1/0/20 1-11 Table 1-6 display port combo command output description Field Description Combo-group Combo ports of the device, represented by Combo port number, which is generated by the system. Active Ports of the Combo ports that are active Inactive Ports of the Combo ports that are inactive As for the optical port and the electrical port of a Combo port, the one with the smaller port number is active by default. You can determine whether a port is an optical port or an electrical port by checking the “Media type is” field of the display interface command. display storm-constrain Syntax display storm-constrain [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] View Any view Parameters interface-type: Port type. interface-number: Port number. |: Uses a regular expression to filter the output configuration information. begin: Displays the configurations that begin with the string specified by regular-expression. exclude: Displays the configurations that do not contain the string specified by regular-expression. include: Displays the configurations that contain the string specified by regular-expression. regular-expression: Regular expression. Description Use the display storm-constrain command to display the storm control configurations. Examples # Display the storm control configurations. 
<Sysname> display storm-constrain Abbreviation: BC - broadcast; MC - multicast; UC - unicast Flow Statistic Interval: 10(second) PortName Type LowerLimit UpperLimit CtrMode Status Trap Log SwiNum Unit ------------------------------------------------------------------------------ Table 1-7 Description on the fields of the display storm-constrain command Field Flow Statistic Interval Description Interval to collect traffic statistics. 1-12 Field Description PortName Name of an Ethernet port Type Traffic type, which can be multicast, and broadcast LowerLimit Lower threshold of traffic received on the port UpperLimit Upper threshold of traffic received on the port CtrMode Control action to be taken when the broadcast/multicast/unicast traffic exceeds the upper threshold, which can be block or shutdown. Status Current status of the port, which can be normal or control. Trap Log SwiNum on: trap information is output when a type of traffic received on the port exceeds the upper threshold or falls below the lower threshold. off: trap information is not output when a type of traffic received on the port exceeds the upper threshold or falls below the lower threshold. on: log information is output when traffic received on the port exceeds the upper threshold or falls below the lower threshold off: log information is not output when traffic received on the port exceeds the upper threshold or falls below the lower threshold Number of port state switchover display unit Syntax display unit unit-id interface View Any view Parameters unit-id: Unit ID, in the range of 1 to 8. Description Use the display unit command to display information about the ports on a specified unit. Examples # Display information about the ports on unit 1. 
<Sysname> display unit 1 interface Aux1/0/0 Description : Aux Interface Ethernet1/0/1 current state : DOWN IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 000f-e247-e58c Media type is twisted pair, loopback not set Port hardware type is 100_BASE_TX Unknown-speed mode, unknown-duplex mode Link speed type is autonegotiation, link duplex type is autonegotiation Flow-control is not enabled The Maximum Frame Length is 1536 1-13 Broadcast MAX-ratio: 100% PVID: 1 Mdi type: auto Port link-type: access Tagged VLAN ID : none Untagged VLAN ID : 1 Last 300 seconds input: Last 300 seconds output: Input(total): 0 packets/sec 0 bytes/sec 0 packets/sec 0 bytes/sec 2 packets, 306 bytes 0 broadcasts, 2 multicasts, 0 pauses Input(normal): 2 packets, 306 bytes 0 broadcasts, 2 multicasts, 0 pauses Input: 0 input errors, 0 runts, 0 giants, 0 frame, - throttles, 0 CRC - overruns, 0 aborts, - ignored, - parity errors Output(total): 3 packets, 430 bytes 0 broadcasts, 3 multicasts, 0 pauses Output(normal): 3 packets, - bytes 0 broadcasts, 3 multicasts, - pauses Output: 0 output errors, - underruns, - buffer failures 0 aborts, 0 deferred, 0 collisions, 0 late collisions - lost carrier, - no carrier (The following displayed information is omitted) Table 1-8 Description on the fields of the display unit command Field Description Aux1/0/0 The description string of the AUX port is Aux Interface. Description : Aux Interface For the description of other fields, refer to Table 1-4. duplex Syntax duplex { auto | full | half } undo duplex View Ethernet port view Parameters auto: Sets the port to auto-negotiation mode. full: Sets the port to full duplex mode. half: Sets the port to half duplex mode. Description Use the duplex command to set the duplex mode of the current port. 1-14 Use the undo duplex command to restore the default duplex mode, that is, auto-negotiation. By default, the port is in auto-negotiation mode. Related commands: speed. 
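The display interface and display unit output above (see Table 1-4) is what an operator has to read to spot a failing link or a duplex mismatch: CRC errors, runts, giants and late collisions that keep growing between two snapshots. The following added example (not part of the 3Com guide, written here for illustration) parses that output layout with a small Python script, treats a hyphen as an unsupported counter, and reports every error counter that is non-zero, or that grew since an earlier snapshot. The sample output and its counter values are constructed; a counter that is lower than in the previous snapshot is taken to mean the counters were cleared (for example by reset counters interface), so the current value is reported as the growth.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of this guide's "display interface" output.
# The counter values are made up; a "-" means the item is not supported on the port.
SAMPLE_OUTPUT = """\
Ethernet1/0/1 current state : UP
Port link-type: access
Last 300 seconds input:  0 packets/sec 0 bytes/sec
Last 300 seconds output: 0 packets/sec 0 bytes/sec
Input(total):  2 packets, 306 bytes
        0 broadcasts, 2 multicasts, 0 pauses
Input:  12 input errors, 3 runts, 0 giants, 0 frame, - throttles, 9 CRC
        - overruns, 0 aborts, - ignored, - parity errors
Output(total): 3 packets, 430 bytes
        0 broadcasts, 3 multicasts, 0 pauses
Output: 0 output errors, - underruns, - buffer failures
        0 aborts, 0 deferred, 0 collisions, 1 late collisions
        - lost carrier, - no carrier
"""

# One "<value> <label>" item of the Input:/Output: error lines; "-" marks an unsupported counter.
COUNTER_RE = re.compile(r"(-|\d+)\s+([A-Za-z][A-Za-z ]*?)\s*(?=,|$)")

# Counters whose growth points at a bad link, a duplex mismatch or faulty cabling/hardware
# (field meanings as given in Table 1-4).
ERROR_COUNTERS = {
    "input": ("input errors", "runts", "giants", "frame", "CRC", "aborts"),
    "output": ("output errors", "aborts", "late collisions"),
}


@dataclass
class InterfaceStats:
    name: str
    state: str
    counters: Dict[str, Dict[str, Optional[int]]] = field(default_factory=dict)


def parse_interface(text: str) -> InterfaceStats:
    """Extract the port name, its state and the Input:/Output: error counters."""
    name = state = ""
    counters: Dict[str, Dict[str, Optional[int]]] = {"input": {}, "output": {}}
    section = None  # error block ("input"/"output") the current line belongs to
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^\s*(\S+) current state : (\S+)", line)
        if m:
            name, state = m.group(1), m.group(2)
            continue
        # "Input:" / "Output:" only; "Input(total):" and "Input(normal):" do not match
        m = re.match(r"^\s*(Input|Output):\s*(.*)$", line)
        if m:
            section, body = m.group(1).lower(), m.group(2)
        elif section and line[:1].isspace():
            body = line.strip()  # indented continuation of the same error block
        else:
            section = None
            continue
        for value, label in COUNTER_RE.findall(body):
            counters[section][label.strip()] = None if value == "-" else int(value)
    return InterfaceStats(name, state, counters)


def error_findings(current: InterfaceStats,
                   previous: Optional[InterfaceStats] = None) -> List[str]:
    """Return "section/counter=n" for each error counter that is non-zero or, when a
    previous snapshot is given, that grew since that snapshot."""
    findings: List[str] = []
    for section, names in ERROR_COUNTERS.items():
        for counter in names:
            value = current.counters.get(section, {}).get(counter)
            if value is None:
                continue  # "-": not supported on this port
            if previous is not None:
                old = previous.counters.get(section, {}).get(counter) or 0
                # a drop below the old value means the counters were cleared in between
                value = value - old if value >= old else value
            if value > 0:
                findings.append(f"{section}/{counter}={value}")
    return findings


if __name__ == "__main__":
    stats = parse_interface(SAMPLE_OUTPUT)
    print(stats.name, stats.state, error_findings(stats))
```

Run it against the saved output of display interface taken at two points in time (the flow-interval command sets how long the averaged rate lines cover, but the absolute error counters only reset with reset counters interface), and alert when the second call reports growth.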
Examples # Set the Ethernet 1/0/1 port to auto-negotiation mode. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] duplex auto enable log updown Syntax enable log updown undo enable log updown View Ethernet port view Parameters None Description Use the enable log updown command to enable Up/Down log information output. Use the undo log enable updown command to disable Up/Down log information output. By default, a port is allowed to output Up/Down log information. Examples # By default, a port is allowed to output the Up/Down log information. Execute the shutdown command or the undo shutdown command on Ethernet 1/0/1, and the system outputs Up/Down log information of Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] shutdown [Sysname-Ethernet1/0/1] %Apr 5 07:25:37:634 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/1 is DOWN [Sysname-Ethernet1/0/1] undo shutdown [Sysname-Ethernet1/0/1] %Apr 5 07:25:56:244 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/1 is UP 1-15 # Disable Ethernet 1/0/1 from outputting Up/Down log information and execute the shutdown command or the undo shutdown command on Ethernet 1/0/1. No Up/Down log information is output for Ethernet 1/0/1. [Sysname-Ethernet1/0/1] undo enable log updown [Sysname-Ethernet1/0/1] shutdown [Sysname-Ethernet1/0/1] undo shutdown flow-control Syntax flow-control undo flow-control View Ethernet port view Parameters None Description Use the flow-control command to enable flow control on the current Ethernet port. Use the undo flow-control command to disable flow control on the port. Suppose flow control is enabled on both the local and peer switches. 
When congestion occurs on the local switch, z the local switch sends a message to notify the peer switch of stopping sending packets to itself temporarily, z the peer switch will stop sending packets to the local switch temporarily when it receives the message; and vice versa. By this way, packet loss is avoided and the network service operates normally. By default, flow control is disabled on a port. Examples # Enable flow control on the Ethernet1/0/1 port. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] flow-control flow interval Syntax flow-interval interval undo flow-interval 1-16 View Ethernet port view Parameters Interval: Interval (in seconds) to perform statistics on port information. This argument ranges from 5 to 300 (in step of 5) and is 300 by default. Description Use the flow-interval command to set the interval to perform statistics on port information. Use the undo flow-interval command to restore the default interval. By default, this interval is 300 seconds. When you use the display interface interface-type interface-number command to display the information of a port, the system performs statistical analysis on the traffic flow passing through the port during the specified interval and displays the average rates in the interval. For example, if you set the interval to 100 seconds, the displayed information is as follows: Last 100 seconds input: Last 100 seconds output: 0 packets/sec 0 bytes/sec 0 packets/sec 0 bytes/sec Related commands: display interface. Examples # Set the interval to perform statistics on the Ethernet 1/0/1 port to 100 seconds. <Sysname> system-view System View: return to User View with Ctrl+Z. 
[Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] flow-interval 100 interface Syntax interface interface-type interface-number View System view Parameters interface-type: Port type, which can be Aux, Ethernet, GigabitEthernet, LoopBack, NULL or VLAN-interface. interface-number: Port number, in the format of Unit ID/slot number/port number, where: Unit ID is in the range of 1 to 8; The port number is relevant to the device. Description Use the interface command to enter specific port view. To configure an Ethernet port, you need to enter Ethernet port view first. 1-17 Examples # Enter Ethernet 1/0/1 port view. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] link-delay Syntax link-delay delay-time undo link-delay View Ethernet port view Parameters delay-time: Port state change delay to be set. This argument is in the range 2 to 10 (in seconds). Description Use the link-delay command to set the port state change delay. Use the undo link-delay command to restore the default. By default, the port state change delay is 0 seconds, that is, the port state changes without any delay. During a short period after you connect your switch to another device, the connecting port may go up and down frequently due to hardware compatibility, resulting in service interruption. To avoid situations like this, you may set a port state change delay. The port state change delay takes effect when the port goes down but not when the port goes up. Examples # Set the port state change delay of Ethernet 1/0/5 to 8 seconds. <Sysname> system-view Enter system view, return to user view with Ctrl+Z. [Sysname] interface Ethernet1/0/5 [Sysname-Ethernet1/0/5] link-delay 8 loopback Syntax loopback { external | internal } 1-18 View Ethernet port view Parameters external: Performs external loop test. In the external loop test, self-loop headers must be used on the port of the switch. 
The external loop test can locate the hardware failures on the port. For 100M port, the self-loop headers are made from four cores of the 8-core cables, for 1000M port, the self-loop headers are made from eight cores of the 8-core cables, and the packets forwarded by the port will be received by itself. internal: Performs internal loop test. In the internal loop test, self loop is established in the switching chip to locate the chip failure which is related to the port. Description Use the loopback command to perform a loopback test on the current Ethernet port to check whether the Ethernet port works normally. The loopback test terminates automatically after running for a specific period. By default, no loopback test is performed on the Ethernet port. Examples # Perform an internal loop test on Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] loopback internal Loopback internal succeeded. loopback-detection control enable Syntax loopback-detection control enable undo loopback-detection control enable View Ethernet port view Parameters None 1-19 Description Use the loopback-detection control enable command to enable the loopback detection control feature on the current trunk or hybrid port. Use the undo loopback-detection control enable command to disable the loopback detection control feature on the trunk or hybrid port. This function needs to be used in conjunction with the loopback detection function. For details, refer to the loopback-detection enable command. When a loopback is detected in a VLAN on a trunk or hybrid port, you can use this function to control the working status of the port. z If this feature is enabled on the trunk or hybrid port, when loopback is found on the port, the system sets the port to the block state (where the port cannot forward data packets), sends log messages to the terminal, and removes the corresponding MAC forwarding entry. 
After the loop is removed, the port automatically resumes the normal forwarding state. z If this feature is disabled on the trunk or hybrid port, when loopback is found on the port, the system merely reports a Trap message, and the port still works normally. By default, the loopback detection control feature is disabled on the trunk or hybrid port. Note that, this command is not applicable to access ports. When the link type of a non-access port changes to access, the loopback-detection control enable command already configured on the port becomes invalid automatically. Related commands: loopback-detection enable. Examples # Enable the loopback detection control feature on Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] port link-type trunk [Sysname-Ethernet1/0/1] loopback-detection control enable loopback-detection enable Syntax loopback-detection enable undo loopback-detection enable View System view or Ethernet port view Parameters None Description Use the loopback-detection enable command to enable the loopback detection feature on ports to detect whether external loopback occurs on a port. Use the undo loopback-detection enable command to disable the loopback detection feature on port. 1-20 1) If a loop is found on an access port, the system sets the port to the block state (where the port cannot forward data packets), sends log messages to the terminal, and removes the corresponding MAC forwarding entry. z If you have also enabled the loopback port auto-shutdown function on the port, the system shuts down the port, and sends log messages to the terminal. After the loop is removed, you need to use the undo shutdown command to bring up the port. z If you have not enabled the loopback port auto-shutdown function on the port, the port automatically resumes the normal forwarding state after the loop is removed. 
2) If a loop is found on a trunk or hybrid port, the system merely sends log messages to the terminal but does not set the port to the block state or remove the corresponding MAC forwarding entry. You can also further control the loopback port by enabling one of the following function on it (note that, the following two functions are mutually exclusive, and the latest function configured takes effect): z Enable the loopback port control function on the port: the system sets the port to the block state (where the port cannot forward data packets), sends log messages to the terminal, and removes the corresponding MAC forwarding entry. After the loop is removed, the port automatically resumes the normal forwarding state. z Enable the loopback port auto-shutdown function on the port: the system shuts down the port and sends log messages to the terminal. After the loop is removed, the port does not automatically resume the normal forwarding state. Instead, you need to use the undo shutdown command to bring up the port. The loopback detection function on a specific port can take effect only after you enable the loopback detection function globally (in system view) and on the port (in the specified port view). By default, the global loopback detection function is enabled if the device boots with the default configuration file (config.def); By default, this function is disabled. if the device boots with null configuration, Related command: loopback-detection control enable, loopback-detection shutdown enable Examples # Enable the loopback detection feature on Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. 
[Sysname] loopback-detection enable [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] loopback-detection enable loopback-detection interface-list enable Syntax loopback-detection interface-list enable 1-21 undo loopback-detection interface-list enable View System view Parameter interface-list: Ethernet port list, in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where z interface-type is the port type, and interface-number is the port number. z Keyword to is used to specify a range of ports. The port number after to must be equal to or greater z &<1-10> means that you can specify up to 10 ports or port ranges. than that before to. Description Use the loopback-detection interface-list enable command to enable the loopback detection function on a range of ports. Use the undo loopback-detection interface-list enable command to disable the loopback detection function on a range of ports. z By default, the loopback detection function is enabled on ports if the device boots with the default configuration file (config.def); z if the device boots with null configuration, this function is disabled. Example # Enable the loopback detection function on ports Ethernet 1/0/1 through Ethernet 1/0/4. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] loopback-detection enable [Sysname] loopback-detection Ethernet 1/0/1 to Ethernet 1/0/4 enable loopback-detection interval-time Syntax loopback-detection interval-time time undo loopback-detection interval-time View System view Parameters time: Time interval for loopback detection, in the range of 5 to 300 (in seconds). It is 30 seconds by default. Description Use the loopback-detection interval-time command to set time interval for loopback detection. Use the undo loopback-detection interval-time command to restore the default time interval. 1-22 Examples # Set time interval for loopback detection to 10 seconds. 
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] loopback-detection interval-time 10 loopback-detection per-vlan enable Syntax loopback-detection per-vlan enable undo loopback-detection per-vlan enable View Ethernet port view Parameters None Description Use the loopback-detection per-vlan enable command to configure the system to run loopback detection on all VLANs of the current trunk or hybrid port. Use the undo loopback-detection per-vlan enable command to restore the default setting. By default, the system runs loopback detection only on the default VLAN of the trunk or hybrid port. Note that, this command is not applicable to access ports. When the link type of a non-access port changes to access, the loopback-detection per-vlan enable command already configured on the port becomes invalid automatically. Examples # Configure the system to run loopback detection on all VLANs of the trunk port Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] port link-type trunk [Sysname-Ethernet1/0/1] loopback-detection per-vlan enable loopback-detection shutdown enable Syntax loopback-detection shutdown enable undo loopback-detection shutdown enable View Ethernet port view 1-23 Parameter None Description Use the loopback-detection shutdown enable command to enable the loopback port auto-shutdown function. Use the undo loopback-detection shutdown enable command to disable the function. The loopback port auto-shutdown function works in conjunction with the loopback detection function (refer to loopback-detection enable). If a loop is found at a port: z With the function enabled on the port, the system will shut down the port, and send log messages to the terminal. After the loop is removed, you need to use the undo shutdown command to bring up the port. 
z With the function disabled on the port, the system will only send log messages to the terminal, and the port is still in the normal forwarding state. By default, the loopback port auto-shutdown function is enabled on ports if the device boots with the default configuration file (config.def); if the device boots with null configuration, this function is disabled. Related command: loopback-detection enable; loopback-detection control enable. You cannot enable both the loopback port control function (with the loopback-detection control enable command) and the loopback port auto-shutdown function on a port. If you do so, the function configured later will take effect. Example # Enable the loopback port auto-shutdown function on port Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] loopback-detection enable [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] loopback-detection shutdown enable mdi Syntax mdi { across | auto | normal } undo mdi View Ethernet port view 1-24 Parameters across: Sets the MDI mode to medium dependent interface (MDI). normal: Sets the MDI mode to media dependent interface-X mode (MDI-X). auto: Sets the MDI mode to auto-sensing. Port operating in this mode adjust its MDI mode between MDI and MDI-X automatically. z An RJ-45 interface can operate in MDI or MDI-X mode. z To connect two RJ-45 interfaces operating in the same MDI mode, use a crossover cable; to connect two RJ-45 interfaces operating in different MDI modes, use a straight-through cable. z The MDI mode of an optical port is fixed to auto. Description Use the mdi command to set the MDI mode for a port. Use the undo mdi command to restore the default setting. By default, a port operates in auto-sensing MDI mode. Examples # Set the MDI mode of Ethernet 1/0/1 to MDI. <Sysname> system-view System View: return to User View with Ctrl+Z. 
[Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] mdi across multicast-suppression Syntax multicast-suppression bps max-bps undo multicast-suppression View Ethernet port view Parameters max-bps: Maximum number (in Kbps) of multicast traffic that can be received per second on an Ethernet port (in step of 64). z For a 100Mbps Ethernet port, the max-bps argument is in the range 64 to 99,968. z For a GigabitEthernet port, the max-bps argument is in the range 64 to 1,000,000. 1-25 Description Use the multicast-suppression command to limit multicast traffic allowed to be received on the current port. Use the undo multicast-suppression command to restore the default multicast suppression setting on the current port. When incoming multicast traffic on the port exceeds the multicast traffic threshold you set, the system drops the packets exceeding the threshold to reduce the multicast traffic ratio to the reasonable range, so as to keep normal network service. By default, the switch does not suppress multicast traffic. Examples # Set the maximum number of multicast traffic that can be received per second by Ethernet 1/0/2 to 128Kbps. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet1/0/2 [Sysname-Ethernet1/0/2] multicast-suppression bps 128 reset counters interface Syntax reset counters interface [ interface-type | interface-type interface-number ] View User view Parameters interface-type: Port type. interface-number: Port number. For details about the parameters, see the parameter description of the interface command. Description Use the reset counters interface command to clear the statistics of the port, preparing for a new statistics collection. If you specify neither port type nor port number, the command clears statistics of all ports. If specify only port type, the command clears statistics of all ports of this type. If specify both port type and port number, the command clears statistics of the specified port. 
Note that the statistics of the 802.1x-enabled ports cannot be cleared. Examples # Clear the statistics of Ethernet 1/0/1. <Sysname> reset counters interface Ethernet 1/0/1 1-26 shutdown Syntax shutdown undo shutdown View Ethernet port view Parameters None Description Use the shutdown command to shut down an Ethernet port. Use the undo shutdown command to bring up an Ethernet port. By default, an Ethernet port is in up state. Examples # Shut down Ethernet 1/0/1 and then bring it up. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] shutdown #Apr 13 23:13:53:600 2000 Sysname L2INF/2/PORT LINK STATUS CHANGE:- 1 Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227650, ifAdminStatus is 2, ifOperStatus is 2 %Apr 13 23:13:53:807 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 Ethernet1/0/4 is DOWN %Apr 13 23:13:53:927 2000 Sysname L2INF/5/VLANIF LINK STATUS CHANGE:- 1 Vlan-interface3 is DOWN %Apr 13 23:13:54:057 2000 Sysname IFNET/5/UPDOWN:- 1 -Line protocol on the interface Vlan-interface3 is DOWN # Enable Ethernet 1/0/1. [Sysname-Ethernet1/0/1] undo shutdown #Apr 13 23:14:54:454 2000 Sysname L2INF/2/PORT LINK STATUS CHANGE:- 1 Trap 1.3.6.1.6.3.1.1.5.4(linkUp): portIndex is 4227650, ifAdminStatus is 1, ifOperStatus is 1 %Apr 13 23:14:54:657 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 Ethernet1/0/4 is UP %Apr 13 23:14:54:777 2000 Sysname L2INF/5/VLANIF LINK STATUS CHANGE:- 1 - 1-27 Vlan-interface3 is UP %Apr 13 23:14:54:897 2000 Sysname IFNET/5/UPDOWN:- 1 -Line protocol on the interface Vlan-interface3 is UP speed Syntax speed { 10 | 100 | 1000 | auto } undo speed View Ethernet port view Parameters 10: Specifies the port speed to 10 Mbps. 100: Specifies the port speed to 100 Mbps. 1000: Specifies the port speed to 1,000 Mbps (only available to GigabitEthernet ports). auto: Specifies the port speed to the auto-negotiation mode. Description Use the speed command to set the port speed. 
Use the undo speed command to restore the port speed to the default setting. By default, the port speed is in the auto-negotiation mode. Note that you can only specify the 1000 and auto keyword for Gigabit Ethernet ports. Related commands: duplex. Examples # Set the speed of Ethernet 1/0/1 to 10 Mbps. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] speed 10 speed auto Syntax speed auto [ 10 | 100 | 1000 ]* 1-28 View Ethernet port view Parameters 10: Configures 10 Mbps as an auto-negotiation speed of the port. 100: Configures 100 Mbps as an auto-negotiation speed of the port. 1000: Configures 1,000 Mbps as an auto-negotiation speed of the port. Description Use the speed auto [ 10 | 100 | 1000 ]* command to configure auto-negotiation speed(s) for the current port. By default, the port speed is auto-negotiated. The last configuration will take effect if you configure the command for multiple times. Examples # Configure 10 Mbps and 100 Mbps as the auto-negotiation speeds of Ethernet 1/0/1. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] speed auto 10 100 storm-constrain Syntax storm-constrain { broadcast | multicast } max-packets min-packets { pps | kbps } undo storm-constrain { all | broadcast | multicast } View Ethernet port view Parameters broadcast: Specifies to control broadcast traffic on the port. multicast: Specifies to control multicast traffic on the port. all: Cancels all the storm control threshold configurations on the port. pps: Specifies the storm constrain threshold in packets. kbps: Specifies the storm constrain threshold in kilobits per second (kbps). max-packets: Upper threshold of the traffic on the port, in pps, or kbps. It ranges from 1 to 4,294,967,295 and must be greater than or equal to the lower threshold. min-packets: Lower threshold of the traffic on the port, in pps, or kbps. 
  It ranges from 1 to 4,294,967,295 and must be less than or equal to the upper threshold.

Description
  Use the storm-constrain command to set the upper and lower thresholds for the broadcast/multicast traffic received on the port.
  Use the undo storm-constrain command to cancel the threshold configuration.
  • With upper and lower traffic thresholds specified on a port, the system periodically collects statistics about the broadcast/multicast traffic on the port. Once it finds that a type of traffic exceeds the specified upper threshold, it blocks that type of traffic on the port or shuts down the port, and outputs trap/log information, according to your configuration.
  • When a type of traffic on the port falls back to the specified lower threshold, the system cancels the blocking of that type of traffic on the port or brings up the port to restore traffic forwarding, and outputs log/trap information according to your configuration.
  Related commands: display storm-constrain, storm-constrain control, storm-constrain enable.

Examples
  # Set the upper and lower thresholds of broadcast traffic on Ethernet 1/0/1 to 100 pps and 10 pps respectively.
  <Sysname> system-view
  System View: return to User View with Ctrl+Z.
  [Sysname] interface Ethernet 1/0/1
  [Sysname-Ethernet1/0/1] storm-constrain broadcast 100 10 pps

storm-constrain control

Syntax
  storm-constrain control { block | shutdown }
  undo storm-constrain control

View
  Ethernet port view

Parameters
  block: Blocks, and stops forwarding, the types of traffic that exceed their upper thresholds.
  shutdown: Shuts down the port if the broadcast/multicast traffic exceeds the upper threshold, so that the port stops receiving and forwarding all types of traffic.

Description
  Use the storm-constrain control command to set the action to take when the broadcast/multicast traffic on the port exceeds the upper threshold.
  Use the undo storm-constrain control command to cancel the configured action.
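The threshold behaviour of storm-constrain together with the block/shutdown action of storm-constrain control, modelled in Python as an added example. This is not switch code; the manual does not describe the firmware's internals. The model assumes that the rate measured over each statistics interval is compared with the thresholds, that a port whose traffic exceeded the upper threshold is released only when the rate falls back to or below the lower threshold, and that a crossing produces log/trap output once even when no control action is configured. The per-interval rates are constructed. The main block also shows why the gap between the two thresholds matters: with upper 100 and lower 50 the port changes state once over the sample, with upper and lower both 100 it flaps on every interval.

```python
"""Model of the storm-constrain threshold logic documented for the
Switch 4210. Added example; not the switch's firmware, whose internals
the manual does not describe.

Assumptions not stated on the page: the rate measured over each
statistics interval is compared with the thresholds; a port whose traffic
has exceeded the upper threshold is released only when the rate falls back
to or below the lower threshold; with no control action configured the
state still follows the thresholds, so log/trap output appears once per
crossing rather than once per interval. Sample rates are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class StormConstrain:
    """Settings from storm-constrain, storm-constrain control and
    storm-constrain enable for one traffic type on one port."""
    upper: int                      # max-packets (pps or kbps)
    lower: int                      # min-packets (same unit)
    action: Optional[str] = None    # None = no action, "block" or "shutdown"
    traffic_type: str = "broadcast"
    log: bool = True                # storm-constrain enable log
    trap: bool = True               # storm-constrain enable trap

    def __post_init__(self) -> None:
        # Ranges and ordering exactly as the command reference states them.
        if not 1 <= self.lower <= self.upper <= 4_294_967_295:
            raise ValueError("need 1 <= min-packets <= max-packets <= 4294967295")
        if self.action not in (None, "block", "shutdown"):
            raise ValueError("action must be None, 'block' or 'shutdown'")


@dataclass
class PortState:
    exceeded: bool = False     # traffic is above the upper threshold
    blocked: bool = False      # this traffic type is dropped (block action)
    shut_down: bool = False    # the whole port is down (shutdown action)
    crossings: int = 0         # threshold crossings seen so far
    events: List[str] = field(default_factory=list)


def _notify(cfg: StormConstrain, state: PortState, n: int, msg: str) -> None:
    """Record the log/trap output that storm-constrain enable turns on."""
    if cfg.log:
        state.events.append(f"log interval={n}: {msg}")
    if cfg.trap:
        state.events.append(f"trap interval={n}: {msg}")


def run_interval(cfg: StormConstrain, state: PortState, rate: int, n: int) -> PortState:
    """Apply the rate measured in statistics interval n to the port state."""
    if not state.exceeded and rate > cfg.upper:
        state.exceeded = True
        state.blocked = cfg.action == "block"
        state.shut_down = cfg.action == "shutdown"
        state.crossings += 1
        _notify(cfg, state, n, f"{cfg.traffic_type} {rate} exceeds upper threshold "
                               f"{cfg.upper}, action {cfg.action or 'none'}")
    elif state.exceeded and rate <= cfg.lower:
        state.exceeded = state.blocked = state.shut_down = False
        state.crossings += 1
        _notify(cfg, state, n, f"{cfg.traffic_type} {rate} fell back to lower threshold "
                               f"{cfg.lower}, forwarding restored")
    return state


def simulate(cfg: StormConstrain, rates: List[int]) -> PortState:
    """Feed one measured rate per interval and return the final state."""
    state = PortState()
    for n, rate in enumerate(rates, start=1):
        run_interval(cfg, state, rate, n)
    return state


def transitions(cfg: StormConstrain, rates: List[int]) -> int:
    """Number of threshold crossings (block/unblock or down/up) over the samples."""
    return simulate(cfg, rates).crossings


if __name__ == "__main__":
    samples = [150, 90, 150, 90]      # constructed broadcast rates, one per interval
    hysteresis = StormConstrain(upper=100, lower=50, action="block")
    equal = StormConstrain(upper=100, lower=100, action="block")
    print("upper 100 / lower 50 :", transitions(hysteresis, samples), "transition(s)")
    print("upper 100 / lower 100:", transitions(equal, samples), "transition(s)")
    for event in simulate(hysteresis, samples).events:
        print(event)
```

With the page's own values (upper 100 pps, lower 10 pps, shutdown action) the model keeps the port down through intervals where the rate is between 10 and 100 pps and brings it back only when the rate drops to 10 pps or less, which is the hysteresis the two-threshold design is there to provide.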
  By default, no action is taken.
  • If the broadcast-suppression or multicast-suppression command is configured on a port, you cannot configure the storm control function on that port, and vice versa.
  • Setting the upper and lower traffic thresholds to the same value is not recommended.
  • The system can take one of two actions when the broadcast/multicast traffic received on a port exceeds the upper threshold: block or shutdown. The block action blocks only the types of traffic that exceed their upper thresholds, not all types of traffic; a blocked type of traffic is still counted by the system and included in the traffic statistics. The shutdown action automatically shuts down the port when a type of traffic on the port exceeds the upper threshold. To bring the port up again, execute the undo shutdown command or the undo storm-constrain { all | broadcast | multicast } command.
  Related commands: display storm-constrain, storm-constrain.

Examples
  # Set the control action on Ethernet 1/0/1 to block.
  <Sysname> system-view
  System View: return to User View with Ctrl+Z.
  [Sysname] interface Ethernet 1/0/1
  [Sysname-Ethernet1/0/1] storm-constrain control block

storm-constrain enable

Syntax
  storm-constrain enable { log | trap }
  undo storm-constrain enable

View
  Ethernet port view

Parameters
  log: Enables log output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
  trap: Enables trap output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.

Description
  Use the storm-constrain enable command to enable log/trap output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
  Use the undo storm-constrain enable command to disable log/trap output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
  By default, log/trap information is output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
  Related commands: display storm-constrain, storm-constrain.

Examples
  # Disable log output when traffic received on Ethernet 1/0/1 exceeds the upper threshold or falls below the lower threshold.
  <Sysname> system-view
  System View: return to User View with Ctrl+Z.
  [Sysname] interface Ethernet 1/0/1
  [Sysname-Ethernet1/0/1] undo storm-constrain enable log

storm-constrain interval

Syntax
  storm-constrain interval interval-value
  undo storm-constrain interval

View
  System view

Parameters
  interval-value: Interval at which traffic statistics are collected, in seconds, in the range of 1 to 300.

Description
  Use the storm-constrain interval command to set the interval at which traffic statistics are collected.
  Use the undo storm-constrain interval command to restore the default setting.
  By default, the interval is 10 seconds.
  Related commands: display storm-constrain, storm-constrain.

Examples
  # Set the traffic statistics collection interval to 2 seconds.
  <Sysname> system-view
  System View: return to User View with Ctrl+Z.
  [Sysname] storm-constrain interval 2

virtual-cable-test

Syntax
  virtual-cable-test

View
  Ethernet port view

Parameters
  None

Description
  Use the virtual-cable-test command to test the cable connected to the current port and display the results. The system can test the following attributes of the cable:
  • Cable status, including normal, abnormal, abnormal-open, abnormal-short and failure
  • Cable length
    - If the cable is in the normal state, the displayed length is the total length of the cable.
    - If the cable is in any other state, the displayed length is the distance from the port to the faulty point.
  • Pair impedance mismatch
  • Pair skew
  • Pair swap
  • Pair polarity
  • Insertion loss
  • Return loss
  • Near-end crosstalk
  By default, the system does not test the cable connected to the Ethernet port.
  Currently, the device can test only the cable status and cable length. For the test items that are not currently supported, "-" is displayed in the corresponding output fields.

Examples
  # Test the cable connected to Ethernet 1/0/1.
  <Sysname> system-view
  System View: return to User View with Ctrl+Z.
  [Sysname] interface Ethernet1/0/1
  [Sysname-Ethernet1/0/1] virtual-cable-test
  Cable status: abnormal(open), 1 meter(s)
  Pair Impedance mismatch:
  Pair skew: - ns
  Pair swap:
  Pair polarity:
  Insertion loss: - db
  Return loss: - db
  Near-end crosstalk: - db

Table of Contents

1 Link Aggregation Configuration Commands
  Link Aggregation Configuration Commands
    display link-aggregation interface
    display link-aggregation summary
    display link-aggregation verbose
    display lacp system-id
    lacp enable
    lacp port-priority
    lacp system-priority
    link-aggregation group description
    link-aggregation group mode
    port link-aggregation group
    reset lacp statistics

1 Link Aggregation Configuration Commands

Link Aggregation Configuration Commands

display link-aggregation interface

Syntax
  display link-aggregation interface interface-type interface-number [ to interface-type interface-number ]

View
  Any view

Parameters
  interface-type: Port type.
  interface-number: Port number.
  to: Specifies a port range, with the two interface-type interface-number argument pairs around it as its two ends.

Description
  Use the display link-aggregation interface command to display the link aggregation details of a specified port or port range.
  Because ports in a manual link aggregation group do not acquire information about their peers automatically, the peer-port entries displayed for such ports are all 0 instead of the actual values.

Examples
  # Display the link aggregation details of Ethernet 1/0/1.
  <Sysname> display link-aggregation interface Ethernet1/0/1
  Ethernet1/0/1:
  Selected AggID: 1
  Local:
    Port-Priority: 32768, Oper key: 2, Flag: 0x45
  Remote:
    System ID: 0x8000, 0000-0000-0000
    Port Number: 0, Port-Priority: 32768 , Oper-key: 0, Flag: 0x38
  Received LACP Packets: 0 packet(s), Illegal: 0 packet(s)
  Sent LACP Packets: 0 packet(s)

Table 1-1 Description on the fields of the display link-aggregation interface command
  Field                                                   Description
  Selected AggID                                          ID of the aggregation group to which the specified port belongs
  Local                                                   Information about the local end
  Port-Priority                                           Port priority
  Oper key                                                Operational key
  Flag                                                    Protocol status flag
  Remote                                                  Information about the remote end
  System ID                                               Remote device ID
  Port Number                                             Port number
  Received LACP Packets: 0 packet(s), Illegal: 0 packet(s)
  Sent LACP Packets: 0 packet(s)                          Statistics about received, invalid, and sent LACP packets

display link-aggregation summary

Syntax
  display link-aggregation summary

View
  Any view

Parameters
  None

Description
  Use the display link-aggregation summary command to display summary information about all aggregation groups.
  Because ports in a manual link aggregation group do not acquire information about their peers automatically, the peer-port entries displayed for such ports are all 0 instead of the actual values.

Examples
  # Display summary information about all aggregation groups.
  <Sysname> display link-aggregation summary
  Aggregation Group Type:D -- Dynamic, S -- Static , M -- Manual
  Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
  Actor ID: 0x8000, 000f-e20f-5104

  AL   AL                             Select  Unselect  Share  Master
  ID   Type  Partner ID               Ports   Ports     Type   Port
  -------------------------------------------------------------------------
  1    S     0x8000,0000-0000-0000    0       1         NonS   Ethernet1/0/2
  2    M     none                     1       0         NonS   Ethernet1/0/3

Table 1-2 Description on the fields of the display link-aggregation summary command
  Field                     Description
  Aggregation Group Type    Aggregation group type: D for dynamic, S for static, and M for manual
  Loadsharing Type          Load sharing type: Shar for load sharing and NonS for non-load sharing
  Actor ID                  Local device ID
  AL ID                     Aggregation group ID
  AL Type                   Aggregation group type: D (dynamic), S (static), or M (manual)
  Partner ID                ID of the remote device, including the system priority and system MAC address of the remote device. For a device belonging to a dynamic or static aggregation group, if no LACP packet is received, the partner ID is displayed as 0x8000, 0000-0000-0000.
  Select Ports              Number of selected ports
  Unselect Ports            Number of unselected ports
  Share Type                Load sharing type: Shar (load-sharing) or NonS (non-load-sharing)
  Master Port               The port with the smallest port number in the aggregation group

display link-aggregation verbose

Syntax
  display link-aggregation verbose [ agg-id ]

View
  Any view

Parameters
  agg-id: Aggregation group ID, in the range of 1 to 52; it must be the ID of an existing aggregation group.

Description
  Use the display link-aggregation verbose command to display the details of a specified aggregation group or of all aggregation groups.
  Because ports in a manual link aggregation group do not acquire information about their peers automatically, the peer-port entries displayed for such ports are all 0 instead of the actual values.

Examples
  # Display the details of aggregation group 1.
  <Sysname> display link-aggregation verbose 1
  Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
  Flags:  A -- LACP_Activity, B -- LACP_timeout, C -- Aggregation,
          D -- Synchronization, E -- Collecting, F -- Distributing,
          G -- Defaulted, H -- Expired

  Aggregation ID: 1, AggregationType: Manual, Loadsharing Type: NonS
  Aggregation Description:
  System ID: 0x8000, 000f-e214-000a
  Port Status: S -- Selected, U -- Unselected
  Local:
    Port            Status  Priority  Key  Flag
  -------------------------------------------------------------------------
    Ethernet1/0/2   S       32768     1    {}
    Ethernet1/0/3   U       32768     1    {}
  Remote:
    Actor           Partner  Priority  Key  SystemID                Flag
  -------------------------------------------------------------------------
    Ethernet1/0/2   0        0         0    0x0000,0000-0000-0000   {}
    Ethernet1/0/3   0        0         0    0x0000,0000-0000-0000   {}

Table 1-3 Description on the fields of the display link-aggregation verbose command
  Field                     Description
  Loadsharing Type          Load sharing type: Loadsharing or Non-Loadsharing
  Flags                     LACP flag types
  Aggregation ID            Aggregation group ID
  Aggregation Description   Aggregation group description string
  AggregationType           Aggregation group type
  System ID                 Device ID
  Port Status               Port status: Selected or Unselected

display lacp system-id

Syntax
  display lacp system-id

View
  Any view

Parameters
  None

Description
  Use the display lacp system-id command to display the device ID of the local system, which consists of the system priority and the MAC address.

Examples
  # Display the device ID of the local system.
  <Sysname> display lacp system-id
  Actor System ID: 0x8000, 000f-e20f-0100
  The value of the Actor System ID field is the device ID.

lacp enable

Syntax
  lacp enable
  undo lacp enable

View
  Ethernet port view

Parameters
  None

Description
  Use the lacp enable command to enable LACP on the current port.
  Use the undo lacp enable command to disable LACP.
  By default, LACP is disabled on a port.

Examples
  # Enable LACP on Ethernet 1/0/1.
  <Sysname> system-view
  System View: return to User View with Ctrl+Z.
  [Sysname] interface Ethernet1/0/1
  [Sysname-Ethernet1/0/1] lacp enable

lacp port-priority

Syntax
  lacp port-priority port-priority
  undo lacp port-priority

View
  Ethernet port view

Parameters
  port-priority: Port priority, in the range of 0 to 65,535.

Description
  Use the lacp port-priority command to set the priority of the current port.
  Use the undo lacp port-priority command to restore the default port priority.
  By default, the port priority is 32,768.
  You can use the display link-aggregation verbose command or the display link-aggregation interface command to check the configuration result.

Examples
  # Set the priority of Ethernet 1/0/1 to 64.
  <Sysname> system-view
  System View: return to User View with Ctrl+Z.
  [Sysname] interface Ethernet1/0/1
  [Sysname-Ethernet1/0/1] lacp port-priority 64

lacp system-priority

Syntax
  lacp system-priority system-priority
  undo lacp system-priority

View
  System view

Parameters
  system-priority: System priority, in the range of 0 to 65,535.

Description
  Use the lacp system-priority command to set the system priority.
  Use the undo lacp system-priority command to restore the default system priority.
  By default, the system priority is 32,768.

Examples
  # Set the system priority to 64.
  <Sysname> system-view
  System View: return to User View with Ctrl+Z.
  [Sysname] lacp system-priority 64

link-aggregation group description

Syntax
  link-aggregation group agg-id description agg-name
  undo link-aggregation group agg-id description

View
  System view

Parameters
  agg-id: Aggregation group ID, in the range of 1 to 52.
  agg-name: Aggregation group name, a string of 1 to 32 characters.

Description
  Use the link-aggregation group description command to set a description for an aggregation group.
  Use the undo link-aggregation group description command to remove the description of an aggregation group.
  If you have saved the current configuration with the save command, the configuration of manual and static aggregation groups and their descriptions survives a system reboot, but the configuration of dynamic aggregation groups and their descriptions is lost.
  You can use the display link-aggregation verbose command to check the configuration result.

Examples
  # Set the description abc for aggregation group 1.
  <Sysname> system-view
  System View: return to User View with Ctrl+Z.
  [Sysname] link-aggregation group 1 description abc

link-aggregation group mode

Syntax
  link-aggregation group agg-id mode { manual | static }
  undo link-aggregation group agg-id

View
  System view

Parameters
  agg-id: Aggregation group ID, in the range of 1 to 52.
  manual: Creates a manual aggregation group.
  static: Creates a static aggregation group.

Description
  Use the link-aggregation group mode command to create a manual or static aggregation group.
  Use the undo link-aggregation group command to remove the specified aggregation group.
  Related commands: display link-aggregation summary.

Examples
  # Create manual aggregation group 22.
  <Sysname> system-view
  System View: return to User View with Ctrl+Z.
  [Sysname] link-aggregation group 22 mode manual

port link-aggregation group

Syntax
  port link-aggregation group agg-id
  undo port link-aggregation group

View
  Ethernet port view

Parameters
  agg-id: Aggregation group ID, in the range of 1 to 52.

Description
  Use the port link-aggregation group command to add the current Ethernet port to a manual or static aggregation group.
  Use the undo port link-aggregation group command to remove the current Ethernet port from its aggregation group.
  Related commands: display link-aggregation verbose.

Examples
  # Add Ethernet 1/0/1 to aggregation group 22.
  <Sysname> system-view
  System View: return to User View with Ctrl+Z.
  [Sysname] interface Ethernet1/0/1
  [Sysname-Ethernet1/0/1] port link-aggregation group 22

reset lacp statistics

Syntax
  reset lacp statistics [ interface interface-type interface-number [ to interface-type interface-number ] ]

View
  User view

Parameters
  interface-type: Port type.
  interface-number: Port number.
  to: Specifies a port range, with the two interface-type interface-number argument pairs around it as its two ends.

Description
  Use the reset lacp statistics command to clear the LACP statistics of the specified port(s), or of all ports if no port is specified.
  Related commands: display link-aggregation interface.

Examples
  # Clear the LACP statistics of all Ethernet ports.
  <Sysname> reset lacp statistics

Table of Contents

1 Port Isolation Configuration Commands
  Port Isolation Configuration Commands
    display isolate port
    port isolate

1 Port Isolation Configuration Commands

Port Isolation Configuration Commands

display isolate port

Syntax
  display isolate port

View
  Any view

Parameters
  None

Description
  Use the display isolate port command to display the Ethernet ports assigned to the isolation group.

Examples
  # Display the Ethernet ports added to the isolation group.
  <Sysname> display isolate port
  Isolated port(s) on UNIT 1: Ethernet1/0/2, Ethernet1/0/3, Ethernet1/0/4
  The output shows that Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 are in the isolation group. Neither Layer-2 nor Layer-3 packets can be exchanged between these ports.
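The isolation group shown by display isolate port, and the rules listed under port isolate for ports that are also link aggregation members, modelled in Python as an added example. This is not 3Com code; the port names and the aggregation group ID 22 are constructed. One case the manual does not cover is assumed here: a port that is not isolated and joins an aggregation group whose other members are isolated stays non-isolated.

```python
"""Model of the isolation-group rules listed under port isolate and their
interaction with link aggregation groups. Added example, not 3Com code;
port names and aggregation group IDs are constructed.

Assumption not stated on the page: a non-isolated port joining an
aggregation group whose other members are isolated stays non-isolated
(the manual only covers an isolated port joining a group).
"""
import re
from typing import Dict, Set, Tuple


def _port_key(name: str) -> Tuple[int, ...]:
    """Sort Ethernet1/0/10 after Ethernet1/0/2 (numeric, not lexical)."""
    return tuple(int(n) for n in re.findall(r"\d+", name))


class IsolationModel:
    """One switch unit with a single isolation group and N aggregation groups."""

    def __init__(self) -> None:
        self.isolated: Set[str] = set()       # members of the isolation group
        self.agg_of: Dict[str, int] = {}      # port -> aggregation group ID

    def members(self, agg_id: int) -> Set[str]:
        """Ports of an aggregation group on the local unit."""
        return {p for p, g in self.agg_of.items() if g == agg_id}

    def _with_agg_peers(self, port: str) -> Set[str]:
        """The port plus, if it is an aggregation member, the rest of its group."""
        return self.members(self.agg_of[port]) if port in self.agg_of else {port}

    # Ethernet port view: port isolate / undo port isolate
    def port_isolate(self, port: str) -> None:
        """Assigning an aggregation member to the isolation group makes the
        other members of its group join as well."""
        self.isolated |= self._with_agg_peers(port)

    def undo_port_isolate(self, port: str) -> None:
        """Removing an aggregation member makes the other members leave too."""
        self.isolated -= self._with_agg_peers(port)

    # Ethernet port view: port link-aggregation group / undo
    def port_link_aggregation_group(self, port: str, agg_id: int) -> None:
        """An isolated port joining an aggregation group pulls every member of
        that group on the local unit into the isolation group."""
        self.agg_of[port] = agg_id
        if port in self.isolated:
            self.isolated |= self.members(agg_id)

    def undo_port_link_aggregation_group(self, port: str) -> None:
        """Leaving the aggregation group changes nobody's isolation membership:
        the port stays isolated if it was, and so do the remaining members."""
        self.agg_of.pop(port, None)

    # Observable behaviour
    def can_exchange(self, a: str, b: str) -> bool:
        """Neither Layer-2 nor Layer-3 packets pass between two isolated ports."""
        return not (a in self.isolated and b in self.isolated)

    def display_isolate_port(self) -> str:
        """Same shape as the display isolate port output on the page."""
        ports = ", ".join(sorted(self.isolated, key=_port_key))
        return "Isolated port(s) on UNIT 1: " + ports


if __name__ == "__main__":
    m = IsolationModel()
    for p in ("Ethernet1/0/2", "Ethernet1/0/3"):
        m.port_link_aggregation_group(p, 22)
    m.port_isolate("Ethernet1/0/2")                   # drags Ethernet1/0/3 along
    m.undo_port_link_aggregation_group("Ethernet1/0/3")
    print(m.display_isolate_port())                   # both ports stay isolated
    print(m.can_exchange("Ethernet1/0/2", "Ethernet1/0/3"))
```

The point the model makes visible is that isolation membership is sticky: once an aggregation member has been isolated, taking it out of the aggregation group does not take it out of the isolation group, so the only way to restore forwarding is undo port isolate on the port itself.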
port isolate

Syntax
  port isolate
  undo port isolate

View
  Ethernet port view

Parameters
  None

Description
  Use the port isolate command to assign the Ethernet port to the isolation group.
  Use the undo port isolate command to remove the Ethernet port from the isolation group.
  • Assigning an aggregation member port to the isolation group, or removing one from it, causes the other ports in the aggregation group to join or leave the isolation group as well.
  • For ports that belong to an aggregation group and the isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports: the remaining ports stay in both the aggregation group and the isolation group.
  • Ports that belong to an aggregation group and the isolation group simultaneously remain isolated after they are removed from the aggregation group (in system view).
  • Assigning an isolated port to an aggregation group causes all the ports in that aggregation group on the local unit to join the isolation group.
  By default, the isolation group contains no port.

Examples
  # Assign Ethernet 1/0/1 and Ethernet 1/0/2 to the isolation group.
  <Sysname> system-view
  System View: return to User View with Ctrl+Z.
  [Sysname] interface ethernet1/0/1
  [Sysname-Ethernet1/0/1] port isolate
  [Sysname-Ethernet1/0/1] quit
  [Sysname] interface ethernet1/0/2
  [Sysname-Ethernet1/0/2] port isolate
  After the configuration, packets cannot be exchanged between Ethernet 1/0/1 and Ethernet 1/0/2.
  # Remove Ethernet 1/0/1 from the isolation group.
  [Sysname-Ethernet1/0/1] undo port isolate

Table of Contents

1 Port Security Commands
  Port Security Commands
    display mac-address security
    display port-security
    mac-address security
    port-security authorization ignore
    port-security enable
    port-security guest-vlan
    port-security intrusion-mode
    port-security max-mac-count
    port-security ntk-mode
    port-security oui
    port-security port-mode
    port-security timer disableport
    port-security timer guest-vlan-reauth
    port-security trap

1 Port Security Commands

Port Security Commands

display mac-address security

Syntax
  display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

View
  Any view

Parameters
  interface interface-type interface-number: Specifies, by type and number, the port whose security MAC address information is to be displayed.
  vlan vlan-id: Specifies, by ID, the VLAN whose security MAC address information is to be displayed. The vlan-id argument ranges from 1 to 4094.
  count: Displays the number of matching security MAC addresses.

Description
  Use the display mac-address security command to display security MAC address entries. If no argument is specified, the command displays information about all security MAC address entries.
  For each security MAC address entry, the output shows the MAC address, the VLAN the MAC address belongs to, the state of the MAC address (always security), the port associated with the MAC address, and the remaining lifetime of the entry.
  By checking the output of this command, you can verify the current configuration.

Examples
  # Display information about all security MAC address entries.
  <Sysname> display mac-address security
  MAC ADDR         VLAN ID   STATE      PORT INDEX       AGING TIME(s)
  0000-0000-0001   1         Security   Ethernet1/0/20   NOAGED
  0000-0000-0002   1         Security   Ethernet1/0/20   NOAGED
  0000-0000-0003   1         Security   Ethernet1/0/20   NOAGED
  0000-0000-0004   1         Security   Ethernet1/0/20   NOAGED
  0000-0000-0001   2         Security   Ethernet1/0/22   NOAGED
  0000-0000-0007   2         Security   Ethernet1/0/22   NOAGED
  ---  6 mac address(es) found  ---
  # Display the security MAC address entries for port Ethernet 1/0/20.
  <Sysname> display mac-address security interface Ethernet 1/0/20
  MAC ADDR         VLAN ID   STATE      PORT INDEX       AGING TIME(s)
  0000-0000-0001   1         Security   Ethernet1/0/20   NOAGED
  0000-0000-0002   1         Security   Ethernet1/0/20   NOAGED
  0000-0000-0003   1         Security   Ethernet1/0/20   NOAGED
  0000-0000-0004   1         Security   Ethernet1/0/20   NOAGED
  ---  4 mac address(es) found on port Ethernet1/0/20  ---
  # Display the security MAC address entries for VLAN 1.
  <Sysname> display mac-address security vlan 1
  MAC ADDR         VLAN ID   STATE      PORT INDEX       AGING TIME(s)
  0000-0000-0001   1         Security   Ethernet1/0/20   NOAGED
  0000-0000-0002   1         Security   Ethernet1/0/20   NOAGED
  0000-0000-0003   1         Security   Ethernet1/0/20   NOAGED
  0000-0000-0004   1         Security   Ethernet1/0/20   NOAGED
  ---  4 mac address(es) found in vlan 1  ---
  # Display the total number of security MAC address entries.
  <Sysname> display mac-address security count
  6 mac address(es) found
  # Display the number of security MAC address entries for VLAN 1.
  <Sysname> display mac-address security vlan 1 count
  4 mac address(es) found in vlan 1

Table 1-1 Description on the fields of the display mac-address security command
  Field                     Description
  MAC ADDR                  Security MAC address
  VLAN ID                   VLAN that the MAC address belongs to
  STATE                     MAC address type, which is always Security for a security MAC address
  PORT INDEX                Port associated with the MAC address
  AGING TIME(s)             Remaining lifetime of the MAC address entry
  mac address(es) found     Number of matching security MAC addresses

display port-security

Syntax
  display port-security [ interface interface-list ]

View
  Any view

Parameters
  interface interface-list: Specifies the list of Ethernet ports whose port security configurations are to be displayed. For the interface-list argument, you can specify individual ports and port ranges. An individual port takes the form interface-type interface-number, and a port range takes the form interface-type interface-number1 to interface-type interface-number2, with interface-number2 greater than interface-number1. The list can hold at most 10 individual ports and port ranges in total.

Description
  Use the display port-security command to display port security configurations. If no interface is specified, the command displays the port security configurations of all Ethernet ports.
  The output includes the global configuration (such as whether port security is enabled on the switch and whether the sending of specified trap messages is enabled) and the port configurations (such as the security mode and the port security features).
  By checking the output of this command, you can verify the current configuration.

Examples
  # Display the global port security configuration and the configurations of all ports.
  <Sysname> display port-security
  Equipment port-security is enabled
  AddressLearn trap is Enabled
  Intrusion trap is Enabled
  Dot1x logon trap is Enabled
  Dot1x logoff trap is Enabled
  Dot1x logfailure trap is Enabled
  RALM logon trap is Enabled
  RALM logoff trap is Enabled
  RALM logfailure trap is Enabled
  Disableport Timeout: 20 s
  OUI value:
  Index is 5, OUI value is 000100
  Ethernet1/0/1 is link-up
  Port mode is AutoLearn
  NeedtoKnow mode is needtoknowonly
  Intrusion mode is BlockMacaddress
  Max mac-address num is 4
  Stored mac-address num is 0
  Authorization is ignore
  (The rest of the information is omitted.)
  # Display the port security configurations of ports Ethernet 1/0/1 to Ethernet 1/0/3.
  <Sysname> display port-security interface Ethernet 1/0/1 to Ethernet 1/0/3
  Ethernet1/0/1 is link-up
  Port mode is AutoLearn
  NeedtoKnow mode is needtoknowonly
  Intrusion mode is BlockMacaddress
  Max mac-address num is 4
  Stored mac-address num is 0
  Authorization is ignore
  Ethernet1/0/2 is link-down
  Port mode is AutoLearn
  NeedtoKnow mode is disabled
  Intrusion mode is no action
  Max mac-address num is not configured
  Stored mac-address num is 0
  Authorization is ignore
  Ethernet1/0/3 is link-down
  Port mode is AutoLearn
  NeedtoKnow mode is disabled
  Intrusion mode is BlockMacaddress
  Max mac-address num is not configured
  Stored mac-address num is 0
  Authorization is ignore

Table 1-2 Description on the fields of the display port-security command
  Field                                 Description
  Equipment port-security is enabled    Port security is enabled on the switch.
  AddressLearn trap is Enabled          The sending of address-learning trap messages is enabled.
  Intrusion trap is Enabled             The sending of intrusion-detection trap messages is enabled.
  Dot1x logon trap is Enabled           The sending of 802.1x user authentication success trap messages is enabled.
  Dot1x logoff trap is Enabled          The sending of 802.1x user logoff trap messages is enabled.
  Dot1x logfailure trap is Enabled      The sending of 802.1x user authentication failure trap messages is enabled.
  RALM logon trap is Enabled            The sending of MAC-based authentication success trap messages is enabled.
  RALM logoff trap is Enabled           The sending of logoff trap messages for MAC-authenticated users is enabled.
  RALM logfailure trap is Enabled       The sending of MAC-based authentication failure trap messages is enabled.
  Disableport Timeout: 20 s             The temporary port-disabling time is 20 seconds.
  OUI value                             The next line displays the OUI value.
  Index                                 OUI index
  Ethernet1/0/1 is link-up              The link status of port Ethernet 1/0/1 is up.
  Port mode is AutoLearn                The security mode of the port is autolearn.
  NeedtoKnow mode is needtoknowonly     The NTK (Need To Know) mode is ntkonly.
  Intrusion mode is BlockMacaddress     The intrusion detection mode is BlockMacaddress.
  Max mac-address num is 4              The maximum number of MAC addresses allowed on the port is 4.
  Stored mac-address num is 0           No MAC address is stored.
  Authorization is ignore               Authorization information delivered by the Remote Authentication Dial-In User Service (RADIUS) server will not be applied to the port.

mac-address security

Syntax
  In system view:
  mac-address security mac-address interface interface-type interface-number vlan vlan-id
  undo mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]
  In Ethernet port view:
  mac-address security mac-address vlan vlan-id
  undo mac-address security [ [ mac-address ] vlan vlan-id ]

View
  System view, Ethernet port view

Parameters
  mac-address: Security MAC address, in the H-H-H format.
  interface interface-type interface-number: Specifies the port on which the security MAC address is to be added. The interface-type interface-number arguments indicate the port type and port number.
  vlan vlan-id: Specifies the VLAN to which the MAC address belongs. The vlan-id argument specifies a VLAN ID in the range of 1 to 4094.
Description
Use the mac-address security command to create a security MAC address entry.
Use the undo mac-address security command to remove a security MAC address.
By default, no security MAC address entry is configured.
• The mac-address security command can be configured successfully only when port security is enabled and the security mode is autolearn.
• To create a security MAC address entry successfully, make sure that the specified VLAN is carried on the specified port.

Examples
# Enable port security; configure the port security mode of Ethernet 1/0/1 as autolearn and create a security MAC address entry for 0001-0001-0001, setting the associated port to Ethernet 1/0/1 and assigning the MAC address to VLAN 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] port-security max-mac-count 100
[Sysname-Ethernet1/0/1] port-security port-mode autolearn
[Sysname-Ethernet1/0/1] mac-address security 0001-0001-0001 vlan 1
# Use the display mac-address interface command to verify the configuration result.
[Sysname] display mac-address interface Ethernet 1/0/1
MAC ADDR         VLAN ID   STATE      PORT INDEX      AGING TIME(s)
0001-0001-0001   1         Security   Ethernet1/0/1   NOAGED
---  1 mac address(es) found on port Ethernet1/0/1  ---

port-security authorization ignore

Syntax
port-security authorization ignore
undo port-security authorization ignore

View
Ethernet port view

Parameters
None

Description
Use the port-security authorization ignore command to configure the port to ignore the authorization information delivered by the RADIUS server.
Use the undo port-security authorization ignore command to restore the default configuration.
By default, the port uses (does not ignore) the authorization information delivered by the RADIUS server.
You can use the display port-security command to check whether the port will use the authorization information delivered by the RADIUS server.
After a RADIUS user passes authentication, the RADIUS server authorizes the attributes configured for the user account, such as the dynamic VLAN configuration. For more information, refer to AAA Command.

Examples
# Configure Ethernet 1/0/2 to ignore the authorization information delivered by the RADIUS server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] port-security authorization ignore

port-security enable

Syntax
port-security enable
undo port-security enable

View
System view

Parameters
None

Description
Use the port-security enable command to enable port security.
Use the undo port-security enable command to disable port security.
By default, port security is disabled.
Enabling port security resets the following configurations on the ports to their defaults (shown in parentheses):
• 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
• MAC authentication (disabled)
In addition, you cannot perform the above configurations manually, because they change automatically with the port security mode.
Related commands: display port-security.

Examples
# Enable port security.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
Notice: The port-control of 802.1x will be restricted to auto when port-security is enabled.
Please wait... Done.

port-security guest-vlan

Syntax
port-security guest-vlan vlan-id
undo port-security guest-vlan

View
Ethernet port view

Parameters
vlan-id: Specifies a guest VLAN by its VLAN ID, in the range of 1 to 4094. The VLAN must already exist.

Description
Use the port-security guest-vlan command to specify an existing VLAN as the guest VLAN of a port.
Use the undo port-security guest-vlan command to remove the guest VLAN configuration.
By default, no guest VLAN is specified for a port.
Note that:
• Only an existing VLAN can be specified as a guest VLAN. Make sure the guest VLAN of the port contains the resources that the users need.
• If a user of the port has passed or is undergoing authentication, you cannot specify a guest VLAN for the port.
• When a user on a port with a guest VLAN specified fails authentication, the port is added to the guest VLAN, and users of the port can access only the resources in the guest VLAN.
• Multiple users may connect to one port in the macAddressOrUserLoginSecure mode for authentication; however, after a guest VLAN is specified, at most one user can pass the security authentication. In this case, the authentication client software of the other 802.1x users displays messages about the failure; MAC address authentication has no client software, so no such messages are displayed.
• To change the security mode of a port that is assigned to a guest VLAN away from macAddressOrUserLoginSecure, execute the undo port-security guest-vlan command first to remove the guest VLAN configuration.
• For a port configured with both the port-security guest-vlan and port-security intrusion-mode disableport commands, when authentication of a user fails, only the intrusion detection feature is triggered. The port is not added to the specified guest VLAN.
• It is not recommended to configure the port-security guest-vlan and port-security intrusion-mode blockmac commands simultaneously on a port, because when authentication of a user fails, the MAC address blocking feature is triggered and the user's packets are dropped, leaving the user unable to access the guest VLAN.

Examples
# Set the security mode of port Ethernet 1/0/1 to macAddressOrUserLoginSecure, and specify VLAN 100 as the guest VLAN of the port.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security port-mode userlogin-secure-or-mac
[Sysname-Ethernet1/0/1] port-security guest-vlan 100

port-security intrusion-mode

Syntax
port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
undo port-security intrusion-mode

View
Ethernet port view

Parameters
blockmac: Adds the source MAC addresses of illegal packets to the blocked MAC address list. As a result, packets sourced from the blocked MAC addresses are filtered out. A blocked MAC address is unblocked three minutes (not user configurable) after the block action.
disableport: Disables a port permanently once an illegal frame or event is detected on it.
disableport-temporarily: Disables a port for a specified period of time after an illegal frame or event is detected on it. You can set the period with the port-security timer disableport command.

Description
Use the port-security intrusion-mode command to set intrusion protection.
Use the undo port-security intrusion-mode command to disable intrusion protection.
By default, intrusion protection is not configured.
By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC addresses) or events and takes a preset action accordingly. The actions you can set include disconnecting the port temporarily or permanently and blocking packets with invalid MAC addresses.
The following cases can trigger intrusion protection on a port:
• A packet with an unknown source MAC address is received on the port while MAC address learning is disabled on the port.
• A packet with an unknown source MAC address is received on the port while the number of security MAC addresses on the port has reached the preset maximum.
• The user fails the 802.1x or MAC address authentication.
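As an added illustration of the triggers and actions listed above (example code written for this page, not 3Com code or switch firmware), the model below follows a port from autolearn to secure mode once max-mac-count is reached, then applies the configured intrusion action to an unknown source MAC: blockmac with the fixed three-minute release, disableport-temporarily for the port-security timer disableport value, or disableport until undo shutdown. The SecurePort class, its return strings and the seconds-based clock are this model's own assumptions; the limits and timings are the ones this chapter gives.

```python
"""Model of the port-security behaviour this chapter describes: autolearn fills the
security MAC table up to max-mac-count, the port then becomes secure, and an unknown
source MAC triggers the configured intrusion action. Added example, not 3Com code;
return strings and the float clock are this model's own choices."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BLOCKMAC_RELEASE_SECS = 180   # blockmac: a blocked MAC is released after three minutes (fixed)


@dataclass
class SecurePort:
    max_mac_count: int = 1                  # port-security max-mac-count (1 to 1024)
    intrusion_mode: Optional[str] = None    # blockmac | disableport | disableport-temporarily
    disableport_timer: int = 20             # port-security timer disableport (20 to 300 s)
    mode: str = "autolearn"                 # autolearn; becomes secure once the table is full
    security_macs: Set[str] = field(default_factory=set)
    static_macs: Set[str] = field(default_factory=set)
    blocked_until: Dict[str, float] = field(default_factory=dict)   # mac -> release time
    down_until: Optional[float] = None      # None = up, inf = permanently disabled
    events: List[Tuple[str, str, float]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Ranges as documented for the two commands.
        if not 1 <= self.max_mac_count <= 1024:
            raise ValueError("port-security max-mac-count takes 1 to 1024")
        if not 20 <= self.disableport_timer <= 300:
            raise ValueError("port-security timer disableport takes 20 to 300 seconds")

    def is_down(self, now: float) -> bool:
        return self.down_until is not None and now < self.down_until

    def undo_shutdown(self) -> None:
        """Bring a permanently disabled port back up (the undo shutdown command)."""
        self.down_until = None

    def _intrusion(self, src: str, now: float) -> str:
        """Apply the configured intrusion action to an illegal frame from `src`."""
        self.events.append(("intrusion", src, now))
        if self.intrusion_mode == "blockmac":
            self.blocked_until[src] = now + BLOCKMAC_RELEASE_SECS
            return "blocked"
        if self.intrusion_mode == "disableport":
            self.down_until = float("inf")          # stays down until undo shutdown
            return "port-disabled"
        if self.intrusion_mode == "disableport-temporarily":
            self.down_until = now + self.disableport_timer
            return "port-disabled-temporarily"
        return "dropped"   # no intrusion action configured: the frame simply does not pass

    def receive(self, src: str, now: float = 0.0) -> str:
        """Process one inbound frame with source MAC `src` at time `now` (seconds)."""
        if self.is_down(now):
            return "port-down"
        if src in self.blocked_until:
            if now < self.blocked_until[src]:
                return "blocked"
            del self.blocked_until[src]             # three minutes elapsed: unblocked
        if src in self.security_macs or src in self.static_macs:
            return "forwarded"
        if self.mode == "autolearn" and len(self.security_macs) < self.max_mac_count:
            self.security_macs.add(src)
            if len(self.security_macs) == self.max_mac_count:
                self.mode = "secure"                # table full: learning stops
            return "learned"
        # Unknown source while learning is off or the table is full: triggers 1 and 2 above.
        return self._intrusion(src, now)


if __name__ == "__main__":
    port = SecurePort(max_mac_count=2, intrusion_mode="blockmac")
    for t, mac in enumerate(["0000-0000-0001", "0000-0000-0002",
                             "0000-0000-0001", "0000-0000-0003"]):
        print(t, mac, port.receive(mac, float(t)), port.mode)
```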
• After executing the port-security intrusion-mode blockmac command, you can only use the display port-security command to view blocked MAC addresses.
Related commands: display port-security, port-security timer disableport.

Examples
# Configure the intrusion protection mode on Ethernet 1/0/1 as blockmac.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security intrusion-mode blockmac
# Display information about blocked MAC addresses after intrusion protection is triggered.
<Sysname> display port-security
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Dot1x logon trap is Enabled
Dot1x logoff trap is Enabled
Dot1x logfailure trap is Enabled
RALM logon trap is Enabled
RALM logoff trap is Enabled
RALM logfailure trap is Enabled
Disableport Timeout: 20 s
OUI value:
  Index is 5, OUI value is 000100
Blocked Mac info:
  MAC ADDR         From Port        Vlan
  --- On unit 1, 2 blocked mac address(es) found. ---
  0000-0000-0003   Ethernet1/0/1    1
  0000-0000-0004   Ethernet1/0/1    1
  ---  2 blocked mac address(es) found.  ---
Ethernet1/0/1 is link-up
  Port mode is Secure
  NeedtoKnow mode is disabled
  Intrusion mode is BlockMacaddress
  Max mac-address num is 2
  Stored mac-address num is 2
  Authorization is permit
For a description of the output information, refer to Table 1-2.
# Configure the intrusion protection mode on Ethernet 1/0/1 as disableport-temporarily. As a result, the port is disconnected when intrusion protection is triggered and re-enabled 30 seconds later.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security timer disableport 30
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily
# Configure the intrusion protection mode on Ethernet 1/0/1 as disableport. As a result, when intrusion protection is triggered, the port is disconnected permanently.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport
You can bring up a port that has been permanently disabled by running the undo shutdown command or by disabling port security on the port.

port-security max-mac-count

Syntax
port-security max-mac-count count-value
undo port-security max-mac-count

View
Ethernet port view

Parameters
count-value: Maximum number of MAC addresses allowed on the port, in the range of 1 to 1024.

Description
Use the port-security max-mac-count command to set the maximum number of MAC addresses allowed on the port.
Use the undo port-security max-mac-count command to cancel this limit.
By default, there is no limit on the number of MAC addresses allowed on the port.
By configuring the maximum number of MAC addresses allowed on a port, you can:
• Limit the number of users accessing the network through the port.
• Limit the number of security MAC addresses that can be added on the port.
When the maximum number of MAC addresses allowed on a port is reached, the port does not allow more users to access the network through it.
• The port-security max-mac-count command is independent of the maximum number of MAC addresses that can be learned on a port, which is configured in MAC address management.
• When there are online users on a port, you cannot execute the port-security max-mac-count command on the port.

Examples
# Set the maximum number of MAC addresses allowed on the port to 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security max-mac-count 100

port-security ntk-mode

Syntax
port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts }
undo port-security ntk-mode

View
Ethernet port view

Parameters
ntkonly: Allows the port to transmit only unicast packets with successfully authenticated destination MAC addresses.
ntk-withbroadcasts: Allows the port to transmit broadcast packets and unicast packets with successfully authenticated destination MAC addresses.
ntk-withmulticasts: Allows the port to transmit multicast packets, broadcast packets and unicast packets with successfully authenticated destination MAC addresses.

Description
Use the port-security ntk-mode command to configure the NTK feature on the port.
Use the undo port-security ntk-mode command to restore the default setting.
By default, NTK is disabled on a port, that is, all frames are allowed to be sent.
By checking the destination MAC addresses of the data frames to be sent from a port, the NTK feature ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.

Examples
# Set the NTK feature to ntk-withbroadcasts on Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security ntk-mode ntk-withbroadcasts

port-security oui

Syntax
port-security oui OUI-value index index-value
undo port-security oui index index-value

View
System view

Parameters
OUI-value: OUI value. You can input a 48-bit MAC address in the form of H-H-H for this argument; the system takes the first 24 bits as the OUI value and ignores the rest.
index-value: OUI index, ranging from 1 to 16.
The organizationally unique identifiers (OUIs) are assigned by the IEEE to different vendors.
Each OUI uniquely identifies an equipment vendor in the world and is the higher 24 bits of a MAC address.

Description
Use the port-security oui command to set an OUI value for authentication.
Use the undo port-security oui command to cancel the OUI value setting.
By default, no OUI value is set for authentication.
• The OUI value set by this command takes effect only when the security mode of the port is set to userLoginWithOUI by the port-security port-mode command.
• The OUI value set by this command cannot be a multicast MAC address.
Related commands: port-security port-mode.

Examples
# Configure an OUI value of 00ef-ec00-0000, setting the OUI index to 5.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security oui 00ef-ec00-0000 index 5

port-security port-mode

Syntax
port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
undo port-security port-mode

View
Ethernet port view

Parameters
Table 1-3 describes the security mode keywords.

Table 1-3 Keyword description
autolearn (security mode: autolearn)
    In this mode, MAC addresses learned on the port become security MAC addresses. When the number of security MAC addresses exceeds the maximum number of MAC addresses configured by the port-security max-mac-count command, the port security mode changes to secure automatically. After that, no more security MAC addresses can be added to the port, and only packets whose source MAC addresses are security MAC addresses can pass through the port.
mac-and-userlogin-secure (security mode: macAddressAndUserLoginSecure)
    In this mode, users trying to access the network through the port must first pass MAC address authentication and then 802.1x authentication. Only one user can access the network through the port at a time.
mac-and-userlogin-secure-ext (security mode: macAddressAndUserLoginSecureExt)
    This mode is similar to the macAddressAndUserLoginSecure mode, except that more than one user can access the network through the port.
mac-authentication (security mode: macAddressWithRadius)
    In this mode, MAC address authentication is applied to users trying to access the network.
mac-else-userlogin-secure (security mode: macAddressElseUserLoginSecure)
    In this mode, a port performs MAC authentication or 802.1x authentication of an access user. If either authentication succeeds, the user is authenticated. Only one 802.1x-authenticated user can access the network through the port, but at the same time there can be more than one MAC-address-authenticated user on the port.
mac-else-userlogin-secure-ext (security mode: macAddressElseUserLoginSecureExt)
    This mode is similar to the macAddressElseUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
secure (security mode: secure)
    In this mode, MAC address learning is disabled on the current port. Only packets whose source MAC addresses are security MAC addresses or already configured static MAC addresses can pass through the port.
userlogin (security mode: userlogin)
    In this mode, 802.1x authentication is applied to users trying to access the network through the current port.
userlogin-secure (security mode: userLoginSecure)
    In this mode, MAC-based 802.1x authentication is applied to users trying to access the network through the port. The port is enabled when the authentication succeeds and allows packets from authenticated users to pass through. Only one 802.1x-authenticated user can access the network through the port. When the security mode of the port changes from noRestriction to this mode, the old dynamic MAC address entries and authenticated MAC address entries kept on the port are deleted automatically.
userlogin-secure-ext (security mode: userLoginSecureExt)
    This mode is similar to the userLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
userlogin-secure-or-mac (security mode: macAddressOrUserLoginSecure)
    MAC address authentication and 802.1x authentication can coexist on a port, with 802.1x authentication having higher priority. 802.1x authentication can be applied to users who have already passed MAC address authentication; however, users who have already passed 802.1x authentication do not need to go through MAC address authentication. Only one 802.1x-authenticated user can access the network through the port; however, there can be more than one MAC-address-authenticated user on the port.
userlogin-secure-or-mac-ext (security mode: macAddressOrUserLoginSecureExt)
    This mode is similar to the macAddressOrUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
userlogin-withoui (security mode: userLoginWithOUI)
    Similar to the userLoginSecure mode, only one 802.1x-authenticated user can be on the port in this mode; however, the port also allows packets with the OUI address to pass through. When the security mode of the port changes from noRestriction to this mode, the old dynamic MAC address entries and authenticated MAC address entries kept on the port are deleted automatically.

Description
Use the port-security port-mode command to set the security mode of the port.
Use the undo port-security port-mode command to restore the default mode.
By default, the port is in the noRestriction mode, that is, access to the port is not restricted.
• Before setting the security mode to autolearn, you need to use the port-security max-mac-count command to configure the maximum number of MAC addresses allowed on the port.
• When a port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
• After setting the security mode to autolearn, you cannot configure static or blackhole MAC addresses on the port.
• When the port security mode is not noRestriction, you need to use the undo port-security port-mode command to change it back to noRestriction before you change the port security mode to another mode.
On a port configured with a security mode, you cannot do the following:
• Configure the maximum number of MAC addresses that can be learned.
• Configure link aggregation.
Related commands: display port-security.

Examples
# Set the security mode of Ethernet 1/0/1 on the switch to userLogin.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security port-mode userlogin

port-security timer disableport

Syntax
port-security timer disableport timer
undo port-security timer disableport

View
System view

Parameters
timer: Disabling time in seconds, in the range of 20 to 300.

Description
Use the port-security timer disableport command to set the time during which the system temporarily disables a port.
Use the undo port-security timer disableport command to restore the default time.
By default, the system disables a port for 20 seconds.
The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.
Related commands: port-security intrusion-mode.

Examples
# Set the intrusion protection mode on Ethernet 1/0/1 to disableport-temporarily.
It is required that when intrusion protection is triggered, the port be shut down temporarily and come up again 30 seconds later.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security timer disableport 30
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily

port-security timer guest-vlan-reauth

Syntax
port-security timer guest-vlan-reauth interval
undo port-security timer guest-vlan-reauth

View
System view

Parameters
interval: Time period in seconds, in the range of 1 to 3600.

Description
Use the port-security timer guest-vlan-reauth command to configure the interval at which the switch triggers MAC address authentication after a port is added to its guest VLAN.
Use the undo port-security timer guest-vlan-reauth command to restore the default.
By default, the switch triggers MAC address authentication at intervals of 30 seconds.
At each interval, the switch uses the first MAC address learned in the guest VLAN to trigger MAC address authentication. If the authentication succeeds, the port leaves the guest VLAN.

Examples
# Configure the switch to trigger MAC address authentication at intervals of 60 seconds.
<Sysname> system-view
[Sysname] port-security timer guest-vlan-reauth 60

port-security trap

Syntax
port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }
undo port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

View
System view

Parameters
addresslearned: Enables/disables sending traps for MAC address learning events.
dot1xlogfailure: Enables/disables sending traps for 802.1x authentication failures.
dot1xlogoff: Enables/disables sending traps for 802.1x-authenticated user logoff events.
dot1xlogon: Enables/disables sending traps for 802.1x-authenticated user logon events.
intrusion: Enables/disables sending traps for detection of intrusion packets.
ralmlogfailure: Enables/disables sending traps for MAC authentication failures.
ralmlogoff: Enables/disables sending traps for MAC-authenticated user logoff events.
ralmlogon: Enables/disables sending traps for MAC-authenticated user logon events.
RADIUS authenticated login using MAC address (RALM) refers to MAC-based RADIUS authentication.

Description
Use the port-security trap command to enable the sending of the specified type(s) of trap messages.
Use the undo port-security trap command to disable the sending of the specified type(s) of trap messages.
By default, the system disables the sending of all types of trap messages.
This command is based on the device tracking feature, which enables the switch to send trap messages when special data packets (generated by illegal intrusion, abnormal user logon/logoff, or other special activities) pass through a port, so as to help the network administrator monitor such activities.
When you use the display port-security command to display global information, the system displays which types of trap messages are allowed to be sent.
Related commands: display port-security.

Examples
# Allow the sending of intrusion packet-detected trap messages.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security trap intrusion
# Use the display port-security command to display the related configuration information.
<Sysname> display port-security
Equipment port-security is enabled
Intrusion trap is Enabled
Disableport Timeout: 20 s
OUI value:
Ethernet1/0/1 is link-down
  Port mode is AutoLearn
  NeedtoKnow mode is needtoknowonly
  Intrusion mode is disableportTemporarily
  Max mac-address num is 4
  Stored mac-address num is 0
  Authorization is ignore
The rest of the information is omitted, if any.
For a description of the output information, refer to Table 1-2.
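As an added example for the display port-security output described in Table 1-2 and the blocked-MAC listing shown under port-security intrusion-mode (written for this page, not 3Com code), the parser below turns that text into a structure, and an audit function lists ports with no intrusion action, no max-mac-count, NTK disabled, a full security MAC table, or blocked MAC addresses. SAMPLE_OUTPUT is a constructed sample in that layout; parse_port_security, audit and the finding texts are this example's own.

```python
"""Parser and audit for the text of 'display port-security' in the layout this
chapter shows. Added example, not 3Com code: SAMPLE_OUTPUT is constructed from the
fields of Table 1-2 and the blocked-MAC block; the audit rules are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
Equipment port-security is enabled
Intrusion trap is Enabled
Disableport Timeout: 20 s
OUI value:
  Index is 5, OUI value is 000100
Blocked Mac info:
  MAC ADDR         From Port        Vlan
  --- On unit 1, 2 blocked mac address(es) found. ---
  0000-0000-0003   Ethernet1/0/1    1
  0000-0000-0004   Ethernet1/0/1    1
  ---  2 blocked mac address(es) found.  ---
Ethernet1/0/1 is link-up
  Port mode is Secure
  NeedtoKnow mode is disabled
  Intrusion mode is BlockMacaddress
  Max mac-address num is 2
  Stored mac-address num is 2
  Authorization is permit
Ethernet1/0/2 is link-down
  Port mode is AutoLearn
  NeedtoKnow mode is disabled
  Intrusion mode is no action
  Max mac-address num is not configured
  Stored mac-address num is 0
  Authorization is ignore
"""

RE_ENABLED = re.compile(r"^Equipment port-security is (enabled|disabled)$")
RE_TRAP = re.compile(r"^(.+?) trap is (Enabled|Disabled)$")
RE_TIMEOUT = re.compile(r"^Disableport Timeout: (\d+) s$")
RE_OUI = re.compile(r"Index is (\d+),\s*OUI value is ([0-9A-Fa-f]{6})")
RE_BLOCKED = re.compile(r"^([0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+(\S+)\s+(\d+)$")
RE_PORT = re.compile(r"^(\S+) is link-(up|down)$")
RE_ATTR = re.compile(r"^(Port mode|NeedtoKnow mode|Intrusion mode|Max mac-address num|"
                     r"Stored mac-address num|Authorization) is (.+)$")


@dataclass
class PortSecurityState:
    enabled: bool = False
    traps: Dict[str, str] = field(default_factory=dict)                # "Intrusion" -> "Enabled"
    disableport_timeout: Optional[int] = None                          # seconds
    oui: Dict[int, str] = field(default_factory=dict)                  # index -> 24-bit OUI hex
    blocked: List[Tuple[str, str, int]] = field(default_factory=list)  # (mac, port, vlan)
    ports: Dict[str, Dict[str, str]] = field(default_factory=dict)     # port -> attribute -> value


def parse_port_security(text: str) -> PortSecurityState:
    """Walk the output line by line; headings, column titles and separators fall through."""
    state = PortSecurityState()
    current: Optional[Dict[str, str]] = None      # attributes of the port block being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_ENABLED.match(line):
            state.enabled = m.group(1) == "enabled"
        elif m := RE_PORT.match(line):
            current = {"link": m.group(2)}
            state.ports[m.group(1)] = current
        elif (m := RE_ATTR.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
        elif m := RE_TRAP.match(line):
            state.traps[m.group(1)] = m.group(2)
        elif m := RE_TIMEOUT.match(line):
            state.disableport_timeout = int(m.group(1))
        elif m := RE_OUI.search(line):
            state.oui[int(m.group(1))] = m.group(2).lower()
        elif m := RE_BLOCKED.match(line):
            state.blocked.append((m.group(1), m.group(2), int(m.group(3))))
    return state


def audit(state: PortSecurityState) -> List[str]:
    """Flag settings a reviewer would question, using the fields described in Table 1-2."""
    findings: List[str] = []
    if state.traps.get("Intrusion") != "Enabled":
        findings.append("global: intrusion traps are off, so triggered intrusions are not reported")
    for mac, port, vlan in state.blocked:
        findings.append(f"{port}: MAC {mac} (VLAN {vlan}) is blocked; intrusion protection fired")
    for name, attrs in state.ports.items():
        if attrs.get("Intrusion mode") == "no action":
            findings.append(f"{name}: no intrusion action configured")
        max_num = attrs.get("Max mac-address num")
        if max_num == "not configured":
            findings.append(f"{name}: no max-mac-count limit")
        elif max_num is not None and max_num.isdigit():
            stored = int(attrs.get("Stored mac-address num", "0"))
            if stored >= int(max_num):
                findings.append(f"{name}: security MAC table full ({stored}/{max_num})")
        if attrs.get("NeedtoKnow mode") == "disabled":
            findings.append(f"{name}: NTK disabled, unauthenticated stations receive its unicast traffic")
    return findings
```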
Table of Contents
1 MAC Address Table Management Configuration Commands
  MAC Address Table Management Configuration Commands
    display mac-address aging-time
    display mac-address
    mac-address
    mac-address max-mac-count
    mac-address timer

1 MAC Address Table Management Configuration Commands
This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to the “Multicast” part of the manual.

MAC Address Table Management Configuration Commands

display mac-address aging-time

Syntax
display mac-address aging-time

View
Any view

Parameters
None

Description
Use the display mac-address aging-time command to display the aging time of the dynamic MAC address entries in the MAC address table.
Related commands: mac-address, mac-address timer, display mac-address.

Examples
# Display the aging time of the dynamic MAC address entries.
<Sysname> display mac-address aging-time
Mac address aging time: 300s
The output information indicates that the aging time of the dynamic MAC address entries is 300 seconds.
<Sysname> display mac-address aging-time
Mac address aging time: no-aging
The output information indicates that dynamic MAC address entries do not age out.
display mac-address

Syntax
display mac-address [ display-option ]

View
Any view

Parameters
display-option: Option used to display specific MAC address table information, as described in Table 1-1.

Table 1-1 Description on the display-option argument
mac-address [ vlan vlan-id ]
    Displays information about a specified MAC address entry.
{ static | dynamic | blackhole } [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
    Displays information about dynamic, static, or blackhole MAC address entries.
interface interface-type interface-number [ vlan vlan-id ] [ count ]
    Displays information about the MAC address entries concerning a specified port.
vlan vlan-id [ count ]
    Displays information about the MAC address entries concerning a specified VLAN.
count
    Displays the total number of the MAC address entries maintained by the switch.
statistics
    Displays statistics of the MAC address entries maintained by the switch.

mac-address: Specifies a MAC address, in the form of H-H-H.
static: Displays static MAC address entries.
dynamic: Displays dynamic MAC address entries.
blackhole: Displays blackhole MAC address entries.
interface-type interface-number: Specifies a port by its interface type and number; the MAC address entries of that port are displayed.
vlan-id: Specifies a VLAN by its ID, in the range of 1 to 4094; the MAC address entries in that VLAN are displayed.
count: Displays only the total number of the MAC address entries.
statistics: Displays statistics of the MAC address entries maintained by the switch.

Description
Use the display mac-address command to display information about MAC address entries in the MAC address table, including the MAC address, the VLAN and port corresponding to the MAC address, the type (static or dynamic) of the entry, whether the MAC address is within the aging time, and so on.

Examples
# Display information about MAC address 000f-e20f-0101.
<Sysname> display mac-address 000f-e20f-0101
MAC ADDR         VLAN ID   STATE     PORT INDEX      AGING TIME(s)
000f-e20f-0101   1         Learned   Ethernet1/0/1   AGING
# Display the MAC address entries for the port Ethernet 1/0/4.
<Sysname> display mac-address interface Ethernet 1/0/4
MAC ADDR         VLAN ID   STATE     PORT INDEX      AGING TIME(s)
000d-88f6-44ba   1         Learned   Ethernet1/0/4   AGING
000d-88f7-9f7d   1         Learned   Ethernet1/0/4   AGING
000d-88f7-b094   1         Learned   Ethernet1/0/4   AGING
000f-e200-00cc   1         Learned   Ethernet1/0/4   AGING
000f-e200-2201   1         Learned   Ethernet1/0/4   AGING
000f-e207-f2e0   1         Learned   Ethernet1/0/4   AGING
000f-e209-ecf9   1         Learned   Ethernet1/0/4   AGING
---  7 mac address(es) found on port Ethernet1/0/4  ---
# Display the total number of MAC address entries for VLAN 2.
<Sysname> display mac-address vlan 2 count
 9 mac address(es) found in vlan 2

Table 1-2 Description on the fields of the display mac-address command
MAC ADDR
    MAC address.
VLAN ID
    ID of the VLAN to which the network device identified by the MAC address belongs.
STATE
    The state of the MAC address entry, which can be one of the following:
    • Config static: Indicates a manually configured static address entry.
    • Learned: Indicates a dynamically learnt address entry.
    • Config dynamic: Indicates a manually configured dynamic address entry.
    • Blackhole: Indicates a blackhole entry.
PORT INDEX
    Outgoing port out of which the traffic destined for the MAC address should be sent.
AGING TIME(s)
    Indicates whether the MAC address entry is aging. AGING indicates that the entry is aging; NOAGED indicates that the entry will never age out.
mac-address Syntax z In system view: mac-address { static | dynamic | blackhole } mac-address interface interface-type interface-number vlan vlan-id undo mac-address [ mac-address-attribute ] 1-3 z In Ethernet port view: mac-address { static | dynamic | blackhole } mac-address vlan vlan-id undo mac-address { static | dynamic | blackhole } mac-address vlan vlan-id View System view, Ethernet port view Parameters static: Specifies a static MAC address entry. dynamic: Specifies a dynamic MAC address entry. blackhole: Specifies a blackhole MAC address entry. mac-address: Specifies a MAC address, in the form of H-H-H. When entering the MAC address, you can omit the leading 0s in each segment. For example, you can input f-e2-1 for 000f-00e2-0001. interface-type interface-number: Specifies the outgoing port by its type and number for the MAC address. All traffic destined for the MAC address will be sent out the port. vlan-id: Specifies a VLAN ID, in the range of 1 to 4094. The VLAN must already exist. mac-address-attribute: Specifies the criteria for removing MAC address entries. Available syntax options for the argument are described in Table 1-3. Table 1-3 Available syntax options for the mac-address-attribute argument Syntax Description { static | dynamic | blackhole } interface interface-type interface-number Removes the static, dynamic, or blackhole MAC address entries concerning a specified port. { static | dynamic | blackhole } vlan vlan-id Removes the static, dynamic, or blackhole MAC address entries concerning a specified VLAN. { static | dynamic | blackhole } mac-address [ interface interface-type interface-number ] vlan vlan-id Removes a specified static, dynamic, or blackhole MAC address entry. interface interface-type interface-number Removes all the MAC address entries concerning a specified port. vlan vlan-id Removes all the MAC address entries concerning a specified VLAN. 
mac-address [ interface interface-type interface-number ] vlan vlan-id
    Removes a specified MAC address entry.

Description
Use the mac-address command to add or modify a MAC address entry.
Use the undo mac-address command to remove one or more MAC address entries.
A MAC address entry configured with the mac-address command in Ethernet port view takes the current Ethernet port as its outgoing port.
If the MAC address you input in the mac-address command already exists in the MAC address table, the system modifies the attributes of the corresponding MAC address entry according to your settings in the command.
You can remove all unicast MAC address entries on a port, or remove only a specific type of MAC address entry: entries learnt by the system, configured dynamic or static entries, or blackhole entries.

Examples
# Configure a static MAC address entry with the following settings:
• MAC address: 000f-e20f-0101
• Outbound port: Ethernet 1/0/1
• Port Ethernet 1/0/1 belongs to VLAN 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-address static 000f-e20f-0101 interface Ethernet 1/0/1 vlan 2

mac-address max-mac-count

Syntax
mac-address max-mac-count count
undo mac-address max-mac-count

View
Ethernet port view

Parameters
count: Maximum number of MAC addresses a port can learn. This argument ranges from 0 to 8192. A value of 0 prevents the port from learning MAC addresses.

Description
Use the mac-address max-mac-count command to set the maximum number of MAC addresses an Ethernet port can learn.
Use the undo mac-address max-mac-count command to cancel the limitation on the number of MAC addresses an Ethernet port can learn.
By default, the number of MAC addresses an Ethernet port can learn is unlimited.
When you use the mac-address max-mac-count command, the port stops learning MAC addresses after the number of MAC addresses it has learned reaches the value of the count argument you provided. You can use the undo command to cancel this limit so that the port can learn MAC addresses without restriction. By default, no limit is set on the number of MAC addresses a port can learn.
To prevent unauthorized devices from accessing the network through a port, you can configure static MAC addresses and disable MAC address learning for the port. Then only packets destined for the configured MAC addresses can be forwarded out the port.
Related commands: mac-address, mac-address timer.

Examples
# Set the maximum number of MAC addresses port Ethernet 1/0/3 can learn to 600.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/3
[Sysname-Ethernet1/0/3] mac-address max-mac-count 600

mac-address timer

Syntax
mac-address timer { aging age | no-aging }
undo mac-address timer aging

View
System view

Parameters
aging age: Specifies the aging time (in seconds) for dynamic MAC address entries. The age argument ranges from 10 to 1000000.
no-aging: Specifies not to age dynamic MAC address entries.

Description
Use the mac-address timer command to set the MAC address aging timer.
Use the undo mac-address timer command to restore the default.
The default MAC address aging timer is 300 seconds. The timer applies only to dynamic address entries, both learnt and configured.
Setting an appropriate MAC address aging timer is important for the switch to run efficiently.
• If the aging timer is set too short, MAC address entries that are still valid may be removed. Upon receiving a packet destined for a MAC address that has already been removed, the switch broadcasts the packet through all its ports in the VLAN to which the packet belongs. This decreases the operating performance of the switch.
• If the aging timer is set too long, MAC address entries may remain even after they become invalid. This makes the switch unable to update its MAC address table in time, so the table cannot reflect changes in the location of network devices in time.

Examples
# Set the aging time of MAC address entries to 500 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-address timer aging 500

Table of Contents

1 MSTP Configuration Commands  1-1
  MSTP Configuration Commands  1-1
    active region-configuration  1-1
    check region-configuration  1-1
    display stp  1-3
    display stp abnormalport  1-6
    display stp portdown  1-7
    display stp region-configuration  1-8
    display stp root  1-9
    instance  1-10
    region-name  1-10
    reset stp  1-11
    revision-level  1-12
    stp  1-12
    stp bpdu-protection  1-14
    stp bridge-diameter  1-15
    stp compliance  1-15
    stp config-digest-snooping  1-17
    stp cost  1-19
    stp dot1d-trap  1-20
    stp edged-port  1-21
    stp loop-protection  1-22
    stp max-hops  1-24
    stp mcheck  1-25
    stp mode  1-26
    stp no-agreement-check  1-26
    stp pathcost-standard  1-28
    stp point-to-point  1-29
    stp port priority  1-31
    stp portlog  1-32
    stp portlog all  1-33
    stp priority  1-33
    stp region-configuration  1-34
    stp root primary  1-35
    stp root secondary  1-36
    stp root-protection  1-37
    stp tc-protection  1-38
    stp tc-protection threshold  1-39
    stp timer forward-delay  1-40
    stp timer hello  1-40
    stp timer max-age  1-41
    stp timer-factor  1-42
    stp transmit-limit  1-43
    vlan-mapping modulo  1-44
    vlan-vpn tunnel  1-45

1 MSTP Configuration Commands

MSTP Configuration Commands

active region-configuration

Syntax
active region-configuration

View
MST region view

Parameters
None

Description
Use the active region-configuration command to activate the settings of a multiple spanning tree (MST) region.
Configuring MST region-related parameters (especially the VLAN-to-instance mapping table) can result in network topology jitter.
To reduce the network topology jitter caused by such a configuration change, the multiple spanning tree protocol (MSTP) does not recalculate spanning trees immediately after the change; it does so only after you activate the new MST region-related settings or enable MSTP, and only then do the new settings take effect.
When you carry out this command, MSTP replaces the currently running MST region-related parameters with the parameters you have just configured and performs spanning tree recalculation.
Related commands: instance, region-name, revision-level, vlan-mapping modulo, check region-configuration.

Examples
# Activate the MST region-related settings.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp region-configuration
[Sysname-mst-region] active region-configuration

check region-configuration

Syntax
check region-configuration

View
MST region view

Parameters
None

Description
Use the check region-configuration command to display the MST region-related configuration that is currently being modified, including the region name, revision level, and VLAN-to-instance mapping table.
As specified in the MSTP protocol, the configuration of MST regions must be correct, especially the VLAN-to-instance mapping table. MSTP-enabled switches are in the same region only when they have the same format selector (an 802.1s-defined protocol selector, which is 0 by default and cannot be configured), region name, VLAN-to-instance mapping table, and revision level. A switch cannot be in the expected region if any of these four MST region-related parameters is inconsistent with those of the other switches in the region.
The 3Com switches support configuring only the MST region name, the VLAN-to-instance mapping table, and the revision level. Switches whose settings for these parameters are the same are assigned to the same MST region.
This command displays the configuration of an MST region that has not yet been activated.
You can use this command to find the MST region the switch currently belongs to, or to check whether the MST region-related configuration is correct.
Related commands: instance, region-name, revision-level, vlan-mapping modulo, active region-configuration.

Examples
# Display the MST region-related configuration.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp region-configuration
[Sysname-mst-region] check region-configuration
Admin Configuration
  Format selector :0
  Region name     :00e0fc003600
  Revision level  :0

  Instance  Vlans Mapped
     0      1 to 9, 11 to 4094
    16      10

Table 1-1 Description on the fields of the check region-configuration command
Field                   Description
Format selector         The selector specified by MSTP
Region name             The name of the MST region
Revision level          The revision level of the MST region
Instance, Vlans Mapped  VLAN-to-instance mappings in the MST region

display stp

Syntax
display stp [ instance instance-id ] [ interface interface-list | slot slot-number ] [ brief ]

View
Any view

Parameters
instance-id: ID of the MSTI, ranging from 0 to 16. The value 0 refers to the common and internal spanning tree (CIST).
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
slot slot-number: Specifies a slot whose STP-related information is to be displayed.
brief: Displays only the port state and the protection measures taken on the port.

Description
Use the display stp command to display the state and statistical information about one or all spanning trees. The state and statistical information about MSTP can be used to analyze and maintain the topology of a network. It can also be helpful when trying to make MSTP operate properly.
• If neither an MSTI nor a port list is specified, the command displays spanning tree information about all MSTIs on all ports, in order of port number.
• If only an MSTI is specified, the command displays information about the specified MSTI on all ports, in order of port number.
• If only a port list is specified, the command displays information about all MSTIs on these ports, in order of port number.
• If both an MSTI ID list and a port list are specified, the command displays spanning tree information about the specified MSTIs on the specified ports, in order of MSTI ID.
MSTP state information includes:
1) Global CIST parameters: protocol operating mode, switch priority in the CIST instance, MAC address, hello time, max age, forward delay, max hops, the common root of the CIST, the external path cost for the switch to reach the CIST common root, region root, the internal path cost for the switch to reach the region root, CIST root port of the switch, the state of the BPDU guard function (enabled or disabled), the state of the digest snooping feature (enabled or disabled), and the state of the TC-BPDU attack guard function (enabled or disabled).
2) CIST port parameters: port protocol, port role, port priority, path cost, designated bridge, designated port, edge port/non-edge port, whether or not the link on a port is a point-to-point link, format of the MST BPDUs that the port can send, the maximum transmitting speed, type of the enabled guard function, state of the digest snooping feature (enabled or disabled), VLAN mappings, hello time, max age, forward delay, message-age time, and remaining hops.
3) Global MSTI parameters: MSTI instance ID, bridge priority of the instance, region root, internal path cost, MSTI root port, master bridge, and external path cost.
4) MSTI port parameters: port state, role, priority, path cost, designated bridge, designated port, remaining hops, and the number of VLANs mapped to the current MSTI.
The statistical information includes the numbers of TCN BPDUs, configuration BPDUs, RST BPDUs, and MST BPDUs transmitted/received by each port.
Related commands: reset stp.

Examples
# Display the brief state information of MSTI 0 on Ethernet 1/0/1 through Ethernet 1/0/4.
<Sysname> display stp instance 0 interface Ethernet 1/0/1 to Ethernet 1/0/4 brief
MSTID  Port            Role  STP State   Protection
    0  Ethernet1/0/1   ALTE  DISCARDING  LOOP
    0  Ethernet1/0/2   DESI  FORWARDING  NONE
    0  Ethernet1/0/3   DESI  FORWARDING  NONE
    0  Ethernet1/0/4   DESI  FORWARDING  NONE

Table 1-2 Description on the fields of the display stp brief command
Field       Description
MSTID       ID of an MSTI in the MST region
Port        Port index corresponding to an MSTI
Role        Port role, which can be one of the following:
            • ALTE: The port is an alternate port
            • BACK: The port is a backup port
            • ROOT: The port is a root port
            • DESI: The port is a designated port
            • MAST: The port is a master port
            • DISA: The port is disabled
STP State   MSTP state on the port, which can be:
            • FORWARDING: The port learns MAC addresses and forwards user traffic
            • DISCARDING: The port does not learn MAC addresses or forward user traffic
            • LEARNING: The port learns MAC addresses but does not forward user traffic
Protection  Protection type of the port, which can be one of the following:
            • ROOT: Root protection
            • LOOP: Loop protection
            • BPDU: BPDU protection
            • NONE: No protection

# Display the detailed MSTP status information and statistics.
<Sysname> display stp instance 0 interface Ethernet 1/0/2
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge         :32768.00e0-fc12-4001
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.000f-cb00-6600 / 200
CIST RegRoot/IRPC   :32768.00e0-fc12-4001 / 0
CIST RootPortId     :128.22
BPDU-Protection     :disabled
TC-Protection       :enabled / Threshold=6
Bridge Config Digest Snooping :disabled
TC or TCN received  :0
Time since last TC  :0 days 1h:33m:54s

----[Port2(Ethernet1/0/2)][DOWN]----
Port Protocol       :enabled
Port Role           :CIST Disabled Port
Port Priority       :128
Port Cost(Legacy)   :Config=auto / Active=200000
Desg. Bridge/Port   :32768.00e0-fc12-4001 / 128.2
Port Edged          :Config=disabled / Active=disabled
Point-to-point      :Config=auto / Active=false
Transmit Limit      :10 packets/hello-time
Protection Type     :None
MSTP BPDU format    :Config=auto / Active=legacy
Port Config Digest Snooping :disabled
Num of Vlans Mapped :1
PortTimes           :Hello 2s MaxAge 20s FwDly 15s MsgAge 0s RemHop 20
BPDU Sent           :0
         TCN: 0, Config: 0, RST: 0, MST: 0
BPDU Received       :0
         TCN: 0, Config: 0, RST: 0, MST: 0

Table 1-3 display stp command output description
Field                            Description
CIST Bridge                      CIST bridge ID
Bridge Times                     Major parameters for the bridge:
                                 • Hello: Hello timer
                                 • MaxAge: Max Age timer
                                 • FwDly: Forward delay timer
                                 • MaxHop: Max hops within the MST region
CIST Root/ERPC                   CIST root and external path cost
CIST RegRoot/IRPC                CIST regional root and internal path cost
CIST RootPortId                  CIST root port ID
BPDU-Protection                  Indicates whether BPDU protection is enabled globally.
TC-Protection*** / Threshold=**  Indicates whether the TC-BPDU attack guard function is enabled globally, and the maximum number of times the switch can remove the MAC address table and ARP entries within each 10 seconds.
Bridge Config Digest Snooping    Indicates whether Digest Snooping is enabled globally on the bridge.
TC or TCN received               Number of received TC/TCN packets
Time since last TC               Time of the latest topology change
Port Protocol                    Indicates whether STP is enabled on the port
Port Role                        Port role, which can be Alternate, Backup, Root, Designated, Master, or Disabled
Port Priority                    Port priority
Port Cost(Legacy)                Path cost of the port. The term in brackets indicates the standard used for port path cost calculation, which can be legacy, dot1d-1998, or dot1t. Config indicates the configured value, and Active indicates the actual value.
Desg. Bridge/Port                Designated bridge ID and port ID of the port. The port ID displayed is insignificant for a port that does not support port priority.
Port Edged                       Indicates whether the port is an edge port. Config indicates the configured value, and Active indicates the actual value.
Point-to-point                   Indicates whether the port is connected to a point-to-point link. Config indicates the configured value, and Active indicates the actual value.
Transmit Limit                   The maximum number of packets sent within each Hello time
Protection Type                  Protection type on the port, including Root guard and Loop guard
MST BPDU format                  Format of the MST BPDUs that the port can send, which can be legacy or 802.1s. Config indicates the configured value, and Active indicates the actual value.
Port Config Digest Snooping      Indicates whether digest snooping is enabled on the port.
Num of Vlans Mapped
                                 Number of VLANs mapped to the current MSTI
PortTimes                        Major parameters for the port:
                                 • Hello: Hello timer
                                 • MaxAge: Max Age timer
                                 • FwDly: Forward delay timer
                                 • MsgAge: Message Age timer
                                 • Remain Hop: Remaining hops
BPDU Sent                        The number of BPDUs sent since MSTP was enabled on the device
BPDU Received                    The number of BPDUs received since MSTP was enabled on the device

display stp abnormalport

Syntax
display stp abnormalport

View
Any view

Parameters
None

Description
Use the display stp abnormalport command to display the ports that are blocked by STP guard functions.

Examples
# Display the ports that are blocked by STP guard functions.
<Sysname> display stp abnormalport
MSTID      Port                  Block Reason
---------  --------------------  -------------
0          Ethernet1/0/20        Root-Protection
1          Ethernet1/0/21        Loop-Protection

Table 1-4 Description on the fields of the display stp abnormalport command
Field         Description
MSTID         MSTI ID in the MST region
Port          Port that has been blocked
Block Reason  The function blocking the port:
              • Root-Protected: root guard function
              • Loop-Protected: loop guard function
              • Formatcompatibility-Protected: MSTP BPDU format incompatibility protection function

display stp portdown

Syntax
display stp portdown

View
Any view

Parameters
None

Description
Use the display stp portdown command to display the ports that are shut down by STP guard functions.

Examples
# Display the ports that are shut down by STP guard functions.
<Sysname> display stp portdown
Port                   Down Reason
---------------------  ------------
Ethernet1/0/20         BPDU-Protection

Table 1-5 Description on the fields of the display stp portdown command
Field        Description
Port         Port that has been shut down
Down Reason  Reason that caused the port to be shut down:
             • BPDU-Protected: BPDU attack guard function
             • Formatfrequency-Protected: MSTP BPDU format frequent change protection function

display stp region-configuration

Syntax
display stp region-configuration

View
Any view

Parameters
None

Description
Use the display stp region-configuration command to display the activated MST region configuration, including the region name, region revision level, and VLAN-to-instance mappings configured for the switch.
Related commands: stp region-configuration.

Examples
# Display the configuration of the MST region.
<Sysname> display stp region-configuration
Oper Configuration
  Format selector :0
  Region name     :hello
  Revision level  :0

  Instance  Vlans Mapped
     0      21 to 4094
     1      1 to 10
     2      11 to 20

Table 1-6 Description on the fields of the display stp region-configuration command
Field                   Description
Format selector         The selector specified by MSTP
Region name             The name of the MST region
Revision level          Revision level of the MST region, which can be configured using the revision-level command and defaults to 0.
Instance, Vlans Mapped  VLAN-to-instance mappings in the MST region

display stp root

Syntax
display stp root

View
Any view

Parameters
None

Description
Use the display stp root command to display information about the root ports in the MSTP region where the switch resides.

Examples
# Display information about the root ports in the MSTP region where the switch resides.
<Sysname> display stp root
MSTID  Root Bridge ID        ExtPathCost  IntPathCost  Root Port
-----  --------------------  -----------  -----------  --------------
    0  32768.00e0-fc53-d908            0          200  Ethernet1/0/18

Table 1-7 Description on the fields of the display stp root command
Field           Description
MSTID           MSTI ID in the MST region
Root Bridge ID  ID of the root bridge
ExtPathCost     Cost of the external path from the switch to the root bridge.
                The device can automatically calculate the default path cost of a port, or alternatively you can use the stp cost command to configure the path cost of a port.
IntPathCost     Cost of the internal path from the switch to the root bridge. The device can automatically calculate the default path cost of a port, or alternatively you can use the stp cost command to configure the path cost of a port.
Root Port       Root port. If a port on the current device is an MSTI root port, the port type and port number are displayed; otherwise, no root port name is displayed.

instance

Syntax
instance instance-id vlan vlan-list
undo instance instance-id [ vlan vlan-list ]

View
MST region view

Parameters
instance-id: ID of an MSTI, ranging from 0 to 16. The value 0 refers to the CIST.
vlan-list: List of VLANs. You need to provide this argument in the form of vlan-list = { vlan-id [ to vlan-id ] }&<1-10>, where &<1-10> means that you can provide up to 10 VLAN IDs/VLAN ID ranges for this argument. Normally, a VLAN ID can be a number ranging from 1 to 4094.

Description
Use the instance command to map specified VLANs to a specified MSTI.
Use the undo instance command to remove the mappings from the specified VLANs to the specified MSTI and remap the specified VLANs to the CIST (MSTI 0). If you specify no VLAN in the undo instance command, all VLANs that are mapped to the specified MSTI are remapped to the CIST.
By default, all VLANs are mapped to the CIST.
VLAN-to-instance mappings are recorded in the VLAN-to-instance mapping table of an MSTP-enabled switch, so these two commands actually manipulate the VLAN-to-instance mapping table: you can add a VLAN to, or remove a VLAN from, the mapping of a specific MSTI by using them.
Note that a VLAN cannot be mapped to multiple MSTIs at the same time. A VLAN-to-instance mapping is automatically removed if you map the VLAN to another MSTI.
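The mapping rules of instance and undo instance above, together with the region-membership rule given under check region-configuration (same region name, revision level and VLAN-to-instance mapping table), modelled in Python as an added example; this is not code from the 3Com guide or the switch software, and the region names, revision levels and VLAN lists used are constructed.

```python
"""Model of an MST region's VLAN-to-instance mapping table plus a
region-consistency check between two switches. Added example, not code from
the 3Com guide or the switch firmware: it applies the rules stated for the
instance command (every VLAN maps to exactly one MSTI, all VLANs map to the
CIST by default, mapping a VLAN to another MSTI drops its previous mapping,
undo remaps to the CIST) and compares the three parameters the Switch 4210
uses for region membership: region name, revision level and mapping table."""

CIST = 0            # MSTI 0 is the CIST
MAX_INSTANCE = 16   # instance-id ranges from 0 to 16 on this platform
MAX_VLAN = 4094     # vlan-id ranges from 1 to 4094


class MstRegion:
    def __init__(self, region_name, revision_level=0):
        self.region_name = region_name        # switch default: its MAC address
        self.revision_level = revision_level  # switch default: 0
        # VLAN -> MSTI. By default every VLAN belongs to the CIST.
        self.mapping = {v: CIST for v in range(1, MAX_VLAN + 1)}

    def instance(self, instance_id, vlans):
        """Equivalent of: [Sysname-mst-region] instance <id> vlan <list>"""
        if not 0 <= instance_id <= MAX_INSTANCE:
            raise ValueError("MSTI ID must be in the range 0 to 16")
        for v in vlans:
            if not 1 <= v <= MAX_VLAN:
                raise ValueError("VLAN ID must be in the range 1 to 4094")
            # A VLAN cannot belong to two MSTIs: the old mapping is replaced.
            self.mapping[v] = instance_id
        return self

    def undo_instance(self, instance_id, vlans=None):
        """Equivalent of: [Sysname-mst-region] undo instance <id> [ vlan <list> ]
        With no VLAN list, every VLAN of that MSTI goes back to the CIST."""
        targets = vlans if vlans is not None else list(self.mapping)
        for v in targets:
            if self.mapping.get(v) == instance_id:
                self.mapping[v] = CIST
        return self

    def vlans_mapped(self, instance_id):
        """Render one MSTI's VLANs like the 'Vlans Mapped' column of
        check region-configuration, e.g. '1 to 9, 11 to 4094'."""
        vlans = sorted(v for v, i in self.mapping.items() if i == instance_id)
        parts, start = [], None
        for idx, v in enumerate(vlans):
            if start is None:
                start = v
            run_ends = idx + 1 == len(vlans) or vlans[idx + 1] != v + 1
            if run_ends:
                parts.append(str(v) if start == v else f"{start} to {v}")
                start = None
        return ", ".join(parts)


def region_mismatches(a, b):
    """Names of the region parameters on which switches a and b differ;
    an empty list means the two switches land in the same MST region."""
    problems = []
    if a.region_name != b.region_name:
        problems.append("region name")
    if a.revision_level != b.revision_level:
        problems.append("revision level")
    if a.mapping != b.mapping:
        problems.append("VLAN-to-instance mapping table")
    return problems


def page_example_region():
    """Reproduces the check region-configuration output shown on this page:
    region name 00e0fc003600, revision level 0, VLAN 10 mapped to MSTI 16."""
    return MstRegion("00e0fc003600").instance(16, [10])


if __name__ == "__main__":
    region = page_example_region()
    for msti in (0, 16):
        print(f"Instance {msti:>2}  Vlans Mapped {region.vlans_mapped(msti)}")
    peer = MstRegion("00e0fc003600", revision_level=1)  # constructed peer
    print("mismatches with peer:", region_mismatches(region, peer))
```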
Related commands: region-name, revision-level, region-configuration, active region-configuration.

Examples
# Map VLAN 2 to MSTI 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp region-configuration
[Sysname-mst-region] instance 1 vlan 2

region-name

Syntax
region-name name
undo region-name

View
MST region view

Parameters
name: MST region name to be set for the switch, a string of 1 to 32 characters.

Description
Use the region-name command to set an MST region name for a switch.
Use the undo region-name command to restore the MST region name to the default value.
The default MST region name of a switch is its MAC address.
The MST region name, along with the VLAN-to-instance mapping table and the MSTP revision level, determines the MST region to which a switch belongs.
Related commands: instance, revision-level, check region-configuration, vlan-mapping modulo, active region-configuration.

Examples
# Set the MST region name of the switch to hello.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp region-configuration
[Sysname-mst-region] region-name hello

reset stp

Syntax
reset stp [ interface interface-list ]

View
User view

Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description
Use the reset stp command to clear spanning tree statistics. The spanning tree statistics include the numbers of TCN BPDUs, configuration BPDUs, RST BPDUs, and MST BPDUs sent/received through one or more specified ports or all ports (note that BPDUs and TCN BPDUs are counted only for the CIST).
Note that:
• If you specify the interface-list argument, this command clears the spanning tree statistics on the specified ports.
• If you do not specify the interface-list argument, this command clears the spanning tree statistics on all ports.
Related commands: display stp.

Examples
# Clear the spanning tree statistics on Ethernet 1/0/1 through Ethernet 1/0/3.
<Sysname> reset stp interface Ethernet 1/0/1 to Ethernet 1/0/3

revision-level

Syntax
revision-level level
undo revision-level

View
MST region view

Parameters
level: MSTP revision level to be set for the switch. This argument ranges from 0 to 65,535.

Description
Use the revision-level command to set the MSTP revision level for a switch.
Use the undo revision-level command to restore the revision level to the default value.
By default, the MSTP revision level of a switch is 0.
The MSTP revision level, along with the MST region name and the VLAN-to-instance mapping table, determines the MST region to which a switch belongs. When the MST region name and VLAN-to-instance mapping table are both the same for two MST regions, you can still tell them apart by their MSTP revision levels.
Related commands: instance, region-name, check region-configuration, vlan-mapping modulo, active region-configuration.

Examples
# Set the MSTP revision level of the MST region to 5.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp region-configuration
[Sysname-mst-region] revision-level 5

stp

Syntax
• System view, Ethernet port view:
  stp { enable | disable }
  undo stp
• System view:
  stp interface interface-list { enable | disable }

View
System view, Ethernet port view

Parameters
enable: Enables MSTP.
disable: Disables MSTP.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description
• Use the stp command in system view to enable/disable MSTP globally.
  Use the undo stp command in system view to restore the MSTP state to the default globally.
• Use the stp command in Ethernet port view to enable/disable MSTP on a port. Use the undo stp command in Ethernet port view to restore the MSTP state to the default on a port.
• Use the stp interface command in system view to enable or disable MSTP on specified ports.
By default, MSTP is enabled both globally and on ports.
Note that:
• After you enable MSTP, the device works in STP-compatible mode, RSTP mode, or MSTP mode depending on the MSTP mode setting, which is configurable with the stp mode command.
• To control MSTP flexibly, you can use the undo stp enable command to disable MSTP on ports that are not intended to take part in spanning tree calculation, thus saving CPU resources.
• After being enabled, MSTP dynamically maintains the spanning tree status of VLANs based on received configuration BPDUs. After being disabled, it stops maintaining the spanning tree status. Disabling MSTP on ports may result in data loops that can destabilize a network.
Related commands: stp mode.

Examples
# Enable MSTP globally.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp enable
# Disable MSTP on Ethernet 1/0/1.
• Disable MSTP on Ethernet 1/0/1 in Ethernet port view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp disable
• Disable MSTP on Ethernet 1/0/1 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 disable
# Disable MSTP on Ethernet 1/0/1 to Ethernet 1/0/4 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 to Ethernet 1/0/4 disable

stp bpdu-protection

Syntax
stp bpdu-protection
undo stp bpdu-protection

View
System view

Parameters
None

Description
Use the stp bpdu-protection command to enable the BPDU guard function on the switch.
Use the undo stp bpdu-protection command to restore the BPDU guard function to its default state.
By default, the BPDU guard function is disabled.
Normally, the access ports of devices operating on the access layer are directly connected to terminals (such as PCs) or file servers. These ports are usually configured as edge ports to implement rapid transition. But they automatically revert to non-edge ports upon receiving configuration BPDUs, which causes spanning tree recalculation and network topology jitter.
Normally, no configuration BPDU will reach an edge port. But malicious users can attack a network by deliberately sending configuration BPDUs to edge ports to cause network jitter. You can prevent such attacks by enabling the BPDU guard function. With this function enabled on a switch, the switch shuts down any edge port that receives a configuration BPDU and reports the event to the administrator. Once an edge port has been shut down in this way, only the administrator can restore it.
You are recommended to enable BPDU guard on devices with edge ports configured.

Examples
# Enable the BPDU guard function.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp bpdu-protection

stp bridge-diameter

Syntax
stp bridge-diameter bridgenum
undo stp bridge-diameter

View
System view

Parameters
bridgenum: Network diameter to be set for a switched network. This argument ranges from 2 to 7.

Description
Use the stp bridge-diameter command to set the network diameter of a switched network. The network diameter of a switched network is the maximum possible number of switches between any two terminal devices in that network.
Use the undo stp bridge-diameter command to restore the network diameter to the default value.
By default, the network diameter is 7.
After you configure the network diameter of a switched network, MSTP adjusts its hello time, forward delay, and max age settings accordingly. With the network diameter set to the default value 7, the three time-related settings (hello time, forward delay, and max age) are set to their default values as well.
The stp bridge-diameter command only applies to the CIST. It is invalid for MSTIs.
Related commands: stp timer forward-delay, stp timer hello, stp timer max-age.

Examples
# Set the network diameter to 5.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp bridge-diameter 5

stp compliance

Syntax
• Ethernet port view:
stp compliance { auto | legacy | dot1s }
undo stp compliance
• System view:
stp interface interface-list compliance { auto | legacy | dot1s }
undo stp interface interface-list compliance

View
System view, Ethernet port view

Parameters
auto: Configures the port(s) to recognize the MSTP BPDU format automatically and to determine the format of the MSTP BPDUs to send accordingly.
legacy: Configures the port(s) to receive and send only compatible-format MSTP BPDUs.
dot1s: Configures the port(s) to receive and send only standard-format (802.1s-compliant) MSTP BPDUs.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description
• Use the stp compliance command in Ethernet port view to configure the mode the port(s) will use to recognize and send MSTP BPDUs. Use the undo stp compliance command to restore the system default.
• Use the stp interface compliance command in system view to set the mode in which a port recognizes and sends MSTP packets. Use the undo stp interface compliance command to restore the default.
The default mode is auto, namely all ports recognize the BPDU format automatically.
Note that:
• If the mode is set to auto on a port, the port automatically recognizes and resolves received compatible-format BPDUs or 802.1s-compliant BPDUs, and sends, when needed, compatible-format or 802.1s-compliant BPDUs.
• If the mode is set to legacy or dot1s on a port, the port can only receive and send BPDUs of the specified format. If the port is configured not to detect the packet format automatically while it works in MSTP mode, and it receives a packet in a format other than the configured one, it becomes a designated port and remains in the discarding state to prevent a loop.

Examples
# Configure Ethernet 1/0/1 to recognize and send MSTP BPDUs in dot1s format.
• In Ethernet port view.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp compliance dot1s
• In system view.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] stp interface Ethernet1/0/1 compliance dot1s
# Configure Ethernet 1/0/2 to Ethernet 1/0/4 to recognize and send MSTP BPDUs in dot1s format.
<Sysname> system-view
[Sysname] stp interface Ethernet 1/0/2 to Ethernet1/0/4 compliance dot1s

stp config-digest-snooping

Syntax
• System view, Ethernet port view:
stp config-digest-snooping
undo stp config-digest-snooping
• System view:
stp interface interface-list config-digest-snooping
undo stp interface interface-list config-digest-snooping

View
System view, Ethernet port view

Parameters
interface-list: Ethernet port list.
You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description
• Use the stp config-digest-snooping command to enable the digest snooping feature. Use the undo stp config-digest-snooping command to disable the digest snooping feature. Configured in system view, the setting takes effect globally; configured in Ethernet port view, the setting takes effect on the current port only.
• Use the stp interface config-digest-snooping command in system view to enable the digest snooping feature on specific ports. Use the undo stp interface config-digest-snooping command in system view to disable the digest snooping feature on specific ports.
The digest snooping feature is disabled by default.
To enable the digest snooping feature successfully, you must first enable it on all the switch ports that connect to another manufacturer's switches adopting proprietary spanning tree protocols, and then enable it globally.
According to IEEE 802.1s, two interconnected switches can interwork with each other through MSTIs in an MST region only when the two switches have the same MST region-related configuration. With MSTP enabled, interconnected switches determine whether or not they are in the same MST region by checking the configuration IDs of the BPDUs exchanged between them. (A configuration ID contains information such as the region ID and the configuration digest.) Because some other manufacturers' switches adopt proprietary spanning tree protocols, they cannot interwork with other switches in an MST region even if they are configured with the same MST region-related settings as the other switches in the region. This kind of problem can be overcome by implementing the digest snooping feature.
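The configuration ID comparison described in the preceding paragraph, as an added example in Python (not 3Com code and not the switch's own implementation): it builds the IEEE 802.1s configuration ID and shows the region check with and without digest snooping. The HMAC-MD5 digest construction and its fixed key come from the IEEE 802.1s standard, not from this manual; the relaxed check under snooping (region name and revision level compared, the peer's digest accepted and echoed back) is this example's model of the behaviour described for the feature, and the "foreign" digest in the test is a constructed stand-in for a proprietary one.

```python
"""MST configuration ID check, as described under stp config-digest-snooping.

Added example (not 3Com code): builds the IEEE 802.1s MST Configuration
Identifier (format selector, region name, revision level, configuration
digest) and shows how two switches decide whether they are in the same
MST region, with and without digest snooping. The digest construction
(HMAC-MD5 over the 4096-entry VLAN-to-instance table with the fixed key
from IEEE 802.1s / 802.1Q-2005 clause 13.7) is standard behaviour and is
not taken from this manual.
"""
import hashlib
import hmac

# Fixed signature key defined by IEEE 802.1s for the configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Length of the part of the 51-octet configuration ID that precedes the
# 16-byte digest: format selector (1) + region name (32) + revision (2).
NAME_AND_REVISION_END = 1 + 32 + 2


def config_digest(vlan_to_instance):
    """Return the 16-byte configuration digest for a VLAN-to-instance map.

    vlan_to_instance maps VLAN ID (1..4094) to MSTI (0..16 on this switch
    family). Unmapped VLANs belong to the CIST (instance 0). The signed
    table is 4096 two-octet entries in network byte order, indexed by
    VLAN ID; entries 0 and 4095 stay 0.
    """
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_instance.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN {vid} out of range")
        if not 0 <= msti <= 16:
            raise ValueError(f"MSTI {msti} out of range")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).digest()


def config_id(region_name, revision, vlan_to_instance):
    """Build the MST Configuration Identifier carried in MSTP BPDUs."""
    name = region_name.encode("ascii")
    if len(name) > 32:
        raise ValueError("region name is limited to 32 octets")
    if not 0 <= revision <= 65535:
        raise ValueError("revision level is limited to 0..65535")
    return (
        b"\x00"                        # format selector
        + name.ljust(32, b"\x00")      # configuration name, zero padded
        + revision.to_bytes(2, "big")  # revision level
        + config_digest(vlan_to_instance)
    )


def same_region(local_id, received_id):
    """Without digest snooping, a BPDU is treated as coming from the local
    region only if the whole configuration ID matches: name, revision
    level and digest."""
    return local_id == received_id


def same_region_with_snooping(local_id, received_id):
    """Model of the relaxed check (assumption): with digest snooping on the
    receiving port, the digest the peer computed, possibly with a
    proprietary algorithm, is accepted as is; only region name and
    revision level still have to match."""
    return local_id[:NAME_AND_REVISION_END] == received_id[:NAME_AND_REVISION_END]


def outgoing_id_with_snooping(local_id, snooped_digest):
    """BPDUs sent back to the peer carry the recorded (snooped) digest in
    place of the locally computed one."""
    return local_id[:NAME_AND_REVISION_END] + snooped_digest
```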
If a switch port is connected to another manufacturer's switch that has the same MST region-related settings but adopts a proprietary spanning tree protocol, you can enable the digest snooping feature on the port that will be receiving BPDU packets from that switch. The switch then considers these BPDU packets to be from its own MST region and records the configuration digests carried in the BPDU packets received from that switch; it places the recorded digests in the BPDU packets it sends to the other manufacturer's switch. In this way, the switch can interwork with another manufacturer's switches in an MST region.
• When the digest snooping feature is enabled on a port, the port turns to the discarding state. That is, the port stops sending BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port.
• The digest snooping feature is needed only when your switch is connected to another manufacturer's switches adopting proprietary spanning tree protocols.
• To enable the digest snooping feature, the interconnected switches and the other manufacturer's switch adopting a proprietary spanning tree protocol must be configured with exactly the same MST region-related configuration (including region name, revision level, and VLAN-to-instance mapping).
• The digest snooping feature must be enabled on all the switch ports that connect to another manufacturer's switches adopting proprietary spanning tree protocols in the same MST region.
• When the digest snooping feature is enabled globally, the VLAN-to-instance mapping table cannot be modified.
• The digest snooping feature is not applicable to boundary ports in an MST region.
• The digest snooping feature is not applicable to edge ports in an MST region.

Examples
# Enable the digest snooping feature on Ethernet 1/0/1.
• Enable the digest snooping feature on Ethernet 1/0/1 in Ethernet port view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp config-digest-snooping
[Sysname-Ethernet1/0/1] quit
[Sysname] stp config-digest-snooping
• Enable the digest snooping feature on Ethernet 1/0/1 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 config-digest-snooping
[Sysname] stp config-digest-snooping
# Enable the digest snooping feature on Ethernet 1/0/2 to Ethernet 1/0/4.
<Sysname> system-view
[Sysname] stp interface Ethernet 1/0/2 to Ethernet1/0/4 config-digest-snooping
[Sysname] stp config-digest-snooping

stp cost

Syntax
• Ethernet port view:
stp [ instance instance-id ] cost cost
undo stp [ instance instance-id ] cost
• System view:
stp interface interface-list [ instance instance-id ] cost cost
undo stp interface interface-list [ instance instance-id ] cost

View
System view, Ethernet port view

Parameters
instance-id: ID of an MSTI, ranging from 0 to 16. The value 0 refers to the CIST.
cost: Path cost to be set for the port. STP uses path costs to indicate the quality of links. A smaller path cost indicates a higher link quality. The range of the cost argument varies with the standard used for calculating the default path cost of a port, as follows:
• With the IEEE 802.1D-1998 standard selected, the path cost of an Ethernet port ranges from 1 to 65535.
• With the IEEE 802.1t standard selected, the path cost of an Ethernet port ranges from 1 to 200000000.
• With the proprietary standard selected, the path cost of an Ethernet port ranges from 1 to 200000.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
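The three cost ranges above correspond to the default-cost standards of Table 1-8 (see stp pathcost-standard). As an added example (not 3Com code), the following Python derives the Table 1-8 defaults from the link rate and the number of aggregated ports using the formula given with that table, and validates a cost given to stp cost against the range of the selected standard. The per-port reduction in the private-standard column and any aggregated link of more than four ports are this example's extrapolation from the table.

```python
"""Default path costs per standard, worked from Table 1-8 (under
stp pathcost-standard) and the aggregated-link formula given there.

Added example (not 3Com code). The IEEE 802.1t costs are derived from the
manual's formula, the private ("legacy") costs from the pattern of that
column in Table 1-8, and the 802.1d-1998 costs are the fixed per-speed
figures of Table 1-8, since that standard ignores the number of
aggregated ports. Speeds are in Mbps; a speed of 0 is a link that is
down. Aggregated links of more than 4 ports are not listed in Table 1-8,
so the values for them are an extrapolation (assumption).
"""

# Valid range of a manually configured cost under each standard (from the
# cost argument of stp cost).
COST_RANGE = {
    "dot1d-1998": (1, 65_535),
    "dot1t": (1, 200_000_000),
    "legacy": (1, 200_000),
}

# 802.1d-1998 column of Table 1-8: (single-port cost, aggregated-link cost).
DOT1D_1998 = {
    0: (65_535, 65_535),
    10: (100, 95),
    100: (19, 15),
    1_000: (4, 3),
    10_000: (2, 1),
}


def link_rate_100kbps(speed_mbps, ports):
    """The manual's 'link transmission rate': the sum of the rates of all
    unblocked ports on the link, in units of 100 Kbps."""
    return speed_mbps * 10 * ports


def default_path_cost(standard, speed_mbps, ports=1):
    """Default path cost of a port (or aggregated link) under a standard."""
    if ports < 1:
        raise ValueError("an aggregated link needs at least one unblocked port")
    if standard == "dot1t":
        if speed_mbps == 0:
            return 200_000_000
        # Table 1-8 formula: Path cost = 200,000,000 / link transmission rate
        return 200_000_000 // link_rate_100kbps(speed_mbps, ports)
    if standard == "legacy":
        if speed_mbps == 0:
            return 200_000
        # Private standard: 200,000 / rate for one port, reduced by 10 % of
        # the single-port cost for each additional aggregated port
        # (reproduces the 2,000 / 1,800 / 1,600 / 1,400 column), never below 1.
        single = 200_000 // link_rate_100kbps(speed_mbps, 1)
        return max(1, single * (10 - (ports - 1)) // 10)
    if standard == "dot1d-1998":
        if speed_mbps not in DOT1D_1998:
            raise ValueError(f"Table 1-8 lists no 802.1d-1998 cost for {speed_mbps} Mbps")
        single, aggregated = DOT1D_1998[speed_mbps]
        return single if ports == 1 else aggregated
    raise ValueError(f"unknown path cost standard {standard!r}")


def is_valid_configured_cost(standard, cost):
    """Check a cost given to stp cost against the range the standard allows."""
    low, high = COST_RANGE[standard]
    return low <= cost <= high


def table_1_8_row(speed_mbps, ports=1):
    """One row of Table 1-8: costs under 802.1d-1998, 802.1t and the private
    standard, in that order."""
    return tuple(default_path_cost(s, speed_mbps, ports)
                 for s in ("dot1d-1998", "dot1t", "legacy"))
```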
Description
• Use the stp cost command in Ethernet port view to set the path cost of the current port in a specified MSTI. Use the undo stp cost command in Ethernet port view to restore the default path cost of the current port in the specified MSTI.
• Use the stp interface cost command in system view to set the path cost(s) of the specified port(s) in a specified MSTI. Use the undo stp interface cost command in system view to restore the default path cost(s) of the specified port(s) in the specified MSTI.
By default, a switch automatically calculates the path costs of a port in different MSTIs based on a specified standard.
Path cost is an important factor in spanning tree calculation. Setting different path costs for a port in different MSTIs allows VLAN traffic flows to be forwarded along different physical links, thus achieving VLAN-based load balancing.
Note that:
• If you specify the instance-id argument as 0 or do not specify this argument, the stp cost command sets the path cost of the port in the CIST.
• Changing the path cost of a port in an MSTI may change the role of the port in the instance and put it in state transition.
• Ports with different rates have different default path costs. For details, see Table 1-8.

Examples
# Set the path cost of Ethernet 1/0/1 in MSTI 2 to 200.
• Set the path cost of Ethernet 1/0/1 in MSTI 2 to 200 in Ethernet port view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp instance 2 cost 200
• Set the path cost of Ethernet 1/0/1 in MSTI 2 to 200 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 instance 2 cost 200
# Set the path cost of Ethernet 1/0/2 to Ethernet 1/0/4 in MSTI 2 to 400 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 instance 2 cost 400

stp dot1d-trap

Syntax
stp [ instance instance-id ] dot1d-trap [ newroot | topologychange ] enable
undo stp [ instance instance-id ] dot1d-trap [ newroot | topologychange ] enable

View
System view

Parameters
instance-id: MSTI ID, ranging from 0 to 16. The value 0 refers to the CIST. With this argument specified, the trap messages sent are only those of the MSTI identified by this argument.
newroot: Sends 802.1d-compliant trap messages to the network management device when the switch becomes the root bridge of an instance.
topologychange: Sends 802.1d-compliant trap messages to the network management device when the switch detects network topology changes.

Description
Use the stp dot1d-trap command to enable a switch to send 802.1d-compliant traps when the MSTP network topology changes.
Use the undo stp dot1d-trap command to disable this function.
By default, the switch is not enabled to send 802.1d-compliant topology change information of spanning tree instances 0 to 16 to the network management device. By default, when the local switch becomes the regional root of a spanning tree instance in the range of 0 to 16, it sends newroot traps to the network management device.
When enabled, the switch sends the following two types of 802.1d-compliant traps to the network management device:
• When the switch is configured to be the root bridge of a spanning tree instance, it sends 802.1d-compliant newroot traps to the network management device.
• When the switch detects a topology change, it sends 802.1d-compliant topology-change traps to the network management device.
The stp instance instance-id dot1d-trap enable command enables both the newroot and the topology-change trap functions for the specified spanning tree instance at the same time.
Examples
# Enable a switch to send 802.1d-compliant trap messages to the network management device when the switch becomes the root bridge of MSTI 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp instance 1 dot1d-trap newroot enable

stp edged-port

Syntax
• Ethernet port view:
stp edged-port { enable | disable }
undo stp edged-port
• System view:
stp interface interface-list edged-port { enable | disable }
undo stp interface interface-list edged-port

View
System view, Ethernet port view

Parameters
enable: Configures the port as an edge port.
disable: Configures the port as a non-edge port.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description
• Use the stp edged-port enable command to configure the current Ethernet port as an edge port. Use the stp edged-port disable command to configure the current Ethernet port as a non-edge port. Use the undo stp edged-port command to restore the current Ethernet port to its default state.
• Use the stp interface edged-port enable command in system view to configure the specified Ethernet ports as edge ports. Use the stp interface edged-port disable command in system view to configure the specified Ethernet ports as non-edge ports. Use the undo stp interface edged-port command to restore the specified Ethernet ports to the default state.
By default, all Ethernet ports of a switch are non-edge ports.
An edge port is a port that is directly connected to a user terminal instead of another switch or a shared network segment. Rapid transition to the forwarding state (sometimes referred to as "Fast Start") is applied to edge ports because on these ports no loops can be incurred by network topology changes.
You can enable a port to turn to the forwarding state rapidly by setting it as an edge port. You are recommended to configure the Ethernet ports directly connected to user terminals as edge ports so that they can turn to the forwarding state rapidly.
Normally, configuration BPDUs cannot reach an edge port because the port is not connected to another switch. But when the BPDU guard function is disabled on an edge port, configuration BPDUs sent deliberately by a malicious user may reach the port. If an edge port receives a BPDU, it turns into a non-edge port.
Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions enabled on a port, neither of the other two can take effect even if you have configured it on the port.

Examples
# Configure Ethernet 1/0/1 as an edge port.
• Configure Ethernet 1/0/1 as an edge port in Ethernet port view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp edged-port enable
• Configure Ethernet 1/0/1 as an edge port in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 edged-port enable
# Configure Ethernet 1/0/2 to Ethernet 1/0/4 as edge ports in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 edged-port enable

stp loop-protection

Syntax
• Ethernet port view:
stp loop-protection
undo stp loop-protection
• System view:
stp interface interface-list loop-protection
undo stp interface interface-list loop-protection

View
System view, Ethernet port view

Parameters
interface-list: Ethernet port list.
You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description
• Use the stp loop-protection command to enable the loop guard function on the current port. Use the undo stp loop-protection command to restore the loop guard function to the default state on the current port.
• Use the stp interface loop-protection command in system view to enable the loop guard function on specified ports. Use the undo stp interface loop-protection command in system view to restore the default state of the loop guard function on specified ports.
By default, the loop guard function is disabled on the port.
A switch maintains the states of its root port and other blocked ports by receiving and processing BPDUs from the upstream switch. These BPDUs may get lost because of network congestion or unidirectional link failures. If a switch does not receive BPDUs from the upstream switch for a certain period, the switch selects a new root port; the original root port becomes a designated port; and the blocked ports turn to the forwarding state. This may cause loops in the network.
The loop guard function suppresses such loops. With this function enabled, if link congestion or a unidirectional link failure occurs, a root port becomes a designated port and turns to the discarding state. A blocked port likewise becomes a designated port and turns to the discarding state, that is, the port does not forward packets, and loops are thereby prevented.
• You are recommended to enable loop guard on the root port and alternate ports of a non-root bridge.
• Loop guard, root guard, and edge port settings are mutually exclusive.
With one of these functions enabled on a port, neither of the other two can take effect even if you have configured it on the port.

Examples
# Enable the loop guard function on Ethernet 1/0/1.
• Enable the loop guard function on Ethernet 1/0/1 in Ethernet port view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp loop-protection
• Enable the loop guard function on Ethernet 1/0/1 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 loop-protection
# Enable the loop guard function on Ethernet 1/0/2 to Ethernet 1/0/4 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 loop-protection

stp max-hops

Syntax
stp max-hops hops
undo stp max-hops

View
System view

Parameters
hops: Maximum hop count to be set. This argument ranges from 1 to 40.

Description
Use the stp max-hops command to set the maximum hop count for the MST region the current switch belongs to.
Use the undo stp max-hops command to restore the maximum hop count to the default.
By default, the maximum hop count of an MST region is 20.
The maximum hop count configured on the region root of an MST region limits the size of the MST region. A configuration BPDU contains a field that holds the remaining hops of the configuration BPDU, and a switch discards configuration BPDUs whose remaining hops value is 0. Starting from the root bridge of a spanning tree in an MST region, the remaining hops value in a configuration BPDU is decreased by 1 every time the BPDU passes through a switch. This mechanism prevents switches beyond the maximum hop count from participating in spanning tree calculation, and thus limits the size of an MST region.
With such a mechanism, the maximum hop count configured on the switch operating as the root bridge of the CIST or an MSTI in an MST region becomes the network diameter of the spanning tree, which limits the size of the spanning tree in the current MST region. The switches that are not root bridges in an MST region adopt the maximum hop setting of the root bridge.

Examples
# Set the maximum hop count of the current MST region to 35.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp max-hops 35

stp mcheck

Syntax
• Ethernet port view:
stp mcheck
• System view:
stp [ interface interface-list ] mcheck

View
System view, Ethernet port view

Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description
• Use the stp mcheck command in Ethernet port view to perform the mCheck operation on the current port.
• Use the stp interface mcheck command in system view to perform the mCheck operation on the specified port(s). If interface interface-list is not specified, this command performs the mCheck operation on all MSTP-enabled ports of the device.
When a port on an MSTP-enabled or RSTP-enabled upstream switch connects to an STP-enabled downstream switch, the port automatically operates in STP-compatible mode. But when the STP-enabled downstream switch is later replaced by an MSTP-enabled switch, the port cannot automatically transit to MSTP mode and remains in STP-compatible mode. In this case, you can force the port to transit to MSTP mode by performing the mCheck operation on the port.
Related commands: stp mode.

Examples
# Perform the mCheck operation on Ethernet 1/0/1.
• Perform the mCheck operation on Ethernet 1/0/1 in Ethernet port view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp mcheck
• Perform the mCheck operation on Ethernet 1/0/1 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 mcheck
# Perform the mCheck operation on Ethernet 1/0/2 to Ethernet 1/0/4 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 mcheck
# Perform the mCheck operation on all the MSTP-enabled ports of your switch in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp mcheck

stp mode

Syntax
stp mode { stp | rstp | mstp }
undo stp mode

View
System view

Parameters
stp: Specifies the STP-compatible mode.
rstp: Specifies the RSTP-compatible mode.
mstp: Specifies the MSTP mode.

Description
Use the stp mode command to set the operating mode of an MSTP-enabled switch.
Use the undo stp mode command to restore the default operating mode of an MSTP-enabled switch.
By default, an MSTP-enabled switch operates in MSTP mode.
To make a switch compatible with STP and RSTP, MSTP provides the following three operating modes:
• STP-compatible mode, where the ports of a switch send STP BPDUs to neighboring devices. If STP-enabled switches exist in a switched network, you can use the stp mode stp command to configure an MSTP-enabled switch to operate in STP-compatible mode.
• RSTP-compatible mode, where the ports of a switch send RSTP BPDUs to neighboring devices. If RSTP-enabled switches exist in a switched network, you can use the stp mode rstp command to configure an MSTP-enabled switch to operate in RSTP-compatible mode.
• MSTP mode, where the ports of a switch send MSTP BPDUs and STP BPDUs (if the switch is connected to STP-enabled switches) to neighboring devices. In this case, the switch is MSTP-capable.
Related commands: stp mcheck, stp, stp interface, stp interface mcheck.

Examples
# Configure the MSTP operation mode as STP-compatible.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp mode stp

stp no-agreement-check

Syntax
• Ethernet port view:
stp no-agreement-check
undo stp no-agreement-check
• System view:
stp interface interface-type interface-number no-agreement-check
undo stp interface interface-type interface-number no-agreement-check

View
System view, Ethernet port view

Parameters
interface-type: Port type.
interface-number: Port number.

Description
• Use the stp no-agreement-check command in Ethernet port view to enable the rapid transition feature on the current port. Use the undo stp no-agreement-check command in Ethernet port view to disable the rapid transition feature on the current port.
• Use the stp interface no-agreement-check command in system view to enable the rapid transition feature on the specified port. Use the undo stp interface no-agreement-check command in system view to disable the rapid transition feature on the specified port.
By default, the rapid transition feature is disabled on a port.
Some manufacturers' switches adopt proprietary spanning tree protocols that are similar to RSTP in the way they implement rapid transition on designated ports. When a switch of this kind operates as the upstream switch of a 3Com switch running MSTP, the upstream designated ports fail to change their states rapidly. The rapid transition feature aims to resolve this problem. When a 3Com switch running MSTP is connected in the upstream direction to another manufacturer's switch adopting a proprietary spanning tree protocol, you can enable the rapid transition feature on the ports of the 3Com switch operating as the downstream switch.
Among these ports, those operating as root ports will then actively send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch. This enables the designated ports of the upstream switch to change their states rapidly.
• The rapid transition feature can be enabled only on root ports or alternate ports.
• You can enable the rapid transition feature on a designated port. However, the feature does not take effect on that port.

Examples
# Enable the rapid transition feature on Ethernet 1/0/1.
• Enable the rapid transition feature on Ethernet 1/0/1 in Ethernet port view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp no-agreement-check
• Enable the rapid transition feature on Ethernet 1/0/1 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet1/0/1 no-agreement-check

stp pathcost-standard

Syntax
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
undo stp pathcost-standard

View
System view

Parameters
dot1d-1998: The device calculates the default path cost for ports based on IEEE 802.1d-1998.
dot1t: The device calculates the default path cost for ports based on IEEE 802.1t.
legacy: The device calculates the default path cost for ports based on a private standard.

Description
Use the stp pathcost-standard command to set the standard used to calculate the default path costs of the links connected to the switch.
Use the undo stp pathcost-standard command to restore the default standard.
By default, the device calculates the default path cost for ports based on a private standard.
STP uses path costs to indicate the quality of links. A smaller path cost indicates a higher link quality. The path cost of a port is related to the rate of the link connecting the port.
The higher the link rate, the smaller the path cost. The path cost of a port may vary when different standards are used to calculate it. For details, see Table 1-8.

Table 1-8 Link speeds and the corresponding path costs

Link speed   Duplex state               Path cost in 802.1d-1998 standard   Path cost in IEEE 802.1t standard   Path cost in private standard
0            —                          65,535                              200,000,000                         200,000
10 Mbps      Half-duplex/Full-duplex    100                                 2,000,000                           2,000
10 Mbps      Aggregated link, 2 ports   95                                  1,000,000                           1,800
10 Mbps      Aggregated link, 3 ports   95                                  666,666                             1,600
10 Mbps      Aggregated link, 4 ports   95                                  500,000                             1,400
100 Mbps     Half-duplex/Full-duplex    19                                  200,000                             200
100 Mbps     Aggregated link, 2 ports   15                                  100,000                             180
100 Mbps     Aggregated link, 3 ports   15                                  66,666                              160
100 Mbps     Aggregated link, 4 ports   15                                  50,000                              140
1,000 Mbps   Full-duplex                4                                   20,000                              20
1,000 Mbps   Aggregated link, 2 ports   3                                   10,000                              18
1,000 Mbps   Aggregated link, 3 ports   3                                   6,666                               16
1,000 Mbps   Aggregated link, 4 ports   3                                   5,000                               14
10 Gbps      Full-duplex                2                                   2,000                               2
10 Gbps      Aggregated link, 2 ports   1                                   1,000                               1
10 Gbps      Aggregated link, 3 ports   1                                   666                                 1
10 Gbps      Aggregated link, 4 ports   1                                   500                                 1

Normally, the path cost of a port operating in full-duplex mode is slightly less than that of a port operating in half-duplex mode.
When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of ports on the aggregated link into account, whereas the 802.1T standard does. The following formula is used to calculate the path cost of an aggregated link:
Path cost = 200,000,000 / link transmission rate
where "link transmission rate" is the sum of the rates of all the unblocked ports on the aggregated link, measured in 100 Kbps.
You can use the stp cost command to manually configure the path cost of a port in a specified MSTI. For details, see stp cost.

Examples
# Configure the switch to use the IEEE 802.1D-1998 standard to calculate the default path costs of ports.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp pathcost-standard dot1d-1998

# Configure to use the IEEE 802.1t standard to calculate the default path costs of ports.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp pathcost-standard dot1t

stp point-to-point

Syntax

• Ethernet port view:
stp point-to-point { force-true | force-false | auto }
undo stp point-to-point

• System view:
stp interface interface-list point-to-point { force-true | force-false | auto }
undo stp interface interface-list point-to-point

View

System view, Ethernet port view

Parameters

force-true: Specifies that the link connected to the current Ethernet port is a point-to-point link.
force-false: Specifies that the link connected to the current Ethernet port is not a point-to-point link.
auto: Specifies to automatically determine whether or not the link connected to the current Ethernet port is a point-to-point link.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description

• Use the stp point-to-point command to specify whether the link connected to the current Ethernet port is a point-to-point link. Use the undo stp point-to-point command to restore the link connected to the current Ethernet port to its default link type, which is automatically determined by MSTP.
• Use the stp interface point-to-point command to specify whether the links connected to the specified Ethernet ports are point-to-point links in system view. Use the undo stp interface point-to-point command to restore the links connected to the specified ports to their default link types, which are automatically determined by MSTP.

The default setting is auto; namely, the MSTP-enabled device automatically detects whether a port connects to a point-to-point link.
If no keyword is specified in the stp point-to-point command, the auto keyword is used by default, so MSTP automatically determines the type of the link connected to the current port.

The rapid transition feature is not applicable to ports on non-point-to-point links.

Note that:
• If the current Ethernet port operates in full duplex mode, the link connected to the port is a point-to-point link. In this case, the default setting (where MSTP determines the link type automatically) is recommended.
• If the current Ethernet port belongs to an aggregation group and you configure the link connected to the port as a point-to-point link, the configuration is synchronized to the remaining ports in the aggregation group.
• If a port is configured to connect to a point-to-point link (or non-point-to-point link), the port adopts the same configuration in all spanning tree instances.
• If a port connects to a non-point-to-point link, but the port is configured to connect to a point-to-point link by mistake, loops may temporarily occur.

Examples

# Configure the link connected to Ethernet 1/0/1 as a point-to-point link.

• Configure the link connected to Ethernet 1/0/1 as a point-to-point link in Ethernet port view.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp point-to-point force-true

• Configure the link connected to Ethernet 1/0/1 as a point-to-point link in system view.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 point-to-point force-true

# Configure the links connected to Ethernet 1/0/2 to Ethernet 1/0/4 as point-to-point links in system view.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 point-to-point force-true

stp port priority

Syntax

• Ethernet port view:
stp [ instance instance-id ] port priority priority
undo stp [ instance instance-id ] port priority

• System view:
stp interface interface-list instance instance-id port priority priority
undo stp interface interface-list instance instance-id port priority

View

System view, Ethernet port view

Parameters

instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
port priority priority: Sets the port priority. The priority argument ranges from 0 to 240 and must be a multiple of 16 (such as 0, 16, and 32).
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description

• Use the stp port priority command to set the port priority of the current port in the specified MSTI. Use the undo stp port priority command to restore the default port priority of the current port in the specified MSTI.
• Use the stp interface port priority command to set a port priority for the specified ports in the specified MSTI in system view. Use the undo stp interface port priority command to restore the default priority of the specified ports in the specified MSTI in system view.

The default port priority of a port in any MSTI is 128.

If you set the instance-id argument to 0 or do not specify the argument, the two commands apply to the port priorities of ports on the CIST.

The role a port plays in an MSTI is determined by the port priority in the instance. A port on an MSTP-enabled switch can have different port priorities and play different roles in different MSTIs.
This enables packets of different VLANs to be forwarded along different physical links, so as to implement VLAN-based load balancing.

Changing port priorities results in port role recalculation and state transition.

Examples

# Set the port priority of Ethernet 1/0/1 in MSTI 2 to 16.

• Set the port priority of Ethernet 1/0/1 in MSTI 2 to 16 in Ethernet port view.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp instance 2 port priority 16

• Set the port priority of Ethernet 1/0/1 in MSTI 2 to 16 in system view.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 instance 2 port priority 16

# Set the port priority of Ethernet 1/0/2 to Ethernet 1/0/4 in MSTI 2 to 16 in system view.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 instance 2 port priority 16

stp portlog

Syntax

stp [ instance instance-id ] portlog
undo stp [ instance instance-id ] portlog

View

System view

Parameters

instance instance-id: Specifies an MSTI ID, ranging from 0 to 16. The value of 0 indicates the CIST.

Description

Use the stp portlog command to enable log and trap message output for the ports of a specified instance.
Use the undo stp portlog command to disable this function.

By default, log and trap message output is disabled.

Executing the stp portlog command without the instance instance-id parameters enables log and trap message output for the ports of instance 0.

Examples

# Enable log and trap message output for the ports of instance 1.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp instance 1 portlog

stp portlog all

Syntax

stp portlog all
undo stp portlog all

View

System view

Parameters

None

Description

Use the stp portlog all command to enable log and trap message output for the ports of all instances.
Use the undo stp portlog all command to disable this function.

By default, log and trap message output is disabled on the ports of all instances.

Examples

# Enable log and trap message output for the ports of all instances.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp portlog all

stp priority

Syntax

stp [ instance instance-id ] priority priority
undo stp [ instance instance-id ] priority

View

System view

Parameters

instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
priority: Switch priority to be set. This argument ranges from 0 to 61,440 and must be a multiple of 4,096 (such as 0, 4,096, and 8,192). There are 16 available switch priorities in total.

Description

Use the stp priority command to set the priority of the switch in the specified MSTI.
Use the undo stp priority command to restore the switch priority to the default priority in the specified MSTI.

The default priority of a switch is 32,768.

The priorities of switches are used for spanning tree calculation. Switch priorities are spanning tree-specific. That is, you can set different priorities for the same switch in different MSTIs.

If you do not specify the instance-id argument, the two commands apply to only the CIST.

Examples

# Set the bridge priority of the switch in MSTI 1 to 4,096.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp instance 1 priority 4096

stp region-configuration

Syntax

stp region-configuration
undo stp region-configuration

View

System view

Parameters

None

Description

Use the stp region-configuration command to enter MST region view.
Use the undo stp region-configuration command to restore the MST region-related settings to the default.

MST region-related parameters include: region name, revision level, and VLAN-to-instance mapping table.
By default:
• The MST region name is the first MAC address of the switch.
• All VLANs are mapped to the CIST in the VLAN-to-instance mapping table.
• The MSTP revision level is 0.

You can modify the three parameters after entering MST region view by using the stp region-configuration command.

NTDP packets sent by devices in a cluster can be transmitted only in the instances where the management VLAN of the cluster resides.

Examples

# Enter MST region view.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp region-configuration
[Sysname-mst-region]

stp root primary

Syntax

stp [ instance instance-id ] root primary [ bridge-diameter bridgenum [ hello-time centi-seconds ] ]
undo stp [ instance instance-id ] root

View

System view

Parameters

instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
bridgenum: Network diameter of the specified spanning tree. This argument ranges from 2 to 7 and defaults to 7.
centi-seconds: Hello time in centiseconds of the specified spanning tree. This argument ranges from 100 to 1,000 and defaults to 200.

Description

Use the stp root primary command to configure the current switch as the root bridge of a specified MSTI.
Use the undo stp root command to cancel the current configuration.

By default, a switch is not configured as a root bridge.

If you do not specify the instance-id argument, these two commands apply to only the CIST.

You can specify the current switch as the root bridge of an MSTI regardless of the priority of the switch. You can also specify the network diameter of the switched network by using the stp root primary command. The switch will then calculate the following three time parameters: hello time, forward delay, and max age. As the hello time derived from the network diameter is not always the optimal one, you can set it manually through the hello-time centi-seconds parameter.
Generally, you are recommended to obtain the forward delay and max age parameters by setting the network diameter.

• You can configure only one root bridge for an MSTI, but can configure one or more secondary root bridges for an MSTI. Specifying multiple root bridges for an MSTI causes unpredictable spanning tree calculation results.
• Once a switch is configured as the root bridge or a secondary root bridge, its priority cannot be modified.

Examples

# Configure the current switch as the root bridge of MSTI 1, set the network diameter of the switched network to 4, and set the hello time to 500 centiseconds.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp instance 1 root primary bridge-diameter 4 hello-time 500

stp root secondary

Syntax

stp [ instance instance-id ] root secondary [ bridge-diameter bridgenum [ hello-time centi-seconds ] ]
undo stp [ instance instance-id ] root

View

System view

Parameters

instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
bridgenum: Network diameter of the specified spanning tree. This argument ranges from 2 to 7 and defaults to 7.
centi-seconds: Hello time in centiseconds of the specified spanning tree. This argument ranges from 100 to 1,000 and defaults to 200.

Description

Use the stp root secondary command to configure the current switch as a secondary root bridge of a specified MSTI.
Use the undo stp root command to cancel the current configuration.

By default, a switch does not operate as a secondary root bridge.

If you do not specify the instance-id argument, the two commands apply to only the CIST.

You can configure one or more secondary root bridges for an MSTI. If the switch operating as the root bridge fails or is turned off, the secondary root bridge with the lowest MAC address becomes the root bridge.

You can specify the network diameter and the hello time of the switch when you are configuring it as a secondary root bridge.
The switch will then calculate the other two time parameters: forward delay and max age.

If the instance-id argument is set to 0 in this command, the current switch is configured as the secondary root bridge of the CIST.

You can configure only one root bridge for an MSTI, but you can configure one or more secondary root bridges for an MSTI. Once a switch is configured as the root bridge or a secondary root bridge, its priority cannot be modified.

Examples

# Configure the current switch as a secondary root bridge of MSTI 4, setting the network diameter of the switched network to 5 and the hello time of the current switch to 300 centiseconds.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp instance 4 root secondary bridge-diameter 5 hello-time 300

stp root-protection

Syntax

• Ethernet port view:
stp root-protection
undo stp root-protection

• System view:
stp interface interface-list root-protection
undo stp interface interface-list root-protection

View

System view, Ethernet port view

Parameters

interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description

• Use the stp root-protection command to enable the root guard function on the current port. Use the undo stp root-protection command to restore the root guard function to the default state on the current port.
• Use the stp interface root-protection command to enable the root guard function on the specified port(s) in system view. Use the undo stp interface root-protection command to restore the root guard function to the default state on the specified port(s) in system view.

By default, the root guard function is disabled.
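The root guard function of this section and the TC-BPDU attack guard described under stp tc-protection and stp tc-protection threshold later in this chapter both decide, per received BPDU, whether the switch acts on it. The following Python is an added example written for this page and not 3Com code: it models the two decisions on a constructed BPDU stream so their effect can be seen before the commands are applied. Bridge IDs compare by priority value and then by MAC address, the tie rule the stp root secondary section states; the manual gives no figure for how long a root-guard port stays in discarding after the last superior BPDU, so the 30-second recovery period, the MAC addresses and the timings are all assumptions of the example.

```python
"""Root guard and TC-BPDU attack guard as a port-level simulation.

Added example for this page, not 3Com code: it models the behaviour the
stp root-protection and stp tc-protection sections describe. All MAC
addresses, timings and the root-guard recovery period are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True, order=True)
class BridgeId:
    """Compared as in root election: the lower priority value wins and a
    tie goes to the lower MAC address (the rule stp root secondary states)."""
    priority: int   # 0..61,440, multiple of 4,096 (see stp priority)
    mac: str        # "xxxx-xxxx-xxxx"; constructed values below


@dataclass(frozen=True)
class ConfigBpdu:
    """Only the fields the two guard decisions look at."""
    root_id: BridgeId
    topology_change: bool = False   # TC flag set: this is a TC-BPDU
    received_at: float = 0.0        # seconds on a constructed clock


class TcGuard:
    """TC-BPDU attack guard: the first TC-BPDU starts a `window`-second timer;
    until it expires at most `threshold` MAC/ARP flushes are performed,
    however many TC-BPDUs arrive (documented defaults: 6 per 10 s)."""

    def __init__(self, threshold: int = 6, window: float = 10.0) -> None:
        if not 1 <= threshold <= 255:   # stp tc-protection threshold range
            raise ValueError("threshold must be in 1..255")
        self.threshold, self.window = threshold, window
        self.window_start: Optional[float] = None
        self.in_window = 0
        self.flushes = 0     # flushes actually performed
        self.suppressed = 0  # TC-BPDUs that caused no flush

    def on_tc_bpdu(self, now: float) -> bool:
        """Return True when the MAC/ARP tables are flushed for this TC-BPDU."""
        if self.window_start is None or now >= self.window_start + self.window:
            self.window_start, self.in_window = now, 0
        if self.in_window < self.threshold:
            self.in_window += 1
            self.flushes += 1
            return True
        self.suppressed += 1
        return False


class RootGuardPort:
    """A root-guard port may only stay designated: a BPDU announcing a better
    root puts it into discarding until no such BPDU has been seen for
    `recover_after` seconds (assumed value; the manual gives no figure)."""

    def __init__(self, current_root: BridgeId, enabled: bool = True,
                 recover_after: float = 30.0) -> None:
        self.current_root, self.enabled = current_root, enabled
        self.recover_after = recover_after
        self.state = "designated"
        self.last_superior: Optional[float] = None

    def on_config_bpdu(self, bpdu: ConfigBpdu) -> str:
        superior = bpdu.root_id < self.current_root
        if superior and self.enabled:
            self.state, self.last_superior = "discarding", bpdu.received_at
        elif superior:
            self.state = "root"               # unguarded: accept the new root
            self.current_root = bpdu.root_id
        return self.state

    def tick(self, now: float) -> str:
        """Leave discarding once superior BPDUs have stopped long enough."""
        if (self.state == "discarding" and self.last_superior is not None
                and now - self.last_superior >= self.recover_after):
            self.state = "designated"
        return self.state


def run_stream(port: RootGuardPort, tc: TcGuard, bpdus: List[ConfigBpdu]) -> dict:
    """Feed a BPDU stream through both guards and summarise the outcome."""
    for b in bpdus:
        port.tick(b.received_at)
        port.on_config_bpdu(b)
        if b.topology_change:
            tc.on_tc_bpdu(b.received_at)
    return {"port_state": port.state, "flushes": tc.flushes,
            "suppressed": tc.suppressed}


# Constructed scenario: the legitimate root has priority 4096; a rogue device
# behind the guarded port claims priority 0 and sets the TC flag on 200 BPDUs
# spread over 10 seconds.
LEGIT_ROOT = BridgeId(4_096, "00e0-fc00-0001")
ROGUE_ROOT = BridgeId(0, "00e0-fc00-00ff")
ROGUE_BURST = [ConfigBpdu(ROGUE_ROOT, True, i * 0.05) for i in range(200)]

if __name__ == "__main__":
    print(run_stream(RootGuardPort(LEGIT_ROOT), TcGuard(), ROGUE_BURST))
    # -> {'port_state': 'discarding', 'flushes': 6, 'suppressed': 194}
```

With the documented defaults the burst causes six flushes instead of 200 and the guarded port goes to discarding rather than becoming a root port; with stp tc-protection threshold 100 the same burst gives the 100 flushes the manual's own example describes, and with root guard disabled the port would accept the rogue root.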
Because of configuration errors or malicious attacks, the valid root bridge in the network may receive configuration BPDUs with priorities higher than that of the root bridge, which causes a new root bridge to be elected and network topology jitter to occur. In this case, flows that should have traveled along high-speed links are led to low-speed links, causing network congestion. You can avoid this problem by using the root guard function.

Root-guard-enabled ports can only be kept as designated ports in all MSTIs. When a port of this type receives configuration BPDUs with higher priorities, it turns to the discarding state before it is specified as a non-designated port and stops forwarding packets (as if it were disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period.

• You are recommended to enable root guard on the designated ports of a root bridge.
• Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions enabled on a port, neither of the other two functions can take effect even if you have configured it on the port.

Examples

# Enable the root guard function on Ethernet 1/0/1.

• Enable the root guard function on Ethernet 1/0/1 in Ethernet port view.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp root-protection

• Enable the root guard function on Ethernet 1/0/1 in system view.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 root-protection

# Enable the root guard function on Ethernet 1/0/2 to Ethernet 1/0/4 in system view.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 root-protection

stp tc-protection

Syntax

stp tc-protection enable
stp tc-protection disable

View

System view

Parameters

None

Description

Use the stp tc-protection enable command to enable the TC-BPDU attack guard function.
Use the stp tc-protection disable command to disable the TC-BPDU attack guard function.

By default, the TC-BPDU attack guard function is enabled, and the MAC address table and ARP entries can be removed up to six times within 10 seconds.

Normally, a switch removes the MAC address table and ARP entries upon receiving TC-BPDUs. If a malicious user sends a large amount of TC-BPDUs to a switch in a short period, the switch may be busy removing the MAC address table and ARP entries frequently, which may affect spanning tree calculation, occupy a large amount of bandwidth and increase switch CPU utilization.

With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time. Before the timer expires, the switch performs the removing operation only a limited number of times (up to six times by default) regardless of the number of TC-BPDUs it receives. Such a mechanism prevents a switch from being busy removing the MAC address table and ARP entries.

Examples

# Enable the TC-BPDU attack guard function on the switch.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp tc-protection enable

stp tc-protection threshold

Syntax

stp tc-protection threshold number
undo stp tc-protection threshold

View

System view

Parameters

number: Maximum number of times that a switch can remove the MAC address table and ARP entries within each 10 seconds, in the range of 1 to 255.

Description

Use the stp tc-protection threshold command to set the maximum number of times that a switch can remove the MAC address table and ARP entries within each 10 seconds.
Use the undo stp tc-protection threshold command to restore the default.

Normally, a switch removes the MAC address table and ARP entries upon receiving a TC-BPDU. If a malicious user sends a large amount of TC-BPDUs to a switch in a short period, the switch may be busy removing the MAC address table and ARP entries, which may affect spanning tree calculation, occupy a large amount of bandwidth and increase switch CPU utilization.

With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time. Before the timer expires, the switch performs the removing operation only a limited number of times (up to six times by default) regardless of the number of TC-BPDUs it receives. Such a mechanism prevents a switch from being busy removing the MAC address table and ARP entries.

You can use the stp tc-protection threshold command to set the maximum number of times a switch removes the MAC address table and ARP entries in a specific period. When the number of TC-BPDUs received within a period is less than the maximum, the switch performs a removing operation upon receiving each TC-BPDU. After the number of TC-BPDUs received reaches the maximum, the switch stops performing the removing operation. For example, if you set the maximum number of times a switch removes the MAC address table and ARP entries to 100 and the switch receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries only 100 times within the period.

Examples

# Set the maximum number of times a switch can remove the MAC address table and ARP entries within 10 seconds to 5.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp tc-protection threshold 5

stp timer forward-delay

Syntax

stp timer forward-delay centi-seconds
undo stp timer forward-delay

View

System view

Parameters

centi-seconds: Forward delay in centiseconds to be set. This argument ranges from 400 to 3,000.

Description

Use the stp timer forward-delay command to set the forward delay of the switch.
Use the undo stp timer forward-delay command to restore the forward delay to the default value.

By default, the forward delay of the switch is 1,500 centiseconds.

To prevent the occurrence of temporary loops, when a port changes its state from discarding to forwarding, it undergoes an intermediate state and waits for a specific period to synchronize with the state transitions of the remote switches. This state transition period is determined by the forward delay configured on the root bridge. The forward delay setting configured on a root bridge applies to all non-root bridges.

As for the configuration of the three time-related parameters (namely, the hello time, forward delay, and max age parameters), the following formulas must be met to prevent frequent network jitter:

2 × (forward delay – 1 second) >= max age
Max age >= 2 × (hello time + 1 second)

You are recommended to specify the network diameter of the switched network and the hello time by using the stp root primary or stp root secondary command. After that, the three proper time-related parameters are automatically calculated by MSTP.

Related commands: stp timer hello, stp timer max-age, stp bridge-diameter.

Examples

# Set the forward delay to 2,000 centiseconds.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp timer forward-delay 2000

stp timer hello

Syntax

stp timer hello centi-seconds
undo stp timer hello

View

System view

Parameters

centi-seconds: Hello time to be set, in the range of 100 to 1,000 (in centiseconds).

Description

Use the stp timer hello command to set the hello time of the switch.
Use the undo stp timer hello command to restore the hello time of the switch to the default value.

By default, the hello time of the switch is 200 centiseconds.

A root bridge regularly sends out configuration BPDUs to maintain the stability of existing spanning trees. If the switch does not receive BPDU packets in a specified period, spanning trees will be recalculated because the BPDU packets time out. When a switch becomes a root bridge, it regularly sends BPDUs at the interval specified by the hello time you have configured on it. The other, non-root-bridge switches adopt the interval specified by that hello time.

As for the configuration of the three time-related parameters (namely, the hello time, forward delay, and max age parameters), the following formulas must be met to prevent frequent network jitter:

2 × (forward delay – 1 second) >= max age
Max age >= 2 × (hello time + 1 second)

You are recommended to specify the network diameter of the switched network and the hello time by using the stp root primary or stp root secondary command. After that, the three proper time-related parameters are automatically calculated by MSTP.

Related commands: stp timer forward-delay, stp timer max-age, stp bridge-diameter.

Examples

# Set the hello time to 400 centiseconds.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp timer hello 400

stp timer max-age

Syntax

stp timer max-age centi-seconds
undo stp timer max-age

View

System view

Parameters

centi-seconds: Max age to be set, in the range of 600 to 4,000 (in centiseconds).

Description

Use the stp timer max-age command to set the max age of the switch.
Use the undo stp timer max-age command to restore the default max age.

By default, the max age of a switch is 2,000 centiseconds.

MSTP is capable of detecting link failures and automatically restoring redundant links to the forwarding state.
In the CIST, switches use the max age parameter to judge whether or not a received configuration BPDU has timed out. Spanning trees will be recalculated if a configuration BPDU received by a port times out. The max age is meaningless to MSTIs.

The max age configured for the root bridge of the CIST applies to all switches operating on the CIST, including the root bridge.

As for the configuration of the three time-related parameters (namely, the hello time, forward delay, and max age parameters), the following formulas must be met to prevent frequent network jitter:

2 × (forward delay – 1 second) >= max age
Max age >= 2 × (hello time + 1 second)

You are recommended to specify the network diameter of the switched network and the hello time parameter by using the stp root primary or stp root secondary command. After that, the three proper time-related parameters are automatically determined by MSTP.

Related commands: stp timer forward-delay, stp timer hello, stp bridge-diameter.

Examples

# Set the max age to 1,000 centiseconds.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp timer max-age 1000

stp timer-factor

Syntax

stp timer-factor number
undo stp timer-factor

View

System view

Parameters

number: Hello time factor to be set, in the range of 1 to 10.

Description

Use the stp timer-factor command to set the timeout time of a switch as a multiple of the hello time.
Use the undo stp timer-factor command to restore the hello time factor to the default value.

By default, the hello time factor of the switch is 3.

A switch regularly sends protocol packets to its neighboring devices at the interval specified by the hello time parameter to test the links. Generally, a switch regards its upstream switch as faulty if the former does not receive any protocol packets from the latter for a period three times the hello time, and then initiates the spanning tree recalculation process.
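The two formulas repeated in the stp timer forward-delay, stp timer hello and stp timer max-age sections, together with the timeout rule just stated for stp timer-factor, can be checked before a timer change is committed. The following Python is an added example for this page, not 3Com code: it works in centiseconds, the unit the three commands take, uses the argument ranges and defaults those sections document, and adds one step the manual does not spell out, deriving from a chosen max age the smallest forward delay and largest hello time the two formulas allow.

```python
"""Consistency check for the MSTP hello, forward delay and max age timers.

Added example for this page, not 3Com code. It applies the two formulas
the stp timer forward-delay / hello / max-age sections state and the
timeout rule of stp timer-factor, all in centiseconds as the CLI takes them.
"""
import math
from typing import List, Tuple

# Argument ranges and defaults as documented for the three timer commands.
RANGES = {"forward_delay": (400, 3_000), "hello": (100, 1_000), "max_age": (600, 4_000)}
DEFAULTS = {"forward_delay": 1_500, "hello": 200, "max_age": 2_000}
ONE_SECOND = 100  # centiseconds


def timer_problems(forward_delay: int = 1_500, hello: int = 200,
                   max_age: int = 2_000, timer_factor: int = 3) -> List[str]:
    """Return every violated rule; an empty list means the set is consistent."""
    problems: List[str] = []
    for name, value in (("forward_delay", forward_delay), ("hello", hello), ("max_age", max_age)):
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside {lo}..{hi} centiseconds")
    if not 1 <= timer_factor <= 10:          # stp timer-factor range
        problems.append(f"timer_factor={timer_factor} is outside 1..10")
    # 2 x (forward delay - 1 second) >= max age
    lhs = 2 * (forward_delay - ONE_SECOND)
    if lhs < max_age:
        problems.append(f"2 x (forward delay - 1 s) = {lhs} < max age {max_age}")
    # max age >= 2 x (hello time + 1 second)
    rhs = 2 * (hello + ONE_SECOND)
    if max_age < rhs:
        problems.append(f"max age {max_age} < 2 x (hello + 1 s) = {rhs}")
    return problems


def bounds_for_max_age(max_age: int) -> Tuple[int, int]:
    """Smallest forward delay and largest hello time (centiseconds) that satisfy
    both formulas for a given max age; the CLI ranges still apply on top."""
    min_forward_delay = math.ceil(max_age / 2) + ONE_SECOND
    max_hello = max_age // 2 - ONE_SECOND
    return min_forward_delay, max_hello


def upstream_timeout(hello: int = 200, timer_factor: int = 3) -> int:
    """Centiseconds without protocol packets after which the upstream switch
    is regarded as faulty: hello time multiplied by the stp timer-factor value."""
    return hello * timer_factor


if __name__ == "__main__":
    # The manual's own examples applied one at a time to the defaults.
    for change in ({}, {"forward_delay": 2_000}, {"hello": 400}, {"max_age": 1_000}):
        print(change or "defaults", timer_problems(**change) or "consistent")
    print(bounds_for_max_age(2_000), upstream_timeout(200, 7))
```

Each of the manual's example values is consistent with the defaults on its own; the check matters when several timers are changed together, for example forward delay 400 with max age 4,000, which the ranges allow but the first formula rejects.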
Spanning trees may be recalculated even in a steady network if an upstream switch is always busy. You can configure the hello time factor to a larger number to avoid this problem. Normally, the timeout time can be four (or more) times the hello time. For a steady network, the timeout time can be five to seven times the hello time.

Examples

# Set the hello time factor to 7.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp timer-factor 7

stp transmit-limit

Syntax

• Ethernet port view:
stp transmit-limit packetnum
undo stp transmit-limit

• System view:
stp interface interface-list transmit-limit packetnum
undo stp interface interface-list transmit-limit

View

System view, Ethernet port view

Parameters

packetnum: Maximum number of configuration BPDUs a port can transmit in each hello time. This argument ranges from 1 to 255.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description

• Use the stp transmit-limit command to set the maximum number of configuration BPDUs the current port can transmit in each hello time. Use the undo stp transmit-limit command to restore the maximum number to the default value on the current port.
• Use the stp interface transmit-limit command to set the maximum number of configuration BPDUs each specified port can send in each hello time. Use the undo stp interface transmit-limit command to restore the maximum number to the default value for each specified port.

By default, the maximum number of configuration BPDUs a port can transmit in each hello time is 10.

A larger number configured by the stp transmit-limit command allows more configuration BPDUs to be transmitted in each hello time, which may occupy more switch resources.
So you are recommended to configure it to a proper value to avoid network topology jitter and prevent MSTP from occupying too many bandwidth resources.

Examples

# Set the maximum number of configuration BPDUs that can be transmitted through Ethernet 1/0/1 in each hello time to 15.

• In Ethernet port view:

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp transmit-limit 15

• In system view:

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 transmit-limit 15

# Set the maximum number of configuration BPDUs that can be transmitted through Ethernet 1/0/2, Ethernet 1/0/3 and Ethernet 1/0/4 in each hello time to 15 in system view.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/2 to Ethernet 1/0/4 transmit-limit 15

vlan-mapping modulo

Syntax

vlan-mapping modulo modulo

View

MST region view

Parameters

modulo: Modulo by which VLANs are mapped to MSTIs, in the range of 1 to 16.

Description

Use the vlan-mapping modulo command to set the modulo by which VLANs are mapped to MSTIs.

By default, all VLANs in a network are mapped to the CIST (MSTI 0).

MSTP uses a VLAN-to-instance mapping table to describe VLAN-to-instance mappings. You can use this command to establish the VLAN-to-instance mapping table and map VLANs to MSTIs in a specific way. Note that a VLAN cannot be mapped to multiple different MSTIs at the same time. A VLAN-to-instance mapping becomes invalid when you map the VLAN to another MSTI.

You can map VLANs to specific MSTIs rapidly by using the vlan-mapping modulo modulo command. The ID of the MSTI to which a VLAN is mapped can be calculated using the following formula:

(VLAN ID - 1) % modulo + 1

In this formula, (VLAN ID - 1) % modulo yields the remainder of (VLAN ID - 1) divided by the modulo argument.
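Applying the formula to the whole VLAN range shows the mapping table the command produces and how the VLANs spread across the instances. The following Python is an added example for this page, not 3Com code; it uses only the formula and the argument range given in this section, and the 4,094-VLAN range is the usual 802.1Q VLAN ID space, not a figure from the manual.

```python
"""VLAN-to-instance mapping produced by vlan-mapping modulo.

Added example for this page, not 3Com code. It applies the formula the
section gives, MSTI = (VLAN ID - 1) % modulo + 1, to every VLAN and shows
how the VLANs spread across the instances.
"""
from typing import Dict, Iterable, List


def msti_for_vlan(vlan_id: int, modulo: int) -> int:
    """Instance a VLAN lands in under vlan-mapping modulo `modulo`."""
    if not 1 <= vlan_id <= 4094:           # 802.1Q VLAN ID range (assumption)
        raise ValueError("VLAN ID must be in 1..4094")
    if not 1 <= modulo <= 16:              # documented range of the modulo argument
        raise ValueError("modulo must be in 1..16")
    return (vlan_id - 1) % modulo + 1


def mapping_table(modulo: int, vlans: Iterable[int] = range(1, 4095)) -> Dict[int, List[int]]:
    """The VLAN-to-instance mapping table as MSTI -> VLAN IDs in that instance."""
    table: Dict[int, List[int]] = {}
    for vlan in vlans:
        table.setdefault(msti_for_vlan(vlan, modulo), []).append(vlan)
    return table


def vlans_per_instance(modulo: int) -> Dict[int, int]:
    """How many of the 4094 VLANs each instance receives; the split is only
    even when 4094 is a multiple of the modulo."""
    return {msti: len(ids) for msti, ids in mapping_table(modulo).items()}


if __name__ == "__main__":
    print([msti_for_vlan(v, 16) for v in (1, 2, 16, 17, 4094)])   # [1, 2, 16, 1, 14]
    print(vlans_per_instance(16))   # MSTIs 1-14 get 256 VLANs, 15 and 16 get 255
```

With modulo 16, VLAN 4094 lands in MSTI 14 and the last two instances hold one VLAN fewer than the rest; with modulo 1 every VLAN is mapped to MSTI 1.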
For example, if you set the modulo argument to 16, then VLAN 1 is mapped to MSTI 1, VLAN 2 is mapped to MSTI 2, …, VLAN 16 is mapped to MSTI 16, VLAN 17 is mapped to MSTI 1, and so on.

Related commands: check region-configuration, revision-level, region-name, active region-configuration.

Examples

# Map VLANs to MSTIs, with the modulo being 16.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp region-configuration
[Sysname-mst-region] vlan-mapping modulo 16

vlan-vpn tunnel

Syntax

vlan-vpn tunnel
undo vlan-vpn tunnel

View

System view

Parameters

None

Description

Use the vlan-vpn tunnel command to enable the VLAN-VPN tunnel function for a switch.
Use the undo vlan-vpn tunnel command to disable the VLAN-VPN tunnel function.

The VLAN-VPN tunnel function enables BPDUs to be transparently transmitted between geographically dispersed user networks through specified VLAN VPNs in the operator's network, so that spanning trees can be calculated across these user networks independently of those of the operator's network.

By default, the VLAN-VPN tunnel function is disabled.

• The VLAN-VPN tunnel function can only be enabled on STP-enabled devices.
• To enable the VLAN-VPN tunnel function, make sure the links between operator's networks are trunk links.

Examples

# Enable the VLAN-VPN tunnel function for the switch.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan-vpn tunnel

1 IGMP Snooping Configuration Commands

display igmp-snooping configuration

Syntax

display igmp-snooping configuration

View

Any view

Parameters

None

Description

Use the
display igmp-snooping configuration command to display IGMP Snooping configuration information.

If IGMP Snooping is disabled on this switch, this command displays a message showing that IGMP Snooping is not enabled. With IGMP Snooping enabled, this command displays the following information:

• IGMP Snooping status
• aging time of the router port
• maximum response time in IGMP queries
• aging time of multicast member ports
• non-flooding feature status

Related commands: igmp-snooping, igmp-snooping router-aging-time, igmp-snooping host-aging-time.

Examples

# Display IGMP Snooping configuration information on the switch.

<Sysname> display igmp-snooping configuration
Enable IGMP Snooping.
The router port timeout is 105 second(s).
The max response timeout is 10 second(s).
The host port timeout is 260 second(s).

The output above shows that IGMP Snooping is enabled, the aging time of the router port is 105 seconds, the maximum response time in IGMP queries is 10 seconds, and the aging time of multicast member ports is 260 seconds.

display igmp-snooping group

Syntax

display igmp-snooping group [ vlan vlan-id ]

View

Any view

Parameters

vlan vlan-id: Specifies the VLAN in which the multicast group information is to be displayed, where vlan-id ranges from 1 to 4094. If you do not specify a VLAN, this command displays the multicast group information of all VLANs.

Description

Use the display igmp-snooping group command to display the IGMP Snooping multicast group information.

Related commands: igmp-snooping, igmp host-join, multicast static-group interface, multicast static-group vlan, multicast static-router-port, multicast static-router-port vlan.

Examples

# Display the information about the multicast groups in VLAN 100.

<Sysname> display igmp-snooping group vlan 100
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):100.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Static Router port(s): Ethernet1/0/11
Dynamic Router port(s): Ethernet1/0/22
IP group(s):the following ip group(s) match to one mac group.
IP group address:228.0.0.1
Static host port(s): Ethernet1/0/23
Dynamic host port(s): Ethernet1/0/10
MAC group(s):
MAC group address:0100-5e00-0001
Host port(s):Ethernet1/0/10 Ethernet1/0/23

Table 1-1 display igmp-snooping group command output description

Field                      Description
Total 1 IP Group(s).       Total number of IP multicast groups in all VLANs
Total 1 MAC Group(s).      Total number of MAC multicast groups in all VLANs
Vlan(id):                  ID of the VLAN whose multicast group information is displayed
Total 1 IP Group(s).       Total number of IP multicast groups in VLAN 100
Total 1 MAC Group(s).      Total number of MAC multicast groups in VLAN 100
Static Router port(s):     Static router port
Dynamic Router port(s):    Dynamic router port
Static host port(s):       Static member port
Dynamic host port(s):      Dynamic member port
IP group address:          IP address of a multicast group
MAC group(s):              MAC multicast group
MAC group address:         Address of a MAC multicast group
Host port(s):              Member ports

display igmp-snooping statistics

Syntax

display igmp-snooping statistics

View

Any view

Parameters

None

Description

Use the display igmp-snooping statistics command to display IGMP Snooping statistics. This command displays the numbers of IGMP general query messages, IGMP group-specific query messages, IGMPv1 report messages, IGMPv2 report messages, IGMP leave messages and erroneous IGMP packets received, and the number of IGMP group-specific query messages sent. When IGMPv3 Snooping is enabled, the device counts IGMPv3 messages as IGMPv2 messages.

Related commands: igmp-snooping.

Examples

# Display IGMP Snooping statistics.

<Sysname> display igmp-snooping statistics
Received IGMP general query packet(s) number:1.
Received IGMP specific query packet(s) number:0.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:3.
Received IGMP leave packet(s) number:0.
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:0.

The output above shows that IGMP Snooping has received:

• one IGMP general query message
• zero IGMP group-specific query messages
• zero IGMPv1 report messages
• three IGMPv2 report messages
• zero IGMP leave messages
• zero erroneous IGMP packets

and that IGMP Snooping has sent:

• zero IGMP group-specific query messages

igmp-snooping

Syntax

igmp-snooping { enable | disable }

View

System view, VLAN view

Parameters

enable: Enables the IGMP Snooping feature.
disable: Disables the IGMP Snooping feature.

Description

Use the igmp-snooping enable command to enable the IGMP Snooping feature.
Use the igmp-snooping disable command to disable the IGMP Snooping feature.

By default, the IGMP Snooping feature is disabled.

• Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view; otherwise the IGMP Snooping setting will not take effect.
• If IGMP Snooping and VLAN VPN are enabled on a VLAN at the same time, IGMP queries are likely to fail to pass the VLAN. You can solve this problem by configuring VLAN tags for the IGMP queries. For details, see igmp-snooping vlan-mapping.

Examples

# Enable the IGMP Snooping feature on the switch.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] igmp-snooping enable
Enable IGMP-Snooping ok.

igmp-snooping fast-leave

Syntax

igmp-snooping fast-leave [ vlan vlan-list ]
undo igmp-snooping fast-leave [ vlan vlan-list ]

View

System view, Ethernet port view

Parameters

vlan vlan-list: Specifies a VLAN list. With the vlan-list argument, you can provide one or more individual VLAN IDs (in the form of vlan-id) and/or one or more VLAN ID ranges (in the form of vlan-id1 to vlan-id2, where vlan-id2 must be greater than vlan-id1). The effective range for a VLAN ID is 1 to 4094, and the total number of individual VLANs plus VLAN ranges cannot exceed 10.
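The display igmp-snooping statistics counters above are useful to poll when monitoring a switch: the erroneous-packet counter grows when an attached host sends malformed IGMP, and a burst of leave messages signals membership churn that, with fast leave enabled, also cuts off other hosts on the same port. The Python script below is an added example, not part of the 3Com manual or its software: it parses output in the exact line format the manual shows (the sample is constructed from that example), computes per-counter growth between two polls, and flags the two conditions just named. The key names and thresholds are choices made here, not anything the switch defines.

```python
"""Parse display igmp-snooping statistics output and flag counter anomalies.

Added example, not from the 3Com manual or its software. The sample output
below is constructed from the format the manual shows; the counter key
names and the thresholds are choices made here, not switch definitions.
"""
import re

# Constructed sample, in the exact line format of the manual's example output.
SAMPLE_OUTPUT = """\
<Sysname> display igmp-snooping statistics
Received IGMP general query packet(s) number:1.
Received IGMP specific query packet(s) number:0.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:3.
Received IGMP leave packet(s) number:0.
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:0.
"""

_COUNTER = re.compile(r"^(Received|Sent) (.+?) packet\(s\) number:(\d+)\.$")


def parse_igmp_snooping_statistics(text: str) -> dict[str, int]:
    """Return {counter_name: value}, e.g. {"received_igmp_v2_report": 3, ...}.

    The echoed command prompt and blank lines are skipped; any other line
    that does not match the counter format raises, so a changed output
    format is noticed instead of silently producing zeros. With IGMPv3
    Snooping enabled the switch counts IGMPv3 messages in the V2 report
    counter (per the manual), so there is no separate v3 key.
    """
    counters: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):
            continue
        m = _COUNTER.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        direction, name, value = m.groups()
        key = f"{direction}_{name}".lower().replace(" ", "_")
        counters[key] = int(value)
    return counters


def counter_deltas(previous: dict[str, int], current: dict[str, int]) -> dict[str, int]:
    """Per-counter growth between two polls.

    If a counter went down (cleared with reset igmp-snooping statistics,
    or wrapped), the raw current value is reported for that counter.
    """
    deltas: dict[str, int] = {}
    for key, now in current.items():
        before = previous.get(key, 0)
        deltas[key] = now - before if now >= before else now
    return deltas


def anomalies(delta: dict[str, int], max_errors: int = 0, max_leaves: int = 100) -> list[str]:
    """Describe counter growth worth investigating in one polling interval.

    Thresholds are constructed defaults: any erroneous IGMP packet is
    reported, and more than max_leaves leave messages is reported as churn.
    """
    findings: list[str] = []
    errors = delta.get("received_error_igmp", 0)
    if errors > max_errors:
        findings.append(f"{errors} erroneous IGMP packets received")
    leaves = delta.get("received_igmp_leave", 0)
    if leaves > max_leaves:
        findings.append(f"{leaves} IGMP leave messages in one interval")
    return findings


if __name__ == "__main__":
    first = parse_igmp_snooping_statistics(SAMPLE_OUTPUT)
    # A constructed later poll with error and leave counters grown.
    second = dict(first, received_error_igmp=4, received_igmp_leave=150)
    print(anomalies(counter_deltas(first, second)))
```

Run the parser on each poll, keep the previous result, and feed the delta to anomalies(); a quiet switch yields an empty list.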
Description

Use the igmp-snooping fast-leave command to enable fast leave processing. With this function enabled, when the switch receives an IGMP leave message on a port, it immediately removes that port from the forwarding table entry for the specific group.
Use the undo igmp-snooping fast-leave command to disable fast leave processing.

By default, fast leave processing is disabled.

• The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3.
• The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, it takes effect on all ports in the specified VLAN(s).
• The configuration performed in Ethernet port view takes effect on the port regardless of the VLAN it belongs to if no VLAN is specified; if one or more VLANs are specified, it takes effect on the port only if the port belongs to the specified VLAN(s).
• If fast leave processing and unknown multicast packet dropping or non-flooding are enabled on a port to which more than one host is connected, then when one host leaves a multicast group, the other hosts connected to the port that are interested in the same multicast group will stop receiving multicast data for that group.

Examples

# Enable fast leave processing on Ethernet 1/0/1 in VLAN 2.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] igmp-snooping fast-leave vlan 2

igmp-snooping group-limit

Syntax

igmp-snooping group-limit limit [ vlan vlan-list ] [ overflow-replace ]
undo igmp-snooping group-limit [ vlan vlan-list ]

View

Ethernet port view

Parameters

limit: Maximum number of multicast groups the port can join, in the range of 1 to 256.
overflow-replace: Allows a new multicast group to replace an existing multicast group with the lowest IP address.
vlan vlan-list: Specifies a VLAN list.
With the vlan-list argument, you can provide one or more individual VLAN IDs (in the form of vlan-id) and/or one or more VLAN ID ranges (in the form of vlan-id1 to vlan-id2, where vlan-id2 must be greater than vlan-id1). The effective range for a VLAN ID is 1 to 4094, and the total number of individual VLANs plus VLAN ranges cannot exceed 10.

Description

Use the igmp-snooping group-limit command to set the maximum number of multicast groups the port can join.
Use the undo igmp-snooping group-limit command to restore the default setting.

If you do not specify any VLAN, the command takes effect for all the VLANs to which the current port belongs; if you specify one or more VLANs, the command takes effect for the port only if the port belongs to the specified VLAN(s). It is recommended to specify one or more VLANs to save memory.

For the Switch 4210 series, the system default is 256.

• To prevent bursts of traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process.
• When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting from the oldest one. In this case, the multicast packets for the removed multicast group(s) are flooded in the VLAN as unknown multicast packets. As a result, non-member ports can receive those multicast packets for a period of time.

Examples

# Allow Ethernet 1/0/1 in VLAN 2 to join a maximum of 200 multicast groups.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] igmp-snooping group-limit 200 vlan 2

igmp-snooping group-policy

Syntax

igmp-snooping group-policy acl-number [ vlan vlan-list ]
undo igmp-snooping group-policy [ vlan vlan-list ]

View

System view, Ethernet port view

Parameters

acl-number: Basic ACL number, in the range of 2000 to 2999.
vlan vlan-list: Specifies a VLAN list. With the vlan-list argument, you can provide one or more individual VLAN IDs (in the form of vlan-id) and/or one or more VLAN ID ranges (in the form of vlan-id1 to vlan-id2, where vlan-id2 must be greater than vlan-id1). The effective range for a VLAN ID is 1 to 4094, and the total number of individual VLANs plus VLAN ranges cannot exceed 10.

Description

Use the igmp-snooping group-policy command to configure a multicast group filter.
Use the undo igmp-snooping group-policy command to remove the configured multicast group filter.

By default, no multicast group filter is configured.

The ACL rule defines a multicast address or a multicast address range (for example 224.0.0.1 to 239.255.255.255) and is used to:

• Allow the port(s) to join only the multicast group(s) defined in the rule by a permit statement.
• Inhibit the port(s) from joining the multicast group(s) defined in the rule by a deny statement.

• A port can belong to multiple VLANs, but you can configure only one ACL rule per VLAN on a port.
• If the applied ACL contains no rule, all multicast groups are filtered.
• Since most devices broadcast unknown multicast packets by default, this function is often used together with the function of dropping unknown multicast packets, so that multicast streams are not broadcast as unknown multicast packets to a port blocked by this filter.
• The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, it takes effect on all ports in the specified VLAN(s).
• The configuration performed in Ethernet port view takes effect on the port regardless of the VLAN it belongs to if no VLAN is specified; if one or more VLANs are specified, it takes effect on the port only if the port belongs to the specified VLAN(s).

Examples

# Configure a multicast group filter to allow receivers attached to Ethernet 1/0/1 to access the multicast streams for groups 225.0.0.0 to 225.255.255.255.

• Configure ACL 2000.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 225.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] quit

• Create VLAN 2 and add Ethernet 1/0/1 to VLAN 2.

[Sysname] vlan 2
[Sysname-vlan2] port Ethernet 1/0/1
[Sysname-vlan2] quit

• Apply ACL 2000 on Ethernet 1/0/1 to allow it to join only the IGMP multicast groups defined in the rule of ACL 2000.

[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] igmp-snooping group-policy 2000 vlan 2
[Sysname-Ethernet1/0/1] quit

# Configure a multicast group filter to allow receivers attached to Ethernet 1/0/2 to access the multicast streams for any groups except groups 225.0.0.0 to 225.0.0.255.

• Configure ACL 2001.

[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule deny source 225.0.0.0 0.0.0.255
[Sysname-acl-basic-2001] rule permit source any
[Sysname-acl-basic-2001] quit

• Create VLAN 2 and add Ethernet 1/0/2 to VLAN 2.

[Sysname] vlan 2
[Sysname-vlan2] port Ethernet 1/0/2
[Sysname-vlan2] quit

• Apply ACL 2001 on Ethernet 1/0/2 to allow it to join any IGMP multicast groups except those defined in the deny rule of ACL 2001.

[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] igmp-snooping group-policy 2001 vlan 2

igmp-snooping host-aging-time

Syntax

igmp-snooping host-aging-time seconds
undo igmp-snooping host-aging-time

View

System view

Parameters

seconds: Aging time (in seconds) of multicast member ports, in the range of 200 to 1,000.
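The Python script below is an added example, not part of the 3Com manual or its software, that ties together two things shown earlier: the igmp-snooping group-policy filter with the manual's ACL 2000 and ACL 2001, and the IP-group-to-MAC-group relationship visible in the display igmp-snooping group output (228.0.0.1 listed under MAC group 0100-5e00-0001). It models a basic ACL as an ordered list of (action, source, wildcard) rules, decides which groups a port may join, and maps each IP group to its MAC group using the standard IPv4 multicast mapping (01-00-5e followed by the low 23 bits of the group address), so that you can check whether a denied group shares a MAC group with a permitted one. First-match evaluation and implicit deny for groups no rule matches are assumptions chosen to agree with the manual's examples; the function names are chosen here.

```python
"""Evaluate an igmp-snooping group-policy filter and map IP groups to MAC groups.

Added example, not from the 3Com manual or its software. It models a basic
ACL as an ordered list of (action, source, wildcard) rules, evaluates the
manual's two example ACLs, and computes the MAC group of each IP group with
the standard IPv4 multicast mapping (01-00-5e + low 23 bits), which the
manual's display igmp-snooping group output reflects (228.0.0.1 ->
0100-5e00-0001). First-match evaluation and implicit deny for unmatched
groups are assumptions chosen to agree with the manual's examples.
"""
import ipaddress

Rule = tuple[str, str, str]  # (action, source, wildcard); "any" is 0.0.0.0 255.255.255.255

# The manual's ACL 2000: permit only 225.0.0.0 to 225.255.255.255.
ACL_2000: list[Rule] = [("permit", "225.0.0.0", "0.255.255.255")]

# The manual's ACL 2001: deny 225.0.0.0 to 225.0.0.255, permit everything else.
ACL_2001: list[Rule] = [
    ("deny", "225.0.0.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # "rule permit source any"
]


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def rule_matches(rule: Rule, group: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    _, source, wildcard = rule
    care_bits = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(group) ^ _ip(source)) & care_bits == 0


def group_permitted(acl: list[Rule], group: str) -> bool:
    """Decide whether a port carrying this group-policy may join `group`.

    An ACL with no rules filters every group, as the manual states. Rules
    are evaluated in order and the first match decides; a group matching
    no rule is denied (assumption consistent with ACL 2000, which must
    admit only the 225.0.0.0 to 225.255.255.255 range it names).
    """
    for rule in acl:
        if rule_matches(rule, group):
            return rule[0] == "permit"
    return False


def ip_group_to_mac(group: str) -> str:
    """Map an IPv4 multicast group to its MAC group in the switch's H-H-H form."""
    addr = _ip(group)
    if not 0xE0000000 <= addr <= 0xEFFFFFFF:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = (addr & 0x7FFFFF).to_bytes(3, "big")
    return f"0100-5e{low23[0]:02x}-{low23[1]:02x}{low23[2]:02x}"


def mac_group_overlap(acl: list[Rule], candidates: list[str]) -> dict[str, list[str]]:
    """Find MAC groups shared by a permitted and a denied IP group.

    Thirty-two IP groups map to one MAC group, so a port that joins a
    permitted group receives every stream forwarded under the same MAC
    entry; an IP-level filter does not separate those streams at layer 2.
    Returns {mac_group: [denied IP groups]} for every MAC group that also
    has a permitted member among `candidates`.
    """
    by_mac: dict[str, dict[str, list[str]]] = {}
    for g in candidates:
        verdict = "permitted" if group_permitted(acl, g) else "denied"
        entry = by_mac.setdefault(ip_group_to_mac(g), {"permitted": [], "denied": []})
        entry[verdict].append(g)
    return {mac: v["denied"] for mac, v in by_mac.items() if v["permitted"] and v["denied"]}


if __name__ == "__main__":
    for g in ("225.0.0.1", "225.128.0.1", "239.1.1.1"):
        print(g, "->", ip_group_to_mac(g), "ACL 2001 permits:", group_permitted(ACL_2001, g))
    print(mac_group_overlap(ACL_2001, ["225.0.0.1", "225.128.0.1"]))
```

Under ACL 2001, 225.0.0.1 is denied while 225.128.0.1 is permitted, yet both map to MAC group 0100-5e00-0001; mac_group_overlap() reports exactly that pairing, which is the check to run when a group filter is meant to keep one stream away from a port.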
Description

Use the igmp-snooping host-aging-time command to configure the aging time of multicast member ports.
Use the undo igmp-snooping host-aging-time command to restore the default aging time.

By default, the aging time of multicast member ports is 260 seconds.

The aging time of multicast member ports determines how often multicast group memberships are refreshed. In an environment where multicast group members change frequently, a shorter aging time is appropriate.

Related commands: display igmp-snooping configuration.

Examples

# Set the aging time of multicast member ports to 300 seconds.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] igmp-snooping host-aging-time 300

igmp-snooping nonflooding-enable

Syntax

igmp-snooping nonflooding-enable
undo igmp-snooping nonflooding-enable

View

System view

Parameters

None

Description

Use the igmp-snooping nonflooding-enable command to enable the IGMP Snooping non-flooding function. With this function enabled, unknown multicast packets are passed to the router ports of the switch rather than being flooded in the VLAN.
Use the undo igmp-snooping nonflooding-enable command to disable the IGMP Snooping non-flooding function.

By default, the IGMP Snooping non-flooding function is disabled, namely unknown multicast packets are flooded in the VLAN.

The difference between the IGMP Snooping non-flooding function and the function of dropping unknown multicast packets is that the former passes unknown multicast packets to the router ports while the latter discards unknown multicast packets outright.

You can configure this command only after IGMP Snooping is enabled globally. When IGMP Snooping is disabled globally, the configuration of the igmp-snooping nonflooding-enable command is also removed.

• IGMP Snooping must be enabled globally and also in the VLAN before you enable the function of unknown multicast flooding suppression.
• If the function of dropping unknown multicast packets is enabled, you cannot enable unknown multicast flooding suppression.

Related commands: unknown-multicast drop enable.

Examples

# Enable IGMP Snooping non-flooding after enabling IGMP Snooping globally and also in VLAN 1.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] igmp-snooping enable
[Sysname] vlan 1
[Sysname-vlan1] igmp-snooping enable
[Sysname-vlan1] quit
[Sysname] igmp-snooping nonflooding-enable

igmp-snooping router-aging-time

Syntax

igmp-snooping router-aging-time seconds
undo igmp-snooping router-aging-time

View

System view

Parameters

seconds: Aging time of router ports, in seconds, in the range of 1 to 1,000.

Description

Use the igmp-snooping router-aging-time command to configure the aging time of router ports.
Use the undo igmp-snooping router-aging-time command to restore the default aging time.

By default, the aging time of router ports is 105 seconds.

The aging time of router ports should be about 2.5 times the IGMP query interval.

Related commands: igmp-snooping.

Examples

# Set the aging time of the router port to 500 seconds.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] igmp-snooping router-aging-time 500

igmp-snooping version

Syntax

igmp-snooping version version-number
undo igmp-snooping version

View

VLAN view

Parameters

version-number: IGMP Snooping version, in the range of 2 to 3, defaulting to 2.

Description

Use the igmp-snooping version command to configure the IGMP Snooping version in the current VLAN.
Use the undo igmp-snooping version command to restore the default IGMP Snooping version.

This command can take effect only if IGMP Snooping is enabled in the VLAN.

Related commands: igmp-snooping enable.

Examples

# Set the IGMP Snooping version to version 3 in VLAN 100.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] igmp-snooping enable
Enable IGMP-Snooping ok.
[Sysname] vlan 100
[Sysname-vlan100] igmp-snooping enable
[Sysname-vlan100] igmp-snooping version 3

igmp-snooping vlan-mapping

Syntax

igmp-snooping vlan-mapping vlan vlan-id
undo igmp-snooping vlan-mapping

View

System view

Parameters

vlan vlan-id: VLAN ID, in the range of 1 to 4094.

Description

Use the igmp-snooping vlan-mapping vlan command to have IGMP general and group-specific query messages transmitted in a specific VLAN.
Use the undo igmp-snooping vlan-mapping command to restore the default.

By default, the VLAN tag carried in IGMP general and group-specific query messages is not changed.

Examples

# Configure IGMP general and group-specific query messages to be transmitted in VLAN 2.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] igmp-snooping enable
[Sysname] igmp-snooping vlan-mapping vlan 2

igmp host-join

Syntax

igmp host-join group-address [ source-ip source-address ] vlan vlan-id
undo igmp host-join group-address [ source-ip source-address ] vlan vlan-id

View

Ethernet port view

Parameters

group-address: Address of the multicast group to join.
source-address: Address of the multicast source to join. You can specify a multicast source address only when IGMPv3 Snooping is running in the VLAN.
vlan vlan-id: ID of the VLAN to which the port belongs, in the range of 1 to 4094.

Description

Use the igmp host-join command to configure the current port as a member of the specified multicast group, or of the specified source and group, namely to configure the port as a simulated member host for that group or source-and-group pair.
Use the undo igmp host-join command to remove the current port as a simulated member host for the specified multicast group or source-and-group pair.

Unlike a static member port, a port configured as a simulated member host ages out like a dynamic member port.
Related commands: igmp-snooping enable, multicast static-group interface, multicast static-group vlan.

• Before configuring a port as a simulated host, enable IGMP Snooping in VLAN view first.
• The current port must belong to the specified VLAN; otherwise this configuration does not take effect.

Examples

# Configure Ethernet 1/0/1 in VLAN 1 as a simulated member host for multicast source 1.1.1.1 and multicast group 225.0.0.1.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] igmp-snooping enable
Enable IGMP-Snooping ok.
[Sysname] vlan 1
[Sysname-vlan1] igmp-snooping enable
[Sysname-vlan1] igmp-snooping version 3
[Sysname-vlan1] quit
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] igmp host-join 225.0.0.1 source-ip 1.1.1.1 vlan 1

multicast static-group interface

Syntax

multicast static-group group-address interface interface-list
undo multicast static-group group-address interface interface-list

View

VLAN interface view

Parameters

group-address: IP address of the multicast group to join, in the range of 224.0.0.0 to 239.255.255.255.
interface interface-list: Specifies a port list. With the interface-list argument, you can define one or more individual ports (in the form of interface-type interface-number) and/or one or more port ranges (in the form of interface-type interface-number1 to interface-type interface-number2, where interface-number2 must be greater than interface-number1). The total number of individual ports plus port ranges cannot exceed 10. For port types and port numbers, refer to the parameter description in the "Port Basic Configuration" part of this manual.

Description

Use the multicast static-group interface command to configure the specified port(s) under the current VLAN interface as static member port(s) for the specified multicast group.
Use the undo multicast static-group interface command to remove the specified port(s) in the current VLAN as static member port(s) for the specified multicast group.
By default, no port is configured as a static multicast group member port.

Examples

# Configure ports Ethernet 1/0/1 to Ethernet 1/0/3 under VLAN-interface 1 as static member ports for multicast group 225.0.0.1.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] multicast static-group 225.0.0.1 interface Ethernet 1/0/1 to Ethernet 1/0/3

multicast static-group vlan

Syntax

multicast static-group group-address vlan vlan-id
undo multicast static-group group-address vlan vlan-id

View

Ethernet port view

Parameters

group-address: IP address of the multicast group to join, in the range of 224.0.0.0 to 239.255.255.255.
vlan vlan-id: Specifies the VLAN the Ethernet port belongs to, where vlan-id ranges from 1 to 4094.

Description

Use the multicast static-group vlan command to configure the current port as a static member port for the specified multicast group and specify the VLAN the port belongs to.
Use the undo multicast static-group vlan command to remove the current port in the specified VLAN as a static member port for the specified multicast group.

By default, no port is configured as a static multicast group member port.

Note that the effect of the configuration depends on whether the current port belongs to a multicast VLAN and whether the port belongs to the specified VLAN:

• If the current port belongs to neither a multicast VLAN nor the specified VLAN, the configuration does not take effect.
• If the current port does not belong to any multicast VLAN but belongs to the specified VLAN, the configuration takes effect in the specified VLAN.
• If the current port belongs to a multicast VLAN, the configuration takes effect only in the multicast VLAN, whether or not the port belongs to the specified VLAN.

Examples

# Configure port Ethernet 1/0/1 in VLAN 2 as a static member port for multicast group 225.0.0.1.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] multicast static-group 225.0.0.1 vlan 2

multicast static-router-port

Syntax

multicast static-router-port interface-type interface-number
undo multicast static-router-port interface-type interface-number

View

VLAN view

Parameters

interface-type interface-number: Specifies a port by its type and number.

Description

Use the multicast static-router-port command to configure the specified port in the current VLAN as a static router port.
Use the undo multicast static-router-port command to remove the specified port in the current VLAN as a static router port.

By default, a port is not a static router port.

Examples

# Configure Ethernet 1/0/1 in VLAN 10 as a static router port.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 10
[Sysname-vlan10] multicast static-router-port Ethernet1/0/1

multicast static-router-port vlan

Syntax

multicast static-router-port vlan vlan-id
undo multicast static-router-port vlan vlan-id

View

Ethernet port view

Parameters

vlan-id: ID of the VLAN the port belongs to, in the range of 1 to 4094.

Description

Use the multicast static-router-port vlan command to configure the current port as a static router port and specify the VLAN the port belongs to.
Use the undo multicast static-router-port vlan command to restore the default.

By default, no port is configured as a static router port.

Note that the effect of the configuration depends on whether the current port belongs to a multicast VLAN and whether the port belongs to the specified VLAN:

• If the current port belongs to neither a multicast VLAN nor the specified VLAN, the configuration does not take effect.
• If the current port does not belong to any multicast VLAN but belongs to the specified VLAN, the configuration takes effect in the specified VLAN.
• If the current port belongs to a multicast VLAN, the configuration takes effect only in the multicast VLAN, whether or not the port belongs to the specified VLAN.

Examples

# Configure Ethernet 1/0/1 in VLAN 10 as a static router port.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] multicast static-router-port vlan 10

reset igmp-snooping statistics

Syntax

reset igmp-snooping statistics

View

User view

Parameters

None

Description

Use the reset igmp-snooping statistics command to clear IGMP Snooping statistics.

Related commands: display igmp-snooping statistics.

Examples

# Clear IGMP Snooping statistics.

<Sysname> reset igmp-snooping statistics

service-type multicast

Syntax

service-type multicast
undo service-type multicast

View

VLAN view

Parameters

None

Description

Use the service-type multicast command to configure the current VLAN as a multicast VLAN.
Use the undo service-type multicast command to remove the current VLAN as a multicast VLAN.

By default, no VLAN is a multicast VLAN.

In an IGMP Snooping environment, by configuring a multicast VLAN and adding ports to it, you can allow users in different VLANs to share the same multicast VLAN. This saves bandwidth because multicast streams are transmitted only within the multicast VLAN. In addition, because the multicast VLAN is isolated from the user VLANs, this method also enhances information security.

• One port belongs to only one multicast VLAN.
• The port connected to a user terminal must be a hybrid port.
• The multicast member port must be in the same multicast VLAN as the router port. Otherwise, the port cannot receive multicast packets.
• If a router port is in a multicast VLAN, the router port must be configured as a trunk port or as a hybrid port that allows tagged packets of the multicast VLAN to pass. Otherwise, none of the multicast member ports in this multicast VLAN can receive multicast packets.
• If a multicast member port needs to receive multicast packets forwarded by a router port that does not belong to any multicast VLAN, the multicast member port must be removed from the multicast VLAN. Otherwise, the port cannot receive multicast packets.

Examples

# Configure VLAN 2 as a multicast VLAN.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 2
[Sysname-vlan2] service-type multicast

2 Common Multicast Configuration Commands

display mac-address multicast static

Syntax

display mac-address multicast static [ [ mac-address ] vlan vlan-id ] [ count ]

View

Any view

Parameters

mac-address: Displays the static multicast MAC entry information for the specified MAC address. Without this argument, this command displays the information of all static multicast MAC entries in the specified VLAN.
vlan vlan-id: Displays the static multicast MAC entry information in the specified VLAN. Without a VLAN specified, this command displays the static multicast MAC entry information in all VLANs.
count: Displays the number of static multicast MAC entries.

Description

Use the display mac-address multicast static command to display the information about the multicast MAC address entry or entries manually configured on the switch.

Related commands: mac-address multicast interface, mac-address multicast vlan.

Examples

# Display the information of all static multicast MAC entries in VLAN 1.
<Sysname> display mac-address multicast static vlan 1
MAC ADDR        VLAN ID  STATE          PORT INDEX      AGING TIME(s)
0100-0001-0001  1        Config static  Ethernet1/0/1   NOAGED
                                        Ethernet1/0/2
                                        Ethernet1/0/3
                                        Ethernet1/0/4
---  1 static mac address(es) found  ---

Table 2-1 display mac-address multicast static command output description
MAC ADDR: MAC address
VLAN ID: The VLAN in which the MAC address is manually added
STATE: State of the MAC address. The only possible value is Config static, indicating that the entry is manually added.
PORT INDEX: Ports out of which the multicast packets destined for the multicast MAC address are forwarded
AGING TIME(s): State of the aging timer. The aging timer for static multicast MAC addresses has only one state, NOAGED, indicating that the entry never expires.

mac-address multicast interface
Syntax
mac-address multicast mac-address interface interface-list vlan vlan-id
undo mac-address multicast [ mac-address [ interface interface-list ] vlan vlan-id ]
View
System view
Parameters
mac-address: Multicast MAC address, in the form H-H-H.
interface interface-list: Specifies forwarding ports for the specified multicast MAC group address. With the interface-list argument, you can define one or more individual ports (in the form interface-type interface-number) and/or one or more port ranges (in the form interface-type interface-number1 to interface-type interface-number2, where interface-number2 must be greater than interface-number1). The total number of individual ports plus port ranges cannot exceed 10. For port types and port numbers, refer to the parameter description in the "Port Basic Configuration" part of this manual.
vlan vlan-id: Specifies the VLAN to which the forwarding ports belong. The effective range for vlan-id is 1 to 4094.
Description
Use the mac-address multicast interface command to create a multicast MAC address entry.
Use the undo mac-address multicast interface command to remove the specified multicast MAC address entry or all multicast MAC address entries.
Each multicast MAC address entry contains the multicast address, the forwarding port, the VLAN ID, and so on.
Related commands: display mac-address multicast static.
Examples
# Create a multicast MAC address entry with the multicast MAC address 0100-5e0a-0805 and the forwarding port Ethernet 1/0/1 in VLAN 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-address multicast 0100-5e0a-0805 interface Ethernet 1/0/1 vlan 1

mac-address multicast vlan
Syntax
mac-address multicast mac-address vlan vlan-id
undo mac-address multicast [ [ mac-address ] vlan vlan-id ]
View
Ethernet port view
Parameters
mac-address: Multicast MAC address, in the form H-H-H.
vlan vlan-id: Specifies the VLAN the current port belongs to. The effective range for vlan-id is 1 to 4094.
Description
Use the mac-address multicast vlan command to create a multicast MAC address entry on the current port.
Use the undo mac-address multicast vlan command to remove the specified multicast MAC address entry or all multicast MAC address entries on the current port.
Each multicast MAC address entry contains the multicast address, the forwarding port, and the VLAN ID.
Related commands: display mac-address multicast static.
Examples
# Create a multicast MAC address entry on Ethernet 1/0/1 in VLAN 1, with the multicast address 0100-1000-1000.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] mac-address multicast 0100-1000-1000 vlan 1

unknown-multicast drop enable
Syntax
unknown-multicast drop enable
undo unknown-multicast drop enable
View
System view
Parameters
None
Description
Use the unknown-multicast drop enable command to enable the function of dropping unknown multicast packets.
Use the undo unknown-multicast drop enable command to disable the function of dropping unknown multicast packets.
By default, the function of dropping unknown multicast packets is disabled.
Examples
# Enable the unknown multicast drop feature.
<Sysname> system-view
System view: return to user view with Ctrl+Z.
[Sysname] unknown-multicast drop enable

Table of Contents
1 802.1x Configuration Commands   1-1
  802.1x Configuration Commands   1-1
    display dot1x   1-1
    dot1x   1-4
    dot1x authentication-method   1-5
    dot1x dhcp-launch   1-6
    dot1x guest-vlan   1-7
    dot1x handshake   1-8
    dot1x handshake secure   1-9
    dot1x max-user   1-10
    dot1x port-control   1-11
    dot1x port-method   1-12
    dot1x quiet-period   1-13
    dot1x retry   1-13
    dot1x retry-version-max   1-14
    dot1x re-authenticate   1-15
    dot1x supp-proxy-check   1-16
    dot1x timer   1-18
    dot1x timer reauth-period   1-19
    dot1x version-check   1-20
    reset dot1x statistics   1-21
2 HABP Configuration Commands   2-1
  HABP Configuration Commands   2-1
    display habp   2-1
    display habp table   2-2
    display habp traffic   2-2
    habp enable   2-3
    habp server vlan   2-3
    habp timer   2-4
3 System-Guard Configuration Commands   3-1
  System-guard Configuration Commands   3-1
    display system-guard config   3-1
    system-guard enable   3-1
    system-guard mode   3-2
    system-guard permit   3-3

1 802.1x Configuration Commands

802.1x Configuration Commands

display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ]
View
Any view
Parameter
sessions: Displays information about 802.1x sessions.
statistics: Displays 802.1x statistics.
interface: Displays the 802.1x-related information about a specified port.
interface-list: Ethernet port list, in the form interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string "&<1-10>" means that up to 10 port lists can be provided.
Description
Use the display dot1x command to display 802.1x-related information, such as configuration information, operation information (session information), and statistics.
When the interface-list argument is not provided, this command displays 802.1x-related information about all the ports.
The output can be used to verify 802.1x-related configurations and to troubleshoot.
Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, and dot1x timer.
Example
# Display 802.1x-related information.
<Sysname> display dot1x
 Global 802.1X protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Handshake is enabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled
 Configuration: Transmit Period    30 s,  Handshake Period   15 s
                ReAuth Period    3600 s,  ReAuth MaxTimes       2
                Quiet Period       60 s,  Quiet Period Timer is disabled
                Supp Timeout       30 s,  Server Timeout    100 s
                Interval between version requests is 30s
                Maximal request times for version information is 3
                The maximal retransmitting times   2
 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 1

 Ethernet1/0/1 is link-up
   802.1X protocol is enabled
   Proxy trap checker is disabled
   Proxy logoff checker is disabled
   Version-Check is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Port-based
   ReAuthenticate is disabled
   Max number of on-line users is 256
   Authentication Success: 4,  Failed: 2
   EAPOL Packets: Tx 7991,  Rx 14
   Sent EAP Request/Identity Packets : 7981
        EAP Request/Challenge Packets: 0
   Received EAPOL Start Packets : 5
            EAPOL LogOff Packets: 1
            EAP Response/Identity Packets : 4
            EAP Response/Challenge Packets: 4
            Error Packets: 0
   1. Authenticated user : MAC address: 000d-88f6-44c1
   Controlled User(s) amount to 1

 Ethernet1/0/2 ……

Table 1-1 Description on the fields of the display dot1x command
Equipment
  802.1X protocol is enabled: 802.1x protocol (802.1x for short) is enabled on the switch.
  CHAP authentication is enabled: CHAP authentication is enabled.
  DHCP-launch is disabled: DHCP-triggered 802.1x authentication is disabled.
  Handshake is enabled: The online user handshaking function is enabled.
  Proxy trap checker is disabled: Whether or not to send Trap packets when detecting that a supplicant system logs in through a proxy. Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through a proxy; Enable means the switch sends Trap packets when it detects that a supplicant system logs in through a proxy.
  Proxy logoff checker is disabled: Whether or not to disconnect a supplicant system when detecting that it logs in through a proxy. Disable means the switch does not disconnect a supplicant system when it detects that the latter logs in through a proxy; Enable means the switch disconnects a supplicant system when it detects that the latter logs in through a proxy.
  Transmit Period: Setting of the transmission period timer (tx-period)
  Handshake Period: Setting of the handshake period timer (handshake-period)
  ReAuth Period: Re-authentication interval
  ReAuth MaxTimes: Maximum number of re-authentications
  Quiet Period: Setting of the quiet period timer (quiet-period)
  Quiet Period Timer is disabled: The quiet period timer is disabled here. It can also be configured as enabled when necessary.
  Supp Timeout: Setting of the supplicant timeout timer (supp-timeout)
  Server Timeout: Setting of the server timeout timer (server-timeout)
  The maximal retransmitting times: The maximum number of times that the switch can send authentication request packets to a supplicant system
  Total maximum 802.1x user resource number: The maximum number of 802.1x users that the switch can accommodate
  Total current used 802.1x resource number: The number of online supplicant systems
  Ethernet1/0/1 is link-down: Port Ethernet 1/0/1 is down.
  802.1X protocol is disabled: 802.1x is disabled on the port.
  Proxy trap checker is disabled: Whether or not to send Trap packets when detecting that a supplicant system logs in through a proxy. Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through a proxy; Enable means the switch sends Trap packets when it detects that a supplicant system logs in through a proxy.
  Proxy logoff checker is disabled: Whether or not to disconnect a supplicant system when detecting that it logs in through a proxy. Disable means the switch does not disconnect a supplicant system when it detects that the latter logs in through a proxy; Enable means the switch disconnects a supplicant system when it detects that the latter logs in through a proxy.
  Version-Check is disabled: Whether or not the client version checking function is enabled. Disable means the switch does not check the client version; Enable means the switch checks the client version.
  The port is an authenticator: The port acts as an authenticator system.
  Authentication Mode is Auto: The port access control mode is Auto.
  Port Control Type is Mac-based: The access control method of the port is MAC-based. That is, supplicant systems are authenticated based on their MAC addresses.
  ReAuthenticate is disabled: Re-authentication is disabled on the port.
  Max number of on-line users: The maximum number of online users that the port can accommodate
  …: Information omitted here

dot1x
Syntax
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
View
System view, Ethernet port view
Parameter
interface-list: Ethernet port list, in the form interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string "&<1-10>" means that up to 10 port lists can be provided.
Description
Use the dot1x command to enable 802.1x globally or for specified Ethernet ports.
Use the undo dot1x command to disable 802.1x globally or for specified Ethernet ports.
By default, 802.1x is disabled globally and on all ports.
In system view:
- If you do not provide the interface-list argument, the dot1x command enables 802.1x globally.
- If you specify the interface-list argument, the dot1x command enables 802.1x for the specified Ethernet ports.
In Ethernet port view, the interface-list argument is not available and the command enables 802.1x for only the current Ethernet port.
802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port.
- 802.1x and the maximum number of MAC addresses that can be learned are mutually exclusive on a port. That is, when 802.1x is enabled for a port, the maximum number of MAC addresses to be learned cannot be configured on it at the same time. Conversely, if you configure the maximum number of MAC addresses that can be learned for a port, 802.1x is unavailable on it.
- If you enable 802.1x for a port, the port cannot be added to an aggregation group. Conversely, if a port has been added to an aggregation group, 802.1x cannot be enabled for the port.
Related command: display dot1x.
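The following Python is an added example and not part of the 3Com manual: it parses display dot1x output of the form shown above and applies the rule just stated, that a port enforces 802.1x only when 802.1x is enabled both globally and on the port. The sample output is constructed from the manual's example (the second port, its link-down state and the counters are invented), and the audit policy (flagging disabled proxy checking, a non-Auto access control mode, and more failed than successful authentications) is the example's own.

```python
"""Added example: parse 'display dot1x' output and check on which ports 802.1x
is really enforced (the manual's rule: enabled both globally and on the port)."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the manual's display dot1x output; the second
# port, its link-down state and all counters are invented for illustration.
SAMPLE_OUTPUT = """\
 Global 802.1X protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled
 Ethernet1/0/1 is link-up
   802.1X protocol is enabled
   Authentication Mode is Auto
   Port Control Type is Port-based
   ReAuthenticate is disabled
   Authentication Success: 4,  Failed: 2
 Ethernet1/0/2 is link-down
   802.1X protocol is disabled
   Authentication Mode is Auto
   Port Control Type is Mac-based
   Authentication Success: 0,  Failed: 0
"""

@dataclass
class PortState:
    name: str
    link_up: bool
    enabled: bool = False       # "802.1X protocol is enabled" under the port
    auth_mode: str = ""         # "Authentication Mode is Auto"
    control_type: str = ""      # "Port Control Type is Port-based|Mac-based"
    success: int = 0
    failed: int = 0

@dataclass
class Dot1xReport:
    global_enabled: bool = False
    auth_method: str = ""       # CHAP in the manual's output
    proxy_trap: bool = False
    proxy_logoff: bool = False
    ports: dict = field(default_factory=dict)

PORT_HEADER = re.compile(r"(\S+) is link-(up|down)")
GLOBAL_FLAGS = {"Global 802.1X protocol": "global_enabled",
                "Proxy trap checker": "proxy_trap",
                "Proxy logoff checker": "proxy_logoff"}

def _flag(line, prefix):
    """True/False for '<prefix> is enabled|disabled', None if no match."""
    m = re.fullmatch(re.escape(prefix) + r" is (enabled|disabled)", line)
    return None if m is None else m.group(1) == "enabled"

def parse_display_dot1x(text):
    """Split the output into the global section and one section per port."""
    rep, port = Dot1xReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PORT_HEADER.fullmatch(line)):
            port = PortState(name=m.group(1), link_up=m.group(2) == "up")
            rep.ports[port.name] = port
        elif port is None:                      # global section
            for prefix, attr in GLOBAL_FLAGS.items():
                if (v := _flag(line, prefix)) is not None:
                    setattr(rep, attr, v)
            if (m := re.fullmatch(r"(\S+) authentication is enabled", line)):
                rep.auth_method = m.group(1)
        else:                                   # per-port section
            if (v := _flag(line, "802.1X protocol")) is not None:
                port.enabled = v
            elif (m := re.fullmatch(r"Authentication Mode is (\S+)", line)):
                port.auth_mode = m.group(1)
            elif (m := re.fullmatch(r"Port Control Type is (\S+)", line)):
                port.control_type = m.group(1)
            elif (m := re.fullmatch(r"Authentication Success: (\d+),\s*Failed: (\d+)", line)):
                port.success, port.failed = int(m.group(1)), int(m.group(2))
    return rep

def effective_ports(rep):
    """Ports on which 802.1x is actually enforced: enabled globally AND on the port."""
    return sorted(p.name for p in rep.ports.values() if rep.global_enabled and p.enabled)

def audit(rep):
    """Review findings; the policy applied here is the example's own."""
    findings = []
    if not rep.global_enabled:
        findings.append("802.1x disabled globally: per-port settings are not in effect")
    if not (rep.proxy_trap or rep.proxy_logoff):
        findings.append("proxy checking (trap and logoff) disabled globally")
    for p in rep.ports.values():
        if not p.enabled:
            findings.append(f"{p.name}: 802.1x disabled on port, no authentication enforced")
        elif not rep.global_enabled:
            findings.append(f"{p.name}: enabled on port but not globally, not in effect")
        elif p.auth_mode != "Auto":
            findings.append(f"{p.name}: access control mode {p.auth_mode}, not Auto")
        if p.enabled and p.failed > p.success:
            findings.append(f"{p.name}: failures ({p.failed}) exceed successes ({p.success})")
    return findings
```

Feeding the switch's real output (copied from the terminal) to parse_display_dot1x in place of SAMPLE_OUTPUT gives the same report structure.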
Example
# Enable 802.1x for port Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x interface Ethernet 1/0/1
# Enable 802.1x globally.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x

dot1x authentication-method
Syntax
dot1x authentication-method { chap | pap | eap }
undo dot1x authentication-method
View
System view
Parameter
chap: Authenticates using the Challenge Handshake Authentication Protocol (CHAP).
pap: Authenticates using the Password Authentication Protocol (PAP).
eap: Authenticates using the Extensible Authentication Protocol (EAP).
Description
Use the dot1x authentication-method command to set the 802.1x authentication method.
Use the undo dot1x authentication-method command to revert to the default 802.1x authentication method.
The default 802.1x authentication method is CHAP.
PAP applies a two-way handshake. In this method, passwords are transmitted in plain text.
CHAP applies a three-way handshake. In this method, user names are transmitted rather than passwords. Therefore this method is safer.
In EAP authentication, the switch authenticates supplicant systems by encapsulating 802.1x authentication information in EAP packets and sending the packets to the RADIUS server, instead of converting the packets into RADIUS packets before forwarding them to the RADIUS server. You can use EAP authentication in one of four sub-methods: PEAP, EAP-TLS, EAP-TTLS, and EAP-MD5.
Related command: display dot1x.
When the current device operates as the authentication server, EAP authentication is unavailable.
Example
# Specify the authentication method to be PAP.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x authentication-method pap

dot1x dhcp-launch
Syntax
dot1x dhcp-launch
undo dot1x dhcp-launch
View
System view
Parameter
None
Description
Use the dot1x dhcp-launch command to configure an 802.1x-enabled switch to launch the authentication of a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.
Use the undo dot1x dhcp-launch command to disable an 802.1x-enabled switch from authenticating a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.
By default, an 802.1x-enabled switch does not authenticate a supplicant system when the latter applies for a dynamic IP address through DHCP.
Related command: display dot1x.
Example
# Configure the switch to authenticate a supplicant system when it applies for a dynamic IP address through DHCP.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x dhcp-launch

dot1x guest-vlan
Syntax
dot1x guest-vlan vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
View
System view, Ethernet port view
Parameter
vlan-id: VLAN ID of a Guest VLAN, in the range 1 to 4094.
interface-list: Ethernet port list, in the form interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string "&<1-10>" means that up to 10 port lists can be provided.
Description
Use the dot1x guest-vlan command to enable the Guest VLAN function for ports.
Use the undo dot1x guest-vlan command to disable the Guest VLAN function for ports.
After 802.1x and Guest VLAN are properly configured on a port:
- If the switch receives no response from the port after sending EAP-Request/Identity packets to the port for the maximum number of times, the switch adds the port to the Guest VLAN.
- Users in a Guest VLAN can access the Guest VLAN resources without 802.1x authentication. However, they have to pass 802.1x authentication to access external resources.
In system view:
- If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.
- If you specify the interface-list argument, these two commands apply to the specified ports.
In Ethernet port view, the interface-list argument is not available and these two commands apply to only the current Ethernet port.
- The Guest VLAN function is available only when the switch operates in the port-based authentication mode.
- Only one Guest VLAN can be configured on a switch.
- The Guest VLAN function is unavailable when the dot1x dhcp-launch command is executed on the switch, because the switch does not send authentication request packets in this case.
Example
# Configure the switch to operate in the port-based authentication mode.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x port-method portbased
# Enable the Guest VLAN function for all the ports.
[Sysname] dot1x guest-vlan 1

dot1x handshake
Syntax
dot1x handshake enable
undo dot1x handshake enable
View
System view
Parameter
None
Description
Use the dot1x handshake enable command to enable the online user handshaking function.
Use the undo dot1x handshake enable command to disable the online user handshaking function.
By default, the online user handshaking function is enabled.
- To enable the proxy detecting function, you need to enable the online user handshaking function first.
- Handshaking packets require the support of the H3C-proprietary client. They are used to test whether or not a user is online.
- Because clients that are not from H3C do not support the online user handshaking function, switches cannot receive handshaking acknowledgement packets from them during handshaking periods. To prevent such users from being falsely considered offline, you need to disable the online user handshaking function in this case.
Example
# Enable the online user handshaking function.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x handshake enable

dot1x handshake secure
Syntax
dot1x handshake secure
undo dot1x handshake secure
View
Ethernet port view
Parameter
None
Description
Use the dot1x handshake secure command to enable the handshaking packet secure function, which protects the device from attacks that simulate clients.
Use the undo dot1x handshake secure command to disable the handshaking packet secure function.
By default, the handshaking packet secure function is disabled.
For the handshaking packet secure function to take effect, the clients that enable the function need to cooperate with the authentication server. If either the clients or the authentication server does not support the function, the handshaking packet secure function must be disabled.
Example
# Enable the handshaking packet secure function.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x handshake secure

dot1x max-user
Syntax
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
View
System view, Ethernet port view
Parameter
user-number: Maximum number of users a port can accommodate, in the range 1 to 256.
interface-list: Ethernet port list, in the form interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string "&<1-10>" means that up to 10 port lists can be provided.
Description
Use the dot1x max-user command to set the maximum number of users an Ethernet port can accommodate.
Use the undo dot1x max-user command to revert to the default maximum user number.
By default, a port can accommodate up to 256 users.
In system view:
- If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.
- If you specify the interface-list argument, these two commands apply to the specified ports.
In Ethernet port view, the interface-list argument is not available and the commands apply to only the current port.
Related command: display dot1x.
Example
# Set the maximum number of users that port Ethernet 1/0/1 can accommodate to 32.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x max-user 32 interface Ethernet 1/0/1

dot1x port-control
Syntax
dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
View
System view, Ethernet port view
Parameter
auto: Specifies the auto access control mode. When a port operates in this mode, all the unauthenticated hosts connected to it are unauthorized. In this case, only EAPoL packets can be exchanged between the switch and the hosts; the hosts connected to the port are authorized to access the network resources only after they pass authentication. Normally, a port operates in this mode.
authorized-force: Specifies the authorized-force access control mode. When a port operates in this mode, all the hosts connected to it can access the network resources without being authenticated.
unauthorized-force: Specifies the unauthorized-force access control mode. When a port operates in this mode, the hosts connected to it cannot access the network resources.
interface-list: Ethernet port list, in the form interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string "&<1-10>" means that up to 10 port lists can be provided.
Description
Use the dot1x port-control command to specify the access control mode for specified 802.1x-enabled Ethernet ports.
Use the undo dot1x port-control command to revert to the default access control mode.
The default access control mode is auto.
In system view:
- If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.
- If you specify the interface-list argument, these commands apply to the specified ports.
In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.
Related command: display dot1x.
Example
# Specify port Ethernet 1/0/1 to operate in unauthorized-force access control mode.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x port-control unauthorized-force interface Ethernet 1/0/1

dot1x port-method
Syntax
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
View
System view, Ethernet port view
Parameter
macbased: Performs MAC address-based authentication.
portbased: Performs port-based authentication.
interface-list: Ethernet port list, in the form interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string "&<1-10>" means that up to 10 port lists can be provided.
Description
Use the dot1x port-method command to specify the access control method for specified Ethernet ports.
Use the undo dot1x port-method command to revert to the default access control method.
By default, the access control method is macbased.
This command specifies the way in which users are authenticated.
- If you specify MAC address-based authentication (that is, you execute the dot1x port-method command with the macbased keyword), all the users connected to the specified Ethernet ports are authenticated separately, and if an online user logs off, the others are not affected.
- If you specify port-based authentication (that is, you execute the dot1x port-method command with the portbased keyword), all the users connected to a specified Ethernet port can access the network without being authenticated once one user among them passes authentication. When that user logs off, the network becomes inaccessible to all the other supplicant systems as well.
- Changing the access control method on a port with the dot1x port-method command forcibly logs out the online 802.1x users on the port.
In system view:
- If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.
- If you specify the interface-list argument, these commands apply to the specified ports.
In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.
Related command: display dot1x.
Example
# Specify port-based authentication for users connected to port Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x port-method portbased interface Ethernet 1/0/1

dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameter
None
Description
Use the dot1x quiet-period command to enable the quiet-period timer.
Use the undo dot1x quiet-period command to disable the quiet-period timer.
When a user fails to pass authentication, the authenticator system (such as a 3Com series Ethernet switch) stays quiet for a period (determined by the quiet-period timer) before it performs another authentication. During the quiet period, the authenticator system performs no 802.1x authentication of the user.
By default, the quiet-period timer is disabled.
Related commands: display dot1x, dot1x timer.
Example
# Enable the quiet-period timer.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x quiet-period

dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Parameter
max-retry-value: Maximum number of times that the switch sends authentication request packets to a user, in the range 1 to 10.
Description
Use the dot1x retry command to specify the maximum number of times that the switch sends authentication request packets to a user.
Use the undo dot1x retry command to revert to the default value.
By default, the switch sends authentication request packets to a user up to 2 times.
After the switch sends an authentication request packet to a user, it sends another authentication request packet if it does not receive a response from the user within a specific period of time. If the switch still receives no response when the configured maximum number of authentication request transmission attempts is reached, it no longer sends authentication request packets to the user.
This command applies to all ports.
Related command: display dot1x.
Example
# Set the maximum number of times that the switch sends authentication request packets to 9.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x retry 9

dot1x retry-version-max

Syntax

dot1x retry-version-max max-retry-version-value
undo dot1x retry-version-max

View

System view

Parameter

max-retry-version-value: Maximum number of times that a switch sends version request packets to a user. This argument ranges from 1 to 10.

Description

Use the dot1x retry-version-max command to set the maximum number of times that a switch sends version request packets to a user.

Use the undo dot1x retry-version-max command to revert to the default value.

By default, a switch sends version request packets to a user up to 3 times.

After a switch sends a version request packet to a user, it sends another version request packet if it does not receive a response from the user within a specific period of time (as determined by the client version request timer). When the number set by this command has been reached and there is still no response from the user, the switch continues with the following authentication procedures without sending further version requests.

This command applies to all the ports with the version checking function enabled.

Related commands: display dot1x, dot1x timer.

Example

# Configure the maximum number of times that the switch sends version request packets to be 6.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x retry-version-max 6

dot1x re-authenticate

Syntax

dot1x re-authenticate [ interface interface-list ]
undo dot1x re-authenticate [ interface interface-list ]

View

System view/Ethernet port view

Parameter

interface-list: Ethernet port list, in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x re-authenticate command to enable 802.1x re-authentication on specific ports or on all ports of the switch.
Use the undo dot1x re-authenticate command to disable 802.1x re-authentication on specific ports or on all ports of the switch.

By default, 802.1x re-authentication is disabled on all ports.

In system view:

• If you do not specify the interface-list argument, this command enables 802.1x re-authentication on all ports.
• If you specify the interface-list argument, the command enables 802.1x re-authentication on the specified ports.

In Ethernet port view, the interface-list argument is not available and 802.1x re-authentication is enabled on the current port only.

802.1x must be enabled globally and on the current port before 802.1x re-authentication can be configured on a port.

Example

# Enable 802.1x re-authentication on port Ethernet 1/0/1.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x
 802.1X is enabled globally.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x
 802.1X is enabled on port Ethernet1/0/1 already.
[Sysname-Ethernet1/0/1] dot1x re-authenticate
 Re-authentication is enabled on port Ethernet1/0/1

dot1x supp-proxy-check

Syntax

dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

View

System view, Ethernet port view

Parameter

logoff: Disconnects a user upon detecting it logging in through a proxy or through multiple network adapters.

trap: Sends Trap packets upon detecting a user logging in through a proxy or through multiple network adapters.

interface-list: Ethernet port list, in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x supp-proxy-check command to enable 802.1x proxy checking for specified ports.
Use the undo dot1x supp-proxy-check command to disable 802.1x proxy checking for specified ports.

By default, 802.1x proxy checking is disabled on all Ethernet ports.

In system view:

• If you do not specify the interface-list argument, the configurations performed by these two commands are global.
• If you specify the interface-list argument, these two commands apply to the specified Ethernet ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

The proxy checking function takes effect on a port only when the function is enabled both globally and on the port.

802.1x proxy checking checks for:

• Users logging in through proxies
• Users logging in through IE proxies
• Whether or not a user logs in through multiple network adapters (that is, when the user attempts to log in, it has more than one active network adapter)

A switch can optionally take one of the following actions in response to any of the above three cases:

• Only disconnect the user but send no Trap packets, which can be achieved by using the dot1x supp-proxy-check logoff command.
• Send Trap packets without disconnecting the user, which can be achieved by using the dot1x supp-proxy-check trap command.

This function needs the cooperation of 802.1x clients and the CAMS server:

• Multiple network adapter checking, proxy checking, and IE proxy checking are enabled on the 802.1x client.
• The CAMS server is configured to disable the use of multiple network adapters, proxies, and IE proxy.

By default, proxy checking is disabled on the 802.1x client. In this case, if you configure the CAMS server to disable the use of multiple network adapters, proxies, and IE proxy, it sends messages to the 802.1x client asking the latter to disable the use of multiple network adapters, proxies, and IE proxy after the user passes the authentication.

• The 802.1x proxy checking function needs the cooperation of H3C's 802.1x client program.
• The proxy checking function takes effect only after the client version checking function is enabled on the switch (using the dot1x version-check command).

Related command: display dot1x.

Example

# Configure the switch to disconnect the users connected to the Ethernet1/0/1 through Ethernet1/0/8 ports if they are detected logging in through proxies.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x supp-proxy-check logoff
[Sysname] dot1x supp-proxy-check logoff interface Ethernet 1/0/1 to Ethernet 1/0/8

# Configure the switch to send Trap packets if the users connected to the Ethernet1/0/9 port are detected logging in through proxies.

[Sysname] dot1x supp-proxy-check trap
[Sysname] dot1x supp-proxy-check trap interface Ethernet 1/0/9

dot1x timer

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value }
undo dot1x timer { handshake-period | quiet-period | server-timeout | supp-timeout | tx-period | ver-period }

View

System view

Parameter

handshake-period handshake-period-value: Sets the handshake timer. This timer sets the handshake period and is triggered after a supplicant system passes the authentication. It sets the interval at which the switch sends handshake request packets to online users. If you set the number of retries to N by using the dot1x retry command, an online user is considered offline when the switch does not receive response packets from it within a period N times the handshake period. The handshake-period-value argument ranges from 5 to 1,024 (in seconds). By default, the handshake timer is set to 15 seconds.

quiet-period quiet-period-value: Sets the quiet-period timer. This timer sets the quiet period.
When a supplicant system fails to pass the authentication, the switch stays quiet for the set period (set by the quiet-period timer) before it processes another authentication request re-initiated by the supplicant system. During this quiet period, the switch does not perform any 802.1x authentication-related actions for the supplicant system. The quiet-period-value argument ranges from 10 to 120 (in seconds). By default, the quiet-period timer is set to 60 seconds.

server-timeout server-timeout-value: Sets the RADIUS server timer. This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the switch sends another authentication request packet if it has not received a response from the RADIUS server when this timer times out. The server-timeout-value argument ranges from 100 to 300 (in seconds). By default, the RADIUS server timer is set to 100 seconds.

supp-timeout supp-timeout-value: Sets the supplicant system timer. This timer sets the supp-timeout period and is triggered by the switch after it sends a request/challenge packet to a supplicant system (the packet requests the MD5 encrypted string from the supplicant system). The switch sends another request/challenge packet to the supplicant system if it has not received a response from the supplicant system when this timer times out. The supp-timeout-value argument ranges from 10 to 120 (in seconds). By default, the supplicant system timer is set to 30 seconds.

tx-period tx-period-value: Sets the transmission timer. This timer sets the tx-period and is triggered in two cases. The first case is when the client requests authentication. The switch sends a unicast request/identity packet to a supplicant system and then triggers the transmission timer. The switch sends another request/identity packet to the supplicant system if it has not received a reply packet from the supplicant system when this timer times out.
The second case is when the switch authenticates an 802.1x client that cannot request authentication actively. The switch sends multicast request/identity packets periodically through the port enabled with the 802.1x function. In this case, this timer sets the interval at which the multicast request/identity packets are sent. The tx-period-value argument ranges from 1 to 120 (in seconds). By default, the transmission timer is set to 30 seconds.

ver-period ver-period-value: Sets the client version request timer. This timer sets the version period and is triggered after a switch sends a version request packet. The switch sends another version request packet if it has not received a version response packet from the supplicant system when the timer expires. The ver-period-value argument ranges from 1 to 30 (in seconds). By default, the client version request timer is set to 30 seconds.

Description

Use the dot1x timer command to set a specified 802.1x timer.

Use the undo dot1x timer command to restore a specified 802.1x timer to the default setting.

During an 802.1x authentication process, multiple timers are triggered to ensure that the supplicant systems, the authenticator systems, and the authentication servers interact with each other in an orderly way. To have authentications processed in the desired way, you can use the dot1x timer command to set the timers as needed. This may be necessary in some special situations or in tough network environments. Normally, the defaults are recommended. (Note that some timers cannot be adjusted.)

Related command: display dot1x.

Example

# Set the RADIUS server timer to 150 seconds.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x timer server-timeout 150

dot1x timer reauth-period

Syntax

dot1x timer reauth-period reauth-period-value
undo dot1x timer reauth-period

View

System view

Parameter

reauth-period reauth-period-value: Specifies the re-authentication interval, in seconds.
After this timer expires, the switch initiates 802.1x re-authentication. The value of the reauth-period-value argument ranges from 60 to 7,200.

Description

Use the dot1x timer reauth-period command to configure the interval for 802.1x re-authentication.

Use the undo dot1x timer reauth-period command to restore the default 802.1x re-authentication interval.

By default, the 802.1x re-authentication interval is 3,600 seconds.

Example

# Set the 802.1x re-authentication interval to 150 seconds.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x timer reauth-period 150

dot1x version-check

Syntax

dot1x version-check [ interface interface-list ]
undo dot1x version-check [ interface interface-list ]

View

System view, Ethernet port view

Parameter

interface-list: Ethernet port list, in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x version-check command to enable 802.1x client version checking for specified Ethernet ports.

Use the undo dot1x version-check command to disable 802.1x client version checking for specified Ethernet ports.

By default, 802.1x client version checking is disabled on all the Ethernet ports.

In system view:

• If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.
• If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Example

# Configure the Ethernet 1/0/1 port to check the version of the 802.1x client upon receiving authentication packets.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x version-check

reset dot1x statistics

Syntax

reset dot1x statistics [ interface interface-list ]

View

User view

Parameter

interface-list: Ethernet port list, in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the reset dot1x statistics command to clear 802.1x-related statistics. To retrieve the latest 802.1x-related statistics, you can use this command to clear the existing 802.1x-related statistics first.

When you execute this command:

• If the interface-list argument is not specified, this command clears the global 802.1x statistics and the 802.1x statistics on all the ports.
• If the interface-list argument is specified, this command clears the 802.1x statistics on the specified ports.

Related command: display dot1x.

Example

# Clear 802.1x statistics on the Ethernet 1/0/1 port.

<Sysname> reset dot1x statistics interface Ethernet 1/0/1

2 HABP Configuration Commands

HABP Configuration Commands

display habp

Syntax

display habp

View

Any view

Parameter

None

Description

Use the display habp command to display HABP configuration and status.

Example

# Display HABP configuration and status.

<Sysname> display habp
Global HABP information:
  HABP Mode: Server
  Sending HABP request packets every 20 seconds
  Bypass VLAN: 2

Table 2-1 Description on the fields of the display habp command

Field | Description
HABP Mode | Indicates the HABP mode of the switch. A switch can operate as an HABP server (displayed as Server) or an HABP client (displayed as Client).
Sending HABP request packets every 20 seconds | HABP request packets are sent once every 20 seconds.
Bypass VLAN | Indicates the IDs of the VLANs to which HABP request packets are sent.
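Looking back at the dot1x timer, dot1x retry and dot1x timer reauth-period commands in the previous chapter, the following checker is an added example, not 3Com code: it encodes the documented value ranges and defaults, the rule that an online user is declared offline after N handshake periods (N being the dot1x retry value), and the fact that the quiet-period and reauth-period timers only matter once dot1x quiet-period and dot1x re-authenticate are enabled, then applies them to a constructed set of configuration lines. The sample lines and the identity-phase give-up estimate (retry count times tx-period) are assumptions.

```python
import re

# Documented (min, max, default) for each dot1x timer, in seconds,
# and for the dot1x retry count.
TIMER_SPECS = {
    "handshake-period": (5, 1024, 15),
    "quiet-period": (10, 120, 60),
    "server-timeout": (100, 300, 100),
    "supp-timeout": (10, 120, 30),
    "tx-period": (1, 120, 30),
    "ver-period": (1, 30, 30),
    "reauth-period": (60, 7200, 3600),
}
RETRY_SPEC = (1, 10, 2)

# Lines in the same form the command reference shows them.
TIMER_RE = re.compile(r"^\s*dot1x timer (\S+) (\d+)\s*$")
RETRY_RE = re.compile(r"^\s*dot1x retry (\d+)\s*$")
QUIET_ENABLE_RE = re.compile(r"^\s*dot1x quiet-period\s*$")
REAUTH_ENABLE_RE = re.compile(r"^\s*dot1x re-authenticate(\s|$)")


def parse_dot1x_config(lines):
    """Apply dot1x timer / retry / enable lines on top of the documented defaults.

    Returns (settings, problems). A value outside its documented range is
    reported in problems and the default is kept, as the CLI would reject it.
    """
    settings = {name: spec[2] for name, spec in TIMER_SPECS.items()}
    settings["retry"] = RETRY_SPEC[2]
    settings["quiet-period-enabled"] = False   # disabled by default
    settings["reauth-enabled"] = False         # disabled by default
    problems = []
    for line in lines:
        if QUIET_ENABLE_RE.match(line):
            settings["quiet-period-enabled"] = True
            continue
        if REAUTH_ENABLE_RE.match(line):
            settings["reauth-enabled"] = True
            continue
        m = TIMER_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            if name not in TIMER_SPECS:
                problems.append(f"unknown timer: {line.strip()}")
                continue
            lo, hi, _ = TIMER_SPECS[name]
            if lo <= value <= hi:
                settings[name] = value
            else:
                problems.append(f"{name} {value} outside documented range {lo}-{hi}")
            continue
        m = RETRY_RE.match(line)
        if m:
            value = int(m.group(1))
            lo, hi, _ = RETRY_SPEC
            if lo <= value <= hi:
                settings["retry"] = value
            else:
                problems.append(f"retry {value} outside documented range {lo}-{hi}")
    return settings, problems


def derived_timings(settings):
    """Timings that follow from the documented behaviour of the settings."""
    return {
        # Documented: an online user is considered offline after N handshake
        # periods without a response, N being the dot1x retry value.
        "offline_detect_s": settings["retry"] * settings["handshake-period"],
        # Assumption: request/identity is retransmitted every tx-period up to
        # the retry count, so a silent supplicant is given up on after that.
        "identity_giveup_s": settings["retry"] * settings["tx-period"],
        # Documented: the quiet period applies only once dot1x quiet-period is on.
        "lockout_after_failure_s": (settings["quiet-period"]
                                    if settings["quiet-period-enabled"] else 0),
        # Documented: re-authentication runs only once dot1x re-authenticate is on.
        "reauth_interval_s": (settings["reauth-period"]
                              if settings["reauth-enabled"] else None),
    }


def lint(settings):
    """Flag timers that were changed but have no effect because the feature
    that consumes them is still disabled."""
    notes = []
    if (settings["quiet-period"] != TIMER_SPECS["quiet-period"][2]
            and not settings["quiet-period-enabled"]):
        notes.append("quiet-period timer set but dot1x quiet-period not enabled")
    if (settings["reauth-period"] != TIMER_SPECS["reauth-period"][2]
            and not settings["reauth-enabled"]):
        notes.append("reauth-period timer set but dot1x re-authenticate not enabled")
    return notes


# Constructed sample configuration lines (not taken from a real switch).
SAMPLE_CONFIG = """
dot1x
dot1x timer handshake-period 10
dot1x retry 3
dot1x timer quiet-period 90
dot1x timer reauth-period 600
dot1x timer server-timeout 50
""".strip().splitlines()


def analyse(lines=SAMPLE_CONFIG):
    settings, problems = parse_dot1x_config(lines)
    return settings, problems, derived_timings(settings), lint(settings)


if __name__ == "__main__":
    for part in analyse():
        print(part)
```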
display habp table

Syntax

display habp table

View

Any view

Parameter

None

Description

Use the display habp table command to display the MAC address table maintained by HABP.

Example

# Display the MAC address table maintained by HABP.

<Sysname> display habp table
MAC             Holdtime    Receive Port
001f-3c00-0030  53          Ethernet1/0/1

Table 2-2 Description on the fields of the display habp table command

Field | Description
MAC | MAC addresses contained in the HABP MAC address table.
Holdtime | Hold time of the entries in the HABP MAC address table. An entry is removed from the table if it is not updated within a period determined by the hold time.
Receive Port | The port from which a MAC address is learned.

display habp traffic

Syntax

display habp traffic

View

Any view

Parameter

None

Description

Use the display habp traffic command to display the statistics on HABP packets.

Example

# Display the statistics on HABP packets.

<Sysname> display habp traffic
HABP counters :
  Packets output: 0, Input: 0
  ID error: 0, Type error: 0, Version error: 0
  Sent failed: 0

Table 2-3 Description on the fields of the display habp traffic command

Field | Description
Packets output | Number of the HABP packets sent
Input | Number of the HABP packets received
ID error | Number of the HABP packets with ID errors
Type error | Number of the HABP packets with type errors
Version error | Number of the HABP packets with version errors
Sent failed | Number of the HABP packets that failed to be sent

habp enable

Syntax

habp enable
undo habp enable

View

System view

Parameter

None

Description

Use the habp enable command to enable HABP for a switch.

Use the undo habp enable command to disable HABP for a switch.

By default, HABP is enabled on a switch.

If an 802.1x-enabled switch does not have HABP enabled, it cannot manage the switches attached to it. So, you need to enable HABP on specific switches in a network with 802.1x enabled.

Example

# Enable HABP.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] habp enable

habp server vlan

Syntax

habp server vlan vlan-id
undo habp server

View

System view

Parameter

vlan-id: VLAN ID, ranging from 1 to 4094.

Description

Use the habp server vlan command to configure a switch to operate as an HABP server. This command also specifies the VLAN where HABP packets are broadcast.

Use the undo habp server vlan command to revert to the default HABP mode.

By default, a switch operates as an HABP client.

To specify a switch to operate as an HABP server, you need to enable HABP (using the habp enable command) for the switch first. When HABP is not enabled, the habp server vlan command cannot take effect.

Example

# Specify the switch to operate as an HABP server and the HABP packets to be broadcast in VLAN 2. (Assume that HABP is enabled.)

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] habp server vlan 2

habp timer

Syntax

habp timer interval
undo habp timer

View

System view

Parameter

interval: Interval (in seconds) at which HABP request packets are sent. This argument ranges from 5 to 600.

Description

Use the habp timer command to set the interval at which a switch sends HABP request packets.

Use the undo habp timer command to revert to the default interval.

The default interval for a switch to send HABP request packets is 20 seconds.

Use these two commands on switches operating as HABP servers only.

Example

# Configure the switch to send HABP request packets once every 50 seconds.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] habp timer 50

3 System-Guard Configuration Commands

System-guard Configuration Commands

display system-guard config

Syntax

display system-guard config

View

Any view

Parameter

None

Description

Use the display system-guard config command to display the current system-guard configuration and the attacked ports.

Example

# Display the information about system-guard.
<Sysname> display system-guard config
 state                : disable
 mode                 : rate-limit
 interval-time        : 5
 threshold            : 64
 timeout              : 60
 permit interfaces    : Ethernet1/0/1
 attacked and controled interfaces:

system-guard enable

Syntax

system-guard enable
undo system-guard enable

View

System view

Parameter

None

Description

Use the system-guard enable command to enable the system-guard function.

Use the undo system-guard enable command to disable the system-guard function.

By default, the system-guard function is disabled.

Example

# Enable the system-guard function.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] system-guard enable

system-guard mode

Syntax

system-guard mode rate-limit interval-time threshold timeout
undo system-guard mode

View

System view

Parameter

rate-limit: Specifies that system-guard is achieved by limiting the rates of attacked ports.

interval-time: Interval at which the system-guard check is performed.

threshold: Threshold in terms of the number of packets received by the management port within the period specified by the interval-time argument.

timeout: Time period during which an attacked port is under control.

Description

Use the system-guard mode rate-limit command to implement the system-guard function by means of port rate limiting. The switch checks the number of packets received by the management port once in each period determined by the interval-time argument. If the number exceeds the threshold, the switch considers the specific ports to be attacked ports and applies the port rate limit to these ports. The port rate limit is removed after the time specified by the timeout argument elapses.

Use the undo system-guard mode command to revert to the default system-guard configuration.

Related command: display system-guard config.

Example

# Implement the system-guard function by means of port rate limiting, with the checking interval being 5 seconds, the threshold being 100, and the timeout being 30 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] system-guard mode rate-limit 5 100 30

Upon detection of an attacked port, Switch 4210 applies a port rate limit of 64 kbps to the port.

system-guard permit

Syntax

system-guard permit interface-list
undo system-guard permit interface-list

View

System view

Parameter

permit: Specifies the ports to which the system-guard function is to be applied.

interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type represents the port type, interface-number represents the port number, and &<1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end port number and the two ports must be of the same type.

Description

Use the system-guard permit command to specify the ports to which the system-guard function is to be applied. The switch regularly checks the ports with the system-guard function applied for attacked ports.

Use the undo system-guard permit command to disable the system-guard function for the specified ports.

• After system-guard is enabled on a port, if the number of packets the port receives and sends to the CPU in a specified interval exceeds the specified threshold, the system considers the port to be under attack and begins to limit the packet receiving rate on the port (this function is also called inbound rate limit). If the rate of incoming packets on the port exceeds the inbound rate limit threshold, any service packets, including BPDU packets, may be dropped at random, which may result in STP state transitions.
• The system-guard function is not applicable to the uplink port of Switch 4210.

Example

# Apply the system-guard function to the Ethernet1/0/1 through Ethernet1/0/10 ports.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] system-guard permit Ethernet 1/0/1 to Ethernet 1/0/10

Table of Contents

1 AAA Configuration Commands  1-1
  AAA Configuration Commands  1-1
    access-limit  1-1
    accounting  1-1
    accounting optional  1-2
    attribute  1-3
    authentication  1-4
    authentication super  1-5
    authorization  1-6
    authorization vlan  1-7
    cut connection  1-8
    display connection  1-9
    display domain  1-10
    display local-user  1-11
    domain  1-13
    domain delimiter  1-14
    idle-cut  1-15
    level  1-16
    local-user  1-16
    local-user password-display-mode  1-17
    messenger  1-18
    name  1-19
    password  1-19
    radius-scheme  1-20
    scheme  1-21
    self-service-url  1-22
    service-type  1-23
    state  1-24
    vlan-assignment-mode  1-25
  RADIUS Configuration Commands  1-26
    accounting optional  1-26
    accounting-on enable  1-27
    attribute-ignore  1-29
    calling-station-id mode  1-30
    data-flow-format  1-30
    display local-server statistics  1-31
    display radius scheme  1-32
    display radius statistics  1-34
    display stop-accounting-buffer  1-35
    key  1-36
    local-server  1-37
    local-server nas-ip  1-38
    nas-ip  1-39
    primary accounting  1-39
    primary authentication  1-40
    radius client  1-41
    radius nas-ip  1-42
    radius scheme  1-43
    radius trap  1-43
    reset radius statistics  1-44
    reset stop-accounting-buffer  1-45
    retry  1-45
    retry realtime-accounting  1-46
    retry stop-accounting  1-47
    secondary accounting  1-48
    secondary authentication  1-49
    server-type  1-50
    state  1-50
    stop-accounting-buffer enable  1-51
    timer  1-52
    timer quiet  1-53
    timer realtime-accounting  1-53
    timer response-timeout  1-54
    user-name-format  1-55
  HWTACACS Configuration Commands  1-56
    data-flow-format  1-56
    display hwtacacs  1-57
    display stop-accounting-buffer  1-58
    hwtacacs nas-ip  1-58
    hwtacacs scheme  1-59
    key  1-60
    nas-ip  1-60
    primary accounting  1-61
    primary authentication  1-62
    primary authorization  1-63
    reset hwtacacs statistics  1-63
    reset stop-accounting-buffer  1-64
    retry stop-accounting  1-64
    secondary accounting  1-65
    secondary authentication  1-66
    secondary authorization  1-67
    timer quiet  1-67
    timer realtime-accounting  1-68
    timer response-timeout  1-69
    user-name-format  1-70

1 AAA Configuration Commands

AAA Configuration Commands

access-limit

Syntax

access-limit { disable | enable max-user-number }
undo access-limit

View

ISP domain view

Parameters

disable: Specifies not to limit the number of access users that can be contained in the current ISP domain.

enable max-user-number: Specifies the maximum number of access users that can be contained in the current ISP domain. The max-user-number argument ranges from 1 to 2,072.

Description

Use the access-limit command to set the maximum number of access users that can be contained in the current ISP domain.

Use the undo access-limit command to restore the default setting.

By default, there is no limit on the number of access users in an ISP domain.

Because resource contention may occur among access users, there is a need to limit the number of access users in an ISP domain so as to provide reliable performance to the current users in the ISP domain.

Examples

# Allow ISP domain aabbcc.net to contain at most 500 access users.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] access-limit enable 500

accounting

Syntax
accounting { none | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name }
undo accounting

View
ISP domain view

Parameters
none: Specifies not to perform user accounting.
radius-scheme radius-scheme-name: Specifies to use a RADIUS accounting scheme. Here, radius-scheme-name is the name of a RADIUS scheme; it is a string of up to 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS accounting scheme. Here, hwtacacs-scheme-name is the name of an HWTACACS scheme; it is a string of up to 32 characters.

Description
Use the accounting command to configure an accounting scheme for the current ISP domain.
Use the undo accounting command to cancel the accounting scheme configuration for the current ISP domain.
By default, no separate accounting scheme is configured for an ISP domain.
When you use the accounting command to reference a RADIUS or HWTACACS scheme in the current ISP domain, the RADIUS or HWTACACS scheme must already exist.
The accounting command takes precedence over the scheme command. If the accounting command is used in ISP domain view, the system uses the scheme referenced in the accounting command to charge the users in the domain. Otherwise, the system uses the scheme referenced in the scheme command to charge the users.
Related commands: scheme, radius scheme, hwtacacs scheme, accounting optional.

Examples
# Specify "radius" as the RADIUS accounting scheme that will be referenced by ISP domain "aabbcc.net".
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] accounting radius-scheme radius

accounting optional

Syntax
accounting optional
undo accounting optional

View
ISP domain view

Parameters
None

Description
Use the accounting optional command to open the accounting-optional switch.
Use the undo accounting optional command to close the accounting-optional switch so that the system performs accounting for users unconditionally.
By default, the system performs accounting for users unconditionally.
Note that:
- If the system does not find any available accounting server or fails to communicate with any accounting server when it performs accounting for an online user, it will not disconnect the user as long as the accounting optional command has been executed.
- The accounting optional command is commonly used in cases where only authentication is needed and accounting is not needed.
- If you configure the accounting optional command in ISP domain view, it is effective for all users in the domain; if you configure it in RADIUS scheme view, it is effective for the users the RADIUS scheme is used for.

Examples
# Open the accounting-optional switch for the ISP domain named aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] accounting optional

attribute

Syntax
attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port port-number | port port-number } }*
undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*

View
Local user view

Parameters
ip ip-address: Sets the IP address of the user.
mac mac-address: Sets the MAC address of the user. Here, mac-address is in H-H-H format.
idle-cut second: Enables the idle-cut function for the local user and sets the allowed idle time. Here, second is the allowed idle time, which ranges from 60 to 7,200 seconds.
access-limit max-user-number: Sets the maximum number of users who can access the switch with the current username. Here, max-user-number ranges from 1 to 1,024.
vlan vlan-id: Sets the VLAN attribute of the user (that is, specifies to which VLAN the user belongs).
Here, vlan-id is an integer ranging from 1 to 4094.
location: Sets the port binding attribute of the user.
nas-ip ip-address: Sets the IP address of an access server, so that the user can be bound to a port on the server. Here, ip-address is in dotted decimal notation and is 127.0.0.1 by default (representing this device). When binding the user to a remote port, you must use nas-ip ip-address to specify a remote access server IP address. When binding the user to a local port, you need not use nas-ip ip-address.
port port-number: Sets the port to which you want to bind the user. Here, port-number is in the format of device ID/slot number/port number; the device ID ranges from 1 to 8, the slot number ranges from 0 to 15 (if the bound port has no slot number, just input 0 for this item) and the port number ranges from 1 to 255.

Description
Use the attribute command to set the attributes of a user whose service type is lan-access.
Use the undo attribute command to cancel the attribute settings of the user.
You may use the display local-user command to view the settings of the attributes.

Examples
# Create local user user1 and set the IP address attribute of user1 to 10.110.50.1, allowing only the user using the IP address 10.110.50.1 to use the account user1 for authentication.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
New local user added.
[Sysname-luser-user1] password simple pass1
[Sysname-luser-user1] service-type lan-access
[Sysname-luser-user1] attribute ip 10.110.50.1

authentication

Syntax
authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authentication

View
ISP domain view

Parameters
radius-scheme radius-scheme-name: Specifies to use a RADIUS authentication scheme. Here, radius-scheme-name is a string of up to 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS authentication scheme.
Here, hwtacacs-scheme-name is a string of up to 32 characters.
local: Specifies to use the local authentication scheme.
none: Specifies not to perform authentication.

Description
Use the authentication command to configure an authentication scheme for the current ISP domain.
Use the undo authentication command to restore the default authentication scheme setting of the current ISP domain.
By default, no separate authentication scheme is configured for an ISP domain.
Note that:
- Before you can use the authentication command to reference a RADIUS scheme in the current ISP domain, the RADIUS scheme must already exist.
- If you execute the authentication radius-scheme radius-scheme-name local command, the local scheme is used as the secondary authentication scheme in case no RADIUS server is available. That is, if the communication between the switch and a RADIUS server is normal, no local authentication will be performed; otherwise, local authentication will be performed.
- If you execute the authentication hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary authentication scheme in case no TACACS server is available. That is, if the communication between the switch and a TACACS server is normal, no local authentication will be performed; otherwise, local authentication will be performed.
- If you execute the authentication local command, the local scheme is used as the primary scheme. In this case, there is no secondary authentication scheme.
- If you execute the authentication none command, no authentication will be performed.
- The authentication command takes precedence over the scheme command. If the authentication command is configured in ISP domain view, the system uses the authentication scheme referenced in the command to authenticate the users in the domain; otherwise it uses the scheme referenced in the scheme command to authenticate the users.
Related commands: scheme, radius scheme, hwtacacs scheme.
Examples
# Reference the RADIUS scheme "radius1" as the authentication scheme of the ISP domain aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] authentication radius-scheme radius1
# Reference the RADIUS scheme "rd" as the authentication scheme and the local scheme as the secondary authentication scheme of the ISP domain aabbcc.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc
New Domain added.
[Sysname-isp-aabbcc] authentication radius-scheme rd local

authentication super

Syntax
authentication super hwtacacs-scheme hwtacacs-scheme-name
undo authentication super

View
ISP domain view

Parameters
hwtacacs-scheme-name: Name of the HWTACACS authentication scheme, a string of 1 to 32 characters.

Description
Use the authentication super command to specify an HWTACACS authentication scheme for user level switching in the current ISP domain.
Use the undo authentication super command to remove the specified HWTACACS authentication scheme.
By default, no HWTACACS authentication scheme is configured for user level switching.
When you execute the authentication super command to specify an HWTACACS authentication scheme for user level switching, the HWTACACS scheme must exist.
The Switch 4210 adopts hierarchical protection for command lines so as to inhibit users at lower levels from using higher level commands to configure the switches. For details about configuring an HWTACACS authentication scheme for low-to-high user level switching, refer to Switching User Level in the Command Line Interface Operation.
Related commands: hwtacacs scheme.

Examples
# Set the HWTACACS scheme to ht for user level switching in the current ISP domain aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] authentication super hwtacacs-scheme ht

authorization

Syntax
authorization { none | hwtacacs-scheme hwtacacs-scheme-name }
undo authorization

View
ISP domain view

Parameters
none: Specifies not to use any authorization scheme.
hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS scheme. Here, hwtacacs-scheme-name is the name of an HWTACACS scheme; it is a string of up to 32 characters.

Description
Use the authorization command to configure an authorization scheme for the current ISP domain.
Use the undo authorization command to restore the default authorization scheme setting of the ISP domain.
By default, no separate authorization scheme is configured for an ISP domain.
Related commands: scheme, radius scheme, hwtacacs scheme.

Examples
# Allow users in ISP domain aabbcc.net to access network services without being authorized.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] authorization none

authorization vlan

Syntax
authorization vlan string
undo authorization vlan

View
Local user view

Parameters
string: Number or descriptor of the authorized VLAN for the current user, a string of 1 to 32 characters. If it is a numeral string and there is a VLAN with the number configured, it specifies that VLAN. If it is a numeral string but no VLAN is present with the number, it specifies the VLAN using the string as the VLAN descriptor.

Description
Use the authorization vlan command to specify an authorized VLAN for a local user. A user passing the authentication of the local RADIUS server can access network resources in the authorized VLAN.
Use the undo authorization vlan command to remove the configuration.
By default, no authorized VLAN is specified for a local user.
For local RADIUS authentication to take effect, the VLAN assignment mode must be set to string after you specify authorized VLANs for local users.
Examples
# Specify the authorized VLAN for local user 00-14-22-2C-AA-69 as VLAN 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user 00-14-22-2C-AA-69
[Sysname-luser-00-14-22-2C-AA-69] authorization vlan 2

cut connection

Syntax
cut connection { all | access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name }

View
System view

Parameters
all: Cuts down all user connections.
access-type { dot1x | mac-authentication }: Cuts down user connections of a specified access type. dot1x is used to cut down all 802.1x user connections, and mac-authentication is used to cut down all MAC authentication user connections.
domain isp-name: Cuts down all user connections in a specified ISP domain. Here, isp-name is the name of an ISP domain, a string of up to 128 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Cuts down all user connections under a specified port. Here, interface-type is a port type and interface-number is a port number.
ip ip-address: Cuts down all user connections with a specified IP address.
mac mac-address: Cuts down the user connection with a specified MAC address. Here, mac-address is in H-H-H format.
radius-scheme radius-scheme-name: Cuts down all user connections using a specified RADIUS scheme. Here, radius-scheme-name is a string of up to 32 characters.
vlan vlan-id: Cuts down all user connections of a specified VLAN. Here, vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Cuts down the user connection with a specified connection index. Here, ucib-index ranges from 0 to 1047.
user-name user-name: Cuts down the connection of a specified user. Here, user-name is a string of up to 184 characters.
Description
Use the cut connection command to forcibly cut down one user connection, one type of user connections, or all user connections.
This command cannot cut down the connections of Telnet and FTP users.
Related commands: display connection.

Examples
# Cut down all user connections under the ISP domain aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] cut connection domain aabbcc.net

display connection

Syntax
display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name ]

View
Any view

Parameters
access-type { dot1x | mac-authentication }: Displays user connections of a specified access type. Here, dot1x is used to display all 802.1x user connections, and mac-authentication is used to display all MAC authentication user connections.
domain isp-name: Displays all user connections under a specified ISP domain. Here, isp-name is the name of an ISP domain, a string of up to 128 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Displays all user connections on a specified port.
ip ip-address: Displays all user connections with a specified IP address.
mac mac-address: Displays the user connection with a specified MAC address. Here, mac-address is in hexadecimal format (in the form of H-H-H).
radius-scheme radius-scheme-name: Displays all user connections using a specified RADIUS scheme. Here, radius-scheme-name is a string of up to 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Displays all user connections using a specified HWTACACS scheme. Here, hwtacacs-scheme-name is a string of up to 32 characters.
vlan vlan-id: Displays all user connections of a specified VLAN. Here, vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Displays the user connection with a specified connection index. Here, ucib-index ranges from 0 to 1047.
user-name user-name: Displays the connection of a specified user. Here, user-name is a character string in the format of pure-username@domain-name. The pure-username cannot be longer than 55 characters, the domain-name cannot be longer than 24 characters, and the entire user-name cannot be longer than 184 characters.

Description
Use the display connection command to display information about specified or all user connections. If you execute this command without specifying any parameter, all user connections will be displayed.
This command cannot display information about the connections of FTP users.
Related commands: cut connection.

Examples
# Display information about all user connections.
<Sysname> display connection
------------------unit 1-----------------------
Index=40 , [email protected]
MAC=000f-3d80-4ce5 , IP=0.0.0.0
On Unit 1: Total 1 connections matched, 1 listed.
# Display information about the user connection with index 0.
[Sysname] display connection ucibindex 0
Index=0 , [email protected]
MAC=000f-3d80-4ce5 Access=8021X , IP=192.168.0.3
,Auth=CHAP ,Port=Ether ,Port NO=0x10003001
Initial VLAN=1, Authorization VLAN=1
ACL Group=Disable
CAR=Disable
Priority=Disable
Start=2000-04-03 02:51:53 ,Current=2000-04-03 02:52:22 ,Online=00h00m29s
On Unit 1:Total 1 connections matched, 1 listed.
Total 1 connections matched, 1 listed.
Here, Port NO=0x10003001 is interpreted bit by bit as follows:

Table 1-1 Description of the Port NO field
Bits 31 to 28: UNIT ID
Bits 27 to 24: Slot number
Bits 23 to 20: Sub-slot number
Bits 19 to 12: Port number
Bits 11 to 0: VLAN ID

display domain

Syntax
display domain [ isp-name ]

View
Any view

Parameters
isp-name: Name of an ISP domain, a string of up to 128 characters. This must be the name of an existing ISP domain.
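As an added worked example (not from the 3Com manual), the following Python decodes the Port NO field printed by display connection into the bit fields of Table 1-1, encodes one back, and checks that the low 12 bits of each record agree with the Initial VLAN shown for the same connection. The sample output it parses is constructed after the manual's example; the field names are this example's own.

```python
"""Added example (not from the 3Com manual): decode the Port NO field of
'display connection' output according to Table 1-1."""
import re
from typing import Dict, List, Optional

# Bit layout of the 32-bit Port NO field from Table 1-1: (field, high bit, low bit).
PORT_NO_LAYOUT = (
    ("unit_id", 31, 28),
    ("slot", 27, 24),
    ("sub_slot", 23, 20),
    ("port", 19, 12),
    ("vlan_id", 11, 0),
)


def decode_port_no(port_no: int) -> Dict[str, int]:
    """Split a Port NO value into its fields, e.g. 0x10003001 -> unit 1, slot 0,
    sub-slot 0, port 3, VLAN 1."""
    if not 0 <= port_no <= 0xFFFFFFFF:
        raise ValueError("Port NO is a 32-bit value")
    fields: Dict[str, int] = {}
    for name, hi, lo in PORT_NO_LAYOUT:
        width = hi - lo + 1
        fields[name] = (port_no >> lo) & ((1 << width) - 1)
    return fields


def encode_port_no(unit_id: int, slot: int, sub_slot: int, port: int, vlan_id: int) -> int:
    """Inverse of decode_port_no; rejects values that do not fit their field."""
    values = {"unit_id": unit_id, "slot": slot, "sub_slot": sub_slot,
              "port": port, "vlan_id": vlan_id}
    result = 0
    for name, hi, lo in PORT_NO_LAYOUT:
        width = hi - lo + 1
        if not 0 <= values[name] < (1 << width):
            raise ValueError(f"{name}={values[name]} does not fit in {width} bits")
        result |= values[name] << lo
    return result


def parse_display_connection(output: str) -> List[Dict[str, object]]:
    """Return one record per connection that carries a Port NO field, with the
    decoded fields and a check that the VLAN bits agree with 'Initial VLAN='."""
    records: List[Dict[str, object]] = []
    # Each connection record starts with 'Index=<n>'; split the output on that boundary.
    for chunk in re.split(r"(?=Index=\d+)", output):
        m_index = re.match(r"Index=(\d+)", chunk)
        m_port = re.search(r"Port NO=0x([0-9A-Fa-f]{1,8})", chunk)
        if not (m_index and m_port):
            continue  # header/summary lines, or a brief record without Port NO
        m_vlan = re.search(r"Initial VLAN=(\d+)", chunk)
        fields = decode_port_no(int(m_port.group(1), 16))
        initial_vlan: Optional[int] = int(m_vlan.group(1)) if m_vlan else None
        records.append({
            "index": int(m_index.group(1)),
            "port_no": fields,
            # The low 12 bits should match the Initial VLAN printed for the connection.
            "vlan_consistent": initial_vlan is None or initial_vlan == fields["vlan_id"],
        })
    return records


# Constructed sample, patterned on the manual's 'display connection ucibindex 0' output.
SAMPLE_OUTPUT = """\
Index=0 , Username=user1@aabbcc.net
MAC=000f-3d80-4ce5 Access=8021X , IP=192.168.0.3
,Auth=CHAP ,Port=Ether ,Port NO=0x10003001
Initial VLAN=1, Authorization VLAN=1
ACL Group=Disable
On Unit 1:Total 1 connections matched, 1 listed.
"""

if __name__ == "__main__":
    for rec in parse_display_connection(SAMPLE_OUTPUT):
        print(rec)
```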
Description
Use the display domain command to display configuration information about one specific or all ISP domains.
Related commands: access-limit, domain, scheme, state.

Examples
# Display configuration information about all ISP domains.
<Sysname> display domain
0 Domain = system
State = Active
Scheme = LOCAL
Access-limit = 512
Vlan-assignment-mode = Integer
Domain User Template:
Idle-cut = = Enable Time = 60(min) Flow = 200(byte)
Self-service URL = http://aabbcc.net
Messenger Time Maxlimit = 30(min) span = 10(min)
Default Domain Name: system
Total 1 domain(s).1 listed.

Table 1-2 Description on the fields of the display domain command
Domain: Domain name
State: Status of the domain, which can be active or block.
Scheme: AAA scheme that the domain uses
Access-Limit: Maximum number of local user connections in the domain
Vlan-assignment-mode: VLAN assignment mode, which can be Integer or String.
Domain User Template: Domain user template settings, that is, attribute settings for all users in the domain.
Idle-Cut: Status of the idle-cut function
Self-service URL: Self-service URL for password changing
Messenger Time: Settings of the messenger time service, which is for reminding online users of their remaining online time. The setting in this example indicates that the system starts to remind an online user (at an interval of 10 minutes) when the remaining online time is 30 minutes.
Default Domain Name: Default ISP domain of the system

display local-user

Syntax
display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name ]

View
Any view

Parameters
domain isp-name: Displays all local users belonging to a specified ISP domain. Here, isp-name is the name of an ISP domain, a string of up to 128 characters. You can only specify an existing ISP domain.
idle-cut { disable | enable }: Displays the local users who are inhibited from enabling the idle-cut function, or the local users who are allowed to enable the idle-cut function. Here, disable specifies the inhibited local users and enable specifies the allowed local users.
vlan vlan-id: Displays the local users belonging to a specified VLAN. Here, vlan-id ranges from 1 to 4094.
service-type: Displays the local users of a specified type. You can specify one of the following user types: ftp, lan-access (generally, users of this type are Ethernet access users, for example, 802.1x users), ssh, telnet, and terminal (a terminal user who logs into the switch through the Console port).
state { active | block }: Displays the local users in a specified state. Here, active represents the users allowed to request network services, and block represents the users inhibited from requesting network services.
user-name user-name: Displays the local user with a specified username. Here, user-name is a string of up to 184 characters.

Description
Use the display local-user command to display information about specified or all local users.
Related commands: local-user.

Examples
# Display information about all local users.
<Sysname> display local-user
0 The contents of local user test:
State: Active
ServiceType Mask: L
Idle-cut: Enable
Idle TimeOut: 3600 seconds
Access-limit: Enable
Current AccessNum: 1
Max AccessNum: 1024
Bind location: 127.0.0.1/1/0/2 (NAS/UNITID/SUBSLOT/PORT)
Vlan ID: 1
Authorization VLAN: 2
IP address: 192.168.0.108
MAC address: 000d-88f6-44c1
Total 1 local user(s) Matched, 1 listed.
ServiceType Mask Meaning: C--Terminal F--FTP L--LanAccess S--SSH T--Telnet

Table 1-3 describes the fields in the above display output.

Table 1-3 Description on the fields of the display local-user command
State: Status of the local user
ServiceType Mask: Service type mask: T means Telnet service. S means SSH service. C means client service. LM means lan-access service. F means FTP service. None means no defined service.
Idle-cut: Status of the idle-cut function
Access-limit: Limit on the number of access users
Current AccessNum: Number of current access users
Bind location: Whether or not bound to a port
Vlan ID: VLAN of the user
Authorization VLAN: Authorized VLAN of the user
IP address: IP address of the user
MAC address: MAC address of the user

domain

Syntax
domain { isp-name | default { disable | enable isp-name } }
undo domain isp-name

View
System view

Parameters
isp-name: Name of an ISP domain, a string of up to 128 characters. This string cannot contain the following characters: /\:*?<>|. If the domain name includes one or more "~" characters and the last "~" is followed by numerals, it must be followed by at least five numerals to avoid confusion. This is because any domain name longer than 16 characters will appear in the form of "system prompt-the first 15 characters of the domain name~4-digit index" in the view prompt to avoid word wrap.
default: Manually changes the default ISP domain, which is "system" by default. There is one and only one default ISP domain.
disable: Disables the configured default ISP domain.
enable: Enables the configured default ISP domain.

Description
Use the domain command to create an ISP domain and enter its view, or enter the view of an existing ISP domain, or configure the default ISP domain.
Use the undo domain command to delete a specified ISP domain.
The ISP domain "system" is used as the default ISP domain before you manually configure the default ISP domain, and you can use the display domain command to check the settings of the default ISP domain "system".
After you execute the domain command, the system creates a new ISP domain if the specified ISP domain does not exist. Once an ISP domain is created, it is in the active state.
You can manually specify an ISP domain as the default domain only when the specified domain already exists.
Related commands: access-limit, scheme, state, display domain.

Examples
# Create a new ISP domain named aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net]
# Create a new ISP domain named 01234567891234567 (note that it will appear as 012345678912345~0001 in the view prompt).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain 01234567891234567
New Domain added.
[Sysname-isp-012345678912345~0001]

domain delimiter

Syntax
domain delimiter { at | dot }
undo domain delimiter

View
System view

Parameters
at: Specifies "@" as the delimiter between the username and the ISP domain name.
dot: Specifies "." as the delimiter between the username and the ISP domain name.

Description
Use the domain delimiter command to specify the delimiter between the username and the ISP domain name.
Use the undo domain delimiter command to restore the default delimiter.
By default, the "@" character is used as the delimiter between the username and the ISP domain name.
- If you have configured "." as the delimiter, for a username that contains multiple "." characters, the first "." is used as the domain delimiter.
- If you have configured "@" as the delimiter, "@" must not appear more than once in the username. If "." is the delimiter, the username must not contain any "@".
Related commands: domain.

Examples
# Specify "." as the delimiter between the username and the ISP domain name.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] domain delimiter dot

idle-cut

Syntax
idle-cut { disable | enable minute flow }

View
ISP domain view

Parameters
disable: Disables the idle-cut function for the domain.
enable: Enables the idle-cut function for the domain.
minute: Maximum idle time in minutes, ranging from 1 to 120.
flow: Minimum traffic in bytes, ranging from 1 to 10,240,000.
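As an added example (not part of the 3Com manual), the following Python applies the domain delimiter rules above when splitting a username into pure username and ISP domain, enforces the length limits given under the display connection user-name parameter (55, 24 and 184 characters), validates an ISP domain name against the forbidden characters and "~" rule of the domain command, and computes the truncated view-prompt name for names longer than 16 characters. The function names are this example's own; reading "followed by numerals" as the run of digits directly after the last "~", and rejecting an empty username or domain, are assumptions.

```python
"""Added example (not from the 3Com manual): username and ISP domain name rules
from the domain, domain delimiter and display connection sections."""
import re
from dataclasses import dataclass
from typing import Optional

# Length limits as given under the display connection user-name parameter.
MAX_PURE_USERNAME = 55
MAX_DOMAIN_NAME = 24
MAX_USER_NAME = 184
# Characters an ISP domain name must not contain (domain command).
DOMAIN_FORBIDDEN = set("/\\:*?<>|")


@dataclass
class ParsedUser:
    pure_username: str
    domain: Optional[str]  # None: no delimiter present, so the default ISP domain applies


def split_username(user_name: str, delimiter: str = "at") -> ParsedUser:
    """Split user-name into pure username and ISP domain as configured by
    'domain delimiter { at | dot }' ('at' is the switch default)."""
    if delimiter not in ("at", "dot"):
        raise ValueError("delimiter must be 'at' or 'dot'")
    if len(user_name) > MAX_USER_NAME:
        raise ValueError(f"user-name longer than {MAX_USER_NAME} characters")
    if delimiter == "at":
        # With "@" as the delimiter it must not appear more than once.
        if user_name.count("@") > 1:
            raise ValueError("'@' must not appear more than once in the username")
        pure, sep, domain = user_name.partition("@")
    else:
        # With "." as the delimiter the username must not contain "@" at all,
        # and the first "." is taken as the delimiter.
        if "@" in user_name:
            raise ValueError("username must not contain '@' when '.' is the delimiter")
        pure, sep, domain = user_name.partition(".")
    if not pure:
        raise ValueError("empty pure username")  # assumption: not stated in the manual
    if len(pure) > MAX_PURE_USERNAME:
        raise ValueError(f"pure username longer than {MAX_PURE_USERNAME} characters")
    if sep and (not domain or len(domain) > MAX_DOMAIN_NAME):
        raise ValueError(f"domain name empty or longer than {MAX_DOMAIN_NAME} characters")
    return ParsedUser(pure, domain if sep else None)


def tilde_rule_ok(name: str) -> bool:
    """If the last '~' in a name is followed by numerals there must be at least
    five of them, so the name cannot be confused with a truncated prompt name
    such as 012345678912345~0001. 'Followed by numerals' is read here as the
    run of digits directly after the last '~' (assumption)."""
    if "~" not in name:
        return True
    tail = name.rsplit("~", 1)[1]
    digits = re.match(r"[0-9]*", tail).group(0)
    return len(digits) == 0 or len(digits) >= 5


def validate_domain_name(isp_name: str) -> None:
    """Raise ValueError if isp-name violates the rules of the domain command."""
    if not 1 <= len(isp_name) <= 128:
        raise ValueError("ISP domain name must be 1 to 128 characters")
    bad = DOMAIN_FORBIDDEN.intersection(isp_name)
    if bad:
        raise ValueError(f"ISP domain name contains forbidden characters: {''.join(sorted(bad))}")
    if not tilde_rule_ok(isp_name):
        raise ValueError("a '~' followed by numerals needs at least five numerals")


def prompt_name(name: str, index: int) -> str:
    """Name as shown in the view prompt: a name longer than 16 characters is
    displayed as its first 15 characters, '~' and a 4-digit index."""
    if len(name) <= 16:
        return name
    return f"{name[:15]}~{index:04d}"


def rejected(func, *args) -> bool:
    """True when func(*args) raises ValueError (used to probe the rules)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(split_username("user1@aabbcc.net"))
    print(split_username("user1.aabbcc.net", "dot"))
    print(prompt_name("01234567891234567", 1))  # 012345678912345~0001
```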
Description
Use the idle-cut command to set the user idle-cut function in the current ISP domain. If a user's traffic in the specified period of time is less than the specified amount, the system will disconnect the user.
By default, this function is disabled.
Note that if the authentication server assigns the idle-cut settings, the assigned ones take precedence over the settings configured here.
Related commands: domain.

Examples
# Enable the idle-cut function for ISP domain aabbcc.net, setting the maximum idle time to 50 minutes and the minimum traffic to 500 bytes. After this configuration, if a user in the domain has no traffic or has less than 500 bytes of traffic within 50 minutes, the system will tear down the user's connection.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] idle-cut enable 50 500

level

Syntax
level level
undo level

View
Local user view

Parameters
level: Privilege level to be set for the user. It is an integer ranging from 0 to 3.

Description
Use the level command to set the privilege level of the user. The privilege level of the user corresponds to the command level of the user. For detailed information, refer to the description of the command-privilege level command in the command line interface part.
Use the undo level command to restore the default privilege level of the user.
The default privilege level is 0.
Note that:
- If the configured authentication method is none or password authentication, the command level that a user can access after login is determined by the level of the user interface.
- If the configured authentication method requires a username and a password, the command level that a user can access after login is determined by the privilege level of the user. For SSH users using RSA shared key for authentication, the commands they can access are determined by the levels set on their user interfaces.
Related commands: local-user.
Examples
# Set the level of user1 to 3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
New local user added.
[Sysname-luser-user1] level 3

local-user

Syntax
local-user user-name
undo local-user { user-name | all [ service-type { ftp | lan-access | ssh | telnet | terminal } ] }

View
System view

Parameters
user-name: Local username, a string of up to 184 characters, case-sensitive. This string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure username (user ID, that is, the part before @) cannot be longer than 55 characters, and the domain name (the part after @) cannot be longer than 128 characters. If the username includes one or more "~" characters and the last "~" is followed by numerals, it must be followed by at least five numerals to avoid confusion. This is because any username longer than 16 characters will appear in the form of "system prompt-the first 15 characters of the username~4-digit index" in the view prompt to avoid word wrap.
all: Specifies all local users.
service-type: Specifies the local users of a specified type. You can specify one of the following user types: ftp, lan-access (generally, users of this type are Ethernet access users, for example, 802.1x users), ssh, telnet, and terminal (a terminal user who logs into the switch through the Console port).

Description
Use the local-user command to add a local user and enter local user view.
Use the undo local-user command to delete one or more local users of the specified type.
By default, there is no local user in the system.
Related commands: display local-user, service-type.

Examples
# Add a local user named user1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
New local user added.
[Sysname-luser-user1]
# Add a local user named 01234567891234567 (note that it will appear as 012345678912345~0000 in the view prompt).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user 01234567891234567
New local user added.
[Sysname-luser-012345678912345~0000]

local-user password-display-mode

Syntax

local-user password-display-mode { cipher-force | auto }
undo local-user password-display-mode

View

System view

Parameters

cipher-force: Adopts the forcible cipher mode, so that the passwords of all local users are displayed in cipher text.

auto: Adopts the automatic mode, so that each local user's password is displayed in the mode you have set for the user with the password command.

Description

Use the local-user password-display-mode command to set the password display mode of all local users.

Use the undo local-user password-display-mode command to restore the default password display mode of all local users.

By default, the password display mode of all access users is auto.

If the cipher-force mode is adopted, all passwords are displayed in cipher text even if you have specified to display some users' passwords in plain text by using the password command with the simple keyword.

Related commands: display local-user, password.

Examples

# Specify to display all local user passwords in cipher text in all cases.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user password-display-mode cipher-force

messenger

Syntax

messenger time { enable limit interval | disable }
undo messenger time

View

ISP domain view

Parameters

limit: Time limit in minutes, ranging from 1 to 60. The switch sends prompt messages at regular intervals to users whose remaining online time is less than this limit.

interval: Interval at which prompt messages are sent, in minutes. This argument ranges from 5 to 60 and must be a multiple of 5.

Description

Use the messenger time enable command to enable the messenger function and set the related parameters.

Use the messenger time disable command to disable the messenger function.
Use the undo messenger time command to restore the messenger function to its default state.

By default, the messenger function is disabled on the switch.

The purpose of this function is to remind online users of their remaining online time through a message dialog box on their clients.

Examples

# Enable the switch to send prompt messages at intervals of 5 minutes to the users in the ISP domain "system" once their remaining online time is less than 30 minutes.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] messenger time enable 30 5

name

Syntax

name string
undo name

View

VLAN view

Parameters

string: Assigned VLAN name, a string of up to 32 characters.

Description

Use the name command to set a VLAN name, which is used for VLAN assignment.

Use the undo name command to cancel the VLAN name.

By default, a VLAN uses its VLAN ID (like VLAN 0001) as its assigned VLAN name.

This command is used in conjunction with the dynamic VLAN assignment function. For details about dynamic VLAN assignment, refer to the vlan-assignment-mode command.

Related commands: vlan-assignment-mode.

Examples

# Set the name of VLAN 100 to test.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 100
[Sysname-vlan100] name test

password

Syntax

password { simple | cipher } password
undo password

View

Local user view

Parameters

simple: Specifies the password in plain text.

cipher: Specifies the password in cipher text.

password: Password to be set:
• For simple mode, the password you input must be a plain-text password.
• For cipher mode, the password can be either a cipher-text password or a plain-text password, depending on your input. A password in plain text can be a string of up to 63 consecutive characters, for example, aabbcc. A password in cipher text can be a string of 24 or 88 characters, for example, (TT8F]Y\5SQ=^Q`MAF4<1!!.
Description

Use the password command to set a password for the local user.

Use the undo password command to cancel the password of the local user.

Note that:

• With the local-user password-display-mode cipher-force command configured, the password is always displayed in cipher text, regardless of the configuration of the password command.
• With the cipher keyword specified, a password of up to 16 characters in plain text is encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text is encrypted into a password of 88 characters in cipher text. For a password of 24 characters, if the system can decrypt the password, the system treats it as a password in cipher text. Otherwise, the system treats it as a password in plain text.

Related commands: display local-user.

Examples

# Set the password of user1 to 20030422 and specify to display the password in plain text.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
New local user added.
[Sysname-luser-user1] password simple 20030422

radius-scheme

Syntax

radius-scheme radius-scheme-name

View

ISP domain view

Parameters

radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.

Description

Use the radius-scheme command to configure a RADIUS scheme for the current ISP domain.

After an ISP domain is initially created, it uses the local AAA scheme instead of any RADIUS scheme by default.

The RADIUS scheme you specify in the radius-scheme command must already exist.

This command is equivalent to the scheme radius-scheme command.

Related commands: radius scheme, scheme, display radius scheme.

Examples

# Configure the ISP domain "aabbcc.net" to use the RADIUS scheme "extended".

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] radius-scheme extended

scheme

Syntax

scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
undo scheme [ none | radius-scheme | hwtacacs-scheme ]

View

ISP domain view

Parameters

radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.

hwtacacs-scheme-name: Name of an HWTACACS scheme, a string of up to 32 characters.

local: Specifies to use local authentication.

none: Specifies not to perform authentication.

Description

Use the scheme command to configure an AAA scheme for the current ISP domain.

Use the undo scheme command to restore the default AAA scheme configuration for the ISP domain.

By default, the ISP domain uses the local AAA scheme.

Note that:

• When you execute the scheme command to reference a RADIUS scheme in the current ISP domain, the referenced RADIUS scheme must already exist.
• If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the secondary scheme in case no RADIUS server is available. That is, if the communication between the switch and a RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed.
• If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary scheme in case no TACACS server is available. That is, if the communication between the switch and a TACACS server is normal, no local authentication is performed; if the TACACS server is not reachable or there is a key error or NAS IP error, local authentication is performed.
• If you execute the scheme local or scheme none command to use local or none as the primary scheme, local authentication is performed or no authentication is performed, respectively. In this case, no secondary scheme can be specified and therefore no scheme switching occurs.
• Both the radius-scheme command and the scheme command can be used to specify the RADIUS scheme referenced by the ISP domain. Their functions are the same, and the system takes the latest configuration.

Related commands: radius scheme, display domain.

Examples

# Configure the ISP domain aabbcc.net to use RADIUS scheme radius1 as the primary AAA scheme and the local scheme as the secondary authentication scheme.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] scheme radius-scheme radius1 local

self-service-url

Syntax

self-service-url { disable | enable url-string }
undo self-service-url

View

ISP domain view

Parameters

url-string: URL of the web page used to modify the user password on the self-service server. It is a string of 1 to 64 characters. This string cannot contain any question mark "?". If the actual URL of the self-service server contains a question mark, replace it with a vertical bar "|".

Description

Use the self-service-url enable command to enable the self-service server location function.

Use the self-service-url disable command to disable the self-service server location function.

Use the undo self-service-url command to restore the default state of this function.

By default, this function is disabled.

Note that:

• This command must be used with the cooperation of a self-service-supported RADIUS server (such as CAMS). Through self-service, users can manage and control their accounts or card numbers by themselves. A server installed with the self-service software is called a self-service server.
• After this command is executed on the switch, a user can locate the self-service server through the following operation: choose [change user password] on the 802.1x client; the client opens the default browser (for example, IE or Netscape) and locates the URL page used to change the user password on the self-service server.
Then, the user can change the password.
• A user can choose the [change user password] option on the client only after passing authentication. If the user fails the authentication, this option is greyed out and unavailable.

Examples

# Under the default ISP domain "system", set the URL of the web page used to modify the user password on the self-service server to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName

service-type

Syntax

service-type { ftp | lan-access | { telnet | ssh | terminal }* [ level level ] }
undo service-type { ftp | lan-access | { telnet | ssh | terminal }* }

View

Local user view

Parameters

ftp: Specifies that this is an FTP user.

lan-access: Specifies that this is a LAN access user (generally an Ethernet access user, for example, an 802.1x user).

telnet: Authorizes the user to access the Telnet service.

ssh: Authorizes the user to access the SSH service.

terminal: Authorizes the user to access the terminal service (that is, allows the user to log into the switch through the Console port).

level level: Specifies the level of the Telnet, terminal or SSH user. Here, level is an integer ranging from 0 to 3 and defaulting to 0.

Description

Use the service-type command to authorize a user to access one or more types of services.

Use the undo service-type command to inhibit a user from accessing the specified types of services.

By default, a user is inhibited from accessing any type of service.

You may use the display local-user command to view the types of services that a user is authorized to access.

Examples

# Authorize user1 to access the Telnet service.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
New local user added.
[Sysname-luser-user1] service-type telnet

state

Syntax

state { active | block }

View

ISP domain view, local user view

Parameters

active: Activates the current ISP domain (in ISP domain view) or local user (in local user view), to allow users in the current ISP domain or the current local user to access the network.

block: Blocks the current ISP domain (in ISP domain view) or local user (in local user view), to inhibit users in the current ISP domain or the current local user from accessing the network.

Description

Use the state command to set the status of the current ISP domain (in ISP domain view) or the current local user (in local user view).

By default, an ISP domain or local user is in the active state once it is created.

After an ISP domain is set to the block state, users in this domain, except for users already online, are inhibited from accessing the network. After a local user is set to the block state, the user is inhibited from accessing the network unless the user is already online.

Related commands: domain, local-user.

You may use the display domain command or the display local-user command to view the status information.

Examples

# Set the ISP domain aabbcc.net to the block state, so that all its offline users cannot access the network.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] state block

# Set user1 to the block state.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1] state block

vlan-assignment-mode

Syntax

vlan-assignment-mode { integer | string | vlan-list }

View

ISP domain view

Parameters

integer: Sets the VLAN assignment mode to integer.

string: Sets the VLAN assignment mode to string.

vlan-list: Sets the VLAN assignment mode to VLAN list.

Description

Use the vlan-assignment-mode command to set the VLAN assignment mode (integer, string, or VLAN list) on the switch.
By default, the VLAN assignment mode is integer, that is, the switch accepts integer VLAN IDs assigned by its RADIUS authentication server.

The dynamic VLAN assignment feature enables a switch to dynamically add the ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access. In actual applications, to use this feature together with Guest VLAN, you are recommended to set port control to port-based mode.

Currently, the switch supports the following types of assigned VLAN IDs: integer, string, and VLAN list.

• Integer: If the RADIUS authentication server assigns integer type VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then, upon receiving an integer ID assigned by the RADIUS authentication server, the switch assigns the port to the VLAN whose VLAN ID is equal to the assigned integer ID. If no such VLAN exists, the switch first creates a VLAN with the assigned ID, and then assigns the port to the newly created VLAN.
• String: If the RADIUS authentication server assigns string type VLAN IDs, you can set the VLAN assignment mode to string on the switch. Then, upon receiving a string ID assigned by the RADIUS authentication server, the switch compares the ID with the existing VLAN names on the switch. If it finds a match, it assigns the port to the corresponding VLAN. Otherwise, the VLAN assignment fails and the user fails the authentication.
• VLAN list: The switch assigns the port to all the VLANs specified in the VLAN list issued by the RADIUS authentication server. If the VLAN corresponding to a VLAN ID in the list does not exist, the switch first creates the VLAN and then assigns the port to the VLAN.

The switch supports three dynamic VLAN assignment modes (integer, string, and VLAN list) to adapt to different authentication servers.
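The following Python model is an added example, not 3Com or H3C code: it walks the three assignment modes described above, including the rule for all-digit strings in string mode noted with Table 1-4. The valid VLAN ID range of 1 to 4094, the handling of an in-range all-digit string that names a VLAN which does not yet exist (treated like integer mode, so the VLAN is created), and the default name form "VLAN 0100" for a VLAN created on demand are assumptions taken from the name command and 802.1Q, not from this section.

```python
"""Model of the switch's dynamic VLAN assignment decision (added example).

Assumptions not stated on the page: valid VLAN IDs are 1..4094; an
in-range all-digit string in string mode behaves like integer mode when
the VLAN does not exist yet; a VLAN created on demand gets the default
name form shown under the name command (VLAN 0001).
"""
from dataclasses import dataclass, field

VALID_VLAN_IDS = range(1, 4095)   # assumption: 802.1Q range


@dataclass
class Result:
    success: bool
    assigned: list[int] = field(default_factory=list)   # VLANs the port joined
    created: list[int] = field(default_factory=list)    # VLANs created on the way


def default_name(vlan_id: int) -> str:
    """Default assigned name is the VLAN ID written as VLAN 0001 (name command)."""
    return f"VLAN {vlan_id:04d}"


def ensure_vlan(vlans: dict[int, str], vlan_id: int, result: Result) -> None:
    """Join vlan_id, creating it first when the switch does not have it."""
    if vlan_id not in vlans:
        vlans[vlan_id] = default_name(vlan_id)
        result.created.append(vlan_id)
    result.assigned.append(vlan_id)


def resolve_vlan_assignment(mode: str, assigned, vlans: dict[int, str]) -> Result:
    """Resolve the VLAN(s) the authenticated port joins.

    vlans maps VLAN ID -> assigned name and is updated when a VLAN is created.
    assigned is an int (integer mode), a str (string mode) or a list of ints
    (vlan-list mode), i.e. the value decoded from the server's attribute.
    """
    result = Result(success=True)
    if mode == "integer":
        # Integer mode: join the VLAN with that ID, creating it if absent.
        vlan_id = int(assigned)
        if vlan_id not in VALID_VLAN_IDS:      # assumption: out-of-range IDs fail
            return Result(success=False)
        ensure_vlan(vlans, vlan_id, result)
        return result
    if mode == "string":
        value = str(assigned)
        # All-digit strings are first tried as an integer VLAN ID (Table 1-4 note).
        if value.isdigit() and int(value) in VALID_VLAN_IDS:
            ensure_vlan(vlans, int(value), result)
            return result
        # Otherwise compare against existing VLAN names; no match fails authentication.
        for vlan_id, name in vlans.items():
            if name == value:
                result.assigned.append(vlan_id)
                return result
        return Result(success=False)
    if mode == "vlan-list":
        # VLAN list: join every listed VLAN, creating the missing ones first.
        ids = [int(v) for v in assigned]
        if any(v not in VALID_VLAN_IDS for v in ids):   # assumption, as above
            return Result(success=False)
        for vlan_id in ids:
            ensure_vlan(vlans, vlan_id, result)
        return result
    raise ValueError(f"unknown vlan-assignment-mode {mode!r}")


if __name__ == "__main__":
    # Constructed switch state: VLAN 1 with its default name, VLAN 100 named test
    # (the name command example above).
    switch_vlans = {1: default_name(1), 100: "test"}
    print(resolve_vlan_assignment("integer", 200, switch_vlans))
    print(resolve_vlan_assignment("string", "test", switch_vlans))
    print(resolve_vlan_assignment("string", "1024", switch_vlans))
    print(resolve_vlan_assignment("string", "sales", switch_vlans))   # fails
    print(resolve_vlan_assignment("vlan-list", [1, 300], switch_vlans))
```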
You need to configure the switch according to the dynamic VLAN assignment mode used by the RADIUS authentication server. Table 1-4 lists several commonly used RADIUS servers and their dynamic VLAN assignment modes.

Table 1-4 Commonly used servers and their dynamic VLAN assignment modes

Server: CAMS
Dynamic VLAN assignment mode: Integer, VLAN list, String. For the latest CAMS version, you can determine the assignment mode by attribute value.

Server: ACS
Dynamic VLAN assignment mode: Integer, String, VLAN list. You can determine the assignment mode by attribute value (for example, 100 is integer; "100" is string).

Server: FreeRADIUS
Dynamic VLAN assignment mode: String

Server: Shiva Access Manager
Dynamic VLAN assignment mode: VLAN list, String

Server: Steel-Belted Radius Administrator
Dynamic VLAN assignment mode: VLAN list

• In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only digits (for example, 1024), the switch first regards it as an integer VLAN ID: the switch transforms the string to an integer value and checks whether the value is in the valid VLAN ID range; if it is, the switch adds the authenticated port to the VLAN with the value as the VLAN ID (VLAN 1024, for example).
• To use this feature together with Guest VLAN, you are recommended to set the port control mode to port-based.

Related commands: name.

Examples

# Set the VLAN assignment mode of the domain aabbcc.net to string.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] vlan-assignment-mode string

RADIUS Configuration Commands

accounting optional

Syntax

accounting optional
undo accounting optional

View

RADIUS scheme view

Parameters

None

Description

Use the accounting optional command to open the accounting-optional switch.

Use the undo accounting optional command to close the accounting-optional switch so that the system performs accounting for users unconditionally.

By default, the system performs accounting for users unconditionally.
Note that:

• If the system does not find any available accounting server or fails to communicate with any accounting server when it performs accounting for an online user, it does not disconnect the user as long as the accounting optional command has been executed. This command is commonly used in cases where only authentication is needed and accounting is not.
• This configuration takes effect only on the ISP domains using this RADIUS scheme.
• If you configure the accounting optional command in ISP domain view, it is effective for all users in the domain; if you configure it in RADIUS scheme view, it is effective for the users the RADIUS scheme is used for.

Examples

# Open the accounting-optional switch in RADIUS scheme radius1.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] accounting optional

accounting-on enable

Syntax

accounting-on enable [ send times | interval interval ]
undo accounting-on { enable | send | interval }

View

RADIUS scheme view

Parameters

times: Maximum number of attempts to send an Accounting-On message, ranging from 1 to 256 and defaulting to 15. If the maximum number has been reached but the switch still receives no response from the CAMS, the switch stops sending Accounting-On messages.

interval: Interval at which Accounting-On messages are sent, in seconds, ranging from 1 to 30 and defaulting to 3.

Description

Use the accounting-on enable command to enable the user re-authentication at restart function.

Use the undo accounting-on enable command to disable the user re-authentication at restart function and restore the default interval and maximum number of attempts to send Accounting-On messages.

Use the undo accounting-on send command to restore the default maximum number of attempts to send Accounting-On messages.

Use the undo accounting-on interval command to restore the default interval at which Accounting-On messages are sent.
By default, the user re-authentication at restart function is disabled.

The purpose of this function is to solve the following problem: users cannot re-log into the switch after the switch restarts because they are regarded as already online. After this function is enabled, every time the switch restarts, it sends an Accounting-On message to the RADIUS server to tell the server that it has restarted and to ask the server to log out its users. The following are the operations after the switch restarts:

1) The switch generates an Accounting-On message, which mainly contains the following information: NAS-ID, NAS-IP-address (source IP address), and session ID. You can configure the NAS-IP-address argument manually by using the nas-ip command. When configuring the NAS-IP-address argument, be sure to specify an appropriate valid IP address. If you do not configure the NAS-IP-address argument, the switch automatically uses the IP address of a VLAN interface as the NAS-IP-address.
2) The switch sends the Accounting-On message to the CAMS at regular intervals.
3) Once the CAMS receives the Accounting-On message, it sends a response to the switch. At the same time, according to the information (NAS-ID, NAS-IP-address and session ID) contained in the message, it finds and deletes the original online information of the users who were accessing the network through the switch before the restart, and ends the accounting of those users based on the last accounting update message.
4) Once the switch receives the response from the CAMS, it stops sending Accounting-On messages.
5) If the switch does not receive any response from the CAMS after it has tried the configured maximum number of times to send the Accounting-On message, it does not send the Accounting-On message any more.

• After configuring the accounting-on enable command, you need to execute the save command so that the command can take effect when the switch restarts.
• This function requires the cooperation of the H3C CAMS system.
Related commands: nas-ip.

Examples

# Enable the user re-authentication at restart function for the RADIUS scheme named radius1.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on enable

attribute-ignore

Syntax

attribute-ignore { standard | vendor vendor-id } type type-value
undo attribute-ignore { all | standard | vendor vendor-id }

View

RADIUS scheme view

Parameters

standard: Specifies the standard RADIUS attributes.

vendor vendor-id: Specifies the proprietary RADIUS attributes of a vendor. The vendor ID is in the range 1 to 16777215.

type-value: Type of the RADIUS attribute, in the range 1 to 255. A command can have up to eight type-value arguments.

all: Disables the ignoring of all the specified RADIUS attributes for the RADIUS scheme.

Description

Use the attribute-ignore command to configure a RADIUS scheme to ignore certain RADIUS authorization attributes that are assigned after successful authentication.

Use the undo attribute-ignore command to disable the ignoring of RADIUS attributes.

By default, a RADIUS scheme does not ignore any RADIUS authorization attributes.

For a RADIUS scheme, you can configure up to one standard attribute ignoring command, up to one proprietary attribute ignoring command per vendor, and up to three attribute ignoring commands.

Examples

# Configure RADIUS scheme radius1 to ignore the standard RADIUS attribute numbered 28.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute-ignore standard type 28

# Disable the RADIUS scheme from ignoring the standard RADIUS attributes, making the scheme accept all standard RADIUS attributes assigned to it.

[Sysname-radius-radius1] undo attribute-ignore standard

# Disable the RADIUS scheme from ignoring any attributes, making the scheme accept all RADIUS attributes assigned to it.
[Sysname-radius-radius1] undo attribute-ignore all

calling-station-id mode

Syntax

calling-station-id mode { mode1 | mode2 } { lowercase | uppercase }
undo calling-station-id mode

View

RADIUS scheme view

Parameters

mode1: Sets the MAC address format to XXXX-XXXX-XXXX, where each X represents a hexadecimal digit.

mode2: Sets the MAC address format to XX-XX-XX-XX-XX-XX.

lowercase: Uses lowercase letters in the MAC address.

uppercase: Uses uppercase letters in the MAC address.

Description

Use the calling-station-id mode command to configure the MAC address format of the Calling-Station-Id (Type 31) field in RADIUS packets.

Use the undo calling-station-id mode command to restore the default format.

By default, the MAC address format is XXXX-XXXX-XXXX, in lowercase.

Examples

# Set the MAC address format of the Calling-Station-Id field to XX-XX-XX-XX-XX-XX, in uppercase.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme system
[Sysname-radius-system] calling-station-id mode mode2 uppercase

data-flow-format

Syntax

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet }
undo data-flow-format

View

RADIUS scheme view

Parameters

data: Sets the data unit of outgoing RADIUS flows, which can be byte, giga-byte, kilo-byte, or mega-byte.

packet: Sets the packet unit of outgoing RADIUS flows, which can be one-packet, giga-packet, kilo-packet, or mega-packet.

Description

Use the data-flow-format command to set the units of RADIUS data flows to RADIUS servers.

Use the undo data-flow-format command to restore the default units.

By default, the data unit and packet unit of outgoing RADIUS flows are byte and one-packet respectively.

Note that the specified unit of data flows sent to the RADIUS server must be consistent with the traffic statistics unit of the RADIUS server. Otherwise, accounting cannot be performed correctly.
Related commands: display radius scheme.

Examples

# Specify to measure data and packets in data flows to RADIUS servers in kilo-bytes and kilo-packets respectively in RADIUS scheme radius1.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

display local-server statistics

Syntax

display local-server statistics

View

Any view

Parameters

None

Description

Use the display local-server statistics command to display the RADIUS message statistics of the local RADIUS server.

Related commands: local-server.

Examples

# Display the RADIUS message statistics of the local RADIUS server.

<Sysname> display local-server statistics
On Unit 1:
The localserver packet statistics:
Receive:              30    Send:                  30
Discard:               0    Receive Packet Error:   0
Auth Receive:         10    Auth Send:             10
Acct Receive:         20    Acct Send:             20

display radius scheme

Syntax

display radius scheme [ radius-scheme-name ]

View

Any view

Parameters

radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.

Description

Use the display radius scheme command to display configuration information about one specific or all RADIUS schemes.

Related commands: radius scheme.

Examples

# Display configuration information about all RADIUS schemes.
<Sysname> display radius scheme
------------------------------------------------------------------
SchemeName =system                          Index=0
Primary Auth IP =127.0.0.1                  Port=1645
Primary Acct IP =127.0.0.1                  Port=1646
Second Auth IP  =0.0.0.0                    Port=1812
Second Acct IP  =0.0.0.0                    Port=1813
Type=extended
Auth Server Encryption Key= Not configured
Acct Server Encryption Key= Not configured
Accounting method = required
Accounting-On packet enable, send times = 15 , interval = 3s
TimeOutValue(in second)=3  RetryTimes=3  RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =1
calling_station_id format =XXXX-XXXX-XXXX in lowercase
unit 1 :
Primary Auth State=active, Second Auth State=block
Primary Acc State=active,  Second Acc State=block
------------------------------------------------------------------
Total 1 RADIUS scheme(s). 1 listed

Table 1-5 Description on the fields of the display radius scheme command

Field: Description

SchemeName: Name of the RADIUS scheme
Index: Index number of the RADIUS scheme
Type: Type of the RADIUS servers
Primary Auth IP/Port: IP address/port number of the primary authentication server
Primary Acct IP/Port: IP address/port number of the primary accounting server
Second Auth IP/Port: IP address/port number of the secondary authentication server
Second Acct IP/Port: IP address/port number of the secondary accounting server
Auth Server Encryption Key: Shared key for the authentication servers
Acct Server Encryption Key: Shared key for the accounting servers
Accounting method: Accounting method
Accounting-On packet enable, send times = 15 , interval = 3s: The switch sends up to 15 Accounting-On messages at intervals of 3 seconds after restarting.
TimeOutValue(in second): RADIUS server response timeout time
RetryTimes: Maximum number of transmission attempts of a RADIUS request
RealtimeACCT(in minute): Real-time accounting interval in minutes
Permitted send realtime PKT failed counts: Maximum allowed number of continuous real-time accounting failures
Retry sending times of noresponse acct-stop-PKT: Maximum number of transmission attempts of the buffered stop-accounting requests
Quiet-interval(min): Time that the switch must wait before it can restore the status of a primary server to active
Username format: Username format
Data flow unit: Data unit of data flow
Packet unit: Packet unit of data flow
calling_station_id format: MAC address format of the Calling-Station-Id (Type 31) field in RADIUS packets
Primary Auth State: Status of the primary authentication server
Second Auth State: Status of the secondary authentication server
Primary Acc State: Status of the primary accounting server
Second Acc State: Status of the secondary accounting server

display radius statistics

Syntax

display radius statistics

View

Any view

Parameters

None

Description

Use the display radius statistics command to display the RADIUS message statistics.

Related commands: radius scheme.

Examples

# Display RADIUS message statistics.

<Sysname> display radius statistics
state statistic(total=1048):
DEAD=1048        AuthProc=0       AuthSucc=0
AcctStart=0      RLTSend=0        RLTWait=0
AcctStop=0       OnLine=0         Stop=0
StateErr=0
Received and Sent packets statistic:
Unit 1........................................
Sent PKT total :0            Received PKT total:0
RADIUS received packets statistic:
Code= 2,Num=0 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=0 ,Err=0
Code=11,Num=0 ,Err=0
Running statistic:
RADIUS received messages statistic:
Normal auth request      , Num=0 , Err=0 , Succ=0
EAP auth request         , Num=0 , Err=0 , Succ=0
Account request          , Num=0 , Err=0 , Succ=0
Account off request      , Num=0 , Err=0 , Succ=0
PKT auth timeout         , Num=0 , Err=0 , Succ=0
PKT acct_timeout         , Num=0 , Err=0 , Succ=0
Realtime Account timer   , Num=0 , Err=0 , Succ=0
PKT response             , Num=0 , Err=0 , Succ=0
EAP reauth_request       , Num=0 , Err=0 , Succ=0
PORTAL access            , Num=0 , Err=0 , Succ=0
Update ack               , Num=0 , Err=0 , Succ=0
PORTAL access ack        , Num=0 , Err=0 , Succ=0
Session ctrl pkt         , Num=0 , Err=0 , Succ=0
Set policy result        , Num=0 , Err=0 , Succ=0
RADIUS sent messages statistic:
Auth accept              , Num=0
Auth reject              , Num=0
EAP auth replying        , Num=0
Account success          , Num=0
Account failure          , Num=0
Cut req                  , Num=0
Set policy result        , Num=0
RecError_MSG_sum:0       SndMSG_Fail_sum :0
Timer_Err       :0       Alloc_Mem_Err   :0
State Mismatch  :0       Other_Error     :0
No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0

display stop-accounting-buffer

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

Any view

Parameters

radius-scheme radius-scheme-name: Displays the buffered stop-accounting requests of a specified RADIUS scheme. Here, radius-scheme-name is a string of up to 32 characters.

session-id session-id: Displays the buffered stop-accounting requests of a specified session. Here, session-id is a string of up to 50 characters.

time-range start-time stop-time: Displays the buffered stop-accounting requests generated in a specified time range.
Here, start-time is the start time of the time range, stop-time is the end time of the time range, and both are in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd. These parameters display all the buffered stop-accounting requests generated from start-time to stop-time.

user-name user-name: Displays the buffered stop-accounting requests of a specified user. Here, user-name is a string of up to 184 characters.

Description

Use the display stop-accounting-buffer command to display the non-response stop-accounting requests buffered in the device.

• You can choose to display the buffered stop-accounting requests of a specified RADIUS scheme, session (by session ID), or user (by username). You can also specify a time range to display those generated within the specified time range. The displayed information helps you diagnose and resolve RADIUS problems.
• If the switch gets no response in a specified time period after sending a stop-accounting request to a RADIUS server, it buffers the request and retransmits the buffered one until the maximum number of transmission attempts (set by the retry stop-accounting command) is reached.

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.

Examples

# Display the buffered stop-accounting requests generated from 0:0:0 08/31/2002 to 23:59:59 08/31/2002.

<Sysname> display stop-accounting-buffer time-range 00:00:00-08/31/2002 23:59:59-08/31/2002
Total find 0 record

key

Syntax

key { accounting | authentication } string
undo key { accounting | authentication }

View

RADIUS scheme view

Parameters

accounting: Sets a shared key for RADIUS accounting messages.

authentication: Sets a shared key for RADIUS authentication/authorization messages.

string: Shared key to be set, a string of up to 16 characters.

Description

Use the key command to set a shared key for RADIUS authentication/authorization messages or accounting messages.
Use the undo key command to restore the corresponding default shared key setting.
By default, no shared key exists.
Note that:
• Both the RADIUS client and the RADIUS server adopt the MD5 algorithm to encrypt RADIUS messages before exchanging them with each other.
• The two parties verify the validity of the RADIUS messages received from each other by using the shared keys set on them, and can accept and respond to the messages only when both parties have the same shared key.
• The authentication/authorization shared key and the accounting shared key you set on the switch must be consistent with the shared key on the authentication/authorization server and the shared key on the accounting server, respectively.
Related commands: primary accounting, primary authentication, radius scheme.

Examples
# Set "hello" as the shared key for RADIUS authentication/authorization messages in RADIUS scheme radius1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] key authentication hello
# Set "ok" as the shared key for RADIUS accounting messages in RADIUS scheme radius1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] key accounting ok

local-server

Syntax
local-server enable
undo local-server

View
System view

Parameters
None

Description
Use the local-server enable command to enable the UDP ports for local RADIUS services.
Use the undo local-server command to disable the UDP ports for local RADIUS services.
By default, the UDP ports for local RADIUS services are enabled.
In addition to functioning as a RADIUS client to provide remote RADIUS authentication, authorization, and accounting services, the switch can act as a local RADIUS server to provide simple RADIUS server functions locally. For the switch to act as a local server, you need to use this command to enable the service ports.
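What the shared key set by the key command (and by local-server nas-ip ... key when the switch is the server) is actually used for, as an added example in Python that is not code from this manual, from the switch firmware, or from any RADIUS library. Per RFC 2865 and RFC 2866 the key is not used to encrypt the message body: it is appended to the packet and hashed with MD5 to form the Response Authenticator and the Accounting-Request Authenticator, so a peer holding a different key produces a message that fails verification on the other side, which is why the two sides must hold the identical string. All packets are constructed inline; the secrets "hello" and "ok" are the manual's example keys, and every function and constant name below is this example's own.

```python
"""RADIUS shared-key verification (RFC 2865/2866), modelled in Python.

Added example, not code from the 3Com manual. Packets are constructed
inline; "hello" and "ok" are the manual's example keys.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(attr_type, value):
    """Encode one Type-Length-Value attribute (length counts the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _packet(code, identifier, authenticator, attributes):
    length = HEADER_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + authenticator + attributes


def _hash_authenticator(code, identifier, auth_field, attributes, secret):
    """MD5(Code + ID + Length + <16 octets> + Attributes + Secret): the
    construction shared by the Response Authenticator (RFC 2865 section 3)
    and the Accounting-Request Authenticator (RFC 2866 section 3)."""
    length = HEADER_LEN + len(attributes)
    data = struct.pack("!BBH", code, identifier, length) + auth_field + attributes + secret
    return hashlib.md5(data).digest()


def build_access_request(identifier, request_authenticator, attributes):
    """NAS side: the Request Authenticator is 16 octets chosen by the NAS
    (random in real use; fixed here so the example is repeatable)."""
    return _packet(ACCESS_REQUEST, identifier, request_authenticator, attributes)


def build_response(code, request, attributes, secret):
    """Server side: authenticate the reply with the key configured for this NAS."""
    identifier = request[1]
    request_authenticator = request[4:HEADER_LEN]
    auth = _hash_authenticator(code, identifier, request_authenticator, attributes, secret)
    return _packet(code, identifier, auth, attributes)


def verify_response(response, request, secret):
    """NAS side: accept a reply only if its Length is consistent, it answers
    the request we sent (same Identifier) and its authenticator was computed
    with our shared key."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = _hash_authenticator(code, identifier, request[4:HEADER_LEN],
                                   response[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def build_accounting_request(identifier, attributes, secret):
    """NAS side: the Accounting-Request Authenticator is MD5 over the packet
    with 16 zero octets in the authenticator field, plus the accounting key."""
    auth = _hash_authenticator(ACCOUNTING_REQUEST, identifier, bytes(16), attributes, secret)
    return _packet(ACCOUNTING_REQUEST, identifier, auth, attributes)


def verify_accounting_request(packet, secret):
    """Accounting server side: recompute the authenticator with its own key."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = _hash_authenticator(code, identifier, bytes(16), packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def demo():
    """Both directions with matching and mismatching keys (constructed sample)."""
    request_auth = bytes(range(16))
    attrs = attribute(1, b"user1") + attribute(4, bytes([10, 1, 1, 1]))  # User-Name, NAS-IP-Address
    req = build_access_request(7, request_auth, attrs)
    accept = build_response(ACCESS_ACCEPT, req, b"", b"hello")
    acct = build_accounting_request(8, attribute(40, b"\x00\x00\x00\x01"), b"ok")  # Acct-Status-Type Start
    return {
        "accept_ok": verify_response(accept, req, b"hello"),
        "accept_wrong_key": verify_response(accept, req, b"hell0"),
        "acct_ok": verify_accounting_request(acct, b"ok"),
        "acct_wrong_key": verify_accounting_request(acct, b"ko"),
    }


if __name__ == "__main__":
    print(demo())
```

The check on the Identifier and Length in verify_response is what ties a reply to the outstanding request; a reply computed with a mismatched key, or any change to the reply's attributes after it was built, fails the digest comparison, which is the "State Mismatch" and "Err" style failures a switch counts rather than a decryption error.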
The UDP port for the local RADIUS authentication/authorization service is 1645, and that for the local RADIUS accounting service is 1646.
Related commands: radius scheme, state, local-server nas-ip.

Examples
# Enable the UDP ports for local RADIUS services.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-server enable

local-server nas-ip

Syntax
local-server nas-ip ip-address key password
undo local-server nas-ip ip-address

View
System view

Parameters
nas-ip ip-address: Specifies the IP address of a network access server (NAS) that can use the local RADIUS services. Here, ip-address is in dotted decimal notation.
key password: Sets the shared key between the local RADIUS server and the NAS. Here, password is a string of up to 16 characters.

Description
Use the local-server nas-ip command to set the related parameters of the local RADIUS server.
Use the undo local-server nas-ip command to cancel a specified NAS setting for the local RADIUS server.
By default, the local RADIUS server is enabled and it allows the access of NAS 127.0.0.1. That is, the local device serves as both a RADIUS server and a network access server, and all authentications are performed locally. The default shared key is null.
Note that:
• The message encryption key set by the local-server nas-ip ip-address key password command must be identical to the authentication/authorization message encryption key set by the key authentication command in RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.
• The switch supports the IP addresses and shared keys of at most 16 network access servers (including the local device); that is, when the switch serves as a RADIUS server, it can provide authentication service to at most 16 NASs simultaneously.
• When serving as a local RADIUS server, the switch does not support EAP authentication (that is, you cannot set the 802.1x authentication method to eap by using the authentication-method eap command).
Related commands: radius scheme, state, local-server enable.

Examples
# Allow the local RADIUS server to provide services to NAS 10.110.1.2 with shared key aabbcc.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-server nas-ip 10.110.1.2 key aabbcc

nas-ip

Syntax
nas-ip ip-address
undo nas-ip

View
RADIUS scheme view

Parameters
ip-address: Source IP address for RADIUS messages, an IP address of this device. This address can be neither the all-0s address nor a Class D address.

Description
Use the nas-ip command to set the source IP address of outgoing RADIUS messages.
Use the undo nas-ip command to remove the source IP address setting.
By default, the IP address of the outbound interface is used as the source IP address of RADIUS messages.
The nas-ip command in RADIUS scheme view has the same function as the radius nas-ip command in system view, and the configuration in RADIUS scheme view takes precedence over that in system view.
You can set the source IP address of outgoing RADIUS messages to prevent messages returned from the RADIUS server from being unable to reach their destination because of physical interface trouble. It is recommended to use a Loopback interface address as the source IP address.
Related commands: display radius scheme, radius nas-ip.

Examples
# Set source IP address 10.1.1.1 for outgoing RADIUS messages in RADIUS scheme radius1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] nas-ip 10.1.1.1

primary accounting

Syntax
primary accounting ip-address [ port-number ]
undo primary accounting

View
RADIUS scheme view

Parameters
ip-address: IP address of the primary accounting server to be used, in dotted decimal notation.
port-number: UDP port number of the primary accounting server, ranging from 1 to 65535.

Description
Use the primary accounting command to set the IP address and port number of the primary RADIUS accounting server to be used by the current scheme.
Use the undo primary accounting command to restore the default IP address and port number of the primary RADIUS accounting server, which are 0.0.0.0 and 1813 respectively.
In the system default RADIUS scheme "system", the default IP address of the primary accounting server is 127.0.0.1 and the default UDP port number is 1646. In a new RADIUS scheme, the default IP address of the primary accounting server is 0.0.0.0 and the default UDP port number is 1813.
Related commands: key, radius scheme, state.

Examples
# Set the IP address and UDP port number of the primary accounting server for RADIUS scheme radius1 to 10.110.1.2 and 1813 respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] primary accounting 10.110.1.2 1813

primary authentication

Syntax
primary authentication ip-address [ port-number ]
undo primary authentication

View
RADIUS scheme view

Parameters
ip-address: IP address of the primary authentication/authorization server to be used, in dotted decimal notation.
port-number: UDP port number of the primary authentication/authorization server, ranging from 1 to 65535.

Description
Use the primary authentication command to set the IP address and port number of the primary RADIUS authentication/authorization server used by the current RADIUS scheme.
Use the undo primary authentication command to restore the default IP address and port number of the primary RADIUS authentication/authorization server, which are 0.0.0.0 and 1812 respectively.
In the system default RADIUS scheme "system", the default IP address of the primary authentication/authorization server is 127.0.0.1 and the default UDP port number is 1645. In a new RADIUS scheme, the default IP address of the primary authentication/authorization server is 0.0.0.0 and the default UDP port number is 1812.
Note that:
• After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization and accounting. For each type of server, you can configure two servers in a RADIUS scheme: a primary server and a secondary server.
• In an actual network environment, you can make RADIUS server-related configuration as required, but you should configure at least one authentication/authorization server and one accounting server, and you should keep the RADIUS server port settings on the switch consistent with those on the RADIUS servers.
Related commands: key, radius scheme, state.

Examples
# Set the IP address and UDP port number of the primary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.1 and 1812 respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812

radius client

Syntax
radius client enable
undo radius client

View
System view

Parameters
None

Description
Use the radius client enable command to enable the RADIUS authentication and accounting ports.
Use the undo radius client command to disable the RADIUS authentication and accounting ports.
By default, the RADIUS authentication and accounting ports are enabled.
If you want to use the switch as a RADIUS client, you need to ensure that the ports for RADIUS authentication and accounting are open. Otherwise, you can disable the ports to improve the security of the switch.
Related commands: radius scheme.

Examples
# Disable the RADIUS authentication and accounting ports.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo radius client enable

radius nas-ip

Syntax
radius nas-ip ip-address
undo radius nas-ip

View
System view

Parameters
ip-address: Source IP address to be set, an IP address of this device. This address can be neither the all-0s address nor a Class D address.

Description
Use the radius nas-ip command to set the source IP address of outgoing RADIUS messages.
Use the undo radius nas-ip command to restore the default setting.
By default, no source IP address is set, and the IP address of the corresponding outbound interface is used as the source IP address of RADIUS messages.
The nas-ip command in RADIUS scheme view has the same function as the radius nas-ip command in system view, and the configuration in RADIUS scheme view takes precedence over that in system view.
Note that:
• You can set the source IP address of outgoing RADIUS messages to prevent messages returned from the RADIUS server from being unable to reach their destination because of physical interface trouble. It is recommended to use a Loopback interface address as the source IP address.
• You can set only one source IP address by using this command. When you execute this command again, the newly set source IP address overwrites the old one.
Related commands: nas-ip.

Examples
# Set source address 129.10.10.1 for outgoing RADIUS messages.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius nas-ip 129.10.10.1

radius scheme

Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name

View
System view

Parameters
radius-scheme-name: Name of the RADIUS scheme to be created, a string of up to 32 characters.

Description
Use the radius scheme command to create a RADIUS scheme and enter its view.
Use the undo radius scheme command to delete a specified RADIUS scheme.
By default, a RADIUS scheme named "system" has already been created in the system.
Note that:
• All the attributes of RADIUS scheme "system" take the default values, which you can view by using the display radius scheme command.
• RADIUS protocol configuration is performed on a per-RADIUS-scheme basis. For each RADIUS scheme, you should specify at least the IP addresses and UDP port numbers of the RADIUS authentication/authorization and accounting servers, and the parameters required for the RADIUS client to interact with the RADIUS servers. You should first create a RADIUS scheme and enter its view before performing RADIUS protocol configuration.
• A RADIUS scheme can be referenced by multiple ISP domains simultaneously.
• The undo radius scheme command cannot delete the default RADIUS scheme. In addition, you are not allowed to delete a RADIUS scheme that is being used by an online user.
Related commands: key, retry realtime-accounting, scheme, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius scheme, display radius statistics.

Examples
# Create a RADIUS scheme named radius1 and enter its view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1]

radius trap

Syntax
radius trap { authentication-server-down | accounting-server-down }
undo radius trap { authentication-server-down | accounting-server-down }

View
System view

Parameters
authentication-server-down: Enables/disables the switch to send trap messages when a RADIUS authentication server goes down.
accounting-server-down: Enables/disables the switch to send trap messages when a RADIUS accounting server goes down.

Description
Use the radius trap command to enable the switch to send trap messages when a RADIUS server goes down.
Use the undo radius trap command to disable the switch from sending trap messages when a RADIUS authentication server or a RADIUS accounting server goes down.
By default, this function is disabled.
This configuration takes effect on all RADIUS schemes.
The switch considers a RADIUS server to be down if it has tried the configured maximum number of times to send a message to the RADIUS server but has received no response.

Examples
# Enable the switch to send trap messages when a RADIUS authentication server goes down.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius trap authentication-server-down

reset radius statistics

Syntax
reset radius statistics

View
User view

Parameters
None

Description
Use the reset radius statistics command to clear RADIUS message statistics.
Related commands: display radius scheme.

Examples
# Clear RADIUS message statistics.
<Sysname> reset radius statistics

reset stop-accounting-buffer

Syntax
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View
User view

Parameters
radius-scheme radius-scheme-name: Deletes the buffered stop-accounting requests of a specified RADIUS scheme.
Here, radius-scheme-name is the name of a RADIUS scheme, which is a string of up to 32 characters that does not contain any of the following characters: /:*?<>.
session-id session-id: Deletes the buffered stop-accounting requests of a specified session. Here, session-id is a session ID, which is a string of up to 50 characters.
time-range start-time stop-time: Deletes the buffered stop-accounting requests generated within a specified time period. Here, start-time is the start time of the time period, stop-time is the end time of the time period, and both are in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.
user-name user-name: Deletes the buffered stop-accounting requests of a specified user. Here, user-name is the name of a user, which is a string of up to 184 characters.

Description
Use the reset stop-accounting-buffer command to delete stop-accounting requests that are buffered on the switch because they got no response.
Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Examples
# Delete the stop-accounting requests buffered for user [email protected].
<Sysname> reset stop-accounting-buffer user-name [email protected]
# Delete the stop-accounting requests buffered from 0:0:0 08/31/2002 to 23:59:59 08/31/2002.
<Sysname> reset stop-accounting-buffer time-range 00:00:00-08/31/2002 23:59:59-08/31/2002

retry

Syntax
retry retry-times
undo retry

View
RADIUS scheme view

Parameters
retry-times: Maximum number of transmission attempts of a RADIUS request, ranging from 1 to 20.

Description
Use the retry command to set the maximum number of transmission attempts of a RADIUS request.
Use the undo retry command to restore the default maximum number of transmission attempts.
By default, the maximum number of RADIUS request transmission attempts is 3.
Note that:
• Communication in RADIUS is unreliable because the protocol uses UDP packets to carry its data.
Therefore, the switch must retransmit a RADIUS request if it gets no response from the RADIUS server after the server response timeout timer expires. If the switch gets no answer after it has tried the maximum number of times to transmit a RADIUS request, the switch considers that the request has failed.
• Setting this maximum number of transmission attempts appropriately for your network situation can improve the response speed of the system.
Related commands: radius scheme.

Examples
# Set the maximum number of RADIUS request transmission attempts for RADIUS scheme radius1 to five.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] retry 5

retry realtime-accounting

Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting

View
RADIUS scheme view

Parameters
retry-times: Maximum allowed number of continuous real-time accounting failures, ranging from 1 to 255.

Description
Use the retry realtime-accounting command to set the maximum allowed number of continuous real-time accounting failures.
Use the undo retry realtime-accounting command to restore the default maximum number of continuous real-time accounting failures.
By default, the maximum number of continuous real-time accounting failures is five.
Note that:
• Generally, a RADIUS server uses the connection timeout timer to determine whether a user is currently online. If the RADIUS server receives no real-time accounting message for a specified period of time, it considers that the switch or the line is in trouble and stops accounting for the user. To make the switch cooperate with the RADIUS server in this feature, it is necessary to cut down the user connection on the switch to synchronize with the RADIUS server when the server terminates the accounting and connection of a user in case of unforeseen trouble.
You can limit the number of continuous real-time accounting requests that fail because they get no response; the switch then cuts down the user connection when the limit is reached.
• A real-time accounting request may be transmitted multiple times in one accounting attempt (the maximum number of transmission attempts is set by the retry command in RADIUS scheme view). If no response is received after the switch has tried the maximum number of attempts to send the request, the switch considers the accounting attempt a failure. Suppose that the response timeout time of the RADIUS server is three seconds (set by the timer response-timeout command), the maximum number of transmission attempts is 3 (set by the retry command), the real-time accounting interval is 12 minutes (set by the timer realtime-accounting command), and the maximum allowed number of real-time accounting failures is 5 (set by the retry realtime-accounting command). In this case, the switch initiates an accounting request every 12 minutes; if the switch does not receive a response within 3 seconds after it sends out the accounting request, it resends the request; if the switch sends the accounting request three times in a row but receives no response, it considers this real-time accounting attempt a failure. Then the switch reinitiates the accounting request every 12 minutes; if five continuous accounting failures occur, the switch cuts down the user connection.
Related commands: radius scheme, timer realtime-accounting.

Examples
# Set the maximum allowed number of continuous real-time accounting failures for RADIUS scheme radius1 to 10.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] retry realtime-accounting 10

retry stop-accounting

Syntax
retry stop-accounting retry-times
undo retry stop-accounting

View
RADIUS scheme view

Parameters
retry-times: Maximum number of transmission attempts of a buffered stop-accounting request, ranging from 10 to 65,535.

Description
Use the retry stop-accounting command to set the maximum number of transmission attempts of a stop-accounting request buffered because it got no response.
Use the undo retry stop-accounting command to restore the default maximum number of transmission attempts of a buffered stop-accounting request.
By default, the maximum number of stop-accounting request transmission attempts is 500.
Stop-accounting requests are critical to billing and eventually affect the charges of users; they are important to both users and ISPs. Therefore, the switch should do its best to transmit them to the RADIUS accounting servers. When getting no response to such a request, the switch first buffers the request, and then retransmits it to the RADIUS accounting server until it gets a response or the maximum number of transmission attempts is reached (in which case it discards the request).
Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples
# In RADIUS scheme radius1, specify that the switch can transmit a buffered stop-accounting request at most 1000 times.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] retry stop-accounting 1000

secondary accounting

Syntax
secondary accounting ip-address [ port-number ]
undo secondary accounting

View
RADIUS scheme view

Parameters
ip-address: IP address of the secondary accounting server to be used, in dotted decimal notation.
port-number: UDP port number of the secondary accounting server, ranging from 1 to 65535.
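The retransmission arithmetic behind the retry, timer response-timeout, retry realtime-accounting and retry stop-accounting commands, as an added example in Python that is not the switch's own code. It replays the manual's worked scenario (3-second timeout, 3 attempts, 12-minute interval, 5 failures) and the stop-accounting buffer with its 500-attempt default; the server's behaviour is scripted so the run is offline and repeatable. Every name below is this example's own, and it assumes, which the manual does not state, that real-time accounting requests fire on a fixed interval regardless of how long the previous request's retries took.

```python
"""Retransmission and failure counting behind the retry, timer response-timeout,
retry realtime-accounting and retry stop-accounting settings.

Added example, not the switch's own code. Scheme defaults are the manual's;
server behaviour is scripted. Assumption: real-time accounting requests fire
on a fixed interval regardless of how long the previous request's retries took.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Scheme:
    response_timeout_s: int = 3        # timer response-timeout (or timer)
    retry: int = 3                     # retry: transmission attempts per request
    realtime_interval_min: int = 12    # timer realtime-accounting
    realtime_failures: int = 5         # retry realtime-accounting
    stop_acct_retry: int = 500         # retry stop-accounting


def send_with_retry(scheme: Scheme, answers: Callable[[int], bool]) -> Tuple[bool, int]:
    """Transmit one RADIUS request up to `retry` times, waiting
    response_timeout_s after each unanswered attempt. `answers(attempt)`
    says whether the (scripted) server replies to that attempt.
    Returns (succeeded, seconds spent waiting on timeouts)."""
    waited = 0
    for attempt in range(1, scheme.retry + 1):
        if answers(attempt):
            return True, waited
        waited += scheme.response_timeout_s
    return False, waited               # all attempts used: the request fails


def realtime_accounting(scheme: Scheme, server_silent_from_min: int,
                        horizon_min: int = 600) -> Optional[int]:
    """Real-time accounting for one online user. The accounting server answers
    every request sent before minute `server_silent_from_min` and nothing
    afterwards. Returns the minute at which the switch cuts the user
    connection, or None if the failure limit is not reached by `horizon_min`."""
    consecutive_failures = 0
    now = 0
    while now < horizon_min:
        now += scheme.realtime_interval_min
        alive = now < server_silent_from_min
        ok, _ = send_with_retry(scheme, lambda attempt: alive)
        consecutive_failures = 0 if ok else consecutive_failures + 1  # a reply resets the count
        if consecutive_failures >= scheme.realtime_failures:
            return now
    return None


def drain_stop_accounting_buffer(scheme: Scheme,
                                 first_answer: Dict[str, Optional[int]]
                                 ) -> Tuple[List[str], List[str]]:
    """Buffered stop-accounting requests keyed by session ID. `first_answer`
    gives the attempt on which the accounting server first replies (None =
    never). Each request is retransmitted until answered or until
    `stop_acct_retry` attempts are used up, after which it is discarded."""
    delivered, discarded = [], []
    for session, answer_at in first_answer.items():
        for attempt in range(1, scheme.stop_acct_retry + 1):
            if answer_at is not None and attempt >= answer_at:
                delivered.append(session)
                break
        else:                            # loop exhausted without a reply
            discarded.append(session)
    return delivered, discarded


if __name__ == "__main__":
    s = Scheme()
    print("seconds waited on one request to a dead server:",
          send_with_retry(s, lambda attempt: False)[1])          # 9
    print("user cut at minute:", realtime_accounting(s, 0))       # 60
    print(drain_stop_accounting_buffer(s, {"s1": 1, "s2": 120, "s3": None}))
```

With the defaults a server that stops answering costs 9 seconds of waiting per accounting attempt and the user is cut 60 minutes after the first miss; lowering retry realtime-accounting shortens that window at the price of cutting users over a transient server outage, which is the trade-off the command's note describes.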
Description
Use the secondary accounting command to set the IP address and port number of the secondary RADIUS accounting server to be used by the current scheme.
Use the undo secondary accounting command to restore the default IP address and port number of the secondary RADIUS accounting server, which are 0.0.0.0 and 1813 respectively.
Related commands: key, radius scheme, state.

Examples
# Set the IP address and UDP port number of the secondary accounting server for RADIUS scheme radius1 to 10.110.1.1 and 1813 respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

secondary authentication

Syntax
secondary authentication ip-address [ port-number ]
undo secondary authentication

View
RADIUS scheme view

Parameters
ip-address: IP address of the secondary authentication/authorization server to be used, in dotted decimal notation.
port-number: UDP port number of the secondary authentication/authorization server, ranging from 1 to 65535.

Description
Use the secondary authentication command to set the IP address and port number of the secondary RADIUS authentication/authorization server to be used by the current scheme.
Use the undo secondary authentication command to restore the default IP address and port number of the secondary RADIUS authentication/authorization server, which are 0.0.0.0 and 1812 respectively.
Related commands: key, radius scheme, state.

Examples
# Set the IP address and UDP port number of the secondary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.2 and 1812 respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

server-type

Syntax
server-type { extended | standard }
undo server-type

View
RADIUS scheme view

Parameters
extended: Specifies support for an H3C RADIUS server (generally a CAMS), that is, use of the procedure and message format of the private RADIUS protocol to interact with an H3C RADIUS server.
standard: Specifies support for a standard RADIUS server, that is, use of the procedure and message format of the standard RADIUS protocol (RFC 2865/2866 or above) to interact with a standard RADIUS server.

Description
Use the server-type command to configure the switch to support a specified type of RADIUS server.
Use the undo server-type command to restore the default setting.
By default, the switch supports RADIUS servers of the standard type, and the RADIUS server type in the default scheme named system is extended.
Related commands: radius scheme.

Examples
# Configure the switch to support an H3C RADIUS server in RADIUS scheme radius1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] server-type extended

state

Syntax
state { primary | secondary } { accounting | authentication } { block | active }

View
RADIUS scheme view

Parameters
primary: Specifies that the server to be set is a primary RADIUS server.
secondary: Specifies that the server to be set is a secondary RADIUS server.
accounting: Specifies that the server to be set is a RADIUS accounting server.
authentication: Specifies that the server to be set is a RADIUS authentication/authorization server.
block: Sets the status of the specified RADIUS server to block (that is, the down state).
active: Sets the status of the specified RADIUS server to active (that is, the normal working state).

Description
Use the state command to set the status of a RADIUS server.
By default, all RADIUS servers in any customized RADIUS scheme are in the block state; the primary RADIUS servers in the default RADIUS scheme "system" are in the active state, and the secondary RADIUS servers in "system" are in the block state.
For the primary and secondary servers (authentication/authorization servers, or accounting servers) in a RADIUS scheme, note that:
• When the switch fails to communicate with the primary server because of some server trouble, the switch turns to the secondary server and exchanges messages with the secondary server.
• After the primary server has remained in the block state for a set time (set by the timer quiet command), the switch tries to communicate with the primary server again when it receives a RADIUS request. If it finds that the primary server has recovered, the switch immediately restores communication with the primary server instead of communicating with the secondary server, and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchanged.
• When both the primary and secondary servers are in the active state, or both are in the block state, the switch sends messages only to the primary server.
Related commands: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.

Examples
# Set the status of the secondary authentication server in RADIUS scheme radius1 to active.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] state secondary authentication active

stop-accounting-buffer enable

Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable

View
RADIUS scheme view

Parameters
None

Description
Use the stop-accounting-buffer enable command to enable the switch to buffer the stop-accounting requests that get no response.
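The primary/secondary selection rules listed under the state command, together with the timer quiet wait, as an added example in Python that is not code from the manual or the switch. The servers, their reachability and the minute counter are constructed here; the quiet time defaults to the manual's five minutes; the scenario starts both servers in the active state as if state ... active had been run. One detail the manual leaves open is assumed: when the probe of the primary after the quiet time also fails, the primary is re-blocked and that request goes to the secondary. All class and function names are this example's own.

```python
"""Primary/secondary RADIUS server selection with block/active states and
the timer quiet wait.

Added example, not the switch's firmware. Reachability is scripted and
time is a minute counter supplied by the caller.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Server:
    name: str
    state: str = "block"              # manual: servers in a custom scheme start in block
    blocked_at: Optional[int] = None  # minute at which the server entered block


class RadiusServerPair:
    """Primary and secondary server for one role (authentication or accounting)."""

    def __init__(self, primary: Server, secondary: Server, quiet_minutes: int = 5):
        self.primary = primary
        self.secondary = secondary
        self.quiet_minutes = quiet_minutes   # timer quiet (default 5 minutes)

    def _quiet_expired(self, now: int) -> bool:
        p = self.primary
        return (p.state == "block" and p.blocked_at is not None
                and now - p.blocked_at >= self.quiet_minutes)

    def select(self, now: int) -> Server:
        """Which server the next request goes to, per the state-command notes."""
        p, s = self.primary, self.secondary
        if self._quiet_expired(now):
            return p                    # quiet time over: try the primary again
        if p.state == s.state:
            return p                    # both active or both block: primary only
        return p if p.state == "active" else s

    def send(self, now: int, reachable: Dict[str, bool]) -> Optional[str]:
        """Send one request at minute `now`. `reachable` maps a server name to
        whether it answers (scripted). Returns the name of the server that
        answered, or None if no server did."""
        target = self.select(now)
        if reachable.get(target.name, False):
            if target.state == "block":
                target.state, target.blocked_at = "active", None   # recovered
            return target.name
        target.state, target.blocked_at = "block", now
        # Primary failed: turn to the secondary for this request (first note).
        # Re-blocking a primary whose post-quiet probe fails is an assumption.
        if target is self.primary and self.secondary.state == "active":
            if reachable.get(self.secondary.name, False):
                return self.secondary.name
            self.secondary.state, self.secondary.blocked_at = "block", now
        return None


def scenario() -> Tuple[List[Tuple[int, Optional[str]]], str, str]:
    """Constructed timeline: primary 10.110.1.1 goes down at minute 1 and is
    back by minute 12; secondary 10.110.1.2 is always up. Both start active."""
    pair = RadiusServerPair(Server("10.110.1.1", "active"), Server("10.110.1.2", "active"))
    timeline = [(0, True), (1, False), (3, False), (6, False), (12, True)]
    used = []
    for minute, primary_up in timeline:
        used.append((minute, pair.send(minute, {"10.110.1.1": primary_up,
                                                "10.110.1.2": True})))
    return used, pair.primary.state, pair.secondary.state


if __name__ == "__main__":
    for minute, server in scenario()[0]:
        print(f"minute {minute:2d}: request answered by {server}")
```

In the scenario the primary is blocked at minute 1, the secondary carries traffic at minutes 1 and 3, the first probe after the five-minute quiet time (minute 6) still fails and re-blocks the primary, and the probe at minute 12 succeeds, so the primary returns to active and the secondary's state is left as it was.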
Use the undo stop-accounting-buffer enable command to disable the switch from buffering the stop-accounting requests that get no response.
By default, the switch is enabled to buffer the stop-accounting requests that get no response.
Stop-accounting requests are critical to billing and eventually affect the charges; they are important to both users and ISPs. Therefore, the switch should do its best to transmit them to the RADIUS accounting servers. When getting no response to such a request, the switch first buffers the request, and then retransmits it to the RADIUS accounting server until it gets a response or the maximum number of transmission attempts is reached (in which case it discards the request).
Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples
# In RADIUS scheme radius1, enable the switch to buffer the stop-accounting requests that get no response from the servers.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] stop-accounting-buffer enable

timer

Syntax
timer seconds
undo timer

View
RADIUS scheme view

Parameters
seconds: Response timeout time of RADIUS servers, ranging from 1 to 10 seconds.

Description
Use the timer command to set the response timeout time of RADIUS servers (that is, the timeout time of the response timeout timer of RADIUS servers).
Use the undo timer command to restore the default response timeout timer of RADIUS servers.
By default, the response timeout time of RADIUS servers is 3 seconds.
Note that:
• After sending out a RADIUS request (an authentication/authorization request or an accounting request) to a RADIUS server, the switch waits for a response from the server.
The maximum time that the switch can wait for the response is called the response timeout time of RADIUS servers, and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers. You can use the timer command to set the timeout time of this timer; if the switch gets no answer before the response timeout timer expires, it must retransmit the request to ensure that the user can obtain RADIUS service.
• Setting the timeout time of this timer appropriately for your network situation can improve the performance of your system.
• The timer command has the same function as the timer response-timeout command.
Related commands: radius scheme, retry.

Examples
# Set the timeout time of the response timeout timer for RADIUS scheme radius1 to 5 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] timer 5

timer quiet

Syntax
timer quiet minutes
undo timer quiet

View
RADIUS scheme view

Parameters
minutes: Wait time before primary server state restoration, ranging from 1 to 255 minutes.

Description
Use the timer quiet command to set the time that the switch waits before it tries to communicate with the primary server again and restore the status of the primary server to active.
Use the undo timer quiet command to restore the default wait time.
By default, the switch waits five minutes.
Related commands: display radius scheme.

Examples
# Configure the switch to wait 10 minutes before it tries to restore the status of the primary server to active.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] timer quiet 10

timer realtime-accounting

Syntax
timer realtime-accounting minutes
undo timer realtime-accounting

View
RADIUS scheme view

Parameters
minutes: Real-time accounting interval, in minutes.
It ranges from 3 to 60 and must be a multiple of 3.

Description
Use the timer realtime-accounting command to set the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default real-time accounting interval.
By default, this interval is 12 minutes.
Note that:
• To control the interval at which users are charged in real time, you can set the real-time accounting interval. After the setting, the switch periodically sends online users' accounting information to the RADIUS server at the set interval.
• The setting of the real-time accounting interval depends, to some degree, on the performance of the switch and the RADIUS server. The higher the performance of the switch and the RADIUS server, the shorter the interval can be. It is recommended to set the interval as long as possible when the number of users is relatively large (≥1000). Table 1-6 lists the recommended intervals for different numbers of users.
Table 1-6 Numbers of users and recommended intervals
Number of users | Real-time accounting interval (minutes)
1 to 99         | 3
100 to 499      | 6
500 to 999      | 12
≥1000           | ≥15
Related commands: retry realtime-accounting, radius scheme.

Examples
# Set the real-time accounting interval of RADIUS scheme radius1 to 51 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] timer realtime-accounting 51

timer response-timeout

Syntax
timer response-timeout seconds
undo timer response-timeout

View
RADIUS scheme view

Parameters
seconds: Response timeout time of RADIUS servers, ranging from 1 to 10 seconds.

Description
Use the timer response-timeout command to set the response timeout time of RADIUS servers.
Use the undo timer response-timeout command to restore the default response timeout time of RADIUS servers.
By default, the response timeout time of RADIUS servers is 3 seconds.
Note that:
• After sending out a RADIUS request (authentication/authorization request or accounting request) to a RADIUS server, the switch waits for a response from the server. The maximum time that the switch can wait for the response is called the response timeout time of RADIUS servers, and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers. You can use the timer response-timeout command to set the timeout time of this timer, and if the switch gets no answer before the response timeout timer expires, it needs to retransmit the request to ensure that the user can obtain RADIUS service.
• Appropriately setting the timeout time of this timer according to your network situation can improve the performance of your system.
• This command has the same function as the timer command.
Related commands: radius scheme, retry.
Examples
# Set the response timeout time in RADIUS scheme radius1 to five seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] timer response-timeout 5

user-name-format
Syntax
user-name-format { with-domain | without-domain }
View
RADIUS scheme view
Parameters
with-domain: Specifies to include ISP domain names in the usernames to be sent to the RADIUS server.
without-domain: Specifies to exclude ISP domain names from the usernames to be sent to the RADIUS server.
Description
Use the user-name-format command to set the format of the usernames to be sent to the RADIUS server.
By default, except for the default RADIUS scheme "system", the usernames sent to RADIUS servers in any RADIUS scheme carry ISP domain names.
Note that:
• Generally, an access user is named in the userid@isp-name format. Here, isp-name behind the @ character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept usernames that carry ISP domain names. In this case, it is necessary to remove domain names from usernames before sending them to the RADIUS server. For this reason, the user-name-format command lets you specify whether or not ISP domain names are carried in the usernames to be sent to the RADIUS server.
• For a RADIUS scheme, if you have specified to exclude ISP domain names from usernames, you should not use this RADIUS scheme in more than one ISP domain. Otherwise, such errors may occur: the RADIUS server regards two different users having the same name but belonging to different ISP domains as the same user (because the usernames sent to it are the same).
• For an 802.1x user, if you have specified to use EAP authentication, the switch will encapsulate and send the contents from the client directly to the server. In this case, the configuration of the user-name-format command is not effective.
Related commands: radius scheme.
Examples
# Specify to exclude ISP domain names from the usernames to be sent to the RADIUS server in RADIUS scheme radius1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] user-name-format without-domain

HWTACACS Configuration Commands
data-flow-format
Syntax
data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }
data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }
undo data-flow-format { data | packet }
View
HWTACACS scheme view
Parameters
data: Sets the data unit of outgoing HWTACACS data flows, which can be byte, giga-byte, kilo-byte, or mega-byte.
packet: Sets the packet unit of outgoing HWTACACS data flows, which can be one-packet, giga-packet, kilo-packet, or mega-packet.
Description
Use the data-flow-format command to set the units of data flows to TACACS servers.
Use the undo data-flow-format command to restore the default units.
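The collision that the user-name-format note above warns about (one scheme configured without-domain and shared by several ISP domains) is easy to reproduce offline. The following Python is an added illustration, not 3Com code and not switch behaviour observed on a device; the same rule applies to the HWTACACS user-name-format command later in this chapter. The ISP domain names, usernames and the name of the default domain ("default") are constructed assumptions; the manual only states that the text after the @ selects the domain.

```python
"""Added illustration (not 3Com's code): how user-name-format without-domain
makes two users from different ISP domains look identical to the server.
Usernames, domain names and DEFAULT_DOMAIN below are constructed samples."""

from collections import defaultdict

DEFAULT_DOMAIN = "default"   # assumption: name of the device's default ISP domain


def split_username(access_name: str, default_domain: str = DEFAULT_DOMAIN):
    """Split 'userid@isp-name' into (userid, isp-name).

    Per the manual, the text after the @ character selects the ISP domain.
    A name without '@' is assigned to the default domain here; that is an
    assumption made for the illustration, not a statement from the manual."""
    userid, sep, domain = access_name.rpartition("@")
    if not sep:
        return access_name, default_domain
    return userid, domain


def radius_username(access_name: str, with_domain: bool) -> str:
    """Username the switch would send for a scheme configured with
    user-name-format with-domain (True) or without-domain (False)."""
    userid, domain = split_username(access_name)
    return f"{userid}@{domain}" if with_domain else userid


def find_collisions(access_names, with_domain: bool):
    """Return {sent_username: sorted distinct ISP domains} for every username
    that, after formatting, is shared by users from more than one ISP domain.
    A non-empty result is exactly the misconfiguration the note describes."""
    seen = defaultdict(set)
    for name in access_names:
        _, domain = split_username(name)
        seen[radius_username(name, with_domain)].add(domain)
    return {u: sorted(d) for u, d in seen.items() if len(d) > 1}


# Constructed sample: one RADIUS scheme shared by two ISP domains.
SAMPLE_USERS = ["alice@isp1", "alice@isp2", "bob@isp1", "carol"]

if __name__ == "__main__":
    print(find_collisions(SAMPLE_USERS, with_domain=True))   # {}
    print(find_collisions(SAMPLE_USERS, with_domain=False))  # {'alice': ['isp1', 'isp2']}
```

Running find_collisions over the user list of every ISP domain that references a given scheme is a cheap pre-deployment check before switching that scheme to without-domain.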
By default, the data unit and packet unit for outgoing HWTACACS flows are byte and one-packet respectively.
Note that the specified unit of data flows sent to the TACACS server must be consistent with the traffic statistics unit of the TACACS server. Otherwise, accounting cannot be performed correctly.
Related commands: display hwtacacs.
Examples
# Specify to measure data and packets in data flows to TACACS servers in kilo-bytes and kilo-packets respectively in HWTACACS scheme hwt1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte
[Sysname-hwtacacs-hwt1] data-flow-format packet kilo-packet

display hwtacacs
Syntax
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]
View
Any view
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 characters. This name is case-insensitive. If this argument is not specified, the system displays information about all HWTACACS schemes.
statistics: Displays statistics about one or all HWTACACS schemes.
Description
Use the display hwtacacs command to display configuration or statistics information of one specified or all HWTACACS schemes.
Related commands: hwtacacs scheme.
Examples
# Display configuration information of HWTACACS scheme ht1.
<Sysname> display hwtacacs ht1
--------------------------------------------------------------------
HWTACACS-server template name : ht1
Primary-authentication-server : 172.31.1.11:49
Primary-authorization-server : 172.31.1.11:49
Primary-accounting-server : 172.31.1.11:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 172.31.1.11:49
Current-authorization-server : 172.31.1.11:49
Current-accounting-server : 172.31.1.11:49
Source-IP-address : 0.0.0.0
key authentication : 790131
key authorization : 790131
key accounting : 790131
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Realtime-accouting-Interval(min): 12
Stop-acct-PKT resending times : 100
Domain-included : No
Traffic-unit : B
Packet traffic-unit : one-packet

display stop-accounting-buffer
Syntax
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
View
Any view
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Displays the buffered stop-accounting requests of a specified HWTACACS scheme. Here, hwtacacs-scheme-name is a string of up to 32 characters.
Description
Use the display stop-accounting-buffer command to display stop-accounting requests buffered in the switch.
Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.
Examples
# Display stop-accounting requests buffered for HWTACACS scheme hwt1.
<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1

hwtacacs nas-ip
Syntax
hwtacacs nas-ip ip-address
undo hwtacacs nas-ip
View
System view
Parameters
ip-address: Source IP address to be set, an IP address of this device. This address can neither be the all 0's address nor be a Class D address.
Description
Use the hwtacacs nas-ip command to set the source address of outgoing HWTACACS messages.
Use the undo hwtacacs nas-ip command to restore the default setting.
By default, no source address is specified, and the IP address of the corresponding outbound interface is used as the source address.
Note that:
• You can specify the source address of outgoing HWTACACS messages to prevent messages returned from the server from being unable to reach their destination due to physical interface trouble. It is recommended to use a Loopback interface address as the source IP address.
• You can specify only one source IP address by using this command. When you re-execute this command, the newly set source IP address overwrites the old one.
Related commands: nas-ip.
Examples
# Configure the switch to use source address 129.10.10.1 for outgoing HWTACACS messages.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs nas-ip 129.10.10.1

hwtacacs scheme
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
View
System view
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 characters.
Description
Use the hwtacacs scheme command to create an HWTACACS scheme and enter its view.
Use the undo hwtacacs scheme command to delete an HWTACACS scheme.
By default, no HWTACACS scheme exists.
Examples
# Create an HWTACACS scheme named "hwt1" and enter the corresponding HWTACACS scheme view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]

key
Syntax
key { accounting | authentication | authorization } string
undo key { accounting | authentication | authorization }
View
HWTACACS scheme view
Parameters
accounting: Sets a shared key for HWTACACS accounting messages.
authentication: Sets a shared key for HWTACACS authentication messages.
authorization: Sets a shared key for HWTACACS authorization messages.
string: Shared key to be set, a string of up to 16 characters.
Description
Use the key command to configure a shared key for HWTACACS authentication, authorization or accounting messages.
Use the undo key command to delete such a configuration.
By default, no key is set for HWTACACS messages.
Related commands: display hwtacacs.
Examples
# Use hello as the shared key for HWTACACS accounting messages in HWTACACS scheme hwt1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting hello

nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
HWTACACS scheme view
Parameters
ip-address: Source IP address to be set, an IP address of this device. This address can neither be the all 0's address nor be a Class D address.
Description
Use the nas-ip command to set the source address of outgoing HWTACACS messages.
Use the undo nas-ip command to restore the default setting.
Note that:
• You can set the source address of HWTACACS messages to prevent messages returned from the server from being unable to reach their destination due to physical interface trouble. It is recommended to use a Loopback interface address as the source IP address.
• You can set only one source IP address by using this command. When you re-execute this command, the newly set source IP address overwrites the old one.
Related commands: display hwtacacs.
Examples
# Set source IP address 10.1.1.1 for outgoing HWTACACS messages in HWTACACS scheme hwt1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

primary accounting
Syntax
primary accounting ip-address [ port ]
undo primary accounting
View
HWTACACS scheme view
Parameters
ip-address: IP address of the primary accounting server to be used, a valid unicast address in dotted decimal notation.
port: Port number of the primary accounting server, ranging from 1 to 65535.
Description
Use the primary accounting command to set the IP address and port number of the primary HWTACACS accounting server to be used by the current scheme.
Use the undo primary accounting command to restore the default IP address and port number of the primary HWTACACS accounting server, which are 0.0.0.0 and 49 respectively.
Note that:
• You are not allowed to set the same IP address for both primary and secondary accounting servers. If you do this, your setting will fail.
• If you re-execute the command, the new setting will overwrite the old one.
• You can remove an accounting server setting only when there is no active TCP connection that is sending accounting messages to the server.
Examples
# Set the IP address and port number of the primary accounting server for HWTACACS scheme test1 to 10.163.155.12 and 49 respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme test1
[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49

primary authentication
Syntax
primary authentication ip-address [ port ]
undo primary authentication
View
HWTACACS scheme view
Parameters
ip-address: IP address of the primary authentication server to be used, a valid unicast address in dotted decimal notation.
port: Port number of the primary authentication server, ranging from 1 to 65535.
Description
Use the primary authentication command to set the IP address and port number of the primary HWTACACS authentication server to be used by the current scheme.
Use the undo primary authentication command to restore the default IP address and port number of the primary HWTACACS authentication server, which are 0.0.0.0 and 49 respectively.
Note that:
• You are not allowed to set the same IP address for both primary and secondary authentication servers. If you do this, your setting will fail.
• If you re-execute the command, the new setting will overwrite the old one.
• You can remove an authentication server setting only when there is no active TCP connection that is sending authentication messages to the server.
Related commands: display hwtacacs.
Examples
# Set the IP address and port number of the primary authentication server for HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49

primary authorization
Syntax
primary authorization ip-address [ port ]
undo primary authorization
View
HWTACACS scheme view
Parameters
ip-address: IP address of the primary authorization server to be used, a valid unicast address in dotted decimal notation.
port: Port number of the primary authorization server, ranging from 1 to 65535.
Description
Use the primary authorization command to set the IP address and port number of the primary HWTACACS authorization server to be used by the current scheme.
Use the undo primary authorization command to restore the default IP address and port number of the primary authorization server, which are 0.0.0.0 and 49 respectively.
Note that:
• You are not allowed to set the same IP address for both primary and secondary authorization servers. If you do this, your setting will fail.
• If you re-execute the command, the new setting will overwrite the old one.
• You can remove an authorization server setting only when there is no active TCP connection that is sending authorization messages to the server.
Related commands: display hwtacacs.
Examples
# Set the IP address and port number of the primary authorization server for HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49

reset hwtacacs statistics
Syntax
reset hwtacacs statistics { accounting | authentication | authorization | all }
View
User view
Parameters
accounting: Clears HWTACACS accounting statistics.
authentication: Clears HWTACACS authentication statistics.
authorization: Clears HWTACACS authorization statistics.
all: Clears all HWTACACS statistics.
Description
Use the reset hwtacacs statistics command to clear HWTACACS statistics.
Related commands: display hwtacacs.
Examples
# Clear all HWTACACS protocol statistics.
<Sysname> reset hwtacacs statistics all

reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
View
User view
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Deletes the buffered stop-accounting requests of a specified HWTACACS scheme. Here, hwtacacs-scheme-name is the name of an HWTACACS scheme, which is a string of up to 32 characters.
Description
Use the reset stop-accounting-buffer command to clear stop-accounting requests that are buffered on the switch because no response was received.
Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.
Examples
# Delete the stop-accounting requests buffered for HWTACACS scheme hwt1.
<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1

retry stop-accounting
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
HWTACACS scheme view
Parameters
retry-times: Maximum number of transmission attempts of a stop-accounting request, ranging from 1 to 300.
Description
Use the retry stop-accounting command to enable the stop-accounting request retransmission function and set the maximum number of attempts to transmit a stop-accounting request.
Use the undo retry stop-accounting command to restore the default setting.
By default, this function is enabled and the maximum number of transmission attempts is 100.
Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.
Examples
# Enable the stop-accounting request retransmission function and set the maximum number of transmission attempts of a request to 50.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] retry stop-accounting 50

secondary accounting
Syntax
secondary accounting ip-address [ port ]
undo secondary accounting
View
HWTACACS scheme view
Parameters
ip-address: IP address of the secondary accounting server to be used, a valid unicast address in dotted decimal notation.
port: Port number of the secondary accounting server, ranging from 1 to 65535.
Description
Use the secondary accounting command to set the IP address and port number of the secondary HWTACACS accounting server to be used by the current scheme.
Use the undo secondary accounting command to restore the default IP address and port number of the secondary HWTACACS accounting server, which are 0.0.0.0 and 49 respectively.
Note that:
• You are not allowed to set the same IP address for both primary and secondary accounting servers. If you do this, your setting will fail.
• If you re-execute the command, the new setting will overwrite the old one.
• You can remove an accounting server setting only when there is no active TCP connection that is sending accounting messages to the server.
Examples
# Set the IP address and port number of the secondary accounting server for HWTACACS scheme hwt1 to 10.163.155.12 and 49 respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49

secondary authentication
Syntax
secondary authentication ip-address [ port ]
undo secondary authentication
View
HWTACACS scheme view
Parameters
ip-address: IP address of the secondary authentication server to be used, a valid unicast address in dotted decimal notation.
port: Port number of the secondary authentication server, ranging from 1 to 65535.
Description
Use the secondary authentication command to set the IP address and port number of the secondary HWTACACS authentication server to be used by the current scheme.
Use the undo secondary authentication command to restore the default IP address and port number of the secondary HWTACACS authentication server, which are 0.0.0.0 and 49 respectively.
Note that:
• You are not allowed to set the same IP address for both primary and secondary authentication servers. If you do this, your setting will fail.
• If you re-execute the command, the new setting overwrites the old one.
• You can remove an authentication server setting only when there is no active TCP connection that is sending authentication messages to the server.
Related commands: display hwtacacs.
Examples
# Set the IP address and port number of the secondary authentication server for HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49

secondary authorization
Syntax
secondary authorization ip-address [ port ]
undo secondary authorization
View
HWTACACS scheme view
Parameters
ip-address: IP address of the secondary authorization server, a valid unicast address in dotted decimal notation.
port: Port number of the secondary authorization server, ranging from 1 to 65535.
Description
Use the secondary authorization command to set the IP address and port number of the secondary HWTACACS authorization server to be used by the current scheme.
Use the undo secondary authorization command to restore the default IP address and port number of the secondary HWTACACS authorization server, which are 0.0.0.0 and 49 respectively.
Note that:
• You are not allowed to set the same IP address for both primary and secondary authorization servers.
• If you re-execute the command, the new setting will overwrite the old one.
• You can remove an authorization server setting only when there is no active TCP connection that is sending authorization messages to the server.
Related commands: display hwtacacs.
Examples
# Set the IP address and port number of the secondary authorization server for HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49

timer quiet
Syntax
timer quiet minutes
undo timer quiet
View
HWTACACS scheme view
Parameters
minutes: Wait time before primary server state restoration, ranging from 1 to 255 minutes.
Description
Use the timer quiet command to set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active.
Use the undo timer quiet command to restore the default wait time.
By default, the switch waits five minutes.
Related commands: display hwtacacs.
Examples
# Configure the switch to wait 10 minutes before it tries to restore the status of the primary server to active.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10

timer realtime-accounting
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
HWTACACS scheme view
Parameters
minutes: Real-time accounting interval, in minutes. It ranges from 3 to 60 and must be a multiple of 3.
Description
Use the timer realtime-accounting command to set the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default real-time accounting interval.
By default, the real-time accounting interval is 12 minutes.
Note that:
• To control the interval at which users are charged in real time, you can set the real-time accounting interval. After the setting, the switch periodically sends online users' accounting information to the TACACS accounting server at the set interval.
• The setting of the real-time accounting interval depends, to some degree, on the performance of the switch and the TACACS server. The higher the performance of the switch and the TACACS server is, the shorter the interval can be. It is recommended to set the interval as long as possible when the number of users is relatively great (≥1000). The following table lists the recommended intervals for different numbers of users.
Table 1-7 Numbers of users and recommended intervals
Number of users    Real-time accounting interval (minutes)
1 to 99            3
100 to 499         6
500 to 999         12
≥1000              ≥15
Examples
# Set the real-time accounting interval in HWTACACS scheme hwt1 to 51 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
HWTACACS scheme view
Parameters
seconds: Response timeout time of TACACS servers, ranging from 1 to 300 seconds.
Description
Use the timer response-timeout command to set the response timeout time of TACACS servers.
Use the undo timer response-timeout command to restore the default response timeout time of TACACS servers.
By default, the response timeout time of TACACS servers is five seconds.
As HWTACACS is based on TCP, both server response timeout and TCP timeout may cause disconnection from the TACACS server.
Related commands: display hwtacacs.
Examples
# Set the response timeout time of TACACS servers to 30 seconds for HWTACACS scheme hwt1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer response-timeout 30

user-name-format
Syntax
user-name-format { with-domain | without-domain }
View
HWTACACS scheme view
Parameters
with-domain: Specifies to include ISP domain names in the usernames to be sent to the TACACS server.
without-domain: Specifies to exclude ISP domain names from the usernames to be sent to the TACACS server.
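The primary/secondary server commands, timer quiet and timer response-timeout in HWTACACS scheme view interact: a primary that stops answering within the response timeout is marked down, the secondary (if one is configured) becomes the "Current-...-server" shown by display hwtacacs, and the primary is only retried after the quiet period. The following Python is an added model of those rules as the manual states them (defaults of 0.0.0.0:49, one IP not allowed for both tiers, re-execution overwriting, parameter ranges); it is not 3Com code and does not speak HWTACACS. The scheme name, addresses and the minute-based clock are constructed sample values, and the audit() helper is an assumption about what an operator would want flagged.

```python
"""Added model (not 3Com's code) of the HWTACACS scheme rules in this
chapter: server defaults, validation and the quiet-timer failover.
Addresses, scheme name and timestamps are constructed samples."""

import ipaddress
from dataclasses import dataclass, field

ROLES = ("authentication", "authorization", "accounting")
DEFAULT_SERVER = ("0.0.0.0", 49)     # what undo primary/secondary ... restores
DEFAULT_QUIET_MIN = 5                # timer quiet default
DEFAULT_RESPONSE_TIMEOUT_S = 5       # timer response-timeout default (HWTACACS)


@dataclass
class HwtacacsScheme:
    name: str
    primary: dict = field(default_factory=lambda: {r: DEFAULT_SERVER for r in ROLES})
    secondary: dict = field(default_factory=lambda: {r: DEFAULT_SERVER for r in ROLES})
    quiet_min: int = DEFAULT_QUIET_MIN
    response_timeout_s: int = DEFAULT_RESPONSE_TIMEOUT_S
    # role -> minute (constructed clock) at which the primary was marked down
    primary_down_since: dict = field(default_factory=dict)

    def set_server(self, tier: str, role: str, ip: str, port: int = 49) -> bool:
        """primary|secondary <role> ip [port]; False when the setting fails."""
        if tier not in ("primary", "secondary") or role not in ROLES:
            return False
        if not 1 <= port <= 65535:                       # port range from the manual
            return False
        addr = ipaddress.ip_address(ip)
        if addr.is_multicast or addr.is_unspecified:     # must be a valid unicast address
            return False
        other = self.secondary if tier == "primary" else self.primary
        if other[role][0] == ip:                         # same IP for both tiers fails
            return False
        getattr(self, tier)[role] = (ip, port)           # re-execution overwrites
        return True

    def set_timer_quiet(self, minutes: int) -> bool:
        if not 1 <= minutes <= 255:
            return False
        self.quiet_min = minutes
        return True

    def set_response_timeout(self, seconds: int) -> bool:
        if not 1 <= seconds <= 300:
            return False
        self.response_timeout_s = seconds
        return True

    def current_server(self, role: str, now_min: float):
        """The 'Current-<role>-server' of display hwtacacs: the primary unless
        it is inside its quiet period, then the secondary if one is set."""
        down = self.primary_down_since.get(role)
        if down is not None and now_min - down < self.quiet_min:
            if self.secondary[role] != DEFAULT_SERVER:
                return self.secondary[role]
        elif down is not None:
            del self.primary_down_since[role]            # quiet period over: restore primary
        return self.primary[role]

    def record_timeout(self, role: str, now_min: float) -> None:
        """Primary gave no answer within response_timeout_s: start the quiet period."""
        if self.current_server(role, now_min) == self.primary[role]:
            self.primary_down_since[role] = now_min

    def audit(self):
        """Assumed operator checklist: roles that have no failover server."""
        return [f"no secondary {r} server: no failover for this role"
                for r in ROLES if self.secondary[r] == DEFAULT_SERVER]


def demo():
    """Constructed walk-through: primary fails at t=0 with timer quiet 10."""
    s = HwtacacsScheme("hwt1")
    assert s.set_server("primary", "authentication", "10.163.155.13", 49)
    assert not s.set_server("secondary", "authentication", "10.163.155.13")  # same IP fails
    assert s.set_server("secondary", "authentication", "10.163.155.14")
    s.set_timer_quiet(10)
    s.record_timeout("authentication", now_min=0)
    return [s.current_server("authentication", t) for t in (1, 9, 10)]


if __name__ == "__main__":
    print(demo())   # secondary at t=1 and t=9, primary restored at t=10
```

The audit() output is the kind of finding to look for in display hwtacacs: a secondary server still at 0.0.0.0:0 means a single TCP failure to the primary leaves that role with no server until the quiet period ends.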
Description
Use the user-name-format command to set the format of the usernames to be sent to the TACACS server.
By default, the usernames sent to the TACACS server in an HWTACACS scheme carry ISP domain names.
Note that:
• Generally, an access user is named in the userid@isp-name format. Here, isp-name behind the @ character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old TACACS servers cannot accept usernames that carry ISP domain names. In this case, it is necessary to remove domain names from usernames before sending them to the TACACS server. For this reason, the user-name-format command lets you specify whether or not ISP domain names are carried in the usernames to be sent to the TACACS server.
• For an HWTACACS scheme, if you have specified to exclude ISP domain names from usernames, you should not use this scheme in more than one ISP domain. Otherwise, such errors may occur: the TACACS server regards two different users having the same name but belonging to different ISP domains as the same user (because the usernames sent to it are the same).
Related commands: hwtacacs scheme.
Examples
# Specify to exclude ISP domain names from the usernames to be sent to the TACACS server in HWTACACS scheme hwt1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain

Table of Contents
1 MAC Address Authentication Configuration Commands ... 1-1
  MAC Address Authentication Basic Function Configuration Commands ... 1-1
    display mac-authentication ... 1-1
    mac-authentication ... 1-3
    mac-authentication interface ... 1-4
    mac-authentication authmode usernameasmacaddress ... 1-5
    mac-authentication authmode usernamefixed ... 1-6
    mac-authentication authpassword ... 1-7
    mac-authentication authusername ... 1-7
    mac-authentication domain ... 1-8
    mac-authentication timer ... 1-9
    reset mac-authentication ... 1-9
  MAC Address Authentication Enhanced Function Configuration Commands ... 1-10
    mac-authentication guest-vlan ... 1-10
    mac-authentication intrusion-mode block-mac ... 1-11
    mac-authentication max-auth-num ... 1-12
    mac-authentication timer guest-vlan-reauth ... 1-13

1 MAC Address Authentication Configuration Commands
MAC Address Authentication Basic Function Configuration Commands
display mac-authentication
Syntax
display mac-authentication [ interface interface-list ]
View
Any view
Parameters
interface interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Description
Use the display mac-authentication command to display information about MAC address authentication.
Examples
# Display the global information about MAC address authentication.
<Sysname> display mac-authentication
Mac address authentication is Enabled.
Authentication mode is UsernameAsMacAddress
Usernameformat:with-hyphen lowercase
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60 second(s).
Server response timeout value is 100s
Guest VLAN re-authenticate period is 30s
Max allowed user number is 1024
Current user number amounts to 1
Current domain: not configured, use default domain
Silent Mac User info:
MAC ADDR         From Port        Port Index
0016-e0be-e201   Ethernet1/0/2    1(vlan:1)
--- 1 silent mac address(es) found.
--Ethernet1/0/1 is link-up
MAC address authentication is Enabled
max-auth-num is 256
Guest VLAN is 2
Authenticate success: 1, failed: 0
Current online user number is 1
MAC ADDR         Authenticate state            AuthIndex
000d-88f8-4e71   MAC_AUTHENTICATOR_SUCCESS     0
……(The following is omitted)
Table 1-1 Description on the fields of the display mac-authentication command
Field / Description
Mac address authentication is Enabled
    MAC address authentication is enabled.
Authentication mode
    Username type used in the MAC address authentication:
    • UsernameFixed: Uses the fixed username for authentication.
    • UsernameAsMacAddress: Uses the MAC address of a user as the username for authentication.
    The default is the MAC address (UsernameAsMacAddress).
Fixed password
    Meaning of this field varies by the username type for MAC address authentication:
    • If the username type is MAC address, this field indicates whether to use a fixed password for authentication. By default, this field is not configured, which means the MAC address of a user is used as the password for authentication.
    • If the username type is fixed username, this field indicates whether a fixed password is configured. By default, this field is not configured, which means the password is null.
Fixed password
    Password used in the fixed mode, which is not configured by default.
Offline detect period
    Offline detect timer, which sets the time interval to check whether a user goes offline and defaults to 300 seconds.
Quiet period
    Quiet timer, which sets the quiet period. A switch goes through a quiet period if a user fails to pass MAC address authentication. The default value is 60 seconds.
Server response timeout value
    Server timeout timer, which sets the timeout time for the connection between a switch and the RADIUS server. By default, it is 100 seconds.
Guest VLAN re-authenticate period
    Re-authenticate timer, which sets the time interval to reauthenticate the users in the Guest VLAN and defaults to 30 seconds.
Max allowed user number
    The maximum number of users supported by the switch. It is 1,024 by default.
Current user number amounts to
    The current number of users.
Current domain
    The current domain. It is not configured by default.
Silent Mac User info
    Information about the silent users. When a user fails to pass MAC address authentication because of an incorrect username or password, the switch sets the user to the quiet state. During the quiet period, the switch does not process authentication requests from this user.
Ethernet1/0/1 is link-up
    The link connected to port Ethernet1/0/1 is up.
MAC address authentication is Enabled
    MAC address authentication is enabled for port Ethernet1/0/1.
max-auth-num
    Maximum number of MAC address authentication users that the port can accommodate.
Guest VLAN
    Guest VLAN of the port.
Authenticate success: 1, failed: 0
    Statistics of the MAC address authentications performed on the port, including the numbers of successful and failed authentication operations.
Current online user number
    The number of users currently accessing the network through the port.
MAC ADDR
    Peer MAC address.
Authenticate state
    The state of the users accessing the network through the port, which can be:
    • MAC_AUTHENTICATOR_CONNECTING: Connecting
    • MAC_AUTHENTICATOR_SUCCESS: Authentication passed
    • MAC_AUTHENTICATOR_FAILURE: Failed to pass authentication
    • MAC_AUTHENTICATOR_LOGOFF: Offline
AuthIndex
    Index of the current MAC address with regard to the authentication port.

mac-authentication
Syntax
mac-authentication
undo mac-authentication
View
System view, Ethernet port view
Parameters
None
Description
Use the mac-authentication command to enable MAC address authentication globally or on the current port.
Use the undo mac-authentication command to disable MAC address authentication globally or on the current port.
By default, MAC address authentication is disabled both globally and on a port.
When executed in system view, the mac-authentication command enables MAC address authentication globally. When executed in Ethernet port view, it enables MAC address authentication on the current port.
For MAC address authentication to take effect, you must enable it both globally and on the relevant ports. You can configure MAC address authentication on a port before enabling it globally, but the configuration does not take effect until MAC address authentication is enabled globally.

Examples
# Enable MAC address authentication globally.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication
MAC-Authentication is enabled globally.
# Enable MAC address authentication on port Ethernet 1/0/1.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] mac-authentication

mac-authentication interface

Syntax
mac-authentication interface interface-list
undo mac-authentication interface interface-list

View
System view

Parameters
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes or port index ranges.

Description
Use the mac-authentication interface command to enable MAC address authentication on the specified port(s).
Use the undo mac-authentication interface command to disable MAC address authentication on the specified port(s).
By default, MAC address authentication is disabled on a port.
Note that:
- This command is required for MAC address authentication to work on a port or on particular ports after MAC address authentication is enabled globally.
- You cannot configure the maximum number of dynamic MAC address entries for a port (through the mac-address max-mac-count command) with MAC address authentication enabled. Likewise, you cannot enable MAC address authentication on a port that has a limit on dynamic MAC addresses configured.
- If you have enabled MAC address authentication on a port, you cannot add the port to an aggregation group. If a port is already in an aggregation group, you cannot enable MAC address authentication on it.

Examples
# Enable MAC address authentication on port Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication interface Ethernet 1/0/1

mac-authentication authmode usernameasmacaddress

Syntax
mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ]
undo mac-authentication authmode usernameasmacaddress [ usernameformat | fixedpassword ]

View
System view

Parameters
usernameformat: Specifies the input format of the username and password.
with-hyphen: Uses hyphenated MAC addresses as usernames and passwords, for example, 00-05-e0-1c-02-e3.
without-hyphen: Uses MAC addresses without hyphens as usernames and passwords, for example, 0005e01c02e3.
lowercase: Uses lowercase MAC addresses as usernames and passwords.
uppercase: Uses uppercase MAC addresses as usernames and passwords.
fixedpassword password: Uses the specified fixed password, rather than the user MAC address, as the password for MAC address authentication. password is a string of 1 to 63 characters.

Description
Use the mac-authentication authmode usernameasmacaddress command to set the username type for MAC address authentication to MAC address and specify the username format.
Use the undo mac-authentication authmode command to restore the default user name mode.
By default, the user name and password in MAC address mode are used for MAC address authentication.

Examples
# Use the user name in MAC address mode for MAC address authentication, with hyphenated lowercase MAC addresses as the usernames and passwords.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase

mac-authentication authmode usernamefixed

Syntax
mac-authentication authmode usernamefixed
undo mac-authentication authmode

View
System view

Parameters
None

Description
Use the mac-authentication authmode usernamefixed command to set the user name in fixed mode for MAC address authentication.
Use the undo mac-authentication authmode command to restore the default user name mode for MAC address authentication.
By default, the MAC address mode is used.

Examples
# Use the user name in fixed mode for MAC address authentication.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication authmode usernamefixed

mac-authentication authpassword

Syntax
mac-authentication authpassword password
undo mac-authentication authpassword

View
System view

Parameters
password: Password to be set, a string of 1 to 63 characters.

Description
Use the mac-authentication authpassword command to set the password for MAC address authentication when the user name in fixed mode is used.
Use the undo mac-authentication authpassword command to remove the configured password.
By default, no password is configured.

Examples
# Set the password to newmac.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication authpassword newmac

mac-authentication authusername

Syntax
mac-authentication authusername username
undo mac-authentication authusername

View
System view

Parameters
username: User name used in authentication, a string of 1 to 55 characters.
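The username and password that the switch presents to the RADIUS server depend on the authmode, usernameformat, fixedpassword, authusername and authpassword settings described above. The following Python helper is an added example, not code from the 3Com manual; its class and function names and the sample RADIUS user table are assumptions, and it derives the credentials for each combination of settings so that RADIUS accounts can be provisioned and audited against the switch configuration (the default usernameformat is not stated on this page, so both format options must be given explicitly).

```python
"""Derive the RADIUS credentials a Switch 4210 sends for MAC address authentication.

Added example; not part of the 3Com manual. SwitchMacAuthConfig and the
function names are assumptions that mirror the CLI keywords (authmode,
usernameformat, fixedpassword, authusername, authpassword).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Switch-style MAC notation is H-H-H (e.g. 000d-88f8-4e71); colon form is also accepted.
_MAC_RE = re.compile(
    r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$|^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I
)


def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC address, lowercase, without separators.
    Raises ValueError for anything that is not a well-formed MAC address."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return re.sub(r"[-:]", "", mac).lower()


@dataclass(frozen=True)
class SwitchMacAuthConfig:
    """Mirrors the system-view settings that decide what the switch sends."""
    with_hyphen: bool                        # usernameformat with-hyphen / without-hyphen
    uppercase: bool                          # usernameformat uppercase / lowercase
    authmode: str = "usernameasmacaddress"   # or "usernamefixed"
    fixedpassword: Optional[str] = None      # fixedpassword password (MAC mode only)
    authusername: str = "mac"                # fixed-mode username; "mac" is the manual's default
    authpassword: Optional[str] = None       # fixed-mode password; None = not configured (null)


def format_mac(mac: str, with_hyphen: bool, uppercase: bool) -> str:
    """Render a MAC the way usernameformat does, e.g. 00-05-e0-1c-02-e3 or 0005E01C02E3."""
    digits = normalize_mac(mac)
    if uppercase:
        digits = digits.upper()
    if with_hyphen:
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits


def credentials_for(mac: str, cfg: SwitchMacAuthConfig) -> Tuple[str, str]:
    """(username, password) the switch presents to RADIUS for one client MAC."""
    if cfg.authmode == "usernameasmacaddress":
        user = format_mac(mac, cfg.with_hyphen, cfg.uppercase)
        # Without fixedpassword the MAC address itself is also the password.
        password = cfg.fixedpassword if cfg.fixedpassword is not None else user
        return user, password
    if cfg.authmode == "usernamefixed":
        # Fixed mode: every client shares one account; the password is null if none is set.
        return cfg.authusername, (cfg.authpassword or "")
    raise ValueError(f"unknown authmode {cfg.authmode!r}")


def audit_provisioning(macs: Iterable[str], cfg: SwitchMacAuthConfig,
                       radius_users: Dict[str, str]) -> Dict[str, bool]:
    """For each client MAC, report whether the RADIUS user table holds a matching
    username with exactly the password the switch will send."""
    result: Dict[str, bool] = {}
    for mac in macs:
        user, password = credentials_for(mac, cfg)
        result[mac] = radius_users.get(user) == password
    return result


if __name__ == "__main__":
    # Constructed sample: a switch configured as in the manual's example
    # (usernameformat with-hyphen lowercase) and a small RADIUS user table.
    cfg = SwitchMacAuthConfig(with_hyphen=True, uppercase=False)
    radius_users = {
        "00-0d-88-f8-4e-71": "00-0d-88-f8-4e-71",   # provisioned correctly
        "00-05-e0-1c-02-e3": "wrongpw",             # username right, password wrong
    }
    report = audit_provisioning(["000d-88f8-4e71", "0005-e01c-02e3"], cfg, radius_users)
    for mac, ok in report.items():
        print(mac, "OK" if ok else "NOT PROVISIONED OR MISMATCH")
```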
Description
Use the mac-authentication authusername command to set the user name in fixed mode.
Use the undo mac-authentication authusername command to restore the default user name.
By default, the user name in fixed mode is "mac".

Examples
# Set the user name in fixed mode to vipuser.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication authusername vipuser

mac-authentication domain

Syntax
mac-authentication domain isp-name
undo mac-authentication domain

View
System view

Parameters
isp-name: ISP domain name, a string of 1 to 128 characters. This argument cannot be null and cannot contain the characters "/", ":", "*", "?", "<", and ">".

Description
Use the mac-authentication domain command to configure an ISP domain for MAC address authentication.
Use the undo mac-authentication domain command to restore the default ISP domain for MAC address authentication.
By default, no domain is configured for MAC address authentication, and the "default domain" is used as the ISP domain.

Examples
# Set the domain for MAC address authentication to aabbcc.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication domain aabbcc

mac-authentication timer

Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }

View
System view

Parameters
offline-detect-value: Offline detect timer setting (in seconds). This argument ranges from 1 to 65,535 and defaults to 300. The offline detect timer sets the interval at which the switch checks whether a user has gone offline.
quiet-value: Quiet timer setting (in seconds). This argument ranges from 1 to 3,600 and defaults to 60. After a user fails authentication, the switch waits for this period (the quiet period) before it authenticates the user again.
server-timeout-value: Server timeout timer setting (in seconds). This argument ranges from 1 to 65,535 and defaults to 100. During authentication, the switch denies the user access to the network if the connection between the switch and the RADIUS server times out.

Description
Use the mac-authentication timer command to configure the timers used in MAC address authentication.
Use the undo mac-authentication timer command to restore a timer to its default setting.
Related commands: display mac-authentication.

Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication timer server-timeout 150

reset mac-authentication

Syntax
reset mac-authentication statistics [ interface interface-list ]

View
User view

Parameters
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes or port index ranges.

Description
Use the reset mac-authentication command to clear MAC address authentication statistics. With the interface keyword specified, the command clears the MAC address authentication statistics of the specified ports. Without this keyword, it clears the global MAC address authentication statistics.

Examples
# Clear the MAC address authentication statistics for port Ethernet 1/0/1.
<Sysname> reset mac-authentication statistics interface Ethernet 1/0/1

MAC Address Authentication Enhanced Function Configuration Commands

mac-authentication guest-vlan

Syntax
mac-authentication guest-vlan vlan-id
undo mac-authentication guest-vlan

View
Ethernet port view

Parameters
vlan-id: ID of the guest VLAN configured for the current port, in the range of 1 to 4,094.
Description
Use the mac-authentication guest-vlan command to configure a guest VLAN for the current port. If the client connected to the port fails authentication, the port is added to the guest VLAN, so that users on the port can access the network resources in the guest VLAN.
Use the undo mac-authentication guest-vlan command to remove the guest VLAN configuration from the port.
By default, no guest VLAN is configured for a port.
The system re-authenticates users in the guest VLAN at the interval configured by the mac-authentication timer guest-vlan-reauth command. If the user on a port passes the authentication, the port leaves the guest VLAN and returns to its initial VLAN.
Note that:
- If more than one client is connected to a port, you cannot configure a Guest VLAN for this port.
- When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, that setting does not take effect.
- The undo vlan command cannot be used to remove a VLAN configured as a Guest VLAN. To remove such a VLAN, you must first remove the Guest VLAN configuration. Refer to the VLAN module in this manual for the description of the undo vlan command.
- Only one Guest VLAN can be configured for a port, and the VLAN configured as the Guest VLAN must already exist; otherwise, the Guest VLAN configuration does not take effect. To change the Guest VLAN of a port, remove the current Guest VLAN and then configure the new one.
- 802.1x authentication cannot be enabled on a port configured with a Guest VLAN.
- The Guest VLAN function for MAC address authentication does not take effect when port security is enabled.
Related commands: mac-authentication timer guest-vlan-reauth.

Examples
# Configure VLAN 4 as the Guest VLAN for Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] mac-authentication guest-vlan 4

mac-authentication intrusion-mode block-mac

Syntax
mac-authentication intrusion-mode block-mac enable
undo mac-authentication intrusion-mode block-mac enable

View
Ethernet port view

Parameters
None

Description
Use the mac-authentication intrusion-mode block-mac enable command to enable the quiet MAC function on a port. When this function is enabled, a MAC address connected to the port is set as a quiet MAC address if its authentication fails. When this function is disabled, a MAC address does not become quiet regardless of whether its authentication fails.
Use the undo mac-authentication intrusion-mode block-mac enable command to disable the quiet MAC function on a port.
By default, the quiet MAC function is enabled on a port.

Examples
# Enable the quiet MAC function on port Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] mac-authentication intrusion-mode block-mac enable

mac-authentication max-auth-num

Syntax
mac-authentication max-auth-num user-number
undo mac-authentication max-auth-num

View
Ethernet port view

Parameters
user-number: Maximum number of MAC address authentication users allowed to access a port, in the range of 1 to 256.

Description
Use the mac-authentication max-auth-num command to configure the maximum number of MAC address authentication users allowed to access the port. Once the number of access users exceeds the configured maximum, the switch does not trigger MAC address authentication for subsequent access users, so these users cannot access the network.
Use the undo mac-authentication max-auth-num command to restore the default maximum number of MAC address authentication users allowed to access the port.
By default, the maximum number of MAC address authentication users allowed to access a port is 256.
Note that:
- If both the limit on the number of MAC address authentication users and the limit on the number of users configured by the port security function are configured for a port, the smaller of the two limits is adopted as the maximum number of MAC address authentication users allowed to access this port. Refer to the Port Security module in this manual for the description of the port security function.
- You cannot configure the maximum number of MAC address authentication users for a port while any user connected to the port is online.

Examples
# Set the maximum number of MAC address authentication users allowed to access Ethernet 1/0/2 to 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] mac-authentication max-auth-num 100

mac-authentication timer guest-vlan-reauth

Syntax
mac-authentication timer guest-vlan-reauth interval
undo mac-authentication timer guest-vlan-reauth

View
System view

Parameters
interval: Interval (in seconds) at which the switch re-authenticates users in guest VLANs, in the range of 1 to 3,600.

Description
Use the mac-authentication timer guest-vlan-reauth command to configure the interval at which the switch re-authenticates users in guest VLANs. If the user on a port passes the authentication, the port leaves the guest VLAN and returns to its initial VLAN.
Use the undo mac-authentication timer guest-vlan-reauth command to restore the default re-authentication interval.
By default, the switch re-authenticates users in guest VLANs every 30 seconds.

Examples
# Configure the switch to re-authenticate users in Guest VLANs every 60 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication timer guest-vlan-reauth 60

Table of Contents

1 ARP Configuration Commands
  ARP Configuration Commands
    arp anti-attack valid-check enable
    arp check enable
    arp static
    arp timer aging
    display arp
    display arp |
    display arp count
    display arp timer aging
    gratuitous-arp-learning enable
    reset arp

1 ARP Configuration Commands

ARP Configuration Commands

arp anti-attack valid-check enable

Syntax
arp anti-attack valid-check enable
undo arp anti-attack valid-check enable

View
System view

Parameters
None

Description
Use the arp anti-attack valid-check enable command to enable the ARP source MAC address consistency check.
Use the undo arp anti-attack valid-check enable command to disable this function.
By default, the ARP source MAC address consistency check is disabled.

Examples
# Enable the ARP source MAC address consistency check.
<sysname> system-view
[sysname] arp anti-attack valid-check enable

arp check enable

Syntax
arp check enable
undo arp check enable

View
System view

Parameters
None

Description
Use the arp check enable command to enable the ARP entry checking function on the switch.
Use the undo arp check enable command to disable the ARP entry checking function.
With the ARP entry checking function enabled, the switch does not learn any ARP entry with a multicast MAC address, and an attempt to configure such a static ARP entry is rejected with an error message. With the function disabled, the switch can learn ARP entries with multicast MAC addresses, and you can configure such static ARP entries on the switch.
By default, the ARP entry checking function is enabled.

Examples
# Disable the ARP entry checking function.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo arp check enable

arp static

Syntax
arp static ip-address mac-address [ vlan-id interface-type interface-number ]
arp static ip-address mac-address vlan-id (in Ethernet port view)
undo arp ip-address

View
System view, Ethernet port view

Parameters
ip-address: IP address contained in the ARP mapping entry to be created or removed.
mac-address: MAC address contained in the ARP mapping entry to be created, in the format H-H-H.
vlan-id: ID of the VLAN to which the static ARP entry belongs, in the range of 1 to 4,094.
interface-type: Type of the port to which the static ARP entry belongs.
interface-number: Number of the port to which the static ARP entry belongs.
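The display arp output described later in this chapter (IP Address, MAC Address, VLAN ID, Port Name / AL ID, Aging and Type columns) can be audited offline for the condition that arp check enable guards against, namely ARP entries whose MAC address is a multicast address. The following Python parser is an added example, not code from the 3Com manual; its function names are assumptions, the sample output is constructed from the manual's display arp example with two rows altered, and the shared-MAC check is an extra audit step that goes beyond what the switch itself does.

```python
"""Parse 'display arp' output from a Switch 4210 and run table checks over it.

Added example; not part of the 3Com manual. Function names are assumptions; the
output layout (Type legend line, column header, one row per entry, a
'--- N entries found ---' trailer) follows the manual's display arp examples.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One table row: IP, H-H-H MAC, VLAN or N/A, port or N/A, aging minutes or N/A, S/D.
_ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<vlan>\d+|N/A)\s+"
    r"(?P<port>\S+)\s+"
    r"(?P<aging>\d+|N/A)\s+"
    r"(?P<type>[SD])\s*$",
    re.I,
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    vlan: Optional[int]
    port: Optional[str]
    aging: Optional[int]   # minutes; None for static entries (shown as N/A)
    static: bool


def parse_display_arp(text: str) -> List[ArpEntry]:
    """Return the entries in a 'display arp' dump, skipping legend, header and trailer."""
    entries: List[ArpEntry] = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue   # 'Type: S-Static D-Dynamic', column header, '--- 14 entries found ---'
        vlan = None if m["vlan"].upper() == "N/A" else int(m["vlan"])
        port = None if m["port"].upper() == "N/A" else m["port"]
        aging = None if m["aging"].upper() == "N/A" else int(m["aging"])
        entries.append(ArpEntry(m["ip"], m["mac"].lower(), vlan, port, aging,
                                m["type"].upper() == "S"))
    return entries


def is_multicast_mac(mac: str) -> bool:
    """True when the I/G bit (lowest bit of the first octet) is set. With arp check
    enable (the default) the switch refuses to learn or configure such an entry."""
    return int(mac[:2], 16) & 0x01 == 1


def audit_arp_table(entries: List[ArpEntry]) -> Dict[str, List[str]]:
    """Flag entries worth a second look:
    - 'multicast_mac': entries that arp check enable should have prevented
    - 'shared_mac': one MAC answering for several IP addresses (added check,
      not something the switch does; normal for some hosts, so review rather than act)"""
    findings: Dict[str, List[str]] = {"multicast_mac": [], "shared_mac": []}
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if is_multicast_mac(e.mac):
            findings["multicast_mac"].append(f"{e.ip} -> {e.mac}")
        by_mac[e.mac].append(e.ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings["shared_mac"].append(f"{mac} claims {sorted(ips)}")
    return findings


# Constructed sample based on the manual's display arp example, with one row given a
# multicast MAC (0100-5e00-0001) and one row reusing another entry's MAC.
SAMPLE_OUTPUT = """\
Type: S-Static   D-Dynamic
IP Address      MAC Address     VLAN ID  Port Name / AL ID   Aging  Type
10.2.72.162     000a-000a-0aaa  N/A      N/A                 N/A    S
192.168.0.77    0000-e8f5-6a4a  1        Ethernet1/0/2       13     D
192.168.0.2     000d-88f8-4e88  1        Ethernet1/0/2       14     D
192.168.0.200   0014-222c-9d6a  1        Ethernet1/0/2       14     D
192.168.0.9     0100-5e00-0001  1        Ethernet1/0/2       15     D
192.168.0.33    000d-88f8-4e88  1        Ethernet1/0/2       20     D
---  6 entries found  ---
"""

if __name__ == "__main__":
    parsed = parse_display_arp(SAMPLE_OUTPUT)
    print(f"{len(parsed)} entries, {sum(e.static for e in parsed)} static")
    for kind, items in audit_arp_table(parsed).items():
        for item in items:
            print(kind, item)
```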
Description
Use the arp static command to create a static ARP entry.
Use the undo arp command to remove an ARP entry.
By default, the system ARP mapping table is empty and address mapping entries are learned dynamically by ARP.
Note that:
- Static ARP entries remain valid as long as the Ethernet switch operates normally. However, some operations, such as removing a VLAN or removing a port from a VLAN, make the corresponding ARP entries invalid, and they are then removed automatically.
- For the arp static command, the vlan-id argument must be the ID of an existing VLAN, and the port identified by the interface-type and interface-number arguments must belong to that VLAN.
- Currently, static ARP entries cannot be configured on the ports of an aggregation group.
Related commands: reset arp, display arp.

Examples
# Create a static ARP mapping entry with the IP address 202.38.10.2 and the MAC address 000f-e20f-0000. The entry belongs to Ethernet 1/0/1, which belongs to VLAN 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] arp static 202.38.10.2 000f-e20f-0000 1 Ethernet 1/0/1

arp timer aging

Syntax
arp timer aging aging-time
undo arp timer aging

View
System view

Parameters
aging-time: Aging time (in minutes) of dynamic ARP entries, in the range of 1 to 1,440.

Description
Use the arp timer aging command to configure the aging time for dynamic ARP entries.
Use the undo arp timer aging command to restore the default.
By default, the aging time for dynamic ARP entries is 20 minutes.
Related commands: display arp timer aging.

Examples
# Set the aging time for dynamic ARP entries to 10 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] arp timer aging 10

display arp

Syntax
display arp [ dynamic | static | ip-address ]

View
Any view

Parameters
dynamic: Displays dynamic ARP entries.
static: Displays static ARP entries.
ip-address: IP address. Only the ARP entries containing this IP address are displayed.

Description
Use the display arp command to display specific ARP entries. If you execute this command with no keyword or argument, all ARP entries are displayed.
Related commands: arp static, reset arp.

Examples
# Display all the ARP entries.
<Sysname> display arp
Type: S-Static   D-Dynamic
IP Address      MAC Address     VLAN ID  Port Name / AL ID   Aging  Type
10.2.72.162     000a-000a-0aaa  N/A      N/A                 N/A    S
192.168.0.77    0000-e8f5-6a4a  1        Ethernet1/0/2       13     D
192.168.0.2     000d-88f8-4e88  1        Ethernet1/0/2       14     D
192.168.0.200   0014-222c-9d6a  1        Ethernet1/0/2       14     D
192.168.0.45    000d-88f6-44c1  1        Ethernet1/0/2       15     D
192.168.0.110   0011-4301-991e  1        Ethernet1/0/2       15     D
192.168.0.32    0000-e8f5-73ee  1        Ethernet1/0/2       16     D
192.168.0.3     0014-222c-aa69  1        Ethernet1/0/2       16     D
192.168.0.17    000d-88f6-379c  1        Ethernet1/0/2       17     D
192.168.0.115   000d-88f7-9f7d  1        Ethernet1/0/2       18     D
192.168.0.43    000c-760a-172d  1        Ethernet1/0/2       18     D
192.168.0.33    000d-88f6-44ba  1        Ethernet1/0/2       20     D
192.168.0.35    000f-e20f-2181  1        Ethernet1/0/2       20     D
192.168.0.5     000f-3d80-2b38  1        Ethernet1/0/2       20     D
---  14 entries found  ---

Table 1-1 Description on the fields of the display arp command

IP Address: IP address contained in an ARP entry.
MAC Address: MAC address contained in an ARP entry.
VLAN ID: ID of the VLAN to which an ARP entry corresponds.
Port Name / AL ID: Port to which an ARP entry corresponds.
Aging: Aging time (in minutes) of an ARP entry. N/A is displayed for static ARP entries.
Type: Type of an ARP entry: D for dynamic, S for static.

display arp |

Syntax
display arp [ dynamic | static ] | { begin | exclude | include } regular-expression

View
Any view

Parameters
dynamic: Displays dynamic ARP entries.
static: Displays static ARP entries.
|: Uses a regular expression to select the ARP entries to be displayed. For detailed information about regular expressions, refer to Configuration File Management Command in this manual.
begin: Displays the first ARP entry containing the specified string and all subsequent ARP entries.
exclude: Displays the ARP entries that do not contain the specified string.
include: Displays the ARP entries that contain the specified string.
regular-expression: A case-sensitive character string.

Description
Use the display arp | command to display the ARP entries matched by a regular expression in the specified way.
Related commands: arp static, reset arp.

Examples
# Display all the ARP entries that contain the string 77.
<Sysname> display arp | include 77
Type: S-Static   D-Dynamic
IP Address      MAC Address     VLAN ID  Port Name / AL ID   Aging  Type
192.168.0.77    0000-e8f5-6a4a  1        Ethernet1/0/2       12     D
---  1 entry found  ---
# Display all the ARP entries that do not contain the string 68.
<Sysname> display arp | exclude 68
Type: S-Static   D-Dynamic
IP Address      MAC Address     VLAN ID  Port Name / AL ID   Aging  Type
10.2.72.162     000a-000a-0aaa  N/A      N/A                 N/A    S
---  1 entry found  ---
Refer to Table 1-1 for the description of the above output.

display arp count

Syntax
display arp count [ [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] | ip-address ]

View
Any view

Parameters
dynamic: Counts the dynamic ARP entries.
static: Counts the static ARP entries.
|: Uses a regular expression as the match criterion. For detailed information about regular expressions, refer to Configuration File Management Command in this manual.
begin: Displays the number of ARP entries counted from the first one containing the specified string.
exclude: Displays the number of ARP entries that do not contain the specified string.
include: Displays the number of ARP entries that contain the specified string.
regular-expression: A case-sensitive character string.
ip-address: IP address. Only the ARP entries containing this IP address are counted.

Description
Use the display arp count command to display the number of the specified ARP entries. If no parameter is specified, the total number of ARP entries is displayed.
Related commands: arp static, reset arp.

Examples
# Display the total number of ARP entries.
<Sysname> display arp count
14 entries found

display arp timer aging

Syntax
display arp timer aging

View
Any view

Parameters
None

Description
Use the display arp timer aging command to display the setting of the ARP aging time.
Related commands: arp timer aging.

Examples
# Display the setting of the ARP aging time.
<Sysname> display arp timer aging
Current ARP aging time is 20 minute(s)(default)
The output shows that the ARP aging time is set to 20 minutes.

gratuitous-arp-learning enable

Syntax
gratuitous-arp-learning enable
undo gratuitous-arp-learning enable

View
System view

Parameters
None

Description
Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function. With this function enabled, a switch that receives a gratuitous ARP packet adds the IP and MAC addresses carried in the packet to its dynamic ARP table if it finds no corresponding ARP entry in the cache.
Use the undo gratuitous-arp-learning enable command to disable the gratuitous ARP packet learning function.
By default, the gratuitous ARP packet learning function is disabled.

Examples
# Enable the gratuitous ARP packet learning function on the switch.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] gratuitous-arp-learning enable

reset arp

Syntax
reset arp [ dynamic | static | interface interface-type interface-number ]

View
User view

Parameters
dynamic: Clears dynamic ARP entries.
static: Clears static ARP entries.
interface interface-type interface-number: Clears the ARP entries of the specified port.

Description
Use the reset arp command to clear specific ARP entries.
Related commands: arp static, display arp.

Examples
# Clear static ARP entries.
<Sysname> reset arp static

Table of Contents

1 DHCP Snooping Configuration Commands
  DHCP Snooping Configuration Commands
    dhcp-snooping
    dhcp-snooping server-guard enable
    dhcp-snooping server-guard method
    dhcp-snooping server-guard source-mac
    display dhcp-snooping
    display dhcp-snooping server-guard
    reset dhcp-snooping
2 DHCP/BOOTP Client Configuration
  DHCP Client Configuration Commands
    display dhcp client
    ip address dhcp-alloc
  BOOTP Client Configuration Commands
    display bootp client
    ip address bootp-alloc

1 DHCP Snooping Configuration Commands

DHCP Snooping Configuration Commands

dhcp-snooping

Syntax
dhcp-snooping
undo dhcp-snooping

View
System view

Parameters
None

Description
Use the dhcp-snooping command to enable the DHCP snooping function.
Use the undo dhcp-snooping command to disable the DHCP snooping function. After DHCP snooping is disabled, all ports forward DHCP replies from the DHCP server without recording the IP-to-MAC bindings of the DHCP clients.
By default, the DHCP snooping function is disabled.
Note that:
- You need to disable the DHCP relay agent before enabling DHCP snooping on the switch.
- The clients connected to a DHCP snooping device cannot obtain an IP address through BOOTP.
Related commands: display dhcp-snooping.

Examples
# Enter system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
# Enable the DHCP snooping function.
[Sysname] dhcp-snooping

dhcp-snooping server-guard enable

Syntax
dhcp-snooping server-guard enable
undo dhcp-snooping server-guard enable

View
Ethernet port view

Parameters
None

Description
Use the dhcp-snooping server-guard enable command to enable unauthorized DHCP server detection on the port. The switch sends DHCP-DISCOVER messages through the port to detect unauthorized DHCP servers.
Use the undo dhcp-snooping server-guard enable command to disable unauthorized DHCP server detection on the port.
Note that:
You need to enable DHCP snooping before enabling unauthorized DHCP server detection on the switch.

Examples
# Enable unauthorized DHCP server detection on Ethernet 1/0/3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/3
[Sysname-Ethernet1/0/3] dhcp-snooping server-guard enable

dhcp-snooping server-guard method

Syntax
dhcp-snooping server-guard method { trap | shutdown }
undo dhcp-snooping server-guard method

View
Ethernet port view

Parameters
trap: Sends a trap to notify the administrator when an unauthorized DHCP server is detected.
shutdown: Shuts down the port administratively when an unauthorized DHCP server is detected, and sends a trap to notify the administrator.

Description
Use the dhcp-snooping server-guard method command to specify the method for handling unauthorized DHCP servers. With the keyword trap specified, when an unauthorized DHCP server is