H3C S3600 Series Ethernet Switches Command Manual

Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com

Manual Version: 20090618-C-1.02
Product Version: Release 1602

Copyright © 2007-2009, Hangzhou H3C Technologies Co., Ltd. and its licensors

All Rights Reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Technical Support

[email protected]
http://www.h3c.com

About This Manual

Organization

H3C S3600 Series Ethernet Switches Command Manual-Release 1602 is organized as follows:

Part | Contents
1 CLI | Introduces the commands used for switching between the command levels and command level setting.
2 Login | Introduces the commands used for logging into the Ethernet switch.
3 Configuration File Management | Introduces the commands used for configuration file management.
4 VLAN | Introduces the commands used for configuring VLAN.
5 IP Address and Performance | Introduces the commands used for IP address configuration and IP performance configuration.
6 Voice VLAN | Introduces the commands used for voice VLAN configuration.
7 GVRP | Introduces the commands used for GVRP configuration.
8 Port Basic Configuration | Introduces the commands used for basic port configuration.
9 Link Aggregation | Introduces the commands used for link aggregation.
10 Port Isolation | Introduces the commands used for port isolation.
11 Port Security-Port Binding | Introduces the commands used for port security configuration and port binding.
12 DLDP | Introduces the commands used for DLDP configuration.
13 MAC Address Table Management | Introduces the commands used for MAC address forwarding table management.
14 Auto Detect | Introduces the commands used for auto detect configuration.
15 MSTP | Introduces the STP-related commands.
16 Routing Protocol | Introduces the commands used for routing protocol configuration.
17 Multicast | Introduces the commands used for multicast configuration.
18 802.1x and System Guard | Introduces the commands used for 802.1x and System Guard configuration.
19 AAA | Introduces the commands used for AAA, RADIUS, HWTACACS, and EAD configuration.
20 Web Authentication | Introduces the commands used for Web Authentication configuration.
21 MAC Address Authentication | Introduces the commands used for MAC address authentication configuration.
22 VRRP | Introduces the commands used for VRRP configuration.
23 ARP | Introduces the ARP-related commands.
24 DHCP | Introduces the commands used for DHCP server, DHCP relay, and DHCP-snooping configuration.
25 ACL | Introduces the ACL-related commands.
26 QoS-QoS Profile | Introduces the commands used for QoS and QoS profile configuration.
27 Web Cache Redirection | Introduces the commands used for Web cache redirection configuration.
28 Mirroring | Introduces the commands used for port mirroring.
29 IRF Fabric | Introduces the commands used for IRF fabric configuration.
30 Cluster | Introduces the commands used for cluster management.
31 PoE-PoE Profile | Introduces the commands used for PoE and PoE profile configuration.
32 UDP Helper | Introduces the commands used for UDP Helper configuration.
33 SNMP-RMON | Introduces the commands used for SNMP and RMON configuration.
34 NTP | Introduces the NTP-related commands.
35 SSH | Introduces the commands used for SSH configuration.
36 File System Management | Introduces the commands used for file system management.
37 FTP–SFTP-TFTP | Introduces the related commands of FTP, SFTP and TFTP.
38 Information Center | Introduces the commands used for information center configuration.
39 System Maintenance and Debugging | Introduces the commands used for system maintenance and debugging.
40 VLAN-VPN | Introduces the commands used for VLAN VPN configuration.
41 HWPing | Introduces the commands used for HWPing configuration.
42 IPv6 Management | Introduces the commands used for IPv6 Management configuration.
43 DNS | Introduces the commands used for DNS configuration.
44 Smart Link-Monitor Link | Introduces the commands used for Smart Link and Monitor Link configuration.
45 Access Management | Introduces the commands used for Access Management configuration.
46 Appendix | Lists all the commands described in this command manual in alphabetical order. The parts and pages where the commands are described are also given.

Conventions

The manual uses the following conventions:

Command conventions

Convention: Description
Boldface: The keywords of a command line are in Boldface.
italic: Command arguments are in italic.
[ ]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
&<1-n>: The argument(s) before the ampersand (&) sign can be entered 1 to n times.
#: A line starting with the # sign is a comment.
Symbols

Convention | Description
 | Means the reader should be extremely careful. Improper operation may cause bodily injury.
 | Means the reader should be careful. Improper operation may cause data loss or damage to equipment.
 | Means a complementary description.

Related Documentation

In addition to this manual, each H3C S3600 Series Ethernet Switches documentation set includes the following:

Manual | Description
H3C S3600 Series Ethernet Switches Operation Manual-Release 1602 | It is used for assisting the users in data configurations and typical applications.
H3C S3600 Series Ethernet Switches Installation Manual | It provides information for the system installation.

Obtaining Documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com.

The following are the columns from which you can obtain different categories of product documentation:

[Products & Solutions]: Provides information about products and technologies, as well as solutions.
[Technical Support & Document > Technical Documents]: Provides several categories of product documentation, such as installation, configuration, and maintenance.
[Technical Support & Document > Software Download]: Provides the documentation released with the software version.

Documentation Feedback

You can e-mail your comments about product documentation to [email protected]

We appreciate your comments.
Table of Contents

1 CLI Configuration Commands
  CLI Configuration Commands
    command-privilege level
    display history-command
    super
    super authentication-mode
    super password

1 CLI Configuration Commands

The super authentication-mode command is added. For details, see super authentication-mode.

CLI Configuration Commands

command-privilege level

Syntax

command-privilege level level view view command
undo command-privilege view view command

View

System view

Parameters

level level: Command level to be set, in the range of 0 to 3.
view view: CLI view. It can be any CLI view that the Ethernet switch supports.
The S3600 series support only the CLI views listed in Table 1-1:

Table 1-1 Available CLI views for the view argument

CLI view | Description
acl-adv | Advanced ACL view
acl-basic | Basic ACL view
acl-ethernetframe | Layer 2 ACL view
acl-user | User-defined ACL view
aux | Aux 1/0/0 port view, that is, console port view
cluster | Cluster view
detect-group | Detected group view
dhcp-pool | DHCP address pool view, which is supported by only the S3600-EI series
ethernet | 100M Ethernet port view
ftp-client | FTP client view
gigabitethernet | GigabitEthernet port view
hwping | HWPing test group view
hwtacacs | HWTACACS view
isp | ISP domain view
loopback | Loopback interface view
luser | Local user view
manage-vlan | Management VLAN view
msdp | MSDP view, which is supported by only the S3600-EI series
mst-region | MST region view
mtlk-group | Monitor link group view
null | NULL interface view
ospf | OSPF view, which is supported by only the S3600-EI series
ospf-area | OSPF area view, which is supported by only the S3600-EI series
peer-key-code | Public key editing view
peer-public-key | Public key view
pim | PIM view, which is supported by only the S3600-EI series
poe-profile | PoE profile view
qinq | QinQ view
qos-profile | QoS profile view
radius-template | RADIUS scheme view
rip | RIP view
route-policy | Routing policy view
shell | User view
smlk-group | Smart link group view
system | System view
user-interface | User interface view
vlan | VLAN view
vlan-interface | VLAN interface view

command: Command for which the level is to be set.

Description

Use the command-privilege level command to set the level of a specified command in a specified view.

Use the undo command-privilege view command to restore the default.

Commands fall into four levels: visit (level 0), monitor (level 1), system (level 2), and manage (level 3). The administrator can change the level of a command as required.
For example, the administrator can change a command from a higher level to a lower level so that the lower level users can use the command.

The default levels of commands are described in the following table:

Table 1-2 Default levels of commands

Level | Name | Command
0 | Visit level | Commands used to diagnose network, such as ping, tracert, and telnet commands.
1 | Monitor level | Commands used to maintain the system and diagnose service fault, such as debugging, terminal and reset commands.
2 | System level | All configuration commands except for those at the manage level.
3 | Manage level | Commands associated with the basic operation modules and support modules of the system, such as file system, FTP/TFTP/XMODEM downloading, user management, and level setting commands.

Examples

# Set the level of the system-view command in user view (shell) to 0.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] command-privilege level 0 view shell system-view

display history-command

Syntax

display history-command

View

Any view

Parameters

None

Description

Use the display history-command command to display the history commands of the current user, so that the user can check the configurations performed previously.

History commands are those commands that were successfully executed recently and saved in the history command buffer. You can set the size of the buffer with the history-command max-size command. When the history command buffer is full, the earlier commands are overwritten by the new ones.

By default, the CLI can save 10 history commands for each user.

Related commands: history-command max-size in login module.

Examples

# Display the history commands of the current user.

<Sysname> display history-command
system-view
quit
display history-command

super

Syntax

super [ level ]

View

User view

Parameters

level: User level, in the range of 0 to 3.

Description

Use the super command to switch from the current user level to a specified level.
Executing this command without the level argument will switch the current user level to level 3 by default.

Note that:

- Users logged into the switch fall into four user levels, which correspond to the four command levels respectively. Users at a specific level can only use the commands at the same level or lower levels.
- You can switch between user levels after logging into a switch successfully. The high-to-low user level switching is unlimited. However, the low-to-high user level switching requires the corresponding authentication. The authentication mode can be set through the super authentication-mode command.
- For security purposes, the password entered is not displayed when you switch to another user level. You will remain at the original user level if you have tried three times but failed to enter the correct authentication information.

Related commands: super authentication-mode, super password.

Examples

# Switch from the current user level to user level 3, using super password authentication.

<Sysname> super 3
Password:
User privilege level is 3, and only those commands can be used whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

# Switch from the current user level to level 3, using HWTACACS authentication.

<Sysname> super 3
Username: [email protected]
Password:
User privilege level is 3, and only those commands can be used whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

super authentication-mode

Syntax

super authentication-mode { super-password | scheme }*
undo super authentication-mode

View

User interface view

Parameters

super-password: Adopts super password authentication for low-to-high user level switching.
scheme: Adopts Huawei terminal access controller access control system (HWTACACS) authentication for low-to-high user level switching.
Description

Use the super authentication-mode command to specify the authentication mode used for low-to-high user level switching.

Use the undo super authentication-mode command to restore the default.

By default, super password authentication is adopted for low-to-high user level switching.

Note that the two authentication modes are available at the same time to provide authentication redundancy.

When both authentication modes are specified, the order in which the two types of authentication are performed is determined by the order in which they are specified, as described below.

- If the super authentication-mode super-password scheme command is executed to specify the authentication mode for user level switching, the super password authentication is preferred and the HWTACACS authentication mode is the backup.
- If the super authentication-mode scheme super-password command is executed to specify the authentication mode for low-to-high user level switching, the HWTACACS authentication is preferred and the super password authentication mode is the backup.
- When both the super password authentication and the HWTACACS authentication are specified, the device adopts the preferred authentication mode first. If the preferred authentication mode cannot be implemented (for example, the super password is not configured or the HWTACACS authentication server is unreachable), the backup authentication mode is adopted.

Examples

# Specify HWTACACS authentication as the preferred authentication mode when a VTY 0 user switches from the current level to a higher level, with the super password authentication as the backup authentication mode.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] super authentication-mode scheme super-password

super password

Syntax

super password [ level level ] { cipher | simple } password
undo super password [ level level ]

View

System view

Parameters

level level: User level, in the range of 1 to 3. It is 3 by default.
cipher: Stores the password in the configuration file in ciphered text.
simple: Stores the password in the configuration file in plain text.
password: Password to be set. If the simple keyword is used, you must provide a plain-text password, that is, a string of 1 to 16 characters. If the cipher keyword is used, you can provide a password in either of the two ways:

- Input a plain-text password, that is, a string of 1 to 16 characters, which will be automatically converted into a 24-character cipher-text password.
- Directly input a cipher-text password, that is, a string of 1 to 24 characters, which must correspond to a plain-text password. For example, the cipher-text password “_(TT8F]Y\5SQ=^Q`MAF4<1!!” corresponds to the plain-text password 1234567.

Description

Use the super password command to set a switching password for a specified user level, which will be used when users switch from a lower user level to the specified user level.

Use the undo super password command to restore the default configuration.

By default, no such password is set.

Note that, no matter whether a plain-text or cipher-text password is set, users must enter the plain-text password during authentication.

Examples

# Set the switching password for level 3 to 0123456789 in plain text.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] super password level 3 simple 0123456789

Table of Contents

1 Login Commands
  Login Commands
    authentication-mode
    auto-execute command
    copyright-info enable
    databits
    display telnet-server source-ip
    display telnet source-ip
    display user-interface
    display users
    display web users
    free user-interface
    header
    history-command max-size
    idle-timeout
    ip http shutdown
    lock
    parity
    protocol inbound
    screen-length
    send
    service-type
    set authentication password
    shell
    speed
    stopbits
    telnet
    telnet ipv6
    telnet source-interface
    telnet source-ip
    telnet-server source-interface
    telnet-server source-ip
    user-interface
    user privilege level
2 Commands for User Control
  Commands for Controlling Logging in Users
    acl
    free web-users
    ip http acl
    snmp-agent community
    snmp-agent group
    snmp-agent usm-user

1 Login Commands

The commands used to enable/disable copyright information displaying are newly added. Refer to copyright-info enable for related information.

Login Commands

authentication-mode

Syntax

authentication-mode { password | scheme [ command-authorization ] | none }

View

User interface view

Parameters

none: Specifies not to authenticate users.
password: Authenticates users using the local password.
scheme: Authenticates users locally or remotely using usernames and passwords.
command-authorization: Performs command authorization on TACACS authentication server.

Description

Use the authentication-mode command to specify the authentication mode.

- If you specify the password keyword to authenticate users using the local password, remember to set the local password using the set authentication password command. Otherwise, AUX users can log in to the switch successfully without password, but VTY users will fail the login. VTY users must enter the correct authentication password to log in to the switch.
- If you specify the scheme keyword to authenticate users locally or remotely using usernames and passwords, the actual authentication mode, that is, local or remote, depends on other related AAA scheme configuration of the domain.
- If this command is executed with the command-authorization keyword specified, authorization is performed on the TACACS server whenever you attempt to execute a command, and the command can be executed only when you pass the authorization. Normally, a TACACS server contains a list of the commands available to different users.
By default, the authentication mode is none for AUX users and password for VTY users.

For a VTY user interface, to specify the none keyword or password keyword for login users, make sure that SSH is not enabled in the user interface. Otherwise, the configuration fails. Refer to the protocol inbound command for related configuration.

To improve security and prevent attacks on unused sockets, TCP 23 and TCP 22 (the ports for the Telnet and SSH services respectively) are enabled or disabled according to the corresponding configuration.

- If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled.
- If the authentication mode is password, and the corresponding password has been set, TCP 23 will be enabled, and TCP 22 will be disabled.
- If the authentication mode is scheme, there are three scenarios: when the supported protocol is specified as telnet, TCP 23 will be enabled; when the supported protocol is specified as SSH, TCP 22 will be enabled; when the supported protocol is specified as all, both the TCP 23 and TCP 22 ports will be enabled.

Examples

- Example of the password authentication mode configuration

# Configure to authenticate users using the local password on the console port, and set the authentication password to aabbcc in plain text.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] authentication-mode password
[Sysname-ui-aux0] set authentication password simple aabbcc

After the configuration, when a user logs in to the switch through the console port, the user must enter the correct password.

- Example of the scheme authentication mode configuration

# Configure the authentication mode as scheme for VTY users logging in through Telnet.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] authentication-mode scheme
[Sysname-ui-vty0] quit

# Specify domain system as the default domain, and set the scheme authentication mode to local for the domain.

[Sysname] domain default enable system
[Sysname] domain system
[Sysname-isp-system] scheme local
[Sysname-isp-system] quit

# Configure the local authentication username and password.

[Sysname] local-user guest
[Sysname-luser-guest] password simple 123456
[Sysname-luser-guest] service-type telnet level 2

After the configuration, when a user logs in to the switch through VTY0, the user must enter the configured username and password.

auto-execute command

Syntax

auto-execute command text
undo auto-execute command

View

VTY user interface view

Parameters

text: Command to be executed automatically.

Description

Use the auto-execute command command to set the command that is executed automatically after a user logs in.

Use the undo auto-execute command command to disable the specified command from being automatically executed.

By default, no command is configured to be executed automatically after a user logs in.

Normally, the telnet command is specified to be executed automatically to enable the user to Telnet to a specific network device automatically.

- The auto-execute command command may leave you unable to perform common configuration in the user interface, so use it with caution.
- Before executing the auto-execute command command and saving your configuration, make sure you can log in to the switch in other modes and cancel the configuration.

Examples

# Configure the telnet 10.110.100.1 command to be executed automatically after users log in to VTY 0.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] auto-execute command telnet 10.110.100.1
% This action will lead to configuration failure through ui-vty0.
Are you sure?[Y/N]y

After the above configuration, when a user logs onto the device through VTY 0, the device automatically executes the configured command and logs off the current user.

copyright-info enable

Syntax

copyright-info enable
undo copyright-info enable

View

System view

Parameters

None

Description

Use the copyright-info enable command to enable copyright information displaying.

Use the undo copyright-info enable command to disable copyright information displaying.

By default, copyright information displaying is enabled. That is, the copyright information is displayed after a user logs into a switch successfully.

Note that these two commands apply to users logging in through the console port and by means of Telnet.

Examples

# Disable copyright information displaying.

**************************************************************************
* Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                               *
* no decompiling or reverse-engineering shall be allowed.                  *
**************************************************************************
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo copyright-info enable

# After the above configuration, no copyright information is displayed after a user logs in, as shown below.

<Sysname>

databits

Syntax

databits { 7 | 8 }
undo databits

View

AUX user interface view

Parameters

7: Sets the databits to 7.
8: Sets the databits to 8.

Description

Use the databits command to set the databits for the user interface.

Use the undo databits command to revert to the default databits.

The default databits is 8.

Examples

# Set the databits to 7.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] databits 7

display telnet-server source-ip

Syntax

display telnet-server source-ip

View

Any view

Parameters

None

Description

Use the display telnet-server source-ip command to display the source IP address configured for the switch operating as the Telnet server. That is, when the switch operates as the Telnet server, the client uses this IP address to log in to the switch.

- If the source IP address or source interface is specified for the switch, this command displays the IP address or the primary IP address of the source interface.
- If neither source IP address nor source interface is specified, 0.0.0.0 is displayed. That is, as long as there is a route between the switch and client, the client can log in to the switch using the IP address of any Layer 3 interface on the switch.

When you use the display telnet-server source-ip command to display the source IP address, the primary IP address of an interface will be displayed even if you have specified a secondary IP address of the interface as the source IP address.

Examples

# Display the source IP address configured for the switch operating as the Telnet server.

<Sysname> display telnet-server source-ip
The source IP you specified is 192.168.1.1

display telnet source-ip

Syntax

display telnet source-ip

View

Any view

Parameters

None

Description

Use the display telnet source-ip command to display the source IP address configured for the switch operating as the Telnet client. That is, the source IP address of the Telnet service packets sent when the switch operates as the Telnet client to log in to the remote device.

- If the source interface is specified for the switch, this command displays the IP address of the source interface.
- If no source address or source IP interface is specified for the switch, 0.0.0.0 is displayed. That is, the source IP address of Telnet service packets is that of the outbound interface.
Examples
# Display the source IP address configured for the switch operating as the Telnet client.
<Sysname> display telnet source-ip
The source IP you specified is 192.168.1.1

display user-interface

Syntax
display user-interface [ type number | number ] [ summary ]

View
Any view

Parameters
type: User interface type, which can be AUX (for AUX user interface) and VTY (for VTY user interface).
number: User interface index. A user interface index can be relative or absolute.
- In relative user interface number scheme, the type argument is required. In this case, AUX user interfaces are numbered from AUX0 through AUX7; VTY user interfaces are numbered from VTY0 through VTY4.
- In absolute user interface number scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 12.
summary: Displays the summary information about a user interface.

Description
Use the display user-interface command to display the information about a specified user interface or all user interfaces.
If the summary keyword is not specified, this command displays user interface type, absolute/relative user interface index, transmission speed, available command level, authentication mode, and physical position.
If the summary keyword is specified, this command displays the number and type of the user interfaces, including those that are in use and those that are not in use.

Examples
# Display the information about user interface 0.
<Sysname> display user-interface 0
  Idx  Type   Tx/Rx  Modem  Privi  Auth  Int  Super
F 0    AUX 0  9600   -      3      N     -    S

+    : Current user-interface is active.
F    : Current user-interface is active and work in async mode.
Idx  : Absolute index of user-interface.
Type : Type and relative index of user-interface.
Privi: The privilege of user-interface.
Auth : The authentication mode of user-interface.
Int  : The physical location of UIs.
Super: The Super authentication mode of UIs.
A    : Authentication use AAA.
N    : Current UI need not authentication.
P    : Authentication use current UI's password.
S    : Authentication use super password.

Table 1-1 Descriptions on the fields of the display user-interface command

| Field | Description |
|---|---|
| + | The user interface is in use. |
| F | The user interface operates in asynchronous mode. |
| Idx | The absolute index of the user interface |
| Type | User interface type and the relative index |
| Tx/Rx | Transmission speed of the user interface |
| Modem | Indicates whether or not a modem is used. |
| Privi | Available command level |
| Auth | Authentication mode |
| Int | Physical position of the user interface |
| Super | The authentication mode used for a user to switch from the current lower user level to a higher level, including S, A, SA and AS. S: Super password authentication. A: HWTACACS authentication. SA: Super password authentication is preferred, with HWTACACS authentication being a backup. AS: HWTACACS authentication is preferred, with super password authentication being a backup. For details about the four authentication modes, refer to the CLI part of the manual. |
| A | The current user authentication mode is scheme. |
| N | The current user authentication mode is none. |
| P | The current user authentication mode is password. |
| S | Super password authentication |

# Display the summary information about the user interface.
<Sysname> display user-interface summary
User interface type : [AUX]
  0:UXXX XXXX
User interface type : [VTY]
  8:UUUU X

  5 character mode users.  (U)
  8 UI never used.         (X)
  5 total UI in use

Table 1-2 Description on the fields of the display user-interface summary command

| Field | Description |
|---|---|
| User interface type | User interface type: AUX or VTY |
| 0:UXXX XXXX/8:UUUU X | 0 and 8 represent the least absolute number for AUX user interfaces and VTY user interfaces. "U" and "X" indicate the usage state of an interface: U indicates that the corresponding user interface is used; X indicates that the corresponding user interface is idle. The total number of Us and Xs is the total number of user interfaces that are available. |
| character mode users. (U) | The number of current users, that is, the number of Us |
| UI never used. (X) | The number of user interfaces not being used currently, that is, the number of Xs |
| total UI in use. | The total number of user interfaces being used currently, that is, the total number of users currently logging in to the switch successfully |

display users

Syntax
display users [ all ]

View
Any view

Parameters
all: Displays the user information about all user interfaces.

Description
Use the display users command to display the user information about user interfaces. If you do not specify the all keyword, only the user information about the current user interface is displayed.

Examples
# Display the user information about the current user interface.
<Sysname> display users
  UI        Delay     Type  Ipaddress       Username  Userlevel
+ 8  VTY 0  00:00:00  TEL   192.168.0.208             3
+    : Current operation user.
F    : Current operation user work in async mode.

Table 1-3 Descriptions on the fields of the display users command

| Field | Description |
|---|---|
| UI | The numbers in the left sub-column are the absolute user interface indexes, and those in the right sub-column are the relative user interface indexes. |
| Delay | The period (in seconds) the user interface idles for. |
| Type | User type |
| Ipaddress | The IP address from which the user logs in. |
| Username | The login name of the user that logs into the user interface. |
| Userlevel | The level of the commands available to the users logging in to the user interface |
| F | The information is about the current user interface, and the current user interface operates in asynchronous mode. |
| + | The user interface is in use. |

display web users

Syntax
display web users

View
Any view

Parameters
None

Description
Use the display web users command to display the information about the current on-line Web users.

Examples
# Display the information about the current on-line Web users.
<Sysname> display web users
ID        Name   Language  Level       Login Time  Last Req. Time
00800003  admin  English   Management  06:16:32    06:18:35

Table 1-4 Description on the fields of the display web users command

| Field | Description |
|---|---|
| ID | ID of a Web user |
| Name | Name of a Web user |
| Language | Language a Web user uses |
| Level | Level of a Web user |
| Login Time | Time when a Web user logs in |
| Last Req. Time | Time when the latest request is made |

free user-interface

Syntax
free user-interface [ type ] number

View
User view

Parameters
type: User interface type, which can be AUX (for AUX user interface) and VTY (for VTY user interface).
number: User interface index. A user interface index can be relative or absolute.
- In relative user interface index scheme, the type argument is required. In this case, AUX user interfaces are numbered from AUX0 through AUX7; VTY user interfaces are numbered from VTY0 through VTY4.
- In absolute user interface index scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 12.

Description
Use the free user-interface command to free a user interface. That is, this command tears down the connection between a user and a user interface.
Note that the current user interface cannot be freed.

Examples
# Release user interface VTY 1.
<Sysname> free user-interface vty 1
Are you sure you want to free user-interface vty1 [Y/N]? y
[OK]
After you perform the above operation, the user connection on user interface VTY1 is torn down. The user in it must log in again to connect to the switch.

header

Syntax
header [ incoming | legal | login | shell ] text
undo header { incoming | legal | login | shell }

View
System view

Parameters
incoming: Sets the login banner for users that log in through modems. If you specify to authenticate login users, the banner appears after a user passes the authentication. (The session does not appear in this case.)
legal: Sets the authorization banner, which is displayed when a user enters user view.
login: Sets the login banner.
The banner set by this keyword is valid only when users are authenticated before they log in to the switch and appears while the switch prompts for user name and password. If a user logs in to the switch through Web, the banner text configured will be displayed on the banner page.
shell: Sets the session banner, which appears after a session is established. If you specify to authenticate login users, the banner appears after a user passes the authentication.
text: Banner to be displayed. If no keyword is specified, this argument is the login banner. You can provide this argument in two ways. One is to enter the banner in the same line as the command (a command line can accept up to 254 characters). The other is to enter the banner in multiple lines (you can start a new line by pressing Enter), where you can enter a banner that can contain up to 2000 characters (including the invisible characters such as carriage return). Note that the first character is the beginning character and the end character of the banner. After entering the end character, you can press Enter to exit the interaction.

Description
Use the header command to set the banners that are displayed when a user logs into a switch. The login banner is displayed on the terminal when the connection is established, and the session banner is displayed on the terminal if a user successfully logs in.
Use the undo header command to disable displaying a specific banner or all banners.
By default, no banner is configured.
Note the following:
- If you specify any one of the four keywords without providing the text argument, the specified keyword will be regarded as the login information.
- The banner configured with the header incoming command is displayed after a modem user logs in successfully or after a modem user passes the authentication when authentication is required. In the latter case, the shell banner is not displayed.
- The banner configured with the header legal command is displayed when you enter the user interface. If password authentication is enabled or an authentication scheme is specified, this banner is displayed before login authentication.
- With password authentication enabled or an authentication scheme specified, the banner configured with the header login command is displayed after the banner configured with the header legal command and before login authentication.
- The banner configured with the header shell command is displayed after a non-modem user session is established.

Examples
# Configure banners.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] header login %Welcome to login!%
[Sysname] header shell %
Input banner text, and quit with the character '%'.
Welcome to shell!%
[Sysname] header incoming %
Input banner text, and quit with the character '%'.
Welcome to incoming!%
[Sysname] header legal %
Input banner text, and quit with the character '%'.
Welcome to legal!%

- The character % is the starting/ending character of text in this example. Entering % after the displayed text quits the header command.
- As the starting and ending character, % is not a part of a banner.

# Test the configuration remotely using Telnet. (The login banner is displayed only when login authentication is configured.)
**************************************************************************
* Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                              *
* no decompiling or reverse-engineering shall be allowed.                 *
**************************************************************************
Welcome to legal!
Press Y or ENTER to continue, N to exit.
Welcome to login!

Login authentication

Password:
Welcome to shell!
<Sysname>

history-command max-size

Syntax
history-command max-size value
undo history-command max-size

View
User interface view

Parameters
value: Size of the history command buffer, ranging from 0 to 256 (in terms of commands).

Description
Use the history-command max-size command to set the size of the history command buffer.
Use the undo history-command max-size command to revert to the default history command buffer size.
By default, the history command buffer can contain up to ten commands.
Related commands: display history-command.

Examples
# Set the size of the history command buffer of AUX 0 to 20 to enable it to store up to 20 commands.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] history-command max-size 20

idle-timeout

Syntax
idle-timeout minutes [ seconds ]
undo idle-timeout

View
User interface view

Parameters
minutes: Number of minutes. This argument ranges from 0 to 35,791.
seconds: Number of seconds. This argument ranges from 0 to 59.

Description
Use the idle-timeout command to set the timeout time. The connection to a user interface is terminated if no operation is performed in the user interface within the timeout time.
Use the undo idle-timeout command to revert to the default timeout time.
You can use the idle-timeout 0 command to disable the timeout function.
The default timeout time is 10 minutes.

Examples
# Set the timeout time of AUX 0 to 1 minute.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] idle-timeout 1

ip http shutdown

Syntax
ip http shutdown
undo ip http shutdown

View
System view

Parameters
None

Description
Use the ip http shutdown command to shut down the WEB Server.
Use the undo ip http shutdown command to launch the WEB Server.
By default, the WEB Server is launched.
To improve security and prevent attacks on unused sockets, TCP port 80 for the HTTP service is enabled or disabled according to the corresponding configuration.
- TCP port 80 is enabled only after you use the undo ip http shutdown command to enable the Web server.
- If you use the ip http shutdown command to disable the Web server, TCP port 80 is disabled.

After the Web file is upgraded, you need to use the boot web-package command to specify a new Web file or specify a new Web file from the boot menu after reboot for the Web server to operate properly. Refer to the File System Management part in this manual for information about the boot web-package command.

Examples
# Shut down the WEB Server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip http shutdown
# Launch the WEB Server.
[Sysname] undo ip http shutdown

lock

Syntax
lock

View
User view

Parameters
None

Description
Use the lock command to lock the current user interface to prevent unauthorized operations in the user interface.
After you execute this command, the system prompts you for the password and prompts you to confirm the password. The user interface is locked only when the password entered is correct. To unlock a user interface, press Enter and then enter the password as prompted.
Note that if you set a password containing more than 16 characters, the system matches only the first 16 characters of the password entered for unlocking the user interface. That is, the system unlocks the user interface as long as the first 16 characters of the password entered are correct.
By default, the current user interface is not locked.

Examples
# Lock the current user interface.
<Sysname> lock
Press Enter, enter a password, and then confirm it as prompted. (The password entered is not displayed).
Password:
Again:
locked !
In this case, the user interface is locked. To operate the user interface again, you need to press Enter and provide the password as prompted.
Password:
<Sysname>

parity

Syntax
parity { even | none | odd }
undo parity

View
AUX user interface view

Parameters
even: Performs even checks.
none: Does not check.
odd: Performs odd checks.

Description
Use the parity command to set the check mode of the user interface.
Use the undo parity command to revert to the default check mode.
By default, no check is performed.

Examples
# Set to perform even checks.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] parity even

protocol inbound

Syntax
protocol inbound { all | ssh | telnet }

View
VTY user interface view

Parameters
all: Supports both Telnet protocol and SSH protocol.
ssh: Supports SSH protocol.
telnet: Supports Telnet protocol.

Description
Use the protocol inbound command to specify the protocols supported by the user interface.
Both Telnet protocol and SSH protocol are supported by default.
Related commands: user-interface vty.

To improve security and prevent attacks on unused sockets, TCP 23 and TCP 22 (ports for Telnet and SSH services respectively) are enabled or disabled according to the corresponding configuration.
- If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled.
- If the authentication mode is password, and the corresponding password has been set, TCP 23 will be enabled, and TCP 22 will be disabled.
- If the authentication mode is scheme, there are three scenarios: when the supported protocol is specified as telnet, TCP 23 will be enabled; when the supported protocol is specified as ssh, TCP 22 will be enabled; when the supported protocol is specified as all, both the TCP 23 and TCP 22 port will be enabled.

To configure a user interface to support SSH, you need to set the authentication mode to scheme for users to log in successfully. If the authentication mode is set to password or none for login users, the protocol inbound ssh command will fail.
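The port rules in the note above, together with the TCP 80 rule given for ip http shutdown, can be checked against a saved configuration. The following Python sketch is an added example, not part of the manual or of H3C's software; the sample configuration is constructed, the finding codes are hypothetical, and it assumes that commands belonging to a user interface are indented under their user-interface line.

```python
import re

# Constructed sample, not from the manual. Assumption: commands that belong to
# a user interface are indented under its "user-interface" line.
SAMPLE_CONFIG = """\
#
 ip http shutdown
#
user-interface aux 0
 idle-timeout 0
user-interface vty 0
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 5
user-interface vty 1 4
 authentication-mode password
 set authentication password simple 123
 user privilege level 3
#
"""

UI_RE = re.compile(r"user-interface(?:\s+(aux|vty))?\s+(\d+)(?:\s+(\d+))?$", re.I)


def parse_config(text):
    """Return (global commands, {section name: [commands]})."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        m = UI_RE.match(line)
        if m:
            kind, first, last = m.group(1), int(m.group(2)), m.group(3)
            if kind is None:
                # Absolute numbering: 0-7 are AUX 0-7, 8-12 are VTY 0-4.
                kind, offset = ("aux", 0) if first < 8 else ("vty", 8)
            else:
                kind, offset = kind.lower(), 0
            name = f"{kind} {first - offset}"
            if last is not None:
                name += f"-{int(last) - offset}"
            current = sections.setdefault(name, [])
        elif current is not None and raw[:1].isspace():
            current.append(line)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, sections


def setting(cmds, prefix, default=None):
    """Argument text of the last command that starts with prefix."""
    value = default
    for cmd in cmds:
        if cmd == prefix or cmd.startswith(prefix + " "):
            value = cmd[len(prefix):].strip()
    return value


def open_ports(global_cmds, sections):
    """TCP ports the switch listens on, following the rules quoted in the manual."""
    ports = set() if "ip http shutdown" in global_cmds else {80}
    for name, cmds in sections.items():
        if not name.startswith("vty"):
            continue
        # Defaults per the manual: password authentication, both protocols.
        mode = setting(cmds, "authentication-mode", "password")
        proto = setting(cmds, "protocol inbound", "all")
        has_password = setting(cmds, "set authentication password") is not None
        if mode == "none" or (mode == "password" and has_password):
            ports.add(23)
        elif mode.startswith("scheme"):
            if proto in ("telnet", "all"):
                ports.add(23)
            if proto in ("ssh", "all"):
                ports.add(22)
    return ports


def audit(text):
    """Return (location, code) findings; the codes are hypothetical labels."""
    global_cmds, sections = parse_config(text)
    ports = open_ports(global_cmds, sections)
    findings = []
    if 23 in ports:
        findings.append(("global", "TELNET_OPEN"))
    if 80 in ports:
        findings.append(("global", "HTTP_OPEN"))
    for name, cmds in sections.items():
        is_vty = name.startswith("vty")
        if is_vty and setting(cmds, "authentication-mode", "password") == "none":
            findings.append((name, "AUTH_NONE"))
        if (setting(cmds, "set authentication password") or "").startswith("simple "):
            findings.append((name, "PLAINTEXT_PASSWORD"))
        timeout = setting(cmds, "idle-timeout")
        if timeout and all(p.isdigit() and int(p) == 0 for p in timeout.split()):
            findings.append((name, "NO_IDLE_TIMEOUT"))
        if is_vty and setting(cmds, "user privilege level") == "3":
            findings.append((name, "VTY_MANAGE_LEVEL"))
    return findings


if __name__ == "__main__":
    for where, code in audit(SAMPLE_CONFIG):
        print(f"{where}: {code}")
```
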
Refer to the authentication-mode command for the related configuration.

Examples
# Configure that only SSH protocol is supported in VTY 0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] protocol inbound ssh

screen-length

Syntax
screen-length screen-length
undo screen-length

View
User interface view

Parameters
screen-length: Number of lines the screen can contain. This argument ranges from 0 to 512.

Description
Use the screen-length command to set the number of lines the terminal screen can contain.
Use the undo screen-length command to revert to the default number of lines.
By default, the terminal screen can contain up to 24 lines.
You can use the screen-length 0 command to disable the function to display information in pages.

Examples
# Set the number of lines the terminal screen can contain to 20.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] screen-length 20

send

Syntax
send { all | number | type number }

View
User view

Parameters
all: Sends messages to all user interfaces.
type: User interface type, which can be AUX (for AUX user interface) and VTY (for VTY user interface).
number: User interface index. A user interface index can be relative or absolute.
- In relative user interface index scheme, the type argument is required. In this case, AUX user interfaces are numbered from AUX0 through AUX7; VTY user interfaces are numbered from VTY0 through VTY4.
- In absolute user interface index scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 12.

Description
Use the send command to send messages to a user interface or all the user interfaces.

Examples
# Send "hello" to all user interfaces.
<Sysname> send all
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
hello^Z
Send message?
[Y/N]y
The current user interface will receive the following information:
<Sysname>
***
***
***Message from vty1 to vty1
***
hello

service-type

Syntax
service-type { ftp | lan-access | { ssh | telnet | terminal }* [ level level ] }
undo service-type { ftp | lan-access | { ssh | telnet | terminal }* }

View
Local user view

Parameters
ftp: Specifies the users to be of FTP type.
lan-access: Specifies the users to be of LAN-access type, which normally means Ethernet users, such as 802.1x users.
ssh: Specifies the users to be of SSH type.
telnet: Specifies the users to be of Telnet type.
terminal: Makes terminal services available to users logging in through the console port.
level level: Specifies the user level for Telnet users, Terminal users, or SSH users. The level argument ranges from 0 to 3 and defaults to 0.

Description
Use the service-type command to specify the login type and the corresponding available command level.
Use the undo service-type command to cancel login type configuration.
Commands fall into four command levels: visit, monitor, system, and manage, which are described as follows:
- Visit level: Commands at this level are used to diagnose network and change the language mode of user interface, such as the ping, tracert, and language-mode command. The telnet command is also at this level. Commands at this level cannot be saved in configuration files.
- Monitor level: Commands at this level are used to maintain the system, to debug service problems, and so on. The display and debugging commands are at monitor level. Commands at this level cannot be saved in configuration files.
- System level: Commands at this level are used to configure services. Commands concerning routing and network layers are at system level. You can utilize network services by using these commands.
- Manage level: Commands at this level are for the operation of the entire system and the system supporting modules. Services are supported by these commands.
Commands concerning file system, file transfer protocol (FTP), trivial file transfer protocol (TFTP), downloading using XModem, user management, and level setting are at administration level.
Refer to CLI for detailed introduction to the command level.

Examples
# Configure that commands at level 0 are available to users logging in with the user name zbr.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user zbr
[Sysname-luser-zbr] service-type telnet level 0
# To verify the above configuration, you can quit the system, log in again using the user name of zbr, and then list the available commands, as shown in the following.
<Sysname> ?
User view commands:
  cluster   Run cluster command
  display   Display current system information
  nslookup  Query Internet name servers
  ping      Ping function
  quit      Exit from current command view
  super     Set the current user priority level
  telnet    Establish one TELNET connection
  tracert   Trace route function
  undo      Cancel current setting

set authentication password

Syntax
set authentication password { cipher | simple } password
undo set authentication password

View
User interface view

Parameters
cipher: Specifies to save the local password in cipher text.
simple: Specifies to save the local password in plain text.
password: Password to be set. The password must be in plain text if you specify the simple keyword in the set authentication password command. If you specify the cipher keyword, the password can be in either cipher text or plain text, as described in the following.
- When you enter the password in plain text containing no more than 16 characters (such as 123), the system converts the password to the corresponding 24-character encrypted password.
- When you enter the password in cipher text containing 24 characters, make sure you are aware of the corresponding password in plaintext. For example, the plain text "123456" corresponds to the cipher text "OUM!K%F<+$[Q=^Q`MAF4<1!!".

Description
Use the set authentication password command to set the local password.
Use the undo set authentication password command to remove the local password.
Note that only plain text passwords are expected when users are authenticated.
By default, password authentication is performed when a user logs in through a modem or Telnet. If no password is set, the user cannot establish a connection with the switch.

Examples
# Set the local password of VTY 0 to "123".
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] set authentication password simple 123

shell

Syntax
shell
undo shell

View
User interface view

Parameters
None

Description
Use the shell command to enable terminal services.
Use the undo shell command to disable terminal services.
By default, terminal services are disabled in all user interfaces.
Note the following when using the undo shell command:
- Terminal services cannot be disabled in AUX user interfaces.
- This command is unavailable in the current user interface.
- The execution of this command requires user confirmation.

Examples
# Disable terminal services in VTY 0 through VTY 4 (assuming that you log in through an AUX user interface).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] undo shell
% Disable ui-vty0-4 , are you sure ? [Y/N]y

speed

Syntax
speed speed-value
undo speed

View
AUX user interface view

Parameters
speed-value: Transmission speed (in bps). This argument can be 300, 600, 1200, 2400, 4800, 9600, 19,200, 38,400, 57,600, and 115,200.

Description
Use the speed command to set the transmission speed of the user interface.
Use the undo speed command to revert to the default transmission speed.
By default, the transmission speed is 9,600 bps.

Examples
# Set the transmission speed of the user interface AUX 0 to 115,200 bps.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] speed 115200

stopbits

Syntax
stopbits { 1 | 1.5 | 2 }
undo stopbits

View
AUX user interface view

Parameters
1: Sets the stopbits to 1.
1.5: Sets the stopbits to 1.5.
2: Sets the stopbits to 2.

Description
Use the stopbits command to set the stopbits of the user interface.
Use the undo stopbits command to revert to the default stopbits.
Execute these two commands in AUX user interface view only.
By default, the stopbits is 1.
- The S3600 series do not support communication with a terminal emulation program with stopbits set to 1.5.
- Changing the stop bits value of the switch to a value different from that of the terminal emulation utility does not affect the communication between them.

Examples
# Set the stop bits to 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] stopbits 2

telnet

Syntax
telnet { hostname | ip-address } [ service-port ] [ source-interface interface-type interface-number | source-ip ip-address ]

View
User view

Parameters
hostname: Host name of the remote device, a string of 1 to 20 characters.
ip-address: IPv4 address of the remote device.
service-port: Number of the TCP port through which the remote device provides Telnet service. This argument ranges from 0 to 65535, and defaults to 23.
source-interface interface-type interface-number: Specifies the type and number of the source interface.
source-ip ip-address: Specifies the source IP address.

Description
Use the telnet command to Telnet to another device from the current switch to manage the former remotely. You can terminate a Telnet connection by pressing Ctrl+K or by executing the quit command.

Examples
# Telnet from Ethernet switch Switch A to Switch B whose IP address is 129.102.0.1.
<SwitchA> telnet 129.102.0.1
Trying 129.102.0.1 ...
Press CTRL+K to abort
Connected to 129.102.0.1 ...
**************************************************************************
* Copyright(c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent,                              *
* no decompiling or reverse-engineering shall be allowed.                 *
**************************************************************************
<SwitchB>

telnet ipv6

Syntax
telnet ipv6 remote-system [ -i interface-type interface-number ] [ port-number ]

View
User view

Parameters
remote-system: IPv6 address or host name of the remote system. An IPv6 address can be up to 46 characters; a host name is a string of 1 to 20 characters.
-i interface-type interface-number: Specifies the outbound interface by interface type and interface number. The outbound interface is required when the destination address is a local link address.
port-number: TCP port number assigned to Telnet service on the remote system, in the range 0 to 65535 and defaults to 23.

Description
Use the telnet ipv6 command to Telnet to a device from the current device to perform remote management operation. You can terminate a Telnet session by pressing Ctrl+K.

Example
# Telnet to the device with IPv6 address 3001::1.
<Sysname> telnet ipv6 3001::1
Trying 3001::1 ...
Press CTRL+K to abort
Connected to 3001::1 ...
**************************************************************************
* Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                              *
* no decompiling or reverse-engineering shall be allowed.                 *
**************************************************************************
<Sysname>

telnet source-interface

Syntax
telnet source-interface interface-type interface-number
undo telnet source-interface

View
System view

Parameters
interface-type interface-number: Interface type and interface number.

Description
Use the telnet source-interface command to specify the source interface for a Telnet client.
Use the undo telnet source-interface command to remove the specified source interface.
The source interface can be a loopback interface or a VLAN interface. If the specified interface does not exist, the system prompts that this configuration fails.
With this command configured, when a device logs in to the Telnet server as a Telnet client, the source IP address is the IP address of the specified interface. The login succeeds only when there is a route between the specified source interface and the Telnet server.

Examples
# Specify VLAN-interface 2 as the source interface for the Telnet client.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] telnet source-interface Vlan-interface 2

telnet source-ip

Syntax
telnet source-ip ip-address
undo telnet source-ip

View
System view

Parameters
ip-address: IP address to be set.

Description
Use the telnet source-ip command to specify the source IP address for a Telnet client.
Use the undo telnet source-ip command to remove the source IP address.
With the telnet source-ip command configured, the specified IP address functions as the source IP address when a device logs into a Telnet server as a Telnet client, and the login succeeds only when there is a route between the specified source IP address and the Telnet server.
Note that when the telnet source-ip command is executed, if the IP address specified is not an IP address of the local device, your configuration fails.

Examples
# Set the source IP address to 192.168.1.1 for the Telnet client.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] telnet source-ip 192.168.1.1

telnet-server source-interface

Syntax
telnet-server source-interface interface-type interface-number
undo telnet-server source-interface

View
System view

Parameters
interface-type interface-number: Interface type and interface number.

Description
Use the telnet-server source-interface command to specify the source interface for a Telnet server.
Use the undo telnet-server source-interface command to remove the source interface.
The source interface can be a loopback interface or a VLAN interface. If the specified interface does not exist, the system prompts that this configuration fails. The login succeeds only when there is a route between the Telnet client and the specified source interface.
With the telnet-server source-interface command configured, the client can log in to the local device using only the primary IP address of the specified interface.

Examples
# Specify VLAN-interface 2 as the source interface for the Telnet server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] telnet-server source-interface Vlan-interface 2

telnet-server source-ip

Syntax
telnet-server source-ip ip-address
undo telnet-server source-ip

View
System view

Parameters
ip-address: Source IP address to be set.

Description
Use the telnet-server source-ip command to specify the source Telnet server IP address.
Use the undo telnet-server source-ip command to remove the source Telnet server IP address.
With the telnet-server source-ip command configured, the client can log in to the local device using the specified IP address only, and the login succeeds only when there is a route between the client and specified source IP address.
- If the specified IP address is not an address on the local switch, the system prompts configuration failure.
- If the specified IP address is a secondary IP address of a Layer 3 interface, a client can log in to the switch using only the primary IP address of the interface.

Examples
# Specify the source IP address of the Telnet server as 192.168.1.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] telnet-server source-ip 192.168.1.1

user-interface

Syntax
user-interface [ type ] first-number [ last-number ]

View
System view

Parameters
type: User interface type, which can be AUX (for AUX user interface) and VTY (for VTY user interface).
first-number: User interface index identifying the first user interface to be configured. A user interface index can be relative or absolute.
- In relative user interface index scheme, the type argument is required. In this case, AUX user interfaces are numbered from AUX0 through AUX7; VTY user interfaces are numbered from VTY0 through VTY4.
- In absolute user interface index scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 12.
last-number: User interface number identifying the last user interface to be configured. The value of this argument must be larger than that of the first-number argument.

Description
Use the user-interface command to enter one or more user interface views to perform configuration.

Examples
# Enter VTY0 user interface.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0]

user privilege level

Syntax
user privilege level level
undo user privilege level

View
User interface view

Parameters
level: Command level ranging from 0 to 3.

Description
Use the user privilege level command to configure the command level available to the users logging in to the user interface.
Use the undo user privilege level command to revert to the default command level.
By default, the commands at level 3 are available to the users logging in to the AUX user interface. The commands at level 0 are available to the users logging in to VTY user interfaces.
Commands fall into four command levels: visit, monitor, system, and manage, which are described as follows:
- Visit level: Commands at this level are used to diagnose network, such as the ping, tracert, and telnet commands. Commands at this level cannot be saved in configuration files.
- Monitor level: Commands at this level are used to maintain the system, to debug service problems, and so on. The display and debugging commands are at monitor level.
Commands at this level cannot be saved in configuration files.
- System level: Commands at this level are used to configure services. Commands concerning routing and network layers are at system level. You can utilize network services by using these commands.
- Manage level: Commands at this level are for the operation of the entire system and the system supporting modules. Services are supported by these commands. Commands concerning file system, file transfer protocol (FTP), trivial file transfer protocol (TFTP), downloading using XModem, user management, and level setting are at administration level.
Refer to CLI Configuration for information about command level.

Examples
# Configure that commands at level 1 are available to the users logging in to VTY 0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] user privilege level 1
# You can verify the above configuration by Telnetting to VTY 0 and displaying the available commands, as listed in the following.
<Sysname> ?
User view commands:
  cluster        Run cluster command
  debugging      Enable system debugging functions
  display        Display current system information
  msdp-tracert   MSDP trace route to source RP
  mtracert       Trace route to multicast source
  nslookup       Query Internet name servers
  ping           Ping function
  quit           Exit from current command view
  reset          Reset operation
  send           Send information to other user terminal interfaces
  super          Set the current user priority level
  telnet         Establish one TELNET connection
  terminal       Set the terminal line characteristics
  tracert        Trace route function
  undo           Cancel current setting

2 Commands for User Control

Commands for Controlling Logging in Users

acl

Syntax
acl acl-number { inbound | outbound }
undo acl acl-number { inbound | outbound }

View
User interface view

Parameters
acl-number: ACL number. This argument can identify different types of ACLs, as listed below.
- 2000 to 2999, for basic ACLs
- 3000 to 3999, for advanced ACLs
- 4000 to 4999, for Layer 2 ACLs
inbound: Applies the ACL for the users Telnetting to the local switch from the current user interface.
outbound: Applies the ACL for the users Telnetting to other devices from the current user interface. This keyword is unavailable to Layer 2 ACLs.

Description
Use the acl command to apply an ACL for Telnet users.
Use the undo acl command to cancel the configuration.
By default, no ACL is applied.

Examples
# Apply ACL 2000 (a basic ACL) for the users Telnetting to the current switch (assuming that ACL 2000 already exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound

free web-users

Syntax
free web-users { all | user-id user-id | user-name user-name }

View
User view

Parameters
all: Specifies all Web users.
user-id: Web user ID, an eight-digit hexadecimal number.
user-name: User name of the Web user. This argument can contain 1 to 80 characters.

Description
Use the free web-users command to disconnect a specified Web user or all Web users by force.

Examples
# Disconnect all Web users by force.
<Sysname> free web-users all

ip http acl

Syntax
ip http acl acl-number
undo ip http acl

View
System view

Parameters
acl-number: ACL number ranging from 2000 to 2999.

Description
Use the ip http acl command to apply an ACL to filter Web users.
Use the undo ip http acl command to disable the switch from filtering Web users using the ACL.
By default, the switch does not use the ACL to filter Web users.

Examples
# Apply ACL 2000 to filter Web users (assuming that ACL 2000 already exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip http acl 2000

snmp-agent community

Syntax
snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
undo snmp-agent community community-name

View
System view

Parameters
read: Specifies that the community has read-only permission in the specified view.
write: Specifies that the community has read/write permission in the specified view.
community-name: Community name, a string of 1 to 32 characters.
acl acl-number: Specifies an ACL number for the community. The acl-number argument ranges from 2000 to 2999.
mib-view view-name: Sets the name of the MIB view accessible to the community. The view-name argument is a string of 1 to 32 characters.

Description
Use the snmp-agent community command to set a community name and to enable users to access the switch through SNMP. You can also optionally use this command to apply an ACL to perform access control for network management users.
Use the undo snmp-agent community command to cancel community-related configuration for the specified community.
By default, SNMPv1 and SNMPv2c access a switch by community names.

Examples
# Set the community name to h123, enable users to access the switch in the name of the community (with read-only permission). Apply ACL 2000 for network management users (assuming that ACL 2000 already exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] snmp-agent community read h123 acl 2000

snmp-agent group

Syntax
In SNMPv1 and SNMPv2c:
snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
undo snmp-agent group { v1 | v2c } group-name
In SNMPv3:
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
undo snmp-agent group v3 group-name [ authentication | privacy ]

View
System view

Parameters
v1: SNMPv1.
v2c: SNMPv2c.
v3: SNMPv3.
group-name: Group name. This argument can be of 1 to 32 characters.
authentication: Specifies to authenticate SNMP data without encrypting the data.
privacy: Authenticates and encrypts packets.
read-view: Name of the view to be set to read-only. This argument can be of 1 to 32 characters.
write-view: Name of the view to be set to readable & writable. This argument can be of 1 to 32 characters.
notify-view: Name of the view to be set to a notifying view. This argument can be of 1 to 32 characters.
acl acl-number: Specifies an ACL. The acl-number argument ranges from 2000 to 2999.

Description
Use the snmp-agent group command to create an SNMP group. You can also optionally use this command to apply an ACL to filter network management users.
Use the undo snmp-agent group command to remove a specified SNMP group.
By default, the SNMP group configured through the snmp-agent group v3 command is not authenticated or encrypted.

Examples
# Create an SNMP group named h123 and apply ACL 2001 for network management users (assuming that basic ACL 2001 already exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] snmp-agent group v1 h123 acl 2001

snmp-agent usm-user

Syntax
For SNMPv1 and SNMPv2c:
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
undo snmp-agent usm-user { v1 | v2c } user-name group-name
For SNMPv3:
snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | des56 } priv-password ] ] [ acl acl-number ]
undo snmp-agent usm-user v3 user-name group-name { engineid engineid-string | local }

View
System view

Parameters
v1: SNMPv1.
v2c: SNMPv2c.
v3: SNMPv3.
user-name: User name, a string of 1 to 32 characters.
group-name: Name of the group to which the user corresponds. This argument is a string of 1 to 32 characters.
cipher: Specifies the authentication or encryption password to be in ciphertext.
authentication-mode: Requires authentication. If this keyword is not provided, neither authentication nor encryption is performed.
md5: Adopts HMAC-MD5 algorithm.
sha: Adopts HMAC-SHA algorithm.
auth-password: Authentication password, a string of 1 to 64 characters in plain text, a 32-bit hexadecimal number in cipher text if MD5 algorithm is used, and a 40-bit hexadecimal number in cipher text if SHA algorithm is used.
privacy: Encrypts packets.
des56: Specifies data encryption standard (DES) for encrypting.
aes128: Specifies advanced encryption standard (AES) for encrypting.
priv-password: Encryption password, a string of 1 to 64 characters in plain text, a 32-bit hexadecimal number in cipher text if MD5 algorithm is used, and a 40-bit hexadecimal number in cipher text if SHA algorithm is used.
acl-number: Basic ACL number, ranging from 2000 to 2999.
local: Specifies local entity users.
engineid-string: Engine ID associated with the user, a string of even number of hexadecimal numbers and comprising of 10 to 64 hexadecimal digits.

Description
Use the snmp-agent usm-user command to add a user to an SNMP group. You can also optionally use this command to apply an ACL for network management users.
Use the undo snmp-agent usm-user command to remove an SNMP user from the corresponding SNMP group and to remove the ACL configuration on the user.

Examples
# Add a user named aaa to an SNMP group named group1, specify to require authentication, specify the authentication protocol as HMAC-MD5-96 and authentication password as 123, and apply ACL 2002 to filter network management users (assuming that ACL 2002 already exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] snmp-agent usm-user v3 aaa group1 authentication-mode md5 123 acl 2002

Table of Contents
1 Configuration File Management Commands
  File Attribute Configuration Commands
    display current-configuration
    display current-configuration vlan
    display saved-configuration
    display startup
    display this
    reset saved-configuration
    save
    startup saved-configuration

1 Configuration File Management Commands

The S3600 series Ethernet switches support Intelligent Resilient Framework (IRF), and allow you to access a file on the switch in one of the following ways:
- To access a file on the specified unit, you need to enter the file universal resource locator (URL) starting with unit[No.]>flash:/, where [No.] represents the unit ID of the switch.
For example, if the unit ID of the switch is 1, the URL of the file named text.txt in the root directory of the switch is unit1>flash:/text.txt.
- To access a file on the current unit, you need to enter the file URL starting with flash:/. For example, the URL of file text.txt in the root directory of the Flash on the current unit is flash:/text.txt.
- To access a file on the current directory, enter the path name or file name directly. For example, to access file text.txt in the current directory, you can directly input the file name text.txt as the file URL.

File Attribute Configuration Commands

display current-configuration

Syntax
display current-configuration [ configuration [ configuration-type ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | exclude | include } regular-expression ]

View
Any view

Parameters
configuration configuration-type: Specifies to display non-interface configuration. If configuration-type is not specified, all the non-interface configurations are displayed; if configuration-type is specified, the specified type of configuration is displayed. The configuration type you can specify is based on your current configuration. For example:
- acl-adv: Indicates the advanced Access Control List (ACL) configuration.
- acl-basic: Indicates the basic ACL configuration.
- acl-ethernetframe: Indicates the Layer 2 ACL configuration.
- acl-user: Indicates the user-defined ACL configuration.
- hwping: Indicates the HWPing configuration.
- isp: Indicates the internet service provider configuration.
- radius-template: Indicates the radius template configuration.
- system: Indicates the system configuration.
- user-interface: Indicates the user interface configuration.
interface: Displays port/interface configuration.
interface-type: Port/interface type, which can be one of the following: Aux, Ethernet, GigabitEthernet, Loopback, NULL and VLAN-interface.
interface-number: Port/interface number.
by-linenum: Displays configuration information with line numbers.
|: Uses a regular expression to filter the configuration of the switch to be displayed. By specifying a regular expression, you can locate and query the needed information quickly.
regular-expression: A regular expression, case sensitive. It supports the following match rules:
- begin: Displays the line that matches the regular expression and all the subsequent lines.
- exclude: Displays the lines that do not match the regular expression.
- include: Displays only the lines that match the regular expression.
A regular expression also supports some special characters. For match rules of the special characters, refer to Table 1-1 for details.

Table 1-1 Special characters in regular expression

Character | Meaning | Remarks
^ | Starting sign, the string to the right of this character appears only at the beginning of a line. | For example, regular expression ^user matches lines beginning with user, not Auser.
$ | Ending sign, the string to the left of this character appears only at the end of a line. | For example, regular expression user$ matches lines ending with user, not userA.
. | Full stop, a wildcard used in place of any character, including blank | None
* | Asterisk, the character to the left of the asterisk should match zero or more consecutive times. | For example, zo* can match z and zoo, and so on, but not zo.
+ | Plus sign, the character to the left of the plus sign should match one or more consecutive times. | For example, zo+ can match zo and zoo, and so on, but not z.
- | Hyphen. It connects two values (the smaller one before it and the bigger one after it) to indicate a range together with [ ]. | For example, 1-9 means numbers from 1 to 9 (inclusive); a-h means from a to h (inclusive).
[] | Square brackets. Specifies a range of characters, and matches any character in the specified range. | For example, [1-36A] can match a string containing any character among 1, 2, 3, 6, and A.
() | Parenthesis. Specifies a character group. It is usually used with + or *. | For example, (123A) means a character group 123A; 408(12)+ can match 40812 or 408121212. But it cannot match 408. That is, 12 can appear continuously and it must at least appear once.

Description
Use the display current-configuration command to display the current configuration of a switch.
After you finish a set of configurations, you can execute the display current-configuration command to display the parameters that take effect currently.
Note that:
- Parameters that are the same as the default are not displayed.
- The configured parameter whose corresponding function does not take effect is not displayed.
Related commands: save, reset saved-configuration, display saved-configuration.

Examples
# Display configuration information about all the interfaces on the current switch.
<Sysname> display current-configuration interface
#
interface Vlan-interface1
 ip address 192.168.0.36 255.255.255.0
 igmp enable
#
interface Vlan-interface20
 ip address 10.10.10.10 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
#
interface Ethernet1/0/2
 port monitor-link group 3 uplink
#
interface Ethernet1/0/3
 port monitor-link group 3 downlink
 port access vlan 1040
#
interface Ethernet1/0/4
 port monitor-link group 3 downlink
#
interface Ethernet1/0/5
#
interface Ethernet1/0/6
#
interface Ethernet1/0/7
#
interface Ethernet1/0/8
#
interface Ethernet1/0/9
#
interface Ethernet1/0/10
#
interface Ethernet1/0/11
#
interface Ethernet1/0/12
 port access vlan 20
 dhcp-snooping trust
 arp detection trust
#
interface Ethernet1/0/13
 port access vlan 20
 arp detection trust
#
interface Ethernet1/0/14
 port access vlan 20
#
interface Ethernet1/0/15
#
interface Ethernet1/0/16
#
interface Ethernet1/0/17
#
interface Ethernet1/0/18
#
interface Ethernet1/0/19
#
interface Ethernet1/0/20
#
interface Ethernet1/0/21
#
interface Ethernet1/0/22
#
interface Ethernet1/0/23
#
interface Ethernet1/0/24
#
interface GigabitEthernet1/1/1
 priority trust
#
interface GigabitEthernet1/1/2
 priority trust
#
interface GigabitEthernet1/1/3
#
interface GigabitEthernet1/1/4
#
interface NULL0
#
interface LoopBack0
#
return
# Display the lines that include the strings matching 10* in the configuration information. (The character * means that the character 0 in the string before it can appear multiple times or does not appear.)
<Sysname> display current-configuration | include 10*
vlan 1
interface Vlan-interface1
 ip address 192.168.0.36 255.255.255.0
interface Aux1/0/0
interface Ethernet1/0/1
interface Ethernet1/0/2
interface Ethernet1/0/3
 port hybrid vlan 1 3 untagged
 port hybrid protocol-vlan vlan 3 1
interface Ethernet1/0/4
 mirroring-group 1 monitor-port
interface Ethernet1/0/5
 port trunk permit vlan 1 25
interface Ethernet1/0/6
interface Ethernet1/0/7
interface Ethernet1/0/8
interface Ethernet1/0/9
interface Ethernet1/0/10
interface Ethernet1/0/11
interface Ethernet1/0/12
interface Ethernet1/0/13
interface Ethernet1/0/14
interface Ethernet1/0/15
interface Ethernet1/0/16
interface Ethernet1/0/17
interface Ethernet1/0/18
interface Ethernet1/0/19
interface Ethernet1/0/20
interface Ethernet1/0/21
interface Ethernet1/0/22
interface Ethernet1/0/23
interface Ethernet1/0/24
interface GigabitEthernet1/1/1
interface GigabitEthernet1/1/2
interface GigabitEthernet1/1/3
interface GigabitEthernet1/1/4
route-policy song permit node 1
 set authentication password simple 1
# Display the configuration information starting with the string user.
<Sysname> display current-configuration | include ^user
user-interface aux 0 7
user-interface vty 0 4

display current-configuration vlan

Syntax
display current-configuration vlan [ vlan-id ] [ by-linenum ]

View
Any view

Parameters
vlan vlan-id: VLAN ID, in the range 1 to 4094.
by-linenum: Displays configuration information with line numbers.

Description
Use the display current-configuration vlan command to display the current VLAN configuration of the switch.
Without the vlan-id argument specified, this command displays configuration information about all the VLANs that exist on the switch.
If there are contiguous VLANs without any configuration, the system combines these VLANs together in the format of vlan-id to vlan-id when displaying the VLAN configuration information.
Related commands: save, reset saved-configuration, display saved-configuration.

Examples
# Display the VLAN configuration information of the current switch.
<Sysname> display current-configuration vlan
#
vlan 1
#
vlan 5 to 69
#
vlan 70
 description Vlan 70
#
vlan 71 to 100
#
return

display saved-configuration

Syntax
display saved-configuration [ unit unit-id ] [ by-linenum ]

View
Any view

Parameters
unit unit-id: Specifies the unit ID of a switch. With this keyword-argument combination specified, this command can display the initial configuration file of the specified unit.
by-linenum: Displays configuration information with line numbers.

Description
Use the display saved-configuration command to display the initial configuration file of a switch.
Note that:
- If the switch starts up without a configuration file, the system will display that no configuration file exists upon execution of the command.
- If you have saved configuration after the switch starts up, the command displays the last saved configuration.
Related commands: save, reset saved-configuration, display current-configuration.

Examples
# Display the initial configuration file of the current switch.
<Sysname> display saved-configuration
#
sysname Sysname
#
gvrp
#
MAC-authentication
#
vlan 1
#
interface Vlan-interface1
 ip address 192.168.0.36 255.255.255.0
#LOCCFG. MUST NOT DELETE
#
interface Aux1/0/0
#
interface Ethernet1/0/1
 priority 7
 webcache address 1.1.1.1 mac 0000-0000-0001 vlan 1
 traffic-limit inbound ip-group 3001 rule 1 640 exceed remark-dscp 4
 traffic-priority inbound ip-group 2000 rule 0 dscp ef
 line-rate inbound 128
#
interface Ethernet1/0/2
 voice vlan enable
#
interface Ethernet1/0/3
 port link-type hybrid
 port hybrid vlan 1 3 untagged
 voice vlan enable
 port hybrid protocol-vlan vlan 3 1
 port hybrid protocol-vlan vlan 3 2
#
interface Ethernet1/0/4
 mirroring-group 1 monitor-port
#
interface Ethernet1/0/5
 port link-type trunk
 port trunk permit vlan 1 25
#
interface Ethernet1/0/6
#
interface Ethernet1/0/7
#
interface Ethernet1/0/8
#
interface Ethernet1/0/9
 voice vlan enable
#
interface Ethernet1/0/10
 port link-type hybrid
 port hybrid vlan 1 3 to 4 untagged
 port hybrid protocol-vlan vlan 4 0
 lacp enable
#
interface Ethernet1/0/11
#
interface Ethernet1/0/12
#
interface Ethernet1/0/13
#
interface Ethernet1/0/14
#
interface Ethernet1/0/15
#
interface Ethernet1/0/16
#
interface Ethernet1/0/17
#
interface Ethernet1/0/18
#
interface Ethernet1/0/19
#
interface Ethernet1/0/20
#
interface Ethernet1/0/21
#
interface Ethernet1/0/22
#
interface Ethernet1/0/23
#
interface Ethernet1/0/24
#
interface GigabitEthernet1/1/1
#
interface GigabitEthernet1/1/2
#
interface GigabitEthernet1/1/3
#
interface GigabitEthernet1/1/4
#TOPOLOGYCFG. MUST NOT DELETE
#
undo irf-fabric authentication-mode
#GLBCFG. MUST NOT DELETE
#
interface NULL0
#
user-interface aux 0 4
 idle-timeout 0 0
user-interface aux 5 7
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
 set authentication password simple 1
#
return
The configuration information output above in turn is the system configuration, logical interface configuration, physical port configuration, and user interface configuration.

display startup

Syntax
display startup [ unit unit-id ]

View
Any view

Parameters
unit unit-id: Specifies the unit ID of a switch.
With this keyword-argument combination specified, this command can display the startup configuration file information of the specified unit.

Description
Use the display startup command to display the startup configuration of a switch.
Note that:
- If the switch is not a unit of a fabric, this command displays the startup configuration file information of the current switch no matter whether you have specified the unit-id argument or not.
- If the switch is a unit of a fabric, without unit-id specified, this command displays the startup configuration file information of all the units in the fabric; with unit-id specified, this command displays the startup configuration file information of the specified unit.
Related commands: startup saved-configuration.

Examples
# Display the startup configuration file information of the current switch, which is not in any fabric.
<Sysname> display startup
UNIT1:
  Current Startup saved-configuration file: flash:/config.cfg
  Next main startup saved-configuration file: flash:/config.cfg
  Next backup startup saved-configuration file: flash:/backup.cfg
  Bootrom-access enable state: enabled

Table 1-2 Description on the fields of the display startup command

Field | Description
Current Startup saved-configuration file | The configuration file used for the current startup
Next main startup saved-configuration file | The main configuration file used for the next startup
Next backup startup saved-configuration file | The backup configuration file used for the next startup
Bootrom-access enable state | Whether you can use the user-defined password to access the Boot ROM: enabled indicates you can access the Boot ROM with the user-defined password; disabled indicates you cannot access the Boot ROM with the user-defined password. For related information, refer to the startup bootrom-access enable command in the File System Management part of the manual.
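
The user-interface block at the end of the display saved-configuration output above, and the ACL and SNMP commands in the Commands for User Control chapter, can be checked offline once the configuration text has been collected. The following Python script is an added example, not part of the H3C manual: it parses configuration text and reports VTY user interfaces and snmp-agent commands that leave management access weakly protected. Both sample configurations are constructed, and authentication-mode scheme in the hardened sample is assumed from the Login part of the manual.

```python
import re

# Constructed input modelled on the display saved-configuration and SNMP
# examples in this manual; the community name h456 is made up.
WEAK_CONFIG = """\
snmp-agent community read h123 acl 2000
snmp-agent community write h456
snmp-agent group v3 group1
snmp-agent usm-user v3 aaa group1 authentication-mode md5 123 acl 2002
#
user-interface aux 0 7
user-interface vty 0
 acl 2000 inbound
 authentication-mode none
 user privilege level 3
 set authentication password simple 123
user-interface vty 1 4
 authentication-mode none
 user privilege level 3
#
return
"""

# Constructed; authentication-mode scheme is assumed from the manual's Login part.
HARDENED_CONFIG = """\
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode scheme
 user privilege level 1
#
return
"""

UI_RE = re.compile(r"^user-interface\s+(aux|vty)\s+\d+(?:\s+\d+)?$")

def parse_user_interfaces(text):
    """Return [(header, [sub-commands])] for every user-interface block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if UI_RE.match(line):
            current = (line, [])
            blocks.append(current)
        elif current is not None and line and raw[0] in " \t":
            current[1].append(line)      # indented line: belongs to the block
        else:
            current = None               # "#", "return" or another section
    return blocks

def audit_vty(cmds):
    """Findings for one VTY block; password values are never echoed."""
    checks = [
        ("authentication-mode none" in cmds, "no login authentication"),
        ("user privilege level 3" in cmds, "manage-level (3) commands available at login"),
        (any(c.startswith("set authentication password simple ") for c in cmds), "login password stored in plain text"),
        (not any(re.match(r"acl \d+ inbound$", c) for c in cmds), "no inbound ACL restricting Telnet sources"),
    ]
    return [message for hit, message in checks if hit]

def audit_snmp(tok):
    """Findings for one tokenised snmp-agent command."""
    findings = []
    if tok[1:2] == ["community"] and len(tok) >= 4:
        if tok[2] == "write":
            findings.append("community has read/write permission")
        if "acl" not in tok[4:]:
            findings.append("community is not restricted by an ACL")
    elif tok[1:3] == ["group", "v3"] and tok[4:5] not in (["authentication"], ["privacy"]):
        findings.append("v3 group is neither authenticated nor encrypted")
    elif tok[1:3] == ["usm-user", "v3"]:
        opts = tok[5:]
        i = 1 if opts[:1] == ["cipher"] else 0
        if opts[i:i + 1] != ["authentication-mode"]:
            findings.append("v3 user has no authentication or encryption")
        else:
            if opts[i + 1:i + 2] == ["md5"]:
                findings.append("HMAC-MD5 authentication; sha is the stronger option")
            privacy = opts[i + 3:i + 5]
            if privacy[:1] != ["privacy-mode"]:
                findings.append("no privacy-mode, packets are not encrypted")
            elif privacy[1:] == ["des56"]:
                findings.append("DES encryption; aes128 is the stronger option")
    return findings

def audit_config(text):
    """Map each risky block or line to its findings; keys never contain secrets."""
    report = {}
    for header, cmds in parse_user_interfaces(text):
        if header.split()[1] == "vty" and (found := audit_vty(cmds)):
            report[header] = found
    for number, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if tok[:1] == ["snmp-agent"] and (found := audit_snmp(tok)):
            report[f"line {number}: {' '.join(tok[:3])}"] = found
    return report

if __name__ == "__main__":
    for where, found in audit_config(WEAK_CONFIG).items():
        print(where, *found, sep="\n  - ")
```

AUX user interfaces are skipped because the manual gives them level 3 by default; the report keys carry only line numbers and command keywords, so community names and passwords are not copied into the audit output.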

display this

Syntax
display this [ by-linenum ]

View
Any view

Parameters
by-linenum: Displays configuration information with line numbers.

Description
Use the display this command to display the current configuration performed in the current view. To verify the configuration performed in a view, you can use this command to display the parameters that are valid in the current view.
Note that:
- Effective parameters that are the same as the default are not displayed.
- The configured parameter whose corresponding function does not take effect is not displayed.
- Execution of this command in any user interface view or VLAN view displays the valid configuration parameters in all user interfaces or VLANs.
Related commands: save, reset saved-configuration, display saved-configuration, display current-configuration.

Examples
# Display the configuration parameters that take effect in all user interface views.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] display this
#
user-interface aux 0 4
 idle-timeout 0 0
user-interface aux 5 7
user-interface vty 0
 authentication-mode none
 user privilege level 3
 set authentication password simple 123
 idle-timeout 0 0
user-interface vty 1 4
 authentication-mode none
 user privilege level 3
 set authentication password simple 1
 idle-timeout 0 0
#
return

reset saved-configuration

Syntax
reset saved-configuration [ backup | main ]

View
User view

Parameters
backup: Erases the backup configuration file.
main: Erases the main configuration file.

Description
Use the reset saved-configuration command to erase the configuration file saved in the Flash of a switch.
The following two situations exist:
- While the reset saved-configuration [ main ] command erases the configuration file with main attribute, it only erases the main attribute of a configuration file having both main and backup attribute.
- While the reset saved-configuration backup command erases the configuration file with backup attribute, it only erases the backup attribute of a configuration file having both main and backup attribute.
You may need to erase the configuration file for one of these reasons:
- After you upgrade software, the old configuration file does not match the new software.
- The startup configuration file is corrupted or not the one you need.

- This command will permanently delete the configuration file from the switch.
- An error occurs when you execute this command if the configuration file to be deleted does not exist.
Related commands: save.

Examples
# Erase the main configuration file to be used in the next startup.
<Sysname> reset saved-configuration main
The saved configuration will be erased.
Are you sure?[Y/N]y
Configuration in flash memory is being cleared.
Please wait ...
....
Unit1 reset saved-configuration successfully.

save

Syntax
save [ cfgfile | [ safely ] [ backup | main ] ]

View
Any view

Parameters
cfgfile: Path name or file name of a configuration file in the Flash, a string of 5 to 56 characters.
safely: Saves the current configuration in the safe mode.
backup: Saves the configuration to the backup configuration file.
main: Saves the configuration to the main configuration file.

Description
Use the save command to save the current configuration to a configuration file in the Flash.
When you use this command to save the configuration file,
- If the main and backup keywords are not specified, the current configuration will be saved to the main configuration file.
- If the cfgfile argument is specified, but the file specified by it does not exist, the system will create the file and then save the current configuration to it. The file attribute is neither main nor backup.
- If the cfgfile argument is specified and the file specified by it exists, the system will save the current configuration to the specified file.
The file attribute is the original attribute of the file.
- If the cfgfile argument is not specified, the system will save the current configuration to the configuration file used for this startup. If the switch starts up without loading the configuration file, the system will save the current configuration with the default name (config.cfg) in the root directory.
The system supports two modes for saving the current configuration file.
- Fast saving mode. This is the mode when you use the save command without the safely keyword. The mode saves the file quicker but is likely to lose the original configuration file if the switch reboots or the power fails during the process.
- Safe mode. This is the mode when you use the save command with the safely keyword. The mode saves the file slower but can retain the original configuration file in the Flash even if the switch reboots or the power fails during the process.
When you use the save safely command to save the configuration file, if the switch reboots or the power fails during the saving process, the switch initializes itself in the following two conditions when it starts up next time:
- If a configuration file with the extension .cfg exists in the Flash, the switch uses the configuration file to initialize itself when it starts up next time.
- If there is no .cfg configuration file in the Flash, but there is a configuration file with the extension .cfgbak (backup configuration file containing the original configuration information) or/and a configuration file with the extension .cfgtmp (temporary configuration file containing the current configuration information) in the Flash, you can change the extension .cfgbak or .cfgtmp to .cfg using the rename command. The switch will use the renamed configuration file to initialize itself when it starts up next time.
For details of the rename command, refer to the File System Management part of the manual.
• It is recommended to adopt the fast saving mode in the conditions of stable power and adopt the safe mode in the conditions of unstable power or remote maintenance.
• If you use the save command after a fabric is formed on the switch, the units in the fabric save their own startup configuration files automatically.
• The extension name of the configuration file must be .cfg.

Examples
# Save the current configuration to 123.cfg as the main configuration file for the next startup.
<Sysname> save main
The configuration will be written to the device.
Are you sure?[Y/N]y
Please input the file name(*.cfg)(To leave the existing filename unchanged press the enter key):123.cfg
Now saving current configuration to the device.
Saving configuration. Please wait...
............
Unit1 save configuration flash:/123.cfg successfully
# Save the current configuration to 234.cfg in unit 1.
<Sysname> save unit1>flash:/234.cfg
The current configuration will be saved to unit1>flash:/234.cfg [Y/N]:y
Now saving current configuration to the device.
Saving configuration. Please wait...
...........
Unit1 save configuration unit1>flash:/234.cfg successfully

startup saved-configuration

Syntax
startup saved-configuration cfgfile [ backup | main ]
undo startup saved-configuration [ unit unit-id ]

View
User view

Parameters
cfgfile: Path name or file name of a configuration file in the Flash, a string of 5 to 56 characters.
backup: Specifies the configuration file to be the backup configuration file.
main: Specifies the configuration file to be the main configuration file.
unit unit-id: Specifies a switch by its unit ID. You can configure a switch in the fabric to use null configuration when it restarts by specifying the switch unit ID in unit unit-id.

Description
Use the startup saved-configuration command to specify a configuration file to be the main configuration file or the backup configuration file to be used for the next startup of the switch.
Use the undo startup saved-configuration command to specify a switch to use null configuration when it restarts.
Note that:
• If you execute the startup saved-configuration command with neither the backup nor the main keyword specified, the configuration file identified by the cfgfile argument is specified as the main configuration file to be used for the next startup of the switch.
• If the switch has not joined any fabric, the startup saved-configuration command specifies the configuration file to be used for the next startup of the switch; if the switch has joined a fabric, this command specifies the configuration file to be used for the next startup of all the switches in the fabric.
• If the switch has joined a fabric, without the unit keyword, the undo startup saved-configuration command will specify all the switches in the fabric to use null configuration when they restart; with the unit keyword specified, this command will specify the specified unit in the fabric to use null configuration when it restarts.

The configuration file must use .cfg as its extension name and the startup configuration file must be saved at the root directory in the Flash of the switch.

Related commands: display startup.

Examples
# Configure the configuration file named config.cfg as the main configuration file to be used for the next startup of the current switch, which is not in any fabric.
<Sysname> startup saved-configuration config.cfg main
Please wait......Done!
# When a fabric is formed, configure the configuration file named 123.cfg as the backup configuration file to be used for the next startup of unit 1 in the fabric.
<Sysname> startup saved-configuration unit1>flash:/123.cfg backup
Please wait......Done!
Table of Contents

1 VLAN Configuration Commands
  VLAN Configuration Commands
    description
    display interface Vlan-interface
    display vlan
    interface Vlan-interface
    name
    shutdown
    vlan
  Port-Based VLAN Configuration Commands
    display port
    port
    port access vlan
    port hybrid pvid vlan
    port hybrid vlan
    port link-type
    port trunk permit vlan
    port trunk pvid vlan
  Protocol-Based VLAN Configuration Commands
    display protocol-vlan interface
    display protocol-vlan vlan
    port hybrid protocol-vlan vlan
    protocol-vlan

1 VLAN Configuration Commands

VLAN Configuration Commands

description

Syntax
description text
undo description

View
VLAN view, VLAN interface view

Parameters
text: Case sensitive character string to describe the current VLAN or VLAN interface. Special characters and spaces are allowed. It has:
• 1 to 32 characters for a VLAN description.
• 1 to 80 characters for a VLAN interface description.

Description
Use the description command to configure the description of the current VLAN or VLAN interface.
You can use the description to provide information helping identify the devices or network segment attached to the VLAN or VLAN interface, and so on.
Use the undo description command to restore the default.
By default, the description of a VLAN is its VLAN ID, for example VLAN 0001; the description of a VLAN interface is its name, for example Vlan-interface 1 Interface.
You can display the description of a VLAN or VLAN interface with the display vlan or display interface Vlan-interface command.

Examples
# Configure the description of VLAN 10 as connect to LAB1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 10
[Sysname-vlan10] description connect to LAB1
# Configure the description of VLAN-interface 10 as gateway of LAB1.
[Sysname-vlan10] quit
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] description gateway of LAB1

display interface Vlan-interface

Syntax
display interface Vlan-interface [ vlan-id ]

View
Any view

Parameters
vlan-id: Specifies a VLAN interface number.

Description
Use the display interface Vlan-interface command to display information about the specified VLAN interface or all VLAN interfaces already created if no VLAN interface is specified.
The output of this command shows the state, IP address, description and other information of a VLAN interface. You can use the information to troubleshoot network problems.

Related commands: interface Vlan-interface.

Examples
# Display information about all existing VLAN interfaces.
<Sysname> display interface Vlan-interface
Vlan-interface1 current state :UP
Line protocol current state :UP
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc14-000b
Internet Address is 192.168.0.31/24 Primary
Description : Vlan-interface1 Interface
The Maximum Transmit Unit is 1500

Vlan-interface20 current state :DOWN
Line protocol current state :DOWN
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc14-000b
Internet Address is 1.1.1.1/24 Primary
Internet Address is 1.1.2.1/24 Sub
Description : Vlan-interface20 Interface
The Maximum Transmit Unit is 1500
# Display information about VLAN-interface 2.
<Sysname> display interface Vlan-interface 2
Vlan-interface2 current state : DOWN
Line protocol current state : DOWN
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 000f-e207-4101
Internet Address is 10.1.1.1/24 Primary
Description : Vlan-interface2 Interface
The Maximum Transmit Unit is 1500

Table 1-1 Description on the fields of the display interface Vlan-interface command
Field | Description
Vlan-interface2 current state | The state of the VLAN interface, which can be one of the following:
• Administratively DOWN: This VLAN interface has been manually disabled with the shutdown command.
• DOWN: The administrative state of this VLAN interface is up, but its physical state is down. It indicates that the VLAN corresponding to this interface does not contain ports in up state (possibly because the lines have failed).
• UP: The administrative and physical states of this VLAN interface are both up.
Line protocol current state | The link layer protocol state of the VLAN interface, which can be one of the following:
• DOWN: The protocol state of this VLAN interface is down, usually because no IP address is configured.
• UP: The protocol state of this VLAN interface is up.
IP Sending Frames' Format is PKTFMT_ETHNT_2 | Format of the frames sent from the VLAN interface.
PKTFMT_ETHNT 2 indicates that this VLAN interface sends Ethernet II frames. Refer to the VLAN configuration part in the accompanied operation manual for information about frame formats.
Hardware address | MAC address corresponding to the VLAN interface
Internet Address | IP address corresponding to the VLAN interface
10.1.1.1/24 Primary | Primary IP address of this VLAN interface
1.1.2.1/24 Sub | Secondary IP address of this VLAN interface
Description | Description string of the VLAN interface
The Maximum Transmit Unit | Maximum transmission unit (MTU)

For information about how to configure an IP address for a VLAN interface, refer to the description on the ip address command in the IP Address and Performance Command part.

display vlan

Syntax
display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | static ]

View
Any view

Parameters
vlan-id1: Specifies the ID of a VLAN of which information is to be displayed, in the range of 1 to 4094.
to vlan-id2: In conjunction with vlan-id1, define a VLAN range to display information about all existing VLANs in the range. The vlan-id2 argument takes a value in the range of 1 to 4094, and must not be less than that of vlan-id1.
all: Displays information about all the VLANs.
dynamic: Displays the number of dynamic VLANs and the ID of each dynamic VLAN. Dynamic VLANs refer to VLANs that are generated through GVRP or those distributed by a RADIUS server.
static: Displays the number of static VLANs and the ID of each static VLAN. Static VLANs refer to VLANs manually created.

Description
Use the display vlan command to display information about VLANs. The output shows the ID, type, VLAN interface state and member ports of a VLAN.
If no keyword or argument is specified, the command displays the number of existing VLANs in the system and the ID of each VLAN.

Related commands: vlan.

Examples
# Display information about VLAN 1.
<Sysname> display vlan 1
VLAN ID: 1
VLAN Type: static
Route Interface: configured
IP Address: 192.168.0.39
Subnet Mask: 255.255.255.0
Description: VLAN 0001
Name: VLAN 0001
Tagged Ports:
  Ethernet1/0/1
Untagged Ports:
  Ethernet1/0/2

Table 1-2 Description on the fields of the display vlan command
Field | Description
VLAN ID | VLAN ID.
VLAN Type | VLAN type (dynamic or static).
Route Interface | Indicates whether the VLAN interface of the VLAN is configured with an IP address for routing.
IP Address | Primary IP address of the VLAN interface (available only on a VLAN interface configured with an IP address). You can use the display interface vlan-interface command in any view or the display this command in VLAN interface view to display its secondary IP address(es), if any.
Subnet Mask | Subnet mask of the IP address of the VLAN interface.
Description | Description of the VLAN.
Name | VLAN name.
Tagged Ports | Ports out of which packets are sent tagged.
Untagged Ports | Ports out of which packets are sent untagged.

interface Vlan-interface

Syntax
interface Vlan-interface vlan-id
undo interface Vlan-interface vlan-id

View
System view

Parameters
vlan-id: Specifies the ID of a VLAN interface, in the range of 1 to 4094.

Description
Use the interface Vlan-interface command to create the VLAN interface for a VLAN and enter VLAN interface view.
Use the undo interface Vlan-interface command to delete a VLAN interface.
You can create a VLAN interface only for an existing VLAN and must ensure that the ID of the VLAN interface is the same as the VLAN ID.
You can use the ip address command in VLAN interface view (refer to the IP Address and Performance Command part for the command description) to configure an IP address for this VLAN interface to enable it to route packets for the devices in the corresponding VLAN.

Related commands: display interface Vlan-interface.

Examples
# Create the VLAN interface for VLAN 1 and enter VLAN-interface 1 view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1]

name

Syntax
name text
undo name

View
VLAN view

Parameters
text: VLAN name, a description of 1 to 32 characters. It can contain special characters and spaces.

Description
Use the name command to assign a name to the current VLAN.
Use the undo name command to restore the default VLAN name.
When 802.1x or MAC address authentication is configured on the switch, a RADIUS server may be used to deploy VLANs (either named or numbered) on the ports that have passed authentication. If a named VLAN is deployed, you must use the name command to associate the VLAN name with the intended VLAN ID. The name of a VLAN must be unique among all VLANs.
By default, the name of a VLAN is its VLAN ID, VLAN 0001 for example.

Examples
# Specify the name of VLAN 2 as test vlan.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 2
[Sysname-vlan2] name test vlan

shutdown

Syntax
shutdown
undo shutdown

View
VLAN interface view

Parameters
None

Description
Use the shutdown command to administratively shut down the VLAN interface.
Use the undo shutdown command to bring up the VLAN interface.
By default, a VLAN interface is administratively enabled. In this case, the physical state of the VLAN interface is affected by that of the ports in the VLAN.
• When all the Ethernet ports in the VLAN are down, the VLAN interface of the VLAN is down, that is, disabled.
• When one or more Ethernet ports in the VLAN are up, the VLAN interface of the VLAN is up, that is, enabled.
If you shut down the VLAN interface manually, the administrative state of the VLAN interface will always be down, regardless of the state of the ports in the VLAN.

You can use the undo shutdown command to enable a VLAN interface when its related parameters and protocols are configured.
When a VLAN interface fails, you can use the shutdown command to disable the interface, and then use the undo shutdown command to enable this interface again, which may restore the interface.
Enabling or disabling a VLAN interface does not influence the state of the Ethernet ports belonging to this VLAN.

Related commands: display interface Vlan-interface.

Examples
# Disable the VLAN-interface2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 2
[Sysname-Vlan-interface2] shutdown

vlan

Syntax
vlan { vlan-id1 [ to vlan-id2 ] | all }
undo vlan { vlan-id1 [ to vlan-id2 ] | all }

View
System view

Parameters
vlan-id1: Specifies the ID of the VLAN you want to create or remove, in the range of 1 to 4094.
to vlan-id2: In conjunction with vlan-id1, specify a VLAN ID range you want to create or remove. The vlan-id2 argument takes a value in the range of 1 to 4094, and must not be less than that of vlan-id1.
all: Creates or removes all existing VLANs except those configured with other functions.

Description
Use the vlan command to create VLANs. If you create only one VLAN, you enter the view of the VLAN upon its creation; if the specified VLAN already exists, you enter its VLAN view directly.
Use the undo vlan command to remove VLANs.
By default, only VLAN 1 exists in the system.

• VLAN 1 is the default VLAN and cannot be removed.
• You cannot use the undo vlan command to directly remove the VLANs reserved by the protocol, voice VLAN, control VLANs for Smart Link, probe VLANs for remote mirroring, or VLANs used for performing any other features. To remove them, you must remove the associations of them with the features.
• After you use the undo vlan command to remove a VLAN functioning as the default VLAN of a trunk or a hybrid port, the configuration of the default VLAN on the trunk port or hybrid port does not change. The port will continue to use the removed VLAN as its default VLAN.

Examples
# Create VLAN 5 and enter its VLAN view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 5
[Sysname-vlan5]
# Remove VLAN 5.
[Sysname-vlan5] quit
[Sysname] undo vlan 5
# Create VLAN 4 through VLAN 100.
[Sysname] vlan 4 to 100
Please wait............. Done.
# Remove VLAN 2 through VLAN 9 in bulk. VLAN 7 is the voice VLAN.
[Sysname] undo vlan 2 to 9
Note:The VLAN kept by protocol, the voice VLAN, the default VLAN, the management VLAN and the remote probe VLAN will not be deleted!
Please wait... Done.
[Sysname] display vlan
The following VLANs exist:
1(default), 7
The above output information indicates that VLAN 7 (the voice VLAN) cannot be removed, while the other VLANs are removed successfully.

Port-Based VLAN Configuration Commands

display port

Syntax
display port { hybrid | trunk }

View
Any view

Parameters
hybrid: Displays hybrid ports.
trunk: Displays trunk ports.

Description
Use the display port command to display the existing hybrid or trunk ports, if any.
For information about port type configuration, refer to the port link-type command.

Examples
# Display the existing hybrid ports.
<Sysname> display port hybrid
The following hybrid ports exist:
Ethernet1/0/1 Ethernet1/0/2
The above information shows the current system has two hybrid ports: Ethernet 1/0/1 and Ethernet 1/0/2.

port

Syntax
port interface-list
undo port interface-list

View
VLAN view

Parameters
interface-list: List of the Ethernet ports to be added to or removed from the current VLAN. In this list, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value no less than interface-number1. The total number of individual ports and port ranges defined in the list must not exceed 10.

Description
Use the port command to assign one or multiple access ports to the current VLAN.
Use the undo port command to remove the specified access port(s) from the current VLAN.
The command applies to access ports only. For information about how to assign trunk or hybrid ports to a VLAN or remove them from a VLAN, refer to the port hybrid vlan command and the port trunk permit vlan command. For port type configuration, refer to the port link-type command.

Related commands: display vlan.

Examples
# Assign Ethernet1/0/2 through Ethernet1/0/4 to VLAN 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 2
[Sysname-vlan2] port Ethernet 1/0/2 to Ethernet 1/0/4

port access vlan

Syntax
port access vlan vlan-id
undo port access vlan

View
Ethernet port view

Parameters
vlan-id: Specifies the ID of the VLAN to which you want to assign the current port, in the range of 1 to 4094. The specified VLAN must already exist.

By default, all access ports belong to VLAN 1. You cannot assign an access port to or remove an access port from VLAN 1 with the port access vlan command or its undo form. To return an access port that has been assigned to a VLAN other than VLAN 1 to VLAN 1, use the undo port access vlan command.

Description
Use the port access vlan command to assign the current access port to the specified VLAN.
Use the undo port access vlan command to remove the access port from the specified VLAN. After that, the access port joins VLAN 1 automatically.

Examples
# Assign Ethernet 1/0/1 to VLAN 3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port access vlan 3

port hybrid pvid vlan

Syntax
port hybrid pvid vlan vlan-id
undo port hybrid pvid

View
Ethernet port view

Parameters
vlan-id: Specifies the default VLAN ID of the current hybrid port, in the range of 1 to 4094. The specified VLAN can be one already created or not.

Description
Use the port hybrid pvid vlan command to set the default VLAN ID of the hybrid port.
Use the undo port hybrid pvid command to restore the default VLAN ID of the hybrid port.
If the specified default VLAN has been removed or is not carried on the hybrid port, the port will be unable to receive VLAN untagged packets. You can configure a hybrid port to permit the packets of its default VLAN to pass through with the port hybrid vlan command.

Related commands: port link-type, port hybrid vlan.

The local and remote hybrid ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted properly.

Examples
# Set the default VLAN ID of the hybrid port Ethernet 1/0/1 to 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet1/0/1
[Sysname-Ethernet1/0/1] port link-type hybrid
[Sysname-Ethernet1/0/1] port hybrid pvid vlan 100

port hybrid vlan

Syntax
port hybrid vlan vlan-id-list { tagged | untagged }
undo port hybrid vlan vlan-id-list

View
Ethernet port view

Parameters
vlan-id-list: List of the VLANs that the current hybrid port will be assigned to or removed from. In this list, you can specify individual VLAN IDs (each in the form of vlan-id) and VLAN ID ranges (each in the form of vlan-id1 to vlan-id2). Specify each VLAN ID in the range of 1 to 4094 and ensure that vlan-id2 is no less than vlan-id1. The total number of individual VLAN IDs and VLAN ID ranges defined in the list must not exceed 10. Be sure that the specified VLANs already exist.
tagged: Keeps VLAN tags when the packets of the specified VLANs are forwarded on the port.
untagged: Removes VLAN tags when the packets of the specified VLANs are forwarded on the port.

Description
Use the port hybrid vlan command to assign the hybrid port to one or multiple VLANs and configure the port to send packets tagged or untagged for the VLAN(s).
Use the undo port hybrid vlan command to remove the hybrid port from the specified VLAN(s).
By default, a hybrid port only allows packets from VLAN 1 to pass through untagged.
You can configure the port hybrid vlan vlan-id-list { tagged | untagged } command multiple times. The VLANs specified each time do not overwrite those configured before, if any.
The VLAN specified by the vlan-id argument must already exist. Otherwise, this command is invalid.

Related commands: port link-type.

Examples
# Assign hybrid port Ethernet 1/0/1 to VLAN 2, VLAN 4, and VLAN 50 through VLAN 100; configure the port to keep VLAN tags when sending the packets of these VLANs.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type hybrid
[Sysname-Ethernet1/0/1] port hybrid vlan 2 4 50 to 100 tagged

port link-type

Syntax
port link-type { access | hybrid | trunk | irf-fabric }
undo port link-type

View
Ethernet port view

Parameters
access: Sets the link type of the current port to access.
hybrid: Sets the link type of the current port to hybrid.
trunk: Sets the link type of the current port to trunk.
irf-fabric: This argument is used for configuring a fabric port and is beyond the scope of VLAN Command. For how to use the keyword, refer to IRF Fabric Command of this manual.

Description
Use the port link-type command to set the link type of the Ethernet port.
Use the undo port link-type command to restore the default link type.
The default link type of an Ethernet port is access.
To change the link type of a port from hybrid to trunk or vice versa, you need to change the link type to access first.

Examples
# Configure Ethernet 1/0/1 as a trunk port.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk

port trunk permit vlan

Syntax
port trunk permit vlan { vlan-id-list | all }
undo port trunk permit vlan { vlan-id-list | all }

View
Ethernet port view

Parameters
vlan-id-list: List of the VLANs that the current trunk port will be assigned to or removed from. In this list, you can specify individual VLAN IDs (each in the form of vlan-id) and VLAN ID ranges (each in the form of vlan-id1 to vlan-id2). Specify each VLAN ID in the range of 1 to 4094 and ensure that vlan-id2 is no less than vlan-id1. The total number of individual VLAN IDs and VLAN ID ranges defined in the list must not exceed 10.
all: Assigns the trunk port to all VLANs. On a GVRP-enabled trunk port, you must configure the port trunk permit vlan all command to ensure that the traffic of all dynamically registered VLANs can pass through. However, when GVRP is disabled, you are discouraged from configuring the keyword. This is to prevent users of unauthorized VLANs from accessing restricted resources through the port.

Description
Use the port trunk permit vlan command to assign the trunk port to the specified VLAN(s), that is, to allow packets from these VLANs to pass through the port.
Use the undo port trunk permit vlan command to remove the trunk port from the specified VLAN(s).
By default, a trunk port belongs to VLAN 1 only.
On a trunk port, only traffic of the default VLAN can pass through untagged.
You can perform the command multiple times. The VLANs specified each time do not overwrite those configured before, if any.

Related commands: port link-type.

Examples
# Assign the trunk port Ethernet 1/0/1 to VLAN 2, VLAN 4, and VLAN 50 through VLAN 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] port trunk permit vlan 2 4 50 to 100
Please wait... Done.
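
An offline audit for the trunk and hybrid port settings this manual cautions about, as an added example that is not part of the H3C manual: it flags trunk ports that permit all VLANs while GVRP is not enabled on them, and trunk or hybrid ports whose default VLAN has not been created or is not carried on the port. The listing layout (one command per line, stanzas separated by #, GVRP shown as a gvrp line under the interface) and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample listing (not from the manual): one command per line,
# stanzas separated by "#". A "gvrp" line under the port is an assumption.
SAMPLE_CONFIG = """\
vlan 1
#
vlan 2
#
vlan 50 to 60
#
interface Ethernet1/0/1
 port link-type trunk
 port trunk permit vlan all
#
interface Ethernet1/0/2
 gvrp
 port link-type trunk
 port trunk permit vlan all
#
interface Ethernet1/0/3
 port link-type trunk
 port trunk permit vlan 2 50 to 60
 port trunk pvid vlan 100
#
interface Ethernet1/0/4
 port link-type hybrid
 port hybrid vlan 50 untagged
 port hybrid pvid vlan 50
#
interface Ethernet1/0/5
 port link-type hybrid
 port hybrid vlan 2 50 to 55 tagged
 port hybrid pvid vlan 60
"""

def parse_vlan_list(text):
    """Expand a vlan-id-list such as '2 4 50 to 100' into a set of VLAN IDs."""
    tokens, vlans, items, i = text.split(), set(), 0, 0
    while i < len(tokens):
        first = last = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            last = int(tokens[i + 2])
            i += 2
        i += 1
        items += 1
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"invalid VLAN ID or range: {first} to {last}")
        if items > 10:  # the manual caps a list at 10 IDs and ranges in total
            raise ValueError("more than 10 VLAN IDs and ranges in one list")
        vlans.update(range(first, last + 1))
    return vlans

def audit(config):
    """Return (port, finding) pairs for risky trunk/hybrid VLAN settings."""
    existing = {1}  # VLAN 1 always exists and cannot be removed
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            cur = None
        elif line.startswith("interface "):
            # Defaults: access link type, member of VLAN 1, default VLAN ID 1.
            cur = ports.setdefault(line.split(None, 1)[1], {
                "type": "access", "carried": {1}, "all": False,
                "gvrp": False, "pvid": 1})
        elif cur is None:
            m = re.fullmatch(r"vlan (\d+(?: to \d+)?)", line)
            if m:
                existing |= parse_vlan_list(m.group(1))
        elif line == "gvrp":
            cur["gvrp"] = True
        elif line.startswith("port link-type "):
            cur["type"] = line.split()[-1]
        elif line == "port trunk permit vlan all":
            cur["all"] = True
        elif m := re.fullmatch(r"port trunk permit vlan (.+)", line):
            cur["carried"] |= parse_vlan_list(m.group(1))
        elif m := re.fullmatch(r"port hybrid vlan (.+) (?:tagged|untagged)", line):
            cur["carried"] |= parse_vlan_list(m.group(1))
        elif m := re.fullmatch(r"port (?:trunk|hybrid) pvid vlan (\d+)", line):
            cur["pvid"] = int(m.group(1))
    findings = []
    for name, p in ports.items():
        if p["type"] not in ("trunk", "hybrid"):
            continue
        if p["type"] == "trunk" and p["all"] and not p["gvrp"]:
            findings.append((name, "PERMIT_ALL_WITHOUT_GVRP"))
        if p["pvid"] not in existing:
            findings.append((name, "PVID_VLAN_NOT_CREATED"))
        if not p["all"] and p["pvid"] not in p["carried"]:
            findings.append((name, "PVID_NOT_CARRIED"))
    return findings

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG):
        print(port, finding)
```
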

port trunk pvid vlan

Syntax
port trunk pvid vlan vlan-id
undo port trunk pvid

View
Ethernet port view

Parameters
vlan-id: Specifies the default VLAN ID of the current port, in the range of 1 to 4094.

Description
Use the port trunk pvid vlan command to set the default VLAN ID for the trunk port. A trunk port sends packets of the default VLAN untagged.
Use the undo port trunk pvid command to restore the default.
By default, the default VLAN ID of a trunk port is VLAN 1.
After configuring the default VLAN of a trunk port, you need to use the port trunk permit vlan command to configure the trunk port to allow the packets of the default VLAN to pass through.
If the specified default VLAN has been removed or is not carried on the trunk port, the port will be unable to receive VLAN untagged packets.

The local and remote trunk ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted properly.

Related commands: port link-type, port trunk permit vlan.

Examples
# Set the default VLAN ID of the trunk port Ethernet 1/0/1 to 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] port trunk pvid vlan 100

Protocol-Based VLAN Configuration Commands

display protocol-vlan interface

Syntax
display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ] | all }

View
Any view

Parameters
interface-type interface-number: Specify a port by its type and number to display the protocol VLAN(s) bound with the port. You can use the interface-type interface-number to interface-type interface-number keyword and argument combination to specify a port range to display the protocol template information of the ports bound with protocol VLAN(s) in the range. When defining a port range, note that the second port must not be less than the first port.
all: Displays all the ports bound with at least one protocol VLAN and the associated protocol templates.

Description
Use the display protocol-vlan interface command to display information about protocol-based VLANs and protocol templates for the specified port(s).

Related commands: port hybrid protocol-vlan vlan, protocol-vlan.

Examples
# Display the protocol VLAN information of ports Ethernet1/0/1 and Ethernet1/0/2.
<Sysname> display protocol-vlan interface Ethernet 1/0/1 to Ethernet 1/0/2
Interface: Ethernet1/0/1
VLAN ID   Protocol-Index   Protocol-type
50        0                ip
80        1                ip
100       0                ip
100       1                ipx ethernetii
Interface: Ethernet1/0/2
VLAN ID   Protocol-Index   Protocol-type
50        1                ipx raw
80        2                at
100       3                snap etype 0x0abc
100       4                llc dsap 0xac ssap 0xbd

Table 1-3 Description on the fields of the display vlan command
Field | Description
Interface | Interface bound with at least one protocol VLAN
VLAN ID | ID of a protocol VLAN bound with the interface
Protocol-Index | Protocol template index
Protocol-type | Protocol type specified by the protocol template. Refer to the protocol-vlan command for detailed description.

display protocol-vlan vlan

Syntax
display protocol-vlan vlan { vlan-id1 [ to vlan-id2 ] | all }

View
Any view

Parameters
vlan-id1: Specifies a VLAN ID in the range of 1 to 4094, of which the protocol VLAN configuration information is to be displayed.
to vlan-id2: In conjunction with vlan-id1, define a VLAN range to display the protocol template configurations of all protocol VLANs in the range. The vlan-id2 argument takes a value in the range of 1 to 4094, and must not be less than that of vlan-id1.
all: Displays all protocol VLANs and their protocol template information.

Description
Use the display protocol-vlan vlan command to display information about protocol VLANs.

Related commands: protocol-vlan.

Examples
# Display the protocol information and protocol indexes configured for VLAN 10 through VLAN 20.
<Sysname> display protocol-vlan vlan 10 to 20
VLAN ID: 10
VLAN Type: Protocol-based VLAN
Protocol-Index   Protocol-Type
0                ip
1                ip
2                ipx ethernetii
3                at
VLAN ID: 15
VLAN Type: Protocol-based VLAN
Protocol-Index   Protocol-Type
0                ip
1                snap etype 0x0abcd

Table 1-4 Description on the fields of the display protocol-vlan vlan command

| Field | Description |
|---|---|
| VLAN ID | Protocol VLAN ID |
| VLAN Type | VLAN type. Here, it refers to Protocol-based VLAN |
| Protocol-Index | Protocol template index |
| Protocol-Type | Protocol type specified in the protocol template. Refer to the protocol-vlan command for detailed description. |

port hybrid protocol-vlan vlan

Syntax
port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-index-end ] | all }
undo port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-index-end ] | all }

View
Ethernet port view

Parameters
vlan-id: Specifies the ID of the protocol VLAN bound with the port. The value range is 1 to 4094. At least one protocol template must have been configured for the VLAN.
protocol-index: Specifies a protocol template, in the range of 0 to 4.
to protocol-index-end: In conjunction with protocol-index, specify a protocol index range. The protocol-index-end argument takes a value in the range of 0 to 4 and must be greater than protocol-index.
all: Specifies all protocol indexes. With the all keyword, the port hybrid protocol-vlan vlan command binds the port with all the protocol templates of the specified protocol VLAN, and the undo form of the command removes the associations between the port and all the protocol templates of the specified protocol VLAN.

Description
Use the port hybrid protocol-vlan vlan command to bind the port with the specified protocol template(s) of a protocol VLAN.
Use the undo port hybrid protocol-vlan vlan command to remove the binding between the port and the specified protocol template(s) of a protocol VLAN.

- The port hybrid protocol-vlan vlan command is available on hybrid ports only.
- Before you bind a port with a protocol VLAN, assign the port to the VLAN with the port hybrid vlan command. Otherwise, the binding will fail.
- To bind a protocol template to a port in a VLAN successfully, you must ensure that the protocol template has been created in the VLAN. If the protocol template you are binding with the port has not been created in the VLAN, the system will display the operation failure message. If some of the protocol templates you are binding with the port have not been created in the VLAN, the system does not display error messages while binding those already created with the port.
- When you remove the binding between a port and a protocol template, the system will report operation failure if the index of the specified protocol to be removed does not exist. If a part of the specified protocol indexes to be removed do not exist, the switch will remove the existing indexes when it prompts errors.

Related commands: display protocol-vlan interface.

Examples
# Bind Ethernet 1/0/1 with the protocols indexed from 0 to 2 of VLAN 3 (assuming that VLAN 3 is a protocol VLAN).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port hybrid protocol-vlan vlan 3 0 to 2
# Remove the binding between Ethernet 1/0/1 and protocols indexed from 1 to 4 of VLAN 3.
[Sysname-Ethernet1/0/1] undo port hybrid protocol-vlan vlan 3 1 to 4
Protocol index 1 does not exist in VLAN 3
Protocol index 4 does not exist in VLAN 3

protocol-vlan

Syntax
protocol-vlan [ protocol-index ] { at | ip | ipx { ethernetii | llc | raw | snap } | mode { ethernetii etype etype-id | llc dsap dsap-id ssap ssap-id | snap etype etype-id } }
undo protocol-vlan { protocol-index [ to protocol-index-end ] | all }

View
VLAN view

Parameters
at: Creates the AppleTalk-based protocol template.
ip: Creates the IP-based protocol template.
ipx: Creates the IPX-based protocol template.
The ethernetii, llc, raw and snap keywords represent four IPX encapsulation formats. For more information about encapsulation formats, refer to the accompanying operation manual.
mode: Configures a user-defined protocol template.
ethernetii etype-id: Creates the protocol template that matches the Ethernet II encapsulation format and the corresponding protocol type value of the packet. The etype-id argument indicates the protocol type value and ranges from 0x0600 to 0xFFFF (excluding 0x0800, 0x8137, and 0x809b).
llc: Creates the protocol template that matches LLC encapsulation format.
dsap-id: Destination service access point. This argument ranges from 0x00 to 0xFF.
ssap-id: Source service access point. This argument ranges from 0x00 to 0xFF.
snap etype-id: Creates a protocol template that matches SNAP encapsulation format and the corresponding protocol type value of the packet. The etype-id argument indicates the protocol type value and ranges from 0x0600 to 0xFFFF.
protocol-index: Beginning protocol index ranging from 0 to 4. If you do not specify this argument, the beginning protocol index will be determined by the system.
protocol-index-end: End protocol index ranging from 0 to 4. Note that this argument must be larger than or equal to the protocol-index argument.
all: Deletes all the protocol templates.

When you use the mode keyword to configure a user-defined protocol template, if you set the etype-id argument for Ethernet II or SNAP packets to 0x0800, 0x8137, or 0x809B, the matching packets will have the same format as that of IP, IPX, and AppleTalk packets respectively. To prevent two commands from processing packets of the same matching conditions in different ways, the switch will prompt that you cannot set the etype-id argument for Ethernet II or SNAP packets to 0x0800, 0x8137, or 0x809B.

Description
Use the protocol-vlan command to configure the protocol template used for classifying protocol-based VLANs.
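How the template parameters above select frames, as an added example (not H3C's code): a simplified Python model that validates user-defined templates against the stated ranges and classifies constructed frames, showing that an ARP frame (EtherType 0x0806) falls outside the ip template until a user-defined template covers it. The tuple encoding of templates, the function names, and the assumption that the built-in ip template covers EtherType 0x0800 in both Ethernet II and SNAP encapsulation are illustrative; the ipx and at templates are left out.

```python
import struct

# EtherTypes the page ties to the built-in ip, ipx and at templates; the page
# says the switch refuses them in user-defined (mode) templates.
RESERVED_ETYPES = {0x0800: "ip", 0x8137: "ipx", 0x809B: "at"}
BROADCAST = b"\xff" * 6
SRC_MAC = b"\x02\x00\x00\x00\x00\x01"  # constructed, locally administered address


def parse_encapsulation(frame):
    """Return the encapsulation key of an untagged Ethernet frame:
    ("ethernetii", etype), ("snap", etype), ("llc", dsap, ssap) or ("raw",)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (type_len,) = struct.unpack("!H", frame[12:14])
    if type_len >= 0x0600:            # Ethernet II: the field is an EtherType
        return ("ethernetii", type_len)
    payload = frame[14:]              # 802.3: the field is a length, LLC follows
    if len(payload) < 3:
        raise ValueError("802.3 frame too short for an LLC header")
    if payload[:2] == b"\xff\xff":    # raw 802.3 (IPX header directly after length)
        return ("raw",)
    dsap, ssap = payload[0], payload[1]
    if (dsap, ssap) == (0xAA, 0xAA):  # SNAP: AA-AA-03, 3-byte OUI, 2-byte type
        if len(payload) < 8:
            raise ValueError("truncated SNAP header")
        (etype,) = struct.unpack("!H", payload[6:8])
        return ("snap", etype)
    return ("llc", dsap, ssap)


def validate_template(tpl):
    """Apply the page's range rules to one template tuple; raise ValueError if invalid."""
    kind = tpl[0]
    if kind == "ip":
        return tpl
    if kind in ("ethernetii", "snap") and len(tpl) == 2:
        etype = tpl[1]
        if not 0x0600 <= etype <= 0xFFFF:
            raise ValueError("etype-id must be in 0x0600-0xFFFF")
        if etype in RESERVED_ETYPES:
            raise ValueError(
                f"etype 0x{etype:04x} overlaps the built-in {RESERVED_ETYPES[etype]} template")
        return tpl
    if kind == "llc" and len(tpl) == 3:
        if not all(0x00 <= v <= 0xFF for v in tpl[1:]):
            raise ValueError("dsap-id and ssap-id must be in 0x00-0xFF")
        return tpl
    raise ValueError(f"unsupported template: {tpl!r}")


def template_matches(tpl, key):
    if tpl[0] == "ip":
        # Assumption: the ip template covers EtherType 0x0800 in both encapsulations.
        return key in (("ethernetii", 0x0800), ("snap", 0x0800))
    return tpl == key                 # user-defined templates match their exact key


def classify(frame, templates):
    """templates maps protocol-index (0 to 4) to a template tuple.
    Returns the lowest matching index, or None when no template matches."""
    key = parse_encapsulation(frame)
    for index in sorted(templates):
        if template_matches(templates[index], key):
            return index
    return None


def eth2_frame(etype):
    """Constructed Ethernet II frame with a zeroed 46-byte payload."""
    return BROADCAST + SRC_MAC + struct.pack("!H", etype) + b"\x00" * 46


def snap_frame(etype):
    """Constructed 802.3 frame carrying an LLC/SNAP header (OUI 00-00-00)."""
    body = b"\xaa\xaa\x03" + b"\x00\x00\x00" + struct.pack("!H", etype) + b"\x00" * 38
    return BROADCAST + SRC_MAC + struct.pack("!H", len(body)) + body


def demo():
    vlan3 = {0: validate_template(("ip",))}           # protocol-vlan ip
    results = {
        "ip_only_ip": classify(eth2_frame(0x0800), vlan3),
        "ip_only_arp": classify(eth2_frame(0x0806), vlan3),
    }
    vlan3[1] = validate_template(("ethernetii", 0x0806))  # mode ethernetii etype 0806
    vlan3[2] = validate_template(("snap", 0x0806))        # mode snap etype 0806
    results["arp_eth2"] = classify(eth2_frame(0x0806), vlan3)
    results["arp_snap"] = classify(snap_frame(0x0806), vlan3)
    return results


if __name__ == "__main__":
    for name, index in demo().items():
        print(f"{name}: {index}")
```
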
Use the undo protocol-vlan command to disable the configuration.
By default, no protocol template is configured.
Related commands: display protocol-vlan vlan.

Examples
# Configure VLAN 3 as a protocol-based VLAN and assign IP packets to VLAN 3 for transmission.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 3
[Sysname-vlan3] protocol-vlan ip

Because the IP protocol is closely associated with the ARP protocol, you are recommended to configure the ARP protocol type when configuring the IP protocol type and to associate the two protocol types with the same port. Otherwise, ARP packets and IP packets may not be assigned to the same VLAN, which will cause IP address resolution failure.

# Configure an ARP protocol template. The code for the ARP protocol is 0x0806.
- Perform the following command when Ethernet encapsulation is used.
[Sysname-vlan3] protocol-vlan mode ethernetii etype 0806
- Perform the following configuration when 802.3 encapsulation format is used.
[Sysname-vlan3] protocol-vlan mode snap etype 0806

Table of Contents
1 IP Address Configuration Commands
  IP Address Configuration Commands
    display ip interface
    display ip interface brief
    ip address
2 IP Performance Configuration Commands
  IP Performance Configuration Commands
    display fib
    display fib ip-address
    display fib acl
    display fib |
    display fib ip-prefix
    display fib statistics
    display icmp statistics
    display ip socket
    display ip statistics
    display tcp statistics
    display tcp status
    display udp statistics
    icmp redirect send
    icmp unreach send
    ip forward-broadcast
    reset ip statistics
    reset tcp statistics
    reset udp statistics
    tcp timer fin-timeout
    tcp timer syn-timeout
    tcp window

1 IP Address Configuration Commands

IP Address Configuration Commands

display ip interface

Syntax
display ip interface [ interface-type interface-number ]

View
Any view

Parameters
interface-type interface-number: Specifies an interface by its type and number.

Description
Use the display ip interface command to display information about a specified or all Layer 3 interfaces. If no argument is specified, information about all Layer 3 interfaces is displayed.

Examples
# Display information about VLAN-interface 1.
<Sysname> display ip interface Vlan-interface 1
Vlan-interface1 current state :UP
Line protocol current state :UP
Internet Address is 192.168.0.39/24 Primary
Broadcast address : 192.168.0.255
The Maximum Transmit Unit : 1500 bytes
IP packets input number: 9678, bytes: 475001, multicasts: 7
IP packets output number: 8622, bytes: 391084, multicasts: 0
TTL invalid packet number: 0
ICMP packet input number: 0
  Echo reply: 0
  Unreachable: 0
  Source quench: 0
  Routing redirect: 0
  Echo request: 0
  Router advert: 0
  Router solicit: 0
  Time exceed: 0
  IP header bad: 0
  Timestamp request: 0
  Timestamp reply: 0
  Information request: 0
  Information reply: 0
  Netmask request: 0
  Netmask reply: 0
  Unknown type: 0

Table 1-1 Description on the fields of the display ip interface command

| Field | Description |
|---|---|
| Vlan-interface1 current state | Current physical state of VLAN-interface 1 |
| Line protocol current state | Current state of the link layer protocol |
| Internet Address | IP address of the interface followed by: Primary: Identifies a primary IP address, or Sub: Identifies a secondary IP address. |
| Broadcast address | Directed broadcast address of the subnet attached to the interface |
| The Maximum Transmit Unit | Maximum transmission unit on the interface |
| IP packets input number: 9678, bytes: 475001, multicasts: 7; IP packets output number: 8622, bytes: 391084, multicasts: 0 | Total number of packets, bytes, and multicast packets forwarded and received on the interface |
| TTL invalid packet number | Number of received invalid TTL packets |
| ICMP packet input number: 0; Echo reply: 0; Unreachable: 0; Source quench: 0; Routing redirect: 0; Echo request: 0; Router advert: 0; Router solicit: 0; Time exceed: 0; IP header bad: 0; Timestamp request: 0; Timestamp reply: 0; Information request: 0; Information reply: 0; Netmask request: 0; Netmask reply: 0; Unknown type: 0 | Total number of received ICMP packets, including: Echo reply packet, unreachable packet, source quench packet, routing redirect packet, Echo request packet, router advert packet, router solicit packet, time exceed packet, IP header bad packet, timestamp request packet, timestamp reply packet, information request packet, information reply packet, netmask request packet, netmask reply packet, and unknown types of packets. |

display ip interface brief

Syntax
display ip interface brief [ interface-type [ interface-number ] ]

View
Any view

Parameters
interface-type: Interface type.
interface-number: Interface number.

Description
Use the display ip interface brief command to display brief information about a specified or all Layer 3 interfaces.
With no argument included, the command displays information about all layer 3 interfaces; with only the interface type specified, it displays information about all layer 3 interfaces of the specified type; with both the interface type and interface number specified, it displays information about the specified interface.
Related commands: display ip interface.

Examples
# Display brief information about VLAN-interface 1.
<Sysname> display ip interface brief vlan-interface 1
*down: administratively down
(l): loopback
(s): spoofing
Interface          IP Address      Physical   Protocol   Description
Vlan-interface1    192.168.0.39    up         up         Vlan-inte...

Table 1-2 Description on the fields of the display ip interface brief command

| Field | Description |
|---|---|
| *down | The interface is administratively shut down with the shutdown command. |
| (s) | Spoofing attribute of the interface. It indicates that the interface whose link layer protocol is displayed up may have no such a link present or the link is set up only on demand. |
| Interface | Interface name |
| IP Address | IP address of the interface (If no IP address is configured, “unassigned” is displayed.) |
| Physical | Physical state of the interface |
| Protocol | Link layer protocol state of the interface |
| Description | Interface description information. If the description has no more than 12 characters, the whole description can be displayed. If it has more than 12 characters, only the first nine characters are displayed. |

ip address

Syntax
ip address ip-address { mask | mask-length } [ sub ]
undo ip address [ ip-address { mask | mask-length } [ sub ] ]

View
VLAN interface view, loopback interface view

Parameters
ip-address: IP address, in dotted decimal notation.
mask: Subnet mask, in dotted decimal notation.
mask-length: Subnet mask length, the number of consecutive ones in the mask. It is in the range of 0 to 32.
sub: Specifies a secondary IP address of a VLAN or loopback interface.

Description
Use the ip address command to specify an IP address and mask for a VLAN or loopback interface.
Use the undo ip address command to remove an IP address and mask of a VLAN or loopback interface.
By default, no IP address is configured for VLAN or loopback interface.
Note that:
- If you execute the undo ip address command without any parameter, the switch deletes both primary and secondary IP addresses of the interface.
- The undo ip address ip-address { mask | mask-length } command is used to delete the primary IP address.
- The undo ip address ip-address { mask | mask-length } sub command is used to delete specified secondary IP addresses.
- You can assign at most five IP addresses to an interface, among which one is the primary IP address and the others are secondary IP addresses. A newly specified primary IP address overwrites the previous one if there is any.
- The primary and secondary IP addresses of an interface cannot reside on the same network segment; the IP address of a VLAN interface must not be in the same network segment as that of a loopback interface on a device.
- A VLAN interface cannot be configured with a secondary IP address if the interface has been configured to obtain an IP address through BOOTP or DHCP.

Related commands: display ip interface.

Examples
# Assign the primary IP address 129.12.0.1 and secondary IP address 129.12.1.1 to VLAN-interface 1 with subnet mask 255.255.255.0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 129.12.0.1 255.255.255.0
[Sysname-Vlan-interface1] ip address 129.12.1.1 255.255.255.0 sub

2 IP Performance Configuration Commands

IP Performance Configuration Commands

display fib

Syntax
display fib

View
Any view

Parameters
None

Description
Use the display fib command to display all forwarding information base (FIB) information.

Examples
# Display all FIB information.
<Sysname> display fib
Flag:
  U:Usable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static
  R:Reject   E:Equal cost multi-path   L:Generated by ARP or ESIS
Destination/Mask   Nexthop        Flag   TimeStamp   Interface
10.153.17.0/24     10.153.17.99   U      t[37]       Vlan-interface1
10.153.18.88/32    127.0.0.1      GHU    t[37]       InLoopBack0
10.153.18.0/24     10.153.18.88   U      t[37]       LoopBack0
10.153.17.99/32    127.0.0.1      GHU    t[37]       InLoopBack0
127.0.0.0/8        127.0.0.1      U      t[33]       InLoopBack0

Table 2-1 Description on the fields of the display fib command

| Field | Description |
|---|---|
| Flag | Flags: U: A route is up and available. G: Gateway route. H: Local host route. B: Blackhole route. D: Dynamic route. S: Static route. R: Rejected route. E: Multi-path equal-cost route. L: Route generated by ARP or ESIS. |
| Destination/Mask | Destination address/mask length |
| Nexthop | Next hop address |
| TimeStamp | Timestamp |
| Interface | Forwarding interface |

display fib ip-address

Syntax
display fib ip-address1 [ { mask1 | mask-length1 } [ ip-address2 { mask2 | mask-length2 } | longer ] | longer ]

View
Any view

Parameters
ip-address1, ip-address2: Destination IP addresses, in dotted decimal notation. ip-address1 and ip-address2 together define an address range. The FIB entries in this address range will be displayed.
mask1, mask2: Subnet masks, in dotted decimal notation.
mask-length1, mask-length2: Length of the subnet masks, the number of consecutive ones in the masks, in the range of 0 to 32.
longer: Displays the FIB entries matching the specified address/mask and having masks longer than or equal to the specified mask. If no masks are specified, FIB entries that match the natural network address and have the masks longer than or equal to the natural mask will be displayed.

Description
Use the display fib ip-address command to view the FIB entries matching the specified destination IP address.
If no mask or mask length is specified, the FIB entry that matches the destination IP address and has the longest mask will be displayed; if the mask is specified, the FIB entry that exactly matches the specified destination IP address and mask will be displayed.

Examples
# Display FIB entry information which matches destination 12.158.10.0 and has a mask length no less than eight.
<Sysname> display fib 12.158.10.0 longer
Route Entry Count: 1
Flag:
  U:Usable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static
  R:Reject   E:Equal cost multi-path   L:Generated by ARP or ESIS
Destination/Mask   Nexthop        Flag   TimeStamp   Interface
12.158.10.0/24     12.158.10.1    U      t[85391]    Vlan-interface10
# Display FIB entry information which has a destination in the range of 12.158.10.0/24 to 12.158.10.6/24 and has a mask length of 24.
<Sysname> display fib 12.158.10.0 255.255.255.0 12.158.10.6 255.255.255.0
Route Entry Count: 1
Flag:
  U:Usable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static
  R:Reject   E:Equal cost multi-path   L:Generated by ARP or ESIS
Destination/Mask   Nexthop        Flag   TimeStamp   Interface
12.158.10.0/24     12.158.10.1    U      t[85391]    Vlan-interface10
For details about the displayed information, see Table 2-1.

display fib acl

Syntax
display fib acl acl-number

View
Any view

Parameters
acl-number: Basic ACL number, in the range of 2000 to 2999.

Description
Use the display fib acl command to display the FIB entries matching a specific ACL. For ACL, refer to the part discussing ACL in this manual.

Examples
# Configure and display ACL 2001.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 211.71.75.0 0.0.0.255
[Sysname-acl-basic-2001] display acl 2001
Basic ACL 2001, 1 rule
Acl's step is 1
rule 0 permit source 211.71.75.0 0.0.0.255
# Display the FIB entries filtered by ACL 2001.
<Sysname> display fib acl 2001
Route Entry matched by access-list 2001
Summary Counts :1
Flag:
  U:Usable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static
  R:Reject   E:Equal cost multi-path   L:Generated by ARP or ESIS
Destination/Mask   Nexthop    Flag   TimeStamp    Interface
211.71.75.0/24     1.1.1.2    GSU    t[250763]    Vlan-interface2
For details about the displayed information, see Table 2-1.

display fib |

Syntax
display fib | { begin | exclude | include } regular-expression

View
Any view

Parameters
|: Uses a regular expression to match FIB entries. For detailed information about regular expression, refer to Configuration File Management Command.
begin: Displays a specific FIB entry and all the FIB entries following it. The specific FIB entry is the first entry that matches the specified regular expression.
exclude: Displays the FIB entries that do not match the specified regular expression.
include: Displays the FIB entries that match the specified regular expression.
regular-expression: A case-sensitive character string.

Description
Use the display fib | command to display the FIB entries filtered by the specified regular expression.

Examples
# Display the entries starting from the first one containing the string 169.254.0.0.
<Sysname> display fib | begin 169.254.0.0
169.254.0.0/16   2.1.1.1   U   t[0]   Vlan-interface1
2.0.0.0/16       2.1.1.1   U   t[0]   Vlan-interface1
For details about the displayed information, see Table 2-1.

display fib ip-prefix

Syntax
display fib ip-prefix ip-prefix-name

View
Any view

Parameters
ip-prefix-name: IP prefix list name, in the range of 1 to 19 characters.

Description
Use the display fib ip-prefix command to display the FIB entries matching a specific IP prefix list. For details about IP prefix list, refer to the part discussing IP routing in this manual.

Examples
# Configure and display the IP prefix list abc.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip ip-prefix abc permit 211.71.75.0 24
[Sysname] display ip ip-prefix abc
name   index   conditions   ip-prefix / mask   GE   LE
abc    10      permit       211.71.75.0/24     --   --
# Display the FIB entries matching IP prefix list abc.
<Sysname> display fib ip-prefix abc
Route Entry matched by prefix-list abc
Summary Counts :1
Flag:
  U:Usable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static
  R:Reject   E:Equal cost multi-path   L:Generated by ARP or ESIS
Destination/Mask   Nexthop    Flag   TimeStamp    Interface
211.71.75.0/24     1.1.1.2    GSU    t[250763]    Vlan-interface2
For details about the displayed information, see Table 2-1.

display fib statistics

Syntax
display fib statistics

View
Any view

Parameters
None

Description
Use the display fib statistics command to display the total number of FIB entries.

Examples
# Display the total number of FIB entries.
<Sysname> display fib statistics
Route Entry Count : 8

display icmp statistics

Syntax
display icmp statistics

View
Any view

Parameters
None

Description
Use the display icmp statistics command to display the statistics about ICMP packets.
Related commands: display ip interface, reset ip statistics.

Examples
# Display the statistics about ICMP packets.
<Sysname> display icmp statistics
Input: bad formats      0     bad checksum             0
       echo             5     destination unreachable  0
       source quench    0     redirects                0
       echo reply       10    parameter problem        0
       timestamp        0     information request      0
       mask replies     0     mask requests            0
       time exceeded    0
Output:echo             10    destination unreachable  0
       source quench    0     redirects                0
       echo reply       5     parameter problem        0
       timestamp        0     information reply        0
       mask requests    0     mask replies             0
       time exceeded    0

Table 2-2 Description on the fields of the display icmp statistics command

| Field | Description |
|---|---|
| Input: bad formats | Number of received wrong format packets |
| Input: bad checksum | Number of received wrong checksum packets |
| Input: echo | Number of received echo packets |
| Input: destination unreachable | Number of received destination unreachable packets |
| Input: source quench | Number of received source quench packets |
| Input: redirects | Number of received redirection packets |
| Input: echo reply | Number of received replies |
| Input: parameter problem | Number of received parameter problem packets |
| Input: timestamp | Number of received time stamp packets |
| Input: information request | Number of received information request packets |
| Input: mask requests | Number of received mask requests |
| Input: mask replies | Number of received mask replies |
| Input: time exceeded | Number of received expiration packets |
| Output: echo | Number of sent echo packets |
| Output: destination unreachable | Number of sent destination unreachable packets |
| Output: source quench | Number of sent source quench packets |
| Output: redirects | Number of sent redirection packets |
| Output: echo reply | Number of sent replies |
| Output: parameter problem | Number of sent parameter problem packets |
| Output: timestamp | Number of sent time stamp packets |
| Output: information reply | Number of sent information reply packets |
| Output: mask requests | Number of sent mask requests |
| Output: mask replies | Number of sent mask replies |
| Output: time exceeded | Number of sent expiration packets |

display ip socket

Syntax
display ip socket [ socktype sock-type ] [ task-id socket-id ]

View
Any view

Parameters
socktype sock-type: Displays the socket information of this type.
The sock type is in the range 1 to 3, corresponding to TCP, UDP and raw IP respectively.
task-id: ID of a task, with the value ranging from 1 to 100.
socket-id: ID of a socket, with the value ranging from 0 to 3072.

Description
Use the display ip socket command to display socket information.

Examples
# Display the information about the socket of the TCP type.
<Sysname> display ip socket socktype 1
SOCK_STREAM:
Task = VTYD(18), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_SENDVPNID SO_SETKEEPALIVE,
socket state = SS_PRIV SS_ASYNC

Task = VTYD(18), socketid = 2, Proto = 6,
LA = 10.153.17.99:23, FA = 10.153.17.56:1161,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_KEEPALIVE SO_OOBINLINE SO_SENDVPNID SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC

Task = VTYD(18), socketid = 3, Proto = 6,
LA = 10.153.17.99:23, FA = 10.153.17.82:1121,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_KEEPALIVE SO_OOBINLINE SO_SENDVPNID SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC

Table 2-3 Description on the fields of the display ip socket command

| Field | Description |
|---|---|
| SOCK_STREAM | Indicates the socket type is TCP |
| SOCK_DGRAM | Indicates the socket type is UDP |
| SOCK_RAW | Indicates the socket type is raw IP |
| Task | Task ID |
| socketid | Socket ID |
| Proto | Protocol number used by the socket |
| sndbuf | Sending buffer size of the socket |
| rcvbuf | Receiving buffer size of the socket |
| sb_cc | Current data size in the sending buffer. The value makes sense only for the socket of TCP type, because only TCP is able to cache data. |
| rb_cc | Current data size in the receiving buffer |
| socket option | Option of a socket |
| socket state | State of a socket |

display ip statistics

Syntax
display ip statistics

View
Any view

Parameters
None

Description
Use the display ip statistics command to display the statistics about IP packets.
Related commands: display ip interface, reset ip statistics.

Examples
# Display the statistics about IP packets.
<Sysname> display ip statistics
Input:   sum             7120    local              112
         bad protocol    0       bad format         0
         bad checksum    0       bad options        0
Output:  forwarding      0       local              27
         dropped         0       no route           2
         compress fails  0
Fragment:input           0       output             0
         dropped         0
         fragmented      0       couldn't fragment  0
Reassembling:sum         0       timeouts           0

Table 2-4 Description on the fields of the display ip statistics command

| Field | Description |
|---|---|
| Input: sum | Total number of packets received |
| Input: local | Total number of packets with destination being local |
| Input: bad protocol | Total number of unknown protocol packets. Unknown protocol packets are destined to the local device, but the upper layer protocol specified in their IP header cannot be processed by the device. (For example, if a switch is not enabled with the Layer 3 multicast function, it considers IGMP packets as unknown protocol packets.) |
| Input: bad format | Total number of packets with incorrect header format that contains a wrong version, or has a header length less than 20 bytes. |
| Input: bad checksum | Total number of packets with incorrect checksum |
| Input: bad options | Total number of packets with incorrect option |
| Output: forwarding | Total number of IP packets forwarded by the local device |
| Output: local | Total number of IP packets initiated from the local device |
| Output: dropped | Total number of IP packets discarded |
| Output: no route | Total number of IP packets for which no route is available |
| Output: compress fails | Total number of IP packets failed to compress |
| Fragment: input | Total number of fragments received |
| Fragment: output | Total number of fragments sent |
| Fragment: dropped | Total number of fragments discarded |
| Fragment: fragmented | Total number of IP packets successfully fragmented |
| Fragment: couldn't fragment | Total number of IP packets that cannot be fragmented |
| Reassembling: sum | Total number of IP packets reassembled |
| Reassembling: timeouts | Total number of reassembly timeout IP packets |

display tcp statistics

Syntax
display tcp statistics

View
Any view

Parameters
None

Description
Use the display tcp statistics command to display the statistics about TCP packets.
Related commands: display tcp status, reset tcp statistics.

Examples
# Display the statistics about TCP connections.
<Sysname> display tcp statistics
Received packets:
  Total: 753
  packets in sequence: 412 (11032 bytes)
  window probe packets: 0, window update packets: 0
  checksum error: 0, offset error: 0, short error: 0
  duplicate packets: 4 (88 bytes), partially duplicate packets: 5 (7 bytes)
  out-of-order packets: 0 (0 bytes)
  packets of data after window: 0 (0 bytes)
  packets received after close: 0
  ACK packets: 481 (8776 bytes)
  duplicate ACK packets: 7, too much ACK packets: 0
Sent packets:
  Total: 665
  urgent packets: 0
  control packets: 5 (including 1 RST)
  window probe packets: 0, window update packets: 2
  data packets: 618 (8770 bytes) data packets retransmitted: 0 (0 bytes)
  ACK-only packets: 40 (28 delayed)
Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0
Keepalive timeout: 0, keepalive probe: 0, Keepalive timeout, so connections disconnected : 0
Initiated connections: 0, accepted connections: 0, established connections: 0
Closed connections: 0 (dropped: 0, initiated dropped: 0)
Packets dropped with MD5 authentication: 0
Packets permitted with MD5 authentication: 0

Table 2-5 Description on the fields of the display tcp statistics command

| Field | Description |
|---|---|
| Received packets: Total | Total number of packets received |
| Received packets: packets in sequence | Number of packets arriving in sequence |
| Received packets: window probe packets | Number of window probe packets received |
| Received packets: window update packets | Number of window update packets received |
| Received packets: checksum error | Number of checksum error packets received |
| Received packets: offset error | Number of offset error packets received |
| Received packets: short error | Number of received packets with length being too small |
| Received packets: duplicate packets | Number of completely duplicate packets received |
| Received packets: partially duplicate packets | Number of partially duplicate packets received |
| Received packets: out-of-order packets | Number of out-of-order packets received |
| Received packets: packets of data after window | Number of packets outside the receiving window |
| Received packets: packets received after close | Number of packets that arrived after connection is closed |
| Received packets: ACK packets | Number of ACK packets received |
| Received packets: duplicate ACK packets | Number of duplicate ACK packets received |
| Received packets: too much ACK packets | Number of ACK packets for data unsent |
| Sent packets: Total | Total number of packets sent |
| Sent packets: urgent packets | Number of urgent packets sent |
| Sent packets: control packets | Number of control packets sent; in brackets are retransmitted packets |
| Sent packets: window probe packets | Number of window probe packets sent; in the brackets are resent packets |
| Sent packets: window update packets | Number of window update packets sent |
| Sent packets: data packets | Number of data packets sent |
| Sent packets: data packets retransmitted | Number of data packets retransmitted |
| Sent packets: ACK-only packets: 40 | Number of ACK packets sent; in brackets are delayed ACK packets |
| Retransmitted timeout | Number of retransmission timer timeouts |
| connections dropped in retransmitted timeout | Number of connections broken due to retransmission timeouts |
| Keepalive timeout | Number of keepalive timer timeouts |
| keepalive probe | Number of keepalive probe packets sent |
| Keepalive timeout, so connections disconnected | Number of connections broken due to keepalive probe failures |
| Initiated connections | Number of connections initiated |
| accepted connections | Number of connections accepted |
| established connections | Number of connections established |
| Closed connections | Number of connections closed; in brackets are connections closed accidentally (before receiving SYN from the peer) and connections closed initiatively (after receiving SYN from the peer) |
| Packets dropped with MD5 authentication | Number of packets dropped with MD5 authentication |
| Packets permitted with MD5 authentication | Number of packets permitted with MD5 authentication |

display tcp status

Syntax
display tcp status

View
Any view

Parameters
None

Description
Use the display tcp status command to display the state of all the TCP connections so that you can monitor TCP connections in real time.

Examples
# Display the state of all the TCP connections.
<Sysname> display tcp status
*: TCP MD5 Connection
TCPCB     Local Add:port     Foreign Add:port     State
03e37dc4  0.0.0.0:4001       0.0.0.0:0            Listening
04217174  100.0.0.204:23     100.0.0.253:65508    Established

Table 2-6 Description on the fields of the display tcp status command

Field               Description
*                   If there is an asterisk before a connection, it means that the TCP connection is authenticated through the MD5 algorithm.
TCPCB               TCP control block
Local Add:port      Local IP address and port number
Foreign Add:port    Remote IP address and port number
State               State of the TCP connection

display udp statistics

Syntax
display udp statistics

View
Any view

Parameters
None

Description
Use the display udp statistics command to display the statistics about UDP packets.
Related commands: reset udp statistics.

Examples
# Display the statistics about UDP packets.
<Sysname> display udp statistics
Received packets:
     Total: 26320
     checksum error: 0
     shorter than header: 0, data length larger than packet: 0
     no socket on port: 0
     total broadcast or multicast packets : 25006
     no socket broadcast or multicast packets: 24989
     not delivered, input socket full: 0
     input packets missing pcb cache: 1314
Sent packets:
     Total: 7187

Table 2-7 Description on the fields of the display udp statistics command

Field                                       Description
Received packets:
Total                                       Total number of received UDP packets
checksum error                              Total number of packets with incorrect checksum
shorter than header                         Number of packets with data shorter than header
data length larger than packet              Number of packets with data longer than packet
no socket on port                           Number of unicast packets with no socket on port
total broadcast or multicast packets        Total number of received broadcast or multicast packets
no socket broadcast or multicast packets    Total number of broadcast or multicast packets without socket on port
not delivered, input socket full            Number of not delivered packets due to a full socket cache
input packets missing pcb cache             Number of packets without matching PCB cache
Sent packets:
Total                                       Total number of UDP packets sent

icmp redirect send

Syntax
icmp redirect send
undo icmp redirect send

View
System view

Parameters
None

Description
Use the icmp redirect send command to enable the device to send ICMP redirection packets.
Use the undo icmp redirect send command to disable the device from sending ICMP redirection packets.
By default, the device is enabled to send ICMP redirection packets.

Examples
# Disable the device from sending ICMP redirection packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo icmp redirect send

icmp unreach send

Syntax
icmp unreach send
undo icmp unreach send

View
System view

Parameters
None

Description
Use the icmp unreach send command to enable the device to send ICMP destination unreachable packets. With this feature enabled, the switch, upon receiving a packet with an unreachable destination, discards the packet and then sends a destination unreachable packet to the source host.
Use the undo icmp unreach send command to disable the device from sending ICMP destination unreachable packets.
By default, the device is enabled to send ICMP destination unreachable packets.

Examples
# Disable the device from sending ICMP destination unreachable packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo icmp unreach send

ip forward-broadcast

Syntax
ip forward-broadcast
undo ip forward-broadcast

View
System view

Parameters
None

Description
Use the ip forward-broadcast command to enable the device to receive directed broadcasts to a directly connected network.
Use the undo ip forward-broadcast command to disable the device from receiving directed broadcasts to a directly connected network.
By default, the device is disabled from receiving directed broadcasts to a directly connected network.

Examples
# Enable the device to receive directed broadcasts to a directly connected network.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip forward-broadcast

reset ip statistics

Syntax
reset ip statistics

View
User view

Parameters
None

Description
Use the reset ip statistics command to clear the statistics about IP packets. You can use the display ip statistics command to view the current IP packet statistics.
Related commands: display ip interface.

Examples
# Clear the statistics about IP packets.
<Sysname> reset ip statistics

reset tcp statistics

Syntax
reset tcp statistics

View
User view

Parameters
None

Description
Use the reset tcp statistics command to clear the statistics about TCP packets. You can use the display tcp statistics command to view the current TCP packet statistics.

Examples
# Clear the statistics about TCP packets.
<Sysname> reset tcp statistics

reset udp statistics

Syntax
reset udp statistics

View
User view

Parameters
None

Description
Use the reset udp statistics command to clear the statistics about UDP packets. You can use the display udp statistics command to view the current UDP packet statistics.

Examples
# Clear the statistics about UDP packets.
<Sysname> reset udp statistics

tcp timer fin-timeout

Syntax
tcp timer fin-timeout time-value
undo tcp timer fin-timeout

View
System view

Parameters
time-value: TCP finwait timer, in seconds, with the value ranging from 76 to 3600.

Description
Use the tcp timer fin-timeout command to configure the TCP finwait timer.
Use the undo tcp timer fin-timeout command to restore the default value of the TCP finwait timer.
By default, the value of the TCP finwait timer is 675 seconds.
When the TCP connection state changes from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer is enabled. If the switch does not receive FIN packets before the finwait timer times out, the TCP connection will be terminated.
Related commands: tcp timer syn-timeout, tcp window.

Examples
# Configure the value of the TCP finwait timer to 800 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] tcp timer fin-timeout 800

tcp timer syn-timeout

Syntax
tcp timer syn-timeout time-value
undo tcp timer syn-timeout

View
System view

Parameters
time-value: TCP synwait timer, in seconds, with the value ranging from 2 to 600.

Description
Use the tcp timer syn-timeout command to configure the TCP synwait timer.
Use the undo tcp timer syn-timeout command to restore the default value of the TCP synwait timer.
By default, the value of the TCP synwait timer is 75 seconds.
When sending the SYN packet, TCP starts the synwait timer. If the response packet is not received before synwait times out, the TCP connection will be terminated.
Related commands: tcp timer fin-timeout, tcp window.

Examples
# Configure the value of the TCP synwait timer to 80 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] tcp timer syn-timeout 80

tcp window

Syntax
tcp window window-size
undo tcp window

View
System view

Parameters
window-size: Size of the transmission and receiving buffers of the connection-oriented socket, measured in kilobytes (KB), in the range of 1 to 32.

Description
Use the tcp window command to configure the size of the transmission and receiving buffers of the connection-oriented socket.
Use the undo tcp window command to restore the default size of the transmission and receiving buffers of the connection-oriented socket.
By default, the size of the transmission and receiving buffers is 8 KB.
Related commands: tcp timer fin-timeout, tcp timer syn-timeout.

Examples
# Configure the size of the transmission and receiving buffers of the connection-oriented socket to 3 KB.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] tcp window 3

Table of Contents

1 Voice VLAN Configuration Commands
    Voice VLAN Configuration Commands
        display voice vlan error-info
        display voice vlan oui
        display voice vlan status
        display vlan
        voice vlan
        voice vlan aging
        voice vlan enable
        voice vlan legacy
        voice vlan mac-address
        voice vlan mode
        voice vlan security enable

1 Voice VLAN Configuration Commands

Voice VLAN Configuration Commands
display voice vlan error-info

Syntax
display voice vlan error-info

View
Any view

Parameters
None

Description
Use the display voice vlan error-info command to display the ports on which the voice VLAN function fails to be enabled.
When the ACL number applied to a port reaches its threshold, voice VLAN cannot be enabled on this port.

Examples
# Display the ports on which voice VLAN fails to be enabled.
<Sysname> display voice vlan error-info
Fail to apply voice VLAN ACL rules to the following port(s):
Ethernet1/0/10
Ethernet1/0/15

display voice vlan oui

Syntax
display voice vlan oui

View
Any view

Parameters
None

Description
Use the display voice vlan oui command to display the organizationally unique identifier (OUI) list used for identifying voice traffic.
The output of the command displays the OUI addresses, their masks, and descriptions.
By default, there are five pre-defined OUI addresses in the system. You can use the voice vlan mac-address command to add, modify, or remove OUI addresses.

Examples
# Display the OUI list for the voice VLAN.
<Sysname> display voice vlan oui
Oui Address     Mask            Description
0003-6b00-0000  ffff-ff00-0000  Cisco phone
000f-e200-0000  ffff-ff00-0000  H3C Aolynk phone
00d0-1e00-0000  ffff-ff00-0000  Pingtel phone
00e0-7500-0000  ffff-ff00-0000  Polycom phone
00e0-bb00-0000  ffff-ff00-0000  3Com phone

display voice vlan status

Syntax
display voice vlan status

View
Any view

Parameters
None

Description
Use the display voice vlan status command to display voice VLAN-related information.
The output of the command displays information such as the voice VLAN security mode and voice VLAN assignment mode (manual or automatic).
Related commands: voice vlan, voice vlan enable.

Examples
# Display the information about the voice VLAN.
<Sysname> display voice vlan status
Voice Vlan status: ENABLE
Voice Vlan ID: 2
Voice Vlan security mode: Security
Voice Vlan aging time: 100 minutes
Current voice vlan enabled port mode:
PORT                MODE
-------------------------------
Ethernet1/0/2       AUTO
Ethernet1/0/3       MANUAL

Table 1-1 Description on the fields of the display voice vlan status command

Field                                 Description
Voice Vlan status                     The status of global voice VLAN function: enabled or disabled.
Voice Vlan ID                         The VLAN which is currently enabled with voice VLAN.
Voice Vlan security mode              The status of voice VLAN security mode: enabled or disabled.
Voice Vlan aging time                 The voice VLAN aging time
Current voice vlan enable port mode   The ports on which the voice VLAN function is enabled.

The Current voice vlan enable port mode field lists the ports with the voice VLAN function enabled. Note that not all of them are transmitting packets in the voice VLAN. To view the ports operating in the voice VLAN currently, use the display vlan command.

display vlan

Syntax
display vlan vlan-id

View
Any view

Parameters
vlan-id: Specifies the ID of the current voice VLAN in the range of 1 to 4094.

Description
Use the display vlan command to display information about the specified VLAN. For the voice VLAN, this command displays all the ports in the VLAN.
Related commands: voice vlan, voice vlan enable.

Examples
# Display all the ports in the current voice VLAN, assuming that the current voice VLAN is VLAN 6.
<Sysname> display vlan 6
VLAN ID: 6
VLAN Type: static
Route Interface: not configured
Description: VLAN 0006
Name: VLAN 0006
Tagged Ports:
  Ethernet1/0/5
Untagged Ports:
  Ethernet1/0/6

The output indicates that Ethernet 1/0/5 and Ethernet 1/0/6 are in the voice VLAN.

voice vlan

Syntax
voice vlan vlan-id enable
undo voice vlan enable

View
System view

Parameters
vlan-id: Specifies the ID of the VLAN to be enabled with the voice VLAN function, in the range of 2 to 4094. Note that the VLAN must already exist.
Description
Use the voice vlan command to configure the specified VLAN as the voice VLAN, that is, enable voice VLAN globally.
Use the undo voice vlan enable command to remove the voice VLAN configuration from the specified VLAN.
By default, voice VLAN is disabled globally.
After a VLAN is configured as the voice VLAN, the switch will modify QoS priorities for the traffic in the VLAN to improve its transmission preference, guaranteeing that the voice data can be transmitted preferentially.
To make the voice VLAN function take effect on a port, you must enable the function both globally and on the port with the voice vlan enable command.

- If you want to delete a VLAN with voice VLAN function enabled, you must disable the voice VLAN function first.
- The voice VLAN function can be enabled for only one VLAN at one time.

Related commands: display voice vlan status.

Examples
# Create VLAN 2, and enable the voice VLAN function on it.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 2
[Sysname-vlan2] quit
[Sysname] voice vlan 2 enable
# After the voice VLAN function of VLAN 2 is enabled, if you enable the voice VLAN function for other VLANs, the system will prompt that your configuration fails.
[Sysname] voice vlan 4 enable
Can't change voice vlan configuration when other voice vlan is running

voice vlan aging

Syntax
voice vlan aging minutes
undo voice vlan aging

View
System view

Parameters
minutes: Sets the voice VLAN aging timer in minutes, in the range of 5 to 43200.

Description
Use the voice vlan aging command to set the voice VLAN aging timer.
Use the undo voice vlan aging command to restore the default.
By default, the voice VLAN aging timer is 1440 minutes.
If a port is configured to work in automatic voice VLAN assignment mode, the switch automatically assigns the port to the voice VLAN when receiving a packet with the source MAC address matching an entry in the OUI list of the switch.
As soon as the port is assigned to the voice VLAN, the voice VLAN aging timer starts. If no recognizable voice traffic has been received before the timer expires, the port is removed from the voice VLAN.
The voice VLAN aging timer does not take effect on ports working in manual voice VLAN assignment mode, because these ports are assigned to the voice VLAN statically.
When setting the voice VLAN aging timer, consider the usage frequency of IP phones. Note that:

- A large voice VLAN aging timer setting can prevent a port from being assigned to or removed from the voice VLAN frequently, keeping voice communication stable. However, this may cause a port to stay in the voice VLAN even if it has not transmitted voice traffic for a long time, occupying system resources and bringing about security problems. Therefore, you are recommended to set a large voice VLAN aging timer in a network with credible network devices and many voice applications.
- A small voice VLAN aging timer enables the switch to promptly remove from the voice VLAN a port that has not transmitted voice traffic, thus improving network security. However, this may cause the port to be assigned to or removed from the voice VLAN frequently. Therefore, you are recommended to set a small voice VLAN aging timer in a network with only a few voice applications.

Related commands: display voice vlan status.

Examples
# Set the aging time of the voice VLAN to 100 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] voice vlan aging 100

voice vlan enable

Syntax
voice vlan enable
undo voice vlan enable

View
Ethernet port view

Parameters
None

Description
Use the voice vlan enable command to enable the voice VLAN function on the port.
Use the undo voice vlan enable command to disable the voice VLAN function on the port.
By default, the voice VLAN function is disabled on all ports.
To have the voice VLAN function take effect on a port, you must enable it both globally and on the port.
Note that the operations are order independent.
Related commands: display voice vlan error-info, display voice vlan status.

Examples
# Enable the voice VLAN function on Ethernet1/0/2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] voice vlan enable

voice vlan legacy

Syntax
voice vlan legacy
undo voice vlan legacy

View
Ethernet port view

Parameters
None

Description
Use the voice vlan legacy command to enable the voice VLAN legacy function. This function enables communication between H3C devices and other vendors’ voice devices by automatically adding the voice VLAN tag to the voice data coming from other vendors’ voice devices.
Use the undo voice vlan legacy command to disable the voice VLAN legacy function.
By default, the voice VLAN legacy function is disabled.

Examples
# Enable the voice VLAN legacy function on Ethernet1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] voice vlan legacy

voice vlan mac-address

Syntax
voice vlan mac-address oui mask oui-mask [ description text ]
undo voice vlan mac-address oui

View
System view

Parameters
oui: Specify a MAC address, in the format of H-H-H.
oui-mask: Specify a MAC address mask, made up of consecutive Fs and consecutive 0s. It specifies the matching length of the OUI address. When the switch receives a packet, it matches the bits in the source MAC address corresponding to the Fs against the OUI list.
text: Description of the MAC address, containing 1 to 30 characters.

Description
Use the voice vlan mac-address command to add an OUI entry to the OUI list for the specified MAC address.
The OUI list contains the MAC addresses of recognizable voice devices. A packet is considered a voice packet only when its source MAC address matches an entry in the OUI list.
Use the undo voice vlan mac-address command to remove an OUI entry from the OUI list.
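The masked source-MAC match described above can be modelled as follows. This is an added illustration, not H3C code: the function names, the sample source MACs, and the treatment of an all-F mask and of non-matching frames when security mode is off are assumptions; the OUI entries and the 16-entry limit are taken from this manual.

```python
import re
import string

MAX_OUI_ENTRIES = 16  # the manual states the OUI list holds up to 16 entries

# Default entries as printed by "display voice vlan oui" in this manual.
DEFAULT_OUI_LIST = [
    ("0003-6b00-0000", "ffff-ff00-0000", "Cisco phone"),
    ("000f-e200-0000", "ffff-ff00-0000", "H3C Aolynk phone"),
    ("00d0-1e00-0000", "ffff-ff00-0000", "Pingtel phone"),
    ("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),
    ("00e0-bb00-0000", "ffff-ff00-0000", "3Com phone"),
]


def mac_to_int(mac):
    """Parse a MAC address in H-H-H notation into a 48-bit integer."""
    groups = mac.strip().split("-")
    if len(groups) != 3:
        raise ValueError(f"not in H-H-H format: {mac!r}")
    value = 0
    for group in groups:
        if not 1 <= len(group) <= 4 or any(c not in string.hexdigits for c in group):
            raise ValueError(f"bad hex group {group!r} in {mac!r}")
        value = (value << 16) | int(group, 16)
    return value


def mask_is_valid(mask):
    """True if the mask is consecutive Fs followed only by 0s."""
    # Assumption: at least one F is required and an all-F mask is accepted.
    return re.fullmatch(r"f+0*", f"{mac_to_int(mask):012x}") is not None


def build_oui_list(entries):
    """Validate (oui, mask, description) tuples and precompute masked values."""
    if len(entries) > MAX_OUI_ENTRIES:
        raise ValueError(f"OUI list is limited to {MAX_OUI_ENTRIES} entries")
    table = []
    for oui, mask, description in entries:
        if not mask_is_valid(mask):
            raise ValueError(f"mask {mask!r} is not consecutive Fs then 0s")
        if description is not None and not 1 <= len(description) <= 30:
            raise ValueError("description must contain 1 to 30 characters")
        mask_int = mac_to_int(mask)
        table.append((mac_to_int(oui) & mask_int, mask_int, description))
    return table


def match_oui(src_mac, table):
    """Return the description of the first entry the source MAC matches, or None."""
    src = mac_to_int(src_mac)
    for masked_oui, mask_int, description in table:
        if src & mask_int == masked_oui:
            return description
    return None


def addresses_covered(mask):
    """Number of distinct source MACs that one entry with this mask accepts."""
    return 1 << (48 - bin(mac_to_int(mask)).count("1"))


def filter_frames(src_macs, table, security_mode=True):
    """Model the per-frame decision on a port that is in the voice VLAN."""
    verdicts = []
    for mac in src_macs:
        vendor = match_oui(mac, table)
        if vendor is not None:
            verdicts.append((mac, "voice", vendor))
        elif security_mode:
            # Security mode: source MAC not in the OUI list, frame is filtered out.
            verdicts.append((mac, "filtered", None))
        else:
            # Assumption: with security mode off, non-voice frames are not filtered.
            verdicts.append((mac, "forwarded", None))
    return verdicts


if __name__ == "__main__":
    oui_table = build_oui_list(DEFAULT_OUI_LIST)
    # Constructed sample source MACs, not taken from the manual.
    for verdict in filter_frames(["00e0-7512-3456", "0010-1111-2222"], oui_table):
        print(verdict)
```

Because the decision uses only the masked source MAC, an entry identifies a vendor prefix rather than an individual phone; addresses_covered shows how many addresses a given mask admits when reviewing custom entries.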
By default, the OUI list contains the five pre-defined OUI addresses in Table 1-2. You can modify them with the voice vlan mac-address command.
The OUI list can contain up to 16 OUI address entries.

Table 1-2 Default OUI addresses of a switch

Number   OUI address      Vendor
1        0003-6b00-0000   Cisco phone
2        000f-e200-0000   H3C Aolynk phone
3        00d0-1e00-0000   Pingtel phone
4        00e0-7500-0000   Polycom phone
5        00e0-bb00-0000   3Com phone

Related commands: display voice vlan oui.

Examples
# Add MAC address 00aa-bb00-0000 to the OUI list and configure its description as ABC.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] voice vlan mac-address 00aa-bb00-0000 mask ffff-ff00-0000 description ABC

voice vlan mode

Syntax
voice vlan mode auto
undo voice vlan mode auto

View
Ethernet port view

Parameters
None

Description
Use the voice vlan mode auto command to configure the voice VLAN assignment mode of the Ethernet port to automatic.
Use the undo voice vlan mode auto command to configure the voice VLAN assignment mode of the Ethernet port to manual.
You cannot, and need not, manually assign a port working in automatic voice VLAN assignment mode to the voice VLAN. When the port receives a packet whose source MAC address matches the OUI list, the port is assigned to the voice VLAN automatically, and the packet is tagged with the voice VLAN tag. If the port has not received any voice data before the voice VLAN aging timer expires, the port is removed from the voice VLAN automatically.
By default, an Ethernet port works in automatic voice VLAN assignment mode.
A port working in manual voice VLAN assignment mode needs to be assigned to the voice VLAN manually. The port stays in the voice VLAN no matter whether voice data is present on the port, that is, the voice VLAN aging timer does not take effect on the port.
Related commands: display voice vlan status.

Examples
# Configure the voice VLAN assignment mode on Ethernet1/0/2 to manual.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] undo voice vlan mode auto

voice vlan security enable

Syntax
voice vlan security enable
undo voice vlan security enable

View
System view

Parameters
None

Description
Use the voice vlan security enable command to enable the voice VLAN security mode.
Use the undo voice vlan security enable command to disable the voice VLAN security mode.
In security mode, ports that are in a voice VLAN and have voice devices attached can forward only voice data. Data packets whose MAC addresses are not among the OUI addresses that can be identified by the system will be filtered out. This mode has no effect on other VLANs.
By default, the voice VLAN security mode is enabled.
Related commands: display voice vlan status.

Examples
# Disable the voice VLAN security mode.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo voice vlan security enable

Table of Contents

1 GVRP Configuration Commands
    GARP Configuration Commands
        display garp statistics
        display garp timer
        garp timer
        garp timer leaveall
        reset garp statistics
    GVRP Configuration Commands
        display gvrp statistics
        display gvrp status
        gvrp
        gvrp registration

1 GVRP Configuration Commands

GARP Configuration Commands

display garp statistics

Syntax
display garp statistics [ interface interface-list ]

View
Any view

Parameters
interface-list: Specifies a list of Ethernet ports for which the statistics about GARP are to be displayed. In this list, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1. The total number of individual ports and port ranges defined in the list must not exceed 10.

Description
Use the display garp statistics command to display the GARP statistics of the specified or all ports. If the interface interface-list keyword-argument combination is not specified, this command displays the GARP statistics on all the ports.
The switch automatically collects statistics about GVRP packets sent, received and dropped on GVRP-enabled ports.
Upon system reboot or the execution of the reset garp statistics command, the system automatically deletes the statistics and starts collecting statistics again. You can check whether GVRP is running normally on a port by checking the GVRP statistics on it:

- If the number of received GVRP packets and the number of sent GVRP packets are the same as those on the remote port, it indicates that the ports are transmitting and receiving GVRP packets normally and no registration information is lost.
- If the number of dropped GVRP packets is not 0, it indicates that the registration mode on the port may be fixed or forbidden. As in either mode dynamic VLANs cannot be registered, GVRP packet drop may occur on the port.

Examples
# Display the GARP statistics on Ethernet1/0/1 and Ethernet 1/0/2.
<Sysname> display garp statistics interface Ethernet 1/0/1 to Ethernet 1/0/2
GARP statistics on port Ethernet1/0/1
Number Of GVRP Frames Received : 0
Number Of GVRP Frames Transmitted : 0
Number Of Frames Discarded : 0
GARP statistics on port Ethernet1/0/2
Number Of GVRP Frames Received : 0
Number Of GVRP Frames Transmitted : 0
Number Of Frames Discarded : 0

Table 1-1 Description on the fields of the display garp statistics command

Field                               Description
Number of GVRP Frames Received      Number of the GVRP frames received on the port
Number of GVRP Frames Transmitted   Number of the GVRP frames transmitted through the port
Number of Frames Discarded          Number of GVRP frames discarded by the port

display garp timer

Syntax
display garp timer [ interface interface-list ]

View
Any view

Parameters
interface-list: Specifies a list of Ethernet ports of which the GARP timer settings are to be displayed. In this list, you can specify individual ports and port ranges.
An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1. The total number of individual ports and port ranges defined in the list must not exceed 10.

Description
Use the display garp timer command to display the settings of the GARP timers on specified ports or all ports. If the interface interface-list keyword-argument combination is not specified, this command displays the GARP timer settings of all ports.
This command displays the settings of the following timers:

- Join timer
- Leave timer
- LeaveAll timer
- Hold timer

Related commands: garp timer, garp timer leaveall.

Examples
# Display the settings of the GARP timers on port Ethernet1/0/1.
<Sysname> display garp timer interface Ethernet 1/0/1
GARP timers on port Ethernet1/0/1
Garp Join Time : 20 centiseconds
Garp Leave Time : 60 centiseconds
Garp LeaveAll Time : 1000 centiseconds
Garp Hold Time : 10 centiseconds

garp timer

Syntax
garp timer { hold | join | leave } timer-value
undo garp timer { hold | join | leave }

View
Ethernet port view

Parameters
hold: Sets the GARP Hold timer.
join: Sets the GARP Join timer.
leave: Sets the GARP Leave timer.
timer-value: Timeout time (in centiseconds) of the GARP timer (Hold, Join or Leave) to be set.

Description
Use the garp timer command to set a GARP timer (that is, the Hold timer, the Join timer, or the Leave timer) for an Ethernet port.
Use the undo garp timer command to restore the default setting of a GARP timer.
By default, the Hold, Join, and Leave timers are set to 10, 20, and 60 centiseconds.
Note that:

- The setting of each timer must be a multiple of 5 (in centiseconds).
- The timeout ranges of the timers vary depending on the timeout values you set for other timers.
  If you want to set the timeout time of a timer to a value out of the current range, you can set the timeout time of the associated timer to another value to change the timeout range of this timer.

The following table describes the relations between the timers:

Table 1-2 Relations between the timers

Timer: Hold
  Lower threshold: 10 centiseconds
  Upper threshold: This upper threshold is less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.

Timer: Join
  Lower threshold: This lower threshold is greater than or equal to twice the timeout time of the Hold timer. You can change the threshold by changing the timeout time of the Hold timer.
  Upper threshold: This upper threshold is less than one-half of the timeout time of the Leave timer. You can change the threshold by changing the timeout time of the Leave timer.

Timer: Leave
  Lower threshold: This lower threshold is greater than twice the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.
  Upper threshold: This upper threshold is less than the timeout time of the LeaveAll timer. You can change the threshold by changing the timeout time of the LeaveAll timer.

Timer: LeaveAll
  Lower threshold: This lower threshold is greater than the timeout time of the Leave timer. You can change the threshold by changing the timeout time of the Leave timer.
  Upper threshold: 32,765 centiseconds

In networking, the following GARP timer settings are recommended:

- GARP hold timer: 100 centiseconds (1 second)
- GARP Join timer: 600 centiseconds (6 seconds)
- GARP Leave timer: 3000 centiseconds (30 seconds)

Related commands: display garp timer.

Examples
# Set the GARP Join timer to 30 centiseconds for Ethernet1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] garp timer join 30

garp timer leaveall

Syntax
garp timer leaveall timer-value
undo garp timer leaveall

View
System view

Parameters
timer-value: Setting (in centiseconds) of the GARP LeaveAll timer. You need to set this argument with the Leave timer settings of other Ethernet ports as references. That is, this argument needs to be larger than the Leave timer settings of any Ethernet ports. Also note that this argument needs to be a multiple of 5 and cannot be larger than 32,765.

Description
Use the garp timer leaveall command to set the GARP LeaveAll timer.
Use the undo garp timer leaveall command to restore the default setting of the GARP LeaveAll timer.
By default, the LeaveAll timer is set to 1,000 centiseconds, that is, 10 seconds.
In networking, you are recommended to set the GARP LeaveAll timer to 12000 centiseconds (2 minutes).
Related commands: display garp timer.

Examples
# Set the GARP LeaveAll timer to 100 centiseconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] garp timer leaveall 100

reset garp statistics

Syntax
reset garp statistics [ interface interface-list ]

View
User view

Parameters
interface-list: Specifies a list of Ethernet ports. In this list, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1. The total number of individual ports and port ranges defined in the list must not exceed 10.

Description
Use the reset garp statistics command to clear the GARP statistics (including statistics about packets received/sent/discarded by GVRP) on the specified or all ports.
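The timer relations in Table 1-2 of the garp timer command, together with the LeaveAll limits of garp timer leaveall, decide the order in which the timers can be changed. The following Python sketch is an added example, not part of the H3C manual: it checks a timer set against those relations and orders the garp timer commands so that every intermediate state stays inside the allowed ranges. It models a single port (an assumption; the LeaveAll timer is global and must exceed the Leave timer of every port), and the function names violations and plan are hypothetical.

```python
# Added example: validate GARP timers against Table 1-2 and order the changes.
# Assumption: one port is modelled; on a real switch the global LeaveAll timer
# must exceed the Leave timer configured on every port.

HOLD_MIN = 10          # lower threshold of the Hold timer (centiseconds)
LEAVEALL_MAX = 32765   # upper threshold of the LeaveAll timer (centiseconds)

# Default and recommended values as stated in the manual (centiseconds).
DEFAULTS = {"hold": 10, "join": 20, "leave": 60, "leaveall": 1000}
RECOMMENDED = {"hold": 100, "join": 600, "leave": 3000, "leaveall": 12000}

# Raising values: widen the upper bound first (LeaveAll, then Leave, ...).
RAISE_ORDER = ["leaveall", "leave", "join", "hold"]
# Lowering values: release the lower bound first (Hold, then Join, ...).
LOWER_ORDER = ["hold", "join", "leave", "leaveall"]


def violations(t):
    """Return the Table 1-2 relations that the timer set `t` breaks."""
    bad = [f"{n}={v} is not a multiple of 5" for n, v in t.items() if v % 5]
    if t["hold"] < HOLD_MIN:
        bad.append(f"hold={t['hold']} is below {HOLD_MIN}")
    if 2 * t["hold"] > t["join"]:
        bad.append("hold must be <= one-half of join")
    if 2 * t["join"] >= t["leave"]:
        bad.append("join must be < one-half of leave")
    if t["leave"] >= t["leaveall"]:
        bad.append("leave must be < leaveall")
    if t["leaveall"] > LEAVEALL_MAX:
        bad.append(f"leaveall={t['leaveall']} is above {LEAVEALL_MAX}")
    return bad


def plan(current, target):
    """Order the commands so that no intermediate state breaks a relation.

    Returns a list of (view, command) tuples. Timers that grow are applied
    from LeaveAll down to Hold, then timers that shrink from Hold up to
    LeaveAll; each intermediate state is re-checked with violations().
    """
    for label, t in (("current", current), ("target", target)):
        bad = violations(t)
        if bad:
            raise ValueError(f"{label} timer set is invalid: {'; '.join(bad)}")

    order = [n for n in RAISE_ORDER if target[n] > current[n]]
    order += [n for n in LOWER_ORDER if target[n] < current[n]]

    state, commands = dict(current), []
    for name in order:
        state[name] = target[name]
        bad = violations(state)
        if bad:
            raise RuntimeError(f"step {name} leaves an invalid state: {bad}")
        view = "system view" if name == "leaveall" else "Ethernet port view"
        commands.append((view, f"garp timer {name} {target[name]}"))
    return commands


if __name__ == "__main__":
    # Applying the recommended Join value directly to the defaults is rejected.
    direct = dict(DEFAULTS, join=RECOMMENDED["join"])
    print("join 600 on defaults:", violations(direct))
    # A safe order from the defaults to the recommended settings.
    for view, command in plan(DEFAULTS, RECOMMENDED):
        print(f"[{view}] {command}")
```
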
You can use the display garp statistics command to view the NDP statistics before and after the execution of the reset garp statistics command to verify the execution result.
Executing the reset garp statistics command without any parameter clears the GARP statistics of all ports.
Related commands: display garp statistics.

Examples
# Clear GARP statistics of all ports.
<Sysname> reset garp statistics

GVRP Configuration Commands

display gvrp statistics

Syntax
display gvrp statistics [ interface interface-list ]

View
Any view

Parameters
interface interface-list: Specifies an Ethernet port list. By providing a value for this argument, you can display the GVRP statistics on the specified ports. You need to provide the interface-list argument in the format of { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where the interface-type argument represents the port type, the interface-number argument represents the port number, and &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Note that this command displays GVRP statistics only on the trunk ports included in the list. Statistics on non-trunk ports will not be displayed.

Description
Use the display gvrp statistics command to display the GVRP statistics of trunk ports.
This command displays the following information:
- GVRP status
- Number of the GVRP entries that fail to be registered
- Source MAC address of the previous GVRP PDU
- GVRP registration type of a port

Examples
# Display the GVRP statistics of Ethernet1/0/1, assuming that the port is a trunk port.
<Sysname> display gvrp statistics interface Ethernet 1/0/1
GVRP statistics on port Ethernet1/0/1
GVRP Status : Enabled
GVRP Failed Registrations : 0
GVRP Last Pdu Origin : 0000-0000-0000
GVRP Registration Type : Normal

display gvrp status

Syntax
display gvrp status

View
Any view

Parameters
None

Description
Use the display gvrp status command to display the global GVRP status (enabled or disabled).

Examples
# Display the global GVRP status.
<Sysname> display gvrp status
GVRP is enabled
The above information indicates that GVRP is enabled globally.

gvrp

Syntax
gvrp
undo gvrp

View
System view, Ethernet port view

Parameters
None

Description
Use the gvrp command to enable GVRP globally (in system view) or for a port (in Ethernet port view).
Use the undo gvrp command to disable GVRP globally (in system view) or on a port (in Ethernet port view).
By default, GVRP is disabled both globally and on ports.
Note that:
- To enable GVRP for a port, you need to enable GVRP globally first. GVRP does not take effect automatically on ports upon being enabled globally.
- You can enable/disable GVRP only on trunk ports.
- After you enable GVRP on a trunk port, you cannot change the port to other types.
Related commands: display gvrp status.

Examples
# Enable GVRP globally.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] gvrp
GVRP is enabled globally.
# Enable GVRP on Ethernet 1/0/1.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] gvrp
GVRP is enabled on port Ethernet1/0/5.

gvrp registration

Syntax
gvrp registration { fixed | forbidden | normal }
undo gvrp registration

View
Ethernet port view

Parameters
fixed: Specifies the fixed GVRP registration mode. A port operating in this mode cannot register or deregister VLAN information dynamically. It only propagates static VLAN information. Besides, the port permits only static VLANs, that is, it propagates only static VLAN information to the other GARP members.
forbidden: Specifies the forbidden GVRP registration mode. A port operating in this mode cannot register or deregister VLAN information dynamically. It permits only VLAN 1, that is, it propagates only the information about VLAN 1 to the other GARP members.
normal: Specifies the normal mode. A port operating in this mode can dynamically register or deregister VLAN information and can propagate both dynamic and static VLAN information.

Description
Use the gvrp registration command to configure the GVRP registration mode on a port.
Use the undo gvrp registration command to restore the default GVRP registration mode on a port.
By default, the GVRP registration mode is normal.
Note that these commands only apply to trunk ports.
Related commands: display gvrp statistics.

Examples
# Configure Ethernet1/0/1 to operate in fixed GVRP registration mode.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] gvrp registration fixed

Table of Contents
1 Port Basic Configuration Commands
  Port Basic Configuration Commands
    broadcast-suppression
    copy configuration
    description
    display brief interface
    display interface
    display link-delay
    display loopback-detection
    display packet-drop
    display storm-constrain
    display unit
    duplex
    enable log updown
    flow-control
    flow interval
    giant-frame statistics enable
    interface
    jumboframe enable
    link-delay
    loopback
    loopback-detection control enable
    loopback-detection enable
    loopback-detection interval-time
    loopback-detection per-vlan enable
    mdi
    multicast-suppression
    reset counters interface
    reset packet-drop interface
    shutdown
    speed
    speed auto
    storm-constrain
    storm-constrain control
    storm-constrain enable
    storm-constrain interval
    unicast-suppression
    virtual-cable-test

1 Port Basic Configuration Commands

- The displaying and maintaining of the statistics of dropped packets on a port or all ports was added to this manual. For related commands, refer to display packet-drop and reset packet-drop interface.
- The configuration of disabling port Up/Down log output was added to this manual. For the related command, refer to enable log updown.
- The storm control function was added to this manual. For related commands, refer to display storm-constrain, storm-constrain, storm-constrain control, storm-constrain enable and storm-constrain interval.
- The auto-negotiation speed configuration was added to this manual. For the related command, refer to speed auto.
- The command used to set the port state change delay was added to this manual. For details, refer to link-delay.

Port Basic Configuration Commands

broadcast-suppression

Syntax
broadcast-suppression { ratio | pps max-pps }
undo broadcast-suppression

View
System view, Ethernet port view

Parameters
ratio: Maximum ratio of the broadcast traffic allowed on a port to the total transmission capacity of the port.
The value ranges from 1 to 100 (in steps of 1) and defaults to 100. The smaller the ratio is, the less broadcast traffic is allowed.
max-pps: Maximum number of broadcast packets allowed to be received per second on an Ethernet port (in pps). The following are the value ranges for the argument:
- In system view, the value range is 1 to 262143.
- In Ethernet port view, the value range is 1 to 148810 for an Ethernet port, and 1 to 262143 for a GigabitEthernet port.

Description
Use the broadcast-suppression command to limit broadcast traffic allowed to be received on each port (in system view) or on a specified port (in Ethernet port view).
Use the undo broadcast-suppression command to restore the default broadcast suppression setting.
The broadcast-suppression command is used to enable broadcast suppression. By default, broadcast suppression is disabled.
When incoming broadcast traffic exceeds the broadcast traffic threshold you set, the system drops the packets exceeding the threshold to reduce the broadcast traffic ratio to the specified range, so as to keep normal network service.
You can use the undo broadcast-suppression command in system view to cancel the broadcast suppression settings on all ports, or use the broadcast-suppression command in system view to make a global setting.
Executing the commands in Ethernet port view only takes effect on the current port.
The global broadcast suppression setting configured by the broadcast-suppression command in system view takes effect on all Ethernet ports in the system except for the reflection ports, stack ports and ports having their own broadcast suppression settings.
If you configure the broadcast-suppression command in both system view and Ethernet port view, the configuration in Ethernet port view will take effect.

Examples
# Allow incoming broadcast traffic on Ethernet 1/0/1 to occupy at most 20% of the total transmission capacity of the port and suppress the broadcast traffic that exceeds the specified range.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] broadcast-suppression 20
# Set the maximum number of broadcast packets that can be received per second by the Ethernet 1/0/1 port to 1,000.
[Sysname-Ethernet1/0/1] broadcast-suppression pps 1000

copy configuration

Syntax
copy configuration source { interface-type interface-number | aggregation-group source-agg-id } destination { interface-list [ aggregation-group destination-agg-id ] | aggregation-group destination-agg-id }

View
System view

Parameters
interface-type: Port type.
interface-number: Port number.
source-agg-id: Source aggregation group number, in the range of 1 to 416. The port with the smallest port number in the aggregation group is used as the source port.
destination-agg-id: Destination aggregation group number, in the range of 1 to 416.
interface-list: Destination port list, interface-list = interface-type interface-number [ to interface-type interface-number ] &<1-10>. &<1-10> means that you can input up to 10 ports/port ranges.

Description
Use the copy configuration command to duplicate the configuration of a port to specified ports to keep consistent configuration on them.
- If you specify a source aggregation group ID, the system uses the port with the smallest port number in the aggregation group as the source.
- If you specify a destination aggregation group ID, the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configuration as that of the source port.
Refer to Table 1-1 for the configurations that can be copied.

Table 1-1 Configurations that can be copied
VLAN
    VLANs carried on the port and the default VLAN ID.
Protocol-based VLAN
    Protocol VLAN IDs and protocol indexes.
LACP (Link Aggregation Control Protocol)
    The enable/disable status of LACP. (As the configuration commands of manual and static link aggregation groups cannot be copied, you cannot assign a port to a link aggregation group with the copy command.)
QoS
    Traffic policing, packet priority marking, port priority, traffic accounting, VLAN mapping, port rate limiting, priority trust mode, QoS profile (the qos-profile port-based configuration cannot be copied), and so on.
STP
    The enable/disable state of STP on the port, link attribute of the port (point-to-point or non-point-to-point), STP priority, path cost, transmission rate limit, enable/disable state of loop protection, enable/disable state of root protection, and whether the port is an edge port.
GARP
    GVRP enable/disable status, timer settings, and registration mode.
Basic port configuration
    Link type of the port, port rate, and duplex mode.

In case a configuration setting fails to be copied, the system will print the error message.

Examples
# Copy the configurations of Ethernet 1/0/1 to Ethernet 1/0/2 and Ethernet 1/0/3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] copy configuration source ethernet 1/0/1 destination ethernet 1/0/2 ethernet 1/0/3
Note: The following will be removed from destination port list:
Aggregation port(s), Voice vlan port(s).
Copying VLAN configuration...
Copying Protocol based VLAN configuration...
Copying LACP configuration...
Copying QOS configuration...
Copying GARP configuration...
Copying STP configuration...
Copying speed/duplex configuration...
- Any aggregation group port you input in the destination port list will be removed from the list and the copy command will not take effect on the port. If you want an aggregation group port to have the same configuration as the source port, you can specify the aggregation group of the port as the destination (with the destination-agg-id argument).
- Any voice-VLAN-enabled port you input in the destination port list will be removed from the list.
# Copy the configurations of GigabitEthernet 1/1/1 to Ethernet 1/0/1.
[Sysname]copy configuration source g1/1/1 destination e1/0/1
Copying VLAN configuration...
Copying Protocol based VLAN configuration...
Copying LACP configuration...
Copying QOS configuration...
Copying GARP configuration...
Copying STP configuration...
Copying speed/duplex configuration...
Copying speed configuration to interface Ethernet1/0/1 failed
Copying QoS rate limit configuration to interface Ethernet1/0/2 failed
The output shows that all configurations except port rate limiting and QoS traffic policing were copied successfully.

description

Syntax
description text
undo description

View
Ethernet port view

Parameters
text: Port description, a string of 1 to 80 characters.

Description
Use the description command to configure a description for the port.
Use the undo description command to remove the port description.
By default, no description is configured for a port.
You can use the display brief interface command to display the configured description.

Examples
# Set description string home for the Ethernet 1/0/1 port.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] description home

display brief interface

Syntax
display brief interface [ interface-type [ interface-number ] ] [ | { begin | include | exclude } regular-expression ]

View
Any view

Parameters
interface-type: Port type.
interface-number: Port number.
|: Specifies to use a regular expression to filter the configuration information entries to be displayed.
begin: Each entry must begin with a specified character string.
include: Each entry must include a specified character string.
exclude: Each entry must not include a specified character string.
regular-expression: Regular expression, a string of 1 to 256 characters.
For details about regular expression, refer to the Configuration File Management module in this manual.

Description
Use the display brief interface command to display the brief configuration information about one or all interfaces, including: interface type, link state, link rate, duplex attribute, link type, default VLAN ID and description string.
Currently, for the port types other than Ethernet port, this command only displays the link state, and shows "--" in all other configuration information fields.
Related commands: display interface.

Examples
# Display the brief configuration information about the Ethernet 1/0/1 port.
<Sysname> display brief interface Ethernet 1/0/1
Interface:
Eth - Ethernet Loop - LoopBack GE - GigabitEthernet TENGE - tenGigabitEthernet
Vlan - Vlan-interface Cas - Cascade
Speed/Duplex:
A - auto-negotiation
Interface    Link    Speed    Duplex    Type    PVID    Description
------------------------------------------------------------------------
Eth1/0/1     DOWN    A        A         hybrid  1       home

Table 1-2 Description on the fields of the display brief interface command
Interface
    Port type
Link
    Current link state: UP, DOWN or ADMINISTRATIVELY DOWN
Speed
    Link rate
Duplex
    Duplex attribute
Type
    Link type: access, hybrid or trunk
PVID
    Default VLAN ID
Description
    Port description string

The state of an Ethernet port can be UP, DOWN, or ADMINISTRATIVELY DOWN. The following table shows the port state transitions.

Table 1-3 Port state transitions
Initial port state Not connected to any cable State after executing the undo shutdown command DOWN DOWN ADMINISTRATIVELY DOWN DOWN DOWN Connected to a cable State after executing the shutdown command ADMINISTRATIVELY DOWN DOWN UP UP ADMINISTRATIVELY DOWN UP

display interface

Syntax
display interface [ interface-type | interface-type interface-number ]

View
Any view

Parameters
interface-type: Port type.
interface-number: Port number.
For details about the arguments, refer to the parameter description of the interface command.

Description
Use the display interface command to display port configuration. When using this command:
- If you specify neither port type nor port number, the command displays information about all ports.
- If you specify only port type, the command displays information about all ports of the specified type.
- If you specify both port type and port number, the command displays information about the specified port.

Examples
# Display the configuration information of Ethernet 1/0/1.
<Sysname> display interface ethernet 1/0/1
Ethernet1/0/1 current state : DOWN
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0012-a990-2240
Media type is twisted pair, loopback not set
Port hardware type is 100_BASE_TX
100Mbps-speed mode, full-duplex mode
Link speed type is force link, link duplex type is force link
Flow-control is enabled
The Maximum Frame Length is 9216
Broadcast MAX-pps: 500
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 1
Mdi type: auto
Port link-type: access
Tagged VLAN ID : none
Untagged VLAN ID : 1
Last 300 seconds input: 0 packets/sec 0 bytes/sec
Last 300 seconds output: 0 packets/sec 0 bytes/sec
Input(total): 0 packets, 0 bytes
0 broadcasts, 0 multicasts, 0 pauses
Input(normal): - packets, - bytes
- broadcasts, - multicasts, - pauses
Input: 0 input errors, 0 runts, 0 giants, 0 frame, - throttles, 0 CRC
- overruns, 0 aborts, 0 ignored, - parity errors
Output(total): 0 packets, 0 bytes
0 broadcasts, 0 multicasts, 0 pauses
Output(normal): - packets, - bytes
- broadcasts, - multicasts, - pauses
Output: 0 output errors, - underruns, - buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
0 lost carrier, - no carrier

Table 1-4 Description on the fields of the display interface command
Ethernet1/0/1 current state
    Current Ethernet port status: UP, DOWN or ADMINISTRATIVELY DOWN
IP Sending Frames' Format
    Ethernet frame format
Hardware address
    Port hardware address
Media type
    Media type
Port hardware type
    Port hardware type
100Mbps-speed mode, full-duplex mode
    Current speed mode and duplex mode
Link speed type is force link, link duplex type is force link
    Link speed and duplex status (force or auto-negotiation)
Flow-control is enabled
    Status of flow-control on the port
The Maximum Frame Length
    Maximum frame length allowed on the port
Broadcast MAX-ratio
    Broadcast suppression ratio on the port
Unicast MAX-ratio
    Unknown unicast suppression ratio on the port
Multicast MAX-ratio
    Multicast suppression ratio on the port
Allow jumbo frame to pass
    Whether Jumbo frame is allowed on the port.
PVID
    Default VLAN ID of the port
Mdi type
    Network cable type
Port link-type
    Port link type
Tagged VLAN ID
    Identify the VLANs whose packets will be forwarded with tags on the port.
Untagged VLAN ID
    Identify the VLANs whose packets will be forwarded without tags on the port.
Last 300 seconds input: 0 packets/sec 0 bytes/sec
Last 300 seconds output: 0 packets/sec 0 bytes/sec
    Average input and output rates (in pps and Bps) in the last 300 seconds
Input(total): 0 packets, 0 bytes
0 broadcasts, 0 multicasts, 0 pauses
    Count in packets and in bytes of total incoming traffic on the port, including incoming normal packets, abnormal packets, and normal PAUSE frames
    The number of incoming broadcast packets, the number of incoming multicast packets, and the number of incoming PAUSE frames on the port.
Input(normal): - packets, - bytes
- broadcasts, - multicasts, - pauses
    Count in packets and in bytes of incoming normal packets on the port, including incoming normal packets and normal PAUSE frames
    The number of normal incoming broadcast packets, the number of normal incoming multicast packets, and the number of normal incoming PAUSE frames of the port
    A hyphen (-) indicates that the statistical item is not supported
input errors
    The total number of incoming error frames
runts
    The number of incoming runt frames
    A runt frame is of less than 64 bytes but has the correct format and CRC field
giants
    The number of incoming giant frames
    (A giant frame is of more than 1518 bytes if untagged or more than 1522 bytes if tagged.)
- throttles
    The number of throttles that occurred on the port
    (A throttle occurs when a port is shut down due to buffer or memory overload.)
CRC
    The number of CRC error frames received in correct length
frame
    The number of incoming CRC error frames with non-integer number of bytes
- overruns
    The number of packets dropped because the receiving rate of the port exceeds the processing capability of the input queues
aborts
    The total number of incoming illegal packets, including:
    - Fragments: CRC error frames of less than 64 bytes (integer or non-integer).
    - Jabber frames: CRC error frames of more than 1518 bytes if untagged or 1522 bytes if tagged (integer or non-integer).
    - Symbol error frames: frames with at least one symbol error.
    - Unknown operator frames: MAC control frames that are not Pause frames
    - Length error frames: frames whose actual length (46-1500 bytes) is inconsistent with the length field in the 802.3 header.
ignored
    The number of packets dropped due to insufficient receive buffer on the port
- parity errors
    The number of incoming parity error frames
Output(total): 0 packets, 0 bytes
0 broadcasts, 0 multicasts, 0 pauses
    Count in packets and in bytes of total outgoing traffic on the port, including normal packets, abnormal packets, and normal Pause frames
    The number of outgoing broadcast packets, the number of outgoing multicast packets, and the number of outgoing Pause frames on the port
Output(normal): - packets, - bytes
- broadcasts, - multicasts, - pauses
    Count in packets and in bytes of outgoing normal packets on the port, including outgoing normal packets and normal Pause frames.
    The number of normal outgoing broadcast packets, the number of normal outgoing multicast packets, and the number of normal outgoing Pause frames on the port.
    A hyphen (-) indicates that the statistical item is not supported.
output errors
    The total number of outgoing error frames
- underruns
    The number of packets dropped because the transmitting rate of the port exceeds the processing capacity of the output queue, which is a rare hardware error.
- buffer failures
    The number of packets dropped due to insufficient transmit buffer on the port
aborts
    The number of transmission failures due to various reasons, such as collisions
deferred
    The number of first transmission attempts delayed because of detection of collisions
collisions
    The number of detected collisions
    (Transmission of a frame will be aborted upon detection of a collision.)
late collisions
    The number of detected late collisions
    (A late collision occurs if the transmission of a frame defers due to detection of collision after its first 512 bits have been transmitted.)
lost carrier
    The lost carrier counter applicable to serial WAN interfaces
    The counter increases by 1 upon each carrier loss detected during frame transmission.
- no carrier
    The no carrier counter applicable to serial WAN interfaces
    The counter increases by 1 upon each carrier detection failure for frame transmission.

display link-delay

Syntax
display link-delay

View
Any view

Parameters
None

Description
Use the display link-delay command to display the information about the ports with the link-delay command configured, including the port name and the configured delay.
Related commands: link-delay.

Examples
# Display the information about the ports with the link-delay command configured.
<Sysname> display link-delay
Interface                Time Delay
=====================    ==============
Ethernet1/0/5            8

display loopback-detection

Syntax
display loopback-detection

View
Any view

Parameters
None

Description
Use the display loopback-detection command to display the loopback detection status on the port. If loopback detection is enabled, this information will also be displayed: time interval for loopback detection and the loopback ports.

Examples
# Display the loopback detection status on the port.
<Sysname> display loopback-detection
Port Ethernet1/0/1 loopback-detection is running
system Loopback-detection is running
Detection interval time is 30 seconds
There is no port existing loopback link

Table 1-5 Description on the fields of the display loopback-detection command
Port Ethernet1/0/1 loopback-detection is running
    Loopback detection is enabled on the Ethernet 1/0/1.
system Loopback-detection is running
    Loopback detection is enabled globally.
Detection interval time is 30 seconds
    Time interval for loopback detection is 30 seconds.
There is no port existing loopback link
    No loopback port exists.

display packet-drop

Syntax
display packet-drop { interface [ interface-type interface-number ] | summary }

View
Any view

Parameters
interface-type: Port type.
interface-number: Port number.
summary: Displays the summary statistics on the packets dropped on all the ports.

Description
Use the display packet-drop command to display the statistics on the packets dropped on a port or all the ports.
- If interface-type interface-number is not specified, this command displays the statistics on the packets dropped on all the ports.
- If interface-type interface-number is specified, this command displays the statistics on the packets dropped on the port identified by interface-type interface-number.
Related commands: reset packet-drop interface.

Examples
# Display the statistics on the packets dropped on Ethernet 1/0/1.
<Sysname> display packet-drop interface Ethernet 1/0/1
Ethernet1/0/1:
Packets dropped By GBP full or insufficient bandwidth: 0
Packets dropped By others: 0
# Display the summary statistics on the packets dropped on all the ports.
<Sysname> display packet-drop summary
All Ethernet interfaces:
Packets dropped By GBP full or insufficient bandwidth: 0
Packets dropped By others: 605

Table 1-6 Description on the fields of the display packet-drop command
Packets dropped By GBP full or insufficient bandwidth
    Number of packets dropped because the GBP is full or the bandwidth is insufficient.
Packets dropped By others
    Number of packets dropped because of other reasons.

display storm-constrain

Syntax
display storm-constrain [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]

View
Any view

Parameters
interface-type: Port type.
interface-number: Port number.
|: Uses a regular expression to filter the output configuration information.
begin: Displays the configurations that begin with the string specified by regular-expression.
exclude: Displays the configurations that do not contain the string specified by regular-expression.
include: Displays the configurations that contain the string specified by regular-expression.
regular-expression: Regular expression.

Description
Use the display storm-constrain command to display the storm control configurations.
Examples
# Display the storm control configurations.
<Sysname> display storm-constrain
Flow Statistic Interval: 5(second)
PortName  StormType  LowerLimit  UpperLimit  Ctr-mode  Status   Trap  Log  Swi-num
--------------------------------------------------------------------------
Eth1/0/1  broadcast  9           99          shutdown  normal   on    off  3
Eth1/0/1  multicast  9           99          shutdown  control  on    off  1
Eth1/0/2  unicast    9           99          shutdown  normal   on    off  0

Table 1-7 Description on the fields of the display storm-constrain command
Field | Description
Flow Statistic Interval | Interval to collect traffic statistics.
PortName | Name of an Ethernet port
StormType | Traffic type, which can be unicast, multicast, and broadcast
LowerLimit | Lower threshold of traffic received on the port
UpperLimit | Upper threshold of traffic received on the port
Ctr-mode | Control action to be taken when the broadcast/multicast/unicast traffic exceeds the upper threshold, which can be block or shutdown.
Status | Current status of the port, which can be normal or control.
Trap | on: trap information is output when a type of traffic received on the port exceeds the upper threshold or falls below the lower threshold. off: trap information is not output when a type of traffic received on the port exceeds the upper threshold or falls below the lower threshold.
Log | on: log information is output when traffic received on the port exceeds the upper threshold or falls below the lower threshold. off: log information is not output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
Swi-num | Number of port state switchover

display unit

Syntax
display unit unit-id interface

View
Any view

Parameters
unit-id: Unit ID, in the range of 1 to 8.

Description
Use the display unit command to display information about the ports on a specified unit.

Examples
# Display information about the ports on unit 1.
<Sysname> display unit 1 interface
Aux1/0/0
Description : Aux Interface

Ethernet1/0/1 current state : DOWN
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 000f-e290-2240
Media type is twisted pair, loopback not set
Port hardware type is 100_BASE_TX
100Mbps-speed mode, full-duplex mode
Link speed type is force link, link duplex type is force link
Flow-control is enabled
The Maximum Frame Length is 9216
Broadcast MAX-pps: 500
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 1
Mdi type: auto
Port link-type: access
Tagged VLAN ID : none
Untagged VLAN ID : 1
Last 300 seconds input: 0 packets/sec 0 bytes/sec
Last 300 seconds output: 0 packets/sec 0 bytes/sec
Input(total): 0 packets, 0 bytes
0 broadcasts, 0 multicasts, 0 pauses
Input(normal): - packets, - bytes
- broadcasts, - multicasts, - pauses
Input: 0 input errors, 0 runts, 0 giants, 0 frame, - throttles, 0 CRC
- overruns, 0 aborts, 0 ignored, - parity errors
Output(total): 0 packets, 0 bytes
0 broadcasts, 0 multicasts, 0 pauses
Output(normal): - packets, - bytes
- broadcasts, - multicasts, - pauses
Output: 0 output errors, - underruns, - buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
0 lost carrier, - no carrier
(The following displayed information is omitted)

Table 1-8 Description on the fields of the display unit command
Field | Description
Aux1/0/0 Description : Aux Interface | The description string of the AUX port is Aux Interface.
For the description of other fields, refer to Table 1-4.

duplex

Syntax
duplex { auto | full | half }
undo duplex

View
Ethernet port view

Parameters
auto: Sets the port to auto-negotiation mode.
full: Sets the port to full duplex mode.
half: Sets the port to half duplex mode.

Description
Use the duplex command to set the duplex mode of the current port.
Use the undo duplex command to restore the default duplex mode, that is, auto-negotiation.
By default, the port is in auto-negotiation mode.
Related commands: speed.

Examples
# Set the Ethernet 1/0/1 port to auto-negotiation mode.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] duplex auto

enable log updown

Syntax
enable log updown
undo enable log updown

View
Ethernet port view

Parameters
None

Description
Use the enable log updown command to enable Up/Down log information output.
Use the undo enable log updown command to disable Up/Down log information output.
By default, a port is allowed to output Up/Down log information.

Examples
# By default, a port is allowed to output the Up/Down log information. Execute the shutdown command or the undo shutdown command on Ethernet 1/0/1, and the system outputs Up/Down log information of Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] shutdown
[Sysname-Ethernet1/0/1]
%Apr 5 07:25:37:634 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/1 is DOWN
[Sysname-Ethernet1/0/1] undo shutdown
[Sysname-Ethernet1/0/1]
%Apr 5 07:25:56:244 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - Ethernet1/0/1 is UP

# Disable Ethernet 1/0/1 from outputting Up/Down log information and execute the shutdown command or the undo shutdown command on Ethernet 1/0/1. No Up/Down log information is output for Ethernet 1/0/1.
[Sysname-Ethernet1/0/1] undo enable log updown
[Sysname-Ethernet1/0/1] shutdown
[Sysname-Ethernet1/0/1] undo shutdown

flow-control

Syntax
flow-control
undo flow-control

View
Ethernet port view

Parameters
None

Description
Use the flow-control command to enable flow control on the current Ethernet port.
Use the undo flow-control command to disable flow control on the port.
Suppose flow control is enabled on both the local and peer switches.
When congestion occurs on the local switch, the local switch sends a message to notify the peer switch to stop sending packets to it or to reduce the sending rate temporarily. On receiving the message, the peer switch stops sending packets to the local switch or reduces the sending rate temporarily, and vice versa. In this way, packet loss is avoided and the network service operates normally.
By default, flow control is disabled on a port.

Examples
# Enable flow control on the Ethernet 1/0/1 port.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] flow-control

flow-interval

Syntax
flow-interval interval
undo flow-interval

View
Ethernet port view

Parameters
interval: Interval (in seconds) to perform statistics on port information. This argument ranges from 5 to 300 (in step of 5) and is 300 by default.

Description
Use the flow-interval command to set the interval to perform statistics on port information.
Use the undo flow-interval command to restore the default interval.
By default, this interval is 300 seconds.
When you use the display interface interface-type interface-number command to display the information of a port, the system performs statistical analysis on the traffic flow passing through the port during the specified interval and displays the average rates in the interval. For example, if you set the interval to 100 seconds, the displayed information is as follows:
Last 100 seconds input: 0 packets/sec 0 bytes/sec
Last 100 seconds output: 0 packets/sec 0 bytes/sec
Related commands: display interface.

Examples
# Set the interval to perform statistics on the Ethernet 1/0/1 port to 100 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] flow-interval 100

giant-frame statistics enable

Syntax
giant-frame statistics enable
undo giant-frame statistics enable

View
System view

Parameters
None

Description
Use the giant-frame statistics enable command to enable the giant-frame statistics function.
Use the undo giant-frame statistics enable command to disable the giant-frame statistics function.
By default, the giant-frame statistics function is not enabled.
After enabling the giant-frame statistics function, you can use the display interface command to view the statistics about giant frames.
Giant frames refer to VLAN untagged frames of more than 1518 bytes and VLAN tagged frames of more than 1522 bytes.

Examples
# Enable the giant-frame statistics function.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] giant-frame statistics enable

interface

Syntax
interface interface-type interface-number

View
System view

Parameters
interface-type: Port type, which can be Aux, Ethernet, GigabitEthernet, LoopBack, NULL or VLAN-interface.
interface-number: Port number, in the format of Unit ID/slot number/port number, where:
- Unit ID is in the range of 1 to 8;
- The slot number is 0 if the port is an Ethernet port, the slot number is 1 if the port is a GigabitEthernet port.
- The port number is relevant to the device.

Description
Use the interface command to enter specific port view. To configure an Ethernet port, you need to enter Ethernet port view first.

Examples
# Enter Ethernet 1/0/1 port view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1]

jumboframe enable

Syntax
jumboframe enable
undo jumboframe enable

View
Ethernet port view

Parameters
None

Description
Use the jumboframe enable command to set the maximum frame size allowed on a port to 9,216 bytes.
Use the undo jumboframe enable command to set the maximum frame size allowed on a port to 1,536 bytes.
By default, the maximum frame size allowed on an Ethernet port is 9,216 bytes.

Examples
# Set the maximum frame size allowed on Ethernet 1/0/1 to 1,536 bytes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] jumboframe enable

link-delay

Syntax
link-delay delay-time
undo link-delay

View
Ethernet port view

Parameters
delay-time: Port state change delay to be set. This argument is in the range 2 to 10 (in seconds).

Description
Use the link-delay command to set the port state change delay.
Use the undo link-delay command to restore the default.
By default, the port state change delay is 0 seconds, that is, the port state changes without any delay.
During a short period after you connect your switch to another device, the connecting port may go up and down frequently due to hardware compatibility, resulting in service interruption. To avoid situations like this, you may set a port state change delay.
- The port state change delay takes effect when the port goes down but not when the port goes up.
- The delay configured in this way does not take effect for ports in DLDP down state. For information about the DLDP down state, refer to DLDP.

Examples
# Set the port state change delay of Ethernet 1/0/5 to 8 seconds.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] interface Ethernet1/0/5
[Sysname-Ethernet1/0/5] link-delay 8

loopback

Syntax
loopback { external | internal }

View
Ethernet port view

Parameters
external: Performs external loop test. In the external loop test, self-loop headers must be used on the port of the switch. The external loop test can locate the hardware failures on the port.
For a 100M port, the self-loop headers are made from four cores of the 8-core cable; for a 1000M port, the self-loop headers are made from eight cores of the 8-core cable. The packets forwarded by the port are received by the port itself.
internal: Performs internal loop test. In the internal loop test, a self loop is established in the switching chip to locate chip failures related to the port.

Description
Use the loopback command to perform a loopback test on the current Ethernet port to check whether the Ethernet port works normally. The loopback test terminates automatically after running for a specific period.
By default, no loopback test is performed on the Ethernet port.

Examples
# Perform an internal loop test on Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] loopback internal
Loopback internal succeeded.

loopback-detection control enable

Syntax
loopback-detection control enable
undo loopback-detection control enable

View
Ethernet port view

Parameters
None

Description
Use the loopback-detection control enable command to enable the loopback detection control feature on the current trunk or hybrid port.
Use the undo loopback-detection control enable command to disable the loopback detection control feature on the trunk or hybrid port.
This function needs to be used in conjunction with the loopback detection function. For details, refer to the loopback-detection enable command.
When a loopback is detected in a VLAN on a trunk or hybrid port, you can use this function to control the working status of the port.
- If this feature is enabled on a trunk or hybrid port, when loopback is found on the port, the system puts the port into the controlled working status and removes the MAC address entries corresponding to the port.
- If this feature is disabled on a trunk or hybrid port, when loopback is found on the port, the system just reports a Trap message, and the port still works normally.
By default, the loopback detection control feature is disabled on the trunk or hybrid port.
Note that this command is invalid for an access port.
Related commands: loopback-detection enable.

Examples
# Enable the loopback detection control feature on Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] loopback-detection control enable

loopback-detection enable

Syntax
loopback-detection enable
undo loopback-detection enable

View
System view or Ethernet port view

Parameters
None

Description
Use the loopback-detection enable command to enable the loopback detection feature on ports to detect whether external loopback occurs on a port.
Use the undo loopback-detection enable command to disable the loopback detection feature on ports.
- If loopback is found on an access port, the system disables the port, sends a Trap message to the client and removes the corresponding MAC forwarding entry.
- If loopback is found on a trunk or hybrid port, the system sends a Trap message to the client. If the loopback port control function is enabled on the port (with the loopback-detection control enable command), the system disables the port, sends a Trap message to the client and removes the corresponding MAC forwarding entry.
The loopback detection feature takes effect on a port only when the loopback detection feature is enabled in both system view and the specified port view.
By default, the loopback detection feature is disabled on any port.
Related commands: loopback-detection control enable.

Examples
# Enable the loopback detection feature on Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] loopback-detection enable
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] loopback-detection enable

loopback-detection interval-time

Syntax
loopback-detection interval-time time
undo loopback-detection interval-time

View
System view

Parameters
time: Time interval for loopback detection, in the range of 5 to 300 (in seconds). It is 30 seconds by default.

Description
Use the loopback-detection interval-time command to set the time interval for loopback detection.
Use the undo loopback-detection interval-time command to restore the default time interval.

Examples
# Set the time interval for loopback detection to 10 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] loopback-detection interval-time 10

loopback-detection per-vlan enable

Syntax
loopback-detection per-vlan enable
undo loopback-detection per-vlan enable

View
Ethernet port view

Parameters
None

Description
Use the loopback-detection per-vlan enable command to configure the system to run loopback detection on all VLANs of the current trunk or hybrid port.
Use the undo loopback-detection per-vlan enable command to restore the default setting.
By default, the system runs loopback detection only on the default VLAN of the trunk or hybrid port.
Note that the command is invalid for any access port.

Examples
# Configure the system to run loopback detection on all VLANs of the trunk port Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] loopback-detection per-vlan enable

mdi

Syntax
mdi { across | auto | normal }
undo mdi

View
Ethernet port view

Parameters
across: Sets the MDI mode to medium dependent interface (MDI).
normal: Sets the MDI mode to media dependent interface-X mode (MDI-X).
auto: Sets the MDI mode to auto-sensing. A port operating in this mode adjusts its MDI mode between MDI and MDI-X automatically.
- An RJ-45 interface can operate in MDI or MDI-X mode.
- To connect two RJ-45 interfaces operating in the same MDI mode, use a crossover cable; to connect two RJ-45 interfaces operating in different MDI modes, use a straight-through cable.
- The MDI mode of an optical port is fixed to auto.

Description
Use the mdi command to set the MDI mode for a port.
Use the undo mdi command to restore the default setting.
By default, a port operates in auto-sensing MDI mode.

Examples
# Set the MDI mode of Ethernet 1/0/1 to MDI.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] mdi across

multicast-suppression

Syntax
multicast-suppression { ratio | pps max-pps }
undo multicast-suppression

View
Ethernet port view

Parameters
ratio: Maximum ratio of the multicast traffic allowed on the port to the total transmission capacity of the port. This argument ranges from 1 to 100 (in step of 1) and defaults to 100. The smaller the ratio, the less multicast traffic is allowed to be received.
max-pps: Maximum number of multicast packets allowed to be received per second (in pps). This argument ranges from 1 to 148,810 (for Ethernet ports) or 1 to 262,143 (for GigabitEthernet ports).

Description
Use the multicast-suppression command to limit multicast traffic allowed to be received on the current port.
Use the undo multicast-suppression command to restore the default multicast suppression setting on the current port.
When incoming multicast traffic on the port exceeds the multicast traffic threshold you set, the system drops the packets exceeding the threshold to reduce the multicast traffic ratio to the reasonable range, so as to keep normal network service.
By default, the switch does not suppress multicast traffic.
Examples
# Allow the incoming multicast traffic on Ethernet 1/0/1 to occupy at most 20% of the transmission capacity of the port, and suppress the multicast traffic that exceeds the specified range.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] multicast-suppression 20

# Set the maximum number of multicast packets that can be received per second by Ethernet 1/0/1 to 1,000.
[Sysname-Ethernet1/0/1] multicast-suppression pps 1000

reset counters interface

Syntax
reset counters interface [ interface-type | interface-type interface-number ]

View
User view

Parameters
interface-type: Port type.
interface-number: Port number.
For details about the parameters, see the parameter description of the interface command.

Description
Use the reset counters interface command to clear the statistics of the port, preparing for a new statistics collection.
If you specify neither port type nor port number, the command clears statistics of all ports.
If you specify only the port type, the command clears statistics of all ports of this type.
If you specify both port type and port number, the command clears statistics of the specified port.
Note that the statistics of the 802.1x-enabled ports cannot be cleared.

Examples
# Clear the statistics of Ethernet 1/0/1.
<Sysname> reset counters interface ethernet 1/0/1

reset packet-drop interface

Syntax
reset packet-drop interface [ interface-type interface-number ]

View
User view

Parameters
interface-type: Port type.
interface-number: Port number.

Description
Use the reset packet-drop interface command to clear the statistics on the packets dropped on a port or all the ports.
- If interface-type interface-number is not specified, this command clears the statistics on the packets dropped on all the ports.
- If interface-type interface-number is specified, this command clears the statistics on the packets dropped on the specified port.
Related commands: display packet-drop.
Examples
# Clear the statistics on the packets dropped on Ethernet 1/0/1.
<Sysname> reset packet-drop interface Ethernet 1/0/1

shutdown

Syntax
shutdown
undo shutdown

View
Ethernet port view

Parameters
None

Description
Use the shutdown command to shut down an Ethernet port.
Use the undo shutdown command to bring up an Ethernet port.
By default, an Ethernet port is in up state.

Examples
# Shut down Ethernet 1/0/1 and then bring it up.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] shutdown
#Apr 13 23:13:53:600 2000 Sysname L2INF/2/PORT LINK STATUS CHANGE:- 1 Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227650, ifAdminStatus is 2, ifOperStatus is 2
%Apr 13 23:13:53:807 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 Ethernet1/0/4 is DOWN
%Apr 13 23:13:53:927 2000 Sysname L2INF/5/VLANIF LINK STATUS CHANGE:- 1 Vlan-interface3 is DOWN
%Apr 13 23:13:54:057 2000 Sysname IFNET/5/UPDOWN:- 1 -Line protocol on the interface Vlan-interface3 is DOWN

# Enable Ethernet 1/0/1.
[Sysname-Ethernet1/0/1] undo shutdown
#Apr 13 23:14:54:454 2000 Sysname L2INF/2/PORT LINK STATUS CHANGE:- 1 Trap 1.3.6.1.6.3.1.1.5.4(linkUp): portIndex is 4227650, ifAdminStatus is 1, ifOperStatus is 1
%Apr 13 23:14:54:657 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 Ethernet1/0/4 is UP
%Apr 13 23:14:54:777 2000 Sysname L2INF/5/VLANIF LINK STATUS CHANGE:- 1 Vlan-interface3 is UP
%Apr 13 23:14:54:897 2000 Sysname IFNET/5/UPDOWN:- 1 -Line protocol on the interface Vlan-interface3 is UP

speed

Syntax
speed { 10 | 100 | 1000 | auto }
undo speed

View
Ethernet port view

Parameters
10: Specifies the port speed to 10 Mbps.
100: Specifies the port speed to 100 Mbps.
1000: Specifies the port speed to 1,000 Mbps (only available to GigabitEthernet ports).
auto: Specifies the port speed to the auto-negotiation mode.

Description
Use the speed command to set the port speed.
Use the undo speed command to restore the port speed to the default setting.
By default, the port speed is in the auto-negotiation mode.
Note that you can only specify the 1000 and auto keywords for Gigabit Ethernet ports.
Related commands: duplex.

Examples
# Set the speed of Ethernet 1/0/1 to 10 Mbps.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] speed 10

speed auto

Syntax
speed auto [ 10 | 100 | 1000 ]*

View
Ethernet port view

Parameters
10: Configures 10 Mbps as an auto-negotiation speed of the port.
100: Configures 100 Mbps as an auto-negotiation speed of the port.
1000: Configures 1,000 Mbps as an auto-negotiation speed of the port.

Description
Use the speed auto [ 10 | 100 | 1000 ]* command to configure auto-negotiation speed(s) for the current port.
By default, the port speed is auto-negotiated.
The last configuration takes effect if you configure the command multiple times.

Examples
# Configure 10 Mbps and 1000 Mbps as the auto-negotiation speeds of Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] speed auto 10 1000

storm-constrain

Syntax
storm-constrain { broadcast | multicast | unicast } max-packets min-packets pps
undo storm-constrain { all | broadcast | multicast | unicast }

View
Ethernet port view

Parameters
broadcast: Specifies to control broadcast traffic on the port.
multicast: Specifies to control multicast traffic on the port.
unicast: Specifies to control unicast traffic on the port.
all: Cancels all the storm control threshold configurations on the port.
max-packets: Upper threshold of the traffic on the port, in pps (packets per second). It ranges from 1 to 4,294,967,295 and must be greater than or equal to the lower threshold.
min-packets: Lower threshold of the traffic on the port, in pps.
It ranges from 1 to 4,294,967,295, and must be less than or equal to the upper threshold.

Description
Use the storm-constrain command to set the upper and lower thresholds of the broadcast/multicast/unicast traffic received on the port.
Use the undo storm-constrain command to cancel the threshold configuration.
- With traffic upper and lower thresholds specified on a port, the system periodically collects statistics about the broadcast/multicast/unicast traffic on the port. Once it finds that a type of traffic exceeds the specified upper threshold, it blocks this type of traffic on the port or directly shuts down the port, and outputs trap/log information according to your configuration.
- When a type of traffic on the port falls back to the specified lower threshold, the system cancels the blocking of this type of traffic on the port or brings up the port to restore traffic forwarding for the port, and outputs log/trap information according to your configuration.
Related commands: display storm-constrain, storm-constrain control, storm-constrain enable.

Examples
# Set the upper and lower thresholds of broadcast traffic on Ethernet 1/0/1 to 100 pps and 10 pps respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] storm-constrain broadcast 100 10 pps

storm-constrain control

Syntax
storm-constrain control { block | shutdown }
undo storm-constrain control

View
Ethernet port view

Parameters
block: Blocks and stops forwarding those types of traffic exceeding the upper thresholds.
shutdown: Shuts down the port if the broadcast/multicast/unicast traffic exceeds the upper threshold, and stops receiving and forwarding all types of traffic on the port.

Description
Use the storm-constrain control command to set the action to be taken when the broadcast/multicast/unicast traffic on the port exceeds the upper threshold.
Use the undo storm-constrain control command to cancel the configured action.
By default, no action is taken.
- If the fabric function is enabled on a port of a device, you cannot configure the storm control function on all ports of the device.
- If the broadcast-suppression command, multicast-suppression command or unicast-suppression command is configured on a port, you cannot configure the storm control function on the port, and vice versa.
- Setting the upper and lower traffic thresholds to the same value is not recommended.
- The system can take one of two actions when the broadcast/multicast/unicast traffic received on a port exceeds the upper threshold: block and shutdown. The block action blocks only those types of traffic that exceed the upper thresholds instead of all types of traffic. When a type of traffic is blocked, it is still counted by the system and contained in the traffic statistics. The shutdown action automatically shuts down the port when a type of traffic on the port exceeds the upper threshold. If you want to bring up the port again, you can execute the undo shutdown command or the undo storm-constrain { all | broadcast | multicast | unicast } command.
Related commands: display storm-constrain, storm-constrain.

Examples
# Set the control action on Ethernet 1/0/1 to block.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] storm-constrain control block

storm-constrain enable

Syntax
storm-constrain enable { log | trap }
undo storm-constrain enable

View
Ethernet port view

Parameters
log: Enables log information to be output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
trap: Enables trap information to be output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
Description
Use the storm-constrain enable command to enable log/trap information to be output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
Use the undo storm-constrain enable command to disable log/trap information from being output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
By default, log/trap information is output when traffic received on the port exceeds the upper threshold or falls below the lower threshold.
Related commands: display storm-constrain, storm-constrain.

Examples
# Disable log information from being output when traffic received on Ethernet 1/0/1 exceeds the upper threshold or falls below the lower threshold.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] undo storm-constrain enable log

storm-constrain interval

Syntax
storm-constrain interval interval-value
undo storm-constrain interval

View
System view

Parameters
interval-value: Interval to collect traffic statistics, in the range of 1 to 300 (in seconds).

Description
Use the storm-constrain interval command to set the interval to collect traffic statistics.
Use the undo storm-constrain interval command to restore the default setting.
By default, the interval is 10 seconds.
Related commands: display storm-constrain, storm-constrain.

Examples
# Set the interval to collect traffic statistics to 2 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] storm-constrain interval 2

unicast-suppression

Syntax
unicast-suppression { ratio | pps max-pps }
undo unicast-suppression

View
Ethernet port view

Parameters
ratio: Maximum ratio of the unknown unicast traffic allowed on the port to the total transmission capacity of the port. This argument ranges from 1 to 100 (in step of 1) and defaults to 100. The smaller the ratio, the less unknown unicast traffic is allowed to be received.
max-pps: Maximum number of unknown unicast packets allowed to be received per second on the Ethernet port (in pps). This argument ranges from 1 to 148,810 (for Ethernet ports) or 1 to 262,143 (for GigabitEthernet ports).

Description
Use the unicast-suppression command to limit the unknown unicast traffic allowed to be received on the current port.
Use the undo unicast-suppression command to restore the default unknown unicast suppression setting on the port.
When incoming unknown unicast traffic exceeds the unknown unicast traffic threshold you set, the system drops the packets exceeding the threshold to reduce the unknown unicast traffic ratio to the reasonable range, so as to keep normal network service.
By default, the switch does not suppress unknown unicast traffic.

Examples
# Allow unknown incoming unicast traffic on Ethernet 1/0/1 to occupy at most 20% of the transmission capacity of the port, and suppress the unknown unicast traffic that exceeds the specified range.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] unicast-suppression 20

# Set the maximum number of unknown unicast packets that can be received per second by Ethernet 1/0/1 to 1,000.
[Sysname-Ethernet1/0/1] unicast-suppression pps 1000

virtual-cable-test

Syntax
virtual-cable-test

View
Ethernet port view

Parameters
None

Description
Use the virtual-cable-test command to enable the system to test the cable connected to a specific port and to display the results. The system can test these attributes of the cable:
- Cable status, including normal, abnormal, abnormal-open, abnormal-short and failure
- Cable length
  - If the cable is in normal state, the displayed length value is the total length of the cable.
  - If the cable is in any other state, the displayed length value is the length from the port to the faulty point.
- Pair impedance mismatch
- Pair skew
- Pair swap
- Pair polarity
- Insertion loss
- Return loss
- Near-end crosstalk

By default, the system does not test the cable connected to the Ethernet port.

Currently, only cable status and cable length can be tested. A hyphen (-) indicates that the corresponding test item is not supported.

Examples

# Enable the system to test the cable connected to Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] virtual-cable-test
Cable status: normal, 0 meter(s)
Pair Impedance mismatch:
Pair skew: - ns
Pair swap:
Pair polarity:
Insertion loss: - db
Return loss: - db
Near-end crosstalk: - db

Table of Contents

1 Link Aggregation Configuration Commands
    Link Aggregation Configuration Commands
        display link-aggregation interface
        display link-aggregation summary
        display link-aggregation verbose
        display lacp system-id
        lacp enable
        lacp port-priority
        lacp system-priority
        link-aggregation group description
        link-aggregation group mode
        port link-aggregation group
        reset lacp statistics

1 Link Aggregation Configuration Commands

Link Aggregation Configuration Commands

display link-aggregation interface

Syntax

display link-aggregation interface interface-type interface-number [ to interface-type interface-number ]

View

Any view

Parameters

interface-type: Port type.
interface-number: Port number.
to: Specifies a port index range, with the two interface-type interface-number argument pairs around it as the two ends.

Description

Use the display link-aggregation interface command to display the link aggregation details about a specified port or port range.

Note that because ports in a manual link aggregation group do not acquire the information about their peers automatically, the entries displayed for the peer ports are all 0 instead of the actual values.

Examples

# Display the link aggregation details on Ethernet 1/0/1.
<Sysname> display link-aggregation interface Ethernet1/0/1
Ethernet1/0/1:
Selected AggID: 1
Local:
Port-Priority: 32768, Oper key: 2, Flag: 0x45
Remote:
System ID: 0x8000, 0000-0000-0000
Port Number: 0, Port-Priority: 32768 , Oper-key: 0, Flag: 0x38
Received LACP Packets: 0 packet(s), Illegal: 0 packet(s)
Sent LACP Packets: 0 packet(s)

Table 1-1 Description on the fields of the display link-aggregation interface command

Field                     Description
Selected AggID            ID of the aggregation group to which the specified port belongs
Local                     Information about the local end
Port-Priority             Port priority
Oper key                  Operation key
Flag                      Protocol status flag
Remote                    Information about the remote end
System ID                 Remote device ID
Port number               Port number
Received LACP Packets: 0 packet(s), Illegal: 0 packet(s)
Sent LACP Packets: 0 packet(s)
                          Statistics about received, invalid, and sent LACP packets

display link-aggregation summary

Syntax

display link-aggregation summary

View

Any view

Parameters

None

Description

Use the display link-aggregation summary command to display summary information of all aggregation groups.

Note that because ports in a manual link aggregation group do not acquire the information about their peers automatically, the entries displayed for the peer ports are all 0 instead of the actual values.

Examples

# Display summary information of all aggregation groups.
<Sysname> display link-aggregation summary
Aggregation Group Type:D -- Dynamic, S -- Static , M -- Manual
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor ID: 0x8000, 000f-e20f-5104

AL  AL    Partner ID               Select  Unselect  Share  Master
ID  Type                           Ports   Ports     Type   Port
-------------------------------------------------------------------------
1   S     0x8000,0000-0000-0000    0       1         NonS   Ethernet1/0/2
2   M     none                     1       0         NonS   Ethernet1/0/3

Table 1-2 Description on the fields of the display link-aggregation summary command

Field                     Description
Aggregation Group Type    Aggregation group type: D for dynamic, S for static, and M for manual
Loadsharing Type          Load sharing type: Shar for load sharing and NonS for non-load sharing
Actor ID                  Local device ID
AL ID                     Aggregation group ID
AL Type                   Aggregation group type: D (dynamic), S (static), or M (manual)
Partner ID                ID of the remote device, including the system priority and system MAC address of the remote device. For a device belonging to a dynamic aggregation group or static aggregation group, if no LACP packet is received, the partner ID is displayed as 0x8000, 0000-0000-0000.
Select Ports              Number of the selected ports
Unselect Ports            Number of the unselected ports
Share Type                Load sharing type: Shar (load-sharing), or NonS (non-load-sharing)
Master Port               The smallest port number in an aggregation group

display link-aggregation verbose

Syntax

display link-aggregation verbose [ agg-id ]

View

Any view

Parameters

agg-id: Aggregation group ID, which ranges from 1 to 416 and must be the ID of an existing aggregation group.

Description

Use the display link-aggregation verbose command to display the details about a specified aggregation group or all aggregation groups.

Note that because ports in a manual link aggregation group do not acquire the information about their peers automatically, the entries displayed for the peer ports are all 0 instead of the actual values.
Examples

# Display the details about aggregation group 1.
<Sysname> display link-aggregation verbose 1
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Flags: A -- LACP_Activity, B -- LACP_timeout, C -- Aggregation,
       D -- Synchronization, E -- Collecting, F -- Distributing,
       G -- Defaulted, H -- Expired

Aggregation ID: 1, AggregationType: Manual, Loadsharing Type: NonS
Aggregation Description:
System ID: 0x8000, 000f-e214-000a
Port Status: S -- Selected, U -- Unselected
Local:
Port            Status  Priority  Key  Flag
-------------------------------------------------------------------------
Ethernet1/0/2   S       32768     1    {}
Ethernet1/0/3   U       32768     1    {}

Remote:
Actor           Partner  Priority  Key  SystemID               Flag
-------------------------------------------------------------------------
Ethernet1/0/2   0        0         0    0x0000,0000-0000-0000  {}
Ethernet1/0/3   0        0         0    0x0000,0000-0000-0000  {}

Table 1-3 Description on the fields of the display link-aggregation verbose command

Field                     Description
Loadsharing Type          Loadsharing type, including Loadsharing and Non-Loadsharing
Flags                     Flag types of LACP
Aggregation ID            Aggregation group ID
Aggregation Description   Aggregation group description string
AggregationType           Aggregation group type
System ID                 Device ID
Port Status               Port status, including selected and unselected

display lacp system-id

Syntax

display lacp system-id

View

Any view

Parameters

None

Description

Use the display lacp system-id command to display the device ID of the local system, including the system priority and the MAC address.

Examples

# Display the device ID of the local system.
<Sysname> display lacp system-id
Actor System ID: 0x8000, 000f-e20f-0100

The value of the Actor System ID field is the device ID.

lacp enable

Syntax

lacp enable
undo lacp enable

View

Ethernet port view

Parameters

None

Description

Use the lacp enable command to enable LACP on the current port.

Use the undo lacp enable command to disable LACP.

By default, LACP is disabled on a port.
Examples

# Enable the LACP protocol on Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] lacp enable

lacp port-priority

Syntax

lacp port-priority port-priority
undo lacp port-priority

View

Ethernet port view

Parameters

port-priority: Port priority, ranging from 0 to 65,535.

Description

Use the lacp port-priority command to set the priority of the current port.

Use the undo lacp port-priority command to restore the default port priority.

By default, the port priority is 32,768.

You can use the display link-aggregation verbose command or the display link-aggregation interface command to check the configuration result.

Examples

# Set the priority of Ethernet 1/0/1 to 64.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] lacp port-priority 64

lacp system-priority

Syntax

lacp system-priority system-priority
undo lacp system-priority

View

System view

Parameters

system-priority: System priority, ranging from 0 to 65,535.

Description

Use the lacp system-priority command to set the system priority.

Use the undo lacp system-priority command to restore the default system priority.

By default, the system priority is 32,768.

Examples

# Set the system priority to 64.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] lacp system-priority 64

link-aggregation group description

Syntax

link-aggregation group agg-id description agg-name
undo link-aggregation group agg-id description

View

System view

Parameters

agg-id: Aggregation group ID, in the range of 1 to 416.
agg-name: Aggregation group name, a string of 1 to 32 characters.

Description

Use the link-aggregation group description command to set a description for an aggregation group.

Use the undo link-aggregation group description command to remove the description of an aggregation group.
If you have saved the current configuration with the save command, after system reboot, the configuration concerning manual and static aggregation groups and their descriptions still exists, but that of the dynamic aggregation groups and their descriptions gets lost.

You can use the display link-aggregation verbose command to check the configuration result.

Examples

# Set the description abc for aggregation group 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] link-aggregation group 1 description abc

link-aggregation group mode

Syntax

link-aggregation group agg-id mode { manual | static }
undo link-aggregation group agg-id

View

System view

Parameters

agg-id: Aggregation group ID, in the range of 1 to 416.
manual: Creates a manual aggregation group.
static: Creates a static aggregation group.

Description

Use the link-aggregation group mode command to create a manual or static aggregation group.

Use the undo link-aggregation group command to remove the specified aggregation group.

Related commands: display link-aggregation summary.

Examples

# Create manual aggregation group 22.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] link-aggregation group 22 mode manual

port link-aggregation group

Syntax

port link-aggregation group agg-id
undo port link-aggregation group

View

Ethernet port view

Parameters

agg-id: Aggregation group ID, in the range of 1 to 416.

Description

Use the port link-aggregation group command to add the current Ethernet port to a manual or static aggregation group.

Use the undo port link-aggregation group command to remove the current Ethernet port from the aggregation group.

Related commands: display link-aggregation verbose.

Examples

# Add Ethernet 1/0/1 to aggregation group 22.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] port link-aggregation group 22

reset lacp statistics

Syntax

reset lacp statistics [ interface interface-type interface-number [ to interface-type interface-number ] ]

View

User view

Parameters

interface-type: Port type.
interface-number: Port number.
to: Specifies a port index range, with the two interface-type interface-number argument pairs around it as the two ends.

Description

Use the reset lacp statistics command to clear LACP statistics on specified port(s), or on all ports if no port is specified.

Related commands: display link-aggregation interface.

Examples

# Clear LACP statistics on all Ethernet ports.
<Sysname> reset lacp statistics

Table of Contents

1 Port Isolation Configuration Commands
    Port Isolation Configuration Commands
        display isolate port
        port isolate

1 Port Isolation Configuration Commands

Port Isolation Configuration Commands

display isolate port

Syntax

display isolate port

View

Any view

Parameters

None

Description

Use the display isolate port command to display the Ethernet ports assigned to the isolation group.

Examples

# Display the Ethernet ports added to the isolation group.
<Sysname> display isolate port
Isolated port(s) on UNIT 1:
Ethernet1/0/2, Ethernet1/0/3, Ethernet1/0/4

The information above shows that Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 are in the isolation group. Neither Layer-2 nor Layer-3 packets can be exchanged between these ports.

port isolate

Syntax

port isolate
undo port isolate

View

Ethernet port view

Parameters

None

Description

Use the port isolate command to assign the Ethernet port to the isolation group.

Use the undo port isolate command to remove the Ethernet port from the isolation group.

- Assigning or removing an aggregation member port to or from the isolation group can cause the other ports in the aggregation group to join or leave the isolation group.
- For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports. That is, the remaining ports stay in the aggregation group and the isolation group.
- Ports that belong to an aggregation group and the isolation group simultaneously are still isolated after they are removed from the aggregation group (in system view).
- Assigning an isolated port to an aggregation group causes all the ports in the aggregation group on the local unit to join the isolation group.
- The S3600 series Ethernet switches support cross-device port isolation if IRF fabric is enabled.

By default, the isolation group contains no port.

Examples

# Assign Ethernet 1/0/1 and Ethernet 1/0/2 to the isolation group.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet1/0/1
[Sysname-Ethernet1/0/1] port isolate
[Sysname-Ethernet1/0/1] quit
[Sysname] interface ethernet1/0/2
[Sysname-Ethernet1/0/2] port isolate

After the configuration, packets cannot be exchanged between Ethernet 1/0/1 and Ethernet 1/0/2.

# Remove Ethernet 1/0/1 from the isolation group.
[Sysname-Ethernet1/0/1] undo port isolate

Table of Contents

1 Port Security Commands
    Port Security Commands
        display mac-address security
        display port-security
        mac-address security
        port-security enable
        port-security intrusion-mode
        port-security authorization ignore
        port-security max-mac-count
        port-security ntk-mode
        port-security oui
        port-security port-mode
        port-security timer disableport
        port-security trap
2 Port Binding Commands
    Port Binding Commands
        am user-bind
        display am user-bind

1 Port Security Commands

Two port security modes, macAddressAndUserLoginSecure and macAddressAndUserLoginSecureExt, were introduced. For details, refer to port-security port-mode.

Port Security Commands

display mac-address security

Syntax

display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

View

Any view

Parameters

interface interface-type interface-number: Specify a port by its type and number, of which the security MAC address information is to be displayed.
vlan vlan-id: Specify a VLAN by its ID, of which the security MAC address information is to be displayed. The value range for the vlan-id argument is 1 to 4094.
count: Displays the number of matching security MAC addresses.

Description

Use the display mac-address security command to display security MAC address entries.

If no argument is specified, the command displays information about all security MAC address entries.

For each security MAC address entry, the output of the command displays the MAC address, the VLAN that the MAC address belongs to, state of the MAC address (which is always security), port associated with the MAC address, and the remaining lifetime of the entry.
By checking the output of this command, you can verify the current configuration.

Examples

# Display information about all security MAC address entries.
<Sysname> display mac-address security
MAC ADDR        VLAN ID  STATE     PORT INDEX       AGING TIME(s)
0000-0000-0001  1        Security  Ethernet1/0/20   NOAGED
0000-0000-0002  1        Security  Ethernet1/0/20   NOAGED
0000-0000-0003  1        Security  Ethernet1/0/20   NOAGED
0000-0000-0004  1        Security  Ethernet1/0/20   NOAGED
0000-0000-0001  2        Security  Ethernet1/0/22   NOAGED
0000-0000-0007  2        Security  Ethernet1/0/22   NOAGED
--- 6 mac address(es) found ---

# Display the security MAC address entries for port Ethernet 1/0/20.
<Sysname> display mac-address security interface Ethernet 1/0/20
MAC ADDR        VLAN ID  STATE     PORT INDEX       AGING TIME(s)
0000-0000-0001  1        Security  Ethernet1/0/20   NOAGED
0000-0000-0002  1        Security  Ethernet1/0/20   NOAGED
0000-0000-0003  1        Security  Ethernet1/0/20   NOAGED
0000-0000-0004  1        Security  Ethernet1/0/20   NOAGED
--- 4 mac address(es) found on port Ethernet1/0/20 ---

# Display the security MAC address entries for VLAN 1.
<Sysname> display mac-address security vlan 1
MAC ADDR        VLAN ID  STATE     PORT INDEX       AGING TIME(s)
0000-0000-0001  1        Security  Ethernet1/0/20   NOAGED
0000-0000-0002  1        Security  Ethernet1/0/20   NOAGED
0000-0000-0003  1        Security  Ethernet1/0/20   NOAGED
0000-0000-0004  1        Security  Ethernet1/0/20   NOAGED
--- 4 mac address(es) found in vlan 1 ---

# Display the total number of security MAC address entries.
<Sysname> display mac-address security count
6 mac address(es) found

# Display the number of security MAC address entries for VLAN 1.
<Sysname> display mac-address security vlan 1 count
4 mac address(es) found in vlan 1

Table 1-1 Description on the fields of the display mac-address security command

Field                     Description
MAC ADDR                  Security MAC address
VLAN ID                   VLAN that the MAC address belongs to
STATE                     MAC address type, which is always security for a security MAC address
PORT INDEX                Port associated with the MAC address
AGING TIME(s)             Remaining lifetime of the MAC address entry
mac address(es) found     Number of matching security MAC addresses

display port-security

Syntax

display port-security [ interface interface-list ]

View

Any view

Parameters

interface interface-list: Specify a list of Ethernet ports of which the port security configurations are to be displayed. For the interface-list argument, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1. The total number of individual ports and port ranges defined in the list must not exceed 10.

Description

Use the display port-security command to display port security configurations.

If no interface is specified, the command displays the port security configurations of all Ethernet ports.

The output of the command includes the global configurations (such as whether port security is enabled on the switch and whether the sending of specified Trap messages is enabled) and port configurations (such as the security mode and the port security features).

By checking the output of this command, you can verify the current configuration.

Examples

# Display the global port security configurations and those of all ports.
<Sysname> display port-security
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Dot1x logon trap is Enabled
Dot1x logoff trap is Enabled
Dot1x logfailure trap is Enabled
RALM logon trap is Enabled
RALM logoff trap is Enabled
RALM logfailure trap is Enabled
Disableport Timeout: 20 s
OUI value:
Index is 5, OUI value is 000100
Ethernet1/0/1 is link-up
Port mode is AutoLearn
NeedtoKnow mode is needtoknowonly
Intrusion mode is BlockMacaddress
Max mac-address num is 4
Stored mac-address num is 0
Authorization is ignore
(The rest of the information is omitted.)

# Display the port security configurations of ports Ethernet 1/0/1 to Ethernet 1/0/3.
<Sysname> display port-security interface Ethernet 1/0/1 to Ethernet 1/0/3
Ethernet1/0/1 is link-up
Port mode is AutoLearn
NeedtoKnow mode is needtoknowonly
Intrusion mode is BlockMacaddress
Max mac-address num is 4
Stored mac-address num is 0
Authorization is ignore
Ethernet1/0/2 is link-down
Port mode is AutoLearn
NeedtoKnow mode is disabled
Intrusion mode is no action
Max mac-address num is not configured
Stored mac-address num is 0
Authorization is ignore
Ethernet1/0/3 is link-down
Port mode is AutoLearn
NeedtoKnow mode is disabled
Intrusion mode is BlockMacaddress
Max mac-address num is not configured
Stored mac-address num is 0
Authorization is ignore

Table 1-2 Description on the fields of the display port-security command

Field                                 Description
Equipment port security is enabled    Port security is enabled on the switch.
AddressLearn trap is Enabled          The sending of address-learning trap messages is enabled.
Intrusion trap is Enabled             The sending of intrusion-detection trap messages is enabled.
Dot1x logon trap is Enabled           The sending of 802.1x user authentication success trap messages is enabled.
Dot1x logoff trap is Enabled          The sending of 802.1x user logoff trap messages is enabled.
Dot1x logfailure trap is Enabled      The sending of 802.1x user authentication failure trap messages is enabled.
RALM logon trap is Enabled            The sending of MAC-based authentication success trap messages is enabled.
RALM logoff trap is Enabled           The sending of logoff trap messages for MAC-based authenticated users is enabled.
RALM logfailure trap is Enabled       The sending of MAC-based authentication failure trap messages is enabled.
Disableport Timeout: 20 s             The temporary port-disabling time is 20 seconds.
OUI value                             The next line displays OUI value.
Index                                 OUI index
Ethernet1/0/1 is link-up              The link status of port Ethernet 1/0/1 is up.
Port mode is AutoLearn                The security mode of the port is autolearn.
NeedtoKnow mode is needtoknowonly     The NTK (Need To Know) mode is ntkonly.
Intrusion mode is BlockMacaddress     The intrusion detection mode is BlockMacaddress.
Max mac-address num is 4              The maximum number of MAC addresses allowed on the port is 4.
Stored mac-address num is 0           No MAC address is stored.
Authorization is ignore               Authorization information delivered by the Remote Authentication Dial-In User Service (RADIUS) server will not be applied to the port.

mac-address security

Syntax

In system view:
mac-address security mac-address interface interface-type interface-number vlan vlan-id
undo mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]

In Ethernet port view:
mac-address security mac-address vlan vlan-id
undo mac-address security [ [ mac-address ] vlan vlan-id ]

View

System view, Ethernet port view

Parameters

mac-address: Security MAC address, in the H-H-H format.
interface interface-type interface-number: Specify the port on which the security MAC address is to be added. The interface-type interface-number arguments indicate the port type and port number.
vlan vlan-id: Specify the VLAN to which the MAC address belongs. The vlan-id argument specifies a VLAN ID in the range 1 to 4094.

Description

Use the mac-address security command to create a security MAC address entry.

Use the undo mac-address security command to remove a security MAC address.

By default, no security MAC address entry is configured.

- The mac-address security command can be configured successfully only when port security is enabled and the security mode is autolearn.
- To create a security MAC address entry successfully, you must make sure that the specified VLAN is carried on the specified port.

Examples

# Enable port security; configure the port security mode of Ethernet 1/0/1 as autolearn and create a security MAC address entry for 0001-0001-0001, setting the associated port to Ethernet 1/0/1 and assigning the MAC address to VLAN 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] port-security max-mac-count 100
[Sysname-Ethernet1/0/1] port-security port-mode autolearn
[Sysname-Ethernet1/0/1] mac-address security 0001-0001-0001 vlan 1

# Use the display mac-address interface command to verify the configuration result.
[Sysname] display mac-address interface Ethernet 1/0/1
MAC ADDR        VLAN ID  STATE     PORT INDEX       AGING TIME(s)
0001-0001-0001  1        Security  Ethernet1/0/1    NOAGED
--- 1 mac address(es) found on port Ethernet1/0/1 ---

port-security enable

Syntax

port-security enable
undo port-security enable

View

System view

Parameters

None

Description

Use the port-security enable command to enable port security.

Use the undo port-security enable command to disable port security.

By default, port security is disabled.
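
Because port security is disabled by default, a saved display port-security capture is worth checking mechanically. The following Python script is an added example, not part of the H3C manual: it parses output in the format of the display port-security examples earlier in this chapter and reports ports left without an intrusion action or a MAC address limit. The one-field-per-line layout, the sample capture and the audit policy are assumptions of this example.

```python
import re

# Constructed capture in the format of the manual's display port-security
# examples. One field per line is an assumption of this example.
SAMPLE = """\
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Disableport Timeout: 20 s
OUI value:
  Index is 5, OUI value is 000100
Ethernet1/0/1 is link-up
  Port mode is AutoLearn
  NeedtoKnow mode is needtoknowonly
  Intrusion mode is BlockMacaddress
  Max mac-address num is 4
  Stored mac-address num is 0
  Authorization is ignore
Ethernet1/0/2 is link-down
  Port mode is AutoLearn
  NeedtoKnow mode is disabled
  Intrusion mode is no action
  Max mac-address num is not configured
  Stored mac-address num is 0
  Authorization is ignore
Ethernet1/0/3 is link-up
  Port mode is Secure
  NeedtoKnow mode is disabled
  Intrusion mode is BlockMacaddress
  Max mac-address num is 2
  Stored mac-address num is 2
  Authorization is permit
"""

PORT_RE = re.compile(r"^(\S+\d+/\d+/\d+) is (link-up|link-down)$")
FIELD_RE = re.compile(
    r"^(Port mode|NeedtoKnow mode|Intrusion mode|Max mac-address num|"
    r"Stored mac-address num|Authorization) is (.+)$")
GLOBAL_RE = re.compile(r"^(.+?) is (enabled|disabled)$", re.IGNORECASE)


def parse_port_security(text):
    """Return (global_flags, ports) parsed from display port-security output."""
    global_flags, ports, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PORT_RE.match(line)
        if m:  # a new per-port block starts here
            current = {"link": m.group(2)}
            ports[m.group(1)] = current
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
            continue
        m = GLOBAL_RE.match(line)
        if m and current is None:  # global lines precede the first port
            global_flags[m.group(1)] = m.group(2).lower() == "enabled"
    return global_flags, ports


def audit(text):
    """Return (scope, finding) tuples under this example's assumed policy."""
    global_flags, ports = parse_port_security(text)
    findings = []
    # A missing line is treated the same as a disabled feature.
    if not global_flags.get("Equipment port-security", False):
        findings.append(("global", "port security is not enabled"))
    if not global_flags.get("Intrusion trap", False):
        findings.append(("global", "intrusion trap is not enabled"))
    for name, port in ports.items():
        if port.get("Intrusion mode", "no action").lower() == "no action":
            findings.append((name, "no intrusion protection action"))
        limit = port.get("Max mac-address num", "")
        stored = port.get("Stored mac-address num", "0")
        if not limit.isdigit():
            findings.append((name, "no MAC address limit"))
        elif stored.isdigit() and int(stored) >= int(limit):
            # The next unknown source MAC on this port triggers intrusion protection.
            findings.append((name, "MAC address limit reached"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```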

Enabling port security resets the following configurations on the ports to the defaults (as shown in parentheses below):
- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)

In addition, you cannot perform the above-mentioned configurations manually because these configurations change with the port security mode automatically.

Related commands: display port-security.

Examples

# Enable port security.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
Notice: The port-control of 802.1x will be restricted to auto when port-security is enabled.
Please wait... Done.

port-security intrusion-mode

Syntax

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
undo port-security intrusion-mode

View

Ethernet port view

Parameters

blockmac: Adds the source MAC addresses of illegal packets to the blocked MAC address list. As a result, the packets sourced from the blocked MAC addresses will be filtered out. A blocked MAC address will be unblocked three minutes (not user configurable) after the block action.
disableport: Disables a port permanently once an illegal frame or event is detected on it.
disableport-temporarily: Disables a port for a specified period of time after an illegal frame or event is detected on it. You can set the period with the port-security timer disableport command.

Description

Use the port-security intrusion-mode command to set intrusion protection.

Use the undo port-security intrusion-mode command to disable intrusion protection.

By default, intrusion protection is not configured.

By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC address) or events and takes a pre-set action accordingly.
The actions you can set include: disconnecting the port temporarily/permanently and blocking packets with invalid MAC addresses.

The following cases can trigger intrusion protection on a port:
- A packet with unknown source MAC address is received on the port while MAC address learning is disabled on the port.
- A packet with unknown source MAC address is received on the port while the amount of security MAC addresses on the port has reached the preset maximum number.
- The user fails the 802.1x or MAC address authentication.

After executing the port-security intrusion-mode blockmac command, you can only use the display port-security command to view blocked MAC addresses.

Related commands: display port-security, port-security timer disableport.

Examples

# Configure the intrusion protection mode on Ethernet 1/0/1 as blockmac.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security intrusion-mode blockmac

# Display information about blocked MAC addresses after intrusion protection is triggered.
<Sysname> display port-security
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Dot1x logon trap is Enabled
Dot1x logoff trap is Enabled
Dot1x logfailure trap is Enabled
RALM logon trap is Enabled
RALM logoff trap is Enabled
RALM logfailure trap is Enabled
Disableport Timeout: 20 s
OUI value:
Index is 5, OUI value is 000100
Blocked Mac info:
MAC ADDR          From Port        Vlan
--- On unit 1, 2 blocked mac address(es) found. ---
0000-0000-0003    Ethernet1/0/1    1
0000-0000-0004    Ethernet1/0/1    1
--- 2 blocked mac address(es) found. ---
Ethernet1/0/1 is link-up
Port mode is Secure
NeedtoKnow mode is disabled
Intrusion mode is BlockMacaddress
Max mac-address num is 2
Stored mac-address num is 2
Authorization is permit

For description on the output information, refer to Table 1-2.

# Configure the intrusion protection mode on Ethernet 1/0/1 as disableport-temporarily.
As a result, the port will be disconnected when intrusion protection is triggered and then re-enabled 30 seconds later.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security timer disableport 30
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily

# Configure the intrusion protection mode on Ethernet 1/0/1 as disableport. As a result, when intrusion protection is triggered, the port will be disconnected permanently.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport

You can bring up a port that has been permanently disabled by running the undo shutdown command or disabling port security on the port.

port-security authorization ignore

Syntax
port-security authorization ignore
undo port-security authorization ignore

View
Ethernet port view

Parameters
None

Description
Use the port-security authorization ignore command to configure the port to ignore the authorization information delivered by the RADIUS server.
Use the undo port-security authorization ignore command to restore the default configuration.
By default, the port uses (does not ignore) the authorization information delivered by the RADIUS server.

You can use the display port-security command to check whether the port will use the authorization information delivered by the RADIUS server.

After a RADIUS user passes authentication, the RADIUS server authorizes the attributes configured for the user account such as the dynamic VLAN configuration. For more information, refer to AAA Command.

Examples
# Configure Ethernet 1/0/2 to ignore the authorization information delivered by the RADIUS server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] port-security authorization ignore

port-security max-mac-count

Syntax
port-security max-mac-count count-value
undo port-security max-mac-count

View
Ethernet port view

Parameters
count-value: Maximum number of MAC addresses allowed on the port, in the range of 1 to 1024.

Description
Use the port-security max-mac-count command to set the maximum number of MAC addresses allowed on the port.
Use the undo port-security max-mac-count command to cancel this limit.
By default, there is no limit on the number of MAC addresses allowed on the port.

By configuring the maximum number of MAC addresses allowed on a port, you can:
- Limit the number of users accessing the network through the port.
- Limit the number of security MAC addresses that can be added on the port.

When the maximum number of MAC addresses allowed on a port is reached, the port will not allow more users to access the network through this port.

- The port-security max-mac-count command is irrelevant to the maximum number of MAC addresses that can be learned on a port configured in MAC address management.
- When there are online users on a port, you cannot perform the port-security max-mac-count command on the port.

Examples
# Set the maximum number of MAC addresses allowed on the port to 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security max-mac-count 100

port-security ntk-mode

Syntax
port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts }
undo port-security ntk-mode

View
Ethernet port view

Parameters
ntkonly: Allows the port to transmit only unicast packets with successfully-authenticated destination MAC addresses.
ntk-withbroadcasts: Allows the port to transmit broadcast packets and unicast packets with successfully-authenticated destination MAC addresses.
ntk-withmulticasts: Allows the port to transmit multicast packets, broadcast packets and unicast packets with successfully-authenticated destination MAC addresses.

Description
Use the port-security ntk-mode command to configure the NTK feature on the port.
Use the undo port-security ntk-mode command to restore the default setting.
By default, NTK is disabled on a port, namely all frames are allowed to be sent.

By checking the destination MAC addresses of the data frames to be sent from a port, the NTK feature ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.

Examples
# Set the NTK feature to ntk-withbroadcasts on Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security ntk-mode ntk-withbroadcasts

port-security oui

Syntax
port-security oui OUI-value index index-value
undo port-security oui index index-value

View
System view

Parameters
OUI-value: OUI value. You can input a 48-bit MAC address in the form of H-H-H for this argument and the system will take the first 24 bits as the OUI value and ignore the rest.
index-value: OUI index, ranging from 1 to 16.

The organizationally unique identifiers (OUIs) are assigned by the IEEE to different vendors. Each OUI uniquely identifies an equipment vendor in the world and is the higher 24 bits of a MAC address.

Description
Use the port-security oui command to set an OUI value for authentication.
Use the undo port-security oui command to cancel the OUI value setting.
By default, no OUI value is set for authentication.

- The OUI value set by this command takes effect only when the security mode of the port is set to userLoginWithOUI by the port-security port-mode command.
- The OUI value set by this command cannot be a multicast MAC address.

Related commands: port-security port-mode.
Examples
# Configure an OUI value of 00ef-ec00-0000, setting the OUI index to 5.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security oui 00ef-ec00-0000 index 5

port-security port-mode

Syntax
port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
undo port-security port-mode

View
Ethernet port view

Parameters
Table 1-3 describes the security mode keywords.

Table 1-3 Keyword description

| Keyword | Security mode | Description |
|---|---|---|
| autolearn | autolearn | In this mode, MAC addresses learned on the port become security MAC addresses. When the number of security MAC addresses exceeds the maximum number of MAC addresses configured by the port-security max-mac-count command, the port security mode changes to secure automatically. After that, no more security MAC addresses can be added to the port and only the packets whose source MAC addresses are the security MAC addresses or already configured dynamic MAC addresses can pass through the port. |
| mac-and-userlogin-secure | macAddressAndUserLoginSecure | In this mode, users trying to access the network through the port must first pass MAC address authentication and then 802.1x authentication. In this mode, only one user can access the network through the port at a time. |
| mac-and-userlogin-secure-ext | macAddressAndUserLoginSecureExt | This mode is similar to the macAddressAndUserLoginSecure mode, except that in this mode, more than one user can access the network through the port. |
| mac-authentication | macAddressWithRadius | In this mode, MAC address authentication is applied on users trying to access the network. |
| mac-else-userlogin-secure | macAddressElseUserLoginSecure | In this mode, MAC address authentication is first applied on users. If the authentication succeeds, the users can access the network successfully. If not, 802.1x authentication is applied. In this mode, only one 802.1x-authenticated user can access the network through the port. But at the same time, there can be more than one MAC-address-authenticated user on the port. |
| mac-else-userlogin-secure-ext | macAddressElseUserLoginSecureExt | This mode is similar to the macAddressElseUserLoginSecure mode, except that in this mode, there can be more than one 802.1x-authenticated user on the port. |
| secure | secure | In this mode, MAC address learning is disabled on the current port. Only packets whose source MAC addresses are security MAC addresses, already configured static or dynamic MAC addresses can pass through the port. |
| userlogin | userlogin | In this mode, 802.1x authentication is applied on users trying to access the network through the current port. |
| userlogin-secure | userLoginSecure | In this mode, MAC-based 802.1x authentication is applied on users trying to access the network through the port. The port will be enabled when the authentication succeeds and allow packets from authenticated users to pass through. In this mode, only one 802.1x-authenticated user can access the network through the port. When the security mode of the port changes from noRestriction to this mode, the old dynamic MAC address entries and authenticated MAC address entries kept on the port are deleted automatically. |
| userlogin-secure-ext | userLoginSecureExt | This mode is similar to the userLoginSecure mode, except that in this mode, there can be more than one 802.1x-authenticated user on the port. |
| userlogin-secure-or-mac | macAddressOrUserLoginSecure | MAC address authentication and 802.1x authentication can coexist on a port, with 802.1x authentication having higher priority. 802.1x authentication can be applied on users who have already passed MAC address authentication. However, users who have already passed 802.1x authentication do not need to go through MAC address authentication. In this mode, only one 802.1x-authenticated user can access the network through the port. However, there can be more than one MAC-address-authenticated user on the port. |
| userlogin-secure-or-mac-ext | macAddressOrUserLoginSecureExt | This mode is similar to the macAddressOrUserLoginSecure mode, except that in this mode, there can be more than one 802.1x-authenticated user on the port. |
| userlogin-withoui | userLoginWithOUI | Similar to the userLoginSecure mode, in this mode, there can be only one 802.1x-authenticated user on the port. However, the port also allows packets with the OUI address to pass through. When the security mode of the port changes from noRestriction to this mode, the old dynamic MAC address entries and authenticated MAC address entries kept on the port are deleted automatically. |

Description
Use the port-security port-mode command to set the security mode of the port.
Use the undo port-security port-mode command to restore the default mode.
By default, the port is in the noRestriction mode, namely access to the port is not restricted.

- Before setting the security mode to autolearn, you need to use the port-security max-mac-count command to configure the maximum number of MAC addresses allowed on the port.
- When a port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
- After setting the security mode to autolearn, you cannot configure static or blackhole MAC addresses on the port.
- When the port security mode is not noRestriction, you need to use the undo port-security port-mode command to change it back to noRestriction before you change the port security mode to other modes.
- Fabric devices do not support configuring the security mode to autolearn.

On a port configured with a security mode, you cannot do the following:
- Configure the maximum number of MAC addresses that can be learned.
- Configure the port as a reflector port for port mirroring.
- Configure the port as a Fabric port.
- Configure link aggregation.

Related commands: display port-security.

Examples
# Set the security mode of Ethernet 1/0/1 on the switch to userLogin.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security port-mode userlogin

port-security timer disableport

Syntax
port-security timer disableport timer
undo port-security timer disableport

View
System view

Parameters
timer: This argument ranges from 20 to 300, in seconds.

Description
Use the port-security timer disableport command to set the time during which the system temporarily disables a port.
Use the undo port-security timer disableport command to restore the default time.
By default, the system disables a port for 20 seconds.

The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.

Related commands: port-security intrusion-mode.

Examples
# Set the intrusion protection mode on Ethernet 1/0/1 to disableport-temporarily. It is required that when intrusion protection is triggered, the port be shut down temporarily and then go up 30 seconds later.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security timer disableport 30
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily

port-security trap

Syntax
port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }
undo port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

View
System view

Parameters
addresslearned: Enables/disables sending traps for MAC address learning events.
dot1xlogfailure: Enables/disables sending traps for 802.1x authentication failures.
dot1xlogoff: Enables/disables sending traps for 802.1x-authenticated user logoff events.
dot1xlogon: Enables/disables sending traps for 802.1x-authenticated user logon events.
intrusion: Enables/disables sending traps for detections of intrusion packets.
ralmlogfailure: Enables/disables sending traps for MAC authentication failures.
ralmlogoff: Enables/disables sending traps for MAC-authenticated user logoff events.
ralmlogon: Enables/disables sending traps for MAC-authenticated user logon events.

RADIUS authenticated login using MAC-address (RALM) refers to MAC-based RADIUS authentication.

Description
Use the port-security trap command to enable the sending of specified type(s) of trap messages.
Use the undo port-security trap command to disable the sending of specified type(s) of trap messages.
By default, the system disables the sending of any types of trap messages.

This command is based on the device tracking feature, which enables the switch to send trap messages when special data packets (generated by illegal intrusion, abnormal user logon/logoff, or other special activities) are passing through a port, so as to help the network administrator to monitor special activities.
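The settings covered in this chapter (security mode, intrusion mode, NTK, authorization and the intrusion trap) all show up in display port-security output, so a saved capture can be checked offline. The Python script below is an added example, not part of the H3C manual; the sample text is constructed, and its line layout and the noRestriction and "no action" display strings are assumptions.

```python
import re

# Constructed sample. Field names follow the manual's `display port-security`
# examples; the line breaks and the values for Ethernet1/0/2 are assumptions.
SAMPLE = """\
Equipment port-security is enabled
AddressLearn trap is Enabled
Disableport Timeout: 20 s
Blocked Mac info:
MAC ADDR          From Port        Vlan
--- On unit 1, 2 blocked mac address(es) found. ---
0000-0000-0003    Ethernet1/0/1    1
0000-0000-0004    Ethernet1/0/1    1
--- 2 blocked mac address(es) found. ---
Ethernet1/0/1 is link-up
 Port mode is Secure
 NeedtoKnow mode is disabled
 Intrusion mode is BlockMacaddress
 Max mac-address num is 2
 Stored mac-address num is 2
 Authorization is permit
Ethernet1/0/2 is link-up
 Port mode is noRestriction
 NeedtoKnow mode is disabled
 Intrusion mode is no action
 Max mac-address num is 0
 Stored mac-address num is 0
 Authorization is ignore
"""

PORT_HDR = re.compile(r"^(\S+) is (link-up|link-down)$")
FIELD = re.compile(r"^(Port mode|NeedtoKnow mode|Intrusion mode|Max mac-address num"
                   r"|Stored mac-address num|Authorization) is (.+)$")
TRAP = re.compile(r"^(.+) trap is Enabled$")
BLOCKED = re.compile(r"^([0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})\s+(\S+)\s+(\d+)$")


def parse(text):
    """Split the output into global state, per-port fields and blocked MACs."""
    state = {"enabled": False, "traps": set()}
    ports, blocked, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Equipment port-security is enabled":
            state["enabled"] = True
        elif TRAP.match(line):
            state["traps"].add(TRAP.match(line).group(1))
        elif BLOCKED.match(line):
            blocked.append(BLOCKED.match(line).groups())
        elif PORT_HDR.match(line):
            current = ports.setdefault(PORT_HDR.match(line).group(1), {})
        elif FIELD.match(line) and current is not None:
            key, value = FIELD.match(line).groups()
            current[key] = value.strip()
    return state, ports, blocked


def _num(port, key):
    value = port.get(key, "")
    return int(value) if value.isdigit() else 0


def audit(text):
    """Return (scope, finding) tuples for settings worth a second look."""
    state, ports, blocked = parse(text)
    findings = []
    if not state["enabled"]:
        findings.append(("global", "port security is not enabled"))
    # The manual's example lists only the traps that are enabled, so a
    # missing "Intrusion trap" line is treated as disabled (assumption).
    if "Intrusion" not in state["traps"]:
        findings.append(("global", "intrusion trap is not enabled"))
    for name in sorted(ports):
        port = ports[name]
        if port.get("Port mode", "").lower() == "norestriction":
            # Default mode: access is not restricted; report it on its own.
            findings.append((name, "port mode is noRestriction"))
            continue
        # BlockMacaddress and the disableport variants count as configured.
        intrusion = port.get("Intrusion mode", "").lower()
        if not intrusion.startswith(("blockmac", "disableport")):
            findings.append((name, "no intrusion protection action"))
        if port.get("NeedtoKnow mode", "").lower() == "disabled":
            findings.append((name, "NTK disabled"))
        if port.get("Authorization", "").lower() == "ignore":
            findings.append((name, "RADIUS authorization is ignored"))
        limit = _num(port, "Max mac-address num")
        stored = _num(port, "Stored mac-address num")
        if limit and stored >= limit:
            findings.append((name, "security MAC limit reached (%d/%d)" % (stored, limit)))
    for mac, port_name, vlan in blocked:
        findings.append((port_name, "blocked MAC %s in VLAN %s" % (mac, vlan)))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print("%-14s %s" % (scope, finding))
```

Blocked MAC entries are reported last because they are evidence that intrusion protection has already fired on that port, not a configuration gap.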
When you use the display port-security command to display global information, the system will display which types of trap messages are allowed to be sent.

Related commands: display port-security.

Examples
# Allow the sending of intrusion packet-detected trap messages.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security trap intrusion

# Use the display port-security command to display the related configuration information.
<Sysname> display port-security
Equipment port-security is enabled
Intrusion trap is Enabled
Disableport Timeout: 20 s
OUI value:
Ethernet1/0/1 is link-down
Port mode is AutoLearn
NeedtoKnow mode is needtoknowonly
Intrusion mode is disableportTemporarily
Max mac-address num is 4
Stored mac-address num is 0
Authorization is ignore

The rest of the information is omitted, if any.

For description of the output information, refer to Table 1-2.

2 Port Binding Commands

Port Binding Commands

am user-bind

Syntax
In system view:
am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number
undo am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number
In Ethernet port view:
am user-bind mac-addr mac-address ip-addr ip-address
undo am user-bind mac-addr mac-address ip-addr ip-address

View
System view, Ethernet port view

Parameters
interface interface-type interface-number: Specify the port to be bound. The interface-type interface-number arguments specify the port type and port number.
ip-addr ip-address: Specify the IP address to be bound.
mac-addr mac-address: Specify the MAC address to be bound. The mac-address argument is in the form of H-H-H.

Description
Use the am user-bind command to bind the MAC address and IP address of a user to a specified port.
Use the undo am user-bind command to cancel the binding.

After the binding, the switch forwards only the packets from the bound MAC address and IP address when received on the port.
By default, no user MAC address or IP address is bound to a port.

- An IP address can be bound with only one port at a time.
- A MAC address can be bound with only one port at a time.

Examples
# In system view, bind the MAC address 000f-e200-5101 and IP address 10.153.1.1 (supposing they are MAC and IP addresses of a legal user) to Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] am user-bind mac-addr 000f-e200-5101 ip-addr 10.153.1.1 interface Ethernet1/0/1

# In Ethernet port view, bind the MAC address 000f-e200-5102 and IP address 10.153.1.2 (supposing they are MAC and IP addresses of a legal user) to Ethernet 1/0/2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/2
[Sysname-Ethernet1/0/2] am user-bind mac-addr 000f-e200-5102 ip-addr 10.153.1.2

display am user-bind

Syntax
display am user-bind [ interface interface-type interface-number | ip-addr ip-address | mac-addr mac-address ]

View
Any view

Parameters
interface interface-type interface-number: Specify the port to be bound. The interface-type interface-number arguments indicate the port type and port number.
ip-addr ip-address: Specify the IP address to be bound.
mac-addr mac-address: Specify the MAC address to be bound. The mac-address argument is in the form of H-H-H.

Description
Use the display am user-bind command to display port binding information.
If no keyword is specified, this command displays all port bindings.

Related commands: am user-bind.

Examples
# Display all port bindings.
<Sysname> display am user-bind
Following User address bind have been configured:
Mac               IP            Port
000f-e200-5101    10.153.1.1    Ethernet1/0/1
000f-e200-5102    10.153.1.2    Ethernet1/0/2
Unit 1:Total 2 found, 2 listed.
Total: 2 found.

The above output displays that two port binding settings exist on unit 1:
- MAC address 000f-e200-5101 and IP address 10.153.1.1 are bound to Ethernet 1/0/1.
- MAC address 000f-e200-5102 and IP address 10.153.1.2 are bound to Ethernet 1/0/2.

Table of Contents
1 DLDP Configuration Commands
  DLDP Configuration Commands
    display dldp
    dldp
    dldp authentication-mode
    dldp interval
    dldp reset
    dldp unidirectional-shutdown
    dldp work-mode
    dldp delaydown-timer

1 DLDP Configuration Commands

DLDP Configuration Commands

display dldp

Syntax
display dldp { unit-id | interface-type interface-number }

View
Any view

Parameters
unit-id: Unit number of a device.
interface-type: Port type.
interface-number: Port number.

Description
Use the display dldp command to display the DLDP configuration of a unit or a port.

Examples
# Display the DLDP configuration of unit 1.
<Sysname> display dldp 1
dldp interval 10
dldp work-mode enhance
dldp authentication-mode md5, cipher is ;)<01%^&;YGQ=^Q`MAF4<1!!
dldp unidirectional-shutdown manual
dldp delaydown-timer 1
The port number of unit 1 with DLDP is 1.
interface GigabitEthernet1/1/1
dldp port state : advertisement
dldp link state : up
The neighbor number of the port is 1.
neighbor mac address : 000f-e20f-7205
neighbor port index : 372
neighbor state : two way
neighbor aged time : 12

Table 1-1 Description on the fields of the display dldp command

| Field | Description |
|---|---|
| dldp interval | Interval for sending DLDP advertisement packets |
| dldp work-mode | DLDP work mode |
| dldp authentication-mode | DLDP authentication mode |
| cipher | DLDP authentication password |
| dldp unidirectional-shutdown | DLDP action to be performed on detecting a unidirectional link |
| dldp delaydown-timer | Setting of the DelayDown timer |
| The port number of unit 1 with DLDP | Number of the DLDP-enabled ports on unit 1 |
| interface GigabitEthernet1/1/1 | Port type and port number |
| dldp port state | DLDP state of a port |
| dldp link state | DLDP link state |
| The neighbor number of the port | Number of the neighbor ports |
| neighbor mac address | MAC address of a neighbor port |
| neighbor port index | Neighbor port index |
| neighbor state | Neighbor state, which can be two way or unknown. |
| neighbor aged time | Neighbor aging time |

dldp

Syntax
dldp { enable | disable }

View
System view, Ethernet port view

Parameters
None

Description
In system view:
Use the dldp enable command to enable DLDP for all the optical ports.
Use the dldp disable command to disable DLDP for all the optical ports.
In Ethernet port view:
Use the dldp enable command to enable DLDP for the current port.
Use the dldp disable command to disable DLDP for the current port.
This command applies to non-optical ports as well as optical ports.
By default, DLDP is disabled.
When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently.

Examples
# Enable DLDP for all the optical ports of the switch.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dldp enable

# Enable DLDP on fiber-optic port GigabitEthernet 1/1/1.
[Sysname] interface GigabitEthernet 1/1/1
[Sysname-GigabitEthernet1/1/1] dldp enable

dldp authentication-mode

Syntax
dldp authentication-mode { none | simple simple-password | md5 md5-password }
undo dldp authentication-mode

View
System view

Parameters
none: Sets the authentication mode to none (performs no authentication).
simple: Sets the authentication mode to plain text.
simple-password: Authentication password in plain text, a string of 1 to 16 characters.
md5: Sets the authentication mode to MD5.
md5-password: MD5 authentication password, a string in plain text consisting of 1 to 16 characters or a string in cipher text corresponding to the string in plain text.

Description
Use the dldp authentication-mode command to set the DLDP authentication mode and password.
Use the undo dldp authentication-mode command to remove the DLDP authentication mode and password.
By default, the authentication mode is none.

- When you configure a DLDP authentication mode and authentication password on a port, make sure that the same DLDP authentication mode and password are set on both the local port and the peer port. Otherwise, DLDP authentication fails.
- DLDP cannot work before DLDP authentication succeeds.

Examples
# Set the DLDP authentication mode to plain text and the password to abc on the ports that connect devices A and B through fiber.
- Configure device A
<SysnameA> system-view
System View: return to User View with Ctrl+Z.
[SysnameA] dldp authentication-mode simple abc
- Configure device B
<SysnameB> system-view
System View: return to User View with Ctrl+Z.
[SysnameB] dldp authentication-mode simple abc

dldp interval

Syntax
dldp interval timer-value
undo dldp interval

View
System view

Parameters
timer-value: Interval for sending DLDP advertisement packets, in the range 1 to 100 (in seconds).

Description
Use the dldp interval command to set the interval for sending DLDP advertisement packets for all DLDP-enabled ports in the advertisement state.
Use the undo dldp interval command to restore the default.
By default, the interval for sending DLDP advertisement packets is 5 seconds.

Note that:
- The interval takes effect on all the DLDP-enabled ports.
- It is recommended that you set the interval shorter than one-third of the STP convergence time (usually 30 seconds). If too long an interval is set, an STP loop may occur before DLDP shuts down unidirectional links. On the contrary, if too short an interval is set, network traffic increases, unnecessarily consuming port bandwidth.

Examples
# Set the interval for sending DLDP advertisement packets to 6 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dldp interval 6

dldp reset

Syntax
dldp reset

View
System view, Ethernet port view

Parameters
None

Description
In system view:
Use the dldp reset command to reset the DLDP status of all the ports disabled by DLDP.
In Ethernet port view:
Use the dldp reset command to reset the DLDP status of the current port disabled by DLDP.

After the dldp reset command is executed, the DLDP status of a port changes from disable to active and DLDP restarts to detect the link status of the fiber cable or copper twisted pair.

Examples
# Reset the DLDP status of all the ports disabled by DLDP.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dldp reset

dldp unidirectional-shutdown

Syntax
dldp unidirectional-shutdown { auto | manual }
undo dldp unidirectional-shutdown

View
System view

Parameters
auto: Disables automatically the corresponding port when DLDP detects a unidirectional link or finds in the enhanced mode that the peer port is down.
manual: Prompts the user to disable manually the corresponding port when DLDP detects a unidirectional link or finds in the enhanced mode that the peer port is down.
After the port is disabled, it can only send and receive Recover Probe and Recover Echo packets.

Description
Use the dldp unidirectional-shutdown command to set the DLDP handling mode for unidirectional links.
Use the undo dldp unidirectional-shutdown command to restore the default DLDP handling mode.
By default, the DLDP handling mode after a unidirectional link is detected is auto.

Examples
# Configure DLDP to shut down the corresponding port on detecting a unidirectional link.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dldp unidirectional-shutdown auto

dldp work-mode

Syntax
dldp work-mode { enhance | normal }
undo dldp work-mode

View
System view

Parameters
enhance: Configures DLDP to work in enhanced mode. In this mode, DLDP detects whether neighbors exist when neighbor tables are aging.
normal: Configures DLDP to work in normal mode. In this mode, DLDP does not detect whether neighbors exist when neighbor tables are aging.

Description
Use the dldp work-mode command to set the DLDP operating mode.
Use the undo dldp work-mode command to restore the default DLDP operating mode.
By default, DLDP works in normal mode.

- When DLDP works in normal mode, the system can identify only the unidirectional links caused by fiber cross-connection.
- When the DLDP protocol works in enhanced mode, the system can identify two types of unidirectional links: one is caused by fiber cross-connection and the other is caused by one fiber being not connected or being disconnected.

Examples
# Configure DLDP to work in enhanced mode.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dldp work-mode enhance

dldp delaydown-timer

Syntax
dldp delaydown-timer delaydown-time
undo dldp delaydown-timer

View
System view

Parameters
delaydown-time: Delaydown timer to be set (in seconds). This argument ranges from 1 to 5.

Description
Use the dldp delaydown-timer command to set the delaydown timer.
Use the undo dldp delaydown-timer command to restore the default delaydown timer setting.
By default, the DelayDown timer is set to 1 second. A period of 5 seconds is recommended.

When a device in the active, advertisement, or probe DLDP state receives a port down message, it does not remove the corresponding neighbor immediately, nor does it transit to the inactive state. Instead, it transits to the delaydown state and starts the DelayDown timer. In delaydown state, the device retains the related DLDP neighbor information. When the DelayDown timer expires, the DLDP neighbor information is removed.

Examples
# Set the delaydown timer to 5 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dldp delaydown-timer 5

Table of Contents
1 MAC Address Table Management Configuration Commands
  MAC Address Table Management Configuration Commands
    display mac-address aging-time
    display mac-address
    display port-mac
    mac-address
    mac-address aging destination-hit enable
    mac-address max-mac-count
    mac-address timer
    port-mac

1 MAC Address Table Management Configuration Commands

- This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to the “Multicast Protocol” part of the manual.
- The function of destination MAC address triggered update was introduced. For detailed description, refer to the description of the command mac-address aging destination-hit enable.
- The function of assigning MAC addresses for Ethernet ports was introduced.
  For detailed description, refer to the description of the commands display port-mac and port-mac.

MAC Address Table Management Configuration Commands

display mac-address aging-time

Syntax
display mac-address aging-time

View
Any view

Parameters
None

Description
Use the display mac-address aging-time command to display the aging time of the dynamic MAC address entries in the MAC address table.

Related commands: mac-address, mac-address timer, display mac-address.

Examples
# Display the aging time of the dynamic MAC address entries.
<Sysname> display mac-address aging-time
Mac address aging time: 300s

The output information indicates that the aging time of the dynamic MAC address entries is 300 seconds.

<Sysname> display mac-address aging-time
Mac address aging time: no-aging

The output information indicates that dynamic MAC address entries do not age out.

display mac-address

Syntax
display mac-address [ display-option ]

View
Any view

Parameters
display-option: Option used to display specific MAC address table information, as described in Table 1-1.

Table 1-1 Description on the display-option argument

Value: mac-address [ vlan vlan-id ]
Description: Displays information about a specified MAC address entry.

Value: { static | dynamic | blackhole } [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
Description: Displays information about dynamic, static, or blackhole MAC address entries.

Value: interface interface-type interface-number [ vlan vlan-id ] [ count ]
Description: Displays information about the MAC address entries concerning a specified port.

Value: vlan vlan-id [ count ]
Description: Displays information about the MAC address entries concerning a specified VLAN.

Value: count
Description: Displays the total number of the MAC address entries maintained by the switch.

Value: statistics
Description: Displays statistics of the MAC address entries maintained by the switch.

mac-address: Specifies a MAC address, in the form of H-H-H.
static: Displays static MAC address entries.
dynamic: Displays dynamic MAC address entries.
blackhole: Displays blackhole MAC address entries.
interface-type interface-number: Specifies a port by its interface type and number; the MAC address entries of this port are displayed.
vlan-id: Specifies a VLAN by its ID, in the range of 1 to 4094; the MAC address entries in this VLAN are displayed.
count: Displays only the total number of the MAC address entries.
statistics: Displays statistics of the MAC address entries maintained by the switch.

Description
Use the display mac-address command to display information about MAC address entries in the MAC address table, including the MAC address, the VLAN and port corresponding to the MAC address, the type (static or dynamic) of a MAC address entry, whether a MAC address is within the aging time, and so on.

Examples
# Display information about MAC address 000f-e20f-0101.
<Sysname> display mac-address 000f-e20f-0101
MAC ADDR        VLAN ID  STATE    PORT INDEX     AGING TIME(s)
000f-e20f-0101  1        Learned  Ethernet1/0/1  AGING

# Display the MAC address entries for the port Ethernet 1/0/4.
<Sysname> display mac-address interface Ethernet 1/0/4
MAC ADDR        VLAN ID  STATE    PORT INDEX     AGING TIME(s)
000d-88f6-44ba  1        Learned  Ethernet1/0/4  AGING
000d-88f7-9f7d  1        Learned  Ethernet1/0/4  AGING
000d-88f7-b094  1        Learned  Ethernet1/0/4  AGING
000f-e200-00cc  1        Learned  Ethernet1/0/4  AGING
000f-e200-2201  1        Learned  Ethernet1/0/4  AGING
000f-e207-f2e0  1        Learned  Ethernet1/0/4  AGING
000f-e209-ecf9  1        Learned  Ethernet1/0/4  AGING

--- 7 mac address(es) found on port Ethernet1/0/4 ---

# Display the total number of MAC address entries for VLAN 2.
<Sysname> display mac-address vlan 2 count
9 mac address(es) found in vlan 2

Table 1-2 Description on the fields of the display mac-address command

Field: MAC ADDR
Description: MAC address

Field: VLAN ID
Description: ID of the VLAN to which the network device identified by the MAC address belongs

Field: STATE
Description: The state of the MAC address entry, which can be one of the following:
- Config static: Indicates a manually configured static address entry.
- Learned: Indicates a dynamically learnt address entry.
- Config dynamic: Indicates a manually configured dynamic address entry.
- Blackhole: Indicates a blackhole entry.

Field: PORT INDEX
Description: Outgoing port out of which the traffic destined for the MAC address should be sent.

Field: AGING TIME(s)
Description: Indicates whether the MAC address entry is aging. AGING indicates that the entry is aging; NOAGED indicates that the entry will never age out.

display port-mac

Syntax
display port-mac

View
Any view

Parameters
None

Description
Use the display port-mac command to display the configured start port MAC address for the Ethernet ports on the switch, that is, the MAC address of Ethernet 1/0/1.
Related commands: port-mac.

Examples
# Display the start port MAC address.
<Sysname> display port-mac
Port MAC start address : 000f-e200-0001

mac-address

Syntax
- In system view:
mac-address { static | dynamic | blackhole } mac-address interface interface-type interface-number vlan vlan-id
undo mac-address [ mac-address-attribute ]
- In Ethernet port view:
mac-address { static | dynamic | blackhole } mac-address vlan vlan-id
undo mac-address { static | dynamic | blackhole } mac-address vlan vlan-id

View
System view, Ethernet port view

Parameters
static: Specifies a static MAC address entry.
dynamic: Specifies a dynamic MAC address entry.
blackhole: Specifies a blackhole MAC address entry.
mac-address: Specifies a MAC address, in the form of H-H-H. When entering the MAC address, you can omit the leading 0s in each segment. For example, you can input f-e2-1 for 000f-00e2-0001.
interface-type interface-number: Specifies the outgoing port by its type and number for the MAC address. All traffic destined for the MAC address will be sent out the port.
vlan-id: Specifies a VLAN ID, in the range of 1 to 4094. The VLAN must already exist.
mac-address-attribute: Specifies the criteria for removing MAC address entries. Available syntax options for the argument are described in Table 1-3.

Table 1-3 Available syntax options for the mac-address-attribute argument

Syntax: { static | dynamic | blackhole } interface interface-type interface-number
Description: Removes the static, dynamic, or blackhole MAC address entries concerning a specified port.

Syntax: { static | dynamic | blackhole } vlan vlan-id
Description: Removes the static, dynamic, or blackhole MAC address entries concerning a specified VLAN.

Syntax: { static | dynamic | blackhole } mac-address [ interface interface-type interface-number ] vlan vlan-id
Description: Removes a specified static, dynamic, or blackhole MAC address entry.

Syntax: interface interface-type interface-number
Description: Removes all the MAC address entries concerning a specified port.

Syntax: vlan vlan-id
Description: Removes all the MAC address entries concerning a specified VLAN.

Syntax: mac-address [ interface interface-type interface-number ] vlan vlan-id
Description: Removes a specified MAC address entry.

Description
Use the mac-address command to add or modify a MAC address entry.
Use the undo mac-address command to remove one or more MAC address entries.
A MAC address entry configured with the mac-address command in Ethernet port view takes the current Ethernet port as the outgoing port.
If the MAC address you input in the mac-address command already exists in the MAC address table, the system will modify the attributes of the corresponding MAC address entry according to your settings in the command.
You can remove all unicast MAC address entries on a port, or remove a specific type of MAC address entries, such as the addresses learnt by the system, dynamic or static MAC address entries configured, or blackhole addresses.

Examples
# Configure a static MAC address entry with the following settings:
- MAC address: 000f-e20f-0101
- Outbound port: Ethernet 1/0/1 port
- Ethernet 1/0/1 port belongs to VLAN 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-address static 000f-e20f-0101 interface Ethernet 1/0/1 vlan 2

mac-address aging destination-hit enable

Syntax
mac-address aging destination-hit enable
undo mac-address aging destination-hit enable

View
System view

Parameters
None

Description
Use the mac-address aging destination-hit enable command to enable the destination MAC address triggered update function.
Use the undo mac-address aging destination-hit enable command to disable the function.
With the destination MAC address triggered update function, the switch, when forwarding packets, updates the MAC address entries for the destination MAC addresses. This increases the MAC address table update frequency, improves the usability of the MAC address table, and reduces broadcasts.
By default, the destination MAC address triggered update function is disabled.

Examples
# Enable destination MAC address triggered update.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-address aging destination-hit enable

mac-address max-mac-count

Syntax
mac-address max-mac-count count
undo mac-address max-mac-count

View
Ethernet port view

Parameters
count: Maximum number of MAC addresses a port can learn. This argument ranges from 0 to 4096. A value of 0 disables the port from learning MAC addresses.

Description
Use the mac-address max-mac-count command to set the maximum number of MAC addresses an Ethernet port can learn.
Use the undo mac-address max-mac-count command to cancel the limitation on the number of MAC addresses an Ethernet port can learn.
By default, the number of MAC addresses an Ethernet port can learn is unlimited.
When you use the mac-address max-mac-count command, the port stops learning MAC addresses after the number of MAC addresses it has learned reaches the value of the count argument you provided. You can use the undo command to cancel this limit so that the port can learn MAC addresses without the number limitation.
By default, no limit is set on the number of MAC addresses a port can learn.
To prevent unauthorized devices from accessing the network through a port, you can configure static MAC addresses and disable MAC address learning for the port. Thus, only the packets destined for the configured MAC addresses can be forwarded out the port.
Related commands: mac-address, mac-address timer.

Examples
# Set the maximum number of MAC addresses Ethernet 1/0/3 port can learn to 600.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/3
[Sysname-Ethernet1/0/3] mac-address max-mac-count 600

mac-address timer

Syntax
mac-address timer { aging age | no-aging }
undo mac-address timer aging

View
System view

Parameters
aging age: Specifies the aging time (in seconds) for dynamic MAC address entries. The age argument ranges from 10 to 1000000.
no-aging: Specifies not to age dynamic MAC address entries.

Description
Use the mac-address timer command to set the MAC address aging timer.
Use the undo mac-address timer command to restore the default.
The default MAC address aging timer is 300 seconds. The timer applies only to dynamic address entries, including both learnt and configured entries.
Setting an appropriate MAC address aging timer is important for the switch to run efficiently.
- If the aging timer is set too short, MAC address entries that are still valid may be removed. Upon receiving a packet destined for a MAC address that has already been removed, the switch broadcasts the packet through all its ports in the VLAN to which the packet belongs. This decreases the operating performance of the switch.
- If the aging timer is set too long, MAC address entries may still exist even after they become invalid. The switch is then unable to update its MAC address table in time, and the table cannot reflect the position changes of network devices in time.
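
The learning limit, the static-entry lockdown and the aging indicator described above can be checked against captured display mac-address output. The following Python sketch is an added example, not part of the H3C manual; the policy format, the finding names and the sample output are constructed for illustration.

```python
import re
from collections import defaultdict

# One data row of "display mac-address": MAC ADDR, VLAN ID, STATE, PORT INDEX,
# AGING TIME(s). Two of the STATE values listed in Table 1-2 contain a space.
ROW = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{1,4}(?:-[0-9A-Fa-f]{1,4}){2})\s+(?P<vlan>\d+)\s+"
    r"(?P<state>Config\s+static|Config\s+dynamic|Learned|Blackhole)\s+"
    r"(?P<port>\S+)\s+(?P<aging>AGING|NOAGED)$"
)


def normalize_mac(text):
    """Expand an H-H-H address; the CLI accepts f-e2-1 for 000f-00e2-0001."""
    parts = text.strip().lower().split("-")
    if len(parts) != 3 or not all(re.fullmatch(r"[0-9a-f]{1,4}", p) for p in parts):
        raise ValueError(f"not an H-H-H MAC address: {text!r}")
    return "-".join(p.zfill(4) for p in parts)


def parse_mac_table(output):
    """Return one dict per table row; prompts, headers and summaries are skipped."""
    entries = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            entries.append({
                "mac": normalize_mac(m["mac"]),
                "vlan": int(m["vlan"]),
                "state": " ".join(m["state"].split()),
                "port": m["port"],
                "ages": m["aging"] == "AGING",
            })
    return entries


def audit(entries, policy):
    """Compare the table with intended per-port settings (hypothetical format).

    policy maps a port name to {"max_mac_count": int, "static": [H-H-H, ...]},
    mirroring what was configured with mac-address max-mac-count / mac-address static.
    """
    learned, static = defaultdict(list), defaultdict(set)
    for e in entries:
        if e["state"] == "Learned":
            learned[e["port"]].append(e)
        elif e["state"] == "Config static":
            static[e["port"]].add(e["mac"])

    findings = []
    for port in sorted(policy):
        rule = policy[port]
        limit = rule.get("max_mac_count")
        macs = sorted(e["mac"] for e in learned[port])
        if limit == 0 and macs:
            # Learning is disabled on this port, yet learned entries exist.
            findings.append((port, "learned-on-locked-port", macs))
        elif limit and len(macs) >= limit:
            # The port has stopped learning; further devices will not be added.
            findings.append((port, "at-learning-limit", macs))
        stuck = sorted(e["mac"] for e in learned[port] if not e["ages"])
        if stuck:
            # NOAGED on a learned entry: it stays even if the device moves.
            findings.append((port, "learned-entry-never-ages", stuck))
        for mac in map(normalize_mac, rule.get("static", [])):
            if mac not in static[port]:
                findings.append((port, "static-entry-missing", [mac]))
    return findings


# Constructed sample output, laid out like the manual's examples.
SAMPLE = """\
<Sysname> display mac-address
MAC ADDR        VLAN ID  STATE          PORT INDEX      AGING TIME(s)
000f-e20f-0101  2        Config static  Ethernet1/0/1   NOAGED
000d-88f6-44ba  2        Learned        Ethernet1/0/1   AGING
000d-88f7-9f7d  1        Learned        Ethernet1/0/3   AGING
000d-88f7-b094  1        Learned        Ethernet1/0/3   AGING
000f-e200-00cc  1        Learned        Ethernet1/0/4   AGING
000f-e209-ecf9  1        Learned        Ethernet1/0/4   NOAGED

---  6 mac address(es) found  ---
"""

# Constructed policy; static addresses may be written in the short H-H-H form.
POLICY = {
    "Ethernet1/0/1": {"max_mac_count": 0, "static": ["f-e20f-101", "f-e2-1"]},
    "Ethernet1/0/3": {"max_mac_count": 2},
    "Ethernet1/0/4": {"max_mac_count": 600},
}

if __name__ == "__main__":
    for port, finding, macs in audit(parse_mac_table(SAMPLE), POLICY):
        print(f"{port}: {finding}: {', '.join(macs)}")
```

Rows that do not match the five-column layout are skipped, so compare the number of parsed entries with the count in the summary line before trusting the result.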

Examples
# Set the aging time of MAC address entries to 500 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-address timer aging 500

port-mac

Syntax
port-mac start-mac-address
undo port-mac

View
System view

Parameters
start-mac-address: Start MAC address for the Ethernet ports on the switch, in the format of H-H-H. It must be a valid unicast address.

Description
Use the port-mac command to configure the start MAC address for the Ethernet ports on the device. This MAC address is assigned to port Ethernet 1/0/1, and is called the start port MAC address.
Use the undo port-mac command to remove the configuration.

Examples
# Set the start port MAC address to 000f-e200-0001.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-mac 000f-e200-0001

Table of Contents

1 Auto Detect Configuration Commands
    Auto Detect Configuration Commands
        detect-group
        detect-list
        display detect-group
        ip route-static detect-group
        option
        retry
        standby detect-group
        timer loop
        timer wait
        vrrp vrid track detect-group

1 Auto Detect Configuration Commands

Auto Detect Configuration Commands

- Refer to the Routing Protocol part of the manual for information about static routing.
- Refer to the VRRP part of the manual for information about VRRP.

detect-group

Syntax
detect-group group-number
undo detect-group group-number

View
System view

Parameters
group-number: Detected group number ranging from 1 to 25.

Description
Use the detect-group command to create a detected group and enter detected group view.
Use the undo detect-group command to remove a detected group.
When a detected group is used by applications, the detected group cannot be deleted unless you delete the applications first.

Examples
# Create detected group 10.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] detect-group 10
[Sysname-detect-group-10]

detect-list

Syntax
detect-list list-number ip address ip-address [ nexthop ip-address ]
undo detect-list list-number

View
Detected group view

Parameters
list-number: Sequence number of the IP address to be detected. This argument ranges from 1 to 10.
ip address ip-address: Specifies the destination IP address (in dotted decimal notation) to be detected.
nexthop ip-address: Specifies the next hop IP address for Auto Detect.

Description
Use the detect-list command to add a detected object to a detected group and specify the detection sequence number of the detected object.
Use the undo detect-list command to remove a specified detected object.
When performing Auto Detect, a switch detects the configured detected objects in the order specified by their sequence numbers.
If you have configured multiple detected objects, you can use the option command to set the logical relationships between the detected objects.
Related commands: option.

Examples
# Add the detected object 202.13.1.55 to detected group 10, with the detection sequence number set to 1, and the next hop IP address set to 1.2.3.4.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] detect-group 10
[Sysname-detect-group-10] detect-list 1 ip address 202.13.1.55 nexthop 1.2.3.4

display detect-group

Syntax
display detect-group [ group-number ]

View
Any view

Parameters
group-number: Detected group number ranging from 1 to 25.

Description
Use the display detect-group command to display the configuration of the specified detected group or all detected groups.

Examples
# Display the configuration of detected group 1.
<Sysname> display detect-group 1
detect-group 1 :
  detect loop time(s) : 15
  ping wait time(s) : 2
  detect retry times : 2
  detect ip option : and
  group state : not detecting
  register module num : 0
  detect ip count : 1
  detect-list  ip address   next hop
  1            202.13.1.55  1.2.3.4

Table 1-1 Description on the fields of the display detect-group command

Field: detect-group 1
Description: Detected group number 1

Field: detect loop time(s)
Description: Detecting interval, in seconds.

Field: ping wait time(s)
Description: Timeout time of a ping operation, in seconds.

Field: detect retry times
Description: Number of retries of an auto detect operation.

Field: detect ip option
Description: The logic relationship between the detected objects in the detected group. It can be and or or.

Field: group state
Description: Current state of the detected group

Field: register module num
Description: Number of registered modules (that is, the number of the modules utilizing the detected group).

Field: detect ip count
Description: Number of the IP addresses contained in a detected group

Field: detect-list
Description: Sequence number of an IP address contained in a detected group

Field: ip address
Description: IP address to be detected

Field: next hop
Description: Next hop IP address

ip route-static detect-group

Syntax
ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-hop } [ preference preference-value ] [ reject | blackhole ] detect-group group-number
undo ip route-static ip-address { mask | mask-length } [ interface-type interface-number | next-hop ] [ preference preference-value ]

View
System view

Parameters
ip-address: IP address in dotted decimal notation.
mask: Subnet mask.
mask-length: Length of the subnet mask, that is, the number of successive bits in the subnet mask whose values are 1.
interface-type interface-number: Interface type and interface number.
next-hop: Next hop IP address in dotted decimal notation.
preference-value: Priority of the route. This argument ranges from 1 to 255.
reject: Specifies the route to be unreachable. If you specify this keyword when executing this command, any packet destined for the specified IP address is discarded, and the system informs the source that the destination is unreachable.
blackhole: Specifies the route to be a blackhole route. If you specify this keyword when executing this command, all outbound interfaces of the static route are the NULL 0 interfaces regardless of the next hop. In addition, the system discards any packet transmitted along this route without informing the source.
group-number: Detected group number ranging from 1 to 25.

Description
Use the ip route-static detect-group command to configure a static route, whose validity depends on detecting results as follows:
- The route is valid when the detecting result is reachable.
- The route is invalid when the detecting result is unreachable.
Use the undo ip route-static command to remove an existing static route.

Examples
# Configure a static route to 192.168.1.5/24 with 192.168.0.2 as the next hop, and control the static route validity using the detecting result of detected group 10.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip route-static 192.168.1.5 24 192.168.0.2 detect-group 10
After the configuration, if detected group 10 is reachable, the static route is valid; if detected group 10 is unreachable, the static route is invalid.

option

Syntax
option [ and | or ]
undo option

View
Detected group view

Parameters
and: Specifies the relationship between detected objects as logic AND, which means that the detecting result is reachable only when all the detected objects contained in the detected group are reachable.
or: Specifies the relationship between detected objects as logic OR, which means that the detecting result is reachable if one of the detected objects contained in the detected group is reachable.

Description
Use the option command to specify the way to generate detecting results.
Use the undo option command to restore the default way to generate detecting results.
By default, the relationship between the detected objects is and.
When a detecting operation is being carried out, the switch detects each detected object contained in the detected group in turn, in the order of their sequence numbers.
- If you specify the and keyword, the switch returns reachable as the detecting result only if all the detected objects in the detected group are detected reachable.
- If you specify the or keyword, the switch returns reachable as the detecting result as soon as one of the detected objects in the detected group is detected reachable, and the remaining detected objects are not detected.

Examples
# Specify the relationship between the three detected objects in detected group 10 as or.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] detect-group 10
[Sysname-detect-group-10] detect-list 1 ip address 202.13.1.55 nexthop 1.2.3.4
[Sysname-detect-group-10] detect-list 2 ip address 202.13.1.56 nexthop 1.2.3.4
[Sysname-detect-group-10] detect-list 3 ip address 202.13.1.57 nexthop 1.2.3.4
[Sysname-detect-group-10] option or
After the configuration, if one of the three detected objects is reachable, the system will consider detected group 10 reachable.

retry

Syntax
retry retry-times
undo retry

View
Detected group view

Parameters
retry-times: Maximum retry times during a detect operation. This argument ranges from 0 to 10 and defaults to 2.

Description
Use the retry command to set the maximum retry times during a detect operation.
Use the undo retry command to restore the default times.
By default, the maximum retry times during a detect operation is two.

Examples
# Set the maximum number of retries to 3 for detected group 10.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] detect-group 10
[Sysname-detect-group-10] retry 3

standby detect-group

Syntax
standby detect-group group-number
undo standby detect-group

View
VLAN interface view

Parameters
group-number: Detected group number ranging from 1 to 25.

Description
Use the standby detect-group command to configure the interface backup function by using the auto detect function.
Use the undo standby detect-group command to disable the interface backup function.
After you configure the standby detect-group command, whether the backup interface is enabled depends on the auto detecting results:
- The primary interface remains in use when the detected group is reachable.
- The backup interface is enabled when the detected group is unreachable.
- The backup interface is disabled and the primary interface is re-enabled when the link between the primary interface and the destination resumes, that is, the detected group is reachable again.

Examples
# Enable VLAN-interface 2 (the backup interface) when detected group 10 is unreachable.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] standby detect-group 10
After the configuration, if detected group 10 is reachable, the backup interface VLAN-interface 2 will be in the disabled state, and if detected group 10 is unreachable, VLAN-interface 2 will be enabled.

timer loop

Syntax
timer loop interval
undo timer loop

View
Detected group view

Parameters
interval: Detecting interval. This argument ranges from 1 to 86,400 (in seconds) and defaults to 15.

Description
Use the timer loop command to set the detecting interval, that is, the frequency to perform auto detect operations.
Use the undo timer loop command to restore the default.
By default, auto detect operations are performed on all detected groups every 15 seconds.

Examples
# Set the detecting interval to 60 seconds for detected group 10.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] detect-group 10
[Sysname-detect-group-10] timer loop 60

timer wait

Syntax
timer wait seconds
undo timer wait

View
Detected group view

Parameters
seconds: Timeout waiting for an ICMP reply. This argument ranges from 1 to 30 (in seconds) and defaults to 2.

Description
Use the timer wait command to set a timeout waiting for an ICMP reply.
Use the undo timer wait command to restore the default.
By default, the timeout waiting for an ICMP reply in an auto detect operation is 2 seconds.

Examples
# Set a timeout of 3 seconds waiting for an ICMP reply in detected group 10.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] detect-group 10
[Sysname-detect-group-10] timer wait 3

vrrp vrid track detect-group

Syntax
vrrp vrid virtual-router-id track detect-group group-number [ reduced value-reduced ]
undo vrrp vrid virtual-router-id track detect-group [ group-number ]

View
VLAN interface view

Parameters
virtual-router-id: Virtual router ID ranging from 1 to 255.
group-number: Detected group number ranging from 1 to 25.
value-reduced: Value by which the priority is to be reduced. This argument ranges from 1 to 255 and defaults to 10.

Description
Use the vrrp vrid track detect-group command to specify an auto detected group for a VRRP group.
Use the undo vrrp vrid track detect-group command to cancel the configuration.
You can enable Auto Detect on the master switch in a VRRP group, use the Auto Detect function to detect the links from the master to other networks, and use the detection results (reachable/unreachable) to control the priority of the master, so as to realize the automatic master-backup switchover:
- The master remains the master when the detected group is reachable.
- The priority of the master decreases, and the master thus becomes a backup, when the detected group is unreachable.
Currently, auto detect in VRRP is only supported in S3600-EI series Ethernet switches.

Examples
# Decrease the priority of the master switch in VRRP group 1 by 20 when detected group 10 is unreachable.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] vrrp vrid 1 track detect-group 10 reduced 20
After this configuration, if detected group 10 is reachable, the master remains the master, and if detected group 10 is unreachable, the master decreases its priority by 20 and becomes a backup.
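
The Auto Detect commands in this chapter combine into one decision: a detected group yields reachable or unreachable, and static routes, backup interfaces and VRRP priority follow that result. The following Python model is an added example, not H3C code; the probe stand-in, the VRRP priorities 110 and 100, and the reading of retry as "one probe plus up to retry repeats" are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class DetectGroup:
    """Model of one detected group; defaults follow the manual (option and, retry 2)."""
    objects: dict          # detect-list sequence number -> destination IP address
    option: str = "and"
    retry: int = 2

    def _object_reachable(self, ip, probe):
        # Assumption: one probe plus up to `retry` repeats, stopping at the
        # first answered probe. The manual only gives the range of retry-times.
        return any(probe(ip) for _ in range(1 + self.retry))

    def evaluate(self, probe):
        """Detect objects in sequence-number order; return (reachable, ips_probed)."""
        if not self.objects:
            raise ValueError("detected group contains no detected objects")
        probed, results = [], []
        for seq in sorted(self.objects):
            ip = self.objects[seq]
            probed.append(ip)
            ok = self._object_reachable(ip, probe)
            results.append(ok)
            if self.option == "or" and ok:
                return True, probed      # remaining objects are not detected
        if self.option == "or":
            return False, probed
        # For "and" this model probes every object; the result is the same
        # whether or not the switch stops at the first unreachable one.
        return all(results), probed


def consumers(reachable, vrrp_priority, reduced=10, peer_priority=100):
    """State of the three features that can reference a detected group.

    peer_priority is the priority of the other VRRP router (constructed value);
    equal priorities are not modelled.
    """
    effective = vrrp_priority if reachable else vrrp_priority - reduced
    return {
        "static_route_valid": reachable,            # ip route-static ... detect-group
        "backup_interface_enabled": not reachable,  # standby detect-group
        "vrrp_priority": effective,                 # vrrp vrid ... track detect-group
        "stays_master": effective > peer_priority,
    }


def make_probe(up, log):
    """Constructed stand-in for the ICMP probe: answers only for addresses in `up`."""
    def probe(ip):
        log.append(ip)
        return ip in up
    return probe


# The three detected objects from the option example in this chapter.
OBJECTS = {1: "202.13.1.55", 2: "202.13.1.56", 3: "202.13.1.57"}


def scenario(option, up, reduced):
    """Run one detect operation; return (reachable, probed, probe_count, states)."""
    log = []
    group = DetectGroup(dict(OBJECTS), option=option)
    reachable, probed = group.evaluate(make_probe(up, log))
    return reachable, probed, len(log), consumers(reachable, 110, reduced)


if __name__ == "__main__":
    for option, up, reduced in [
        ("or", {"202.13.1.57"}, 20),   # one object answers: group reachable
        ("and", {"202.13.1.57"}, 20),  # same network state: group unreachable
        ("and", set(), 5),             # unreachable, but reduction too small
    ]:
        print(option, sorted(up), reduced, scenario(option, up, reduced))
```

The last scenario shows why the reduced value matters: with a constructed master priority of 110 and a peer at 100, a reduction of 5 leaves the master at 105, so no switchover occurs even though the detected group is unreachable.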

Table of Contents

1 MSTP Configuration Commands
    MSTP Configuration Commands
        active region-configuration
        bpdu-drop any
        check region-configuration
        display stp
        display stp abnormalport
        display stp portdown
        display stp region-configuration
        display stp root
        instance
        region-name
        reset stp
        revision-level
        stp
        stp bpdu-protection
        stp bridge-diameter
        stp compliance
        stp config-digest-snooping
        stp cost
        stp dot1d-trap
        stp edged-port
        stp interface
        stp interface compliance
        stp interface config-digest-snooping
        stp interface cost
        stp interface edged-port
        stp interface loop-protection
        stp interface mcheck
        stp interface no-agreement-check
        stp interface point-to-point
        stp interface port priority
        stp interface root-protection
        stp interface transmit-limit
        stp loop-protection
        stp max-hops
        stp mcheck
        stp mode
        stp no-agreement-check
        stp pathcost-standard
        stp point-to-point
        stp port priority
        stp portlog
        stp portlog all
        stp priority
        stp region-configuration
        stp root primary
        stp root secondary
        stp root-protection
        stp tc-protection
        stp tc-protection threshold
        stp timer forward-delay
        stp timer hello
        stp timer max-age
        stp timer-factor
        stp transmit-limit
        vlan-mapping modulo
        vlan-vpn tunnel

1 MSTP Configuration Commands

The following commands were added:
- The commands concerning STP maintenance. Refer to stp portlog and stp portlog all.
- The commands for displaying information about STP. Refer to display stp abnormalport, display stp portdown, and display stp root.
- The command concerning sending trap messages conforming to 802.1d standard. Refer to stp dot1d-trap.

MSTP Configuration Commands

active region-configuration

Syntax
active region-configuration

View
MST region view

Parameters
None

Description
Use the active region-configuration command to activate the settings of a multiple spanning tree (MST) region.
Configuring MST region-related parameters (especially the VLAN-to-MSTI mapping table) is likely to cause network topology jitter. To reduce network topology jitter caused by the configuration, multiple spanning tree protocol (MSTP) does not recalculate spanning trees immediately after the configuration; it does this only after you activate the new MST region-related settings or enable MSTP, and only then do the new settings take effect.
When you carry out this command, MSTP will replace the currently running MST region-related parameters with the parameters you have just configured and will perform spanning tree recalculation.

Related commands: instance, region-name, revision-level, vlan-mapping modulo, check region-configuration.

Examples
# Activate the MST region-related settings.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] stp region-configuration
    [Sysname-mst-region] active region-configuration

bpdu-drop any

Syntax
    bpdu-drop any
    undo bpdu-drop any

View
Ethernet port view

Parameters
None

Description
Use the bpdu-drop any command to enable BPDU dropping on the Ethernet port.
Use the undo bpdu-drop any command to disable BPDU dropping on the Ethernet port.
By default, BPDU dropping is disabled.

In an STP-enabled network, some users may send BPDU packets to the switch continuously in order to disrupt the network. When a switch receives the BPDU packets, it will forward them to other switches. As a result, STP calculation is performed repeatedly, which may occupy too much CPU of the switches or cause errors in the protocol state of the BPDU packets.

In order to avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is enabled on a port, the port will not receive or forward any BPDU packets. In this way, the switch is protected against the BPDU packet attack and the STP calculation correctness is ensured.

Examples
# Enable BPDU dropping on Ethernet 1/0/1.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] bpdu-drop any

check region-configuration

Syntax
    check region-configuration

View
MST region view

Parameters
None

Description
Use the check region-configuration command to display the MST region-related configuration which is being modified currently, including region name, revision level, and VLAN-to-MSTI mapping table.
As specified in the MSTP protocol, the configurations of MST regions must be correct, especially the VLAN-to-MSTI mapping table. MSTP-enabled switches are in the same region only when they have the same format selector (an 802.1s-defined protocol selector, which is 0 by default and cannot be configured), region name, VLAN-to-MSTI mapping table, and revision level. A switch cannot be in the expected region if any of the four MST region-related parameters mentioned above is not consistent with those of another switch in the region.

The H3C series support only the MST region name, VLAN-to-MSTI mapping table, and revision level. Switches with the same settings for these parameters are assigned to the same MST region.

This command is used to display the configuration information of inactivated MST regions. You can use this command to find the MST region the switch currently belongs to or to check whether the MST region-related configuration is correct.

Related commands: instance, region-name, revision-level, vlan-mapping modulo, active region-configuration.

Examples
# Display the MST region-related configuration.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] stp region-configuration
    [Sysname-mst-region] check region-configuration
     Admin Configuration
       Format selector :0
       Region name     :00e0fc003600
       Revision level  :0

       Instance   Vlans Mapped
          0       1 to 9, 11 to 4094
         16       10

Table 1-1 Description on the fields of the check region-configuration command

Field | Description
Format selector | The selector specified by MSTP
Region name | The name of the MST region
Revision level | The revision level of the MST region
Instance Vlans Mapped | VLAN-to-MSTI mappings in the MST region

display stp

Syntax
    display stp [ instance instance-id ] [ interface interface-list | slot slot-number ] [ brief ]

View
Any view

Parameters
instance-id: ID of the MSTI ranging from 0 to 16. The value of 0 refers to the common and internal spanning tree (CIST).
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
slot slot-number: Specifies a slot whose STP-related information is to be displayed.
brief: Displays only port state and protection measures taken on the port.

Description
Use the display stp command to display the state and statistical information about one or all spanning trees.

The state and statistical information about MSTP can be used to analyze and maintain the topology of a network. It can also be used to make MSTP operate properly.

- If neither MSTI nor port list is specified, the command displays spanning tree information about all MSTIs on all ports in the order of port number.
- If only one MSTI is specified, the command displays information about the specified MSTI on all ports in the order of the port number.
- If only a port list is specified, the command displays information about all MSTIs on these ports in the order of the port numbers.
- If both an MSTI ID list and a port list are specified, the command displays spanning tree information about the specified MSTIs and the specified ports in the order of MSTI ID.

MSTP state information includes:

1) Global CIST parameters: Protocol operating mode, switch priority in the CIST instance, MAC address, hello time, max age, forward delay, max hops, the common root of the CIST, the external path cost for the switch to reach the CIST common root, region root, the internal path cost for the switch to reach the region root, CIST root port of the switch, the state of the BPDU guard function (enabled or disabled), the state of the digest snooping feature (enabled or disabled), and the state of the TC-BPDU attack guard function (enabled or disabled).
2) CIST port parameters: Port protocol, port role, port priority, path cost, designated bridge, designated port, edge port/non-edge port, whether or not the link on a port is a point-to-point link, format of the MST BPDUs that the port can send, the maximum transmitting speed, type of the enabled guard function, state of the digest snooping feature (enabled or disabled), VLAN mappings, hello time, max age, forward delay, Message-age time, and remaining hops.
3) Global MSTI parameters: MSTI instance ID, bridge priority of the instance, region root, internal path cost, MSTI root port, master bridge, and external path cost.
4) MSTI port parameters: Port state, role, priority, path cost, designated bridge, designated port, remaining hops, and the number of VLANs mapped to the current MSTI.

The statistical information includes: the numbers of the TCN BPDUs, the configuration BPDUs, the RST BPDUs, and the MST BPDUs transmitted/received by each port.

Related commands: reset stp.

Examples
# Display the brief state information of MSTI 0 on Ethernet 1/0/1 through Ethernet 1/0/4.

    <Sysname> display stp instance 0 interface Ethernet 1/0/1 to Ethernet 1/0/4 brief
     MSTID   Port             Role  STP State    Protection
       0     Ethernet1/0/1    ALTE  DISCARDING   LOOP
       0     Ethernet1/0/2    DESI  FORWARDING   NONE
       0     Ethernet1/0/3    DESI  FORWARDING   NONE
       0     Ethernet1/0/4    DESI  FORWARDING   NONE

Table 1-2 Description on the fields of the display stp command

Field | Description
MSTID | ID of an MSTI in the MST region
Port | Port index corresponding to an MSTI
Role | Port role
STP State | STP state on the port, which can be forwarding, discarding, and learning.
Protection | Protection type of the port, which can be one of the following: ROOT: Root protection; LOOP: Loop protection; BPDU: BPDU protection; NONE: No protection

# Display the detailed MSTP status information and statistics information.

    <Sysname> display stp instance 0 interface Ethernet 1/0/2
    -------[CIST Global Info][Mode MSTP]------
    CIST Bridge                   :32768.00e0-fc12-4001
    Bridge Times                  :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
    CIST Root/ERPC                :32768.000f-cb00-6600 / 200
    CIST RegRoot/IRPC             :32768.00e0-fc12-4001 / 0
    CIST RootPortId               :128.22
    BPDU-Protection               :disabled
    TC-Protection                 :enabled / Threshold=6
    Bridge Config Digest Snooping :disabled
    TC or TCN received            :0
    Time since last TC            :0 days 1h:33m:54s

    ----[Port2(Ethernet1/0/2)][DOWN]---
     Port Protocol                :enabled
     Port Role                    :CIST Disabled Port
     Port Priority                :128
     Port Cost(Legacy)            :Config=auto / Active=200000
     Desg. Bridge/Port            :32768.00e0-fc12-4001 / 128.2
     Port Edged                   :Config=disabled / Active=disabled
     Point-to-point               :Config=auto / Active=false
     Transmit Limit               :10 packets/hello-time
     Protection Type              :None
     MSTP BPDU format             :Config=auto / Active=legacy
     Port Config Digest Snooping  :disabled
     Num of Vlans Mapped          :1
     PortTimes                    :Hello 2s MaxAge 20s FwDly 15s MsgAge 0s RemHop 20
     BPDU Sent                    :0
              TCN: 0, Config: 0, RST: 0, MST: 0
     BPDU Received                :0
              TCN: 0, Config: 0, RST: 0, MST: 0

Table 1-3 display stp command output description

Field | Description
CIST Bridge | CIST bridge ID
Bridge Times | Major parameters for the bridge: Hello: Hello timer; MaxAge: Max Age timer; FwDly: Forward delay timer; MaxHop: Max hops within the MST region
CIST Root/ERPC | CIST root and external path cost
CIST RegRoot/IRPC | CIST regional root and internal path cost
CIST RootPortId | CIST root port ID
BPDU-Protection | Indicates whether BPDU protection is enabled globally.
TC-Protection*** / Threshold=** | Indicates whether TC-BPDU attack guard function is enabled globally, and the maximum times that a switch can remove the MAC address table and ARP entries within each 10 seconds.
Bridge Config Digest Snooping | Indicates whether Digest Snooping is enabled globally on the bridge.
TC or TCN received | Number of received TC/TCN packets
Time since last TC | Time of the latest topology change
Port Protocol | Indicates whether STP is enabled on the port
Port Role | Port role, which can be Alternate, Backup, Root, Designated, Master, or Disabled
Port Priority | Port priority
Port Cost(Legacy) | Path cost of the port. The field in the bracket indicates the standard used for port path cost calculation, which can be legacy, dot1d-1998, or dot1t. Config indicates the configured value, and Active indicates the actual value.
Desg. Bridge/Port | Designated bridge ID and port ID of the port. The port ID displayed is insignificant for a port which does not support port priority.
Port Edged | Indicates whether the port is an edge port. Config indicates the configured value, and Active indicates the actual value.
Point-to-point | Indicates whether the port is connected to a point-to-point link. Config indicates the configured value, and Active indicates the actual value.
Transmit Limit | The maximum number of packets sent within each Hello time
Protection Type | Protection type on the port, including Root guard and Loop guard
MST BPDU format | Format of the MST BPDUs that the port can send, which can be legacy or 802.1s. Config indicates the configured value, and Active indicates the actual value.
Port Config Digest Snooping | Indicates whether digest snooping is enabled on the port.
Num of Vlans Mapped | Number of VLANs mapped to the current MSTI
PortTimes | Major parameters for the port: Hello: Hello timer; MaxAge: Max Age timer; FwDly: Forward delay timer; MsgAge: Message Age timer; Remain Hop: Remaining hops
BPDU Sent | Statistics on sent BPDUs
BPDU Received | Statistics on received BPDUs

display stp abnormalport

Syntax
    display stp abnormalport

View
Any view

Parameters
None

Description
Use the display stp abnormalport command to display the ports that are blocked by STP guard functions.

Examples
# Display the ports that are blocked by STP guard functions.

    <Sysname> display stp abnormalport
     MSTID      Port                  Block Reason
     ---------  --------------------  -------------
     0          Ethernet1/0/20        Root-Protection
     1          Ethernet1/0/21        Loop-Protection

Table 1-4 Description on the fields of the display stp abnormalport command

Field | Description
MSTID | MSTI ID in the MST region
Port | Port that has been blocked
Block Reason | The function blocking the port

display stp portdown

Syntax
    display stp portdown

View
Any view

Parameters
None

Description
Use the display stp portdown command to display the ports that are shut down by STP guard functions.

Examples
# Display the ports that are shut down by STP guard functions.

    <Sysname> display stp portdown
     Port                   Down Reason
     ---------------------  ------------
     Ethernet1/0/20         BPDU-Protection

Table 1-5 Description on the fields of the display stp portdown command

Field | Description
Port | Port that has been shut down
Down Reason | The function shutting down the port

display stp region-configuration

Syntax
    display stp region-configuration

View
Any view

Parameters
None

Description
Use the display stp region-configuration command to display the activated MST region configuration, including the region name, region revision level, and VLAN-to-STI mappings configured for the switch.

Related commands: stp region-configuration.

Examples
# Display the configuration of the MST region.

    <Sysname> display stp region-configuration
     Oper Configuration
       Format selector :0
       Region name     :hello
       Revision level  :0

       Instance   Vlans Mapped
          0       21 to 4094
          1       1 to 10
          2       11 to 20

Table 1-6 Description on the fields of the display stp region-configuration command

Field | Description
Format selector | The selector specified by MSTP
Region name | The name of the MST region
Revision level | The revision level of the MST region
Instance Vlans Mapped | VLAN-to-STI mappings in the MST region

display stp root

Syntax
    display stp root

View
Any view

Parameters
None

Description
Use the display stp root command to display information about the root ports in the MSTP region where the switch resides.

Examples
# Display information about the root ports in the MSTP region where the switch resides.

    <Sysname> display stp root
     MSTID    Root Bridge ID        ExtPathCost   IntPathCost    Root Port
     -------  --------------------  ------------  -------------  -----------
     0        32768.00e0-fc53-d908  200           0              Ethernet1/0/18

Table 1-7 Description on the fields of the display stp root command

Field | Description
MSTID | MSTI ID in the MST region
Root Bridge ID | ID of the root bridge
ExtPathCost | Cost of the external path from the switch to the root bridge
IntPathCost | Cost of the internal path from the switch to the root bridge
Root Port | Root port (If a port on the current device is an MSTI root port, the port type and port number is displayed. Otherwise, the root port name is not displayed.)

instance

Syntax
    instance instance-id vlan vlan-list
    undo instance instance-id [ vlan vlan-list ]

View
MST region view

Parameters
instance-id: ID of an MSTI ranging from 0 to 16. The value of 0 refers to the CIST.
vlan-list: List of VLANs. You need to provide this argument in the form of vlan-list = { vlan-id [ to vlan-id ] }&<1-10>, where &<1-10> means that you can provide up to 10 VLAN IDs/VLAN ID ranges for this argument. Normally, a VLAN ID can be a number ranging from 1 to 4094.
Description
Use the instance command to map specified VLANs to a specified MSTI.
Use the undo instance command to remove the mappings from the specified VLANs to the specified MSTI and remap the specified VLANs to the CIST (MSTI 0). If you specify no VLAN in the undo instance command, all VLANs that are mapped to the specified MSTI are remapped to the CIST.
By default, all VLANs are mapped to the CIST.

VLAN-to-MSTI mappings are recorded in the VLAN-to-MSTI mapping table of an MSTP-enabled switch. So these two commands are actually used to manipulate the VLAN-to-MSTI mapping table. You can add/remove a VLAN to/from the VLAN-to-MSTI mapping table of a specific MSTI by using these two commands.

Note that a VLAN cannot be mapped to multiple MSTIs at the same time. A VLAN-to-MSTI mapping is automatically removed if you map the VLAN to another MSTI.

Related commands: region-name, revision-level, vlan-mapping modulo, check region-configuration, active region-configuration.

Examples
# Map VLAN 2 to MSTI 1.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] stp region-configuration
    [Sysname-mst-region] instance 1 vlan 2

region-name

Syntax
    region-name name
    undo region-name

View
MST region view

Parameters
name: MST region name to be set for the switch, a string of 1 to 32 characters.

Description
Use the region-name command to set an MST region name for a switch.
Use the undo region-name command to restore the MST region name to the default value.
The default MST region name of a switch is its MAC address.

MST region name, along with VLAN-to-MSTI mapping table and MSTP revision level, determines the MST region which a switch belongs to.

Related commands: instance, revision-level, check region-configuration, vlan-mapping modulo, active region-configuration.

Examples
# Set the MST region name of the switch to hello.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] stp region-configuration
    [Sysname-mst-region] region-name hello

reset stp

Syntax
    reset stp [ interface interface-list ]

View
User view

Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description
Use the reset stp command to clear spanning tree statistics.

The spanning tree statistics include the numbers of TCN BPDUs, configuration BPDUs, RST BPDUs, and MST BPDUs sent/received through one or more specified ports or all ports (note that BPDUs and TCN BPDUs are counted only for CISTs).

Note that:
- If you specify the interface-list argument, this command clears the spanning tree statistics on specified ports.
- If you do not specify the interface-list argument, this command clears the spanning tree statistics on all ports.

Related commands: display stp.

Examples
# Clear the spanning tree statistics on Ethernet 1/0/1 through Ethernet 1/0/3.

    <Sysname> reset stp interface Ethernet 1/0/1 to Ethernet 1/0/3

revision-level

Syntax
    revision-level level
    undo revision-level

View
MST region view

Parameters
level: MSTP revision level to be set for the switch. This argument ranges from 0 to 65,535.

Description
Use the revision-level command to set the MSTP revision level for a switch.
Use the undo revision-level command to restore the revision level to the default value.
By default, the MSTP revision level of a switch is 0.

MSTP revision level, along with MST region name and VLAN-to-MSTI mapping table, determines the MST region which a switch belongs to.

Related commands: instance, region-name, check region-configuration, vlan-mapping modulo, active region-configuration.

Examples
# Set the MSTP revision level of the MST region to 5.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] stp region-configuration
    [Sysname-mst-region] revision-level 5

stp

Syntax
    stp { enable | disable }
    undo stp

View
System view, Ethernet port view

Parameters
enable: Enables MSTP globally or on a port.
disable: Disables MSTP globally or on a port.

Description
Use the stp command to enable/disable MSTP globally or on a port.
Use the undo stp command to restore the MSTP state to the default globally or on a port.
By default, MSTP is disabled.

After MSTP is enabled, the actual operating mode, which can be STP-compatible mode, RSTP-compatible mode, or MSTP mode, is determined by the user-defined protocol mode. A switch becomes a transparent bridge if MSTP is disabled.

After being enabled, MSTP maintains spanning trees by processing configuration BPDUs of different VLANs. After being disabled, it stops maintaining spanning trees.

Related commands: stp mode, stp interface.

Examples
# Enable MSTP globally.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] stp enable

# Disable MSTP on Ethernet 1/0/1.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] stp disable

stp bpdu-protection

Syntax
    stp bpdu-protection
    undo stp bpdu-protection

View
System view

Parameters
None

Description
Use the stp bpdu-protection command to enable the BPDU guard function on the switch.
Use the undo stp bpdu-protection command to restore the BPDU guard function to its default state.
By default, the BPDU guard function is disabled.

Normally, the access ports of the devices operating on the access layer are directly connected to terminals (such as PCs) or file servers. These ports are usually configured as edge ports to implement rapid transition. But they automatically revert to non-edge ports upon receiving configuration BPDUs, which causes spanning tree recalculation and network topology jitter.
Normally, no configuration BPDU will reach edge ports. But malicious users can attack a network by sending configuration BPDUs deliberately to edge ports to cause network jitter. You can prevent such attacks by enabling the BPDU guard function. With this function enabled on a switch, the switch shuts down the edge ports that receive configuration BPDUs and then reports these cases to the administrator. If an edge port is shut down, only the administrator can restore it.

Examples
# Enable the BPDU guard function.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] stp bpdu-protection

As Gigabit ports of an S3600 Ethernet switch cannot be shut down, the BPDU guard function is not applicable to these ports even if you enable the BPDU guard function and specify these ports to be MSTP edge ports.

stp bridge-diameter

Syntax
    stp bridge-diameter bridgenum
    undo stp bridge-diameter

View
System view

Parameters
bridgenum: Network diameter to be set for a switched network. This argument ranges from 2 to 7.

Description
Use the stp bridge-diameter command to set the network diameter of a switched network. The network diameter of a switched network is represented by the maximum possible number of switches between any two terminal devices in a switched network.
Use the undo stp bridge-diameter command to restore the network diameter to the default value.
By default, the network diameter is 7.

After you configure the network diameter of a switched network, MSTP adjusts its hello time, forward delay, and max age settings accordingly. With the network diameter set to the default value 7, the three time-related settings, including hello time, forward delay, and max age, are set to their default values as well.

The stp bridge-diameter command only applies to CIST. It is invalid for MSTIs.

Related commands: stp timer forward-delay, stp timer hello, stp timer max-age.

Examples
# Set the network diameter to 5.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] stp bridge-diameter 5

stp compliance

Syntax
    stp compliance { auto | legacy | dot1s }
    undo stp compliance

View
Ethernet port view

Parameters
auto: Specifies the port to recognize and send MSTP packets in the automatic mode.
legacy: Specifies the port to recognize and send MSTP packets in the legacy mode.
dot1s: Specifies the port to recognize and send MSTP packets in the 802.1s mode.

Description
Use the stp compliance command to set the mode in which a port recognizes and sends MSTP packets.
Use the undo stp compliance command to restore the default.
By default, a port recognizes and sends MSTP packets in the automatic mode.

A port can be configured to recognize and send MSTP packets in the following modes.
- Automatic mode. Ports in this mode determine the format of the MSTP packets to be sent according to the format of the received packets.
- Legacy mode. Ports in this mode recognize/send packets in legacy format.
- 802.1s mode. Ports in this mode recognize/send packets in dot1s format.

A port acts as follows according to the format of MSTP packets forwarded by a peer switch or router.

When a port operates in the automatic mode:
- The port automatically determines the format (legacy or dot1s) of received MSTP packets and then determines the format of the packets to be sent accordingly, thus communicating with the peer devices.
- If the format of the received packets changes repeatedly, MSTP will shut down the corresponding port to prevent network storm. A port shut down in this way can only be brought up again by the network administrator.

When a port operates in the legacy mode:
- The port only recognizes and sends MSTP packets in legacy format. In this case, the port can only communicate with the peer through packets in legacy format.
- If packets in dot1s format are received, the port turns to discarding state to prevent network storm.

When a port operates in the 802.1s mode:
- The port only recognizes and sends MSTP packets in dot1s format. In this case, the port can only communicate with the peer through packets in dot1s format.
- If packets in legacy format are received, the port turns to discarding state to prevent network storm.

Examples
# Configure Ethernet 1/0/1 to recognize and send MSTP packets in dot1s format.

    <Sysname> system-view
    Enter system view, return to user view with Ctrl+Z.
    [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] stp compliance dot1s

# Restore the default mode in which a port recognizes and sends MSTP packets.

    [Sysname-Ethernet1/0/1] undo stp compliance

stp config-digest-snooping

Syntax
    stp config-digest-snooping
    undo stp config-digest-snooping

View
System view, Ethernet port view

Parameters
None

Description
Use the stp config-digest-snooping command to enable the digest snooping feature globally.
Use the undo stp config-digest-snooping command to disable the digest snooping feature globally.
The digest snooping feature is disabled by default.

According to IEEE 802.1s, two interconnected switches can interwork with each other through MSTIs in an MST region only when the two switches have the same MST region-related configuration. With MSTP enabled, interconnected switches determine whether or not they are in the same MST region by checking the configuration IDs of the BPDUs between them. (A configuration ID contains information such as region ID and configuration digest.)

As some other manufacturers' switches adopt proprietary spanning tree protocols, they cannot interwork with other switches in an MST region even if they are configured with the same MST region-related settings as other switches in the MST region.

This kind of problem can be overcome by implementing the digest snooping feature.
If a switch port is connected to another manufacturer's switch that has the same MST region-related settings but adopts a proprietary spanning tree protocol, you can enable the digest snooping feature on the port when it receives BPDU packets from another manufacturer's switch. Then the switch considers these BPDU packets to be from its own MST region and records the configuration digests carried in the BPDU packets received from the switch, which will be put in the BPDU packets to be sent to another manufacturer's switch. In this way, the switch can interwork with another manufacturer's switches in an MST region.

- When the digest snooping feature is enabled on a port, the port turns to the discarding state. That is, the port stops sending BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port.
- The digest snooping feature is needed only when your switch is connected to another manufacturer's switches adopting proprietary spanning tree protocols.
- To enable the digest snooping feature successfully, you must first enable it on all the switch ports that connect to another manufacturer's switches adopting proprietary spanning tree protocols and then enable it globally.
- To enable the digest snooping feature, the interconnected switches and another manufacturer's switch adopting proprietary spanning tree protocols must be configured with exactly the same MST region-related configurations (including region name, revision level, and VLAN-to-MSTI mapping).
- The digest snooping feature must be enabled on all the switch ports that connect to another manufacturer's switches adopting proprietary spanning tree protocols in the same MST region.
- When the digest snooping feature is enabled globally, the VLAN-to-MSTI mapping table cannot be modified.
- The digest snooping feature is not applicable to boundary ports in an MST region.
- The digest snooping function is not applicable to edge ports in an MST region.
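
Because digest snooping makes a port accept the peer's configuration digest instead of checking it, it is worth confirming offline that both switches really carry the same region settings. The following is an added example, not H3C code: it parses two outputs in the layout shown for display stp region-configuration, compares format selector, region name, revision level and VLAN-to-MSTI mapping, and computes the configuration digest as IEEE 802.1s defines it (HMAC-MD5 over the 4096-entry VLAN-to-MSTI table). The sample outputs are constructed, the function names are hypothetical, and the parser assumes each table row fits on one line.

```python
import hashlib
import hmac
import re
import struct

# HMAC-MD5 signature key fixed by IEEE 802.1s/802.1Q for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Constructed sample outputs in the layout of "display stp region-configuration".
SWITCH_A = """\
 Oper Configuration
   Format selector :0
   Region name     :hello
   Revision level  :0

   Instance   Vlans Mapped
      0       21 to 4094
      1       1 to 10
      2       11 to 20
"""
# Same name and revision, but VLAN 10 was left in the CIST on this switch.
SWITCH_B = """\
 Oper Configuration
   Format selector :0
   Region name     :hello
   Revision level  :0

   Instance   Vlans Mapped
      0       10, 21 to 4094
      1       1 to 9
      2       11 to 20
"""

FIELDS = {"Format selector": "selector", "Region name": "name",
          "Revision level": "revision"}


def expand_vlans(spec):
    """Expand a list such as '1 to 9, 11 to 4094' into a set of VLAN IDs."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        m = re.fullmatch(r"(\d+)(?:\s+to\s+(\d+))?", part)
        if not m:
            raise ValueError(f"unparseable VLAN range: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_region(text):
    """Parse the region settings and the Instance / Vlans Mapped table."""
    region = {"selector": None, "name": None, "revision": None, "vlan_to_msti": {}}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"(Format selector|Region name|Revision level)\s*:(.*)", line)
        if m:
            key, value = FIELDS[m.group(1)], m.group(2).strip()
            region[key] = value if key == "name" else int(value)
        elif line.startswith("Instance"):
            in_table = True
        elif in_table:
            m = re.fullmatch(r"(\d+)\s+(.+)", line)
            if not m:
                raise ValueError(f"unexpected table row: {line!r}")
            for vid in expand_vlans(m.group(2)):
                # A VLAN cannot be mapped to multiple MSTIs at the same time.
                if vid in region["vlan_to_msti"]:
                    raise ValueError(f"VLAN {vid} mapped to more than one MSTI")
                region["vlan_to_msti"][vid] = int(m.group(1))
    return region


def config_digest(vlan_to_msti):
    """HMAC-MD5 over 4096 big-endian 16-bit MSTI IDs; VID 0 and 4095 stay 0."""
    table = [0] * 4096
    for vid, msti in vlan_to_msti.items():
        table[vid] = msti
    return hmac.new(MST_DIGEST_KEY, struct.pack(">4096H", *table),
                    hashlib.md5).hexdigest()


def region_mismatches(a, b):
    """List every region parameter on which two parsed switches disagree."""
    diffs = [f"{k}: {a[k]!r} != {b[k]!r}"
             for k in ("selector", "name", "revision") if a[k] != b[k]]
    moved = [v for v in range(1, 4095)
             if a["vlan_to_msti"].get(v, 0) != b["vlan_to_msti"].get(v, 0)]
    if moved:
        diffs.append(f"VLAN-to-MSTI mapping: {len(moved)} VLAN(s) differ, "
                     f"first is VLAN {moved[0]}")
    return diffs


if __name__ == "__main__":
    a, b = parse_region(SWITCH_A), parse_region(SWITCH_B)
    print("digest A:", config_digest(a["vlan_to_msti"]))
    print("digest B:", config_digest(b["vlan_to_msti"]))
    print("mismatches:", region_mismatches(a, b) or "none")
```

An empty mismatch list means the prerequisite in the list above (identical region name, revision level and VLAN-to-MSTI mapping) holds; the page does not state whether BPDUs sent in legacy format carry the same digest, so treat the computed value as the 802.1s one.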

Examples
# Enable the digest snooping feature on Ethernet 1/0/1.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] stp config-digest-snooping
    [Sysname-Ethernet1/0/1] quit
    [Sysname] stp config-digest-snooping

stp cost

Syntax
    stp [ instance instance-id ] cost cost
    undo stp [ instance instance-id ] cost

View
Ethernet port view

Parameters
instance-id: ID of an MSTI ranging from 0 to 16. The value of 0 refers to the CIST.
cost: Path cost to be set for the port. The range of the cost argument varies with the standard used for calculating the default path cost of a port as follows:
- With the IEEE 802.1D-1998 standard selected, the path cost of an Ethernet port ranges from 1 to 65535.
- With the IEEE 802.1t standard selected, the path cost of an Ethernet port ranges from 1 to 200000000.
- With the proprietary standard selected, the path cost of an Ethernet port ranges from 1 to 200000.

Description
Use the stp cost command to set the path cost of the current port in a specified MSTI.
Use the undo stp cost command to restore the default path cost of the current port in the specified MSTI.
By default, a switch automatically calculates the path costs of a port in different MSTIs based on a specified standard.

If you specify the instance-id argument to be 0 or do not specify this argument, the stp cost command sets the path cost of the port in CIST.

The path cost of a port affects its port role. By configuring different path costs for the same port in different MSTIs, you can make flows of different VLANs travel along different physical links, so as to achieve VLAN-based load balancing.

Changing the path cost of a port in an MSTI may change the role of the port in the instance and put it in state transition.

Related commands: stp interface cost.

Examples
# Set the path cost of Ethernet 1/0/3 in MSTI 2 to 200.

    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/3
[Sysname-Ethernet1/0/3] stp instance 2 cost 200

stp dot1d-trap

Syntax
stp [ instance instance-id ] dot1d-trap [ newroot | topologychange ] enable
undo stp [ instance instance-id ] dot1d-trap [ newroot | topologychange ] enable

View
System view

Parameters
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to CIST. With this argument specified, the trap messages sent are only of the MSTI identified by this argument.
newroot: Sends trap messages conforming to the 802.1d standard to the network management device when the switch becomes the root bridge of an instance.
topologychange: Sends trap messages conforming to the 802.1d standard to the network management device when the switch detects network topology changes.

Description
Use the stp dot1d-trap command to enable a switch to send trap messages conforming to the 802.1d standard when the MSTP network topology changes.
Use the undo stp dot1d-trap command to disable this function.
A switch sends trap messages conforming to the 802.1d standard to the network management device when:
- The switch becomes the root bridge of an MSTI.
- Network topology changes are detected.

Examples
# Enable a switch to send trap messages conforming to the 802.1d standard to the network management device when the switch becomes the root bridge of MSTI 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp instance 1 dot1d-trap newroot enable

stp edged-port

Syntax
stp edged-port { enable | disable }
undo stp edged-port

View
Ethernet port view

Parameters
enable: Configures the current Ethernet port as an edge port.
disable: Configures the current Ethernet port as a non-edge port.

Description
Use the stp edged-port enable command to configure the current Ethernet port as an edge port.
Use the stp edged-port disable command to configure the current Ethernet port as a non-edge port.
Use the undo stp edged-port command to restore the current Ethernet port to its default state.
By default, all Ethernet ports of a switch are non-edge ports.
An edge port is a port that is directly connected to a user terminal instead of another switch or shared network segment. Rapid transition to the forwarding state is applied to edge ports because on these ports no loops can be incurred by network topology changes. You can enable a port to turn to the forwarding state rapidly by setting it to an edge port. You are advised to configure the Ethernet ports directly connected to user terminals as edge ports so that they can turn to the forwarding state rapidly.
Normally, configuration BPDUs cannot reach an edge port because the port is not connected to another switch. But when the BPDU guard function is disabled on an edge port, configuration BPDUs sent deliberately by a malicious user may reach the port. If an edge port receives a BPDU, it turns to a non-edge port.
Related commands: stp interface edged-port.

With the loop guard function enabled, the root guard function and the edge port configuration are mutually exclusive.

Examples
# Configure Ethernet 1/0/1 as a non-edge port.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp edged-port disable

stp interface

Syntax
stp interface interface-list { enable | disable }

View
System view

Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
enable: Enables MSTP on the specified ports.
disable: Disables MSTP on the specified ports.

Description
Use the stp interface command to enable or disable MSTP on specified ports in system view.
By default, MSTP is enabled on the ports of a switch if MSTP is globally enabled on the switch, and MSTP is disabled on the ports if MSTP is globally disabled.
An MSTP-disabled port does not participate in any spanning tree calculation and is always in the forwarding state.

Disabling MSTP on ports may result in loops.

Related commands: stp mode, stp.

Examples
# Enable MSTP on Ethernet 1/0/1 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 enable

stp interface compliance

Syntax
stp interface interface-list compliance { auto | legacy | dot1s }
undo stp interface interface-list compliance

View
System view

Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
auto: Specifies the port to recognize and send MSTP packets in the automatic mode.
legacy: Specifies the port to recognize and send MSTP packets in the legacy mode.
dot1s: Specifies the port to recognize and send MSTP packets in the 802.1s mode.

Description
Use the stp interface compliance command to set the mode in which a port recognizes and sends MSTP packets.
Use the undo stp interface compliance command to restore the default.
By default, a port recognizes and sends MSTP packets in the automatic mode.
A port can be configured to recognize and send MSTP packets in the following modes.
- Automatic mode. Ports in this mode determine the format of the MSTP packets to be sent according to the format of the received packets.
- Legacy mode. Ports in this mode recognize/send packets in legacy format.
- 802.1s mode. Ports in this mode recognize/send packets in dot1s format.
A port acts as follows according to the format of MSTP packets forwarded by a peer switch or router.
When a port operates in the automatic mode:
- The port automatically determines the format (legacy or dot1s) of received MSTP packets and then determines the format of the packets to be sent accordingly, thus communicating with the peer devices.
- If the format of the received packets changes repeatedly, MSTP will shut down the corresponding port to prevent a network storm. A port shut down in this way can only be brought up again by the network administrator.
When a port operates in the legacy mode:
- The port only recognizes and sends MSTP packets in legacy format. In this case, the port can only communicate with the peer through packets in legacy format.
- If packets in dot1s format are received, the port turns to the discarding state to prevent a network storm.
When a port operates in the 802.1s mode:
- The port only recognizes and sends MSTP packets in dot1s format. In this case, the port can only communicate with the peer through packets in dot1s format.
- If packets in legacy format are received, the port turns to the discarding state to prevent a network storm.

Examples
# Configure Ethernet 1/0/1 to recognize and send MSTP packets in dot1s format.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] stp interface Ethernet1/0/1 compliance dot1s
# Restore the default mode in which a port recognizes and sends MSTP packets.
[Sysname] undo stp interface Ethernet1/0/1 compliance

stp interface config-digest-snooping

Syntax
stp interface interface-list config-digest-snooping
undo stp interface interface-list config-digest-snooping

View
System view

Parameters
interface-list: Ethernet port list.
You can specify multiple Ethernet ports by providing this argument in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description
Use the stp interface config-digest-snooping command to enable the digest snooping feature on specific ports.
Use the undo stp interface config-digest-snooping command to disable the digest snooping feature on specific ports.
By default, the digest snooping feature is disabled on a port.
According to IEEE 802.1s, two interconnected MSTP switches can interwork with each other through MSTIs in an MST region only when the two switches have the same MST region-related configuration. Interconnected MSTP switches determine whether or not they are in the same MST region by checking the configuration IDs of the BPDUs between them. (A configuration ID contains information such as region ID and configuration digest.)
Because some other manufacturers' switches adopt proprietary spanning tree protocols, they cannot interwork with other switches in an MST region even if they are configured with the same MST region-related settings as other switches in the MST region.
This kind of problem can be overcome by implementing the digest snooping feature. If a switch port is connected to another manufacturer's switch that has the same MST region-related settings but adopts a proprietary spanning tree protocol, you can enable the digest snooping feature on the port when it receives BPDU packets from another manufacturer's switch. Then the switch considers these BPDU packets to be from its own MST region and records the configuration digests carried in the BPDU packets received from the switch, which will be put in the BPDU packets to be sent to the other manufacturer's switch. In this way, the switch can interwork with another manufacturer's switches in an MST region.
- When the digest snooping feature is enabled on a port, the port turns to the discarding state. That is, the port stops sending BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port.
- The digest snooping feature is needed only when your switch is connected to another manufacturer's switches adopting proprietary spanning tree protocols.
- To enable the digest snooping feature successfully, you must first enable it on all the switch ports that connect to another manufacturer's switches adopting proprietary spanning tree protocols and then enable it globally.
- To enable the digest snooping feature, the interconnected switches and another manufacturer's switch adopting proprietary spanning tree protocols must be configured with exactly the same MST region-related configurations (including region name, revision level, and VLAN-to-MSTI mapping).
- The digest snooping feature must be enabled on all the switch ports that connect to another manufacturer's switches adopting proprietary spanning tree protocols in the same MST region.
- When the digest snooping feature is enabled globally, the VLAN-to-MSTI mapping table cannot be modified.
- The digest snooping feature is not applicable to boundary ports in an MST region.
- The digest snooping function is not applicable to edge ports in an MST region.

Examples
# Enable the digest snooping feature for Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 config-digest-snooping

stp interface cost

Syntax
stp interface interface-list [ instance instance-id ] cost cost
undo stp interface interface-list [ instance instance-id ] cost

View
System view

Parameters
interface-list: Ethernet port list.
You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
cost: Path cost to be set for the port. The range of the cost argument varies with the standard used for calculating the default path cost of a port as follows:
- With the IEEE 802.1D-1998 standard selected, the path cost of an Ethernet port ranges from 1 to 65535.
- With the IEEE 802.1t standard selected, the path cost of an Ethernet port ranges from 1 to 200000000.
- With the proprietary standard selected, the path cost of an Ethernet port ranges from 1 to 200000.

Description
Use the stp interface cost command to set the path cost(s) of the specified port(s) in a specified MSTI in system view.
Use the undo stp interface cost command to restore the default value of the path cost(s) of the specified port(s) in the specified MSTI in system view.
By default, a switch automatically calculates the path costs of a port in different MSTIs based on a specified standard.
If you specify the instance-id argument to be 0 or do not specify this argument, the stp interface cost command sets the path cost(s) of the specified port(s) in the CIST.
The path cost of a port affects its port role. By configuring different path costs for the same port in different MSTIs, you can make flows of different VLANs travel along different physical links, so as to achieve VLAN-based load balancing.
Changing the path cost of a port in an MSTI may change the role of the port in the instance and put it in state transition.
The default port path cost varies with port speed. Refer to Table 1-8 for details.
Related commands: stp cost.

Examples
# Set the path cost of Ethernet 1/0/3 in MSTI 2 to 400.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/3 instance 2 cost 400

stp interface edged-port

Syntax
stp interface interface-list edged-port { enable | disable }
undo stp interface interface-list edged-port

View
System view

Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
enable: Configures the specified Ethernet port to be an edge port.
disable: Configures the specified Ethernet port to be a non-edge port.

Description
Use the stp interface edged-port enable command to configure the specified Ethernet ports as edge ports in system view.
Use the stp interface edged-port disable command to configure the specified Ethernet ports as non-edge ports in system view.
Use the undo stp interface edged-port command to restore the specified Ethernet ports to the default state.
By default, all Ethernet ports of a switch are non-edge ports.
An edge port is a port that is directly connected to a user terminal instead of another switch or a network segment. Rapid transition to the forwarding state is applied to edge ports because on these ports no loops can be incurred by network topology changes. You can enable a port to turn to the forwarding state rapidly by setting it to an edge port. You are advised to configure the Ethernet ports directly connected to user terminals as edge ports so that they can turn to the forwarding state rapidly.
Normally, configuration BPDUs cannot reach an edge port because the port is not connected to another switch. But when the BPDU guard function is disabled on an edge port, configuration BPDUs sent deliberately by a malicious user may reach the port.
If an edge port receives a BPDU, it turns to a non-edge port.
Related commands: stp edged-port.

With the loop guard function enabled, the root guard function and the edge port configuration are mutually exclusive.

Examples
# Configure Ethernet 1/0/3 as an edge port.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/3 edged-port enable

stp interface loop-protection

Syntax
stp interface interface-list loop-protection
undo stp interface interface-list loop-protection

View
System view

Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description
Use the stp interface loop-protection command to enable the loop guard function in system view.
Use the undo stp interface loop-protection command to restore the default state of the loop guard function in system view.
The loop guard function is disabled by default.
Related commands: stp loop-protection.

With the loop guard function enabled, the root guard function and the edge port configuration are mutually exclusive.

Examples
# Enable the loop guard function for Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 loop-protection

stp interface mcheck

Syntax
stp [ interface interface-list ] mcheck

View
System view

Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Description
Use the stp interface mcheck command to perform the mCheck operation on specified port(s) in system view.
A port on an MSTP-enabled switch migrates to the STP-/RSTP-compatible mode automatically if an STP-/RSTP-enabled switch has been connected to it. But when the STP-/RSTP-enabled switch is disconnected from the port, the port cannot migrate back to the MSTP mode automatically. In this case, you can force the port to migrate to the MSTP mode by performing the mCheck operation on the port.
Related commands: stp mcheck, stp mode.

Examples
# Perform the mCheck operation for Ethernet 1/0/3 in system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/3 mcheck

stp interface no-agreement-check

Syntax
stp interface interface-type interface-number no-agreement-check
undo stp interface interface-type interface-number no-agreement-check

View
System view

Parameters
interface-type: Port type.
interface-number: Port number.

Description
Use the stp interface no-agreement-check command to enable the rapid transition feature on the specified port.
Use the undo stp interface no-agreement-check command to disable the rapid transition feature on the specified port.
The rapid transition feature is disabled on any port by default.
Some manufacturers' switches adopt proprietary spanning tree protocols that are similar to RSTP in the way they implement rapid transition on designated ports. When a switch of this kind operates as the upstream switch of H3C series switches running MSTP, the upstream designated ports fail to change their states rapidly.
The rapid transition feature is developed on the H3C series switches to avoid this case. When an H3C series switch running MSTP is connected in the upstream direction to a manufacturer's switch adopting proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the H3C series switch operating as the downstream switch.
Among these ports, those operating as the root ports will then send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch. This enables designated ports of the upstream switch to change their states rapidly.
Related commands: stp no-agreement-check.

- The rapid transition feature can be enabled on root ports or alternate ports only.
- You can enable the rapid transition feature on the designated port; however, the feature does not take effect on the port.

Examples
# Enable the rapid transition feature for Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 no-agreement-check

stp interface point-to-point

Syntax
stp interface interface-list point-to-point { force-true | force-false | auto }
undo stp interface interface-list point-to-point

View
System view

Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
force-true: Specifies that the links connected to the specified Ethernet ports are point-to-point links.
force-false: Specifies that the links connected to the specified Ethernet ports are not point-to-point links.
auto: Specifies to automatically determine whether or not the links connected to the specified Ethernet ports are point-to-point links.

Description
Use the stp interface point-to-point command to specify whether the links connected to the specified Ethernet ports are point-to-point links in system view.
Use the undo stp interface point-to-point command to restore the links connected to the specified ports to their default link types, which are automatically determined by MSTP.
If no keyword is specified in the stp interface point-to-point command, the auto keyword is used by default, and so MSTP automatically determines the types of the links connected to the specified ports.
The rapid transition feature is not applicable to ports connected to non-point-to-point links.
If an Ethernet port is the master port of aggregated ports or operates in full-duplex mode, the link connected to the port is a point-to-point link.
You are advised to let MSTP automatically determine the link types.
These two commands apply to CIST and MSTIs. If you configure the link to which a port is connected to be a point-to-point link (or a non-point-to-point link), the configuration applies to all MSTIs (that is, the port is configured to connect to a point-to-point link (or a non-point-to-point link) in all MSTIs). If the actual physical link is not a point-to-point link and you configure the link to which the port is connected to be a point-to-point link, loops may temporarily occur.
Related commands: stp point-to-point.

Examples
# Configure the link connected to Ethernet 1/0/3 as a point-to-point link.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/3 point-to-point force-true

stp interface port priority

Syntax
stp interface interface-list instance instance-id port priority priority
undo stp interface interface-list instance instance-id port priority

View
System view

Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
priority: Port priority to be set. This argument ranges from 0 to 240 and must be a multiple of 16 (such as 0, 16, 32, and so on).
Description
Use the stp interface port priority command to set a port priority for the specified ports in the specified MSTI in system view.
Use the undo stp interface port priority command to restore the default priority of the specified ports in the specified MSTI in system view.
The default port priority of a port in an MSTI is 128.
If you set the instance-id argument to 0, the two commands apply to the port priorities on the CIST. The role a port plays in an MSTI is affected by its port priority in the instance. A port on an MSTP-enabled switch can have different port priorities and play different roles in different MSTIs. This enables packets of different VLANs to be forwarded along different physical paths, so as to implement VLAN-based load balancing.
Changing port priorities results in port role recalculation and may cause state transition.
Related commands: stp port priority.

Examples
# Set the port priority of Ethernet 1/0/3 in MSTI 2 to 16.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/3 instance 2 port priority 16

stp interface root-protection

Syntax
stp interface interface-list root-protection
undo stp interface interface-list root-protection

View
System view

Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description
Use the stp interface root-protection command to enable the root guard function on specified port(s) in system view.
Use the undo stp interface root-protection command to restore the root guard function to the default state on specified port(s) in system view.
By default, the root guard function is disabled.
Because of configuration errors or malicious attacks, the root bridge in the network may receive configuration BPDUs with priorities higher than that of a root bridge, which causes a new root bridge to be elected and network topology jitter to occur. In this case, flows that should have traveled along high-speed links are led to low-speed links, which causes network congestion.
You can avoid this problem by enabling the root guard function. Root-guard-enabled ports can only be kept as designated ports in all MSTIs. When a port of this type receives configuration BPDUs with higher priorities, that is, when it is to become a non-designated port, it turns to the discarding state and stops forwarding packets (as if it were disconnected from the link).
Related commands: stp root-protection.

With the loop guard function enabled, the root guard function and edge port configuration are mutually exclusive.

Examples
# Enable the root guard function for Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/1 root-protection

stp interface transmit-limit

Syntax
stp interface interface-list transmit-limit packetnum
undo stp interface interface-list transmit-limit

View
System view

Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
packetnum: Maximum number of configuration BPDUs a port can send in each hello time. This argument ranges from 1 to 255 and defaults to 10.

Description
Use the stp interface transmit-limit command to set the maximum number of configuration BPDUs each specified port can send in each hello time.
Use the undo stp interface transmit-limit command to restore the maximum number to the default value.
The larger the packetnum argument is, the more packets a port can transmit in each hello time, and the more switch resources are occupied. Configure the packetnum argument to a proper value to limit the number of BPDUs a port can send in each hello time, so that MSTP does not occupy too much bandwidth when network topology jitter occurs.
Related commands: stp transmit-limit.

Examples
# Set the maximum transmitting speed of Ethernet 1/0/3 to 15.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp interface Ethernet 1/0/3 transmit-limit 15

stp loop-protection

Syntax
stp loop-protection
undo stp loop-protection

View
Ethernet port view

Parameters
None

Description
Use the stp loop-protection command to enable the loop guard function on the current port.
Use the undo stp loop-protection command to restore the loop guard function to the default state on the current port.
By default, the loop guard function is disabled.
A switch maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream switch. These BPDUs may get lost because of network congestion or unidirectional link failures. If a switch does not receive BPDUs from the upstream switch for a certain period, the switch selects a new root port; the original root port becomes a designated port; and the blocked ports turn to the forwarding state. This may cause loops in the network.
The loop guard function suppresses loops. With this function enabled, if link congestion or unidirectional link failures happen, a root port becomes a designated port, and the port turns to the discarding state. The blocked port also becomes the designated port and the port turns to the discarding state, that is, the port does not forward packets and thereby loops can be prevented.

Examples
# Enable the loop guard function on Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp loop-protection

stp max-hops

Syntax
stp max-hops hops
undo stp max-hops

View
System view

Parameters
hops: Maximum hop count to be set. This argument ranges from 1 to 40.

Description
Use the stp max-hops command to set the maximum hop count for the MST region the current switch belongs to.
Use the undo stp max-hops command to restore the maximum hop count to the default.
By default, the maximum hop count of an MST region is 20.
The maximum hop count configured on the region roots of an MST region limits the size of the MST region.
A configuration BPDU contains a field that maintains the remaining hops of the configuration BPDU. A switch discards the configuration BPDUs whose remaining hops are 0. After a configuration BPDU reaches a root bridge of a spanning tree in an MST region, the value of the remaining hops field in the configuration BPDU is decreased by 1 every time the configuration BPDU passes one switch. Such a mechanism disables the switches that are beyond the maximum hops from participating in spanning tree calculation, and thus limits the size of an MST region.
With such a mechanism, the maximum hops configured on the switch operating as the root bridge of the CIST or an MSTI in an MST region becomes the network diameter of the spanning tree, which limits the size of the spanning tree in the current MST region. The switches that are not root bridges in an MST region adopt the maximum hop settings of the root bridge.

Examples
# Set the maximum hop count of the current MST region to 35.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp max-hops 35

stp mcheck

Syntax
stp mcheck

View
System view, Ethernet port view

Parameters
None

Description
Use the stp mcheck command to perform the mCheck operation on the current port.
When a port on an MSTP-enabled upstream switch connects with an STP-enabled downstream switch, the port operates in the STP-compatible mode automatically. But when the STP-enabled downstream switch is then replaced by an MSTP-enabled switch, the port cannot automatically transit to the MSTP mode but still remains in the STP-compatible mode. In this case, you can force the port to transit to the MSTP mode by performing the mCheck operation on the port.
Similarly, when a port on an RSTP-enabled upstream switch connects with an STP-enabled downstream switch, the port operates in the STP-compatible mode. But when the STP-enabled downstream switch is then replaced by an MSTP-enabled switch, the port cannot automatically transit to the MSTP mode but remains in the STP-compatible mode. In this case, you can force the port to transit to the MSTP-compatible mode by performing the mCheck operation on the port.
Related commands: stp mode, stp interface mcheck.

Examples
# Perform the mCheck operation on Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp mcheck

stp mode

Syntax
stp mode { stp | rstp | mstp }
undo stp mode

View
System view

Parameters
stp: Specifies the STP-compatible mode.
mstp: Specifies the MSTP mode.
rstp: Specifies the RSTP-compatible mode.

Description
Use the stp mode command to set the operating mode of an MSTP-enabled switch.
Use the undo stp mode command to restore the default operating mode of an MSTP-enabled switch.
By default, an MSTP-enabled switch operates in MSTP mode.
To make a switch compatible with STP and RSTP, MSTP provides the following three operating modes.
- STP-compatible mode, where the ports of a switch send STP BPDUs to neighboring devices. If STP-enabled switches exist in a switched network, you can use the stp mode stp command to configure an MSTP-enabled switch to operate in STP-compatible mode.
- RSTP-compatible mode, where the ports of a switch send RSTP BPDUs to neighboring devices. If RSTP-enabled switches exist in a switched network, you can use the stp mode rstp command to configure an MSTP-enabled switch to operate in RSTP-compatible mode.
- MSTP mode, where the ports of a switch send MSTP BPDUs and STP BPDUs (if the switch is connected to STP-enabled switches) to neighboring devices. In this case, the switch is MSTP-capable.

Related commands: stp mcheck, stp, stp interface, stp interface mcheck.

Examples
# Configure the MSTP operation mode as STP-compatible.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp mode stp

stp no-agreement-check

Syntax
stp no-agreement-check
undo stp no-agreement-check

View
Ethernet port view

Parameters
None

Description
Use the stp no-agreement-check command to enable the rapid transition feature on a port.
Use the undo stp no-agreement-check command to disable the rapid transition feature.
By default, the rapid transition feature is disabled on a port.

Some manufacturers' switches adopt proprietary spanning tree protocols that are similar to RSTP in the way they implement rapid transition on designated ports. When a switch of this kind operates as the upstream switch of an H3C series switch running MSTP, the upstream designated ports fail to change their states rapidly.

The rapid transition feature aims to resolve this problem. When an H3C series switch running MSTP is connected in the upstream direction to another manufacturer's switch adopting proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the H3C series switch operating as the downstream switch. Among these ports, those operating as the root ports will then actively send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch.
This enables designated ports of the upstream switch to change their states rapidly.

Related commands: stp interface no-agreement-check.

- The rapid transition feature can be enabled on only root ports or alternate ports.
- You can enable the rapid transition feature on the designated port. However, the feature does not take effect on the port.

Examples
# Enable the rapid transition feature on Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp no-agreement-check

stp pathcost-standard

Syntax
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
undo stp pathcost-standard

View
System view

Parameters
dot1d-1998: Uses the IEEE 802.1D-1998 standard to calculate the default path costs of ports.
dot1t: Uses the IEEE 802.1t standard to calculate the default path costs of ports.
legacy: Uses the proprietary standard to calculate the default path costs of ports.

Description
Use the stp pathcost-standard command to set the standard to be used to calculate the default path costs of the links connected to the switch.
Use the undo stp pathcost-standard command to specify to use the default standard.
By default, a switch uses the legacy standard to calculate the default path costs of ports.
Table 1-8 Link speeds and the corresponding path costs

| Link speed | Operating mode (half-/full-duplex) | 802.1D-1998 | IEEE 802.1t | Proprietary standard |
|---|---|---|---|---|
| 0 | — | 65,535 | 200,000,000 | 200,000 |
| 10 Mbps | Half-duplex/Full-duplex | 100 | 200,000 | 2,000 |
| 10 Mbps | Aggregated link 2 ports | 95 | 1,000,000 | 1,800 |
| 10 Mbps | Aggregated link 3 ports | 95 | 666,666 | 1,600 |
| 10 Mbps | Aggregated link 4 ports | 95 | 500,000 | 1,400 |
| 100 Mbps | Half-duplex/Full-duplex | 19 | 200,000 | 200 |
| 100 Mbps | Aggregated link 2 ports | 15 | 100,000 | 180 |
| 100 Mbps | Aggregated link 3 ports | 15 | 66,666 | 160 |
| 100 Mbps | Aggregated link 4 ports | 15 | 50,000 | 140 |
| 1,000 Mbps | Full-duplex | 4 | 200,000 | 20 |
| 1,000 Mbps | Aggregated link 2 ports | 3 | 10,000 | 18 |
| 1,000 Mbps | Aggregated link 3 ports | 3 | 6,666 | 16 |
| 1,000 Mbps | Aggregated link 4 ports | 3 | 5,000 | 14 |
| 10 Gbps | Full-duplex | 2 | 200,000 | 2 |
| 10 Gbps | Aggregated link 2 ports | 1 | 1,000 | 1 |
| 10 Gbps | Aggregated link 3 ports | 1 | 666 | 1 |
| 10 Gbps | Aggregated link 4 ports | 1 | 500 | 1 |

Normally, when a port operates in full-duplex mode, the corresponding path cost is slightly less than that when the port operates in half-duplex mode.

When the path cost of an aggregated link is calculated, the 802.1D-1998 standard does not take the number of the ports on the aggregated link into account, whereas the 802.1t standard does. The following formula is used to calculate the path cost of an aggregated link:

Path cost = 200,000 / link speed

In this formula, the link speed is the sum of the speeds of the unblocked ports on the aggregated link, which is measured in 100 Kbps.

Examples
# Configure to use the IEEE 802.1D-1998 standard to calculate the default path costs of ports.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp pathcost-standard dot1d-1998
# Configure to use the IEEE 802.1t standard to calculate the default path costs of ports.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp pathcost-standard dot1t

stp point-to-point

Syntax
stp point-to-point { force-true | force-false | auto }
undo stp point-to-point

View
Ethernet port view

Parameters
force-true: Specifies that the link connected to the current Ethernet port is a point-to-point link.
force-false: Specifies that the link connected to the current Ethernet port is not a point-to-point link.
auto: Specifies to automatically determine whether or not the link connected to the current Ethernet port is a point-to-point link.

Description
Use the stp point-to-point command to specify whether the link connected to the current Ethernet port is a point-to-point link.
Use the undo stp point-to-point command to restore the link connected to the current Ethernet port to its default link type, which is automatically determined by MSTP.
By default, whether the link type of a port is point-to-point is automatically determined by the switch.

If no keyword is specified in the stp point-to-point command, the auto keyword is used by default, and so MSTP automatically determines the type of the link connected to the current port.

The rapid transition feature is not applicable to ports on non-point-to-point links. If an Ethernet port is the master port of aggregation ports or operates in full-duplex mode, the link connected to the port is a point-to-point link. You are recommended to let MSTP automatically determine the link types of ports.

The two commands only apply to CISTs and MSTIs. If you configure the link to which a port is connected as a point-to-point link (or a non-point-to-point link), the configuration applies to all MSTIs (that is, the port is configured to connect to a point-to-point link (or a non-point-to-point link) in all MSTIs). If the actual physical link is not a point-to-point link and you configure the link to which the port is connected to be a point-to-point link, temporary loops may occur.

Related commands: stp interface point-to-point.
Examples
# Configure the link connected to Ethernet 1/0/3 as a point-to-point link.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/3
[Sysname-Ethernet1/0/3] stp point-to-point force-true

stp port priority

Syntax
stp [ instance instance-id ] port priority priority
undo stp [ instance instance-id ] port priority

View
Ethernet port view

Parameters
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
port priority priority: Sets the port priority. The priority argument ranges from 0 to 240 and must be a multiple of 16 (such as 0, 16, and 32).

Description
Use the stp port priority command to set the port priority of the current port in the specified MSTI.
Use the undo stp port priority command to restore the default port priority of the current port in the specified MSTI.
The default port priority of a port in any MSTI is 128.

If you set the instance-id argument to 0 or do not specify the argument, the two commands apply to the port priorities of ports on the CIST. The role a port plays in an MSTI is determined by the port priority in the instance. A port on an MSTP-enabled switch can have different port priorities and play different roles in different MSTIs. This enables packets of different VLANs to be forwarded along different physical links, so as to implement VLAN-based load balancing. Changing port priorities results in port role recalculation and state transition.

Related commands: stp interface port priority.

Examples
# Set the port priority of Ethernet 1/0/3 in MSTI 2 to 16.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/3
[Sysname-Ethernet1/0/3] stp instance 2 port priority 16

stp portlog

Syntax
stp [ instance instance-id ] portlog
undo stp [ instance instance-id ] portlog

View
System view

Parameters
instance instance-id: Specifies an MSTI ID, ranging from 0 to 16. The value of 0 indicates the CIST.
Description
Use the stp portlog command to enable log and trap message output for the ports of a specified instance.
Use the undo stp portlog command to disable this function.
By default, log and trap message output is disabled.

Executing the stp portlog command (without using the instance instance-id parameters) will enable log and trap message output for the ports of instance 0.

Examples
# Enable log and trap message output for the ports of instance 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp instance 1 portlog

stp portlog all

Syntax
stp portlog all
undo stp portlog all

View
System view

Parameters
None

Description
Use the stp portlog all command to enable log and trap message output for the ports of all instances.
Use the undo stp portlog all command to disable this function.
By default, log and trap message output is disabled on the ports of all instances.

Examples
# Enable log and trap message output for the ports of all instances.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp portlog all

stp priority

Syntax
stp [ instance instance-id ] priority priority
undo stp [ instance instance-id ] priority

View
System view

Parameters
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
priority: Switch priority to be set. This argument ranges from 0 to 61,440 and must be a multiple of 4,096 (such as 0, 4,096, and 8,192). There are 16 available switch priorities in total.

Description
Use the stp priority command to set the priority of the switch in the specified MSTI.
Use the undo stp priority command to restore the switch priority to the default priority in the specified MSTI.
The default priority of a switch is 32,768.

The priorities of switches are used for spanning tree calculation. Switch priorities are spanning tree-specific. That is, you can set different priorities for the same switch in different MSTIs.
If you do not specify the instance-id argument, the two commands apply to only the CIST.

Examples
# Set the bridge priority of the switch in MSTI 1 to 4,096.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp instance 1 priority 4096

stp region-configuration

Syntax
stp region-configuration
undo stp region-configuration

View
System view

Parameters
None

Description
Use the stp region-configuration command to enter MST region view.
Use the undo stp region-configuration command to restore the MST region-related settings to the default.

MST region-related parameters include: region name, revision level, and VLAN-to-MSTI mapping table. By default:
- MST region name is the first MAC address of the switch
- All VLANs are mapped to the CIST in the VLAN-to-MSTI mapping table
- The MSTP revision level is 0

You can modify the three parameters after entering MST region view by using the stp region-configuration command.

NTDP packets sent by devices in a cluster can be transmitted in only the instances where the management VLAN of the cluster resides.

Examples
# Enter MST region view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp region-configuration
[Sysname-mst-region]

stp root primary

Syntax
stp [ instance instance-id ] root primary [ bridge-diameter bridgenum [ hello-time centi-seconds ] ]
undo stp [ instance instance-id ] root

View
System view

Parameters
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
bridgenum: Network diameter of the specified spanning tree. This argument ranges from 2 to 7 and defaults to 7.
centi-seconds: Hello time in centiseconds of the specified spanning tree. This argument ranges from 100 to 1,000 and defaults to 200.

Description
Use the stp root primary command to configure the current switch as the root bridge of a specified MSTI.
Use the undo stp root command to cancel the current configuration.
By default, a switch is not configured as a root bridge.

If you do not specify the instance-id argument, these two commands apply to only the CIST.

You can specify the current switch as the root bridge of an MSTI regardless of the priority of the switch. You can also specify the network diameter of the switched network by using the stp root primary command. The switch will then figure out the following three time parameters: hello time, forward delay, and max age. As the hello time figured out by the network diameter is not always the optimal one, you can set it manually through the hello-time centi-seconds parameter. Generally, you are recommended to obtain the forward delay and max age parameters through setting the network diameter.

- You can configure only one root bridge for an MSTI and can configure one or more secondary root bridges for an MSTI. Specifying multiple root bridges for an MSTI causes unpredictable spanning tree calculation results.
- Once a switch is configured as the root bridge or a secondary root bridge, its priority cannot be modified.

Examples
# Configure the current switch as the root bridge of MSTI 1, set the network diameter of the switched network to 4, and set the hello time to 500 centiseconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp instance 1 root primary bridge-diameter 4 hello-time 500

stp root secondary

Syntax
stp [ instance instance-id ] root secondary [ bridge-diameter bridgenum [ hello-time centi-seconds ] ]
undo stp [ instance instance-id ] root

View
System view

Parameters
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
bridgenum: Network diameter of the specified spanning tree. This argument ranges from 2 to 7 and defaults to 7.
centi-seconds: Hello time in centiseconds of the specified spanning tree. This argument ranges from 100 to 1,000 and defaults to 200.
Description
Use the stp root secondary command to configure the current switch as a secondary root bridge of a specified MSTI.
Use the undo stp root command to cancel the current configuration.
By default, a switch does not operate as a secondary root bridge.

If you do not specify the instance-id argument, the two commands apply to only the CIST.

You can configure one or more secondary root bridges for an MSTI. If the switch operating as the root bridge fails or is turned off, the secondary root bridge with the least MAC address becomes the root bridge.

You can specify the network diameter and the hello time of the switch when you are configuring it as a secondary root bridge. The switch will then figure out the other two time parameters: forward delay and max age. If the instance-id argument is specified to 0 in this command, the current switch is configured as the secondary root bridge of the CIST. You can configure only one root bridge for an MSTI but you can configure one or more secondary root bridges for an MSTI.

Once a switch is configured as the root bridge or a secondary root bridge, its priority cannot be modified.

Examples
# Configure the current switch as a secondary root bridge of MSTI 4, setting the network diameter of the switched network to 5 and the hello time of the current switch to 300 centiseconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp instance 4 root secondary bridge-diameter 5 hello-time 300

stp root-protection

Syntax
stp root-protection
undo stp root-protection

View
Ethernet port view

Parameters
None

Description
Use the stp root-protection command to enable the root guard function on the current switch.
Use the undo stp root-protection command to restore the root guard function to the default state on the current switch.
By default, the root guard function is disabled.
Because of configuration errors or malicious attacks, the valid root bridge in the network may receive configuration BPDUs with their priorities higher than that of the root bridge, which causes a new root bridge to be elected and network topology jitter to occur. In this case, flows that should have traveled along high-speed links are led to low-speed links, causing network congestion. You can avoid this problem by utilizing the root guard function.

Root-guard-enabled ports can only be kept as designated ports in all MSTIs. When a port of this type receives configuration BPDUs with higher priorities, it turns to the discarding state before it is specified as a non-designated port and stops forwarding packets (as if it is disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period.

Related commands: stp interface root-protection.

Examples
# Enable the root guard function on Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp root-protection

stp tc-protection

Syntax
stp tc-protection enable
stp tc-protection disable

View
System view

Parameters
None

Description
Use the stp tc-protection enable command to enable the TC-BPDU attack guard function.
Use the stp tc-protection disable command to disable the TC-BPDU attack guard function.
By default, the TC-BPDU attack guard function is enabled, and the MAC address table and ARP entries can be removed for up to six times within 10 seconds.

Normally, a switch removes the MAC address table and ARP entries upon receiving TC-BPDUs. If a malicious user sends a large amount of TC-BPDUs to a switch in a short period, the switch may be busy in removing the MAC address table and ARP entries frequently, which may affect spanning tree calculation, occupy a large amount of bandwidth and increase switch CPU utilization.
With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time. Before the timer expires, the switch only performs the removing operation for limited times (up to six times by default) regardless of the number of the TC-BPDUs it receives. Such a mechanism prevents a switch from being busy in removing the MAC address table and ARP entries.

Examples
# Enable the TC-BPDU attack guard function on the switch.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp tc-protection enable

stp tc-protection threshold

Syntax
stp tc-protection threshold number
undo stp tc-protection threshold

View
System view

Parameters
number: Maximum number of times that a switch can remove the MAC address table and ARP entries within each 10 seconds, in the range of 1 to 255.

Description
Use the stp tc-protection threshold command to set the maximum number of times that a switch can remove the MAC address table and ARP entries within each 10 seconds.
Use the undo stp tc-protection threshold command to restore the default.

Normally, a switch removes the MAC address table and ARP entries upon receiving a TC-BPDU. If a malicious user sends a large amount of TC-BPDUs to a switch in a short period, the switch may be busy in removing the MAC address table and ARP entries, which may affect spanning tree calculation, occupy a large amount of bandwidth and increase switch CPU utilization.

With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time. Before the timer expires, the switch only performs the removing operation for limited times (up to six times by default) regardless of the number of the TC-BPDUs it receives. Such a mechanism prevents a switch from being busy in removing the MAC address table and ARP entries.
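The limiting behaviour described for stp tc-protection, modelled as an added example that is not part of the H3C manual. It assumes a fixed 10-second window that opens at the first TC-BPDU received after the previous window expired, with that first removal counted toward the limit; the function names and the arrival times are constructed for illustration.

```python
def simulate_tc_guard(arrivals_ms, threshold=6, window_ms=10_000):
    """Model the TC-BPDU attack guard over a list of receive times (ms).

    Returns one dict per timer window with the TC-BPDUs received, the
    MAC/ARP removals actually performed, and the TC-BPDUs that caused
    no removal because the limit was already reached.
    """
    if not 1 <= threshold <= 255:
        # Range stated for "stp tc-protection threshold number".
        raise ValueError("threshold must be in the range 1 to 255")
    windows = []
    current = None
    for t in sorted(arrivals_ms):
        # Assumption: the timer starts with the first TC-BPDU and is not
        # restarted by later ones; after expiry the next TC-BPDU opens a
        # new window.
        if current is None or t >= current["start_ms"] + window_ms:
            current = {"start_ms": t, "received": 0, "removals": 0}
            windows.append(current)
        current["received"] += 1
        if current["removals"] < threshold:
            current["removals"] += 1
    for window in windows:
        window["suppressed"] = window["received"] - window["removals"]
    return windows


def total_removals(arrivals_ms, threshold=None, window_ms=10_000):
    """Removals performed overall; threshold=None models the guard disabled."""
    if threshold is None:
        return len(arrivals_ms)  # one removal per TC-BPDU
    windows = simulate_tc_guard(arrivals_ms, threshold, window_ms)
    return sum(window["removals"] for window in windows)


def flood_windows(windows):
    """Windows in which the limit was hit, a useful signal for an operator."""
    return [window for window in windows if window["suppressed"] > 0]


# Constructed input: 200 TC-BPDUs 40 ms apart (a flood), then two TC-BPDUs
# one minute later (an ordinary topology change).
SAMPLE_ARRIVALS_MS = [i * 40 for i in range(200)] + [60_000, 60_500]

if __name__ == "__main__":
    for limit in (6, 100):
        print(f"threshold {limit}:")
        for window in simulate_tc_guard(SAMPLE_ARRIVALS_MS, threshold=limit):
            print("  ", window)
    print("guard disabled:", total_removals(SAMPLE_ARRIVALS_MS), "removals")
```

A window with a non-zero suppressed count is the condition worth alerting on, since ordinary topology changes rarely reach the limit.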
You can use the stp tc-protection threshold command to set the maximum times for a switch to remove the MAC address table and ARP entries in a specific period. When the number of the TC-BPDUs received within a period is less than the maximum times, the switch performs a removing operation upon receiving a TC-BPDU. After the number of the TC-BPDUs received reaches the maximum times, the switch stops performing the removing operation. For example, if you set the maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries for only 100 times within the period.

Examples
# Set the maximum times for a switch to remove the MAC address table and ARP entries within 10 seconds to 5.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp tc-protection threshold 5

stp timer forward-delay

Syntax
stp timer forward-delay centi-seconds
undo stp timer forward-delay

View
System view

Parameters
centi-seconds: Forward delay in centiseconds to be set. This argument ranges from 400 to 3,000.

Description
Use the stp timer forward-delay command to set the forward delay of the switch.
Use the undo stp timer forward-delay command to restore the forward delay to the default value.
By default, the forward delay of the switch is 1,500 centiseconds.

To prevent the occurrence of temporary loops, when a port changes its state from discarding to forwarding, it undergoes an intermediate state and waits for a specific period to synchronize with the state transition of the remote switches. This state transition period is determined by the forward delay configured on the root bridge.

The forward delay setting configured on a root bridge applies to all non-root bridges.
As for the configuration of the three time-related parameters (namely, the hello time, forward delay, and max age parameters), the following formulas must be met to prevent frequent network jitter.

2 × (forward delay – 1 second) >= max age
Max age >= 2 × (hello time + 1 second)

You are recommended to specify the network diameter of the switched network and the hello time by using the stp root primary or stp root secondary command. After that, the three proper time-related parameters are automatically calculated by MSTP.

Related commands: stp timer hello, stp timer max-age, stp bridge-diameter.

Examples
# Set the forward delay to 2,000 centiseconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp timer forward-delay 2000

stp timer hello

Syntax
stp timer hello centi-seconds
undo stp timer hello

View
System view

Parameters
centi-seconds: Hello time to be set, in the range of 100 to 1,000 (in centiseconds).

Description
Use the stp timer hello command to set the hello time of the switch.
Use the undo stp timer hello command to restore the hello time of the switch to the default value.
By default, the hello time of the switch is 200 centiseconds.

A root bridge regularly sends out configuration BPDUs to maintain the stability of existing spanning trees. If the switch does not receive BPDU packets in a specified period, spanning trees will be recalculated because BPDU packets time out. When a switch becomes a root bridge, it regularly sends BPDUs at the interval specified by the hello time you have configured on it. The other non-root-bridge switches adopt the interval specified by the hello time.

As for the configuration of the three time-related parameters (namely, the hello time, forward delay, and max age parameters), the following formulas must be met to prevent frequent network jitter.
2 × (forward delay – 1 second) >= max age
Max age >= 2 × (hello time + 1 second)

You are recommended to specify the network diameter of the switched network and the hello time by using the stp root primary or stp root secondary command. After that, the three proper time-related parameters are automatically calculated by MSTP.

Related commands: stp timer forward-delay, stp timer max-age, stp bridge-diameter.

Examples
# Set the hello time to 400 centiseconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp timer hello 400

stp timer max-age

Syntax
stp timer max-age centi-seconds
undo stp timer max-age

View
System view

Parameters
centi-seconds: Max age to be set, in the range of 600 to 4,000 (in centiseconds).

Description
Use the stp timer max-age command to set the max age of the switch.
Use the undo stp timer max-age command to restore the default max age.
By default, the max age of a switch is 2,000 centiseconds.

MSTP is capable of detecting link failures and automatically restoring redundant links to the forwarding state. In CIST, switches use the max age parameter to judge whether or not a received configuration BPDU times out. Spanning trees will be recalculated if a configuration BPDU received by a port times out.

The max age is meaningless to MSTIs. The max age configured for the root bridge of the CIST applies to all switches operating on the CIST, including the root bridge.

As for the configuration of the three time-related parameters (namely, the hello time, forward delay, and max age parameters), the following formulas must be met to prevent frequent network jitter:

2 × (forward delay – 1 second) >= max age
Max age >= 2 × (hello time + 1 second)

You are recommended to specify the network diameter of the switched network and the hello time parameter by using the stp root primary or stp root secondary command. After that, the three proper time-related parameters are automatically determined by MSTP.
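The two relations between the timers, checked together with the ranges and defaults given for the three stp timer commands. This is an added example, not part of the H3C manual; the function names and the sample configuration text are assumptions made for illustration.

```python
import re

# Allowed range and default for each timer, in centiseconds, as stated in
# the stp timer forward-delay / hello / max-age command descriptions.
LIMITS = {
    "forward-delay": (400, 3000, 1500),
    "hello": (100, 1000, 200),
    "max-age": (600, 4000, 2000),
}

# Strips a copied CLI prompt such as "[Sysname] " or "<Sysname> ".
PROMPT_RE = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")
TIMER_RE = re.compile(
    r"^(undo\s+)?stp\s+timer\s+(forward-delay|hello|max-age)(?:\s+(\d+))?$"
)

# Constructed sample: the three "Examples" commands of the timer sections,
# placed in one session.
PAGE_EXAMPLES = """\
<Sysname> system-view
[Sysname] stp timer forward-delay 2000
[Sysname] stp timer hello 400
[Sysname] stp timer max-age 1000
"""

# Constructed sample: each value is inside its own range, but both relations
# are broken because max age stays at its default of 2,000 centiseconds.
BROKEN_CONFIG = """\
stp timer forward-delay 400
stp timer hello 1000
"""


def parse_timers(config_text):
    """Return the effective timers in centiseconds, starting from defaults."""
    timers = {name: limits[2] for name, limits in LIMITS.items()}
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw).strip()
        match = TIMER_RE.match(line)
        if not match:
            continue
        undo, name, value = match.groups()
        if undo:
            timers[name] = LIMITS[name][2]  # undo restores the default
        elif value is not None:
            timers[name] = int(value)
    return timers


def check_timers(timers):
    """Return a list of findings; an empty list means the timers are consistent."""
    findings = []
    for name, (low, high, _default) in LIMITS.items():
        if not low <= timers[name] <= high:
            findings.append(f"{name} {timers[name]} is outside {low}-{high}")
    forward_delay = timers["forward-delay"]
    hello = timers["hello"]
    max_age = timers["max-age"]
    # 1 second is 100 centiseconds.
    if 2 * (forward_delay - 100) < max_age:
        findings.append(
            f"2 x (forward delay - 1 s) = {2 * (forward_delay - 100)} "
            f"is less than max age {max_age}"
        )
    if max_age < 2 * (hello + 100):
        findings.append(
            f"max age {max_age} is less than "
            f"2 x (hello time + 1 s) = {2 * (hello + 100)}"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("page examples", PAGE_EXAMPLES), ("broken", BROKEN_CONFIG)):
        timers = parse_timers(text)
        print(label, timers, check_timers(timers) or "OK")
```

Taken together, the three example values from the timer sections sit exactly on the boundary of the second relation (max age 1,000 = 2 × (400 + 100)), so raising the hello time alone would break it.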
Related commands: stp timer forward-delay, stp timer hello, stp bridge-diameter.

Examples
# Set the max age to 1,000 centiseconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp timer max-age 1000

stp timer-factor

Syntax
stp timer-factor number
undo stp timer-factor

View
System view

Parameters
number: Hello time factor to be set, in the range of 1 to 10.

Description
Use the stp timer-factor command to set the timeout time of a switch in the form of a multiple of the hello time.
Use the undo stp timer-factor command to restore the hello time factor to the default value.
By default, the hello time factor of the switch is 3.

A switch regularly sends protocol packets to its neighboring devices at the interval specified by the hello time parameter to test the links. Generally, a switch regards its upstream switch as faulty if the former does not receive any protocol packets from the latter in a period three times the hello time, and then initiates the spanning tree recalculation process.

Spanning trees may be recalculated even in a steady network if an upstream switch is always busy. You can configure the hello time factor to a larger number to avoid this problem. Normally, the timeout time can be four (or more) times the hello time. For a steady network, the timeout time can be five to seven times the hello time.

Examples
# Set the hello time factor to 7.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp timer-factor 7

stp transmit-limit

Syntax
stp transmit-limit packetnum
undo stp transmit-limit

View
Ethernet port view

Parameters
packetnum: Maximum number of configuration BPDUs a port can transmit in each hello time. This argument ranges from 1 to 255.

Description
Use the stp transmit-limit command to set the maximum number of configuration BPDUs the current port can transmit in each hello time.
Use the undo stp transmit-limit command to restore the maximum number to the default value.
By default, the maximum number of configuration BPDUs a port can transmit in each hello time is 10.

A larger number configured by the stp transmit-limit command allows more configuration BPDUs to be transmitted in each hello time, which may occupy more switch resources. You are therefore recommended to configure it to a proper value to avoid network topology jitter and prevent MSTP from occupying too many bandwidth resources.

Related commands: stp interface transmit-limit.

Examples
# Set the maximum number of configuration BPDUs that can be transmitted through Ethernet 1/0/1 in each hello time to 15.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp transmit-limit 15

vlan-mapping modulo

Syntax
vlan-mapping modulo modulo

View
MST region view

Parameters
modulo: Modulo by which VLANs are mapped to MSTIs, in the range of 1 to 16.

Description
Use the vlan-mapping modulo command to set the modulo by which VLANs are mapped to MSTIs.
By default, all VLANs in a network are mapped to the CIST (MSTI 0).

MSTP uses a VLAN-to-MSTI mapping table to describe VLAN-to-MSTI mappings. You can use this command to establish the VLAN-to-MSTI mapping table and map VLANs to MSTIs in a specific way. Note that a VLAN cannot be mapped to multiple different MSTIs at the same time. A VLAN-to-MSTI mapping becomes invalid when you map the VLAN to another MSTI.

You can map VLANs to the specific MSTIs rapidly by using the vlan-mapping modulo modulo command. The ID of the MSTI to which a VLAN is mapped can be figured out by using the following formula:

(VLAN ID-1) % modulo + 1

In this formula, (VLAN ID-1) % modulo yields the remainder of (VLAN ID-1) with regard to the modulo argument. For example, if you set the modulo argument to 16, then VLAN 1 is mapped to MSTI 1, VLAN 2 is mapped to MSTI 2, …, VLAN 16 is mapped to MSTI 16, VLAN 17 is mapped to MSTI 1, and so on.
Related commands: check region-configuration, revision-level, region-name, active region-configuration.

Examples
# Map VLANs to MSTIs, with the modulo being 16.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] stp region-configuration
[Sysname-mst-region] vlan-mapping modulo 16

vlan-vpn tunnel

Syntax
vlan-vpn tunnel
undo vlan-vpn tunnel

View
System view

Parameters
None

Description
Use the vlan-vpn tunnel command to enable the VLAN-VPN tunnel function for a switch.
Use the undo vlan-vpn tunnel command to disable the VLAN-VPN tunnel function.

The VLAN-VPN tunnel function enables BPDUs to be transparently transmitted between geographically dispersed user networks through specified VLAN VPNs in operator’s networks, through which spanning trees can be calculated across these user networks and are independent of those of the operator’s network.

By default, the VLAN-VPN tunnel function is disabled.

- The VLAN-VPN tunnel function can only be enabled on STP-enabled devices.
- To enable the VLAN-VPN tunnel function, make sure the links between operator’s networks are trunk links.
- If a fabric port exists on a switch, you cannot enable the VLAN-VPN function for any port of the switch.

Examples
# Enable the VLAN-VPN tunnel function for the switch.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan-vpn tunnel

Table of Contents

1 IP Routing Table Commands
  IP Routing Table Commands
    display ip routing-table
    display ip routing-table acl
    display ip routing-table ip-address
    display ip routing-table ip-address1 ip-address2
    display ip routing-table ip-prefix
    display ip routing-table protocol
    display ip routing-table radix
    display ip routing-table statistics
    display ip routing-table verbose
    reset ip routing-table statistics protocol
2 Static Route Configuration Commands
  Static Route Configuration Commands
    delete static-routes all
    ip route-static
3 RIP Configuration Commands
  RIP Configuration Commands
    checkzero
    default cost
    display rip
    display rip interface
    display rip routing
    filter-policy export
    filter-policy import
    host-route
    import-route
    network
    peer
    preference
    reset
    rip
    rip authentication-mode
    rip input
    rip metricin
    rip metricout
    rip output
    rip split-horizon
    rip version
    rip work
    summary
    timers
    traffic-share-across-interface
4 OSPF Configuration Commands
  OSPF Configuration Commands
    abr-summary
    area
    asbr-summary
    authentication-mode
    default
    default-cost
    default-route-advertise
    display router id
    display ospf abr-asbr
    display ospf asbr-summary
    display ospf brief
    display ospf cumulative
    display ospf error
    display ospf interface
    display ospf lsdb
    display ospf nexthop
    display ospf peer
    display ospf request-queue
    display ospf retrans-queue
    display ospf routing
    display ospf vlink
    filter-policy export
    filter-policy import
    import-route
    log-peer-change
    multi-path-number
    network
    nssa
    ospf
    ospf authentication-mode
    ospf cost
    ospf dr-priority
    ospf mib-binding
    ospf mtu-enable
    ospf network-type
    ospf timer dead
    ospf timer hello
    ospf timer poll
    ospf timer retransmit
    ospf trans-delay
    peer
    preference
    reset ospf
    reset ospf statistics
    router id
    silent-interface
    snmp-agent trap enable ospf
    spf-schedule-interval
    stub
    vlink-peer
5 IP Routing Policy Configuration Commands
  IP Routing Policy Configuration Commands
    apply cost
    apply tag
    display ip ip-prefix
    display route-policy
    if-match { acl | ip-prefix }
    if-match cost
    if-match interface
    if-match ip next-hop
    if-match tag
    ip ip-prefix
    route-policy
6 Route Capacity Configuration Commands
  Route Capacity Configuration Commands
    display memory
    display memory limit
    memory
    memory auto-establish disable
    memory auto-establish enable

1 IP Routing Table Commands

- The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
- The S3600-SI series do not support OSPF.
- The feature of specifying the ABR of an NSSA area as the Type-7 LSAs translator is added. For the command used, refer to nssa.
- The feature of configuring an OSPF interface to unicast packets on a P2MP network is added.
For the command used, refer to ospf network-type.

IP Routing Table Commands

display ip routing-table

Syntax
display ip routing-table [ | { begin | exclude | include } regular-expression ]

View
Any view

Parameters
regular-expression: Regular expression, a string of 1 to 256 case-sensitive characters used for specifying routing entries.
|: Uses the regular expression to match the output routing information.
begin: Displays the routing information from the route entry containing the specified character string.
include: Displays all routing information containing the specified character string.
exclude: Displays all routing information without the specified character string.
For details about regular expressions, refer to Configuration File Management Operation of this manual.

Description
Use the display ip routing-table command to display the routing table summary.
This command displays the summary of the routing table. Each line represents one route, containing destination address/mask length, protocol, preference, cost, next hop, and output interface.
This command displays only the currently used routes, that is, the optimal routes.

Examples
# Display the summary of the current routing table.
<Sysname> display ip routing-table
Routing Table: public net
Destination/Mask   Protocol Pre  Cost   Nexthop         Interface
1.1.1.0/24         DIRECT   0    0      1.1.1.1         Vlan-interface1
1.1.1.1/32         DIRECT   0    0      127.0.0.1       InLoopBack0
2.2.2.0/24         DIRECT   0    0      2.2.2.1         Vlan-interface2
2.2.2.1/32         DIRECT   0    0      127.0.0.1       InLoopBack0
3.3.3.0/24         DIRECT   0    0      3.3.3.1         Vlan-interface3
3.3.3.1/32         DIRECT   0    0      127.0.0.1       InLoopBack0
4.4.4.0/24         DIRECT   0    0      4.4.4.1         Vlan-interface4
4.4.4.1/32         DIRECT   0    0      127.0.0.1       InLoopBack0
127.0.0.0/8        DIRECT   0    0      127.0.0.1       InLoopBack0
127.0.0.1/32       DIRECT   0    0      127.0.0.1       InLoopBack0

# Display the routing information from the entry containing the character string interface4 in the current routing table.
<Sysname> display ip routing-table | begin interface4
Routing Table: public net
4.4.4.0/24         DIRECT   0    0      4.4.4.1         Vlan-interface4
4.4.4.1/32         DIRECT   0    0      127.0.0.1       InLoopBack0
127.0.0.0/8        DIRECT   0    0      127.0.0.1       InLoopBack0
127.0.0.1/32       DIRECT   0    0      127.0.0.1       InLoopBack0

# Display the routing information containing the character string interface4 in the current routing table.
<Sysname> display ip routing-table | include interface4
Routing Table: public net
Destination/Mask   Protocol Pre  Cost   Nexthop         Interface
4.4.4.0/24         DIRECT   0    0      4.4.4.1         Vlan-interface4

# Display the routing information without the character string interface4 in the current routing table.
<Sysname> display ip routing-table | exclude interface4
Routing Table: public net
Destination/Mask   Protocol Pre  Cost   Nexthop         Interface
1.1.1.0/24         DIRECT   0    0      1.1.1.1         Vlan-interface1
1.1.1.1/32         DIRECT   0    0      127.0.0.1       InLoopBack0
2.2.2.0/24         DIRECT   0    0      2.2.2.1         Vlan-interface2
2.2.2.1/32         DIRECT   0    0      127.0.0.1       InLoopBack0
3.3.3.0/24         DIRECT   0    0      3.3.3.1         Vlan-interface3
3.3.3.1/32         DIRECT   0    0      127.0.0.1       InLoopBack0
4.4.4.1/32         DIRECT   0    0      127.0.0.1       InLoopBack0
127.0.0.0/8        DIRECT   0    0      127.0.0.1       InLoopBack0
127.0.0.1/32       DIRECT   0    0      127.0.0.1       InLoopBack0

Table 1-1 Description on the fields of the display ip routing-table command
Field              Description
Destination/Mask   Destination address/mask length
Protocol           Routing protocol
Pre                Route preference
Cost               Route cost
Nexthop            Next hop address
Interface          Output interface, through which the data packets destined for the destination network segment are sent

display ip routing-table acl

Syntax
display ip routing-table acl acl-number [ verbose ]

View
Any view

Parameters
acl-number: Basic access control list number, in the range of 2000 to 2999.
verbose: With this keyword specified, detailed information of routes in the active or inactive state that match the ACL is displayed. With this keyword not specified, brief information of only the routes in the active state that match the ACL is displayed.

Description
Use the display ip routing-table acl command to display the information of routes that match the specified ACL.

Examples
# Display the information of ACL 2100.
<Sysname> display acl 2100
Basic ACL 2100, 1 rule
Acl's step is 1
 rule 0 permit source 192.168.1.0 0.0.0.255
For details about the display acl command, refer to ACL Command.

# Display the information of routes that match ACL 2100.
<Sysname> display ip routing-table acl 2100
Routes matched by access-list 2100:
Summary count: 2
Destination/Mask   Protocol Pre  Cost   Nexthop         Interface
192.168.1.0/24     DIRECT   0    0      192.168.1.2     Vlan-interface2
192.168.1.2/32     DIRECT   0    0      127.0.0.1       InLoopBack0
For descriptions of the above fields, refer to Table 1-1.

# Display the detailed information of routes that match ACL 2100.
<Sysname> display ip routing-table acl 2100 verbose
Routes matched by access-list 2100:
 + = Active Route, - = Last Active, # = Both   * = Next hop in use
Summary count: 3
**Destination: 192.168.1.0      Mask: 255.255.255.0
        Protocol: #DIRECT       Preference: 0
        *NextHop: 192.168.1.2   Interface: 192.168.1.2(Vlan-interface2)
        State: <Int ActiveU Retain Unicast>
        Age: 21:34:13           Cost: 0/0
**Destination: 192.168.1.2      Mask: 255.255.255.255
        Protocol: #DIRECT       Preference: 0
        *NextHop: 127.0.0.1     Interface: 127.0.0.1(InLoopBack0)
        State: <NoAdvise Int ActiveU Retain Gateway Unicast>
        Age: 21:34:13           Cost: 0/0

Table 1-2 Description on the fields of the display ip routing-table command
Field         Description
Destination   Destination address
Mask          Subnet mask
Protocol      Protocol that discovers the route
Preference    Route preference
Nexthop       Next hop to the destination
Interface     Outbound interface through which data packets are forwarded to the destination network segment.
State         Description of route state:
              ActiveU: An active unicast route, where “U” represents unicast.
              Blackhole: A blackhole route is similar to a reject route, but no ICMP unreachable message is sent to the source.
              Delete: A route is to be deleted.
              Gateway: An indirect route.
              Hidden: An existing route that is temporarily unavailable for some reason (for example, suppressed by a routing policy or down interface). However, deletion is not expected. It is therefore hidden so that it can recover later.
              Holddown: Number of routes that are held down. Holddown is a route advertisement policy that some D-V based routing protocols (for example, RIP) use to avoid the spread of wrong routes but speed up the correct spread of ICMP unreachable messages. A certain route is advertised at intervals, no matter whether the currently discovered route to the same destination changes. For details, refer to the specific routing protocols.
              Int: A route discovered by IGP.
              NoAdvise: A routing protocol does not advertise any NoAdvise route when advertising routes in accordance with a routing policy.
              NotInstall: A NotInstall route cannot be added to the core routing table, but may be advertised. A route with the highest priority is generally selected from the routing table, added to the core routing table, and then advertised.
              Reject: The routes marked with reject do not guide the router to forward packets as a normal route does. The router discards the packets matching reject routes and sends an ICMP unreachable message to the source. Reject routes are usually used for network tests.
              Retain: The routes marked with retain will not be deleted when you delete routes in the core routing table. You can mark static routes with retain to make them stay in the core routing table.
              Static: The routes marked with static will not be deleted from the routing table after you perform a save operation and restart the router. The routes manually configured on a router are marked with static.
              Unicast: A unicast route.
Age           Lifetime of a route in the routing table, in the format of HH:MM:SS.
Cost          Cost of a route.
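The state keywords in Table 1-2 can be checked mechanically when reviewing a switch's routing table. The Python script below is an added example, not part of the H3C manual: it parses verbose-style output and reports routes whose state discards traffic (Blackhole, Reject), routes that are present but not forwarding (Hidden, NotInstall, Delete), and static routes missing from an approved list. The sample text is constructed (only its first record comes from the output above), and the function names, finding labels and approved list are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample in the verbose layout; only the first record is taken
# from the manual's example, the other three are invented for illustration.
SAMPLE_VERBOSE = """\
Routes matched by access-list 2100:
 + = Active Route, - = Last Active, # = Both   * = Next hop in use
Summary count: 4
**Destination: 192.168.1.0      Mask: 255.255.255.0
        Protocol: #DIRECT       Preference: 0
        *NextHop: 192.168.1.2   Interface: 192.168.1.2(Vlan-interface2)
        State: <Int ActiveU Retain Unicast>
        Age: 21:34:13           Cost: 0/0
**Destination: 10.20.0.0        Mask: 255.255.0.0
        Protocol: #Static       Preference: 60
        *NextHop: 192.168.1.254 Interface: 192.168.1.2(Vlan-interface2)
        State: <Int ActiveU Static Unicast>
        Age: 3:47               Cost: 0/0
**Destination: 10.30.0.0        Mask: 255.255.0.0
        Protocol: #Static       Preference: 60
        *NextHop: 192.168.1.254 Interface: 192.168.1.2(Vlan-interface2)
        State: <Int ActiveU Static Blackhole Unicast>
        Age: 3:47               Cost: 0/0
**Destination: 10.40.0.0        Mask: 255.255.0.0
        Protocol: Static        Preference: 60
        NextHop: 192.168.1.254  Interface: 192.168.1.2(Vlan-interface2)
        State: <Int Hidden Static Unicast>
        Age: 3:47               Cost: 0/0
"""

# "Key: value" pairs; the State value is the whole <...> group.
FIELD_RE = re.compile(
    r"\b(Destination|Mask|Protocol|Preference|NextHop|Interface|State|Age|Cost):"
    r"\s*(<[^>]*>|\S+)"
)

# State keywords grouped by the meaning Table 1-2 gives them.
DROPS_TRAFFIC = {"Blackhole", "Reject"}
NOT_FORWARDING = {"Hidden", "NotInstall", "Delete"}


def parse_verbose(text):
    """Return one dict per '**Destination:' record in verbose output."""
    routes = []
    for chunk in text.split("**Destination:")[1:]:
        f = dict(FIELD_RE.findall("Destination:" + chunk))
        proto = f["Protocol"]
        routes.append({
            "prefix": ipaddress.ip_network(
                f"{f['Destination']}/{f['Mask']}", strict=False),
            "protocol": proto.lstrip("+-#").upper(),
            "active": proto[0] in "+#",   # '+' active, '#' active and last active
            "nexthop": f["NextHop"],
            "interface": f["Interface"],
            "states": set(f["State"].strip("<>").split()),
        })
    return routes


def audit(routes, approved_static=()):
    """Return (prefix, finding) tuples for routes that deserve a second look."""
    approved = {ipaddress.ip_network(p) for p in approved_static}
    findings = []
    for r in routes:
        prefix = str(r["prefix"])
        if r["states"] & DROPS_TRAFFIC:
            findings.append((prefix, "drops-traffic"))
        if r["states"] & NOT_FORWARDING:
            findings.append((prefix, "not-forwarding"))
        if "Static" in r["states"] and r["prefix"] not in approved:
            findings.append((prefix, "unapproved-static"))
    return findings


if __name__ == "__main__":
    for prefix, finding in audit(parse_verbose(SAMPLE_VERBOSE), ["10.30.0.0/16"]):
        print(f"{prefix:18} {finding}")
```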

display ip routing-table ip-address

Syntax
display ip routing-table ip-address [ mask | mask-length ] [ longer-match ] [ verbose ]

View
Any view

Parameters
ip-address: Destination IP address, in dotted decimal notation.
mask: Subnet mask, in dotted decimal notation.
mask-length: Length of a subnet mask, in the range of 0 to 32.
longer-match: Specifies all the routes that lead to the destination address and match the specified mask. If you do not specify the mask argument, those that match the natural mask are specified.
verbose: Displays the detailed information of routes.

Description
Use the display ip routing-table ip-address command to display the routing information of the specified destination address.
With different arguments provided, the command output is different. The following is the command output with different arguments provided:
display ip routing-table ip-address
- If the destination address ip-address corresponds to a route in the natural mask range, this command displays the route that is the longest match of the destination address ip-address and is active.
display ip routing-table ip-address mask
- This command only displays the routes exactly matching the specified destination address and mask.
display ip routing-table ip-address longer-match
- This command displays all destination address routes matching the specified destination address in the natural mask range.
display ip routing-table ip-address mask longer-match
- This command displays all destination address routes matching the specified destination address in the specified mask range.

Examples
# Display the brief information of routes with a natural mask.
<Sysname> display ip routing-table 169.0.0.0
Destination/Mask   Protocol Pre  Cost   Nexthop         Interface
169.0.0.0/16       Static   60   0      2.1.1.1         LoopBack1
For descriptions of the above fields, see Table 1-1.

# Display the detailed information of routes with a natural mask.
<Sysname> display ip routing-table 169.253.0.0 verbose
Routing Tables:
 + = Active Route, - = Last Active, # = Both   * = Next hop in use
Summary count:1
**Destination: 169.0.0.0        Mask: 255.0.0.0
        Protocol: #Static       Preference: -60
        *NextHop: 2.1.1.1       Interface: 2.1.1.1(LoopBack1)
        State: <Int ActiveU Static Unicast>
        Age: 3:47               Cost: 0/0
For descriptions of the above fields, see Table 1-2.

display ip routing-table ip-address1 ip-address2

Syntax
display ip routing-table ip-address1 { mask1 | mask-length1 } ip-address2 { mask2 | mask-length2 } [ verbose ]

View
Any view

Parameters
ip-address1, ip-address2: Destination IP address in dotted decimal notation. ip-address1 {mask1 | mask-length1} and ip-address2 {mask2 | mask-length2} determine one address range together. ip-address1 ANDed with {mask1 | mask-length1} specifies the start of the range, while ip-address2 ANDed with {mask2 | mask-length2} specifies the end. This command displays the route in this address range.
mask1, mask2: Subnet mask, in dotted decimal notation.
mask-length1, mask-length2: Mask length, in the ranges of 0 to 32.
verbose: With the verbose argument provided, this command displays the verbose information of both active and inactive routes. Without this argument provided, this command displays the summary of active routes only.

Description
Use the display ip routing-table ip-address1 ip-address2 command to display the route information in the specified destination address range.

Examples
# Display the routing information of destination addresses ranging from 1.1.1.0 to 2.2.2.0.
<Sysname> display ip routing-table 1.1.1.0 24 2.2.2.0 24
Routing tables:
Summary count: 3
Destination/Mask   Protocol Pre  Cost   Nexthop         Interface
1.1.1.0/24         DIRECT   0    0      1.1.1.1         Vlan-interface1
1.1.1.1/32         DIRECT   0    0      127.0.0.1       InLoopBack0
2.2.2.0/24         DIRECT   0    0      2.2.2.1         Vlan-interface2
For descriptions of the above fields, see Table 1-1.

display ip routing-table ip-prefix

Syntax
display ip routing-table ip-prefix ip-prefix-name [ verbose ]

View
Any view

Parameters
ip-prefix-name: IP prefix list name, a string of 1 to 19 characters.
verbose: With this keyword specified, detailed information of routes in the active or inactive state that match the IP prefix list is displayed. With this keyword not specified, brief information of only the routes in the active state that match the prefix list is displayed.

Description
Use the display ip routing-table ip-prefix command to display the information of routes matching the specified IP prefix list.

Examples
# Display the brief information of routes in the active state that match the prefix list abc2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip ip-prefix abc2 permit 10.1.1.0 24 less-equal 32
[Sysname] display ip routing-table ip-prefix abc2
Routes matched by ip-prefix abc2:
Summary count: 2
Destination/Mask   Protocol Pre  Cost   Nexthop         Interface
10.1.1.0/24        DIRECT   0    0      10.1.1.2        Vlan-interface1
10.1.1.2/32        DIRECT   0    0      127.0.0.1       InLoopBack0
For descriptions of the above fields, see Table 1-1.

# Display the detailed information of routes in the active or inactive state that match the prefix list abc2.
[Sysname] display ip routing-table ip-prefix abc2 verbose
Routes matched by ip-prefix abc2:
 + = Active Route, - = Last Active, # = Both   * = Next hop in use
Summary count: 2
**Destination: 10.1.1.0         Mask: 255.255.255.0
        Protocol: #DIRECT       Preference: 0
        *NextHop: 10.1.1.2      Interface: 10.1.1.2(Vlan-interface1)
        State: <Int ActiveU Retain Unicast>
        Age: 3:23:44            Cost: 0/0
**Destination: 10.1.1.2         Mask: 255.255.255.255
        Protocol: #DIRECT       Preference: 0
        *NextHop: 127.0.0.1     Interface: 127.0.0.1(InLoopBack0)
        State: <NoAdvise Int ActiveU Retain Gateway Unicast>
        Age: 3:23:44            Cost: 0/0
For descriptions of the above fields, see Table 1-2.
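The range computation of display ip routing-table ip-address1 ip-address2 and the prefix-list match behind display ip routing-table ip-prefix, reproduced offline as an added Python example (not code from the H3C manual). It assumes that the range bounds are inclusive and compared against each route's destination address, and that less-equal admits routes inside the prefix whose mask length lies between the prefix length and the given value. The function names are this example's own, and the sample table merges rows from the manual's separate examples with one constructed row (10.1.0.0/16).

```python
import ipaddress
import re

# Summary-layout rows. The 1.x, 2.x, 10.1.1.x and 127.x rows are merged from
# the manual's separate examples; the 10.1.0.0/16 row is constructed.
SAMPLE_TABLE = """\
Routing Table: public net
Destination/Mask   Protocol Pre  Cost   Nexthop         Interface
1.1.1.0/24         DIRECT   0    0      1.1.1.1         Vlan-interface1
1.1.1.1/32         DIRECT   0    0      127.0.0.1       InLoopBack0
2.2.2.0/24         DIRECT   0    0      2.2.2.1         Vlan-interface2
2.2.2.1/32         DIRECT   0    0      127.0.0.1       InLoopBack0
10.1.0.0/16        STATIC   60   0      2.2.2.2         Vlan-interface2
10.1.1.0/24        DIRECT   0    0      10.1.1.2        Vlan-interface1
10.1.1.2/32        DIRECT   0    0      127.0.0.1       InLoopBack0
127.0.0.0/8        DIRECT   0    0      127.0.0.1       InLoopBack0
"""

ROW_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$"
)


def parse_summary(text):
    """Parse Destination/Mask, Protocol, Pre, Cost, Nexthop, Interface rows."""
    routes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # title line, column header or blank line
        dest, proto, pre, cost, nexthop, iface = m.groups()
        routes.append({
            "dest": ipaddress.ip_network(dest, strict=False),
            "protocol": proto, "pre": int(pre), "cost": int(cost),
            "nexthop": nexthop, "interface": iface,
        })
    return routes


def range_bound(ip, mask):
    """ip ANDed with mask; mask may be a length (24) or dotted (255.255.255.0)."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False).network_address


def select_range(routes, ip1, mask1, ip2, mask2):
    """Routes whose destination lies in [ip1 & mask1, ip2 & mask2] (assumed inclusive)."""
    start, end = range_bound(ip1, mask1), range_bound(ip2, mask2)
    if start > end:
        raise ValueError("range start is above range end")
    return [r for r in routes if start <= r["dest"].network_address <= end]


def select_ip_prefix(routes, network, length, less_equal=None):
    """Routes permitted by one item 'permit network length [less-equal n]'."""
    base = ipaddress.ip_network(f"{network}/{length}", strict=False)
    low = base.prefixlen
    high = low if less_equal is None else less_equal
    if not low <= high <= 32:
        raise ValueError("less-equal must be between the prefix length and 32")
    return [r for r in routes
            if r["dest"].subnet_of(base) and low <= r["dest"].prefixlen <= high]


if __name__ == "__main__":
    table = parse_summary(SAMPLE_TABLE)
    print("range 1.1.1.0/24 .. 2.2.2.0/24:")
    for r in select_range(table, "1.1.1.0", 24, "2.2.2.0", 24):
        print("  ", r["dest"], r["interface"])
    print("ip-prefix 10.1.1.0 24 less-equal 32:")
    for r in select_ip_prefix(table, "10.1.1.0", 24, less_equal=32):
        print("  ", r["dest"], r["interface"])
```

On this table both selections return the route counts shown in the manual's examples, 3 for the address range and 2 for prefix list abc2.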

display ip routing-table protocol

Syntax
display ip routing-table protocol protocol [ inactive | verbose ]

View
Any view

Parameters
protocol: You can provide one of the following values for this argument.
- direct: Displays direct-connect route information.
- ospf: Displays OSPF route information.
- ospf-ase: Displays OSPF ASE route information.
- ospf-nssa: Displays OSPF not-so-stubby area (NSSA) route information.
- rip: Displays RIP route information.
- static: Displays static route information.
inactive: With this argument provided, this command displays the inactive route information. Without this argument provided, this command displays both active and inactive route information.
verbose: With this keyword specified, detailed information of routes in the active or inactive state is displayed. With this keyword not specified, brief information of only the routes in the active state is displayed.

Description
Use the display ip routing-table protocol command to display the route information of a specific protocol.

Examples
# Display the summary of all direct-connect routes.
<Sysname> display ip routing-table protocol direct
DIRECT Routing tables:
Summary count: 4
DIRECT Routing tables status:<active>:
Summary count: 3
Destination/Mask   Protocol Pre  Cost   Nexthop         Interface
20.1.1.1/32        DIRECT   0    0      127.0.0.1       InLoopBack0
127.0.0.0/8        DIRECT   0    0      127.0.0.1       InLoopBack0
127.0.0.1/32       DIRECT   0    0      127.0.0.1       InLoopBack0
DIRECT Routing tables status:<inactive>:
Summary count: 1
Destination/Mask   Protocol Pre  Cost   Nexthop         Interface
210.0.0.1/32       DIRECT   0    0      127.0.0.1       InLoopBack0
For detailed description of the output information, see Table 1-1.

display ip routing-table radix

Syntax
display ip routing-table radix

View
Any view

Parameters
None

Description
Use the display ip routing-table radix command to display the route information in a tree structure.

Examples
<Sysname> display ip routing-table radix
Radix tree for INET (2) inodes 7 routes 5:
    +-32+--{210.0.0.1
+--0+
|   |   +--8+--{127.0.0.0
|   |   |   +-32+--{127.0.0.1
|   +--1+
|       +--8+--{20.0.0.0
|           +-32+--{20.1.1.1

Table 1-3 Description on the fields of the display ip routing-table radix command
Field    Description
INET     Address suite
Inodes   Number of nodes
Routes   Number of routes

display ip routing-table statistics

Syntax
display ip routing-table statistics

View
Any view

Parameters
None

Description
Use the display ip routing-table statistics command to display the integrated routing information. The integrated routing information includes the total number of routes, the number of active routes, the number of routes added by protocols, and the number of routes deleted.

Examples
# Display the integrated route information.
<Sysname> display ip routing-table statistics
Routing tables:
Proto      route   active  added   deleted
DIRECT     24      4       25      1
STATIC     4       1       4       0
RIP        0       0       0       0
OSPF       0       0       0       0
O_ASE      0       0       0       0
O_NSSA     0       0       0       0
Total      28      5       29      1

Table 1-4 Description on the fields of the display ip routing-table statistics command
Field     Description
Proto     Routing protocol type
          O_ASE: OSPF_ASE
          O_NSSA: OSPF NSSA
          AGGRE: Aggregation protocol
Route     Total number of routes
Active    Number of active routes
Added     Number of routes added after the router is rebooted or the routing table is cleared last time.
Deleted   Number of routes deleted (Such routes will be freed in a period of time)
Total     Total number of the different kinds of routes

display ip routing-table verbose

Syntax
display ip routing-table verbose

View
Any view

Parameters
None

Description
Use the display ip routing-table verbose command to display the detailed information of a routing table, including inactive routes and null routes. The information displayed includes route state descriptor, statistics of the routing table, and detailed information of each route.

Examples
# Display the verbose routing table information.
<Sysname> display ip routing-table verbose
Routing Tables:
    + = Active Route, - = Last Active, # = Both    * = Next hop in use
Destinations: 3    Routes: 3
Holddown: 0    Delete: 62    Hidden: 0
**Destination: 1.1.1.0    Mask: 255.255.255.0
    Protocol: #DIRECT    Preference: 0
    *NextHop: 1.1.1.1    Interface: 1.1.1.1(Vlan-interface1)
    State: <Int ActiveU Retain Unicast>
    Age: 20:17:41    Cost: 0/0
**Destination: 1.1.1.1    Mask: 255.255.255.255
    Protocol: #DIRECT    Preference: 0
    *NextHop: 127.0.0.1    Interface: 127.0.0.1(InLoopBack0)
    State: <NoAdvise Int ActiveU Retain Gateway Unicast>
    Age: 20:17:42    Cost: 0/0
**Destination: 2.2.2.0    Mask: 255.255.255.0
    Protocol: #DIRECT    Preference: 0
    *NextHop: 2.2.2.1    Interface: 2.2.2.1(Vlan-interface2)
    State: <Int ActiveU Retain Unicast>
    Age: 20:08:05    Cost: 0/0

For descriptions of route states, see Table 1-2. Table 1-5 lists the statistics of the routing table.

Table 1-5 Description on the fields of the display ip routing-table verbose command
Field      Description
Holddown   Number of suppressed routes
Delete     Number of deleted routes
Hidden     Number of hidden routes

reset ip routing-table statistics protocol

Syntax
reset ip routing-table statistics protocol { all | protocol }

View
User view

Parameters
all: Specifies all protocols.
protocol: Specifies a protocol, which can be direct, ospf, ospf_ase, ospf_nssa, rip, or static.

Description
Use the reset ip routing-table statistics protocol command to clear the statistics of routes in a routing table.

Examples
# Before executing the reset ip routing-table statistics protocol command, use the display ip routing-table statistics command to display the routing statistics:
<Sysname> display ip routing-table statistics
Routing tables:
Proto    route  active  added  deleted
DIRECT   4      4       12     8
STATIC   0      0       0      0
RIP      0      0       0      0
OSPF     0      0       0      0
O_ASE    0      0       0      0
O_NSSA   0      0       0      0
Total    4      4       12     8
# Clear the routing statistics of all protocols from the IP routing table.
<Sysname> reset ip routing-table statistics protocol all
# Display the routing statistics in the IP routing table.
<Sysname> display ip routing-table statistics
Routing tables:
Proto    route  active  added  deleted
DIRECT   4      4       0      0
STATIC   0      0       0      0
RIP      0      0       0      0
OSPF     0      0       0      0
O_ASE    0      0       0      0
O_NSSA   0      0       0      0
Total    4      4       0      0
The above information shows that the routing statistics in the IP routing table are cleared.

2 Static Route Configuration Commands

The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.

Static Route Configuration Commands

delete static-routes all

Syntax
delete static-routes all

View
System view

Parameters
None

Description
Use the delete static-routes all command to delete all static routes.
The system will request your confirmation before it deletes all the configured static routes.
Related commands: ip route-static, display ip routing-table.

Examples
# Delete all the static routes in the router.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] delete static-routes all
Are you sure to delete all the unicast static routes?[Y/N]y

ip route-static

Syntax
ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-hop } [ preference preference-value ] [ reject | blackhole ] [ detect-group group number ] [ description text ]
undo ip route-static ip-address { mask | mask-length } [ interface-type interface-number | next-hop ] [ preference preference-value ]

View
System view

Parameters
ip-address: Destination IP address, in dotted decimal notation.
mask: Subnet mask, in dotted decimal notation.
mask-length: Mask length, in the range of 0 to 32.
interface-type interface-number: Next-hop outbound interface.
next-hop: Next hop IP address of the route, in dotted decimal notation.
preference preference-value: Preference level of a static route, in the range of 1 to 255. The default preference is 60.
reject: Indicates the destination is unreachable. If a static route to a destination is marked with reject, all IP packets destined for this destination will be discarded, and the source host will be informed that the destination is unreachable.
blackhole: Indicates a blackhole route. If a static route to a destination is marked with blackhole, the outbound interface of this route is the Null 0 interface regardless of the next hop address, and all IP packets destined for this destination are dropped without the source host being notified.
description text: Provides a description for the current route, which is a string of 1 to 60 characters.
detect-group group number: Specifies a detect group number, which ranges from 1 to 25.

- If you specify the next-hop outgoing interface when configuring a static route, the type of outgoing interface can be Null only.
- The packets sent to a Null interface, which is a virtual interface, will be discarded immediately. This can decrease the system load.
- For automatic detection information, refer to the part discussing Auto Detect.

Description
Use the ip route-static command to configure a static route.
Use the undo ip route-static command to delete a static route.
By default, the system can obtain the subnet route directly connected to the router. When you configure a static route, if no preference is specified for the route, the preference defaults to 60, and if the route is not specified as reject or blackhole, the route will be reachable by default.
When configuring a static route, note the following points:
- If the destination IP address and the mask are both 0.0.0.0, what you are configuring is a default route. All the packets that fail to find a routing entry will be forwarded through this default route.
- You cannot configure an interface address of the local switch as the next hop address of a static route.
- You can configure a different preference to implement flexible route management policy.
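
Added example, not part of the H3C manual: a Python model of how the default route and the reject and blackhole keywords described above change what happens to a packet. Longest-mask matching and "smaller preference value wins" are assumptions about the switch's route selection that this section does not state, and every address in the table is constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: str          # next hop address, or "NULL 0" for the Null interface
    preference: int = 60   # the manual's default preference
    kind: str = "normal"   # "normal", "reject" or "blackhole"


def static_route(dest, mask, next_hop, preference=60, kind="normal"):
    """Build a route from the arguments that ip route-static takes."""
    if not 1 <= preference <= 255:
        raise ValueError("preference must be in the range 1 to 255")
    if kind not in ("normal", "reject", "blackhole"):
        raise ValueError("kind must be normal, reject or blackhole")
    # mask may be dotted decimal (mask) or an integer (mask-length)
    return StaticRoute(ipaddress.IPv4Network(f"{dest}/{mask}"),
                       next_hop, preference, kind)


def decide(table, destination):
    """Return (action, detail) for a packet sent to `destination`."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return ("drop", "no routing entry and no default route")
    # Assumed selection rule: longest mask first, then smallest preference.
    best = min(matches, key=lambda r: (-r.prefix.prefixlen, r.preference))
    if best.kind == "blackhole" or best.next_hop.upper().startswith("NULL"):
        # Outbound interface is Null 0 regardless of the next hop address.
        return ("drop-silent", "Null 0, source host not notified")
    if best.kind == "reject":
        return ("drop-notify", "source host informed destination is unreachable")
    return ("forward", best.next_hop)


# Constructed routing table for the example.
TABLE = [
    static_route("0.0.0.0", "0.0.0.0", "129.102.0.2"),                 # default route
    static_route("10.20.0.0", 16, "129.102.0.3"),
    static_route("10.20.30.0", 24, "129.102.0.4", kind="blackhole"),   # next hop ignored
    static_route("10.20.40.0", "255.255.255.0", "129.102.0.5", kind="reject"),
    static_route("10.20.50.0", 24, "129.102.0.6", preference=80),
    static_route("10.20.50.0", 24, "129.102.0.7", preference=20),
]

if __name__ == "__main__":
    for host in ("8.8.8.8", "10.20.1.1", "10.20.30.9", "10.20.40.9", "10.20.50.9"):
        print(host, decide(TABLE, host))
```

The difference that matters when a route is used to discard unwanted traffic is visible in the two drop results: reject tells the sender the destination is unreachable, blackhole gives the sender no feedback.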
Related commands: display ip routing-table.

Examples
# Configure the next hop of the default route as 129.102.0.2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip route-static 0.0.0.0 0.0.0.0 129.102.0.2

3 RIP Configuration Commands

The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.

RIP Configuration Commands

checkzero

Syntax
checkzero
undo checkzero

View
RIP view

Parameters
None

Description
Use the checkzero command to enable the must be zero field check for RIP-1 packets.
Use the undo checkzero command to disable the must be zero field check for RIP-1 packets.
By default, RIP-1 performs the must be zero field check.
According to the protocol (RFC 1058) specifications, some fields in RIP-1 packets must be zero and these fields are called zero fields. You can use the checkzero command to enable/disable the must be zero field check for RIP-1 packets. When the must be zero field check is enabled, if the must be zero field in an incoming RIP-1 packet is non-zero, the packet will be rejected.

Examples
# Disable the must be zero field check for RIP-1 packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] undo checkzero

default cost

Syntax
default cost value
undo default cost

View
RIP view

Parameters
value: Default cost, in the range of 1 to 16.

Description
Use the default cost command to set the default cost for redistributed routes.
Use the undo default cost command to restore the default.
By default, the default cost of a redistributed route is 1.
If no cost is specified when you use the import-route command to redistribute routes from another routing protocol, the routes will be redistributed with the default cost specified with the default cost command.
Related commands: import-route.

Examples
# Redistribute static routes and set the default cost of the redistributed routes to 3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] import-route static
[Sysname-rip] default cost 3

display rip

Syntax
display rip

View
Any view

Parameters
None

Description
Use the display rip command to display the current RIP operation state and RIP configuration.

Examples
# Display the current RIP operation state and configuration.
<Sysname> display rip
RIP is running
Checkzero is on    Default cost : 1
Summary is on    Preference : 100
Traffic-share-across-interface is off
Period update timer : 30
Timeout timer : 180
Garbage-collection timer : 120
No peer router
Network : 202.38.168.0

Table 3-1 Description on the fields of the display rip command
Field                            Description
RIP is running                   RIP is active.
Checkzero                        State of the must be zero field check for RIP-1 packets. on: Enabled. off: Disabled.
Default cost                     Default cost for redistributed routes
Summary                          State of the automatic route summarization function. on: Enabled. off: Disabled.
Preference                       RIP preference
Period update timer              Length of the period update timer in seconds
Timeout timer                    Length of the timeout timer in seconds
Garbage-collection timer         Length of the garbage-collection timer in seconds
No peer router                   No destination address of a transmission is specified
Network                          Network segment on which RIP is enabled
Traffic-share-across-interface   State of load sharing among interfaces. on: Enabled. off: Disabled.

display rip interface

Syntax
display rip interface

View
Any view

Parameters
None

Description
Use the display rip interface command to display RIP interface information.

Examples
# Display RIP interface information.
<Sysname> display rip interface
RIP Interface: public net
Address   Interface           Ver  MetrIn/Out  Input  Output  Split-horizon
1.0.0.1   Vlan-interface100   2    0/1         on     on      on

Table 3-2 Description on the fields of the display rip interface command
Field           Description
Address         IP address of the interface running RIP (You need to use the network command to enable the network segment on which the address resides.)
Interface       Name of the interface running RIP. The IP address of the interface corresponds to that in the Address field.
Ver             Version of RIP running on the interface
MetrIn/Out      Additional metric added when a route is received/sent
Input           Indicates whether to allow the interface to receive RIP packets (on means yes; off means no).
Output          Indicates whether to allow the interface to send RIP packets (on means yes; off means no).
Split-horizon   Indicates whether split horizon is enabled (on means yes; off means no)

display rip routing

Syntax
display rip routing

View
Any view

Parameters
None

Description
Use the display rip routing command to display RIP routing information.

Examples
# Display the information of the RIP routing table.
<Sysname> display rip routing
RIP routing table: public net
A = Active  I = Inactive  G = Garbage collection
C = Change  T = Trigger RIP
Destination/Mask   Cost  NextHop      Age  SourceGateway  Att
192.168.110.0/24   1     31.31.31.8   7s   31.31.31.8     A
200.1.1.0/24       1     31.31.31.8   7s   31.31.31.8     A
130.1.0.0/16       1     31.31.31.8   7s   31.31.31.8     A

Table 3-3 Description on the fields of the display rip routing command
Field              Description
Destination/Mask   Destination address/Mask
Cost               Cost
NextHop            Next hop address
Age                Time elapsed after the route is advertised
SourceGateway      Gateway originating the route
Att                Attributes of a route. A: Active route. I: Inactive route. G: Working state of the garbage collection timer. C: Change state. T: Triggered RIP.

filter-policy export

Syntax
filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol [ process-id ] ]
undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol [ process-id ] ]
filter-policy route-policy route-policy-name export
undo filter-policy route-policy route-policy-name export

View
RIP view

Parameters
acl-number: Number of the basic or advanced ACL used to filter routing information by destination address, in the range of 2000 to 3999.
ip-prefix-name: Name of the address ip-prefix list used to filter routing information by destination address, a string of 1 to 19 characters.
route-policy-name: Name of the route-policy used to filter routing information, a string of 1 to 19 characters.
protocol: Filters routing information redistributed from the specified protocol. Currently, this argument can be direct, ospf, ospf-ase, ospf-nssa, or static.
process-id: Process ID of the routing protocol whose routing information is to be filtered, in the range of 1 to 65535. This argument is valid only for ospf, ospf-ase, and ospf-nssa.

Description
Use the filter-policy export command to enable RIP to filter the outgoing routing information.
Use the undo filter-policy export command to disable RIP from filtering the outgoing routing information.
Note that, if protocol is specified, RIP filters only the outgoing routes redistributed from the specified routing protocol. Otherwise, RIP filters all routes to be advertised.
By default, RIP does not filter advertised routing information.
Related commands: acl, filter-policy import, ip ip-prefix.

For details about ACL, refer to ACL Operation.

Examples
# Apply ACL 2000 to filter the outgoing routing information.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] filter-policy 2000 export

filter-policy import

Syntax
filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] | route-policy route-policy-name } import
undo filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] | route-policy route-policy-name } import
filter-policy gateway ip-prefix-name import
undo filter-policy gateway ip-prefix-name import

View
RIP view

Parameters
acl-number: Number of the ACL used to filter routing information by destination address, in the range of 2000 to 3999.
ip-prefix-name: Name of the address prefix list used to filter routing information by destination address, a string of 1 to 19 characters.
gateway ip-prefix-name: Name of the address prefix list used to filter routing information by the address of the neighbor router advertising the information, a string of 1 to 19 characters.
route-policy-name: Name of the route-policy used to filter routing information, a string of 1 to 19 characters.

Description
Use the filter-policy gateway command to enable RIP to filter the routing information advertised by a specified address.
Use the undo filter-policy gateway command to disable RIP from filtering the routing information advertised by a specified address.
Use the filter-policy import command to enable RIP to filter the incoming routing information.
Use the undo filter-policy import command to disable RIP from filtering the incoming routing information.
By default, RIP does not filter the received routing information.
Related commands: acl, filter-policy export, ip ip-prefix.

For details about ACL, refer to ACL Operation.

Examples
# Apply ACL 2000 to filter the incoming routing information.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] filter-policy 2000 import

host-route

Syntax
host-route
undo host-route

View
RIP view

Parameters
None

Description
Use the host-route command to enable RIP to receive host routes.
Use the undo host-route command to disable RIP from receiving host routes.
By default, RIP is enabled to receive host routes.
In some special cases, RIP receives a great number of host routes from the same network segment. These routes are of little help to addressing but occupy a lot of resources. In this case, the undo host-route command can be used to disable RIP from receiving host routes to save network resources.

Examples
# Disable RIP from receiving host routes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] undo host-route

import-route

Syntax
import-route protocol [ process-id ] [ cost value | route-policy route-policy-name ]*
undo import-route protocol [ process-id ]

View
RIP view

Parameters
protocol: Source routing protocol from which routes are redistributed by RIP. At present, RIP can redistribute routes from the following protocols: direct, ospf, ospf-ase, ospf-nssa and static.
process-id: Process ID of a routing protocol from which routes are redistributed, in the range of 1 to 65535. This argument is valid only for ospf, ospf-ase, and ospf-nssa.
value: Cost for redistributed routes, in the range of 0 to 16. If no cost is specified when redistributing routes, the default cost defined by the default cost command will be used.
route-policy-name: Name of a routing policy, a string of 1 to 19 characters.

Description
Use the import-route command to enable RIP to redistribute routes from other protocols.
Use the undo import-route command to disable RIP from redistributing routes from other protocols.
By default, RIP does not redistribute routes from other protocols.
If the value is not specified, routes will be redistributed with the default cost defined by the default cost command. If the cost of a redistributed route is 16, RIP does not stop advertising the route to other routers until the Garbage Collection timer expires (the timer length defaults to 120 seconds).
Related commands: default cost.

Examples
# Redistribute static routes with the cost of 4.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] import-route static cost 4
# Set the default cost and redistribute OSPF routes with the default cost.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] default cost 3
[Sysname-rip] import-route ospf

network

Syntax
network network-address
undo network network-address

View
RIP view

Parameters
network-address: Network/IP address of an interface, in dotted decimal notation.

Description
Use the network command to enable RIP on an interface attached to the specified network segment.
Use the undo network command to disable RIP on the interface attached to the specified network segment.
RIP runs only on the interface attached to the specified network. For an interface not on the specified network, RIP neither receives/sends routes on it nor forwards interface route through it. Therefore, you need to specify the network after enabling RIP to validate RIP on a specific interface.
By default, RIP is disabled on all interfaces.
The differences between the network and rip work commands are as follows:
- The network command enables RIP on an interface attached to the specified network segment.
- The rip work command enables an interface to receive and send RIP packets.
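
Added example, not part of the H3C manual: a Python check that reads saved configuration text and reports which interfaces accept RIP updates that cannot be, or are not, strongly authenticated, using the network, rip work, rip input, rip version, rip authentication-mode and checkzero commands documented in this chapter. The stanza layout of the sample, the classful matching of network statements and every value in the sample are assumptions made for the example.

```python
import ipaddress

# Constructed sample in the style of "display current-configuration" output.
# Layout ("#" separators, one-space indentation) and all values are assumed.
SAMPLE_CONFIG = """\
#
interface Vlan-interface10
 ip address 10.1.1.1 255.255.255.0
 rip version 2 multicast
 rip authentication-mode md5 rfc2453 CONSTRUCTED-CIPHER-TEXT-
#
interface Vlan-interface20
 ip address 10.2.2.1 255.255.255.0
 rip version 2 multicast
 rip authentication-mode simple aaa
#
interface Vlan-interface30
 ip address 129.102.3.1 255.255.255.0
#
interface Vlan-interface40
 ip address 129.102.4.1 255.255.255.0
 rip version 2 broadcast
#
interface Vlan-interface50
 ip address 10.5.5.1 255.255.255.0
 undo rip work
#
interface Vlan-interface60
 ip address 192.168.60.1 255.255.255.0
#
rip
 undo checkzero
 network 10.0.0.0
 network 129.102.0.0
#
"""


def parse_stanzas(text):
    """Map each top-level header line to the list of its indented lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None
        elif not raw.startswith(" "):
            current = raw.strip()
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(raw.strip())
    return stanzas


def natural_network(addr):
    """Classful network of an address (assumed matching rule for 'network')."""
    ip = ipaddress.IPv4Address(addr)
    first = int(ip) >> 24
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network((ip, prefix), strict=False)


def audit_rip(text):
    """Return a list of (where, finding) tuples for the configuration text."""
    stanzas = parse_stanzas(text)
    rip = stanzas.get("rip")
    if rip is None:
        return []  # by default the system does not run RIP
    findings = []
    if "undo checkzero" in rip:
        findings.append(("rip", "must be zero field check disabled for RIP-1 packets"))
    enabled = [natural_network(l.split()[1]) for l in rip if l.startswith("network ")]
    for header, body in stanzas.items():
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        addrs = [l.split()[2] for l in body if l.startswith("ip address ")]
        if not any(ipaddress.IPv4Address(a) in n for a in addrs for n in enabled):
            continue  # no network statement enables RIP here
        if "undo rip work" in body or "undo rip input" in body:
            continue  # interface does not receive RIP packets
        version = next((l.split()[2] for l in body if l.startswith("rip version ")), "1")
        auth = next((l.split()[2] for l in body
                     if l.startswith("rip authentication-mode ")), None)
        if version == "1":
            findings.append((name, "RIP-1 (the default): authentication not supported"))
        elif auth is None:
            findings.append((name, "RIP-2 without rip authentication-mode"))
        elif auth == "simple":
            findings.append((name, "plain text authentication key"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_rip(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```

Vlan-interface30 carries no RIP command at all and is still reported, because a network statement covers its address and the interface defaults apply.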
Related commands: rip work.

Examples
# Enable RIP on the interface with the network address 129.102.0.0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] network 129.102.0.0

peer

Syntax
peer ip-address
undo peer ip-address

View
RIP view

Parameters
ip-address: IP address of the interface receiving RIP packets in the unicast mode on the neighbor router, in dotted decimal notation.

Description
Use the peer command to specify the IP address of a neighbor, where routing updates destined for the peer are unicast, rather than multicast or broadcast.
Use the undo peer command to remove the IP address of a neighbor.
By default, no neighbor is specified.
This command is used for non-broadcast networks where the broadcast mode is not suitable. Generally you are not recommended to use this command.

Examples
# Send RIP packets in the unicast mode to the destination 202.38.165.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] peer 202.38.165.1

preference

Syntax
preference value
undo preference

View
RIP view

Parameters
value: Preference level, in the range of 1 to 255.

Description
Use the preference command to configure the preference of RIP routes.
Use the undo preference command to restore the default.
By default, the preference of RIP routes is 100.
Every routing protocol has its own preference. Its default value is determined by the specific routing policy. The preferences of routing protocols will finally determine which routing algorithm's routes will be selected as the optimal routes in the IP routing table. You can use the preference command to modify the preference of RIP routes manually.

Examples
# Specify the RIP preference as 20.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] preference 20

reset

Syntax
reset

View
RIP view

Parameters
None

Description
Use the reset command to reset the system configuration parameters of RIP.
When you need to re-configure the parameters of RIP, you can use this command to restore the default.

Examples
# Reset the RIP system configuration.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] reset
% Reset RIP's configuration and restart RIP? [Y/N]y

rip

Syntax
rip
undo rip

View
System view

Parameters
None

Description
Use the rip command to enable RIP or enter RIP view.
Use the undo rip command to disable RIP.
By default, the system does not run RIP.
You must enable RIP and enter RIP view before configuring RIP global parameters. You can, however, configure the interface-related parameters no matter whether RIP is enabled.

Note that the interface-related parameters configured previously would be invalid after RIP is disabled.

Examples
# Enable RIP and enter RIP view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip]

rip authentication-mode

Syntax
rip authentication-mode { simple password | md5 { rfc2082 key-string key-id | rfc2453 key-string } }
undo rip authentication-mode

View
Interface view

Parameters
simple: Specifies to use plain text authentication mode.
password: Plain text authentication key, containing 1 to 16 characters.
md5: Specifies to use MD5 cipher text authentication mode.
rfc2082: Specifies that MD5 cipher text authentication packets will use the packet format stipulated by RFC2082.
rfc2453: Specifies that MD5 cipher text authentication packets will use the packet format stipulated by RFC2453.
key-string: MD5 cipher text authentication key. If it is typed in the plain text mode, the length does not exceed 16 characters. If it is typed in the cipher text mode, the length is 24 characters.
The system will display the MD5 cipher text authentication key with a length of 24 characters in the cipher text mode when you execute the display current-configuration command.
key-id: MD5 cipher text authentication identifier, ranging from 1 to 255.

Description
Use the rip authentication-mode command to configure RIP-2 authentication mode and its parameters.
Use the undo rip authentication-mode command to remove authentication.
Only one authentication key is supported each time authentication is performed. An authentication key newly input overwrites an old one.
Related commands: rip version.

You can configure RIPv1 authentication mode in interface view, but the configuration will not take effect because RIPv1 does not support authentication.

Examples
# Specify the interface VLAN-interface 10 to use the simple authentication with the authentication key of aaa.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] rip authentication-mode simple aaa
# Specify VLAN-interface 10 to use the MD5 cipher text authentication, with the authentication key of aaa and the packet format of rfc2453.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] rip authentication-mode md5 rfc2453 aaa

rip input

Syntax
rip input
undo rip input

View
Interface view

Parameters
None

Description
Use the rip input command to enable an interface to receive RIP packets.
Use the undo rip input command to disable an interface from receiving RIP packets.
By default, all interfaces, except loopback interfaces, can receive RIP packets.
Related commands: rip work.

Examples
# Disable the interface VLAN-interface 10 from receiving RIP packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] undo rip input

rip metricin

Syntax
rip metricin value
undo rip metricin

View
Interface view

Parameters
value: Additional metric of RIP routes received on an interface, in the range of 0 to 16.

Description
Use the rip metricin command to configure an additional metric for RIP routes received on an interface.
Use the undo rip metricin command to restore the default.
By default, the additional metric of RIP routes received on an interface is 0.
Before a valid RIP route received on an interface is added to the routing table, the additional metric will be added to the route. Therefore, if you increase the additional metric, the metric of RIP routes received on the interface will increase accordingly. If the sum of the additional metric and the original metric is greater than 16, the metric of the route will be 16.
Related commands: rip metricout.

Examples
# Set the additional metric of RIP routes received on the interface VLAN-interface 10 to 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] rip metricin 2

rip metricout

Syntax
rip metricout value
undo rip metricout

View
Interface view

Parameters
value: Additional metric of RIP routes sent out of an interface, in the range of 1 to 16.

Description
Use the rip metricout command to configure an additional metric for RIP routes sent out of an interface.
Use the undo rip metricout command to restore the default.
By default, the additional metric of RIP routes sent out of an interface is 1.
With the command configured on an interface, the metric of RIP routes sent on the interface will be increased.
Related commands: rip metricin.

Examples
# Set the additional metric of RIP routes sent out of the interface VLAN-interface 10 to 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] rip metricout 2

rip output

Syntax
rip output
undo rip output

View
Interface view

Parameters
None

Description
Use the rip output command to enable an interface to transmit RIP packets.
Use the undo rip output command to disable an interface from transmitting RIP packets.
By default, all interfaces except loopback interfaces are enabled to transmit RIP packets.
Related commands: rip input, rip work.

Examples
# Disable the interface VLAN-interface 10 from transmitting RIP packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] undo rip output

rip split-horizon

Syntax
rip split-horizon
undo rip split-horizon

View
Interface view

Parameters
None

Description
Use the rip split-horizon command to enable the split horizon function.
Use the undo rip split-horizon command to disable the split horizon function.
By default, the split horizon function is enabled.
The split horizon function prevents an interface from sending out routes that were received on that same interface, which prevents routing loops between adjacent routers. Therefore, normally, split horizon is necessary for avoiding routing loops. Only in some special cases does the split horizon function need to be disabled to ensure the correct execution of the protocol. So, disable the split horizon function only when necessary.

Examples
# Disable the split horizon function on the interface VLAN-interface 10.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] undo rip split-horizon

rip version

Syntax
rip version { 1 | 2 [ broadcast | multicast ] }
undo rip version

View
Interface view

Parameters
1: Specifies the version of RIP running on an interface as RIP-1.
2: Specifies the version of RIP running on an interface as RIP-2.
broadcast: Sends RIP-2 packets in the broadcast mode.
multicast: Sends RIP-2 packets in the multicast mode.

Description
Use the rip version command to specify the version of RIP running on an interface.
Use the undo rip version command to restore the default.
By default, the version of RIP running on an interface is RIP-1 and RIP-1 packets are sent in the broadcast mode.
If RIP-2 runs on an interface, RIP packets are sent in the multicast mode by default, which reduces resource consumption.

Table 3-4 Receive mode of RIP packets
RIP version            RIP-1 broadcast packet   RIP-2 broadcast packet   RIP-2 multicast packet
RIP-1                  √                        √                        —
RIP-2 broadcast mode   √                        √                        —
RIP-2 multicast mode   —                        —                        √

Table 3-5 Send mode of RIP packets
RIP version            RIP-1 broadcast packet   RIP-2 broadcast packet   RIP-2 multicast packet
RIP-1                  √                        —                        —
RIP-2 broadcast mode   —                        √                        —
RIP-2 multicast mode   —                        —                        √

Examples
# Run RIP-2 on the interface VLAN-interface 10 and send RIP packets in the broadcast mode.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] rip version 2 broadcast

rip work

Syntax
rip work
undo rip work

View
Interface view

Parameters
None

Description
Use the rip work command to enable the interface to receive and send RIP packets.
Use the undo rip work command to disable the interface from receiving and sending RIP packets.
By default, all interfaces except loopback interfaces are enabled to receive and send RIP packets.
The differences between the rip work, rip input, and rip output commands are as follows:
- The rip work command controls the receiving and sending of RIP packets on an interface.
- The rip input command controls only the receiving of RIP packets on an interface.
- The rip output command controls only the sending of RIP packets on an interface.
Related commands: rip input, rip output.

Examples
# Disable the interface VLAN-interface 10 from receiving or sending RIP packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] undo rip work

summary

Syntax
summary
undo summary

View
RIP view

Parameters
None

Description
Use the summary command to enable RIP-2 automatic route summarization.
Use the undo summary command to disable RIP-2 automatic route summarization.
By default, RIP-2 automatic route summarization is enabled.
Route summarization can be used to reduce the routing traffic on the network as well as to reduce the size of the routing table. The summary routes contain the natural masks when advertised.
If RIP-2 is used, route summarization can be disabled with the undo summary command when it is necessary to broadcast subnet routes.
RIP-1 always uses automatic route summarization; the undo summary command is invalid for RIP-1.
Related commands: rip version.

Examples
# Set RIP version on the interface VLAN-interface 10 as RIP-2 and disable route summarization.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] rip version 2
[Sysname-Vlan-interface10] quit
[Sysname] rip
[Sysname-rip] undo summary

timers

Syntax
timers { update update-timer | timeout timeout-timer } *
undo timers { update | timeout } *

View
RIP view

Parameters
update-timer: Length of the Period Update timer in seconds, in the range of 1 to 3600.
timeout-timer: Length of the Timeout timer in seconds, in the range of 1 to 3600.

Description
Use the timers command to modify the lengths of the three RIP timers: Period Update, Timeout, and Garbage-collection (which is usually set to a length four times that of the Period Update timer).
Use the undo timers command to restore the default settings.
By default, the lengths of the Period Update, Timeout, and Garbage-collection timers are 30 seconds, 180 seconds, and 120 seconds, respectively.
Generally, it is regarded that the value of the Garbage-collection timer is fixed at four times that of the Period Update timer.
Adjusting the Period Update timer will affect the Garbage-collection timer.
The modification of RIP timers is validated immediately.
As specified in RFC 1058, RIP is controlled by the above three timers:
- The update timer defines the interval between routing updates.
- The timeout timer defines the route aging time. If no routing update related to a route is received within the aging time, the metric of the route is set to 16 in the routing table.
- The garbage-collect timer defines the interval from when the metric of a route becomes 16 to when it is deleted from the routing table. During the Garbage-Collect timer length, RIP advertises the route with the routing metric set to 16. If no routing update is announced for that route after the Garbage-Collect timer expires, the route will be deleted from the routing table.
Related commands: display rip.

Examples
# Set the values of the Period Update timer and the Timeout timer of RIP to 10 seconds and 30 seconds respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] timers update 10 timeout 30

traffic-share-across-interface

Syntax
traffic-share-across-interface
undo traffic-share-across-interface

View
RIP view

Parameters
None

Description
Use the traffic-share-across-interface command to enable traffic to be forwarded along multiple equivalent RIP routes.
Use the undo traffic-share-across-interface command to disable this function.
By default, this function is disabled.
When the number of equivalent routes reaches the upper limit:
- If this function is enabled, the newly learned equivalent route replaces the existing equivalent route in the routing table.
- If this function is disabled, the first aged route entry is replaced by the newly learned route. If no route entry is aged, the newly learned equivalent route will be dropped.

Examples
# Enable traffic to be forwarded along multiple equivalent RIP routes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] rip
[Sysname-rip] traffic-share-across-interface

4 OSPF Configuration Commands

- The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
- The S3600-SI series do not support OSPF.

OSPF Configuration Commands

abr-summary

Syntax
abr-summary ip-address mask [ advertise | not-advertise ]
undo abr-summary ip-address mask

View
OSPF area view

Parameters
ip-address: Network address of the summary route, in dotted decimal notation.
mask: Subnet mask of the summary route, in dotted decimal notation.
advertise: Advertises the summary route. If this argument is not provided, the summary route will be advertised.
not-advertise: Specifies not to advertise the summary route.

Description
Use the abr-summary command to enable route summarization on an area border router (ABR).
Use the undo abr-summary command to disable route summarization on an ABR.
By default, route summarization is disabled on an ABR.
This command is applicable to ABRs only and is used for route summarization of routes described by Type-3 LSAs in an area. It allows an ABR to advertise the summary route in a Type-3 LSA to other areas instead of other more specific routes.
You can configure multiple summary routes for an area.
With the undo abr-summary command used, summarized routes will be advertised.

Examples
# Summarize subnets 36.42.10.0/24 and 36.42.110.0/24 in OSPF area 1 with summary route 36.42.0.0/16 and advertise it to other areas.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] area 1
[Sysname-ospf-1-area-0.0.0.1] network 36.42.10.0 0.0.0.255
[Sysname-ospf-1-area-0.0.0.1] network 36.42.110.0 0.0.0.255
[Sysname-ospf-1-area-0.0.0.1] abr-summary 36.42.0.0 255.255.0.0

area

Syntax
area area-id
undo area area-id

View
OSPF view

Parameters
area-id: ID of an OSPF area, which can be a decimal integer (ranging from 0 to 4294967295) or in the form of an IP address.

Description
Use the area command to enter OSPF area view.
Use the undo area command to cancel the specified area.

Examples
# Enter OSPF area 0 view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] area 0
[Sysname-ospf-1-area-0.0.0.0]

asbr-summary

Syntax
asbr-summary ip-address mask [ not-advertise | tag value ]
undo asbr-summary ip-address mask

View
OSPF view

Parameters
ip-address: IP address of the summary route, in dotted decimal notation.
mask: IP address mask, in dotted decimal notation.
not-advertise: Specifies not to advertise the summary route. If this argument is not provided, the summary route will be advertised.
tag value: Tag value, which is mainly used to control route advertisement through a route-policy. It ranges from 0 to 4294967295 and defaults to 1.

Description
Use the asbr-summary command to enable OSPF to summarize redistributed routes.
Use the undo asbr-summary command to disable the summarization function.
By default, redistributed routes are not summarized.
After the summarization of redistributed routes is configured, if the local router is an autonomous system border router (ASBR), this command summarizes the redistributed Type-5 LSAs falling into the specified network. If an NSSA area is configured, this command also summarizes the redistributed Type-7 LSAs falling into the specified network.
If the local router acts as an NSSA ABR, this command summarizes Type-5 LSAs translated from Type-7 LSAs falling into the specified network.
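The following check is an added example, not part of the H3C manual: it reads area-view lines in the form used by the abr-summary example above (network with a wildcard mask, abr-summary with a subnet mask) and reports, for each summary, the configured networks it covers, the tightest single prefix that would cover them, and how many addresses inside the summary have no configured network behind them. The function names and report keys are this example's own, and it assumes contiguous masks.

```python
import ipaddress
import re

# Session lines taken from the manual's abr-summary example (area 1).
SESSION = """\
[Sysname] ospf 1
[Sysname-ospf-1] area 1
[Sysname-ospf-1-area-0.0.0.1] network 36.42.10.0 0.0.0.255
[Sysname-ospf-1-area-0.0.0.1] network 36.42.110.0 0.0.0.255
[Sysname-ospf-1-area-0.0.0.1] abr-summary 36.42.0.0 255.255.0.0
"""

# Matches area-view commands; the area ID is read from the prompt.
AREA_CMD = re.compile(
    r"^\[[^\]]*-area-(?P<area>\d+(?:\.\d+){3})\]\s+"
    r"(?P<cmd>network|abr-summary)\s+(?P<addr>\S+)\s+(?P<mask>\S+)"
)


def mask_to_prefix(mask, wildcard=False):
    """Convert a dotted subnet mask (or wildcard mask) to a prefix length."""
    value = int(ipaddress.IPv4Address(mask))
    if wildcard:
        value ^= 0xFFFFFFFF  # wildcard bits are the inverse of mask bits
    prefix = bin(value).count("1")
    # This example only handles masks whose one-bits are contiguous.
    if value != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def to_network(addr, mask, wildcard):
    """Build an IPv4Network, normalising any host bits in the address."""
    prefix = mask_to_prefix(mask, wildcard)
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def tightest_summary(nets):
    """Smallest single prefix that contains every network in nets."""
    if not nets:
        return None
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def audit(session):
    """Return one report entry per abr-summary found in the session text."""
    networks, summaries = {}, {}
    for line in session.splitlines():
        m = AREA_CMD.match(line.strip())
        if not m:
            continue
        is_net = m["cmd"] == "network"
        net = to_network(m["addr"], m["mask"], wildcard=is_net)
        bucket = networks if is_net else summaries
        bucket.setdefault(m["area"], []).append(net)

    report = []
    for area, area_summaries in summaries.items():
        for summary in area_summaries:
            covered = [n for n in networks.get(area, []) if n.subnet_of(summary)]
            # Collapse first so overlapping network statements count once.
            backed = sum(
                n.num_addresses for n in ipaddress.collapse_addresses(covered)
            )
            report.append({
                "area": area,
                "summary": summary,
                "covered": covered,
                "tightest": tightest_summary(covered),
                "unbacked_addresses": summary.num_addresses - backed,
            })
    return report


if __name__ == "__main__":
    for entry in audit(SESSION):
        print(
            f"area {entry['area']}: summary {entry['summary']} covers "
            f"{[str(n) for n in entry['covered']]}; tightest covering prefix "
            f"{entry['tightest']}; {entry['unbacked_addresses']} addresses "
            "in the summary have no configured network"
        )
```

For the manual's values, the two /24 networks fit in 36.42.0.0/17, so the configured /16 summary is wider than the networks it stands for.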
The asbr-summary command does not take effect on non-NSSA ABRs.
Related commands: display ospf asbr-summary.

Examples
# Configure two ASBR summary routes, and specify tag values of 8 and 10 for the routes respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] asbr-summary 10.2.0.0 255.255.0.0 tag 8
[Sysname-ospf-1] asbr-summary 20.2.0.0 255.255.0.0 tag 10

authentication-mode

Syntax
authentication-mode { simple | md5 }
undo authentication-mode

View
OSPF area view

Parameters
simple: Specifies the simple text authentication mode.
md5: Specifies the MD5 cipher text authentication mode.

Description
Use the authentication-mode command to configure one area of OSPF to support the authentication attribute.
Use the undo authentication-mode command to cancel the authentication attribute of this area.
By default, an area does not support the authentication attribute.
All the routers in one area must use the same authentication mode (no authentication, simple text authentication, or MD5 cipher text authentication). If the mode of supporting authentication is configured, all routers on the same segment must use the same authentication key. Use the ospf authentication-mode simple command to configure a simple text authentication key. Use the ospf authentication-mode md5 command to configure the MD5 cipher text authentication key if the area is configured to support MD5 cipher text authentication mode.
After you configure one OSPF area to support the authentication attribute, you need to use the ospf authentication-mode command to set the authentication mode on interfaces.
When configuring virtual link authentication, you can use the authentication-mode command to specify the authentication mode as MD5 cipher text or simple text for the backbone area.
Related commands: ospf authentication-mode, vlink-peer.

Examples
# Enter area 0 view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] area 0
# Specify the OSPF area 0 to support MD5 cipher text authentication.
[Sysname-ospf-1-area-0.0.0.0] authentication-mode md5

default

Syntax
default { cost value | interval seconds | limit routes | tag tag | type type } *
undo default { cost | interval | limit | tag | type } *

View
OSPF view

Parameters
value: Default cost of an external route redistributed by OSPF, in the range of 0 to 16777214.
seconds: Default interval for redistributing external routes in seconds, in the range of 1 to 2147483647.
routes: Default limit of external routes that can be redistributed at one time, in the range of 200 to 2147483647.
tag: Default tag of routes redistributed by OSPF, in the range of 0 to 4294967295.
type: Default type of external routes redistributed by OSPF. The value of this argument is 1 or 2.

Description
Use the default command to configure the default parameters for redistributed routes, including cost, interval, limit, tag, and type.
Use the undo default cost command to restore the default.
By default, the cost, interval, limit, tag, and type are 1, 1, 1000, 1, and 2, respectively.
When OSPF redistributes external routes and propagates them in the entire autonomous system:
- The cost of external routes can influence route selection and calculation.
- The performance of the device will be degraded significantly if OSPF redistributes routes frequently.
- The performance will also be degraded significantly if OSPF redistributes a large number of routes at one time.
Therefore, it is necessary to reasonably set the default cost of redistributed routes, the default interval for redistributing routes, and the limit of routes that can be redistributed at one time.

Examples
# Set the default cost, interval, limit, tag, and type of redistributed routes to 10, 20 seconds, 300, 15, and 1, respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] default cost 10 interval 20 limit 300 tag 15 type 1

default-cost

Syntax
default-cost value
undo default-cost

View
OSPF area view

Parameters
value: Cost of the default route, in the range of 0 to 16777214.

Description
Use the default-cost command to configure the cost of the default route advertised by OSPF to a Stub area or NSSA.
Use the undo default-cost command to restore the default.
By default, the cost of the default route advertised by OSPF to a Stub area or NSSA is 1.
This command only applies to an ABR in a Stub area or NSSA.
To configure a Stub area, you need to use the stub and default-cost commands.
You must use the stub command on all the routers connected to a Stub area to configure the area with the stub attribute.
Use the default-cost command to configure the cost of the default route advertised by an ABR to a Stub area or NSSA.
OSPF advertises a default route in the following cases:
- When a (totally) stub area is configured, the ABR of the area automatically generates a default route.
- After the nssa no-summary command is used on the ABR of an NSSA area, the NSSA ABR advertises a default route into the area.
- After the nssa default-route-advertise command is configured on an NSSA ABR, the ABR generates a default route into the NSSA regardless of whether the default route is available. If the nssa default-route-advertise command is configured on an NSSA ASBR, only when a default route is available on the ASBR can the router generate the default route into the attached area.
Related commands: stub, nssa.

Examples
# Set area 1 to a Stub area and the cost of the default route advertised to this Stub area to 60.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] area 1
[Sysname-ospf-1-area-0.0.0.1] network 20.0.0.0 0.255.255.255
[Sysname-ospf-1-area-0.0.0.1] stub
[Sysname-ospf-1-area-0.0.0.1] default-cost 60

default-route-advertise

Syntax
default-route-advertise [ always | cost value | type type-value | route-policy route-policy-name ]*
undo default-route-advertise [ always | cost | type | route-policy ]*

View
OSPF view

Parameters
always: Generates a default external route in an ASE LSA into the OSPF routing domain in the case that the router has no default route configured. Without this keyword, you have to configure a default route to redistribute an ASE LSA into the OSPF routing domain.
cost value: Specifies the cost value of the default route. The default route with the lowest cost value is preferred. The value of value ranges from 0 to 16777214. If no cost is specified, the default cost specified by the default cost command applies.
type type-value: Specifies the type of the route. If type-value is 2, the cost value of the default route is equal to that specified by cost value, and all the routers in the OSPF domain use the same cost. If type-value is 1, the cost value of the default route is equal to the sum of the cost from the local router to the corresponding ASBR and the cost specified by cost value. The value of type-value is 1 or 2. If no type-value is specified, the default route type specified by the default type command applies.
route-policy route-policy-name: Specifies a route policy. The route-policy-name argument is a string of 1 to 19 characters.

Description
Use the default-route-advertise command to generate a default route in the OSPF routing domain.
Use the undo default-route-advertise command to disable OSPF from redistributing a default route.
By default, OSPF does not redistribute any default route.
The import-route command cannot redistribute any default route.
To redistribute the default route to the route area, the default-route-advertise command must be used. If the local router is not configured with a default route, the keyword always must be specified so that a default route can be generated in an ASE LSA.
Related commands: import-route.

Examples
# Generate a default route in an ASE LSA into the OSPF routing domain if a default route is configured on the local router.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] default-route-advertise
# Generate a default route in an ASE LSA into the OSPF routing domain if no default route is configured on the local router.
[Sysname-ospf-1] default-route-advertise always

display router id

Syntax
display router id

View
Any view

Parameters
None

Description
Use the display router id command to display the router ID.
Related commands: router id.

Examples
# Display the router ID.
<Sysname> display router id
Configured router id is 1.1.1.1

display ospf abr-asbr

Syntax
display ospf [ process-id ] abr-asbr

View
Any view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.

Description
Use the display ospf abr-asbr command to display the information about the ABR and ASBR of OSPF.
If you use this command on routers in a stub area, no ASBR information is displayed.

Examples
# Display the information about the OSPF ABRs and ASBRs.
<Sysname> display ospf abr-asbr
OSPF Process 1 with Router ID 1.1.1.1
Routing Table to ABR and ASBR
I = Intra i = Inter A = ASBR B = ABR S = SumASBR
    Destination   Area      Cost  Nexthop        Interface
IA  2.2.2.2       0.0.0.0   10    10.153.17.89   Vlan-interface1

Table 4-1 Description on the fields of the display ospf abr-asbr command
Field          Description
I = Intra i = Inter A = ASBR B = ABR S = SumASBR
               Type of the route to the ABR or ASBR:
               Intra: intra-area route
               Inter: Inter-area route
               ASBR: Route to the ASBR
               ABR: Route to the ABR
               SumASBR: Summary route to the ASBR
Destination    Router ID of the ABR or ASBR
Area           Area where the router is connected to the ABR or ASBR
Cost           Cost of the route from the local router to the ABR or ASBR
Nexthop        IP address of the next hop
Interface      Local output interface

display ospf asbr-summary

Syntax
display ospf [ process-id ] asbr-summary [ ip-address mask ]

View
Any view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
ip-address: Matched IP address, in dotted decimal notation.
mask: Subnet mask, in dotted decimal notation.

Description
Use the display ospf asbr-summary command to display the summary information of OSPF redistributed routes.
If you do not specify an IP address or subnet mask, the summary information of all OSPF redistributed routes will be displayed.
Related commands: asbr-summary.

Examples
# Display the summary information of all OSPF redistributed routes.
<Sysname> display ospf asbr-summary
OSPF Process 1 with Router ID 1.1.1.1
Summary Addresses
Total summary address count: 2
Summary Address
net : 168.10.0.0
mask : 255.254.0.0
tag : 1
status : Advertise
The Count of Route is 0
Summary Address
net : 1.1.0.0
mask : 255.255.0.0
tag : 100
status : DoNotAdvertise
The Count of Route is 0

Table 4-2 Description on the fields of the display ospf asbr-summary command.
Field     Description
net       Network address of the summary route
mask      Subnet mask of the summary route
tag       Tag of the summary route
status    Advertisement state of the summary route, including
          DoNotAdvertise: The summary can not be advertised.
          Advertise: The summary can be advertised.

display ospf brief

Syntax
display ospf [ process-id ] brief

View
Any view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.

Description
Use the display ospf brief command to display brief OSPF information.

Examples
# Display brief OSPF information.
<Sysname> display ospf brief
OSPF Process 1 with Router ID 7.7.7.7
OSPF Protocol Information
RouterID: 7.7.7.7 Border Router: Nssa Area AS
Spf-schedule-interval: 5
Routing preference: Inter/Intra: 10 External: 150
Default ASE parameters: Metric: 1 Tag: 1 Type: 2
SPF computation count: 30
Area Count: 2 Nssa Area Count: 1
Area 0.0.0.0:
Authtype: none Flags: <>
SPF scheduled: <>
Interface: 192.168.0.39 (Vlan-interface1)
Cost: 10 State: DROther Type: Broadcast
Priority: 1
Designated Router: 192.168.0.153
Backup Designated Router: 192.168.0.154
Timers: Hello 10, Dead 40, Poll 40, Retransmit 5, Transmit Delay 1
Area 0.0.0.2:
Authtype: none Flags: <Nssa>
SPF scheduled: <>
7/5 translator state: Enabled
Interface: 30.1.1.1 (Vlan-interface2)
Cost: 10 State: BackupDR Type: Broadcast
Priority: 1
Designated Router: 30.1.1.2
Backup Designated Router: 30.1.1.1
Timers: Hello 10, Dead 40, Poll 40, Retransmit 5, Transmit Delay 1

Table 4-3 Description on the fields of the display ospf brief command
Field                     Description
RouterID                  Router ID of the router
Border Router             Whether the router is a border router:
                          Area: ABR
                          AS: ASBR
                          Nssa Area AS: NSSA ABR
Spf-schedule-interval     Interval of SPF schedule
Routing preference        OSPF route preference, including
                          Inter/Intra: Inter-area/intra-area route preference
                          External: External route preference
Default ASE parameters    Default ASE parameters of OSPF redistributed routes, including
                          Metric: Route cost
                          Tag: Route tag
                          Type: Route type
SPF computation count     SPF computation count since OSPF is enabled
Area Count                Areas for connection to this router
Nssa Area Count           Number of NSSA areas
Area                      Area ID
Authtype                  OSPF authentication type of the area:
                          None: Non-authentication
                          Simple: simple authentication
                          MD5: MD5 authentication
Flags                     Area type flag:
                          Nssa: NSSA area
                          NssaDefault: A default route is generated into the NSSA.
                          NssaNoSummary: ABR is disabled from advertising Type-3 LSAs into NSSA.
                          NssaNoRedistribution: Prohibits advertisement of redistributed routes into NSSA.
                          Stub: Stub area
                          StubDefault: A default route is generated into Stub area.
                          StubNoSummary: ABR is disabled from advertising Type-3 LSAs to Stub area.
SPF scheduled             SPF scheduled (flag). It indicates what type of route calculation is being performed.
7/5 translator state      Type-7 LSAs translator state:
                          Enabled: manually configured Type-7 LSAs translator
                          Elected: automatically elected Type-7 LSAs translator
                          Disabled: non-Type-7 LSAs translator
Interface                 Name of interface belonging to this area
Cost                      Cost of routes
State                     State of the interface state machine:
                          DOWN: No protocol packet is sent or received on the interface.
                          Waiting: The interface starts sending and receiving Hello packets and is trying to identify the (Backup) designated router for the network.
                          PtoP: The interface sends Hello packets at the interval of HelloInterval, and tries to establish an adjacency with the peer router.
                          DR: The router itself is the designated router on the attached network.
                          BDR: The router itself is the backup designated router on the attached network.
                          DROther: The interface is on a network on which another router has been selected to be the designated router.
Type                      Network type of OSPF interface. It can be Broadcast, NBMA, P2MP, or P2P.
Priority                  Router priority
Designated Router         IP address of a designated router (DR)
Backup Designated Router  IP address of a backup designated router (BDR)
Timers                    OSPF timers, including
                          Hello: Hello interval
                          Dead: Dead interval
                          Poll: Poll interval
                          Retransmit: LSA retransmission interval
                          Transmit Delay: Delay time in transmitting LSA

display ospf cumulative

Syntax
display ospf [ process-id ] cumulative

View
Any view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.

Description
Use the display ospf cumulative command to display cumulative OSPF statistics.

Examples
# Display cumulative OSPF statistics.
<Sysname> display ospf cumulative
OSPF Process 1 with Router ID 1.1.1.1
Cumulations
IO Statistics
Type                Input  Output
Hello                   0   10430
DB Description          0       0
Link-State Req          0       0
Link-State Update       0       0
Link-State Ack          0       0
ASE: 0 Checksum Sum: 0
LSAs originated by this router
Router: 180 SumNet: 116
LSAs Originated: 296 LSAs Received: 0
Area 0.0.0.0:
Neighbors: 0 Spf: 2 Interfaces: 0
Checksum Sum 15B27
rtr: 1 net: 0 sumasb: 0 sumnet: 1
Area 0.0.0.1:
Neighbors: 0 Spf: 3 Interfaces: 1
Checksum Sum 383C
rtr: 1 net: 0 sumasb: 0 sumnet: 0
Area 0.0.0.2:
Neighbors: 0 Spf: 1 Interfaces: 0
Checksum Sum 15D26
rtr: 1 net: 0 sumasb: 0 sumnet: 1
Routing Table:
Intra Area: 1 Inter Area: 0 ASE: 0

Table 4-4 Description on the fields of the display ospf cumulative command
Field                                      Description
IO Statistics  Type                        Type of input/output OSPF packet:
                                           Hello: Hello packet
                                           DB Description: Database Description packet
                                           Link-State Req: Link-State Request packet
                                           Link-State Update: Link-State Update packet
                                           Link-State Ack: Link-State Acknowledge packet
               Input                       Number of received packets
               Output                      Number of transmitted packets
ASE                                        Number of all ASE LSAs
Checksum Sum                               Checksum of ASE LSA
LSAs           Originated                  Number of originated LSAs
               Received                    Number of received LSAs generated by other routers
               Router                      Number of all Router LSAs
               SumNet                      Number of all Sumnet LSAs
               SumASB                      Number of all SumASB LSAs
Area           Neighbors                   Number of neighbors in this area
               Interfaces                  Number of interfaces in this area
               Spf                         Number of SPF computation count in this area
               rtr, net, sumasb, sumnet    Number of all LSAs in this area
Routing Table  Intra Area                  Number of intra-area routes
               Inter Area                  Number of inter-area routes
               ASE                         Number of external routes

display ospf error

Syntax
display ospf [ process-id ] error

View
Any view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.

Description
Use the display ospf error command to display OSPF error information.

Examples
# Display the OSPF error information.
<Sysname> display ospf error
OSPF Process 1 with Router ID 1.1.1.1
OSPF packet error statistics:
0: IP: received my own packet
0: OSPF: wrong packet type
0: OSPF: wrong version
0: OSPF: wrong checksum
0: OSPF: wrong area id
0: OSPF: area mismatch
0: OSPF: wrong virtual link
0: OSPF: wrong authentication type
0: OSPF: wrong authentication key
0: OSPF: too small packet
0: OSPF: packet size > ip length
0: OSPF: transmit error
0: OSPF: interface down
0: OSPF: unknown neighbor
0: HELLO: netmask mismatch
0: HELLO: hello timer mismatch
0: HELLO: dead timer mismatch
0: HELLO: extern option mismatch
0: HELLO: router id confusion
0: HELLO: virtual neighbor unknown
0: HELLO: NBMA neighbor unknown
0: DD: neighbor state low
0: DD: router id confusion
0: DD: extern option mismatch
0: DD: unknown LSA type
0: LS ACK: neighbor state low
0: LS ACK: wrong ack
0: LS ACK: duplicate ack
0: LS ACK: unknown LSA type
0: LS ACK: ACK length wrong
0: LS REQ: neighbor state low
0: LS REQ: empty request
0: LS REQ: wrong request
0: LS REQ: wrong length
0: LS UPD: neighbor state low
0: LS UPD: newer self-generate LSA
0: LS UPD: LSA checksum wrong
0: LS UPD: received less recent LSA
0: LS UPD: unknown LSA type
0: DD: MTU option mismatch
0: OSPF routing: next hop not exist
0: ROUTETYPE: wrong type value
0: LS UPD: LSA length wrong

Table 4-5 Description on the fields of the display ospf error command
Field                               Description
IP: received my own packet          Received my own packet
OSPF: wrong packet type             OSPF packet type error
OSPF: wrong version                 OSPF version error
OSPF: wrong checksum                OSPF checksum error
OSPF: wrong area id                 OSPF area ID error
OSPF: area mismatch                 OSPF area mismatch
OSPF: wrong virtual link            OSPF virtual link error
OSPF: wrong authentication type     OSPF authentication type error
OSPF: wrong authentication key      OSPF authentication key error
OSPF: too small packet              OSPF packet too small
OSPF: packet size > ip length       OSPF packet size exceeds IP packet length
OSPF: transmit error                OSPF transmission error
OSPF: interface down                OSPF interface is down, unavailable
OSPF: unknown neighbor              OSPF neighbors are unknown
HELLO: netmask mismatch             Network mask mismatch
HELLO: hello timer mismatch         Interval of HELLO packet is mismatched
HELLO: dead timer mismatch          Interval of dead neighbor packet is mismatched
HELLO: extern option mismatch       Extern option of Hello packet is mismatched
HELLO: router id confusion          Hello packet: Router ID confusion
HELLO: virtual neighbor unknown     Hello packet: unknown virtual neighbor
HELLO: NBMA neighbor unknown        Hello packet: unknown NBMA neighbor
DD: neighbor state low              Database description (DD) packet: asynchronous neighbor state
DD: router id confusion             DD packet: router id unidentifiable
DD: extern option mismatch          DD packet: external route flag error
DD: unknown LSA type                DD packet: unknown LSA type
LS ACK: neighbor state low          Link state acknowledgment (LS ACK) packet: asynchronous neighbor state
LS ACK: wrong ack                   Link state acknowledgment packet: ack error
LS ACK: duplicate ack               Link state acknowledgment packet: ack duplication
LS ACK: unknown LSA type            Link state acknowledgment packet: unknown LSA type
LS ACK: ACK length wrong            Link state acknowledgment packet: ACK length error
LS REQ: neighbor state low          Link state request (LS REQ) packet: asynchronous neighbor state
LS REQ: empty request               Link state request packet: empty request
LS REQ: wrong request               Link state request packet: erroneous request
LS REQ: wrong length                Link state request packet: length error
LS UPD: neighbor state low          Link state update packet: asynchronous neighbor state
LS UPD: newer self-generate LSA     Link state update packet: newer LSA generated by itself
LS UPD: LSA checksum wrong          Link state update packet: LSA checksum error
LS UPD: received less recent LSA    Link state update packet: received less recent LSA
LS UPD: unknown LSA type            Link state update packet: unknown LSA type
OSPF routing: next hop not exist    Next hop of OSPF routing does not exist
DD: MTU option mismatch             MTU option of DD packet is mismatched
ROUTETYPE: wrong type value         Route type: the value of the type is wrong
LS UPD: LSA length wrong            Link state update packet: LSA length error

display ospf interface

Syntax
display ospf [ process-id ] interface [ interface-type interface-number ]

View
Any view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
interface-type interface-number: Interface type and interface number.

Description
Use the display ospf interface command to display the OSPF interface information.

Examples
# Display the OSPF interface information of VLAN-interface 1.
<Sysname> display ospf interface vlan-interface 1
OSPF Process 1 with Router ID 1.1.1.1
Interfaces
Interface: 10.110.10.2 (Vlan-interface1)
Cost: 1 State: BackupDR Type: Broadcast
Priority: 1
Designated Router: 10.110.10.1
Backup Designated Router: 10.110.10.2
Timers: Hello 10, Dead 40, Poll 10, Retransmit 5, Transmit Delay 1

Table 4-6 Description on the fields of the display ospf interface command
Field                     Description
Cost                      Cost of the interface
State                     State of the interface state machine:
                          DOWN: No protocol packet is sent or received on the interface.
                          Waiting: The interface starts sending and receiving Hello packets and is trying to identify the (Backup) designated router for the network.
                          PtoP: The interface sends Hello packets at the interval of HelloInterval, and tries to establish an adjacency with the peer router.
                          DR: The router itself is the designated router on the attached network.
                          BDR: The router itself is the backup designated router on the attached network.
                          DROther: The interface is on a network on which another router has been selected to be the designated router.
Type                      Network type of OSPF interface. It can be Broadcast, NBMA, P2MP, or P2P.
Priority                  Priority of DR for interface election
Designated Router         DR on the network in which the interface resides
Backup Designated Router  BDR on the network in which the interface resides
Timers                    OSPF timers, defined as follows:
                          Hello: Interval of hello packet
                          Dead: Interval of dead neighbors
                          Poll: Interval of poll
                          Retransmit: Interval of retransmitting LSA
                          Transmit Delay: Delay time of transmitting LSA

display ospf lsdb

Syntax
display ospf process-id area-id lsdb [ brief | [ [ asbr | network | nssa | router | summary ] [ ip-address ] ] [ originate-router ip-address | self-originate ] ]
display ospf [ process-id ] lsdb [ brief | [ [ asbr | ase | network | nssa | router | summary ] [ ip-address ] ] [ originate-router ip-address | self-originate ] ]

View
Any view

Parameters
process-id: OSPF Process ID.
If you do not specify a process ID, this command applies to all current OSPF processes.
area-id: OSPF area ID, which can be a decimal integer (ranging from 0 to 4294967295) or in the form of an IP address.
brief: Displays brief database information.
asbr: Displays the database information about Type-4 LSAs (summary-Asbr-LSAs).
ase: Displays the database information about the Type-5 LSAs (AS-external-LSAs). This argument is unavailable if you have provided a value for area-id.
network: Displays the database information about the Type-2 LSAs (network-LSAs).
nssa: Displays the database information about the Type-7 LSAs (NSSA-external-LSAs).
router: Displays the database information about the Type-1 LSAs (router-LSAs).
summary: Displays the database information about the Type-3 LSAs (summary-net-LSAs).
ip-address: Link state identifier (in the form of an IP address).
originate-router ip-address: Specifies the IP address of the router advertising the LSAs.
self-originate: Displays the database information about the LSAs generated by the local router (self-originate LSAs).

Description
Use the display ospf lsdb command to display the database information about OSPF connecting state.
If no OSPF process is specified, LSDB information of all OSPF processes is displayed.

Examples
# Display the database information about OSPF connection state.
<Sysname> display ospf lsdb
OSPF Process 1 with Router ID 1.1.1.1
Link State Database
Area: 0.0.0.0
Type  LinkState ID   AdvRouter  Age   Len  Sequence  Metric  Where
Rtr   2.2.2.2        2.2.2.2    465   36   8000000c  0       SpfTree
Rtr   1.1.1.1        1.1.1.1    449   36   80000004  0       SpfTree
Net   10.153.17.89   2.2.2.2    465   32   80000004  0       SpfTree
SNet  10.153.18.0    1.1.1.1    355   28   80000003  10      Inter List
Area: 0.0.0.1
Type  LinkState ID   AdvRouter  Age   Len  Sequence  Metric  Where
Rtr   1.1.1.1        1.1.1.1    449   36   80000004  0       SpfTree
Rtr   3.3.3.3        3.3.3.3    429   36   8000000a  0       Clist
Net   10.153.18.89   3.3.3.3    429   32   80000003  0       SpfTree
SNet  10.153.17.0    1.1.1.1    355   28   80000003  10      Inter List
ASB   2.2.2.2        1.1.1.1    355   28   80000003  10      SumAsb List
AS External Database:
Type  LinkState ID   AdvRouter  Age   Len  Sequence  Metric  Where
ASE   10.153.18.0    1.1.1.1    1006  36   80000002  1       Ase List
ASE   10.153.16.0    2.2.2.2    798   36   80000002  1       Uninitialized
ASE   10.153.17.0    2.2.2.2    623   36   80000003  1       Uninitialized
ASE   10.153.17.0    1.1.1.1    1188  36   80000002  1       Ase List

Table 4-7 Description on the fields of the display ospf lsdb command
Field          Description
Type           Type of the LSA
LinkStateID    Link state ID of the LSA
AdvRouter      Router ID of the router that advertises the LSA
Age            Age of the LSA
Len            Length of the LSA
Sequence       Sequence number of the LSA
Metric         Cost from the router that advertises the LSA to LSA destination
Where          Location of the LSA, used to indicate in which stage of the route calculation the LSA is:
               Uninitialized: The LSA is not initialized or is originated by another router.
               Clist: The LSA is on the candidate list.
               SpfTree: The LSA is in the SPF tree.
               SumAsb List: The LSA is in the AS border reachable to the attached area.
               SumNet List: The LSA is in another area reachable to the attached area.
               Inter List: The LSA is in another area.
               Sum Infinity: The LSA is in an unreachable area.
               Ase List: The LSA is outside the AS and is reachable.
               Ase Infinity: The LSA is outside the AS and is unreachable.
               Nssa List: The LSA is in an NSSA.
               Nssa Infinity: The LSA is in an unreachable NSSA.

<Sysname> display ospf lsdb ase
OSPF Process 1 with Router ID 1.1.1.1
Link State Database
Type : ASE
Ls id : 10.0.0.0
Adv rtr : 2.2.2.2
Ls age : 87
Len : 36
Seq# : 80000001
Chksum : 0xb45d
Options : (DC)
Net mask : 255.0.0.0
Tos 0 metric: 1
E type : 2
Forwarding Address :192.168.0.37
Tag: 1

Table 4-8 Description on the fields of the display ospf lsdb ase command
Field                 Description
type                  Type of the LSA
ls id                 Link state ID of the LSA
adv rtr               Router ID of the router that advertises the LSA
ls age                Age of the LSA
len                   Length of the LSA
seq#                  Sequence number of the LSA
chksum                Checksum of the LSA
Options               Options of the LSA:
                      O: Opaque LSA advertisement and reception capability
                      E: AS External LSA reception capability
                      EA: External extended LSA reception and forwarding capability
                      DC: On-demand link support
                      N: NSSA external LSA support
                      P: Capability of an NSSA ABR to translate Type-7 LSAs into Type-5 LSAs.
Net mask              Network mask
E type                Type of external route:
                      1: Type-1 external route
                      2: Type-2 external route
Forwarding Address    Forwarding address
Tag                   Tag

display ospf nexthop

Syntax
display ospf [ process-id ] nexthop

View
Any view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.

Description
Use the display ospf nexthop command to display the OSPF next-hop information.

Examples
# Display the OSPF next-hop information.
<Sysname> display ospf nexthop
OSPF Process 1 with Router ID 1.1.1.1
Next hops:
Address       Type      Refcount  Intf Addr     Intf Name
--------------------------------------------------------------
202.38.160.1  Direct    3         202.38.160.1  Vlan-interface2
202.38.160.2  Neighbor  1         202.38.160.1  Vlan-interface2

Table 4-9 Description on the fields of the display ospf nexthop command
Field      Description
Next hops  Detailed information of next hops
Address    IP address of next hop
Type       Type of next hop
Refcount   Reference count of the next hop, namely, number of routes using the next hop
Intf Addr  IP address of the interface to the next hop
Intf Name  Name of the interface to the next hop

display ospf peer

Syntax
display ospf [ process-id ] peer [ brief | statistics ]

View
Any view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
brief: Displays brief information of OSPF neighbors.
statistics: Displays the statistics of OSPF neighbors.

Description
Use the display ospf peer command to display the information of OSPF neighbors.

Examples
# Display the information of OSPF neighbors.
<Sysname> display ospf peer
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 10.153.17.88(Vlan-interface1)'s neighbor(s)
RouterID: 2.2.2.2
State: Full
Address: 10.153.17.89
Mode: Nbr is Master
DR: 10.153.17.89
Priority: 1
BDR: 10.153.17.88
Dead timer expires in 31s
Neighbor has been up for 01:14:14

Table 4-10 Description on the fields of the display ospf peer command
Field     Description
RouterID  ID of a neighbor router
Address   IP address of the interface on a neighbor router
State     State of a neighbor:
  Down: This is the initial state of a neighbor conversation.
  Init: In this state, the router has seen a Hello packet from the neighbor.
  However, the router has not established bidirectional communication with the neighbor (the router itself did not appear in the neighbor's hello packet).
  Attempt: Available only in an NBMA network. In this state, the OSPF router has not received any information from a neighbor for a period but can send Hello packets with a longer interval to keep neighbor relationship.
  2-Way: In this state, communication between the two routers is bidirectional. The router itself appears in the neighbor's Hello packet.
  Exstart: The goal of this state is to decide which router is the master, and to decide upon the initial Database Description (DD) sequence number.
  Exchange: In this state, the router is sending DD packets to the neighbor, describing its entire link-state database.
  Loading: In this state, the router sends Link State Request packets to the neighbor, requesting more recent LSAs.
  Full: In this state, the neighboring routers are fully adjacent.
Mode                               Master/Slave mode formed by negotiation in exchanging DD packet
Priority                           Priority of DR/BDR for neighbor election
DR                                 DR in the subnet the interface is attached to
BDR                                BDR in the subnet the interface is attached to
Dead timer expires in 31s          If no hello packet is received from the neighbor within this interval, the neighbor will be considered dead.
Neighbor has been up for 01:14:14  Lifetime of neighbor

# Display the brief information about every peer.
<Sysname> display ospf peer brief
OSPF Process 1 with Router ID 1.1.1.1
Neighbor Brief Information
Area 0.0.0.1:
Router ID  Address      Pri  DeadTime(s)  Interface         State
2.2.2.2    192.168.0.2  1    39           Vlan-interface 1  Full/BDR

Table 4-11 Description on the fields of the display ospf peer brief command
Field        Description
Router ID    Router ID of neighbor router
Address      IP address of the interface of a neighbor router
Pri          Priority of a neighbor router
DeadTime(s)  Dead time, in seconds, of neighbor router
Interface    Type and number of the local router interface connected to the neighbor router
State        State of a neighbor router, including Down, Init, Attempt, 2-Way, Exstart, Exchange, Loading, and Full. If the neighbor router is a designated router, DR will be attached to the state. If the neighbor router is a backup designated router, BDR will be attached. If the neighbor router is neither a DR nor a BDR, only the state is displayed.

# Display OSPF neighbor statistics.
<Sysname> display ospf peer statistics
OSPF Process 1 with Router ID 1.1.1.1
Neighbor Statistics
Area ID  Down  Attempt  Init  2-Way  ExStart  Exchange  Loading  Full  Total
0.0.0.1  0     0        0     0      0        0         0        1     1
Total    0     0        0     0      0        0         0        1     1

Table 4-12 Description on the fields of the display ospf peer statistics command
Field    Description
Area ID  Area ID
Down     Initial state for OSPF to establish neighbor relation, which indicates that OSPF router does not receive the message from a certain neighbor router within a period of time
Attempt  It is enabled in an NBMA environment, such as Frame Relay, X.25 or ATM. It indicates that OSPF router does not receive the message from a certain neighbor router within a period of time, but still attempts to send Hello packet to the adjacent routers for their communications with a lower frequency.
Init     It indicates that OSPF router has received Hello packet from a neighbor router, but its IP address is not contained in the Hello packet.
         Therefore, a two-way communication between them has not been established.
2-Way     It indicates that a two-way communication between OSPF router and neighbor router has been established. DR and BDR can be selected in this state (or higher state).
ExStart   In this state, the router determines the sequence number of initial database description (DD) packet used for data exchange, so that it can obtain the latest link state information
Exchange  It indicates that OSPF router sends DD packet to its neighbor routers to exchange link state information
Loading   In this state, OSPF router requests neighbor routers based on the updated link state information from neighbor routers and its expired information, and waits for response from neighbor routers
Full      It indicates that database synchronization between the routers that have established neighbor relation has been completed, and their link state databases have been consistent
Total     Total number of neighbors in various states

display ospf request-queue

Syntax
display ospf [ process-id ] request-queue

View
Any view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.

Description
Use the display ospf request-queue command to display the information about the OSPF request-queue.

Examples
# Display the information about the OSPF request-queue.
<Sysname> display ospf request-queue
The Router's Neighbors is
RouterID: 1.1.1.1    Address: 1.1.1.1
Interface: 1.1.1.3   Area: 0.0.0.0
LSID:1.1.1.3  AdvRouter:1.1.1.3  Sequence:80000017  Age:35

Table 4-13 Description on the fields of the display ospf request-queue command
Field      Description
RouterID   ID of a neighbor router
Address    IP address of the interface on a neighbor router
Interface  IP address of the interface on the local router
Area       Area number of OSPF
LSID       Link state ID in the LSA
AdvRouter  Router ID of the router that advertised the LSA
Sequence   Sequence number of the LSA, used to discover old and repeated LSAs
Age        Age of the LSA

display ospf retrans-queue

Syntax
display ospf [ process-id ] retrans-queue

View
Any view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.

Description
Use the display ospf retrans-queue command to display the information about the OSPF retransmission queue.

Examples
# Display the information about the OSPF retransmission queue.
<Sysname> display ospf retrans-queue
OSPF Process 200 with Router ID 103.160.1.1
Retransmit List
The Router's Neighbors is
RouterID: 162.162.162.162  Address: 103.169.2.2
Interface: 103.169.2.5     Area: 0.0.0.1
Retrans list:
Type: ASE  LSID:129.11.77.0   AdvRouter:103.160.1.1
Type: ASE  LSID:129.11.108.0  AdvRouter:103.160.1.1

Table 4-14 Description on the fields of the display ospf retrans-queue command
Field         Description
RouterID      ID of a neighbor router
Address       IP address of the interface on a neighbor router
Interface     IP address of the interface on the local router
Retrans list  Retransmit list
Area          Area number of OSPF
Type          Type of the LSA
LSID          Link State ID of the LSA
AdvRouter     Router ID of the router that advertises the LSA

display ospf routing

Syntax
display ospf [ process-id ] routing

View
Any view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535.
If you do not specify a process ID, this command applies to all current OSPF processes.

Description
Use the display ospf routing command to display the information about OSPF routing table.

Examples
# Display OSPF routing information.
<Sysname> display ospf routing
OSPF Process 1 with Router ID 1.1.1.1
Routing Tables
Routing for Network
Destination    Cost  Type  NextHop      AdvRouter   Area
10.110.0.0/16  1     Net   10.110.10.1  10.10.10.1  0.0.0.0
10.10.0.0/16   1     Stub  10.10.0.1    3.3.3.3     0.0.0.0
Total Nets: 2
Intra Area: 2 Inter Area: 0 ASE: 0 NSSA: 0

Table 4-15 Description on the fields of the display ospf routing command
Field        Description
Destination  IP address of the destination network
Cost         Cost of a route
Type         Type of route
NextHop      Next hop of route
AdvRouter    ID of the router that advertises the route
Area         Area ID
Total Nets   Total number of intra-area routes, inter-area routes, external routes, and NSSA routes
Intra Area   Number of intra-area routes
Inter Area   Number of inter-area routes
ASE          Number of external routes
NSSA         Number of NSSA routes

display ospf vlink

Syntax
display ospf [ process-id ] vlink

View
Any view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.

Description
Use the display ospf vlink command to display the information about OSPF virtual links.

Examples
# Display OSPF virtual link information.
<Sysname> display ospf vlink
OSPF Process 1 with Router ID 1.1.1.0
Virtual Links
Virtual-link Neighbor-id -> 1.1.1.1, State: Full
Interface: 192.168.0.37 (Vlan-interface1)
Cost: 10 State: PtoP Type: Virtual
Transit Area: 0.0.0.2
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay

Table 4-16 Description on the fields of the display ospf vlink command
Field                     Description
Virtual-link Neighbor-id  ID of a virtual-link neighbor router
State                     State of a neighbor router. It can be Down, Init, Attempt, 2-Way, Exstart, Exchange, Loading, or Full.
Cost            Route cost of the interface
State           State of the interface state machine:
  DOWN: No protocol packet is sent or received on the interface.
  Waiting: The interface starts sending and receiving Hello packets and is trying to identify the (Backup) designated router for the network.
  PtoP: The interface sends Hello packets at the interval of HelloInterval, and tries to establish an adjacency with the peer router.
  DR: The router itself is the designated router on the attached network.
  BDR: The router itself is the backup designated router on the attached network.
  DROther: The interface is on a network on which another router has been selected to be the designated router.
Type            Type: virtual link
Transit Area    ID of transit area
Timers          OSPF timers, including
  Hello: Hello interval
  Dead: Dead neighbor interval
  Poll: Poll interval
  Retransmit: Interval for retransmitting LSA
Transmit Delay  Delay time of transmitting LSA

filter-policy export

Syntax
filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol ]
undo filter-policy { acl-number | ip-prefix ip-prefix-name} export [ protocol ]

View
OSPF view

Parameters
acl-number: Number of an ACL used to match the destination address in routing information, in the range of 2000 to 3999.
ip-prefix-name: Name of the address prefix list used to match the destination address in routing information, a string of up to 19 characters.
protocol: Filters outgoing routes redistributed from the routing protocol, including direct, rip, and static.
For details about IP prefix list information, refer to the section IP Route Policy Configuration.

Description
Use the filter-policy export command to configure the filtering of outgoing redistributed routes.
Use the undo filter-policy export command to disable such filtering.
By default, filtering of outgoing redistributed routes is not configured.
In some cases, it may be required that only the routing information meeting some conditions can be advertised.
You can use the filter-policy command to set the filtering conditions for the routing information to be advertised. Only the routing information passing the filtration can be advertised.
This command filters routes redistributed (with the import-route command) by OSPF. If the protocol argument is specified, this command filters only the outgoing routes redistributed from the protocol. If the protocol argument is not specified, the outgoing routes redistributed from all protocols will be filtered.
Related commands: acl, ip ip-prefix.
For details about ACL, refer to the section ACL Operation.

Examples
# Reference ACL 2000 to filter outgoing redistributed routing information.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 permit source 10.1.1.1 0.0.0.255
[Sysname-acl-basic-2000] quit
[Sysname] ospf
[Sysname-ospf-1] filter-policy 2000 export

filter-policy import

Syntax
filter-policy { acl-number | ip-prefix ip-prefix-name | gateway prefix-list-name } import
undo filter-policy { acl-number | ip-prefix ip-prefix-name | gateway ip-prefix-name } import

View
OSPF view

Parameters
acl-number: Number of an ACL used to match destination addresses in routing information, in the range 2000 to 3999.
ip-prefix-name: Name of the IP prefix list used to match destination addresses in routing information, a string of 1 to 19 characters.
gateway ip-prefix-name: Name of an IP address prefix list used to filter routes based on the next hop of the routing information, a string of 1 to 19 characters.
For details about IP prefix lists, refer to the section IP Route Policy Configuration.

Description
Use the filter-policy import command to configure the filtering of incoming routes.
Use the undo filter-policy import command to disable such filtering.
By default, no filtering of incoming routes is configured.
In some cases, it may be required that only the routing information meeting some conditions can be received. You can use the filter-policy import command to set the matching rules for the routing information to be received. Only the routing information matching the rules will be received.
The filter-policy import command only filters the routes calculated with the SPF algorithm. Only the routes passing the filtration can be added to the routing table.
OSPF is a dynamic routing protocol based on link state, with routing information contained in LSAs. For the filtering of incoming routes, routes to be filtered are calculated by SPF and installed in the OSPF routing table. For the filtering of outgoing routes, denied LSAs will not be generated for advertisement.

Examples
# Reference ACL 2000 to filter incoming routing information.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl ospf
[Sysname-ospf-1] filter-policy 2000 import

import-route

Syntax
import-route protocol [ process-id ] [ cost value | type value | tag value | route-policy route-policy-name ] *
undo import-route protocol [ process-id ]

View
OSPF view

Parameters
protocol: Source routing protocol whose routes will be imported. At present, it can be direct, ospf, ospf-ase, ospf-nssa, rip, or static.
process-id: OSPF Process ID, in the range of 1 to 65535. This argument is valid only when the routing protocol is ospf, ospf-ase, or ospf-nssa.
route-policy: Redistributes only the routing information matching the routing policy.
route-policy-name: Name of a routing policy, a string of up to 19 characters.
cost value: Specifies the cost of redistributed routes. The cost value ranges from 0 to 16777214 and defaults to 1.
type value: Specifies the type of redistributed routes. The type value is 1 or 2 and defaults to 2.
tag value: Specifies the tag of redistributed routes. A tag can be used by a route policy. The tag value ranges from 0 to 4294967295 and defaults to 1.

Description
Use the import-route command to redistribute external routes.
Use the undo import-route command to disable redistribution from other protocols.
You are recommended to configure the route type, cost and tag together in one command. When you configure them individually, the new configuration for an attribute will overwrite the old configuration for the attribute.
By default, OSPF does not redistribute any routing information of other protocols.

Examples
# Redistribute routes from RIP and specify the type as type-2, tag as 33, and cost as 50 for redistributed routes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] import-route rip type 2 tag 33 cost 50

log-peer-change

Syntax
log-peer-change
undo log-peer-change

View
OSPF view

Parameters
None

Description
Use the log-peer-change command to enable logging of OSPF neighbor state changes.
Use the undo log-peer-change command to disable logging of OSPF neighbor state changes.
By default, logging of OSPF neighbor state changes is disabled.
Note that:
With the logging enabled, the system will output log information when a neighbor changes to the Full state or to the Down state. Neighbor states include Down, Init, Attempt, 2-Way, Exstart, Exchange, Loading and Full.

Examples
# Enable logging of neighbor state changes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] log-peer-change

multi-path-number

Syntax
multi-path-number value
undo multi-path-number

View
OSPF view

Parameters
value: Number of equal cost multi-path (ECMP) routes, in the range of 1 to 3.

Description
Use the multi-path-number command to set the number of OSPF ECMP routes.
Use the undo multi-path-number command to restore the default.
By default, the number of OSPF ECMP routes is 3.

Examples
# Set the number of OSPF ECMP routes to 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] multi-path-number 2

network

Syntax
network ip-address wildcard-mask
undo network ip-address wildcard-mask

View
OSPF area view

Parameters
ip-address: IP address of the network segment where the interface resides, in dotted decimal notation.
wildcard-mask: Wildcard mask, in dotted decimal notation. The wildcard mask is the exact reverse, bit for bit, of the subnet mask. For example, if the subnet mask is 255.0.0.0, the wildcard mask is 0.255.255.255.

Description
Use the network command to enable an interface to run the OSPF protocol.
Use the undo network command to disable an interface from running OSPF.
By default, the interface does not belong to any area.
To run OSPF on an interface, the master IP address of this interface must be in the range of the network segment specified by this command. If only the slave IP address of the interface is in the range of the network segment specified by this command, this interface will not run OSPF.
Related commands: ospf.

Examples
# Specify the interfaces whose master IP addresses are in the segment range of 10.110.36.0/24 to run OSPF and specify the number of the OSPF area (where these interfaces reside) as 6.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] area 6
[Sysname-ospf-1-area-0.0.0.6] network 10.110.36.0 0.0.0.255

nssa

Syntax
nssa [ default-route-advertise | no-import-route | no-summary | translate-always ] *
undo nssa

View
OSPF area view

Parameters
default-route-advertise: Redistributes a default route into an NSSA.
no-import-route: Redistributes no routes into an NSSA.
no-summary: Advertises only a default route in a Type-3 summary LSA into the NSSA area and disables the ABR from transmitting any other Type-3 LSAs to an NSSA.
translate-always: Specifies the ABR as the Type-7 LSAs translator of the NSSA area. This keyword takes effect only on the ABR of an NSSA area.

Description
Use the nssa command to configure an OSPF area as an NSSA area.
Use the undo nssa command to cancel the function.
By default, no NSSA area is configured.
For all the routers connected to the NSSA area, the nssa command must be used to configure the area as an NSSA.
The default-route-advertise keyword is available only on an NSSA ABR or ASBR. If this keyword is configured on an NSSA ABR, the ABR generates a default route in a Type-7 LSA into the NSSA regardless of whether the default route is available. If it is configured on an ASBR, only when a default route is available on the ASBR can it generate the default route in a Type-7 LSA into the attached area.
The no-import-route keyword is usable only on an NSSA ABR that is also the ASBR of the OSPF routing domain. It disables redistributed routes from entering the NSSA area, but allows them to enter other OSPF areas.
The no-summary keyword is usable only on an NSSA ABR to advertise only a default route in a Type-3 summary LSA into the NSSA area. In this way, all the other summary LSAs are not advertised into the area. Such an area is known as an NSSA totally stub area.
The translate-always keyword is used to specify the ABR of an NSSA area as the Type-7 LSAs translator. In the NSSA area, the Type-7 LSAs translator state determines whether the ABR needs to translate Type-7 LSAs into Type-5 LSAs. You can use the display ospf brief command to display the Type-7 LSAs translator state.
If the translate-always keyword is not used on the ABR, the ABR will take part in the Type-7 LSAs translator election among all the ABRs in the NSSA area.
- If the Type-7 LSAs translator state is Elected after the election, the ABR translates Type-7 LSAs into Type-5 LSAs.
- If the Type-7 LSAs translator state is Disabled after the election, the ABR does not translate Type-7 LSAs into Type-5 LSAs.
If the ABR has the translate-always keyword configured and has a neighbor in the FULL state in the backbone area, its Type-7 LSAs translator state becomes Enabled and it will translate Type-7 LSAs into Type-5 LSAs.
After an OSPF area is configured as a Stub area, the ABR in the area automatically advertises a default route into the attached NSSA area. After an area is configured as an NSSA area, however, no ABR or ASBR in the area will automatically advertise a default route into the attached NSSA.

Examples
# Configure area 1 as NSSA area.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] area 1
[Sysname-ospf-1-area-0.0.0.1] network 36.0.0.0 0.255.255.255
[Sysname-ospf-1-area-0.0.0.1] nssa

ospf

Syntax
ospf [ process-id [ router-id router-id ] ]
undo ospf [ process-id ]

View
System view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. By default, the process ID is 1. process-id is locally significant.
router-id: Router ID of an OSPF process, in dotted decimal notation.

Description
Use the ospf command to enable one or more OSPF processes or enter OSPF view.
Use the undo ospf command to disable an OSPF process.
By default, the system does not run any OSPF process.
Related commands: network.
- To run OSPF, a router must have a router ID specified. If no router ID is specified, the system will automatically select one of the router interface IP addresses as the router ID.
- If a router runs multiple OSPF processes, you are recommended to specify a router ID for each process by using the ospf command.

Examples
# Enable OSPF process 120, with the Router ID being 10.110.1.8.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] router id 10.110.1.8
[Sysname] ospf 120 router-id 10.110.1.8
[Sysname-ospf-120]

ospf authentication-mode

Syntax
ospf authentication-mode { simple password | md5 key-id key }
undo ospf authentication-mode { simple | md5 }

View
Interface view

Parameters
simple: Plain authentication.
md5: MD5 authentication.
password: Password for plain authentication. The password argument is a string of up to eight characters.
key-id: ID of the authentication key in MD5 authentication mode, ranging from 1 to 255.
key: MD5 authentication key. If it is input in plain text form, the MD5 key is a string of 1 to 16 characters. It is displayed in cipher text form, 24 characters in length, when the display current-configuration command is executed. Inputting the MD5 key in cipher text form, 24 characters in length, is also supported.

Description
Use the ospf authentication-mode command to configure the authentication mode and key between adjacent routers.
Use the undo ospf authentication-mode command to cancel the authentication key that has been set.
By default, the interface does not authenticate the OSPF packets.
The passwords for authentication keys of the routers on the same network segment must be identical. In addition, you need to use the authentication-mode command to set the authentication type of the area, so as to validate the configuration.
Related commands: authentication-mode.

Examples
# Configure area 1 where the network segment 131.119.0.0 of interface VLAN-interface 10 resides to support MD5 cipher text authentication. Set the authentication key identifier to 15 and the authentication key to abc.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] area 1
[Sysname-ospf-1-area-0.0.0.1] network 131.119.0.0 0.0.255.255
[Sysname-ospf-1-area-0.0.0.1] authentication-mode md5
[Sysname-ospf-1-area-0.0.0.1] quit
[Sysname-ospf-1] quit
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] ospf authentication-mode md5 15 abc

ospf cost

Syntax
ospf cost value
undo ospf cost

View
Interface view

Parameters
value: Cost for running an OSPF process on an interface, in the range of 1 to 65535.

Description
Use the ospf cost command to configure the OSPF cost on an interface.
Use the undo ospf cost command to restore the default.
By default, the OSPF cost on an interface is 10.
You can use the display ospf brief command to display the OSPF cost information.
Related commands: display ospf brief.

Examples
# Specify the OSPF cost on the interface as 33.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] ospf cost 33

ospf dr-priority

Syntax
ospf dr-priority priority
undo ospf dr-priority

View
Interface view

Parameters
priority: Designated router (DR) election priority of the interface, in the range of 0 to 255.

Description
Use the ospf dr-priority command to configure the DR election priority of the interface.
Use the undo ospf dr-priority command to restore the default.
By default, the DR election priority of an interface is 1.
The DR election priority of an interface determines the qualification of the interface. The interface with a higher priority will be preferred when an election conflict occurs. An interface with a DR priority of 0 does not take part in any DR election.
The priority of a router affects the DR and BDR election. However, a router that has a higher priority specified after the DR and BDR have been selected cannot become the DR or BDR immediately.

Examples
# Set the DR election priority of the interface VLAN-interface 10 to 8.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ospf dr-priority 8

ospf mib-binding

Syntax
ospf mib-binding process-id
undo ospf mib-binding

View
System view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535.

Description
Use the ospf mib-binding command to bind MIB operations to the specified OSPF process.
Use the undo ospf mib-binding command to restore the default.
By default, MIB operations are bound to the first enabled OSPF process.
When OSPF enables the first process, OSPF always binds MIB operation to this process. You can use this command to bind MIB operation to another OSPF process. To cancel the binding, use the undo ospf mib-binding command. OSPF will automatically re-bind MIB operation to the first process that it enables.

Examples
# Bind MIB operations to OSPF process 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf mib-binding 100

ospf mtu-enable

Syntax
ospf mtu-enable
undo ospf mtu-enable

View
Interface view

Parameters
None

Description
Use the ospf mtu-enable command to add the interface MTU to the MTU field in DD packets.
Use the undo ospf mtu-enable command to restore the default.
By default, the MTU field in DD packets is 0. That is, no interface MTU is added to the MTU field in DD packets.
The default MTU value in DD packet is 0. You can use this command to add the interface MTU to the MTU field in DD packets.
When a router starts, it sends a Hello packet via the OSPF interface, and the router that receives the hello packet checks parameters carried in the packet. If parameters of the two routers match, they become neighbors. Not every pair of neighboring routers become adjacent, which depends on network types. Only by synchronizing the LSDB via exchanging DD packets and LSAs can two routers become adjacent.
If the MTU values of the DD packets sent by two neighboring routers are different, they will not receive DD packets from each other and therefore they will not become adjacent.

Examples
# Add the MTU of the interface VLAN-interface 3 to the MTU field in DD packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 3
[Sysname-Vlan-interface3] ospf mtu-enable

ospf network-type

Syntax
ospf network-type { broadcast | nbma | p2mp [ unicast ] | p2p }
undo ospf network-type

View
Interface view

Parameters
broadcast: Specifies the network type as broadcast.
nbma: Specifies the network type as NBMA.
p2mp: Specifies the network type as point-to-multipoint.
unicast: Sends packets to unicast addresses.
p2p: Specifies the network type as point-to-point.

Description
Use the ospf network-type command to configure the network type for an interface.
Use the undo ospf network-type command to restore the default network type.
OSPF divides networks into four types based on link layer protocol:
- Broadcast: If Ethernet or FDDI is adopted, OSPF defaults the network type to broadcast.
- Non-Broadcast Multi-access (NBMA): If Frame Relay, ATM, HDLC or X.25 is adopted, OSPF defaults the network type to NBMA.
- Point-to-Multipoint (P2MP): OSPF will not default the network type of any link layer protocol to P2MP. The general undertaking is to change a partially connected NBMA network to P2MP network.
- Point-to-point (P2P): If PPP, LAPB or POS is adopted, OSPF defaults the network type to P2P.
If there is any router not supporting multicast addresses on a broadcast network, the network type of the interface can be changed to NBMA.
For a non-broadcast multi-accessible network to be of NBMA type, any two routers in the network must be directly reachable to each other through a virtual circuit. In other words, the network must be fully-meshed.
For a network not meeting this condition, the network type of the interface must be changed to point-to-multipoint. In this way, routing information can be exchanged between two routers not directly reachable to each other through another router that is directly reachable to the two routers.
If only two routers run OSPF in the same network segment, the network type of the interface can also be changed to point-to-point.
For a P2MP interface,
- If the unicast keyword is not specified, the interface sends packets to multicast addresses.
- If the unicast keyword is specified, the interface sends packets to unicast addresses. In this case, you must use the peer command to specify the neighbor.
Note that you must use the peer command to configure the peer if the network type of the interface is NBMA or manually changed to NBMA with the ospf network-type command.
Related commands: ospf dr-priority.

Examples
# Set the network type of the interface VLAN-interface 10 to NBMA.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] ospf network-type nbma

ospf timer dead

Syntax
ospf timer dead seconds
undo ospf timer dead

View
Interface view

Parameters
seconds: Dead interval of the OSPF neighbor. It is in seconds and ranges from 1 to 65535.

Description
Use the ospf timer dead command to configure the dead interval of the OSPF neighbor.
Use the undo ospf timer dead command to restore the default.
By default, the dead interval is
- 40 seconds for the OSPF peers of p2p and broadcast interfaces
- 120 seconds for those of p2mp and nbma interfaces
The dead interval of OSPF peers means that, within this interval, if no Hello message is received from the peer, the peer will be considered to be invalid. The value of dead seconds should be at least four times that of the Hello seconds. The dead seconds for the interfaces on the same network segment must be identical.
Related commands: ospf timer hello.
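
Added example (not part of the H3C manual): a Python audit over a constructed configuration dump, applying rules this chapter states: an interface runs OSPF only if its master IP falls inside a network statement, authentication must be set on both the interface and its area, dead seconds should be at least four times hello seconds, and log-peer-change is off by default. The dump layout, the sub keyword marking a slave address, the finding labels, and all addresses and keys are assumptions of this example.

```python
import ipaddress

# Constructed sample in the assumed layout of a saved configuration.
# Addresses, keys and VLAN numbers are made up for this example.
SAMPLE_CONFIG = """\
#
interface Vlan-interface10
 ip address 131.119.1.1 255.255.0.0
 ospf authentication-mode md5 15 CONSTRUCTED-CIPHER-KEY
 ospf timer hello 20
 ospf timer dead 80
#
interface Vlan-interface20
 ip address 10.110.36.1 255.255.255.0
 ospf authentication-mode simple CONSTRUCTED
 ospf timer hello 20
#
interface Vlan-interface30
 ip address 36.1.1.1 255.0.0.0
#
interface Vlan-interface40
 ip address 192.168.0.37 255.255.255.0
 ip address 36.2.2.2 255.0.0.0 sub
#
ospf 1
 area 0.0.0.1
  authentication-mode md5
  network 131.119.0.0 0.0.255.255
  network 36.0.0.0 0.255.255.255
 area 0.0.0.6
  network 10.110.36.0 0.0.0.255
#
"""

# Broadcast/p2p defaults stated in the manual; Vlan-interfaces are assumed broadcast.
DEFAULT_HELLO, DEFAULT_DEAD = 10, 40


def wildcard_match(ip, network, wildcard):
    """True if ip lies in network under an inverse (wildcard) mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def parse(config):
    """Collect interface, area and process settings relevant to the audit."""
    interfaces, areas, processes = {}, [], {}
    iface = proc = area = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words == ["#"]:
            iface = proc = area = None
        elif not raw.startswith(" "):  # a top-level command opens a new view
            iface = proc = area = None
            if words[0] == "interface" and len(words) > 1:
                iface = interfaces.setdefault(words[1], {
                    "ip": None, "auth": None,
                    "hello": DEFAULT_HELLO, "dead": DEFAULT_DEAD})
            elif words[0] == "ospf" and (len(words) == 1 or words[1].isdigit()):
                pid = words[1] if len(words) > 1 else "1"
                proc = processes.setdefault(pid, {"log_peer_change": False})
        elif iface is not None:
            if words[:2] == ["ip", "address"] and len(words) >= 4 and "sub" not in words:
                iface["ip"] = words[2]  # master address only; slave ones do not count
            elif words[:2] == ["ospf", "authentication-mode"] and len(words) > 2:
                iface["auth"] = words[2]
            elif words[:2] == ["ospf", "timer"] and len(words) == 4 and words[2] in ("hello", "dead"):
                iface[words[2]] = int(words[3])
        elif proc is not None:
            if words[0] == "log-peer-change":
                proc["log_peer_change"] = True
            elif words[0] == "area" and len(words) > 1:
                area = {"id": words[1], "auth": None, "networks": []}
                areas.append(area)
            elif area is not None and words[0] == "authentication-mode" and len(words) > 1:
                area["auth"] = words[1]
            elif area is not None and words[0] == "network" and len(words) == 3:
                area["networks"].append((words[1], words[2]))
    return interfaces, areas, processes


def audit(config):
    """Return (object, finding) pairs for OSPF hardening gaps."""
    interfaces, areas, processes = parse(config)
    findings = []
    for name, intf in interfaces.items():
        area = next((a for a in areas if intf["ip"] and any(
            wildcard_match(intf["ip"], n, w) for n, w in a["networks"])), None)
        if area is None:
            continue  # master IP matches no network statement: OSPF is not running here
        if intf["auth"] is None:
            findings.append((name, "no-interface-auth"))
        elif intf["auth"] == "simple":
            findings.append((name, "simple-auth"))  # password is carried in clear text
        if area["auth"] is None:
            findings.append((name, "area-auth-not-set"))
        elif intf["auth"] is not None and intf["auth"] != area["auth"]:
            findings.append((name, "auth-mode-mismatch"))
        if intf["dead"] < 4 * intf["hello"]:
            findings.append((name, "dead-lt-4x-hello"))
    for pid, proc in processes.items():
        if not proc["log_peer_change"]:
            findings.append(("ospf " + pid, "no-log-peer-change"))
    return findings


if __name__ == "__main__":
    for target, finding in audit(SAMPLE_CONFIG):
        print(target, finding)
```

Vlan-interface40 produces no finding because only its slave address falls inside a network statement, so it does not run OSPF.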
Examples

# Set the peer dead interval on the interface VLAN-interface 10 to 80 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] ospf timer dead 80

ospf timer hello

Syntax
ospf timer hello seconds
undo ospf timer hello

View
Interface view

Parameters
seconds: Interval, in seconds, at which an interface transmits hello packet. It ranges from 1 to 255.

Description
Use the ospf timer hello command to configure the interval for transmitting Hello messages on an interface.
Use the undo ospf timer hello command to restore the interval to the default.
By default, the Hello interval is
- 10 seconds for an interface of p2p or broadcast
- 30 seconds for an interface of p2mp or nbma
Hello packets are periodically sent to find and maintain neighbors and used for DR/BDR election. The hello seconds value must be identical on interfaces attached to the same network segment. Otherwise, neighbor relationships cannot be established between routers.

Related commands: ospf timer dead.

Examples

# Configure the interval of transmitting Hello messages on the interface VLAN-interface 10 to 20 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] ospf timer hello 20

ospf timer poll

Syntax
ospf timer poll seconds
undo ospf timer poll

View
Interface view

Parameters
seconds: Poll Hello interval in seconds. It ranges from 1 to 65535.

Description
Use the ospf timer poll command to configure the poll interval at which the interface sends hello packets to the neighbor in the Down state.
Use the undo ospf timer poll command to restore the default.
By default, the poll interval is 40 seconds.
On an NBMA network, if a neighbor becomes invalid, Hello packets will be transmitted at intervals of poll seconds.
You can configure the poll seconds to specify how often the interface transmits Hello packets before it establishes neighbor relationship with the router. The poll interval should be no less than 4 times the Hello interval.

Examples

# Configure to transmit poll Hello packet through interface VLAN-interface 20 every 130 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 20
[Sysname-Vlan-interface20] ospf timer poll 130

ospf timer retransmit

Syntax
ospf timer retransmit interval
undo ospf timer retransmit

View
Interface view

Parameters
interval: Interval, in seconds, for retransmitting LSA on an interface. It ranges from 1 to 3600.

Description
Use the ospf timer retransmit command to configure the interval for retransmitting an LSA on an interface.
Use the undo ospf timer retransmit command to restore the default.
By default, the interval for retransmitting an LSA is 5 seconds.
If a router running OSPF transmits a link state advertisement (LSA) to the peer, it needs to wait for the acknowledgement packet from the peer. If no acknowledgement is received from the peer within the LSA retransmission interval, this LSA will be retransmitted.
The LSA retransmit between adjacent routers should not be set too short; otherwise, unexpected retransmission will occur (See RFC2328).

Examples

# Set the interval for retransmitting LSA between the interface VLAN-interface 10 and the adjacent routers to 12 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] ospf timer retransmit 12

ospf trans-delay

Syntax
ospf trans-delay seconds
undo ospf trans-delay

View
Interface view

Parameters
seconds: LSA transmission delay in seconds on an interface. It ranges from 1 to 3600.

Description
Use the ospf trans-delay command to configure the LSA transmission delay on an interface.
Use the undo ospf trans-delay command to restore the default.
By default, the LSA transmission delay on an interface is 1 second.
Each LSA in the LSDB has an age that is incremented by 1 every second, but the age does not change during transmission. Therefore, it is necessary to add a transmission delay into its age time, which is important for low speed networks.

Examples

# Set the LSA transmission delay on the interface VLAN-interface 10 to 3 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] ospf trans-delay 3

peer

Syntax
peer ip-address [ dr-priority dr-priority ]
undo peer ip-address

View
OSPF view

Parameters
ip-address: IP address of a neighbor router.
dr-priority: Value of the corresponding priority of a neighbor in the NBMA network. It ranges from 0 to 255 and defaults to 1.

Description
Use the peer command to specify a neighbor and its DR priority on an NBMA network.
Use the undo peer command to remove this configuration.
On an NBMA network, you can configure mappings to make the network fully meshed (any two routers have a direct link in between), so OSPF can handle DR/BDR election as it does on a broadcast network. However, since routers on the network cannot find neighbors via broadcasting hello packets, you need to specify neighbors and neighbor DR priorities on the routers.

Related commands: ospf dr-priority.

Examples

# Specify a neighbor with IP address 10.1.1.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] peer 10.1.1.1

preference

Syntax
preference [ ase ] value
undo preference [ ase ]

View
OSPF view

Parameters
value: OSPF protocol preference, in the range of 1 to 255.
ase: Indicates the preference of a redistributed external route of the AS.

Description
Use the preference command to configure the preference of the OSPF protocol.
Use the undo preference command to restore the default.
By default, the preference of an internal OSPF route is 10 and that of an external OSPF route is 150.
Because multiple dynamic routing protocols could be running on a router, there is the problem of routing information sharing among routing protocols and selection. Therefore, a default preference is specified for each routing protocol. When a route is identified by different protocols, the protocol with the highest preference is selected for forwarding IP packets.

Examples

# Specify the preference of an imported external route of the AS as 160.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] preference ase 160

reset ospf

Syntax
reset ospf { all | process-id }

View
User view

Parameters
all: Resets all OSPF processes.
process-id: OSPF process ID, in the range of 1 to 65535.

Description
Use the reset ospf command to reset OSPF process(es).
After you use this command to reset an OSPF process:
- Invalid LSA is cleared immediately before LSA times out.
- A new Router ID takes effect if the Router ID changes.
- DR and BDR are re-elected conveniently.
- OSPF configuration before the restart will not be lost.
After this command is issued, the system will prompt you to confirm whether to re-enable OSPF.

Examples

# Reset all the OSPF processes.
<Sysname> reset ospf all

# Reset OSPF process 200.
<Sysname> reset ospf 200

reset ospf statistics

Syntax
reset ospf statistics { all | process-id }

View
User view

Parameters
all: Clears the statistics of all OSPF processes.
process-id: OSPF process ID, in the range of 1 to 65535.

Description
Use the reset ospf statistics command to clear the statistic of OSPF process(es).

Examples

# Clear the statistics of all OSPF processes.
<Sysname> reset ospf statistics all

router id

Syntax
router id router-id
undo router id

View
System view

Parameters
router-id: Router ID, in dotted decimal notation.

Description
Use the router id command to configure the ID of a router running the OSPF protocol.
Use the undo router id command to cancel the router ID that has been set.
If the router id command is not used, a router ID is set following these rules:
- If loopback interfaces configured with IP addresses exist, the greatest loopback interface IP address will be used as the router ID.
- If no loopback interface IP address exists, the greatest IP address of other interfaces will be used as the router ID, regardless of whether the interfaces are up or down.
- A new router ID is selected only after the existing router ID is deleted or modified. Other cases, for example, when the interface with the router ID goes down, when a loopback interface address is configured after a non-loopback interface address is selected as the router ID, or when a greater interface IP address is configured, cannot trigger a new router ID selection process.
- To validate a new router ID, you need to execute the reset command.

Related commands: ospf.

Examples

# Set the router ID to 10.1.1.3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] router id 10.1.1.3

silent-interface

Syntax
silent-interface silent-interface-type silent-interface-number
undo silent-interface silent-interface-type silent-interface-number

View
OSPF view

Parameters
silent-interface-type: Interface type.
silent-interface-number: Interface number.

Description
Use the silent-interface command to disable an interface from transmitting OSPF packet.
Use the undo silent-interface command to restore the default.
By default, the interface is enabled to transmit OSPF packet.
To prevent the router on some network from receiving the OSPF routing information, you can use this command to disable this interface from transmitting OSPF packet. On the switch, this command can be used to enable/disable OSPF packet transmission through the specified VLAN interface.

Examples

# Disable interface VLAN-interface 20 from transmitting OSPF packet.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] silent-interface Vlan-interface 20

snmp-agent trap enable ospf

Syntax
snmp-agent trap enable ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt | ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa | nbrstatechange | originatelsa | virifauthfail | virifcfgerror | virifrxbadpkt | virifstatechange | viriftxretransmit | virnbrstatechange ] *
undo snmp-agent trap enable ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt | ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa | nbrstatechange | originatelsa | virifauthfail | virifcfgerror | virifrxbadpkt | virifstatechange | viriftxretransmit | virnbrstatechange ] *

View
System view

Parameters
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a process ID, this command applies to all current OSPF processes.
ifstatechange, virifstatechange, nbrstatechange, virnbrstatechange, ifcfgerror, virifcfgerror, ifauthfail, virifauthfail, ifrxbadpkt, virifrxbadpkt, iftxretransmit, viriftxretransmit, originatelsa, maxagelsa, lsdboverflow, lsdbapproachoverflow: Types of TRAP packets that the switch produces in case of OSPF anomalies.

Description
Use the snmp-agent trap enable ospf command to enable the OSPF TRAP function.
Use the undo snmp-agent trap enable ospf command to disable the OSPF TRAP function.
This command does not apply to the OSPF processes that are started after the command is executed.
By default, the switch does not send TRAP packets in case of OSPF anomalies.
For detailed configuration of SNMP TRAP, refer to the SNMP-RMON part in this manual.

Examples

# Enable the TRAP function for OSPF process 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] snmp-agent trap enable ospf 100

spf-schedule-interval

Syntax
spf-schedule-interval interval
undo spf-schedule-interval

View
OSPF view

Parameters
interval: SPF calculation interval of OSPF, in seconds. It ranges from 1 to 10.

Description
Use the spf-schedule-interval command to configure the SPF calculation interval of OSPF.
Use the undo spf-schedule-interval command to restore the default.
By default, the SPF calculation interval of OSPF is 5 seconds.
According to the link state database (LSDB), the router running OSPF can calculate the shortest path tree taking itself as the root and determine the next hop to the destination network according to the shortest path tree. Adjusting SPF calculation interval restrains frequent network changes, which may occupy too many bandwidth resources and router resources.

Examples

# Set the OSPF route calculation interval of H3C to 6 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] spf-schedule-interval 6

stub

Syntax
stub [ no-summary ]
undo stub

View
OSPF area view

Parameters
no-summary: Disables an ABR from transmitting Type-3 LSAs to a Stub area.

Description
Use the stub command to configure the type of an OSPF area as "Stub".
Use the undo stub command to restore the default.
By default, no area is set to a Stub area.
To configure an area as a stub area, all routers attached to it must be configured with this command.
If the router is an ABR, it will send a default route to the connected Stub area. Use the default-cost command to configure the default route cost. In addition, you can specify the no-summary argument in the stub command to disable the receiving of Type-3 LSAs by the Stub area connected to the ABR (such a stub area is known as a totally stub area).
Note the following when configuring a (totally) stub area:
- The backbone area cannot be a (totally) stub area.
- To configure an area as a stub area, the stub command must be configured on routers in the area.
- A (totally) stub area cannot have an ASBR because AS external routes cannot be distributed into the stub area.
- Virtual links cannot transit (totally) stub areas.

Related commands: default-cost.

Examples

# Set OSPF area 1 to a Stub area.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ospf 1
[Sysname-ospf-1] area 1
[Sysname-ospf-1-area-0.0.0.1] stub

vlink-peer

Syntax
vlink-peer router-id [ hello seconds | retransmit seconds | trans-delay seconds | dead seconds | simple password | md5 keyid key ] *
undo vlink-peer router-id

View
OSPF area view

Parameters
router-id: Router ID of virtual link peer.
hello seconds: Specifies the interval, in seconds, at which the router transmits hello packet. It ranges from 1 to 8192 and defaults to 10. This value must equal the hello seconds value of the router virtually linked to the interface.
retransmit seconds: Specifies the interval, in seconds, for retransmitting the LSA packets on an interface. It ranges from 1 to 3600 and defaults to 5.
trans-delay seconds: Specifies the delay, in seconds, for transmitting LSA packets on an interface. It ranges from 1 to 3600 and defaults to 1.
dead seconds: Specifies the interval, in seconds, of death timer. It ranges from 1 to 8192 and defaults to 40. This value must equal the dead seconds of the router virtually linked to it and must be at least four times of the hello seconds.
simple password: Specifies the simple text authentication password, which contains up to eight characters, of the interface. This value must equal the authentication key of the virtually linked peer.
keyid: MD5 authentication key ID. It ranges from 1 to 255. It must be equal to the authentication key ID of the virtually linked peer.
key: MD5 authentication key. If you use simple text authentication key, you can input a string containing 1 to 16 characters.
When you use the display current-configuration command to display system information, the MD5 authentication key is displayed in the form of cipher text with a length of 24 characters. Inputting the key in the form of cipher text with a length of 24 characters is also supported.

Description
Use the vlink-peer command to create and configure a virtual link.
Use the undo vlink-peer command to cancel an existing virtual link.
According to RFC2328, an OSPF area must be connected to the backbone network. You can use the vlink-peer command to keep the connectivity. Virtual link can be regarded as a common interface that uses OSPF because the principle for configuring the parameters such as hello, retransmit, and trans-delay on it is similar.
Considerations on parameters:
- The smaller the hello interval is, the faster the network converges and the more network resources are consumed.
- A too small retransmission interval will lead to unnecessary retransmissions. A big value is appropriate for a low speed link.
- You need to specify an appropriate transmission delay with the trans-delay keyword.
Note that virtual link authentication adopts the MD5 cipher text or simple text authentication mode set with the authentication-mode command for Area 0. Therefore, you need to specify the authentication mode for Area 0 on both ABRs interconnected by the virtual link.

Related commands: authentication-mode, display ospf.

Examples

# Create a virtual link between Router A and Router B and use the MD5 cipher authentication mode (The router ID of Router A is 10.1.1.1 and that of Router B is 10.1.1.2).

- Configure Router A
<RouterA> system-view
System View: return to User View with Ctrl+Z.
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] authentication-mode md5
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] area 10.0.0.0
[RouterA-ospf-1-area-10.0.0.0] vlink-peer 10.1.1.2 md5 3 345

- Configure RouterB
<RouterB> system-view
System View: return to User View with Ctrl+Z.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] authentication-mode md5
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] area 10.0.0.0
[RouterB-ospf-1-area-10.0.0.0] vlink-peer 10.1.1.1 md5 3 345

5 IP Routing Policy Configuration Commands

The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.

IP Routing Policy Configuration Commands

apply cost

Syntax
apply cost value
undo apply cost

View
Route policy view

Parameters
value: Cost for matched routes, in the range of 0 to 4294967295.

Description
Use the apply cost command to apply a cost to routes satisfying matching rules.
Use the undo apply cost command to remove the configuration.
By default, no cost is applied to routes satisfying matching rules.
The apply clause is one that sets a cost for the routes satisfying matching rules in a routing policy.

Related commands: if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply tag.

Examples

# Create a routing policy named policy and node 1 with the matching mode being permit. Apply the cost 120 to routes matching ACL 2000.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] route-policy policy permit node 1
%New sequence of this list
[Sysname-route-policy] if-match acl 2000
[Sysname-route-policy] apply cost 120

apply tag

Syntax
apply tag value
undo apply tag

View
Route policy view

Parameters
value: Tag value of a route, in the range of 0 to 4294967295.

Description
Use the apply tag command to configure a tag for a route.
Use the undo apply tag command to remove the configuration.
By default, no tag is configured for a route.

Related commands: if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply cost.

Examples

# Create a routing policy named policy and node 1 with the matching mode being permit.
Apply the tag 100 to routes matching ACL 2000.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] route-policy policy permit node 1
%New sequence of this list
[Sysname-route-policy] if-match acl 2000
[Sysname-route-policy] apply tag 100

display ip ip-prefix

Syntax
display ip ip-prefix [ ip-prefix-name ]

View
Any view

Parameters
ip-prefix-name: Name of an IP-prefix, a string of up to 19 characters.

Description
Use the display ip ip-prefix command to display information about an IP-prefix(es). When ip-prefix-name is not specified, information about all the configured IP-prefixes is displayed.

Related commands: ip ip-prefix.

Examples

# Display the information about the address prefix list named p1.
<Sysname> display ip ip-prefix p1
name    index  conditions  ip-prefix / mask  GE  LE
p1      10     permit      10.1.0.0/16       17  18

Table 5-1 Description on the fields of the display ip ip-prefix command
Field | Description
name | Name of an IP-prefix
index | Internal sequence number of an IP-prefix
conditions | Matching mode, including: permit, deny
ip-prefix / mask | IP prefix/mask length for matching IP prefixes
GE | Greater-equal, that is, lower limit of subnet mask length of the matched IP address
LE | Less-equal, that is, upper limit of subnet mask length of the matched IP address

display route-policy

Syntax
display route-policy [ route-policy-name ]

View
Any view

Parameters
route-policy-name: Name of a routing policy, a string of up to 19 characters.

Description
Use the display route-policy command to display information about routing policies.
If you do not specify a route policy name, this command displays all route-policies configured.

Related commands: route-policy.

Examples

# Display information about routing policy named policy1.
<Sysname> display route-policy policy1
Route-policy : policy1
Permit 10 : if-match (ip-prefix) p1
apply cost 100

Table 5-2 Description on the fields of the display route-policy command
Field | Description
Route-policy | Name of a routing policy
Permit 10 | Information about the routing policy with the matching mode configured as permit and the node as 10.
if-match (ip-prefix) p1 | Matching conditions
apply cost 100 | Apply the cost 100 to the routes satisfying the matching conditions.

if-match { acl | ip-prefix }

Syntax
if-match { acl acl-number | ip-prefix ip-prefix-name }
undo if-match { acl | ip-prefix }

View
Route policy view

Parameters
acl-number: Number of the ACL used for filtering, in the range of 2000 to 3999.
ip-prefix-name: Name of the IP prefix list used for filtering, a string of up to 19 characters.

Description
Use the if-match command to match routes permitted by an ACL or IP prefix list.
Use the undo if-match command to remove the configuration.
By default, the if-match clause is not configured.

Related commands: if-match interface, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply cost, apply tag.

Examples

# Define an if-match clause to match routing information permitted by IP-prefix p1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] route-policy policy permit node 1
%New sequence of this list
[Sysname-route-policy] if-match ip-prefix p1

if-match cost

Syntax
if-match cost value
undo if-match cost

View
Route policy view

Parameters
value: Route cost, in the range of 0 to 4294967295.

Description
Use the if-match cost command to configure a cost matching rule for routing information.
Use the undo if-match cost command to remove the configuration.
By default, no cost matching rule is defined.

Related commands: if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match tag, route-policy, apply cost, apply tag.
Examples

# Define an if-match clause to match routes with the cost of 8.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] route-policy policy permit node 1
%New sequence of this list
[Sysname-route-policy] if-match cost 8

if-match interface

Syntax
if-match interface interface-type interface-number
undo if-match interface

View
Route policy view

Parameters
interface-type interface-number: Specifies the interface type and interface number.

Description
Use the if-match interface command to match routes having the specified outgoing interface.
Use the undo if-match interface command to remove the match rule.
By default, no such matching rule is configured.
This command matches routes whose next hops pass through the specified interface.

Related commands: if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply cost, apply tag.

Examples

# Define an if-match clause to match routes with the outbound interface VLAN-interface 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] route-policy policy permit node 1
%New sequence of this list
[Sysname-route-policy] if-match interface Vlan-interface 1

if-match ip next-hop

Syntax
if-match ip next-hop { acl acl-number | ip-prefix ip-prefix-name }
undo if-match ip next-hop [ ip-prefix ]

View
Route policy view

Parameters
acl acl-number: Number of a basic ACL used for filtering, in the range of 2000 to 2999.
ip-prefix ip-prefix-name: Name of the IP address prefix list used for filtering, a string of 1 to 19 characters.

Description
Use the if-match ip next-hop command to match routes with next hops specified in an ACL or IP prefix list.
Use the undo if-match ip next-hop command to remove the matching rule with an ACL.
Use the undo if-match ip next-hop ip-prefix command to remove the matching rule with an IP prefix list.
By default, no next hop matching rule is defined.
Related commands: if-match interface, if-match acl, if-match ip-prefix, if-match cost, if-match tag, route-policy, apply cost, apply tag.

Examples

# Define an if-match clause to match routes with next hops specified in the IP address prefix list p1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] route-policy policy permit node 1
%New sequence of this list
[Sysname-route-policy] if-match ip next-hop ip-prefix p1

if-match tag

Syntax
if-match tag value
undo if-match tag

View
Route policy view

Parameters
value: Tag value, in the range of 0 to 4294967295.

Description
Use the if-match tag command to configure the tag matching rule for routing information.
Use the undo if-match tag command to remove the matching rule.
By default, no tag matching rule for routing information is defined.

Related commands: if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, route-policy, apply cost, apply tag.

Examples

# Define an if-match clause to match OSPF routes having the tag value 8.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] route-policy policy permit node 1
%New sequence of this list
[Sysname-route-policy] if-match tag 8

ip ip-prefix

Syntax
ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } network len [ greater-equal greater-equal | less-equal less-equal ] *
undo ip ip-prefix ip-prefix-name [ index index-number | permit | deny ]

View
System view

Parameters
ip-prefix-name: Name of an IP-prefix, a string of up to 19 characters. It identifies an address prefix list uniquely.
index-number: Identifier of an entry in the IP address prefix list, in the range 1 to 2047. The entry with a smaller index-number will be tested first.
permit: Specifies the match mode of the defined IP-prefix entries as permit mode.
If the permit mode is specified and the IP address to be filtered is in the ip-prefix range specified by the entry, the entry is filtered through and the next entry is not tested. If the IP address to be filtered is not in the ip-prefix range specified by the entry, the next entry is tested.
deny: Specifies the match mode of the defined IP-prefix entries as deny mode. If the deny mode is specified and the IP address to be filtered is in the ip-prefix range specified by the entry, the entry is not filtered through and the next entry is not tested; otherwise, the next entry is tested.
network: IP address prefix (IP address), in dotted decimal notation.
len: IP address prefix length (mask length), in the range of 0 to 32.
greater-equal, less-equal: Address prefix range [greater-equal, less-equal] to be matched after the address prefix network len has been matched. The meaning of greater-equal is "greater than or equal to", and the meaning of less-equal is "less than or equal to". The range is len <= greater-equal <= less-equal <= 32. When only greater-equal is used, it denotes the prefix range [greater-equal, 32]. When only less-equal is used, it denotes the prefix range [len, less-equal]. When both greater-equal and less-equal are specified, the prefix range is [greater-equal, less-equal].

Description
Use the ip ip-prefix command to configure an IP-prefix list or one of its entries.
Use the undo ip ip-prefix command to delete an IP-prefix list or one of its entries.
By default, no IP-prefix list is configured.
An IP-prefix list is used for IP address filtering. An IP prefix list may contain several entries, and each entry specifies one address prefix range. The inter-entry filtering relation is OR. That is, passing an entry means filtering through this address prefix list. Not filtering through any entry means not filtering through this IP-prefix.
The address prefix range may contain two parts, which are determined by len and [greater-equal, less-equal], respectively. If the prefix ranges of these two parts are both specified, the IP to be filtered must match the prefix ranges of these two parts.
If you specify network len as 0.0.0.0 0, it matches the default route only.
To match all the routes, use 0.0.0.0 0 less-equal 32.

Examples

# Define an ip-prefix named p1 to permit only the routes whose mask lengths are 17 or 18 on network segment 10.0.192.0/8 to pass.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip ip-prefix p1 permit 10.0.192.0 8 greater-equal 17 less-equal 18

route-policy

Syntax
route-policy route-policy-name { permit | deny } node node-number
undo route-policy route-policy-name [ permit | deny | node node-number ]

View
System view

Parameters
route-policy-name: Name of a routing policy, a string of 19 characters. This argument identifies a routing policy uniquely.
permit: Specifies the match mode of the defined routing policy node as permit. When a route entry meets all the if-match clauses of the node, the entry is permitted to filter through the node and the apply clause of the node will be performed. If a route entry does not meet the if-match clause of the node, the next node of the route-policy will be tested.
deny: Specifies the match mode of the defined Route-policy node as deny mode. When a route entry meets all the if-match clauses of the node, the entry is prohibited from filtering through the node and the next node will not be tested.
node: Specifies a node index in a routing policy.
node-number: Index of the node in a routing policy, in the range 0 to 2047. When this routing policy is used, the node with smaller node-number will be matched first.

Description
Use the route-policy command to create a routing policy or enter the Route-policy view.
Use the undo route-policy command to delete the created Route-policy.
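How the ip ip-prefix entries and route-policy nodes documented above are evaluated, written out as an added Python example (not H3C code and not part of the manual). The Route and Node classes, the default-only and all-routes lists and node 5 are constructed for illustration, and treating a node with no if-match clause as matching every route is an assumption.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class PrefixEntry:
    index: int
    permit: bool
    network: str
    length: int
    ge: Optional[int] = None  # greater-equal
    le: Optional[int] = None  # less-equal

    def mask_range(self):
        """Mask-length interval accepted by the entry."""
        if self.ge is None and self.le is None:
            return self.length, self.length       # exact length only
        low = self.length if self.ge is None else self.ge
        high = 32 if self.le is None else self.le
        if not self.length <= low <= high <= 32:
            raise ValueError(f"entry {self.index}: need len <= greater-equal <= less-equal <= 32")
        return low, high

    def covers(self, route):
        # The first `length` bits must equal the entry's network, and the
        # route's own mask length must fall inside the accepted interval.
        base = ipaddress.ip_network(f"{self.network}/{self.length}", strict=False)
        low, high = self.mask_range()
        return low <= route.prefixlen <= high and route.subnet_of(base)


def prefix_list_permits(entries, prefix):
    """Lowest index is tested first; the first covering entry decides."""
    route = ipaddress.ip_network(prefix)
    for entry in sorted(entries, key=lambda e: e.index):
        if entry.covers(route):
            return entry.permit
    return False  # no entry matched: the route does not pass the list


@dataclass(frozen=True)
class Route:                      # hypothetical route record for this example
    prefix: str
    cost: int = 0
    tag: int = 0


@dataclass(frozen=True)
class Node:                       # one route-policy node
    number: int
    permit: bool
    match_prefix_list: Optional[str] = None
    match_cost: Optional[int] = None
    match_tag: Optional[int] = None
    apply_cost: Optional[int] = None
    apply_tag: Optional[int] = None


def node_matches(node, prefix_lists, route):
    """Every configured if-match clause must hold (AND within a node).
    Assumption: a node with no if-match clause matches every route."""
    checks = []
    if node.match_prefix_list is not None:
        checks.append(prefix_list_permits(prefix_lists[node.match_prefix_list], route.prefix))
    if node.match_cost is not None:
        checks.append(route.cost == node.match_cost)
    if node.match_tag is not None:
        checks.append(route.tag == node.match_tag)
    return all(checks)


def evaluate_policy(nodes, prefix_lists, route):
    """Return the route with apply clauses performed, or None if filtered out."""
    for node in sorted(nodes, key=lambda n: n.number):
        if not node_matches(node, prefix_lists, route):
            continue                              # test the next node
        if not node.permit:
            return None                           # deny node matched: stop here
        return replace(route,
                       cost=route.cost if node.apply_cost is None else node.apply_cost,
                       tag=route.tag if node.apply_tag is None else node.apply_tag)
    return None                                   # passed no node


PREFIX_LISTS = {
    # The manual's ip ip-prefix example (index chosen here).
    "p1": [PrefixEntry(10, True, "10.0.192.0", 8, ge=17, le=18)],
    # Constructed lists for the two 0.0.0.0 0 cases the manual describes.
    "default-only": [PrefixEntry(10, True, "0.0.0.0", 0)],
    "all-routes": [PrefixEntry(10, True, "0.0.0.0", 0, le=32)],
}
# Constructed policy: node 5 drops the default route; node 10 matches p1 and applies cost 100.
POLICY1 = [
    Node(5, permit=False, match_prefix_list="default-only"),
    Node(10, permit=True, match_prefix_list="p1", apply_cost=100),
]

if __name__ == "__main__":
    for prefix in ("10.1.128.0/17", "10.1.0.0/16", "11.0.0.0/17", "0.0.0.0/0"):
        print(prefix, "->", evaluate_policy(POLICY1, PREFIX_LISTS, Route(prefix, cost=5)))
```
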
By default, no Route-policy is defined.
Route-policy is used for route information filter. A Route-policy comprises some nodes and each node comprises some if-match clauses and apply clauses. An if-match clause defines the match rules of this node. An apply clause defines the actions after filtering through this node. The filtering relationship between the if-match clauses of the node is AND. That is, all if-match clauses of the node must be met. The filtering relation between Route-policy nodes is OR. That is, filtering through one node means filtering through this Route-policy. If the information does not filter through any node, it cannot filter through this Route-policy.

Related commands: if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, if-match tag, apply cost, apply tag.

Examples

# Configure Route-policy policy1, with the node number of 10 and the match mode of permit, and enter Route policy view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] route-policy policy1 permit node 10
%New sequence of this list
[Sysname-route-policy]

6 Route Capacity Configuration Commands

- The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
- The S3600-SI series do not support route capacity configuration.

Route Capacity Configuration Commands

display memory

Syntax
display memory [ unit unit-id ]

Mode
Any view

Parameters
unit-id: Unit ID.

Description
Use the display memory command to display the memory usage.

Examples

# Display the current memory usage of the switch.
<Sysname> display memory
Unit 1
System Available Memory(bytes): 33631488
System Used Memory(bytes): 16122304
Used Rate: 47%

The following table describes the fields of the command:

Table 6-1 Description on the fields of the display memory command

Field | Description
Unit | Specifies a Unit ID
System Available Memory(bytes) | Free memory size, in bytes, of the switch
System Used Memory(bytes) | Occupied memory size, in bytes, of the switch
Used Rate | Memory occupation rate

display memory limit

Syntax

display memory limit

Mode

Any view

Parameters

None

Description

Use the display memory limit command to display the memory setting and state information of the switch.

This command displays the current memory limit configuration, free memory, and state information about connections, such as times of disconnection, times of reconnection, and whether the current state is normal.

Examples

# Display the current memory setting and state information.

<Sysname> display memory limit
Current memory limit configuration information:
system memory safety: 5 (MBytes)
system memory limit: 4 (MBytes)
auto-establish enabled
Free Memory: 17506496 (Bytes)
The state information about connection:
The times of disconnect: 0
The times of reconnect: 0
The current state: Normal

Table 6-2 Description on the fields of the display memory limit command

Field | Description
system memory safety | Safety value of the switch memory.
system memory limit | Lower limit of the switch memory.
auto-establish enabled | Automatic connection is enabled (If automatic connection is disabled, auto-establish disabled is displayed).
Free Memory | Size of the current free memory in bytes
The times of disconnect | Number of disconnections of the routing protocol
The times of reconnect | Number of reconnections of the routing protocol
The current state | Current memory state, including: Normal, Exigence

memory

Syntax

memory { safety safety-value | limit limit-value }*
undo memory [ safety | limit ]

View

System view

Parameters

safety-value: Safety free memory of the switch, in Mbytes. Its value range depends on the free memory of the current switch. This value defaults to 5.

limit-value: Lower limit of the switch free memory, in Mbytes. Its value range depends on the free memory of the current switch. This value defaults to 4.

Description

Use the memory limit limit-value command to configure the lower limit of the switch free memory. When the free memory of the switch is less than the limit-value, all the routing protocol connections will be disconnected forcibly.

Use the memory safety safety-value command to configure the safety value of the switch free memory. If you use the memory auto-establish enable command (the default configuration), the routing protocol connection that is forcibly disconnected automatically recovers when the free memory of the switch reaches the safety-value.

Use the memory safety safety-value limit limit-value command to change both the safety value and lower limit of the switch free memory.

Use the undo memory command to restore the default safety value and lower limit of the switch free memory.

Related commands: memory auto-establish disable, memory auto-establish enable, display memory limit.

When you configure the memory command, the safety-value argument in the command must be greater than the limit-value argument; otherwise, the configuration will fail.

Examples

# Set the lower limit of the switch free memory to 1 MB and the safety value to 3 MB.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] memory safety 3 limit 1

memory auto-establish disable

Syntax

memory auto-establish disable

View

System view

Parameters

None

Description

Use the memory auto-establish disable command to disable the automatic restoration of routing protocol connection (even if the free memory recovers to a safety value).

By default, when the free memory of the switch recovers to a safety value, connections of all the routing protocols will always recover (when the free memory of the switch decreases to a lower limit, the connection will be disconnected forcibly).

After this command is used, connections of all the routing protocols will not recover when the free memory of the switch recovers to a safety value. In this case, you need to restart the routing protocol to recover the connections.

Use this command with caution.

Related commands: memory auto-establish enable, memory, display memory limit.

Examples

# Disable automatic restoration of the routing protocol connections when the free memory of the current switch recovers.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] memory auto-establish disable

memory auto-establish enable

Syntax

memory auto-establish enable

View

System view

Parameters

None

Description

Use the memory auto-establish enable command to enable automatic connections of routing protocols when the free memory of the switch recovers to the specified value.

Use the memory auto-establish disable command to disable this function.

By default, when the free memory of the switch recovers to a safety value, connections of all the routing protocols will always recover (when the free memory of the switch decreases to a lower limit, the connection will be disconnected forcibly).

By default, this function is enabled.

Related commands: memory auto-establish disable, memory, display memory limit.

Examples

# Enable automatic connections of all routing protocols when the free memory of the current switch recovers.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] memory auto-establish enable

Table of Contents

1 Common Multicast Configuration Commands
    Common Multicast Configuration Commands
        display mac-address multicast static
        display mpm forwarding-table
        display mpm group
        display multicast forwarding-table
        display multicast routing-table
        display multicast-source-deny
        mac-address multicast interface
        mac-address multicast vlan
        mtracert
        multicast route-limit
        multicast routing-enable
        multicast storing-enable
        multicast storing-packet
        multicast-source-deny
        reset multicast forwarding-table
        reset multicast routing-table
        unknown-multicast drop enable
2 IGMP Configuration Commands
    IGMP Configuration Commands
        display igmp group
        display igmp interface
        igmp enable
        igmp group-limit
        igmp group-policy
        igmp group-policy vlan
        igmp host-join port
        igmp host-join vlan
        igmp lastmember-queryinterval
        igmp max-response-time
        igmp proxy