www.3Com.com
Part Number: 10014923 Rev. AD
Published: November, 2007
3Com Corporation
350 Campus Drive
Marlborough, MA
USA 01752-3064
Copyright 2006, 2007 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any
form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without
written permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time
without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or
expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality,
and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s)
described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement
included with the product as a separate document, in the hard copy documentation, or on the removable media in a
directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will
be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to
you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is
delivered as Commercial Computer Software as defined in DFARS 252.227-7014 (June 1995) or as a commercial item
as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com's standard commercial
license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or
FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided
on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered
in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
Cisco is a registered trademark of Cisco Systems, Inc.
Funk RADIUS is a registered trademark of Funk Software, Inc.
Aegis is a registered trademark of Aegis Group PLC.
Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are
registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a
registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.
All other company and product names may be trademarks of the respective companies with which they are associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed
to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
CONTENTS
LOGIN COMMANDS
authentication-mode 61
auto-execute command 62
copyright-info enable 63
databits 64
display telnet-server source-ip 64
display telnet source-ip 65
display user-interface 65
display users 67
display web users 68
free user-interface 68
header 69
history-command max-size 71
idle-timeout 71
ip http shutdown 72
lock 73
parity 73
protocol inbound 74
screen-length 75
send 75
service-type 76
set authentication password 77
shell 78
speed 79
stopbits 79
telnet 80
telnet ipv6 81
telnet source-interface 81
telnet source-ip 82
telnet-server source-interface
telnet-server source-ip 83
user-interface 84
user privilege level 84
XRN COMMANDS
Introduction 113
debugging dhcp xrn xha 113
display xrn-fabric 114
xrn-fabric authentication-mode 114
import-source 522
msdp 522
msdp-tracert 523
mtracert 525
originating-rp 526
peer connect-interface 526
peer description 527
peer mesh-group 527
peer minimum-ttl 528
peer request-sa-enable 529
peer sa-cache-maximum 529
peer sa-policy 530
peer sa-request-policy 531
reset msdp peer 531
reset msdp sa-cache 532
reset msdp statistics 532
shutdown 532
static-rpf-peer 533
timer retry 534
gateway-list 734
nbns-list 735
netbios-type 736
network 737
option 737
reset dhcp server conflict 738
reset dhcp server ip-in-use 739
reset dhcp server statistics 739
static-bind client-identifier 740
static-bind ip-address 741
static-bind mac-address 741
tftp-server domain-name 742
tftp-server ip-address 743
voice-config 743
QOS COMMANDS
burst-mode enable 797
display protocol-priority 797
display qos cos-localprecedence-map 798
display qos-interface all 798
display qos-interface line-rate 800
display qos-interface mirrored-to 801
display qos-interface traffic-limit 802
display qos-interface traffic-priority 802
display qos-interface traffic-redirect 803
display qos-interface traffic-remark-vlanid 804
display qos-interface traffic-statistic 805
display queue-scheduler 805
line-rate 806
mirrored-to 807
priority 809
display diagnostic-information
terminal debugging 848
MIRRORING COMMANDS
display mirror 873
display mirroring-group 873
mirroring-group 875
mirroring-group mirroring-port 875
mirroring-group monitor-port 876
mirroring-group reflector-port 877
mirroring-group remote-probe vlan 878
mirroring-port 878
monitor-port 879
remote-probe vlan 880
ip-pool 922
logging-host 922
management-vlan 923
nm-interface Vlan-interface
reboot member 924
snmp-host 925
tftp get 925
tftp put 926
tftp-server 926
timer 927
tracemac 928
SSH COMMANDS
display public-key local 1009
display public-key peer 1010
display rsa local-key-pair public 1011
display rsa peer-public-key 1011
display ssh server 1012
display ssh server-info 1013
display ssh user-information 1013
display ssh2 source-ip 1014
display ssh-server source-ip 1014
peer-public-key end 1015
protocol inbound 1015
public-key local create 1016
public-key local destroy 1017
public-key local export rsa 1017
public-key local export dsa 1018
public-key peer 1019
public-key peer import sshkey 1020
public-key-code begin 1020
public-key-code end 1021
rsa local-key-pair create 1022
rsa local-key-pair destroy 1023
rsa peer-public-key 1023
rsa peer-public-key import sshkey 1024
ssh authentication-type default 1024
ssh client assign 1025
ssh client first-time enable 1026
ssh server authentication-retries 1026
ssh server timeout 1027
delete 1088
dir 1088
display sftp source-ip 1089
exit 1090
get 1090
help 1090
ls 1091
mkdir 1092
put 1092
pwd 1092
quit 1093
remove 1093
rename 1094
rmdir 1094
sftp 1094
sftp source-interface 1096
sftp source-ip 1096
REMOTE-PING CLIENT COMMANDS
count 1137
datasize 1137
destination-ip 1138
destination-port 1139
display remote-ping 1139
dns-server 1145
dns resolve-target 1145
filename 1146
frequency 1146
ftp-operation 1147
history-records 1148
http-operation 1148
http-string 1149
remote-ping 1149
remote-ping-agent enable 1150
jitter-interval 1150
jitter-packetnum 1151
password 1152
probe-failtimes 1152
send-trap 1153
source-interface 1153
source-ip 1154
source-port 1155
test-type 1155
test-enable 1156
test-failtimes 1157
timeout 1157
tos 1158
username 1158
REMOTE-PING SERVER COMMANDS
ALPHABETICAL LISTING OF COMMANDS
ABCDEFGHIJKLMNOPQRSTUVWX
A
abr-summary 347
access-limit 591
accounting 591
accounting domain 705
accounting optional 592
accounting optional 617
accounting-on enable 617
acl 773
acl 87
active region-configuration 263
add-member 907
address-check 745
administrator-address 908
aggregate 391
am enable 1215
am ip-pool 1215
am trap enable 1216
am user-bind 235
apply as-path 451
apply community 451
apply cost 441
apply cost 452
apply cost-type 453
apply ip next-hop 454
apply local-preference 454
apply origin 455
apply poe-profile 951
apply qos-profile 825
apply tag 441
apply tag 455
area 348
arp check enable 687
arp detection enable 687
arp detection trust 688
arp protective-down recover enable 688
arp protective-down recover interval 689
arp proxy enable 701
arp rate-limit 690
B
backup current-configuration 1055
bgp 392
bims-server 705
binary 1065
black-list 931
boot attribute-switch 1049
boot boot-loader 1050
boot boot-loader 855
boot boot-loader backup-attribute 1050
boot bootrom 855
boot web-package 1051
bootfile-name 706
bpdu-drop any 263
bpdu-tunnel 1133
bpdu-tunnel tunnel-dmac 1134
broadcast-suppression 173
bsr-policy 499
build 910
burst-mode enable 797
bye 1066
bye 1087
C
cache-sa-enable 517
calling-station-id mode 619
c-bsr 500
cd 1035
cd 1066
cd 1087
cdup 1067
cdup 1088
change self-unit 883
change unit-id 883
check region-configuration 264
checkzero 327
clock datetime 837
clock summer-time 837
clock timezone 838
close 1068
cluster 912
cluster enable 912
cluster switch-to 913
cluster-mac 914
cluster-mac syn-interval 914
command-privilege level 55
compare-different-as-med 393
confederation id 393
confederation nonstandard 394
confederation peer-as 395
Conventions 53
copy 1036
copy configuration 174
copyright-info enable 63
count 1137
c-rp 501
crp-policy 501
cut connection 598
D
dampening 396
databits 64
data-flow-format 619
data-flow-format 645
datasize 1137
debugging 847
debugging dhcp xrn xha 113
default 350
default cost 327
default local-preference 397
default med 397
default-cost 351
default-route-advertise 352
dhcp-snooping information enable 755
dhcp-snooping information format 756
dhcp-snooping information packet-format 756
dhcp-snooping information remote-id 757
dhcp-snooping information strategy 758
dhcp-snooping information vlan circuit-id 759
dhcp-snooping information vlan remote-id 760
dhcp-snooping trust 761
dir 1038
dir 1069
dir 1088
disconnect 1070
display acl 774
display am 1217
display am user-bind 236
display arp | 695
display arp 694
display arp count 696
display arp detection statistics interface 696
display arp proxy 701
display arp timer aging 697
display bgp group 398
display bgp network 399
display bgp paths 400
display bgp peer 401
display bgp routing 402
display bgp routing as-path-acl 404
display bgp routing cidr 404
display bgp routing community 405
display bgp routing community-list 406
display bgp routing dampened 406
display bgp routing different-origin-as 407
display bgp routing flap-info 408
display bgp routing peer 409
display bgp routing regular-expression 410
display bgp routing statistic 410
display boot-loader 1051
display boot-loader 856
display bootp client 770
display bpdu-tunnel 1134
display ftp-server 1059
display ftp-server source-ip 1059
display ftp-user 1060
display garp statistics 165
display garp timer 166
display gvrp statistics 169
display gvrp status 170
display habp 577
display habp table 577
display habp traffic 578
display history-command 56
display hwtacacs 645
display icmp statistics 145
display igmp group 485
display igmp interface 485
display igmp-snooping configuration 535
display igmp-snooping group 535
display igmp-snooping statistics 537
display info-center 1105
display interface 179
display interface Vlan-interface 117
display ip host 1197
display ip interface 137
display ip interface brief 138
display ip ip-prefix 442
display ip ip-prefix 456
display ip routing-table 311
display ip routing-table acl 312
display ip routing-table ip-address 315
display ip routing-table ip-address1 ip-address2 316
display ip routing-table ip-prefix 317
display ip routing-table protocol 318
display ip routing-table radix 318
display ip routing-table statistics 319
display ip routing-table verbose 320
display ip socket 146
display ip source static binding 762
display ip statistics 147
display ipv6 fib 1165
display ipv6 host 1166
display ipv6 interface 1167
display ipv6 neighbors 1168
display ipv6 neighbors count 1170
display ipv6 route-table 1170
display ipv6 socket 1171
display ipv6 statistics 1172
display irf-fabric 885
display isolate port 221
display ospf retrans-queue 366
display ospf routing 367
display ospf vlink 367
display packet-drop 183
display packet-filter 777
display password-control 1227
display password-control blacklist 1228
display password-control super 1228
display pim bsr-info 502
display pim interface 503
display pim neighbor 504
display pim routing-table 504
display pim rp-info 506
display poe disconnect 939
display poe interface 939
display poe interface power 941
display poe powersupply 942
display poe temperature-protection 943
display poe-profile 952
display port 125
display port combo 184
display port vlan-vpn 1123
display port-mac 250
display port-security 224
display power 860
display protocol-priority 797
display protocol-vlan interface 131
display protocol-vlan vlan 131
display public-key local 1009
display public-key peer 1010
display qos cos-localprecedence-map 798
display qos-interface all 798
display qos-interface line-rate 800
display qos-interface mirrored-to 801
display qos-interface traffic-limit 802
display qos-interface traffic-priority 802
display qos-interface traffic-redirect 803
display qos-interface traffic-remark-vlanid 804
display qos-interface traffic-statistic 805
display qos-profile 826
display queue-scheduler 805
display radius scheme 621
display radius statistics 622
display remote-ping 1139
display telnet source-ip 65
display telnet-server source-ip 64
display tftp source-ip 1099
display this 107
display time-range 777
display transceiver alarm interface 860
display transceiver diagnosis interface 863
display transceiver interface 864
display transceiver manuinfo interface 865
display trapbuffer 1108
display udp ipv6 statistics 1178
display udp statistics 150
display udp-helper server 955
display unit 187
display user-interface 65
display users 67
display users 844
display version 845
display vlan 118
display vlan 159
display voice vlan error-info 157
display voice vlan oui 157
display voice vlan status 158
display vrrp 661
display vrrp interface vlan-interface 661
display vrrp statistics 662
display vrrp verbose 664
display web package 1052
display web users 68
display web-authentication configuration 1225
display web-authentication connection 1224
display webcache 833
display xrn-fabric 114
dldp 240
dldp authentication-mode 241
dldp delaydown-timer 244
dldp interval 242
dldp reset 242
dldp unidirectional-shutdown 243
dldp work-mode 244
dns domain 1197
dns resolve 1198
dns resolve-target 1145
dns server 1198
dns server ipv6 1179
dns-list 732
dns-server 1145
domain 603
domain-name 733
dot1x 558
dot1x authentication-method 559
dot1x dhcp-launch 560
dot1x free-ip 575
dot1x guest-vlan 561
dot1x handshake 562
dot1x max-user 563
dot1x port-control 564
dot1x port-method 565
dot1x quiet-period 566
dot1x re-authenticate 568
dot1x retry 567
dot1x retry-version-max 567
dot1x supp-proxy-check 569
dot1x timer 571
dot1x timer acl-timeout 575
dot1x timer reauth-period 573
dot1x url 576
dot1x version-check 573
duplex 190
E
enable log updown 190
enable snmp trap updown 965
execute 1039
exit 1090
expired 734
F
fabric member-auto-update software enable 886
fabric save-unit-id 886
fabric-port enable 888
file prompt 1040
filename 1146
filter-policy export 331
filter-policy export 368
filter-policy export 411
filter-policy import 332
filter-policy import 369
filter-policy import 412
fixdisk 1041
flow interval 192
flow-control 191
flush enable control-vlan 1202
format 1041
free user-interface 68
free web-users 87
frequency 1146
ftm fabric-vlan 889
ftp { cluster | remote-server } source-interface 1072
ftp { cluster | remote-server } source-ip 1072
ftp 1071
ftp cluster 920
ftp disconnect 1060
ftp server enable 1061
ftp source-interface 1073
ftp source-ip 1073
ftp timeout 1062
ftp-operation 1147
ftp-server 920
ftp-server source-interface 1062
ftp-server source-ip 1063
G
garp timer 167
garp timer leaveall 168
gateway-list 734
get 1074
get 1090
giant-frame statistics enable 193
gratuitous-arp period-resending enable 697
gratuitous-arp-learning enable 698
group 412
gvrp 171
gvrp registration 171
H
habp enable 578
habp server vlan 579
habp timer 579
header 69
help 1090
history-command max-size 71
history-records 1148
holdtime 921
host-route 333
http-operation 1148
http-string 1149
hwtacacs nas-ip 647
hwtacacs scheme 647
I
icmp redirect send 151
icmp unreach send 152
idle-cut 604
idle-timeout 71
if-match { acl | ip-prefix } 458
if-match 443
if-match as-path 458
if-match community 459
if-match cost 444
if-match cost 460
if-match interface 445
if-match interface 460
if-match ip next-hop 445
if-match ip next-hop 461
if-match tag 446
if-match tag 462
igmp enable 487
igmp group-limit 487
igmp group-policy 488
igmp group-policy vlan 489
igmp host-join 549
igmp host-join port 490
igmp host-join port 548
igmp host-join vlan 491
igmp lastmember-queryinterval 492
igmp max-response-time 492
igmp proxy 493
igmp robust-count 493
igmp timer other-querier-present 494
igmp timer query 495
igmp version 495
igmp-snooping 538
igmp-snooping fast-leave 538
igmp-snooping general-query source-ip 539
igmp-snooping group-limit 540
igmp-snooping group-policy 541
igmp-snooping host-aging-time 543
igmp-snooping max-response-time 543
igmp-snooping nonflooding-enable 544
igmp-snooping querier 545
igmp-snooping query-interval 545
igmp-snooping router-aging-time 546
igmp-snooping version 547
igmp-snooping vlan-mapping 547
import-route 333
import-route 370
import-route 413
import-source 522
info-center channel name 1109
info-center console channel 1109
info-center enable 1110
info-center logbuffer 1111
info-center loghost 1112
info-center loghost source 1113
info-center monitor channel 1113
info-center snmp channel 1114
info-center source 1114
info-center switch-on 1117
info-center synchronous 1116
info-center timestamp 1118
info-center timestamp loghost 1118
info-center trapbuffer 1119
instance 269
Intended Readership 53
interface 193
interface Vlan-interface 120
Introduction 113
ip address 139
ip address bootp-alloc 771
ip address dhcp-alloc 770
ip as-path-acl 462
ip check source ip-address 763
ip community-list 463
ip forward-broadcast 152
ip forward-broadcast 153
ip host 1199
ip http acl 88
ip http shutdown 72
ip ip-prefix 447
ip ip-prefix 464
ip route-static 323
ip route-static detect-group 257
ip source static binding 764
ip-pool 922
ipv4-family 414
ipv6 address 1179
ipv6 address auto link-local 1180
ipv6 address eui-64 1181
ipv6 address link-local 1181
ipv6 host 1182
ipv6 icmp-error 1182
ipv6 nd dad attempts 1183
ipv6 nd hop-limit 1184
ipv6 nd ns retrans-timer 1184
ipv6 nd nud reachable-time 1185
ipv6 neighbor 1185
ipv6 neighbors max-learning-num 1186
ipv6 route-static 1186
irf-fabric authentication-mode 890
J
jitter-interval 1150
jitter-packetnum 1151
jumboframe enable 194
K
key 624
key 648
L
lacp enable 217
lacp port-priority 217
lacp system-priority 218
lcd 1075
level 605
line-rate 806
link-aggregation group 1203
link-aggregation group 1209
link-aggregation group description 218
link-aggregation group mode 219
link-delay 195
local-server 625
local-server nas-ip 626
local-user 606
local-user password-display-mode 607
lock 73
logging-host 922
log-peer-change 371
log-peer-change 414
loopback 195
loopback-detection control enable 196
loopback-detection enable 197
loopback-detection interval-time 198
loopback-detection per-vlan enable 198
ls 1075
ls 1091
M
mac-address 250
mac-address aging destination-hit enable 252
mac-address max-mac-count 252
mac-address multicast interface 477
mac-address multicast vlan 478
mac-address security 225
mac-address timer 253
mac-address-mapping 1129
mac-authentication 677
mac-authentication authmode usernameasmacaddress 678
mac-authentication authmode usernamefixed 679
mac-authentication authpassword 680
mac-authentication authusername 680
mac-authentication domain 681
mac-authentication guest-vlan 682
mac-authentication interface 677
mac-authentication max-auth-num 683
mac-authentication timer 681
mac-authentication timer guest-vlan-reauth 684
management-vlan 923
mdi 199
mdi 200
memory 468
memory auto-establish disable 469
memory auto-establish enable 470
messenger 607
mirrored-to 807
mirroring-group 875
mirroring-group mirroring-port 875
mirroring-group monitor-port 876
mirroring-group reflector-port 877
mirroring-group remote-probe vlan 878
mirroring-port 878
mkdir 1042
mkdir 1076
mkdir 1092
monitor-link group 1210
monitor-port 879
more 1042
move 1043
msdp 522
msdp-tracert 523
mtracert 525
multicast route-limit 478
multicast routing-enable 479
N
name 120
name 608
nas-ip 627
nas-ip 649
nbns-list 735
ndp enable 896
ndp timer aging 896
ndp timer hello 897
netbios-type 736
network 334
network 372
network 415
network 737
nm-interface Vlan-interface 924
nslookup type 1200
nssa 373
ntdp enable 901
ntdp explore 902
ntdp hop 902
ntdp timer 903
ntdp timer hop-delay 904
ntdp timer port-delay 904
ntp-service access 998
ntp-service authentication enable 999
ntp-service authentication-keyid 999
ntp-service broadcast-client 1000
ntp-service broadcast-server 1001
ntp-service in-interface disable 1001
ntp-service max-dynamic-sessions 1002
ntp-service multicast-client 1002
ntp-service multicast-server 1003
ntp-service reliable authentication-keyid 1004
ntp-service source-interface 1004
ntp-service unicast-peer 1005
ntp-service unicast-server 1006
O
open 1077
option 258
option 737
originating-rp 526
ospf 374
ospf authentication-mode 375
ospf cost 376
ospf dr-priority 376
ospf mib-binding 377
ospf mtu-enable 377
ospf network-type 378
ospf timer dead 379
ospf timer hello 380
ospf timer poll 381
ospf timer retransmit 381
ospf trans-delay 382
P
packet-filter 778
packet-filter 826
packet-filter vlan 779
parity 73
passive 1078
password 1152
password 1228
password 609
password-control aging 1229
password-control alert-before-expire 1232
password-control authentication-timeout 1233
password-control composition 1235
password-control enable 1233
password-control history 1232
password-control length 1230
password-control login-attempt 1231
password-control super 1236
password-control super composition 1237
peer 335
peer 383
peer advertise-community 415
peer allow-as-loop 416
peer as-number 417
peer as-path-acl export 417
peer as-path-acl import 418
peer connect-interface 419
peer connect-interface 526
port hybrid protocol-vlan vlan 132
port hybrid pvid vlan 126
port hybrid vlan 127
port isolate 221
port link-aggregation group 219
port link-type 128
port link-type irf-fabric 890
port monitor-link group 1212
port smart-link group 1204
port trunk permit vlan 128
port trunk pvid vlan 129
port-mac 254
port-security authorization ignore 228
port-security enable 226
port-security intrusion-mode 227
port-security max-mac-count 229
port-security ntk-mode 230
port-security oui 230
port-security port-mode 231
port-security timer disableport 233
port-security trap 233
preference 336
preference 383
preference 433
primary accounting 628
primary accounting 649
primary authentication 628
primary authentication 650
primary authorization 651
priority 809
priority trust 809
probe-failtimes 1152
protocol inbound 1015
protocol inbound 74
protocol-priority protocol-type 810
protocol-vlan 133
public-key local create 1016
public-key local destroy 1017
public-key local export dsa 1018
public-key local export rsa 1017
public-key peer 1019
public-key peer import sshkey 1020
public-key-code begin 1020
public-key-code end 1021
put 1078
put 1092
pwd 1043
pwd 1079
pwd 1092
Q
qos cos-local-precedence-map 811
qos-profile 827
qos-profile port-based 828
queue-scheduler 812
queue-scheduler 814
quit 1079
quit 1093
quit 839
R
radius client 629
radius nas-ip 630
radius scheme 631
radius trap 632
radius-scheme 610
raw-vlan-id inbound 1130
reboot 866
reboot member 924
reflect between-clients 434
reflector cluster-id 434
refresh bgp 435
region-name 270
register-policy 511
Related Manuals 53
remotehelp 1080
remote-ping 1149
remote-ping-agent enable 1150
remote-ping-server enable 1161
remote-ping-server tcpconnect 1161
remote-ping-server udpecho 1162
remote-probe vlan 880
remove 1093
rename 1044
rename 1081
rename 1094
reset 336
reset arp 698
reset bgp 436
reset bgp dampening 436
reset bgp flap-info 437
reset bgp group 437
reset counters interface 201
reset dhcp server conflict 738
reset dhcp server ip-in-use 739
reset dhcp server statistics 739
reset dhcp-server 753
reset dns dynamic-host 1200
reset dns ipv6 dynamic-host 1187
reset dot1x statistics 574
reset ftm statistics 891
reset garp statistics 169
reset hwtacacs statistics 652
reset igmp group 496
reset igmp-snooping statistics 552
reset ip routing-table statistics protocol 321
reset ip statistics 153
reset ipv6 neighbors 1187
reset ipv6 statistics 1188
reset lacp statistics 220
reset logbuffer 1120
reset mac-authentication 682
reset msdp peer 531
reset msdp sa-cache 532
reset msdp statistics 532
reset multicast forwarding-table 482
reset multicast routing-table 483
reset ndp statistics 898
reset ospf 384
reset ospf statistics 384
reset packet-drop interface 202
reset password-control blacklist 1239
reset password-control history-record 1238
reset password-control history-record super 1238
reset pim neighbor 511
reset pim routing-table 512
reset radius statistics 632
reset recycle-bin 1044
reset saved-configuration 108
reset smart-link packets counter 1205
reset stop-accounting-buffer 633
reset stop-accounting-buffer 652
reset stp 270
reset tcp ipv6 statistics 1188
reset tcp statistics 154
reset traffic-statistic 815
reset trapbuffer 1120
reset udp ipv6 statistics 1188
reset udp statistics 154
reset udp-helper packet 955
reset vrrp statistics 665
resilient-arp enable 703
resilient-arp interface vlan-interface 704
restore startup-configuration 1056
retry 259
retry 633
retry realtime-accounting 634
S
save 109
schedule reboot at 866
schedule reboot delay 867
schedule reboot regularity 868
scheme 610
screen-length 75
secondary accounting 636
secondary accounting 653
secondary authentication 637
secondary authentication 654
secondary authorization 655
security-policy-server 658
self-service-url 611
send 75
send-trap 1153
server-type 638
service-type 612
service-type 76
service-type multicast 552
set authentication password 77
set unit name 891
sftp 1094
sftp server enable 1085
sftp source-interface 1096
sftp source-ip 1096
sftp timeout 1085
shell 78
shutdown 121
shutdown 203
shutdown 532
silent-interface 385
smart-link flush enable 1205
smart-link group 1207
smart-link group 1213
snmp-agent 966
snmp-agent calculate-password 966
snmp-agent community 88
snmp-agent community 967
snmp-agent group 89
snmp-agent group 968
snmp-agent local-engineid 969
snmp-agent log 970
snmp-agent mib-view 970
snmp-agent packet max-size 972
snmp-agent sys-info 972
snmp-agent target-host 973
snmp-agent trap enable 974
snmp-agent trap enable ospf 386
snmp-agent trap ifmib 975
snmp-agent trap life 976
snmp-agent trap queue-size 977
snmp-agent trap source 977
snmp-agent usm-user 90
snmp-agent usm-user 978
snmp-host 925
source-interface 1153
source-ip 1154
source-lifetime 514
source-policy 515
source-port 1155
speed 203
speed 204
speed 79
speed auto 205
spf-schedule-interval 387
spt-switch-threshold 513
ssh authentication-type default 1024
ssh client assign 1025
ssh client first-time enable 1026
ssh server authentication-retries 1026
ssh server timeout 1027
ssh user 1028
ssh user assign 1028
ssh user authentication-type 1029
ssh user service-type 1030
ssh2 1030
ssh2 source-interface 1032
ssh2 source-ip 1032
ssh-server source-interface 1033
ssh-server source-ip 1033
standby detect-group 259
startup bootrom-access enable 1052
startup saved-configuration 111
state 613
state 638
static-bind client-identifier 740
static-bind ip-address 741
static-bind mac-address 741
static-rp 515
static-rpf-peer 533
stop-accounting-buffer enable 639
stopbits 79
storm-constrain 205
storm-constrain control 206
storm-constrain enable 207
storm-constrain interval 208
stp 272
stp bpdu-protection 272
stp bridge-diameter 273
stp compliance 274
stp config-digest-snooping 275
stp cost 277
stp dot1d-trap 278
stp edged-port 278
stp interface 279
stp interface config-digest-snooping 280
stp interface cost 281
stp interface edged-port 282
stp interface loop-protection 284
stp interface mcheck 284
stp interface no-agreement-check 285
stp interface point-to-point 286
stp interface port priority 287
stp interface root-protection 288
stp interface transmit-limit 289
stp loop-protection 289
stp max-hops 290
stp mcheck 291
stp mode 292
stp no-agreement-check 292
stp pathcost-standard 293
stp point-to-point 295
stp port priority 296
stp portlog 297
stp portlog all 297
stp priority 298
stp region-configuration 298
stp root primary 299
stp root secondary 300
stp root-protection 301
stp tc-protection 302
stp tc-protection threshold 302
stp timer forward-delay 303
stp timer hello 304
stp timer max-age 305
stp timer-factor 306
stp transmit-limit 307
stub 387
summary 343
summary 438
super 56
super authentication-mode 57
super password 58
sysname 840
sysname 892
system-guard ip detect-maxnum 583
system-guard ip detect-threshold 584
system-guard ip enable 585
system-guard l3err enable 585
system-guard l3err enable 588
system-guard tcn enable 586
system-guard tcn rate-threshold 587
system-monitor enable 869
system-view 841
T
tcp ipv6 timer fin-timeout 1189
tcp ipv6 timer syn-timeout 1189
tcp ipv6 window 1190
tcp timer fin-timeout 154
tcp timer syn-timeout 155
tcp window 155
telnet 80
traffic-limit 829
traffic-priority 818
traffic-priority 830
traffic-priority vlan 819
traffic-redirect 821
traffic-remark-vlanid 822
traffic-share-across-interface 345
traffic-statistic 823
U
udp-helper enable 956
udp-helper port 956
udp-helper server 957
undelete 1045
undo synchronization 439
undo vrrp vrid 665
unicast-suppression 209
unknown-multicast drop enable 484
update fabric 1046
update fabric 870
update fabric 949
user 1082
user privilege level 84
user-interface 84
username 1158
user-name-format 643
user-name-format 658
V
verbose 1083
virtual-cable-test 210
vlan 121
vlan to 122
vlan-assignment-mode 614
vlan-mapping modulo 308
vlan-vpn enable 1123
vlan-vpn inner-cos-trust 1124
vlan-vpn priority 1125
vlan-vpn tpid 1126
vlan-vpn tunnel 308
vlan-vpn vid 1131
vlink-peer 388
voice vlan 159
voice vlan aging 160
voice vlan enable 160
voice vlan legacy 161
voice vlan mac-address 162
voice vlan mode 163
voice vlan security enable 163
voice-config 743
vrrp method 666
vrrp ping-enable 666
vrrp vlan-interface vrid track 667
vrrp vrid authentication-mode 668
vrrp vrid preempt-mode 669
vrrp vrid priority 670
vrrp vrid timer advertise 671
vrrp vrid track 672
vrrp vrid track detect-group 261
vrrp vrid track detect-group 673
vrrp vrid virtual-ip 674
W
web-authentication cut connection 1222
web-authentication enable 1219
web-authentication free-ip 1221
web-authentication free-user 1221
web-authentication max-connection 1223
web-authentication select method 1220
web-authentication timer idle-cut 1223
web-authentication web-server 1219
webcache address 833
webcache redirect-vlan 835
wred 824
X
xmodem get 870
xrn-fabric authentication-mode 114
This guide provides all the information you need to use the configuration
commands supported by the 3Com Switch 5500 Family.
The features available in the 3Com Switch 5500 Family include a subset of those
available in other 3Com Switch products. Depending on the capabilities of your
hardware platform, some commands described in this guide may not be available
on your switch. Unavailable commands may display on the command line
interface (CLI), but if you try to use them, an error message displays.
CAUTION: Any command that displays on the CLI, but is not described in this
guide, is not supported in software version 3.2. 3Com only supports the
commands described in this guide. Other commands may result in the loss of data,
and are entered at the user's risk.
Intended Readership
Network administrators
Network engineers
Conventions
Notice Type
Description
Information note
Caution
Warning
Related Manuals
The 3Com Switch 5500 Family Getting Started Guide provides information
about installation.
The 3Com Switch 5500 Family Configuration Guide provides information
about configuring your network using the commands described in this guide.
1
command-privilege level
Syntax
View
System view
Parameters
level level: Command level to be set, in the range of 0 to 3.
view view: CLI view. It can be any CLI view that the Ethernet switch supports.
command: Command for which the level is to be set.
Description
The level of the commands used to diagnose the network is visit (level 0).
Commands such as ping, tracert, and telnet are at this level.
The level of the commands used to maintain the system and diagnose service
faults is monitor (level 1). Commands such as debugging and terminal are at
this level.
The level of the commands that are associated with the basic operation
modules and support modules of the system is manage (level 3). Commands
concerning file system, FTP/TFTP/XMODEM downloading, user management,
and level setting are at this level.
Example
display history-command
Syntax
display history-command
View
Any view
Parameters
None
Description
Example
super
Syntax
super [ level ]
View
User view
Parameters
Description
Use the super command to switch from the current user level to a specified level.
Executing this command without the level argument will switch the current user
level to level 3 by default.
Users logged into the switch fall into four user levels, which correspond to the
four command levels respectively. Users at a specific level can only use the
commands at the same level or lower levels.
You can switch between user levels after logging into a switch successfully. The
high-to-low user level switching is unlimited. However, the low-to-high user
level switching requires the corresponding authentication.
For security purposes, the password entered is not displayed when you switch to
another user level. You will remain at the original user level if you have tried
three times but failed to enter the correct authentication information.
super authentication-mode
Syntax
View
Parameters
Description
The two authentication modes are available at the same time to provide
authentication redundancy. When both authentication modes are
specified, the order in which the two types of authentication are performed is
determined by the order in which they are specified, as described below.
Example
super password
Syntax
View
System view
Parameters
level level: User level, in the range of 1 to 3. It is 3 by default.
cipher: Stores the password in the configuration file in ciphered text.
simple: Stores the password in the configuration file in plain text.
password: Password to be set. If the simple keyword is used, you must provide a
plain-text password, that is, a string of 1 to 16 characters. If the cipher keyword is
used, you can provide a password in either of the two ways:
Description
Use the super password command to set a switching password for a specified
user level, which will be used when users switch from a lower user level to the
specified user level.
Use the undo super password command to restore the default configuration.
By default, no such password is set.
NOTE: No matter whether a plain-text or cipher-text password is set, users must enter the
plain-text password during authentication.
Example
# Set the switching password for level 3 to 0123456789 in plain text.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] super password level 3 simple 0123456789
2 LOGIN COMMANDS
authentication-mode
Syntax
View
Parameters
Description
If you specify the password keyword to authenticate users using the local
password, remember to set the local password using the set authentication
password { cipher | simple } password command at the same time.
If you specify to perform local authentication when a user logs in through the
console port, a user can log into the switch with the password not configured. But
for a VTY user interface, a password is needed for a user to log into the switch
through it under the same circumstance.
By default, users logging in through the console port are not authenticated,
whereas modem users and Telnet users are authenticated.
CAUTION: For a VTY user interface, to specify the none keyword or password
keyword for login users, make sure that SSH is not enabled in the user interface.
Otherwise, the configuration fails. Refer to the section entitled protocol inbound
on page 74 for related information.
To improve security and prevent attacks on unused sockets, TCP 23 and TCP
22 (the ports for the Telnet and SSH services respectively) are enabled or disabled
according to the corresponding configuration.
If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be
disabled.
If the authentication mode is scheme, there are three scenarios: when the
supported protocol is specified as telnet, TCP 23 will be enabled; when the
supported protocol is specified as SSH, TCP 22 will be enabled; when the
supported protocol is specified as all, both the TCP 23 and TCP 22 ports will be
enabled.
Example
# Configure to authenticate users using the local password on the console port.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] user-interface aux 0
[5500-ui-aux0] authentication-mode password
auto-execute command
Syntax
View
Parameters
Description
Use the auto-execute command command to set the command that is executed
automatically after a user logs in.
Use the undo auto-execute command command to disable the specified
command from being automatically executed.
By default, no command is executed automatically after a user logs in.
Normally, the telnet command is specified to be executed automatically to enable
the user to Telnet to a specific network device automatically.
CAUTION:
Example
After the above configuration, when a user logs onto the device through VTY 0,
the device automatically executes the configured command and logs off the
current user.
copyright-info enable
Syntax
copyright-info enable
undo copyright-info enable
View
System view
Parameters
None
Description
Example
<5500>
databits
Syntax
databits { 7 | 8 }
undo databits
View
Parameters
Description
Use the databits command to set the data bits for the user interface.
Use the undo databits command to revert to the default data bits.
The default data bits is 8.
Example
display telnet-server source-ip
Syntax
View
Parameters
None
Description
If the source interface is also configured for the switch, this command displays
the IP address of the source interface.
Example
# Display the source IP address configured for the switch operating as the Telnet
server.
<5500> display telnet-server source-ip
The source IP you specified is 192.168.1.1
display telnet source-ip
Syntax
View
Parameters
None
Description
Use the display telnet source-ip command to display the source IP address
configured for the switch operating as the Telnet client.
If the source interface is also configured for the switch, this command displays
the IP address of the source interface.
Example
# Display the source IP address configured for the switch operating as the Telnet
client.
<5500> display telnet source-ip
The source IP you specified is 192.168.1.1
display user-interface
Syntax
View
Parameters
In relative user interface number scheme, the type argument is required. In this
case, AUX user interfaces are numbered from AUX0 through AUX7; VTY user
interfaces are numbered from VTY0 through VTY4.
In absolute user interface number scheme, the type argument is not required.
In this case, user interfaces are numbered from 0 to 12.
Example
Int
-
+    : Current user-interface is active.
F    : Current user-interface is active and work in async mode.
Idx  : Absolute index of user-interface.
Type : Type and relative index of user-interface.
Privi: The privilege of user-interface.
Auth : The authentication mode of user-interface.
Int  : The physical location of UIs.
A    : Authenticate use AAA.
N    : Current UI need not authentication.
P    : Authenticate use current UIs password.
Description
The user interface is in use.
Idx
Type
Tx/Rx
Modem
Privi
Auth
Authentication mode
Int
Description
0:UXXX XXXX/8:UUUU X
Description
total UI in use.
display users
Syntax
View
Parameters
Description
Use the display users command to display the user information about user
interfaces.
If you do not specify the all keyword, only the user information about the current
user interface is displayed.
Example
AUX 0
VTY 0
00:00:00
00:06:08
Userlevel
3
3
TEL
192.168.0.3
Description
UI
The numbers in the left sub-column are the absolute user interface
indexes, and those in the right sub-column are the relative user
interface indexes.
Delay
Type
User type
Ipaddress
Username
The login name of the user that logs into the user interface.
Userlevel
The level of the commands available to the users logging into the user
interface
The information is about the current user interface, and the current
user interface operates in asynchronous mode.
Parameters
None
Description
Use the display web users command to display the information about the
current on-line Web users.
Example
Level
Management
Login Time
06:16:32
Description
ID
ID of a Web user
Name
Language
Level
Login Time
free user-interface
Syntax
View
Parameters
Description
In relative user interface index scheme, the type argument is required. In this
case, AUX user interfaces are numbered from AUX0 through AUX7; VTY user
interfaces are numbered from VTY0 through VTY4.
In absolute user interface index scheme, the type argument is not required. In
this case, user interfaces are numbered from 0 to 12.
Use the free user-interface command to free a user interface. That is, this
command tears down the connection between a user and a user interface.
Note that the current user interface cannot be freed.
Example
After you perform the above operation, the user connection on user interface
VTY1 is torn down. The user in it must log in again to connect to the switch.
header
Syntax
View
System view
Parameters
incoming: Sets the login banner for users that log in through modems. If you
specify to authenticate login users, the banner appears after a user passes the
authentication. (The session does not appear in this case.)
legal: Sets the authorization banner, which is displayed when a user enters user
view.
login: Sets the login banner. The banner set by this keyword is valid only when
users are authenticated before they log into the switch and appears while the
switch prompts for user name and password. If a user logs in to the switch
through Web, the banner text configured will be displayed on the banner page.
shell: Sets the session banner, which appears after a session is established. If you
specify to authenticate login users, the banner appears after a user passes the
authentication.
text: Banner to be displayed. If no keyword is specified, this argument is the login
banner. You can provide this argument in two ways. One is to enter the banner in
the same line as the command (a command line can accept up to 254 characters).
The other is to enter the banner in multiple lines (you can start a new line by
pressing Enter), where you can enter a banner that can contain up to 2000
characters (including invisible characters such as carriage return). Note that the
first character is both the beginning character and the end character of the banner.
After entering the end character, you can press Enter to exit the interaction.
Description
Use the header command to set the banners that are displayed when a user logs
into a switch. The login banner is displayed on the terminal when the connection
is established, and the session banner is displayed on the terminal if a user
successfully logs in.
Use the undo header command to disable displaying a specific banner or all
banners.
By default, no banner is configured.
If you specify any one of the four keywords without providing the text
argument, the specified keyword will be regarded as the login information.
The banner configured with the header incoming command is displayed after
a modem user logs in successfully or after a modem user passes the
authentication when authentication is required. In the latter case, the shell
banner is not displayed.
The banner configured with the header legal command is displayed when you
enter the user interface. If password authentication is enabled or an
authentication scheme is specified, this banner is displayed before login
authentication.
The banner configured with the header shell command is displayed after a
non-modem user session is established.
Examples
# Configure banners.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] header login %Welcome to login!%
[5500] header shell %
Input banner text, and quit with the character '%'.
Welcome to shell!%
[5500] header incoming %
Input banner text, and quit with the character '%'.
Welcome to incoming!%
[5500] header legal %
Input banner text, and quit with the character '%'.
Welcome to legal!%
# Test the configuration remotely using Telnet. (only when login authentication is
configured can the login banner be displayed).
********************************************************************
* Copyright (c) 2004-2007 3Com Corporation. All rights reserved. *
* Without the owner's prior written consent,
*
* no decompiling or reverse-engineering shall be allowed.
*
********************************************************************
Welcome to legal!
Press Y or ENTER to continue, N to exit.
Welcome to login!
Login authentication
Password:
Welcome to shell!
<5500>
history-command max-size
Syntax
View
Parameters
value: Size of the history command buffer, ranging from 0 to 256 (in terms of
commands).
Description
Use the history-command max-size command to set the size of the history
command buffer.
Use the undo history-command max-size command to revert to the default
history command buffer size.
By default, the history command buffer can contain up to ten commands.
Example
# Set the size of the history command buffer of AUX 0 to 20 to enable it to store
up to 20 commands.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] user-interface aux 0
[5500-ui-aux0] history-command max-size 20
idle-timeout
Syntax
View
Parameters
Description
Use the idle-timeout command to set the timeout time. The connection to a user
interface is terminated if no operation is performed in the user interface within the
timeout time.
Use the undo idle-timeout command to revert to the default timeout time.
You can use the idle-timeout 0 command to disable the timeout function.
The default timeout time is 10 minutes.
Example
ip http shutdown
Syntax
ip http shutdown
undo ip http shutdown
View
System view
Parameters
None
Description
Use the ip http shutdown command to shut down the WEB Server.
Use the undo ip http shutdown command to launch the WEB Server.
By default, the WEB Server is launched.
To improve security and prevent attacks on unused sockets, the TCP 80 port for the
HTTP service is enabled or disabled according to the corresponding configuration.
TCP 80 port is enabled only after you use the undo ip http shutdown
command to enable the Web server.
If you use the ip http shutdown command to disable the Web server, TCP 80
port is disabled.
CAUTION: After the Web file is upgraded, you need to use the boot
web-package command to specify a new Web file for the Web server to operate
properly. Refer to File System Configuration Commands on page 1035 for
information about the boot web-package command.
Example
# Shut down the WEB Server.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ip http shutdown
lock
Syntax
lock
View
User view
Parameters
None
Description
Use the lock command to lock the current user interface to prevent unauthorized
operations in the user interface.
After you execute this command, the system prompts you for the password and
prompts you to confirm the password. The user interface is locked only when the
password entered is correct.
To unlock a user interface, press Enter and then enter the password as prompted.
Note that if you set a password containing more than 16 characters, the system
matches only the first 16 characters of the password entered for unlocking the
user interface. That is, the system unlocks the user interface as long as the first 16
characters of the password entered are correct.
By default, the current user interface is not locked.
Example
Press Enter, enter a password, and then confirm it as prompted. (The password
entered is not displayed).
Password:
Again:
locked !
In this case, the user interface is locked. To operate the user interface again, you
need to press Enter and provide the password as prompted.
Password:
<5500>
parity
Syntax
View
Parameters
Use the parity command to set the check mode of the user interface.
Use the undo parity command to revert to the default check mode.
By default, no check is performed.
Example
protocol inbound
Syntax
View
Parameters
Description
Use the protocol inbound command to specify the protocols supported by the
user interface.
Both Telnet protocol and SSH protocol are supported by default.
Related command: user-interface vty.
To improve security and prevent attacks on unused sockets, TCP 23 and TCP 22
(the ports for the Telnet and SSH services respectively) are enabled or disabled
according to the corresponding configuration.
If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be
disabled.
If the authentication mode is scheme, there are three scenarios: when the
supported protocol is specified as telnet, TCP 23 will be enabled; when the
supported protocol is specified as ssh, TCP 22 will be enabled; when the
supported protocol is specified as all, both the TCP 23 and TCP 22 port will be
enabled.
CAUTION: To configure a user interface to support SSH, you need to set the
authentication mode to scheme for users to log in successfully. If the
authentication mode is set to password or none for login users, the protocol
inbound ssh command will fail. Refer to authentication-mode on page 61 for
the related configuration.
Example
# Configure that only SSH protocol is supported in VTY 0.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] user-interface vty 0
[5500-ui-vty0] protocol inbound ssh
screen-length
Syntax
screen-length screen-length
undo screen-length
View
Parameters
screen-length: Number of lines the screen can contain. This argument ranges from
0 to 512.
Description
Use the screen-length command to set the number of lines the terminal screen
can contain.
Use the undo screen-length command to revert to the default number of lines.
By default, the terminal screen can contain up to 24 lines.
You can use the screen-length 0 command to disable the function to display
information in pages.
Example
# Set the number of lines the terminal screen can contain to 20.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] user-interface aux 0
[5500-ui-aux0] screen-length 20
send
Syntax
View
Parameters
type: User interface type, which can be AUX (for AUX user interface) and VTY (for
VTY user interface).
number: User interface index. A user interface index can be relative or absolute.
In relative user interface index scheme, the type argument is required. In this
case, AUX user interfaces are numbered from AUX0 through AUX7; VTY user
interfaces are numbered from VTY0 through VTY4.
In absolute user interface index scheme, the type argument is not required. In
this case, user interfaces are numbered from 0 to 12.
Description
Use the send command to send messages to a user interface or all the user
interfaces.
Example
# Send hello to all user interfaces.
<5500> send all
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
hello^Z
Send message? [Y/N]y
service-type
Syntax
View
Parameters
Description
Use the service-type command to specify the login type and the corresponding
available command level.
Use the undo service-type command to cancel login type configuration.
Commands fall into four command levels: visit, monitor, system, and manage,
which are described as follows:
Visit level: Commands at this level are used to diagnose network and change
the language mode of user interface, such as the ping, tracert, and
language-mode command. The telnet command is also at this level.
Commands at this level cannot be saved in configuration files.
Monitor level: Commands at this level are used to maintain the system, to
debug service problems, and so on. The display and debugging commands
are at monitor level. Commands at this level cannot be saved in configuration
files.
Manage level: Commands at this level are for the operation of the entire
system and the system supporting modules. Services are supported by these
commands. Commands concerning file system, file transfer protocol (FTP),
trivial file transfer protocol (TFTP), downloading using XModem, user
management, and level setting are at administration level.
# Configure that commands at level 0 are available to the users logging in using the
user name of zbr.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] local-user zbr
[5500-luser-zbr] service-type telnet level 0
# To verify the above configuration, you can quit the system, log in again using the
user name of zbr, and then list the available commands, as listed in the
following.
[5500] quit
<5500> ?
User view commands:
  cluster   Run cluster command
  display   Display current system information
  nslookup  Query Internet name servers
  ping      Ping function
  quit      Exit from current command view
  super     Set the current user priority level
  telnet    Establish one TELNET connection
  tracert   Trace route function
  undo      Cancel current setting
set authentication password
Syntax
View
Parameters
Description
When you enter the password in plain text containing no more than 16
characters (such as 123), the system converts the password to the
corresponding 24-character encrypted password.
When you enter the password in cipher text containing 24 characters, make
sure you are aware of the corresponding password in plaintext. For example,
the plain text 123456 corresponds to the cipher text
OUM!K%F<+$[Q=^QMAF4<1!!.
Use the set authentication password command to set the local password.
Use the undo set authentication password command to remove the local
password.
Note that only plain text passwords are expected when users are authenticated.
Example
shell
Syntax
shell
undo shell
View
Parameters
None
Description
Example
# Disable terminal services in VTY 0 through VTY 4 (assuming that you log in
through an AUX user interface).
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] user-interface vty 0 4
[5500-ui-vty0-4] undo shell
% Disable ui-vty0-4 , are you sure ? [Y/N]y
speed
Syntax
speed speed-value
undo speed
View
Parameters
speed-value: Transmission speed (in bps). This argument can be 300, 600, 1200,
2400, 4800, 9600, 19,200, 38,400, 57,600, and 115,200.
Description
Use the speed command to set the transmission speed of the user interface.
Use the undo speed command to revert to the default transmission speed.
By default, the transmission speed is 9,600 bps.
Example
# Set the transmission speed of the user interface AUX 0 to 115,200 bps.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] user-interface aux 0
[5500-ui-aux0] speed 115200
stopbits
Syntax
stopbits { 1 | 1.5 | 2 }
undo stopbits
View
Parameters
Use the stopbits command to set the stop bits of the user interface.
Use the undo stopbits command to revert to the default stop bits.
Execute these two commands in AUX user interface view only.
By default, the stop bits is 1.
NOTE: Changing the stop bits value of the switch to a value different from that of the
terminal emulation utility does not affect the communication between them.
Example
telnet
Syntax
View
Parameters
Description
Use the telnet command to establish a Telnet connection from one switch to
another to manage it remotely. You can terminate a Telnet connection by pressing
Ctrl+K or typing the quit command.
The default Telnet port number is 23.
Example
# Telnet to the switch with the host name of 3Com2 and IP address of
129.102.0.1 from the current switch (with the host name of 3Com1).
<55001> telnet 129.102.0.1
Trying 129.102.0.1 ...
Press CTRL+K to abort
Connected to 129.102.0.1 ...
**************************************************************************
* Copyright(c) 2004-2007 3Com Corporation. All rights reserved.
*
* Without the owners prior written consent,
*
* no decompiling or reverse-switch fabricering shall be allowed.
*
**************************************************************************
<55002>
telnet ipv6
Syntax
View
Parameters
Description
Use the telnet ipv6 command to establish a Telnet connection from one device to
another to perform remote management operations. You can terminate a Telnet
session by pressing Ctrl+K.
Example
# Telnet to the device with IPv6 address 3001::1.
<5500> telnet ipv6 3001::1
Trying 3001::1 ...
Press CTRL+K to abort
Connected to 3001::1 ...
**********************************************************************
* Copyright (c) 2004-2007 3Com Corporation. All rights reserved.*
* Without the owner's prior written consent,
*
* no decompiling or reverse-engineering shall be allowed.
*
***********************************************************************
<5500>
telnet source-interface
Syntax
View
System view
Parameters
Description
Use the telnet source-interface command to specify the source interface for a
Telnet client.
Use the undo telnet source-interface command to clear the specified source
interface configuration.
With this command configured, when a device logs in to the Telnet server as a
Telnet client, the source IP address is the IP address of the specified interface.
When the telnet source-interface command is executed, if the interface
specified does not exist, the device prompts that this configuration fails.
Example
telnet source-ip
Syntax
View
System view
Parameters
Description
Use the telnet source-ip command to specify the source IP address for a Telnet
client.
Use the undo telnet source-ip command to cancel the source IP address
configuration.
With the telnet source-ip command configured, the specified IP address
functions as the source IP address when a device logs into a Telnet server as a
Telnet client.
When the telnet source-ip command is executed, if the IP address specified is not
an IP address of the local device, your configuration fails.
Example
telnet-server source-interface
Syntax
View
System view
Parameters
Description
Example
telnet-server source-ip
Syntax
View
System view
Parameters
Description
The source Telnet server IP address configured for a switch is valid when the switch
operates as a Telnet server.
Note that the source Telnet server IP address must be previously assigned to the
local device.
Example
user-interface
Syntax
View
Parameters
In relative user interface index scheme, the type argument is required. In this
case, AUX user interfaces are numbered from AUX0 through AUX7; VTY user
interfaces are numbered from VTY0 through VTY4.
In absolute user interface index scheme, the type argument is not required. In
this case, user interfaces are numbered from 0 to 12.
Description
Use the user-interface command to enter one or more user interface views to
perform configuration.
Example
# Enter VTY0 user interface.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] user-interface vty 0
[5500-ui-vty0]
View
Parameters
Description
Use the user privilege level command to configure the command level available
to the users logging into the user interface.
Use the undo user privilege level command to revert to the default command
level.
By default, the commands at level 3 are available to the users logging into the
AUX user interface. The commands at level 0 are available to the users logging
into VTY user interfaces.
Commands fall into four command levels: visit, monitor, system, and manage,
which are described as follows:
Visit level: Commands at this level, such as the ping, tracert, and telnet
commands are used to diagnose the network. Commands at this level cannot
be saved in configuration files.
Monitor level: Commands at this level are used to maintain the system, to
debug service problems, and so on. The display and debugging commands
are at monitor level. Commands at this level cannot be saved in configuration
files.
Manage level: Commands at this level are for the operation of the entire
system and the system supporting modules. Services are supported by these
commands. Commands concerning file system, file transfer protocol (FTP),
trivial file transfer protocol (TFTP), downloading using XModem, user
management, and level setting are at administration level.
# Configure that commands at level 1 are available to the users logging into VTY
0.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] user-interface vty 0
[5500-ui-vty0] user privilege level 1
# You can verify the above configuration by Telnetting to VTY 0 and displaying the
available commands, as listed in the following.
<5500> ?
User view commands:
  cluster
  debugging
  display
  msdp-tracert
  mtracert
  nslookup
  ping      Ping function
  quit      Exit from current command view
  reset     Reset operation
  send      Send information to other user terminal interfaces
  super     Set the current user priority level
  telnet    Establish one TELNET connection
  terminal  Set the terminal line characteristics
  tracert   Trace route function
  undo      Cancel current setting
acl
Syntax
View
Parameters
inbound: Applies the ACL for the users Telnetting to the current switch.
outbound: Applies the ACL for the users Telnetting to other switches from the
current switch. This keyword is unavailable to Layer 2 ACLs.
Description
Example
# Apply ACL 2000 (a basic ACL) for the users Telnetting to the current switch
(assuming that ACL 2000 already exists.)
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] user-interface vty 0 4
[5500-ui-vty0-4] acl 2000 inbound
free web-users
Syntax
View
Parameters
Description
Use the free web-users command to disconnect a specified Web user or all Web
users by force.
Example
# Disconnect all Web users by force.
<5500> free web-users all
ip http acl
Syntax
View
System view
Parameters
Description
Use the ip http acl command to apply an ACL to filter Web users.
Use the undo ip http acl command to disable the switch from filtering Web users
using the ACL.
By default, the switch does not use the ACL to filter Web users.
Example
# Apply ACL 2000 to filter Web users (assuming that ACL 2000 already exists.)
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ip http acl 2000
snmp-agent community
Syntax
View
System view
Parameters
read: Specifies that the community has read-only permission in the specified view.
write: Specifies that the community has read/write permission in the specified
view.
community-name: Community name, a string of 1 to 32 characters.
acl acl-number: Specifies an ACL number for the community. The acl-number
argument ranges from 2000 to 2999.
mib-view view-name: Sets the name of the MIB view accessible to the
community. The view-name argument is a string of 1 to 32 characters.
Description
Example
# Set the community name to h123, enable users to access the switch in the name
of the community (with read-only permission). Apply ACL 2000 for network
management users (assuming that ACL 2000 already exists.)
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] snmp-agent community read h123 acl 2000
snmp-agent group
Syntax
View
System view
Parameters
v1: Specifies to adopt v1 security scheme.
v2c: Specifies to adopt v2c security scheme.
v3: Specifies to adopt v3 security scheme.
Use the snmp-agent group command to create an SNMP group. You can also
optionally use this command to apply an ACL to filter network management users.
Use the undo snmp-agent group command to remove a specified SNMP group.
By default, the SNMP group configured through the snmp-agent group v3
command is not authenticated or encrypted.
Example
# Create an SNMP group named h123 and apply ACL 2001 for network
management users (assuming that basic ACL 2001 already exists).
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] snmp-agent group v1 h123 acl 2001
snmp-agent usm-user
Syntax
System view
v1: Specifies to adopt v1 security scheme.
v2c: Specifies to adopt v2c security scheme.
v3: Specifies to adopt v3 security scheme.
user-name: User name, a string of 1 to 32 characters.
group-name: Name of the group to which the user corresponds. This argument is
a string of 1 to 32 characters.
cipher: Specifies the authentication or encryption password to be in ciphertext.
authentication-mode: Requires authentication. If this keyword is not provided,
neither authentication nor encryption is performed.
md5: Adopts HMAC-MD5 algorithm.
sha: Adopts HMAC-SHA algorithm.
auth-password: Authentication password, a string of 1 to 64 characters.
privacy: Encrypts packets.
des56: Specifies data encryption standard (DES) for encrypting.
aes128: Specifies advanced encryption standard (AES) for encrypting.
priv-password: Encrypted password, a string of 1 to 64 characters.
acl-number: Basic ACL number, ranging from 2000 to 2999.
local: Specifies local entity users.
switch fabricid-string: Engine ID associated with the user, a string with an even
number of hexadecimal digits, 10 to 64 digits long.
Description
Use the snmp-agent usm-user command to add a user to an SNMP group. You
can also optionally use this command to apply an ACL for network management
users.
Use the undo snmp-agent usm-user command to remove an SNMP user from
the corresponding SNMP group and to remove the ACL configuration on the user.
Example
# Add a user named aaa to an SNMP group named group1, specify to require
authentication, specify the authentication protocol as HMAC-MD5-96 and
authentication password as 123, and apply ACL 2002 to filter network
management users (assuming that ACL 2002 already exists).
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] snmp-agent usm-user v3 aaa group1 authentication-mode md5 123 acl 2002
File path and file name can be represented in one of the following ways:
URL starting with flash:/. This method can be used to specify the files saved in
the flash of the current unit;
Inputting the path name or file name directly. This method can be used to
specify the path to go to or a file in the current work directory.
display
current-configuration
Syntax
View
Parameters
Meaning
Note
None
[]
()
Description
Parameters that are the same as the default are not displayed.
The configured parameter whose corresponding function does not take effect
is not displayed.
interface Ethernet1/0/12
port access vlan 20
dhcp-snooping trust
arp detection trust
#
interface Ethernet1/0/13
port access vlan 20
arp detection trust
#
interface Ethernet1/0/14
port access vlan 20
#
interface Ethernet1/0/15
#
interface Ethernet1/0/16
#
interface Ethernet1/0/17
#
interface Ethernet1/0/18
#
interface Ethernet1/0/19
#
interface Ethernet1/0/20
#
interface Ethernet1/0/21
#
interface Ethernet1/0/22
#
interface Ethernet1/0/23
#
interface Ethernet1/0/24
#
interface GigabitEthernet1/1/1
priority trust
#
interface GigabitEthernet1/1/2
priority trust
#
interface GigabitEthernet1/1/3
#
interface GigabitEthernet1/1/4
#
interface NULL0
#
interface LoopBack0
#
return
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17
#
interface GigabitEthernet1/0/18
#
interface GigabitEthernet1/0/19
#
interface GigabitEthernet1/0/20
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
#
interface GigabitEthernet1/0/23
#
interface GigabitEthernet1/0/24
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
#
interface GigabitEthernet1/0/29
#
interface GigabitEthernet1/0/30
#
interface GigabitEthernet1/0/31
#
interface GigabitEthernet1/0/32
#
interface GigabitEthernet1/0/33
#
interface GigabitEthernet1/0/34
#
interface GigabitEthernet1/0/35
#
interface GigabitEthernet1/0/36
#
interface GigabitEthernet1/0/37
#
interface GigabitEthernet1/0/38
#
interface GigabitEthernet1/0/39
#
interface GigabitEthernet1/0/40
#
interface GigabitEthernet1/0/41
#
interface GigabitEthernet1/0/42
#
interface GigabitEthernet1/0/43
#
interface GigabitEthernet1/0/44
#
interface GigabitEthernet1/0/45
#
interface GigabitEthernet1/0/46
#
interface GigabitEthernet1/0/47
#
interface GigabitEthernet1/0/48
#
interface GigabitEthernet1/0/49
shutdown
#
interface GigabitEthernet1/0/50
shutdown
#
interface GigabitEthernet1/0/51
shutdown
#
interface GigabitEthernet1/0/52
shutdown
#
interface Cascade1/2/1
#
interface Cascade1/2/2
#
interface NULL0
#
interface LoopBack0
# Display the lines that include the strings matching 10* in the configuration
information for a Switch 5500. (The character * means that the character 0 in the
string before it can appear multiple times or does not appear.)
<5500> display current-configuration | include 10*
vlan 1
interface Vlan-interface1
ip address 192.168.0.36 255.255.255.0
interface Aux1/0/0
interface Ethernet1/0/1
interface Ethernet1/0/2
interface Ethernet1/0/3
port hybrid vlan 1 3 untagged
port hybrid protocol-vlan vlan 3 1
interface Ethernet1/0/4
mirroring-group 1 monitor-port
interface Ethernet1/0/5
port trunk permit vlan 1 25
interface Ethernet1/0/6
interface Ethernet1/0/7
interface Ethernet1/0/8
interface Ethernet1/0/9
interface Ethernet1/0/10
interface Ethernet1/0/11
interface Ethernet1/0/12
interface Ethernet1/0/13
interface Ethernet1/0/14
interface Ethernet1/0/15
interface Ethernet1/0/16
interface Ethernet1/0/17
interface Ethernet1/0/18
interface Ethernet1/0/19
interface Ethernet1/0/20
interface Ethernet1/0/21
interface Ethernet1/0/22
interface Ethernet1/0/23
interface Ethernet1/0/24
interface GigabitEthernet1/1/1
interface GigabitEthernet1/1/2
interface GigabitEthernet1/1/3
interface GigabitEthernet1/1/4
route-policy song permit node 1
set authentication password simple 1
# Display the lines that include the strings matching 10* in the configuration
information for a Switch 5500G. (The character * means that the character 0 in
the string before it can appear multiple times or does not appear.)
<5500G> display current-configuration | include 10*
rule 0 permit source 20.1.0.0 0.0.255.255
vlan 1
interface Vlan-interface1
ip address 192.168.0.57 255.255.255.0
interface Aux1/0/0
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface GigabitEthernet1/0/13
interface GigabitEthernet1/0/14
interface GigabitEthernet1/0/15
interface GigabitEthernet1/0/16
interface GigabitEthernet1/0/17
interface GigabitEthernet1/0/18
interface GigabitEthernet1/0/19
interface GigabitEthernet1/0/20
interface GigabitEthernet1/0/21
interface GigabitEthernet1/0/22
interface GigabitEthernet1/0/23
interface GigabitEthernet1/0/24
interface GigabitEthernet1/0/25
interface GigabitEthernet1/0/26
interface GigabitEthernet1/0/27
interface GigabitEthernet1/0/28
interface GigabitEthernet1/0/29
interface GigabitEthernet1/0/30
interface GigabitEthernet1/0/31
interface GigabitEthernet1/0/32
interface GigabitEthernet1/0/33
interface GigabitEthernet1/0/34
interface GigabitEthernet1/0/35
interface GigabitEthernet1/0/36
interface GigabitEthernet1/0/37
interface GigabitEthernet1/0/38
interface GigabitEthernet1/0/39
interface GigabitEthernet1/0/40
interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/42
interface GigabitEthernet1/0/43
interface GigabitEthernet1/0/44
interface GigabitEthernet1/0/45
interface GigabitEthernet1/0/46
interface GigabitEthernet1/0/47
interface GigabitEthernet1/0/48
interface GigabitEthernet1/0/49
interface GigabitEthernet1/0/50
interface GigabitEthernet1/0/51
interface GigabitEthernet1/0/52
interface Cascade1/2/1
interface Cascade1/2/2
undo fabric-port Cascade1/2/1 enable
undo fabric-port Cascade1/2/2 enable
ip address 20.1.1.1 255.255.0.0
bgp 1
network 10.1.0.0 255.255.0.0
network 20.1.0.0 255.255.0.0
peer aaa route-policy 1 export
peer 192.168.0.56 group aaa
route-policy 1 permit node 10
apply community 11:22
display
current-configuration
vlan
Syntax
View
Parameters
Description
Example
display
saved-configuration
Syntax
View
Parameters
Description
Examples
#
interface GigabitEthernet1/1/4
#TOPOLOGYCFG. MUST NOT DELETE
#
undo irf-fabric authentication-mode
#GLBCFG. MUST NOT DELETE
#
interface NULL0
#
user-interface aux 0 4
idle-timeout 0 0
user-interface aux 5 7
user-interface vty 0 4
authentication-mode none
user privilege level 3
set authentication password simple 1
#
return
# Display the initial configuration file saved in the storage device for a Switch
5500G.
<5500G> display saved-configuration
#
sysname 5500G
#
radius scheme system
#
domain system
#
stp mode rstp
#
vlan 1
#
interface Vlan-interface1
ip address 192.168.0.57 255.255.255.0
#LOCCFG. MUST NOT DELETE
#
interface Aux1/0/0
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17
#
interface GigabitEthernet1/0/18
#
interface GigabitEthernet1/0/19
#
interface GigabitEthernet1/0/20
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
#
interface GigabitEthernet1/0/23
#
interface GigabitEthernet1/0/24
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
#
interface GigabitEthernet1/0/29
#
interface GigabitEthernet1/0/30
#
interface GigabitEthernet1/0/31
#
interface GigabitEthernet1/0/32
#
interface GigabitEthernet1/0/33
#
interface GigabitEthernet1/0/34
#
interface GigabitEthernet1/0/35
#
interface GigabitEthernet1/0/36
#
interface GigabitEthernet1/0/37
#
interface GigabitEthernet1/0/38
#
interface GigabitEthernet1/0/39
#
interface GigabitEthernet1/0/40
#
interface GigabitEthernet1/0/41
#
interface GigabitEthernet1/0/42
#
interface GigabitEthernet1/0/43
#
interface GigabitEthernet1/0/44
#
interface GigabitEthernet1/0/45
#
interface GigabitEthernet1/0/46
#
interface GigabitEthernet1/0/47
#
interface GigabitEthernet1/0/48
#
interface GigabitEthernet1/0/49
shutdown
#
interface GigabitEthernet1/0/50
shutdown
#
interface GigabitEthernet1/0/51
shutdown
#
interface GigabitEthernet1/0/52
shutdown
#
interface Cascade1/2/1
#
interface Cascade1/2/2
#TOPOLOGYCFG. MUST NOT DELETE
#GLBCFG. MUST NOT DELETE
#
interface NULL0
#
user-interface aux 0 7
user-interface vty 0 4
authentication-mode none
user privilege level 3
#
return
display startup
Syntax
View
Any view
Parameters
Description
Example
flash:/config.cfg
flash:/config.cfg
flash:/config.cfg
enabled
Description
Current Startup
saved-configuration file
enabled indicates you can access the Boot ROM with the
user-defined password.
display this
Syntax
View
Parameters
Description
Use the display this command to display the current configuration performed in
the current view. To verify the configuration performed in a view, you can use this
command to display the parameters that are valid in the current view.
Note that:
Parameters that are the same as the default are not displayed.
The configured parameter whose corresponding function does not take effect
is not displayed.
Execution of this command in any user interface view displays the valid
configuration parameters in all user interfaces.
# Display the configuration parameters that take effect in all user interface views.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] user-interface aux 0
[5500-ui-aux0] display this
#
user-interface aux 0 4
idle-timeout 0 0
user-interface aux 5 7
user-interface vty 0
authentication-mode none
user privilege level 3
set authentication password simple 123
idle-timeout 0 0
user-interface vty 1 4
authentication-mode none
user privilege level 3
set authentication password simple 1
idle-timeout 0 0
#
return
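The display this output above shows VTY lines with no authentication, level 3 on login and a cleartext password; the acl and snmp-agent sections earlier describe the matching restrictions. The following Python check is an added example, not part of the 3Com manual, that audits a saved configuration for those settings. The sample configuration is constructed, the finding labels are hypothetical, the usm-user keyword order is assumed from the parameter list and example on this page, and treating idle-timeout 0 0 as a disabled timeout is an assumption about the switch software.

```python
import re

# Defaults stated in the manual: level 3 on AUX, level 0 on VTY. "display"
# output omits settings equal to the default, so a missing line means default.
DEFAULT_LEVEL = {"aux": 3, "vty": 0}
UI_RE = re.compile(r"user-interface\s+(aux|vty)\s+(\d+)(?:\s+(\d+))?$")

# Constructed sample, modelled on the outputs shown on this page.
SAMPLE_CONFIG = """\
#
snmp-agent community read h123 acl 2000
snmp-agent community write ops
snmp-agent usm-user v3 aaa group1 authentication-mode md5 123 acl 2002
#
user-interface aux 0 4
idle-timeout 0 0
user-interface aux 5 7
user-interface vty 0
authentication-mode none
user privilege level 3
set authentication password simple 123
idle-timeout 0 0
user-interface vty 1 4
acl 2000 inbound
user privilege level 1
#
return
"""


def parse_user_interfaces(config):
    """Split the config into (scope, kind, [settings]) user-interface blocks."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = UI_RE.match(line)
        if m:
            current = (line, m.group(1), [])
            blocks.append(current)
        elif line in ("", "#", "return"):
            current = None          # a section separator ends the block
        elif current is not None:
            current[2].append(line)
    return blocks


def audit_user_interface(scope, kind, settings):
    """Return (scope, finding) pairs for one user-interface block."""
    findings = []
    level, inbound_acl = DEFAULT_LEVEL[kind], False
    for s in settings:
        m = re.match(r"user privilege level (\d+)$", s)
        if m:
            level = int(m.group(1))
        elif s == "authentication-mode none":
            findings.append((scope, "login without authentication"))
        elif s.startswith("set authentication password simple"):
            # The password itself is never copied into the report.
            findings.append((scope, "password stored in cleartext"))
        elif s == "idle-timeout 0 0":
            # Assumption: 0 0 disables the idle timeout on this software.
            findings.append((scope, "idle timeout disabled"))
        elif re.match(r"acl \d+ inbound$", s):
            inbound_acl = True
    if kind == "vty":
        if level >= 3:
            findings.append((scope, "manage-level commands on login"))
        if not inbound_acl:
            findings.append((scope, "no inbound ACL for Telnet users"))
    return findings


def audit_snmp_line(tok):
    """Audit one tokenised snmp-agent line; community names are not echoed."""
    findings = []
    if tok[:2] == ["snmp-agent", "community"] and len(tok) >= 4:
        scope = f"snmp-agent community ({tok[2]})"
        if "acl" not in tok[4:]:
            findings.append((scope, "no ACL on community"))
    elif tok[:3] == ["snmp-agent", "usm-user", "v3"] and len(tok) >= 5:
        scope = f"snmp-agent usm-user v3 {tok[3]}"
        i = 6 if tok[5:6] == ["cipher"] else 5
        if tok[i:i + 1] != ["authentication-mode"]:
            findings.append((scope, "no authentication or encryption"))
        else:
            i += 3                  # keyword, algorithm, auth-password
            if tok[i:i + 1] != ["privacy"]:
                findings.append((scope, "authenticated but not encrypted"))
            else:
                i += 3              # keyword, algorithm, priv-password
        if tok[i:i + 1] != ["acl"]:
            findings.append((scope, "no ACL on user"))
    return findings


def audit(config):
    """Run every check over a configuration text and collect the findings."""
    findings = []
    for raw in config.splitlines():
        findings += audit_snmp_line(raw.split())
    for scope, kind, settings in parse_user_interfaces(config):
        findings += audit_user_interface(scope, kind, settings)
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Because the switch omits settings that equal the default, a VTY block with no user privilege level line is treated as level 0 and is not reported for manage-level access.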
reset
saved-configuration
Syntax
View
Parameters
Description
You may need to erase the configuration file for one of these reasons:
After you upgrade software, the old configuration file does not match the new
software.
The startup configuration file is corrupted or not the one you need.
CAUTION:
This command will permanently delete the configuration file from the switch.
An error occurs when you execute this command if the configuration file to be
erased does not exist.
save
Syntax
View
Parameters
Description
Use the save command to save the current configuration to a configuration file in
the Flash.
When you use this command to save the configuration file,
If the main and backup keywords are not specified, the current configuration
will be saved to the main configuration file.
If the cfgfile argument is specified, but the file specified by it does not exist, the
system will create the file and then save the current configuration to it. The file
attribute is neither main nor backup.
If the cfgfile argument is specified and the file specified by it exists, the system
will save the current configuration to the specified file. The file attribute is the
original attribute of the file.
If the cfgfile argument is not specified, the system will save the current
configuration to the configuration file used for this startup. If the switch starts
up without loading the configuration file, the system will save the current
configuration with the default name (config.cfg) in the root directory.
The system supports two modes for saving the current configuration file.
Fast saving mode. This is the mode when you use the save command without
the safely keyword. The mode saves the file quicker but is likely to lose the
original configuration file if the switch reboots or the power fails during the
process.
Safe mode. This is the mode when you use the save command with the safely
keyword. The mode saves the file slower but can retain the original
configuration file in the flash even if the switch reboots or the power fails
during the process.
When you use the save safely command to save the configuration file, if the
switch reboots or the power fails during the saving process, the switch initializes
itself in the following two conditions when it starts up next time:
If a configuration file with the extension .cfg exists in the Flash, the switch uses
the configuration file to initialize itself when it starts up next time.
If there is no .cfg configuration file in the Flash, but there is a configuration file
with the extension .cfgbak (backup configuration file containing the original
configuration information) or/and a configuration file with the extension
.cfgtmp (temporary configuration file containing the current configuration
information) in the Flash, you can change the extension .cfgbak or .cfgtmp to
.cfg using the rename command. The switch will use the renamed
configuration file to initialize itself when it starts up next time.
3Com recommends that you use fast saving mode in stable power conditions, and
safe mode in unstable power conditions and for remote maintenance.
If you use the save command after a fabric is formed on the switch, the units
in the fabric save their own startup configuration files automatically.
Example
# Save the current configuration to 123.cfg as the main configuration file for the
next startup.
<5500> save main
The configuration will be written to the device.
Are you sure?[Y/N]y
Please input the file name(*.cfg)(To leave the existing filename
unchanged press the enter key):123.cfg
Now saving current configuration to the device.
Saving configuration. Please wait...
............
Unit1 save configuration flash:/123.cfg successfully
startup
saved-configuration
Syntax
View
User view
Parameters
cfgfile: Path name or file name of a configuration file in the Flash, a string of 5 to
56 characters.
backup: Specifies the configuration file to be the backup configuration file.
main: Specifies the configuration file to be the main configuration file.
unit unit-id: Specifies the unit ID of a switch.
Description
CAUTION: The configuration file must use .cfg as its extension name and the
startup configuration file must be saved at the root directory of the switch.
Related command: display startup.
Example
# Configure the configuration file named config.cfg as the main configuration file
of all the switches in the fabric.
<5500> startup saved-configuration config.cfg main
Please wait......Done!
# Configure the configuration file named 123.cfg as the backup configuration file
of unit1.
<5500> startup saved-configuration unit1>flash:/123.cfg backup
Please wait......Done!
5 XRN COMMANDS
Introduction
Use the debugging dhcp xrn xha command to enable BOOTP client hot backup
debugging.
Use the undo debugging dhcp xrn xha command to disable BOOTP client hot
backup debugging.
Syntax
Parameters
Default
Example
None
By default, BOOTP client hot backup debugging is disabled.
To enable BOOTP client hot backup debugging, enter the following:
<SW5500>debugging dhcp xrn xha
View
User view
display xrn-fabric
Purpose
Syntax
Parameters
Example
Use the display xrn-fabric command to view the information of the entire
fabric, including unit ID, unit name, operation mode.
display xrn-fabric [ port ]
port
View
Description
Any view
An asterisk (*) is used to indicate which unit you have connected to via a console
connection.
xrn-fabric
authentication-mode
Purpose
Syntax
Parameters
Default
password
key
Example
To set the authentication mode of the Fabric to simple, with the password "hello",
enter the following:
<SW5500>system-view
System View: return to User View with Ctrl+Z.
[SW5500]xrn-fabric authentication-mode simple hello
View
System view
Description
CAUTION: All units must have the same Fabric authentication settings in order to
form a stack of units.
description
Syntax
description text
undo description
View
Parameter
Description
Use the description command to assign a description string to the current VLAN
or VLAN interface.
Use the undo description command to restore the default description string.
By default, the description string of the current VLAN is its VLAN ID, such as VLAN
0001; the description string of the current VLAN interface is its name, such as
Vlan-interface 1 Interface.
Related commands: display vlan and display interface Vlan-interface.
Example
display interface
Vlan-interface
Syntax
View
Parameter
Description
Example
Description
Hardware address
Internet Address
Description
display vlan
Syntax
View
Parameters
static: Displays information about the static VLANs (which are created through
manual configuration).
Description
Use the display vlan command to display the information about the specified
VLANs or all VLANs.
If the vlan-id argument is specified, information about the specified VLAN will
be displayed.
If the vlan-id argument is not specified, the VLAN IDs of all the existing VLANs
will be displayed.
Ethernet1/0/3
Ethernet1/0/6
Ethernet1/0/9
Ethernet1/0/12
Ethernet1/0/15
Ethernet1/0/18
Ethernet1/0/21
Ethernet1/0/24
Description
VLAN ID
VLAN ID
VLAN Type
Route Interface
IP Address
Subnet Mask
Description
Name: VLAN name
Tagged Ports: Ports through which packets are sent with VLAN tag kept.
Untagged Ports: Ports through which packets are sent with VLAN tag stripped.
interface
Vlan-interface
Syntax
View
Parameter
Description
System view
vlan-id: ID of the VLAN interface, in the range of 1 to 4,094.
Use the interface Vlan-interface command to create a VLAN interface and enter
VLAN interface view.
Use the undo interface Vlan-interface command to delete the VLAN interface.
Related command: display interface Vlan-interface
Example
Before you can create a VLAN interface, you must create the corresponding VLAN.
name
Syntax
name text
undo name
View
Parameter
Description
VLAN view
text: VLAN name, in the range of 1 character to 32 characters. It can contain
special characters and spaces.
Use the name command to assign a name to the current VLAN.
Use the undo name command to restore to the default VLAN name.
By default, the name of a VLAN is its VLAN ID, such as VLAN 0001.
Example
[5500] vlan 2
[5500-vlan2] name test vlan
shutdown
Syntax
shutdown
undo shutdown
View
Parameters
None
Description
When all the Ethernet ports in the VLAN are down, the VLAN interface of the
VLAN is down, that is, the VLAN interface is disabled.
When one or more Ethernet ports in the VLAN are up, the VLAN interface of
the VLAN is up, that is, the VLAN interface is enabled.
If you disable the VLAN interface, the status of the VLAN interface will always be
down, regardless of the status of the ports in the VLAN.
You can use the undo shutdown command to enable a VLAN interface when its
related parameters and protocols are configured. When a VLAN interface fails, you
can use the shutdown command to disable the interface, and then use the undo
shutdown command to enable this interface again, which may restore the
interface.
The operation of enabling/disabling a VLAN interface does not influence the status
of the Ethernet ports belonging to this VLAN.
Example
vlan
Syntax
vlan vlan-id
undo vlan vlan-id
View
Parameter
Description
System view
vlan-id: ID of the VLAN which you want to create and whose view you want to
enter. This argument ranges from 1 to 4,094.
Use the vlan command to enter VLAN view. If the VLAN identified by the vlan-id
argument does not exist, this command creates the VLAN and then enters VLAN
view.
Use the undo vlan command to remove the specified VLAN.
Examples
CAUTION:
When you use the undo vlan command to remove a VLAN which is the
default VLAN of a trunk port or a hybrid port on the device, the configuration
of the default VLAN of the trunk port or hybrid port does not change after the
undo vlan command is executed, that is, the trunk port or the hybrid port will
use the removed VLAN (the already non-existing VLAN) as its default VLAN.
The VLANs kept by protocol, voice VLAN, management VLAN, the control
VLAN of SmartLink and the probe VLAN for remote mirroring cannot be
removed using the undo vlan command.
# Remove VLAN 5.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] undo vlan 5
vlan to
Syntax
View
Parameters
System view
vlan-id1: ID of the initial VLAN to be created, in the range of 1 to 4,094.
to: Specifies the VLAN range.
vlan-id2: ID of the terminal VLAN to be created, in the range of 1 to 4,094. The
value of the argument is no smaller than that of the vlan-id1 argument.
all: If the all keyword in the vlan to command is specified, all VLANs (VLAN 1 to
4094) will be created at a time. If the all keyword in the undo vlan to command
is specified, all existing VLANs will be removed.
Description
Examples
CAUTION: The undo vlan to command or the undo vlan all command cannot
be used to remove the VLANs kept by protocol, the voice VLAN, the default VLAN
(VLAN 1), the management VLAN, the control VLAN of SmartLink and the probe
VLAN for remote mirroring.
# Create VLAN 4 through VLAN 100.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] vlan 4 to 100
Please wait............. Done.
# Remove VLAN 2 through VLAN 9 in bulk, in which VLAN 5 is the voice VLAN.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] undo vlan 2 to 9
Note:The VLAN kept by protocol, the voice VLAN, the default VLAN,
the management VLAN and the remote probe VLAN will not be deleted!
Please wait... Done.
[5500] display vlan
The following VLANs exist:
1(default), 5
The above output information indicates that among VLAN 2 through VLAN 9,
VLAN 5 (the voice VLAN) cannot be removed by the undo vlan command, while
other VLANs are removed by the command successfully.
display port
Syntax
View
Parameters
Description
Example
Use the display port command to display any existing hybrid or trunk ports.
# Display the existing hybrid ports.
<5500> display port hybrid
The following hybrid ports exist:
Ethernet1/0/1
Ethernet1/0/2
The above information shows the current system has two hybrid ports: Ethernet
1/0/1 and Ethernet 1/0/2.
port
Syntax
port interface-list
undo port interface-list
View
Parameters
Description
VLAN view
interface-list: List of Ethernet ports to be added to or removed from a VLAN.
Provide this argument in the form of interface-list = { interface-type
interface-number [ to interface-type interface-number ] } &<1-10>, where:
The port number to the right of the to keyword must be larger than or equal to
the one to the left of the keyword.
View
Parameter
Description
Example
View
Parameter
Description
Example
Caution: The local and remote hybrid ports must use the same default VLAN ID
for the traffic of the default VLAN to be transmitted properly.
# Set the default VLAN ID of the hybrid port Ethernet 1/0/1 to 100.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface ethernet1/0/1
[5500-Ethernet1/0/1] port link-type hybrid
[5500-Ethernet1/0/1] port hybrid pvid vlan 100
View
Parameters
Description
Use the port hybrid vlan command to assign the hybrid port into specified
VLANs.
Use the undo port hybrid vlan command to remove the hybrid port from
specified VLANs.
A hybrid port can belong to multiple VLANs. When you use the command multiple
times, all VLANs specified in the commands will be allowed to pass through the
port.
The VLAN specified by the vlan-id argument must exist. Otherwise, this command
is invalid.
# Assign the hybrid port Ethernet 1/0/1 to VLAN 2, VLAN 4, and VLAN 50 through
VLAN 100, configuring the port to keep VLAN tags when the packets of the
specified VLANs are forwarded on the port.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] vlan 2
[5500-vlan2] quit
[5500] interface ethernet 1/0/1
[5500-Ethernet1/0/1] port link-type hybrid
[5500-Ethernet1/0/1] port hybrid vlan 2 4 50 to 100 tagged
Operation complete, except these VLAN(s):
Non-existent VLAN(s)
port link-type
Syntax
View
Parameters
Description
Use the port link-type command to set the link type of the current Ethernet port.
Use the undo port link-type command to restore the default link type.
By default, the link type of an Ethernet port is access.
The three types of ports can coexist on an Ethernet switch. You can change the
link type of an Ethernet port. However, you cannot change the link type of a port
directly from hybrid to trunk or vice versa. To do that, you must first set the link
type to access.
Example
View
Parameters
Description
Use the port trunk permit vlan command to assign the trunk port into the
specified VLANs.
Use the undo port trunk permit vlan command to remove the hybrid port from
the specified VLANs.
A trunk port can belong to multiple VLANs. When you use the command multiple
times, all VLANs specified in the commands will be allowed to pass through the
port.
Related command: port link-type
Example
# Assign the trunk port Ethernet 1/0/1 to VLAN 2, VLAN 4 and VLAN 50 through
VLAN 100.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface ethernet 1/0/1
[5500-Ethernet1/0/1] port link-type trunk
[5500-Ethernet1/0/1] port trunk permit vlan 2 4 50 to 100
Please wait... Done.
View
Parameter
Description
Example
# Set the default VLAN ID of the trunk port Ethernet 1/0/1 to 100.
<5500> system-view
System View: return to User View with Ctrl+Z.
8 PROTOCOL-BASED VLAN CONFIGURATION COMMANDS
display protocol-vlan
interface
Syntax
View
Parameters
Description
Example
display protocol-vlan
vlan
Syntax
View
Parameters
Description
Example
# Display the protocol information and protocol indexes configured for VLAN 10
through VLAN 20.
<5500> display protocol-vlan vlan 10 to 20
VLAN ID: 10
VLAN Type: Protocol-based VLAN
Protocol-Index    Protocol-Type
0                 ip
1                 ip
2                 ipx ethernetii
3                 at
VLAN ID: 15
VLAN Type: Protocol-based VLAN
Protocol-Index    Protocol-Type
0                 ip
1                 snap etype 0x0abcd
port hybrid
protocol-vlan vlan
Syntax
View
Parameters
removes the associations between the port and all the protocol indexes of the
specified protocol-based VLAN.
Description
Use the port hybrid protocol-vlan vlan command to associate the port with the
specified protocol-based VLAN.
Use the undo port hybrid protocol-vlan vlan command to remove the
association between the specified protocol-based VLAN and the port.
Before you associate a port with the protocol-based VLAN, make sure the port
belongs to the protocol-based VLAN.
protocol-vlan
Syntax
View
Parameters
VLAN view
at: Specifies the VLAN to be an AppleTalk-based VLAN.
ip: Specifies the VLAN to be an IP-based VLAN.
ipx: Specifies the VLAN to be an IPX-based VLAN. The ethernetii, llc, raw and
snap keywords specify the four IPX encapsulation types.
mode: Configures user-defined protocol templates.
ethernetii etype-id: Matches the Ethernet II encapsulation format and the
corresponding protocol type value of the packet. The etype-id argument ranges
from 0x0600 to 0xFFFF.
Description
When you use the mode keyword to configure a user-defined protocol template,
if you set the etype-id argument for Ethernet II or SNAP packets to 0x0800,
0x8137, or 0x809B, the matching packets have the same format as that of IP, IPX,
and AppleTalk packets respectively. To prevent two commands from processing
packets of the same protocol type in different ways, the switch will prompt that
you cannot set the etype-id argument for Ethernet II or SNAP packets to 0x0800,
0x8137, or 0x809B.
Use the protocol-vlan command to configure the protocol template used for
classifying protocol-based VLANs.
Use the undo protocol-vlan command to disable the configuration.
Related command: display protocol-vlan vlan
Example
CAUTION: Because the IP protocol is closely associated with the ARP protocol, you
are recommended to configure the ARP protocol type when configuring the IP
protocol type and to associate the two protocol types with the same port.
Otherwise, ARP packets and IP packets may not be assigned to the same VLAN,
which causes IP address resolution failure.
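The caution above, modelled as an added Python example (not from the 3Com manual): untagged frames are classified by protocol type, so a port associated only with an IP template leaves ARP (0x0806) in its default VLAN. The port dictionaries, VLAN numbers, the fall-back to the default VLAN and matching on protocol type regardless of encapsulation are assumptions of this model; the etype-id range and the reserved values are those stated in the Description.

```python
import struct

# Values stated in the manual text.
ETYPE_MIN, ETYPE_MAX = 0x0600, 0xFFFF
BUILTIN_ETYPES = {"ip": 0x0800, "ipx": 0x8137, "at": 0x809B}
ARP_ETYPE = 0x0806
SNAP_LLC = b"\xaa\xaa\x03"  # DSAP, SSAP and control bytes of an LLC/SNAP header


def user_template(etype_id):
    """Validate the etype-id of a user-defined (mode) template."""
    if not ETYPE_MIN <= etype_id <= ETYPE_MAX:
        raise ValueError("etype-id 0x%04x is outside 0x0600-0xFFFF" % etype_id)
    if etype_id in BUILTIN_ETYPES.values():
        raise ValueError("0x%04x belongs to a built-in template" % etype_id)
    return etype_id


def frame_etype(frame):
    """Return the protocol type of an untagged Ethernet II or SNAP frame, else None."""
    if len(frame) < 14:
        return None
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len >= ETYPE_MIN:
        return type_or_len  # Ethernet II: the field is the protocol type
    if len(frame) >= 22 and frame[14:17] == SNAP_LLC:
        # SNAP: LLC (3 bytes) + OUI (3 bytes) + protocol type (2 bytes)
        return struct.unpack("!H", frame[20:22])[0]
    return None  # raw 802.3 or plain LLC: not modelled here


def classify(frame, port):
    """VLAN an untagged frame lands in: a matching template, else the default VLAN."""
    return port["templates"].get(frame_etype(frame), port["pvid"])


def arp_split(port):
    """Return (ip_vlan, arp_vlan) when IP and ARP are separated on this port, else None."""
    templates = port["templates"]
    ip_vlan = templates.get(BUILTIN_ETYPES["ip"])
    if ip_vlan is None:
        return None
    arp_vlan = templates.get(ARP_ETYPE, port["pvid"])
    return None if arp_vlan == ip_vlan else (ip_vlan, arp_vlan)


# Constructed sample frames (broadcast destination, made-up source MAC).
SRC = bytes.fromhex("001122334455")


def eth2(etype, payload=b"\x00" * 46):
    return b"\xff" * 6 + SRC + struct.pack("!H", etype) + payload


def snap(etype, payload=b"\x00" * 38):
    body = SNAP_LLC + b"\x00\x00\x00" + struct.pack("!H", etype) + payload
    return b"\xff" * 6 + SRC + struct.pack("!H", len(body)) + body


# Hypothetical hybrid ports: default VLAN 1, protocol VLANs 10 and 15.
PORT_IP_ONLY = {"pvid": 1, "templates": {BUILTIN_ETYPES["ip"]: 10}}
PORT_IP_AND_ARP = {
    "pvid": 1,
    "templates": {
        BUILTIN_ETYPES["ip"]: 10,
        user_template(ARP_ETYPE): 10,  # ARP template bound to the same VLAN as IP
        user_template(0xABCD): 15,
    },
}

if __name__ == "__main__":
    for name, port in (("ip only", PORT_IP_ONLY), ("ip + arp", PORT_IP_AND_ARP)):
        print(name,
              "IP ->", classify(eth2(0x0800), port),
              "ARP ->", classify(eth2(ARP_ETYPE), port),
              "split:", arp_split(port))
```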
# Configure an ARP protocol template. The code for the ARP protocol is 0x0806.
IP ADDRESS CONFIGURATION
COMMANDS
9
display ip interface
Syntax
View
Parameters
Description
Example
Description
Internet Address
Broadcast address
Broadcast address
Echo reply: 0
Unreachable: 0
Source quench: 0
Routing redirect: 0
Echo request: 0
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 0
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 0
Netmask reply: 0
Unknown type: 0
display ip interface
brief
Syntax
View
Parameters
Description
Use the display ip interface brief command to display brief information about a
specified or all Layer 3 interfaces.
With no argument included, the command displays information about all layer 3
interfaces; with only the interface type specified, it displays information about all
layer 3 interfaces of the specified type; with both the interface type and interface
number specified, it displays information about the specified interface.
Related command: display ip interface.
Example
Description
Vlan-inte...
Description
*down
(s)
Interface
Interface name
IP Address
Physical
Protocol
Description
ip address
Syntax
View
Parameters
Description
Use the ip address command to specify an IP address and mask for a VLAN or
loopback interface.
Use the undo ip address command to remove an IP address and mask of a VLAN
or loopback interface.
If you execute the undo ip address command without any parameter, the
switch deletes both primary and secondary IP addresses of the interface.
You can assign at most five IP addresses (Switch 5500) or seven IP addresses
(Switch 5500G) to an interface, among which one is the primary IP address
and the others are secondary IP addresses. A newly specified primary IP address
overwrites the previous one if there is any.
The primary and secondary IP addresses of an interface cannot reside on the same
network segment; the IP address of a VLAN interface must not be in the same
network segment as that of a loopback interface on a device.
A VLAN interface cannot be configured with a secondary IP address if the interface
has been configured to obtain an IP address through BOOTP or DHCP.
Related command: display ip interface.
Example
IP PERFORMANCE CONFIGURATION
COMMANDS
10
display fib
Syntax
View
display fib
Any view
Parameters
None
Description
Use the display fib command to display all forwarding information base (FIB)
information.
Example
Description
Flag
Flags:
U: A route is up and available.
G: Gateway route
H: Local host route
B: Blackhole route
D: Dynamic route
S: Static route
R: Rejected route
E: Multi-path equal-cost route
L: Route generated by ARP or ESIS
Destination/Mask
Nexthop
TimeStamp
Timestamp
Interface
Forwarding interface
View
Parameters
Description
Use the display fib ip-address command to view the FIB entries matching the
specified destination IP address.
Examples
# Display the FIB entries whose destination addresses match 12.158.10.0 in the
natural mask range.
<5500> display fib 12.158.10.0 longer
Route Entry Count: 1
Flag:
U:Usable    G:Gateway    H:Host    B:Blackhole    D:Dynamic    S:Static
R:Reject    E:Equal cost multi-path    L:Generated by ARP or ESIS
Destination/Mask   Nexthop       Flag  TimeStamp  Interface
12.158.10.0/24     12.158.10.1   U     t[85391]   Vlan-interface10
# Display the FIB entries whose destination addresses are in the range of
12.158.10.0/24 to 12.158.10.6/24.
<5500> display fib 12.158.10.0 255.255.255.0 12.158.10.6 255.255.255.0
Route Entry Count: 1
Flag:
U:Usable    G:Gateway    H:Host    B:Blackhole    D:Dynamic    S:Static
R:Reject    E:Equal cost multi-path    L:Generated by ARP or ESIS
Destination/Mask   Nexthop       Flag  TimeStamp  Interface
12.158.10.0/24     12.158.10.1   U     t[85391]   Vlan-interface10
Examples
display fib |
Syntax
View
Parameters
Description
Use the display fib | command to output the FIB entries related to the specific
character string from the buffer according to the regular expression.
Example
# Display the entries starting from the first one containing the string 169.254.0.0.
<5500> display fib | begin 169.254.0.0
169.254.0.0/16     2.1.1.1       U     t[0]       Vlan-interface1
2.0.0.0/16         2.1.1.1       U     t[0]       Vlan-interface1
Examples
ip-prefix / mask
211.71.75.0/24
GE
--
LE
--
Parameters
None
Description
Use the display fib statistics command to display the total number of FIB entries.
Example
Parameters
None
Description
Use the display icmp statistics command to display the statistics about ICMP
packets.
Related commands: display ip interface, reset ip statistics.
Example
bad checksum
destination unreachable
redirects
parameter problem
information request
mask replies
0
0
0
0
0
0
destination unreachable
redirects
parameter problem
information reply
0
mask replies
0
0
0
Description
bad formats
bad checksum
echo
destination unreachable
source quench
redirects
echo reply
parameter problem
timestamp
information request
mask requests
mask replies
information reply
time exceeded
display ip socket
Syntax
View
Parameters
Description
Use the display ip socket command to display the information of the current
socket.
Example
# Display the information about the socket of the TCP type.
<5500> display ip socket socktype 1
SOCK_STREAM:
Task = VTYD(18), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_SENDVPNID SO_SETKEEPALIVE,
socket state = SS_PRIV SS_ASYNC
Task = VTYD(18), socketid = 2, Proto = 6,
LA = 10.153.17.99:23, FA = 10.153.17.56:1161,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_KEEPALIVE SO_OOBINLINE SO_SENDVPNID SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC
Task = VTYD(18), socketid = 3, Proto = 6,
LA = 10.153.17.99:23, FA = 10.153.17.82:1121,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_KEEPALIVE SO_OOBINLINE SO_SENDVPNID SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC
Description
SOCK_STREAM
Task
Task ID
socketid
Socket ID
Proto
sndbuf
rcvbuf
sb_cc
Current data size in the sending buffer. The value makes sense
only for the socket of TCP type, because only TCP is able to
cache data.
rb_cc
socket option
Option of a socket
socket state
State of a socket
display ip statistics
Syntax
View
display ip statistics
Any view
Parameters
None
Description
Use the display ip statistics command to display the statistics about IP packets.
Related commands: display ip interface, reset ip statistics.
Example
local
bad format
bad options
local
no route
112
0
0
27
2
output
couldnt fragment 0
timeouts
0
Output:
Fragment:
Reassembling:
Description
sum
local
bad protocol
bad format
bad checksum
bad options
forwarding
local
dropped
no route
compress fails
input
output
dropped
fragmented
couldnt fragment
sum
timeouts
Parameters
None
Description
Use the display tcp statistics command to display the statistics about TCP
packets.
Related commands: display tcp status, reset tcp statistics.
Example
Sent packets:
Description
Total
packets in sequence
checksum error
offset error
short error
duplicate packets
out-of-order packets
ACK packets
Total
urgent packets
control packets
data packets
ACK-only packets: 40
Retransmitted timeout
Keepalive timeout
keepalive probe
Initiated connections
accepted connections
established connections
Closed connections
Description
Parameters
None
Description
Use the display tcp status command to display the state of all the TCP
connections so that you can monitor TCP connections in real time.
Example
Foreign Add:port
State
0.0.0.0:0
Listening
100.0.0.253:65508 Established
Description
TCPCB
Local Add:port
Foreign Add:port
State
Parameters
None
Description
Use the display udp statistics command to display the statistics about UDP
packets.
Related command: reset udp statistics.
Example
Description
Total
checksum error
no socket on port
View
System view
Parameters
None
Description
Use the icmp redirect send command to enable the device to send ICMP
redirection packets.
Use the undo icmp redirect send command to disable the device from sending
ICMP redirection packets.
View
System view
Parameters
None
Description
Use the icmp unreach send command to enable the device to send ICMP
destination unreachable packets.
Use the undo icmp unreach send command to disable the device from sending
ICMP destination unreachable packets.
By default, the device is enabled to send ICMP destination unreachable packets.
Example
ip forward-broadcast
Syntax
View
Parameter
Description
Interface view
acl-number: Access control list number, ranging from 2000 to 3999.
Use the ip forward-broadcast command in interface view to enable an interface
to forward broadcast packets from a directly connected network segment.
Use the undo ip forward-broadcast command to disable an interface from
forwarding broadcast packets from a directly connected network segment.
By default, an interface does not forward broadcast packets from a
directly connected network segment.
Example
ip forward-broadcast
Syntax
ip forward-broadcast
undo ip forward-broadcast
View
System view
Parameters
None
Description
Example
reset ip statistics
Syntax
View
reset ip statistics
User view
Parameters
None
Description
Use the reset ip statistics command to clear the statistics about IP packets.
Related commands: display ip interface, display ip statistics.
Example
Parameters
None
Description
Use the reset tcp statistics command to clear the statistics about TCP packets.
Related command: display tcp statistics.
Example
Parameters
None
Description
Use the reset udp statistics command to clear the statistics about UDP packets.
Related command: display udp statistics.
Example
View
Parameter
System view
time-value: TCP finwait timer value, in seconds, with the value ranging from 76 to
3600.
Description
Use the tcp timer fin-timeout command to configure the TCP finwait timer.
Use the undo tcp timer fin-timeout command to restore the default value of the
TCP finwait timer.
By default, the value of the TCP finwait timer is 675 seconds.
When the TCP connection state changes from FIN_WAIT_1 to FIN_WAIT_2, the
finwait timer is enabled. If the switch does not receive FIN packets before finwait
timer times out, the TCP connection will be terminated.
Related commands: tcp timer syn-timeout, tcp window.
Example
View
Parameter
Description
System view
time-value: TCP synwait timer value, in seconds, with the value ranging from 2 to
600.
Use the tcp timer syn-timeout command to configure the TCP synwait timer.
Use the undo tcp timer syn-timeout command to restore the default value of
the TCP synwait timer.
By default, the value of the TCP synwait timer is 75 seconds.
When sending the SYN packet, TCP starts the synwait timer. If the response packet
is not received before synwait times out, the TCP connection will be terminated.
Related commands: tcp timer fin-timeout, tcp window.
Example
tcp window
Syntax
Description
System view
window-size: Size of the transmission and receiving buffers of the
connection-oriented socket, measured in kilobytes (KB), in the range of 1 to 32.
Use the tcp window command to configure the size of the transmission and
receiving buffers of the connection-oriented socket.
Use the undo tcp window command to restore the default size of the
transmission and receiving buffers of the connection-oriented socket.
By default, the size of the transmission and receiving buffers is 8 KB.
Related commands: tcp timer fin-timeout, tcp timer syn-timeout.
Example
11
display voice vlan
error-info
Syntax
View
Parameters
None
Description
Use the display voice vlan error-info command to display the ports on which
the voice VLAN function fails to be enabled.
When the number of ACLs applied to a port reaches its threshold, voice VLAN
cannot be enabled on this port.
Examples
# Display the ports on which voice VLAN fails to be enabled on a Switch 5500.
<5500> display voice vlan error-info
No voice VLAN error information!
# Display the ports on which voice VLAN fails to be enabled on a Switch 5500G.
<5500G> display voice vlan error-info
Fail to apply voice VLAN ACL rules to the following port(s):
GigabitEthernet1/0/10
GigabitEthernet1/0/15
Parameters
None
Description
Use the display voice vlan oui command to display the currently supported OUI
addresses and the related information.
Related commands: voice vlan, voice vlan enable.
Example
# Display the OUI addresses and the related information of the voice VLAN.
<5500> display voice vlan oui
Oui Address      Mask             Description
0003-6b00-0000   ffff-ff00-0000   Cisco phone
000f-e200-0000   ffff-ff00-0000   3Com Aolynk phone
00d0-1e00-0000   ffff-ff00-0000   Pingtel phone
00e0-7500-0000   ffff-ff00-0000   Polycom phone
00e0-bb00-0000   ffff-ff00-0000   3Com phone
Parameters
None
Description
Use the display voice vlan status command to display voice VLAN-related
information, including voice VLAN operation mode, port mode (manual or
automatic), and so on.
Related commands: voice vlan, voice vlan enable.
Example
Field
Description
Voice Vlan ID
CAUTION: The Current voice vlan enable port mode field lists the ports with the
voice VLAN function enabled. Note that a port listed in this field may not currently
operate in a voice VLAN. To view the ports operating in the voice VLAN currently,
use the display vlan command, which is described in the display vlan section
below.
display vlan
Syntax
View
Parameter
vlan-id: Voice VLAN ID in the range of 1 to 4094. The voice VLAN function
cannot be enabled on VLAN 1.
Description
Use the display vlan command to display all the ports in the voice VLAN currently.
Related command: voice vlan.
Example
# Display all the ports in the current voice VLAN, assuming that the current voice
VLAN is VLAN 6.
<5500> display vlan 6
VLAN ID: 6
VLAN Type: static
Route Interface: not configured
Description: VLAN 0006
Name: VLAN 0006
Tagged Ports:
 Ethernet1/0/5
Untagged Ports:
 Ethernet1/0/6
The output indicates that Ethernet1/0/5 and Ethernet1/0/6 are in the voice VLAN
currently.
voice vlan
Syntax
View
Parameter
Description
System view
vlan-id: ID of the VLAN that needs to be enabled with the voice VLAN function,
ranging from 2 to 4094.
Use the voice vlan command to enable voice VLAN globally.
Use the undo voice vlan enable command to disable voice VLAN globally.
CAUTION:
If you enable the voice VLAN function for a specified VLAN, the specified VLAN
must exist, otherwise, your configuration fails.
If you want to delete a VLAN with voice VLAN function enabled, you must
disable the voice VLAN function first.
The voice VLAN function can be enabled for only one VLAN at one time.
# After the voice VLAN function of VLAN 2 is enabled, if you enable the voice
VLAN function for other VLANs, the system will prompt that your configuration
fails.
[5500] voice vlan 4 enable
Cant change voice vlan configuration when other voice vlan is running
View
System view
Parameter
minutes: Aging time (in minutes) to be set for a voice VLAN, ranges from 5 to
43,200.
Description
Use the voice vlan aging command to set the aging time for a voice VLAN.
Use the undo voice vlan aging command to restore the default value.
By default, the aging time for a voice VLAN is 1,440 minutes.
Related command: display voice vlan status.
Example
Parameters
None
Description
Use the voice vlan enable command to enable voice VLAN on a port.
Use the undo voice vlan enable command to disable voice VLAN on a port.
The voice VLAN function takes effect on a port only when it is enabled in both
system view and port view. Note that the operation to enable the voice VLAN
function for a port is independent of that to enable the function globally, which
means you may first enable the function on a port and then enable it globally.
Related command: display voice vlan status.
Examples
View
Parameters
None
Description
Use the voice vlan legacy command to enable the voice VLAN legacy function.
This function enables communication between 3Com's device and other
vendors' voice devices by automatically adding the voice VLAN tag to the voice
data coming from other vendors' voice devices.
Use the undo voice vlan legacy command to disable the voice VLAN legacy
function.
By default, the voice VLAN legacy function is disabled.
Examples
voice vlan
mac-address
Syntax
View
Parameters
System view
oui: MAC address, in the format of H-H-H.
oui-mask: MAC address valid length, indicated by a mask in the format of H-H-H.
text: Description string of the MAC address, containing 1 to 30 characters.
Description
Use the voice vlan mac-address command to set a MAC address used by a voice
VLAN to identify a voice device.
Use the undo voice vlan mac-address command to cancel the configuration.
The OUI address system can identify at most 16 MAC addresses. Beyond this
number, the system processes no more. After a
switch starts, there are five default OUI addresses.
Table 18 Default OUI addresses of a switch
Number   OUI addresses    Vendor
1        0003-6b00-0000   Cisco phone
2        000f-e200-0000   3Com Aolynk phone
3        00d0-1e00-0000   Pingtel phone
4        00e0-7500-0000   Polycom phone
5        00e0-bb00-0000   3Com phone
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] voice vlan mac-address 00aa-bb00-0000 mask ffff-ff00-0000 description ABC
View
Parameters
None
Description
Use the voice vlan mode auto command to configure the voice VLAN operation
mode on an Ethernet port to automatic.
Use the undo voice vlan mode auto command to configure the voice VLAN
operation mode on an Ethernet port to manual.
By default, the voice VLAN operation mode on an Ethernet port is automatic.
Related command: display voice vlan status.
Examples
View
Parameters
System view
None
Description
Use the voice vlan security enable command to enable the voice VLAN security
mode.
Use the undo voice vlan security enable command to disable the voice VLAN
security mode.
In security mode, ports that are in a voice VLAN and have voice devices attached
forward only voice data. Data packets whose MAC addresses are not among the
OUI addresses that the system can identify are filtered out. This mode
has no effect on other VLANs.
By default, the voice VLAN security mode is enabled.
Related command: display voice vlan status.
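An added Python illustration (not 3Com code) of the OUI and mask comparison configured with voice vlan mac-address and of the filtering decision that security mode makes from it. It assumes the comparison is made on a frame's source MAC address and that leading zeros in an H-H-H group may be omitted; the tested MAC addresses are constructed, while the five default entries and the limit of 16 come from the text above.

```python
import string

MAX_OUI_ENTRIES = 16  # limit stated in the manual

# Default OUI entries as listed by "display voice vlan oui".
DEFAULT_OUIS = [
    ("0003-6b00-0000", "ffff-ff00-0000", "Cisco phone"),
    ("000f-e200-0000", "ffff-ff00-0000", "3Com Aolynk phone"),
    ("00d0-1e00-0000", "ffff-ff00-0000", "Pingtel phone"),
    ("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),
    ("00e0-bb00-0000", "ffff-ff00-0000", "3Com phone"),
]


def parse_hhh(text):
    """Parse a MAC address or mask in H-H-H notation into a 48-bit integer."""
    groups = text.strip().split("-")
    valid = len(groups) == 3 and all(
        1 <= len(g) <= 4 and all(c in string.hexdigits for c in g) for g in groups
    )
    if not valid:
        raise ValueError("expected H-H-H, got %r" % text)
    return int("".join(g.zfill(4) for g in groups), 16)


class OuiTable:
    """OUI list used to recognise voice devices."""

    def __init__(self, entries=()):
        self.entries = []
        for oui, mask, description in entries:
            self.add(oui, mask, description)

    def add(self, oui, mask, description):
        if len(self.entries) >= MAX_OUI_ENTRIES:
            raise OverflowError("OUI table already holds %d entries" % MAX_OUI_ENTRIES)
        if not 1 <= len(description) <= 30:
            raise ValueError("description must contain 1 to 30 characters")
        mask_bits = parse_hhh(mask)
        # Store the OUI already masked so host bits in the input do not matter.
        self.entries.append((parse_hhh(oui) & mask_bits, mask_bits, description))

    def match(self, mac):
        """Return the description of the first entry the MAC falls under, else None."""
        value = parse_hhh(mac)
        for prefix, mask_bits, description in self.entries:
            if (value & mask_bits) == prefix:
                return description
        return None


def default_table():
    return OuiTable(DEFAULT_OUIS)


def admitted_to_voice_vlan(table, src_mac, security=True):
    """Security mode forwards only frames whose source MAC matches an OUI entry."""
    return (not security) or table.match(src_mac) is not None


if __name__ == "__main__":
    table = default_table()
    for mac in ("0003-6b12-3456", "000f-e2aa-bbcc", "00aa-bb01-0203"):
        print(mac, table.match(mac), admitted_to_voice_vlan(table, mac))
    # Same entry as the manual's mac-address example.
    table.add("00aa-bb00-0000", "ffff-ff00-0000", "ABC")
    print("00aa-bb01-0203", table.match("00aa-bb01-0203"))
```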
Example
12
display garp statistics
Syntax
View
Parameters
interface interface-list: Specifies an Ethernet port list. You need to provide the
interface-list argument in the format of { interface-type interface-number [ to
interface-type interface-number ] } &<1-10>, where the interface-type argument
represents the port type, the interface-number argument represents the port
number, and & <1-10> means that you can provide up to 10 port indexes/port
index ranges for this argument.
Description
Use the display garp statistics command to display the GARP statistics of
specified ports or all ports.
If the interface interface-list keyword-argument combination is not specified, this
command displays the GARP statistics on all the ports. Otherwise, only the GARP
statistics on the specified Ethernet port is displayed.
Examples
: 0
: 0
: 0
: 0
: 0
: 0
Description
Parameters
interface interface-list: Specifies an Ethernet port list. You need to provide the
interface-list argument in the format of { interface-type interface-number [ to
interface-type interface-number ] } &<1-10>, where the interface-type argument
represents the port type, the interface-number argument represents the port
number, and & <1-10> means that you can provide up to 10 port indexes/port
index ranges for this argument.
Description
Use the display garp timer command to display the settings of the GARP timers
on specified ports or all ports.
If the interface interface-list keyword-argument combination is not specified, this
command displays the GARP timer settings of all ports. Otherwise, only the GARP
timer settings of the specified Ethernet port are displayed.
This command displays the settings of the following timers:
Join timer
Leave timer
LeaveAll timer
Hold timer
Join Time      : 20 centiseconds
Leave Time     : 60 centiseconds
LeaveAll Time  : 1000 centiseconds
Hold Time      : 10 centiseconds
Join Time      : 20 centiseconds
Leave Time     : 60 centiseconds
LeaveAll Time  : 1000 centiseconds
Hold Time      : 10 centiseconds
garp timer
Syntax
View
Parameters
Description
Use the garp timer command to set a GARP timer (that is, the Hold timer, the Join
timer, or the Leave timer) for an Ethernet port.
Use the undo garp timer command to restore the default setting of a GARP
timer.
By default, the Hold, Join, and Leave timers are set to 10, 20, and 60 centiseconds.
Note that:
The timeout ranges of the timers vary depending on the timeout values you set
for other timers. If you want to set the timeout time of a timer to a value out of
the current range, you can set the timeout time of the associated timer to
another value to change the timeout range of this timer.
Lower threshold
Upper threshold
Hold
10 centiseconds
Join
Leave
LeaveAll
View
Parameter
System view
timer-value: Setting (in centiseconds) of the GARP LeaveAll timer. You need to set
this argument with the Leave timer settings of other Ethernet ports as references.
That is, this argument needs to be larger than the Leave timer setting of any
Ethernet port. Also note that this argument needs to be a multiple of 5 and
cannot be larger than 32,765.
Description
Use the garp timer leaveall command to set the GARP LeaveAll timer.
Use the undo garp timer leaveall command to restore the default setting of the
GARP LeaveAll timer.
By default, the LeaveAll timer is set to 1,000 centiseconds, that is, 10 seconds.
Related command: display garp timer.
Example
Parameters
interface interface-list: Specifies an Ethernet port list. You need to provide the
interface-list argument in the format of { interface-type interface-number [ to
interface-type interface-number ] } &<1-10>, where the interface-type argument
represents the port type, the interface-number argument represents the port
number, and & <1-10> means that you can provide up to 10 port indexes/port
index ranges for this argument.
Description
Use the reset garp statistics command to clear the GARP statistics (such as the
information about the packets received/sent/discarded by GVRP) on specified or all
ports.
Executing the reset garp statistics command without any parameter clears the
GARP statistics of all ports.
Related command: display garp statistics.
Example
Parameters
interface interface-list: Specifies an Ethernet port list. You need to provide the
interface-list argument in the format of { interface-type interface-number [ to
interface-type interface-number ] } &<1-10>, where the interface-type argument
represents the port type, the interface-number argument represents the port
number, and & <1-10> means that you can provide up to 10 port indexes/port
index ranges for this argument.
Description
Use the display gvrp statistics command to display the GVRP statistics of all
trunk ports.
This command displays the following information:
Examples
GVRP status
# Display the GVRP statistics of Ethernet1/0/1, assuming that the port is a trunk
port.
<5500> display gvrp statistics interface Ethernet 1/0/1
GVRP statistics on port Ethernet1/0/1
GVRP Status                : Enabled
GVRP Failed Registrations  : 0
GVRP Last Bpdu Origin      : 0000-0000-0000
GVRP Registration Type     : Normal
Status                : Enabled
Failed Registrations  : 0
Last Pdu Origin       : 0000-0000-0000
Registration Type     : Normal
Parameters
None
Description
Use the display gvrp status command to display the global GVRP status (enabled
or disabled).
Example
gvrp
Syntax
gvrp
undo gvrp
View
Parameters
None
Description
Use the gvrp command to enable GVRP globally (in system view) or for a port (in
Ethernet port view).
Use the undo gvrp command to disable GVRP globally (in system view) or on a
port (in Ethernet port view).
By default, GVRP is disabled both globally and on ports.
Note that:
To enable GVRP for a port, you need to enable GVRP globally first.
After you enable GVRP on a trunk port, you cannot change the port to other
types.
gvrp registration
Syntax
View
Parameters
fixed: Specifies the fixed GVRP registration mode. A port operating in this mode
cannot register or remove the registration VLAN information dynamically. It only
propagates static VLAN information. Besides, the port permits only static VLANs,
that is, it propagates only static VLAN information to the other GARP members.
forbidden: Specifies the forbidden GVRP registration mode. A port operating in
this mode cannot register or remove the registration VLAN information
dynamically. It permits only VLAN 1, that is, it propagates only the information
about VLAN 1 to the other GARP members.
normal: Specifies the normal mode. A port operating in this mode can
dynamically register or remove the registration VLAN information and can
propagate both dynamic and static VLAN information.
Description
Use the gvrp registration command to configure the GVRP registration mode on
a port.
Use the undo gvrp registration command to restore the default GVRP
registration mode on a port.
By default, the registration mode is normal.
Note that these commands only apply to trunk ports.
Related command: display gvrp statistics
Examples
13
broadcast-suppression
Syntax
View
Parameters
Description
In system view, the max-pps argument is in the range from 1 to 262,143 for
the Switch 5500 and 1 to 14,880,000 for the Switch 5500G.
In Ethernet port view, the max-pps argument is in the range 1 to 148,810 for
an Ethernet port, and 1 to 262,143 for a GigabitEthernet port for the Switch
5500. In Ethernet port view, the max-pps argument is in the range of 1 to
1,488,000 for the Switch 5500G.
Examples
# Set the maximum number of broadcast packets that can be received per second
by the Ethernet 1/0/1 port to 1,000.
[5500-Ethernet1/0/1] broadcast-suppression pps 1000
# Set the maximum number of broadcast packets that can be received per second
by the GigabitEthernet1/0/1 port to 1000 pps.
[5500G-GigabitEthernet1/0/1] broadcast-suppression pps 1000
copy configuration
Syntax
View
Parameters
If you specify a source aggregation group ID, the system uses the port with the
smallest port number in the aggregation group as the source.
The copy command can only be used to copy the configuration of LACP's enable
state, but not to copy the configuration of an aggregation group; that is, you
cannot add a port to the aggregation group by this command.
QoS configuration includes traffic policing, packet priority marking, port priority,
traffic accounting, VLAN mapping, port rate limiting, priority trust mode, QoS
profile (the qos-profile port-based configuration cannot be duplicated).
STP configuration includes STP enable/disable status on the port, link attribute on
the port (point-to-point or non-point-to-point), STP priority, path cost, packet
transmission rate limit, whether loop protection is enabled, whether root
protection is enabled, and whether the port is an edge port.
Generic attribute registration protocol (GARP) configuration includes GVRP
enable/disable status, timer settings, and registration mode.
Port configuration: includes the port's link type, port rate, and duplex mode.
The Switch 5500G
The configuration that can be copied includes: VLAN configuration,
protocol-based VLAN configuration, LACP configuration, QoS configuration,
GARP configuration, STP configuration and initial port configuration.
VLAN configuration: includes IDs of the VLANs allowed on the port and the
default VLAN ID of the port;
QoS configuration: includes rate limit, port priority, and default 802.1p priority
on the port;
STP configuration: includes STP enable/disable status on the port, link attribute
on the port (point-to-point or non-point-to-point), STP priority, path cost,
packet transmission rate limit, whether loop protection is enabled, whether
root protection is enabled, and whether the port is an edge port;
Port configuration: includes the port's link type, port rate, and duplex mode.
Examples
# Copy the configuration of Ethernet 1/0/1 to Ethernet 1/0/2 and Ethernet 1/0/3.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] copy configuration source ethernet 1/0/1 destination ethernet 1/0/2 ethernet 1/0/3
Note: The following will be removed from destination port list:
Aggregation port(s),Voice vlan port(s).
Copying VLAN configuration...
Copying Protocol based VLAN configuration...
Copying LACP configuration...
Copying QOS configuration...
Copying GARP configuration...
Copying STP configuration...
Copying speed/duplex configuration...
Any aggregation group port you input in the destination port list will be
removed from the list and the copy command will not take effect on the port.
If you want an aggregation group port to have the same configuration with
the source port, you can specify the aggregation group of the port as the
destination (with the destination-agg-id argument).
Any voice-VLAN-enabled port you input in the destination port list will be
removed from the list.
description
Syntax
description text
undo description
View
Parameter
Description
Examples
View
Parameters
Description
Currently, for the port types other than Ethernet port, this command only displays
the link state, and shows -- in all other configuration information fields.
Related command: display interface.
Example
Description
Interface
Port type
Link
Description
Speed
Link rate
Duplex
Duplex attribute
Type
PVID
Default VLAN ID
Description
display interface
Syntax
View
Parameters
Description
Example
Untagged VLAN ID : 1
Last 300 seconds input: 0 packets/sec 0 bytes/sec
Last 300 seconds output: 0 packets/sec 0 bytes/sec
Input(total): 0 packets, 0 bytes
0 broadcasts, 0 multicasts, - pauses
Input(normal): - packets, - bytes
- broadcasts, - multicasts, - pauses
Input: 0 input errors, 0 runts, 0 giants, - throttles, 0 CRC
0 frame, - overruns, 0 aborts, 0 ignored, - parity errors
Output(total): 0 packets, 0 bytes
0 broadcasts, 0 multicasts, 0 pauses
Output(normal): - packets, - bytes
- broadcasts, - multicasts, - pauses
Output: 0 output errors, - underruns, - buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
0 lost carrier, - no carrier
Description
Hardware address
Media type
Media type
Broadcast MAX-ratio
Unicast MAX-ratio
Multicast MAX-ratio
PVID
Mdi type
Port link-type
Tagged VLAN ID
Untagged VLAN ID
Description
Switch 5500
0 broadcasts, 0 multicasts, 0 pauses
Input(normal): - packets, - bytes
- broadcasts, - multicasts, - pauses
Input: 0 input errors, 0 runts, 0 giants, - throttles, 0 CRC
0 frame, - overruns, 0 aborts, 0 ignored, - parity errors
(As 10GE ports and Fabric ports do not support statistics on giant frames, "-" is displayed in the corresponding fields for ports of these two types.)
Output(total): 0 packets, 0 bytes
0 broadcasts, 0 multicasts, 0 pauses
Output(normal): - packets, - bytes
- broadcasts, - multicasts, - pauses
Output: 0 output errors, - underruns, - buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
0 lost carrier, - no carrier
Statistics on the outgoing packets and errors on the port. The - indicates that the statistical item is not supported.
Switch 5500G
Output(total): 0 packets, 0 bytes
0 broadcasts, 0 multicasts, 0 pauses
Output(normal): - packets, - bytes
- broadcasts, - multicasts, - pauses
Output: 0 output errors, - underruns, - buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
0 lost carrier, - no carrier
The - indicates that the statistical item is not supported.
display link-delay
Syntax
display link-delay
View
Any view
Parameters
None
Description
Use the display link-delay command to display the information about the ports
with the link-delay command configured, including the port name and the
configured delay.
Related command: link-delay.
Example
# Display the information about the ports with the link-delay command
configured.
<5500> display link-delay
Interface             Time Delay
===================== =================
Ethernet1/0/1         8
Ethernet1/0/2         5
display loopback-detection
Syntax
display loopback-detection
View
Any view
Parameters
None
Description
Example
Description
Port Ethernet1/0/1 loopback-detection is running
system Loopback-detection is running
display packet-drop
Syntax
View
Parameters
Description
Use the display packet-drop command to display the statistics on the packets
dropped on a port or all the ports.
If the interface type and interface number arguments are not provided, this
command displays the statistics on the packets dropped on all ports. Otherwise,
the command displays the statistics of the packets dropped on the port identified
by the interface type and interface number arguments.
Examples
# Display the summary statistics on the packets dropped on all the ports.
# Display the summary information about the packets dropped on all the ports.
<5500G> display packet-drop summary
All GigabitEthernet interfaces:
Packets dropped By GBP full or insufficient bandwidth: 0
Packets dropped By others: 0
Field
Description
Parameters
None
Description
Use the display port combo command to display combo ports in the current
system.
Example
Inactive
GigabitEthernet1/0/51
GigabitEthernet1/0/49
GigabitEthernet1/0/52
GigabitEthernet1/0/50
display storm-constrain
Syntax
View
Parameters
Meaning
Description
Description
Example
Character
Meaning
Description
Description
PortName
StormType
LowerLimit
UpperLimit
Ctr-mode
Status
Trap
Log
Swi-num
display unit
Syntax
View
Parameter
Description
Examples
Description
Switch 5500
Aux1/0/0
Description : Aux Interface
Switch 5500G
Cascade1/2/1 current state
Description
UP Cascade port
duplex
Syntax
View
Parameters
Description
Use the duplex command to set the duplex mode of the current port.
Use the undo duplex command to restore the default duplex mode, that is,
auto-negotiation.
By default, the port is in auto-negotiation mode.
Examples
The duplex mode of a Combo optical port can only be configured as auto or full;
otherwise the port cannot come up.
The duplex mode of a Combo electrical port can be configured as auto, half or
full.
Syntax
View
Parameters
None
Description
Use the enable log updown command to allow the port to output Up/Down log
information.
Use the undo log enable updown command to disable the port from outputting
Up/Down log information.
By default, a port is allowed to output Up/Down log information.
Example
flow-control
Syntax
flow-control
undo flow-control
View
Parameters
Description
Use the flow-control command to enable flow control on the current Ethernet
port.
Use the undo flow-control command to disable flow control on the port.
Suppose flow control is enabled on both the local and peer switches. When
congestion occurs on the local switch, the local switch sends a message to
notify the peer switch to stop sending packets to it or to reduce the sending
rate temporarily. When the peer switch receives the message, it stops sending
packets to the local switch or reduces the sending rate temporarily; and vice
versa. In this way, packet loss is avoided and the network service operates
normally.
By default, flow control is disabled on a port.
Examples
flow-interval
Syntax
flow-interval interval
undo flow-interval
View
Parameter
Description
average rates in the interval. For example, if you set the interval to 100 seconds,
the displayed information is as follows:
Last 100 seconds input: 0 packets/sec 0 bytes/sec
Last 100 seconds output: 0 packets/sec 0 bytes/sec
# Set the interval to perform statistics on the Ethernet 1/0/1 port to 100 seconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface ethernet 1/0/1
[5500-Ethernet1/0/1] flow-interval 100
giant-frame statistics enable
Syntax
View
System view
Parameters
None
Description
Example
interface
Syntax
View
System view
Parameters
interface-type: Port type, which can be Aux, Ethernet, GigabitEthernet, LoopBack,
NULL or VLAN-interface.
interface-number: Port number, in the format of Unit ID/slot number/port number,
where:
Unit ID is in the range of 1 to 8;
The slot number is 0 if the port is an Ethernet port, the slot number is 1 if the port
is a GigabitEthernet port.
The port number is relevant to the device.
Description
Use the interface command to enter specific port view. To configure an Ethernet
port, you need to enter Ethernet port view first.
Example
# Enter Ethernet 1/0/1 port view.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1]
jumboframe enable
Syntax
jumboframe enable
undo jumboframe enable
View
Parameters
None
Description
Use the jumboframe enable command to allow jumbo frames that are not larger
than 9,216 bytes to pass through the current Ethernet port.
Use the undo jumboframe enable command to allow frames that are not larger
than 1,536 bytes to pass through the current Ethernet port.
By default, frames that are not larger than 9,216 bytes are allowed to pass
through the Ethernet port.
Example
# Allow frames that are not larger than 1536 bytes to pass through Ethernet1/0/1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface ethernet 1/0/1
[5500-Ethernet1/0/1] undo jumboframe enable
link-delay
Syntax
link-delay delay-time
undo link-delay
View
Parameter
Description
Example
The port state change delay takes effect when the port goes down but not
when the port goes up.
The delay configured in this way does not take effect for ports in DLDP down
state. For information about the DLDP down state, refer to DLDP.
loopback
Syntax
View
Parameters
Description
Use the loopback command to perform a loopback test on the current Ethernet
port to check whether the Ethernet port works normally. The loopback test
terminates automatically after running for a specific period.
By default, no loopback test is performed on the Ethernet port.
Examples
loopback-detection control enable
Syntax
View
Parameters
None
Description
loopback-detection enable
Example
loopback-detection enable
Syntax
loopback-detection enable
undo loopback-detection enable
View
Parameters
None
Description
If loopback is found on an access port, the switch will set the port to a
controlled working state.
For a trunk or hybrid port, the loopback detection control feature can be
implemented by using this command and the loopback-detection control
enable command together.
The loopback detection feature takes effect on a specified port only when the
loopback detection feature is enabled in both system view and the specified port
view.
By default, the loopback detection feature is disabled on any port.
Related command: loopback-detection control enable.
Example
loopback-detection interval-time
Syntax
View
System view
Parameter
time: Time interval for loopback detection, in the range of 5 to 300 (in seconds). It
is 30 seconds by default.
Description
Use the loopback-detection interval-time command to set time interval for
loopback detection.
Use the undo loopback-detection interval-time command to restore the
default time interval.
Example
loopback-detection per-vlan enable
Syntax
View
Parameters
None
Description
# Configure the system to run loopback detection on all VLANs of the trunk port
Ethernet 1/0/1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface ethernet 1/0/1
[5500-Ethernet1/0/1] port link-type trunk
[5500-Ethernet1/0/1] loopback-detection per-vlan enable
mdi
View
Parameters
Description
To connect two RJ-45 interfaces operating in the same MDI mode, use a
crossover cable; to connect two RJ-45 interfaces operating in different MDI
modes, use a straight-through cable.
Use the mdi command to set the MDI mode for a port.
Use the undo mdi command to restore the default setting.
mdi
View
Parameters
Description
Example
multicast-suppression
Syntax
View
Parameters
Examples
# Allow the incoming multicast traffic on Ethernet 1/0/1 to occupy at most 20% of
the transmission capacity of the port, and suppress the multicast traffic that
exceeds the specified range.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface ethernet 1/0/1
[5500-Ethernet1/0/1] multicast-suppression 20
# Set the maximum number of multicast packets that can be received per second
by Ethernet 1/0/1 to 1,000.
[5500-Ethernet1/0/1] multicast-suppression pps 1000
# Set the maximum number of multicast packets that can be received per second
by the GigabitEthernet1/0/1 port to 1000 pps.
[5500G-GigabitEthernet1/0/1] multicast-suppression pps 1000
reset counters interface
Syntax
View
Parameters
Use the reset counters interface command to clear the statistics of the port,
preparing for a new statistics collection.
If you specify neither port type nor port number, the command clears statistics of
all ports.
If you specify only the port type, the command clears statistics of all ports of this type.
If you specify both the port type and the port number, the command clears statistics of the
specified port.
The statistics of the 802.1x-enabled ports cannot be cleared.
Examples
reset packet-drop interface
Syntax
View
Parameters
Description
Use the reset packet-drop interface command to clear the statistics on the
packets dropped on a port or all the ports.
If the interface type and interface number arguments are not provided, this
command clears the statistics on the packets dropped on all the ports. Otherwise,
the command clears the statistics on the packets dropped on the port identified by
the interface type and interface number arguments.
Example
shutdown
Syntax
shutdown
undo shutdown
View
Parameters
None
Description
Example
You can use the display port combo command to display the current state of
combo ports. The port in the Active state is available and the port in the Inactive
state is unavailable.
If you execute the shutdown command on a port in the Active state, the port
will become Inactive.
If you execute the undo shutdown command on a port in the Inactive state,
the port will become Active.
# Shut down GigabitEthernet1/0/1 and then enable it again.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface GigabitEthernet 1/0/1
[5500G-GigabitEthernet1/0/1] shutdown
[5500G-GigabitEthernet1/0/1] undo shutdown
speed
View
Parameters
Description
Example
speed
View
Parameters
Description
The speed of a Combo optical port can only be configured as auto or 1000
Mbps; otherwise the port cannot come up.
The speed of a Combo electrical port can be configured as auto, 10, 100 or 1000
Mbps.
Example
speed auto
Syntax
View
Parameters
Description
Examples
storm-constrain
Syntax
Description
Use the storm-constrain command to set the upper and lower thresholds of the
broadcast/multicast/unicast traffic received on the port.
Use the undo storm-constrain command to cancel the threshold configuration.
Related command: display storm-constrain.
Examples
# Set the upper and lower thresholds of broadcast traffic on Ethernet1/0/1 to 100
pps and 10 pps respectively.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] storm-constrain broadcast 100 10 pps
storm-constrain control
Syntax
View
Parameters
block: Blocks and stops forwarding those types of traffic exceeding the upper
thresholds.
shutdown: Shuts down the port if the broadcast/multicast/unicast traffic exceeds
the upper threshold, and stops receiving and forwarding all types of traffic on the
port.
Description
Use the storm-constrain control command to set the action to be taken when
the broadcast/multicast/unicast traffic on the port exceeds the upper threshold.
Use the undo storm-constrain control command to cancel the configured
action.
By default, no action is taken.
If the fabric function is enabled on a port of a device, you cannot configure the
storm control function on all ports of the device.
It is recommended that you do not set the upper and lower traffic thresholds to
the same value.
The system can take one of two actions when the broadcast/multicast/unicast
traffic received on a port exceeds the upper threshold: block or shutdown.
The block action blocks only those types of traffic that exceed the upper
thresholds instead of all types of traffic. When a type of traffic is blocked, it is
still counted by the system and contained in the traffic statistics. The
shutdown action automatically shuts down the port when a type of traffic on
the port exceeds the upper threshold. If you want to bring up the port again,
you can execute the undo shutdown command or the undo
storm-constrain { all | broadcast | multicast | unicast } command.
storm-constrain enable
Syntax
Description
Example
storm-constrain interval
Syntax
View
System view
Parameter
interval-value: Interval to collect traffic statistics, in the range of 1 to 300 (in
seconds).
Description
Use the storm-constrain interval command to set the interval to collect traffic
statistics.
Use the undo storm-constrain interval command to restore the default setting.
By default, the interval is 10 seconds.
Related command: display storm-constrain, storm-constrain.
Example
unicast-suppression
Syntax
View
Parameters
Description
Examples
# Set the maximum number of unknown unicast packets that can be received per
second by Ethernet 1/0/1 to 1,000.
[5500-Ethernet1/0/1] unicast-suppression pps 1000
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface GigabitEthernet 1/0/1
[5500G-GigabitEthernet1/0/1] unicast-suppression 20
# Set the maximum number of unknown unicast packets that can be received per
second by the GigabitEthernet1/0/1 port to 1000 pps.
[5500G-GigabitEthernet1/0/1] unicast-suppression pps 1000
virtual-cable-test
Syntax
virtual-cable-test
View
Parameters
None
Description
Use the virtual-cable-test command to enable the system to test the cable
connected to a specific port and to display the results. The system can test these
attributes of the cable:
Cable status, including normal, abnormal, abnormal-open, abnormal-short and
failure
Cable length
If the cable is in normal state, the displayed length value is the total length of
the cable.
If the cable is in any other state, the displayed length value is the length from
the port to the faulty point.
Pair skew
Pair swap
Pair polarity
Insertion loss
Return loss
Near-end crosstalk
By default, the system does not test the cable connected to the Ethernet port.
Optical port (including Combo optical port) does not support VCT
(virtual-cable-test) function.
Currently, only cable status and cable length can be tested. A hyphen (-)
indicates that the corresponding test item is not supported.
Examples
display link-aggregation interface
Syntax
View
Parameters
Description
Examples
Local:
Port-Priority: 32768, Oper key: 2, Flag: 0x45
Remote:
System ID: 0x8000, 0000-0000-0000
Port Number: 0, Port-Priority: 32768 , Oper-key: 0, Flag: 0x38
Received LACP Packets: 0 packet(s), Illegal: 0 packet(s)
Sent LACP Packets: 0 packet(s)
Description
Selected AggID
Local
Port-Priority
Port priority
Oper key
Operation key
Flag
Remote
System ID
Remote device ID
Port number
Port number
display link-aggregation summary
Syntax
View
Parameters
None
Description
Example
1
2
S
M
0x8000,0000-0000-0000 0
none
1
0
NonS Ethernet1/0/2
NonS Ethernet1/0/3
Description
Aggregation
Group Type
Aggregation group type: D for dynamic, S for static, and M for manual
Loadsharing Type
Load sharing type: Shar for load sharing and NonS for non-load sharing
Actor ID
Local device ID
AL ID
Aggregation group ID
AL Type
Partner ID
Select Ports
Unselect Ports
Share Type
Master Port
display link-aggregation verbose
Syntax
View
Parameter
Description
Example
-------------------------------------------------------------------------
Ethernet1/0/2     S        32768     1     {}
Ethernet1/0/3     U        32768     1     {}
Remote:
Actor             Partner  Priority  Key   SystemID               Flag
-------------------------------------------------------------------------
Ethernet1/0/2     0        0         0     0x0000,0000-0000-0000  {}
Ethernet1/0/3     0        0         0     0x0000,0000-0000-0000  {}
Description
Loadsharing Type
Flags
Aggregation ID
Aggregation group ID
Aggregation Description
Aggregation Type
System ID
Device ID
Port Status
Parameters
None
Description
Use the display lacp system-id command to display the device ID of the local
system, including the system priority and the MAC address.
Example
The Actor System ID field is the device ID (consisting of the system priority and the
system MAC address) of the local system.
lacp enable
Syntax
lacp enable
undo lacp enable
View
Parameters
None
Description
Use the lacp enable command to enable LACP on the current port.
Use the undo lacp enable command to disable LACP.
By default, LACP is disabled on a port.
Example
lacp port-priority
Syntax
View
Parameter
Description
Examples
lacp system-priority
Syntax
View
System view
Parameter
system-priority: System priority, ranging from 0 to 65,535.
Description
Use the lacp system-priority command to set the system priority.
Use the undo lacp system-priority command to restore the default system
priority.
By default, the system priority is 32,768.
Example
link-aggregation group description
Syntax
View
System view
Parameters
agg-id: Aggregation group ID, in the range of 1 to 416 for the Switch 5500 and
from 1 to 464 for the Switch 5500G.
agg-name: Aggregation group description, a string of 1 to 32 characters.
Description
If you have saved the current configuration with the save command, after system
reboot, the configuration concerning manual and static aggregation groups and
their descriptions still exists, but that of the dynamic aggregation groups and their
descriptions gets lost.
Related command: display link-aggregation verbose.
Example
link-aggregation group mode
Syntax
View
System view
Parameters
agg-id: Aggregation group ID, in the range of 1 to 416 for the Switch 5500 and
from 1 to 464 for the Switch 5500G.
manual: Creates a manual aggregation group.
static: Creates a static aggregation group.
Description
Example
port link-aggregation group
Syntax
View
Parameter
Description
agg-id: Aggregation group ID, in the range of 1 to 416 for the Switch 5500 and
from 1 to 464 for the Switch 5500G.
Use the port link-aggregation group command to add the current Ethernet port
to a manual or static aggregation group.
Use the undo port link-aggregation group command to remove the current
Ethernet port from the aggregation group.
Related command: display link-aggregation verbose.
Example
View
Parameters
Description
Use the reset lacp statistics command to clear LACP statistics on specified
port(s), or on all ports if no port is specified.
Related command: display link-aggregation interface.
Example
display isolate port
Syntax
View
Parameters
None
Description
Use the display isolate port command to display information about the Ethernet
ports added to the isolation group.
Example
# Display information about the Ethernet ports added to the isolation group.
<5500> display isolate port
Isolated port(s) on UNIT 1:
Ethernet1/0/2, Ethernet1/0/3, Ethernet1/0/4
port isolate
Syntax
port isolate
undo port isolate
View
Parameters
Description
Use the port isolate command to add an Ethernet port to the isolation group.
Use the undo port isolate command to remove an Ethernet port from the
isolation group.
The Switch 5500 supports cross-device port isolation if IRF fabric is enabled.
display mac-address security
Syntax
View
Parameter
Description
Examples
PORT INDEX
AGING TIME(s)
GigabitEthernet1/0/1
NOAGED
GigabitEthernet1/0/1
NOAGED
GigabitEthernet1/0/1
NOAGED
GigabitEthernet1/0/1
NOAGED
display port-security
Syntax
View
Parameter
Description
If the interface-list argument is not specified, this command displays the global
security configuration and the security configuration of all ports.
If the interface-list argument is specified, this command displays the security
configuration of the specified ports.
Example
Description
Equipment port-security is enabled
Disableport Timeout: 20 s
OUI value
Ethernet1/0/1 is link-down
NeedtoKnow mode is needtoknowonly
Authorization is permit
mac-address security
Syntax
In system view:
mac-address security mac-address interface interface-type interface-number vlan vlan-id
undo mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]
In Ethernet port view:
mac-address security mac-address vlan vlan-id
undo mac-address security [ [ mac-address ] vlan vlan-id ]
View
Parameter
Description
Use the mac-address security command to manually add a security MAC address
to a port.
Use the undo mac-address security command to remove a security MAC
address from a port.
By default, no security MAC address is configured.
Examples
You can manually add a security MAC address to a port only when port security is
enabled globally and the port-security port-mode autolearn command is
configured on the port.
# Add 0001-0001-0001 as a security MAC address to Ethernet 1/0/1 in VLAN 1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] port-security enable
[5500] interface Ethernet1/0/1
[5500-Ethernet1/0/1] port-security max-mac-count 100
[5500-Ethernet1/0/1] port-security port-mode autolearn
[5500-Ethernet1/0/1] mac-address security 0001-0001-0001 vlan 1
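An added example, not part of the 3Com manual: a Python check that replays a captured CLI transcript and flags every mac-address security command issued before the two preconditions stated above were met. The transcript is constructed, and the function name and finding format are assumptions; the view is read from the prompt, as in the examples in this manual.

```python
import re

# [5500] is system view; [5500-Ethernet1/0/1] is Ethernet port view.
PROMPT_RE = re.compile(r"^\[(?P<host>[^\]-]+)(?:-(?P<port>[^\]]+))?\]\s*(?P<cmd>.+)$")

# Both documented forms: port view (no interface) and system view (with interface).
ADD_RE = re.compile(
    r"^mac-address security (?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
    r"(?: interface (?P<itype>[a-z]+) ?(?P<inum>\d+/\d+/\d+))?"
    r" vlan (?P<vlan>\d+)$",
    re.IGNORECASE,
)

NOT_ENABLED = "port security is not enabled globally"
NOT_AUTOLEARN = "port-security port-mode autolearn is not configured on the port"

# Constructed transcript (not captured from a real device).
SAMPLE_TRANSCRIPT = """\
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet1/0/2
[5500-Ethernet1/0/2] port-security port-mode autolearn
[5500-Ethernet1/0/2] mac-address security 0001-0001-0002 vlan 1
[5500-Ethernet1/0/2] quit
[5500] port-security enable
[5500] interface Ethernet1/0/1
[5500-Ethernet1/0/1] port-security max-mac-count 100
[5500-Ethernet1/0/1] port-security port-mode autolearn
[5500-Ethernet1/0/1] mac-address security 0001-0001-0001 vlan 1
[5500-Ethernet1/0/1] quit
[5500] mac-address security 0001-0001-0003 interface Ethernet 1/0/3 vlan 1
"""


def _key(port_name):
    """Normalise 'Ethernet 1/0/3' and 'ethernet1/0/3' to one comparison key."""
    return port_name.replace(" ", "").lower()


def audit_security_mac_commands(transcript):
    """Return (line_no, port, mac, reasons) for each premature command."""
    enabled = False      # has 'port-security enable' been issued in system view?
    autolearn = set()    # ports currently set to port-mode autolearn
    findings = []
    for line_no, raw in enumerate(transcript.splitlines(), start=1):
        prompt = PROMPT_RE.match(raw.strip())
        if prompt is None:
            continue     # user view lines (<5500>) and device output
        view_port = prompt.group("port")
        cmd = " ".join(prompt.group("cmd").split())
        low = cmd.lower()

        # Track the state the two preconditions depend on.
        if view_port is None:
            if low == "port-security enable":
                enabled = True
            elif low == "undo port-security enable":
                enabled = False
        elif low == "port-security port-mode autolearn":
            autolearn.add(_key(view_port))
        elif low.startswith(("port-security port-mode ",
                             "undo port-security port-mode")):
            autolearn.discard(_key(view_port))

        added = ADD_RE.match(cmd)
        if added is None:
            continue
        if added.group("itype"):
            target = added.group("itype") + added.group("inum")
        else:
            target = view_port
        if target is None:
            continue     # port-view form typed in system view: no port to check

        reasons = []
        if not enabled:
            reasons.append(NOT_ENABLED)
        if _key(target) not in autolearn:
            reasons.append(NOT_AUTOLEARN)
        if reasons:
            findings.append((line_no, target, added.group("mac"), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in audit_security_mac_commands(SAMPLE_TRANSCRIPT):
        print(finding)
```
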
port-security enable
Syntax
port-security enable
undo port-security enable
View
System view
Parameter
None
Description
Use the port-security enable command to enable port security.
Use the undo port-security enable command to disable port security.
CAUTION: Enabling port security resets the following configurations on the ports
to the defaults (as shown in parentheses below):
802.1x (disabled), port access control method (mac-based), and port access
control mode (auto)
port-security intrusion-mode
Syntax
View
Parameter
Description
By checking the source MAC addresses in inbound data frames or the username
and password in 802.1x authentication requests on a port, intrusion protection
detects illegal packets (packets with illegal MAC address) or events and takes a
pre-set action accordingly. The actions you can set include: disconnecting the port
temporarily/permanently and blocking packets with invalid MAC addresses.
The following cases can trigger intrusion protection on a port:
A packet with unknown source MAC address is received on the port while
MAC address learning is disabled on the port.
A packet with unknown source MAC address is received on the port while the
amount of security MAC addresses on the port has reached the preset
maximum number.
Examples
port-security authorization ignore
Syntax
View
Parameter
Description
By default, the port uses (does not ignore) the authorization information delivered
by the RADIUS server.
Examples
port-security max-mac-count
Syntax
View
Parameter
Description
Example
# Set the maximum number of MAC addresses allowed on the port to 100.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] port-security enable
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] port-security max-mac-count 100
port-security ntk-mode
Syntax
View
Parameter
Description
Use the port-security ntk-mode command to configure the NTK feature on the
port.
Use the undo port-security ntk-mode command to restore the default setting.
By default, NTK is disabled on a port, namely all frames are allowed to be sent.
Examples
By checking the destination MAC addresses of the data frames to be sent from a
port, the NTK feature ensures that only successfully authenticated devices can
obtain data frames from the port, thus preventing illegal devices from intercepting
network data.
# Set the NTK feature to ntk-withbroadcasts on Ethernet 1/0/1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] port-security enable
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] port-security ntk-mode ntk-withbroadcasts
port-security oui
Syntax
System view
OUI-value: OUI value. You can input a full MAC address (in hexadecimal format)
for this argument and the system will calculate the OUI value from your input.
Note that it must not be a multicast MAC address.
index-value: OUI index, ranging from 1 to 16.
Description
CAUTION:
The OUI value set by this command takes effect only when the security mode
of the port is set to userLoginWithOUI by the port-security port-mode
command.
You need only to input a full MAC address in hexadecimal format for the
OUI-value argument in this command. The system will automatically convert the
address from hexadecimal format to binary format and then take the higher 24
bits of the resulting binary data as the OUI value.
Related command: port-security port-mode.
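The OUI derivation described above, as an added Python example (not 3Com code): it parses a MAC address in the H-H-H form used in this manual, rejects multicast addresses, and keeps the higher 24 bits. The OuiTable class and its source-MAC comparison are hypothetical illustration, not the switch's implementation.

```python
import re

# MAC address notation used throughout this manual, e.g. 000f-e200-5102.
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")

# index-value ranges from 1 to 16, per the parameter description.
OUI_INDEX_RANGE = range(1, 17)


def mac_to_int(mac_text):
    """Convert an H-H-H MAC address to its 48-bit integer value."""
    if not MAC_RE.match(mac_text):
        raise ValueError("not a MAC address in H-H-H form: %r" % mac_text)
    return int(mac_text.replace("-", ""), 16)


def oui_from_mac(mac_text):
    """Return the higher 24 bits of the address as the OUI value.

    A multicast address (group bit, the least significant bit of the
    first octet, set) is rejected, as the parameter description requires.
    """
    mac = mac_to_int(mac_text)
    first_octet = mac >> 40
    if first_octet & 0x01:
        raise ValueError("multicast MAC address cannot supply an OUI value")
    return mac >> 24


class OuiTable:
    """Hypothetical model of the indexed OUI list (assumption, for illustration)."""

    def __init__(self):
        self._entries = {}

    def set(self, index, mac_text):
        """Store the OUI derived from a full MAC address at the given index."""
        if index not in OUI_INDEX_RANGE:
            raise ValueError("OUI index must be in the range 1 to 16")
        self._entries[index] = oui_from_mac(mac_text)

    def matching_index(self, source_mac):
        """Return the lowest index whose OUI equals the source MAC's OUI, or None."""
        source_oui = mac_to_int(source_mac) >> 24
        for index in sorted(self._entries):
            if self._entries[index] == source_oui:
                return index
        return None


if __name__ == "__main__":
    table = OuiTable()
    table.set(5, "000f-e200-5102")
    print("%06x" % oui_from_mac("000f-e200-5102"))
    print(table.matching_index("000f-e2ff-0001"))
```
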
Example
port-security port-mode
Syntax
View
Parameter
Description
Use the port-security port-mode command to set the security mode of the port.
Use the undo port-security port-mode command to restore the default mode.
By default, the port is in the noRestriction mode, namely access to the port is not
restricted.
Port security defines various security modes that allow devices to learn legal source
MAC addresses, in order for you to implement different network security
management as needed. With port security, packets whose source MAC addresses
cannot be learned by your switch in a security mode are considered illegal.
Examples
port-security timer disableport
Syntax
View
System view
Parameter
timer: This argument ranges from 20 to 300, in seconds.
Description
Use the port-security timer disableport command to set the time during which
the system temporarily disables a port.
Use the undo port-security timer disableport command to restore the default time.
By default, the system disables a port for 20 seconds.
Example
port-security trap
Syntax
View
Parameter
System view
addresslearned: Enables/disables sending MAC address learning trap messages.
dot1xlogfailure: Enables/disables sending 802.1x authentication failure trap
messages.
dot1xlogoff: Enables/disables sending 802.1x-authenticated user logoff trap
messages.
Description
This command is based on the Trap feature, which enables the switch to send trap
messages when special data packets (generated by illegal intrusion, abnormal user
logon/logoff, or other special activities) are passing through a port, so as to help
the network administrator to monitor special activities.
When you use the display port-security command to display global information,
the system will display which types of trap messages are allowed to send.
Related command: display port-security.
Example
PORT BINDING COMMANDS
am user-bind
Syntax
In system view:
am user-bind mac-addr mac-address ip-addr ip-address interface
interface-type interface-number
undo am user-bind mac-addr mac-address ip-addr ip-address interface
interface-type interface-number
In Ethernet port view:
am user-bind mac-addr mac-address ip-addr ip-address
undo am user-bind mac-addr mac-address ip-addr ip-address
View
Parameter
Description
Use the am user-bind command to bind the MAC address and IP address of a
user to a specified port.
Use the undo am user-bind command to cancel the binding.
After the binding, the switch forwards only the packets from the bound MAC
address and IP address when received on the port.
By default, no user MAC address or IP address is bound to a port.
Example
# In Ethernet port view, bind the MAC address 000f-e200-5102 and IP address
10.153.1.2 (supposing they are MAC and IP addresses of a legal user) to Ethernet
1/0/2.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet1/0/2
[5500-Ethernet1/0/2] am user-bind mac-addr 000f-e200-5102 ip-addr 10.153.1.2
# In Ethernet port view, bind the MAC address 000f-e200-5102 and IP address
10.153.1.2 (supposing they are MAC and IP addresses of a legal user) to
GigabitEthernet 1/0/2.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface GigabitEthernet1/0/2
[5500G-GigabitEthernet1/0/2] am user-bind mac-addr 000f-e200-5102 ip-addr 10.153.1.2
display am user-bind
Syntax
View
Parameter
Description
Examples
The above output displays that two port binding settings exist on unit 1:
display dldp
Syntax
View
Parameters
Description
Use the display dldp command to display the DLDP configuration of a unit or a
port.
Example
# Display information about all DLDP-enabled ports on unit 1.
<5500> display dldp 1
dldp interval 10
dldp work-mode enhance
dldp authentication-mode md5, cipher is none
dldp unidirectional-shutdown manual
dldp delaydown-timer 1
The port number of unit 1 with DLDP is 1.
interface GigabitEthernet1/1/1
dldp port state : advertisement
dldp link state : up
The neighbor number of the port is 1.
neighbor mac address : 000f-e20f-710d
neighbor port index : 372
neighbor state : two way
neighbor aged time : 12
Description
dldp interval
dldp work-mode
dldp authentication-mode
dldp unidirectional-shutdown
dldp delaydown-timer
interface GigabitEthernet1/1/1
neighbor state
dldp
Syntax
View
Parameters
None
Description
In system view,
Use the dldp enable command to enable DLDP on all the optical ports.
Use the dldp disable command to disable DLDP on all the optical ports.
In Ethernet port view,
Use the dldp enable command to enable DLDP for the current port.
Use the dldp disable command to disable DLDP for the current port.
This command applies to non-optical ports as well as optical ports.
By default, DLDP is disabled.
When you use the dldp enable/dldp disable command in system view to
enable/disable DLDP on all optical ports of the switch, the configuration takes
effect on the existing optical ports, but not on those added subsequently.
Example
# Enable DLDP on all the optical ports of the switch.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dldp enable
dldp authentication-mode
Syntax
View
System view
Parameters
none: Sets the authentication mode on the port to none (performs no
authentication).
simple: Sets the authentication mode on the port to plain text.
simple-password: Authentication password in plain text, a string of 1 to 16
characters.
md5: Sets the authentication mode on the port to MD5.
md5-password: MD5 authentication password, a string in plain text consisting of
1 to 16 characters or a string in cipher text corresponding to the string in plain
text.
Description
Example
# Set the DLDP authentication mode and password to plain text and abc on the
ports connected with a fiber cable or copper twisted pair between 3Com A and
3Com B.
Configure 3Com A
<5500A> system-view
System View: return to User View with Ctrl+Z.
[5500A] dldp authentication-mode simple abc
Configure 3Com B
<5500B> system-view
System View: return to User View with Ctrl+Z.
[5500B] dldp authentication-mode simple abc
dldp interval
Syntax
View
System view
Parameters
Description
Use the dldp interval command to set the interval between sending
advertisement packets for all DLDP-enabled ports in the advertisement state.
Use the undo dldp interval command to restore the interval to the default value.
By default, the interval between sending advertisement packets is 10 seconds.
Note that:
The interval must be shorter than one-third of the STP convergence time. If too
long an interval is set, an STP loop may occur before DLDP shuts down
unidirectional links. Conversely, if too short an interval is set, network
traffic increases, and port bandwidth is reduced. Generally, the STP
convergence time is 30 seconds.
Example
# Set the interval between sending advertisement packets to 20 seconds for all
DLDP-enabled ports in the advertisement state.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dldp interval 20
dldp reset
Syntax
dldp reset
View
System view, Ethernet port view
Parameters
None
Description
In system view:
Use the dldp reset command to reset the DLDP status of all the ports disabled by
DLDP.
In Ethernet port view:
Use the dldp reset command to reset the DLDP status of the current port disabled
by DLDP.
After the dldp reset command is executed, the DLDP status of a port changes
from disable to active and DLDP restarts to detect the link status of the fiber
cable or copper twisted pair.
Related command: dldp and dldp unidirectional-shutdown.
Example
dldp unidirectional-shutdown
Syntax
View
System view
Parameters
auto: Automatically disables the corresponding port when DLDP detects a
unidirectional link or finds in the enhanced mode that the peer port is down.
manual: Prompts the user to manually disable the corresponding port when DLDP
detects a unidirectional link or finds in the enhanced mode that the peer port is
down. After the port is disabled, it stops sending and receiving DLDP packets.
Description
Example
dldp work-mode
Syntax
View
System view
Parameters
enhance: Configures DLDP to work in enhanced mode. In this mode, DLDP
detects whether neighbors exist when neighbor tables are aging.
normal: Configures DLDP to work in normal mode. In this mode, DLDP does not
detect whether neighbors exist when neighbor tables are aging.
Description
Use the dldp work-mode command to set the DLDP operating mode.
Use the undo dldp work-mode command to restore the default DLDP operating
mode.
By default, DLDP works in normal mode.
When DLDP works in normal mode, the system can identify only the
unidirectional links caused by fiber cross-connection.
When the DLDP protocol works in enhanced mode, the system can identify
two types of unidirectional links: one is caused by fiber cross-connection and
the other is caused by one fiber not being connected or being disconnected.
Example
dldp delaydown-timer
Syntax
View
System view
Parameter
delaydown-time: Delaydown timer to be set (in seconds). This argument ranges
from 1 to 5.
Description
Use the dldp delaydown-timer command to set the delaydown timer.
Use the undo dldp delaydown-timer command to restore the default
delaydown timer setting.
19
This chapter describes the management of static, dynamic, and blackhole MAC
address entries. For information about the management of multicast MAC address
entries, refer to Common Multicast Configuration Commands on page 471.
display mac-address aging-time
Syntax
View
Parameters
None
Description
Use the display mac-address aging-time command to display the aging time of
the dynamic MAC address entries in the MAC address table.
Related command: mac-address, mac-address timer, display mac-address.
Example
The output information indicates that the aging time of the dynamic MAC address
entries is 300 seconds.
<5500> display mac-address aging-time
Mac address aging time: no-aging
The output information indicates that dynamic MAC address entries do not age
out.
display mac-address
Syntax
View
Parameter
Description
count
statistics
Examples
# Display the MAC address entries for the port Ethernet 1/0/4.
<5500> display mac-address 000f-e20f-0101
MAC ADDR        VLAN ID  STATE    PORT INDEX     AGING TIME(s)
000f-e20f-0101  1        Learned  Ethernet1/0/1  AGING
# Display the MAC address entries for the port GigabitEthernet 1/0/4.
<5500G> display mac-address interface GigabitEthernet 1/0/4
Unit 1
MAC ADDR        VLAN ID  STATE    PORT INDEX            AGING TIME(s)
000d-88f6-44ba  1        Learned  GigabitEthernet1/0/4  AGING
000d-88f7-9f7d  1        Learned  GigabitEthernet1/0/4  AGING
000f-e200-00cc  1        Learned  GigabitEthernet1/0/4  AGING
000f-e200-2201  1        Learned  GigabitEthernet1/0/4  AGING
000f-e207-f2e0  1        Learned  GigabitEthernet1/0/4  AGING
000f-e209-ecf9  1        Learned  GigabitEthernet1/0/4  AGING
--- 7 mac address(es) found on port GigabitEthernet1/0/4 ---
Description
MAC ADDR
MAC address
VLAN ID
STATE
The state of the MAC address. The value of this field can be
Static, Learned, and so on.
PORT INDEX
AGING TIME(s)
display port-mac
Syntax
display port-mac
View
Any view
Parameters
None
Description
Use the display port-mac command to display the configured start MAC address
of Ethernet ports on a local device.
Related commands: port-mac
Example
# Display the configured start MAC address of Ethernet ports on a local device.
<5500> display port-mac
Port MAC start address : 000f-e200-0001
mac-address
Syntax
In system view:
Description
{ static | dynamic | blackhole } Removes the static, dynamic, or blackhole MAC address
entries concerning a specified port.
interface interface-type
interface-number
{ static | dynamic | blackhole } Removes the static, dynamic, or blackhole MAC address
vlan vlan-id
entries concerning a specified VLAN.
{ static | dynamic | blackhole } Removes a specified static, dynamic, or blackhole MAC
mac-address [ interface
address entry.
interface-type interface-number
] vlan vlan-id
interface interface-type
interface-number
vlan vlan-id
mac-address [ interface
Removes a specified MAC address entry.
interface-type interface-number
] vlan vlan-id
Description
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] mac-address static 000f-e20f-0101 interface Ethernet 1/0/1 vlan 2
mac-address aging destination-hit enable
Syntax
View
System view
Parameters
None
Description
Examples
mac-address max-mac-count
Syntax
View
Parameter
Description
to cancel this limit so that the port can learn MAC addresses without the number
limitation. By default, no number limitation is set to the port for MAC address
learning.
Related command: mac-address, mac-address timer.
Example
# Set the maximum number of MAC addresses Ethernet 1/0/3 port can learn to
600.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/3
[5500-Ethernet1/0/3] mac-address max-mac-count 600
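To choose a value for mac-address max-mac-count, or to spot a port that is learning far more addresses than expected, the display mac-address output can be tallied per port. The following is an added example, not part of the 3Com documentation; the sample table is constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the column layout of `display mac-address`
# (MAC ADDR, VLAN ID, STATE, PORT INDEX, AGING TIME(s)); not captured
# from a real switch.
SAMPLE_OUTPUT = """\
Unit 1
MAC ADDR        VLAN ID  STATE    PORT INDEX            AGING TIME(s)
000f-e200-00a1  1        Learned  Ethernet1/0/3         AGING
000f-e200-00a2  1        Learned  Ethernet1/0/3         AGING
000f-e200-00a3  1        Learned  Ethernet1/0/3         AGING
000f-e200-00b1  2        Learned  Ethernet1/0/1         AGING
000f-e200-00c1  1        Learned  GigabitEthernet1/1/1  AGING
--- 5 mac address(es) found ---
"""

# One table row: MAC in xxxx-xxxx-xxxx form, VLAN ID, state, port, aging field.
ROW = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<vlan>\d+)\s+"
    r"(?P<state>.+?)\s+"
    r"(?P<port>\S*Ethernet\d+/\d+/\d+)\s+"
    r"(?P<aging>\S+)$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return one dict per table row; headers, unit lines and footers are skipped."""
    entries = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["vlan"] = int(entry["vlan"])
            entries.append(entry)
    return entries


def learned_per_port(text, state="Learned"):
    """Count entries in the given state for each port."""
    return Counter(e["port"] for e in parse_mac_table(text) if e["state"] == state)


def ports_over_limit(text, limit):
    """Return {port: count} for ports holding more learned entries than limit.

    `limit` plays the role of the value given to mac-address max-mac-count.
    """
    return {port: n for port, n in learned_per_port(text).items() if n > limit}


if __name__ == "__main__":
    for port, count in sorted(learned_per_port(SAMPLE_OUTPUT).items()):
        print(f"{port}: {count} learned address(es)")
    print("over limit of 2:", ports_over_limit(SAMPLE_OUTPUT, 2))
```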
mac-address timer
Syntax
View
System view
Parameters
aging age: Specifies the aging time (in seconds) for dynamic MAC address entries.
The age argument ranges from 10 to 1000000.
no-aging: Specifies not to age dynamic MAC address entries.
Description
Use the mac-address timer command to set the aging time for dynamic MAC
address entries.
Use the undo mac-address timer command to restore the default.
By default, the aging time of dynamic MAC address entries is 300 seconds.
Set the aging time of dynamic MAC address entries as required but ensure that
the aging time does not decrease the layer 2 packet forwarding performance of
the switch.
If the aging time is too short, the MAC address entries that are still valid may be
removed. Upon receiving a packet destined for a MAC address that has already been
removed, the switch broadcasts the packet through all its ports in the VLAN
which the packet belongs to. This decreases the operating performance of the
switch.
If the aging time is too long, MAC address entries may still exist even after they
become invalid. This causes the switch to be unable to update its MAC address
table in time. In this case, the MAC address table cannot reflect the position
changes of network devices in time.
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] mac-address timer aging 500
port-mac
Syntax
port-mac start-mac-address
undo port-mac
View
System view
Parameter
Description
Use the port-mac command to configure the start MAC address of Ethernet ports
on a local device, that is, the MAC address of port Ethernet 1/0/1.
Use the undo port-mac command to remove the configuration.
Example
20
detect-group
Syntax
detect-group group-number
undo detect-group group-number
View
System view
Parameter
group-number: Detected group number ranging from 1 to 25 for the Switch 5500
and 1 to 50 for the Switch 5500G.
Description
Use the detect-group command to create a detected group and enter detected
group view.
Use the undo detect-group command to remove a detected group.
Example
detect-list
Syntax
View
Parameters
Description
Example
# Add the IP address of 202.13.1.55 to detected group 10, with list-number set to
1, the next hop IP address set to 1.2.3.4.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] detect-group 10
[5500-detect-group-10] detect-list 1 ip address 202.13.1.55 nexthop 1.2.3.4
display detect-group
Syntax
View
Parameter
Description
Example
Description
detect-group 1
detect ip count
detect-list
ip address
IP address to be detected
next hop
ip route-static detect-group
Syntax
View
System view
Parameters
ip-address: IP address in dotted decimal notation.
mask: Subnet mask.
mask-length: Length of the subnet mask, that is, the number of successive bits in
the subnet mask whose values are 1.
interface-type: Interface type.
interface-number: Interface number.
next-hop: Next hop IP address in dotted decimal notation.
preference-value: Priority of the route. This argument ranges from 1 to 255.
reject: Specifies the route to be unreachable. If you specify this keyword when
executing this command, any packet destined for the specified IP address is
discarded, and the system informs the source that the destination is unreachable.
blackhole: Specifies the route to be a blackhole route. If you specify this keyword
when executing this command, all outbound interfaces of the static route are the
NULL 0 interfaces regardless of the next hop. In addition, the system discards any
packet transmitted along this route without informing the source.
group-number: Detected group number ranging from 1 to 25 for the Switch 5500
and 1 to 50 for the Switch 5500G.
Description
option
Syntax
option [ and | or ]
undo option
View
Parameters
Description
Use the option command to specify the way to generate detecting results.
Use the undo option command to restore the default way to generate detecting
results.
By default, the and keyword is specified.
When a detecting operation is being carried out, the switch detects each IP
address contained in the detected group in turn, in order of sequence number.
If you specify the and keyword, the switch returns unreachable as the
detecting result when the switch fails to reach one IP address contained in the
detected group and stops detecting.
If you specify the or keyword, the switch returns reachable as the detecting
result if the switch succeeds in reaching one IP address contained in the detected
group and stops detecting.
Example
retry
Syntax
retry retry-times
undo retry
View
Parameter
Description
Example
standby detect-group
Syntax
View
Parameter
group-number: Detected group number ranging from 1 to 25 for the Switch 5500
and 1 to 50 for the Switch 5500G.
Description
Use the standby detect-group command to enable the VLAN interface backup
function by using the auto detect function.
Use the undo standby detect-group command to disable the VLAN interface
backup function.
You can enable the VLAN interface backup function according to auto detecting
results in the following ways:
When the link between the active VLAN interface and the destination resumes,
that is, the detected group is reachable again, the system shuts down the
standby.
Example
timer loop
Syntax
View
Parameter
seconds: Detecting interval. This argument ranges from 1 to 86,400 (in seconds)
and defaults to 15.
Description
Use the timer loop command to set the detecting interval, that is, the frequency
to perform auto detect operations.
Use the undo timer loop command to restore the default.
By default, auto detect operations are performed on all detected groups every 15
seconds.
Example
timer wait
Syntax
View
Parameter
seconds: Timeout waiting for an ICMP reply. This argument ranges from 1 to 30
(in seconds) and defaults to 2.
Description
Use the timer wait command to set a timeout waiting for an ICMP reply.
Use the undo timer wait command to restore the default.
By default, timeout waiting for an ICMP reply in an auto detect operation is 2
seconds.
Example
# Set a timeout of 3 seconds waiting for an ICMP reply in detected group 10.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] detect-group 10
[5500-detect-group-10] timer wait 3
View
Parameters
Description
Use the vrrp vrid track detect-group command to specify an auto detected
group for a VRRP group.
Use the undo vrrp vrid track detect-group command to cancel the
configuration.
To enable Auto Detect on the master switch in a VRRP group, use the Auto Detect
function to detect the routes from the master switch to other networks, and use
the detection results (reachable or unreachable) to control the priority of the
master switch, so as to realize the automatic master-backup switchover:
The master switch remains the master when the detected group is reachable.
The priority of the master switch decreases, and the switch thus becomes a
backup, when the detected group is unreachable.
Example
21
active region-configuration
Syntax
active region-configuration
View
MST region view
Parameters
None
Description
Example
bpdu-drop any
Syntax
bpdu-drop any
undo bpdu-drop any
View
Parameters
None
Description
Use the bpdu-drop any command to enable BPDU dropping on the Ethernet
port.
Use the undo bpdu-drop any command to disable BPDU dropping on the
Ethernet port.
By default, BPDU dropping is disabled.
Bridge Protocol Data Unit (BPDU) packets are used to exchange Spanning Tree
information. When a switch receives BPDU packets, it updates its own Spanning
Tree information and forwards the BPDU packets on to other switches. It can also
send its own BPDU packets to inform other switches of topology changes. If
many incoming BPDU packets are being processed by the switch CPU, the CPU
becomes busy. In an STP-enabled network, malicious users may try to exploit this
and send BPDU packets to the switch continuously in order to attack the network,
trying to overburden the CPU of the switch or cause errors in the protocol state of
the BPDU packets.
In order to avoid this problem, you can enable BPDU dropping on Ethernet ports.
This sets up an ingress filter that blocks BPDU packets coming into the switch. In
this way, the switch is protected against the BPDU packet attacks. It continues to
send its own BPDU packets.
Example
check region-configuration
Syntax
check region-configuration
View
MST region view
Parameters
None
Description
Vlans Mapped
1 to 9, 11 to 4094
10
Description
Format selector
Region name
Revision level
display stp
Syntax
View
Parameters
Description
Use the display stp command to display the state and statistical information
about one or all spanning trees.
The state and statistical information about MSTP can be used to analyze and
maintain the topology of a network. It can also be used to make MSTP operate
properly.
If neither MSTI nor port list is specified, the command displays spanning tree
information about all MSTIs on all ports in the order of port number.
If only one MSTI is specified, the command displays information about the
specified MSTI on all ports in the order of the port number.
If only a port list is specified, the command displays information about all MSTIs
on these ports in the order of the port numbers.
If both an MSTI ID list and a port list are specified, the command displays
spanning tree information about the specified MSTIs and the specified ports in
the order of MSTI ID.
# Display the state information about MSTI 0 on Ethernet 1/0/1 through Ethernet
1/0/4.
<5500> display stp instance 0 interface Ethernet 1/0/1 to Ethernet 1/0/4 brief
MSTID  Port           Role  STP State   Protection
0      Ethernet1/0/1  ALTE  DISCARDING  LOOP
0      Ethernet1/0/2  DESI  FORWARDING  NONE
0      Ethernet1/0/3  DESI  FORWARDING  NONE
0      Ethernet1/0/4  DESI  FORWARDING  NONE
Description
MSTID
Port
Role
Port role
STP State
Protection
display stp abnormalport
Syntax
View
Parameters
None
Description
Use the display stp abnormalport command to display the ports that are
blocked by STP guard functions.
Example
Block Reason
------------Root-Protection
Loop-Protection
Description
MSTID
Port
Port number
Block Reason
Parameters
None
Description
Use the display stp portdown command to display the ports that are shut down
by STP guard functions.
Example
# Display the ports that are shut down by STP guard functions.
<5500> display stp portdown
Port                  Down Reason
--------------------- -----------
Ethernet1/0/20        BPDU-Protection
Description
Port
Port number
Down Reason
display stp region-configuration
Syntax
View
Parameters
None
Description
Example
region-configuration
:0
:hello
:0
Vlans Mapped
21 to 4094
1 to 10
11 to 20
Description
Format selector
Region name
Revision level
View
Any view
Parameters
None
Description
Use the display stp root command to display information about the root ports in
the MSTP region where the switch resides.
Example
# Display information about the root ports in the MSTP region where the switch
resides.
<5500> display stp root
MSTID    Root Bridge ID       ExtPathCost IntPathCost   Root Port
-------- -------------------- ----------- ------------- ----------
0        32768.00e0-fc53-d908 0           200           Ethernet1/0/18
Description
MSTID
Root Bridge ID
ExtPathCost
Cost of the external path from the switch to the root bridge
IntPathCost
Cost of the internal path from the switch to the root bridge
Root Port
Root port
instance
Syntax
View
Parameters
Description
Note that a VLAN cannot be mapped to multiple MSTIs at the same time. A
VLAN-to-MSTI mapping is automatically removed if you map the VLAN to another
MSTI.
Related command: region-name, revision-level, vlan-mapping modulo,
check region-configuration, and active region-configuration.
Example
region-name
Syntax
region-name name
undo region-name
View
Parameter
Description
Example
reset stp
Syntax
View
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by
providing this argument in the form of interface-list = { interface-type
interface-number [ to interface-type interface-number ] } &<1-10>, where
&<1-10> means that you can provide up to 10 port indexes/port index ranges for
this argument.
Description
Use the reset stp command to clear spanning tree statistics.
The spanning tree statistics include the numbers of TCN BPDUs, configuration
BPDUs, RST BPDUs, and MST BPDUs sent/received through one or more specified
ports or all ports (note that BPDUs and TCN BPDUs are counted only for CISTs).
This command clears the spanning tree statistics on specified ports if you specify
the interface-list argument. If you do not specify the interface-list argument, this
command clears the spanning tree statistics on all ports.
Related command: display stp.
Example
# Clear the spanning tree statistics on Ethernet 1/0/1 through Ethernet 1/0/3.
<5500> reset stp interface Ethernet 1/0/1 to Ethernet 1/0/3
revision-level
Syntax
revision-level level
undo revision-level
View
Parameter
Description
Example
stp
Syntax
View
Parameters
Description
Example
stp bpdu-protection
Syntax
stp bpdu-protection
undo stp bpdu-protection
View
System view
Parameters
None
Description
Use the stp bpdu-protection command to enable the BPDU guard function on
the switch.
Use the undo stp bpdu-protection command to restore to the default state of
the BPDU guard function.
By default, the BPDU guard function is disabled.
Normally, the access ports of the devices operating on the access layer are directly
connected to terminals (such as PCs) or file servers. These ports are usually
configured as edge ports to implement rapid transition. But they automatically
revert to non-edge ports upon receiving configuration BPDUs, which causes spanning
tree recalculation and network topology jitter.
Normally, no configuration BPDU will reach edge ports. But malicious users can
attack a network by sending configuration BPDUs deliberately to edge ports to
cause network jitter. You can prevent such attacks by enabling the BPDU guard
function. With this function enabled on a switch, the switch shuts down the edge
ports that receive configuration BPDUs and then reports these cases to the
administrator. If an edge port is shut down, only the administrator can restore it.
CAUTION: As Gigabit ports of the Switch 5500 cannot be shut down, the BPDU
guard function is not applicable to these ports even if you enable the BPDU guard
function and specify these ports to be MSTP edge ports.
Example
stp bridge-diameter
Syntax
View
System view
Parameter
bridgenum: Network diameter to be set for a switched network. This argument
ranges from 2 to 7.
Description
Use the stp bridge-diameter command to set the network diameter of a
switched network. The network diameter of a switched network is represented by
the maximum possible number of switches between any two terminal devices in a
switched network.
Use the undo stp bridge-diameter command to restore the network diameter to
the default value.
By default, the network diameter is 7.
After you configure the network diameter of a switched network, MSTP adjusts its
hello time, forward delay, and max age settings accordingly. With the network
diameter set to the default value 7, the three time-related settings, including hello
time, forward delay, and max age, are set to their default values as well.
The stp bridge-diameter command only applies to CIST. It is invalid for MSTIs.
Related command: stp timer forward-delay, stp timer hello, and stp timer
max-age.
Example
stp compliance
Syntax
View
Parameters
Description
Use the stp compliance command to set the mode in which a port recognizes
and sends MSTP packets.
Use the undo stp compliance command to restore the default.
By default, a port recognizes and sends MSTP packets in the automatic mode.
A port can be configured to recognize and send MSTP packets in the following
modes.
Automatic mode. Ports in this mode determine the format of the MSTP packets
to be sent according to the format of the received packets.
If the format of the received packets changes repeatedly, MSTP will shut down
the corresponding port to prevent a network storm. A port shut down in this
way can only be brought up again by the network administrator.
Legacy mode. The port only recognizes and sends MSTP packets in legacy format.
In this case, the port can only communicate with the peer through packets in
legacy format.
If packets in dot1s format are received, the port turns to discarding state to
prevent a network storm.
Dot1s mode. The port only recognizes and sends MSTP packets in dot1s format.
In this case, the port can only communicate with the peer through packets in
dot1s format.
If packets in legacy format are received, the port turns to discarding state to
prevent a network storm.
Example
# Configure Ethernet 1/0/1 to recognize and send MSTP packets in dot1s format.
<5500> system-view
Enter system view, return to user view with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] stp compliance dot1s
# Restore the default mode in which a port recognizes and sends MSTP packets.
[5500-Ethernet1/0/1] undo stp compliance
stp config-digest-snooping
Syntax
stp config-digest-snooping
undo stp config-digest-snooping
View
Parameters
None
Description
When the digest snooping feature is enabled on a port, the port turns to the
discarding state. That is, the port stops sending BPDU packets. The port is not
involved in the STP calculation until it receives BPDU packets from the peer port.
The digest snooping feature is needed only when your switch is connected to
another manufacturer's switches adopting proprietary spanning tree protocols.
To enable the digest snooping feature successfully, you must first enable it on all
the switch ports that connect to another manufacturer's switches adopting
proprietary spanning tree protocols and then enable it globally.
To enable the digest snooping feature, the interconnected switches and another
manufacturer's switch adopting proprietary spanning tree protocols must be
configured with exactly the same MST region-related configurations (including
region name, revision level, and VLAN-to-MSTI mapping).
The digest snooping feature must be enabled on all the switch ports that connect
to another manufacturer's switches adopting proprietary spanning tree protocols
in the same MST region.
When the digest snooping feature is enabled globally, the VLAN-to-MSTI mapping
table cannot be modified.
The digest snooping feature is not applicable to boundary ports in an MST region.
The digest snooping function is not applicable to edge ports in an MST region.
Example
stp cost
Syntax
View
Parameters
Description
With the IEEE 802.1D-1998 standard selected, the path cost of an Ethernet
port ranges from 1 to 65535.
With the IEEE 802.1t standard selected, the path cost of an Ethernet port
ranges from 1 to 200,000,000.
With the proprietary standard selected, the path cost of an Ethernet port
ranges from 1 to 200,000.
Use the stp cost command to set the path cost of the current port in a specified
MSTI.
Use the undo stp cost command to restore the default path cost of the current
port in the specified MSTI.
By default, a switch automatically calculates the path costs of a port in different
MSTIs based on a specified standard.
If you specify the instance-id argument to be 0 or do not specify this argument,
the stp cost command sets the path cost of the port in CIST.
The path cost of a port affects its port role. By configuring different path costs for
the same port in different MSTIs, you can make flows of different VLANs travel
along different physical links, so as to achieve VLAN-based load balancing.
Changing the path cost of a port in an MSTI may change the role of the port in the
instance and put it in state transition.
Related command: stp interface cost.
Example
stp dot1d-trap
Syntax
View
System view
Parameters
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to CIST. With this
argument specified, the trap messages sent are only of the MSTI identified by this
argument.
newroot: Sends trap messages conforming to 802.1d standard to the network
management device when the switch becomes the root bridge of an instance.
topologychange: Sends trap messages conforming to 802.1d standard to the
network management device when the switch detects network topology changes.
Description
Use the stp dot1d-trap command to enable a switch to send trap
messages conforming to 802.1d standard when MSTP network topology changes.
Use the undo stp dot1d-trap command to disable this function.
A switch sends trap messages conforming to 802.1d standard to the network
management device when:
Example
stp edged-port
Syntax
View
Parameters
Description
Use the stp edged-port enable command to configure the current Ethernet port
as an edge port.
Use the stp edged-port disable command to configure the current Ethernet port
as a non-edge port.
Use the undo stp edged-port command to restore the current Ethernet port to
its default state.
By default, all Ethernet ports of a switch are non-edge ports.
An edge port is a port that is directly connected to a user terminal instead of
another switch or shared network segment. Rapid transition to the forwarding
state is applied to edge ports because on these ports no loops can be incurred by
network topology changes. You can enable a port to turn to the forwarding state
rapidly by setting it to an edge port. It is recommended that you configure the
Ethernet ports directly connected to user terminals as edge ports so that they
turn to the forwarding state rapidly.
Normally, configuration BPDUs cannot reach an edge port because the port is not
connected to another switch. But when the BPDU guard function is disabled on an
edge port, configuration BPDUs sent deliberately by a malicious user may reach
the port. If an edge port receives a BPDU, it turns to a non-edge port.
Related command: stp interface edged-port.
CAUTION: With the loop guard function enabled, the root guard function and
the edge port configuration are mutually exclusive.
Example
# Configure Ethernet 1/0/1 as a non-edge port.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] stp edged-port disable
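The stp bpdu-protection and stp edged-port descriptions together imply a configuration check: an edge port is exposed to deliberately sent configuration BPDUs unless BPDU guard is enabled or the port drops incoming BPDUs with bpdu-drop any. The following is an added example, not part of the 3Com documentation; the configuration listing is constructed, its layout ("#" between sections, indented commands under each interface) is an assumption, and the function names are hypothetical.

```python
import re

# Constructed configuration listing, not taken from a real device. The layout
# ("#" separators, commands indented under "interface ...") is an assumption.
SAMPLE_CONFIG = """\
#
 sysname 5500
#
interface Ethernet1/0/1
 stp edged-port enable
#
interface Ethernet1/0/2
 stp edged-port enable
 bpdu-drop any
#
interface Ethernet1/0/3
#
interface GigabitEthernet1/1/1
 stp edged-port enable
#
"""

NO_GUARD = "edge port without stp bpdu-protection or bpdu-drop any"
GIGABIT_5500 = "BPDU guard is not applicable to Gigabit ports of the Switch 5500"


def parse_config(text):
    """Split a listing into system-view commands and per-interface commands."""
    global_cmds, ports, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None          # a separator ends the current section
            continue
        header = re.match(r"interface\s+(\S+)$", line)
        if header and not raw[:1].isspace():
            current = header.group(1)
            ports[current] = []
        elif current is not None and raw[:1].isspace():
            ports[current].append(line)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, ports


def audit_edge_ports(text, model="5500"):
    """Return (port, reason) for edge ports that can still receive BPDUs."""
    global_cmds, ports = parse_config(text)
    guard_enabled = "stp bpdu-protection" in global_cmds
    findings = []
    for name, cmds in ports.items():
        if "stp edged-port enable" not in cmds:
            continue                # not an edge port
        if "bpdu-drop any" in cmds:
            continue                # ingress filter blocks incoming BPDUs
        if not guard_enabled:
            findings.append((name, NO_GUARD))
        elif model == "5500" and name.startswith("GigabitEthernet"):
            # Per the CAUTION: these ports cannot be shut down by BPDU guard.
            findings.append((name, GIGABIT_5500))
    return findings


if __name__ == "__main__":
    for port, reason in audit_edge_ports(SAMPLE_CONFIG):
        print(f"{port}: {reason}")
```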
stp interface
Syntax
View
Parameters
Description
Use the stp interface command to enable or disable MSTP on specified ports in
system view.
By default, MSTP is enabled on the ports of a switch if MSTP is globally enabled on
the switch, and MSTP is disabled on the ports if MSTP is globally disabled.
An MSTP-disabled port does not participate in any spanning tree calculation and is
always in the forwarding state.
Example
stp interface config-digest-snooping
Syntax
View
System view
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by
providing this argument in the format of interface-list = { interface-type
interface-number [ to interface-type interface-number ] } &<1-10>, where
&<1-10> means that you can provide up to 10 port indexes/port index ranges for
this argument.
Description
Use the stp interface config-digest-snooping command to enable the digest
snooping feature on specific ports.
Use the undo stp interface config-digest-snooping command to disable the
digest snooping feature on specific ports.
By default, the digest snooping feature is disabled on a port.
According to IEEE 802.1s, two interconnected MSTP switches can work with each
other through MSTIs in an MST region only when the two switches have the same
MST region-related configuration. Interconnected MSTP switches determine
whether or not they are in the same MST region by checking the configuration IDs
of the BPDUs between them. (A configuration ID contains information such as
region ID and configuration digest.)
Because some other manufacturers' switches adopt proprietary spanning tree
protocols, they cannot work with other switches in an MST region even if they are
configured with the same MST region-related settings as other switches in the
MST region.
This kind of problem can be overcome by implementing the digest snooping
feature. If a switch port is connected to another manufacturer's switch that has
the same MST region-related settings but adopts a proprietary spanning tree
protocol, you can enable the digest snooping feature on the port when it receives
BPDU packets from the other manufacturer's switch. Then the switch considers
these BPDU packets to be from its own MST region and records the configuration
digests carried in the BPDU packets received from that switch, which will be put in
the BPDU packets to be sent to the other manufacturer's switch. In this way, the
switch can work with other manufacturers' switches in an MST region.
When the digest snooping feature is enabled on a port, the port turns to the
discarding state. That is, the port stops sending BPDU packets. The port is not
involved in the STP calculation until it receives BPDU packets from the peer port.
The digest snooping feature is needed only when your switch is connected to
other manufacturers' switches adopting proprietary spanning tree protocols.
To enable the digest snooping feature successfully, you must first enable it on all
the switch ports that connect to other manufacturers' switches adopting
proprietary spanning tree protocols and then enable it globally.
To enable the digest snooping feature, the interconnected switches and the other
manufacturer's switch adopting proprietary spanning tree protocols must be
configured with exactly the same MST region-related configurations (including
region name, revision level, and VLAN-to-MSTI mapping).
The digest snooping feature must be enabled on all the switch ports that connect
to other manufacturers' switches adopting proprietary spanning tree protocols
in the same MST region.
When the digest snooping feature is enabled globally, the VLAN-to-MSTI mapping
table cannot be modified.
The digest snooping feature is not applicable to boundary ports in an MST region.
The digest snooping function is not applicable to edge ports in an MST region.
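An added example, not from the 3Com manual: a Python check that builds the IEEE 802.1s configuration ID (format selector, region name, revision level, configuration digest) for each switch and reports which MST region setting differs. The HMAC-MD5 key and the 4096-entry table layout come from IEEE 802.1s rather than this page, and the switch settings are constructed sample values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Signature key that IEEE 802.1s fixes for the configuration digest (HMAC-MD5).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
MAX_MSTI_ID = 16  # MSTI ID range given on this page: 0 to 16, where 0 is the CIST


@dataclass
class MstRegionConfig:
    """MST region-related settings of one switch."""
    region_name: str
    revision_level: int
    # VLAN ID -> MSTI ID; VLANs that are not listed stay mapped to the CIST (0).
    vlan_to_msti: dict = field(default_factory=dict)

    def mapping_table(self) -> bytes:
        # 4096 two-octet big-endian entries indexed by VLAN ID.
        # Entries 0 and 4095 are not valid VLANs and stay zero.
        table = bytearray(4096 * 2)
        for vlan, msti in self.vlan_to_msti.items():
            if not 1 <= vlan <= 4094:
                raise ValueError(f"VLAN {vlan} is outside 1-4094")
            if not 0 <= msti <= MAX_MSTI_ID:
                raise ValueError(f"MSTI {msti} is outside 0-{MAX_MSTI_ID}")
            struct.pack_into(">H", table, vlan * 2, msti)
        return bytes(table)

    def configuration_digest(self) -> bytes:
        """16-octet digest of the VLAN-to-MSTI mapping table."""
        return hmac.new(MST_DIGEST_KEY, self.mapping_table(), hashlib.md5).digest()

    def configuration_id(self) -> bytes:
        """51-octet configuration ID as carried in MSTP BPDUs."""
        name = self.region_name.encode("ascii")
        if len(name) > 32:
            raise ValueError("region name is longer than 32 octets")
        if not 0 <= self.revision_level <= 0xFFFF:
            raise ValueError("revision level does not fit in two octets")
        # format selector (1) + name, NUL padded (32) + revision level (2) + digest (16)
        header = struct.pack(">B32sH", 0, name, self.revision_level)
        return header + self.configuration_digest()


def region_mismatches(a: MstRegionConfig, b: MstRegionConfig) -> list:
    """Name the configuration ID fields on which two switches disagree."""
    diffs = []
    if a.region_name != b.region_name:
        diffs.append("region name")
    if a.revision_level != b.revision_level:
        diffs.append("revision level")
    if a.configuration_digest() != b.configuration_digest():
        diffs.append("VLAN-to-MSTI mapping (configuration digest)")
    return diffs


if __name__ == "__main__":
    # Constructed sample settings for three interconnected switches.
    core = MstRegionConfig("campus", 1, {10: 1, 20: 1, 30: 2})
    access = MstRegionConfig("campus", 1, {30: 2, 20: 1, 10: 1})
    other = MstRegionConfig("campus", 1, {10: 1, 20: 2, 30: 2})
    for label, peer in (("access", access), ("other", other)):
        diffs = region_mismatches(core, peer)
        print(label, peer.configuration_digest().hex(), diffs or "same MST region")
```

Two switches belong to the same MST region only when `region_mismatches` returns an empty list, which is the precondition this section sets before digest snooping is enabled.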
Example
View
System view
Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by
providing this argument in the form of interface-list = { interface-type
interface-number [ to interface-type interface-number ] } &<1-10>, where
&<1-10> means that you can provide up to 10 port indexes/port index ranges for
this argument.
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
cost: Path cost to be set for the port. The range of the cost argument varies with
the standard used for calculating the default path cost of a port as follows:
With the IEEE 802.1D-1998 standard selected, the path cost of an Ethernet
port ranges from 1 to 65535.
With the IEEE 802.1t standard selected, the path cost of an Ethernet port
ranges from 1 to 200000000.
With the proprietary standard selected, the path cost of an Ethernet port
ranges from 1 to 200000.
Description
Use the stp interface cost command to set the path cost(s) of the specified
port(s) in a specified MSTI in system view.
Use the undo stp interface cost command to restore the default value of the
path cost(s) of the specified port(s) in the specified MSTI in system view.
By default, a switch automatically calculates the path costs of a port in different
MSTIs based on a specified standard.
If you specify the instance-id argument to be 0 or do not specify this argument,
the stp interface cost command sets the path cost(s) of the specified port(s) in
the CIST.
The path cost of a port affects its port role. By configuring different path costs for
the same port in different MSTIs, you can make flows of different VLANs travel
along different physical links, so as to achieve VLAN-based load balancing.
Changing the path cost of a port in an MSTI may change the role of the port in the
instance and put it in state transition.
The default port path cost varies with port speed. Refer to Table 43 for details.
Related command: stp cost.
Example
stp interface edged-port
Syntax
View
System view
Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by
providing this argument in the form of interface-list = { interface-type
interface-number [ to interface-type interface-number ] } &<1-10>, where
&<1-10> means that you can provide up to 10 port indexes/port index ranges for
this argument.
enable: Configures the specified Ethernet port to be an edge port.
disable: Configures the specified Ethernet port to be a non-edge port.
Description
Use the stp interface edged-port enable command to configure the specified
Ethernet ports as edge ports in system view.
Use the stp interface edged-port disable command to configure the specified
Ethernet ports as non-edge ports in system view.
Use the undo stp interface edged-port command to restore the specified
Ethernet ports to the default state.
By default, all Ethernet ports of a switch are non-edge ports.
An edge port is a port that is directly connected to a user terminal instead of
another switch or a network segment. Rapid transition to the forwarding state is
applied to edge ports because on these ports no loops can be incurred by network
topology changes. You can enable a port to turn to the forwarding state rapidly by
setting it to an edge port. You are advised to configure the Ethernet
ports directly connected to user terminals as edge ports so that they can turn to
the forwarding state rapidly.
Normally, configuration BPDUs cannot reach an edge port because the port is not
connected to another switch. But when the BPDU guard function is disabled on an
edge port, configuration BPDUs sent deliberately by a malicious user may reach
the port. If an edge port receives a BPDU, it turns to a non-edge port.
Related command: stp edged-port.
CAUTION: With the loop guard function enabled, the root guard function and
the edge port configuration are mutually exclusive.
Example
# Configure Ethernet 1/0/3 as an edge port.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] stp interface Ethernet 1/0/3 edged-port enable
stp interface loop-protection
Syntax
View
System view
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by
providing this argument in the form of interface-list = { interface-type
interface-number [ to interface-type interface-number ] } &<1-10>, where
&<1-10> means that you can provide up to 10 port indexes/port index ranges for
this argument.
Description
Use the stp interface loop-protection command to enable the loop guard
function in system view.
Use the undo stp interface loop-protection command to restore the default
state of the loop guard function in system view.
The loop guard function is disabled by default.
Related command: stp loop-protection.
CAUTION: With the loop guard function enabled, the root guard function and
the edge port configuration are mutually exclusive.
Example
# Enable the loop guard function for Ethernet 1/0/1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] stp interface Ethernet 1/0/1 loop-protection
stp interface no-agreement-check
Syntax
View
System view
Parameters
interface-type: Port type.
interface-number: Port number.
Description
The rapid transition feature can be enabled on root ports or alternate ports only.
You can enable the rapid transition feature on the designated port; however, the
feature does not take effect on the port.
Example
stp interface point-to-point
Syntax
View
System view
Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by
providing this argument in the form of interface-list = { interface-type
interface-number [ to interface-type interface-number ] } &<1-10>, where
&<1-10> means that you can provide up to 10 port indexes/port index ranges for
this argument.
force-true: Specifies that the links connected to the specified Ethernet ports are
point-to-point links.
force-false: Specifies that the links connected to the specified Ethernet ports are
not point-to-point links.
auto: Specifies to automatically determine whether or not the links connected to
the specified Ethernet ports are point-to-point links.
Description
Use the stp interface point-to-point command to specify whether the links
connected to the specified Ethernet ports are point-to-point links in system view.
Use the undo stp interface point-to-point command to restore the links
connected to the specified ports to their default link types, which are
automatically determined by MSTP.
If no keyword is specified in the stp interface point-to-point command, the
auto keyword is used by default, and so MSTP automatically determines the types
of the links connected to the specified ports.
The rapid transition feature is not applicable to ports connected to
non-point-to-point links.
If an Ethernet port is the master port of aggregated ports or operates in full-duplex
mode, the link connected to the port is a point-to-point link. You are
recommended to let MSTP automatically determine the link types.
These two commands apply to CIST and MSTIs. If you configure the link to which
a port is connected to be a point-to-point link (or a non-point-to-point link), the
configuration applies to all MSTIs (that is, the port is configured to connect to a
point-to-point link (or a non-point-to-point link) in all MSTIs). If the actual physical
link is not a point-to-point link and you configure the link to which the port is
connected to be a point-to-point link, loops may temporarily occur.
Related command: stp point-to-point.
Example
View
System view
Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by
providing this argument in the form of interface-list = { interface-type
interface-number [ to interface-type interface-number ] } &<1-10>, where
&<1-10> means that you can provide up to 10 port indexes/port index ranges for
this argument.
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
priority: Port priority to be set. This argument ranges from 0 to 240 and must be a
multiple of 16 (such as 0, 16, 32, and so on).
Description
Use the stp interface port priority command to set a port priority for the
specified ports in the specified MSTI in system view.
Use the undo stp interface port priority command to restore the default
priority of the specified ports in the specified MSTI in system view.
The default port priority of a port in an MSTI is 128.
If you specify the instance-id argument as 0, the two commands apply to the port
priorities on the CIST. The role a port plays in an MSTI is affected by its port priority
in the instance. A port on an MSTP-enabled switch can have different port
priorities and play different roles in different MSTIs. This enables packets of
different VLANs to be forwarded along different physical paths, so as to
implement VLAN-based load balancing. Changing port priorities results in port
role recalculation and may cause state transition.
Related command: stp port priority.
Example
stp interface root-protection
Syntax
View
System view
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by
providing this argument in the form of interface-list = { interface-type
interface-number [ to interface-type interface-number ] } &<1-10>, where
&<1-10> means that you can provide up to 10 port indexes/port index ranges for
this argument.
Description
Use the stp interface root-protection command to enable the root guard
function on specified port(s) in system view.
Use the undo stp interface root-protection command to restore the root guard
function to the default state on specified port(s) in system view.
By default, the root guard function is disabled.
Because of configuration errors or malicious attacks, the root bridge in the
network may receive configuration BPDUs with priorities higher than that of the root
bridge, which causes a new root bridge to be elected and network topology jitter to
occur. In this case, flows that should have traveled along high-speed links are led
to low-speed links, which causes network congestion.
You can avoid this problem by enabling the root guard function.
Root-guard-enabled ports can only be kept as designated ports in all MSTIs. When
a port of this type receives configuration BPDUs with higher priorities, that is,
when it is to become a non-designated port, it turns to the discarding state and
stops forwarding packets (as if it is disconnected from the link).
Related command: stp root-protection.
CAUTION: With the loop guard function enabled, the root guard function and
edge port configuration are mutually exclusive.
Example
# Enable the root guard function for Ethernet 1/0/1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] stp interface Ethernet 1/0/1 root-protection
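An added example, not from the 3Com manual: an offline audit of a saved configuration for the two conditions this section warns about, loop guard combined with root guard or an edge port on the same port, and edge ports left without BPDU guard. The configuration text is constructed, and the global command name stp bpdu-protection is an assumption because this section does not show it.

```python
import re

# Assumed name of the global BPDU guard command; it is not shown in this section.
BPDU_GUARD_CMD = "stp bpdu-protection"

# Constructed sample in the style of a saved switch configuration.
SAMPLE_CONFIG = """\
#
 stp enable
#
interface Ethernet1/0/1
 stp root-protection
 stp loop-protection
#
interface Ethernet1/0/3
 stp edged-port enable
#
interface Ethernet1/0/5
 stp edged-port enable
 stp loop-protection
#
interface Ethernet1/0/7
 stp root-protection
#
"""


def parse_stp_config(text):
    """Split a configuration into global stp commands and per-port stp commands."""
    global_cmds, ports, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None  # a "#" line closes the current interface block
            continue
        match = re.match(r"interface\s+(\S.*)$", raw)
        if match:
            current = match.group(1).replace(" ", "")
            ports[current] = set()
            continue
        if line.startswith("stp "):
            (ports[current] if current else global_cmds).add(line)
    return global_cmds, ports


def audit(text):
    """Return (port, kind, detail) findings in configuration order."""
    global_cmds, ports = parse_stp_config(text)
    bpdu_guard = BPDU_GUARD_CMD in global_cmds
    findings = []
    for port, cmds in ports.items():
        if "stp loop-protection" in cmds:
            # CAUTION on this page: loop guard excludes root guard and edge port.
            for other in ("stp root-protection", "stp edged-port enable"):
                if other in cmds:
                    findings.append(
                        (port, "conflict", f"stp loop-protection with {other}"))
        if "stp edged-port enable" in cmds and not bpdu_guard:
            # Without BPDU guard a received BPDU turns the edge port into a non-edge port.
            findings.append(
                (port, "unguarded-edge", f"edge port without global {BPDU_GUARD_CMD}"))
    return findings


if __name__ == "__main__":
    for port, kind, detail in audit(SAMPLE_CONFIG):
        print(f"{port:16} {kind:15} {detail}")
```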
stp interface transmit-limit
Syntax
View
System view
Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by
providing this argument in the form of interface-list = { interface-type
interface-number [ to interface-type interface-number ] } &<1-10>, where
&<1-10> means that you can provide up to 10 port indexes/port index ranges for
this argument.
packetnum: Maximum number of configuration BPDUs a port can send in each
hello time. This argument ranges from 1 to 255 and defaults to 10.
Description
Use the stp interface transmit-limit command to set the maximum number of
configuration BPDUs each specified port can send in each hello time.
Use the undo stp interface transmit-limit command to restore the maximum
number to the default value.
The larger the packetnum argument is, the more packets a port can transmit in
each hello time, and the more switch resources are occupied. Configure the
packetnum argument to a proper value to limit the number of BPDUs a port can
send in each hello time, so that MSTP does not occupy too much bandwidth
when network topology jitter occurs.
Related command: stp transmit-limit.
Example
stp loop-protection
Syntax
stp loop-protection
undo stp loop-protection
View
Parameters
None
Description
Use the stp loop-protection command to enable the loop guard function on the
current port.
Use the undo stp loop-protection command to restore the loop guard function
to the default state on the current port.
By default, the loop guard function is disabled.
A switch maintains the states of the root port and other blocked ports by receiving
and processing BPDUs from the upstream switch. These BPDUs may get lost
because of network congestion or unidirectional link failures. If a switch does not
receive BPDUs from the upstream switch for a certain period, the switch selects a
new root port; the original root port becomes a designated port; and the blocked
ports turn to the forwarding state. This may cause loops in the network.
The loop guard function suppresses loops. With this function enabled, if link
congestion or unidirectional link failures occur, a root port becomes a
designated port, and the port turns to the discarding state. The blocked port also
becomes a designated port and turns to the discarding state, that is,
the port does not forward packets, and loops are thereby prevented.
Example
stp max-hops
Syntax
View
System view
Parameter
hops: Maximum hop count to be set. This argument ranges from 1 to 40.
Description
Use the stp max-hops command to set the maximum hop count for the MST
region the current switch belongs to.
Use the undo stp max-hops command to restore the maximum hop count to the
default.
By default, the maximum hop count of an MST region is 20.
The maximum hop count configured on the region roots of an MST region limits
the size of the MST region.
A configuration BPDU contains a field that maintains the remaining hops of the
configuration BPDU, and a switch discards the configuration BPDUs whose
remaining hops are 0. After a configuration BPDU reaches a root bridge of a
spanning tree in an MST region, the value of the remaining hops field in the
configuration BPDU is decreased by 1 every time the configuration BPDU passes
one switch. Such a mechanism disables the switches that are beyond the
maximum hops from participating in spanning tree calculation, and thus limits the
size of an MST region.
With such a mechanism, the maximum hops configured on the switch operating
as the root bridge of the CIST or an MSTI in an MST region becomes the network
diameter of the spanning tree, which limits the size of the spanning tree in the
current MST region. The switches that are not root bridges in an MST region adopt
the maximum hop settings of the root bridge.
Example
# Set the maximum hop count of the current MST region to 35.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] stp max-hops 35
stp mcheck
Syntax
stp mcheck
View
System view, Ethernet port view
Parameters
None
Description
Use the stp mcheck command to perform the mCheck operation on the current
port.
When a port on an MSTP-enabled upstream switch connects with an STP-enabled
downstream switch, the port operates in the STP-compatible mode automatically.
But when the STP-enabled downstream switch is then replaced by an
MSTP-enabled switch, the port cannot automatically transit to the MSTP mode but
still remains in the STP-compatible mode. In this case, you can force the port to
transit to the MSTP mode by performing the mCheck operation on the port.
Similarly, when a port on an RSTP-enabled upstream switch connects with an
STP-enabled downstream switch, the port operates in the STP-compatible mode.
But when the STP-enabled downstream switch is then replaced by an
MSTP-enabled switch, the port cannot automatically transit to the MSTP mode but
remains in the STP-compatible mode. In this case, you can force the port to transit
to the MSTP-compatible mode by performing the mCheck operation on the port.
Related commands: stp mode and stp interface mcheck.
Example
stp mode
Syntax
View
System view
Parameters
stp: Specifies the STP-compatible mode.
mstp: Specifies the MSTP mode.
rstp: Specifies the RSTP-compatible mode.
Description
Use the stp mode command to set the operating mode of an MSTP-enabled
switch.
Use the undo stp mode command to restore the default operating mode of an
MSTP-enabled switch.
By default, an MSTP-enabled switch operates in MSTP mode.
To make a switch compatible with STP and RSTP, MSTP provides the following three
operating modes.
MSTP mode, where the ports of a switch send MSTP BPDUs and STP BPDUs (if
the switch is connected to STP-enabled switches) to neighboring devices. In
this case, the switch is MSTP-capable.
Related commands: stp mcheck, stp, stp interface, and stp interface mcheck.
Example
stp no-agreement-check
Syntax
stp no-agreement-check
Parameters
None
Description
The rapid transition feature can be enabled on only root ports or alternate ports.
You can enable the rapid transition feature on the designated port. However, the
feature does not take effect on the port.
Example
stp pathcost-standard
Syntax
View
System view
Parameters
dot1d-1998: Uses the IEEE 802.1D-1998 standard to calculate the default path
costs of ports.
dot1t: Uses the IEEE 802.1t standard to calculate the default path costs of ports.
legacy: Uses the proprietary standard to calculate the default path costs of ports.
Description
Link speed   Operating mode (half-/full-duplex)   802.1D-1998   IEEE 802.1t    Proprietary standard
                                                  65,535        200,000,000    200,000
10 Mbps      Half-duplex/Full-duplex              100           200,000        2,000
                                                                1,000,000      1,800
                                                                666,666        1,600
                                                                500,000        1,400
100 Mbps     Half-duplex/Full-duplex              19            200,000        200
                                                                100,000        180
                                                                66,666         160
                                                                50,000         140
1,000 Mbps   Full-duplex                                        200,000        20
                                                                10,000         18
                                                                6,666          16
                                                                5,000          14
10 Gbps      Full-duplex                                        200,000
                                                                1,000
                                                                666
                                                                500
Normally, when a port operates in full-duplex mode, the corresponding path cost
is slightly less than that when the port operates in half-duplex mode.
When the path cost of an aggregated link is calculated, the 802.1D-1998 standard
does not take the number of the ports on the aggregated link into account,
whereas the 802.1t standard does. The following formula is used to calculate the
path cost of an aggregated link:
Path cost = 200,000 / link speed
In this formula, the link speed is the sum of the speeds of the unblocked ports on
the aggregated link, measured in units of 100 Kbps.
Example
# Configure to use the IEEE 802.1D-1998 standard to calculate the default path
costs of ports.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] stp pathcost-standard dot1d-1998
# Configure to use the IEEE 802.1t standard to calculate the default path costs of
ports.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] stp pathcost-standard dot1t
stp point-to-point
Syntax
View
Parameters
Description
Use the stp point-to-point command to specify whether the link connected to
the current Ethernet port is a point-to-point link.
Use the undo stp point-to-point command to restore the link connected to the
current Ethernet port to its default link type, which is automatically determined by
MSTP.
By default, whether the link type of a port is point-to-point is automatically
determined by the switch.
If no keyword is specified in the stp point-to-point command, the auto keyword
is used by default, and so MSTP automatically determines the type of the link
connected to the current port.
The rapid transition feature is not applicable to ports on non-point-to-point links.
If an Ethernet port is the master port of aggregation ports or operates in
full-duplex mode, the link connected to the port is a point-to-point link. You are
recommended to let MSTP automatically determine the link types of ports.
The two commands apply only to CISTs and MSTIs. If you configure the link to
which a port is connected to be a point-to-point link (or a non-point-to-point link), the
configuration applies to all MSTIs (that is, the port is configured to connect to a
point-to-point link (or a non-point-to-point link) in all MSTIs). If the actual physical
link is not a point-to-point link and you configure the link to which the port is
connected to be a point-to-point link, temporary loops may occur.
Related command: stp interface point-to-point.
Example
View
Parameters
Description
Use the stp port priority command to set the port priority of the current port in
the specified MSTI.
Use the undo stp port priority command to restore the default port priority of
the current port in the specified MSTI.
The default port priority of a port in any MSTI is 128.
If you specify the instance-id argument as 0 or do not specify the argument, the
two commands apply to the port priorities of ports on the CIST. The role a port
plays in an MSTI is determined by the port priority in the instance. A port on an
MSTP-enabled switch can have different port priorities and play different roles in
different MSTIs. This enables packets of different VLANs to be forwarded along
different physical links, so as to implement VLAN-based load balancing. Changing
port priorities results in port role recalculation and state transition.
Related command: stp interface port priority.
Example
stp portlog
Syntax
View
System view
Parameter
instance instance-id: Specifies an MSTI ID, ranging from 0 to 16. The value of 0
indicates the CIST.
Description
Use the stp portlog command to enable log and trap message output for the
ports of a specified instance.
Use the undo stp portlog command to disable this function.
By default, log and trap message output is disabled.
Executing the stp portlog command (without using the instance instance-id
parameters) will enable log and trap message output for the ports of instance 0.
Example
# Enable log and trap message output for the ports of instance 1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] stp instance 1 portlog
View
System view
Parameters
None
Description
Use the stp portlog all command to enable log and trap message output for the
ports of all instances.
Use the undo stp portlog all command to disable this function.
By default, log and trap message output is disabled on the ports of all instances.
Example
# Enable log and trap message output for the ports of all instances.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] stp portlog all
stp priority
Syntax
View
System view
Parameters
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
priority: The priority at which to set the switch. This argument ranges from 0 to
61,440 and must be a multiple of 4,096 (such as 0, 4,096, and 8,192). There are
16 available switch priorities.
Description
Use the stp priority command to set the priority of the switch in the specified
MSTI.
Use the undo stp priority command to restore the switch priority to the default
priority in the specified MSTI.
The default priority of a switch is 32,768.
The switch's priorities are used for spanning tree calculation. Switch priorities are
spanning tree-specific. That is, you can set different priorities for the same switch
in different MSTIs.
If you do not specify the instance-id argument, the two commands apply to only
the CIST.
Example
stp region-configuration
Syntax
stp region-configuration
undo stp region-configuration
View
System view
Parameters
None
Description
All VLANs are mapped to the CIST in the VLAN-to-MSTI mapping table
You can modify the three parameters after entering MST region view by using the
stp region-configuration command.
NOTE: NTDP packets sent by devices in a cluster can be transmitted in only the instances
where the management VLAN of the cluster resides.
Example
# Enter MST region view.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] stp region-configuration
[5500-mst-region]
View
System view
Parameters
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
bridgenum: Network diameter of the specified spanning tree. This argument
ranges from 2 to 7 and defaults to 7.
centi-seconds: Hello time in centiseconds of the specified spanning tree. This
argument ranges from 100 to 1,000 and defaults to 200.
Description
Use the stp root primary command to configure the current switch as the root
bridge of a specified MSTI.
Use the undo stp root command to cancel the current configuration.
By default, a switch is not configured as a root bridge.
If you do not specify the instance-id argument, these two commands apply to only
the CIST.
You can specify the current switch as the root bridge of an MSTI regardless of the
priority of the switch. You can also specify the network diameter of the switched
network by using the stp root primary command. The switch then calculates
the following three time parameters: hello time, forward delay, and max age. As
the hello time calculated from the network diameter is not always the optimal one,
you can set it manually through the hello-time centi-seconds parameter.
Generally, you are recommended to obtain the forward delay and max age
parameters by setting the network diameter.
CAUTION: You can configure only one root bridge for an MSTI and can configure
one or more secondary root bridges for an MSTI. Specifying multiple root bridges
for an MSTI causes unpredictable spanning tree calculation results.
Once a switch is configured as the root bridge or a secondary root bridge, its
priority cannot be modified.
Example
# Configure the current switch as the root bridge of MSTI 1, set the network
diameter of the switched network to 4, and set the hello time to 500
centiseconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] stp instance 1 root primary bridge-diameter 4 hello-time 500
View
System view
Parameters
instance-id: MSTI ID ranging from 0 to 16. The value of 0 refers to the CIST.
bridgenum: Network diameter of the specified spanning tree. This argument
ranges from 2 to 7 and defaults to 7.
centi-seconds: Hello time in centiseconds of the specified spanning tree. This
argument ranges from 100 to 1,000 and defaults to 200.
Description
Use the stp root secondary command to configure the current switch as a
secondary root bridge of a specified MSTI.
Use the undo stp root command to cancel the current configuration.
By default, a switch does not operate as a secondary root bridge.
If you do not specify the instance-id argument, the two commands apply to only
the CIST.
You can configure one or more secondary root bridges for an MSTI. If the switch
operating as the root bridge fails or is turned off, the secondary root bridge with
the smallest MAC address becomes the root bridge.
You can specify the network diameter and the hello time of the switch when you
are configuring it as a secondary root bridge. The switch then calculates the
other two time parameters: forward delay and max age. If the instance-id
argument is set to 0 in this command, the current switch is configured as the
secondary root bridge of the CIST. You can configure only one root bridge for an
MSTI but you can configure one or more secondary root bridges for an MSTI.
Once a switch is configured as the root bridge or a secondary root bridge, its
priority cannot be modified.
Example
# Configure the current switch as a secondary root bridge of MSTI 4, setting the
network diameter of the switched network to 5 and the hello time of the current
switch to 300 centiseconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] stp instance 4 root secondary bridge-diameter 5 hello-time 300
stp root-protection
Syntax
stp root-protection
undo stp root-protection
View
Parameters
None
Description
Use the stp root-protection command to enable the root guard function on the
current switch.
Use the undo stp root-protection command to restore the root guard function
to the default state on the current switch.
By default, the root guard function is disabled.
Because of configuration errors or malicious attacks, the valid root bridge in the
network may receive configuration BPDUs with priorities higher than that of
the root bridge, which causes a new root bridge to be elected and network
topology jitter to occur. In this case, flows that should have traveled along
high-speed links are led to low-speed links, causing network congestion.
You can avoid this problem by utilizing the root guard function.
Root-guard-enabled ports can only be kept as designated ports in all MSTIs. When
a port of this type receives configuration BPDUs with higher priorities, it turns to
the discarding state before it is specified as a non-designated port and stops
forwarding packets (as if it is disconnected from the link). It resumes the normal
state if it does not receive any configuration BPDUs with higher priorities for a
specified period.
Related command: stp interface root-protection.
Example
stp tc-protection
Syntax
View
System view
Parameters
None
Description
Use the stp tc-protection enable command to enable the TC-BPDU attack guard
function.
Use the stp tc-protection disable command to disable the TC-BPDU attack
guard function.
By default, the TC-BPDU attack guard function is enabled, and the MAC address
table and ARP entries can be removed up to six times within 10 seconds.
Normally, a switch removes the MAC address table and ARP entries upon receiving
TC-BPDUs. If a malicious user sends a large number of TC-BPDUs to a switch in a
short period, the switch may be kept busy removing the MAC address table and ARP
entries, which may affect spanning tree calculation, occupy a large
amount of bandwidth, and increase switch CPU utilization.
With the TC-BPDU attack guard function enabled, a switch performs a removing
operation upon receiving a TC-BPDU and triggers a timer (set to 10 seconds by
default) at the same time. Before the timer expires, the switch performs the
removing operation only a limited number of times (up to six times by default)
regardless of the number of TC-BPDUs it receives. Such a mechanism prevents a
switch from being kept busy removing the MAC address table and ARP entries.
Example
stp tc-protection threshold
Syntax
View
System view
Parameter
number: Maximum number of times that a switch can remove the MAC address
table and ARP entries within each 10 seconds, in the range of 1 to 255.
Description
Use the stp tc-protection threshold command to set the maximum number of
times that a switch can remove the MAC address table and ARP entries within
each 10 seconds.
Use the undo stp tc-protection threshold command to restore the default.
Normally, a switch removes the MAC address table and ARP entries upon receiving
a TC-BPDU. If a malicious user sends a large number of TC-BPDUs to a switch in a
short period, the switch may be kept busy removing the MAC address table and ARP
entries, which may affect spanning tree calculation, occupy a large amount of
bandwidth and increase switch CPU utilization.
With the TC-BPDU attack guard function enabled, a switch performs a removing
operation upon receiving a TC-BPDU and triggers a timer (set to 10 seconds by
default) at the same time. Before the timer expires, the switch only performs the
removing operation for limited times (up to six times by default) regardless of the
number of the TC-BPDUs it receives. Such a mechanism prevents a switch from
being busy in removing the MAC address table and ARP entries.
You can use the stp tc-protection threshold command to set the maximum
number of times a switch removes the MAC address table and ARP entries in a
specific period. While the number of TC-BPDUs received within a period is less
than this maximum, the switch performs a removing operation upon receiving each
TC-BPDU. After the number of TC-BPDUs received reaches the maximum, the switch
stops performing the removing operation. For example, if you set the maximum to
100 and the switch receives 200 TC-BPDUs in the period, the switch removes the
MAC address table and ARP entries only 100 times within the period.
Example
# Set the maximum times for a switch to remove the MAC address table and ARP
entries within 10 seconds to 5.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] stp tc-protection threshold 5
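The limiting behaviour described above can be modelled in a few lines. This Python sketch is an added example, not code from the manual or the switch firmware; the class and function names are hypothetical, and it assumes a fixed 10-second window that restarts with the first TC-BPDU received after the timer expires.

```python
"""Model of the TC-BPDU attack guard and its threshold (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

WINDOW_SECONDS = 10.0   # timer length given in the manual
DEFAULT_THRESHOLD = 6   # default limit given in the manual


@dataclass
class TcGuard:
    threshold: int = DEFAULT_THRESHOLD
    enabled: bool = True
    window_start: Optional[float] = None
    # One [start, received, flushed] record per timer window.
    windows: List[list] = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.threshold <= 255:
            raise ValueError("threshold must be in the range of 1 to 255")

    def receive(self, t: float) -> bool:
        """Handle one TC-BPDU at time t (seconds); True means the tables were flushed."""
        # Assumption: a new window opens with the first TC-BPDU after expiry.
        if self.window_start is None or t - self.window_start >= WINDOW_SECONDS:
            self.window_start = t
            self.windows.append([t, 0, 0])
        window = self.windows[-1]
        window[1] += 1
        # With the guard disabled every TC-BPDU causes a flush.
        if not self.enabled or window[2] < self.threshold:
            window[2] += 1
            return True
        return False

    @property
    def flushes(self) -> int:
        return sum(w[2] for w in self.windows)

    @property
    def suppressed(self) -> int:
        return sum(w[1] - w[2] for w in self.windows)

    def throttled_windows(self):
        """Windows in which the limit was reached: (start, received, flushed).

        A window listed here means more TC-BPDUs arrived than the switch was
        willing to act on, which is the condition worth alerting on.
        """
        return [tuple(w) for w in self.windows if w[1] > w[2]]


def replay(arrival_times, threshold=DEFAULT_THRESHOLD, enabled=True):
    """Feed constructed arrival times through the guard; return (flushes, suppressed)."""
    guard = TcGuard(threshold=threshold, enabled=enabled)
    for t in sorted(arrival_times):
        guard.receive(t)
    return guard.flushes, guard.suppressed


# Constructed input: 200 TC-BPDUs inside one window, as in the manual's example.
BURST = [i * 0.025 for i in range(200)]
# Constructed input: 200 TC-BPDUs spread over 25 seconds (three windows).
SUSTAINED = [i * 0.125 for i in range(200)]

if __name__ == "__main__":
    print("threshold 100, burst:", replay(BURST, threshold=100))
    print("default threshold, burst:", replay(BURST))
    print("guard disabled, burst:", replay(BURST, enabled=False))
    guard = TcGuard()
    for t in SUSTAINED:
        guard.receive(t)
    for start, received, flushed in guard.throttled_windows():
        print(f"window at {start:5.1f}s: received {received}, flushed {flushed}")
```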
stp timer forward-delay
Syntax
View
System view
Parameter
Description
Example
View
System view
Parameter
centi-seconds: Hello time to be set, in the range of 100 to 1,000 (in centiseconds).
Description
Use the stp timer hello command to set the hello time of the switch.
Use the undo stp timer hello command to restore the hello time of the switch to
the default value.
By default, the hello time of the switch is 200 centiseconds.
A root bridge regularly sends out configuration BPDUs to maintain the stability of
existing spanning trees. If the switch does not receive BPDU packets in a specified
period, spanning trees will be recalculated because BPDU packets time out. When
a switch becomes a root bridge, it regularly sends BPDUs at the interval specified
by the hello time you have configured on it. The other non-root-bridge switches
adopt the interval specified by the hello time.
As for the configuration of the three time-related parameters (namely, the hello
time, forward delay, and max age parameters), the following formulas must be
met to prevent frequent network jitter.
2 x (forward delay - 1 second) >= max age
Max age >= 2 x (hello time + 1 second)
You are recommended to specify the network diameter of the switched network
and the hello time by using the stp root primary or stp root secondary
command. After that, the three proper time-related parameters are automatically
calculated by MSTP.
Related command: stp timer forward-delay, stp timer max-age, and stp
bridge-diameter.
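The two inequalities are written in seconds while the stp timer commands take centiseconds, so a mechanical check is useful when timers are set by hand. This Python sketch is an added example, not part of the manual; the function names are hypothetical and the stp timer lines are constructed sample input. The forward-delay range and default are not stated in this section, so they are not checked.

```python
"""Check STP timer settings against the two inequalities above (added example)."""
import re

CS = 100  # centiseconds per second: the CLI uses centiseconds, the formulas seconds
# Ranges and defaults stated in this section, in centiseconds.
HELLO_RANGE, HELLO_DEFAULT = (100, 1000), 200
MAX_AGE_RANGE, MAX_AGE_DEFAULT = (600, 4000), 2000

# Matches lines such as "stp timer hello 300", with or without a "[5500]" prompt.
TIMER_LINE = re.compile(
    r"^\s*(?:\[[^\]]*\]\s*)?stp\s+timer\s+(hello|forward-delay|max-age)\s+(\d+)\s*$"
)


def parse_stp_timers(config_text):
    """Return the three timers in centiseconds; the last setting of each wins.

    forward-delay stays None when the text does not set it, because its
    default is not given in this section.
    """
    timers = {"hello": HELLO_DEFAULT, "forward-delay": None, "max-age": MAX_AGE_DEFAULT}
    for line in config_text.splitlines():
        match = TIMER_LINE.match(line)
        if match:
            timers[match.group(1)] = int(match.group(2))
    return timers


def check_stp_timers(timers):
    """Return a list of human-readable problems; an empty list means consistent."""
    hello, fwd, age = timers["hello"], timers["forward-delay"], timers["max-age"]
    problems = []
    if not HELLO_RANGE[0] <= hello <= HELLO_RANGE[1]:
        problems.append(f"hello time {hello} outside {HELLO_RANGE[0]} to {HELLO_RANGE[1]}")
    if not MAX_AGE_RANGE[0] <= age <= MAX_AGE_RANGE[1]:
        problems.append(f"max age {age} outside {MAX_AGE_RANGE[0]} to {MAX_AGE_RANGE[1]}")
    # Max age >= 2 x (hello time + 1 second)
    if age < 2 * (hello + CS):
        problems.append(f"max age {age} < 2 x (hello time {hello} + {CS})")
    # 2 x (forward delay - 1 second) >= max age
    if fwd is None:
        problems.append("forward delay not set: first inequality not checked")
    elif 2 * (fwd - CS) < age:
        problems.append(f"2 x (forward delay {fwd} - {CS}) < max age {age}")
    return problems


# Constructed sample input: each value is within its own range, but the
# combination breaks both inequalities.
BAD_CONFIG = """
[5500] stp timer hello 300
[5500] stp timer max-age 700
[5500] stp timer forward-delay 400
"""

# Constructed sample input that satisfies both inequalities.
GOOD_CONFIG = """
stp timer hello 200
stp timer forward-delay 1500
stp timer max-age 2000
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_stp_timers(parse_stp_timers(text)) or "consistent")
```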
Example
View
System view
Parameter
centi-seconds: Max age to be set, in the range of 600 to 4,000 (in centiseconds).
Description
Use the stp timer max-age command to set the max age of the switch.
Use the undo stp timer max-age command to restore the default max age.
By default, the max age of a switch is 2,000 centiseconds.
stp timer-factor
Syntax
View
System view
Parameter
number: Hello time factor to be set, in the range of 1 to 10.
Description
Use the stp timer-factor command to set the timeout time of a switch in the
form of a multiple of the hello time.
Use the undo stp timer-factor command to restore the hello time factor to the
default value.
By default, the hello time factor of the switch is 3.
A switch regularly sends protocol packets to its neighboring devices at the interval
specified by the hello time parameter to test the links. Generally, a switch regards
its upstream switch as faulty if the former does not receive any protocol packets
from the latter in a period three times the hello time, and then initiates the
spanning tree recalculation process.
Spanning trees may be recalculated even in a steady network if an upstream
switch is always busy. You can configure the hello time factor to a larger number
to avoid this problem. Normally, the timeout time can be four (or more) times of
the hello time. For a steady network, the timeout time can be five to seven times
of the hello time.
Example
stp transmit-limit
Syntax
View
Parameter
Description
Example
vlan-mapping modulo
Syntax
View
Parameter
modulo: Modulo by which VLANs are mapped to MSTIs, in the range of 1 to 16.
Description
Use the vlan-mapping modulo command to set the modulo by which VLANs are
mapped to MSTIs.
By default, all VLANs in a network are mapped to the CIST (MSTI 0).
MSTP uses a VLAN mapping table to describe VLAN-to-MSTI mappings. You can
use this command to establish the VLAN mapping table and map VLANs to MSTIs
in a specific way.
Note that a VLAN cannot be mapped to multiple different MSTIs at the same time.
A VLAN-to-MSTI mapping becomes invalid when you map the VLAN to another
MSTI.
You can map VLANs to the specific MSTIs rapidly by using the vlan-mapping
modulo modulo command. The ID of the MSTI to which a VLAN is mapped can
be figured out by using the following formula:
(VLAN ID-1) % modulo + 1.
In this formula, (VLAN ID-1) % modulo yields the remainder of (VLAN ID-1) divided
by the modulo argument. For example, if you set the modulo argument to
16, then VLAN 1 is mapped to MSTI 1, VLAN 2 is mapped to MSTI 2, ..., VLAN 16
is mapped to MSTI 16, VLAN 17 is mapped to MSTI 1, and so on.
Related command: check region-configuration, revision-level, region-name,
and active region-configuration.
Example
vlan-vpn tunnel
Syntax
vlan-vpn tunnel
undo vlan-vpn tunnel
View
System view
Parameters
None
Description
Use the vlan-vpn tunnel command to enable the VLAN-VPN tunnel function for
a switch.
Use the undo vlan-vpn tunnel command to disable the VLAN-VPN tunnel
function.
The VLAN-VPN tunnel function enables BPDUs to be transparently transmitted
between geographically dispersed user networks through specified VLAN VPNs in
operators' networks, so that spanning trees can be calculated across these
user networks independently of those of the operators' network.
By default, the VLAN-VPN tunnel function is disabled.
Example
22 IP ROUTING TABLE CONFIGURATION COMMANDS
The term router in this chapter refers to a router in a generic sense or an Ethernet
switch running a routing protocol.
display ip routing-table
Syntax
View
Parameter
Description
Use the display ip routing-table command to display the routing table summary.
This command displays the summary of the routing table. Each line represents one
route, containing destination address/mask length, protocol, preference, cost, next
hop, and output interface.
This command displays only the currently used routes, that is, the optimal routes.
Example
Nexthop
1.1.1.1
127.0.0.1
2.2.2.1
127.0.0.1
3.3.3.1
127.0.0.1
4.4.4.1
Interface
Vlan-interface1
InLoopBack0
Vlan-interface2
InLoopBack0
Vlan-interface3
InLoopBack0
Vlan-interface4
4.4.4.1/32
127.0.0.0/8
127.0.0.1/32
DIRECT
DIRECT
DIRECT
0
0
0
0
0
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
127.0.0.1 InLoopBack0
# Display the routing information from the entry containing the character string
interface4 in the current routing table.
<5500> display ip routing-table | begin interface4
Routing Table: public net
4.4.4.0/24         DIRECT    0    0     4.4.4.1      Vlan-interface4
4.4.4.1/32         DIRECT    0    0     127.0.0.1    InLoopBack0
127.0.0.0/8        DIRECT    0    0     127.0.0.1    InLoopBack0
127.0.0.1/32       DIRECT    0    0     127.0.0.1    InLoopBack0
# Display the routing information containing the character string interface4 in the
current routing table.
<5500> display ip routing-table | include interface4
Routing Table: public net
Destination/Mask   Protocol  Pre  Cost  Nexthop      Interface
4.4.4.0/24         DIRECT    0    0     4.4.4.1      Vlan-interface4
# Display the routing information without the character string interface4 in the
current routing table.
<5500> display ip routing-table | exclude interface4
Routing Table: public net
Destination/Mask   Protocol  Pre  Cost  Nexthop      Interface
1.1.1.0/24         DIRECT    0    0     1.1.1.1      Vlan-interface1
1.1.1.1/32         DIRECT    0    0     127.0.0.1    InLoopBack0
2.2.2.0/24         DIRECT    0    0     2.2.2.1      Vlan-interface2
2.2.2.1/32         DIRECT    0    0     127.0.0.1    InLoopBack0
3.3.3.0/24         DIRECT    0    0     3.3.3.1      Vlan-interface3
3.3.3.1/32         DIRECT    0    0     127.0.0.1    InLoopBack0
4.4.4.1/32         DIRECT    0    0     127.0.0.1    InLoopBack0
127.0.0.0/8        DIRECT    0    0     127.0.0.1    InLoopBack0
127.0.0.1/32       DIRECT    0    0     127.0.0.1    InLoopBack0
Description
Destination/Mask
Protocol
Routing protocol
Pre
Route preference
Cost
Route cost
Nexthop
Interface
display ip routing-table acl
Syntax
View
Parameter
verbose: With this keyword specified, detailed information of routes in the active
or inactive state that match the ACL is displayed. With this keyword not specified,
brief information of only the routes in the active state that match the ACL is
displayed.
Description
Example
For details about the display acl command, refer to the chapter entitled ACL
Configuration Commands on page 773.
# Display the information of routes that match ACL 2100.
<5500> display ip routing-table acl 2100
Routes matched by access-list 2100:
Summary count: 2
Destination/Mask   Protocol  Pre  Cost  Nexthop      Interface
192.168.1.0/24     DIRECT    0    0     192.168.1.2  Vlan-interface2
192.168.1.2/32     DIRECT    0    0     127.0.0.1    InLoopBack0
Description
Destination
Destination address
Mask
Subnet mask
Description
Protocol
Preference
Route preference
Nexthop
Interface
State
Blackhole
Delete
A route is to be deleted.
Gateway
An indirect route.
Hidden
Holddown
Int
NoAdvise
NotInstall
Reject
Retain
Static
Unicast
A unicast route.
Age
Cost
Cost of a route.
display ip routing-table ip-address
Syntax
View
Parameter
Description
This command only displays the routes exactly matching the specified destination
address and mask.
This command displays all destination address routes matching the specified
destination address in the natural mask range.
This command displays all destination address routes matching the specified
destination address in the specified mask range.
Example
display ip routing-table ip-address1 ip-address2
Syntax
View
Parameter
Description
Example
display ip routing-table ip-prefix
Syntax
View
Parameter
Description
Example
Interface
Vlan-interface1
InLoopBack0
display ip routing-table protocol
Syntax
View
Parameter
inactive: With this argument provided, this command displays the inactive route
information. Without this argument provided, this command displays both active
and inactive route information.
verbose: With this keyword specified, detailed information of routes in the active
or inactive state is displayed. With this keyword not specified, brief information of
only the routes in the active state is displayed.
Description
Example
Nexthop
Interface
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
Nexthop
Interface
127.0.0.1
InLoopBack0
display ip routing-table radix
Syntax
View
Any view
Parameter
None
Description
Example
Description
INET
Address suite
Inodes
Number of nodes
Routes
Number of routes
display ip routing-table statistics
Syntax
View
Parameter
Description
Example
deleted
1
0
0
0
0
O_NSSA
Total
0
28
0
5
0
29
0
1
Description
Proto
O_ASE: OSPF_ASE
Route
Active
Added
Number of routes added after the router is rebooted or the routing table is
cleared last time.
Deleted
Total
display ip routing-table verbose
Syntax
View
Parameter
Description
Example
Description
Holddown
Delete
Hidden
reset ip routing-table statistics protocol
Syntax
View
Parameter
Description
Examples
deleted
8
0
0
0
0
0
8
# Clear the routing statistics of all protocols from the IP routing table.
<5500> reset ip routing-table statistics protocol all
deleted
0
0
0
0
0
0
O_NSSA
AGGRE
Total
0
0
13
0
0
12
0
0
0
0
0
0
The above information shows that the routing statistics in the IP routing table are
cleared.
23 STATIC ROUTE CONFIGURATION COMMANDS
The term router in this chapter refers to a router in a generic sense or an Ethernet
switch running a routing protocol.
delete static-routes all
Syntax
delete static-routes all
View
System view
Parameter
None
Description
Use the delete static-routes all command to delete all static routes.
The system will request your confirmation before it deletes all the configured static
routes.
Related command: ip route-static and display ip routing-table.
Example
ip route-static
Syntax
View
Parameter
System view
ip-address: Destination IP address, in dotted decimal notation.
Description
If you specify the next-hop outgoing interface when configuring a static route,
the type of outgoing interface can be Null only.
If the destination IP address and the mask are both 0.0.0.0, what you are
configuring is a default route. All the packets that fail to find a routing entry
will be forwarded through this default route.
You cannot configure an interface address of the local switch as the next hop
address of a static route.
Example
24 RIP CONFIGURATION COMMANDS
The term router in this chapter refers to a router in a generic sense or an Ethernet
switch running a routing protocol.
checkzero
Syntax
checkzero
undo checkzero
View
RIP view
Parameter
None
Description
Use the checkzero command to enable the must be zero field check for RIP-1
packets.
Use the undo checkzero command to disable the must be zero field check for
RIP-1 packets.
By default, RIP-1 performs the must be zero field check.
According to the protocol (RFC 1058) specifications, some fields in RIP-1 packets
must be zero and these fields are called zero fields. You can use the checkzero
command to enable/disable the must be zero field check for RIP-1 packets. When
the must be zero field check is enabled, if the must be zero field in an incoming
RIP-1 packet is non-zero, the packet will be rejected.
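The check is easiest to see against the RIP-1 packet layout from RFC 1058. This Python sketch is an added example, not the switch's implementation; the function names are hypothetical and the packets are constructed sample data. It parses a RIP-1 packet and rejects it when any must be zero field is non-zero, and the checkzero flag models undo checkzero.

```python
"""RIP-1 must be zero field check, following the RFC 1058 layout (added example)."""
import ipaddress
import struct

# Header: command (1 byte), version (1 byte), must be zero (2 bytes).
HEADER = struct.Struct("!BBH")
# Entry: address family (2), must be zero (2), IP address (4),
# must be zero (4), must be zero (4), metric (4).
# RIP-2 reuses the three zero positions for route tag, subnet mask and next hop.
ENTRY = struct.Struct("!HHIIII")

RESPONSE = 2   # RIP command value for a response
AF_INET = 2    # address family identifier for IP


def build_rip1(routes, header_zero=0, entry_zeros=None):
    """Build a RIP-1 response for sample data.

    routes is a list of (address, metric); entry_zeros maps an entry index to
    the three values written into that entry's must be zero fields.
    """
    entry_zeros = entry_zeros or {}
    packet = HEADER.pack(RESPONSE, 1, header_zero)
    for index, (address, metric) in enumerate(routes):
        z1, z2, z3 = entry_zeros.get(index, (0, 0, 0))
        packet += ENTRY.pack(AF_INET, z1, int(ipaddress.IPv4Address(address)), z2, z3, metric)
    return packet


def parse_rip1(packet, checkzero=True):
    """Return (routes, None) when accepted or (None, reason) when rejected."""
    if len(packet) < HEADER.size or (len(packet) - HEADER.size) % ENTRY.size:
        return None, "malformed length"
    _command, version, header_zero = HEADER.unpack_from(packet, 0)
    if version != 1:
        return None, "not a RIP-1 packet"
    if checkzero and header_zero != 0:
        return None, "non-zero must be zero field in header"
    routes = []
    for index, offset in enumerate(range(HEADER.size, len(packet), ENTRY.size)):
        _afi, z1, address, z2, z3, metric = ENTRY.unpack_from(packet, offset)
        if checkzero and (z1 or z2 or z3):
            return None, f"non-zero must be zero field in entry {index}"
        routes.append((str(ipaddress.IPv4Address(address)), metric))
    return routes, None


# Constructed sample data.
SAMPLE_ROUTES = [("10.1.0.0", 2), ("10.2.0.0", 3)]
CLEAN = build_rip1(SAMPLE_ROUTES)
# Entry 1 carries 255.255.255.0 where RIP-1 requires zero.
TAMPERED = build_rip1(SAMPLE_ROUTES, entry_zeros={1: (0, 0xFFFFFF00, 0)})

if __name__ == "__main__":
    print("clean, checkzero on: ", parse_rip1(CLEAN))
    print("tampered, checkzero on: ", parse_rip1(TAMPERED))
    print("tampered, checkzero off:", parse_rip1(TAMPERED, checkzero=False))
```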
Example
default cost
Syntax
View
RIP view
Parameter
value: Default cost, in the range of 1 to 16.
Description
Use the default cost command to set the default cost for redistributed routes.
Use the undo default cost command to restore the default.
By default, the default cost of a redistributed route is 1.
If no cost is specified when you use the import-route command to redistribute
routes from another routing protocol, the routes will be redistributed with the
default cost specified with the default cost command.
Related command: import-route.
Example
# Set the default cost of the routes redistributed from other routing protocols to 3.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] rip
[5500-rip] default cost 3
display rip
Syntax
display rip
View
Any view
Parameter
None
Description
Use the display rip command to display the current RIP operation state and RIP
configuration.
Example
# Display the current RIP operation state and configuration.
<5500> display rip
RIP is running
Checkzero is on
Default cost : 1
Summary is on
Preference : 100
Traffic-share-across-interface is off
Period update timer : 30
Timeout timer : 180
Garbage-collection timer : 120
No peer router
Network :
202.38.168.0
Description
RIP is running
RIP is active.
Description
Checkzero
on: Enabled
off: Disabled
Default cost
Summary
on: Enabled
off: Disabled
Preference
RIP preference
Timeout timer
Garbage-collection timer
No peer router
Network
Traffic-share-across-interface
on: Enabled
off: Disabled
Interface
Vlan-interface100
Ver
2
Description
Address
IP address of the interface running RIP (You need to use the network
command to enable the network segment on which the address resides.)
Interface
Ver
MetrIn/Out
Input
Indicates whether to allow the interface to receive RIP packets (on means
yes; off means no).
Description
Output
Indicates whether to allow the interface to send RIP packets (on means
yes; off means no).
Split-horizon
Indicates whether split horizon is enabled (on means yes; off means no)
I = Inactive   G = Garbage collection   T = Trigger RIP
Destination/Mask    Cost  NextHop      Age  SourceGateway
192.168.110.0/24    1     31.31.31.8   7s   31.31.31.8
200.1.1.0/24        1     31.31.31.8   7s   31.31.31.8
130.1.0.0/16        1     31.31.31.8   7s   31.31.31.8
Description
Destination/Mask
Destination address/Mask
Cost
Cost
NextHop
Age
SourceGateway
Att
Attributes of a route:
A: Active route
I: Inactive route
C: Change state
T: Triggered RIP
Att
A
A
A
filter-policy export
Syntax
View
RIP view
Parameter
acl-number: Number of the basic or advanced ACL used to filter routing
information by destination address, in the range of 2000 to 3999.
ip-prefix-name: Name of the address ip-prefix list used to filter routing information
by destination address, a string of 1 to 19 characters.
route-policy-name: Name of the route-policy used to filter routing information, a
string of 1 to 19 characters.
protocol: Filters routing information redistributed from the specified protocol.
Currently, this argument can be bgp, direct, ospf, ospf-ase, ospf-nssa, or static.
process-id: Process ID of the routing protocol whose routing information is to be
filtered, in the range of 1 to 65535. This argument is valid only for ospf,
ospf-ase, and ospf-nssa.
Description
Use the filter-policy export command to enable RIP to filter the outgoing routing
information.
Use the undo filter-policy export command to disable RIP from filtering the
outgoing routing information.
By default, RIP does not filter advertised routing information.
Related commands: filter-policy import, ip ip-prefix, and ACL.
For ACL details see ACL Configuration Commands on page 773.
Example
filter-policy import
Syntax
View
RIP view
Parameter
acl-number: Number of the ACL used to filter routing information by destination
address, in the range of 2000 to 3999.
ip-prefix-name: Name of the address prefix list used to filter routing information by
destination address, a string of 1 to 19 characters.
gateway ip-prefix-name: Name of the address prefix list used to filter routing
information by the address of the neighbor router advertising the information, a
string of 1 to 19 characters.
route-policy-name: Name of the route-policy used to filter routing information, a
string of 1 to 19 characters.
Description
Use the filter-policy gateway command to enable RIP to filter the routing
information advertised by a specified address.
Use the undo filter-policy gateway command to disable RIP from filtering the
routing information advertised by a specified address.
Use the filter-policy import command to enable RIP to filter the incoming
routing information.
Use the undo filter-policy import command to disable RIP from filtering the
incoming routing information.
By default, RIP does not filter the received routing information.
Related commands: ACL, filter-policy export, and ip ip-prefix.
For details about ACL, refer to ACL Configuration Commands on page 773.
Example
host-route
Syntax
host-route
undo host-route
View
RIP view
Parameter
None
Description
Use the host-route command to enable RIP to receive host routes.
Use the undo host-route command to disable RIP from receiving host routes.
By default, RIP is enabled to receive host routes.
In some special cases, RIP receives a great number of host routes from the same
network segment. These routes are of little help to addressing but occupy a lot of
resources. In this case, the undo host-route command can be used to disable RIP
from receiving host routes to save network resources.
Example
import-route
Syntax
View
RIP view
Parameter
protocol: Source routing protocol from which routes are redistributed by RIP. At
present, RIP can redistribute routes from protocols: bgp, direct, ospf, ospf-ase,
ospf-nssa and static.
process-id: Process ID of a routing protocol from which routes are redistributed, in
the range of 1 to 65,535. This argument is valid only for ospf, ospf-ase, and
ospf-nssa.
allow-ibgp: Allows the redistribution of IBGP routes when redistributing routes
from BGP (available on the Switch 5500G only).
value: Cost for redistributed routes, in the range of 0 to 16. If no cost is specified
when redistributing routes, the default cost defined by the default cost
command will be used.
route-policy-name: Name of a routing policy, a string of 1 to 19 characters.
Description
Use the import-route command to enable RIP to redistribute routes from other
protocols.
Use the undo import-route command to disable RIP from redistributing routes
from other protocols.
By default, RIP does not redistribute routes from other protocols.
If the value is not specified, routes will be redistributed with the default cost
defined by the default cost command. If the cost of a redistributed route is 16,
RIP does not stop advertising the route to other routers until the Garbage
Collection timer expires (the timer length defaults to 120 seconds).
Caution: Use the import-route bgp allow-ibgp command with care, because it
redistributes IBGP routes without keeping the AS_PATH attribute, which may lead
to routing loops between ASs.
Related command: default cost.
Example
# Set the default cost and redistribute OSPF routes with the default cost.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] rip
[5500-rip] default cost 3
[5500-rip] import-route ospf
network
Syntax
network network-address
undo network network-address
View
RIP view
Parameter
Description
The rip work command enables an interface to receive and send RIP packets.
peer
Syntax
peer ip-address
undo peer ip-address
View
RIP view
Parameter
ip-address: IP address of the interface receiving RIP packets in the unicast mode on
the neighbor router, in dotted decimal notation.
Description
Use the peer command to enable RIP to send RIP packets to the specified
destination in the unicast mode.
Use the undo peer command to restore the default.
By default, RIP-1 sends RIP packets in the broadcast mode while RIP-2 sends RIP
packets in the multicast mode.
This command is used for non-broadcast networks where the broadcast mode is
not suitable. Generally you are not recommended to use this command.
Example
[5500] rip
[5500-rip] peer 202.38.165.1
preference
Syntax
preference value
undo preference
View
RIP view
Parameter
value: Preference level, in the range of 1 to 255.
Description
Use the preference command to configure the preference of RIP routes.
Use the undo preference command to restore the default.
By default, the preference of RIP routes is 100.
Every routing protocol has its own preference. Its default value is determined by
the specific routing policy. The preferences of routing protocols will finally
determine which routing algorithm's routes will be selected as the optimal routes
in the IP routing table. You can use the preference command to modify the
preference of RIP routes manually.
Example
reset
Syntax
reset
View
RIP view
Parameter
None
Description
Use the reset command to reset the system configuration parameters of RIP.
When you need to reconfigure the RIP parameters, you can use this command to
restore the default settings.
Example
[5500-rip] reset
% Reset RIPs configuration and restart RIP? [Y/N]y
rip
Syntax
rip
undo rip
View
System view
Parameter
None
Description
Use the rip command to enable RIP or enter RIP view.
Use the undo rip command to disable RIP.
By default, the system does not run RIP.
You must enable RIP and enter RIP view before configuring RIP global parameters.
You can, however, configure the interface-related parameters no matter whether
RIP is enabled.
Example
rip authentication-mode
Syntax
View
Interface view
Parameter
simple: Specifies to use plain text authentication mode.
password: Plain text authentication key, containing 1 to 16 characters.
md5: Specifies to use MD5 cipher text authentication mode.
rfc2453: Specifies that MD5 cipher text authentication packets will use a packet
format (IETF standard) stipulated by RFC2453.
rfc2082: Specifies that MD5 cipher text authentication packets will use a packet
format stipulated by RFC2082.
key-string: MD5 cipher text authentication key. If it is typed in the plain text mode,
the length does not exceed 16 characters. If it is typed in the cipher text mode, the
length is 24 characters. The system will display the MD5 cipher text authentication
key with a length of 24 characters in the cipher text mode when you execute the
display current-configuration command.
key-id: MD5 cipher text authentication identifier, ranging from 1 to 255.
Description
Example
# Specify VLAN-interface 10 to use the MD5 cipher text authentication, with the
authentication key of aaa and the packet format of rfc2453.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 10
[5500-Vlan-interface10] rip authentication-mode md5 rfc2453 aaa
rip input
Syntax
rip input
undo rip input
View
Interface view
Parameter
None
Description
Use the rip input command to enable an interface to receive RIP packets.
Use the undo rip input command to disable an interface from receiving RIP
packets.
By default, all interfaces, except loopback interfaces, can receive RIP packets.
Related commands: rip output, rip work.
Example
rip metricin
Syntax
View
Interface view
Parameter
value: Additional metric of RIP routes received on an interface, in the range of 0 to
16.
Description
Use the rip metricin command to configure an additional metric for RIP routes
received on an interface.
Use the undo rip metricin command to restore the default.
By default, the additional metric of RIP routes received on an interface is 0.
Before a valid RIP route received on an interface is added to the routing table, the
additional metric will be added to the route. Therefore, if you increase the
additional metric, the metric of RIP routes received on the interface will increase
accordingly.
Related command: rip metricout.
Example
# Set the additional metric of RIP routes received on the interface VLAN-interface
10 to 2.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 10
[5500-Vlan-interface10] rip metricin 2
rip metricout
Syntax
Interface view
Parameter
value: Additional metric of RIP routes sent out of an interface, in the range of 1 to
16.
Description
Use the rip metricout command to configure an additional metric for RIP routes
sent out of an interface.
Use the undo rip metricout command to restore the default.
By default, the additional metric of RIP routes sent out of an interface is 1.
The rip metricout configuration only applies to the RIP routes learnt by the router
and those generated by the router itself. It does not apply to any route
redistributed by RIP from any other routing protocol.
Related command: rip metricin.
Example
# Set the additional metric of RIP routes sent out of the interface VLAN-interface
10 to 2.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 10
[5500-Vlan-interface10] rip metricout 2
rip output
Syntax
rip output
undo rip output
View
Interface view
Parameter
None
Description
Use the rip output command to enable an interface to transmit RIP packets.
Use the undo rip output command to disable an interface from transmitting RIP
packets.
By default, all interfaces except loopback interfaces are enabled to transmit RIP
packets.
Related command: rip input, rip work.
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 10
[5500-Vlan-interface10] undo rip output
rip split-horizon
Syntax
rip split-horizon
undo rip split-horizon
View
Interface view
Parameter
None
Description
Use the rip split-horizon command to enable the split horizon function.
Use the undo rip split-horizon command to disable the split horizon function.
By default, the split horizon function is enabled.
Normally, split horizon is necessary for avoiding routing loops. Only in some special
cases the split horizon function needs to be disabled to ensure the correct
execution of the protocol. So, disable the split horizon function only when
necessary.
Example
rip version
Syntax
View
Interface view
Parameter
1: Specifies the version of RIP running on an interface as RIP-1.
2: Specifies the version of RIP running on an interface as RIP-2.
broadcast: Sends RIP-2 packets in the broadcast mode.
multicast: Sends RIP-2 packets in the multicast mode.
Description
Use the rip version command to specify the version of RIP running on an
interface.
Use the undo rip version command to restore the default.
By default, the version of RIP running on an interface is RIP-1 and RIP-1 packets are
sent in the broadcast mode.
If RIP-2 runs on an interface, RIP packets are sent in the multicast mode by default.
Table 52 Receive mode of RIP packets
RIP version
RIP-1 broadcast
packet
RIP-2 broadcast
packet
RIP-1
RIP-2 broadcast
mode
RIP-1 broadcast
packet
RIP-2 broadcast
packet
RIP-1
RIP-2 broadcast
mode
Example
# Run RIP-2 on the interface VLAN-interface 10 and send RIP packets in the
broadcast mode.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 10
[5500-Vlan-interface10] rip version 2 broadcast
rip work
Syntax
rip work
undo rip work
View
Interface view
Parameter
None
Description
Use the rip work command to enable the interface to receive and send RIP
packets.
Use the undo rip work command to disable the interface from receiving and
sending RIP packets.
By default, all interfaces except loopback interfaces are enabled to receive and
send RIP packets.
The differences between the rip work, rip input, and rip output commands are
as follows:
The rip work command controls the receiving and sending of RIP packets on
an interface.
The rip input command controls only the receiving of RIP packets on an
interface.
The rip output command controls only the sending of RIP packets on an
interface.
# Disable the interface VLAN-interface 10 from receiving and sending RIP packets.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 10
[5500-Vlan-interface10] undo rip work
summary
Syntax
summary
undo summary
View
RIP view
Parameter
None
Description
Use the summary command to enable RIP-2 automatic route summarization.
Use the undo summary command to disable RIP-2 automatic route
summarization.
By default, RIP-2 automatic route summarization is enabled.
Route summarization can be used to reduce the routing traffic on the network as
well as to reduce the size of the routing table. The summary routes contain the
natural masks when advertised.
If RIP-2 is used, route summarization can be disabled with the undo summary
command when it is necessary to broadcast subnet routes.
The undo summary command is invalid for RIP-1.
Related command: rip version.
Example
# Set RIP version on the interface VLAN-interface 10 as RIP-2 and disable route
summarization.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 10
[5500-Vlan-interface10] rip version 2
[5500-Vlan-interface10] quit
[5500] rip
[5500-rip] undo summary
timers
Syntax
View
RIP view
Parameter
update-timer: Length of the Period Update timer in seconds, in the range of 1 to
3,600.
timeout-timer: Length of the Timeout timer in seconds, in the range of 1 to 3,600.
Description
Use the timers command to modify the lengths of the three RIP timers: Period
Update, Timeout, and Garbage-collection (which is usually set to a length four
times that of the Period Update timer).
Use the undo timers command to restore the default settings.
By default, the lengths of the Period Update, Timeout, and Garbage-collection
timers are 30 seconds, 180 seconds, and 120 seconds, respectively.
The Garbage-collection timer is generally fixed at four times the Period Update
timer, so adjusting the Period Update timer also affects the Garbage-collection
timer.
Changes to the RIP timers take effect immediately.
Related command: display rip.
Example
# Set the values of the Period Update timer and the Timeout timer of RIP to 10
seconds and 30 seconds respectively.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] rip
[5500-rip] timers update 10 timeout 30
traffic-share-across-interface
Syntax
traffic-share-across-interface
undo traffic-share-across-interface
View
RIP view
Parameter
None
Description
Use the traffic-share-across-interface command to enable traffic to be
forwarded along multiple equivalent RIP routes.
Use the undo traffic-share-across-interface command to disable this function.
By default, this function is disabled.
When the number of equivalent routes reaches the upper limit:
If this function is enabled, the newly learned equivalent route replaces the
existing equivalent route in the routing table.
If this function is disabled, the first aged route entry is replaced by the newly
learned route. If no route entry is aged, the newly learned equivalent route will
be dropped.
Example
25 OSPF CONFIGURATION COMMANDS
The term router in this chapter refers to a router in a generic sense or an Ethernet
switch running a routing protocol.
abr-summary
Syntax
View
Parameter
Description
Example
[5500-ospf-1] area 1
[5500-ospf-1-area-0.0.0.1] network 36.42.10.0 0.0.0.255
[5500-ospf-1-area-0.0.0.1] network 36.42.110.0 0.0.0.255
[5500-ospf-1-area-0.0.0.1] abr-summary 36.42.0.0 255.255.0.0
area
Syntax
area area-id
undo area area-id
View
OSPF view
Parameter
area-id: ID of an OSPF area, which can be a decimal integer (ranging from 0 to
4294967295) or in the form of an IP address.
Description
Use the area command to enter OSPF area view.
Use the undo area command to cancel the specified area.
Example
asbr-summary
Syntax
View
OSPF view
Parameter
ip-address: IP address of the summary route, in dotted decimal notation.
mask: IP address mask, in dotted decimal notation.
not-advertise: Specifies not to advertise the summary route. If this argument is
not provided, the summary route will be advertised.
tag value: Tag value, which is mainly used to control route advertisement through
a route-policy. It ranges from 0 to 4,294,967,295 and defaults to 1.
Description
authentication-mode
Syntax
View
Parameter
Description
default
Syntax
default { cost value | interval seconds | limit routes | tag tag | type type } *
undo default { cost | interval | limit | tag | type } *
View
OSPF view
Parameter
value: Default cost of an external route redistributed by OSPF, in the range of 0 to
16,777,214.
seconds: Default interval for redistributing external routes in seconds, in the range
of 1 to 2,147,483,647.
routes: Default limit of external routes that can be redistributed at one time, in the
range of 200 to 2,147,483,647.
tag: Default tag of routes redistributed by OSPF, in the range of 0 to
4,294,967,295.
type: Default type of external routes redistributed by OSPF. The value of this
argument is 1 or 2.
Description
Use the default command to configure the default parameters for redistributed
routes, including cost, interval, limit, tag, and type.
Use the undo default cost command to restore the default.
By default, the cost, interval, limit, tag, and type are 1, 1, 1,000, 1, and 2,
respectively.
When OSPF redistributes external routes and propagates them in the entire
autonomous system
The cost of external routes can influence route selection and calculation.
Example
# Set the default cost, interval, limit, tag, and type of redistributed routes to 10, 20
seconds, 300, 15, and 1, respectively.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ospf 1
[5500-ospf-1] default cost 10 interval 20 limit 300 tag 15 type 1
default-cost
Syntax
default-cost value
undo default-cost
View
Parameter
Description
Example
# Set area 1 to a Stub area and the cost of the default route advertised to this Stub
area to 60.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ospf 1
[5500-ospf-1] area 1
[5500-ospf-1-area-0.0.0.1] network 20.0.0.0 0.255.255.255
[5500-ospf-1-area-0.0.0.1] stub
[5500-ospf-1-area-0.0.0.1] default-cost 60
default-route-advertise
Syntax
View
OSPF view
Parameter
always: Generates a default external route in an ASE LSA into the OSPF routing
domain in the case that the router has no default route configured. Without this
keyword, you have to configure a default route to redistribute an ASE LSA into the
OSPF routing domain.
cost value: Specifies the cost value of the default route in an ASE LSA. The value
of value ranges from 0 to 16,777,214 and defaults to 1.
type type-value: Specifies the type of the route in an ASE LSA. The value of
type-value is 1 or 2 and defaults to 2.
route-policy route-policy-name: If the default route matches the route-policy
specified by route-policy-name, the route-policy will affect the value in an ASE
LSA. The route-policy-name argument is a string of 1 to 19 characters.
Description
Example
# Generate a default route in an ASE LSA into the OSPF routing domain if a
default route is configured on the local router.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ospf 1
[5500-ospf-1] default-route-advertise
# Generate a default route in an ASE LSA into the OSPF routing domain if no
default route is configured on the local router.
[5500-ospf-1] default-route-advertise always
display router id
Syntax
display router id
View
Any view
Parameter
None
Description
Use the display router id command to display the router ID.
Example
# Display the router ID.
<5500> display router id
Configured router id is 1.1.1.1
Parameter
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a
process ID, this command applies to all current OSPF processes.
Description
Use the display ospf abr-asbr command to display the information about the
ABR and ASBR of OSPF.
Example
Interface
Vlan-interface1
Description
Destination
Area
Cost
Cost of the route from the local router to the ABR or ASBR
Nexthop
Interface
display ospf asbr-summary
Syntax
View
Any view
Parameter
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a
process ID, this command applies to all current OSPF processes.
ip-address: Matched IP address, in dotted decimal notation.
mask: Subnet mask, in dotted decimal notation.
Description
Example
Description
net
mask
tag
status
Parameter
process-id: OSPF process ID, in the range of 1 to 65,535. If you do not specify a
process ID, this command applies to all current OSPF processes.
Description
Use the display ospf brief command to display brief OSPF information.
Example
# Display brief OSPF information.
<5500> display ospf brief
OSPF Process 1 with Router ID 7.7.7.7
OSPF Protocol Information
RouterID: 7.7.7.7 Border Router: Nssa Area AS
Spf-schedule-interval: 5
Routing preference: Inter/Intra: 10 External: 150
Default ASE parameters: Metric: 1 Tag: 1 Type: 2
SPF computation count: 30
Area Count: 2
Nssa Area Count: 1
Area 0.0.0.0:
Authtype: none
Flags: <>
SPF scheduled: <>
Interface: 192.168.0.39 (Vlan-interface1)
Cost: 10 State: DROther
Type: Broadcast
Priority: 1
Designated Router: 192.168.0.153
Backup Designated Router: 192.168.0.154
Timers: Hello 10, Dead 40, Poll 40, Retransmit 5, Transmit Delay 1
Area 0.0.0.2:
Authtype: none
Flags: <Nssa>
SPF scheduled: <>
7/5 translator state: Enabled
Interface: 30.1.1.1 (Vlan-interface2)
Cost: 10 State: BackupDR
Type: Broadcast
Priority: 1
Designated Router: 30.1.1.2
Backup Designated Router: 30.1.1.1
Timers: Hello 10, Dead 40, Poll 40, Retransmit 5, Transmit Delay 1
Description
RouterID
Border Router
Spf-schedule-interval
Routing preference
Description
Area Count
Area
Area ID
Authtype
Flags
Area type
SPF scheduled
Interface
Cost
Cost of routes
State
State information
Type
Priority
Priority
Designated Router
Timers
Transmit Delay
display ospf cumulative
Syntax
View
Parameter
Description
Example
                     Input     Output
Hello                    0      10430
DB Description           0          0
Link-State Req           0          0
Link-State Update        0          0
Link-State Ack           0          0
ASE: 0 Checksum Sum: 0
LSAs originated by this router
Router: 180 SumNet: 116
LSAs Originated: 296 LSAs Received: 0
Area 0.0.0.0:
Neighbors: 0 Interfaces: 0
Spf: 2 Checksum Sum 15B27
rtr: 1 net: 0 sumasb: 0 sumnet: 1
Area 0.0.0.1:
Neighbors: 0 Interfaces: 1
Spf: 3 Checksum Sum 383C
rtr: 1 net: 0 sumasb: 0 sumnet: 0
Area 0.0.0.2:
Neighbors: 0 Interfaces: 0
Spf: 1 Checksum Sum 15D26
rtr: 1 net: 0 sumasb: 0 sumnet: 1
Routing Table:
Intra Area: 1
Inter Area: 0
ASE: 0
Description
Type
Input
Output
ASE
Checksum sum
LSAs
Originated
Received
Router
SumNet
SumASB
Area
Routing Table
Neighbors
Interfaces
Spf
rtr, net,
sumasb,
sumnet
Intra Area
Inter Area
ASE
Description
Example
Description
Description
Use the display ospf interface command to display the OSPF interface
information.
Example
# Display the OSPF interface information of Vlan-interface 1.
<5500> display ospf interface vlan-interface 1
OSPF Process 1 with Router ID 1.1.1.1
Interfaces
Interface: 10.110.10.2 (Vlan-interface1)
Cost: 1 State: BackupDR
Type: Broadcast
Priority: 1
Designated Router: 10.110.10.1
Backup Designated Router: 10.110.10.2
Timers: Hello 10, Dead 40, Poll 10, Retransmit 5, Transmit Delay 1
Description
Cost
State
Type
Priority
Designated Router
Timers
Transmit Delay
Hello
Dead
Poll
Interval of poll
Retransmit
display ospf process-id area-id lsdb [ brief | [ [ asbr | network | nssa | router |
summary ] [ ip-address ] ] [ originate-router ip-address | self-originate ] ]
display ospf [ process-id ] lsdb [ brief | [ [ asbr | ase | network | nssa | router |
summary ] [ ip-address ] ] [ originate-router ip-address | self-originate ] ]
View
Any view
Parameter
process-id: OSPF Process ID. If you do not specify a process ID, this command
applies to all current OSPF processes.
area-id: OSPF area ID, which can be a decimal integer (ranging from 0 to
4294967295) or in the form of an IP address.
brief: Displays brief database information.
asbr: Displays the database information about Type-4 LSAs (summary-Asbr-LSAs).
ase: Displays the database information about the Type-5 LSAs (AS-external-LSAs).
This argument is unavailable if you have provided a value for area-id.
network: Displays the database information about the Type-2 LSAs
(network-LSAs).
nssa: Displays the database information about the Type-7 LSAs
(NSSA-external-LSAs).
router: Displays the database information about the Type-1 LSAs (router-LSAs).
summary: Displays the database information about the Type-3 LSAs
(summary-net-LSAs).
ip-address: Link state identifier (in the form of an IP address).
originate-router ip-address: Specifies the IP address of the router advertising the
LSAs.
self-originate: Displays the database information about the LSAs generated by
the local router (self-originate LSAs).
Description
Example
Description
Type
LinkStateID
AdvRouter
Age
Len
Sequence
Description
Metric
Cost from the router that advertises the LSA to LSA destination
Where
Description
type
ls id
adv rtr
ls age
len
seq#
chksum
Options
Net mask
Network mask
E type
Forwarding Address
Forwarding address
Tag
Tag
Description
Example
Description
Next hops
Address
Type
Refcount
Reference count of the next hop, namely, number of routes using the next
hop
Intf Addr
Intf Name
Description
Use the display ospf peer command to display the information of OSPF
neighbors.
Example
# Display the information of OSPF neighbors.
<5500> display ospf peer
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 10.153.17.88(Vlan-interface1)'s neighbor(s)
RouterID: 2.2.2.2
Address: 10.153.17.89
State: Full Mode: Nbr is Master Priority: 1
DR: 10.153.17.89 BDR: 10.153.17.88
Dead timer expires in 31s
Neighbor has been up for 01:14:14
Description
RouterID
ID of a neighbor router
Address
Description
State
State of a neighbor
Mode
Priority
DR
BDR
Lifetime of neighbor
State
Full/BDR
Description
Router ID
Address
Pri
DeadTime(s)
Interface
State
Down
Init
Attempt
2-Way
Exstart
Exchange
Loading
Full
Down
0
0
1
1
Description
Area ID
Area ID
Down
Initial state for OSPF to establish a neighbor relationship. It indicates that
the OSPF router has not received a message from a certain neighbor
router within a period of time.
Attempt
Init
It indicates that the OSPF router has received a Hello packet from a neighbor
router, but its IP address is not contained in the Hello packet. Therefore,
two-way communication between them has not been established.
2-Way
ExStart
Exchange
Loading
Full
Total
display ospf request-queue
Syntax
View
Parameter
Description
Example
Age:35
Description
RouterID
ID of a neighbor router
Address
Interface
Area
LSID
AdvRouter
Sequence
Sequence number of the LSA, used to discover old and repeated LSAs
Age
display ospf retrans-queue
Syntax
View
Parameter
Description
Example
Description
RouterID
ID of a neighbor router
Address
Interface
Retrans list
Retransmit list
Area
Type
LSID
AdvRouter
Parameter
process-id: OSPF process ID, in the range of 1 to 65535. If you do not specify a
process ID, this command applies to all current OSPF processes.
Description
Use the display ospf routing command to display the information about OSPF
routing table.
Example
Inter Area: 0
ASE: 0
AdvRouter
10.10.10.1
3.3.3.3
Area
0.0.0.0
0.0.0.0
NSSA: 0
Description
Destination
Cost
Cost of a route
Type
Type of route
NextHop
AdvRouter
Area
Area ID
Total Nets
Intra Area
Inter Area
ASE
NSSA
Description
Use the display ospf vlink command to display the information about OSPF
virtual links.
Example
# Display OSPF virtual link information.
<5500> display ospf vlink
OSPF Process 1 with Router ID 1.1.1.1
Virtual Links
Virtual-link Neighbor-id -> 2.2.2.2, State: Full
Cost: 0 State: Full
Type: Virtual
Transit Area: 0.0.0.2
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1
Description
Virtual-link Neighbor-id
State
Cost
Type
Transit Area
ID of transit area
Timers
Transmit Delay
filter-policy export
Syntax
View
OSPF view
Parameter
acl-number: Number of an ACL used to match the destination address in routing
information, in the range of 2000 to 3999.
ip-prefix-name: Name of the address prefix list used to match the destination
address in routing information, a string of up to 19 characters.
protocol: Filters outgoing routes redistributed from the routing protocol, including
bgp, direct, rip, and static.
Description
In some cases, only the routing information that meets certain conditions
should be advertised. You can use the filter-policy command to set the
filtering conditions for the routing information to be advertised. Only the
routing information that passes the filter is advertised.
This command filters routes redistributed (with the import-route command) by
OSPF. If the protocol argument is specified, this command filters only the outgoing
routes redistributed from the protocol. If the protocol argument is not specified,
the outgoing routes redistributed from all protocols will be filtered.
Related command: acl, ip ip-prefix.
For details about ACL, refer to ACL Configuration Commands on page 773.
Example
filter-policy import
Syntax
View
OSPF view
Parameter
acl-number: Number of an ACL used to match destination addresses in routing
information, in the range 2000 to 3999.
ip-prefix-name: Name of the IP prefix list used to match destination addresses in
routing information, a string of 1 to 19 characters.
gateway ip-prefix-name: Specifies the name of the IP prefix list used to filter the
routes from the specified neighbors. The IP prefix list name is a string of 1 to 19
characters.
Description
The filter-policy import command only filters the routes calculated with the SPF
algorithm. Only the routes passing the filtration can be added to the routing table.
OSPF is a dynamic routing protocol based on link state, with routing information
contained in LSAs.
For the filtering of incoming routes, routes to be filtered are calculated by SPF and
installed in the OSPF routing table.
For the filtering of outgoing routes, denied LSAs will not be generated for
advertisement.
Example
import-route
Syntax
View
OSPF view
Parameter
protocol: Source routing protocol whose routes will be imported. At present, it can
be bgp, direct, static, rip, ospf, ospf-ase, and ospf-nssa.
process-id: OSPF Process ID, in the range of 1 to 65535. This argument is valid only
when the routing protocol is ospf, ospf-ase, or ospf-nssa.
allow-ibgp: Allows the redistribution of IBGP routes when redistributing routes
from BGP. This is available on the 5500G only.
route-policy: Redistributes only the routing information matching the routing
policy.
route-policy-name: Name of a routing policy, a string of up to 19 characters.
cost value: Specifies the cost of redistributed routes. The cost value ranges from 0
to 16,777,214 and defaults to 1.
type value: Specifies the type of redistributed routes. The type value is 1 or 2 and
defaults to 2.
tag value: Specifies the tag of redistributed routes. The tag value ranges from 0 to
4,294,967,295 and defaults to 1.
Description
Caution:
3Com recommends that you configure the route type, cost and tag together
in one command. When you configure them individually, the new
configuration for an attribute will overwrite the old configuration for the
attribute.
Example
# Redistribute routes from RIP and specify the type as type-2, tag as 33, and cost
as 50 for redistributed routes.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ospf 1
[5500-ospf-1] import-route rip type 2 tag 33 cost 50
log-peer-change
Syntax
log-peer-change
undo log-peer-change
View
OSPF view
Parameter
None
Description
Use the log-peer-change command to enable logging of OSPF neighbor state
changes.
Use the undo log-peer-change command to disable logging of OSPF neighbor
state changes.
By default, logging of OSPF neighbor state changes is disabled.
With logging enabled, the system outputs log information when a neighbor
changes to the Full state or to the Down state. Neighbor states include Down, Init,
Attempt, 2-Way, Exstart, Exchange, Loading and Full.
Example
# Enable logging of neighbor state changes.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ospf 1
[5500-ospf-1] log-peer-change
multi-path-number
Syntax
multi-path-number value
undo multi-path-number
View
OSPF view
Parameter
value: Number of equal cost multi-path (ECMP) routes, in the range of 1 to 3 for
the Switch 5500 and 10 to 4 for the Switch 5500G.
Description
Use the multi-path-number command to set the number of OSPF ECMP routes.
Use the undo multi-path-number command to restore the default.
By default, the number of OSPF ECMP routes is 3 for the Switch 5500 and 10 to 4
for the Switch 5500G.
Example
network
Syntax
View
Parameter
Description
Use the network command to enable an interface to run the OSPF protocol.
Use the undo network command to disable an interface from running OSPF.
By default, the interface does not belong to any area.
To run OSPF on an interface, the master IP address of this interface must be in the
range of the network segment specified by this command. If only the slave IP
address of the interface is in the range of the network segment specified by this
command, this interface will not run OSPF.
Related command: ospf.
Example
# Specify the interfaces whose master IP addresses are in the segment range of
10.110.36.0/24 to run OSPF and specify the number of the OSPF area (where
these interfaces reside) as 6.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ospf 1
[5500-ospf-1] area 6
[5500-ospf-1-area-0.0.0.6] network 10.110.36.0 0.0.0.255
nssa
Syntax
View
Parameter
Description
If the Type-7 LSAs translator state is Elected after the election, the ABR
translates Type-7 LSAs into Type-5 LSAs.
If the Type-7 LSAs translator state is Disabled after the election, the ABR does
not translate Type-7 LSAs into Type-5 LSAs.
With the translate-always keyword used on the ABR, if the ABR has any
neighbor in the FULL state in the backbone area, then the Type-7 LSAs translator
state is enabled and the ABR will translate Type-7 LSAs into Type-5 LSAs.
Example
ospf
Syntax
View
System view
Parameter
process-id: OSPF process ID, in the range of 1 to 65535. By default, the process ID
is 1. process-id is locally significant.
router-id: Router ID of an OSPF process, in dotted decimal notation.
Description
Use the ospf command to enable an OSPF process or enter OSPF view.
Use the undo ospf command to disable an OSPF process.
By default, the system does not run any OSPF process.
Related command: network.
Example
ospf authentication-mode
Syntax
View
Interface view
Parameter
simple: Plain authentication.
md5: MD5 authentication.
password: Password for plain authentication. The password argument is a string of
up to eight characters.
key-id: ID of the authentication key in MD5 authentication mode, ranging from 1
to 255.
key: MD5 authentication key. If entered in plain text, the MD5 key is a string
of 1 to 16 characters. It is displayed as a 24-character cipher text string when
the display current-configuration command is executed. Entering the MD5 key as
a 24-character cipher text string is also supported.
Description
Example
[5500-ospf-1] area 1
[5500-ospf-1-area-0.0.0.1] network 131.119.0.0 0.0.255.255
[5500-ospf-1-area-0.0.0.1] authentication-mode md5
[5500-ospf-1-area-0.0.0.1] quit
[5500-ospf-1] quit
[5500] interface Vlan-interface 10
[5500-Vlan-interface10] ospf authentication-mode md5 15 abc
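The following audit is an added example, not part of the 3Com manual: it reads a session transcript in the prompt style of the examples above, checks ospf authentication-mode arguments against the parameter limits listed in this section, and flags areas without authentication and interfaces using simple (plain) authentication. The transcript, the argument order assumed for the simple form (simple followed by the password), the area-view form authentication-mode simple, and the MIN_KEY_LEN policy are assumptions.

```python
import re

# Constructed transcript in the prompt style of the manual's examples.
# Addresses, passwords and keys are made-up sample values.
SAMPLE_SESSION = """\
[5500] ospf 1
[5500-ospf-1] area 1
[5500-ospf-1-area-0.0.0.1] network 131.119.0.0 0.0.255.255
[5500-ospf-1-area-0.0.0.1] authentication-mode md5
[5500-ospf-1-area-0.0.0.1] quit
[5500-ospf-1] area 2
[5500-ospf-1-area-0.0.0.2] network 10.2.0.0 0.0.255.255
[5500-ospf-1-area-0.0.0.2] quit
[5500-ospf-1] quit
[5500] interface Vlan-interface 10
[5500-Vlan-interface10] ospf authentication-mode md5 15 abc
[5500-Vlan-interface10] quit
[5500] interface Vlan-interface 20
[5500-Vlan-interface20] ospf authentication-mode simple hunter2
[5500-Vlan-interface20] quit
[5500] interface Vlan-interface 30
[5500-Vlan-interface30] ospf authentication-mode md5 300 0123456789abcdefX
"""

# "[sysname-view] command"; assumes the sysname itself contains no hyphen.
PROMPT = re.compile(r"^\[[^\]\-]+(?:-([^\]]+))?\]\s*(.+)$")
AREA_VIEW = re.compile(r"ospf-\d+-area-(\S+)")
MIN_KEY_LEN = 8  # assumed local policy, not a value from the manual


def parse_session(text):
    """Collect per-area and per-interface OSPF authentication settings."""
    areas, ifaces = {}, {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        view, words = m.group(1), m.group(2).split()
        area = AREA_VIEW.fullmatch(view or "")
        if area:
            entry = areas.setdefault(area.group(1), {"networks": 0, "auth": None})
            if words[0] == "network":
                entry["networks"] += 1
            elif words[0] == "authentication-mode" and len(words) > 1:
                entry["auth"] = words[1]  # "simple" form is an assumption
        elif view and words[:2] == ["ospf", "authentication-mode"]:
            ifaces[view] = words[2:]
    return areas, ifaces


def check_interface_auth(args):
    """Validate the arguments that follow 'ospf authentication-mode'."""
    if not args:
        return ["incomplete-command"]
    mode, rest = args[0], args[1:]
    issues = []
    if mode == "simple":
        # Simple mode carries the password unencrypted in OSPF packets.
        issues.append("plaintext-authentication")
        if len(rest) != 1 or not 1 <= len(rest[0]) <= 8:
            issues.append("password-length-out-of-range")
    elif mode == "md5":
        if len(rest) != 2:
            return ["incomplete-command"]
        key_id, key = rest
        if not (key_id.isdigit() and 1 <= int(key_id) <= 255):
            issues.append("key-id-out-of-range")
        if len(key) == 24:
            pass  # treated as the 24-character cipher-text form
        elif not 1 <= len(key) <= 16:
            issues.append("key-length-out-of-range")
        elif len(key) < MIN_KEY_LEN:
            issues.append("short-key")
    else:
        issues.append("unknown-mode")
    return issues


def audit(text):
    """Return (location, issue) pairs for the whole transcript."""
    areas, ifaces = parse_session(text)
    findings = []
    for area_id, area in sorted(areas.items()):
        if area["networks"] and area["auth"] is None:
            findings.append((f"area {area_id}", "no-authentication"))
        elif area["auth"] == "simple":
            findings.append((f"area {area_id}", "plaintext-authentication"))
    for name, args in sorted(ifaces.items()):
        findings.extend((name, issue) for issue in check_interface_auth(args))
    return findings


if __name__ == "__main__":
    for location, issue in audit(SAMPLE_SESSION):
        print(f"{location}: {issue}")
```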
ospf cost
Syntax
View
Interface view
Parameter
value: Cost for running an OSPF process on an interface, in the range of 1 to
65,535.
Description
Use the ospf cost command to configure the OSPF cost on an interface.
Use the undo ospf cost command to restore the default.
By default, the OSPF cost on an interface is 10.
Example
ospf dr-priority
Syntax
View
Interface view
Parameter
priority: Designated router (DR) election priority of the interface, in the range of 0
to 255.
Description
Use the ospf dr-priority command to configure the DR election priority of the
interface.
Use the undo ospf dr-priority command to restore the default.
By default, the DR election priority of an interface is 1.
ospf mib-binding
Syntax
View
System view
Parameter
process-id: OSPF process ID, in the range of 1 to 65,535.
Description
Use the ospf mib-binding command to bind MIB operations to the specified
OSPF process.
Use the undo ospf mib-binding command to restore the default.
By default, MIB operations are bound to the first enabled OSPF process.
When OSPF enables the first process, OSPF always binds MIB operation to this
process. You can use this command to bind MIB operation to another OSPF
process.
To cancel the binding, use the undo ospf mib-binding command. OSPF will
automatically re-bind MIB operation to the first process that it enables.
Example
ospf mtu-enable
Syntax
ospf mtu-enable
undo ospf mtu-enable
View
Interface view
Parameter
None.
Description
Use the ospf mtu-enable command to add the interface MTU to the MTU field in
DD packets.
Use the undo ospf mtu-enable command to restore the default.
By default, the MTU field in DD packets is 0. That is, no interface MTU is added to
the MTU field in DD packets.
A router running the OSPF protocol uses database description (DD) packets to
describe its own LSDB when it is synchronizing the database.
The default MTU value in DD packet is 0. You can use this command to add the
interface MTU to the MTU field in DD packets.
Example
# Add the MTU of the interface VLAN-interface 3 to the MTU field in DD packets.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface vlan-interface 3
[5500-Vlan-interface3] ospf mtu-enable
ospf network-type
Syntax
View
Interface view
Parameter
broadcast: Specifies the network type as broadcast.
nbma: Specifies the network type as NBMA.
p2mp: Specifies the network type as point-to-multipoint.
unicast: Sends packets to unicast addresses.
p2p: Specifies the network type as point-to-point.
Description
Use the ospf network-type command to configure the network type for an
interface.
Use the undo ospf network-type command to restore the default network type.
OSPF divides networks into four types based on link layer protocol:
Point-to-Multipoint (P2MP): OSPF will not default the network type of any link
layer protocol to P2MP. The usual practice is to change a partially
connected NBMA network to a P2MP network.
Point-to-point (P2P): If PPP, LAPB or POS is adopted, OSPF defaults the network
type to P2P.
If the unicast keyword is not specified, the interface sends packets to multicast
addresses.
Note that you must use the peer command to configure the peer if the network
type of the interface is NBMA or manually changed to NBMA with the ospf
network-type command.
Related command: ospf dr-priority.
Example
View
Interface view
Parameter
seconds: Dead interval of the OSPF neighbor. It is in seconds and ranges from 1 to
65,535.
Description
Use the ospf timer dead command to configure the dead interval of the OSPF
neighbor.
Use the undo ospf timer dead command to restore the default.
By default, the dead interval is
If no Hello message is received from a peer within the dead interval, the peer
is considered to be invalid. The value of dead seconds should be at least four
times that of the Hello seconds.
The dead seconds for the routers on the same network segment must be
identical.
Related command: ospf timer hello.
Example
View
Interface view
Parameter
seconds: Interval, in seconds, at which an interface transmits Hello packets. It
ranges from 1 to 255.
Description
Use the ospf timer hello command to configure the interval for transmitting
Hello messages on an interface.
Use the undo ospf timer hello command to restore the interval to the default.
By default, the Hello interval is
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface vlan-interface 10
[5500-Vlan-interface10] ospf timer hello 20
View
Interface view
Parameter
seconds: Poll Hello interval in seconds. It ranges from 1 to 65,535.
Description
Use the ospf timer poll command to configure the poll interval on NBMA and
P2MP networks.
Use the undo ospf timer poll command to restore the default.
By default, the poll interval is 40 seconds.
On an NBMA or P2MP network, if a neighbor becomes invalid, Hello packets will
be transmitted at intervals of poll seconds. You can configure the poll seconds to
specify how often the interface transmits Hello packets before it establishes
neighbor relationship with the router. The poll interval should be no less than 3
times the Hello interval.
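The consistency check below is an added example, not part of the 3Com manual: it reads Timers lines in the layout of the display ospf interface output shown earlier and applies the rules stated for the dead and poll intervals (dead at least four times Hello and identical on a segment, poll at least three times Hello on NBMA and P2MP interfaces). The router names, the sample output, the caller-supplied segment prefix and the NBMA/P2MP spellings of the Type field are assumptions.

```python
import ipaddress
import re

# Constructed "display ospf interface" excerpts from two switches, in the
# layout of the manual's sample output. Names and values are made up.
OUTPUTS = {
    "sw-a": """\
Interface: 10.110.10.1 (Vlan-interface1)
Cost: 1 State: DROther
Type: Broadcast
Timers: Hello 10, Dead 40, Poll 10, Retransmit 5, Transmit Delay 1
""",
    "sw-b": """\
Interface: 10.110.10.2 (Vlan-interface1)
Cost: 1 State: BackupDR
Type: Broadcast
Timers: Hello 10, Dead 30, Poll 10, Retransmit 5, Transmit Delay 1
Interface: 10.20.0.1 (Vlan-interface2)
Cost: 10 State: DROther
Type: NBMA
Timers: Hello 30, Dead 120, Poll 60, Retransmit 5, Transmit Delay 1
""",
}

IFACE = re.compile(r"^Interface:\s+(\S+)\s+\((\S+)\)")
TYPE = re.compile(r"^Type:\s+(\S+)")
TIMERS = re.compile(
    r"^Timers:\s+Hello (\d+), Dead (\d+), Poll (\d+), Retransmit (\d+)"
)
# Assumed spellings of the Type field for the network types that use polling.
POLL_TYPES = {"nbma", "p2mp"}


def parse_interfaces(text):
    """Return one record per interface block that carries a Timers line."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := IFACE.match(line):
            cur = {"addr": ipaddress.ip_address(m.group(1)), "name": m.group(2)}
            records.append(cur)
        elif cur is not None and (m := TYPE.match(line)):
            cur["type"] = m.group(1).lower()
        elif cur is not None and (m := TIMERS.match(line)):
            hello, dead, poll, retransmit = map(int, m.groups())
            cur.update(hello=hello, dead=dead, poll=poll, retransmit=retransmit)
    return [r for r in records if "hello" in r]


def check_segment(segment, outputs):
    """Check every interface whose address falls inside the given segment."""
    net = ipaddress.ip_network(segment)
    findings, dead_seen = [], {}
    for router, text in sorted(outputs.items()):
        for rec in parse_interfaces(text):
            if rec["addr"] not in net:
                continue
            where = f"{router}/{rec['name']}"
            if rec["dead"] < 4 * rec["hello"]:
                findings.append((where, "dead-below-4x-hello"))
            # The poll interval only applies on NBMA and P2MP networks.
            if rec.get("type") in POLL_TYPES and rec["poll"] < 3 * rec["hello"]:
                findings.append((where, "poll-below-3x-hello"))
            dead_seen[where] = rec["dead"]
    # Routers on one segment must agree on the dead interval.
    if len(set(dead_seen.values())) > 1:
        findings.append((segment, "dead-interval-mismatch"))
    return findings


if __name__ == "__main__":
    for seg in ("10.110.10.0/24", "10.20.0.0/24"):
        for where, issue in check_segment(seg, OUTPUTS):
            print(f"{where}: {issue}")
```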
Example
View
Interface view
Parameter
interval: Interval, in seconds, for retransmitting LSA on an interface. It ranges from
1 to 3600.
Description
Use the ospf timer retransmit command to configure the interval for
retransmitting an LSA on an interface.
Use the undo ospf timer retransmit command to restore the default.
By default, the interval for retransmitting an LSA is 5 seconds.
If a router running OSPF transmits a link state advertisement (LSA) to the peer, it
needs to wait for the acknowledgement packet from the peer. If no
acknowledgement is received from the peer within the LSA retransmission interval,
this LSA will be retransmitted.
The LSA retransmission interval between adjacent routers should not be set too
short; otherwise, unexpected retransmission will occur (see RFC 2328).
Example
# Set the interval for retransmitting LSA between the interface VLAN-interface10
and the adjacent routers to 12 seconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface vlan-interface 10
[5500-Vlan-interface10] ospf timer retransmit 12
ospf trans-delay
Syntax
View
Interface view
Parameter
Description
Use the ospf trans-delay command to configure the LSA transmission delay on
an interface.
Use the undo ospf trans-delay command to restore the default.
By default, the LSA transmission delay on an interface is 1 second.
An LSA ages in the link state database (LSDB) of the router as time goes by (1
is added every second), but it does not age during network transmission.
Therefore, it is necessary to add the transmission delay to the aging time of
the LSA before it is transmitted.
Example
peer
Syntax
View
OSPF view
Parameter
ip-address: IP address of an interface on the neighbor router.
dr-priority: Value of the corresponding priority of a neighbor in the NBMA
network. It ranges from 0 to 255 and defaults to 1.
Description
Example
preference
Syntax
View
OSPF view
Parameter
value: OSPF protocol preference, in the range of 1 to 255.
ase: Indicates the preference of a redistributed external route of the AS.
Description
Use the preference command to configure the preference of the OSPF protocol.
Use the undo preference command to restore the default.
By default, the preference of an internal OSPF route is 10 and that of an external
OSPF route is 150.
Because multiple dynamic routing protocols could be running on a router, there is
the problem of sharing routing information among the routing protocols and
selecting among their routes. Therefore, a default preference is specified for
each routing protocol. When a route is identified by different protocols, the
protocol with the highest preference is selected for forwarding IP packets.
Example
reset ospf
Syntax
View
Parameter
Description
After this command is issued, the system will prompt you to confirm whether to
re-enable OSPF.
Example
Description
Use the reset ospf statistics command to clear the statistics of OSPF process(es).
Example
router id
Syntax
router id router-id
undo router id
View
System view
Parameter
router-id: Router ID, in dotted decimal notation.
Description
Use the router id command to configure the ID of a router running the OSPF
protocol.
Use the undo router id command to cancel the router ID that has been set.
Related command: ospf.
Example
silent-interface
Syntax
View
OSPF view
Parameter
silent-interface-type: Interface type.
silent-interface-number: Interface number.
Description
Example
snmp-agent trap enable ospf
Syntax
View
System view
Parameter
process-id: OSPF process ID, in the range of 1 to 65,535. If you do not specify a
process ID, this command applies to all current OSPF processes.
ifstatechange, virifstatechange, nbrstatechange, virnbrstatechange,
ifcfgerror, virifcfgerror, ifauthfail, virifauthfail, ifrxbadpkt, virifrxbadpkt,
iftxretransmit, viriftxretransmit, originatelsa, maxagelsa, lsdboverflow,
lsdbapproachoverflow: Types of TRAP packets that the switch produces in case
of OSPF anomalies.
Description
Use the snmp-agent trap enable ospf command to enable the OSPF TRAP
function.
Use the undo snmp-agent trap enable ospf command to disable the OSPF
TRAP function.
This command does not apply to the OSPF processes that are started after the
command is executed.
By default, the switch does not send TRAP packets in case of OSPF anomalies.
For details on configuring SNMP TRAP, refer to the section entitled File System
Configuration Commands on page 1035.
Example
spf-schedule-interval
Syntax
spf-schedule-interval interval
undo spf-schedule-interval
View
Parameter
Description
OSPF view
interval: SPF calculation interval of OSPF, in seconds. It ranges from 1 to 10.
Use the spf-schedule-interval command to configure the SPF calculation interval
of OSPF.
Use the undo spf-schedule-interval command to restore the default.
By default, the SPF calculation interval of OSPF is 5 seconds.
According to the Link State Database (LSDB), a router running OSPF can
calculate the shortest path tree with itself as the root and determine the next
hop to the destination network from that tree. Adjusting the SPF calculation
interval limits how often frequent network changes trigger a recalculation, which
could otherwise consume too many bandwidth and router resources.
Example
stub
Syntax
stub [ no-summary ]
undo stub
View
Parameter
Description
vlink-peer
Syntax
View
Parameter
Description
# Create a virtual link to 10.110.0.3 and use the MD5 cipher authentication mode.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ospf 1
[5500-ospf-1] area 10.0.0.0
[5500-ospf-1-area-10.0.0.0] vlink-peer 10.110.0.3 md5 3 345
26
The term router in this chapter refers to a router in a generic sense or an Ethernet
switch running a routing protocol.
This chapter applies to the Switch 5500G only (not the Switch 5500).
aggregate
Syntax
Views
Parameters
Description
Example
Keyword
Description
as-set
detail-suppressed
suppress-policy
origin-policy
attribute-policy
bgp
Syntax
bgp as-number
undo bgp [ as-number ]
View
Parameter
Description
System view
as-number: Specified local AS number, in the range of 1 to 65,535.
Use the bgp command to enable a BGP process and enter BGP view.
Use the undo bgp command to disable one or all BGP processes.
By default, no BGP processes are enabled.
This command is used to enable a BGP process and specify the local AS number of
the BGP process.
Example
compare-different-as-med
Syntax
compare-different-as-med
undo compare-different-as-med
View
Parameters
None
Description
Example
confederation id
Syntax
confederation id as-number
undo confederation id
View
Parameter
Description
BGP view
as-number: The ID of BGP AS confederation. It is equal to the AS number which
contains the AS numbers of multiple sub-ASs. The range is 1 to 65535.
Use the confederation id command to configure confederation identifier.
Use the undo confederation id command to cancel the BGP confederation
specified by the as-number argument.
By default, no confederation ID is configured.
Confederation can be adopted to solve the problem of too many IBGP full
connections in a large AS domain. The solution is to first divide the AS domain
into several smaller sub-ASs, each of which remains fully connected. These sub-ASs
form a confederation. Key BGP attributes of a route, such as next hop, MED, and
local preference, are not discarded across the sub-ASs. The sub-ASs still look like
a whole from the point of view of the confederation, although they have EBGP
relations with each other. This preserves the integrity of the former AS domain
and eases the problem of too many connections in the domain.
Related commands: confederation nonstandard, confederation peer-as.
Example
# Confederation 9 consists of four sub-ASs, namely, 38, 39, 40, and 41. Here, the
peer 10.1.1.1 is an internal member of the AS confederation while the peer
200.1.1.1 is an external member of the AS confederation. For external members,
Confederation 9 is a unified AS domain. The following gives an example of the
configuration of AS 41.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 41
[5500G-bgp] confederation id 9
[5500G-bgp] confederation peer-as 38 39 40
[5500G-bgp] group Confed38 external
[5500G-bgp] peer Confed38 as-number 38
[5500G-bgp] peer 10.1.1.1 group Confed38
[5500G-bgp] group Remote98 external
[5500G-bgp] peer Remote98 as-number 98
[5500G-bgp] peer 200.1.1.1 group Remote98
confederation nonstandard
Syntax
confederation nonstandard
undo confederation nonstandard
View
BGP view.
Parameters
None
Description
Example
confederation peer-as
Syntax
View
Parameters
BGP view
as-number: Sub-AS numbers, in the range of 1 to 65535.
&<1-32>: Indicates you can enter as-number up to 32 times.
Description
Example
dampening
Syntax
View
Parameters
BGP view
half-life-reachable: Semi-dampening of a reachable route, in the range of 1 to 45
minutes. The default value is 15 minutes.
half-life-unreachable: Semi-dampening of an unreachable route, in the range of 1 to
45 minutes. The default value is 15 minutes.
reuse: Threshold for disabling route suppression. When the penalty value is below
this threshold, the route will be reused. The range is 1 to 20000. The default value
is 750.
suppress: Threshold for enabling route suppression. When the penalty value is
above the threshold, the route is suppressed. The range is 1 to 20000. The default
value is 2000.
ceiling: Upper penalty threshold, that is, the penalty value stops increasing when it
reaches the upper threshold. The range is 1001 to 20000. The value of this
argument must be greater than that of the suppress argument. The default value
is 16000.
route-policy-name: Name of a route policy, in the range of 1 to 19 characters.
If no value is specified for the arguments, their default values are used. The
half-life-reachable, half-life-unreachable, reuse, suppress, and ceiling arguments
are independent of each other. Therefore, if you specify a value for any of these
arguments, you must specify a value for all the others.
Description
Use the dampening command to configure BGP route dampening or modify BGP
route dampening parameters.
Use the undo dampening command to disable BGP route dampening.
By default, BGP route dampening is disabled.
Related commands: reset bgp dampening, reset bgp flap-info, display bgp
routing dampened, display bgp routing flap-info.
Example
# Enable BGP route dampening and configure BGP route dampening parameters.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] dampening 15 15 1000 2000 10000
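How the dampening arguments above interact, as an added Python model that is not part of the 3Com manual: it applies half-life decay to a route's penalty and checks it against the suppress, reuse and ceiling thresholds. The per-flap penalty of 1000 is an assumption (the manual does not state it), and the class and function names are illustrative.

```python
import math
from dataclasses import dataclass

# Assumption: penalty added per flap. The manual does not state this value;
# 1000 is the figure commonly used by route flap dampening implementations.
FLAP_PENALTY = 1000


@dataclass
class DampeningParams:
    """Arguments of the dampening command, with the defaults given above."""
    half_life_reachable: int = 15     # minutes, 1 to 45
    half_life_unreachable: int = 15   # minutes, 1 to 45
    reuse: int = 750                  # 1 to 20000
    suppress: int = 2000              # 1 to 20000
    ceiling: int = 16000              # 1001 to 20000, greater than suppress

    def validate(self):
        """Return a list of range violations; an empty list means valid."""
        errors = []
        for name in ("half_life_reachable", "half_life_unreachable"):
            if not 1 <= getattr(self, name) <= 45:
                errors.append(f"{name} must be 1 to 45 minutes")
        for name in ("reuse", "suppress"):
            if not 1 <= getattr(self, name) <= 20000:
                errors.append(f"{name} must be 1 to 20000")
        if not 1001 <= self.ceiling <= 20000:
            errors.append("ceiling must be 1001 to 20000")
        if self.ceiling <= self.suppress:
            errors.append("ceiling must be greater than suppress")
        return errors


class DampenedRoute:
    """Hypothetical model of one route's penalty over time (in minutes)."""

    def __init__(self, params):
        errors = params.validate()
        if errors:
            raise ValueError("; ".join(errors))
        self.params = params
        self.penalty = 0.0
        self.suppressed = False
        self.reachable = True
        self.clock = 0.0

    def _half_life(self):
        p = self.params
        return p.half_life_reachable if self.reachable else p.half_life_unreachable

    def _decay(self, now):
        # The penalty halves once per half-life of elapsed time.
        self.penalty *= 0.5 ** ((now - self.clock) / self._half_life())
        self.clock = now
        # The route is reused once the penalty falls below the reuse threshold.
        if self.suppressed and self.penalty < self.params.reuse:
            self.suppressed = False

    def flap(self, now, reachable_after=True):
        """Record one flap at time `now`; the penalty never exceeds ceiling."""
        self._decay(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.params.ceiling)
        self.reachable = reachable_after
        # The route is suppressed once the penalty is above suppress.
        if self.penalty > self.params.suppress:
            self.suppressed = True

    def status(self, now):
        """Return (suppressed, penalty) at time `now`."""
        self._decay(now)
        return self.suppressed, self.penalty

    def minutes_until_reuse(self):
        """Minutes for the penalty to decay to reuse if no more flaps occur."""
        if not self.suppressed:
            return 0.0
        return self._half_life() * math.log2(self.penalty / self.params.reuse)


if __name__ == "__main__":
    route = DampenedRoute(DampeningParams())
    for _ in range(3):          # three flaps in quick succession
        route.flap(0)
    print(route.status(0), route.minutes_until_reuse())
```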
default local-preference
Syntax
View
Parameter
Description
Example
# Two routers A and B in the same autonomous area are connected with external
autonomous areas. Set the default local preference of B to 180 so that the route
through B is selected first when two routes go through both A and B to the same
destination.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] default local-preference 180
default med
Syntax
View
Parameter
Description
The multi-exit discriminator (MED) is an external route metric. Different from the
local preference, the MED is exchanged between autonomous systems. After the
MED enters an autonomous system, it will not be sent out of this autonomous
system. The MED attribute is used to select the optimal route, that is, the route
with a smaller MED value is selected. When a router running the BGP obtains
routes with the same destination address but different next hops through different
external peers, the route selection will be based on the MED value. In the case that
all other conditions are the same, the system first selects the route with the smaller
MED value as an external route of the autonomous system.
Example
default-route imported
Syntax
default-route imported
undo default-route imported
View
Parameters
None
Description
Use the default-route imported command to import the default route to the
BGP routing table.
Use the undo default-route imported command to restore the default.
By default, it is forbidden to import the default route to the BGP routing table.
Example
# Import the default route from the OSPF routing table to the BGP routing table.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] default-route imported
[5500G-bgp] import-route ospf 1
Parameters
Description
Example
Use the display bgp group command to view the information of peer groups.
# View the information of the peer group aaa.
<5500G> display bgp group aaa
Group : aaa type : external
as-number : 200
members in this group :
10.1.1.1
11.1.1.1
configuration within the group :
no export policy route-policy
no export policy filter-policy
no export policy as-path-acl
no export policy ip-prefix
route-policy specified in import policy : aaa
no import policy filter-policy
no import policy as-path-acl
no import policy ip-prefix
Description
Group
type
as-number
filter-policy
as-path-acl
ip-prefix
Example
Description
Network
Network address
Mask
Mask
Route-policy
Description
Id
Hash-Index
Value of Hash-index
References
Aggregator
Description
Origin
As-path
View
Parameters
Any view
multicast: Specifies multicast address family.
ip-address: IP address of the peer to be displayed.
verbose: Displays detailed information of the specified peer.
Description
Example
Use the display bgp peer command to display the information about the
specified BGP peer.
# Display detailed information of the peer 11.2.4.3.
<5500G> display bgp peer 11.2.4.3 verbose
Peer: 11.2.4.3+1047
Local: 11.2.4.4+179
Type: Internal
State: Established
Flags: <>
Expiring Time: 00:02:16
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: None
Options: <>
Peer Version: 4 Peer ID: 192.168.0.56 Local ID: 192.168.0.57
Active Holdtime: 180s, Keepalive: 60s
Group Bit: 0
Send state: in sync
Last traffic (seconds): Received 44
Sent 17 Checked 17
Input messages: Total 2293
Updates 8
Octets 43831
Output messages: Total 2292
Updates 6
Octets 43770
Peer capabilities:
Description
Peer
Local
Type
State
State of peer
Flags
Flags of peer
Last State
Last Event
Last Error
Options
Options
Description
Example
Use the display bgp routing command to display all the BGP routing
information.
# Display all the BGP routing information.
<5500G> display bgp routing
Flags: # - valid      ^ - active     I - internal
       D - damped     H - history    S - aggregate suppressed
    Dest/Mask        Next-Hop        Med   Local-pref  Origin  Path
-------------------------------------------------------------------
#^  1.1.0.0/16       0.0.0.0         0     100         IGP
#^  10.1.0.0/16      12.16.1.136     0     100         IGP     100
#^I 20.1.0.0/16      12.16.1.57      0     100         IGP
Routes total: 3
Description
Flags
Dest/Mask
Destination address/mask
Next Hop
Med
Local-Pref
Origin
Path
IGP: The route is inside the AS. BGP treats aggregated routes and routes
defined by the network command as originating inside the AS, with the
origin type IGP.
Description
Example
Use the display bgp routing as-path-acl command to view routes that match an
as-path acl.
# Display routes that match as-path-acl 1.
<5500G> display bgp routing as-path-acl 1
Flags: # - valid      ^ - active     I - internal
       D - damped     H - history    S - aggregate suppressed
    Dest/Mask        Next-Hop        Med   Local-pref  Origin  Path
-------------------------------------------------------------------
#^  1.1.1.0/24       192.168.0.57    0     100         IGP     2
Example
# - valid      ^ - active     I - internal
D - damped     H - history    S - aggregate suppressed
    Dest/Mask        Next-Hop        Med   Local-pref  Origin  Path
-------------------------------------------------------------------
#^  10.1.0.0/16      12.16.1.65      0     100         IGP     2
#^  10.1.2.2/32      12.16.1.136     0     100         IGP     100
#^I 20.1.0.0/16      12.16.1.57      0     100         IGP
For detailed description of the fields in the output information, see Table 75.
View
Parameters
Description
Example
Use the display bgp routing community command to view the routing
information related to the specified BGP community number in the routing table.
# Display the routing information matching BGP community number 11:22.
<5500G> display bgp routing community 11:22
Flags: # - valid      ^ - active     I - internal
       D - damped     H - history    S - aggregate suppressed
    Dest/Mask        Next-Hop        Med   Local-pref  Origin  Path
-------------------------------------------------------------------
#^  10.1.2.2/32      12.16.1.136     0     100         IGP     100
#^I 20.1.0.0/16      12.16.1.57      0     100         IGP
For detailed description of the fields in the output information, see Table 75.
View
Parameters
Description
Example
Use the display bgp routing community-list command to view the routing
information matching the specified BGP community list.
# Display the routing information matching BGP community list 1.
<5500G> display bgp routing community-list 1
Flags: # - valid      ^ - active     I - internal
       D - damped     H - history    S - aggregate suppressed
    Dest/Mask        Next-Hop        Med   Local-pref  Origin  Path
-------------------------------------------------------------------
#^  10.1.0.0/16      132.16.10.136   0     100         IGP     100
For detailed description of the fields in the output information, see Table 75.
Parameters
None
Description
Use the display bgp routing dampened command to display dampened BGP
routes.
Example
# - valid      ^ - active     I - internal
D - damped     H - history    S - aggregate suppressed
    Dest/Mask        Source          Damping-limit  Origin  Path
-------------------------------------------------------------------
#D  10.10.10.0/24    192.168.0.58    8:30           IGP     100
Description
#D
Dest/Mask
Source
Damping-limit
Example
# - valid      ^ - active     I - internal
D - damped     H - history    S - aggregate suppressed
    Dest/Mask        Next-Hop        Med   Local-pref  Origin  Path
-------------------------------------------------------------------
#^I 10.1.0.0/16      12.16.1.57      0     100         IGP
#   10.1.0.0/16      12.16.1.65      0     100         IGP     2
For detailed description of the fields in the output information, see Table 75.
View
Parameters
Description
Use the display bgp routing flap-info command to view BGP flap-info.
If no value is specified, the display bgp routing flap-info command displays flap
information of all BGP routes. If a value is specified for the network-address mask
argument, the command displays the flap information of the specified route only.
Example
# - valid      ^ - active     I - internal
D - damped     H - history    S - aggregate suppressed
    Dest/Mask        Source          Keepup   Damping  Flap   Origin  As-path
                                     time     limit    times
-------------------------------------------------------------------
#D  10.1.0.0/16      12.16.1.65      2:02     0        1      IGP     2
Description
Flags
State flags:
# - valid (valid)
^ - active (selected)
D - damped (discarded)
H - history (history)
Description
#D
Dest/Mask
Source
Keepup time
Damping limit
The time before dampening turns invalid and the route can be
reused.
Flap times
Origin
Origin attribute of route, which indicates that the route updates its
origin relative to the route originating it from AS. It has three
optional values:
As-path
AS-path attribute of the route, which records all AS areas that the route
passes. With it, routing loops can be avoided.
View
Parameters
Description
Example
Use the display bgp routing peer command to view the routing information the
specified BGP peer advertised or received.
# Display the routing information advertised by BGP peer 1.1.1.2.
Here, Appendant Flags indicates the appended flag: @ marks the route to be sent,
! the reachable route, and ~ the route to be canceled. For detailed description of
the fields in the output information, see Table 75.
Description
Example
Use the display bgp routing regular-expression command to view the routing
information matching the specified AS regular expression.
# Display the routing information matched with ^200$.
<5500G> display bgp routing regular-expression ^200$
Flags: # - valid      ^ - active     I - internal
       D - damped     H - history    S - aggregate suppressed
    Dest/Mask        Next-Hop        Med   Local-pref  Origin  Path
-------------------------------------------------------------------
#^  1.1.1.0/24       12.16.1.57      0     100         IGP     200
For detailed description of the fields in the output information, see Table 75.
Example
filter-policy export
Syntax
View
Parameters
Description
Use the filter-policy export command to filter the advertised routes, so that only
the routes passing the filter are advertised by BGP.
Use the undo filter-policy export command to cancel the filtering of the
advertised routes.
By default, filtration to the received routing information is not configured.
If a value is specified for the protocol argument, only the imported route
generated by the specified protocol is filtered and the imported routes generated
by other protocols are not affected. If no value is specified for the protocol
argument, the imported route generated by any protocol will be filtered.
Example
filter-policy import
Syntax
View
Parameters
Description
Use the filter-policy gateway import command to filter the learned routing
information advertised by the peer with the specified address.
Use the undo filter-policy gateway import command to cancel the filtration to
the routing information advertised by the peer with specified address.
Use the filter-policy import command to filter the received global routing
information. Use the undo filter-policy import command to remove the
filtration to the received global routing information.
By default, filtration to the received routing information is not configured.
Example
group
Syntax
View
Parameters
BGP view
group-name: Name of the peer group, containing 1 to 47 characters.
internal: Creates an IBGP peer group.
external: Creates an EBGP peer group, including other sub-ASs in the
confederation.
Description
Example
import-route
Syntax
View
Parameters
Description
The origin attribute of the route imported to the BGP routing table by using the
import-route command is Incomplete.
Example
ipv4-family
Syntax
ipv4-family multicast
undo ipv4-family multicast
View
Parameters
None
Description
Use the ipv4-family multicast command to enter IPv4 multicast address family
view.
Use the undo ipv4-family multicast command to remove all the configuration
performed in IPv4 multicast address family view.
Example
log-peer-change
Syntax
log-peer-change
undo log-peer-change
View
BGP view
Parameters
None
Description
network
Syntax
View
Parameters
Description
Use the network command to advertise the network segment route to the BGP
routing table.
Use the undo network command to cancel the existing configuration.
By default, the BGP does not advertise any network segment routes.
Example
The network segment route to be exported must exist in the local IP routing
table so that the route policy can control the route more flexibly.
The origin attribute of the network segment route advertised to the BGP
routing table by using the network command is IGP.
peer advertise-community
Syntax
View
Parameter
Description
Example
peer allow-as-loop
Syntax
View
Parameters
Description
Use the peer allow-as-loop command to allow the local AS number to appear in
the AS_PATH attribute of a received route and to configure how many times it may
be repeated.
Use the undo peer allow-as-loop command to cancel the function.
Related commands: display current-configuration, display bgp routing peer,
display bgp routing group.
Example
# Set the number of times the local AS number may be repeated in routes learned from 1.1.1.1 to 2.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer 1.1.1.1 allow-as-loop 2
peer as-number
Syntax
View
Parameters
BGP view
group-name: Name of a peer group, containing 1 to 47 characters.
as-number: AS number of the peer or peer group, in the range of 1 to 65535.
Description
Use the peer as-number command to configure the AS number of a peer group.
Use the undo peer as-number command to delete the AS number of a peer
group.
By default, no AS number is configured for a peer group.
Example
peer as-path-acl export
Syntax
View
Parameters
Description
Use the peer as-path-acl export command to configure a filtering policy for BGP
advertised routes based on an AS path list.
Use the undo peer as-path-acl command to cancel the existing configuration.
By default, there is no route policy based on an AS path ACL.
You can use the peer as-path-acl export command on a peer group. In the peer
as-path-acl export command, the acl-number argument is the AS path list
number. It is configured by using the ip as-path-acl command, instead of the acl
command.
Related command: ip as-path-acl.
Example
# Filter routes exported to the peer group (named test) based on AS path ACL 1.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer test as-path-acl 1 export
peer as-path-acl import
Syntax
View
Parameters
Description
Use the peer as-path-acl import command to configure a filtering policy for BGP
received routes based on an AS path list.
Use the undo peer as-path-acl import command to cancel the existing
configuration.
By default, the peer/peer group has no AS path list.
Related commands: ip as-path-acl in the part discussing IP routing policy
configuration commands.
Example
# Apply AS path ACL 1 in the peer group named test to filter BGP received routes.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer test as-path-acl 1 import
peer connect-interface
Syntax
View
Parameters
BGP view
group-name: Name of the peer group, containing 1 to 47 characters.
ip-address: IP address of the peer.
interface-type interface-num: Interface type and interface number.
null: No interface type or interface number is specified.
Description
Example
# Specify the source interface that sends route update packets to the peer group
named test as Loopback 0.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer test connect-interface loopback 0
peer default-route-advertise
Syntax
View
Parameter
Description
Example
peer description
Syntax
View
Parameters
BGP view
group-name: Name of the peer group, containing 1 to 47 characters.
ip-address: IP address of the peer.
text: Description information configured, which can be letters or numbers. It is a
string of up to 79 characters.
Description
Example
peer ebgp-max-hop
Syntax
View
Parameters
BGP view
group-name: Name of the peer group, containing 1 to 47 characters.
hop-count: Maximum hop value, in the range of 1 to 255. By default, the value is
64.
Description
Use the peer ebgp-max-hop command to allow an EBGP connection to be established
with a peer on an indirectly connected network.
Use the undo peer ebgp-max-hop command to cancel the existing
configuration.
By default, it is not allowed to establish any EBGP connection with a peer on an
indirectly connected network.
By setting hop-count, you can also configure the maximum hop value of an EBGP
connection.
Example
# Allow an EBGP connection to be established with the indirectly connected peer
group named test.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer test ebgp-max-hop
peer enable
Syntax
View
Parameters
Description
Use the peer enable command to enable the specified peer/peer group.
Use the undo peer enable command to disable the specified peer/peer group.
By default, BGP peer/peer group is enabled.
If the specified peer/peer group is disabled, the router will not exchange routing
information with the specified peer/peer group.
Example
peer filter-policy export
Syntax
View
Parameters
Description
Example
# Filter the routes advertised to the peer group named test by using ACL 2000.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer test filter-policy 2000 export
peer filter-policy import
Syntax
View
Parameters
Description
Example
peer group
Syntax
View
Parameters
Description
Use the peer group command to add a peer to the existing peer group.
View
Parameters
Description
Use the peer ip-prefix export command to reference an IP prefix list to filter
routes destined for a peer group.
Use the undo peer ip-prefix export command to remove the filtering.
By default, the filtering is not configured.
Example
# Apply ip-prefix list1 to filter the routes advertised to peer group group1.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer group1 ip-prefix list1 export
View
Parameters
Description
Use the peer ip-prefix import command to reference an IP prefix list to filter
routes from a peer/peer group.
Use the undo peer ip-prefix import command to remove the filtering.
By default, the filtering is not configured.
The priority of the inbound filtering configured for a peer is higher than that for its
peer group.
Example
# Apply ip-prefix list1 to filter the routes received from peer group group1.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer group1 ip-prefix list1 import
peer next-hop-invariable
Syntax
View
Parameter
Description
Example
# Keep the next hop unchanged when BGP exports routes to the peer group
named test.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer test next-hop-invariable
peer next-hop-local
Syntax
View
Parameter
Description
Example
# When BGP distributes the routes to the peer group test, it will take its own
address as the next hop.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer test next-hop-local
peer password
Syntax
View
Parameters
BGP view
group-name: Name of the peer group, containing 1 to 47 characters.
ip-address: IP address of the peer.
cipher: Displays the configured password in cipher text mode.
simple: Displays the configured password in simple text mode.
password: Password, a character string. It contains 1 to 16 characters when the
simple keyword is configured, or when the cipher keyword is configured but the
password is entered in simple text. It contains 24 characters when the cipher
keyword is configured and the password is entered in cipher text.
Description
Use the peer password command to configure MD5 authentication for BGP
during TCP connection setup.
# Adopt MD5 authentication on the TCP connection set up between the local
router at 10.1.100.1 and the peer router at 10.1.100.2.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer 10.1.100.2 password simple abc
# Perform the similar configuration on the peer.
[5500G-bgp] peer 10.1.100.1 password simple abc
peer public-as-only
Syntax
View
Parameter
Description
Example
# Configure not to carry the private AS number when transmitting BGP update
packets to the peer group named test.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
peer reflect-client
Syntax
View
Parameter
Description
Example
peer route-limit
Syntax
View
Parameters
BGP view
group-name: Name of a BGP peer group, a string of 1 to 47 characters.
ip-address: IP address of a BGP peer, in dotted decimal notation.
prefix-number: Number of route prefixes that the router can learn, ranging from 1
to 131,072. If the number of route prefixes learned from the specified peer/peer
group exceeds prefix-number, the router automatically disconnects from the
peer/peer group.
alert-only: Specifies to only output alert information and maintain the connection
between the router and the specified peer/peer group if the number of route
prefixes learned from the peer/peer group exceeds prefix-number.
reconnect reconnect-time: Sets the interval at which the router reconnects to the
peer/peer group. Reconnect-time is the interval in seconds, at which the router
reconnects to the peer/peer group. This argument ranges from 1 to 65,535, with
no default value.
percentage-value: Threshold for the router to send a notification (that is, the
router sends a notification when the percentage of the number of route prefixes
learned to prefix-number reaches percentage-value). It ranges from 1 to 100 and
defaults to 75.
Description
Use the peer route-limit command to set a limit on the number of route prefixes
that can be learned from a specified peer/peer group.
Use the undo peer route-limit command to cancel the configuration.
By default, there is no limit on the number of route prefixes that can be learned
from a peer/peer group.
Examples
# Limit the number of route prefixes that can be learned from peer 100.1.1.1 to
10,000.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer 100.1.1.1 route-limit 10000
# Limit the number of route prefixes that can be learned from the peer group
named external to 10,000, specifying to output alert information when the
number of route prefixes learned from external reaches 10,000 and to output
notification information when this number reaches 8,000.
[5500G-bgp] peer external route-limit 10000 alert-only 80
# Limit the number of route prefixes that can be learned from the peer group
named external to 10,000, specifying to reconnect the router to external in 120
seconds and to output notification information when the number of route prefixes
learned from external reaches 8,000.
[5500G-bgp] peer external route-limit 10000 reconnect 120 80
# Limit the number of route prefixes that can be learned from the peer group
named external to 10,000, specifying to output notification information when this
number reaches 8,000.
[5500G-bgp] peer external route-limit 10000 80
# Cancel the limit on the number of route prefixes that can be learned from peer
100.1.1.1.
[5500G-bgp] undo peer 100.1.1.1 route-limit
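The route-limit variants shown above, as an added Python sketch that is not part of the 3Com manual: it parses the command forms used in these examples and returns what the parameter descriptions say happens for a given number of learned prefixes. The function names and returned action strings are illustrative, and treating alert-only and reconnect as alternatives is an assumption drawn from the examples.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RouteLimit:
    peer: str                              # peer IP address or peer group name
    prefix_number: int                     # 1 to 131072
    alert_only: bool = False               # keep the session, only alert
    reconnect_time: Optional[int] = None   # seconds, 1 to 65535, no default
    percentage: int = 75                   # notification threshold, 1 to 100


def parse_route_limit(command):
    """Parse 'peer <peer> route-limit <n> [alert-only | reconnect <t>] [<pct>]'."""
    tokens = command.split()
    if len(tokens) < 4 or tokens[0] != "peer" or tokens[2] != "route-limit":
        raise ValueError("not a peer route-limit command")
    limit = RouteLimit(peer=tokens[1], prefix_number=int(tokens[3]))
    rest = tokens[4:]
    if rest and rest[0] == "alert-only":
        limit.alert_only = True
        rest = rest[1:]
    elif rest and rest[0] == "reconnect":
        if len(rest) < 2:
            raise ValueError("reconnect requires a reconnect-time")
        limit.reconnect_time = int(rest[1])
        rest = rest[2:]
    if rest:
        limit.percentage = int(rest[0])
        rest = rest[1:]
    if rest:
        raise ValueError("unexpected arguments: " + " ".join(rest))
    # Ranges as given in the parameter descriptions.
    if not 1 <= limit.prefix_number <= 131072:
        raise ValueError("prefix-number must be 1 to 131072")
    if limit.reconnect_time is not None and not 1 <= limit.reconnect_time <= 65535:
        raise ValueError("reconnect-time must be 1 to 65535")
    if not 1 <= limit.percentage <= 100:
        raise ValueError("percentage-value must be 1 to 100")
    return limit


def action_for(limit, learned):
    """Return the behaviour described for `learned` prefixes from the peer."""
    if learned > limit.prefix_number:
        if limit.alert_only:
            return "alert"                 # session is maintained
        if limit.reconnect_time is not None:
            return f"disconnect, reconnect after {limit.reconnect_time}s"
        return "disconnect"
    # Notification once learned/prefix-number reaches percentage-value.
    if learned * 100 >= limit.percentage * limit.prefix_number:
        return "notify"
    return "ok"


if __name__ == "__main__":
    # Constructed inputs: the command lines from the examples above.
    for cmd in ("peer 100.1.1.1 route-limit 10000",
                "peer external route-limit 10000 alert-only 80",
                "peer external route-limit 10000 reconnect 120 80",
                "peer external route-limit 10000 80"):
        parsed = parse_route_limit(cmd)
        print(cmd, "->", [action_for(parsed, n) for n in (7000, 8000, 10001)])
```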
peer route-policy export
Syntax
View
Parameters
Description
Use the peer route-policy export command to apply the Route-policy to the
routes advertised to the peer group.
Use the undo peer route-policy export command to delete the specified
Route-policy.
By default, no route-policy is configured for the routes advertised to the peer
group.
Related command: peer route-policy import
Example
# Apply the Route-policy test-policy to the routes advertised to peer group test.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer test route-policy test-policy export
peer route-policy import
Syntax
View
Parameters
Description
Use the peer route-policy import command to assign the Route-policy to the
route coming from the peer/peer group.
Use the undo peer route-policy import command to delete the specified
Route-policy.
By default, no route-policy is specified for the routes received from a peer/peer
group.
The priority of the ingress routing policy configured for the peer is higher than that
for the peer group.
Related command: peer route-policy export
Example
# Apply route-policy test-policy to the routes received from peer group test.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer test route-policy test-policy import
peer route-update-interval
Syntax
View
Parameters
BGP view
group-name: Peer group name, containing 1 to 47 characters.
seconds: Minimum interval at which UPDATE packets are sent. It is in the range of
0 to 600 seconds.
Description
Example
# Configure the interval for sending the same update to peer group test as 10
seconds.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] peer test route-update-interval 10
peer shutdown
Syntax
View
BGP view
Parameters
group-name: Name of a peer group, ranging from 1 to 47 characters.
ip-address: IP address of a peer.
Description
Use the peer shutdown command to shut down the session with a specified peer
or peer group.
Use the undo peer shutdown command to restore the session.
Example
peer timer
Syntax
View
BGP view
Parameters
group-name: Name of peer group, containing 1 to 47 characters.
ip-address: IP address of the peer.
keepalive-interval: Keepalive timer in seconds. It is in the range of 1 to 65535.
holdtime-interval: Holdtime timer in seconds. It is in the range of 3 to 65535.
Description
Use the peer timer command to configure the Keepalive and holdtime timers for
a peer/peer group.
Use the undo peer timer command to restore the default value of the timer.
The keepalive interval defaults to 60 seconds, and the holdtime interval defaults to
180 seconds.
The timer configured by using this command has a higher priority than the one
configured by using the timer command.
The holdtime timer must be at least three times the keepalive timer.
Example
preference
Syntax
View
Parameters
Description
Use the preference command to set preference values for routes learned from
external peers, routes learned from internal peers, and local-originated routes.
Use the undo preference command to restore the default preference values.
The default preference values of external, internal, and local routes are 256, 256,
and 130, respectively.
You can set preference values for different types of BGP routes.
Example
# Set the preferences of EBGP, IBGP and locally generated routes to 170.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] preference 170 170 170
reflect between-clients
Syntax
reflect between-clients
undo reflect between-clients
View
Parameters
None
Description
Example
reflector cluster-id
Syntax
View
Parameter
Description
By default, each route reflector uses its Router ID as the cluster ID.
Generally, there is only one route reflector in a cluster. In this case, the Router ID
of the route reflector is used to identify the cluster. Setting multiple route
reflectors enhances network stability. If multiple route reflectors are in a cluster,
use this command to configure the same cluster ID for all the route reflectors to
prevent routing loops.
Related commands: reflect between-clients and peer reflect-client
Example
# A local router is one of the route reflectors in a cluster. Set the cluster ID of the
route reflector as 80.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] reflector cluster-id 80
refresh bgp
Syntax
View
Parameters
Description
Use the refresh bgp command to manually refresh BGP connections. Refreshing
BGP connections refreshes the BGP routing table and applies a new policy without
interrupting any BGP connection.
After a BGP connection is created, only incremental routes are sent. However, in
some cases, such as when the BGP routing policy changes, the peer needs to
re-advertise routes or to be resent routes so that the routes are filtered again
according to the new policy.
Example
reset bgp
Syntax
View
Parameters
Description
Use the reset bgp ip-address command to reset the connection of BGP with a
specified BGP peer.
Use the reset bgp all command to reset all the connections with BGP.
Use the reset bgp group group-name command to reset the BGP connection
with a specified peer group.
After a BGP routing policy or protocol configuration changes, resetting the BGP
connection makes the newly configured policy take effect immediately.
Example
Description
Use the reset bgp dampening command to clear the dampening information
and release suppressed routes.
Related commands: dampening, display bgp routing dampened
Example
# Clear dampening information for the route 20.1.0.0/16 and release it.
<5500G> reset bgp dampening 20.1.0.0 255.255.0.0
View
Parameters
Description
Use the reset bgp flap-info command to clear the flap info of a route.
If no value is specified, the flap info of all routes will be reset.
Related command: dampening
Example
# Clear the flap-info of all the routes that go through filter list 1.
<5500G> reset bgp flap-info as-path-acl 1
Example
router id
Syntax
router id router-id
undo router id
View
System view
Parameter
router-id: Router ID, in dotted decimal notation.
Description
Use the router id command to specify a router ID.
Use the undo router id command to remove the router ID.
Example
summary
Syntax
summary
undo summary
View
Parameters
None
Description
Example
timer
Syntax
View
BGP view
Parameters
keepalive-interval: Keepalive interval, in the range 1 to 65535.
holdtime-interval: Holdtime interval, in the range 3 to 65535.
Description
Use the timer command to configure the Keepalive and Hold-time intervals of
BGP connections.
Use the undo timer command to restore the default.
By default, the keepalive and holdtime intervals of BGP connections are 60
seconds and 180 seconds respectively.
Example
# Configure the Keepalive timer as 120 seconds and Hold-time timer as 360
seconds.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] bgp 100
[5500G-bgp] timer keepalive 120 hold 360
undo synchronization
Syntax
undo synchronization
View
BGP view
Parameters
None
Description
Example
27
The term router in this chapter refers to a router in a generic sense or an Ethernet
switch running a routing protocol.
This chapter applies to the Switch 5500 only (not the Switch 5500G).
apply cost
Syntax
View
Parameter
Description
Example
# Create a routing policy named policy and node 1 with the matching mode being
permit. Apply the cost 120 to routes matching ACL 2000.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] route-policy policy permit node 1
%New sequence of this list
[5500-route-policy] if-match acl 2000
[5500-route-policy] apply cost 120
apply tag
Syntax
Example
# Create a routing policy named policy and node 1 with the matching mode being
permit. Apply the tag 100 to routes matching ACL 2000.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] route-policy policy permit node 1
%New sequence of this list
[5500-route-policy] if-match acl 2000
[5500-route-policy] apply tag 100
display ip ip-prefix
Syntax
View
Parameter
Description
Example
# Display the information about the address prefix list named p1.
<5500> display ip ip-prefix p1
name            index  conditions  ip-prefix / mask    GE  LE
p1              10     permit      10.1.0.0/16         17  18
Description
name
Name of an IP-prefix
index
conditions
permit
deny
ip-prefix / mask
GE
LE
display route-policy
Syntax
View
Parameter
Description
Example
Description
Route-policy
Permit 10
Matching conditions
if-match
Syntax
Description
Example
if-match cost
Syntax
View
Parameter
Description
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] route-policy policy permit node 1
%New sequence of this list
[5500-route-policy] if-match cost 8
if-match interface
Syntax
View
Parameter
Description
Example
if-match ip next-hop
Syntax
View
Parameter
ip-prefix ip-prefix-name: Name of the IP address prefix list used for filtering, a
string of 1 to 19 characters.
Description
Use the if-match ip next-hop command to match routes with next hops
specified in an ACL or IP prefix list.
Use the undo if-match ip next-hop command to remove the matching rule with
an ACL.
Use the undo if-match ip next-hop ip-prefix command to remove the matching
rule with an IP prefix list.
By default, no next hop matching rule is defined.
Related commands: if-match interface, if-match acl, if-match ip-prefix,
if-match cost, if-match tag, route-policy, apply cost, and apply tag.
Example
# Define an if-match clause to match routes with next hops specified in the IP
address prefix list p1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] route-policy policy permit node 1
%New sequence of this list
[5500-route-policy] if-match ip next-hop ip-prefix p1
if-match tag
Syntax
View
Description
Use the if-match tag command to configure the tag matching rule for routing
information.
Use the undo if-match tag command to remove the matching rule.
By default, no tag matching rule for routing information is defined.
Related commands: if-match interface, if-match acl, if-match ip-prefix,
if-match ip next-hop, if-match cost, route-policy, apply cost, and apply tag.
Example
# Define an if-match clause to match OSPF routes having the tag value 8.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] route-policy policy permit node 1
ip ip-prefix
Syntax
View
System view
Parameter
ip-prefix-name: Name of an IP-prefix, a string of up to 19 characters. It identifies
an address prefix list uniquely.
index-number: Identifier of an entry in the IP address prefix list, in the range 1 to
2047. The entry with a smaller index-number will be tested first.
permit: Specifies the match mode of the defined IP-prefix entries as permit
mode. If the permit mode is specified and the IP address to be filtered is in the
ip-prefix range specified by the entry, the entry is filtered through and the next
entry is not tested. If the IP address to be filtered is not in the ip-prefix range
specified by the entry, the next entry is tested.
deny: Specifies the match mode of the defined IP-prefix entries as deny mode. If
the deny mode is specified and the IP address to be filtered is in the ip-prefix range
specified by the entry, the entry is not filtered through and the next entry is not
tested; otherwise, the next entry is tested.
network: IP address prefix (IP address), in dotted decimal notation.
len: IP address prefix length (mask length), in the range of 0 to 32.
greater-equal, less-equal: Address prefix range [greater-equal, less-equal] to be
matched after the address prefix network len has been matched. The meaning of
greater-equal is greater than or equal to, and the meaning of less-equal is less
than or equal to. The range is len <= greater-equal <= less-equal <= 32. When
only greater-equal is used, it denotes the prefix range [greater-equal, 32]. When
only less-equal is used, it denotes the prefix range [len, less-equal].
Description
Use the ip ip-prefix command to configure an IP-prefix list or one of its entries.
Use the undo ip ip-prefix command to delete an IP-prefix list or one of its entries.
By default, no IP-prefix list is configured.
An IP-prefix list is used for IP address filtering. An IP prefix list may contain several
entries, and each entry specifies one address prefix range. The inter-entry filtering
relation is OR. That is, passing an entry means filtering through this address prefix
list. Not filtering through any entry means not filtering through this IP-prefix.
The address prefix range may contain two parts, which are determined by len and
[greater-equal, less-equal], respectively. If the prefix ranges of these two parts are
both specified, the IP to be filtered must match the prefix ranges of these two
parts.
If you specify network len as 0.0.0.0 0, it matches the default route only.
To match all the routes, use 0.0.0.0 0 less-equal 32.
Example
# Define an ip-prefix named p1 to permit only the routes whose mask lengths are
17 or 18 on network segment 10.0.192.0/8 to pass.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ip ip-prefix p1 permit 10.0.192.0 8 greater-equal 17 less-equal 18
route-policy
Syntax
View
System view
Parameter
route-policy-name: Name of a routing policy, a string of 19 characters. This
argument identifies a routing policy uniquely.
permit: Specifies the match mode of the defined routing policy node as permit.
When a route entry meets all the if-match clauses of the node, the entry is
permitted to filter through the node and the apply clause of the node will be
performed. If a route entry does not meet the if-match clause of the node, the
next node of the route-policy will be tested.
deny: Specifies the match mode of the defined Route-policy node as deny mode.
When a route entry meets all the if-match clauses of the node, the entry is
prohibited from filtering through the node and the next node will not be tested.
node: Specifies a node index in a routing policy.
node-number: Index of the node in a routing policy, in the range 0 to 2047. When
this routing policy is used, the node with smaller node-number will be matched
first.
Description
An if-match clause defines the match rules of this node. An apply clause defines
the actions after filtering through this node. The filtering relationship between the
if-match clauses of the node is AND. That is, all if-match clauses of the node must
be met.
The filtering relation between Route-policy nodes is OR. That is, filtering through
one node means filtering through this Route-policy. If the information does not
filter through any node, it cannot filter through this Route-policy.
Related commands: if-match interface, if-match acl, if-match ip-prefix,
if-match ip next-hop, if-match cost, if-match tag, apply cost, and apply tag.
Example
# Configure Route-policy policy1, with the node number of 10 and the match
mode of permit, and enter Route policy view.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] route-policy policy1 permit node 10
%New sequence of this list
[5500-route-policy]
28
The term router in this chapter refers to a router in a generic sense or an Ethernet
switch running a routing protocol.
This chapter applies to the Switch 5500G only (not the Switch 5500).
apply as-path
Syntax
View
Parameters
Description
Use the apply as-path command to add an AS number before the original AS path
in a Route-policy.
Use the undo apply as-path command to remove the added AS number.
By default, no AS number is set.
If the Route-policy matching conditions are met, the AS attributes of the
transmitted route are changed by the apply as-path command.
Example
apply community
Syntax
View
Parameters
Description
Example
# Create a Route-policy named setcommunity and set its node sequence number
as 16 and matching mode as permit. Enter route policy view, set the matching
conditions, and execute the attribute change command.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] route-policy 10 permit node 10
[5500G] route-policy setcommunity permit node 16
[5500G-route-policy] if-match as-path 8
[5500G-route-policy] apply community no-export
apply cost
Syntax
View
Parameter
Description
Example
# Create a routing policy named policy and node 1 with the matching mode
being permit. Apply the cost 120 to routes matching ACL 2000.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] route-policy policy permit node 1
%New sequence of this list
[5500G-route-policy] if-match acl 2000
[5500G-route-policy] apply cost 120
apply cost-type
Syntax
View
Parameters
Description
Use the apply cost-type command to set the routing cost type of routing
information.
Use the undo apply cost-type command to cancel the setting.
By default, routing cost is not set.
Example
apply ip next-hop
Syntax
View
Parameter
Description
Example
# Define an apply statement to set the next hop in the routing information to
193.1.1.8.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] route-policy 10 permit node 10
[5500G-route-policy] apply ip next-hop 193.1.1.8
apply local-preference
Syntax
View
Parameter
Description
Example
# Define an apply statement to set local preference for the routing information to
130.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] route-policy 10 permit node 10
[5500G-route-policy] apply local-preference 130
apply origin
Syntax
View
Parameters
Description
Use the apply origin command to set the source of BGP routing information.
Use the undo apply origin command to cancel the apply statement setting.
Related commands: if-match interface, if-match acl, if-match ip-prefix,
if-match ip next-hop, if-match cost, if-match tag, route-policy, apply ip
next-hop, apply local-preference, apply cost and apply tag
Example
# Define an apply statement to specify that the BGP routing information source is
igp.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] route-policy 10 permit node 10
[5500G-route-policy] apply origin igp
apply tag
Syntax
View
Parameter
Description
Example
# Create a routing policy named policy and node 1 with the matching mode being
permit. Apply the tag 100 to routes matching ACL 2000.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] route-policy policy permit node 1
%New sequence of this list
[5500G-route-policy] if-match acl 2000
[5500G-route-policy] apply tag 100
display ip ip-prefix
Syntax
View
Parameter
Description
Example
# Display the information about the address prefix list named p1.
<5500G> display ip ip-prefix p1
name            index  conditions  ip-prefix / mask    GE  LE
p1              10     permit      10.1.0.0/16         17  18
Description
name
Name of an IP-prefix
index
Description
conditions
permit
deny
ip-prefix / mask
GE
LE
display route-policy
Syntax
View
Parameter
Description
Example
Description
Route-policy
Permit 10
apply cost 100: Apply the cost 100 to the routes satisfying the
matching conditions.
if-match { acl | ip-prefix }
Syntax
View
Parameters
Description
Use the if-match command to match routes permitted by an ACL or IP prefix list.
Use the undo if-match command to remove the configuration.
By default, the if-match clause is not configured.
Related commands: if-match interface, if-match ip next-hop, if-match cost,
if-match tag, route-policy, apply cost, and apply tag
Example
if-match as-path
Syntax
View
Parameter
Description
# Create as-path 2, which permits the routing information of AS 200 and AS 300.
Then create a Route-policy named test, and define an if-match statement quoting
the definitions of as-path 2 for node 10 of the Route-policy.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] ip as-path-acl 2 permit 200:300
[5500G] route-policy test permit node 10
[5500G-route-policy] if-match as-path 2
if-match community
Syntax
View
Parameters
Description
Example
if-match cost
Syntax
View
Parameter
Description
Example
if-match interface
Syntax
View
Parameter
Description
if-match ip next-hop
Syntax
View
Parameters
Description
Use the if-match ip next-hop command to match routes with next hops
specified in an ACL or IP prefix list.
Use the undo if-match ip next-hop command to remove the matching rule with
an ACL.
Use the undo if-match ip next-hop ip-prefix command to remove the matching
rule with an IP prefix list.
By default, no next hop matching rule is defined.
Related commands: if-match interface, if-match acl, if-match ip-prefix,
if-match cost, if-match tag, route-policy, apply cost, and apply tag
Example
# Define an if-match clause to match routes with next hops specified in the IP
address prefix list p1.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] route-policy policy permit node 1
%New sequence of this list
[5500G-route-policy] if-match ip next-hop ip-prefix p1
if-match tag
Syntax
View
Parameter
Description
Example
# Define an if-match clause to match OSPF routes having the tag value 8.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] route-policy policy permit node 1
%New sequence of this list
[5500G-route-policy] if-match tag 8
ip as-path-acl
Syntax
View
System view
Parameters
acl-number: AS path list number, ranging from 1 to 199.
as-regular-expression: AS path regular expression
Description
Example
ip community-list
Syntax
View
System view
Parameters
basic-comm-list-number: Basic community list number, ranging from 1 to 99.
adv-comm-list-number: Advanced community list number, ranging from 100 to
199.
permit: Specifies to allow access to matching conditions.
deny: Specifies to deny access to matching conditions.
aa:nn: Community number. The value ranges of aa and nn are both from 1 to
65535.
&<1-12>: Indicates you can enter aa:nn up to 12 times.
internet: Specifies to advertise all routes.
no-export-subconfed: Specifies not to send matching routes out of
sub-autonomous system.
no-advertise: Specifies not to send matching routes to any peer entities.
no-export: Specifies not to send routes out of sub-autonomous system or
federation but to send to the other sub-autonomous systems in the federation.
comm-regular-expression: Community attribute in regular expression.
Description
Example
# Define a community list, and specify not to send the routes with the community
attributes out of the local autonomous system.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] ip community-list 6 permit no-export-subconfed
ip ip-prefix
Syntax
View
System view
Parameters
ip-prefix-name: Name of an IP-prefix, a string of up to 19 characters. It identifies
an address prefix list uniquely.
index-number: Identifier of an entry in the IP address prefix list, in the range 1 to
2047. The entry with a smaller index-number will be tested first.
permit: Specifies the match mode of the defined IP-prefix entries as permit mode.
If the permit mode is specified and the IP address to be filtered is in the ip-prefix
range specified by the entry, the entry is filtered through and the next entry is not
tested. If the IP address to be filtered is not in the ip-prefix range specified by the
entry, the next entry is tested.
deny: Specifies the match mode of the defined IP-prefix entries as deny mode. If
the deny mode is specified and the IP address to be filtered is in the ip-prefix range
specified by the entry, the entry is not filtered through and the next entry is not
tested; otherwise, the next entry is tested.
network: IP address prefix (IP address), in dotted decimal notation.
len: IP address prefix length (mask length), in the range of 0 to 32.
greater-equal, less-equal: Address prefix range [greater-equal, less-equal] to be
matched after the address prefix network len has been matched. The meaning of
greater-equal is greater than or equal to, and the meaning of less-equal is less
than or equal to. The range is len <= greater-equal <= less-equal <= 32. When
only greater-equal is used, it denotes the prefix range [greater-equal, 32]. When
only less-equal is used, it denotes the prefix range [len, less-equal].
Description
Use the ip ip-prefix command to configure an IP-prefix list or one of its entries.
Use the undo ip ip-prefix command to delete an IP-prefix list or one of its entries.
By default, no IP-prefix list is configured.
An IP-prefix list is used for IP address filtering. An IP prefix list may contain several
entries, and each entry specifies one address prefix range. The inter-entry filtering
relation is OR. That is, passing an entry means filtering through this address prefix
list. Not filtering through any entry means not filtering through this IP-prefix.
The address prefix range may contain two parts, which are determined by len and
[greater-equal, less-equal], respectively. If the prefix ranges of these two parts are
both specified, the IP to be filtered must match the prefix ranges of these two
parts.
If you specify network len as 0.0.0.0 0, it matches the default route only.
To match all the routes, use 0.0.0.0 0 less-equal 32.
Example
# Define an ip-prefix named p1 to permit only the routes whose mask lengths are
17 or 18 on network segment 10.0.192.0/8 to pass.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] ip ip-prefix p1 permit 10.0.192.0 8 greater-equal 17 less-equal 18
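The ip ip-prefix rules described in both the Switch 5500 and Switch 5500G chapters (index order, permit/deny, and the [greater-equal, less-equal] mask range) can be modeled offline to check a list before it is applied to a peer or protocol. This is an added example, not 3Com code: the names Entry, evaluate and shadowed, index 10 for p1, and every list except p1 are constructed for illustration, and it assumes that only the first len bits of network are significant, as the 10.0.192.0 8 example implies.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    """One ip ip-prefix entry, using the parameter names from the page."""
    index: int
    mode: str                  # "permit" or "deny"
    network: str               # dotted decimal
    length: int                # len, 0 to 32
    ge: Optional[int] = None   # greater-equal
    le: Optional[int] = None   # less-equal

    def base(self) -> ipaddress.IPv4Network:
        # Assumption: bits beyond len are ignored, so 10.0.192.0 8 means 10.0.0.0/8.
        return ipaddress.ip_network(f"{self.network}/{self.length}", strict=False)

    def mask_range(self) -> Tuple[int, int]:
        """Inclusive range of mask lengths accepted by this entry."""
        if self.ge is None and self.le is None:
            return self.length, self.length                  # exact length only
        low = self.length if self.ge is None else self.ge    # only le: [len, le]
        high = 32 if self.le is None else self.le            # only ge: [ge, 32]
        if not self.length <= low <= high <= 32:
            raise ValueError(f"index {self.index}: need len <= ge <= le <= 32")
        return low, high

    def covers(self, route: ipaddress.IPv4Network) -> bool:
        low, high = self.mask_range()
        return low <= route.prefixlen <= high and route.subnet_of(self.base())


def evaluate(entries: List[Entry], route_text: str) -> Tuple[bool, Optional[int]]:
    """Return (passes, index of deciding entry). Lowest index is tested first."""
    route = ipaddress.ip_network(route_text)     # rejects host bits in the route
    for entry in sorted(entries, key=lambda e: e.index):
        if entry.covers(route):
            return entry.mode == "permit", entry.index
    return False, None       # no entry matched: the route does not filter through


def shadowed(entries: List[Entry]) -> List[int]:
    """Indexes of entries that can never decide because an earlier one covers them."""
    ordered = sorted(entries, key=lambda e: e.index)
    hidden = []
    for pos, later in enumerate(ordered):
        l_low, l_high = later.mask_range()
        for earlier in ordered[:pos]:
            e_low, e_high = earlier.mask_range()
            if (later.base().subnet_of(earlier.base())
                    and e_low <= l_low and l_high <= e_high):
                hidden.append(later.index)
                break
    return hidden


# p1 as configured in the example above; the other lists are constructed samples.
P1 = [Entry(10, "permit", "10.0.192.0", 8, ge=17, le=18)]
DEFAULT_ONLY = [Entry(10, "permit", "0.0.0.0", 0)]
MATCH_ALL = [Entry(10, "permit", "0.0.0.0", 0, le=32)]
# A deny placed after a match-all permit never takes effect.
MISORDERED = [Entry(10, "permit", "0.0.0.0", 0, le=32),
              Entry(20, "deny", "10.0.0.0", 8, le=32)]
REORDERED = [Entry(10, "deny", "10.0.0.0", 8, le=32),
             Entry(20, "permit", "0.0.0.0", 0, le=32)]

if __name__ == "__main__":
    for name, plist, route in [("p1", P1, "10.1.128.0/17"),
                               ("p1", P1, "10.1.0.0/16"),
                               ("misordered", MISORDERED, "10.1.0.0/16"),
                               ("reordered", REORDERED, "10.1.0.0/16")]:
        print(name, route, evaluate(plist, route))
    print("shadowed entries in misordered list:", shadowed(MISORDERED))
```

Running shadowed over a list before committing it catches the common ordering mistake in which a narrow deny sits behind a broader permit and silently never filters anything.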
route-policy
Syntax
View
System view
Parameters
route-policy-name: Name of a routing policy, a string of 19 characters. This
argument identifies a routing policy uniquely.
permit: Specifies the match mode of the defined routing policy node as permit.
When a route entry meets all the if-match clauses of the node, the entry is
permitted to filter through the node and the apply clause of the node will be
performed. If a route entry does not meet the if-match clause of the node, the
next node of the route-policy will be tested.
deny: Specifies the match mode of the defined Route-policy node as deny mode.
When a route entry meets all the if-match clauses of the node, the entry is
prohibited from filtering through the node and the next node will not be tested.
node: Specifies a node index in a routing policy.
node-number: Index of the node in a routing policy, in the range 1 to 2047. When
this routing policy is used, the node with smaller node-number will be matched
first.
Description
# Configure Route-policy policy1, with the node number of 10 and the match
mode of permit, and enter Route policy view.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] route-policy policy1 permit node 10
%New sequence of this list
[5500G-route-policy]
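The node rules given for route-policy (nodes tested in ascending node-number, all if-match clauses of a node must be met, a permit node runs its apply clauses, a deny node stops evaluation, and a route that matches no node does not filter through) can be traced offline as follows. This is an added example, not 3Com code: the Node class, the run_policy function, the equality comparison on cost and tag, and the sample policy are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Route = Dict[str, int]     # attribute -> value, e.g. {"cost": 8, "tag": 100}


@dataclass
class Node:
    """One route-policy node with its if-match and apply clauses."""
    number: int
    mode: str                                     # "permit" or "deny"
    if_match: Dict[str, int]                      # e.g. {"cost": 8} for if-match cost 8
    apply: Dict[str, int] = field(default_factory=dict)   # e.g. {"tag": 100}

    def unmet(self, route: Route) -> List[str]:
        """Return the if-match clauses the route fails (empty list = all met)."""
        return [f"{key} {value}" for key, value in self.if_match.items()
                if route.get(key) != value]


def run_policy(nodes: List[Node], route: Route) -> Tuple[Optional[Route], List[str]]:
    """Return (resulting route or None if rejected, human-readable trace)."""
    trace = []
    for node in sorted(nodes, key=lambda n: n.number):   # smaller number first
        if node.mode not in ("permit", "deny"):
            raise ValueError(f"node {node.number}: mode must be permit or deny")
        failed = node.unmet(route)
        if failed:
            # Clauses within a node are ANDed: one miss moves on to the next node.
            trace.append(f"node {node.number}: not matched ({', '.join(failed)})")
            continue
        if node.mode == "deny":
            trace.append(f"node {node.number}: deny matched, later nodes not tested")
            return None, trace
        trace.append(f"node {node.number}: permit matched, apply {node.apply}")
        return {**route, **node.apply}, trace
    trace.append("no node matched: route does not filter through the policy")
    return None, trace


# Constructed sample policy (not from the manual).
POLICY = [
    Node(10, "deny", {"tag": 666}),
    Node(20, "permit", {"cost": 8, "tag": 100}, {"cost": 120}),
    Node(30, "permit", {"tag": 200}, {"tag": 100}),
]

if __name__ == "__main__":
    for sample in ({"cost": 8, "tag": 100}, {"cost": 8, "tag": 200},
                   {"cost": 8, "tag": 666}, {"cost": 9, "tag": 100}):
        result, steps = run_policy(POLICY, sample)
        print(sample, "->", result)
        for step in steps:
            print("   ", step)
```

The last sample shows the behaviour that most often surprises operators: a route that satisfies only some clauses of every node is dropped, because nothing permits it explicitly.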
29
The term router in this chapter refers to a router in a generic sense or an Ethernet
switch running a routing protocol.
display memory
Syntax
Mode
Parameter
Description
Example
Description
Unit
Specifies a Unit ID
Used Rate
Description
Use the display memory limit command to display the memory setting and state
information of the switch.
This command displays the current memory limit configuration, free memory, and
state information about connections, such as the number of disconnection times,
times it reconnected, and whether the current state is normal.
Example
Description
auto-establish enabled
Free Memory
Normal
Exigence
memory
Syntax
View
System view
Parameter
safety-value: Safety free memory of the switch, in Mbytes. Its value range
depends on the free memory of the current switch. The default value is 15.
limit-value: Lower limit of the switch free memory, in Mbytes. Its value range
depends on the free memory of the current switch. This value defaults to 12.
Description
Use the memory limit limit-value command to configure the lower limit of the
switch free memory.
When the free memory of the switch is less than the limit-value, all the routing
protocol connections will be disconnected forcibly.
Use the memory safety safety-value command to configure the safety value of
the switch free memory.
If you use the memory auto-establish enable command (the default
configuration), the routing protocol connection that is forcibly disconnected
automatically recovers when the free memory of the switch reaches the
safety-value.
Use the memory safety safety-value limit limit-value command to change both
the safety value and lower limit of the switch free memory.
Use the undo memory command to restore the default safety value and lower
limit of the switch free memory.
Related command: memory auto-establish disable, memory auto-establish
enable, and display memory limit.
When you configure the memory command, the safety-value argument in the
command must be greater than the limit-value argument; otherwise, the
configuration will fail.
Example
# Set the lower limit of the switch free memory to 1 MB and the safety value to 3
MB.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] memory safety 3 limit 1
memory auto-establish disable
Syntax
View
Parameter
Description
After this command is used, connections of all the routing protocols will not
recover when the free memory of the switch recovers to a safety value. In this
case, you need to restart the routing protocol to recover the connections.
Use this command with caution.
Related command: memory auto-establish enable, memory, display memory
limit.
Example
# Disable automatic restoration of the routing protocol connections when the free
memory of the current switch recovers.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] memory auto-establish disable
memory auto-establish enable
Syntax
View
Parameter
Description
Example
# Enable automatic connections of all routing protocols when the free memory of
the current switch recovers.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] memory auto-establish enable
30 COMMON MULTICAST CONFIGURATION COMMANDS
display mac-address multicast
Syntax
View
Parameter
Description
Use the display mac-address multicast command to display the multicast MAC
address entry/entries manually configured on the switch.
Executing this command with neither mac-address vlan vlan-id nor vlan
vlan-id will display the information about all the multicast MAC address entries
manually added on the switch, including the multicast MAC address, VLAN ID,
state of the MAC address, port number and aging time.
Executing this command with vlan vlan-id but without mac-address will display
the information about all the multicast MAC address entries manually added in
the specified VLAN, including the multicast MAC address, VLAN ID, state of the
MAC address, port number and aging time.
Executing this command with both mac-address and vlan vlan-id will display
the information about the multicast MAC address entries manually added in
the specified VLAN with the specified multicast MAC address, including the
multicast MAC address, VLAN ID, state of the MAC address, port number and
aging time.
Executing this command with count will display the information about the
number of multicast MAC address entries added on the switch.
Example
# Display all the multicast MAC address entries manually added in VLAN 1.
display mpm forwarding-table
Syntax
View
Parameter
Description
Example
# Display the information about all the multicast forward tables containing port
information.
<5500> display mpm forwarding-table
Total 1 entry(entries)
00001. (120.0.0.2, 225.0.0.2)
iif Vlan-interface1200
1 oif(s):
Vlan-interface32
Ethernet1/0/19
Total 1 entry(entries) Listed
Description
Total 1 entry(entries)
00001
Entry number
(120.0.0.2, 225.0.0.2)
iif Vlan-interface1200
1 oif(s):
Vlan-interface32
Ethernet1/0/19
Total 1 entry(entries) Listed
Description
Example
Description
Vlan(id):1200.
IP group(s):the following ip
group(s) match to one mac
group
IP group address
MAC group(s):
Host port(s)
Description
Host port(s)
display multicast forwarding-table
Syntax
View
Parameter
Description
Example
The following table describes the fields in the displayed information above:
Table 86 Description of the display multicast forwarding-table command fields
Field
Description
Total 1 entries
00001
Description
(10.0.0.4, 225.1.1.1)
(s,g)
122 packets that are 183,000 bytes in all match the (s,g)
entry, and 0 wrong packet matches the (s,g) entry.
Forwarded 122 pkts(183000 bytes)
122 packets that are 183,000 bytes in all are forwarded.
display multicast routing-table
Syntax
View
Parameter
Description
Example
# Display the information about the routing entries in the multicast routing table.
<5500> display multicast routing-table
Multicast Routing Table
Total 3 entries
(4.4.4.4, 224.2.149.17)
Uptime: 00:15:16, Timeout in 272 sec
Upstream interface: Vlan-interface1(4.4.4.6)
Downstream interface list:
Vlan-interface2(2.2.2.4), Protocol 0x1: IGMP
(4.4.4.4, 224.2.254.84)
Uptime: 00:15:16, Timeout in 272 sec
Description
Total 3 entries
(4.4.4.4, 224.2.149.17)
Upstream interface:
Vlan-interface1(4.4.4.6)
Vlan-interface2(2.2.2.4),
Protocol 0x1: IGMP
Matched 3 entries
display multicast-source-deny
Syntax
View
Parameter
Description
If you specify neither the port type nor the port number, the multicast source
port suppression information about all the ports on the switch is displayed.
If you specify the port type only, the multicast source port suppression
information about all ports of this type is displayed.
If you specify both the port type and the port number, the multicast source port
suppression information about the specified port is displayed.
Examples
The information mentioned above shows that multicast source port suppression is
disabled on Ethernet 1/0/1.
# Display the multicast source port suppression state of GigabitEthernet1/0/1.
<5500G> display multicast-source-deny interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1
Multicast-source-deny disabled.
The information mentioned above shows that multicast source port suppression is
disabled on GigabitEthernet1/0/1.
mac-address multicast
interface
Syntax
View
Parameter
System view
mac-address: Multicast MAC address.
vlan-id: VLAN ID.
interface-list: Defines one or multiple forwarding ports. You can provide up to 10
port lists, by each of which you can specify an individual port in the form of
interface-type interface-number, or a port range in the form of interface-type
start-interface-number to interface-type end-interface-number, where the end
port number must be greater than the start port number. Refer to Port Basic
Configuration Commands on page 173.
Description
Use the mac-address multicast command to add a multicast MAC address entry.
Use the undo mac-address multicast command to remove a multicast MAC
address entry.
Each multicast MAC address entry contains multicast address, forward port, VLAN
ID, and so on.
Related command: display mac-address multicast static.
Examples
mac-address multicast
vlan
Syntax
View
Parameter
Description
Use the mac-address multicast vlan command to add a multicast MAC address
entry.
Use the undo mac-address multicast vlan command to remove a multicast
MAC address entry.
Each multicast MAC address entry contains multicast address, VLAN ID, and so on.
Related command: display mac-address multicast static.
Examples
multicast route-limit
Syntax
System view
Parameter
limit: Limit on the capacity of the multicast routing table, in the range of 0 to 256
on the Switch 5500 and 0 to 1024 on the Switch 5500G.
Description
Use the multicast route-limit command to limit the capacity of the multicast
routing table. The router will drop the protocol and data packets of the new (S, G)
when the limit is reached.
Use the undo multicast route-limit command to restore the default limit on the
capacity of the multicast routing table.
By default, the limit on the capacity of the multicast routing table is 256 on the
Switch 5500 and 1024 on the Switch 5500G.
If the number of existing routing entries exceeds the value to be configured when
you configure this command, the existing entries in the routing table will not be
removed. Instead, the system will prompt that the number of existing routing
entries is more than the limit to be configured.
If you execute this command again, the new configuration will overwrite the
former configuration.
Example
# Set the limit on the capacity of the multicast routing table to 100.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] multicast route-limit 100
multicast
routing-enable
Syntax
multicast routing-enable
undo multicast routing-enable
View
Parameter
Description
System view
None
Use the multicast routing-enable command to enable the IP multicast routing
feature.
Use the undo multicast routing-enable command to disable the IP multicast
routing feature.
IP multicast routing is disabled by default.
Related command: pim dm, pim sm.
Example
multicast
storing-enable
Syntax
multicast storing-enable
undo multicast storing-enable
View
Parameter
Description
System view
None
Use the multicast storing-enable command to enable the multicast packet
buffering feature.
Use the undo multicast storing-enable command to disable the multicast
packet buffering feature.
With the multicast packet buffering feature enabled, multicast packets delivered
to the CPU are buffered while the corresponding multicast forwarding entries are
being created, and are then forwarded according to those entries once they have
been created.
By default, this function is not enabled.
Example
multicast
storing-packet
Syntax
View
Parameters
Description
Examples
multicast-source-deny
Syntax
View
Parameter
Description
Examples
# Enable the multicast source port suppression feature on all the ports of the
switch.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] multicast-source-deny
reset multicast
forwarding-table
Syntax
View
Parameter
Description
Example
# Clear the forwarding entries whose group address is 225.5.4.3 in the MFC
forwarding table.
<5500> reset multicast forwarding-table 225.5.4.3
# Clear the statistics about the forwarding entries whose group address is
225.5.4.3 in the MFC forwarding table.
<5500> reset multicast forwarding-table statistics 225.5.4.3
reset multicast
routing-table
Syntax
View
Parameter
Description
Use the reset multicast routing-table command to clear the routing entries in
the multicast core routing table and remove the corresponding forwarding entries
in the MFC forwarding table.
The order of the group-address argument and the source-address argument can
be reversed. However, you must input valid group addresses and source addresses;
otherwise, the system prompts an error.
Related command: reset pim routing-table, reset multicast
forwarding-table, display multicast forwarding-table.
Example
# Clear the routing entries whose group address is 225.5.4.3 from the multicast
core routing table.
<5500> reset multicast routing-table 225.5.4.3
unknown-multicast
drop enable
Syntax
View
Parameter
Description
System view
None
Use the unknown-multicast drop enable command to enable the unknown
multicast drop feature on the switch.
Use the undo unknown-multicast drop enable command to disable the
unknown multicast drop feature on the switch.
Example
31
display igmp group
Syntax
View
Parameter
Description
Use the display igmp group command to display the member information of an
IGMP multicast group.
You can specify to display the information of a group or the member information
of the multicast group on an interface. The displayed information contains the
multicast groups that are added by downstream hosts through IGMP or through
command line.
Related command: igmp host-join.
Example
Description
Group address
Last Reporter
Uptime
Time elapsed since multicast group was discovered (hh: mm: ss).
Expires
View
Any view
Parameter
Description
Use the display igmp interface command to display the IGMP configuration and
running information on an interface.
Example
Description
IGMP version
IGMP version
query interval
querier timeout
robust count
query timeout
IGMP querier
igmp enable
Syntax
igmp enable
undo igmp enable
View
Parameter
Description
Interface view
None
Use the igmp enable command to enable IGMP on an interface.
Use the undo igmp enable command to disable IGMP on an interface.
By default, IGMP is disabled on an interface.
These commands do not take effect until the multicast routing feature is enabled.
You need to use this command before you can configure other IGMP features.
Related command: multicast routing-enable.
Example
igmp group-limit
Syntax
View
Parameter
Description
Interface view
limit: Quantity of multicast groups, in the range of 0 to 256.
Use the igmp group-limit command to configure the maximum number of
multicast groups allowed on the interface. The router does not process any new
IGMP report messages if the number of multicast groups on the interface reaches
the limit.
Use the undo igmp group-limit command to restore the default setting.
By default, up to 256 multicast groups can be joined to an interface.
If you use the command for a second time, the new configuration overwrites the
old one.
Example
CAUTION:
After the maximum number of multicast groups is reached, the interface will
not join any new multicast group.
If the number of existing multicast groups is larger than the configured limit on
the number of joined multicast groups on the interface, the system will remove
the oldest entries automatically until the number of multicast groups on the
interface is conforming to the configured limit.
igmp group-policy
Syntax
View
Parameter
Interface view
acl-number: Number of the basic IP ACL number, defining a multicast group
range. The value ranges from 2,000 to 2,999.
1: Specifies IGMP version 1.
2: Specifies IGMP version 2. If IGMP version is not specified, version 2 will be used
by default.
port interface-list: Defines one or multiple forwarding ports. You can provide up
to 10 port lists, by each of which you can specify an individual port in the form of
interface-type interface-number, or a port range in the form of interface-type
start-interface-number to interface-type end-interface-number, where the end
port number must be greater than the start port number. Refer to the parameter
description in the Port Basic Configuration Commands on page 173.
In LoopBack interface view, this command does not support the port interface-list
option.
Description
Use the igmp group-policy command to configure a multicast group filter on the
interface to control the access to IP multicast groups.
Use the undo igmp group-policy command to remove the configured filter.
By default, no filter is configured; that is, a host can join any multicast group.
If you do not want the hosts on the network attached to the interface to join some
multicast groups and to receive packets from the multicast groups, use this
command to limit the range of the multicast groups serviced by the interface.
Related command: igmp host-join.
Example
# Configure that only the hosts matching ACL 2000 rules on VLAN-interface10
can be added to the multicast group whose IGMP version is specified as 2.
[5500] interface Vlan-interface 10
[5500-Vlan-interface10] igmp group-policy 2000 2
igmp group-policy
vlan
Syntax
View
Parameter
Description
Use the igmp group-policy vlan command to set the filter of multicast groups
on a port to control the access to the IP multicast groups.
Use the undo igmp group-policy vlan command to remove the configured filter.
By default, no filter is configured; that is, a host can join any multicast group.
To restrict the hosts on the network attached to an interface from joining certain
multicast groups, you can use this command to limit the range of multicast groups
that the interface serves. This command performs the same function as the igmp
group-policy command does. Note that the configured port must belong to the
specified VLAN, and the IGMP protocol must be enabled on this port; otherwise,
the configuration does not take effect.
# Configure that only the hosts matching ACL 2000 rules on Ethernet1/0/1 can be
added to the multicast group.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 10
[5500-Vlan-interface10] igmp enable
[5500-Vlan-interface10] quit
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] port access vlan 10
[5500-Ethernet1/0/1] igmp group-policy 2000 vlan 10
# Configure that only the hosts matching ACL 2000 rules on GigabitEthernet1/0/1
can be added to the multicast group.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface Vlan-interface 10
[5500G-Vlan-interface10] igmp enable
[5500G-Vlan-interface10] quit
[5500G] interface GigabitEthernet 1/0/1
[5500G-GigabitEthernet1/0/1] port access vlan 10
[5500G-GigabitEthernet1/0/1] igmp group-policy 2000 vlan 10
View
Parameter
Interface view
group-address: Multicast address of the multicast group that an interface will join.
port interface-list: Defines one or multiple forwarding ports. You can provide up
to 10 port lists, by each of which you can specify an individual port in the form of
interface-type port-number, or a port range in the form of interface-type
start-interface-number to interface-type end-interface-number, where the end
port number must be greater than the start port number. For details, refer to Port
Basic Configuration Commands on page 173.
In LoopBack interface view, this command does not support the port interface-list
option.
Description
Use the igmp host-join port command to enable a port in the VLAN interface of
a switch to join a multicast group.
Use the undo igmp host-join port command to remove the configuration.
By default, simulated joining is disabled.
Examples
View
Parameter
Description
Use the igmp host-join vlan command to enable an Ethernet port to join a
multicast group.
Use the undo igmp host-join vlan command to disable the configuration.
By default, simulated joining is disabled.
Related command: igmp group-policy.
Example
igmp lastmember-queryinterval
Syntax
View
Interface view
Parameter
seconds: Interval for the IGMP querier to send IGMP group-specific query
messages when it receives IGMP leave messages from the host. It is in the range of
one to five seconds.
Description
Use the igmp lastmember-queryinterval command to set the interval for the
IGMP querier to send IGMP group-specific query messages when it receives IGMP
leave messages from the host.
Use the undo igmp lastmember-queryinterval command to restore the default
value.
The interval for the IGMP querier to send IGMP group-specific query messages is
one second by default.
Related command: igmp robust-count, display igmp interface.
Example
igmp
max-response-time
Syntax
View
Interface view
Parameter
Description
igmp proxy
Syntax
View
Parameter
Description
Interface view
interface-number: Proxy interface number.
Use the igmp proxy command to specify an interface of the Layer 3 switch as the
IGMP proxy interface of another interface.
Use the undo igmp proxy command to disable this configuration.
The IGMP proxy feature is disabled by default.
You must enable the PIM protocol on the interface before configuring the igmp
proxy command on the interface. One interface cannot serve as the IGMP proxy
interface of two or more interfaces.
If the IGMP proxy feature is configured repeatedly on the same interface, the last
configuration takes effect.
Related command: pim neighbor-policy.
Example
igmp robust-count
Syntax
View
Parameter
Interface view
robust-value: IGMP robustness variable, namely the number of IGMP
group-specific query messages the switch sends after receiving an IGMP Leave
message. This value ranges from 2 to 5.
Description
Use the igmp robust-count command to set the number of IGMP group-specific
query messages the switch sends after receiving an IGMP Leave message.
Use the undo igmp robust-count command to restore the default value.
By default, an IGMP querier sends two IGMP group-specific query messages after
receiving an IGMP Leave message.
Related command: igmp lastmember-queryinterval, display igmp interface.
Example
igmp timer
other-querier-present
Syntax
View
Interface view
Parameter
Description
View
Interface view
Parameter
seconds: Interval at which a router transmits IGMP query messages, in the range
of 1 to 65,535 seconds.
Description
Use the igmp timer query command to configure the interval at which a router
interface sends IGMP query messages.
Use the undo igmp timer query command to restore the default value.
By default, a router interface transmits IGMP query messages at the interval of 60
seconds.
A multicast router periodically sends out IGMP general query messages to
attached segments to find hosts that belong to different multicast groups. The
query interval can be modified according to the practical conditions of the
network.
Related command: igmp timer other-querier-present.
Example
igmp version
Syntax
igmp version { 1 | 2 }
Interface view
1: Specifies IGMP Version 1.
2: Specifies IGMP Version 2.
Description
Use the igmp version command to specify the version of IGMP that a router uses.
Use the undo igmp version command to restore the default value.
The default IGMP version is IGMP version 2.
All routers on a subnet must support the same version of IGMP. After detecting
the presence of IGMP Version 1 system, a router cannot automatically switch to
Version 1.
Example
View
Parameter
Description
Example
Use the reset igmp group command to delete an existing multicast group from
the interface. The deleted group can be added to the VLAN interface again.
# Delete all multicast groups on all the interfaces.
<5500> reset igmp group all
32
bsr-policy
Syntax
bsr-policy acl-number
undo bsr-policy
View
Parameter
Description
PIM view
acl-number: ACL number imported in BSR filtering policy, in the range of 2000 to
2999.
Use the bsr-policy command to limit the range of legal BSRs to prevent BSR
spoofing.
Use the undo bsr-policy command to restore the default setting; that is, no range
limit is set and all received messages are taken as legal.
In the PIM SM network using BSR (bootstrap router) mechanism, every router can
set itself as C-BSR (candidate BSR) and take the authority to advertise RP
information in the network once it wins in the contention. To prevent malicious
BSR spoofing in the network, the following two measures need to be taken:
Prevent the router from being spoofed by hosts that fake legal BSR messages to
modify the RP mapping. BSR messages are multicast and their TTL is 1, so this
type of attack often hits edge routers. Fortunately, BSRs are inside the
network, while attacking hosts are outside; therefore, neighbor and RPF checks
can be used to stop this type of attack.
Problems may still exist if a legal BSR is attacked, though these two measures can
effectively guarantee high BSR security.
The source keyword in the rule command is translated into BSR address in the
bsr-policy command.
Example
c-bsr
Syntax
View
Parameter
PIM view
interface-type interface-number: Specifies an interface. This configuration takes
effect only after PIM-SM is enabled on the interface.
hash-mask-len: Length of the hash mask used to calculate RP. The value ranges
from 0 to 32. If you do not provide this parameter, the system uses the
corresponding global value.
priority: C-BSR priority. The value ranges from 0 to 255. If you do not provide this
parameter, the system uses the corresponding global value. The greater the value
of the priority, the higher the priority of the C-BSR.
Description
Example
# Configure the switch as a C-BSR with a priority of 2 (and the C-BSR address is
designated as the IP address of VLAN-interface 10).
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] multicast routing-enable
[5500] pim
[5500-pim] c-bsr vlan-interface 10 24 2
c-rp
Syntax
View
Parameter
PIM view
interface-type interface-number: Specifies an interface of which the IP address will
be advertised as a C-RP address.
acl-number: Number of the basic ACL that defines a group range. This range is the
service range of the advertised RP. The value ranges from 2,000 to 2,999.
priority-value: C-RP priority, in the range of 0 to 255, 0 by default. The greater the
value, the lower the priority level.
all: Removes all candidate RP configurations.
Description
Example
# Configure the switch to advertise itself to the BSR as a C-RP in the PIM
domain. Basic ACL 2000 defines the groups related to the RP. The address of
the C-RP is designated as the IP address of VLAN-interface 10.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] multicast routing-enable
[5500] acl number 2000
[5500-acl-basic-2000] rule permit source 225.0.0.0 0.255.255.255
[5500-acl-basic-2000] quit
[5500] pim
[5500-pim] c-rp vlan-interface 10 group-policy 2000
crp-policy
Syntax
crp-policy acl-number
undo crp-policy
View
PIM view
Parameter
Description
acl-number: Advanced ACL number, ranging from 3000 to 3999. When defining
the ACL, use the source keyword in the rule command to specify a C-RP address
and use the destination keyword to specify a multicast address range that the
C-RP will serve.
Use the crp-policy command to configure a valid C-RP address range and a
multicast address range that a C-RP serves, so as to prevent C-RP spoofing.
Use the undo crp-policy command to restore the default setting.
By default, there is no limit on the C-RP address range or the multicast address
range that a C-RP serves; that is, all C-RP-Adv messages are considered
valid.
Example
# Configure a valid C-RP address range and a multicast group range that the C-RP
serves, allowing only multicast devices in the range of 1.1.1.1/32 to be C-RPs
and to serve only the multicast groups in the range of 225.1.0.0/16.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] multicast routing-enable
[5500] pim
[5500-pim] crp-policy 3000
[5500-pim] quit
[5500] acl number 3000
[5500-acl-adv-3000] rule 0 permit source 1.1.1.1 0 destination 225.1.0.0 0.0.255.255
Example
Description
BSR address
Description
Priority
Priority of BSR
Mask Length: 30
Length of mask
Expires: 00:01:55
Description
Example
Description
PIM version
Version of PIM
PIM mode
Hello interval
PIM DR
Designated router
Example
Uptime
1637
Expires
89
Description
Neighbor Address
Neighbor address
Interface
Uptime
Expires
display pim
routing-table
Syntax
View
Parameter
Use the display pim routing-table command to display information about the
PIM multicast routing table.
The displayed information about the PIM multicast routing table includes the SPT
information and RPF information.
Example
Description
Total number of (S, G), (*, G) and (*, *, RP) entries in the
PIM routing table
(*, 228.0.0.0)
RP
Rendezvous point
Protocol
Flag
Uptime
Upstream interface
Incoming interface
Upstream neighbor
Upstream neighbor
Description
RPT neighbor
Description
Example
Description
RP-Set
Group/MaskLen: 224.0.0.0/4
RP 4.4.4.6
Version: 2
Priority: 0
Uptime: 00:39:50
Expires: 00:01:40
pim
Syntax
pim
undo pim
View
Parameter
Description
System view
None
Use the pim command to enter PIM view and configure the global PIM
parameters. You cannot use the pim command to enable the PIM protocol.
Use the undo pim command to exit to system view and clear the global PIM
parameter configurations.
Example
pim bsr-boundary
Syntax
pim bsr-boundary
undo pim bsr-boundary
View
Parameter
Description
Interface view
None
Use the pim bsr-boundary command to configure an interface of the switch as
the PIM-SM domain border.
Use the undo pim bsr-boundary command to remove the configured PIM-SM
domain border.
By default, no PIM-SM domain border is configured on the switch.
After you use this command to set a PIM-SM domain border on an interface, no
Bootstrap message can cross this domain border. However, the other PIM packets
can pass this domain border. In this way, you can divide the PIM-SM-running
network into multiple domains, each of which uses a different Bootstrap router.
Note that you cannot use this command to set up a multicast boundary. Instead,
this command configures just a PIM Bootstrap packet boundary.
pim dm
Syntax
pim dm
undo pim dm
View
Parameter
Description
Interface view
None
Use the pim dm command to enable PIM-DM.
Use the undo pim dm command to disable PIM-DM.
By default, PIM-DM is disabled.
Before enabling PIM-DM, make sure you enable multicast routing protocol by
using the multicast routing-enable command in system view.
Example
pim neighbor-limit
Syntax
View
Parameter
Interface view
limit: Upper limit on the number of PIM neighbors on the VLAN interface, in the
range of 0 to 128.
Description
Use the pim neighbor-limit command to limit the number of PIM neighbors on a
router interface. No neighbor can be added to the router any more when the limit
is reached.
Use the undo pim neighbor-limit command to restore the default setting.
By default, the number of PIM neighbors on a VLAN interface can be up to 128.
If the number of existing PIM neighbors exceeds the configured limit, they will not
be deleted.
Example
pim neighbor-policy
Syntax
Parameter
Description
Example
pim sm
Syntax
pim sm
undo pim sm
View
Parameter
Description
Interface view
None
Use the pim sm command to enable the PIM-SM protocol.
Use the undo pim sm command to disable the PIM-SM protocol.
By default, the PIM-SM protocol is disabled on the switch.
You must enable the PIM-SM protocol on each interface respectively. Generally,
the PIM-SM protocol is enabled on each interface.
Related command: multicast routing-enable.
Example
View
Parameter
Description
Interface view
seconds: Hello interval in seconds, in the range of 1 to 18,000.
Use the pim timer hello command to set the interval at which the current
interface sends Hello messages.
Use the undo pim timer hello command to restore the default value of the
interval.
By default, an interface sends Hello messages at the interval of 30 seconds.
When the PIM-SM protocol is enabled on an interface, the switch periodically
sends Hello messages to the network devices supporting PIM to discover
neighbors. If the interface receives Hello messages, it means that the interface is
connected to neighboring network devices that support PIM, and the interface will
add the neighbors to its own neighbor list. If the interface does not receive any
Hello message from a neighbor in its neighbor list within the specified time, the
neighbor is considered to have left the multicast group.
Example
register-policy
Syntax
register-policy acl-number
undo register-policy
View
Parameter
Description
PIM view
acl-number: Number of IP advanced ACL that defines the rule for filtering the
source and group addresses. The value ranges from 3000 to 3999. Only register
messages that match the permit statement can be accepted by the RP.
Use the register-policy command to configure a rule for filtering register
messages.
Use the undo register-policy command to remove a rule for filtering register
messages.
By default, no rule for filtering register messages is configured.
Example
View
Parameter
User view
all: Specifies all PIM neighbors.
neighbor-address: Neighbor address.
interface-type interface-number: Specifies an interface.
Description
Use the reset pim neighbor command to clear all PIM neighbors or PIM
neighbors on the specified VLAN interface.
Related command: display pim neighbor.
Example
reset pim
routing-table
Syntax
View
Parameter
Description
Use the reset pim routing-table command to clear all PIM route entries or the
specified PIM route entry.
You can type in a source address before a group address in the command, as long
as they are valid. An error message will be given if you type in an invalid address.
# Clear the route entries with group address 225.5.4.3 from the PIM routing table.
<5500> reset pim routing-table 225.5.4.3
spt-switch-threshold
Syntax
View
Parameter
PIM view
infinity: Specifies to disable RPT-to-SPT switchover.
group-policy acl-number: Specifies to enable this configuration in a multicast
group that matches the specified group policy. acl-number indicates a basic ACL
number, ranging from 2000 to 2999. If this parameter is not provided, the
configuration applies to all the multicast groups.
order order-value: Specifies the order number of the ACL in the group-policy list,
where order-value has an effective range of 1 to (the largest order value in the
existing group-policy list + 1), but the value range should not include the original
order value of the ACL in the group-policy list. If you have assigned an order-value
to a certain ACL, do not specify the same order-value for another ACL; otherwise
the system gives error information. If you do not specify an order-value, the order
value of the ACL will remain the same in the group-policy list.
Description
Example
To adjust the order of an ACL that already exists in the group-policy list, you
can use the acl-number argument to specify this ACL and set its order-value.
This will insert the ACL to the position of order-value in the group-policy list.
The order of the other existing ACLs in the group-policy list will remain
unchanged.
To use an ACL in the group-policy list, you can use the acl-number argument to
specify this ACL and set its order-value. This will insert the ACL to the position
of order-value in the group-policy list. If you do not include the order
order-value option in your command, the ACL will be appended to the end of
the group-policy list.
If you use this command multiple times on the same multicast group, the first
matched traffic rate configuration in sequence will take effect.
source-lifetime
Syntax
source-lifetime interval
undo source-lifetime
View
PIM view
Parameter
Description
Example
CAUTION: The aging time configuration acts on all (S, G) entries in the PIM
routing table and the multicast routing table, rather than on a specific (S, G)
entry. The configuration changes the aging time of all the existing (S, G) entries.
# Set the multicast source lifetime to 3000 seconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] pim
[5500-pim] source-lifetime 3000
source-policy
Syntax
source-policy acl-number
undo source-policy
View
Parameter
Description
PIM view
acl-number: Basic or advanced ACL, in the range of 2000 to 3999.
Use the source-policy command to configure the router to filter the received
multicast data packets according to the source address or group address.
Use the undo source-policy command to remove the configuration.
If source address filtering and basic ACLs are configured, the router filters the
source addresses of all multicast data packets received. Those not matched will
be discarded.
If source address filtering and advanced ACLs are configured, the router filters
the source and group addresses of all multicast data packets received. Those not
matched will be discarded.
When this feature is configured, the router filters not only multicast data, but also
the multicast data encapsulated in the registration packets.
The new configuration overwrites the old one if you run the command for a
second time.
Example
# Configure to receive the multicast data packets from any source address and
discard those from 10.10.1.1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] multicast routing-enable
[5500] pim
[5500-pim] source-policy 2000
[5500-pim] quit
[5500] acl number 2000
[5500-acl-basic-2000] rule deny source 10.10.1.1 0
[5500-acl-basic-2000] rule permit source any
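The crp-policy and source-policy examples above both depend on how the ACL's wildcard masks and rule order are evaluated. The following Python model is an added illustration, not 3Com code: it assumes rules are checked in the order listed with the first match deciding, and that anything unmatched is rejected (stated on this page for source-policy, assumed here for crp-policy). The names parse_rule, evaluate, CRP_ACL and SOURCE_ACL are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Match = Optional[Tuple[str, str]]  # (base address, wildcard mask); None = not specified


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits whose wildcard bit is 0 (the inverse of a netmask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    source: Match = None
    destination: Match = None

    def matches(self, src: str, dst: Optional[str]) -> bool:
        if self.source and not wildcard_match(src, *self.source):
            return False
        if self.destination:
            # A rule that constrains the destination cannot match input without one.
            if dst is None or not wildcard_match(dst, *self.destination):
                return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse a rule line as written in the examples on this page (prompt optional)."""
    tokens = line.split()
    if tokens and tokens[0].startswith("["):
        tokens = tokens[1:]                      # drop the CLI prompt
    if len(tokens) < 2 or tokens[0] != "rule":
        raise ValueError("not a rule line: %r" % line)
    i = 1
    if tokens[i].isdigit():                      # optional rule ID
        i += 1
    action = tokens[i]
    i += 1
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: %r" % action)
    if i < len(tokens) and tokens[i] == "ip":    # protocol keyword in advanced ACLs
        i += 1
    fields = {"source": None, "destination": None}
    while i < len(tokens):
        key = tokens[i]
        if key not in fields or i + 1 >= len(tokens):
            raise ValueError("unsupported or incomplete clause: %r" % key)
        if tokens[i + 1] == "any":
            fields[key] = ("0.0.0.0", "255.255.255.255")
            i += 2
        else:
            if i + 2 >= len(tokens):
                raise ValueError("missing wildcard after %r" % tokens[i + 1])
            wc = tokens[i + 2]
            fields[key] = (tokens[i + 1], "0.0.0.0" if wc == "0" else wc)  # "0" = single host
            i += 3
    return Rule(action, fields["source"], fields["destination"])


def evaluate(rules: List[Rule], src: str, dst: Optional[str] = None) -> bool:
    """First matching rule decides; no match means rejected (see assumptions above)."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action == "permit"
    return False


# Rule lines copied from the crp-policy and source-policy examples on this page.
CRP_ACL = [parse_rule(
    "[5500-acl-adv-3000] rule 0 permit source 1.1.1.1 0 destination 225.1.0.0 0.0.255.255")]
SOURCE_ACL = [parse_rule("rule deny source 10.10.1.1 0"),
              parse_rule("rule permit source any")]

if __name__ == "__main__":
    # Constructed test inputs: (C-RP address, advertised group) and data sources.
    print(evaluate(CRP_ACL, "1.1.1.1", "225.1.2.3"))   # legitimate C-RP, group in range
    print(evaluate(CRP_ACL, "1.1.1.2", "225.1.2.3"))   # C-RP address outside the permitted host
    print(evaluate(SOURCE_ACL, "10.10.1.1"))           # denied source
    print(evaluate(list(reversed(SOURCE_ACL)), "10.10.1.1"))  # permit-any first defeats the deny
```

Swapping the two source-policy rules lets 10.10.1.1 through under this model, which is why the deny rule is entered before the permit-any rule.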
static-rp
Syntax
View
Parameter
PIM view
rp-address: Static RP address. It must be a legal unicast IP address.
acl-number: Basic ACL, used to control the range of multicast group served by
static RP. Its value ranges from 2000 to 2999. If no ACL is specified upon
configuration, static RP will serve all multicast groups; if an ACL is specified, static
RP will only serve the multicast group passing the ACL.
Description
Example
33
cache-sa-enable
Syntax
cache-sa-enable
undo cache-sa-enable
View
Parameter
Description
MSDP view
None
Use the cache-sa-enable command to enable the SA message caching
mechanism.
Use the undo cache-sa-enable command to disable the SA message caching
mechanism.
By default, the switch caches all (S, G) entries it received.
With the SA message caching mechanism enabled, the switch sends no SA
request message to the specified MSDP peer when it receives a Join message.
Example
Example
Up/Down time
00:00:13
AS
100
SA Count
0
Reset Count
0
Description
Peers Address
State
State
Up/Down time
Up/down time
AS
AS number
SA Count
SA count
Reset Count
display msdp
peer-status
Syntax
View
Parameter
Description
Example
Incoming/outgoing SA messages: 0/0
Incoming/outgoing SA requests: 0/0
Incoming/outgoing SA responses: 0/0
Incoming/outgoing data packets: 0/0
Description
MSDP Peer
AS
State
Shutdown: Deactivated
Resets
Up/Down time
Connection interface
SA requests information
Description
Incoming/outgoing SA messages:
Number of SA messages received and
sent
Incoming/outgoing SA responses:
Number of SA responses received and
sent
Description
Use the display msdp sa-cache command to display (S, G) entries in the MSDP
cache.
Note that:
This command gives the corresponding output only after the cache-sa-enable
command is executed.
If you do not provide a source address, this command will display the
information of all sources in the specified multicast group.
If you do not provide a group address and a source address, this command will
display the information of all cached entries.
If you do not provide an AS number, this command will display the information
related to all ASs.
Example
Origin RP      Pro  AS  Uptime    Expires
10.10.10.10    ?    ?   00:00:10  00:05:50
10.10.10.10    ?    ?   00:00:11  00:05:49
10.10.10.10    ?    ?   00:00:11  00:05:49
10.10.10.10    ?    ?   00:00:11  00:05:49
10.10.10.10    ?    ?   00:00:11  00:05:49
Description
(Source, Group)
Origin RP
Pro
AS
Uptime
Length of time for which the cached (S, G) entry has been existing,
in hours:minutes:seconds
Expires
Example
Description
Peer's Address
Number of SA
AS
Number of source
Number of group
import-source
Syntax
View
MSDP view
Parameter
Description
Use the import-source command to specify the (S, G) entries in this domain that
need to be advertised when an MSDP peer creates an SA message.
Use the undo import-source command to cancel the configuration.
By default, an SA message advertises all the (S, G) entries in the domain.
In addition, you can use the peer sa-policy import command or the peer
sa-policy export command to filter forwarded SA messages.
Example
# Configure the (S, G) entries in the multicast routing table to be advertised when
an MSDP peer creates an SA message.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] acl number 3101
[5500-acl-adv-3101] rule permit ip source 10.10.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255
[5500-acl-adv-3101] quit
[5500] msdp
[5500-msdp] import-source acl 3101
msdp
Syntax
msdp
undo msdp
View
Parameter
Description
System view
None
Use the msdp command to enable MSDP and enter MSDP view.
Use the undo msdp command to clear all configurations in MSDP view, release
resources occupied by MSDP, and restore the initial state.
Related command: peer.
Example
msdp-tracert
Syntax
View
Parameter
Description
Example
Use the msdp-tracert command to trace the path along which an SA message
travels, so as to locate message loss and minimize configuration errors. After
determining the path of the SA message, you can prevent SA flooding through
correct configuration.
# Trace path information of 10.10.1.1, 225.2.2.2, and 20.20.20.20.
# Specify the maximum number of hops to be traced and collect the detailed SA
and MSDP peer information.
<5500> msdp-tracert 10.10.1.1 225.2.2.2 20.20.20.20 max-hops 10 sa-info peer-info
MSDP tracert: press CTRL_C to break
D-bit: set if have this (S,G) in cache but with a different RP
RP-bit: set if this router is an RP
NC-bit: set if this router is not caching SAs
C-bit: set if this (S,G,RP) tuple is in the cache
MSDP trace route path information:
Router Address: 20.20.1.1
Fixed-length response info:
Peer Uptime: 10 minutes, Cache Entry Uptime: 30 minutes
D-bit: 0, RP-bit: 1, NC-bit: 0, C-bit: 1
Return Code: Reached-max-hops
Next Hop info:
Next-Hop Router Address: 0.0.0.0
SA info:
Count of SA messages received for this (S,G,RP): 0
Count of encapsulated data packets received for this (S,G,RP):0
SA cache entry uptime: 00:30:00 , SA cache entry expiry time: 00:03:32
Peering info:
Peering Uptime: 10 minutes, Count of Peering Resets: 3
Description
Router Address
Peer Uptime
D-bit: 1
RP-bit: 1
NC-bit: 0
C-bit: 1
Return Code:
Reached-max-hops
Length of time for which the cached (S, G) entry has been
existing, in hours:minutes:seconds
Description
mtracert
Syntax
View
Parameter
Description
Example
Use the mtracert command to trace the transmission path of the packet sent by
the multicast source over the network.
# Trace the packets sent by the multicast source at 192.168.4.1.
<5500> mtracert 192.168.4.1
Type Ctrl+C to quit multicast traceroute facility
From last-hop router(192.168.2.2), trace reverse path to source 192.168.4.1 via RPF rules
-1 192.168.2.2
Incoming Interface Address: 192.168.2.2
Previous-Hop Router Address: 192.168.2.1
Input packet count on incoming interface: 0
Output packet count on outgoing interface: 0
Total number of packets for this source-group pair: 0
Protocol: PIM
Forwarding TTL: 0
Forwarding Code: No error
-2 192.168.2.1
Incoming Interface Address: 192.168.3.2
Previous-Hop Router Address: 192.168.3.1
Input packet count on incoming interface: 0
Output packet count on outgoing interface: 0
Total number of packets for this source-group pair: 0
Protocol: PIM
Forwarding TTL: 0
Forwarding Code: No error
-3 192.168.3.1
Incoming Interface Address: 192.168.4.2
Previous-Hop Router Address: 0.0.0.0
Input packet count on incoming interface: 0
Output packet count on outgoing interface: 0
Total number of packets for this source-group pair: 0
Protocol: PIM
Forwarding TTL: 0
Forwarding Code: No error
originating-rp
Syntax
View
Parameter
Description
MSDP view
interface-type interface-number: Specifies an interface.
Use the originating-rp command to configure the address of the specified
interface as the RP address in SA messages.
Use the undo originating-rp command to cancel configuration.
By default, the RP address in an SA message is the RP address configured by PIM.
Example
peer connect-interface
Syntax
View
Parameter
MSDP view
peer-address: IP address of the MSDP peer.
interface-type interface-number: Specifies an interface. The switch will use the
primary address of this interface as the source IP to establish a TCP connection
with the remote MSDP peer.
Description
Use the peer connect-interface command to specify an MSDP peer and connect
the switch with the MSDP peer through the specified interface.
Use the undo peer connect-interface command to remove an MSDP peering
connection.
If an MSDP peer of the switch is a BGP peer to this switch at the same time, the
same IP address must be used for both the MSDP peering connection and the BGP
peering connection.
Related command: static-rpf-peer.
Example
# Configure the router whose IP address is 125.10.7.6 as the MSDP peer of the
switch and establish a peering connection with the MSDP peer through
VLAN-interface 100.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] msdp
[5500-msdp] peer 125.10.7.6 connect-interface Vlan-interface 100
peer description
Syntax
View
Parameter
MSDP view
peer-address: IP address of the MSDP peer.
text: Descriptive text, case-sensitive. The maximum length is 80 characters.
Description
Use the peer description command to configure the descriptive text for an MSDP
peer so that the administrator can easily distinguish MSDP peers.
Use the undo peer description command to remove the configured descriptive
text.
By default, no descriptive text is configured for any MSDP peer.
Related command: display msdp peer-status.
Example
# Add the description text router CstmrA for the router 125.10.7.6, meaning
that router is customer A.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] msdp
[5500-msdp] peer 125.10.7.6 description router CstmrA
peer mesh-group
Syntax
View
Parameter
MSDP view
peer-address: IP address of an MSDP peer in a mesh group.
name: Name of a mesh group, case-sensitive and containing 1 to 32 characters.
Description
Use the peer mesh-group command to add an MSDP peer to a mesh group.
Use the undo peer mesh-group command to cancel the configuration.
By default, an MSDP peer does not belong to any mesh group.
Example
peer minimum-ttl
Syntax
View
Parameter
MSDP view
peer-address: IP address of the MSDP peer to which the minimum TTL setting
applies.
ttl-value: Minimum required TTL value, ranging from 0 to 255.
Description
Use the peer minimum-ttl command to configure the minimum required TTL
value for a multicast packet encapsulated in an SA message to be forwarded to
the specified MSDP peer.
Use the undo peer minimum-ttl command to restore the system default.
By default, the minimum required TTL value is 0.
Related command: peer.
Example
peer
request-sa-enable
Syntax
View
Parameter
Description
MSDP view
peer-address: IP address of the MSDP peer.
Use the peer request-sa-enable command to enable the router to send an SA
request message to the specified MSDP peer upon receipt of a Join message.
Use the undo peer request-sa-enable command to remove the configuration.
By default, upon receipt of a Join message, the router sends no SA request
message to the MSDP peer but waits for the next SA message.
Related command: cache-sa-enable.
Example
peer
sa-cache-maximum
Syntax
View
Parameter
MSDP view
peer-address: IP address of the MSDP peer.
sa-limit: Maximum number of SA messages cached, ranging from 1 to 2,048.
Description
peer sa-policy
Syntax
View
Parameter
MSDP view
import: Filters the SA messages from the specified MSDP peer.
export: Filters the SA messages to be forwarded to the specified MSDP peer.
peer-address: IP address of an MSDP peer.
acl acl-number: Specifies an advanced ACL number, ranging from 3000 to 3999. If
no ACL is specified, all (S, G) entries will be filtered out.
Description
Use the peer sa-policy command to configure a filtering rule for receiving or
forwarding SA messages.
Use the undo peer sa-policy command to remove the configuration.
By default, no SA message filter is configured; namely, all SA messages are
received or forwarded.
Related command: peer.
Example
# Configure a filtering rule so that only those SA messages permitted by the ACL
3100 are forwarded to the MSDP peer 125.10.7.6.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] acl number 3100
[5500-acl-adv-3100] rule permit ip source 170.15.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255
[5500-acl-adv-3100] quit
[5500] msdp
[5500-msdp] peer 125.10.7.6 connect-interface Vlan-interface 100
[5500-msdp] peer 125.10.7.6 sa-policy export acl 3100
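The effect of the export filter above on individual (S, G) entries can be checked offline. The following is an added example, not code from 3Com: it models wildcard-mask matching for the rule in ACL 3100, and it assumes rules are evaluated in the order listed with the first match deciding. An entry that matches no rule is treated as filtered, in line with the statement that only permitted SA messages are forwarded. The sample entries are constructed.

```python
import ipaddress


def _to_int(addr):
    """Dotted-decimal IPv4 address or wildcard mask as a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0.

    A wildcard bit of 1 means "do not care", so 0.0.255.255 compares only
    the first two octets. The mask does not have to be contiguous.
    """
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


# The single rule of ACL 3100 from the example above:
# (action, source, source wildcard, destination, destination wildcard)
ACL_3100 = [
    ("permit", "170.15.0.0", "0.0.255.255", "225.1.0.0", "0.0.255.255"),
]


def sa_entry_permitted(acl, source, group):
    """Decide whether the (S, G) entry passes the SA filter.

    acl is None models "peer ... sa-policy" configured without an ACL,
    in which case all (S, G) entries are filtered out.
    Assumption: rules are checked in listed order, first match wins,
    and an entry matching no rule is filtered.
    """
    if acl is None:
        return False
    for action, src, src_wc, dst, dst_wc in acl:
        if wildcard_match(source, src, src_wc) and wildcard_match(group, dst, dst_wc):
            return action == "permit"
    return False


def filter_sa(acl, entries):
    """Return the (S, G) entries that would still be forwarded to the peer."""
    return [(s, g) for s, g in entries if sa_entry_permitted(acl, s, g)]


# Constructed (S, G) entries for illustration.
SAMPLE_ENTRIES = [
    ("170.15.3.4", "225.1.9.9"),   # source and group both inside the rule
    ("170.16.0.1", "225.1.0.1"),   # source outside 170.15.0.0/16
    ("170.15.0.1", "225.2.0.1"),   # group outside 225.1.0.0/16
    ("10.10.1.1", "225.1.1.1"),    # unrelated source
]

if __name__ == "__main__":
    for s, g in SAMPLE_ENTRIES:
        verdict = "forwarded" if sa_entry_permitted(ACL_3100, s, g) else "filtered"
        print(f"({s}, {g}): {verdict}")
```

Running the same check against the entries you expect a peer to learn is a quick way to confirm that a wildcard mask is not wider than intended before applying the ACL.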
peer sa-request-policy
Syntax
View
Parameter
MSDP view
peer-address: IP address of the MSDP peer whose SA request messages will be
filtered.
acl-number: Basic IP ACL number, describing a multicast group address and in the
range of 2000 to 2999. If no ACL is specified, all SA request messages will be
ignored.
Description
Use the peer sa-request-policy command to limit the SA request messages that
the router receives from an MSDP peer.
Use the undo peer sa-request-policy command to remove the limitation.
By default, the router receives all SA request messages from the MSDP peer.
If no ACL is specified, all SA requests will be ignored. If an ACL is specified, only
those SA request messages from the groups that match the ACL rule will be
processed and others are ignored.
Related command: peer.
Example
# Configure an ACL so that SA request messages from the group address range of
225.1.1.0/24 and from the MSDP peer 175.58.6.5 are received and other SA
messages are ignored.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] acl number 2001
[5500-acl-basic-2001] rule permit source 225.1.1.0 0.0.0.255
[5500-acl-basic-2001] quit
[5500] msdp
[5500-msdp] peer 175.58.6.5 sa-request-policy acl 2001
# Reset the TCP connection with the MSDP peer 125.10.7.6 and the statistics of
the MSDP peer.
<5500> reset msdp peer 125.10.7.6
Parameter
group-address: Group address; the cached (S, G) entries matching this address are
to be deleted from the SA cache. If no multicast group address is specified, all
cached SA entries will be cleared.
Description
Use the reset msdp sa-cache command to clear cached SA entries of the MSDP
peer.
Related command: cache-sa-enable, display msdp sa-cache.
Example
# Clear the cached entries whose group address is 225.5.4.3 from the SA cache.
<5500> reset msdp sa-cache 225.5.4.3
Parameter
peer-address: Address of the MSDP peer whose statistics, reset information and
input/output information will be cleared. If no MSDP peer address is specified, the
statistics information of all MSDP peers will be cleared.
Description
Use the reset msdp statistics command to clear the statistics information of one
or more MSDP peers without resetting the MSDP peer(s).
Example
shutdown
Syntax
shutdown peer-address
undo shutdown peer-address
View
Parameter
Description
MSDP view
peer-address: IP address of an MSDP peer.
Use the shutdown command to shut down the connection with the specified
MSDP peer.
Use the undo shutdown command to reactivate an MSDP peering connection.
By default, no MSDP peering connection is shut down.
Related command: peer.
Example
static-rpf-peer
Syntax
View
Parameter
MSDP view
peer-address: Address of the static RPF peer receiving SA messages.
rp-policy ip-prefix-name: Specifies a filtering policy based on RP addresses to filter
RPs in SA messages. ip-prefix-name is the IP address prefix list containing 1 to 19
characters.
Description
In the case that all the peers use the rp-policy keyword: Multiple static RPF
peers take effect at the same time. RPs in SA messages are filtered according to
the prefix list configured; only SA messages whose RP addresses pass the
filtering are received. If multiple static RPF peers using the same rp-policy
keyword are configured, when any of the peers receives an SA message, it will
forward the SA message to the other peers.
In the case that none of the peers use the rp-policy keyword: According to the
configuration sequence, only the first static RPF peer whose connection state is
UP is active. All the SA messages from this peer will be received and those from
other static RPF peers will be discarded. Once the active static RPF peer fails
(because the configuration is removed or the connection is terminated), based
on the configuration sequence, the subsequent first static RPF peer whose
connection is in the UP state will be selected as the active static RPF peer.
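The two selection cases described above can be expressed as a small decision function. This is an added example, not code from 3Com: the class and function names are hypothetical, the prefix list is modelled as a plain list of permitted networks, and a configuration that mixes peers with and without rp-policy is rejected because this section does not describe it. All addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StaticRpfPeer:
    address: str                             # peer-address of the static RPF peer
    up: bool                                 # True if the peering connection is UP
    rp_prefixes: Optional[List[str]] = None  # None: configured without rp-policy


def active_peer(peers):
    """Without rp-policy: the first UP peer in configuration order is active."""
    for peer in peers:
        if peer.up:
            return peer.address
    return None


def accept_sa(peers, from_peer, rp_address):
    """Return True if an SA message from from_peer carrying rp_address is received.

    peers must be listed in configuration order.
    """
    by_addr = {p.address: p for p in peers}
    peer = by_addr.get(from_peer)
    if peer is None or not peer.up:
        return False

    has_policy = [p.rp_prefixes is not None for p in peers]
    if all(has_policy):
        # All peers use rp-policy: every peer is effective, and the RP
        # address in the SA message must pass that peer's prefix list.
        rp = ipaddress.ip_address(rp_address)
        return any(rp in ipaddress.ip_network(net) for net in peer.rp_prefixes)
    if not any(has_policy):
        # No peer uses rp-policy: only the active peer's SA messages are
        # received; SA messages from the other peers are discarded.
        return active_peer(peers) == from_peer
    raise ValueError("mixed rp-policy configuration is not covered by this section")


if __name__ == "__main__":
    # Constructed peers, none of them using rp-policy.
    peers = [
        StaticRpfPeer("10.1.1.1", up=False),
        StaticRpfPeer("10.2.2.2", up=True),
        StaticRpfPeer("10.3.3.3", up=True),
    ]
    print(active_peer(peers))                            # 10.2.2.2
    print(accept_sa(peers, "10.3.3.3", "192.168.0.1"))   # False
    peers[1].up = False                                  # active peer fails
    print(active_peer(peers))                            # 10.3.3.3
```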
timer retry
Syntax
View
Parameter
Description
MSDP view
seconds: Connection request retry interval in seconds, ranging from 1 to 60.
Use the timer retry command to configure a connection request retry interval.
Use the undo timer retry command to restore the default value.
By default, the connection request retry interval is 30 seconds.
Related command: peer.
Example
34
display
igmp-snooping
configuration
Syntax
View
Parameter
Description
Example
display
igmp-snooping group
Syntax
View
Parameter
Description
Example
# Display the information about the multicast groups under all the VLANs.
<5500> display igmp-snooping group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):99.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Static Router port(s):
Ethernet1/0/11
Dynamic Router port(s):
Ethernet1/0/22
IP group(s):the following ip group(s) match to one mac group.
IP group address:228.0.0.0
Static host port(s):
Ethernet1/0/23
Dynamic host port(s):
Ethernet1/0/10
MAC group(s):
MAC group address:0100-5e00-0000
Host port(s):Ethernet1/0/10
Ethernet1/0/23
Description
Total 1 IP Group(s).
IP group address:
MAC group(s):
Host port(s)
Member ports
display
igmp-snooping
statistics
Syntax
View
Parameter
Description
Example
igmp-snooping
Syntax
Views
Parameter
Description
Use the igmp-snooping enable command to enable the IGMP Snooping feature.
Use the igmp-snooping disable command to disable the IGMP Snooping
feature.
By default, the IGMP Snooping feature is disabled.
Example
CAUTION:
Although both Layer 2 and Layer 3 multicast protocols can run on the same
switch simultaneously, they cannot run simultaneously in the same VLAN and
on the corresponding VLAN interface.
If IGMP Snooping and VLAN VPN are enabled on a VLAN at the same time,
IGMP queries are likely to fail to pass the VLAN. You can solve this problem by
configuring VLAN tags for the IGMP queries. For details, see igmp-snooping
vlan-mapping.
igmp-snooping
fast-leave
Syntax
View
Parameter
Description
Example
The fast leave processing function works for a port only if the host attached to
the port runs IGMPv2 or IGMPv3.
The configuration performed in system view takes effect on all ports of the
switch if no VLAN is specified; if one or more VLANs are specified, the
configuration takes effect on all ports in the specified VLAN(s).
The configuration performed in Ethernet port view takes effect on the port no
matter which VLAN it belongs to if no VLAN is specified; if one or more VLANs
are specified, the configuration takes effect on the port only if the port belongs
to the specified VLAN(s).
igmp-snooping
general-query
source-ip
Syntax
View
Parameter
VLAN view
current-interface: Specifies the current interface whose IP address is selected by
the Layer 2 multicast switch.
ip-address: Source IP address of the general query messages.
Description
Example
# Configure the Layer 2 multicast switch to send general query messages with the
source IP address 2.2.2.2 in VLAN 3.
<5500> system-view
System view, return to user view with Ctrl+Z.
[5500] igmp-snooping enable
[5500] vlan 3
[5500-vlan3] igmp-snooping enable
[5500-vlan3] igmp-snooping querier
[5500-vlan3] igmp-snooping general-query source-ip 2.2.2.2
igmp-snooping
group-limit
Syntax
View
Parameter
Description
Example
When the number of multicast groups exceeds the configured limit, the switch
removes its multicast forwarding entries starting from the oldest one. In this
case, the multicast packets for the removed multicast group(s) will be flooded
in the VLAN as unknown multicast packets. As a result, non-member ports can
receive multicast packets within a period of time.
The keyword overflow-replace does not apply to IGMPv3 Snooping, that is,
with IGMPv3 Snooping enabled, even if the keyword overflow-replace is
configured, a new multicast group will not replace an existing multicast group
when the number of multicast groups reaches the maximum value.
igmp-snooping
group-policy
Syntax
View
Parameter
Description
Example
Allow the port(s) to join only the multicast group(s) defined in the rule by a
permit statement.
Inhibit the port(s) from joining the multicast group(s) defined in the rule by a
deny statement.
A port can belong to multiple VLANs, but you can configure only one ACL rule per
VLAN on a port.
The configuration performed in system view takes effect on all ports of the
switch if no VLAN is specified; if one or more VLANs are specified, the
configuration takes effect on all ports in the specified VLAN(s).
The configuration performed in Ethernet port view takes effect on the port no
matter which VLAN it belongs to if no VLAN is specified; if one or more VLANs
are specified, the configuration takes effect on the port only if the port belongs
to the specified VLAN(s).
# Configure ACL 2000 to allow users under Ethernet1/0/1 to access the multicast
streams in groups 225.0.0.0 to 225.255.255.255.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] acl number 2000
[5500-acl-basic-2000] rule permit source 225.0.0.0 0.255.255.255
[5500-acl-basic-2000] quit
[5500] vlan 2
[5500-vlan2] port Ethernet 1/0/1
[5500-vlan2] quit
Configure ACL 2000 on Ethernet1/0/1 to allow this VLAN 2 port to join only
the IGMP multicast groups defined in the rule of ACL 2000.
# Configure ACL 2001 to allow users under Ethernet1/0/2 to access the multicast
streams in any groups except groups 225.0.0.0 to 225.0.0.255.
[5500] vlan 2
[5500-vlan2] port Ethernet 1/0/2
[5500-vlan2] quit
Configure ACL 2001 on Ethernet1/0/2 to allow this VLAN 2 port to join any
IGMP multicast groups except those defined in the deny rule of ACL 2001.
igmp-snooping
host-aging-time
Syntax
View
System view
Parameter
seconds: Aging time (in seconds) of multicast member ports, in the range of 200
to 1,000.
Description
Example
igmp-snooping
max-response-time
Syntax
System view
seconds: Query response timeout time in seconds, in the range of 1 to 25.
Use the igmp-snooping max-response-time command to configure the query
response timeout time.
Use the undo igmp-snooping max-response-time command to restore the
default timeout time.
By default, the query response timeout time is 10 seconds.
Related command: igmp-snooping, igmp-snooping router-aging-time.
Example
igmp-snooping
nonflooding-enable
Syntax
igmp-snooping nonflooding-enable
undo igmp-snooping nonflooding-enable
View
Parameter
Description
System view
None
Use the igmp-snooping nonflooding-enable command to enable the IGMP
Snooping non-flooding function.
Use the undo igmp-snooping nonflooding-enable command to disable the
IGMP Snooping non-flooding function.
By default, the IGMP Snooping non-flooding function is disabled.
You can configure this command only after IGMP Snooping is enabled globally. If
IGMP Snooping is disabled globally, the configuration of the igmp-snooping
nonflooding-enable command is also removed.
port suppression takes effect. In this case, multicast data received on the
blocked port will be dropped.
Example
# Enable IGMP Snooping non-flooding after you enable IGMP Snooping globally
and disable both port stacking and unknown-multicast dropping.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] igmp-snooping enable
[5500] igmp-snooping nonflooding-enable
igmp-snooping
querier
Syntax
igmp-snooping querier
undo igmp-snooping querier
View
Parameter
Description
VLAN view
None
Use the igmp-snooping querier command to enable the IGMP Snooping querier
feature on the current VLAN of the Layer 2 multicast switch.
Use the undo igmp-snooping querier command to disable the IGMP Snooping
querier feature on the current VLAN of the Layer 2 multicast switch.
By default, the IGMP Snooping querier feature of the Layer 2 multicast switch is
disabled.
Example
# Enable the IGMP Snooping feature on VLAN 3 of the Layer 2 multicast switch.
<5500> system-view
System view, return to user view with Ctrl+Z.
[5500] igmp-snooping enable
[5500] vlan 3
[5500-vlan3] igmp-snooping enable
[5500-vlan3] igmp-snooping querier
igmp-snooping
query-interval
Syntax
View
VLAN view
Parameter
seconds: Interval for the Layer 2 multicast switch to send general queries, ranging
from 1 to 300, in seconds.
Description
Example
# Configure the Layer 2 multicast switch to send general queries at the interval of
100 seconds in VLAN 3.
<5500> system-view
System view, return to user view with Ctrl+Z.
[5500] igmp-snooping enable
[5500] vlan 3
[5500-vlan3] igmp-snooping enable
[5500-vlan3] igmp-snooping querier
[5500-vlan3] igmp-snooping query-interval 100
igmp-snooping
router-aging-time
Syntax
View
System view
Parameter
seconds: Aging time (in seconds) of the router port, in the range of 1 to 1,000.
Description
Example
igmp-snooping
version
Syntax
View
Parameter
Description
VLAN view
version-number: IGMP version, in the range of 2 to 3 and defaulting to 2.
Use the igmp-snooping version command to configure the IGMP Snooping
version in the current VLAN.
Use the undo igmp-snooping version command to restore the default IGMP
Snooping version.
Example
igmp-snooping
vlan-mapping
Syntax
View
Parameter
Description
System view
vlan-id: VLAN ID, in the range of 1 to 4094.
Use the igmp-snooping vlan-mapping vlan command to transmit IGMP
general and group-specific query messages sent or forwarded by IGMP Snooping
in a specific VLAN.
Use the undo igmp-snooping vlan-mapping command to cancel the
configuration.
By default, the VLAN tag carried in IGMP general and group-specific query
messages sent or forwarded by IGMP Snooping is not changed.
Example
View
Parameters
Description
Use the igmp host-join port command to enable simulated joining on the
specified port(s) in VLAN interface view.
Use the undo igmp host-join port command to remove the configuration.
By default, simulated joining is disabled.
Example
igmp host-join
Syntax
View
Parameter
Description
Use the igmp host-join command to configure the current port as a simulated
multicast group member host.
Use the undo igmp host-join command to remove the current port as a
simulated multicast group member host.
Example
CAUTION:
Before configuring a simulated host, enable IGMP Snooping in VLAN view first.
The current port must belong to the specified VLAN; otherwise this
configuration does not take effect.
# Configure Ethernet 1/0/1 as a simulated host for multicast source 1.1.1.1 and
multicast group 225.0.0.1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] igmp-snooping enable
Enable IGMP-Snooping ok.
[5500] vlan 1
[5500-vlan1] igmp-snooping enable
[5500-vlan1] igmp-snooping version 3
[5500-vlan1] quit
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] igmp host-join 225.0.0.1 source-ip 1.1.1.1 vlan 10
multicast static-group
interface
Syntax
View
Parameter
Description
Example
The ports configured with this command handle Layer 2 multicast traffic only,
rather than Layer 3 multicast traffic.
# Configure ports Ethernet 1/0/1 to Ethernet 1/0/3 on VLAN-interface 1 as static
members ports for multicast group 225.0.0.1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 1
[5500-Vlan-interface1] multicast static-group 225.0.0.1 interface Ethernet 1/0/1 to Ethernet 1/0/3
multicast static-group
vlan
Syntax
View
Parameter
Description
Use the multicast static-group vlan command to configure the current port in
the specified VLAN(s) as a static member port for the specified multicast group.
Use the undo multicast static-group vlan command to remove the current port
in the specified VLAN(s) as a static member port for the specified multicast group.
By default, no port is configured as a static multicast group member port.
Example
The port configured with this command handles Layer 2 multicast traffic only,
rather than Layer 3 multicast traffic.
# Configure port Ethernet1/0/1 in VLAN 2 as a static member port for multicast
group 225.0.0.1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] multicast static-group 225.0.0.1 vlan 2
multicast
static-router-port
Syntax
View
Parameter
Description
VLAN view
interface-type interface-number: Type and number of an Ethernet port.
Use the multicast static-router-port command to configure the specified port in
the current VLAN as a static router port.
Use the undo multicast static-router-port command to remove the specified
port in the current VLAN as a static router port.
By default, the static router port function is disabled.
Example
multicast
static-router-port vlan
Syntax
View
Parameter
Description
Use the undo multicast static-router-port vlan command to remove the current
port in the specified VLAN as a static router port.
By default, the static router port function is disabled.
Example
reset igmp-snooping
statistics
Syntax
View
Parameter
Description
Example
service-type multicast
Syntax
service-type multicast
undo service-type multicast
View
Parameter
Description
VLAN view
None
Use the service-type multicast command to configure the current VLAN as a
multicast VLAN.
Use the undo service-type multicast command to remove the current VLAN as a
multicast VLAN.
By default, no VLAN is a multicast VLAN.
In an IGMP Snooping environment, by configuring a multicast VLAN and adding
ports to the multicast VLAN, you can allow users in different VLANs to share the
same multicast VLAN. This saves bandwidth because multicast streams are
transmitted only within the multicast VLAN. In addition, because the multicast
VLAN is isolated from user VLANs, this method also enhances the information
security.
Example
The multicast member port must be in the same multicast VLAN with the
router port. Otherwise, the port cannot receive multicast packets.
39
access-limit
Syntax
View
Parameters
Description
Use the access-limit command to set the maximum number of access users that
the current ISP domain can contain.
Use the undo access-limit command to restore the default setting.
By default, there is no limit on the number of access users in an ISP domain.
Because resource contention may occur among access users, there is a need to
limit the number of access users in an ISP domain so as to provide reliable
performance to the current users in the ISP domain.
Example
accounting
Syntax
View
Parameters
Description
Use the accounting command to configure an accounting scheme for the current ISP
domain.
Use the undo accounting command to cancel the accounting scheme
configuration for the current ISP domain.
By default, no separate accounting scheme is configured for an ISP domain.
When you use the accounting command to reference a RADIUS or HWTACACS
scheme in the current ISP domain, the RADIUS or HWTACACS scheme must already
exist.
The accounting command takes precedence over the scheme command. If the
accounting command is used in ISP domain view, the system uses the scheme
referenced in the accounting command to charge the users in the domain.
Otherwise, the system uses the scheme referenced in the scheme command to
charge the users.
Related commands: scheme, radius scheme, and hwtacacs scheme
Example
# Specify radius as the RADIUS accounting scheme that will be referenced by ISP
domain aabbcc.net.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] domain aabbcc.net
New Domain added.
[5500-isp-aabbcc.net] accounting radius-scheme radius
accounting optional
Syntax
accounting optional
undo accounting optional
View
Parameters
Description
Example
If the accounting optional command has been executed, the system does not
disconnect an online user when it finds no available accounting server or fails
to communicate with any accounting server while performing accounting for that
user.
The accounting optional command is commonly used in the cases where only
authentication is needed and accounting is not needed.
# Open the accounting-optional switch for the ISP domain named aabbcc.net.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] domain aabbcc.net
New Domain added.
[5500-isp-aabbcc.net] accounting optional
attribute
Syntax
View
Parameters
nas-ip ip-address: Sets the IP address of an access server, so that the user can be
bound to a port on the server. Here, ip-address is in dotted decimal notation and is
127.0.0.1 by default (representing this device). When binding the user to a remote
port, you must use nas-ip ip-address to specify a remote access server IP address.
When binding the user to a local port, you need not use nas-ip ip-address.
port port-number: Sets the port to which you want to bind the user. Here,
port-number is in the format of device ID/slot number/port number; the device ID
ranges from 1 to 8, the slot number ranges from 0 to 15 (if the bound port has no
slot number, just input 0 for this item) and the port number ranges from 1 to 255.
Description
Use the attribute command to set the attributes of a user whose service type is
lan-access.
Use the undo attribute command to cancel attribute settings of the user.
Related command: display local-user
Example
authentication
Syntax
View
Parameters
Description
# Reference the RADIUS scheme radius as the authentication scheme of the ISP
domain aabbcc.net.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] domain aabbcc.net
New Domain added.
[5500-isp-aabbcc.net] authentication radius-scheme radius
# Reference the RADIUS scheme rd as the authentication scheme and the local
scheme as the secondary authentication scheme of the ISP domain aabbcc.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] domain aabbcc
New Domain added.
[5500-isp-aabbcc] authentication radius-scheme rd local
authentication super
Syntax
View
Parameter
Description
The Switch 5500s adopt hierarchical protection for command lines so as to inhibit
users at lower levels from using higher level commands to configure the switches.
For details about configuring a HWTACACS authentication scheme for low-to-high
user level switching, refer to Switching User Level in the Switch 5500
Configuration Guide.
Related command: hwtacacs scheme
Example
# Set the HWTACACS scheme to ht for user level switching in the current ISP
domain aabbcc.net.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] domain aabbcc.net
New Domain added.
[5500-isp-aabbcc.net] authentication super hwtacacs-scheme ht
authorization
Syntax
View
Parameters
Description
# Allow users in ISP domain aabbcc.net to access network services without being
authorized.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] domain aabbcc.net
New Domain added.
[5500-isp-aabbcc.net] authorization none
authorization vlan
Syntax
View
Parameter
string: Number or descriptor of the authorization VLAN for the current user, a
string of 1 to 32 characters. If it is a numeral string and a VLAN with that
number is configured, it specifies that VLAN. If it is a numeral string but no VLAN
with that number is present, it is used as the VLAN descriptor to specify the VLAN.
Description
Example
For local RADIUS authentication or local authentication to take effect, the VLAN
assignment mode must be set to string after you specify authorization VLANs for
local users.
# Configure the authorization VLAN of the local user 00-14-22-2C-AA-69 to be
VLAN 2.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] local-user 00-14-22-2C-AA-69
[5500-luser-00-14-22-2C-AA-69] authorization vlan 2
authentication super
Syntax
View
Parameter
Description
The Switch 5500 Family adopts hierarchical protection for command lines so as to
inhibit users at lower levels from using higher level commands to configure the
switches. For details on configuring an HWTACACS authentication scheme for
low-to-high user level switching, refer to the section entitled Switching User
Level in the Switch 5500 Configuration Guide.
Related command: hwtacacs scheme
Example
# Set the HWTACACS scheme to ht for user level switching in the current ISP
domain aabbcc.net.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] domain aabbcc.net
New Domain added.
[5500-isp-aabbcc.net] authentication super hwtacacs-scheme ht
cut connection
Syntax
View
Parameters
Description
Use the cut connection command to forcibly cut down one user connection, one
type of user connections, or all user connections.
This command cannot cut down the connections of Telnet and FTP users.
Related command: display connection
Example
# Cut down all user connections under the ISP domain aabbcc.net.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] cut connection domain aabbcc.net
display connection
Syntax
View
Parameters
Any view
access-type { dot1x | mac-authentication }: Displays user connections of a
specified access type. Here, dot1x is used to display all 802.1x user connections,
and mac-authentication is used to display all MAC authentication user
connections.
domain isp-name: Displays all user connections under specified ISP domain. Here,
isp-name is the name of an ISP domain, a string of up to 128 characters. You can
only specify an existing ISP domain.
interface interface-type interface-number: Displays all user connections on a
specified port.
ip ip-address: Displays all user connections with a specified IP address.
mac mac-address: Displays the user connection with a specified MAC address.
Here, mac-address is in hexadecimal format (in the form of H-H-H).
radius-scheme radius-scheme-name: Displays all user connections using a
specified RADIUS scheme. Here, radius-scheme-name is a string of up to 32
characters.
hwtacacs-scheme hwtacacs-scheme-name: Displays all user connections using a
specified HWTACACS scheme. Here, hwtacacs-scheme-name is a string of up to 32
characters.
vlan vlan-id: Displays all user connections of a specified VLAN. Here, vlan-id
ranges from 1 to 4094.
ucibindex ucib-index: Displays the user connection with a specified connection
index. Here, ucib-index ranges from 0 to 2071.
user-name user-name: Displays the connection of a specified user. Here,
user-name is a character string in the format of pure-username@domain-name.
The pure-username cannot be longer than 55 characters, the domain-name
cannot be longer than 24 characters, and the entire user-name cannot be longer
than 184 characters.
Description
Example
MAC=000f-3d80-4ce5 , IP=0.0.0.0
On Unit 1: Total 1 connections matched, 1 listed.
27 to 24 bit
23 to 20 bit
UNIT ID
Slot number
19 to 12 bit
11 to 0 bit
VLAN ID
display domain
Syntax
View
Parameter
Description
Example
Description
Domain
Domain name
State
Scheme
AAA scheme
Access-Limit
Vlan-assignment-mode
Idle-Cut
Self-service
Status of self-service
Messenger Time
display local-user
Syntax
View
Parameters
Description
Use the display local-user command to display information about specified or all
local users.
Related command: local-user
Example
T--Telnet
Description
State
ServiceType Mask
Idle-Cut
Access-Limit
Current AccessNum
Bind location
Vlan ID
Authorization VLAN
IP address
MAC address
domain
Syntax
View
Parameters
System view
isp-name: Name of an ISP domain, a string of up to 128 characters. This string
cannot contain the following characters: /:*?<>|. If the domain name includes one
or more "~" characters and the last "~" is followed by numerals, it must be
followed by at least five numerals to avoid confusion. This is because any domain
name longer than 16 characters appears in the view prompt in the form "system
prompt-the first 15 characters of the domain name~4-digit index" to
avoid word wrap.
default: Manually configures the default ISP domain, which is system by default.
There is one and only one default ISP domain.
disable: Disables the configured default ISP domain.
enable: Enables the configured default ISP domain.
Description
Use the domain command to create an ISP domain and enter its view, or enter
the view of an existing ISP domain, or configure the default ISP domain.
Use the undo domain command to delete a specified ISP domain.
The ISP domain system is used as the default ISP domain before you manually
configure the default ISP domain, and you can use the display domain command
to check the settings of the default ISP domain system.
After you execute the domain command, the system creates a new ISP domain if
the specified ISP domain does not exist. Once an ISP domain is created, it is in the
active state. You can manually specify an ISP domain as the default domain only
when the specified domain already exists.
Related commands: access-limit, scheme, state, and display domain
Example
# Create a new ISP domain named 01234567891234567 (note that it will appear
as 012345678912345~0001 in the view prompt).
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500]domain 01234567891234567
New Domain added.
[5500-isp-012345678912345~0001]
idle-cut
Syntax
View
Parameters
Description
Use the idle-cut command to set the user idle-cut function in current ISP domain.
By default, this function is disabled.
Related command: domain
Example
# Enable the idle-cut function on users in ISP domain aabbcc.net, with the
maximum idle time of 50 minutes and the minimum data flow of 500 bytes. As a
result, for a user in the domain, if the total traffic of the user within 50 minutes is
less than 500 bytes, the user connection will be cut down.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] domain aabbcc.net
New Domain added.
[5500-isp-aabbcc.net] idle-cut enable 50 500
level
Syntax
level level
undo level
View
Parameter
Description
local-user
Syntax
local-user user-name
undo local-user { user-name | all [ service-type { ftp | lan-access | ssh | telnet |
terminal } ] }
View
Parameters
System view
user-name: Local user name, a string of up to 184 characters. This string cannot
contain the following characters: /:*?<>. It can contain no more than one "@"
character. The pure user name (user ID, that is, the characters or numbers before
the "@") cannot be longer than 55 characters, and the domain name (the characters
or numbers after the "@") cannot be longer than 128 characters. If the user name
includes one or more "~" characters and the last "~" is followed by numerals, it
must be followed by at least five numerals to avoid confusion. This is because any
user name longer than 16 characters appears in the view prompt in the form "system
prompt-the first 15 characters of the user name~4-digit index" to avoid
word wrap. The user-name parameter is case-insensitive, so
UserA is the same as usera.
all: Specifies all local users.
service-type: Specifies the local users of a specified type. You can specify one of
the following user types: ftp, lan-access (users of this type are generally Ethernet
access users, for example, 802.1x users), ssh, telnet, and terminal (a terminal user
who logs into the switch through the Console port).
Description
Use the local-user command to add a local user and enter local user view.
Use the undo local-user command to delete one or more local users of the
specified type.
By default, there is no local user in the system.
Related commands: display local-user and service-type
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500]local-user 01234567891234567
New local user added.
[5500-luser-012345678912345~0000]
local-user password-display-mode
Syntax
View
Parameters
System view
cipher-force: Adopts the forcible cipher mode so that the passwords of all local
users are displayed in cipher text.
auto: Adopts the automatic mode so that each local user's password is
displayed in the mode you have set for the user with the password command.
Description
Example
# Display all local user passwords in cipher text in all cases.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] local-user password-display-mode cipher-force
messenger
Syntax
View
Parameters
limit: Time limit in minutes, ranging from 1 to 60. The switch will send prompt
messages at regular intervals to users whose remaining online time is less than this
limit.
interval: Interval to send prompt messages (in minutes). This argument ranges
from 5 to 60 and must be a multiple of 5.
Description
Use the messenger time enable command to enable the messenger function
and set the related parameters.
Use the messenger time disable command to disable the messenger function.
Use the undo messenger time command to restore the messenger function to
its default state.
By default, the messenger function is disabled on the switch.
The purpose of this function is to remind online users of their remaining online
time through a message dialog box on the client.
Example
name
Syntax
name string
undo name
View
Parameter
Description
VLAN view
string: Assigned VLAN name, a string of up to 32 characters.
Use the name command to set a VLAN name, which will be used for VLAN
assignment.
Use the undo name command to cancel the VLAN name.
By default, a VLAN uses its VLAN ID (like VLAN 0001) as its assigned VLAN name.
This command is used in conjunction with the dynamic VLAN assignment
function. For details about dynamic VLAN assignment, refer to the
vlan-assignment-mode command on page 614.
Related command: vlan-assignment-mode
Example
password
Syntax
View
Parameters
For simple mode, the password you input must be a plain-text password.
Use the password command to set a password for the local user.
Use the undo password command to cancel the password of the local user.
Note that:
# Set the password of user1 to 20030422 and specify to display the password in
plain text.
<5500> system-view
System View: return to User View with Ctrl+Z.
radius-scheme
Syntax
View
radius-scheme radius-scheme-name
ISP domain view
Parameter
Description
Use the radius-scheme command to configure a RADIUS scheme for current ISP
domain.
After an ISP domain is initially created, it uses the local AAA scheme instead of any
RADIUS scheme by default.
The RADIUS scheme you specified in the radius-scheme command must already
exist. This command is equivalent to the scheme radius-scheme command.
Related commands: radius scheme, scheme, and display radius scheme
Example
# Configure the ISP domain 3com163.net to use the RADIUS scheme 3com.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] domain 3com163.net
New Domain added.
[5500-isp-3com163.net] radius-scheme 3com
scheme
Syntax
View
Parameters
Description
Use the scheme command to configure an AAA scheme for current ISP domain.
Use the undo scheme command to restore the default AAA scheme
configuration for the ISP domain.
By default, the ISP domain uses the local AAA scheme.
Note that:
If you execute the scheme local or scheme none command to adopt local or
none as the primary scheme, the local authentication is performed or no
authentication is performed. In this case you cannot specify any RADIUS
scheme at the same time.
Both the radius-scheme command and the scheme command can be used to
specify the RADIUS scheme to be referenced by the ISP domain. Their functions
are the same and the system uses the most recent configuration.
# Configure the ISP domain aabbcc.net to use RADIUS scheme radius1 as the
primary AAA scheme and use the local scheme as the secondary authentication
scheme.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] domain aabbcc.net
New Domain added.
[5500-isp-aabbcc.net] scheme radius-scheme radius1 local
self-service-url
Syntax
View
Parameter
mark "?". If the actual URL of the self-service server contains a question mark, you
should change it to a vertical bar "|".
Description
Example
After this command is executed on the switch, a user can locate the self-service
server through the following operation: choose [change user password] on the
802.1x client, the client opens the default browser (for example, IE or
Netscape) and locates the URL page used to change user password on the
self-service server. Then, the user can change the password.
A user can choose the [change user password] option on the client only after
passing the authentication. If the user fails the authentication, this option is in
grey and is unavailable.
# Under the default ISP domain system, set the URL of the web page used to
modify user password on the self-service server to
http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] domain system
[5500-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName
service-type
Syntax
View
Parameters
Use the service-type command to authorize the user to access specified type(s) of
service.
Use the undo service-type command to inhibit the user from accessing specified
type(s) of service.
By default, the user is inhibited from accessing any type of service.
Example
state
Syntax
View
Parameters
Description
Use the state command to set the status of current ISP domain (in ISP domain
view) or current local user (in local user view).
By default, an ISP domain/local user is in the active state once it is created.
After an ISP domain is set to the block state, except for online users, users in this
domain are inhibited from accessing the network.
After a local user is set to the block state, the user is inhibited from accessing the
network unless the user is already online.
Related command: domain
Examples
# Set the ISP domain aabbcc.net to the block state, so that all its offline users
cannot access the network.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] domain aabbcc.net
New Domain added.
[5500-isp-aabbcc.net] state block
vlan-assignment-mode
Syntax
View
Parameters
Description
Integer: If the RADIUS authentication server assigns integer-type VLAN IDs,
you can set the VLAN assignment mode to integer on the switch (this is also
the default mode on the switch). Then, upon receiving an integer ID assigned
by the RADIUS authentication server, the switch adds the port to the VLAN
whose VLAN ID is equal to the assigned integer ID. If no such VLAN exists, the
switch first creates a VLAN with the assigned ID, and then adds the port to the
newly created VLAN.
String: If the RADIUS authentication server assigns string-type VLAN IDs, you
can set the VLAN assignment mode to string on the switch. Then, upon
receiving a string ID assigned by the RADIUS authentication server, the switch
compares the ID with existing VLAN names on the switch. If it finds a match, it
adds the port to the corresponding VLAN. Otherwise, the VLAN assignment
fails and the user fails the authentication.
The switch supports two dynamic VLAN assignment modes to adapt to different
authentication servers. It is recommended that you configure the switch according
to the dynamic VLAN assignment mode used by the server.
Table 110 lists several commonly used RADIUS servers and their dynamic VLAN
assignment modes.
Table 110 Commonly used servers and their dynamic VLAN assignment modes
Server | Dynamic VLAN assignment mode
CAMS | Integer. For the latest CAMS version, you can determine the assignment mode by attribute value.
ACS | String
FreeRADIUS | String
Steel-Belted Radius Administrator | String
In string mode, if the VLAN ID assigned by the RADIUS server is a character string
containing only digits (for example, 1024), the switch first regards it as an integer
VLAN ID: the switch transforms the string to an integer value and judges if the
value is in the valid VLAN ID range; if it is, the switch adds the authenticated port
to the VLAN with the value as the VLAN ID (VLAN 1024, for example).
Related command: name
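The two modes fail differently: integer mode creates a VLAN that does not exist, while string mode rejects the user when no name matches. The following Python model is an added example, not 3Com code; its class and function names are hypothetical, and the VLAN ID range 1 to 4094 and the default name form "VLAN 0001" are taken from this reference. Assumptions: integer mode fails on a non-numeric or out-of-range value, and string mode falls back to name comparison when a digit string matches no existing VLAN ID (as the authorization vlan parameter description states for local users).

```python
from dataclasses import dataclass, field

VLAN_MIN, VLAN_MAX = 1, 4094   # valid VLAN ID range per this reference


class AssignmentFailed(Exception):
    """No VLAN could be selected, so the user fails authentication."""


@dataclass
class SwitchModel:
    """Hypothetical model of the switch's dynamic VLAN assignment."""
    mode: str = "integer"                       # "integer" (default) or "string"
    vlans: dict = field(default_factory=dict)   # VLAN ID -> assigned VLAN name

    def add_vlan(self, vlan_id: int, name: str = "") -> None:
        # Without the name command, the assigned name looks like "VLAN 0001".
        self.vlans[vlan_id] = name or f"VLAN {vlan_id:04d}"

    @staticmethod
    def _as_vlan_id(value: str):
        """Return the value as a VLAN ID, or None if it is not a valid one."""
        if value.isascii() and value.isdigit() and VLAN_MIN <= int(value) <= VLAN_MAX:
            return int(value)
        return None

    def resolve(self, assigned: str):
        """Return (vlan_id, created) for the value sent by the RADIUS server."""
        vlan_id = self._as_vlan_id(assigned)
        if self.mode == "integer":
            if vlan_id is None:                 # assumption: not stated on the page
                raise AssignmentFailed(f"{assigned!r} is not a VLAN ID")
            created = vlan_id not in self.vlans
            if created:                         # integer mode creates missing VLANs
                self.add_vlan(vlan_id)
            return vlan_id, created
        # String mode: a digit string is tried as a VLAN ID first ...
        if vlan_id is not None and vlan_id in self.vlans:
            return vlan_id, False
        # ... then the value is compared with the assigned VLAN names.
        for known_id, name in self.vlans.items():
            if name == assigned:
                return known_id, False
        raise AssignmentFailed(f"no VLAN is named {assigned!r}")


def audit(switch: SwitchModel, server_values):
    """Map each server-assigned value to its outcome on this switch."""
    report = {}
    for value in server_values:
        try:
            vlan_id, created = switch.resolve(value)
            report[value] = f"VLAN {vlan_id}" + (" (created)" if created else "")
        except AssignmentFailed as exc:
            report[value] = f"authentication fails: {exc}"
    return report


if __name__ == "__main__":
    values = ["2", "staff", "1024"]             # constructed server replies
    for mode in ("integer", "string"):
        sw = SwitchModel(mode=mode)
        sw.add_vlan(2, "staff")
        print(mode, audit(sw, values))
```

Running the same server values through both modes before changing vlan-assignment-mode shows which users would land in a newly created VLAN and which would fail authentication.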
Example
40 RADIUS CONFIGURATION COMMANDS
accounting optional
Syntax
accounting optional
undo accounting optional
View
Parameter
Description
Example
If the system does not find any available accounting server or fails to
communicate with any accounting server when it performs accounting for an
online user, it does not disconnect the user (as it otherwise would) as long as
the accounting optional command has been executed. This command is commonly
used in cases where only authentication is needed and accounting is not needed.
This configuration takes effect only on the ISP domains using this RADIUS
scheme.
accounting-on enable
Syntax
View
Parameters
Description
The switch sends the Accounting-On message to the CAMS at regular intervals.
Once the switch receives the response from the CAMS, it stops sending
Accounting-On messages.
If the switch does not receive any response from the CAMS after it has tried the
configured maximum number of times to send the Accounting-On message, it
will not send the Accounting-On message any more.
Example
# Enable the user re-authentication at restart function for the RADIUS scheme
named CAMS.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme CAMS
[5500-radius-CAMS] accounting-on enable
calling-station-id mode
Syntax
View
Parameters
Description
Use the calling-station-id mode command to configure the MAC address format
of the Calling-Station-Id (Type 31) field in RADIUS packets.
Use the undo calling-station-id mode command to restore the default format.
By default, the MAC address format is XXXX-XXXX-XXXX, in lowercase.
Example
data-flow-format
Syntax
View
Parameters
data: Sets the data unit of outgoing RADIUS flows, which can be byte, giga-byte,
kilo-byte, or mega-byte.
packet: Sets the packet unit of outgoing RADIUS flows, which can be one-packet,
giga-packet, kilo-packet, or mega-packet.
Description
Use the data-flow-format command to set the units of RADIUS data flows to
RADIUS servers.
Use the undo data-flow-format command to restore the default units.
By default, the data unit and packet unit of outgoing RADIUS flows are byte and
one-packet respectively.
Related command: display radius scheme
Example
display local-server statistics
Syntax
View
Parameter
Description
Example
# Display the RADIUS message statistics about local RADIUS authentication server.
<5500> display local-server statistics
On Unit 1:
The localserver packet statistics:
Receive:               30        Send:                  30
Discard:               0         Receive Packet Error:  0
Auth Receive:          10        Auth Send:             10
Acct Receive:          20        Acct Send:             20
Example
Description
SchemeName
Index
Type
Accounting method
Accounting method
Description
TimeOutValue(in second)
RetryTimes
RealtimeACCT(in minute)
Quiet-interval(min)
Time that the switch must wait before it can restore the
status of a primary server to active
Username format
Packet unit
calling_station_id format
display radius statistics
Syntax
View
Parameter
Description
Example
AuthSucc=0
RLTWait=0
Stop=0
,
,
,
,
,
,
,
,
,
,
,
,
,
,
Err=0
Err=0
Err=0
Err=0
Err=0
Err=0
Err=0
Err=0
Err=0
Err=0
Err=0
Err=0
Err=0
Err=0
,
,
,
,
,
,
,
,
,
,
,
,
,
,
Succ=0
Succ=0
Succ=0
Succ=0
Succ=0
Succ=0
Succ=0
Succ=0
Succ=0
Succ=0
Succ=0
Succ=0
Succ=0
Succ=0
No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0
display stop-accounting-buffer
Syntax
View
Parameters
key
Syntax
View
Parameters
Description
Use the undo key command to restore the corresponding default shared key
setting.
By default, no shared key exists.
Both the RADIUS client and the RADIUS server use the MD5 algorithm to encrypt
RADIUS messages before exchanging them with each other. The two parties verify the
validity of the RADIUS messages received from each other by using the shared keys
that have been set on them, and can accept and respond to the messages only
when both parties have the same shared key. The authentication/authorization shared
key and the accounting shared key you set on the switch must be consistent with
the shared key on the authentication/authorization server and the
shared key on the accounting server, respectively.
Related commands: primary accounting, primary authentication and radius
scheme
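How the shared key enters the MD5 computations, as an added Python example that follows RFC 2865 and RFC 2866 (it is not code from the switch or from 3Com): the key hides the User-Password attribute, signs server replies, and signs accounting requests, so a key mismatch breaks all three. Function names, keys and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4        # RADIUS packet codes
REPLY_MESSAGE, ACCT_STATUS_TYPE = 18, 40        # RADIUS attribute types


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865, section 5.2), done by the NAS."""
    blocks = max(1, -(-len(password) // 16))    # pad to a multiple of 16 octets
    padded = password.ljust(blocks * 16, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, done by the server with its own key."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")


def _signed(code: int, ident: int, auth_input: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Build a packet whose authenticator is MD5 over the packet and the key."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + auth_input + attrs + secret).digest()
    return header + digest + attrs


def _valid(packet: bytes, auth_input: bytes, secret: bytes) -> bool:
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + auth_input + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def sign_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator (RFC 2865): covers the Request Authenticator."""
    return _signed(code, ident, request_auth, attrs, secret)


def response_is_valid(packet, request_auth, secret):
    return _valid(packet, request_auth, secret)


def sign_accounting_request(ident, attrs, secret):
    """Accounting Request Authenticator (RFC 2866): 16 zero octets as input."""
    return _signed(ACCOUNTING_REQUEST, ident, bytes(16), attrs, secret)


def accounting_request_is_valid(packet, secret):
    return _valid(packet, bytes(16), secret)


def exchange(nas_key: bytes, server_key: bytes, password: bytes = b"constructed-pass"):
    """Return (server recovered the password, NAS accepted the reply)."""
    request_auth = bytes(range(16))             # constructed; normally 16 random octets
    hidden = hide_password(password, nas_key, request_auth)
    recovered = reveal_password(hidden, server_key, request_auth)
    reply = sign_response(ACCESS_ACCEPT, 7, request_auth,
                          attribute(REPLY_MESSAGE, b"welcome"), server_key)
    return recovered == password, response_is_valid(reply, request_auth, nas_key)


if __name__ == "__main__":
    print("matching keys:  ", exchange(b"constructed-key-A", b"constructed-key-A"))
    print("mismatched keys:", exchange(b"constructed-key-A", b"constructed-key-B"))
    acct = sign_accounting_request(9, attribute(ACCT_STATUS_TYPE, b"\x00\x00\x00\x01"),
                                   b"constructed-acct-key")
    print("accounting key reused from authentication:",
          accounting_request_is_valid(acct, b"constructed-key-A"))
```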
Example
# Set ok as the shared key for RADIUS accounting messages in RADIUS scheme
radius1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme radius1
New Radius scheme
[5500-radius-radius1] key accounting ok
local-server
Syntax
local-server enable
undo local-server
View
Parameter
Description
System view
None
Use the local-server enable command to enable the UDP port for the local RADIUS
authentication server.
Use the undo local-server command to disable the UDP port for the local RADIUS
authentication server.
By default, the UDP port for the local RADIUS authentication server is enabled.
local-server nas-ip
Syntax
View
Parameters
System view
nas-ip ip-address: Sets the IP address of a network access server (NAS), so that the
NAS is allowed by the local RADIUS authentication server. Here, ip-address is in
dotted decimal notation.
key password: Sets the shared key between the local RADIUS authentication
server and the NAS. Here, password is a string of up to 16 characters.
Description
Use the local-server nas-ip command to set the related parameters of the local
RADIUS authentication server.
Use the undo local-server nas-ip command to cancel a specified NAS setting for
the local RADIUS authentication server.
By default, the local RADIUS authentication server is enabled and it allows the
access of NAS 127.0.0.1. That is, the local device serves as both a RADIUS
authentication server and a network access server, and all authentications are
performed locally. The default shared key is null.
Note that:
The switch not only supports the traditional RADIUS client service to
accomplish user AAA management through remote
authentication/authorization server and accounting server, but also provides a
simple local RADIUS server function for authentication and authorization. This
function is called local RADIUS authentication server function.
When you use the local RADIUS authentication server function, the UDP port
number of the authentication/authorization server must be 1645, the UDP port
number of the accounting server must be 1646.
The message encryption key set by the local-server nas-ip ip-address key
password command must be identical with the authentication/authorization
message encryption key set by the key authentication command in the
RADIUS scheme view of the RADIUS scheme on the specified NAS that uses
this switch as its authentication server.
The switch supports the IP addresses and shared keys of at most 16 network
access servers (including the local device); that is, when the switch serves as a
RADIUS authentication server, it can provide authentication service to at most
16 NASs simultaneously.
When serving as a local RADIUS authentication server, the switch does not
support EAP authentication.
nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
Parameter
Description
The nas-ip command in RADIUS scheme view has the same function as the
radius nas-ip command in system view; and the configuration in RADIUS scheme
view takes precedence over that in system view.
You can set the source IP address of outgoing RADIUS messages so that
messages returned from the RADIUS server are not prevented from reaching their
destination by physical interface trouble. 3Com recommends that you use a
loopback interface address as the source IP address.
Related commands: display radius scheme, and radius nas-ip
Example
# Set source IP address 10.1.1.1 for outgoing RADIUS messages in RADIUS scheme
radius1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme radius1
primary accounting
Syntax
View
Parameters
Description
Use the primary accounting command to set the IP address and port number of
the primary RADIUS accounting server to be used by the current scheme.
Use the undo primary accounting command to restore the default IP address
and port number of the primary RADIUS accounting server, which are 0.0.0.0 and
1813 respectively.
In the system default RADIUS scheme system, the default IP address of the
primary accounting server is 127.0.0.1 and the default UDP port number is 1646.
In a new RADIUS scheme, the default IP address of the primary accounting server
is 0.0.0.0 and the default UDP port number is 1813.
Related commands: key, radius scheme and state
Example
# Set the IP address and UDP port number of the primary accounting server for
RADIUS scheme radius1 to 10.110.1.2 and 1813 respectively.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme radius1
New Radius scheme
[5500-radius-radius1] primary accounting 10.110.1.2 1813
primary authentication
Syntax
View
Parameters
Description
Use the primary authentication command to set the IP address and port number
of the primary RADIUS authentication/authorization server used by the current
RADIUS scheme.
Use the undo primary authentication command to restore the default IP
address and port number of the primary RADIUS authentication/authorization
server, which are 0.0.0.0 and 1812 respectively.
In the system default RADIUS scheme system, the default IP address of the
primary authentication/authorization server is 127.0.0.1 and the default UDP port
number is 1645. In a new RADIUS scheme, the default IP address of the primary
authentication/authorization server is 0.0.0.0 and the default UDP port number is
1812.
Note that:
After creating a new RADIUS scheme, you should configure the IP address and
UDP port number of each RADIUS server you want to use in this scheme. These
RADIUS servers fall into two types: authentication/authorization, and
accounting. For each kind of server, you can configure two servers in a RADIUS
scheme: primary and secondary servers.
radius client
Syntax
View
System view
Parameter
Description
None
Use the radius client enable command to enable RADIUS authentication and
accounting ports.
Use the undo radius client command to disable RADIUS authentication and
accounting ports.
By default, RADIUS authentication and accounting ports are enabled.
Related command: radius scheme
Example
radius nas-ip
Syntax
View
Parameter
Description
System view
ip-address: Source IP address to be set, an IP address of this device. This address
can neither be the all 0s address nor be a Class-D address.
Use the radius nas-ip command to set the source IP address of outgoing RADIUS
messages.
Use the undo radius nas-ip command to restore the default setting.
By default, no source IP address is set, and the IP address of corresponding
outbound interface is used as the source IP address of RADIUS messages.
The nas-ip command in RADIUS scheme view has the same function as the
radius nas-ip command in system view; and the configuration in RADIUS scheme
view takes precedence over that in system view.
Note that:
You can set the source IP address of outgoing RADIUS messages so that
messages returned from the RADIUS server are not prevented from reaching their
destination by physical interface trouble. 3Com recommends that you use
a loopback interface address as the source IP address.
You can set only one source IP address by using this command. When you
execute this command again, the newly set source IP address overwrites
the old one.
radius scheme
Syntax
View
System view
Parameter
Description
Use the radius scheme command to create a RADIUS scheme and enter its view.
Use the undo radius scheme command to delete a specified RADIUS scheme.
By default, a RADIUS scheme named system has already been created in the
system.
Note that:
All the attributes of RADIUS scheme system take the default values, which
you can see by using the display radius scheme command.
The undo radius scheme command cannot delete the default RADIUS
scheme. In addition, you are not allowed to delete a RADIUS scheme which is
being used by an online user.
radius trap
Syntax
View
Parameters
System view
authentication-server-down: Enables or disables the sending of trap messages
when a RADIUS authentication server goes down.
accounting-server-down: Enables or disables the sending of trap messages
when a RADIUS accounting server goes down.
Description
Use the radius trap command to enable the switch to send trap messages when a
RADIUS server goes down.
Use the undo radius trap command to disable the switch from sending trap
messages when a RADIUS authentication server or a RADIUS accounting server
goes down.
By default, this function is disabled.
This configuration takes effect on all RADIUS schemes.
The switch considers a RADIUS server to be down if it has tried the configured
maximum number of times to send a message to the RADIUS server but has not
received any response.
Example
# Enable the switch to send trap messages when a RADIUS authentication server
goes down.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius trap authentication-server-down
Example
reset stop-accounting-buffer
Syntax
View
Parameters
Description
Example
retry
Syntax
retry retry-times
undo retry
View
Parameter
Description
# Set the maximum number of RADIUS request transmission attempts for RADIUS
scheme radius1 to five.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme radius1
New Radius scheme
[5500-radius-radius1] retry 5
retry realtime-accounting
Syntax
View
Parameter
Description
retry stop-accounting
Syntax
View
Parameter
Description
Example
# In RADIUS scheme radius1, specify that the switch can transmit a buffered
stop-accounting request at most 1000 times.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme radius1
New Radius scheme
[5500-radius-radius1] retry stop-accounting 1000
secondary accounting
Syntax
View
Parameters
Description
Use the secondary accounting command to set the IP address and port number
of the secondary RADIUS accounting server to be used by the current scheme.
Use the undo secondary accounting command to restore the default IP address
and port number of the secondary RADIUS accounting server, which are 0.0.0.0
and 1813 respectively.
Related commands: key, radius scheme and state
Example
# Set the IP address and UDP port number of the secondary accounting server for
RADIUS scheme radius1 to 10.110.1.1 and 1813 respectively.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme radius1
New Radius scheme
[5500-radius-radius1] secondary accounting 10.110.1.1 1813
secondary authentication
Syntax
View
Parameters
Description
Use the secondary authentication command to set the IP address and port
number of the secondary RADIUS authentication/authorization server to be used
by the current scheme.
Use the undo secondary authentication command to restore the default IP
address and port number of the secondary RADIUS authentication/authorization
server, which are 0.0.0.0 and 1812 respectively.
Related commands: key, radius scheme and state
Example
server-type
Syntax
View
Parameters
Description
Use the server-type command to configure the switch to support a specified type
of RADIUS server.
Use the undo server-type command to restore the default setting.
By default, the switch supports RADIUS servers of the standard type, and the
RADIUS server type in the default scheme named system is extended.
Related command: radius scheme
Example
state
Syntax
View
Parameters
block: Sets the status of the specified RADIUS server to block (that is, the down
state).
active: Sets the status of the specified RADIUS server to active (that is, the normal
working state).
Description
When the switch fails to communicate with the primary server due to some
server trouble, the switch will turn to the secondary server and exchange
messages with the secondary server.
After the primary server remains in the block state for a set time (set by the
timer quiet command), the switch will try to communicate with the primary
server again when it receives a RADIUS request. If it finds that the primary
server has recovered, the switch immediately restores the communication with
the primary server instead of communicating with the secondary server, and at
the same time restores the status of the primary server to active while keeping
the status of the secondary server unchanged.
When both primary and secondary servers are in the active or block state, the
switch sends messages only to the primary server.
# Set the status of the secondary authentication server in RADIUS scheme radius1
to active.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme radius1
New Radius scheme
[5500-radius-radius1] state secondary authentication active
stop-accounting-buffer enable
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
Parameters
Description
Example
# Enable the switch to buffer the stop-accounting requests that get no response
from the servers in RADIUS scheme radius1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme radius1
New Radius scheme
[5500-radius-radius1] stop-accounting-buffer enable
timer
Syntax
timer seconds
undo timer
View
Parameter
Description
Use the timer command to set the response timeout time of RADIUS servers (that
is, the timeout time of the response timeout timer of RADIUS servers).
Use the undo timer command to restore the default response timeout timer of
RADIUS servers.
By default, the response timeout time of RADIUS servers is 3 seconds.
Note that:
called the response timeout time of RADIUS servers, and the corresponding
timer in the switch system is called the response timeout timer of RADIUS
servers. You can use the timer command to set the timeout time of this timer,
and if the switch gets no answer before the response timeout timer expires, it
needs to retransmit the request to ensure that the user can obtain RADIUS
service.
Appropriately setting the timeout time of this timer according to your network
situation can improve the performance of your system.
The timer command has the same function as the timer response-timeout
command.
# Set the timeout time of the response timeout timer for RADIUS scheme radius1
to 5 seconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme radius1
New Radius scheme
[5500-radius-radius1] timer 5
timer quiet
Syntax
View
Parameter
minutes: Wait time before primary server state restoration, ranging from 1 to 255
minutes.
Description
Use the timer quiet command to set the time that the switch waits before it tries
to re-communicate with the primary server and restore the status of the primary
server to active.
Use the undo timer quiet command to restore the default wait time.
By default, the switch waits five minutes.
Related command: display radius scheme
Example
# Configure the switch to wait 10 minutes before it tries to restore the status of
the primary server to active.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme radius1
New Radius scheme
[5500-radius-radius1] timer quiet 10
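The server selection described for the radius trap, retry, state, timer and timer quiet commands can be followed step by step in a small model. The Python below is an added example, not 3Com code: the class and method names are hypothetical, the scenario is constructed from the values used in the examples above, and it assumes that any answer from a server returns it to active and that a failed attempt restarts that server's quiet period.

```python
from dataclasses import dataclass, field
from typing import Optional

ACTIVE, BLOCK = "active", "block"


@dataclass
class Server:
    name: str
    state: str = ACTIVE
    blocked_at: Optional[float] = None  # when the server entered the block state


@dataclass
class RadiusScheme:
    retry: int                   # retry retry-times
    timeout_s: int = 3           # timer / timer response-timeout (default 3 s)
    quiet_min: int = 5           # timer quiet (default five minutes)
    trap_enabled: bool = False   # radius trap authentication-server-down
    primary: Server = field(default_factory=lambda: Server("primary"))
    secondary: Server = field(default_factory=lambda: Server("secondary"))
    traps: list = field(default_factory=list)

    def detection_delay(self) -> int:
        """Seconds a request waits on a silent server before it is declared down."""
        return self.retry * self.timeout_s

    def _quiet_expired(self, now: float) -> bool:
        p = self.primary
        return p.state == BLOCK and now - p.blocked_at >= self.quiet_min * 60

    def _attempt(self, server: Server, now: float, reachable: set) -> bool:
        """Send to one server and update its state. True if it answered."""
        if server.name in reachable:
            # Assumption: any answer puts the server back in the active state.
            server.state, server.blocked_at = ACTIVE, None
            return True
        if server.state == ACTIVE and self.trap_enabled:
            self.traps.append((now + self.detection_delay(),
                               f"{server.name} server down"))
        server.state = BLOCK
        # Assumption: every failed attempt (re)starts the quiet period.
        server.blocked_at = now + self.detection_delay()
        return False

    def request(self, now: float, reachable: set):
        """Handle one RADIUS request arriving at time `now` (seconds).

        Returns (name of the server that answered or None, seconds spent waiting).
        """
        p, s = self.primary, self.secondary
        waited = 0
        # The primary is used when it is active, when its quiet period has
        # expired, or when both servers are in the same state.
        if p.state == ACTIVE or self._quiet_expired(now) or p.state == s.state:
            if self._attempt(p, now, reachable):
                return p.name, waited
            waited += self.detection_delay()
        # Otherwise, or after the primary failed, turn to an active secondary.
        if s.state == ACTIVE:
            if self._attempt(s, now + waited, reachable):
                return s.name, waited
            waited += self.detection_delay()
        return None, waited


if __name__ == "__main__":
    # Constructed scenario: retry 5, timer 5, timer quiet 10.
    scheme = RadiusScheme(retry=5, timeout_s=5, quiet_min=10, trap_enabled=True)
    for t, up in [(0, {"secondary"}), (60, {"primary", "secondary"}),
                  (700, {"primary", "secondary"})]:
        print(t, scheme.request(t, up), scheme.primary.state)
    print(scheme.traps)
```

In this model the first user after a primary failure waits retry × timer seconds before the secondary is tried, and a recovered primary is not used again until the quiet period has passed.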
timer realtime-accounting
Syntax
View
Parameter
Description
To control the interval at which users are charged in real time, you can set the
real-time accounting interval. After the setting, the switch periodically sends
online users' accounting information to the RADIUS server at the set interval.
1 to 99
100 to 499
500 to 999
12
1000
15
timer response-timeout
Syntax
View
Parameter
Description
Use the timer response-timeout command to set the response timeout time of
RADIUS servers.
Use the undo timer response-timeout command to restore the default response
timeout time of RADIUS servers.
By default, the response timeout time of RADIUS servers is 3 seconds.
Note that:
Appropriately setting the timeout time of this timer according to your network
situation can improve the performance of your system.
This command has the same function as the timer command.
# Set the response timeout time in RADIUS scheme radius1 to five seconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme radius1
New Radius scheme
[5500-radius-radius1] timer response-timeout 5
user-name-format
Syntax
View
Parameters
with-domain: Specifies to include ISP domain names in the user names to be sent
to RADIUS server.
without-domain: Specifies to exclude ISP domain names from the user names to
be sent to RADIUS server.
Description
Use the user-name-format command to set the format of the user names to be
sent to RADIUS server.
By default, except for the default RADIUS scheme system, the user names sent
to RADIUS servers in any RADIUS scheme carry ISP domain names.
Note that:
For a RADIUS scheme, if you have specified to exclude ISP domain names from
user names, you should not use this RADIUS scheme in more than one ISP
domain. Otherwise, such errors may occur: the RADIUS server regards two
different users having the same name but belonging to different ISP domains
as the same user (because the user names sent to it are the same).
For an 802.1x user, if you have specified to use EAP authentication, the switch
will encapsulate and send the contents from the client directly to the server. In
this case, the configuration of the user-name-format command is not effective.
# Specify to exclude ISP domain names from the user names to be sent to RADIUS
server in RADIUS scheme radius1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] radius scheme radius1
New Radius scheme
[5500-radius-radius1] user-name-format without-domain
41 HWTACACS CONFIGURATION COMMANDS
data-flow-format
Syntax
View
Parameters
Description
Use the data-flow-format command to set the units of data flows to TACACS
servers.
Use the undo data-flow-format command to restore the default units.
By default, the data unit and packet unit for outgoing HWTACACS flows are byte
and one-packet respectively.
Related command: display hwtacacs
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] hwtacacs scheme hwt1
[5500-hwtacacs-hwt1] data-flow-format data kilo-byte
[5500-hwtacacs-hwt1] data-flow-format packet kilo-packet
display hwtacacs
Syntax
View
Parameters
Description
Example
display stop-accounting-buffer
Syntax
View
Parameters
Description
Example
hwtacacs nas-ip
Syntax
View
Parameter
Description
System view
ip-address: Source IP address to be set, an IP address of this device. This address
can neither be the all 0s address nor be a Class D address.
Use the hwtacacs nas-ip command to set the source address of outgoing
HWTACACS messages.
Use the undo hwtacacs nas-ip command to restore the default setting.
By default, no source address is specified, and the IP address of corresponding
outbound interface is used as the source address.
Note that:
You can specify the source address of outgoing HWTACACS messages to prevent
messages returned from the server from failing to reach their destination
because of physical interface trouble. 3Com recommends that you use a loopback
interface address as the source IP address.
You can specify only one source IP address by using this command. When you
re-execute this command, the newly set source IP address overwrites
the old one.
hwtacacs scheme
Syntax
View
System view
Parameter
Description
If the fabric function is enabled on the switch, you cannot create an HWTACACS
scheme because they are exclusive to each other.
Example
# Create an HWTACACS scheme named hwt1 and enter the corresponding
HWTACACS scheme view.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] hwtacacs scheme hwt1
[5500-hwtacacs-hwt1]
key
Syntax
View
Parameters
Description
Use the key command to configure a shared key for HWTACACS authentication,
authorization or accounting messages.
Use the undo key command to delete such a configuration.
By default, no key is set for HWTACACS messages.
Related command: display hwtacacs
Example
# Use hello as the shared key for HWTACACS accounting messages in HWTACACS
scheme hwt1.
<5500> system-view
System View: return to User View with Ctrl+Z.
nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
Parameter
Description
You can set the source address of HWTACACS messages to prevent messages
returned from the server from failing to reach their destination because of
physical interface trouble. 3Com recommends that you use a loopback
interface address as the source IP address.
You can set only one source IP address by using this command. When you
re-execute this command, the newly set source IP address overwrites
the old one.
primary accounting
Syntax
View
Parameters
port: Port number of the primary accounting server, ranging from 1 to 65535.
Description
Use the primary accounting command to set the IP address and port number of
the primary HWTACACS accounting server to be used by the current scheme.
Use the undo primary accounting command to restore the default IP address
and port number of the primary HWTACACS accounting server, which are 0.0.0.0
and 49 respectively.
Note that:
You are not allowed to set the same IP address for both primary and secondary
accounting servers. If you do this, your setting will fail.
If you re-execute the command, the new setting will overwrite the old one.
You can remove an accounting server setting only when there is no active TCP
connection that is sending accounting messages to the server.
Example
# Set the IP address and UDP port number of the primary accounting server for
HWTACACS scheme test1 to 10.163.155.12 and 49 respectively.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] hwtacacs scheme test1
[5500-hwtacacs-test1] primary accounting 10.163.155.12 49
primary authentication
Syntax
View
Parameters
Description
Use the primary authentication command to set the IP address and port number
of the primary HWTACACS authentication server to be used by the current
scheme.
Use the undo primary authentication command to restore the default IP
address and port number of the primary HWTACACS authentication server, which
are 0.0.0.0 and 49 respectively.
Note that:
You are not allowed to set the same IP address for both primary and secondary
authentication servers. If you do this, your setting will fail.
If you re-execute the command, the new setting will overwrite the old one.
You can remove an authentication server setting only when there is no active
TCP connection that is sending authentication messages to the server.
# Set the IP address and UDP port number of the primary authentication server for
HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] hwtacacs scheme hwt1
[5500-hwtacacs-hwt1] primary authentication 10.163.155.13 49
primary authorization
Syntax
View
Parameters
Description
Use the primary authorization command to set the IP address and port number
of the primary HWTACACS authorization server to be used by the current scheme.
Use the undo primary authorization command to restore the default IP address
and port number of the primary authorization server, which are 0.0.0.0 and 49
respectively.
Note that:
You are not allowed to set the same IP address for both primary and secondary
authorization servers. If you do this, your setting will fail.
If you re-execute the command, the new setting will overwrite the old one.
You can remove an authorization server setting only when there is no active
TCP connection that is sending authorization messages to the server.
# Set the IP address and UDP port number of the primary authorization server for
HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] hwtacacs scheme hwt1
[5500-hwtacacs-hwt1] primary authorization 10.163.155.13 49
reset hwtacacs statistics
Syntax
View
Parameters
Description
Example
reset stop-accounting-buffer
Syntax
View
Parameters
Description
Example
retry stop-accounting
Syntax
View
Parameter
Description
Example
secondary accounting
Syntax
View
Parameters
Description
Use the secondary accounting command to set the IP address and port number
of the secondary HWTACACS accounting server to be used by the current scheme.
Use the undo secondary accounting command to restore the default IP address
and port number of the secondary HWTACACS accounting server, which are
0.0.0.0 and 49 respectively.
Note that:
You are not allowed to set the same IP address for both primary and secondary
accounting servers. If you do this, your setting will fail.
If you re-execute the command, the new setting will overwrite the old one.
You can remove an accounting server setting only when there is no active TCP
connection that is sending accounting messages to the server.
Example
# Set the IP address and UDP port number of the secondary accounting server for
HWTACACS scheme hwt1 to 10.163.155.12 and 49 respectively.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] hwtacacs scheme hwt1
[5500-hwtacacs-hwt1] secondary accounting 10.163.155.12 49
secondary authentication
Syntax
View
Parameters
Description
Use the secondary authentication command to set the IP address and port
number of the secondary HWTACACS authentication server to be used by the
current scheme.
Use the undo secondary authentication command to restore the default IP
address and port number of the secondary HWTACACS authentication server,
which are 0.0.0.0 and 49 respectively.
Note that:
You are not allowed to set the same IP address for both primary and secondary
authentication servers. If you do this, your setting will fail.
If you re-execute the command, the new setting overwrites the old one.
You can remove an authentication server setting only when there is no active
TCP connection that is sending authentication messages to the server.
# Set the IP address and UDP port number of the secondary authentication server
for HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] hwtacacs scheme hwt1
[5500-hwtacacs-hwt1] secondary authentication 10.163.155.13 49
secondary authorization
Syntax
View
Parameters
Description
Use the secondary authorization command to set the IP address and port
number of the secondary HWTACACS authorization server to be used by the
current scheme.
Use the undo secondary authorization command to restore the default IP
address and port number of the secondary HWTACACS authorization server,
which are 0.0.0.0 and 49 respectively.
Note that:
You are not allowed to set the same IP address for both primary and secondary
authorization servers.
If you re-execute the command, the new setting will overwrite the old one.
You can remove an authorization server setting only when there is no active
TCP connection that is sending authorization messages to the server.
# Set the IP address and UDP port number of the secondary authorization server
for HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] hwtacacs scheme hwt1
[5500-hwtacacs-hwt1] secondary authorization 10.163.155.13 49
timer quiet
Syntax
View
Parameter
minutes: Wait time before primary server state restoration, ranging from 1 to 255
minutes.
Description
Use the timer quiet command to set the time that the switch waits before it tries
to re-communicate with the primary server and restore the status of the primary
server to active.
Use the undo timer quiet command to restore the default wait time.
By default, the switch waits five minutes.
Related command: display hwtacacs
Example
# Configure the switch to wait 10 minutes before it tries to restore the status of
the primary server to active.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] hwtacacs scheme hwt1
[5500-hwtacacs-hwt1] timer quiet 10
timer realtime-accounting
Syntax
View
Parameter
Description
To control the interval at which users are charged in real time, you can set the
real-time accounting interval. After the setting, the switch periodically sends
online users' accounting information to the TACACS accounting server at the set
interval.
the number of users is over 1000). The following table lists the recommended
intervals for different numbers of users.
Table 113 Numbers of users and recommended intervals
Example
Number of users
1 to 99
100 to 499
500 to 999
12
1000
15
timer response-timeout
Syntax
View
Parameter
Description
Example
# Set the response timeout time of TACACS servers to 30 seconds for HWTACACS
scheme hwt1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] hwtacacs scheme hwt1
[5500-hwtacacs-hwt1] timer response-timeout 30
user-name-format
Syntax
View
Parameters
Description
Use the user-name-format command to set the format of the user names to be
sent to TACACS server.
By default, the user names sent to TACACS server in a HWTACACS scheme carry
ISP domain names.
Note that:
For a HWTACACS scheme, if you have specified to exclude ISP domain names
from user names, you should not use this scheme in more than one ISP
domain. Otherwise, such errors may occur: the TACACS server regards two
different users having the same name but belonging to different ISP domains
as the same user (because the user names sent to it are the same).
# Specify to exclude ISP domain names from the user names to be sent to TACACS
server in HWTACACS scheme hwt1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] hwtacacs scheme hwt1
[5500-hwtacacs-hwt1] user-name-format without-domain
security-policy-server
Syntax
security-policy-server ip-address
undo security-policy-server { ip-address | all }
View
Parameters
Description
Example
35
display dot1x
Syntax
View
Parameters
Description
Example
Description
Description
Handshake is enabled
Transmit Period
Handshake Period
ReAuth Period
Re-authentication interval
ReAuth MaxTimes
Quiet Period
Supp Timeout
Server Timeout
free-ip
acl-timeout
url
Description
Version-Check is disabled
ReAuthenticate is disabled
...
dot1x
Syntax
View
Parameter
Description
If you do not provide the interface-list argument, the dot1x command enables
802.1x globally.
If you specify the interface-list argument, the dot1x command enables 802.1x
for the specified Ethernet ports.
In Ethernet port view, the interface-list argument is not available and the
command enables 802.1x for only the current Ethernet port.
You can perform 802.1x-related configurations (globally or on specified ports)
before or after 802.1x is enabled. If you do not previously perform other
802.1x-related configurations when enabling 802.1x globally, the switch adopts
the default 802.1x settings.
802.1x-related configurations take effect on a port only after 802.1x is enabled
both globally and on the port.
The settings of 802.1x and MAC address learning limit are mutually exclusive.
Enabling 802.1x on a port will prevent you from setting the limit on MAC address
learning on the port and vice versa.
The settings of 802.1x and aggregation group member are mutually exclusive.
Enabling 802.1x on a port will prevent you from adding the port to an
aggregation group and vice versa.
Related command: display dot1x.
Examples
dot1x authentication-method
Syntax
System view
chap: Authenticates using challenge handshake authentication protocol (CHAP).
pap: Authenticates using password authentication protocol (PAP).
eap: Authenticates using extensible authentication protocol (EAP).
Description
When the current device operates as the authentication server, EAP authentication
is unavailable.
Example
# Specify the authentication method to be PAP.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dot1x authentication-method pap
dot1x dhcp-launch
Syntax
dot1x dhcp-launch
undo dot1x dhcp-launch
View
Parameters
System view
None
Description
Example
dot1x guest-vlan
Syntax
View
Parameters
Description
Use the dot1x guest-vlan command to enable the Guest VLAN function for
ports.
Use the undo dot1x guest-vlan command to disable the Guest VLAN function
for ports.
In system view,
If you do not provide the interface-list argument, these two commands apply
to all the ports of the switch.
If you specify the interface-list argument, these two commands apply to the
specified ports.
In Ethernet port view, the interface-list argument is not available and the
commands apply to only the current port.
Example
CAUTION:
The Guest VLAN function is available only when the switch operates in the
port-based authentication mode.
dot1x handshake
Syntax
View
System view
Parameters
None
Description
Use the dot1x handshake enable command to enable the online user
handshaking function.
Use the undo dot1x handshake enable command to disable the online user
handshaking function.
By default, the online user handshaking function is enabled.
Example
CAUTION:
To enable the proxy detecting function, you need to enable the online user
handshaking function first.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dot1x handshake enable
dot1x max-user
Syntax
View
Parameters
Description
Use the dot1x max-user command to set the maximum number of users an
Ethernet port can accommodate.
Use the undo dot1x max-user command to revert to the default maximum user
number.
By default, a port can accommodate up to 256 users.
In system view:
If you do not provide the interface-list argument, these two commands apply
to all the ports of the switch.
If you specify the interface-list argument, these two commands apply to the
specified ports.
In Ethernet port view, the interface-list argument is not available and the
commands apply to only the current port.
Related command: display dot1x.
Example
# Configure the maximum number of users that port Ethernet 1/0/1 can
accommodate to be 32.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dot1x max-user 32 interface Ethernet 1/0/1
dot1x port-control
Syntax
View
Parameters
Description
Use the dot1x port-control command to specify the access control mode for
specified Ethernet ports.
Use the undo dot1x port-control command to revert to the default access
control mode.
The default access control mode is auto.
Use the dot1x port-control command to configure the access control mode for
specified 802.1x-enabled ports.
In system view:
If you do not provide the interface-list argument, these two commands apply
to all the ports of the switch.
In Ethernet port view, the interface-list argument is not available and the
commands apply to only the current port.
Related command: display dot1x.
Examples
dot1x port-method
Syntax
View
Parameters
Description
Use the dot1x port-method command to specify the access control method for
specified Ethernet ports.
Use the undo dot1x port-method command to revert to the default access
control method.
By default, the access control method is macbased.
This command specifies the way in which the users are authenticated.
In port-based authentication mode, all the users connected to the port can
access the network without being authenticated if a user among them passes
the authentication. When that user logs off, the network becomes inaccessible
to all the other supplicant systems as well.
In system view:
If you do not provide the interface-list argument, these two commands apply
to all the ports of the switch.
In Ethernet port view, the interface-list argument is not available and the
commands apply to only the current Ethernet port.
Related command: display dot1x.
Example
dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameters
None
Description
Example
dot1x retry
Syntax
View
System view
Parameter
Description
Use the dot1x retry command to specify the maximum number of times that a
switch sends authentication request packets to a user.
Use the undo dot1x retry command to revert to the default value.
By default, a switch sends authentication request packets to a user up to 2
times.
After a switch sends an authentication request packet to a user, it sends another
authentication request packet if it does not receive a response from the user after a
specific period of time. If the switch still receives no response when the configured
maximum number of authentication request transmission attempts is reached, it
stops sending requests to the user. This command applies to all ports.
Related command: display dot1x.
Example
# Specify the maximum number of times that the switch sends authentication
request packets to be 9.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dot1x retry 9
dot1x retry-version-max
Syntax
View
Parameter
System view
max-retry-version-value: Maximum number of times that a switch sends version
request packets to a user. This argument ranges from 1 to 10.
Description
Example
# Configure the maximum number of times that the switch sends version request
packets to be 6.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dot1x retry-version-max 6
dot1x re-authenticate
Syntax
View
Parameter
Description
If you do not specify the interface-list argument, this command will enable
802.1x re-authentication on all ports.
If you specify the interface-list argument, the command will enable 802.1x on
the specified ports.
In Ethernet port view, the interface-list argument is not available and 802.1x
re-authentication is enabled on the current Ethernet port only.
802.1x must be enabled globally and on the current port before 802.1x
re-authentication can be configured on a port.
Example
# Enable 802.1x re-authentication on port Ethernet 1/0/1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dot1x
802.1X is enabled globally.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] dot1x
802.1X is enabled on port Ethernet1/0/1 already.
[5500-Ethernet1/0/1] dot1x re-authenticate
Re-authentication is enabled on port Ethernet1/0/1
dot1x supp-proxy-check
Syntax
View
Parameters
Description
Use the dot1x supp-proxy-check command to enable 802.1x proxy checking for
specified ports.
Use the undo dot1x supp-proxy-check command to disable 802.1x proxy
checking for specified ports.
By default, 802.1x proxy checking is disabled on all Ethernet ports.
In system view:
If you specify the interface-list argument, these two commands apply to the
specified Ethernet ports.
In Ethernet port view, the interface-list argument is not available and the
commands apply to only the current Ethernet port.
The proxy checking function takes effect on a port only when the function is
enabled both globally and on the port.
802.1x proxy checking checks for:
Whether or not a user logs in through multiple network adapters (that is, when
the user attempts to log in, the supplicant system has more than one active
network adapter).
A switch can optionally take the following actions in response to any of the above
three cases:
Only disconnects the user but sends no Trap packets, which can be achieved by
using the dot1x supp-proxy-check logoff command.
Sends Trap packets without disconnecting the user, which can be achieved by
using the dot1x supp-proxy-check trap command.
This function needs the cooperation of 802.1x clients and the CAMS server:
Multiple network adapter checking, proxy checking, and IE proxy checking are
enabled on the 802.1x client.
The CAMS server is configured to disable the use of multiple network adapters,
proxies, and IE proxy.
The 802.1x proxy checking function requires 3Com's 802.1x client program.
The proxy checking function takes effect only after the client version checking
function is enabled on the switch (using the dot1x version-check command).
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dot1x supp-proxy-check logoff
[5500] dot1x supp-proxy-check logoff interface Ethernet 1/0/1 to Ethernet 1/
# Configure the switch to send Trap packets if users connected to port Ethernet
1/0/9 are detected logging in through proxies.
dot1x timer
Syntax
View
Parameters
System view
handshake-period handshake-period-value: Sets the handshake timer. This timer
sets the handshake-period and is triggered after a supplicant system passes the
authentication. It sets the interval for a switch to send handshake request packets
to online users. If you set the number of retries to N by using the dot1x retry
command, an online user is considered offline when the switch does not receive
response packets from it within a period of N times the handshake-period.
The handshake-period-value argument ranges from 5 to 1,024 (in seconds). By
default, the handshake timer is set to 15 seconds.
quiet-period quiet-period-value: Sets the quiet-period timer. This timer sets the
quiet-period. When a supplicant system fails to pass the authentication, the switch
quiets for the set period (set by the quiet-period timer) before it processes another
authentication request re-initiated by the supplicant system. During this quiet
period, the switch does not perform any 802.1x authentication-related actions for
the supplicant system.
The quiet-period-value argument ranges from 10 to 120 (in seconds). By default,
the quiet-period timer is set to 60 seconds.
server-timeout server-timeout-value: Sets the RADIUS server timer. This timer sets
the server-timeout period. After sending an authentication request packet to the
RADIUS server, a switch sends another authentication request packet if it does not
receive the response from the RADIUS server when this timer times out.
The server-timeout-value argument ranges from 100 to 300 (in seconds). By
default, the RADIUS server timer is set to 100 seconds.
supp-timeout supp-timeout-value: Sets the supplicant system timer. This timer
sets the supp-timeout period and is triggered by the switch after the switch sends
a request/challenge packet to a supplicant system (The packet is used to request
the supplicant system for the MD5 encrypted string.) The switch sends another
request/challenge packet to the supplicant system if the switch does not receive
the response from the supplicant system when this timer times out.
The supp-timeout-value argument ranges from 10 to 120 (in seconds). By default,
the supplicant system timer is set to 30 seconds.
tx-period tx-period-value: Sets the transmission timer. This timer sets the
tx-period and is triggered in two cases. The first case is when the client requests
for authentication. The switch sends a unicast request/identity packet to a
supplicant system and then triggers the transmission timer. The switch sends
another request/identity packet to the supplicant system if it does not receive the
reply packet from the supplicant system when this timer times out. The second
case is when the switch authenticates the 802.1x client who cannot request for
authentication actively. The switch sends multicast request/identity packets
periodically through the port enabled with 802.1x function. In this case, this timer
sets the interval to send the multicast request/identity packets.
The tx-period-value argument ranges from 10 to 120 (in seconds). By default, the
transmission timer is set to 30 seconds.
ver-period ver-period-value: Sets the client version request timer. This timer sets
the version period and is triggered after a switch sends a version request packet.
The switch sends another version request packet if it does not receive version response
packets from the supplicant system when the timer expires.
The ver-period-value argument ranges from 1 to 30 (in seconds). By default, the
client version request timer is set to 30 seconds.
Description
Example
dot1x timer reauth-period
Syntax
View
System view
Parameter
reauth-period reauth-period-value: Specifies re-authentication interval, in
seconds. After this timer expires, the switch initiates 802.1x re-authentication. The
value of the reauth-period-value argument ranges from 60 to 7,200.
Description
Use the dot1x timer reauth-period command to configure the interval for
802.1x re-authentication.
Use the undo dot1x timer reauth-period command to restore the default
802.1x re-authentication interval.
By default, the 802.1x re-authentication interval is 3,600 seconds.
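The following Python check is an added example, not part of the 3Com manual. It reads dot1x timer lines from a saved configuration, validates them against the ranges and defaults listed above, and derives the time windows those timers imply. The sample configuration is constructed, the function and key names are hypothetical, and retries (the value set with the dot1x retry command) is supplied by the caller because its default is not given here.

```python
import math
import re

# keyword: (minimum, maximum, default) in seconds, as documented on this page
DOT1X_TIMERS = {
    "handshake-period": (5, 1024, 15),
    "quiet-period": (10, 120, 60),
    "server-timeout": (100, 300, 100),
    "supp-timeout": (10, 120, 30),
    "tx-period": (10, 120, 30),
    "ver-period": (1, 30, 30),
    "reauth-period": (60, 7200, 3600),
}

# Matches "dot1x timer <keyword> <value>" and "undo dot1x timer <keyword>".
# The page documents the undo form for reauth-period; treating the other
# keywords the same way is an assumption of this example.
LINE_RE = re.compile(r"^\s*(undo\s+)?dot1x\s+timer\s+(\S+)(?:\s+(\S+))?\s*$")


def audit_dot1x_timers(config_text, retries):
    """Return (effective timers, derived windows, findings) for a config."""
    effective = {name: spec[2] for name, spec in DOT1X_TIMERS.items()}
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = LINE_RE.match(line)
        if not match:
            continue
        undo, keyword, value = match.groups()
        if keyword not in DOT1X_TIMERS:
            findings.append((lineno, f"unknown timer keyword {keyword!r}"))
            continue
        low, high, default = DOT1X_TIMERS[keyword]
        if undo:
            effective[keyword] = default
            continue
        if value is None or not value.isdigit():
            findings.append((lineno, f"{keyword}: missing or non-numeric value"))
            continue
        seconds = int(value)
        if not low <= seconds <= high:
            # Out-of-range values are reported and the previous value is kept.
            findings.append((lineno, f"{keyword} {seconds} outside {low}-{high}"))
            continue
        effective[keyword] = seconds

    windows = {
        # An online user counts as offline only after N missed handshakes,
        # so a port can stay authorized this long after the client is gone.
        "offline_detect_s": retries * effective["handshake-period"],
        # Interval after which the switch initiates re-authentication.
        "reauth_s": effective["reauth-period"],
        # After each failure the switch ignores the supplicant for the quiet
        # period, which bounds failed attempts per hour (exchange time ignored).
        "failed_attempts_per_hour": math.ceil(3600 / effective["quiet-period"]),
    }
    return effective, windows, findings


# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = """\
dot1x
dot1x timer handshake-period 30
dot1x timer quiet-period 10
dot1x timer supp-timeout 5
dot1x timer reauth-period 7200
"""

if __name__ == "__main__":
    timers, derived, problems = audit_dot1x_timers(SAMPLE_CONFIG, retries=3)
    print(timers)
    print(derived)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```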
Example
dot1x version-check
Syntax
View
Parameter
Description
Use the dot1x version-check command to enable 802.1x client version checking
for specified Ethernet ports.
Use the undo dot1x version-check command to disable 802.1x client version
checking for specified Ethernet ports.
By default, 802.1x client version checking is disabled on all the Ethernet ports.
In system view:
If you do not provide the interface-list argument, these two commands apply
to all the ports of the switch.
In Ethernet port view, the interface-list argument is not available and the
commands apply to only the current Ethernet port.
Example
# Configure Ethernet 1/0/1 port to check the version of the 802.1x client upon
receiving authentication packets.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] dot1x version-check
Description
If the interface-list argument is not specified, this command clears the global
802.1x statistics and the 802.1x statistics on all the ports.
dot1x free-ip
Syntax
View
System view
Parameters
ip-address: Free IP address, in dotted decimal notation.
mask-address: Subnet mask of the free IP address, in dotted decimal notation.
mask-length: Length of the subnet mask of the free IP address, in the range 0 to
32.
Description
Use the dot1x free-ip command to configure a free IP range. A free IP range is an
IP range that users can access before passing 802.1x authentication.
Use the undo dot1x free-ip command to remove a specified free IP range or all
free IP ranges.
By default, no free IP range is configured.
You must configure the URL for HTTP redirection before configuring a free IP
range. The device supports up to two free IP ranges.
Example
dot1x timer acl-timeout
Syntax
View
System view
Parameter
Description
Example
dot1x url
Syntax
View
System view
Parameter
url-string: URL for HTTP redirection, in the format of http://x.x.x.x.
Description
Use the dot1x url command to configure the URL for HTTP redirection.
Use the undo dot1x url command to remove the configuration.
By default, no URL is configured for HTTP redirection.
Related command: dot1x configuration commands
Example
display habp
Syntax
display habp
View
Any view
Parameters
None
Description
Use the display habp command to display HABP configuration and status.
Example
Description
HABP Mode
Bypass VLAN
Parameters
None
Description
Use the display habp table command to display the MAC address table
maintained by HABP.
Example
Description
MAC
Holdtime
Receive Port
Parameters
None
Description
Use the display habp traffic command to display the statistics on HABP packets.
Example
Description
Packets output
Input
ID error
Type error
Version error
Sent failed
habp enable
Syntax
habp enable
undo habp enable
View
System view
Parameters
None
Description
Example
# Enable HABP.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] habp enable
View
System view
Parameter
vlan-id: VLAN ID, ranging from 1 to 4094.
Description
Use the habp server vlan command to configure a switch to operate as an HABP
server. This command also specifies the VLAN where HABP packets are broadcast.
Use the undo habp server vlan command to revert to the default HABP mode.
By default, a switch operates as an HABP client.
To specify a switch to operate as an HABP server, you need to enable HABP (using
the habp enable command) for the switch first. When HABP is not enabled, the
habp server vlan command cannot take effect.
Example
# Specify the switch to operate as an HABP server and the HABP packets to be
broadcast in VLAN 2. (Assume that HABP is enabled.)
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] habp server vlan 2
habp timer
Syntax
View
System view
Parameter
interval: Interval (in seconds) to send HABP request packets. This argument ranges
from 5 to 600.
Description
Use the habp timer command to set the interval for a switch to send HABP
request packets.
Use the undo habp timer command to revert to the default interval.
The default interval for a switch to send HABP request packets is 20 seconds.
Use these two commands on switches operating as HABP servers only.
Example
# Configure the switch to send HABP request packets once every 50 seconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] habp timer 50
The following System Guard Configuration Commands apply to the Switch 5500
only (not the Switch 5500G).
display system-guard ip state
Syntax
View
Parameters
None
Description
Use the display system-guard ip state command to view the monitoring results
and parameter settings of System Guard against IP attacks.
Example
# View the monitoring result and parameter settings of System Guard against IP
attacks.
<5500> display system-guard ip state
System-guard IP is running!
IP-record threshold: 30
Deny threshold: 1
Isolated times of aging time: 3
Number of suspicious hosts that can be detected: 30
Number of suspicious hosts detected: 0
Disable destination IP address learning from all ip address in the list
Description
System-guard IP is running
IP-record threshold
Deny threshold
display system-guard ip-record
Syntax
View
Parameters
None
Description
Example
# View the information about IP packets received by the CPU of the switch in the
current monitoring cycle.
<5500> display system-guard ip-record
M: Master port of link aggregation
Index  Source IP        Destination IP   Port
--------------------------------------------------
1      000.000.000.000  000.000.000.000  0/0/0
2      000.000.000.000  000.000.000.000  0/0/0
3      000.000.000.000  000.000.000.000  0/0/0
4      000.000.000.000  000.000.000.000  0/0/0
5      000.000.000.000  000.000.000.000  0/0/0
......
Field            Description
Index            Index
Source IP        Source IP address
Destination IP   Destination IP address
Port             Incoming port
display system-guard l3err state
Syntax
View
Parameters
None
Description
Use the display system-guard l3err state command to view the status of Layer
3 error control.
Example
display system-guard tcn state
Syntax
View
Parameters
None
Description
Use the display system-guard tcn state command to view the status of TCN
System Guard.
Example
system-guard ip detect-maxnum
Syntax
View
System view
Parameter
number: Maximum number of hosts that can be monitored, in the range of 1 to
100.
Description
Use the system-guard ip detect-maxnum command to set the maximum
number of infected hosts that can be monitored concurrently.
Use the undo system-guard ip detect-maxnum command to restore the
maximum number of infected hosts that can be monitored to the default setting.
By default, System Guard can monitor a maximum of 30 infected hosts.
Example
# Set the maximum number of infected hosts that can be concurrently monitored
to 50.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] system-guard ip detect-maxnum 50
system-guard ip detect-threshold
Syntax
View
System view
Parameters
ip-record-threshold: Maximum number of IP addresses that can be learned within
a 10-second cycle, in the range of 1 to 100.
record-times-threshold: Maximum number of times an IP address must be hit
before an action can be taken, in the range of 1 to 10.
isolate-time: The isolation time, ranging from 3 to 100. After System Guard takes
an action on a suspected IP address, the system waits the isolate-time before it
learns the destination address(es) again for that source IP address.
Description
Example
# Set the maximum number of addresses that the system can learn to 50, set the
maximum number of times an address can be hit to 3, and set the address
isolation time to 5 times the MAC address aging time.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] system-guard ip detect-threshold 50 3 5
system-guard ip enable
Syntax
system-guard ip enable
undo system-guard ip enable
View
System view
Parameters
None
Description
Example
system-guard l3err enable
Syntax
View
System view
Parameters
None
Description
Use the system-guard l3err enable command to enable Layer 3 error control.
Use the undo system-guard l3err enable command to disable Layer 3 error
control.
By default, this feature is enabled.
The Layer 3 error control feature determines how the switch disposes of Layer 3
packets which the switch considers to be error packets:
With the Layer 3 error control feature disabled, the switch delivers all Layer 3
packets which the switch considers to be error packets (including IP packets with
the options field) to the CPU for further processing;
With the Layer 3 error control feature enabled, the switch directly discards all Layer
3 packets which the switch considers to be error packets without delivering them
to the CPU.
Note: In normal situations, we recommend that you enable this feature. Because the
switch cannot forward error packets and IP packets with the Options field set,
delivering all these packets to the CPU will affect the normal work of the CPU.
Example
# Enable Layer 3 error control.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] system-guard l3err enable
system-guard tcn enable
Syntax
View
System view
Parameters
None
Description
Use the system-guard tcn enable command to enable System Guard against
TCN attacks.
Use the undo system-guard tcn enable command to disable System Guard
against TCN attacks.
With this feature enabled, System Guard monitors the TCN/TC packet receiving
rate on the ports. If the rate exceeds the preset threshold, the system outputs
trap and log information to notify the user and starts to send only one TCN/TC
packet to the CPU in a 10-second cycle. This can prevent MAC and ARP entries
from being frequently deleted by STP or RSTP; in addition, when the TCN/TC
packet rate exceeds the preset threshold, proper measures can be taken based on
the output trap and log information.
system-guard tcn rate-threshold
Syntax
View
System view
Parameter
rate-threshold: TCN/TC packet receiving rate in packets per second (pps), with an
effective range of 1 to 20.
Description
Use the system-guard tcn rate-threshold command to set the threshold of
TCN/TC packet receiving rate, which will trigger the output of trap and log
information.
Use the undo system-guard tcn rate-threshold command to restore the default
threshold of TCN/TC packet receiving rate.
By default, the threshold of TCN/TC packet receiving rate is 1 pps.
As the system monitoring cycle is 10 seconds, the system sends trap or log
information, by default, if more than 10 TCN/TC packets are received within 10
seconds.
Note: If the TCN/TC packet receiving rate is lower than the set threshold within a
10-second monitoring cycle, the system will not send trap or log information in
the next 10-second monitoring cycle.
Example
# Set the threshold of TCN/TC receiving rate to 20 pps.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] system-guard tcn rate-threshold 20
The following System Guard Configuration Commands apply to the Switch 5500G
only (not the Switch 5500).
display system-guard l3err state
Syntax
View
Parameters
None
Description
Use the display system-guard l3err state command to view the status of Layer
3 error control.
Example
system-guard l3err enable
Syntax
View
System view
Parameters
None
Description
Use the system-guard l3err enable command to enable Layer 3 error control.
Use the undo system-guard l3err enable command to disable Layer 3 error
control.
By default, this feature is enabled.
The Layer 3 error control feature determines how the switch disposes of Layer 3
packets which the switch considers to be error packets:
With the Layer 3 error control feature disabled, the switch delivers all Layer 3
packets which the switch considers to be error packets (including IP packets with
the options field) to the CPU for further processing;
With the Layer 3 error control feature enabled, the switch directly discards all Layer
3 packets which the switch considers to be error packets without delivering them
to the CPU.
Note: In normal situations, we recommend that you enable this feature. Because the
switch cannot forward error packets and IP packets with the Options field set,
delivering all these packets to the CPU will affect the normal work of the CPU.
Example
# Enable Layer 3 error control.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] system-guard l3err enable
display vrrp
Syntax
display vrrp
View
Any view
Parameters
None
Description
Use the display vrrp command to display the VRRP state information.
Example
# Display the VRRP state information about all the VRRP groups on the switch.
<5500> display vrrp
Run Method      : VIRTUAL-MAC
Virtual Ip Ping : Disable
The total number of the virtual routers: 1
Interface  VRID  State       Run  Adver.  Auth  Virtual
                             Pri  Time    Type  IP
---------------------------------------------------------------------
Vlan2      2     Initialize  100  1       NONE  173.160.0.1
Description
Run Method
Virtual IP Ping
Interface
VRID
State
Run Pri
Running priority
Auth Type
Authentication type
Track IF
Virtual IP
View
Any view
Parameters
vlan-interface vlan-id: Specifies a VLAN interface by its ID. The vlan-id argument
is the ID of a VLAN interface.
virtual-router-id: VRRP group ID, ranging from 1 to 255.
Description
Use the display vrrp interface vlan-interface command to display the VRRP
state information.
If only the VLAN interface is specified, this command displays the VRRP state
information about all the VRRP groups on the specified VLAN interface.
If both the VLAN interface and VRRP group are specified, this command
displays the VRRP state information about the specified VRRP group on the
specified VLAN interface.
Example
# Display the VRRP state information about the VRRP groups on VLAN-interface 1.
<5500> display vrrp interface Vlan-interface 1
Run Method      : VIRTUAL-MAC
Virtual Ip Ping : Disable
The total number of the virtual routers: 1
Interface  VRID  State       Run  Adver.  Auth  Virtual
                             Pri  Time    Type  IP
---------------------------------------------------------------------
Vlan2      2     Initialize  100  1       NONE  173.160.0.1
Table 115 Description on the fields of display vrrp interface vlan-interface command
Field
Description
Run Method
Virtual IP ping
Interface
VRID
State
Run Pri
Running priority
Adver.Timer
Auth Type
Virtual IP
View
Parameters
Description
Use the display vrrp statistics command to display the VRRP statistics
information of VRRP group(s).
If only a VLAN interface is specified, the statistics information about all the
VRRP groups on the specified interface is displayed.
If both a VLAN interface and a VRRP group are specified, the statistics
information about the specified VRRP group on the specified interface is
displayed.
Example
# Display the VRRP statistics information about all the VRRP groups.
<5500> display vrrp statistics
Interface              : Vlan-interface1
VRID                   : 1
CheckSum Errors        : 0   Version Errors                : 0
VRID Errors            : 0   Advertisement Interval Errors : 0
IP TTL Errors          : 0   Auth Failures                 : 0
Invalid Auth Type      : 0   Auth Type Mismatch            : 0
Packet Length Errors   : 0   Address List Errors           : 0
Become Master          : 1   Priority Zero Pkts Rcvd       : 0
Advertise Rcvd         : 0   Priority Zero Pkts Sent       : 0
Invalid Type Pkts Rcvd : 0
Description
Interface
VRID
CheckSum Errors
Version Errors
VRID Errors
IP TTL Errors
Auth Failures
Become Master
Advertise Rcvd
Description
Use the display vrrp verbose command to display detailed VRRP information.
If neither a VLAN interface nor a VRRP group is specified, the detailed VRRP
information about all the VRRP groups on the switch is displayed.
If only a VLAN interface is specified, the detailed VRRP information about all
the VRRP groups on the specified interface is displayed.
If both a VLAN interface and a VRRP group are specified, the detailed VRRP
information about the specified VRRP group on the specified interface is
displayed.
Example
Adver. Timer : 1
State        : Master
Run Pri      : 100
Delay Time   : 0
Description
Run Method
Virtual Ip Ping
Interface
VRID
Adver. Timer
Admin Status
State
Config Pri
Configured priority
Run Pri
Running priority
Preempt Mode
Delay Time
Preemption delay
Auth Type
Authentication type
Virtual IP
Virtual MAC
Master IP
Description
Use the reset vrrp statistics command to clear the VRRP statistics information.
When you execute this command,
If only an interface is specified, the statistics information about all the VRRP
groups on the specified interface is cleared.
If both an interface and a VRRP group are specified, the statistics information
about the specified VRRP group on the specified interface is cleared.
Example
# Clear the VRRP statistics information about all the interfaces on the switch.
<5500> reset vrrp statistics
Description
Use the undo vrrp vrid command to remove all the configurations of the
specified VRRP group on the VLAN interface.
Example
vrrp method
Syntax
View
Parameters
System view
real-mac: Maps the real MAC address of a switch VLAN interface to virtual router
IP addresses.
virtual-mac: Maps the virtual MAC address of a switch VLAN interface to virtual
router IP addresses.
Description
Use the vrrp method command to map the MAC address of a VRRP group to the
virtual router IP addresses. You can map the real or virtual MAC address of a
switch VLAN interface to virtual router IP addresses.
Use the undo vrrp method command to restore the default map settings.
By default, the virtual MAC address of a VRRP group is mapped to the IP address
of the virtual router.
Note that as the mapping relationship between the MAC addresses of a VRRP
group and a virtual router IP address cannot be configured after the VRRP group is
created, configure the mapping relationship before you create a VRRP group.
Example
# Map the real MAC address of a VLAN interface to a virtual router IP address.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] vrrp method real-mac
vrrp ping-enable
Syntax
vrrp ping-enable
undo vrrp ping-enable
View
System view
Parameters
None
Description
Use the vrrp ping-enable command to enable a VRRP group to respond to ping
operations destined for its virtual router IP address.
Use the undo vrrp ping-enable command to restore the default situation.
By default, a VRRP group does not respond to ping operations destined for its
virtual router IP address.
Example
# Enable a VRRP group to respond to ping operations destined for its virtual router
IP address.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] vrrp ping-enable
vrrp vlan-interface vrid track
Syntax
View
Parameters
Description
Use the vrrp vlan-interface vrid track command to enable the port tracking
function on the physical ports of a VRRP group.
Use the undo vrrp vlan-interface vrid track command to disable the port
tracking function.
By default, the value by which the priority of an Ethernet port decreases is 10.
The VRRP group port tracking function can track a specified port and
decrease the priority of the switch when the port fails.
Using this function, you can enable the priority of a master switch to decrease by
the specified value when the uplink port of the master switch fails. This in turn
triggers the election of a new master in the VRRP group.
The port to be tracked can be in the VLAN which the VRRP group VLAN
interface belongs to.
Examples
# Configure that the priority of the switch decreases by 50 if its Ethernet 1/0/1
port fails.
<5500> system-view
[5500] vlan 2
[5500-vlan2] port Ethernet1/0/1
[5500-vlan2] quit
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] vrrp vlan-interface 2 vrid 1 track reduced 50
vrrp vrid authentication-mode
Syntax
View
Parameters
Description
When the authentication type is simple, the authentication key can contain up
to eight characters.
When the authentication type is md5, the authentication key can be a string of
up to eight characters in plain text or a 24-character encrypted string.
Use the undo vrrp vrid authentication-mode command to clear the configured
authentication type and authentication key for a VRRP group.
By default, no authentication is performed for a VRRP group.
If the simple or md5 authentication is configured, the authentication key is
required.
This command sets the authentication type and authentication key for all the
VRRP groups on an interface. This is determined by the protocol which defines
that all the VRRP groups on an interface share the same authentication type and
authentication key. Besides, all the members joining the same VRRP group also
share the same authentication type and authentication key.
Note that the authentication key is case-sensitive.
Example
vrrp vrid preempt-mode
Syntax
View
Parameters
Description
In a VRRP group where the preemptive mode is not enabled, once a switch in
the VRRP group becomes the master switch, other switches, even if they later
have a higher priority, do not preempt the master switch as long as the
master switch is not down.
In a VRRP group where switches are enabled with the preemptive mode, a
backup switch sends out VRRP advertisements to trigger a new master switch
election if it finds its priority is higher than that of the current master switch,
and finally becomes the new master switch. The former master switch
becomes a backup switch accordingly.
You can also set the preemptive delay for the switches in a VRRP group. Setting a
delay period aims at:
Note: You can use the undo vrrp vrid preempt-mode command to set a switch in a
VRRP group to operate in non-preemptive mode.
Example
# Configure the switch to operate in the preemptive mode.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 2
[5500-Vlan-interface2] vrrp vrid 1 preempt-mode
View
Parameters
priority: The priority at which the switch is to be set. This argument ranges from 1
to 254.
Description
Use the vrrp vrid priority command to set the priority of a switch in a VRRP
group.
Use the undo vrrp vrid priority command to restore the default priority.
By default, the priority of a switch in a VRRP group is 100.
Switch priority determines the possibility for the switch to become a master
switch. A switch with higher priority is more likely to become a master switch.
Switch priority ranges from 0 to 255 (a larger number indicates a higher switch
priority) and defaults to 100. Note that only 1 through 254 are available to users.
Switch priority 0 and 255 are reserved for special uses and IP address owner
respectively. If a switch is an IP address owner, its priority is always 255 and you
cannot configure it. So if an IP address owner exists in a VRRP group, the switch
(the IP address owner) becomes the master switch of the VRRP group.
Example
# Set the priority to 120 on VLAN-interface 2 for the switch in the VRRP group.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 2
[5500-Vlan-interface2] vrrp vrid 1 priority 120
View
Parameters
Description
Use the vrrp vrid timer advertise command to set the interval for the master
switch of a VRRP group to send VRRP packets.
Use the undo vrrp vrid timer advertise command to revert to the default
interval.
Note that a configuration error occurs if switches of the same VRRP group are
configured with different adver-interval values.
By default, the interval for the master switch in a VRRP group to send VRRP
packets is 1 second.
Example
# Set the interval for the master switch to send VRRP packets to 15 seconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 2
[5500-Vlan-interface2] vrrp vrid 1 timer advertise 15
View
Parameters
Description
Use the vrrp vrid track command to set a VLAN interface to be tracked.
Use the undo vrrp vrid track command to disable a VLAN interface from being
tracked.
By default, the value by which the priority of the VLAN interface decreases is 10.
The VLAN interface tracking function extends the use of the backup function.
With this function enabled, the backup function is applicable to the VLAN
interface that belongs to a VRRP group and those that do not belong to a VRRP
group. You can utilize the VLAN interface tracking function by specifying
monitored VLAN interfaces.
With the VLAN interface tracking function enabled, the priority of a master switch
decreases by the value set by the value-reduced argument when a tracked VLAN
interface on the switch goes down. And other switches in the VRRP group, whose
priorities are higher than the decreased priority of the master switch, may become
the master switch.
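The following Python simulation is an added example, not part of the 3Com manual. It models how the priority, port or VLAN interface tracking, and preemptive mode described above interact when an uplink on the master fails and recovers. The switch names, the class and function names, and the floor of 1 on the reduced priority are assumptions of this model; the priorities 100 and 120 and the reduction of 50 are the values used in the examples on this page.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 100   # default switch priority stated on this page
OWNER_PRIORITY = 255     # reserved for the IP address owner


@dataclass
class Switch:
    name: str
    preempt: bool                                 # preemptive mode on this switch
    config_priority: int = DEFAULT_PRIORITY
    ip_owner: bool = False
    tracked: dict = field(default_factory=dict)   # tracked item -> reduced value
    failed: set = field(default_factory=set)      # tracked items currently down
    alive: bool = True

    def __post_init__(self):
        if not 1 <= self.config_priority <= 254:
            raise ValueError("configurable priority is 1 to 254")

    def running_priority(self):
        """Configured priority minus the reductions of failed tracked items."""
        if self.ip_owner:
            return OWNER_PRIORITY
        reduction = sum(v for item, v in self.tracked.items() if item in self.failed)
        # Assumption of this model: the running priority never drops below 1.
        return max(1, self.config_priority - reduction)


def elect(group, master=None):
    """Return the master after one election round (ties are not modelled)."""
    alive = [s for s in group if s.alive]
    if not alive:
        return None
    if master is None or not master.alive:
        # No working master: the highest running priority wins.
        return max(alive, key=Switch.running_priority)
    # A working master is replaced only by a higher-priority backup that is in
    # preemptive mode (the IP address owner always takes over).
    challengers = [
        s for s in alive
        if s is not master
        and (s.preempt or s.ip_owner)
        and s.running_priority() > master.running_priority()
    ]
    if challengers:
        return max(challengers, key=Switch.running_priority)
    return master


def uplink_failure_scenario(preempt):
    """Replay an uplink failure on SwitchA; return (event, master, A priority)."""
    a = Switch("SwitchA", preempt, config_priority=120,
               tracked={"Ethernet1/0/1": 50})
    b = Switch("SwitchB", preempt)  # keeps the default priority 100
    group, history = [a, b], []

    def step(label, master):
        master = elect(group, master)
        history.append((label, master.name, a.running_priority()))
        return master

    master = step("start", None)
    a.failed.add("Ethernet1/0/1")          # tracked uplink goes down
    master = step("uplink down", master)
    a.failed.clear()                       # tracked uplink recovers
    master = step("uplink restored", master)
    a.alive = False                        # SwitchA fails completely
    master = step("SwitchA down", master)
    a.alive = True
    master = step("SwitchA back", master)
    return history


if __name__ == "__main__":
    for mode in (True, False):
        print("preemptive mode:", mode)
        for event, master_name, prio_a in uplink_failure_scenario(mode):
            print(f"  {event:16} master={master_name} SwitchA priority={prio_a}")
```

With preemptive mode off, the tracked uplink failure lowers SwitchA to 70 but SwitchB never takes over, so tracking only produces a failover when the backups can preempt.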
Example
View
Parameters
Description
Use the vrrp vrid track detect-group command to enable the auto detect
function when employing VRRP.
Use the undo vrrp vrid track detect-group command to disable the auto detect
implementation in VRRP.
By default, the priority of the detected group decreases by 10.
You can control the priority of the VRRP group according to the auto detect result
to enable automatic switch between the master and the backup.
Examples
Decrease the priority of a VRRP group when the result of the detected group is
unreachable.
Restore the priority of a VRRP group when the result of the detected group is
reachable.
View
Parameters
Description
Use the vrrp vrid virtual-ip command to add a virtual router IP address to an
existing VRRP group.
Use the undo vrrp vrid virtual-ip command to remove a virtual router IP address
from an existing VRRP group.
The vrrp vrid virtual-ip command can also be used to create a VRRP group. You
can add up to 16 virtual router IP addresses to a VRRP group. The undo vrrp vrid
virtual-ip command can also be used to remove an existing VRRP group or an IP
address in the existing group. A VRRP group is removed if all the virtual router IP
addresses configured for it are removed.
Note: We recommend that you do not configure features related to VRRP groups on
Layer 3 interfaces of a remote-probe VLAN. Otherwise, packet mirroring may be
affected.
Examples
# Create a VRRP group.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 2
[5500-Vlan-interface2] vrrp vrid 1 virtual-ip 10.10.10.10
The following commands are the MAC address authentication Basic Function
Configuration Commands.
display mac-authentication
Syntax
display mac-authentication [ interface interface-list ]
View
Any view
Parameter
interface interface-list: List of Ethernet ports. You can specify multiple Ethernet
ports by providing this argument in the form of interface-list = { interface-type
interface-number [ to interface-type interface-number ] } &<1-10>, where
&<1-10> means that you can provide up to 10 port indexes/port index ranges for
this argument.
Description
Use the display mac-authentication command to display information about
MAC address authentication.
Example
# Display the global information about MAC address authentication.
<5500> display mac-authentication
Mac address authentication is Enabled.
Authentication mode is UsernameAsMacAddress usernameformat with-hyphen lowercase
Fixed username:mac
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60 second(s).
Server response timeout value is 100s
Guest VLAN re-authenticate period is 30s
Max allowed user number is 1024
Current user number amounts to 1
Current domain: not configured, use default domain
Silent Mac User info:
MAC ADDR         From Port        Port Index
--- On unit 1, 1 silent mac address(es) found. ---
0016-e0be-e201   Ethernet1/0/2    1(vlan:1)
--- 1 silent mac address(es) found. ---
Ethernet1/0/1 is link-up
MAC address authentication is Enabled
max-auth-num is 256
Guest VLAN is 2
Authenticate success: 1, failed: 0
Current online user number is 1
MAC ADDR         Authenticate state           AuthIndex
000d-88f8-4e71   MAC_AUTHENTICATOR_SUCCESS    0
Description
Authentication mode
Fixed username
Fixed password
Quiet period
Server timeout timer, which sets the timeout time for the
connection between a switch and the RADIUS server. By
default, it is 100 seconds.
Current domain
The information about the silent user. When the user fails to
pass MAC address authentication because an incorrect user name
and password was entered, the switch places the user in the
quiet state. During the quiet period, the switch does not process
the authentication request of this user.
max-auth-num
Guest VLAN
MAC ADDR
Authenticate state
AuthIndex
MAC_AUTHENTICATOR_CONNECTING: Connecting
MAC_AUTHENTICATOR_SUCCESS: Authentication
passed
MAC_AUTHENTICATOR_LOGOFF: Offline
mac-authentication
Syntax
mac-authentication
undo mac-authentication
View
Parameter
Description
Examples
mac-authentication interface
Syntax
View
System view
Parameter
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by
providing this argument in the form of interface-list = { interface-type
Examples
You cannot configure the maximum number of dynamic MAC address entries
for a port (through the mac-address max-mac-count command) with MAC
address authentication enabled. Likewise, you cannot enable the MAC address
authentication feature on a port with a limit of dynamic MAC addresses
configured.
mac-authentication authmode usernameasmacaddress
Syntax
View
System view
Parameter
usernameformat: Specifies the input format of the username and password.
with-hyphen: Uses hyphened MAC addresses as usernames and passwords, for
example, 00-05-e0-1c-02-e3.
679
Example
# Use the user name in MAC address mode for MAC address authentication,
requiring hyphened lowercase MAC addresses as the usernames and passwords.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
mac-authentication authmode usernamefixed
Syntax
View
System view
Parameter
None
Description
Use the mac-authentication authmode usernamefixed command to set the
user name in fixed mode for MAC address authentication.
Use the undo mac-authentication authmode command to restore the default
user name mode for MAC address authentication.
By default, the MAC address mode is used.
Example
# Use the user name in fixed mode for MAC address authentication.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] mac-authentication authmode usernamefixed
mac-authentication authpassword
Syntax
View
System view
Parameter
password: Password to be set, a string comprising 1 to 63 characters.
Description
Use the mac-authentication authpassword command to set a password for
MAC address authentication when the user name in fixed mode is used.
Use the undo mac-authentication authpassword command to cancel the
configured password.
By default, no password is configured.
Example
mac-authentication authusername
Syntax
View
System view
Parameter
username: User name used in authentication, a string of 1 to 55 characters.
Description
Use the mac-authentication authusername command to set a user name in
fixed mode.
Use the undo mac-authentication authusername command to restore the
default user name.
By default, the user name in fixed mode is mac.
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] mac-authentication authusername vipuser
mac-authentication domain
Syntax
View
System view
Parameter
isp-name: ISP domain name, a string of 1 to 128 characters. Note that this
argument cannot be null and cannot contain these characters: /, :, *, ?, <, and >.
Description
Example
mac-authentication timer
Syntax
View
System view
Parameter
offline-detect-value: Offline detect timer (in seconds) setting. This argument
ranges from 1 to 65,535 and defaults to 300. The offline detect timer sets the
time interval for a switch to test whether a user goes offline.
quiet-value: Quiet timer (in seconds) setting. This argument ranges from 1 to
3,600 and defaults to 60. After a user fails to pass the authentication performed
by a switch, the switch quiets for a specific period (the quiet period) before it
authenticates the user again.
Example
reset mac-authentication
Syntax
View
Parameter
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by
providing this argument in the form of interface-list = { interface-type
interface-number [ to interface-type interface-number ] } &<1-10>, where
&<1-10> means that you can provide up to 10 port indexes/port index ranges for
this argument.
Description
Example
# Clear the MAC address authentication statistics for port Ethernet 1/0/1.
<5500> reset mac-authentication statistics interface Ethernet 1/0/1
mac-authentication guest-vlan
Syntax
View
Parameter
vlan-id: ID of the Guest VLAN configured for the current port. This argument is in
the range of 1 to 4,094.
Description
CAUTION:
If more than one client is connected to a port, you cannot configure a Guest
VLAN for this port.
When a Guest VLAN is configured for a port, only one MAC address
authentication user can access the port. Even if you set the limit on the number
of MAC address authentication users to more than one, the configuration does
not take effect.
The undo vlan command cannot be used to remove the VLAN configured as a
Guest VLAN. If you want to remove this VLAN, you must remove the Guest
VLAN configuration for it. Refer to the undo vlan command in the chapter
entitled VLAN Configuration Commands on page 117.
Only one Guest VLAN can be configured for a port, and the VLAN configured
as the Guest VLAN must be an existing VLAN. Otherwise, the Guest VLAN
configuration does not take effect. If you want to change the Guest VLAN for a
port, you must remove the current Guest VLAN and then configure a new
Guest VLAN for this port.
The Guest VLAN function for MAC address authentication does not take effect
when port security is enabled.
mac-authentication max-auth-num
Syntax
View
Parameter
Description
Example
CAUTION:
If both the limit on the number of MAC address authentication users and the
limit on the number of users configured in the port security function are
configured for a port at the same time, the smaller value of the two configured
limits is adopted as the maximum number of MAC address authentication
users allowed to access this port. Refer to Port Security Commands on page
223 for a description of the port security function.
mac-authentication timer guest-vlan-reauth
Syntax
View
System view
Parameter
interval: Interval at which the switch re-authenticates users in Guest VLANs. This
argument is in the range of 1 to 3,600 in seconds.
Description
Example
44
arp check enable
Syntax
View
System view
Parameters
None
Description
Use the arp check enable command to enable the ARP entry checking function
on a switch.
Use the undo arp check enable command to disable the ARP entry checking
function.
With the ARP entry checking function enabled, the switch cannot learn any ARP
entry with a multicast MAC address. Configuring such a static ARP entry is not
allowed either; if you attempt it, the system displays an error message.
After the ARP entry checking function is disabled, the switch can learn the ARP
entry with a multicast MAC address, and you can also configure such a static ARP
entry on the switch.
By default, the ARP entry checking function is enabled.
Example
View
VLAN view
Parameters
None
Description
Use the arp detection enable command to enable the ARP attack detection
function on all ports in the specified VLAN. When receiving an ARP packet from a
port in this VLAN, the switch will check the source IP address, source MAC
address, number of the receiving port, and the VLAN of the port. If the mapping
of the source IP address and source MAC address is not included in the DHCP
snooping entries or IP static binding entries, or the number of the receiving port
and the VLAN of the port do not match the DHCP snooping entries or IP static
binding entries, the ARP packet will be discarded.
Use the undo arp detection enable command to disable the ARP attack
detection function on all ports in the specified VLAN.
By default, ARP attack detection is disabled on the switch.
Example
View
Parameters
None
Description
Use the arp detection trust command to specify the current port as a trusted
port, that is, ARP packets received on this port are regarded as legal ARP packets
and will not be checked.
Use the undo arp detection trust command to specify the current port as a
non-trusted port in ARP detection.
By default, a port is a non-trusted port in ARP detection.
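The ARP attack detection check and the trusted-port exemption described above, modeled in Python as an added example (not 3Com's code and not part of the manual). The class and function names, the binding table layout and the sample packets are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


def norm_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits; accepts '-', ':' or '.' separators."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry or IP static binding entry (hypothetical layout)."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    """The four values the description says are checked for each ARP packet."""
    src_ip: str
    src_mac: str
    vlan: int
    port: str  # receiving port


class ArpDetection:
    """Decision model: which ARP packets are forwarded and which are discarded."""

    def __init__(self, bindings, enabled_vlans, trusted_ports):
        self.pairs = {(b.ip, norm_mac(b.mac)) for b in bindings}
        self.entries = {(b.ip, norm_mac(b.mac), b.vlan, b.port) for b in bindings}
        self.enabled_vlans = set(enabled_vlans)   # VLANs with detection enabled
        self.trusted_ports = set(trusted_ports)   # ports exempt from checking
        # Per-port drop count, comparable to the INVALID ARP PACKETS field of
        # "display arp detection statistics interface".
        self.invalid = Counter()

    def check(self, pkt):
        if pkt.vlan not in self.enabled_vlans:
            return ("forward", "detection not enabled in VLAN")
        if pkt.port in self.trusted_ports:
            return ("forward", "trusted port")
        try:
            mac = norm_mac(pkt.src_mac)
        except ValueError:
            mac = None  # malformed source MAC can never match a binding
        if mac is None or (pkt.src_ip, mac) not in self.pairs:
            reason = "no IP-MAC binding"
        elif (pkt.src_ip, mac, pkt.vlan, pkt.port) not in self.entries:
            reason = "port/VLAN mismatch"
        else:
            return ("forward", "matches binding")
        self.invalid[pkt.port] += 1
        return ("drop", reason)


def run_demo():
    # Constructed sample data: one host binding and one gateway binding.
    bindings = [
        Binding("10.1.1.10", "000d-88f8-4e71", 10, "Ethernet1/0/2"),
        Binding("10.1.1.1", "000f-e20f-0001", 10, "Ethernet1/0/24"),
    ]
    det = ArpDetection(bindings, enabled_vlans={10},
                       trusted_ports={"Ethernet1/0/24"})
    packets = [
        # Host announcing its own, bound address on its own port.
        ArpPacket("10.1.1.10", "00:0d:88:f8:4e:71", 10, "Ethernet1/0/2"),
        # Same host claiming the gateway's IP with its own MAC.
        ArpPacket("10.1.1.1", "000d-88f8-4e71", 10, "Ethernet1/0/2"),
        # Valid IP-MAC pair arriving on a port the binding does not name.
        ArpPacket("10.1.1.10", "000d-88f8-4e71", 10, "Ethernet1/0/10"),
        # Unbound address on the trusted uplink: not checked at all.
        ArpPacket("10.9.9.9", "0000-0000-0001", 10, "Ethernet1/0/24"),
        # Unbound address in a VLAN where detection is not enabled.
        ArpPacket("10.9.9.9", "0000-0000-0001", 20, "Ethernet1/0/10"),
    ]
    results = [det.check(p) for p in packets]
    return results, dict(det.invalid)


if __name__ == "__main__":
    results, invalid = run_demo()
    for verdict, reason in results:
        print(f"{verdict:8s} {reason}")
    print("invalid ARP packets per port:", invalid)
```

The last two packets show why the trusted-port setting belongs only on ports facing infrastructure you control, and why detection must be enabled in every VLAN that carries hosts: in both cases an unbound address passes unchecked.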
Example
arp protective-down recover enable
Syntax
System view
Parameters
None
Description
Use the arp protective-down recover enable command to enable the port state
auto-recovery function on the switch.
Use the undo arp protective-down recover enable command to disable the
port state auto-recovery function of a switch.
With this function enabled, the switch can automatically bring up a port that has
been shut down due to an excessive ARP packet receiving rate after a specified
period.
By default, the port state auto-recovery function is disabled.
Example
arp protective-down recover interval
Syntax
View
System view
Parameter
interval: Recovery time (in seconds) of a port which is shut down due to an
excessive ARP packet receiving rate. The effective range is 10 to 86,400.
Description
Use the arp protective-down recover interval command to specify a recovery
interval. After the interval, a port that has been shut down due to an excessive
ARP packet receiving rate will be brought up.
Use the undo arp protective-down recover interval command to restore the
default.
By default, when the port state auto-recovery function is enabled, the recovery
interval is 300 seconds.
Note that:
You need to enable the port state auto-recovery feature before you can
configure the auto-recovery interval.
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] arp protective-down recover enable
[5500] arp protective-down recover interval 30
arp rate-limit
Syntax
View
Parameter
Description
You must enable the ARP packet rate limit function before you can specify the
maximum ARP packet receiving rate on the port by using the arp rate-limit
command.
Example
# Set the maximum ARP packet receiving rate on Ethernet 1/0/11 to 100 pps.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface ethernet 1/0/11
[5500-Ethernet1/0/11] arp rate-limit enable
[5500-Ethernet1/0/11] arp rate-limit 100
View
Parameters
None
Description
Use the arp rate-limit enable command to enable the ARP packet rate limit
function on the port, that is, to limit the rate of ARP packets passing through the
port.
Use the undo arp rate-limit enable command to disable the ARP packet rate
limit function on the port.
With ARP packet rate limit function enabled on a port, the maximum ARP packet
rate allowed on the port is 15 pps by default.
By default, the ARP packet rate limit function is disabled, that is, ARP packet rate is
not limited on a port.
Example
arp restricted-forwarding enable
Syntax
View
VLAN view
Parameters
None
Description
Syntax
[5500] vlan 1
[5500-vlan1] arp restricted-forwarding enable
arp send-gratuitous enable vrrp
Syntax
View
System view
Parameters
None
Description
Use the arp send-gratuitous enable vrrp command to enable the master switch
of a VRRP backup group to send gratuitous ARP packets periodically.
Use the undo arp send-gratuitous enable vrrp command to disable this
function.
By default, this function is disabled.
Note that before enabling the master switch of a VRRP backup group to send
gratuitous ARP packets periodically, you need to create the VRRP backup group
and perform corresponding configurations. Refer to the chapter entitled VRRP
Configuration Commands on page 661 for details.
Example
# Enable the master switch of the VRRP backup group to send gratuitous ARP
packets periodically.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] arp send-gratuitous enable vrrp
arp static
Syntax
View
Parameters
vlan-id: ID of the VLAN to which the static ARP entry belongs, in the range of 1 to
4,094.
interface-type: Type of the port to which the static ARP entry belongs.
interface-number: Number of the port to which the static ARP entry belongs.
Description
Static ARP entries are valid as long as the Ethernet switch operates normally.
But some operations, such as removing a VLAN, or removing a port from a
VLAN, will make the corresponding ARP entries invalid and therefore removed
automatically.
As for the arp static command, the value of the vlan-id argument must be the
ID of an existing VLAN, and the port identified by the interface-type and
interface-number arguments must belong to the VLAN.
# Create a static ARP mapping entry, with the IP address of 202.38.10.2, the MAC
address of 000f-e20f-0000. The ARP mapping entry belongs to Ethernet 1/0/1
which belongs to VLAN 1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] arp static 202.38.10.2 000f-e20f-0000 1 Ethernet 1/0/1
View
System view
Parameter
aging-time: Aging time (in minutes) of the dynamic ARP entries. This argument
ranges from 1 to 1,440.
Description
Use the arp timer aging command to configure the aging time for dynamic ARP
entries.
Use the undo arp timer aging command to restore the default.
display arp
Syntax
View
Parameters
Description
Use the display arp command to display specific ARP mapping entries.
If you execute this command with no keyword/argument specified, all the ARP
entries are displayed.
Related commands: arp static, and reset arp.
Example
Port Name / AL ID    Aging    Type
N/A                  N/A      S
Ethernet1/0/2        13       D
Ethernet1/0/2        14       D
Ethernet1/0/2        14       D
Ethernet1/0/2        15       D
Ethernet1/0/2        15       D
Ethernet1/0/2        16       D
Ethernet1/0/2        16       D
Ethernet1/0/2        17       D
Ethernet1/0/2        18       D
Ethernet1/0/2        18       D
Ethernet1/0/2        20       D
Ethernet1/0/2        20       D
Ethernet1/0/2        20       D
---   14 entries found   ---
Description
IP Address
MAC Address
VLAN ID
Port Name / AL ID
Aging
Type
display arp |
Syntax
View
Parameters
Description
Use the display arp | command to display the ARP entries related to string in a
specified way.
Related commands: arp static, and reset arp.
Example
# Display all the ARP entries that contain the string 77.
<5500> display arp | include 77
Type: S-Static   D-Dynamic
IP Address      MAC Address      VLAN ID   Port Name / AL ID   Aging   Type
192.168.0.77    0000-e8f5-6a4a   1         Ethernet1/0/2       12      D
---   1 entry found   ---
# Display all the ARP entries that do not contain the string 68.
<5500> display arp | exclude 68
Type: S-Static   D-Dynamic
IP Address      MAC Address      VLAN ID   Port Name / AL ID   Aging   Type
10.2.72.162     000a-000a-0aaa   N/A       N/A                 N/A     S
---   1 entry found   ---
View
Parameters
Description
Use the display arp count command to display the number of the specified ARP
entries. If no parameter is specified, the total number of ARP entries is displayed.
Related commands: arp static, and reset arp.
Example
Description
Use the display arp detection statistics interface command to display the
statistics about non-trusted ARP packets dropped by the specified port.
Example
# Display the statistics about non-trusted ARP packets dropped by Ethernet 1/0/10
on the switch.
[5500] display arp detection statistics interface ethernet1/0/10
ARP DETECTION : ENABLE
ARP PORT TRUST : DISABLE
INVALID ARP PACKETS : 31
Table 120 Description of the display arp detection statistics interface command fields
Field
Description
ARP DETECTION
Parameters
None
Description
Use the display arp timer aging command to display the setting of the ARP
aging time.
Related command: arp timer aging
Example
The displayed information shows that the ARP aging time is set to 20 minutes.
gratuitous-arp period-resending enable
This command applies to the Switch 5500 only (not the Switch 5500G).
Syntax
View
Parameters
Description
Example
gratuitous-arp-learning enable
Syntax
gratuitous-arp-learning enable
undo gratuitous-arp-learning enable
View
System view
Parameters
None
Description
Example
reset arp
Syntax
View
Parameters
reset arp
Example
45
arp proxy enable
Syntax
View
Parameters
None
Description
Example
Description
The display arp proxy command with the interface Vlan-interface vlan-id
option displays the proxy ARP configuration of the specified VLAN interface;
without this option, this command displays the proxy ARP configuration of all the
VLAN interfaces.
Related command: arp proxy enable
Example
Description
Interface
46
display resilient-arp
Syntax
View
Parameter
Description
Use the display resilient-arp command to display the Resilient ARP state
information of each unit and the VLAN interface that can transmit Resilient ARP
packets.
If the unit-id argument is not specified, this command is to display the Resilient
ARP state information of all units. If the unit-id argument is specified, this
command is to display the Resilient ARP state information of the specified unit.
Example
The above output information means that the current Resilient ARP state of unit 1
is L3Master, and VLAN interfaces through which the Resilient ARP packets are sent
are VLAN-interface 1 and VLAN-interface 2.
resilient-arp enable
Syntax
resilient-arp enable
undo resilient-arp enable
View
System view
Parameters
None
Description
Use the resilient-arp enable command to enable the Resilient ARP function.
Use the undo resilient-arp enable command to disable the Resilient ARP
function.
By default, the Resilient ARP function is enabled.
Related command: display resilient-arp
Example
resilient-arp interface vlan-interface
Syntax
View
System view
Parameter
vlan-id: VLAN interface ID.
Description
Use the resilient-arp interface Vlan-interface command to configure the VLAN
interface through which Resilient ARP packets are sent.
Use the undo resilient-arp interface Vlan-interface command to remove the
VLAN interface through which Resilient ARP packets are sent.
By default, Resilient ARP packets are sent through the VLAN-interface 1.
Related command: display resilient-arp
Example
47
accounting domain
Syntax
View
Parameter
Description
Use the accounting domain command to enable the DHCP accounting function.
Use the undo accounting domain command to disable the DHCP accounting
function.
Example
# Enable the DHCP accounting function (assuming that domain 123 already
exists).
[5500-dhcp-pool-test] accounting domain 123
bims-server
Syntax
View
Parameter
port port-number: Specifies the port number of the remote BIMS. The
port-number argument ranges from 1 to 65534.
sharekey key: Specifies the shared key of the remote BIMS server. The key
argument is a string containing 1 to 16 characters. It cannot be null.
Description
Use the bims-server command to specify the IP address, port number, and shared
key of a BIMS server in the DHCP global address pool for the client.
Use the undo bims-server command to remove specified BIMS server
information from the DHCP global address pool.
By default, the related information of the BIMS server is not specified.
If you execute the bims-server command repeatedly, the latest configuration will
overwrite the previous one.
Related command: dhcp server bims-server
Example
# Specify the IP address 192.168.0.1, port number 651, shared key aaa of the
BIMS server in the DHCP global address pool for the client.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dhcp server ip-pool test
[5500-dhcp-pool-test] bims-server ip 192.168.0.1 port 651 sharekey aaa
bootfile-name
Syntax
bootfile-name bootfile-name
undo bootfile-name
View
Parameter
bootfile-name: Boot file name (with the extension name .cfg), a string of 1 to 63
characters.
Description
Use the bootfile-name command to specify a bootfile name in the DHCP global
address pool for the client.
Use the undo bootfile-name command to remove the specified bootfile name
from the DHCP global address pool.
By default, no bootfile name is specified.
If you execute the bootfile-name command repeatedly, the latest configuration
will overwrite the previous one.
Example
# Specify the bootfile name aaa.cfg in DHCP global address pool 0 for the client.
<5500> system-view
Enter system view, return to user view with Ctrl+Z.
dhcp enable
Syntax
dhcp enable
undo dhcp enable
View
System view
Parameters
None
Description
To improve security and avoid malicious attacks on unused sockets, the Switch
5500 provides the following functions:
UDP ports 67 and 68 used by DHCP are enabled or disabled only when
DHCP is enabled or disabled.
After DHCP is enabled by executing the dhcp enable command, if the DHCP
server and DHCP relay functions are not configured, UDP ports 67 and 68 are
disabled; if the DHCP server and DHCP relay functions are configured, UDP
ports 67 and 68 are enabled.
After DHCP is disabled by executing the undo dhcp enable command, even if
the DHCP server and DHCP relay functions are configured, UDP ports 67 and
68 are disabled.
Example
# Enable DHCP.
[5500] dhcp enable
Description
Use the dhcp select global command to configure the specified interface(s) or all
interfaces to operate in global DHCP address pool mode. Upon receiving a DHCP
packet from a DHCP client through an interface operating in global DHCP address
pool mode, the DHCP server chooses an IP address from a global DHCP address
pool of the DHCP server and assigns the address to the DHCP client.
Use the undo dhcp select command to restore the default DHCP packet
processing mode.
By default, an interface operates in DHCP server global address pool mode.
Before configuring an interface to operate in DHCP interface address pool mode,
you need to configure an IP address for the interface.
Example
# Configure all interfaces to operate in global DHCP address pool mode, so that
when a DHCP packet is received from a DHCP client through any interface, the
DHCP server assigns an IP address in global DHCP address pools to the DHCP
client.
[5500] dhcp select global all
Description
Use the dhcp select interface command to configure the specified interface(s) to
operate in DHCP interface address pool mode. Upon receiving a DHCP packet
from a DHCP client through an interface operating in interface address pool mode,
the DHCP server chooses an IP address from the interface address pool of the
DHCP server and assigns the address to the DHCP client.
Use the undo dhcp select command to restore the default DHCP packet
processing mode.
By default, an interface operates in DHCP server global address pool mode.
To improve security and avoid malicious attacks on unused sockets, the Switch
5500 provides the following functions:
UDP ports 67 and 68 used by DHCP are enabled only when DHCP is
enabled.
After a DHCP interface address pool is created by executing the dhcp select
interface command, UDP ports 67 and 68 used by DHCP are enabled.
After a DHCP interface address pool is deleted by executing the undo dhcp
select interface command and all other DHCP functions are disabled, UDP ports
67 and 68 used by DHCP are disabled accordingly.
Example
# Configure all interfaces to operate in DHCP interface address pool mode, so that
when a DHCP packet is received from a DHCP client through any interface, the
DHCP server assigns an IP address in the interface DHCP address pool to the DHCP
client.
[5500] dhcp select interface all
dhcp server bims-server
Syntax
View
System view
Parameters
port port-number: Specifies the port number of the remote BIMS server. The
port-number argument ranges from 1 to 65534.
sharekey key: Specifies the shared key of the remote BIMS server. The key
argument is a string containing 1 to 16 characters. It cannot be null.
interface interface-type interface-number [ to interface-type interface-number ]:
Specifies a port operating in the interface address pool mode.
all: Specifies all ports.
Description
Use the dhcp server bims-server command to specify the IP address, port
number, and shared key of a BIMS server in the DHCP interface address pool(s) for
the client.
Use the undo dhcp server bims-server command to remove specified BIMS
server information from the DHCP interface address pool(s).
By default, no IP address, port number, or shared key of a BIMS server is specified
in the DHCP interface address pool(s) for the clients.
Related command: bims-server
Example
# Specify the IP address 192.168.0.2, port number 111, shared key aaa of the
BIMS server in the DHCP interface address pool of VLAN-interface 2 for the client.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dhcp server bims-server ip 192.168.0.2 port 111 sharekey aaa interface
Vlan-interface 2
dhcp server bootfile-name
Syntax
In VLAN interface view, use the following commands to specify the bootfile name
in the current interface address pool for the client:
dhcp server bootfile-name bootfile-name
undo dhcp server bootfile-name
In system view, use the following commands to specify the bootfile name in the
specified interface address pool for the client:
dhcp server bootfile-name bootfile-name { all | interface interface-type
interface-number }
undo dhcp server bootfile-name { all | interface interface-type
interface-number }
Views
Parameters
Description
Use the dhcp server bootfile-name command to specify the bootfile name in
interface address pool for the client.
Use the undo dhcp server bootfile-name command to remove the bootfile
name from interface address pool.
No bootfile name is specified in an interface address pool by default.
If you execute the dhcp server bootfile-name command repeatedly, the new
configuration will overwrite the previous one.
Related command: bootfile-name
Example
View
System view
Parameters
None
Description
Use the dhcp server detect command to enable the private DHCP server
detecting function.
Use the undo dhcp server detect command to disable the private DHCP server
detecting function.
By default, the private DHCP server detecting function is disabled.
Example
In VLAN interface view, use the following commands to specify the DNS server IP
address in the current DHCP interface address pool for the client.
dhcp server dns-list ip-address&<1-8>
undo dhcp server dns-list { ip-address | all }
In system view, use the following commands to specify the DNS server IP address
in multiple DHCP interface address pools for the client.
dhcp server dns-list ip-address&<1-8> { interface interface-type
interface-number [ to interface-type interface-number ] | all }
undo dhcp server dns-list { ip-address | all } { interface interface-type
interface-number [ to interface-type interface-number ] | all }
Views
Parameters
Use the dhcp server dns-list command to specify the DNS server IP address in the
DHCP interface address pool for the client.
Use the undo dhcp server dns-list command to remove the DNS server IP
address specified in the DHCP interface address pool.
By default, no DNS server IP address is specified for the client.
If you execute the dhcp server dns-list command repeatedly, the new
configuration overwrites the previous one.
Related command: dns-list
Example
# Configure the DNS server IP address 1.1.1.254 for the DHCP address pool of the
VLAN-interface 1 for the client.
[5500-Vlan-interface1] dhcp server dns-list 1.1.1.254
dhcp server domain-name
Syntax
In VLAN interface view, use the following commands to configure a domain name
suffix for the DHCP clients whose IP addresses are from the current DHCP interface
address pool.
dhcp server domain-name domain-name
undo dhcp server domain-name
In system view, use the following commands to configure a domain name suffix
for the DHCP clients whose IP addresses are from multiple DHCP interface address
pools.
dhcp server domain-name domain-name { interface interface-type
interface-number [ to interface-type interface-number ] | all }
Description
Use the dhcp server domain-name command to configure a domain name suffix
for the DHCP clients whose IP addresses are from the specified interface address
pool(s).
Use the undo dhcp server domain-name command to remove the configured
domain name suffix.
By default, no domain name suffix is configured for the DHCP client.
Related command: domain-name
Examples
# Configure the domain name suffix aabbcc.com for the DHCP clients whose IP
addresses are from the current DHCP interface address pool.
[5500-Vlan-interface1] dhcp server domain-name aabbcc.com
In VLAN interface view, use the following commands to configure the lease time
of the IP addresses in the current DHCP interface address pool.
dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }
undo dhcp server expired
In system view, use the following commands to configure the lease time of the IP
addresses in multiple DHCP interface address pools.
dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } {
interface interface-type interface-number [ to interface-type interface-number ] |
all }
undo dhcp server expired { interface interface-type interface-number [ to
interface-type interface-number ] | all }
Views
Parameters
Description
Use the dhcp server expired command to configure the lease time of the IP
addresses dynamically obtained in the specified DHCP interface address pool(s).
Use the undo dhcp server expired command to restore the default lease time.
The default lease time is one day.
Related command: expired
Examples
# Set the lease time of the IP addresses dynamically obtained in all DHCP interface
address pools to be 1 day, 2 hours and 3 minutes.
[5500] dhcp server expired day 1 hour 2 minute 3 all
dhcp server forbidden-ip
Syntax
View
System view
Parameters
low-ip-address: IP address that is not available for being assigned to DHCP clients
automatically (An IP address of this kind is known as a forbidden IP address). This
argument also marks the lower end of the range of the forbidden IP addresses.
high-ip-address: IP address that is not available for being assigned to DHCP clients.
This argument also marks the higher end of the range of the forbidden IP
addresses. Note that this argument cannot be less than the low-ip-address
argument. If you do not provide this argument, only the IP address specified by the
low-ip-address argument is forbidden.
Description
Use the dhcp server forbidden-ip command to forbid the specified IP addresses
in a DHCP address pool to be automatically assigned.
Use the undo dhcp server forbidden-ip command to cancel the forbiddance.
By default, all IP addresses in an address pool are allowed to be automatically
assigned.
Related commands: dhcp server ip-pool, network, static-bind ip-address and
dhcp server static-bind
When you execute the undo dhcp server forbidden-ip command, make sure
that the specified address range does not contain any statically-bound IP
address.
Example
View
System view
Parameter
pool-name: Name of a DHCP address pool, which uniquely identifies the address
pool. This argument is a string of 1 to 35 characters.
Description
Use the dhcp server ip-pool command to create a global DHCP address pool and
enter DHCP address pool view. If the address pool identified by the pool-name
argument already exists, this command leads you to DHCP address pool view.
Use the undo dhcp server ip-pool command to remove a specified DHCP
address pool.
By default, no global DHCP address pool is created.
Related command: dhcp enable
To improve security and avoid malicious attacks on unused sockets, the Switch
5500 provides the following functions:
UDP ports 67 and 68 used by DHCP are enabled only when DHCP is
enabled.
After a DHCP address pool is created by executing the dhcp server ip-pool
command, UDP ports 67 and 68 used by DHCP are enabled.
After a DHCP address pool is deleted by executing the undo dhcp server
ip-pool command and all other DHCP functions are disabled, UDP ports 67 and
68 used by DHCP are disabled.
Example
In VLAN interface view, use the following commands to configure WINS server IP
address(es) in the current DHCP interface address pool for the client.
dhcp server nbns-list ip-address&<1-8>
undo dhcp server nbns-list { ip-address | all }
In system view, use the following commands to configure WINS server IP addresses
in multiple DHCP interface address pools for the client.
dhcp server nbns-list ip-address&<1-8> { interface interface-type
interface-number [ to interface-type interface-number ] | all }
Description
Use the dhcp server nbns-list command to configure WINS server IP address(es)
in the specified DHCP interface address pool(s) for the client.
Use the undo dhcp server nbns-list command to remove the WINS server IP
address(es) configured in the specified DHCP interface address pool(s) for the
clients.
By default, no WINS server IP address is configured for the client.
If you execute the dhcp server nbns-list command repeatedly, the new
configuration overwrites the previous one.
Related commands: nbns-list and dhcp server netbios-type
Example
# Configure the WINS server IP address 10.12.1.99 in all the DHCP interface
address pools for the DHCP client.
[5500] dhcp server nbns-list 10.12.1.99 all
dhcp server netbios-type
Syntax
In VLAN interface view, use the following commands to configure the NetBIOS
node type of the DHCP clients whose IP addresses are from the current DHCP
interface address pool.
dhcp server netbios-type { b-node | h-node | m-node | p-node }
Description
Use the dhcp server netbios-type command to configure the NetBIOS node type
of the DHCP clients whose IP addresses are from the specified DHCP interface
address pool(s).
Use the undo dhcp server netbios-type command to restore the default
NetBIOS node type.
By default, no NetBIOS node type is specified. After the WINS server IP address is
configured for the client in the DHCP interface address pool, the client uses the
hybrid node (h-node).
Related commands: netbios-type and dhcp server nbns-list
Example
# Specify p-node as the NetBIOS node type of the DHCP clients whose IP addresses
are from the DHCP interface address pool of VLAN-interface 1.
[5500] interface vlan-interface 1
[5500-Vlan-interface1] dhcp server netbios-type p-node
In VLAN interface view, use the following commands to customize DHCP options
for the current DHCP interface address pool.
dhcp server option code { ascii ascii-string | hex hex-string&<1-10> | ip-address
ip-address&<1-8> }
undo dhcp server option code
In system view, use the following commands to customize DHCP options for
multiple DHCP interface address pools.
dhcp server option code { ascii ascii-string | hex hex-string&<1-10> | ip-address
ip-address&<1-8> } { interface interface-type interface-number [ to interface-type
interface-number ] | all }
undo dhcp server option code { interface interface-type interface-number [ to
interface-type interface-number ] | all }
Views
Parameters
Description
Use the dhcp server option command to customize DHCP options for the
specified DHCP interface address pool(s).
Use the undo dhcp server option command to remove the customized DHCP
options.
If you execute the dhcp server option command repeatedly, the new
configuration overwrites the previous one.
For commands related to Option 184, refer to dhcp server voice-config on page
725.
Related command: option
Example
# Configure option 100 to be 0x11 and 0x22 for all DHCP interface address pools.
[5500] dhcp server option 100 hex 11 22 all
View
Parameters
System view
packets number: Specifies the maximum number of the echo request packets.
The number argument ranges from 0 to 10 and defaults to 2. Value 0 means no
ping operation will be performed.
timeout milliseconds: Specifies the timeout time (in milliseconds) the device waits
for an echo response. The milliseconds argument ranges from 0 to 10,000 and
defaults to 500.
Description
Use the dhcp server ping command to set the maximum number of the echo
request packets and the maximum timeout time the device waits for an echo
response packet.
Use the undo dhcp server ping command to restore the default settings.
Example
# Set the maximum number of the echo request packets to 10, and the response
timeout time to 300 milliseconds.
[5500] dhcp server ping packets 10
[5500] dhcp server ping timeout 300
View
System view
Parameters
None
Description
Use the dhcp server relay information enable command to enable the DHCP
server to handle Option 82.
Use the undo dhcp server relay information enable command to configure
the DHCP server to ignore Option 82.
By default, the DHCP server handles Option 82.
Example
View
Parameters
Description
Use the dhcp server static-bind command to statically bind an IP address of the
current DHCP interface address pool to a MAC address.
Use the undo dhcp server static-bind command to cancel an IP-MAC address
binding.
Example
An IP address can be statically bound to only one MAC address or one client ID.
A MAC address or client ID can be bound with only one IP address statically.
# Statically bind the client ID aaaa-bbbb to the IP address 10.1.1.1 (Assume that
the DHCP interface address pool of VLAN-interface 1 already exists and the IP
address belongs to the address pool).
[5500] interface vlan-interface 1
[5500-Vlan-interface1] dhcp server static-bind ip-address 10.1.1.1 client-identifier aaaa-bbbb
dhcp server tftp-server domain-name
Syntax
In VLAN interface view, use the following commands to specify the TFTP server
name in the current DHCP interface address pool for the client:
dhcp server tftp-server domain-name domain-name
undo dhcp server tftp-server domain-name
In system view, use the following commands to specify the TFTP server name in the
specified DHCP interface address pool for the client:
dhcp server tftp-server domain-name domain-name { all | interface
interface-type interface-number }
undo dhcp server tftp-server domain-name { all | interface interface-type
interface-number }
Views
Parameters
Use the dhcp server tftp-server domain-name command to specify the TFTP
server name in a DHCP interface address pool for the client.
Use the undo dhcp server tftp-server domain-name command to remove the
TFTP server name from a DHCP interface address pool for the client.
No TFTP server name is specified in a DHCP interface address pool by default.
If you use the dhcp server tftp-server domain-name command repeatedly, the
new configuration overwrites the previous one.
Related command: tftp-server domain-name
Example
# Specify the TFTP server name as domain1 in the DHCP interface address pool of
VLAN interface 1 for the client.
<5500> system-view
Enter system view, return to user view with Ctrl+Z.
[5500] interface Vlan-interface 1
[5500-Vlan-interface1] dhcp server tftp-server domain-name domain1
dhcp server tftp-server ip-address
Syntax
In VLAN interface view, use the following commands to specify the TFTP server IP
address in the current DHCP interface address pool for the client:
dhcp server tftp-server ip-address ip-address
undo dhcp server tftp-server ip-address
In system view, use the following commands to specify the TFTP server IP address
in the specified DHCP interface address pool for the client:
dhcp server tftp-server ip-address ip-address { all | interface interface-type
interface-number }
undo dhcp server tftp-server ip-address ip-address { all | interface interface-type
interface-number }
Views
Parameters
Description
Use the dhcp server tftp-server ip-address command to specify the TFTP server
address in DHCP interface address pool for the client.
Use the undo dhcp server tftp-server ip-address command to remove the TFTP
server address from DHCP interface address pool for the client.
No TFTP server address is specified in a DHCP interface address pool by default.
Using the dhcp server tftp-server ip-address command repeatedly will
overwrite the previous configuration.
Related command: tftp-server ip-address
Example
# Specify the TFTP server IP address 10.1.1.1 in the DHCP interface address pool of
VLAN interface 1 for the client.
<5500> system
Enter system view, return to user view with Ctrl+Z.
[5500] interface Vlan-interface 1
[5500-Vlan-interface1] dhcp server tftp-server ip-address 10.1.1.1
dhcp server voice-config
Syntax
In VLAN interface view, use the following commands to configure specified Option
184 and its sub-options in the current DHCP interface address pool for the client:
dhcp server voice-config { ncp-ip ip-address | as-ip ip-address | voice-vlan
vlan-id { enable | disable } | fail-over ip-address dialer-string }
undo dhcp server voice-config [ ncp-ip | as-ip | voice-vlan | fail-over ]
In system view, use the following commands to configure specified Option 184
and its sub-options in multiple DHCP interface address pools for the client:
dhcp server voice-config { ncp-ip ip-address | as-ip ip-address | voice-vlan
vlan-id { enable | disable } | fail-over ip-address dialer-string } { interface
interface-type interface-number [ to interface-type interface-number ] | all }
undo dhcp server voice-config [ ncp-ip | as-ip | voice-vlan | fail-over ] {
interface interface-type interface-number [ to interface-type interface-number ] |
all }
View
Parameters
disable: Disables the specified VLAN, meaning DHCP clients will not take this
VLAN as their voice VLAN.
enable: Enables the specified VLAN, meaning DHCP clients will take this VLAN
as their voice VLAN.
Use the dhcp server voice-config command to enable the DHCP server to assign
IP addresses with Option 184 and its sub-options from the specified interface
address pool.
Use the undo dhcp server voice-config command to disable the DHCP server
from assigning IP addresses with Option 184 and its sub-options from the
specified interface address pool.
The DHCP server answers Option 184 and the corresponding sub-options only
after the DHCP client requests Option 184.
Before configuring other sub-options, you must configure the sub-option ncp-ip;
otherwise other sub-options do not take effect.
By default, a DHCP server interface address pool does not assign Option 184 and
the corresponding sub-options to the client.
Related command: voice-config
Example
# Enable the DHCP server to support all the sub-options of Option 184 in
VLAN-interface 1. The NCP IP address is 1.1.1.1 and the IP address of the alternate
server is 2.2.2.2. The voice VLAN is enabled, with the ID being 3. The fail-over IP
address is 3.3.3.3 and the dial number string is 99*.
[5500-Vlan-interface1] dhcp select interface
[5500-Vlan-interface1] dhcp server voice-config ncp-ip 1.1.1.1
[5500-Vlan-interface1] dhcp server voice-config as-ip 2.2.2.2
[5500-Vlan-interface1] dhcp server voice-config voice-vlan 3 enable
[5500-Vlan-interface1] dhcp server voice-config fail-over 3.3.3.3 99*
Description
Use the display dhcp server conflict command to display the statistics of IP
address conflicts on the DHCP server.
Related command: reset dhcp server conflict
Example
Table 122 Description of the display dhcp server conflict command fields
Field
Description
Address
Conflicting IP address
Discover Time
View
Parameters
Description
Example
Use the display dhcp server expired command to display the lease expiration
information about one IP address, or the lease expiration information about all IP
addresses in one or all DHCP address pools. When all the IP addresses in an
address pool are assigned, the DHCP server assigns the expired IP addresses to
DHCP clients.
# Display the lease expiration information about the IP addresses in all DHCP
address pools.
<5500> display dhcp server expired all
Global pool:
IP address       Client-identifier/    Lease expiration      Type
                 Hardware address
Interface pool:
IP address       Client-identifier/    Lease expiration      Type
                 Hardware address
--- total 0 entry ---
Table 123 Description of the display dhcp server expired command fields
Field
Description
Global pool
Interface pool
IP address
Bound IP addresses
Client-identifier/Hardware
address
Lease expiration
Type
Parameters
None
Description
Use the display dhcp server free-ip command to display the free (that is,
unassigned) IP addresses.
Example
192.168.3.255
View
Parameters
Description
Use the display dhcp server ip-in-use command to display the address binding
information of one IP address, the specified DHCP address pool(s) or all DHCP
address pools.
Related command: reset dhcp server ip-in-use
Example
Type
Client-identifier/
Lease expiration
Type
Hardware address
3030-6530-2d66-6331- Apr 6 2000 00:52:06 AM
342d-3030-3062-566c616e-2d69-6e74-65726661-6365-3130-30
Table 124 Description of the display dhcp server ip-in-use command fields
Field
Description
Global pool
Interface pool
IP address
Bound IP address
Client-identifier/Hardware
address
Lease expiration
Type
Parameters
None
Description
Use the display dhcp server statistics command to display the statistics on a
DHCP server.
Related command: reset dhcp server statistics
Example
Table 125 Description of the display dhcp server statistics command fields
Field
Description
Global Pool
Interface Pool
Pool Number
Auto
Manual
Expire
Boot Request:
Dhcp Discover:
Dhcp Request:
Dhcp Decline:
Dhcp Release:
Dhcp Inform:
Boot Reply:
0
4
Dhcp Offer:
Dhcp Ack:
Dhcp Nak:
Bad Messages
View
Parameters
Description
Example
Use the display dhcp server tree command to display information about address
pool tree.
# Display the information about address pool tree.
<5500> display dhcp server tree all
Global pool:
Pool name: test123
network 10.0.0.0 mask 255.0.0.0
Child node:test1234
option 30 hex AA BB
expired 1 0 0
Pool name: test1234
network 10.1.1.0 mask 255.255.255.0
Parent node:test123
option 30 hex AA BB
expired 1 0 0
Interface pool:
Pool name: Vlan-interface2
network 192.168.2.0 mask 255.255.255.0
gateway-list 192.168.2.1
expired 1 0 0
Table 126 Description of the display dhcp server tree command fields
Field
Description
Global pool
Interface pool
Pool name
network
Child node
option
expired
gateway-list
dns-list
Syntax
dns-list ip-address&<1-8>
undo dns-list { ip-address | all }
View
Parameters
Description
Use the dns-list command to configure one or multiple DNS server IP addresses in
a DHCP global address pool for the DHCP client.
Use the undo dns-list command to remove one or all DNS server IP addresses
configured for the DHCP client.
By default, no DNS server IP address is configured.
If you execute the dns-list command repeatedly, the new configuration overwrites
the previous one.
Related commands: dhcp server dns-list and dhcp server ip-pool
Example
# Configure the DNS server IP address 1.1.1.254 in DHCP global address pool 0 for
the DHCP client.
[5500] dhcp server ip-pool 0
[5500-dhcp-pool-0] dns-list 1.1.1.254
domain-name
Syntax
domain-name domain-name
undo domain-name
View
Parameter
domain-name: Domain name suffix for the DHCP client of a DHCP global address
pool, a string of 3 to 50 characters.
Description
Example
# Configure the domain name suffix mydomain.com in the DHCP global address
pool 0 for the DHCP client.
[5500] dhcp server ip-pool 0
[5500-dhcp-pool-0] domain-name mydomain.com
expired
Syntax
View
Parameters
Description
Use the expired command to configure the lease time of the IP addresses to be
assigned dynamically in the DHCP global address pool.
Use the undo expired command to restore the default lease time.
The default lease time is one day.
Related commands: dhcp server ip-pool and dhcp server expired
Example
# Set the lease time of the IP addresses to be dynamically assigned in the DHCP
global address pool 0 to 1 day, 2 hours and 3 minutes.
[5500] dhcp server ip-pool 0
[5500-dhcp-pool-0] expired day 1 hour 2 minute 3
gateway-list
Syntax
gateway-list ip-address&<1-8>
undo gateway-list { ip-address | all }
View
Parameters
Example
# Configure the gateway IP address 10.110.1.99 in the DHCP global address pool
0 for the client.
[5500] dhcp server ip-pool 0
[5500-dhcp-pool-0] gateway-list 10.110.1.99
nbns-list
Syntax
nbns-list ip-address&<1-8>
undo nbns-list { ip-address | all }
View
Parameters
Description
Use the nbns-list command to configure one or multiple WINS server IP addresses
in the DHCP global address pool for the DHCP client.
Use the undo nbns-list command to remove one or all WINS server IP addresses
configured for the DHCP client.
By default, no WINS server IP address is configured.
If you execute the nbns-list command repeatedly, the new configuration
overwrites the previous one.
Related commands: dhcp server ip-pool, dhcp server nbns-list and
netbios-type
Example
# Configure the WINS server IP address 10.12.1.99 in the global DHCP address
pool 0 for the DHCP client.
[5500] dhcp server ip-pool 0
[5500-dhcp-pool-0] nbns-list 10.12.1.99
netbios-type
Syntax
View
Parameters
Description
Use the netbios-type command to configure the NetBIOS node type in the DHCP
global address pool for the DHCP client.
Use the undo netbios-type command to remove the configured NetBIOS node
type.
By default, no NetBIOS node type is specified in a DHCP global address pool for
the DHCP client. After the WINS server IP address is configured for the client in the
DHCP global address pool, the client uses the hybrid node (h-node).
Related commands: dhcp server ip-pool, dhcp server netbios-type and
nbns-list
Example
# Specify b-node as the NetBIOS node type in the DHCP global address pool 0 for
the clients.
network
Syntax
View
Parameters
Description
Example
option
Syntax
View
Parameters
code: Customized option number ranging from 2 to 254. Note that this argument
cannot be 3, 6, 15, 44, 46, 50 through 55, 57 through 61, 66, 67, 82, 150, 184,
or 217.
ascii ascii-string: Specifies a string that is of 1 to 63 characters. Note that each
character of the string needs to be an ASCII character.
hex hex-string&<1-10>: Specifies strings, each of which comprises 1 to 8
hexadecimal digits. The &<1-10> means that you can provide up to 10 such
strings. When entering more than one string, separate two neighboring strings
with a space. The device currently supports a total of 64 hex digits, not including
spaces.
ip-address ip-address&<1-8>: Specifies IP addresses. The &<1-8> string means
that you can provide up to eight IP addresses. When entering more than one IP
address, separate two neighboring IP addresses with a space.
Description
Use the option command to customize DHCP options for a DHCP global address
pool.
Use the undo option command to remove the customized DHCP options.
If you execute the option command repeatedly, the new configuration overwrites
the previous one.
For commands related to Option 184, refer to voice-config on page 743.
Related commands: dhcp server ip-pool and dhcp server option
Example
# Configure option 100 to be 0x11 and 0x22 for the DHCP global address pools.
[5500] dhcp server ip-pool 0
[5500-dhcp-pool-0] option 100 hex 11 22
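The limits in the Parameters list above can be checked before option commands are pushed to a switch. The following Python validator is an added example, not part of the 3Com manual; the function names are hypothetical and the sample lines marked as constructed are not from the manual.

```python
import ipaddress
import re

# Option codes the Parameters list excludes from customization (valid range is 2-254).
RESERVED_CODES = ({3, 6, 15, 44, 46, 66, 67, 82, 150, 184, 217}
                  | set(range(50, 56)) | set(range(57, 62)))
SCOPE_KEYWORDS = {"all", "interface"}  # the system-view form ends with a pool scope


def parse_option_command(line):
    """Split a CLI line into (code, kind, values); raise ValueError if it is not an option command."""
    # Drop a leading prompt such as "[5500-dhcp-pool-0]" or "<5500>".
    tokens = re.sub(r"^[\[<][^\]>]*[\]>]\s*", "", line.strip()).split()
    if tokens[:2] == ["dhcp", "server"]:
        tokens = tokens[2:]
    if len(tokens) < 4 or tokens[0] != "option" or not tokens[1].isdigit():
        raise ValueError(f"not an option command: {line!r}")
    code, kind, rest = int(tokens[1]), tokens[2], tokens[3:]
    if kind == "ascii":
        values = rest[:1]
    else:
        values = []
        for tok in rest:
            if tok in SCOPE_KEYWORDS:
                break
            values.append(tok)
    return code, kind, values


def check_option(code, kind, values):
    """Return a list of problems; an empty list means the arguments fit the documented limits."""
    problems = []
    if not 2 <= code <= 254:
        problems.append(f"code {code} is outside 2-254")
    elif code in RESERVED_CODES:
        problems.append(f"code {code} cannot be customized with this command")
    if kind == "ascii":
        text = values[0] if values else ""
        if not 1 <= len(text) <= 63 or not text.isascii():
            problems.append("ascii-string must be 1 to 63 ASCII characters")
    elif kind == "hex":
        if not 1 <= len(values) <= 10:
            problems.append("hex takes 1 to 10 strings")
        for v in values:
            if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", v):
                problems.append(f"hex string {v!r} is not 1 to 8 hex digits")
        # Ten strings of eight digits would be 80 digits, so the total is a separate limit.
        if sum(len(v) for v in values) > 64:
            problems.append("more than 64 hex digits in total")
    elif kind == "ip-address":
        if not 1 <= len(values) <= 8:
            problems.append("ip-address takes 1 to 8 addresses")
        for v in values:
            try:
                ipaddress.IPv4Address(v)
            except ValueError:
                problems.append(f"{v!r} is not an IPv4 address")
    else:
        problems.append(f"unknown value type {kind!r}")
    return problems


def audit(config_lines):
    """Map each offending option command to its list of problems; other lines are skipped."""
    findings = {}
    for line in config_lines:
        try:
            code, kind, values = parse_option_command(line)
        except ValueError:
            continue
        problems = check_option(code, kind, values)
        if problems:
            findings[line] = problems
    return findings


SAMPLE_LINES = [
    "[5500] dhcp server option 100 hex 11 22 all",                      # from the manual
    "[5500-dhcp-pool-0] option 100 hex 11 22",                          # from the manual
    "[5500-dhcp-pool-0] option 82 hex 0106 0204",                       # constructed
    "[5500-dhcp-pool-0] option 128 ip-address 10.1.1.1 10.1.1.300",     # constructed
    "[5500-dhcp-pool-0] option 129 hex " + " ".join(["11223344"] * 9),  # constructed
    "[5500-dhcp-pool-0] dns-list 1.1.1.254",                            # not an option command
]

if __name__ == "__main__":
    for line, problems in audit(SAMPLE_LINES).items():
        print(line, "->", "; ".join(problems))
```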
Description
Use the reset dhcp server conflict command to clear address conflict statistics.
View
Parameters
Description
Use the reset dhcp server ip-in-use command to clear the specified or all
dynamic address binding information.
Related command: display dhcp server ip-in-use
Example
# Clear the dynamic address binding information about the IP address 10.110.1.1.
<5500> reset dhcp server ip-in-use ip 10.110.1.1
Description
Use the reset dhcp server statistics command to clear the statistics on a DHCP
server, such as the number of DHCP unrecognized packets/request
packets/response packets.
Related command: display dhcp server statistics
Example
static-bind client-identifier
Syntax
View
Parameter
Description
# Bind the host aaaa-bbbb with the IP address 10.1.1.1. The mask is
255.255.255.0.
static-bind ip-address
Syntax
View
Parameters
Description
# Bind the IP address 10.1.1.1 (with the subnet mask 255.255.255.0) to the MAC
address 0000-e03f-0305.
[5500] dhcp server ip-pool 0
[5500-dhcp-pool-0] static-bind ip-address 10.1.1.1 mask 255.255.255.0
[5500-dhcp-pool-0] static-bind mac-address 0000-e03f-0305
static-bind mac-address
Syntax
Parameter
mac-address: MAC address of the host to which the IP address is to be bound. You
need to provide this argument in the form of H-H-H.
Description
# Bind the IP address 10.1.1.1 (with the subnet mask 255.255.255.0) to the MAC
address 0000-e03f-0305.
[5500] dhcp server ip-pool 0
[5500-dhcp-pool-0] static-bind ip-address 10.1.1.1 mask 255.255.255.0
[5500-dhcp-pool-0] static-bind mac-address 0000-e03f-0305
tftp-server domain-name
Syntax
View
Parameter
Description
Use the undo tftp-server domain-name command to remove the TFTP server
name from a global address pool.
By default, no TFTP server name is specified.
Using the tftp-server domain-name command repeatedly will overwrite the
previous configuration.
Related command: dhcp server tftp-server domain-name
Example
# Specify the TFTP server name as aaa in the global address pool 1.
<5500> system-view
Enter system view, return to user view with Ctrl+Z.
[5500] dhcp server ip-pool 1
[5500-dhcp-1] tftp-server domain-name domain1
tftp-server ip-address
Syntax
View
Parameter
Description
Example
# Specify the TFTP server address 10.1.1.1 in the global address pool 1.
<5500> system-view
Enter system view, return to user view with Ctrl+Z.
[5500] dhcp server ip-pool 1
[5500-dhcp-1] tftp-server ip-address 10.1.1.1
voice-config
Syntax
disable: Disables the specified VLAN, meaning DHCP clients will not take this
VLAN as their voice VLAN.
enable: Enables the specified VLAN, meaning DHCP clients will take this VLAN
as their voice VLAN.
Use the voice-config command to configure Option 184 and its sub-options in
the global address pool.
Use the undo voice-config command to remove Option 184 and its sub-options
from the global address pool.
The DHCP server answers Option 184 and the corresponding sub-options only
after the DHCP client requests Option 184.
By default, a DHCP server global address pool does not assign Option 184 and the
corresponding sub-options to the client.
Related command: dhcp server voice-config
Example
# Enable the DHCP server to support Option 184 in global address pool 123. The
NCP IP address is 1.1.1.1 and the IP address of the alternate server is 2.2.2.2. The
voice VLAN is enabled, with the ID being 3. The fail-over IP address is 3.3.3.3 and
the dialer string is 99*.
[5500] dhcp select global all
[5500] dhcp server ip-pool 123
[5500-dhcp-pool-123] voice-config ncp-ip 1.1.1.1
[5500-dhcp-pool-123] voice-config as-ip 2.2.2.2
[5500-dhcp-pool-123] voice-config voice-vlan 3 enable
[5500-dhcp-pool-123] voice-config fail-over 3.3.3.3 99*
48
address-check
Syntax
address-check enable
address-check disable
View
Parameters
None
Description
Example
dhcp-relay hand
Syntax
View
Parameters
System view
None
Description
Use the dhcp relay hand enable command to enable the DHCP relay handshake
function.
Use the dhcp relay hand disable command to disable the DHCP relay handshake
function.
By default, the DHCP relay handshake function is enabled.
Currently, the DHCP relay agent handshake function of a Switch 5500 can only
operate with a Windows 2000 DHCP server.
Example
# Disable the DHCP relay handshake function.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dhcp relay hand disable
dhcp relay information enable
Syntax
View
System view
Parameters
None
Description
Use the dhcp relay information enable command to enable Option 82 support
on a DHCP relay agent.
Use the undo dhcp relay information enable command to disable Option 82
support on a DHCP relay agent.
By default, this function is disabled.
By default, with the Option 82 support function enabled on the DHCP relay agent,
the DHCP relay agent adopts the replace strategy to process request
packets containing Option 82. However, if another strategy was configured earlier,
enabling Option 82 support on the DHCP relay agent does not change the configured
strategy.
Related command: dhcp relay information strategy
Example
dhcp relay information strategy
Syntax
View
Parameters
System view
drop: Specifies to drop messages containing Option 82.
keep: Specifies to forward messages containing Option 82 without any change.
replace: Specifies to forward messages containing Option 82 after replacing the
original Option 82 with the Option 82 padded with the specified content.
Description
Use the dhcp relay information strategy command to configure the DHCP relay
agent handling strategy for messages containing Option 82 sent by the DHCP
client.
Use the undo dhcp relay information strategy command to restore the default
handling strategy.
By default, the handling strategy for messages containing Option 82 is replace.
Related command: dhcp relay information enable
Example
# Configure the DHCP relay agent handling strategy for messages containing
Option 82 sent by the DHCP client as drop.
[5500] dhcp relay information strategy drop
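The difference between drop, keep and replace is easiest to see on the options field of a client request. The following Python model is an added example, not part of the 3Com manual and not the switch's implementation; the function names and sample values are constructed. It assumes RFC 3046 sub-option codes 1 (circuit ID) and 2 (remote ID), and that a request arriving without Option 82 has the relay agent's own Option 82 appended.

```python
OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # RFC 3046 sub-option codes
STRATEGIES = ("drop", "keep", "replace")


def parse_options(data):
    """Decode a DHCP options field (the bytes after the magic cookie) into [(code, value), ...]."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        # Reject a length byte that is missing or points past the end of the field.
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"option {code} is truncated")
        length = data[i + 1]
        opts.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def build_options(opts):
    """Encode [(code, value), ...] back into an options field terminated by the End option."""
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError(f"option {code} value is longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def make_option82(circuit_id, remote_id):
    """Build the Option 82 value from a circuit ID and a remote ID sub-option."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def relay_request(options, strategy, local_option82):
    """Return the options field the relay agent forwards, or None when the message is dropped."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy {strategy!r}")
    opts = parse_options(options)
    if any(code == OPT_RELAY_INFO for code, _ in opts):
        if strategy == "drop":
            return None
        if strategy == "keep":
            return options  # client-supplied Option 82 reaches the server unchanged
        opts = [(c, v) for c, v in opts if c != OPT_RELAY_INFO]  # replace
    # Assumption: the relay agent appends its own Option 82 when none remains.
    opts.append((OPT_RELAY_INFO, local_option82))
    return build_options(opts)


# Constructed sample: a DHCPDISCOVER (option 53 = 1) that already carries Option 82.
CLIENT_REQUEST = build_options([
    (53, b"\x01"),
    (OPT_RELAY_INFO, make_option82(b"client-chosen-port", b"client-chosen-id")),
])
LOCAL_OPTION82 = make_option82(b"Ethernet1/0/1", b"5500")

if __name__ == "__main__":
    for strategy in STRATEGIES:
        forwarded = relay_request(CLIENT_REQUEST, strategy, LOCAL_OPTION82)
        print(strategy, "->", None if forwarded is None else parse_options(forwarded))
```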
dhcp-security static
Syntax
View
Parameters
System view
ip-address: User IP address.
mac-address: User MAC address.
all: Removes all user address entries.
Example
# Configure a static address binding entry, with the IP address being 1.1.1.1 and
the MAC address being 0005-5D02-F2B3.
[5500] dhcp-security static 1.1.1.1 0005-5D02-F2B3
dhcp-security tracker
Syntax
View
Parameters
System view
interval: Refreshing interval in seconds, in the range of 1 to 120.
auto: Specifies the auto refreshing interval, which is automatically calculated
according to the number of binding entries.
Description
The default handshake interval is auto, the value of 60 seconds divided by the
number of binding entries.
Use the dhcp-security tracker command to set the interval at which the DHCP
relay agent refreshes dynamic binding entries.
Use the undo dhcp-security tracker command to restore the default interval.
By default, the refreshing interval is automatically calculated according to the
number of binding entries.
Example
dhcp-server
Syntax
dhcp-server groupNo
undo dhcp-server
View
Parameter
Description
Before referencing a DHCP server group, you need to use the dhcp-server
groupNo ip ip-address&<1-8> command to configure the DHCP server group.
To improve security and avoid malicious attacks on unused sockets, the Switch
5500s provide the following functions:
UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is
enabled.
Example
When the mapping between a VLAN interface and a DHCP server group is
removed with the undo dhcp-server command, DHCP services are disabled.
At the same time, UDP 67 and UDP 68 ports used by DHCP are disabled.
dhcp-server detect
Syntax
dhcp-server detect
undo dhcp-server detect
View
System view
Parameters
None
Description
Use the dhcp-server detect command to enable the switch serving as a DHCP
relay agent to detect unauthorized DHCP servers.
Use the undo dhcp-server detect command to disable the unauthorized DHCP
server detection function.
By default, the unauthorized DHCP server detection function is disabled.
Related commands: dhcp server and display dhcp-server
Example
dhcp-server ip
Syntax
View
Parameters
System view
groupNo: DHCP server group number, ranging from 0 to 19.
ip-address&<1-8>: IP address of the DHCP server. &<1-8> indicates that up to
eight IP addresses can be input, with any two IP addresses separated by a space.
Description
Use the undo dhcp-server command to remove all DHCP server IP addresses in a
DHCP server group.
Related commands: dhcp-server, and display dhcp-server
Example
# Configure three DHCP server IP addresses 1.1.1.1, 2.2.2.2, and 3.3.3.3 for DHCP
server group 1, so that this group contains three DHCP servers (server 1, server 2
and server 3).
[5500] dhcp-server 1 ip 1.1.1.1 2.2.2.2 3.3.3.3
display dhcp-security
Syntax
View
Parameters
Description
Example
Description
IP Address
MAC Address
IP Address Type
display dhcp-server
Syntax
View
Parameter
Description
Any view
groupNo: DHCP server group number, ranging from 0 to 19.
Use the display dhcp-server command to display information about a specified
DHCP server group.
Related commands: dhcp-server ip, dhcp-server, and display dhcp-server
interface vlan-interface
Example
Description
IP address of DHCP server group 0: DHCP server IP addresses of DHCP server group 0
Messages from this server group: Number of the packets the DHCP relay receives from the DHCP server group
Messages to this server group
Messages from this server group to clients: Number of the packets the DHCP relay sends to the DHCP clients
DHCP_OFFER messages
DHCP_ACK messages
DHCP_NAK messages
Description
DHCP_DECLINE messages
DHCP_DISCOVER messages
DHCP_REQUEST messages
DHCP_INFORM messages
DHCP_RELEASE messages
BOOTP_REQUEST messages
BOOTP_REPLY messages
display dhcp-server interface
Syntax
View
Parameter
Description
Example
reset dhcp-server
Syntax
View
Parameter
Description
49
dhcp-snooping
Syntax
dhcp-snooping
undo dhcp-snooping
View
System view
Parameters
None
Description
Example
dhcp-snooping information enable
Syntax
View
Parameters
System view
None
Description
Example
dhcp-snooping information format
Syntax
View
Parameters
Description
Example
dhcp-snooping information packet-format
Syntax
View
Parameters
System view
extended: Specifies the padding format for Option 82 as the extended format.
standard: Specifies the padding format for Option 82 as the standard format.
Description
Example
dhcp-snooping information remote-id
Syntax
View
Parameters
System view
sysname: Uses the system name (sysname) of the DHCP snooping device to pad
the remote ID sub-option in Option 82.
string: Customized content of the remote ID sub-option, a string of 1 to 63 ASCII
characters.
Description
Example
dhcp-snooping information strategy
Syntax
Views
Parameters
Description
Example
CAUTION:
# Configure the keep handling policy for DHCP requests that contain Option 82
on the DHCP snooping device.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dhcp-snooping information strategy keep
dhcp-snooping information vlan circuit-id
Syntax
View
Parameters
Description
Example
# Set the circuit ID field in Option 82 of the DHCP messages sent through Ethernet
1/0/1 to abc
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet1/0/1
[5500-Ethernet1/0/1] dhcp-snooping information circuit-id string abc
dhcp-snooping information vlan remote-id
Syntax
View
Parameters
Description
Example
dhcp-snooping trust
Syntax
dhcp-snooping trust
undo dhcp-snooping trust
View
Parameters
None
Description
Example
display dhcp-snooping
Syntax
View
Parameter
Description
Use the display dhcp-snooping command to display the user IP-MAC address
mapping entries recorded by the DHCP snooping function.
Related command: dhcp-snooping
Example
# Display the user IP-MAC address mapping entries recorded by the DHCP
snooping function.
<5500> display dhcp-snooping
DHCP-Snooping is enabled.
10.1.1.1        000f-e200-0006  200       1    Ethernet1/0/1
--- 1 dhcp-snooping item(s) of unit 1 found ---
display dhcp-snooping trust
Syntax
View
Parameters
None
Description
Example
# Display the state of the DHCP snooping function and the trusted ports.
<5500> display dhcp-snooping trust
DHCP-Snooping is enabled.
DHCP-Snooping trust become effective.
Interface             Trusted
===================== =================
Ethernet1/0/10        Trusted
The above display information indicates that the DHCP snooping function is
enabled, and the Ethernet 1/0/10 port is a trusted port.
View
Parameters
Description
Example
Use the display ip source static binding command to display the IP static
binding entries configured. If you specify a VLAN, all the IP static binding entries
for the specified VLAN will be displayed. If you specify a port, all the IP static
binding entries for the specified port will be displayed.
# Display all IP static binding entries configured.
<5500> display ip source static binding
Type IP Address      MAC Address     Remaining VLAN Interface
                                     lease
==== =============== =============== ========= ==== =================
S    192.168.0.25    0015-e20f-0101  infinite  1    Ethernet1/0/2
S    192.168.0.58    0001-e201-4f01  infinite  1    Ethernet1/0/3
S    192.168.0.101   000f-0101-0204  infinite  1    Ethernet1/0/2
S    192.168.0.122   000f-e20f-21a3  infinite  1    Ethernet1/0/3
S    192.168.0.144   0015-e943-712f  infinite  1    Ethernet1/0/2
--- 5 static binding item(s) found ---
ip check source ip-address
Syntax
View
Parameter
Description
Example
# Enable the filtering of the IP packets received through port Ethernet 1/0/11
based on the source IP address of the packets.
<5500> system-view
System View: return to User View with Ctrl+Z.
ip source static binding
Syntax
View
Parameters
Description
Use the ip source static binding ip-address command to configure the static
binding among source IP address, source MAC address, and the port number so as
to generate static binding entries.
Use the undo ip source static binding ip-address command to remove the
static binding among source IP address, source MAC address, and the port.
By default, no binding among source IP address, source MAC address, and the
port number is configured.
To create a static binding after IP filtering is enabled with the mac-address
keyword included on a port, the mac-address argument must be specified;
otherwise, the packets sent from this IP address cannot pass the IP filtering.
Related command: ip check source ip-address
Examples
# Configure static binding among source IP address 1.1.1.1, source MAC address
0015-e20f-0101, and Ethernet 1/0/3.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/3
[5500-Ethernet1/0/3] ip source static binding ip-address 1.1.1.1 mac-address 0015-e20f-0101
# Configure static binding among source IP address, source MAC address, and
GigabitEthernet 1/0/3.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface GigabitEthernet 1/0/3
[5500G-GigabitEthernet1/0/3] ip source static binding ip-address 1.1.1.1 mac-address 0015-e20f-0101
50
dhcp protective-down recover enable
Syntax
View
System view
Parameters
None
Description
Use the dhcp protective-down recover enable command to enable port state
auto-recovery on the switch.
Use the undo dhcp protective-down recover enable command to disable port
state auto-recovery.
By default, the port state auto-recovery function on the switch is disabled.
Example
dhcp protective-down recover interval
Syntax
View
Parameter
System view
interval: Interval (in seconds) for a port disabled due to the DHCP traffic exceeding
the set threshold to be brought up again. This argument ranges from 10 to
86,400.
Description
Examples
Before configuring the port state auto-recovery interval, you must enable port
state auto-recovery on the switch first.
The new port state auto-recovery interval only applies to the ports that are shut
down after the dhcp protective-down recover interval command is last
executed.
system-view
System View: return to User View with Ctrl+Z.
dhcp protective-down recover enable
dhcp protective-down recover interval 30
# Set the DHCP traffic threshold to 100 pps for port GigabitEthernet 1/0/11.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface GigabitEthernet 1/0/11
[5500G-GigabitEthernet1/0/11] dhcp rate-limit enable
[5500G-GigabitEthernet1/0/11] dhcp rate-limit 100
dhcp rate-limit
Syntax
View
Parameter
rate: Maximum rate of DHCP traffic in pps. This argument ranges from 10 to 150.
Description
Use the dhcp rate-limit command to set the maximum rate of DHCP traffic for a
port.
Use the undo dhcp rate-limit command to restore the default value.
By default, the maximum rate of DHCP traffic is 15 pps.
Note that:
You need to enable the function to limit DHCP traffic (see dhcp rate-limit on
page 766) for a port before executing either of these two commands.
Example
# Set the DHCP traffic threshold to 100 pps for port Ethernet 1/0/11.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface ethernet 1/0/11
[5500-Ethernet1/0/11] dhcp rate-limit enable
[5500-Ethernet1/0/11] dhcp rate-limit 100
View
Parameters
None
Description
Use the dhcp rate-limit enable command to enable the function to limit DHCP
traffic for an Ethernet port. You can use this command to limit the DHCP traffic
passing through an Ethernet port.
Use the undo dhcp rate-limit enable command to disable the function. You can
use this command to relieve the DHCP traffic limit configured on an Ethernet port.
With the function to limit DHCP traffic enabled on an Ethernet port, the default
DHCP traffic limit on the port is 15 pps.
By default, the function to limit DHCP traffic is disabled on an Ethernet port. That
is, DHCP traffic passing through an Ethernet port is not limited.
Example
# Enable the function to limit DHCP traffic for Ethernet 1/0/11 port.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface ethernet 1/0/11
[5500-Ethernet1/0/11] dhcp rate-limit enable
DHCP/BOOTP CLIENT CONFIGURATION
51
display dhcp client
Syntax
View
Parameter
Description
Example
Description
Vlan-interface1
Allocated IP
lease
Lease period
T1
T2
Lease from....to....
Server IP
Transaction ID
Transaction ID
Description
Default router
Gateway address
Next timeout will happen after 0 days 11 hours 56 minutes 1 seconds.    The timer expires in 11 hours, 56 minutes, and 1 second.
ip address dhcp-alloc
Syntax
ip address dhcp-alloc
undo ip address dhcp-alloc
View
Parameters
None
Description
Example
To improve security and avoid malicious attacks on unused sockets, UDP ports 67
and 68 used by DHCP are enabled only when DHCP is enabled and are disabled when
DHCP is disabled. The implementation is as follows:
After the DHCP client is disabled by executing the undo ip address dhcp-alloc
command, UDP port 68 is disabled.
ip address bootp-alloc
Description
Example
Description
Vlan-interface1
Allocated IP
Transaction ID
Mac Address
Default router
Default router
ip address bootp-alloc
Syntax
ip address bootp-alloc
undo ip address bootp-alloc
View
Parameters
None
Description
Example
52
acl
Syntax
View
Parameters
System view
all: Specifies to remove all ACLs.
number acl-number: Specifies the number of an existing access control list (ACL)
or an ACL to be defined. ACL number identifies the type of an ACL as follows.
An ACL number in the range 3000 to 3999 identifies an advanced ACL. Note
that 3998 and 3999 cannot be configured because they are reserved for cluster
management.
match-order: Specifies the match order for ACL rules. The following two match
orders exist.
config: Specifies to match ACL rules in the order they are defined.
Use the acl command to define an ACL and enter the corresponding ACL view.
Use the undo acl command to remove all the rules of the specified ACL or all the
ACLs.
By default, ACL rules are matched in the order they are defined.
Only after the rules in an existing ACL are fully removed can you modify the match
order of the ACL.
In ACL view, you can use the rule command to add rules to the ACL.
description
Syntax
description text
undo description
View
Parameter
Description
Basic ACL view, advanced ACL view, Layer 2 ACL view, user-defined ACL view
text: Description string to be assigned to an ACL, a string of 1 to 127 characters.
Use the description command to assign a description string to an ACL.
Use the undo description command to remove the description string of the ACL.
By default, no description string is assigned for an ACL.
Example
display acl
Syntax
View
Parameters
Description
Example
Use the display acl command to display the configuration of a specified or all
ACLs.
# Display information about ACL 2000.
display drv qacl_resource
Field
Description
1 rule
Acls step is 1
This description applies to the Switch 5500 only (not the Switch 5500G).
Syntax
View
Parameters
None
Description
Use the display drv qacl_resource command to display the use of ACL resources
on a switch. From the output, you can view the consumed ACL resources and
determine whether ACL rules cannot be assigned because ACL resources are
exhausted.
Example
spare-rule
211
211
211
111
111
111
111
Description
block
used-mask
used-rule
spare-mask
display drv-module qacl qacl_resource
Syntax
View
Field
Description
spare-rule
This description applies to the Switch 5500G only (not the Switch 5500).
Parameters
None
Description
Use the display drv-module qacl qacl_resource command to display the use of
ACL resources on a device.
From the output, you can view the consumed ACL resources and determine whether
the exhaustion of ACL resources prevents ACL rules from being assigned.
Example
block  used-mask  used-rule  spare-mask  spare-rule
UNIT 0 :
0      7          18         9           110
1      7          18         9           110
2      7          18         9           110
3      7          18         9           110
4      8          19         8           109
5      7          18         9           110
6      7          18         9           110
7      7          18         9           110
8      7          18         9           110
9      7          18         9           110
10     7          18         9           110
11     7          18         9           110
UNIT 1 :
0      7          18         9           110
1      7          18         9           110
2      7          18         9           110
3      7          18         9           110
4      7          18         9           110
5      7          18         9           110
6      7          18         9           110
7      7          18         9           110
8      7          18         9           110
9      7          18         9           110
10     7          18         9           110
11     7          18         9           110
Table 133 Description of the display drv-module qacl qacl_resource command fields
Field
Description
UNIT
block
used-mask
used-rule
spare-mask
spare-rule
display packet-filter
Syntax
View
Parameters
Description
Example
Description
Ethernet 1/0/1
Inbound
running
display time-range
Syntax
View
Parameters
Description
Use the display time-range command to display the configuration and status of
a time range or all the time ranges. For active time ranges, this command displays
Active; for inactive time ranges, this command displays Inactive.
Related command: time-range
Example
Description
Time-range
Active
packet-filter
Syntax
View
Parameters
ip-group acl-number
link-group acl-number
user-group acl-number
Apply a rule of an ACL that is of IP type and a rule of a Layer 2 ACL: ip-group acl-number rule rule-id link-group acl-number rule rule-id
In Table 136:
Description
The rule rule-id keyword specifies a rule of an ACL. The rule argument ranges
from 0 to 65534. If you do not specify this argument, all the rules of the ACL
are applied.
Use the packet-filter command to apply ACL rules on a port to filter packets.
Use the undo packet-filter command to remove the application of ACL rules on
a port.
Example
packet-filter vlan
Syntax
View
System view
Parameters
Description
Use the packet-filter vlan command to apply ACL rules to a VLAN to filter
packets.
Use the undo packet-filter vlan command to remove the application of ACL
rules to a VLAN.
Example
View
Parameters
Function
Description
source { sour-addr
sour-wildcard | any }
fragment
--
Parameters of the undo
rule command
Parameter
Function
Description
time-range time-name
sour-wildcard is the wildcard mask, that is, the bitwise complement of the
source subnet mask. For example, you need to input 0.0.255.255 to specify the
subnet mask 255.255.0.0.
rule-id: Rule ID, which must be the ID of an existing ACL rule. You can obtain
the ID of an ACL rule by using the display acl command.
fragment: Removes the settings concerning non-tail fragments in the ACL rule.
source: Removes the settings concerning source address in the ACL rule.
time-range: Removes the settings concerning time range in the ACL rule.
Description
Example
With the config match order specified for the basic ACL, you can modify any
existent rule. The unmodified part of the rule remains. With the auto match
order specified for the basic ACL, you cannot modify any existent rule;
otherwise the system prompts error information.
If you do not specify the rule-id argument when creating an ACL rule, the rule
will be numbered automatically. If the ACL has no rules, the rule is numbered
0; otherwise, it is the maximum rule number plus one.
The content of a modified or created rule cannot be identical with the content
of any existing rule; otherwise the rule modification or creation will fail, and the
system prompts that the rule already exists.
With the auto match order specified, the newly created rules will be inserted in
the existent ones by depth-first principle, but the numbers of the existent rules
are unaltered.
View
Parameter
Type
Function
Description
Source address
Specifies the
destination address
information for the
ACL rule
precedence
precedence
Packet priority
Specifies an IP
precedence.
Arguments/
Keywords
Type
Function
Description
tos tos
Packet priority
Specifies a ToS
preference.
dscp dscp
Packet priority
Specifies a DSCP
priority.
fragment
Fragment
information
time-range
time-name
Time range
information
Keyword  DSCP value in decimal  DSCP value in binary
af11     10                     001010
af12     12                     001100
af13     14                     001110
af21     18                     010010
af22     20                     010100
af23     22                     010110
af31     26                     011010
af32     28                     011100
af33     30                     011110
af41     34                     100010
af42     36                     100100
af43     38                     100110
be       0                      000000
cs1      8                      001000
cs2      16                     010000
cs3      24                     011000
cs4      32                     100000
cs5      40                     101000
cs6      48                     110000
cs7      56                     111000
ef       46                     101110
If you specify the precedence keyword, you can directly input a value ranging
from 0 to 7 or input one of the keywords listed in Table 140 as IP precedence.
Keyword         IP Precedence in decimal  IP Precedence in binary
routine         0                         000
priority        1                         001
immediate       2                         010
flash           3                         011
flash-override  4                         100
critical        5                         101
internet        6                         110
network         7                         111
If you specify the tos keyword, you can directly input a value ranging from 0 to 15
or input one of the keywords listed in Table 141 as the ToS value.
Table 141 ToS value and the corresponding keywords
Keyword            ToS in decimal  ToS in binary
normal             0               0000
min-monetary-cost  1               0001
max-reliability    2               0010
max-throughput     4               0100
min-delay          8               1000
If the protocol type is TCP or UDP, you can also define the information listed in
Table 142.
Type
Function
source-port operator
port1 [ port2 ]
Source port
destination-port
Destination port
operator port1 [ port2 ]
Description
TCP-specific
argument
When advanced ACLs are applied to ports or VLANs of the Switch 5500, only the
rules configured with the operator argument specified as eq are valid.
If TCP or UDP port number is represented by name, you can also define the
information listed in Table 143.
Value
TCP
CHARgen (19), bgp (179), cmd (514), daytime (13), discard (9), domain
(53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher
(70), hostname (101), irc (194), klogin (543), kshell (544), login (513),
lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111),
tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43),
www (80)
UDP
biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90),
echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42),
netbios-dgm (138), netbios-ns (139), netbios-ssn (139), ntp (123), rip
(520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds
(65), talk (517), tftp (69), time (37), who (513), xdmcp (177)
If the protocol type is ICMP, you can also define the information listed in
Table 144.
Table 144 ICMP-specific ACL rule information
Parameter
Type
Function
Description
icmp-type icmp-type
icmp-code
icmp-type: ICMP
message type,
ranging from 0 to
255
icmp-code: ICMP
message code,
ranging from 0 to
255
If the protocol type is ICMP, you can also just input the ICMP message name after
the icmp-type keyword. Table 145 lists some common ICMP messages.
Table 145 ICMP messages
Name                  ICMP type  ICMP code
echo                  Type=8     Code=0
echo-reply            Type=0     Code=0
fragmentneed-DFset    Type=3     Code=4
host-redirect         Type=5     Code=1
host-tos-redirect     Type=5     Code=3
host-unreachable      Type=3     Code=1
information-reply     Type=16    Code=0
information-request   Type=15    Code=0
net-redirect          Type=5     Code=0
net-tos-redirect      Type=5     Code=2
net-unreachable       Type=3     Code=0
parameter-problem     Type=12    Code=0
port-unreachable      Type=3     Code=3
protocol-unreachable  Type=3     Code=2
reassembly-timeout    Type=11    Code=1
source-quench         Type=4     Code=0
source-route-failed   Type=3     Code=5
timestamp-reply       Type=14    Code=0
timestamp-request     Type=13    Code=0
ttl-exceeded          Type=11    Code=0
rule-id: Rule ID, which must be the ID of an existing ACL rule. You can obtain
the ID of an ACL rule by using the display acl command.
source: Removes the settings concerning the source address in the ACL rule.
source-port: Removes the settings concerning the source port in the ACL rule.
This keyword is only available to the ACL rules with their protocol types set to TCP
or UDP.
destination: Removes the settings concerning the destination address in the ACL
rule.
destination-port: Removes the settings concerning the destination port in the
ACL rule. This keyword is only available to the ACL rules with their protocol types
set to TCP or UDP.
icmp-type: Removes the settings concerning the ICMP type and message code in
the ACL rule. This keyword is only available to the ACL rules with their protocol
type set to ICMP.
precedence: Removes the precedence-related settings in the ACL rule.
tos: Removes the ToS-related settings in the ACL rule.
dscp: Removes the DSCP-related settings in the ACL rule.
time-range: Removes the time range settings in the ACL rule.
fragment: Removes the settings concerning non-tail fragments in the ACL rule.
Description
With the config match order specified for the advanced ACL, you can modify
any existent rule. The unmodified part of the rule remains. With the auto
match order specified for the ACL, you cannot modify any existent rule;
otherwise the system prompts error information.
Example
If you do not specify the rule-id argument when creating an ACL rule, the rule
will be numbered automatically. If the ACL has no rules, the rule is numbered
0; otherwise, the number of the rule will be the greatest rule number plus one.
If the current greatest rule number is 65534, however, the system will display
an error message and you need to specify a number for the rule.
The content of a modified or created rule cannot be identical with the content
of any existing rules; otherwise the rule modification or creation will fail, and
the system prompts that the rule already exists.
If the ACL is created with the auto keyword specified, the newly created rules
will be inserted in the existent ones by depth-first principle, but the numbers of
the existent rules are unaltered.
# Configure ACL 3000 to permit the TCP packets sourced from the network
129.9.0.0/16 and destined for the network 202.38.160.0/24 and with the
destination port number being 80.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] acl number 3000
[5500-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination
202.38.160.0 0.0.0.255 destination-port eq 80
View
Parameters
Type
Function
Description
format-type
Link layer
encapsulation type
Type
Function
Description
lsap lsap-code
lsap-wildcard
lsap field
source {
source-mac-addr
source-mac-mask |
vlan-id }*
source-mac-addr:
Source MAC
address, in the
format of H-H-H.
source-mac-mask:
Mask of the source
MAC address, in the
format of H-H-H.
vlan-id: Source VLAN
ID, in the range of 1
to 4,094.
dest dest-mac-addr
dest-mac-mask
Destination MAC
address information
Specifies the
destination MAC
address range for the
ACL rule
dest-mac-addr:
Destination MAC
address, in the
format of H-H-H.
dest-mac-mask:
Mask of the
destination MAC
address, in the
format of H-H-H.
Description
cos cos
Priority
c-tag-vlan
c-tag-vlan-begin [ to
c-tag-vlan-end ]
Inner VLAN
information
Specifies information
about inner VLAN of
the rule
c-tag-vlan-begin,
c-tag-vlan-end:
VLAN ID, in the
range of 1 to 4094.
time-range
time-name
Time range
information
time-name: specifies
the name of the time
range in which the
rule is active; a string
comprising 1 to 32
characters.
type protocol-type
protocol-mask
Protocol type of
Ethernet frames
protocol-type:
Protocol type.
protocol-mask:
Protocol type mask.
When layer 2 ACLs are applied to ports or VLANs of the 3Com Switch 5500, rules
configured with the format-type argument and the lsap keyword are invalid.
Use the rule command to define an ACL rule.
Use the undo rule command to remove an ACL rule.
To remove an ACL rule using the undo rule command, you need to provide the ID
of the ACL rule. You can obtain the ID of an ACL rule by using the display acl
command.
Note that:
Example
You can modify any existent rule of the Layer 2 ACL and the unmodified part of
the ACL remains.
If you do not specify the rule-id argument when creating an ACL rule, the rule
will be numbered automatically. If the ACL has no rules, the rule is numbered
0; otherwise, the number of the rule will be the greatest rule number plus one.
If the current greatest rule number is 65534, however, the system will display
an error message and you need to specify a number for the rule.
The content of a modified or created rule cannot be identical with the content
of any existing rules; otherwise the rule modification or creation will fail, and
the system prompts that the rule already exists.
# Configure ACL 4000 to deny packets sourced from the MAC address
000d-88f5-97ed, destined for the MAC address 0011-4301-991e, and with their
802.1p priority being 3.
<5500> system-view
[5500] acl number 4000
[5500-acl-ethernetframe-4000] rule deny cos 3 source 000d-88f5-97ed
ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff
View
Parameters
The maximum value of the mask offset of the rule becomes one byte less for
every two additional hexadecimal numerals in the rule-string argument. For
example, when the rule-string contains two hexadecimal numerals, the maximum
value of offset is 79 bytes; when the rule-string contains four hexadecimal
numerals, the maximum value of offset is 78 bytes, and so on.
The valid length of the mask offset is 128 hexadecimal numerals (64 bytes). For
example, assume that you specify a rule string of aa and set its offset to 2. If
you continue to specify a rule string of bb, its offset must be in the range from
3 to 65 bytes. If you set the offset of the rule string aa to 3, the offset of the
rule string bb must be in the range of 4 to 66 bytes, and so on. However, the
offset of the rule string bb cannot be greater than 79 bytes.
As shown in Table 147, the hardware rule of the Switch 5500 Family logically
divides the rule mask offset of a user-defined string into multiple offset units,
each of which is 4-byte long. Available offset units fall into eight groups, which
are numbered from Offset1 to Offset8.
With the Switch 5500, a user-defined rule string may or may not contain
spaces and can be up to 32 bytes in length. It can occupy up to eight mask
offset units, and no two of the offset units can belong to the same offset
group. Otherwise, the ACL cannot be applied successfully.
Offset1   Offset2   Offset3   Offset4   Offset5   Offset6   Offset7   Offset8
0 to 3    4 to 7    8 to 11   12 to 15  16 to 19  20 to 23  24 to 27  28 to 31
2 to 5    6 to 9    10 to 13  14 to 17  18 to 21  22 to 25  26 to 29  30 to 33
6 to 9    10 to 13  14 to 17  18 to 21  22 to 25  26 to 29  30 to 33  34 to 37
12 to 15  16 to 19  20 to 23  24 to 27  28 to 31  32 to 35  36 to 39  40 to 43
20 to 23  24 to 27  28 to 31  32 to 35  36 to 39  40 to 43  44 to 47  48 to 51
30 to 33  34 to 37  38 to 41  42 to 45  46 to 49  50 to 53  54 to 57  58 to 61
42 to 45  46 to 49  50 to 53  54 to 57  58 to 61  62 to 65  66 to 69  70 to 73
56 to 59  60 to 63  64 to 67  68 to 71  72 to 75  76 to 79  0 to 3    4 to 7
You can modify any existing rule of a user-defined ACL. If you modify only the
time range and/or action, the unmodified parts of the rule remain the same. If
you modify the rule-string rule-mask offset combinations, however, the new
combinations will replace all of the original ones.
Examples
If you do not specify the rule-id argument when creating an ACL rule, the rule
will be numbered automatically. If the ACL has no rules, the rule is numbered
0; otherwise, the number of the rule will be the greatest rule number plus one.
If the current greatest rule number is 65534, however, the system will display
an error message and you need to specify a number for the rule.
The content of a modified or created rule cannot be identical with the content
of any existing rules; otherwise the rule modification or creation will fail, and
the system prompts that the rule already exists.
When configuring a rule that matches specific fields of packets, take the following
two items into account:
If VLAN-VPN is not enabled, each packet in the switch carries one VLAN tag,
which is 4 bytes long.
If VLAN-VPN is enabled on a port, each packet in the switch carries two VLAN
tags, which occupy 8 bytes.
# Configure ACL 5000, specifying a 32-byte rule string, a rule mask of all Fs, and
an offset of 4. Then, apply the ACL to Ethernet 1/0/1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] acl number 5000
[5500-acl-user-5000] rule deny
1234567890123456789012345678901234567890123456789012345678901234
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 4
[5500-acl-user-5000] quit
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] packet-filter inbound user-group 5000
In this example, the 32-byte rule string occupies eight offset units:
4 to 7 (Offset2), 8 to 11 (Offset3), 12 to 15 (Offset4), 16 to 19
(Offset5), 20 to 23 (Offset1), 24 to 27 (Offset7), 28 to 31
(Offset8), and 32 to 35 (Offset6), as shown in Table 1-16. The rule
can be assigned successfully.
# Configure ACL 5001, specifying a 32-byte rule string, a rule mask of all Fs, and
an offset of 24. Then, apply the ACL to Ethernet 1/0/1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] acl number 5001
[5500-acl-user-5001] rule deny
1234567890123456789012345678901234567890123456789012345678901234
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 24
[5500-acl-user-5001] quit
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] packet-filter inbound user-group 5001
Applying Acl 5001 rule 0 failed!
Reason: This type of ACL rule is not supported by the command which
is attempting to use the ACL!(Ethernet1/0/1)
In this example, the 32-byte rule string does not comply with the rule that a
user-defined rule string can occupy up to eight mask offset units and that no
two offset units can belong to the same offset group. The ACL cannot be assigned.
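The offset-group rule behind the two examples above (ACL 5000 is assigned, ACL 5001 is rejected) can be checked offline before a user-defined rule is pushed to a switch. The following Python is an added example, not 3Com code: it assumes, as in both examples, that the rule string is split into consecutive 4-byte units starting at the configured offset, and the function names are hypothetical.

```python
"""Pre-check a Switch 5500 user-defined ACL rule string against Table 147."""

# Table 147 as printed on the page: columns are Offset1..Offset8, each entry is
# the first byte of a 4-byte mask offset unit ("4 to 7" is stored as 4).
TABLE_147 = [
    [0, 4, 8, 12, 16, 20, 24, 28],
    [2, 6, 10, 14, 18, 22, 26, 30],
    [6, 10, 14, 18, 22, 26, 30, 34],
    [12, 16, 20, 24, 28, 32, 36, 40],
    [20, 24, 28, 32, 36, 40, 44, 48],
    [30, 34, 38, 42, 46, 50, 54, 58],
    [42, 46, 50, 54, 58, 62, 66, 70],
    [56, 60, 64, 68, 72, 76, 0, 4],
]
UNIT_BYTES = 4
MAX_RULE_BYTES = 32  # "up to 32 bytes in length"


def groups_by_unit():
    """Map each unit's first byte to the sorted offset groups (1..8) listing it."""
    index = {}
    for row in TABLE_147:
        for group, start in enumerate(row, start=1):
            index.setdefault(start, set()).add(group)
    return {start: sorted(groups) for start, groups in index.items()}


def split_units(offset, length):
    """First byte of every 4-byte unit the rule string occupies (assumed layout)."""
    if length <= 0 or length > MAX_RULE_BYTES or length % UNIT_BYTES:
        # Placement of shorter or unaligned strings is not described on the page.
        raise ValueError("length must be 4, 8, ... 32 bytes in this model")
    return [offset + i for i in range(0, length, UNIT_BYTES)]


def assign_groups(offset, length):
    """Return {unit_start: offset_group} with every group used at most once.

    Returns None when a unit is not in Table 147 or when the units cannot all
    be placed in different groups (the case the switch rejects).
    """
    index = groups_by_unit()
    units = split_units(offset, length)
    if any(unit not in index for unit in units):
        return None

    owner = {}  # offset group -> unit currently holding it

    def place(unit, seen):
        # Augmenting-path step of bipartite matching: take a free group, or
        # move the unit that holds a group to another group it can use.
        for group in index[unit]:
            if group in seen:
                continue
            seen.add(group)
            if group not in owner or place(owner[group], seen):
                owner[group] = unit
                return True
        return False

    for unit in units:
        if not place(unit, set()):
            return None
    return {unit: group for group, unit in owner.items()}


if __name__ == "__main__":
    # The two rule strings from the examples: 32 bytes at offset 4 and at 24.
    for acl, offset in ((5000, 4), (5001, 24)):
        result = assign_groups(offset, 32)
        if result is None:
            print(f"ACL {acl}: offset {offset} cannot be assigned")
        else:
            layout = ", ".join(
                f"{u} to {u + 3} (Offset{g})" for u, g in sorted(result.items())
            )
            print(f"ACL {acl}: offset {offset} fits: {layout}")
```

The assignment found for offset 4 may differ from the one listed in the text, because several units appear in more than one offset group; any assignment that uses eight different groups is valid.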
rule comment
Syntax
View
Parameters
Description
Use the rule comment command to define a comment for the ACL rule.
Use the undo rule comment command to remove the comment defined for the
ACL rule.
By default, an ACL rule has no comment.
Before defining a comment for an ACL rule, make sure that the ACL rule exists.
Example
time-range
Syntax
View
Parameters
System view
all: Removes all the time ranges.
time-name: Name of a time range, a case insensitive string of 1 to 32 characters
that starts with a to z or A to Z. To avoid confusion, it cannot be all.
Numeral (0 to 6)
from start-time start-date: Specifies the start date of an absolute time range, in
the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD. The start-time
start-date and end-time end-date argument jointly define a period in which the
absolute time range takes effect. If the start date is not specified, the time range
starts from 1970/01/01 00:00.
to end-time end-date: Specifies the end date of an absolute time range, in the
form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD. The start-time start-date
and end-time end-date argument jointly define a period in which the absolute
time range takes effect. If the end date is not specified, the time range ends at
2100/12/31 23:59.
Description
Example
If only a periodic time section is defined in a time range, the time range is
active only when the system time is within the defined periodic time section. If
multiple periodic time sections are defined in a time range, the time range is
active only when the system time is within one of the periodic time sections.
If only an absolute time section is defined in a time range, the time range is
active only when the system time is within the defined absolute time section. If
multiple absolute time sections are defined in a time range, the time range is
active only when the system time is within one of the absolute time sections.
If both a periodic time section and an absolute time section are defined in a
time range, the time range is active only when the periodic time range and the
absolute time range are both matched. Assume that a time range defines an
absolute time section from 00:00 January 1, 2004 to 23:59 December 31,
2004, and a periodic time section from 12:00 to 14:00 every Wednesday. This
time range is active only when the system time is within 12:00 to 14:00 every
Wednesday in 2004.
# Define an absolute time range that is active from 12:00 January 1, 2008 to
12:00 June 1, 2008.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] time-range test from 12:00 1/1/2008 to 12:00 6/1/2008
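The activation rules described above (any one periodic section matches, any one absolute section matches, and both kinds must match when both are defined) are shown here as an added Python example, not 3Com code. It uses the default absolute bounds given on the page; the function names, Python's weekday numbering (Monday = 0) and inclusive minute-level boundaries are assumptions.

```python
from datetime import datetime, time

# Defaults the page gives for an absolute section without a start or end date.
DEFAULT_START = datetime(1970, 1, 1, 0, 0)
DEFAULT_END = datetime(2100, 12, 31, 23, 59)


def _minute(moment):
    """Truncate to minute resolution, the resolution of hh:mm in the command."""
    return moment.replace(second=0, microsecond=0)


def in_periodic(now, section):
    """section = (weekdays, start, end); weekdays is a set of Python weekday numbers."""
    weekdays, start, end = section
    return now.weekday() in weekdays and start <= _minute(now).time() <= end


def in_absolute(now, section):
    """section = (start, end); None selects the page's default bound."""
    start, end = section
    return (start or DEFAULT_START) <= _minute(now) <= (end or DEFAULT_END)


def time_range_active(now, periodic=(), absolute=()):
    """Evaluate one time range made of periodic and/or absolute sections."""
    if not periodic and not absolute:
        raise ValueError("a time range needs at least one section")
    # Sections of the same kind are alternatives; the two kinds are combined
    # with AND when both are present.
    periodic_ok = not periodic or any(in_periodic(now, s) for s in periodic)
    absolute_ok = not absolute or any(in_absolute(now, s) for s in absolute)
    return periodic_ok and absolute_ok


# Constructed sample: the time range described in the text (12:00 to 14:00
# every Wednesday, within the year 2004).
WEDNESDAY_NOON = ({2}, time(12, 0), time(14, 0))
YEAR_2004 = (datetime(2004, 1, 1, 0, 0), datetime(2004, 12, 31, 23, 59))

if __name__ == "__main__":
    samples = (
        datetime(2004, 3, 3, 13, 0),   # Wednesday in 2004, inside the window
        datetime(2004, 3, 4, 13, 0),   # Thursday in 2004
        datetime(2005, 3, 2, 13, 0),   # Wednesday, but outside 2004
    )
    for moment in samples:
        state = "Active" if time_range_active(
            moment, periodic=[WEDNESDAY_NOON], absolute=[YEAR_2004]) else "Inactive"
        print(moment.isoformat(" "), state)
```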
QOS COMMANDS
53
burst-mode enable
Syntax
burst-mode enable
undo burst-mode enable
View
System view
Parameters
None
Description
Example
Caution: With the IRF function enabled, do not enable the burst function. Refer
to the IRF Fabric section of the Switch 5500 Family Configuration Guide for
detailed information about IRF.
# Enable the burst function.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] burst-mode enable
display protocol-priority
Syntax
View
display protocol-priority
Any view
Parameters
None
Description
Example
Parameters
None
Description
Example
display qos-interface all
Syntax
View
Parameters
Description
Examples
Use the display qos-interface all command to display all the QoS-related
configuration of a port or a unit.
# Display all the QoS-related configuration of Ethernet 1/0/1.
<5500> display qos-interface Ethernet 1/0/1 all
Ethernet1/0/1: traffic-limit
Inbound:
Matches: Acl 2000 rule 0 running
Target rate: 64 Kbps
Exceed action: remark-dscp cs7
Ethernet1/0/1: traffic-priority
Inbound:
Matches: Acl 2000 rule 0 running
Priority action: dscp cs6
Ethernet1/0/1: traffic-redirect
Inbound:
Matches: Acl 2000 rule 0 running
Redirected to: interface Ethernet1/0/2
Ethernet1/0/1: traffic-statistic
Inbound:
Matches: Acl 2000 rule 0 running
0 packet inprofile
0 packet outprofile
Ethernet1/0/1: mirrored-to
Inbound:
Matches: Acl 2000 rule 0 running
Mirrored to: monitor interface
Ethernet1/0/1: line-rate
Inbound: 64 Kbps
Ethernet1/0/1:
Queue scheduling mode: strict-priority
Ethernet1/0/1: traffic-remark-vlanid
Inbound:
Matches: Acl 2000 rule 0 running
Remark vlan: 2
Outbound: 64 Kbps
GigabitEthernet1/0/1:
Queue scheduling mode: strict-priority
GigabitEthernet1/0/1: traffic-remark-vlanid
Inbound:
Matches: Acl 2000 rule 0 running
Remark vlan: 2
Description
Ethernet 1/0/1
GigabitEthernet 1/0/1
traffic-limit, TP configuration
Inbound
Packet direction
Matches
Target rate
TP target rate
Exceed action
TP action
Priority action
Redirected to
inprofile
outprofile
Mirrored to
Remark vlan
display qos-interface line-rate
Syntax
View
Parameters
Description
Examples
display qos-interface mirrored-to
Syntax
View
Parameters
Description
Examples
Inbound:
Matches: Acl 2000 rule 0 running
Mirrored to: monitor interface
display qos-interface traffic-limit
Syntax
View
Parameters
Description
Examples
display qos-interface traffic-priority
Syntax
View
Parameters
Any view
interface-type interface-number: Port type and port number.
unit-id: Unit ID of the switch whose priority marking configuration is to be
displayed.
Description
Example
display qos-interface traffic-redirect
Syntax
View
Parameters
Description
Examples
display qos-interface traffic-remark-vlanid
Syntax
View
Parameters
Description
Examples
display qos-interface traffic-statistic
Syntax
View
Parameters
Description
Example
display queue-scheduler
Syntax
View
display queue-scheduler
Any view
Parameters
None
Description
line-rate
Syntax
Switch 5500:
line-rate { inbound | outbound } target-rate [ burst-bucket burst-bucket-size ]
undo line-rate { inbound | outbound }
Switch 5500G:
line-rate outbound target-rate [ burst-bucket burst-bucket-size ]
undo line-rate outbound
View
Parameters
The granularity of port rate limit is 64 kibps. If the value you provide for
the target-rate argument falls in the range N*64 to (N+1)*64 (N is a natural
number), it is rounded off to (N+1)*64.
burst-bucket burst-bucket-size: Specifies the maximum burst traffic size (in kbs)
allowed. The burst-bucket-size argument must be an integer power of 2. It ranges
from 4 to 512 and defaults to 512.
Description
Use the line-rate command to limit the rate of the inbound or outbound packets
on a port.
Use the undo line-rate command to cancel the line rate (LR) configuration.
Examples
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet1/0/1
[5500-Ethernet1/0/1] line-rate inbound 128
mirrored-to
Syntax
Switch 5500:
mirrored-to { inbound | outbound } acl-rule { monitor-interface | cpu }
undo mirrored-to { inbound | outbound } acl-rule
Switch 5500G:
mirrored-to inbound acl-rule { monitor-interface | cpu }
undo mirrored-to inbound acl-rule
View
Parameters
ip-group acl-number
link-group acl-number
user-group acl-number
Description
ip-group acl-number
link-group acl-number
user-group acl-number
rule-id
Examples
priority
Syntax
priority priority-level
undo priority
View
Parameter
Description
Examples
priority trust
Syntax
priority trust
undo priority
View
Parameters
Description
Use the priority trust command to configure the switch to trust the 802.1p
priority of a packet.
Use the undo priority command to restore the default settings.
By default, port priority is trusted.
Example
protocol-priority protocol-type
Syntax
View
Parameters
System view
protocol-type protocol-type: Specifies the protocol type, which could be Telnet,
SNMP, ICMP, or OSPF.
ip-precedence ip-precedence: Specifies the IP precedence, in the range 0 to 7.
You can also enter the keywords listed in Table 151 as the IP precedence.
Table 151 IP precedence keywords and the corresponding decimal/binary values
Keyword          IP precedence value (decimal)   IP precedence value (binary)
routine          0                               000
priority         1                               001
immediate        2                               010
flash            3                               011
flash-override   4                               100
critical         5                               101
internet         6                               110
network          7                               111
dscp dscp-value: Specifies the DSCP precedence, in the range of 0 to 63. You can
also enter the keywords listed in Table 152 as the DSCP precedence.
Table 152 DSCP precedence keywords and the corresponding decimal/binary values
Keyword            DSCP value (decimal)   DSCP value (binary)
af11               10                     001010
af12               12                     001100
af13               14                     001110
af21               18                     010010
af22               20                     010100
af23               22                     010110
af31               26                     011010
af32               28                     011100
af33               30                     011110
af41               34                     100010
af42               36                     100100
af43               38                     100110
be (the default)   0                      000000
cs1                8                      001000
cs2                16                     010000
cs3                24                     011000
cs4                32                     100000
cs5                40                     101000
cs6                48                     110000
cs7                56                     111000
ef                 46                     101110
Description
Example
On a Switch 5500 switch, you can set the priority for protocol packets of Telnet,
OSPF, SNMP, and ICMP.
# Set the IP precedence to 3 for SNMP protocol packets.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] protocol-priority protocol-type snmp ip-precedence 3
qos cos-localprecedence-map
Syntax
View
System view
Parameters
Description
Example
802.1p priority
Local precedence
queue-scheduler
Syntax
In system view
View
Parameters
Bandwidth granularity is 64 kbps. If the value provided is in the range
N*64 to (N+1)*64 (N is a natural number), it is rounded off to (N+1)*64
automatically. A value of 0 means the corresponding queue adopts the SP
algorithm for queue scheduling.
wrr: Adopts the weighted round robin (WRR) algorithm for queue scheduling.
queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight
queue5-weight queue6-weight queue7-weight: Weights to be assigned to queue
0 through queue 7. The value ranges from 0 to 15 in both system view and
Ethernet port view. A value of 0 means the corresponding queue adopts the SP
algorithm for queue scheduling.
Description
A Switch 5500 port supports eight output queues, to which these queue
scheduling algorithms are applicable: SP, WRR, and WFQ. With WRR (or WFQ)
adopted, if you set the weight or the bandwidth of one or multiple queues to 0,
the device will add the queue or these queues to the SP group, where SP is
adopted. For other queues, WRR (or WFQ) still applies. In this case, both SP and
WRR (or WFQ) are adopted.
If the weight (or bandwidth value) specified in system view for a queue of WRR
queuing or WFQ queuing cannot meet the requirement of a port, you can
modify the weight (or bandwidth value) for this port in the corresponding
Ethernet port view. The new weight (or bandwidth value) takes effect only on
the port.
If the weight (or bandwidth value) specified in system view for a queue of
SP-WRR queuing or SP-WFQ queuing in the command cannot meet the
requirement of a port, you can modify the weight (or bandwidth value) for this
port in the corresponding Ethernet port view. The new weight (or bandwidth
value) takes effect only on the port.
The display queue-scheduler command cannot display the queue weight (or
bandwidth value) specified in Ethernet port view.
# Configure Ethernet 1/0/1 to adopt the WRR queue scheduling algorithm, setting
the weights of queue 0 through queue 7 to 1, 2, 3, 4, 5, 6, 7, and 8.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] queue-scheduler wrr 1 2 3 4 5 6 7 8
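The mixed SP and WRR behaviour described above (queues with weight 0 join the SP group, the rest stay under WRR) is easier to reason about with a small model. The following is an added simulation, not code from the 3Com manual and not the switch's actual algorithm; it assumes that the SP group is always served before the WRR group, that a higher queue number wins inside each group, and that WRR serves up to "weight" packets per queue in each round.

```python
from collections import Counter


def split_groups(weights):
    """Split queue 0 through queue 7 into the SP group and the WRR group."""
    if len(weights) != 8:
        raise ValueError("expected weights for queue 0 through queue 7")
    if any(not 0 <= w <= 15 for w in weights):
        raise ValueError("each weight must be in the range 0 to 15")
    sp = [q for q, w in enumerate(weights) if w == 0]
    wrr = [q for q, w in enumerate(weights) if w > 0]
    return sp, wrr


def simulate(weights, backlog, slots):
    """Return the queue number served in each of up to `slots` send slots.

    backlog[q] is the number of packets waiting in queue q at the start.
    """
    sp, wrr = split_groups(weights)
    pending = list(backlog)
    credits = {q: weights[q] for q in wrr}   # packets left in this WRR round
    order = []
    while len(order) < slots:
        ready_sp = [q for q in sp if pending[q]]
        if ready_sp:
            # Assumption: any waiting SP packet pre-empts the WRR group.
            q = max(ready_sp)
        else:
            if not any(pending[q] for q in wrr):
                break                        # nothing left to send
            ready = [q for q in wrr if pending[q] and credits[q]]
            if not ready:
                # Every backlogged WRR queue used its share: start a new round.
                credits = {q: weights[q] for q in wrr}
                continue
            q = max(ready)
            credits[q] -= 1
        pending[q] -= 1
        order.append(q)
    return order


def service_counts(order):
    """Number of packets sent per queue, as a plain dict."""
    return dict(Counter(order))


if __name__ == "__main__":
    # Weights from the manual's example: pure WRR, no SP group.
    print(service_counts(simulate([1, 2, 3, 4, 5, 6, 7, 8], [100] * 8, 36)))
    # Constructed case: queue 7 set to weight 0, so it moves to the SP group.
    print(simulate([1, 2, 3, 4, 5, 6, 7, 0], [10] * 8, 12))
```

In the second case queue 7 drains completely before any WRR queue is served, which is why a queue placed in the SP group is usually paired with a rate limit on the traffic that can reach it.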
queue-scheduler
Syntax
In system view
queue-scheduler { strict-priority | wrr queue0-weight queue1-weight
queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight
queue7-weight }
undo queue-scheduler
In Ethernet port view
queue-scheduler wrr queue0-weight queue1-weight queue2-weight
queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight
undo queue-scheduler
Views
Parameters
strict-priority: Adopts the strict priority (SP) algorithm for queue scheduling.
wrr: Adopts the weighted round robin (WRR) algorithm for queue scheduling.
queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight
queue5-weight queue6-weight queue7-weight: Weights to be assigned to queue
0 through queue 7. The value ranges from 0 to 15. A value of 0 means the
corresponding queue adopts the SP algorithm for queue scheduling.
Description
If the weight specified in system view for a queue of WRR queuing cannot
meet the requirement of a port, you can modify the weight for this port in the
corresponding Ethernet port view. The new weight takes effect only on the
port.
A Switch 5500G port supports eight output queues. These queue scheduling
algorithms are available: SP, WRR. With WRR adopted, if you set the weight of one
or multiple queues to 0, the device will add the queue or these queues to the SP
group, where SP is adopted. For other queues, WRR still applies. In this case, both
SP and WRR are adopted.
Related command: display queue-scheduler
Example
reset traffic-statistic
Syntax
View
Parameters
inbound: Specifies to clear the statistics of the inbound packets on the port.
acl-rule: ACL rules to be applied. This argument can be the combination of
multiple ACLs. For more information about this argument, refer to Table 149 and
Table 150.
Description
Example
traffic-limit
Syntax
View
Parameters
When you configure the TP on a port, an ACL rule can only be applied to one
egress port. If you configure the same ACL rule for different egress ports, only
the last configuration takes effect. To apply the same ACL rule to multiple
egress ports, you need to specify different ACL numbers or rule numbers for
the ACL rule.
If the IRF function is enabled, the egress port can only be a port of the local
unit. For information about IRF, refer to IRF Fabric Commands on page 883.
target-rate: Target packet rate (in kbps) to be set. The range of this argument
varies by port type as follows.
The granularity of rate limit is 64 kbps. If the number you input is in the range
N*64 to (N+1)*64 (N is a natural number), it will be rounded off to (N+1)*64.
burst-bucket burst-bucket-size: Specifies the maximum burst traffic size (in KB)
allowed. The burst-bucket-size argument ranges from 4 to 512 and defaults to
512. Note that it must be an integer power of 2.
exceed action: Specifies the action to be taken when the traffic rate exceeds the
threshold. The action argument can be:
Description
remark-dscp value: Sets a new DSCP value for the packets and then forwards
the packets.
Use the traffic-limit command to enable TP and set the related settings.
Use the undo traffic-limit command to disable TP for packets matching specific
ACL rules.
Related command: display qos-interface traffic-limit
Examples
# Enable TP for inbound packets matching ACL 4000 on Ethernet 1/0/1, setting
the target packet rate to 128 kbps and configuring to drop the packets exceeding
the target packet rate.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
traffic-priority
Syntax
Switch 5500:
traffic-priority { inbound | outbound } acl-rule { { dscp dscp-value |
ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } |
local-precedence pre-value }*
undo traffic-priority { inbound | outbound } acl-rule
Switch 5500G:
traffic-priority inbound acl-rule { { dscp dscp-value | ip-precedence { pre-value |
from-cos } } | cos { pre-value | from-ipprec } | local-precedence pre-value }*
undo traffic-priority inbound acl-rule
View
Parameters
Table 154 802.1p priority keywords and the corresponding decimal/binary values
Keyword              802.1p priority value (decimal)   802.1p priority value (binary)
best-effort          0                                 000
background           1                                 001
Spare                2                                 010
excellent-effort     3                                 011
controlled-load      4                                 100
Video                5                                 101
Voice                6                                 110
Network-management   7                                 111
Examples
# Set the 802.1p priority to 1 on Ethernet 1/0/1 for the inbound packets matching
ACL 4000.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] traffic-priority inbound link-group 4000 cos 1
# Set the 802.1p priority to 1 on GigabitEthernet 1/0/1 for the inbound packets
matching ACL 4000.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface GigabitEthernet 1/0/1
[5500G-GigabitEthernet1/0/1] traffic-priority inbound link-group 4000 cos 1
traffic-priority vlan
Syntax
Switch 5500:
traffic-priority vlan vlan-id { inbound | outbound } acl-rule { { dscp dscp-value |
ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } |
local-precedence pre-value }*
undo traffic-priority vlan vlan-id { inbound | outbound } acl-rule
Switch 5500G
traffic-priority vlan vlan-id inbound acl-rule { { dscp dscp-value |
ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } |
local-precedence pre-value }*
undo traffic-priority vlan vlan-id inbound acl-rule
View
Parameters
System view
vlan-id: VLAN ID.
inbound: Remarks the priority for the received packets.
outbound: Remarks the priority for the packet to be transmitted.
acl-rule: ACL rules to be applied. This argument can be the combination of
multiple ACLs. For more information about this argument, refer to Table 149 and
Table 150. Note that the ACL rules referenced must be those defined with the
permit keyword specified.
dscp dscp-value: Sets the DSCP preference, which is in the range 0 to 63. You can
also provide one of the keywords listed in Table 152 for the dscp-value argument.
ip-precedence { pre-value | from-cos }: Sets the IP preference. The pre-value
argument is in the range of 0 to 7. You can also provide one of the keywords listed
in Table 151 for this argument. The from-cos keyword specifies to use the 802.1p
preference as the IP preference.
cos { pre-value | from-ipprec }: Sets the 802.1p preference. The pre-value is in the
range 0 to 7. You can also provide one of the keywords listed in Table 154 for the
argument. The from-ipprec keyword specifies to use the IP preference as the
802.1p preference.
local-precedence pre-value: Sets the local preference, which is in the range 0 to
7.
Description
Use the traffic-priority vlan command to configure priority marking for the
packets of a VLAN.
Use the undo traffic-priority vlan command to remove the priority marking
configuration for the packets of a VLAN.
Related command: display qos-interface traffic-priority
Example
traffic-redirect
Syntax
Switch 5500
traffic-redirect { inbound | outbound } acl-rule { cpu | { interface interface-type
interface-number | link-aggregation-group agg-id } [ untagged ] }
undo traffic-redirect { inbound | outbound } acl-rule
Switch 5500G
traffic-redirect inbound acl-rule { cpu | { interface interface-type
interface-number | link-aggregation-group agg-id } [ untagged ] }
undo traffic-redirect inbound acl-rule
View
Parameters
Description
Examples
When the traffic redirecting function is used in conjunction with the selective
QinQ function, you can specify the untagged keyword as required (that is,
remove the outer VLAN tag of a packet after the packet is redirected to the
uplink port) in a tree network with a single uplink port (or an aggregation
group). Do not specify the untagged keyword in a ring network or a network
with multiple uplink ports. Refer to VLAN-VPN Configuration Commands on
page 1123 for information about selective QinQ.
# Redirect the inbound packets matching ACL 2000 to Ethernet 1/0/7 on Ethernet
1/0/1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] traffic-redirect inbound ip-group 2000 interface Ethernet1/0/7
traffic-remark-vlanid
Syntax
View
Parameters
Description
Use the traffic-remark-vlanid command to enable VLAN mapping and set the
target VLAN ID for packets matching specific ACL rules.
# Enable VLAN mapping on Ethernet 1/0/1 to map the VLAN IDs of the inbound
packets matching ACL 4001 to 1001.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet1/0/1
[5500-Ethernet1/0/1] traffic-remark-vlanid inbound link-group 4001 remark-vlan 1001
# Enable VLAN mapping on GigabitEthernet 1/0/1 to map the VLAN IDs of the
inbound packets matching ACL 4001 to 1001.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface GigabitEthernet1/0/1
[5500G-GigabitEthernet1/0/1] traffic-remark-vlanid inbound link-group 4001 remark-vlan 1001
traffic-statistic
Syntax
View
Parameters
Description
Use the traffic-statistic command to enable traffic accounting for
packets matching specific ACL rules.
Use the undo traffic-statistic command to disable traffic accounting.
Related command: display qos-interface traffic-statistic
Example
# Enable traffic accounting on Ethernet 1/0/1 for the inbound packets
matching ACL 2000.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet1/0/1
[5500-Ethernet1/0/1] traffic-statistic inbound ip-group 2000
# Enable the traffic statistics function on GigabitEthernet 1/0/1 for the inbound
packets matching ACL 2000.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface GigabitEthernet1/0/1
[5500G-GigabitEthernet1/0/1] traffic-statistic inbound ip-group 2000
wred
This command applies to the Switch 5500 only (not the Switch 5500G).
Syntax
View
Parameters
Description
Example
# Enable the WRED function for queue 2 on Ethernet 1/0/1, specifying to drop
packets at random when the number of packets in queue 2 exceeds 64 and
setting the dropping probability to 20%.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet1/0/1
[5500-Ethernet1/0/1] wred 2 64 20
54 QOS PROFILE CONFIGURATION COMMANDS
apply qos-profile
Syntax
In system view
apply qos-profile profile-name interface interface-list
undo apply qos-profile profile-name interface interface-list
In Ethernet port view
apply qos-profile profile-name
undo apply qos-profile profile-name
View
Parameters
Description
Use the apply qos-profile command to apply a QoS profile to a port or multiple
ports.
Use the undo apply qos-profile command to remove a QoS profile from a port
or multiple ports.
Examples
# Apply the QoS profile named a123 to Ethernet 1/0/1 through Ethernet 1/0/4.
<5500> system-view
System View: return to User View with Ctrl+Z.
display qos-profile
Syntax
View
Parameters
Description
Example
packet-filter
Syntax
Switch 5500
packet-filter { inbound | outbound } acl-rule
undo packet-filter { inbound | outbound } acl-rule
Parameters
Description
Use the packet-filter command to add the packet filtering action to a QoS
profile.
Use the undo packet-filter command to remove the packet filtering action from
a QoS profile.
You cannot remove the packet filtering action of a QoS profile that has been
applied to a port.
Example
# Add the packet filtering action to the QoS profile named a123 to filter the
inbound packets matching ACL 4000.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] qos-profile a123
[5500-qos-profile-a123] packet-filter inbound link-group 4000
qos-profile
Syntax
qos-profile profile-name
undo qos-profile profile-name
View
Parameter
Description
System view
profile-name: QoS profile name, a string of 1 to 32 characters and starting with
English letters [a-z, A-Z]. Note that a QoS profile name cannot be all,
interface, user, undo, or name.
Use the qos-profile command to create a QoS profile and enter QoS profile view.
If the QoS profile already exists, this command leads you to the corresponding QoS
profile view.
Use the undo qos-profile command to remove a QoS profile.
qos-profile port-based
Syntax
qos-profile port-based
undo qos-profile port-based
View
Parameters
None
Description
Example
traffic-limit
Syntax
Switch 5500:
traffic-limit inbound acl-rule [ union-effect ] [ egress-port interface-type
interface-number ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ]
undo traffic-limit inbound acl-rule
Switch 5500G:
traffic-limit inbound acl-rule [ union-effect ] target-rate [ burst-bucket
burst-bucket-size ] [ exceed action ]
undo traffic-limit inbound acl-rule
View
Parameters
When you configure the TP over a port, an ACL rule can only be applied to one
egress port. If you configure the same ACL rule for different egress ports, only
the last configuration takes effect. To apply the same ACL rule to multiple
egress ports, you need to specify different ACL numbers or rule numbers for
the ACL rule.
If the IRF function is enabled, the egress port can only be a port of the local
unit. For information about IRF, refer to IRF Fabric Commands on page 883.
target-rate: Target packet rate (in kbps) to be set, in the range 64 to 1,000,000.
The granularity of rate limit is 64 kbps. If the number you input is in the range
N*64 to (N+1)*64 (N is a natural number), it will be rounded off to (N+1)*64.
burst-bucket-size: Maximum burst traffic size (in KB) allowed, in the range 4 to
512. This argument defaults to 512 and must be an integer power of 2.
exceed action: Specifies the action to be taken when the traffic rate exceeds the
threshold. The action can be:
Description
remark-dscp value: Sets a new DSCP value for the packets and then forwards
the packets.
Example
# Add TP action to the QoS profile named a123 to limit the rate of the inbound
packets matching ACL 2000 to 128 kbps and drop the packets exceeding 128
kbps.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] qos-profile a123
[5500-qos-profile-a123] traffic-limit inbound
traffic-priority
Syntax
Switch 5500:
traffic-priority { inbound | outbound } acl-rule { { dscp dscp-value |
ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } |
local-precedence pre-value }*
undo traffic-priority { inbound | outbound } acl-rule
Switch 5500G:
traffic-priority inbound acl-rule { { dscp dscp-value | ip-precedence { pre-value |
from-cos } } | cos { pre-value | from-ipprec } | local-precedence pre-value }*
undo traffic-priority inbound acl-rule
View
Parameters
Example
55
Web cache redirection is only available on the Switch 5500 (not the Switch
5500G).
display webcache
Syntax
display webcache
View
Any view
Parameter
None
Description
Use the display webcache command to view Web cache redirection
configuration and the status of Web cache.
Example
# Display Web cache redirection configuration and the status of Web cache.
[5500] display webcache
webcache IP address: 1.1.1.1
webcache MAC address: 000f-e20f-0000
webcache port: Ethernet1/0/1
webcache VLAN: 1
webcache TCP port: 80
webcache redirect VLAN:
VLAN 2 Valid
webcache status: accessible
Description
webcache IP address
webcache port
webcache VLAN
webcache status
webcache address
Syntax
In system view:
Description
Example
Make sure the route between the switch and Web cache server is reachable for
the Web cache redirection function to take effect.
Make sure the interface of the VLAN that the Web cache server belongs to is
up for the Web cache redirection function to take effect.
A switch can have only one Web cache server configured. That is, a newly
configured Web cache server replaces the existing one.
# Enable the Web cache redirection function in system view, configuring the Web
cache server with the following parameters: IP address to be 1.1.1.1, MAC address
to be 0012-0990-2250, VLAN ID to be 40, the port through which the switch is
connected to the Web cache server to be Ethernet 1/0/4, and the default TCP port
for HTTP.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] webcache address 1.1.1.1 mac 0012-0990-2250 vlan 40 port Ethernet 1/0/4
# Enable the Web cache redirection function in Ethernet 1/0/4 port view,
configuring Web cache server with the following parameters: IP address to be
webcache redirect-vlan
Syntax
View
Parameter
Description
System view
vlan-id: ID of the VLAN whose HTTP traffic is to be redirected.
Use the webcache redirect-vlan command to enable the Web cache redirection
function for a VLAN, that is, specify a VLAN whose HTTP traffic is to be redirected.
Use the undo webcache redirect-vlan command to disable the Web cache
redirection function for a VLAN.
By default, no HTTP traffic is redirected to the Web cache server.
Note that if you do not specify the vlan-id argument when executing the undo
webcache redirect-vlan command, the Web cache redirection function is
disabled in all the VLANs.
Example
Make sure the VLAN interfaces corresponding to the Web cache redirection
VLANs are up for the Web cache redirection function to take effect.
A switch does not redirect the HTTP traffic of the VLAN where the Web cache
server resides, to the Web cache server.
56
clock datetime
Syntax
View
Parameters
Description
Use the clock datetime command to set the current date and time of the
Ethernet switch.
By default, it is 23:55:00 04/01/2000 when the system starts up.
In an implementation where exact absolute time is required, it is necessary to use
this command to set the current date and time of the Ethernet switch.
Related command: display clock
Example
# Set the current date and time of the Ethernet switch to 0:0:0 2001/01/01.
<5500> clock datetime 0:0:0 2001/01/01
<5500> display clock
00:00:04 UTC Mon 01/01/2001
Time Zone : add 00:00:00
clock summer-time
Syntax
View
Parameters
User view
zone-name: Name of the summer time, a string of 1 to 32 characters.
one-off: Sets the summer time for only one year (the specified year).
repeating: Sets the summer time for every year starting from the specified year.
start-time: Start time of the summer time, in the form of HH:MM:SS.
start-date: Start date of the summer time, in the form of YYYY/MM/DD or
MM/DD/YYYY.
end-time: End time of the summer time, in the form of HH:MM:SS.
end-date: end date of the summer time, in the form of YYYY/MM/DD or
MM/DD/YYYY.
offset-time: Offset of the summer time relative to the standard time, in the form of
HH:MM:SS.
Description
Use the clock summer-time command to set the name, time range and time
offset of the summer time.
After the setting, you can use the display clock command to check the results.
Example
# Set the summer time named abc1, which starts from 06:00:00 2005/08/01, ends
until 06:00:00 2005/09/01, and is one hour ahead of the standard time.
<5500> clock summer-time abc1 one-off 06:00:00 08/01/2005 06:00:00 09/01/2005 01:00:00
<5500> display clock
00:02:36 UTC Mon 01/01/2001
Time Zone : add 00:00:00
Summer-Time : abc1 one-off 06:00:00 08/01/2005 06:00:00 09/01/2005
01:00:00
# Set the summer time named abc2, which starts from 06:00:00 08/01, ends until
06:00:00 09/01, and is one hour ahead of the standard time every year from 2005
on.
<5500> clock summer-time abc2 repeating 06:00:00 08/01/2005 06:00:00 09/01/2005 01:00:00
<5500> display clock
00:01:25 UTC Mon 01/01/2001
Time Zone : add 00:00:00
Summer-Time : abc2 repeating 06:00:00 08/01/2005 06:00:00 09/01/2005
01:00:00
clock timezone
Syntax
View
User view
Parameters
Description
Use the clock timezone command to set the local time zone.
Use the undo clock timezone command to restore the local time zone to the
default UTC time zone.
After the setting, you can use the display clock command to check the setting.
The log information time and the debugging information time adopt the local
time after the time zone and the summer time have been adjusted.
Related commands: clock summer-time and display clock.
Example
# Set the local time zone named z5, which is five hours earlier than the UTC time.
<5500> clock timezone z5 add 05:00:00
<5500> display clock
05:03:17 z5 Mon 01/01/2001
Time Zone : z5 add 05:00:00
Summer-Time : abc1 one-off 06:00:00 08/01/2005 06:00:00 09/01/2005
01:00:00
quit
Syntax
quit
View
Any view
Parameters
None
Description
Use the quit command to return from current view to a lower level view, or exit
the system if current view is user view.
The following lists the three levels of views available on a switch (from lower level
to higher level):
User view
System view
Example
return
Syntax
return
View
System view and higher-level views
Parameters
None
Description
Use the return command to return from current view to user view. The composite
key <Ctrl+Z> has the same effect as the return command.
Related command: quit
Example
sysname
Syntax
sysname sysname
undo sysname
View
System view
Parameter
Description
Use the sysname command to set the system name of an Ethernet switch. Use
the undo sysname command to restore the default system name of the Ethernet
switch.
Changing the system name will affect the CLI prompt. For example, if the system
name of the switch is 5500, the prompt for user view is <5500>.
Example
system-view
Syntax
system-view
View
User view
Parameters
None
Description
Use the system-view command to enter system view from user view.
Related commands: quit and return
Example
57
display clock
Syntax
display clock
View
Any view
Parameters
None
Description
Use the display clock command to display the current date, time, timezone and
summertime of the system, so that you can adjust them if they are wrong.
The maximum date and time that can be displayed by this command is 23:59:59
9999/12/31.
Related commands: clock datetime, clock timezone and clock summer-time
Example
Description
Time Zone
Summer-Time
display debugging
Syntax
View
Parameters
Any view
fabric: Specifies to display the enabled debugging of the switches in the Fabric.
Example
display users
Syntax
View
Parameter
Description
Example
Ipaddress
Username
192.168.0.200
192.168.0.3
192.168.0.115
Userlevel
3
3
3
3
Table 157 Description for the output user terminal interface information
Item
Description
UI
User interface
Delay
Type
Ipaddress
Username
User name
User level
User level
display version
Syntax
display version
View
Any view
Parameters
None
Description
Use the display version command to display the version information about the
switch system.
Specifically, you can use this command to check the software version and release
time, the basic hardware configuration, and some other information about the
switch.
Example
58
debugging
Syntax
View
Parameters
User view
module-name: Module name.
debugging-option: Debugging option.
all: Specifies to disable all debugging.
Description
Example
display diagnostic-information
Syntax
display diagnostic-information
View
Any view
Parameters
None
Description
Example
<Omitted>
terminal debugging
Syntax
terminal debugging
State
Normal
Normal
User view
Parameters
None
Description
Use the terminal debugging command to enable terminal display for debugging
information.
Use the undo terminal debugging command to disable terminal display for
debugging information.
By default, terminal display for debugging information is disabled.
Related command: debugging
Example
59
ping
Syntax
View
Parameters
-q: Specifies to display only the statistics without the details. By default, all the
information including the details and statistics will be displayed.
-s packetsize: Specifies the size (in bytes) of each ICMP ECHO-REQUEST packet
(excluding the IP and ICMP headers). The packetsize argument ranges from 20 to
32,000 and defaults to 56 bytes.
-t timeout: Specifies the timeout time (in milliseconds) before an ICMP
ECHO-REPLY packet is received after an ICMP ECHO-REQUEST packet is sent. The
timeout argument ranges from 0 to 65535 ms and defaults to 2,000 ms.
-tos tos: Specifies the ToS value of the ICMP ECHO-REQUEST packets in the range
0 to 255. By default, this value is 0.
-v: Specifies to display other ICMP packets received (that is, non-ECHO-REPLY
packets). By default, other ICMP packets like non-ECHO-REPLY packets are not
displayed.
host: Domain name or IP address of the destination host.
Description
Use the ping command to check the IP network connectivity and that a host can
be reached.
The executing procedure of the ping command is as follows: First, the source host
sends an ICMP ECHO-REQUEST packet to the destination host. If the connection
to the destination network is normal, the destination host receives this packet and
responds with an ICMP ECHO-REPLY packet.
You can use the ping command to check the network connectivity and the quality
of a network line. This command can output the following information:
Final statistics, including the numbers of sent packets and received response
packets, the responsive packet percentage, and the minimum, average and
maximum values of response time.
You can set a relatively long timeout time if the network transmission speed is
slow.
Related command: tracert
Example
=
=
=
=
=
1ms
2ms
1ms
3ms
2ms
tracert
Syntax
View
Parameters
Description
Use the tracert command to trace the gateways that the test packets pass
through from the source to the destination. This command is mainly used to check
the network connectivity and help locate the network faults.
The executing procedure of the tracert command is as follows: First, the source
sends a packet with the TTL of 1, and the first hop device returns an ICMP error
message indicating that it cannot forward this packet because of TTL timeout.
Then, the source resends a packet with the TTL of 2, and the second hop device
also returns an ICMP TTL timeout message. This procedure goes on and on until a
packet gets to the destination or the maximum TTL is reached. During the
procedure, the system records the source address of each ICMP TTL timeout
message in order to offer the path that the packets pass through to the
destination.
If you find that the network is faulty by using the ping command, you can use the
tracert command to find where the fault is in the network.
The tracert command can output the IP addresses of all the gateways that the
packets pass through to the destination. It outputs the string *** if the
response from a gateway times out.
Example
# Trace the gateways that the packets pass through to the destination with IP
address 18.26.0.115.
<5500> tracert 18.26.0.115
tracert to 18.26.0.115 (18.26.0.115), 30 hops max,40 bytes packet
1 128.3.112.1 (128.3.112.1) 0 ms 0 ms 0 ms
2 128.32.216.1 (128.32.216.1) 19 ms 19 ms 19 ms
3 128.32.206.1 (128.32.206.1) 39 ms 19 ms 19 ms
4 128.32.136.23 (128.32.136.23) 19 ms 39 ms 39 ms
5 128.32.168.22 (128.32.168.22) 20 ms 39 ms 39 ms
6 128.32.197.4 (128.32.197.4) 59 ms 119 ms 39 ms
7 131.119.2.5 (131.119.2.5) 59 ms 59 ms 39 ms
8 129.140.70.13 (129.140.70.13) 80 ms 79 ms 99 ms
9 129.140.71.6 (129.140.71.6) 139 ms 139 ms 159 ms
10 129.140.81.7 (129.140.81.7) 199 ms 180 ms 300 ms
11 129.140.72.17 (129.140.72.17) 300 ms 239 ms 239 ms
12 * * *
13 128.121.54.72 (128.121.54.72) 259 ms 499 ms 279 ms
14 * * *
15 * * *
16 * * *
17 * * *
18 18.26.0.115 (18.26.0.115) 339 ms 279 ms 279 ms
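The output format above can be parsed to separate gateways that stayed silent from a path that actually stops. The following is an added example, not code from the 3Com manual; the function names are hypothetical, and the sample text is hops 10 to 18 of the manual's own output.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"^(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s*(.*)$")
PROBE_RE = re.compile(r"(\d+)\s*ms|\*")

# Hops 10 to 18 copied from the tracert example in the manual.
SAMPLE = """\
tracert to 18.26.0.115 (18.26.0.115), 30 hops max,40 bytes packet
10 129.140.81.7 (129.140.81.7) 199 ms 180 ms 300 ms
11 129.140.72.17 (129.140.72.17) 300 ms 239 ms 239 ms
12 * * *
13 128.121.54.72 (128.121.54.72) 259 ms 499 ms 279 ms
14 * * *
15 * * *
16 * * *
17 * * *
18 18.26.0.115 (18.26.0.115) 339 ms 279 ms 279 ms
"""


def parse_tracert(text):
    """Turn tracert output into a list of hops.

    Each hop is {"ttl": int, "addr": str or None, "rtts": [int or None, ...]},
    where None marks a probe (or a whole hop) that timed out.
    """
    hops = []
    for line in text.splitlines():
        hop = HOP_RE.match(line)
        if hop is None:
            continue                      # header line or blank line
        ttl, rest = int(hop.group(1)), hop.group(2).strip()
        addr = None
        named = ADDR_RE.match(rest)
        if named:
            addr, rest = named.group(2), named.group(3)
        rtts = [int(ms) if ms else None for ms in PROBE_RE.findall(rest)]
        hops.append({"ttl": ttl, "addr": addr, "rtts": rtts})
    return hops


def silent_runs(hops):
    """Group consecutive hops that returned no ICMP TTL timeout message.

    Returns tuples of (first_ttl, last_ttl, last_gateway_seen_before_run).
    """
    runs, start, prev_ttl, last_addr = [], None, None, None
    for hop in hops:
        if hop["addr"] is None:
            if start is None:
                start = hop["ttl"]
        else:
            if start is not None:
                runs.append((start, prev_ttl, last_addr))
                start = None
            last_addr = hop["addr"]
        prev_ttl = hop["ttl"]
    if start is not None:
        runs.append((start, prev_ttl, last_addr))
    return runs


def reached(hops, destination):
    """True when the last hop listed is the destination itself."""
    return bool(hops) and hops[-1]["addr"] == destination


if __name__ == "__main__":
    parsed = parse_tracert(SAMPLE)
    print("destination reached:", reached(parsed, "18.26.0.115"))
    for first, last, before in silent_runs(parsed):
        print(f"no reply from hops {first}-{last} (last gateway seen: {before})")
```

In the manual's sample the destination still answers at hop 18, so the silent hops 12 and 14 to 17 are gateways that did not reply rather than the point where the path fails.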
60
boot boot-loader
Syntax
View
Parameters
Description
Use the boot boot-loader command to specify the host software that will be
used when the switch starts up next time.
You can use this command to specify a .bin file in the Flash as the host software to
be adopted at next startup.
Example
# Specify the host software that will be used when the current switch starts up
next time.
<5500> boot boot-loader S5500.BIN
The specified file will be booted next time on unit 1!
boot bootrom
Syntax
View
Parameters
Description
Example
Use the boot bootrom command to update the Boot ROM. The updated Boot
ROM is used at next startup.
# Update the Boot ROM of the switch using the file named S5500.btm.
<5500> boot bootrom S5500.btm
This will update Bootrom on unit 1.
Upgrading Bootrom, please wait...
Upgrade Bootrom succeeded!
Continue? [Y/N] y
display boot-loader
Syntax
View
Parameter
Description
Example
Table 158 Description for the fields of the display boot-loader command
Field
Description
display cpu
Syntax
View
Parameter
Description
Example
Table 159 Description for the fields of the display cpu command
Field
Description
display device
Syntax
View
Parameters
Description
Use the display device command to display the information, such as the module
type and operating status, about each board (main board and sub-board) of a
specified switch.
You can use this command to display the following information about each board,
including slot number, sub-slot number, the number of ports, versions of PCB,
FPGA, CPLD and Boot ROM software, address learning mode, interface board
type, and so on.
Example
Description
SlotNo
SubSNo
PortNum
Number of ports
PCBVer
State
Normal
Normal
FPGAVer
CPLDVer
BootRomVer
AddrLM
Type
Card type
State
Running state
display environment
Syntax
display environment
View
User view
Parameters
None
Description
Use the display environment command to display the environment where the
switch is used.
Example
The displayed information above shows that the operating temperature of the
slot, subslot, and power is normal.
display fan
Syntax
View
Parameters
Description
Use the display fan command to view the working states of fans in a switch.
Example
# Display the working states of the fans.
display memory
Syntax
View
Parameters
Description
Use the display memory command to display the memory usage of a specified
switch.
Example
# Display the memory usage of this switch.
<5500> display memory
Unit 1
System Available Memory(bytes): 30045312
System Used Memory(bytes): 15698468
Used Rate: 52%
Table 161 Description for the fields of the display memory command
Field
Description
Used Rate
display power
Syntax
View
Parameters
Description
Use the display power command to display the working state of the power
supply of the switch.
Example
# Display the working state of the power supply.
<5500> display power
Unit 1
power 1
State : Normal
Type : AC
The above information indicates that the power supply type is AC and that it works
normally.
display schedule reboot
Syntax
View
Parameters
None
Description
Example
display transceiver alarm interface
Syntax
View
Any view
Parameters
Description
Use the display transceiver alarm interface command to display the current
alarm information of a single or all transceivers.
If no error occurs, None is displayed.
Table 162 shows the alarm information that may occur for the four types of
transceivers.
Table 162 Description on the fields of display transceiver alarm interface
Field                 Remarks
GBIC/SFP
RX loss of signal     RX signal is lost.
RX power high         RX power is high.
RX power low          RX power is low.
TX fault              TX fault
TX bias high
TX bias low
TX power high         TX power is high.
TX power low          TX power is low.
Temp high             Temperature is high.
Temp low              Temperature is low.
Voltage high          Voltage is high.
Voltage low           Voltage is low.
XFP
RX loss of signal     RX signal is lost.
RX not ready          RX is not ready.
RX power high         RX power is high.
RX power low          RX power is low.
TX not ready          TX is not ready.
TX fault              TX fault
TX bias high
TX bias low
TX power high         TX power is high.
TX power low          TX power is low.
TEC fault
Wavelength unlocked
Temp high             Temperature is high.
Temp low              Temperature is low.
Voltage high          Voltage is high.
Voltage low           Voltage is low.
XENPAK
WIS local fault
RX power high         RX power is high.
RX power low          RX power is low.
TX fault              TX fault
TX bias high
TX bias low
TX power high         TX power is high.
TX power low          TX power is low.
Temp high             Temperature is high.
Temp low              Temperature is low.
For pluggable transceivers supported by the Switch 5500 and Switch 5500G, refer
to the Switch 5500 Family Getting Started Guide.
Example
# Display the alarm information of the transceiver on interface GigabitEthernet
1/1/1.
<5500> display transceiver alarm interface gigabitethernet 1/1/1
GigabitEthernet1/1/1 transceiver current alarm information:
TX fault
Table 163 Field descriptions of the display transceiver alarm interface command
Field                 Description
TX fault              TX fault
display transceiver diagnosis interface
Syntax
View
Parameters
Description
Examples
Table 164 Field descriptions of the display transceiver diagnosis interface command
Field
Description
Temp.(C)
Voltage(V)
Bias(mA)
RX power(dBM)
TX power(dBM)
display transceiver interface
Syntax
View
Parameters
Description
Examples
Description
transceiver information
Transceiver Type
Transceiver type
Connector Type
Wavelength(nm)
Transfer distance(xx)
Vendor Name
Ordering Name
YES: supported
N/A is displayed.
display transceiver manuinfo interface
Syntax
View
Parameters
Description
Use the display transceiver manuinfo interface command to display part of the
electrical label information of a single or all anti-spoofing pluggable transceivers
customized by H3C.
Examples
Table 166 Field descriptions of the display transceiver manuinfo interface command
Field
Description
Manufacturing Date
Debugging and testing date. The date takes the value of the
system clock of the computer that performs debugging and
testing.
Vendor Name
reboot
Syntax
View
Parameters
Description
Before rebooting, the system checks whether there is any configuration change. If
yes, it prompts whether or not to proceed. This prevents the system from losing
the configurations in case of shutting down the system without saving the
configurations.
Example
# Directly restart this switch without saving the current configuration.
<5500> reboot
Start to check configuration with next startup configuration file,
please wait......
This command will reboot the device. Current configuration will be
lost in next startup if you continue.
Continue? [Y/N] y
This will reboot device. Continue? [Y/N] y
<5500>
%Apr 2 00:06:01:148 2006 3Com DEV/5/DEV_LOG:- 1 Switch is rebooting...
Starting......
schedule reboot at
Syntax
View
User view
Parameters
hh:mm: Reboot time, where hh (hour) ranges from 0 to 23, and mm (minute)
ranges from 0 to 59.
mm/dd/yyyy or yyyy/mm/dd: Reboot date, where yyyy (year) ranges from 2000 to
2099, mm (month) ranges from 1 to 12, and the range of dd (day) depends on
the specific month. You cannot set a date more than 30 days later than the current
system date.
Description
Use the schedule reboot at command to schedule a reboot on the current switch
and set the reboot date and time.
Use the undo schedule reboot command to cancel the scheduled reboot.
By default, no scheduled reboot is set on the switch.
The switch timer can be set to a precision of one minute, that is, the switch will
reboot within one minute after the specified reboot date and time.
After you execute the schedule reboot at command with a specified future date,
the switch will reboot at the specified time with at most one minute delay.
After you execute the schedule reboot at command without specifying a date,
the switch will:
Reboot at the specified time on the current day if the specified time is later
than the current time.
Reboot at the specified time on the next day if the specified time is earlier than
the current time.
After you execute the command, the system will prompt you to confirm. Enter
Y or y for your setting to take effect, and your setting will overwrite the
previous one (if available).
If you adjust the system time by the clock command after executing the schedule
reboot at command, the schedule reboot at command will be invalid and the
scheduled reboot will not happen.
Related commands: reboot and display schedule reboot
Example
# Suppose the current time is 05:06, schedule a reboot so that the switch reboots
at 22:00 on the current day.
<5500> schedule reboot at 22:00
Reboot system at 22:00 2000/04/02(in 16 hours and 53 minutes)
confirm?[Y/N]:y
<5500>
View
User view
Parameters
hh:mm: Reboot waiting delay, where hh ranges from 0 to 720, and mm ranges
from 0 to 59. The value of hh:mm can be up to 720:00.
mm: Reboot waiting delay, ranging from 0 to 43,200 minutes.
Description
Use the schedule reboot delay command to schedule a reboot on the switch,
and set the reboot waiting delay.
Use the undo schedule reboot command to cancel the scheduled reboot.
By default, no scheduled reboot is set on the switch.
The switch timer can be set to a precision of one minute, that is, the switch will
reboot within one minute after the specified reboot date and time.
You can set the reboot waiting delay in two formats: the hour:minute format and
the absolute minute format, and both must be less than or equal to 30 x 24 x 60
(that is, 30 days).
After you execute the command, the system will prompt you to confirm. Enter
Y or y for your setting to take effect. Your setting will overwrite the previous
one (if available).
If you adjust the system time by the clock command after executing the schedule
reboot delay command, the schedule reboot delay command will be invalid
and the scheduled reboot will not happen.
Related commands: reboot, schedule reboot at, undo schedule reboot and
display schedule reboot
Example
# Suppose the current time is 05:02, schedule a reboot so that the switch reboots
after 70 minutes.
<5500> schedule reboot delay 70
Reboot system at 06:12 2000/04/02(in 1 hours and 10 minutes)
confirm?[Y/N]:y
<5500>
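The scheduling rules for schedule reboot at and schedule reboot delay can be checked before answering Y at the confirmation prompt. The following is an added example, not part of the 3Com manual: it models the documented parameter ranges, computes when the reboot should fire, and compares that with the switch's "Reboot system at ..." line. All function names are assumptions, as is treating a time equal to the current minute as the next day (the manual only covers "later" and "earlier").

```python
import re
from datetime import datetime, timedelta

MAX_DELAY_MIN = 30 * 24 * 60  # 43,200 minutes, the 30-day ceiling stated in the manual


def _hhmm(text, max_hh):
    """Parse hh:mm and enforce the documented ranges (mm 0-59, hh 0-max_hh)."""
    m = re.fullmatch(r"(\d{1,3}):(\d{1,2})", text)
    if not m:
        raise ValueError(f"not in hh:mm form: {text!r}")
    hh, mm = int(m.group(1)), int(m.group(2))
    if hh > max_hh or mm > 59:
        raise ValueError(f"out of range: {text!r}")
    return hh, mm


def reboot_at(now, hhmm, date=None):
    """When 'schedule reboot at hh:mm [date]' fires, given the switch clock 'now'."""
    hh, mm = _hhmm(hhmm, 23)
    if date is None:
        target = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
        if target <= now:              # earlier than the current time: next day
            target += timedelta(days=1)
        return target
    for fmt in ("%m/%d/%Y", "%Y/%m/%d"):   # the two date forms the command accepts
        try:
            day = datetime.strptime(date, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"not mm/dd/yyyy or yyyy/mm/dd: {date!r}")
    if not 2000 <= day.year <= 2099:
        raise ValueError("year must be 2000 to 2099")
    target = day.replace(hour=hh, minute=mm)
    if target <= now:
        raise ValueError("reboot time is not in the future")
    if (target.date() - now.date()).days > 30:
        raise ValueError("date is more than 30 days ahead")
    return target


def reboot_delay(now, spec):
    """When 'schedule reboot delay { hh:mm | mm }' fires."""
    if ":" in spec:
        hh, mm = _hhmm(spec, 720)
        minutes = hh * 60 + mm
    elif spec.isdigit():
        minutes = int(spec)
    else:
        raise ValueError(f"not a delay: {spec!r}")
    if minutes > MAX_DELAY_MIN:
        raise ValueError("delay exceeds 30 days")
    return now + timedelta(minutes=minutes)


_CONFIRM = re.compile(
    r"Reboot system at (\d{2}):(\d{2}) (\d{4})/(\d{2})/(\d{2})\s*"
    r"\(in (\d+) hours and (\d+) minutes\)")


def parse_confirmation(line):
    """Extract (reboot datetime, countdown) from the switch's confirmation line."""
    m = _CONFIRM.search(line)
    if not m:
        raise ValueError("not a schedule reboot confirmation line")
    hh, mi, y, mo, d, dh, dm = map(int, m.groups())
    return datetime(y, mo, d, hh, mi), timedelta(hours=dh, minutes=dm)


def confirmation_ok(now, intended, line):
    """True if the switch reports the intended time, within the one-minute precision."""
    when, countdown = parse_confirmation(line)
    drift = abs((intended - now) - countdown)
    return when == intended and drift <= timedelta(minutes=1)
```

A mismatch usually means the switch clock differs from the operator's assumption, which matters because adjusting the clock afterwards invalidates the schedule.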
schedule reboot regularity
Syntax
View
System view
Parameters
hh:mm: Reboot time of the switch, in the hour:minute format, where hh ranges
from 0 to 24, and mm ranges from 0 to 59.
period: Reboot period of the switch, in the format period = { daily | { monday |
tuesday | wednesday | thursday | friday | saturday | sunday }* }. daily
indicates the reboot period is one day, that is, the switch reboots at a specified
time every day. { monday | tuesday | wednesday | thursday | friday | saturday
| sunday }* indicates the week day when the switch reboots.
Description
Use the schedule reboot regularity command to enable the periodical reboot of
the switch and set the reboot time.
Use the undo schedule reboot regularity command to cancel the configured
reboot period.
By default, the reboot period of the switch is not configured.
The switch timer can be set to a precision of one minute, that is, the switch will
reboot within one minute after the specified reboot date and time.
After you execute the command, the system will prompt you to confirm. Enter
Y or y for your setting to take effect. Your setting will overwrite the previous
one (if available).
If you adjust the system time by the clock command after executing the schedule
reboot regularity command, the schedule reboot regularity command will be
invalid.
Related commands: reboot, schedule reboot at, undo schedule reboot and
display schedule reboot.
Example
system-monitor enable
Syntax
system-monitor enable
undo system-monitor enable
View
System view
Parameters
None
Description
This function enables you to dynamically record the system running status, such as
CPU, thus facilitating analysis and solution of the problems of the device.
By default, real-time monitoring of the running status of the system is enabled.
Example
update fabric
Syntax
View
Parameters
Description
Use the update fabric command to upgrade the host software of the devices in a
Fabric.
Example
# Use the file named s5500.bin in the Flash memory of Unit2 to upgrade the host
software of the devices in a Fabric.
<5500> update fabric unit2>flash:/s5500.bin
This will update the Fabric. Continue? [Y/N] y
The software is verifying ...
The result of verification is :
Unit ID  Free space(bytes)  Enough  Version comparison
1        15281873           Y       Y
2        15409873           Y       Y
warning: the verification is completed, start the file transmission? [Y/N] y
The fabric is being updated, 100%
The s5500.bin is stored on unit 1 successfully!
The s5500.bin is stored on unit 2 successfully!
Do you want to set s5500.bin to be running agent next time to boot?[Y/N] y
The s5500.bin is configured successfully!
xmodem get
Syntax
View
xmodem get
Parameters
file-url: Path plus name of a host software file in the Flash, a string of 1 to 64
characters.
device-name: File name, in the form of unit[NO.]>flash:, which is used to indicate
that the specified file is stored in the Flash of a specified switch.
Description
Use the xmodem get command to download files from the local device
connected with the Console port of a switch through XModem. This command
can be configured only when the device logs in to a switch through the
Console port.
Note that the communication parameter settings of the Console port of the
switch and those of the serial port of the local device must be consistent, and the
interface type of the Console port must be AUX.
Example
61 MIRRORING COMMANDS
display mirror
This command is valid on the Switch 5500 only (not the Switch 5500G).
Syntax
display mirror
View
Any view
Parameters
None
Description
Use the display mirror command to display the port mirroring configurations on
the switch.
Related commands: mirroring-port and monitor-port
Example
both
Description
Monitor-port
Mirroring-port
both
display mirroring-group
Syntax
View
Parameters
Description
Group number
Group status
Group number
Group status
Group number
Group status
status: active
mirroring port:
Ethernet1/0/1 both
monitor port: Ethernet1/0/4
mirroring-group
Syntax
View
System view
Parameters
group-id: Number of a port mirroring group, in the range 1 to 20.
all: Specifies to remove all mirroring groups.
local: Specifies the mirroring group as a local port mirroring group.
remote-destination: Specifies the mirroring group as the destination mirroring
group for remote port mirroring.
remote-source: Specifies the mirroring group as the source mirroring group for
remote port mirroring.
Description
Example
mirroring-group mirroring-port
Syntax
Views
Parameters
Example
# Configure Ethernet 1/0/1 as the source port of local mirroring group 1, and
mirror all packets received on this port.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] mirroring-group 1 local
[5500] mirroring-group 1 mirroring-port Ethernet 1/0/1 inbound
mirroring-group monitor-port
Syntax
Views
Parameters
Description
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] mirroring-group 1 local
[5500] mirroring-group 1 monitor-port Ethernet 1/0/4
mirroring-group reflector-port
Syntax
Views
Parameters
Description
Example
You cannot modify the duplex mode, port rate, and MDI attribute of a reflector
port.
# Configure Ethernet 1/0/2 as the reflector port of remote source mirroring group
1.
<5500> system-view
System View: return to User View with Ctrl+Z.
mirroring-group remote-probe vlan
Syntax
View
System view
Parameters
group-id: Number of a port mirroring group, in the range 1 to 20.
remote-probe vlan remote-probe-vlan-id: Specifies the remote-probe VLAN for
the mirroring group.
Description
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] mirroring-group 1 remote-source
[5500] mirroring-group 1 remote-probe vlan 100
mirroring-port
Syntax
View
Parameters
both: Specifies to mirror all packets received on and sent from the port.
inbound: Specifies to mirror the packets received on the port.
outbound: Specifies to mirror the packets sent from the port.
Description
Example
When you configure the mirroring source port on the Switch 5500, if mirroring
group 1 does not exist, the switch automatically creates group 1 and adds the
source port to the group; if mirroring group 1 already exists but is not a
local mirroring group, your configuration of the source port will fail.
When you configure the mirroring source port on the Switch 5500, you can
configure multiple source ports by executing the mirroring-port command on
different ports.
# Configure Ethernet 1/0/1 as the source port, and mirror all packets received on
and sent from this port.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] mirroring-port both
# Configure GigabitEthernet 1/0/1 as the source port, and mirror all packets
received on and sent from this port.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface GigabitEthernet 1/0/1
[5500G-GigabitEthernet1/0/1] mirroring-port both
monitor-port
Syntax
monitor-port
undo monitor-port
View
Parameters
None
Description
Examples
When you configure the mirroring destination port on the Switch 5500, if
mirroring group 1 does not exist, the switch automatically creates group 1 and
adds the destination port to the group; if mirroring group 1 already exists
but is not a local mirroring group, your configuration of the destination port
will fail.
When you configure the mirroring destination port on the Switch 5500, if you
execute the monitor-port command on different ports, the last configuration
takes effect.
remote-probe vlan
Syntax
View
VLAN view
Parameters
None
Description
Use the remote-probe vlan enable command to configure the current VLAN as
the remote-probe VLAN.
Use the undo remote-probe vlan enable command to restore the remote-probe
VLAN to a normal VLAN.
Note that you cannot configure a default VLAN, a management VLAN, or a
dynamic VLAN as the remote-probe VLAN.
Example
62
change self-unit
Syntax
View
Parameters
Description
Use the change self-unit command to change the unit ID of the current switch.
By default, the unit ID of a switch that belongs to no IRF fabric is 1. After a switch
is added to an IRF fabric, it is automatically numbered through the FTM function, with
its unit ID ranging from 1 to 8.
If you do not bring up the fabric port, you cannot change the unit ID of a local
switch.
Example
# Configure the unit ID of the current switch to be automatically numbered.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] change self-unit to auto-numbering
change unit-id
Syntax
View
Parameters
Description
Use the change unit-id command to configure the unit ID of a switch in an IRF
fabric to a new value. By default, when a switch is added to an IRF fabric, it uses
the automatically assigned unit ID.
If the modified unit ID does not exist in the fabric, the system sets its priority to
5 and saves it in the unit Flash memory.
If the modified unit ID is an existing one, the system prompts you to confirm whether
you really want to change the unit ID. If you choose to change it, the existing unit
ID is replaced and the priority is set to 5. Then you can use the fabric
save-unit-id command to save the modified unit ID into the unit Flash
memory and clear the information about the existing one.
If auto-numbering is selected, the system reserves the unit ID and sets the
unit priority to 10. You can use the fabric save-unit-id command to save the
modified unit ID into the unit Flash memory and clear the information about
the existing one.
# Change the unit ID of the switch from 6 to 4. Use the display ftm command to
display information about each unit in the fabric.
Total number of units in fabric : 8, My Unit ID : 6
UID  CPU-Mac         Priority  Fabric-Port  Board-ID  A/M
1    000f-e20f-5002  10        Left/Right   1         A
2    000f-e20f-5132  10        Left/Right   1         A
3    000f-e20f-5252  10        Left/Right   1         A
4    000f-e20f-8922  10        Left/Right   1         A
5    000f-cbb7-2142  10        Left/Right   1         A
*6   000f-cbb7-3264  10        Left/Right   1         A
7    000f-cbb7-2260  10        Left/Right   1         A
8    000f-cbb7-2734  10        Left/Right   1         A
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] change unit-id 6 to 4
The unit 4 already exists in fabric.
Continue? [Y/N] y
%Apr 2 00:48:34:574 2000 3Com FTM/3/DDPFLA:- 6 -Change unitid successful, unit 4 saved UnitID(4) in flash!
[5500] display ftm topology-database
Total number of units in fabric : 8, My Unit ID : 4
UID  CPU-Mac         Priority  Fabric-Port  Board-ID  A/M
1    000f-e20f-5002  10        Left/Right   1         A
2    000f-e20f-5132  10        Left/Right   1         A
3    000f-e20f-5252  10        Left/Right   1         A
*4   000f-cbb7-3264  5         Left/Right   1         M
5    000f-cbb7-2142  10        Left/Right   1         A
6    000f-e20f-8922  10        Left/Right   1         A
7    000f-cbb7-2260  10        Left/Right   1         A
8    000f-cbb7-2734  10        Left/Right   1         A
From the above example, you can see the original unit ID of the device with MAC
address 000f-cbb7-3264 is 6. After the configuration, this unit ID changes to 4,
and the priority of the device changes to 5.
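The before/after comparison of display ftm topology-database output described above can be done mechanically, keyed on the CPU MAC address. The following is an added example, not part of the 3Com manual: it parses two snapshots and lists every unit whose unit ID, priority or numbering mode changed. The function names are assumptions, and the two snapshots are constructed from rows 3 to 6 of the manual's sample with the unit count adjusted to match.

```python
import re
from collections import namedtuple

Unit = namedtuple("Unit", "uid mac priority mode local")

# One table row: [*]UID  CPU-Mac  Priority  Fabric-Port  Board-ID  A/M
ROW = re.compile(
    r"^\s*(\*?)(\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)"
    r"\s+\S+\s+\d+\s+([AM])\s*$",
    re.IGNORECASE,
)

# Constructed snapshots (subset of the manual's rows, before and after
# 'change unit-id 6 to 4').
BEFORE = """\
Total number of units in fabric : 4, My Unit ID : 6
UID  CPU-Mac         Priority  Fabric-Port  Board-ID  A/M
3    000f-e20f-5252  10        Left/Right   1         A
4    000f-e20f-8922  10        Left/Right   1         A
5    000f-cbb7-2142  10        Left/Right   1         A
*6   000f-cbb7-3264  10        Left/Right   1         A
"""
AFTER = """\
Total number of units in fabric : 4, My Unit ID : 4
UID  CPU-Mac         Priority  Fabric-Port  Board-ID  A/M
3    000f-e20f-5252  10        Left/Right   1         A
*4   000f-cbb7-3264  5         Left/Right   1         M
5    000f-cbb7-2142  10        Left/Right   1         A
6    000f-e20f-8922  10        Left/Right   1         A
"""


def parse_topology(text):
    """Return {cpu_mac: Unit}; reject a snapshot that lists one unit ID twice."""
    units, seen_uids = {}, set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # summary line, column header or blank line
        star, uid, mac, prio, mode = m.groups()
        uid = int(uid)
        if uid in seen_uids:
            raise ValueError(f"unit ID {uid} appears twice in one snapshot")
        seen_uids.add(uid)
        units[mac.lower()] = Unit(uid, mac.lower(), int(prio), mode.upper(), star == "*")
    return units


def diff_topology(before, after):
    """List (mac, field, old, new) for every change between two snapshots."""
    changes = []
    for mac in sorted(set(before) | set(after)):
        old, new = before.get(mac), after.get(mac)
        if old is None or new is None:
            # A unit joined or left the fabric between the two snapshots.
            changes.append((mac, "present", old is not None, new is not None))
            continue
        for field in ("uid", "priority", "mode"):
            if getattr(old, field) != getattr(new, field):
                changes.append((mac, field, getattr(old, field), getattr(new, field)))
    return changes


if __name__ == "__main__":
    for change in diff_topology(parse_topology(BEFORE), parse_topology(AFTER)):
        print(change)
```

The diff also surfaces the side effect that is easy to miss in the raw tables: the unit that previously held ID 4 (000f-e20f-8922) is renumbered to 6.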
display ftm
Syntax
View
Parameters
Description
Use the display ftm command to display the protocol information or the
topology database information of the current fabric.
Example
# Display the FTM module information of the switch.
<5500> display ftm information
FTM State      : HB STATE
Unit ID        : 2 (FTM-Master)
Fabric Type    : Line
Fabric Auth    : NONE
Fabric Vlan ID : 4093
Left Port      : Disable
Right Port     : Normal
Advertise      : Send = 5, Receive = 3
Advertise ACK  : Send = 0, Receive = 5
Heart Beat     : Send = 20, Receive = 0
Left Port
Right Port
display irf-fabric
Syntax
Switch 5500:
display irf-fabric [ port | status ]
Switch 5500G:
display irf-fabric [ status ]
View
Any view
Parameters
port: Displays the fabric port information.
status: Displays operation status of the current fabric, including fabric name and
unit ID.
Description
Use the display irf-fabric command to view the information of the entire fabric,
including unit ID, unit name, and operation mode of the system. If the fabric
information is displayed on the Console port of a device, an asterisk (*) will be
added to the unit ID of the current device.
Example
# Display fabric information on the Console port of unit 1.
<5500> display irf-fabric
Fabric name is 3Com, system mode is L3.
Unit Name
First
Unit ID
1(*)
Unit ID
1(*)
Status
Master
fabric member-auto-update software enable
Syntax
View
System view
Parameters
None
Description
Example
fabric save-unit-id
Syntax
fabric save-unit-id
User view
Parameters
None
Description
Use the fabric save-unit-id command to save the unit IDs of all the units in an IRF
fabric into the unit Flash and set the unit priority to 5.
Use the undo fabric save-unit-id command to remove the saved unit IDs and
restore the unit priority to 10.
Example
# Save the unit IDs of all the units in an IRF fabric to the unit Flash memory.
<5500> display ftm topology-database
Total number of units in fabric : 8, My Unit ID : 1
UID  CPU-Mac         Priority  Fabric-Port  Board-ID  A/M
*1   000f-e20f-5002  10        Left/Right   1         A
2    000f-e20f-5132  10        Left/Right   1         A
3    000f-e20f-5252  10        Left/Right   1         A
4    000f-e20f-8922  10        Left/Right   1         A
5    000f-cbb7-2142  10        Left/Right   1         A
6    000f-cbb7-3264  10        Left/Right   1         A
7    000f-cbb7-2260  10        Left/Right   1         A
8    000f-cbb7-2734  10        Left/Right   1         A
<5500> fabric save-unit-id
The unit ID will be saved to the device.
Are you sure? [Y/N] y
%Apr 2 02:13:44:413 2000 5500 FTM/3/DDPFLA:- 4 -Save self unitid, unit 4 saved UnitID(4) in flash!
Unit 1 saved unit ID successfully.
Unit 2 saved unit ID successfully.
Unit 3 saved unit ID successfully.
Unit 4 saved unit ID successfully.
Unit 5 saved unit ID successfully.
Unit 6 saved unit ID successfully.
Unit 7 saved unit ID successfully.
Unit 8 saved unit ID successfully.
<5500> display ftm topology-database
Total number of units in fabric : 8, My Unit ID : 1
UID  CPU-Mac         Priority  Fabric-Port  Board-ID  A/M
*1   000f-e20f-5002  5         Left/Right   1         M
2    000f-e20f-5132  5         Left/Right   1         M
3    000f-e20f-5252  5         Left/Right   1         M
4    000f-e20f-8922  5         Left/Right   1         M
5    000f-cbb7-2142  5         Left/Right   1         M
6    000f-cbb7-3264  5         Left/Right   1         M
7    000f-cbb7-2260  5         Left/Right   1         M
8    000f-cbb7-2734  5         Left/Right   1         M
From the above example, you can see the priority of each unit changes from 10 to
5, and the numbering mode changes from A (automatic numbering) to M (manual
numbering).
From the above example, you can see the priority of each unit restores to 10 and
the numbering mode changes from M (manual numbering) to A (automatic
numbering).
fabric-port enable
Syntax
View
System view
Parameters
interface-type: Port type, which can be only a GigabitEthernet port for the Switch
5500, or Cascade for the Switch 5500G.
interface-number: Port number.
Description
Example
On a Switch 5500, when you have brought up the fabric port function for a fabric
port group, if you need to change the fabric port group, you must disable the
fabric function of the current fabric port group before you execute the enable
command on another group. Otherwise, the system will prompt that the
current fabric port group is in use and that you cannot change the fabric port group.
ftm fabric-vlan
This command is valid on the Switch 5500 only (not the Switch 5500G).
Syntax
View
System view
Parameter
vlan-id: ID of the IRF fabric VLAN, in the range of 2 to 4094.
Description
Use the ftm fabric-vlan command to specify the VLAN that the switch uses for
IRF fabric.
Use the undo ftm fabric-vlan command to restore the default VLAN.
By default, the number of the IRF Fabric VLAN is 4093.
You need to specify the IRF fabric VLAN before the IRF fabric is established.
Moreover, the VLAN you specify must be one that has not been created.
Example
irf-fabric authentication-mode
This command is valid on the Switch 5500 only (not the Switch 5500G).
Syntax
View
System view
Parameters
simple: Uses simple authentication mode.
password: Password for fabric authentication, a string of 1 to 16 characters.
md5: Uses MD5 encryption authentication mode.
key: MD5 key, a string of 1 to 16 characters.
Description
Example
# Set the authentication mode of the IRF fabric to simple, with the password
hello.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] irf-fabric authentication-mode simple hello
port link-type irf-fabric
This command is valid on the Switch 5500 only (not the Switch 5500G).
Syntax
View
Parameters
None
Description
Use the port link-type command to configure an Ethernet port as the fabric port.
By default, no port is configured as the fabric port.
After an IRF fabric is established, if you change the link type of a fabric port to
Access, the fabric will be split and the system will prompt Warning! This
operation maybe split the fabric.. For detailed descriptions of the fabric port,
refer to the section IRF Fabric in this manual.
Example
After you use the port link-type irf-fabric command to specify a port as the
fabric port, you cannot use the port link-type command to change the port
to a port of other types. You need to use the undo fabric-port command first
to disable the fabric port function of the port to change the port type.
Parameters
None
Description
Example
Description
Example
Use the set unit name command to set a name for a device.
# Set the name to hello for the device with unit ID 1.
<5500> display irf-fabric
Fabric name is 3Com, system mode is L3.
Unit Name  Unit ID
First      1
Second     2(*)
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] set unit 1 name hello
[5500] display irf-fabric
Fabric name is 3Com, system mode is L3.
Unit Name  Unit ID
hello      1
Second     2(*)
sysname
Syntax
sysname sysname
undo sysname
View
System view
Parameter
sysname: Fabric name to be set, a string of 1 to 30 characters.
Description
Use the sysname command to set the name for the fabric where the current
device belongs. The modification will affect the prompt character in the command
line interface. For example, if the fabric name of the Ethernet switch is 5500, the
prompt character in user view is <5500>.
Use the undo sysname command to restore the default fabric name.
By default, the fabric name of the Switch 5500 is 5500.
Example
63
display ndp
Syntax
View
Parameter
interface interface-list: Specifies a port list. You need to provide the interface-list
argument in the form of { interface-type interface-number [ to interface-type
interface-number ] } &<1-10>, where to is used to specify a port range, and
&<1-10> means that you can provide up to ten port indexes/port index ranges for
this argument. The interface-number argument is in the format of unit ID/slot
number/port number.
Description
Use the display ndp command to display all NDP configuration and operating
information, including the global NDP status, the interval to send NDP packets, the
hold time of NDP information, and the NDP status and neighbor information on all
ports.
Use the display ndp interface command to display NDP configuration and
operating information on specified ports.
Example
Interface: Ethernet1/0/8
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0
Interface: Ethernet1/0/9
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0
Interface: Ethernet1/0/10
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0
Interface: Ethernet1/0/11
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0
Interface: Ethernet1/0/12
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0
Interface: Ethernet1/0/13
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0
Interface: Ethernet1/0/14
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0
Interface: GigabitEthernet1/0/10
Status: Enabled, Pkts Snd: 0,
Interface: GigabitEthernet1/0/11
Status: Enabled, Pkts Snd: 0,
Interface: GigabitEthernet1/0/12
Status: Enabled, Pkts Snd: 0,
Interface: GigabitEthernet1/0/13
Status: Enabled, Pkts Snd: 0,
Interface: GigabitEthernet1/0/14
Status: Enabled, Pkts Snd: 0,
Table 168 Description of the display ndp and the display ndp interface command fields
Field
Description
Hello Timer
Aging Timer
Interface
Status
Pkts Snd:
Pkts Rvd:
Pkts Err:
MAC Address
Port name
Software Ver
Device Name
Port Duplex
Product Ver
ndp enable
Syntax
View
Parameter
Description
Example
View
System view
Parameter
Description
Example
# Set the holdtime of the NDP information sent by this switch to 60 seconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ndp timer aging 60
View
System view
Parameter
timer-in-seconds: Interval to send NDP packets, ranging from 5 to 254 seconds.
Description
Use the ndp timer hello command to set the interval to send NDP packets.
Use the undo ndp timer hello command to restore the default interval.
By default, this interval is 60 seconds.
The NDP information that neighbors hold for this device should be updated
regularly to reflect this device's changes in real time. You can use the ndp timer
hello command to adjust the frequency at which neighbors update the NDP
information of this device.
Note that the NDP information holdtime should be longer than the interval to send
NDP packets. Otherwise, the NDP port neighbor table will become unstable.
Example
Description
Example
64
display ntdp
Syntax
display ntdp
View
Any view
Parameters
None
Description
Use the display ntdp command to display the global NTDP information.
The displayed information includes topology collection range (hop count),
topology collection interval (NTDP timer), device/port forward delay of topology
collection requests, and time used by the last topology collection.
Example
Description
NTDP is running.
Hops
Timer
Hop Delay
Port Delay
display ntdp device-list
Syntax
View
Parameter
Description
Example
PLATFORM
S5500
S5500
Description
MAC
HOP
IP
PLATFORM
Peer MAC        Peer Port ID           Native Port ID  Speed  Duplex
000f-e20f-1234  Ethernet3/0/21         Ethernet1/0/22  100    FULL
5600-0000-3334  GigabitEthernet1/0/32  Ethernet1/0/4   100    FULL
Table 171 Description of the display ntdp device-list verbose command fields
Field
Description
Hostname
MAC
Hop
Platform
IP
Version
Cluster
Peer MAC
Peer Port ID
Native Port ID
Speed
Duplex
ntdp enable
Syntax
ntdp enable
undo ntdp enable
View
Parameters
None
Description
In system view:
Use the ntdp enable command to enable NTDP globally.
Use the undo ntdp enable command to disable NTDP globally.
In Ethernet port view:
Use the ntdp enable command to enable NTDP on the current port.
Use the undo ntdp enable command to disable NTDP on the current port.
By default, NTDP is enabled both globally and on ports.
Note that NTDP cannot take effect on a port if NDP is disabled on the port.
Example
ntdp explore
Syntax
ntdp explore
View
User view
Parameters
None
Description
Use the ntdp explore command to manually start a topology collection process.
NTDP is able to periodically collect topology information. In addition, you can use
this command to manually start a topology collection process at any moment. If
you do this, NTDP collects NDP information from all devices in a specific network
range as well as the connection information of all its neighbors. Through this
information, the management device or the network management software
knows the topology in the network range, and thus it can manage and monitor
the devices in the range.
Example
ntdp hop
Syntax
View
System view
Parameter
hop-value: Maximum hops to collect topology information, ranging from 1 to 16.
Description
Use the ntdp hop command to set the topology collection range.
Use the undo ntdp hop command to restore the default topology collection
range.
By default, the topology collection range is three hops.
With the ntdp hop command, you can limit topology collection to the devices
within a specified range to avoid infinite collection. That is, you
can limit the range of topology collection by setting the maximum hops from the
collecting device to the collected devices. For example, if you set the maximum
hops to two, the switch initiating the topology collection collects topology
information from the switches within two hops.
Note that this command is only applicable to the topology-collecting device, and a
wider collection range requires more memory on the topology-collecting device.
Example
ntdp timer
Syntax
View
System view
Parameter
interval-in-minutes: Interval (in minutes) to collect topology information, ranging
from 0 to 65,535. A value of 0 disables topology information collection.
Description
Use the ntdp timer command to configure the interval to collect topology
information periodically.
Use the undo ntdp timer command to restore the default interval.
By default, this interval is one minute.
After the interval is set to a non-zero value, the switch will collect topology
information periodically at this interval.
Note that:
If the display ntdp command displays disable in the Timer field, this device
is not a management device and will not perform periodic topology
collection.
After a cluster is set up on the Switch 5500, the switch will collect the topology
information of the network at the topology collection interval you set and
automatically add the candidate devices it discovers into the cluster.
If you do not want the candidate switches to be automatically added into the
cluster, you can set the topology collection interval to zero.
Example
View
System view
Parameter
time: Device forward delay in milliseconds. This argument ranges from 1 to 1,000.
Description
Use the ntdp timer hop-delay command to set the delay for devices to forward
topology collection requests.
Use the undo ntdp timer hop-delay command to restore the default device
forward delay.
By default, the device forward delay is 200 ms.
Network congestion may occur if a large number of topology response packets
reach the collecting device in a short period. To avoid this case, each collected
switch in the network delays for a period before it forwards a received topology
collection request through the first forwarding port. You can use the ntdp timer
hop-delay command to set the delay.
You can use the command on a collecting switch. The delay value you set by the
ntdp timer hop-delay command is carried in the topology collection requests
sent by the collecting switch, and is used by collected devices to determine how
long they should wait before they can forward the received topology collection
requests through their first port.
Example
# Set the delay for collected switches to forward topology collection requests
through their first port to 300 ms.
<aaa_0.3Com> system-view
System View: return to User View with Ctrl+Z.
[aaa_0.3Com] ntdp timer hop-delay 300
View
System view
Parameter
time: Port forward delay in milliseconds. This argument ranges from 1 to 100.
Description
Use the ntdp timer port-delay command to set the delay for collected switches
to forward topology collection requests through the next port.
Use the undo ntdp timer port-delay command to restore the default port
forward delay.
By default, the port forward delay is 20 ms.
Network congestion may occur if a large number of topology response packets
reach the collecting device in a short period. To avoid this case, after a collected
switch forwards a received topology collection request through a port, it delays for
a period before it forwards the request through the next port. You can use the
ntdp timer port-delay command to set the delay.
You can use the command on a collecting switch. The delay value you set by the
ntdp timer port-delay command is carried in the topology collection requests
sent by the collecting switch, and is used by collected devices to determine how
long they should wait before they forward the received topology collection
requests through the next port.
Example
# Set the delay for collected switches to forward topology collection requests
through the next port to 40 ms.
<aaa_0.3Com> system-view
System View: return to User View with Ctrl+Z.
[aaa_0.3Com] ntdp timer port-delay 40
65 CLUSTER CONFIGURATION COMMANDS
add-member
Syntax
View
Parameters
Description
After a cluster is established on the Switch 5500, the switch will collect the
topology information of the network at the topology collection interval you set
and automatically add the candidate devices it discovers into the cluster.
If you do not want the candidate switches to be automatically added into the
cluster, you can set the topology collection interval to zero by using the ntdp
timer command. In this case, topology information collection is disabled.
Example
# Add a candidate device to the cluster, setting the member number to 6. (Assume
that the MAC address and user password of the candidate device are
000f-e20f-35e7 and 123456.)
<aaa_0.3Com> system-view
System View: return to User View with Ctrl+Z.
[aaa_0.3Com] cluster
[aaa_0.3Com-cluster] add-member 6 mac-address 000f-e20f-35e7 password 123456
administrator-address
Syntax
View
Cluster view
Parameters
mac-address: MAC address of the management device to be set.
name: Name of an existing cluster, a string of up to 8 characters. Note that the
name of a cluster can only contain alphanumeric characters, minus signs (-), and
underscores (_).
Description
Example
auto-build
Syntax
auto-build [ recover ]
View
Cluster view
Parameter
recover: Recovers all member devices automatically.
Description
Use the auto-build command to start an automatic cluster building process.
After a cluster is built automatically, ACL 3998 and ACL 3999 will be generated
automatically.
After a cluster is built automatically, ACL 3998 and ACL 3999 can be neither
configured/modified nor removed.
Example
%Apr 3 08:12:37:847 2000 aaa_0.3Com CLST/5/LOG:- 1 Member 000f-e200-7800 is joined in cluster aaa.
%Apr 3 08:12:37:863 2000 aaa_0.3Com CLST/5/LOG:- 1 Member 000f-e200-2420 is joined in cluster aaa.
%Apr 3 08:12:37:996 2000 aaa_0.3Com CLST/5/LOG:- 1 Member 000f-e200-2180 is joined in cluster aaa.
%Apr 3 08:12:38:113 2000 aaa_0.3Com CLST/5/LOG:- 1 Member 000f-e200-c201 is joined in cluster aaa.
%Apr 3 08:12:38:139 2000 aaa_0.3Com CLST/5/LOG:- 1 Member 000f-e200-5104 is joined in cluster aaa.
%Apr 3 08:12:38:367 2000 aaa_0.3Com CLST/5/LOG:- 1 Member 000f-e200-5600 is joined in cluster aaa.
Cluster auto-build Finish!
8 member(s) added successfully.
[aaa_0.3Com-cluster]
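Because auto-build and periodic topology collection add devices without per-device confirmation, the join messages above are worth checking against an approved list. The following is an added example, not part of the 3Com documentation: it parses the join message format shown above and reports members that are not approved. The approved list, the function names and the third sample line are assumptions made for illustration.

```python
import re
from datetime import datetime

# Join message format as it appears in the auto-build output on this page.
JOIN_RE = re.compile(
    r"^%(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<hms>\d{2}:\d{2}:\d{2}):(?P<ms>\d{3})\s+(?P<year>\d{4})\s+"
    r"(?P<host>\S+)\s+CLST/\d+/LOG:.*?\bMember\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4})\s+"
    r"is joined in cluster\s+(?P<cluster>[A-Za-z0-9_-]{1,8})\.?\s*$"
)

MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_joins(lines):
    """Return one record per 'Member ... is joined in cluster ...' line."""
    joins = []
    for line in lines:
        m = JOIN_RE.match(line.strip())
        if not m or m["mon"] not in MONTHS:
            continue  # prompts, summaries and other messages are skipped
        hour, minute, second = (int(part) for part in m["hms"].split(":"))
        joins.append({
            "time": datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                             hour, minute, second, int(m["ms"]) * 1000),
            "reporter": m["host"],
            "mac": m["mac"].lower(),
            "cluster": m["cluster"],
            # The management device is member number 0, so its prompt name
            # starts with "<cluster>_0." (as in aaa_0.3Com on this page).
            "from_management": m["host"].startswith(m["cluster"] + "_0."),
        })
    return joins


def unapproved_joins(lines, approved_macs):
    """Joins whose MAC address is not in the approved inventory."""
    approved = {mac.lower() for mac in approved_macs}
    return [j for j in parse_joins(lines) if j["mac"] not in approved]


# Constructed sample: the first two lines follow the page's output, the
# third line and the approved list are invented for this example.
SAMPLE_LOG = [
    "%Apr 3 08:12:37:847 2000 aaa_0.3Com CLST/5/LOG:- 1 Member 000f-e200-7800 is joined in cluster aaa.",
    "%Apr 3 08:12:37:863 2000 aaa_0.3Com CLST/5/LOG:- 1 Member 000f-e200-2420 is joined in cluster aaa.",
    "%Apr 3 08:13:37:120 2000 aaa_0.3Com CLST/5/LOG:- 1 Member 0010-3500-e001 is joined in cluster aaa.",
    "Cluster auto-build Finish!",
]
APPROVED = {"000F-E200-7800", "000f-e200-2420"}

if __name__ == "__main__":
    for join in unapproved_joins(SAMPLE_LOG, APPROVED):
        print(join["time"].isoformat(), join["cluster"], join["mac"])
```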
build
Syntax
build name
undo build
View
Cluster view
Parameter
name: Name to be set for the cluster, a string of up to 8 characters, which can only
be alphanumeric characters, minus signs (-), and underscores (_).
Description
Use the build command to build a cluster with a cluster name or change the
cluster name.
Use the undo build command to remove the cluster.
You can use this command on a candidate device as well as on a management
device.
Executing the build command on a candidate device will change the device to a
management device and assign a name to the cluster created on the device.
Executing the build command on a management device will change the cluster
name of the management device.
The member number of a management device is 0.
Note that, after a cluster is set up on the Switch 5500, the switch will collect the
topology information of the network at the topology collection interval you set
and automatically add the candidate devices it discovers into the cluster. If you do
not want the candidate switches to be automatically added into the cluster, you
can set the topology collection interval to zero (by the ntdp timer command),
which specifies not to perform periodic topology collection.
To reduce the risk of attacks against open sockets and to enhance switch security,
the Switch 5500 provides the following functions, so that
a cluster socket is opened only when it is needed:
Opening UDP port 40000 (used for cluster) only when the cluster function is
implemented,
Closing UDP port 40000 at the same time when the cluster function is closed.
When you create a cluster by using the build or auto-build command, UDP
port 40000 is opened at the same time.
When you remove a cluster by using the undo build or undo cluster enable
command, UDP port 40000 is closed at the same time.
When you execute the undo build command on the management device to
remove a cluster, UDP port 40000 of all the member devices in the cluster is
closed at the same time.
Example
# Configure the current switch as a management device and set the cluster name
to aaa.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] cluster
[5500-cluster] build aaa
There is no base topology, if set up from local flash file?(Y/N)
n
#Apr 3 08:15:03:166 2000 aaa_0.3Com CLST/5/Cluster_Trap:- 1 OID:1.3.6.1.4.1.2011.6.7.1.0.3(hgmpMemberStatusChange):member 00.00.00.00.00.12.a9.90.22.40 role change, NTDPIndex:0.00.00.00.00.00.12.a9.90.22.40, Role:1
[aaa_0.3Com-cluster]
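The rules above (UDP port 40000 follows the cluster state, and candidates are added automatically unless the NTDP timer is zero) can be checked against a list of configuration commands. The following is an added example, not part of the 3Com documentation: it replays a command list, reports whether UDP port 40000 is expected to be open and whether automatic candidate addition is active, and validates arguments against the ranges stated in this reference. The function name and the sample command lists are assumptions made for illustration.

```python
import re

CLUSTER_UDP_PORT = 40000   # page: UDP port used for cluster
DEFAULT_NTDP_TIMER = 1     # page: default collection interval is one minute

# Argument ranges stated in this command reference.
RANGES = {
    "ntdp timer hop-delay": (1, 1000),
    "ntdp timer port-delay": (1, 100),
    "ntdp timer": (0, 65535),
    "ntdp hop": (1, 16),
}

# Multicast MAC addresses the page lists as valid for cluster-mac.
ALLOWED_CLUSTER_MACS = {"0180-c200-0000", "0180-c200-000a"} | {
    f"0180-c200-{low:04x}" for low in range(0x0020, 0x0030)
}

NAME_RE = re.compile(r"[a-z0-9_-]{1,8}")  # cluster name rule from the page


def audit(commands, initially_built=False):
    """Replay commands in order and return the resulting cluster exposure."""
    built = initially_built
    ntdp_timer = DEFAULT_NTDP_TIMER
    findings = []
    for raw in commands:
        cmd = " ".join(raw.lower().split())
        if cmd in ("undo build", "undo cluster enable"):
            built = False          # both commands close UDP port 40000
        elif cmd == "auto-build" or cmd.startswith(("build ", "auto-build ")):
            built = True           # both commands open UDP port 40000
            if cmd.startswith("build ") and not NAME_RE.fullmatch(cmd.split()[1]):
                findings.append(f"invalid cluster name in '{cmd}'")
        elif cmd == "undo ntdp timer":
            ntdp_timer = DEFAULT_NTDP_TIMER
        elif cmd.startswith("cluster-mac ") and cmd.split()[1] != "syn-interval":
            mac = cmd.split()[1]
            if mac not in ALLOWED_CLUSTER_MACS:
                findings.append(f"cluster-mac {mac} is outside the documented set")
        else:
            # Longest command name first so "ntdp timer hop-delay" wins
            # over "ntdp timer".
            for name in sorted(RANGES, key=len, reverse=True):
                m = re.fullmatch(re.escape(name) + r" (\d+)", cmd)
                if not m:
                    continue
                value, (low, high) = int(m.group(1)), RANGES[name]
                if not low <= value <= high:
                    findings.append(f"{name} {value} is outside {low}-{high}")
                elif name == "ntdp timer":
                    ntdp_timer = value
                break
    auto_add = built and ntdp_timer != 0
    if auto_add:
        findings.append(
            f"candidates are added automatically every {ntdp_timer} minute(s)")
    return {"udp_40000_open": built, "auto_add_candidates": auto_add,
            "ntdp_timer_minutes": ntdp_timer, "findings": findings}


# Constructed command lists for this example.
CONSTRUCTED_DEFAULT = ["cluster enable", "ntdp hop 3", "cluster", "build aaa"]
CONSTRUCTED_HARDENED = ["cluster enable", "ntdp timer 0",
                        "ntdp timer hop-delay 300", "cluster", "build aaa",
                        "cluster-mac 0180-C200-000A"]

if __name__ == "__main__":
    print(audit(CONSTRUCTED_DEFAULT))
    print(audit(CONSTRUCTED_HARDENED))
```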
cluster
Syntax
cluster
View
System view
Parameters
None
Description
Example
cluster enable
Syntax
cluster enable
undo cluster enable
View
System view
Parameters
None
Description
To create a cluster on a device with the build command, you must first enable
the cluster function by executing the cluster enable command.
When you execute the undo cluster enable command on the management
device, the cluster and all its members are removed, the device stops operating
as a management device, and the cluster function is disabled on the device.
When you execute the undo cluster enable command on a member device,
the device leaves the cluster, and the cluster function is disabled on the device.
When you execute the undo cluster enable command on a device that does not
belong to any cluster, the cluster function is disabled on the device.
You can use the two commands on any device that supports the cluster function.
Example
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] cluster enable
cluster switch-to
Syntax
View
Parameters
Description
Use the cluster switch-to command to switch between the management device
and a member device for configuration and management.
On the management device, you can switch to the view of a member device to
configure and manage the member device, and then switch back to the
management device.
Both switching directions (from the management device to a member device, and
from a member device to the management device) use a Telnet connection.
Switching is performed based on the following rules:
After you switch from the management device to a member device, the
member device view will inherit the user privilege level of the current
management device view.
After you switch from a member device to the management device, the
privilege level on the management device view will be determined by the
configuration on the management device.
If all the Telnet resources on the requested device are used up, the switching to
the device will not succeed.
When you execute this command on the management device with a nonexistent
member number or a MAC address that is not in the member list, an error will
occur. In this case, you can enter quit to end the switching.
Example
# Switch from the management device to number-6 member device and then
switch back to the management device.
<aaa_0.3Com> cluster switch-to 6
<aaa_6.3Com> quit
<aaa_0.3Com>
cluster-mac
Syntax
cluster-mac H-H-H
undo cluster-mac
View
Cluster view
Parameter
H-H-H: Multicast MAC address to be set for the cluster, in hexadecimal format.
This argument can be one of the following addresses: 0180-C200-0000,
0180-C200-000A, 0180-C200-0020 to 0180-C200-002F.
Description
Use the cluster-mac command to configure a multicast MAC address for the
cluster.
Use the undo cluster-mac command to restore the default multicast MAC
address.
The default multicast MAC address is 0180-C200-000A.
Note that you can only use this command on a management device.
The management device in a cluster is able to periodically send Switch Clustering
V2 multicast MAC synchronization packets. After you configure a multicast MAC
address on the management device, all the member/candidate devices of the
cluster will synchronize to the same multicast MAC address by receiving multicast
MAC synchronization packets. This guarantees that the member/candidate devices
of the cluster can receive the multicast packets from the management device.
Example
cluster-mac syn-interval
Syntax
View
Parameter
Description
Use the cluster-mac syn-interval command to set the interval for the
management device to send Switch Clustering V2 multicast MAC synchronization
packets periodically. You can only use this command on a management device.
By default, this interval is one minute.
If you set this interval to zero on a management device, the management device
will not send Switch Clustering V2 multicast MAC synchronization packets to
other devices.
Example
# Set the interval for the management device to send Switch Clustering V2
multicast MAC synchronization packets to one minute.
<aaa_0.3Com> system-view
System View: return to User View with Ctrl+Z.
[aaa_0.3Com] cluster
[aaa_0.3Com-cluster] cluster-mac syn-interval 1
delete-member
Syntax
delete-member member-number
View
Cluster view
Parameter
Description
Use the delete-member command to remove a member device from the cluster.
You can only perform the operation on a management device. Otherwise, an error
will occur.
Note that, after a cluster is set up on a Switch 5500, the switch will collect the
topology information of the network at the topology collection interval you set
and automatically add the candidate devices it discovers into the cluster. If you do
not want the candidate switches to be automatically added into the cluster, you
can set the topology collection interval to zero (by the ntdp timer command),
which specifies not to perform periodic topology collection.
Example
display cluster
Syntax
display cluster
View
Any view
Parameters
None
Description
Use the display cluster command to display the status and statistics information
of the cluster to which the current switch belongs.
Executing this command on a member device will display the following
information: cluster name, member number of the current switch, MAC address
and status of the management device, holdtime, and interval to send handshake
packets.
Executing this command on a management device will display the following
information: cluster name, number of the member devices in the cluster, cluster
status, holdtime, and interval to send handshake packets.
Executing this command on a device that does not belong to any cluster will
display an error.
Example
Description
Cluster name
Role
Member number
Handshake timer
Handshake hold-time
Holdtime
Administrator status
display cluster candidates
Syntax
View
Parameters
Description
Use the display cluster candidates command to display information about one
specified or all candidate devices of a cluster.
You can only use this command on a management device.
Note that, after a cluster is set up on the Switch 5500, the switch will collect the
topology information of the network at the topology collection interval you set
and automatically add the candidate devices it discovers into the cluster. As a
result, if the topology collection interval is too short (the default interval is 1
minute), the switches acting as candidate devices will not remain in the candidate
state for long; they will change to member devices within a short time. If you do
not want the candidate switches to be automatically added into the cluster, you
can set the topology collection interval to zero (by using the ntdp timer
command), which specifies not to perform topology collection periodically.
Example
Description
MAC
Hop
IP
Platform
Hostname : 3Com
MAC      : 3600-0000-3334
Hop      : 2
Platform : S5500
IP       : 16.1.1.11/24
Hostname : 3600-3
MAC      : 000f-e20f-3190
Hop      : 1
Platform : S5500
IP       : 16.1.1.1/24
Table 174 Description of the display cluster candidates verbose command fields
Field
Description
Hostname
MAC
Hop
IP
Platform
display cluster members
Syntax
View
Parameters
Use the display cluster members command to display information about one
specific or all devices in a cluster.
You can only use this command on a management device.
Example
Name
aaa_0.3Com
aaa_1.3Com
aaa_2.3600-3
Description
SN
Device
Device type
MAC Address
Status
Device status
Name
Device name
Version:
3Com Comware Platform Software
Comware Software, Version 3.10
Copyright(c)2004-2007 3Com Corporation All rights reserved.
S5500 3600-0002
Description
Member number
Name
Device name
Device
Device type
MAC Address
Member status
Device status
IP
Device IP address
Version
ftp cluster
Syntax
ftp cluster
View
User view
Parameters
None
Description
Use the ftp cluster command to connect to the shared FTP server of the cluster
and enter FTP Client view.
Example
ftp-server
Syntax
ftp-server ip-address
undo ftp-server
View
Cluster view
Parameter
Description
Example
holdtime
Syntax
holdtime seconds
undo holdtime
View
Cluster view
Parameter
seconds: Holdtime in seconds, ranging from 1 to 255.
Description
Use the holdtime command to configure the holdtime of member switches.
Use the undo holdtime command to restore the default holdtime value.
By default, the holdtime is 60 seconds.
Note that:
If the management switch does not receive NDP information from a member
device within the holdtime, it sets the state of the member device to down.
When the management device receives the NDP information from the device
again, the device will be re-added to the cluster automatically.
You need only execute the command on a management device,
which will advertise the holdtime value to all member devices in the cluster.
Example
[aaa_0.3Com] cluster
[aaa_0.3Com-cluster] holdtime 30
ip-pool
Syntax
View
Cluster view
Parameters
administrator-ip-address: IP address for the device to be set as the management
device of a cluster.
ip-mask: Mask of the cluster IP address pool.
ip-mask-length: Mask length of the cluster IP address pool.
Description
Example
logging-host
Syntax
logging-host ip-address
undo logging-host
View
Cluster view
Parameter
ip-address: IP address of the device to be configured as the log host of a cluster.
Description
Use the logging-host command to configure a shared log host for a cluster on
the management device.
Use the undo logging-host command to remove the shared log host setting.
By default, no shared log host is configured.
After setting the IP address of a log host for the cluster, the member devices in the
cluster can send logs to the log host through the management device.
Example
# Configure the device with IP address 10.10.10.9 as the log host of a cluster.
<aaa_0.3Com> system-view
System View: return to User View with Ctrl+Z.
[aaa_0.3Com] cluster
[aaa_0.3Com-cluster] logging-host 10.10.10.9
management-vlan
Syntax
management-vlan vlan-id
undo management-vlan
View
System view
Parameter
vlan-id: ID of the VLAN to be specified as the management VLAN.
Description
Use the management-vlan command to specify the management VLAN on the
switch.
Use the undo management-vlan command to restore the default management
VLAN.
By default, VLAN 1 is used as the management VLAN.
When specifying the management VLAN, note that:
The management VLANs on all the devices in a cluster must be the same.
You can specify the management VLAN on a device only when no cluster is
created on the device. You cannot change the management VLAN on a device
that has already joined a cluster. If you want to change the management VLAN on a
device where a cluster has already been created, you must first remove the
cluster configuration on the device, then re-specify a VLAN as the management
VLAN, and finally re-create the cluster.
Example
nm-interface Vlan-interface
Syntax
View
Parameter
Description
Example
reboot member
Syntax
View
Parameters
Description
Use the reboot member command to reboot a specified member device on the
management device.
When a member device is in trouble due to configuration errors, you can use
the remote control function on the management device to control the member
device remotely. For example, from the management
device, you can delete the configuration file on a member device and reboot the
member device to recover it to the normal state.
The eraseflash keyword specifies to delete the startup configuration file when
the member device reboots.
Example
snmp-host
Syntax
snmp-host ip-address
undo snmp-host
View
Cluster view
Parameter
ip-address: IP address of an SNMP host to be configured for the cluster.
Description
Use the snmp-host command to configure a shared SNMP host for the cluster on
the management device.
Use the undo snmp-host command to remove the shared SNMP host setting.
By default, no shared SNMP host is configured.
After setting the IP address of an SNMP host for the cluster, the member devices in
the cluster can send trap messages to the SNMP host through the management
device.
Note that, you can only use the commands on a management device.
Example
tftp get
Syntax
View
Parameters
source-file: Name of the file to be downloaded from the shared TFTP server of the
cluster.
destination-file: Name of the file to which the downloaded file will be saved on
the switch.
Description
Use the tftp { cluster | tftp-server } get command to download a file from a
specific directory on the shared TFTP server to the switch.
Related command: tftp { cluster | tftp-server } put
Example
# Download file LANSwitch.app from the shared TFTP server of the cluster to the
switch and save it as vs.app.
<123_1.3Com> tftp cluster get LANSwitch.app vs.app
tftp put
Syntax
View
Parameters
Description
Use the tftp { cluster | tftp-server } put command to upload a file from the switch
to a specified directory on the TFTP server.
Related command: tftp { cluster | tftp-server } get
Example
# Upload file config.cfg on the switch to the shared TFTP server of the cluster and
save it as temp.cfg.
<123_1.3Com> tftp cluster put config.cfg temp.cfg
tftp-server
Syntax
tftp-server ip-address
undo tftp-server
View
Cluster view
Parameter
ip-address: IP address of a TFTP server to be configured for the cluster.
Description
Use the tftp-server command to configure a shared TFTP server for the cluster on
the management device.
Use the undo tftp-server command to remove the shared TFTP server setting.
By default, no shared TFTP server is configured.
After setting the IP address of a TFTP server for the cluster, the member devices in
the cluster can access the TFTP server through the management device.
Note that, you can only use the commands on a management device.
Example
timer
Syntax
timer interval
undo timer
View
Cluster view
Parameter
interval: Interval (in seconds) to send handshake packets. This argument ranges
from 1 to 255.
Description
Use the timer command to set the interval to send handshake packets.
Use the undo timer command to restore the default value of the interval.
By default, the interval to send handshake packets is 10 seconds.
In a cluster, the management device keeps connections with the member devices
through handshake packets. Through the periodic handshaking between the
management and member devices, the management device monitors the member
status and link status.
Note that, you need only execute the command on a management device, which
will advertise the handshake interval setting to all member devices in the cluster.
Example
<aaa_0.3Com> system-view
System View: return to User View with Ctrl+Z.
[aaa_0.3Com] cluster
[aaa_0.3Com-cluster] timer 3
tracemac
Syntax
View
Parameters
Description
Use the tracemac command to trace a device in a cluster through the specified
destination MAC address or IP address.
When using the destination IP address to trace a device, the switch looks up
the ARP entry corresponding to the IP address, and then looks up the MAC
address entry according to the ARP entry.
If the queried IP address has a corresponding ARP entry, but the corresponding
MAC address entry does not exist in the MAC address table, the trace of the
device fails.
To trace a specific device using the tracemac command, make sure that all the
devices passed support the tracemac function.
Examples
# Trace the device that belongs to VLAN 1 through its MAC address
00e0-f032-0005.
<aaa_0.5500> tracemac by-mac 000f-e232-0005 vlan 1
Tracing MAC address 000f-e232-0005 in vlan 1
1 000f-e232-0001 H3C01 Ethernet1/0/2
2 000f-e232-0002 H3C02 Ethernet1/0/7
3 000f-e232-0003 H3C03 Ethernet1/0/4
4 000f-e232-0005 H3C05 Local
# Trace the device that belongs to VLAN 1 through its IP address 192.168.1.5.
black-list
Syntax
View
Cluster view
Parameters
mac-address: MAC address of the device to be added to the blacklist. The format
is H-H-H, for example, 0100-0498-e001.
all: Deletes all MAC addresses in the current cluster blacklist.
Description
Use the black-list add-mac command to add the MAC address of the specified
device to the cluster blacklist, so that this device cannot join the cluster.
Use the black-list delete-mac command to remove the MAC address of the
specified device or all MAC addresses from the current cluster blacklist.
You can only use this command on the cluster administrative device.
Examples
# Add the device with the MAC address 0010-3500-e001 to the blacklist.
<aaa_0.3Com> system-view
Enter system view, return to user view with Ctrl+Z.
[aaa_0.3Com] cluster
[aaa_0.3Com-cluster] black-list add-mac 0010-3500-e001
delete-member
Syntax
View
Parameters
Use the delete-member command to remove the specified device from the
cluster.
You can only use this command on the cluster administrative device.
Example
# Remove the device with the member ID 4 from the cluster and add this device to
the cluster blacklist.
<aaa_0.3Com> system-view
Enter system view, return to user view with Ctrl+Z.
[aaa_0.3Com] cluster
[aaa_0.3Com-cluster] delete-member 4 to-black-list
display cluster base-members
Syntax
View
Parameters
None
Description
Example
# Display the information about all the devices in the base cluster topology.
<aaa_0.5500> display cluster base-members
SN  Device       MAC Adress      Status
0   aaa_0.3Com   000f-e200-30a0  UP
1   aaa_1.S5500  000f-e200-86e4  UP
Description
SN
Device
Device name
MAC Address
Status
Device status:
display cluster base-topology
Syntax
View
Parameters
Description
Example
display cluster black-list
Syntax
View
Parameters
None
Description
Use the display cluster black-list command to display the information of devices
in the current cluster blacklist.
Example
Access port
Ethernet1/0/24
Ethernet1/0/1
Description
Device ID
Access Device ID
Access port
display cluster current-topology
Syntax
View
Parameters
Description
When you display the cluster topology information, the devices attached to a
switch that is listed in the blacklist will not be displayed.
Example
# Display the topology of the current cluster.
<aaa_0.3Com> display cluster current-topology
-------------------------------------------------------------------
(PeerPort) ConnectFlag (NativePort) [SysName:DeviceMac]
-------------------------------------------------------------------
ConnectFlag:
<--> normal connect
---> odd connect
**** in blacklist
???? lost device
++++ new device
-||- STP discarding
-------------------------------------------------------------------
[aaa_0.3Com:00e0-fc02-2180]
|
|-(P_0/40)<-->(P_0/6)[5500:000f-e200-2200]
|
|-(P_0/28)<-->(P_3/0/1)[5500:00e0-fc00-1774]
|
|-(P_0/24)****(P_1/0/6)[clie:00e0-fc00-5502]
|
|-(P_0/22)<-->(P_1/0/2)[aaa_5.3Com:00e0-fc00-5111]
|
|-(P_0/18)<-->(P_3/0/2)[5500 S7503:000f-e218-d0d0]
|
|-(P_0/14)<-->(P_1/0/2)[5500:00e0-fc00-5601]
|
|-(P_0/10)<-->(P_1/0/1)[aaa_7.S5500-28C-SI:0012-a990-2241]
|
|-(P_0/4)<-->(P_0/2)[2024C:000f-e200-00cc]
|
-(P_0/1)****(P_0/1)[5500:00e0-fd34-bc66
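The ConnectFlag column is the part of this output a reviewer cares about, since it separates normal links from blacklisted, lost and new devices. The following is an added example, not part of the 3Com documentation: it parses output in the format shown above, groups links by flag, and lists devices that are absent from a base member list such as the one printed by display cluster base-members. The function names, the sample text and the base list are assumptions made for illustration, and nesting depth is not reconstructed.

```python
import re
from collections import namedtuple

# ConnectFlag legend as printed by display cluster current-topology.
FLAGS = {
    "<-->": "normal connect",
    "--->": "odd connect",
    "****": "in blacklist",
    "????": "lost device",
    "++++": "new device",
    "-||-": "STP discarding",
}

Link = namedtuple("Link", "peer_port flag state native_port sys_name mac")

MAC = r"(?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4}"
FLAG_ALT = "|".join(re.escape(flag) for flag in FLAGS)
# (PeerPort) ConnectFlag (NativePort) [SysName:DeviceMac]; the closing
# bracket is optional because captured output may be truncated.
LINK_RE = re.compile(
    r"\((?P<peer>[^()]+)\)(?P<flag>" + FLAG_ALT + r")\((?P<native>[^()]+)\)"
    r"\[(?P<name>[^\]]*):(?P<mac>" + MAC + r")\]?"
)
ROOT_RE = re.compile(r"^\[(?P<name>[^\]]*):(?P<mac>" + MAC + r")\]$")


def parse_topology(text):
    """Return ((root_name, root_mac) or None, [Link, ...])."""
    root, links = None, []
    for line in text.splitlines():
        line = line.strip()
        m = ROOT_RE.match(line)
        if m and root is None:
            root = (m["name"], m["mac"].lower())
            continue
        m = LINK_RE.search(line)
        if m:
            links.append(Link(m["peer"], m["flag"], FLAGS[m["flag"]],
                              m["native"], m["name"], m["mac"].lower()))
    return root, links


def review(text, base_macs=()):
    """Group non-normal links by state and list devices not in the base list."""
    _, links = parse_topology(text)
    base = {mac.lower() for mac in base_macs}
    report = {state: [] for state in FLAGS.values() if state != "normal connect"}
    report["not in base topology"] = []
    for link in links:
        if link.state != "normal connect":
            report[link.state].append(link)
        if base and link.mac not in base and link.state != "in blacklist":
            report["not in base topology"].append(link)
    return report


# Constructed sample in the page's format; the flags on the last three
# links were changed to exercise every branch.
SAMPLE = """\
(PeerPort) ConnectFlag (NativePort) [SysName:DeviceMac]
ConnectFlag:
<--> normal connect
**** in blacklist
[aaa_0.3Com:00e0-fc02-2180]
|
|-(P_0/40)<-->(P_0/6)[5500:000f-e200-2200]
|
|-(P_0/24)****(P_1/0/6)[clie:00e0-fc00-5502]
|
|-(P_0/18)++++(P_3/0/2)[5500 S7503:000f-e218-d0d0]
|
|-(P_0/14)????(P_1/0/2)[5500:00e0-fc00-5601]
|
-(P_0/1)-||-(P_0/1)[5500:00e0-fd34-bc66
"""

if __name__ == "__main__":
    for state, links in review(SAMPLE, ["000f-e200-2200"]).items():
        for link in links:
            print(f"{state}: {link.sys_name} {link.mac} via {link.peer_port}")
```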
display ntdp single-device mac-address
Syntax
View
Parameter
Description
Example
# Display the detailed information about the switch with the MAC address
00e0-fc00-3956.
<5500> display ntdp single-device mac-address 00e0-fc00-3956
Hostname : 3Com
MAC      : 00e0-fc00-3956
Hop      : 0
Platform : 3Com S5500-28C-SI
IP       :
Version  :
3Com Comware Platform Software
Candidate switch
Peer MAC        Peer Port ID   Native Port ID  Speed Duplex
00e0-fc39-1333  Ethernet1/0/4  Ethernet1/0/10  100   FULL
Description
Hostname
MAC
Hop
Platform
IP
Version
Version information
Cluster
Peer MAC
Peer Port ID
Native Port ID
Speed
Duplex
topology accept
Syntax
View
Parameters
Description
Use the topology accept command to accept the topology of the current cluster
as the standard topology, and save the standard topology to the Flash memory of
the administrative device so that the standard topology can be restored when
errors occur to the topology.
You can only use this command on the cluster management device.
Examples
# Save the current cluster topology as the base topology and save it in the local
flash.
<aaa_0.3Com> system-view
Enter system view, return to user view with Ctrl+Z.
[aaa_0.3Com] cluster
[aaa_0.3Com-cluster] topology accept all save-to local-flash
# Accept the device with the MAC address 0010-0f66-3022 as a member of the
base cluster topology.
<aaa_0.3Com> system-view
Enter system view, return to user view with Ctrl+Z.
[aaa_0.3Com] cluster
[aaa_0.3Com-cluster] topology accept mac-address 0010-0f66-3022
topology restore-from
Syntax
View
Parameter
Description
Example
# Restore the base cluster topology from the flash of the management device in
the cluster.
<aaa_0.3Com> system-view
Enter system view, return to user view with Ctrl+Z.
[aaa_0.3Com] cluster
[aaa_0.3Com-cluster] topology restore-from local-flash
topology save-to
Syntax
View
Parameters
None
Description
Use the topology save-to command to save the standard topology of the cluster
to the local Flash memory.
The topology file contains the white list and blacklist and has a uniform file
name: topology.top.
You can only use this command on the administrative device.
Examples
display poe disconnect
Syntax
View
Parameters
None
Description
Use the display poe disconnect command to view the current PD disconnection
detection mode of the switch.
Example
:low
:15400 mW
:460 mW
:552 mW
:547 mW
:10 mA
:51 V
Description
high: High
low: Low
Port current
Port voltage
Description
PORT INDEX
Port index
POWER
ENABLE
Description
PoE mode on the port:
MODE
STATUS
critical: Highest
high: High
low: Low
Example
<Omitted>
PORT INDEX      POWER (mW)
Ethernet1/0/2   0
Ethernet1/0/4   0
Ethernet1/0/6   0
Ethernet1/0/8   0
Ethernet1/0/10  12400
display poe
powersupply
Syntax
View
Parameters
None
Description
Use the display poe powersupply command to view the parameters of the
power sourcing equipment (PSE).
Example
Description
PSE ID
display poe
temperatureprotection
Syntax
View
Parameters
None
Description
Example
poe disconnect
Syntax
poe disconnect { ac | dc }
undo poe disconnect
View
System view
Parameters
ac: Specifies the PD disconnection detection mode as ac.
dc: Specifies the PD disconnection detection mode as dc.
Description
Example
poe enable
Syntax
poe enable
undo poe enable
View
Parameters
None
Description
Use the poe enable command to enable the PoE feature on a port.
Use the undo poe enable command to disable the PoE feature on a port.
By default, the PoE feature on a port is enabled by the default configuration file
when the device is delivered.
If you delete the default configuration file without specifying another one, the PoE
function on a port will be disabled after you restart the device.
Example
View
System view
Parameters
None
Description
Use the poe legacy enable command to enable the PD compatibility detection
function.
Use the undo poe legacy enable command to disable the PD compatibility
detection function.
PDs compliant with 802.3af standards are called standard PDs. When the PD
compatibility detection function is enabled, the switch can detect non-standard
PDs.
By default, the PD compatibility detection function is disabled.
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] poe legacy enable
Legacy detection is enabled
poe max-power
Syntax
View
Parameter
Description
Example
poe mode
Syntax
View
Parameters
Description
Use the poe mode command to configure the PoE mode on the current port.
Use the undo poe mode command to restore the PoE mode on the current port
to the default mode.
By default, signal mode is adopted on a port.
The Switch 5500 does not currently support the spare mode.
Example
poe
power-management
Syntax
View
System view
Parameters
auto: Adopts the auto mode, namely, a PoE management mode based on PoE
priority of the port.
manual: Adopts the manual mode.
Description
Example
# Configure the PoE management mode on a port to auto, that is, adopt the PoE
management mode based on the PoE priority of the port.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] poe power-management auto
Auto Power Management is enabled
poe priority
Syntax
View
Parameters
Description
Use the poe priority command to configure the PoE priority of a port.
Use the undo poe priority command to restore the default PoE priority.
By default, the PoE priority of a port is low.
When the available power of the PSE is too small, the PoE priority and the PoE
management mode are used together to determine how to allocate PoE power for
the new PDs.
1 When the manual PoE management mode is adopted:
The switch will not supply power to the new PDs if the available power of the PSE
is less than 18.8 W.
2 When the auto PoE management mode is adopted:
If a PD is plugged into the port with higher priority when the available power
of the PSE is less than 18.8 W, the power supply to the port with the biggest
number in the port group with the lowest priority is turned off, so that a part
of power is released for the new PD.
If the available power of the whole switch is less than 18.8 W and there is no
port with low priority, the port with the inserted PD cannot supply power.
Example
poe temperatureprotection
Syntax
View
System view
Parameters
None
Description
poe update
Syntax
View
Parameter
Description
Use the poe update command to update the PSE processing software online.
Use the full mode only when the refresh mode fails. In normal cases, use the
refresh mode.
When the PSE processing software is damaged (that is, all the PoE commands
cannot be successfully executed), you can use the full mode to update and
restore the software.
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] poe update refresh 0400_001.S19
Update PoE board successfully
update fabric
Syntax
View
Parameters
Description
Use the update fabric command to upgrade the PSE processing software of the
fabric switch remotely on any device in the fabric.
Example
# Use the file poe2046.s19 in the flash of unit 2 to upgrade the PSE processing
software of all the units in the fabric.
<5500> update fabric unit2>flash:/poe2046.s19
This will update the Fabric. Continue? [Y/N] y
The software is verifying ...
The result of verification is :
Unit ID   Free space(bytes)   Enough   Version comparison
1         2588900             Y        Y
2         2591972             Y        Y
warning: the verification is completed, start the file transmission? [Y/N] y
The fabric is being updated, 100%
The poe2046.s19 is stored on unit 1 successfully!
The poe2046.s19 is stored on unit 2 successfully!
Do you want to set poe2046.s19 to be running agent next time to boot?[Y/N] y
The poe2046.s19 is configured successfully!
68
apply poe-profile
Syntax
View
Parameters
Description
Use the apply poe-profile command to apply the existing PoE profile
configuration to the specified Ethernet port.
Use the undo apply poe-profile command to cancel the PoE profile
configuration for the specified Ethernet port.
Only one PoE profile can be in use at any time for each Ethernet port.
PoE profile is a set of PoE configurations. One PoE profile can contain multiple PoE
features. When the apply poe-profile command is used to apply a PoE profile to
a port, some PoE features can be applied successfully while some cannot. PoE
profiles are applied to Switch 5500 according to the following rules:
If one or more features in the PoE profile are not applied properly on a port,
the switch will prompt explicitly which PoE features in the PoE profile are not
applied properly on which ports.
Example
display poe-profile
Syntax
View
Parameters
Description
Example
poe-profile
Syntax
poe-profile profile-name
undo poe-profile profile-name
View
System view
Parameter
Description
Use the poe-profile command to create a PoE profile and then enter PoE profile
view. If the PoE profile is already created, you will enter PoE profile view directly.
Use the undo poe-profile command to delete an existing PoE profile.
The following PoE features can be configured in the PoE profile mode:
poe enable
poe mode { signal | spare }
poe priority { critical | high | low }
poe max-power max-power
The maximum number of PoE profiles that can be configured for a Switch 5500 is
100.
Example
69
display udp-helper
server
Syntax
View
Parameter
Description
Example
The information above shows that the IP address of the destination server
corresponding to VLAN interface 1 is 192.1.1.2, and no packets have been
forwarded to the destination server.
reset udp-helper
packet
Syntax
View
Parameter
Description
Example
udp-helper enable
Syntax
udp-helper enable
undo udp-helper enable
View
System view
Parameter
None
Description
Use the udp-helper enable command to enable UDP Helper function.
Use the undo udp-helper enable command to disable UDP Helper function.
By default, UDP Helper is disabled.
Note that: On a Switch 5500, the reception of directed broadcast packets to a
directly connected network is disabled by default. As a result, UDP Helper is
available only when the ip forward-broadcast command is configured in system
view. For details about the ip forward-broadcast command, refer to IP Address
Configuration Commands on page 137.
Example
udp-helper port
Syntax
View
System view
Parameter
port-number: Number of the UDP port with which UDP packets are to be
forwarded, in the range 0 to 65535 (except for 67 and 68).
dns: Forwards domain name system (DNS) data packets. The corresponding UDP
port number is 53.
netbios-ds: Forwards NetBIOS data packets. The corresponding UDP port number
is 138.
netbios-ns: Forwards NetBIOS name service data packets. The corresponding UDP
port number is 137.
tacacs: Forwards terminal access controller access control system (TACACS) data
packet. The corresponding UDP port number is 49.
tftp: Forwards trivial file transfer protocol (TFTP) data packets. The corresponding
UDP port number is 69.
time: Forwards time service data packets. The corresponding UDP port number is
37.
Description
Use the udp-helper port command to configure the UDP port with which
broadcast packets are to be forwarded.
Use the undo udp-helper port command to remove the configuration.
By default, the UDP Helper enabled device forwards broadcast packets with any of
the six UDP port numbers 53, 138, 137, 49, 69 and 37.
Note that:
You need to enable the UDP Helper function before specifying any UDP port;
otherwise, the system prompts error information. When the UDP helper
function is disabled, all configured UDP ports are disabled, including the
default ports.
Example
udp-helper server
Syntax
View
Parameter
Description
Use the udp-helper server command to specify the destination server to which
the UDP packets are to be forwarded.
Use the undo udp-helper server command to remove the specified destination
server.
No destination server is specified by default.
Note that:
70
display snmp-agent
Syntax
View
Parameters
Description
Use the display snmp-agent command to display the local SNMP entity switch
fabric ID or all the remote SNMP entity switch fabric IDs.
An SNMP switch fabric ID identifies an SNMP entity uniquely within an SNMP
domain. As an indispensable part of an SNMP entity, an SNMP switch fabric
performs the function of sending, receiving and authenticating SNMP messages,
extracting PDUs, packet assembling and the communication with SNMP
applications.
Examples
SNMP local EngineID in the above information represents the local SNMP entity
switch fabric ID.
display snmp-agent
community
Syntax
View
Parameters
Description
Example
Description
Community name
Community name
Group name
Group name
Storage-type
volatile
nonVolatile
permanent
readOnly
other
display snmp-agent
group
Syntax
View
Parameters
Description
Use the display snmp-agent group command to display the information about a
SNMP group, including group name, security mode, states of various views, and
storage mode.
If you do not specify the group-name argument, this command displays the
information about all the existing SNMP groups.
Example
Description
Group name
Security model
Readview
Writeview
Notifyview
storage-type
volatile
nonVolatile
permanent
readOnly
other
display snmp-agent
mib-view
Syntax
View
Parameters
Description
Use the display snmp-agent mib-view command to display the MIB view
configuration of the current Ethernet switch.
If you specify no keyword when executing this command, the configuration of all
the MIB views is displayed.
Example
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpModules.18
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
display snmp-agent
statistics
Syntax
View
Parameters
None
Description
Example
display snmp-agent
sys-info
Syntax
View
Parameters
Description
Use the display snmp-agent sys-info command to display the system SNMP
information about the current device.
This command displays all the system SNMP information if you execute it with no
keyword specified.
Example
display snmp-agent
trap-list
Syntax
View
Parameters
None
Description
Use the display snmp-agent trap-list command to display the states of the
Traps.
Related commands: snmp-agent trap enable.
Example
display snmp-agent
usm-user
Syntax
View
Parameters
Description
Example
Description
User name
Group name
The name of the SNMP group which the SNMP user belongs
to
Engine ID
Storage-type
volatile
nonVolatile
permanent
readOnly
other
Description
UserStatus
View
Parameters
None
Description
Use the enable snmp trap updown command to enable the sending of
port/interface Link Up and Link Down traps.
Use the undo enable snmp trap updown command to disable the sending of
Link Up and Link Down traps.
By default, the sending of port/interface Link Up and Link Down traps is enabled.
The enable snmp trap updown command needs to be coupled with the
snmp-agent target-host command. You can use the snmp-agent target-host
command to specify the hosts that can receive Trap messages. To enable the
sending of Trap messages, you need to specify at least one host that is to receive
the Trap messages using the snmp-agent target-host command.
Examples
# Enable the port Ethernet 1/0/1 to send Link Up and Link Down SNMP Trap
messages to the NMS whose IP address is 10.1.1.1 using the community name
public.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] snmp-agent trap enable
[5500] snmp-agent target-host trap address udp-domain 10.1.1.1 params
securityname public
[5500] interface Ethernet1/0/1
[5500-Ethernet1/0/1] enable snmp trap updown
# Enable the port GigabitEthernet 1/0/1 to send Link Up and Link Down SNMP
Trap messages to the NMS whose IP address is 10.1.1.1 using the community
name public.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] snmp-agent trap enable
[5500G] snmp-agent target-host trap address udp-domain 10.1.1.1 params
securityname public
[5500G] interface GigabitEthernet1/0/1
[5500G-GigabitEthernet1/0/1] enable snmp trap updown
snmp-agent
Syntax
snmp-agent
undo snmp-agent
View
System view
Parameters
None
Description
The Switch 5500 provides the following functions to prevent attacks through
unused UDP ports.
Executing the undo snmp-agent command disables the SNMP function and also
closes the UDP ports used by SNMP agents and SNMP traps.
Example
# Disable the SNMP agent (assuming that the SNMP agent is currently enabled).
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] undo snmp-agent
snmp-agent
calculate-password
Syntax
View
Parameters
specified-switch fabricid: Uses the specified switch fabric ID to calculate the key.
switch fabricid: A case-insensitive hexadecimal string used for key calculation. The
system capitalizes the string. The length of the string must be an even number and
in the range 10 to 64 characters.
Description
Example
# Use the local switch fabric ID and the md5 algorithm to encrypt plain-text
password aaaa.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] snmp-agent calculate-password aaaa mode md5 local-switch fabricid
The result of the password is: B02A2E48346E2CBFFCE809C99CF1F6C
snmp-agent
community
Syntax
View
System view
Parameters
read: Specifies that the community to be created has read-only permission to MIB
objects. Communities of this type can only query MIBs for device information.
write: Specifies that the community to be created has read-write permission to
MIB objects. Communities of this type are capable of configuring devices.
community-name: Name of the community to be created, a string of 1 to 32
characters.
view-name: MIB view name, a string of 1 to 32 characters.
acl-number: ID of the ACL to be applied to the community, in the range 2000 to
2999.
Description
Examples
snmp-agent group
Syntax
1 Version 1 and version 2c
snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [
write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
undo snmp-agent group { v1 | v2c } group-name
2 Version 3
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view
read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number
]
undo snmp-agent group v3 group-name [ authentication | privacy ]
View
System view
Parameters
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
v3: Specifies SNMPv3.
group-name: Name of the SNMP group to be created, a string of 1 to 32
characters.
authentication: Authenticates but does not encrypt the packets.
privacy: Configures to authenticate and encrypt the packets.
read-view: Read-only view name, a string of 1 to 32 characters.
write-view: Read-write view name, a string of 1 to 32 characters.
Use the snmp-agent group command to create an SNMP group to map SNMP
users to the corresponding SNMP views.
Use the undo snmp-agent group command to remove an SNMP group.
By default, the SNMP groups created using the snmp-agent group v3 command
do not authenticate or encrypt packets.
Related commands: snmp-agent mib-view, snmp-agent usm-user.
Example
snmp-agent
local-engineid
Syntax
View
System view
Parameters
Description
Use the snmp-agent local-engineid command to set an engine ID for the local
SNMP entity.
Use the undo snmp-agent local-engineid command to restore the default
engine ID.
By default, the engine ID of an SNMP entity is formed by appending the device
information to the enterprise number. The device information depends on the
device and can be an IP address, a MAC address, or a user-defined string of
hexadecimal digits.
Related command: snmp-agent usm-user
Example
snmp-agent log
Syntax
View
System view
Parameters
set-operation: Logs the set operations.
get-operation: Logs the get operations.
all: Logs both the set operations and get operations.
Description
When SNMP logging is enabled on a device, SNMP logs are output to the
information center of the device. The output destinations configured for the
information center determine where SNMP logs are output.
The severity level of SNMP logs is informational, that is, the logs are taken as
general prompt information of the device. To view SNMP logs, you need to
enable the information center to output system information with
informational level.
Example
# Enable logging for both the get and the set operations performed on the NMS.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] snmp-agent log all
snmp-agent mib-view
Syntax
View
System view
Parameters
Description
If the number of bits in a mask value is more than the number of sub-OIDs of
the MIB subtree OID, the number of bits remains unchanged.
If the number of bits in a mask value is less than the number of sub-OIDs of
the MIB subtree OID, the missing bits are filled with 1s by default.
If no mask value is specified when you create a MIB view, the OID of the node
to be accessed must be the same as the sub-OID at the corresponding position
of the MIB subtree OID. The mask value is displayed as empty when the system
reads it.
# Create an SNMP MIB view with the name of view-a, MIB subtree of
1.3.6.1.5.4.3.4 and subtree mask of FE. MIB nodes with the OID of 1.3.6.1.5.4.3.x
are included in this view, with x indicating any integer number.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] snmp-agent mib-view included view-a 1.3.6.1.5.4.3.4 mask FE
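The mask rules and the view-a example above, worked through in code. This is an added example, not code from the 3Com documentation. It assumes the standard VACM matching rules of RFC 3415 (mask bit i, most significant bit first, governs sub-OID i; 1 means exact match, 0 means any value; when several entries match, the one with the longest subtree decides). All function names are hypothetical and VIEW_OPS is a constructed view.

```python
"""MIB view matching with a subtree mask (added example, VACM rules per RFC 3415)."""


def parse_oid(text):
    """Turn '1.3.6.1' into (1, 3, 6, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """Expand a hex mask such as 'FE' into `length` bits, most significant first.

    A mask shorter than the subtree is padded with 1s (exact match), as the
    command description states. Bits beyond the subtree length have no sub-OID
    to govern, so they are ignored when matching.
    """
    bits = []
    for byte in bytes.fromhex(mask_hex):
        bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
    bits.extend([1] * (length - len(bits)))  # no-op when the mask is long enough
    return bits[:length]


def in_family(oid, subtree, mask_hex=""):
    """True if `oid` lies in the family described by subtree + mask."""
    if len(oid) < len(subtree):
        return False  # a node above the subtree root is never part of it
    bits = mask_bits(mask_hex, len(subtree))
    return all(bit == 0 or a == b for bit, a, b in zip(bits, oid, subtree))


def view_allows(view, oid_text):
    """Decide access for one OID against a list of (type, subtree, mask) entries.

    The matching entry with the most sub-OIDs wins; ties go to the
    lexicographically greater subtree. No match at all means no access.
    """
    oid = parse_oid(oid_text)
    best = None
    for view_type, subtree_text, mask_hex in view:
        subtree = parse_oid(subtree_text)
        if not in_family(oid, subtree, mask_hex):
            continue
        rank = (len(subtree), subtree)
        if best is None or rank > best[0]:
            best = (rank, view_type)
    return best is not None and best[1] == "included"


# The view from the example above: subtree 1.3.6.1.5.4.3.4, mask FE (11111110).
VIEW_A = [("included", "1.3.6.1.5.4.3.4", "FE")]
# Same subtree without a mask: every sub-OID must match exactly.
VIEW_A_NO_MASK = [("included", "1.3.6.1.5.4.3.4", "")]
# Constructed view: read access to the internet subtree, with the VACM
# configuration tables (snmpVacmMIB, 1.3.6.1.6.3.16) carved out.
VIEW_OPS = [("included", "1.3.6.1", ""), ("excluded", "1.3.6.1.6.3.16", "")]

if __name__ == "__main__":
    for candidate in ("1.3.6.1.5.4.3.4", "1.3.6.1.5.4.3.9", "1.3.6.1.5.4.2.4"):
        print(candidate, "view-a:", view_allows(VIEW_A, candidate),
              "no mask:", view_allows(VIEW_A_NO_MASK, candidate))
    for candidate in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.16.1.2.1"):
        print(candidate, "ops view:", view_allows(VIEW_OPS, candidate))
```

A mask bit of 0 widens a view, so review any mask other than all 1s against the subtree it is attached to before binding the view to a community or group.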
snmp-agent packet
max-size
Syntax
View
System view
Parameters
byte-count: Maximum SNMP packet size (in bytes) to be set, ranging from 484 to
17,940.
Description
Use the snmp-agent packet max-size command to set the maximum SNMP
packet size allowed by an agent.
Use the undo snmp-agent packet max-size command to restore the default
maximum SNMP packet size.
By default, the maximum SNMP packet size allowed by an agent is 1,500 bytes.
Example
# Set the maximum SNMP packet size allowed by the agent to 1,042 bytes.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] snmp-agent packet max-size 1042
snmp-agent sys-info
Syntax
View
System view
Parameters
sys-contact: Contact information for system maintenance, a string of up to 200
characters.
sys-location: Geographical location of the device, a string of up to 200 characters.
version: Specifies the SNMP version to be employed.
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
v3: Specifies SNMPv3.
all: Specifies all the SNMP versions available, that is, SNMPv1, SNMPv2c, and
SNMPv3.
Description
Use the snmp-agent sys-info command to set the system information, including
geographical location of the switch, contact information for system maintenance,
and the SNMP version employed by the switch.
Use the undo snmp-agent sys-info location command to restore the default
settings.
If the switch fails, you can contact the switch manufacturer according to the
system information.
By default, the contact information of a Switch 5500 is 3Com Corporation, the
geographical location is Marlborough, MA, and the SNMP version employed is
SNMPv3.
Related command: display snmp-agent sys-info.
Example
snmp-agent
target-host
Syntax
View
System view
Parameters
trap: Enables the host to receive SNMP Traps.
address: Specifies the destination for the SNMP Traps.
udp-domain: Specifies to use UDP to communicate with the target host.
ip-address: The IPv4 address of the host that is to receive the Traps.
port-number: Number of the UDP port that is to receive the Traps, in the range 1
to 65,535.
params: Specifies SNMP target host information to be used in the generation of
SNMP Traps.
Example
# Enable sending SNMP Traps to 10.1.1.1, and set the community name to public.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] snmp-agent trap enable standard
[5500] snmp-agent target-host trap address udp-domain 10.1.1.1 params
securityname public
snmp-agent trap
enable
Syntax
View
System view
Parameters
Description
Use the snmp-agent trap enable command to enable a device to send SNMP
Traps that are of specified types.
Use the undo snmp-agent trap enable command to disable a device from
sending SNMP Traps that are of specified types.
By default, a device sends all types of SNMP Traps.
The snmp-agent trap enable command needs to be coupled with the
snmp-agent target-host command. The snmp-agent target-host command
specifies the destination hosts for SNMP Traps. At least one destination host is
required for SNMP Traps.
Example
View
System view
Parameters
None
Description
Use the snmp-agent trap ifmib link extended command to configure the
extended Trap. Interface description and interface type are added into the
extended linkUp/linkDown Trap message.
Use the undo snmp-agent trap ifmib link extended command to restore the
default setting.
By default, the linkUp/linkDown Trap message adopts the standard format defined
in IF-MIB (refer to RFC 1213 for detail). In this case, no MIB object name is added
after the OID field of the MIB object.
Example
View
System view
Parameters
seconds: SNMP Trap aging time (in seconds) to be set, ranging from 1 to
2,592,000.
Description
Use the snmp-agent trap life command to set the SNMP Trap aging time. SNMP
Traps exceeding the aging time will be discarded.
Use the undo snmp-agent trap life command to restore the default SNMP Trap
aging time.
By default, the SNMP Trap aging time is 120 seconds.
Related commands: snmp-agent trap enable, snmp-agent target-host.
Example
snmp-agent trap
queue-size
Syntax
View
System view
Parameters
size: Length of an SNMP Trap queue (that is, the maximum number of Traps the
queue can contain), an integer ranging from 1 to 1,000.
Description
Use the snmp-agent trap queue-size command to set the length of the queue
of the SNMP Traps to be sent to the destination.
Use the undo snmp-agent trap queue-size command to restore the default
queue length.
By default, an SNMP Trap queue can contain up to 100 SNMP Traps.
Related commands: snmp-agent trap enable, snmp-agent target-host, and
snmp-agent trap life.
Example
snmp-agent trap
source
Syntax
View
System view
Parameters
interface-type: Interface type.
interface-number: Interface number.
Description
Use the snmp-agent trap source command to configure the source address for
the SNMP Traps sent.
Use the undo snmp-agent trap source command to cancel the configuration.
SNMP Traps sent by a server share the same source IP address regardless of the
interfaces through which they are sent. You can use the snmp-agent trap source
command to specify the source IP address.
Before configuring an interface to be the source interface for the SNMP traps sent,
make sure the interface is assigned an IP address.
Related commands: snmp-agent trap enable, snmp-agent target-host.
Example
# Configure VLAN-interface 1 as the source interface for the SNMP Traps sent.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] snmp-agent trap source Vlan-interface 1
snmp-agent usm-user
Syntax
1 SNMPv1 and SNMPv2c
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
undo snmp-agent usm-user { v1 | v2c } user-name group-name
2 SNMPv3
snmp-agent usm-user v3 user-name group-name [ cipher ] [
authentication-mode { md5 | sha } auth-password [ privacy-mode { des56 |
aes128 } priv-password ] ] [ acl acl-number ]
undo snmp-agent usm-user v3 user-name group-name { local | switch fabricid
switch fabricid-string }
View
System view
Parameters
v1: Specifies to use SNMPv1 security mode.
v2c: Specifies to use SNMPv2c security mode.
v3: Specifies to use SNMPv3 security mode.
user-name: Name of the user to be added, a string of 1 to 32 characters.
group-name: Name of the group corresponding to the user, a string of 1 to 32
characters.
cipher: Specifies the authentication or encryption password to be in ciphertext.
authentication-mode: Specifies the safety level as authentication required. If you
do not specify this keyword, neither authentication nor encryption is performed.
md5: Uses HMAC MD5 algorithm for authentication.
Example
# Add a user named John to the SNMPv3 group named Johngroup. And set:
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] snmp-agent group v3 Johngroup privacy
[5500] snmp-agent usm-user v3 John Johngroup authentication-mode md5
hello privacy-mode aes128 cfb128cfb128
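The SNMP commands in this chapter leave several security-relevant choices to the operator: community strings with or without an ACL, v3 groups that by default neither authenticate nor encrypt, md5 versus sha, des56 versus aes128, and whether get/set logging is on. The following added example (not 3Com code) audits configuration text for those choices. It assumes each setting appears as one line in the command forms shown in this chapter, with the community line written as `snmp-agent community read|write name`; the rule names, the list of default community names and both sample configurations are constructed.

```python
"""Audit the snmp-agent lines of a switch configuration (added example)."""

# Constructed list of community names that should never be left in place.
DEFAULT_COMMUNITY_NAMES = {"public", "private"}


def keyword_value(args, keyword):
    """Return the word that follows `keyword` in args, or '' if absent."""
    if keyword in args:
        index = args.index(keyword)
        if index + 1 < len(args):
            return args[index + 1]
    return ""


def audit_snmp(config_text):
    """Return sorted (line_number, rule) findings; line 0 means the whole config."""
    findings = set()
    logging_on = False
    for number, raw in enumerate(config_text.splitlines(), start=1):
        words = raw.split()
        if len(words) < 2 or words[0] != "snmp-agent":
            continue
        sub, args = words[1], words[2:]

        if sub == "log":
            logging_on = True
        elif sub == "sys-info" and args[:1] == ["version"]:
            # v1 and v2c carry the community string in clear text.
            if {"v1", "v2c", "all"} & set(args[1:]):
                findings.add((number, "v1-v2c-enabled"))
        elif sub == "community" and len(args) >= 2:
            access, name = args[0], args[1]
            if name.lower() in DEFAULT_COMMUNITY_NAMES:
                findings.add((number, "community-default-name"))
            if access == "write":
                findings.add((number, "community-write"))
            if "acl" not in args[2:]:
                findings.add((number, "community-no-acl"))
        elif sub == "group" and args[:1] == ["v3"] and len(args) >= 2:
            # Without a keyword after the group name, packets are neither
            # authenticated nor encrypted (the documented default).
            level = args[2] if len(args) > 2 else ""
            if level not in ("authentication", "privacy"):
                findings.add((number, "v3-group-noauth"))
            elif level == "authentication":
                findings.add((number, "v3-group-no-privacy"))
        elif sub == "usm-user" and args[:1] == ["v3"]:
            if "authentication-mode" not in args:
                findings.add((number, "v3-user-noauth"))
                continue
            if keyword_value(args, "authentication-mode") == "md5":
                findings.add((number, "v3-user-md5"))
            if "privacy-mode" not in args:
                findings.add((number, "v3-user-no-privacy"))
            elif keyword_value(args, "privacy-mode") == "des56":
                findings.add((number, "v3-user-des56"))

    if not logging_on:
        findings.add((0, "snmp-logging-off"))
    return sorted(findings)


# Constructed sample: the weak choices, using names from this chapter's examples.
SAMPLE_WEAK = """\
snmp-agent sys-info version all
snmp-agent community read public
snmp-agent community write private acl 2001
snmp-agent group v3 Johngroup privacy
snmp-agent group v3 opsgroup
snmp-agent usm-user v3 John Johngroup authentication-mode md5 hello privacy-mode aes128 cfb128cfb128
snmp-agent usm-user v3 alice opsgroup
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
"""

# Constructed sample: v3 only, authentication and encryption, ACL, set logging.
SAMPLE_HARDENED = """\
snmp-agent sys-info version v3
snmp-agent group v3 Johngroup privacy acl 2001
snmp-agent usm-user v3 John Johngroup authentication-mode sha AUTH-PLACEHOLDER privacy-mode aes128 PRIV-PLACEHOLDER acl 2001
snmp-agent log set-operation
"""

if __name__ == "__main__":
    for line_number, rule in audit_snmp(SAMPLE_WEAK):
        print(f"line {line_number}: {rule}")
    print("hardened findings:", audit_snmp(SAMPLE_HARDENED))
```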
71
display rmon alarm
Syntax
View
Parameters
Description
Use the display rmon alarm command to display the configuration of a specified
alarm entry or all the alarm entries. If you do not specify the entry-number
argument, the configuration of all the alarm entries is displayed.
Related commands: rmon alarm.
Example
Description
Alarm table
user1
Valid
Samples type
Variable formula
Sampling interval
Sampling interval
Rising threshold
Rising threshold
Falling threshold
Falling threshold
Description
Latest value
Parameters
Description
Use the display rmon event command to display the configuration of a specified
RMON event entry. If you do not specify the event-entry argument, the
configuration of all the RMON event entries is displayed.
This command displays the following information:
Event description
The time (in seconds) when the latest event is triggered (in terms of the time
elapsed since the system is started/initialized).
Description
Event table
VALID
Description
Description
last triggered at
Parameters
Description
Use the display rmon eventlog command to display the log of an RMON event.
If you do not specify the event-entry argument, the log of all the RMON events is
displayed.
This command displays the following information:
Example
The time (in seconds) when an event log is generated (in terms of the time
elapsed since the system is started or initialized)
Description
Event table
VALID
Description
Parameters
Description
Use the display rmon history command to display the RMON history information
about a specified port. The information about the latest sample, including
bandwidth utilization, the number of errors, the total number of packets, and so
on, is also displayed. If you do not provide the interface-type interface-number or
unit-number argument, this command displays the RMON history information
about all the ports/units.
Related commands: rmon history.
Example
10035
35
0
0
0
0
Description
VALID
Samples interface
Sampled interface
Sampling interval
Sampling interval
buckets
dropevents
octets
packets
broadcastpackets
multicastpackets
undersize packets
oversize packets
fragments
jabbers
collisions
utilization
Bandwidth utilization
Parameters
Description
Example
Description
Prialarm table
owned by user1
VALID
Samples type
Variable formula
Description
Description
Sampling interval
Sampling interval
Rising threshold
Rising threshold
Falling threshold
Falling threshold
Description
Latest value
Description
Use the display rmon statistics command to display the RMON statistics on a
specified port or a specified unit. If you do not specify the port or the unit, this
command displays the RMON statistics on all the ports or units.
The information displayed includes the number of:
Collisions
Undersize/Oversize packets
Broadcast/multicast packets
Received bytes
Received packets
Description
Statistics entry
VALID
:
:
:
:
:
217
25
0
0
0
Description
Interface
etherStatsOctets
etherStatsPkts
etherStatsBroadcastPkts
etherStatsMulticastPkts
etherStatsUndersizePkts
etherStatsOversizePkts
etherStatsFragments
etherStatsJabbers
etherStatsCRCAlignErrors
etherStatsCollisions
etherStatsDropEvents
rmon alarm
Syntax
View
System view
Parameters
entry-number: Index of the alarm entry to be added/removed, in the range 1 to
65535.
alarm-variable: Alarm variable, a string comprising 1 to 256 characters in dotted
node OID format (such as 1.3.6.1.2.1.2.1.10.1). Only the variables that can be
resolved to ASN.1 INTEGER data type (that is, INTEGER, Counter, Gauge, or
TimeTicks) can be used as alarm variables.
sampling-time: Sampling interval (in seconds), in the range 5 to 65,535.
delta: Specifies to sample increments (that is, the current increment with regard
to the latest sample)
absolute: Specifies to sample absolute values.
rising_threshold threshold-value1: Specifies the upper threshold. The
threshold-value1 argument ranges from 0 to 2,147,483,647.
event-entry1: Index of the event entry corresponding to the upper threshold, in
the range of 0 to 65535.
Use the rmon alarm command to add an alarm entry to the alarm table. If you do
not specify the owner text keyword/argument combination, the owner of the
entry is displayed as null.
Use the undo rmon alarm command to remove an alarm entry from the alarm
table.
You can use the rmon alarm command to define an alarm entry so that a specific
alarm event can be triggered under specific circumstances. The action (such as
logging and sending Traps to NMS) taken after an alarm event occurs is
determined by the corresponding alarm entry.
Before adding an alarm entry, make sure the events to be referenced in the alarm
entry exist. Refer to the rmon event command on page 987 for related
information.
With an alarm entry defined in an alarm group, a network device performs the
following operations accordingly:
Comparing the sampled value with the set thresholds and performing the
corresponding operations, as described in Table 192.
Operation
The sample value is smaller than the set lower threshold (threshold-value2):
Triggering the event identified by the event-entry2 argument
Before adding an alarm entry, you need to use the rmon event command to
define the events to be referenced by the alarm entry.
Make sure the node to be monitored exists before executing the rmon alarm
command.
Example
Upper threshold: 50
Lower threshold: 5
Owner: user1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] rmon statistics 1
[5500-Ethernet1/0/1] quit
[5500] rmon event 1 log
[5500] rmon event 2 none
[5500] rmon alarm 1 1.3.6.1.2.1.16.1.1.1.4.1 10 absolute rising_threshold 50 1
falling_threshold 5 2 owner user1
rmon event
Syntax
View
System view
Parameters
event-entry: Event entry index, in the range of 1 to 65535.
description string: Specifies the event description, a string of 1 to 127 characters.
log: Logs events.
trap: Sends Traps to the NMS.
trap-community: Community name of the NMS that receives the Traps, a string of
1 to 127 characters.
log-trap: Logs the event and sends Traps to NMS.
log-trapcommunity: Community name of the NMS that receives the Traps, a
character string of 1 to 127 characters.
none: Specifies that the event triggers no action.
owner text: Specifies the owner of the event entry, a string of 1 to 127 characters.
Description
Use the rmon event command to add an entry to the event table. If you do not
specify the owner text keyword/argument combination, the owner of the entry is
displayed as null.
Use the undo rmon event command to remove an entry from the event table.
When adding an event entry to the event table, you need to specify the event
index. You also need to specify the corresponding action (logging the event,
sending Traps to the NMS, or both) for the network device to perform when an
alarm referencing the event is triggered.
Example
# Add the event entry numbered 10 to the event table and configure it to be a log
event.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] rmon event 10 log
rmon history
Syntax
View
Parameters
Description
Use the rmon history command to add an entry to the history control table. If
you do not specify the owner text keyword/argument combination, the owner of
the entry is displayed as null.
Use the undo rmon history command to remove an entry from the history
control table.
You can use the rmon history command to sample a specific port. You can also
set the sampling interval and the number of the samples that can be saved. After
you execute this command, the RMON system samples the port periodically and
stores the samples for later retrieval. The sampled information includes utilization,
the number of errors, and total number of packets.
You can use the display rmon history command to display the statistics of the
history control table.
Examples
# Create the history control entry numbered 1 for Ethernet 1/0/1, with the table
size being 10, the sampling interval being 5 seconds, and the owner being user1.
<5500> system-view
System View: return to User View with Ctrl+Z.
rmon prialarm
Syntax
View
System view
Parameters
entry-number: Extended alarm entry index, in the range 1 to 65535.
prialarm-formula: Expression used to perform operations on the alarm variables, a
string of 1 to 256 characters. The alarm variables in the expression must be
represented by OIDs, for example, (.1.3.6.1.2.1.2.1.10.1)*8. The operations
available are addition, subtraction, multiplication and division operations. The
operation results are rounded to values that are of long integer type. To prevent
invalid operation results, make sure the operation results of each step are valid
long integers.
prialarm-des: Alarm description, a string of 1 to 128 characters.
sampling-timer: Sampling interval (in seconds), in the range 10 to 65,535.
delta | absolute | changeratio: Specifies the sample type.
threshold-value1: Upper threshold, in the range 0 to 2,147,483,647.
event-entry1: Index of the event entry that corresponds to the upper threshold, in
the range 0 to 65535.
threshold-value2: Lower threshold, in the range 0 to 2,147,483,647.
event-entry2: Index of the event entry that corresponds to the lower threshold, in
the range 0 to 65535.
forever: Specifies the corresponding RMON alarm instance is valid permanently.
cycle: Specifies the corresponding RMON alarm instance is valid periodically.
cycle-period: Life time (in seconds) of the RMON alarm instance, in the range 0 to
2,147,483,647.
owner text: Specifies the owner of the alarm entry, a string of 1 to 127
characters.
Description
Before adding an extended alarm entry, you need to use the rmon event
command to define the events to be referenced by the entry.
Make sure the node to be monitored exists before executing the rmon event
command.
With an extended alarm entry defined in an extended alarm group, the device
performs the following operations accordingly:
Comparing the operation result with the set thresholds and performing the
corresponding operations, as described in Table 193.
Examples
Comparison
Operation
Upper threshold: 50
Lower threshold: 5
Event 1 is triggered when the change ratio is larger than the upper threshold.
Event 2 is triggered when the change ratio is less than the lower threshold.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500]interface Ethernet 1/0/1
[5500-Ethernet1/0/1] rmon statistics 1
[5500-Ethernet1/0/1] quit
[5500] rmon prialarm 2 ((.1.3.6.1.2.1.16.1.1.1.4.1)*100) test 10 changeratio
rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user1
# Remove the extended alarm entry numbered 2 from the extended alarm table.
[5500] undo rmon prialarm 2
rmon statistics
Syntax
View
Parameters
Description
Use the rmon statistics command to add an entry to the statistics table. If you do
not specify the owner text keyword/argument combination, the owner of the
entry is displayed as null.
Use the undo rmon statistics command to remove an entry from the statistics
table.
The RMON statistics management function collects statistics on the usage of
the monitored ports and on the errors that occurred on them. The statistics
include the number of the following items:
Collisions
Undersize/Oversize packets
Broadcast/Multicast packets
Received packets
Received bytes
For each port, only one RMON statistics entry can be created. That is, if an RMON
statistics entry was already created for a given port, you will fail to create a
statistics entry with a different index for the port.
You can use the display rmon statistics command to display the information
about the statistics entry.
Example
# Add the statistics entry numbered 20 to take statistics of Ethernet 1/0/1 port.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500]interface Ethernet 1/0/1
[5500-Ethernet1/0/1] rmon statistics 20
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G]interface GigabitEthernet 1/0/1
[5500G-GigabitEthernet1/0/1] rmon statistics 20
72
UDP port 123 is opened only when the NTP feature is enabled.
Execution of the undo form of one of the above six commands disables all
implementation modes of the NTP feature and closes UDP port 123 at the
same time.
display ntp-service
sessions
Syntax
View
Parameter
Description
Example
Description
source
reference
reach: Reachability count of the clock source. Zero indicates that the clock source is unreachable.
poll: Polling interval in seconds, that is, the maximum interval between two successive messages.
now
offset
delay: Network delay, that is, the round trip delay from the local switch to the clock source, in milliseconds.
disper
[12345]
Total associations
CAUTION: The Switch 5500 does not establish a session with its client when it
works in the NTP server mode, but does so when it works in other NTP
implementation modes.
display ntp-service
status
Syntax
View
Parameters
None
Description
Use the display ntp-service status command to display the status of NTP
services.
Example
Description
Clock status
Clock stratum
Reference clock ID
Nominal frequency
Actual frequency
Clock precision
Clock offset
Root delay
Root dispersion
Peer dispersion
Reference time
Reference timestamp
display ntp-service
trace
Syntax
View
Parameters
None
Description
Use the display ntp-service trace command to display the brief information of
each NTP time server along the time synchronization chain from the local switch to
the reference clock source.
Example
# View the brief information of each NTP time server along the time
synchronization chain from the local switch to the reference clock source.
0.0019529, synch distance 0.144135
0.0124263, synch distance 0.115784
0.0019298, synch distance 0.011993
0.0019298, synch distance 0.011993 refid
The above information displays the time synchronization chain of server4: server4
is synchronized to server3, server3 to server2, server2 to server1, and server1 to
the reference clock source GPS receiver.
ntp-service access
Syntax
View
System view
Parameters
query: Control query right. This level of right permits the peer device to perform
control query to the NTP service on the local device but does not permit the peer
device to synchronize its clock to the local device. Control query refers to the NTP
service query state, including alarm information, authentication status, and clock
source information.
synchronization: Synchronization right. This level of right permits the peer device
to synchronize its clock to the local switch but does not permit the peer device to
perform control query.
server: Server right. This level of right permits the peer device to perform
synchronization and control query to the local switch but does not permit the local
switch to synchronize its clock to the peer device.
peer: Peer right. This level of right permits the peer device to perform
synchronization and control query to the local switch and also permits the local
switch to synchronize its clock to the peer device.
acl-number: Basic access control list (ACL) number, in the range of 2000 to 2999.
Description
Use the ntp-service access command to set the access control right to the local
NTP server.
Use the undo ntp-service access command to remove the configured access
control right to the local NTP server.
By default, the access control right to the local NTP server is peer.
The ntp-service access command provides only a minimal degree of security.
A more secure way is to perform identity authentication.
The right of a received access request is matched from the highest to the lowest in
order of peer, server, synchronization, and query.
Example
# Configure the peer in ACL 2076 to have the full access right to the local NTP
server, including time request, query control, and time synchronization.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ntp-service access peer 2076
# Configure the peer in ACL 2028 to have the right to access and query the local
NTP server.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ntp-service access server 2028
ntp-service
authentication enable
Syntax
View
System view
Parameters
None
Description
Example
ntp-service
authentication-keyid
Syntax
View
System view
Parameters
Description
Example
# Configure an MD5 authentication key, with the key ID being 10 and the key
being BetterKey.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ntp-service authentication-keyid 10 authentication-mode md5 BetterKey
ntp-service
broadcast-client
Syntax
ntp-service broadcast-client
undo ntp-service broadcast-client
View
Parameters
None
Description
Example
# Configure the switch to operate in the broadcast client mode and receive NTP
broadcast messages through VLAN-interface 1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface1
[5500-Vlan-interface1] ntp-service broadcast-client
ntp-service
broadcast-server
Syntax
View
Parameters
Description
Example
ntp-service
in-interface disable
Syntax
View
Parameters
None
Description
Use the ntp-service in-interface disable command to disable the interface from
receiving NTP messages.
Use the undo ntp-service in-interface disable command to restore the default.
By default, the interface can receive NTP messages.
Example
ntp-service
max-dynamic-sessions
Syntax
View
System view
Parameter
number: Maximum number of the dynamic NTP sessions that can be established
locally. This argument ranges from 0 to 100.
Description
Use the ntp-service max-dynamic-sessions command to set the maximum
number of dynamic NTP sessions that can be established locally.
Use the undo ntp-service max-dynamic-sessions command to restore the
default.
By default, up to 100 dynamic NTP sessions can be established locally.
Example
# Set the maximum number of dynamic NTP sessions that can be established
locally to 50.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ntp-service max-dynamic-sessions 50
ntp-service
multicast-client
Syntax
View
Parameter
Description
ntp-service
multicast-server
Syntax
View
Parameters
Description
Example
ntp-service reliable
authentication-keyid
Syntax
View
System view
Parameter
key-id: Authentication key ID, in the range of 1 to 4294967295.
Description
Use the ntp-service reliable authentication-keyid command to specify an
authentication key as a trusted key.
If authentication is enabled, a client can only be synchronized to a server that can
provide a trusted key.
Use the undo ntp-service reliable authentication-keyid command to remove
the configuration.
By default, no trusted key is configured.
Example
# Enable NTP authentication. The encryption algorithm is MD5, the key ID is 37,
and the trusted key is BetterKey.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ntp-service authentication enable
[5500] ntp-service authentication-keyid 37 authentication-mode md5 BetterKey
[5500] ntp-service reliable authentication-keyid 37
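The effect of the three commands above can be modelled offline. The following Python sketch is an added example, not 3Com code: it assumes the usual NTP symmetric-key authenticator (a 4-byte key ID followed by MD5 of the key concatenated with the 48-byte header) and shows that a reply is accepted only when its key ID is both configured and marked as trusted. The function names and the header values are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTP header length in bytes
MAC_LEN = 4 + 16         # key ID (4 bytes) + MD5 digest (16 bytes)


def build_header(mode=4, version=3, stratum=2, transmit_ts=0):
    """Pack a 48-byte NTP header from constructed values (not a capture)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
    # reference ID, then reference/originate/receive/transmit timestamps.
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, 6, -20,
                       0, 0, b"GPS\x00", 0, 0, 0, transmit_ts)


def sign(header, key_id, key):
    """Append the authenticator: key ID followed by MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys, trusted_ids, auth_enabled=True):
    """Model the client-side decision for one received NTP message.

    keys        -> {key_id: key_bytes}, as set by authentication-keyid
    trusted_ids -> set of key IDs, as set by reliable authentication-keyid
    """
    if len(packet) == NTP_HEADER_LEN:
        return "rejected: no authenticator" if auth_enabled else "accepted"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return "rejected: malformed length"
    if not auth_enabled:
        return "accepted"            # authenticator present but not checked
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return "rejected: unknown key ID"
    if key_id not in trusted_ids:
        return "rejected: key not trusted"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return "rejected: digest mismatch"
    return "accepted"


def demo():
    """Run the page's key IDs (37 trusted, 10 configured only) through verify."""
    keys = {37: b"BetterKey", 10: b"BetterKey"}
    trusted = {37}
    header = build_header(transmit_ts=0xE000000000000000)
    good = sign(header, 37, b"BetterKey")
    tampered = bytes([good[0], 1]) + good[2:]      # stratum altered in transit
    return {
        "trusted key 37": verify(good, keys, trusted),
        "untrusted key 10": verify(sign(header, 10, b"BetterKey"), keys, trusted),
        "tampered header": verify(tampered, keys, trusted),
        "no authenticator": verify(header, keys, trusted),
        "auth disabled": verify(header, keys, trusted, auth_enabled=False),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```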
ntp-service
source-interface
Syntax
View
System view
Parameter
Description
If you do not want the IP addresses of the other interfaces on the local switch to
be the destination addresses of response messages, you can use this command to
specify a specific interface to send all NTP packets. In this way, the IP address of
the interface is the source IP address of all NTP messages sent by the local device.
Example
# Specify the source IP addresses of all sent NTP messages as the IP address of
VLAN-interface 1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ntp-service source-interface Vlan-interface 1
ntp-service
unicast-peer
Syntax
View
System view
Parameters
remote-ip: IP address of the NTP symmetric-passive peer. This argument cannot be
a broadcast address, a multicast address, or the IP address of the local reference
clock.
peer-name: Symmetric-passive peer host name, a string comprising 1 to 20
characters.
authentication-keyid key-id: Specifies the key ID used for sending messages to
the peer. The key-id argument ranges from 1 to 4294967295. By default,
authentication is not enabled.
priority: Specifies the peer identified by the remote-ip argument as the preferred
peer for synchronization.
source-interface Vlan-interface vlan-id: Specifies an interface whose IP address
serves as the source IP address of NTP message sent to the peer. vlan-id is the
VLAN interface number.
version number: Specifies the NTP version number. The version number ranges
from 1 to 3 and defaults to 3.
Description
If you use remote-ip to specify a remote device as the peer of the local Ethernet
switch, the local switch operates in the symmetric-active peer mode. In this case,
the local Ethernet switch and the remote device can be synchronized to each
other.
Example
# Configure the local switch to obtain time information from the peer with the IP
address 128.108.22.44 and also to provide time information to the peer. Set the
NTP version number to 3. The source IP address of NTP messages is the IP address
of Vlan-interface1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ntp-service unicast-peer 128.108.22.44 version 3 source-interface Vlan-interface 1
ntp-service
unicast-server
Syntax
View
System view
Parameters
remote-ip: IP address of an NTP server. This argument cannot be a broadcast
address, multicast group address, or IP address of the local clock.
server-name: NTP server name, a string comprising 1 to 20 characters.
authentication-keyid key-id: Specifies the key ID used for sending messages to
the NTP server. The key-id argument ranges from 1 to 4294967295. You do not
need to configure authentication-keyid key-id if authentication is not required.
priority: Specifies the server identified by the remote-ip or the server-name
argument as the preferred server.
source-interface Vlan-interface vlan-id: Specifies an interface whose IP address
serves as the source IP address of NTP packets sent by the local switch to the
server.
version number: Specifies the NTP version number. The number argument ranges
from 1 to 3 and defaults to 3.
Description
The remote device specified by remote-ip serves as the NTP server and the local
Ethernet switch serves as the NTP client. The client can be synchronized to the
server while the server cannot be synchronized to the client.
Example
# Configure the local switch to be synchronized to the NTP server with the IP
address 128.108.22.44, and set the version number to 3.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ntp-service unicast-server 128.108.22.44 version 3
SSH COMMANDS
73
display public-key
local
Syntax
View
Parameters
Description
Use the display public-key local command to display the public key of the local
RSA or DSA key pair.
Examples
# Display the public key of the local RSA key pair.
<5500> display public-key local rsa public
=====================================================
Time of Key pair created: 00:44:31 2000/04/13
Key name: H3C_Host
Key type: RSA encryption Key
=====================================================
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100BB562B46A2
BEFB18CC8474F0D858AAAC5A7157C4D2DD432DCDACCF708C5BE905926CB61C2890B3
5E5A319C97B7C75FD1745D0284E1DA7BEBC3658FFED8208F654818ACADFACB4C0536
153C7B5E8E93952B999C0632A3DC952E8509C3197441A18B9C0727530DDE1C1ACDB8
9BFFD17AC98DBD5739D7CD424A52282230DF8CE3DF0203010001
display public-key
peer
Syntax
View
Parameters
Description
Use the display public-key peer command to display information about the peer
public keys. If no key name is specified, the command displays detailed
information about all peer public keys.
CAUTION: Sometimes the public key modulus displayed with the display public-key
peer command is one bit smaller than the actual modulus. This is because the
actually generated key pair is one bit smaller than specified. For example, when
you specify a 1024-bit key pair, the actually generated key pair may have 1024 or
1023 bits.
Example
display rsa
local-key-pair public
Syntax
View
Parameters
None
Description
Use the display rsa local-key-pair public command to display the public key of
the RSA host key pair on the server. If no key pair has been generated, the system
prompts % RSA keys not found.
Related command: rsa local-key-pair create
Example
# Display the public keys of the host key pair and server key pair on the server.
<5500> display rsa local-key-pair public
=====================================================
Time of Key pair created: 20:08:35 2000/04/02
Key name: 3Com_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
DE99B540 87B666B9 69C948CD BBCC2B60 997F9C18
9AA6651C 6066EF76 242DEAD1 DEFEA162 61677BD4
1A7BFAE7 668EDAA9 FB048C37 A0F1354D 5798C202
2253F4F5
0203
010001
display rsa
peer-public-key
Syntax
View
Parameters
Description
Use the display rsa peer-public-key command to display information about the
peer public keys. If no key name is specified, the command displays detailed
information about all peer public keys.
CAUTION: Sometimes the public key modulus displayed with the display rsa
peer-public-key command is one bit smaller than the actual modulus. This is
because the actually generated key pair is one bit smaller than specified. For
example, when you specify a 1024-bit key pair, the actually generated key pair
may have 1024 or 1023 bits.
Example
Description
Use the display ssh server command to display status or session information
about the SSH Server.
Related commands: ssh server authentication-retries and ssh server timeout
Examples
SerType   Username
stelnet   kk
sFTP      abc
Table 196 Description of the display ssh server session command fields
Field: Description
Conn
Ver: SSH version
Encry
State: Session status
Retry
SerType: Service type
Username: User name
Parameters
None
Description
Use the display ssh server-info command to display the association between the
server public keys configured on the client and the servers.
Example
# Display the association between the server public keys and the servers.
<5500> display ssh server-info
Server Name(IP)
Server public key name
_______________________________________________________________________
192.168.0.90
192.168.0.90
display ssh
user-information
Syntax
View
Parameter
Description
Example
Parameters
None
Description
Use the display ssh2 source-ip command to display the current source IP address
or the IP address of the source interface specified for the SSH client. If neither
source IP address nor source interface is specified, the command displays 0.0.0.0.
Example
# Display the current source IP address specified for the SSH Client.
<5500> display ssh2 source-ip
The source IP you specified is 192.168.0.1
display ssh-server
source-ip
Syntax
View
Parameters
None
Description
Use the display ssh-server source-ip command to display the current source IP
address or the IP address of the source interface specified for the SSH server. If
neither source IP address nor source interface is specified, the command displays
0.0.0.0.
Example
# Display the current source IP address specified for the SSH Server.
<5500> display ssh-server source-ip
The source IP you specified is 192.168.1.1
peer-public-key end
Syntax
peer-public-key end
View
Public key view
Parameters
None
Description
Use the peer-public-key end command to return from public key view to system
view.
Related commands: rsa peer-public-key, public-key-code begin, and
public-key peer
Example
protocol inbound
Syntax
View
Parameters
Description
CAUTION:
Example
Description
Use the public-key local create command to create a local DSA key pair or RSA
key pair.
Note that:
After entering this command, you will be prompted to provide the length of
the key pair. The length of a server/host key must be in the range 512 to 2048
bits and defaults to 1024. If the key pair already exists, the system will ask you
whether you want to overwrite it.
The configuration of this command can survive a reboot. You only need to
configure it once.
Examples
Generating keys...
public-key local
destroy
Syntax
View
Parameters
Description
Use the public-key local destroy command to destroy the local DSA key pair or
RSA key pair.
Examples
# Destroy the local RSA key pair.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500]public-key local destroy dsa
% Confirm to destroy these keys? [Y/N]:y
......
Parameters
Description
Use the public-key local export rsa command to display the RSA local public key
on the screen or export it to a specified file.
Related commands: public-key local create and rsa local-key-pair create
Examples
# Export the public key of the local RSA key pair in the format of OpenSSH and
save the public key file as pub_ssh_file2.
<5500> system-view
[5500] public-key local export rsa openssh pub_ssh_file2
# Export the public key of the local RSA key pair in the format of SSH1 and save
the public key file as pub_ssh_file3.
<5500> system-view
[5500] public-key local export rsa ssh1 pub_ssh_file3
# Export the public key of the local RSA key pair in the format of OpenSSH and
display it on the screen.
<5500> system-view
[5500] public-key local export rsa openssh
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAAAgJp9xSd08CLsjJSP2ns9BezJpbBiT0e62hmPyUdF
JXS+ZYywnZ2oofy9lZAmQrGEqJtkifWpI1gqboM0LAqtGxS145Nlyz+MnVME+NH0XbuM
EIa2zI2l3XmwgyEOcMMaJ0RAQ4ui3O3ijAs4VuecgANyMy9ShSsvkNluru3ZrW1Z rsa-key
Description
Use the public-key local export dsa command to display the DSA local public
key on the screen or export it to a specified file.
public-key peer
Syntax
View
System view
Parameter
keyname: Name of the public key, a string of 1 to 64 characters.
Description
Use the public-key peer command to enter public key view.
Use the undo public-key peer command to delete the configuration of peer
public key.
After configuring this command, you enter public key view. You can use this
command together with the public-key-code begin command to configure the
peer public key.
Only the public key whose modulus is of 512 to 2,048 bits can be configured on
the Switch 5500 Family currently.
Example
# Enter public key view.
<5500>system-view
System View: return to User View with Ctrl+Z.
[5500]public-key peer pub.ppk
PKEY public key view: return to System View with peer-public-key end.
[5500-peer-public-key]
View
System view
Parameters
keyname: Name of the public key, a string of 1 to 64 characters.
filename: Name of the file used to save the public key, a string of 1 to 142
characters.
Description
Use the public-key peer import sshkey command to import a peer public key
from the public key file.
Use the undo public-key peer command to remove the setting.
Public key files only support the format of SSH1, SSH2, and OpenSSH.
Only the public key whose modulus is of 512 to 2,048 bits can be imported to
the server from the public key file of the user.
Example
# Import the public key of the user from the public key file named pub.ppk and
name it as peer.pk.
<5500>system-view
System View: return to User View with Ctrl+Z.
[5500] public-key peer peer_pk import sshkey pub.ppk
public-key-code begin
Syntax
public-key-code begin
View
Public key view
public-key-code end
Parameters
None
Description
Use the public-key-code begin command to enter public key edit view.
After entering public key code view, you can input the key data. It must be a
hexadecimal string and coded compliant to PKCS.
Related commands: rsa peer-public-key, public-key peer, and public-key-code
end
Example
public-key-code end
Syntax
public-key-code end
View
Public key edit view
Parameters
None
Description
Use the public-key-code end command to return from public key edit view to
public key view and save the public key you input.
After you use this command to end editing the public key, the system will check
the validity of the public key before saving the key.
If there is any illegal character in the key, your configuration fails. In this case, a
prompt is displayed and the key is discarded.
# Exit public key edit view and save the public key you input.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] rsa peer-public-key Switch003
RSA public key view: return to System View with peer-public-key end.
[5500-rsa-public-key] public-key-code begin
RSA key code view: return to last view with public-key-code end.
[5500-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[5500-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[5500-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[5500-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[5500-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[5500-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[5500-rsa-key-code] public-key-code end
[5500-rsa-public-key]
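The validity check that public-key-code end performs can be rehearsed offline before a key is typed into the switch. The following Python sketch is an added example, not 3Com code: it assumes the key code is a DER-encoded RSA public key (a SEQUENCE holding the modulus and the exponent), which matches the byte layout of the two key codes printed in this chapter, and it applies the 512 to 2,048-bit modulus range stated for peer public keys. The function names are hypothetical, and the 2048-bit finding is a present-day baseline rather than a statement from this manual.

```python
# Key code exactly as entered in the public-key-code example above.
MANUAL_KEY_CODE = """
308186028180739A291ABDA704F5D93DC8FDF84C427463
1991C164B0DF178C55FA833591C7D47D5381D09CE82913
D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
"""

# Key code as printed by the display rsa local-key-pair public example.
DISPLAY_KEY_CODE = """
3047
0240
DE99B540 87B666B9 69C948CD BBCC2B60 997F9C18
9AA6651C 6066EF76 242DEAD1 DEFEA162 61677BD4
1A7BFAE7 668EDAA9 FB048C37 A0F1354D 5798C202
2253F4F5
0203
010001
"""

MIN_BITS, MAX_BITS = 512, 2048   # modulus range the manual states


def _read_tlv(buf, pos, expected_tag):
    """Return (value, next_pos) for one DER element, checking tag and bounds."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02X} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        count = length & 0x7F
        if count == 0 or count > 2 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("value runs past the end of the key code")
    return buf[pos:pos + length], pos + length


def check_key_code(text):
    """Parse a hex key code as SEQUENCE { INTEGER n, INTEGER e } and vet it."""
    hex_str = "".join(text.split())        # drop line breaks and spacing
    bad = sorted(set(hex_str) - set("0123456789abcdefABCDEF"))
    if bad:
        raise ValueError(f"non-hexadecimal characters: {bad}")
    if len(hex_str) % 2:
        raise ValueError("odd number of hex digits")
    der = bytes.fromhex(hex_str)
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    n_bytes, pos = _read_tlv(seq, 0, 0x02)
    e_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq) or not n_bytes or not e_bytes:
        raise ValueError("malformed modulus/exponent pair")
    n = int.from_bytes(n_bytes, "big")     # read as unsigned
    e = int.from_bytes(e_bytes, "big")
    bits = n.bit_length()
    findings = []
    if n_bytes[0] & 0x80:
        findings.append("modulus has no leading 00 (negative under strict DER)")
    if n % 2 == 0:
        findings.append("modulus is even, not a valid RSA modulus")
    if e < 3 or e % 2 == 0:
        findings.append("exponent is not an odd value of at least 3")
    if bits < 2048:                        # added baseline, not from the manual
        findings.append("modulus shorter than 2048 bits")
    return {"bits": bits, "exponent": e,
            "in_switch_range": MIN_BITS <= bits <= MAX_BITS,
            "findings": findings}


if __name__ == "__main__":
    for name, code in (("manual", MANUAL_KEY_CODE), ("display", DISPLAY_KEY_CODE)):
        print(name, check_key_code(code))
```

The first key code decodes to a 1023-bit modulus, which is the "one bit smaller" case the CAUTION notes in this chapter describe for a nominal 1024-bit key pair.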
rsa local-key-pair
create
Syntax
View
Parameters
None
Description
Use the rsa local-key-pair create command to generate an RSA host key pair.
Note that:
After entering this command, you will be prompted to provide the length of
the key pair. The length of a host key must be in the range 512 to 2,048 bits
and defaults to 1024. If the key pair already exists, the system will ask you
whether you want to overwrite it.
The configuration of this command can survive a reboot. You only need to
configure it once.
rsa local-key-pair
destroy
Syntax
View
Parameters
None
Description
Use the rsa local-key-pair destroy command to destroy the RSA host key pairs.
Related command: rsa local-key-pair create
Example
rsa peer-public-key
Syntax
View
System view
Parameter
keyname: Name of the public key to be configured, a string of 1 to 64 characters.
Description
Use the rsa peer-public-key command to enter public key view.
Use the undo rsa peer-public-key command to remove the setting.
After using this command, you can use the public-key-code begin command to
configure the peer public key.
Related commands: public-key-code begin and public-key-code end
Example
rsa peer-public-key
import sshkey
Syntax
View
System view
Parameters
keyname: Name of the public key to be configured, a string of 1 to 64 characters.
filename: Name of a public key file, a string of 1 to 142 characters.
Description
Use the rsa peer-public-key import sshkey command to import a peer public
key from the public key file.
Use the undo rsa peer-public-key command to remove the setting.
After execution of this command, the system automatically transforms the public
key file into PKCS format, and imports the peer public key. This requires that you
get a copy of the public key file from the peer through FTP/TFTP.
The rsa peer-public-key import sshkey command can transform only RSA
public keys. If you need to transform DSA public keys, use the public-key peer
import sshkey command.
Example
# Transform the format of client public key file abc and configure a public key
named 123.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] rsa peer-public-key 123 import sshkey abc
ssh
authentication-type
default
Syntax
View
System view
Parameters
all: Specifies either the password authentication or the public key authentication
for SSH users.
password: Specifies the authentication mode for SSH users as password
authentication.
password-publickey: Specifies that both the password and the public key must
be authenticated for SSH users.
publickey: Specifies the authentication mode for the SSH user as public key (RSA
key or DSA key) authentication.
rsa: Specifies the authentication mode for the SSH user as public key (RSA key or
DSA key) authentication. The authentication modes specified by the rsa keyword
and publickey keyword are implemented in the same way.
Description
Example
View
System view
Parameters
server-ip: IP address of the server.
server-name: Name of the server, a string of 1 to 184 characters.
keyname: Name of the public key of the server, a string of 1 to 64 characters.
Both publickey and rsa-key indicate specifying the publickey key. They are
implemented with the same method.
Description
Use the ssh client assign command to specify the name of the public key of the
server on the client so that the client can authenticate whether the server to be
accessed is reliable.
Use the undo ssh client assign command to remove the mapping between the
client and the public key of the server.
Example
# Specify the name of the RSA public key of the server (whose IP address is
192.168.0.1) as pub.ppk on the client.
<5500>system-view
System View: return to User View with Ctrl+Z.
[5500] ssh client 192.168.0.1 assign rsa-key pub.ppk
View
System view
Parameters
None
Description
Use the ssh client first-time enable command to enable the client to run
first-time authentication for the SSH server it accesses for the first time.
Use the undo ssh client first-time command to disable the client from running
first-time authentication.
ssh server authentication-retries
Syntax
View
System view
Parameter
Description
Note: If you have used the ssh user authentication-type command to configure the
authentication type of a user to password-publickey, you must set the
authentication retry times to a number greater than or equal to 2 (so that the user
can access the switch).
Example
# Set the authentication retry times to four.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ssh server authentication-retries 4
View
System view
Parameter
seconds: Authentication timeout time, ranging from 1 to 120 (in seconds).
Description
Use the ssh server timeout command to set the authentication timeout time for
SSH connections.
Use the undo ssh server timeout command to restore the default timeout time
(that is, 60 seconds).
The configuration here will take effect at next login.
Related command: display ssh server
Example
ssh user
Syntax
View
System view
Parameter
username: Valid SSH user name, a string of 1 to 184 characters.
Description
Use the ssh user command to create an SSH user.
Use the undo ssh user command to delete a specified SSH user.
For an SSH user created by using this command, if you do not specify an
authentication type by using the ssh user authentication-type command for
this user, this SSH user adopts the default authentication type. On the other hand,
if the default authentication type is not specified, you need to specify an
authentication type for this SSH user.
Note: An SSH user is created on an SSH server for the purpose of specifying the
authentication type, the SSH service type, and the public key for the SSH user. An
existing SSH user will be removed automatically if it has none of the
authentication type, the SSH service type, and the public key configured.
Example
# Specify the default authentication type as password authentication. Create an
SSH user with the name abc.
<5500> system-view
Enter system view, return to user view with Ctrl+Z.
[5500] ssh authentication-type default password
[5500] ssh user abc
View
System view
Parameters
username: Valid SSH user name, a string of 1 to 184 characters.
keyname: Name of a public key, a string of 1 to 64 characters.
Description
Use the ssh user assign command to assign an existing public key to a specified
SSH user.
Use the undo ssh user assign command to remove the association.
The public key of the client is the one assigned most recently.
The new public key takes effect when the user logs in next time.
Note: Both the publickey and rsa-key keywords specify the public key. They are
implemented in the same way.
Example
# Assign a public key named 127.0.0.1 to SSH client 1.
<5500>system-view
System View: return to User View with Ctrl+Z.
[5500]ssh user 1 assign publickey 127.0.0.1
ssh user authentication-type
Syntax
View
System view
Parameters
username: Valid SSH user name, a string of 1 to 184 characters.
all: Specifies that the authentication mode for the SSH user can be either
password authentication or public key authentication.
password: Specifies the authentication mode for the SSH user as password
authentication.
password-publickey: Specifies the authentication mode for the SSH user as
password and public key.
publickey: Specifies the authentication mode for the SSH user as public key (RSA
key or DSA key) authentication.
rsa: Specifies the authentication mode for the SSH user as public key (RSA key or
DSA key) authentication. The authentication modes specified by the rsa keyword
and the publickey keyword are implemented in the same way.
Description
Example
<5500>system-view
System View: return to User View with Ctrl+Z.
[5500]ssh user kk authentication-type publickey
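The rules stated for these commands (a user without its own authentication type adopts the default, a password-publickey user needs at least 2 authentication retries, a public key is assigned per user) can be checked against a configuration before it is deployed. The following Python code is an added example, not part of the 3Com reference; it assumes a saved configuration stores the commands one per line in the forms documented here, and reporting users who can log in with a password alone is an assumed local policy.

```python
# Constructed sample. The command forms are the ones documented above; that a
# saved configuration stores them one per line in this form is an assumption.
SAMPLE_CONFIG = """\
ssh authentication-type default password
ssh server authentication-retries 1
ssh user abc
ssh user kk authentication-type publickey
ssh user ops authentication-type password-publickey
ssh user ops assign publickey opskey
"""

KEY_BASED = {"publickey", "rsa", "password-publickey"}   # a public key is required
PASSWORD_ALONE = {"password", "all"}                     # a password alone is accepted


def parse_ssh_config(text):
    """Collect the default auth type, the retry count and per-user settings."""
    state = {"default": None, "retries": None, "users": {}}
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["ssh", "authentication-type", "default"] and len(w) == 4:
            state["default"] = w[3]
        elif (w[:3] == ["ssh", "server", "authentication-retries"]
              and len(w) == 4 and w[3].isdigit()):
            state["retries"] = int(w[3])
        elif w[:2] == ["ssh", "user"] and len(w) >= 3:
            # A bare "ssh user NAME" line creates the user with no settings.
            user = state["users"].setdefault(w[2], {"auth": None, "key": None})
            opts = w[3:]
            if len(opts) == 2 and opts[0] == "authentication-type":
                user["auth"] = opts[1]
            elif len(opts) == 3 and opts[0] == "assign":
                user["key"] = opts[2]        # opts[1] is publickey or rsa-key
    return state


def effective_auth(state, name):
    """Per-user type if set, otherwise the default type (may be None)."""
    return state["users"][name]["auth"] or state["default"]


def audit(state):
    """Return (user, finding) pairs, sorted by user name."""
    findings = []
    for name in sorted(state["users"]):
        auth = effective_auth(state, name)
        if auth is None:
            # Neither a per-user nor a default type: the user cannot be used.
            findings.append((name, "no-auth-type"))
            continue
        retries = state["retries"]
        if auth == "password-publickey" and retries is not None and retries < 2:
            # Both factors must pass, so fewer than 2 retries locks the user out.
            findings.append((name, "retries-below-2"))
        if auth in KEY_BASED and state["users"][name]["key"] is None:
            findings.append((name, "no-public-key-assigned"))
        if auth in PASSWORD_ALONE:
            # Assumed local policy: report password-only logins.
            findings.append((name, "password-alone-accepted"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse_ssh_config(SAMPLE_CONFIG)):
        print(f"{user}: {finding}")
```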
View
System view
Parameters
username: SSH user name, a string of 1 to 184 characters.
stelnet: Specifies that the user can access the secure Telnet service.
sftp: Specifies that the user can access the SFTP service.
all: Specifies that the user can access both services (secure Telnet and SFTP).
Description
Use the ssh user service-type command to configure service type for a user so
that the user can access specified service(s).
Use the undo ssh user service-type command to remove the service type
specified for an SSH user.
The default service type for an SSH user is stelnet.
Related command: display ssh user-information
Example
ssh2
Syntax
View
Parameters
port-num: Server port number. It is in the range of 0 to 65,535 and defaults to 22.
identity-key: Specifies the algorithm for publickey authentication, either dsa or
rsa. The default is rsa.
prefer_kex: Specifies the preferred key exchange algorithm. You can select one
from the following two algorithms.
Description
Use the ssh2 command to start the SSH client to establish a connection with an
SSH server, and at the same time specify the preferred key exchange algorithm,
encryption algorithms and HMAC algorithms between the server and client.
Note that when logging into the SSH server using public key authentication, an
SSH client needs to read the local private key for authentication. As two
algorithms (RSA or DSA) are available, the identity-key keyword must be used to
specify one algorithm in order to get the correct private key.
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ssh2 10.214.50.51 prefer_kex dh_exchange_group prefer_stoc_cipher
aes128 prefer_ctos_hmac md5 prefer_stoc_hmac sha1_96
ssh2 source-interface
Syntax
View
System view
Parameters
interface-type: Source interface type.
interface-number: Source interface number.
Description
Use the ssh2 source-interface command to specify a source interface for the SSH
client. If the specified interface does not exist, the command fails.
Use the undo ssh2 source-interface command to cancel the source interface
setting. Then, a local device address determined by the system is used to access an
SSH server.
Example
ssh2 source-ip
Syntax
View
System view
Parameter
ip-address: Source IP address.
Description
Use the ssh2 source-ip command to specify a source IP address for the SSH client.
If the specified IP address is not an address of the device, the command fails.
Use the undo ssh2 source-ip command to cancel the source IP address setting.
Then, a local device address determined by the system is used to access an SSH
server.
Example
ssh-server source-interface
Syntax
View
System view
Parameters
interface-type: Source interface type.
interface-number: Source interface number.
Description
Example
ssh-server source-ip
Syntax
View
System view
Parameter
ip-address: IP address to be set as the source IP address.
Description
Use the ssh-server source-ip command to specify a source IP address for the SSH
server. If the specified IP address is not an IP address of the device, the command
fails.
Use the undo ssh-server source-ip command to cancel the source IP address
setting. Then, a local device address determined by the system can be used by
users to access the switch.
Example
Note: The Switch 5500 Family supports Intelligent Resilient Framework (IRF), and allows
you to specify a file path and file name in one of the following ways:
In URL format and starting with flash:/. This method can be used to specify a
file in the Flash memory of the current unit.
Using the path name or file name directly. This method can be used to specify a
path or a file in the current directory.
Limit the lengths of device name, directory name, file path, and file name within
the following ranges regulated for the switch.
A file name plus its local path name should be no more than 127 characters.
A file name plus its complete path name should be no more than 142
characters.
cd
Syntax
cd directory
View
User view
Parameter
directory: Target directory.
Description
Use the cd command to enter a specified directory on the Ethernet switch.
The default directory when a user logs onto the switch is the root directory of
Flash memory.
Examples
copy
Syntax
View
Parameter
Description
Example
delete
Syntax
View
User view
Parameter
/unreserved: Specifies to delete a file completely.
file-url: Path name or file name of a file in the Flash memory. You can use the *
character in this argument as a wildcard. For example, the delete *.txt command
deletes all the files with txt as their extensions.
running-files: Specifies to delete all the files with the main attribute.
standby-files: Specifies to delete all the files with the backup attribute.
/fabric: Specifies to delete all the specified files in the fabric.
Description
Use the delete command to delete a specified file from the Flash memory on a
switch.
If you execute the delete command with the /unreserved keyword specified, the
specified file is permanently deleted. That is, the file cannot be restored. If you
execute the delete command without the /unreserved keyword, the specified
file is moved to the recycle bin, and you can use the undelete command to
restore it.
You can delete files based on file attribute.
If you execute the delete running-files command, all the files with the main
attribute will be deleted.
If you execute the delete standby-files command, all the files with the
backup attribute will be deleted.
For a file that has both the main and backup attributes:
The delete running-files command only deletes its main attribute instead of
the file itself.
The delete standby-files command only deletes its backup attribute instead
of the file itself.
When you use the delete running-files or delete standby-files command, you
will be prompted to confirm whether to delete all files with the main/backup
attribute. If you choose yes, the corresponding files are deleted. If you choose no,
the system prompts you to confirm the following:
CAUTION: For deleted files whose names are the same, only the latest deleted file
is stored in the recycle bin and can be restored.
Example
# Delete the file test/test.txt on the local unit.
<5500> delete test/test.txt
Delete unit1>flash:/test/test.txt?[Y/N]:y
.
%Delete file unit1>flash:/test/test.txt...Done.
dir
Syntax
View
Parameter
Description
Use the dir command to display the information about the specified files or
directories in the Flash memory on a switch.
Executed without the /all keyword, the dir command will not display information
about files in the recycle bin; executed with the /all keyword, the dir command
will display information about files in the recycle bin.
In the output information, files with the main, backup or main/backup attribute
are tagged with special characters:
main: (*)
backup: (b)
main/backup: (*b)
Note: In the output information of the dir /all command, deleted files (that is, those in
the recycle bin) are enclosed in square brackets.
Example
# Display the information about all the ordinary files in the root directory of the file
system on the local unit.
<5500> dir
Directory of unit1>flash:/
   1 (*)   -rw-   5792495  Apr 02 2000 00:06:50   s4c03_test1.app
   2 (*)   -rw-      1965  Apr 01 2000 23:59:13   config.cfg
   3       -rw-   5841301  Apr 02 2000 21:42:13   test2.bin
   4       -rw-       224  Apr 02 2000 01:36:30   test3.bin
   5       -rw-    279296  Apr 02 2000 00:22:01   test.abc
15367 KB total (3720 KB free)
(*) -with main attribute
(b) -with backup attribute
(*b) -with both main and backup attribute
# Display the information about all the files (including the files in the recycle bin) in
the root directory of the file system of the fabric.
<5500> dir /all /fabric
Directory of unit1>flash:/
   1 (*)   -rw-   5792495  Apr 02 2000 00:06:50   test1.bin
   2       -rwh         4  Apr 01 2000 23:55:26   snmpboots
   3       -rwh       151  Apr 02 2000 00:05:53   private-data.txt
   4 (*)   -rw-      1965  Apr 01 2000 23:59:13   config.cfg
   5       -rw-   5841301  Apr 02 2000 21:42:13   test2.bin
   6       -rw-       224  Apr 02 2000 01:36:30   test3.bin
   7       -rw-    279296  Apr 02 2000 00:22:01   test.abc
   8       -rw-      2370  Apr 02 2000 02:49:12   [1.cfg]
15367 KB total (3720 KB free)
Directory of unit2>flash:/
   0       -rwh         4  Apr 01 2000 23:55:24   snmpboots
   1 (*)   -rw-   4724347  Apr 01 2000 23:59:45   test1.bin
   2 (*)   -rw-      1475  Apr 01 2000 23:59:53   config.cfg
   3       -rw-      1737  Apr 02 2000 00:46:21   cfg.cfg
   4       -rw-    279296  Apr 02 2000 00:21:55   love.rar
   5       -rw-       428  Apr 02 2000 13:07:11   hostkey
   6       -rwh       151  Apr 01 2000 23:58:39   private-data.txt
   7       -rw-       572  Apr 02 2000 13:07:20   serverkey
   8       -rw-      1589  Apr 02 2000 00:58:20   1.cfg
15367 KB total (10475 KB free)
(*) -with main attribute
(b) -with backup attribute
(*b) -with both main and backup attribute
# Display information about all the files whose names begin with the character t
(including those in the recycle bin) in the local directory unit1>flash:/test/.
<5500> dir /all test/t*
Directory of unit1>flash:/test/
   0       -rw-    279296  Apr 04 2000 14:45:19   test.txt
15367 KB total (3720 KB free)
(*) -with main attribute
(b) -with backup attribute
(*b) -with both main and backup attribute
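Because delete without /unreserved only moves a file to the recycle bin, a dir /all listing is the place to confirm that a removed configuration or image is really gone. The following Python code is an added example, not part of the 3Com reference: it parses listing text and reports the bracketed (recycle-bin) entries and the files tagged main or backup. The sample is assembled from entries in the dir /all /fabric example above; the one-entry-per-line column layout is an assumption about the CLI output.

```python
import re

# Sample assembled from entries in the page's dir /all /fabric example.
# The one-entry-per-line column layout is an assumption about the CLI output.
SAMPLE_LISTING = """\
Directory of unit1>flash:/
   1 (*)   -rw-   5792495  Apr 02 2000 00:06:50   test1.bin
   2       -rwh         4  Apr 01 2000 23:55:26   snmpboots
   4 (*)   -rw-      1965  Apr 01 2000 23:59:13   config.cfg
   8       -rw-      2370  Apr 02 2000 02:49:12   [1.cfg]
15367 KB total (3720 KB free)
Directory of unit2>flash:/
   2 (*)   -rw-      1475  Apr 01 2000 23:59:53   config.cfg
   8       -rw-      1589  Apr 02 2000 00:58:20   1.cfg
15367 KB total (10475 KB free)
(*) -with main attribute
(b) -with backup attribute
(*b) -with both main and backup attribute
"""

DIRECTORY = re.compile(r"^Directory of (?P<path>\S+)\s*$")
ENTRY = re.compile(
    r"^\s*(?P<index>\d+)\s+(?:\((?P<attr>\*b|\*|b)\)\s+)?"
    r"(?P<perm>[-drwxh]{4})\s+(?P<size>\d+)\s+"
    r"(?P<stamp>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<name>\S+)\s*$"
)
# Tags as documented for the dir output: (*) main, (b) backup, (*b) both.
ATTR_NAMES = {None: "none", "*": "main", "b": "backup", "*b": "main+backup"}


def parse_dir(listing):
    """Return one dict per file entry; summary and legend lines are skipped."""
    entries, current = [], None
    for line in listing.splitlines():
        header = DIRECTORY.match(line)
        if header:
            current = header.group("path")     # e.g. unit1>flash:/
            continue
        m = ENTRY.match(line)
        if not m or current is None:
            continue
        name = m.group("name")
        # dir /all shows files that sit in the recycle bin in brackets.
        deleted = name.startswith("[") and name.endswith("]")
        entries.append({
            "path": current + (name[1:-1] if deleted else name),
            "perm": m.group("perm"),
            "size": int(m.group("size")),
            "attr": ATTR_NAMES[m.group("attr")],
            "deleted": deleted,
        })
    return entries


def recycle_bin(entries):
    """Paths of files that undelete could still restore."""
    return [e["path"] for e in entries if e["deleted"]]


def startup_files(entries):
    """Map path -> attribute for files tagged main and/or backup."""
    return {e["path"]: e["attr"] for e in entries if e["attr"] != "none"}


if __name__ == "__main__":
    parsed = parse_dir(SAMPLE_LISTING)
    for path in recycle_bin(parsed):
        print("still in recycle bin:", path)
    for path, attr in startup_files(parsed).items():
        print(f"{attr:12} {path}")
```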
execute
Syntax
execute filename
View
System view
Parameter
filename: Batch file, with the extension .bat.
Description
Use the execute command to execute the specified batch file.
This command executes command lines in the batch file in sequence.
Note that the batch file cannot contain any invisible character. If any invisible
character is found, the command will quit the current execution process and the
executed operations are not cancelled automatically.
The batch execution command is the automation of executing commands in a
batch file. However, it does not restrict the forms and contents of commands in
the file.
Example
# Execute the batch file named test.bat under the directory flash:/.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] execute test.bat
<5500>
....
%Created dir unit1>flash:/test3.
file prompt
Syntax
View
Parameter
Description
Use the file prompt command to configure the prompt mode for file-related
operations.
By default, alert mode is used, by which a switch prompts for confirmation before
performing file-related operations that have potential risks.
If you set the prompt mode of the file-related operations to quiet, the switch does
not prompt for confirmation before performing file-related operations. In this
case, the system is more likely to be damaged due to some bad operation. For
example, if the prompt mode is set to alert, the following messages will be
displayed when you delete a file:
<5500> delete unit1>flash:/te.txt
Delete unit1>flash:/te.txt?[Y/N]:y
......
%Delete file unit1>flash:/te.txt...Done.
The system waits for you to confirm for 30 seconds. If you do not input any
confirmation in 30 seconds, the system cancels this file operation, as shown in the
following:
If the prompt mode is set to quiet, the following messages will be displayed when
you delete a file:
<5500> delete unit1>flash:/te.txt
....
%Delete file unit1>flash:/te.txt...Done.
Example
fixdisk
Syntax
fixdisk device
View
User view
Parameter
device: Name of a device.
Description
Use the fixdisk command to restore space on the Flash memory.
If space on the Flash memory becomes unavailable for reasons such as abnormal
operations, you can run this command to restore the space.
Example
format
Syntax
format device
View
User view
Parameter
device: Name of a device.
Description
Use the format command to format the Flash memory.
CAUTION: The format operation leads to the loss of all the files on the Flash
memory, and the operation is irretrievable.
Example
# Format the Flash memory.
<5500>format unit1>flash:
All data on unit1>flash: will be lost , proceed with format ? [Y/N]:y
..............................
%Format unit1>flash: completed.
mkdir
Syntax
mkdir directory
View
User view
Parameter
directory: Name of a directory.
Description
Use the mkdir command to create a subdirectory in the specified directory of a
Flash memory.
Note that the names of the directories and files in the same directory must be
unique.
Example
# Create a directory in the current directory, with the name being dd.
<5500> mkdir dd
....
%Created dir unit1>flash:/dd.
more
Syntax
more file-url
View
User view
Parameter
file-url: Path name or file name of a file in the Flash memory.
Description
Use the more command to display the contents of a specified file.
Currently, the file system supports displaying the contents of text files only.
Example
move
Syntax
View
Parameters
Description
Example
# Move the file 1.txt from flash:/ to flash:/a/ within unit1, with the name
unchanged.
<5500>move unit1>flash:/1.txt unit1>flash:/a/
Move unit1>flash:/1.txt to unit1>flash:/a/1.txt?[Y/N]:y
.
%Moved file unit1>flash:/1.txt to unit1>flash:/a/1.txt.
# Move the file flash:/22.txt to unit1>flash:/test/, and overwrite the file in the
directory unit1>flash:/test.
<5500>move 22.txt unit1>flash:/test
Move unit1>flash:/22.txt to unit1>flash:/test/22.txt?[Y/N]:y
The file unit1>flash:/test/22.txt exists. Overwrite it?[Y/N]:y
The file will be permanently deleted from flash, please wait.
....
%Moved file unit1>flash:/22.txt to unit1>flash:/test/22.txt.
pwd
Syntax
pwd
View
User view
Parameters
None
Description
Use the pwd command to display the current working path of the login user.
Example
rename
Syntax
View
Parameters
Description
Example
reset recycle-bin
Syntax
View
User view
Parameters
file-url: Path name or file name of a file in the Flash memory. This argument
supports the wildcard *.
/force: Specifies not to prompt for confirmation before deleting files.
/fabric: Specifies to clear the recycle bins of all Flash memories in the fabric.
Description
Use the reset recycle-bin command to clear the recycle bin in the Flash memory.
The files deleted by the delete command without the /unreserved keyword are
moved to the recycle bin. To delete them permanently, you can use the reset
recycle-bin command.
Note: The system will not prompt you to confirm deletion of each file when you clear
recycle bins throughout the fabric.
Example
# Clear the recycle bin in unit 1 of the fabric.
<5500>reset recycle-bin unit1>flash:/
Clear unit1>flash:/te.txt ?[Y/N]:y
Clearing files from flash may take a long time. Please wait...
.....
%Cleared file unit1>flash:/~/te.txt.
rmdir
Syntax
rmdir directory
View
User view
Parameter
directory: Name of a directory.
Description
Use the rmdir command to delete a directory.
As only empty directories can be deleted, you need to clear a directory before
deleting it.
Example
undelete
Syntax
undelete file-url
View
User view
Parameter
file-url: Path name or file name of a file in the Flash memory.
Description
Use the undelete command to restore a deleted file from the recycle bin.
If the name of the file to be restored is the same as that of an existing file, the
system prompts you for the confirmation to overwrite the latter.
Example
update fabric
Syntax
View
Parameter
Description
You can upgrade files with such extensions as .web, .bin and .btm.
The file used for upgrading must exist in the root directory of a unit in the
fabric.
After the upgrade is completed, the file used for upgrading will be copied to
the root directories of other units in the fabric.
When you execute the update fabric command, the system first collects the
free space information of each unit and then decides whether the available
Flash memory space is enough on each unit. The available space should be at
least 1 K larger than the size of file used for upgrading. If the space on any unit
is insufficient, the system will prompt the user to provide enough space on the Flash
memory of the unit. Otherwise, the upgrade cannot be implemented.
Before the file is copied to all units, the system collects version information of
files in the corresponding type, compares the version compatibility, and outputs
the result. If the file used for upgrading cannot replace the corresponding file
on any unit, the command fails and a message is given, describing the failure
reason.
Example
# Upgrade all units in the fabric with the app file test.bin on the local unit.
<5500>display irf-fabric
Fabric name is fab, system mode is L3.
Fabric authentication : no authentication, number of units in stack: 1.
Unit Name     Unit ID
First         1(*)
First         2
First         8
<5500>update fabric test.bin
This will update the Fabric. Continue? [Y/N] y
The software is verifying ...
The result of verification is :
Unit ID   Free space(bytes)   Enough   Version comparison
1         2126848             Y        Y
2         2125824             Y        Y
8         1439744             Y        Y
warning: the verification is completed, start the file transmission [Y/N] y
The fabric is being updated, 100%
The test.bin is stored on unit 1 successfully
The test.bin is stored on unit 2 successfully
The test.bin is stored on unit 8 successfully
Do you want to set test.bin to be running agent next time to boot[Y/N] y
The test.bin is configured successfully
Note: The Switch 5500 Family supports intelligent resilient framework (IRF), and allows
you to specify a file path and file name in one of the following ways:
In URL format and starting with flash:/. This method can be used to specify a
file in the Flash memory of the current unit.
Using the path name or file name directly. This method can be used to specify a
path or a file in the current directory.
boot attribute-switch
Syntax
View
Parameter
Description
Use the boot attribute-switch command to switch between the main and
backup attribute for all the files or a specified type of files. That is, change a file
with the main attribute to one with the backup attribute, or vice versa.
Example
# Switch the attributes of all the files in the fabric.
<5500> boot attribute-switch all fabric
The boot, web and configuration files backup-attribute and main-attribute
will exchange.
Are you sure? [Y/N] y
The boot, web and configuration files backup-attribute and main-attribute
successfully exchanged on unit 1!
boot boot-loader
Syntax
View
Parameter
Description
Use the boot boot-loader command to configure an app file of the fabric or of a
device in the fabric to be with the main attribute. The app file specified by this
command becomes the main startup file when the device starts up next time.
If you execute the boot boot-loader command without the fabric keyword, the
configuration applies to the local unit only.
CAUTION: Before configuring the main or backup attribute for a file in the fabric,
make sure the file already exists on all devices in the fabric. This is because
Ethernet switches do not allow you to specify an app file in another unit's Flash
memory as the app startup file of the local unit.
Example
# Configure the file boot.bin to be the main startup file of the fabric.
<5500> boot boot-loader boot.bin fabric
The specified file will be booted next time on unit 1!
The specified file will be booted next time on unit 2!
boot boot-loader backup-attribute
Syntax
View
Parameter
Description
CAUTION: Before configuring the main or backup attribute for a file in the fabric,
make sure the file already exists on all devices in the fabric. This is because
Ethernet switches do not allow you to specify an app file in another unit's Flash
memory as the app startup file of the local unit.
Example
# Configure the file named backup.bin to be the backup startup file of the fabric.
<5500> boot boot-loader backup-attribute backup.bin fabric
Set boot file backup-attribute successfully on unit 1!
Set boot file backup-attribute successfully on unit 2!
boot web-package
Syntax
View
Parameter
Description
Use the boot web-package command to configure a Web file in the fabric to be
with the main or backup attribute.
CAUTION:
Before configuring the main or backup attribute for a Web file in the fabric,
make sure the file exists on all devices in the fabric.
The configuration of the main or backup attribute for a Web file takes effect
immediately without restarting the device.
After you upgrade a Web file, you need to specify the new Web file in the Boot
menu after restarting the switch or specify a new Web file by using the boot
web-package command. Otherwise, the Web server cannot function
normally.
Example
# Configure the Web file named boot.web to be with the main attribute.
<5500> boot web-package boot.web main
display boot-loader
Syntax
View
Parameter
Description
Example
Example
startup bootrom-access enable
Syntax
View
User view
Parameter
None
Description
Example
# Specify to prompt users to use customized passwords to enter the BOOT menu.
<5500> startup bootrom-access enable
backup current-configuration
Syntax
View
Parameter
Description
Example
# Back up the current configuration of unit 8 to the file aaa.cfg on the TFTP server
whose IP address is 1.1.1.253.
<5500> backup unit 8 current-configuration to 1.1.1.253 aaa.cfg
Backup current configuration to 1.1.1.253. Please wait...
File will be transferred in binary mode.
Copying file to remote tftp server. Please wait...
TFTP: 1958 bytes sent in 2 second(s).
File uploaded successfully.
Unit 8: Backup current configuration finished!
# Back up the current configuration of the whole fabric to the file aaa.cfg on the
TFTP server whose IP address is 1.1.1.253.
<5500> backup fabric current-configuration to 1.1.1.253 aaa.cfg
Backup current configuration to 1.1.1.253. Please wait...
File will be transferred in binary mode.
restore startup-configuration
Syntax
View
Parameter
Description
Example
# Restore the startup configuration of unit 7 from the file aaa.cfg on the TFTP
server with the IP address 1.1.1.253.
<5500> restore unit 7 startup-configuration from 1.1.1.253 aaa.cfg
Restore startup configuration from 1.1.1.253. Please wait...
File will be transferred in binary mode.
Downloading file from remote tftp server, please wait...
TFTP: 1958 bytes sent in 0 second(s).
File downloaded successfully.
Unit 7: Restore startup current configuration finished!
# Restore the startup configuration of the whole fabric from the file bbb.cfg on
the TFTP server with the IP address 1.1.1.253.
<5500> restore fabric startup-configuration from 1.1.1.253 bbb.cfg
Restore startup configuration from 1.1.1.253. Please wait...
File will be transferred in binary mode.
Downloading file from remote tftp server, please wait...
TFTP:
display ftp-server
Syntax
display ftp-server
View
Any view
Parameters
None
Description
Use the display ftp-server command to display the FTP server-related settings of
a switch when it operates as an FTP server.
You can use this command to verify FTP server-related configurations.
Example
# Display the FTP server-related settings of the switch (assuming that the switch is
operating as an FTP server).
<5500> display ftp-server
FTP server is running
Max user number            1
User count                 0
Timeout value(in minute)   30
Description
User count
30
display ftp-server source-ip
Syntax
View
Parameters
Description
Use the display ftp-server source-ip command to display the source IP address
set for an FTP server. If a source interface is specified for the FTP server, the IP
address of the source interface will be displayed. If neither source interface nor
source IP address is specified, 0.0.0.0 will be displayed.
Example
# Display the source IP address set for the FTP server.
<5500> display ftp-server source-ip
The source IP you specified is 192.168.0.1
display ftp-user
Syntax
display ftp-user
View
Any view
Parameters
None
Description
Use the display ftp-user command to display the settings of the current FTP user,
including the user name, host IP address, port number, connection idle time, and
authorized directory.
Example
Port
1029
Idle
0
HomeDir
flash:
# If the user name exceeds ten characters, characters behind the tenth will be
displayed in the second line with a left-aligning mode. Take username
username@test for example, the result is:
<5500> display ftp-user
UserName
HostIP
administra
tor
192.168.0.152
Port
Idle
HomeDir
1031
flash:
ftp disconnect
Syntax
View
Parameter
Description
Note: With a 3Com Switch 5500 acting as the FTP server, if you attempt to disconnect a
user that is uploading or downloading data to or from the FTP server, the Switch
5500 will disconnect the user after the data transmission is complete.
Example
# Display the current online FTP users.
<5500> display ftp-user
UserName    HostIP           Port    Idle    HomeDir
admin       192.168.0.152    1029    0       flash:
View
System view
Parameters
None
Description
Use the ftp server enable command to enable the FTP server for users to log in.
Use the undo ftp server command to disable the FTP server.
By default, the FTP server is disabled to avoid potential security risks.
Note: To protect unused sockets from being attacked by malicious users, the Switch
5500 provides the following functions:
Example
ftp timeout
Syntax
View
System view
Parameter
minutes: Connection idle time (in minutes) in the range 1 to 35,791.
Description
Use the ftp timeout command to set the connection idle time.
Use the undo ftp timeout command to restore the default connection idle time.
By default, the connection idle time is 30 minutes.
If an FTP connection between an FTP server and an FTP client breaks down
abnormally, the FTP server is not notified of this and keeps the connection
open as usual.
You can set a connection idle time, so that the FTP server considers an FTP
connection to be invalid and terminates it if no data exchange occurs on it in a
specific period known as connection idle time.
Example
ftp-server source-interface
Syntax
View
System view
Parameters
interface-type: Type of the source interface.
interface-number: Number of the source interface.
Description
Use the ftp-server source-interface command to specify the source interface for
an FTP server. If the specified interface does not exist, a prompt appears
indicating that the configuration has failed.
Use the undo ftp-server source-interface command to cancel the source
interface setting. After you execute this command, the FTP server system decides
which interface FTP clients use to access it.
Example
ftp-server source-ip
Syntax
View
System view
Parameter
ip-address: IP address that is to be specified as the source IP address.
Description
Use the ftp-server source-ip command to specify the source IP address for an FTP
server. The value of argument ip-address must be an IP address on the device
where the configuration is performed. Otherwise, a prompt appears indicating
that the configuration has failed.
Use the undo ftp-server source-ip command to cancel the source IP address
setting. After you execute this command, the FTP server system decides which IP
address on it FTP clients use to access it.
Example
ascii
Syntax
ascii
View
FTP client view
Parameters
None
Description
Use the ascii command to specify that files be transferred in ASCII mode. That is,
data is transferred in ASCII characters.
By default, files are transferred in ASCII mode.
Example
binary
Syntax
binary
View
FTP client view
Parameters
None
Description
Use the binary command to specify that program files be transferred in binary
mode.
Example
bye
Syntax
bye
View
FTP client view
Parameters
None
Description
Use the bye command to terminate the control connection and data connection
with the remote FTP server and return to user view.
This command has the same effect as that of the quit command.
Example
# Terminate the connections with the remote FTP server and return to user view.
[ftp] bye
221 Server closing.
<5500>
cd
Syntax
cd pathname
View
Parameter
Description
Example
cdup
Syntax
cdup
View
FTP client view
Parameters
None
Description
Use the cdup command to exit the current working directory and enter the parent
directory.
Example
close
Syntax
close
View
FTP client view
Parameters
None
Description
Use the close command to terminate an FTP connection without quitting FTP
client view.
This command has the same effect as that of the disconnect command.
Example
delete
Syntax
delete remotefile
View
FTP client view
Parameter
Description
Example
dir
Syntax
View
Parameters
Description
Use the dir command to query specified files on a remote FTP server, or to display
file information in the current directory. The output information, which includes
the name, size and creation time of files, will be saved in a local file.
If you do not specify the filename argument, the information about all the files in
the current directory is displayed.
Example
# Display the information about all the files in the current directory on the remote
FTP server.
[ftp] dir
227 Entering Passive Mode (192,168,0,152,4,0).
125 ASCII mode data connection already open, transfer starting for *.
-rwxrwxrwx 1 noone nogroup 377424 Apr 26 13:05 s3r01.btm
-rwxrwxrwx 1 noone nogroup 377424 Oct 10 2006 s3r01_15.btm
-rwxrwxrwx 1 noone nogroup 2833 May 11 17:58 config.cfg
-rwxrwxrwx 1 noone nogroup 225295 Apr 26 12:21 default.diag
-rwxrwxrwx 1 noone nogroup 377424 Apr 30 16:58 s5500si-btm-116.btm
drwxrwxrwx 1 noone nogroup 0 Apr 28 11:41 test
-rwxrwxrwx 1 noone nogroup 2145 Apr 28 13:13 test.txt
-rwxrwxrwx 1 noone nogroup 13 Apr 28 13:21 mytest.bak
-rwxrwxrwx 1 noone nogroup 9 Apr 28 13:24 a.txt
-rwxrwxrwx 1 noone nogroup 142 Sep 10 2006 myopenssh
-rwxrwxrwx 1 noone nogroup 5292802 Apr 30 17:02 s5500si-cmw520-r1205p02.b
in
-rwxrwxrwx 1 noone nogroup 15 Apr 26 17:45 public
-rwxrwxrwx 1 noone nogroup 15 Apr 26 17:56 temp.c
-rwxrwxrwx 1 noone nogroup 5286666 Oct 18 2006
s5500si-cmw520-r1205.bin
-rwxrwxrwx 1 noone nogroup 306 May 13 11:17 swithc001
226 Transfer complete.
FTP: 1025 byte(s) received in 0.019 second(s) 53.00K byte(s)/sec.
# Display the information about the file config.cfg and save the output
information in the file named temp1.
[ftp] dir config.cfg temp1
227 Entering Passive Mode (192,168,0,152,4,3).
125 ASCII mode data connection already open, transfer starting for config.cfg.
.....226 Transfer complete.
FTP: 67 byte(s) received in 5.818 second(s) 11.00 byte(s)/sec.
disconnect
Syntax
disconnect
View
FTP client view
Parameters
None
Description
Use the disconnect command to terminate an FTP connection without quitting FTP
client view.
This command has the same effect as that of the close command.
Example
Connected.
220 FTP service ready.
User(none):admin
331 Password required for admin.
Password:
230 User logged in.
[ftp]
Parameters
None
Description
Use the display ftp source-ip command to display the source IP address that the
FTP client uses every time it connects to an FTP server. If a source interface is
specified for the FTP client, the IP address of the source interface will be displayed.
If neither a source IP address nor source interface is specified for the FTP client,
0.0.0.0 will be displayed.
Example
# Display the source IP address that the FTP client uses every time it connects to an
FTP server.
<5500> display ftp source-ip
The source IP you specified is 192.168.0.1
ftp
Syntax
View
Parameters
Description
Use the ftp command to establish a control connection with an FTP server and
enter FTP client view.
Example
ftp { cluster |
remote-server }
source-interface
Syntax
View
Parameters
Description
Example
ftp { cluster |
remote-server }
source-ip
Syntax
View
Parameters
Description
Example
ftp source-interface
Syntax
View
System view
Parameters
interface-type: Type of the source interface.
interface-number: Number of the source interface.
Description
Use the ftp source-interface command to specify the source interface that the
FTP client uses every time it connects to an FTP server. The system
prompts that the configuration fails if the specified interface does not exist.
Use the undo ftp source-interface command to cancel the source interface
setting. After you execute this command, the FTP client system decides which
interface is used for accessing FTP servers.
Example
ftp source-ip
Syntax
View
System view
Parameter
ip-address: IP address that is to be specified as the source IP address.
Description
Use the ftp source-ip command to specify the source IP address that the FTP
client uses every time it connects to an FTP server. The value of
# Specify 192.168.0.1 as the source IP address that the FTP client uses every time it
connects to an FTP server.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ftp source-ip 192.168.0.1
get
Syntax
View
Parameters
Description
Use the get command to download a remote file and save it as a local file.
If you do not specify the localfile argument, the downloaded file is saved with its
original name.
Example
CAUTION: When using the get command to download files from a remote FTP
server, keep the length of the file path and file name within the following
limits for a 3Com Switch 5500.
A file name plus its local path name should be no more than 127 characters.
A file name plus its complete path name should be no more than 142
characters.
lcd
Syntax
lcd
View
FTP client view
Parameters
None
Description
Use the lcd command to display the local working directory on the FTP client.
Example
ls
Syntax
ls [ remotefile [ localfile ] ]
View
FTP client view
Parameters
remotefile: Name of the remote file to be queried.
localfile: Name of the local file where the querying result is to be saved.
Description
Use the ls command to display the information about a specified file on a remote
FTP server.
If you do not specify the remotefile argument, names of all the files in the current
remote directory are displayed.
Example
CAUTION: The ls command only displays file names, while the dir command
displays file information in more detail, including file size, creation date and so on.
# Enter FTP client view.
<5500> ftp 2.2.2.2
Trying ...
Press CTRL+K to abort
Connected.
220 FTP service ready.
User(none):admin
331 Password required for admin.
Password:
230 User logged in.
[ftp]
# Display the names of all the files in the current directory on the remote FTP
server.
[ftp] ls
227 Entering Passive Mode (2,2,2,2,4,4).
125 ASCII mode data connection already open, transfer starting for *.
s3r01.btm
s3r01_15.btm
config.cfg
default.diag
s5500si-btm-116.btm
test
test.txt
mytest.bak
a.txt
myopenssh
s5500si-cmw520-r1205p02.bin
public
temp.c
s5500si-cmw520-r1205.bin
swithc001
226 Transfer complete.
FTP: 200 byte(s) received in 0.145 second(s) 1.00Kbyte(s)/sec.
mkdir
Syntax
mkdir pathname
View
FTP client view
Parameter
pathname: Path name.
Description
Use the mkdir command to create a directory on an FTP server.
This command is available only to the FTP clients that are assigned the permission
to create directories on FTP servers.
Example
open
Syntax
View
Parameters
Description
Use the open command to establish a control connection with an FTP server.
Related command: close
Example
# Establish a control connection with the FTP server whose IP address is 1.1.1.1.
[ftp]open 1.1.1.1
Trying ...
Press CTRL+K to abort
Connected.
220 FTP service ready.
User(none):abc
331 Password required for abc
Password:
230 User logged in.
passive
Syntax
passive
undo passive
View
Parameters
None
Description
Use the passive command to set the data transfer mode to the passive mode.
Use the undo passive command to set the data transfer mode to the active
mode.
By default, the passive mode is adopted.
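The 227 replies in the dir and ls transcripts earlier in this chapter carry the data-connection endpoint that passive mode relies on. The following Python sketch is an added example (not 3Com code) that decodes those replies and flags a data endpoint that does not match the control-connection peer; the function names and the wording of the findings are assumptions of this example.

```python
import ipaddress
import re

# Six comma-separated decimal fields inside parentheses: h1,h2,h3,h4,p1,p2
# (the RFC 959 PASV reply layout seen in the transcripts above).
_PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) announced by a 227 passive-mode reply."""
    match = _PASV_RE.match(reply.strip())
    if match is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(f) for f in match.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    host = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]  # high byte, then low byte
    return host, port


def check_data_endpoint(reply, control_peer):
    """Decode a 227 reply and list reasons a client should refuse it.

    control_peer is the address the control connection was opened to.
    """
    host, port = parse_pasv(reply)
    findings = []
    if host != ipaddress.IPv4Address(control_peer):
        findings.append("data address differs from control peer")
    if port < 1024:
        findings.append("data port is in the well-known range")
    return {"host": str(host), "port": port, "findings": findings}


# Replies copied from the page's transcripts. The second pairing matches the
# "ftp 2.2.2.2" session; the first peer address is taken from the reply
# itself, so that pairing is constructed.
TRANSCRIPT_REPLIES = [
    ("227 Entering Passive Mode (192,168,0,152,4,0).", "192.168.0.152"),
    ("227 Entering Passive Mode (2,2,2,2,4,4).", "2.2.2.2"),
]

# Constructed reply that names a host other than the control peer.
MISMATCHED_REPLY = "227 Entering Passive Mode (10,0,0,9,0,21)."

if __name__ == "__main__":
    for reply, peer in TRANSCRIPT_REPLIES:
        print(check_data_endpoint(reply, peer))
    print(check_data_endpoint(MISMATCHED_REPLY, "2.2.2.2"))
```

A client or an FTP-aware firewall helper that applies this check opens the data connection only when the findings list is empty.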
Example
put
Syntax
View
Parameters
Description
Example
pwd
Syntax
pwd
View
FTP client view
Parameters
None
Description
Use the pwd command to display the working directory on an FTP server.
Example
quit
Syntax
quit
View
Parameters
None
Description
Use the quit command to terminate the FTP control connection and the FTP data
connection and return to user view.
This command has the same effect as that of the bye command.
Example
# Terminate the FTP control connection and FTP data connection and quit to user
view.
[ftp] quit
221 Server closing.
<5500>
remotehelp
Syntax
remotehelp [ protocol-command ]
View
FTP client view
Parameter
protocol-command: FTP protocol command.
Description
Use the remotehelp command to display the help information about an FTP
protocol command.
This command works only when the FTP server provides the help information
about FTP protocol commands.
Example
CAUTION:
This command is always valid when a 3Com switch operates as the FTP server.
If you use other FTP server software, refer to the documentation for that
software to determine whether the FTP server provides help information for the
FTP protocol commands.
rename
Syntax
View
Parameters
Description
Example
rmdir
Syntax
rmdir pathname
View
FTP client view
Parameter
pathname: Name of a directory on an FTP server.
Description
Use the rmdir command to remove a specified directory on an FTP server.
Note that you can only use this command to remove directories that are empty.
Example
# Remove the directory flash:/temp1 on the FTP server. (Assume that the directory
is empty.)
[ftp] rmdir flash:/temp1
200 RMD command successful.
user
Syntax
View
Parameters
Description
Use the user command to log in to an FTP server with the specified user name and
password.
Example
# Enter FTP client view.
<5500> ftp 2.2.2.2
Trying ...
Press CTRL+K to abort
Connected.
220 FTP service ready.
User(none):admin
331 Password required for admin.
Password:
230 User logged in.
[ftp]
# Log into the FTP server using the user account with the user name being tom
and the password being 111.
[ftp] user tom 111
331 Password required for tom.
230 User logged in.
verbose
Syntax
verbose
undo verbose
View
Parameters
None
Description
Use the verbose command to enable the verbose function, which displays
execution and response information of other related commands.
Use the undo verbose command to disable the verbose function.
The verbose function is enabled by default.
Example
sftp server enable
Syntax
View
System view
Parameters
None
Description
Use the sftp server enable command to enable the SFTP server.
Use the undo sftp server command to disable the SFTP server.
By default, the SFTP server is disabled.
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] sftp server enable
SFTP server
sftp timeout
Syntax
View
System view
Parameter
Description
Use the sftp timeout command to set the idle timeout time on an SFTP server.
Use the undo sftp timeout command to restore the idle timeout time to the
default value.
If the idle timeout time exceeds the specified threshold, the system disconnects
the SFTP user automatically.
Example
bye
Syntax
bye
View
SFTP client view
Parameters
None
Description
Use the bye command to terminate a connection with the remote SFTP server and
return to system view.
This command has the same effect as that of the commands exit and quit.
Example
cd
Syntax
cd [ remote-path ]
View
SFTP client view
Parameter
remote-path: Name of the working path on the remote server.
Description
Use the cd command to change the working path on the remote SFTP server. If no
remote path is specified, this command displays the current working path.
Example
cdup
Syntax
cdup
View
SFTP client view
Parameters
None
Description
Use the cdup command to change the working path on the remote SFTP server
and return to the parent directory.
Example
delete
Syntax
delete remote-file&<1-10>
View
SFTP client view
Parameter
Description
Use the delete command to delete a specified file from the remote SFTP server.
This command has the same effect as that of the remove command.
Example
dir
Syntax
dir [ -a | -l ] [ remote-path ]
View
SFTP client view
Parameters
Description
Use the dir command to query a specified directory on the remote SFTP server.
If -a or -l is not specified, the command displays details about the files and folders
in the specified directory in a list.
If no remote path is specified, this command displays the files in the current
working directory.
This command has the same effect as that of the ls command.
Example
1759 Aug 23 06:52 config.cfg
225 Aug 24 08:01 pubkey2
283 Aug 24 07:39 pubkey1
225 Sep 28 08:28 pub1
0 Sep 28 08:24 new1
0 Sep 28 08:18 new2
225 Sep 28 08:30 pub2
Parameters
None
Description
Use the display sftp source-ip command to display the source IP address
specified for the current SFTP client.
If you have specified a source interface for the SFTP client, this command displays
the IP address of the source interface; otherwise, this command displays the IP
address 0.0.0.0.
Example
exit
Syntax
exit
View
SFTP client view
Parameters
None
Description
Use the exit command to terminate a connection with the remote SFTP server and
return to system view.
This command has the same effect as that of the commands bye and quit.
Example
get
Syntax
View
Parameters
Description
Use the get command to download a file from the remote server.
By default, the remote file name is used for the file saved locally if no local file
name is specified.
Example
# Download the file tt.bak and save it with the name tt.txt.
sftp-client>get tt.bak tt.txt....
This operation may take a long time, please wait...
Remote file:tt.bak ---> Local file: tt.txt..
Received status: End of file
Received status: Success
Downloading file successfully ended
help
Syntax
View
Parameters
Description
Use the help command to display the help information about SFTP client
commands.
If no command is specified, this command displays all the command names.
Example
ls
Syntax
ls [ -a | -l ] [ remote-path ]
View
SFTP client view
Parameters
-a: Displays the file and folder names in a specified directory.
-l: Displays the details about files and folders in a specified directory in a list.
remote-path: Name of the path where the files and folders to be queried reside.
Description
Use the ls command to display files in a specified directory on the remote SFTP
server.
If -a or -l is not specified, the command displays details about the files and folders
in the specified directory in a list.
If no remote path is specified, this command displays the files in the current
working directory.
This command has the same effect as that of the dir command.
Example
1759 Aug 23 06:52 config.cfg
225 Aug 24 08:01 pubkey2
283 Aug 24 07:39 pubkey1
225 Sep 28 08:28 pub1
0 Sep 28 08:24 new1
0 Sep 28 08:18 new2
225 Sep 28 08:30 pub2
mkdir
Syntax
mkdir remote-path
View
SFTP client view
Parameter
remote-path: Name of a directory on the remote SFTP server.
Description
Use the mkdir command to create a directory on the remote SFTP server.
Example
# Create a directory named hj on the remote SFTP server.
sftp-client>mkdir hj
Received status: Success
New directory created
put
Syntax
View
Parameters
Description
Use the put command to upload a local file to the remote SFTP server.
By default, the local file name is used for the remote file if no remote file name is
specified.
Example
# Upload the file named config.cfg to the remote SFTP server and save it as 1.txt.
sftp-client>put config.cfg 1.txt
This operation may take a long time, please wait...
Local file:config.cfg ---> Remote file: /1.txt
Received status: Success
Uploading file successfully ended
pwd
Syntax
pwd
View
SFTP client view
Parameters
None
Description
Use the pwd command to display the working directory on the remote SFTP
server.
Example
# Display the working directory on the remote SFTP server.
sftp-client> pwd
/
quit
Syntax
quit
View
SFTP client view
Parameters
None
Description
Use the quit command to terminate a connection with the remote SFTP server and
return to system view.
This command has the same effect as that of the commands bye and exit.
Example
remove
Syntax
remove remote-file&<1-10>
View
SFTP client view
Parameter
Description
Use the remove command to delete a specified file from the remote SFTP server.
This command has the same effect as that of the delete command.
Example
rename
Syntax
View
Parameters
Description
Use the rename command to rename a specified file on the remote SFTP server.
Example
# Change the file name temp.bat to temp.txt.
sftp-client> rename temp.bat temp.txt
File successfully renamed
rmdir
Syntax
rmdir remote-path&<1-10>
View
SFTP client view
Parameter
Description
Use the rmdir command to remove a specified directory from the remote SFTP
server.
Example
sftp
Syntax
sftp
View
System view
Parameters
host-ip: IP address of the server.
host-name: Host name of the server, a string of 1 to 20 characters.
port-num: Port number of the server, in the range of 0 to 65,535. The default
value is 22.
identity-key: The public key algorithm of the publickey authentication used.
prefer_kex: Specifies a preferred key exchange algorithm. You can select either of
the two algorithms.
Description
Use the sftp command to establish a connection with the remote SFTP server and
enter SFTP client view.
If the server is configured to authenticate the client by public key, the client
must read its local private key when logging in to the SFTP server. Because both
RSA and DSA are available for public key authentication, use the
identity-key keyword to specify the algorithm so that the correct local private
key is used; otherwise the login fails.
Example
# Connect the SFTP server with the IP address 10.1.1.2. Use the default encryption
algorithm.
<5500>system-view
System View: return to User View with Ctrl+Z.
[5500]sftp 10.1.1.2
Input Username: kk
Trying 10.1.1.2...
Press CTRL+K to abort
Connected to 10.1.1.2 ...
The Server is not authenticated. Do you continue access it?(Y/N):y
Do you want to save the servers public key?(Y/N):y
Enter password:
sftp-client>
sftp source-interface
Syntax
View
System view
Parameters
interface-type: Type of a source interface. It can be loopback or VLAN interface.
interface-number: Number of a source interface.
Description
Use the sftp source-interface command to specify a source interface for the SFTP
client. If the specified interface does not exist, the system prompts that the
configuration fails.
Use the undo sftp source-interface command to remove the specified source
interface. Then the client accesses the SFTP server with the local device address
determined by the system.
Example
sftp source-ip
Syntax
View
System view
Parameter
ip-address: Source IP address to be set.
Description
Use the sftp source-ip command to specify a source IP address for the SFTP client.
If the specified IP address is not the IP address of the local device, the system
prompts that the configuration fails.
Use the undo sftp source-ip command to remove the specified source IP address.
Then the client accesses the SFTP server with the local device address determined
by the system.
Example
display tftp source-ip
Syntax
View
Parameters
None
Description
Use the display tftp source-ip command to display the source IP address that the
TFTP client uses every time it connects to a TFTP server. If a source interface is
specified for the TFTP client, the IP address of the source interface is displayed.
If neither a source IP address nor a source interface is specified for the TFTP
client, 0.0.0.0 is displayed.
Example
# Display the source IP address that the TFTP client uses every time it connects to a
TFTP server.
<5500> display tftp source-ip
The source IP you specified is 192.168.0.1
tftp
Syntax
View
Parameters
Description
Use the tftp { ascii | binary } command to set the TFTP data transfer mode.
By default, the binary mode is adopted.
Example
tftp get
Syntax
View
Parameters
Description
Use the tftp get command to download a file from a TFTP server to the local
switch.
Related command: tftp put
Example
# Download the file named abc.txt from the TFTP server whose IP address is
1.1.1.1 and save it as efg.txt (suppose free space of the flash memory is sufficient).
<5500> tftp 1.1.1.1 get abc.txt efg.txt
File will be transferred in binary mode.
Downloading file from remote tftp server, please wait......
TFTP:
35 bytes received in 0 second(s).
File downloaded successfully.
# Download the file temp.txt from the TFTP server (1.1.1.1) and save it as test1.txt
(suppose that free space of the flash memory is insufficient and the TFTP server
does not support file size negotiation).
<5500> tftp 1.1.1.1 get temp.txt test1.txt
File will be transferred in binary mode.
Downloading file from remote tftp server, please wait......
Not enough space; Writing to device failed; Downloaded data will be
deleted.............
Deleting file successful.
# Download the file temp.txt from the TFTP server (1.1.1.1) and save it as test2.txt
(suppose that free space of the flash memory is insufficient and the TFTP server
supports file size negotiation).
<5500> tftp 1.1.1.1 get temp.txt test2.txt
File will be transferred in binary mode.
Downloading file from remote tftp server, please wait......
Not enough space; Quit writing to device; Created file will be deleted
.............
Deleting file successful.
tftp put
Syntax
View
User view
Parameters
tftp-server: IP address or the host name of a TFTP server.
source-file: Name of the file to be uploaded to the TFTP server.
dest-file: File name under which the uploaded file is to be saved.
Description
Use the tftp put command to upload a file to a specified directory on a TFTP
server.
Related command: tftp get
Example
# Upload the file named config.cfg to the TFTP server whose IP address is 1.1.1.1
and save it as temp.cfg.
<5500> tftp 1.1.1.1 put config.cfg temp.cfg
File will be transferred in binary mode.
Copying file to remote tftp server. Please wait... /
TFTP:
962 bytes sent in 0 second(s).
File uploaded successfully.
tftp tftp-server
source-interface
Syntax
View
Parameters
Description
Example
# Connect to the remote TFTP server whose IP address is 192.168.8.8 through the
source interface VLAN-interface 1, and download the file named S5500.bin from
it.
<5500> tftp 192.168.8.8 source-interface Vlan-interface 1 get S5500.bin
tftp tftp-server
source-ip
Syntax
View
Parameters
Description
Use the tftp tftp-server source-ip command to connect to a TFTP server through
the specified source IP address, and perform download or upload operations. If
the specified source IP address does not exist, the system prompts that the
command fails.
Example
# Connect to the remote TFTP server whose IP address is 192.168.8.8 through the
source IP address 192.168.0.1, and download the file named S5500.bin from it.
<5500> tftp 192.168.8.8 source-ip 192.168.0.1 get S5500.bin
tftp source-interface
Syntax
View
System view
Parameters
interface-type: Type of the source interface.
interface-number: Number of the source interface.
Description
Use the tftp source-interface command to specify the source interface that the
TFTP client uses every time it connects to a TFTP server. The system
prompts that the configuration fails if the specified interface does not exist.
Use the undo tftp source-interface command to cancel the source interface
setting. After you execute this command, the TFTP client system decides which
interface is used for accessing TFTP servers.
Example
# Specify VLAN-interface 1 as the source interface that the TFTP client uses every
time it connects to a TFTP server.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] tftp source-interface Vlan-interface 1
tftp-server acl
Syntax
View
System view
Parameter
acl-number: Basic ACL number, in the range 2000 to 2999.
Description
Use the tftp-server acl command to specify the ACL adopted for the connection
between a TFTP client and a TFTP server.
Use the undo tftp-server acl command to cancel all ACLs adopted.
Example
tftp source-ip
Syntax
View
System view
Parameter
ip-address: IP address that is to be specified as the source IP address.
Description
Use the tftp source-ip command to specify the source IP address that the TFTP
client uses every time it connects to a TFTP server. The value of the ip-address
argument must be an IP address on the device where the configuration is
performed. Otherwise, the system prompts that the configuration fails.
Use the undo tftp source-ip command to cancel the source IP address setting.
After you execute this command, the TFTP client system decides which of its IP
addresses is used for accessing TFTP servers.
Example
# Specify 192.168.0.1 as the source IP address that the TFTP client uses every time
it connects to a TFTP server.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] tftp source-ip 192.168.0.1
82 INFORMATION CENTER CONFIGURATION COMMANDS
display channel
Syntax
View
Parameters
Description
Example
ENABLE DEBUG_LEVEL
Y
debugging
display info-center
Syntax
View
Parameter
Description
Description
Information Center
Log host
Console
Monitor
SNMP Agent
Log buffer
Trap buffer
display logbuffer
Syntax
View
Parameters
Severity value
Description
emergencies
alerts
critical
Critical information
errors
Error information
warnings
Warnings
notifications
informational
Informational information to
be recorded
debugging
size buffersize: Specifies the size of the log buffer (number of messages the log
buffer holds) you want to display. The buffersize argument ranges from 1 to 1,024
and defaults to 512.
|: Filters output log information with a regular expression.
begin: Displays the log information beginning with the specified characters.
exclude: Displays the log information excluding the specified characters.
include: Displays the log information including the specified characters.
regular-expression: Regular expression.
Description
Use the display logbuffer command to display the status of the log buffer and
the records in the log buffer.
Example
# Display the status of the log buffer and the records in the log buffer.
<5500> display logbuffer
Logging buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 91
display logbuffer
summary
Syntax
View
Parameter
Description
Example
INFO DEBUG
1
0
display trapbuffer
Syntax
View
Parameters
Description
Use the display trapbuffer command to display the status of the trap buffer and
the records in the trap buffer.
If you execute the command with the size buffersize parameter, the device
displays the trap records starting from the latest one.
Example
# Display the status of the trap buffer and the records in the trap buffer.
<5500> display trapbuffer
Trapping Buffer Configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , Channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 19
#Apr 1 23:55:35:859 2006 3Com L2INF/2/PORT LINK STATUS CHANGE:- 1 Trap 1.3.6.1.6.3.1.1.5.4(linkUp): portIndex is 4227762, ifAdminStatus is 1, ifOp
erStatus is 1
#Apr 1 23:55:36:059 2006 3Com L2INF/2/PORT LINK STATUS CHANGE:- 1 Trap 1.3.6.1.6.3.1.1.5.4(linkUp): portIndex is 4227794, ifAdminStatus is 1, ifOp
erStatus is 1
......
<Omitted>
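The trap buffer records above follow a fixed layout that a monitoring script can parse. The following Python sketch is an added example (not 3Com code): it rejoins the terminal-wrapped lines, parses each record, and reports ports whose link state changes repeatedly within a short window. Reading the digit in L2INF/2/ as the severity level, the linkDown records, the window and the threshold are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First two records: copied from the page, including the terminal line wrap.
# Remaining records: constructed for this example in the same layout.
SAMPLE = """\
#Apr 1 23:55:35:859 2006 3Com L2INF/2/PORT LINK STATUS CHANGE:- 1 Trap 1.3.6.1.6.3.1.1.5.4(linkUp): portIndex is 4227762, ifAdminStatus is 1, ifOp
erStatus is 1
#Apr 1 23:55:36:059 2006 3Com L2INF/2/PORT LINK STATUS CHANGE:- 1 Trap 1.3.6.1.6.3.1.1.5.4(linkUp): portIndex is 4227794, ifAdminStatus is 1, ifOp
erStatus is 1
#Apr 1 23:55:40:120 2006 3Com L2INF/2/PORT LINK STATUS CHANGE:- 1 Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227762, ifAdminStatus is 1, ifOp
erStatus is 2
#Apr 1 23:55:44:300 2006 3Com L2INF/2/PORT LINK STATUS CHANGE:- 1 Trap 1.3.6.1.6.3.1.1.5.4(linkUp): portIndex is 4227762, ifAdminStatus is 1, ifOp
erStatus is 1
#Apr 1 23:55:50:010 2006 3Com L2INF/2/PORT LINK STATUS CHANGE:- 1 Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227762, ifAdminStatus is 1, ifOp
erStatus is 2
"""

# '#' + timestamp + sysname + MODULE/level/DIGEST + ':- n Trap OID(name): body'.
# The number after ':-' is kept as "tag"; the page does not say what it means.
_RECORD = re.compile(
    r"^#(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<host>\S+) (?P<module>\w+)/(?P<level>\d+)/(?P<digest>[^:]+):"
    r"- (?P<tag>\d+) Trap (?P<oid>[\d.]+)\((?P<trap>\w+)\): (?P<body>.*)$"
)
_PAIR = re.compile(r"(\w+) is (\d+)")  # "portIndex is 4227762" style pairs


def join_wrapped(text):
    """Return one string per record: a record starts with '#', and any other
    non-empty line is treated as the wrapped tail of the record before it."""
    records = []
    for line in text.splitlines():
        if line.startswith("#"):
            records.append(line)
        elif line and records:
            records[-1] += line
    return records


def parse_record(line):
    """Parse one rejoined record into a dict, or return None if it differs."""
    m = _RECORD.match(line)
    if m is None:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S:%f %Y"),
        "host": m.group("host"),
        "module": m.group("module"),
        "level": int(m.group("level")),
        "digest": m.group("digest"),
        "oid": m.group("oid"),
        "trap": m.group("trap"),
        "fields": {k: int(v) for k, v in _PAIR.findall(m.group("body"))},
    }


def load_records(text):
    """Rejoin and parse every record in a captured trap buffer dump."""
    return [r for r in map(parse_record, join_wrapped(text)) if r is not None]


def flapping_ports(records, window=timedelta(seconds=60), threshold=3):
    """Map portIndex -> largest number of linkUp/linkDown traps seen inside
    any sliding window, for ports that reach the threshold."""
    by_port = defaultdict(list)
    for rec in records:
        if rec["trap"] in ("linkUp", "linkDown") and "portIndex" in rec["fields"]:
            by_port[rec["fields"]["portIndex"]].append(rec["time"])
    flagged = {}
    for port, times in by_port.items():
        times.sort()
        start = best = 0
        for end, stamp in enumerate(times):
            while stamp - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[port] = best
    return flagged


if __name__ == "__main__":
    print(flapping_ports(load_records(SAMPLE)))
```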
info-center channel
name
Syntax
View
System view
Parameters
channel-number: Channel number, ranging from 0 to 9, corresponding to the 10
channels of the system.
channel-name: Channel name, up to 30 characters in length. The name must start
with an English letter and contain only English letters and numbers.
Description
Use the info-center channel name command to name the channel whose
number is channel-number as channel-name.
Use the undo info-center channel command to restore the default name of the
channel whose number is channel-number.
By default, the name of channel 0 to channel 9 is (in turn) console, monitor,
loghost, trapbuffer, logbuffer, snmpagent, channel6, channel7, channel8,
channel9.
Do not configure two different channels with the same name.
Example
info-center console
channel
Syntax
View
System view
Parameters
channel-number: Channel number, ranging from 0 to 9, corresponding to the 10
channels of the system.
channel-name: Channel name, by default, the name of channel 0 to channel 9 is
(in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent,
channel6, channel7, channel8, channel9.
Description
Use the info-center console channel command to set the channel through
which information is output to the console.
Use the undo info-center console channel command to restore the default
channel through which system information is output to the console.
By default, output of information to the console is enabled with channel 0 as the
default channel (known as console).
This command works only when the information center is enabled.
Related commands: info-center enable and display info-center
Example
info-center enable
Syntax
info-center enable
undo info-center enable
View
System view
Parameters
None
Description
Example
info-center logbuffer
Syntax
View
System view
Parameters
channel: Sets the channel through which information outputs to the log buffer.
channel-number: Channel number, ranging from 0 to 9, corresponding to the 10
channels of the system.
channel-name: Channel name, by default, the name of channel 0 to channel 9 is
(in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent,
channel6, channel7, channel8, channel9.
size buffersize: Specifies the size of the log buffer (number of messages the buffer
holds) you want to display. The buffersize argument ranges from 0 to 1,024 and
defaults to 512.
Description
Use the info-center logbuffer command to enable information output to the log
buffer.
Use the undo info-center logbuffer command to disable information output to
the log buffer.
By default, information output to the log buffer is enabled with channel 4
(logbuffer) as the default channel and a maximum buffer size of 512.
This command works only when the information center is enabled.
Related commands: info-center enable and display info-center
Example
# Configure the system to output information to the log buffer with the size of 50.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] info-center logbuffer size 50
info-center loghost
Syntax
View
System view
Parameters
host-ip-addr: IP address of a log host.
channel: Sets the information channel for the log host.
channel-number: Channel number, ranging from 0 to 9, corresponding to the 10
channels of the system.
channel-name: Channel name, by default, the name of channel 0 to channel 9 is
(in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent,
channel6, channel7, channel8, channel9.
facility local-number: The logging facility of the log host. The local-number
argument ranges from local0 to local7, with the corresponding value ranging from
16 to 23. The default logging facility is local7, with the value being 23.
Description
Example
# Configure the system to output system information to the Unix log host whose
IP address is 202.38.160.1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] info-center loghost 202.38.160.1
info-center loghost
source
Syntax
View
System view
Parameters
interface-type: Specifies an interface type.
interface-number: Specifies an interface number.
Description
Use the info-center loghost source command to configure the source interface
through which information is sent to the log host.
Use the undo info-center loghost source command to cancel the source
interface configuration.
Related commands: info-center enable and display info-center
Example
info-center monitor
channel
Syntax
View
System view
Parameters
channel-number: Channel number, ranging from 0 to 9, corresponding to the 10
channels of the system.
channel-name: Channel name, by default, the name of channel 0 to channel 9 is
(in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent,
channel6, channel7, channel8, channel9.
Description
Use the info-center monitor channel command to set the channel through
which information is output to user terminals.
Use the undo info-center monitor channel command to restore the default
channel through which information is output to user terminals.
info-center snmp channel
Syntax
View
System view
Parameters
channel-number: Channel number, ranging from 0 to 9, corresponding to the 10
channels of the system.
channel-name: Channel name. By default, the names of channel 0 to channel 9 are
(in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent,
channel6, channel7, channel8, channel9.
Description
Use the info-center snmp channel command to set the channel through which
information is output to the SNMP agent.
By default, output of system information to the SNMP NMS is enabled with a
default channel name of snmpagent and a default channel number of 5.
Related commands: snmp-agent and display info-center
Example
# Set the switch to output information to the SNMP agent through channel 6.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] info-center snmp channel 6
info-center source
Syntax
info-center source
View
System view
Parameters
modu-name: Module name.
default: Defaults the settings of all modules.
channel-number: Number of information channel to be used.
channel-name: Channel name. By default, the names of channel 0 to channel 9 are
(in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent,
channel6, channel7, channel8, channel9.
log: Specifies to output log information.
trap: Specifies to output trap information.
debug: Specifies to output debugging information.
level: Specifies an information severity level.
severity: Information severity level. Refer to Table 199.
state: Sets the information state.
state: Can be on or off.
Description
Use the info-center source command to specify the information source in the
information center and the output destination.
Use the undo info-center source command to cancel the configuration of
information source and output destination.
This command can be used to filter log, trap, or debugging information. For
example, it can control information output from the IP module to any direction.
You can configure the switch to output information with severity higher than
warning to the log host and information with severity higher than informational
to the log buffer, and to output trap information to the log host at the same time.
The info-center source command determines the output destination according
to channel name or channel number. Each output destination is assigned a
default information channel, as shown in Table 200.
Table 200 Default information channel
Output destination    Information channel name
Console               console
Monitor terminal      monitor
Log host              loghost
Log buffer            logbuffer
Trap buffer           trapbuffer
SNMP                  snmpagent
# Configure to output the log information of the VLAN module on the SNMP
channel, and only output the log information above the emergencies severity.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] info-center source vlan channel snmpagent log level emergencies
info-center synchronous
Syntax
info-center synchronous
undo info-center synchronous
View
System view
Parameters
None
Description
Example
The synchronous information output function is used in the case that your
input is interrupted by a large amount of system output. With this function
enabled, the system echoes your previous input and you can continue your
operations from where you were stopped.
info-center switch-on
Syntax
View
System view
Parameters
unit unit-id: Specifies a switch in the fabric by its unit ID.
master: Controls the switch that serves as master in the fabric.
all: Controls all switches within the fabric.
debugging: Enables the debugging information output.
logging: Enables the log information output.
trapping: Enables the trap information output.
Description
Example
# Enable trap information output for the switch whose Unit ID is 2 in the fabric.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] info-center switch-on unit 2 trapping
info-center timestamp
Syntax
View
System view
Parameters
log: Specifies log information.
trap: Specifies trap information.
debugging: Specifies debugging information.
boot: Specifies to adopt the time elapsed since system boot, which is in the
format of xxxxxx.yyyyyy, where xxxxxx is the high 32 bits and yyyyyy the low 32
bits of the elapsed milliseconds.
date: Specifies to adopt the current system date and time, which is in the format
of Mmm dd hh:mm:ss:ms yyyy.
none: Specifies not to include time stamp in the specified output information.
Description
Use the info-center timestamp command to set the format of time stamp
included in the log/trap/debugging information.
Use the undo info-center timestamp command to restore the default setting of
time stamp format.
By default, the date time stamp is adopted for log and trap information, and the
boot time stamp is adopted for debugging information.
Example
info-center timestamp loghost
Syntax
View
System view
Parameters
date: Specifies to adopt the current system date and time, in the format of Mmm
dd hh:mm:ss:ms yyyy.
no-year-date: Specifies to adopt the current system date and time excluding the
year, in the format of Mmm dd hh:mm:ss:ms.
none: Specifies not to include time stamp in the output information.
Description
Use the info-center timestamp loghost command to set the format of time
stamp for the output information sent to the log host.
Use the undo info-center timestamp loghost command to restore the default
setting of time stamp format.
By default, the date time stamp is adopted.
Example
# Set the no-year-date time stamp for the output information sent to the log
host.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] info-center timestamp loghost no-year-date
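The following Python sketch is an added example, not part of the 3Com manual. It shows how a log host could decode what the info-center loghost facility setting and the info-center timestamp loghost formats put on the wire. It assumes the standard syslog <PRI> prefix (facility * 8 + severity, RFC 3164); the sample messages and the text after the time stamp are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# PRI = facility * 8 + severity (RFC 3164). The manual maps local0..local7 to 16..23.
LOCAL_FACILITIES = {16 + n: f"local{n}" for n in range(8)}
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

PRI_RE = re.compile(r"^<(\d{1,3})>")
_CORE = (r"(?P<mon>" + "|".join(MONTHS) + r") +(?P<day>\d{1,2}) "
         r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}):(?P<ms>\d{1,3})")
# One pattern per configured format. The format is passed in, never guessed:
# after a year-less stamp, a numeric sysname such as "5500" would look like a year.
TS_PATTERNS = {
    "date": re.compile("^" + _CORE + r" (?P<year>\d{4})(?: |$)"),
    "no-year-date": re.compile("^" + _CORE + r"(?: |$)"),
}


def _place_year(fields, received_at):
    """Pick the year for a year-less stamp: the latest one not after receipt."""
    for year in (received_at.year, received_at.year - 1):
        try:
            ts = datetime(year, *fields)
        except ValueError:                          # Feb 29 in a non-leap year
            continue
        if ts <= received_at + timedelta(days=1):   # tolerate small clock skew
            return ts
    raise ValueError("year-less time stamp cannot be placed near receive time")


def parse_loghost_message(raw, ts_format, received_at, expected_facility=23):
    """Decode one message. ts_format is 'date', 'no-year-date' or 'none',
    matching what was configured with info-center timestamp loghost.
    expected_facility defaults to 23 (local7, the default named in the manual)."""
    m = PRI_RE.match(raw)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI>")
    facility, severity = divmod(int(m.group(1)), 8)
    rest, ts = raw[m.end():], None
    if ts_format != "none":
        t = TS_PATTERNS[ts_format].match(rest)
        if t is None:
            raise ValueError(f"time stamp is not in the {ts_format} format")
        fields = (MONTHS[t["mon"]], int(t["day"]), int(t["h"]),
                  int(t["mi"]), int(t["s"]), int(t["ms"]) * 1000)
        ts = (datetime(int(t["year"]), *fields) if ts_format == "date"
              else _place_year(fields, received_at))
        rest = rest[t.end():]
    return {
        "facility": LOCAL_FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "facility_expected": facility == expected_facility,
        # With 'none' the collector's receive time is the only time available.
        "timestamp": ts if ts is not None else received_at,
        "timestamp_source": "device" if ts is not None else "collector",
        "body": rest,
    }


if __name__ == "__main__":
    received = datetime(2007, 1, 1, 0, 0, 5)
    # Constructed samples, one per time stamp format.
    samples = [
        ("<188>Apr  2 08:14:58:203 2000 5500 constructed message", "date"),
        ("<189>Dec 31 23:59:58:120 5500 constructed message", "no-year-date"),
        ("<134>5500 constructed message", "none"),
    ]
    for raw, fmt in samples:
        print(fmt, parse_loghost_message(raw, fmt, received))
```

With no-year-date or none, the collector has to supply the year or the whole time stamp, so records from switches configured that way are only as trustworthy in time as the log host's own clock.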
info-center trapbuffer
Syntax
View
System view
Parameters
size: Sets the size of the trap buffer.
buffersize: Size of the trap buffer, represented by the number of messages it holds.
It ranges from 0 to 1,024 and defaults to 256.
channel: Sets the channel through which information is output to the trap buffer.
channel-number: Channel number, ranging from 0 to 9, corresponding to the 10
channels of the system.
channel-name: Channel name. By default, the name of channel 0 to channel 9 is
(in turn) console, monitor, loghost, trapbuffer, logbuffer, snmpagent,
channel6, channel7, channel8, channel9.
Description
This command takes effect only after the information center function is enabled.
Related commands: info-center enable and display info-center
Example
# Enable the system to output trap information to the trap buffer, whose size is set
to 30.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] info-center trapbuffer size 30
reset logbuffer
Syntax
View
Parameter
Description
Example
reset trapbuffer
Syntax
View
Parameter
Description
Example
terminal debugging
Syntax
terminal debugging
undo terminal debugging
View
User view
Parameters
None
Description
Example
terminal logging
Syntax
terminal logging
undo terminal logging
View
User view
Parameters
None
Description
Example
terminal monitor
Syntax
terminal monitor
undo terminal monitor
View
User view
Parameters
None
Description
Example
Disabling the function has the same effect as executing the following three
commands: undo terminal debugging, undo terminal logging and undo
terminal trapping. That is, no debugging/log/trap information will be
displayed on the current terminal.
terminal trapping
Syntax
terminal trapping
undo terminal trapping
View
User view
Parameters
None
Description
Example
83 VLAN-VPN CONFIGURATION COMMANDS
display port vlan-vpn
Syntax
View
Parameters
None
Description
Use the display port vlan-vpn command to display the information about
VLAN-VPN configuration of the current system.
Example
Description
Ethernet1/0/6
VLAN-VPN status
VLAN-VPN VLAN
VLAN-VPN inner-cos-trust
VLAN-VPN TPID
vlan-vpn enable
Syntax
vlan-vpn enable
undo vlan-vpn
View
Parameters
None
Description
Use the vlan-vpn enable command to enable the VLAN-VPN feature for a port.
Use the undo vlan-vpn command to disable the VLAN-VPN feature for a port.
By default, the VLAN-VPN feature is disabled.
With the VLAN-VPN feature enabled, a received packet is tagged with the default
VLAN tag of the receiving port no matter whether or not the packet already carries
a VLAN tag.
Examples
If the packet already carries a VLAN tag, the packet becomes a dual-tagged
packet.
Otherwise, the packet becomes a packet carrying the default VLAN tag of the
port.
vlan-vpn inner-cos-trust
Syntax
View
Parameters
None
Description
# Enable the inner-to-outer tag priority replicating feature for Ethernet 1/0/2.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/2
[5500-Ethernet1/0/2] vlan-vpn inner-cos-trust enable
vlan-vpn priority
Syntax
View
Parameters
Description
IP Precedence (decimal)
Keyword
Best-effort
Background
Spare
Excellent-effort
Controlled-load
Video
Voice
Network-management
For the description on the priority values and the keywords listed in Table 202,
refer to QoS Profile Configuration Commands on page 825.
Use the vlan-vpn priority command to configure the mapping relationship
between the inner VLAN priority and the outer VLAN priority.
Use the undo vlan-vpn priority command to remove the configuration.
When the outer VLAN tag is inserted, the VLAN-VPN feature assigns a priority to
the outer VLAN tag based on the inner VLAN tag priority according to the
configured mapping relationship.
By default, the priority in the outer VLAN tag is the port priority.
This command is mutually exclusive with the vlan-vpn inner-cos-trust command.
Example
# Enable the inner-to-outer tag priority mapping feature for GigabitEthernet 1/0/1.
Insert outer tags with the priorities being 5 to packets with the priorities of their
inner tags being 3.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface GigabitEthernet 1/0/1
[5500G-GigabitEthernet1/0/1] vlan-vpn priority 3 remark 5
vlan-vpn tpid
This command applies to the Switch 5500 only (not the Switch 5500G).
Syntax
View
Parameter
Description
Example
Protocol type    Value
ARP              0x0806
IP               0x0800
IPX              0x8137
LACP             0x8809
802.1x           0x888E
Besides the default TPID value, you can configure only one TPID value on Switch
5500.
# Set the TPID value to 0x9100 for Ethernet 1/0/2 port.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/2
[5500-Ethernet1/0/2] vlan-vpn tpid 9100
84
mac-address-mapping
Syntax
View
Parameters
Description
CAUTION: VLAN 4093 is a special VLAN reserved for the IRF fabric feature. It
cannot serve as the destination VLAN of the inter-VLAN MAC address replicating
feature to receive MAC address entries from the other VLANs.
Example
raw-vlan-id inbound
Syntax
View
QinQ view
Parameters
vlan-id-list: Lists of VLAN IDs to be tagged as outer VLAN tags. You need to
provide this argument in the form of { vlan-id [ to vlan-id ] }&<1-10>, where the
VLAN ID after the to keyword must be larger than or equal to the VLAN ID before
the to keyword and &<1-10> means that you can specify up to 10 VLANs/VLAN
ranges for this argument.
all: Specifies not to tag any packet carrying an inner VLAN tag with an outer VLAN
tag.
Description
Use the raw-vlan-id inbound command to specify the outer tag for the packets
with the specified inner VLAN tags. This command must be configured on ports
receiving packets from the private network.
Use the undo raw-vlan-id inbound command to remove the configuration.
CAUTION: A packet cannot be tagged with different outer VLAN tags. To change
the outer VLAN tag of a packet, you need to remove the existing outer VLAN tag
configuration and configure a new outer VLAN tag.
Related command: vlan-vpn vid
Example
# Specify to add the tag of VLAN 20 as the outer tag to the packets with their
inner VLAN IDs being 8 through 15 for Ethernet 1/0/1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
# Specify to add the tag of VLAN 20 as the outer tag to the packets with their
inner VLAN IDs being 8 through 15 for GigabitEthernet 1/0/1.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface GigabitEthernet 1/0/1
[5500G-GigabitEthernet1/0/1] vlan-vpn vid 20
[5500G-GigabitEthernet1/0/1-vid-20] raw-vlan-id inbound 8 to 15
vlan-vpn vid
Syntax
View
Parameter
Description
CAUTION: If IRF fabric is enabled on a device, the selective QinQ feature cannot
be enabled on any port of the device.
By default, the outer VLAN tag added in the selective QinQ feature is the VLAN tag
corresponding to the port's default VLAN ID.
This command must be coupled with the raw-vlan-id inbound command to add
different outer VLAN tags for packets of different VLANs.
Related command: raw-vlan-id inbound
Example
# Specify to add VLAN 20 tag as the outer tags to the packets with their inner
VLAN IDs being 2 through 14 for Ethernet 1/0/1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] vlan-vpn vid 20
[5500-Ethernet1/0/1-vid-20] raw-vlan-id inbound 2 to 14
# Specify to add VLAN 20 tag as the outer tags to the packets with their inner
VLAN IDs being 2 through 14 for GigabitEthernet 1/0/1.
<5500G> system-view
System View: return to User View with Ctrl+Z.
[5500G] interface GigabitEthernet 1/0/1
[5500G-GigabitEthernet1/0/1] vlan-vpn vid 20
[5500G-GigabitEthernet1/0/1-vid-20] raw-vlan-id inbound 2 to 14
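The following Python model is an added example, not 3Com code. It checks a port's vlan-vpn vid / raw-vlan-id inbound lines against the rules stated above (the vlan-id-list syntax, at most 10 ranges, one outer VLAN per inner VLAN) and then builds the dual-tagged frame such a port would forward, using a TPID as set with vlan-vpn tpid. The function names, the 1 to 4094 VLAN range, the zero priority bits and the sample frame are assumptions made for the example.

```python
import struct

DOT1Q_TPID = 0x8100   # TPID of the customer (inner) 802.1Q tag


def parse_vlan_id_list(tokens):
    """Parse '{ vlan-id [ to vlan-id ] }&<1-10>' into [(low, high), ...]."""
    ranges, i = [], 0
    while i < len(tokens):
        low = high = int(tokens[i])
        i += 1
        if i < len(tokens) and tokens[i] == "to":
            if i + 1 >= len(tokens):
                raise ValueError("'to' must be followed by a VLAN ID")
            high = int(tokens[i + 1])
            i += 2
        # 1..4094 is the usable 802.1Q range (assumption; the page gives no range)
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"bad VLAN range {low} to {high}")
        ranges.append((low, high))
    if not 1 <= len(ranges) <= 10:
        raise ValueError("specify 1 to 10 VLANs/VLAN ranges")
    return ranges


def build_inner_to_outer(config_lines):
    """Walk one port's selective QinQ lines and return {inner VLAN: outer VLAN}.
    The 'all' keyword is not modelled and is rejected as a non-numeric VLAN ID."""
    mapping, outer = {}, None
    for line in config_lines:
        words = line.split()
        if words[:2] == ["vlan-vpn", "vid"]:
            outer = int(words[2])
        elif words[:2] == ["raw-vlan-id", "inbound"]:
            if outer is None:
                raise ValueError("raw-vlan-id inbound used outside a vlan-vpn vid view")
            for low, high in parse_vlan_id_list(words[2:]):
                for inner in range(low, high + 1):
                    # A packet cannot be tagged with different outer VLAN tags.
                    if mapping.get(inner, outer) != outer:
                        raise ValueError(
                            f"inner VLAN {inner} already maps to outer VLAN {mapping[inner]}")
                    mapping[inner] = outer
    return mapping


def add_outer_tag(frame, mapping, port_default_vlan, tpid=DOT1Q_TPID):
    """Insert the outer tag after the two MAC addresses of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    outer_vid = port_default_vlan          # untagged, or inner VLAN not listed
    if ethertype == DOT1Q_TPID and len(frame) >= 16:
        inner_vid = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
        outer_vid = mapping.get(inner_vid, port_default_vlan)
    tag = struct.pack("!HH", tpid, outer_vid)   # priority bits left at 0 (assumption)
    return frame[:12] + tag + frame[12:]


def read_tag_stack(frame, outer_tpid):
    """Return the VLAN IDs after the MAC addresses, outermost first."""
    vids, offset, expected = [], 12, outer_tpid
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != expected:
            break
        vids.append(tci & 0x0FFF)
        offset, expected = offset + 4, DOT1Q_TPID
    return vids


def make_frame(inner_vid=None):
    """Constructed sample frame: broadcast destination, locally administered source."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")
    inner = b"" if inner_vid is None else struct.pack("!HH", DOT1Q_TPID, inner_vid)
    return macs + inner + struct.pack("!H", 0x0800) + bytes(46)


if __name__ == "__main__":
    port_cfg = ["vlan-vpn vid 20", "raw-vlan-id inbound 8 to 15"]
    table = build_inner_to_outer(port_cfg)
    tagged = add_outer_tag(make_frame(10), table, port_default_vlan=1, tpid=0x9100)
    print(tagged[12:20].hex(), read_tag_stack(tagged, 0x9100))
```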
85
bpdu-tunnel
Syntax
bpdu-tunnel protocol-type
undo bpdu-tunnel { protocol-type | all }
View
Parameters
Description
cdp
hgmp
lacp
pagp
pvst
stp
vtp
udld
Use the bpdu-tunnel command to enable BPDU tunnel for the packets of a
specific protocol.
Use the undo bpdu-tunnel command to disable BPDU tunnel for the packets of a
specific protocol or all the protocols.
By default, BPDU tunnel is disabled.
CAUTION:
If this command is enabled for a specific protocol, the specific protocol cannot
be enabled on the port. For example, if you have configured the bpdu-tunnel
lacp command, the lacp enable command cannot be enabled on the port.
Example
If IRF fabric is enabled on one port of a device, the BPDU tunnel feature cannot
be enabled on any port of the device.
bpdu-tunnel tunnel-dmac
Syntax
View
System view
Parameter
Description
Example
CAUTION: To prevent the devices in the service provider network from processing
the tunnel packets as other protocol packets, the MAC address for tunnel packets
must be a multicast address used specifically for BPDU tunnels in the service
provider network.
# Set the destination MAC address for protocol packets transmitted along BPDU
tunnels to 010f-e266-c3ab.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] bpdu-tunnel tunnel-dmac 010f-e266-c3ab
display bpdu-tunnel
Syntax
display bpdu-tunnel
View
Any view
Parameters
None
Description
Use the display bpdu-tunnel command to display the private multicast MAC
address configured for packets transmitted along BPDU tunnels.
Example
# Display the private multicast MAC address configured for packets transmitted
along BPDU tunnels.
<5500> display bpdu-tunnel
Tunnel packets destination-mac-address: 010f-e2cd-0003
The above output information indicates that all the protocol packets transmitted
along the BPDU tunnels use 010f-e2cd-0003 as their destination MAC addresses.
86 REMOTE-PING CLIENT COMMANDS
count
Syntax
count times
undo count
View
Parameter
Description
Example
datasize
Syntax
datasize size
undo datasize
View
Parameter
Test type     Value range    Default
Jitter        68 to 8100     68
ICMP          4 to 8100      56
Udpprivate    4 to 8100      100
Udppublic     4 to 8100      100
The packet size configuration applies to ICMP, UDP, and jitter tests only.
Description
Use the datasize command to configure the size of a test packet in a test.
Use the undo datasize command to restore the default.
Example
destination-ip
Syntax
destination-ip ip-address
undo destination-ip
View
Parameter
Description
Example
The destination address can be an IP address or a host name in HTTP test, while in
other types of tests, it must be an IP address.
# Set the destination IP address of an ICMP test to 169.254.10.3.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] remote-ping administrator icmp
[5500-remote-ping-administrator-icmp] test-type icmp
[5500-remote-ping-administrator-icmp] destination-ip 169.254.10.3
destination-port
Syntax
destination-port port-number
undo destination-port
View
Parameter
Description
Example
3Com recommends that you do not perform a TCP, UDP, or jitter test on a
well-known port (ports with a number ranging from 1 to 1023) or on a port
with a port number greater than 50,000. Otherwise, the remote-ping test will
fail or the corresponding service of the well-known port will become
unavailable.
display remote-ping
Syntax
View
Parameters
Use the display remote-ping command to display the result of the last
remote-ping test or the history of remote-ping tests.
Without administrator-name test-operation-tag specified, the command displays
the results of all test groups; with administrator-name test-operation-tag
specified, the command displays the results of the specified test group.
Related command: test-enable
Example
# Display the result of the test group with the administrator name being
administrator, and the operation tag being icmp.
[5500-remote-ping-administrator-icmp] display remote-ping results administrator
icmp
remote-ping entry(admin administrator, tag icmp) test result:
Destinationip address:10.2.2.2
Send operation times: 10
Receive response times: 10
Min/Max/Average Round Trip Time: 1/2/1
Square-Sum of Round Trip Time: 13
Last succeeded test time: 2004-11-25 16:28:55.0
Extend result:
SD Maximal delay: 0
DS Maximal delay: 0
Packet lost in test: 0%
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors:0
Drop operation number:0
Other operation errors:0
Description
Destination ip address
Destination IP address
SD Maximal delay
DS Maximal delay
Description
Response
Status
LasrRC
Time
# Display the result of the test group with the administrator name being
administrator, and the operation tag being http.
[5500-remote-ping-administrator-http] display remote-ping results administrator
http
remote-ping entry(admin administrator, tag http) test result:
Destination ip address:192.168.0.152
Send operation times: 10
Receive response times: 10
Min/Max/Average Round Trip Time: 47/87/74
Square-Sum of Round Trip Time: 57044
Last succeeded test time: 2000-4-2 20:41:50.4
Extend result:
SD Maximal delay: 0
DS Maximal delay: 0
Packet lost in test: 0%
Disconnect operation number: 0
Operation timeout number: 0
Description
# Display the result of the test group with the administrator name being
administrator, and the operation tag being Jitter.
[5500-remote-ping-administrator-Jitter] display remote-ping results
administrator Jitter
remote-ping entry(admin administrator, tag Jitter) test result:
Destination ip address:10.2.2.2
Send operation times: 100
Receive response times: 100
Min/Max/Average Round Trip Time: 9/21/13
Square-Sum of Round Trip Time: 18623
Last succeeded test time: 2000-4-2 8:14:58.2
Extend result:
SD Maximal delay: 10
DS Maximal delay: 10
Packet lost in test: 0%
Disconnect operation number: 0
Operation timeout number: 0
System busy operation number: 0
Connection fail number: 0
Operation sequence errors: 0
Drop operation number: 0
Other operation errors: 0
Jitter result:
RTT Number:100
Min Positive SD:1
Min Positive DS:1
Description
RTT Number
Min Positive SD
Min Positive DS
Max Positive SD
Max Positive DS
Positive SD Number
Positive DS Number
Positive SD Sum
Positive DS Sum
Positive SD average
Positive DS average
Min Negative SD
Min Negative DS
Max Negative SD
Max Negative DS
Negative SD Number
Negative DS Number
Negative SD Sum
Description
Negative DS Sum
Negative SD average
Negative DS average
# Display the result of the test group with the administrator name being
administrator, and the operation tag being dns.
[5500] display remote-ping results administrator dns
remote-ping entry(admin administrator, tag dns) test result:
Destination ip address:10.2.2.2
Send operation times: 10
Receive response times: 10
Min/Max/Average Round Trip Time: 6/10/8
Square-Sum of Round Trip Time: 756
Last succeeded test time: 2006-11-28 11:50:40.9
Extend result:
SD Maximal delay: 0
DS Maximal delay: 0
Packet lost in test: 0%
Disconnect operation number: 0
Operation timeout number: 0
System busy operation number: 0
Connection fail number: 0
Operation sequence errors: 0
Drop operation number: 0
Other operation errors: 0
Dns result:
DNS Resolve Current Time: 10
DNS Resolve Min Time: 6
DNS Resolve Times: 10
DNS Resolve Max Time: 10
DNS Resolve Timeout Times: 0
DNS Resolve Failed Times: 0
Field
Description
A field has the same meaning in the test results of all types of tests, so the
output information of each type of test is not described separately here.
dns-server
Syntax
dns-server ip-address
undo dns-server
View
Parameter
Description
Example
For an HTTP test, if you configure the destination address as a host name, you
must configure the IP address of the DNS server to resolve the host name into
an IP address, which is the destination IP address of this HTTP test.
dns resolve-target
Syntax
View
Parameter
Description
Example
filename
Syntax
filename file-name
undo filename
View
Parameter
Description
Example
frequency
Syntax
frequency interval
undo frequency
View
Parameter
Description
Example
The frequency command supports fabric only when the test type of this test
group is ICMP. With fabric enabled, you are allowed to configure the
frequency command and use the display command to check your
configuration, but unless the test type is ICMP, your configuration does not
take effect until fabric is disabled.
ftp-operation
Syntax
View
Parameters
Description
Use the ftp-operation command to configure the FTP operation mode, which can
be get or put.
By default, the FTP operation mode is get.
Related commands: username and password
Example
history-records
Syntax
history-records number
undo history-records
View
Parameter
Number: Maximum number of history records that can be saved in a test group, in
the range of 0 to 50, and 50 by default.
Description
Use the history-records command to set the maximum number of history records
that can be saved in a test group.
Use the undo history-records command to restore the default.
By default, up to 50 records can be saved in a test group.
Example
# Set the maximum number of history records that can be saved to 10.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] remote-ping administrator icmp
[5500-remote-ping-administrator-icmp] test-type icmp
[5500-remote-ping-administrator-icmp] history-records 10
http-operation
Syntax
View
Parameters
Description
Example
http-string
Syntax
View
Parameters
Description
Use the http-string command to configure the HTTP operation string and version
in an HTTP test.
Use the undo http-string command to remove the configured HTTP operation
string and version.
By default, HTTP operation string and version are not configured.
The http-string command applies to HTTP tests only.
Related commands: http-operation
Example
# Set the webpage to be accessed by an HTTP test as /index.htm and the HTTP
version as HTTP/1.0.
<5500> system-view
[5500] remote-ping administrator http
[5500-remote-ping-administrator-http] test-type http
[5500-remote-ping-administrator-http] http-string /index.htm
HTTP/1.0
remote-ping
Syntax
View
System view
Parameters
administrator-name: Name of the administrator to create a remote-ping test
group, a string of 1 to 32 characters.
operation-tag: Operation tag, a string of 1 to 32 characters.
Description
Use the remote-ping command to create a remote-ping test group and enter
remote-ping test group view. If the specified remote-ping test group already exists,
this command leads you to remote-ping test group view directly.
Use the undo remote-ping command to delete the test group.
Example
remote-ping-agent enable
Syntax
remote-ping-agent enable
undo remote-ping-agent enable
View
System view
Parameters
None
Description
Example
jitter-interval
Syntax
jitter-interval interval
undo jitter-interval
View
Parameter
Description
interval: Interval in milliseconds between jitter test packets. The value is in the
range of 10 to 1000.
Use the jitter-interval command to configure the interval between sending jitter
test packets.
Use the undo jitter-interval command to restore the default.
By default, the interval between sending jitter test packets is 20 milliseconds.
Related command: jitter-packetnum
Example
jitter-packetnum
Syntax
jitter-packetnum number
undo jitter-packetnum
View
Parameter
Description
Example
password
Syntax
password password
undo password
View
Parameter
Description
Example
# Set the password for logging into the FTP server as remote-ping in an FTP test.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] remote-ping administrator ftp
[5500-remote-ping-administrator-ftp] test-type ftp
[5500-remote-ping-administrator-ftp] password remote-ping
probe-failtimes
Syntax
probe-failtimes times
undo probe-failtimes
View
Parameter
Description
By default, the switch sends a trap about probe failure each time when a probe
fails.
Example
# Configure the switch to send a trap after the probe in an ICMP test fails for three
consecutive times.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] remote-ping administrator icmp
[5500-remote-ping-administrator-icmp] test-type icmp
[5500-remote-ping-administrator-icmp] probe-failtimes 3
send-trap
Syntax
View
Parameters
Description
Example
source-interface
Syntax
View
Parameter
Description
For ICMP tests, use the source-interface command to specify a source interface
for sending ICMP requests. The corresponding IP address of the specified interface
is used as the source IP address of ICMP requests. For DHCP tests, use the
source-interface command to specify an interface for DHCP probes.
For ICMP tests, use the undo source-interface command to remove the specified
source interface, and its corresponding IP address is no longer used as the source
IP address of ICMP requests. For DHCP tests, use the undo source-interface
command to remove the specified interface for DHCP probes.
By default, no source interface is specified for ICMP tests and no interface is
configured for DHCP probes.
Example
For DHCP tests, this command is required. For ICMP tests, this command is
optional. This command does not apply to other tests.
For ICMP tests, if a source IP address has been configured with the source-ip
command, the source-interface command cannot change the configured IP
address.
For an ICMP test, if a source interface has been configured with the
source-interface command, the test destination address should be configured
as the address of the device directly connected to the interface. Otherwise, the
test will fail.
The interface to be specified must be Up; otherwise the test will fail.
# Configure the source interface that sends test packets in DHCP tests as
VLAN-interface 1.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] remote-ping administrator dhcp
[5500-remote-ping-administrator-dhcp] test-type dhcp
[5500-remote-ping-administrator-dhcp] source-interface Vlan-interface 1
source-ip
Syntax
source-ip ip-address
undo source-ip
View
Parameter
Description
Example
For FTP tests, this command is required. This command does not apply to DHCP
tests. For other tests, this command is optional.
source-port
Syntax
source-port port-number
undo source-port
View
Parameter
Description
Example
This command does not apply to ICMP, DHCP, and DNS tests.
# Configure the source port number as 8000 for this ICMP test.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] remote-ping administrator icmp
[5500-remote-ping-administrator-icmp] test-type icmp
[5500-remote-ping-administrator-icmp] source-port 8000
test-type
Syntax
test-type type
View
remote-ping test group view
Parameter
type: Test type. It can be any of the following keywords:
Example
test-enable
Syntax
test-enable
undo test-enable
View
Parameters
None
Description
Example
The result of the remote-ping test cannot be displayed automatically, and you
need to use the display remote-ping command to display the test result.
# Perform a remote-ping test on an ICMP test group with the administrator name
and operation tag being administrator and icmp respectively.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] remote-ping administrator icmp
test-failtimes
Syntax
test-failtimes times
undo test-failtimes
View
Parameter
Description
Example
# Configure the switch to send out a trap message after an ICMP test fails for
three consecutive times.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] remote-ping administrator icmp
[5500-remote-ping-administrator-icmp] test-type icmp
[5500-remote-ping-administrator-icmp] test-failtimes 3
timeout
Syntax
timeout time
undo timeout
View
Parameter
Description
Example
# Set the timeout time for one probe in an ICMP test to 10 seconds.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] remote-ping administrator icmp
[5500-remote-ping-administrator-icmp] test-type icmp
[5500-remote-ping-administrator-icmp] timeout 10
tos
Syntax
tos value
undo tos
View
Parameter
value: ToS value in a remote-ping test packet header, in the range of 0 to 255.
Description
Use the tos command to configure the ToS value in a remote-ping test packet
header.
Use the undo tos command to remove the ToS value in a remote-ping test packet
header.
By default, no ToS value is configured.
Example
username
Syntax
username name
undo username
View
Parameter
Description
Example
# Configure the username for logging into the FTP server in an FTP test as
administrator.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] remote-ping administrator ftp
[5500-remote-ping-administrator-ftp] test-type ftp
[5500-remote-ping-administrator-ftp] username administrator
87 REMOTE-PING SERVER COMMANDS
A remote-ping server is required for only jitter, TCP, and UDP tests.
remote-ping-server enable
Syntax
remote-ping-server enable
undo remote-ping-server enable
View
System view
Parameters
None
Description
Example
remote-ping-server tcpconnect
Syntax
View
System view
Parameters
ip-address: IP address specified for a TCP listening service on the HWPing server.
port-number: Port number specified for a TCP listening service on the HWPing
server. The value ranges from 1 to 65535. It is not recommended to use the ports
with a number greater than 50000 or some special ports (that is, those used for
fixed functions, such as port 1701). Otherwise, the HWPing test may fail.
Description
Example
# Enable TCP listening, using 169.254.10.2 as the IP address and 9000 as the port
number.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] remote-ping-server tcpconnect 169.254.10.2 9000
remote-ping-server udpecho
Syntax
View
System view
Parameters
ip-address: IP address from which a remote-ping server performs UDP listening.
port-number: Port from which a remote-ping server performs UDP listening. The
value ranges from 1 to 65535. Note that the ports with a number greater than
49999 or some special ports (that is, those used for fixed functions, such as port
1701) cannot be configured.
Description
CAUTION: The port number used by remote-ping server for UDP listening cannot
be set to a number greater than 49999 or to some special port numbers that are
for fixed functions, such as 1701.
Example
# Enable UDP listening, using 169.254.10.2 as the IP address and 9000 as the port
number.
<5500> system-view
System View: return to User View with Ctrl+Z
[5500] remote-ping-server udpecho 169.254.10.2 9000
88
display dns ipv6 dynamic-host
Syntax
View
Parameters
None
Description
Use the display dns ipv6 dynamic-host command to display IPv6 dynamic
domain name information in the cache.
Example
TTL
6
Table 211 Description of the display dns ipv6 dynamic-host command fields
Field          Description
No.            Sequence number
Domain-name    Domain name
IPv6 Address
TTL
When you use the display dns ipv6 dynamic-host command to check the IPv6
dynamic domain names in the cache, the system will display the first 21 characters
of the domain names if they contain more than 21 characters. This is because the
domain name displayed in the Domain-name field can be up to 21 characters in
length.
Description
Use the display ipv6 fib command to display all the IPv6 FIB entries.
Example
# Display all the IPv6 FIB entries.
<5500> display ipv6 fib
FIB Table:
Total number of Routes : 5
Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
Destination: ::1                          PrefixLength : 128
NextHop    : ::1                          Flag         : HU
TimeStamp  : Date- 5/7/2006, Time- 14:35:32
Interface  : InLoopBack0
Destination: FE80::                       PrefixLength : 10
NextHop    : ::                           Flag         : BU
TimeStamp  : Date- 5/7/2006, Time- 14:35:32
Interface  : NULL0
Destination: 2008::                       PrefixLength : 64
NextHop    : 2008::5600                   Flag         : U
TimeStamp  : Date- 5/7/2006, Time- 14:35:32
Interface  : Vlan-interface1
Destination: 2008::5600                   PrefixLength : 128
NextHop    : ::1                          Flag         : HU
TimeStamp  : Date- 5/7/2006, Time- 14:35:32
Interface  : InLoopBack0
Destination: 2001::                       PrefixLength : 64
NextHop    : 2008::3610                   Flag         : GSU
TimeStamp  : Date- 5/7/2006, Time- 14:35:32
Interface  : Vlan-interface1
Description
Destination
PrefixLength
NextHop
Flag
Route flag:
U - Usable route
G - Gateway route
H - Host route
B - Blackhole route
D - Dynamic route
S - Static route
TimeStamp
Interface
Description
Use the display ipv6 host command to display the mapping between host name
and IPv6 address.
Example
# Display the mapping between host name and IPv6 address.
<5500> display ipv6 host
Host
Age
SWB
0
Description
Host
Host name
Age
Flags
IPv6Address (es)
Description
Use the display ipv6 interface command to display the IPv6 information of a
specified interface.
When neither the interface type nor the interface number is provided, the IPv6
information of all interfaces is displayed.
Example
Description
Interface state
IPv6 is enabled
link-local address
MTU
ND reachable time
ND retransmit interval
Protocol
up
IPv6 Address
2008::5600
Table 215 Description of the display ipv6 interface brief command fields
Field          Description
*down          The interface is down, that is, the interface is disabled by using the
               shutdown command.
(s)            Spoofing attribute of the interface, that is, the link protocol state of
               the interface is up, but the link does not exist, or the link is
               established on demand, instead of being permanent.
Interface
Physical
Protocol
IPv6 Address
View
Parameters
Description
Example
State T Age
REACH S STALE D 22
STALE D 28
STALE D 28
Description
IPv6 Address
Link-layer
VID
Interface
State
State of a neighbor
Age
For a static entry, - is displayed. For a dynamic entry, the time (in seconds)
since the neighbor was last reachable is displayed; if it has never been reachable,
# is displayed (for a dynamic neighbor only).
View
Parameters
Description
Use the display ipv6 neighbors count command to display the total number of
neighbor entries satisfying the specified condition.
Example
# Display the total number of neighbor entries acquired dynamically.
<5500> display ipv6 neighbors dynamic count
Total dynamic entry(ies): 3
display ipv6 route-table
Syntax
View
Parameter
Description
Example
Protocol: Direct
Protocol: Direct
Protocol: Direct
Protocol: Direct
Description
Destination
NextHop
Interface
Protocol
Description
Example
SOCK_DGRAM:
SOCK_RAW:
Description
SOCK_STREAM
Task
socketid
Proto
Protocol ID
LA
FA
sndbuf
rcvbuf
sb_cc
rb_cc
socket option
socket state
SOCK_DGRAM
UDP socket
SOCK_RAW
Raw IP socket
Parameters
None
Description
Use the display ipv6 statistics command to display statistics of IPv6 packets and
ICMPv6 packets.
Example
forwarded:
discarded:
fragments:
0
0
0
hopcount exceeded:
option error:
fragments:
reassembly failed:
0
0
0
0
Total:
132
unreached:
hopcount exceeded:
parameter problem:
echo request:
neighbor solicit:
router solicit:
redirected:
Send failed:
ratelimited:
Received packets:
Total:
126
checksum error:
bad code:
unreached:
hopcount exceeded:
parameter problem:
echoed:
neighbor solicit:
router solicit:
redirected:
unknown info type:
Deliver failed:
bad length:
0
0
0
30
43
0
0
too big:
reassembly timeout:
0
0
echo replied:
neighbor advert:
router advert:
17
42
0
other errors:
0
0
10
0
0
17
34
0
0
0
too short:
too big:
reassembly timeout:
unknown error type:
echo replied:
neighbor advert:
router advert:
router renumbering:
0
0
0
30
35
0
0
ratelimited:
Description
IPv6 Protocol:
Sent packets:
Total: 580
550
30
routing failed:
discarded:
fragments failed:
forwarded:
fragments:
Received packets:
Total:
572
local host:
572
format error:
protocol error:
reassembled:
hopcount exceeded:
0
reassembly timeout:
option error:
fragments:
reassembly failed:
0
ICMPv6 protocol:
Description
Sent packets:
Total:
132
unreached:
too big:
hopcount exceeded:
timeout: 0
parameter problem:
echo request:
echo replied:
30
neighbor solicit:
router solicit:
redirected:
43
0
neighbor advert:
router advert:
42
Send failed:
ratelimited:
reassembly
other errors:
Description
Received packets:
Total:
126
checksum error:
bad code:
too short:
unreached:
10
too big:
hopcount exceeded:
timeout: 0
parameter problem:
type: 0
echoed:
17
router solicit:
redirected:
unknown error
30
neighbor advert:
router advert:
router renumbering:
34
0
reassembly
echo replied:
neighbor solicit:
Deliver failed:
bad length:
ratelimited:
Parameters
None
Description
Use the display tcp ipv6 statistics command to display statistics of IPv6 TCP
packets.
Example
Table 220 Description of the display tcp ipv6 statistics command fields
Field
Description
Received packets:
Total: 436
Sent packets:
Total: 331
urgent packets: 0
Retransmitted timeout
Keepalive timeout
Keepalive probe
accepted connections
established connections
Closed connections
dropped
initiated dropped
Parameters
None
Description
Use the display tcp ipv6 status command to display the IPv6 TCP connection
status.
Example
Foreign Address
::->0
State
Listening
Table 221 Description of the display tcp ipv6 status command fields
Field
Description
TCP6CB
Local Address
Foreign Address
State
Parameters
None
Description
Use the display udp ipv6 statistics command to display statistics of IPv6 UDP
packets.
Example
Table 222 Description of the display udp ipv6 statistics command fields
Field
Description
Total
checksum error
View
Parameters
Description
Use the dns server ipv6 command to configure an IPv6 address for a DNS server.
Use the undo dns server ipv6 command to remove the configured DNS server.
By default, no DNS server is configured.
Example
ipv6 address
Syntax
View
Interface view
Parameters
ipv6-address: IPv6 address.
Description
Use the ipv6 address command to configure a site-local address or global unicast
address manually for an interface.
Use the undo ipv6 address command to remove the manually configured
interface address.
By default, no site-local address or global unicast address is configured for an
interface.
Note that:
A 3Com Switch 5500 can have IPv6 unicast addresses configured on only one
VLAN interface. The total number of IPv6 global unicast addresses and
site-local addresses configured on an interface can be up to four.
You will remove all IPv6 addresses except the automatically configured
link-local address if you carry out the undo ipv6 address command without
any parameter specified.
Example
# Set the aggregate global IPv6 unicast address of the VLAN 1 interface to
2001::1/64.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface vlan-interface 1
[5500-Vlan-interface1] ipv6 address 2001::1/64
View
Parameters
None
Description
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 1
[5500-Vlan-interface1] ipv6 address auto link-local
View
Parameter
Description
Use the ipv6 address eui-64 command to configure a site-local address or global
unicast address in the EUI-64 format for an interface.
Use the undo ipv6 address eui-64 command to remove the configured site-local
address or global unicast address in the EUI-64 format for an interface.
By default, no site-local address or global unicast address in the EUI-64 format is
configured on the interface.
Note that:
The prefix length should not be more than 64 bits when an aggregate global
unicast address or site-local address in the EUI-64 format is configured.
Example
# Configure an IPv6 address in the EUI-64 format for the VLAN 1 interface.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 1
[5500-Vlan-interface1] ipv6 address 2001::1/64 eui-64
View
Parameter
Description
Example
ipv6 host
Syntax
View
System view
Parameters
hostname: Host name, a string of up to 20 characters. The character string can
contain letters, numerals, _, -, or . and must contain at least one letter.
ipv6-address: IPv6 address.
Description
Use the ipv6 host command to configure the mapping between host name and
IPv6 address.
Use the undo ipv6 host command to remove the mapping between host name
and IPv6 address.
Each host name can correspond to only one IPv6 address. A newly configured IPv6
address will overwrite the previous one.
Example
ipv6 icmp-error
Syntax
View
System view
Parameters
Description
Use the ipv6 icmp-error command to configure the maximum number of IPv6
ICMP error packets sent within a specified time.
Use the undo ipv6 icmp-error command to restore the update period and the
capacity of the token bucket to the defaults.
By default, the capacity of the token bucket is 10 and the update period is 100
milliseconds. That is, at most 10 IPv6 ICMP error packets can be sent within 100
milliseconds.
Example
# Set the capacity of the token bucket to 50 and the update period to 100
milliseconds. That is, at most 50 IPv6 ICMP error packets can be sent within 100
milliseconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ipv6 icmp-error bucket 50 ratelimit 100
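The bound that the bucket and ratelimit values place on outgoing ICMPv6 errors, modelled as an added Python example (not 3Com code or part of the original manual). It assumes the bucket is refilled to full capacity at each update period; the class, function names and traffic samples are constructed for illustration.

```python
import re

# Defaults stated in the manual: bucket capacity 10, update period 100 ms.
DEFAULT_BUCKET, DEFAULT_PERIOD_MS = 10, 100
CLI_RE = re.compile(r"^ipv6 icmp-error bucket (\d+) ratelimit (\d+)$")


class IcmpErrorLimiter:
    """Token bucket that is refilled to capacity once per update period.

    Assumption of this sketch: the refill restores the full capacity at
    each period boundary. The manual only states the resulting bound.
    """

    def __init__(self, bucket=DEFAULT_BUCKET, period_ms=DEFAULT_PERIOD_MS):
        if bucket < 0 or period_ms <= 0:
            # The command's value ranges are not reproduced in this section;
            # the model itself just needs a positive period.
            raise ValueError("bucket must be >= 0 and period_ms > 0")
        self.bucket, self.period_ms = bucket, period_ms
        self.tokens, self.window = bucket, 0

    def allow(self, now_ms):
        """Return True if an ICMPv6 error may be sent at time now_ms."""
        window = now_ms // self.period_ms
        if window != self.window:          # a new update period has started
            self.window, self.tokens = window, self.bucket
        if self.tokens == 0:
            return False                   # bucket empty: error is suppressed
        self.tokens -= 1
        return True


def limiter_from_cli(line):
    """Build a limiter from an 'ipv6 icmp-error bucket N ratelimit M' line."""
    m = CLI_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ipv6 icmp-error command: {line!r}")
    return IcmpErrorLimiter(int(m.group(1)), int(m.group(2)))


def simulate(limiter, arrivals_ms):
    """Feed arrival times of packets that would each trigger an ICMPv6 error
    through the limiter and return (errors_sent, errors_suppressed)."""
    sent = sum(1 for t in arrivals_ms if limiter.allow(t))
    return sent, len(arrivals_ms) - sent


# Constructed traffic: one error-triggering packet per millisecond for 300 ms,
FLOOD = list(range(300))
# and a quiet source that triggers one error every 20 ms over the same span.
QUIET = list(range(0, 300, 20))

if __name__ == "__main__":
    print("default, flood:  ", simulate(IcmpErrorLimiter(), FLOOD))
    tuned = limiter_from_cli("ipv6 icmp-error bucket 50 ratelimit 100")
    print("bucket 50, flood:", simulate(tuned, FLOOD))
    print("default, quiet:  ", simulate(IcmpErrorLimiter(), QUIET))
```

Under the flood the number of errors sent depends only on the bucket capacity and the number of update periods, not on how many packets arrive, while the quiet source is never throttled.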
View
Parameter
Description
Example
# Set the attempts to send a neighbor solicitation message for duplicate address
detection to 20.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 1
[5500-Vlan-interface1] ipv6 nd dad attempts 20
ipv6 nd hop-limit
Syntax
View
System view
Parameter
value: Number of hops, in the range of 0 to 255.
Description
Use the ipv6 nd hop-limit command to configure the hop limit of ICMPv6 reply
packets.
Use the undo ipv6 nd hop-limit command to restore the default.
By default, the hop limit of ICMPv6 reply packets is 64.
Example
ipv6 nd ns retrans-timer
Syntax
View
Parameter
Description
Example
ipv6 nd nud reachable-time
Syntax
View
Parameter
Description
Example
ipv6 neighbor
Syntax
View
System view
Parameters
ipv6-address: IPv6 address in a static neighbor entry.
mac-address: Link layer address in a static neighbor entry (48 bits long, in the
format of H-H-H).
vlan-id: VLAN ID corresponding to a static neighbor entry, in the range of 1 to
4094.
port-type port-number: Ethernet port type and port number corresponding to a
static neighbor entry.
interface-type interface-number: VLAN interface type and interface number
corresponding to a static neighbor entry.
Description
Use the undo ipv6 neighbor command to remove a static neighbor entry.
Note that the corresponding VLAN interface must exist when you carry out the
command with the vlan-id port-type port-number argument. After you carry out
the command, the device relates the VLAN interface to an IPv6 address to uniquely
identify a static neighbor entry. You only need to specify the corresponding VLAN
interface before removing a static neighbor entry.
Example
ipv6 neighbors max-learning-num
Syntax
View
Parameter
Description
Example
# Set the maximum number of neighbors that can be dynamically learned on the
interface VLAN-interface 1 to 10.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Vlan-interface 1
[5500-Vlan-interface1] ipv6 neighbors max-learning-num 10
ipv6 route-static
Syntax
View
System view
Parameters
ipv6-address prefix-length: Destination IPv6 address and prefix length.
interface-type interface-number: Type of egress interface and interface number.
nexthop-address: IPv6 address of the next hop.
Description
Example
# Configure a static IPv6 route, with the destination address of 1:1:2::/48 and the
next hop address of 1:1:3::1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ipv6 route-static 1:1:2:: 48 1:1:3::1
Parameters
None
Description
Use the reset dns ipv6 dynamic-host command to clear IPv6 dynamic domain
name cache information.
Example
View
Parameters
all: Clears the static and dynamic neighbor information on all interfaces.
dynamic: Clears the dynamic neighbor information on all interfaces.
interface interface-type interface-number: Clears all neighbor information of a
specified interface.
static: Clears the static neighbor information on all interfaces.
Description
Use the reset ipv6 neighbors command to clear IPv6 neighbor information.
Example
# Clear all neighbor information on all interfaces.
<5500> reset ipv6 neighbors all
Parameters
None
Description
Use the reset ipv6 statistics command to clear the statistics of IPv6 packets.
Example
Parameters
None
Description
Use the reset tcp ipv6 statistics command to clear the statistics of all IPv6 TCP
packets.
Example
View
User view
Parameters
None
Description
Use the reset udp ipv6 statistics command to clear the statistics of all IPv6 UDP
packets.
Example
View
System view
Parameter
wait-time: Length of the finwait timer of IPv6 TCP packets in seconds, in the range
of 76 to 3,600.
Description
Use the tcp ipv6 timer fin-timeout command to set the finwait timer of IPv6 TCP
packets.
Use the undo tcp ipv6 timer fin-timeout command to restore the finwait timer
length to the default.
By default, the length of the finwait timer is 675 seconds.
Example
# Set the finwait timer length of IPv6 TCP packets to 800 seconds.
<5500> system-view
[5500] tcp ipv6 timer fin-timeout 800
View
System view
Parameter
wait-time: Length of the synwait timer of IPv6 TCP packets in seconds, in the
range of 2 to 600.
Description
Use the tcp ipv6 timer syn-timeout command to set the synwait timer of IPv6
TCP packets.
Use the undo tcp ipv6 timer syn-timeout command to restore the synwait timer
length to the default.
By default, the length of the synwait timer of IPv6 TCP packets is 75 seconds.
Example
# Set the synwait timer length of IPv6 TCP packets to 800 seconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] tcp ipv6 timer syn-timeout 800
View
System view
Parameter
Description
Use the tcp ipv6 window command to set the size of IPv6 TCP receiving/sending
buffer.
Use the undo tcp ipv6 window command to restore the size of IPv6 TCP
receiving/sending buffer to the default.
By default, the size of the IPv6 TCP packet buffer is 8 KB.
Example
89
ping ipv6
Syntax
View
Parameters
If a response from the destination is received within the timeout time, the
interval to send the next ECHO-REQUEST equals the actual response period
plus the value of interval.
If no response from the destination is received within the timeout time, the
interval to send the next ECHO-REQUEST equals the timeout value plus the
value of interval.
-s packet-size: Specifies the size in bytes of packets sent for requesting ICMPv6
echo, ranging from 20 to 8,100, with the default of 56 bytes.
-t timeout: Specifies the timeout in milliseconds of receiving ICMPv6 echoes,
ranging from 0 to 65,535, with the default of 2,000 milliseconds.
remote-system: IPv6 address or host name (a string of 1 to 46 characters) of the
destination device.
-i interface-type interface-number: Specifies the type and number of an outgoing
interface. This argument takes effect only when the destination address is a
link-local address and the specified outgoing interface has a link-local address.
Description
Use the ping ipv6 command to test whether the destination is accessible.
After you execute the ping ipv6 command, you can press Ctrl+C to terminate the
ping operation.
Example
The hop limit field in this prompt information has the same meaning as the
ttl field in the prompt information displayed by the IPv4 ping command,
indicating the TTL value in the ICMPv6 ECHO-REQUEST packets.
telnet ipv6
Syntax
View
Parameters
Description
Use the telnet ipv6 command to log in to another device for remote
management from the local device. You can abort the Telnet login by pressing
<Ctrl+K>.
Example
# Connect to a remote Telnet server with the IPv6 address 3001::1.
<5500> telnet ipv6 3001::1
Trying 3001::1 ...
Press CTRL+K to abort
Connected to 3001::1 ...
**************************************************************************
* Copyright(c) 2004-2007 3Com Corporation.
*
* Without the owners prior written consent,
*
* no decompiling or reverse-switch fabricering shall be allowed.
*
**************************************************************************
<5500>
tftp ipv6
Syntax
View
Parameters
Description
Example
Download a file: Download a specified source file from TFTP server to local.
Upload a file: Upload a specified source file from local to TFTP server.
tracert ipv6
Syntax
View
Parameters
-m max-ttl: Specifies the maximum TTL, that is, the maximum allowed number of
hops for a packet. The value ranges from 1 to 255, defaults to 30. It must be
greater than the first TTL.
-p port: Specifies the port number of the destination UDP, ranging from 1 to
65535, with the default of 33434.
-q packet-num: Specifies the maximum number of packets sent to a hop, ranging
from 1 to 65535, with the default of 3.
-w timeout: Specifies the timeout in milliseconds of waiting ICMPv6 echoes,
ranging from 1 to 65,535, with the default of 5,000 milliseconds.
remote-system: IPv6 address or host name (a string of 1 to 46 characters) of the
destination device.
Description
Use the tracert ipv6 command to trace the route of the IPv6 packets from source
to destination.
Example
# Trace the route of the IPv6 packets from source to destination 3002::1.
<5500> tracert ipv6 3002::1
traceroute to 3002::1 30 hops max,60 bytes packet
1 3003::1 30 ms 0 ms 0 ms
2 3002::1 10 ms 10 ms 0 ms
90
display dns domain
Syntax
View
Parameter
Description
Example
Description
No
Sequence number
Domain-name
DNS suffix
display dns dynamic-host
Syntax
View
Parameters
None
Description
Use the display dns dynamic-host command to display the information in the
dynamic domain name cache.
Example
Ipaddress
TTL
172.1.223.1
3564
Ipaddress
TTL
172.1.223.2 3564
Alias
Alias
Description
No
Sequence number
Domain-name
Domain name
Ipaddress
TTL
Alias
--->
<---
Parameter
Description
Use the display dns server command to display the DNS Server information.
Related command: dns server
Example
Description
Type
Field
Description
Domain-server
For details on IPv6 DNS, refer to IPv6 Configuration Commands on page 1165.
display ip host
Syntax
display ip host
View
Any view
Parameters
None
Description
Use the display ip host command to display mappings between host names and
IP addresses in the static DNS database.
Example
# Display mappings between host names and IP addresses in the static DNS
database.
<5500> display ip host
Host                 Age        Flags     Address
host.com             0          static    192.168.0.38
Description
Host
Host name
Age
Flags
Address
IP address of a host
dns domain
Syntax
View
System view
Parameter
Description
Note: The DNS feature supported by the Switch 5500 should be used together with a
DNS server. DNS implementations vary with DNS servers. For example, the Switch
5500 supports a domain name containing _, while a Windows 2000 Server may
not be able to resolve the domain name.
Example
# Configure com as a DNS suffix.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] dns domain com
dns resolve
Syntax
dns resolve
undo dns resolve
View
System view
Parameters
None
Description
Use the dns resolve command to enable dynamic domain name resolution.
Use the undo dns resolve command to disable dynamic domain name resolution.
Dynamic domain name resolution is disabled by default.
Example
dns server
Syntax
System view
ip-address: IP address of the DNS Server.
Use the dns server command to configure an IP address for the DNS Server.
Use the undo dns server command to remove the IP address of the DNS server.
No IP address is configured for the DNS Server by default.
You can configure a maximum of 6 DNS Servers.
Related command: display dns server
Example
ip host
Syntax
View
System view
Parameters
hostname: Host name, a string of 1 to 20 characters which can be letters,
numbers, hyphens (-), or dots (.). The host name must include at least one letter.
ip-address: IP address of the specified host, in dotted decimal notation.
Description
Use the ip host command to create a mapping between host name and IP address
in the static DNS database.
Use the undo ip host command to remove the mapping.
No mappings are created by default.
Each host name can correspond to only one IP address. If an IP address is
configured for the same host name more than once, only the most recently
configured IP address is valid.
Related command: display ip host
Example
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] ip host aaa 10.110.0.1
nslookup type
Syntax
View
Parameters
Description
Use the nslookup type command to display the DNS resolution result, namely, the
domain name for a specified IP address or the IP address for a specified domain name.
Example
# Display the corresponding domain name for 192.168.3.2.
<5500> nslookup type ptr 192.168.3.2
Trying DNS server (10.72.66.36)
Name: www.host.com
Address: 192.168.3.2
reset dns dynamic-host
Syntax
View
Parameters
None
Description
Use the reset dns dynamic-host command to clear information in the dynamic
domain name cache.
Related command: display dns dynamic-host
Example
91
display smart-link flush
Syntax
View
Parameters
None
Description
Use the display smart-link flush command to view the information about how
the Smart Link device processes flush messages.
Example
# Display the information about how the Smart Link device processes flush
messages.
<5500> display smart-link flush
Flush interface :Ethernet1/0/1
Count of flush packets received               : 1
Time of last flush packet received            : 22:52:23 2006/04/01
Source MAC of last flush packet received      : 000f-e20f-5566
Device ID of last flush packet received       : 000f-e20f-5566
Control VLAN ID of last flush packet received : 1
Description
Flush interface
Control VLAN ID of last flush packet received Control VLAN ID in the last legal flush message
received
A legal flush message refers to the message whose control VLAN ID is consistent
with the receiving control VLAN ID configured on the receiving port.
display smart-link group
Syntax
View
Parameters
Description
Use the display smart-link group command to display the information about the
specific Smart Link group or all the Smart Link groups.
Example
# Display the information about Smart Link group 1.
<5500> display smart-link group 1
Smart Link Group 1 information:
Device ID: 000f-e212-3456
Control-VLAN ID: 1
Member          Role    State    Flush-count  Last-flush-time
-------------------------------------------------------------------------
Ethernet1/0/1   MASTER  ACTVIE   1            16:37:20 2006/04/21
AGG-1           SLAVE   STANDBY  2            17:45:20 2006/04/21
Description
Member
Role
Status
Flush-count
Last-flush-time
flush enable control-vlan
Syntax
View
Parameter
Description
link-aggregation group
Syntax
View
Parameter
Description
Smart Link and STP cannot be enabled on an Ethernet port at the same time.
Make sure that STP is not enabled on the port of the link aggregation group
before configuring the link aggregation group as a member of the Smart Link
group.
Example
# Configure link aggregation group 8 as the slave port of Smart Link group 1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] smart-link group 1
[5500-smlk-group1] link-aggregation group 2 slave
port
Syntax
View
Parameter
Description
Use the port command to configure the specified port as a member of the Smart
Link group.
Use the undo port command to remove the specified port from the Smart Link
group.
Either a single port or a link aggregation group configured manually or statically
can serve as a member for a Smart Link group. However, a link aggregation group
configured dynamically cannot serve as a member for a Smart Link group. This
command is not applicable to member ports in a link aggregation group.
Note: Smart Link and STP cannot be enabled on an Ethernet port at the same time.
Make sure that STP is not enabled on the port of the link aggregation group
before configuring the link aggregation group as a member of the Smart Link
group.
Example
# Configure Ethernet 1/0/6 as the slave port of Smart Link group 1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] smart-link group 1
[5500-smlk-group1] port Ethernet 1/0/6 slave
View
Parameter
Description
Use the port smart-link group command to configure the current port as a
member of the Smart Link group.
Use the undo port smart-link group command to remove the current port from
the specified Smart Link group.
Note: Smart Link and STP cannot be enabled on an Ethernet port at the same time.
Make sure that STP is not enabled on the port of the link aggregation group
before configuring the link aggregation group as a member of the Smart Link
group.
Example
# Configure Ethernet 1/0/3 as the master port of Smart Link group 1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/3
[5500-Ethernet1/0/3] port smart-link group 1 master
reset smart-link packets counter
Syntax
View
Parameter
Description
Example
smart-link flush enable
Syntax
In system view:
The command executed in Ethernet port view has effect on the current port
only.
The command executed in system view has effect on the specified port only.
The VLAN configured as a control VLAN for sending or receiving flush messages
must exist. You cannot directly remove the control VLAN. When a dynamic VLAN
is configured as a control VLAN for the Smart Link group, this VLAN will become a
static VLAN, and related prompt information is displayed.
Examples
# Enable Ethernet 1/0/4 to process flush messages received from control VLAN 1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/4
[5500-Ethernet1/0/4] smart-link flush enable control-vlan 1
smart-link group
Syntax
View
System view
Parameter
group-id: Smart link group ID, in the range of 1 to 24.
Description
Use the smart-link group command to create a Smart Link group and enter
Smart Link group view. If the specified Smart Link group exists, this command
leads you into Smart Link group view directly.
Use the undo smart-link group command to remove the specified Smart Link
group.
After creating a Smart Link group, you must configure member ports for this
Smart Link group.
Related commands: port smart-link group, link-aggregation group, and port.
Note: Make sure that the Smart Link group has no members before executing the undo
smart-link group command.
Example
# Create a Smart Link group.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] smart-link group 1
New Smart Link Group has been created.
[5500-smlk-group1]
92
display monitor-link group
Syntax
View
Parameters
Description
Use the display monitor-link group command to display Monitor Link group
information.
Example
# Display the information about Monitor Link group 1.
<5500> display monitor-link group 1
Monitor link group 1 information:
Member     Role       Status   Last-up-time         Last-down-time
---------------------------------------------------------------------
SMLK-2     UPLINK     UP       16:37:20 2006/4/21   16:37:20 2006/4/20
AGG-1      DOWNLINK   UP
Description
Member
Role
Status
Last-up-time
Last-down-time
link-aggregation group
Syntax
View
Parameters
group-id: Link aggregation group ID, ranging from 1 to 416 for the Switch 5500
and 1 to 464 for the Switch 5500G (a link aggregation group can be a manual or
static link aggregation group only).
uplink: Configures the specified link aggregation group as the uplink port of the
Monitor Link group.
downlink: Configures the specified link aggregation group as the downlink port
of the Monitor Link group.
Description
Note: A port or a link aggregation group cannot serve as a member port for two Smart
Link groups. On the other hand, a port or a link aggregation group cannot serve
as a member of a Smart Link group and a Monitor Link group at the same time.
However, a Smart Link group can serve as the uplink member port of a Monitor
Link group.
Example
# Configure link aggregation group 8 as the downlink port of the Monitor Link
group.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] monitor-link group 1
[5500-mtlk-group1] link-aggregation group 8 downlink
monitor-link group
Syntax
View
System view
Parameter
group-id: Monitor Link group ID, ranging from 1 to 24.
Description
Use the monitor-link group command to create a Monitor Link group and enter
Monitor Link group view.
Use the undo monitor-link group command to remove a Monitor Link group.
After the Monitor Link group is configured, member ports of the Monitor Link
group need to be configured.
Related commands: port monitor-link group, link-aggregation group,
smart-link group, and port.
Note: Make sure that the Monitor Link group has no members before executing the
undo monitor-link group command.
Example
# Create a Monitor Link group.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] monitor-link group 1
New Monitor Link Group has been created.
[5500-mtlk-group1]
port
Syntax
View
Parameters
Description
Use the port command to configure the specified port as a member of the
Monitor Link group.
Use the undo port command to remove the specified port from the current
Monitor Link group.
In Monitor Link, a Monitor Link group member can be a single port or a static link
aggregation group, but not a dynamic link aggregation group. The uplink port of
a Monitor Link group can also be a Smart Link group.
Do not use this command on member ports of a link aggregation group or a Smart
Link group.
A port or a link aggregation group cannot serve as a member port for two Smart
Link groups, and it cannot serve as a member of a Smart Link group and a Monitor
Link group at the same time. However, a Smart Link group can serve as the uplink
member port of a Monitor Link group.
Example
port monitor-link group
Syntax
View
Parameters
Description
Use the port monitor-link group command to configure the current port as a
member of the specified Monitor Link group.
Use the undo port monitor-link group command to remove the current port
from the specified Monitor Link group.
In Monitor Link, a Monitor Link group member can be a single port or a static
link aggregation group, but not a dynamic link aggregation group. The uplink
port can also be a Smart Link group.
Do not use this command on member ports of a link aggregation group or a Smart
Link group.
Note: A port or a link aggregation group cannot serve as a member port for two
Smart Link groups, and it cannot serve as a member of a Smart Link group and a
Monitor Link group at the same time. However, a Smart Link group can serve as
the uplink member port of a Monitor Link group.
Example
# Configure Ethernet 1/0/8 as a downlink port of Monitor Link group 1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/8
[5500-Ethernet1/0/8] port monitor-link group 1 downlink
smart-link group
Syntax
View
Parameters
Description
Use the smart-link group command to configure the specified Smart Link group
as the uplink port of the Monitor Link group.
Use the undo smart-link group command to remove the configuration.
A Smart Link group can belong to only one Monitor Link group and can be
configured only as an uplink port of the Monitor Link group.
Example
# Configure Smart Link group 1 as the uplink port of Monitor Link group 1.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] monitor-link group 1
[5500-mtlk-group1] smart-link group 1 uplink
93 ACCESS MANAGEMENT CONFIGURATION COMMANDS
am enable
Syntax
am enable
undo am enable
View
System view
Parameters
None
Description
Example
am ip-pool
Syntax
am ip-pool address-list
undo am ip-pool { all | address-list }
View
Parameters
the range, and &<1-10> means you can specify up to ten IP addresses/IP address
ranges.
Description
Example
Before configuring the access management IP address pool of a port, you need
to configure the interface IP address of the VLAN to which the port belongs,
and the IP addresses in the access management IP address pool of a port must
be in the same network segment as the interface IP address of the VLAN which
the port belongs to.
am trap enable
Syntax
am trap enable
undo am trap enable
View
System view
Parameters
None
Description
Use the am trap enable command to enable the access management trap
function.
Use the undo am trap enable command to disable the access management trap
function.
By default, the access management trap function is disabled.
Example
display am
Syntax
display am [ interface-list ]
View
Any view
Parameter
interface-list: Port list. You need to provide this argument in the format of {
interface-type interface-number [ to interface-type interface-number ] } &<1-10>,
where interface-type is port type, interface-number is port number, and &<1-10>
means that you can specify up to ten ports/port lists.
Description
Use the display am command to display the current access management
configuration, including the status (enabled/disabled), and the access
management IP address pool configuration information.
If you do not specify the interface-list argument, this command displays the
current access management configuration of all the ports.
Example
Table 230
Field
Description
Status
IP Pools
94 WEB AUTHENTICATION CONFIGURATION COMMANDS
web-authentication web-server
Syntax
View
System view
Parameters
ip-address: HTTP server IP address. It must be a valid unicast address.
port-number: HTTP server port number. It ranges from 1 to 50000, with 80 as the
default.
Description
Note: Before enabling global Web authentication, you should first set the IP
address of the Web authentication server.
Example
# Set the IP address and port number of the Web authentication server to
192.168.0.56 and 80.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] web-authentication web-server ip 192.168.0.56 port 80
web-authentication enable
Syntax
web-authentication enable
undo web-authentication enable
View
System view
Parameters
None
Description
Example
web-authentication select method
Syntax
View
Port view
Parameters
shared: Sets the Web authentication access method on the port to shared.
designated: Sets the Web authentication access method on the port to
designated.
Description
shared: In this mode, the port allows multiple Web authentication users to be
online at the same time.
designated: In this mode, the port allows only one Web authentication user to
be online at a time.
This configuration takes effect only when Web authentication is enabled globally.
If Web authentication is not enabled globally, this configuration will only be saved.
Example
# Enable Web authentication on Ethernet 1/0/1 and set the Web authentication
access method to shared.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] interface Ethernet 1/0/1
[5500-Ethernet1/0/1] web-authentication select method shared
web-authentication free-ip
Syntax
View
System view
Parameters
ip-address: IP address.
mask-length: Mask length, ranging from 1 to 32.
mask: Mask address.
Description
Note: The free IP address range to be set cannot include the Web authentication
server's IP address.
Example
web-authentication free-user
Syntax
System view
ip-address: IP address of a user.
mac-address: MAC address of the user, in the format of H-H-H (for example,
000d-88f6-44c1).
all: Deletes all authentication-free user settings.
Description
Example
# Set the user with IP address 192.168.0.108 and MAC address 0010-0020-0030
as an authentication-free user.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] web-authentication free-user ip 192.168.0.108 mac 0010-0020-0030
web-authentication cut connection
Syntax
View
Parameters
Description
Use the web-authentication cut connection command to forcibly log out the
specified or all users.
Example
# Forcibly log out all online users on Ethernet 1/0/2.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] web-authentication cut connection interface Ethernet1/0/2
web-authentication timer idle-cut
Syntax
View
System view
Parameters
timer: Interval for checking whether an online user is idle. It ranges from 10 to
86400 seconds. Value 0 means the idle user checking function is disabled.
Description
Use the web-authentication timer idle-cut command to set the idle user
checking interval for Web authentication.
Use the undo web-authentication timer idle-cut command to restore the
default setting.
By default, the idle user checking interval is 900 seconds for Web authentication.
Example
The idle user checking interval is the interval at which the system checks whether a
user is idle. When a user is found idle, if the corresponding MAC address entry has
not been aged out, the system keeps the user online; otherwise, the system logs
off the user. It is recommended that you set the interval to a value that is greater
than half of the MAC address entry aging time but less than the MAC address
entry aging time.
# Set the idle user checking interval to 500 seconds for Web authentication.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] web-authentication timer idle-cut 500
web-authentication max-connection
Syntax
View
Port view
Parameters
Description
Example
display web-authentication connection
Syntax
View
Parameters
Description
Example
Description
Username
MAC
Interface
VLAN
Method
State
User status
Online-Time(s)
display web-authentication configuration
Syntax
View
Parameters
None
Description
Example
Description
Status
Web Server
Description
Idle-cut time
Free IP
Free User
Interface
Configuration
Interface_number
method
max-connection
95
display password-control
Syntax
display password-control
View
Any view
Parameters
None
Description
Example
# Display the information about the current password control for all users.
<5500> display password-control
Global password settings for all users:
 Password aging:                 Enabled(90 days)
 Password length:                Enabled(10 Characters)
 Password composition:           Enabled(1 type(s), 1 character(s) per type)
 Password history:               Enabled(Max history record:4)
 Password alert before expire:   7 days
 Password authentication-timeout:60 seconds
 Password attempt times:         3 times
 Password attempt-failed action: Lock for 120 minutes
The following table describes the output fields of the display password-control
command.
Table 233 Description of the display password-control command fields
Field
Description
Password aging
Password length
Password composition
Password history
Password authentication-timeout
display password-control blacklist
Syntax
View
Parameters
Description
Example
# Display the information about all the users who have been added to the blacklist
because of password attempt failure.
<5500> display password-control blacklist
USERNAME        IP
Jack            10.1.1.2
Total 1 blacklist item(s). 1 listed.
display password-control super
Syntax
View
Parameters
None
Description
Example
# Display the information about the password control for super passwords.
<5500> display password-control super
Supers password settings:
 Password aging:                 Enabled(90 days)
 Password length:                Enabled(10 Characters)
 Password composition:           Enabled(1 type(s), 1 character(s) per type)
password
Syntax
password
View
Parameters
None
Description
Use the password command to set the system login password for a local user in
interactive mode.
Note that:
Example
# Configure the login password for the local user test to 9876543210.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] local-user test
New local user added.
[5500-luser-test] password
Password:**********
confirm:**********
Updating user password, please wait............
# Change the login password for the local user test to 0123456789.
[5500-luser-test] password
Password:**********
Confirm :**********
Updating user password, please wait............
password-control aging
Syntax
View
Parameter
Description
Example
The settings in system view have global significance, while those in local user
view only have local significance.
If both global and local settings are available, the local settings take effect.
# Set the password aging time for a local user test to 80 days.
[5500] local-user test
[5500-luser-test] password-control aging 80
password-control length
Syntax
View
Parameter
Description
Example
The settings in system view have global significance, while those in local user
view only have local significance.
If both global and local settings are available, the local settings take effect.
password-control login-attempt
Syntax
View
System view
Parameters
login-times: Number of login attempts allowed for each user. The effective range is
2 to 10.
exceed: Specifies the processing mode used after login failure.
lock: A processing mode. In this mode, a user who fails to log in is added to the
blacklist and cannot log in to the device until the administrator manually removes
this user from the blacklist.
lock-time time: A processing mode. In this mode, a user who fails to log in is
inhibited from logging in to the device in a certain period, which ranges from 3 to
360 (in minutes). The default value of time is 120 minutes.
unlock: A processing mode. In this mode, a user who fails to log in can continue
to log into the switch without any inhibition.
Description
Example
# Set the number of login attempts allowed for each user to 3 and prevent the
user from logging in to the device again within 360 minutes after the password
attempt failure.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] password-control login-attempt 3 exceed lock-time 360
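The three exceed modes described above, modeled as an added Python example (not 3Com code) to show how many password guesses each mode lets through. The class and function names are hypothetical, and the model assumes that the action triggers when the failure count reaches login-times and that a successful login clears the count.

```python
class LoginAttemptPolicy:
    """Model of: password-control login-attempt <login-times> exceed <mode>."""

    def __init__(self, login_times=3, mode="lock-time", lock_minutes=120):
        # Ranges and the 120-minute default are the ones the page documents.
        if not 2 <= login_times <= 10:
            raise ValueError("login-times must be 2..10")
        if mode not in ("lock", "lock-time", "unlock"):
            raise ValueError("unknown exceed mode")
        if mode == "lock-time" and not 3 <= lock_minutes <= 360:
            raise ValueError("lock-time must be 3..360 minutes")
        self.login_times = login_times
        self.mode = mode
        self.lock_minutes = lock_minutes
        self.failures = {}   # user -> failed attempts so far
        self.blacklist = {}  # user -> minute the block ends (None = manual removal)

    def attempt(self, user, password_ok, now):
        """Return 'blocked', 'accepted' or 'rejected' for a login at minute `now`."""
        if user in self.blacklist:
            until = self.blacklist[user]
            if until is None or now < until:
                return "blocked"
            del self.blacklist[user]           # lock-time has expired
            self.failures.pop(user, None)
        if password_ok:
            self.failures.pop(user, None)      # assumption: success clears the count
            return "accepted"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.mode != "unlock" and self.failures[user] >= self.login_times:
            if self.mode == "lock-time":
                self.blacklist[user] = now + self.lock_minutes
            else:                              # "lock": stays until an admin acts
                self.blacklist[user] = None
        return "rejected"

    def reset_blacklist(self, user):
        """Administrator removes the user from the blacklist."""
        self.blacklist.pop(user, None)
        self.failures.pop(user, None)


def guesses_evaluated(policy, user, n_guesses, minutes_apart=1):
    """Count how many of n wrong guesses the device actually checks."""
    return sum(
        policy.attempt(user, False, i * minutes_apart) == "rejected"
        for i in range(n_guesses)
    )


if __name__ == "__main__":
    for mode in ("lock", "lock-time", "unlock"):
        policy = LoginAttemptPolicy(3, mode, 360)
        print(mode, guesses_evaluated(policy, "test", 1000))
```

With one guess per minute for 1000 minutes, lock-time 360 lets only a handful of guesses be checked, lock stops after the first three, and unlock checks every one.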
password-control history
Syntax
View
System view
Parameter
Description
Example
# Set the maximum number of history password records allowed for each user to
10.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] password-control history 10
password-control alert-before-expire
Syntax
View
System view
Parameter
alert-time: Alert time in days. When the remaining valid time of a password is no
more than this time, the user is alerted to the forthcoming password expiration.
The effective range is 1 to 30.
Description
Use the password-control alert-before-expire alert-time command to
configure the password expiration alert time.
Use the undo password-control alert-before-expire command to restore the
default setting.
By default, the password expiration alert time is 7 days.
Example
password-control authentication-timeout
Syntax
View
System view
Parameter
authentication-timeout: Timeout time in seconds for user password
authentication. The effective range is 30 to 120.
Description
Use the password-control authentication-timeout command to configure the
timeout time for user password authentication.
Use the undo password-control authentication-timeout command to restore
the default setting.
By default, the timeout time for user password authentication is 60 seconds.
Example
# Set the timeout time for user password authentication to 100 seconds.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] password-control authentication-timeout 100
password-control enable
Syntax
View
System view
Parameters
None
Description
When the password used to log into the switch expires, the switch requires the
user to change the password, and automatically saves the history (old) password
to a file in the flash memory. In this way, the switch enhances security by
preventing users from using a single password for a long time or reusing an old
password.
# Enable the password aging feature and enable the password control feature
globally.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] password-control aging enable
Password control will be enabled globally. And all users password will be invi
sible. Are you sure? [Y/N]y
Password aging enabled for all users..........
 State:                  Active    ServiceType Mask: F
 Idle-cut:               Disable
 Access-limit:           Disable   Current AccessNum: 0
 Bind location:          Disable
 Vlan ID:                Disable
 Authorization VLAN:     Disable
 MAC address:            Disable
 FTP Directory:          flash:
 Password-Aging:         Enable    90 days
 Password-Length:        Enable    10 characters
 Password-Composition:   Disable
 Password History was last reset 0 days ago.
# Disable the password aging feature. (This operation also disables the password
control feature globally.)
[5500] undo password-control aging enable
Password control will be disabled globally. And all users password
will be res
et. Are you sure? [Y/N]y
Password aging disabled for all users.
password-control composition
Syntax
View
Parameters
Description
Note: The product of policy-type and type-length must be equal to or less than 63.
Example
If you use this command in system view, the configuration will take effect
globally. If you use this command in local user view, the configuration will take
effect for the local user only.
If you set the password control parameters for a local user, these settings will
override the global configuration. Otherwise, the global configuration will
apply.
# Configure a password composition policy for local user test: a password must
contain at least three character types and at least five characters of each type.
<5500> system-view
System View: return to User View with Ctrl+Z.
[5500] local-user test
[5500-luser-test] password-control composition type-number 3 type-length 5
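The composition rule in the example above, worked through as an added Python example (not 3Com code): it checks the documented product limit and tests candidate passwords against a type-number/type-length policy. The four character types (uppercase, lowercase, digits, special characters) and the function names are assumptions; the 1 to 4 and 1 to 63 ranges are taken from the super composition parameters on this page.

```python
import string

# Assumption: these are the four character types; this section only gives
# their number (policy-type ranges from 1 to 4), not their definitions.
CHAR_TYPES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def implied_min_length(type_number, type_length, max_product=63):
    """Validate a composition policy and return the shortest password it admits.

    max_product is 63 for user passwords and 16 for super passwords,
    the two limits stated on the page.
    """
    if not 1 <= type_number <= 4:
        raise ValueError("type-number must be 1..4")
    if not 1 <= type_length <= 63:
        raise ValueError("type-length must be 1..63")
    product = type_number * type_length
    if product > max_product:
        raise ValueError(
            f"type-number x type-length = {product} exceeds {max_product}"
        )
    # Each required type needs type_length characters, so the product is
    # also the minimum length of any password that can pass the policy.
    return product


def type_counts(password):
    """Count the characters of each type in the password."""
    return {
        name: sum(ch in chars for ch in password)
        for name, chars in CHAR_TYPES.items()
    }


def meets_composition(password, type_number, type_length):
    """True if at least type_number types each have type_length characters."""
    qualifying = [n for n, c in type_counts(password).items() if c >= type_length]
    return len(qualifying) >= type_number


if __name__ == "__main__":
    # Constructed sample passwords, checked against "type-number 3 type-length 5".
    print(implied_min_length(3, 5))                       # shortest valid length
    for candidate in ("ABCDEabcde12345", "ABCDEabcde1234!", "9876543210"):
        print(candidate, meets_composition(candidate, 3, 5))
```

A policy of type-number 3 and type-length 5 forces passwords of at least 15 characters, which is stricter than a 10-character password-control length setting.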
password-control super
Syntax
View
Parameters
System view
aging-time: Aging time for super passwords. It ranges from 1 day to 365 days.
min-length: Minimum length for super passwords. It ranges from 4 to 16
characters.
Description
Example
password-control super composition
Syntax
View
Parameters
System view
type-number policy-type: Sets the minimum number of character types that a
super user password should contain. The policy-type ranges from 1 to 4.
type-length type-length: Sets the minimum number of characters of each type.
The type-length ranges from 1 to 63.
Description
Note: The product of policy-type and type-length must be equal to or less than 16.
Example
If you set the password control parameters for a super user, these settings will
override the global configuration. Otherwise, the global configuration will
apply.
type-length 5
reset password-control history-record
Syntax
View
Parameter
Description
Example
If you input Y, the system deletes all the history password records of all users
and gives the following prompt:
All historical passwords have been cleared.
Updating user password, please wait............
If you input Y, the system deletes all the history password records of the
specified user and gives the following prompt:
All historical passwords have been cleared.
Updating user password, please wait............
reset password-control history-record super
Syntax
View
Parameter
Description
Example
# Delete the history records of the super password for the users at level 2.
<5500> reset password-control history-record super level 2
Are you sure to delete supers history records of level 2?[Y/N]
If you input Y, the system deletes the history records of the super password for
the users at level 2.
All historical passwords have been cleared.
Updating user password, please wait............
reset password-control blacklist
Syntax
View
Parameter
Description
Example
# Check the user information in the blacklist; as you can see, the blacklist contains
three users: test, tes, and test2.
<5500> display password-control blacklist
USERNAME        IP
test            192.168.30.25
tes             192.168.30.24
test2           192.168.30.23
Total 3 blacklist item(s). 3 listed.
# Check the current user information in the blacklist; as you can see, the user test
has been deleted.