
H3C S5120-SI Series Ethernet Switches Command Reference-Release 1101-6W105-Book


H3C S5120-SI Series Ethernet Switches

Command Reference

Hangzhou H3C Technologies Co., Ltd.


http://www.h3c.com

Manual Version: 6W105-20110810


Product Version: Release 1101
Copyright © 2009-2011, Hangzhou H3C Technologies Co., Ltd. and its licensors

All Rights Reserved


No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath,
Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN
are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface

The H3C S5120-SI Series Ethernet Switches Command Reference, Release 1101 describes the
commands available in the H3C S5120-SI series software release 1101.
This preface includes:
1) About This Document
• Audience
• Organization
• Conventions
2) Documentation Guide
• Related Documentation
• Obtaining Documentation
• Technical Support
• Documentation Feedback

1 About This Document

Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the S5120-SI series

Organization
The H3C S5120-SI Series Ethernet Switches Command Reference, Release 1101 comprises these
chapters:
Chapter                                   Content
01-CLI                                    CLI Configuration Commands
02-Login                                  • Commands for Logging into an Ethernet Switch
                                          • Commands for Controlling Login Users
03-Ethernet Port                          Ethernet Port Configuration Commands
04-Loopback Interface and Null Interface  Loopback Interface and Null Interface Configuration Commands
05-Ethernet Link Aggregation              Ethernet Link Aggregation Configuration Commands
06-Port Isolation                         Port Isolation Configuration Commands
07-Port Mirroring                         Port Mirroring Configuration Commands
08-LLDP                                   LLDP Configuration Commands
09-VLAN                                   • VLAN Configuration Commands
                                          • Port-Based VLAN Configuration Commands
                                          • Voice VLAN Configuration Commands
10-MSTP                                   MSTP Configuration Commands
11-IP Addressing                          IP Addressing Configuration Commands
12-IP Performance Optimization            IP Performance Optimization Configuration Commands
13-ARP                                    • ARP Configuration Commands
                                          • ARP Active Acknowledgement Configuration Commands
14-DHCP                                   • DHCP Relay Agent Configuration Commands
                                          • DHCP Client Configuration Commands
                                          • DHCP Snooping Configuration Commands
                                          • BOOTP Client Configuration Commands
15-FTP and TFTP                           • FTP Server Configuration Commands
                                          • FTP Client Configuration Commands
                                          • TFTP Client Configuration Commands
16-IP Routing Basics Configuration        Routing-table Display and Reset Commands
17-Static Routing                         Static Routing Configuration Commands
18-Multicast                              • IGMP Snooping Configuration Commands
                                          • Multicast VLAN Configuration Commands
19-QoS                                    • Class Configuration Commands
                                          • Traffic Behavior Configuration Commands
                                          • QoS Policy Configuration and Application Commands
                                          • Priority Mapping Configuration Commands
                                          • Line Rate Configuration Commands
                                          • Congestion Management Configuration Commands
20-802.1X                                 802.1X Configuration Commands
21-AAA                                    • AAA Configuration Commands
                                          • RADIUS Configuration Commands
22-PKI                                    PKI Configuration Commands
23-SSL                                    SSL Configuration Commands
24-SSH2.0                                 SSH2.0 Configuration Commands
25-Public Key                             Public Key Configuration Commands
26-HABP                                   HABP Configuration Commands
27-ACL                                    ACL Configuration Commands
28-Device Management                      Device Management Commands
29-NTP                                    NTP Configuration Commands
30-SNMP                                   SNMP Configuration Commands
31-RMON                                   RMON Configuration Commands
32-File System Management                 • File System Management Commands
                                          • Configuration File Management Commands
33-System Maintaining and Debugging       • System Maintaining Commands
                                          • System Debugging Commands
34-Basic System Configuration             Basic Configuration Commands
35-Information Center                     Information Center Configuration Commands
36-MAC Address Table                      MAC Address Table Configuration Commands
37-Cluster Management                     • NDP Configuration Commands
                                          • NTDP Configuration Commands
                                          • Cluster Configuration Commands
38-HTTP                                   • HTTP Configuration Commands
                                          • HTTPS Configuration Commands
39-Stack Management                       • Stack Management Configuration Commands
40-PoE                                    PoE Configuration Commands
41-IP Source Guard                        IP Source Guard Configuration Commands
42-Appendix                               Command Index

Conventions
This section describes the conventions used in this documentation set.

Command conventions
Convention          Description
Boldface            Bold text represents commands and keywords that you enter literally as shown.
italic              Italic text represents arguments that you replace with actual values.
[ ]                 Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }     Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]     Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *   Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *   Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.
&<1-n>              The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                   A line that starts with a pound (#) sign is comments.

GUI conventions
Convention          Description
Boldface            Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>                   Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols
Convention Description

Means reader be extremely careful. Improper operation may cause bodily injury.

Means reader be careful. Improper operation may cause data loss or damage to equipment.

Means an action or information that needs special attention to ensure successful configuration or
good performance.

Means a complementary description.

Means techniques helpful for you to make configuration with ease.

2 Documentation Guide

Related Documentation
The H3C S5120-SI documentation set also includes:

Category
    Documents: Purposes

Product description and specifications
    Marketing brochures: Describe product specifications and benefits.

Hardware specifications and installation
    Compliance and safety manual: Provides regulatory information and the safety instructions that
    must be followed during installation.
    Installation guide:
    • Provides a complete guide to hardware installation and hardware specifications.
    • Provides a complete guide to software and hardware troubleshooting.
    H3C Pluggable SFP [SFP+][XFP] Transceiver Modules Installation Guide: Guides you through
    installing SFP/SFP+/XFP transceiver modules.

Power configuration
    RPS ordering guide: Provides the RPS and switch compatibility matrix and RPS cable
    specifications.

Software configuration
    Configuration guide: Describes software features and configuration procedures.
    Command reference: Provides a quick reference to all available commands.

Operations and maintenance
    Login password recovery manual: Tells how to find the lost password or recover the password
    when the login password is lost.
    Release notes: Provide information about the product release, including the version history,
    hardware and software compatibility matrix, version upgrade information, technical support
    information, and software upgrading.

Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at this URL:
http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
• [Technical Support & Documents > Technical Documents] – Provides hardware installation,
software upgrading, and software feature configuration and maintenance documentation.
• [Products & Solutions] – Provides information about products and technologies, as well as
solutions.
• [Technical Support & Documents > Software Download] – Provides the documentation released
with the software version.

Technical Support
customer_service@h3c.com
http://www.h3c.com

Documentation Feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.

Table of Contents

1 CLI Commands
  CLI Commands
    display history-command
    quit
    return
    screen-length disable
    system-view

1 CLI Commands

CLI Commands
display history-command

Syntax

display history-command

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display history-command command to display commands saved in the history buffer.
The system saves the valid commands most recently executed in the current user view to the history
buffer, which can hold up to ten commands by default. You can use the history-command max-size
command to set the size of the history buffer. For related configuration, refer to the
history-command max-size command in Login Commands in the Command Reference- Part 1- Login.

Examples

# Display validated history commands in current user view (the display information varies with
configuration).
<Sysname> display history-command
display history-command
system-view
vlan 2
quit

quit

Syntax

quit

View

Any view

Default Level

0: Visit level (in user view)


2: System level (in other views)

Parameters

None

Description

Use the quit command to exit to a lower-level view. If the current view is user view, the quit command
terminates the current connection and quits the system.

Examples

# Switch from GigabitEthernet1/0/1 interface view to system view, and then to user view.
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] quit
<Sysname>

return

Syntax

return

View

Any view except user view

Default Level

2: System level

Parameters

None

Description

Use the return command to return to user view from current view (non user view).
You can also use the hot key Ctrl+Z to return to user view from the current view (non user view), which
equals execution of the return command.
Related commands: quit.

Examples

# Return to user view from GigabitEthernet1/0/1 view.


[Sysname-GigabitEthernet1/0/1] return
<Sysname>

screen-length disable

Syntax

screen-length disable
undo screen-length disable

View

User view

Default Level

1: Monitor level

Parameters

None

Description

Use the screen-length disable command to disable the multiple-screen output function of the current
user.
Use the undo screen-length disable command to enable the multiple-screen output function of the
current user.
By default, a login user uses the settings of the screen-length command. The default settings of the
screen-length command are: multiple-screen output is enabled and 24 lines are displayed on the next
screen. (For the details of the screen-length command, refer to Login Commands in the Command
Reference- Part 1- Login.)
Note that this command is applicable to the current user only and when a user re-logs in, the settings
restore to the system default.

Examples

# Disable multiple-screen output of the current user.


<Sysname> screen-length disable

system-view

Syntax

system-view

View

User view

Default Level

2: System level

Parameters

None

Description

Use the system-view command to enter system view from the current user view.
Related commands: quit, return.

Examples

# Enter system view from the current user view.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname]

Table of Contents

1 Commands for Logging into an Ethernet Switch
  Commands for Logging into an Ethernet Switch
    activation-key
    authentication-mode
    auto-execute command
    databits
    display telnet client configuration
    display user-interface
    display users
    display web users
    escape-key
    flow-control
    free user-interface
    history-command max-size
    idle-timeout
    ip http enable
    lock
    parity
    protocol inbound
    screen-length
    send
    set authentication password
    shell
    speed
    stopbits
    sysname
    telnet
    telnet client source
    telnet server enable
    terminal type
    user-interface
    user privilege level

2 Commands for Controlling Login Users
  Commands for Controlling Login Users
    acl
    free web-users
    ip http acl

1 Commands for Logging into an Ethernet Switch

Commands for Logging into an Ethernet Switch


activation-key

Syntax

activation-key character
undo activation-key

View

AUX interface view

Default Level

3: Manage level

Parameters

character: Shortcut key for starting terminal sessions, a character or its ASCII decimal equivalent in the
range 0 to 127; or a string of 1 to 3 characters.

Description

Use the activation-key command to define a shortcut key for starting a terminal session.
Use the undo activation-key command to restore the default shortcut key.
You can use a single character (or its corresponding ASCII code value in the range 0 to 127) or a string
of 1 to 3 characters to define a shortcut key. In the latter case, the system takes only the first character
to define the shortcut key. For example, if you input an ASCII code value 97, the system will set the
shortcut key to <a>; if you input the string b@c, the system will set the shortcut key to <b>.
You can use the display current-configuration command to verify the shortcut key you have defined.
By default, pressing the Enter key starts a terminal session.

Examples

# Set the shortcut key for starting terminal sessions to <s>.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] activation-key s

To verify the configuration, do the following:


# Exit the terminal session on the aux port, and enter <s> at the prompt of “Please press ENTER”. You
will see the terminal session being started.
[Sysname-ui-aux0] return
<Sysname> quit

**************************************************************************
* Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
**************************************************************************
User interface aux0 is available.

Please press ENTER.

<Sysname>
%Apr 28 04:33:11:611 2005 Sysname SHELL/5/LOGIN: Console login from aux0

authentication-mode

Syntax

authentication-mode { none | password | scheme }

View

User interface view

Default Level

3: Manage level

Parameters

none: Does not authenticate users.


password: Authenticates users using the local password.
scheme: Authenticates users locally or remotely using usernames and passwords.

Description

Use the authentication-mode command to specify the authentication mode.


• If you specify the password keyword to authenticate users using the local password, remember to
set the local password using the set authentication password { cipher | simple } password
command.
• If you specify the scheme keyword to authenticate users locally or remotely using usernames and
passwords, the actual authentication mode depends on other related configuration. Refer to the
AAA-RADIUS module of this manual for more information.
After you specify local password authentication, a user who logs in through the Console port can
log into the switch even if no password is configured on the switch. Under the same condition, a
user who logs in through a VTY user interface needs a password to log into the switch.
By default, users logging in through the Console port are not authenticated.

For a VTY user interface, if you want to set the login authentication mode to none or password, you
must first verify that the SSH protocol is not supported by the user interface. Otherwise, your
configuration will fail. Refer to protocol inbound.

Examples

# Configure to authenticate users using the local password.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] authentication-mode password

auto-execute command

Syntax

auto-execute command text


undo auto-execute command

View

User interface view

Default Level

3: Manage level

Parameters

text: Command to be executed automatically.

Description

Use the auto-execute command command to set the command that is executed automatically after a
user logs in.
Use the undo auto-execute command command to disable the specified command from being
automatically executed.
Use these two commands in the VTY user interface only.
Normally, the telnet command is specified to be executed automatically to enable the user to Telnet to a
specific network device automatically.
By default, no command is automatically executed.

• The auto-execute command command may prevent you from performing common configuration in the
user interface, so use it with caution.
• Before you execute the auto-execute command command and save your configuration, make sure
you can log into the switch in other modes and cancel the configuration.

Examples

# Configure the telnet 10.110.100.1 command to be executed automatically after users log into VTY 0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] auto-execute command telnet 10.110.100.1
% This action will lead to configuration failure through ui-vty0. Are you sure?[Y/N]y

After the above configuration, when a user logs onto the device through VTY 0, the device automatically
executes the configured command and logs off the current user.

databits

Syntax

databits { 5 | 6 | 7 | 8 }
undo databits

View

AUX interface view

Default Level

2: System level

Parameters

5: Five data bits.


6: Six data bits.
7: Seven data bits.
8: Eight data bits.

Description

Use the databits command to set the data bits for the user interface.
Use the undo databits command to revert to the default data bits.
The default number of data bits is 8.

H3C S5120-SI Switch Series only supports data bits 7 and 8. To establish the connection again, you
need to modify the configuration of the terminal emulation utility running on your PC accordingly.

Examples

# Set the data bits to 7.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] databits 7

display telnet client configuration

Syntax

display telnet client configuration

View

Any view

Default Level

1: Monitor level

Parameter

None

Description

Use the display telnet client configuration command to display the source IP address or source
interface configured for the current device.

Example

# Display the source IP address or source interface configured for the current device.
<Sysname> display telnet client configuration
The source IP address is 1.1.1.1.

display user-interface

Syntax

display user-interface [ type number | number ] [ summary ]

View

Any view

Default Level

1: Monitor level

Parameters

type: User interface type.


number: Absolute or relative index of the user interface. This argument can be an absolute user
interface index (if you do not provide the type argument) or a relative user interface index (if you provide
the type argument).
summary: Displays the summary information about a user interface.

Description

Use the display user-interface command to view information about the specified or all user interfaces.
When the summary keyword is absent, the command will display the type of the user interface, the
absolute or relative number, the speed, the user privilege level, the authentication mode and the
physical location.
When the summary keyword is present, the command displays the number and type of the user
interfaces that are in use and of those that are not in use.

Examples

# Display the information about user interface 0.


<Sysname> display user-interface 0
Idx Type Tx/Rx Modem Privi Auth Int
F 0 AUX 0 9600 - 3 N -

+ : Current user-interface is active.


F : Current user-interface is active and work in async mode.
Idx : Absolute index of user-interface.
Type : Type and relative index of user-interface.
Privi: The privilege of user-interface.
Auth : The authentication mode of user-interface.
Int : The physical location of UIs.
A : Authenticate use AAA.
L : Authentication use local database.
N : Current UI need not authentication.
P : Authenticate use current UI's password.

Table 1-1 Descriptions on the fields of the display user-interface command

Field       Description
+           The information displayed is about the current user interface.
F           The information displayed is about the current user interface. And the current user interface operates in asynchronous mode.
Idx         The absolute index of the user interface
Type        User interface type and the relative index
Tx/Rx       Transmission speed of the user interface
Modem       Indicates whether or not a modem is used.
Privi       The available command level
Auth        The authentication mode
Int         The physical position of the user interface
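
An added example, not part of the H3C manual: a Python check that parses display user-interface output and flags user interfaces whose Auth column shows N (no authentication) or P (one password for the whole user interface). The AUX row is the one shown above; the VTY rows are constructed, the handling of an empty Tx/Rx column on VTY rows is an assumption, and the severity labels are this example's own triage.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample in the layout of the manual's example. Only the AUX row comes from the
# manual; the VTY rows are constructed, and leaving Tx/Rx empty on them is an
# assumption of this example.
SAMPLE_OUTPUT = """\
  Idx  Type     Tx/Rx      Modem Privi Auth  Int
F 0    AUX 0    9600       -     3     N     -
+ 1    VTY 0               -     3     N     -
  2    VTY 1               -     0     P     -
  3    VTY 2               -     1     A     -

  +    : Current user-interface is active.
  F    : Current user-interface is active and work in async mode.
  Idx  : Absolute index of user-interface.
  N    : Current UI need not authentication.
  P    : Authenticate use current UI's password.
"""

# Auth codes from the legend printed by the command.
AUTH_CODES = {"A": "AAA", "L": "local database", "N": "none", "P": "UI password"}

# Optional activity flag, absolute index, type, relative index, remaining columns.
ROW = re.compile(
    r"^\s*(?P<flag>[+F])?\s*(?P<idx>\d+)\s+(?P<type>[A-Za-z]+)\s+(?P<rel>\d+)\s+(?P<rest>\S.*)$"
)


@dataclass
class UserInterface:
    active: bool          # "+" or "F" flag present
    index: int            # absolute index (Idx)
    name: str             # type and relative index, e.g. "VTY 0"
    speed: Optional[str]  # Tx/Rx, None when the column is empty
    privilege: int        # Privi: available command level
    auth: str             # Auth code: A, L, N or P


def parse_user_interfaces(output: str) -> List[UserInterface]:
    """Return one record per user-interface row; header and legend lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line.rstrip())
        if not m:
            continue
        cols = m.group("rest").split()
        # Read from the right: Int, Auth, Privi and Modem are always present,
        # Tx/Rx is the optional fifth column from the right.
        if len(cols) not in (4, 5) or cols[-2] not in AUTH_CODES or not cols[-3].isdigit():
            continue
        rows.append(UserInterface(
            active=m.group("flag") is not None,
            index=int(m.group("idx")),
            name=f"{m.group('type').upper()} {m.group('rel')}",
            speed=cols[0] if len(cols) == 5 else None,
            privilege=int(cols[-3]),
            auth=cols[-2],
        ))
    return rows


def audit(interfaces: List[UserInterface]) -> List[Tuple[str, str, str]]:
    """Return (severity, interface, detail) findings, most severe first."""
    findings = []
    for ui in interfaces:
        remote = ui.name.startswith("VTY")  # VTY lines are reached over the network
        if ui.auth == "N":
            severity = "high" if remote else "medium"
            detail = f"no login authentication; sessions get command level {ui.privilege}"
            findings.append((severity, ui.name, detail))
        elif ui.auth == "P":
            findings.append(("low", ui.name, "password mode: one shared password, no usernames"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for severity, name, detail in audit(parse_user_interfaces(SAMPLE_OUTPUT)):
        print(f"[{severity}] {name}: {detail}")
```

Interfaces reported with Auth N or P are the ones to move to authentication-mode scheme, or at least to authentication-mode password with a password set through set authentication password.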

display users

Syntax

display users [ all ]

View

Any view

Default Level

1: Monitor level

Parameters

all: Displays the information about all user interfaces.

Description

Use the display users command to display the information about user interfaces. If you do not specify
the all keyword, only the information about the current user interface is displayed.

Examples

# Display the information about the current user interface.


<Sysname> display users
The user application information of the user interface(s):
Idx UI Delay Type Userlevel
1 VTY 0 00:11:45 TEL 3
2 VTY 1 00:16:35 TEL 3
3 VTY 2 00:16:54 TEL 3
+ 4 VTY 3 00:00:00 TEL 3

Following are more details.


VTY 0 :
Location: 192.168.0.123
VTY 1 :
Location: 192.168.0.43
VTY 2 :
Location: 192.168.0.2
VTY 3 :
User name: user
Location: 192.168.0.33
+ : Current operation user.

F : Current operation user work in async mode.

Table 1-2 Descriptions on the fields of the display users command

Field       Description
+           The information displayed is about the current user interface.
F           The information is about the current user interface, and the current user interface operates in asynchronous mode.
Idx         The absolute user interface indexes
UI          The relative user interface indexes.
Delay       The period in seconds the user interface idles for.
Type        User type
Userlevel   The level of the commands available to the users logging into the user interface
Location    The IP address from which the user logs in.
User name   The login name of the user that logs into the user interface.

display web users

Syntax

display web users

View

Any view

Parameter

None

Description

Use the display web users command to display information about web users.

Example

# Display information about the current web users.


<Sysname> display web users
UserID Name Language Level State LinkCount LoginTime LastTime
ab820000 admin Chinese Management Enable 0 08:41:50 08:45:59

Table 1-3 Description on the fields of the display web users command

Field       Description
UserID      ID of a web user
Name        Name of the web user
Language    Login language used by the web user
Level       Level of the web user
State       State of the web user
LinkCount   Number of tasks that the web user runs
LoginTime   Time when the web user logged in
LastTime    Last time when the web user accessed the switch

escape-key

Syntax

escape-key { default | character }


undo escape-key

View

User interface view

Default Level

3: Manage level

Parameters

default: Restores the default escape key combination <Ctrl + C>.


character: Specifies the shortcut key for aborting a task, a single character (or its corresponding ASCII
code value in the range 0 to 127) or a string of 1 to 3 characters.

Description

Use the escape-key command to define a shortcut key for aborting tasks.
Use the undo escape-key command to restore the default shortcut key.
You can use a single character (or its corresponding ASCII code value in the range 0 to 127) or a string
of 1 to 3 characters to define a shortcut key. But in fact, only the first character functions as the shortcut
key. For example, if you enter an ASCII value 113, the system will use its corresponding character <q>
as the shortcut key; if you input the string q@c, the system will use the first letter <q> as the shortcut
key.
By default, you can use <Ctrl + C> to terminate a task. You can use the display current-configuration
command to verify the shortcut key you have defined.

Examples

# Define <Q> as the escape key.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] escape-key Q

To verify the configuration, do the following:


# Run the ping command to test the connection.
<Sysname> ping -c 20 125.241.23.46
PING 125.241.23.46: 56 data bytes, press Q to break

Request time out

--- 125.241.23.46 ping statistics ---


2 packet(s) transmitted
0 packet(s) received
100.00% packet loss

Enter <Q>. If the ping task is terminated and the system returns to the current view, the configuration is correct.
<Sysname>

flow-control

Syntax

flow-control { hardware | none | software }


undo flow-control

View

AUX interface view

Default Level

2: System level

Parameters

hardware: Configures to perform hardware flow control.


none: Configures no flow control.
software: Configures to perform software flow control.

Description

Use the flow-control command to configure the flow control mode on the AUX port. Use the undo
flow-control command to restore the default flow control mode.
By default, the value is none. That is, no flow control is performed.

The H3C S5120-SI Switch Series supports only the none keyword.

Examples

# Configure no flow control on the AUX port.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] flow-control none

free user-interface

Syntax

free user-interface [ type ] number

View

User view

Default Level

3: Manage level

Parameters

type: User interface type.


number: Absolute user interface index or relative user interface index.
• Relative user interface index: If you provide the type argument, number indicates the user interface
index of the type. When the type is AUX, the number is 0; when the type is VTY, the number ranges
from 0 to 15.
• Absolute user interface index: If you do not provide the type argument, number indicates absolute
user interface index, which ranges from 0 to 16.

Description

Use the free user-interface command to clear a specified user interface. If you execute this command,
the corresponding user interface will be disconnected.
Note that the current user interface cannot be cleared.

Examples

# Log into user interface 0 and clear user interface 1.


<Sysname> free user-interface 1
Are you sure to free user-interface vty0
[Y/N]y
[OK]

After you execute this command, user interface 1 will be disconnected. The user in it must log in again
to connect to the switch.

history-command max-size

Syntax

history-command max-size value


undo history-command max-size

View

User interface view

Default Level

2: System level

Parameters

value: Size of the history command buffer. This argument ranges from 0 to 256 and defaults to 10. That
is, the history command buffer can store 10 commands by default.

Description

Use the history-command max-size command to set the size of the history command buffer.
Use the undo history-command max-size command to revert to the default history command buffer
size.

Examples

# Set the size of the history command buffer to 20 to enable it to store up to 20 commands.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] history-command max-size 20

idle-timeout

Syntax

idle-timeout minutes [ seconds ]


undo idle-timeout

View

User interface view

Default Level

2: System level

Parameters

minutes: Number of minutes. This argument ranges from 0 to 35791.


seconds: Number of seconds. This argument ranges from 0 to 59.

Description

Use the idle-timeout command to set the timeout time. The connection to a user interface is terminated
if no operation is performed in the user interface within the specified period.
Use the undo idle-timeout command to revert to the default timeout time.
You can use the idle-timeout 0 command to disable the timeout function.
The default timeout time is 10 minutes.

Examples

# Set the timeout time of AUX 0 to 1 minute.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] idle-timeout 1 0

ip http enable

Syntax

ip http enable
undo ip http enable

View

System view

Parameter

None

Description

Use the ip http enable command to launch the Web server.


Use the undo ip http enable command to shut down the Web server.
By default, the Web server is enabled.

Example

# Shut down the Web server.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo ip http enable

# Launch the Web server.


[Sysname] ip http enable

lock

Syntax

lock

View

User view

Default Level

3: Manage level

Parameters

None

Description

Use the lock command to lock the current user interface to prevent unauthorized users from operating
the user interface.
With the execution of this command, the system prompts to enter and confirm the password (up to 16
characters), and then locks the user interface.
To cancel the lock, press the Enter key and enter the correct password.

By default, the system will not lock the current user interface automatically.

Examples

# Lock the current user interface.


<Sysname> lock
Please input password<1 to 16> to lock current user terminal interface:
Password:
Again:

locked !

# Cancel the lock.


Password:
Again:
<Sysname>

parity

Syntax

parity { even | mark | none | odd | space }


undo parity

View

AUX interface view

Default Level

2: System level

Parameters

even: Performs even checks.


mark: Performs mark checks.
none: Does not check.
odd: Performs odd checks.
space: Performs space checks.

Description

Use the parity command to set the check mode of the user interface.
Use the undo parity command to revert to the default check mode.
No check is performed by default.

The H3C S5120-SI switch series supports only the even, none, and odd check modes. To establish the
connection again, you need to modify the configuration of the terminal emulation utility running on
your PC accordingly.

Examples

# Set to perform mark checks.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] parity mark

protocol inbound

Syntax

protocol inbound { all | ssh | telnet }

View

VTY interface view

Default Level

3: Manage level

Parameters

all: Supports both Telnet protocol and SSH protocol.


ssh: Supports SSH protocol.
telnet: Supports Telnet protocol.

Description

Use the protocol inbound command to configure the user interface to support specified protocols.
Both Telnet and SSH protocols are supported by default.
Related command: user-interface vty.

If you want to configure the user interface to support SSH, to ensure a successful login, you must first
configure the authentication mode to scheme on the user interface. If you set the authentication mode
to password or none, the protocol inbound ssh command will fail. Refer to authentication-mode.

Examples

# Configure VTY 0 to support only SSH protocol.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] protocol inbound ssh

screen-length

Syntax

screen-length screen-length
undo screen-length

View

User interface view

Default Level

2: System level

Parameters

screen-length: Number of lines the screen can contain. This argument ranges from 0 to 512 and
defaults to 24.

Description

Use the screen-length command to set the number of lines the terminal screen can contain.
Use the undo screen-length command to revert to the default number of lines.
You can use the screen-length 0 command to disable the function to display information in pages.

Examples

# Set the number of lines the terminal screen can contain to 20.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] screen-length 20

send

Syntax

send { all | number | type number }

View

User view

Default Level

1: Monitor level

Parameters

all: Specifies to send messages to all user interfaces.


type: User interface type.
number: Absolute user interface index or relative user interface index.
• Relative user interface index: If you provide the type argument, the number argument indicates the
user interface index of the type. When the type is AUX, number is 0; when the type is VTY, number
ranges from 0 to 15.
• Absolute user interface index: If you do not provide the type argument, the number argument
indicates the absolute user interface index, and ranges from 0 to 16.

Description

Use the send command to send messages to a specified user interface or all user interfaces.

Examples

# Send messages to all user interfaces.


<Sysname> send all
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
hello^Z
Send message? [Y/N]y
<Sysname>

***
***
***Message from vty0 to vty0
***
hello

<Sysname>

set authentication password

Syntax

set authentication password { cipher | simple } password


undo set authentication password

View

User interface view

Default Level

3: Manage level

Parameters

cipher: Specifies to display the local password in encrypted text when you display the current
configuration.
simple: Specifies to display the local password in plain text when you display the current configuration.

password: Password. The password must be in plain text if you specify the simple keyword in the set
authentication password command. If you specify the cipher keyword, the password can be in either
encrypted text or plain text. Whether the password is in encrypted text or plain text depends on the
password string entered. Strings containing up to 16 characters (such as 123) are regarded as plain text
passwords and are converted to the corresponding 24-character encrypted password (such
as !TP<\*EMUHL,408`W7TH!Q!!). An encrypted password must contain 24 characters and must be in
ciphered text (such as !TP<\*EMUHL,408`W7TH!Q!!).

Description

Use the set authentication password command to set the local password.
Use the undo set authentication password command to remove the local password.
Note that only plain text passwords are expected when users are authenticated.

By default, Telnet users need to provide their passwords to log in. If no password is set, the “Login
password has not been set !” message appears on the terminal when users log in.

Examples

# Set the local password of VTY 0 to “123”.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] set authentication password simple 123

shell

Syntax

shell
undo shell

View

User interface view

Default Level

3: Manage level

Parameters

None

Description

Use the shell command to make terminal services available for the user interface.
Use the undo shell command to make terminal services unavailable to the user interface.

By default, terminal services are available in all user interfaces.
Note the following when using the undo shell command:
• This command is available in all user interfaces except the AUX user interface, because the AUX
port (also the Console) is exclusively used for configuring the switch.
• This command is unavailable in the current user interface.
• This command prompts for confirmation when being executed in any valid user interface.

Examples

# Log into user interface 0 and make terminal services unavailable in VTY 0 through VTY 4.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] undo shell
% Disable ui-vty0-4 , are you sure ? [Y/N]y

speed

Syntax

speed speed-value
undo speed

View

AUX interface view

Default Level

2: System level

Parameters

speed-value: Transmission speed (in bps). This argument can be 300, 600, 1200, 2400, 4800, 9600,
19200, 38400, 57600, or 115200, and defaults to 9600.

Description

Use the speed command to set the transmission speed of the user interface.
Use the undo speed command to revert to the default transmission speed.

After you use the speed command to configure the transmission speed of the AUX user interface, you
must change the corresponding configuration of the terminal emulation program running on the PC, to
keep the configuration consistent with that on the switch.

Examples

# Set the transmission speed of the AUX user interface to 9600 bps.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] speed 9600

stopbits

Syntax

stopbits { 1 | 1.5 | 2 }
undo stopbits

View

AUX interface view

Default Level

2: System level

Parameters

1: Sets the stop bits to 1.


1.5: Sets the stop bits to 1.5.
2: Sets the stop bits to 2.

Description

Use the stopbits command to set the stop bits of the user interface.
Use the undo stopbits command to revert to the default stop bits.
By default, the stop bits value is 1.

• The S5120-SI series does not support communication with a terminal emulation program with
stopbits set to 1.5.
• Changing the stop bits value of the switch to a value different from that of the terminal emulation
utility does not affect the communication between them.

Examples

# Set the stop bits to 2.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] stopbits 2

sysname

Syntax

sysname string
undo sysname

View

System view

Default Level

2: System level

Parameters

string: System name of the switch. This argument can contain 1 to 30 characters and defaults to H3C.

Description

Use the sysname command to set a system name for the switch.
Use the undo sysname command to revert to the default system name.
The CLI prompt reflects the system name of a switch. For example, if the system name of a switch is
“H3C”, then the prompt of user view is <H3C>.

Examples

# Set the system name of the switch to ABC.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] sysname ABC
[ABC]

telnet

Syntax

telnet remote-system [ port-number ] [ source { ip ip-address | interface interface-type interface-number } ]

View

User view

Default Level

0: Visit level

Parameters

remote-system: IP address or host name of the remote system. The host name is a string of 1 to 20
characters, which can be specified using the ip host command.
port-number: TCP port number assigned to Telnet service on the remote system, in the range 0 to
65535.
ip-address: Source IP address of the packets sent by the Telnet client.

interface-type interface-number: Type and number of the interface through which the Telnet client sends
packets.

Description

Use the telnet command to Telnet to another switch from the current switch to manage the former
remotely. You can terminate a Telnet connection by pressing <Ctrl + K>.
Related commands: display tcp status, ip host.

Examples

# Telnet to the switch with the host name of Sysname2 and IP address of 129.102.0.1 from the current
switch (with the host name of Sysname1).
<Sysname1> telnet 129.102.0.1
Trying 129.102.0.1 ...
Press CTRL+K to abort
Connected to 129.102.0.1 ...
**************************************************************************
* Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
**************************************************************************

<Sysname2>

telnet client source

Syntax

telnet client source { ip ip-address | interface interface-type interface-number }


undo telnet client source

View

System view

Default Level

2: System level

Parameters

None

Description

Use the telnet client source command to specify the source IP address or source interface for the
Telnet packets to be sent.
Use the undo telnet client source command to remove the source IP address or source interface
configured for Telnet packets.
By default, no source IP address or source interface is configured for the Telnet packets sent.

Examples

# Specify the source IP address for Telnet packets.


<Sysname> system-view
[Sysname] telnet client source ip 129.102.0.2

# Remove the source IP address configured for Telnet packets.


[Sysname] undo telnet client source

telnet server enable

Syntax

telnet server enable


undo telnet server enable

View

System view

Default Level

3: Manage level

Parameters

None

Description

Use the telnet server enable command to make the switch operate as a Telnet server.
Use the undo telnet server enable command to disable the switch from operating as a Telnet server.
By default, a switch does operate as a Telnet server.

Examples

# Make the switch operate as a Telnet server.


<Sysname> system-view
[Sysname] telnet server enable
% Start Telnet server

# Disable the switch from operating as a Telnet server.


[Sysname] undo telnet server enable
% Close Telnet server

terminal type

Syntax

terminal type { ansi | vt100 }


undo terminal type

View

User interface view

Default Level

2: System level

Parameters

ansi: Specifies the terminal display type to ANSI.


vt100: Specifies the terminal display type to VT100.

Description

Use the terminal type command to configure the type of terminal display.
Use the undo terminal type command to restore the default.
Currently, the system supports two types of terminal display: ANSI and VT100.
By default, the terminal display type is ANSI. The device must use the same display type as the terminal.
If the terminal uses VT100, the device should also use VT100.

Examples

# Set the terminal display type to VT100.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] terminal type vt100

user-interface

Syntax

user-interface [ type ] first-number [ last-number ]

View

System view

Default Level

2: System level

Parameters

type: User interface type.


first-number: User interface index, which identifies the first user interface to be configured.
last-number: User interface index, which identifies the last user interface to be configured.

Description

Use the user-interface command to enter one or more user interface views to perform configuration.

Examples

# Enter VTY 0 user interface view.


<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0

[Sysname-ui-vty0]

user privilege level

Syntax

user privilege level level


undo user privilege level

View

User interface view

Default Level

3: Manage level

Parameters

level: Command level ranging from 0 to 3.

Description

Use the user privilege level command to configure the command level available to the users logging
into the user interface.
Use the undo user privilege level command to revert to the default command level.
By default, the commands of level 3 are available to the users logging into the AUX user interface. The
commands of level 0 are available to the users logging into VTY user interfaces.
Commands fall into four command levels: visit, monitor, system, and manage, which are described as
follows:
• Visit level: Commands of this level are used to diagnose the network and change the language mode
of the user interface, such as ping and tracert. The telnet command is also of this level. Commands
of this level cannot be saved in configuration files.
• Monitor level: Commands of this level are used to maintain the system, to debug service problems,
and so on. The display and debugging commands are of monitor level. Commands of this level
cannot be saved in configuration files.
• System level: Commands of this level are used to configure services. Commands concerning
routing and network layers are of system level. You can utilize network services by using these
commands.
• Manage level: Commands of this level are for the operation of the entire system and the system
supporting modules. Services are supported by these commands. Commands concerning file
system, file transfer protocol (FTP), trivial file transfer protocol (TFTP), downloading using
XModem, user management, and level setting are of administration level.

Examples

# Configure that commands of level 0 are available to the users logging into VTY 0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] user privilege level 0

# You can verify the above configuration by Telnetting to VTY 0 and displaying the available commands,
as listed in the following.
<Sysname> ?
User view commands:
ping Ping function
quit Exit from current command view
super Set the current user priority level
telnet Establish one TELNET connection
tracert Trace route function
undo Undo a command or set to its default status

2 Commands for Controlling Login Users

Commands for Controlling Login Users


acl

Syntax

acl acl-number { inbound | outbound }


undo acl { inbound | outbound }

View

User interface view

Default Level

2: System level

Parameters

acl-number: ACL number ranging from 2000 to 4999, where:


• 2000 to 2999 for basic IPv4 ACLs
• 3000 to 3999 for advanced IPv4 ACLs
• 4000 to 4999 for Layer 2 ACLs
inbound: Filters the users Telnetting to the current switch.
outbound: Filters the users Telnetting to other switches from the current switch.

Description

Use the acl command to apply an ACL to filter Telnet users.


Use the undo acl command to disable the switch from filtering Telnet users using the ACL.
Note that if you use Layer 2 ACL rules, you can only choose the inbound keyword in the command
here.

Examples

# Apply ACL 2000 to filter users Telnetting to the current switch (assuming that ACL 2000 already
exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0 15
[Sysname-ui-vty0-15] acl 2000 inbound
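
An added example (not part of the H3C manual): a Python check that reads the user-interface sections of a saved configuration and flags the settings controlled by the idle-timeout, set authentication password, protocol inbound, user privilege level and acl commands described above. The sample configuration is constructed, its layout (sections separated by #, sub-commands indented by one space) is an assumption about display current-configuration output, and the function names and finding labels are hypothetical.

```python
import re

# Constructed sample laid out like `display current-configuration` output
# (assumption: "#" separates sections, sub-commands are indented by one space).
SAMPLE_CONFIG = """\
#
 sysname ABC
#
user-interface aux 0
 idle-timeout 1 0
user-interface vty 0 4
 user privilege level 3
 set authentication password simple 123
 idle-timeout 0
user-interface vty 5 15
 acl 2000 inbound
 authentication-mode scheme
 protocol inbound ssh
#
"""

UI_HEADER = re.compile(r"^user-interface\s+(?:(aux|vty)\s+)?\d+(?:\s+\d+)?\s*$")


def parse_user_interfaces(config_text):
    """Map each user-interface header line to the commands configured under it."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if UI_HEADER.match(line):
            current = sections.setdefault(line, [])
        elif current is not None and line.startswith(" ") and line.strip():
            current.append(line.strip())
        else:
            current = None  # "#" or any other unindented line closes the section
    return sections


def audit_section(header, cmds):
    """Return review findings for one user-interface section."""
    findings = []
    is_vty = UI_HEADER.match(header).group(1) == "vty"

    # idle-timeout 0 disables the timeout; an absent line means the 10-minute default.
    for c in cmds:
        m = re.match(r"^idle-timeout\s+(\d+)(?:\s+(\d+))?$", c)
        if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
            findings.append("idle-timeout disabled")

    # "simple" keeps the local password readable in the displayed configuration.
    if any(c.startswith("set authentication password simple ") for c in cmds):
        findings.append("password shown in plain text")

    if is_vty:
        # Without a protocol inbound line, both Telnet and SSH are accepted.
        proto = "all"
        for c in cmds:
            m = re.match(r"^protocol inbound (all|ssh|telnet)$", c)
            if m:
                proto = m.group(1)
        if proto != "ssh":
            findings.append("telnet accepted")

        # acl <number> inbound filters the users Telnetting to this line.
        if not any(re.match(r"^acl\s+\d+\s+inbound$", c) for c in cmds):
            findings.append("no inbound acl")

        # VTY lines default to level 0; level 3 makes manage-level commands available.
        if "user privilege level 3" in cmds:
            findings.append("manage level at login")
    return findings


def audit(config_text):
    """Audit every user-interface section; sections without findings are omitted."""
    report = {}
    for header, cmds in parse_user_interfaces(config_text).items():
        findings = audit_section(header, cmds)
        if findings:
            report[header] = findings
    return report


if __name__ == "__main__":
    for header, findings in audit(SAMPLE_CONFIG).items():
        print(header)
        for finding in findings:
            print("  -", finding)
```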

free web-users

Syntax

free web-users { all | user-id userid | user-name username }

View

User view

Parameter

userid: Web user ID.


username: User name of the Web user. This argument can contain 1 to 80 characters.
all: Specifies all Web users.

Description

Use the free web-users command to disconnect a specified Web user or all Web users by force.

Example

# Disconnect all Web users by force.


<Sysname> free web-users all

ip http acl

Syntax

ip http acl acl-number


undo ip http acl

View

System view

Parameter

acl-number: ACL number ranging from 2000 to 2999.

Description

Use the ip http acl command to apply an ACL to filter Web users.
Use the undo ip http acl command to disable the switch from filtering Web users using the ACL.

Example

# Apply ACL 2000 to filter Web users (assuming that ACL 2000 already exists).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip http acl 2000

Table of Contents

1 Ethernet Port Configuration Commands
  Ethernet Port Configuration Commands
    broadcast-suppression
    description
    display brief interface
    display loopback-detection
    display interface
    display port-group manual
    display storm-constrain
    duplex
    flow-control
    flow-interval
    group-member
    interface
    jumboframe enable
    loopback
    loopback-detection control enable
    loopback-detection enable
    loopback-detection interval-time
    loopback-detection per-vlan enable
    mdi
    multicast-suppression
    port auto-power-down
    port-group manual
    port bridge enable
    reset counters interface
    shutdown
    speed
    speed auto
    storm-constrain
    storm-constrain control
    storm-constrain enable log
    storm-constrain enable trap
    storm-constrain interval
    unicast-suppression
    virtual-cable-test

1 Ethernet Port Configuration Commands

Ethernet Port Configuration Commands


broadcast-suppression

Syntax

broadcast-suppression { ratio | pps max-pps | kbps max-bps }


undo broadcast-suppression

View

Ethernet port view, port group view

Default Level

2: System level

Parameters

ratio: Maximum percentage of broadcast traffic to the total transmission capability of an Ethernet port.
The smaller the ratio, the less broadcast traffic is allowed to pass through the interface. This argument
ranges from 1 to 100. The system default is 100.
pps max-pps: Specifies the maximum number of broadcast packets that can be forwarded on an
Ethernet port per second, in the range 1 to 1488100 (in pps, representing packets per second).
kbps max-bps: Specifies the maximum number of broadcast kilobits that can be forwarded on an
Ethernet port per second, in the range 1 to 1024000 (in kbps, representing kilobits per second).

Description

Use the broadcast-suppression command to set a broadcast traffic threshold on one or multiple
Ethernet ports.
Use the undo broadcast-suppression command to restore the default.
By default, broadcast traffic is not suppressed.
If you execute this command in Ethernet port view, the configuration takes effect only on the current
interface. If you execute this command in port-group view, the configuration takes effect on all the ports
in the port group.
When broadcast traffic exceeds the broadcast traffic threshold, the system begins to discard broadcast
packets until the broadcast traffic drops below the threshold to ensure operation of network services.

• If you set different suppression ratios in Ethernet port view or port-group view multiple times, the
latest configuration takes effect.
• Do not use the broadcast-suppression command along with the storm-constrain command.
Otherwise, the broadcast storm suppression ratio configured may become invalid.

Examples

# For Ethernet port GigabitEthernet 1/0/1, allow broadcast traffic equivalent to 20% of the total
transmission capability of GigabitEthernet 1/0/1 to pass.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] broadcast-suppression 20

# For all the ports of the manual port group named group1, allow broadcast traffic equivalent to 20% of
the total transmission capability of each port to pass and suppress excessive broadcast packets.
<Sysname> system-view
[Sysname] port-group manual group1
[Sysname-port-group-manual-group1] group-member gigabitethernet 1/0/1
[Sysname-port-group-manual-group1] group-member gigabitethernet 1/0/2
[Sysname-port-group-manual-group1] broadcast-suppression 20

description

Syntax

description text
undo description

View

Ethernet port view

Default Level

2: System level

Parameters

text: Description of an Ethernet port, a string of 1 to 80 characters. Currently, the device supports the
following types of characters or symbols: standard English characters (numbers and case-sensitive
letters), special English characters, spaces, and other characters or symbols that conform to the
Unicode standard.

• A port description can be the mixture of English characters and other Unicode characters. The
mixed description cannot exceed the specified length.
• To use a type of Unicode characters or symbols in a port description, you need to install the
corresponding Input Method Editor (IME) and log in to the device through remote login software
that supports this character type.
• Each Unicode character or symbol (non-English characters) takes the space of two regular
characters. When the length of a description string reaches or exceeds the maximum line width on
the terminal software, the software starts a new line, possibly breaking a Unicode character into
two. As a result, garbled characters may be displayed at the end of a line.

Description

Use the description command to set the description string of the current interface.
Use the undo description command to restore the default.
By default, the description of an interface is the interface name followed by the “Interface” string,
GigabitEthernet1/0/1 Interface for example.
Related commands: display interface.

Examples

# Configure the description string of interface GigabitEthernet 1/0/1 as lanswitch-interface.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] description lanswitch-interface

display brief interface

Syntax

display brief interface [ interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-type: Type of a specified interface.
interface-number: Number of a specified interface.
|: Uses a regular expression to filter output information. For a detailed description of regular
expressions, refer to Basic System Configuration.
begin: Displays the line that matches the regular expression and all the subsequent lines.
exclude: Displays the lines that do not match the regular expression.
include: Displays the lines that match the regular expression.
regular-expression: Regular expression, a string of 1 to 256 characters. Note that this argument is
case-sensitive.

Description

Use the display brief interface command to display brief interface information.
• If neither interface type nor interface number is specified, all interface information will be displayed.
• If only interface type is specified, then only information of this particular type of interface will be
displayed.
• If both interface type and interface number are specified, then only information of the specified
interface will be displayed.
Related commands: interface.

Examples

# Display the brief information of interfaces.


<Sysname> display brief interface

The brief information of interface(s) under route mode:


Interface Link Protocol-link Protocol type Main IP
Loop2 UP UP(spoofing) LOOP --
NULL0 UP UP(spoofing) NULL --
Vlan1 UP UP ETHERNET 192.168.0.28
The brief information of interface(s) under bridge mode:
Interface Link Speed Duplex Link-type PVID
GE1/0/1 DOWN auto auto access 1
GE1/0/2 DOWN auto auto access 1
GE1/0/3 DOWN auto auto access 1
GE1/0/4 DOWN auto auto access 1
GE1/0/5 DOWN auto auto access 1
GE1/0/6 DOWN auto auto access 1
GE1/0/7 DOWN auto auto access 1
GE1/0/8 DOWN auto auto access 1
GE1/0/9 DOWN auto auto access 1
GE1/0/10 DOWN auto auto access 1

# Display the information of interfaces beginning with the string “spoof”.


<Sysname> display brief interface | begin spoof
The brief information of interface(s) under route mode:
Interface Link Protocol-link Protocol type Main IP
Loop0 UP UP(spoofing) LOOP 5.5.5.5
NULL0 UP UP(spoofing) NULL --
Vlan999 UP UP ETHERNET 10.1.1.1

# Display the brief information of all UP interfaces.


<Sysname> display brief interface | include UP
The brief information of interface(s) under route mode:
Interface Link Protocol-link Protocol type Main IP
Loop0 UP UP(spoofing) LOOP 5.5.5.5
NULL0 UP UP(spoofing) NULL --
Vlan999 UP UP ETHERNET 10.1.1.1

The brief information of interface(s) under bridge mode:


Interface Link Speed Duplex Link-type PVID
GE1/0/7 UP 100M(a) full(a) trunk 303
GE1/0/9 UP 100M(a) full(a) access 999

# Display the brief information of all interfaces excluding Ethernet ports.


<Sysname> display brief interface | exclude GE
The brief information of interface(s) under route mode:
Interface Link Protocol-link Protocol type Main IP
Loop0 UP UP(spoofing) LOOP 5.5.5.5
NULL0 UP UP(spoofing) NULL --
Vlan999 UP UP ETHERNET 10.1.1.1

Table 1-1 display brief interface command output description

Field           Description
Interface       Abbreviated interface name
Link            Interface physical link state, which can be up or down
Protocol-link   Interface protocol link state, which can be up or down
Protocol type   Interface protocol type
Speed           Interface rate, in bps
Duplex          Duplex mode, which can be half (half duplex), full (full duplex), or auto (auto-negotiation).
PVID            Default VLAN ID

display loopback-detection

Syntax

display loopback-detection

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display loopback-detection command to display loopback detection information on a port.
If loopback detection is already enabled, this command will also display the detection interval and
information on the ports currently detected with a loopback.

Examples

# Display loopback detection information on a port.


<Sysname> display loopback-detection
Loopback-detection is running
Detection interval time is 30 seconds
No port is detected with loopback

display interface

Syntax

display interface [ interface-type [ interface-number ] ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-type: Type of a specified interface.
interface-number: Number of a specified interface.

Description

Use the display interface command to display the current state of a specified interface and related
information.
• If neither interface type nor interface number is specified, all interface information will be displayed.
• If only interface type is specified, then only information of this particular type of interface will be
displayed.
• If both interface type and interface number are specified, then only information of the specified
interface will be displayed.
Related commands: interface.

Examples

# Display the current state of Layer 2 interface GigabitEthernet 1/0/1 and related information.
<Sysname> display interface gigabitethernet1/0/1
GigabitEthernet1/0/1 current state: DOWN
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-e2f9-f3c2
Description: GigabitEthernet1/0/1 Interface
Loopback is not set
Media type is twisted pair, Port hardware type is 1000_BASE_T
Unknown-speed mode, unknown-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
Flow-control is not enabled
The Maximum Frame Length is 10240
Broadcast MAX-ratio: 100%
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
PVID: 1
Mdi type: auto
Port link-type: access
Tagged VLAN ID : none
Untagged VLAN ID : 1
Port priority: 0
Peak value of input: 0 bytes/sec, at 00-00-00 00:00:00
Peak value of output: 0 bytes/sec, at 00-00-00 00:00:00
Last 300 seconds input: 0 packets/sec 0 bytes/sec -%
Last 300 seconds output: 0 packets/sec 0 bytes/sec -%
Input (total): 0 packets, 0 bytes
0 unicasts, 0 broadcasts, 0 multicasts
Input (normal): 0 packets, 0 bytes
0 unicasts, 0 broadcasts, 0 multicasts
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 frame, 0 overruns, 0 aborts
0 ignored, 0 parity errors
Output (total): 0 packets, 0 bytes
0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output (normal): 0 packets, 0 bytes
0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output: 0 output errors, 0 underruns, 0 buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
0 lost carrier, 0 no carrier

Table 1-2 display interface command output description

Field                                               Description
GigabitEthernet1/0/1 current state                  Current physical link state of the Ethernet port
IP Packet Frame Type                                Frame type of the Ethernet port
Description                                         Description of the interface
Unknown-speed mode                                  Unknown-speed mode, in which mode speed is negotiated between the current host and the peer.
unknown-duplex mode                                 Unknown-duplex mode, in which mode speed is negotiated between the current host and the peer.
The Maximum Frame Length                            The maximum frame length allowed on an interface
Broadcast MAX-ratio                                 Broadcast storm suppression ratio (the maximum ratio of allowed number of broadcast packets to overall traffic through an interface)
Unicast MAX-ratio                                   Unicast storm suppression ratio (the maximum ratio of allowed number of unknown unicast packets to overall traffic over an interface)
Multicast MAX-ratio                                 Multicast storm suppression ratio (the maximum ratio of allowed number of multicast packets to overall traffic through an interface)
PVID                                                Default VLAN ID
Mdi type                                            Cable type
Port link-type                                      Interface link type, which can be access, trunk, or hybrid.
Tagged VLAN ID                                      VLANs whose packets are sent through the port with VLAN tag kept
Untagged VLAN ID                                    VLANs whose packets are sent through the port with VLAN tag stripped off
Peak value of input                                 Peak value of inbound traffic, in bytes/sec.
Peak value of output                                Peak value of outbound traffic, in bytes/sec.
Last 300 seconds input: 0 packets/sec 0 bytes/sec   Average rate of input and output traffic in the last 300 seconds, in pps and Bps
Last 300 seconds output: 0 packets/sec 0 bytes/sec
Input (total): 0 packets, 0 bytes                   Packet statistics on the inbound direction of the interface, including the statistics of normal packets, and abnormal packets, in packets and bytes
0 unicasts, 0 broadcasts, 0 multicasts              Number of unicast packets, broadcast packets, and multicast packets on the inbound direction of the interface
Input (normal): 0 packets, 0 bytes                  Normal packet statistics on the inbound direction of the interface, including the statistics of normal packets, in packets and bytes
0 unicasts, 0 broadcasts, 0 multicasts              Number of unicast packets, broadcast packets, and multicast packets on the inbound direction of the interface
input errors                                        Input packets with errors
runts                                               Frames received that were shorter than 64 bytes, yet in correct formats, and contained valid CRCs
giants                                              Frames received that were longer than the maximum frame length supported on the interface:
                                                    • For an Ethernet port that permits jumbo frames, giants refer to frames that are longer than 10236 bytes (without VLAN tags) or 10240 bytes (with VLAN tags).
                                                    • For an Ethernet port that forbids jumbo frames, giants refer to frames that are longer than 1536 bytes (without VLAN tags) or 1540 bytes (with VLAN tags).
throttles                                           The number of times the receiver on the interface was disabled, possibly because of buffer or CPU overload
CRC                                                 Total number of packets received that had a normal length, but contained checksum errors
frame                                               Total number of frames that contained checksum errors and a non-integer number of bytes
overruns                                            Number of times the receive rate of the interface exceeded the capacity of the input queue, causing packets to be discarded
aborts                                              Total number of illegal packets received, including:
                                                    • Fragment frames: Frames that were shorter than 64 bytes (with an integral or non-integral length) and contained checksum errors
                                                    • Jabber frames: Frames that were longer than the maximum frame length supported on the Ethernet port and contained checksum errors (the frame lengths in bytes may or may not be integers). For an Ethernet port that permits jumbo frames, jabber frames refer to frames that are longer than 10236 bytes (without VLAN tags) or 10240 bytes (with VLAN tags) and contain checksum errors; for an Ethernet port that forbids jumbo frames, jabber frames refer to frames that are longer than 1536 bytes (without VLAN tags) or 1540 bytes (with VLAN tags) and contain checksum errors.
                                                    • Fragment frames: Frames that were shorter than 64 bytes (with an integral or non-integral length) and contained checksum errors
                                                    • Jabber frames: Frames that were longer than 1518 or 1522 bytes and contained checksum errors (the frame lengths in bytes may or may not be integers)
                                                    • Symbol error frames: Frames that contained at least one undefined symbol
                                                    • Unknown operation code frames: Frames that were MAC control frames but not pause frames
                                                    • Length error frames: Frames whose 802.3 length fields did not match the actual frame lengths (46 bytes to 1500 bytes)
ignored                                             Number of received packets ignored by the interface because the interface hardware ran low on internal buffers
parity errors                                       Total number of frames with parity errors
Output (total): 0 packets, 0 bytes                  Packet statistics on the outbound direction of the interface, including the statistics of normal packets, abnormal packets, and normal pause frames, in packets and bytes
0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses    Number of unicast packets, broadcast packets, multicast packets, and pause frames on the outbound direction of the interface
Output (normal): 0 packets, 0 bytes                 Normal packet statistics on the outbound direction of the interface, including the statistics of normal packets and pause frames, in packets and bytes
0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses    Number of unicast packets, broadcast packets, multicast packets, and pause frames on the outbound direction of the interface
output errors                                       Output packets with errors
underruns                                           Number of times the transmit rate of the interface exceeded the capacity of the output queue, causing packets to be discarded. This is a very rare hardware-related problem.
buffer failures                                     Number of packets dropped because the interface ran low on output buffers
aborts                                              Number of packets that failed to be transmitted due to causes such as Ethernet collisions
deferred                                            Number of frames whose first transmission attempt was delayed, due to traffic on the network media, and that were successfully transmitted later
collisions                                          Number of times frames were delayed due to Ethernet collisions detected during the transmission
late collisions                                     Number of times frames were delayed due to the detection of collisions after the first 512 bits of the frames were already on the network
lost carrier                                        Number of times the carrier was lost during transmission. This counter applies to serial WAN interfaces.
no carrier                                          Number of times the carrier was not present in the transmission. This counter applies to serial WAN interfaces.
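
Collecting the counters described in Table 1-2 from captured output, as an added example that is not part of the H3C manual: this Python parser reads one interface's display interface output in the layout shown above and reports the non-zero error counters. The sample text is constructed, and the function and key names are illustrative.

```python
import re

# "Input (total):", "Input (normal):", "Input:" and the Output equivalents
# open a counter group; following lines that start with a digit continue it.
SECTION_RE = re.compile(r"^(Input|Output)\s*(?:\((total|normal)\))?:\s*(.*)$")
COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z ]*[A-Za-z])")
STATE_RE = re.compile(r"^(\S+) current state:\s*(.+)$")

# Constructed sample: layout copied from the page's example, values invented.
SAMPLE = """\
GigabitEthernet1/0/1 current state: UP
Description: GigabitEthernet1/0/1 Interface
The Maximum Frame Length is 10240
PVID: 1
Last 300 seconds input: 0 packets/sec 0 bytes/sec -%
Input (total): 4100 packets, 612000 bytes
         4000 unicasts, 60 broadcasts, 40 multicasts
Input (normal): 4093 packets, 611100 bytes
         3995 unicasts, 60 broadcasts, 38 multicasts
Input: 7 input errors, 0 runts, 3 giants, 0 throttles
         4 CRC, 0 frame, 0 overruns, 0 aborts
         0 ignored, 0 parity errors
Output (total): 3900 packets, 580000 bytes
         3900 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output: 2 output errors, 0 underruns, 0 buffer failures
         2 aborts, 0 deferred, 0 collisions, 0 late collisions
         0 lost carrier, 0 no carrier
"""


def parse_display_interface(text):
    """Return {'name', 'state', 'counters'} for one interface's output."""
    parsed = {"name": None, "state": None, "counters": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        state = STATE_RE.match(line)
        if state:
            parsed["name"] = state.group(1)
            parsed["state"] = state.group(2).strip()
            section = None
            continue
        head = SECTION_RE.match(line)
        if head:
            direction, kind, line = head.groups()
            # The unlabelled "Input:" / "Output:" groups hold the error counters.
            section = f"{direction.lower()}.{kind or 'errors'}"
        elif not line[0].isdigit():
            section = None  # any other labelled line ends the counter group
        if section is None:
            continue
        # "aborts" exists for both directions, so keys carry the group name.
        for value, label in COUNTER_RE.findall(line):
            parsed["counters"][f"{section}.{label}"] = int(value)
    return parsed


def nonzero_error_counters(parsed):
    """Sorted (counter, value) pairs from the error groups that are above zero."""
    return sorted(
        (key, value)
        for key, value in parsed["counters"].items()
        if key.split(".")[1] == "errors" and value > 0
    )


if __name__ == "__main__":
    info = parse_display_interface(SAMPLE)
    print(info["name"], info["state"])
    for counter, value in nonzero_error_counters(info):
        print(f"  {counter} = {value}")
```

Because reset counters interface clears these statistics, compare readings only between two captures taken after the same reset.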

display port-group manual

Syntax

display port-group manual [ all | name port-group-name ]

View

Any view

Default Level

2: System level

Parameters

all: Specifies all the manual port groups.
name port-group-name: Specifies the name of a manual port group, a string of 1 to 32 characters.

Description

Use the display port-group manual command to display the information about a manual port group or
all the manual port groups.
• If you provide the port-group-name argument, this command displays the details for a specified
manual port group, including its name and the Ethernet ports included.
• If you provide the all keyword, this command displays the details for all manual port groups,
including their names and the Ethernet ports included.
• Absence of parameters indicates that the names of all the port groups will be displayed.

Examples

# Display the names of all the port groups.


<Sysname> display port-group manual
The following manual port group exist(s):
group1 group2

# Display details of all the manual port groups.


<Sysname> display port-group manual all
Member of group1:
GigabitEthernet1/0/3 GigabitEthernet1/0/4 GigabitEthernet1/0/5
Member of group2:
None

# Display details of the port group named group1.


<Sysname> display port-group manual name group1
Member of group1:
GigabitEthernet1/0/6 GigabitEthernet1/0/7 GigabitEthernet1/0/8

Table 1-3 display port-group manual command output description

Field             Description
Member of group   Member of the manual port group

display storm-constrain

Syntax

display storm-constrain [ broadcast | multicast | unicast ] [ interface interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

broadcast: Displays the information about storm constrain for broadcast packets.
multicast: Displays the information about storm constrain for multicast packets.
unicast: Displays the information about storm constrain for unicast packets.
interface interface-type interface-number: Specifies an interface by its type and number.

Description

Use the display storm-constrain command to display the information about storm constrain.
If you provide no argument or keyword, this command displays the information about storm constrain
for all types of packets on all the interfaces.

Examples

# Display the information about storm constrain for all types of packets on all the interfaces.
<Sysname> display storm-constrain

Abbreviation: BC - broadcast; MC - multicast; UC – unicast

Flow Statistic Interval: 5(second)


PortName Type LowerLimit UpperLimit CtrMode Status Trap Log SwiNum Unit
------------------------------------------------------------------------------
GE1/0/4 UC 456 465891 N/A normal on on 0 pps

Table 1-4 display storm-constrain command output description

Field                     Description
Flow Statistic Interval   Interval for generating storm constrain statistics
PortName                  Abbreviated port name
StormType                 Type of the packets for which storm constrain function is enabled, which can be broadcast (for broadcast packets), multicast (for multicast packets), and unicast (for unicast packets).
LowerLimit                Lower threshold (in pps, kbps or percentage)
UpperLimit                Upper threshold (in pps, kbps or percentage)
CtrMode                   Action to be taken when the upper threshold is reached, which can be block, shutdown, and N/A.
Status                    Interface state, which can be normal (indicating the interface operates properly), control (indicating the interface is blocked or shut down).
Trap                      State of trap messages sending. “on” indicates trap message sending is enabled; “off” indicates trap message sending is disabled.
Log                       State of log sending. “on” indicates log sending is enabled; “off” indicates log sending is disabled.
Swinum                    Number of the forwarding state switching. This field is numbered modulo 65,535.

duplex

Syntax

duplex { auto | full | half }
undo duplex

View

Ethernet port view

Default Level

2: System level

Parameters

auto: Indicates that the interface is in auto-negotiation state.
full: Indicates that the interface is in full-duplex state.
half: Indicates that the interface is in half-duplex state. The optical interface of an SFP port does not
support the half keyword.

Description

Use the duplex command to configure the duplex mode for an Ethernet port.
Use the undo duplex command to restore the duplex mode for an Ethernet port to the default.
By default, the duplex mode for an Ethernet port is auto.
Related commands: speed.

Examples

# Configure the interface GigabitEthernet 1/0/1 to work in full-duplex mode.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] duplex full

flow-control

Syntax

flow-control
undo flow-control

View

Ethernet port view

Default Level

2: System level

Parameters

None

Description

Use the flow-control command to enable flow control on an Ethernet port.
Use the undo flow-control command to disable flow control on an Ethernet port.
By default, flow control on an Ethernet port is disabled.

The flow control function takes effect on the local Ethernet port only when it is enabled on both the local
and peer devices.

Examples

# Enable flow control on interface GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] flow-control

flow-interval

Syntax

flow-interval interval
undo flow-interval

View

Ethernet port view

Default Level

2: System level

Parameters

interval: Interval at which the interface collects statistics. It ranges from 5 to 300 seconds and must be a
multiple of 5. The default value is 300 seconds.

Description

Use the flow-interval command to configure the time interval for collecting interface statistics.
Use the undo flow-interval command to restore the default interval.

Examples

# Set the time interval for collecting interface statistics to 100 seconds.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] flow-interval 100

group-member

Syntax

group-member interface-list
undo group-member interface-list

View

Port group view

Default Level

2: System level

Parameters

interface-list: Ethernet port list, in the form of interface-type interface-number [ to interface-type
interface-number ] &<1-10>, where &<1-10> indicates that you can specify up to 10 ports or port ranges.

Description

Use the group-member command to assign an Ethernet port or a list of Ethernet ports to the port
group.
Use the undo group-member command to remove an Ethernet port or a list of Ethernet ports from the
port group.
By default, there is no Ethernet port in a port group.

Examples

# Add interface GigabitEthernet 1/0/1 to the port group named group1.

<Sysname> system-view
[Sysname] port-group manual group1
[Sysname-port-group-manual-group1] group-member gigabitethernet 1/0/1

interface

Syntax

interface interface-type interface-number

View

System view

Default Level

2: System level

Parameters

interface-type: Interface type.
interface-number: Interface number.

Description

Use the interface command to enter interface view.

Examples

# Enter GigabitEthernet 1/0/1 interface view.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1]

jumboframe enable

Syntax

jumboframe enable
undo jumboframe enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the jumboframe enable command to allow jumbo frames with 10240 bytes to pass through an
Ethernet port.
Use the undo jumboframe enable command to prevent jumbo frames from passing through an
Ethernet port.
By default, the device allows frames no larger than 10240 bytes to pass through an Ethernet port.

Examples

# Enable jumbo frames to pass through all the Ethernet ports.


<Sysname> system-view
[Sysname] jumboframe enable

loopback

Syntax

loopback { external | internal }

View

Ethernet port view

Default Level

2: System level

Parameters

external: Enables external loopback testing on an Ethernet port.
internal: Enables internal loopback testing on an Ethernet port.

Description

Use the loopback command to perform loopback testing.

• Ethernet port loopback testing should be enabled while testing certain functionalities, such as
during the initial identification of any network failure.
• While enabled, Ethernet port loopback testing will work in full-duplex mode. The interface will return
to its original state upon completion of the loopback testing.
• Loopback testing is a one-time operation, and is not recorded in the configuration file.

Examples

# Enable loopback testing on GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] loopback internal
Loop internal succeeded!

loopback-detection control enable

Syntax

loopback-detection control enable
undo loopback-detection control enable

View

Ethernet port view

Default Level

2: System level

Parameters

None

Description

Use the loopback-detection control enable command to enable loopback detection for a trunk port or
hybrid port.
Use the undo loopback-detection control enable command to restore the default.
By default, loopback detection for a trunk port or hybrid port is disabled.
• With loopback detection enabled, when the device detects a loop on a port, the device puts the port
in control mode. In this mode, inbound packets on the port are all discarded, while outbound
packets on the port are forwarded normally. Meanwhile, the device sends trap messages to the
terminal, and deletes the corresponding MAC address forwarding entry.
• With loopback detection disabled, when the device detects a loop on a port, it only sends a trap
message to the terminal. In the meantime, the port still works normally.
Note that this command is not applicable to an access port as loopback detection is enabled on it by
default.

Examples

# Enable loopback detection control on trunk port GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] loopback-detection enable
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type trunk
[Sysname-GigabitEthernet1/0/1] loopback-detection enable
[Sysname-GigabitEthernet1/0/1] loopback-detection control enable

loopback-detection enable

Syntax

loopback-detection enable
undo loopback-detection enable

View

System view, Ethernet port view

Default Level

2: System level

Parameters

None

Description

Use the loopback-detection enable command to enable loopback detection globally or on a specified
port.
Use the undo loopback-detection enable command to disable loopback detection globally or on a
specified port.
By default, loopback detection is disabled for an access, trunk, or hybrid port.
• When a loop is detected on an access port, the device puts the port in control mode. In this mode,
inbound packets on the port are all discarded, while outbound packets on the port are forwarded
normally. Meanwhile, the device sends trap messages to the terminal, and deletes the
corresponding MAC address forwarding entry.
• When a loop is detected on a trunk port or a hybrid port, the device sends a trap message to the
terminal. If loopback detection control is enabled on the port, the device places the port in control
mode and discards all inbound packets on the port while normally forwarding outbound packets on
it. Meanwhile, the device sends trap messages to the terminal, and deletes the corresponding MAC
address forwarding entry.

• Loopback detection on a given port is enabled only after the loopback-detection enable
command has been configured in both system view and interface view of the port.
• Loopback detection on all ports will be disabled after you configure the undo loopback-detection
enable command in system view.

Examples

# Enable loopback detection on GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] loopback-detection enable
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] loopback-detection enable
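
The enablement rules in the loopback-detection control enable and loopback-detection enable entries above, as an added example that is not H3C code: this Python function replays a CLI transcript in the page's prompt format and reports, per port, whether a detected loop would put the port in control mode, only raise a trap, or go undetected. It assumes a port is an access port until port link-type says otherwise and that the global undo leaves per-port lines as typed; the function names and the second transcript are constructed for illustration.

```python
import re

# Prompts as shown on the page: "[Sysname]" is system view and
# "[Sysname-GigabitEthernet1/0/1]" is the view of that port. "<Sysname>"
# (user view) and command output never match and are skipped.
PROMPT_RE = re.compile(r"^\s*\[(?P<view>[^\]]+)\]\s*(?P<cmd>\S.*)$")

# Copied from the page's loopback-detection control enable example.
PAGE_EXAMPLE = """\
<Sysname> system-view
[Sysname] loopback-detection enable
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type trunk
[Sysname-GigabitEthernet1/0/1] loopback-detection enable
[Sysname-GigabitEthernet1/0/1] loopback-detection control enable
"""

# Constructed transcript covering the other outcomes.
CONSTRUCTED = """\
<Sysname> system-view
[Sysname] loopback-detection enable
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] port link-type trunk
[Sysname-GigabitEthernet1/0/2] loopback-detection enable
[Sysname-GigabitEthernet1/0/2] quit
[Sysname] interface gigabitethernet 1/0/3
[Sysname-GigabitEthernet1/0/3] loopback-detection enable
[Sysname-GigabitEthernet1/0/3] quit
[Sysname] interface gigabitethernet 1/0/4
[Sysname-GigabitEthernet1/0/4] port link-type hybrid
[Sysname-GigabitEthernet1/0/4] loopback-detection control enable
"""


def _new_port():
    # Assumption: a port is an access port until "port link-type" changes it.
    return {"enabled": False, "control": False, "link_type": "access"}


def _reaction(global_on, port):
    """Map the settings to what the page says happens when a loop is detected."""
    missing = [view for view, ok in (("system view", global_on),
                                     ("port view", port["enabled"])) if not ok]
    if missing:
        return ("off", "loopback-detection enable missing in " + " and ".join(missing))
    if port["link_type"] == "access":
        return ("control", "access port")
    if port["control"]:
        return ("control", "loopback-detection control enable is set")
    return ("trap-only",
            port["link_type"] + " port without loopback-detection control enable")


def audit_loopback_detection(transcript, sysname="Sysname"):
    """Return {port name: (reaction, reason)} for every Ethernet port view seen."""
    global_on = False
    ports = {}
    prefix = sysname + "-"
    for raw in transcript.splitlines():
        match = PROMPT_RE.match(raw)
        if not match:
            continue
        view = match.group("view")
        words = match.group("cmd").lower().split()
        undo = words[0] == "undo"
        cmd = " ".join(words[1:] if undo else words)
        if view == sysname:
            if cmd == "loopback-detection enable":
                global_on = not undo
            continue
        name = view[len(prefix):] if view.startswith(prefix) else ""
        if "ethernet" not in name.lower():
            continue  # port-group and other views are outside these rules
        port = ports.setdefault(name, _new_port())
        if cmd == "loopback-detection enable":
            port["enabled"] = not undo
        elif cmd == "loopback-detection control enable":
            port["control"] = not undo
        elif cmd.startswith("port link-type"):
            parts = cmd.split()
            if undo:
                port["link_type"] = "access"
            elif len(parts) == 3:
                port["link_type"] = parts[2]
    return {name: _reaction(global_on, port) for name, port in ports.items()}


if __name__ == "__main__":
    for text in (PAGE_EXAMPLE, CONSTRUCTED):
        for name, (reaction, reason) in audit_loopback_detection(text).items():
            print(f"{name}: {reaction} ({reason})")
```

A trunk or hybrid port reported as trap-only keeps forwarding during a loop, so that result is the one to review first.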

loopback-detection interval-time

Syntax

loopback-detection interval-time time
undo loopback-detection interval-time

View

System view

Default Level

2: System level

Parameters

time: Time interval for performing port loopback detection, in the range 5 to 300 (in seconds).

Description

Use the loopback-detection interval-time command to configure the time interval for performing port
loopback detection.
Use the undo loopback-detection interval-time command to restore the default time interval for port
loopback detection, which is 30 seconds.
Related commands: display loopback-detection.

Examples

# Set the time interval for performing port loopback detection to 10 seconds.
<Sysname> system-view
[Sysname] loopback-detection interval-time 10

loopback-detection per-vlan enable

Syntax

loopback-detection per-vlan enable
undo loopback-detection per-vlan enable

View

Ethernet port view

Default Level

2: System level

Parameters

None

Description

Use the loopback-detection per-vlan enable command to enable loopback detection in all VLANs
with trunk ports or hybrid ports.
Use the undo loopback-detection per-vlan enable command to enable loopback detection in the
default VLAN with trunk ports or hybrid ports.
By default, loopback detection is only enabled in the default VLAN(s) with trunk ports or hybrid ports.
Note that the loopback-detection per-vlan enable command is not applicable to access ports.

Examples

# Enable loopback detection in all the VLANs to which the hybrid port GigabitEthernet 1/0/1 belongs.
<Sysname> system-view
[Sysname] loopback-detection enable
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] loopback-detection enable
[Sysname-GigabitEthernet1/0/1] port link-type trunk
[Sysname-GigabitEthernet1/0/1] loopback-detection per-vlan enable

mdi

Syntax

mdi { across | auto | normal }
undo mdi

View

Ethernet port view

Default Level

2: System level

Parameters

across: Specifies the MDI mode as across.
auto: Specifies the MDI mode as auto.
normal: Specifies the MDI mode as normal.

Description

Use the mdi command to configure the MDI mode for an Ethernet port.
Use the undo mdi command to restore the system default.
By default, the MDI mode of an Ethernet port is auto, that is, the Ethernet port determines the physical
pin roles (transmit or receive) through negotiation.

The optical interfaces of SFP ports do not support this function.

Examples

# Set the MDI mode of GigabitEthernet 1/0/1 to across.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mdi across

multicast-suppression

Syntax

multicast-suppression { ratio | pps max-pps | kbps max-bps }
undo multicast-suppression

View

Ethernet port view, port group view

Default Level

2: System level

Parameters

ratio: Maximum percentage of multicast traffic to the total transmission capability of an Ethernet port, in
the range 1 to 100. The smaller the ratio is, the less multicast traffic is allowed to pass through the
interface.
pps max-pps: Specifies the maximum number of multicast packets allowed on an Ethernet port per
second. The max-pps argument ranges from 1 to 1488100 (in pps, representing packets per second).
kbps max-bps: Specifies the maximum number of multicast kilobits that can be forwarded on an
Ethernet port per second. The max-bps argument ranges from 1 to 1024000 (in kbps, representing
kilobits per second).

Description

Use the multicast-suppression command to configure the multicast storm suppression ratio on an
interface.
Use the undo multicast-suppression command to restore the default multicast suppression ratio.
By default, multicast traffic is not suppressed.
If you execute this command in Ethernet port view, the configurations take effect only on the current
interface. If you execute this command in port-group view, the configurations take effect on all ports in
the port group.
Note that when multicast traffic exceeds the maximum value configured, the system will discard the
extra packets so that the multicast traffic ratio can drop below the limit to ensure that the network
functions properly.

• If you set different suppression ratios in Ethernet port view or port-group view multiple times, the
latest configuration takes effect.
• Do not use the multicast-suppression command along with the storm-constrain command.
Otherwise, the configured multicast storm suppression ratio may become invalid.

Examples

# For Ethernet port GigabitEthernet 1/0/1, allow multicast traffic equivalent to 20% of the total
transmission capability of GigabitEthernet 1/0/1 to pass.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] multicast-suppression 20

# For all the ports of the manual port group group1, allow multicast traffic equivalent to 20% of the total
transmission capability of each port to pass.
<Sysname> system-view
[Sysname] port-group manual group1
[Sysname-port-group-manual-group1] group-member gigabitethernet 1/0/1
[Sysname-port-group-manual-group1] group-member gigabitethernet 1/0/2
[Sysname-port-group-manual-group1] multicast-suppression 20

port auto-power-down

Syntax

port auto-power-down
undo port auto-power-down

View

Ethernet port view, port group view

Default Level

2: System level

Parameters

None

Description

Use the port auto-power-down command to enable auto power down on an Ethernet port.
Use the undo port auto-power-down command to restore the default.
By default, auto power down is not enabled on an Ethernet port.

Examples

# Enable auto power down on GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port auto-power-down

# Enable auto power down on all member ports of manual port group group1.
<Sysname> system-view
[Sysname] port-group manual group1
[Sysname-port-group-manual-group1] group-member gigabitethernet 1/0/1
[Sysname-port-group-manual-group1] group-member gigabitethernet 1/0/2
[Sysname-port-group-manual-group1] port auto-power-down

port-group manual

Syntax

port-group manual port-group-name
undo port-group manual port-group-name

View

System view

Default Level

2: System level

Parameters

port-group-name: Specifies name of a port group, a string of 1 to 32 characters.

Description

Use the port-group manual command to create a port group and enter port group view.
Use the undo port-group manual command to remove a port group.
By default, no manual port group is created.

Examples

# Create a port group named group1.


<Sysname> system-view
[Sysname] port-group manual group1
[Sysname-port-group-manual-group1]

port bridge enable

Syntax

port bridge enable
undo port bridge enable

View

Ethernet port view

Default Level

2: System level

Parameters

None

Description

Use the port bridge enable command to enable bridging on an Ethernet port. When bridging is
enabled on an Ethernet port, the device forwards packets received on the interface through the
receiving interface itself when both of the following conditions are met:
• The destination MAC addresses of the received packets are already in the MAC address table of
the device.
• The egress interfaces in the corresponding MAC address table entries are the receiving interface.
Use the undo port bridge enable command to disable bridging on an Ethernet port.
By default, bridging is not enabled on an Ethernet port.

Examples

# Enable bridging on layer 2 Ethernet port GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port bridge enable

reset counters interface

Syntax

reset counters interface [ interface-type [ interface-number ] ]

View

User view

Default Level

2: System level

Parameters

interface-type: Interface type.


interface-number: Interface number.

Description

Use the reset counters interface command to clear the statistics of an interface.
Before sampling network traffic within a specific period of time on an interface, you need to clear the
existing statistics.
• If neither interface type nor interface number is specified, this command clears the statistics of all
the interfaces.
• If only the interface type is specified, this command clears the statistics of the interfaces that are of
the interface type specified.
• If both the interface type and interface number are specified, this command clears the statistics of
the specified interface.

Examples

# Clear the statistics of GigabitEthernet 1/0/1.


<Sysname> reset counters interface gigabitethernet 1/0/1

shutdown

Syntax

shutdown
undo shutdown

View

Ethernet port view

Default Level

2: System level

Parameters

None

Description

Use the shutdown command to shut down an Ethernet port.


Use the undo shutdown command to bring up an Ethernet port.
By default, an Ethernet port is in the up state.
In certain circumstances, a modification to the interface parameters does not take effect immediately,
and you need to shut down the relevant interface to make the modification work.

Examples

# Shut down interface GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] shutdown

# Bring up interface GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo shutdown

speed

Syntax

speed { 10 | 100 | 1000 | auto }


undo speed

View

Ethernet port view

Default Level

2: System level

Parameters

10: Specifies the interface rate as 10 Mbps. The optical interface of an SFP port does not support the 10
keyword.
100: Specifies the interface rate as 100 Mbps. The optical interface of an SFP port does not support the
100 keyword.
1000: Specifies the interface rate as 1,000 Mbps.
auto: Specifies that the interface rate is determined through auto-negotiation.

Description

Use the speed command to configure the data rate of an Ethernet port.
Use the undo speed command to restore the data rate of an Ethernet port.
Note that:
• On the electrical interface of an Ethernet port, the purpose of using the speed command to set the
data transmission rate is to make it consistent with that of the peer.
• On an SFP port, the purpose of using the speed command to set the data transmission rate is to
make it consistent with that of the pluggable optical module.

Related commands: duplex, speed auto.

Examples

# Configure the interface rate as 100 Mbps for interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] speed 100

speed auto

Syntax

speed auto [ 10 | 100 | 1000 ] *


undo speed

View

Ethernet port view

Default Level

2: System level

Parameters

10: Specifies the interface auto-negotiation rate as 10 Mbps.


100: Specifies the interface auto-negotiation rate as 100 Mbps.
1000: Specifies the interface auto-negotiation rate as 1000 Mbps.

Description

Use the speed auto command to configure the auto-negotiation rate range of the current Ethernet port.
Use the undo speed command to restore the default.
The default value of the command varies with the device model.
If you repeatedly use the speed command and the speed auto command to configure the rate of an
interface, only the latest configuration takes effect. For example, if you configure speed 100 after
configuring speed auto 100 1000 on an interface, the rate is forced to 100 Mbps, with no negotiation
performed between the interface and the peer end; if you configure speed auto 100 1000 after
configuring speed 100 on the interface, the rate through negotiation can be either 100 Mbps or 1000
Mbps only.
Note that:

• If the auto-negotiation rate range specified on the local port and that on the peer do not overlap,
for example, 10 Mbps and 100 Mbps are specified on one end while 1000 Mbps is specified on the
other, the auto-negotiation of the interface rate will fail.
• If the auto-negotiation rate range specified on the local port and that on the peer overlap, for
example, 10 Mbps and 100 Mbps are specified on one end while 100 Mbps and 1000 Mbps are
specified on the other, the result of the interface rate auto-negotiation is the overlapped part, that
is, 100 Mbps in the example.
• If the auto-negotiation rate range specified on the local port and that on the peer are the same, for
example, 100 Mbps and 1000 Mbps are specified on both ends, the result of the interface rate
auto-negotiation is the larger value, that is, 1000 Mbps in the example.

• This function is available for auto-negotiation-capable Gigabit Layer-2 Ethernet electrical ports
only.
• If you repeatedly use the speed and the speed auto commands to configure the transmission rate
on a port, only the latest configuration takes effect.

Examples

# Set the auto-negotiation rate of interface GigabitEthernet 1/0/1 to 10 Mbps or 1000 Mbps.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] speed auto 10 1000

storm-constrain

Syntax

storm-constrain { broadcast | multicast | unicast } pps max-values min-values


undo storm-constrain { all | broadcast | multicast | unicast }

View

Ethernet port view

Default Level

2: System level

Parameters

all: Disables the storm constrain function for all types of packets (that is, unicast packets, multicast
packets, and broadcast packets).
broadcast: Enables/Disables the storm constrain function for broadcast packets.
multicast: Enables/Disables the storm constrain function for multicast packets.
unicast: Enables/Disables the storm constrain function for unicast packets.
pps: Specifies the storm constrain threshold in packets per second (pps).
max-values: Upper threshold to be set, in pps.
min-values: Lower threshold to be set, in pps. This value ranges from 1 to max-values.

Description

Use the storm-constrain command to enable the storm constrain function for a specific type of packets
and set the upper and lower thresholds.
Use the undo storm-constrain command to disable the storm constrain function for a specific type of
packets.
By default, the storm constrain function is not enabled.

• Do not use the storm-constrain command along with the unicast-suppression command, the
multicast-suppression command, or the broadcast-suppression command. Otherwise, traffic
may be suppressed in an unpredictable way.
• An upper threshold cannot be less than the corresponding lower threshold. Besides, do not
configure the two thresholds as the same value.

Examples

# Enable the storm constrain function for unicast packets on GigabitEthernet 1/0/1, setting the upper
and lower thresholds to 200 pps and 150 pps respectively.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] storm-constrain unicast pps 200 150

storm-constrain control

Syntax

storm-constrain control { block | shutdown }


undo storm-constrain control

View

Ethernet port view

Default Level

2: System level

Parameters

block: Blocks the traffic of a specific type on a port when the traffic detected exceeds the upper
threshold.
shutdown: Shuts down a port when a type of traffic exceeds the corresponding upper threshold. A port
shut down by the storm constrain function stops forwarding all types of packets.

Description

Use the storm-constrain control command to set the action to be taken when a type of traffic exceeds
the corresponding upper threshold.
Use the undo storm-constrain control command to restore the default.
By default, no action is taken when a type of traffic exceeds the corresponding threshold.

Examples

# Configure interface GigabitEthernet 1/0/1 to block a type of traffic when that traffic exceeds the
corresponding upper threshold.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] storm-constrain control block

storm-constrain enable log

Syntax

storm-constrain enable log


undo storm-constrain enable log

View

Ethernet port view

Default Level

2: System level

Parameters

None

Description

Use the storm-constrain enable log command to enable log sending. With log sending enabled, the
system sends logs when traffic reaching a port exceeds the corresponding threshold or when the traffic
drops down below the lower threshold after exceeding the upper threshold.
Use the undo storm-constrain enable log command to disable log sending.
By default, log sending is enabled.

Examples

# Disable log sending for GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo storm-constrain enable log

storm-constrain enable trap

Syntax

storm-constrain enable trap


undo storm-constrain enable trap

View

Ethernet port view

Default Level

2: System level

Parameters

None

Description

Use the storm-constrain enable trap command to enable trap message sending. With trap message
sending enabled, the system sends trap messages when traffic reaching a port exceeds the
corresponding threshold or the traffic drops down below the lower threshold after exceeding the upper
threshold.
Use the undo storm-constrain enable trap command to disable trap message sending.
By default, trap message sending is enabled.

Examples

# Disable trap message sending for GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo storm-constrain enable trap

storm-constrain interval

Syntax

storm-constrain interval seconds


undo storm-constrain interval

View

System view

Default Level

2: System level

Parameters

seconds: Interval for generating traffic statistics, in the range 1 to 300 (in seconds).

Description

Use the storm-constrain interval command to set the interval for generating traffic statistics.
Use the undo storm-constrain interval command to restore the default.
By default, the interval for generating traffic statistics is 10 seconds.

• The interval set by the storm-constrain interval command is specifically for the storm constrain
function. It is different from that set by the flow-interval command.
• For network stability, configure the interval for generating traffic statistics to a value
that is not shorter than the default.

Examples

# Set the interval for generating traffic statistics to 60 seconds.


<Sysname> system-view
[Sysname] storm-constrain interval 60
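
The storm-constrain rules in this section (threshold ordering, no mixing with the suppression commands, no action by default, the statistics interval) can be checked offline against a saved configuration. The following Python audit is an added example, not H3C code: the sample configuration is constructed, its layout (stanzas separated by "#") and the finding codes are assumptions of this example.

```python
import re

# Constructed sample, laid out like "display current-configuration" output
# (stanzas separated by "#"); that layout is an assumption of this example.
SAMPLE_CONFIG = """\
#
 storm-constrain interval 5
#
interface GigabitEthernet1/0/1
 storm-constrain unicast pps 200 150
 storm-constrain control block
#
interface GigabitEthernet1/0/2
 storm-constrain broadcast pps 100 100
 broadcast-suppression 20
 undo storm-constrain enable log
 undo storm-constrain enable trap
#
interface GigabitEthernet1/0/3
 storm-constrain multicast pps 5000 1000
 storm-constrain control shutdown
#
"""

DEFAULT_INTERVAL = 10  # seconds; the default stated for storm-constrain interval
CONSTRAIN_RE = re.compile(
    r"^storm-constrain (broadcast|multicast|unicast) pps (\d+) (\d+)$")
SUPPRESS_RE = re.compile(r"^(broadcast|multicast|unicast)-suppression\b")
INTERVAL_RE = re.compile(r"^storm-constrain interval (\d+)$")

MESSAGES = {  # hypothetical finding codes, defined only for this example
    "SHORT_INTERVAL": "statistics interval is shorter than the default",
    "INVERTED_THRESHOLDS": "lower threshold is above the upper threshold",
    "EQUAL_THRESHOLDS": "upper and lower thresholds are the same value",
    "MIXED_WITH_SUPPRESSION": "storm-constrain used along with a suppression command",
    "NO_ACTION": "no storm-constrain control action, so none is taken by default",
    "NO_NOTIFICATION": "log and trap sending are both disabled",
}


def parse(config):
    """Return (interval, {interface name: [command, ...]})."""
    interval, ports, current = DEFAULT_INTERVAL, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            current = None  # a "#" line closes the current stanza
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif line and current is not None:
            ports[current].append(line)
        elif line:
            match = INTERVAL_RE.match(line)
            if match:
                interval = int(match.group(1))
    return interval, ports


def audit(config):
    """Return a list of (scope, code) findings for the rules in this section."""
    interval, ports = parse(config)
    findings = []
    if interval < DEFAULT_INTERVAL:
        findings.append(("system", "SHORT_INTERVAL"))
    for port, commands in ports.items():
        constrained = False
        for command in commands:
            match = CONSTRAIN_RE.match(command)
            if not match:
                continue
            constrained = True
            upper, lower = int(match.group(2)), int(match.group(3))
            if lower > upper:
                findings.append((port, "INVERTED_THRESHOLDS"))
            elif lower == upper:
                findings.append((port, "EQUAL_THRESHOLDS"))
        if not constrained:
            continue
        if any(SUPPRESS_RE.match(c) for c in commands):
            findings.append((port, "MIXED_WITH_SUPPRESSION"))
        if not any(c.startswith("storm-constrain control ") for c in commands):
            findings.append((port, "NO_ACTION"))
        if ("undo storm-constrain enable log" in commands
                and "undo storm-constrain enable trap" in commands):
            findings.append((port, "NO_NOTIFICATION"))
    return findings


if __name__ == "__main__":
    for scope, code in audit(SAMPLE_CONFIG):
        print("%-22s %-24s %s" % (scope, code, MESSAGES[code]))
```
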

unicast-suppression

Syntax

unicast-suppression { ratio | pps max-pps | kbps max-bps }


undo unicast-suppression

View

Ethernet port view, port group view

Default Level

2: System level

Parameters

ratio: Maximum percentage of unicast traffic to the total transmission capability of an Ethernet port, in
the range of 1 to 100. The smaller the ratio is, the less unicast traffic is allowed through the interface.
pps max-pps: Specifies the maximum number of unknown unicast packets passing through an Ethernet
port per second. The max-pps argument ranges from 1 to 1488100 (in pps, representing packets per
second).
kbps max-bps: Specifies the maximum number of unknown unicast kilobits passing through an
Ethernet port per second. The max-bps argument ranges from 1 to 1024000 (in kbps, representing
kilobits per second).

Description

Use the unicast-suppression command to configure a unicast storm suppression ratio.


Use the undo unicast-suppression command to restore the default unicast suppression ratio.
By default, unicast traffic is not suppressed.
If you execute this command in Ethernet port view, the configurations take effect only on the current
interface. If you execute this command in port-group view, the configurations take effect on all ports in
the port group.
Note that when unicast traffic exceeds the maximum value configured, the system will discard the extra
packets so that the unknown unicast traffic ratio can drop below the limit to ensure that the network
functions properly.

• If you set different suppression ratios in Ethernet port view or port-group view repeatedly, the latest
configuration takes effect.
• Do not use the unicast-suppression command along with the storm-constrain command.
Otherwise, the unicast storm suppression ratio configured may become invalid.

Examples

# For Ethernet port GigabitEthernet 1/0/1, allow unknown unicast traffic equivalent to 20% of the total
transmission capability of the interface to pass and suppress the excessive unknown unicast packets.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] unicast-suppression 20

# For all the ports of the manual port group group1, allow unknown unicast traffic equivalent to 20% of
the total transmission capability of each port to pass and suppress excessive unknown unicast packets.
<Sysname> system-view
[Sysname] port-group manual group1
[Sysname-port-group-manual-group1] group-member gigabitethernet 1/0/1
[Sysname-port-group-manual-group1] group-member gigabitethernet 1/0/2
[Sysname-port-group-manual-group1] unicast-suppression 20

virtual-cable-test

Syntax

virtual-cable-test

View

Ethernet port view

Default Level

2: System level

Parameters

None

Description

Use the virtual-cable-test command to test the cable connected to the Ethernet port once and to
display the testing result. The tested items include:
Note that:
• When the cable is functioning properly, the cable length in the test result represents the total cable
length.
• When the cable is not functioning properly, the cable length in the test result represents the length
from the current interface to the failed position.

• The optical interface of an SFP port does not support this command.
• A link in the up state goes down and then up automatically if you execute this command on one of
the Ethernet ports forming the link.
• The test result is for your information only. The maximum error in the tested cable length is 5 m. A
hyphen “-” indicates that the corresponding test item is not supported.

Examples

# Enable the virtual cable test for the interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] virtual-cable-test
Cable status: normal, 1 metres
Pair Impedance mismatch: -
Pair skew: - ns
Pair swap: -
Pair polarity: -
Insertion loss: - db
Return loss: - db
Near-end crosstalk: - db

Table of Contents

1 Loopback Interface and Null Interface Configuration Commands
    Loopback Interface and Null Interface Configuration Commands
        description
        display interface loopback
        display interface null
        interface loopback
        interface null
        reset counters interface
        shutdown

1 Loopback Interface and Null Interface Configuration Commands

Loopback Interface and Null Interface Configuration Commands


description

Syntax

description text
undo description

View

Loopback interface view, Null 0 interface view

Default Level

2: System level

Parameters

text: Description of the interface, a string of 1 to 80 characters. Currently, the device supports the
following types of characters or symbols: standard English characters (numbers and case-sensitive
letters), special English characters, spaces, and other characters or symbols that conform to the
Unicode standard.

• A port description can be a mixture of English characters and other Unicode characters. The
mixed description cannot exceed the specified length.
• To use a type of Unicode characters or symbols in a port description, you need to install the
corresponding Input Method Editor (IME) and log in to the device through remote login software
that supports this character type.
• Each Unicode character or symbol (non-English characters) takes the space of two regular
characters. When the length of a description string reaches or exceeds the maximum line width on
the terminal software, the software starts a new line, possibly breaking a Unicode character into
two parts. As a result, garbled characters may be displayed at the end of a line.

Description

Use the description command to set a description for the current interface.
Use the undo description command to restore the default.

By default, the description of an interface is the interface name followed by the word interface,
Loopback1 interface for example.
Related commands: display interface.

Examples

# Configure the description of loopback interface Loopback 1 as loopback1.


<Sysname> system-view
[Sysname] interface loopback 1
[Sysname-LoopBack1] description loopback1

display interface loopback

Syntax

display interface loopback [ interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-number: Loopback interface number, which can be the number of any existing Loopback
interface.

Description

Use the display interface loopback command to display the information about a Loopback interface. If
you do not specify the interface-number argument, this command will display the information about all
the existing Loopback interfaces.
Related commands: interface loopback.

Examples

# Display the information about Loopback 2 interface.


<Sysname> display interface loopback 2
LoopBack2 current state: UP
Line protocol current state: UP (spoofing)
Description: LoopBack2 Interface
The Maximum Transmit Unit is 1536
Internet protocol processing : disabled
Physical is Loopback
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 drops

Table 1-1 display interface loopback command output description

| Field | Description |
|---|---|
| current state | Physical state of the interface (up or administratively down) |
| Line protocol current state | State of the data link layer protocol: up |
| Description | Description string of the interface |
| The Maximum Transmit Unit | Maximum transmit unit (MTU) of the interface |
| Internet protocol processing | State of the network layer protocol (enabled or disabled) |
| Physical is Loopback | Physical type of the interface is Loopback |
| Last clearing of counters | Time when statistics on the logical interface were last cleared by using the reset counters interface command. If the statistics of the interface have never been cleared by using the reset counters interface command since the device starts, Never is displayed for this field. |
| Last 300 seconds input: 0 bytes/sec 0 bits/sec 0 packets/sec | Average input rate over the last 300 seconds, where packets/sec indicates the average number of packets received per second, bytes/sec indicates the average number of bytes received per second, and bits/sec indicates the average number of bits received per second. |
| Last 300 seconds output: 0 bytes/sec 0 bits/sec 0 packets/sec | Average output rate over the last 300 seconds, where packets/sec indicates the average number of packets sent per second, bytes/sec indicates the average number of bytes sent per second, and bits/sec indicates the average number of bits sent per second. |
| 0 packets input, 0 bytes, 0 drops | Total number and size (in bytes) of the input packets of the interface and the number of the dropped packets |
| 0 packets output, 0 bytes, 0 drops | Total number and size (in bytes) of the output packets of the interface and the number of the dropped packets |

Because the S5120-SI switch series does not count the average input/output rate or input/output packets
of a loopback interface, these fields are displayed as “0” in the display interface loopback command
output.

display interface null

Syntax

display interface null [ 0 ]

View

Any view

Default Level

1: Monitor level

Parameters

0: Specifies the Null interface. This null interface number is fixed to 0.

Description

Use the display interface null command to display the information about the null interface. As Null 0
interface is the only null interface on a device, this command displays the information about Null 0
interface even if you do not specify the 0 keyword.
Related commands: interface null.

Examples

# Display information about null interface Null 0.


<Sysname> display interface null 0
NULL0 current state :UP
Line protocol current state :UP (spoofing)
Description : NULL0 Interface
The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
Physical is NULL DEV
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 drops
0 packets output, 0 bytes, 0 drops

Refer to Table 1-1 for the description of the fields in the display interface null command output.

Because the S5120-SI switch series does not count the average input/output rate or input/output packets
of interface Null 0, these fields are displayed as “0” in the display interface null command output.

interface loopback

Syntax

interface loopback interface-number


undo interface loopback interface-number

View

System view

Default Level

2: System level

Parameters

interface-number: Loopback interface number, ranging from 0 to 7.

Description

Use the interface loopback command to create a Loopback interface or enter Loopback interface
view.
Use the undo interface loopback command to remove a Loopback interface.
Related commands: display interface loopback.

Examples

# Create Loopback 5 interface.


<Sysname> system-view
[Sysname] interface loopback 5
[Sysname-LoopBack5]

interface null

Syntax

interface null 0

View

System view

Default Level

2: System level

Parameters

0: Specifies the null interface number.

Description

Use the interface null command to enter null interface view.


A device has only one null interface, the Null 0 interface. Null 0 interface is always up and cannot be
removed.
Related commands: display interface null.

Examples

# Enter Null 0 interface view.


<Sysname> system-view
[Sysname] interface null 0
[Sysname-NULL0]

reset counters interface

Syntax

reset counters interface [ interface-type [ interface-number ] ]

View

User view

Default Level

2: System level

Parameters

interface-type: Logical interface type.


interface-number: Logical interface number.

Description

Use the reset counters interface command to clear the statistics of a logical interface.
Before collecting traffic statistics within a specific period of time on a logical interface, you need to clear
the existing statistics.
• If neither the interface type nor the interface number is specified, this command clears the statistics
on all interfaces in the system.
• If only the interface type is specified, this command clears the statistics on logical interfaces of the
specified interface type.
• If both the interface type and interface number are specified, this command clears the statistics on
the specified logical interface.

Examples

# Clear the statistics on loopback interface Loopback 5.


<Sysname> reset counters interface loopback 5

shutdown

Syntax

shutdown
undo shutdown

View

Loopback interface view

Default Level

2: System level

Parameters

None

Description

Use the shutdown command to shut down the current loopback interface.
Use the undo shutdown command to bring up the current loopback interface.
By default, a loopback interface is up.

Examples

# Shut down loopback interface Loopback 1.


<Sysname> system-view
[Sysname] interface loopback 1
[Sysname-Loopback1] shutdown

Table of Contents

1 Ethernet Link Aggregation Configuration Commands
    Ethernet Link Aggregation Configuration Commands
        description
        display lacp system-id
        display link-aggregation member-port
        display link-aggregation summary
        display link-aggregation verbose
        enable snmp trap updown
        interface bridge-aggregation
        lacp port-priority
        lacp system-priority
        link-aggregation mode
        port link-aggregation group
        reset counters interface
        reset lacp statistics
        shutdown

1 Ethernet Link Aggregation Configuration Commands

Ethernet Link Aggregation Configuration Commands


description

Syntax

description text
undo description

View

Layer 2 aggregate interface view

Default Level

2: System level

Parameters

text: Description of the interface, a string of 1 to 80 characters.

Description

Use the description command to configure a description for an interface. You can include information
such as the purpose of the interface for the ease of management.
Use the undo description command to restore the default.
By default, the description of an interface is interface-name Interface. For example, the default
description of Bridge-Aggregation1 is Bridge-Aggregation1 Interface.

Examples

# Set the description of Layer 2 aggregate interface Bridge-Aggregation 1 to connect to the lab.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] description connect to the lab

display lacp system-id

Syntax

display lacp system-id

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display lacp system-id command to display the system ID of the local system.
The system ID comprises the system LACP priority and the system MAC address.
You can use the lacp system-priority command to change the LACP priority of the local system. When
you do that, the LACP priority value you specify in the command is in decimal format. However, it is
displayed as a hexadecimal value with the display lacp system-id command.
Related commands: lacp system-priority.

Examples

# Display the local system ID.


<Sysname> display lacp system-id
Actor System ID: 0x8000, 0000-fc00-6504

Table 1-1 display lacp system-id command output description

| Field | Description |
|---|---|
| Actor System ID: 0x8000, 0000-fc00-6504 | The local system ID, which comprises the LACP system priority (0x8000 in this sample output) and the system MAC address (0000-fc00-6504 in this sample output). |

display link-aggregation member-port

Syntax

display link-aggregation member-port [ interface-list ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-list: Link aggregation member port list, in the form of interface-type interface-number [ to
interface-type interface-number ], where interface-type interface-number indicates port type and port
number.

Description

Use the display link-aggregation member-port command to display the detailed link aggregation
information on the specified member port(s) or all member ports if no interface is specified.

For a member port in a static aggregation group, only its port number and operational key are displayed,
because it is not aware of the information of the partner.

Examples

# Display the detailed link aggregation information of GigabitEthernet 1/0/1, a member port of a static
aggregation group.
<Sysname> display link-aggregation member-port gigabitEthernet1/0/1

Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
       D -- Synchronization, E -- Collecting, F -- Distributing,
       G -- Defaulted, H -- Expired

GigabitEthernet1/0/1:
Aggregation Interface: Bridge-Aggregation1
Port Number: 1
Oper-Key: 1

# Display the detailed link aggregation information of GigabitEthernet 1/0/2, a member port of a
dynamic aggregation group.
<Sysname> display link-aggregation member-port gigabitEthernet1/0/2

Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
       D -- Synchronization, E -- Collecting, F -- Distributing,
       G -- Defaulted, H -- Expired

GigabitEthernet1/0/2:
Aggregation Interface: Bridge-Aggregation10
Local:
Port Number: 2
Port Priority: 32768
Oper-Key: 2
Flag: {ACDEF}
Remote:
System ID: 0x8000, 000f-e267-6c6a
Port Number: 26
Port Priority: 32768
Oper-Key: 2
Flag: {ACDEF}
Received LACP Packets: 5 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 7 packet(s)

Table 1-2 display link-aggregation member-port command output description

| Field | Description |
|---|---|
| Flags | One-octet LACP state flags field. From the least to the most significant bit, they are represented by A through H as follows: A indicates whether LACP is enabled (1 for enabled and 0 for disabled); B indicates the timeout control value (1 for short timeout, and 0 for long timeout); C indicates whether the link is considered as aggregatable by the sending system (1 for true, and 0 for false); D indicates whether the link is considered as synchronized by the sending system (1 for true, and 0 for false); E indicates whether the sending system considers that collection of incoming frames is enabled on the link (1 for true and 0 for false); F indicates whether the sending system considers that distribution of outgoing frames is enabled on the link (1 for true and 0 for false); G indicates whether the receive state machine of the sending system is using default operational partner information (1 for true and 0 for false); H indicates whether the receive state machine of the sending system is in the expired state (1 for true and 0 for false). If a flag bit is set to 1, the corresponding English letter that otherwise is not output is displayed. |
| Aggregation Interface | Aggregate interface to which the current member port belongs |
| Local | Information about the local end |
| Port Number | Number of the port |
| Port Priority | LACP priority of the port |
| Oper-Key | Operational key |
| Flag | LACP protocol state flag |
| Remote | Information about the remote end |
| System ID | System ID of the remote end, comprising the system LACP priority and the system MAC address |
| Received LACP Packets | Total number of LACP packets received |
| Illegal | Total number of illegal packets |
| Sent LACP Packets | Total number of LACP packets sent |

display link-aggregation summary

Syntax

display link-aggregation summary

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display link-aggregation summary command to display the summary information of all
aggregation groups.
You may find that information about the remote system for a static link aggregation group is either
displayed as none or not displayed at all. This is normal because this type of aggregation group is not
aware of its partner.

Examples

# Display the summary information of all aggregation groups.


<Sysname> display link-aggregation summary

Aggregation Interface Type:
BAGG -- Bridge-Aggregation, RAGG -- Route-Aggregation
Aggregation Mode: S -- Static, D -- Dynamic
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor System ID: 0x8000, 000f-e267-6c6a

AGG        AGG   Partner ID               Select  Unselect  Share
Interface  Mode                           Ports   Ports     Type
-------------------------------------------------------------------------
BAGG1      S     none                     1       0         Shar
BAGG10     D     0x8000, 000f-e267-57ad   2       0         Shar

Table 1-3 display link-aggregation summary command output description

Field: Description
Aggregation Interface Type: Aggregate interface type:
- BAGG for Layer 2 aggregate interface
- RAGG for Layer 3 aggregate interface
Aggregation Mode: Aggregation group type:
- S for static link aggregation
- D for dynamic aggregation
Loadsharing Type: Loadsharing type:
- Shar for load sharing
- NonS for non-load sharing
Actor System ID: Local system ID, which comprises the system LACP priority and the system MAC address
AGG Interface: Type and number of the aggregate interface
AGG Mode: Aggregation group type
Partner ID: System ID of the partner, which comprises the system LACP priority and the system MAC address
Select Ports: Total number of selected ports
Unselect Ports: Total number of unselected ports
Share Type: Load sharing type

display link-aggregation verbose

Syntax

display link-aggregation verbose [ bridge-aggregation [ interface-number ] ]

View

Any view

Default Level

1: Monitor level

Parameters

bridge-aggregation: Displays detailed information about the Layer 2 aggregate groups corresponding
to Layer 2 aggregate interfaces.
interface-number: Aggregate interface number. Note that the aggregate interface you specify must
already exist.

Description

Use the display link-aggregation verbose command to display detailed information about the
aggregation groups corresponding to the aggregate interfaces.
Note that:
- To display the information of a specific Layer 2 aggregate group, use the display link-aggregation
verbose bridge-aggregation interface-number command.
- To display the information of all Layer 2 aggregate groups, use the display link-aggregation
verbose bridge-aggregation command.
- To display the information of all aggregate groups, use the display link-aggregation verbose
command.
- The bridge-aggregation keyword becomes available only after you create Layer 2 aggregate
interfaces on the device.

Examples

# Display the detailed information of the aggregation group corresponding to Layer 2 aggregate
interface Bridge-Aggregation 10.
<Sysname> display link-aggregation verbose bridge-aggregation 10

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
       D -- Synchronization, E -- Collecting, F -- Distributing,
       G -- Defaulted, H -- Expired

Aggregation Interface: Bridge-Aggregation10
Aggregation Mode: Dynamic
Loadsharing Type: Shar
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Oper-Key Flag
-------------------------------------------------------------------------------
GE1/0/2 S 32768 2 {ACDEF}
GE1/0/3 S 32768 2 {ACDEF}
Remote:
Actor Partner Priority Oper-Key SystemID Flag
-------------------------------------------------------------------------------
GE1/0/2 S 32768 2 {ACDEF}
GE1/0/3 S 32768 2 {ACDEF}

Table 1-4 display link-aggregation verbose command output description

Field: Description
Loadsharing Type: Loadsharing type:
- Shar for load sharing
- NonS for non-load sharing
Port Status: Port state: Selected or unselected.
Flags: One-octet LACP state flags field. From the least to the most significant bit, the flags are
represented by A through H as follows:
- A indicates whether LACP is enabled. 1 for enabled and 0 for disabled.
- B indicates the timeout control value. 1 for short timeout, and 0 for long timeout.
- C indicates whether the link is considered as aggregatable by the sending system. 1 for true, and 0
for false.
- D indicates whether the link is considered as synchronized by the sending system. 1 for true, and 0
for false.
- E indicates whether the sending system considers that collection of incoming frames is enabled on
the link. 1 for true and 0 for false.
- F indicates whether the sending system considers that distribution of outgoing frames is enabled on
the link. 1 for true and 0 for false.
- G indicates whether the receive state machine of the sending system is using default operational
partner information. 1 for true and 0 for false.
- H indicates whether the receive state machine of the sending system is in the expired state. 1 for
true and 0 for false.
The letter for a flag is displayed only when the corresponding flag bit is set to 1.
Aggregation Interface: Name of the aggregate interface
Aggregation Mode: Mode of the aggregation group: Static for static aggregation, and Dynamic for
dynamic aggregation.
System ID: Local system ID, which comprises the system LACP priority and the system MAC address.
Local: Information about the local end
Port: Port type and number
Status: Port state: selected or unselected
Priority: Port LACP priority
Oper-Key: Operational key
Flag: LACP protocol state flag
Remote: Information about the remote end
Actor: Local port type and number
Partner: Remote port index
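
The flag letters described in Table 1-2 and Table 1-4 map to the bits of one octet (A is bit 0, H is bit 7). The following Python sketch is an added example, not part of the H3C manual: it parses display link-aggregation member-port text, converts each Flag set to its octet, and reports dynamic member ports whose flags, partner System ID or Illegal counter deviate from the expected state. The sample text, the 0200-0000-0001 System ID, the EXPECTED_PARTNER value and the finding names are constructed assumptions.

```python
import re

COUNTERS = ("Received LACP Packets", "Illegal", "Sent LACP Packets")
PORT_HEADER = re.compile(r"([A-Za-z-]+\d+/\d+/\d+):")

# Constructed sample in the member-port output layout (not captured from a device).
SAMPLE = """\
GigabitEthernet1/0/1:
Aggregation Interface: Bridge-Aggregation1
Port Number: 1
Oper-Key: 1
GigabitEthernet1/0/2:
Aggregation Interface: Bridge-Aggregation10
Local:
Port Number: 2
Port Priority: 32768
Oper-Key: 2
Flag: {ACDEF}
Remote:
System ID: 0x8000, 000f-e267-6c6a
Port Number: 26
Port Priority: 32768
Oper-Key: 2
Flag: {ACDEF}
Received LACP Packets: 5 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 7 packet(s)
GigabitEthernet1/0/3:
Aggregation Interface: Bridge-Aggregation10
Local:
Port Number: 3
Port Priority: 32768
Oper-Key: 2
Flag: {ACG}
Remote:
System ID: 0x8000, 0200-0000-0001
Port Number: 9
Port Priority: 32768
Oper-Key: 2
Flag: {ACDEF}
Received LACP Packets: 12 packet(s)
Illegal: 3 packet(s)
Sent LACP Packets: 14 packet(s)
"""
# Hypothetical policy value: the partner System ID every dynamic member should report.
EXPECTED_PARTNER = "0x8000, 000f-e267-6c6a"

def flags_to_octet(letters):
    """Turn displayed flag letters such as 'ACDEF' into the state octet (A = bit 0)."""
    octet = 0
    for ch in letters:
        if ch not in "ABCDEFGH":
            raise ValueError("unknown LACP flag letter: %r" % ch)
        octet |= 1 << (ord(ch) - ord("A"))
    return octet

def parse_member_ports(text):
    """Parse member-port text into {port: {"Local": {}, "Remote": {}, "Counters": {}}}."""
    ports, port, side = {}, None, "Local"
    for line in (raw.strip() for raw in text.splitlines()):
        header = PORT_HEADER.fullmatch(line)
        if header:
            port = ports.setdefault(header.group(1), {"Local": {}, "Remote": {}, "Counters": {}})
            side = "Local"
        elif port is None or ":" not in line or " -- " in line:
            continue  # flag legend, blank lines, anything before the first port
        elif line in ("Local:", "Remote:"):
            side = line[:-1]
        else:
            key, _, value = (part.strip() for part in line.partition(":"))
            if key in COUNTERS:
                port["Counters"][key] = int(value.split()[0])
            else:
                port[side][key] = value.strip("{}")  # Flag: {ACDEF} -> ACDEF
    return ports

def audit(ports, expected_partner):
    """Return (port, finding) pairs for dynamic member ports that need attention."""
    findings = []
    for name in sorted(ports):
        local, remote, counters = (ports[name][k] for k in ("Local", "Remote", "Counters"))
        if not remote:
            continue  # static aggregation member: no partner information is displayed
        for side, info in (("local", local), ("remote", remote)):
            octet = flags_to_octet(info.get("Flag", ""))
            if octet & 0xC0:            # G (Defaulted) or H (Expired) is set
                findings.append((name, side + "-defaulted-or-expired"))
            if (octet & 0x3C) != 0x3C:  # assumption: healthy members show C, D, E and F
                findings.append((name, side + "-not-fully-aggregated"))
        if remote.get("System ID") != expected_partner:
            findings.append((name, "unexpected-partner"))
        if counters.get("Illegal", 0) > 0:
            findings.append((name, "illegal-lacp-packets"))
    return findings
```
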

enable snmp trap updown

Syntax

enable snmp trap updown


undo enable snmp trap updown

View

Layer 2 aggregate interface view

Default Level

2: System level

Parameters

None

Description

Use the enable snmp trap updown command to enable link state trapping for the current aggregate
interface.
Use the undo enable snmp trap updown command to disable link state trapping for the current
aggregate interface.
By default, link state trapping is enabled for an aggregate interface.
With the link state trapping function enabled, an aggregate interface generates linkUp trap messages
when its link goes up and linkDown trap messages when its link goes down.
Note that for an aggregate interface to generate linkUp/linkDown traps when its link state changes, you
must also enable link state trapping globally with the snmp-agent trap enable [ standard [ linkdown |
linkup ] * ] command.
Refer to SNMP-RMON Commands for information about the snmp-agent trap enable command.

Examples

# Enable linkUp/linkDown trap generation on Layer 2 aggregate interface Bridge-Aggregation 1.
<Sysname> system-view
[Sysname] snmp-agent trap enable
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] enable snmp trap updown

interface bridge-aggregation

Syntax

interface bridge-aggregation interface-number


undo interface bridge-aggregation interface-number

View

System view

Default Level

2: System level

Parameters

interface-number: Layer 2 aggregate interface number, in the range of 1 to 26.

Description

Use the interface bridge-aggregation command to create a Layer 2 aggregate interface and enter the
Layer 2 aggregate interface view.
Use the undo interface bridge-aggregation command to remove a Layer 2 aggregate interface.
Upon creation of a Layer 2 aggregate interface, a Layer 2 aggregation group numbered the same is
created automatically. Removing the Layer 2 aggregate interface also removes the Layer 2 aggregation
group. At the same time, the member ports of the aggregation group, if any, leave the aggregation
group.

Examples

# Create Layer 2 aggregate interface Bridge-Aggregation 1 and enter its view.


<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1]

lacp port-priority

Syntax

lacp port-priority port-priority


undo lacp port-priority

View

Ethernet port view

Default Level

2: System level

Parameters

port-priority: Port LACP priority, in the range of 0 to 65535. The smaller this value, the higher the LACP
priority.

Description

Use the lacp port-priority command to set the LACP priority of a port.
Use the undo lacp port-priority command to restore the default.
The default LACP priority of a port is 32768.

Examples

# Set the port LACP priority of Gigabitethernet 1/0/1 to 64.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-Gigabitethernet1/0/1] lacp port-priority 64

lacp system-priority

Syntax

lacp system-priority system-priority


undo lacp system-priority

View

System view

Default Level

2: System level

Parameters

system-priority: LACP priority of the local system, in the range of 0 to 65535. The smaller this value, the
higher the system LACP priority.

Description

Use the lacp system-priority command to set the LACP priority of the local system.
Use the undo lacp system-priority command to restore the default.
By default, the system LACP priority is 32768.

Examples

# Set the system LACP priority to 64.


<Sysname> system-view
[Sysname] lacp system-priority 64

link-aggregation mode

Syntax

link-aggregation mode dynamic

undo link-aggregation mode

View

Layer 2 aggregate interface view

Default Level

2: System level

Parameters

None

Description

Use the link-aggregation mode dynamic command to configure an aggregation group to work in
dynamic aggregation mode.
Use the undo link-aggregation mode command to restore the default.
By default, an aggregation group works in static aggregation mode.
To change the aggregation mode of an aggregation group that contains member ports, remove all the
member ports from the aggregation group first.

Examples

# Configure the aggregation group corresponding to Bridge-Aggregation 1 to work in dynamic
aggregation mode.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] link-aggregation mode dynamic

port link-aggregation group

Syntax

port link-aggregation group number


undo port link-aggregation group

View

Ethernet port view

Default Level

2: System level

Parameters

number: Number of the aggregate interface corresponding to an aggregation group, in the range of 1 to
26.

Description

Use the port link-aggregation group command to assign the current Ethernet interface to the
specified aggregation group.

Use the undo port link-aggregation group command to remove the current Ethernet interface from
the aggregation group to which it currently belongs.
Note that an Ethernet port can belong to only one aggregation group.

To achieve better load sharing results for data traffic among the member ports of a link aggregation
group, assign ports of the same type (all GE ports or all 10-GE optical ports) to the link aggregation
group.

Examples

# Assign Layer 2 Ethernet interface GigabitEthernet1/0/1 to Layer 2 aggregation group 1.


<Sysname> system-view
[Sysname] interface gigabitEthernet1/0/1
[Sysname-GigabitEthernet1/0/1] port link-aggregation group 1

reset counters interface

Syntax

reset counters interface [ bridge-aggregation [ interface-number ] ]

View

User view

Default Level

2: System level

Parameters

bridge-aggregation: Clears statistics for Layer 2 aggregate interfaces.


interface-number: Aggregate interface number. If the interface-number argument is not specified, this
command clears statistics of all aggregate interfaces of the specified type.

Description

Use the reset counters interface command to clear the statistics of the specified aggregate interface
or interfaces.
Before collecting statistics for a Layer 2 aggregate interface within a specific period, you need to clear
the existing statistics of the interface.
Note that:
- If none of the keywords and argument is specified, this command clears the statistics of all
interfaces in the system.
- If only the bridge-aggregation keyword is specified, the command clears the statistics of all Layer
2 aggregate interfaces.
- If the bridge-aggregation interface-number keyword and argument combination is specified, this
command clears the statistics of the specified Layer 2 aggregate interface.
- The bridge-aggregation keyword becomes available only after you create Layer 2 aggregate
interfaces on the device.

Examples

# Clear the statistics of Layer 2 aggregate interface Bridge-Aggregation 1.


<Sysname> reset counters interface bridge-aggregation 1

reset lacp statistics

Syntax

reset lacp statistics [ interface interface-list ]

View

User view

Default Level

1: Monitor level

Parameters

interface-list: Link aggregation member port list, in the form of interface-type interface-number [ to
interface-type interface-number ], where interface-type interface-number indicates port type and port
number.

Description

Use the reset lacp statistics command to clear the LACP statistics on the specified member ports or all
member ports if no member ports are specified.
Related commands: display link-aggregation member-port.

Examples

# Clear the LACP statistics on all link aggregation member ports.


<Sysname> reset lacp statistics

shutdown

Syntax

shutdown
undo shutdown

View

Layer 2 aggregate interface view

Default Level

2: System level

Parameters

None

Description

Use the shutdown command to shut down the current aggregate interface/subinterface.
Use the undo shutdown command to bring up the current aggregate interface/subinterface.
By default, aggregate interfaces are up.

Examples

# Shut down Layer 2 aggregate interface Bridge-Aggregation 1.


<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] shutdown

Table of Contents

1 Port Isolation Configuration Commands
  Port Isolation Configuration Commands
    display port-isolate group
    port-isolate enable
    port-isolate group
1 Port Isolation Configuration Commands

Port Isolation Configuration Commands


display port-isolate group

Syntax

display port-isolate group [ group-number ]

View

Any view

Default Level

1: Monitor level

Parameters

group-number: Specifies an isolation group number.

Description

Use the display port-isolate group command to display information about one or all isolation groups.

If an isolation group is specified, this command displays information about the specified isolation group;
if not, the command displays information about all isolation groups.

Examples

# Display information about all isolation groups.


<Sysname> display port-isolate group
Port-isolate group information:
Uplink port support: NO
Group ID: 2
Group members:
GigabitEthernet1/0/1

Group ID: 5
Group members:
GigabitEthernet1/0/2 GigabitEthernet1/0/4

# Display information about isolation group 2.


<Sysname> display port-isolate group 2
Port-isolate group information:
Uplink port support: NO
Group ID: 2
Group members:
GigabitEthernet1/0/1

Table 1-1 display port-isolate group command output description

Field: Description
Port-isolate group information: Display the information of a port-isolation group
Uplink port support: Indicates whether the uplink port is supported.
Group ID: Isolation group number
Group members: Isolated ports in the isolation group

port-isolate enable

Syntax

port-isolate enable group group-number


undo port-isolate enable

View

Ethernet interface view, Layer-2 aggregate interface view, port group view

Default Level

2: System level

Parameters

group group-number: Specifies the ID of the group to which the ports are to be added.

Description

Use the port-isolate enable command to add a port in Ethernet interface view or a group of ports in
port group view to an isolation group as isolated ports.
Use the undo port-isolate enable command to remove the port or ports from the isolation group.
- In Ethernet interface view, the configuration applies to the current port.
- In port group view, the configuration applies to all ports in the port group.
- In Layer-2 aggregate interface view, the configuration applies to the Layer-2 aggregate interface
and all its member ports. After you make the configuration, the system applies it to the aggregate
interface and its member ports. If the system fails to apply it on the aggregate interface, it stops
applying the configuration to the member ports. If it fails on a member port, it skips that port and
moves to the next port. For detailed information about Layer-2 aggregate interfaces, refer to Link
Aggregation Configuration.
Note that this command adds a port to the specified isolation group, so make sure the isolation group
already exists.

Examples

# On a multiple-isolation-group device, assign ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to
isolation group 2.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-isolate enable group 2
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] interface GigabitEthernet 1/0/2
[Sysname-GigabitEthernet1/0/2] port-isolate enable group 2

port-isolate group

Syntax

port-isolate group group-number


undo port-isolate group { group-number | all }

View

System view

Default Level

2: System level

Parameters

group-number: Specifies the number of the isolation group. The value ranges from 1 to 26.

all: Removes all isolation groups.

Description

Use the port-isolate group command to create an isolation group.

Use the undo port-isolate group command to remove one or all isolation groups.

Examples

# Create isolation group 2.


<Sysname> system-view
[Sysname] port-isolate group 2

Table of Contents

1 Port Mirroring Configuration Commands
  Port Mirroring Configuration Commands
    display mirroring-group
    mirroring-group
    mirroring-group mirroring-port
    mirroring-group monitor-port
    mirroring-port
    monitor-port
1 Port Mirroring Configuration Commands

Port Mirroring Configuration Commands


display mirroring-group

Syntax

display mirroring-group { group-id | local }

View

Any view

Default Level

2: System level

Parameters

group-id: Number of the mirroring group to be displayed, which can only be 1.


local: Displays local mirroring groups.

Description

Use the display mirroring-group command to display information about the specified mirroring group.

Examples

# Display information about mirroring group 1.


<Sysname> display mirroring-group 1
mirroring-group 1:
type: local
status: active
mirroring port:
GigabitEthernet1/0/2 both
monitor port: GigabitEthernet1/0/3

Field: Description
mirroring-group: Number of the mirroring group
type: Type of the mirroring group, which can be local only.
status: Status of the mirroring group, which can be active or inactive.
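
Because a mirroring group copies traffic from its mirroring ports to the monitor port, the display mirroring-group output is worth comparing against the approved capture setup. The following Python sketch is an added example, not part of the H3C manual: it parses that output and reports a monitor port, mirroring port or direction that differs from an approved session. Both sample outputs, the approved values and the one-port-per-line layout for several mirroring ports are constructed assumptions.

```python
import re

# Constructed outputs in the layout of the display mirroring-group example.
BASELINE = """\
mirroring-group 1:
type: local
status: active
mirroring port:
GigabitEthernet1/0/2 both
monitor port: GigabitEthernet1/0/3
"""
DRIFTED = """\
mirroring-group 1:
type: local
status: active
mirroring port:
GigabitEthernet1/0/2 both
GigabitEthernet1/0/5 inbound
monitor port: GigabitEthernet1/0/24
"""
# Hypothetical approved session: which ports may be mirrored, in which direction,
# and which port the analyzer is attached to.
APPROVED_SOURCES = {"GigabitEthernet1/0/2": "both"}
APPROVED_MONITOR = "GigabitEthernet1/0/3"


def parse_mirroring_group(text):
    """Parse one mirroring group from display mirroring-group text."""
    group = {"id": None, "type": None, "status": None, "sources": {}, "monitor": None}
    in_sources = False
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"mirroring-group (\d+):", line)
        if header:
            group["id"] = int(header.group(1))
        elif line == "mirroring port:":
            in_sources = True          # following lines are "<port> <direction>"
        elif line.startswith(("type:", "status:", "monitor port:")):
            in_sources = False
            key, _, value = line.partition(":")
            group["monitor" if key == "monitor port" else key] = value.strip()
        elif in_sources:
            parts = line.split()
            if len(parts) == 2:
                group["sources"][parts[0]] = parts[1]
    return group


def audit_mirroring(group, approved_sources, approved_monitor):
    """Compare a parsed group with the approved session and return findings."""
    findings = []
    if group["monitor"] and group["monitor"] != approved_monitor:
        findings.append("monitor port %s is not the approved analyzer port" % group["monitor"])
    for port, direction in sorted(group["sources"].items()):
        allowed = approved_sources.get(port)
        if allowed is None:
            findings.append("unapproved mirroring port %s (%s)" % (port, direction))
        elif direction != allowed and allowed != "both":
            # "both" covers either direction; anything else must match exactly
            findings.append("%s mirrors %s, approved only for %s" % (port, direction, allowed))
    return findings
```
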

mirroring-group

Syntax

mirroring-group group-id local


undo mirroring-group { group-id | local }

View

System view

Default Level

2: System level

Parameters

group-id: Specifies the number of the mirroring group to be created or removed. Its value can only be 1.
local: Creates a local mirroring group or removes a local mirroring group with the undo command.

Description

Use the mirroring-group command to create a mirroring group.


Use the undo mirroring-group command to remove the specified mirroring group.
By default, no mirroring group exists on a device.

Examples

# Create a local mirroring group numbered 1.


<Sysname> system-view
[Sysname] mirroring-group 1 local

mirroring-group mirroring-port

Syntax

mirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound }


undo mirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound }

View

System view

Default Level

2: System level

Parameters

group-id: Number of a local mirroring group, which can only be 1.


mirroring-port-list: A list of source ports/port ranges to be assigned to or removed from the mirroring
group specified by group-id. You can specify up to eight single ports, port ranges, or combinations of
both for the list. A single port takes the form of interface-type interface-number. A port range takes the
form interface-type interface-number to interface-type interface-number, where the end port number
must be greater than the start port number.

both: Mirrors both inbound and outbound packets on the specified port(s).
inbound: Mirrors only inbound packets on the specified port(s).
outbound: Mirrors only outbound packets on the specified port(s).

Description

Use the mirroring-group mirroring-port command to assign ports to a local mirroring group as
mirroring ports.
Use the undo mirroring-group mirroring-port command to remove mirroring ports from the mirroring
group.
By default, no source port is configured for any mirroring group.
Note that:
- When removing a source port from a mirroring group, make sure the traffic direction you specified
in the undo mirroring-group mirroring-port command matches the actual monitored direction
specified earlier in the mirroring-group mirroring-port command.
- The mirroring group specified by the group-id argument must already exist.
Related commands: mirroring-group.

Examples

# Create local mirroring group 1, and configure ports GigabitEthernet 1/0/1, GigabitEthernet 1/0/2 and
GigabitEthernet 1/0/3 as mirroring ports in mirroring group 1.
<Sysname> system-view
[Sysname] mirroring-group 1 local
[Sysname] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 to gigabitethernet 1/0/3 both

# Remove mirroring port GigabitEthernet 1/0/1 from mirroring group 1.
<Sysname> system-view
[Sysname] undo mirroring-group 1 mirroring-port gigabitethernet 1/0/1 both

mirroring-group monitor-port

Syntax

mirroring-group groupid monitor-port monitor-port-id


undo mirroring-group groupid monitor-port monitor-port-id

View

System view

Default Level

2: System level

Parameters

groupid: Number of a local mirroring group, which can only be 1.

monitor-port-id: Port to be assigned to the specified mirroring group as the monitor port. The argument
takes the form of interface-type interface-number, where interface-type specifies the port type and
interface-number specifies the port number.

Description

Use the mirroring-group monitor-port command to assign a port to a local mirroring group as the
monitor port.
Use the undo mirroring-group monitor-port command to remove the monitor port from the local
mirroring group.
By default, no monitor port is configured for a mirroring group.
In a local mirroring group, you must configure a monitor port. From this port, mirrored packets are sent
to the monitor device for analysis.
Note that:
- You can configure only one monitor port for a mirroring group.
- The mirroring group specified by groupid must already exist.
- The monitor port must not belong to any other mirroring group.
Related commands: mirroring-group.

Examples

# Configure GigabitEthernet 1/0/1 as the monitor port in local mirroring group 1.


<Sysname> system-view
[Sysname] mirroring-group 1 local
[Sysname] mirroring-group 1 monitor-port gigabitethernet 1/0/1

mirroring-port

Syntax

[ mirroring-group groupid ] mirroring-port { inbound | outbound | both }


undo [ mirroring-group groupid ] mirroring-port { inbound | outbound | both }

View

Interface view

Default Level

2: System level

Parameters

groupid: Number of a local mirroring group, which can only be 1.


both: Mirrors both inbound and outbound packets on the current port.
inbound: Mirrors only inbound packets on the current port.
outbound: Mirrors only outbound packets on the current port.

Description

Use the mirroring-port command to assign the current port to a local mirroring group as a mirroring
port.
Use the undo mirroring-port command to remove the current port from the mirroring group.
By default, a port does not serve as a mirroring port for any mirroring group.
When assigning a port to a mirroring group as a mirroring port, note that:
- If no mirroring group is specified, the port is assigned to mirroring group 1.
- When removing a mirroring port from a mirroring group, make sure the traffic direction you
specified in the undo mirroring-group command matches the actual monitored direction of the
port.

Examples

# Configure GigabitEthernet 1/0/1 as a mirroring port in local mirroring group numbered 1.


<Sysname> system-view
[Sysname] mirroring-group 1 local
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mirroring-group 1 mirroring-port both

# Remove mirroring port GigabitEthernet 1/0/1 from mirroring group 1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo mirroring-group 1 mirroring-port both

monitor-port

Syntax

[ mirroring-group groupid ] monitor-port


undo [ mirroring-group groupid ] monitor-port

View

Interface view

Default Level

2: System level

Parameters

groupid: Number of a local mirroring group, which can only be 1.

Description

Use the monitor-port command to assign the current port to a local mirroring group as the monitor port.
Use the undo monitor-port command to remove the current port from the mirroring group.
When assigning a port to a mirroring group as the monitor port, note that:
- If no mirroring group is specified, the port is assigned to mirroring group 1.
- The port cannot belong to any other mirroring groups.

Related commands: mirroring-group.

Examples

# Configure GigabitEthernet 1/0/1 as the monitor port in local mirroring group numbered 1.
<Sysname> system-view
[Sysname] mirroring-group 1 local
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] monitor-port

1-6
Table of Contents

1 LLDP Configuration Commands ··············································································································1-1


LLDP Configuration Commands ·············································································································1-1
display lldp local-information ···········································································································1-1
display lldp neighbor-information·····································································································1-5
display lldp statistics ························································································································1-9
display lldp status ··························································································································1-10
display lldp tlv-config
lldp admin-status
lldp check-change-interval
lldp compliance admin-status cdp
lldp compliance cdp
lldp enable
lldp encapsulation snap
lldp fast-count
lldp hold-multiplier
lldp management-address-format string
lldp management-address-tlv
lldp notification remote-change enable
lldp timer notification-interval
lldp timer reinit-delay
lldp timer tx-delay
lldp timer tx-interval
lldp tlv-enable

1 LLDP Configuration Commands

LLDP Configuration Commands


display lldp local-information

Syntax

display lldp local-information [ global | interface interface-type interface-number ]

View

Any view

Default level

1: Monitor level

Parameters

global: Displays the global LLDP information to be sent.


interface interface-type interface-number: Displays the LLDP information to be sent out the port
specified by its type and number.

Description

Use the display lldp local-information command to display the LLDP information to be sent, which will
be contained in the LLDP TLVs and sent to neighbor devices.
If no keyword or argument is specified, this command displays all the LLDP information to be sent,
including the global LLDP information and the LLDP information about the LLDP-enabled ports in the up
state.

Examples

# Display all the LLDP information to be sent.


<Sysname> display lldp local-information
Global LLDP local-information:
Chassis ID : 00e0-fc00-5600
System name : Sysname
System description : System
System capabilities supported : Bridge,Router
System capabilities enabled : Bridge,Router

MED information
Device class: Connectivity device

HardwareRev : REV.A
FirmwareRev : 109

SoftwareRev : 5.20 Alpha 2101
SerialNum : NONE
Manufacturer name : Manufacturer
Model name : Model
Asset tracking identifier : Unknown
LLDP local-information of port 1[GigabitEthernet1/0/1]:
Port ID subtype : Interface name
Port ID : GigabitEthernet1/0/1
Port description : GigabitEthernet1/0/1 Interface

Management address type : ipv4


Management address : 192.168.1.11
Management address interface type : IfIndex
Management address interface ID : 54
Management address OID : 0

Port VLAN ID(PVID): 1

Port and protocol VLAN ID(PPVID) : 1


Port and protocol VLAN supported : Yes
Port and protocol VLAN enabled : No

VLAN name of VLAN 1: VLAN 0001

Auto-negotiation supported : Yes


Auto-negotiation enabled : Yes
OperMau : speed(1000)/duplex(Full)

PoE supported: No

Link aggregation supported : Yes


Link aggregation enabled : No
Aggregation port ID : 0

Maximum frame Size: 1536

MED information
Media policy type : Unknown
Unknown Policy : Yes
VLAN tagged : No
Media policy VlanID : 0
Media policy L2 priority : 0
Media policy Dscp : 0

Table 1-1 display lldp local-information command output description

Field: Description
Global LLDP local-information: The global LLDP information to be sent
Chassis ID: Bridge MAC address of the device
System capabilities supported: Supported capabilities, which can be:
  - Bridge, indicating switching
  - Router, indicating routing
System capabilities enabled: Currently enabled capabilities, which can be:
  - Bridge, indicating switching is currently enabled.
  - Router, indicating routing is currently enabled.
Device class: MED device class, which can be:
  - Connectivity device, indicating a network device.
  - Class I, indicating a normal terminal device. All terminal devices that require the basic LLDP discovery services are of this class.
  - Class II, indicating a media terminal device. A device of this class is media-capable. In other words, besides the capabilities of a normal terminal device, it also supports media streams.
  - Class III, indicating a communication terminal device. A device of this class supports IP communication systems of end users. A device of this class supports all the capabilities of a normal terminal device and a media terminal device and can be used directly by end users.
HardwareRev: Hardware version
FirmwareRev: Firmware version
SoftwareRev: Software version
SerialNum: Serial number
Manufacturer name: Device manufacturer
Model name: Device model
Asset tracking identifier: Asset tracking ID
LLDP local-information of port 1: LLDP information to be sent out port 1
Port ID subtype: Port ID type, which can be MAC address or interface name
Port ID: Port ID, the value of which depends on the port ID subtype
Port description: Port description
Management address interface type: Numbering type of the interface identified by the management address
Management address interface ID: Index of the interface identified by the management address
Management address OID: Management address object ID
Port VLAN ID(PVID): Port VLAN ID
Port and protocol VLAN ID(PPVID): Port protocol VLAN ID
Port and protocol VLAN supported: Indicates whether protocol VLAN is supported on the port.
Port and protocol VLAN enabled: Indicates whether protocol VLAN is enabled on the port.
VLAN name of VLAN 1: Name of VLAN 1
Auto-negotiation supported: Indicates whether auto-negotiation is supported on the port.
Auto-negotiation enabled: Indicates whether auto-negotiation is enabled
OperMau: Current speed and duplex state of the port
PoE supported: Indicates whether PoE is supported on the port.
Power port class: PoE device type, which can be:
  - PSE: power sourcing equipment
  - PD: powered device
PSE power supported: Indicates whether the device can operate as a PSE.
PSE power enabled: Indicates whether the device is operating as a PSE.
PSE pairs control ability: Indicates whether the PSE-PD pair control is available.
Power pairs: PoE mode, which can be Signal (PoE via signal lines) or Spare (PoE via spare lines).
Port power classification: Port power classification of the PD, which can be:
  - Class 0
  - Class 1
  - Class 2
  - Class 3
  - Class 4
Link aggregation supported: Indicates whether link aggregation is supported.
Link aggregation enabled: Indicates whether link aggregation is enabled.
Aggregation port ID: Aggregation group ID, which is 0 if link aggregation is not enabled.
Maximum frame Size: Maximum frame size supported
MED information: MED LLDP information
Media policy type: Media policy type, which can be:
  - unknown
  - voice
  - voiceSignaling
  - guestVoice
  - guestVoiceSignaling
  - softPhoneVoice
  - videoconferencing
  - streamingVideo
  - videoSignaling
Unknown Policy: Indicates whether the media policy is unknown.
VLAN tagged: Indicates whether packets of the media VLAN are tagged.
Media Policy VlanID: ID of the media VLAN
Media Policy L2 priority: Layer 2 priority
Media Policy Dscp: DSCP precedence
Location format: Location information format, which can be:
  - Invalid, indicating the format of the location information is invalid.
  - Coordinate-based LCI, indicating the location information is coordinate-based.
  - Civic Address LCI, indicating normal address information.
  - ECS ELIN, indicating a telephone number for emergencies.
PoE PSE power source: PSE power type, which can be:
  - Unknown, indicating an unknown power supply
  - Primary, indicating a primary power supply
  - Backup, indicating a backup power supply
Port PSE Priority: PoE power supply priority of PSE ports, which can be:
  - Unknown
  - Critical
  - High
  - Low
Port available power value: Available PoE power on PSE ports, in watts


display lldp neighbor-information

Syntax

display lldp neighbor-information [ brief | interface interface-type interface-number [ brief ] | list [ system-name system-name ] ]

View

Any view

Default level

1: Monitor level

Parameters

brief: Displays the summary of LLDP information sent from the neighboring devices. If this keyword is
not specified, this command displays the LLDP information sent from the neighboring devices in detail.
interface interface-type interface-number: Displays the LLDP information sent from the neighboring
devices received through a port specified by its type and number. If this keyword-argument combination
is not specified, this command displays the LLDP information sent from the neighboring devices
received through all ports.
list: Displays the LLDP information sent from the neighboring devices in the form of a list.
system-name system-name: Displays the LLDP information sent from a neighboring device specified
by its system name. The system-name argument is a character string of 1 to 255 characters. If this
keyword-argument combination is not specified, this command displays the LLDP information sent from
all the neighboring devices in the form of a list.

Description

Use the display lldp neighbor-information command to display the LLDP information carried in LLDP
TLVs sent from the neighboring devices.

Examples

# Display the LLDP information sent from the neighboring devices received through all the ports.
<Sysname> display lldp neighbor-information

LLDP neighbor-information of port 1[GigabitEthernet1/0/1]:


Neighbor index : 1
Update time : 0 days,0 hours,1 minutes,1 seconds
Chassis type : MAC address

Chassis ID : 000f-0055-0002
Port ID type : Interface name
Port ID : GigabitEthernet1/0/1
Port description : GigabitEthernet1/0/1 Interface
System name : Sysname
System description : System
System capabilities supported : Bridge,Router
System capabilities enabled : Bridge,Router

Management address type : ipv4


Management address : 192.168.1.55
Management address interface type : IfIndex
Management address interface ID : Unknown
Management address OID : 0

Port VLAN ID(PVID): 1

Port and protocol VLAN ID(PPVID) : 1


Port and protocol VLAN supported : Yes
Port and protocol VLAN enabled : No

VLAN name of VLAN 1: VLAN 0001

Auto-negotiation supported : Yes


Auto-negotiation enabled : Yes
OperMau : speed(1000)/duplex(Full)

Power port class : PD


PSE power supported : No
PSE power enabled : No
PSE pairs control ability : No
Power pairs : Signal
Port power classification : Class 0

Link aggregation supported : Yes


Link aggregation enabled : No
Aggregation port ID : 0

Maximum frame Size: 1536

# Display the LLDP information sent from all the neighboring devices in the form of a list.
<Sysname> display lldp neighbor-information list

System Name Local Interface Chassis ID Port ID


System1 GE1/0/1 000f-e25d-ee91 GigabitEthernet1/0/5
System2 GE1/0/2 000f-e25d-ee92 GigabitEthernet1/0/6
System3 GE1/0/3 000f-e25d-ee93 GigabitEthernet1/0/7

Table 1-2 display lldp neighbor-information command output description

Field: Description
LLDP neighbor-information of port 1: LLDP information received through port 1
Update time: Time when the LLDP information about a neighboring device was last updated.
Chassis type: Chassis information, which can be:
  - Chassis component
  - Interface alias
  - Port component
  - MAC address
  - Network address
  - Interface name
  - Locally assigned (indicating the local configuration)
Chassis ID: ID that identifies the LLDP sending device, which can be a MAC address, a network address, an interface or some other value depending on the chassis type.
Port ID type: Port information, which can be:
  - Interface alias
  - Port component
  - MAC address
  - Network Address
  - Interface name
  - Agent circuit ID
  - Locally assigned (indicating the local configuration)
Port ID: Port ID, the value of which depends on the port ID type
System name: System name of the neighboring device
System description: System description of the neighboring device
System capabilities supported: Capabilities supported on the neighboring device, which can be:
  - Repeater, indicating forwarding
  - Bridge, indicating switching
  - Router, indicating routing
System capabilities enabled: Capabilities currently enabled on the neighboring device, which can be:
  - Repeater, indicating forwarding is currently enabled.
  - Bridge, indicating switching is currently enabled.
  - Router, indicating routing is currently enabled.
Management address OID: Management address object ID
Port VLAN ID: Port VLAN ID
Port and protocol VLAN ID(PPVID): Port protocol VLAN ID
Port and protocol VLAN supported: Indicates whether protocol VLAN is supported.
Port and protocol VLAN enabled: Indicates whether protocol VLAN is enabled.
VLAN name of VLAN 1: Name of VLAN 1
Auto-negotiation supported: Indicates whether auto-negotiation is supported.
Auto-negotiation enabled: State of auto-negotiation
OperMau: Current speed and duplex state
Power port class: PoE device type, which can be:
  - PSE: power sourcing equipment
  - PD: powered device
PSE power supported: Indicates whether the device can operate as a PSE.
PSE power enabled: Indicates whether the device is operating as a PSE.
PSE pairs control ability: Indicates whether the PSE-PD pair control is available.
Power pairs: PoE mode, which can be Signal (PoE via signal lines) or Spare (PoE via spare lines).
Port power classification: Port power classification of the PD, which can be the following:
  - Class 0
  - Class 1
  - Class 2
  - Class 3
  - Class 4
Link aggregation supported: Indicates whether link aggregation is supported.
Link aggregation enabled: Indicates whether link aggregation is enabled.
Aggregation port ID: Aggregation group ID, which is 0 if link aggregation is not enabled.
Maximum frame Size: Maximum frame size supported
Location format: Location information format, which can be:
  - Invalid, indicating the format of the location information is invalid.
  - Coordinate-based LCI, indicating the location information is coordinate-based.
  - Civic Address LCI, indicating normal address information.
  - ECS ELIN, indicating a telephone number for emergencies.
Location Information: Location information
PoE PSE power source: PSE power type, which can be:
  - Primary, indicating a primary power supply
  - Backup, indicating a backup power supply
PoE service type: PoE service type
Port PSE Priority: PoE power supply priority of PSE ports, which can be:
  - Unknown
  - Critical
  - High
  - Low
Port available power value: Available PoE power on PSE ports, in watts
TLV type: Unknown basic TLV type
TLV information: Information contained in the unknown basic TLV type
Unknown organizationally-defined TLV: Unknown organizationally specific TLV
TLV OUI: OUI of the unknown organizationally specific TLV
TLV subtype: Unknown organizationally specific TLV subtype
Index: Unknown organization index
TLV information: Information contained in unknown organizationally specific TLV
Local Interface: Local port that receives the LLDP information
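
The detailed output described in Table 1-2 can be turned into per-neighbor records and compared with what is expected on each port. The following Python code is an added example, not part of the H3C manual; the sample text, the uplink list and the chassis inventory are constructed, and parse_neighbors and audit_neighbors are hypothetical helper names.

```python
import re

# Constructed sample in the layout of the detailed output shown in this section.
SAMPLE_OUTPUT = """\
LLDP neighbor-information of port 1[GigabitEthernet1/0/1]:
  Neighbor index   : 1
  Update time      : 0 days,0 hours,1 minutes,1 seconds
  Chassis type     : MAC address
  Chassis ID       : 000f-0055-0002
  Port ID type     : Interface name
  Port ID          : GigabitEthernet1/0/1
  System name      : Sysname
  System capabilities supported : Bridge,Router
  System capabilities enabled   : Bridge,Router
  Management address            : 192.168.1.55
LLDP neighbor-information of port 7[GigabitEthernet1/0/7]:
  Neighbor index   : 1
  Chassis type     : MAC address
  Chassis ID       : 000f-0055-0abc
  Port ID          : GigabitEthernet1/0/24
  System name      : lab-sw
  System capabilities enabled   : Bridge
  Management address            : 192.168.1.99
  Neighbor index   : 2
  Chassis type     : MAC address
  Chassis ID       : 000f-0055-0def
  System name      : phone-17
"""

HEADER = re.compile(r"^LLDP neighbor-information of port \d+\s*\[(.+?)\]:$")
FORWARDING = {"Repeater", "Bridge", "Router"}  # capability names listed in Table 1-2


def parse_neighbors(text):
    """Return one dict per neighbor entry, keyed by the field names of Table 1-2."""
    neighbors, port, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            port, current = header.group(1), None
            continue
        key, sep, value = line.partition(":")
        if not sep or port is None:
            continue  # not a "field : value" line, or text before any port header
        key, value = key.strip(), value.strip()
        if key == "Neighbor index":  # each neighbor entry starts with its index
            current = {"Local interface": port}
            neighbors.append(current)
        if current is not None:
            current[key] = value
    return neighbors


def audit_neighbors(neighbors, uplinks, known_chassis):
    """Flag neighbors that do not match the expected topology.

    LLDP is not authenticated, so every field is the neighbor's own claim:
    a mismatch is a reason to inspect the port, a match is not proof.
    """
    findings = []
    for n in neighbors:
        port = n["Local interface"]
        chassis = n.get("Chassis ID", "").lower()
        caps = {c.strip() for c in n.get("System capabilities enabled", "").split(",")}
        if chassis not in known_chassis:
            findings.append((port, chassis, "chassis ID not in inventory"))
        if caps & FORWARDING and port not in uplinks:
            findings.append((port, chassis, "forwarding device on non-uplink port"))
    return findings


if __name__ == "__main__":
    records = parse_neighbors(SAMPLE_OUTPUT)
    # Constructed expectations: one uplink port and two known devices.
    for finding in audit_neighbors(
        records,
        uplinks={"GigabitEthernet1/0/1"},
        known_chassis={"000f-0055-0002", "000f-0055-0def"},
    ):
        print(finding)
```
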

display lldp statistics

Syntax

display lldp statistics [ global | interface interface-type interface-number ]

View

Any view

Default level

1: Monitor level

Parameters

global: Displays the global LLDP statistics.


interface interface-type interface-number: Specifies a port by its type and number.

Description

Use the display lldp statistics command to display the global LLDP statistics or the LLDP statistics of
a port.
If no keyword/argument is specified, this command displays the global LLDP statistics as well as the
LLDP statistics of all ports.

Examples

# Display the global LLDP statistics as well as the LLDP statistics of all ports.
<Sysname> display lldp statistics
LLDP statistics global Information:
LLDP neighbor information last change time:0 days,0 hours,4 minutes,40 seconds
The number of LLDP neighbor information inserted : 1
The number of LLDP neighbor information deleted : 1
The number of LLDP neighbor information dropped : 0
The number of LLDP neighbor information aged out : 1
LLDP statistics information of port 1 [GigabitEthernet1/0/1]:
The number of LLDP frames transmitted : 0
The number of LLDP frames received : 0
The number of LLDP frames discarded : 0
The number of LLDP error frames : 0
The number of LLDP TLVs discarded : 0
The number of LLDP TLVs unrecognized : 0
The number of LLDP neighbor information aged out : 0
The number of CDP frames transmitted : 0
The number of CDP frames received : 0
The number of CDP frames discarded : 0
The number of CDP error frames : 0

Table 1-3 display lldp statistics command output description

Field: Description
LLDP statistics global information: Global LLDP statistics
LLDP neighbor information last change time: Time when the neighbor information was last updated
The number of LLDP neighbor information inserted: Number of times neighbor information was added
The number of LLDP neighbor information deleted: Number of times neighbor information was removed
The number of LLDP neighbor information dropped: Number of times neighbor information was dropped due to lack of available memory space
The number of LLDP neighbor information aged out: Number of the neighbor information entries that have aged out
LLDP statistics information of port 1: LLDP statistics of port 1
The number of LLDP frames transmitted: Total number of the LLDPDUs transmitted
The number of LLDP frames received: Total number of the LLDPDUs received
The number of LLDP frames discarded: Total number of the LLDPDUs dropped
The number of LLDP error frames: Total number of the LLDP error frames received
The number of LLDP TLVs discarded: Total number of the LLDP TLVs dropped
The number of LLDP TLVs unrecognized: Total number of the LLDP TLVs that cannot be recognized
The number of LLDP neighbor information aged out: Number of the LLDP neighbor information entries that have aged out
The number of CDP frames transmitted: Total number of the CDP frames transmitted
The number of CDP frames received: Total number of the CDP frames received
The number of CDP frames discarded: Total number of the CDP frames dropped
The number of CDP error frames: Total number of the CDP error frames received

display lldp status

Syntax

display lldp status [ interface interface-type interface-number ]

View

Any view

Default level

1: Monitor level

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

Description

Use the display lldp status command to display LLDP status information.
If no port is specified, this command displays the global LLDP status as well as the LLDP status
information of all ports.

Examples

# Display the global LLDP status as well as the LLDP status information of all ports.
<Sysname> display lldp status
Global status of LLDP: Enable
The current number of LLDP neighbors: 0
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days,0 hours,4 minutes,40 seconds
Transmit interval : 30s
Hold multiplier : 4
Reinit delay : 2s
Transmit delay : 2s
Trap interval : 5s
Fast start times : 3
Port 1 [GigabitEthernet1/0/1]:
Port status of LLDP : Enable
Admin status : Tx_Rx
Trap flag : No
Polling interval : 0s

Number of neighbors : 5
Number of MED neighbors : 2
Number of CDP neighbors : 0
Number of sent optional TLV : 12
Number of received unknown TLV : 5

Table 1-4 display lldp status command output description

Field: Description
Global status of LLDP: Indicates whether LLDP is globally enabled
The current number of LLDP neighbors: Total number of the LLDP neighbor devices
The current number of CDP neighbors: The current number of CDP neighbors
LLDP neighbor information last changed time: Time when the neighbor information was last updated
Transmit interval: LLDPDU transmit interval
Hold multiplier: TTL multiplier
Reinit delay: LLDP re-initialization delay
Transmit delay: LLDPDU transmit delay
Trap interval: Interval to send traps
Fast start times: Number of the LLDPDUs sent each time fast LLDPDU transmission is triggered
Port 1: LLDP status of port 1
Port status of LLDP: Indicates whether LLDP is enabled on the port.
Admin status: LLDP mode of the port, which can be:
  - TxRx. A port in this mode sends and receives LLDPDUs.
  - Rx_Only. A port in this mode receives LLDPDUs only.
  - Tx_Only. A port in this mode sends LLDPDUs only.
  - Disable. A port in this mode does not send or receive LLDPDUs.
Trap Flag: Indicates whether trap is enabled.
Polling interval: LLDP polling interval. A value of 0 indicates LLDP polling is disabled.
Number of neighbors: Number of the LLDP neighbors connecting to the port
Number of MED neighbors: Number of MED neighbors connecting to the port
Number of CDP neighbors: Number of the CDP neighbors connecting to the port
Number of sent optional TLV: Number of the optional TLVs contained in an LLDPDU sent through the port
Number of received unknown TLV: Number of the unknown TLVs contained in a received LLDPDU

display lldp tlv-config

Syntax

display lldp tlv-config [ interface interface-type interface-number ]

View

Any view

Default level

1: Monitor level

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

Description

Use the display lldp tlv-config command to display the types of advertisable optional LLDP TLVs of a
port.
If no port is specified, this command displays the types of advertisable optional TLVs of each port.

Examples

# Display the types of advertisable optional LLDP TLVs of each port.


<Sysname> display lldp tlv-config
LLDP tlv-config of port 1[GigabitEthernet1/0/1]:
NAME STATUS DEFAULT
Basic optional TLV:
Port Description TLV YES YES
System Name TLV YES YES
System Description TLV YES YES
System Capabilities TLV YES YES

Management Address TLV YES YES
IEEE 802.1 extend TLV:
Port VLAN ID TLV YES YES
Port And Protocol VLAN ID TLV YES YES
VLAN Name TLV YES YES
IEEE 802.3 extend TLV:
MAC-Physic TLV YES YES
Power via MDI TLV YES YES
Link Aggregation TLV YES YES
Maximum Frame Size TLV YES YES
LLDP-MED extend TLV:
Capabilities TLV YES YES
Network Policy TLV YES YES
Location Identification TLV NO NO
Extended Power via MDI TLV YES YES
Inventory TLV YES YES

Table 1-5 display lldp tlv-config command output description

Field: Description
LLDP tlv-config of port 1: Advertisable optional TLVs of port 1
NAME: TLV type
STATUS: Indicates whether TLVs of a specific type are currently sent through a port
DEFAULT: Indicates whether TLVs of a specific type are sent through a port by default
Basic optional TLV: Basic TLVs, including:
  - Port description TLV
  - System name TLV
  - System description TLV
  - System capabilities TLV
  - Management address TLV
IEEE 802.1 extended TLV: IEEE 802.1 organizationally specific TLVs, including:
  - Port VLAN ID TLV
  - Port and protocol VLAN ID TLV
  - VLAN name TLV
IEEE 802.3 extended TLV: IEEE 802.3 organizationally specific TLVs, including:
  - MAC-Physic TLV
  - Power via MDI TLV
  - Link aggregation TLV
  - Maximum frame size TLV
LLDP-MED extend TLV: LLDP-MED TLVs, including:
  - Capabilities TLV
  - Network Policy TLV
  - Extended Power-via-MDI TLV
  - Location Identification TLV
  - Inventory TLV, which can be hardware revision TLV, firmware revision TLV, software revision TLV, serial number TLV, manufacturer name TLV, model name TLV, and asset id TLV.

lldp admin-status

Syntax

lldp admin-status { disable | rx | tx | txrx }


undo lldp admin-status

View

Layer 2 Ethernet port view, port group view

Default level

2: System level

Parameters

disable: Specifies the Disable mode. A port in this mode does not send or receive LLDPDUs.
rx: Specifies the Rx mode. A port in this mode receives LLDPDUs only.
tx: Specifies the Tx mode. A port in this mode sends LLDPDUs only.
txrx: Specifies the TxRx mode. A port in this mode sends and receives LLDPDUs.

Description

Use the lldp admin-status command to specify the LLDP operating mode for a port or all the ports in a
port group.
Use the undo lldp admin-status command to restore the default LLDP operating mode.
The default LLDP operating mode is TxRx.

Examples

# Configure the LLDP operating mode as Rx for GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] lldp admin-status rx

lldp check-change-interval

Syntax

lldp check-change-interval interval


undo lldp check-change-interval

View

Layer 2 Ethernet port view, port group view

Default level

2: System level

Parameters

interval: LLDP polling interval to be set, in the range 1 to 30 (in seconds).

Description

Use the lldp check-change-interval command to enable LLDP polling and set the polling interval.
Use the undo lldp check-change-interval command to restore the default.
By default, LLDP polling is disabled.

Examples

# Enable LLDP polling on GigabitEthernet 1/0/1, setting the polling interval to 30 seconds.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] lldp check-change-interval 30

lldp compliance admin-status cdp

Syntax

lldp compliance admin-status cdp { disable | txrx }

View

Layer 2 Ethernet port view, port group view

Default level

2: System level

Parameters

disable: Specifies the disable mode, where CDP-compatible LLDP neither receives nor transmits CDP
packets.
txrx: Specifies the TxRx mode, where CDP-compatible LLDP can send and receive CDP packets.

Description

Use the lldp compliance admin-status cdp command to configure the operating mode of
CDP-compatible LLDP on a port or port group.
By default, CDP-compatible LLDP operates in disable mode.
To have your device work with Cisco IP phones, you must enable CDP-compatible LLDP globally and
then configure CDP-compatible LLDP to operate in TxRx mode on the specified port(s).
Related commands: lldp compliance cdp.

Examples

# Configure CDP-compatible LLDP to operate in TxRx mode on GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] lldp compliance admin-status cdp txrx

lldp compliance cdp

Syntax

lldp compliance cdp


undo lldp compliance cdp

View

System view

Default level

2: System level

Parameters

None

Description

Use the lldp compliance cdp command to enable CDP compatibility globally.
Use the undo lldp compliance cdp command to restore the default.
By default, CDP compatibility is disabled globally.
Note that, as the maximum TTL allowed by CDP is 255 seconds, your TTL configuration, namely, the
product of the TTL multiplier and the LLDPDU transmit interval, must be no more than 255 seconds for
CDP-compatible LLDP to work properly with Cisco IP phones.
Related commands: lldp hold-multiplier, lldp timer tx-interval.

Examples

# Enable LLDP to be compatible with CDP globally.


<Sysname> system-view
[Sysname] lldp compliance cdp

lldp enable

Syntax

lldp enable
undo lldp enable

View

System view, Layer 2 Ethernet port view, port group view

Default level

2: System level

Parameters

None

Description

Use the lldp enable command to enable LLDP.


Use the undo lldp enable command to disable LLDP.
By default, LLDP is disabled globally and enabled on a port.
Note that LLDP takes effect on a port only when LLDP is enabled both globally and on the port.

Examples

# Disable LLDP on GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo lldp enable

lldp encapsulation snap

Syntax

lldp encapsulation snap


undo lldp encapsulation

View

Layer 2 Ethernet port view, port group view

Default level

2: System level

Parameters

None

Description

Use the lldp encapsulation snap command to configure the encapsulation format for LLDPDUs as
SNAP on a port or a group of ports.
Use the undo lldp encapsulation command to restore the default encapsulation format for LLDPDUs.
By default, Ethernet II encapsulation applies.

The command does not apply to LLDP-CDP packets, which use only SNAP encapsulation.

Examples

# Configure the encapsulation format for LLDPDUs as SNAP on GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] lldp encapsulation snap

lldp fast-count

Syntax

lldp fast-count count


undo lldp fast-count

View

System view

Default level

2: System level

Parameters

count: Number of the LLDPDUs sent each time fast LLDPDU transmission is triggered. This argument
ranges from 1 to 10.

Description

Use the lldp fast-count command to set the number of the LLDPDUs sent each time fast LLDPDU
transmission is triggered.
Use the undo lldp fast-count command to restore the default.
By default, the number is 3.

Examples

# Configure the device to send four LLDPDUs each time fast LLDPDU transmission is triggered.
<Sysname> system-view
[Sysname] lldp fast-count 4

lldp hold-multiplier

Syntax

lldp hold-multiplier value


undo lldp hold-multiplier

View

System view

Default level

2: System level

Parameters

value: TTL multiplier, in the range 2 to 10.

Description

Use the lldp hold-multiplier command to set the TTL multiplier.


Use the undo lldp hold-multiplier command to restore the default.

The TTL multiplier defaults to 4.
You can set the TTL of the local device information by configuring the TTL multiplier.
The TTL of the information about a device is determined by the following expression:
TTL multiplier × LLDPDU transmit interval
Note that the TTL can be up to 65535 seconds. A TTL longer than 65535 seconds is limited to 65535
seconds.
Related commands: lldp timer tx-interval.

Examples

# Set the TTL multiplier to 6.


<Sysname> system-view
[Sysname] lldp hold-multiplier 6

lldp management-address-format string

Syntax

lldp management-address-format string


undo lldp management-address-format

View

Layer 2 Ethernet port view, port group view

Default level

2: System level

Parameters

None

Description

Use the lldp management-address-format string command to encapsulate the management
address in the form of strings in TLVs.
Use the undo lldp management-address-format command to restore the default.
By default, the management address is encapsulated in the form of numbers in TLVs.

Examples

# Configure GigabitEthernet 1/0/1 to encapsulate the management address in the form of strings in
management address TLVs.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] lldp management-address-format string

lldp management-address-tlv

Syntax

lldp management-address-tlv [ ip-address ]

undo lldp management-address-tlv

View

Layer 2 Ethernet port view, port group view

Default level

2: System level

Parameters

ip-address: Management address to be advertised in LLDPDUs.

Description

Use the lldp management-address-tlv command to enable management address advertising and set
the management address.
Use the undo lldp management-address-tlv command to disable management address advertising in
LLDPDUs.
By default, the management address is sent through LLDPDUs, and the management address is the
primary IP address of the VLAN with the smallest VLAN ID among the VLANs whose packets are
permitted on the port. If the primary IP address is not configured, the management address is 127.0.0.1.
Note that an LLDPDU carries only one management address TLV. If you set the management address
repeatedly, the latest one takes effect.

Examples

# Set the management address to 192.6.0.1 for GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] lldp management-address-tlv 192.6.0.1

lldp notification remote-change enable

Syntax

lldp notification remote-change enable


undo lldp notification remote-change enable

View

Layer 2 Ethernet port view, port group view

Default level

2: System level

Parameters

None

Description

Use the lldp notification remote-change enable command to enable LLDP trapping for a port or all
the ports in a port group.

Use the undo lldp notification remote-change enable command to restore the default.
By default, LLDP trapping is disabled on a port.

Examples

# Enable LLDP trapping for GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] lldp notification remote-change enable

lldp timer notification-interval

Syntax

lldp timer notification-interval interval


undo lldp timer notification-interval

View

System view

Default level

2: System level

Parameters

interval: Interval to send LLDP traps, in the range 5 to 3600 (in seconds).

Description

Use the lldp timer notification-interval command to set the interval to send LLDP traps.
Use the undo lldp timer notification-interval command to restore the default.
By default, the interval to send LLDP traps is 5 seconds.

Examples

# Set the interval to send LLDP traps to 8 seconds.


<Sysname> system-view
[Sysname] lldp timer notification-interval 8

lldp timer reinit-delay

Syntax

lldp timer reinit-delay delay


undo lldp timer reinit-delay

View

System view

Default level

2: System level

Parameters

delay: LLDP re-initialization delay to be set, in the range 1 to 10 (in seconds).

Description

Use the lldp timer reinit-delay command to set the LLDP re-initialization delay.
Use the undo lldp timer reinit-delay command to restore the default.
By default, the LLDP re-initialization delay is 2 seconds.

Examples

# Set the LLDP re-initialization delay to 4 seconds.


<Sysname> system-view
[Sysname] lldp timer reinit-delay 4

lldp timer tx-delay

Syntax

lldp timer tx-delay delay


undo lldp timer tx-delay

View

System view

Default level

2: System level

Parameters

delay: LLDPDU transmit delay, in the range 1 to 8192 (in seconds).

Description

Use the lldp timer tx-delay command to set the LLDPDU transmit delay.
Use the undo lldp timer tx-delay command to restore the default.
By default, the LLDPDU transmit delay is 2 seconds.

Examples

# Set the LLDPDU transmit delay to 4 seconds.


<Sysname> system-view
[Sysname] lldp timer tx-delay 4

lldp timer tx-interval

Syntax

lldp timer tx-interval interval


undo lldp timer tx-interval

View

System view

Default level

2: System level

Parameters

interval: LLDPDU transmit interval, in the range 5 to 32768 (in seconds).

Description

Use the lldp timer tx-interval command to set the LLDPDU transmit interval.
Use the undo lldp timer tx-interval command to restore the default.
By default, the LLDPDU transmit interval is 30 seconds.

Examples

# Set the LLDPDU transmit interval to 20 seconds.


<Sysname> system-view
[Sysname] lldp timer tx-interval 20

lldp tlv-enable

Syntax

lldp tlv-enable { basic-tlv { all | port-description | system-capability | system-description |
system-name } | dot1-tlv { all | port-vlan-id | protocol-vlan-id [ vlan-id ] | vlan-name [ vlan-id ] } |
dot3-tlv { all | link-aggregation | mac-physic | max-frame-size | power } | med-tlv { all | capability |
inventory | location-id { civic-address device-type country-code { ca-type ca-value }&<1-10> |
elin-address tel-number } | network-policy | power-over-ethernet } }

undo lldp tlv-enable { basic-tlv { all | port-description | system-capability | system-description |
system-name } | dot1-tlv { all | port-vlan-id | protocol-vlan-id | vlan-name } | dot3-tlv { all |
link-aggregation | mac-physic | max-frame-size | power } | med-tlv { all | capability | inventory |
location-id | network-policy | power-over-ethernet } }

View

Layer 2 Ethernet port view, port group view

Default level

2: System level

Parameters

all: Advertises all the basic LLDP TLVs, all the IEEE 802.1 organizationally specific LLDP TLVs, or all
the IEEE 802.3 organizationally specific LLDP TLVs when the all keyword is specified for basic-tlv,
dot1-tlv, or dot3-tlv; or advertises all the LLDP-MED TLVs except location identification TLVs when the
all keyword is specified for med-tlv.
basic-tlv: Advertises basic LLDP TLVs.
port-description: Advertises port description TLVs.

system-capability: Advertises system capabilities TLVs.
system-description: Advertises system description TLVs.
system-name: Advertises system name TLVs.
dot1-tlv: Advertises IEEE 802.1 organizationally specific LLDP TLVs.
port-vlan-id: Advertises port VLAN ID TLVs.
protocol-vlan-id: Advertises port and protocol VLAN ID TLVs.
vlan-name: Advertises VLAN name TLVs.
vlan-id: ID of the VLAN in the TLVs to be advertised. This argument ranges from 1 to 4094 and defaults
to the lowest VLAN ID on the port.
dot3-tlv: Advertises IEEE 802.3 organizationally specific LLDP TLVs.
link-aggregation: Advertises link aggregation TLVs.
mac-physic: Advertises MAC/PHY configuration/status TLVs.
max-frame-size: Advertises maximum frame size TLVs.
power: Advertises power via MDI TLVs.
med-tlv: Advertises LLDP-MED TLVs.
capability: Advertises LLDP-MED capabilities TLVs.
inventory: Advertises hardware revision TLVs, firmware revision TLVs, software revision TLVs, serial
number TLVs, manufacturer name TLVs, model name TLVs, and asset ID TLVs.
location-id: Advertises location identification TLVs.
civic-address: Inserts the normal address information about the network device in location
identification TLVs.
device-type: Device type value, in the range of 0 to 2. A value of 0 specifies DHCP server, a value of 1
specifies switch, and a value of 2 specifies LLDP-MED endpoint.
country-code: Country code, conforming to ISO 3166.
{ ca-type ca-value }&<1-10>: Configures address information, where ca-type represents the address
information type, in the range 0 to 255, ca-value represents address information, which is a string of 1 to
250 characters, and &<1-10> indicates that you can enter up to ten such parameters.
elin-address: Inserts emergency telephone numbers in location identification TLVs.
tel-number: Emergency telephone number, a string of 10 to 25 characters.
network-policy: Advertises network policy TLVs.
power-over-ethernet: Advertises extended power-via-MDI TLVs.

Description

Use the lldp tlv-enable command to configure the types of advertisable TLVs for a port or all the ports
in a port group.
Use the undo lldp tlv-enable command to disable the advertising of specific types of TLVs.
By default, all types of LLDP TLVs, except location identification TLVs, are advertisable on a Layer 2
Ethernet port.
Note that:
- To enable LLDP-MED TLV advertising, you must enable LLDP-MED capabilities TLV advertising
  first. Conversely, to disable LLDP-MED capabilities TLV advertising, you must disable the
  advertising of other LLDP-MED TLVs.
- To disable MAC/PHY configuration/status TLV advertising, you must disable LLDP-MED
  capabilities TLV advertising first.
- Enabling the advertising of LLDP-MED capabilities TLVs also enables the advertising of MAC/PHY
  configuration/status TLVs.
- Without specifying the all keyword, you can execute the lldp tlv-enable command repeatedly to
  specify to advertise multiple types of TLVs.

Examples

# Enable the advertising of link aggregation TLVs of the IEEE 802.3 organizationally specific TLVs on
GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] lldp tlv-enable dot3-tlv link-aggregation
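
The ordering notes above decide which undo commands succeed when you trim what a port advertises to its neighbors (the inventory TLVs, for instance, carry hardware, firmware and software revisions and serial numbers). The following is an added example, not part of the H3C manual or of device code: a small Python model built only from those notes that rejects out-of-order commands and plans a valid undo sequence. Function names are hypothetical, and the all keyword and the location-id arguments are not modelled.

```python
# Added model of the ordering notes above; not H3C code. TLV keywords are the
# ones in the Syntax section; function names are hypothetical.
GROUPS = {
    "basic-tlv": ["port-description", "system-capability",
                  "system-description", "system-name"],
    "dot1-tlv": ["port-vlan-id", "protocol-vlan-id", "vlan-name"],
    "dot3-tlv": ["link-aggregation", "mac-physic", "max-frame-size", "power"],
    "med-tlv": ["capability", "inventory", "location-id",
                "network-policy", "power-over-ethernet"],
}
MED_CAP = ("med-tlv", "capability")
MAC_PHY = ("dot3-tlv", "mac-physic")
LOCATION = ("med-tlv", "location-id")


def default_state():
    """Default per the Description: every TLV except location identification."""
    return {(g, t) for g, tlvs in GROUPS.items() for t in tlvs} - {LOCATION}


def other_med(state):
    """LLDP-MED TLVs currently advertised, capabilities TLV excluded."""
    return sorted(k for k in state if k[0] == "med-tlv" and k != MED_CAP)


def apply_command(state, command):
    """Return the TLV set after one command; ValueError if the notes forbid it."""
    words = command.split()
    undo = bool(words) and words[0] == "undo"
    words = words[1:] if undo else words
    if len(words) < 4 or words[:2] != ["lldp", "tlv-enable"]:
        raise ValueError(f"not an lldp tlv-enable command: {command!r}")
    key = (words[2], words[3])
    if key[1] not in GROUPS.get(key[0], []):
        raise ValueError(f"keyword not modelled: {command!r}")  # includes 'all'
    new = set(state)
    if undo:
        if key == MED_CAP and other_med(state):
            raise ValueError("disable the other LLDP-MED TLVs first")
        if key == MAC_PHY and MED_CAP in state:
            raise ValueError("disable the LLDP-MED capabilities TLV first")
        new.discard(key)
    else:
        if key[0] == "med-tlv" and key != MED_CAP and MED_CAP not in state:
            raise ValueError("enable the LLDP-MED capabilities TLV first")
        new.add(key)
        if key == MED_CAP:
            new.add(MAC_PHY)  # enabling capabilities also enables MAC/PHY
    return new


def plan_disable(state, targets):
    """Order undo commands so every prerequisite in the notes is met."""
    todo = set(targets) & set(state)
    if MAC_PHY in todo and MED_CAP in state:
        todo.add(MED_CAP)              # MAC/PHY cannot go while capabilities stay
    if MED_CAP in todo:
        todo.update(other_med(state))  # capabilities cannot go while other MED TLVs stay
    rank = lambda k: 2 if k == MAC_PHY else 1 if k == MED_CAP else 0
    commands = []
    for group, tlv in sorted(todo, key=lambda k: (rank(k), k)):
        command = f"undo lldp tlv-enable {group} {tlv}"
        state = apply_command(state, command)
        commands.append(command)
    return commands, state


if __name__ == "__main__":
    cmds, _ = plan_disable(default_state(),
                           [MAC_PHY, ("basic-tlv", "system-description")])
    print("\n".join(cmds))
```

The plan makes the side effect visible: under these notes, stopping MAC/PHY advertising on a default port means giving up every LLDP-MED TLV on that port as well.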

Table of Contents

1 VLAN Configuration Commands
    VLAN Configuration Commands
        description
        display interface vlan-interface
        display vlan
        interface vlan-interface
        ip address
        name
        shutdown
        vlan
    Port-Based VLAN Configuration Commands
        display port
        port
        port access vlan
        port hybrid pvid
        port hybrid vlan
        port link-type
        port trunk permit vlan
        port trunk pvid

2 Voice VLAN Configuration Commands
    Voice VLAN Configuration Commands
        display voice vlan oui
        display voice vlan state
        voice vlan aging
        voice vlan enable
        voice vlan mac-address
        voice vlan mode auto
        voice vlan security enable

1 VLAN Configuration Commands

VLAN Configuration Commands


description

Syntax

description text
undo description

View

VLAN view, VLAN interface view

Default Level

2: System level

Parameters

text: Description of a VLAN or VLAN interface. Currently, the device supports the following types of
characters or symbols: standard English characters (numbers and case-sensitive letters), special
English characters, spaces, and other characters or symbols that conform to the Unicode standard.
- For a VLAN, the description string contains 1 to 32 characters.
- For a VLAN interface, the description string contains 1 to 80 characters.

- A port description can be the mixture of English characters and other Unicode characters. The
  mixed description cannot exceed the specified length.
- To use a type of Unicode characters or symbols in a port description, you need to install the
  corresponding Input Method Editor (IME) and log in to the device through remote login software
  that supports this character type.
- Each Unicode character or symbol (non-English characters) takes the space of two regular
  characters. When the length of a description string reaches or exceeds the maximum line width on
  the terminal software, the software starts a new line, possibly breaking a Unicode character into
  two parts. As a result, garbled characters may be displayed at the end of a line.

Case-sensitive string that describes the current VLAN or VLAN interface. Spaces can be included in the
description.
- For a VLAN, this is a string of 1 to 32 characters.
- For a VLAN interface, this is a string of 1 to 80 characters.

Description

Use the description command to configure the description of the current VLAN or VLAN interface.
Use the undo description command to restore the default.
For a VLAN, the default description is the VLAN ID, for example, VLAN 0001; for a VLAN interface, the
default description is the name of the interface, for example, Vlan-interface 1 Interface.
You can configure a description to describe the function or connection of a VLAN or VLAN interface for
ease of management.

Examples

# Configure the description of VLAN 1 as RESEARCH.


<Sysname> system-view
[Sysname] vlan 1
[Sysname-vlan1] description RESEARCH

# Configure the description of VLAN-interface 2 as VLAN-INTERFACE-2.


<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] quit
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] description VLAN-INTERFACE-2

display interface vlan-interface

Syntax

display interface vlan-interface [ vlan-interface-id ]

View

Any view

Default Level

1: Monitor level

Parameters

vlan-interface-id: VLAN interface number.

Description

Use the display interface vlan-interface command to display information about a specified or all
VLAN interfaces if no interface is specified.
Related commands: interface vlan-interface.

Examples

# Display the information of VLAN-interface 2.


<Sysname> display interface vlan-interface 2
Vlan-interface2 current state: DOWN
Line protocol current state: DOWN
Description: Vlan-interface2 Interface
The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-e249-8050
Last clearing of counters: Never
Last 300 seconds input: 0 bytes/sec 0 packets/sec
Last 300 seconds output: 0 bytes/sec 0 packets/sec
0 packets input, 0 bytes, 0 drops
0 packets output, 0 bytes, 0 drops

Table 1-1 display interface vlan-interface command output description

Field | Description
Vlan-interface2 current state | The physical state of the VLAN interface, which can be one of the following: DOWN ( Administratively ): The administrative state of the VLAN interface is down because it has been manually shut down with the shutdown command. DOWN: The administrative state of this VLAN interface is up, but its physical state is down. It indicates that the VLAN corresponding to this interface does not contain any port in the UP state (possibly because the ports are not physically connected or the lines have failed). UP: Both the administrative state and the physical state of this VLAN interface are up.
Line protocol current state | The link layer protocol state of a VLAN interface, which can be one of the following: DOWN: The protocol state of this VLAN interface is down, usually because no IP address is configured. UP: The protocol state of this VLAN interface is up.
Description | The description string of a VLAN interface
The Maximum Transmit Unit | The MTU of a VLAN interface
Internet protocol processing : | IP packets processing ability. Disabled indicates that the interface is not configured with an IP address.
IP Packet Frame Type | IPv4 outgoing frame format
Hardware address | MAC address corresponding to a VLAN interface
Last 300 seconds input: 0 bytes/sec 0 packets/sec; Last 300 seconds output: 0 bytes/sec 0 packets/sec | Average rate of input packets and output packets in the last 300 seconds (in bps and pps)
0 packets input, 0 bytes, 0 drops | Total number and size (in bytes) of the received packets of the interface and the number of the dropped packets
0 packets output, 0 bytes, 0 drops | Total number and size (in bytes) of the transmitted packets of the interface and the number of the dropped packets

display vlan

Syntax

display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved | static ]

View

Any view

Default Level

1: Monitor level

Parameters

vlan-id1: Displays the information of a VLAN specified by VLAN ID in the range of 1 to 4094.
vlan-id1 to vlan-id2: Displays the information of a range of VLANs specified by a VLAN ID range.
all: Displays all current VLAN information except for the reserved VLANs.
dynamic: Displays the number of dynamic VLANs and the ID of each dynamic VLAN. Dynamic VLANs
refer to VLANs that are generated through GVRP or those distributed by a RADIUS server.
reserved: Displays information of the reserved VLANs. Protocol modules determine which VLANs are
reserved VLANs according to function implementation, and reserved VLANs serve protocol modules.
You cannot do any configuration on reserved VLANs.
static: Displays the number of static VLANs and the ID of each static VLAN. Static VLANs refer to
VLANs manually created.

Description

Use the display vlan command to display VLAN information.


Related commands: vlan.

Examples

# Display VLAN 2 information.


<Sysname> display vlan 2
VLAN ID: 2
VLAN Type: static
Route interface: not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged Ports: none
Untagged Ports:
GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3

# Display VLAN 3 information.


<Sysname> display vlan 3
VLAN ID: 3
VLAN Type: static
Route Interface: configured
IP Address: 1.1.1.1
Subnet Mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: none
Untagged Ports: none

Table 1-2 display vlan command output description

Field | Description
VLAN Type | VLAN type (static or dynamic)
Route interface | Whether a VLAN interface is configured for the VLAN: not configured or configured
Description | Description of the VLAN
Name | Name configured for the VLAN
IP Address | Primary IP address of the VLAN interface (available only on a VLAN interface configured with an IP address). You can use the display interface vlan-interface command in any view or the display this command in VLAN interface view to display its secondary IP address(es), if any.
Subnet Mask | Subnet mask of the primary IP address (available only on a VLAN interface configured with an IP address)
Tagged Ports | Ports through which packets of the VLAN are sent tagged
Untagged Ports | Ports through which packets of the VLAN are sent untagged

interface vlan-interface

Syntax

interface vlan-interface vlan-interface-id


undo interface vlan-interface vlan-interface-id

View

System view

Default Level

2: System level

Parameters

vlan-interface-id: VLAN interface number, in the range of 1 to 4094.

Description

Use the interface vlan-interface command to create a VLAN interface and enter its view or enter the
view of an existing VLAN interface.
Before you can create the VLAN interface of a VLAN, create the VLAN first.
Use the undo interface vlan-interface command to remove the specified VLAN interface.
You can use the ip address command in VLAN interface view to configure an IP address for a VLAN
interface to perform IP routing.
Related commands: display interface Vlan-interface.

Examples

# Create VLAN-interface 2.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] quit
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2]

ip address

Syntax

ip address ip-address { mask | mask-length }


undo ip address [ ip-address { mask | mask-length } ]

View

VLAN interface view

Default Level

2: System level

Parameters

ip-address: IP address to be assigned to the current VLAN interface, in dotted decimal format.
mask: Subnet mask in dotted decimal notation.
mask-length: Subnet mask length, the number of consecutive ones in the mask. The value range is 0 to
32.

Description

Use the ip address command to assign an IP address and subnet mask to a VLAN interface.
Use the undo ip address command to remove the IP address and subnet mask for a VLAN interface.
By default, no IP address is assigned to any VLAN interface.
Related commands: display ip interface (IP Address Commands).

Examples

# Specify the IP address as 1.1.0.1, the subnet mask as 255.255.255.0 for VLAN-interface 1.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 1.1.0.1 255.255.255.0

name

Syntax

name text
undo name

View

VLAN view

Default Level

2: System level

Parameters

text: VLAN name, a string of 1 to 32 characters. Spaces and special characters can be included in the
name.

Description

Use the name command to configure a name for the current VLAN.
Use the undo name command to restore the default name of the VLAN.
The default name of a VLAN is its VLAN ID, VLAN 0001 for example.
When 802.1X or MAC address authentication is configured on a switch, you can use a RADIUS server
to issue VLAN configuration to ports that have passed the authentication. Some servers can send IDs
or names of the issued VLANs to the switch. When there are a large number of VLANs, you can use
VLAN names rather than VLAN IDs to better locate VLANs.

Examples

# Configure the name of VLAN 2 as test vlan.


<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] name test vlan

shutdown

Syntax

shutdown
undo shutdown

View

VLAN interface view

Default Level

2: System level

Parameters

None

Description

Use the shutdown command to shut down a VLAN interface.


Use the undo shutdown command to bring up a VLAN interface.
By default, a VLAN interface is up except when all ports in the VLAN are down.
You can use the undo shutdown command to bring up a VLAN interface after configuring related
parameters and protocols for the VLAN interface. When a VLAN interface fails, you can shut down the
interface with the shutdown command and then bring it up with the undo shutdown command. In this
way, the interface may resume.

The state of any Ethernet port in a VLAN is independent of the VLAN interface state.

Examples

# Shut down VLAN interface 2 and then bring it up.


<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] shutdown
[Sysname-Vlan-interface2] undo shutdown

vlan

Syntax

vlan { vlan-id1 [ to vlan-id2 ] }


undo vlan { vlan-id1 [ to vlan-id2 ] | all }

View

System view

Default Level

2: System level

Parameters

vlan-id1, vlan-id2: VLAN ID, in the range 1 to 4094.


vlan-id1 to vlan-id2: Specifies a VLAN range. A VLAN ID is in the range 1 to 4094.
all: Creates or removes all VLANs except reserved VLANs.

Description

Use the vlan vlan-id command to create a VLAN and enter its view or enter the view of an existing
VLAN.
Use the vlan vlan-id1 to vlan-id2 command to create a range of VLANs specified by vlan-id1 to vlan-id2,
except reserved VLANs.
Use the undo vlan command to remove the specified VLAN(s).

- As the default VLAN, VLAN 1 cannot be created or removed.
- You cannot create/remove reserved VLANs reserved for specific functions.
- You cannot use the undo vlan command to directly remove reserved VLANs, voice VLANs,
  management VLANs, dynamic VLANs, VLANs configured with QoS policies, control VLANs
  configured for port mirroring. To remove these VLANs, you need to first remove related
  configurations.

Related commands: display vlan.

Examples

# Enter VLAN 2 view.


<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2]

# Create VLAN 4 through VLAN 100.


<Sysname> system-view
[Sysname] vlan 4 to 100
Please wait............. Done.

Port-Based VLAN Configuration Commands


display port

Syntax

display port { hybrid | trunk }

View

Any view

Default Level

1: Monitor level

Parameters

hybrid: Displays hybrid ports.


trunk: Displays trunk ports.

Description

Use the display port command to display information about the hybrid or trunk ports on the device,
including the port names, default VLAN IDs, and allowed VLAN IDs.

Examples

# Display information about the hybrid ports in the system.


<Sysname> display port hybrid
Interface PVID VLAN passing
GE1/0/4 100 Tagged: 1000, 1002, 1500, 1600-1611, 2000,
2555-2558, 3000, 4000
Untagged:1, 10, 15, 18, 20-30, 44, 55, 67, 100,
150-160, 200, 255, 286, 300-302

# Display information about the trunk ports in the system.


<Sysname> display port trunk
Interface PVID VLAN passing
GE1/0/8 2 1-4, 6-100, 145, 177, 189-200, 244, 289, 400,
555, 600-611, 1000, 2006-2008

Table 1-3 display port command output description

Field | Description
Interface | Port name
PVID | Default VLAN ID of the port
VLAN passing | VLANs whose packets are allowed to pass through the port.
Tagged | VLANs whose packets are required to pass through the port tagged.
Untagged | VLANs whose packets are required to pass through the port untagged.

port

Syntax

port interface-list
undo port interface-list

View

VLAN view

Default Level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list or Layer 2 aggregate interface list, in the format of
interface-list = { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where
&<1-10> indicates that you can specify up to 10 ports or port ranges.

Description

Use the port command to assign the specified access port(s) to the current VLAN.
Use the undo port command to remove the specified access port(s) from the current VLAN.
By default, all ports are in VLAN 1.
Note that:
- This command is only applicable on access ports.
- All ports are access ports by default. However, you can manually configure the port type. For more
  information, refer to port link-type.
- If you use this command to assign a Layer 2 aggregate interface to a VLAN, this command assigns
  the Layer 2 aggregate interface but not its member ports to the current VLAN. For detailed
  information about Layer 2 aggregate interfaces, refer to Link Aggregation Configuration.
Related commands: display vlan.

Examples

# Assign GigabitEthernet1/0/1 through GigabitEthernet1/0/3 to VLAN 2.


<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] port gigabitethernet 1/0/1 to gigabitethernet 1/0/3

# Assign Layer 2 aggregate interface Bridge-aggregation 1 to VLAN 2.


<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] port bridge-aggregation 1

port access vlan

Syntax

port access vlan vlan-id


undo port access vlan

View

Ethernet interface view, port group view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

vlan-id: VLAN ID, in the range of 1 to 4094. Be sure that the VLAN specified by the VLAN ID already
exists.

Description

Use the port access vlan command to assign the current access port(s) to the specified VLAN.
Use the undo port access vlan command to restore the default.
By default, all access ports belong to VLAN 1.
You can assign an access port to only one VLAN. When doing that, note the following:
- In port group view, this command applies to all ports in the port group. For information about port
  groups, refer to Ethernet Interface Configuration.
- In Layer 2 aggregate interface view, this command applies to the Layer 2 aggregate interface and
  all its member ports. After you perform the configuration, the system starts applying the
  configuration to the aggregate interface and its aggregation member ports. If the system fails to do
  that on the aggregate interface, it stops applying the configuration to the aggregation member ports.
  If it fails to do that on an aggregation member port, it simply skips the port and moves to the next
  port. For information about Layer 2 aggregate interfaces, refer to Link Aggregation Configuration.

Examples

# Assign GigabitEthernet1/0/1 to VLAN 3.


<Sysname> system-view
[Sysname] vlan 3
[Sysname-vlan3] quit
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port access vlan 3

# Assign Layer 2 aggregate interface Bridge-aggregation 1 and its member ports to VLAN 3.
<Sysname> system-view
[Sysname] vlan 3
[Sysname-vlan3] quit
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] port access vlan 3

port hybrid pvid

Syntax

port hybrid pvid vlan vlan-id


undo port hybrid pvid

View

Ethernet interface view, port group view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

vlan-id: VLAN ID, in the range of 1 to 4094.

Description

Use the port hybrid pvid command to configure the default VLAN ID of the hybrid port.
Use the undo port hybrid pvid command to restore the default.
By default, the default VLAN of a hybrid port is VLAN 1.
You can use a nonexistent VLAN as the default VLAN for a hybrid port. Removing the default VLAN of a
hybrid port with the undo vlan command does not affect the setting of the default VLAN on the port.
- In port group view, this command applies to all ports in the port group. For information about port
  groups, refer to Ethernet Interface Configuration.
- In Layer 2 aggregate interface view, this command applies to the Layer 2 aggregate interface and
  all its member ports. After you perform the configuration, the system starts applying the
  configuration to the aggregate interface and its aggregation member ports. If the system fails to do
  that on the aggregate interface, it stops applying the configuration to the aggregation member ports.
  If it fails to do that on an aggregation member port, it simply skips the port and moves to the next
  port. For information about Layer 2 aggregate interfaces, refer to Link Aggregation Configuration.
- It is recommended that you set the same default VLAN ID for the local and remote hybrid ports.
- After configuring the default VLAN for a hybrid port, you must use the port hybrid vlan command
  to configure the hybrid port to allow packets from the default VLAN to pass through, so that the port
  can forward packets from the default VLAN.
Related commands: port link-type, port hybrid vlan.

Examples

# Configure VLAN 100 as the default VLAN of the hybrid port GigabitEthernet1/0/1.
<Sysname> system-view
[Sysname] vlan 100
[Sysname-vlan100] quit
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type hybrid
[Sysname-GigabitEthernet1/0/1] port hybrid pvid vlan 100

# Configure VLAN 100 as the default VLAN of the hybrid Layer 2 aggregate interface
Bridge-aggregation 1.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] port link-type hybrid
[Sysname-Bridge-Aggregation1] port hybrid pvid vlan 100
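
The note above says a hybrid port forwards default-VLAN packets only if that VLAN is also permitted with port hybrid vlan. The following added example (not from the H3C manual) parses display port hybrid and display port trunk output in the layout printed in the display port section, reports ports whose PVID is missing from the VLAN passing list, and lists VLANs a port carries beyond a per-port allow-list. Port GE1/0/5 and the allow-list policy are constructed for illustration, and the function names are hypothetical.

```python
import re

# Interface line: "<name> <PVID> <start of VLAN list>"; other lines continue the list.
PORT_LINE = re.compile(r"^([A-Za-z][A-Za-z-]*\d+(?:/\d+)*)\s+(\d+)\s*(.*)$")
LABEL = re.compile(r"(Tagged|Untagged)\s*:")

# GE1/0/4 and GE1/0/8 are the outputs printed in this chapter; GE1/0/5 is constructed.
SAMPLE = """\
Interface PVID VLAN passing
GE1/0/4 100 Tagged: 1000, 1002, 1500, 1600-1611, 2000,
2555-2558, 3000, 4000
Untagged:1, 10, 15, 18, 20-30, 44, 55, 67, 100,
150-160, 200, 255, 286, 300-302
GE1/0/5 200 Tagged: 10, 20
Untagged:1
Interface PVID VLAN passing
GE1/0/8 2 1-4, 6-100, 145, 177, 189-200, 244, 289, 400,
555, 600-611, 1000, 2006-2008
"""


def expand(text):
    """Turn '1, 20-30, 44,' into a set of VLAN IDs."""
    vlans = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue  # trailing comma before a wrapped line
        first, _, last = token.partition("-")
        lo, hi = int(first), int(last or first)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN token {token!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def compress(vlans):
    """Render VLAN IDs the way the switch prints them: '1-4, 6'."""
    out, start, prev = [], None, None
    for v in sorted(vlans):
        if start is not None and v == prev + 1:
            prev = v
            continue
        if start is not None:
            out.append(str(start) if start == prev else f"{start}-{prev}")
        start = prev = v
    if start is not None:
        out.append(str(start) if start == prev else f"{start}-{prev}")
    return ", ".join(out)


def parse_display_port(output):
    """Map interface -> {'pvid', 'tagged', 'untagged', 'passing'} (sets of IDs)."""
    ports, current, bucket = {}, None, "passing"
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Interface", "<")):
            continue  # blank line, column header, or CLI prompt
        match = PORT_LINE.match(line)
        if match:
            current = {"pvid": int(match.group(2)), "tagged": set(),
                       "untagged": set(), "passing": set()}
            ports[match.group(1)] = current
            bucket, line = "passing", match.group(3)  # trunk lists carry no label
        if current is None:
            continue
        parts = LABEL.split(line)
        current[bucket] |= expand(parts[0])
        for label, body in zip(parts[1::2], parts[2::2]):
            bucket = label.lower()
            current[bucket] |= expand(body)
    return ports


def audit(ports, policy=None):
    """Return (interface, finding) pairs; policy maps interface -> allowed IDs."""
    findings = []
    for name, port in sorted(ports.items()):
        allowed = port["tagged"] | port["untagged"] | port["passing"]
        if port["pvid"] not in allowed:
            findings.append((name, f"PVID {port['pvid']} is not in the VLAN passing list"))
        extra = allowed - policy[name] if policy and name in policy else set()
        if extra:
            findings.append((name, "VLANs beyond policy: " + compress(extra)))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_display_port(SAMPLE),
                               {"GE1/0/8": set(range(1, 101))}):
        print(f"{name}: {finding}")
```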

port hybrid vlan

Syntax

port hybrid vlan vlan-id-list { tagged | untagged }


undo port hybrid vlan vlan-id-list

View

Ethernet interface view, port group view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

vlan-id-list: VLANs that the hybrid ports will be assigned to. This argument is expressed in the format of
[ vlan-id1 [ to vlan-id2 ] ]&<1-10>, where vlan-id ranges from 1 to 4094 and &<1-10> indicates that you
can specify up to 10 VLAN IDs or VLAN ID ranges. Be sure that the specified VLANs already exist.
tagged: Configures the port(s) to send the packets of the specified VLAN(s) with the tags kept.
untagged: Configures the port to send the packets of the specified VLAN(s) with the tags removed.

Description

Use the port hybrid vlan command to assign the current hybrid port(s) to the specified VLAN(s).
Use the undo port hybrid vlan command to remove the current hybrid port(s) from the specified
VLAN(s).
By default, a hybrid port only allows packets from VLAN 1 to pass through untagged.
A hybrid port can carry multiple VLANs. If you execute the port hybrid vlan command multiple times,
the VLANs the hybrid port carries are the set of VLANs specified by vlan-id-list in each execution.
- In port group view, this command applies to all ports in the port group. For information about port
  groups, refer to Ethernet Interface Configuration.
- In Layer 2 aggregate interface view, this command applies to the Layer 2 aggregate interface and
  all its member ports. After you perform the configuration, the system starts applying the
  configuration to the aggregate interface and its aggregation member ports. If the system fails to do
  that on the aggregate interface, it stops applying the configuration to the aggregation member ports.
  If it fails to do that on an aggregation member port, it simply skips the port and moves to the next
  port. For information about Layer 2 aggregate interfaces, refer to Link Aggregation Configuration.
Related commands: port link-type.

Examples

# Assign the hybrid port GigabitEthernet1/0/1 to VLAN 2, VLAN 4, and VLAN 50 through VLAN 100, and
configure GigabitEthernet1/0/1 to send packets of these VLANs with tags kept.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type hybrid
[Sysname-GigabitEthernet1/0/1] port hybrid vlan 2 4 50 to 100 tagged

# Assign hybrid ports in port group 2 to VLAN 2, and configure these hybrid ports to send packets of
VLAN 2 with VLAN tags removed.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] quit
[Sysname] port-group manual 2
[Sysname-port-group-manual-2] group-member gigabitethernet 1/0/1 to gigabitethernet 1/0/6
[Sysname-port-group-manual-2] port link-type hybrid
[Sysname-port-group-manual-2] port hybrid vlan 2 untagged
Configuring GigabitEthernet1/0/1... Done.
Configuring GigabitEthernet1/0/2... Done.
Configuring GigabitEthernet1/0/3... Done.
Configuring GigabitEthernet1/0/4... Done.
Configuring GigabitEthernet1/0/5... Done.
Configuring GigabitEthernet1/0/6... Done.

# Assign the hybrid Layer 2 aggregate interface Bridge-aggregation 1 and its member ports to VLAN 2,
and configure them to send packets of VLAN 2 with tags removed.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] port link-type hybrid
[Sysname-Bridge-Aggregation1] port hybrid vlan 2 untagged
Please wait... Done.
Configuring GigabitEthernet1/0/2... Done.
Configuring GigabitEthernet1/0/3... Done.

Note that GigabitEthernet1/0/2 and GigabitEthernet1/0/3 are the member ports of the aggregation
group corresponding to Bridge-aggregation 1.

port link-type

Syntax

port link-type { access | hybrid | trunk }


undo port link-type

View

Ethernet interface view, port group view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

access: Configures the link type of a port as access.


hybrid: Configures the link type of a port as hybrid.
trunk: Configures the link type of a port as trunk.

Description

Use the port link-type command to configure the link type of a port.
Use the undo port link-type command to restore the default link type of a port.
By default, any port is an access port.
• In port group view, this command applies to all ports in the port group. For information about port
  groups, refer to Ethernet Interface Configuration.
• In Layer 2 aggregate interface view, this command applies to the Layer 2 aggregate interface and
  all its member ports. After you perform the configuration, the system starts applying the
  configuration to the aggregate interface and its aggregation member ports. If the system fails to do
  that on the aggregate interface, it stops applying the configuration to the aggregation member ports.
  If it fails to do that on an aggregation member port, it simply skips the port and moves to the next
  port. For information about Layer 2 aggregate interfaces, refer to Link Aggregation Configuration.

To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access
first.

Examples

# Configure GigabitEthernet1/0/1 as a trunk port.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type trunk

# Configure all the ports in the manual port group group1 as hybrid ports.
<Sysname> system-view
[Sysname] port-group manual group1
[Sysname-port-group manual group1] group-member gigabitethernet 1/0/10
[Sysname-port-group manual group1] group-member gigabitethernet 1/0/11
[Sysname-port-group manual group1] port link-type hybrid

# Configure Layer 2 aggregate interface Bridge-aggregation 1 and its member ports as hybrid ports.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] port link-type hybrid

port trunk permit vlan

Syntax

port trunk permit vlan { vlan-id-list | all }


undo port trunk permit vlan { vlan-id-list | all }

View

Ethernet interface view, port group view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

vlan-id-list: VLANs that the trunk port(s) will be assigned to. This argument is expressed in the format of
[vlan-id1 [ to vlan-id2 ] ]&<1-10>, where vlan-id ranges from 1 to 4094 and &<1-10> indicates that you
can specify up to 10 VLAN IDs or VLAN ID ranges.
all: Permits all VLANs to pass through the trunk port(s). On GVRP-enabled trunk ports, you must
configure the port trunk permit vlan all command to ensure that the traffic of all dynamically registered
VLANs can pass through. However, when GVRP is disabled on a port, you are discouraged from
configuring the command on the port. This is to prevent users of unauthorized VLANs from accessing
restricted resources through the port.

Description

Use the port trunk permit vlan command to assign the current trunk port(s) to the specified VLAN(s).
Use the undo port trunk permit vlan command to remove the trunk port(s) from the specified VLANs.
By default, a trunk port allows only packets from VLAN 1 to pass through.
A trunk port can carry multiple VLANs. If you execute the port trunk permit vlan command multiple
times, the VLANs the trunk port carries are the set of VLANs specified by vlan-id-list in each execution.
Note that on a trunk port, only traffic of the default VLAN can pass through untagged.
• In port group view, this command applies to all ports in the port group. For information about port
  groups, refer to Ethernet Interface Configuration.
• In Layer 2 aggregate interface view, this command applies to the Layer 2 aggregate interface and
  all its member ports. After you perform the configuration, the system starts applying the
  configuration to the aggregate interface and its aggregation member ports. If the system fails to do
  that on the aggregate interface, it stops applying the configuration to the aggregation member ports.
  If it fails to do that on an aggregation member port, it simply skips the port and moves to the next
  port. For information about Layer 2 aggregate interfaces, refer to Link Aggregation Configuration.
Related commands: port link-type.

Examples

# Assign the trunk port GigabitEthernet1/0/1 to VLAN 2, VLAN 4, and VLAN 50 through VLAN 100.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type trunk
[Sysname-GigabitEthernet1/0/1] port trunk permit vlan 2 4 50 to 100
Please wait........... Done.

# Assign the trunk Layer 2 aggregate interface Bridge-aggregation 1 to VLAN 2, assuming that
Bridge-aggregation 1 does not have member ports.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] port link-type trunk
[Sysname-Bridge-Aggregation1] port trunk permit vlan 2
Please wait... Done.

# Assign the trunk Layer 2 aggregate interface Bridge-aggregation 1 to VLAN 13 and VLAN 15.
Among the member ports of the aggregation group corresponding to Bridge-aggregation 1,
GigabitEthernet1/0/2 is an access port, and GigabitEthernet1/0/3 is a trunk port.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] port link-type trunk
[Sysname-Bridge-Aggregation1] port trunk permit vlan 13 15
Please wait... Done.
Error: Failed to configure on interface GigabitEthernet1/0/2! This port is not a Trunk port!
Configuring GigabitEthernet1/0/3... Done.

Among the output fields above, the message “Please wait... Done” indicates that the configuration on
Bridge-aggregation 1 succeeded; “Error: Failed to configure on interface GigabitEthernet1/0/2! This
port is not a Trunk port!” indicates that the configuration failed on GigabitEthernet1/0/2 because
GigabitEthernet1/0/2 was not a trunk port; “Configuring GigabitEthernet1/0/3... Done” indicates that the
configuration on GigabitEthernet1/0/3 succeeded.

port trunk pvid

Syntax

port trunk pvid vlan vlan-id


undo port trunk pvid

View

Ethernet interface view, port group view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

vlan-id: VLAN ID, in the range of 1 to 4094.

Description

Use the port trunk pvid command to configure the default VLAN ID for the trunk port.
Use the undo port trunk pvid command to restore the default.
By default, the default VLAN of a trunk port is VLAN 1.
You can use a nonexistent VLAN as the default VLAN for a trunk port. Removing the default VLAN of a
trunk port with the undo vlan command does not affect the setting of the default VLAN on the port.

• In port group view, this command applies to all ports in the port group. For information about port
  groups, refer to Ethernet Interface Configuration.
• In Layer 2 aggregate interface view, this command applies to the Layer 2 aggregate interface and
  all its member ports. After you perform the configuration, the system starts applying the
  configuration to the aggregate interface and its aggregation member ports. If the system fails to do
  that on the aggregate interface, it stops applying the configuration to the aggregation member ports.
  If it fails to do that on an aggregation member port, it simply skips the port and moves to the next
  port. For information about Layer 2 aggregate interfaces, refer to Link Aggregation Configuration.
• The local and remote trunk ports must use the same default VLAN ID for the traffic of the default
  VLAN to be transmitted properly.
• After configuring the default VLAN for a trunk port, you must use the port trunk permit vlan
  command to configure the trunk port to allow packets from the default VLAN to pass through, so
  that the port can forward packets from the default VLAN.
Related commands: port link-type, port trunk permit vlan.

Examples

# Configure VLAN 100 as the default VLAN of the trunk port GigabitEthernet1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type trunk
[Sysname-GigabitEthernet1/0/1] port trunk pvid vlan 100

# Configure VLAN 100 as the default VLAN of the trunk Layer 2 aggregate interface
Bridge-aggregation 1, assuming Bridge-aggregation 1 does not have member ports.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] port link-type trunk
[Sysname-Bridge-Aggregation1] port trunk pvid vlan 100

# Configure VLAN 100 as the default VLAN of the trunk Layer 2 aggregate interface
Bridge-aggregation 1. Among the member ports of the aggregation group corresponding to
Bridge-aggregation 1, GigabitEthernet1/0/2 is an access port and GigabitEthernet1/0/3 is a trunk port.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] port link-type trunk
[Sysname-Bridge-Aggregation1] port trunk pvid vlan 100
Error: Failed to configure on interface GigabitEthernet1/0/2! This port is not a Trunk port!

The output above shows that the configuration on Bridge-aggregation 1 and the member port
GigabitEthernet1/0/3 succeeded; the configuration on GigabitEthernet1/0/2 failed because
GigabitEthernet1/0/2 was not a trunk port.
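
The following check is an added example, not code from the H3C manual. It models the port trunk permit vlan and port trunk pvid rules described above for one trunk port: it expands vlan-id-list, accumulates the permitted set across executions, and reports a default VLAN that is not permitted or a permit vlan all on a port without GVRP. The function names, finding codes and the gvrp_enabled parameter are assumptions of this example.

```python
import re

VLAN_MIN, VLAN_MAX, MAX_ITEMS = 1, 4094, 10   # ranges stated in the Parameters sections

PERMIT = re.compile(r"^(undo )?port trunk permit vlan (.+)$")
PVID = re.compile(r"^port trunk pvid vlan (\S+)$")


def vlan_id(token):
    """Convert one token to a VLAN ID in the documented range 1 to 4094."""
    if not token.isdigit() or not VLAN_MIN <= int(token) <= VLAN_MAX:
        raise ValueError(f"invalid VLAN ID: {token!r}")
    return int(token)


def parse_vlan_id_list(text):
    """Expand a vlan-id-list such as '2 4 50 to 100' into a set of VLAN IDs."""
    tokens = text.split()
    vlans, items, i = set(), 0, 0
    while i < len(tokens):
        start = end = vlan_id(tokens[i])
        if i + 1 < len(tokens) and tokens[i + 1] == "to":
            if i + 2 >= len(tokens):
                raise ValueError("'to' must be followed by a VLAN ID")
            end = vlan_id(tokens[i + 2])
            if end < start:   # assumption: vlan-id2 may not be smaller than vlan-id1
                raise ValueError(f"descending range: {start} to {end}")
            i += 3
        else:
            i += 1
        items += 1
        if items > MAX_ITEMS:   # &<1-10>: at most 10 IDs or ranges per command
            raise ValueError("more than 10 VLAN IDs or ranges")
        vlans.update(range(start, end + 1))
    if not vlans:
        raise ValueError("empty vlan-id-list")
    return vlans


def audit_trunk(commands, gvrp_enabled=False):
    """Replay the interface-view commands of one trunk port and report findings."""
    permitted = {1}   # default: a trunk port allows only VLAN 1
    pvid = 1          # default VLAN of a trunk port is VLAN 1
    permit_all = False
    for line in commands:
        cmd = " ".join(line.split())
        m = PERMIT.match(cmd)
        if m:
            undo, arg = m.group(1), m.group(2)
            if arg == "all":
                # "undo ... all" is read here as removing every VLAN
                vlans = set(range(VLAN_MIN, VLAN_MAX + 1))
                permit_all = not undo
            else:
                vlans = parse_vlan_id_list(arg)
            # repeated executions accumulate; undo removes the listed VLANs
            permitted = permitted - vlans if undo else permitted | vlans
            continue
        m = PVID.match(cmd)
        if m:
            pvid = vlan_id(m.group(1))
        elif cmd == "undo port trunk pvid":
            pvid = 1
    findings = []
    if pvid not in permitted:
        # the port cannot forward default-VLAN traffic until the VLAN is permitted
        findings.append("PVID_NOT_PERMITTED")
    if permit_all and not gvrp_enabled:
        # discouraged: exposes every VLAN on a port that does not need it
        findings.append("PERMIT_ALL_WITHOUT_GVRP")
    return {"permitted": permitted, "pvid": pvid, "findings": findings}


if __name__ == "__main__":
    # Constructed input, modelled on the examples in this section.
    sample = [
        "port link-type trunk",
        "port trunk permit vlan 13 15",
        "port trunk pvid vlan 100",
    ]
    print(audit_trunk(sample)["findings"])
```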

2 Voice VLAN Configuration Commands

Voice VLAN Configuration Commands


display voice vlan oui

Syntax

display voice vlan oui

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display voice vlan oui command to display the currently supported organizationally unique
identifier (OUI) addresses, the OUI address masks, and the description strings.
Related commands: voice vlan mac-address.

In general, an OUI address is the first 24 bits of a MAC address (in binary format), a globally unique
identifier assigned to a vendor by IEEE. The OUI addresses mentioned in this document, however,
differ from OUIs in that usual sense. They are used to determine whether a received packet is a voice
packet, and they are the results of the AND operation of the two arguments mac-address and
oui-mask in the voice vlan mac-address command.

Examples

# Display the currently supported OUI addresses.


<Sysname> display voice vlan oui
Oui Address     Mask            Description
0001-e300-0000  ffff-ff00-0000  Siemens phone
0003-6b00-0000  ffff-ff00-0000  Cisco phone
0004-0d00-0000  ffff-ff00-0000  Avaya phone
00d0-1e00-0000  ffff-ff00-0000  Pingtel phone
0060-b900-0000  ffff-ff00-0000  Philips/NEC phone
00e0-7500-0000  ffff-ff00-0000  Polycom phone
00e0-bb00-0000  ffff-ff00-0000  3com phone

Table 2-1 display voice vlan oui command output description

Field          Description
Oui Address    OUI addresses supported
Mask           Masks of the OUI addresses supported
Description    Description strings of the OUI addresses supported

display voice vlan state

Syntax

display voice vlan state

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display voice vlan state command to display voice VLAN configuration.
Related commands: voice vlan vlan-id enable, voice vlan enable, voice vlan qos cos-value
dscp-value, voice vlan qos trust.

Examples

# Display voice VLAN configurations.


<Sysname> display voice vlan state
Maximum of Voice VLANs: 1
Current Voice VLANs: 1
Voice VLAN security mode: Security
Voice VLAN aging time: 1440 minutes
Voice VLAN enabled port and its mode:
PORT VLAN MODE
-----------------------------------------------
GigabitEthernet1/0/1 2 AUTO
GigabitEthernet1/0/2 2 AUTO

Table 2-2 display voice vlan state command output description

Field                                          Description
Voice VLAN system capacity                     Maximum number of voice VLANs supported by the system
Current Voice VLAN Count                       Number of existing voice VLANs
Voice VLAN security mode                       Security mode of the voice VLAN: Security for security mode; Normal for normal mode
Voice VLAN aging time                          Aging time of the voice VLAN
Current voice vlan enabled port and its mode   Voice VLAN-enabled port and its voice VLAN assignment mode
PORT                                           Voice VLAN-enabled port name
VLAN                                           ID of the voice VLAN enabled on the port
MODE                                           Voice VLAN assignment mode of the port: manual or automatic.

voice vlan aging

Syntax

voice vlan aging minutes


undo voice vlan aging

View

System view

Default Level

2: System level

Parameters

minutes: Voice VLAN aging time, in the range 5 to 43200 minutes.

Description

Use the voice vlan aging command to configure the voice VLAN aging time.
Use the undo voice vlan aging command to restore the default.
By default, the voice VLAN aging time is 1440 minutes.
When a port in automatic voice VLAN assignment mode receives a voice packet, the system decides
whether to assign the port to the voice VLAN based on the source MAC address of the voice packet.
Upon assigning the port to the voice VLAN, the system starts the aging timer. If no voice packets are
received on the port until the aging time expires, the system automatically removes the port from the
voice VLAN. This aging time only applies to the ports in automatic voice VLAN assignment mode.
Related commands: display voice vlan state.

Examples

# Configure the voice VLAN aging time as 100 minutes.


<Sysname> system-view
[Sysname] voice vlan aging 100

voice vlan enable

Syntax

voice vlan vlan-id enable


undo voice vlan enable

View

Ethernet interface view

Default Level

2: System level

Parameters

vlan-id: VLAN to be configured as the voice VLAN for the current port.

Description

Use the voice vlan enable command to enable the voice VLAN feature and configure a VLAN as the
voice VLAN for the current Ethernet port.
Use the undo voice vlan enable command to disable the voice VLAN feature on an Ethernet port.
By default, the voice VLAN feature is disabled on ports.
You can enable the voice VLAN feature on a hybrid or trunk port operating in automatic voice VLAN
assignment mode but not on an access port operating in automatic voice VLAN assignment mode.

Examples

# Enable the voice VLAN feature on GigabitEthernet1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] voice vlan 2 enable

voice vlan mac-address

Syntax

voice vlan mac-address mac-address mask oui-mask [ description text ]


undo voice vlan mac-address oui

View

System view

Default Level

2: System level

Parameters

mac-address: Source MAC address of voice traffic, in the format of H-H-H, such as 1234-1234-1234.

mask oui-mask: Specifies the valid length of the OUI address by a mask in the format of H-H-H, formed
by consecutive fs and 0s, for example, ffff-0000-0000. To filter the voice device of a specific vendor, set
the mask to ffff-ff00-0000.
description text: Specifies a string that describes the OUI address. The string is of 1 to 30
case-sensitive characters.
oui: Specifies the OUI address to be removed, in the format of H-H-H, such as 1234-1200-0000. An OUI
address is the logical AND result of mac-address and oui-mask. An OUI address cannot be a broadcast
address, a multicast address, or an address of all 0s. You can use the display voice vlan oui
command to display the OUI addresses supported currently.

Description

Use the voice vlan mac-address command to add a recognizable OUI address.
Use the undo voice vlan mac-address command to remove a recognizable OUI address.
The system supports up to 16 OUI addresses.
By default, the system is configured with the default OUI addresses, as illustrated in Table 2-3. You can
remove the default OUI addresses and then add recognizable OUI addresses manually.

Table 2-3 Default OUI addresses

Number  OUI             Vendor
1       0001-e300-0000  Siemens phone
2       0003-6b00-0000  Cisco phone
3       0004-0d00-0000  Avaya phone
4       00d0-1e00-0000  Pingtel phone
5       0060-b900-0000  Philips/NEC phone
6       00e0-7500-0000  Polycom phone
7       00e0-bb00-0000  3com phone

Related commands: display voice vlan oui.

Examples

# Add a recognizable OUI address 1234-1200-0000 by specifying the MAC address as
1234-1234-1234 and the mask as ffff-ff00-0000, and configure its description string as PhoneA.
<Sysname> system-view
[Sysname] voice vlan mac-address 1234-1234-1234 mask ffff-ff00-0000 description PhoneA

# Display the supported OUI addresses to verify the above configuration.


<Sysname> display voice vlan oui
Oui Address     Mask            Description
0001-e300-0000  ffff-ff00-0000  Siemens phone
0003-6b00-0000  ffff-ff00-0000  Cisco phone
0004-0d00-0000  ffff-ff00-0000  Avaya phone
00d0-1e00-0000  ffff-ff00-0000  Pingtel phone
0060-b900-0000  ffff-ff00-0000  Philips/NEC phone
00e0-7500-0000  ffff-ff00-0000  Polycom phone
00e0-bb00-0000  ffff-ff00-0000  3com phone
1234-1200-0000  ffff-ff00-0000  PhoneA

# Remove the OUI address 1234-1200-0000.


<Sysname> system-view
[Sysname] undo voice vlan mac-address 1234-1200-0000

voice vlan mode auto

Syntax

voice vlan mode auto


undo voice vlan mode auto

View

Ethernet interface view

Default Level

2: System level

Parameters

None

Description

Use the voice vlan mode auto command to configure the current port to operate in automatic voice
VLAN assignment mode.
Use the undo voice vlan mode auto command to configure the current port to operate in manual voice
VLAN assignment mode.
By default, a port operates in automatic voice VLAN assignment mode.
The voice VLAN modes of different ports are independent of one another.
To make voice VLAN take effect on a port which is enabled with voice VLAN and operates in manual
voice VLAN assignment mode, you need to assign the port to the voice VLAN manually.

Examples

# Configure GigabitEthernet1/0/1 to operate in manual voice VLAN assignment mode.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo voice vlan mode auto

voice vlan security enable

Syntax

voice vlan security enable


undo voice vlan security enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the voice vlan security enable command to enable voice VLAN security mode.
Use the undo voice vlan security enable command to disable voice VLAN security mode.
After you enable the security mode for a voice VLAN, only voice traffic can be transmitted in the voice
VLAN. The device matches the source MAC addresses of the packets against the supported OUI
addresses to determine whether they are voice traffic and filters all non-voice traffic, guaranteeing high
priority and high quality for voice traffic. On the other hand, when a voice VLAN operates in common
mode, other service traffic is also allowed to be transmitted in the voice VLAN.
By default, voice VLAN security mode is not enabled.

Examples

# Disable voice VLAN security mode.


<Sysname> system-view
[Sysname] undo voice vlan security enable
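
The following is an added example, not code from the H3C manual. It models the OUI rules of the voice vlan mac-address command (OUI = mac-address AND oui-mask, mask made of consecutive fs and 0s, no broadcast, multicast or all-0 OUI, at most 16 entries) and the source-MAC match that security mode uses to decide which frames stay in the voice VLAN. The class and function names are assumptions, the default OUIs come from Table 2-3, and the frames in the sample are constructed.

```python
import re

HHH = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
MAX_OUIS = 16   # "The system supports up to 16 OUI addresses."


def parse_hhh(text):
    """Parse an H-H-H address such as 1234-1234-1234 into a 48-bit integer."""
    t = text.strip().lower()
    if not HHH.match(t):
        raise ValueError(f"not in H-H-H format: {text!r}")
    return int(t.replace("-", ""), 16)


def format_hhh(value):
    """Render a 48-bit integer back into H-H-H notation."""
    h = f"{value:012x}"
    return "-".join((h[0:4], h[4:8], h[8:12]))


def parse_mask(text):
    """Accept only masks formed by consecutive fs followed by 0s."""
    value = parse_hhh(text)
    if not re.fullmatch(r"f+0*", f"{value:012x}"):
        raise ValueError(f"mask must be consecutive fs then 0s: {text!r}")
    return value


def make_oui(mac_address, oui_mask):
    """Return (oui, mask); the OUI is the AND of mac-address and oui-mask."""
    mask = parse_mask(oui_mask)
    oui = parse_hhh(mac_address) & mask
    if oui == 0:
        raise ValueError("OUI address cannot be all 0s")
    if (oui >> 40) & 1:   # group bit of the first octet: multicast or broadcast
        raise ValueError("OUI address cannot be a multicast or broadcast address")
    return oui, mask


class OuiTable:
    """Recognizable OUI addresses, keyed by OUI value."""

    def __init__(self):
        self.entries = {}   # oui -> (mask, description)

    def add(self, mac_address, oui_mask, description=None):
        oui, mask = make_oui(mac_address, oui_mask)
        if description is not None and not 1 <= len(description) <= 30:
            raise ValueError("description must be 1 to 30 characters")
        if oui not in self.entries and len(self.entries) >= MAX_OUIS:
            raise ValueError("OUI table is full")
        self.entries[oui] = (mask, description)
        return format_hhh(oui)

    def remove(self, oui_text):
        del self.entries[parse_hhh(oui_text)]

    def is_voice(self, source_mac):
        """A frame is voice traffic if its source MAC matches any OUI entry."""
        src = parse_hhh(source_mac)
        return any((src & mask) == oui for oui, (mask, _) in self.entries.items())


def default_table():
    """Table 2-3 defaults, all with mask ffff-ff00-0000."""
    table = OuiTable()
    for oui, vendor in (
        ("0001-e300-0000", "Siemens phone"), ("0003-6b00-0000", "Cisco phone"),
        ("0004-0d00-0000", "Avaya phone"), ("00d0-1e00-0000", "Pingtel phone"),
        ("0060-b900-0000", "Philips/NEC phone"), ("00e0-7500-0000", "Polycom phone"),
        ("00e0-bb00-0000", "3com phone"),
    ):
        table.add(oui, "ffff-ff00-0000", vendor)
    return table


def forwarded_in_voice_vlan(source_macs, table, security_mode):
    """Security mode keeps only OUI-matched sources; otherwise all traffic passes."""
    if not security_mode:
        return list(source_macs)
    return [mac for mac in source_macs if table.is_voice(mac)]


if __name__ == "__main__":
    table = default_table()
    print(table.add("1234-1234-1234", "ffff-ff00-0000", "PhoneA"))
    frames = ["0003-6b12-3456", "1234-12ab-cdef", "0010-5c00-0001"]   # constructed
    print(forwarded_in_voice_vlan(frames, table, security_mode=True))
```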

Table of Contents

1 MSTP Configuration Commands
    MSTP Configuration Commands
        active region-configuration
        check region-configuration
        display stp
        display stp abnormal-port
        display stp down-port
        display stp history
        display stp ignored-vlan
        display stp region-configuration
        display stp root
        display stp tc
        instance
        region-name
        reset stp
        revision-level
        stp bpdu-protection
        stp bridge-diameter
        stp compliance
        stp config-digest-snooping
        stp cost
        stp edged-port
        stp enable
        stp ignored vlan
        stp loop-protection
        stp max-hops
        stp mcheck
        stp mode
        stp no-agreement-check
        stp pathcost-standard
        stp point-to-point
        stp port priority
        stp port-log
        stp priority
        stp region-configuration
        stp root primary
        stp root secondary
        stp root-protection
        stp tc-protection
        stp tc-protection threshold
        stp timer forward-delay
        stp timer hello
        stp timer max-age
        stp timer-factor
        stp transmit-limit
        vlan-mapping modulo

1 MSTP Configuration Commands

MSTP Configuration Commands

active region-configuration

Syntax

active region-configuration

View

MST region view

Default Level

2: System level

Parameters

None

Description

Use the active region-configuration command to activate your MST region configuration.
Note that:
• The configuration of MST region–related parameters, especially the VLAN-to-instance mapping
  table, will cause MSTP to launch a new spanning tree calculation process, which may result in
  network topology instability. To reduce the possibility of topology instability caused by configuration,
  MSTP will not immediately launch a new spanning tree calculation process when processing MST
  region–related configurations; instead, such configurations will take effect only after you activate
  the MST region–related parameters using this command, or enable MSTP using the stp enable
  command in the case that MSTP is not enabled.
• Before running this command, you are recommended to use the check region-configuration
  command to check whether the MST region pre-configurations are correct. You should run this
  command only if the result returns positive.
Related commands: instance, region-name, revision-level, vlan-mapping modulo, check
region-configuration.

Examples

# Map VLAN 2 to MSTI 1 and activate MST region configuration manually.


<Sysname> system-view
[Sysname] stp region-configuration
[Sysname-mst-region] instance 1 vlan 2
[Sysname-mst-region] active region-configuration

check region-configuration

Syntax

check region-configuration

View

MST region view

Default Level

2: System level

Parameters

None

Description

Use the check region-configuration command to view MST region pre-configuration information,
including the region name, revision level, and VLAN-to-instance mapping settings.
Note that:
• Two or more MSTP-enabled devices belong to the same MST region only if they are configured to
  have the same format selector, MST region name, the same VLAN-to-instance mapping entries in
  the MST region and the same MST region revision level, and they are interconnected via a physical
  link.
• Before activating the configurations of an MST region, you are recommended to use this command
  to check whether the MST region pre-configurations are correct. You should activate the MST
  region pre-configurations only if the result returns positive.
Related commands: instance, region-name, revision-level, vlan-mapping modulo, active
region-configuration.

Examples

# View MST region pre-configurations.


<Sysname> system-view
[Sysname] stp region-configuration
[Sysname-mst-region] check region-configuration
Admin Configuration
Format selector :0
Region name :000fe26a58ed
Revision level :0
Configuration digest :0x41b5018aca57daa8dcfdba2984d99d06

Instance Vlans Mapped


0 1 to 9, 11 to 4094
1 10

Table 1-1 check region-configuration command output description

Field                    Description
Format selector          Format selector of the MST region, which defaults to 0 and is not configurable.
Region name              MST region name
Revision level           Revision level of the MST region
Instance Vlans Mapped    VLAN-to-instance mappings in the MST region

display stp

Syntax

display stp [ instance instance-id ] [ interface interface-list ] [ brief ]

View

Any view

Default Level

1: Monitor level

Parameters

instance instance-id: Displays the status and statistics of a particular MSTI. The minimum value of
instance-id is 0, representing the common internal spanning tree (CIST), and the maximum value is 3.
interface interface-list: Displays the MSTP status and statistics on the ports specified by a port list, in
the format of interface-list = { interface-type interface-number [ to interface-type
interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 ports or port
ranges.
brief: Displays brief MSTP status and statistics.

Description

Use the display stp command to view the MSTP status and statistics.
Based on the MSTP status and statistics, you can analyze and maintain the network topology or check
whether MSTP is working normally.
Note that:
• If you do not specify any MSTI or port, this command will display the MSTP information of all MSTIs
  on all ports. The displayed information is sorted by MSTI ID and by port name in each MSTI.
• If you specify an MSTI but not a port, this command will display the MSTP information on all ports in
  that MSTI. The displayed information is sorted by port name.
• If you specify some ports but not an MSTI, this command will display the MSTP information of all
  MSTIs on the specified ports. The displayed information is sorted by MSTI ID, and by port name in
  each MSTI.
• If you specify both an MSTI ID and a port list, this command will display the MSTP information on
  the specified ports in the specified MSTI. The displayed information is sorted by port name.
The MSTP status information includes:

1-3
z CIST global parameters: Protocol work mode, device priority in the CIST (Priority), MAC address,
hello time, max age, forward delay, maximum hops, common root of the CIST, external path cost
from the device to the CIST common root, regional root, the internal path cost from the device to
the regional root, CIST root port of the device, and status of the BPDU guard function (enabled or
disabled).
z CIST port parameters: Port status, role, priority, path cost, designated bridge, designated port,
edge port/non-edge port, whether connecting to a point-to-point link, maximum transmission rate
(transmit limit), status of the root guard function (enabled or disabled), BPDU format, boundary
port/non-boundary port, hello time, max age, forward delay, message age, remaining hops, and
whether rapid state transition enabled for designated ports.
z MSTI global parameters: MSTI ID, bridge priority of the MSTI, regional root, internal path cost,
MSTI root port, and master bridge.
z MSTI port parameters: Port status, role, priority, path cost, designated bridge, designated port,
remaining hops, and whether rapid state transition enabled (for designated ports).
The statistics include:
z The number of TCN BPDUs, configuration BPDUs, RST BPDUs and MST BPDUs sent from each
port
z The number of TCN BPDUs, configuration BPDUs, RST BPDUs, MST BPDUs and wrong BPDUs
received on each port
z The number of BPDUs discarded on each port
Related commands: reset stp.

Examples

# View the brief MSTP status and statistics.


<Sysname> display stp instance 0 interface gigabitethernet 1/0/1 to gigabitethernet 1/0/4 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
0 GigabitEthernet1/0/3 DESI FORWARDING NONE
0 GigabitEthernet1/0/4 DESI FORWARDING NONE

Table 1-2 display stp brief command output description

Field        Description
MSTID        MSTI ID in the MST region
Port         Port name, corresponding to each MSTI
Role         Port role, which can be one of the following:
             - ALTE: The port is an alternate port
             - BACK: The port is a backup port
             - ROOT: The port is a root port
             - DESI: The port is a designated port
             - MAST: The port is a master port
             - DISA: The port is disabled
STP State    MSTP status on the port, which can be:
             - FORWARDING: The port learns MAC addresses and forwards user traffic
             - DISCARDING: The port does not learn MAC addresses or forward user traffic
             - LEARNING: The port learns MAC addresses but does not forward user traffic
Protection   Protection type on the port, which can be:
             - ROOT: Root guard
             - LOOP: Loop guard
             - BPDU: BPDU guard
             - NONE: No protection

# View the MSTP status and statistics.


<Sysname> display stp
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge :32768.000f-e200-2200
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :0.00e0-fc0e-6554 / 200200
CIST RegRoot/IRPC :32768.000f-e200-2200 / 0
CIST RootPortId :128.48
BPDU-Protection :disabled
Bridge Config-
Digest-Snooping :disabled
TC or TCN received :2
Time since last TC :0 days 0h:5m:42s

----[Port1(GigabitEthernet1/0/1)][FORWARDING]----
Port Protocol :enabled
Port Role :CIST Designated Port
Port Priority :128
Port Cost(Legacy) :Config=auto / Active=200
Desg. Bridge/Port :32768.000f-e200-2200 / 128.2
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transmit Limit :10 packets/hello-time
Protection Type :None
MST BPDU Format :Config=auto / Active=legacy
Port Config-
Digest-Snooping :disabled
Rapid transition :false
Num of Vlans Mapped :1
PortTimes :Hello 2s MaxAge 20s FwDly 15s MsgAge 2s RemHop 20
BPDU Sent :186
TCN: 0, Config: 0, RST: 0, MST: 186
BPDU Received :0
TCN: 0, Config: 0, RST: 0, MST: 0

-------[MSTI 1 Global Info]-------
MSTI Bridge ID :0.000f-e23e-9ca4
MSTI RegRoot/IRPC :0.000f-e23e-9ca4 / 0
MSTI RootPortId :0.0
MSTI Root Type :PRIMARY root
Master Bridge :32768.000f-e23e-9ca4
Cost to Master :0
TC received :0

# View the MSTP status and statistics when STP is not enabled.
<Sysname> display stp
Protocol Status :disabled
Protocol Std. :IEEE 802.1s
Version :3
CIST Bridge-Prio. :32768
MAC address :000f-e200-8048
Max age(s) :20
Forward delay(s) :15
Hello time(s) :2
Max hops :20

Table 1-3 display stp command output description

Field                 Description
CIST Bridge           CIST bridge ID, which comprises the device’s priority in the CIST and its
                      MAC address. For example, in output information “32768.000f-e200-2200”,
                      the value preceding the period (“.”) is the device’s priority in the CIST,
                      and the value following the period is the device’s MAC address.
Bridge Times          Major parameters for the bridge:
                      - Hello: Hello timer
                      - MaxAge: Max Age timer
                      - FWDly: Forward delay timer
                      - Max Hop: Max hops within the MST region
CIST Root/ERPC        CIST root ID and external path cost (the path cost from the device to the
                      CIST root)
CIST RegRoot/IRPC     CIST regional root ID and internal path cost (the path cost from the device
                      to the CIST regional root)
CIST RootPortId       CIST root port ID. “0.0” indicates that the device is the root and there is no
                      root port.
BPDU-Protection       Indicates whether BPDU protection is enabled globally.
Bridge Config-        Indicates whether Digest Snooping is enabled globally on the bridge.
Digest-Snooping
TC or TCN received    Number of received TC/TCN packets
Time since last TC    Time since the latest topology change
[FORWARDING]          The port learns MAC addresses and forwards user traffic
[DISCARDING]          The port does not learn MAC addresses or forward user traffic
[LEARNING]            The port learns MAC addresses but does not forward user traffic
Port Protocol         Indicates whether STP is enabled on the port
Port Role             Port role, which can be Alternate, Backup, Root, Designated, Master, or
                      Disabled
Port Priority         Port priority
Port Cost(Legacy)     Path cost of the port. The field in the bracket indicates the standard used
                      for port path cost calculation, which can be legacy, dot1d-1998, or dot1t.
                      Config indicates the configured value, and Active indicates the actual
                      value.
Desg. Bridge/Port     Designated bridge ID and port ID of the port.
                      The port ID displayed is insignificant for a port which does not support
                      port priority.
Port Edged            Indicates whether the port is an edge port. Config indicates the
                      configured value, and Active indicates the actual value.
Point-to-point        Indicates whether the port is connected to a point-to-point link. Config
                      indicates the configured value, and Active indicates the actual value.
Transmit Limit        The maximum number of packets sent within each Hello time
Protection Type       Protection type on the port, which can be one of the following:
                      - Root: Root guard
                      - Loop: Loop guard
                      - BPDU: BPDU guard
                      - None: No protection
MST BPDU Format       Format of the MST BPDUs that the port can send, which can be legacy or
                      802.1s. Config indicates the configured value, and Active indicates the
                      actual value.
Port Config-          Indicates whether digest snooping is enabled on the port.
Digest-Snooping
Rapid transition      Indicates whether the current port rapidly transitions to the forwarding
                      state.
Num of Vlans Mapped   Number of VLANs mapped to the current MSTI
PortTimes             Major parameters for the port:
                      - Hello: Hello timer
                      - MaxAge: Max Age timer
                      - FWDly: Forward delay timer
                      - MsgAge: Message Age timer
                      - Remain Hop: Remaining hops
BPDU Sent             Statistics on sent BPDUs
BPDU Received         Statistics on received BPDUs
MSTI RegRoot/IRPC     MSTI regional root/internal path cost
MSTI RootPortId       MSTI root port ID
MSTI Root Type        MSTI root type, which can be primary root or secondary root
Master Bridge         MSTI root bridge ID
Cost to Master        Path cost from the MSTI to the master bridge
TC received           Number of received TC BPDUs
Protocol Status       MSTP protocol status
Protocol Std.         MSTP protocol standard
Version               MSTP protocol version
CIST Bridge-Prio.     The device’s priority in the CIST
MAC address           MAC address of the device
Max age(s)            Aging timer for BPDUs (in seconds)
Forward delay(s)      Port state transition delay (in seconds)
Hello time(s)         Interval for the root bridge to send BPDUs (in seconds)
Max hops              Maximum hops in the MSTI

display stp abnormal-port

Syntax

display stp abnormal-port

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display stp abnormal-port command to view the information about abnormally blocked ports.
Any of the following reasons may cause a port to be abnormally blocked:
- Root guard function
- Loop guard function
- MSTP BPDU format incompatibility protection function

Examples

# View information about abnormally blocked ports.


<Sysname> display stp abnormal-port
MSTID Blocked Port Reason
1 GigabitEthernet1/0/1 ROOT-Protected
2 GigabitEthernet1/0/2 LOOP-Protected
2 GigabitEthernet1/0/3 Formatcompatibility–Protected

Table 1-4 display stp abnormal-port command output description

Field          Description
MSTID          ID of the MSTI to which an abnormally blocked port belongs
Blocked Port   Name of an abnormally blocked port
Reason         Reason that caused abnormal blocking of the port.
               - ROOT-Protected: root guard function
               - LOOP-Protected: loop guard function
               - Formatcompatibility-Protected: MSTP BPDU format incompatibility
                 protection function

display stp down-port

Syntax

display stp down-port

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display stp down-port command to display the information about ports blocked by STP
protection functions.
These functions include:
- BPDU attack guard function
- MSTP BPDU format frequent change protection function

Examples

# View the information about ports blocked by STP protection functions.


<Sysname> display stp down-port
Down Port Reason
GigabitEthernet1/0/1 BPDU-Protected
GigabitEthernet1/0/2 Formatfrequency-Protected

Table 1-5 display stp down-port command output description

Field       Description
Down Port   Name of a blocked port
Reason      Reason that caused the port to be blocked.
            - BPDU-Protected: BPDU attack guard function
            - Formatfrequency-Protected: MSTP BPDU format frequent change
              protection function
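
The Reason column of display stp abnormal-port and display stp down-port is the quickest way to see which guard function acted on which port. The following Python sketch is an added example, not part of the H3C manual: it parses the two sample outputs shown above and groups ports by the function named in Tables 1-4 and 1-5. The function and variable names are hypothetical, and the row layout is assumed to match the samples on this page.

```python
import re
from collections import defaultdict

# Reason strings and the function each one names, as listed in Tables 1-4 and 1-5.
REASON_TO_GUARD = {
    "ROOT-Protected": "root guard",
    "LOOP-Protected": "loop guard",
    "Formatcompatibility-Protected": "MSTP BPDU format incompatibility protection",
    "BPDU-Protected": "BPDU attack guard",
    "Formatfrequency-Protected": "MSTP BPDU format frequent change protection",
}

# Sample outputs copied from the examples above. The abnormal-port sample prints
# one reason with an en dash, reproduced here as \u2013.
ABNORMAL_OUTPUT = """\
<Sysname> display stp abnormal-port
MSTID Blocked Port Reason
1 GigabitEthernet1/0/1 ROOT-Protected
2 GigabitEthernet1/0/2 LOOP-Protected
2 GigabitEthernet1/0/3 Formatcompatibility\u2013Protected
"""

DOWN_OUTPUT = """\
<Sysname> display stp down-port
Down Port Reason
GigabitEthernet1/0/1 BPDU-Protected
GigabitEthernet1/0/2 Formatfrequency-Protected
"""

# Optional MSTID column, a port name such as GigabitEthernet1/0/1, then the reason.
ROW_RE = re.compile(
    r"^\s*(?:(?P<mstid>\d+)\s+)?"
    r"(?P<port>[A-Za-z][A-Za-z-]*\d+(?:/\d+)*)\s+"
    r"(?P<reason>\S+)\s*$"
)


def parse_guard_events(text, command):
    """Return one dict per data row; prompt, header and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if not match:
            continue
        # Normalize dash variants so the reason matches the table spelling.
        reason = match.group("reason").replace("\u2013", "-").replace("\u2014", "-")
        mstid = match.group("mstid")
        events.append({
            "command": command,
            "mstid": int(mstid) if mstid is not None else None,
            "port": match.group("port"),
            "reason": reason,
            # Reasons not listed in the tables are kept and marked unknown.
            "guard": REASON_TO_GUARD.get(reason, "unknown"),
        })
    return events


def ports_by_guard(events):
    """Group port names by the guard function that acted on them."""
    grouped = defaultdict(set)
    for event in events:
        grouped[event["guard"]].add(event["port"])
    return {guard: sorted(ports) for guard, ports in grouped.items()}


if __name__ == "__main__":
    all_events = (parse_guard_events(ABNORMAL_OUTPUT, "abnormal-port")
                  + parse_guard_events(DOWN_OUTPUT, "down-port"))
    for guard, ports in ports_by_guard(all_events).items():
        print(f"{guard}: {', '.join(ports)}")
```
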

display stp history

Syntax

display stp [ instance instance-id ] history

View

Any view

Default Level

0: Visit level

Parameters

instance instance-id: Displays the historic port role calculation information of a particular MSTI. The
minimum value of instance-id is 0, representing the common internal spanning tree (CIST), and the
maximum value of instance-id is 3.

Description

Use the display stp history command to view the historic port role calculation information of the
specified MSTI or all MSTIs.
Note that:
- If you do not specify an MSTI ID, this command will display the historic port role calculation
  information of all MSTIs. The displayed information is sorted by MSTI ID, and by port role
  calculation time in each MSTI.
- If you specify an MSTI ID, this command will display the historic port role calculation information of
  only this specified MSTI by the sequence of port role calculation time.

Examples

# View the historic port role calculation information in MSTI 2.


<Sysname> display stp instance 2 history
------------------- Instance 2 ---------------------
Port GigabitEthernet1/0/1
Role change : ROOT->DESI (Aged)
Time : 2006/08/08 00:22:56
Port priority : 0.00e0-fc01-6510 0 0.00e0-fc01-6510 128.1

Port GigabitEthernet1/0/2
Role change : ALTER->ROOT
Time : 2006/08/08 00:22:56
Port priority : 0.00e0-fc01-6510 0 0.00e0-fc01-6510 128.2

Table 1-6 display stp history command output description

Field           Description
Port            Port name
Role change     A role change of the port (“Aged” means that the change was caused by
                expiry of the received configuration BPDU)
Time            Time of port role calculation
Port priority   Port priority

display stp ignored-vlan

Syntax

display stp ignored-vlan

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display stp ignored-vlan command to display VLAN Ignore enabled VLANs.

Examples

# Display VLAN Ignore enabled VLANs.


<Sysname> display stp ignored-vlan
STP-Ignored VLAN: 1 to 2

Table 1-7 display stp ignored-vlan command output description

Field Description
STP-Ignored VLAN List of VLAN Ignore enabled VLANs

display stp region-configuration

Syntax

display stp region-configuration

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display stp region-configuration command to view the currently effective configuration
information of the MST region, including the region name, revision level, and user-configured
VLAN-to-instance mappings.
Related commands: instance, region-name, revision-level, vlan-mapping modulo.

Examples

# View the currently effective MST region configuration information.


<Sysname> display stp region-configuration
Oper Configuration
Format selector :0
Region name :hello
Revision level :0
Configuration digest :0x5f762d9a46311effb7a488a3267fca9f

Instance Vlans Mapped


0 21 to 4094
1 1 to 10
2 11 to 20

Table 1-8 display stp region-configuration command output description

Field                  Description
Format selector        MSTP-defined format selector, which defaults to 0 and is not
                       configurable
Region name            MST region name
Revision level         Revision level of the MST region, which can be configured using the
                       revision-level command and defaults to 0.
Instance Vlans Mapped  VLAN-to-instance mappings in the MST region
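
Because the region name, revision level and VLAN-to-instance mapping jointly determine the MST region a device belongs to, comparing these fields across switches shows why two devices are not in the same region. The following Python sketch is an added example, not part of the H3C manual: it parses region-configuration output, expands the VLAN ranges, and reports the differing fields. The two sample outputs on this page stand in for two switches (an assumption for illustration), and all function names are hypothetical.

```python
import re

# Sample outputs copied from the examples on this page (prompt lines omitted).
SWITCH_A = """\
Format selector :0
Region name :000fe26a58ed
Revision level :0
Configuration digest :0x41b5018aca57daa8dcfdba2984d99d06

Instance Vlans Mapped

0 1 to 9, 11 to 4094
1 10
"""

SWITCH_B = """\
Format selector :0
Region name :hello
Revision level :0
Configuration digest :0x5f762d9a46311effb7a488a3267fca9f

Instance Vlans Mapped

0 21 to 4094
1 1 to 10
2 11 to 20
"""

FIELDS = {"Region name": "name", "Revision level": "revision",
          "Configuration digest": "digest"}


def expand_vlans(spec):
    """Expand a list such as '1 to 9, 11 to 4094' into a set of VLAN IDs."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        match = re.fullmatch(r"(\d+)(?:\s+to\s+(\d+))?", part)
        if not match:
            raise ValueError(f"unrecognized VLAN range: {part!r}")
        low, high = int(match.group(1)), int(match.group(2) or match.group(1))
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


def parse_region(text):
    """Parse region name, revision level, digest and the VLAN-to-instance table."""
    region = {"name": None, "revision": None, "digest": None, "vlan_to_msti": {}}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_table:
            instance, _, vlan_spec = line.partition(" ")
            if not instance.isdigit():
                continue  # separator or other non-data line
            for vlan in expand_vlans(vlan_spec):
                region["vlan_to_msti"][vlan] = int(instance)
        elif line.startswith("Instance"):
            in_table = True
        elif ":" in line:
            label, value = (s.strip() for s in line.split(":", 1))
            if label in FIELDS:
                region[FIELDS[label]] = value
    return region


def region_differences(a, b):
    """Return the fields in which two parsed region configurations differ."""
    diffs = {}
    for key in ("name", "revision", "digest"):
        if a[key] != b[key]:
            diffs[key] = (a[key], b[key])
    # A VLAN absent from the table is treated as mapped to the CIST (MSTI 0),
    # the default mapping.
    moved = [v for v in range(1, 4095)
             if a["vlan_to_msti"].get(v, 0) != b["vlan_to_msti"].get(v, 0)]
    if moved:
        diffs["vlan_to_msti"] = moved
    return diffs


if __name__ == "__main__":
    result = region_differences(parse_region(SWITCH_A), parse_region(SWITCH_B))
    for field, detail in result.items():
        if field == "vlan_to_msti":
            print(f"{len(detail)} VLANs mapped differently: {detail}")
        else:
            print(f"{field}: {detail[0]} != {detail[1]}")
```
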

display stp root

Syntax

display stp root

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display stp root command to view the root bridge information of all MSTIs.

Examples

# View the root bridge information of all MSTIs.


<Sysname> display stp root
MSTID Root Bridge ID ExtPathCost IntPathCost Root Port
0 0.00e0-fc0e-6554 200200 0 GigabitEthernet1/0/1

Table 1-9 display stp root command output description

Field            Description
MSTID            MSTI ID
Root Bridge ID   Root bridge ID
ExtPathCost      External path cost. The device can automatically calculate the default path
                 cost of a port, or alternatively, you can use the stp cost command to configure
                 the path cost of a port.
IntPathCost      Internal path cost. The device can automatically calculate the default path cost
                 of a port, or alternatively, you can use the stp cost command to configure the
                 path cost of a port.
Root Port        Root port name (displayed only if a port of the current device is the root port of
                 MSTIs)

display stp tc

Syntax

display stp [ instance instance-id ] tc

View

Any view

Default Level

0: Visit level

Parameters

instance instance-id: Displays the statistics of TC/TCN BPDUs received and sent by all ports in the
specified MSTI. The minimum value of instance-id is 0, representing the common internal spanning tree
(CIST), and the maximum value of instance-id is 3.

Description

Use the display stp tc command to view the statistics of TC/TCN BPDUs received and sent by all ports
in an MSTI or all MSTIs.
Note that:
- If you do not specify an MSTI ID, this command will display the statistics of TC/TCN BPDUs
  received and sent by all ports in all MSTIs. The displayed information is sorted by instance ID and
  by port name in each MSTI.
- If you specify an MSTI ID, this command will display the statistics of TC/TCN BPDUs received and
  sent by all ports in the specified MSTI, in port name order.

Examples

# View the statistics of TC/TCN BPDUs received and sent by all ports in MSTI 0.
<Sysname> display stp instance 0 tc
MSTID Port Receive Send
0 GigabitEthernet1/0/1 6 4
0 GigabitEthernet1/0/2 0 2

Table 1-10 display stp tc command output description

Field Description
MSTID MSTI ID
Port Port name
Receive Number of TC/TCN BPDUs received on each port
Send Number of TC/TCN BPDUs sent by each port

instance

Syntax

instance instance-id vlan vlan-list


undo instance instance-id [ vlan vlan-list ]

View

MST region view

Default Level

2: System level

Parameters

instance-id: MSTI ID. The minimum value is 0, representing the CIST, and the maximum value is 3.
vlan vlan-list: Specifies a VLAN list in the format of vlan-list = { vlan-id [ to vlan-id2 ] }&<1-10>, in which
vlan-id represents the VLAN ID and ranges from 1 to 4094. &<1-10> indicates you can specify up to 10
VLAN IDs or VLAN ID ranges.

Description

Use the instance command to map the specified VLANs to the specified MSTI.
Use the undo instance command to remap the specified VLAN or all VLANs to the CIST (MSTI 0).
By default, all VLANs are mapped to the CIST.
Note that:
- If you specify no VLAN in the undo instance command, all VLANs mapped to the specified MSTI
  will be remapped to the CIST.
- You cannot map the same VLAN to different MSTIs. If you map a VLAN that has been mapped to
  an MSTI to a new MSTI, the old mapping will be automatically removed.
- After configuring this command, you need to run the active region-configuration command to
  activate the VLAN-to-instance mapping.
Related commands: display stp region-configuration, check region-configuration, active
region-configuration.

Examples

# Map VLAN 2 to MSTI 1.


<Sysname> system-view
[Sysname] stp region-configuration
[Sysname-mst-region] instance 1 vlan 2

region-name

Syntax

region-name name
undo region-name

View

MST region view

Default Level

2: System level

Parameters

name: MST region name, a string of 1 to 32 characters.

Description

Use the region-name command to configure the MST region name.


Use the undo region-name command to restore the default MST region name.
By default, the MST region name of a device is its MAC address.
Note that:
- The MST region name, the VLAN-to-instance mapping table and the MSTP revision level of a
  device jointly determine the MST region to which the device belongs.
- After configuring this command, you need to run the active region-configuration command to
  activate the configured MST region name.
Related commands: instance, revision-level, vlan-mapping modulo, display stp
region-configuration, check region-configuration, active region-configuration.

Examples

# Set the MST region name of the device to hello.


<Sysname> system-view
[Sysname] stp region-configuration
[Sysname-mst-region] region-name hello

reset stp

Syntax

reset stp [ interface interface-list ]

View

User view

Default Level

1: Monitor level

Parameters

interface interface-list: Clears the MSTP statistics of the ports specified in the format of interface-list =
{ interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>
indicates that you can specify up to 10 ports or port ranges.

Description

Use the reset stp command to clear the MSTP statistics.


The MSTP statistics include the numbers of TCN BPDUs, configuration BPDUs, RST BPDUs and
MST BPDUs sent/received through the specified ports (STP BPDUs and TCN BPDUs are counted only
for the CIST).
Note that this command clears the spanning tree-related statistics on the specified ports if you specify
the interface-list argument; otherwise, this command clears the spanning tree-related statistics on all
ports.
Related commands: display stp.

Examples

# Clear the spanning tree-related statistics on ports GigabitEthernet 1/0/1 through GigabitEthernet
1/0/3.
<Sysname> reset stp interface gigabitethernet 1/0/1 to gigabitethernet 1/0/3

revision-level

Syntax

revision-level level
undo revision-level

View

MST region view

Default Level

2: System level

Parameters

level: MSTP revision level, in the range of 0 to 65535.

Description

Use the revision-level command to configure the MSTP revision level.
Use the undo revision-level command to restore the default MSTP revision level.
By default, the MSTP revision level is 0.
Note that:
- The MSTP revision level, the MST region name and the VLAN-to-instance mapping table of a
  device jointly determine the MST region to which the device belongs. When the MST region name
  and VLAN-to-instance mapping table are both the same for two MST regions, you can still tell them
  apart by their MSTP revision levels.
- After configuring this command, you need to run the active region-configuration command to
  activate the configured MSTP revision level.
Related commands: instance, region-name, vlan-mapping modulo, display stp
region-configuration, check region-configuration, active region-configuration.

Examples

# Set the MSTP revision level of the MST region to 5.


<Sysname> system-view
[Sysname] stp region-configuration
[Sysname-mst-region] revision-level 5

stp bpdu-protection

Syntax

stp bpdu-protection
undo stp bpdu-protection

View

System view

Default Level

2: System level

Parameters

None

Description

Use the stp bpdu-protection command to enable the BPDU guard function.
Use the undo stp bpdu-protection command to disable the BPDU guard function.
By default, the BPDU guard function is disabled.

Examples

# Enable the BPDU guard function.


<Sysname> system-view
[Sysname] stp bpdu-protection

stp bridge-diameter

Syntax

stp bridge-diameter diameter


undo stp bridge-diameter

View

System view

Default Level

2: System level

Parameters

diameter: Specifies the switched network diameter, in the range of 2 to 7.

Description

Use the stp bridge-diameter command to specify the network diameter, namely the maximum possible
number of stations between any two terminal devices on the switched network.
Use the undo stp bridge-diameter command to restore the default.
By default, the network diameter of the switched network is 7.
Note that:
- An appropriate setting of hello time, forward delay and max age can speed up network
  convergence. The values of these timers are related to the network size. You can set these three
  timers indirectly by setting the network diameter. Based on the network diameter you configured,
  MSTP automatically sets an optimal hello time, forward delay, and max age for the device. With the
  network diameter set to 7 (the default), the three timers are also set to their defaults.
- This setting must be configured on the root bridge and is effective for the CIST only, not for
  MSTIs.
Related commands: stp timer forward-delay, stp timer hello, stp timer max-age.

Examples

# Set the network diameter of the switched network to 5.


<Sysname> system-view
[Sysname] stp bridge-diameter 5

stp compliance

Syntax

stp compliance { auto | dot1s | legacy }


undo stp compliance

View

Layer 2 Ethernet port view, port group view, Layer 2 aggregate port view

Default Level

2: System level

Parameters

auto: Configures the port(s) to recognize the MSTP BPDU format automatically and accordingly
determine the format of MSTP BPDUs to send.
dot1s: Configures the port(s) to receive and send only standard-format (802.1s-compliant) MSTP
BPDUs.
legacy: Configures the port(s) to receive and send only compatible-format MSTP BPDUs.

Description

Use the stp compliance command to configure the mode the specified port(s) will use to recognize and
send MSTP BPDUs.
Use the undo stp compliance command to restore the system default.
By default, a port automatically recognizes the formats of received MSTP packets and determines the
formats of MSTP packets to be sent based on the recognized formats.
Note that:
- Configured in Layer 2 Ethernet port view, the setting takes effect on the current port only;
  configured in port group view, the setting takes effect on all ports in the port group.
- Configured in Layer 2 aggregate port view, the setting takes effect only on the aggregate port;
  configured on a member port in an aggregation group, the setting can take effect only after the port
  leaves the aggregation group.

Examples

# Configure GigabitEthernet 1/0/1 to receive and send only standard-format (802.1s) MSTP packets.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp compliance dot1s

stp config-digest-snooping

Syntax

stp config-digest-snooping
undo stp config-digest-snooping

View

System view, Layer 2 Ethernet port view, port group view, Layer 2 aggregate port view

Default Level

2: System level

Parameters

None

Description

Use the stp config-digest-snooping command to enable Digest Snooping.


Use the undo stp config-digest-snooping command to disable Digest Snooping.
The feature is disabled by default.
Note that:
- Configured in system view, the setting takes effect globally; configured in Layer 2 Ethernet port
  view, the setting takes effect on the current port only; configured in port group view, the setting
  takes effect on all ports in the port group.
- Configured in Layer 2 aggregate port view, the setting takes effect only on the aggregate port;
  configured on a member port in an aggregation group, the setting can take effect only after the port
  leaves the aggregation group.
- You need to enable this feature both globally and on ports connected to third-party devices to make
  it take effect. It is recommended to enable the feature on all associated ports first and then globally,
  so that the setting takes effect on all configured ports at the same time, minimizing the impact on
  the network.
Related commands: display stp.

Examples

# Enable Digest Snooping on GigabitEthernet 1/0/1 and then globally.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp config-digest-snooping
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] stp config-digest-snooping

stp cost

Syntax

stp [ instance instance-id ] cost cost


undo stp [ instance instance-id ] cost

View

Layer 2 Ethernet port view, port group view, Layer 2 aggregate port view

Default Level

2: System level

Parameters

instance instance-id: Sets the path cost of the port(s) in a particular MSTI. The minimum value of
instance-id is 0, representing the CIST, and the maximum value of instance-id is 3.
cost: Path cost of the port, the effective range of which depends on the path cost calculation standard
adopted.
- With the IEEE 802.1d-1998 standard selected for path cost calculation, the cost argument ranges
  from 1 to 65535.
- With the IEEE 802.1t standard selected for path cost calculation, the cost argument ranges from 1
  to 200000000.
- With the private standard selected for path cost calculation, the cost argument ranges from 1 to
  200000.

Description

Use the stp cost command to set the path cost of the port(s) in the specified MSTI or all MSTIs.
Use the undo stp cost command to restore the system default.
By default, the device automatically calculates the path costs of ports in each MSTI based on the
corresponding standard.
Note that:
- Configured in Layer 2 Ethernet port view, the setting takes effect on the current port only;
  configured in port group view, the setting takes effect on all ports in the port group.
- Configured in Layer 2 aggregate port view, the setting takes effect only on the aggregate port;
  configured on a member port in an aggregation group, the setting can take effect only after the port
  leaves the aggregation group.
- Path cost is an important factor in spanning tree calculation. Setting different path costs for a port in
  MSTIs allows VLAN traffic flows to be forwarded along different physical links, thus achieving
  VLAN-based load balancing.
- The path cost setting of a port can affect the role selection of the port. When the path cost of a port
  is changed, MSTP will re-compute the role of the port and initiate a state transition.
Related commands: display stp.

Examples

# Set the path cost of port GigabitEthernet 1/0/3 in MSTI 2 to 200.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/3
[Sysname-GigabitEthernet1/0/3] stp instance 2 cost 200

stp edged-port

Syntax

stp edged-port { enable | disable }


undo stp edged-port

View

Layer 2 Ethernet port view, port group view, Layer 2 aggregate port view

Default Level

2: System level

Parameters

enable: Configures the current port(s) as an edge port or edge ports.


disable: Configures the current port(s) as a non-edge port or non-edge ports.

Description

Use the stp edged-port enable command to configure the port(s) as an edge port or ports.

Use the stp edged-port disable command to configure the port(s) as a non-edge port or non-edge
ports.
Use the undo stp edged-port command to restore the default.
All ports are non-edge ports by default.
Note that:
- Configured in Layer 2 Ethernet port view, the setting takes effect on the current port only;
  configured in port group view, the setting takes effect on all ports in the port group.
- Configured in Layer 2 aggregate port view, the setting takes effect only on the aggregate port;
  configured on a member port in an aggregation group, the setting can take effect only after the port
  leaves the aggregation group.
- If a port directly connects to a user terminal rather than another device or a shared LAN segment,
  this port is regarded as an edge port. When the network topology changes, an edge port will not
  cause a temporary loop. Therefore, configuring a port as an edge port can enable the port to
  transition to the forwarding state rapidly. We recommend that you configure a port directly
  connecting to a user terminal as an edge port to enable it to transition to the forwarding state
  rapidly.
- Normally, configuration BPDUs from other devices will not be received by an edge port because it
  does not connect to any other device. Before the BPDU guard function is enabled, if a port receives
  a configuration BPDU, the port actually works as a non-edge port even if you have configured
  it as an edge port.
- Among loop guard, root guard and edge port settings, only one function (whichever is configured
  the earliest) can take effect on a port at the same time.
Related commands: stp loop-protection, stp root-protection.

Examples

# Configure GigabitEthernet 1/0/1 as an edge port.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp edged-port enable

stp enable

Syntax

stp enable
undo stp enable

View

System view, Layer 2 Ethernet port view, port group view, Layer 2 aggregate port view

Default Level

2: System level

Parameters

None

Description

Use the stp enable command to enable MSTP globally in system view, on a port in port view, or on
multiple ports in port group view.
Use the undo stp enable command to disable MSTP globally or on the port(s).
The device is globally MSTP-disabled by default. After you enable MSTP globally, MSTP is enabled on
all ports.
Note that:
- Configured in system view, the setting takes effect globally; configured in Layer 2 Ethernet port
  view, the setting takes effect on the current port only; configured in port group view, the setting
  takes effect on all ports in the port group; configured in Layer 2 aggregate port view, the setting
  takes effect only on the aggregate port; configured on a member port in an aggregation group, the
  setting can take effect only after the port leaves the aggregation group.
- After you enable MSTP, the device works in STP-compatible mode, RSTP mode or MSTP mode
  depending on the MSTP mode setting.
- After being enabled, MSTP dynamically maintains the spanning tree status of VLANs based on
  received configuration BPDUs; after being disabled, it stops maintaining the spanning tree status.
Related commands: stp mode.

Examples

# Enable the MSTP feature globally.


<Sysname> system-view
[Sysname] stp enable

# Disable MSTP on port GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo stp enable

stp ignored vlan

Syntax

stp ignored vlan vlan-list


undo stp ignored vlan vlan-list

View

System view

Default Level

2: System level

Parameters

vlan vlan-list: Specifies a VLAN list in the format of vlan-list = { vlan-id [ to vlan-id2 ] }&<1-10>, in which
vlan-id represents the VLAN ID and ranges from 1 to 4094. &<1-10> indicates you can specify up to 10
VLAN IDs or VLAN ID ranges.

Description

Use the stp ignored vlan command to enable VLAN Ignore for the specified VLAN(s).
Use the undo stp ignored vlan command to disable VLAN Ignore for the specified VLAN(s).

Examples

# Enable VLAN Ignore for VLAN 2.


<Sysname> system-view
[Sysname] stp ignored vlan 2

# Enable VLAN Ignore for VLAN 1 through VLAN 10.


[Sysname] stp ignored vlan 1 to 10

stp loop-protection

Syntax

stp loop-protection
undo stp loop-protection

View

Layer 2 Ethernet port view, port group view, Layer 2 aggregate port view

Default Level

2: System level

Parameters

None

Description

Use the stp loop-protection command to enable the loop guard function on the port(s).
Use the undo stp loop-protection command to restore the system default.
By default, the loop guard function is disabled.
Note that:
• Configured in Layer 2 Ethernet port view, the setting takes effect on the current port only;
configured in port group view, the setting takes effect on all ports in the port group; configured in
Layer 2 aggregate port view, the setting takes effect only on the aggregate port; configured on a
member port in an aggregation group, the setting can take effect only after the port leaves the
aggregation group.
• Among loop guard, root guard and edge port settings, only one function (whichever is configured
the earliest) can take effect on a port at the same time.
Related commands: stp edged-port, stp root-protection.

Examples

# Enable the loop guard function on GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp loop-protection

stp max-hops

Syntax

stp max-hops hops


undo stp max-hops

View

System view

Default Level

2: System level

Parameters

hops: Maximum hops, in the range of 1 to 40

Description

Use the stp max-hops command to set the maximum hops of the MST region on the device.
Use the undo stp max-hops command to restore the maximum hops to the default setting.
Setting the maximum hops limits the size of the MST region. By default, the maximum
number of hops of an MST region is 20.
Related commands: display stp.

Examples

# Set the maximum hops of the MST region on the device to 35.
<Sysname> system-view
[Sysname] stp max-hops 35

stp mcheck

Syntax

stp mcheck

View

System view, Layer 2 Ethernet port view, Layer 2 aggregate port view

Default Level

2: System level

Parameters

None

Description

Use the stp mcheck command to carry out the mCheck operation globally or on the current port.
If a port on a device running MSTP (or RSTP) connects to a device running STP, this port will
automatically migrate to the STP-compatible mode. However, it will not be able to migrate automatically
back to the MSTP (or RSTP) mode, but will remain working in the STP-compatible mode under the
following circumstances:
• The device running STP is shut down or removed.
• The device running STP migrates to the MSTP (or RSTP) mode.
In either case, you can perform an mCheck operation to force the port to migrate to the MSTP (or RSTP)
mode.
Note that:
• The device works in STP-compatible mode, RSTP mode or MSTP mode depending on the MSTP
mode setting.
• The stp mcheck command is meaningful only when the device works in RSTP or MSTP mode.
• Configured in system view, the setting takes effect globally; configured in Layer 2 Ethernet port
view, the setting takes effect on the current port only; configured in port group view, the setting
takes effect on all member ports in the port group.
• Configured in Layer 2 aggregate port view, the setting takes effect only on the aggregate port;
configured on a member port in an aggregation group, the setting can take effect only after the port
leaves the aggregation group.
Related commands: stp mode.

Examples

# Carry out mCheck on GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp mcheck

stp mode

Syntax

stp mode { stp | rstp | mstp }


undo stp mode

View

System view

Default Level

2: System level

Parameters

stp: Configures the MSTP-enabled device to work in STP-compatible mode.


rstp: Configures an MSTP-enabled device to work in RSTP mode.
mstp: Configures an MSTP-enabled device to work in MSTP mode.

Description

Use the stp mode command to configure the MSTP work mode of the device.
Use the undo stp mode command to restore the MSTP work mode to the default setting.
By default, an MSTP-enabled device works in MSTP mode.
Related commands: stp mcheck, stp enable.

Examples

# Configure the MSTP-enabled device to work in STP-compatible mode.


<Sysname> system-view
[Sysname] stp mode stp

stp no-agreement-check

Syntax

stp no-agreement-check
undo stp no-agreement-check

View

Layer 2 Ethernet port view, port group view, Layer 2 aggregate port view

Default Level

2: System level

Parameters

None

Description

Use the stp no-agreement-check command to enable No Agreement Check on the port(s).
Use the undo stp no-agreement-check command to disable No Agreement Check on the port(s).
By default, No Agreement Check is disabled.
Note that:
• Configured in Layer 2 Ethernet port view, the setting takes effect on the current port only;
configured in port group view, the setting takes effect on all member ports in the port group.
• Configured in Layer 2 aggregate port view, the setting takes effect only on the aggregate port;
configured on a member port in an aggregation group, the setting can take effect only after the port
leaves the aggregation group.
• This feature takes effect only after you enable it on the root port.

Examples

# Enable No Agreement Check on GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp no-agreement-check

stp pathcost-standard

Syntax

stp pathcost-standard { dot1d-1998 | dot1t | legacy }


undo stp pathcost-standard

View

System view

Default Level

2: System level

Parameters

dot1d-1998: The device calculates the default path cost for ports based on IEEE 802.1d-1998.
dot1t: The device calculates the default path cost for ports based on IEEE 802.1t.
legacy: The device calculates the default path cost for ports based on a private standard.

Description

Use the stp pathcost-standard command to specify a standard for the device to use when calculating
the default path costs for ports of the device.
Use the undo stp pathcost-standard command to restore the system default.
By default, the device calculates the default path cost for ports based on a private standard.
Note that:
• If you change the standard that the device uses in calculating the default path cost, the port path
cost value set through the stp cost command will be invalid.
• Table 1-11 shows the path costs calculated using different standards at different link speeds. When
calculating path cost for an aggregate port, 802.1d-1998 does not take into account the number of
member ports in its aggregation group as 802.1t does. The calculation formula of 802.1t is: Path
Cost = 200,000,000/link speed (in 100 kbps), where link speed is the sum of the link speed values
of the non-blocked ports in the aggregation group.

Table 1-11 Link speed vs. path cost

Link speed   Duplex state             Path cost in             Path cost in             Path cost in
                                      802.1d-1998 standard     IEEE 802.1t standard     private standard
0            —                        65535                    200,000,000              200,000
10 Mbps      Single Port              100                      2,000,000                2,000
10 Mbps      Aggregate Link 2 Ports   100                      1,000,000                1,800
10 Mbps      Aggregate Link 3 Ports   100                      666,666                  1,600
10 Mbps      Aggregate Link 4 Ports   100                      500,000                  1,400
100 Mbps     Single Port              19                       200,000                  200
100 Mbps     Aggregate Link 2 Ports   19                       100,000                  180
100 Mbps     Aggregate Link 3 Ports   19                       66,666                   160
100 Mbps     Aggregate Link 4 Ports   19                       50,000                   140
1000 Mbps    Single Port              4                        20,000                   20
1000 Mbps    Aggregate Link 2 Ports   4                        10,000                   18
1000 Mbps    Aggregate Link 3 Ports   4                        6,666                    16
1000 Mbps    Aggregate Link 4 Ports   4                        5,000                    14
10 Gbps      Single Port              2                        2,000                    2
10 Gbps      Aggregate Link 2 Ports   2                        1,000                    1
10 Gbps      Aggregate Link 3 Ports   2                        666                      1
10 Gbps      Aggregate Link 4 Ports   2                        500                      1

Related commands: stp cost, display stp.

Examples

# Configure the device to calculate the default path cost for ports based on IEEE 802.1d-1998.
<Sysname> system-view
[Sysname] stp pathcost-standard dot1d-1998

stp point-to-point

Syntax

stp point-to-point { auto | force-false | force-true }


undo stp point-to-point

View

Layer 2 Ethernet port view, port group view, Layer 2 aggregate port view

Default Level

2: System level

Parameters

auto: Specifies automatic detection of the link type.


force-false: Specifies the non-point-to-point link type.
force-true: Specifies the point-to-point link type.

Description

Use the stp point-to-point command to configure the link type of the current port(s).
Use the undo stp point-to-point command to restore the system default.
The default setting is auto; namely the MSTP-enabled device automatically detects whether a port
connects to a point-to-point link.
Note that:
• Configured in Layer 2 Ethernet port view, the setting takes effect on the current port only;
configured in port group view, the setting takes effect on all member ports in the port group.
• Configured in Layer 2 aggregate port view, the setting takes effect only on the aggregate port.
Configured on a member port in an aggregation group, the setting can take effect only after the port
leaves the aggregation group.
• When connecting to a non-point-to-point link, a port is incapable of rapid state transition.
• If the current port is a Layer 2 aggregate port or if it works in full duplex mode, the link to which the
current port connects is a point-to-point link. We recommend that you use the default setting,
namely let MSTP detect the link status automatically.
• This setting takes effect on the CIST and all MSTIs. If a port is configured as connecting to a
point-to-point link or a non-point-to-point link, the setting takes effect for the port in all MSTIs. If the
physical link to which the port connects is not a point-to-point link and you force it to be a
point-to-point link by configuration, your configuration may incur a temporary loop.
Related commands: display stp.

Examples

# Configure the link connecting GigabitEthernet 1/0/3 as a point-to-point link.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/3
[Sysname-GigabitEthernet1/0/3] stp point-to-point force-true

stp port priority

Syntax

stp [ instance instance-id ] port priority priority


undo stp [ instance instance-id ] port priority

View

Layer 2 Ethernet port view, port group view, Layer 2 aggregate port view

Default Level

2: System level

Parameters

instance instance-id: Sets the priority of the current port(s) in a particular MSTI. The minimum value of
instance-id is 0, representing the CIST, and the maximum value of instance-id is 3.
priority: Port priority, in the range of 0 to 240 at the step of 16 (0, 16, 32…, for example).

Description

Use the stp port priority command to set the priority of the port(s).
Use the undo stp port priority command to restore the system default.
Port priority affects the role of a port in an MSTI.
By default, the port priority is 128.
Note that:
• Configured in Layer 2 Ethernet port view, the setting takes effect on the current port only;
configured in port group view, the setting takes effect on all ports in the port group.
• Configured in Layer 2 aggregate port view, the setting takes effect only on the aggregate port.
Configured on a member port in an aggregation group, the setting can take effect only after the port
leaves the aggregation group.
• Setting different priorities for the same port in different MSTIs allows VLAN traffic flows to be
forwarded along different physical links, thus achieving VLAN-based load balancing.
• When the priority of a port is changed in an MSTI, MSTP will re-compute the role of the port and
initiate a state transition in the MSTI.
Related commands: display stp.

Examples

# Set the priority of port GigabitEthernet 1/0/3 in MSTI 2 to 16.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/3
[Sysname-GigabitEthernet1/0/3] stp instance 2 port priority 16

stp port-log

Syntax

stp port-log { all | instance instance-id }


undo stp port-log { all | instance instance-id }

View

System view

Default Level

2: System level

Parameters

all: Enables output of port state transition information for all MSTIs.
instance instance-id: Enables output of port state transition information for the specified MSTI. The
minimum value of instance-id is 0, representing the CIST, and the maximum value of this argument is 3.

Description

Use the stp port-log command to enable output of port state transition information for the specified
MSTI or all MSTIs.
Use the undo stp port-log command to disable output of port state transition information for the
specified MSTI or all MSTIs.
This function is enabled by default.

Examples

# Enable output of port state transition information for MSTI 2.


<Sysname> system-view
[Sysname] stp port-log instance 2
%Aug 16 00:49:41:856 2006 Sysname MSTP/3/PDISC: Instance 2's GigabitEthernet1/0/1 has been
set to discarding state!
%Aug 16 00:49:41:856 2006 Sysname MSTP/3/PFWD: Instance 2's GigabitEthernet1/0/2 has been
set to forwarding state!

// The information above shows that in MSTI 2 the state of GigabitEthernet 1/0/1 has changed to
discarding and that of GigabitEthernet 1/0/2 has changed to forwarding.

stp priority

Syntax

stp [ instance instance-id ] priority priority


undo stp [ instance instance-id ] priority

View

System view

Default Level

2: System level

Parameters

instance instance-id: Sets the priority of the device in a MSTI. The minimum value of instance-id is 0,
representing the CIST, and the maximum value of instance-id is 3.
priority: Device priority, in the range of 0 to 61440 at the step of 4096, namely you can set up to 16
priority values, such as 0, 4096, 8192…, on the device. The smaller the priority value, the higher the
device priority.

Description

Use the stp priority command to set the priority of the device.
Use the undo stp priority command to restore the default device priority.
By default, the device priority is 32768.

Examples

# Set the device priority in MSTI 1 to 4096.


<Sysname> system-view
[Sysname] stp instance 1 priority 4096

stp region-configuration

Syntax

stp region-configuration
undo stp region-configuration

View

System view

Default Level

2: System level

Parameters

None

Description

Use the stp region-configuration command to enter MST region view.


Use the undo stp region-configuration command to restore the default MST region configurations.
By default, the default settings are used for all the three MST region parameters. Namely, the device’s
MST region name is the device’s MAC address, all VLANs are mapped to the CIST, and the MSTP
revision level is 0.
After you enter MST region view, you can configure the MST region-related parameters, including the
region name, VLAN-to-instance mappings and revision level.

Examples

# Enter MST region view.


<Sysname> system-view
[Sysname] stp region-configuration
[Sysname-mst-region]

stp root primary

Syntax

stp [ instance instance-id ] root primary


undo stp [ instance instance-id ] root

View

System view

Default Level

2: System level

Parameters

instance instance-id: Configures the device as the root bridge in a particular MSTI. The minimum value
of instance-id is 0, representing the CIST, and the maximum value of instance-id is 3.

Description

Use the stp root primary command to configure the current device as the root bridge.
Use the undo stp root command to restore the system default.
By default, a device is not a root bridge in any MSTI.
Note that:
• There is only one root bridge in effect in an MSTI. If two or more devices have been designated to
be root bridges of the same MSTI, MSTP will select the device with the lowest MAC address as the
root bridge.
• You can specify a root bridge for each MSTI without caring about the device priority. After
specifying the current device as the root bridge or a secondary root bridge, you cannot change the
priority of the device.
Related commands: stp priority, stp root secondary.

Examples

# Specify the current device as the root bridge of MSTI 0.


<Sysname> system-view
[Sysname] stp instance 0 root primary

stp root secondary

Syntax

stp [ instance instance-id ] root secondary


undo stp [ instance instance-id ] root

View

System view

Default Level

2: System level

Parameters

instance instance-id: Configures the device as a secondary root bridge in a particular MSTI. The
minimum value of instance-id is 0, representing the CIST, and the maximum value of instance-id is 3.

Description

Use the stp root secondary command to configure the device as a secondary root bridge.
Use the undo stp root command to restore the system default.
By default, a device is not a secondary root bridge.
Note that:
• You can configure one or more secondary root bridges for each MSTI. When the root bridge of an
MSTI fails or is shut down, the secondary root bridge can take over the role of the root bridge of the
specified MSTI. However, if you specify a new primary root bridge for the instance then, the
secondary root bridge will not become the root bridge. If you specify more than one secondary root
bridge, the secondary root bridge with the lowest MAC address will become the root bridge.
• After specifying the current device as a secondary root bridge, you cannot change the priority of the
device.
Related commands: stp priority, stp root primary.

Examples

# Specify the current device as a secondary root bridge of MSTI 0.


<Sysname> system-view
[Sysname] stp instance 0 root secondary

stp root-protection

Syntax

stp root-protection
undo stp root-protection

View

Layer 2 Ethernet port view, port group view, Layer 2 aggregate port view

Default Level

2: System level

Parameters

None

Description

Use the stp root-protection command to enable the root guard function on the port(s).
Use the undo stp root-protection command to restore the default.
By default, the root guard function is disabled.
Note that:
• Configured in Layer 2 Ethernet port view, the setting takes effect on the current port only;
configured in port group view, the setting takes effect on all ports in the port group; configured in
Layer 2 aggregate port view, the setting takes effect only on the aggregate port; configured on the
member port in an aggregation group, the setting can take effect only after the port leaves the
aggregation group.
• Among loop guard, root guard and edge port settings, only one function (whichever is configured
the earliest) can take effect on a port at the same time.
Related commands: stp edged-port, stp loop-protection.

Examples

# Enable the root guard function for GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp root-protection

stp tc-protection

Syntax

stp tc-protection enable


stp tc-protection disable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the stp tc-protection enable command to enable the TC-BPDU attack guard function for the
device.
Use the stp tc-protection disable command to disable the TC-BPDU attack guard function for the
device.
By default, the TC-BPDU attack guard function is enabled.

Examples

# Disable the TC-BPDU attack guard function for the device.


<Sysname> system-view
[Sysname] stp tc-protection disable

stp tc-protection threshold

Syntax

stp tc-protection threshold number


undo stp tc-protection threshold

View

System view

Default Level

2: System level

Parameters

number: Maximum number of immediate forwarding address entry flushes that the switch can perform
within a certain period of time after it receives the first TC-BPDU. The value range for the argument is 1
to 255.

Description

Use the stp tc-protection threshold command to configure the maximum number of forwarding
address entry flushes that the device can perform within a certain period of time after it receives the first
TC-BPDU.
Use the undo stp tc-protection threshold command to restore the default.
By default, the device can perform a maximum of six forwarding address entry flushes within 10
seconds after it receives the first TC-BPDU.

Examples

# Set the maximum number of forwarding address entry flushes that the device can perform within 10
seconds after it receives the first TC-BPDU to 10.
<Sysname> system-view
[Sysname] stp tc-protection threshold 10
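
The following Python example is added here and is not part of the manual or of H3C software. It audits a command script for the protection settings described above: a disabled TC-BPDU attack guard, a flush threshold raised above the default of six, and ports on which more than one of edge port, root guard and loop guard is configured, where only the earliest takes effect. The function name, finding codes, sample script and the `stp edged-port disable` / `undo stp edged-port` forms are assumptions, and the input is assumed to list commands in the order they were entered.

```python
import re

# Port-level protections from this chapter. Per the notes under stp loop-protection
# and stp root-protection, only the one configured earliest takes effect on a port.
SET_GUARD = {
    "stp edged-port enable": "edge port",
    "stp root-protection": "root guard",
    "stp loop-protection": "loop guard",
}
CLEAR_GUARD = {
    "stp edged-port disable": "edge port",   # assumed form, not shown in this section
    "undo stp edged-port": "edge port",      # assumed form, not shown in this section
    "undo stp root-protection": "root guard",
    "undo stp loop-protection": "loop guard",
}
TC_DEFAULT_THRESHOLD = 6   # default: six flushes within 10 seconds of the first TC-BPDU


def audit_stp_protection(script, max_threshold=TC_DEFAULT_THRESHOLD):
    """Return findings as (scope, code, detail) tuples.

    max_threshold is the reviewer's own policy limit (an assumption), not a device rule.
    """
    tc_enabled = True                  # TC-BPDU attack guard is enabled by default
    threshold = TC_DEFAULT_THRESHOLD
    ports = {}                         # port -> guards still configured, oldest first
    port = None                        # None means system view

    for raw in script.splitlines():
        line = " ".join(raw.split()).lower()
        if line.startswith("interface "):
            port = line[len("interface "):]
            ports.setdefault(port, [])
        elif line == "quit":
            port = None
        elif line == "stp tc-protection disable":
            tc_enabled = False
        elif line == "stp tc-protection enable":
            tc_enabled = True
        elif line == "undo stp tc-protection threshold":
            threshold = TC_DEFAULT_THRESHOLD
        elif m := re.fullmatch(r"stp tc-protection threshold (\d+)", line):
            threshold = int(m.group(1))
        elif port is not None and line in SET_GUARD:
            if SET_GUARD[line] not in ports[port]:
                ports[port].append(SET_GUARD[line])
        elif port is not None and line in CLEAR_GUARD:
            if CLEAR_GUARD[line] in ports[port]:
                ports[port].remove(CLEAR_GUARD[line])

    findings = []
    if not tc_enabled:
        findings.append(("system", "tc-guard-disabled", None))
    if threshold > max_threshold:
        findings.append(("system", "tc-threshold-raised", threshold))
    for name, guards in ports.items():
        if len(guards) > 1:
            # Earliest setting is reported as effective, the later ones as inert.
            findings.append((name, "guard-conflict", (guards[0], tuple(guards[1:]))))
    return findings


# Constructed sample script (not from the manual), in the order commands were typed.
SAMPLE_SCRIPT = """\
system-view
stp enable
stp tc-protection disable
stp tc-protection threshold 200
interface gigabitethernet 1/0/1
 stp edged-port enable
 stp root-protection
 quit
interface gigabitethernet 1/0/2
 stp loop-protection
 quit
interface gigabitethernet 1/0/3
 stp root-protection
 undo stp root-protection
 stp loop-protection
"""

if __name__ == "__main__":
    for scope, code, detail in audit_stp_protection(SAMPLE_SCRIPT):
        print(scope, code, detail)
```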

stp timer forward-delay

Syntax

stp timer forward-delay time


undo stp timer forward-delay

View

System view

Default Level

2: System level

Parameters

time: Forward delay in centiseconds, ranging from 400 to 3000 at the step of 100.

Description

Use the stp timer forward-delay command to set the forward delay timer of the device.
Use the undo stp timer forward-delay command to restore the system default.
By default, the forward delay timer is set to 1,500 centiseconds.
In order to prevent temporary loops, a port must go through an intermediate state, the learning state,
before it transitions from the discarding state to the forwarding state, and must wait a certain period of
time before it transitions from one state to another to keep synchronized with the remote device during
state transition. The forward delay timer set on the root bridge determines the time interval of state
transition.
If the current device is the root bridge, the state transition interval of the device depends on the forward
delay value configured through this command; for a non-root bridge, its state transition interval is
determined by the forward delay timer set on the root bridge.
The settings of the hello time, forward delay and max age timers must meet the following formulae, thus
avoiding frequent network changes:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)
We recommend that you specify the network diameter of the switched network using the stp root
primary command and let MSTP automatically calculate optimal settings of these three timers.
Related commands: stp timer hello, stp timer max-age, stp bridge-diameter.

Examples

# Set the forward delay timer of the device to 2,000 centiseconds.


<Sysname> system-view
[Sysname] stp timer forward-delay 2000

stp timer hello

Syntax

stp timer hello time


undo stp timer hello

View

System view

Default Level

2: System level

Parameters

time: Hello time in centiseconds, ranging from 100 to 1000 at the step of 100.

Description

Use the stp timer hello command to set the hello time of the device.
Use the undo stp timer hello command to restore the system default.
By default, the hello time is set to 200 centiseconds.
Hello time is the time interval at which MSTP-enabled devices send configuration BPDUs to maintain
spanning tree. If a device fails to receive configuration BPDUs within the set period of time, a new
spanning tree calculation process will be triggered due to timeout. The root bridge sends configuration
BPDUs at the interval of the hello time set through this command, while non-root bridges use the hello
time set on the root bridge.
The settings of the hello time, forward delay and max age timers must meet the following formulae, thus
avoiding frequent network changes:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)
We recommend that you specify the network diameter of the switched network using the stp root
primary command and let MSTP automatically calculate optimal settings of these three timers.
Related commands: stp timer forward-delay, stp timer max-age, stp bridge-diameter.

Examples

# Set the hello time of the device to 400 centiseconds.


<Sysname> system-view
[Sysname] stp timer hello 400

stp timer max-age

Syntax

stp timer max-age time


undo stp timer max-age

View

System view

Default Level

2: System level

Parameters

time: Max age in centiseconds, ranging from 600 to 4000 at the step of 100.

Description

Use the stp timer max-age command to set the max age timer of the device.
Use the undo stp timer max-age command to restore the system default.
By default, the max age is set to 2,000 centiseconds.
MSTP can detect link failures and automatically restore the forwarding state of the redundant link. In the
CIST, the device determines whether a configuration BPDU received on a port has expired based on
the max age timer. If a port receives a configuration BPDU that has expired, that MSTI needs to be
re-computed.
The max age timer is not meaningful for MSTIs. If the current device is the root bridge of the CIST, it
determines whether a configuration BPDU has expired based on the configured max age timer; if the
current device is not the root bridge of the CIST, it uses the max age timer set on the CIST root bridge.
The settings of the hello time, forward delay and max age timers must meet the following formulae, thus
avoiding frequent network changes:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)
We recommend that you specify the network diameter using the stp root primary command and let
MSTP automatically calculate an optimal setting of these three timers.
Related commands: stp timer forward-delay, stp timer hello, stp bridge-diameter.

Examples

# Set the max age timer of the device to 1,000 centiseconds.


<Sysname> system-view
[Sysname] stp timer max-age 1000

stp timer-factor

Syntax

stp timer-factor factor


undo stp timer-factor

View

System view

Default Level

2: System level

Parameters

factor: Timeout factor, in the range of 1 to 20.

Description

Use the stp timer-factor command to set the timeout factor, which decides the timeout time. Timeout
time = timeout factor × 3 × hello time.
Use the undo stp timer-factor command to restore the default.
By default, the timeout factor is 3.
Note that:
• After the network topology is stabilized, each non-root-bridge device forwards configuration
BPDUs to the surrounding devices at the interval of hello time to check whether any link is faulty.
Typically, if a device does not receive a BPDU from the upstream device within nine times the hello
time, it will assume that the upstream device has failed and start a new spanning tree calculation
process.
• In a very stable network, this kind of spanning tree calculation may occur because the upstream
device is busy. In this case, you can avoid such unwanted spanning tree calculations by
lengthening the timeout time, thus saving the network resources. We recommend that you set the
timeout factor to 5, or 6, or 7 for a stable network.

Examples

# Set the timeout factor of the device to 7.


<Sysname> system-view
[Sysname] stp timer-factor 7
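
The timer ranges, the two relations between forward delay, max age and hello time, and the timeout formula above can be checked before a change is applied. The following Python example is added here and is not part of the manual or of H3C software; the function names and finding codes are assumptions, and the sample input is built from example commands in this chapter.

```python
import re

# Defaults and ranges stated in this reference, in centiseconds (1 second = 100).
TIMERS = {
    "forward-delay": {"default": 1500, "min": 400, "max": 3000},
    "hello": {"default": 200, "min": 100, "max": 1000},
    "max-age": {"default": 2000, "min": 600, "max": 4000},
}
STEP = 100
FACTOR = {"default": 3, "min": 1, "max": 20}
PROMPT = re.compile(r"^[\[<][^\]>]*[\]>]\s*")   # strips "[Sysname] " or "<Sysname> "


def effective_timers(commands):
    """Apply stp timer and stp timer-factor commands in order, starting from defaults."""
    values = {name: spec["default"] for name, spec in TIMERS.items()}
    values["timer-factor"] = FACTOR["default"]
    for raw in commands.splitlines():
        line = " ".join(PROMPT.sub("", raw.strip()).split()).lower()
        m = re.fullmatch(r"(undo )?stp timer (forward-delay|hello|max-age)(?: (\d+))?", line)
        if m:
            undo, name, arg = m.groups()
            if undo:
                values[name] = TIMERS[name]["default"]
            elif arg:
                values[name] = int(arg)
            continue
        m = re.fullmatch(r"(undo )?stp timer-factor(?: (\d+))?", line)
        if m:
            undo, arg = m.groups()
            if undo:
                values["timer-factor"] = FACTOR["default"]
            elif arg:
                values["timer-factor"] = int(arg)
    return values


def check_timers(values):
    """Return finding codes; an empty list means all documented constraints hold."""
    problems = []
    for name, spec in TIMERS.items():
        v = values[name]
        if not spec["min"] <= v <= spec["max"] or v % STEP:
            problems.append("range:" + name)
    if not FACTOR["min"] <= values["timer-factor"] <= FACTOR["max"]:
        problems.append("range:timer-factor")
    fd, hello, age = values["forward-delay"], values["hello"], values["max-age"]
    if not 2 * (fd - 100) >= age:        # 2 x (forward delay - 1 second) >= max age
        problems.append("fd-vs-max-age")
    if not age >= 2 * (hello + 100):     # max age >= 2 x (hello time + 1 second)
        problems.append("max-age-vs-hello")
    return problems


def timeout_cs(values):
    """Timeout time = timeout factor x 3 x hello time, in centiseconds."""
    return values["timer-factor"] * 3 * values["hello"]


# Example commands taken from this chapter, applied together (combination is constructed).
PAGE_EXAMPLES = """\
<Sysname> system-view
[Sysname] stp timer hello 400
[Sysname] stp timer max-age 1000
[Sysname] stp timer-factor 7
"""

if __name__ == "__main__":
    v = effective_timers(PAGE_EXAMPLES)
    print(v, check_timers(v), timeout_cs(v))
```

With the hello time at 400 centiseconds, a max age of 1,000 centiseconds sits exactly on the lower bound 2 × (hello time + 1 second), so any further increase of the hello time breaks the second relation.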

stp transmit-limit

Syntax

stp transmit-limit limit


undo stp transmit-limit

View

Layer 2 Ethernet port view, port group view, Layer 2 aggregate port view

Default Level

2: System level

Parameters

limit: Maximum number of BPDUs the port(s) can send within each hello time, in the range of 1 to 255.

Description

Use the stp transmit-limit command to set the maximum transmission rate of the port(s), that is, the
maximum number of BPDUs the port(s) can send within each hello time.
Use the undo stp transmit-limit command to restore the system default.
By default, the maximum transmission rate of all ports of the device is 10, that is, each port can send up
to 10 BPDUs within each hello time.
Note that:
• Configured in Layer 2 Ethernet port view, the setting takes effect on the current port only;
configured in port group view, the setting takes effect on all member ports in the port group.
• Configured in Layer 2 aggregate port view, the setting takes effect only on the aggregate port;
configured on a member port in an aggregation group, the setting can take effect only after the port
leaves the aggregation group.
• A larger maximum transmission rate value represents more BPDUs that the port will send within
each hello time, but this means that more system resources will be used. An appropriate maximum
transmission rate setting can limit the speed at which a port sends BPDUs and prevent MSTP from
using excessive bandwidth resources during network topology changes. We recommend that you
use the default value.

Examples

# Set the maximum transmission rate of port GigabitEthernet 1/0/1 to 5.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp transmit-limit 5

vlan-mapping modulo

Syntax

vlan-mapping modulo modulo

View

MST region view

Default Level

2: System level

Parameters

modulo: Modulo value. The minimum value is 1, and the maximum value is 3.

Description

Use the vlan-mapping modulo command to map VLANs in the current MST region to MSTIs
according to the specified modulo value, thus quickly creating a VLAN-to-instance mapping table.
By default, all VLANs are mapped to the CIST (MSTI 0).
Note that:
• You cannot map the same VLAN to different MSTIs. If you map a VLAN that has been mapped to
an MSTI to a new MSTI, the old mapping will be automatically removed.
• This command maps each VLAN to the MSTI whose ID is (VLAN ID – 1) % modulo + 1, where
(VLAN ID – 1) % modulo is the modulo operation for (VLAN ID – 1). If the modulo value is 3, for
example, then VLAN 1 will be mapped to MSTI 1, VLAN 2 to MSTI 2, VLAN 3 to MSTI 3, VLAN 4 to
MSTI 1, and so on.
Related commands: region-name, revision-level, display stp region-configuration, check
region-configuration, active region-configuration.

Examples

# Map VLANs to MSTIs as per modulo 3.


<Sysname> system-view
[Sysname] stp region-configuration
[Sysname-mst-region] vlan-mapping modulo 3

1 IP Addressing Configuration Commands

IP Addressing Configuration Commands


display ip interface

Syntax

display ip interface [ interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Description

Use the display ip interface command to display information about a specified or all Layer 3
interfaces.

Examples

# Display information about interface VLAN-interface 1.


<Sysname> display ip interface vlan-interface 1
Vlan-interface1 current state : DOWN
Line protocol current state : DOWN
Internet Address is 1.1.1.1/8 Primary
Broadcast address : 1.255.255.255
The Maximum Transmit Unit : 1500 bytes
input packets : 0, bytes : 0, multicasts : 0
output packets : 0, bytes : 0, multicasts : 0
ARP packet input number: 0
Request packet: 0
Reply packet: 0
Unknown packet: 0
TTL invalid packet number: 0
ICMP packet input number: 0
Echo reply: 0
Unreachable: 0
Source quench: 0
Routing redirect: 0
Echo request: 0
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 0
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 0
Netmask reply: 0
Unknown type: 0

Table 1-1 display ip interface command output description

Field                               Description
current state                       Current physical state of the interface, which can be:
                                    - Administrative DOWN: Indicates that the interface is administratively down; that is, the interface is shut down with the shutdown command.
                                    - DOWN: Indicates that the interface is administratively up but its physical state is down, which may be caused by a connection or link failure.
                                    - UP: Indicates that both the administrative and physical states of the interface are up.
Line protocol current state         Current state of the link layer protocol, which can be:
                                    - DOWN: Indicates that the protocol state of the interface is down, usually because no IP address is assigned to the interface.
                                    - UP: Indicates that the protocol state of the interface is up.
Internet Address                    IP address of an interface, followed by:
                                    - Primary: Identifies a primary IP address, or
                                    - Sub: Identifies a secondary IP address.
Broadcast address                   Broadcast address of the subnet attached to an interface
The Maximum Transmit Unit           Maximum transmission unit of the interface, in bytes
input packets, bytes, multicasts    Unicast packets, bytes, and multicast packets received on an
output packets, bytes, multicasts   interface (the statistics start at the device startup)
ARP packet input number:            Total number of ARP packets received on the interface (the statistics start at the device startup), including:
Request packet:                     - ARP request packets
Reply packet:                       - ARP reply packets
Unknown packet:                     - Unknown packets
TTL invalid packet number           Number of TTL-invalid packets received on the interface (the statistics start at the device startup)
ICMP packet input number:           Total number of ICMP packets received on the interface (the statistics start at the device startup), including the following packets:
Echo reply:                         - Echo reply packets
Unreachable:                        - Unreachable packets
Source quench:                      - Source quench packets
Routing redirect:                   - Routing redirect packets
Echo request:                       - Echo request packets
Router advert:                      - Router advertisement packets
Router solicit:                     - Router solicitation packets
Time exceed:                        - Time exceeded packets
IP header bad:                      - IP header bad packets
Timestamp request:                  - Timestamp request packets
Timestamp reply:                    - Timestamp reply packets
Information request:                - Information request packets
Information reply:                  - Information reply packets
Netmask request:                    - Netmask request packets
Netmask reply:                      - Netmask reply packets
Unknown type:                       - Unknown type packets

display ip interface brief

Syntax

display ip interface brief [ interface-type [ interface-number ] ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-type: Interface type.


interface-number: Interface number.

Description

Use the display ip interface brief command to display brief information about a specified Layer 3
interface or all Layer 3 interfaces.
Note that:
- Without the interface type and interface number specified, the information about all Layer 3 interfaces is displayed.
- With only the interface type specified, the information about all Layer 3 interfaces of the specified type is displayed.
- With both the interface type and interface number specified, only the information about the specified interface is displayed.
Related commands: display ip interface.

Examples

# Display brief information about VLAN interfaces.

<Sysname> display ip interface brief vlan-interface
*down: administratively down
(s): spoofing
Interface Physical Protocol IP Address Description
Vlan-interface1 up up 6.6.6.6 Vlan-inte...
Vlan-interface2 up up 7.7.7.7 VLAN2

Table 1-2 display ip interface brief command output description

Field                           Description
*down: administratively down    The interface is administratively shut down with the shutdown command.
(s): spoofing                   Spoofing attribute of the interface. It indicates that an interface whose network layer protocol is displayed up may have no link present or the link is set up only on demand.
Interface                       Interface name
Physical                        Physical state of the interface, which can be:
                                - *down: Indicates that the interface is administratively down; that is, the interface is shut down with the shutdown command.
                                - down: Indicates that the interface is administratively up but its physical state is down, which may be caused by a connection or link failure.
                                - up: Indicates that both the administrative and physical states of the interface are up.
Protocol                        Link layer protocol state of the interface, which can be:
                                - down: Indicates that the protocol state of the interface is down, usually because no IP address is assigned to the interface.
                                - up: Indicates that the protocol state of the interface is up.
IP Address                      IP address of the interface (If no IP address is configured, "unassigned" is displayed.)
Description                     Interface description information, for which at most 12 characters can be displayed. If there are more than 12 characters, only the first nine characters are displayed.

ip address

Syntax

ip address ip-address { mask | mask-length }


undo ip address [ ip-address { mask | mask-length } ]

View

Interface view

Default Level

2: System level

Parameters

ip-address: IP address of interface, in dotted decimal notation.

mask: Subnet mask in dotted decimal notation.
mask-length: Subnet mask length, the number of consecutive ones in the mask.

Description

Use the ip address command to assign an IP address and mask to the interface.
Use the undo ip address command to remove all IP addresses from the interface.
By default, no IP address is assigned to any interface.
Related commands: display ip interface.

Examples

# Assign VLAN-interface 1 the primary IP address 129.12.0.1 with the subnet mask 255.255.255.0.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 129.12.0.1 255.255.255.0

Table of Contents

1 IP Performance Optimization Configuration Commands
    IP Performance Optimization Configuration Commands
        display fib
        display fib ip-address
        display icmp statistics
        display ip socket
        display ip statistics
        display tcp statistics
        display tcp status
        display udp statistics
        ip forward-broadcast (interface view)
        ip forward-broadcast (system view)
        ip ttl-expires enable
        ip unreachables enable
        reset ip statistics
        reset tcp statistics
        reset udp statistics
        tcp anti-naptha enable
        tcp state
        tcp syn-cookie enable
        tcp timer check-state
        tcp timer fin-timeout
        tcp timer syn-timeout
        tcp window

1 IP Performance Optimization Configuration Commands

IP Performance Optimization Configuration Commands


display fib

Syntax

display fib [ | { begin | include | exclude } regular-expression | acl acl-number | ip-prefix ip-prefix-name ]

View

Any view

Default Level

1: Monitor level

Parameters

|: Uses a regular expression to match FIB entries. For detailed information about regular expressions,
refer to CLI display in Basic System Configuration.
begin: Displays the first entry that matches the specified regular expression and all the FIB entries
following it.
exclude: Displays the FIB entries that do not match the specified regular expression.
include: Displays the FIB entries that match the specified regular expression.
regular-expression: A case-sensitive string of 1 to 256 characters, excluding spaces.
acl acl-number: Displays FIB entries matching a specified ACL numbered from 2000 to 2999. If the
specified ACL does not exist, all FIB entries are displayed.
ip-prefix ip-prefix-name: Displays FIB entries matching a specified IP prefix list, a string of 1 to 19
characters. If the specified IP prefix list does not exist, all FIB entries are displayed.

Currently, the S5120-SI series Ethernet switches do not support the ip-prefix keyword. That is, they do
not display FIB entries matching a specified IP prefix list.

Description

Use the display fib command to display FIB entries. If no parameters are specified, all FIB entries will
be displayed.

Examples

# Display all FIB entries.


<Sysname> display fib
Destination count: 4 FIB entry count: 4

Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay

Destination/Mask Nexthop Flag OutInterface InnerLabel Token


10.2.0.0/16 10.2.1.1 U Vlan1 Null Invalid
10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid
127.0.0.0/8 127.0.0.1 U InLoop0 Null Invalid
127.0.0.1/32 127.0.0.1 UH InLoop0 Null Invalid

# Display the FIB entries that match ACL 2000.


<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.2.0.0 0.0.255.255
[Sysname-acl-basic-2000] display fib acl 2000
Destination count: 2 FIB entry count: 2

Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay

Destination/Mask Nexthop Flag OutInterface InnerLabel Token


10.2.0.0/16 10.2.1.1 U Vlan1 Null Invalid
10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid

# Display the FIB entries starting from the first entry that contains the string 127.
<Sysname> display fib | begin 127
Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay

Destination/Mask Nexthop Flag OutInterface InnerLabel Token


10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid
127.0.0.0/8 127.0.0.1 U InLoop0 Null Invalid
127.0.0.1/32 127.0.0.1 UH InLoop0 Null Invalid

Table 1-1 display fib command output description

Field               Description
Destination count   Total number of destination addresses
FIB entry count     Total number of FIB entries
Destination/Mask    Destination address/length of mask
Nexthop             Address of next hop
Flag                Flags of routes:
                    - "U": Usable route
                    - "G": Gateway route
                    - "H": Host route
                    - "B": Blackhole route
                    - "D": Dynamic route
                    - "S": Static route
                    - "R": Relay route
OutInterface        Outbound interface
InnerLabel          Inner label
Token               LSP index number

display fib ip-address

Syntax

display fib ip-address [ mask | mask-length ]

View

Any view

Default Level

1: Monitor level

Parameters

ip-address: Destination IP address, in dotted decimal notation.


mask: IP address mask.
mask-length: Length of IP address mask.

Description

Use the display fib ip-address command to display FIB entries that match the specified destination IP
address.
If no mask or mask length is specified, the FIB entry that matches the destination IP address and has
the longest mask will be displayed; if the mask is specified, the FIB entry that exactly matches the
specified destination IP address will be displayed.

Examples

# Display the FIB entries that match the destination IP address of 10.2.1.1.

<Sysname> display fib 10.2.1.1
Destination count: 1 FIB entry count: 1

Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay

Destination/Mask Nexthop Flag OutInterface InnerLabel Token


10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid

For description about the above output, refer to Table 1-1.
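
The lookup rule described for display fib ip-address can be reproduced offline against saved display fib output. The Python code below is an added example, not part of the H3C manual: it parses the entry lines and returns the longest match when no mask is given, or the exactly matching entry when a mask or mask length is given. The function names and the reading of "exact match" (destination and mask both equal to the query) are assumptions; the sample table is constructed from the example output above.

```python
import ipaddress

# Constructed sample: the table from the "display fib" example output above.
SAMPLE_FIB = """\
Destination/Mask Nexthop Flag OutInterface InnerLabel Token
10.2.0.0/16 10.2.1.1 U Vlan1 Null Invalid
10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid
127.0.0.0/8 127.0.0.1 U InLoop0 Null Invalid
127.0.0.1/32 127.0.0.1 UH InLoop0 Null Invalid
"""

# Flag letters as listed in the legend of the command output.
FLAG_NAMES = {"U": "Useable", "G": "Gateway", "H": "Host", "B": "Blackhole",
              "D": "Dynamic", "S": "Static", "R": "Relay"}


def parse_fib(text):
    """Parse FIB entry lines; headers, legends and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        try:
            network = ipaddress.ip_network(fields[0])
        except ValueError:
            continue  # e.g. the "Destination/Mask" header or the flag legend
        entries.append({"network": network, "nexthop": fields[1],
                        "flags": [FLAG_NAMES.get(c, c) for c in fields[2]],
                        "interface": fields[3]})
    return entries


def lookup(entries, address, mask=None):
    """Without a mask: longest match. With a mask or mask length: exact match."""
    if mask is None:
        addr = ipaddress.ip_address(address)
        hits = [e for e in entries if addr in e["network"]]
        return max(hits, key=lambda e: e["network"].prefixlen, default=None)
    # Assumption: "exact match" means destination and mask both equal the query.
    wanted = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return next((e for e in entries if e["network"] == wanted), None)


if __name__ == "__main__":
    fib = parse_fib(SAMPLE_FIB)
    for query in (("10.2.1.1",), ("10.2.9.9",), ("10.2.0.0", 16), ("192.0.2.1",)):
        hit = lookup(fib, *query)
        print(query, "->", hit["network"] if hit else "no entry")
```

A result whose flags include Blackhole means matching traffic is discarded, which is worth checking when a route change is suspected.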

display icmp statistics

Syntax

display icmp statistics

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display icmp statistics command to display ICMP statistics.


Related commands: display ip interface in IP Addressing Commands; reset ip statistics.

Examples

# Display ICMP statistics.


<Sysname> display icmp statistics
Input: bad formats 0 bad checksum 0
echo 5 destination unreachable 0
source quench 0 redirects 0
echo reply 10 parameter problem 0
timestamp 0 information request 0
mask requests 0 mask replies 0
time exceeded 0
Output:echo 10 destination unreachable 0
source quench 0 redirects 0
echo reply 5 parameter problem 0
timestamp 0 information reply 0
mask requests 0 mask replies 0
time exceeded 0

Table 1-2 display icmp statistics command output description

Field                     Description
bad formats               Number of input wrong format packets
bad checksum              Number of input wrong checksum packets
echo                      Number of input/output echo packets
destination unreachable   Number of input/output destination unreachable packets
source quench             Number of input/output source quench packets
redirects                 Number of input/output redirection packets
echo reply                Number of input/output replies
parameter problem         Number of input/output parameter problem packets
timestamp                 Number of input/output time stamp packets
information request       Number of input information request packets
mask requests             Number of input/output mask requests
mask replies              Number of input/output mask replies
information reply         Number of output information reply packets
time exceeded             Number of input/output expiration packets

display ip socket

Syntax

display ip socket [ socktype sock-type ] [ task-id socket-id ]

View

Any view

Default Level

1: Monitor level

Parameters

socktype sock-type: Displays the socket information of this type. The sock type is in the range 1 to 3,
corresponding to TCP, UDP and raw IP respectively.
task-id: Displays the socket information of this task. Task ID is in the range 1 to 150.
socket-id: Displays the information of the socket. Socket ID is in the range 0 to 3072.

Description

Use the display ip socket command to display socket information.

Examples

# Display socket information of all types.


<Sysname> display ip socket
SOCK_STREAM:

Task = VTYD(38), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_REUSEPORT SO_SENDVPNID(3073) SO_SETKEEPALIVE,
socket state = SS_PRIV SS_ASYNC

Task = HTTP(36), socketid = 1, Proto = 6,


LA = 0.0.0.0:80, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT,
socket state = SS_PRIV SS_NBIO

Task = ROUT(69), socketid = 10, Proto = 6,


LA = 0.0.0.0:179, FA = 192.168.1.45:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEADDR SO_REUSEPORT SO_SENDVPNID(0),
socket state = SS_PRIV SS_ASYNC

Task = VTYD(38), socketid = 4, Proto = 6,


LA = 192.168.1.40:23, FA = 192.168.1.52:1917,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 237, rb_cc = 0,
socket option = SO_KEEPALIVE SO_OOBINLINE SO_REUSEPORT SO_SENDVPNID(0) SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC

Task = VTYD(38), socketid = 3, Proto = 6,


LA = 192.168.1.40:23, FA = 192.168.1.84:1503,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_KEEPALIVE SO_OOBINLINE SO_REUSEPORT SO_SENDVPNID(0) SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC

Task = ROUT(69), socketid = 11, Proto = 6,


LA = 192.168.1.40:1025, FA = 192.168.1.45:179,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_REUSEADDR SO_LINGER SO_SENDVPNID(0),
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC

SOCK_DGRAM:
Task = NTPT(37), socketid = 1, Proto = 17,
LA = 0.0.0.0:123, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM SO_SENDVPNID(3073),
socket state = SS_PRIV

Task = AGNT(51), socketid = 1, Proto = 17,


LA = 0.0.0.0:161, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM SO_SENDVPNID(3073),

socket state = SS_PRIV SS_NBIO SS_ASYNC

Task = RDSO(56), socketid = 1, Proto = 17,


LA = 0.0.0.0:1024, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM,
socket state = SS_PRIV

Task = TRAP(52), socketid = 1, Proto = 17,


LA = 0.0.0.0:1025, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 0, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM,
socket state = SS_PRIV

Task = RDSO(56), socketid = 2, Proto = 17,


LA = 0.0.0.0:1812, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM,
socket state = SS_PRIV

SOCK_RAW:
Task = ROUT(69), socketid = 8, Proto = 89,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 262144, rcvbuf = 262144, sb_cc = 0, rb_cc = 0,
socket option = SO_SENDVPNID(0) SO_RCVVPNID(0),
socket state = SS_PRIV SS_ASYNC

Task = ROUT(69), socketid = 3, Proto = 2,


LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 32767, rcvbuf = 256000, sb_cc = 0, rb_cc = 0,
socket option = SO_SENDVPNID(0) SO_RCVVPNID(0),
socket state = SS_PRIV SS_NBIO SS_ASYNC

Task = ROUT(69), socketid = 2, Proto = 103,


LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 65536, rcvbuf = 256000, sb_cc = 0, rb_cc = 0,
socket option = SO_SENDVPNID(0) SO_RCVVPNID(0),
socket state = SS_PRIV SS_NBIO SS_ASYNC

Task = ROUT(69), socketid = 1, Proto = 65,


LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 32767, rcvbuf = 256000, sb_cc = 0, rb_cc = 0,
socket option = 0,
socket state = SS_PRIV SS_NBIO SS_ASYNC

Task = RSVP(73), socketid = 1, Proto = 46,


LA = 0.0.0.0, FA = 0.0.0.0,

sndbuf = 4194304, rcvbuf = 4194304, sb_cc = 0, rb_cc = 0,
socket option = 0,
socket state = SS_PRIV SS_NBIO SS_ASYNC

Table 1-3 display ip socket command output description

Field           Description
SOCK_STREAM     TCP socket
SOCK_DGRAM      UDP socket
SOCK_RAW        Raw IP socket
Task            Task number
socketid        Socket ID
Proto           Protocol number of the socket, indicating the protocol type that IP carries
LA              Local address and local port number
FA              Remote address and remote port number
sndbuf          Sending buffer size of the socket, in bytes
rcvbuf          Receiving buffer size of the socket, in bytes
sb_cc           Current data size in the sending buffer (It is available only for TCP that can buffer data)
rb_cc           Data size currently in the receiving buffer
socket option   Socket option
socket state    Socket state
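
The display ip socket output doubles as an inventory of the services the switch exposes. The Python code below is an added example, not part of the H3C manual: it parses output in the format shown above, lists Telnet, HTTP and SNMP sockets that accept traffic on any local address, and lists established sessions. The REVIEW_PORTS policy, the function names, and treating SO_ACCEPTCONN as the marker of a listening TCP socket are assumptions; the sample is constructed from records in the example output above.

```python
import re

# Constructed sample: records taken from the example output above, shortened.
SAMPLE = """\
SOCK_STREAM:
Task = VTYD(38), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_REUSEPORT SO_SENDVPNID(3073) SO_SETKEEPALIVE,
socket state = SS_PRIV SS_ASYNC

Task = HTTP(36), socketid = 1, Proto = 6,
LA = 0.0.0.0:80, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT,
socket state = SS_PRIV SS_NBIO

Task = VTYD(38), socketid = 4, Proto = 6,
LA = 192.168.1.40:23, FA = 192.168.1.52:1917,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 237, rb_cc = 0,
socket option = SO_KEEPALIVE SO_OOBINLINE SO_REUSEPORT SO_SENDVPNID(0) SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC

SOCK_DGRAM:
Task = AGNT(51), socketid = 1, Proto = 17,
LA = 0.0.0.0:161, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM SO_SENDVPNID(3073),
socket state = SS_PRIV SS_NBIO SS_ASYNC

SOCK_RAW:
Task = ROUT(69), socketid = 8, Proto = 89,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 262144, rcvbuf = 262144, sb_cc = 0, rb_cc = 0,
socket option = SO_SENDVPNID(0) SO_RCVVPNID(0),
socket state = SS_PRIV SS_ASYNC
"""

SECTION_RE = re.compile(r"^(SOCK_STREAM|SOCK_DGRAM|SOCK_RAW):$")
TASK_RE = re.compile(r"^Task = (\w+)\((\d+)\), socketid = (\d+), Proto = (\d+),?$")
ADDR_RE = re.compile(r"^LA = ([\d.:]+), FA = ([\d.:]+),?$")
# Assumption: the services this audit treats as cleartext management access.
REVIEW_PORTS = {("SOCK_STREAM", 23): "Telnet", ("SOCK_STREAM", 80): "HTTP",
                ("SOCK_DGRAM", 161): "SNMP"}

def split_addr(addr):
    """Split 'host:port'; raw IP sockets print a bare address with no port."""
    host, sep, port = addr.partition(":")
    return host, (int(port) if sep else None)

def parse_sockets(text):
    """Turn 'display ip socket' output into one dict per socket."""
    sockets, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            section, cur = line.rstrip(":"), None
        elif TASK_RE.match(line):
            task, task_id, sock_id, proto = TASK_RE.match(line).groups()
            cur = {"type": section, "task": task, "task_id": int(task_id),
                   "socketid": int(sock_id), "proto": int(proto),
                   "local": None, "foreign": None, "options": [], "state": []}
            sockets.append(cur)
        elif cur is None:
            continue  # text before the first record
        elif ADDR_RE.match(line):
            la, fa = ADDR_RE.match(line).groups()
            cur["local"], cur["foreign"] = split_addr(la), split_addr(fa)
        elif line.startswith("socket option ="):
            cur["options"] = line.split("=", 1)[1].strip(" ,").split()
        elif line.startswith("socket state ="):
            cur["state"] = line.split("=", 1)[1].strip(" ,").split()
    return sockets

def exposed_services(sockets):
    """Review-listed services that accept traffic on any local address."""
    found = []
    for s in sockets:
        if not s["local"] or s["local"][1] is None:
            continue  # raw IP socket or incomplete record
        listening = (s["type"] == "SOCK_STREAM" and "SO_ACCEPTCONN" in s["options"]) or \
                    (s["type"] == "SOCK_DGRAM" and "SS_ISCONNECTED" not in s["state"])
        service = REVIEW_PORTS.get((s["type"], s["local"][1]))
        if listening and service and s["local"][0] == "0.0.0.0":
            found.append((service, s["local"][1], s["task"]))
    return sorted(found, key=lambda f: f[1])

def established_sessions(sockets):
    """(task, local port, peer address, peer port) for connected sockets."""
    return [(s["task"], s["local"][1], s["foreign"][0], s["foreign"][1])
            for s in sockets if "SS_ISCONNECTED" in s["state"] and s["local"]]

if __name__ == "__main__":
    socks = parse_sockets(SAMPLE)
    print(exposed_services(socks))
    print(established_sessions(socks))
```

Comparing the result against the services the device is supposed to run shows management listeners that should be disabled or restricted by ACL.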

display ip statistics

Syntax

display ip statistics

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ip statistics command to display statistics of IP packets.


Related commands: display ip interface in IP Addressing Commands; reset ip statistics.

Examples

# Display statistics of IP packets.

<Sysname> display ip statistics
Input: sum 7120 local 112
bad protocol 0 bad format 0
bad checksum 0 bad options 0
Output: forwarding 0 local 27
dropped 0 no route 2
compress fails 0
Fragment:input 0 output 0
dropped 0
fragmented 0 couldn't fragment 0
Reassembling:sum 0 timeouts 0

Table 1-4 display ip statistics command output description

Field                 Description
Input:
  sum                 Total number of packets received
  local               Total number of packets with destination being local
  bad protocol        Total number of unknown protocol packets
  bad format          Total number of packets with incorrect format
  bad checksum        Total number of packets with incorrect checksum
  bad options         Total number of packets with incorrect option
Output:
  forwarding          Total number of packets forwarded
  local               Total number of packets sent from the local
  dropped             Total number of packets discarded
  no route            Total number of packets for which no route is available
  compress fails      Total number of packets failed to be compressed
Fragment:
  input               Total number of fragments received
  output              Total number of fragments sent
  dropped             Total number of fragments dropped
  fragmented          Total number of packets successfully fragmented
  couldn't fragment   Total number of packets that failed to be fragmented
Reassembling:
  sum                 Total number of packets reassembled
  timeouts            Total number of reassembly timeout fragments

display tcp statistics

Syntax

display tcp statistics

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display tcp statistics command to display statistics of TCP traffic.
Related commands: display tcp status, reset tcp statistics.

Examples

# Display statistics of TCP traffic.


<Sysname> display tcp statistics
Received packets:
Total: 8457
packets in sequence: 3660 (5272 bytes)
window probe packets: 0, window update packets: 0
checksum error: 0, offset error: 0, short error: 0

duplicate packets: 1 (8 bytes), partially duplicate packets: 0 (0 bytes)


out-of-order packets: 17 (0 bytes)
packets of data after window: 0 (0 bytes)
packets received after close: 0

ACK packets: 4625 (141989 bytes)


duplicate ACK packets: 1702, too much ACK packets: 0

Sent packets:
Total: 6726
urgent packets: 0
control packets: 21 (including 0 RST)
window probe packets: 0, window update packets: 0

data packets: 6484 (141984 bytes) data packets retransmitted: 0 (0 bytes)


ACK-only packets: 221 (177 delayed)

Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0


Keepalive timeout: 1682, keepalive probe: 1682, Keepalive timeout, so connections
disconnected : 0
Initiated connections: 0, accepted connections: 22, established connections: 22
Closed connections: 49 (dropped: 0, initiated dropped: 0)
Packets dropped with MD5 authentication: 0
Packets permitted with MD5 authentication: 0

Table 1-5 display tcp statistics command output description

Field                                             Description
Received packets:
  Total                                           Total number of packets received
  packets in sequence                             Number of packets arriving in sequence
  window probe packets                            Number of window probe packets received
  window update packets                           Number of window update packets received
  checksum error                                  Number of checksum error packets received
  offset error                                    Number of offset error packets received
  short error                                     Number of received packets with length being too small
  duplicate packets                               Number of completely duplicate packets received
  partially duplicate packets                     Number of partially duplicate packets received
  out-of-order packets                            Number of out-of-order packets received
  packets of data after window                    Number of packets outside the receiving window
  packets received after close                    Number of packets that arrived after connection is closed
  ACK packets                                     Number of ACK packets received
  duplicate ACK packets                           Number of duplicate ACK packets received
  too much ACK packets                            Number of ACK packets for data unsent
Sent packets:
  Total                                           Total number of packets sent
  urgent packets                                  Number of urgent packets sent
  control packets                                 Number of control packets sent
  window probe packets                            Number of window probe packets sent; in the brackets are resent packets
  window update packets                           Number of window update packets sent
  data packets                                    Number of data packets sent
  data packets retransmitted                      Number of data packets retransmitted
  ACK-only packets                                Number of ACK packets sent; in brackets are delayed ACK packets
Retransmitted timeout                             Number of retransmission timer timeouts
connections dropped in retransmitted timeout      Number of connections broken due to retransmission timeouts
Keepalive timeout                                 Number of keepalive timer timeouts
keepalive probe                                   Number of keepalive probe packets sent
Keepalive timeout, so connections disconnected    Number of connections broken due to timeout of the keepalive timer
Initiated connections                             Number of connections initiated
accepted connections                              Number of connections accepted
established connections                           Number of connections established
Closed connections                                Number of connections closed; in brackets are connections closed accidentally (before receiving SYN from the peer) and connections closed initiatively (after receiving SYN from the peer)
Packets dropped with MD5 authentication           Number of packets dropped by MD5 authentication
Packets permitted with MD5 authentication         Number of packets permitted by MD5 authentication

display tcp status

Syntax

display tcp status

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display tcp status command to display the status of all TCP connections so that you can
monitor them.

Examples

# Display status of all TCP connections.


<Sysname> display tcp status
*: TCP MD5 Connection
TCPCB Local Add:port Foreign Add:port State
03e37dc4 0.0.0.0:4001 0.0.0.0:0 Listening
04217174 100.0.0.204:23 100.0.0.253:65508 Established

Table 1-6 display tcp status command output description

Field             Description
*                 If the status information of a TCP connection contains *, the TCP adopts the MD5 algorithm for authentication.
TCPCB             TCP control block
Local Add:port    Local IP address and port number
Foreign Add:port  Remote IP address and port number
State             State of the TCP connection

display udp statistics

Syntax

display udp statistics

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display udp statistics command to display statistics of UDP packets.
Related commands: reset udp statistics.

Examples

# Display statistics of UDP packets.


<Sysname> display udp statistics
Received packets:
Total: 0
checksum error: 0
shorter than header: 0, data length larger than packet: 0
unicast(no socket on port): 0
broadcast/multicast(no socket on port): 0
not delivered, input socket full: 0
input packets missing pcb cache: 0
Sent packets:
Total: 0

Table 1-7 display udp statistics command output description

Field                                       Description
Received packets:
  Total                                     Total number of UDP packets received
  checksum error                            Total number of packets with incorrect checksum
  shorter than header                       Number of packets with data shorter than the header
  data length larger than packet            Number of packets with data longer than packet
  unicast(no socket on port)                Number of unicast packets with no socket on port
  broadcast/multicast(no socket on port)    Number of broadcast/multicast packets without socket on port
  not delivered, input socket full          Number of packets not delivered to an upper layer due to a full socket cache
  input packets missing pcb cache           Number of packets without matching protocol control block (PCB) cache
Sent packets:
  Total                                     Total number of UDP packets sent

ip forward-broadcast (interface view)

Syntax

ip forward-broadcast [ acl acl-number ]


undo ip forward-broadcast

View

Interface view

Default Level

2: System level

Parameters

acl acl-number: Access control list number, in the range 2000 to 3999. From 2000 to 2999 are numbers
for basic ACLs, and from 3000 to 3999 are numbers for advanced ACLs. Only directed broadcasts
permitted by the ACL can be forwarded.

Description

Use the ip forward-broadcast command to enable the interface to forward directed broadcasts to a
directly-connected network.
Use the undo ip forward-broadcast command to disable the interface from forwarding directed
broadcasts to a directly-connected network.
By default, an interface is disabled from forwarding directed broadcasts to a directly-connected
network.

Examples

# Enable VLAN-interface 2 to forward directed broadcasts that match ACL 2001 to a directly-connected
network.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] ip forward-broadcast acl 2001

ip forward-broadcast (system view)

Syntax

ip forward-broadcast
undo ip forward-broadcast

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ip forward-broadcast command to enable the device to receive directed broadcasts.
Use the undo ip forward-broadcast command to disable the device from receiving directed
broadcasts.
By default, the device is enabled to receive directed broadcasts.

Currently, this command is ineffective on the S5120-SI series Ethernet switches. That is, the switches
cannot be disabled from receiving directed broadcasts.

Examples

# Enable the device to receive directed broadcasts.


<Sysname> system-view
[Sysname] ip forward-broadcast

ip ttl-expires enable

Syntax

ip ttl-expires enable
undo ip ttl-expires

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ip ttl-expires enable command to enable sending of ICMP timeout packets.
Use the undo ip ttl-expires command to disable sending of ICMP timeout packets.
Sending ICMP timeout packets is disabled by default.

If the feature is disabled, the device does not send TTL timeout ICMP packets, but it still sends
"reassembly timeout" ICMP packets.

Examples

# Enable sending of ICMP timeout packets.


<Sysname> system-view
[Sysname] ip ttl-expires enable

ip unreachables enable

Syntax

ip unreachables enable
undo ip unreachables

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ip unreachables enable command to enable sending of ICMP destination unreachable
packets.
Use the undo ip unreachables command to disable sending of ICMP destination unreachable
packets.
Sending ICMP destination unreachable packets is disabled by default.

Examples

# Enable sending of ICMP destination unreachable packets.


<Sysname> system-view
[Sysname] ip unreachables enable

reset ip statistics

Syntax

reset ip statistics

View

User view

Default Level

2: System level

Parameters

None

Description

Use the reset ip statistics command to clear statistics of IP packets.


Related commands: display ip interface in IP Addressing Commands; display ip statistics.

Examples

# Clear statistics of IP packets.


<Sysname> reset ip statistics

reset tcp statistics

Syntax

reset tcp statistics

View

User view

Default Level

2: System level

Parameters

None

Description

Use the reset tcp statistics command to clear statistics of TCP traffic.
Related commands: display tcp statistics.

Examples

# Clear statistics of TCP traffic.


<Sysname> reset tcp statistics

reset udp statistics

Syntax

reset udp statistics

View

User view

Default Level

2: System level

Parameters

None

Description

Use the reset udp statistics command to clear statistics of UDP traffic.

Examples

# Clear statistics of UDP traffic.


<Sysname> reset udp statistics

tcp anti-naptha enable

Syntax

tcp anti-naptha enable


undo tcp anti-naptha enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the tcp anti-naptha enable command to enable the protection against Naptha attack.
Use the undo tcp anti-naptha enable command to disable the protection against Naptha attack.
By default, the protection against Naptha attack is disabled.
Note that the configurations made by using the tcp state and tcp timer check-state commands will be
removed after the protection against Naptha attack is disabled.

Examples

# Enable the protection against Naptha attack.


<Sysname> system-view
[Sysname] tcp anti-naptha enable

tcp state

Syntax

tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number number

undo tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number

View

System view

Default Level

2: System level

Parameters

closing: CLOSING state of a TCP connection.


established: ESTABLISHED state of a TCP connection.
fin-wait-1: FIN_WAIT_1 state of a TCP connection.
fin-wait-2: FIN_WAIT_2 state of a TCP connection.
last-ack: LAST_ACK state of a TCP connection.
syn-received: SYN_RECEIVED state of a TCP connection.
connection-number number: Maximum number of TCP connections in a certain state. The argument
number is in the range of 0 to 500.

Description

Use the tcp state command to configure the maximum number of TCP connections in a state. When
this number is exceeded, the aging of TCP connections in this state will be accelerated.
Use the undo tcp state command to restore the default.
By default, the maximum number of TCP connections in each state is 5.
Note the following points:
• You need to enable the protection against Naptha attack before executing this command.
Otherwise, the system prompts an error.
• You can configure the maximum number of TCP connections for each state separately.
• If the maximum number of TCP connections in a state is 0, the aging of TCP connections in this
state will not be accelerated.
Related commands: tcp anti-naptha enable.

Examples

# Set the maximum number of TCP connections in the ESTABLISHED state to 100.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
[Sysname] tcp state established connection-number 100

tcp syn-cookie enable

Syntax

tcp syn-cookie enable


undo tcp syn-cookie enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the tcp syn-cookie enable command to enable the SYN Cookie feature to protect the device
against SYN Flood attacks.
Use the undo tcp syn-cookie enable command to disable the SYN Cookie feature.
By default, the SYN Cookie feature is disabled.

Examples

# Enable the SYN Cookie feature.


<Sysname> system-view
[Sysname] tcp syn-cookie enable

tcp timer check-state

Syntax

tcp timer check-state time-value


undo tcp timer check-state

View

System view

Default Level

2: System level

Parameters

time-value: TCP connection state check interval in seconds, in the range of 1 to 60.

Description

Use the tcp timer check-state command to configure the TCP connection state check interval.
Use the undo tcp timer check-state command to restore the default.
By default, the TCP connection state check interval is 30 seconds.
The device periodically checks the number of TCP connections in each state. If it detects that the
number of TCP connections in a state exceeds the maximum number, it will accelerate the aging of TCP
connections in such a state.
Note that you need to enable the protection against Naptha attack before executing this command.
Otherwise, an error will be prompted.
Related commands: tcp anti-naptha enable.

Examples

# Set the TCP connection state check interval to 40 seconds.


<Sysname> system-view
[Sysname] tcp anti-naptha enable
[Sysname] tcp timer check-state 40

tcp timer fin-timeout

Syntax

tcp timer fin-timeout time-value


undo tcp timer fin-timeout

View

System view

Default Level

2: System level

Parameters

time-value: Length of the TCP finwait timer in seconds, in the range 76 to 3,600.

Description

Use the tcp timer fin-timeout command to configure the length of the TCP finwait timer.
Use the undo tcp timer fin-timeout command to restore the default.
By default, the length of the TCP finwait timer is 675 seconds.
Note that the actual length of the finwait timer is determined by the following formula:
Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the synwait timer
Related commands: tcp timer syn-timeout, tcp window.

Examples

# Set the length of the TCP finwait timer to 800 seconds.


<Sysname> system-view
[Sysname] tcp timer fin-timeout 800

tcp timer syn-timeout

Syntax

tcp timer syn-timeout time-value


undo tcp timer syn-timeout

View

System view

Default Level

2: System level

Parameters

time-value: Length of the TCP synwait timer in seconds, in the range 2 to 600.

Description

Use the tcp timer syn-timeout command to configure the length of the TCP synwait timer.
Use the undo tcp timer syn-timeout command to restore the default.
By default, the value of the TCP synwait timer is 75 seconds.
Related commands: tcp timer fin-timeout, tcp window.

Examples

# Set the length of the TCP synwait timer to 80 seconds.


<Sysname> system-view
[Sysname] tcp timer syn-timeout 80

tcp window

Syntax

tcp window window-size


undo tcp window

View

System view

Default Level

2: System level

Parameters

window-size: Size of the send/receive buffer in KB, in the range 1 to 32.

Description

Use the tcp window command to configure the size of the TCP send/receive buffer.
Use the undo tcp window command to restore the default.
The size of the TCP send/receive buffer is 8 KB by default.
Related commands: tcp timer fin-timeout, tcp timer syn-timeout.

Examples

# Configure the size of the TCP send/receive buffer as 3 KB.


<Sysname> system-view
[Sysname] tcp window 3

Table of Contents

1 ARP Configuration Commands
    ARP Configuration Commands
        arp check enable
        arp max-learning-num
        arp static
        arp timer aging
        display arp
        display arp ip-address
        display arp timer aging
        reset arp
    Gratuitous ARP Configuration Commands
        gratuitous-arp-sending enable
        gratuitous-arp-learning enable

2 ARP Attack Defense Configuration Commands
    ARP Active Acknowledgement Configuration Commands
        arp anti-attack active-ack enable
    Source MAC Address Based ARP Attack Detection Configuration Commands
        arp anti-attack source-mac
        arp anti-attack source-mac aging-time
        arp anti-attack source-mac exclude-mac
        arp anti-attack source-mac threshold
        display arp anti-attack source-mac
    ARP Packet Rate Limit Configuration Commands
        arp rate-limit
    ARP Detection Configuration Commands
        arp detection enable
        arp detection mode
        arp detection static-bind
        arp detection trust
        arp detection validate
        display arp detection
        display arp detection statistics
        reset arp detection statistics
    Periodic Sending of Gratuitous ARP Packets Configuration Commands
        arp anti-attack send-gratuitous-arp

1 ARP Configuration Commands

ARP Configuration Commands


arp check enable

Syntax

arp check enable


undo arp check enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the arp check enable command to enable ARP entry check. With this function enabled, the device
cannot learn any ARP entry with a multicast MAC address. Configuring such a static ARP entry is not
allowed either; otherwise, the system displays error messages.
Use the undo arp check enable command to disable the function. After the ARP entry check is
disabled, the device can learn the ARP entry with a multicast MAC address, and you can also configure
such a static ARP entry on the device.
By default, ARP entry check is enabled.

Examples

# Enable ARP entry check.


<Sysname> system-view
[Sysname] arp check enable

arp max-learning-num

Syntax

arp max-learning-num number


undo arp max-learning-num

View

Ethernet interface view, VLAN interface view, Layer-2 aggregate interface view

Default Level

2: System level

Parameters

number: Maximum number of dynamic ARP entries that an interface can learn. The value is in the range
0 to 256.

Description

Use the arp max-learning-num command to configure the maximum number of dynamic ARP entries
that an interface can learn.
Use the undo arp max-learning-num command to restore the default.
By default, the maximum number of dynamic ARP entries that an interface can learn is 256.

Examples

# Specify VLAN-interface 40 to learn up to 50 dynamic ARP entries.


<Sysname> system-view
[Sysname] interface vlan-interface 40
[Sysname-Vlan-interface40] arp max-learning-num 50

# Specify Layer-2 aggregate interface Bridge-aggregation 1 to learn up to 100 dynamic ARP entries.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] arp max-learning-num 100

arp static

Syntax

arp static ip-address mac-address [ vlan-id interface-type interface-number ]


undo arp ip-address

View

System view

Default Level

2: System level

Parameters

ip-address: IP address in an ARP entry.


mac-address: MAC address in an ARP entry, in the format H-H-H.
vlan-id: ID of the VLAN to which a static ARP entry belongs, in the range 1 to 4094.
interface-type interface-number: Interface type and interface number.

Description

Use the arp static command to configure a static ARP entry in the ARP mapping table.
Use the undo arp command to remove an ARP entry.

Note that:
• A static ARP entry is effective when the device works normally. However, when the VLAN or VLAN
interface to which an ARP entry corresponds is deleted, the entry, if permanent, will be deleted,
and if non-permanent and resolved, will become unresolved.
• The vlan-id argument is used to specify the corresponding VLAN of an ARP entry and must be the
ID of an existing VLAN. In addition, the Ethernet interface following the argument must belong to
that VLAN. The VLAN interface of the VLAN must have been created.
• If both the vlan-id and ip-address arguments are specified, the IP address of the VLAN interface
corresponding to the vlan-id argument must belong to the same network segment as the IP
address specified by the ip-address argument.
Related commands: reset arp, display arp.

Examples

# Configure a static ARP entry, with the IP address being 202.38.10.2, the MAC address being
00e0-fc01-0000, and the outbound interface being GigabitEthernet 1/0/1 of VLAN 10.
<Sysname> system-view
[Sysname] arp static 202.38.10.2 00e0-fc01-0000 10 GigabitEthernet 1/0/1

arp timer aging

Syntax

arp timer aging aging-time


undo arp timer aging

View

System view

Default Level

2: System level

Parameters

aging-time: Aging time for dynamic ARP entries in minutes, in the range 1 to 1,440.

Description

Use the arp timer aging command to set aging time for dynamic ARP entries.
Use the undo arp timer aging command to restore the default.
By default, the aging time for dynamic ARP entries is 20 minutes.
Related commands: display arp timer aging.

Examples

# Set aging time for dynamic ARP entries to 10 minutes.


<Sysname> system-view
[Sysname] arp timer aging 10

display arp

Syntax

display arp [ [ all | dynamic | static ] | vlan vlan-id | interface interface-type interface-number ] [ [ | { begin | exclude | include } regular-expression ] | count ]

View

Any view

Default Level

1: Monitor level

Parameters

all: Displays all ARP entries.


dynamic: Displays dynamic ARP entries.
static: Displays static ARP entries.
vlan vlan-id: Displays the ARP entries of the specified VLAN. The VLAN ID ranges from 1 to 4,094.
interface interface-type interface-number: Displays the ARP entries of the interface specified by the
argument interface-type interface-number.
|: Uses a regular expression to specify the ARP entries to be displayed. For detailed information about
regular expressions, refer to Basic System Configuration.
begin: Displays ARP entries from the first one containing the specified string.
exclude: Displays the ARP entries that do not contain the specified string.
include: Displays the ARP entries containing the specified string.
regular-expression: A case-sensitive string for matching, consisting of 1 to 256 characters.
count: Displays the number of ARP entries.

Description

Use the display arp command to display ARP entries in the ARP mapping table.
If no parameter is specified, all ARP entries are displayed.
Related commands: arp static, reset arp.

Examples

# Display the detailed information of all ARP entries.


<Sysname> display arp all
Type: S-Static   D-Dynamic
IP Address       MAC Address     VLAN ID  Interface  Aging  Type
192.168.0.57     00e0-fc00-000b  1        GE1/0/23   10     D
192.168.0.56     000f-cb00-5601  1        GE1/0/23   10     D

Table 1-1 display arp command output description

Field          Description
IP Address     IP address in an ARP entry
MAC Address    MAC address in an ARP entry
VLAN ID        VLAN ID contained in a static ARP entry
Interface      Outbound interface in an ARP entry
Aging          Aging time for a dynamic ARP entry in minutes (“N/A” means unknown aging time or no aging time)
Type           ARP entry type: D for dynamic, S for static.

# Display the number of all ARP entries.


<Sysname> display arp all count
Total Entry(ies): 2

display arp ip-address

Syntax

display arp ip-address [ | { begin | exclude | include } regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

ip-address: Displays the ARP entry for the specified IP address.


|: Uses a regular expression to specify the ARP entries to be displayed. For detailed information about
regular expressions, refer to Basic System Configuration.
begin: Displays the ARP entries from the first one containing the specified string.
exclude: Displays the ARP entries that do not contain the specified string.
include: Displays the ARP entries that contain the specified string.
regular-expression: A case-sensitive string for matching, consisting of 1 to 256 characters.

Description

Use the display arp ip-address command to display the ARP entry for a specified IP address.
Related commands: arp static, reset arp.

Examples

# Display the corresponding ARP entry for the IP address 20.1.1.1.


<Sysname> display arp 20.1.1.1
Type: S-Static   D-Dynamic
IP Address       MAC Address     VLAN ID  Interface  Aging  Type
20.1.1.1         00e0-fc00-0001  N/A      N/A        N/A    S

display arp timer aging

Syntax

display arp timer aging

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display arp timer aging command to display the aging time for dynamic ARP entries.
Related commands: arp timer aging.

Examples

# Display the aging time for dynamic ARP entries.


<Sysname> display arp timer aging
Current ARP aging time is 10 minute(s)

reset arp

Syntax

reset arp { all | dynamic | static | interface interface-type interface-number }

View

User view

Default Level

2: System level

Parameters

all: Clears all ARP entries.


dynamic: Clears all dynamic ARP entries.
static: Clears all static ARP entries.
interface interface-type interface-number: Clears the ARP entries for the interface specified by the
argument interface-type interface-number.

Description

Use the reset arp command to clear ARP entries except authorized ARP entries from the ARP mapping
table.
Related commands: arp static, display arp.

Examples

# Clear all static ARP entries.


<Sysname> reset arp static

Gratuitous ARP Configuration Commands


gratuitous-arp-sending enable

Syntax

gratuitous-arp-sending enable
undo gratuitous-arp-sending enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the gratuitous-arp-sending enable command to enable a device to send gratuitous ARP packets
when receiving ARP requests from another network segment.
Use the undo gratuitous-arp-sending enable command to restore the default.
By default, a device cannot send gratuitous ARP packets when receiving ARP requests from another
network segment.

Examples

# Disable a device from sending gratuitous ARP packets.


<Sysname> system-view
[Sysname] undo gratuitous-arp-sending enable

gratuitous-arp-learning enable

Syntax

gratuitous-arp-learning enable
undo gratuitous-arp-learning enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning
function.
Use the undo gratuitous-arp-learning enable command to disable the function.
By default, the function is enabled.
With this function enabled, a device receiving a gratuitous ARP packet can add the source IP and MAC
addresses carried in the packet to its own dynamic ARP table if no ARP entry corresponding to the
source IP address of the ARP packet exists in the cache. If the corresponding ARP entry exists
in the cache, the device updates the ARP entry regardless of whether this function is enabled.

Examples

# Enable the gratuitous ARP packet learning function.


<Sysname> system-view
[Sysname] gratuitous-arp-learning enable

2 ARP Attack Defense Configuration Commands

ARP Active Acknowledgement Configuration Commands


arp anti-attack active-ack enable

Syntax

arp anti-attack active-ack enable


undo arp anti-attack active-ack enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the arp anti-attack active-ack enable command to enable the ARP active acknowledgement
function.
Use the undo arp anti-attack active-ack enable command to restore the default.
By default, the ARP active acknowledgement function is disabled.
Typically, this feature is configured on gateway devices to identify invalid ARP packets.
With this feature enabled, the gateway, upon receiving an ARP packet with a different source MAC
address from that in the corresponding ARP entry, checks whether the ARP entry has been updated
within the last minute:
• If yes, the ARP entry is not updated;
• If not, the gateway sends a unicast request to the source MAC address of the ARP entry.
Then,
• If a response is received within five seconds, the ARP packet is ignored;
• If no response is received, the gateway sends a unicast request to the source MAC address of the
ARP packet.
Then,
• If a response is received within five seconds, the gateway updates the ARP entry;
• If not, the ARP entry is not updated.

Examples

# Enable the ARP active acknowledgement function.

<Sysname> system-view
[Sysname] arp anti-attack active-ack enable

Source MAC Address Based ARP Attack Detection Configuration Commands


arp anti-attack source-mac

Syntax

arp anti-attack source-mac { filter | monitor }


undo arp anti-attack source-mac [ filter | monitor ]

View

System view

Default Level

2: System level

Parameters

filter: Specifies the filter mode.


monitor: Specifies the monitor mode.

Description

Use the arp anti-attack source-mac command to enable source MAC address based ARP attack
detection and specify the detection mode.
Use the undo arp anti-attack source-mac command to restore the default.
By default, source MAC address based ARP attack detection is disabled.
After you enable this feature, the device checks the source MAC address of ARP packets received from
the VLAN. If the number of ARP packets received from a source MAC address within five seconds
exceeds the specified threshold:
• In filter detection mode, the device displays an alarm and filters out the ARP packets from the MAC
address.
• In monitor detection mode, the device only displays an alarm.
Note that: If no detection mode is specified in the undo arp anti-attack source-mac command, both
detection modes are disabled.

Examples

# Enable filter-mode source MAC address based ARP attack detection.


<Sysname> system-view
[Sysname] arp anti-attack source-mac filter

arp anti-attack source-mac aging-time

Syntax

arp anti-attack source-mac aging-time time

undo arp anti-attack source-mac aging-time

View

System view

Default Level

2: System level

Parameters

time: Aging timer for protected MAC addresses, in the range of 60 to 6000 seconds.

Description

Use the arp anti-attack source-mac aging-time command to configure the aging timer for protected
MAC addresses.
Use the undo arp anti-attack source-mac aging-time command to restore the default.
By default, the aging timer for protected MAC addresses is 300 seconds (five minutes).

Examples

# Configure the aging timer for protected MAC addresses as 60 seconds.


<Sysname> system-view
[Sysname] arp anti-attack source-mac aging-time 60

arp anti-attack source-mac exclude-mac

Syntax

arp anti-attack source-mac exclude-mac mac-address&<1-10>


undo arp anti-attack source-mac exclude-mac [ mac-address&<1-10> ]

View

System view

Default Level

2: System level

Parameters

mac-address&<1-10>: MAC address list. The mac-address argument indicates a protected MAC
address in the format H-H-H. &<1-10> indicates the number of protected MAC addresses that you can
configure.

Description

Use the arp anti-attack source-mac exclude-mac command to configure protected MAC addresses
which will be excluded from ARP packet detection.
Use the undo arp anti-attack source-mac exclude-mac command to remove the configured
protected MAC addresses.
By default, no protected MAC address is configured.

Note that: If no MAC address is specified in the undo arp anti-attack source-mac exclude-mac
command, all the configured protected MAC addresses are removed.

Examples

# Configure a protected MAC address.


<Sysname> system-view
[Sysname] arp anti-attack source-mac exclude-mac 2-2-2

arp anti-attack source-mac threshold

Syntax

arp anti-attack source-mac threshold threshold-value


undo arp anti-attack source-mac threshold

View

System view

Default Level

2: System level

Parameters

threshold-value: Threshold for source MAC address based ARP attack detection, in the range of 10 to
100.

Description

Use the arp anti-attack source-mac threshold command to configure the threshold for source MAC
address based ARP attack detection. If the number of ARP packets sent from a MAC address within five
seconds exceeds this threshold, the device considers this an attack.
Use the undo arp anti-attack source-mac threshold command to restore the default.
By default, the threshold for source MAC address based ARP attack detection is 50.

Examples

# Configure the threshold for source MAC address based ARP attack detection as 30.
<Sysname> system-view
[Sysname] arp anti-attack source-mac threshold 30
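
The following Python model is an added example, not code from the manual or from H3C. It replays constructed traffic through the counting rule described for the source-mac commands above (mode, threshold, exclude-mac). The sliding five-second window, the MAC addresses in the trace, and the `entry_lifetime_s` parameter (how long a detected entry is kept, modelled on the Aging-time column of display arp anti-attack source-mac) are assumptions.

```python
from collections import defaultdict, deque

WINDOW_MS = 5_000  # the five-second counting interval from the description


class SourceMacArpDetector:
    """Illustrative model of source MAC address based ARP attack detection."""

    def __init__(self, mode="filter", threshold=50, exclude=(), entry_lifetime_s=300):
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        if not 10 <= threshold <= 100:
            raise ValueError("threshold must be in the range 10 to 100")
        self.mode = mode
        self.threshold = threshold
        self.exclude = {m.lower() for m in exclude}        # exclude-mac list
        self.entry_lifetime_ms = entry_lifetime_s * 1000   # assumption, see lead-in
        self._recent = defaultdict(deque)  # MAC -> arrival times inside the window
        self.entries = {}                  # MAC -> time its detection entry expires
        self.alarms = []                   # (time_ms, MAC), one per detection

    def receive(self, ts_ms, src_mac):
        """Process one ARP packet; return True if it passes, False if filtered."""
        mac = src_mac.lower()
        if mac in self.exclude:
            return True                        # excluded MACs are never counted
        if mac in self.entries and ts_ms >= self.entries[mac]:
            del self.entries[mac]              # detection entry aged out
        if mac in self.entries:
            return self.mode == "monitor"      # filter mode drops, monitor passes
        window = self._recent[mac]
        window.append(ts_ms)
        while ts_ms - window[0] >= WINDOW_MS:  # keep only the last five seconds
            window.popleft()
        if len(window) > self.threshold:       # count exceeds the threshold
            self.entries[mac] = ts_ms + self.entry_lifetime_ms
            self.alarms.append((ts_ms, mac))
            window.clear()
            return self.mode == "monitor"
        return True


def constructed_trace():
    """Constructed sample traffic: (time in ms, source MAC) pairs."""
    host = [(t, "00e0-fc00-000b") for t in range(0, 20_000, 2_000)]   # 0.5 pps
    flood = [(t, "23f3-1122-3344") for t in range(0, 4_000, 50)]      # 20 pps
    gateway = [(t, "0002-0002-0002") for t in range(0, 4_000, 50)]    # 20 pps, excluded
    return sorted(host + flood + gateway)


def replay(mode, threshold=30):
    """Replay the constructed trace and count passed/dropped packets per MAC."""
    det = SourceMacArpDetector(mode, threshold, exclude={"0002-0002-0002"})
    counts = defaultdict(lambda: {"passed": 0, "dropped": 0})
    for ts, mac in constructed_trace():
        counts[mac]["passed" if det.receive(ts, mac) else "dropped"] += 1
    return dict(counts), det.alarms


if __name__ == "__main__":
    for mode in ("filter", "monitor"):
        counts, alarms = replay(mode)
        print(mode, "alarms:", alarms)
        for mac, c in sorted(counts.items()):
            print("   ", mac, c)
```

With threshold 30, the flooding MAC passes its first 30 packets in both modes. Only filter mode drops what follows, and a busy but legitimate sender such as a gateway keeps passing only because it is on the exclude list.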

display arp anti-attack source-mac

Syntax

display arp anti-attack source-mac [ interface interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface interface-type interface-number: Displays attacking MAC addresses detected on the interface.

Description

Use the display arp anti-attack source-mac command to display attacking MAC addresses detected
by source MAC address based ARP attack detection.
If no interface is specified, the display arp anti-attack source-mac command displays attacking MAC
addresses detected on all the interfaces.

Examples

# Display the attacking MAC addresses detected by source MAC address based ARP attack detection.
<Sysname> display arp anti-attack source-mac
Source-MAC       VLAN ID  Interface  Aging-time
23f3-1122-3344   4094     GE1/0/1    10
23f3-1122-3355   4094     GE1/0/2    30
23f3-1122-33ff   4094     GE1/0/3    25
23f3-1122-33ad   4094     GE1/0/4    30
23f3-1122-33ce   4094     GE1/0/5    2

ARP Packet Rate Limit Configuration Commands


arp rate-limit

Syntax

arp rate-limit { disable | rate pps drop }


undo arp rate-limit

View

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

disable: Disables ARP packet rate limit.


rate pps: ARP packet rate in pps, in the range 5 to 100.
drop: Discards the exceeded packets.

Description

Use the arp rate-limit command to configure or disable ARP packet rate limit on an interface.
Use the undo arp rate-limit command to restore the default.
By default, ARP packet rate limit is not enabled.

Examples

# Specify the ARP packet rate on GigabitEthernet1/0/1 as 50 pps, and exceeded packets will be
discarded.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] arp rate-limit rate 50 drop

ARP Detection Configuration Commands


arp detection enable

Syntax

arp detection enable


undo arp detection enable

View

VLAN view

Default Level

2: System level

Parameters

None

Description

Use the arp detection enable command to enable ARP detection for the VLAN.
Use the undo arp detection enable command to disable ARP detection for the VLAN.
By default, ARP detection is disabled for a VLAN.

Examples

# Enable ARP detection for VLAN 1.


<Sysname> system-view
[Sysname] vlan 1
[Sysname-Vlan1] arp detection enable

arp detection mode

Syntax

arp detection mode { dhcp-snooping | dot1x | static-bind }


undo arp detection mode { dhcp-snooping | dot1x | static-bind }

View

System view

Default Level

2: System level

Parameters

dhcp-snooping: Implements ARP attack detection based on DHCP snooping entries. This mode is
mainly used to prevent source address spoofing attacks.
dot1x: Implements ARP attack detection based on 802.1X security entries. This mode is mainly used to
prevent source address spoofing attacks.
static-bind: Implements ARP attack detection based on static IP-to-MAC binding entries. This mode is
mainly used to prevent gateway spoofing attacks.

Description

Use the arp detection mode command to specify an ARP attack detection mode.
Use the undo arp detection mode command to cancel the specified ARP detection mode.
By default, no ARP detection mode is specified, that is, all packets are considered to be invalid.
Note that, if you specify the three modes at the same time, the system uses static IP-to-MAC bindings
first, then DHCP snooping entries, and then 802.1X security entries.

Examples

# Enable ARP detection based on both DHCP snooping entries and 802.1X security entries.
<Sysname> system-view
[Sysname] arp detection mode dhcp-snooping
[Sysname] arp detection mode dot1x

arp detection static-bind

Syntax

arp detection static-bind ip-address mac-address


undo arp detection static-bind [ ip-address ]

View

System view

Default Level

2: System level

Parameters

ip-address: IP address of the static binding.


mac-address: MAC address of the static binding, in the format of H-H-H.

Description

Use the arp detection static-bind command to configure a static IP-to-MAC binding.
Use the undo arp detection static-bind command to remove the configured static binding.
By default, no static IP-to-MAC binding is configured.

With ARP detection based on static IP-to-MAC bindings configured, the device, upon receiving an ARP
packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of the ARP
packet against the static IP-to-MAC bindings.
• If an entry with a matching IP address but different MAC address is found, the ARP packet is
considered invalid and discarded.
• If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid
and can pass the detection.
• If no match is found, the ARP packet is considered valid and can pass the detection.
Note that: If no IP address is specified in the undo arp detection static-bind command, all configured
static IP-to-MAC bindings are removed.

Examples

# Configure a static IP-to-MAC binding.


<Sysname> system-view
[Sysname] arp detection static-bind 192.168.1.2 2-1-201

arp detection trust

Syntax

arp detection trust


undo arp detection trust

View

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

None

Description

Use the arp detection trust command to configure the port as an ARP trusted port.
Use the undo arp detection trust command to configure the port as an ARP untrusted port.
By default, the port is an ARP untrusted port.

Examples

# Configure GigabitEthernet1/0/1 as an ARP trusted port.


<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] arp detection trust

arp detection validate

Syntax

arp detection validate { dst-mac | ip | src-mac } *


undo arp detection validate [ dst-mac | ip | src-mac ] *

View

System view

Default Level

2: System level

Parameters

dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero,
all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is
considered invalid and discarded.
ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one or multicast
IP addresses are considered invalid and the corresponding packets are discarded. With this keyword
specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP
requests will be checked.
src-mac: Checks whether the source MAC address of an ARP packet is identical to that in its Ethernet
header. If they are identical, the packet is considered valid; otherwise, the packet is discarded.

Description

Use the arp detection validate command to configure ARP detection based on specified objects. You
can specify one or more objects in one command line.
Use the undo arp detection validate command to remove detected objects. If no keyword is specified,
all the detected objects are removed.
By default, ARP detection based on specified objects is disabled.

Examples

# Enable the checking of the MAC addresses and IP addresses of ARP packets.
<Sysname> system-view
[Sysname] arp detection validate dst-mac src-mac ip
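
The checks described for arp detection static-bind and arp detection validate, modelled in Python over constructed Ethernet/ARP frames. This is an added example, not H3C code: the function names and sample addresses are made up, the static-binding check is assumed to use the sender fields of the ARP payload, and H-H-H is assumed to allow omitted leading zeros in each group, as in the manual's 2-1-201.

```python
import ipaddress
import re
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, ONES_MAC = bytes(6), b"\xff" * 6


def mac_from_hhh(text):
    """Convert H-H-H notation (each H = 1 to 4 hex digits, e.g. 2-1-201) to 6 bytes."""
    if not re.fullmatch(r"[0-9A-Fa-f]{1,4}(-[0-9A-Fa-f]{1,4}){2}", text):
        raise ValueError(f"not in H-H-H format: {text!r}")
    return b"".join(int(g, 16).to_bytes(2, "big") for g in text.split("-"))


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build an untagged Ethernet II + ARP frame in memory (for the samples below)."""
    header = struct.pack("!6s6sHHHBBH", eth_dst, eth_src, 0x0806, 1, 0x0800, 6, 4, op)
    return (header + sha + ipaddress.IPv4Address(spa).packed
            + tha + ipaddress.IPv4Address(tpa).packed)


def parse_arp(frame):
    """Parse Ethernet II + IPv4-over-Ethernet ARP; reject anything else."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    eth_dst, eth_src, etype, htype, ptype, hlen, plen, op = struct.unpack(
        "!6s6sHHHBBH", frame[:22])
    if (etype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def bad_ip(raw):
    """All-zero, all-one and multicast addresses are invalid for the ip check."""
    return raw in (bytes(4), b"\xff" * 4) or ipaddress.IPv4Address(raw).is_multicast


def arp_detection(frame, validate=(), static_binds=None):
    """Return the checks the frame fails; an empty list means it passes."""
    p, failed = parse_arp(frame), []
    if "src-mac" in validate and p["sha"] != p["eth_src"]:
        failed.append("src-mac")
    # dst-mac applies to ARP responses only
    if "dst-mac" in validate and p["op"] == ARP_REPLY and (
            p["tha"] in (ZERO_MAC, ONES_MAC) or p["tha"] != p["eth_dst"]):
        failed.append("dst-mac")
    if "ip" in validate:
        # replies: source and destination IP; requests: source IP only
        checked = (p["spa"], p["tpa"]) if p["op"] == ARP_REPLY else (p["spa"],)
        if any(bad_ip(a) for a in checked):
            failed.append("ip")
    # static binding: a matching IP with a different MAC is invalid;
    # a full match, or no entry at all, passes
    bound = (static_binds or {}).get(str(ipaddress.IPv4Address(p["spa"])))
    if bound is not None and mac_from_hhh(bound) != p["sha"]:
        failed.append("static-bind")
    return failed


# Constructed sample data: the binding is the one from the manual's example,
# every other address is made up.
BINDS = {"192.168.1.2": "2-1-201"}
ALL_CHECKS = ("src-mac", "dst-mac", "ip")
HOST, GW, OTHER = (mac_from_hhh(m) for m in ("2-1-201", "a-b-c", "dead-beef-1"))
GW_IP = "192.168.1.1"

SAMPLES = {
    "legit_reply": build_arp(HOST, GW, ARP_REPLY, HOST, "192.168.1.2", GW, GW_IP),
    "wrong_mac_for_bound_ip": build_arp(OTHER, GW, ARP_REPLY, OTHER, "192.168.1.2", GW, GW_IP),
    "header_mismatch": build_arp(OTHER, GW, ARP_REPLY, HOST, "192.168.1.2", GW, GW_IP),
    "zero_target_multicast_src": build_arp(OTHER, GW, ARP_REPLY, OTHER, "224.0.0.5", ZERO_MAC, GW_IP),
    "unbound_ip": build_arp(OTHER, GW, ARP_REPLY, OTHER, "192.168.1.50", GW, GW_IP),
    "normal_request": build_arp(HOST, ONES_MAC, ARP_REQUEST, HOST, "192.168.1.2", ZERO_MAC, GW_IP),
}


def run_samples():
    """Apply all three validate objects plus the static binding to every sample."""
    return {name: arp_detection(f, ALL_CHECKS, BINDS) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, failed in run_samples().items():
        verdict = "discard (" + ", ".join(failed) + ")" if failed else "pass"
        print(f"{name:28s} {verdict}")
```

The unbound_ip sample passes every check: static bindings protect only the addresses that are actually bound, so unbound addresses depend on the other detection methods.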

display arp detection

Syntax

display arp detection

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display arp detection command to display the VLAN(s) enabled with ARP detection.
Related commands: arp detection enable.

Examples

# Display the VLANs enabled with ARP detection.


<Sysname> display arp detection
ARP detection is enabled in the following VLANs:
1, 2, 4-5

Table 2-1 display arp detection command output description

Field | Description
ARP detection is enabled in the following VLANs | VLANs that are enabled with ARP detection

display arp detection statistics

Syntax

display arp detection statistics [ interface interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface interface-type interface-number: Displays the ARP detection statistics of a specified interface.

Description

Use the display arp detection statistics command to display statistics about ARP detection. This
command only displays numbers of discarded packets. If no interface is specified, the statistics of all the
interfaces will be displayed.

Examples

# Display the ARP detection statistics of all the interfaces.


<Sysname> display arp detection statistics
State: U-Untrusted T-Trusted
ARP packets dropped by ARP inspect checking:
Interface(State) IP Src-MAC Dst-MAC Inspect
BAGG1(U) 0 0 0 0
GE1/0/1(T) 0 0 0 0
GE1/0/2(U) 0 0 0 0
GE1/0/3(U) 0 0 0 0
GE1/0/4(U) 0 0 0 0
GE1/0/5(U) 0 0 0 0
GE1/0/6(U) 0 0 0 0

Table 2-2 display arp detection statistics command output description

Field | Description
Interface(State) | State T or U identifies a trusted or untrusted port.
IP | Number of ARP packets discarded due to invalid source and destination IP addresses
Src-MAC | Number of ARP packets discarded due to invalid source MAC address
Dst-MAC | Number of ARP packets discarded due to invalid destination MAC address
Inspect | Number of ARP packets that failed to pass ARP detection (based on DHCP snooping entries/802.1X security entries/static IP-to-MAC bindings)
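
Because the command displays only running counts of discarded packets, a monitoring script has to compare two snapshots to see which ports are dropping ARP packets now. The following Python example is added here and is not part of the manual; the second snapshot's non-zero values are constructed and the function names are hypothetical.

```python
import re

# One data row of the output: "<port>(<U|T>) <IP> <Src-MAC> <Dst-MAC> <Inspect>"
ROW = re.compile(r"^(?P<port>\S+)\((?P<state>[UT])\)\s+(?P<ip>\d+)\s+(?P<src>\d+)"
                 r"\s+(?P<dst>\d+)\s+(?P<inspect>\d+)$")
COLUMNS = ("ip", "src", "dst", "inspect")

# First snapshot: the output shown in the manual.
SNAPSHOT_1 = """\
State: U-Untrusted T-Trusted
ARP packets dropped by ARP inspect checking:
Interface(State) IP Src-MAC Dst-MAC Inspect
BAGG1(U) 0 0 0 0
GE1/0/1(T) 0 0 0 0
GE1/0/2(U) 0 0 0 0
GE1/0/3(U) 0 0 0 0
GE1/0/4(U) 0 0 0 0
GE1/0/5(U) 0 0 0 0
GE1/0/6(U) 0 0 0 0
"""

# Second snapshot: constructed values for illustration.
SNAPSHOT_2 = SNAPSHOT_1.replace("GE1/0/2(U) 0 0 0 0", "GE1/0/2(U) 0 14 0 230") \
                       .replace("GE1/0/3(U) 0 0 0 0", "GE1/0/3(U) 3 0 0 0")


def parse_stats(text):
    """Map each interface to its trust state and four drop counters."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and legend lines do not match and are skipped
            stats[m["port"]] = {"trusted": m["state"] == "T",
                                **{c: int(m[c]) for c in COLUMNS}}
    return stats


def new_drops(previous, current):
    """Per-port increase of each counter between two parsed snapshots."""
    changed = {}
    for port, now in current.items():
        before = previous.get(port, {})
        delta = {}
        for col in COLUMNS:
            old = before.get(col, 0)
            # A counter lower than before means the statistics were cleared
            # (reset arp detection statistics) between the two snapshots.
            delta[col] = now[col] - old if now[col] >= old else now[col]
        if any(delta.values()):
            changed[port] = delta
    return changed


if __name__ == "__main__":
    for port, delta in new_drops(parse_stats(SNAPSHOT_1), parse_stats(SNAPSHOT_2)).items():
        print(port, delta)
```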

reset arp detection statistics

Syntax

reset arp detection statistics [ interface interface-type interface-number ]

View

User view

Default Level

2: System level

Parameters

interface interface-type interface-number: Clears the ARP detection statistics of a specified interface.

Description

Use the reset arp detection statistics command to clear ARP detection statistics of a specified
interface. If no interface is specified, the statistics of all the interfaces will be cleared.

Examples

# Clear the ARP detection statistics of all the interfaces.


<Sysname> reset arp detection statistics

Periodic Sending of Gratuitous ARP Packets Configuration Commands

arp anti-attack send-gratuitous-arp

Syntax

arp anti-attack send-gratuitous-arp [ interval milliseconds ]


undo arp anti-attack send-gratuitous-arp

View

VLAN interface view

Default Level

2: System level

Parameters

interval milliseconds: Sets the interval at which gratuitous ARP packets are sent. The value ranges from
200 to 5000, in milliseconds. The default value is 2000 ms.

Description

Use the arp anti-attack send-gratuitous-arp command to enable periodic sending of gratuitous ARP
packets and set the sending interval.
Use the undo arp anti-attack send-gratuitous-arp command to disable the device from periodically
sending gratuitous ARP packets.
By default, the device is disabled from sending gratuitous ARP packets periodically.
Note that:
- This function takes effect only when the link of the interface goes up and an IP address has been
  assigned to the interface.
- If you change the interval of sending ARP packets, the configuration is effective at the next sending
  interval.

Examples

# Enable VLAN-interface 2 to send gratuitous ARP packets every 300 ms.


<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] arp anti-attack send-gratuitous-arp interval 300

Table of Contents

1 DHCP Relay Agent Configuration Commands
    DHCP Relay Agent Configuration Commands
        dhcp relay address-check
        dhcp relay information circuit-id format-type
        dhcp relay information circuit-id string
        dhcp relay information enable
        dhcp relay information format
        dhcp relay information remote-id format-type
        dhcp relay information remote-id string
        dhcp relay information strategy
        dhcp relay release ip
        dhcp relay security static
        dhcp relay security refresh enable
        dhcp relay security tracker
        dhcp relay server-detect
        dhcp relay server-group
        dhcp relay server-select
        dhcp select relay
        display dhcp relay
        display dhcp relay information
        display dhcp relay security
        display dhcp relay security statistics
        display dhcp relay security tracker
        display dhcp relay server-group
        display dhcp relay statistics
        reset dhcp relay statistics

2 DHCP Client Configuration Commands
    DHCP Client Configuration Commands
        display dhcp client
        ip address dhcp-alloc

3 DHCP Snooping Configuration Commands
    DHCP Snooping Configuration Commands
        dhcp-snooping
        dhcp-snooping information circuit-id format-type
        dhcp-snooping information circuit-id string
        dhcp-snooping information enable
        dhcp-snooping information format
        dhcp-snooping information remote-id format-type
        dhcp-snooping information remote-id string
        dhcp-snooping information strategy
        dhcp-snooping trust
        display dhcp-snooping
        display dhcp-snooping information
        display dhcp-snooping packet statistics
        display dhcp-snooping trust
        reset dhcp-snooping
        reset dhcp-snooping packet statistics

4 BOOTP Client Configuration Commands
    BOOTP Client Configuration Commands
        display bootp client
        ip address bootp-alloc

1 DHCP Relay Agent Configuration Commands

DHCP Relay Agent Configuration Commands


dhcp relay address-check

Syntax

dhcp relay address-check { disable | enable }

View

Interface view

Default Level

2: System level

Parameters

disable: Disables IP address match check on the relay agent.


enable: Enables IP address match check on the relay agent.

Description

Use the dhcp relay address-check enable command to enable IP address match check on the relay
agent.
Use the dhcp relay address-check disable command to disable IP address match check on the relay
agent.
By default, the function is disabled.
If a requesting client’s IP and MAC addresses do not match any binding (both dynamic and static
bindings) on the DHCP relay agent, the client cannot access external networks via the DHCP relay
agent.
Note that the dhcp relay address-check enable command only checks IP and MAC addresses of
clients.

Examples

# Enable IP address match check on the DHCP relay agent.


<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp relay address-check enable

dhcp relay information circuit-id format-type

Syntax

dhcp relay information circuit-id format-type { ascii | hex }

undo dhcp relay information circuit-id format-type

View

Interface view

Default Level

2: System level

Parameters

ascii: Specifies the code type for the circuit ID sub-option as ascii.
hex: Specifies the code type for the circuit ID sub-option as hex.

Description

Use the dhcp relay information circuit-id format-type command to configure the code type for the
non-user-defined circuit ID sub-option.
Use the undo dhcp relay information circuit-id format-type command to restore the default.
By default, the code type for the circuit ID sub-option depends on the specified padding format of Option
82. Each field has its own code type.
Note that:
This command applies to configuring the non-user-defined circuit ID sub-option only. After you
configure the padding content for the circuit ID sub-option using the dhcp relay information circuit-id
string command, ASCII is adopted as the code type.
Related commands: display dhcp relay information.

Examples

# Configure the code type for the non-user-defined circuit ID sub-option as ascii.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp relay information circuit-id format-type ascii

dhcp relay information circuit-id string

Syntax

dhcp relay information circuit-id string circuit-id


undo dhcp relay information circuit-id string

View

Interface view

Default Level

2: System level

Parameters

circuit-id: Padding content for the user-defined circuit ID sub-option, a case-sensitive string of 3 to 63
characters.

Description

Use the dhcp relay information circuit-id string command to configure the padding content for the
user-defined circuit ID sub-option.
Use the undo dhcp relay information circuit-id string command to restore the default.
By default, the padding content for the circuit ID sub-option depends on the padding format of Option
82.
Note that:
After you configure the padding content for the circuit ID sub-option using this command, ASCII is
adopted as the code type.
Related commands: dhcp relay information format, display dhcp relay information.

Examples

# Configure the padding content for the circuit ID sub-option as company001.


<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp relay information circuit-id string company001

dhcp relay information enable

Syntax

dhcp relay information enable


undo dhcp relay information enable

View

Interface view

Default Level

2: System level

Parameters

None

Description

Use the dhcp relay information enable command to enable the relay agent to support Option 82.
Use the undo dhcp relay information enable command to disable Option 82 support.
By default, Option 82 support is disabled on DHCP relay agent.
Related commands: display dhcp relay information.

Examples

# Enable Option 82 support on the relay agent.


<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp relay information enable

dhcp relay information format

Syntax

dhcp relay information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] }
undo dhcp relay information format [ verbose node-identifier ]

View

Interface view

Default Level

2: System level

Parameters

normal: Specifies the normal padding format.


verbose: Specifies the verbose padding format.
node-identifier { mac | sysname | user-defined node-identifier }: Specifies the access node identifier. By
default, the node MAC address is used as the node identifier.
- mac indicates using the MAC address as the node identifier.
- sysname indicates using the device name of a node as the node identifier.
- user-defined node-identifier indicates using a specified character string as the node identifier, in
  which node-identifier is a string of 1 to 50 characters.

Description

Use the dhcp relay information format command to specify a padding format for Option 82.
Use the undo dhcp relay information format command to restore the default padding format.
The Option 82 padding format defaults to normal.

- Using the undo dhcp relay information format command without the keyword verbose
  node-identifier restores the default normal padding format, or with the keyword verbose
  node-identifier restores the mac mode of the verbose padding format.
- If configuring the handling strategy of the DHCP relay agent as replace, you need to configure a
  padding format of Option 82. If the handling strategy is keep or drop, you need not configure any
  padding format.
- If sub-option 1 (node identifier) of Option 82 is padded with the device name (sysname) of a node,
  the device name must contain no spaces. Otherwise, the DHCP relay agent will drop the message.

Related commands: display dhcp relay information.

Examples

# Specify the verbose padding format for Option 82.

<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp relay information enable
[Sysname-Vlan-interface1] dhcp relay information strategy replace
[Sysname-Vlan-interface1] dhcp relay information format verbose

dhcp relay information remote-id format-type

Syntax

dhcp relay information remote-id format-type { ascii | hex }


undo dhcp relay information remote-id format-type

View

Interface view

Default Level

2: System level

Parameters

ascii: Specifies the code type for the remote ID sub-option as ascii.
hex: Specifies the code type for the remote ID sub-option as hex.

Description

Use the dhcp relay information remote-id format-type command to configure the code type for the
non-user-defined remote ID sub-option.
Use the undo dhcp relay information remote-id format-type command to restore the default.
By default, the code type for the remote ID sub-option is HEX.
Note that:
This command applies to configuring the non-user-defined remote ID sub-option only. After you
configure the padding content for the remote ID sub-option using the dhcp relay information
remote-id string command, ASCII is adopted as the code type.
Related commands: display dhcp relay information.

Examples

# Configure the code type for the non-user-defined remote ID sub-option as ascii.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp relay information remote-id format-type ascii

dhcp relay information remote-id string

Syntax

dhcp relay information remote-id string { remote-id | sysname }


undo dhcp relay information remote-id string

View

Interface view

Default Level

2: System level

Parameters

remote-id: Padding content for the user-defined remote ID sub-option, a case-sensitive string of 1 to 63
characters.
sysname: Specifies the device name as the padding content for the remote ID sub-option.

Description

Use the dhcp relay information remote-id string command to configure the padding content for the
user-defined remote ID sub-option.
Use the undo dhcp relay information remote-id string command to restore the default.
By default, the padding content for the remote ID sub-option depends on the padding format of Option
82.
Note that: After you configure the padding content for the remote ID sub-option using this command,
ASCII is adopted as the code type.

If you want to specify the character string sysname (a case-insensitive character string) as the padding
content for the remote ID sub-option, you need to use quotation marks to make it take effect. For
example, if you want to specify Sysname as the padding content for the remote ID sub-option, you
need to enter the dhcp relay information remote-id string "Sysname" command.

Related commands: dhcp relay information format, display dhcp relay information.

Examples

# Configure the padding content for the remote ID sub-option as device001.


<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp relay information remote-id string device001

dhcp relay information strategy

Syntax

dhcp relay information strategy { drop | keep | replace }


undo dhcp relay information strategy

View

Interface view

Default Level

2: System level

Parameters

drop: Specifies to drop messages containing Option 82.


keep: Specifies to forward messages containing Option 82 without any change.
replace: Specifies to forward messages containing Option 82 after replacing the original Option 82 with
the Option 82 padded in the specified padding format.

Description

Use the dhcp relay information strategy command to configure DHCP relay agent handling strategy
for messages containing Option 82.
Use the undo dhcp relay information strategy command to restore the default handling strategy.
The handling strategy for messages containing Option 82 defaults to replace.
Related commands: display dhcp relay information.

Examples

# Configure the DHCP relay agent handling strategy for messages containing Option 82 as keep.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp relay information enable
[Sysname-Vlan-interface1] dhcp relay information strategy keep
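
How the three handling strategies treat a client request that already carries Option 82, as an added Python example that is not H3C code. It assumes the RFC 3046 sub-option codes (1 = circuit ID, 2 = remote ID), encodes only the user-defined ASCII strings (the normal and verbose layouts are not modelled), and assumes the relay appends its own Option 82 when the request carries none; all function names are hypothetical.

```python
OPT_PAD, OPT_END, OPT_RELAY_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-option codes


def parse_tlvs(data, options_field=True):
    """Decode code/length/value triples. In a DHCP options field, code 0 is
    padding and code 255 ends the list; inside Option 82 neither applies."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if options_field and code == OPT_END:
            break
        if options_field and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        items.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def encode_options(options):
    """Serialize (code, value) pairs and terminate with the End option."""
    return b"".join(bytes([c, len(v)]) + v for c, v in options) + bytes([OPT_END])


def build_option82(circuit_id=None, remote_id=None):
    """Option 82 value from user-defined strings; ASCII is the code type the
    manual states for user-defined padding content."""
    if circuit_id is not None and not 3 <= len(circuit_id) <= 63:
        raise ValueError("circuit-id must be 3 to 63 characters")
    if remote_id is not None and not 1 <= len(remote_id) <= 63:
        raise ValueError("remote-id must be 1 to 63 characters")
    value = b""
    for code, text in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        if text is not None:
            raw = text.encode("ascii")
            value += bytes([code, len(raw)]) + raw
    return value


def relay_handle(options, strategy, local_option82):
    """Apply drop / keep / replace to a request's options field.
    Returns the options to forward, or None when the message is dropped."""
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError(f"unknown strategy: {strategy}")
    parsed = parse_tlvs(options)
    if any(code == OPT_RELAY_INFO for code, _ in parsed):
        if strategy == "drop":
            return None
        if strategy == "keep":
            return options            # forwarded without any change
        parsed = [(c, v) for c, v in parsed if c != OPT_RELAY_INFO]
    # replace, or no Option 82 present (assumed): pad the relay's own Option 82
    return encode_options(parsed + [(OPT_RELAY_INFO, local_option82)])


def option82_fields(options):
    """Sub-options of the Option 82 a DHCP server would see, or None if absent."""
    for code, value in parse_tlvs(options):
        if code == OPT_RELAY_INFO:
            return dict(parse_tlvs(value, options_field=False))
    return None


# The relay's own padding content, using the strings from the manual's examples.
LOCAL_82 = build_option82(circuit_id="company001", remote_id="device001")
# Constructed request: a DHCPDISCOVER (option 53 = 1) that already carries an
# Option 82 inserted downstream of this relay.
REQUEST_WITH_82 = encode_options([
    (53, b"\x01"),
    (OPT_RELAY_INFO, build_option82(circuit_id="downstream-port-7")),
])

if __name__ == "__main__":
    for strategy in ("drop", "keep", "replace"):
        out = relay_handle(REQUEST_WITH_82, strategy, LOCAL_82)
        print(strategy, "->", None if out is None else option82_fields(out))
```

With keep, the server sees whatever circuit ID arrived with the request, so any address policy keyed on Option 82 then depends on how trustworthy the downstream segment is.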

dhcp relay release ip

Syntax

dhcp relay release ip client-ip

View

System view

Default Level

2: System level

Parameters

client-ip: DHCP client IP address.

Description

Use the dhcp relay release ip command to request the DHCP server to release a specified client IP
address.

Examples

# Request the DHCP server to release the IP address 1.1.1.1.


<Sysname> system-view
[Sysname] dhcp relay release ip 1.1.1.1

dhcp relay security static

Syntax

dhcp relay security static ip-address mac-address [ interface interface-type interface-number ]


undo dhcp relay security { ip-address | all | dynamic | interface interface-type interface-number | static }

View

System view

Default Level

2: System level

Parameters

ip-address: Client IP address for creating a static binding.


mac-address: Client MAC address for creating a static binding, in the format H-H-H.
interface interface-type interface-number: Specifies a Layer 3 interface connecting to the DHCP client.
interface-type interface-number specifies the interface type and interface number.
all: Specifies all client entries to be removed.
dynamic: Specifies dynamic client entries to be removed.
static: Specifies manual client entries to be removed.

Description

Use the dhcp relay security static command to configure a static client entry, that is, the binding
between IP address, MAC address, and Layer 3 interface on the relay agent.
Use the undo dhcp relay security command to remove specified client entries from the relay agent.
No manual client entry is configured on the DHCP relay agent by default.
Note that:
- When using the dhcp relay security static command to bind an interface to a static client entry,
  make sure that the interface is configured as a DHCP relay agent; otherwise, entry conflicts may
  occur.
- The undo dhcp relay security interface command is used to remove all the dynamic client
  entries from the interface.
Related commands: display dhcp relay security.

Examples

# Bind DHCP relay interface VLAN-interface 2 to IP address 10.10.1.1 and MAC address
0005-5d02-f2b3 of the client.
<Sysname> system-view
[Sysname] dhcp relay security static 10.10.1.1 0005-5d02-f2b3 interface vlan-interface 2

dhcp relay security refresh enable

Syntax

dhcp relay security refresh enable


undo dhcp relay security refresh enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the dhcp relay security refresh enable command to enable the DHCP relay agent to periodically
refresh dynamic client entries.
Use the undo dhcp relay security refresh enable command to disable periodic refresh of dynamic
client entries.
By default, the DHCP relay agent is enabled to periodically refresh dynamic client entries.
Note that:
If you disable the DHCP relay agent from periodically refreshing dynamic client entries, such entries do
not age automatically. Therefore, if a client relinquishes its IP address, you need to manually remove
the corresponding dynamic client entry on the DHCP relay agent.
Related commands: dhcp relay security tracker and dhcp relay security static.

Examples

# Disable the DHCP relay agent from periodically refreshing dynamic client entries.
<Sysname> system-view
[Sysname] undo dhcp relay security refresh enable

dhcp relay security tracker

Syntax

dhcp relay security tracker { interval | auto }


undo dhcp relay security tracker [ interval ]

View

System view

Default Level

2: System level

Parameters

interval: Refreshing interval in seconds, in the range of 1 to 120.


auto: Specifies the auto refreshing interval, which is the value of 60 seconds divided by the number of
binding entries. Thus, the more entries there are, the shorter the interval is, but the interval is never
less than 500 ms.

Description

Use the dhcp relay security tracker command to set a refreshing interval at which the relay agent
contacts the DHCP server for refreshing dynamic bindings.
Use the undo dhcp relay security tracker command to restore the default interval.
The default refreshing interval is auto, the value of 60 seconds divided by the number of binding entries.
Related commands: display dhcp relay security tracker.

Examples

# Set the refreshing interval as 100 seconds.


<Sysname> system-view
[Sysname] dhcp relay security tracker 100

dhcp relay server-detect

Syntax

dhcp relay server-detect


undo dhcp relay server-detect

View

System view

Default Level

2: System level

Parameters

None

Description

Use the dhcp relay server-detect command to enable unauthorized DHCP server detection.
Use the undo dhcp relay server-detect command to disable unauthorized DHCP server detection.
By default, unauthorized DHCP server detection is disabled.
With this function enabled, upon receiving a DHCP request, the DHCP relay agent records the IP
addresses of all DHCP servers that have ever offered IP addresses to the DHCP client, together with the
receiving interface. Each detected server is recorded only once. The administrator can use this
information from the logs to identify unauthorized DHCP servers.
After the recorded DHCP server information is cleared, the relay agent records server
information again following this mechanism.

Examples

# Enable unauthorized DHCP server detection.


<Sysname> system-view
[Sysname] dhcp relay server-detect

dhcp relay server-group

Syntax

dhcp relay server-group group-id ip ip-address


undo dhcp relay server-group group-id [ ip ip-address ]

View

System view

Default Level

2: System level

Parameters

group-id: DHCP server group number, in the range of 0 to 19.


ip ip-address: DHCP server IP address.

Description

Use the dhcp relay server-group command to specify a DHCP server for a DHCP server group.
Use the undo dhcp relay server-group command to remove a DHCP server from a DHCP server
group. If no ip ip-address is specified, all servers in the DHCP server group and the server group itself
will be removed.
By default, no DHCP server is specified for a DHCP server group.
Note that:
- The IP address of any DHCP server and any interface’s IP address of the DHCP relay agent
  cannot be in the same network segment. Otherwise, the client may fail to obtain an IP address.
- If a server group has been correlated to multiple interfaces, you need to cancel these correlations
  before removing the server group.
Related commands: display dhcp relay server-group.

Examples

# Specify DHCP server 1.1.1.1 for DHCP server group 1 on the relay agent.
<Sysname> system-view
[Sysname] dhcp relay server-group 1 ip 1.1.1.1

dhcp relay server-select

Syntax

dhcp relay server-select group-id


undo dhcp relay server-select

View

Interface view

Default Level

2: System level

Parameters

group-id: DHCP server group number to be correlated, in the range of 0 to 19.

Description

Use the dhcp relay server-select command to correlate specified interface(s) to a specified DHCP
server group.
Use the undo dhcp relay server-select command to remove a configured correlation.
By default, no DHCP server group is correlated with an interface on the relay agent.
Note that:
- A DHCP server group can correlate with one or multiple DHCP relay agent interfaces.
- A relay agent interface can only correlate with one DHCP server group, and a newly configured
  correlation overwrites the previous one. If the server group in the new correlation does not exist,
  the new configuration will not work. The interface still maintains the previous correlation.
- The DHCP server group referenced in this command should have been configured by using the
  dhcp relay server-group command.
Related commands: dhcp relay server-group, display dhcp relay.

Examples

# Correlate VLAN-interface 1 to DHCP server group 1.


<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp relay server-select 1

dhcp select relay

Syntax

dhcp select relay


undo dhcp select relay

View

Interface view

Default Level

2: System level

Parameters

None

Description

Use the dhcp select relay command to enable the relay agent on the current interface. Upon receiving
requests from an enabled interface, the relay agent will forward these requests to outside DHCP
servers for IP address allocation.
Use the undo dhcp select relay command to restore the default.
After DHCP is enabled, the DHCP server is enabled on an interface by default. That is, upon receiving a
client’s request from the interface, the DHCP server allocates an IP address from the DHCP address
pool to the client.
When the working mode of the interface is changed from DHCP server to DHCP relay agent, neither the
IP address leases nor the authorized ARP entries will be deleted. However, these ARP entries may
conflict with new ARP entries generated on the DHCP relay agent; therefore, it is recommended that you
delete the existing IP address leases when changing the interface working mode to DHCP relay agent.

Examples

# Enable the DHCP relay agent on VLAN-interface 1.


<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp select relay

display dhcp relay

Syntax

display dhcp relay { all | interface interface-type interface-number }

View

Any view

Default Level

1: Monitor level

Parameters

all: Displays information about the DHCP server groups correlated to all interfaces.
interface interface-type interface-number: Displays information about the DHCP server group
correlated to the specified interface.

Description

Use the display dhcp relay command to display information about DHCP server groups correlated to
an interface or all interfaces.

Examples

# Display information about DHCP server groups correlated to all interfaces.


<Sysname> display dhcp relay all
Interface name Server-group
Vlan-interface 1 2

Table 1-1 display dhcp relay all command output description

Field          Description
Server-group   DHCP server group number correlated to the interface.

display dhcp relay information

Syntax

display dhcp relay information { all | interface interface-type interface-number }

View

Any view

Default Level

1: Monitor level

Parameters

all: Displays the Option 82 configuration information of all interfaces.


interface interface-type interface-number: Displays the Option 82 configuration information of a
specified interface.

Description

Use the display dhcp relay information command to display Option 82 configuration information on
the DHCP relay agent.

Examples

# Display the Option 82 configuration information of all interfaces.


<Sysname> display dhcp relay information all
Interface: Vlan-interface100
Status: Enable
Strategy: Replace
Format: Verbose
Circuit ID format-type: HEX
Remote ID format-type: ASCII
Node identifier: abaci
User defined:
Circuit ID: company001
Interface: Vlan-interface200
Status: Enable
Strategy: Keep
Format: Normal
Circuit ID format-type: HEX
Remote ID format-type: ASCII
User defined:
Remote ID: device001

Table 1-2 display dhcp relay information all command output description

Field                    Description
Interface                Interface name
Status                   Option 82 state, which can be Enable or Disable.
Strategy                 Handling strategy for requesting messages containing Option 82, which can be Drop, Keep, or Replace.
Format                   Padding format of Option 82, which can be Normal or Verbose.
Circuit ID format-type   Non-user-defined code type of the circuit ID sub-option, which can be ASCII or HEX.
Remote ID format-type    Non-user-defined code type of the remote ID sub-option, which can be ASCII or HEX.
Node identifier          Access node identifier
User defined             Content of user-defined sub-options
Circuit ID               User-defined padding content of the circuit ID sub-option
Remote ID                User-defined padding content of the remote ID sub-option

display dhcp relay security

Syntax

display dhcp relay security [ ip-address | dynamic | static ]

View

Any view

Default Level

1: Monitor level

Parameters

ip-address: Displays the binding information of an IP address.


dynamic: Displays information about dynamic bindings.
static: Displays information about static bindings.

Description

Use the display dhcp relay security command to display information about bindings of DHCP relay
agents. If no parameter is specified, information about all bindings will be displayed.

Examples

# Display information about all bindings.


<Sysname> display dhcp relay security
IP Address MAC Address Type Interface
10.1.1.1 00e0-0000-0001 Static Vlan1
10.1.1.5 00e0-0000-0000 Static Vlan2
--- 2 dhcp-security item(s) found ---

Table 1-3 display dhcp relay security command output description

Field         Description
IP Address    Client IP address
MAC Address   Client MAC address
Type          Type of binding, including dynamic, static, and temporary.
Interface     Layer 3 interface connecting to the DHCP client. If no interface is recorded in
              the binding entry, “N/A” is displayed.

display dhcp relay security statistics

Syntax

display dhcp relay security statistics

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display dhcp relay security statistics command to display statistics information about
bindings of DHCP relay agents.

Examples

# Display statistics about bindings of DHCP relay agents.


<Sysname> display dhcp relay security statistics
Static Items :1
Dynamic Items :0
Temporary Items :0
All Items :1

Table 1-4 display dhcp relay security statistics command output description

Field             Description
Static Items      Static binding items
Dynamic Items     Dynamic binding items
Temporary Items   Temporary binding items
All Items         All binding items

display dhcp relay security tracker

Syntax

display dhcp relay security tracker

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display dhcp relay security tracker command to display the interval for refreshing dynamic
bindings on the relay agent.

Examples

# Display the interval for refreshing dynamic bindings on the relay agent.
<Sysname> display dhcp relay security tracker
Current tracker interval : 10s

The interval is 10 seconds.

display dhcp relay server-group

Syntax

display dhcp relay server-group { group-id | all }

View

Any view

Default Level

1: Monitor level

Parameters

group-id: Displays the information of the specified DHCP server group numbered from 0 to 19.
all: Displays the information of all DHCP server groups.

Description

Use the display dhcp relay server-group command to display the configuration information of a
specified or all DHCP server groups.

Examples

# Display IP addresses of DHCP servers in DHCP server group 1.


<Sysname> display dhcp relay server-group 1
No. Group IP
1 1.1.1.1
2 1.1.1.2

Table 1-5 display dhcp relay server-group command output description

Field      Description
No.        Sequence number
Group IP   IP address in the server group

display dhcp relay statistics

Syntax

display dhcp relay statistics [ server-group { group-id | all } ]

View

Any view

Default Level

1: Monitor level

Parameters

group-id: Displays DHCP packet statistics for the specified server group, numbered from 0 to 19.
all: Displays DHCP packet statistics for all server groups. Information for each group will be
displayed.

Description

Use the display dhcp relay statistics command to display DHCP packet statistics related to a
specified or all DHCP server groups.
Note that if no parameter (server-group and all) is specified, all DHCP packet statistics on the relay
agent will be displayed.
Related commands: reset dhcp relay statistics.

Examples

# Display all DHCP packet statistics on the relay agent.


<Sysname> display dhcp relay statistics
Bad packets received: 0
DHCP packets received from clients: 0
DHCPDISCOVER packets received: 0
DHCPREQUEST packets received: 0
DHCPINFORM packets received: 0
DHCPRELEASE packets received: 0
DHCPDECLINE packets received: 0
BOOTPREQUEST packets received: 0
DHCP packets received from servers: 0
DHCPOFFER packets received: 0
DHCPACK packets received: 0
DHCPNAK packets received: 0
BOOTPREPLY packets received: 0
DHCP packets relayed to servers: 0
DHCPDISCOVER packets relayed: 0
DHCPREQUEST packets relayed: 0
DHCPINFORM packets relayed: 0
DHCPRELEASE packets relayed: 0
DHCPDECLINE packets relayed: 0
BOOTPREQUEST packets relayed: 0
DHCP packets relayed to clients: 0
DHCPOFFER packets relayed: 0
DHCPACK packets relayed: 0
DHCPNAK packets relayed: 0
BOOTPREPLY packets relayed: 0
DHCP packets sent to servers: 0
DHCPDISCOVER packets sent: 0
DHCPREQUEST packets sent: 0
DHCPINFORM packets sent: 0
DHCPRELEASE packets sent: 0
DHCPDECLINE packets sent: 0
BOOTPREQUEST packets sent: 0
DHCP packets sent to clients: 0
DHCPOFFER packets sent: 0
DHCPACK packets sent: 0
DHCPNAK packets sent: 0
BOOTPREPLY packets sent: 0

# Display DHCP packet statistics related to every server group on the relay agent.
<Sysname> display dhcp relay statistics server-group all
DHCP relay server-group #0
Packet type Packet number
Client -> Server:
DHCPDISCOVER 0
DHCPREQUEST 0
DHCPINFORM 0
DHCPRELEASE 0
DHCPDECLINE 0
BOOTPREQUEST 0
Server -> Client:
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
BOOTPREPLY 0

reset dhcp relay statistics

Syntax

reset dhcp relay statistics [ server-group group-id ]

View

User view

Default Level

1: Monitor level

Parameters

server-group group-id: Removes the statistics of the specified server group from the relay agent.
The server group ID is in the range of 0 to 19.

Description

Use the reset dhcp relay statistics command to remove statistics from the relay agent.
If no server-group is specified, all statistics will be removed from the relay agent.
Related commands: display dhcp relay statistics.

Examples

# Remove all statistics from the DHCP relay agent.


<Sysname> reset dhcp relay statistics

2 DHCP Client Configuration Commands

When multiple VLAN interfaces that have the same MAC address use DHCP for IP address acquisition via
a relay agent, the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server.

DHCP Client Configuration Commands


display dhcp client

Syntax

display dhcp client [ verbose ] [ interface interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

verbose: Displays verbose DHCP client information.
interface interface-type interface-number: Displays the DHCP client information of the specified
interface.

Description

Use the display dhcp client command to display DHCP client information. If no interface
interface-type interface-number is specified, DHCP client information of all interfaces will be displayed.

Examples

# Display DHCP client information of all interfaces.


<Sysname> display dhcp client
Vlan-interface1 DHCP client information:
Current machine state: BOUND
Allocated IP: 40.1.1.20 255.255.255.0
Allocated lease: 259200 seconds, T1: 129600 seconds, T2: 226800 seconds
DHCP server: 40.1.1.2

# Display verbose DHCP client information.

<Sysname> display dhcp client verbose
Vlan-interface1 DHCP client information:
Current machine state: BOUND
Allocated IP: 40.1.1.20 255.255.255.0
Allocated lease: 259200 seconds, T1: 129600 seconds, T2: 226800 seconds
Lease from 2005.08.13 15:37:59 to 2005.08.16 15:37:59
DHCP server: 40.1.1.2
Transaction ID: 0x1c09322d
Default router: 40.1.1.2
Classless static route:
Destination: 1.1.0.1, Mask: 255.0.0.0, NextHop: 192.168.40.16
Destination: 10.198.122.63, Mask: 255.255.255.255, NextHop: 192.168.40.16
DNS server: 44.1.1.11
DNS server: 44.1.1.12
Domain name: ddd.com
Boot server: 200.200.200.200 1.1.1.1
Client ID: 3030-3066-2e65-3234-
392e-3830-3438-2d56-
6c61-6e2d-696e-7465-
7266-6163-6531
T1 will timeout in 1 day 11 hours 58 minutes 52 seconds.

Table 2-1 display dhcp client command output description

Field                                     Description
Vlan-interface1 DHCP client information   Information of the interface acting as the DHCP client
Current machine state                     Current state of the DHCP client, which can be:
                                          - HALT: Indicates that the client stops applying for an IP address.
                                          - INIT: Indicates the initialization state.
                                          - SELECTING: Indicates that the client has sent out a DHCP-DISCOVER message
                                            in search of a DHCP server and is waiting for the response from DHCP servers.
                                          - REQUESTING: Indicates that the client has sent out a DHCP-REQUEST message
                                            requesting an IP address and is waiting for the response from DHCP servers.
                                          - BOUND: Indicates that the client has received the DHCP-ACK message from a
                                            DHCP server and obtained an IP address successfully.
                                          - RENEWING: Indicates that the T1 timer expires.
                                          - REBOUNDING: Indicates that the T2 timer expires.
Allocated IP                              The IP address allocated by the DHCP server
Allocated lease                           The allocated lease time
T1                                        The 1/2 lease time (in seconds) of the DHCP client IP address
T2                                        The 7/8 lease time (in seconds) of the DHCP client IP address
Lease from….to….                          The start and end time of the lease.
DHCP Server                               DHCP server IP address that assigned the IP address
Transaction ID                            Transaction ID, a random number chosen by the client to identify an IP address allocation.
Default router                            The gateway address assigned to the client
Classless static route                    Classless static routes assigned to the client
Static route                              Classful static routes assigned to the client
DNS server                                The DNS server address assigned to the client
Domain name                               The domain name suffix assigned to the client
Boot server                               PXE server addresses (up to 16 addresses) specified for the DHCP client, which are obtained through Option 43.
Client ID                                 Client ID
T1 will timeout in 1 day 11 hours 58      Time remaining before the T1 (1/2 lease time) timer expires.
minutes 52 seconds.

ip address dhcp-alloc

Syntax

ip address dhcp-alloc [ client-identifier mac interface-type interface-number ]


undo ip address dhcp-alloc

View

Interface view

Default Level

2: System level

Parameters

client-identifier mac interface-type interface-number: Uses the MAC address of the specified interface
as the client ID to obtain an IP address.

Description

Use the ip address dhcp-alloc command to configure an interface to use DHCP for IP address
acquisition.
Use the undo ip address dhcp-alloc command to stop an interface from using DHCP.
By default, an interface does not use DHCP for IP address acquisition.
Note that:
- If no parameter is specified, the client uses a character string comprised of the current interface
name and MAC address as its ID for address acquisition.
- The DHCP client sends a DHCP-RELEASE message to release the IP address obtained via
DHCP. If the interface of the client is down, the message cannot be sent.

Examples

# Configure VLAN-interface 1 to use DHCP for IP address acquisition.

<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address dhcp-alloc
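
The following added example (not H3C code) parses the display dhcp client verbose output shown earlier, checks T1 and T2 against the 1/2 and 7/8 lease fractions given in Table 2-1, and decodes the hexadecimal Client ID into the default string built from the MAC address and interface name. The MAC-then-interface order and the dotted MAC notation are read off the decoded sample and are assumptions for other releases.

```python
import re

# Lines copied from the "display dhcp client verbose" example above
# (fields this check does not use are left out).
SAMPLE_OUTPUT = """\
Vlan-interface1 DHCP client information:
Current machine state: BOUND
Allocated IP: 40.1.1.20 255.255.255.0
Allocated lease: 259200 seconds, T1: 129600 seconds, T2: 226800 seconds
DHCP server: 40.1.1.2
Client ID: 3030-3066-2e65-3234-
392e-3830-3438-2d56-
6c61-6e2d-696e-7465-
7266-6163-6531
T1 will timeout in 1 day 11 hours 58 minutes 52 seconds.
"""

HEADER_RE = re.compile(r"^(\S+) DHCP client information:$")
LEASE_RE = re.compile(
    r"^Allocated lease: (\d+) seconds, T1: (\d+) seconds, T2: (\d+) seconds$")
HEX_LINE_RE = re.compile(r"^(?:[0-9a-fA-F]{4}-)*[0-9a-fA-F]{4}-?$")
# MAC notation as it appears inside the decoded sample client ID (assumption).
DOTTED_MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_dhcp_clients(text):
    """Return one dict per interface block found in the command output."""
    clients = []
    lines = [line.strip() for line in text.splitlines()]
    for idx, line in enumerate(lines):
        header, lease = HEADER_RE.match(line), LEASE_RE.match(line)
        if header:
            clients.append({"interface": header.group(1)})
        elif not clients:
            continue                      # text before the first interface block
        elif lease:
            keys = ("lease", "t1", "t2")
            clients[-1].update(zip(keys, map(int, lease.groups())))
        elif line.startswith("Client ID:"):
            hex_text = line.split(":", 1)[1].strip()
            for cont in lines[idx + 1:]:  # the ID wraps over several lines
                if not HEX_LINE_RE.match(cont):
                    break
                hex_text += cont
            clients[-1]["client_id"] = bytes.fromhex(hex_text.replace("-", ""))
    return clients


def check_client(client):
    """Return findings for one parsed block; an empty list means consistent."""
    missing = {"lease", "t1", "t2", "client_id"} - set(client)
    if missing:
        return ["missing field(s): " + ", ".join(sorted(missing))]
    findings = []
    if client["t1"] * 2 != client["lease"]:
        findings.append("T1 is not 1/2 of the lease")
    if client["t2"] * 8 != client["lease"] * 7:
        findings.append("T2 is not 7/8 of the lease")
    text = client["client_id"].decode("ascii", errors="replace")
    mac, sep, ifname = text.partition("-")
    if not (sep and DOTTED_MAC_RE.match(mac) and ifname == client["interface"]):
        findings.append("client ID is not the default MAC-interface string: " + text)
    return findings


if __name__ == "__main__":
    for entry in parse_dhcp_clients(SAMPLE_OUTPUT):
        print(entry["interface"], entry["client_id"].decode("ascii"),
              check_client(entry) or "consistent")
```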

3 DHCP Snooping Configuration Commands

A DHCP snooping-enabled device does not work if it is located between the DHCP relay agent and the
DHCP server. It works when it is located between the DHCP client and the relay agent, or between the
DHCP client and the server.

DHCP Snooping Configuration Commands


dhcp-snooping

Syntax

dhcp-snooping
undo dhcp-snooping

View

System view

Default Level

2: System level

Parameters

None

Description

Use the dhcp-snooping command to enable DHCP snooping.


Use the undo dhcp-snooping command to disable DHCP snooping.
With DHCP snooping disabled, all ports can forward responses from any DHCP server, and the device
does not record binding information about the MAC addresses of DHCP clients and the IP addresses they
obtain.
By default, DHCP snooping is disabled.
Related commands: display dhcp-snooping.

Examples

# Enable DHCP snooping.


<Sysname> system-view
[Sysname] dhcp-snooping

dhcp-snooping information circuit-id format-type

Syntax

dhcp-snooping information circuit-id format-type { ascii | hex }


undo dhcp-snooping information circuit-id format-type

View

Layer 2 Ethernet port view, Layer 2 aggregation interface view

Default Level

2: System level

Parameters

ascii: Specifies the code type for the circuit ID sub-option as ascii.
hex: Specifies the code type for the circuit ID sub-option as hex.

Description

Use the dhcp-snooping information circuit-id format-type command to configure the code type for
the non-user-defined circuit ID sub-option.
Use the undo dhcp-snooping information circuit-id format-type command to restore the default.
By default, the code type for the circuit ID sub-option depends on the padding format of Option 82. Each
field has its own code type.
Note that:
This command applies to configuring the non-user-defined circuit ID sub-option only. After you
configure the padding content for the circuit ID sub-option using the dhcp-snooping information
circuit-id string command, ASCII is adopted as the code type.
Related commands: display dhcp-snooping information.

Examples

# Configure the code type for the non-user-defined circuit ID sub-option as ascii.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp-snooping information circuit-id format-type ascii

dhcp-snooping information circuit-id string

Syntax

dhcp-snooping information [ vlan vlan-id ] circuit-id string circuit-id


undo dhcp-snooping information [ vlan vlan-id ] circuit-id string

View

Layer 2 Ethernet port view, Layer 2 aggregation interface view

Default Level

2: System level

Parameters

vlan vlan-id: Specifies a VLAN ID, in the range of 1 to 4094.


circuit-id: Padding content for the user-defined circuit ID sub-option, a case-sensitive string of 3 to 63
characters.

Description

Use the dhcp-snooping information circuit-id string command to configure the padding content for
the user-defined circuit ID sub-option.
Use the undo dhcp-snooping information circuit-id string command to restore the default.
By default, the padding content for the circuit ID sub-option depends on the padding format of Option
82.
Note that:
- After you configure the padding content for the circuit ID sub-option using this command, ASCII is
adopted as the code type.
- If a VLAN is specified, the configured circuit ID sub-option only takes effect within the VLAN; if no
VLAN is specified, the configured circuit ID sub-option takes effect in all VLANs. The former case
has a higher priority; that is, the circuit ID sub-option specified for a VLAN will be padded for
packets within the VLAN.
Related commands: dhcp-snooping information format, display dhcp-snooping information.

Examples

# Configure the global padding content for the user-defined circuit ID sub-option as company001.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp-snooping information circuit-id string company001

dhcp-snooping information enable

Syntax

dhcp-snooping information enable


undo dhcp-snooping information enable

View

Layer 2 Ethernet interface view, Layer 2 aggregation interface view

Default Level

2: System level

Parameters

None

Description

Use the dhcp-snooping information enable command to configure DHCP snooping to support Option
82.
Use the undo dhcp-snooping information enable command to disable this function.
By default, DHCP snooping does not support Option 82.
Related commands: display dhcp-snooping information.

Examples

# Configure DHCP snooping to support Option 82.


<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp-snooping information enable

dhcp-snooping information format

Syntax

dhcp-snooping information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] }

undo dhcp-snooping information format [ verbose node-identifier ]

View

Layer 2 Ethernet interface view, Layer 2 aggregation interface view

Default Level

2: System level

Parameters

normal: Specifies the normal padding format.


verbose: Specifies the verbose padding format.
node-identifier { mac | sysname | user-defined node-identifier }: Specifies access node identifier. By
default, the node MAC address is used as the node identifier.
- mac indicates using MAC address as the node identifier.
- sysname indicates using the device name of a node as the node identifier.
- user-defined node-identifier indicates using a specified character string as the node identifier, in
which node-identifier is a string of 1 to 50 characters.

Description

Use the dhcp-snooping information format command to specify the padding format for Option 82.
Use the undo dhcp-snooping information format command to restore the default.
By default, the padding format for Option 82 is normal.
Note that when you use the undo dhcp-snooping information format command, if the verbose
node-identifier argument is not specified, the padding format will be restored to normal; if the verbose
node-identifier argument is specified, the padding format will be restored to verbose with MAC
address as the node identifier.
Related commands: display dhcp-snooping information.

Examples

# Specify the padding format as verbose for Option 82.


<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp-snooping information enable
[Sysname-GigabitEthernet1/0/1] dhcp-snooping information strategy replace
[Sysname-GigabitEthernet1/0/1] dhcp-snooping information format verbose

dhcp-snooping information remote-id format-type

Syntax

dhcp-snooping information remote-id format-type { ascii | hex }


undo dhcp-snooping information remote-id format-type

View

Layer 2 Ethernet port view, Layer 2 aggregation interface view

Default Level

2: System level

Parameters

ascii: Specifies the code type for the remote ID sub-option as ascii.
hex: Specifies the code type for the remote ID sub-option as hex.

Description

Use the dhcp-snooping information remote-id format-type command to configure the code type for
the non-user-defined remote ID sub-option.
Use the undo dhcp-snooping information remote-id format-type command to restore the default.
By default, the code type for the remote ID sub-option is HEX.
Note that:
This command applies to configuring a non-user-defined remote ID sub-option only. After you configure
the padding content for the remote ID sub-option using the dhcp-snooping information remote-id
string command, ASCII is adopted as the code type.
Related commands: display dhcp-snooping information.

Examples

# Configure the code type for the non-user-defined remote ID sub-option as ascii.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp-snooping information remote-id format-type ascii

dhcp-snooping information remote-id string

Syntax

dhcp-snooping information [ vlan vlan-id ] remote-id string { remote-id | sysname }


undo dhcp-snooping information [ vlan vlan-id ] remote-id string

View

Layer 2 Ethernet port view, Layer 2 aggregation interface view

Default Level

2: System level

Parameters

vlan vlan-id: Specifies a VLAN ID, in the range of 1 to 4094.


remote-id: Padding content for the user-defined remote ID sub-option, a case-sensitive string of 1 to 63
characters.
sysname: Specifies the device name as the padding content for the remote ID sub-option.

Description

Use the dhcp-snooping information remote-id string command to configure the padding content for
the user-defined remote ID sub-option.
Use the undo dhcp-snooping information remote-id string command to restore the default.
By default, the padding content for the remote ID sub-option depends on the padding format of Option
82.
Note that:
- After you configure the padding content for the remote ID sub-option using this command, ASCII is
adopted as the code type.
- If a VLAN is specified, the configured remote ID sub-option only takes effect within the VLAN; if no
VLAN is specified, the configured remote ID sub-option takes effect in all VLANs. The former case
has a higher priority; that is, the remote ID sub-option configured for a VLAN will be padded for the
packets within the VLAN.

If you want to specify the character string sysname (a case-insensitive character string) as the padding
content for the remote ID sub-option, you need to use quotation marks to make it take effect. For
example, if you want to specify Sysname as the padding content for the remote ID sub-option, you
need to enter the dhcp relay information remote-id string “Sysname” command.

Related commands: dhcp-snooping information format, display dhcp-snooping information.

Examples

# Configure the padding content for the remote ID sub-option as device001.


<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp-snooping information remote-id string device001

dhcp-snooping information strategy

Syntax

dhcp-snooping information strategy { drop | keep | replace }


undo dhcp-snooping information strategy

View

Layer 2 Ethernet interface view, Layer 2 aggregation interface view

Default Level

2: System level

Parameters

drop: Drops the requesting message containing Option 82.


keep: Forwards the requesting message containing Option 82 without changing Option 82.
replace: Forwards the requesting message containing Option 82 after replacing the original Option 82
with the one padded in specified format.

Description

Use the dhcp-snooping information strategy command to configure the handling strategy for Option
82 in requesting messages.
Use the undo dhcp-snooping information strategy command to restore the default.
By default, the handling strategy for Option 82 in requesting messages is replace.
Related commands: display dhcp-snooping information.

Examples

# Configure the handling strategy for Option 82 in requesting messages as keep.


<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp-snooping information enable
[Sysname-GigabitEthernet1/0/1] dhcp-snooping information strategy keep
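
The drop, keep and replace strategies described above, modelled on a raw DHCP options field as an added example (not H3C code). It covers only user-defined ASCII circuit ID and remote ID strings; the option and sub-option codes come from RFC 2132 and RFC 3046, the sample requests are constructed, and adding Option 82 to a request that carries none is an assumption about the device that this section does not state. With keep, whatever values the sender supplied reach the server unchanged.

```python
OPT_PAD, OPT_END, OPT_RELAY_INFO = 0, 255, 82   # DHCP option codes (RFC 2132, RFC 3046)
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2             # Option 82 sub-option codes (RFC 3046)
STRATEGIES = ("drop", "keep", "replace")


def parse_tlvs(raw, dhcp_level=True):
    """Split code/length/value items; at DHCP level 0 is padding and 255 ends the field."""
    items, i = [], 0
    while i < len(raw):
        code = raw[i]
        if dhcp_level and code == OPT_PAD:
            i += 1
            continue
        if dhcp_level and code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated item header")
        length = raw[i + 1]
        value = bytes(raw[i + 2:i + 2 + length])
        if len(value) != length:
            raise ValueError("item %d overruns the buffer" % code)
        items.append((code, value))
        i += 2 + length
    return items


def build_options(items):
    """Serialise (code, value) pairs and terminate them with the End option."""
    out = bytearray()
    for code, value in items:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_option82(circuit_id, remote_id):
    """Option 82 value carrying user-defined strings (length limits from this chapter)."""
    cid, rid = circuit_id.encode("ascii"), remote_id.encode("ascii")
    if not 3 <= len(cid) <= 63:
        raise ValueError("circuit ID must be 3 to 63 characters")
    if not 1 <= len(rid) <= 63:
        raise ValueError("remote ID must be 1 to 63 characters")
    return (bytes([SUB_CIRCUIT_ID, len(cid)]) + cid +
            bytes([SUB_REMOTE_ID, len(rid)]) + rid)


def option82_of(raw):
    """Return {sub-option code: value} for Option 82, or None if it is absent."""
    for code, value in parse_tlvs(raw):
        if code == OPT_RELAY_INFO:
            return dict(parse_tlvs(value, dhcp_level=False))
    return None


def apply_strategy(raw, strategy, circuit_id, remote_id):
    """Return the options field to forward, or None when the request is dropped."""
    strategy = strategy.lower()
    if strategy not in STRATEGIES:
        raise ValueError("strategy must be drop, keep or replace")
    items = parse_tlvs(raw)
    local = (OPT_RELAY_INFO, build_option82(circuit_id, remote_id))
    if all(code != OPT_RELAY_INFO for code, _ in items):
        return build_options(items + [local])   # assumption: device pads Option 82
    if strategy == "drop":
        return None
    if strategy == "keep":
        return build_options(items)              # sender's Option 82 left untouched
    others = [item for item in items if item[0] != OPT_RELAY_INFO]
    return build_options(others + [local])       # replace with the local padding


# Constructed requests: option 53 = DHCPDISCOVER, with and without Option 82.
REQUEST_WITHOUT_OPTION82 = build_options([(53, b"\x01")])
REQUEST_WITH_OPTION82 = build_options(
    [(53, b"\x01"), (OPT_RELAY_INFO, build_option82("upstream-cid", "upstream-rid"))])

if __name__ == "__main__":
    for name in STRATEGIES:
        out = apply_strategy(REQUEST_WITH_OPTION82, name, "company001", "device001")
        print(name, None if out is None else option82_of(out))
```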

dhcp-snooping trust

Syntax

dhcp-snooping trust [ no-user-binding ]


undo dhcp-snooping trust

View

Layer 2 Ethernet interface view, Layer 2 aggregation interface view

Default Level

2: System level

Parameters

no-user-binding: Specifies the port not to record the clients’ IP-to-MAC bindings in DHCP requests it
receives. The command without this keyword records the IP-to-MAC bindings of clients.

Description

Use the dhcp-snooping trust command to configure a port as a trusted port.


Use the undo dhcp-snooping trust command to restore the default state of a port.
All ports are untrusted by default.
After enabling DHCP snooping, you need to specify the ports connected to the valid DHCP servers as
trusted to ensure that DHCP clients can obtain valid IP addresses.
Related commands: display dhcp-snooping trust.

Examples

# Specify GigabitEthernet 1/0/1 as a trusted port and enable it to record the IP-to-MAC bindings of
clients.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp-snooping trust

display dhcp-snooping

Syntax

display dhcp-snooping [ ip ip-address ]

View

Any view

Default Level

1: Monitor level

Parameters

ip ip-address: Displays the DHCP snooping entries corresponding to the specified IP address.

Description

Use the display dhcp-snooping command to display DHCP snooping entries.

Only the DHCP snooping entries containing IP-to-MAC bindings that are present both in the
DHCP-ACK and DHCP-REQUEST messages are displayed by using the display dhcp-snooping
command.

Related commands: dhcp-snooping, reset dhcp-snooping.

Examples

# Display all DHCP snooping entries.


<Sysname> display dhcp-snooping
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address MAC Address Lease VLAN Interface
==== =============== =============== ========== ==== =================
D 10.1.1.1 00e0-fc00-0006 286 1 GigabitEthernet1/0/1
--- 1 dhcp-snooping item(s) found ---

Table 3-1 display dhcp-snooping command output description

Field         Description
Type          Binding type, which can be:
              - D: Dynamic IP-to-MAC binding.
              - S: Static IP-to-MAC binding. Currently, static IP-to-MAC bindings are not supported.
IP Address    IP address assigned to the DHCP client
MAC Address   MAC address of the DHCP client
Lease         Lease period left (in seconds)
VLAN          VLAN where the port connecting the DHCP client resides
Interface     Port to which the DHCP client is connected

display dhcp-snooping information

Syntax

display dhcp-snooping information { all | interface interface-type interface-number }

View

Any view

Default Level

1: Monitor level

Parameters

all: Displays the Option 82 configuration information of all Layer 2 Ethernet interfaces.
interface interface-type interface-number: Displays the Option 82 configuration information of a
specified interface.

Description

Use the display dhcp-snooping information command to display Option 82 configuration information
on the DHCP snooping device.

Examples

# Display the Option 82 configuration information of all interfaces.


<Sysname> display dhcp-snooping information all
Interface: GigabitEthernet1/0/1
Status: Enable
Strategy: Replace
Format: Verbose
Circuit ID format-type: HEX
Remote ID format-type: ASCII
Node identifier: aabbcc
User defined:
Circuit ID: company001

display dhcp-snooping packet statistics

Syntax

display dhcp-snooping packet statistics

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display dhcp-snooping packet statistics command to display DHCP packet statistics on the
DHCP snooping device.
Related commands: reset dhcp-snooping packet statistics.

Examples

# Display DHCP packet statistics on the DHCP snooping device.


<Sysname> display dhcp-snooping packet statistics
DHCP packets received : 100
DHCP packets sent : 200
Packets dropped due to rate limitation : 20
Dropped invalid packets : 0

display dhcp-snooping trust

Syntax

display dhcp-snooping trust

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display dhcp-snooping trust command to display information about trusted ports.
Related commands: dhcp-snooping trust.

Examples

# Display information about trusted ports.


<Sysname> display dhcp-snooping trust
DHCP Snooping is enabled.
DHCP Snooping trust becomes active.
Interface Trusted
========================= ============
GigabitEthernet1/0/1 Trusted

The above output shows that DHCP snooping is enabled, DHCP snooping trust is active, and port
GigabitEthernet1/0/1 is trusted.
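
One way to audit captured display dhcp-snooping trust and display dhcp-snooping output against the ports that are meant to face valid DHCP servers, given as an added example (not H3C tooling). The sample text is copied from the examples in this chapter; server_ports is a hypothetical allow-list supplied by the operator.

```python
import re

# Output copied from the examples in this chapter.
SAMPLE_TRUST = """\
DHCP Snooping is enabled.
DHCP Snooping trust becomes active.
Interface Trusted
========================= ============
GigabitEthernet1/0/1 Trusted
"""

SAMPLE_BINDINGS = """\
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address MAC Address Lease VLAN Interface
==== =============== =============== ========== ==== =================
D 10.1.1.1 00e0-fc00-0006 286 1 GigabitEthernet1/0/1
--- 1 dhcp-snooping item(s) found ---
"""

BINDING_RE = re.compile(
    r"^([DS])\s+(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{4}-){2}[0-9a-fA-F]{4})"
    r"\s+(\d+)\s+(\d+)\s+(\S+)$")


def table_rows(text):
    """Return the stripped rows between the '====' rule and the '---' summary."""
    rows, in_table = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("="):
            in_table = True
        elif line.startswith("---"):
            in_table = False
        elif in_table and line:
            rows.append(line)
    return rows


def snooping_enabled(text):
    """True when the output carries the 'enabled' status line."""
    return any(line.strip() == "DHCP Snooping is enabled." for line in text.splitlines())


def parse_trusted_ports(text):
    """Port names listed as Trusted in 'display dhcp-snooping trust' output."""
    ports = []
    for row in table_rows(text):
        fields = row.split()
        if len(fields) == 2 and fields[1] == "Trusted":
            ports.append(fields[0])
    return ports


def parse_bindings(text):
    """Binding entries from 'display dhcp-snooping' output, one dict per row."""
    bindings = []
    for row in table_rows(text):
        match = BINDING_RE.match(row)
        if match:
            kind, ip, mac, lease, vlan, port = match.groups()
            bindings.append({"type": kind, "ip": ip, "mac": mac.lower(),
                             "lease": int(lease), "vlan": int(vlan), "interface": port})
    return bindings


def audit(trust_text, binding_text, server_ports):
    """Compare device state with the ports expected to face valid DHCP servers."""
    findings = []
    if not snooping_enabled(trust_text):
        findings.append("DHCP snooping is disabled: every port forwards server responses")
    trusted = set(parse_trusted_ports(trust_text))
    for port in sorted(trusted - set(server_ports)):
        findings.append(port + " is trusted but is not a known DHCP server port")
    for port in sorted(set(server_ports) - trusted):
        findings.append(port + " faces a DHCP server but is untrusted")
    for entry in parse_bindings(binding_text):
        if entry["type"] == "S":  # Table 3-1: static bindings are not supported
            findings.append("static binding " + entry["ip"] + " listed although "
                            "static bindings are not supported")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_TRUST, SAMPLE_BINDINGS, {"GigabitEthernet1/0/1"}) or "no findings")
```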

reset dhcp-snooping

Syntax

reset dhcp-snooping { all | ip ip-address }

View

User view

Default Level

1: Monitor level

Parameters

all: Clears all DHCP snooping entries.


ip ip-address: Clears the DHCP snooping entries of the specified IP address.

Description

Use the reset dhcp-snooping command to clear DHCP snooping entries.


DHCP snooping entries on all slots will be cleared after you execute this command.
Related commands: display dhcp-snooping.

Examples

# Clear all DHCP snooping entries.


<Sysname> reset dhcp-snooping all

reset dhcp-snooping packet statistics

Syntax

reset dhcp-snooping packet statistics

View

User view

Default Level

2: System level

Parameters

None

Description

Use the reset dhcp-snooping packet statistics command to clear DHCP packet statistics on the
DHCP snooping device.
Related commands: display dhcp-snooping packet statistics.

Examples

# Clear DHCP packet statistics on the DHCP snooping device.


<Sysname> reset dhcp-snooping packet statistics

4 BOOTP Client Configuration Commands

If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay
agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server.

BOOTP Client Configuration Commands


display bootp client

Syntax

display bootp client [ interface interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface interface-type interface-number: Displays the BOOTP client information of the interface.

Description

Use the display bootp client command to display related information about a BOOTP client.
Note:
- If interface interface-type interface-number is not specified, the command will display information
about BOOTP clients on all interfaces.
- If interface interface-type interface-number is specified, the command will display information
about the BOOTP client on the specified interface.

Examples

# Display related information of the BOOTP client on VLAN-interface 1.


<Sysname> display bootp client interface vlan-interface 1
Vlan-interface1 BOOTP client information:
Allocated IP: 169.254.0.2 255.255.0.0
Transaction ID = 0x3d8a7431
Mac Address 00e0-fc0a-c3ef

Table 4-1 display bootp client command output description

Field                                      Description
Ethernet1/1 BOOTP client information or    Information of the interface serving as a BOOTP client
Vlan-interface1 BOOTP client information
Allocated IP                               BOOTP client’s IP address allocated by the BOOTP server
Transaction ID                             Value of the XID field in a BOOTP message, namely, a random number chosen
                                           while the BOOTP client sends a BOOTP request to the BOOTP server. It is
                                           used to match a response message from the BOOTP server. If the values of
                                           the XID field are different in the BOOTP response and request, the BOOTP
                                           client will drop the BOOTP response.
Mac Address                                MAC address of a BOOTP client

ip address bootp-alloc

Syntax

ip address bootp-alloc
undo ip address bootp-alloc

View

Interface view

Default Level

2: System level

Parameters

None

Description

Use the ip address bootp-alloc command to enable an interface to obtain an IP address through
BOOTP.
Use the undo ip address bootp-alloc command to disable the interface from obtaining an IP address
through BOOTP.
By default, an interface does not obtain an IP address through BOOTP.
Related commands: display bootp client.

Examples

# Configure VLAN-interface 1 to obtain an IP address through BOOTP.


<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address bootp-alloc

Table of Contents

1 FTP Configuration Commands
    FTP Server Configuration Commands
        display ftp-server
        display ftp-user
        free ftp user
        ftp server acl
        ftp server enable
        ftp timeout
        ftp update
    FTP Client Configuration Commands
        ascii
        binary
        bye
        cd
        cdup
        close
        debugging
        delete
        dir
        disconnect
        display ftp client configuration
        ftp
        ftp client source
        get
        lcd
        ls
        mkdir
        open
        passive
        put
        pwd
        quit
        remotehelp
        rmdir
        user
        verbose

2 TFTP Configuration Commands
    TFTP Client Configuration Commands
        display tftp client configuration
        tftp-server acl
        tftp
        tftp client source

1 FTP Configuration Commands

FTP Server Configuration Commands


display ftp-server

Syntax

display ftp-server

View

Any view

Default Level

3: Manage level

Parameters

None

Description

Use the display ftp-server command to display the FTP server configuration.
After configuring FTP server parameters, you may verify them with this command.
Related commands: ftp server enable, ftp timeout, ftp update.

Examples

# Display the FTP server configuration.


<Sysname> display ftp-server
FTP server is running
Max user number: 1
User count: 1
Timeout value(in minute): 30
Put Method: fast

Table 1-1 display ftp-server command output description

Field | Description
Max user number | Maximum number of login users at a time
User count | Number of the current login users
Timeout value (in minute) | Allowed idle time of an FTP connection. If there is no packet exchange between the FTP server and client during the whole period, the FTP connection will be disconnected.
Put Method | File update method of the FTP server: fast (Fast update) or normal (Normal update)

display ftp-user

Syntax

display ftp-user

View

Any view

Default Level

3: Manage level

Parameters

None

Description

Use the display ftp-user command to display the detailed information of current FTP users.

Examples

# Display the detailed information of FTP users.


<Sysname> display ftp-user
UserName HostIP Port Idle HomeDir
ftp 192.168.1.54 1190 0 flash:

# If the name of the logged-in user exceeds 10 characters, the excess characters are displayed on the
next line and right justified. For example, if the logged-in user name is administrator, the information
is displayed as follows:
<Sysname> display ftp-user
UserName HostIP Port Idle HomeDir
administra
tor 192.168.0.152 1031 0 flash:

Table 1-2 display ftp-user command output description

Field | Description
UserName | Name of the currently logged-in user
HostIP | IP address of the currently logged-in user
Port | Port which the currently logged-in user is using
Idle | Duration time of the current FTP connection, in minutes
HomeDir | Authorized path of the present logged-in user

free ftp user

Syntax

free ftp user username

View

User view

Default Level

3: Manage level

Parameters

username: Username. You can use the display ftp-user command to view the logged-in user name of
the current FTP connection.

Description

Use the free ftp user command to manually release the FTP connection established with the specified
username.
Note that if the user to be released is transmitting a file, the connection between the user and the FTP
server is terminated after the file transmission.

Examples

# Manually release the FTP connection established with username ftpuser.


<Sysname> free ftp user ftpuser
Are you sure to free FTP user ftpuser? [Y/N]:y
<Sysname>

ftp server acl

Syntax

ftp server acl acl-number


undo ftp server acl

View

System view

Default Level

3: Manage level

Parameters

acl-number: Basic access control list (ACL) number, in the range 2000 to 2999.

Description

Use the ftp server acl command to control FTP clients’ access to the device using an ACL.
Use the undo ftp server acl command to restore the default.
By default, no ACL is used to control FTP clients’ access to the device.

Associated with an ACL, the FTP server can deny the FTP requests of some FTP clients and only
permit the access of clients allowed by the ACL rules. This configuration only filters the FTP
connections to be established, and has no effect on the established FTP connections and operations. If
you execute the command multiple times, the last specified ACL takes effect.

Examples

# Associate the FTP service with ACL 2001 to allow only the client 1.1.1.1 to access the device through
FTP.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule 0 permit source 1.1.1.1 0
[Sysname-acl-basic-2001] rule 1 deny source any
[Sysname-acl-basic-2001] quit
[Sysname] ftp server acl 2001

ftp server enable

Syntax

ftp server enable


undo ftp server

View

System view

Default Level

3: Manage level

Parameters

None

Description

Use the ftp server enable command to enable the FTP server and allow the login of FTP users.
Use the undo ftp server command to disable the FTP server.
By default, the FTP server is disabled.

Examples

# Enable the FTP server.


<Sysname> system-view
[Sysname] ftp server enable

ftp timeout

Syntax

ftp timeout minute


undo ftp timeout

View

System view

Default Level

3: Manage level

Parameters

minute: Idle-timeout timer in minutes, in the range 1 to 35791.

Description

Use the ftp timeout command to set the idle-timeout timer.


Use the undo ftp timeout command to restore the default.
By default, the FTP idle time is 30 minutes.
After you log in to an FTP server, if the connection is disrupted and the FTP server is not notified, the
system maintains the connection, which occupies system resources and affects the login of other FTP
users. To address this problem, you can set an idle-timeout timer so that the FTP server disconnects
from the user if no information is received or transmitted before the timer expires.

Examples

# Set the idle-timeout timer to 36 minutes.


<Sysname> system-view
[Sysname] ftp timeout 36

ftp update

Syntax

ftp update { fast | normal }


undo ftp update

View

System view

Default Level

3: Manage level

Parameters

fast: Fast update.


normal: Normal update.

Description

Use the ftp update command to set the file update mode that the FTP server uses while receiving data.
Use the undo ftp update command to restore the default, namely, the normal mode.

Examples

# Set the FTP update mode to normal.


<Sysname> system-view
[Sysname] ftp update normal

FTP Client Configuration Commands

- In this section, the configuration procedure of entering FTP client view is omitted. You must use the ftp command to enter FTP client view for configurations under this view. For details, refer to ftp.
- Before executing the FTP client configuration commands in this section, make sure you have configured the proper authority for users on the FTP server, such as view the files under the current directory, read/download the specified file, create directory/upload files, rename/remove files, and so on.
- The prompt information in the examples of this section varies with FTP server types.

ascii

Syntax

ascii

View

FTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the ascii command to set the file transfer mode to ASCII.
By default, the file transfer mode is ASCII.
The end-of-line characters vary with operating systems. For example, to indicate the end of a line
and move to the next line, the H3C device system and Windows system use characters \r\n, and the
Linux system uses characters \n. Therefore, when files are transferred between two systems that use
different end-of-line characters, such as a Linux system and an H3C device system, the appropriate FTP
transfer mode must be applied to ensure that the files are interpreted correctly.
FTP transfers files in two modes:
- Binary mode: for program file or picture transmission.
- ASCII mode: for text file transmission.

Related commands: binary.

Examples

# Set the file transfer mode to ASCII.


[ftp] ascii
200 Type set to A.

binary

Syntax

binary

View

FTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the binary command to set the file transfer mode to binary (also called flow mode).
By default, the transfer mode is ASCII mode.
Related commands: ascii.

Examples

# Set the file transfer mode to binary.


[ftp] binary
200 Type set to I.
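
The following Python code is an added example, not part of the H3C manual. It models the line-end conversion described under ascii and binary above and shows why a program image must be sent in binary mode: the ASCII conversion keeps a text file readable but changes the bytes of an image. The file contents and function names are constructed for illustration, and the conversion is a simplified model of the ASCII type in RFC 959, not the device's own code.

```python
import hashlib

CRLF = b"\r\n"   # line end of the H3C device and Windows systems (per this page)
LF = b"\n"       # line end of Linux systems (per this page)

# Constructed sample files.
TEXT = b"sysname Sysname\nftp server enable\n"      # text file stored on Linux
IMAGE = b"\x7fIMG\x00\x0a\x01\x0d\x0a\x02"          # stand-in for a program image


def to_network_ascii(data, local_eol):
    """Sender side of an ASCII-mode transfer: local line ends become CRLF."""
    return data if local_eol == CRLF else data.replace(local_eol, CRLF)


def from_network_ascii(data, local_eol):
    """Receiver side of an ASCII-mode transfer: CRLF becomes the local line end."""
    return data if local_eol == CRLF else data.replace(CRLF, local_eol)


def transfer(data, mode, sender_eol, receiver_eol):
    """Return the bytes stored by the receiver for the given transfer mode."""
    if mode == "binary":
        return data                      # bytes are copied unchanged
    if mode == "ascii":
        on_wire = to_network_ascii(data, sender_eol)
        return from_network_ascii(on_wire, receiver_eol)
    raise ValueError("mode must be 'ascii' or 'binary'")


def digest(data):
    """SHA-256 of the data, as used for an integrity comparison."""
    return hashlib.sha256(data).hexdigest()


def intact(data, mode, sender_eol, receiver_eol):
    """True if the received file is byte-for-byte identical to the original."""
    received = transfer(data, mode, sender_eol, receiver_eol)
    return digest(received) == digest(data)


if __name__ == "__main__":
    # Linux server -> H3C device
    for name, blob in (("text", TEXT), ("image", IMAGE)):
        for mode in ("ascii", "binary"):
            received = transfer(blob, mode, LF, CRLF)
            print(f"{name:5} {mode:6} {len(blob):3} -> {len(received):3} bytes, "
                  f"identical={intact(blob, mode, LF, CRLF)}")
    # The text file keeps the same lines after the ASCII conversion.
    print(transfer(TEXT, "ascii", LF, CRLF).splitlines() == TEXT.splitlines())
```

Comparing a digest of the received image with the one published for it catches a transfer made in the default ASCII mode before the image is used.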

bye

Syntax

bye

View

FTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the bye command to disconnect from the remote FTP server and return to user view. If the device
establishes no connection with the remote FTP server, you will return to user view directly.
Related commands: close, disconnect, quit.

Examples

# Terminate the connection with the remote FTP server and return to user view.
[ftp] bye
221 Server closing.

cd

Syntax

cd { directory | .. | / }

View

FTP client view

Default Level

3: Manage level

Parameters

directory: Name of the target directory, in the format of [drive:/]path. For the detailed explanation of the
drive and path arguments, refer to File System Management Configuration. If no drive information is
provided, the argument represents a folder or subfolder under the current directory.
..: Returns to an upper directory. If the current working directory is the root directory, or no upper
directory exists, the current working directory does not change when the cd .. command is executed.
This argument does not support command online help.
/: Returns to the root directory of the storage medium. The keyword does not support command line
online help.

Description

Use the cd command to change the current working directory on the remote FTP server.
You can use this command to access another authorized directory on the FTP server.
Related commands: pwd.

Examples

# Change the working directory to the sub-directory logfile of the current directory.
[ftp] cd logfile
250 CWD command successful.

# Change the working directory to the sub-directory folder of the authorized directory.
[ftp] cd /folder
250 CWD command successful.

cdup

Syntax

cdup

View

FTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the cdup command to exit the current directory and enter the upper directory of the FTP server.
Execution of this command will not change the working directory if the current directory is already the
authorized directory (that is, work-directory).
Related commands: cd, pwd.

Examples

# Change the current working directory path to the upper directory.


[ftp] pwd
257 "/ftp/subdir" is current directory.
[ftp] cdup
200 CDUP command successful.
[ftp] pwd
257 "/ftp" is current directory.

close

Syntax

close

View

FTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the close command to terminate the connection to the FTP server, but remain in FTP client view.
This command is equal to the disconnect command.

Examples

# Terminate the connection to the FTP server and remain in FTP client view.
[ftp] close
221 Server closing.
[ftp]

debugging

Syntax

debugging
undo debugging

View

FTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the debugging command to enable FTP client debugging.


Use the undo debugging command to disable FTP client debugging.
By default, FTP client debugging is disabled.

Examples

# The device serves as the FTP client. Enable FTP client debugging and use the active mode to
download file sample.file from the current directory of the FTP server.
<Sysname> terminal monitor
<Sysname> terminal debugging
<Sysname> ftp 192.168.1.46
Trying 192.168.1.46 ...
Press CTRL+K to abort
Connected to 192.168.1.46.
220 FTP service ready.
User(192.168.1.46:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.

[ftp]undo passive
FTP: passive is off
[ftp] debugging
FTP: debugging switch is on
[ftp] get sample.file
---> PORT 192,168,1,44,4,21
200 Port command okay.
The parsed reply is 200
---> RETR sample.file
150 Opening ASCII mode data connection for /sample.file.
The parsed reply is 150
FTPC: File transfer started with the signal light turned on.
FTPC: File transfer completed with the signal light turned off.
.226 Transfer complete.
FTP: 3304 byte(s) received in 4.889 second(s), 675.00 byte(s)/sec.

[ftp]

Table 1-3 debugging command output description

Field | Description
---> PORT | Give an FTP order, with data port numbers being…
The parsed reply is | The received reply code, which is defined in RFC 959.
---> RETR | Download the file
FTPC: File transfer started with the signal light turned on. | File transfer starts, and the signal light is turned on.
FTPC: File transfer completed with the signal light turned off. | File transfer is completed, and the signal light is turned off.

delete

Syntax

delete remotefile

View

FTP client view

Default Level

3: Manage level

Parameters

remotefile: File name.

Description

Use the delete command to permanently delete a specified file on the remote FTP server. A deleted file
cannot be restored.
To do this, you must be a user with the delete permission on the FTP server.

Examples

# Delete file temp.c.


[ftp] delete temp.c
250 DELE command successful.

dir

Syntax

dir [ remotefile [ localfile ] ]

View

FTP client view

Default Level

3: Manage level

Parameters

remotefile: Name of the file or directory on the remote FTP server.


localfile: Name of the local file to save the displayed information.

Description

Use the dir command to view the detailed information of the files and subdirectories under the current
directory on the remote FTP server.
Use the dir remotefile command to display the detailed information of the specified file or directory on
the remote FTP server.
Use the dir remotefile localfile command to display the detailed information of the specified file or
directory on the remote FTP server, and save the displayed information into a local file specified by the
localfile argument.

You can use the dir command to display the folder- and file-related information, such as the size, and
the date they were created. If you only need to view the names of all the files and subdirectories under
the current directory, you can use the ls command.

Examples

# View the detailed information of the files and subdirectories under the current directory on the remote
FTP server.
[ftp] dir
227 Entering Passive Mode (192,168,1,46,5,68).
125 ASCII mode data connection already open, transfer starting for /*.
drwxrwxrwx 1 noone nogroup 0 Aug 08 2006 logfile
-rwxrwxrwx 1 noone nogroup 20471748 May 11 10:21 test.app
-rwxrwxrwx 1 noone nogroup 4001 Dec 08 2007 config.cfg
-rwxrwxrwx 1 noone nogroup 3608 Jun 13 2007 startup.cfg
drwxrwxrwx 1 noone nogroup 0 Dec 03 2007 test
-rwxrwxrwx 1 noone nogroup 299 Oct 15 2007 key.pub
226 Transfer complete.
FTP: 394 byte(s) received in 0.189 second(s), 2.00K byte(s)/sec.

[ftp]

# View the information of the file ar-router.cfg, and save the result to aa.txt.
[ftp] dir ar-router.cfg aa.txt
227 Entering Passive Mode (192,168,1,50,17,158).
125 ASCII mode data connection already open, transfer starting for /ar-router.cfg.
....226 Transfer complete.
FTP: 67 byte(s) received in 4.600 second(s), 14.00 byte(s)/sec.

# View the content of aa.txt.


[ftp] quit
<Sysname> more aa.txt
-rwxrwxrwx 1 noone nogroup 3077 Jun 20 15:34 ar-router.cfg

disconnect

Syntax

disconnect

View

FTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the disconnect command to disconnect from the remote FTP server but remain in FTP client view.
This command is equal to the close command.

Examples

# Disconnect from the remote FTP server but remain in FTP client view.
[ftp] disconnect
221 Server closing.

display ftp client configuration

Syntax

display ftp client configuration

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ftp client configuration command to display the configuration information of the FTP
client.

Currently this command displays the configured source IP address or source interface of the FTP client.

Related commands: ftp client source.

Examples

# Display the current configuration information of the FTP client.


<Sysname> display ftp client configuration
The source IP address is 192.168.0.123

ftp

Syntax

ftp [ server-address [ service-port ] [ source { interface interface-type interface-number | ip source-ip-address } ] ]

View

User view

Default Level

3: Manage level

Parameters

server-address: IP address or host name (a string of 1 to 20 characters) of a remote FTP server.


service-port: TCP port number of the remote FTP server, in the range 0 to 65535. The default value is
21.
interface interface-type interface-number: Specifies the source interface by its type and number. The
primary IP address configured on this interface is the source address of the transmitted packets. If no
primary IP address is configured on the source interface, the connection fails.

ip source-ip-address: The source IP address of the current FTP client. This source address must be the
one that has been configured on the device.

Description

Use the ftp command to log in to the remote FTP server and enter FTP client view.
Note that:
- This command applies to IPv4 networks.
- If you use this command without specifying any parameters, you will simply enter the FTP client view without logging in to the FTP server.
- If you specify the parameters, you will be prompted to enter the username and password for accessing the FTP server.
- The priority of the source address specified with this command is higher than that with the ftp client source command. If you specify the source address with the ftp client source command first and then with the ftp command, the source address specified with the ftp command is used to communicate with the FTP server.
Related commands: ftp client source.

Examples

# Log in from the current device Sysname1 to the device Sysname2 with the IP address of
192.168.0.211. The source IP address of the packets sent is 192.168.0.212.
<Sysname> ftp 192.168.0.211 source ip 192.168.0.212
Trying 192.168.0.211 ...
Press CTRL+K to abort
Connected to 192.168.0.211.
220 FTP Server ready.
User(192.168.0.211:(none)):abc
331 Password required for abc
Password:
230 User logged in.

[ftp]

ftp client source

Syntax

ftp client source { interface interface-type interface-number | ip source-ip-address }


undo ftp client source

View

System view

Default Level

2: System level

Parameters

interface interface-type interface-number: Source interface for the FTP connection, including interface
type and interface number. The primary IP address configured on the source interface is the source IP
address of the packets sent by FTP. If no primary IP address is configured on the source interface, the
connection fails.
ip source-ip-address: Source IP address of the FTP connection. It must be an IP address that has been
configured on the device.

Description

Use the ftp client source command to configure the source address of the transmitted FTP packets
from the FTP client.
Use the undo ftp client source command to restore the default.
By default, a device uses the IP address of the interface determined by the matched route as the source
IP address to communicate with an FTP server.
Note that:
- The source address can be specified as either the source interface or the source IP address. If you use the ftp client source command to specify the source interface and then the source IP address, the newly specified source IP address overwrites the configured source interface and vice versa.
- If the source address is specified with the ftp client source command and then with the ftp command, the source address specified with the latter one is used to communicate with the FTP server.
- The source address specified with the ftp client source command is valid for all FTP connections and the source address specified with the ftp command is valid only for the current FTP connection.
Related commands: display ftp client configuration.

Examples

# Specify the source IP address of the FTP client as 2.2.2.2.


<Sysname> system-view
[Sysname] ftp client source ip 2.2.2.2

# Specify the source interface of the FTP client as Vlan-interface1.


<Sysname> system-view
[Sysname] ftp client source interface vlan-interface1

get

Syntax

get remotefile [ localfile ]

View

FTP client view

Default Level

3: Manage level

Parameters

remotefile: Name of the file to be downloaded.


localfile: File name used after a file is downloaded and saved locally. If this argument is not specified,
the file is saved locally using the source file name to the current working directory, namely the directory
where the user executes the ftp command.

Description

Use the get command to download a file from a remote FTP server and save it.

Examples

# Download file testcfg.cfg and save it as aa.cfg.


[ftp] get testcfg.cfg aa.cfg
227 Entering Passive Mode (192,168,1,50,17,163).
125 ASCII mode data connection already open, transfer starting for /testcfg.cfg.
.....226 Transfer complete.
FTP: 5190 byte(s) received in 7.754 second(s), 669.00 byte(s)/sec.

lcd

Syntax

lcd

View

FTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the lcd command to display the local working directory of the FTP client.

Examples

# Display the local working directory.


[ftp] lcd
FTP: Local directory now flash:/clienttemp.

The above information indicates that the working directory of the FTP client before execution of the ftp
command is flash:/clienttemp.

ls

Syntax

ls [ remotefile [ localfile ] ]

View

FTP client view

Default Level

3: Manage level

Parameters

remotefile: Filename or directory on the remote FTP server.


localfile: Name of a local file used to save the displayed information.

Description

Use the ls command to view the information of all the files and subdirectories under the current
directory of the remote FTP server. The file names and subdirectory names are displayed.
Use the ls remotefile command to view the information of a specified file or subdirectory.
Use the ls remotefile localfile command to view the information of a specified file or subdirectory, and
save the result to a local file specified by the localfile argument.

The ls command can only display the names of files and directories on the FTP server, whereas the dir
command can display other related information of the files and directories, such as the size, and the
date they were created.

Examples

# View the information of all files and subdirectories under the current directory of the FTP server.
[ftp] ls
227 Entering Passive Mode (192,168,1,50,17,165).
125 ASCII mode data connection already open, transfer starting for /*.
ar-router.cfg
logfile
mainar.app
arbasicbtm.app
ftp
test
bb.cfg
testcfg.cfg
226 Transfer complete.
FTP: 87 byte(s) received in 0.132 second(s) 659.00 byte(s)/sec.

# View the information of directory logfile, and save the result to file aa.txt.
[ftp] ls logfile aa.txt
227 Entering Passive Mode (192,168,1,46,4,3).
125 ASCII mode data connection already open, transfer starting for /logfile/*.
....226 Transfer complete.
FTP: 20 byte(s) received in 3.962 second(s), 5.00 byte(s)/sec.

# View the content of file aa.txt.


[ftp] quit
<Sysname> more aa.txt
.
..
logfile.log

mkdir

Syntax

mkdir directory

View

FTP client view

Default Level

3: Manage level

Parameters

directory: Name of the directory to be created.

Description

Use the mkdir command to create a subdirectory under the current directory on the remote FTP server.
To do this, you must be a user with the permission on the FTP server.

Examples

# Create subdirectory mytest on the current directory of the remote FTP server.
[ftp] mkdir mytest
257 "/mytest" new directory created.

open

Syntax

open server-address [ service-port ]

View

FTP client view

Default Level

3: Manage level

Parameters

server-address: IP address or host name of a remote FTP server.

service-port: Port number of the remote FTP server, in the range 0 to 65535, with the default value of
21.

Description

Use the open command to log in to the IPv4 FTP server under FTP client view.
At login, you will be asked to enter the username and password for accessing the FTP server. If your
input is correct, the login succeeds; otherwise, it fails.
If you are currently logged in to an IPv4 FTP server, you cannot use the open command to log in to
another server. You need to disconnect from the current server first, and then try to connect to another
one.
Related commands: close.

Examples

# In FTP client view, log in to the FTP server with the IP address of 192.168.1.50.
<Sysname> ftp
[ftp] open 192.168.1.50
Trying 192.168.1.50 ...
Press CTRL+K to abort
Connected to 192.168.1.50.
220 FTP service ready.
User(192.168.1.50:(none)):aa
331 Password required for aa.
Password:
230 User logged in.

[ftp]

passive

Syntax

passive
undo passive

View

FTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the passive command to set the data transmission mode to passive.
Use the undo passive command to set the data transmission mode to active.
The default transmission mode is passive.
Data transmission modes fall into the passive mode and the active mode. The active mode means that
the data connection request is initiated by a server. The passive mode means that the data connection
request is initiated by a client. This command is mainly used in conjunction with a firewall to restrict the
FTP session connection between private and public network users.

Examples

# Set the data transmission mode to passive.


[ftp] passive
FTP: passive is on
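
In passive mode the server announces its data endpoint in a 227 reply, such as the ones printed in this manual's put and verbose examples. The Python code below is an added example, not part of the H3C manual: it decodes that reply so the data port a firewall rule must admit can be computed, and compares the announced address with the control-connection peer. The function names and finding labels are hypothetical, and the two findings are review heuristics.

```python
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." as defined by RFC 959.
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) announced in a 227 passive-mode reply."""
    match = _PASV_RE.match(reply.strip())
    if match is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(value) for value in match.groups()]
    if any(field > 255 for field in fields):
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(field) for field in fields[:4])
    # The port is sent as two decimal bytes: high byte first, then low byte.
    port = fields[4] * 256 + fields[5]
    return host, port


def check_data_endpoint(reply, control_peer):
    """Decode the reply and list findings worth a second look (heuristics)."""
    host, port = parse_pasv(reply)
    findings = []
    # A data address other than the server the client logged in to means the
    # data connection would go to a third host (or NAT rewrote the address).
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        findings.append("pasv-host-differs-from-control-peer")
    # Passive listeners normally use high ports; a low port is unusual.
    if port < 1024:
        findings.append("data-port-in-well-known-range")
    return {"host": host, "port": port, "findings": findings}


if __name__ == "__main__":
    # Replies copied from the put and verbose examples of this manual.
    samples = [
        ("227 Entering Passive Mode (192,168,1,50,17,169).", "192.168.1.50"),
        ("227 Entering Passive Mode (192,168,1,46,5,85).", "192.168.1.46"),
        # Constructed reply that points the data connection elsewhere.
        ("227 Entering Passive Mode (10,0,0,5,0,21).", "192.168.1.50"),
    ]
    for reply, peer in samples:
        print(check_data_endpoint(reply, peer))
```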

put

Syntax

put localfile [ remotefile ]

View

FTP client view

Default Level

3: Manage level

Parameters

localfile: Name of the local file to be uploaded.


remotefile: File name used after a file is uploaded and saved on the FTP server.

Description

Use the put command to upload a file on the client to the remote FTP server.
If no name is assigned to the file to be saved on the FTP server, the name of the source file is used by
default. After a file is uploaded, it will be saved under the user’s authorized directory, which can be set
with the authorization-attribute command.

Examples

# Upload source file cc.txt to the remote FTP server and save it as dd.txt.
[ftp] put cc.txt dd.txt
227 Entering Passive Mode (192,168,1,50,17,169).
125 ASCII mode data connection already open, transfer starting for /dd.txt.
226 Transfer complete.
FTP: 9 byte(s) sent in 0.112 second(s), 80.00 byte(s)/sec.

pwd

Syntax

pwd

View

FTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the pwd command to display the currently accessed directory on the remote FTP server.

Examples

# Display the currently accessed directory on the remote FTP server.


[ftp] cd servertemp
[ftp] pwd
257 "/servertemp" is current directory.

The above information indicates that the servertemp folder under the root directory of the remote FTP
server is being accessed by the user.

quit

Syntax

quit

View

FTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the quit command to disconnect from the remote FTP server and exit to user view.

Examples

# Disconnect from the remote FTP server and exit to user view.
[ftp] quit
221 Server closing.

<Sysname>

remotehelp

Syntax

remotehelp [ protocol-command ]

View

FTP client view

Default Level

3: Manage level

Parameters

protocol-command: FTP command.

Description

Use the remotehelp command to display the help information of FTP-related commands supported by
the remote FTP server.
If no argument is specified, FTP-related commands supported by the remote FTP server are displayed.

Examples

# Display FTP commands supported by the remote FTP server.


[ftp] remotehelp
214-Here is a list of available ftp commands
Those with '*' are not yet implemented.
USER PASS ACCT* CWD CDUP SMNT* QUIT REIN*
PORT PASV TYPE STRU* MODE* RETR STOR STOU*
APPE* ALLO* REST* RNFR* RNTO* ABOR* DELE RMD
MKD PWD LIST NLST SITE* SYST STAT* HELP
NOOP* XCUP XCWD XMKD XPWD XRMD
214 Direct comments to H3C company.

# Display the help information for the user command.


[ftp] remotehelp user
214 Syntax: USER <sp> <username>.

[ftp]

Table 1-4 remotehelp command output description

Field                                          Description
214-Here is a list of available ftp commands   The following is an available FTP command list.
Those with '*' are not yet implemented.        Those commands with “*” are not yet implemented.
USER                                           Username
PASS                                           Password
CWD                                            Change the current working directory
CDUP                                           Change to parent directory
SMNT*                                          File structure setting
QUIT                                           Quit
REIN*                                          Re-initialization
PORT                                           Port number
PASV                                           Passive mode
TYPE                                           Request type
STRU*                                          File structure
MODE*                                          Transmission mode
RETR                                           Download a file
STOR                                           Upload a file
STOU*                                          Store unique
APPE*                                          Appended file
ALLO*                                          Allocation space
REST*                                          Restart
RNFR*                                          Rename the source
RNTO*                                          Rename the destination
ABOR*                                          Abort the transmission
DELE                                           Delete a file
RMD                                            Delete a folder
MKD                                            Create a folder
PWD                                            Print working directory
LIST                                           List files
NLST                                           List file description
SITE*                                          Locate a parameter
SYST                                           Display system parameters
STAT*                                          State
HELP                                           Help
NOOP*                                          No operation
XCUP                                           Extension command, the same meaning as CDUP
XCWD                                           Extension command, the same meaning as CWD
XMKD                                           Extension command, the same meaning as MKD
XPWD                                           Extension command, the same meaning as PWD
XRMD                                           Extension command, the same meaning as RMD
Syntax: USER <sp> <username>.                  Syntax of the user command: user (keyword) + space + username

rmdir

Syntax

rmdir directory

View

FTP client view

Default Level

3: Manage level

Parameters

directory: Directory name on the remote FTP server.

Description

Use the rmdir command to remove a specified directory from the FTP server.
Note that only authorized users are allowed to use this command.
Note that:
• The directory to be deleted must be empty, meaning you should delete all files and subdirectories
  under the directory before you delete a directory. For the deletion of files, refer to the delete
  command.
• After you execute the rmdir command successfully, the files in the remote recycle bin under the
  directory will be automatically deleted.

Examples

# Delete the temp1 directory from the authorized directory on the FTP server.
[ftp] rmdir /temp1
200 RMD command successful.

user

Syntax

user username [ password ]

View

FTP client view

Default Level

3: Manage level

Parameters

username: Login username.


password: Login password. You can input this argument after the username argument plus a space; or
you can input this argument when the “Password:” prompt appears after you input the username and
then press Enter.

Description

Use the user command to log in again to the currently accessed FTP server with another username.
Before using this command, you must configure the corresponding username and password on the FTP
server; otherwise, your login fails and the FTP connection is closed.

Examples

# User ftp1 has logged in to the FTP server. Use username ftp2 to log in to the current FTP server.
(Suppose username ftp2 and password 123123123123 have been configured on the FTP server).
• Method 1
[ftp] user ftp2
331 Password required for ftp2.
Password:
230 User logged in.

[ftp]

• Method 2
[ftp] user ftp2 123123123123
331 Password required for ftp.
230 User logged in.

[ftp]

verbose

Syntax

verbose
undo verbose

View

FTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the verbose command to enable the protocol information function to display detailed prompt
information.
Use the undo verbose command to disable the protocol information function.
By default, the protocol information function is enabled.

Examples

# Enable the protocol information function.

[ftp] verbose
FTP: verbose is on

# Disable the protocol information function and perform the Get operation.
[ftp] undo verbose
FTP: verbose is off

[ftp] get startup.cfg bb.cfg

FTP: 3608 byte(s) received in 0.052 second(s), 69.00K byte(s)/sec.

[ftp]

# Enable the protocol information function and perform the Get operation.
[ftp] verbose
FTP: verbose is on

[ftp] get startup.cfg aa.cfg

227 Entering Passive Mode (192,168,1,46,5,85).


125 ASCII mode data connection already open, transfer starting for /startup.cfg.
226 Transfer complete.
FTP: 3608 byte(s) received in 0.193 second(s), 18.00K byte(s)/sec.

2 TFTP Configuration Commands

TFTP Client Configuration Commands


display tftp client configuration

Syntax

display tftp client configuration

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display tftp client configuration command to display the configuration information of the
TFTP client.
Related commands: tftp client source.

Examples

# Display the current configuration information of the TFTP client.


<Sysname> display tftp client configuration
The source IP address is 192.168.0.123

Currently this command displays the configured source IP address or source interface of the TFTP
client.

tftp-server acl

Syntax

tftp-server acl acl-number


undo tftp-server acl

View

System view

Default Level

3: Manage level

Parameters

acl-number: Number of a basic ACL, in the range 2000 to 2999.

Description

Use the tftp-server acl command to control the device’s access to a specific TFTP server using an
ACL.
Use the undo tftp-server acl command to restore the default.
By default, no ACL is used to control the device’s access to TFTP servers.
You can use the rules in an ACL to permit or deny the device’s access to a specific TFTP server in a
network.
For more information about ACL, refer to ACL Configuration and ACL Commands.

Examples

# In IPv4 networking environment, allow the device to access the TFTP server with the IP address of
1.1.1.1 only.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 1.1.1.1 0
[Sysname-acl-basic-2000] quit
[Sysname] tftp-server acl 2000

tftp

Syntax

tftp server-address { get | put | sget } source-filename [ destination-filename ] [ source { interface interface-type interface-number | ip source-ip-address } ]

View

User view

Default Level

3: Manage level

Parameters

server-address: IP address or host name of a TFTP server.


get: Downloads a file in normal mode.
put: Uploads a file.
sget: Downloads a file in secure mode.

source-filename: Source file name.
destination-filename: Destination file name.
source: Configures parameters for source address binding.
• interface interface-type interface-number: Specifies the source interface by its type and number.
  The primary IP address configured on the source interface is the source IP address of the packets
  sent by TFTP. If no primary IP address is configured on the source interface, the transmission fails.
• ip source-ip-address: Specifies the source IP address for the current TFTP client to transmit
  packets. This source address must be an IP address that has been configured on the device.

Description

Use the tftp command to upload files from the local device to a TFTP server or download files from the
TFTP server to the local device.
• If no destination file name is specified, the file is saved under the same name as on the remote
  TFTP server, in the current working directory of the user (namely, the working directory where the
  tftp command is executed).
• The source address specified with this command takes priority over the one specified with the
  tftp client source command. If you specify a source address with the tftp client source command
  and then another with the tftp command, the latter is used.
Related commands: tftp client source.

Examples

# Download the config.cfg file from the TFTP server with the IP address of 192.168.0.98 and save it as
config.bak. Specify the source IP address to be 192.168.0.92.
<Sysname> tftp 192.168.0.98 get config.cfg config.bak source ip 192.168.0.92
...
File will be transferred in binary mode
Downloading file from remote TFTP server, please wait....
TFTP: 372800 bytes received in 1 second(s)
File downloaded successfully.

# Upload the config.cfg file from the local device to the default path of the TFTP server with the IP
address of 192.168.0.98 and save it as config.bak. Specify the source interface to be
Vlan-interface1.
<Sysname> tftp 192.168.0.98 put config.cfg config.bak source interface vlan-interface1

File will be transferred in binary mode


Sending file to remote TFTP server. Please wait...
TFTP: 345600 bytes sent in 1 second(s).
File uploaded successfully.

tftp client source

Syntax

tftp client source { interface interface-type interface-number | ip source-ip-address }


undo tftp client source

View

System view

Default Level

2: System level

Parameters

interface interface-type interface-number: Specifies the source interface by its type and number. The
primary IP address configured on the source interface is the source IP address of the packets sent by
TFTP. If no primary IP address is configured on the source interface, the transmission fails.
ip source-ip-address: The source IP address of TFTP connections. It must be an IP address that has
been configured on the device.

Description

Use the tftp client source command to configure the source address of the TFTP packets from the
TFTP client.
Use the undo tftp client source command to restore the default.
By default, a device uses the IP address of the interface determined by the matched route as the source
IP address to communicate with a TFTP server.
Note that:
• The source address can be specified as a source interface or a source IP address; if you use the
  tftp client source command to specify the source interface and then the source IP address, the
  newly specified source IP address overwrites the configured source interface, and vice versa.
• If the source address is specified with the tftp client source command and then with the tftp
  command, the source address specified with the latter is used to communicate with the TFTP
  server.
• The source address specified with the tftp client source command is valid for all TFTP connections,
  and the source address specified with the tftp command is valid only for the current tftp command.
Related commands: display tftp client configuration.

Examples

# Specify the source IP address of the TFTP client as 2.2.2.2.


<Sysname> system-view
[Sysname] tftp client source ip 2.2.2.2

# Specify the source interface of the TFTP client as Vlan-interface1.


<Sysname> system-view
[Sysname] tftp client source interface vlan-interface1

Table of Contents

1 IP Routing Basics Configuration Commands
    IP Routing Basics Configuration Commands
        display ip routing-table
        display ip routing-table acl
        display ip routing-table ip-address
        display ip routing-table protocol
        display ip routing-table statistics
        reset ip routing-table statistics protocol

1 IP Routing Basics Configuration Commands

The term “router” in this document refers to a router in a generic sense or a Layer 3 switch.

IP Routing Basics Configuration Commands


display ip routing-table

Syntax

display ip routing-table [ verbose | | { begin | exclude | include } regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

verbose: Displays detailed routing table information, including that for inactive routes. With this
keyword absent, the command displays only brief information about active routes.
|: Uses a regular expression to filter output information. For details about regular expressions, refer to
the section CLI Display in Basic System Configuration.
begin: Displays route entries starting from the one specified by the regular expression.
exclude: Displays route entries not matching the regular expression.
include: Displays route entries matching the regular expression.
regular-expression: Regular expression, a string of 1 to 256 case-sensitive characters used for
specifying routing entries.

Description

Use the display ip routing-table command to display brief information about active routes in the
routing table.
This command displays brief information about a routing table, with a routing entry contained in one line.
The information displayed includes destination IP address/mask length, protocol, priority, cost, next hop
and outbound interface. This command only displays the routes currently in use, that is, the optimal
routes.

Use the display ip routing-table verbose command to display detailed information about all routes in
the routing table.
This command displays detailed information about all active and inactive routes, including the statistics
of the entire routing table and information for each route.

Examples

# Display brief information about active routes in the routing table.


<Sysname> display ip routing-table
Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Static 60 0 1.1.1.1 Vlan1
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.0.0/24 Direct 0 0 192.168.0.53 Vlan1
192.168.0.53/32 Direct 0 0 127.0.0.1 InLoop0

Table 1-1 display ip routing-table command output description

Field Description
Destinations Number of destination addresses
Routes Number of routes
Destination/Mask Destination address/mask length
Proto Protocol that presents the route
Pre Priority of the route
Cost Cost of the route
Nexthop Address of the next hop on the route
Interface Outbound interface for packets to be forwarded along the route

# Display detailed information about all routes in the routing table.


<Sysname> display ip routing-table verbose

Routing Table : Public


Destinations : 5 Routes : 5
Destination: 0.0.0.0/32
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 1.1.1.1 Interface: Vlan-interface1
BkNextHop: 0.0.0.0 BkInterface:
RelyNextHop: 0.0.0.0 Neighbor : 0.0.0.0
Tunnel ID: 0x0 Label: NULL
State: Active Adv Age: 00h00m14s
Tag: 0
Destination: 127.0.0.0/8
Protocol: Direct Process ID: 0

Preference: 0 Cost: 0
NextHop: 127.0.0.1 Interface: InLoopBack0
BkNextHop: 0.0.0.0 BkInterface:
RelyNextHop: 0.0.0.0 Neighbor : 0.0.0.0
Tunnel ID: 0x0 Label: NULL
State: Active NoAdv Age: 04h20m03s
Tag: 0
Destination: 127.0.0.1/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 127.0.0.1 Interface: InLoopBack0
BkNextHop: 0.0.0.0 BkInterface:
RelyNextHop: 0.0.0.0 Neighbor : 0.0.0.0
Tunnel ID: 0x0 Label: NULL
State: Active NoAdv Age: 04h20m03s
Tag: 0
Destination: 192.168.0.0/24
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 192.168.0.53 Interface: Vlan-interface1
BkNextHop: 0.0.0.0 BkInterface:
RelyNextHop: 0.0.0.0 Neighbor : 0.0.0.0
Tunnel ID: 0x0 Label: NULL
State: Active Adv Age: 04h12m07s
Tag: 0
Destination: 192.168.0.53/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 127.0.0.1 Interface: InLoopBack0
BkNextHop: 0.0.0.0 BkInterface:
RelyNextHop: 0.0.0.0 Neighbor : 0.0.0.0
Tunnel ID: 0x0 Label: NULL
State: Active NoAdv Age: 04h12m07s
Tag: 0

Displayed first are statistics for the whole routing table, followed by detailed description of each route (in
sequence).

Table 1-2 display ip routing-table verbose command output description

Field         Description
Destination   Destination address/mask length
Protocol      Protocol that presents the route
Process ID    Process ID
Preference    Priority of the route
Cost          Cost of the route
NextHop       Address of the next hop on the route
Interface     Outbound interface for packets to be forwarded along the route
BkNexthop     Backup next hop
BkInterface   Backup outbound interface
RelyNextHop   The next hop address obtained through routing recursion
Neighbour     Neighboring address determined by Routing Protocol
Tunnel ID     Tunnel ID
Label         Label
State         Route status:
                Active      This is an active unicast route.
                Adv         This route can be advertised.
                Delete      This route is deleted.
                Gateway     This is an indirect route.
                Holddown    Number of holddown routes.
                Int         The route was discovered by an Interior Gateway Protocol (IGP).
                NoAdv       The route is not advertised when the router advertises routes based on policies.
                NotInstall  Normally, among routes to a destination, the route with the highest priority is installed into the core routing table and advertised, while a NotInstall route cannot be installed into the core routing table but may be advertised.
                Reject      The packets matching a Reject route will be dropped. Besides, the router sends ICMP unreachable messages to the sources of the dropped packets. The Reject routes are usually used for network testing.
                Static      A static route is not lost when you perform the save operation and then restart the router. Routes configured manually are marked as static.
                Unicast     Unicast routes
                Inactive    Inactive routes
                Invalid     Invalid routes
                WaitQ       The route is in the WaitQ during route recursion.
                TunE        Tunnel
                GotQ        The route is in the GotQ during route recursion.
Age           Time for which the route has been in the routing table, in the sequence of hour, minute, and second from left to right.
Tag           Route tag

display ip routing-table acl

Syntax

display ip routing-table acl acl-number [ verbose ]

View

Any view

Default Level

1: Monitor level

Parameters

acl-number: Basic ACL number, in the range of 2000 to 2999.


verbose: Displays detailed routing table information, including that for inactive routes. With this
argument absent, the command displays only brief information about active routes.

Description

Use the display ip routing-table acl command to display information about routes permitted by a
specified basic ACL.
This command is intended for the follow-up display of routing policies.

If the specified ACL does not exist or it has no rules configured, the entire routing table is displayed.

Examples

# Define basic ACL 2000 and set the route filtering rules.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.1.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule deny source any

# Display brief information about active routes permitted by basic ACL 2000.
[Sysname-acl-basic-2000] display ip routing-table acl 2000
Routes Matched by Access list : 2000
Summary Count : 6

Destination/Mask Proto Pre Cost NextHop Interface

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan1


10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0
10.1.2.0/24 Direct 0 0 10.1.2.1 Vlan2
10.1.2.1/32 Direct 0 0 127.0.0.1 InLoop0
10.1.3.0/24 Direct 0 0 10.1.3.1 Vlan1

10.1.3.1/32 Direct 0 0 127.0.0.1 InLoop0

For detailed description of the above output, see Table 1-1.


# Display detailed information about both active and inactive routes permitted by basic ACL 2000.
<Sysname> display ip routing-table acl 2000 verbose
Routes Matched by Access list : 2000
Summary Count: 6

Destination: 10.1.1.0/24
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 10.1.1.2 Interface: Vlan-interface1
RelyNextHop: 0.0.0.0 Neighbour: 0.0.0.0
Tunnel ID: 0x0 Label: NULL
State: Active Adv Age: 1d00h25m32s
Tag: 0

Destination: 10.1.1.2/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 127.0.0.1 Interface: InLoopBack0
RelyNextHop: 0.0.0.0 Neighbour: 0.0.0.0
Tunnel ID: 0x0 Label: NULL
State: Active NoAdv Age: 1d00h41m34s
Tag: 0

Destination: 10.1.2.0/24
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 10.1.2.1 Interface: Vlan-interface2
RelyNextHop: 0.0.0.0 Neighbour: 0.0.0.0
Tunnel ID: 0x0 Label: NULL
State: Active Adv Age: 1d00h05m42s
Tag: 0

Destination: 10.1.2.1/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 127.0.0.1 Interface: InLoopBack0
RelyNextHop: 0.0.0.0 Neighbour: 0.0.0.0
Tunnel ID: 0x0 Label: NULL
State: Active NoAdv Age: 1d00h05m42s
Tag: 0

Destination: 10.1.3.0/24
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 10.1.3.1 Interface: Vlan-interface1

RelyNextHop: 0.0.0.0 Neighbour: 0.0.0.0
Tunnel ID: 0x0 Label: NULL
State: Active Adv Age: 1d00h05m31s
Tag: 0

Destination: 10.1.3.1/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 127.0.0.1 Interface: InLoopBack0
RelyNextHop: 0.0.0.0 Neighbour: 0.0.0.0
Tunnel ID: 0x0 Label: NULL
State: Active NoAdv Age: 1d00h05m32s
Tag: 0

For the description of the command output above, see Table 1-2.
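
The basic ACLs in this manual's tftp-server acl and display ip routing-table acl examples put a wildcard (inverse) mask after the source address. The Python code below is an added example, not H3C code, that evaluates such rules and flags a wildcard that was probably typed as a subnet mask. It assumes that rules are tried in the order entered with the first match deciding, that a bare 0 stands for wildcard 0.0.0.0, and that the route display compares a route's destination address with the rule's source field; all function names are hypothetical.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(text):
    # Assumption: a bare "0" abbreviates the host wildcard 0.0.0.0.
    if text == "0":
        return 0
    return int(ipaddress.IPv4Address(text))


def parse_rule(line):
    """Parse 'rule {permit|deny} source {any | address wildcard}'."""
    words = line.split()
    if (len(words) < 4 or words[0] != "rule"
            or words[1] not in ("permit", "deny") or words[2] != "source"):
        raise ValueError("unsupported rule: %r" % line)
    if words[3] == "any":
        return words[1], 0, ALL_ONES          # every bit is "don't care"
    if len(words) != 5:
        raise ValueError("address and wildcard expected: %r" % line)
    return words[1], _to_int(words[3]), _to_int(words[4])


def rule_matches(rule, address):
    _, base, wildcard = rule
    care = ~wildcard & ALL_ONES               # wildcard bit 0 = bit must match
    return (int(ipaddress.IPv4Address(address)) & care) == (base & care)


def evaluate(rule_lines, address):
    """Return 'permit', 'deny', or None when no rule matches.

    None is returned because the page does not state what happens to an
    address that no rule matches.
    """
    for line in rule_lines:
        rule = parse_rule(line)
        if rule_matches(rule, address):
            return rule[0]
    return None


def wildcard_looks_like_netmask(wildcard):
    """True for values such as 255.255.0.0 (ones first, then zeros)."""
    if wildcard in (0, ALL_ONES):
        return False
    inverted = ~wildcard & ALL_ONES
    return inverted & (inverted + 1) == 0      # inverted is 2**k - 1


# Rule lines copied from the two ACL 2000 examples in this manual.
TFTP_ACL = ["rule permit source 1.1.1.1 0"]
ROUTE_ACL = ["rule permit source 10.1.0.0 0.0.255.255", "rule deny source any"]
# Constructed mistake: subnet mask typed where the wildcard belongs.
MISTYPED_ACL = ["rule permit source 10.1.0.0 255.255.0.0"]

if __name__ == "__main__":
    print(evaluate(TFTP_ACL, "1.1.1.1"), evaluate(TFTP_ACL, "1.1.1.2"))
    print(evaluate(ROUTE_ACL, "10.1.3.1"), evaluate(ROUTE_ACL, "127.0.0.1"))
    # The mistyped rule misses 10.1.3.1 but permits any address ending in .0.0.
    print(evaluate(MISTYPED_ACL, "10.1.3.1"), evaluate(MISTYPED_ACL, "192.168.0.0"))
```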

display ip routing-table ip-address

Syntax

display ip routing-table ip-address [ mask-length | mask ] [ longer-match ] [ verbose ]


display ip routing-table ip-address1 { mask-length | mask } ip-address2 { mask-length | mask }
[ verbose ]

View

Any view

Default Level

1: Monitor level

Parameters

ip-address: Destination IP address, in dotted decimal format.


mask-length: IP address mask length in the range 0 to 32.
mask: IP address mask in dotted decimal format.
longer-match: Displays the route with the longest mask.
verbose: Displays detailed routing table information, including both active and inactive routes. With this
argument absent, the command displays only brief information about active routes.

Description

Use the display ip routing-table ip-address command to display information about routes to a
specified destination address.
Executing the command with different parameters yields different output:
• display ip routing-table ip-address
  The system ANDs the input destination IP address with the subnet mask in each route entry; and ANDs
  the destination IP address in each route entry with its corresponding subnet mask.
  If the two operations yield the same result for an entry and this entry is active, it is displayed.
• display ip routing-table ip-address mask
  The system ANDs the input destination IP address with the input subnet mask; and ANDs the
  destination IP address in each route entry with the input subnet mask.
  If the two operations yield the same result for an entry and the entry is active with a subnet mask less
  than or equal to the input subnet mask, the entry is displayed.
  Only route entries that exactly match the input destination address and mask are displayed.
• display ip routing-table ip-address longer-match
  The system ANDs the input destination IP address with the subnet mask in each route entry; and ANDs
  the destination IP address in each route entry with its corresponding subnet mask.
  If the two operations yield the same result for multiple entries that are active, the one with longest mask
  length is displayed.
• display ip routing-table ip-address mask longer-match
  The system ANDs the input destination IP address with the input subnet mask; and ANDs the
  destination IP address in each route entry with the input subnet mask.
  If the two operations yield the same result for multiple entries with a mask less than or equal to the input
  subnet mask, the one that is active with longest mask length is displayed.
Use the display ip routing-table ip-address1 { mask-length | mask } ip-address2 { mask-length | mask }
command to display route entries with destination addresses within a specified range.
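
The AND comparison described above, as an added Python example that is not part of the H3C manual. It covers only the first and third forms (address alone, and address with longer-match); the first four routes are the static routes from this manual's 11.1.1.1 example, the last two are constructed, and the function names are hypothetical.

```python
import ipaddress

# The four static routes come from this manual's
# "display ip routing-table 11.1.1.1" example; the last two entries are
# constructed to exercise the inactive and the non-matching case.
ROUTES = [
    {"dest": "0.0.0.0/0", "active": True},
    {"dest": "11.0.0.0/8", "active": True},
    {"dest": "11.1.0.0/16", "active": True},
    {"dest": "11.1.1.0/24", "active": True},
    {"dest": "11.1.1.0/25", "active": False},   # constructed, inactive
    {"dest": "12.0.0.0/8", "active": True},     # constructed, other network
]


def _split(prefix):
    """Return (address, mask, mask length) of 'a.b.c.d/len' as integers."""
    address, length = prefix.split("/")
    length = int(length)
    if not 0 <= length <= 32:
        raise ValueError("mask length out of range: %r" % prefix)
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(address)), mask, length


def matching_routes(destination, routes=ROUTES):
    """Form 1: every active entry whose masked address equals the masked input."""
    target = int(ipaddress.IPv4Address(destination))
    hits = []
    for route in routes:
        route_address, mask, _ = _split(route["dest"])
        # AND the input with the entry's mask, AND the entry's destination
        # with the same mask, and compare the two results.
        if route["active"] and (target & mask) == (route_address & mask):
            hits.append(route["dest"])
    return hits


def longer_match(destination, routes=ROUTES):
    """Form 3: of the entries found by form 1, the one with the longest mask."""
    hits = matching_routes(destination, routes)
    if not hits:
        return None
    return max(hits, key=lambda prefix: _split(prefix)[2])


if __name__ == "__main__":
    print(matching_routes("11.1.1.1"))
    print(longer_match("11.1.1.1"))
    # Only the default route covers this address.
    print(longer_match("10.9.9.9"))
```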

Examples

# Display route entries for the destination IP address 11.1.1.1.


[Sysname] display ip routing-table 11.1.1.1
Routing Table : Public
Summary Count : 4

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/0 Static 60 0 0.0.0.0 NULL0


11.0.0.0/8 Static 60 0 0.0.0.0 NULL0
11.1.0.0/16 Static 60 0 0.0.0.0 NULL0
11.1.1.0/24 Static 60 0 0.0.0.0 NULL0

For detailed description about the output, see Table 1-1.


# Display route entries by specifying a destination IP address and the longer-match keyword.
[Sysname] display ip routing-table 11.1.1.1 longer-match
Routing Table : Public
Summary Count : 1

Destination/Mask Proto Pre Cost NextHop Interface

11.1.1.0/24 Static 60 0 0.0.0.0 NULL0

# Display route entries by specifying a destination IP address and mask.


[Sysname] display ip routing-table 11.1.1.1 24
Routing Table : Public
Summary Count : 3

Destination/Mask Proto Pre Cost NextHop Interface

11.0.0.0/8 Static 60 0 0.0.0.0 NULL0


11.1.0.0/16 Static 60 0 0.0.0.0 NULL0
11.1.1.0/24 Static 60 0 0.0.0.0 NULL0

# Display route entries by specifying a destination IP address and mask and the longer-match
keyword.
[Sysname] display ip routing-table 11.1.1.1 24 longer-match
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost NextHop Interface
11.1.1.0/24 Static 60 0 0.0.0.0 NULL0

For detailed description of the above output, see Table 1-1.


# Display route entries for destination addresses in the range 1.1.1.0 to 5.5.5.0.
<Sysname> display ip routing-table 1.1.1.0 24 5.5.5.0 24
Routing Table : Public

Destination/Mask Proto Pre Cost NextHop Interface


1.1.1.0/24 Direct 0 0 1.1.1.1 Vlan1
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
2.2.2.0/24 Direct 0 0 2.2.2.1 Vlan2
3.3.3.0/24 Direct 0 0 3.3.3.1 Vlan2
3.3.3.1/32 Direct 0 0 127.0.0.1 InLoop0
4.4.4.0/24 Direct 0 0 4.4.4.1 Vlan1
4.4.4.1/32 Direct 0 0 127.0.0.1 InLoop0

display ip routing-table protocol

Syntax

display ip routing-table protocol protocol [ inactive | verbose ]

View

Any view

Default Level

1: Monitor level

Parameters

protocol: Routing protocol. It can be direct, or static.


inactive: Displays information about only inactive routes. With this argument absent, the command
displays information about both active and inactive routes.
verbose: Displays detailed routing table information. With this argument absent, the command displays
brief routing table information.

Description

Use the display ip routing-table protocol command to display routing information of a specified
routing protocol.

Examples

# Display brief information about direct routes.


<Sysname> display ip routing-table protocol direct
Public Routing Table : Direct
Summary Count : 6

Direct Routing table Status : < Active>


Summary Count : 6

Destination/Mask Proto Pre Cost NextHop Interface

2.2.2.0/24 Direct 0 0 2.2.2.1 Vlan2


2.2.2.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.80.0/24 Direct 0 0 192.168.80.10 Vlan1
192.168.80.10/32 Direct 0 0 127.0.0.1 InLoop0

Direct Routing table Status : < Inactive>


Summary Count : 0

# Display brief information about static routes.


<Sysname> display ip routing-table protocol static
Public Routing Table : Static
Summary Count : 2

Static Routing table Status : < Active>


Summary Count : 0

Static Routing table Status : < Inactive>


Summary Count : 2
Destination/Mask Proto Pre Cost NextHop Interface
1.2.3.0/24 Static 60 0 1.2.4.5 Vlan10
3.0.0.0/8 Static 60 0 2.2.2.2 Vlan1

For detailed description of the above output, see Table 1-1.

display ip routing-table statistics

Syntax

display ip routing-table statistics

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ip routing-table statistics command to display the route statistics of the network
routing table.

Examples

# Display route statistics in the routing table.


<Sysname> display ip routing-table statistics
Proto route active added deleted freed
DIRECT 24 4 25 1 0
STATIC 4 1 4 0 0
Total 28 5 29 1 0

Table 1-3 display ip routing-table statistics command output description

Field     Description
Proto     Origin of the routes.
route     Number of routes from the origin
active    Number of active routes from the origin
added     Number of routes added into the routing table since the router started up or the routing table was last cleared
deleted   Number of routes marked as deleted, which will be freed after a period.
freed     Number of routes that got freed, that is, got removed permanently.
Total     Total number

reset ip routing-table statistics protocol

Syntax

reset ip routing-table statistics protocol { protocol | all }

View

User view

Default Level

2: System level

Parameters

protocol: Clears statistics for the IPv4 routing protocol, which can be direct or static.
all: Clears statistics for all IPv4 routing protocols.

Description

Use the reset ip routing-table statistics protocol command to clear routing statistics for the routing
table.

Examples

# Clear all routing statistics information.


<Sysname> reset ip routing-table statistics protocol all

Table of Contents

1 Static Routing Configuration Commands
    Static Routing Configuration Commands
        delete static-routes all
        ip route-static
        ip route-static default-preference

1 Static Routing Configuration Commands

The term “router” in this document refers to a router in a generic sense or a Layer 3 switch.

Static Routing Configuration Commands


delete static-routes all

Syntax

delete static-routes all

View

System view

Default Level

2: System level

Parameters

None

Description

Use the delete static-routes all command to delete all static routes.
When you use this command to delete static routes, the system will prompt you to confirm the operation
before deleting all the static routes.
Related commands: ip route-static and display ip routing-table in IP Routing Basics Commands.

Examples

# Delete all static routes on the router.


<Sysname> system-view
[Sysname] delete static-routes all
This will erase all ipv4 static routes and their configurations, you must reconf
igure all static routes
Are you sure?[Y/N]:Y

ip route-static

Syntax

ip route-static dest-address { mask | mask-length } { next-hop-address | interface-type interface-number next-hop-address } [ preference preference-value ] [ description description-text ]
undo ip route-static dest-address { mask | mask-length } [ next-hop-address | interface-type interface-number [ next-hop-address ] ] [ preference preference-value ]

View

System view

Default Level

2: System level

Parameters

dest-address: Destination IP address of the static route, in dotted decimal notation.


mask: Mask of the IP address, in dotted decimal notation.
mask-length: Mask length, in the range 0 to 32.
next-hop-address: IP address of the next hop, in dotted decimal notation.
interface-type interface-number: Specifies the output interface by its type and number. If the output
interface is a broadcast interface, such as an Ethernet interface, a virtual template or a VLAN interface,
the next hop address must be specified.
preference preference-value: Specifies the preference of the static route, which is in the range of 1 to
255 and defaults to 60.
description description-text: Configures a description for the static route, which consists of 1 to 60
characters, including special characters like space, but excluding ?.

Description

Use the ip route-static command to configure a unicast static route.


Use the undo ip route-static command to delete a unicast static route.
When configuring a unicast static route, note that:
1) If the destination IP address and the mask are both 0.0.0.0, the configured route is a default route.
If routing table searching fails, the router will use the default route for packet forwarding.
2) Different route management policies can be implemented for different route preference
configurations. For example, specifying the same preference for different routes to the same
destination address enables load sharing, while specifying different preferences for these routes
enables route backup.

3) When configuring a static route, you can specify the output interface or the next hop address based
on the actual requirement. Note that the next hop address must not be the IP address of the local
interface; otherwise, the route configuration will not take effect. For interfaces that support network
address to link layer address resolution or point-to-point interfaces, you can specify the output
interface or next hop address. When specifying the output interface, note that:
• For a Null 0 interface, if the output interface has already been configured, there is no need to
configure the next hop address.
• If you specify a broadcast interface (such as a VLAN interface) as the output interface, you must
specify the corresponding next hop of the interface at the same time.
Related commands: ip route-static default-preference and display ip routing-table in IP Routing
Basics Commands.

• The static route does not take effect if you specify its next hop address first and then configure the
address as the IP address of a local interface, such as a VLAN interface.
• To configure track monitoring for an existing static route, simply associate the static route with a
track entry. For a non-existent static route, configure it and associate it with a track entry.
• If a static route needs route recursion, the associated track entry must monitor the next hop of the
recursive route instead of that of the static route; otherwise, a valid route may be mistakenly
considered invalid.

Examples

# Configure a static route, whose destination address is 1.1.1.1/24, next hop address is 2.2.2.2, and
description information is for internet & intranet.
<Sysname> system-view
[Sysname] ip route-static 1.1.1.1 24 2.2.2.2 description for internet & intranet
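
The parameter ranges and configuration notes above can be checked mechanically before a change is pushed to a switch. The following validator is an added example, not part of the H3C manual or of Comware. Assumptions: the function names, the broadcast interface-type prefixes, the sample lines and the local address are constructed for illustration, and only contiguous masks are accepted.

```python
import ipaddress
import re

# Interface-type prefixes treated as broadcast interfaces (assumption for this
# example; the page names Ethernet, virtual template and VLAN interfaces).
BROADCAST_PREFIXES = ("vlan-interface", "gigabitethernet", "ethernet", "virtual-template")


def _is_ip(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _mask_to_len(tok):
    """Prefix length for a mask-length (0-32) or contiguous dotted mask, else None."""
    if tok.isdigit():
        return int(tok) if int(tok) <= 32 else None
    if not _is_ip(tok):
        return None
    inv = int(ipaddress.IPv4Address(tok)) ^ 0xFFFFFFFF
    if inv & (inv + 1):  # host bits are not one contiguous low-order run
        return None
    return 32 - inv.bit_length()


def check_route_static(line, local_addrs=()):
    """Validate one 'ip route-static' line; return (route, problems)."""
    problems = []
    desc = None
    # The description runs to the end of the line and may contain spaces.
    m = re.search(r"\sdescription(?:\s(.*))?$", line)
    if m:
        desc, line = m.group(1) or "", line[:m.start()]
        if not 1 <= len(desc) <= 60 or "?" in desc:
            problems.append("description must be 1 to 60 characters without '?'")
    toks = line.split()
    if toks[:2] != ["ip", "route-static"] or len(toks) < 5:
        raise ValueError("not a complete ip route-static command")
    dest, mask, rest = toks[2], toks[3], toks[4:]
    pref = 60  # default preference stated on the page
    if "preference" in rest:
        i = rest.index("preference")
        val = rest[i + 1] if i + 1 < len(rest) else ""
        if val.isdigit() and 1 <= int(val) <= 255:
            pref = int(val)
        else:
            problems.append("preference must be in the range 1 to 255")
        rest = rest[:i]
    plen = _mask_to_len(mask)
    prefix = None
    if _is_ip(dest) and plen is not None:
        prefix = str(ipaddress.ip_network(f"{dest}/{plen}", strict=False))
    else:
        problems.append("invalid destination address or mask")
    # What is left: next-hop | interface-type interface-number [ next-hop ]
    next_hop = rest[-1] if rest and _is_ip(rest[-1]) else None
    out_if = " ".join(rest[:-1] if next_hop else rest) or None
    if not out_if and not next_hop:
        problems.append("no next hop address or output interface")
    if out_if and not next_hop and out_if.lower().startswith(BROADCAST_PREFIXES):
        problems.append("broadcast output interface requires a next hop address")
    if next_hop in local_addrs:
        problems.append("next hop is a local interface address; route will not take effect")
    route = {"prefix": prefix, "preference": pref, "next_hop": next_hop, "out_if": out_if,
             "description": desc, "is_default": dest == "0.0.0.0" and plen == 0}
    return route, problems


def classify(routes):
    """Per destination: equal preferences = load sharing, differing = route backup."""
    prefs = {}
    for r in routes:
        prefs.setdefault(r["prefix"], []).append(r["preference"])
    return {p: "single" if len(v) == 1 else "load sharing" if len(set(v)) == 1 else "backup"
            for p, v in prefs.items()}


# Constructed sample input; the first line is the example from the page.
SAMPLE = [
    "ip route-static 1.1.1.1 24 2.2.2.2 description for internet & intranet",
    "ip route-static 0.0.0.0 0.0.0.0 10.0.0.1",
    "ip route-static 0.0.0.0 0 10.0.0.2 preference 80",
    "ip route-static 192.168.5.0 255.255.255.0 Vlan-interface 10",
    "ip route-static 192.168.6.0 24 10.0.0.254 preference 300",
    "ip route-static 192.168.7.0 24 NULL 0",
]
LOCAL_ADDRS = {"10.0.0.254"}  # hypothetical address of a local VLAN interface

if __name__ == "__main__":
    for cmd in SAMPLE:
        route, problems = check_route_static(cmd, LOCAL_ADDRS)
        print(cmd, "->", problems or "ok")
    print(classify([check_route_static(c, LOCAL_ADDRS)[0] for c in SAMPLE]))
```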

ip route-static default-preference

Syntax

ip route-static default-preference default-preference-value


undo ip route-static default-preference

View

System view

Default Level

2: System level

Parameters

default-preference-value: Default preference for static routes, which is in the range of 1 to 255.

Description

Use the ip route-static default-preference command to configure the default preference for static
routes.
Use the undo ip route-static default-preference command to restore the default.
By default, the default preference of static routes is 60.
Note that:
• If no preference is specified when configuring a static route, the default preference is used.
• When the default preference is re-configured, it applies to newly added static routes only.
Related commands: ip route-static and display ip routing-table in IP Routing Basics Commands.

Examples

# Set the default preference of static routes to 120.


<Sysname> system-view
[Sysname] ip route-static default-preference 120

Table of Contents

1 IGMP Snooping Configuration Commands
  IGMP Snooping Configuration Commands
    display igmp-snooping group
    display igmp-snooping statistics
    dot1p-priority
    fast-leave (IGMP-Snooping view)
    group-policy (IGMP-Snooping view)
    host-aging-time (IGMP-Snooping view)
    igmp-snooping
    igmp-snooping dot1p-priority
    igmp-snooping drop-unknown
    igmp-snooping enable
    igmp-snooping fast-leave
    igmp-snooping general-query source-ip
    igmp-snooping group-limit
    igmp-snooping group-policy
    igmp-snooping host-aging-time
    igmp-snooping host-join
    igmp-snooping last-member-query-interval
    igmp-snooping leave source-ip
    igmp-snooping max-response-time
    igmp-snooping overflow-replace
    igmp-snooping proxying enable
    igmp-snooping querier
    igmp-snooping query-interval
    igmp-snooping report source-ip
    igmp-snooping router-aging-time
    igmp-snooping special-query source-ip
    igmp-snooping static-group
    igmp-snooping static-router-port
    igmp-snooping version
    last-member-query-interval (IGMP-Snooping view)
    max-response-time (IGMP-Snooping view)
    overflow-replace (IGMP-Snooping view)
    report-aggregation (IGMP-Snooping view)
    reset igmp-snooping group
    reset igmp-snooping statistics
    router-aging-time (IGMP-Snooping view)

2 Multicast VLAN Configuration Commands
  Multicast VLAN Configuration Commands
    display multicast-vlan
    multicast-vlan
    port (multicast VLAN view)
    port multicast-vlan

1 IGMP Snooping Configuration Commands

IGMP Snooping Configuration Commands


display igmp-snooping group

Syntax

display igmp-snooping group [ vlan vlan-id ] [ verbose ]

View

Any view

Default Level

1: Monitor level

Parameters

vlan vlan-id: Displays the IGMP snooping multicast group information in the specified VLAN, where
vlan-id is in the range of 1 to 4094. If you do not specify a VLAN, this command will display the IGMP
snooping multicast group information in all VLANs.
verbose: Specifies to display the detailed IGMP snooping multicast group information.

Description

Use the display igmp-snooping group command to view the IGMP snooping multicast group
information.

Examples

# View the detailed IGMP snooping multicast group information in VLAN 2.


<Sysname> display igmp-snooping group vlan 2 verbose
Total 1 IP Group(s).
Total 1 IP Source(s).
Total 1 MAC Group(s).
Port flags: D-Dynamic port, S-Static port, C-Copy port
Subvlan flags: R-Real VLAN, C-Copy VLAN
Vlan(id):2.
Total 1 IP Group(s).
Total 1 IP Source(s).
Total 1 MAC Group(s).
Router port(s):total 1 port.
GE1/0/1 (D) ( 00:01:30 )
IP group(s):the following ip group(s) match to one mac group.
IP group address:224.1.1.1
(0.0.0.0, 224.1.1.1):
Attribute: Host Port
Host port(s):total 1 port.
GE1/0/2 (D) ( 00:03:23 )
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):total 1 port.
GE1/0/2

Table 1-1 display igmp-snooping group command output description

Field                                                   Description
Total 1 IP Group(s).                                    Total number of IP multicast groups
Total 1 IP Source(s).                                   Total number of multicast sources
Total 1 MAC Group(s).                                   Total number of MAC multicast groups
Port flags: D-Dynamic port, S-Static port, C-Copy port  Port flags: D for dynamic port, S for static port, C for port copied from a (*, G) entry to an (S, G) entry
Subvlan flags: R-Real VLAN, C-Copy VLAN                 Sub-VLAN flags: R for real egress sub-VLAN under the current entry, C for sub-VLAN copied from a (*, G) entry to an (S, G) entry
Router port(s)                                          Number of router ports
( 00:01:30 )                                            Remaining time of the aging timer for the dynamic member port or router port.
IP group address                                        Address of IP multicast group
(0.0.0.0, 224.1.1.1)                                    An (S, G), where 0.0.0.0 implies any multicast source
MAC group address                                       Address of MAC multicast group
Attribute                                               Attribute of IP multicast group
Host port(s)                                            Number of member ports

display igmp-snooping statistics

Syntax

display igmp-snooping statistics

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display igmp-snooping statistics command to view the statistics information of IGMP
messages learned by IGMP snooping.

Examples

# View the statistics information of IGMP messages learned by IGMP snooping.


<Sysname> display igmp-snooping statistics
Received IGMP general queries:0.
Received IGMPv1 reports:0.
Received IGMPv2 reports:19.
Received IGMP leaves:0.
Received IGMPv2 specific queries:0.
Sent IGMPv2 specific queries:0.
Received IGMPv3 reports:1.
Received IGMPv3 reports with right and wrong records:0.
Received IGMPv3 specific queries:0.
Received IGMPv3 specific sg queries:0.
Sent IGMPv3 specific queries:0.
Sent IGMPv3 specific sg queries:0.
Received error IGMP messages:19.

Table 1-2 display igmp-snooping statistics command output description

Field                                 Description
general queries                       General query messages
specific queries                      Group-specific query messages
reports                               Report messages
leaves                                Leave messages
reports with right and wrong records  Report messages with correct and incorrect records
specific sg query packet(s)           Group-and-source-specific query message(s)
error IGMP messages                   IGMP messages with errors

dot1p-priority

Syntax

dot1p-priority priority-number
undo dot1p-priority

View

IGMP-Snooping view

Default Level

2: System level

Parameters

priority-number: Specifies 802.1p precedence for IGMP messages, in the range of 0 to 7. The higher the
number, the higher the precedence.

Description

Use the dot1p-priority command to configure 802.1p precedence for IGMP messages globally.

Use the undo dot1p-priority command to restore the default.

The default 802.1p precedence for IGMP messages is 0.

Examples

# Set 802.1p precedence for IGMP messages to 3 globally.

<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] dot1p-priority 3

fast-leave (IGMP-Snooping view)

Syntax

fast-leave [ vlan vlan-list ]


undo fast-leave [ vlan vlan-list ]

View

IGMP-Snooping view

Default Level

2: System level

Parameters

vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, each of which
specifies an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to
end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID. The effective range of a
VLAN ID is 1 to 4094.

Description

Use the fast-leave command to enable fast leave processing globally. With this function enabled, when
the switch receives an IGMP leave message on a port, it directly removes that port from the multicast
forwarding entry of the specific group.
Use the undo fast-leave command to disable fast leave processing globally.
By default, fast leave processing is disabled.
Note that:
• This command works on IGMP snooping–enabled VLANs.
• If you do not specify any VLAN, the command will take effect for all VLANs; if you specify a VLAN or
multiple VLANs, the command will take effect for the specified VLAN(s) only.
Related commands: igmp-snooping fast-leave.

Examples

# Enable fast leave processing globally in VLAN 2.


<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] fast-leave vlan 2

group-policy (IGMP-Snooping view)

Syntax

group-policy acl-number [ vlan vlan-list ]


undo group-policy [ vlan vlan-list ]

View

IGMP-Snooping view

Default Level

2: System level

Parameters

acl-number: Basic or advanced ACL number, in the range of 2000 to 3999. The source address or
address range specified in the advanced ACL rule is used to match the multicast source address(es)
specified in IGMPv3 reports, rather than the source address in the IP packets. The system assumes
that an IGMPv1 or IGMPv2 report or an IGMPv3 IS_EX or TO_EX report that does not carry a multicast
source address carries a multicast source address of 0.0.0.0.
vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, each of which
specifies an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to
end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID. The effective range of a
VLAN ID is 1 to 4094.

Description

Use the group-policy command to configure a global multicast group filter, namely to control the
multicast groups a host can join.
Use the undo group-policy command to remove the configured global multicast group filter.
By default, no global multicast group filter is configured, namely a host can join any valid multicast
group.
Note that:
• If you do not specify any VLAN, the command will take effect for all VLANs; if you specify a VLAN or
multiple VLANs, the command will take effect for the specified VLAN(s) only.
• If the specified ACL does not exist or the ACL rule is null, all multicast groups will be filtered out.
• You can configure different ACL rules for a port in different VLANs; for a given VLAN, a newly
configured ACL rule will override the existing one.
Related commands: igmp-snooping group-policy.

Examples

# Apply ACL 2000 as a multicast group filter in VLAN 2 so that hosts in this VLAN can join 225.1.1.1
only.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 225.1.1.1 0
[Sysname-acl-basic-2000] quit
[Sysname] igmp-snooping
[Sysname-igmp-snooping] group-policy 2000 vlan 2
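
The vlan-list syntax and the filter behaviour described above, including the case where a policy references an ACL that does not exist, can be modelled offline to predict which joins a configuration admits. This is an added example, not code from the H3C manual or from Comware. Assumptions: only basic ACLs are modelled, rules are evaluated in configuration order with the first match deciding, a group that matches no rule is filtered, and all function names, the class name and ACL 2002 are constructed for illustration.

```python
import ipaddress


def parse_vlan_list(tokens):
    """Expand vlan-list tokens such as ['2', '10', 'to', '12'] into a set of VLAN IDs."""
    vlans, items, i = set(), 0, 0
    while i < len(tokens):
        start = end = int(tokens[i])
        if i + 1 < len(tokens) and tokens[i + 1] == "to":
            if i + 2 >= len(tokens):
                raise ValueError("range is missing end-vlan-id")
            end = int(tokens[i + 2])
            if end <= start:
                raise ValueError("end VLAN ID must be greater than start VLAN ID")
            i += 3
        else:
            i += 1
        if not (1 <= start and end <= 4094):
            raise ValueError("VLAN ID out of range 1 to 4094")
        items += 1
        if items > 10:
            raise ValueError("at most 10 VLAN lists are allowed")
        vlans.update(range(start, end + 1))
    return vlans


def parse_basic_acls(lines):
    """Collect rules from 'acl number N' and 'rule ... source ADDR WILDCARD' lines."""
    acls, current = {}, None
    for raw in lines:
        t = raw.split("]")[-1].split()          # drop a leading [prompt] if present
        if t[:2] == ["acl", "number"]:
            current = acls.setdefault(int(t[2]), [])
        elif t[:1] == ["rule"] and current is not None and "source" in t:
            s = t.index("source")
            addr = int(ipaddress.IPv4Address(t[s + 1]))
            wild = t[s + 2]
            wild = int(ipaddress.IPv4Address(wild)) if "." in wild else int(wild)
            current.append(("permit" in t, addr, wild))
    return acls


class GroupFilter:
    """Global multicast group filter (IGMP-Snooping view), basic ACLs only."""

    def __init__(self, acls):
        self.acls = acls      # ACL number -> list of (permit, addr, wildcard)
        self.by_vlan = {}     # VLAN ID -> ACL number

    def apply(self, command):
        """Apply 'group-policy acl-number [ vlan vlan-list ]'."""
        t = command.split()
        acl = int(t[1])
        if not 2000 <= acl <= 3999:
            raise ValueError("ACL number must be in the range 2000 to 3999")
        vlans = parse_vlan_list(t[3:]) if len(t) > 2 else range(1, 4095)
        for v in vlans:
            self.by_vlan[v] = acl   # a newly configured ACL overrides the existing one

    def permits(self, vlan, group):
        """Return True if a report for `group` received in `vlan` passes the filter."""
        if vlan not in self.by_vlan:
            return True             # no filter configured: any valid group may be joined
        rules = self.acls.get(self.by_vlan[vlan])
        if not rules:
            return False            # missing or empty ACL: all groups are filtered out
        g = int(ipaddress.IPv4Address(group))
        for permit, addr, wild in rules:        # assumed: first matching rule decides
            if ((g ^ addr) & ~wild & 0xFFFFFFFF) == 0:
                return permit
        return False                # assumed: a group matching no rule is filtered


# Constructed sample: ACL 2000 is the page's example, ACL 2002 is added for illustration.
ACL_LINES = [
    "[Sysname] acl number 2000",
    "[Sysname-acl-basic-2000] rule permit source 225.1.1.1 0",
    "[Sysname-acl-basic-2000] quit",
    "[Sysname] acl number 2002",
    "[Sysname-acl-basic-2002] rule permit source 239.1.0.0 0.0.255.255",
]

if __name__ == "__main__":
    f = GroupFilter(parse_basic_acls(ACL_LINES))
    f.apply("group-policy 2000 vlan 2")
    f.apply("group-policy 2001 vlan 3 to 5")    # ACL 2001 is never defined
    for vlan, grp in [(2, "225.1.1.1"), (2, "225.1.1.2"), (4, "225.1.1.1"), (6, "239.1.1.1")]:
        print(vlan, grp, "permit" if f.permits(vlan, grp) else "filtered")
```

VLANs 3 to 5 in the sample lose all multicast joins because the referenced ACL is missing, which is the failure mode worth catching in review.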

host-aging-time (IGMP-Snooping view)

Syntax

host-aging-time interval
undo host-aging-time

View

IGMP-Snooping view

Default Level

2: System level

Parameters

interval: Dynamic member port aging time, in seconds. The effective range is 200 to 1,000.

Description

Use the host-aging-time command to configure the aging time of dynamic member ports globally.
Use the undo host-aging-time command to restore the default setting.
By default, the aging time of dynamic member ports is 260 seconds.
This command works only on IGMP snooping–enabled VLANs.
Related commands: igmp-snooping host-aging-time.

Examples

# Set the aging time of dynamic member ports globally to 300 seconds.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] host-aging-time 300

igmp-snooping

Syntax

igmp-snooping
undo igmp-snooping

View

System view

Default Level

2: System level

Parameters

None

Description

Use the igmp-snooping command to enable IGMP snooping globally and enter IGMP-Snooping view.
Use the undo igmp-snooping command to disable IGMP snooping globally.
By default, IGMP snooping is disabled.
Related commands: igmp-snooping enable.

Examples

# Enable IGMP snooping globally and enter IGMP-Snooping view.


<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping]

igmp-snooping dot1p-priority

Syntax

igmp-snooping dot1p-priority priority-number


undo igmp-snooping dot1p-priority

View

VLAN view

Default Level

2: System level

Parameters

priority-number: Specifies 802.1p precedence for IGMP messages, in the range of 0 to 7. The higher the
number, the higher the precedence.

Description

Use the igmp-snooping dot1p-priority command to configure 802.1p precedence for IGMP
messages in a VLAN.

Use the undo igmp-snooping dot1p-priority command to restore the default.

The default 802.1p precedence for IGMP messages is 0.

Before configuring this command in a VLAN, enable IGMP Snooping in the VLAN.

Related commands: igmp-snooping enable.

Examples

# Enable IGMP Snooping in VLAN 2 and set 802.1p precedence for IGMP messages in the VLAN to 3.

<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping dot1p-priority 3

igmp-snooping drop-unknown

Syntax

igmp-snooping drop-unknown
undo igmp-snooping drop-unknown

View

VLAN view

Default Level

2: System level

Parameters

None

Description

Use the igmp-snooping drop-unknown command to enable the function of dropping unknown
multicast data in the current VLAN.
Use the undo igmp-snooping drop-unknown command to disable the function of dropping unknown
multicast data in the current VLAN.
By default, this function is disabled, that is, unknown multicast data is flooded.
This command takes effect only if IGMP snooping is enabled in the VLAN.
Related commands: igmp-snooping enable.

Examples

# In VLAN 2, enable IGMP snooping and the function of dropping unknown multicast data.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping drop-unknown

igmp-snooping enable

Syntax

igmp-snooping enable
undo igmp-snooping enable

View

VLAN view

Default Level

2: System level

Parameters

None

Description

Use the igmp-snooping enable command to enable IGMP snooping in the current VLAN.
Use the undo igmp-snooping enable command to disable IGMP snooping in the current VLAN.
By default, IGMP snooping is disabled in a VLAN.
IGMP snooping must be enabled globally before it can be enabled in a VLAN.
Related commands: igmp-snooping.

Examples

# Enable IGMP snooping in VLAN 2.


<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable

igmp-snooping fast-leave

Syntax

igmp-snooping fast-leave [ vlan vlan-list ]


undo igmp-snooping fast-leave [ vlan vlan-list ]

View

Ethernet interface view, Layer 2 aggregate interface view, port group view

Default Level

2: System level

Parameters

vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, each of which
specifies an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to
end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID. The effective range of a
VLAN ID is 1 to 4094.

Description

Use the igmp-snooping fast-leave command to enable fast leave processing on the current port or
group of ports.

Use the undo igmp-snooping fast-leave command to disable fast leave processing on the current
port or group of ports.
By default, fast leave processing is disabled.
Note that:
• This command works on IGMP snooping–enabled VLANs.
• If you do not specify any VLAN when using this command in Ethernet interface view or Layer 2
aggregate interface view, the command will take effect for all VLANs the interface belongs to; if you
specify a VLAN or multiple VLANs, the command will take effect only if the interface belongs to the
specified VLAN(s).
• If you do not specify any VLAN when using this command in port group view, the command will
take effect on all the ports in this group; if you specify a VLAN or multiple VLANs, the command will
take effect only on those ports in this group that belong to the specified VLAN(s).
Related commands: fast-leave.

Examples

# Enable fast leave processing on GigabitEthernet 1/0/1 in VLAN 2.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-Gigabitethernet1/0/1] igmp-snooping fast-leave vlan 2

igmp-snooping general-query source-ip

Syntax

igmp-snooping general-query source-ip { ip-address | current-interface }


undo igmp-snooping general-query source-ip

View

VLAN view

Default Level

2: System level

Parameters

ip-address: Specifies the source address of IGMP general queries, which can be any legal IP address.
current-interface: Sets the source address of IGMP general queries to the address of the current
VLAN interface. If the current VLAN interface does not have an IP address, the default IP address
0.0.0.0 will be used as the source IP address of IGMP general queries.

Description

Use the igmp-snooping general-query source-ip command to configure the source address of IGMP
general queries.
Use the undo igmp-snooping general-query source-ip command to restore the default
configuration.
By default, the source IP address of IGMP general queries is 0.0.0.0.
This command takes effect only if IGMP snooping is enabled in the VLAN.

Related commands: igmp-snooping enable.

Examples

# In VLAN 2, enable IGMP snooping and specify 10.1.1.1 as the source IP address of IGMP general
queries.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping general-query source-ip 10.1.1.1

igmp-snooping group-limit

Syntax

igmp-snooping group-limit limit [ vlan vlan-list ]


undo igmp-snooping group-limit [ vlan vlan-list ]

View

Ethernet interface view, Layer 2 aggregate interface view, port group view

Default Level

2: System level

Parameters

limit: Maximum number of multicast groups that can be joined on a port. The effective range is 1 to 256.
vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, each of which
specifies an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to
end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID. The effective range of a
VLAN ID is 1 to 4094.

Description

Use the igmp-snooping group-limit command to configure the maximum number of multicast groups
that can be joined on a port.
Use the undo igmp-snooping group-limit command to restore the default setting.
By default, the maximum number of multicast groups is 256.
Note that:
• If you do not specify any VLAN when using this command in Ethernet interface view or Layer 2
aggregate interface view, the command will take effect for all VLANs the interface belongs to; if you
specify a VLAN or multiple VLANs, the command will take effect only if the interface belongs to the
specified VLAN(s).
• If you do not specify any VLAN when using this command in port group view, the command will
take effect on all the ports in this group; if you specify a VLAN or multiple VLANs, the command will
take effect only on those ports in this group that belong to the specified VLAN(s).

Examples

# Specify to allow a maximum of 10 multicast groups to be joined on GigabitEthernet 1/0/1 in VLAN 2.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-Gigabitethernet1/0/1] igmp-snooping group-limit 10 vlan 2

igmp-snooping group-policy

Syntax

igmp-snooping group-policy acl-number [ vlan vlan-list ]


undo igmp-snooping group-policy [ vlan vlan-list ]

View

Ethernet interface view, Layer 2 aggregate interface view, port group view

Default Level

2: System level

Parameters

acl-number: Basic or advanced ACL number, in the range of 2000 to 3999. The source address or
address range specified in the advanced ACL rule is used to match the multicast source address(es)
specified in IGMPv3 reports, rather than the source address in the IP packets. The system assumes
that an IGMPv1 or IGMPv2 report or an IGMPv3 IS_EX or TO_EX report that does not carry a
multicast source address carries a multicast source address of 0.0.0.0.
vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, each of which
specifies an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to
end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID. The effective range of a
VLAN ID is 1 to 4094.

Description

Use the igmp-snooping group-policy command to configure a multicast group filter on the current
port(s), namely to control the multicast groups hosts on the port(s) can join.
Use the undo igmp-snooping group-policy command to remove a multicast group filter on the
current port(s).
By default, no multicast group filter is configured on an interface, namely a host can join any valid
multicast group.
Note that:
• If you do not specify any VLAN when using this command in Ethernet interface view or Layer 2
aggregate interface view, the command will take effect for all VLANs the interface belongs to; if you
specify a VLAN or multiple VLANs, the command will take effect only if the interface belongs to the
specified VLAN(s).
• If you do not specify any VLAN when using this command in port group view, the command will
take effect on all the ports in this group; if you specify a VLAN or multiple VLANs, the command will
take effect only on those ports in this group that belong to the specified VLAN(s).
• If the specified ACL does not exist or the ACL rule is null, all multicast groups will be filtered out.
• You can configure different ACL rules for a port in different VLANs; for a given VLAN, a newly
configured ACL rule will override the existing one.
Related commands: group-policy.

Examples

# Apply ACL 2000 as a multicast group filter so that hosts on GigabitEthernet 1/0/1 in VLAN 2 can join
225.1.1.1 only.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 225.1.1.1 0
[Sysname-acl-basic-2000] quit
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] igmp-snooping group-policy 2000 vlan 2

igmp-snooping host-aging-time

Syntax

igmp-snooping host-aging-time interval


undo igmp-snooping host-aging-time

View

VLAN view

Default Level

2: System level

Parameters

interval: Dynamic member port aging time, in seconds. The effective range is 200 to 1,000.

Description

Use the igmp-snooping host-aging-time command to configure the aging time of dynamic member
ports in the current VLAN.
Use the undo igmp-snooping host-aging-time command to restore the default setting.
By default, the aging time of dynamic member ports is 260 seconds.
This command takes effect only if IGMP snooping is enabled in the VLAN.
Related commands: igmp-snooping enable, host-aging-time.

Examples

# Enable IGMP snooping and set the aging time of dynamic member ports to 300 seconds in VLAN 2.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping host-aging-time 300
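
Several VLAN-view commands above (igmp-snooping dot1p-priority, drop-unknown, general-query source-ip and host-aging-time) depend on igmp-snooping enable in the same VLAN, which in turn depends on the global igmp-snooping command. The following checker is an added example, not part of the H3C manual or of Comware: it walks a CLI transcript in the prompt style used on this page, reports commands entered before their prerequisite, and lists VLANs where unknown multicast is still flooded. Assumptions: the function name, the finding texts and the sample transcript are constructed for illustration.

```python
import re

# VLAN-view sub-commands that, per the page, need 'igmp-snooping enable' in the VLAN.
VLAN_DEPENDENT = ("dot1p-priority", "drop-unknown", "general-query", "host-aging-time")
PROMPT = re.compile(r"^[<\[]([^>\]]+)[>\]]\s*(.*)$")


def audit_transcript(lines):
    """Return (findings, flooding_vlans) for a list of prompt-prefixed CLI lines."""
    global_on = False
    enabled, drop_unknown, findings = set(), set(), []
    for n, line in enumerate(lines, 1):
        m = PROMPT.match(line.strip())
        if not m:
            continue
        prompt, cmd = m.group(1), m.group(2).split()
        undo = cmd[:1] == ["undo"]
        if undo:
            cmd = cmd[1:]
        if cmd[:1] != ["igmp-snooping"]:
            continue
        if len(cmd) == 1:                       # global switch, entered in system view
            global_on = not undo
            continue
        vm = re.search(r"-vlan(\d+)$", prompt)
        if vm is None:                          # interface or port group view: not checked
            continue
        vlan, sub = int(vm.group(1)), cmd[1]
        if sub == "enable":
            if undo:
                enabled.discard(vlan)
            elif global_on:
                enabled.add(vlan)
            else:
                findings.append((n, f"VLAN {vlan}: enabled before global igmp-snooping"))
        elif sub in VLAN_DEPENDENT:
            if undo:
                if sub == "drop-unknown":
                    drop_unknown.discard(vlan)
            elif vlan not in enabled:
                findings.append((n, f"VLAN {vlan}: {sub} set without igmp-snooping enable"))
            elif sub == "drop-unknown":
                drop_unknown.add(vlan)
    # Snooping-enabled VLANs without drop-unknown keep the default: unknown
    # multicast data is flooded.
    return findings, sorted(enabled - drop_unknown)


# Constructed transcript in the page's prompt style.
SAMPLE_TRANSCRIPT = [
    "<Sysname> system-view",
    "[Sysname] igmp-snooping",
    "[Sysname-igmp-snooping] quit",
    "[Sysname] vlan 2",
    "[Sysname-vlan2] igmp-snooping enable",
    "[Sysname-vlan2] igmp-snooping drop-unknown",
    "[Sysname-vlan2] quit",
    "[Sysname] vlan 3",
    "[Sysname-vlan3] igmp-snooping host-aging-time 300",
    "[Sysname-vlan3] igmp-snooping enable",
    "[Sysname-vlan3] quit",
]

if __name__ == "__main__":
    findings, flooding = audit_transcript(SAMPLE_TRANSCRIPT)
    for line_no, text in findings:
        print(f"line {line_no}: {text}")
    print("VLANs still flooding unknown multicast:", flooding)
```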

igmp-snooping host-join

Syntax

igmp-snooping host-join group-address [ source-ip source-address ] vlan vlan-id


undo igmp-snooping host-join group-address [ source-ip source-address ] vlan vlan-id

View

Ethernet interface view, Layer 2 aggregate interface view, port group view

Default Level

2: System level

Parameters

group-address: Address of the multicast group that the simulated host is to join, in the range of
224.0.1.0 to 239.255.255.255.
source-address: Address of the multicast source that the simulated host is to join. The value of this
argument should be a valid unicast address or 0.0.0.0. If the value is 0.0.0.0, this means that no
multicast source is specified.
vlan vlan-id: Specifies the VLAN that comprises the port(s), where vlan-id is in the range of 1 to 4094.

Description

Use the igmp-snooping host-join command to configure the current port(s) as simulated member
host(s), namely configure the current port as a member host for the specified multicast group or source
and group.
Use the undo igmp-snooping host-join command to remove the current port(s) as simulated member
host(s) for the specified multicast group or source and group.
By default, this function is disabled.
Note that:
• This command works on IGMP snooping–enabled VLANs. The version of IGMP on the simulated
host depends on the version of IGMP snooping running in the VLAN.
• The source-ip source-address option in the command is meaningful only for IGMP snooping
version 3. If IGMP snooping version 2 is running, although you can include source-ip
source-address in the command, the simulated host does not respond to a query message.
• If configured in Ethernet interface view or Layer 2 aggregate interface view, this feature takes effect
only if the interface belongs to the specified VLAN.
• If configured in port group view, this feature takes effect only on those ports in this port group that
belong to the specified VLAN.

Examples

# Configure GigabitEthernet 1/0/1 as a simulated member host in VLAN 2 for multicast source 1.1.1.1
and multicast group 232.1.1.1.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping version 3
[Sysname-vlan2] quit
[Sysname] interface gigabitethernet 1/0/1
[Sysname-Gigabitethernet1/0/1] igmp-snooping host-join 232.1.1.1 source-ip 1.1.1.1 vlan 2

igmp-snooping last-member-query-interval

Syntax

igmp-snooping last-member-query-interval interval


undo igmp-snooping last-member-query-interval

View

VLAN view

Default Level

2: System level

Parameters

interval: Interval between IGMP last-member queries, in seconds. The effective range is 1 to 5.

Description

Use the igmp-snooping last-member-query-interval command to configure the interval between
IGMP last-member queries in the VLAN.
Use the undo igmp-snooping last-member-query-interval command to restore the default setting.
By default, the IGMP last-member query interval is 1 second.
This command takes effect only if IGMP snooping is enabled in the VLAN.
Related commands: igmp-snooping enable, last-member-query-interval.

Examples

# Enable IGMP snooping and set the interval between IGMP last-member queries to 3 seconds in VLAN
2.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping last-member-query-interval 3

igmp-snooping leave source-ip

Syntax

igmp-snooping leave source-ip { ip-address | current-interface }


undo igmp-snooping leave source-ip

View

VLAN view

Default Level

2: System level

Parameters

ip-address: Specifies a source address for the IGMP leave messages sent by the IGMP Snooping proxy,
which can be any legal IP address.

current-interface: Specifies the IP address of the current VLAN interface as the source address of
IGMP leave messages sent by the IGMP Snooping proxy. If no IP address has been assigned to the
current VLAN interface, the default IP address 0.0.0.0 is used.

Description

Use the igmp-snooping leave source-ip command to configure the source IP address of the IGMP
leave messages sent by the IGMP Snooping proxy.

Use the undo igmp-snooping leave source-ip command to restore the default.

By default, the source IP address of the IGMP leave messages sent by the IGMP Snooping proxy is
0.0.0.0.

Note that:

• Before configuring this command in a VLAN, enable IGMP Snooping in the VLAN.
• The source IP address configured in the igmp-snooping leave source-ip command also applies
when the simulated host sends IGMP leave messages.

Related commands: igmp-snooping enable.

Examples

# Enable IGMP Snooping in VLAN 2 and configure the source IP address of IGMP leave messages sent
by the IGMP Snooping proxy in VLAN 2 to 10.1.1.1.

<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping leave source-ip 10.1.1.1

igmp-snooping max-response-time

Syntax

igmp-snooping max-response-time interval


undo igmp-snooping max-response-time

View

VLAN view

Default Level

2: System level

Parameters

interval: Maximum response time to IGMP general queries, in seconds. The effective range is 1 to 25.

Description

Use the igmp-snooping max-response-time command to configure the maximum response time to
IGMP general queries in the VLAN.
Use the undo igmp-snooping max-response-time command to restore the default setting.
By default, the maximum response time to IGMP general queries is 10 seconds.
This command takes effect only if IGMP snooping is enabled in the VLAN.
Related commands: igmp-snooping enable, max-response-time, igmp-snooping query-interval.

Examples

# Enable IGMP snooping and set the maximum response time to IGMP general queries to 5 seconds in
VLAN 2.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping max-response-time 5

igmp-snooping overflow-replace

Syntax

igmp-snooping overflow-replace [ vlan vlan-list ]


undo igmp-snooping overflow-replace [ vlan vlan-list ]

View

Ethernet interface view, Layer 2 aggregate interface view, port group view

Default Level

2: System level

Parameters

vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, by each of which
you can specify an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to
end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID. The effective range of a
VLAN ID is 1 to 4094.

Description

Use the igmp-snooping overflow-replace command to enable the multicast group replacement
function on the current port(s).
Use the undo igmp-snooping overflow-replace command to disable the multicast group replacement
function on the current port(s).
By default, the multicast group replacement function is disabled.
Note that:
• This command works on IGMP snooping–enabled VLANs.
• If you do not specify any VLAN when using this command in Ethernet interface view or Layer 2
aggregate interface view, the command will take effect for all VLANs the interface belongs to; if you
specify a VLAN or multiple VLANs, the command will take effect only if the interface belongs to the
specified VLAN(s).
• If you do not specify any VLAN when using this command in port group view, the command will
take effect on all the ports in this group; if you specify a VLAN or multiple VLANs, the command will
take effect only on those ports in this group that belong to the specified VLAN(s).
Related commands: overflow-replace.

Examples

# Enable the multicast group replacement function on GigabitEthernet 1/0/1 in VLAN 2.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-Gigabitethernet1/0/1] igmp-snooping overflow-replace vlan 2

igmp-snooping proxying enable

Syntax

igmp-snooping proxying enable


undo igmp-snooping proxying enable

View

VLAN view

Default Level

2: System level

Parameters

None

Description

Use the igmp-snooping proxying enable command to enable the IGMP snooping Proxying function
in a VLAN.
Use the undo igmp-snooping proxying enable command to disable the IGMP snooping Proxying
function in a VLAN.
By default, IGMP snooping Proxying is disabled in all VLANs.
Before configuring this command in a VLAN, enable IGMP snooping in the VLAN.
Related commands: igmp-snooping enable.

Examples

# Enable IGMP Snooping and then IGMP Snooping Proxying in VLAN 2.


<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping proxying enable

igmp-snooping querier

Syntax

igmp-snooping querier
undo igmp-snooping querier

View

VLAN view

Default Level

2: System level

Parameters

None

Description

Use the igmp-snooping querier command to enable the IGMP snooping querier function.
Use the undo igmp-snooping querier command to disable the IGMP snooping querier function.
By default, the IGMP snooping querier function is disabled.
Note that: This command takes effect only if IGMP snooping is enabled in the VLAN.
Related commands: igmp-snooping enable.

Examples

# Enable IGMP snooping and the IGMP snooping querier function in VLAN 2.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping querier

igmp-snooping query-interval

Syntax

igmp-snooping query-interval interval


undo igmp-snooping query-interval

View

VLAN view

Default Level

2: System level

Parameters

interval: Interval between IGMP general queries, in seconds. The effective range is 2 to 300.

Description

Use the igmp-snooping query-interval command to configure the interval between IGMP general
queries.
Use the undo igmp-snooping query-interval command to restore the default setting.
By default, the IGMP general query interval is 60 seconds.
This command takes effect only if IGMP snooping is enabled in the VLAN.
Related commands: igmp-snooping enable, igmp-snooping querier, igmp-snooping
max-response-time, max-response-time.

Examples

# Enable IGMP snooping and set the interval between IGMP general queries to 20 seconds in VLAN 2.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping query-interval 20

igmp-snooping report source-ip

Syntax

igmp-snooping report source-ip { ip-address | current-interface }


undo igmp-snooping report source-ip

View

VLAN view

Default Level

2: System level

Parameters

ip-address: Specifies a source address for the IGMP reports sent by the IGMP Snooping proxy, which
can be any legal IP address.

current-interface: Specifies the IP address of the current VLAN interface as the source address of
IGMP reports sent by the IGMP Snooping proxy. If no IP address has been assigned to the current
VLAN interface, the default IP address 0.0.0.0 is used.

Description

Use the igmp-snooping report source-ip command to configure the source IP address of the IGMP
reports sent by the IGMP snooping proxy.
Use the undo igmp-snooping report source-ip command to restore the default.
By default, the source IP address of the IGMP reports sent by the IGMP snooping proxy is 0.0.0.0.
Note that:
• Before configuring this command in a VLAN, enable IGMP snooping in the VLAN.
• The source IP address configured in the igmp-snooping report source-ip command also applies
when the simulated host sends IGMP reports.
Related commands: igmp-snooping enable.

Examples

# Enable IGMP Snooping in VLAN 2 and configure the source IP address of IGMP reports sent by the
IGMP Snooping proxy in VLAN 2 to 10.1.1.1.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping report source-ip 10.1.1.1

igmp-snooping router-aging-time

Syntax

igmp-snooping router-aging-time interval


undo igmp-snooping router-aging-time

View

VLAN view

Default Level

2: System level

Parameters

interval: Dynamic router port aging time, in seconds. The effective range is 1 to 1,000.

Description

Use the igmp-snooping router-aging-time command to configure the aging time of dynamic router
ports in the current VLAN.
Use the undo igmp-snooping router-aging-time command to restore the default setting.
By default, the aging time of dynamic router ports is 105 seconds.
This command takes effect only if IGMP snooping is enabled in the VLAN.
Related commands: igmp-snooping enable, router-aging-time.

Examples

# Enable IGMP snooping and set the aging time of dynamic router ports to 100 seconds in VLAN 2.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping router-aging-time 100

igmp-snooping special-query source-ip

Syntax

igmp-snooping special-query source-ip { ip-address | current-interface }


undo igmp-snooping special-query source-ip

View

VLAN view

Default Level

2: System level

Parameters

ip-address: Sets the source address of IGMP group-specific queries to the specified address.
current-interface: Sets the source address of IGMP group-specific queries to the address of the
current VLAN interface. If the current VLAN interface does not have an IP address, the default IP
address 0.0.0.0 will be used as the source IP address of IGMP group-specific queries.

Description

Use the igmp-snooping special-query source-ip command to configure the source IP address of
IGMP group-specific queries.
Use the undo igmp-snooping special-query source-ip command to restore the default configuration.
By default, the source IP address of IGMP group-specific queries is 0.0.0.0.
This command takes effect only if IGMP snooping is enabled in the VLAN.
Related commands: igmp-snooping enable.

Examples

# In VLAN 2, enable IGMP snooping and specify 10.1.1.1 as the source IP address of IGMP
group-specific queries.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping special-query source-ip 10.1.1.1

igmp-snooping static-group

Syntax

igmp-snooping static-group group-address [ source-ip source-address ] vlan vlan-id


undo igmp-snooping static-group group-address [ source-ip source-address ] vlan vlan-id

View

Ethernet interface view, Layer 2 aggregate interface view, port group view

Default Level

2: System level

Parameters

group-address: Address of the multicast group to be statically joined, in the range of 224.0.0.0 to
239.255.255.255.
source-address: Address of the multicast source to be statically joined. The value of this argument
should be a valid unicast address or 0.0.0.0. If the value is 0.0.0.0, this means no multicast source is
specified.
vlan vlan-id: Specifies the VLAN that comprises the port(s), where vlan-id is in the range of 1 to 4094.

Description

Use the igmp-snooping static-group command to configure the static (*, G) or (S, G) joining function,
namely to configure the current port or port group as static multicast group or source-group member(s).
Use the undo igmp-snooping static-group command to restore the system default.
By default, no ports are static member ports.
Note that:
• The source-ip source-address option in the command is meaningful only for IGMP snooping
version 3. If IGMP snooping version 2 is running, although you can include the source-ip
source-address option in your command, the configuration will not take effect.
• If configured in Ethernet interface view or Layer 2 aggregate interface view, this feature takes effect
only if the interface belongs to the specified VLAN.
• If configured in port group view, this feature takes effect only on those ports in this port group that
belong to the specified VLAN.

Examples

# Configure GigabitEthernet 1/0/1 in VLAN 2 to be a static member port for (1.1.1.1, 232.1.1.1).
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping version 3
[Sysname-vlan2] quit
[Sysname] interface gigabitethernet 1/0/1
[Sysname-Gigabitethernet1/0/1] igmp-snooping static-group 232.1.1.1 source-ip 1.1.1.1 vlan 2

igmp-snooping static-router-port

Syntax

igmp-snooping static-router-port vlan vlan-id


undo igmp-snooping static-router-port vlan vlan-id

View

Ethernet interface view, Layer 2 aggregate interface view, port group view

Default Level

2: System level

Parameters

vlan vlan-id: Specifies a VLAN in which one or more static router ports are to be configured, where
vlan-id is in the range of 1 to 4094.

Description

Use the igmp-snooping static-router-port command to configure the current port(s) as static router
port(s).
Use the undo igmp-snooping static-router-port command to restore the system default.
By default, no ports are static router ports.
Note that:
• This command works on IGMP snooping–enabled VLANs.
• If configured in Ethernet interface view or Layer 2 aggregate interface view, this feature takes effect
only if the interface belongs to the specified VLAN.
• If configured in port group view, this feature takes effect only on those ports in this port group that
belong to the specified VLAN.

Examples

# Enable the static router port function on GigabitEthernet 1/0/1 in VLAN 2.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-Gigabitethernet1/0/1] igmp-snooping static-router-port vlan 2

igmp-snooping version

Syntax

igmp-snooping version version-number


undo igmp-snooping version

View

VLAN view

Default Level

2: System level

Parameters

version-number: IGMP snooping version, in the range of 2 to 3.

Description

Use the igmp-snooping version command to configure the IGMP snooping version.
Use the undo igmp-snooping version command to restore the default setting.
By default, the IGMP snooping version is 2.
Note that: This command can take effect only if IGMP snooping is enabled in the VLAN.
Related commands: igmp-snooping enable.

Examples

# Enable IGMP snooping in VLAN 2, and set the IGMP snooping version to version 3.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 2
[Sysname-vlan2] igmp-snooping enable
[Sysname-vlan2] igmp-snooping version 3

last-member-query-interval (IGMP-Snooping view)

Syntax

last-member-query-interval interval
undo last-member-query-interval

View

IGMP-Snooping view

Default Level

2: System level

Parameters

interval: Interval between IGMP last-member queries, in seconds. The effective range is 1 to 5.

Description

Use the last-member-query-interval command to configure the interval between IGMP last-member
queries globally.
Use the undo last-member-query-interval command to restore the default setting.
By default, the interval between IGMP last-member queries is 1 second.
This command works only on IGMP snooping–enabled VLANs.
Related commands: igmp-snooping last-member-query-interval.

Examples

# Set the interval between IGMP last-member queries globally to 3 seconds.


<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] last-member-query-interval 3

max-response-time (IGMP-Snooping view)

Syntax

max-response-time interval
undo max-response-time

View

IGMP-Snooping view

Default Level

2: System level

Parameters

interval: Maximum response time to IGMP general queries, in seconds. The effective range is 1 to 25.

Description

Use the max-response-time command to configure the maximum response time to IGMP general
queries globally.
Use the undo max-response-time command to restore the default value.
This command works only on IGMP snooping–enabled VLANs.
Related commands: igmp-snooping max-response-time, igmp-snooping query-interval.

Examples

# Set the maximum response time to IGMP general queries globally to 5 seconds.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] max-response-time 5

overflow-replace (IGMP-Snooping view)

Syntax

overflow-replace [ vlan vlan-list ]


undo overflow-replace [ vlan vlan-list ]

View

IGMP-Snooping view

Default Level

2: System level

Parameters

vlan vlan-list: Defines one or multiple VLANs. You can provide up to 10 VLAN lists, by each of which
you can specify an individual VLAN in the form of vlan-id, or a VLAN range in the form of start-vlan-id to
end-vlan-id, where the end VLAN ID must be greater than the start VLAN ID. The effective range of a
VLAN ID is 1 to 4094.

Description

Use the overflow-replace command to enable the multicast group replacement function globally.
Use the undo overflow-replace command to disable the multicast group replacement function
globally.
By default, the multicast group replacement function is disabled.
Note that:
• This command works on IGMP snooping–enabled VLANs.
• If you do not specify any VLAN, the command will take effect for all VLANs; if you specify a VLAN or
multiple VLANs, the command will take effect for the specified VLAN(s) only.
Related commands: igmp-snooping overflow-replace.

Examples

# Enable the multicast group replacement function globally in VLAN 2.


<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] overflow-replace vlan 2

report-aggregation (IGMP-Snooping view)

Syntax

report-aggregation
undo report-aggregation

View

IGMP-Snooping view

Default Level

2: System level

Parameters

None

Description

Use the report-aggregation command to enable IGMP report suppression.


Use the undo report-aggregation command to disable IGMP report suppression.
By default, IGMP report suppression is enabled.
This command works on IGMP snooping–enabled VLANs.

Examples

# Disable IGMP report suppression.


<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] undo report-aggregation

reset igmp-snooping group

Syntax

reset igmp-snooping group { group-address | all } [ vlan vlan-id ]

View

User view

Default Level

2: System level

Parameters

group-address: Specifies an IGMP snooping group. The value range of group-address is 224.0.1.0 to
239.255.255.255.
all: Specifies all IGMP snooping groups.
vlan vlan-id: Specifies a VLAN. The effective range of vlan-id is 1 to 4094.

Description

Use the reset igmp-snooping group command to clear IGMP snooping multicast group information.
Note that:
• This command works only on IGMP snooping–enabled VLANs.
• This command cannot remove the static group entries of IGMP snooping groups.

Examples

# Remove dynamic group entries of all IGMP snooping groups.


<Sysname> reset igmp-snooping group all

reset igmp-snooping statistics

Syntax

reset igmp-snooping statistics

View

User view

Default Level

2: System level

Parameters

None

Description

Use the reset igmp-snooping statistics command to clear the statistics information of IGMP
messages learned by IGMP snooping.

Examples

# Clear the statistics information of all kinds of IGMP messages learned by IGMP snooping.
<Sysname> reset igmp-snooping statistics

router-aging-time (IGMP-Snooping view)

Syntax

router-aging-time interval
undo router-aging-time

View

IGMP-Snooping view

Default Level

2: System level

Parameters

interval: Dynamic router port aging time, in seconds. The effective range is 1 to 1,000.

Description

Use the router-aging-time command to configure the aging time of dynamic router ports globally.
Use the undo router-aging-time command to restore the default setting.
By default, the aging time of dynamic router ports is 105 seconds.
This command works only on IGMP snooping–enabled VLANs.
Related commands: igmp-snooping router-aging-time.

Examples

# Set the aging time of dynamic router ports globally to 100 seconds.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] router-aging-time 100
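
The effective ranges and the "takes effect only if IGMP snooping is enabled" conditions listed for the commands above can be checked mechanically before a configuration is deployed, so that a filter or timer does not silently fail to apply. The following Python script is an added example, not part of the H3C manual. It assumes the configuration text has one unindented header line per view (such as vlan 2 or interface GigabitEthernet1/0/1), indented sub-commands, and # separator lines; the sample configuration and all function names are constructed for illustration.

```python
import ipaddress
import re

# Effective ranges from the command descriptions above (seconds; version is unitless).
VLAN_RANGES = {
    "host-aging-time": (200, 1000),
    "last-member-query-interval": (1, 5),
    "max-response-time": (1, 25),
    "query-interval": (2, 300),
    "router-aging-time": (1, 1000),
    "version": (2, 3),
}
# VLAN-view commands that the reference says require "igmp-snooping enable" in the VLAN.
NEEDS_ENABLE = tuple(VLAN_RANGES) + (
    "querier", "proxying enable", "leave source-ip",
    "report source-ip", "special-query source-ip")
# Lowest permitted group address per command; the upper bound is 239.255.255.255.
GROUP_FLOOR = {"host-join": "224.0.1.0", "static-group": "224.0.0.0"}
GROUP_CEIL = ipaddress.IPv4Address("239.255.255.255")
JOIN_RE = re.compile(
    r"igmp-snooping (host-join|static-group) (\S+)(?: source-ip (\S+))? vlan (\d+)$")

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
#
igmp-snooping
#
vlan 2
 igmp-snooping enable
 igmp-snooping version 3
 igmp-snooping query-interval 20
#
vlan 3
 igmp-snooping enable
 igmp-snooping host-aging-time 100
#
vlan 4
 igmp-snooping querier
#
interface GigabitEthernet1/0/1
 igmp-snooping host-join 232.1.1.1 source-ip 1.1.1.1 vlan 2
#
interface GigabitEthernet1/0/2
 igmp-snooping host-join 224.0.0.5 source-ip 1.1.1.1 vlan 3
#
"""


def split_sections(config):
    """Yield (header, [sub-commands]); layout is an assumption stated in the lead-in."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0].isspace():
            if header is not None:
                body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def group_in_range(kind, group):
    """True if group is a valid address inside the range documented for the command."""
    try:
        addr = ipaddress.IPv4Address(group)
    except ValueError:
        return False
    return ipaddress.IPv4Address(GROUP_FLOOR[kind]) <= addr <= GROUP_CEIL


def audit(config):
    """Return a list of findings for the IGMP snooping settings in config."""
    sections = list(split_sections(config))
    findings, vlans = [], {}
    # Pass 1: VLAN-view commands (range checks and the enable prerequisite).
    for header, body in sections:
        m = re.fullmatch(r"vlan (\d+)", header)
        if not m:
            continue
        vid = int(m.group(1))
        state = vlans.setdefault(vid, {"enabled": False, "version": 2})  # default version is 2
        snoop = [c[len("igmp-snooping "):] for c in body if c.startswith("igmp-snooping ")]
        state["enabled"] = "enable" in snoop
        for cmd in snoop:
            if cmd == "enable":
                continue
            if cmd.startswith(NEEDS_ENABLE) and not state["enabled"]:
                findings.append(f"vlan {vid}: '{cmd}' has no effect (IGMP snooping not enabled)")
            name, _, value = cmd.partition(" ")
            if name in VLAN_RANGES and value.isdigit():
                lo, hi = VLAN_RANGES[name]
                if not lo <= int(value) <= hi:
                    findings.append(f"vlan {vid}: {name} {value} outside {lo}-{hi}")
                elif name == "version":
                    state["version"] = int(value)
    # Pass 2: interface-view host-join / static-group, cross-checked against the VLAN state.
    for header, body in sections:
        if not header.startswith("interface "):
            continue
        for cmd in body:
            m = JOIN_RE.match(cmd)
            if not m:
                continue
            kind, group, source, vid = m.group(1), m.group(2), m.group(3), int(m.group(4))
            state = vlans.get(vid, {"enabled": False, "version": 2})
            if not group_in_range(kind, group):
                findings.append(f"{header}: {kind} group {group} outside "
                                f"{GROUP_FLOOR[kind]}-239.255.255.255")
            if kind == "host-join" and not state["enabled"]:
                findings.append(f"{header}: host-join in vlan {vid} has no effect "
                                "(IGMP snooping not enabled)")
            if source and state["version"] != 3:
                findings.append(f"{header}: source-ip {source} is not meaningful, "
                                f"vlan {vid} runs IGMP snooping version {state['version']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
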

2 Multicast VLAN Configuration Commands

Multicast VLAN Configuration Commands


display multicast-vlan

Syntax

display multicast-vlan [ vlan-id ]

View

Any view

Default Level

1: Monitor level

Parameters

vlan-id: VLAN ID of a multicast VLAN, in the range of 1 to 4094. If this argument is not provided, the
information about all multicast VLANs will be displayed.

Description

Use the display multicast-vlan command to view the information about the specified multicast VLAN.

Examples

# View the information about all multicast VLANs.


<Sysname> display multicast-vlan
Total 1 multicast-vlan(s)

Multicast vlan 1
port list:
GE1/0/1

Table 2-1 display multicast-vlan command output description

| Field | Description |
| --- | --- |
| Total 1 multicast-vlan(s) | Total number of multicast VLANs |
| Multicast vlan | A multicast VLAN |
| port list | Port list of the multicast VLAN |

multicast-vlan

Syntax

multicast-vlan vlan-id
undo multicast-vlan { all | vlan-id }

View

System view

Default Level

2: System level

Parameters

vlan-id: Specifies a VLAN by its ID, in the range of 1 to 4094.


all: Deletes all multicast VLANs.

Description

Use the multicast-vlan command to configure the specified VLAN as a multicast VLAN and enter
multicast VLAN view.
Use the undo multicast-vlan command to remove the specified VLAN as a multicast VLAN.
The VLAN to be configured is not a multicast VLAN by default.
Note that:
• The specified VLAN to be configured as a multicast VLAN must exist.
• For a port-based multicast VLAN, you need to enable IGMP Snooping in both the multicast VLAN
and all the user VLANs.
Related commands: igmp-snooping enable.

Examples

# Enable IGMP Snooping in VLAN 100. Configure it as a multicast VLAN and enter multicast VLAN
view.
<Sysname> system-view
[Sysname] igmp-snooping
[Sysname-igmp-snooping] quit
[Sysname] vlan 100
[Sysname-vlan100] igmp-snooping enable
[Sysname-vlan100] quit
[Sysname] multicast-vlan 100
[Sysname-mvlan-100]

port (multicast VLAN view)

Syntax

port interface-list
undo port { all | interface-list }

View

Multicast VLAN view

Default Level

2: System level

Parameters

interface-list: Specifies a port in the form of interface-type interface-number, or a port range in the form
of interface-type start-interface-number to interface-type end-interface-number, where the end
interface number must be greater than the start interface number.
all: Deletes all the ports in the current multicast VLAN.

Description

Use the port command to assign the specified port(s) to the current multicast VLAN.
Use the undo port command to delete the specified port(s) or all ports from the current multicast VLAN.
By default, a multicast VLAN has no ports.
Note that:
• A port can belong to only one multicast VLAN.
• Only the following types of interfaces can be configured as multicast VLAN ports: Ethernet, or
Layer 2 aggregate interfaces.

Examples

# Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 to multicast VLAN 100.
<Sysname> system-view
[Sysname] multicast-vlan 100
[Sysname-mvlan-100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/5

port multicast-vlan

Syntax

port multicast-vlan vlan-id


undo port multicast-vlan

View

Ethernet interface view, Layer 2 aggregate interface view, port group view.

Default Level

2: System level

Parameters

vlan-id: VLAN ID of the multicast VLAN you want to assign the current port(s) to, in the range of 1 to
4094.

Description

Use the port multicast-vlan command to assign the current port(s) to the specified multicast VLAN.
Use the undo port multicast-vlan command to restore the system default.
By default, a port does not belong to any multicast VLAN.
Note that a port can belong to only one multicast VLAN.

Examples

# Assign GigabitEthernet 1/0/1 to multicast VLAN 100.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-Gigabitethernet1/0/1] port multicast-vlan 100

Table of Contents

1 QoS Policy Configuration Commands
    Class Configuration Commands
        display traffic classifier
        if-match
        traffic classifier
    Traffic Behavior Configuration Commands
        display traffic behavior
        filter
        redirect
        traffic behavior
    QoS Policy Configuration and Application Commands
        classifier behavior
        display qos policy
        display qos policy interface
        qos apply policy
        qos policy

2 Priority Mapping Configuration Commands
    Priority Mapping Table Configuration Commands
        display qos map-table
        import
        qos map-table
    Port Priority Configuration Commands
        qos priority
    Trusted Precedence Type Configuration Commands
        display qos trust interface
        qos trust

3 Line Rate Configuration Commands
    Line Rate Configuration Commands
        display qos lr interface
        qos lr

4 Congestion Management Configuration Commands
    Congestion Management Configuration Commands
        display qos wrr interface
        qos wrr

1 QoS Policy Configuration Commands

Class Configuration Commands


display traffic classifier

Syntax

display traffic classifier user-defined [ tcl-name ]

View

Any view

Default Level

1: Monitor level

Parameters

user-defined: Displays user-defined classes.


tcl-name: Class name, a string of 1 to 31 characters.

Description

Use the display traffic classifier command to display information about classes.
If no class name is specified, information about all user-defined classes is displayed.

Examples

# Display information about all user-defined classes.


<Sysname> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: USER1
Operator: AND
Rule(s) : if-match ip-precedence 5

Classifier: database
Operator: AND
Rule(s) : if-match acl 3131

Table 1-1 display traffic classifier user-defined command output description

Field                                Description
User Defined Classifier Information  User-defined class information
Classifier                           Class name and its match criteria
Operator                             Logical relationship between match criteria
Rule(s)                              Match criteria

if-match

Syntax

if-match match-criteria
undo if-match match-criteria
undo if-match acl { acl-number | name acl-name } [ update acl { acl-number | name acl-name } ]

View

Class view

Default Level

2: System level

Parameters

match-criteria: Match criterion. Table 1-2 shows the available criteria.


acl { acl-number | name acl-name }: Specifies an ACL currently referenced in the class by the ACL
name or ACL number.
update acl { acl-number | name acl-name }: Specifies a new ACL to replace the specified current ACL
by the number or name of the new ACL.

Table 1-2 The form of the match-criteria argument

Form                                        Description
acl { access-list-number | name acl-name }  Specifies to match an IPv4 ACL specified by its number or name. The access-list-number argument specifies an ACL by its number, which ranges from 2000 to 4999; the name acl-name keyword-argument combination specifies an ACL by its name. In a class configured with the operator and, the logical relationship between rules defined in the referenced IPv4 ACL is or.
any                                         Specifies to match all packets.
customer-dot1p 8021p-list                   Specifies to match packets by 802.1p precedence of the customer network. The 8021p-list argument is a list of CoS values, in the range of 0 to 7.
customer-vlan-id vlan-id-list               Specifies to match the packets of specified VLANs of user networks. The vlan-id-list argument specifies a list of VLAN IDs, in the form of vlan-id to vlan-id or multiple discontinuous VLAN IDs (separated by space). You can specify up to eight VLAN IDs for this argument at a time. VLAN ID is in the range 1 to 4094.
destination-mac mac-address                 Specifies to match the packets with a specified destination MAC address.
dscp dscp-list                              Specifies to match packets by DSCP precedence. The dscp-list argument is a list of DSCP values in the range of 0 to 63.
ip-precedence ip-precedence-list            Specifies to match packets by IP precedence. The ip-precedence-list argument is a list of IP precedence values in the range of 0 to 7.
protocol protocol-name                      Specifies to match the packets of a specified protocol. The protocol-name argument can be IP.
service-vlan-id vlan-id-list                Specifies to match the packets of the VLANs of the operator’s network. The vlan-id-list argument is a list of VLAN IDs, in the form of vlan-id to vlan-id or multiple discontinuous VLAN IDs (separated by space). You can specify up to eight VLAN IDs for this argument at a time. VLAN ID is in the range of 1 to 4094.
source-mac mac-address                      Specifies to match the packets with a specified source MAC address.

To successfully execute the traffic behavior associated with a traffic class that uses the AND operator,
define only one if-match clause for any of the following match criteria and input only one value for any
of the following list arguments, for example, the 8021p-list argument:
- customer-dot1p 8021p-list
- customer-vlan-id vlan-id-list
- destination-mac mac-address
- dscp dscp-list
- ip-precedence ip-precedence-list
- service-vlan-id vlan-id-list
- source-mac mac-address
To create multiple if-match clauses for these match criteria or specify multiple values for the list
arguments, ensure that the operator of the class is OR.

Description

Use the if-match command to define a match criterion.


Use the undo if-match command to remove the match criterion.
When defining match criteria, note the following:
1) Define an ACL-based match criterion
- If the ACL referenced in the if-match command does not exist, the class cannot be applied.
- For a class, you can reference an ACL twice by its name and number respectively with the if-match
command.
2) Define a criterion to match a destination MAC address or a source MAC address
- You can configure multiple destination MAC address or source MAC address match criteria in a
class.
3) Define a criterion to match DSCP values
- You can configure multiple DSCP match criteria in a class. All the defined DSCP values are
arranged in ascending order automatically.
- You can configure up to eight DSCP values in one command line. If multiple identical DSCP values
are specified, the system considers them as one. If a packet matches one of the defined DSCP
values, it is considered matching the if-match clause.
- To delete a criterion matching DSCP values, the specified DSCP values must be identical with
those defined in the rule (sequence may be different).
4) Define a criterion to match the 802.1p precedence values of the customer network
- You can configure multiple 802.1p precedence match criteria in a class. All the defined 802.1p
values are arranged in ascending order automatically.
- You can configure up to eight 802.1p precedence values in one command line. If the same 802.1p
precedence value is specified multiple times, the system considers them as one. If a packet
matches one of the defined 802.1p precedence values, it is considered matching the if-match
clause.
- To delete a criterion matching 802.1p precedence values, the specified 802.1p precedence values
in the command must be identical with those defined in the criterion (sequence may be different).
5) Define a criterion to match IP precedence values
- You can configure multiple IP precedence match criteria in a class. The defined IP precedence
values are arranged automatically in ascending order.
- You can configure up to eight IP precedence values in one command line. If the same IP
precedence is specified multiple times, the system considers them as one. If a packet matches one
of the defined IP precedence values, it is considered matching the if-match clause.
- To delete a criterion matching IP precedence values, the specified IP precedence values in the
command must be identical with those defined in the criterion (sequence may be different).
6) Define a criterion to match customer network VLAN IDs or service provider network VLAN IDs
- You can configure multiple VLAN ID match criteria in a class. The defined VLAN IDs are
automatically arranged in ascending order.
- You can configure multiple VLAN IDs in one command line. If the same VLAN ID is specified
multiple times, the system considers them as one. If a packet matches one of the defined VLAN IDs,
it is considered matching the if-match clause.
- To delete a criterion matching VLAN IDs, the specified VLAN IDs in the command must be identical
with those defined in the criterion (sequence may be different).
Related commands: traffic classifier.

Examples

# Define a criterion to match IP packets.


<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match protocol ip

# Define a match criterion for class class1 to match the packets with the destination MAC address
0050-ba27-bed3.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match destination-mac 0050-ba27-bed3

# Define a match criterion for class class2 to match the packets with the source MAC address
0050-ba27-bed2.
<Sysname> system-view
[Sysname] traffic classifier class2
[Sysname-classifier-class2] if-match source-mac 0050-ba27-bed2

# Define a match criterion for class class1 to match ACL 3101.


<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match acl 3101

# Define a match criterion for class class1 to match the ACL named flow.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match acl name flow

# Define a match criterion for class class1 to match all packets.


<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match any

# Define a match criterion for class class1 to match the packets with DSCP values 1, 6 or 9.
<Sysname> system-view
[Sysname] traffic classifier class1 operator or
[Sysname-classifier-class1] if-match dscp 1
[Sysname-classifier-class1] if-match dscp 6
[Sysname-classifier-class1] if-match dscp 9

# Define a match criterion for class class1 to match the packets with an IP precedence of 1 or 6.
<Sysname> system-view
[Sysname] traffic classifier class1 operator or
[Sysname-classifier-class1] if-match ip-precedence 1
[Sysname-classifier-class1] if-match ip-precedence 6

# Define a match criterion for class class1 to match the packets with customer network VLAN ID 1, 6, or
9.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match customer-vlan-id 1 6 9

# Change the match criterion of class class1 from ACL 2008 to ACL 2009.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] undo if-match acl 2008 update acl 2009

traffic classifier

Syntax

traffic classifier tcl-name [ operator { and | or } ]


undo traffic classifier tcl-name

View

System view

Default Level

2: System level

Parameters

tcl-name: Class name, a string of 1 to 31 characters.


and: Specifies the relationship between the match criteria in the class as logical AND. That is, the
packets that match all the criteria belong to this class.
or: Specifies the relationship between the criteria in the class as logical OR. That is, the packets that
match any of the criteria belong to this class.

Description

Use the traffic classifier command to define a class and enter class view.
Use the undo traffic classifier command to remove a class.
By default, the relationship between match criteria is and.
Related commands: qos policy, qos apply policy, classifier behavior.

Examples

# Define a class named class1.


<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1]
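
The AND-operator note in the if-match entry and the default operator (and) stated for traffic classifier can be checked mechanically before a class is bound to a filter or redirect behavior. The following is an added example, not part of the H3C manual: a small Python audit of classifier command lines. The function names, finding labels and the sample configuration are constructed for illustration, and applying the eight-value limit only to explicit lists (not to "to" ranges) is an assumption.

```python
import re

# Criteria named in the AND-operator note, with the value range Table 1-2 gives.
# None means the value is a single MAC address rather than a numeric list.
RESTRICTED = {
    "customer-dot1p": (0, 7),
    "customer-vlan-id": (1, 4094),
    "destination-mac": None,
    "dscp": (0, 63),
    "ip-precedence": (0, 7),
    "service-vlan-id": (1, 4094),
    "source-mac": None,
}
MAX_VALUES = 8  # "up to eight ... values in one command line"
PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")  # "<Sysname>" or "[Sysname-...]"
CLASS_RE = re.compile(r"^traffic classifier (\S+)(?:\s+operator\s+(and|or))?$", re.I)

# Constructed sample input (hypothetical class names, not from a real device).
SAMPLE = """\
traffic classifier voice
 if-match dscp 46
traffic classifier bulk
 if-match dscp 8 10 12
traffic classifier marked operator or
 if-match dscp 1
 if-match dscp 6
 if-match dscp 9
traffic classifier cust
 if-match customer-vlan-id 1 6 9
traffic classifier both
 if-match ip-precedence 1
 if-match ip-precedence 6
traffic classifier wide operator or
 if-match dscp 64
 if-match service-vlan-id 10 to 20
"""


def parse_classes(text):
    """Return {class: {"operator": "and"|"or", "rules": [(criterion, [values])]}}."""
    classes, current = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        m = CLASS_RE.match(line)
        if m:
            # The manual states that the default relationship is and.
            current = classes.setdefault(m.group(1), {"operator": "and", "rules": []})
            if m.group(2):
                current["operator"] = m.group(2).lower()
        elif line.startswith("if-match ") and current is not None:
            words = line.split()[1:]
            current["rules"].append((words[0], words[1:]))
    return classes


def expand(values):
    """Expand 'a to b' ranges into integers; None if a token is not numeric."""
    try:
        out, i = [], 0
        while i < len(values):
            if i + 2 < len(values) and values[i + 1].lower() == "to":
                out.extend(range(int(values[i]), int(values[i + 2]) + 1))
                i += 3
            else:
                out.append(int(values[i]))
                i += 1
        return out
    except ValueError:
        return None


def lint(text):
    """Return a list of (class, criterion, finding) tuples."""
    findings = []
    for name, cls in parse_classes(text).items():
        is_and = cls["operator"] == "and"
        clauses = {}
        for crit, values in cls["rules"]:
            if crit not in RESTRICTED:
                continue  # acl, any, protocol: not covered by the note
            clauses[crit] = clauses.get(crit, 0) + 1
            rng = RESTRICTED[crit]
            if rng is None:  # MAC criteria take exactly one address
                if len(values) != 1:
                    findings.append((name, crit, "bad-value"))
                continue
            nums = expand(values)
            if not nums:
                findings.append((name, crit, "bad-value"))
                continue
            if any(n < rng[0] or n > rng[1] for n in nums):
                findings.append((name, crit, "out-of-range"))
            if "to" not in values and len(values) > MAX_VALUES:
                findings.append((name, crit, "too-many-values"))
            if is_and and len(set(nums)) > 1:  # identical values count as one
                findings.append((name, crit, "and-multiple-values"))
        if is_and:
            findings += [(name, c, "and-multiple-clauses")
                         for c, n in clauses.items() if n > 1]
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding)
```

Lines pasted with their CLI prompt, such as "[Sysname-classifier-class1] if-match dscp 1", are accepted because the prompt is stripped before parsing.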

Traffic Behavior Configuration Commands


display traffic behavior

Syntax

display traffic behavior user-defined [ behavior-name ]

View

Any view

Default Level

1: Monitor level

Parameters

user-defined: Displays user-defined traffic behaviors.


behavior-name: Behavior name, a string of 1 to 31 characters. If no traffic behavior is specified, the
information of all the user-defined behaviors is displayed.

Description

Use the display traffic behavior command to display traffic behavior information.

Examples

# Display user-defined traffic behaviors.

<Sysname> display traffic behavior user-defined
User Defined Behavior Information:
Behavior: 2
Redirect enable:
Redirect type: interface
Redirect destination: GigabitEthernet1/0/4
Behavior: 1
Filter enable: deny

Table 1-3 display traffic behavior user-defined command output description

Field                              Description
User Defined Behavior Information  User-defined behavior information.
Behavior                           Name of a behavior.
Redirect enable                    Traffic redirecting configuration information.
Redirect type                      Traffic redirecting type, which can be redirecting to an interface.
Redirect destination               Traffic redirecting destination port.
Filter enable                      Traffic filtering option: permit or deny.

filter

Syntax

filter { deny | permit }


undo filter

View

Traffic behavior view

Default Level

2: System level

Parameters

deny: Drops the packets.


permit: Permits the packet to pass through.

Description

Use the filter command to configure a traffic filtering action for the traffic behavior.
Use the undo filter command to remove the traffic filtering action.

filter deny is mutually exclusive with redirect.

Examples

# Configure the traffic filtering action as deny for traffic behavior database.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] filter deny

redirect

Syntax

redirect interface interface-type interface-number


undo redirect interface interface-type interface-number

View

Traffic behavior view

Default Level

2: System level

Parameters

interface: Redirects traffic to the specified interface.


interface-type interface-number: Interface identified by an interface number and interface type.

Description

Use the redirect command to configure a traffic redirect action for the traffic behavior.
Use the undo redirect command to remove the traffic redirect action.

filter deny is mutually exclusive with redirect.

Examples

# Configure the action of redirecting traffic to GigabitEthernet 1/0/1 for traffic behavior database.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] redirect interface gigabitethernet1/0/1

traffic behavior

Syntax

traffic behavior behavior-name


undo traffic behavior behavior-name

View

System view

Default Level

2: System level

Parameters

behavior-name: Behavior name, a string of 1 to 31 characters.

Description

Use the traffic behavior command to create a traffic behavior and enter traffic behavior view.
Use the undo traffic behavior command to remove a traffic behavior.
Related commands: qos policy, qos apply policy, classifier behavior.

Examples

# Create a traffic behavior named behavior1.


<Sysname> system-view
[Sysname] traffic behavior behavior1
[Sysname-behavior-behavior1]

QoS Policy Configuration and Application Commands


classifier behavior

Syntax

classifier tcl-name behavior behavior-name


undo classifier tcl-name

View

Policy view

Default Level

2: System level

Parameters

tcl-name: Class name, a string of 1 to 31 characters.


behavior-name: Behavior name, a string of 1 to 31 characters.

Description

Use the classifier behavior command to specify a behavior for a class in the policy.
Use the undo classifier command to remove a class from the policy.
Note that:
- Each class in the policy can be associated with only one behavior.
- If the class and traffic behavior specified for the command do not exist, the system creates a null
class and a null traffic behavior.
Related commands: qos policy.

Examples

# Associate traffic class database with traffic behavior test in QoS policy user1.
<Sysname> system-view
[Sysname] qos policy user1
[Sysname-qospolicy-user1] classifier database behavior test
[Sysname-qospolicy-user1]

display qos policy

Syntax

display qos policy user-defined [ policy-name [ classifier tcl-name ] ]

View

Any view

Default Level

1: Monitor level

Parameters

user-defined: Displays user-defined QoS policies.


policy-name: QoS policy name, a string of 1 to 31 characters. If no policy is specified, configuration
information of all the policies is displayed.
tcl-name: Class name, a string of 1 to 31 characters.

Description

Use the display qos policy command to display user-defined QoS policy configuration information.

Examples

# Display the configuration information of user-defined QoS policies.


<Sysname> display qos policy user-defined
User Defined QoS Policy Information:
Policy: 1
Classifier: 1
Behavior: 1
Redirect enable:
Redirect type: interface
Redirect destination: GigabitEthernet1/0/7

Table 1-4 display qos policy command output description

Field       Description
Policy      Policy name
Classifier  Class name. A policy can contain multiple classes, and each class is associated with a traffic behavior. A class can be configured with multiple match criteria. Refer to the traffic classifier command for related information.
Behavior    Behavior associated with the class. A behavior is associated with a class. It can be configured with multiple actions. Refer to the traffic behavior command for related information.

display qos policy interface

Syntax

display qos policy interface [ interface-type interface-number ] [ inbound ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Description

Use the display qos policy interface command to display QoS policy configuration and operational
information on an interface or all interfaces.

Examples

# Display the QoS configuration and operational information on GigabitEthernet1/0/1.


<Sysname> display qos policy interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
Direction: Inbound
Policy: 1
Classifier: 1
Operator: AND
Rule(s) : If-match customer-dot1p 1
Behavior: 1
Redirect enable:
Redirect type: interface
Redirect destination: GigabitEthernet1/0/7

Table 1-5 display qos policy interface command output description

Field       Description
Interface   Interface type and interface number
Direction   The direction in which the policy is applied to the interface
Policy      Name of the policy applied to the interface
Classifier  Class name and corresponding configuration information
Operator    Logical relationship between match criteria in the class
Rule(s)     Match criteria in the class
Behavior    Behavior name and corresponding configuration information

qos apply policy

Syntax

qos apply policy policy-name inbound


undo qos apply policy inbound

View

Interface view, port group view

Default Level

2: System level

Parameters

inbound: Inbound direction.


policy-name: Specifies a policy name, a string of 1 to 31 characters.

Description

Use the qos apply policy command to apply a QoS policy.


Use the undo qos apply policy command to remove the QoS policy.

Examples

# Apply policy USER1 in the inbound direction of GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos apply policy USER1 inbound

qos policy

Syntax

qos policy policy-name


undo qos policy policy-name

View

System view

Default Level

2: System level

Parameters

policy-name: Policy name, a string of 1 to 31 characters.

Description

Use the qos policy command to create a policy and enter policy view.
Use the undo qos policy command to remove a policy.
A policy applied to an interface cannot be deleted directly. You need to cancel application of the policy
on the interface before deleting the policy with the undo qos policy command.
Related commands: classifier behavior, qos apply policy.

Examples

# Define a policy named user1.


<Sysname> system-view
[Sysname] qos policy user1
[Sysname-qospolicy-user1]

2 Priority Mapping Configuration Commands

Priority Mapping Table Configuration Commands


display qos map-table

Syntax

display qos map-table [ dot1p-dot1p | dot1p-dscp | dot1p-lp | dscp-dot1p | dscp-dscp | dscp-lp ]

View

Any view

Default Level

1: Monitor level

Parameters

dot1p-dot1p: 802.1p-precedence-to-802.1p-precedence mapping table.


dot1p-dscp: 802.1p-precedence-to-DSCP mapping table.
dot1p-lp: 802.1p-precedence-to-local-precedence mapping table.
dscp-dot1p: DSCP-to-802.1p-precedence mapping table.
dscp-dscp: DSCP-to-DSCP mapping table.
dscp-lp: DSCP-to-local-precedence mapping table.

Description

Use the display qos map-table command to display the configuration of a priority mapping table.
If no priority mapping table is specified, the configuration information of all priority mapping tables is
displayed.
Related commands: qos map-table.

Examples

# Display the configuration information of the 802.1p-precedence-to-local-precedence mapping table.


<Sysname> display qos map-table dot1p-lp
MAP-TABLE NAME: dot1p-lp TYPE: pre-define
IMPORT : EXPORT
0 : 2
1 : 0
2 : 1
3 : 3
4 : 4
5 : 5
6 : 6
7 : 7

Table 2-1 display qos map-table command output description

Field Description
MAP-TABLE NAME Name of the mapping table
TYPE Type of the mapping table
IMPORT Input values of the mapping table

EXPORT Output values of the mapping table

import

Syntax

import import-value-list export export-value


undo import { import-value-list | all }

View

Priority mapping table view

Default Level

2: System level

Parameters

import-value-list: List of input values.


export-value: Output value.
all: Deletes all the mappings in the priority mapping table.

Description

Use the import command to configure a mapping from one or multiple input values to an output value.
Use the undo import command to restore the specified or all mappings to the default mappings.
Related commands: display qos map-table.

Examples

# Configure the 802.1p-precedence-to-local-precedence mapping table to map 802.1p precedence
values 4 and 5 to local precedence 1.
<Sysname> system-view
[Sysname] qos map-table dot1p-lp
[Sysname-maptbl-dot1p-lp] import 4 5 export 1

qos map-table

Syntax

qos map-table { dot1p-dot1p | dot1p-dscp | dot1p-lp | dscp-dot1p | dscp-dscp | dscp-lp }

View

System view

Default Level

2: System level

Parameters

dot1p-dot1p: 802.1p-precedence-to-802.1p-precedence mapping table.


dot1p-dscp: 802.1p-precedence-to-DSCP mapping table.
dot1p-lp: 802.1p-precedence-to-local-precedence mapping table.
dscp-dot1p: DSCP-to-802.1p-precedence mapping table.
dscp-dscp: DSCP-to-DSCP mapping table.
dscp-lp: DSCP-to-local-precedence mapping table.

Description

Use the qos map-table command to enter the specified priority mapping table view.
Related commands: display qos map-table.

Examples

# Enter the inbound 802.1p-precedence-to-local-precedence mapping table view.


<Sysname> system-view
[Sysname] qos map-table dot1p-lp
[Sysname-maptbl-dot1p-lp]

Port Priority Configuration Commands


qos priority

Syntax

qos priority priority-value


undo qos priority

View

Interface view, port group view

Default Level

2: System level

Parameters

priority-value: Port priority value, which defaults to 0 and ranges from 0 to 7.

Description

Use the qos priority command to configure a priority for the current port.
Use the undo qos priority command to restore the default value.

The default port priority is 0.

Examples

# Set the priority of GigabitEthernet 1/0/1 to 2.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos priority 2

Trusted Precedence Type Configuration Commands


display qos trust interface

Syntax

display qos trust interface [ interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Description

Use the display qos trust interface command to display the trusted precedence type and priority of an
interface.
If no interface is specified, the trusted precedence types on all interfaces are displayed.

Examples

# Display the trusted precedence type and priority of GigabitEthernet 1/0/1.


<Sysname> display qos trust interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
Port priority information
Port priority: 0
Port priority trust type: untrust

Table 2-2 display qos trust interface command output description

Field                     Description
Interface                 Interface type and interface number
Port priority             Port priority
Port priority trust type  Trusted precedence type, which can be dot1p, dscp, or untrust

qos trust

Syntax

qos trust { dot1p | dscp }


undo qos trust

View

Interface view, port group view

Default Level

2: System level

Parameters

dot1p: Trusts the 802.1p precedence and uses this priority for priority mapping.
dscp: Trusts the DSCP values and uses DSCP values for priority mapping.

Description

Use the qos trust command to configure the trusted precedence type on an interface.
Use the undo qos trust command to restore the default.
By default, the port priority is trusted.

Examples

# Configure GigabitEthernet 1/0/1 to trust the 802.1p precedence.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos trust dot1p

3 Line Rate Configuration Commands

Line Rate Configuration Commands


display qos lr interface

Syntax

display qos lr interface [ interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Description

Use the display qos lr interface command to view the line rate configuration information and
operational statistics on a specified interface or all the interfaces.
If no interface is specified, the line rate configuration information and operational statistics on all the
interfaces are displayed.

Examples

# Display the line rate configuration information and operational statistics on all the interfaces.
<Sysname> display qos lr interface
Interface: GigabitEthernet1/0/2
Direction: Inbound
CIR 1280 (kbps)
Direction: Outbound
CIR 2560 (kbps)
Interface: GigabitEthernet1/0/4
Direction: Inbound
CIR 1280 (kbps)
Direction: Outbound
CIR 2560 (kbps)

Table 3-1 display qos lr command output description

Field      Description
Interface  Interface type and interface number
Direction  The direction in which the line rate configuration is applied: inbound or outbound
CIR        Committed information rate (CIR) in kbps

qos lr

Syntax

qos lr { inbound | outbound } cir committed-information-rate


undo qos lr { inbound | outbound }

View

Interface view, port group view

Default Level

2: System level

Parameters

inbound: Limits the rate of incoming packets on the interface.


outbound: Limits the rate of outgoing packets on the interface.
cir committed-information-rate: Specifies the committed information rate (CIR) in kbps, which must be a
multiple of 64. CIR ranges from 64 to 1000000.

Description

Use the qos lr command to limit the rate of incoming packets or outgoing packets on the interface.
Use the undo qos lr command to remove the rate limit.
Settings in interface view are effective on the current interface; settings in port group view are effective
on all ports in the port group.

Examples

# Limit the rate of outgoing packets on GigabitEthernet 1/0/1, with CIR 1280 kbps.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos lr outbound cir 1280

4 Congestion Management Configuration Commands

Congestion Management Configuration Commands


display qos wrr interface

Syntax

display qos wrr interface [ interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Description

Use the display qos wrr interface command to display the queuing configuration on an interface.
If no interface is specified, the queuing configuration of all the interfaces is displayed.
Related commands: qos wrr.

Examples

# Display the WRR queuing configuration of GigabitEthernet 1/0/1.


<Sysname> display qos wrr interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
Output queue: Weighted round robin queue
Queue ID Group Weight
-------------------------------------
0 1 10
1 sp N/A
2 sp N/A
3 2 30

Table 4-1 display qos wrr interface command output description

Field         Description
Interface     Interface type and interface number
Output queue  Pattern of the current output queue
Queue ID      ID of a queue
Group         Number of the group a queue is assigned to. By default, all queues belong to group SP.
Weight        Queue weight based on which queues are scheduled. N/A indicates that the queue adopts the SP queue scheduling algorithm.

qos wrr

Syntax

qos wrr queue-id group { group-id weight queue-weight | sp }


undo qos wrr [ queue-id group { group-id weight | sp } ]

View

Interface view, port group view

Default Level

2: System level

Parameters

wrr queue-id: Queue ID, in the range of 0 to n-3.


group group-id: Specifies a group the queue belongs to, group 1 or group 2. SP queue scheduling
algorithm is adopted between each group.
weight schedule-value: Configures the scheduling weight for the queue. The schedule-value ranges
from 8 to 100.

Description

Use the qos wrr command to configure WRR or SP+WRR queuing.


Use the undo qos wrr command to disable WRR queuing.
The default queuing algorithm on an interface is SP queuing.
A port on an S5120-SI switch supports four output queues. As required, you can configure some of the
queues on a port to use the SP queue scheduling algorithm and the others to use the WRR queue
scheduling algorithm. The SP+WRR queue scheduling algorithm is implemented by assigning the
queues on a port to the SP queue scheduling group and the WRR queue scheduling groups respectively.
For example, queue 0 and queue 1 are in the SP queue scheduling group, queue 2 is in WRR queue
scheduling group 1, and queue 3 is in WRR queue scheduling group 2. Round robin is performed in
WRR group 1 first. If no packet is to be sent in WRR group 1, round robin is performed in WRR group
2. Finally, packets in the SP queue scheduling group are processed.

Examples

# Enable the SP+WRR queue scheduling algorithm on GigabitEthernet1/0/1. Add queue 0 to the SP
queue scheduling group; add queue 1 to WRR queue scheduling group 1, with the weight being 20; add
queue 2 and queue 3 to WRR queue scheduling group 2, with the weight being 10 and 50 respectively.

<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos wrr 0 group sp
[Sysname-GigabitEthernet1/0/1] qos wrr 1 group 1 weight 20
[Sysname-GigabitEthernet1/0/1] qos wrr 2 group 2 weight 10
[Sysname-GigabitEthernet1/0/1] qos wrr 3 group 2 weight 50
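
The service order described for qos wrr (WRR group 1, then WRR group 2, then the SP group) can be modelled to see which queues wait behind others under a given configuration. The following is an added example, not part of the H3C manual: a Python model that parses the qos wrr lines from the example above and drains a constructed backlog. Assumptions not stated in the manual: weights are treated as per-round packet credits, a higher queue ID is served first inside the SP group, and queue IDs are 0 to 3 (taken from the four output queues and the example).

```python
import re

WRR_RE = re.compile(r"^qos wrr (\d+) group (?:(sp)|([12]) weight (\d+))$")
PROMPT = re.compile(r"^\s*\[[^\]]*\]\s*")  # strips "[Sysname-GigabitEthernet1/0/1]"

# The command lines from the manual's qos wrr example.
PAGE_EXAMPLE = [
    "[Sysname-GigabitEthernet1/0/1] qos wrr 0 group sp",
    "[Sysname-GigabitEthernet1/0/1] qos wrr 1 group 1 weight 20",
    "[Sysname-GigabitEthernet1/0/1] qos wrr 2 group 2 weight 10",
    "[Sysname-GigabitEthernet1/0/1] qos wrr 3 group 2 weight 50",
]


def parse_wrr(lines, queues=4):
    """Return {queue_id: ("sp", None) or (group_id, weight)}."""
    # Table 4-1: by default, all queues belong to group SP.
    cfg = {q: ("sp", None) for q in range(queues)}
    for raw in lines:
        line = PROMPT.sub("", raw).strip()
        m = WRR_RE.match(line)
        if not m:
            raise ValueError(f"not a valid qos wrr command: {line!r}")
        queue = int(m.group(1))
        if queue not in cfg:
            raise ValueError(f"queue {queue} outside 0..{queues - 1} (assumed range)")
        if m.group(2):
            cfg[queue] = ("sp", None)
            continue
        weight = int(m.group(4))
        if not 8 <= weight <= 100:  # range given in the Parameters section
            raise ValueError(f"weight {weight} outside 8..100")
        cfg[queue] = (int(m.group(3)), weight)
    return cfg


class SpWrrScheduler:
    """Model of the service order in the Description paragraph."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.credit = {q: 0 for q in cfg}

    def next_queue(self, backlog):
        """Return the queue served next, or None if every queue is empty."""
        for group in (1, 2):  # WRR group 1 first, then WRR group 2
            members = sorted(q for q, (g, _) in self.cfg.items() if g == group)
            ready = [q for q in members if backlog.get(q, 0) > 0]
            if not ready:
                continue
            if not any(self.credit[q] > 0 for q in ready):
                for q in members:  # new round: refill credits to the weights
                    self.credit[q] = self.cfg[q][1]
            queue = next(q for q in ready if self.credit[q] > 0)
            self.credit[queue] -= 1
            return queue
        # SP group is processed last; higher ID first is an assumption.
        sp = [q for q, (g, _) in self.cfg.items()
              if g == "sp" and backlog.get(q, 0) > 0]
        return max(sp) if sp else None


def drain(cfg, backlog):
    """Serve a fixed backlog {queue_id: packets}; return the service order."""
    sched, backlog, order = SpWrrScheduler(cfg), dict(backlog), []
    while (queue := sched.next_queue(backlog)) is not None:
        backlog[queue] -= 1
        order.append(queue)
    return order


if __name__ == "__main__":
    cfg = parse_wrr(PAGE_EXAMPLE)
    order = drain(cfg, {0: 5, 1: 3, 2: 100, 3: 100})  # constructed backlog
    print("first SP packet served at position", order.index(0))
```

With this constructed backlog, queue 0 in the SP group is not served until both WRR groups are empty, which is the behavior to keep in mind when deciding which traffic is mapped to an SP queue on a port that also has WRR groups.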

Table of Contents

1 802.1X Configuration Commands

802.1X Configuration Commands
display dot1x
dot1x
dot1x auth-fail vlan
dot1x authentication-method
dot1x guest-vlan
dot1x handshake
dot1x mandatory-domain
dot1x max-user
dot1x multicast-trigger
dot1x port-control
dot1x port-method
dot1x quiet-period
dot1x re-authenticate
dot1x retry
dot1x timer
reset dot1x statistics

1 802.1X Configuration Commands

802.1X Configuration Commands


display dot1x

Syntax

display dot1x [ sessions | statistics ] [ interface interface-list ]

View

Any view

Default Level

1: Monitor level

Parameters

sessions: Displays 802.1X session information.


statistics: Displays 802.1X statistics.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 port
indexes/port index lists for this argument. The start port number must be smaller than the end number
and the two ports must be of the same type.

Description

Use the display dot1x command to display information about 802.1X.


If you specify neither the sessions keyword nor the statistics keyword, the command displays all
information about 802.1X, including session information, statistics, and configurations.
Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x
port-method, dot1x timer.

Examples

# Display all information about 802.1X.


<Sysname> display dot1x
Equipment 802.1X protocol is enabled
CHAP authentication is enabled

Configuration: Transmit Period 30 s, Handshake Period 15 s
               Quiet Period 60 s, Quiet Period Timer is disabled
               Supp Timeout 30 s, Server Timeout 100 s
               Reauth Period 3600 s
               The maximal retransmitting times 3

The maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1

GigabitEthernet1/0/1 is link-up
802.1X protocol is enabled
Handshake is disabled
Periodic reauthentication is disabled
The port is an authenticator
Authenticate Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is enabled
Mandatory authentication domain: NOT configured
Guest VLAN: 4
Auth-fail VLAN: NOT configured
Max number of on-line users is 256

EAPOL Packet: Tx 1087, Rx 986
Sent EAP Request/Identity Packets : 943
     EAP Request/Challenge Packets: 60
     EAP Success Packets: 29, Fail Packets: 55
Received EAPOL Start Packets : 60
         EAPOL LogOff Packets: 24
         EAP Response/Identity Packets : 724
         EAP Response/Challenge Packets: 54
         Error Packets: 0
1. Authenticated user : MAC address: 0015-e9a6-7cfe

Controlled User(s) amount to 1

Table 1-1 display dot1x command output description

Field | Description
Equipment 802.1X protocol is enabled | Indicates whether 802.1X is enabled globally
CHAP authentication is enabled | Indicates whether CHAP authentication is enabled
Transmit Period | Setting of the username request timeout timer
Handshake Period | Setting of the handshake timer
Reauth Period | Setting of the periodic re-authentication timer
Quiet Period | Setting of the quiet timer
Quiet Period Timer is disabled | Indicates whether the quiet timer is enabled
Supp Timeout | Setting of the client timeout timer
Server Timeout | Setting of the server timeout timer
The maximal retransmitting times | Maximum number of attempts for the device to send authentication requests to the client
The maximum 802.1X user resource number per slot | Maximum number of clients supported per board
Total current used 802.1X resource number | Total number of online users
GigabitEthernet1/0/1 is link-up | Status of port GigabitEthernet1/0/1
802.1X protocol is disabled | Indicates whether 802.1X is enabled on the port
Handshake is disabled | Indicates whether handshake is enabled on the port
Periodic reauthentication is disabled | Indicates whether periodic re-authentication is enabled on the port
The port is an authenticator | Role of the port
Authenticate Mode is Auto | Authorization mode for the port
802.1X Multicast-trigger is enabled | Indicates whether the 802.1X multicast-trigger function is enabled
Mandatory authentication domain | Mandatory authentication domain for users accessing the port
Port Control Type is Mac-based | Access control method for the port
Guest VLAN | Guest VLAN configured for the port. NOT configured will be displayed if no guest VLAN is configured.
Auth-fail VLAN | Auth-Fail VLAN configured for the port. NOT configured means no Auth-Fail VLAN is configured.
Max number of on-line users | Maximum number of users supported on the port
EAPOL Packet | Counts of EAPOL packets sent (Tx) and received (Rx)
Sent EAP Request/Identity Packets | Number of EAP Request/Identity packets sent
EAP Request/Challenge Packets | Number of EAP Request/Challenge packets sent
EAP Success Packets | Number of EAP Success packets sent
Received EAPOL Start Packets | Number of EAPOL Start packets received
EAPOL LogOff Packets | Number of EAPOL LogOff packets received
EAP Response/Identity Packets | Number of EAP Response/Identity packets received
EAP Response/Challenge Packets | Number of EAP Response/Challenge packets received
Error Packets | Number of erroneous packets received
Authenticated user | User that has passed the authentication
Controlled User(s) amount | Number of controlled users on the port
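
The following Python script is an added example, not part of the H3C manual. It parses display dot1x output into the fields described in Table 1-1 and flags settings that this chapter describes as weakening port access control. The sample output is constructed; "PAP authentication is enabled", "Port-based" and any non-Auto Authenticate Mode value are assumed spellings.

```python
import re

# Constructed sample modelled on the display dot1x output above. The strings
# "PAP authentication is enabled" and "Port-based" are assumed spellings, by
# analogy with "CHAP authentication is enabled" and "Mac-based".
SAMPLE = """\
Equipment 802.1X protocol is enabled
PAP authentication is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled

GigabitEthernet1/0/1 is link-up
802.1X protocol is enabled
Periodic reauthentication is disabled
Authenticate Mode is Auto
Port Control Type is Mac-based
Guest VLAN: NOT configured

GigabitEthernet1/0/2 is link-up
802.1X protocol is enabled
Periodic reauthentication is enabled
Authenticate Mode is Auto
Port Control Type is Port-based
Guest VLAN: 4

GigabitEthernet1/0/3 is link-down
802.1X protocol is disabled
"""

PORT_HEADER = re.compile(r"^(\S*Ethernet\S+) is link-(up|down)$")
GLOBAL_FIELDS = {
    "dot1x": r"Equipment 802\.1X protocol is (\w+)",
    "auth_method": r"(\w+) authentication is enabled",
    "quiet_timer": r"Quiet Period Timer is (\w+)",
}
# Table 1-1: "Authenticate Mode" is the authorization mode (dot1x port-control),
# "Port Control Type" is the access control method (dot1x port-method).
PORT_FIELDS = {
    "dot1x": r"802\.1X protocol is (\w+)",
    "reauth": r"Periodic reauthentication is (\w+)",
    "authz_mode": r"Authenticate Mode is (\S+)",
    "access_method": r"Port Control Type is (\S+)",
    "guest_vlan": r"Guest VLAN: (.+)",
}
MESSAGES = {
    "GLOBAL_DOT1X_OFF": "802.1X is not enabled globally, so no port enforces it",
    "PAP_CLEARTEXT": "PAP transports passwords in clear text",
    "QUIET_TIMER_OFF": "quiet timer disabled: failed clients are not held off",
    "PORT_DOT1X_OFF": "802.1X is not enabled on the port",
    "AUTHZ_NOT_AUTO": "authorization mode is not auto",
    "NOT_MACBASED": "users after the first are not authenticated separately",
    "NO_REAUTH": "periodic re-authentication is disabled",
}


def parse_display_dot1x(text):
    """Return (global_settings, {port_name: settings}) from display dot1x text."""
    glob, ports, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = PORT_HEADER.match(line)
        if header:  # every line after a port header belongs to that port
            current = ports.setdefault(header.group(1), {"link": header.group(2)})
            continue
        fields, target = (GLOBAL_FIELDS, glob) if current is None else (PORT_FIELDS, current)
        for key, pattern in fields.items():
            m = re.search(pattern, line)
            if m:
                target[key] = m.group(1).strip().lower()
    return glob, ports


def audit(glob, ports):
    """Return (scope, finding_code) pairs; a missing field counts as a finding."""
    findings = []
    if glob.get("dot1x") != "enabled":
        findings.append(("global", "GLOBAL_DOT1X_OFF"))
    if glob.get("auth_method") == "pap":
        findings.append(("global", "PAP_CLEARTEXT"))
    if glob.get("quiet_timer") != "enabled":
        findings.append(("global", "QUIET_TIMER_OFF"))
    for name, port in ports.items():
        if port.get("dot1x") != "enabled":
            findings.append((name, "PORT_DOT1X_OFF"))
            continue  # the other per-port settings have no effect
        if port.get("authz_mode") != "auto":
            findings.append((name, "AUTHZ_NOT_AUTO"))
        if port.get("access_method") != "mac-based":
            findings.append((name, "NOT_MACBASED"))
        if port.get("reauth") != "enabled":
            findings.append((name, "NO_REAUTH"))
    return findings


if __name__ == "__main__":
    for scope, code in audit(*parse_display_dot1x(SAMPLE)):
        print(f"{scope}: {code}: {MESSAGES[code]}")
```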

dot1x

Syntax

In system view:
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
In Ethernet interface view:
dot1x
undo dot1x

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list
argument is in the format of interface-list = { interface-type interface-number [ to interface-type
interface-number ] } & <1-10>, where interface-type represents the port type, interface-number
represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index
lists for this argument. The start port number must be smaller than the end number and the two ports
must be of the same type.

Description

Use the dot1x command in system view to enable 802.1X globally.


Use the undo dot1x command in system view to disable 802.1X globally.
Use the dot1x interface command in system view or the dot1x command in interface view to enable
802.1X for specified ports.
Use the undo dot1x interface command in system view or the undo dot1x command in interface view
to disable 802.1X for specified ports.
By default, 802.1X is neither enabled globally nor enabled for any port.
Note that:
- 802.1X must be enabled both globally in system view and for the intended ports in system view or
  interface view. Otherwise, it does not function.
- You can configure 802.1X parameters either before or after enabling 802.1X.
Related commands: display dot1x.

Examples

# Enable 802.1X for ports GigabitEthernet 1/0/1, and GigabitEthernet 1/0/5 to GigabitEthernet 1/0/7.
<Sysname> system-view
[Sysname] dot1x interface gigabitethernet 1/0/1 gigabitethernet 1/0/5 to gigabitethernet 1/0/7

Or
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] interface gigabitethernet 1/0/5
[Sysname-GigabitEthernet1/0/5] dot1x
[Sysname-GigabitEthernet1/0/5] quit
[Sysname] interface gigabitethernet 1/0/6
[Sysname-GigabitEthernet1/0/6] dot1x
[Sysname-GigabitEthernet1/0/6] quit
[Sysname] interface gigabitethernet 1/0/7
[Sysname-GigabitEthernet1/0/7] dot1x

# Enable 802.1X globally.


<Sysname> system-view
[Sysname] dot1x
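
The following Python code is an added example, not part of the manual. It expands an interface-list argument according to the format given under Parameters, enforces the stated limits, and lists the intended access ports that a planned dot1x interface command would leave without 802.1X. It assumes the port type and number are separated by a space and that a range varies only in the last number of the port index.

```python
import re

MAX_ITEMS = 10  # "& <1-10>": up to 10 ports or port ranges per list


def _parse_port(type_tok, num_tok):
    """Return (interface-type, (n1, n2, ...)) for one 'type number' pair."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z-]*", type_tok):
        raise ValueError(f"bad interface type: {type_tok!r}")
    if not re.fullmatch(r"\d+(/\d+)*", num_tok):
        raise ValueError(f"bad interface number: {num_tok!r}")
    return type_tok.lower(), tuple(int(n) for n in num_tok.split("/"))


def expand_interface_list(text):
    """Expand an interface-list string into individual port names."""
    tokens = text.split()
    ports, items, i = [], 0, 0
    while i < len(tokens):
        if i + 1 >= len(tokens):
            raise ValueError("interface type without a number")
        start = end = _parse_port(tokens[i], tokens[i + 1])
        i += 2
        if i < len(tokens) and tokens[i].lower() == "to":
            if i + 2 >= len(tokens):
                raise ValueError("range has no end port")
            end = _parse_port(tokens[i + 1], tokens[i + 2])
            i += 3
            if end[0] != start[0]:
                raise ValueError("both ends of a range must be of the same type")
            if end[1][:-1] != start[1][:-1]:
                # Assumption of this example: ranges stay within one slot.
                raise ValueError("range must vary only in the last number")
            if start[1] >= end[1]:
                raise ValueError("start port must be smaller than end port")
        items += 1
        if items > MAX_ITEMS:
            raise ValueError("more than 10 ports/port ranges in one list")
        prefix = start[1][:-1]
        for last in range(start[1][-1], end[1][-1] + 1):
            number = "/".join(str(n) for n in prefix + (last,))
            ports.append(f"{start[0]} {number}")
    if not ports:
        raise ValueError("empty interface list")
    return ports


def uncovered_ports(intended_list, command_list):
    """Ports in intended_list that the command's interface-list does not cover."""
    covered = set(expand_interface_list(command_list))
    return [p for p in expand_interface_list(intended_list) if p not in covered]


if __name__ == "__main__":
    planned = "gigabitethernet 1/0/1 gigabitethernet 1/0/5 to gigabitethernet 1/0/7"
    print(expand_interface_list(planned))
    print(uncovered_ports("gigabitethernet 1/0/1 to gigabitethernet 1/0/8", planned))
```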

dot1x auth-fail vlan

Syntax

dot1x auth-fail vlan authfail-vlan-id


undo dot1x auth-fail vlan

View

Ethernet interface view

Default Level

2: System level

Parameters

authfail-vlan-id: ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. The VLAN must already
exist.

Description

Use the dot1x auth-fail vlan command to configure the Auth-Fail VLAN for a port, that is, the VLAN for
users failing authentication.
Use the undo dot1x auth-fail vlan command to restore the default.
By default, no Auth-Fail VLAN is configured on a port.
An Auth-Fail VLAN can be a port-based Auth-Fail VLAN (PAFV) or a MAC-based Auth-Fail VLAN
(MAFV), depending on the port access control method.
Currently, on the switch, an Auth-Fail VLAN can be only a port-based Auth-Fail VLAN (PAFV).
Note that:
- Failing authentication means being denied by the authentication server for reasons such as a
  wrong password. Authentication failures caused by authentication timeout or network connection
  problems do not fall into this category.
- After a PAFV takes effect, if you change the port access method from portbased to macbased,
  the port will leave the Auth-Fail VLAN.
- You cannot directly delete a VLAN that is configured as an Auth-Fail VLAN. To delete such a
  VLAN, first remove the Auth-Fail VLAN configuration by using the undo dot1x auth-fail vlan
  command.
- You can configure both an Auth-Fail VLAN and a guest VLAN for a port, but they cannot both take
  effect at a time.
Related commands: dot1x, dot1x port-method.

Examples

# Configure VLAN 3 as the Auth-Fail VLAN on port GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x auth-fail vlan 3

dot1x authentication-method

Syntax

dot1x authentication-method { chap | eap | pap }


undo dot1x authentication-method

View

System view

Default Level

2: System level

Parameters

chap: Authenticates clients using CHAP.


eap: Authenticates clients using EAP.
pap: Authenticates clients using PAP.

Description

Use the dot1x authentication-method command to set the 802.1X authentication method.
Use the undo dot1x authentication-method command to restore the default.
By default, CHAP is used.
- The Password Authentication Protocol (PAP) transports passwords in clear text.
- The Challenge Handshake Authentication Protocol (CHAP) transports only usernames over the
  network. Compared with PAP, CHAP provides better security.
- With EAP relay authentication, the device encapsulates 802.1X user information in the EAP
  attributes of RADIUS packets and sends the packets to the RADIUS server for authentication; it
  does not need to repackage the EAP packets into standard RADIUS packets for authentication. In
  this case, you can configure the user-name-format command but it does not take effect. For
  information about the user-name-format command, refer to AAA Commands.
Note that:
- Local authentication supports PAP and CHAP.
- For RADIUS authentication, the RADIUS server must be configured accordingly to support PAP,
  CHAP, or EAP authentication.
Related commands: display dot1x.

Examples

# Set the 802.1X authentication method to PAP.


<Sysname> system-view
[Sysname] dot1x authentication-method pap

dot1x guest-vlan

Syntax

In system view:
dot1x guest-vlan guest-vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
In interface view:
dot1x guest-vlan guest-vlan-id
undo dot1x guest-vlan

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

guest-vlan-id: ID of the VLAN to be specified as the guest VLAN, in the range 1 to 4094. It must already
exist.
interface interface-list: Specifies a port list. The interface-list argument is in the format of interface-list =
{ interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type
represents the port type, interface-number represents the port number, and & <1-10> means that you
can provide up to 10 port indexes/port index lists for this argument. The start port number must be
smaller than the end number and the two ports must be of the same type.

Description

Use the dot1x guest-vlan command to configure the guest VLAN for specified or all ports.
Use the undo dot1x guest-vlan command to remove the guest VLAN(s) configured for specified or all
ports.
By default, a port is configured with no guest VLAN.
A guest VLAN can be a port-based guest VLAN (PGV) or a MAC-based guest VLAN (MGV), depending
on the port access control method.
Currently, on the switch, a guest VLAN can be only a port-based guest VLAN (PGV).
Note that:
- In system view, this command configures a guest VLAN for all Layer 2 Ethernet ports if you do not
  specify the interface-list argument, and configures a guest VLAN for specified ports if you specify
  the interface-list argument.
- In interface view, you cannot specify the interface-list argument and can only configure a guest
  VLAN for the current port.
- You must enable 802.1X for a guest VLAN to take effect.
- You must enable the 802.1X multicast trigger function for a PGV to take effect.
- If you change the port access method from portbased to macbased, the port will leave the guest
  VLAN.
- You cannot delete a VLAN that is configured as a guest VLAN. To delete such a VLAN, first
  remove the guest VLAN configuration.
- You can configure both an Auth-Fail VLAN and a guest VLAN for a port, but they cannot both take
  effect at a time.
Related commands: dot1x, dot1x port-method, dot1x multicast-trigger.

Examples

# Specify port GigabitEthernet 1/0/7 to use VLAN 3 as its guest VLAN.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/7
[Sysname-GigabitEthernet1/0/7] dot1x port-method portbased
[Sysname-GigabitEthernet1/0/7] dot1x guest-vlan 3

dot1x handshake

Syntax

dot1x handshake
undo dot1x handshake

View

Ethernet Interface view

Default Level

2: System level

Parameters

None

Description

Use the dot1x handshake command to enable the online user handshake function so that the device
can periodically send handshake messages to the client to check whether a user is online.
Use the undo dot1x handshake command to disable the function.
By default, the function is enabled.
Note that: To ensure that the online user handshake function works normally, you are advised to use
the iNode client software.

Examples

# Enable online user handshake.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/4
[Sysname-GigabitEthernet1/0/4] dot1x handshake

dot1x mandatory-domain

Syntax

dot1x mandatory-domain domain-name


undo dot1x mandatory-domain

View

Ethernet Interface view

Default Level

2: System level

Parameters

domain-name: ISP domain name, a case-insensitive string of 1 to 24 characters.

Description

Use the dot1x mandatory-domain command to specify the mandatory authentication domain for
users accessing the port.
Use the undo dot1x mandatory-domain command to remove the mandatory authentication domain.
By default, no mandatory authentication domain is specified.
Note that:
- When authenticating an 802.1X user trying to access the port, the system selects an authentication
  domain in the following order: the mandatory domain, the ISP domain specified in the username,
  and the default ISP domain.
- The specified mandatory authentication domain must exist.
- On a port configured with a mandatory authentication domain, the user domain name displayed by
  the display connection command is the name of the mandatory authentication domain. For
  detailed information about the display connection command, refer to AAA Commands.
Related commands: display dot1x.

Examples

# Configure the mandatory authentication domain my-domain for 802.1X users on GigabitEthernet
1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain

# After 802.1X user usera passes the authentication, execute the display connection command to
display the user connection information on GigabitEthernet 1/0/1.
[Sysname-GigabitEthernet1/0/1] display connection interface gigabitethernet 1/0/1

Index=68 ,Username=usera@my-domain
MAC=0015-e9a6-7cfe ,IP=3.3.3.3
Total 1 connection(s) matched.

dot1x max-user

Syntax

In system view:
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
In Ethernet interface view:
dot1x max-user user-number
undo dot1x max-user

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

user-number: Maximum number of users to be supported simultaneously. It ranges from 1 to 256.


interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 port
indexes/port index lists for this argument. The start port number must be smaller than the end number
and the two ports must be of the same type.

Description

Use the dot1x max-user command to set the maximum number of users an Ethernet port can support
simultaneously.
Use the undo dot1x max-user command to restore the default.
In system view:
- If you do not specify the interface-list argument, execution of the command applies to all ports.
- If you specify the interface-list argument, execution of the command applies to the specified ports.
In Ethernet port view, the interface-list argument is not available and the command applies to only the
current port.
Related commands: display dot1x.

Examples

# Set the maximum number of users that port GigabitEthernet 1/0/1 can support simultaneously to 32.
<Sysname> system-view
[Sysname] dot1x max-user 32 interface gigabitethernet 1/0/1

Or
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x max-user 32

dot1x multicast-trigger

Syntax

dot1x multicast-trigger
undo dot1x multicast-trigger

View

Ethernet Interface view

Default Level

2: System level

Parameters

None

Description

Use the dot1x multicast-trigger command to enable the multicast trigger function of 802.1X to send
multicast trigger messages to the clients periodically.
Use the undo dot1x multicast-trigger command to disable this function.
By default, the multicast trigger function is enabled.
Related commands: display dot1x.

Examples

# Enable the multicast trigger function for interface GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x multicast-trigger

dot1x port-control

Syntax

In system view:
dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
In Ethernet interface view:
dot1x port-control { authorized-force | auto | unauthorized-force }
undo dot1x port-control

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

authorized-force: Places the specified or all ports in the authorized state, allowing users of the ports to
access the network without authentication.
auto: Places the specified or all ports in the unauthorized state initially to allow only EAPOL packets to
pass, and turns the ports into the authorized state to allow access to the network after the users pass
authentication. This is the most common choice.
unauthorized-force: Places the specified or all ports in the unauthorized state, denying any access
requests from users of the ports.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 port
indexes/port index lists for this argument. The start port number must be smaller than the end number
and the two ports must be of the same type.

Description

Use the dot1x port-control command to set the authorization mode for specified or all ports.
Use the undo dot1x port-control command to restore the default.
Note that: In system view, if no interface-list argument is specified, this command sets the authorization
mode for all ports.
The default port authorization mode is auto.
Related commands: display dot1x.

Examples

# Set the authorization mode of port GigabitEthernet 1/0/1 to unauthorized-force.


<Sysname> system-view
[Sysname] dot1x port-control unauthorized-force interface gigabitethernet 1/0/1

Or
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x port-control unauthorized-force

dot1x port-method

Syntax

In system view:
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]

In Ethernet interface view:
dot1x port-method { macbased | portbased }
undo dot1x port-method

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

macbased: Specifies to use the macbased authentication method. With this method, each user of a
port must be authenticated separately, and when an authenticated user goes offline, no other users are
affected.
portbased: Specifies to use the portbased authentication method. With this method, after the first user
of a port passes authentication, all other users of the port can access the network without authentication,
and when the first user goes offline, all other users go offline at the same time.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 port
indexes/port index lists for this argument. The start port number must be smaller than the end number
and the two ports must be of the same type.

Description

Use the dot1x port-method command to set the access control method for specified or all ports.
Use the undo dot1x port-method command to restore the default.
The default access control method is macbased.
Note that: In system view, if no interface-list argument is specified, this command sets the authorization
mode for all ports.
Related commands: display dot1x.

Examples

# Set the access control method to portbased for port GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] dot1x port-method portbased interface gigabitethernet 1/0/1

Or
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x port-method portbased

dot1x quiet-period

Syntax

dot1x quiet-period
undo dot1x quiet-period

View

System view

Default Level

2: System level

Parameters

None

Description

Use the dot1x quiet-period command to enable the quiet timer.


Use the undo dot1x quiet-period command to disable the timer.
By default, the timer is disabled.
After a client fails the authentication, the device refuses further authentication requests from the client in
the period dictated by the quiet timer.
Related commands: display dot1x, dot1x timer.

Examples

# Enable the quiet timer.


<Sysname> system-view
[Sysname] dot1x quiet-period

dot1x re-authenticate

Syntax

dot1x re-authenticate
undo dot1x re-authenticate

View

Ethernet interface view

Default Level

2: System level

Parameters

None

Description

Use the dot1x re-authenticate command to enable the periodic re-authentication function.
Use the undo dot1x re-authenticate command to disable the function.
By default, this function is disabled.
After periodic re-authentication is enabled on a port, the device will perform 802.1X authentication for
online users on the port at the interval specified by the periodic re-authentication timer (which is
configured by the dot1x timer reauth-period command). This is intended to track the connection
status of online users and update the authorization attributes assigned by the server, such as the ACL,
VLAN, and QoS Profile, ensuring that the users are in normal online state.
Related commands: dot1x timer reauth-period.

Examples

# Enable the 802.1X re-authentication function on GigabitEthernet 1/0/1 and configure the periodic
re-authentication interval as 1800 seconds.
<Sysname> system-view
[Sysname] dot1x timer reauth-period 1800
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x re-authenticate

dot1x retry

Syntax

dot1x retry max-retry-value


undo dot1x retry

View

System view

Default Level

2: System level

Parameters

max-retry-value: Maximum number of attempts to send an authentication request to a client, in the
range 1 to 10.

Description

Use the dot1x retry command to set the maximum number of attempts to send an authentication
request to a client.
Use the undo dot1x retry command to restore the default.
By default, the device can send an authentication request to a client twice at most.
Note that after sending an authentication request to a client, the device may retransmit the request if it
receives no response within the interval specified by the username request timeout timer or client
timeout timer. The number of retransmission attempts is one less than the value set by this command.
Related commands: display dot1x.

Examples

# Set the maximum number of attempts to send an authentication request to a client as 9.


<Sysname> system-view
[Sysname] dot1x retry 9

dot1x timer

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value |
reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout
supp-timeout-value | tx-period tx-period-value }
undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout |
supp-timeout | tx-period }

View

System view

Default Level

2: System level

Parameters

handshake-period-value: Setting for the handshake timer in seconds. It ranges from 5 to 1024.
quiet-period-value: Setting for the quiet timer in seconds. It ranges from 10 to 120.
reauth-period-value: Setting for the periodic re-authentication timer in seconds. It ranges from 60 to
7200.
server-timeout-value: Setting for the server timeout timer in seconds. It ranges from 100 to 300.
supp-timeout-value: Setting for the client timeout timer in seconds. It ranges from 1 to 120.
tx-period-value: Setting for the username request timeout timer in seconds. It ranges from 10 to 120.

Description

Use the dot1x timer command to set 802.1X timers.


Use the undo dot1x timer command to restore the defaults.
By default, the handshake timer value is 15 seconds, the quiet timer value is 60 seconds, the periodic
re-authentication timer value is 3600 seconds, the server timeout timer value is 100 seconds, the client
timeout timer value is 30 seconds, and the username request timeout timer value is 30 seconds.
Several timers are used in the 802.1X authentication process to guarantee that the clients, the device,
and the RADIUS server interact with each other in a reasonable manner. You can use this command to
set these timers:
- Handshake timer (handshake-period): After a client passes authentication, the device sends
  handshake requests to the client at this interval to check whether the client is online. If the
  device receives no response after sending the allowed maximum number of handshake requests, it
  considers that the client is offline.
- Quiet timer (quiet-period): When a client fails the authentication, the device refuses further
  authentication requests from the client in this period of time.
- Periodic re-authentication timer (reauth-period): If you enable periodic re-authentication on a port
  (by the dot1x re-authenticate command), the device will re-authenticate online users on the port
  at the interval specified by this timer. If you change the re-authentication interval when there are
  users online, the device will continue to re-authenticate such users according to the original
  re-authentication interval setting for one time. Then the device will use the new interval for
  re-authentication of all online users.
- Server timeout timer (server-timeout): Once the device sends a RADIUS Access-Request packet
  to the authentication server, it starts this timer. If this timer expires but it receives no response from
  the server, it retransmits the request.
- Client timeout timer (supp-timeout): Once the device sends an EAP-Request/MD5 Challenge
  packet to a client, it starts this timer. If this timer expires but it receives no response from the client,
  it retransmits the request.
- Username request timeout timer (tx-period): Once the device sends an EAP-Request/Identity
  packet to a client, it starts this timer. If this timer expires but it receives no response from the client,
  it retransmits the request. In addition, to be compatible with clients that do not send EAPOL-Start
  requests unsolicited, the device multicasts EAP-Request/Identity packets periodically to detect the
  clients, with the multicast interval defined by tx-period.
You do not need to change the timers except in special or extreme network environments. The
change of a timer takes effect immediately.
Related commands: display dot1x.

Examples

# Set the server timeout timer to 150 seconds.


<Sysname> system-view
[Sysname] dot1x timer server-timeout 150

reset dot1x statistics

Syntax

reset dot1x statistics [ interface interface-list ]

View

User view

Default Level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 port
indexes/port index lists for this argument. The start port number must be smaller than the end number
and the two ports must be of the same type.

Description

Use the reset dot1x statistics command to clear 802.1X statistics.


With the interface interface-list argument specified, the command clears 802.1X statistics on the
specified ports. With the argument unspecified, the command clears global 802.1X statistics and
802.1X statistics on all ports.
Related commands: display dot1x.

Examples

# Clear 802.1X statistics on port GigabitEthernet 1/0/1.


<Sysname> reset dot1x statistics interface gigabitethernet 1/0/1

Table of Contents

1 AAA Configuration Commands
    AAA Configuration Commands
        aaa nas-id profile
        access-limit
        access-limit enable
        accounting default
        accounting lan-access
        accounting login
        accounting optional
        authentication default
        authentication lan-access
        authentication login
        authorization command
        authorization default
        authorization lan-access
        authorization login
        authorization-attribute
bind-attribute··································································································································1-14
cut connection ·······························································································································1-15
display connection ·························································································································1-16
display domain·······························································································································1-17
display local-user···························································································································1-19
display user-group ·························································································································1-20
domain ···········································································································································1-21
domain default enable ···················································································································1-22
expiration-date·······························································································································1-23
group··············································································································································1-23
idle-cut enable ·······························································································································1-24
local-user ·······································································································································1-25
local-user password-display-mode································································································1-26
nas-id bind vlan ·····························································································································1-26
password ·······································································································································1-27
self-service-url enable ···················································································································1-28
service-type ···································································································································1-29
state ···············································································································································1-30
user-group ·····································································································································1-31

2 RADIUS Configuration Commands··········································································································2-1


RADIUS Configuration Commands·········································································································2-1
accounting-on enable ······················································································································2-1
accounting-on enable interval ·········································································································2-2
accounting-on enable send ·············································································································2-2
data-flow-format (RADIUS scheme view)························································································2-3

i
display radius scheme ·····················································································································2-4
display radius statistics····················································································································2-6
display stop-accounting-buffer ········································································································2-9
key (RADIUS scheme view) ··········································································································2-10
nas-ip (RADIUS scheme view)······································································································2-11
primary accounting (RADIUS scheme view) ·················································································2-11
primary authentication (RADIUS scheme view) ············································································2-12
radius client ···································································································································2-13
radius nas-ip ··································································································································2-14
radius scheme ·······························································································································2-15
radius trap······································································································································2-16
reset radius statistics ·····················································································································2-16
reset stop-accounting-buffer··········································································································2-17
retry················································································································································2-18
retry realtime-accounting ···············································································································2-19
retry stop-accounting (RADIUS scheme view) ··············································································2-20
secondary accounting (RADIUS scheme view) ············································································2-20
secondary authentication (RADIUS scheme view) ·······································································2-21
server-type·····································································································································2-22
state ···············································································································································2-23
stop-accounting-buffer enable (RADIUS scheme view)································································2-24
timer quiet (RADIUS scheme view)·······························································································2-25
timer realtime-accounting (RADIUS scheme view) ·······································································2-26
timer response-timeout (RADIUS scheme view)···········································································2-27
user-name-format (RADIUS scheme view) ···················································································2-27

ii
1 AAA Configuration Commands

AAA Configuration Commands

aaa nas-id profile


Syntax

aaa nas-id profile profile-name


undo aaa nas-id profile profile-name

View

System view

Default Level

2: System level

Parameters

profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.

Description

Use the aaa nas-id profile command to create a NAS ID profile and enter its view.
Use the undo aaa nas-id profile command to remove a NAS ID profile.
Related commands: nas-id bind vlan.

Examples

# Create a NAS ID profile named aaa.


<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa]

access-limit

Syntax

access-limit max-user-number
undo access-limit

View

Local user view

Default Level

3: Manage level

Parameters

max-user-number: Maximum number of users using the current username, in the range 1 to 1024.

Description

Use the access-limit command to enable the limit on the number of users using the current username
and set the allowed maximum number.
Use the undo access-limit command to remove the limitation.
By default, there is no limit to the number of users using the same username.
Note that:
- The access-limit command takes effect only when local accounting is configured.
- This limit is not effective for FTP users because accounting is not available for FTP users.
Related commands: display local-user.

Examples

# Enable the limit on the number of users using the username abc and set the allowed maximum
number to 5.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] access-limit 5

access-limit enable

Syntax

access-limit enable max-user-number


undo access-limit enable

View

ISP domain view

Default Level

2: System level

Parameters

max-user-number: Maximum number of users, in the range 1 to 2147483646.

Description

Use the access-limit enable command to enable the limit on the number of users in an ISP domain and
set the allowed maximum number. After the number of users reaches the maximum number allowed, no
more users will be accepted.
Use the undo access-limit enable command to restore the default.
By default, there is no limit to the number of users in an ISP domain.
Because user connections may compete for network resources, setting a proper limit on the number of
users helps provide reliable system performance.

Examples

# Set a limit of 500 user connections for ISP domain test.


<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] access-limit enable 500

accounting default

Syntax

accounting default { local | none | radius-scheme radius-scheme-name [ local ] }


undo accounting default

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local accounting.


none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1
to 32 characters.

Description

Use the accounting default command to configure the default accounting method for all types of
users.
Use the undo accounting default command to restore the default.
By default, the accounting method is local.
Note that:
- The RADIUS scheme specified for the current ISP domain must have been configured.
- The accounting method configured with the accounting default command is for all types of users
  and has a priority lower than that for a specific access mode.
- Local accounting is only for managing the local user connection number; it does not provide the
  statistics function. The local user connection number management is only for local accounting; it
  does not affect local authentication and authorization.
Related commands: authentication default, authorization default, radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting method for all types of users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] accounting default local

# Configure ISP domain test to use RADIUS accounting scheme rd for all types of users and use local
accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local

accounting lan-access

Syntax

accounting lan-access { local | none | radius-scheme radius-scheme-name [ local ] }


undo accounting lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local accounting.


none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1
to 32 characters.

Description

Use the accounting lan-access command to configure the accounting method for LAN access users.
Use the undo accounting lan-access command to restore the default.
By default, the default accounting method that the accounting default command prescribes is used for
LAN access users.
Note that the RADIUS scheme specified for the current ISP domain must have been configured.
Related commands: accounting default, radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting method for LAN access users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] accounting lan-access local

# Configure ISP domain test to use RADIUS accounting scheme rd for LAN access users and use local
accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access radius-scheme rd local

accounting login

Syntax

accounting login { local | none | radius-scheme radius-scheme-name [ local ] }


undo accounting login

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local accounting. It is not used for charging purposes, but for collecting statistics on and
limiting the number of local user connections.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1
to 32 characters.

Description

Use the accounting login command to configure the accounting method for login users.
Use the undo accounting login command to restore the default.
By default, the default accounting method is used for login users.
Note that:
- The RADIUS scheme specified for the current ISP domain must have been configured.
- Accounting is not supported for login users' FTP services.
Related commands: accounting default, radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting method for login users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] accounting login local

# Configure ISP domain test to use RADIUS accounting scheme rd for login users and use local
accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local

accounting optional

Syntax

accounting optional
undo accounting optional

View

ISP domain view

Default Level

2: System level

Parameters

None

Description

Use the accounting optional command to enable the accounting optional feature.
Use the undo accounting optional command to disable the feature.
By default, the feature is disabled.
Note that with the accounting optional command configured for a domain:
- A user who would otherwise be disconnected can continue to use network resources even when no
  accounting server is available or communication with the current accounting server fails. This
  command applies to scenarios where authentication is required but accounting is not.
- If accounting for a user in the domain fails, the device no longer sends real-time accounting
  updates for the user.
- The limit on the number of local user connections configured by using the access-limit command
  in local user view is not effective.

Examples

# Enable the accounting optional feature for users in domain test.


<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting optional

authentication default

Syntax

authentication default { local | none | radius-scheme radius-scheme-name [ local ] }


undo authentication default

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authentication.


none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1
to 32 characters.

Description

Use the authentication default command to configure the default authentication method for all types of
users.
Use the undo authentication default command to restore the default.
By default, the authentication method is local.
Note that:
- The RADIUS scheme specified for the current ISP domain must have been configured.
- The authentication method specified with the authentication default command is for all types of
  users and has a priority lower than that for a specific access mode.
Related commands: authorization default, accounting default, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for all types of users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authentication default local

# Configure ISP domain test to use RADIUS authentication scheme rd for all types of users and use
local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local

authentication lan-access

Syntax

authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] }


undo authentication lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authentication.


none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1
to 32 characters.

Description

Use the authentication lan-access command to configure the authentication method for LAN access
users.
Use the undo authentication lan-access command to restore the default.

By default, the default authentication method is used for LAN access users.
Note that the RADIUS scheme specified for the current ISP domain must have been configured.
Related commands: authentication default, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for LAN access users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authentication lan-access local

# Configure ISP domain test to use RADIUS authentication scheme rd for LAN access users and use
local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local

authentication login

Syntax

authentication login { local | none | radius-scheme radius-scheme-name [ local ] }


undo authentication login

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authentication.


none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1
to 32 characters.

Description

Use the authentication login command to configure the authentication method for login users.
Use the undo authentication login command to restore the default.
By default, the default authentication method is used for login users.
Note that the RADIUS scheme specified for the current ISP domain must have been configured.
Related commands: authentication default, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for login users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authentication login local

# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local
authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local

authorization command

Syntax

authorization command { local | none }


undo authorization command

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.


none: Does not perform any authorization. In this case, an authenticated user is automatically
authorized with the corresponding default rights.

Description

Use the authorization command command to configure the authorization method for command line
users.
Use the undo authorization command command to restore the default.
By default, the default authorization method is used for command line users.
Note that: For local authorization, the local users must have been configured for the command line
users on the device, and the level of the commands authorized to a local user must be lower than or
equal to that of the local user. Otherwise, local authorization will fail.
Related commands: authorization default.

Examples

# Configure the default ISP domain system to use local authorization for command line users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authorization command local

authorization default

Syntax

authorization default { local | none | radius-scheme radius-scheme-name [ local ] }


undo authorization default

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.


none: Does not perform any authorization. In this case, an authenticated user is automatically
authorized with the corresponding default rights.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1
to 32 characters.

Description

Use the authorization default command to configure the authorization method for all types of users.
Use the undo authorization default command to restore the default.
By default, the authorization method for all types of users is local.
Note that:
- The RADIUS scheme specified for the current ISP domain must have been configured.
- The authorization method specified with the authorization default command is for all types of
  users and has a priority lower than that for a specific access mode.
- RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme
  is the same as the RADIUS authentication scheme. If the RADIUS authorization scheme is
  different from the RADIUS authentication scheme, RADIUS authorization will fail. In addition, if a
  RADIUS authorization fails, the error message returned to the NAS says that the server is not
  responding.
Related commands: authentication default, accounting default, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for all types of users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authorization default local

# Configure ISP domain test to use RADIUS authorization scheme rd for all types of users and use
local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local

authorization lan-access

Syntax

authorization lan-access { local | none | radius-scheme radius-scheme-name [ local ] }


undo authorization lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.


none: Does not perform any authorization. In this case, an authenticated user is automatically
authorized with the default rights.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1
to 32 characters.

Description

Use the authorization lan-access command to configure the authorization method for LAN access
users.
Use the undo authorization lan-access command to restore the default.
By default, the default authorization method is used for LAN access users.
Note that:
- The RADIUS scheme specified for the current ISP domain must have been configured.
- RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme
  is the same as the RADIUS authentication scheme. If the RADIUS authorization scheme is
  different from the RADIUS authentication scheme, RADIUS authorization will fail.
Related commands: authorization default, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for LAN access users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authorization lan-access local

# Configure ISP domain test to use RADIUS authorization scheme rd for LAN access users and use
local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access radius-scheme rd local

authorization login

Syntax

authorization login { local | none | radius-scheme radius-scheme-name [ local ] }


undo authorization login

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.


none: Does not perform any authorization. In this case, an authenticated user is automatically
authorized with the default rights.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1
to 32 characters.

Description

Use the authorization login command to configure the authorization method for login users.
Use the undo authorization login command to restore the default.
By default, the default authorization method is used for login users.
Note that:
- The RADIUS scheme specified for the current ISP domain must have been configured.
- RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme
  is the same as the RADIUS authentication scheme. If the RADIUS authorization scheme is
  different from the RADIUS authentication scheme, RADIUS authorization will fail.
Related commands: authorization default, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for login users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authorization login local

# Configure ISP domain test to use RADIUS authorization scheme rd for login users and use local
authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local
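
The rules stated in the sections above can be checked offline against a saved configuration: a method configured for a specific access mode overrides the default method, an unconfigured method falls back to local, and RADIUS authorization fails unless it uses the same scheme as RADIUS authentication. The following Python script is an added example, not part of the H3C manual; the sample configuration is constructed, and the layout of a `domain <name>` line followed by indented ISP-domain-view commands is an assumption about how the saved configuration is written.

```python
import re

MODES = ("lan-access", "login")
METHOD_RE = re.compile(
    r"^(authentication|authorization|accounting) (default|lan-access|login) "
    r"(?:(local|none)|radius-scheme (\S+)( local)?)$"
)

# Constructed sample; the section layout is an assumption (see lead-in).
SAMPLE_CONFIG = """\
#
domain system
 authentication default local
#
domain test
 authentication default radius-scheme rd local
 authentication login none
 authorization default radius-scheme rd local
 authorization lan-access radius-scheme rd2
 accounting default radius-scheme rd local
 accounting optional
#
"""


def parse_domains(text):
    """Map each ISP domain name to the AAA methods configured in it."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # A non-indented line opens a new section; only "domain <name>" is tracked.
            m = re.match(r"^domain (\S+)$", line)
            current = (
                domains.setdefault(m.group(1), {"methods": {}, "optional": False})
                if m else None
            )
            continue
        if current is None:
            continue
        if line == "accounting optional":
            current["optional"] = True
            continue
        m = METHOD_RE.match(line)
        if m:
            service, mode, simple, scheme, backup = m.groups()
            current["methods"][(service, mode)] = (simple or "radius", scheme, bool(backup))
    return domains


def effective(domain, service, mode):
    """Mode-specific method wins, then the default method, then local."""
    methods = domain["methods"]
    return (
        methods.get((service, mode))
        or methods.get((service, "default"))
        or ("local", None, False)
    )


def audit(text):
    """Return (domain, access mode, finding) tuples for risky AAA settings."""
    findings = []
    for name, dom in sorted(parse_domains(text).items()):
        for mode in MODES:
            authn = effective(dom, "authentication", mode)
            authz = effective(dom, "authorization", mode)
            acct = effective(dom, "accounting", mode)
            if authn[0] == "none":
                # Users of this access mode are admitted without authentication.
                findings.append((name, mode, "authentication-none"))
            if authz[0] == "radius" and authz[1] != authn[1]:
                # RADIUS authorization must use the authentication scheme.
                findings.append((name, mode, "authorization-scheme-mismatch"))
            if acct[0] == "none":
                findings.append((name, mode, "accounting-none"))
        if dom["optional"]:
            # Users stay online when accounting fails; the local-user
            # access-limit is not enforced.
            findings.append((name, "*", "accounting-optional"))
    return findings


if __name__ == "__main__":
    for domain, mode, finding in audit(SAMPLE_CONFIG):
        print(f"{domain:8} {mode:11} {finding}")
```
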

authorization-attribute

Syntax

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level
level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *
undo authorization-attribute { acl | callback-number | idle-cut | level | user-profile | vlan |
work-directory } *

View

Local user view, user group view

Default Level

3: Manage level

Parameters

acl: Specifies the authorization ACL of the local user(s).


acl-number: Authorization ACL for the local user(s), in the range 2000 to 5999.
callback-number: Specifies the authorization PPP callback number of the local user(s).
callback-number: Authorization PPP callback number for the local user(s), a case-sensitive string of 1
to 64 characters.
idle-cut: Specifies the idle cut function for the local user(s). With the idle cut function enabled, an online
user whose idle period exceeds the specified idle time will be logged out.
minute: Idle time allowed, in the range 1 to 120 minutes.
level: Specifies the level of the local user(s).
level: Level of the local user(s), which can be 0 for visit level, 1 for monitor level, 2 for system level, and
3 for manage level. A smaller number means a lower level. The default is 0.
user-profile: Specifies the authorization user profile of the local user(s).
profile-name: Name of the authorization user profile for the local user(s), a case-sensitive string of 1 to
32 characters. It can consist of English letters, digits, and underscores and must start with an English
letter.
vlan: Specifies the authorized VLAN of the local user(s).
vlan-id: Authorized VLAN for the local user(s), in the range 1 to 4094.
work-directory: Specifies the authorized work directory of the local user(s), if the user or users are
authorized the FTP or SFTP service type.
directory-name: Authorized work directory, a case-insensitive string of 1 to 135 characters. This
directory must already exist.

Description

Use the authorization-attribute command to configure authorization attributes for the local user or
user group. After the local user or a local user of the user group passes authentication, the device will
assign these attributes to the user.
Use the undo authorization-attribute command to remove authorization attributes.
By default, no authorization attribute is configured for a local user or user group.
Note that:
- Every configurable authorization attribute has its definite application environments and purposes.
  However, the assignment of local user authorization attributes does not take the service type into
  account. Therefore, when configuring authorization attributes for a local user, consider what
  attributes are needed.
- Authorization attributes configured for a user group are effective on all local users of the group.
- An authorization attribute configured in local user view takes precedence over the same attribute
  configured in user group view.
- If you specify to perform no authentication or perform password authentication, the levels of
  commands that a user can access after login depend on the level of the user interface. For
  information about user interface login authentication method, refer to the authentication-mode
  command in Login Commands. If the authentication method requires users to provide usernames
  and passwords, the levels of commands that a user can access after login depend on the level of
  the user. For an SSH user authenticated with an RSA public key, which commands are available
  depends on the level specified on the user interface.
- If you remove the specified work directory from the file system, the FTP/SFTP user(s) will not be
  able to access the directory.

Examples

# Configure the authorized VLAN of user group abc as VLAN 3.


<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc] authorization-attribute vlan 3

bind-attribute

Syntax

bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port
slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *
undo bind-attribute { call-number | ip | location | mac | vlan } *

View

Local user view

Default Level

3: Manage level

Parameters

call-number call-number: Specifies a calling number for ISDN user authentication. The call-number
argument is a string of 1 to 64 characters.
subcall-number: Specifies the sub-calling number. The total length of the calling number and the
sub-calling number cannot be more than 62 characters.
ip ip-address: Specifies the IP address of the user.
location: Specifies the port binding attribute of the user.
port slot-number subslot-number port-number: Specifies the port to which the user is bound. The
slot-number argument is in the range 0 to 1024, the subslot-number argument is in the range 0 to 15,
and the port-number argument is in the range 0 to 255. Only the numbers make sense here; port types
are not taken into account.
mac mac-address: Specifies the MAC address of the user in the format of H-H-H.
vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range 1 to
4094.

Description

Use the bind-attribute command to configure binding attributes for a local user.
Use the undo bind-attribute command to remove binding attributes of a local user.
By default, no binding attribute is configured for a local user.

Note that:
• Binding attributes are checked upon authentication of a local user. If the binding attributes of a local
user do not match the configured ones, the checking will fail and the user will fail the authentication
as a result. In addition, such binding attribute checking does not take the service types of the users
into account. That is, a configured binding attribute is effective on all types of users. Therefore, be
cautious when deciding which binding attributes should be configured for which type of local users.
• The bind-attribute ip command applies only when the authentication method (802.1X, for
example) supports IP address upload. If you configure the command when the authentication
method (MAC address authentication, for example) does not support IP address upload, local
authentication will fail.

Examples

# Configure the bound IP of local user abc as 3.3.3.3.


<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] bind-attribute ip 3.3.3.3

cut connection

Syntax

cut connection { access-type dot1x | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id }

View

System view

Default Level

2: System level

Parameters

access-type dot1x: Specifies the user connections of 802.1X authentication access type.
all: Specifies all user connections.
domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to
the name of an existing ISP domain and is a string of 1 to 24 characters.
interface interface-type interface-number: Specifies user connections on an interface by the interface
type and number.
ip ip-address: Specifies the user connections of an IP address.
mac mac-address: Specifies the user connections of a MAC address, with mac-address in the format of
H-H-H.
ucibindex ucib-index: Specifies a user connection by connection index. The value ranges from 0 to
4294967295.
user-name user-name: Specifies a user connection by username. The user-name argument is a
case-sensitive string of 1 to 80 characters and must contain the domain name. If you enter a username
without any domain name, the system assumes that the default domain name is used for the username.

vlan vlan-id: Specifies user connections of a VLAN, with vlan-id ranging from 1 to 4094.

Description

Use the cut connection command to tear down the specified connections forcibly.
At present, this command applies to only LAN access user connections.
Related commands: display connection, service-type.

Examples

# Tear down all connections of ISP domain test.


<Sysname> system-view
[Sysname] cut connection domain test

display connection

Syntax

display connection [ access-type dot1x | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ]

View

Any view

Default Level

1: Monitor level

Parameters

access-type dot1x: Specifies the user connections of 802.1X authentication access type.
domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to
the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.
interface interface-type interface-number: Specifies user connections on an interface by the interface
type and number.
ip ip-address: Specifies the user connections of an IP address.
mac mac-address: Specifies the user connections of a MAC address, with mac-address in the format of
H-H-H.
ucibindex ucib-index: Specifies all user connections using the specified connection index. The value
ranges from 0 to 4294967295.
user-name user-name: Specifies all user connections using the specified username. The user-name
argument is a case-sensitive string of 1 to 80 characters and must contain the domain name. If you
enter a username without any domain name, the system assumes that the default domain name is used
for the username.
vlan vlan-id: Specifies user connections of a VLAN, with vlan-id ranging from 1 to 4094.

Description

Use the display connection command to display information about specified or all AAA user
connections.

Note that:
• With no parameter specified, the command displays brief information about all AAA user
connections.
• If you specify the ucibindex ucib-index combination, the command displays detailed information;
otherwise, the command displays brief information.
• This command does not apply to FTP user connections.
Related commands: cut connection.

Examples

# Display information about all AAA user connections.


<Sysname> display connection

Index=1 ,Username=telnet@system
IP=10.0.0.1
Total 1 connection(s) matched.

Table 1-1 display connection command output description

Field                             Description
Index                             Index number
Username                          Username of the connection, in the format username@domain
IP                                IP address of the user
Total 1 connection(s) matched.    Total number of user connections

display domain

Syntax

display domain [ isp-name ]

View

Any view

Default Level

1: Monitor level

Parameters

isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.

Description

Use the display domain command to display the configuration information of a specified ISP domain or
all ISP domains.
Related commands: access-limit enable, domain, state.

Examples

# Display the configuration information of all ISP domains.

<Sysname> display domain
0 Domain = system
State = Active
Access-limit = Disable
Accounting method = Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut = Disabled
Self-service = Disabled

1 Domain = test
State = Active
Access-limit = Disable
Accounting method = Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Lan-access authentication scheme : radius=test, local
Lan-access authorization scheme : radius=test, local
Lan-access accounting scheme : radius=test, local
Domain User Template:
Idle-cut = Disabled
Self-service = Disabled

Default Domain Name: system


Total 2 domain(s)

Table 1-2 display domain command output description

Field                               Description
Domain                              Domain name
State                               Status of the domain (active or block)
Access-limit                        Limit on the number of user connections
Accounting method                   Accounting method (either required or optional)
Default authentication scheme       Default authentication method
Default authorization scheme        Default authorization method
Default accounting scheme           Default accounting method
Lan-access authentication scheme    Authentication method for LAN users
Lan-access authorization scheme     Authorization method for LAN users
Lan-access accounting scheme        Accounting method for LAN users
Domain User Template                Template for users in the domain
Idle-cut                            Whether idle cut is enabled
Self-service                        Whether self service is enabled
Default Domain Name                 Default ISP domain name
Total 2 domain(s).                  2 ISP domains in total

display local-user

Syntax

display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | ssh | telnet |
terminal } | state { active | block } | user-name user-name | vlan vlan-id ]

View

Any view

Default Level

1: Monitor level

Parameters

idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.
service-type: Specifies the local users of a type.
• ftp refers to users using FTP.
• lan-access refers to users accessing the network through an Ethernet, such as 802.1X users.
• ssh refers to users using SSH.
• telnet refers to users using Telnet.
• terminal refers to users logging in through the console port, AUX port, or Asyn port. Supported port
types vary by the device model.
state { active | block }: Specifies all local users in the state of active or block. A local user in the state of
active can access network services, while a local user in the state of blocked cannot.
user-name user-name: Specifies all local users using the specified username. The username is a
case-sensitive string of 1 to 55 characters and does not contain the domain name.
vlan vlan-id: Specifies all local users in a VLAN. The VLAN ID ranges from 1 to 4094.

Description

Use the display local-user command to display information about specified or all local users.
Related commands: local-user.

Examples

# Display information about all local users.


<Sysname> display local-user
The contents of local user abc:
State: Active
ServiceType: ftp
Access-limit: Enable Current AccessNum: 0
Max AccessNum: 300
User-group: system

Bind attributes:
IP address: 1.2.3.4
Bind location: 0/4/1 (SLOT/SUBSLOT/PORT)
MAC address: 0001-0002-0003
Vlan ID: 100
Authorization attributes:
Idle TimeOut: 10(min)
Work Directory: flash:/
User Privilege: 3
Acl ID: 2000
Vlan ID: 100
User Profile: prof1
Expiration date: 12:12:12-2018/09/16
Total 1 local user(s) matched.

Table 1-3 display local-user command output description

Field                       Description
State                       Status of the local user, Active or Block
ServiceType                 Service types that the local user can use, including FTP, LAN, SSH, Telnet, and terminal.
Access-limit                Limit on the number of user connections using the current username
Current AccessNum           Current number of user connections using the current username
Max AccessNum               Maximum number of user connections using the current username
VLAN ID                     VLAN to which the user is bound
Calling Number              Calling number of the ISDN user
Authorization attributes    Authorization attributes of the local user
Idle TimeOut                Idle threshold of the user, in minutes.
Callback-number             Authorized PPP callback number of the local user
Work Directory              Directory accessible to the FTP user
VLAN ID                     Authorized VLAN of the local user
Expiration date             Expiration time of the local user

display user-group

Syntax

display user-group [ group-name ]

View

Any view

Default Level

2: System level

Parameters

group-name: User group name, a case-insensitive string of 1 to 32 characters.

Description

Use the display user-group command to display configuration information about one or all user
groups.
Related commands: user-group.

Examples

# Display configuration information about user group abc.


<Sysname> display user-group abc
The contents of user group abc:
Authorization attributes:
Idle-cut: 120(min)
Work Directory: FLASH:
Level: 1
Acl Number: 2000
Vlan ID: 1
User-Profile: 1
Callback-number: 1
Total 1 user group(s) matched.

domain

Syntax

domain isp-name
undo domain isp-name

View

System view

Default Level

3: Manage level

Parameters

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain any
forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or @.

Description

Use the domain isp-name command to create an ISP domain and/or enter ISP domain view.
Use the undo domain command to remove an ISP domain.
By default, a default ISP domain named system exists in the system.

Note that:
• If the specified ISP domain does not exist, the system will create a new ISP domain. All the ISP
domains are in the active state when they are created.
• The default domain cannot be deleted and can only be changed.
Related commands: state, display domain.

Examples

# Create ISP domain test, and enter ISP domain view.


<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test]

domain default enable

Syntax

domain default enable isp-name


undo domain default enable

View

System view

Default Level

3: Manage level

Parameters

isp-name: Name of the ISP domain, a string of 1 to 24 characters.

Description

Use the domain default enable command to specify the system default ISP domain. Users without any
domain name carried in the usernames are considered to be in the default domain.
Use the undo domain default enable command to restore the default.
By default, there is a default ISP domain named system.
Note that:
• There must be only one default ISP domain.
• The specified domain must already exist; otherwise, users without any domain name carried in the
user name will fail to be authenticated.
• The default ISP domain configured cannot be deleted unless you configure it as a non-default
domain again.
Related commands: state, display domain.

Examples

# Create a new ISP domain named test, and configure it as the default ISP domain.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] quit

[Sysname] domain default enable test

expiration-date

Syntax

expiration-date time
undo expiration-date

View

Local user view

Default Level

3: Manage level

Parameters

time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY or
HH:MM:SS-YYYY/MM/DD. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS
range from 0 to 59. YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM
ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00,
leading zeros can be omitted. For example, 2:2:0-2008/2/2 is equal to 02:02:00-2008/02/02.

Description

Use the expiration-date command to configure the expiration time of a local user.
Use the undo expiration-date command to remove the configuration.
By default, a local user has no expiration time and no time validity checking is performed.
When some users need to access the network temporarily, you can create a guest account and specify
an expiration time for the account. When a user uses the guest account for local authentication and
passes the authentication, the access device checks whether the current system time is within the
expiration time. If so, it permits the user to access the network. Otherwise, it denies the access request
of the user.
Note that if you change the system time manually or the system time is changed in any other way, the
access device uses the new system time for time validity checking.

Examples

# Configure the expiration time of user abc to be 12:10:20 on May 31, 2008.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] expiration-date 12:10:20-2008/05/31

group

Syntax

group group-name
undo group

View

Local user view

Default Level

3: Manage level

Parameters

group-name: User group name, a case-insensitive string of 1 to 32 characters.

Description

Use the group command to assign a local user to a user group.


Use the undo group command to restore the default.
By default, a local user belongs to the system default user group system.

Examples

# Assign local user 111 to user group abc.


<Sysname> system-view
[Sysname] local-user 111
[Sysname-luser-111] group abc

idle-cut enable

Syntax

idle-cut enable minute [ flow ]


undo idle-cut enable

View

ISP domain view

Default Level

2: System level

Parameters

minute: Maximum idle duration allowed, in the range 1 to 120 minutes.


flow: User idle threshold, which is in the range 1 to 10240000 bytes and defaults to 10240.

Description

Use the idle-cut enable command to enable the idle cut function and set the relevant parameters. With
the idle cut function enabled for a domain, the system will log out any user in the domain whose traffic is
less than the specified user idle threshold during the maximum idle duration.
Use the undo idle-cut enable command to restore the default.
By default, the function is disabled.
Note that:
• You can also set the maximum idle duration parameter on the server. In this case, if you enable the
idle cut function and set the relevant parameters on the device, the settings on the device will take
effect; if you disable the function on the device, the setting of the maximum idle duration parameter
on the server will take effect.
• The user idle threshold parameter can only be set on the device. The server always assigns a user
idle threshold of 10240 bytes to a user. If you set the parameter on the device, the device uses your
setting; otherwise, the device uses that assigned by the server.
Related commands: domain.

Examples

# Enable the idle cut function and set the idle duration threshold to 50 minutes and the traffic threshold
to 1024 bytes for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] idle-cut enable 50 1024

local-user

Syntax

local-user user-name
undo local-user { user-name | all [ service-type { ftp | lan-access | ssh | telnet | terminal } ] }

View

System view

Default Level

3: Manage level

Parameters

user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain
the domain name. It cannot contain any backward slash (\), forward slash (/), vertical line (|), colon (:),
asterisk (*), question mark (?), less-than sign (<), greater-than sign (>) and the @ sign and cannot be a,
al, or all.
all: Specifies all users.
service-type: Specifies the users of a type.
• ftp refers to users using FTP.
• lan-access refers to users accessing the network through an Ethernet, such as 802.1X users.
• ssh refers to users using SSH.
• telnet refers to users using Telnet.
• terminal refers to users logging in through the console port or AUX port.

Description

Use the local-user command to add a local user and enter local user view.
Use the undo local-user command to remove the specified local users.
By default, no local user is configured.
Related commands: display local-user, service-type.

Examples

# Add a local user named user1.


<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1]

local-user password-display-mode

Syntax

local-user password-display-mode { auto | cipher-force }


undo local-user password-display-mode

View

System view

Default Level

2: System level

Parameters

auto: Displays the password of a user based on the configuration of the user by using the password
command.
cipher-force: Displays the passwords of all users in cipher text.

Description

Use the local-user password-display-mode command to set the password display mode for all local
users.
Use the undo local-user password-display-mode command to restore the default.
The default mode is auto.
With the cipher-force mode configured:
• A local user password is always displayed in cipher text, regardless of the configuration of the
password command.
• If you use the save command to save the configuration, all existing local user passwords will still be
displayed in cipher text after the device restarts, even if you restore the display mode to auto.
Related commands: display local-user, password.

Examples

# Specify to display the passwords of all users in cipher text.


<Sysname> system-view
[Sysname] local-user password-display-mode cipher-force

nas-id bind vlan


Syntax

nas-id nas-identifier bind vlan vlan-id


undo nas-id nas-identifier bind vlan vlan-id

View

NAS ID profile view

Default Level

2: System level

Parameters

nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters.
vlan-id: ID of the VLAN to be bound with the NAS ID, in the range 1 to 4094.

Description

Use the nas-id bind vlan command to bind a NAS ID with a VLAN.
Use the undo nas-id bind vlan command to remove a NAS ID-VLAN binding.
By default, no NAS ID-VLAN binding exists.
Note that:
• In a NAS ID profile view, you can bind the NAS ID with more than one VLAN.
• A NAS ID can be bound with more than one VLAN, but one VLAN can be bound with only one NAS
ID. If you bind a VLAN with different NAS IDs, only the last binding takes effect.
Related commands: aaa nas-id profile.

Examples

# Bind NAS ID 222 with VLAN 2.


<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

password

Syntax

password { cipher | simple } password


undo password

View

Local user view

Default Level

2: System level

Parameters

cipher: Specifies to display the password in cipher text.


simple: Specifies to display the password in simple text.
password: Password for the local user.
• In simple text, it must be a string of 1 to 63 characters that contains no blank space, for example,
aabbcc.
• In cipher text, it must be a string of 24 or 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.
• With the simple keyword, you must specify the password in simple text. With the cipher keyword,
you can specify the password in either simple or cipher text.

Description

Use the password command to configure a password for a local user.


Use the undo password command to delete the password of a local user.
Note that:
• With the local-user password-display-mode cipher-force command configured, the password is
always displayed in cipher text, regardless of the configuration of the password command.
• With the cipher keyword specified, a password of up to 16 characters in plain text will be encrypted
into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text
will be encrypted into a password of 88 characters in cipher text. For a password of 24 characters,
if the system can decrypt the password, the system treats it as a password in cipher text. Otherwise,
the system treats it as a password in plain text.
Related commands: display local-user.

Examples

# Set the password of user1 to 123456 and specify to display the password in plain text.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password simple 123456

self-service-url enable

Syntax

self-service-url enable url-string


undo self-service-url enable

View

ISP domain view

Default Level

2: System level

Parameters

url-string: URL of the self-service server for changing user password, a string of 1 to 64 characters. It
must start with http:// and contain no question mark.

Description

Use the self-service-url enable command to enable the self-service server location function and
specify the URL of the self-service server for changing user password.
Use the undo self-service-url enable command to restore the default.
By default, the function is disabled.
Note that:

• A self-service RADIUS server, for example, iMC, is required for the self-service server location
function. With the self-service function, a user can manage and control his or her accounting
information or card number. A server with self-service software is a self-service server.
• After you configure the self-service-url enable command, a user can locate the self-service server
by selecting [Service/Change Password] from the 802.1X client. The client software automatically
launches the default browser, IE or Netscape, and opens the URL page of the self-service server
for changing the user password. A user can change his or her password through the page.
• Only authenticated users can select [Service/Change Password] from the 802.1X client. The option
is gray and unavailable for unauthenticated users.

Examples

# Enable the self-service server location function and specify the URL of the self-service server for
changing user password to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName for the default
ISP domain system.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName

service-type

Syntax

service-type { ftp | lan-access | { ssh | telnet | terminal } * }


undo service-type { ftp | lan-access | { ssh | telnet | terminal } * }

View

Local user view

Default Level

3: Manage level

Parameters

ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by
default.
lan-access: Authorizes the user to use the LAN access service. Such users are mainly Ethernet users,
for example, 802.1X users.
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service.
terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console or
AUX port.

Description

Use the service-type command to specify the service types that a user can use.
Use the undo service-type command to delete one or all service types configured for a user.
By default, a user is authorized with no service.

Examples

# Authorize user user1 to use the Telnet service.


<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] service-type telnet
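
The following is an added example, not part of the H3C manual: a Python audit of local-user configuration text that applies the rules stated above for password, local-user password-display-mode, service-type, bind-attribute ip and expiration-date. The sample configuration is constructed, and the indented layout under each local-user line, the function names and the finding names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, not captured from a device. Assumed layout: each
# local-user line is followed by its indented sub-commands.
SAMPLE_CONFIG = r"""
#
local-user admin
 password cipher _(TT8F]Y\5SQ=^Q`MAF4<1!!
 service-type ssh
local-user guest1
 password simple 123456
 service-type lan-access
 bind-attribute ip 3.3.3.3
 expiration-date 12:10:20-2008/05/31
local-user temp
 password simple aabbcc
 expiration-date 2:2:0-2/2/2035
#
"""

_EXP = re.compile(r"(\d{1,2}):(\d{1,2}):(\d{1,2})-(\d{1,4})/(\d{1,2})/(\d{1,4})")


def parse_expiration(text):
    """Parse HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD (leading zeros optional)."""
    m = _EXP.fullmatch(text)
    if not m:
        raise ValueError("bad expiration-date: %r" % text)
    hh, mi, ss, a, b, c = (int(g) for g in m.groups())
    # A four-digit first date field means YYYY/MM/DD, otherwise MM/DD/YYYY.
    year, month, day = (a, b, c) if len(m.group(4)) == 4 else (c, a, b)
    if not 2000 <= year <= 2035:
        raise ValueError("year out of range 2000-2035: %d" % year)
    # datetime() rejects impossible months, days, hours, minutes and seconds.
    return datetime(year, month, day, hh, mi, ss)


def audit(config, now):
    """Return sorted (user, finding) pairs for the local users in config."""
    cipher_force = False
    users = {}
    current = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            current = None
            continue
        if not raw[0].isspace():  # top-level command
            current = None
            if words[:2] == ["local-user", "password-display-mode"]:
                cipher_force = words[2:] == ["cipher-force"]
            elif words[0] == "local-user" and len(words) == 2:
                current = users.setdefault(words[1], {
                    "simple": False, "services": set(),
                    "bind_ip": False, "expires": None})
            continue
        if current is None:
            continue
        if words[0] == "password" and len(words) >= 2:
            current["simple"] = words[1] == "simple"
        elif words[0] == "service-type":
            current["services"].update(words[1:])
        elif words[0] == "bind-attribute" and "ip" in words[1:]:
            current["bind_ip"] = True
        elif words[0] == "expiration-date" and len(words) == 2:
            current["expires"] = words[1]

    findings = []
    for name, user in users.items():
        # "password simple" is shown in plain text unless cipher-force is set.
        if user["simple"] and not cipher_force:
            findings.append((name, "plaintext-password"))
        # By default a user is authorized with no service.
        if not user["services"]:
            findings.append((name, "no-service-type"))
        # bind-attribute ip only works when the authentication method uploads
        # the IP address (802.1X does, MAC address authentication does not).
        if user["bind_ip"] and "lan-access" in user["services"]:
            findings.append((name, "bind-ip-needs-ip-upload"))
        if user["expires"] is not None:
            try:
                if parse_expiration(user["expires"]) < now:
                    findings.append((name, "expired"))
            except ValueError:
                findings.append((name, "bad-expiration-date"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_CONFIG, datetime(2011, 8, 10)):
        print(user, finding)
```
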

state

Syntax

state { active | block }


undo state

View

ISP domain view, local user view

Default Level

2: System level

Parameters

active: Places the current ISP domain or local user in the active state, allowing the users in the current
ISP domain or the current local user to request network services.
block: Places the current ISP domain or local user in the blocked state, preventing users in the current
ISP domain or the current local user from requesting network services.

Description

Use the state command to configure the status of the current ISP domain or local user.
Use the undo state command to restore the default.
By default, an ISP domain is active when created. So is a local user.
By blocking an ISP domain, you disable users of the domain that are offline from requesting network
services. Note that the online users are not affected.
By blocking a user, you disable the user from requesting network services. No other users are affected.
Related commands: domain.

Examples

# Place the current ISP domain test in the blocked state.


<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] state block

# Place the current user user1 in the blocked state.


<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] state block

user-group

Syntax

user-group group-name
undo user-group group-name

View

System view

Default Level

3: Manage level

Parameters

group-name: User group name, a case-insensitive string of 1 to 32 characters.

Description

Use the user-group command to create a user group and enter its view.
Use the undo user-group command to remove a user group.
A user group consists of a group of local users and has a set of local user attributes. You can configure
local user attributes for a user group to implement centralized management of user attributes for the
local users in the group. Currently, you can configure authorization attributes for a user group.
Note that:
• A user group with one or more local users cannot be removed.
• The default system user group system cannot be removed but you can change its configurations.
Related commands: display user-group.

Examples

# Create a user group named abc and enter its view.


<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc]

2 RADIUS Configuration Commands

RADIUS Configuration Commands


accounting-on enable

Syntax

accounting-on enable
undo accounting-on enable

View

RADIUS scheme view

Default Level

2: System level

Parameters

None

Description

Use the accounting-on enable command to enable the accounting-on feature. After doing so, when
the device reboots, an accounting-on message will be sent to the RADIUS server to log out the online
users of the device.
Use the undo accounting-on enable command to disable the accounting-on feature.
By default, the accounting-on feature is disabled.
Note that:
• Execution of this command does not affect the results of other accounting-on related commands
such as accounting-on enable send.
• When you execute the accounting-on enable command, if the system has another authentication
scheme already enabled with the accounting-on feature, the command takes effect immediately.
Otherwise, you need to save the configuration by using the save command, so that the command
takes effect after the device reboots. For information about the save command, refer to File System
Management Commands.
Related commands: radius scheme.

Examples

# Enable the accounting-on feature for RADIUS authentication scheme rd.


<Sysname> system-view
[Sysname] radius scheme rd
[Sysname-radius-rd] accounting-on enable

accounting-on enable interval

Syntax

accounting-on enable interval seconds


undo accounting-on interval

View

RADIUS scheme view

Default Level

2: System level

Parameters

seconds: Time interval to retransmit accounting-on packet in seconds, ranging from 1 to 15.

Description

Use the accounting-on enable interval command to configure the retransmission interval of
accounting-on packets.
Use the undo accounting-on enable interval command to restore the default.
By default, the retransmission interval of accounting-on packets is 3 seconds.
Note that:
• Execution of this command does not affect the results of other accounting-on related commands
such as accounting-on enable. That is, execution of the undo accounting-on enable interval
command will not disable the accounting-on feature.
• The retransmission interval configured with this command takes effect immediately.
Related commands: radius scheme, accounting-on enable.

Examples

# In RADIUS scheme rd, set the retransmission interval of accounting-on packet to 5 seconds.
<Sysname> system-view
[Sysname] radius scheme rd
[Sysname-radius-rd] accounting-on enable interval 5

accounting-on enable send

Syntax

accounting-on enable send send-times


undo accounting-on send

View

RADIUS scheme view

Default Level

2: System level

Parameters

send-times: Maximum number of accounting-on packet transmission attempts, ranging from 1 to 255.

Description

Use the accounting-on enable send command to set the maximum number of accounting-on packet
transmission attempts.
Use the undo accounting-on enable send command to restore the default.
By default, the maximum number of accounting-on packet transmission attempts is 5.
Note that:
• Execution of this command does not affect the results of other accounting-on related commands
such as accounting-on enable. That is, execution of the undo accounting-on enable interval
command will not disable the accounting-on feature.
• The maximum number of accounting-on packet transmission attempts configured with this
command takes effect immediately.
Related commands: radius scheme, accounting-on enable.

Examples

# In RADIUS scheme rd, set the maximum number of accounting-on packet transmission attempts to
10.
<Sysname> system-view
[Sysname] radius scheme rd
[Sysname-radius-rd] accounting-on enable send 10

data-flow-format (RADIUS scheme view)

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }

View

RADIUS scheme view

Default Level

2: System level

Parameters

data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or
giga-packet.

Description

Use the data-flow-format command to specify the unit for data flows or packets to be sent to a RADIUS
server.

Use the undo data-flow-format command to restore the default.
By default, the unit for data flows is byte and that for data packets is one-packet.
Note that:
• The specified unit of data flows sent to the RADIUS server must be consistent with the traffic
statistics unit of the RADIUS server. Otherwise, accounting cannot be performed correctly.
• You can use these commands to change the settings only when no user is using the RADIUS
scheme.
Related commands: display radius scheme.

Examples

# Define RADIUS scheme radius1 to send data flows and packets destined for the RADIUS server in
kilobytes and kilo-packets.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

display radius scheme

Syntax

display radius scheme [ radius-scheme-name ]

View

Any view

Default Level

2: System level

Parameters

radius-scheme-name: RADIUS scheme name.

Description

Use the display radius scheme command to display the configuration information of a specified
RADIUS scheme or all RADIUS schemes.
Note that: If no RADIUS scheme is specified, the command will display the configuration information of
all RADIUS schemes.
Related commands: radius scheme.

Examples

# Display the configurations of all RADIUS schemes.


<Sysname> display radius scheme
------------------------------------------------------------------
SchemeName : radius1
Index : 0 Type : extended
Primary Auth Server:
IP: 1.1.1.1 Port: 1812 State: block
Primary Acct Server:
IP: 1.1.1.1 Port: 1813 State: block
Second Auth Server:
IP: N/A Port: 1812 State: block
Second Acct Server:
IP: N/A Port: 1813 State: block
Auth Server Encryption Key : 123
Acct Server Encryption Key : Not configured
Accounting-On packet disable, send times : 5 , interval : 3s
Interval for timeout(second) : 3
Retransmission times for timeout : 3
Interval for realtime accounting(minute) : 12
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet : 500
Quiet-interval(min) : 5
Username format : without-domain
Data flow unit : Byte
Packet unit : one
nas-ip address : 1.1.1.1
------------------------------------------------------------------
Total 1 RADIUS scheme(s).

Table 2-1 display radius scheme command output description

| Field | Description |
|---|---|
| SchemeName | Name of the RADIUS scheme |
| Index | Index number of the RADIUS scheme |
| Type | Type of the RADIUS server |
| Primary Auth Server | Primary authentication server |
| Primary Acct Server | Primary accounting server |
| Second Auth Server | Secondary authentication server |
| Second Acct Server | Secondary accounting server |
| IP | IP address of the server. N/A means not configured. |
| Port | Service port of the server. If no port configuration is performed, the default port number is displayed. |
| State | Status of the server, active or block. |
| Auth Server Encryption Key | Shared key of the authentication server |
| Acct Server Encryption Key | Shared key of the accounting server |
| Accounting-On packet disable | The accounting-on feature is disabled |
| send times | Retransmission times of accounting-on packets |
| interval | Interval to retransmit accounting-on packets |
| Interval for timeout(second) | Timeout time in seconds |
| Retransmission times for timeout | Times of retransmission in case of timeout |
| Interval for realtime accounting(minute) | Interval for realtime accounting in minutes |
| Retransmission times of realtime-accounting packet | Retransmission times of realtime-accounting packet |
| Retransmission times of stop-accounting packet | Retransmission times of stop-accounting packet |
| Quiet-interval(min) | Quiet interval for the primary server |
| Username format | Format of the username |
| Data flow unit | Unit of data flows |
| Packet unit | Unit of packets |
| nas-ip address | Source IP address for RADIUS packets to be sent |
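
The sample output above prints the authentication shared key value (123) and shows both configured servers in the block state. As an added example (not part of the H3C manual), the following Python parser reads display radius scheme output and reports such conditions. The function names and the MIN_KEY_LEN policy value are assumptions, and the embedded sample is constructed from the output format shown above.

```python
import re

# Constructed sample, modelled on the "display radius scheme" output format above.
SAMPLE = """\
------------------------------------------------------------------
SchemeName : radius1
Index : 0 Type : extended
Primary Auth Server:
IP: 1.1.1.1 Port: 1812 State: block
Primary Acct Server:
IP: 1.1.1.1 Port: 1813 State: block
Second Auth Server:
IP: N/A Port: 1812 State: block
Second Acct Server:
IP: N/A Port: 1813 State: block
Auth Server Encryption Key : 123
Acct Server Encryption Key : Not configured
Accounting-On packet disable, send times : 5 , interval : 3s
Interval for timeout(second) : 3
Retransmission times for timeout : 3
nas-ip address : 1.1.1.1
------------------------------------------------------------------
Total 1 RADIUS scheme(s).
"""

MIN_KEY_LEN = 16  # Assumption: local policy value, not taken from the manual.
SERVER_RE = re.compile(r"^(Primary|Second) (Auth|Acct) Server:$")
ADDR_RE = re.compile(r"^IP:\s*(\S+)\s+Port:\s*(\d+)\s+State:\s*(\S+)$")


def parse_schemes(text):
    """Parse the command output into a list of dicts, one per RADIUS scheme."""
    schemes, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SchemeName"):
            current = {"name": line.split(":", 1)[1].strip(), "servers": {}, "fields": {}}
            schemes.append(current)
            continue
        if current is None:
            continue
        m = SERVER_RE.match(line)
        if m:  # header line; the address line that follows belongs to it
            pending = (m.group(1), m.group(2))
            continue
        m = ADDR_RE.match(line)
        if m and pending:
            current["servers"][pending] = {
                "ip": m.group(1), "port": int(m.group(2)), "state": m.group(3)}
            pending = None
            continue
        if ":" in line:  # split on the first colon only: a key may contain ':'
            key, value = line.split(":", 1)
            current["fields"][key.strip()] = value.strip()
    return schemes


def audit(scheme):
    """Return a list of finding strings for one parsed scheme."""
    findings = []
    fields, servers = scheme["fields"], scheme["servers"]
    for role, label in (("Auth", "authentication"), ("Acct", "accounting")):
        configured = [s for (rank, r), s in servers.items()
                      if r == role and s["ip"] != "N/A"]
        key = fields.get(f"{role} Server Encryption Key", "Not configured")
        if configured and key == "Not configured":
            findings.append(f"{label}: server configured but no shared key")
        elif key != "Not configured":
            findings.append(f"{label}: shared key value appears in the output")
            if len(key) < MIN_KEY_LEN:
                findings.append(f"{label}: shared key shorter than {MIN_KEY_LEN} characters")
        if configured and all(s["state"] == "block" for s in configured):
            findings.append(f"{label}: every configured server is in block state")
        if len(configured) == 1:
            findings.append(f"{label}: no secondary server, so no failover")
    timeout = int(fields.get("Interval for timeout(second)", 0))
    retries = int(fields.get("Retransmission times for timeout", 0))
    if timeout * retries > 75:  # limit stated for the retry command
        findings.append(f"retry x timeout = {timeout * retries} exceeds the limit of 75")
    return findings


if __name__ == "__main__":
    for scheme in parse_schemes(SAMPLE):
        for finding in audit(scheme):
            print(f"{scheme['name']}: {finding}")
```

Because the key value is part of the output, captured display radius scheme output should be handled like any other secret-bearing artifact.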

display radius statistics

Syntax

display radius statistics

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display radius statistics command to display statistics about RADIUS packets.
Related commands: radius scheme.

Examples

# Display statistics about RADIUS packets.


<Sysname> display radius statistics
state statistic(total=1048):
DEAD = 18000 AuthProc = 0 AuthSucc = 0
AcctStart = 0 RLTSend = 0 RLTWait = 0
AcctStop = 0 OnLine = 0 Stop = 0
Received and Sent packets statistic:
Sent PKT total = 1547 Received PKT total = 23
Resend Times Resend total
1 508
2 508
Total 1016
RADIUS received packets statistic:
Code = 2 Num = 15 Err = 0
Code = 3 Num = 4 Err = 0
Code = 5 Num = 4 Err = 0
Code = 11 Num = 0 Err = 0
Running statistic:
RADIUS received messages statistic:
Normal auth request Num = 24 Err = 0 Succ = 24
EAP auth request Num = 0 Err = 0 Succ = 0
Account request Num = 4 Err = 0 Succ = 4
Account off request Num = 503 Err = 0 Succ = 503
PKT auth timeout Num = 15 Err = 5 Succ = 10
PKT acct_timeout Num = 1509 Err = 503 Succ = 1006
Realtime Account timer Num = 0 Err = 0 Succ = 0
PKT response Num = 23 Err = 0 Succ = 23
Session ctrl pkt Num = 0 Err = 0 Succ = 0
Normal author request Num = 0 Err = 0 Succ = 0
Set policy result Num = 0 Err = 0 Succ = 0
RADIUS sent messages statistic:
Auth accept Num = 10
Auth reject Num = 14
EAP auth replying Num = 0
Account success Num = 4
Account failure Num = 3
Server ctrl req Num = 0
RecError_MSG_sum = 0
SndMSG_Fail_sum = 0
Timer_Err = 0
Alloc_Mem_Err = 0
State Mismatch = 0
Other_Error = 0
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0

Table 2-2 display radius statistics command output description

| Field | Description |
|---|---|
| state statistic | state statistics |
| DEAD | Number of idle users |
| AuthProc | Number of users waiting for authentication |
| AuthSucc | Number of users who have passed authentication |
| AcctStart | Number of users for whom accounting has been started |
| RLTSend | Number of users for whom the system sends real-time accounting packets |
| RLTWait | Number of users waiting for real-time accounting |
| AcctStop | Number of users in the state of accounting waiting stopped |
| OnLine | Number of online users |
| Stop | Number of users in the state of stop |
| Received and Sent packets statistic | Statistics of packets received and sent |
| Sent PKT total | Number of packets sent |
| Received PKT total | Number of packets received |
| Resend Times | Number of retransmission attempts |
| Resend total | Number of packets retransmitted |
| RADIUS received packets statistic | Statistics of packets received by RADIUS |
| Code | Packet type |
| Num | Total number of packets |
| Err | Number of error packets |
| Running statistic | RADIUS operation message statistics |
| RADIUS received messages statistic | Number of messages received by RADIUS |
| Normal auth request | Number of normal authentication requests |
| EAP auth request | Number of EAP authentication requests |
| Account request | Number of accounting requests |
| Account off request | Number of stop-accounting requests |
| PKT auth timeout | Number of authentication timeout messages |
| PKT acct_timeout | Number of accounting timeout messages |
| Realtime Account timer | Number of realtime accounting requests |
| PKT response | Number of responses |
| Session ctrl pkt | Number of session control messages |
| Normal author request | Number of normal authorization requests |
| Succ | Number of acknowledgement messages |
| Set policy result | Number of responses to the Set policy packets |
| RADIUS sent messages statistic | Number of messages that have been sent by RADIUS |
| Auth accept | Number of accepted authentication packets |
| Auth reject | Number of rejected authentication packets |
| EAP auth replying | Number of replying packets of EAP authentication |
| Account success | Number of accounting succeeded packets |
| Account failure | Number of accounting failed packets |
| Server ctrl req | Number of server control requests |
| RecError_MSG_sum | Number of received packets in error |
| SndMSG_Fail_sum | Number of packets that failed to be sent out |
| Timer_Err | Number of timer errors |
| Alloc_Mem_Err | Number of memory errors |
| State Mismatch | Number of errors for mismatching status |
| Other_Error | Number of errors of other types |
| No-response-acct-stop packet | Number of times that no response was received for stop-accounting packets |
| Discarded No-response-acct-stop packet for buffer overflow | Number of stop-accounting packets that were buffered but then discarded due to full memory |

display stop-accounting-buffer

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

Any view

Default Level

2: System level

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1
to 32 characters.
session-id session-id: Specifies a session by its ID. The ID is a string of 1 to 50 characters.
time-range start-time stop-time: Specifies a time range by its start time and end time in the format of
hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.
user-name user-name: Specifies a user by the username, which is a case-sensitive string of 1 to 80
characters. Whether the user-name argument should include the domain name depends on the setting
by the user-name-format command for the RADIUS scheme.

Description

Use the display stop-accounting-buffer command to display information about the stop-accounting
requests buffered in the device by scheme, session ID, time range, username, or slot.
Note that if receiving no response after sending a stop-accounting request to a RADIUS server, the
device buffers the request and retransmits it. You can use the retry stop-accounting command to set
the number of allowed transmission attempts.
Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable,
user-name-format, retry stop-accounting.

Examples

# Display information about the buffered stop-accounting requests from 0:0:0 to 23:59:59 on August 31,
2006.
<Sysname> display stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006
Total find 0 record (0)

key (RADIUS scheme view)

Syntax

key { accounting | authentication } string


undo key { accounting | authentication }

View

RADIUS scheme view

Default Level

2: System level

Parameters

accounting: Sets the shared key for RADIUS accounting packets.


authentication: Sets the shared key for RADIUS authentication/authorization packets.
string: Shared key, a case-sensitive string of 1 to 64 characters.

Description

Use the key command to set the shared key for RADIUS authentication/authorization or accounting
packets.
Use the undo key command to restore the default.
By default, no shared key is configured.
Note that:
• You must ensure that the same shared key is set on the device and the RADIUS server.
• You can use the commands to change the settings only when no user is using the RADIUS
  scheme.
Related commands: display radius scheme.

Examples

# Set the shared key for authentication/authorization packets to hello for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key authentication hello

# Set the shared key for accounting packets to ok for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting ok

nas-ip (RADIUS scheme view)

Syntax

nas-ip ip-address
undo nas-ip

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be
0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

Description

Use the nas-ip command to specify the IP address for the device to use as the source address of the
RADIUS packets to be sent to the server.
Use the undo nas-ip command to restore the default.
By default, the source IP address of a packet sent to the server is that configured by the radius nas-ip
command in system view.
Note that:
• Specifying a source address for the RADIUS packets to be sent to the server can avoid the
  situation where the packets sent back by the RADIUS server cannot reach the device as the result
  of a physical interface failure. The address of a loopback interface is recommended.
• The nas-ip command in RADIUS scheme view is only for the current RADIUS scheme, while the
  radius nas-ip command in system view is for all RADIUS schemes. However, the nas-ip
  command in RADIUS scheme view overwrites the configuration of the radius nas-ip command.
• You can use the commands to change the setting only when no user is using the RADIUS scheme.
Related commands: radius nas-ip.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] radius scheme test1
[Sysname-radius-test1] nas-ip 10.1.1.1

primary accounting (RADIUS scheme view)

Syntax

primary accounting ip-address [ port-number ]


undo primary accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address of the primary accounting server.


port-number: UDP port number of the primary accounting server, which ranges from 1 to 65535 and
defaults to 1813.

Description

Use the primary accounting command to specify the primary RADIUS accounting server.
Use the undo primary accounting command to remove the configuration.
By default, no primary RADIUS accounting server is specified.
Note that:
• The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise,
  the configuration fails.
• The RADIUS service port configured on the device and that of the RADIUS server must be
  consistent.
• You can use the commands to change the settings only when no user is using the RADIUS
  scheme.
Related commands: key, radius scheme, state.

Examples

# Specify the IP address of the primary accounting server for RADIUS scheme radius1 as 10.110.1.2
and the UDP port of the server as 1813.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.2 1813

primary authentication (RADIUS scheme view)

Syntax

primary authentication ip-address [ port-number ]


undo primary authentication

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address of the primary authentication/authorization server.
port-number: UDP port number of the primary authentication/authorization server, which ranges from 1
to 65535 and defaults to 1812.

Description

Use the primary authentication command to specify the primary RADIUS authentication/authorization
server.
Use the undo primary authentication command to remove the configuration.
By default, no primary RADIUS authentication/authorization server is specified.
Note that:
• After creating a RADIUS scheme, you are supposed to configure the IP address and UDP port of
  each RADIUS server (primary/secondary authentication/authorization or accounting server).
  Ensure that at least one authentication/authorization server and one accounting server are
  configured, and that the RADIUS service port settings on the device are consistent with the port
  settings on the RADIUS servers.
• The IP addresses of the primary and secondary authentication/authorization servers cannot be the
  same. Otherwise, the configuration fails.
• You can use the commands to change the settings only when no user is using the RADIUS
  scheme.
Related commands: key, radius scheme, state.

Examples

# Specify the primary authentication/authorization server for RADIUS scheme radius1.


<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812

radius client

Syntax

radius client enable


undo radius client

View

System view

Default Level

2: System level

Parameters

None

Description

Use the radius client enable command to enable the listening port of the RADIUS client.
Use the undo radius client command to disable the listening port of the RADIUS client.
By default, the listening port is enabled.

Note that when the listening port of the RADIUS client is disabled:
• The RADIUS client can still accept authentication, authorization, or accounting requests or
  process timer messages. However, it cannot transmit packets to or receive packets from the
  RADIUS server.
• The end account packets of online users cannot be sent out or buffered. As a result, the
  RADIUS server may still hold the user record for a period of time after the user goes offline.
• If both the RADIUS scheme and the local authentication, authorization, and accounting scheme
  are configured, authentication, authorization, and accounting fall back to the local scheme
  after the RADIUS request fails.
• The buffered accounting packets cannot be sent out and will be deleted from the buffer when the
  configured maximum number of attempts is reached.

Examples

# Enable the listening port of the RADIUS client.

<Sysname> system-view
[Sysname] radius client enable

radius nas-ip

Syntax

radius nas-ip ip-address


undo radius nas-ip

View

System view

Default Level

2: System level

Parameters

ip-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be
0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

Description

Use the radius nas-ip command to specify the IP address for the device to use as the source address
of the RADIUS packets to be sent to the server.
Use the undo radius nas-ip command to remove the configuration.
By default, the source IP address of a packet sent to the server is the IP address of the outbound port.
Note that:
• Specifying a source address for the RADIUS packets to be sent to the server can avoid the
  situation where the packets sent back by the RADIUS server cannot reach the device as the result
  of a physical interface failure.
• If you configure the command more than once, the last configuration takes effect.
• The nas-ip command in RADIUS scheme view is only for the current RADIUS scheme, while the
  radius nas-ip command in system view is for all RADIUS schemes. However, the nas-ip
  command in RADIUS scheme view overwrites the configuration of the radius nas-ip command.
Related commands: nas-ip.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] radius nas-ip 129.10.10.1

radius scheme

Syntax

radius scheme radius-scheme-name


undo radius scheme radius-scheme-name

View

System view

Default Level

3: Manage level

Parameters

radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Description

Use the radius scheme command to create a RADIUS scheme and enter RADIUS scheme view.
Use the undo radius scheme command to delete a RADIUS scheme.
By default, no RADIUS scheme is defined.
Note that:
• The RADIUS protocol is configured scheme by scheme. Every RADIUS scheme must at least
  specify the IP addresses and UDP ports of the RADIUS authentication/authorization/accounting
  servers and the parameters necessary for a RADIUS client to interact with the servers.
• A RADIUS scheme can be referenced by more than one ISP domain at the same time.
• You cannot remove the RADIUS scheme being used by online users with the undo radius
  scheme command.
Related commands: key, retry realtime-accounting, timer realtime-accounting,
stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format,
retry, display radius scheme, display radius statistics.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1]

radius trap

Syntax

radius trap { accounting-server-down | authentication-server-down }


undo radius trap { accounting-server-down | authentication-server-down }

View

System view

Default Level

2: System level

Parameters

accounting-server-down: RADIUS trap for accounting servers.


authentication-server-down: RADIUS trap for authentication servers.

Description

Use the radius trap command to enable the RADIUS trap function.
Use the undo radius trap command to disable the function.
By default, the RADIUS trap function is disabled.
Note that:
• If a NAS sends an accounting or authentication request to the RADIUS server but gets no response,
  the NAS retransmits the request. With the RADIUS trap function enabled, the NAS sends a trap
  message when it has transmitted the request for half of the specified maximum number of
  transmission attempts, and another trap message when it has transmitted the request for the
  specified maximum number.
• If the specified maximum number of transmission attempts is odd, half of the number is rounded
  up to the next integer.

Examples

# Enable the RADIUS trap function for accounting servers.


<Sysname> system-view
[Sysname] radius trap accounting-server-down

reset radius statistics

Syntax

reset radius statistics

View

User view

Default Level

2: System level

Parameters

None

Description

Use the reset radius statistics command to clear RADIUS statistics.


Related commands: display radius scheme.

Examples

# Clear RADIUS statistics.


<Sysname> reset radius statistics

reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

User view

Default Level

2: System level

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a string of 1 to 32
characters.
session-id session-id: Specifies a session by its ID, a string of 1 to 50 characters.
time-range start-time stop-time: Specifies a time range by its start time and end time in the format of
hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.
user-name user-name: Specifies a username based on which to reset the stop-accounting buffer. The
username is a case-sensitive string of 1 to 80 characters. The format of the user-name argument (for
example, whether the domain name should be included) must comply with that specified for usernames
to be sent to the RADIUS server in the RADIUS scheme.

Description

Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests,
which get no responses.
Related commands: stop-accounting-buffer enable, retry stop-accounting, user-name-format,
display stop-accounting-buffer.

Examples

# Clear the buffered stop-accounting requests for user user0001@test.


<Sysname> reset stop-accounting-buffer user-name user0001@test

# Clear the buffered stop-accounting requests in the time range from 0:0:0 to 23:59:59 on August 31,
2006.
<Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006

retry

Syntax

retry retry-times
undo retry

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of transmission attempts, in the range 1 to 20.

Description

Use the retry command to set the maximum number of RADIUS transmission attempts.
Use the undo retry command to restore the default.
The default value for the retry-times argument is 3.
Note that:
• RADIUS uses UDP packets to transmit data, so the communication is not reliable. If the device
  does not receive a response to its request from the RADIUS server within the response timeout
  time, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit
  but the device still receives no response from the RADIUS server, the device considers the
  authentication to have failed.
• The maximum number of transmission attempts defined by this command is the sum of all
  transmission attempts sent by the device to the primary server and the secondary server. For
  example, assume that the maximum number of transmission attempts is N and that both the primary
  and secondary RADIUS servers are specified and exist. The device sends the request to the
  other server if the current server does not respond after the number of transmission attempts
  reaches N/2 (if N is an even number) or (N+1)/2 (if N is an odd number).
• The maximum number of transmission attempts multiplied by the RADIUS server response timeout
  period cannot be greater than 75.
Related commands: radius scheme, timer response-timeout.

Examples

# Set the maximum number of RADIUS request transmission attempts to 5 for RADIUS scheme
radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry 5

retry realtime-accounting

Syntax

retry realtime-accounting retry-times


undo retry realtime-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of accounting request transmission attempts. It ranges from 1 to 255 and
defaults to 5.

Description

Use the retry realtime-accounting command to set the maximum number of accounting request
transmission attempts.
Use the undo retry realtime-accounting command to restore the default.
Note that:
• A RADIUS server usually checks whether a user is online by a timeout timer. If it receives no
  real-time accounting packet for a user from the NAS within the timeout period, it considers that
  there may be a line or device failure and stops accounting for the user. This may happen when
  some unexpected failure occurs. In this case, the NAS must disconnect the user accordingly. The
  maximum number of accounting request transmission attempts serves this purpose: once the limit
  is reached but the NAS still receives no response, the NAS disconnects the user.
• Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer
  response-timeout command), the number of timeout retransmission attempts is 3 (set with the
  retry command), the real-time accounting interval is 12 minutes (set with the timer
  realtime-accounting command), and the maximum number of accounting request transmission
  attempts is 5 (set with the retry realtime-accounting command). In such a case, the device
  generates an accounting request every 12 minutes, and retransmits the request when receiving no
  response within 3 seconds. The accounting is deemed unsuccessful if no response is received
  within 3 requests. Then the device sends a request every 12 minutes, and if for 5 times it still
  receives no response, the device will cut the user connection.
Related commands: radius scheme, timer realtime-accounting.

Examples

# Set the maximum number of accounting request transmission attempts to 10 for RADIUS scheme
radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry realtime-accounting 10

retry stop-accounting (RADIUS scheme view)

Syntax

retry stop-accounting retry-times


undo retry stop-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 10 to
65,535 and defaults to 500.

Description

Use the retry stop-accounting command to set the maximum number of stop-accounting request
transmission attempts.
Use the undo retry stop-accounting command to restore the default.
Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer
response-timeout command), the timeout retransmission attempts is 5 (set with the retry command),
and the maximum number of stop-accounting request transmission attempts is 20 (set with the retry
stop-accounting command). This means that for each stop-accounting request, if the device receives
no response within 3 seconds, it will initiate a new request. If still no responses are received within 5
renewed requests, the stop-accounting request is deemed unsuccessful. Then the device will
temporarily store the request in the device and resend a request and repeat the whole process
described above. Only when 20 consecutive attempts fail will the device discard the request.
Related commands: reset stop-accounting-buffer, radius scheme, display
stop-accounting-buffer.

Examples

# Set the maximum number of stop-accounting request transmission attempts to 1,000 for RADIUS
scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry stop-accounting 1000
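
The retransmission rules described for retry, radius trap, retry realtime-accounting and retry stop-accounting, modelled together as an added Python example (not H3C code). Class, field and function names are hypothetical; the model assumes that trap messages follow the same attempt counter as the server switchover, that the first failed real-time accounting cycle counts toward the limit, and that cycles start exactly one accounting interval apart.

```python
from dataclasses import dataclass
from math import ceil


@dataclass
class RadiusTimers:
    """Values from the manual's worked examples; field names are hypothetical."""
    response_timeout: int = 3    # seconds, timer response-timeout
    retry: int = 3               # retry (1 to 20)
    realtime_interval: int = 12  # minutes, timer realtime-accounting
    retry_realtime: int = 5      # retry realtime-accounting (1 to 255)
    retry_stop: int = 500        # retry stop-accounting (10 to 65535)

    def validate(self):
        """Return the range and product violations the manual describes."""
        problems = []
        if not 1 <= self.retry <= 20:
            problems.append("retry must be in the range 1 to 20")
        if self.retry * self.response_timeout > 75:
            problems.append("retry x response timeout must not exceed 75")
        if not 1 <= self.retry_realtime <= 255:
            problems.append("retry realtime-accounting must be in the range 1 to 255")
        if not 10 <= self.retry_stop <= 65535:
            problems.append("retry stop-accounting must be in the range 10 to 65535")
        return problems


def request_timeline(t, has_secondary=True, trap_enabled=True):
    """Attempts for one request that never gets a response.

    Returns (attempt, server, seconds_after_first_send, trap_sent) tuples.
    """
    half = ceil(t.retry / 2)  # N/2 for even N, (N+1)/2 for odd N
    events = []
    for attempt in range(1, t.retry + 1):
        use_primary = attempt <= half or not has_secondary
        server = "primary" if use_primary else "secondary"
        # Assumption: traps use the same attempt counter as the switchover.
        trap = trap_enabled and attempt in (half, t.retry)
        events.append((attempt, server, (attempt - 1) * t.response_timeout, trap))
    return events


def request_failure_seconds(t):
    """Seconds until one request is declared failed: every attempt times out."""
    return t.retry * t.response_timeout


def realtime_disconnect_seconds(t):
    """Seconds from the first unanswered real-time accounting request until
    the NAS disconnects the user (see the assumptions in the lead-in)."""
    cycles_before_last = t.retry_realtime - 1
    return cycles_before_last * t.realtime_interval * 60 + request_failure_seconds(t)


def stop_accounting_max_packets(t):
    """Upper bound on packets sent for one buffered stop-accounting request:
    each of the retry_stop attempts repeats the full retry sequence."""
    return t.retry_stop * t.retry


if __name__ == "__main__":
    for event in request_timeline(RadiusTimers(retry=5)):
        print(event)
    print("user disconnected after", realtime_disconnect_seconds(RadiusTimers()), "s")
    print("problems:", RadiusTimers(response_timeout=5, retry=20).validate())
```

With the values from the retry realtime-accounting description, a user stays connected for about 48 minutes after the accounting server stops answering, which is the window in which sessions continue without accounting records.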

secondary accounting (RADIUS scheme view)

Syntax

secondary accounting ip-address [ port-number ]


undo secondary accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address of the secondary accounting server, in dotted decimal notation. The default is
0.0.0.0.
port-number: UDP port number of the secondary accounting server, which ranges from 1 to 65535 and
defaults to 1813.

Description

Use the secondary accounting command to specify the secondary RADIUS accounting server.
Use the undo secondary accounting command to remove the configuration.
By default, no secondary RADIUS accounting server is specified.
Note that:
• The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise,
  the configuration fails.
• The RADIUS service port configured on the device and that of the RADIUS server must be
  consistent.
• You can use the commands to change the settings only when no user is using the RADIUS
  scheme.
Related commands: key, radius scheme, state.

Examples

# Specify the secondary accounting server for RADIUS scheme radius1.


<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

secondary authentication (RADIUS scheme view)

Syntax

secondary authentication ip-address [ port-number ]


undo secondary authentication

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address of the secondary authentication/authorization server, in dotted decimal
notation. The default is 0.0.0.0.
port-number: UDP port number of the secondary authentication/authorization server, which ranges from
1 to 65535 and defaults to 1812.

Description

Use the secondary authentication command to specify the secondary RADIUS
authentication/authorization server.
Use the undo secondary authentication command to remove the configuration.
By default, no secondary RADIUS authentication/authorization server is specified.
Note that:
• The IP addresses of the primary and secondary authentication/authorization servers cannot be the
  same. Otherwise, the configuration fails.
• The RADIUS service port configured on the device and that of the RADIUS server must be
  consistent.
• You can use the commands to change the settings only when no user is using the RADIUS
  scheme.
Related commands: key, radius scheme, state.

Examples

# Specify the secondary authentication/authorization server for RADIUS scheme radius1.


<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

server-type

Syntax

server-type { extended | standard }


undo server-type

View

RADIUS scheme view

Default Level

2: System level

Parameters

extended: Specifies the extended RADIUS server (generally iMC), which requires the RADIUS client
and RADIUS server to interact according to the procedures and packet formats provisioned by the
private RADIUS protocol.

standard: Specifies the standard RADIUS server, which requires the RADIUS client end and RADIUS
server to interact according to the regulation and packet format of the standard RADIUS protocol (RFC
2865/2866 or newer).

Description

Use the server-type command to specify the RADIUS server type supported by the device.
Use the undo server-type command to restore the default.
By default, the supported RADIUS server type is standard.
Note that you can use the commands to change the setting only when no user is using the RADIUS
scheme.
Related commands: radius scheme.

Examples

# Set the RADIUS server type of RADIUS scheme radius1 to standard.


<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] server-type standard

state

Syntax

state { primary | secondary } { accounting | authentication } { active | block }

View

RADIUS scheme view

Default Level

2: System level

Parameters

primary: Sets the status of the primary RADIUS server.


secondary: Sets the status of the secondary RADIUS server.
accounting: Sets the status of the RADIUS accounting server.
authentication: Sets the status of the RADIUS authentication/authorization server.
active: Sets the status of the RADIUS server to active, namely the normal operation state.
block: Sets the status of the RADIUS server to block.

Description

Use the state command to set the status of a RADIUS server.


By default, every RADIUS server configured with an IP address in the RADIUS scheme is in the state of
active.
Note that:
• When a primary server (authentication/authorization server or accounting server) fails, the device
  automatically turns to the secondary server.
• Once the primary server fails, the primary server turns into the blocked state, and the device turns
  to the secondary server. In this case, if the secondary server is available, the device triggers the
  primary server quiet timer. After the quiet timer times out, the status of the primary server is active
  again and the status of the secondary server remains the same. If the secondary server fails, the
  device restores the status of the primary server to active immediately. If the primary server has
  resumed, the device turns to use the primary server and stops communicating with the secondary
  server. After accounting starts, the communication between the client and the secondary server
  remains unchanged.
• When both the primary server and the secondary server are in the state of blocked, you need to set
  the status of the secondary server to active to use the secondary server for authentication.
  Otherwise, the switchover will not occur.
• If one server is in the active state while the other is blocked, the switchover will not take place even
  if the active server is not reachable.
• You can use this command to change the settings only when no user is using the RADIUS scheme.
Related commands: radius scheme, primary authentication, secondary authentication, primary
accounting, secondary accounting.

Examples

# Set the status of the secondary server in RADIUS scheme radius1 to active.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state secondary authentication active

stop-accounting-buffer enable (RADIUS scheme view)

Syntax

stop-accounting-buffer enable
undo stop-accounting-buffer enable

View

RADIUS scheme view

Default Level

2: System level

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting
requests getting no responses.
Use the undo stop-accounting-buffer enable command to disable the device from buffering
stop-accounting requests getting no responses.
By default, the device is enabled to buffer stop-accounting requests getting no responses.
Since stop-accounting requests affect the charge to users, a NAS must make its best effort to send
every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request
getting no response in the specified period of time, the NAS buffers and resends the packet until it
receives a response or the number of transmission retries reaches the configured limit. In the latter case,
the NAS discards the packet.
Note that you can use the commands to change the setting only when no user is using the RADIUS
scheme.
Related commands: reset stop-accounting-buffer, radius scheme, display
stop-accounting-buffer.

Examples

# In RADIUS scheme radius1, enable the device to buffer the stop-accounting requests getting no
responses.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] stop-accounting-buffer enable

timer quiet (RADIUS scheme view)

Syntax

timer quiet minutes


undo timer quiet

View

RADIUS scheme view

Default Level

2: System level

Parameters

minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5.

Description

Use the timer quiet command to set the quiet timer for the primary server, that is, the duration that the
status of the primary server stays blocked before resuming the active state.
Use the undo timer quiet command to restore the default.
Related commands: display radius scheme.

Examples

# Set the quiet timer for the primary server to 10 minutes.


<Sysname> system-view
[Sysname] radius scheme test1
[Sysname-radius-test1] timer quiet 10

timer realtime-accounting (RADIUS scheme view)

Syntax

timer realtime-accounting minutes


undo timer realtime-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range 3 to 60. The
default is 12.

Description

Use the timer realtime-accounting command to set the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default.
Note that:
• For real-time accounting, a NAS must transmit the accounting information of online users to the
  RADIUS accounting server periodically. This command is for setting the interval.
• When the real-time accounting interval on the device is zero, the device will send online user
  accounting information to the RADIUS accounting server at the real-time accounting interval
  configured on the server (if any) or will not send online user accounting information.
• The setting of the real-time accounting interval somewhat depends on the performance of the NAS
  and the RADIUS server: a shorter interval means higher accounting precision but requires higher
  performance. You are therefore recommended to adopt a longer interval when there are a large
  number of users (1000 or more). The following table lists the recommended ratios of the interval to
  the number of users.

Table 2-3 Recommended ratios of the accounting interval to the number of users

Number of users    Real-time accounting interval (minute)
1 to 99            3
100 to 499         6
500 to 999         12
1000 or more       15 or more

Related commands: retry realtime-accounting, radius scheme.

Examples

# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer realtime-accounting 51

timer response-timeout (RADIUS scheme view)

Syntax

timer response-timeout seconds


undo timer response-timeout

View

RADIUS scheme view

Default Level

2: System level

Parameters

seconds: RADIUS server response timeout period in seconds. It ranges from 1 to 10 and defaults to 3.

Description

Use the timer response-timeout command to set the RADIUS server response timeout timer.
Use the undo timer response-timeout command to restore the default.
Note that:
• If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS
  request (authentication/authorization or accounting request), it has to resend the request so that
  the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server
  response timeout timer to control the transmission interval.
• A proper value for the RADIUS server response timeout timer can help improve the system
  performance. Set the timer based on the network conditions.
• The maximum total number of all types of retransmission attempts multiplied by the RADIUS server
  response timeout period cannot be greater than 75.
Related commands: radius scheme, retry.

Examples

# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer response-timeout 5
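
The following added example (not part of the H3C manual) checks the timer settings of RADIUS schemes in a saved configuration against the ranges, defaults and Table 2-3 given above. The function names and the sample configuration are constructed for illustration, and the example assumes that the retransmission count in the "75" rule is the value of a `retry <n>` line; when no such line is present the product check is skipped.

```python
import re

# Defaults and limits as stated in the parameter descriptions above.
DEFAULTS = {"quiet": 5, "realtime-accounting": 12, "response-timeout": 3}
MAX_RETRY_TIMEOUT_PRODUCT = 75

# Table 2-3: (largest user count in the band, recommended interval in minutes).
RECOMMENDED = [(99, 3), (499, 6), (999, 12), (float("inf"), 15)]

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
radius scheme radius1
 secondary authentication 10.110.1.2 1812
 timer quiet 10
 timer realtime-accounting 51
 timer response-timeout 5
 retry 20
#
radius scheme test1
 timer realtime-accounting 10
 retry 5
#
"""

TIMER_RE = re.compile(r"timer (quiet|realtime-accounting|response-timeout) (\d+)")
RETRY_RE = re.compile(r"retry (\d+)")  # assumption: plain retry count line


def recommended_interval(users):
    """Smallest real-time accounting interval that Table 2-3 recommends."""
    for upper, minutes in RECOMMENDED:
        if users <= upper:
            return minutes


def parse_schemes(text):
    """Return {scheme name: {setting: int}} for each 'radius scheme' block."""
    schemes, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith(" "):
            # An unindented line either opens a scheme or ends the block.
            m = re.fullmatch(r"radius scheme (\S+)", raw.strip())
            current = schemes.setdefault(m.group(1), {}) if m else None
            continue
        if current is None:
            continue
        line = raw.strip()
        m = TIMER_RE.fullmatch(line)
        if m:
            current[m.group(1)] = int(m.group(2))
            continue
        m = RETRY_RE.fullmatch(line)
        if m:
            current["retry"] = int(m.group(1))
    return schemes


def audit_scheme(settings, users=None):
    """List violations of the documented limits for one scheme."""
    s = {**DEFAULTS, **settings}
    findings = []
    if not 1 <= s["quiet"] <= 255:
        findings.append(f"timer quiet {s['quiet']}: outside 1-255 minutes")
    rt = s["realtime-accounting"]
    if rt != 0 and not (3 <= rt <= 60 and rt % 3 == 0):
        findings.append(
            f"timer realtime-accounting {rt}: must be 0 or a multiple of 3 in 3-60")
    elif users is not None and rt != 0 and rt < recommended_interval(users):
        findings.append(
            f"timer realtime-accounting {rt}: Table 2-3 recommends "
            f"{recommended_interval(users)} or more for {users} users")
    timeout = s["response-timeout"]
    if not 1 <= timeout <= 10:
        findings.append(f"timer response-timeout {timeout}: outside 1-10 seconds")
    retry = s.get("retry")
    if retry is not None and retry * timeout > MAX_RETRY_TIMEOUT_PRODUCT:
        findings.append(
            f"retry {retry} x response-timeout {timeout} = {retry * timeout}: "
            f"exceeds {MAX_RETRY_TIMEOUT_PRODUCT}")
    return findings


def audit_config(text, users=None):
    """Audit every scheme found in a configuration text."""
    return {name: audit_scheme(cfg, users)
            for name, cfg in parse_schemes(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```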

user-name-format (RADIUS scheme view)

Syntax

user-name-format { keep-original | with-domain | without-domain }

View

RADIUS scheme view

Default Level

2: System level

Parameters

keep-original: Sends the username to the RADIUS server as it is input.


with-domain: Includes the ISP domain name in the username sent to the RADIUS server.
without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Description

Use the user-name-format command to specify the format of the username to be sent to a RADIUS
server.
By default, the ISP domain name is included in the username.
Note that:
• A username is generally in the format of userid@isp-name, of which isp-name is used by the device
  to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however,
  cannot recognize a username including an ISP domain name. Before sending a username
  including a domain name to such a RADIUS server, the device must remove the domain name.
  This command is thus provided for you to decide whether to include a domain name in a username
  to be sent to a RADIUS server.
• If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply
  the RADIUS scheme to more than one ISP domain, thus avoiding the confused situation where the
  RADIUS server regards two users in different ISP domains but with the same user ID as one.
• For 802.1X users using EAP authentication, the user-name-format command configured for a
  RADIUS scheme does not take effect and the device does not change the usernames from clients
  before forwarding them to the RADIUS server.
• You can use this command to change the setting only when no user is using the RADIUS scheme.
Related commands: radius scheme.

Examples

# Specify the device to remove the domain name in the username sent to the RADIUS servers for the
RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain

Table of Contents

1 PKI Configuration Commands
  PKI Configuration Commands
    attribute
    ca identifier
    certificate request entity
    certificate request from
    certificate request mode
    certificate request polling
    certificate request url
    common-name
    country
    crl check
    crl update-period
    crl url
    display pki certificate
    display pki certificate access-control-policy
    display pki certificate attribute-group
    display pki crl domain
    fqdn
    ip (PKI entity view)
    ldap-server
    locality
    organization
    organization-unit
    pki certificate access-control-policy
    pki certificate attribute-group
    pki delete-certificate
    pki domain
    pki entity
    pki import-certificate
    pki request-certificate domain
    pki retrieval-certificate
    pki retrieval-crl domain
    pki validate-certificate
    root-certificate fingerprint
    rule (PKI CERT ACP view)
    state

1 PKI Configuration Commands

PKI Configuration Commands


attribute

Syntax

attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
undo attribute { id | all }

View

Certificate attribute group view

Default Level

2: System level

Parameters

id: Sequence number of the certificate attribute rule, in the range 1 to 16.
alt-subject-name: Specifies the name of the alternative certificate subject.
fqdn: Specifies the FQDN of the entity.
ip: Specifies the IP address of the entity.
issuer-name: Specifies the name of the certificate issuer.
subject-name: Specifies the name of the certificate subject.
dn: Specifies the distinguished name of the entity.
ctn: Specifies the contain operation.
equ: Specifies the equal operation.
nctn: Specifies the not-contain operation.
nequ: Specifies the not-equal operation.
attribute-value: Value of the certificate attribute, a case-insensitive string of 1 to 128 characters.
all: Specifies all certificate attributes.

Description

Use the attribute command to configure the attribute rules of the certificate issuer name, certificate
subject name and alternative certificate subject name.
Use the undo attribute command to delete the attribute rules of one or all certificates.
By default, there is no restriction on the issuer name, subject name, and alternative subject name of a
certificate.

Note that the attribute of the alternative certificate subject name does not appear as a distinguished
name, and therefore the dn keyword is not available for the attribute.

Examples

# Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc

# Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of
abc.
[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc

# Create a certificate attribute rule, specifying that the IP address in the alternative subject name cannot
be 10.0.0.1.
[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1

ca identifier

Syntax

ca identifier name
undo ca identifier

View

PKI domain view

Default Level

2: System level

Parameters

name: Identifier of the trusted CA, a case-insensitive string of 1 to 63 characters.

Description

Use the ca identifier command to specify the trusted CA and bind the device with the CA.
Use the undo ca identifier command to remove the configuration.
By default, no trusted CA is specified for a PKI domain.
Certificate request, retrieval, revocation, and query all depend on the trusted CA.

Examples

# Specify the trusted CA as new-ca.


<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ca identifier new-ca

certificate request entity

Syntax

certificate request entity entity-name


undo certificate request entity

View

PKI domain view

Default Level

2: System level

Parameters

entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters.

Description

Use the certificate request entity command to specify the entity for certificate request.
Use the undo certificate request entity command to remove the configuration.
By default, no entity is specified for certificate request.
Related commands: pki entity.

Examples

# Specify the entity for certificate request as entity1.


<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request entity entity1

certificate request from

Syntax

certificate request from { ca | ra }


undo certificate request from

View

PKI domain view

Default Level

2: System level

Parameters

ca: Indicates that the entity requests a certificate from a CA.


ra: Indicates that the entity requests a certificate from an RA.

Description

Use the certificate request from command to specify the authority for certificate request.

Use the undo certificate request from command to remove the configuration.
By default, no authority is specified for certificate request.

Examples

# Specify that the entity requests a certificate from the CA.


<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request from ca

certificate request mode

Syntax

certificate request mode { auto [ key-length key-length | password { cipher | simple } password ]* |
manual }
undo certificate request mode

View

PKI domain view

Default Level

2: System level

Parameters

auto: Specifies to request a certificate in auto mode.


key-length: Length of the RSA keys in bits, in the range 512 to 2,048. It is 1,024 bits by default.
password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters.
cipher: Specifies to display the password in cipher text.
simple: Specifies to display the password in clear text.
manual: Specifies to request a certificate in manual mode.

Description

Use the certificate request mode command to set the certificate request mode.
Use the undo certificate request mode command to restore the default.
By default, manual mode is used.
In auto mode, an entity automatically requests a certificate from an RA or CA when it has no certificate.
However, if the certificate is to expire or has expired, the entity does not initiate a re-request
automatically. To have a new local certificate, you need to request one manually. In manual mode, all
operations associated with certificate request are carried out manually.
Related commands: pki request-certificate.

Examples

# Specify to request a certificate in auto mode.


<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request mode auto

certificate request polling

Syntax

certificate request polling { count count | interval minutes }


undo certificate request polling { count | interval }

View

PKI domain view

Default Level

2: System level

Parameters

count count: Specifies the maximum number of attempts to poll the status of the certificate request, in
the range 1 to 100.
interval minutes: Specifies the polling interval in minutes, in the range 5 to 168.

Description

Use the certificate request polling command to specify the certificate request polling interval and
attempt limit.
Use the undo certificate request polling command to restore the defaults.
By default, the polling is executed every 20 minutes for up to 50 times.
After an applicant makes a certificate request, the CA may need a long period of time if it verifies the
certificate request manually. During this period, the applicant needs to query the status of the request
periodically to get the certificate as soon as possible after the certificate is signed.
Related commands: display pki certificate.

Examples

# Specify the polling interval as 15 minutes and the maximum number of attempts as 40.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request polling interval 15
[Sysname-pki-domain-1] certificate request polling count 40

certificate request url

Syntax

certificate request url url-string


undo certificate request url

View

PKI domain view

Default Level

2: System level

Parameters

url-string: URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It
comprises the location of the server and the location of CGI command interface script in the format of
http://server_location/ca_script_location, where server_location must be an IP address and does not
support domain name resolution currently.

Description

Use the certificate request url command to specify the URL of the server for certificate request
through SCEP.
Use the undo certificate request url command to remove the configuration.
By default, no URL is specified for a PKI domain.

Examples

# Specify the URL of the server for certificate request.


<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll

common-name

Syntax

common-name name
undo common-name

View

PKI entity view

Default Level

2: System level

Parameters

name: Common name of an entity, a case-insensitive string of 1 to 31 characters. No comma can be
included.

Description

Use the common-name command to configure the common name of an entity, which can be, for
example, the user name.
Use the undo common-name command to remove the configuration.
By default, no common name is specified.

Examples

# Configure the common name of an entity as test.


<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] common-name test

country

Syntax

country country-code-str
undo country

View

PKI entity view

Default Level

2: System level

Parameters

country-code-str: Country code for the entity, a 2-character case-insensitive string.

Description

Use the country command to specify the code of the country to which an entity belongs. It is a standard
2-character code, for example, CN for China.
Use the undo country command to remove the configuration.
By default, no country code is specified.

Examples

# Set the country code of an entity to CN.


<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] country CN

crl check

Syntax

crl check { disable | enable }

View

PKI domain view

Default Level

2: System level

Parameters

disable: Disables CRL checking.


enable: Enables CRL checking.

Description

Use the crl check command to enable or disable CRL checking.


By default, CRL checking is enabled.
CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a
certificate may occur before the certificate expires. CRL checking is intended for checking whether a
certificate has been revoked. A revoked certificate is no longer trusted.

Examples

# Disable CRL checking.


<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl check disable

crl update-period

Syntax

crl update-period hours


undo crl update-period

View

PKI domain view

Default Level

2: System level

Parameters

hours: CRL update period in hours, in the range 1 to 720.

Description

Use the crl update-period command to set the CRL update period, that is, the interval at which a PKI
entity with a certificate downloads the latest CRL from the LDAP server.
Use the undo crl update-period command to restore the default.
By default, the CRL update period depends on the next update field in the CRL file.

Examples

# Set the CRL update period to 20 hours.


<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl update-period 20

crl url

Syntax

crl url url-string


undo crl url

View

PKI domain view

Default Level

2: System level

Parameters

url-string: URL of the CRL distribution point, a case-insensitive string of 1 to 127 characters in the format
of ldap://server_location or http://server_location, where server_location must be an IP address and
does not support domain name resolution currently.

Description

Use the crl url command to specify the URL of the CRL distribution point.
Use the undo crl url command to remove the configuration.
By default, no CRL distribution point URL is specified.
Note that when the URL of the CRL distribution point is not set, you should acquire the CA certificate
and a local certificate, and then acquire a CRL through SCEP.

Examples

# Specify the URL of the CRL distribution point.


<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl url ldap://169.254.0.30

display pki certificate

Syntax

display pki certificate { { ca | local } domain domain-name | request-status }

View

Any view

Default Level

2: System level

Parameters

ca: Displays the CA certificate.


local: Displays the local certificate.
domain-name: Name of the PKI domain, a string of 1 to 15 characters.

request-status: Displays the status of a certificate request.

Description

Use the display pki certificate command to display the contents or request status of a certificate.
Related commands: pki retrieval-certificate, pki domain and certificate request polling.

Examples

# Display the local certificate.


<Sysname> display pki certificate local domain 1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
10B7D4E3 00010000 0086
Signature Algorithm: md5WithRSAEncryption
Issuer:
emailAddress=myca@aabbcc.net
C=CN
ST=Country A
L=City X
O=abc
OU=bjs
CN=new-ca
Validity
Not Before: Jan 13 08:57:21 2004 GMT
Not After : Jan 20 09:07:21 2005 GMT
Subject:
C=CN
ST=Country B
L=City Y
CN=pki test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00D41D1F …
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: hyf.xxyyzz.net
X509v3 CRL Distribution Points:
URI:http://1.1.1.1:447/myca.crl
… …
Signature Algorithm: md5WithRSAEncryption
A3A5A447 4D08387D …

Table 1-1 display pki certificate command output description

Field                            Description
Version                          Version of the certificate
Serial Number                    Serial number of the certificate
Signature Algorithm              Signature algorithm
Issuer                           Issuer of the certificate
Validity                         Validity period of the certificate
Subject                          Entity holding the certificate
Subject Public Key Info          Public key information of the entity
X509v3 extensions                Extensions of the X.509 (version 3) certificate
X509v3 CRL Distribution Points   Distribution points of X.509 (version 3) CRLs
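
The following added example (not part of the H3C manual) parses text in the display pki certificate output format shown above and reports the properties a certificate review would look at first: the signature algorithm, the RSA key size and the validity period. The function names and the policy thresholds (MD5 and SHA-1 signatures flagged, RSA keys shorter than 2,048 bits flagged) are assumptions of this example, not device defaults; the sample text is abridged from the output above.

```python
import re
from datetime import datetime, timezone

# Example policy (an assumption of this example, not a device default).
WEAK_SIGNATURE_ALGORITHMS = {"md5withrsaencryption", "sha1withrsaencryption"}
MIN_RSA_BITS = 2048

# Abridged from the example output above; embedded so the block runs offline.
SAMPLE_OUTPUT = """\
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
10B7D4E3 00010000 0086
Signature Algorithm: md5WithRSAEncryption
Issuer:
emailAddress=myca@aabbcc.net
C=CN
ST=Country A
L=City X
O=abc
OU=bjs
CN=new-ca
Validity
Not Before: Jan 13 08:57:21 2004 GMT
Not After : Jan 20 09:07:21 2005 GMT
Subject:
C=CN
ST=Country B
L=City Y
CN=pki test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: hyf.xxyyzz.net
X509v3 CRL Distribution Points:
URI:http://1.1.1.1:447/myca.crl
Signature Algorithm: md5WithRSAEncryption
"""


def _parse_time(value):
    """Convert 'Jan 13 08:57:21 2004' (GMT) to an aware datetime."""
    parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def parse_certificate(text):
    """Extract the fields of interest from display pki certificate output."""
    cert = {"issuer": {}, "subject": {}, "dns_names": [], "crl_uris": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Issuer:", "Subject:"):
            section = line[:-1].lower()
            continue
        m = re.fullmatch(r"([A-Za-z]+)=(.+)", line)
        if section and m:
            cert[section][m.group(1)] = m.group(2)
            continue
        section = None  # any other line ends the Issuer/Subject block
        if m := re.fullmatch(r"Signature Algorithm:\s*(\S+)", line):
            cert.setdefault("signature_algorithm", m.group(1))
        elif m := re.fullmatch(r"RSA Public Key:\s*\((\d+) bit\)", line):
            cert["rsa_bits"] = int(m.group(1))
        elif m := re.fullmatch(r"Not (Before|After)\s*:\s*(.+?)\s+GMT", line):
            cert["not_" + m.group(1).lower()] = _parse_time(m.group(2))
        elif m := re.fullmatch(r"URI:\s*(\S+)", line):
            cert["crl_uris"].append(m.group(1))
        elif m := re.fullmatch(r"DNS:\s*(\S+)", line):
            cert["dns_names"].append(m.group(1))
    return cert


def audit_certificate(cert, now):
    """Return findings for a parsed certificate, evaluated at time 'now'."""
    findings = []
    alg = cert.get("signature_algorithm", "")
    if alg.lower() in WEAK_SIGNATURE_ALGORITHMS:
        findings.append(f"weak signature algorithm: {alg}")
    bits = cert.get("rsa_bits")
    if bits is not None and bits < MIN_RSA_BITS:
        findings.append(f"RSA key is {bits} bits, below {MIN_RSA_BITS}")
    if "not_before" in cert and now < cert["not_before"]:
        findings.append("certificate is not yet valid")
    if "not_after" in cert and now > cert["not_after"]:
        findings.append("certificate has expired")
    return findings
```

The 2,048-bit threshold equals the upper bound of the key-length parameter of certificate request mode auto, whose default is 1,024 bits, so a certificate requested with the default key length is flagged by this policy.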

display pki certificate access-control-policy

Syntax

display pki certificate access-control-policy { policy-name | all }

View

Any view

Default Level

1: Monitor level

Parameters

policy-name: Name of the certificate attribute-based access control policy, a string of 1 to 16 characters.
all: Specifies all certificate attribute-based access control policies.

Description

Use the display pki certificate access-control-policy command to display information about a
specified or all certificate attribute-based access control policies.

Examples

# Display information about the certificate attribute-based access control policy named mypolicy.
<Sysname> display pki certificate access-control-policy mypolicy
access-control-policy name: mypolicy
rule 1 deny mygroup1
rule 2 permit mygroup2

Table 1-2 display pki certificate access-control-policy command output description

Field                   Description
access-control-policy   Name of the certificate attribute-based access control policy
rule number             Number of the access control rule

display pki certificate attribute-group

Syntax

display pki certificate attribute-group { group-name | all }

View

Any view

Default Level

1: Monitor level

Parameters

group-name: Name of a certificate attribute group, a string of 1 to 16 characters.


all: Specifies all certificate attribute groups.

Description

Use the display pki certificate attribute-group command to display information about a specified or
all certificate attribute groups.

Examples

# Display information about certificate attribute group mygroup.


<Sysname> display pki certificate attribute-group mygroup
attribute group name: mygroup
attribute 1 subject-name dn ctn abc
attribute 2 issuer-name fqdn nctn app

Table 1-3 display pki certificate attribute-group command output description

Field                  Description
attribute group name   Name of the certificate attribute group
attribute number       Number of the attribute rule
subject-name           Name of the certificate subject
dn                     DN of the entity
ctn                    Indicates the contain operations
abc                    Value of attribute 1
issuer-name            Name of the certificate issuer
fqdn                   FQDN of the entity
nctn                   Indicates the not-contain operations
app                    Value of attribute 2

display pki crl domain

Syntax

display pki crl domain domain-name

View

Any view

Default Level

2: System level

Parameters

domain-name: Name of the PKI domain, a string of 1 to 15 characters.

Description

Use the display pki crl domain command to display the locally saved CRLs.
Related commands: pki retrieval-crl, pki domain.

Examples

# Display the locally saved CRLs.


<Sysname> display pki crl domain 1
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer:
C=CN
O=abc
OU=soft
CN=A Test Root
Last Update: Jan 5 08:44:19 2004 GMT
Next Update: Jan 5 21:42:13 2004 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
Serial Number: 05a234448E…
Revocation Date: Sep 6 12:33:22 2004 GMT
CRL entry extensions:…
Serial Number: 05a278445E…
Revocation Date: Sep 7 12:33:22 2004 GMT
CRL entry extensions:…

Table 1-4 display pki crl domain command output description

| Field | Description |
|---|---|
| Version | Version of the CRL |
| Signature Algorithm | Signature algorithm used by the CRLs |
| Issuer | CA issuing the CRLs |
| Last Update | Last update time |
| Next Update | Next update time |
| CRL extensions | Extensions of CRL |
| X509v3 Authority Key Identifier | CA issuing the CRLs. The certificate version is X.509 v3. |
| keyid | ID of the public key. A CA may have multiple key pairs. This field indicates the key pair used by the CRL’s signature. |
| Revoked Certificates | Revoked certificates |
| Serial Number | Serial number of the revoked certificate |
| Revocation Date | Revocation date of the certificate |
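
The fields described above can be checked mechanically. The following Python code is an added example, not part of the H3C manual: it parses the sample `display pki crl domain` output shown above, reports whether the stored CRL is past its Next Update time (the point at which pki retrieval-crl should be run again), and looks up a serial number. The function names and the treatment of serial numbers that the display cuts off with "…" are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Output of "display pki crl domain 1" as printed in the manual; serial numbers
# are cut off with "…" there and are kept that way.
SAMPLE = """\
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer:
C=CN
O=abc
OU=soft
CN=A Test Root
Last Update: Jan 5 08:44:19 2004 GMT
Next Update: Jan 5 21:42:13 2004 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
Serial Number: 05a234448E…
Revocation Date: Sep 6 12:33:22 2004 GMT
CRL entry extensions:…
Serial Number: 05a278445E…
Revocation Date: Sep 7 12:33:22 2004 GMT
CRL entry extensions:…
"""

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
TIME_RE = re.compile(
    r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s+(\d{4})\s+GMT")


def parse_time(text):
    """Parse 'Jan 5 08:44:19 2004 GMT' without relying on the process locale."""
    m = TIME_RE.search(text)
    if not m or m.group(1) not in MONTHS:
        raise ValueError(f"unrecognised time field: {text!r}")
    mon, day, hh, mm, ss, year = m.groups()
    return datetime(int(year), MONTHS[mon], int(day),
                    int(hh), int(mm), int(ss), tzinfo=timezone.utc)


def parse_crl(text):
    """Turn the CLI output into a dict; lines it does not know are ignored."""
    crl = {"issuer": [], "revoked": []}
    in_issuer = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Issuer:":
            in_issuer = True
            continue
        if in_issuer and re.match(r"[A-Za-z]+=", line):
            crl["issuer"].append(line)
            continue
        in_issuer = False
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Last Update":
            crl["last_update"] = parse_time(value)
        elif key == "Next Update":
            crl["next_update"] = parse_time(value)
        elif key == "Serial Number":
            crl["revoked"].append({
                "serial": value.rstrip("….").upper(),
                "truncated": value.endswith(("…", "...")),
                "revoked_at": None})
        elif key == "Revocation Date" and crl["revoked"]:
            crl["revoked"][-1]["revoked_at"] = parse_time(value)
    return crl


def crl_findings(crl, now):
    """Problems to act on at time `now` (a timezone-aware datetime)."""
    findings = []
    last, nxt = crl.get("last_update"), crl.get("next_update")
    if nxt is None:
        findings.append("no Next Update field: freshness cannot be judged")
    elif now > nxt:
        findings.append(f"stale: Next Update {nxt:%Y-%m-%d %H:%M:%S} UTC has "
                        "passed, run pki retrieval-crl")
    if last is not None and now < last:
        findings.append("Last Update is in the future: check the device clock")
    return findings


def revocation_status(crl, serial_hex):
    """'revoked', 'not listed', or 'indeterminate' when the display cut the serial."""
    wanted = re.sub(r"[^0-9A-Fa-f]", "", serial_hex).upper()
    status = "not listed"
    for entry in crl["revoked"]:
        if entry["truncated"]:
            if wanted.startswith(entry["serial"]):
                status = "indeterminate"
        elif wanted == entry["serial"]:
            return "revoked"
    return status
```

A result of "indeterminate" means the displayed serial number was shortened, so the full CRL has to be consulted before the certificate is trusted.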

fqdn

Syntax

fqdn name-str
undo fqdn

View

PKI entity view

Default Level

2: System level

Parameters

name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127
characters.

Description

Use the fqdn command to configure the FQDN of an entity.


Use the undo fqdn command to remove the configuration.
By default, no FQDN is specified for an entity.
An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain
name and can be resolved into an IP address.

Examples

# Configure the FQDN of an entity as pki.domain-name.com.


<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] fqdn pki.domain-name.com

ip (PKI entity view)

Syntax

ip ip-address
undo ip

View

PKI entity view

Default Level

2: System level

Parameters

ip-address: IP address for an entity.

Description

Use the ip command to configure the IP address of an entity.


Use the undo ip command to remove the configuration.
By default, no IP address is specified for an entity.

Examples

# Configure the IP address of an entity as 11.0.0.1.


<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] ip 11.0.0.1

ldap-server

Syntax

ldap-server ip ip-address [ port port-number ] [ version version-number ]


undo ldap-server

View

PKI domain view

Default Level

2: System level

Parameters

ip-address: IP address of the LDAP server, in dotted decimal format.


port-number: Port number of the LDAP server, in the range 1 to 65535. The default is 389.
version-number: LDAP version number, either 2 or 3. By default, it is 2.

Description

Use the ldap-server command to specify an LDAP server for a PKI domain.

Use the undo ldap-server command to remove the configuration.
By default, no LDAP server is specified for a PKI domain.

Examples

# Specify an LDAP server for PKI domain 1.


<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ldap-server ip 169.254.0.30

locality

Syntax

locality locality-name
undo locality

View

PKI entity view

Default Level

2: System level

Parameters

locality-name: Name for the geographical locality, a case-insensitive string of 1 to 31 characters. No
comma can be included.

Description

Use the locality command to configure the geographical locality of an entity, which can be, for example,
a city name.
Use the undo locality command to remove the configuration.
By default, no geographical locality is specified for an entity.

Examples

# Configure the locality of an entity as city.


<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] locality city

organization

Syntax

organization org-name
undo organization

View

PKI entity view

Default Level

2: System level

Parameters

org-name: Organization name, a case-insensitive string of 1 to 31 characters. No comma can be
included.

Description

Use the organization command to configure the name of the organization to which the entity belongs.
Use the undo organization command to remove the configuration.
By default, no organization name is specified for an entity.

Examples

# Configure the name of the organization to which an entity belongs as org-name.


<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization org-name

organization-unit

Syntax

organization-unit org-unit-name
undo organization-unit

View

PKI entity view

Default Level

2: System level

Parameters

org-unit-name: Organization unit name for distinguishing different units in an organization, a
case-insensitive string of 1 to 31 characters. No comma can be included.

Description

Use the organization-unit command to specify the name of the organization unit to which this entity
belongs.
Use the undo organization-unit command to remove the configuration.
By default, no organization unit name is specified for an entity.

Examples

# Configure the name of the organization unit to which an entity belongs as unit-name.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization-unit unit-name

pki certificate access-control-policy

Syntax

pki certificate access-control-policy policy-name


undo pki certificate access-control-policy { policy-name | all }

View

System view

Default Level

2: System level

Parameters

policy-name: Name of the certificate attribute-based access control policy, a case-insensitive string of 1
to 16 characters. It cannot be “a”, “al” or “all”.
all: Specifies all certificate attribute-based access control policies.

Description

Use the pki certificate access-control-policy command to create a certificate attribute-based access
control policy and enter its view.
Use the undo pki certificate access-control-policy command to remove a specified or all certificate
attribute-based access control policies.
No access control policy exists by default.

Examples

# Configure an access control policy named mypolicy and enter its view.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy]

pki certificate attribute-group

Syntax

pki certificate attribute-group group-name


undo pki certificate attribute-group { group-name | all }

View

System view

Default Level

2: System level

Parameters

group-name: Name for the certificate attribute group, a case-insensitive string of 1 to 16 characters. It
cannot be “a”, “al” or “all”.

all: Specifies all certificate attribute groups.

Description

Use the pki certificate attribute-group command to create a certificate attribute group and enter its
view.
Use the undo pki certificate attribute-group command to delete one or all certificate attribute groups.
By default, no certificate attribute group exists.

Examples

# Create a certificate attribute group named mygroup and enter its view.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup]

pki delete-certificate

Syntax

pki delete-certificate { ca | local } domain domain-name

View

System view

Default Level

2: System level

Parameters

ca: Deletes the locally stored CA certificate.


local: Deletes the locally stored local certificate.
domain-name: Name of the PKI domain whose certificates are to be deleted, a string of 1 to 15
characters.

Description

Use the pki delete-certificate command to delete the certificate locally stored for a PKI domain.

Examples

# Delete the local certificate for PKI domain cer.


<Sysname> system-view
[Sysname] pki delete-certificate local domain cer

pki domain

Syntax

pki domain domain-name


undo pki domain domain-name

View

System view

Default Level

2: System level

Parameters

domain-name: PKI domain name, a case-insensitive string of 1 to 15 characters.

Description

Use the pki domain command to create a PKI domain and enter PKI domain view or enter the view of
an existing PKI domain.
Use the undo pki domain command to remove a PKI domain.
By default, no PKI domain exists.

Examples

# Create a PKI domain and enter its view.


<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1]

pki entity

Syntax

pki entity entity-name


undo pki entity entity-name

View

System view

Default Level

2: System level

Parameters

entity-name: Name for the entity, a case-insensitive string of 1 to 15 characters.

Description

Use the pki entity command to create a PKI entity and enter its view.
Use the undo pki entity command to remove a PKI entity.
By default, no entity exists.
You can configure a variety of attributes for an entity in PKI entity view. An entity is intended only for
convenience of reference by other commands.

Examples

# Create a PKI entity named en and enter its view.

<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en]

pki import-certificate

Syntax

pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]

View

System view

Default Level

2: System level

Parameters

ca: Specifies the CA certificate.


local: Specifies the local certificate.
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
der: Specifies the certificate format of DER.
p12: Specifies the certificate format of P12.
pem: Specifies the certificate format of PEM.
filename filename: Specifies the name of the certificate file, which is a case-insensitive string of 1 to
127 characters. It defaults to domain-name_ca.cer or domain-name_local.cer, the name of the file to
be created to save the imported certificate.

Description

Use the pki import-certificate command to import a CA certificate or local certificate from a file and
save it locally.
Related commands: pki domain.

Examples

# Import the CA certificate for PKI domain cer in the format of PEM.
<Sysname> system-view
[Sysname] pki import-certificate ca domain cer pem

pki request-certificate domain

Syntax

pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]

View

System view

Default Level

2: System level

Parameters

domain-name: Name of the PKI domain, a string of 1 to 15 characters.
password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters.
pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to
request a certificate by an out-of-band means, like phone, disk, or email.
filename filename: Specifies the name of the local file for saving the PKCS#10 certificate request, a
case-insensitive string of 1 to 127 characters.

Description

Use the pki request-certificate domain command to request a local certificate from a CA through
SCEP. If SCEP fails, you can use the pkcs10 keyword to print the request information in BASE64
format, or use the pkcs10 filename filename keyword and argument combination to save the request
information to a local file and send the file to the CA by an out-of-band means.
This operation will not be saved in the configuration file.
Related commands: pki domain.

Examples

# Display the PKCS#10 certificate request information.


<Sysname> system-view
[Sysname] pki request-certificate domain 1 pkcs10
-----BEGIN CERTIFICATE REQUEST-----
MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5
ALx3LJijB3d/ndKpcHT/DfbJVDCn5gdw32tBZyCkEwMHZN3ol2z7Nvdu5TED6iN8
4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G
CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw
R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ
JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c
-----END CERTIFICATE REQUEST-----

pki retrieval-certificate

Syntax

pki retrieval-certificate { ca | local } domain domain-name

View

System view

Default Level

2: System level

Parameters

ca: Retrieves the CA certificate.


local: Retrieves the local certificate.
domain-name: Name of the PKI domain used for certificate request.

Description

Use the pki retrieval-certificate command to retrieve a certificate from the server for certificate
distribution.
Related commands: pki domain.

Examples

# Retrieve the CA certificate from the certificate issuing server.


<Sysname> system-view
[Sysname] pki retrieval-certificate ca domain 1

pki retrieval-crl domain

Syntax

pki retrieval-crl domain domain-name

View

System view

Default Level

2: System level

Parameters

domain-name: Name of the PKI domain, a string of 1 to 15 characters.

Description

Use the pki retrieval-crl command to retrieve the latest CRLs from the server for CRL distribution.
CRLs are used to verify the validity of certificates.
Related commands: pki domain.

Examples

# Retrieve CRLs.
<Sysname> system-view
[Sysname] pki retrieval-crl domain 1

pki validate-certificate

Syntax

pki validate-certificate { ca | local } domain domain-name

View

System view

Default Level

2: System level

Parameters

ca: Verifies the CA certificate.


local: Verifies the local certificate.
domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15
characters.

Description

Use the pki validate-certificate command to verify the validity of a certificate.


The focus of certificate validity verification is to check that the certificate is signed by the CA and that the
certificate has neither expired nor been revoked.
Related commands: pki domain.

Examples

# Verify the validity of the local certificate.


<Sysname> system-view
[Sysname] pki validate-certificate local domain 1

root-certificate fingerprint

Syntax

root-certificate fingerprint { md5 | sha1 } string


undo root-certificate fingerprint

View

PKI domain view

Default Level

2: System level

Parameters

md5: Uses an MD5 fingerprint.


sha1: Uses a SHA1 fingerprint.
string: Fingerprint to be used. An MD5 fingerprint must be a string of 32 characters in hexadecimal. A
SHA1 fingerprint must be a string of 40 characters in hexadecimal.

Description

Use the root-certificate fingerprint command to configure the fingerprint to be used for verifying the
validity of the CA root certificate.

Use the undo root-certificate fingerprint command to remove the configuration.
By default, no fingerprint is configured for verifying the validity of the CA root certificate.

Examples

# Configure an MD5 fingerprint for verifying the validity of the CA root certificate.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E

# Configure a SHA1 fingerprint for verifying the validity of the CA root certificate.
[Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
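
The string argument has to be exactly 32 (MD5) or 40 (SHA1) hexadecimal characters, while tools and CA administrators often hand out fingerprints with colons or spaces. The following Python code is an added example, not part of the H3C manual: it computes a fingerprint from a PEM or DER certificate file, normalizes a fingerprint received out of band into the form the command takes, and compares the two. It assumes the fingerprint is the digest of the DER-encoded certificate, as is conventional; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Hex-string lengths the manual requires for each fingerprint type.
HEX_LEN = {"md5": 32, "sha1": 40}
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(cert_bytes):
    """Return DER bytes from either a PEM-armoured or a raw DER certificate file."""
    m = PEM_RE.search(cert_bytes)
    if m is None:
        return cert_bytes
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)


def fingerprint(cert_bytes, algo):
    """Digest of the DER encoding, as upper-case hex without separators."""
    if algo not in HEX_LEN:
        raise ValueError("algo must be 'md5' or 'sha1'")
    return hashlib.new(algo, to_der(cert_bytes)).hexdigest().upper()


def normalize(algo, text):
    """Accept 'D1:52:..', 'd1 52 ..' or plain hex; return the form the CLI takes."""
    if algo not in HEX_LEN:
        raise ValueError("algo must be 'md5' or 'sha1'")
    value = re.sub(r"[\s:.-]", "", text).upper()
    if len(value) != HEX_LEN[algo] or re.fullmatch(r"[0-9A-F]+", value) is None:
        raise ValueError(
            f"{algo} fingerprint must be {HEX_LEN[algo]} hexadecimal characters")
    return value


def cli_command(algo, text):
    """Build the PKI domain view command for a fingerprint obtained out of band."""
    return f"root-certificate fingerprint {algo} {normalize(algo, text)}"


def matches(cert_bytes, algo, configured):
    """True if the certificate file has the fingerprint that is configured."""
    return hmac.compare_digest(fingerprint(cert_bytes, algo),
                               normalize(algo, configured))


# Constructed stand-in for a DER-encoded root certificate (not a real certificate).
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-root-ca"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # The SHA1 value from the manual's example, written with colon separators.
    print(cli_command(
        "sha1", "d1:52:61:10:aa:d7:52:7f:b0:93:ed:7f:c0:37:b0:b3:cd:dd:ad:93"))
    print(matches(SAMPLE_PEM, "sha1", fingerprint(SAMPLE_DER, "sha1")))
```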

rule (PKI CERT ACP view)

Syntax

rule [ id ] { deny | permit } group-name


undo rule { id | all }

View

PKI certificate access control policy view

Default Level

2: System level

Parameters

id: Number of the certificate attribute access control rule, in the range 1 to 16. The default is the smallest
unused number in this range.
deny: Indicates that a certificate whose attributes match an attribute rule in the specified attribute group
is considered invalid and denied.
permit: Indicates that a certificate whose attributes match an attribute rule in the specified attribute
group is considered valid and permitted.
group-name: Name of the certificate attribute group to be associated with the rule, a case-insensitive
string of 1 to 16 characters. It cannot be “a”, “al” or “all”.
all: Specifies all access control rules.

Description

Use the rule command to create a certificate attribute access control rule.
Use the undo rule command to delete a specified or all access control rules.
By default, no access control rule exists.
Note that a certificate attribute group must exist to be associated with a rule.

Examples

# Create an access control rule, specifying that a certificate is considered valid when it matches an
attribute rule in certificate attribute group mygroup.

<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup

state

Syntax

state state-name
undo state

View

PKI entity view

Default Level

2: System level

Parameters

state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be
included.

Description

Use the state command to specify the name of the state or province where an entity resides.
Use the undo state command to remove the configuration.
By default, no state or province is specified.

Examples

# Specify the state where an entity resides.


<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] state country

Table of Contents

1 SSL Configuration Commands
  SSL Configuration Commands
    ciphersuite
    client-verify enable
    close-mode wait
    display ssl client-policy
    display ssl server-policy
    handshake timeout
    pki-domain
    prefer-cipher
    session
    ssl client-policy
    ssl server-policy
    version

1 SSL Configuration Commands

SSL Configuration Commands


ciphersuite

Syntax

ciphersuite [ rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *

View

SSL server policy view

Default Level

2: System level

Parameters

rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
128-bit AES_CBC, and the MAC algorithm of SHA.
rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
DES_CBC, and the MAC algorithm of SHA.
rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
128-bit RC4, and the MAC algorithm of MD5.
rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
128-bit RC4, and the MAC algorithm of SHA.

Description

Use the ciphersuite command to specify the cipher suite(s) for an SSL server policy to support.
By default, an SSL server policy supports all cipher suites.
Note that:
• With no keyword specified, the command configures an SSL server policy to support all cipher
suites.
• If you execute the command repeatedly, the last one takes effect.
Related commands: display ssl server-policy.

Examples

# Configure SSL server policy policy1 to support cipher suites rsa_rc4_128_md5 and
rsa_rc4_128_sha.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] ciphersuite rsa_rc4_128_md5 rsa_rc4_128_sha

client-verify enable

Syntax

client-verify enable
undo client-verify enable

View

SSL server policy view

Default Level

2: System level

Parameters

None

Description

Use the client-verify enable command to enable certificate-based SSL client authentication, that is, to
enable the SSL server to authenticate the client by the client’s certificate during the SSL handshake
process.
Use the undo client-verify enable command to restore the default.
By default, certificate-based SSL client authentication is disabled.
Related commands: display ssl server-policy.

Examples

# Enable certificate-based SSL client authentication.


<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] client-verify enable

close-mode wait

Syntax

close-mode wait
undo close-mode wait

View

SSL server policy view

Default Level

2: System level

Parameters

None

Description

Use the close-mode wait command to set the SSL connection close mode to wait mode. In this mode,
after sending a close-notify alert message to a client, the server does not close the connection until it
receives a close-notify alert message from the client.
Use the undo close-mode wait command to restore the default.
By default, an SSL server sends a close-notify alert message to the client and closes the connection
without waiting for the close-notify alert message from the client.
Related commands: display ssl server-policy.

Examples

# Set the SSL connection close mode to wait.


<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] close-mode wait

display ssl client-policy

Syntax

display ssl client-policy { policy-name | all }

View

Any view

Default Level

1: Monitor level

Parameters

policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters.


all: Displays information about all SSL client policies.

Description

Use the display ssl client-policy command to view information about a specified or all SSL client
policies.

Examples

# Display information about SSL client policy policy1.


<Sysname> display ssl client-policy policy1
SSL Client Policy: policy1
SSL Version: SSL 3.0
PKI Domain: 1
Prefer Ciphersuite:
RSA_RC4_128_SHA

Table 1-1 display ssl client-policy command output description

| Field | Description |
|---|---|
| SSL Client Policy | SSL client policy name |
| SSL Version | Version of the protocol used by the SSL client policy, SSL 3.0 or TLS 1.0. |
| PKI Domain | PKI domain of the SSL client policy |
| Prefer Ciphersuite | Preferred cipher suite of the SSL client policy |

display ssl server-policy

Syntax

display ssl server-policy { policy-name | all }

View

Any view

Default Level

1: Monitor level

Parameters

policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters.


all: Displays information about all SSL server policies.

Description

Use the display ssl server-policy command to view information about a specified or all SSL server
policies.

Examples

# Display information about SSL server policy policy1.


<Sysname> display ssl server-policy policy1
SSL Server Policy: policy1
PKI Domain: domain1
Ciphersuite:
RSA_RC4_128_MD5
RSA_RC4_128_SHA
RSA_DES_CBC_SHA
RSA_AES_128_CBC_SHA
Handshake Timeout: 3600
Close-mode: wait disabled
Session Timeout: 3600
Session Cachesize: 500
Client-verify: disabled

Table 1-2 display ssl server-policy command output description

| Field | Description |
|---|---|
| SSL Server Policy | SSL server policy name |
| PKI Domain | PKI domain used by the SSL server policy |
| Ciphersuite | Cipher suites supported by the SSL server policy |
| Handshake Timeout | Handshake timeout time of the SSL server policy, in seconds |
| Close-mode | Close mode of the SSL server policy, which can be: • wait disabled: In this mode, the server sends a close-notify alert message to the client and then closes the connection immediately without waiting for the close-notify alert message of the client. • wait enabled: In this mode, the server sends a close-notify alert message to the client and then waits for the close-notify alert message of the client. Only after receiving the expected message, does the server close the connection. |
| Session Timeout | Session timeout time of the SSL server policy, in seconds |
| Session Cachesize | Maximum number of buffered sessions of the SSL server policy |
| Client-verify | Whether client authentication is enabled for the SSL server policy |
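
Because a server policy supports all four cipher suites by default, the display output is a convenient place to review what a policy actually offers. The following Python code is an added example, not part of the H3C manual: it parses the sample output above, lists the suites built on RC4 or single DES, and produces the ciphersuite command that keeps only the remaining suites. The classification of RC4 (prohibited for TLS by RFC 7465) and DES (56-bit key) as weak is this example's, not the manual's, and the function names are constructed for illustration.

```python
# Output of "display ssl server-policy policy1" as printed in the manual above.
SAMPLE = """\
SSL Server Policy: policy1
PKI Domain: domain1
Ciphersuite:
RSA_RC4_128_MD5
RSA_RC4_128_SHA
RSA_DES_CBC_SHA
RSA_AES_128_CBC_SHA
Handshake Timeout: 3600
Close-mode: wait disabled
Session Timeout: 3600
Session Cachesize: 500
Client-verify: disabled
"""

# Assumption of this example (not stated in the manual): which algorithm tokens
# in a suite name mark the suite as weak, and why.
WEAK_TOKENS = {
    "RC4": "RC4 stream cipher, prohibited for TLS by RFC 7465",
    "DES": "single DES, 56-bit key",
}


def parse_server_policy(text):
    """Parse 'Key: value' lines; bare lines after 'Ciphersuite:' are suite names."""
    policy = {"ciphersuites": []}
    in_suites = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            in_suites = key.lower() == "ciphersuite" and not value
            if not in_suites:
                policy[key.lower()] = value
        elif in_suites:
            policy["ciphersuites"].append(line.upper())
    return policy


def weak_suites(policy):
    """Return [(suite, [reasons])] for every suite containing a weak token."""
    findings = []
    for suite in policy["ciphersuites"]:
        tokens = suite.split("_")  # whole tokens, so "DES" never matches "3DES"
        reasons = [why for token, why in WEAK_TOKENS.items() if token in tokens]
        if reasons:
            findings.append((suite, reasons))
    return findings


def review(policy):
    """Human-readable review notes for one policy."""
    notes = [f"{suite}: {'; '.join(why)}" for suite, why in weak_suites(policy)]
    if policy.get("client-verify") == "disabled":
        notes.append("Client-verify disabled: clients are not authenticated "
                     "by certificate")
    return notes


def hardening_commands(policy):
    """CLI lines that restrict the policy to the suites not flagged as weak."""
    weak = {suite for suite, _ in weak_suites(policy)}
    if not weak:
        return []
    keep = [s.lower() for s in policy["ciphersuites"] if s not in weak]
    if not keep:
        raise ValueError("every configured suite is flagged; nothing left to keep")
    return ["system-view",
            f"ssl server-policy {policy['ssl server policy']}",
            "ciphersuite " + " ".join(keep)]


if __name__ == "__main__":
    parsed = parse_server_policy(SAMPLE)
    print("\n".join(review(parsed)))
    print("\n".join(hardening_commands(parsed)))
```

Clients that support only the removed suites can no longer connect after the change, so check client capabilities before applying it.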

handshake timeout

Syntax

handshake timeout time


undo handshake timeout

View

SSL server policy view

Default Level

2: System level

Parameters

time: Handshake timeout time in seconds, in the range 180 to 7200.

Description

Use the handshake timeout command to set the handshake timeout time for an SSL server policy.
Use the undo handshake timeout command to restore the default.
By default, the handshake timeout time is 3600 seconds.
If the SSL server does not receive any packet from the SSL client before the handshake timeout time
expires, the SSL server will terminate the handshake process.
Related commands: display ssl server-policy.

Examples

# Set the handshake timeout time of SSL server policy policy1 to 3000 seconds.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] handshake timeout 3000

pki-domain

Syntax

pki-domain domain-name
undo pki-domain

View

SSL server policy view, SSL client policy view

Default Level

2: System level

Parameters

domain-name: Name of a PKI domain, a case-insensitive string of 1 to 15 characters.

Description

Use the pki-domain command to specify a PKI domain for an SSL server policy or SSL client policy.
Use the undo pki-domain command to restore the default.
By default, no PKI domain is configured for an SSL server policy or SSL client policy.
Related commands: display ssl server-policy and display ssl client-policy.

Examples

# Configure SSL server policy policy1 to use PKI domain server-domain.


<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] pki-domain server-domain

# Configure SSL client policy policy1 to use PKI domain client-domain.


<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] pki-domain client-domain

prefer-cipher

Syntax

prefer-cipher { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }


undo prefer-cipher

View

SSL client policy view

Default Level

2: System level

Parameters

rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
128-bit AES_CBC, and the MAC algorithm of SHA.
rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
DES_CBC, and the MAC algorithm of SHA.
rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
128-bit RC4, and the MAC algorithm of MD5.
rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
128-bit RC4, and the MAC algorithm of SHA.

Description

Use the prefer-cipher command to specify the preferred cipher suite for an SSL client policy.
Use the undo prefer-cipher command to restore the default.
By default, the preferred cipher suite for an SSL client policy is rsa_rc4_128_md5.
Related commands: display ssl client-policy.

Examples

# Set the preferred cipher suite for SSL client policy policy1 to rsa_aes_128_cbc_sha.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha

session

Syntax

session { cachesize size | timeout time } *


undo session { cachesize | timeout } *

View

SSL server policy view

Default Level

2: System level

Parameters

cachesize size: Specifies the maximum number of cached sessions, in the range 100 to 1000.
timeout time: Specifies the caching timeout time in seconds, in the range 1800 to 72000.

Description

Use the session command to set the maximum number of cached sessions and the caching timeout
time.
Use the undo session command to restore the default.
By default, the maximum number of cached sessions is 500 and the caching timeout time is 3,600
seconds.

Negotiating session parameters and establishing a session through the SSL handshake protocol is quite
complicated. SSL allows reusing the negotiated session parameters to establish sessions. Therefore, the
SSL server needs to maintain information about existing sessions.
Note that the number of cached sessions and the session information caching time are limited:
• If the number of sessions in the cache reaches the maximum, SSL refuses to cache new sessions.
• If a session has been cached for a period equal to the caching timeout time, SSL will remove the
information of the session.
Related commands: display ssl server-policy.

Examples

# Set the caching timeout time to 4000 seconds and the maximum number of cached sessions to 600.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] session timeout 4000 cachesize 600

ssl client-policy

Syntax

ssl client-policy policy-name


undo ssl client-policy { policy-name | all }

View

System view

Default Level

2: System level

Parameters

policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be “a”,
“al” or “all”.
all: Specifies all SSL client policies.

Description

Use the ssl client-policy command to create an SSL client policy and enter its view.
Use the undo ssl client-policy command to delete a specified or all SSL client policies.
Related commands: display ssl client-policy.

Examples

# Create SSL client policy policy1 and enter its view.


<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1]

ssl server-policy

Syntax

ssl server-policy policy-name


undo ssl server-policy { policy-name | all }

View

System view

Default Level

2: System level

Parameters

policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters, which cannot be
“a”, “al” or “all”.
all: Specifies all SSL server policies.

Description

Use the ssl server-policy command to create an SSL server policy and enter its view.
Use the undo ssl server-policy command to delete a specified or all SSL server policies.
Note that you cannot delete an SSL server policy that has been associated with one or more application
layer protocols.
Related commands: display ssl server-policy.

Examples

# Create SSL server policy policy1 and enter its view.


<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1]

version

Syntax

version { ssl3.0 | tls1.0 }


undo version

View

SSL client policy view

Default Level

2: System level

Parameters

ssl3.0: Specifies SSL 3.0.


tls1.0: Specifies TLS 1.0.

Description

Use the version command to specify the SSL protocol version for an SSL client policy.
Use the undo version command to restore the default.
By default, the SSL protocol version for an SSL client policy is TLS 1.0.
Related commands: display ssl client-policy.

Examples

# Specify the SSL protocol version for SSL client policy policy1 as SSL 3.0.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] version ssl3.0

1-10
Table of Contents

1 SSH2.0 Configuration Commands
    SSH2.0 Server Configuration Commands
        display ssh server
        display ssh user-information
        ssh server authentication-retries
        ssh server authentication-timeout
        ssh server compatible-ssh1x enable
        ssh server enable
        ssh server rekey-interval
        ssh user
    SSH2.0 Client Configuration Commands
        display ssh client source
        display ssh server-info
        ssh client authentication server
        ssh client first-time enable
        ssh client source
        ssh2
    SFTP Server Configuration Commands
        sftp server enable
        sftp server idle-timeout
    SFTP Client Configuration Commands
        bye
        cd
        cdup
        delete
        dir
        display sftp client source
        exit
        get
        help
        ls
        mkdir
        put
        pwd
        quit
        remove
        rename
        rmdir
        sftp
        sftp client source

1 SSH2.0 Configuration Commands

SSH2.0 Server Configuration Commands

display ssh server

Syntax

display ssh server { session | status }

View

Any view

Default Level

1: Monitor level

Parameters

session: Displays the session information of the SSH server.


status: Displays the status information of the SSH server.

Description

Use the display ssh server command on an SSH server to display SSH server status information or
session information.
Related commands: ssh server authentication-retries, ssh server rekey-interval, ssh server
authentication-timeout, ssh server enable, ssh server compatible-ssh1x enable.

This command is also available on an SFTP server.

Examples

# Display the SSH server status information.
<Sysname> display ssh server status
SSH Server: Disable
SSH version : 1.99
SSH authentication-timeout : 60 second(s)
SSH server key generating interval : 0 hour(s)
SSH Authentication retries : 3 time(s)
SFTP Server: Disable
SFTP Server Idle-Timeout: 10 minute(s)

Table 1-1 display ssh server status command output description

Field                                 Description
SSH Server                            Whether the SSH server function is enabled
SSH version                           SSH protocol version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.0.
SSH authentication-timeout            Authentication timeout period
SSH server key generating interval    SSH server key pair update interval
SSH Authentication retries            Maximum number of SSH authentication attempts
SFTP Server                           Whether the SFTP server function is enabled
SFTP Server Idle-Timeout              SFTP connection idle timeout period

# Display the SSH server session information.


<Sysname> display ssh server session
Conn Ver Encry State Retry SerType Username
VTY 0 2.0 DES Established 0 SFTP client001

Table 1-2 display ssh server session command output description

Field       Description
Conn        Connected VTY channel
Ver         SSH server protocol version
Encry       Encryption algorithm
State       Status of the session, including: Init, Ver-exchange, Keys-exchange, Auth-request, Serv-request, Established, Disconnected
Retry       Number of authentication attempts
SerType     Service type (SFTP, Stelnet)
Username    Name of a user for login
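
The following Python example is added here and is not part of the H3C manual. It parses the two display ssh server outputs described above and reports SSH1 compatibility (version 1.99), an SSH1 server key that is never updated, and sessions that negotiated DES. The sample output is constructed from the manual's examples; the second session row, its AES value, and the finding codes are assumptions of this example.

```python
import re

# Constructed sample output, modelled on the two examples in this section.
# The second session row and its "AES" value are assumptions of this example.
STATUS_OUTPUT = """\
SSH Server: Enable
SSH version : 1.99
SSH authentication-timeout : 60 second(s)
SSH server key generating interval : 0 hour(s)
SSH Authentication retries : 3 time(s)
SFTP Server: Disable
SFTP Server Idle-Timeout: 10 minute(s)
"""

SESSION_OUTPUT = """\
Conn Ver Encry State Retry SerType Username
VTY 0 2.0 DES Established 0 SFTP client001
VTY 1 2.0 AES Established 1 Stelnet admin01
"""

# One session row: Conn is two tokens ("VTY 0"), every other column is one token.
SESSION_ROW = re.compile(
    r"^(?P<conn>VTY\s+\d+)\s+(?P<ver>\S+)\s+(?P<encry>\S+)\s+(?P<state>\S+)"
    r"\s+(?P<retry>\d+)\s+(?P<sertype>\S+)\s+(?P<username>\S+)$"
)


def parse_status(text):
    """Turn the 'Field : value' lines of 'display ssh server status' into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_sessions(text):
    """Return one dict per session row; the header line does not match and is skipped."""
    rows = []
    for line in text.splitlines():
        match = SESSION_ROW.match(line.strip())
        if match:
            row = match.groupdict()
            row["retry"] = int(row["retry"])
            rows.append(row)
    return rows


def leading_int(value):
    """Extract the number from values such as '0 hour(s)'; None if there is none."""
    match = re.match(r"\d+", value)
    return int(match.group()) if match else None


def audit(status, sessions):
    """Return (code, message) findings; the codes are names chosen for this example."""
    findings = []
    if status.get("SSH version") == "1.99":
        findings.append(("SSH1_COMPAT",
                         "server accepts SSH1 clients; use 'undo ssh server compatible-ssh1x'"))
        if leading_int(status.get("SSH server key generating interval", "")) == 0:
            findings.append(("SSH1_KEY_STATIC",
                             "RSA server key for SSH1 clients is never updated (interval 0)"))
    for session in sessions:
        where = f"{session['conn']} user {session['username']}"
        if session["ver"].startswith("1."):
            findings.append(("SSH1_SESSION", f"{where}: SSH1 session in use"))
        if session["encry"].upper() == "DES":
            findings.append(("DES_SESSION", f"{where}: session encrypted with DES"))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse_status(STATUS_OUTPUT), parse_sessions(SESSION_OUTPUT)):
        print(f"{code}: {message}")
```
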

display ssh user-information

Syntax

display ssh user-information [ username ]

View

Any view

Default Level

1: Monitor level

Parameters

username: SSH username, a string of 1 to 80 characters.

Description

Use the display ssh user-information command on an SSH server to display information about one or
all SSH users.
Note that:
• This command displays only information about SSH users configured through the ssh user
command on the SSH server.
• With the username argument not specified, the command displays information about all SSH
users.
Related commands: ssh user.

This command is also available on an SFTP server.

Examples

# Display information about all SSH users.


<Sysname> display ssh user-information
Total ssh users : 2
Username Authentication-type User-public-key-name Service-type
yemx password null stelnet|sftp
test publickey pubkey sftp

Table 1-3 display ssh user-information command output description

Field                   Description
Username                Name of the user
Authentication-type     Authentication method. If this field has a value of password, the next field will have a value of null.
User-public-key-name    Public key of the user
Service-type            Service type

ssh server authentication-retries

Syntax

ssh server authentication-retries times


undo ssh server authentication-retries

View

System view

Default Level

2: System level

Parameters

times: Maximum number of authentication attempts, in the range 1 to 5.

Description

Use the ssh server authentication-retries command to set the maximum number of SSH connection
authentication attempts.
Use the undo ssh server authentication-retries command to restore the default.
By default, the maximum number of SSH connection authentication attempts is 3.
Note that:
• This configuration takes effect only for users trying to log in after the configuration.
• Authentication will fail if the number of authentication attempts (including both publickey and
password authentication) exceeds that specified in the ssh server authentication-retries
command.
• If the authentication method of SSH users is password-publickey, the maximum number of SSH
connection authentication attempts must be at least 2. This is because SSH2.0 users must pass
both password and publickey authentication.
Related commands: display ssh server.

Examples

# Set the maximum number of SSH connection authentication attempts to 4.


<Sysname> system-view
[Sysname] ssh server authentication-retries 4

ssh server authentication-timeout

Syntax

ssh server authentication-timeout time-out-value


undo ssh server authentication-timeout

View

System view

Default Level

2: System level

Parameters

time-out-value: Authentication timeout period in seconds, in the range 1 to 120.

Description

Use the ssh server authentication-timeout command to set the SSH user authentication timeout
period on the SSH server.
Use the undo ssh server authentication-timeout command to restore the default.
By default, the authentication timeout period is 60 seconds.
Related commands: display ssh server.

Examples

# Set the SSH user authentication timeout period to 10 seconds.


<Sysname> system-view
[Sysname] ssh server authentication-timeout 10

ssh server compatible-ssh1x enable

Syntax

ssh server compatible-ssh1x enable


undo ssh server compatible-ssh1x

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ssh server compatible-ssh1x enable command to enable the SSH server to support SSH1 clients.
Use the undo ssh server compatible-ssh1x command to disable the SSH server from supporting
SSH1 clients.
By default, the SSH server supports SSH1 clients.
This configuration takes effect only for users logging in after the configuration.
Related commands: display ssh server.

Examples

# Enable the SSH server to support SSH1 clients.


<Sysname> system-view
[Sysname] ssh server compatible-ssh1x enable

ssh server enable

Syntax

ssh server enable


undo ssh server enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ssh server enable command to enable the SSH server function.
Use the undo ssh server enable command to disable the SSH server function.
By default, SSH server is disabled.

Examples

# Enable SSH server.


<Sysname> system-view
[Sysname] ssh server enable

ssh server rekey-interval

Syntax

ssh server rekey-interval hours


undo ssh server rekey-interval

View

System view

Default Level

2: System level

Parameters

hours: Server key pair update interval in hours, in the range 1 to 24.

Description

Use the ssh server rekey-interval command to set the interval for updating the RSA server key.
Use the undo ssh server rekey-interval command to restore the default.
By default, the update interval of the RSA server key is 0, that is, the RSA server key is not updated.

Related commands: display ssh server.

• This command is only available to SSH users using SSH1 client software.
• The system does not update any DSA key pair periodically.

Examples

# Set the RSA server key pair update interval to 3 hours.


<Sysname> system-view
[Sysname] ssh server rekey-interval 3

ssh user

Syntax

ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
ssh user username service-type { all | sftp } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname work-directory directory-name }
undo ssh user username

View

System view

Default Level

2: System level

Parameters

username: SSH username, a case-sensitive string of 1 to 80 characters.


service-type: Specifies the service type of an SSH user, which can be one of the following:
• all: Specifies both secure Telnet and secure FTP.
• sftp: Specifies the service type as secure FTP.
• stelnet: Specifies the service type as secure Telnet.
authentication-type: Specifies the authentication method of an SSH user, which can be one of the
following:
• password: Performs password authentication.
• any: Performs either password authentication or publickey authentication.
• password-publickey: Specifies that SSH2 clients perform both password authentication and
publickey authentication and that SSH1 clients perform either type of authentication.
• publickey: Performs publickey authentication.
assign publickey keyname: Assigns an existing public key to an SSH user. keyname indicates the
name of the client public key and is a string of 1 to 64 characters.
work-directory directory-name: Specifies the working directory for an SFTP user. directory-name
indicates the name of the working directory and is a string of 1 to 135 characters.

Description

Use the ssh user command to create an SSH user and specify the service type and authentication
method.
Use the undo ssh user command to delete an SSH user.
Note that:
• For a publickey authentication user, you must configure the username and the public key on the
device. For a password authentication user, you can configure the account information on either
the device or a remote authentication server such as a RADIUS server.
• If you use the ssh user command to configure a public key for a user who already has a public
key, the new one overwrites the old one.
• You can change the authentication method and public key of an SSH user while the user is
communicating with the SSH server. However, your changes take effect only after the user logs out
and logs in again.
• If an SFTP user has been assigned a public key, it is necessary to set a working folder for the user.
• The working folder of an SFTP user is subject to the user authentication method. For a user using
only password authentication, the working folder is the AAA authorized one. For a user using only
publickey authentication or using both publickey authentication and password authentication, the
working folder is the one set by using the ssh user command.
Related commands: display ssh user-information.

Examples

# Create an SSH user named user1, setting the service type as sftp, the authentication method as
publickey, and the working directory of the SFTP server as flash:, and assigning a public key named
key1 to the user.
<Sysname> system-view
[Sysname] ssh user user1 service-type sftp authentication-type publickey assign publickey key1 work-directory flash:

SSH2.0 Client Configuration Commands


display ssh client source

Syntax

display ssh client source

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ssh client source command to display the source IP address or source interface
currently set for the SSH client.
If neither a source IP address nor a source interface is specified for the SSH client, the system displays
the message “Neither source IP address nor source interface was specified for the STelnet client.”
Related commands: ssh client source.

Examples

# Display the source IP address of the SSH client.


<Sysname> display ssh client source
The source IP address you specified is 192.168.0.1

display ssh server-info

Syntax

display ssh server-info

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ssh server-info command on a client to display mappings between SSH servers and
their host public keys saved on the client.
When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the
server for the authentication. If the authentication fails, you can use this command to check the public
key of the server saved on the client.
Related commands: ssh client authentication server.

This command is also available on an SFTP client.

Examples

# Display the mappings between host public keys and SSH servers saved on the client.
<Sysname> display ssh server-info
Server Name(IP) Server public key name
______________________________________________________
192.168.0.1 abc_key01
192.168.0.2 abc_key02

Table 1-4 display ssh server-info command output description

Field                     Description
Server Name(IP)           Name or IP address of the server
Server public key name    Name of the host public key of the server

ssh client authentication server

Syntax

ssh client authentication server server assign publickey keyname


undo ssh client authentication server server assign publickey

View

System view

Default Level

2: System level

Parameters

server: IP address or name of the server, a string of 1 to 80 characters.


assign publickey keyname: Specifies the name of the host public key of the server, a string of 1 to 64
characters.

Description

Use the ssh client authentication server command on a client to configure the host public key of a
specified server so that the client can determine whether the server is trustworthy.
Use the undo ssh client authentication server command to remove the configuration.
By default, the host public key of the server is not configured, and when logging into the server, the
client uses the IP address or host name used for login as the public key name.
If the client does not support first-time authentication, it will reject unauthenticated servers. In this case,
you need to configure the public keys of the servers and specify the mappings between public keys and
servers on the client, so that the client uses the correct public key of a server to authenticate the server.
Note that the specified host public key of the server must already exist.
Related commands: ssh client first-time enable.

Examples

# Configure the public key of the server with the IP address of 192.168.0.1 to be key1.
<Sysname> system-view
[Sysname] ssh client authentication server 192.168.0.1 assign publickey key1

ssh client first-time enable

Syntax

ssh client first-time enable


undo ssh client first-time

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ssh client first-time enable command to enable the first-time authentication function.
Use the undo ssh client first-time command to disable the function.
By default, the function is enabled.
With first-time authentication, when an SSH client not configured with the server host public key
accesses the server for the first time, the user can continue accessing the server, and save the host
public key on the client. When accessing the server again, the client will use the saved server host
public key to authenticate the server.
Without first-time authentication, a client not configured with the server host public key refuses to
access the server. To access the server, a user must configure the server host public key locally in
advance and specify the public key name for authentication.
Note that as the server may update its key pairs periodically, clients must obtain the most recent public
keys of the server for successful authentication of the server.

Examples

# Enable the first-time authentication function.


<Sysname> system-view
[Sysname] ssh client first-time enable

ssh client source

Syntax

ssh client source { ip ip-address | interface interface-type interface-number }


undo ssh client source

View

System view

Default Level

3: Manage level

Parameters

ip ip-address: Specifies a source IPv4 address.


interface interface-type interface-number: Specifies a source interface by its type and number.

Description

Use the ssh client source command to specify the source IPv4 address or source interface of the SSH
client.
Use the undo ssh client source command to remove the configuration.
By default, an SSH client uses the IP address of the interface specified by the route to access the SSH
server.
Related commands: display ssh client source.

Examples

# Specify the source IPv4 address of the SSH client as 192.168.0.1.


<Sysname> system-view
[Sysname] ssh client source ip 192.168.0.1

ssh2

Syntax

ssh2 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } |
prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1
| dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1
| sha1-96 } ] *

View

User view

Default Level

0: Visit level

Parameters

server: IPv4 address or host name of the server, a case-insensitive string of 1 to 20 characters.
port-number: Port number of the server, in the range 0 to 65535. The default is 22.
identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.
prefer-ctos-cipher: Preferred encryption algorithm from client to server. The default is aes128.
• 3des: Encryption algorithm 3des-cbc.
• aes128: Encryption algorithm aes128-cbc.
• des: Encryption algorithm des-cbc.
prefer-ctos-hmac: Preferred HMAC algorithm from client to server. The default is sha1-96.
• md5: HMAC algorithm hmac-md5.
• md5-96: HMAC algorithm hmac-md5-96.
• sha1: HMAC algorithm hmac-sha1.
• sha1-96: HMAC algorithm hmac-sha1-96.
prefer-kex: Preferred key exchange algorithm. The default is dh-group-exchange.
• dh-group-exchange: Key exchange algorithm diffie-hellman-group-exchange-sha1.
• dh-group1: Key exchange algorithm diffie-hellman-group1-sha1.
• dh-group14: Key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Preferred encryption algorithm from server to client. The default is aes128.
prefer-stoc-hmac: Preferred HMAC algorithm from server to client. The default is sha1-96.

Description

Use the ssh2 command to establish a connection to an IPv4 SSH server and specify the public key
algorithm, the preferred key exchange algorithm, and the preferred encryption algorithms and preferred
HMAC algorithm between the client and server.
Note that when the client’s authentication method is publickey, the client needs to get the local private
key for validation. As the publickey authentication includes RSA and DSA algorithms, you must specify
an algorithm (by using the identity-key keyword) in order to get the correct data for the local private key.
By default, the publickey algorithm is DSA.

Examples

# Log in to remote SSH2.0 server 10.214.50.51, using the following algorithms:
• Preferred key exchange algorithm: DH-group1
• Preferred encryption algorithm from server to client: AES128
• Preferred HMAC algorithm from client to server: MD5
• Preferred HMAC algorithm from server to client: SHA1-96
<Sysname> ssh2 10.214.50.51 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
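
The following Python example is added here and is not part of the H3C manual. It resolves an ssh2 command line against the keywords, values and defaults listed in the Parameters above, then reports which preferred algorithms a reviewer would replace. The set of values treated as weak (des, md5, md5-96, dh-group1) and the suggested replacements are this example's own classification, chosen from the values the same keyword accepts.

```python
# Keyword -> (allowed values, default), as listed in the ssh2 Parameters above.
OPTIONS = {
    "identity-key": (("dsa", "rsa"), "dsa"),
    "prefer-ctos-cipher": (("3des", "aes128", "des"), "aes128"),
    "prefer-ctos-hmac": (("md5", "md5-96", "sha1", "sha1-96"), "sha1-96"),
    "prefer-kex": (("dh-group-exchange", "dh-group1", "dh-group14"), "dh-group-exchange"),
    "prefer-stoc-cipher": (("3des", "aes128", "des"), "aes128"),
    "prefer-stoc-hmac": (("md5", "md5-96", "sha1", "sha1-96"), "sha1-96"),
}

# CLI value -> SSH algorithm name, as given in the Parameters above.
WIRE_NAMES = {
    "3des": "3des-cbc", "aes128": "aes128-cbc", "des": "des-cbc",
    "md5": "hmac-md5", "md5-96": "hmac-md5-96",
    "sha1": "hmac-sha1", "sha1-96": "hmac-sha1-96",
    "dh-group-exchange": "diffie-hellman-group-exchange-sha1",
    "dh-group1": "diffie-hellman-group1-sha1",
    "dh-group14": "diffie-hellman-group14-sha1",
}

# Assumption of this example, not a statement from the manual: values treated
# as weak, each mapped to a stronger value that the same keyword accepts.
WEAK = {"des": "aes128", "md5": "sha1", "md5-96": "sha1-96", "dh-group1": "dh-group14"}

# The command from the Examples above, joined onto one line.
PAGE_EXAMPLE = ("<Sysname> ssh2 10.214.50.51 prefer-kex dh-group1 prefer-stoc-cipher aes128 "
                "prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96")


def parse_ssh2(command):
    """Return server, port and the effective value of every keyword (defaults filled in)."""
    tokens = command.split()
    if tokens and tokens[0].startswith("<") and tokens[0].endswith(">"):
        tokens = tokens[1:]  # drop a leading "<Sysname>" prompt
    if len(tokens) < 2 or tokens[0] != "ssh2":
        raise ValueError("expected: ssh2 server [ port-number ] [ keyword value ] ...")
    server, rest = tokens[1], tokens[2:]
    if not 1 <= len(server) <= 20:
        raise ValueError("server must be a string of 1 to 20 characters")
    port = 22
    if rest and rest[0].isdigit():
        port = int(rest[0])
        if port > 65535:
            raise ValueError("port-number must be in the range 0 to 65535")
        rest = rest[1:]
    if len(rest) % 2:
        raise ValueError("keyword without a value")
    chosen = {keyword: default for keyword, (_, default) in OPTIONS.items()}
    for keyword, value in zip(rest[0::2], rest[1::2]):
        if keyword not in OPTIONS:
            raise ValueError(f"unknown keyword: {keyword}")
        if value not in OPTIONS[keyword][0]:
            raise ValueError(f"{keyword} does not accept {value}")
        chosen[keyword] = value
    return {"server": server, "port": port, "options": chosen}


def weak_preferences(parsed):
    """Return (keyword, algorithm name, suggested value) for each weak preference.

    These are preferences offered by the client; the algorithm actually used
    is still decided by negotiation with the server.
    """
    return [(keyword, WIRE_NAMES[value], WEAK[value])
            for keyword, value in parsed["options"].items() if value in WEAK]


if __name__ == "__main__":
    for keyword, algorithm, better in weak_preferences(parse_ssh2(PAGE_EXAMPLE)):
        print(f"{keyword}: {algorithm} is weak, prefer {better}")
```
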

SFTP Server Configuration Commands

sftp server enable

Syntax

sftp server enable


undo sftp server enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the sftp server enable command to enable SFTP server.


Use the undo sftp server enable command to disable SFTP server.
By default, SFTP server is disabled.
Related commands: display ssh server.

Examples

# Enable SFTP server.


<Sysname> system-view
[Sysname] sftp server enable

sftp server idle-timeout

Syntax

sftp server idle-timeout time-out-value


undo sftp server idle-timeout

View

System view

Default Level

2: System level

Parameters

time-out-value: Timeout period in minutes. It ranges from 1 to 35,791.

Description

Use the sftp server idle-timeout command to set the idle timeout period for SFTP user connections.
Use the undo sftp server idle-timeout command to restore the default.
By default, the idle timeout period is 10 minutes.
Related commands: display ssh server.

Examples

# Set the idle timeout period for SFTP user connections to 500 minutes.
<Sysname> system-view
[Sysname] sftp server idle-timeout 500

SFTP Client Configuration Commands

bye

Syntax

bye

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the bye command to terminate the connection with a remote SFTP server and return to user view.
This command functions as the exit and quit commands.

Examples

# Terminate the connection with the remote SFTP server.


sftp-client> bye
Bye
Connection closed.
<Sysname>

cd

Syntax

cd [ remote-path ]

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-path: Name of a path on the server.

Description

Use the cd command to change the working path on a remote SFTP server. With the argument not
specified, the command displays the current working path.

• You can use the cd .. command to return to the upper-level directory.
• You can use the cd / command to return to the root directory of the system.

Examples

# Change the working path to new1.


sftp-client> cd new1
Current Directory is:
/new1

cdup

Syntax

cdup

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the cdup command to return to the upper-level directory.

Examples

# From the current working directory /new1, return to the upper-level directory.
sftp-client> cdup
Current Directory is:
/

delete

Syntax

delete remote-file&<1-10>

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-file&<1-10>: Names of files on the server. &<1-10> means that you can provide up to 10
filenames, separated by spaces.

Description

Use the delete command to delete the specified file(s) from a server.
This command functions as the remove command.

Examples

# Delete file temp.c from the server.


sftp-client> delete temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation may take a long time. Please wait...

File successfully Removed

dir

Syntax

dir [ -a | -l ] [ remote-path ]

View

SFTP client view

Default Level

3: Manage level

Parameters

-a: Displays the names of the files and sub-directories under the specified directory.
-l: Displays the detailed information of the files and sub-directories under the specified directory in the
form of a list.
remote-path: Name of the directory to be queried.

Description

Use the dir command to display information about the files and sub-directories under a specified
directory.
With neither the -a nor the -l keyword specified, the command displays detailed information of the files
and sub-directories under the specified directory in the form of a list.
With the remote-path not specified, the command displays information about the files and
sub-directories of the current working directory.
This command functions as the ls command.

Examples

# Display detailed information about the files and sub-directories under the current working directory in
the form of a list.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2

display sftp client source

Syntax

display sftp client source

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display sftp client source command to display the source IP address or source interface
currently set for the SFTP client.
If neither a source IP address nor a source interface is specified for the SFTP client, the system displays
the message “Neither source IP address nor source interface was specified for the SFTP client.”
Related commands: sftp client source.

Examples

# Display the source IP address of the SFTP client.


<Sysname> display sftp client source
The source IP address you specified is 192.168.0.1

exit

Syntax

exit

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the exit command to terminate the connection with a remote SFTP server and return to user view.
This command functions as the bye and quit commands.

Examples

# Terminate the connection with the remote SFTP server.


sftp-client> exit
Bye
Connection closed.
<Sysname>

get

Syntax

get remote-file [ local-file ]

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-file: Name of a file on the remote SFTP server.


local-file: Name for the local file.

Description

Use the get command to download a file from a remote SFTP server and save it locally.
If you do not specify the local-file argument, the file will be saved locally with the same name as that on
the remote SFTP server.

Examples

# Download file temp1.c and save it as temp.c locally.


sftp-client> get temp1.c temp.c
Remote file:/temp1.c ---> Local file: temp.c
Downloading file successfully ended

help

Syntax

help [ all | command-name ]

View

SFTP client view

Default Level

3: Manage level

Parameters

all: Displays a list of all commands.


command-name: Name of a command.

Description

Use the help command to display a list of all commands or the help information of an SFTP client
command.
With neither the argument nor the keyword specified, the command displays a list of all commands.

Examples

# Display the help information of the get command.


sftp-client> help get
get remote-path [local-path] Download file.Default local-path is the same
as remote-path

ls

Syntax

ls [ -a | -l ] [ remote-path ]

View

SFTP client view

Default Level

3: Manage level

Parameters

-a: Displays the filenames and the folder names of the specified directory.

-l: Displays in a list form detailed information of the files and folders of the specified directory.
remote-path: Name of the directory to be queried.

Description

Use the ls command to display file and folder information under a specified directory.
With neither the -a nor the -l keyword specified, the command displays detailed information of files and
folders under the specified directory in a list form.
With the remote-path not specified, the command displays the file and folder information of the current
working directory.
This command functions as the dir command.

Examples

# Display in a list form detailed file and folder information under the current working directory.
sftp-client> ls
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2

mkdir

Syntax

mkdir remote-path

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-path: Name for the directory on a remote SFTP server.

Description

Use the mkdir command to create a directory on a remote SFTP server.

Examples

# Create a directory named test on the remote SFTP server.


sftp-client> mkdir test
New directory created

put

Syntax

put local-file [ remote-file ]

View

SFTP client view

Default Level

3: Manage level

Parameters

local-file: Name of a local file.


remote-file: Name for the file on a remote SFTP server.

Description

Use the put command to upload a local file to a remote SFTP server.
If you do not specify the remote-file argument, the file will be saved remotely with the same name as the
local one.

Examples

# Upload local file temp.c to the remote SFTP server and save it as temp1.c.
sftp-client> put temp.c temp1.c
Local file:temp.c ---> Remote file: /temp1.c
Uploading file successfully ended

pwd

Syntax

pwd

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the pwd command to display the current working directory of a remote SFTP server.

Examples

# Display the current working directory of the remote SFTP server.

sftp-client> pwd
/

quit

Syntax

quit

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the quit command to terminate the connection with a remote SFTP server and return to user view.
This command functions as the bye and exit commands.

Examples

# Terminate the connection with the remote SFTP server.


sftp-client> quit
Bye
Connection closed.
<Sysname>

remove

Syntax

remove remote-file&<1-10>

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-file&<1-10>: Names of files on an SFTP server. &<1-10> means that you can provide up to 10
filenames, which are separated by spaces.

Description

Use the remove command to delete the specified file(s) from a remote server.
This command functions as the delete command.

Examples

# Delete file temp.c from the server.


sftp-client> remove temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation may take a long time.Please wait...

File successfully Removed

rename

Syntax

rename oldname newname

View

SFTP client view

Default Level

3: Manage level

Parameters

oldname: Original file name or directory name.


newname: New file name or directory name.

Description

Use the rename command to change the name of a specified file or directory on an SFTP server.

Examples

# Change the name of a file on the SFTP server from temp1.c to temp2.c.
sftp-client> rename temp1.c temp2.c
File successfully renamed

rmdir

Syntax

rmdir remote-path&<1-10>

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-path&<1-10>: Names of the directories on the remote SFTP server. &<1-10> means that you can
provide up to 10 directory names, which are separated by spaces.

Description

Use the rmdir command to delete the specified directories from an SFTP server.

Examples

# On the SFTP server, delete directory temp1 in the current directory.


sftp-client> rmdir temp1
Directory successfully removed

sftp

Syntax

sftp server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } |
prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1
| dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1
| sha1-96 } ] *

View

User view

Default Level

3: Manage level

Parameters

server: IPv4 address or host name of the server, a case-insensitive string of 1 to 20 characters.
port-number: Port number of the server, in the range 0 to 65535. The default is 22.
identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.
prefer-ctos-cipher: Preferred encryption algorithm from client to server, defaulted to aes128.
• 3des: Encryption algorithm 3des-cbc.
• aes128: Encryption algorithm aes128-cbc.
• des: Encryption algorithm des-cbc.
prefer-ctos-hmac: Preferred HMAC algorithm from client to server, defaulted to sha1-96.
• md5: HMAC algorithm hmac-md5.
• md5-96: HMAC algorithm hmac-md5-96.
• sha1: HMAC algorithm hmac-sha1.
• sha1-96: HMAC algorithm hmac-sha1-96.
prefer-kex: Preferred key exchange algorithm, defaulted to dh-group-exchange.
• dh-group-exchange: Key exchange algorithm diffie-hellman-group-exchange-sha1.
• dh-group1: Key exchange algorithm diffie-hellman-group1-sha1.
• dh-group14: Key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Preferred encryption algorithm from server to client, defaulted to aes128.
prefer-stoc-hmac: Preferred HMAC algorithm from server to client, defaulted to sha1-96.

Description

Use the sftp command to establish a connection to a remote IPv4 SFTP server and enter SFTP client
view.
Note that when the client’s authentication method is publickey, the client needs to get the local private
key for validation. As publickey authentication supports both the RSA and DSA algorithms, you must specify
an algorithm (by using the identity-key keyword) in order to get the correct data for the local private key.
By default, the publickey algorithm is DSA.

Examples

# Connect to SFTP server 10.1.1.2, using the following algorithms:


• Preferred key exchange algorithm: dh-group1.
• Preferred encryption algorithm from server to client: aes128.
• Preferred HMAC algorithm from client to server: md5.
• Preferred HMAC algorithm from server to client: sha1-96.
<Sysname> sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5
prefer-stoc-hmac sha1-96
Input Username:

sftp client source

Syntax

sftp client source { ip ip-address | interface interface-type interface-number }


undo sftp client source

View

System view

Default Level

3: Manage level

Parameters

ip ip-address: Specifies a source IPv4 address.


interface interface-type interface-number: Specifies a source interface by its type and number.

Description

Use the sftp client source command to specify the source IPv4 address or interface of an SFTP client.
Use the undo sftp client source command to remove the configuration.
By default, an SFTP client uses the IP address of the interface specified by the route of the device to
access the SFTP server.
Related commands: display sftp client source.

Examples

# Specify the source IP address of the SFTP client as 192.168.0.1.


<Sysname> system-view
[Sysname] sftp client source ip 192.168.0.1

Table of Contents

1 Public Key Configuration Commands
    Public Key Configuration Commands
        display public-key local public
        display public-key peer
        peer-public-key end
        public-key-code begin
        public-key-code end
        public-key local create
        public-key local destroy
        public-key local export dsa
        public-key local export rsa
        public-key peer
        public-key peer import sshkey

1 Public Key Configuration Commands

Public Key Configuration Commands


display public-key local public

Syntax

display public-key local { dsa | rsa } public

View

Any view

Default Level

1: Monitor level

Parameters

dsa: DSA key pair.


rsa: RSA key pair.

Description

Use the display public-key local public command to display the public key information of the local key
pairs.
Related commands: public-key local create.

Examples

# Display the public key information of the local RSA key pairs.
<Sysname> display public-key local rsa public

=====================================================
Time of Key pair created: 19:59:16 2007/10/25
Key name: HOST_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100BC4C392A97734A633BA0F1DB01F84E
B51228EC86ADE1DBA597E0D9066FDC4F04776CEA3610D2578341F5D049143656F1287502C06D39D39F28F0F5
CBA630DA8CD1C16ECE8A7A65282F2407E8757E7937DCCDB5DB620CD1F471401B7117139702348444A2D89004
97A87B8D5F13D61C4DEFA3D14A7DC07624791FC1D226F62DF3020301
0001

=====================================================
Time of Key pair created: 19:59:17 2007/10/25

Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12B2B
1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE751EE0EC
EF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001

# Display the public key information of the local DSA key pair.
<Sysname> display public-key local dsa public

=====================================================
Time of Key pair created: 20:00:16 2007/10/25
Key name: HOST_KEY
Key type: DSA Encryption Key
=====================================================
Key code:
308201B83082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD96E5F061C4F0A4
23F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1EDBD13EC8B274DA9F75BA26CCB987
723602787E922BA84421F22C3C89CB9B06FD60FE01941DDD77FE6B12893DA76EEBC1D128D97F0678D7722B53
41C8506F358214B16A2FAC4B368950387811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F
0281810082269009E14EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B
20CD35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B612391C76C1FB2
E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC9B09EEF
0381850002818100CCF1F78E0860BE937FD3CA07D2F2A1B66E74E5D1E16693EB374D677A7A6124EBABD59FE4
8796C56F3FF919F999AEB97D1F2B83D9B98AC09BC1F72E80DBE337CB29989A23378EB21C38EE083F11ED6DC8
D4DBE001BA85450CEA071C2A471C83761E4CF32C174B418612CDD597B441F0CAA05DC01CB93A0ABB247C06FB
A4C79054

Table 1-1 display public-key local public command output description

Field                      Description
Time of Key pair created   Time at which the local key pair is created
Key name                   Key name, which can be:
                           • HOST_KEY: Host public key.
                           • SERVER_KEY: Server public key. This value is available only for RSA key pairs.
Key type                   Key type, which can be:
                           • RSA Encryption Key: RSA key pair.
                           • DSA Encryption Key: DSA key pair.
Key code                   Key data

display public-key peer

Syntax

display public-key peer [ brief | name publickey-name ]

View

Any view

Default Level

1: Monitor level

Parameters

brief: Displays brief information about all the host public keys of peers.
name publickey-name: Displays information about a peer's host public key. publickey-name specifies a
host public key by its name, which is a case-sensitive string of 1 to 64 characters.

Description

Use the display public-key peer command to display information about the specified or all locally
saved public keys of peers.
With neither the brief keyword nor the name publickey-name combination specified, the command
displays detailed information about all locally saved public keys of peers.
You can use the public-key peer command or the public-key peer import sshkey command to get a
local copy of the public keys of a peer.
Related commands: public-key peer, public-key peer import sshkey.

Examples

# Display detailed information about the peer host public key named idrsa.
<Sysname> display public-key peer name idrsa
=====================================
Key name : idrsa
Key type : RSA
Key module: 1024
=====================================
Key Code:
30819D300D06092A864886F70D010101050003818B00308187028181009C46A8710216CEC0C01C7CE136BA76
C79AA6040E79F9E305E453998C7ADE8276069410803D5974F708496947AB39B3F39C5CE56C95B6AB7442D563
93BF241F99A639DD02D9E29B1F5C1FD05CC1C44FBD6CFFB58BE6F035FAA2C596B27D1231D159846B7CB9A775
7C5800FADA9FD72F65672F4A549EE99F63095E11BD37789955020123

# Display brief information about all locally saved public keys of the peers.
<Sysname> display public-key peer brief
Type Module Name
---------------------------
RSA 1024 idrsa
DSA 1024 10.1.1.1

peer-public-key end

Syntax

peer-public-key end

View

Public key view

Default Level

2: System level

Parameters

None

Description

Use the peer-public-key end command to return from public key view to system view.
Related commands: public-key peer.

Examples

# Exit public key view.


<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key] peer-public-key end
[Sysname]

public-key-code begin

Syntax

public-key-code begin

View

Public key view

Default Level

2: System level

Parameters

None

Description

Use the public-key-code begin command to enter public key code view.
After entering public key code view, input the key data in the correct format. Spaces and carriage returns
are allowed between characters.
You can input the key data displayed with the display public-key local public command to make sure
the format requirements are met.
You can configure the RSA server public key of the peer. However, the public key configured cannot be
used for identity authentication in SSH applications, which use the RSA host public key. For more
information about SSH, see SSH2.0 Configuration.

Examples

# Enter public key code view and input the key.


<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key] public-key-code begin
[Sysname-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC801
4F82515F6335A0A
[Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D164313
5877E13B1C531B4
[Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80
EB5F52698FCF3D6
[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE
675AC30CB020301
[Sysname-pkey-key-code]0001

public-key-code end

Syntax

public-key-code end

View

Public key code view

Default Level

2: System level

Parameters

None

Description

Use the public-key-code end command to return from public key code view to public key view and to
save the configured public key.
The system verifies the key before saving it. If the key is not in the correct format, the system discards
the key and displays an error message. If the key is valid, the system saves the key.
Related commands: public-key peer, public-key-code begin.

Examples

# Exit public key code view and save the configured public key.
<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key] public-key-code begin
[Sysname-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC801
4F82515F6335A0A
[Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D164313
5877E13B1C531B4

[Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80
EB5F52698FCF3D6
[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE
675AC30CB020301
[Sysname-pkey-key-code]0001
[Sysname-pkey-key-code] public-key-code end
[Sysname-pkey-public-key]

public-key local create

Syntax

public-key local create { dsa | rsa }

View

System view

Default Level

2: System level

Parameters

dsa: DSA key pair.


rsa: RSA key pair.

Description

Use the public-key local create command to create local key pair(s).
Note that:
• When using this command to create DSA or RSA key pairs, you will be prompted to provide the
  length of the key modulus. The modulus length is in the range 512 to 2048 bits, and defaults to
  1024 bits. If the type of key pair already exists, the system will ask you whether you want to
  overwrite it.
• The local key pairs created with the public-key local create command are saved automatically
  and can survive a reboot.
Related commands: public-key local destroy, display public-key local public.

Examples

# Create local RSA key pairs.


<Sysname> system-view
[Sysname] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++

++++++++
++++++++

# Create a local DSA key pair.


<Sysname> system-view
[Sysname] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
*
*

public-key local destroy

Syntax

public-key local destroy { dsa | rsa }

View

System view

Default Level

2: System level

Parameters

dsa: DSA key pair.


rsa: RSA key pair.

Description

Use the public-key local destroy command to destroy the local key pair(s).
Related commands: public-key local create.

Examples

# Destroy the local RSA key pairs.


<Sysname> system-view

[Sysname] public-key local destroy rsa

Warning: Confirm to destroy these keys? [Y/N]:y

# Destroy the local DSA key pair.


<Sysname> system-view
[Sysname] public-key local destroy dsa
Warning: Confirm to destroy these keys? [Y/N] :y

public-key local export dsa

Syntax

public-key local export dsa { openssh | ssh2 } [ filename ]

View

System view

Default Level

1: Monitor level

Parameters

openssh: Uses the format of OpenSSH.


ssh2: Uses the format of SSH2.0.
filename: Name of the file for storing the local public key. For detailed information about file name, see
File System Management.

Description

Use the public-key local export dsa command to display the local DSA public key on the screen or
export it to a specified file.
If you do not specify the filename argument, the command displays the local DSA public key on the
screen; otherwise, the command exports the local DSA public key to the specified file and saves the file.
SSH2.0 and OpenSSH are two different public key formats for different requirements.
Related commands: public-key local create, public-key local destroy.

Examples

# Export the local DSA public key in OpenSSH format to a file named key.pub.
<Sysname> system-view
[Sysname] public-key local export dsa openssh key.pub

# Display the local DSA public key in SSH2.0 format.


<Sysname> system-view
[Sysname] public-key local export dsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-20070625"
AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3B7b
0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbzWCFLFq
L6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YUXrZWUGEzN
/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HHbB+y6IMXwb2B
cdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBANVcLNEKdDt6xcatpRjxsSrhXFVIdRjx
w59qZnKhl87GsbgP4ccUp3KmcRzuqpz1qNtfgoZOLzHnG1YGxPp7Q2k/uRuuHN0bJfBkOLo2/RyGqDJIqB4FQwmr
kwJuauYGqQy+mgE6dmHn0VG4gAkx9MQxDIBjzbZRX0bvxMdNKR22
---- END SSH2 PUBLIC KEY ----

# Display the local DSA public key in OpenSSH format.


<Sysname> system-view
[Sysname] public-key local export dsa openssh

ssh-dss
AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3B7b
0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbzWCFLFq
L6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YUXrZWUGEzN
/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HHbB+y6IMXwb2B
cdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBANVcLNEKdDt6xcatpRjxsSrhXFVIdRjx
w59qZnKhl87GsbgP4ccUp3KmcRzuqpz1qNtfgoZOLzHnG1YGxPp7Q2k/uRuuHN0bJfBkOLo2/RyGqDJIqB4FQwmr
kwJuauYGqQy+mgE6dmHn0VG4gAkx9MQxDIBjzbZRX0bvxMdNKR22 dsa-key

public-key local export rsa

Syntax

public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ]

View

System view

Default Level

1: Monitor level

Parameters

openssh: Uses the format of OpenSSH.


ssh1: Uses the format of SSH1.5.
ssh2: Uses the format of SSH2.0.
filename: Name of the file for storing the public key. For detailed information about file name, see File
System Management.

Description

Use the public-key local export rsa command to display the local RSA public key on the screen or
export it to a specified file.
If you do not specify the filename argument, the command displays the local RSA public key on the
screen; otherwise, the command exports the local RSA public key to the specified file and saves the file.
SSH1, SSH2.0 and OpenSSH are three different public key formats for different requirements.
Related commands: public-key local create, public-key local destroy.

Examples

# Export the local RSA public key in OpenSSH format to a file named key.pub.
<Sysname> system-view
[Sysname] public-key local export rsa openssh key.pub

# Display the local RSA public key in SSH2.0 format.


<Sysname> system-view
[Sysname] public-key local export rsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20070625"

AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6ut5N
Ic5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j+o0MpO
pzh3W768/+u1riz+1LcwVTs51Q==
---- END SSH2 PUBLIC KEY ----

# Display the local RSA public key in OpenSSH format.


<Sysname> system-view
[Sysname] public-key local export rsa openssh
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6ut5N
Ic5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j+o0MpO
pzh3W768/+u1riz+1LcwVTs51Q== rsa-key

public-key peer

Syntax

public-key peer keyname


undo public-key peer keyname

View

System view

Default Level

2: System level

Parameters

keyname: Host public key name of the peer, a case-sensitive string of 1 to 64 characters.

Description

Use the public-key peer command to specify a name for a peer's host public key and enter public key
view.
Use the undo public-key peer command to remove a peer’s host public key.
After entering public key view, you can configure the public key of the peer with the public-key-code
begin and public-key-code end commands. This operation requires that you obtain the hexadecimal
public key from the peer beforehand.
Related commands: public-key-code begin, public-key-code end, display public-key peer.

Examples

# Specify the name for the peer's host public key as key1 and enter public key view.
<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key]

public-key peer import sshkey

Syntax

public-key peer keyname import sshkey filename


undo public-key peer keyname

View

System view

Default Level

2: System level

Parameters

keyname: Public key name, a case-sensitive string of 1 to 64 characters.


filename: Name of the file that saves a peer's public key. For detailed information about file name, see
File System Management.

Description

Use the public-key peer import sshkey command to import the public key of a peer from the public
key file.
Use the undo public-key peer command to remove a configured peer public key.
After execution of this command, the system automatically transforms the public key in SSH1, SSH2.0
or OpenSSH format to PKCS format, and imports the peer public key. This operation requires that you
get a copy of the public key file from the peer through FTP or TFTP in advance.
Related commands: display public-key peer.

Examples

# Import the peer host public key named key2 from the public key file key.pub.
<Sysname> system-view
[Sysname] public-key peer key2 import sshkey key.pub
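
The OpenSSH-to-hexadecimal conversion that public-key peer and public-key peer import sshkey rely on, done offline: this is an added example, not code from the H3C manual or from Comware, that turns a single-line OpenSSH ssh-rsa public key into a key code for public key code view. It assumes the key code is the DER SubjectPublicKeyInfo encoding, which is what the 30819F300D06092A864886F70D0101010500 prefix of the RSA key codes shown in this manual decodes to; all function names and the sample key are constructed for illustration.

```python
import base64
import struct

# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL parameters).
RSA_ALGORITHM_ID = bytes.fromhex("300D06092A864886F70D0101010500")


def _read_ssh_string(blob, offset):
    """Read one length-prefixed field (uint32 length + data) from an SSH key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated SSH public key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH public key blob")
    return blob[offset + 4:end], end


def parse_openssh_rsa(line):
    """Return (modulus, exponent) from a one-line 'ssh-rsa <base64> [comment]' key."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, offset = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match the prefix")
    e_bytes, offset = _read_ssh_string(blob, offset)
    n_bytes, offset = _read_ssh_string(blob, offset)
    if offset != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    for field in (e_bytes, n_bytes):
        # mpints are signed; a set top bit would mean a negative number.
        if not field or field[0] & 0x80:
            raise ValueError("modulus and exponent must be positive")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _der(tag, content):
    """Encode one DER tag-length-value element."""
    length = len(content)
    if length < 0x80:
        header = bytes([length])
    else:
        body = length.to_bytes((length.bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + header + content


def _der_int(value):
    """Encode a non-negative INTEGER, keeping a leading zero when the top bit is set."""
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def rsa_key_code(modulus, exponent):
    """Return the uppercase hex SubjectPublicKeyInfo for an RSA public key."""
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    bit_string = _der(0x03, b"\x00" + rsa_public_key)
    return _der(0x30, RSA_ALGORITHM_ID + bit_string).hex().upper()


def key_code_lines(hex_code, width=64):
    """Split the hex string into short lines; line breaks are allowed in the key data."""
    return [hex_code[i:i + width] for i in range(0, len(hex_code), width)]


def build_openssh_rsa(modulus, exponent, comment="constructed-sample"):
    """Build an ssh-rsa line from integers (only used to make sample input here)."""
    def mpint(value):
        body = value.to_bytes(value.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(body)) + body
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(exponent) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    # Constructed 1024-bit value standing in for a peer's modulus; not a usable key.
    sample = build_openssh_rsa((1 << 1023) | 1, 65537)
    n, e = parse_openssh_rsa(sample)
    print("public-key-code begin")
    for chunk in key_code_lines(rsa_key_code(n, e)):
        print(chunk)
    print("public-key-code end")
```

Compare the printed key code with the output of display public-key peer on the switch after entering it, so that a mistyped or substituted key is caught before it is trusted for authentication.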

Table of Contents

1 HABP Configuration Commands
    HABP Configuration Commands
        display habp
        display habp table
        display habp traffic
        habp enable
        habp server vlan
        habp timer

1 HABP Configuration Commands

HABP Configuration Commands


display habp

Syntax

display habp

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display habp command to display HABP configuration information.


If the HABP function is not enabled on the device, this command does not display the HABP
configuration but only the running status of the HABP function.

Examples

# Display HABP configuration information.


<Sysname> display habp
Global HABP information:
HABP Mode: Server
Sending HABP request packets every 20 seconds
Bypass VLAN: 2

Table 1-1 display habp command output description

Field                                           Description
HABP Mode                                       HABP mode of the current device, server or client
Sending HABP request packets every 20 seconds   The HABP server sends HABP request packets at an interval of 20 seconds.
Bypass VLAN                                     ID of the VLAN in which HABP packets are transmitted

display habp table

Syntax

display habp table

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display habp table command to display HABP MAC address table entries.
Note that this command is only applicable on an HABP server to display the MAC address entries
collected by the HABP server.

Examples

# On the HABP server, display HABP MAC address table entries.


<Sysname> display habp table
MAC Holdtime Receive Port
001f-3c00-0030 53 GigabitEthernet1/0/1

Table 1-2 display habp table command output description

Field          Description
MAC            MAC address
Holdtime       Lifetime of an entry in seconds. The initial value is three times the interval at which
               HABP request packets are sent. An entry will age out if it is not updated during the period.
Receive Port   Port that learned the MAC address

display habp traffic

Syntax

display habp traffic

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display habp traffic command to display HABP packet statistics.

Examples

# Display HABP packet statistics.

<Sysname> display habp traffic


HABP counters :
Packets output: 0, Input: 0
ID error: 0, Type error: 0, Version error: 0
Sent failed: 0

Table 1-3 display habp traffic command output description

Field            Description
Packets output   Number of HABP packets sent
Input            Number of HABP packets received
ID error         Number of packets with an incorrect ID
Type error       Number of packets with an incorrect type
Version error    Number of packets with an incorrect version number
Sent failed      Number of packets that failed to be sent

habp enable

Syntax

habp enable
undo habp enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the habp enable command to enable HABP.


Use the undo habp enable command to disable HABP.
By default, HABP is enabled.

Examples

# Enable HABP.

<Sysname> system-view
[Sysname] habp enable

habp server vlan

Syntax

habp server vlan vlan-id


undo habp server

View

System view

Default Level

2: System level

Parameters

vlan-id: ID of the VLAN in which HABP packets are to be transmitted, in the range 1 to 4094.

Description

Use the habp server vlan command to configure HABP to work in server mode and specify the VLAN
in which HABP packets are to be transmitted.
Use the undo habp server command to configure HABP to work in the default mode.
By default, HABP works in client mode.
Note that in a cluster, if other member devices of the cluster are attached to a member device that has
802.1X authentication or MAC authentication enabled, you also need to configure the HABP server on
that device. Otherwise, the cluster management device will not be able to manage the devices attached
to this member device. For information about the cluster function, see Cluster Management
Configuration.

Examples

# Configure HABP to work in server mode and specify the VLAN for HABP packets as VLAN 2.
<Sysname> system-view
[Sysname] habp server vlan 2

habp timer

Syntax

habp timer interval


undo habp timer

View

System view

Default Level

2: System level

Parameters

interval: Interval (in seconds) at which the switch sends HABP request packets, in the range 5 to 600.

Description

Use the habp timer command to set the interval at which the switch sends HABP request packets.
Use the undo habp timer command to restore the default.
The default interval is 20 seconds.
This command is required only on the HABP server.

Examples

# Set the interval at which the switch sends HABP request packets to 50 seconds.
<Sysname> system-view
[Sysname] habp timer 50

1-5
Table of Contents

1 ACL Configuration Commands ················································································································1-1


ACL Configuration Commands ···············································································································1-1
acl ····················································································································································1-1
acl copy ···········································································································································1-2
acl name ··········································································································································1-3
description ·······································································································································1-3
display acl········································································································································1-4
display acl resource·························································································································1-5
display time-range ···························································································································1-6
packet-filter ······································································································································1-7
reset acl counter ······························································································································1-8
rule (advanced ACL view) ···············································································································1-8
rule (basic ACL view)·····················································································································1-13
rule (Ethernet frame header ACL view)·························································································1-14
rule comment·································································································································1-16
step ················································································································································1-16
time-range ·····································································································································1-17

1 ACL Configuration Commands

ACL Configuration Commands

acl

Syntax

acl number acl-number [ name acl-name ] [ match-order { auto | config } ]


undo acl { all | name acl-name | number acl-number }

View

System view

Default Level

2: System level

Parameters

number acl-number: Specifies the number of an access control list (ACL):
• 2000 to 2999 for basic ACLs
• 3000 to 3999 for advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
name acl-name: Assigns a name for the ACL for the ease of identification. The acl-name argument
takes a case insensitive string of 1 to 32 characters. It must start with an English letter, and, to avoid
confusion, cannot be all.
match-order: Sets the order in which ACL rules are compared against packets:
• auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories.
See ACL Configuration for more information.
• config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher
priority. If no match order is specified, the config order applies by default.
all: Deletes all ACLs.

Description

Use the acl command to create an ACL and enter its view. If the ACL has been created, you enter its
view directly.
Use the undo acl command to delete the specified or all ACLs.
By default, no ACL exists.
Note that:
• You can assign a name for an ACL only when you create it. After creating an ACL, you can neither
rename it nor remove its name, if any.
• The name of an ACL must be unique among ACLs.
• If you specify both an ACL number and an ACL name in one command to enter the view of an
existing ACL, be sure that the ACL number and ACL name identify the same ACL.
• You can change match order only for ACLs that do not contain any rules.

Examples

# Create basic ACL 2000, and enter its view.


<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]

# Create basic ACL 2001, named flow, and enter its view.
<Sysname> system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]

acl copy

Syntax

acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

View

System view

Default Level

2: System level

Parameters

source-acl-number: Specifies a source ACL that already exists by its number:
• 2000 to 2999 for basic ACLs
• 3000 to 3999 for advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
name source-acl-name: Specifies a source ACL that already exists by its name. The source-acl-name
argument takes a case insensitive string of 1 to 32 characters.
dest-acl-number: Assigns a unique number for the ACL you are creating. This number must be from the
same ACL category as the source ACL. Available value ranges include:
• 2000 to 2999 for basic ACLs
• 3000 to 3999 for advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
name dest-acl-name: Assigns a unique name for the ACL you are creating. The dest-acl-name takes a
case insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion,
cannot be all. For this ACL, the system automatically picks the smallest number from all available
numbers in the same ACL category as the source ACL.

Description

Use the acl copy command to create an IPv4 ACL by copying an IPv4 ACL that already exists. Except
for the number and name (if any), the new ACL has the same configuration as the source ACL.
You can assign a name for an IPv4 ACL only when you create it. After it is created, you can neither
rename it nor remove its name, if any.

Examples

# Create ACL 2002 by copying ACL 2001.


<Sysname> system-view
[Sysname] acl copy 2001 to 2002

acl name

Syntax

acl name acl-name

View

System view

Default Level

2: System level

Parameters

acl-name: Specifies the name of an existing ACL, which is a case insensitive string of 1 to 32 characters.
It must start with an English letter.

Description

Use the acl name command to enter the view of an existing ACL by specifying its name.
Related commands: acl.

Examples

# Enter the view of ACL flow.


<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2001-flow]

description

Syntax

description text
undo description

View

Basic ACL view, advanced ACL view, Ethernet frame header ACL view

Default Level

2: System level

Parameters

text: ACL description, a case-sensitive string of 1 to 127 characters.

Description

Use the description command to configure a description for an ACL.


Use the undo description command to remove the ACL description.
By default, an ACL has no ACL description.
Related commands: display acl.

Examples

# Configure a description for basic ACL 2000.


<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This acl is used on GE1/0/1

display acl

Syntax

display acl { acl-number | all | name acl-name }

View

Any view

Default Level

1: Monitor level

Parameters

acl-number: Specifies an ACL by its number:
• 2000 to 2999 for basic ACLs
• 3000 to 3999 for advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
all: Displays information for all ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument takes a case insensitive string
of 1 to 32 characters. It must start with an English letter.

Description

Use the display acl command to display configuration and match statistics for the specified or all ACLs.
This command displays ACL rules in the config or depth-first order, whichever is configured.

Examples

# Display information about ACL 2001.


<Sysname> display acl 2001

Basic ACL 2001, named flow, 1 rule,
ACL's step is 5
rule 5 permit source 1.1.1.1 0 (5 times matched)
rule 5 comment This rule is used on GE1/0/1

Table 1-1 display acl command output description

Field, followed by its description:

Basic ACL 2001
    Category and number of the ACL. The following field information is about basic ACL 2001.

named flow
    The name of the ACL is flow. "–none-" means the ACL is not named.

1 rule
    The ACL contains one rule.

ACL's step is 5
    The rule numbering step is 5.

5 times matched
    There have been five matches for the rule. Only ACL matches performed by software are counted.
    This field is not displayed when no packets have matched the rule.

rule 5 comment This rule is used on GE1/0/1
    The description of ACL rule 5 is “This rule is used on GE1/0/1.”

display acl resource

Syntax

display acl resource

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display acl resource command to display the usage of ACL resources on a device.

Examples

# Display the ACL resource usage of the device.


<Sysname> display acl resource
----------------------------------------------------
GE1/0/1..GE1/0/24
GE1/0/49 GE1/0/50
----------------------------------------------------
Type Total Reserved Configured Remaining

----------------------------------------------------
ACL 1024 370 0 654
Meter 256 0 0 256
----------------------------------------------------
GE1/0/25..GE1/0/48
GE1/0/51 GE1/0/52
----------------------------------------------------
Type Total Reserved Configured Remaining
----------------------------------------------------
ACL 1024 374 0 650
Meter 256 0 0 256

Table 1-2 display acl resource command output description

Field, followed by its description:

Type
    Resource type. Possible values are as follows:
    • METER for traffic policing resources,
    • ACL for rule resources,

Total
    Total number of ACL rules supported

Reserved
    Number of reserved ACL rules

Configured
    Number of configured ACL rules

Remaining
    Number of remaining ACL rules

display time-range

Syntax

display time-range { time-range-name | all }

View

Any view

Default Level

1: Monitor level

Parameters

time-range-name: Time range name, a case insensitive string of 1 to 32 characters. It must start with an
English letter.
all: Displays the configuration and status of all existing time ranges.

Description

Use the display time-range command to display the configuration and status of a specified time range
or all time ranges.
A time range is active if the system time falls into its range.

Examples

# Display the configuration and status of time range trname.


<Sysname> display time-range trname
Current time is 10:45:15 4/14/2005 Thursday
Time-range : trname ( Inactive )
from 08:00 12/1/2005 to 23:59 12/31/2100

Table 1-3 display time-range command output description

Field, followed by its description:

Current time
    Current system time

Time-range
    Configuration and status of the time range, including the name of the time range, its status
    (active or inactive), and its start time and end time.

packet-filter
Syntax

packet-filter { acl-number | name acl-name } inbound


undo packet-filter { acl-number | name acl-name } inbound

View

Ethernet port view, VLAN interface view

Default Level

2: System level

Parameters

acl-number: Specifies an ACL by its number:
• 2000 to 2999 for basic ACLs
• 3000 to 3999 for advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
name acl-name: Specifies an ACL by its name. The acl-name argument takes a case insensitive string
of 1 to 32 characters. It must start with an English letter.
inbound: Filters incoming packets.

Description

Use the packet-filter command to apply an ACL to an interface to filter IPv4 packets or Ethernet
frames.
Use the undo packet-filter command to restore the default.
By default, an interface does not filter IPv4 packets or Ethernet frames.
If you execute the command repeatedly, the last configuration takes effect.

Examples

# Apply basic ACL 2001 to the inbound direction of interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEtherhet1/0/1] packet-filter 2001 inbound

# Apply Ethernet frame header ACL 4001 to the inbound direction of interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEtherhet1/0/1] packet-filter 4001 inbound

reset acl counter

Syntax

reset acl counter { acl-number | all | name acl-name }

View

User view

Default Level

2: System level

Parameters

acl-number: Specifies an ACL by its number:
• 2000 to 2999 for basic ACLs
• 3000 to 3999 for advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
all: Clears statistics for all ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument takes a case insensitive string
of 1 to 32 characters. It must start with an English letter.

Description

Use the reset acl counter command to clear statistics for the specified or all ACLs.
Related commands: display acl.

Examples

# Clear statistics on ACL 2001.


<Sysname> reset acl counter 2001

# Clear statistics on ACL flow.


<Sysname> reset acl counter name flow

rule (advanced ACL view)

Syntax

rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh psh-value
| rst rst-value | syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } |
destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code |
icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard |
any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos ] *

undo rule rule-id [ { established | { ack | fin | psh | rst | syn | urg } * } | destination | destination-port
| dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port |
time-range | tos ] *

View

Advanced ACL view

Default Level

2: System level

Parameters

rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create
an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple
of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering
step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
protocol: Protocol carried by IPv4. It can be a number in the range 0 to 255, or in words, gre (47), icmp
(1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). Table 1-4 describes the parameters that can
be specified after the protocol argument.

Table 1-4 Match criteria and other rule information for advanced ACL rules

Each parameter is followed by its function and description.

source { sour-addr sour-wildcard | any }
    Function: Specifies a source address.
    Description: The sour-addr sour-wildcard arguments represent a source IP address in dotted
    decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any
    source IP address.

destination { dest-addr dest-wildcard | any }
    Function: Specifies a destination address.
    Description: The dest-addr dest-wildcard arguments represent a destination IP address in
    dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword
    represents any destination IP address.

precedence precedence
    Function: Specifies an IP precedence value.
    Description: The precedence argument can be a number in the range 0 to 7, or in words,
    routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5),
    internet (6), or network (7).

tos tos
    Function: Specifies a ToS preference.
    Description: The tos argument can be a number in the range 0 to 15, or in words,
    max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).

dscp dscp
    Function: Specifies a DSCP priority.
    Description: The dscp argument can be a number in the range 0 to 63, or in words, af11 (10),
    af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30),
    af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48),
    cs7 (56), default (0), or ef (46).

logging
    Function: Specifies to log matched packets.
    Description: This function requires that the module using the ACL support logging.

reflective
    Function: Specifies that the rule be reflective.
    Description: Not supported.

fragment
    Function: Indicates that the rule applies to only non-first fragments.
    Description: Without this keyword, the rule applies to all fragments and non-fragments.

time-range time-range-name
    Function: Specifies a time range for the rule.
    Description: The time-range-name argument takes a case insensitive string of 1 to 32
    characters. It must start with an English letter.

If you provide the precedence or tos keyword in addition to the dscp keyword, the dscp keyword takes
effect.

Setting the protocol argument to tcp or udp, you may define the parameters shown in Table 1-5.

Table 1-5 TCP/UDP-specific parameters for advanced ACL rules

Each parameter is followed by its function and description.

source-port operator port1 [ port2 ]
    Function: Specifies one or more UDP or TCP source ports.

destination-port operator port1 [ port2 ]
    Function: Specifies one or more UDP or TCP destination ports.

    Description (shared by source-port and destination-port):
    The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not
    equal to), or range (inclusive range).
    The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is
    needed only when the operator argument is range.
    TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514),
    daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21),
    ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544),
    login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111),
    tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).
    UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67),
    discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435),
    nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123),
    rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65),
    talk (517), tftp (69), time (37), who (513), and xdmcp (177).

{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *
    Function: Specifies one or more TCP flags
    Description: Parameters specific to TCP. The value for each argument can be 0 or 1. The TCP
    flags in one rule are ANDed.

established
    Function: Specifies the TCP flags ACK and RST
    Description: Parameter specific to TCP.

Setting the protocol argument to icmp, you may define the parameters shown in Table 1-6.

Table 1-6 ICMP-specific parameters for advanced ACL rules

Each parameter is followed by its function and description.

icmp-type { icmp-type icmp-code | icmp-message }
    Function: Specifies the ICMP message type and code.
    Description: The icmp-type argument ranges from 0 to 255. The icmp-code argument ranges
    from 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message
    names and their corresponding type and code values are listed in Table 1-7.

Table 1-7 ICMP message names supported in advanced ACL rules

ICMP message name       Type    Code
echo                    8       0
echo-reply              0       0
fragmentneed-DFset      3       4
host-redirect           5       1
host-tos-redirect       5       3
host-unreachable        3       1
information-reply       16      0
information-request     15      0
net-redirect            5       0
net-tos-redirect        5       2
net-unreachable         3       0
parameter-problem       12      0
port-unreachable        3       3
protocol-unreachable    3       2
reassembly-timeout      11      1
source-quench           4       0
source-route-failed     3       5
timestamp-reply         14      0
timestamp-request       13      0
ttl-exceeded            11      0

Description

Use the rule command to create or edit an advanced ACL rule.


Use the undo rule command to delete an entire advanced ACL rule or some attributes in the rule.
By default, an advanced ACL does not contain any rule.
If you specify no optional keywords, the undo rule command removes the entire ACL rule; otherwise,
the command removes only the specified criteria. Before performing the undo rule command, you may
use the display acl command to view the ID of the rule.
When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule
IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest
multiple of the step that is bigger than the current biggest number. For example, if the rule numbering
step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing
rule in the ACL.
You can only modify the existing rules of an ACL that uses the match order of config. When modifying a
rule of such an ACL, you may choose to change just some of the settings, in which case the other
settings remain the same.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the
depth-first match order. Note that the IDs of the rules still remain the same.
If the ACL match order is auto, rules are displayed in the depth-first match order rather than by rule
number.

For a basic ACL rule to be referenced by a QoS policy for traffic classification, the logging keyword is
not supported.

Related commands: display acl.

Examples

# Create a rule to permit TCP packets with the destination port of 80 from 129.9.0.0 to 202.38.160.0.
<Sysname> system-view
[Sysname] acl number 3101
[Sysname-acl-adv-3101] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0
0.0.0.255 destination-port eq 80
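
The automatic rule numbering and config-order matching described above can be checked offline before a rule set is applied. The following Python model is an added example, not H3C code; the names Acl, Rule, next_rule_id, wildcard_match and build_acl_3101 are hypothetical. It assumes standard wildcard-mask semantics (bits set in the wildcard are ignored) and returns None for a packet that matches no rule, because this reference does not state that outcome.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_RULE_ID = 65534  # rule-id range given in the reference: 0 to 65534


def next_rule_id(existing_ids, step=5):
    """ID assigned when rule-id is omitted: 0 for an empty ACL, otherwise the
    smallest multiple of the step that is larger than the current highest ID."""
    if not 1 <= step <= 20:
        raise ValueError("step-value ranges from 1 to 20")
    new_id = 0 if not existing_ids else (max(existing_ids) // step + 1) * step
    if new_id > MAX_RULE_ID:
        raise ValueError("no rule ID left in 0..65534")
    return new_id


def _ip(text):
    # The examples write an all-zero wildcard as a bare "0".
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def wildcard_match(addr, rule_addr, wildcard):
    """Assumed wildcard-mask compare: bits set in the wildcard are not compared."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(rule_addr) & care)


def port_match(port, operator, port1, port2=None):
    """Port operators listed in Table 1-5; range is inclusive."""
    if operator == "eq":
        return port == port1
    if operator == "neq":
        return port != port1
    if operator == "lt":
        return port < port1
    if operator == "gt":
        return port > port1
    if operator == "range":
        return port1 <= port <= port2
    raise ValueError("unknown operator: " + operator)


@dataclass
class Rule:
    rule_id: int
    action: str                                    # "permit" or "deny"
    protocol: str                                  # "ip" matches every IPv4 protocol
    source: Optional[Tuple[str, str]] = None       # (address, wildcard); None = any
    destination: Optional[Tuple[str, str]] = None  # (address, wildcard); None = any
    dest_port: Optional[tuple] = None              # (operator, port1[, port2])

    def matches(self, pkt):
        if self.protocol not in ("ip", pkt["protocol"]):
            return False
        if self.source and not wildcard_match(pkt["src"], *self.source):
            return False
        if self.destination and not wildcard_match(pkt["dst"], *self.destination):
            return False
        if self.dest_port:
            if "dport" not in pkt or not port_match(pkt["dport"], *self.dest_port):
                return False
        return True


class Acl:
    def __init__(self, step=5):
        self.step = step
        self.rules = {}

    def add(self, action, protocol, rule_id=None, **criteria):
        if rule_id is None:
            rule_id = next_rule_id(self.rules.keys(), self.step)
        self.rules[rule_id] = Rule(rule_id, action, protocol, **criteria)
        return rule_id

    def evaluate(self, pkt):
        """config match order: ascending rule ID, first matching rule decides."""
        for rule_id in sorted(self.rules):
            if self.rules[rule_id].matches(pkt):
                return rule_id, self.rules[rule_id].action
        return None  # outcome for unmatched packets is not modeled


def build_acl_3101():
    """The permit rule from the example above, plus a constructed deny rule."""
    acl = Acl(step=5)
    acl.add("permit", "tcp", source=("129.9.0.0", "0.0.255.255"),
            destination=("202.38.160.0", "0.0.0.255"), dest_port=("eq", 80))
    acl.add("deny", "ip")  # constructed for illustration; not on the page
    return acl
```
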

rule (basic ACL view)

Syntax

rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } |
time-range time-range-name ] *
undo rule rule-id [ fragment | logging | source | time-range ] *

View

Basic ACL view

Default Level

2: System level

Parameters

rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is specified when you create an
ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of
the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering
step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
fragment: Indicates that the rule applies to only non-first fragments. A rule without this keyword applies
to all fragments and non-fragments.
logging: Generates log entries for matched packets.
source { sour-addr sour-wildcard | any }: Matches a source address. The sour-addr sour-wildcard
arguments represent a source IP address in dotted decimal notation. A wildcard mask of zeros specifies
a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a
case insensitive string of 1 to 32 characters. It must start with an English letter.

Description

Use the rule command to create or edit a basic ACL rule.


Use the undo rule command to delete an entire basic ACL rule or some attributes in the rule.
By default, a basic ACL does not contain any rule.
If you specify no optional keywords, the undo rule command removes the entire ACL rule; otherwise,
the command removes only the specified criteria. Before performing the undo rule command, you may
use the display acl command to view the ID of the rule.
When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule
IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest
multiple of the step that is bigger than the current biggest number. For example, if the rule numbering
step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing
rule in the ACL.

You can only modify the existing rules of an ACL that uses the match order of config. When modifying a
rule of such an ACL, you may choose to change just some of the settings, in which case the other
settings remain the same.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the
depth-first match order. Note that the IDs of the rules still remain the same.

For a basic ACL rule to be referenced by a QoS policy for traffic classification, the logging keyword is
not supported.

Related commands: display acl.

Examples

# Create a rule in ACL 2000 to deny packets sourced from 1.1.1.1.


<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0

rule (Ethernet frame header ACL view)

Syntax

rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | { lsap lsap-type
lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask |
time-range time-range-name ] *
undo rule rule-id [ time-range ]

View

Ethernet frame header ACL view

Default Level

2: System level

Parameters

rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create
an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple
of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering
step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
cos vlan-pri: Defines an 802.1p priority. The vlan-pri argument can be a number in the range 0 to 7 or in
words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5),
voice (6), or network-management (7).

dest-mac dest-addr dest-mask: Matches a destination MAC address range. The dest-addr and
dest-mask arguments represent a destination MAC address and mask in H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The
lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The
lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.
source-mac sour-addr source-mask: Matches a source MAC address range. The sour-addr argument
represents a source MAC address, and the source-mask argument represents a mask in H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a
case insensitive string of 1 to 32 characters. It must start with an English letter.

Description

Use the rule command to create or edit an Ethernet frame header ACL rule.
Use the undo rule command to delete an Ethernet frame header ACL rule or some attributes in the rule.
By default, an Ethernet frame header ACL does not contain any rule.
When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule
IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest
multiple of the step that is bigger than the current biggest number. For example, if the rule numbering
step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
Before performing the undo rule command to remove an Ethernet frame header ACL rule, you may use
the display acl command to view the ID of the rule.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing
rule in the ACL.
You can only modify the existing rules of an ACL that uses the match order of config. When modifying a
rule of such an ACL, you may choose to change just some of the settings, in which case the other
settings remain the same.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the
depth-first match order. Note that the IDs of the rules still remain the same.
If the ACL match order is auto, rules are displayed in the depth-first match order rather than by rule
number.

For an Ethernet frame header ACL to be referenced by a QoS policy for traffic classification, the lsap
keyword is not supported.

Related commands: display acl.

Examples

# Create a rule in ACL 4000 to deny packets with the 802.1p priority of 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3

rule comment

Syntax

rule rule-id comment text


undo rule rule-id comment

View

Basic ACL view, advanced ACL view, Ethernet frame header ACL view

Default Level

2: System level

Parameters

rule-id: Specifies the ID of an existing ACL rule. The ID ranges from 0 to 65534.
text: Provides a description for the ACL rule, a case sensitive string of 1 to 127 characters.

Description

Use the rule comment command to configure a description for an existing ACL rule or edit its
description for the ease of identification.
Use the undo rule comment command to delete the ACL rule description.
By default, an ACL rule has no rule description.
Related commands: display acl.

Examples

# Create a rule in basic ACL 2000 and configure a description for this rule.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used on GE1/0/1

step

Syntax

step step-value
undo step

View

Basic ACL view, advanced ACL view, Ethernet frame header ACL view

Default Level

2: System level

Parameters

step-value: ACL rule numbering step, which ranges from 1 to 20.

Description

Use the step command to set a rule numbering step for an ACL.
Use the undo step command to restore the default.
By default, the rule numbering step is 5.
Related commands: display acl.

Examples

# Set the rule numbering step to 2 for basic ACL 2000.


<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2

# Set the rule numbering step to 2 for advanced ACL 3000.


<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] step 2

# Set the rule numbering step to 2 for Ethernet frame header ACL 4000.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] step 2

time-range

Syntax

time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from
time1 date1 [ to time2 date2 ] | to time2 date2 }
undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ]
| from time1 date1 [ to time2 date2 ] | to time2 date2 ]

View

System view

Default Level

2: System level

Parameters

time-range-name: Assigns a name for a time range. The name is a case insensitive string of 1 to 32
characters. It must start with an English letter and, to avoid confusion, cannot be all.
start-time to end-time: Specifies a periodic time range. Both start-time and end-time are in hh:mm
format (24-hour clock), and each value ranges from 00:00 to 23:59. The end time must be greater than
the start time.
days: Specifies the day or days of the week on which the periodic time range is valid. You may specify
multiple values, in words or in digits, separated by spaces, but make sure that they do not overlap. The
values are ANDed. These values can take one of the following forms:
• A digit in the range 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday,
Friday, and Saturday.
• A day of a week in words, sun, mon, tue, wed, thu, fri, and sat.
• working-day for Monday through Friday.
• off-day for Saturday and Sunday.
• daily for the whole week.
from time1 date1: Specifies the start time and date of an absolute time range. The time1 argument
specifies the time of the day in hh:mm format (24-hour clock). Its value ranges from 00:00 to 23:59. The
date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of
the year in the range 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is
the year in the usual Gregorian calendar in the range 1970 to 2100. If not specified, the start time is the
earliest time available in the system, 01/01/1970 00:00:00 AM.
to time2 date2: Specifies the end time and date of the absolute time range. The time2 argument is in the
same format as that of the time1 argument, but its value ranges from 00:00 to 24:00. The format and
value range of the date2 argument are the same as those of the date1 argument. The end time must be
greater than the start time. If not specified, the end time is the maximum time available in the system,
12/31/2100 24:00:00 PM.

Description

Use the time-range command to create a time range.


Use the undo time-range command to delete a time range.
By default, no time range exists.
You may create a maximum of 256 time ranges.
A time range can be one of the following:
• Periodic time range created using the time-range time-range-name start-time to end-time days
command. A time range thus created recurs periodically on the day or days of the week.
• Absolute time range created using the time-range time-range-name { from time1 date1 [ to time2
date2 ] | to time2 date2 } command. Unlike a periodic time range, a time range thus created does
not recur. For example, to create an absolute time range that is active between January 1, 2004
00:00 and December 31, 2004 23:59, you may use the time-range test from 00:00 01/01/2004 to
23:59 12/31/2004 command.
• Compound time range created using the time-range time-range-name start-time to end-time days
{ from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A time range thus created recurs
on the day or days of the week only within the specified period. For example, to create a time range
that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December
31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00
01/01/2004 to 23:59 12/31/2004 command.
You may create individual time ranges identified with the same name. They are regarded as one time
range whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing
periodic and absolute ones.

Examples

# Create a periodic time range 11, setting it to be active from 8:00 to 18:00 during working days.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day

# Create an absolute time range t2, setting it to be active in the whole year of 2010.
<Sysname> system-view
[Sysname] time-range t1 from 0:0 1/1/2010 to 23:59 12/31/2010

# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and
Sundays of the year 2010.
<Sysname> system-view
[Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010

# Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from
14:00 to 16:00 on Wednesdays in the period of January through June of the year 2010.
<Sysname> system-view
[Sysname] time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010
[Sysname] time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010

Table of Contents

1 Device Management Commands
    Device Management Commands
        boot-loader
        bootrom
        bootrom-update security-check enable
        display boot-loader
        display cpu-usage
        display cpu-usage history
        display device
        display device manuinfo
        display environment
        display fan
        display memory
        display power
        display reboot-type
        display schedule job
        display schedule reboot
        display system-failure
        display transceiver alarm
        display transceiver diagnosis
        display transceiver
        display transceiver manuinfo
        reboot
        reset unused porttag
        schedule job
        schedule reboot at
        schedule reboot delay
        system-failure

1 Device Management Commands

Device Management Commands


boot-loader

Syntax

boot-loader file file-url { main | backup }

View

User view

Default Level

2: System level

Parameters

file file-url: Specifies a file name, a string of 1 to 63 characters. If you enter a relative path here, the
system automatically converts it to an absolute path. The absolute path should contain no more than 63
characters; otherwise, the command cannot be successfully executed. The file name is in the format of
[drive:/]file-name, where
• The items in square brackets [ ] are optional.
• drive specifies the storage medium of the file. The value is the name of the storage medium. If a
device has only one storage medium, you can execute this command without providing this
argument.
• file-name specifies the filename, which is usually suffixed by .bin. Suffixes vary with devices.
main: Specifies a file as a main boot file. A main boot file is used to boot a device.
backup: Specifies a file as a backup boot file. A backup boot file is used to boot a device only when a
main boot file is unavailable.

Description

Use the boot-loader command to specify a boot file for the next boot.
Related commands: display boot-loader.

Examples

# Specify the main boot file for the next device boot as test.bin. (The output of this command varies with
devices.)
<Sysname> boot-loader file test.bin main
This command will set the boot file. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on slot 1!

bootrom

Syntax

bootrom update file file-url

View

User view

Default Level

2: System level

Parameters

update file file-url: Upgrades Boot ROM, where file-url is a string of 1 to 63 characters that represents
the name of the file used for the upgrade. See boot-loader.

Description

Use the bootrom command to upgrade the Boot ROM program on the device.

Examples

# Upgrade the Boot ROM program with the file a.btm.


<Sysname> bootrom update file a.btm
This command will update bootrom file, Continue? [Y/N]:y
Now updating bootrom, please wait...
BootRom file updating finished!

bootrom-update security-check enable

Syntax

bootrom-update security-check enable


undo bootrom-update security-check enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the bootrom-update security-check enable command to enable the validity check function.
Use the undo bootrom-update security-check enable command to disable the validity check
function.
By default, the validity check function is enabled at the time of upgrading Boot ROM.

After the validity check function is enabled, the device will strictly check whether the Boot ROM upgrade
files are valid and can match the hardware.

Examples

# Enable the validity check function when upgrading Boot ROM.


<Sysname> system-view
[Sysname] bootrom-update security-check enable

display boot-loader

Syntax

display boot-loader

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display boot-loader command to display information of the boot file.
Related commands: boot-loader.

Examples

# Display the file adopted for the current and next boot of the device. (The output of this command
varies with devices.)
<Sysname> display boot-loader
The current boot app is: flash:/test.bin
The main boot app is: flash:/test.bin
The backup boot app is: flash:/test.bin

Table 1-1 display boot-loader command output description

| Field | Description |
|---|---|
| The current boot app is | Boot file used for the device for the current device boot |
| The main boot app is | Main boot file used for the next device boot of the device |
| The backup boot app is | Backup boot file used for the next device boot of the device |

display cpu-usage

Syntax

display cpu-usage [ entry-number [ offset ] [ verbose ] [ from-device ] ]

View

Any view

Default Level

1: Monitor level

Parameters

entry-number: Number of entries to be displayed, in the range of 1 to 60.


offset: Offset between the serial number of the first CPU usage statistics record to be displayed and that
of the last CPU usage record to be displayed. It is in the range of 0 to 59. For example, if the idx of the
latest statistics record is 12 and the offset is set to 3, the system displays the statistics records starting
from the one with the idx of 9. idx represents the serial number of the period for the statistics, and its
value ranges from 0 to 60 cyclically. The system collects CPU usage statistics periodically; after each
period, the system records the average CPU usage during this period, and the idx value is incremented
by 1 automatically.
verbose: Specifies to display detailed information of CPU usage statistics. If this keyword is not
provided, the system displays the brief information of the CPU usage statistics; if this keyword is
provided, the system displays the average CPU usage statistics for each task in the specified period.
from-device: Displays external storage media such as flash and hard disk. The device currently does
not support the from-device keyword.

Description

Use the display cpu-usage command to display the CPU usage statistics.
The system collects CPU usage statistics at intervals (usually every 60 seconds) and saves the
results in the history record area. The maximum number of records that can be saved
depends on the device model. display cpu-usage entry-number displays entry-number records
starting from the newest (last) record. display cpu-usage entry-number offset displays
entry-number records starting from the last but offset record.
The display cpu-usage command is equivalent to the display cpu-usage 1 0 verbose command and
displays detailed information of the last CPU usage statistics record.

Examples

# Display information of the current CPU usage statistics.


<Sysname> display cpu-usage
Unit CPU usage:
1% in last 5 seconds
1% in last 1 minute
1% in last 5 minutes

# Display the fifth and sixth most recent records of the CPU usage statistics history.
<Sysname> display cpu-usage 2 4
===== CPU usage info (no: 0 idx: 58) =====
CPU Usage Stat. Cycle: 60 (Second)
CPU Usage : 3%
CPU Usage Stat. Time : 2006-07-10 10:56:55
CPU Usage Stat. Tick : 0x1d9d(CPU Tick High) 0x3a659a70(CPU Tick Low)
Actual Stat. Cycle : 0x0(CPU Tick High) 0x95030517(CPU Tick Low)

===== CPU usage info (no: 1 idx: 57) =====
CPU Usage Stat. Cycle: 60 (Second)
CPU Usage : 3%
CPU Usage Stat. Time : 2006-07-10 10:55:55
CPU Usage Stat. Tick : 0x1d9c(CPU Tick High) 0xa50e5351(CPU Tick Low)
Actual Stat. Cycle : 0x0(CPU Tick High) 0x950906af(CPU Tick Low)

Table 1-2 display cpu-usage command output description

| Field | Description |
|---|---|
| Unit CPU usage | CPU usage statistics |
| 1% in last 5 seconds | After the device boots, the system calculates and records the average CPU usage in every five seconds. This field displays the average CPU usage in the last five seconds. |
| 1% in last 1 minute | After the device boots, the system calculates and records the average CPU usage in every one minute. This field displays the average CPU usage in the last minute. |
| 1% in last 5 minutes | After the device boots, the system calculates and records the average CPU usage in every five minutes. This field displays the average CPU usage in the last five minutes. |
| CPU usage info (no: idx:) | Information of CPU usage records (no: The (no+1)th record is currently displayed. no numbers from 0, a smaller number equals a newer record. idx: index of the current record in the history record table). If only the information of the current record is displayed, no and idx are not displayed. |
| CPU Usage Stat. Cycle | CPU usage measurement interval, in seconds. For example, if the value is 41, it indicates that the average CPU usage during the last 41 seconds is calculated. The value range of this field is 1 to 60. |
| CPU Usage | Average CPU usage in a measurement interval, in percentage |
| CPU Usage Stat. Time | CPU usage statistics time in seconds, that is, the system time when the command is executed |
| CPU Usage Stat. Tick | System runtime in ticks, represented by a 64-bit hexadecimal. CPU Tick High represents the most significant 32 bits and the CPU Tick Low the least significant 32 bits. |
| Actual Stat. Cycle | Actual CPU usage measurement interval in ticks, represented by a 64-bit hexadecimal. CPU Tick High represents the most significant 32 bits and the CPU Tick Low the least significant 32 bits. Owing to the precision of less than one second, the actual measurement periods of different CPU usage records may differ slightly. |

display cpu-usage history

Syntax

display cpu-usage history [ task task-id ]

View

Any view

Default Level

1: Monitor level

Parameters

task task-id: Displays the history statistics of the CPU usage of the specified task, where task-id
represents the task number. If the task-id argument is not provided, the system displays the history
statistics of the CPU usage of the entire system (the CPU usage of the entire system is the sum of CPU
usages of all tasks).

Description

Use the display cpu-usage history command to display the history statistics of the CPU usage in a
chart.
If no argument is provided, the system displays the CPU usage of the whole system.
The system collects CPU usage statistics at an interval and saves the results in the
history record area. You can use the display cpu-usage history command to display the CPU usage
statistics records of the last 60 minutes. The results are displayed as a chart on a pair of
coordinate axes. In the output information:
• The vertical axis indicates the CPU usage, which is displayed based on the step. For example, if
the step of the CPU usage is 5%, then the actual statistics value 53% is displayed as 55%, and
actual statistics value 52% is displayed as 50%.
• The horizontal axis indicates the time.
• Consecutive pound signs (#) indicate the CPU usage at a certain moment. The value on the vertical
axis corresponding to the topmost # mark at a moment is the CPU usage at this moment.

Examples

# Display the CPU usage statistics of the whole system.


<Sysname> display cpu-usage history
100%|
95%|
90%|
85%|
80%|
75%|
70%|
65%|
60%|
55%|
50%|
45%|
40%|
35%|
30%|
25%|
20%|
15%| #
10%| ### #

5%| ########
------------------------------------------------------------
10 20 30 40 50 60 (minutes)
cpu-usage last 60 minutes(SYSTEM)

The above output information indicates the CPU usage of the whole system in the last 60 minutes: 5%
in the twelfth minute, 10% in the thirteenth minute, 15% in the fourteenth minute, 10% in the fifteenth
minute, 5% in the sixteenth and seventeenth minute, 10% in the eighteenth minute, 5% in the
nineteenth minute, and 2% or lower than 2% at other times.
# Display the CPU usage statistics of task 6.
<Sysname> display cpu-usage history task 6

100%|
95%|
90%|
85%|
80%|
75%|
70%|
65%|
60%|
55%|
50%|
45%|
40%|
35%|
30%|
25%|
20%|
15%|
10%|
5%| #
------------------------------------------------------------
10 20 30 40 50 60 (minutes)
cpu-usage last 60 minutes(T03M)

The above output information indicates the CPU usage of task 6 (with the task name T03M) in the last
60 minutes: 5% in the twentieth minute, and 2% or lower than 2% at other times.

display device

Syntax

display device [ verbose ]

View

Any view

Default Level

2: System level

Parameters

verbose: Displays detailed information.

Description

Use the display device command to display information about the device.

Examples

# Display information of the device. (The output of this command varies with devices.)
<Sysname> display device
SubSNo PortNum PCBVer FPGAVer CPLDVer BootRomVer AddrLM Type State
0 52 Ver.B NULL 001 119 IVL LS51LTSS Normal

Table 1-3 display device command output description

| Field | Description |
|---|---|
| SubSNo | Number of the slot in which the subcard resides |
| PortNum | Maximum number of ports that a subcard supports |
| AddrLM | Address learning mode |
| Brd Status | Card status, which can be the following values: • Absent: No card is in the slot. • Fault: Error occurred, and the card cannot start normally. • Normal: The card is an interface card and functions normally. |

display device manuinfo

Syntax

display device manuinfo

View

Any view

Default Level

3: Manage level

Parameters

None

Description

Use the display device manuinfo command to display electrical label information about the device.

Electrical label information is also called permanent configuration data or archive information, which is
written to the storage medium of the device during debugging or test of a device. The information
includes the name of the device, the serial number, and the vendor name. This command displays part
of the electrical label information of the device.

Examples

# Display electrical label information. (The output of this command varies with devices.)
DEVICE_NAME : S5120-28P-SI
DEVICE_SERIAL_NUMBER : DPPMWWB123456
MAC_ADDRESS : 000F-E26A-58EA
MANUFACTURING_DATE : 2007-11-10
VENDOR_NAME : H3C

Table 1-4 display device manuinfo command output description

| Field | Description |
|---|---|
| DEVICE_NAME | Device name |
| DEVICE_SERIAL_NUMBER | Device serial number |
| MAC_ADDRESS | MAC address of the device |
| MANUFACTURING_DATE | Manufacturing date of the device |
| VENDOR_NAME | Vendor name |

display environment

Syntax

display environment

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display environment command to display the temperature information, including the current
temperature and temperature thresholds.

Examples

# Display the temperature information of the device.


<Sysname> display environment
System temperature information (degree centigrade):
-------------------------------------------------------------------------------
Sensor Temperature LowerLimit WarningLimit AlarmLimit ShutdownLimit
hotspot 1 45 NA 85 95 NA

display fan

Syntax

display fan [ fan-id ]

View

Any view

Default Level

1: Monitor level

Parameters

fan-id: Displays the operating state of the specified fan, where fan-id represents the built-in fan number.

Description

Use the display fan command to display the operating state of built-in fans.

Examples

# Display the operating state of all fans in a device.


<Sysname> display fan
Fan 1 State: Normal

display memory

Syntax

display memory

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display memory command to display the usage of the memory of a device.

Examples

# Display the usage of the memory of a device.


<Sysname> display memory
System Total Memory(bytes): 83947760
Total Used Memory(bytes): 24881784
Used Rate: 16%

Table 1-5 display memory command output description

| Field | Description |
|---|---|
| System Total Memory(bytes) | Total size of the system memory (in bytes) |
| Total Used Memory(bytes) | Size of the memory used (in bytes) |
| Used Rate | Percentage of the memory used to the total memory |

display power

Syntax

display power [ power-id ]

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display power command to display the PSU information of a device.

Examples

# Display the PSU information of the device.


<Sysname> display power
Power 0 State: Normal

Table 1-6 display power command output description

| Field | Description |
|---|---|
| Power | PSU number |
| State | PSU state: • Normal • Absent • Fault |

display reboot-type

Syntax

display reboot-type

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display reboot-type command to display the reboot mode of the device.

Examples

# Display the reboot mode of the device.


<Sysname> display reboot-type
The rebooting type this time is: Cold

The above information indicates that the last reboot of the device was a cold boot, that is, a restart
caused by powering the device on. Warm indicates a warm boot, that is, a restart triggered by a
command such as reboot.

display schedule job

Syntax

display schedule job

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display schedule job command to display the detailed configurations of the scheduled
automatic execution function.

Examples

# Display the detailed configurations of the current scheduled automatic execution function.
<Sysname> display schedule job
Specified command: execute 1.bat
Specified view: system view
Executed time: at 12:00 10/31/2007 (in 0 hours and 16 minutes)

If you modify the system time within these 16 minutes, the configuration of the scheduled automatic
execution of the batch file becomes invalid, and when you execute the display schedule job command
again, the system displays nothing.

display schedule reboot

Syntax

display schedule reboot

View

Any view

Default Level

3: Manage level

Parameters

None

Description

Use the display schedule reboot command to display the device reboot time set by the user.
Related commands: schedule reboot at and schedule reboot delay.

Examples

# Display the reboot time of a device.


<Sysname> display schedule reboot
System will reboot at 16:00:00 03/10/2006 (in 2 hours and 5 minutes).

The above information indicates the system will reboot at 16:00:00 on March 10, 2006 (in two hours and
five minutes).

display system-failure

Syntax

display system-failure

View

Any view

Default Level

3: Manage level

Parameters

None

Description

Use the display system-failure command to display the exception handling method.
Related commands: system-failure.

Examples

# Display the exception handling method.


<Sysname> display system-failure
System failure handling method: reboot

display transceiver alarm

Syntax

display transceiver alarm interface [ interface-type interface-number ]

View

Any view

Default Level

2: System level

Parameters

interface [ interface-type interface-number ]: Displays the current alarm information of the pluggable
transceiver plugged in the specified interface. interface-type interface-number represents interface type
and interface number. If it is not specified, the command displays the current alarm information of the
pluggable transceiver in all the interfaces.

Description

Use the display transceiver alarm command to display the current alarm information of a single or all
transceivers.
If no error occurs, None is displayed.
Table 1-7 shows the alarm information that may occur for the four types of commonly used transceivers.

Table 1-7 display transceiver alarm command output description

| Field | Remarks |
|---|---|
| GBIC/SFP | |
| RX loss of signal | Incoming (RX) signal is lost. |
| RX power high | Incoming (RX) power level is high. |
| RX power low | Incoming (RX) power level is low. |
| TX fault | Transmit (TX) fault |
| TX bias high | TX bias current is high. |
| TX bias low | TX bias current is low. |
| TX power high | TX power is high. |
| TX power low | TX power is low. |
| Temp high | Temperature is high. |
| Temp low | Temperature is low. |
| Voltage high | Voltage is high. |
| Voltage low | Voltage is low. |
| Transceiver info I/O error | Transceiver information read and write error |
| Transceiver info checksum error | Transceiver information checksum error |
| Transceiver type and port configuration mismatch | Transceiver type does not match port configuration. |
| Transceiver type not supported by port hardware | Transceiver type is not supported on the port. |
| XFP | |
| RX loss of signal | Incoming (RX) signal is lost. |
| RX not ready | RX is not ready. |
| RX CDR loss of lock | RX clock cannot be recovered. |
| RX power high | RX power is high. |
| RX power low | RX power is low. |
| TX not ready | TX is not ready. |
| TX fault | TX fault |
| TX CDR loss of lock | TX clock cannot be recovered. |
| TX bias high | TX bias current is high. |
| TX bias low | TX bias current is low. |
| TX power high | TX power is high. |
| TX power low | TX power is low. |
| Module not ready | Module is not ready. |
| APD supply fault | APD (Avalanche Photo Diode) supply fault |
| TEC fault | TEC (Thermoelectric Cooler) fault |
| Wavelength unlocked | Wavelength of optical signal exceeds the manufacturer's tolerance. |
| Temp high | Temperature is high. |
| Temp low | Temperature is low. |
| Voltage high | Voltage is high. |
| Voltage low | Voltage is low. |
| Transceiver info I/O error | Transceiver information read and write error |
| Transceiver info checksum error | Transceiver information checksum error |
| Transceiver type and port configuration mismatch | Transceiver type does not match port configuration. |
| Transceiver type not supported by port hardware | Transceiver type is not supported on the port. |
| XENPAK | |
| WIS local fault | WIS (WAN Interface Sublayer) local fault |
| Receive optical power fault | Receive optical power fault |
| PMA/PMD receiver local fault | PMA/PMD (Physical Medium Attachment/Physical Medium Dependent) receiver local fault |
| PCS receive local fault | PCS (Physical Coding Sublayer) receiver local fault |
| PHY XS receive local fault | PHY XS (PHY Extended Sublayer) receive local fault |
| RX power high | RX power is high. |
| RX power low | RX power is low. |
| Laser bias current fault | Laser bias current fault |
| Laser temperature fault | Laser temperature fault |
| Laser output power fault | Laser output power fault |
| TX fault | TX fault |
| PMA/PMD receiver local fault | PMA/PMD receiver local fault |
| PCS receive local fault | PCS receive local fault |
| PHY XS receive local fault | PHY XS receive local fault |
| TX bias high | TX bias current is high. |
| TX bias low | TX bias current is low. |
| TX power high | TX power is high. |
| TX power low | TX power is low. |
| Temp high | Temperature is high. |
| Temp low | Temperature is low. |
| Transceiver info I/O error | Transceiver information read and write error |
| Transceiver info checksum error | Transceiver information checksum error |
| Transceiver type and port configuration mismatch | Transceiver type does not match port configuration. |
| Transceiver type not supported by port hardware | Transceiver type is not supported on the port. |

Examples

# Display the alarm information of the pluggable transceiver plugged in interface GigabitEthernet1/0/25.
(The output of this command varies with devices.)
<Sysname> display transceiver alarm interface GigabitEthernet1/0/25
GigabitEthernet1/0/25 transceiver current alarm information:
RX loss of signal
RX power low

Table 1-8 display transceiver alarm command output description

| Field | Description |
|---|---|
| transceiver current alarm information | Current alarm information of the transceiver |
| RX loss of signal | Incoming (RX) signal is lost. |
| RX power low | Incoming (RX) power level is low. |

display transceiver diagnosis

Syntax

display transceiver diagnosis interface [ interface-type interface-number ]

View

Any view

Default Level

2: System level

Parameters

interface [ interface-type interface-number ]: Displays the currently measured value of digital diagnosis
parameters of the H3C customized anti-spoofing pluggable optical transceiver plugged in the specified
interface. interface-type interface-number represents interface type and interface number. If it is not
specified, the command displays the currently measured value of digital diagnosis parameters of H3C
customized anti-spoofing pluggable optical transceivers in all the interfaces.

Description

Use the display transceiver diagnosis command to display the currently measured value of digital
diagnosis parameters of H3C customized anti-spoofing pluggable optical transceivers.

Examples

# Display the currently measured value of the digital diagnosis parameters of the H3C customized
anti-spoofing pluggable optical transceiver plugged in interface GigabitEthernet1/0/25. (The output of
this command varies with devices.)
<Sysname> display transceiver diagnosis interface GigabitEthernet1/0/25
GigabitEthernet1/0/25 transceiver diagnostic information:
Current diagnostic parameters:
Temp(°C) Voltage(V) Bias(mA) RX power(dBM) TX power(dBM)
36 3.31 6.13 -35.64 -5.19

Table 1-9 display transceiver diagnosis command output description

| Field | Description |
|---|---|
| transceiver diagnostic information | Digital diagnosis information of the transceiver plugged in the interface |
| Current diagnostic parameters | Current diagnostic parameters |
| Temp.(°C) | Digital diagnosis parameter-temperature, in °C, with the precision to 1°C. |
| Voltage(V) | Digital diagnosis parameter-voltage, in V, with the precision to 0.01 V. |
| Bias(mA) | Digital diagnosis parameter-bias current, in mA, with the precision to 0.01 mA. |
| RX power(dBM) | Digital diagnosis parameter-RX power, in dBM, with the precision to 0.01 dBM. |
| TX power(dBM) | Digital diagnosis parameter-TX power, in dBM, with the precision to 0.01 dBM. |

display transceiver

Syntax

display transceiver interface [ interface-type interface-number ]

View

Any view

Default Level

2: System level

Parameters

interface [ interface-type interface-number ]: Displays main parameters of the pluggable transceiver
plugged in the specified interface. interface-type interface-number represents interface type and
interface number. If it is not specified, the command displays main parameters of the pluggable
transceiver(s) in all the interfaces.

Description

Use the display transceiver command to display main parameters of a single or all pluggable
transceivers.

Examples

# Display main parameters of the pluggable transceiver plugged in interface GigabitEthernet1/0/25.
(The output of this command varies with devices.)
<Sysname> display transceiver interface GigabitEthernet1/0/25
GigabitEthernet1/0/25 transceiver information:
Transceiver Type : 1000_BASE_SX_SFP
Connector Type : LC
Wavelength(nm) : 850
Transfer Distance(m) : 550(50um),270(62.5um)
Digital Diagnostic Monitoring : YES
Vendor Name : H3C
Ordering Name : SFP-GE-SX-MM850

Table 1-10 display transceiver command output description

| Field | Description |
|---|---|
| transceiver information | Pluggable transceiver information |
| Transceiver Type | Pluggable transceiver type |
| Connector Type | Type of the connectors of the transceiver: • Optical connectors, including SC (SC connector, developed by NTT) and LC (LC connector, 1.25 mm/RJ-45 optical connector developed by Lucent). • Other connectors, including RJ-45 and CX 4. |
| Wavelength(nm) | • Optical transceiver: central wavelength of the laser sent, in nm. If the transceiver supports multiple wavelengths, every two wavelength values are separated by a comma. • Electrical transceiver: displayed as N/A. |
| Transfer distance(xx) | Transfer distance, with xx representing km for single-mode transceivers and m for other transceivers. If the transceiver supports multiple transfer media, every two values of the transfer distance are separated by a comma. The corresponding transfer medium is included in the bracket following the transfer distance value. The following are the transfer media: • 9 um: 9/125 um single-mode fiber • 50 um: 50/125 um multi-mode fiber • 62.5 um: 62.5/125 um multi-mode fiber • TP: Twisted pair • CX4: CX4 cable |
| Digital Diagnostic Monitoring | Whether the digital diagnosis function is supported, where: • YES: supported • NO: not supported |
| Vendor Name | Vendor name or name of the vendor who customizes the transceiver: • H3C customized anti-spoofing transceiver: H3C is displayed. • Other transceivers: The vendor name is displayed. |
| Ordering Name | Pluggable transceiver model |

display transceiver manuinfo

Syntax

display transceiver manuinfo interface [ interface-type interface-number ]

View

Any view

Default Level

2: System level

Parameters

interface [ interface-type interface-number ]: Displays part of the electrical label information of the H3C
customized anti-spoofing pluggable transceiver plugged in the specified interface. interface-type
interface-number represents interface type and interface number. If it is not specified, the command
displays part of the electrical label information of the H3C customized anti-spoofing pluggable
transceiver(s) in all the interfaces.

Description

Use the display transceiver manuinfo command to display part of the electrical label information of a
single or all H3C customized anti-spoofing pluggable transceivers.

Examples

# Display the electrical label information of the H3C customized anti-spoofing pluggable transceiver
plugged in interface GigabitEthernet1/0/25. (The output of this command varies with devices.)
<Sysname> display transceiver manuinfo interface GigabitEthernet1/0/25
GigabitEthernet1/0/25 transceiver manufacture information:
Manu. Serial Number : 213410A0000054000251
Manufacturing Date : 2006-09-01
Vendor Name : H3C

Table 1-11 display transceiver manuinfo command output description

Field | Description
Manu. Serial Number | Serial number generated during debugging and testing of the customized transceivers
Manufacturing Date | Debugging and testing date. The date takes the value of the system clock of the computer that performs debugging and testing.
Vendor Name | Name of the vendor who customizes the transceiver, that is, H3C.

reboot

Syntax

reboot

View

User view

Default Level

2: System level

Parameters

None

Description

Use the reboot command to reboot the device.

• Device reboot may result in the interruption of the ongoing services. Use these commands with
caution.
• If a main boot file fails or does not exist, the device cannot be rebooted with the reboot command.
In this case, you can re-specify a main boot file to reboot the device, or you can power off the
device, then power it on and the system automatically uses the backup boot file to restart the
device.
• If you are performing file operations when the device is to be rebooted, the system does not
execute the command for the sake of security.

Examples

# If the current configuration does not change, reboot the device.


<Sysname> reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
This command will reboot the device. Continue? [Y/N]:y
Now rebooting, please wait...

# If the current configuration changes, reboot the device.


<Sysname> reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
This command will reboot the device. Current configuration will be lost in next startup if
you continue. Continue? [Y/N]:y
Now rebooting, please wait...

reset unused porttag

Syntax

reset unused porttag

View

User view

Default Level

1: Monitor level

Parameters

None

Description

Use the reset unused porttag command to clear the 16-bit index saved but not used in the current
system.

Examples

# Clear the 16-bit index saved but not used in the current system.

<Sysname> reset unused porttag
Current operation will delete all unused port tag(s). Continue? [Y/N]:y
<Sysname>

schedule job

Syntax

schedule job { at time1 [ date ] | delay time2 } view view command


undo schedule job

View

User view

Default Level

3: Manage level

Parameters

at time1 [ date ]: Specifies the execution time of a specified command.
• time1: Execution time of the command, in the format of hh:mm (hour/minute). The hh value ranges
from 0 to 23, and the mm value ranges from 0 to 59.
• date: Execution date of the command, in the format of MM/DD/YYYY (month/day/year) or
YYYY/MM/DD (year/month/day). The YYYY value ranges from 2000 to 2035, the MM value ranges
from 1 to 12, and the DD value range depends on a specific month.
delay time2: Specifies the execution waiting time of a specified command. time2 represents the waiting
time, which can be in one of the following formats:
• hh:mm (hour/minute): The hh value ranges from 0 to 720, and the mm value ranges from 0 to 59.
The value of hh:mm cannot exceed 720:00.
• mm (minute): It ranges from 0 to 432000, with 0 indicating that a command is executed immediately
without any delay.
view view: Specifies the view in which a command is executed. view represents the view name, and it
takes the following values at present:
• shell: represents user view.
• system: represents system view.
command: The command string to be automatically executed at the scheduled time.

Description

Use the schedule job command to automatically execute a specified command at the scheduled time.
Use the undo schedule job command to remove the configuration.
Note the following:
• If you provide both the time1 and date arguments, the execution time must be a future time.
• If you only provide the time1 argument, when time1 is earlier than the current system time, the
specified command is executed at time1 of the next day; when time1 is later than the current
system time, the specified command is executed at time1 of the current day.
• No matter whether you use the at or delay keyword, the difference between the execution time of a
command and the current system time cannot exceed 720 hours (namely, 30 days).
• At present, you can specify only user view and system view. To automatically execute the specified
commands in other views or automatically execute multiple commands at a time, you can configure
the system to automatically execute a batch file at a specified time (note that you must provide a
complete file path for the system to execute the batch file).
• The system does not check the view and command arguments. Therefore, ensure the correctness
of the command argument (including the correct format of command and the correct relationship
between the command and view arguments).
• After the specified automatic execution time is reached, the system executes the specified
commands without displaying any information except system information such as log, trap and
debug.
• When the system is executing the specified command, you do not need to input any information. If
there is information for you to confirm, the system automatically inputs Y or Yes; if certain
characters need to be input, the system automatically inputs a default character string, and inputs
an empty character string when there is no default character string.
• For the commands used to switch user interfaces, such as telnet, ftp, and ssh2, the commands
used to switch views, such as system-view, quit and interface ethernet, and the commands used
to modify status of the user that is executing commands, such as super, the operation interface,
command view and status of the current user are not changed after the automatic execution
function is performed.
• If you modify the system time after the automatic execution function is configured, the scheduled
automatic execution configuration becomes invalid automatically.
• Only the latest configuration takes effect if you execute the schedule job command repeatedly.

Examples

# Configure the device to execute the batch file 1.bat in system view in 60 minutes (supposing that
the current time is 11:43).
<Sysname> schedule job delay 60 view system execute 1.bat
Info: Command execute 1.bat in system view will be executed at 12:43 10/31/2007 (in 1 hours
and 0 minutes).

# Configure the device to execute the batch file 1.bat in system view at 12:00 in the current day
(supposing that the current time is 11:43).
<Sysname> schedule job at 12:00 view system execute 1.bat
Info: Command execute 1.bat in system view will be executed at 12:00 10/31/2007 (in 0 hours
and 16 minutes).

schedule reboot at

Syntax

schedule reboot at hh:mm [ date ]


undo schedule reboot

View

User view

Default Level

3: Manage level

Parameters

hh:mm: Reboot time of a device, in the format of hh:mm (hours:minutes). The value of the hh argument
ranges from 0 to 23, and the value of the mm argument ranges from 0 to 59.
date: Reboot date of a device, in the format mm/dd/yyyy (month/day/year) or in the format yyyy/mm/dd
(year/month/day). The yyyy value ranges from 2000 to 2035, the mm value ranges from 1 to 12, and the
dd value depends on a specific month.

Description

Use the schedule reboot at command to enable the scheduled reboot function and specify a specific
reboot time and date.
By default, the scheduled reboot function is disabled.
There are two cases if no specific reboot date is specified:
• When the specified reboot time is later than the current time, the device will be rebooted at the
reboot time of the current day.
• When the specified reboot time is earlier than the current time, the device will be rebooted at the
reboot time the next day.
If you are performing file operations when the device is to be rebooted, the system does not
execute the command for the sake of security.
Note that:
• The precision of the device timer is 1 minute. One minute before the reboot time, the device will
prompt “REBOOT IN ONE MINUTE” and will be rebooted in one minute.
• The difference between the reboot date and the current date cannot exceed 30 x 24 hours (namely,
30 days).
• After you execute the above command, the device will prompt you to confirm the configuration. You
must enter Y or y to make the configuration take effect. The original configuration will be
overwritten at the same time.
• If a date (month/day/year or year/month/day) later than the current date is specified for the
schedule reboot at command, the device will be rebooted at the reboot time.
• If you use the clock command after the schedule reboot at command to adjust the system time,
the reboot time set by the schedule reboot at command will become invalid.

This command reboots the device at a future time, thus resulting in service interruption. Please use it
with caution.

Examples

# Configure the device to reboot at 12:00 AM (supposing that the current time is 11:43).
<Sysname> schedule reboot at 12:00
Reboot system at 12:00 06/06/2006(in 0 hour(s) and 16 minute(s))
confirm? [Y/N]:

# If you have used the terminal logging command to enable the log display function on the terminal
before setting a reboot time, the system will automatically display related log information after you enter
<y>. By default, the log display function is enabled.
<Sysname>
%Jun 6 11:43:11:629 2006 Sysname CMD/4/REBOOT:
vty0(192.168.1.54): Set schedule reboot parameters at 11:43:11 06/06/2006, and system will
reboot at 12:00 06/06/2006.

schedule reboot delay

Syntax

schedule reboot delay { hh:mm | mm }


undo schedule reboot

View

User view

Default Level

3: Manage level

Parameters

hh:mm: Device reboot wait time, in the format of hh:mm (hours:minutes). The value of the hh argument
ranges from 0 to 720, the value of the mm argument ranges from 0 to 59, and the value of the
hh:mm argument cannot exceed 720:00.
mm: Device reboot wait time in minutes, in the range of 0 to 43,200.

Description

Use the schedule reboot delay command to enable the scheduled reboot function and set a reboot
wait time.
By default, the scheduled reboot function is disabled.
Note that:
• The reboot wait time can be in the format of hh:mm (hours:minutes) or mm (absolute minutes). The
absolute minutes cannot exceed 30 x 24 x 60 minutes, namely, 30 days.
• The precision of the device timer is 1 minute. One minute before the reboot time, the device will
prompt “REBOOT IN ONE MINUTE” and will be rebooted in one minute.
• After you execute the above command, the device will prompt you to confirm the configuration. You
must enter <Y> or <y> to make the configuration take effect. The original configuration will be
overwritten at the same time.
• If you use the clock command after the schedule reboot delay command to adjust the system
time, the reboot wait time set by the schedule reboot delay command will become invalid.
• If you are performing file operations when the device is to be rebooted, the system does not
execute the command for the sake of security.

This command reboots the device after the specified delay time, thus resulting in service interruption.
Please use it with caution.

Examples

# Configure the device to reboot in 88 minutes (supposing the current time is 11:48).
<Sysname> schedule reboot delay 88
Reboot system at 13:16 06/06/2006(in 1 hour(s) and 28 minute(s)). confirm? [Y/N]:

# If you have used the terminal logging command to enable the log display function on the terminal
before setting a reboot time, the system will automatically display related log information after you enter
y. By default, the log display function is enabled on the terminal.
<Sysname>
%Jun 6 11:48:44:860 2006 Sysname CMD/4/REBOOT:
vty0(192.168.1.54): Set schedule reboot parameters at 11:48:44 06/06/2006, and system will
reboot at 13:16 06/06/2006.
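
The CMD/4/REBOOT entries shown for schedule reboot at and schedule reboot delay record who scheduled a reboot, from which address, and for when. The following added example (not part of the H3C manual) extracts those fields from collected log text and flags entries for review; the management subnet, the maintenance window and the third log entry are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Sample input: the two log entries printed on this page (line wraps kept),
# plus one constructed entry from an address outside the management subnet.
SAMPLE_LOG = """\
%Jun 6 11:43:11:629 2006 Sysname CMD/4/REBOOT:
vty0(192.168.1.54): Set schedule reboot parameters at 11:43:11 06/06/2006, and system will
reboot at 12:00 06/06/2006.
%Jun 6 11:48:44:860 2006 Sysname CMD/4/REBOOT:
vty0(192.168.1.54): Set schedule reboot parameters at 11:48:44 06/06/2006, and system will
reboot at 13:16 06/06/2006.
%Jun 7 02:10:05:101 2006 Sysname CMD/4/REBOOT:
vty1(10.20.30.40): Set schedule reboot parameters at 02:10:05 06/07/2006, and system will
reboot at 02:30 06/07/2006.
"""

# \s+ between tokens tolerates the line wraps seen in terminal captures.
REBOOT_RE = re.compile(
    r"%\w{3}\s+\d{1,2}\s+[\d:]+\s+\d{4}\s+(?P<host>\S+)\s+CMD/4/REBOOT:\s+"
    r"(?P<line>\w+)\((?P<src>[\d.]+)\):\s+Set schedule reboot parameters at\s+"
    r"(?P<set>\d{2}:\d{2}:\d{2}\s+\d{2}/\d{2}/\d{4}),\s+and system will\s+"
    r"reboot at\s+(?P<when>\d{2}:\d{2}\s+\d{2}/\d{2}/\d{4})\."
)


def find_scheduled_reboots(text):
    """Return one dict per 'Set schedule reboot parameters' log entry."""
    events = []
    for m in REBOOT_RE.finditer(text):
        # Dates in the log are MM/DD/YYYY, as in the command output on this page.
        set_at = datetime.strptime(" ".join(m["set"].split()), "%H:%M:%S %m/%d/%Y")
        reboot_at = datetime.strptime(" ".join(m["when"].split()), "%H:%M %m/%d/%Y")
        events.append({
            "host": m["host"],
            "line": m["line"],          # user interface, e.g. vty0
            "src": m["src"],            # address the session came from
            "set_at": set_at,
            "reboot_at": reboot_at,
            "lead_minutes": int((reboot_at - set_at).total_seconds() // 60),
        })
    return events


def triage(events, mgmt_nets, window):
    """Flag reboots scheduled from outside mgmt_nets or outside the window.

    mgmt_nets and window ("HH:MM", "HH:MM") are site policy, assumed here.
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    start = datetime.strptime(window[0], "%H:%M").time()
    end = datetime.strptime(window[1], "%H:%M").time()
    findings = []
    for ev in events:
        reasons = []
        if not any(ipaddress.ip_address(ev["src"]) in n for n in nets):
            reasons.append("unexpected_source")
        if not (start <= ev["reboot_at"].time() <= end):
            reasons.append("outside_window")
        if reasons:
            findings.append((ev["src"], ev["reboot_at"], reasons))
    return findings


if __name__ == "__main__":
    evs = find_scheduled_reboots(SAMPLE_LOG)
    for src, when, reasons in triage(evs, ["192.168.1.0/24"], ("01:00", "05:00")):
        print(f"{when:%Y-%m-%d %H:%M} scheduled from {src}: {', '.join(reasons)}")
```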

system-failure

Syntax

system-failure { maintain | reboot }


undo system-failure

View

System view

Default Level

3: Manage level

Parameters

maintain: Specifies that when the system detects any software abnormality, it maintains the current
situation, and does not take any measure to recover itself.
reboot: Specifies that when the system detects any software abnormality, it recovers itself through
automatic reboot.

Description

Use the system-failure command to configure the exception handling method.


By default, the system adopts the reboot method to handle exceptions.

Examples

# Set the exception handling method to reboot.


<Sysname> system-view
[Sysname] system-failure reboot

Table of Contents

1 NTP Configuration Commands
  NTP Configuration Commands
    display ntp-service sessions
    display ntp-service status
    display ntp-service trace
    ntp-service access
    ntp-service authentication enable
    ntp-service authentication-keyid
    ntp-service broadcast-client
    ntp-service broadcast-server
    ntp-service in-interface disable
    ntp-service max-dynamic-sessions
    ntp-service multicast-client
    ntp-service multicast-server
    ntp-service reliable authentication-keyid
    ntp-service source-interface
    ntp-service unicast-peer
    ntp-service unicast-server

1 NTP Configuration Commands

NTP Configuration Commands


display ntp-service sessions

Syntax

display ntp-service sessions [ verbose ]

View

Any view

Default Level

1: Monitor level

Parameters

verbose: Displays the detailed information of all NTP sessions. If you do not specify this keyword, only
the brief information of the NTP sessions will be displayed.

Description

Use the display ntp-service sessions command to view the information of all NTP sessions.

Examples

# View the brief information of NTP sessions.


<Sysname> display ntp-service sessions
source reference stra reach poll now offset delay disper
********************************************************************************
[12345]127.127.1.0 127.127.1.0 3 1 64 33 0.0 0.0 0.0
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1

Table 1-1 display ntp-service sessions command output description

Field | Description
source | IP address of the clock source
reference | Reference clock ID of the clock source
  1) If the reference clock is the local clock, the value of this field is related to the value of the stra field:
     • When the value of the stra field is 0 or 1, this field will be “LOCL”;
     • When the stra field has another value, this field will be the IP address of the local clock.
  2) If the reference clock is the clock of another device on the network, the value of this field will be the IP address of that device.
stra | Stratum level of the clock source, which determines the clock precision. The value range is 1 to 16. The clock precision decreases from stratum 1 to stratum 16. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized.
reach | Reachability count of the clock source. 0 indicates that the clock source is unreachable.
poll | Poll interval in seconds, namely, the maximum interval between successive NTP messages.
now | The length of time from when the last NTP message was received or when the local clock was last updated to the current time.
  The time is in seconds by default. If the time length is greater than 2048 seconds, it is displayed in minutes; if greater than 300 minutes, in hours; if greater than 96 hours, in days.
offset | The offset of the system clock relative to the reference clock, in milliseconds
delay | The roundtrip delay from the local device to the clock source, in milliseconds
disper | The maximum error of the system clock relative to the reference source.
[12345] |
  1: Clock source selected by the switch, namely, the current reference source.
  2: Stratum level of the clock source is less than or equal to 15.
  3: This clock source has passed the clock selection process.
  4: This clock source is a candidate clock source.
  5: This clock source was created by a configuration command.
Total associations | Total number of associations

# View the detailed information of all NTP sessions.


<Sysname> display ntp-service sessions verbose
clock source: 127.127.1.0
clock stratum: 3
clock status: configured, master, sane, valid
reference clock ID: 127.127.1.0
local mode: client, local poll: 6
peer mode: server, peer poll: 6
offset: 0.0000 ms,delay: 0.00 ms, disper: 0.02 ms
root delay: 0.00 ms, root disper: 10.00 ms
reach: 1, sync dist: 0.010, sync state: 2
precision: 2^18, version: 3, peer interface: InLoopBack0
reftime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.71484513)
orgtime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.71484513)
rcvtime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.7149E881)
xmttime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.71464DC2)
filter delay : 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filter offset: 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filter disper: 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

Total associations : 1

Table 1-2 display ntp-service sessions verbose command output description

Field | Description
clock source | IP address of the clock source
clock stratum | Stratum level of the clock source, which determines the clock precision. The value range is 1 to 16. The clock precision decreases from stratum 1 to stratum 16. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized.
clock status | Status of the clock source corresponding to this session, including:
  • configured: The session was created by a configuration command.
  • dynamic: This session is established dynamically.
  • master: The clock source is the primary reference source of the current system.
  • selected: The clock source has survived the clock selection algorithm.
  • candidate: The clock source is the candidate reference source.
  • sane: The clock source has passed the sane authentication.
  • insane: The clock source has failed the sane authentication.
  • valid: The clock source is valid, which means the clock source meets the following requirements: it has passed the authentication and is being synchronized; its stratum level is valid; its root delay and root dispersion values are within their ranges.
  • invalid: The clock source is invalid.
  • unsynced: The clock source has not been synchronized or the value of the stratum level is invalid.
reference clock ID | Reference clock ID of the clock source
  1) If the reference clock is the local clock, the value of this field is related to the stratum level of the clock source:
     • When the stratum level of the clock source is 0 or 1, this field will be “LOCL”;
     • When the stratum level of the clock source has another value, this field will be the IP address of the local clock.
  2) If the reference clock is the clock of another device on the network, the value of this field will be the IP address of that device.
local mode | Operation mode of the local device, including:
  • unspec: The mode is unspecified.
  • active: Active mode.
  • passive: Passive mode.
  • client: Client mode.
  • server: Server mode.
  • bdcast: Broadcast server mode.
  • control: Control query mode.
  • private: Private message mode.
local poll | Poll interval of the local device, in seconds. The value displayed is a power of 2, for example, if the displayed value is 6, it indicates that the poll interval of the local device is 2^6, that is, 64 seconds.
peer mode | Operation mode of the peer device, including:
  • unspec: The mode is unspecified.
  • active: Active mode.
  • passive: Passive mode.
  • client: Client mode.
  • server: Server mode.
  • bdcast: Broadcast server mode.
  • control: Control query mode.
  • private: Private message mode.
peer poll | Poll interval of the peer device, in seconds. The value displayed is a power of 2, for example, if the displayed value is 6, it indicates that the poll interval of the local device is 2^6, that is, 64 seconds.
offset | The offset of the system clock relative to the reference clock, in milliseconds
delay | The roundtrip delay from the local device to the clock source, in milliseconds
disper | The maximum error of the system clock relative to the reference clock
root delay | The roundtrip delay from the local device to the primary reference source, in milliseconds
root disper | The maximum error of the system clock relative to the primary reference clock, in milliseconds
reach | Reachability count of the clock source. 0 indicates that the clock source is unreachable.
sync dist | The synchronization distance relative to the upper-level clock, in seconds, and calculated from dispersion and roundtrip delay values.
sync state | State of the state machine. The displayed value is an integer that ranges from 0 to 5.
precision | Precision of the system clock
version | NTP version. The displayed value is an integer that ranges from 1 to 3.
peer interface | Source interface. If the source interface is not specified, this field will be wildcard.
reftime | Reference timestamp in the NTP message
orgtime | Originate timestamp in the NTP message
rcvtime | Receive timestamp in the NTP message
xmttime | Transmit timestamp in the NTP message
filter delay | Delay information
filter offset | Offset information
filter disper | Dispersion information
Total associations | Total number of associations

When a device is working in the NTP broadcast/multicast server mode, the display ntp-service
sessions command executed on the device will not display the NTP session information corresponding
to the broadcast/multicast server, but the sessions will be counted in the total number of associations.
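
The following added example (not part of the H3C manual) reads the fields described in Table 1-2 from display ntp-service sessions verbose output and reports sessions that need attention: a stratum of 16, a reach of 0, an insane, invalid or unsynced status, or a printed timestamp that disagrees with the hexadecimal value beside it. It assumes the hexadecimal value is the standard 64-bit NTP timestamp (32-bit seconds since 1900-01-01 UTC and a 32-bit fraction), which the page's sample values satisfy; BAD_SESSION is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Lines copied from the verbose example on this page.
PAGE_SESSION = """\
clock source: 127.127.1.0
clock stratum: 3
clock status: configured, master, sane, valid
reference clock ID: 127.127.1.0
local mode: client, local poll: 6
peer mode: server, peer poll: 6
reach: 1, sync dist: 0.010, sync state: 2
reftime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.71484513)
rcvtime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.7149E881)
xmttime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.71464DC2)
"""

# Constructed session, with values chosen to trip every check.
BAD_SESSION = """\
clock source: 192.0.2.10
clock stratum: 16
clock status: configured, insane, invalid, unsynced
local mode: client, local poll: 6
reach: 0, sync dist: 0.000, sync state: 0
reftime: 10:56:22.442 UTC Aug 7 2009(00000000.00000000)
"""

TS_RE = re.compile(r"^(\w+time): (.+?)\(([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\)", re.M)
BAD_STATES = ("insane", "invalid", "unsynced")


def decode_ntp_timestamp(sec_hex, frac_hex):
    """Convert the two hex halves of an NTP timestamp to an aware datetime."""
    micros = round(int(frac_hex, 16) / 2**32 * 1_000_000)
    return NTP_EPOCH + timedelta(seconds=int(sec_hex, 16), microseconds=micros)


def field(text, pattern, default):
    m = re.search(pattern, text)
    return m.group(1).strip() if m else default


def audit_session(text):
    """Return poll interval, decoded timestamps and a list of findings."""
    findings = []
    stratum = int(field(text, r"clock stratum:\s*(\d+)", "16"))
    reach = int(field(text, r"reach:\s*(\d+)", "0"))
    poll_exp = int(field(text, r"local poll:\s*(\d+)", "0"))
    status = [s.strip() for s in field(text, r"clock status:\s*(.+)", "").split(",")]

    if stratum >= 16:
        findings.append("stratum 16: clock source is not synchronized")
    if reach == 0:
        findings.append("reach 0: clock source is unreachable")
    findings.extend(f"status: {s}" for s in status if s in BAD_STATES)

    timestamps = {}
    for name, printed, sec_hex, frac_hex in TS_RE.findall(text):
        decoded = decode_ntp_timestamp(sec_hex, frac_hex)
        shown = datetime.strptime(printed.strip(), "%H:%M:%S.%f UTC %b %d %Y")
        shown = shown.replace(tzinfo=timezone.utc)
        # The display carries milliseconds, so allow up to 1 ms of difference.
        if abs((decoded - shown).total_seconds()) >= 0.001:
            findings.append(f"timestamp mismatch: {name}")
        timestamps[name] = decoded

    # The poll fields are exponents of 2 (Table 1-2): 6 means 2^6 = 64 seconds.
    return {"poll_seconds": 2 ** poll_exp, "timestamps": timestamps,
            "findings": findings}


if __name__ == "__main__":
    for label, text in (("page sample", PAGE_SESSION), ("constructed", BAD_SESSION)):
        print(label, audit_session(text)["findings"] or "no findings")
```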

display ntp-service status

Syntax

display ntp-service status

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ntp-service status command to view the NTP service status information.

Examples

# View the NTP service status information.


<Sysname> display ntp-service status
Clock status: unsynchronized
Clock stratum: 16
Reference clock ID: none
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 0.00 ms
Root dispersion: 0.00 ms
Peer dispersion: 0.00 ms
Reference time: 00:00:00.000 UTC Jan 1 1900(00000000.00000000)

Table 1-3 display ntp-service status command output description

Field | Description
Clock status | Status of the system clock, including:
  • Synchronized: The system clock has been synchronized.
  • Unsynchronized: The system clock has not been synchronized.
Clock stratum | Stratum level of the system clock
Reference clock ID | After the system clock is synchronized to a remote time server, this field indicates the address of the remote time server; after the system clock is synchronized to a local reference source, this field indicates the address of the local clock source:
  • When the local clock has a stratum level of 1, the value of this field is “LOCL”;
  • When the stratum of the local clock has another value, the value of this field is the IP address of the local clock.
Nominal frequency | The nominal frequency of the local system hardware clock, in Hz
Actual frequency | The actual frequency of the local system hardware clock, in Hz
Clock precision | The precision of the system clock
Clock offset | The offset of the system clock relative to the reference source, in milliseconds
Root delay | The roundtrip delay from the local device to the primary reference source, in milliseconds
Root dispersion | The maximum error of the system clock relative to the primary reference source, in milliseconds
Peer dispersion | The maximum error of the system clock relative to the reference source, in milliseconds
Reference time | Reference timestamp

display ntp-service trace

Syntax

display ntp-service trace

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ntp-service trace command to view the brief information of each NTP server along the
NTP server chain from the local device back to the primary reference source.
The display ntp-service trace command takes effect only if routes are available between the local
device and all the devices on the NTP server chain; otherwise, this command will fail to display all the
NTP servers on the NTP chain due to timeout.

Examples

# View the brief information of each NTP server from the local device back to the primary reference
source.
<Sysname> display ntp-service trace
server 127.0.0.1,stratum 2, offset -0.013500, synch distance 0.03154
server 133.1.1.1,stratum 1, offset -0.506500, synch distance 0.03429
refid LOCL

The information above shows an NTP server chain for the server 127.0.0.1: The server 127.0.0.1 is
synchronized to the server 133.1.1.1, and the server 133.1.1.1 is synchronized to the local clock
source.

Table 1-4 display ntp-service trace command output description

Field | Description
server | IP address of the NTP server
stratum | The stratum level of the corresponding system clock
offset | The clock offset relative to the upper-level clock, in seconds
synch distance | The synchronization distance relative to the upper-level clock, in seconds, and calculated from dispersion and roundtrip delay values.
refid | Identifier of the primary reference source. When the stratum level of the primary reference clock is 0, it is displayed as LOCL; otherwise, it is displayed as the IP address of the primary reference clock.

ntp-service access

Syntax

ntp-service access { peer | query | server | synchronization } acl-number


undo ntp-service access { peer | query | server | synchronization }

View

System view

Default Level

2: System level

Parameters

peer: Specifies to permit full access. This level of right permits the peer devices to perform
synchronization and control query to the local device and also permits the local device to synchronize
its clock to that of a peer device. Control query refers to query of NTP status information, such as alarm
information, authentication status, and clock source information.
query: Specifies to permit control query. This level of right permits the peer devices to perform control
query to the NTP service on the local device but does not permit a peer device to synchronize its clock
to that of the local device.
server: Specifies to permit server access and query. This level of right permits the peer devices to
perform synchronization and control query to the local device but does not permit the local device to
synchronize its clock to that of a peer device.
synchronization: Specifies to permit server access only. This level of right permits a peer device to
synchronize its clock to that of the local device but does not permit the peer devices to perform control
query.
acl-number: Basic ACL number, in the range of 2000 to 2999.

Description

Use the ntp-service access command to configure the access-control right for the peer devices to
access the NTP services of the local device.
Use the undo ntp-service access command to remove the configured NTP service access-control
right to the local device.
By default, the access-control right for the peer devices to access the NTP services of the local device is
set to peer.
The NTP service access-control rights, from the highest to the lowest, are peer, server,
synchronization, and query. When a device receives an NTP request, it will match against the
access-control right in this order and will use the first matched right.
Note that:
• The ntp-service access command provides only a minimum degree of security protection. A more
secure method is identity authentication. The related command is ntp-service authentication
enable.
• Before specifying an ACL number in the ntp-service access command, make sure you have
already created and configured this ACL.

Examples

# Configure the peer devices on subnet 10.10.0.0/16 to have the full access right to the local device.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255
[Sysname-acl-basic-2001] quit
[Sysname] ntp-service access peer 2001
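
Because rights are matched from peer down to query and the first match is used, a broad ACL bound to peer overrides any narrower ACL bound to a lower right. The following added example (not part of the H3C manual) models that order so a configuration can be audited for the right a given source address actually receives. ACL 2001 is the one from the example above; ACLs 2002 and 2003, the probe addresses, and the treatment of ACL rules (evaluated in listed order, no matching rule means not permitted) are assumptions of the sketch.

```python
import ipaddress

# Highest to lowest right, as stated in the Description; first match wins.
ORDER = ("peer", "server", "synchronization", "query")

# What each right allows, taken from the parameter descriptions above.
CAPS = {
    "peer": {"peer_syncs_to_local", "control_query", "local_syncs_to_peer"},
    "server": {"peer_syncs_to_local", "control_query"},
    "synchronization": {"peer_syncs_to_local"},
    "query": {"control_query"},
}

# Basic ACLs as (action, source, wildcard). 2001 is from this page;
# 2002 and 2003 are constructed for the audit.
ACLS = {
    2001: [("permit", "10.10.0.0", "0.0.255.255")],
    2002: [("permit", "10.10.5.0", "0.0.0.255")],
    2003: [("permit", "172.16.0.0", "0.0.255.255")],
}

# Right -> ACL number, one binding per "ntp-service access <right> <acl>".
BINDINGS = {"peer": 2001, "query": 2002, "synchronization": 2003}


def acl_permits(rules, src):
    """True if the first rule matching src is a permit (assumed semantics)."""
    addr = int(ipaddress.IPv4Address(src))
    for action, source, wildcard in rules:
        # Wildcard bits set to 1 are ignored when comparing addresses.
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ipaddress.IPv4Address(source)) & care):
            return action == "permit"
    return False


def effective_right(bindings, acls, src):
    """Return the right src receives, or None if no bound ACL permits it."""
    if not bindings:
        return "peer"  # the page states the default right is peer
    for right in ORDER:
        acl = bindings.get(right)
        if acl is not None and acl_permits(acls.get(acl, []), src):
            return right
    return None


def audit(bindings, acls, probes):
    """Map each probe address to (right, sorted capabilities)."""
    report = {}
    for src in probes:
        right = effective_right(bindings, acls, src)
        report[src] = (right, sorted(CAPS.get(right, ())))
    return report


if __name__ == "__main__":
    for src, (right, caps) in audit(
            BINDINGS, ACLS, ["10.10.5.7", "172.16.9.9", "192.0.2.1"]).items():
        print(f"{src:<12} -> {right}: {', '.join(caps) or 'no NTP access'}")
```

In this constructed configuration, 10.10.5.7 was meant to be limited to control query by ACL 2002 but receives peer, because ACL 2001 also permits it and peer is matched first.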

ntp-service authentication enable

Syntax

ntp-service authentication enable


undo ntp-service authentication enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ntp-service authentication enable command to enable NTP authentication.


Use the undo ntp-service authentication enable command to disable NTP authentication.
By default, NTP authentication is disabled.
Related commands: ntp-service authentication-keyid, ntp-service reliable authentication-keyid.

Examples

# Enable NTP authentication.


<Sysname> system-view
[Sysname] ntp-service authentication enable

ntp-service authentication-keyid

Syntax

ntp-service authentication-keyid keyid authentication-mode md5 value


undo ntp-service authentication-keyid keyid

View

System view

Default Level

2: System level

Parameters

keyid: Authentication key ID, in the range of 1 to 4294967295.


authentication-mode md5 value: Specifies to use the MD5 algorithm for key authentication, where
value represents authentication key and is a string of 1 to 32 characters.

Description

Use the ntp-service authentication-keyid command to set the NTP authentication key.
Use the undo ntp-service authentication-keyid command to remove the set NTP authentication key.
By default, no NTP authentication key is set.
In a network where there is a high security demand, the NTP authentication feature should be enabled
for a system running NTP. This feature enhances the network security by means of the client-server key
authentication, which prohibits a client from synchronizing with a device that has failed authentication.
After the NTP authentication key is configured, you need to configure the key as a trusted key by using
the ntp-service reliable authentication-keyid command.

• Presently the system supports only the MD5 algorithm for key authentication.
• You can set a maximum of 1,024 keys for each device.
• If an NTP authentication key is specified as a trusted key, the key automatically changes to
  untrusted after you delete the key. In this case, you do not need to execute the undo ntp-service
  reliable authentication-keyid command.

Related commands: ntp-service reliable authentication-keyid.

Examples

# Set an MD5 authentication key, with the key ID of 10 and key value of BetterKey.
<Sysname> system-view
[Sysname] ntp-service authentication enable
[Sysname] ntp-service authentication-keyid 10 authentication-mode md5 BetterKey

ntp-service broadcast-client

Syntax

ntp-service broadcast-client
undo ntp-service broadcast-client

View

Interface view

Default Level

2: System level

Parameters

None

Description

Use the ntp-service broadcast-client command to configure the device to work in the NTP broadcast
client mode and use the current interface to receive NTP broadcast packets.
Use the undo ntp-service broadcast-client command to remove the configuration.
By default, the device does not work in any NTP operation mode.

Examples

# Configure the device to work in the broadcast client mode and receive NTP broadcast messages on
VLAN-interface 1.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ntp-service broadcast-client

ntp-service broadcast-server

Syntax

ntp-service broadcast-server [ authentication-keyid keyid | version number ] *
undo ntp-service broadcast-server

View

Interface view

Default Level

2: System level

Parameters

authentication-keyid keyid: Specifies the key ID to be used for sending broadcast messages to
broadcast clients, where keyid is in the range of 1 to 4294967295. This parameter is not meaningful if
authentication is not required.
version number: Specifies the NTP version, where number is in the range of 1 to 3 and defaults to 3.

Description

Use the ntp-service broadcast-server command to configure the device to work in the NTP broadcast
server mode and use the current interface to send NTP broadcast packets.
Use the undo ntp-service broadcast-server command to remove the configuration.
By default, the device does not work in any NTP operation mode.

Examples

# Configure the device to work in the broadcast server mode and send NTP broadcast messages on
VLAN-interface 1, using key 4 for authentication, and set the NTP version to 3.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ntp-service broadcast-server authentication-keyid 4 version 3

ntp-service in-interface disable

Syntax

ntp-service in-interface disable
undo ntp-service in-interface disable

View

Interface view

Default Level

2: System level

Parameters

None

Description

Use the ntp-service in-interface disable command to disable an interface from receiving NTP
messages.
Use the undo ntp-service in-interface disable command to restore the default.
By default, all interfaces are enabled to receive NTP messages.

Examples

# Disable VLAN-interface 1 from receiving NTP messages.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ntp-service in-interface disable

ntp-service max-dynamic-sessions

Syntax

ntp-service max-dynamic-sessions number
undo ntp-service max-dynamic-sessions

View

System view

Default Level

2: System level

Parameters

number: Maximum number of dynamic NTP sessions that are allowed to be established, in the range of
0 to 100.

Description

Use the ntp-service max-dynamic-sessions command to set the maximum number of dynamic NTP
sessions that are allowed to be established locally.
Use the undo ntp-service max-dynamic-sessions command to restore the maximum number of
dynamic NTP sessions to the system default.
By default, the number is 100.
A single device can have a maximum of 128 associations at the same time, including static associations
and dynamic associations. A static association is an association that a user has manually created
by using an NTP command, while a dynamic association is a temporary association created by the
system during operation. A dynamic association is removed if the system fails to receive messages
from it for a specific long period of time. Which side creates which kind of association depends on
the operation mode:
• In the client/server mode, for example, when you carry out a command to synchronize the time to a
  server, the system creates a static association, and the server just responds passively upon the
  receipt of a message, rather than creating an association (static or dynamic).
• In the symmetric mode, static associations are created at the symmetric-active peer side, and
  dynamic associations are created at the symmetric-passive peer side.
• In the broadcast or multicast mode, static associations are created at the server side, and
  dynamic associations are created at the client side.

Examples

# Set the maximum number of dynamic NTP sessions allowed to be established to 50.
<Sysname> system-view
[Sysname] ntp-service max-dynamic-sessions 50

ntp-service multicast-client

Syntax

ntp-service multicast-client [ ip-address ]
undo ntp-service multicast-client [ ip-address ]

View

Interface view

Default Level

2: System level

Parameters

ip-address: Multicast IP address, defaulting to 224.0.1.1.

Description

Use the ntp-service multicast-client command to configure the device to work in the NTP multicast
client mode and use the current interface to receive NTP multicast packets.
Use the undo ntp-service multicast-client command to remove the configuration.
By default, the device does not work in any NTP operation mode.

Examples

# Configure the device to work in the multicast client mode and receive NTP multicast messages on
VLAN-interface 1, and set the multicast address to 224.0.1.1.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ntp-service multicast-client 224.0.1.1

ntp-service multicast-server

Syntax

ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ] *
undo ntp-service multicast-server [ ip-address ]

View

Interface view

Default Level

2: System level

Parameters

ip-address: Multicast IP address, defaulting to 224.0.1.1.
authentication-keyid keyid: Specifies the key ID to be used for sending multicast messages to
multicast clients, where keyid is in the range of 1 to 4294967295. This parameter is not meaningful if
authentication is not required.
ttl ttl-number: Specifies the TTL of NTP multicast messages, where ttl-number is in the range of 1 to 255
and defaults to 16.
version number: Specifies the NTP version, where number is in the range of 1 to 3 and defaults to 3.

Description

Use the ntp-service multicast-server command to configure the device to work in the NTP multicast
server mode and use the current interface to send NTP multicast packets.
Use the undo ntp-service multicast-server command to remove the configuration.
By default, the device does not work in any NTP operation mode.

Examples

# Configure the device to work in the multicast server mode and send NTP multicast messages on
VLAN-interface 1 to the multicast address 224.0.1.1, using key 4 for authentication, and set the NTP
version to 3.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ntp-service multicast-server 224.0.1.1 version 3 authentication-keyid 4

ntp-service reliable authentication-keyid

Syntax

ntp-service reliable authentication-keyid keyid
undo ntp-service reliable authentication-keyid keyid

View

System view

Default Level

2: System level

Parameters

keyid: Authentication key number, in the range of 1 to 4294967295.

Description

Use the ntp-service reliable authentication-keyid command to specify that the created
authentication key is a trusted key. When NTP authentication is enabled, a client can be synchronized
only to a server that can provide a trusted authentication key.
Use the undo ntp-service reliable authentication-keyid command to remove the configuration.
No authentication key is configured to be trusted by default.

Examples

# Enable NTP authentication, and set an MD5 authentication key with the key ID of 37 and key
value of BetterKey.
<Sysname> system-view
[Sysname] ntp-service authentication enable
[Sysname] ntp-service authentication-keyid 37 authentication-mode md5 BetterKey

# Specify this key as a trusted key.
[Sysname] ntp-service reliable authentication-keyid 37
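
The following Python sketch is an added example, not H3C code: it shows what enabling authentication, setting key 37 and marking it trusted mean for a received packet. It assumes the de facto NTP symmetric-key layout (48-byte header, then a 32-bit key ID and MD5(key || header)), which this manual does not describe; the packet is constructed and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # fixed NTP header, no extension fields
MAC_LEN = 4 + 16             # 32-bit key ID + 128-bit MD5 digest


def build_header(version=3, mode=3, transmit_ts=0):
    """Build a constructed 48-byte NTP header (LI=0, given version and mode)."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (version << 3) | mode
    struct.pack_into("!Q", header, 40, transmit_ts)   # transmit timestamp field
    return bytes(header)


def sign(header, key_id, key):
    """Append key ID and MD5(key || header), as a sender holding the key would."""
    if not 1 <= key_id <= 0xFFFFFFFF:
        raise ValueError("key ID must be in the range 1 to 4294967295")
    if not 1 <= len(key) <= 32:
        raise ValueError("key must be 1 to 32 characters")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, trusted_keys):
    """Return (accepted, reason) for a received packet.

    trusted_keys maps key ID -> key bytes and models the keys marked with
    'ntp-service reliable authentication-keyid' (an assumption of this sketch).
    """
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "malformed"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "untrusted key ID"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):   # constant-time compare
        return False, "bad digest"
    return True, "ok"


if __name__ == "__main__":
    trusted = {37: b"BetterKey"}                      # key 37 from the example above
    reply = build_header(mode=4, transmit_ts=0x1122334455667788)
    for label, pkt in [
        ("signed with trusted key 37", sign(reply, 37, b"BetterKey")),
        ("signed with key 10 (configured but not trusted)", sign(reply, 10, b"BetterKey")),
        ("signed with wrong key value", sign(reply, 37, b"WrongKey")),
        ("no MAC at all", reply),
    ]:
        print(label, "->", verify(pkt, trusted))
```

The "untrusted key ID" result is the case the Description warns about: a key created with ntp-service authentication-keyid is not accepted until it is also marked as trusted.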

ntp-service source-interface

Syntax

ntp-service source-interface interface-type interface-number
undo ntp-service source-interface

View

System view

Default Level

2: System level

Parameters

interface-type interface-number: Specifies an interface by its interface type and interface number.

Description

Use the ntp-service source-interface command to specify the source interface for NTP messages.
Use the undo ntp-service source-interface command to restore the default.
By default, no source interface is specified for NTP messages, and the system uses the IP address of
the interface determined by the matched route as the source IP address of NTP messages.
If you do not wish the IP address of a certain interface on the local device to become the destination
address of response messages, you can use this command to specify the source interface for NTP
messages, so that the source IP address in NTP messages is the primary IP address of this interface.

Examples

# Specify the source interface of NTP messages as VLAN-interface 1.
<Sysname> system-view
[Sysname] ntp-service source-interface vlan-interface 1

ntp-service unicast-peer

Syntax

ntp-service unicast-peer { ip-address | peer-name } [ authentication-keyid keyid | priority | source-interface interface-type interface-number | version number ] *
undo ntp-service unicast-peer { ip-address | peer-name }

View

System view

Default Level

2: System level

Parameters

ip-address: IP address of the symmetric-passive peer. It must be a unicast address, rather than a
broadcast address, a multicast address or the IP address of the local clock.
peer-name: Host name of the symmetric-passive peer, a string of 1 to 20 characters.
authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the peer,
where keyid is in the range of 1 to 4294967295.
priority: Specifies the peer designated by ip-address or peer-name as the first choice under the same
condition.
source-interface interface-type interface-number: Specifies the source interface for NTP messages. In
an NTP message the local device sends to its peer, the source IP address is the primary IP address of
this interface. interface-type interface-number represents the interface type and number.
version number: Specifies the NTP version, where number is in the range of 1 to 3 and defaults to 3.

Description

Use the ntp-service unicast-peer command to designate a symmetric-passive peer for the device.
Use the undo ntp-service unicast-peer command to remove the symmetric-passive peer designated
for the device.
No symmetric-passive peer is designated for the device by default.

Examples

# Designate the device with the IP address of 10.1.1.1 as the symmetric-passive peer of the device,
configure the device to run NTP version 3, and specify the source interface of NTP messages as
VLAN-interface 1.
<Sysname> system-view
[Sysname] ntp-service unicast-peer 10.1.1.1 version 3 source-interface vlan-interface 1

ntp-service unicast-server

Syntax

ntp-service unicast-server { ip-address | server-name } [ authentication-keyid keyid | priority | source-interface interface-type interface-number | version number ] *
undo ntp-service unicast-server { ip-address | server-name }

View

System view

Default Level

2: System level

Parameters

ip-address: IP address of the NTP server. It must be a unicast address, rather than a broadcast address,
a multicast address or the IP address of the local clock.
server-name: Host name of the NTP server, a string of 1 to 20 characters.
authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the NTP
server, where keyid is in the range of 1 to 4294967295.
priority: Specifies this NTP server as the first choice under the same condition.
source-interface interface-type interface-number: Specifies the source interface for NTP messages. In
an NTP message the local device sends to the NTP server, the source IP address is the primary IP
address of this interface. interface-type interface-number represents the interface type and number.
version number: Specifies the NTP version, where number is in the range of 1 to 3 and defaults to 3.

Description

Use the ntp-service unicast-server command to designate an NTP server for the device.
Use the undo ntp-service unicast-server command to remove an NTP server designated for the
device.
No NTP server is designated for the device by default.

Examples

# Designate NTP server 10.1.1.1 for the device, and configure the device to run NTP version 3.
<Sysname> system-view
[Sysname] ntp-service unicast-server 10.1.1.1 version 3

Table of Contents

1 SNMP Configuration Commands
    SNMP Configuration Commands
        display snmp-agent community
        display snmp-agent group
        display snmp-agent local-engineid
        display snmp-agent mib-view
        display snmp-agent statistics
        display snmp-agent sys-info
        display snmp-agent trap queue
        display snmp-agent trap-list
        display snmp-agent usm-user
        enable snmp trap updown
        snmp-agent
        snmp-agent calculate-password
        snmp-agent community
        snmp-agent group
        snmp-agent local-engineid
        snmp-agent log
        snmp-agent mib-view
        snmp-agent packet max-size
        snmp-agent sys-info
        snmp-agent target-host
        snmp-agent trap enable
        snmp-agent trap if-mib link extended
        snmp-agent trap life
        snmp-agent trap queue-size
        snmp-agent trap source
        snmp-agent usm-user { v1 | v2c }
        snmp-agent usm-user v3

2 MIB Configuration Commands
    MIB Configuration Commands
        display mib-style
        mib-style

1 SNMP Configuration Commands

SNMP Configuration Commands


display snmp-agent community

Syntax

display snmp-agent community [ read | write ]

View

Any view

Default Level

1: Monitor level

Parameters

read: Displays the information of communities with read-only access right.
write: Displays the information of communities with read and write access right.

Description

Use the display snmp-agent community command to display community information for SNMPv1 or
SNMPv2c.

Examples

# Display the information of all the communities that have been configured.
<Sysname> display snmp-agent community
Community name: aa
Group name: aa
Acl:2001
Storage-type: nonVolatile

Community name: bb
Group name: bb
Storage-type: nonVolatile

Community name: userv1
Group name: testv1
Storage-type: nonVolatile

Table 1-1 display snmp-agent community command output description

Field            Description
Community name   Community name.
                 • If a community name is created by using the snmp-agent community command, the
                   community name will be displayed.
                 • If a community name is created by using the snmp-agent usm-user { v1 | v2c }
                   command, the user name will be displayed.
Group name       SNMP group name.
                 • If a community name is created by using the snmp-agent community command, the
                   group name and the community name are the same, which means the community name
                   will be displayed.
                 • If a community name is created by using the snmp-agent usm-user { v1 | v2c }
                   command, the name of the group to which the user belongs will be displayed.
Acl              The number of the ACL in use.
                 After an ACL is configured, only the Network Management Station (NMS) with the IP
                 address that matches the ACL rule can access the device.
Storage-type     Storage type, which could be:
                 • volatile: Information will be lost if the system is rebooted
                 • nonVolatile: Information will not be lost if the system is rebooted
                 • permanent: Information will not be lost if the system is rebooted. Modification
                   is permitted, but deletion is forbidden
                 • readOnly: Information will not be lost if the system is rebooted. Read only,
                   that is, no modification, no deletion
                 • other: Other storage types

display snmp-agent group

Syntax

display snmp-agent group [ group-name ]

View

Any view

Default Level

1: Monitor level

Parameters

group-name: Specifies the SNMP group name, a string of 1 to 32 characters, case sensitive.

Description

Use the display snmp-agent group command to display information for the SNMPv3 agent group,
including group name, security model, MIB view, storage type, and so on. Absence of the group-name
parameter indicates that information for all groups will be displayed.

Examples

# Display the information of all SNMP agent groups.
<Sysname> display snmp-agent group
Group name: groupv3
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview: <no specified>
Storage-type: nonVolatile

Table 1-2 display snmp-agent group command output description

Field            Description
Group name       SNMP group name
Security model   Security model of the SNMP group, which can be: authPriv (authentication with
                 privacy), authNoPriv (authentication without privacy), or noAuthNoPriv (no
                 authentication no privacy).
Readview         The read only MIB view associated with the SNMP group
Writeview        The writable MIB view associated with the SNMP group
Notifyview       The notify MIB view associated with the SNMP group, the view with entries that
                 can generate traps
Storage-type     Storage type, which includes: volatile, nonVolatile, permanent, readOnly, and
                 other. For detailed information, refer to Table 1-1.
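
An added example (not part of the H3C manual): a Python audit of captured display snmp-agent community and display snmp-agent group output that flags communities with no Acl line and groups whose security model lacks authentication or privacy. The sample text is the output shown in the two Examples sections above; the function names and the write-view rule are assumptions of this example.

```python
COMMUNITY_SAMPLE = """\
<Sysname> display snmp-agent community
Community name: aa
Group name: aa
Acl:2001
Storage-type: nonVolatile

Community name: bb
Group name: bb
Storage-type: nonVolatile

Community name: userv1
Group name: testv1
Storage-type: nonVolatile
"""

GROUP_SAMPLE = """\
<Sysname> display snmp-agent group
Group name: groupv3
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview: <no specified>
Storage-type: nonVolatile
"""

NO_ACL = "no ACL: access is not restricted to matching NMS addresses"
NO_AUTH = "no authentication, no privacy"
NO_PRIV = "authentication without privacy"
WEAK_WRITE = "write view granted without authPriv"


def parse_records(output, first_field):
    """Parse 'Field: value' lines into one dict per entry.

    A new entry starts each time first_field reappears, so blank lines lost
    or added when the output was captured do not change the result.
    """
    records = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):      # blank line or CLI prompt echo
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name == first_field or not records:
            records.append({})
        records[-1][name] = value.strip()
    return records


def audit_communities(output):
    """Flag SNMPv1/v2c communities that have no Acl field in the output."""
    return [(rec.get("community name"), NO_ACL)
            for rec in parse_records(output, "community name")
            if not rec.get("acl")]


def audit_groups(output):
    """Flag groups by the last word of 'Security model' (case varies in output)."""
    findings = []
    for rec in parse_records(output, "group name"):
        name = rec.get("group name")
        words = rec.get("security model", "").split()
        level = words[-1].lower() if words else ""
        if level == "noauthnopriv":
            findings.append((name, NO_AUTH))
        elif level == "authnopriv":
            findings.append((name, NO_PRIV))
        # Policy choice of this example: writable views should require authPriv.
        if rec.get("writeview", "<no specified>") != "<no specified>" and level != "authpriv":
            findings.append((name, WEAK_WRITE))
    return findings


if __name__ == "__main__":
    for finding in audit_communities(COMMUNITY_SAMPLE) + audit_groups(GROUP_SAMPLE):
        print("%s: %s" % finding)
```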

display snmp-agent local-engineid

Syntax

display snmp-agent local-engineid

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display snmp-agent local-engineid command to display the local SNMP agent engine ID.
An SNMP engine ID uniquely identifies an SNMP entity within an SNMP domain. The SNMP engine is an
indispensable part of an SNMP entity. It provides SNMP message allocation, message handling,
authentication, and access control.

Examples

# Display the local SNMP agent engine ID.
<Sysname> display snmp-agent local-engineid
SNMP local EngineID: 800007DB7F0000013859

display snmp-agent mib-view

Syntax

display snmp-agent mib-view [ exclude | include | viewname view-name ]

View

Any view

Default Level

1: Monitor level

Parameters

exclude: Displays MIB view information of the excluded type.
include: Displays MIB view information of the included type.
viewname view-name: Displays MIB view information with a specified MIB view name, where
view-name is the name of the specified MIB view.

Description

Use the display snmp-agent mib-view command to display MIB view information. Absence of
parameters indicates that information for all MIB views will be displayed.

Examples

# Display all SNMP MIB views of the device.
<Sysname> display snmp-agent mib-view
View name:ViewDefault
MIB Subtree:iso
Subtree mask:
Storage-type: nonVolatile
View Type:included
View status:active

View name:ViewDefault
MIB Subtree:snmpUsmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active

View name:ViewDefault
MIB Subtree:snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active

View name:ViewDefault
MIB Subtree:snmpModules.18
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active

ViewDefault is the default view of the device. When you access the device through the ViewDefault view,
you can access all the MIB objects of the iso subtree except for the MIB objects under the
snmpUsmMIB, snmpVacmMIB, and snmpModules.18 subtrees.

Table 1-3 display snmp-agent mib-view command output description

Field          Description
View name      MIB view name
MIB Subtree    MIB subtree corresponding to the MIB view
Subtree mask   MIB subtree mask
Storage-type   Storage type
View Type      View type (that is, the relationship between this view and the MIB subtree), which
               can be included or excluded:
               • Included indicates that all nodes of the MIB tree are included in the current
                 view, namely, you are allowed to access all the MIB objects of the subtree
               • Excluded indicates that none of the nodes of the MIB tree are included in the
                 current view, namely, you are allowed to access none of the MIB objects of the
                 subtree
View status    The status of the MIB view

display snmp-agent statistics

Syntax

display snmp-agent statistics

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display snmp-agent statistics command to display SNMP statistics.

Examples

# Display the current SNMP statistics.
<Sysname> display snmp-agent statistics
1684 Messages delivered to the SNMP entity
5 Messages which were for an unsupported version
0 Messages which used a SNMP community name not known
0 Messages which represented an illegal operation for the community supplied
0 ASN.1 or BER errors in the process of decoding
1679 Messages passed from the SNMP entity
0 SNMP PDUs which had badValue error-status
0 SNMP PDUs which had genErr error-status
0 SNMP PDUs which had noSuchName error-status
0 SNMP PDUs which had tooBig error-status (Maximum packet size 1500)
16544 MIB objects retrieved successfully
2 MIB objects altered successfully
7 GetRequest-PDU accepted and processed
7 GetNextRequest-PDU accepted and processed
1653 GetBulkRequest-PDU accepted and processed
1669 GetResponse-PDU accepted and processed
2 SetRequest-PDU accepted and processed
0 Trap PDUs accepted and processed
0 Alternate Response Class PDUs dropped silently
0 Forwarded Confirmed Class PDUs dropped silently

Table 1-4 display snmp-agent statistics command output description

Field                                                                       Description
Messages delivered to the SNMP entity                                       Number of packets delivered to the SNMP agent
Messages which were for an unsupported version                              Number of packets from a device with an SNMP version that is not supported by the current SNMP agent
Messages which used a SNMP community name not known                         Number of packets that use an unknown community name
Messages which represented an illegal operation for the community supplied  Number of packets carrying an operation that the community has no right to perform
ASN.1 or BER errors in the process of decoding                              Number of packets with ASN.1 or BER errors in the process of decoding
Messages passed from the SNMP entity                                        Number of packets sent by the SNMP agent
SNMP PDUs which had badValue error-status                                   Number of SNMP PDUs with a badValue error
SNMP PDUs which had genErr error-status                                     Number of SNMP PDUs with a genErr error
SNMP PDUs which had noSuchName error-status                                 Number of PDUs with a noSuchName error
SNMP PDUs which had tooBig error-status (Maximum packet size 1500)          Number of PDUs with a tooBig error (the maximum packet size is 1,500 bytes)
MIB objects retrieved successfully                                          Number of MIB objects that have been successfully retrieved
MIB objects altered successfully                                            Number of MIB objects that have been successfully modified
GetRequest-PDU accepted and processed                                       Number of get requests that have been received and processed
GetNextRequest-PDU accepted and processed                                   Number of getNext requests that have been received and processed
GetBulkRequest-PDU accepted and processed                                   Number of getBulk requests that have been received and processed
GetResponse-PDU accepted and processed                                      Number of get responses that have been received and processed
SetRequest-PDU accepted and processed                                       Number of set requests that have been received and processed
Trap PDUs accepted and processed                                            Number of traps that have been received and processed
Alternate Response Class PDUs dropped silently                              Number of dropped response packets
Forwarded Confirmed Class PDUs dropped silently                             Number of forwarded packets that have been dropped

display snmp-agent sys-info

Syntax

display snmp-agent sys-info [ contact | location | version ] *

View

Any view

Default Level

1: Monitor level

Parameters

contact: Displays the contact information of the current network administrator.
location: Displays the location information of the current device.
version: Displays the version of the current SNMP agent.

Description

Use the display snmp-agent sys-info command to display the current SNMP system information.
If no keyword is specified, all SNMP agent system information will be displayed.

Examples

# Display the current SNMP agent system information.
<Sysname> display snmp-agent sys-info
The contact person for this managed node:
Hangzhou H3C Technologies Co., Ltd.

The physical location of this node:
Hangzhou, China

SNMP version running in the system:
SNMPv3

display snmp-agent trap queue

Syntax

display snmp-agent trap queue

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display snmp-agent trap queue command to display basic information of the trap queue,
including trap queue name, queue length and the number of traps in the queue currently.
Related commands: snmp-agent trap life, snmp-agent trap queue-size.

Examples

# Display the current configuration and usage of the trap queue.
<Sysname> display snmp-agent trap queue
Queue name: SNTP
Queue size: 100
Message number: 6

Table 1-5 display snmp-agent trap queue command output description

Field Description
Queue name Trap queue name
Queue size Trap queue size
Message number Number of traps in the current trap queue

display snmp-agent trap-list

Syntax

display snmp-agent trap-list

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display snmp-agent trap-list command to display the modules that can generate traps and
whether their trap function is enabled or not. If a module comprises multiple sub-modules, then as long
as one sub-module has the trap function enabled, the whole module will be displayed as being enabled
with the trap function.
Related commands: snmp-agent trap enable.

Examples

# Display the modules that can generate traps and whether their trap function is enabled or not.
<Sysname> display snmp-agent trap-list
configuration trap enable
flash trap enable
standard trap enable
system trap enable
Enable traps: 4; Disable traps: 0

In the above output, enable indicates that the module is allowed to generate traps whereas disable
indicates the module is not allowed to generate traps. You can configure the trap function (enable or
disable) of each module through command lines.

display snmp-agent usm-user

Syntax

display snmp-agent usm-user [ engineid engineid | username user-name | group group-name ] *

View

Any view

Default Level

1: Monitor level

Parameters

engineid engineid: Displays SNMPv3 user information for a specified engine ID, where engineid
indicates the SNMP engine ID. When an SNMPv3 user is created, the system records the current local
SNMP entity engine ID of the device. If the engine ID is modified, the user becomes invalid and will
become valid again if the engine ID is restored.
username user-name: Displays SNMPv3 user information for a specified user name. It is case
sensitive.
group group-name: Displays SNMPv3 user information for a specified SNMP group name. It is case
sensitive.

Description

Use the display snmp-agent usm-user command to display SNMPv3 user information.

Examples

# Display SNMPv3 information of all created users.
<Sysname> display snmp-agent usm-user
User name: userv3
Group name: mygroupv3
Engine ID: 800063A203000FE240A1A6
Storage-type: nonVolatile
UserStatus: active

User name: userv3code
Group name: groupv3code
Engine ID: 800063A203000FE240A1A6
Storage-type: nonVolatile
UserStatus: active

Table 1-6 display snmp-agent usm-user command output description

Field          Description
User name      SNMP user name
Group name     SNMP group name
Engine ID      Engine ID for an SNMP entity
Storage-type   Storage type, which can be one of the following: volatile, nonvolatile, permanent,
               readOnly, other. See Table 1-1 for details.
UserStatus     SNMP user status

enable snmp trap updown

Syntax

enable snmp trap updown


undo enable snmp trap updown

View

Interface view

Default Level

2: System level

Parameters

None

Description

Use the enable snmp trap updown command to enable the trap function for interface state changes.
Use the undo enable snmp trap updown command to disable the trap function for interface state
changes.
By default, the trap function for interface state changes is enabled.
Note that:
To enable an interface to generate linkUp/linkDown traps when its state changes, you need to enable
the linkUp/linkDown trap function on the interface and globally. Use the enable snmp trap updown
command to enable this function on an interface, and use the snmp-agent trap enable [ standard
[ linkdown | linkup ] * ] command to enable this function globally.
Related commands: snmp-agent target-host, snmp-agent trap enable.

Examples

# Enable the sending of linkUp/linkDown SNMP traps on port GigabitEthernet 1/0/1 and use the
community name public.
<Sysname> system-view
[Sysname] snmp-agent trap enable
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] enable snmp trap updown

snmp-agent

Syntax

snmp-agent
undo snmp-agent

View

System view

Default Level

3: Manage level

Parameters

None

Description

Use the snmp-agent command to enable SNMP agent.


Use the undo snmp-agent command to disable SNMP agent.

By default, SNMP agent is disabled.
You can enable SNMP agent through any commands that begin with snmp-agent.

Examples

# Enable SNMP agent on the device.


<Sysname> system-view
[Sysname] snmp-agent

snmp-agent calculate-password

Syntax

snmp-agent calculate-password plain-password mode { 3desmd5 | 3dessha | md5 | sha }
{ local-engineid | specified-engineid engineid }

View

System view

Default Level

3: Manage level

Parameters

plain-password: Plain text password to be encrypted.


mode: Specifies the encryption algorithm and authentication algorithm. The three encryption algorithms
Advanced Encryption Standard (AES), triple data encryption standard (3DES), and Data Encryption
Standard (DES) are in descending order in terms of security. Higher security means more complex
implementation mechanism and lower speed. DES is enough to meet general requirements.
Message-Digest Algorithm 5 (MD5) and Secure Hash Algorithm (SHA-1) are the two authentication
algorithms. MD5 is faster than SHA-1, while SHA-1 provides higher security than MD5.
• 3desmd5: Converts a plain text encryption password to a cipher text encryption password. In this
case, the authentication protocol must be MD5, and the encryption algorithm must be 3DES.
• 3dessha: Converts a plain text encryption password to a cipher text encryption password. In this
case, the authentication protocol must be SHA-1, and the encryption algorithm must be 3DES.
• md5: Converts a plain text authentication password to a cipher text authentication password. In
this case, the authentication protocol must be MD5. Alternatively, this algorithm can convert a plain
text encryption password to a cipher text encryption password. In this case, the authentication
protocol must be MD5, and the encryption algorithm can be either AES or DES (when the
authentication protocol is MD5, AES and DES produce the same cipher text password).
• sha: Converts a plain text authentication password to a cipher text authentication password. In
this case, the authentication protocol must be SHA-1. Alternatively, this algorithm can convert a plain
text encryption password to a cipher text encryption password. In this case, the authentication
protocol must be SHA-1, and the encryption algorithm can be either AES or DES (when the
authentication protocol is SHA-1, AES and DES produce the same cipher text password).
local-engineid: Uses local engine ID to calculate cipher text password. For engine ID-related
configuration, refer to the snmp-agent local-engineid command.

specified-engineid: Uses user-defined engine ID to calculate cipher text password.
engineid: The engine ID string, an even number of hexadecimal characters, in the range 10 to 64. Its
length must not be an odd number, and the all-zero and all-F strings are invalid.

Description

Use the snmp-agent calculate-password command to convert the user-defined plain text password to
a cipher text password.
Note that:
• The cipher text password converted with the sha keyword specified in this command is a string of
40 hexadecimal characters. For an authentication password, all of the 40 hexadecimal characters
are valid; while for a privacy password, only the first 32 hexadecimal characters are valid.
• Enable SNMP on the device before executing the command.
When creating an SNMPv3 user, if you specify to use the cipher text authentication/encryption
password, you can use this command to generate a cipher text password.
The converted password is associated with the engine ID, namely, the password is valid only under the
specified engine ID based on which the password was configured.
Related commands: snmp-agent usm-user v3.

Examples

# Use local engine ID and MD5 authentication protocol to convert the plain text password authkey.
<Sysname> system-view
[Sysname] snmp-agent calculate-password authkey mode md5 local-engineid
The secret key is: 09659EC5A9AE91BA189E5845E1DDE0CC
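
The binding between a cipher text password and an engine ID described above can be reproduced offline with the password-to-key algorithm of RFC 3414, Appendix A.2. This is an added example, not H3C's code: it assumes the md5 and sha modes follow that RFC, does not cover 3desmd5/3dessha, and uses a constructed password with the two engine IDs that appear in this chapter's examples.

```python
import hashlib
import string

# Hash behind each mode keyword (assumption: RFC 3414 semantics for md5/sha).
_HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}


def parse_engine_id(engine_id_hex: str) -> bytes:
    """Validate an engine ID with the rules this page gives for engineid."""
    s = engine_id_hex.strip()
    if not s or any(c not in string.hexdigits for c in s):
        raise ValueError("engine ID must be hexadecimal characters only")
    if len(s) % 2 or not 10 <= len(s) <= 64:
        raise ValueError("engine ID must be an even number of 10 to 64 hex characters")
    if set(s.upper()) in ({"0"}, {"F"}):
        raise ValueError("all-zero and all-F engine IDs are invalid")
    return bytes.fromhex(s)


def password_to_key(password: str, mode: str) -> bytes:
    """RFC 3414 A.2, step 1: hash 1,048,576 bytes of the repeated password."""
    pw = password.encode("ascii")
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(pw))
    return _HASHES[mode](pw * reps + pw[:rem]).digest()


def localize_key(user_key: bytes, engine_id: bytes, mode: str) -> bytes:
    """RFC 3414 A.2, step 2: bind the user key to one engine ID."""
    return _HASHES[mode](user_key + engine_id + user_key).digest()


def calculate_password(password: str, mode: str, engine_id_hex: str) -> str:
    """Return the localized key as upper-case hex (32 chars for md5, 40 for sha)."""
    engine_id = parse_engine_id(engine_id_hex)
    key = localize_key(password_to_key(password, mode), engine_id, mode)
    return key.hex().upper()


def privacy_key(cipher_hex: str) -> str:
    """Per this page, only the first 32 hex characters count for a privacy password."""
    return cipher_hex[:32]


if __name__ == "__main__":
    password = "Constructed-Passw0rd"  # constructed sample value
    # Engine IDs taken from the examples in this chapter.
    for eid in ("800063A203000FE240A1A6", "123456789A"):
        for mode in ("md5", "sha"):
            print(eid, mode, calculate_password(password, mode, eid))
```

The same password yields a different key under each engine ID, which is why users configured with cipher text passwords stop working when the local engine ID changes.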

snmp-agent community

Syntax

snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ] *


undo snmp-agent community { read | write } community-name

View

System view

Default Level

3: Manage level

Parameters

read: Indicates that the community has read only access right to the MIB objects; that is, the NMS can
perform read-only operations when it uses this community name to access the agent.
write: Indicates that the community has read and write access right to the MIB objects; that is, the NMS
can perform read and write operations when it uses this community name to access the agent.
community-name: Community name, a string of 1 to 32 characters.
acl acl-number: Associates a basic ACL with the community name. acl-number is in the range 2,000 to
2,999. By using an ACL, you can configure to allow or prohibit the access to the agent from the NMS
with the specified source IP address.
mib-view view-name: Specifies the MIB objects that the NMS can access. view-name represents the
MIB view name, a string of 1 to 32 characters. If no keyword is specified, the default view is ViewDefault
(the view created by the system after SNMP agent is enabled).

Description

Use the snmp-agent community command to create a new SNMP community. Parameters to be
configured include access right, community name, ACL, and accessible MIB views.
Use the undo snmp-agent community command to delete a specified community.
This command can be applied in SNMPv1 and v2c networking environments.
A community is composed of NMSs and SNMP agents, and is identified by the community name, which
functions as a password. In a community, when devices communicate with each other, they use
community name for authentication. The NMS and the SNMP agent can access each other only when
they are configured with the same community name. Typically, public is used as the read-only
community name, and private is used as the read and write community name. For security purposes,
you are recommended to configure a community name other than public and private.
• The keyword acl specifies that only the NMS with a qualified IP address can access the agent.
• The argument community-name specifies the community name used by the NMS when it accesses
the agent.
• The keyword mib-view specifies the MIB objects which the NMS can access.
• The keywords read and write specify the access type.
Related commands: snmp-agent mib-view.

Examples

# Create a community with the name of readaccess, allowing read-only access right using this
community name.
<Sysname> system-view
[Sysname] snmp-agent sys-info version v1 v2c
[Sysname] snmp-agent community read readaccess

• Set the SNMP version on the NMS to SNMPv1 or SNMPv2c
• Fill in the read-only community name readaccess
• Establish a connection, and the NMS can perform read-only operations to the MIB objects in the
ViewDefault view on the device
# Create a community with the name of writeaccess, allowing only the NMS with the IP address of
1.1.1.1 to configure the values of the agent MIB objects by using this community name; other NMSs are
not allowed to perform the write operations by using this community name.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 1.1.1.1 0.0.0.0
[Sysname-acl-basic-2001] rule deny source any
[Sysname-acl-basic-2001] quit
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent community write writeaccess acl 2001

• Set the IP address of the NMS to 1.1.1.1
• Set the SNMP version on the NMS to SNMPv2c
• Fill in the write community name writeaccess; namely, the NMS can perform read-only operations
to the MIB objects in the ViewDefault view on the device
# Create a community with the name of wr-sys-acc. The NMS can perform the read and write
operations to the MIB objects of the system subtree (with the OID of 1.3.6.1.2.1.1).
<Sysname> system-view
[Sysname] snmp-agent sys-info version v1 v2c
[Sysname] snmp-agent mib-view included test system
[Sysname] snmp-agent community write wr-sys-acc mib-view test

• Set the SNMP version on the NMS to SNMPv1 or SNMPv2c
• Fill in the write community name wr-sys-acc
• Establish a connection, and the NMS can perform read and write operations to the MIB objects in
system view on the device
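
The recommendations above (avoid public and private, bind communities to an ACL) can be checked mechanically against a saved configuration. The following is an added example, not part of the H3C manual: the finding codes are hypothetical names, the sample configuration is constructed, and the parser only understands the snmp-agent community, group v3 and target-host syntax documented in this chapter.

```python
DEFAULT_NAMES = {"public", "private"}  # names the page advises against


def _options(tokens, valued):
    """Split an option tail into {keyword: value} pairs and bare keywords."""
    pairs, flags, i = {}, [], 0
    while i < len(tokens):
        if tokens[i] in valued and i + 1 < len(tokens):
            pairs[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            flags.append(tokens[i])
            i += 1
    return pairs, flags


def audit_snmp_config(config_text):
    """Return a list of (line number, finding code, detail) tuples."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "snmp-agent":
            continue  # blank lines, other features, undo commands
        kind = tok[1]
        if kind == "community" and tok[2] in ("read", "write") and len(tok) >= 4:
            access, name = tok[2], tok[3]
            pairs, _ = _options(tok[4:], {"acl", "mib-view"})
            if name.lower() in DEFAULT_NAMES:
                findings.append((lineno, "default-name", f"{access} community '{name}'"))
            if "acl" not in pairs:
                findings.append((lineno, "no-acl",
                                 f"{access} community '{name}' accepts any source address"))
        elif kind == "group" and tok[2] == "v3" and len(tok) >= 4:
            # Without a keyword the group is no-authentication-no-privacy.
            level = tok[4] if len(tok) > 4 else ""
            if level not in ("authentication", "privacy"):
                findings.append((lineno, "v3-noauth",
                                 f"group '{tok[3]}' has no authentication and no privacy"))
        elif kind == "target-host" and "securityname" in tok:
            idx = tok.index("securityname")
            if idx + 1 >= len(tok):
                continue
            name, tail = tok[idx + 1], tok[idx + 2:]
            # If no version keyword is given, v1 is used.
            version = next((t for t in tail if t in ("v1", "v2c", "v3")), "v1")
            if version == "v3":
                if not {"authentication", "privacy"} & set(tail):
                    findings.append((lineno, "trap-v3-noauth",
                                     f"traps for '{name}' sent without authentication"))
            elif name.lower() in DEFAULT_NAMES:
                findings.append((lineno, "trap-default-name",
                                 f"{version} traps use community '{name}'"))
    return findings


# Constructed sample, written in the command syntax this chapter documents.
SAMPLE_CONFIG = "\n".join([
    "snmp-agent sys-info version v1 v2c",
    "snmp-agent community read public",
    "snmp-agent community write writeaccess acl 2001",
    "snmp-agent community write wr-sys-acc mib-view test",
    "snmp-agent group v3 group1",
    "snmp-agent group v3 ops privacy read-view ViewDefault acl 2001",
    "snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public",
])

if __name__ == "__main__":
    for lineno, code, detail in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {code}: {detail}")
```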

snmp-agent group

Syntax

The following syntax applies to SNMPv1 and SNMP v2c:


snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ]
[ notify-view notify-view ] [ acl acl-number ]
undo snmp-agent group { v1 | v2c } group-name
The following syntax applies to SNMPv3:
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view
write-view ] [ notify-view notify-view ] [ acl acl-number ]
undo snmp-agent group v3 group-name [ authentication | privacy ]

View

System view

Default Level

3: Manage level

Parameters

v1: SNMPv1.
v2c: SNMPv2c.
v3: SNMPv3.
group-name: Group name, a string of 1 to 32 characters.
authentication: Specifies the security model of the SNMP group to be authentication only (without
privacy).
privacy: Specifies the security model of the SNMP group to be authentication and privacy.
read-view read-view: Read view, a string of 1 to 32 characters. The default read view is ViewDefault.
write-view write-view: Write view, a string of 1 to 32 characters. By default, no write view is configured,
namely, the NMS cannot perform the write operations to all MIB objects on the device.
notify-view notify-view: Notify view, for sending traps, a string of 1 to 32 characters. By default, no
notify view is configured, namely, the agent does not send traps to the NMS.
acl acl-number: Associates a basic ACL with the group. acl-number is in the range 2000 to 2999. By
using a basic ACL, you can restrict the source IP address of SNMP packets, that is, you can configure to
allow or prohibit SNMP packets with a specific source IP address, so as to restrict the
intercommunication between the NMS and the agent.

Description

Use the snmp-agent group command to configure a new SNMP group and specify its access right.
Use the undo snmp-agent group command to delete a specified SNMP group.
By default, SNMP groups configured by the snmp-agent group v3 command use a
no-authentication-no-privacy security model.
An SNMP group defines security model, access right, and so on. A user in this SNMP group has all
these public properties.
Related commands: snmp-agent mib-view, snmp-agent usm-user.

Examples

# Create an SNMP group group1 on an SNMPv3 enabled device, no authentication, no privacy.


<Sysname> system-view
[Sysname] snmp-agent group v3 group1

snmp-agent local-engineid

Syntax

snmp-agent local-engineid engineid


undo snmp-agent local-engineid

View

System view

Default Level

3: Manage level

Parameters

engineid: Engine ID, an even number of hexadecimal characters, in the range 10 to 64. Its length must
not be an odd number, and the all-zero and all-F strings are invalid.

Description

Use the snmp-agent local-engineid command to configure a local engine ID for an SNMP entity.
Use the undo snmp-agent local-engineid command to restore the default local engine ID.
By default, the engine ID of a device is the combination of company ID and device ID. Device ID varies
by product; it could be an IP address, a MAC address, or a self-defined string of hexadecimal numbers.
An engine ID has two functions:
• For all devices managed by one NMS, each device needs a unique engine ID to identify the SNMP
agent. By default, each device has an engine ID. The network administrator has to ensure that
there is no repeated engine ID within an SNMP domain.
• In SNMPv3, the user name and cipher text password are associated with the engine ID. Therefore,
if the engine ID changes, the user name and cipher text password configured under the engine ID
become invalid.
Typically, the device uses its default engine ID. For ease of remembrance, you can set engine IDs for
the devices according to the network planning. For example, if both device 1 and device 2 are on the
first floor of building A, you can set the engine ID of device 1 to 000Af0010001, and that of device 2 to
000Af0010002.
Related commands: snmp-agent usm-user.

Examples

# Configure the local engine ID as 123456789A.


<Sysname> system-view
[Sysname] snmp-agent local-engineid 123456789A

snmp-agent log

Syntax

snmp-agent log { all | get-operation | set-operation }


undo snmp-agent log { all | get-operation | set-operation }

View

System view

Default Level

3: Manage level

Parameters

all: Enables logging of SNMP GET and SET operations.


get-operation: Enables logging of SNMP GET operation.
set-operation: Enables logging of SNMP SET operation.

Description

Use the snmp-agent log command to enable SNMP logging.


Use the undo snmp-agent log command to restore the default.
By default, SNMP logging is disabled.
If specified SNMP logging is enabled, when the NMS performs a specified operation to the SNMP agent,
the latter records the operation-related information and saves it to the information center. With
parameters for the information center set, output rules of the SNMP logs are decided (that is, whether
logs are permitted to output and the output destinations).

Examples

# Enable logging of SNMP GET operation.


<Sysname> system-view
[Sysname] snmp-agent log get-operation

# Enable logging of SNMP SET operation.


<Sysname> system-view
[Sysname] snmp-agent log set-operation

snmp-agent mib-view

Syntax

snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]


undo snmp-agent mib-view view-name

View

System view

Default Level

3: Manage level

Parameters

excluded: Indicates that no nodes of the MIB tree are included in current view, which means the access
to all nodes of this MIB subtree is forbidden.
included: Indicates that all nodes of the MIB tree are included in current view, which means the access
to all nodes of this MIB subtree is permitted.
view-name: View name, a string of 1 to 32 characters.
oid-tree: MIB subtree, identified by the OID of the subtree root node, such as 1.4.5.3.1, or the name of
the subtree root node, such as “system”. OID is made up of a series of integers, which marks the
position of the node in the MIB tree and uniquely identifies a MIB object.
mask mask-value: Mask for a MIB subtree, in the range 1 to 32 hexadecimal digits. The number of
digits must be even.

Description

Use the snmp-agent mib-view command to create or update MIB view information so that MIB objects
can be specified.
Use the undo snmp-agent mib-view command to delete the current configuration.
By default, MIB view name is ViewDefault.
MIB view is a subset of MIB, and it may include all nodes of a MIB subtree (that is, the access to all
nodes of this MIB subtree is permitted), or may exclude all nodes of a MIB subtree (that is, the access to
all nodes of this MIB subtree is forbidden).
You can use the display snmp-agent mib-view command to view the access right of the default view.
Also, you can use the undo snmp-agent mib-view command to remove the default view, after that,
however, you may not be able to read or write all MIB nodes on the agent.
Related commands: snmp-agent group.

Examples

# Create a MIB view mibtest, which includes all objects of the subtree mib-2, and excludes all objects
of the subtree ip.
<Sysname> system-view
[Sysname] snmp-agent mib-view included mibtest 1.3.6.1
[Sysname] snmp-agent mib-view excluded mibtest ip
[Sysname] snmp-agent community read public mib-view mibtest

If the SNMP version on the NMS is set to SNMPv1, when the NMS uses the community name public to
access the device, it cannot access all objects of the ip subtree (such as the ipForwarding node, the
ipDefaultTTL node, and so on), but it can access all objects of the mib-2 subtree.
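
How overlapping included and excluded subtrees and the optional mask decide access can be shown with the view-matching rule of RFC 3415 (the most specific matching subtree wins). This is an added example, not the switch's implementation: it assumes the device follows RFC 3415, and the name-to-OID table covers only the three subtree names used in this chapter.

```python
# Subtree names used on this page, with their standard OIDs.
NAMES = {"mib-2": "1.3.6.1.2.1", "system": "1.3.6.1.2.1.1", "ip": "1.3.6.1.2.1.4"}


def parse_oid(text):
    """Turn '1.3.6.1' or a known subtree name into a tuple of integers."""
    return tuple(int(part) for part in NAMES.get(text, text).strip(".").split("."))


def mask_bits(mask_hex, length):
    """One boolean per sub-identifier: True = must match, False = wildcard.

    Bits are read left to right; sub-identifiers beyond the mask count as 1.
    """
    bits = []
    if mask_hex:
        for byte in bytes.fromhex(mask_hex):
            bits.extend(bool(byte >> (7 - i) & 1) for i in range(8))
    bits += [True] * (length - len(bits))
    return bits[:length]


class MibView:
    """A named view built from 'included' / 'excluded' subtree families."""

    def __init__(self, name):
        self.name = name
        self.families = []

    def add(self, action, oid_tree, mask=None):
        if action not in ("included", "excluded"):
            raise ValueError("action must be 'included' or 'excluded'")
        subtree = parse_oid(oid_tree)
        self.families.append((subtree, mask_bits(mask, len(subtree)), action == "included"))

    def allows(self, oid):
        """True if the most specific matching family is 'included'."""
        target = parse_oid(oid)
        best_key, best_included = None, False
        for subtree, bits, included in self.families:
            if len(target) < len(subtree):
                continue
            if all(not must or t == s for t, s, must in zip(target, subtree, bits)):
                key = (len(subtree), subtree)  # longest subtree, then greatest OID
                if best_key is None or key > best_key:
                    best_key, best_included = key, included
        return best_included  # no matching family means no access


def mibtest_view():
    """The view from the example above: include 1.3.6.1, exclude ip."""
    view = MibView("mibtest")
    view.add("included", "1.3.6.1")
    view.add("excluded", "ip")
    return view


def single_interface_view():
    """Constructed example of a mask: every ifEntry column, but only for ifIndex 5."""
    view = MibView("if5only")
    view.add("included", "1.3.6.1.2.1.2.2.1.0.5", mask="FFA0")
    return view


if __name__ == "__main__":
    view = mibtest_view()
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.4.1.0", "1.3.6.1.2.1.4.2.0"):
        print(oid, "allowed" if view.allows(oid) else "denied")
```

In the mask FFA0 the tenth bit is 0, so the column number is a wildcard while the final sub-identifier (the interface index) must still match.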

snmp-agent packet max-size

Syntax

snmp-agent packet max-size byte-count


undo snmp-agent packet max-size

View

System view

Default Level

3: Manage level

Parameters

byte-count: Maximum size of the SNMP packets that can be received or sent by the agent, in the range
484 to 17,940.

Description

Use the snmp-agent packet max-size command to configure the maximum size of the SNMP packets
that can be received or sent by the agent.
Use the undo snmp-agent packet max-size command to restore the default packet size.
By default, the maximum size of the SNMP packets that can be received or sent by the agent is 1,500
bytes.
If devices not supporting fragmentation exist on the routing path between the NMS and the agent, you
can use the command to configure the maximum SNMP packet size, and thus to prevent giant packets
from being discarded.
Typically, you are recommended to apply the default value.

Examples

# Configure the maximum size of the SNMP packets that can be received or sent by the SNMP agent as
1,042 bytes.
<Sysname> system-view
[Sysname] snmp-agent packet max-size 1042

snmp-agent sys-info

Syntax

snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } }


undo snmp-agent sys-info { contact | location | version { all | { v1 | v2c | v3 }* } }

View

System view

Default Level

3: Manage level

Parameters

contact sys-contact: A string of 1 to 200 characters that describes the contact information for system
maintenance.
location sys-location: A string of 1 to 200 characters that describes the location of the device.
version: The SNMP version in use.
• all: Specifies SNMPv1, SNMPv2c, and SNMPv3.
• v1: SNMPv1.
• v2c: SNMPv2c.
• v3: SNMPv3.

Description

Use the snmp-agent sys-info command to configure system information, including the contact
information, the location, and the SNMP version in use.
Use the undo snmp-agent sys-info contact and undo snmp-agent sys-info location commands to
restore the default.
Use the undo snmp-agent sys-info version command to disable use of the SNMP function of the
specified version.
By default, the location information is Hangzhou China, version is SNMPv3, and the contact is
Hangzhou H3C Technologies Co., Ltd.
Successful interaction between an NMS and the agents requires consistency of SNMP versions
configured on them.
Related commands: display snmp-agent sys-info.

Network maintenance engineers can use the system contact information to get in touch with the
manufacturer in case of network failures. The system location information is a management variable
under the system branch as defined in RFC1213-MIB, identifying the location of the managed object.

Examples

# Configure the contact information as “Dial System Operator at beeper # 27345”.


<Sysname> system-view
[Sysname] snmp-agent sys-info contact Dial System Operator at beeper # 27345

snmp-agent target-host

Syntax

snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number ] params
securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ]
undo snmp-agent target-host trap address udp-domain ip-address params securityname
security-string

View

System view

Default Level

3: Manage level

Parameters

trap: Specifies the host to be the target host which will receive traps and notifications from the device.
address: Specifies the destination IP address in the SNMP messages sent from the device.
udp-domain: Indicates that the trap is transmitted using UDP.
ip-address: The IPv4 address of the trap target host.
udp-port port-number: Specifies the number of the port on the target host to receive traps.
params securityname security-string: Specifies the authentication related parameter, which is an
SNMPv1 or SNMPv2c community name or an SNMPv3 user name, a string of 1 to 32 characters.
v1: SNMPv1. This keyword must be the same as the SNMP version on the NMS; otherwise, the NMS
cannot receive any trap.
v2c: SNMPv2c. This keyword must be the same as the SNMP version on the NMS; otherwise, the
NMS cannot receive any trap.
v3: SNMPv3. This keyword must be the same as the SNMP version on the NMS; otherwise, the NMS
cannot receive any trap.
• authentication: Specifies the security model to be authentication without privacy. Authentication is
a process to check whether the packet is intact and whether it has been tampered with. You need to
configure the authentication password when creating an SNMPv3 user.
• privacy: Specifies the security model to be authentication with privacy. Privacy is to encrypt the
data part of a packet to prevent it from being intercepted. You need to configure the authentication
password and privacy password when creating an SNMPv3 user.

Description

Use the snmp-agent target-host command to configure the related settings for a trap target host.
Use the undo snmp-agent target-host command to remove the current settings. According to the
networking requirements, you can use this command multiple times to configure different settings for
a target host, enabling the device to send trap messages to different NMSs. Up to 20 target hosts
can be configured.
• If udp-port port-number is not specified, port number 162 is used.
• If the keywords v1, v2c and v3 are not specified, v1 is used.
• If the keywords authentication and privacy are not specified, the authentication mode is no
authentication, no privacy.
Related commands: enable snmp trap updown, snmp-agent trap enable, snmp-agent trap source,
snmp-agent trap life.

Examples

# Enable the device to send SNMPv1 traps to 10.1.1.1, using the community name of public.
<Sysname> system-view
[Sysname] snmp-agent trap enable standard
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public

snmp-agent trap enable

Syntax

snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown |
linkup | warmstart ]* | system ]
undo snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart |
linkdown | linkup | warmstart ]* | system ]

View

System view

Default Level

3: Manage level

Parameters

configuration: Enables the sending of configuration traps.


flash: Enables the sending of FLASH-related traps.
standard: Standard traps.
• authentication: Enables the sending of authentication failure traps in the event of authentication
failure.
• coldstart: Sends coldstart traps when the device restarts.
• linkdown: Sends linkdown traps when the port is in a linkdown status. It should be configured
globally.
• linkup: Sends linkup traps when the port is in a linkup status. It should be configured globally.
• warmstart: Sends warmstart traps when the SNMP restarts.
system: Sends H3C-SYS-MAN-MIB (a private MIB) traps.

Description

Use the snmp-agent trap enable command to enable the trap function globally.
Use the undo snmp-agent trap enable command to disable the trap function globally.
By default, the trap function is enabled.
Only after the trap function is enabled can each module generate corresponding traps.
Note that:

To enable an interface to generate Linkup/Linkdown traps when its state changes, you need to enable
the linkUp/linkDown trap function on the interface and globally. Use the enable snmp trap updown
command to enable this function on an interface, and use the snmp-agent trap enable [ standard
[ linkdown | linkup ] * ] command to enable this function globally.
Related commands: snmp-agent target-host, enable snmp trap updown.

Examples

# Enable the device to send SNMP authentication failure packets to 10.1.1.1, using the community
name public.
<Sysname> system-view
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
[Sysname] snmp-agent trap enable standard authentication

snmp-agent trap if-mib link extended

Syntax

snmp-agent trap if-mib link extended


undo snmp-agent trap if-mib link extended

View

System view

Default Level

3: Manage level

Parameters

None

Description

Use the snmp-agent trap if-mib link extended command to extend the standard linkUp/linkDown
traps defined in RFC. An extended linkUp/linkDown trap is the standard linkUp/linkDown trap defined in
RFC appended with the interface description and interface type information.
Use the undo snmp-agent trap if-mib link extended command to restore the default.
By default, standard linkUp/linkDown traps defined in RFC are used.
• A standard linkUp trap is in the following format:
#Apr 24 11:48:04:896 2008 Sysname IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.4<linkUp>: Interface 983555 is Up, ifAdminStatus is 1, ifOperStatus
is 1

• An extended linkUp trap is in the following format:
#Apr 24 11:43:09:896 2008 Sysname IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.4<linkUp>: Interface 983555 is Up, ifAdminStatus is 1, ifOperStatus
is 1, ifDescr is GigabitEthernet1/0/1, ifType is 6

• A standard linkDown trap is in the following format:
#Apr 24 11:47:35:224 2008 Sysname IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.3<linkDown>: Interface 983555 is Down, ifAdminStatus is 2,
ifOperStatus is 2

• An extended linkDown trap is in the following format:
#Apr 24 11:42:54:314 2008 AR29.46 IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.3<linkDown>: Interface 983555 is Down, ifAdminStatus is 2,
ifOperStatus is 2, ifDescr is GigabitEthernet1/0/1, ifType is 6

The format of an extended linkUp/linkDown trap is the standard format followed by the ifDescr and
ifType information, facilitating problem location.
Note that after this command is configured, the device sends extended linkUp/linkDown traps. If the
extended messages are not supported on NMS, the device may not be able to resolve the messages.

Examples

# Extend standard linkUp/linkDown traps defined in RFC.


<Sysname> system-view
[Sysname] snmp-agent trap if-mib link extended

snmp-agent trap life

Syntax

snmp-agent trap life seconds


undo snmp-agent trap life

View

System view

Default Level

3: Manage level

Parameters

seconds: Timeout time, in the range 1 to 2,592,000 seconds.

Description

Use the snmp-agent trap life command to configure the holding time of the traps in the queue. Traps
will be discarded when the holding time expires.
Use the undo snmp-agent trap life command to restore the default holding time of traps in the queue.
By default, the holding time of SNMP traps in the queue is 120 seconds.
The SNMP module sends traps in queues. As soon as the traps are saved in the trap queue, a timer is
started. If traps are not sent out until the timer times out (namely, the holding time configured by using
this command expires), the system removes the traps from the trap sending queue.
Related commands: snmp-agent trap enable, snmp-agent target-host.

Examples

# Configure the holding time of traps in the queue as 60 seconds.


<Sysname> system-view
[Sysname] snmp-agent trap life 60

snmp-agent trap queue-size

Syntax

snmp-agent trap queue-size size


undo snmp-agent trap queue-size

View

System view

Default Level

3: Manage level

Parameters

size: Number of traps that can be stored in the trap sending queue, in the range 1 to 1,000.

Description

Use the snmp-agent trap queue-size command to set the size of the trap sending queue.
Use the undo snmp-agent trap queue-size command to restore the default queue size.
By default, up to 100 traps can be stored in the trap sending queue.
After traps are generated, they will be saved into the trap sending queue. The size of the queue
determines the maximum number of the traps that can be stored in the queue. When the size of the trap
sending queue reaches the configured value, the newly generated traps are saved into the queue, and
the earliest ones are discarded.
Related commands: snmp-agent trap enable, snmp-agent target-host, snmp-agent trap life.

Examples

# Set the maximum number of traps that can be stored in the trap sending queue to 200.
<Sysname> system-view
[Sysname] snmp-agent trap queue-size 200

snmp-agent trap source

Syntax

snmp-agent trap source interface-type { interface-number }


undo snmp-agent trap source

View

System view

Default Level

3: Manage level

Parameters

interface-type interface-number: Specifies the interface type and interface number.

Description

Use the snmp-agent trap source command to specify the source IP address contained in the trap.
Use the undo snmp-agent trap source command to restore the default.
By default, SNMP chooses the IP address of an interface to be the source IP address of the trap.
Upon the execution of this command, the system uses the primary IP address of the specified interface
as the source IP address of the traps, and the NMS will use this IP address to uniquely identify the agent.
Even if the agent sends out traps through different interfaces, the NMS uses this IP address to filter all
traps sent from the agent.
Use this command to trace a specific event by the source IP address of a trap.
Note that:
Before you can configure the IP address of a particular interface as the source IP address of the trap,
ensure that the interface already exists and that it has a legal IP address. Otherwise, if the configured
interface does not exist, the configurations will fail; if the specified IP address is illegal, the configuration
will be invalid. After a legal IP address is configured for the interface, the configuration becomes valid
automatically.
Related commands: snmp-agent trap enable, snmp-agent target-host.

Examples

# Configure the IP address for the Vlan-interface 1 as the source address for traps.
<Sysname> system-view
[Sysname] snmp-agent trap source Vlan-interface 1

snmp-agent usm-user { v1 | v2c }

Syntax

snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]


undo snmp-agent usm-user { v1 | v2c } user-name group-name

View

System view

Default Level

3: Manage level

Parameters

v1: The configured user name should be applied in the SNMPv1 networking environment. If the agent
and the NMS use SNMPv1 packets to communicate with each other, this keyword is needed.
v2c: The configured user name should be applied in the SNMPv2c networking environment. If the agent
and the NMS use SNMPv2c packets to communicate with each other, this keyword is needed.
user-name: User name, a string of 1 to 32 characters. It is case sensitive.
group-name: Group name, a string of 1 to 32 characters. It is case sensitive.
acl acl-number: Associates a basic ACL with the user. acl-number is in the range 2000 to 2999. By
using a basic ACL, you can restrict the source IP address of SNMP packets, that is, you can configure to
allow or prohibit SNMP packets with a specific source IP address, so as to allow or prohibit the specified
NMS to access the agent by using this user name.

Description

Use the snmp-agent usm-user { v1 | v2c } command to add a user to an SNMP group.
Use the undo snmp-agent usm-user { v1 | v2c } command to delete a user from an SNMP group.
As defined in the SNMP protocol, in SNMPv1 and SNMPv2c networking applications, the NMS and the
agent use a community name to authenticate each other; in SNMPv3 networking applications, they use
a user name to authenticate each other. If you prefer using a user name for authentication, the
device supports configuration of SNMPv1 and SNMPv2c users. Creating an SNMPv1 or SNMPv2c user
is equivalent to adding a new read-only community name. After you add the user name into the
read-only community name field of the NMS, the NMS can establish an SNMP connection with the device.
To make the configured user take effect, create an SNMP group first.
Related commands: snmp-agent group, snmp-agent community, snmp-agent usm-user v3.

Examples

# Create a v2c user userv2c in group readCom.


<Sysname> system-view
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent group v2c readCom
[Sysname] snmp-agent usm-user v2c userv2c readCom

• Set the SNMP version on the NMS to SNMPv2c.
• Fill in the read community name userv2c, and then the NMS can access the agent.

# Create a v2c user userv2c in group readCom, allowing only the NMS with the IP address of
1.1.1.1 to access the agent by using this user name; other NMSs are not allowed to access the
agent by using this user name.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 1.1.1.1 0.0.0.0
[Sysname-acl-basic-2001] rule deny source any
[Sysname-acl-basic-2001] quit
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent group v2c readCom
[Sysname] snmp-agent usm-user v2c userv2c readCom acl 2001

• Set the IP address of the NMS to 1.1.1.1.
• Set the SNMP version on the NMS to SNMPv2c.
• Fill in both the read community and write community options with userv2c, and then the NMS can
  access the agent.

snmp-agent usm-user v3

Syntax

snmp-agent usm-user v3 user-name group-name [ cipher ] [ authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number ]
undo snmp-agent usm-user v3 user-name group-name { local | engineid engineid-string }

View

System view

Default Level

3: Manage level

Parameters

user-name: User name, a string of 1 to 32 characters. It is case sensitive.


group-name: Group name, a string of 1 to 32 characters. It is case sensitive.
cipher: Specifies that auth-password and priv-password are cipher text passwords, which can be
calculated by using the snmp-agent calculate-password command.
authentication-mode: Specifies the security model to be authentication. MD5 is faster than SHA, while
SHA provides a higher security than MD5.
• md5: Specifies the authentication protocol as MD5.
• sha: Specifies the authentication protocol as SHA-1.
auth-password: Authentication password. If the cipher keyword is not specified, auth-password
indicates a plain text password, which is a string of 1 to 64 visible characters. If the cipher keyword is
specified, auth-password indicates a cipher text password. If the md5 keyword is specified,
auth-password is a string of 32 hexadecimal characters. If the sha keyword is specified, auth-password
is a string of 40 hexadecimal characters.
privacy-mode: Specifies the security model to be privacy. The three encryption algorithms AES, 3DES,
and DES are in descending order in terms of security. Higher security means more complex
implementation mechanism and lower speed. DES is enough to meet general requirements.
• 3des: Specifies the privacy protocol as 3DES.
• des56: Specifies the privacy protocol as DES.
• aes128: Specifies the privacy protocol as AES.
priv-password: The privacy password. If the cipher keyword is not specified, priv-password indicates a
plain text password, which is a string of 1 to 64 characters; if the cipher keyword is specified,
priv-password indicates a cipher text password; if the 3des keyword is specified, priv-password is a
string of 80 hexadecimal characters; if the aes128 keyword is specified, priv-password is a string of 40
hexadecimal characters; if the des56 keyword is specified, priv-password is a string of 40 hexadecimal
characters.
acl acl-number: Associates a basic ACL with the user. acl-number is in the range 2000 to 2999. By
using a basic ACL, you can restrict the source IP address of SNMP packets, that is, you can configure to
allow or prohibit SNMP packets with a specific source IP address, so as to allow or prohibit the specified
NMS to access the agent by using this user name.
local: Represents a local SNMP entity user.
engineid engineid-string: The engine ID string, an even number of hexadecimal characters, in the
range 10 to 64. Its length must not be an odd number, and the all-zero and all-F strings are invalid.

Description

Use the snmp-agent usm-user v3 command to add a user to an SNMP group.


Use the undo snmp-agent usm-user v3 command to delete a user from an SNMP group.
The user name configured by using this command is applicable to the SNMPv3 networking
environments. If the agent and the NMS use SNMPv3 packets to communicate with each other, you
need to create an SNMPv3 user.
To make the configured user valid, create an SNMP group first. Configure the authentication and
encryption modes when you create a group, and configure the authentication and encryption
passwords when you create a user.
• If you specify the cipher keyword, the system considers the arguments auth-password and
  priv-password as cipher text passwords. In this case, the command supports copy and paste,
  meaning if the engine IDs of the two devices are the same, you can copy and paste the SNMPv3
  configuration commands in the configuration file on device A to device B and execute the
  commands on device B. The cipher text password and plain text password on the two devices are
  the same.
• If you do not specify the cipher keyword, the system considers the arguments auth-password and
  priv-password as plain text passwords. In this case, if you perform the copy and paste operation,
  the system will encrypt these two passwords, resulting in inconsistency of the cipher text and plain
  text passwords of the two devices.
Note that:
• If you use the snmp-agent usm-user v3 cipher command, the priv-password argument in this
  command can be obtained by the snmp-agent calculate-password command. To make the
  calculated cipher text password applicable to the snmp-agent usm-user v3 cipher command and
  have the same effect as that in the snmp-agent usm-user v3 cipher command, ensure that the
  same privacy protocol is specified for the two commands and the local engine ID specified in the
  snmp-agent usm-user v3 cipher command is consistent with the SNMP entity engine ID
  specified in the snmp-agent calculate-password command.
• If you execute this command repeatedly to configure the same user (namely, the user names are
  the same, no limitation to other keywords and arguments), the last configuration takes effect.
• A plain text password is required when the NMS accesses the device; therefore, please remember
  the user name and the plain text password when you create a user.
Related commands: snmp-agent calculate-password, snmp-agent group, snmp-agent usm-user
{ v1 | v2c }.
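
Why a cipher-text password only carries over between devices whose engine IDs match, shown with the standard USM key derivation from RFC 3414. This is an added example, not H3C code: the page does not say which algorithm snmp-agent calculate-password uses, so treating it as RFC 3414 key localization is an assumption, and the two device engine IDs are constructed values.

```python
import hashlib

HASHES = {"md5": "md5", "sha": "sha1"}   # page keywords -> hashlib algorithm names
EXPANDED_LEN = 1048576                    # RFC 3414 A.2: hash 1 MiB of repeated password

# Constructed engine IDs for two hypothetical devices (not taken from the page).
DEVICE_A = "8000000001AABBCCDD01"
DEVICE_B = "8000000001AABBCCDD02"


def check_engine_id(engine_id_hex):
    """Apply the engineid-string rules stated on the page and return raw bytes."""
    s = engine_id_hex.strip()
    if not 10 <= len(s) <= 64 or len(s) % 2:
        raise ValueError("engine ID must be an even number of 10 to 64 hex characters")
    if set(s) == {"0"} or set(s.upper()) == {"F"}:
        raise ValueError("all-zero and all-F engine IDs are invalid")
    return bytes.fromhex(s)  # raises ValueError if a character is not hexadecimal


def password_to_key(password, mode):
    """RFC 3414 A.2 password-to-key: digest of the password repeated to 1 MiB."""
    data = password.encode()
    if not data:
        raise ValueError("password must not be empty")
    stream = (data * (EXPANDED_LEN // len(data) + 1))[:EXPANDED_LEN]
    return hashlib.new(HASHES[mode], stream).digest()


def localize(user_key, engine_id, mode):
    """RFC 3414 key localization: H(Ku || engineID || Ku)."""
    return hashlib.new(HASHES[mode], user_key + engine_id + user_key).digest()


def localized_key_hex(password, mode, engine_id_hex):
    """Localized key as upper-case hex, the form a cipher-text argument takes."""
    engine_id = check_engine_id(engine_id_hex)
    return localize(password_to_key(password, mode), engine_id, mode).hex().upper()


if __name__ == "__main__":
    for name, eid in (("device A", DEVICE_A), ("device B", DEVICE_B)):
        # Same plain-text password, different engine ID, different key material.
        print(name, "md5:", localized_key_hex("authkey", "md5", eid))
        print(name, "sha:", localized_key_hex("authkey", "sha", eid))
```

The digest sizes give 32 hexadecimal characters for md5 and 40 for sha, the same lengths the parameter description gives for a cipher-text auth-password.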

Examples

# Add a user testUser to the SNMPv3 group testGroup. Configure the security model as
authentication without privacy, the authentication protocol as MD5, the plain-text authentication
password as authkey.
<Sysname> system-view
[Sysname] snmp-agent group v3 testGroup authentication
[Sysname] snmp-agent usm-user v3 testUser testGroup authentication-mode md5 authkey

• Set the SNMP version on the NMS to SNMPv3.
• Fill in the user name testUser.
• Set the authentication protocol to MD5.
• Set the authentication password to authkey.
• Establish a connection, and the NMS can access the MIB objects in the ViewDefault view on the
  device.

# Add a user testUser to the SNMPv3 group testGroup. Configure the security model as
authentication and privacy, the authentication protocol as MD5, the privacy protocol as DES56, the
plain-text authentication password as authkey, and the plain-text privacy password as prikey.
<Sysname> system-view
[Sysname] snmp-agent group v3 testGroup privacy
[Sysname] snmp-agent usm-user v3 testUser testGroup authentication-mode md5 authkey privacy-mode des56 prikey

• Set the SNMP version on the NMS to SNMPv3.
• Fill in the user name testUser.
• Set the authentication protocol to MD5.
• Set the authentication password to authkey.
• Set the privacy protocol to DES.
• Set the privacy password to prikey.
• Establish a connection, and the NMS can access the MIB objects in the ViewDefault view on the
  device.

# Add a user testUser to the SNMPv3 group testGroup with the cipher keyword specified. Configure
the security model as authentication and privacy, the authentication protocol as MD5, the privacy
protocol as DES56, the plain-text authentication password as authkey, and the plain-text privacy
password as prikey.
<Sysname> system-view
[Sysname] snmp-agent group v3 testGroup privacy
[Sysname] snmp-agent calculate-password authkey mode md5 local-engineid
The secret key is: 09659EC5A9AE91BA189E5845E1DDE0CC
[Sysname] snmp-agent calculate-password prikey mode md5 local-engineid
The secret key is: 800D7F26E786C4BECE61BF01E0A22705
[Sysname] snmp-agent usm-user v3 testUser testGroup cipher authentication-mode md5 09659EC5A9AE91BA189E5845E1DDE0CC privacy-mode des56 800D7F26E786C4BECE61BF01E0A22705

• Set the SNMP version on the NMS to SNMPv3.
• Fill in the user name testUser.
• Set the authentication protocol to MD5.
• Set the authentication password to authkey.
• Set the privacy protocol to DES.
• Set the privacy password to prikey.
• Establish a connection, and the NMS can access the MIB objects in the ViewDefault view on the
  device.
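
A configuration audit for the two usm-user command forms documented above ({ v1 | v2c } and v3), checking each line against the constraints and security rankings this reference states. It is an added example, not an H3C tool; the finding names are this example's own, the first three sample lines reuse the page's examples, and the last line with its hexadecimal values is constructed.

```python
import re

AUTH_HEX_LEN = {"md5": 32, "sha": 40}      # cipher-text auth-password lengths from the page
PRIV_MODES = ("3des", "aes128", "des56")

# Sample input: three lines from the page's examples, one constructed hardened line.
SAMPLE_CONFIG = """\
snmp-agent usm-user v2c userv2c readCom
snmp-agent usm-user v2c userv2c readCom acl 2001
snmp-agent usm-user v3 testUser testGroup authentication-mode md5 authkey privacy-mode des56 prikey
snmp-agent usm-user v3 nmsUser nmsGroup cipher authentication-mode sha 0123456789ABCDEF0123456789ABCDEF01234567 privacy-mode aes128 89ABCDEF0123456789ABCDEF0123456789ABCDEF acl 2001
"""


def parse_usm_user(line):
    """Parse one 'snmp-agent usm-user' line using the syntax given on the page."""
    tok = line.split()
    if len(tok) < 5 or tok[:2] != ["snmp-agent", "usm-user"] or tok[2] not in ("v1", "v2c", "v3"):
        raise ValueError("not a usm-user command: %r" % line)
    cfg = dict(version=tok[2], user=tok[3], group=tok[4], cipher=False,
               auth=None, auth_pw=None, priv=None, priv_pw=None, acl=None)
    i = 5
    try:
        if cfg["version"] == "v3":
            if tok[i:i + 1] == ["cipher"]:
                cfg["cipher"], i = True, i + 1
            if tok[i:i + 1] == ["authentication-mode"]:
                cfg["auth"], cfg["auth_pw"] = tok[i + 1], tok[i + 2]
                i += 3
                if tok[i:i + 1] == ["privacy-mode"]:
                    cfg["priv"], cfg["priv_pw"] = tok[i + 1], tok[i + 2]
                    i += 3
        if tok[i:i + 1] == ["acl"]:
            cfg["acl"] = int(tok[i + 1])
            i += 2
    except (IndexError, ValueError):
        raise ValueError("truncated or malformed arguments: %r" % line) from None
    if i != len(tok):
        raise ValueError("unexpected token %r in: %r" % (tok[i], line))
    if cfg["auth"] not in (None, *AUTH_HEX_LEN) or cfg["priv"] not in (None, *PRIV_MODES):
        raise ValueError("unknown authentication or privacy keyword: %r" % line)
    return cfg


def audit(cfg):
    """Return a list of findings for one parsed usm-user command."""
    findings = []
    if any(not 1 <= len(cfg[k]) <= 32 for k in ("user", "group")):
        findings.append("name-length")            # names are 1 to 32 characters
    if cfg["version"] in ("v1", "v2c"):
        findings.append("community-equivalent")   # acts as a read-only community name
    elif cfg["auth"] is None:
        findings.append("no-authentication")
    else:
        if cfg["auth"] == "md5":
            findings.append("auth-md5")           # page ranks SHA above MD5
        pattern = r"[0-9A-Fa-f]{%d}" % AUTH_HEX_LEN[cfg["auth"]]
        if cfg["cipher"] and not re.fullmatch(pattern, cfg["auth_pw"]):
            findings.append("cipher-auth-length")
        if cfg["priv"] is None:
            findings.append("no-privacy")
        elif cfg["priv"] != "aes128":
            findings.append("priv-" + cfg["priv"])  # page ranks AES above 3DES above DES
    if cfg["acl"] is None:
        findings.append("no-acl")                 # any source address may use this user
    elif not 2000 <= cfg["acl"] <= 2999:
        findings.append("acl-range")              # basic ACLs are 2000 to 2999
    return findings


def audit_config(text):
    """Audit every usm-user line in a configuration text; returns {line: findings}."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("snmp-agent usm-user "):
            report[line] = audit(parse_usm_user(line))
    return report


if __name__ == "__main__":
    for line, findings in audit_config(SAMPLE_CONFIG).items():
        print(", ".join(findings) or "ok", "<-", line[:70])
```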

2 MIB Configuration Commands

MIB Configuration Commands


display mib-style

Syntax

display mib-style

View

Any view

Default Level

3: Manage level

Parameters

None

Description

Use the display mib-style command to display the MIB style of the device.
Two MIB styles are available on the device: new and compatible. After obtaining the MIB style, you can
select matched H3C network management software based on the MIB style.
Related commands: mib-style.

Examples

# After getting the device ID from node sysObjectID, you find that it is an H3C device and want to
know the current MIB style or the MIB style after the next boot of the device.
<Sysname> display mib-style
Current MIB style: new
Next reboot MIB style: new

The above output information indicates that the current MIB style of the device is new, and the MIB style
after next boot is still new.

mib-style

Syntax

mib-style [ new | compatible ]

View

System view

Default Level

3: Manage level

Parameters

new: Specifies the MIB style of the device as H3C new; that is, both sysOID and private MIB of the
device are located under the H3C enterprise ID 25506.
compatible: Specifies the MIB style of the device as H3C compatible; that is, sysOID of the device is
located under the H3C enterprise ID 25506, and private MIB is located under the enterprise ID 2011.

Description

Use the mib-style command to set the MIB style of the device.
By default, the MIB style of the device is new.
Note that the configuration takes effect only after the device reboots.

Examples

# Set the MIB style of the device to compatible.


<Sysname> system-view
[Sysname] mib-style compatible
[Sysname] quit
<Sysname> display mib-style
Current MIB style: new
Next reboot MIB style: compatible
<Sysname> reboot

Table of Contents

1 RMON Configuration Commands
    RMON Configuration Commands
        display rmon alarm
        display rmon event
        display rmon eventlog
        display rmon history
        display rmon prialarm
        display rmon statistics
        rmon alarm
        rmon event
        rmon history
        rmon prialarm
        rmon statistics

1 RMON Configuration Commands

RMON Configuration Commands


display rmon alarm

Syntax

display rmon alarm [ entry-number ]

View

Any view

Default Level

1: Monitor level

Parameters

entry-number: Index of an RMON alarm entry, in the range 1 to 65535. If no entry is specified, the
configuration of all alarm entries is displayed.

Description

Use the display rmon alarm command to display the configuration of the specified or all RMON alarm
entries.
Related commands: rmon alarm.

Examples

# Display the configuration of all RMON alarm table entries.


<Sysname> display rmon alarm
AlarmEntry 1 owned by user1 is VALID.
Samples type : absolute
Variable formula : 1.3.6.1.2.1.16.1.1.1.4.1<etherStatsOctets.1>
Sampling interval : 10(sec)
Rising threshold : 50(linked with event 1)
Falling threshold : 5(linked with event 2)
When startup enables : risingOrFallingAlarm
Latest value : 0

Table 1-1 display rmon alarm command output description

| Field | Description |
| --- | --- |
| AlarmEntry entry-number owned by owner is status | The status of the alarm entry entry-number created by the owner is status. • entry-number: Alarm entry, corresponding to the management information base (MIB) node alarmIndex. • owner: Owner of the entry, corresponding to the MIB node alarmOwner. • Status: Status of the entry identified by the index (VALID means the entry is valid, and UNDERCREATION means invalid. You can use the display rmon command to view the invalid entry, while with the display current-configuration and display this commands you cannot view the corresponding rmon commands.), corresponding to the MIB node alarmStatus. |
| Samples type | The sampling type (the value can be absolute or delta), corresponding to the MIB node alarmSampleType. |
| Variable formula | Alarm variable, namely, the monitored MIB node, corresponding to the MIB node alarmVariable. |
| Sampling interval | Sampling interval, in seconds, corresponding to the MIB node alarmInterval. |
| Rising threshold | Alarm rising threshold (When the sampling value is bigger than or equal to this threshold, a rising alarm is triggered.), corresponding to the MIB node alarmRisingThreshold. |
| Falling threshold | Alarm falling threshold (When the sampling value is smaller than or equal to this threshold, a falling alarm is triggered.), corresponding to the MIB node alarmFallingThreshold. |
| When startup enables | How an alarm can be triggered, corresponding to the MIB node alarmStartupAlarm. |
| Latest value | The last sampled value, corresponding to the MIB node alarmValue. |

display rmon event

Syntax

display rmon event [ entry-number ]

View

Any view

Default Level

1: Monitor level

Parameters

entry-number: Index of an RMON event entry, in the range 1 to 65535. If no entry is specified, the
configuration of all event entries is displayed.

Description

Use the display rmon event command to display the configuration of the specified or all RMON event
entries.

Displayed information includes event index, event owner, event description, action triggered by the
event (such as sending log or trap messages), and last time the event occurred (the elapsed time since
system initialization/startup) in seconds.
Related commands: rmon event.

Examples

# Display the configuration of RMON event table.


<Sysname> display rmon event
EventEntry 1 owned by user1 is VALID.
Description: null.
Will cause log-trap when triggered, last triggered at 0days 00h:02m:27s.

Table 1-2 display rmon event command output description

| Field | Description |
| --- | --- |
| EventEntry | Event entry, corresponding to the MIB node eventIndex. |
| owned by | Owner of the entry, corresponding to the MIB node eventOwner. |
| VALID | Status of the entry identified by the index (VALID means the entry is valid, and UNDERCREATION means invalid. You can use the display rmon command to view the invalid entry; while with the display current-configuration and display this commands you cannot view the corresponding rmon commands.), corresponding to the MIB node eventStatus. |
| Description | Description for the event, corresponding to the MIB node eventDescription. |
| cause log-trap when triggered | The actions that the system will take when the event is triggered: • none: The system will take no action • log: The system will log the event • snmp-trap: The system will send a trap to the NMS • log-and-trap: The system will log the event and send a trap to the NMS. This field corresponds to the MIB node eventType. |
| last triggered at | Time when the last event was triggered, corresponding to the MIB node eventLastTimeSent. |

display rmon eventlog

Syntax

display rmon eventlog [ entry-number ]

View

Any view

Default Level

1: Monitor level

Parameters

entry-number: Index of an event entry, in the range 1 to 65535.

Description

Use the display rmon eventlog command to display log information for the specified or all event
entries.
If entry-number is not specified, the log information for all event entries is displayed.
If you use the rmon event command to configure the system to log an event when the event is triggered,
the event is recorded into the RMON log. You can use this command to display the details of the log
table: event index, current event state, time the event was logged (the elapsed time in seconds since
system initialization/startup), and event description.

Examples

# Display the RMON log information for event entry 1.


<Sysname> display rmon eventlog 1
LogEntry 1 owned by null is VALID.
Generates eventLog 1.1 at 0day(s) 00h:00m:33s.
Description: The alarm formula defined in prialarmEntry 1,
uprise 80 with alarm value 85. Alarm sample type is absolute.
Generates eventLog 1.2 at 0day(s) 00h:42m:03s.
Description: The alarm formula defined in prialarmEntry 2,
less than(or =) 5 with alarm value 0. Alarm sample type is delta.

Table 1-3 display rmon eventlog command output description

| Field | Description |
| --- | --- |
| LogEntry | Event log entry, corresponding to the MIB node logIndex. |
| owned by | Owner of the entry, corresponding to the MIB node eventOwner. |
| VALID | Status of the entry identified by the index (VALID means the entry is valid, and UNDERCREATION means invalid. You can use the display rmon command to view the invalid entry; while with the display current-configuration and display this commands you cannot view the corresponding rmon commands.), corresponding to the MIB node eventStatus. |
| Generates eventLog at | Time when the log was created (Time passed since the device was booted), corresponding to the MIB node logTime. |
| Description | Log description, corresponding to the MIB node logDescription. |

The above example shows that event 1 has generated two logs:
• eventLog 1.1, generated by private alarm entry 1, which is triggered because the alarm value (85)
  exceeds the rising threshold (80). The sampling type is absolute.
• eventLog 1.2, generated by private alarm entry 2, which is triggered because the alarm value (0) is
  lower than the falling threshold (5). The sampling type is delta.

display rmon history

Syntax

display rmon history [ interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Description

Use the display rmon history command to display RMON history control entry and history sampling
information.
After you have created a history control entry on an interface, the system calculates the information of
the interface periodically and saves this information to the etherHistoryEntry table. You can use this
command to display the entries in this table.
You can configure the number of history sampling records that can be displayed and the history
sampling interval through the rmon history command.
Related commands: rmon history.

Examples

# Display RMON history control entry and history sampling information for interface GigabitEthernet
1/0/1.
<Sysname> display rmon history GigabitEthernet 1/0/1
HistoryControlEntry 1 owned by null is VALID
Samples interface : GigabitEthernet1/0/1<ifIndex.1>
Sampling interval : 10(sec) with 5 buckets max
Sampled values of record 1 :
dropevents : 0 , octets : 0
packets : 0 , broadcast packets : 0
multicast packets : 0 , CRC alignment errors : 0
undersize packets : 0 , oversize packets : 0
fragments : 0 , jabbers : 0
collisions : 0 , utilization : 0
Sampled values of record 2 :
dropevents : 0 , octets : 0
packets : 0 , broadcast packets : 0
multicast packets : 0 , CRC alignment errors : 0
undersize packets : 0 , oversize packets : 0
fragments : 0 , jabbers : 0
collisions : 0 , utilization : 0
Sampled values of record 3 :
dropevents : 0 , octets : 0
packets : 0 , broadcast packets : 0
multicast packets : 0 , CRC alignment errors : 0
undersize packets : 0 , oversize packets : 0
fragments : 0 , jabbers : 0
collisions : 0 , utilization : 0
Sampled values of record 4 :
dropevents : 0 , octets : 0
packets : 0 , broadcast packets : 0
multicast packets : 0 , CRC alignment errors : 0
undersize packets : 0 , oversize packets : 0
fragments : 0 , jabbers : 0
collisions : 0 , utilization : 0
Sampled values of record 5 :
dropevents : 0 , octets : 0
packets : 0 , broadcast packets : 0
multicast packets : 0 , CRC alignment errors : 0
undersize packets : 0 , oversize packets : 0
fragments : 0 , jabbers : 0
collisions : 0 , utilization : 0

Table 1-4 display rmon history command output description

| Field | Description |
| --- | --- |
| HistoryControlEntry | History control entry, corresponding to the MIB node etherHistoryIndex. |
| owned by | Owner of the entry, corresponding to the MIB node historyControlOwner. |
| VALID | Status of the entry identified by the index (VALID means the entry is valid, and UNDERCREATION means invalid. You can use the display rmon command to view the invalid entry; while with the display current-configuration and display this commands you cannot view the corresponding rmon commands.), corresponding to the MIB node historyControlStatus. |
| Samples interface | The sampled interface |
| Sampling interval | Sampling period, in seconds, corresponding to the MIB node historyControlInterval. The system samples the information of an interface periodically. |
| buckets max | The maximum number of history table entries that can be saved, corresponding to the MIB node historyControlBucketsGranted. If the specified value of the buckets argument exceeds the history table size supported by the device, the supported history table size is displayed. If the current number of the entries in the table has reached the maximum number, the system will delete the earliest entry to save the latest one. |
| Sampled values of record number | The (number)th statistics recorded in the system cache. Statistics records are numbered according to the order of time they are saved into the cache. |
| dropevents | Dropped packets during the sampling period, corresponding to the MIB node etherHistoryDropEvents. |
| octets | Number of octets received during the sampling period, corresponding to the MIB node etherHistoryOctets. |
| packets | Number of packets received during the sampling period, corresponding to the MIB node etherHistoryPkts. |
| broadcast packets | Number of broadcasts received during the sampling period, corresponding to the MIB node etherHistoryBroadcastPkts. |
| multicast packets | Number of multicasts received during the sampling period, corresponding to the MIB node etherHistoryMulticastPkts. |
| CRC alignment errors | Number of packets received with CRC alignment errors during the sampling period, corresponding to the MIB node etherHistoryCRCAlignErrors. |
| undersize packets | Number of undersize packets received during the sampling period, corresponding to the MIB node etherHistoryUndersizePkts. |
| oversize packets | Number of oversize packets received during the sampling period, corresponding to the MIB node etherHistoryOversizePkts. |
| fragments | Number of fragments received during the sampling period, corresponding to the MIB node etherHistoryFragments. |
| jabbers | Number of jabbers received during the sampling period, corresponding to the MIB node etherHistoryJabbers. |
| collisions | Number of colliding packets received during the sampling period, corresponding to the MIB node etherHistoryCollisions. |
| utilization | Bandwidth utilization during the sampling period, corresponding to the MIB node etherHistoryUtilization. |

display rmon prialarm

Syntax

display rmon prialarm [ entry-number ]

View

Any view

Default Level

1: Monitor level

Parameters

entry-number: Private alarm entry index, in the range 1 to 65535. If no entry is specified, the
configuration of all private alarm entries is displayed.

Description

Use the display rmon prialarm command to display the configuration of the specified or all private
alarm entries.
Related commands: rmon prialarm.

Examples

# Display the configuration of all private alarm entries.


<Sysname> display rmon prialarm
PrialarmEntry 1 owned by user1 is VALID.
Samples type : absolute
Variable formula : (.1.3.6.1.2.1.16.1.1.1.6.1*100/.1.3.6.1.2.1.16.1.1.1.5.1)
Description : ifUtilization.GigabitEthernet1/0/1
Sampling interval : 10(sec)
Rising threshold : 80(linked with event 1)
Falling threshold : 5(linked with event 2)
When startup enables : risingOrFallingAlarm
This entry will exist : forever
Latest value : 85

Table 1-5 display rmon prialarm command output description

| Field | Description |
| --- | --- |
| PrialarmEntry | The entry of the private alarm table |
| owned by | Owner of the entry, user1 in this example |
| VALID | Status of the entry identified by the index (VALID means the entry is valid, and UNDERCREATION means invalid. You can use the display rmon command to view the invalid entry; while with the display current-configuration and display this commands you cannot view the corresponding rmon commands.) |
| Samples type | Sampling type, whose value can be absolute or delta. |
| Sampling interval | Sampling interval, in seconds. The system performs absolute sample or delta sample to sampling variables according to the sampling interval. |
| Rising threshold | Alarm rising threshold. An event is triggered when the sampled value is greater than or equal to this threshold. |
| Falling threshold | Alarm falling threshold. An event is triggered when the sampled value is less than or equal to this threshold. |
| linked with event | Event index associated with the prialarm |
| When startup enables | How an alarm can be triggered |
| This entry will exist | The lifetime of the entry, which can be forever or span the specified period |
| Latest value | The count result of the last sample |

display rmon statistics

Syntax

display rmon statistics [ interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Description

Use the display rmon statistics command to display RMON statistics.


This command displays the interface statistics during the period from the time the statistics entry is
created to the time the command is executed. The statistics are cleared after the device reboots.
Related commands: rmon statistics.

Examples

# Display RMON statistics for interface GigabitEthernet 1/0/1.


<Sysname> display rmon statistics GigabitEthernet 1/0/1
EtherStatsEntry 1 owned by null is VALID.
Interface : GigabitEthernet1/0/1<ifIndex.3>
etherStatsOctets : 43393306 , etherStatsPkts : 619825
etherStatsBroadcastPkts : 503581 , etherStatsMulticastPkts : 44013
etherStatsUndersizePkts : 0 , etherStatsOversizePkts : 0
etherStatsFragments : 0 , etherStatsJabbers : 0
etherStatsCRCAlignErrors : 0 , etherStatsCollisions : 0
etherStatsDropEvents (insufficient resources): 0
Packets received according to length:
64 : 0 , 65-127 : 0 , 128-255 : 0
256-511: 0 , 512-1023: 0 , 1024-1518: 0

Table 1-6 display rmon statistics command output description

| Field | Description |
| --- | --- |
| EtherStatsEntry | The entry of the statistics table, corresponding to the MIB node etherStatsIndex. |
| VALID | Status of the entry identified by the index (VALID means the entry is valid, and UNDERCREATION means invalid. You can use the display rmon command to view the invalid entry; while with the display current-configuration and display this commands you cannot view the corresponding rmon commands.), corresponding to the MIB node etherStatsStatus. |
| Interface | Interface on which statistics are gathered, corresponding to the MIB node etherStatsDataSource. |
| etherStatsOctets | Number of octets received by the interface during the statistical period, corresponding to the MIB node etherStatsOctets. |
| etherStatsPkts | Number of packets received by the interface during the statistical period, corresponding to the MIB node etherStatsPkts. |
| etherStatsBroadcastPkts | Number of broadcast packets received by the interface during the statistical period, corresponding to the MIB node etherStatsBroadcastPkts. |
| etherStatsMulticastPkts | Number of multicast packets received by the interface during the statistical period, corresponding to the MIB node etherStatsMulticastPkts. |
| etherStatsUndersizePkts | Number of undersize packets received by the interface during the statistical period, corresponding to the MIB node etherStatsUndersizePkts. |
| etherStatsOversizePkts | Number of oversize packets received by the interface during the statistical period, corresponding to the MIB node etherStatsOversizePkts. |
| etherStatsFragments | Number of undersize packets with CRC errors received by the interface during the statistical period, corresponding to the MIB node etherStatsFragments. |
| etherStatsJabbers | Number of oversize packets with CRC errors received by the interface during the statistical period, corresponding to the MIB node etherStatsJabbers. |
| etherStatsCRCAlignErrors | Number of packets with CRC errors received on the interface during the statistical period, corresponding to the MIB node etherStatsCRCAlignErrors. |
| etherStatsCollisions | Number of collisions received on the interface during the statistical period, corresponding to the MIB node etherStatsCollisions. |
| etherStatsDropEvents | Total number of drop events received on the interface during the statistical period, corresponding to the MIB node etherStatsDropEvents. |
| Packets received according to length: 64 : 0 , 65-127 : 0 , 128-255 : 0 256-511: 0 , 512-1023: 0 , 1024-1518: 0 | Statistics of packets received according to length during the statistical period (Hardware support is needed for the statistics. If the hardware does not support the function, all statistics are displayed as 0.), in which: • Information of the field 64 corresponds to the MIB node etherStatsPkts64Octets • Information of the field 65-127 corresponds to the MIB node etherStatsPkts65to127Octets • Information of the field 128-255 corresponds to the MIB node etherStatsPkts128to255Octets • Information of the field 256-511 corresponds to the MIB node etherStatsPkts256to511Octets • Information of the field 512-1023 corresponds to the MIB node etherStatsPkts512to1023Octets • Information of the field 1024-1518 corresponds to the MIB node etherStatsPkts1024to1518Octets |

rmon alarm

Syntax

rmon alarm entry-number alarm-variable sampling-interval { absolute | delta } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 [ owner text ]
undo rmon alarm entry-number

View

System view

Default Level

2: System level

Parameters

entry-number: Alarm entry index, in the range 1 to 65535.


alarm-variable: Alarm variable, a string of 1 to 256 characters. It can be in dotted object identifier (OID)
format (in the format of entry.integer.instance or leaf node name.instance, for example,
1.3.6.1.2.1.2.1.10.1), or a node name like ifInOctets.1. Only variables that can be parsed into INTEGER
(INTEGER, Counter, Gauge, or Time Ticks) in the ASN.1 can be used for the alarm-variable argument,
such as the instance of the leaf node (like etherStatsOctets, etherStatsPkts, etherStatsBroadcastPkts,
and so on) of the etherStatsEntry entry, the instance of the leaf node (like ifInOctets, ifInUcastPkts,
ifInNUcastPkts, and so on) of the ifEntry entry.
sampling-interval: Sampling interval, in the range 5 to 65,535 seconds.
absolute: Sets the sampling type to absolute, namely, the system obtains the value of the variable
when the sampling time is reached.
delta: Sets the sampling type to delta, namely, the system obtains the variation value of the variable
during the sampling interval when the sampling time is reached.
rising-threshold threshold-value1 event-entry1: Sets the rising threshold, where threshold-value1
represents the rising threshold, in the range –2,147,483,648 to +2,147,483,647, and event-entry1
represents the index of the event triggered when the rising threshold is reached. event-entry1 ranges
from 0 to 65,535, with 0 meaning no corresponding event is triggered and no event action is taken when
an alarm is triggered.
falling-threshold threshold-value2 event-entry2: Sets the falling threshold, where threshold-value2
represents the falling threshold, in the range –2,147,483,648 to +2,147,483,647 and event-entry2
represents the index of the event triggered when the falling threshold is reached. event-entry2 ranges
from 1 to 65,535.
owner text: Owner of the entry, a string of 1 to 127 characters. It is case sensitive and space is
supported.

Description

Use the rmon alarm command to create an entry in the RMON alarm table.
Use the undo rmon alarm command to remove a specified entry from the RMON alarm table.
This command defines an alarm entry so that the specified event is triggered when an anomaly occurs. The
event defines how to deal with the anomaly. After you define an alarm entry, the system obtains the
value of the monitored alarm variable at the specified interval, compares the sampled value with the
predefined thresholds, and does the following:
• If the rising threshold is reached, triggers the event specified by the event-entry1 argument.
• If the falling threshold is reached, triggers the event specified by the event-entry2 argument.
Note the following:
• Before creating an alarm entry, define the events to be referenced in the event table with the rmon
  event command; otherwise, although the alarm entry can be created, no alarm event is triggered.
• If the alarm variable is an instance of the leaf node of the Ethernet statistics table etherStatsEntry
  with the OID of 1.3.6.1.2.1.16.1.1.1, you must create a statistics entry on the monitored Ethernet
  interface with the rmon statistics command; if the alarm variable is an instance of the leaf node of
  the history record table etherHistoryEntry with the OID of 1.3.6.1.2.1.16.2.2.1, you must create a
  history entry on the monitored Ethernet interface with the rmon history command. Otherwise,
  although the alarm entry can be created, no alarm event is triggered.
• An entry cannot be created if the values of the specified alarm variable (alarm-variable), sampling
  interval (sampling-interval), sampling type (absolute or delta), rising threshold (threshold-value1)
  and falling threshold (threshold-value2) are identical to those of an existing alarm entry in the
  system.
• You can create up to 60 alarm entries.

Related commands: display rmon alarm, rmon event, rmon history, rmon statistics.

Examples

# Add entry 1 in the alarm table and sample the node 1.3.6.1.2.1.16.1.1.1.4.1 at a sampling interval of
10 seconds in absolute sampling type. Trigger event 1 when the sampled value is greater than or equal
to the rising threshold of 5000, and event 2 when the sampled value is less than or equal to the falling
threshold of 5. Set the owner of the entry to be user1.
<Sysname> system-view
[Sysname] rmon event 1 log
[Sysname] rmon event 2 none
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] rmon statistics 1
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] rmon alarm 1 1.3.6.1.2.1.16.1.1.1.4.1 10 absolute rising-threshold 5000 1 falling-threshold 5 2 owner user1

1.3.6.1.2.1.16.1.1.1.4 is the OID of the leaf node etherStatsOctets. It represents the statistics of the
received packets on the interface, in bytes. In the above example, you can use etherStatsOctets.1 to
replace the parameter 1.3.6.1.2.1.16.1.1.1.4.1, where 1 indicates the serial number of the interface
statistics entry. Therefore, if you execute the rmon statistics 5 command, you can use
etherStatsOctets.5 to replace the parameter.
The above configuration implements the following:
• Sampling and monitoring interface GigabitEthernet 1/0/1
• Obtaining the absolute value of the number of received packets. If the total bytes of the received
  packets reach 5,000, the system will log the event; if the total bytes of the received packets are no
  more than 5, the system will take no action.
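The notes above describe a silent failure: an alarm entry is accepted even when the event or the statistics/history entry it depends on does not exist, and then never fires. The following audit is an added example, not part of the H3C manual or software; it assumes the configuration is available as command lines in the form they are typed, and the sample configuration is constructed for illustration.

```python
import re

# Constructed sample configuration (not from the manual): alarm 2 references
# event 3, which is never defined; alarm 3 uses a sampling interval below the
# documented minimum and watches statistics entry 7, which no interface creates.
SAMPLE_CONFIG = """\
rmon event 1 log
rmon event 2 none
interface GigabitEthernet 1/0/1
 rmon statistics 1
 quit
rmon alarm 1 1.3.6.1.2.1.16.1.1.1.4.1 10 absolute rising-threshold 5000 1 falling-threshold 5 2 owner user1
rmon alarm 2 etherStatsOctets.1 10 delta rising-threshold 5000 3 falling-threshold 5 2
rmon alarm 3 1.3.6.1.2.1.16.1.1.1.5.7 3 absolute rising-threshold 100 0 falling-threshold 5 2
"""

ETHER_STATS_ENTRY = "1.3.6.1.2.1.16.1.1.1"    # OID given in the manual
ETHER_HISTORY_ENTRY = "1.3.6.1.2.1.16.2.2.1"  # OID given in the manual
INT32_MIN, INT32_MAX = -2147483648, 2147483647

ALARM_RE = re.compile(
    r"^rmon alarm (\d+) (\S+) (\d+) (absolute|delta) "
    r"rising-threshold (-?\d+) (\d+) falling-threshold (-?\d+) (\d+)(?: owner .+)?$")


def control_index(variable):
    """Return (table, index) when the alarm variable is an instance under
    etherStatsEntry or etherHistoryEntry, otherwise None."""
    v = variable.lstrip(".")
    for table, prefix, name in (("statistics", ETHER_STATS_ENTRY, "etherStats"),
                                ("history", ETHER_HISTORY_ENTRY, "etherHistory")):
        if v.startswith(prefix + "."):
            parts = v[len(prefix) + 1:].split(".")   # column, index[, sample]
            ok = len(parts) >= 2 and parts[1].isdigit()
            return table, int(parts[1]) if ok else None
        if v.startswith(name):                        # node-name form, e.g. etherStatsOctets.1
            inst = v.partition(".")[2].split(".")[0]
            return table, int(inst) if inst.isdigit() else None
    return None


def audit(config):
    """Return a list of findings for the rmon alarm lines in a configuration."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    events = {int(m.group(1)) for ln in lines
              if (m := re.match(r"rmon event (\d+)\b", ln))}
    entries = {"statistics": set(), "history": set()}
    for ln in lines:
        if (m := re.match(r"rmon (statistics|history) (\d+)\b", ln)):
            entries[m.group(1)].add(int(m.group(2)))

    findings = []
    for ln in lines:
        if not ln.startswith("rmon alarm "):
            continue
        m = ALARM_RE.match(ln)
        if not m:
            findings.append(f"unparsed alarm line: {ln}")
            continue
        var = m.group(2)
        n, interval, rise, ev1, fall, ev2 = (int(m.group(i)) for i in (1, 3, 5, 6, 7, 8))
        tag = f"alarm {n}"
        if not 1 <= n <= 65535:
            findings.append(f"{tag}: entry-number outside 1-65535")
        if not 5 <= interval <= 65535:
            findings.append(f"{tag}: sampling-interval {interval} outside 5-65535")
        for name, value in (("rising", rise), ("falling", fall)):
            if not INT32_MIN <= value <= INT32_MAX:
                findings.append(f"{tag}: {name} threshold {value} out of range")
        if ev1 > 65535 or not 1 <= ev2 <= 65535:
            findings.append(f"{tag}: event index out of range")
        if ev1 != 0 and ev1 not in events:            # 0 means "no event" for rising
            findings.append(f"{tag}: rising event {ev1} is not defined")
        if ev2 not in events:
            findings.append(f"{tag}: falling event {ev2} is not defined")
        ref = control_index(var)
        if ref and ref[1] not in entries[ref[0]]:
            findings.append(f"{tag}: no rmon {ref[0]} entry {ref[1]} for {var}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```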

rmon event

Syntax

rmon event entry-number [ description string ] { log | log-trap log-trapcommunity | none | trap trap-community } [ owner text ]
undo rmon event entry-number

View

System view

Default Level

2: System level

Parameters

entry-number: Event entry index, in the range 1 to 65,535.


description string: Event description, a string of 1 to 127 characters.
log: Logs the event when it occurs.
log-trap log-trapcommunity: Log and trap events. The system performs both logging and trap sending
when the event occurs. log-trapcommunity indicates the community name of the network management
station that receives trap messages, a string of 1 to 127 characters.
none: Performs no action when the event occurs.
trap trap-community: Trap event. The system sends a trap with a community name when the event
occurs. trap-community specifies the community name of the network management station that
receives trap messages, a string of 1 to 127 characters.
owner text: Owner of the entry, a string of 1 to 127 characters. It is case sensitive and space is
supported.

Description

Use the rmon event command to create an entry in the RMON event table.
Use the undo rmon event command to remove a specified entry from the RMON event table.
When you create an event entry, you can define the actions that the system takes when the event is
triggered by its associated alarm in the alarm table. According to your configuration, the system can log
the event, send a trap, do both, or do neither.
Related commands: display rmon event, rmon alarm, rmon prialarm.

• An entry cannot be created if the values of the specified event description (description string),
  event type (log, trap, log-trap or none), and community name (trap-community or
  log-trapcommunity) are identical to those of an existing event entry in the system.
• You can create up to 60 event entries.

Examples

# Create event 10 in the RMON event table.


<Sysname> system-view
[Sysname] rmon event 10 log owner user1

rmon history

Syntax

rmon history entry-number buckets number interval sampling-interval [ owner text ]


undo rmon history entry-number

View

Ethernet interface view

Default Level

2: System level

Parameters

entry-number: History control entry index, in the range 1 to 65535.


buckets number: History table size for the entry, in the range 1 to 65,535. The number varies by device.
interval sampling-interval: Sampling period, in the range 5 to 3600 seconds.
owner text: Owner of the entry, a string of 1 to 127 characters. It is case sensitive and space is
supported.

Description

Use the rmon history command to create an entry in the RMON history control table.
Use the undo rmon history command to remove a specified entry from the RMON history control
table.
After an entry is created, the system periodically samples the number of packets received/sent on the
current interface, and saves the statistics as an instance under the leaf node of the etherHistoryEntry
table. The maximum number of history entries that can be saved in the table is specified by buckets
number. If the number of entries in the table has reached the maximum, the system deletes the
earliest entry to save the latest one. The statistics include the total number of received packets on the
current interface, total number of broadcast packets, total number of multicast packets in a sampling
period, and so on.
When you create an entry in the history table, if the specified history table size exceeds that supported
by the device, the entry is still created. However, the effective history table size for the entry is
that supported by the device. You can use the display rmon history command to view the
configuration result.

• An entry cannot be created if the value of the specified sampling interval (interval
  sampling-interval) is identical to that of the existing history entry in the system.
• You can create up to 100 history entries.

Related commands: display rmon history.

Examples

# Create RMON history control entry 1 for interface GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] rmon history 1 buckets 10 interval 5 owner user1

rmon prialarm

Syntax

rmon prialarm entry-number prialarm-formula prialarm-des sampling-interval { absolute | changeratio | delta } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 entrytype { forever | cycle cycle-period } [ owner text ]
undo rmon prialarm entry-number

View

System view

Default Level

2: System level

Parameters

entry-number: Index of a private alarm entry, in the range 1 to 65535.


prialarm-formula: Private alarm variable formula, a string of 1 to 256 characters. The variables in the
formula must be represented in OID format that starts with a point “.”, the formula
(.1.3.6.1.2.1.2.1.10.1)*8 for example. You may perform the basic operations of addition, subtraction,
multiplication, and division on these variables. The operations should yield a long integer. To prevent
errors, make sure that the result of each calculating step falls into the value range for long integers.
prialarm-des: Private alarm entry description, a string of 1 to 127 characters.
sampling-interval: Sampling interval, in the range 10 to 65,535 seconds.
absolute | changeratio | delta: Sets the sampling type to absolute, delta, or change ratio. Absolute
sampling is to obtain the value of the variable when the sampling time is reached; delta sampling is to
obtain the variation value of the variable during the sampling interval when the sampling time is reached;
change ratio sampling is not supported at present.
rising-threshold threshold-value1 event-entry1: Sets the rising threshold, where threshold-value1
represents the rising threshold, in the range –2,147,483,648 to +2,147,483,647, and event-entry1
represents the index of the event triggered when the rising threshold is reached. event-entry1 ranges
from 0 to 65,535, with 0 meaning no corresponding event is triggered and no event action is taken when
an alarm is triggered.
falling-threshold threshold-value2 event-entry2: Sets the falling threshold, where threshold-value2
represents the falling threshold, in the range –2,147,483,648 to +2,147,483,647 and event-entry2
represents the index of the event triggered when the falling threshold is reached. event-entry2 ranges
from 1 to 65,535.
forever: Indicates that the lifetime of the private alarm entry is infinite.
cycle cycle-period: Sets the lifetime period of the private alarm entry, in the range 0 to 2,147,483,647
seconds.
owner text: Owner of the entry, a string of 1 to 127 characters. It is case sensitive and space is
supported.

Description

Use the rmon prialarm command to create an entry in the private alarm table of RMON.
Use the undo rmon prialarm command to remove a private alarm entry from the private alarm table of
RMON.
The following is how the system handles private alarm entries:
1) Samples the private alarm variables in the private alarm formula at the specified sampling interval.
2) Performs calculation on the sampled values with the formula.
3) Compares the calculation result with the predefined thresholds and does the following:
• If the result is equal to or greater than the rising threshold, triggers the event specified by the
  event-entry1 argument.
• If the result is equal to or smaller than the falling threshold, triggers the event specified by the
  event-entry2 argument.

• Before creating an alarm entry, define the events to be referenced in the event table with the rmon
  event command.
• An entry cannot be created if the values of the specified alarm variable formula (prialarm-formula),
  sampling type (absolute, changeratio or delta), rising threshold (threshold-value1) and falling
  threshold (threshold-value2) are identical to those of an existing alarm entry in the system.
• You can create up to 50 pri-alarm entries.

Related commands: display rmon prialarm, rmon event, rmon history, rmon statistics.

Examples

# Monitor the ratio of the broadcast packets received on the interface by using the private alarm.
Create entry 5 in the private alarm table. Calculate the private alarm variables with the
(.1.3.6.1.2.1.16.1.1.1.6.1*100/.1.3.6.1.2.1.16.1.1.1.5.1) formula and sample the corresponding
variables at intervals of 10 seconds. The rising threshold of 80 corresponds to event 1 (which records
the event in the log table); the falling threshold of 5 corresponds to event 2 (which neither logs the
event nor sends a trap). Set the lifetime of the entry to forever and the owner to user1. (Broadcast
packet ratio = total number of broadcast packets received on the interface/total number of packets
received on the interface; the formula is customized by users.)
<Sysname> system-view
[Sysname] rmon event 1 log
[Sysname] rmon event 2 none
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] rmon statistics 1
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] rmon prialarm 1 (.1.3.6.1.2.1.16.1.1.1.6.1*100/.1.3.6.1.2.1.16.1.1.1.5.1) BroadcastPktsRatioOfEth1/1 10 absolute rising-threshold 80 1 falling-threshold 5 2 entrytype forever owner user1

1.3.6.1.2.1.16.1.1.1.6.1 is the OID of the node etherStatsBroadcastPkts.1, and 1.3.6.1.2.1.16.1.1.1.5.1
is the OID of the node etherStatsPkts.1. 1 indicates the serial number of the interface statistics entry.
Therefore, if you execute the rmon statistics 5 command, you should use 1.3.6.1.2.1.16.1.1.1.6.5 and
1.3.6.1.2.1.16.1.1.1.5.5.
The above configuration implements the following:
• Sampling and monitoring interface GigabitEthernet1/0/1
• If the portion of broadcast packets received in the total packets is greater than or equal to 80%, the
  system will log the event; if the portion is less than or equal to 5%, the system will take no action.
You can view the event log using the display rmon eventlog command.
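The requirement that every calculating step of a private alarm formula stays within the long integer range can be checked offline before the entry is created. The following evaluator is an added example, not H3C code: it assumes a 32-bit signed long integer (the same range the manual gives for thresholds), integer division that truncates toward zero, and that a step out of range or a division by zero should be reported as an error; the sampled counter values and the reordered formula are constructed.

```python
import re

INT_MIN, INT_MAX = -2147483648, 2147483647  # assumption: 32-bit signed "long integer"
TOKEN_RE = re.compile(r"\s*(\.\d+(?:\.\d+)*|\d+|[-+*/()])")

# Formula from the manual's example and the two OIDs it samples.
FORMULA = "(.1.3.6.1.2.1.16.1.1.1.6.1*100/.1.3.6.1.2.1.16.1.1.1.5.1)"
BCAST = ".1.3.6.1.2.1.16.1.1.1.6.1"   # etherStatsBroadcastPkts.1
PKTS = ".1.3.6.1.2.1.16.1.1.1.5.1"    # etherStatsPkts.1
# Constructed alternative: divides first, so no step grows beyond its inputs,
# at the cost of precision (and it cannot be computed below 100 packets).
REORDERED = "(.1.3.6.1.2.1.16.1.1.1.6.1/(.1.3.6.1.2.1.16.1.1.1.5.1/100))"


class FormulaError(Exception):
    """Malformed formula, or a step that cannot be computed safely."""


def tokenize(formula):
    text, pos, tokens = formula.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise FormulaError(f"unexpected text at offset {pos}: {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def evaluate(formula, samples):
    """Evaluate a prialarm-style formula over sampled OID values, checking
    that every intermediate result stays inside the long integer range."""
    tokens, pos = tokenize(formula), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def checked(value, step):
        if not INT_MIN <= value <= INT_MAX:
            raise FormulaError(f"step {step} = {value} leaves the long integer range")
        return value

    def factor():
        tok = take()
        if tok == "(":
            value = expr()
            if take() != ")":
                raise FormulaError("missing ')'")
            return value
        if tok is not None and tok.startswith("."):   # variables must start with a point
            if tok not in samples:
                raise FormulaError(f"no sample for {tok}")
            return checked(samples[tok], tok)
        if tok is not None and tok.isdigit():
            return checked(int(tok), tok)
        raise FormulaError(f"unexpected token {tok!r}")

    def term():
        value = factor()
        while peek() in ("*", "/"):
            op, rhs = take(), factor()
            if op == "*":
                result = value * rhs
            elif rhs == 0:
                raise FormulaError("division by zero")
            else:                                      # truncate toward zero
                q = abs(value) // abs(rhs)
                result = q if (value < 0) == (rhs < 0) else -q
            value = checked(result, f"{value}{op}{rhs}")
        return value

    def expr():
        value = term()
        while peek() in ("+", "-"):
            op, rhs = take(), term()
            value = checked(value + rhs if op == "+" else value - rhs, f"{value}{op}{rhs}")
        return value

    result = expr()
    if peek() is not None:
        raise FormulaError(f"unexpected token {peek()!r}")
    return result


def sample_once(formula, samples, rising, falling):
    """Return 'rising', 'falling', None, or 'error: ...' for one sampling pass."""
    try:
        result = evaluate(formula, samples)
    except FormulaError as exc:
        return f"error: {exc}"
    if result >= rising:
        return "rising"     # event-entry1 would be triggered
    if result <= falling:
        return "falling"    # event-entry2 would be triggered
    return None
```

With absolute sampling, the multiplication step of the manual's formula leaves the assumed 32-bit range once the broadcast counter passes 21,474,836, which `sample_once` reports as an error instead of a threshold result.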

rmon statistics

Syntax

rmon statistics entry-number [ owner text ]


undo rmon statistics entry-number

View

Ethernet interface view

Default Level

2: System level

Parameters

entry-number: Index of statistics entry, in the range 1 to 65535.


owner text: Owner of the entry, a string of 1 to 127 characters. It is case sensitive and space is
supported.

Description

Use the rmon statistics command to create an entry in the RMON statistics table.
Use the undo rmon statistics command to remove a specified entry from the RMON statistics table.
After an entry is created, the system continuously calculates the information of the interface. Statistics
include number of collisions, CRC alignment errors, number of undersize or oversize packets, number
of broadcasts, number of multicasts, number of bytes received, number of packets received. The
statistics are cleared after the device reboots.

To display information for the RMON statistics table, use the display rmon statistics command.

• Only one statistics entry can be created on one interface.
• You can create up to 100 statistics entries.

Examples

# Create an entry in the RMON statistics table for interface GigabitEthernet 1/0/1. The index of the entry
is 20, and the owner of the entry is user1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] rmon statistics 20 owner user1

Table of Contents

1 File System Management Commands
    File System Management Commands
        cd
        copy
        delete
        dir
        display nandflash file-location
        display nandflash badblock-location
        display nandflash page-data
        execute
        file prompt
        fixdisk
        format
        mkdir
        more
        move
        pwd
        rename
        reset recycle-bin
        rmdir
        undelete

2 Configuration File Management Commands
    Configuration File Management Commands
        archive configuration
        archive configuration interval
        archive configuration location
        archive configuration max
        backup startup-configuration
        configuration replace file
        display archive configuration
        display saved-configuration
        display startup
        reset saved-configuration
        restore startup-configuration
        save
        startup saved-configuration

1 File System Management Commands

• The current working directory is the root directory of the storage medium on the device in the
  examples in this manual.
• For the qualified filename formats, refer to File System Management Configuration.

File System Management Commands


cd

Syntax

cd { directory | .. | / }

View

User view

Default Level

3: Manage level

Parameters

directory: Name of the target directory, in the format of [drive:/]path. For the detailed introduction to the
drive and path arguments, refer to File System Management Configuration. If no drive information is
provided, the argument represents a folder or subfolder under the current directory.
..: Returns to an upper directory. If the current working directory is the root directory, or no upper
directory exists, the current working directory does not change when the cd .. command is executed.
This argument does not support command online help.
/: Returns to the root directory of the storage medium. The keyword does not support command line
online help.

Description

Use the cd command to change the current working directory.

Examples

# Enter the test folder after logging in to the device.


<Sysname> cd test

# Return to the upper directory (Remember to enter a space after the keyword cd).

<Sysname> cd ..

# Return to the root directory.


<Sysname> cd /

After you change the current directory using the cd command, you can use the pwd command to view
the path of the current working directory.

copy

Syntax

copy fileurl-source fileurl-dest

View

User view

Default Level

3: Manage level

Parameters

fileurl-source: Name of the source file.


fileurl-dest: Name of the target file or folder.

Description

Use the copy command to copy a file.


If you specify a target folder, the system will copy the file to the specified folder and use the name of the
source file as the file name.

Examples

# Copy file testcfg.cfg under the current folder and save it as testbackup.cfg.
<Sysname> copy testcfg.cfg testbackup.cfg
Copy flash:/test.cfg to flash:/testbackup.cfg?[Y/N]:y
....
%Copy file flash:/test.cfg to flash:/testbackup.cfg...Done.

delete

Syntax

delete [ /unreserved ] file-url

View

User view

Default Level

3: Manage level

Parameters

/unreserved: Permanently deletes the specified file, and the deleted file can never be restored.

file-url: Name of the file to be deleted. Asterisks (*) are acceptable as wildcards. For example, to remove
files with the extension of .txt in the current directory, you may use the delete *.txt command.

Description

Use the delete file-url command to temporarily delete a file. The deleted file is saved in the recycle bin.
To restore it, use the undelete command.
The dir /all command displays the files deleted from the current directory and moved to the recycle bin.
These files are enclosed in pairs of square brackets. To remove the files from the recycle bin, use the
reset recycle-bin command.
The delete /unreserved file-url command permanently deletes a file, and the deleted file cannot be
restored. Use it with caution.

If you delete two files in different directories but with the same filename, only the last one is retained in
the recycle bin.

Examples

# Remove file tt.cfg from the current directory.


<Sysname> delete tt.cfg
Delete flash:/tt.cfg? [Y/N]:y
.
%Delete file flash:/tt.cfg...Done.

dir

Syntax

dir [ /all ] [ file-url ]

View

User view

Default Level

3: Manage level

Parameters

/all: Displays all files.


file-url: Name of the file or directory to be displayed. Asterisks (*) are acceptable as wildcards. For
example, to display files with the .txt extension under the current directory, you may use the dir *.txt
command.

Description

Use the dir command to display information about all visible files and folders in the current directory.

Use the dir /all command to display information about all files and folders in the current directory,
including hidden files, hidden sub-folders and the files in the recycle bin that originally belong to the
current directory. The names of these deleted files are enclosed in pairs of brackets [ ].
The dir file-url command displays information about a file or folder.

Examples

# Display information about all files and folders.


<Sysname> dir /all
Directory of flash:/

   0     drw-   6985954  Apr 26 2007 21:06:29   logfile
   1     -rw-      1842  Apr 27 2007 04:37:17   mainup.app
   2     -rw-      1518  Apr 26 2007 12:05:38   config.cfg
   3     -rw-      2045  May 04 2007 15:50:01   backcfg.cfg
   4     -rwh       428  Apr 27 2007 16:41:21   hostkey
   5     -rwh       572  Apr 27 2007 16:41:31   serverkey
   6     -rw-   2737556  Oct 12 2007 01:31:44   [old.app]

97920 KB total (5096 KB free)

[ ] indicates this file is in the recycle bin.

Table 1-1 dir command output description

Field          Description
Directory of   The current working directory
d              Indicates a directory; if this field does not exist, it indicates a file.
r              Indicates that the file or directory is readable.
w              Indicates that the file or directory is writable.
h              Indicates that the file or directory is hidden.
[]             Indicates that the file is in the recycle bin.

display nandflash file-location

Syntax

display nandflash file-location filename

View

Any view

Default Level

2: System level

Parameters

filename: File name.

Description

Use the display nandflash file-location command to display the location of the specified file in the
NAND flash memory.
The displayed information includes all the physical pages corresponding to the logical pages of the
specified file.

Examples

# Display the location of the file test.cfg in the NAND flash memory.
<Sysname> display nandflash file-location test.cfg
Logical Chunk Physical Page
---------------------------
chunk(0) 1234
chunk(1) 1236
chunk(2) 1235
filename: test.cfg

Table 1-2 display nandflash file-location command output description

Field            Description
Logical Chunk    Serial number of the logical pages
Physical Page    Serial number of the physical pages
chunk(0) 1234    The first logical page of this file corresponds to the 1234th physical page on the device.

display nandflash badblock-location

Syntax

display nandflash badblock-location

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display nandflash badblock-location command to display the number and location of bad
blocks in the NAND flash memory.

Examples

# Display the number and location of bad blocks in the NAND flash memory.
<Sysname> display nandflash badblock-location
No Physical block
------------------------------
badblock(0) 1234
badblock(1) 1235
badblock(2) 1236
3200 block(s) total, 3 block(s) bad.

Table 1-3 display nandflash badblock-location command output description

Field                                  Description
No                                     Serial number of the bad blocks
Physical block                         Serial number of the physical pages on which there are bad blocks
3200 block(s) total, 3 block(s) bad.   Total number of blocks and bad blocks in the NAND flash memory

display nandflash page-data

Syntax

display nandflash page-data page-value

View

Any view

Default Level

1: Monitor level

Parameters

page-value: Serial number of a physical page.

Description

Use the display nandflash page-data command to display the data on the specified physical page in
the NAND flash memory.
This command is always used in combination with the display nandflash file-location command to
check the correctness of the data in the NAND flash memory.

Examples

# Display the content of the file test.cfg which is saved in the NAND flash memory.
<Sysname> display nandflash file-location test.cfg
Logical Chunk Physical Page
---------------------------
chunk(0) 1234
chunk(1) 1236
chunk(2) 1235
filename: test.cfg
<Sysname> display nandflash page-data 1236
0000: 0D 0A 23 0D 0A 20 76 65 72 73 69 6F 6E 20 35 2E ..#.. version 5.
0010: 32 30 2C 20 41 6C 70 68 61 20 31 30 31 31 0D 0A 20, Alpha 1011..
0020: 23 0D 0A 20 73 79 73 6E 61 6D 65 20 48 33 43 0D #.. sysname H3C.
0030: 0A 23 0D 0A 20 70 61 73 73 77 6F 72 64 2D 63 6F .#.. password-co

...Omitted...

execute

Syntax

execute filename

View

System view

Default Level

2: System level

Parameters

filename: Name of a batch file with a .bat extension. You can use the rename command to change the
suffix of the configuration file to .bat to use it as a batch file.

Description

Use the execute command to execute the specified batch file.


Batch files are command line files. Executing a batch file is to execute a set of command lines in the file.
• You should not include invisible characters in a batch file. If an invisible character is found during
  the execution, the batch process will abort and the commands that have been executed cannot be
  cancelled.
• Not every command in a batch file is sure to be executed. For example, if a certain command is not
  correctly configured, the system omits this command and goes to the next one.
• Each configuration command in a batch file must be a standard configuration command, meaning
  that the valid configuration information can be displayed with the display current-configuration
  command after this command is configured successfully; otherwise, this command may not be
  executed correctly.

Examples

# Execute the batch file test.bat in the root directory.


<Sysname> system-view
[Sysname] execute test.bat

file prompt

Syntax

file prompt { alert | quiet }

View

System view

Default Level

3: Manage level

Parameters

alert: Enables the system to warn you about operations that may bring undesirable results such as file
corruption or data loss.
quiet: Disables the system from warning you about any operation.

Description

Use the file prompt command to set a prompt mode for file operations.
By default, the prompt mode is alert.
Note that when the prompt mode is set to quiet, the system does not warn about any file operation. To
avoid undesirable consequences resulting from misoperation, the alert mode is recommended.

Examples

# Set the file operation prompt mode to alert.


<Sysname> system-view
[Sysname] file prompt alert

fixdisk

Syntax

fixdisk device

View

User view

Default Level

3: Manage level

Parameters

device: Storage medium name.

Description

Use the fixdisk command to restore the space of a storage medium when it becomes unavailable
because of some abnormal operation.

Examples

# Restore the space of the flash.


<Sysname> fixdisk flash:
Fixdisk flash: may take some time to complete...
%Fixdisk flash: completed.

format

Syntax

format device

View

User view

Default Level

3: Manage level

Parameters

device: Name of a storage medium.

Description

Use the format command to format a storage medium.

Formatting a storage medium results in loss of all the files on the storage medium and these files cannot
be restored. In particular, if there is a startup configuration file on a storage medium, formatting the
storage medium results in loss of the startup configuration file.

Examples

# Format the flash.


<Sysname> format flash:
All data on flash: will be lost, proceed with format? [Y/N]:y
./
%Format flash: completed.

mkdir

Syntax

mkdir directory

View

User view

Default Level

3: Manage level

Parameters

directory: Name of a folder.

Description

Use the mkdir command to create a folder under a specified directory on the storage medium.
Note that:
• The name of the folder to be created must be unique under the specified directory. Otherwise, you
will fail to create the folder under the directory.
• To use this command to create a folder, the specified directory must exist. For instance, to create
folder flash:/test/mytest, the test folder must exist. Otherwise, you will fail to create folder mytest.

Examples

# Create a folder named test under the current directory.


<Sysname> mkdir test
....
%Created dir flash:/test

# Create folder test/subtest under the current directory.


<Sysname> mkdir test/subtest
....
%Created dir flash:/test/subtest

more

Syntax

more file-url

View

User view

Default Level

3: Manage level

Parameters

file-url: File name.

Description

Use the more command to display the contents of the specified file.
So far, this command is valid only for text files.

Examples

# Display the contents of file test.txt.


<Sysname> more test.txt
Welcome to H3C.

# Display the contents of file testcfg.cfg.


<Sysname> more testcfg.cfg

#
version 5.20, Beta 1201, Standard
#
sysname Sysname
#
vlan 2
#
return
<Sysname>

move

Syntax

move fileurl-source fileurl-dest

View

User view

Default Level

3: Manage level

Parameters

fileurl-source: Name of the source file.


fileurl-dest: Name of the target file or folder.

Description

Use the move command to move a file.


If you specify a target folder, the system will move the source file to the specified folder, with the file
name unchanged.

Examples

# Move file flash:/test/sample.txt to flash:/, and save it as 1.txt.


<Sysname> move test/sample.txt 1.txt
Move flash:/test/sample.txt to flash:/1.txt?[Y/N]:y
...
% Moved file flash:/test/sample.txt to flash:/1.txt

# Move file b.cfg to the subfolder test2.


<Sysname> move b.cfg test2
Move flash:/b.cfg to flash:/test2/b.cfg?[Y/N]:y
.
%Moved file flash:/b.cfg to flash:/test2/b.cfg.

pwd

Syntax

pwd

View

User view

Default Level

3: Manage level

Parameters

None

Description

Use the pwd command to display the current path.

Examples

# Display the current path.


<Sysname> pwd
flash:

rename

Syntax

rename fileurl-source fileurl-dest

View

User view

Default Level

3: Manage level

Parameters

fileurl-source: Name of the source file or folder.


fileurl-dest: Name of the target file or folder.

Description

Use the rename command to rename a file or folder.


The target file name must be unique under the current path.

Examples

# Rename file sample.txt as sample.bat.


<Sysname> rename sample.txt sample.bat
Rename flash:/sample.txt to flash:/sample.bat? [Y/N]:y

% Renamed file flash:/sample.txt to flash:/sample.bat

reset recycle-bin

Syntax

reset recycle-bin [ /force ]

View

User view

Default Level

3: Manage level

Parameters

/force: Deletes all files in the recycle bin, including files that cannot be deleted by the command without
the /force keyword.

Description

Use the reset recycle-bin command to permanently delete the files in the recycle bin in the current
directory.
If a file is corrupted, you may not be able to delete the file using the reset recycle-bin command. In this
case, you can use the reset recycle-bin /force command, which can delete all the files in the recycle
bin forcibly.
Note that:
• Unlike this command, the delete file-url command only moves a file to the recycle bin, and the file
still occupies the memory space. To delete the file in the recycle bin, you need to execute the reset
recycle-bin command in the original directory of the file.
• The reset recycle-bin command deletes files in the current directory and in the recycle bin. If the
original path of the file to be deleted is not the current directory, use the cd command to enter the
original directory of the file, and then execute the reset recycle-bin command.

Examples

# Delete file b.cfg under the current directory and in the recycle bin.
• Display all the files in the recycle bin and under the current directory.
<Sysname> dir /all
Directory of flash:/

0 -rwh 3080 Apr 26 2008 16:41:43 private-data.txt


1 -rw- 2416 Apr 26 2008 13:45:36 config.cfg
2 -rw- 8036197 May 14 2008 10:13:18 main.app
3 -rw- 2386 Apr 26 2008 13:30:30 back.cfg
4 drw- - May 08 2008 09:49:25 test
5 -rwh 716 Apr 24 2007 16:17:30 hostkey
6 -rwh 572 Apr 24 2007 16:17:44 serverkey
7 -rw- 2386 May 08 2008 11:14:20 [a.cfg]
8 -rw- 3608 Dec 03 2007 17:29:30 [b.cfg]

97920 KB total (6730 KB free)

//The above information indicates that the current directory is flash:, and there are two files a.cfg and
b.cfg in the recycle bin.
• Delete file b.cfg under the current directory and in the recycle bin.
<Sysname> reset recycle-bin
Clear flash:/~/a.cfg ?[Y/N]:n
Clear flash:/~/b.cfg ?[Y/N]:y
Clearing files from flash may take a long time. Please wait...
......
%Cleared file flash:/~/b.cfg...

• In directory flash:, check whether the file b.cfg in the recycle bin is deleted.
<Sysname> dir /all
Directory of flash:/

0 -rwh 3080 Apr 26 2008 16:41:43 private-data.txt


1 -rw- 2416 Apr 26 2008 13:45:36 config.cfg
2 -rw- 8036197 May 14 2008 10:13:18 main.app
3 -rw- 2386 Apr 26 2008 13:30:30 back.cfg
4 drw- - May 08 2008 09:49:25 test
5 -rwh 716 Apr 24 2007 16:17:30 hostkey
6 -rwh 572 Apr 24 2007 16:17:44 serverkey
7 -rw- 2386 May 08 2008 11:14:20 [a.cfg]

97920 KB total (6734 KB free)

// The above information indicates that file flash:/b.cfg is deleted permanently.


# Delete file aa.cfg in the subdirectory test and in the recycle bin.
• Enter the subdirectory.
<Sysname> cd test/

• Check all the files in the subfolder test.


<Sysname> dir /all
Directory of flash:/test

0 -rw- 2161 Apr 26 2000 21:22:35 [aa.cfg]

97920 KB total (6734 KB free)

// The above information indicates only one file exists in the folder, and the file has been moved to the
recycle bin.
• Permanently delete file test/aa.cfg.
<Sysname> reset recycle-bin
Clear flash:/test/~/aa.cfg ?[Y/N]:y
Clearing files from flash may take a long time. Please wait...
..
%Cleared file flash:/test/~/aa.cfg...

rmdir

Syntax

rmdir directory

View

User view

Default Level

3: Manage level

Parameters

directory: Name of the folder.

Description

Use the rmdir command to remove a folder.


• The folder must be an empty one. If not, you need to delete all files and subfolders under it with the
delete command.
• After you execute the rmdir command successfully, the files in the recycle bin under the folder will
be automatically deleted.

Examples

# Remove folder mydir.


<Sysname> rmdir mydir
Rmdir flash:/mydir?[Y/N]:y

%Removed directory flash:/mydir.

undelete

Syntax

undelete file-url

View

User view

Default Level

3: Manage level

Parameters

file-url: Name of the file to be restored.

Description

Use the undelete command to restore a file from the recycle bin.
If another file with the same name exists under the same path, the undelete operation will cause it to be
overwritten and the system will prompt you whether to continue.

Examples

# Restore file a.cfg in directory flash: from the recycle bin.


<Sysname> undelete a.cfg
Undelete flash:/a.cfg?[Y/N]:y
.....
%Undeleted file flash:/a.cfg.

# Restore file b.cfg in directory flash:/test from the recycle bin.


<Sysname> undelete flash:/test/b.cfg
Undelete flash:/test/b.cfg?[Y/N]:y
.......
%Undeleted file flash:/test/b.cfg.

Or, you can use the following steps to restore file flash:/test/b.cfg.
<Sysname> cd test
<Sysname> undelete b.cfg
Undelete flash:/test/b.cfg?[Y/N]:y
.....
%Undeleted file flash:/test/b.cfg.

2 Configuration File Management Commands

Configuration File Management Commands


archive configuration

Syntax

archive configuration

View

User view

Default Level

3: Manage level

Parameters

None

Description

Use the archive configuration command to save the current running configuration manually.
After the execution of this command, the system saves the current running configuration with the
specified filename (filename prefix + serial number) to the specified path.
Note the following:
Before executing the archive configuration command, you must configure the filename prefix and
path of the saved configuration file by using the archive configuration location command.

Examples

# Save the current running configuration manually.


<Sysname> archive configuration
Warning: Save the running configuration to an archive file. Continue? [Y/N]: Y
Please wait...
Info: The archive configuration file myarchive_1.cfg is saved.

archive configuration interval

Syntax

archive configuration interval minutes


undo archive configuration interval

View

System view

Default Level

3: Manage level

Parameters

minutes: Specifies the interval for automatically saving the current running configuration, in minutes.
The value ranges from 10 to 525,600 (365 days).

Description

Use the archive configuration interval command to enable the automatic saving of the current
running configuration and set the interval.
Use the undo archive configuration interval command to restore the default.
By default, the system does not save the current running configuration automatically.
After the execution of this command, the system saves the current running configuration with the
specified filename to the specified path at a specified interval (the value of the minutes argument).
Configure an automatic saving interval according to the storage medium performance and the
frequency of configuration modification:
• If the configuration of the device does not change frequently, it is recommended that you save the
current running configuration manually as needed.
• If a low-speed storage medium (such as a flash) is used, it is recommended that you either save the
current running configuration manually, or configure automatic saving with an interval longer
than 1,440 minutes (24 hours).
Note the following:
Before executing the archive configuration interval command, you must configure the filename prefix
and path of the saved configuration file by using the archive configuration location command.

Examples

# Configure the system to save the current running configuration every 60 minutes.
<Sysname> system-view
[Sysname] archive configuration interval 60
Info: Archive files will be saved every 60 minutes.

archive configuration location

Syntax

archive configuration location directory filename-prefix filename-prefix


undo archive configuration location

View

System view

Default Level

3: Manage level

Parameters

directory: Path of the folder in which the saved configuration files are stored, a case-insensitive string
of 1 to 63 characters, in the format of storage medium name:/[folder name]/subfolder name. The folder
must be created before the configuration.
filename-prefix: The filename prefix of a saved configuration file, a case-insensitive string of 1 to 30
characters (can include letters, numbers, _, and - only).

Description

Use the archive configuration location command to configure the path and filename prefix of a saved
configuration file.
Use the undo archive configuration location command to restore the default.
By default, the path and filename prefix of a saved configuration file are not configured, and the system
does not save the configuration file periodically.
Note the following:
• Before the current running configuration is saved either manually or automatically, the file path and
filename prefix must be configured.
• If the undo archive configuration location command is executed, the current running
configuration can be saved neither manually nor automatically, the settings made with
the archive configuration interval and archive configuration max commands are restored to the
defaults, and the saved configuration files are cleared.

Examples

# Configure the path and the filename prefix of a saved configuration file as flash:/archive/ and
my_archive respectively.
<Sysname> mkdir archive
.
%Created dir flash:/archive.
<Sysname> system-view
[Sysname] archive configuration location flash:/archive filename-prefix my_archive

archive configuration max

Syntax

archive configuration max file-number


undo archive configuration max

View

System view

Default Level

3: Manage level

Parameters

file-number: The maximum number of configuration files that can be saved, in the range 1 to 10. The
value of the file-number argument is determined by the memory space. You are recommended to set a
comparatively small value for this argument if the available memory space is small.

Description

Use the archive configuration max command to set the maximum number of configuration files that
can be saved.
Use the undo archive configuration max command to restore the default.
By default, a maximum of 5 configuration files can be saved.
Because an excessive number of configuration files occupies a large amount of memory space, you can
use this command to control the number of the files. After the maximum number of configuration files is
saved, the system deletes the oldest files when the next file is saved (either automatically or manually).
When you change the maximum number of configuration files that can be saved, the files that exceed
the new limit are not deleted. If the number of the existing configuration files is larger than or equal to
the newly configured upper limit, the system deletes the oldest n files when the next file is saved, where
n = the current number - the newly configured number + 1. For example, if the number of configuration
files that have been saved is 7, and the newly configured upper limit is 4, when there is a new
configuration file to be saved, the system deletes the 4 oldest files, where 4 = 7 - 4 + 1.
Before executing this command, configure the path and filename prefix of a saved configuration file by
using the archive configuration location command; otherwise, the execution of this command fails.
Note that, if the undo archive configuration location command is executed, the maximum number of
configuration files that can be saved also restores to the default.

Examples

# Set the maximum number of configuration files that can be saved to 10.
<Sysname> system-view
[Sysname] archive configuration max 10

backup startup-configuration

Syntax

backup startup-configuration to dest-addr [ dest-filename ]

View

User view

Default Level

2: System level

Parameters

dest-addr: IP address or name of a TFTP server.


dest-filename: Target filename used to save the startup configuration file for the next system startup on
the server.

Description

Use the backup startup-configuration command to back up the startup configuration file (used at the
next system startup) to a specified TFTP server. If you do not specify dest-filename, the original
filename is used.
This command only backs up the main startup configuration file.
Presently, the device uses TFTP to back up configuration files.

Examples

# Back up the startup configuration file of the device to the TFTP server with IP address 2.2.2.2, using
filename 192-168-1-26.cfg.
<Sysname> display startup
Current startup saved-configuration file: flash:/config.cfg
Next startup saved-configuration file: flash:/test.cfg
<Sysname> backup startup-configuration to 2.2.2.2 192-168-1-26.cfg
Backup next startup-configuration file to 2.2.2.2, please wait…finished!
<Sysname>

After the above operation, the device backs up file test.cfg to TFTP server 2.2.2.2, where the file is
saved as 192-168-1-26.cfg.

configuration replace file

Syntax

configuration replace file filename

View

System view

Default Level

3: Manage level

Parameters

filename: Specifies the name of the replacement configuration file for configuration rollback.

Description

Use the configuration replace file command to roll back the configuration.
After the execution of this command, the current running configuration rolls back to the configuration
state based on the specified configuration file (filename).

Examples

# Roll back from the current running configuration to a previous configuration state based on a saved
configuration file my_archive_1.cfg.
<Sysname> system-view
[Sysname] configuration replace file my_archive_1.cfg
Info: Now replacing the current configuration. Please wait...
Info: Succeeded in replacing current configuration with the file my_archive_1.cfg.

display archive configuration

Syntax

display archive configuration

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display archive configuration command to display the information about configuration
rollback.

Examples

# Display the information about configuration rollback.


<Sysname> display archive configuration
Location: flash:/archive
Filename prefix: my_archive
Archive interval in minutes: 120
Maximum number of archive files: 10
Saved archive files:
No. TimeStamp FileName
1 Aug 05 2007 20:24:54 my_archive_1.cfg
2 Aug 05 2007 20:34:54 my_archive_2.cfg
# 3 Aug 05 2007 20:44:54 my_archive_3.cfg
‘#’ indicates the most recent archive file.
Next archive file to be saved: my_archive_4.cfg

Table 2-1 display archive configuration command output description

Field                          Description
Location                       Absolute path of the saved configuration files
Archive interval in minutes    Configuration file saving interval, in minutes. If the automatic saving is disabled, this field is not displayed.

display saved-configuration

Syntax

display saved-configuration [ by-linenum ]

View

Any view

Default Level

2: System level

Parameters

by-linenum: Identifies each line of displayed information with a line number.

Description

Use the display saved-configuration command to display the contents of the configuration file saved
for the next startup of the device.
During device management and maintenance, you can use this command to check whether important
configurations are saved to the configuration file to be used for the next startup of the device.
For a device supporting main and backup configuration files, this command displays the main
configuration file to be used for the next system startup.
If the system is not specified with a configuration file for the next startup or the specified configuration
file does not exist, no information will be displayed when you execute the display saved-configuration
command.
Related commands: save, reset saved-configuration; display current-configuration in Basic
System Configuration Commands.

Examples

# Display the configuration file saved for the next startup of the device.
<Sysname> display saved-configuration
#
version 5.20, Test 5310
#
sysname Sysname
#
domain default enable system
#
telnet server enable
#
multicast routing-enable
#
vlan 1
#
vlan 999
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
interface NULL0
#
---- More ----

The configurations are displayed in the order of global, port, and user interface. “ ---- More ----” means
that all information on this screen has been displayed, and if you press the Space key, the next screen
will be displayed.
# Display the contents of the configuration file saved for the next startup of the device with a number
identifying each line.
<Sysname> display saved-configuration by-linenum
1: #
2: version 5.20, Test 5310
3: #
4: sysname Sysname
5: #
6: domain default enable system
7: #
8: telnet server enable
9: #
10: multicast routing-enable
11: #
12: vlan 1
13: #
14: vlan 999
15: #
16: domain system
17: access-limit disable
18: state active
19: idle-cut disable
20: self-service-url disable
21: #
22: interface NULL0
23: #
---- More ----

“ ---- More ----” means that all information on this screen has been displayed, and if you press the
Space key, the next screen will be displayed.
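
One way to check captured display saved-configuration output for settings that should not survive into the next startup, as an added example rather than H3C tooling: the parser accepts both the plain and the by-linenum forms shown above, drops the ---- More ---- pager marker, reports each hit with its line number, and detects a capture that stops at the pager marker. The rule list is an assumption (it flags only telnet server enable, which appears in the example output and enables an unencrypted management service); the function names are hypothetical and the samples are shortened copies of the outputs above.

```python
import re

MORE_RE = re.compile(r"^\s*-+\s*More\s*-+\s*$")
NUMBERED_RE = re.compile(r"^\s*(\d+):\s?(.*)$")

# Illustrative policy (an assumption, not taken from the manual):
# exact command text -> why it is reported.
RULES = {"telnet server enable": "Telnet management sessions are not encrypted"}

# Shortened copies of the two example outputs in the manual.
PLAIN = """\
<Sysname> display saved-configuration
#
version 5.20, Test 5310
#
sysname Sysname
#
domain default enable system
#
telnet server enable
#
multicast routing-enable
#
vlan 1
#
vlan 999
#
domain system
access-limit disable
---- More ----
"""
NUMBERED = """\
<Sysname> display saved-configuration by-linenum
1: #
2: version 5.20, Test 5310
3: #
4: sysname Sysname
5: #
6: domain default enable system
7: #
8: telnet server enable
9: #
---- More ----
"""


def _content_lines(text):
    """Drop blank lines, CLI prompts and pager markers."""
    return [l for l in text.splitlines()
            if l.strip() and not MORE_RE.match(l)
            and not l.lstrip().startswith("<")]


def parse_saved_configuration(text):
    """Return (line_number, section, command) tuples.

    A section is the block between two lines that contain only '#';
    its name is the first command of the block. Line numbers come from
    the 'N:' prefix when present, otherwise from counting content lines.
    """
    raw = _content_lines(text)
    numbered = bool(raw) and all(NUMBERED_RE.match(l) for l in raw)
    entries, section, counter = [], None, 0
    for line in raw:
        if numbered:
            m = NUMBERED_RE.match(line)
            number, body = int(m.group(1)), m.group(2)
        else:
            counter += 1
            number, body = counter, line
        cmd = body.strip()
        if cmd == "#":
            section = None
            continue
        if section is None:
            section = cmd
        entries.append((number, section, cmd))
    return entries


def audit(text, rules=RULES):
    """Return findings as (line_number, section, command, reason)."""
    return [(n, sec, cmd, rules[cmd])
            for n, sec, cmd in parse_saved_configuration(text)
            if cmd in rules]


def is_truncated(text):
    """True if the capture ends at a pager marker, meaning the remaining
    screens were never displayed and are missing from the audit."""
    lines = [l for l in text.splitlines() if l.strip()]
    return bool(lines) and MORE_RE.match(lines[-1]) is not None
```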

display startup

Syntax

display startup

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display startup command to display the configuration files used at the current system startup.
Related commands: startup saved-configuration.

Examples

# Display the configuration file used at the current system startup and the one to be used at the next
system startup.
<Sysname> display startup
Current startup saved-configuration file: flash:/config.cfg
Next main startup saved-configuration file: flash:/config.cfg
Next backup startup saved-configuration file: NULL

Table 2-2 display startup command output description

Field                                           Description
Current Startup saved-configuration file        The configuration file used for the current startup
Next main startup saved-configuration file      Main configuration file used for the next startup
Next backup startup saved-configuration file    Backup configuration file used for the next startup

reset saved-configuration

Syntax

reset saved-configuration [ backup | main ]

View

User view

Default Level

2: System level

Parameters

backup: Deletes the backup startup configuration file.


main: Deletes the main startup configuration file.

Description

Use the reset saved-configuration command to delete the startup configuration file saved on the
storage medium of the device.
Note that:
• This command will permanently delete the configuration file from the device. Use it with caution.
• On a device that has the main and backup startup configuration files, you can choose to delete
either the main or backup startup configuration file. However, if the main and backup
startup configuration files are the same and you perform the delete operation once, the system will
not delete the configuration file but only set the corresponding startup configuration file (main or
backup, according to which one you specified in the command) to NULL.
• For a device that supports the main and backup keywords, the reset saved-configuration command
and the reset saved-configuration main command have the same effect, that is, they delete the
main startup configuration file.
Related commands: save, display saved-configuration.

Examples

# Delete the configuration file for the next startup from the storage medium of the device.
<Sysname> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]:y
Configuration file in flash is being cleared.
Please wait ...........
Configuration file is cleared.

restore startup-configuration

Syntax

restore startup-configuration from src-addr src-filename

View

User view

Default Level

2: System level

Parameters

src-addr: IP address or name of a TFTP server.


src-filename: Filename of the configuration file to be downloaded from the specified server.

Description

Use the restore startup-configuration command to download a configuration file from the specified
TFTP server to the device and specify the configuration file as the startup configuration file to be used at
the next startup of the device.
The file downloaded is set as the main startup configuration file to be used at the next system startup.

Examples

# Download configuration file test.cfg from the TFTP server whose IP address is 2.2.2.2, and the
configuration file is to be used at the next startup of the device.
<Sysname> restore startup-configuration from 2.2.2.2 test.cfg
Restore next startup-configuration file from 2.2.2.2. Please wait..............
finished!

save

Syntax

save file-url
save [ safely ] [ backup | main ]

View

Any view

Default Level

2: System level

Parameters

file-url: File path, where the extension of the file name must be .cfg.
safely: Sets the configuration saving mode to safe. If this argument is not specified, the configuration
file is saved in fast mode.
backup: Saves the current configuration to the startup configuration file specified in the interactive
mode, and specifies the file as the backup startup configuration file to be used at the next startup of the
device.
main: Saves the current configuration to the main startup configuration file specified in the interactive
mode, and specifies the file as the main startup configuration file to be used at the next startup of the
device.

Description

Use the save file-url command to save the current configuration to the specified configuration file, but
the system will not specify the file as the startup configuration file for the next system startup. If the file
specified by file-url does not exist, the system will create the file and then save the configuration to the
file.
Use the save [ safely ] [ backup | main ] command to save the current configuration to the root
directory of the storage medium, and specify the file as the startup configuration file for the next system
startup.
Related commands: reset saved-configuration, display current-configuration, display
saved-configuration.

Examples

# Save the current configuration file to the specified directory, but do not specify the configuration file as
the configuration file for the next startup.
<Sysname> save test.cfg
The current configuration will be saved to flash:/test.cfg. Continue? [Y/N]:y
Now saving current configuration to the device.
Saving configuration flash:/test.cfg. Please wait...
............
Configuration is saved to flash successfully.

# Save the current configuration file to the root directory of the storage medium, and specify the
configuration file as the configuration file for the next startup.

<Sysname> display startup
Current startup saved-configuration file: flash:/hmr.cfg
Next main startup saved-configuration file: flash:/aa.cfg
Next backup startup saved-configuration file: NULL

// The above information indicates that the main startup configuration file for the next system startup is
aa.cfg.
<Sysname> save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/aa.cfg]
(To leave the existing filename unchanged, press the enter key):startup.cfg
Validating file. Please wait............
Configuration is saved to device successfully.
<Sysname> display startup
Current startup saved-configuration file: flash:/hmr.cfg
Next main startup saved-configuration file: flash:/startup.cfg
Next backup startup saved-configuration file: NULL

// The above information indicates that the main startup configuration file for the next system startup is
changed to startup.cfg.

startup saved-configuration

Syntax

startup saved-configuration cfgfile [ backup | main ]


undo startup saved-configuration

View

User view

Default Level

2: System level

Parameters

cfgfile: Configuration file name. The file must be a file with an extension .cfg stored in the root directory
of the storage medium.
backup: Sets the configuration file as the backup startup configuration file that will be used at the next
startup of the device.
main: Sets the configuration file as the main startup configuration file that will be used at the next
startup of the device.

Description

Use the startup saved-configuration command to specify a startup configuration file (the
configuration file to be used at the next system startup).
Use the undo startup saved-configuration command to configure the system to start up with the null
configuration, that is, the factory configuration.

• The startup saved-configuration and startup saved-configuration main commands have the
same effect: Both of them are used to specify the main startup configuration file.
• The main and backup startup configuration files can be specified as the same file. However, it is
recommended that you use different files, or save the same configuration as two files using different
file names, one specified as the main startup configuration file and the other specified as the
backup.
• If you execute the undo startup saved-configuration command, the system will set the main and
backup startup configuration files to NULL, but will not delete the two configuration files.
Related commands: display startup.

Examples

# Specify a startup configuration file for the next system startup.


<Sysname> startup saved-configuration testcfg.cfg
Please wait ....
... Done!
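
A check over captured display startup output, as an added example that is not part of the manual: it reports the conditions the descriptions above call out, namely main and backup both NULL (the next startup uses the null configuration), main and backup set to the same file, a NULL backup, and a next-startup file that differs from the one used at the current startup. It accepts both label forms that appear in this manual's examples; treating the unlabelled "Next startup saved-configuration file" line as the main file is an assumption, as are the function names and finding codes. The last two samples are constructed.

```python
import re

FIELD_RE = re.compile(
    r"^\s*(Current|Next(?:\s+(main|backup))?)\s+startup\s+"
    r"saved-configuration\s+file:\s*(\S*)\s*$",
    re.IGNORECASE)

# Output copied from the display startup example.
SAMPLE_STABLE = """\
Current startup saved-configuration file: flash:/config.cfg
Next main startup saved-configuration file: flash:/config.cfg
Next backup startup saved-configuration file: NULL
"""
# Output copied from the save example (before the save).
SAMPLE_PENDING = """\
Current startup saved-configuration file: flash:/hmr.cfg
Next main startup saved-configuration file: flash:/aa.cfg
Next backup startup saved-configuration file: NULL
"""
# Output copied from the backup startup-configuration example (older labels).
SAMPLE_UNLABELLED = """\
Current startup saved-configuration file: flash:/config.cfg
Next startup saved-configuration file: flash:/test.cfg
"""
# Constructed samples.
SAMPLE_SAME_FILE = """\
Current startup saved-configuration file: flash:/a.cfg
Next main startup saved-configuration file: flash:/a.cfg
Next backup startup saved-configuration file: flash:/a.cfg
"""
SAMPLE_NULL = """\
Current startup saved-configuration file: flash:/a.cfg
Next main startup saved-configuration file: NULL
Next backup startup saved-configuration file: NULL
"""


def parse_display_startup(text):
    """Return the fields that were present; a NULL value becomes None."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # prompts and unrelated lines
        if m.group(1).lower() == "current":
            key = "current"
        else:
            # Assumption: "Next startup ..." without a keyword is the main file.
            key = (m.group(2) or "main").lower()
        value = m.group(3)
        fields[key] = None if value.upper() in ("", "NULL") else value
    return fields


def review_startup(text):
    """Return finding codes for one captured display startup output."""
    f = parse_display_startup(text)
    if "main" not in f:
        raise ValueError("no next-startup line found in the capture")
    main, backup, current = f["main"], f.get("backup"), f.get("current")
    findings = []
    if main is None and backup is None:
        findings.append("NO_STARTUP_FILE")            # null configuration at next startup
    if main is not None and "backup" in f and backup is None:
        findings.append("NO_BACKUP")                  # backup line present but NULL
    if main is not None and main == backup:
        findings.append("MAIN_EQUALS_BACKUP")         # manual recommends different files
    if main is not None and current is not None and main != current:
        findings.append("NEXT_DIFFERS_FROM_CURRENT")  # a reboot loads another file
    return findings
```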

Table of Contents

1 System Maintaining and Debugging Commands
    System Maintaining Commands
        ping
        tracert
    System Debugging Commands
        debugging
        display debugging
1 System Maintaining and Debugging Commands

System Maintaining Commands


ping

Syntax

ping [ ip ] [ -a source-ip | -c count | -f | -h ttl | -i interface-type interface-number | -m interval | -n | -p pad | -q | -r | -s packet-size | -t timeout | -tos tos | -v ] * host

View

Any view

Default Level

0: Visit level

Parameters

ip: Supports IPv4 protocol. If this keyword is not provided, IPv4 is also supported.
-a source-ip: Specifies the source IP address of an ICMP echo request (ECHO-REQUEST). It must be
an IP address configured on the device. If this parameter is not provided, the source IP address of an
ICMP echo request is the primary IP address of the outbound interface of the request.
-c count: Specifies the number of times that an ICMP echo request is sent, in the range 1 to
4294967295. The default value is 5.
-f: Discards packets larger than the MTU of a given interface, that is, the ICMP echo request is not
allowed to be fragmented.
-h ttl: Specifies the TTL value for an ICMP echo request, in the range 1 to 255. The default value is 255.
-i interface-type interface-number: Specifies the ICMP echo request sending interface by its type and
number. If this parameter is not provided, the ICMP echo request sending interface is determined by
searching the routing table or forwarding table according to the destination IP address.
-m interval: Specifies the interval (in milliseconds) to send an ICMP echo response, in the range 1 to
65535. The default value is 200 ms.
• If a response from the destination is received within the timeout time, the interval to send the next
echo request equals the actual response period plus the value of interval.
• If no response from the destination is received within the timeout time, the interval to send the next
echo request equals the timeout value plus the value of interval.
-n: Specifies that the Domain Name System (DNS) is disabled for the host argument. When this
keyword is not provided, if the host argument represents the host name of the destination, the device
will translate host into an address.
-p pad: Specifies the value of the pad field in an ICMP echo request, in hexadecimal format, 1 to 8 bits,
in the range 0 to ffffffff. If the specified value is less than 8 bits, 0s will be added in front of the value to
extend it to 8 bits. For example, if pad is configured as 0x2f, then the packets will be padded with
0x0000002f repeatedly to make the total length of the packet meet the requirements of the device. By
default, the padded value starts from 0x01 up to 0xff, where another round starts again if necessary, like
0x010203…feff01….
-q: Presence of this keyword indicates that only statistics are displayed. Absence of this keyword
indicates that all information is displayed.
-r: Records routing information. If this keyword is not provided, routes are not recorded.
-s packet-size: Specifies length (in bytes) of an ICMP echo request, in the range 20 to 8100. The default
value is 56.
-t timeout: Specifies the timeout value (in milliseconds) of an ICMP echo reply (ECHO-REPLY). If the
source does not receive an ICMP echo reply within the timeout, it considers the ICMP echo reply timed
out. The value ranges from 0 to 65535 and defaults to 2000.
-tos tos: Specifies type of service (ToS) of an echo request, in the range 0 to 255. The default value is 0.
-v: Displays any received ICMP packets that are not echo replies. If this keyword is not provided, the
system does not display them.
host: IP address or host name (a string of 1 to 20 characters) of the destination.

Description

Use the ping command to verify whether the destination in an IP network is reachable, and to display
the related statistics.
After you execute the ping command, the source will send an ICMP echo request to the destination:
• If the destination name is unrecognizable, the system outputs “Error: Ping: Unknown host
host-name”.
• If the source receives an ICMP echo reply from the destination within the timeout, the system
outputs the related information of the reply.
• If the source does not receive an ICMP echo reply from the destination within the timeout, the
system outputs “Request time out”.
• To use the name of the destination host to perform the ping operation, you must configure Domain
Name System (DNS) on the device first; otherwise, the ping operation fails. For an introduction to
DNS and its configuration, refer to DNS Configuration. In addition, you must use the command in
the form of ping ip ip instead of ping ip if the destination name is a keyword, such as ip.
During the execution of the command, you can press Ctrl+C to abort the ping operation.

Examples

# Check whether the device with an IP address of 1.1.2.2 is reachable.


<Sysname> ping 1.1.2.2
PING 1.1.2.2: 56 data bytes, press CTRL_C to break
Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=254 time=205 ms
Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 1.1.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 1.1.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms

--- 1.1.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/41/205 ms

The above information indicates the following:


• The destination was reachable.
• All ICMP echo requests sent by the source got responses.
• The minimum, average, and maximum round-trip times of the packets are 1 ms, 41 ms, and
205 ms respectively.
# Check whether the device with an IP address of 1.1.2.2 is reachable. Only the check results are
displayed.
<Sysname> ping -q 1.1.2.2
PING 1.1.2.2: 56 data bytes, press CTRL_C to break

--- 1.1.2.2 ping statistics ---


5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 1/12/29 ms

# Check whether the device with an IP address of 1.1.2.2 is reachable. The route information is required
to be displayed.
<Sysname> ping -r 1.1.2.2
PING 1.1.2.2: 56 data bytes, press CTRL_C to break
Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=254 time=53 ms
Record Route:
1.1.2.1
1.1.2.2
1.1.1.2
1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Record Route:
1.1.2.1
1.1.2.2
1.1.1.2
1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
Record Route:
1.1.2.1
1.1.2.2
1.1.1.2
1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Record Route:
1.1.2.1
1.1.2.2
1.1.1.2
1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms
Record Route:
1.1.2.1
1.1.2.2
1.1.1.2
1.1.1.1

--- 1.1.2.2 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/11/53 ms

The above information indicates the following:


• The destination was reachable.
• The route is 1.1.1.1 <-> {1.1.1.2; 1.1.2.1} <-> 1.1.2.2.

Table 1-1 ping command output description

Field | Description
PING 1.1.2.2 | Check whether the device with IP address 1.1.2.2 is reachable
56 data bytes | Number of data bytes in each ICMP echo request
press CTRL_C to break | During the execution of the command, you can press Ctrl+C to abort the ping operation.
Reply from 1.1.2.2 : bytes=56 Sequence=1 ttl=255 time=1 ms | Received the ICMP reply from the device whose IP address is 1.1.2.2. If no reply is received during the timeout period, “Request time out” will be displayed. bytes= indicates the number of data bytes in the ICMP reply. Sequence= indicates the packet sequence, used to determine whether a segment is lost, disordered or repeated. ttl= indicates the TTL value in the ICMP reply. time= indicates the response time.
Record Route: | The routers through which the ICMP echo request passed. They are displayed in inversed order, that is, the router with a smaller distance to the destination is displayed first.
--- 1.1.2.2 ping statistics --- | Statistics on data received and sent in the ping operation
5 packet(s) transmitted | Number of ICMP echo requests sent
5 packet(s) received | Number of ICMP echo requests received
0.00% packet loss | Percentage of packets not responded to, out of the total packets sent
round-trip min/avg/max = 0/4/20 ms | Minimum/average/maximum response time, in ms. The field is not available for failed ping attempts in an IPv4 network. In an IPv6 network, however, the field is available and set to 0/0/0 ms

tracert

Syntax

tracert [ -a source-ip | -f first-ttl | -m max-ttl | -p port | -q packet-number | -w timeout ] * host

View

Any view

Default Level

0: Visit level

Parameters

-a source-ip: Specifies the source IP address of a tracert packet. It must be a legal IP address
configured on the device. If this parameter is not provided, the source IP address of an ICMP echo
request is the primary IP address of the outbound interface of the tracert packet.
-f first-ttl: Specifies the first TTL, that is, the allowed number of hops for the first packet, in the range 1 to
255. It defaults to 1 and must be less than the maximum TTL.
-m max-ttl: Specifies the maximum TTL, that is, the maximum allowed number of hops for a packet, in
the range 1 to 255. It defaults to 30, and must be greater than the first TTL.
-p port: Specifies the UDP port number of the destination, in the range 1 to 65535. The default value is
33434. You do not need to modify this parameter.
-q packet-number: Specifies the number of probe packets sent each time, in the range 1 to 65535. The
default value is 3.
-w timeout: Specifies the timeout time of the reply packet of a probe packet, in the range 1 to 65535, in
milliseconds. The default value is 5000 ms.
host: IP address or host name (a string of 1 to 20 characters) of the destination.

Description

Use the tracert command to trace the path the packets traverse from source to destination.
After having identified network failure with the ping command, you can use the tracert command to
determine the failed node(s).
Output information of the tracert command includes IP addresses of all the Layer 3 devices the packets
traverse from source to destination. If a device times out, "* * *" will be displayed.
During the execution of the command, you can press Ctrl+C to abort the tracert operation.

Examples

# Display the path the packets traverse from source to destination with an IP address of 1.1.2.2.
<Sysname> system-view
[Sysname] ip ttl-expires enable
[Sysname] ip unreachables enable
[Sysname] tracert 1.1.2.2
traceroute to 1.1.2.2(1.1.2.2) 30 hops max,40 bytes packet, press CTRL_C to break
1 1.1.1.2 673 ms 425 ms 30 ms
2 1.1.2.2 580 ms 470 ms 80 ms

Table 1-2 tracert command output description

Field | Description
traceroute to 1.1.2.2(1.1.2.2) | Display the route the IP packets traverse from the current device to the device whose IP address is 1.1.2.2.
hops max | Maximum number of hops of the probe packets, which can be set through the -m keyword
bytes packet | Number of bytes of a probe packet
press CTRL_C to break | During the execution of the command, you can press Ctrl+C to abort the tracert operation.
1 1.1.1.2 673 ms 425 ms 30 ms | The probe result of the probe packets whose TTL is 1, including the IP address of the first hop and the roundtrip time of three probe packets. The number of packets that can be sent in each probe can be set through the -q keyword.

System Debugging Commands


debugging

Syntax

debugging { all [ timeout time ] | module-name [ option ] }


undo debugging { all | module-name [ option ] }

View

User view

Default Level

1: Monitor level

Parameters

all: All debugging functions.


timeout time: Specifies the timeout time for the debugging all command. When all debugging is
enabled, the system automatically executes the undo debugging all command after the time. The
value ranges from 1 to 1440, in minutes.
module-name: Module name, such as arp or device. You can use the debugging ? command to display
the current module name.
option: The debugging option for a specific module. Different modules have different debugging options
in terms of their number and content. You can use the debugging module-name ? command to display
the currently supported options.

Description

Use the debugging command to enable the debugging of a specific module.


Use the undo debugging command to disable the debugging of a specific module.
By default, debugging functions of all modules are disabled.
Note the following:

• Output of the debugging information may degrade system efficiency, so you are recommended to
enable the debugging of the corresponding module for diagnosing network failure, and not to
enable the debugging of multiple modules at the same time.
• Default Level describes the default level of the debugging all command. Different debugging
commands may have different default levels.
• You must configure the debugging, terminal debugging and terminal monitor commands first
to display detailed debugging information on the terminal. For the detailed description on the
terminal debugging and terminal monitor commands, refer to Information Center Commands.
Related commands: display debugging.

Examples

# Enable IP packet debugging.


<Sysname> debugging ip packet

display debugging

Syntax

display debugging [ interface interface-type interface-number ] [ module-name ]

View

Any view

Default Level

1: Monitor level

Parameters

interface interface-type interface-number: Displays the debugging settings of the specified interface,
where interface-type interface-number represents the interface type and number.
module-name: Module name.

Description

Use the display debugging command to display enabled debugging functions.


Related commands: debugging.

Examples

# Display all enabled debugging functions.


<Sysname> display debugging
IP packet debugging is on

Table of Contents

1 Basic Configuration Commands
    Basic Configuration Commands
        clock datetime
        clock summer-time one-off
        clock summer-time repeating
        clock timezone
        command-privilege
        copyright-info enable
        display clipboard
        display clock
        display current-configuration
        display default-configuration
        display diagnostic-information
        display hotkey
        display this
        display version
        header
        hotkey
        super
        super password
        sysname
1 Basic Configuration Commands

Basic Configuration Commands


clock datetime

Syntax

clock datetime time date

View

User view

Default Level

3: Manage level

Parameters

time: Configured time, in the format of HH:MM:SS, where HH is hours in the range 00 to 23, MM is
minutes in the range 00 to 59, and SS is seconds in the range 00 to 59. The first zero in the HH, MM, or
SS value can be omitted; if the value of SS is 00, the time argument can be represented in the format of
HH:MM; if both the values of MM and SS are 00s, the time argument can be represented in the format
of HH.
date: Configured date, in the format of MM/DD/YYYY or YYYY/MM/DD. MM is the month of the year in
the range 1 to 12, DD is the day of the month that varies with months, and YYYY is a year in the range
2000 to 2035.

Description

Use the clock datetime command to set the current time and date of the device.
The current time and date of the device must be set in an environment that requires the acquisition of
absolute time.
You may choose not to provide seconds when inputting the time parameters.
Related commands: clock summer-time one-off, clock summer-time repeating, clock timezone,
display clock.

Examples

# Set the current system time to 14:10:20 08/01/2005.


<Sysname> clock datetime 14:10:20 8/1/2005

# Set the current system time to 00:06:00 01/01/2007.


<Sysname> clock datetime 0:6 2007/1/1

clock summer-time one-off

Syntax

clock summer-time zone-name one-off start-time start-date end-time end-date add-time


undo clock summer-time

View

System view

Default Level

3: Manage level

Parameters

zone-name: Name of the daylight saving time, a string of 1 to 32 characters. It is case sensitive.
start-time: Start time, in the format of HH:MM:SS (hours/minutes/seconds). The zeros in the argument
can be omitted except for indicating 0 hours.
start-date: Start date, in the format of MM/DD/YYYY (months/days/years) or YYYY/MM/DD.
end-time: End time, in the format of HH:MM:SS (hours/minutes/seconds). The zeros in the argument
can be omitted except for indicating 0 hours.
end-date: End date, in the format of MM/DD/YYYY (months/days/years) or YYYY/MM/DD.
add-time: Time added to the standard time of the device, in the format of HH:MM:SS
(hours/minutes/seconds). The zeros in the argument can be omitted except for indicating 0 hours.

Description

Use the clock summer-time one-off command to adopt daylight saving time from the start-time of the
start-date to the end-time of the end-date. Daylight saving time adds the add-time to the current time of
the device.
Use the undo clock summer-time command to cancel the configuration of the daylight saving time.
By default, daylight saving time is configured on the device, and the universal time coordinated (UTC)
time zone is applied.
After the configuration takes effect, you can use the display clock command to view it. Besides, the
time of the log or debug information is the local time of which the time zone and daylight saving time
have been adjusted.
Note that:
• The time range from start-time in start-date to end-time in end-date must be longer than one day
and shorter than one year. Otherwise, the argument is considered as invalid and the configuration
fails.
• If the current system time is in the time range specified with this command, the system time
automatically adds “add-time” after the execution of this command.
Related commands: clock datetime, clock summer-time repeating, clock timezone, display clock.

Examples

# For daylight saving time in abc1 between 06:00:00 on 08/01/2006 and 06:00:00 on 09/01/2006, set
the system clock ahead one hour.

<Sysname> system-view
[Sysname] clock summer-time abc1 one-off 6 08/01/2006 6 09/01/2006 1

clock summer-time repeating

Syntax

clock summer-time zone-name repeating start-time start-date end-time end-date add-time


undo clock summer-time

View

System view

Default Level

3: Manage level

Parameters

zone-name: Name of the daylight saving time, a string of 1 to 32 characters.


start-time: Start time, in the format of HH:MM:SS (hours/minutes/seconds). The zeros in the argument
can be omitted except for indicating 0 hours.
start-date: Start date which can be set in two ways:
• Enter the year, month and date at one time, in the format of MM/DD/YYYY (months/days/years) or
YYYY/MM/DD.
• Enter the year, month and date one by one, separated by spaces. The year ranges from 2000 to
2035; the month can be January, February, March, April, May, June, July, August,
September, October, November or December; the start week can be the first, second, third,
fourth, fifth or last week of the month; the start date is Sunday, Monday, Tuesday, Wednesday,
Thursday, Friday, Saturday.
end-time: End time, in the format of HH:MM:SS (hours/minutes/seconds). The zeros in the argument
can be omitted except for indicating 0 hours.
end-date: End date which can be set in two ways:
• Enter the year, month and date at one time, in the format of MM/DD/YYYY (months/days/years) or
YYYY/MM/DD.
• Enter the year, month and date one by one, separated by spaces. The year ranges from 2000 to
2035; the month can be January, February, March, April, May, June, July, August, September,
October, November or December; the end week can be the first, second, third, fourth, fifth or
last week of the month; the end date is Sunday, Monday, Tuesday, Wednesday, Thursday,
Friday, Saturday.
add-time: Time added to the current standard time of the device, in the format of HH:MM:SS
(hours/minutes/seconds). The zeros in the argument can be omitted except for indicating 0 hours.

Description

Use the clock summer-time repeating command to adopt summer-time repeatedly.


Use the undo clock summer-time command to cancel the configuration of the daylight saving time.
By default, daylight saving time is configured on the device, and the universal time coordinated (UTC)
time zone is applied.

For example, when start-date and start-time are set to 2007/6/6 and 00:00:00, end-date and end-time to
2007/10/01 and 00:00:00, and add-time to 01:00:00, it specifies to adopt daylight saving time from
00:00:00 of June 6 until 00:00:00 of October 1 each year from 2007 (2007 inclusive). The daylight
saving time adds one hour to the current device time.
After the configuration takes effect, use the display clock command to view the result. The information
such as log file and debug adopts the local time modified by time-zone and daylight saving time.
Note that:
• The time range from “start-time” in “start-date” to “end-time” in “end-date” must be longer than one
day and shorter than one year. Otherwise, the argument is considered as invalid and the
configuration fails.
• If the current system time is in the time range specified with this command, the system time
automatically adds “add-time” after the execution of this command.
Related commands: clock datetime, clock summer-time one-off, clock timezone, display clock.

Examples

# For the daylight saving time in abc2 between 06:00:00 on 08/01/2007 and 06:00:00 on 09/01/2007
and from 06:00:00 08/01 to 06:00:00 on 09/01 each year after 2007, set the system clock ahead one
hour.
<Sysname> system-view
[Sysname] clock summer-time abc2 repeating 06:00:00 08/01/2007 06:00:00 09/01/2007 01:00:00

clock timezone

Syntax

clock timezone zone-name { add | minus } zone-offset


undo clock timezone

View

System view

Default Level

3: Manage level

Parameters

zone-name: Time zone name, a string of 1 to 32 characters. It is case sensitive.


add: Adds a specified offset to universal time coordinated (UTC) time.
minus: Subtracts a specified offset from UTC time.
zone-offset: Offset to the UTC time, in the format of HH/MM/SS (hours/minutes/seconds), where HH is
hours in the range 0 to 23, MM is minutes in the range 0 to 59, and SS is seconds in the range 0 to 59.
The zeros in the argument can be omitted except for indicating 0 hours.

Description

Use the clock timezone command to set the local time zone.
Use the undo clock timezone command to restore the local time zone to the default UTC time zone.
By default, the local time zone is UTC zone.
After the configuration takes effect, use the display clock command to view the result. The information
such as log file and debug adopts the local time modified by time-zone and daylight saving time.
Related commands: clock datetime, clock summer-time one-off, clock summer-time repeating,
display clock.

Examples

# Set the name of the local time zone to Z5, five hours ahead of UTC time.
<Sysname> system-view
[Sysname] clock timezone z5 add 5

command-privilege

Syntax

command-privilege level level view view command


undo command-privilege view view command

View

System view

Default Level

3: Manage level

Parameters

level level: Command level, in the range 0 to 3.


view view: Specifies a view. The value shell of the argument view represents user view. The specified
view must be the view to which the command provided by the command argument belongs; for the
corresponding view, refer to the "View" section of the specified command.
command: Command to be set in the specified view.

Description

Use the command-privilege command to assign a level for the specified command in the specified
view.
Use the undo command-privilege view command to restore the default.
By default, each command in a view has its specified level. For the details, refer to the related part of
Basic System Configuration in this manual. Commands fall into four levels: visit, monitor, system,
and manage, which are identified by 0 through 3. The administrator can assign a privilege level to a
user as needed. When the user logs in to a device, the commands available depend on the
user’s privilege level. For example, if a user’s privilege is 3 and the command privilege of VTY 0 user
interface is 1, and the user logs on the system from VTY 0, he can use all the commands with privilege
level 3 or lower.
Note that:
• You are recommended to use the default command level or modify the command level under the
guidance of professional staff; otherwise, the change of command level may bring inconvenience
to your maintenance and operation, or even potential security problem.
• When you configure the command-privilege command, the value of the command argument must
be a complete form of the specified command, that is, you must enter all needed keywords and
arguments of the command. The argument should be in the value range. For example, the default
level of the tftp server-address { get | put | sget } source-filename [ destination-filename ] [ source
{ interface interface-type interface-number | ip source-ip-address } ] command is 3; after the
command-privilege level 0 view shell tftp 1.1.1.1 put a.cfg command is executed, when users
with the user privilege level of 0 log in to the device, they can execute the tftp server-address put
source-filename command (such as the tftp 192.168.1.26 put syslog.txt command); users with the
user privilege level of 0 cannot execute the command with the get, sget or source keyword, and
cannot specify the destination-filename argument.
• When you configure the undo command-privilege view command, the value of the command
argument can be an abbreviated form of the specified command, that is, you only need to enter the
keywords at the beginning of the command. For example, after the undo command-privilege
view system ftp command is executed, all commands starting with the keyword ftp (such as ftp
server acl, ftp server enable, and ftp timeout) will be restored to the default level; if you have
modified the command level of commands ftp server enable and ftp timeout, and you want to
restore only the ftp server enable command to its default level, you should use the undo
command-privilege view system ftp server command.
• If you modify the command level of a command in a specified view from the default command level
to a lower level, remember to modify the command levels of the quit command and the
corresponding command that is used to enter this view. For example, the default command level of
commands interface and system-view is 2 (system level); if you want to make the interface
command available to the users with the user privilege level of 1, you need to execute the following
three commands: command-privilege level 1 view shell system-view, command-privilege level
1 view system interface ethernet 1/1, and command-privilege level 1 view system quit, so that
the login users with the user privilege level of 1 can enter system view, execute the interface
ethernet command, and then return to user view.

Examples

# Set the command level of the system-view command in user view to 3. (By default, users with the
user privilege level of 2 or 3 can use the system-view command after login; after the following
configuration, only users with the user privilege level of 3 can use this command to enter system view
and configure the device. Therefore, the device security is improved.)
<Sysname> system-view
[Sysname] command-privilege level 3 view shell system-view
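
The following Python audit is an added example, not part of the H3C manual: it scans a saved configuration for command-privilege lines, compares each with the default levels stated in this section, and applies the rule above that a command lowered in system view is only usable if system-view and quit are lowered too. It assumes the configuration stores each line as typed and that the last line for a command wins; the sample configuration is constructed.

```python
import re
from typing import NamedTuple

# Default levels stated in the text above: (view, first keyword) -> level.
# No other defaults are assumed; anything else is reported as unknown.
PAGE_DEFAULTS = {
    ("shell", "system-view"): 2,
    ("system", "interface"): 2,
    ("shell", "tftp"): 3,
}

# Assumption: the saved configuration keeps the line in the form it was typed.
LINE_RE = re.compile(
    r"^\s*command-privilege\s+level\s+([0-3])\s+view\s+(\S+)\s+(\S.*?)\s*$"
)


class Override(NamedTuple):
    level: int
    view: str
    command: str


class Finding(NamedTuple):
    override: Override
    status: str   # lowered | raised | unchanged | unknown-default
    notes: tuple  # reachability problems, if any


def first_keyword(command):
    return command.split()[0]


def parse_overrides(config_text):
    """Return every 'command-privilege level ...' line as an Override."""
    found = []
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Override(int(m.group(1)), m.group(2), m.group(3)))
    return found


def classify(override):
    """Compare an override with the default level given in the manual text."""
    default = PAGE_DEFAULTS.get((override.view, first_keyword(override.command)))
    if default is None:
        return "unknown-default"
    if override.level < default:
        return "lowered"
    if override.level > default:
        return "raised"
    return "unchanged"


def effective_level(overrides, view, keyword):
    """Level in force for a keyword: last override wins (assumption),
    else the documented default, else None when the page gives no default."""
    level = PAGE_DEFAULTS.get((view, keyword))
    for o in overrides:
        if o.view == view and first_keyword(o.command) == keyword:
            level = o.level
    return level


def audit(config_text):
    overrides = parse_overrides(config_text)
    entry_default = PAGE_DEFAULTS[("shell", "system-view")]
    findings = []
    for o in overrides:
        notes = []
        # Rule from the manual: a system-view command opened to users below
        # the default level of system-view also needs system-view and quit
        # assigned to that level.
        if o.view == "system" and o.level < entry_default:
            for view, kw in (("shell", "system-view"), ("system", "quit")):
                lvl = effective_level(overrides, view, kw)
                if lvl is None or lvl > o.level:
                    shown = "its default level" if lvl is None else f"level {lvl}"
                    notes.append(
                        f"{kw} (view {view}) is at {shown}; "
                        f"level-{o.level} users cannot use it"
                    )
        findings.append(Finding(o, classify(o), tuple(notes)))
    return findings


# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
#
 sysname Sysname
#
 command-privilege level 0 view shell tftp 1.1.1.1 put a.cfg
 command-privilege level 1 view system interface ethernet 1/1
 command-privilege level 1 view system quit
 command-privilege level 3 view shell system-view
#
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        o = f.override
        print(f"{f.status:16} level {o.level} view {o.view}: {o.command}")
        for note in f.notes:
            print(f"{'':16} ! {note}")
```

Lines reported as lowered are the ones to review first, since they widen what low-privilege logins can run; lines reported as unknown-default need the default checked in the "Default Level" entry of the command concerned.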

copyright-info enable

Syntax

copyright-info enable
undo copyright-info enable

View

System view

Default Level

3: Manage level

Parameters

None

Description

Use the copyright-info enable command to enable the display of copyright information.
Use the undo copyright-info enable command to disable the display of copyright information.
By default, the display of copyright information is enabled.

Examples

# Enable the display of copyright information


<Sysname> system-view
[Sysname] copyright-info enable

• If a user logs in to the device through Telnet, the following information is displayed:
****************************************************************************
* Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
****************************************************************************

<Sysname>

• If a user has already logged in through the console port, and then quits user view, the following
information is displayed:
**************************************************************************
* Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
****************************************************************************

User interface aux0 is available.

Please press ENTER.

display clipboard

Syntax

display clipboard

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display clipboard command to view the contents of the clipboard.
To copy the specified content to the clipboard:
Move the cursor to the starting position of the content and press the <Esc+Shift+,> combination (“,” is
an English comma).
Move the cursor to the ending position of the content and press the <Esc+Shift+.> combination (“.” is an
English dot) to copy the specified content to the clipboard.

Examples

# View the content of the clipboard.


<Sysname> display clipboard
---------------- CLIPBOARD-----------------
telnet server enable

display clock

Syntax

display clock

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display clock command to view the current system time and date.
The current system time and date are decided by the clock datetime, clock summer-time one-off (or
clock summer-time repeating), and clock timezone commands. Refer to Configuring the system clock
in the operation manual for the detailed rules.
Related commands: clock datetime, clock summer-time one-off, clock summer-time repeating,
clock timezone.

Examples

# Display the current time and date.


<Sysname> display clock
09:41:23 UTC Thu 12/15/2005

display current-configuration

Syntax

display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | exclude | include } regular-expression ] ]

View

Any view

Default Level

2: System level

Parameters

configuration [ configuration ]: Displays non-interface configuration. If a parameter is specified,
only the specified configuration is displayed. For example:
• isp: Displays the ISP configuration.
• post-system: Displays the post-system configuration.
• system: Displays the system configuration.
• user-interface: Displays the user interface configuration.
interface [ interface-type ] [ interface-number ]: Displays the interface configuration, where
interface-type represents the interface type and interface-number represents the interface number.
by-linenum: Displays the number of each line.
|: Uses a regular expression to filter the displayed configuration. For the detailed
description of the regular expression, refer to the CLI Display part of Basic System Configuration.
• begin: Displays the line that matches the regular expression and all the subsequent lines.
• exclude: Displays the lines that do not match the regular expression.
• include: Displays only the lines that match the regular expression.
regular-expression: Regular expression, a string of 1 to 256 characters. Note that this argument is
case-sensitive and can contain spaces.

Description

Use the display current-configuration command to display the current validated configuration of a
device.
A parameter is not displayed if it has the default configuration. If the validated value of a parameter
differs from the value you configured, the validated value is displayed. For example, ip address
11.11.11.11 24 has been configured on a Loopback interface. In this case, if you execute the display
current-configuration command, ip address 11.11.11.11 255.255.255.255 is displayed, meaning the
validated subnet mask is 32 bits.
Related commands: save, reset saved-configuration, display saved-configuration.

Examples

# Display the configuration from the line containing “user-interface” to the last line in the current
validated configuration (the output information depends on the device model and the current
configuration).

<Sysname> display current-configuration | begin user-interface
user-interface aux 0
user-interface vty 0 15
authentication-mode none
user privilege level 3
#
return

# Display the current valid SNMP configuration on the device (the output information depends on the
device model and the current configuration).
<Sysname> display current-configuration | include snmp
snmp-agent
snmp-agent local-engineid 800063A203000FE240A1A6
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all

display default-configuration

Syntax

display default-configuration

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display default-configuration command to display the factory defaults of a device. The
command displays all commands to be executed when the device boots with the factory defaults.
Related commands: display current-configuration, display saved-configuration.

Examples

# Display the factory defaults of the device (The factory defaults vary with device models. The detailed
displays are omitted here).
<Sysname> display default-configuration

display diagnostic-information

Syntax

display diagnostic-information

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display diagnostic-information command to display or save the statistics of the running
status of multiple modules in the system.
During daily maintenance or when the system is out of order, you need to display the running
information of each functional module to locate the problem. Generally, you need to execute the
corresponding display commands for each module, because each module has independent running
information. To collect more information at one time, you can execute the display
diagnostic-information command to display or save the statistics of the running status of multiple
modules in the system. Execution of the display diagnostic-information command equals execution
of the commands display clock, display version, display device, and display
current-configuration one by one.

Examples

# Save the statistics of each module's running status in the system.


<Sysname> display diagnostic-information
Save or display diagnostic information (Y=save, N=display)?[Y/N]y
Please input the file name(*.diag)[flash:/default.diag]:aa.diag
Diagnostic information is outputting to flash:/aa.diag.
Please wait...
Save succeeded.

You can view the content of the file aa.diag by executing the more aa.diag command in user view, using
the Page Up and Page Down keys to scroll.
# Display the statistics of each module's running status in the system.
<Sysname> display diagnostic-information
Save or display diagnostic information (Y=save, N=display)? [Y/N]:n
=================================================
===============display clock===============
=================================================
08:54:16 UTC Fri 11/15/2008
===================================================
===============display version===============
===================================================

……Omitted……

display hotkey

Syntax

display hotkey

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display hotkey command to display hotkey information.

Examples

# Display hotkey information.


<Sysname> display hotkey
----------------- HOTKEY -----------------

=Defined hotkeys=
Hotkeys Command
CTRL_G display current-configuration
CTRL_L display ip routing-table
CTRL_O undo debug all

=Undefined hotkeys=
Hotkeys Command
CTRL_T NULL
CTRL_U NULL

=System hotkeys=
Hotkeys Function
CTRL_A Move the cursor to the beginning of the current line.
CTRL_B Move the cursor one character left.
CTRL_C Stop current command function.
CTRL_D Erase current character.
CTRL_E Move the cursor to the end of the current line.
CTRL_F Move the cursor one character right.
CTRL_H Erase the character left of the cursor.
CTRL_K Kill outgoing connection.
CTRL_N Display the next command from the history buffer.
CTRL_P Display the previous command from the history buffer.
CTRL_R Redisplay the current line.
CTRL_V Paste text from the clipboard.
CTRL_W Delete the word left of the cursor.
CTRL_X Delete all characters up to the cursor.
CTRL_Y Delete all characters after the cursor.
CTRL_Z Return to the User View.
CTRL_] Kill incoming connection or redirect connection.
ESC_B Move the cursor one word back.
ESC_D Delete remainder of word.
ESC_F Move the cursor forward one word.
ESC_N Move the cursor down a line.
ESC_P Move the cursor up a line.
ESC_< Specify the beginning of clipboard.
ESC_> Specify the end of clipboard.

display this

Syntax

display this [ by-linenum ]

View

Any view

Default Level

1: Monitor level

Parameters

by-linenum: Specifies to display the number of each line.

Description

Use the display this command to display the validated configuration information under the current
view.
After finishing a set of configurations under a view, you can use the display this command to check
whether the configuration takes effect.
Note that:
• A parameter is not displayed if it has the default configuration.
• A parameter is not displayed if the configuration has not taken effect.
• Execution of this command in any user interface view displays the valid configuration in all the user
interfaces.
• Execution of this command in any VLAN view displays the configurations of all the created VLANs.

Examples

# Display the valid configuration information on interface GigabitEthernet1/0/1 (the output information
depends on the current configuration of the device).
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-gigabitethernet 1/0/1] display this
#
interface gigabitethernet 1/0/1
port link-mode bridge
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 2 to 4 untagged
port hybrid pvid vlan 2
#
return

# Display the valid configuration information of all user interfaces (the output information depends on
the current configuration of the device).
<Sysname> system-view
[Sysname] user-interface vty 0
[Sysname-ui-vty0] display this
#
user-interface aux 0
user-interface vty 0
history-command max-size 256
user-interface vty 1 15
#
return

display version

Syntax

display version

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display version command to view system version information.


By viewing system version information, you can learn about the current software version, rack type and
the information related to the main control board and interface boards.

Examples

# Display system version information (The system version information varies with devices.).
<Sysname> display version
H3C Comware Platform Software
Comware Software, Version 5.20, Release 1101P09
Copyright (c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved.

H3C S5120-52P-SI uptime is 0 week, 0 day, 0 hour, 50 minutes

H3C S5120-52P-SI
128M bytes DRAM
128M bytes Nand Flash Memory
Config Register points to Nand Flash

Hardware Version is REV.B


CPLD Version is 001
Bootrom Version is 119
[SubSlot 0] 48GE+4SFP Hardware Version is REV.B

header

Syntax

header { incoming | legal | login | motd | shell } text


undo header { incoming | legal | login | motd | shell }

View

System view

Default Level

2: System level

Parameters

incoming: Sets the banner displayed when a Modem login user enters user view. If authentication is
needed, the incoming banner is displayed after the authentication is passed.
legal: Sets the authorization banner before a user logs onto the terminal interface. The legal banner is
displayed before the user inputs the username and password.
login: Sets the login banner at authentication.
motd: Sets the banner displayed before login. If authentication is required, the banner is displayed
before authentication.
shell: Sets the banner displayed when a non-Modem login user enters user view.
text: Banner message, which can be input in two formats. Refer to Basic System Configuration for the
detailed information.

Description

Use the header command to create a banner.


Use the undo header command to clear a banner.

Examples

# Configure banners.
<Sysname> system-view
[Sysname] header incoming %
Please input banner content, and quit with the character '%'.
Welcome to incoming(header incoming)%
[Sysname] header legal %
Please input banner content, and quit with the character '%'.
Welcome to legal (header legal)%
[Sysname] header login %
Please input banner content, and quit with the character '%'.
Welcome to login(header login)%
[Sysname] header motd %
Please input banner content, and quit with the character '%'.
Welcome to motd(header motd)%
[Sysname] header shell %
Please input banner content, and quit with the character '%'.
Welcome to shell(header shell)%

The character % is the starting/ending character of text in this example. Entering % after the displayed
text quits the header command.
As the starting and ending character, % is not a part of a banner.

# Test the configuration remotely using Telnet (the login banner is displayed only when login
authentication is configured).
******************************************************************************
* Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************

Welcome to legal(header legal)


Press Y or ENTER to continue, N to exit.
Welcome to motd(header motd)
Welcome to login(header login)

Login authentication

Password:
Welcome to shell(header shell)

<Sysname>

hotkey

Syntax

hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command


undo hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U }

View

System view

Default Level

2: System level

Parameters

CTRL_G: Assigns the hot key Ctrl+G to a command.


CTRL_L: Assigns the hot key Ctrl+L to a command.
CTRL_O: Assigns the hot key Ctrl+O to a command.
CTRL_T: Assigns the hot key Ctrl+T to a command.
CTRL_U: Assigns the hot key Ctrl+U to a command.
command: The command line associated with the hot key.

Description

Use the hotkey command to assign a hot key to a command line.


Use the undo hotkey command to restore the default.
By default, the system assigns commands to Ctrl+G, Ctrl+L and Ctrl+O, while the other hot keys are
null.
• Ctrl+G corresponds to display current-configuration
• Ctrl+L corresponds to display ip routing-table
• Ctrl+O corresponds to undo debugging all
However, you can customize this scheme as needed.

Examples

# Assign the hot key Ctrl+T to the display tcp status command.
<Sysname> system-view
[Sysname] hotkey ctrl_t display tcp status

# Display the configuration of hotkeys.


[Sysname] display hotkey
----------------- HOTKEY -----------------

=Defined hotkeys=
Hotkeys Command
CTRL_G display current-configuration
CTRL_L display ip routing-table
CTRL_O undo debug all
CTRL_T display tcp status

=Undefined hotkeys=
Hotkeys Command
CTRL_U NULL

=System hotkeys=
Hotkeys Function
CTRL_A Move the cursor to the beginning of the current line.
CTRL_B Move the cursor one character left.
CTRL_C Stop current command function.
CTRL_D Erase current character.
CTRL_E Move the cursor to the end of the current line.
CTRL_F Move the cursor one character right.
CTRL_H Erase the character left of the cursor.
CTRL_K Kill outgoing connection.
CTRL_N Display the next command from the history buffer.
CTRL_P Display the previous command from the history buffer.
CTRL_R Redisplay the current line.
CTRL_V Paste text from the clipboard.
CTRL_W Delete the word left of the cursor.
CTRL_X Delete all characters up to the cursor.
CTRL_Y Delete all characters after the cursor.
CTRL_Z Return to the user view.
CTRL_] Kill incoming connection or redirect connection.
ESC_B Move the cursor one word back.
ESC_D Delete remainder of word.
ESC_F Move the cursor forward one word.
ESC_N Move the cursor down a line.
ESC_P Move the cursor up a line.
ESC_< Specify the beginning of clipboard.
ESC_> Specify the end of clipboard.

super

Syntax

super [ level ]

View

User view

Default Level

0: Visit level

Parameters

level: User level, in the range 0 to 3, and defaults to 3.

Description

Use the super command to switch from the current user privilege level to a specified user privilege
level.
If you do not provide the level argument, the current user privilege level will be switched to 3.
Login users are classified into four levels that correspond to the four command levels. After users at
different levels log in, they can only use commands at their own, or lower, levels.
Note that:
Users can switch to a lower user privilege level unconditionally. To switch to a higher user privilege
level, users logged in from VTY user interfaces must enter the password, for security's sake; only AUX
login users can switch levels without a password. If the entered password is incorrect or no password
is configured, the switching fails. Therefore, before switching a user to a higher user privilege
level, configure the required password.
Related commands: super password.

Examples

# Set the user privilege level to 2 (The current user privilege level is 3.).
<Sysname> super 2
User privilege level is 2, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

# Switch the user privilege level back to 3 (Suppose password 123 has been set; otherwise, the user
privilege level cannot be switched to 3.).
<Sysname> super 3
Password:
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

super password

Syntax

super password [ level user-level ] { simple | cipher } password


undo super password [ level user-level ]

View

System view

Default Level

2: System level

Parameters

level user-level: User privilege level in the range 1 to 3, with the default as 3.
simple: Plain text password.
cipher: Cipher text password.
password: Password, a string of characters. It is case-sensitive.
• For simple password, it is a string of 1 to 16 characters.
• For cipher password, it is a string of 1 to 16 characters in plain text or 24 characters in cipher text.
For example, the simple text “1234567” corresponds to the cipher text “(TT8F]Y\5SQ=^Q`MAF4<1!!”.

Description

Use the super password command to set the password needed to switch from a lower user privilege
level to a higher one.
Use the undo super password command to restore the default.
By default, no password is set to switch from a lower user privilege level to a higher one.
Note that:
• If simple is specified, the configuration file saves a simple password.
• If cipher is specified, the configuration file saves a cipher password.
• The user must always enter the simple (plain text) password, whether simple or cipher is specified.
• Cipher passwords are recommended, because simple passwords are easily cracked.

Examples

# Set the password to abc in simple form for switching user-level to 3.


<Sysname> system-view
[Sysname] super password level 3 simple abc

# Display the password for switching user-level.


[Sysname] display current-configuration
#
super password level 3 simple abc

# Set the password to abc in cipher form for switching user-level to 3.


<Sysname> system-view
[Sysname] super password level 3 cipher abc

# Display the password for switching user-level.


[Sysname] display current-configuration
#
super password level 3 cipher =`*Y=F>*.%-a_SW8\MYM2A!!
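
The listings in this chapter show three settings worth flagging when reviewing display current-configuration output: a super password saved with simple, a VTY user interface with authentication-mode none, and SNMP communities named public and private. The following Python check is an added example, not part of the H3C manual. The finding names and function names are assumptions made for illustration, and the sample listing is constructed from the fragments printed in this manual.

```python
import re

# Constructed sample: the `display current-configuration` fragments printed in
# this manual, joined into one listing.
SAMPLE_CONFIG = """\
#
 super password level 3 simple abc
#
 snmp-agent
 snmp-agent local-engineid 800063A203000FE240A1A6
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
#
user-interface aux 0
user-interface vty 0 15
 authentication-mode none
 user privilege level 3
#
return
"""

# Level names from the "Privilege note" line printed by the super command.
PRIVILEGE_NAMES = {0: "VISIT", 1: "MONITOR", 2: "SYSTEM", 3: "MANAGE"}
WELL_KNOWN_COMMUNITIES = {"public", "private"}

SUPER_RE = re.compile(r"super password(?: level ([1-3]))? (simple|cipher) ")
SNMP_RE = re.compile(r"snmp-agent community (read|write) (\S+)")
LEVEL_RE = re.compile(r"user privilege level ([0-3])$")


def parse_user_interfaces(text):
    """Map each `user-interface ...` header to the commands listed under it.

    A block ends at `#`, `return`, a blank line or the next header, so the
    parser works whether or not the listing kept its indentation.
    """
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user-interface "):
            current = line
            blocks[current] = []
        elif line in ("", "#", "return"):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit(text):
    """Return (finding_id, message) tuples; the super password is never echoed."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = SUPER_RE.match(line)
        if m and m.group(2) == "simple":
            level = int(m.group(1) or 3)  # the manual gives 3 as the default
            findings.append((
                "super-password-plaintext",
                f"level {level} ({PRIVILEGE_NAMES[level]}) super password "
                "is saved in plain text",
            ))
        m = SNMP_RE.match(line)
        if m and m.group(2) in WELL_KNOWN_COMMUNITIES:
            findings.append((
                "snmp-well-known-community",
                f"{m.group(1)} community uses the well-known name "
                f"'{m.group(2)}'",
            ))
    for header, commands in parse_user_interfaces(text).items():
        if not header.startswith("user-interface vty"):
            continue
        if "authentication-mode none" not in commands:
            continue
        matches = [LEVEL_RE.match(command) for command in commands]
        levels = [int(match.group(1)) for match in matches if match]
        granted = (f"level {levels[-1]} ({PRIVILEGE_NAMES[levels[-1]]})"
                   if levels else "a level not set in this listing")
        findings.append((
            "vty-no-authentication",
            f"{header}: login needs no authentication and grants {granted}",
        ))
    return findings


if __name__ == "__main__":
    for finding_id, message in audit(SAMPLE_CONFIG):
        print(f"{finding_id}: {message}")
```

Run against a saved copy of the listing, the check reports the plain text super password without printing it, so the report itself can be shared more widely than the configuration.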

sysname

Syntax

sysname sysname
undo sysname

View

System view

Default Level

2: System level

Parameters

sysname: Name of the device, a string of 1 to 30 characters.

Description

Use the sysname command to set the name of the device.


Use the undo sysname command to restore the device name to the default.
The default name is H3C.
Modifying device name affects the prompt of the CLI. For example, if the device name is Sysname, the
prompt of user view is <Sysname>.

Examples

# Set the name of the device to R2000.


<Sysname> system-view
[Sysname] sysname R2000
[R2000]

Table of Contents

1 Information Center Configuration Commands
Information Center Configuration Commands
display channel
display info-center
display logbuffer
display logbuffer summary
display logfile buffer
display logfile summary
display trapbuffer
enable log updown
info-center channel name
info-center console channel
info-center enable
info-center logbuffer
info-center logfile enable
info-center logfile frequency
info-center logfile size-quota
info-center logfile switch-directory
info-center loghost
info-center loghost source
info-center monitor channel
info-center snmp channel
info-center source
info-center synchronous
info-center syslog channel
info-center timestamp
info-center timestamp loghost
info-center trapbuffer
logfile save
reset logbuffer
reset trapbuffer
terminal debugging
terminal logging
terminal monitor
terminal trapping

1 Information Center Configuration Commands

Information Center Configuration Commands


display channel

Syntax

display channel [ channel-number | channel-name ]

View

Any view

Default Level

1: Monitor level

Parameters

channel-number: Displays information of the channel with a specified number, where channel-number
represents the channel number, in the range 0 to 9.
channel-name: Displays information of the channel with a specified name, where channel-name
represents the channel name, which could be a default name or a self-defined name. The user needs to
specify a channel name first before using it as a self-defined channel name. For more information, refer
to the info-center channel name command.

Table 1-1 Information channels for different output destinations

Output destination | Information channel number | Default channel name
Console | 0 | console
Monitor terminal | 1 | monitor
Log host | 2 | loghost
Trap buffer | 3 | trapbuffer
Log buffer | 4 | logbuffer
SNMP module | 5 | snmpagent
Web interface | 6 | channel6
Log file | 9 | channel9

Description

Use the display channel command to display channel information.


If no channel is specified, information for all channels is displayed.

Examples

# Display information for channel 0.


<Sysname> display channel 0
channel number:0, channel name:console
MODU_ID NAME ENABLE LOG_LEVEL ENABLE TRAP_LEVEL ENABLE DEBUG_LEVEL
ffff0000 default Y warnings Y debugging Y debugging

The above information indicates that log information with severity 0 to 4, trap information with
severity 0 to 7, and debugging information with severity 0 to 7 is output to the console. The
information source modules are all modules (default).

Table 1-2 display channel command output description

Field | Description
channel number | A specified channel number, in the range 0 to 9.
channel name | A specified channel name, which varies with user’s configuration. For more information, refer to the info-center channel name command.
MODU_ID | The ID of the module to which the information permitted to pass through the current channel belongs
NAME | The name of the module to which the information permitted to pass through the current channel belongs. Default means all modules are allowed to output system information, but the module type varies with devices.
ENABLE | Indicates whether to enable or disable the output of log information, which could be Y or N.
LOG_LEVEL | The severity of log information, refer to Table 1-4 for details.
ENABLE | Indicates whether to enable or disable the output of trap information, which could be Y or N.
TRAP_LEVEL | The severity of trap information, refer to Table 1-4 for details.
ENABLE | Indicates whether to enable or disable the output of debugging information, which could be Y or N.
DEBUG_LEVEL | The severity of debugging information, refer to Table 1-4 for details.

display info-center

Syntax

display info-center

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display info-center command to display the information of each output destination.

Examples

# Display configurations on each output destination.


<Sysname> display info-center
Information Center:enabled
Log host:
1.1.1.1, port number : 514, host facility : local2,
channel number : 8, channel name : channel8
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 512,
current messages 512, dropped messages 0, overwritten messages 740
channel number : 4, channel name : logbuffer
Trap buffer:
enabled,max buffer size 1024, current buffer size 256,
current messages 216, dropped messages 0, overwritten messages 0
channel number : 3, channel name : trapbuffer
logfile:
channel number:9, channel name:channel9
syslog:
channel number:6, channel name:channel6
Information timestamp setting:
log - date, trap - date, debug - date,
loghost - date

Table 1-3 display info-center command output description

Field | Description
Information Center | The current state of the information center, which could be enabled or disabled.
Log host: 1.1.1.1, port number : 514, host facility : local2, channel number : 8, channel name : channel8 | Configurations on the log host destination (displayed only when the info-center loghost command is configured), including IP address of the log host, number of the port that receives the system information on the log host, logging facility used, and the channel number and channel name used.
Console: channel number : 0, channel name : console | Configurations on the console destination, including the channel number and channel name used
Monitor: channel number : 1, channel name : monitor | Configurations on the monitor terminal destination, including the channel number and channel name used
SNMP Agent: channel number : 5, channel name : snmpagent | Configurations on the SNMP module destination, including the channel number and channel name used
Log buffer: enabled,max buffer size 1024, current buffer size 512, current messages 512, dropped messages 0, overwritten messages 740, channel number : 4, channel name : logbuffer | Configurations on the log buffer destination, including whether information output to this destination is enabled or disabled, the maximum capacity, the current capacity, the current number of messages, the number of dropped messages, the number of messages that have been overwritten, and the channel number and channel name used.
Trap buffer: enabled,max buffer size 1024, current buffer size 256, current messages 216, dropped messages 0, overwritten messages 0, channel number : 3, channel name : trapbuffer | Configurations on the trap buffer destination, including whether information output to this destination is enabled or disabled, the maximum capacity, the current capacity, the current number of messages, the number of dropped messages, the number of messages that have been overwritten, and the channel number and channel name used.
logfile: channel number:9, channel name:channel9 | Configurations on the log file destination, including the channel number, and channel name used.
syslog: channel number:6, channel name:channel6 | Configurations on the Web interface destination, including the channel number, and channel name used.
Information timestamp setting | The timestamp configurations, specifying the timestamp format for log, trap, debug, and log host information.

display logbuffer

Syntax

display logbuffer [ reverse ] [ level severity | size buffersize ] * [ | { begin | exclude | include }
regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

reverse: Displays log entries chronologically, with the most recent entry at the top. If this keyword is not
specified, the log entries will be displayed chronologically, with the oldest entry at the top.
level severity: Displays information of the log with specified level, where severity represents information
level, in the range 0 to 7.

Table 1-4 Severity description

Severity | Value | Description
Emergency | 0 | The system is unusable.
Alert | 1 | Action must be taken immediately
Critical | 2 | Critical conditions
Error | 3 | Error conditions
Warning | 4 | Warning conditions
Notice | 5 | Normal but significant condition
Informational | 6 | Informational messages
Debug | 7 | Debug-level messages

size buffersize: Displays specified number of the latest log messages in the log buffer, where buffersize
represents the number of the latest log messages to be displayed in the log buffer, in the range 1 to
1,024.
|: Uses a regular expression to filter the output information. For detailed information about regular
expression, refer to section CLI Display in Basic System Configuration.
• begin: Displays the line that matches the regular expression and all the subsequent lines.
• exclude: Displays the lines that do not match the regular expression.
• include: Displays the lines that match the regular expression.
regular-expression: Regular expression, a string of 1 to 256 characters. Note that this argument is
case-sensitive and can have spaces included.

Description

Use the display logbuffer command to display the state of the log buffer and the log information
recorded. Absence of the size buffersize argument indicates that all log information recorded in the log
buffer is displayed.

Examples

# Display the state of the log buffer and the log information recorded.
<Sysname> display logbuffer
Logging buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 718
Current messages : 512

%Jun 17 15:57:09:578 2006 Sysname IC/7/SYS_RESTART:
System restarted --

The rest is omitted here.


# Display the state of the log buffer and the log information recorded.
<Sysname> display logbuffer
Logging buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 127

%Jun 19 18:03:24:55 2006 Sysname IC/7/SYS_RESTART:
System restarted --

The rest is omitted here.

Table 1-5 display logbuffer command output description

Field                                        Description
Logging buffer configuration and contents    Indicates the current state of the log buffer and its contents, which could be enabled or disabled.
Allowed max buffer size                      The maximum buffer size allowed
Actual buffer size                           The actual buffer size
Channel number                               The channel number of the log buffer, defaults to 4.
Channel name                                 The channel name of the log buffer, defaults to logbuffer.
Dropped messages                             The number of dropped messages
Overwritten messages                         The number of overwritten messages (when the buffer size is not big enough to hold all messages, the latest messages overwrite the old ones).
Current messages                             The number of the current messages
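
The following Python code is an added example, not part of the H3C manual. It parses captured display logbuffer output and uses the counters described in Table 1-5 to report when older entries are no longer held in the buffer. The function names are hypothetical, and the sample text is constructed from the example outputs in this manual.

```python
import re
from datetime import datetime

# Severity names by value, from Table 1-4.
SEVERITY = ["Emergency", "Alert", "Critical", "Error",
            "Warning", "Notice", "Informational", "Debug"]
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

STATE_RE = re.compile(r"^Logging buffer configuration and contents\s*:\s*(\w+)")
COUNTER_RE = re.compile(
    r"^(Allowed max buffer size|Actual buffer size|Dropped messages|"
    r"Overwritten messages|Current messages)\s*:\s*(\d+)\s*$")
# Entry header: %Mmm dd hh:mm:ss:sss yyyy Sysname MODULE/severity/MNEMONIC: text
ENTRY_RE = re.compile(
    r"^%(?P<mon>" + "|".join(MONTHS) + r")\s+(?P<day>\d{1,2}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{1,3}) (?P<year>\d{4}) "
    r"(?P<sysname>\S+) (?P<module>[^/\s]+)/(?P<sev>[0-7])/(?P<mnemonic>[^:]+):"
    r"\s*(?P<text>.*)$")

# Constructed sample: header and first entry follow the first example above;
# the second entry reuses the SHELL/4/LOGIN message shown later in this manual.
SAMPLE = """\
Logging buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 718
Current messages : 512

%Jun 17 15:57:09:578 2006 Sysname IC/7/SYS_RESTART:
System restarted --
%Jun 17 15:58:41:12 2006 Sysname SHELL/4/LOGIN: VTY login from 192.168.1.44
"""


def parse_logbuffer(output):
    """Split display logbuffer output into state, counters and log entries."""
    parsed = {"state": None, "counters": {}, "entries": []}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            g = m.groupdict()
            sev = int(g["sev"])
            parsed["entries"].append({
                # The sss field is milliseconds and is not zero padded.
                "time": datetime(int(g["year"]), MONTHS.index(g["mon"]) + 1,
                                 int(g["day"]), int(g["h"]), int(g["m"]),
                                 int(g["s"]), int(g["ms"]) * 1000),
                "sysname": g["sysname"],
                "module": g["module"],
                "severity": sev,
                "severity_name": SEVERITY[sev],
                "mnemonic": g["mnemonic"],
                "message": g["text"],
            })
            continue
        m = STATE_RE.match(line)
        if m:
            parsed["state"] = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if m:
            parsed["counters"][m.group(1)] = int(m.group(2))
            continue
        if parsed["entries"]:
            # Continuation line: message text wrapped below the entry header.
            last = parsed["entries"][-1]
            last["message"] = (last["message"] + " " + line).strip()
    return parsed


def retention_findings(parsed):
    """Report conditions under which the buffer is not a complete record."""
    c = parsed["counters"]
    findings = []
    if parsed["state"] != "enabled":
        findings.append("log buffer is not enabled")
    if c.get("Overwritten messages", 0) > 0:
        findings.append("%d older messages were overwritten and are gone from "
                        "the buffer" % c["Overwritten messages"])
    if c.get("Dropped messages", 0) > 0:
        findings.append("%d messages were dropped" % c["Dropped messages"])
    if "Current messages" in c and c["Current messages"] == c.get("Actual buffer size"):
        findings.append("buffer is full; the latest messages overwrite the old ones")
    return findings


if __name__ == "__main__":
    result = parse_logbuffer(SAMPLE)
    for entry in result["entries"]:
        print(entry["time"].isoformat(), entry["module"],
              entry["severity_name"], entry["mnemonic"], entry["message"])
    for finding in retention_findings(result):
        print("FINDING:", finding)
```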

display logbuffer summary

Syntax

display logbuffer summary [ level severity ]

View

Any view

Default Level

1: Monitor level

Parameters

level severity: Displays the summary of the log buffer, where severity represents information level, in
the range 0 to 7.

Description

Use the display logbuffer summary command to display the summary of the log buffer.

Examples

# Display the summary of the log buffer.


<Sysname> display logbuffer summary
 EMERG ALERT  CRIT ERROR  WARN NOTIF  INFO DEBUG
     0     0     0     0    22     0     1     0

Table 1-6 display logbuffer summary command output description

Field    Description
EMERG    Represents emergency, refer to Table 1-4 for details
ALERT    Represents alert, refer to Table 1-4 for details
CRIT     Represents critical, refer to Table 1-4 for details
ERROR    Represents error, refer to Table 1-4 for details
WARN     Represents warning, refer to Table 1-4 for details
NOTIF    Represents notice, refer to Table 1-4 for details
INFO     Represents informational, refer to Table 1-4 for details
DEBUG    Represents debug, refer to Table 1-4 for details

display logfile buffer

Syntax

display logfile buffer [ | { begin | exclude | include } regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular
expressions, see CLI in the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256
characters.

Description

Use the display logfile buffer command to display contents of the log file buffer.
Note that all contents in the log file buffer will be cleared after they are successfully saved into the log file
automatically or manually.

Examples

# Display the contents of the log file buffer.


<Sysname> display logfile buffer
%@27091414#Aug 7 08:04:02:470 2009 Sysname IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.4<linkUp>: Interface 983040 is Up, ifAdminStatus is 1, ifOperStatus
is 1

The rest is omitted here.

display logfile summary

Syntax

display logfile summary [ | { begin | exclude | include } regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular
expressions, see CLI in the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, which is a case-sensitive string of 1 to 256
characters.

Description

Use the display logfile summary command to display the configuration of the log file.

Examples

# Display the configuration of the log file.


<Sysname> display logfile summary
Log file is enabled.
Channel number : 9
Log file size quota : 5 MB
Log file directory : flash:/logfile
Writing frequency : 24 hour 0 min 10 sec

Table 1-7 display logfile summary command output description

Field                  Description
Log file is            The current state of a log file, which could be enabled or disabled.
Channel number         The channel number of a log file, defaults to 9.
Log file size quota    The maximum storage space reserved for a log file
Log file directory     Log file directory
Writing frequency      Log file writing frequency

display trapbuffer

Syntax

display trapbuffer [ reverse ] [ size buffersize ]

View

Any view

Default Level

1: Monitor level

Parameters

reverse: Displays trap entries chronologically, with the most recent entry at the top. If this keyword is
not specified, trap entries will be displayed chronologically, with the oldest entry at the top.
size buffersize: Displays the specified number of the latest trap messages in the trap buffer, where
buffersize represents the number of the latest trap messages to be displayed, in the range 1 to 1,024.

Description

Use the display trapbuffer command to display the state of the trap buffer and the trap information recorded.
Absence of the size buffersize argument indicates that all trap information is displayed.

Examples

# Display the state of the trap buffer and the trap information recorded.
<Sysname> display trapbuffer
Trapping buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 2

#Aug 7 14:47:35:636 2008 Sysname IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.3<linkDown>: Interface 983041 is Down, ifAdminStatus is 2,
ifOperStatus is 2
#Aug 7 14:47:47:724 2008 Sysname IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.4<linkUp>: Interface 983041 is Up, ifAdminStatus is 1, ifOperStatus
is 1

Table 1-8 display trapbuffer command output description

Field                                         Description
Trapping buffer configuration and contents    Indicates the current state of the trap buffer and its contents, which could be enabled or disabled.
Allowed max buffer size                       The maximum buffer size allowed
Actual buffer size                            The actual buffer size
Channel number                                The channel number of the trap buffer, defaults to 3.
channel name                                  The channel name of the trap buffer, defaults to trapbuffer.
Dropped messages                              The number of dropped messages
Overwritten messages                          The number of overwritten messages (when the buffer size is not big enough to hold all messages, the latest messages overwrite the old ones).
Current messages                              The number of the current messages

enable log updown

Syntax

enable log updown


undo enable log updown

View

Interface view

Default Level

2: System level

Parameters

None

Description

Use the enable log updown command to allow a port to generate link up/down logging information
when the port state changes.
Use the undo enable log updown command to disable a port from generating link up/down logging
information when the port state changes.

By default, all the ports are allowed to generate port link up/down logging information when the port
state changes.

Examples

# Disable port Vlan-interface1 from generating link up/down logging information.


<Sysname> system-view
[Sysname] interface vlan-interface1
[Sysname-Vlan-interface1] undo enable log updown

info-center channel name

Syntax

info-center channel channel-number name channel-name


undo info-center channel channel-number

View

System view

Default Level

2: System level

Parameters

channel-number: Specifies a channel number, in the range 0 to 9.


channel-name: Specifies a channel name, a string of 1 to 30 characters. The name can contain only
letters and numbers, must start with a letter, and is case insensitive.

Description

Use the info-center channel name command to name a channel with a specified channel number.
Use the undo info-center channel command to restore the default name for a channel with a specified
channel number.
Refer to Table 1-1 for details of default channel names and channel numbers.

Examples

# Name channel 0 as abc.


<Sysname> system-view
[Sysname] info-center channel 0 name abc

info-center console channel

Syntax

info-center console channel { channel-number | channel-name }


undo info-center console channel

View

System view

Default Level

2: System level

Parameters

channel-number: Specifies a channel number, in the range 0 to 9.


channel-name: Specifies a channel name, which could be a default name or a self-defined name. The
user needs to specify a channel name first before using it as a self-defined channel name. For more
information, refer to the info-center channel name command.

Description

Use the info-center console channel command to specify the channel to output system information to
the console.
Use the undo info-center console channel command to restore the default output channel to the
console.
By default, output of information to the console is enabled with channel 0 as the default channel (known
as console).
Note that the info-center console channel command takes effect only after the information center is
enabled first with the info-center enable command.

Examples

# Set channel 0 to output system information to the console.


<Sysname> system-view
[Sysname] info-center console channel 0

info-center enable

Syntax

info-center enable
undo info-center enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the info-center enable command to enable information center.


Use the undo info-center enable command to disable the information center.
The system outputs information to the log host or the console only after the information center is
enabled first.

By default, the information center is enabled.

Examples

# Enable the information center.


<Sysname> system-view
[Sysname] info-center enable
Info: Information center is enabled.

info-center logbuffer

Syntax

info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ] *


undo info-center logbuffer [ channel | size ]

View

System view

Default Level

2: System level

Parameters

channel-number: A specified channel number, in the range 0 to 9.


channel-name: Specifies a channel name, which could be a default name or a self-defined name. The
user needs to specify a channel name first before using it as a self-defined channel name. For more
information, refer to the info-center channel name command.
buffersize: Specifies the maximum number of log messages that can be stored in a log buffer, in the
range 0 to 1,024 with 512 as the default value.

Description

Use the info-center logbuffer command to enable information output to a log buffer and set the
corresponding parameters.
Use the undo info-center logbuffer command to disable information output to a log buffer.
By default, information is output to the log buffer with the default channel of channel 4 (logbuffer) and
the default buffer size of 512.
Note that the info-center logbuffer command takes effect only after the information center is enabled
with the info-center enable command.

Examples

# Configure the system to output information to the log buffer through channel 4, and set the log buffer
size to 50.
<Sysname> system-view
[Sysname] info-center logbuffer size 50

info-center logfile enable

Syntax

info-center logfile enable


undo info-center logfile enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the info-center logfile enable command to enable the output of system information to the log file.
Use the undo info-center logfile enable command to disable the output of system information to the
log file.
By default, the output of system information to the log file is enabled.

Examples

# Enable the log file feature.


<Sysname> system-view
[Sysname] info-center logfile enable

info-center logfile frequency

Syntax

info-center logfile frequency freq-sec


undo info-center logfile frequency

View

System view

Default Level

2: System level

Parameters

freq-sec: Frequency with which the system saves the log file, which ranges from 1 to 86,400 seconds.
The default value is 86,400.

Description

Use the info-center logfile frequency command to configure the frequency with which the system
saves the log file.

Use the undo info-center logfile frequency command to restore the default frequency.
By default, the frequency with which the system saves the log file is 86,400 seconds.

Examples

# Configure the frequency with which the system saves the log file as 60,000 seconds.
<Sysname> system-view
[Sysname] info-center logfile frequency 60000

info-center logfile size-quota

Syntax

info-center logfile size-quota size


undo info-center logfile size-quota

View

System view

Default Level

2: System level

Parameters

size: The maximum storage space reserved for a log file, in MB. The default range is from 1 to 10 MB.

Description

Use the info-center logfile size-quota command to set the maximum storage space reserved for a log
file.
Use the undo info-center logfile size-quota command to restore the default maximum storage space
reserved for a log file.
By default, the storage space reserved for a log file is 5 MB.

Examples

# Set the maximum storage space reserved for a log file to 6 MB.
<Sysname> system-view
[Sysname] info-center logfile size-quota 6

info-center logfile switch-directory

Syntax

info-center logfile switch-directory dir-name

View

System view

Default Level

2: System level

Parameters

dir-name: The name of the directory where a log file is saved, which is a string of 1 to 64 characters.

Description

Use the info-center logfile switch-directory command to configure the directory where a log file is
saved. Ensure that the directory is created first before saving a log file into it.
By default, the directory to save a log file is the log file directory under the logfile directory of the Flash.
Note that this command can be used to configure the directory to which a log file can be saved. The
configuration will be lost after a system restart.

Examples

# Set the directory to save the log file to flash:/test.


<Sysname> system-view
[Sysname] info-center logfile switch-directory flash:/test

info-center loghost

Syntax

info-center loghost host-ip [ port port-number ] [ channel { channel-number | channel-name } | facility local-number ] *

undo info-center loghost host-ip

View

System view

Default Level

2: System level

Parameters

host-ip: The IP address of the log host.


port port-number: Specifies the number of the port that receives the system information on the log host.
The value ranges from 1 to 65535 and defaults to 514. The value of the port-number argument
should be the same as the value configured on the log host; otherwise, the log host cannot receive
system information.
channel: Specifies the channel through which system information can be output to the log host.
channel-number: Specifies a channel number, in the range 0 to 9.
channel-name: Specifies a channel name, which could be a default name or a self-defined name. The
user needs to specify a channel name first before using it as a self-defined channel name. For more
information, refer to the info-center channel name command.
facility local-number: The logging facility of the log host. The value can be local0 to local7 and defaults
to local7. The logging facility is mainly used to mark different logging sources, and to query and filter the
logs of the corresponding log source.

Description

Use the info-center loghost command to specify a log host and to configure the related parameters.
Use the undo info-center loghost command to restore the default configurations on a log host.
By default, output of system information to the log host is disabled. When it is enabled, the default
channel name will be loghost and the default channel number will be 2.
Note that:
• The info-center loghost command takes effect only after the information center is enabled with
the info-center enable command.
• Make sure that you enter a correct IP address when using the info-center loghost command to configure
the IP address for a log host. The system prompts that the address is invalid if the loopback address
(127.0.0.1) is input.
• A maximum of 4 different hosts can be designated as log hosts.

Examples

# Output log information to a Unix station with the IP address being 1.1.1.1/16.
<Sysname> system-view
[Sysname] info-center loghost 1.1.1.1

info-center loghost source

Syntax

info-center loghost source interface-type interface-number


undo info-center loghost source

View

System view

Default Level

2: System level

Parameters

interface-type interface-number: Specifies the egress interface for log information by the interface type
and interface number.

Description

Use the info-center loghost source command to specify the source IP address for log information.
Use the undo info-center loghost source command to restore the default.
By default, the interface for sending log information is determined by the matched route, and the
primary IP address of this interface is the source IP address of the log information.
After the source IP address of log information is specified, the source IP address of the log information
is the primary IP address of the specified interface, regardless of which physical interface actually
outputs the log information. If you want to display the source IP address in the log information,
you can configure it by using this command.
Note that:
• The info-center loghost source command takes effect only after the information center is
enabled with the info-center enable command.
• The IP address of the specified source interface must be configured; otherwise, although the
info-center loghost source command can be configured successfully, the log host will not receive
any log information.

Examples

When the source IP address for log information is not specified, the status of interface GigabitEthernet
1/0/1 is up, and the log information in the following format is displayed on the log host:
<187>Jul 22 05:58:06 2008 Sysname %%10IFNET/3/LINK UPDOWN(l): GigabitEthernet1/0/1 link
status is UP.

# Specify the IP address of interface loopback 0 as the source IP address of log information.
<Sysname> system-view
[Sysname] interface loopback 0
[Sysname-LoopBack0] ip address 2.2.2.2 32
[Sysname-LoopBack0] quit
[Sysname] info-center loghost source loopback 0

After the above configuration, the status of interface GigabitEthernet 1/0/1 becomes up, and the log
information in the following format is displayed on the log host (compared with the format displayed
when the source IP address for log information is not specified, the following format has the
-DevIP=2.2.2.2 field which indicates the source IP address):
<187>Jul 22 06:11:31 2008 Sysname %%10IFNET/3/LINK UPDOWN(l):-DevIP=2.2.2.2;
GigabitEthernet1/0/1 link status is UP.
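
The following Python code is an added example, not part of the H3C manual. It parses the log host message format shown above, decodes the leading <187> value as a standard syslog priority (facility × 8 + severity), and cross-checks the message against the -DevIP field. The function names, the packet_src parameter (the source address the collector saw on the packet) and the third sample line are assumptions constructed for illustration.

```python
import re

# Standard syslog facility codes: local0..local7 are 16..23.
LOCAL0, LOCAL7 = 16, 23

# <PRI>Mmm dd hh:mm:ss yyyy Sysname %%vvMODULE/level/MNEMONIC(x):[-DevIP=a.b.c.d;] text
LOGHOST_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<sysname>\S+) "
    r"%%(?P<vv>\d{2})"                      # two digits after %% (10 in the manual)
    r"(?P<module>[^/\s]+)/(?P<level>[0-7])/(?P<mnemonic>[^(:]+)"
    r"\((?P<kind>[a-z])\):\s*"              # (l) in the manual's examples
    r"(?:-DevIP=(?P<devip>\d{1,3}(?:\.\d{1,3}){3});\s*)?"
    r"(?P<text>.*)$")

# The first two lines are the manual's examples with the line wrap removed.
BEFORE = ("<187>Jul 22 05:58:06 2008 Sysname %%10IFNET/3/LINK UPDOWN(l): "
          "GigabitEthernet1/0/1 link status is UP.")
AFTER = ("<187>Jul 22 06:11:31 2008 Sysname %%10IFNET/3/LINK UPDOWN(l):"
         "-DevIP=2.2.2.2; GigabitEthernet1/0/1 link status is UP.")
# Constructed line: PRI 190 decodes to severity 6, but the digest says level 3.
INCONSISTENT = ("<190>Jul 22 06:12:02 2008 Sysname %%10IFNET/3/LINK UPDOWN(l):"
                "-DevIP=2.2.2.2; GigabitEthernet1/0/2 link status is UP.")


def parse_loghost(line):
    """Return the fields of one log host message, or None if it does not parse."""
    m = LOGHOST_RE.match(line.strip())
    if not m:
        return None
    msg = m.groupdict()
    pri = int(msg["pri"])
    msg["pri"] = pri
    msg["facility"] = pri >> 3       # 187 >> 3 == 23
    msg["severity"] = pri & 0x07     # 187 & 7 == 3
    msg["level"] = int(msg["level"])
    return msg


def facility_name(code):
    """Name the facility; the loghost command only allows local0 to local7."""
    if LOCAL0 <= code <= LOCAL7:
        return "local%d" % (code - LOCAL0)
    return "facility %d" % code


def check_message(msg, packet_src, expected_devip=None):
    """Consistency checks a collector can run on a parsed message."""
    findings = []
    if msg["severity"] != msg["level"]:
        findings.append("PRI severity %d differs from digest level %d"
                        % (msg["severity"], msg["level"]))
    if not LOCAL0 <= msg["facility"] <= LOCAL7:
        findings.append("%s is outside local0..local7"
                        % facility_name(msg["facility"]))
    if msg["devip"] is None:
        if expected_devip is not None:
            findings.append("no -DevIP field; info-center loghost source "
                            "is not in effect on the sender")
    else:
        if msg["devip"] != packet_src:
            findings.append("-DevIP %s does not match packet source %s"
                            % (msg["devip"], packet_src))
        if expected_devip is not None and msg["devip"] != expected_devip:
            findings.append("-DevIP %s is not the expected source %s"
                            % (msg["devip"], expected_devip))
    return findings


if __name__ == "__main__":
    for line, src in ((BEFORE, "1.1.1.2"), (AFTER, "2.2.2.2"),
                      (INCONSISTENT, "10.0.0.5")):
        msg = parse_loghost(line)
        print(facility_name(msg["facility"]), msg["severity"], msg["module"],
              msg["mnemonic"], msg["devip"], check_message(msg, src, "2.2.2.2"))
```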

info-center monitor channel

Syntax

info-center monitor channel { channel-number | channel-name }


undo info-center monitor channel

View

System view

Default Level

2: System level

Parameters

channel-number: Specifies a channel number, in the range 0 to 9.


channel-name: Specifies a channel name, which could be a default name or a self-defined name. The
user needs to specify a channel name first before using it as a self-defined channel name. For more
information, refer to the info-center channel name command.

Description

Use the info-center monitor channel command to configure the channel to output system information
to the monitor.
Use the undo info-center monitor channel command to restore the default channel to output system
information to the monitor.

By default, output of system information to the monitor is enabled with a default channel name of
monitor and a default channel number of 1.
Note that the info-center monitor channel command takes effect only after the information center is
enabled with the info-center enable command.

Examples

# Output system information to the monitor through channel 0.


<Sysname> system-view
[Sysname] info-center monitor channel 0

info-center snmp channel

Syntax

info-center snmp channel { channel-number | channel-name }


undo info-center snmp channel

View

System view

Default Level

2: System level

Parameters

channel-number: Specifies a channel number, in the range 0 to 9.


channel-name: Specifies a channel name, which could be a default name or a self-defined name. The
user needs to specify a channel name first before using it as a self-defined channel name. For more
information, refer to the info-center channel name command.

Description

Use the info-center snmp channel command to configure the channel to output system information to
the SNMP module.
Use the undo info-center snmp channel command to restore the default channel to output system
information to the SNMP module.
By default, output of system information to the SNMP module is enabled with a default channel name of
snmpagent and a default channel number of 5.
For more information, refer to the display snmp-agent command in the SNMP Commands.

Examples

# Output system information to the SNMP module through channel 6.


<Sysname> system-view
[Sysname] info-center snmp channel 6

info-center source

Syntax

info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *

undo info-center source { module-name | default } channel { channel-number | channel-name }

View

System view

Default Level

2: System level

Parameters

module-name: Specifies the output rules of the system information of the specified modules. For
instance, if information on ARP module is to be output, you can configure this argument as ARP. You
can use the info-center source ? command to view the modules supported by the device.
default: Specifies the output rules of the system information of all the modules allowed to output the
system information, including all the modules displayed by using the info-center source ? command.
debug: Debugging information.
log: Log information.
trap: Trap information.
level severity: Specifies the severity of system information, refer to Table 1-4 for details. With this
keyword, you can specify the severity level of the information allowed/denied to output.
state state: Configures whether to output the system information, which could be on (enabled) or off
(disabled). With this keyword, you can specify whether to output the specified system information.
channel-number: Specifies a channel number, in the range 0 to 9.
channel-name: Specifies a channel name, which could be a default name or a self-defined name. The
user needs to specify a channel name first before using it as a self-defined channel name. For more
information, refer to the info-center channel name command.

Description

Use the info-center source command to specify the output rules of the system information.
Use the undo info-center source command to remove the specified output rules.
By default, the output rules for the system information are listed in Table 1-9.
This command can be used to set the filter and redirection rules of log, trap and debugging information.
For example, you can configure the system to output log information with severity higher than warning
to the log host, and information with severity higher than informational to the log buffer. You can also
configure the system to output trap information of the IP module to a specified output destination.
Note that:
• If you do not use the module-name argument to set output rules for a module, the module uses the
default output rules or the output rules set by the default keyword; otherwise the module uses the
output rules separately set for it.
• If you use the default keyword to set the output rules for all the modules without specifying the
debug, log, and trap keywords, the default output rules for the modules are used. Refer to Table
1-9 for details.
• If you use the module-name argument to set the output rules for a module without specifying the
debug, log, and trap keywords, the default output rules for the module are as follows: the output of
log and trap information is enabled, with severity being informational; the output of debugging
information is disabled, with severity being debug. For example, if you execute the command
info-center source snmp channel 5, the command is actually equal to the command info-center
source snmp channel 5 debug level debugging state off log level informational state on trap
level informational state on.
• If you repeatedly use the command to set the output rules for a module or for all the modules with
the default keyword, the last configured output rules take effect.
• After you separately set the output rules for a module, you must use the module-name argument to
modify or remove the rules. The new configuration by using the default keyword is invalid on the
module.
• You can configure to output the log, trap and debugging information to the trap buffer, but the trap
buffer only receives the trap information and discards the log and debugging information.
• You can configure to output the log, trap and debugging information to the log buffer, but the log
buffer only receives the log and debugging information and discards the trap information.
• You can configure to output the log, trap and debugging information to the SNMP module, but the
SNMP module only receives the trap information and discards the log and debugging information.

Table 1-9 Default output rules for different output destinations

Output destination  Modules allowed        LOG                              TRAP                             DEBUG
                                           Enabled/disabled  Severity       Enabled/disabled  Severity       Enabled/disabled  Severity
Console             default (all modules)  Enabled           Warning        Enabled           Debug          Enabled           Debug
Monitor terminal    default (all modules)  Enabled           Warning        Enabled           Debug          Enabled           Debug
Log host            default (all modules)  Enabled           Informational  Enabled           Debug          Disabled          Debug
Trap buffer         default (all modules)  Disabled          Informational  Enabled           Warning        Disabled          Debug
Log buffer          default (all modules)  Enabled           Warning        Disabled          Debug          Disabled          Debug
SNMP module         default (all modules)  Disabled          Debug          Enabled           Warning        Disabled          Debug

Examples

# Set the output channel for the log information of VLAN module to snmpagent and to output
information with severity being emergency. Log information of other modules cannot be output to this
channel; other types of information of this module may or may not be output to this channel.
<Sysname> system-view
[Sysname] info-center source default channel snmpagent log state off
[Sysname] info-center source vlan channel snmpagent log level emergencies state on

# Set the output channel for the log information of VLAN module to snmpagent and to output
information with severity being emergency. Log information of other modules and all the other system
information cannot be output to this channel.
<Sysname> system-view
[Sysname] info-center source default channel snmpagent debug state off log state off trap state off
[Sysname] info-center source vlan channel snmpagent log level emergencies state on

info-center synchronous

Syntax

info-center synchronous
undo info-center synchronous

View

System view

Default Level

2: System level

Parameters

None

Description

Use the info-center synchronous command to enable synchronous information output.


Use the undo info-center synchronous command to disable the synchronous information output.
By default, the synchronous information output is disabled.

• If system information, such as log information, is output before you input any information under a
current command line prompt, the system will not display the command line prompt after the
system information output.
• If system information is output when you are inputting some interactive information (non Y/N
confirmation information), then after the system information output, the system will not display the
command line prompt but your previous input in a new line.

Examples

# Enable the synchronous information output function, and then input the display interface gigabitethe
command to view Ethernet interface information.
<Sysname> system-view
[Sysname] info-center synchronous
% Info-center synchronous output is on
[Sysname] display interface gigabitethe

At this time, the system receives log messages, and it then displays the log messages first. After the
system displays all the log messages, it displays the user’s previous input, which is display interface
gigabitethe in this example.
%Apr 29 08:12:44:71 2007 Sysname IFNET/4/LINK UPDOWN:
GigabitEthernet1/0/1: link status is UP
[Sysname] display interface gigabitethe

After the above information is displayed, you can input rnet to complete your input of the display
interface gigabitethernet command, and then press the Enter key to execute the command.
# Enable the synchronous information output function, and then save the current configuration (input
interactive information).
<Sysname> system-view
[Sysname] info-center synchronous
% Info-center synchronous output is on
[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:

At this time, the system receives the log information, and it then displays the log information first. After
the system displays all the log information, it displays the user’s previous input, which is [Y/N] in this
example.
%May 21 14:33:19:425 2007 Sysname SHELL/4/LOGIN: VTY login from 192.168.1.44
[Y/N]:

After the above information is displayed, you can input Y or N to complete your input before the output
of the log information.

info-center syslog channel

Syntax

info-center syslog channel { channel-number | channel-name }


undo info-center syslog channel

View

System view

Default Level

2: System level

Parameters

channel-number: Specifies a channel number, in the range 0 to 9.


channel-name: Specifies a channel name, which could be a default name or a self-defined name. You
need to specify a channel name first before using it as a self-defined channel name. For more
information, refer to the info-center channel name command.

Description

Use the info-center syslog channel command to enable the output of system information to the Web
interface.
Use the undo info-center syslog channel command to restore the default.
By default, information is output to the Web interface with the default channel of channel 6.

Examples

# Configure the system to output information to the Web interface through channel 7.
<Sysname> system-view
[Sysname] info-center syslog channel 7

info-center timestamp

Syntax

info-center timestamp { debugging | log | trap } { boot | date | none }


undo info-center timestamp { debugging | log | trap }

View

System view

Default Level

2: System level

Parameters

debugging: Sets the timestamp format of the debugging information.


log: Sets the timestamp output format of the log information.
trap: Sets the timestamp output format of the trap information.
boot: The time taken to boot up the system, in the format of xxxxxx.yyyyyy, in which xxxxxx represents
the most significant 32 bits of the time taken to boot up the system (in milliseconds) whereas yyyyyy is
the least significant 32 bits. For example, 0.21990989 equals Jun 25 14:09:26:881 2007.
date: The current system date and time, in the format of “Mmm dd hh:mm:ss:sss yyyy”.

- Mmm: The abbreviations of the months in English, which could be Jan, Feb, Mar, Apr, May, Jun,
  Jul, Aug, Sep, Oct, Nov, or Dec.
- dd: The date, starting with a space if less than 10, for example “ 7”.
- hh:mm:ss:sss: The local time, with hh ranging from 00 to 23, mm and ss ranging from 00 to 59, and
  sss ranging from 0 to 999.
- yyyy: Represents the year.
none: Indicates no time information is provided.

Description

Use the info-center timestamp command to configure the timestamp format.


Use the undo info-center timestamp command to restore the default.
By default, the timestamp format of log, trap and debugging information is date.

Examples

# Configure the timestamp format for log information as boot.


<Sysname> system-view
[Sysname] info-center timestamp log boot

At this time, if you execute the shutdown command on GigabitEthernet1/0/1 that is in the UP state, the
log information generated is as follows:
%0.1382605158 Sysname IFNET/4/LINK UPDOWN:
GigabitEthernet1/0/1: link status is DOWN

# Configure the timestamp format for log information as date.


<Sysname> system-view
[Sysname] info-center timestamp log date

At this time, if you execute the shutdown command on GigabitEthernet1/0/1 that is in the UP state, the
log information generated is as follows:
%Sep 29 17:19:11:188 2007 Sysname IFNET/4/LINK UPDOWN:
GigabitEthernet1/0/1: link status is DOWN

# Configure the timestamp format for log information as none.


<Sysname> system-view
[Sysname] info-center timestamp log none

At this time, if you execute the shutdown command on GigabitEthernet1/0/1 that is in the UP state, the
log information generated is as follows:
% Sysname IFNET/4/LINK UPDOWN:
GigabitEthernet1/0/1: link status is DOWN
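
The three timestamp formats shown above must be told apart before these messages can be ordered in a log pipeline. The following Python parser is an added example, not part of the H3C manual. It assumes the record layout visible in the examples on this page, treats a line without a leading % as the continuation of the previous record, and uses illustrative function names.

```python
import re
from datetime import datetime, timedelta

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# "date" format: %Mmm dd hh:mm:ss:sss yyyy (dd is space-padded below 10)
DATE_RE = re.compile(
    r"^%(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) (?P<h>\d{2}):(?P<m>\d{2}):"
    r"(?P<s>\d{2}):(?P<ms>\d{1,3}) (?P<year>\d{4}) ")
# "boot" format: %xxxxxx.yyyyyy = high and low 32 bits of the uptime in ms
BOOT_RE = re.compile(r"^%(?P<high>\d+)\.(?P<low>\d+) ")
# Rest of every record: <sysname> <MODULE>/<severity>/<MNEMONIC>: <text>
BODY_RE = re.compile(
    r"^(?P<host>\S+) (?P<module>[A-Za-z0-9]+)/(?P<severity>\d)/"
    r"(?P<mnemonic>[^:]+):\s*(?P<text>.*)$")

# Log lines copied from the examples on this page.
SAMPLE = """\
%May 21 14:33:19:425 2007 Sysname SHELL/4/LOGIN: VTY login from 192.168.1.44
%0.1382605158 Sysname IFNET/4/LINK UPDOWN:
GigabitEthernet1/0/1: link status is DOWN
%Sep 29 17:19:11:188 2007 Sysname IFNET/4/LINK UPDOWN:
GigabitEthernet1/0/1: link status is DOWN
% Sysname IFNET/4/LINK UPDOWN:
GigabitEthernet1/0/1: link status is DOWN
""".splitlines()


def join_records(raw_lines):
    """Glue continuation lines (no leading '%') onto the record they follow."""
    records = []
    for line in raw_lines:
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("%") or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line.lstrip()
    return records


def parse_record(record, boot_time=None):
    """Return a dict for one joined record, or None if it does not match.

    boot_time is an assumption supplied by the caller: the wall-clock time
    at which the device booted. Without it a "boot" record only yields an
    uptime, and a "none" record never yields a timestamp.
    """
    stamp = uptime = None
    try:
        m = DATE_RE.match(record)
        if m:
            fmt = "date"
            stamp = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                             int(m["h"]), int(m["m"]), int(m["s"]),
                             int(m["ms"]) * 1000)
        elif (m := BOOT_RE.match(record)):
            fmt = "boot"
            uptime = timedelta(
                milliseconds=(int(m["high"]) << 32) + int(m["low"]))
            if boot_time is not None:
                stamp = boot_time + uptime
        elif record.startswith("% "):
            fmt = "none"
        else:
            return None
    except (KeyError, ValueError, OverflowError):
        return None  # unknown month or out-of-range field
    rest = record[m.end():] if m else record[2:]
    body = BODY_RE.match(rest)
    if body is None:
        return None
    return {"format": fmt, "timestamp": stamp, "uptime": uptime,
            **body.groupdict(), "severity": int(body["severity"])}


def parse_stream(raw_lines, boot_time=None):
    """Parse raw terminal or log-file lines; unparseable records are skipped."""
    parsed = (parse_record(r, boot_time) for r in join_records(raw_lines))
    return [p for p in parsed if p is not None]


if __name__ == "__main__":
    for rec in parse_stream(SAMPLE):
        print(rec["format"], rec["timestamp"], rec["uptime"],
              rec["module"], rec["mnemonic"], rec["text"])
```

Records in the none format carry no time at all, so a collector can only order them by its own receive time.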

info-center timestamp loghost

Syntax

info-center timestamp loghost { date | no-year-date | none }


undo info-center timestamp loghost

View

System view
Default Level

2: System level

Parameters

date: Indicates the current system date and time, in the format of "Mmm dd hh:mm:ss:ms yyyy".
However, the display format depends on the log host.
no-year-date: Indicates the current system date and time (year exclusive).
none: Indicates that no time stamp information is provided.

Description

Use the info-center timestamp loghost command to configure the time stamp format of the system
information sent to the log host.
Use the undo info-center timestamp loghost command to restore the default.
By default, the time stamp format for system information sent to the log host is date.

Examples

# Configure the system so that the system information output to the log host does not include the year.
<Sysname> system-view
[Sysname] info-center timestamp loghost no-year-date

info-center trapbuffer

Syntax

info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] *


undo info-center trapbuffer [ channel | size ]

View

System view

Default Level

2: System level

Parameters

size buffersize: Specifies the maximum number of trap messages in a trap buffer, in the range 0 to
1,024 with 256 as the default value.
channel-number: Specifies a channel number, in the range 0 to 9.
channel-name: Specifies a channel name, which could be a default name or a self-defined name. The
user needs to specify a channel name first before using it as a self-defined channel name. For more
information, refer to the info-center channel name command.

Description

Use the info-center trapbuffer command to enable information output to the trap buffer and set the
corresponding parameters.
Use the undo info-center trapbuffer command to disable information output to the trap buffer.

By default, information output to the trap buffer is enabled with channel 3 (trapbuffer) as the default
channel and a maximum buffer size of 256.
Note that the info-center trapbuffer command takes effect only after the information center is enabled
with the info-center enable command.

Examples

# Configure the system to output information to the trap buffer through the default channel, and set the
trap buffer size to 30.
<Sysname> system-view
[Sysname] info-center trapbuffer size 30

logfile save

Syntax

logfile save

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the logfile save command to save all the contents in the log file buffer into the log file.
By default, the system automatically saves the log file based on a frequency configured by the
info-center logfile frequency command into a directory configured by the info-center logfile
switch-directory command.
Note that all contents in the log file buffer will be cleared after they are successfully saved into the log file
automatically or manually.

Examples

# Save the contents in the log file buffer into the log file.
<Sysname> logfile save

reset logbuffer

Syntax

reset logbuffer

View

User view

Default Level

3: Manage level

Parameters

None

Description

Use the reset logbuffer command to reset the log buffer contents.

Examples

# Reset the log buffer contents.


<Sysname> reset logbuffer

reset trapbuffer

Syntax

reset trapbuffer

View

User view

Default Level

3: Manage level

Parameters

None

Description

Use the reset trapbuffer command to reset the trap buffer contents.

Examples

# Reset the trap buffer contents.


<Sysname> reset trapbuffer

terminal debugging

Syntax

terminal debugging
undo terminal debugging

View

User view

Default Level

1: Monitor level

Parameters

None

Description

Use the terminal debugging command to enable the display of debugging information on the current
terminal.
Use the undo terminal debugging command to disable the display of debugging information on the
current terminal.
By default, the display of debugging information on the current terminal is disabled.
Note that:
- The debugging information is displayed (using the terminal debugging command) only after the
  monitoring of system information is enabled on the current terminal first (using the terminal
  monitor command).
- The configuration of this command is valid for only the current connection between the terminal and
  the device. If a new connection is established, the display of debugging information on the terminal
  restores the default.

Examples

# Enable the display of debugging information on the current terminal.


<Sysname> terminal debugging
Info: Current terminal debugging is on.

terminal logging

Syntax

terminal logging
undo terminal logging

View

User view

Default Level

1: Monitor level

Parameters

None

Description

Use the terminal logging command to enable the display of log information on the current terminal.
Use the undo terminal logging command to disable the display of log information on the current
terminal.
By default, the display of log information on the current terminal is disabled.
Note that:

- The log information is displayed (using the terminal logging command) only after the monitoring
  of system information is enabled on the current terminal first (using the terminal monitor
  command).
- The configuration of this command is valid for only the current connection between the terminal and
  the device. If a new connection is established, the display of log information on the terminal
  restores the default.

Examples

# Disable the display of log information on the current terminal.


<Sysname> undo terminal logging
Info: Current terminal logging is off.

terminal monitor

Syntax

terminal monitor
undo terminal monitor

View

User view

Default Level

1: Monitor level

Parameters

None

Description

Use the terminal monitor command to enable the monitoring of system information on the current
terminal.
Use the undo terminal monitor command to disable the monitoring of system information on the
current terminal.
By default, monitoring of the system information on the console is enabled and that on the monitor
terminal is disabled.
Note that:
- You need to configure the terminal monitor command before you can display the log, trap, and
  debugging information.
- Configuration of the undo terminal monitor command automatically disables the monitoring of log,
  trap, and debugging information.
- The configuration of this command is valid for only the current connection between the terminal and
  the device. If a new connection is established, the monitoring of system information on the terminal
  restores the default.

Examples

# Enable the monitoring of system information on the current terminal.


<Sysname> terminal monitor
Info: Current terminal monitor is on.

terminal trapping

Syntax

terminal trapping
undo terminal trapping

View

User view

Default Level

1: Monitor level

Parameters

None

Description

Use the terminal trapping command to enable the display of trap information on the current terminal.
Use the undo terminal trapping command to disable the display of trap information on the current
terminal.
By default, the display of trap information on the current terminal is enabled.
Note that:
- The trap information is displayed (using the terminal trapping command) only after the monitoring
  of system information is enabled on the current terminal first (using the terminal monitor
  command).
- The configuration of this command is valid for only the current connection between the terminal and
  the device. If a new connection is established, the display of trap information on the terminal
  restores the default.

Examples

# Enable the display of trap information on the current terminal.


<Sysname> terminal trapping
Info: Current terminal trapping is on.

Table of Contents

1 MAC Address Table Configuration Commands
    MAC Address Table Configuration Commands
        display mac-address
        display mac-address aging-time
        display mac-address statistics
        mac-address (Interface view)
        mac-address (system view)
        mac-address max-mac-count (Interface view)
        mac-address timer

1 MAC Address Table Configuration Commands

Currently, interfaces involved in MAC address table configuration can only be Layer 2 Ethernet ports
and Layer 2 aggregate interfaces.

MAC Address Table Configuration Commands


display mac-address

Syntax

display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type
interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ]

View

Any view

Default Level

1: Monitor level

Parameters

blackhole: Destination blackhole MAC address entries. These entries do not age but you can add
or remove them. Packets whose destination MAC addresses match destination blackhole MAC
address entries are dropped.

vlan vlan-id: Displays MAC address entries of the specified VLAN, where vlan-id is in the range 1 to
4094.
count: Displays the number of MAC address entries specified by related parameters in the command.
When this keyword is used, the command displays only the number of specified MAC address entries,
rather than related information about these MAC address entries.
mac-address: Displays the MAC address entries for a specified MAC address, in the format of H-H-H.
dynamic: Displays dynamic MAC address entries. Aging time is set for these entries.
static: Displays static MAC address entries. Similar to blackhole MAC address entries, these entries do
not age but you can add or remove them.
interface interface-type interface-number: Displays MAC address learning status of the specified
interface. interface-type interface-number specifies an interface by its type and number.

Description

Use the display mac-address command to display information about the MAC address table.
Note that:
- If you execute this command without specifying any parameters, this command displays
  information of all MAC address entries on the device, including unicast MAC address entries and
  static multicast MAC address entries.
- If you execute this command using only the vlan keyword or the count keyword, or only these two
  keywords, the command output will include information of unicast MAC address entries as well as
  that of static multicast MAC address entries.

Examples

# Display the MAC address table entry for MAC address 000f-e201-0101.
<Sysname> display mac-address 000f-e201-0101
MAC ADDR        VLAN ID  STATE    PORT INDEX            AGING TIME(s)
000f-e201-0101  1        Learned  GigabitEthernet1/0/1  AGING

--- 1 mac address(es) found ---

Table 1-1 display mac-address command output description

Field                     Description
MAC ADDR                  MAC address
VLAN ID                   ID of the VLAN to which the MAC address belongs
STATE                     State of a MAC address entry, includes:
                          - Config static: static entry configured by the user manually
                          - Config dynamic: dynamic entry configured by the user manually
                          - Learned: entry learned by the device
                          - Blackhole: destination blackhole entry
PORT INDEX                Number of the port corresponding to the MAC address, that is,
                          packets destined to this MAC address will be sent out from this
                          port. (Displayed as N/A for a blackhole MAC address entry).
AGING TIME                Aging time, which could be:
                          - AGING, indicates that the entry is aging.
                          - NOAGED, indicates that the entry does not age.
1 mac address(es) found   One MAC address entry is found

display mac-address aging-time

Syntax

display mac-address aging-time

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display mac-address aging-time command to display the aging time of dynamic entries in the
MAC address table.
Related commands: mac-address (system view), mac-address (Ethernet interface view),
mac-address timer, display mac-address.

Examples

# Display the aging time of dynamic entries in the MAC address table.
<Sysname> display mac-address aging-time
Mac address aging time: 300s

The above information indicates that the aging time of dynamic entries in the MAC address table is 300
seconds.

display mac-address statistics

Syntax

display mac-address statistics

View

Any view

Default Level

1: Monitor level

Parameters

statistics: Displays the statistics of the MAC address table.

Description

Use the display mac-address statistics command to display the statistics of the MAC address table.

Examples

# Display the statistics of the MAC address table.


<Sysname> display mac-address statistics
MAC TYPE LEARNED USER-DEFINED SYSTEM-DEFINED IN-USE AVAILABLE
Dynamic Unicast 24 0 0 24
Static Unicast 0 0 0 0 1024
Total Unicast 24 8192
Dynamic Multicast 0 0 0 0
Static Multicast 0 0 0 0 4094
Total Multicast 0 0

Table 1-2 display mac-address statistics command output description

Field             Description
MAC TYPE          MAC address type:
                  - Dynamic Unicast
                  - Static Unicast
                  - Total Unicast
                  - Dynamic Multicast
                  - Static Multicast
                  - Total Multicast
LEARNED           Dynamically learned MAC addresses
USER-DEFINED      User defined MAC addresses (dynamic and static)
SYSTEM-DEFINED    MAC addresses generated by the system (for example, 802.1x)
IN-USE            Number of existing MAC addresses of a specific type
AVAILABLE         Maximum number of MAC addresses supported by the system

mac-address (Interface view)

Syntax

mac-address { dynamic | static } mac-address vlan vlan-id


undo mac-address { dynamic | static } mac-address vlan vlan-id

View

Ethernet interface view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

dynamic: Dynamic MAC address entries. Aging time is set for these entries.
static: Static MAC address entries. They do not age but you can add or remove them.
mac-address: Specifies a MAC address in the format of H-H-H, where 0s at the beginning of each H
(16-bit hexadecimal digit) can be omitted; for example, inputting “f-e2-1” indicates that the MAC address
is “000f-00e2-0001”.
vlan vlan-id: Specifies an existing VLAN to which the Ethernet interface belongs, where vlan-id is the
specified VLAN ID, in the range 1 to 4094.

Description

Use the mac-address command to add or modify a MAC address entry on a specified interface.
Use the undo mac-address command to remove a MAC address entry on the interface.
Note that, as your MAC address entries configuration cannot survive a reboot, save it after completing
the configuration. The dynamic MAC address table entries however will be lost whether you save the
configuration or not.

Related commands: display mac-address.

Examples

# Add a static entry for MAC address 000f-e201-0101 on port GigabitEthernet1/0/1 that belongs to
VLAN 2.
<Sysname> system-view
[Sysname] interface GigabitEthernet1/0/1
[Sysname-GigabitEthernet1/0/1] mac-address static 000f-e201-0101 vlan 2

# Add a static entry for MAC address 000f-e201-0102 on port Bridge-Aggregation 1 that belongs to
VLAN 1.
<Sysname> system-view
[Sysname] interface bridge-Aggregation 1
[Sysname-Bridge-Aggregation1] mac-address static 000f-e201-0102 vlan 1

mac-address (system view)

Syntax

mac-address blackhole mac-address vlan vlan-id


mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id
undo mac-address [ { dynamic | static } mac-address interface interface-type interface-number vlan
vlan-id ]
undo mac-address [ blackhole | dynamic | static ] [ mac-address ] vlan vlan-id
undo mac-address [ dynamic | static ] mac-address interface interface-type interface-number vlan
vlan-id
undo mac-address [ dynamic | static ] interface interface-type interface-number

View

System view

Default Level

2: System level

Parameters

blackhole: Destination blackhole MAC address entries. These entries do not age but you can add
or remove them. The packets whose destination MAC addresses match destination blackhole MAC
address entries are dropped.

mac-address: Specifies a MAC address in the format of H-H-H, where 0s at the beginning of each H
(16-bit hexadecimal digit) can be omitted; for example, inputting “f-e2-1” indicates that the MAC address
is “000f-00e2-0001”.
vlan vlan-id: Specifies an existing VLAN to which the Ethernet interface belongs, where vlan-id is the
specified VLAN ID, in the range 1 to 4094.
dynamic: Dynamic MAC address entries. Aging time is set for these entries.
static: Static MAC address entries. These entries do not age but you can add or remove them.

interface interface-type interface-number: Outbound interface, with interface-type interface-number
representing the interface type and number.

Description

Use the mac-address command to add or modify a MAC address entry.


Use the undo mac-address command to remove one or all MAC address entries.
Note that:
- A static or blackhole MAC address entry will not be overwritten by a dynamic MAC address entry,
  but a dynamic MAC address entry can be overwritten by a static or blackhole MAC address entry.
- If you execute the undo mac-address command without specifying any parameters, this
  command deletes all unicast MAC address entries and static multicast MAC address entries.
- You can delete all the MAC address entries (including unicast MAC address entries and static
  multicast MAC address entries) of a VLAN, or you can choose to delete its dynamic, static, or
  blackhole MAC address entries only. You can single out some ports and delete the corresponding
  unicast MAC address entries, but not the corresponding static multicast MAC address entries.
- As your MAC address entries configuration cannot survive a reboot, save it after completing the
  configuration. The dynamic entries however will be lost whether you save the configuration or not.
Related commands: display mac-address.

Examples

# Add a static entry for MAC address 000f-e201-0101. All frames destined to this MAC address are sent
out of port GigabitEthernet1/0/1 which belongs to VLAN 2.
<Sysname> system-view
[Sysname] mac-address static 000f-e201-0101 interface gigabitethernet1/0/1 vlan 2

mac-address max-mac-count (Interface view)

Syntax

mac-address max-mac-count { count | disable-forwarding }


undo mac-address max-mac-count [ disable-forwarding ]

View

Ethernet interface view, port group view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

count: Maximum number of MAC addresses that can be learned on a port. When the argument takes 0,
the VLAN is not allowed to learn MAC addresses. The value range is 0 to 8192.
disable-forwarding: Disables forwarding of frames with unknown source MAC addresses after the
number of learned MAC addresses reaches the upper limit. Frames with the source MAC addresses
listed in the MAC address table will be forwarded normally.

Description

Use the mac-address max-mac-count count command to configure the maximum number of MAC
addresses that can be learned on a port.
Use the mac-address max-mac-count disable-forwarding command to configure not to forward
frames with unknown source MAC addresses after the number of learned MAC addresses reaches the
upper limit.
Use the undo mac-address max-mac-count command to restore the default maximum number of
MAC addresses that can be learned on an Ethernet port.
Use the undo mac-address max-mac-count disable-forwarding command to allow forwarding
frames received on an Ethernet port with unknown source MAC addresses after the number of learned
MAC addresses reaches the upper limit.
The default maximum number of MAC addresses that can be learned is not configured. When the upper
limit is reached, frames received are forwarded by default.
If the command is executed in interface view, the configuration takes effect on the current interface; if
the command is executed in port group view, the configuration takes effect on all ports belonging to the
port group.
Related commands: mac-address, mac-address timer.

Examples

# Set the maximum number of MAC addresses that can be learned on port GigabitEthernet1/0/1 to 600.
After this upper limit is reached, frames received with unknown source MAC addresses on the port will
not be forwarded.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-address max-mac-count 600
[Sysname-GigabitEthernet1/0/1] mac-address max-mac-count disable-forwarding
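
A port whose count of learned addresses has reached its max-mac-count limit is worth reviewing. The following Python sketch is an added example, not part of the H3C manual: it expands the H-H-H notation described above, parses display mac-address rows, and lists ports that have reached their limit. Only the first data row comes from this page; the other rows, the limit of 2 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# STATE values listed in Table 1-1; two of them contain a space.
STATES = ("Config static", "Config dynamic", "Learned", "Blackhole")
HEX_GROUP = r"[0-9a-fA-F]{1,4}"
ROW_RE = re.compile(
    r"^(?P<mac>" + HEX_GROUP + r"(?:-" + HEX_GROUP + r"){2})\s+"
    r"(?P<vlan>\d+)\s+(?P<state>" + "|".join(STATES) + r")\s+"
    r"(?P<port>\S+)\s+(?P<aging>AGING|NOAGED)\s*$")

# First data row is from the manual; the remaining rows are constructed.
SAMPLE = """\
MAC ADDR        VLAN ID  STATE          PORT INDEX            AGING TIME(s)
000f-e201-0101  1        Learned        GigabitEthernet1/0/1  AGING
000f-e201-0102  1        Config static  Bridge-Aggregation1   NOAGED
000f-e201-0103  2        Blackhole      N/A                   NOAGED
000f-e201-0201  2        Learned        GigabitEthernet1/0/2  AGING
000f-e201-0202  2        Learned        GigabitEthernet1/0/2  AGING

  ---  5 mac address(es) found  ---
"""


def normalize_mac(text):
    """Expand H-H-H notation, restoring omitted leading zeros in each H."""
    groups = text.strip().split("-")
    if len(groups) != 3 or not all(
            re.fullmatch(HEX_GROUP, g) for g in groups):
        raise ValueError(f"not an H-H-H MAC address: {text!r}")
    return "-".join(g.lower().zfill(4) for g in groups)


def parse_mac_table(output):
    """Return one dict per entry row; header, blank and summary lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        entries.append({
            "mac": normalize_mac(m["mac"]),
            "vlan": int(m["vlan"]),
            "state": m["state"],
            # Blackhole entries have no outbound port and show N/A.
            "port": None if m["port"] == "N/A" else m["port"],
            "aging": m["aging"],
        })
    return entries


def ports_at_limit(entries, limits):
    """List ports whose Learned-entry count has reached max-mac-count.

    limits maps a port name to its configured count. A limit of 0 means
    learning is disabled, so any learned entry on that port is reported.
    """
    learned = Counter(e["port"] for e in entries if e["state"] == "Learned")
    return sorted(port for port, limit in limits.items()
                  if learned[port] >= max(limit, 1))


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE)
    print(ports_at_limit(table, {"GigabitEthernet1/0/1": 600,
                                 "GigabitEthernet1/0/2": 2}))
```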

mac-address timer

Syntax

mac-address timer { aging seconds | no-aging }


undo mac-address timer aging

View

System view

Default Level

2: System level

Parameters

aging seconds: Sets an aging timer (in seconds) for dynamic MAC address entries. The value range for
the seconds argument is 10~630.
no-aging: Sets dynamic MAC address entries not to age.

Description

Use the mac-address timer command to configure the aging timer for dynamic MAC address entries.
Use the undo mac-address timer command to restore the default.
The default of this command is 300 seconds.
Set the aging timer appropriately: a long aging interval may cause the MAC address table to retain
outdated entries and fail to accommodate the latest network changes; a short interval may result in
removal of valid entries and hence unnecessary broadcasts which may affect device performance.

Examples

# Set the aging timer for dynamic MAC address entries to 500 seconds.
<Sysname> system-view
[Sysname] mac-address timer aging 500

Table of Contents

1 Cluster Management Configuration Commands
    NDP Configuration Commands
        display ndp
        ndp enable
        ndp timer aging
        ndp timer hello
        reset ndp statistics
    NTDP Configuration Commands
        display ntdp
        display ntdp device-list
        display ntdp single-device
        ntdp enable
        ntdp explore
        ntdp hop
        ntdp timer
        ntdp timer hop-delay
        ntdp timer port-delay
    Cluster Configuration Commands
        add-member
        administrator-address
        auto-build
        black-list add-mac
        black-list delete-mac
        build
        cluster
        cluster enable
        cluster switch-to
        cluster-local-user
        cluster-mac
        cluster-mac syn-interval
        cluster-snmp-agent community
        cluster-snmp-agent group v3
        cluster-snmp-agent mib-view
        cluster-snmp-agent usm-user v3
        delete-member
        display cluster
        display cluster base-topology
        display cluster black-list
        display cluster candidates
        display cluster current-topology
        display cluster members
        ftp-server
        holdtime
        ip-pool
        logging-host
        management-vlan
        management-vlan synchronization enable
        nm-interface vlan-interface
        reboot member
        snmp-host
        tftp-server
        timer
        topology accept
        topology restore-from
        topology save-to

1 Cluster Management Configuration Commands

NDP Configuration Commands


display ndp

Syntax

display ndp [ interface interface-list ]

View

Any view

Default Level

1: Monitor level

Parameters

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type is the port type, interface-number is
the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this
argument.

Description

Use the display ndp command to display NDP configuration information, which includes the interval to
send NDP packets, the time for the receiving device to hold NDP information and the information about
the neighbors of all ports.

Examples

# Display NDP configuration information.


<Sysname> display ndp
Neighbor Discovery Protocol is enabled.
Neighbor Discovery Protocol Ver: 1, Hello Timer: 60(s), Aging Timer: 180(s)
Interface: GigabitEthernet1/0/1
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/2
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/3
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/4
Status: Enabled, Pkts Snd: 28440, Pkts Rvd: 27347, Pkts Err: 0
Neighbor 1: Aging Time: 122(s)
MAC Address : 00e0-fc00-2579
Host Name : Sysname
Port Name : GigabitEthernet1/0/4
Software Ver: ESS 11011101
Device Name : S5120
Port Duplex : AUTO
Product Ver : ESS 1101
BootROM Ver : 105BootROM Ver : 107

Interface: GigabitEthernet1/0/5
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/6
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/7
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/8
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/9
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/10
Status: Enabled, Pkts Snd: 28450, Pkts Rvd: 26520, Pkts Err: 0
Neighbor 1: Aging Time: 134(s)
MAC Address : 00e0-fc00-3133
Host Name : Sysname
Port Name : GigabitEthernet1/0/11
Software Ver: ESS 1101
Device Name : S5120
Port Duplex : AUTO
Product Ver : 105

Interface: GigabitEthernet1/0/11
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/12
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/13
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/14
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/15
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/16
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/17
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/18
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/19
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/20
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Table 1-1 display ndp command output description

Field                                    Description
Neighbor Discovery Protocol is enabled   NDP is enabled globally on the current device.
Neighbor Discovery Protocol Ver          Version of NDP
Hello Timer                              Interval to send NDP packets
Aging Timer                              The time for the receiving device to hold NDP information
Interface                                A specified port
Status                                   NDP state of a port
Pkts Snd                                 Number of the NDP packets sent through the port
Pkts Rvd                                 Number of the NDP packets received on the port
Pkts Err                                 Number of the error NDP packets received
Neighbor 1: Aging Time                   Aging time of the NDP information of a neighbor device
MAC Address                              MAC address of a neighbor device
Host Name                                System name of a neighbor device
Port Name                                Port name of a neighbor device
Software Ver                             Software version of the neighbor device
Device Name                              Device model of a neighbor device
Port Duplex                              Port duplex mode of a neighbor device
Product Ver                              Product version of a neighbor device
BootROM Ver                              Boot ROM version of a neighbor device
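
The following Python code is an added example, not part of the H3C manual. It parses output in the display ndp format shown above and compares the reported neighbors with an allowlist of expected neighbor MAC addresses per local port. The sample output is constructed, and the function names and the allowlist structure are assumptions made for illustration.

```python
import re

# Constructed sample in the format of the display ndp example above
# (shortened; not captured from a real device).
SAMPLE_OUTPUT = """\
Neighbor Discovery Protocol is enabled.
Neighbor Discovery Protocol Ver: 1, Hello Timer: 60(s), Aging Timer: 180(s)
Interface: GigabitEthernet1/0/1
Status: Enabled, Pkts Snd: 0, Pkts Rvd: 0, Pkts Err: 0

Interface: GigabitEthernet1/0/4
Status: Enabled, Pkts Snd: 28440, Pkts Rvd: 27347, Pkts Err: 0
Neighbor 1: Aging Time: 122(s)
MAC Address : 00e0-fc00-2579
Host Name : Sysname
Port Name : GigabitEthernet1/0/4
Device Name : S5120

Interface: GigabitEthernet1/0/10
Status: Enabled, Pkts Snd: 28450, Pkts Rvd: 26520, Pkts Err: 3
Neighbor 1: Aging Time: 134(s)
MAC Address : 00e0-fc00-3133
Host Name : Sysname
Port Name : GigabitEthernet1/0/11
Device Name : S5120
"""

TIMERS = re.compile(r"Hello Timer:\s*(\d+)\(s\),\s*Aging Timer:\s*(\d+)\(s\)")
STATUS = re.compile(
    r"Status:\s*(\w+),\s*Pkts Snd:\s*(\d+),\s*Pkts Rvd:\s*(\d+),\s*Pkts Err:\s*(\d+)")
NEIGHBOR = re.compile(r"Neighbor\s+(\d+):\s*Aging Time:\s*(\d+)\(s\)")
FIELD = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")


def parse_display_ndp(text):
    """Return global NDP state, timers, and per-port counters and neighbors."""
    result = {"enabled": False, "hello": None, "aging": None, "ports": {}}
    port = neighbor = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Neighbor Discovery Protocol is enabled.":
            result["enabled"] = True
        elif TIMERS.search(line):
            hello, aging = TIMERS.search(line).groups()
            result["hello"], result["aging"] = int(hello), int(aging)
        elif line.startswith("Interface:"):
            port = {"status": None, "sent": 0, "received": 0, "errors": 0,
                    "neighbors": []}
            result["ports"][line.split(":", 1)[1].strip()] = port
            neighbor = None
        elif STATUS.match(line) and port is not None:
            status, sent, received, errors = STATUS.match(line).groups()
            port.update(status=status, sent=int(sent),
                        received=int(received), errors=int(errors))
        elif NEIGHBOR.match(line) and port is not None:
            # A new neighbor entry; the "Field : value" lines that follow belong to it.
            neighbor = {"Aging Time": int(NEIGHBOR.match(line).group(2))}
            port["neighbors"].append(neighbor)
        elif FIELD.match(line) and neighbor is not None:
            key, value = FIELD.match(line).groups()
            neighbor[key.strip()] = value.strip()
    return result


def audit_neighbors(parsed, expected):
    """Compare parsed neighbors with expected {local port: [neighbor MACs]}."""
    findings = []
    if parsed["hello"] is not None and parsed["aging"] < parsed["hello"]:
        findings.append(("global", "aging timer is shorter than hello timer"))
    for name, port in parsed["ports"].items():
        allowed = {mac.lower() for mac in expected.get(name, ())}
        seen = {n.get("MAC Address", "").lower() for n in port["neighbors"]}
        for mac in sorted(seen - allowed):
            findings.append((name, f"unexpected neighbor {mac}"))
        for mac in sorted(allowed - seen):
            findings.append((name, f"expected neighbor {mac} not seen"))
        if port["errors"]:
            findings.append((name, f"{port['errors']} error NDP packets received"))
    return findings


if __name__ == "__main__":
    # Hypothetical allowlist: only the uplink on port 1/0/4 is expected.
    allowlist = {"GigabitEthernet1/0/4": ["00e0-fc00-2579"]}
    for port_name, message in audit_neighbors(parse_display_ndp(SAMPLE_OUTPUT), allowlist):
        print(f"{port_name}: {message}")
```
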

ndp enable

Syntax

In Ethernet interface view or Layer 2 aggregate interface view:
ndp enable
undo ndp enable

In system view:
ndp enable [ interface interface-list ]
undo ndp enable [ interface interface-list ]

View

System view, Ethernet interface view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 port
indexes/port index lists for this argument.

Description

Use the ndp enable command to enable NDP.
Use the undo ndp enable command to disable this feature.
By default, NDP is enabled globally and also on all ports.
Note that:
• When executed in system view, the ndp enable command enables NDP globally if you do
not specify the interface keyword; if you specify the interface keyword, the command enables
NDP for the specified Ethernet port(s).
• When executed in interface view, this command enables NDP for the current port only.
• Configured in Layer 2 aggregate interface view, the configuration will not take effect on the member
ports of the aggregation group that corresponds to the aggregate interface; configured on a
member port of an aggregation group, the configuration will take effect only after the member port
quits the aggregation group. For a description of aggregation configurations, refer to Link Aggregation
Configuration.

Examples

# Enable NDP globally.


<Sysname> system-view
[Sysname] ndp enable

# Enable NDP for port GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ndp enable

ndp timer aging

Syntax

ndp timer aging aging-time


undo ndp timer aging

View

System view

Default Level

2: System level

Parameters

aging-time: Time for a device to keep the NDP packets it receives, in the range 5 to 255 seconds.

Description

Use the ndp timer aging command to specify the time that a device should keep the NDP packets it
received from the adjacent device.
Use the undo ndp timer aging command to restore the default.
By default, the time that a receiving device should keep the NDP packets is 180 seconds.
Note that the time for the receiving device to hold NDP packets cannot be shorter than the interval to
send NDP packets; otherwise, the NDP table may become unstable.
Related commands: ndp timer hello.

Examples

# Configure the time that a receiving device should keep the NDP packets as 100 seconds.
<Sysname> system-view
[Sysname] ndp timer aging 100

ndp timer hello

Syntax

ndp timer hello hello-time


undo ndp timer hello

View

System view

Default Level

2: System level

Parameters

hello-time: Interval to send NDP packets, in the range 5 to 254 seconds.

Description

Use the ndp timer hello command to set the interval to send NDP packets.
Use the undo ndp timer hello command to restore the default.
By default, the interval to send NDP packets is 60 seconds.
Note that the interval for sending NDP packets cannot be longer than the time for the receiving device to
hold NDP packets; otherwise, the NDP table may become unstable.
Related commands: ndp timer aging.

Examples

# Set the interval to send NDP packets to 80 seconds.


<Sysname> system-view
[Sysname] ndp timer hello 80

reset ndp statistics

Syntax

reset ndp statistics [ interface interface-list ]

View

User view

Default Level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 port
indexes/port index lists for this argument. If you provide this keyword, NDP statistics of the specified
port will be cleared; otherwise, NDP statistics of all ports will be cleared.

Description

Use the reset ndp statistics command to clear NDP statistics.

Examples

# Clear NDP statistics of all ports.


<Sysname> reset ndp statistics

NTDP Configuration Commands

display ntdp

Syntax

display ntdp

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ntdp command to display NTDP configuration information.

Examples

# Display NTDP configuration information.


<Sysname> display ntdp
NTDP is running.
Hops : 4
Timer : 1 min
Hop Delay : 100 ms
Port Delay: 10 ms
Last collection total time: 92ms

Table 1-2 display ntdp command output description

Field                       Description
NTDP is running             NTDP is enabled globally on the local device.
Hops                        Hop count for topology collection
Timer                       Interval to collect topology information (after the cluster is created)
disable                     Indicates the device is not a management device and unable to perform periodical topology collection
Hop Delay                   Delay time for the device to forward topology collection requests
Port Delay                  Delay time for a topology-collection request to be forwarded through a port
Last collection total time  Time cost during the last collection

display ntdp device-list

Syntax

display ntdp device-list [ verbose ]

View

Any view

Default Level

1: Monitor level

Parameters

verbose: Displays the detailed device information collected through NTDP.

Description

Use the display ntdp device-list command to display the device information collected through NTDP.
Note that the information displayed may not be the latest device information if you do not execute the
ntdp explore command before using this command.
Related commands: ntdp explore.

Examples

# Display the device information collected through NTDP.


<Sysname> display ntdp device-list
MAC             HOP  IP             Device
00e0-fc00-3133  2                   S5120
000f-e20f-c415  2    31.31.31.5/24  S5120
00e0-fc00-2579  1                   S5120
00e0-fc00-1751  0    31.31.31.1/24  S5120
00e0-fd00-0043  2                   S3610
00e0-fc00-3199  3                   S5120

Table 1-3 display ntdp device-list command output description

Field   Description
MAC     MAC address of a device
HOP     Hops to the collecting device
IP      IP address and mask length of the management VLAN interface on the device
Device  Device model

# Display the detailed device information collected through NTDP.


<aaa_0.Sysname> display ntdp device-list verbose

Hostname : aaa_0.Sysname
MAC : 00e0-fc00-1400
Hop : 0
Device : H3C S5120
IP : 192.168.1.5/24
Version :
H3C Comware Platform Software
Comware Software, Version 5.20, Alpha 1101
Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C S5120

Cluster : Administrator switch of cluster aaa

Peer MAC        Peer Port ID          Native Port ID        Speed  Duplex
00e0-fc00-5175  GigabitEthernet1/0/1  GigabitEthernet1/0/1  100    FULL

display ntdp device-list verbose command output description

Field              Description
Hostname           System name of the device
MAC                MAC address of the device
Hop                Hops from the current device to the device that collects topology information
Device             Device model
IP                 IP address and subnet mask length of the management VLAN interface on the device
Version            Version information
Cluster            Role of the device in the cluster:
                   • Member switch of cluster aaa: The device is a member device of the cluster aaa.
                   • Administrator switch of cluster aaa: The device is the management device of the cluster aaa.
                   • Candidate switch: The device is a candidate device of cluster aaa.
                   • Independent switch: The device is connected to the cluster, but it has not joined the cluster.
                     This may be because the cluster function is not enabled on the device.
Administrator MAC  MAC address of the management device
Peer MAC           MAC address of a neighbor device
Peer Port ID       Name of the peer port connected to the local port
Native Port ID     Name of the local port to which a neighbor device is connected
Speed              Speed of the local port to which a neighbor device is connected
Duplex             Duplex mode of the local port to which a neighbor device is connected

display ntdp single-device

Syntax

display ntdp single-device mac-address mac-address

View

Any view

Default Level

1: Monitor level

Parameters

mac-address: MAC address of the device, in the format of H-H-H.

Description

Use the display ntdp single-device mac-address command to view the detailed NTDP information of
a specified device.

Examples

# Display the detailed NTDP information of the device with a MAC address of 00E0-FC00-5111.
<Sysname> display ntdp single-device mac-address 00e0-fc00-5111

Hostname : aaa_1.42-com2
MAC : 00e0-fc00-5111
Hop : 1
Device : S5120
IP : 16.168.1.2/24
Version :
H3C Comware Platform Software
Comware Software, Version 5.20, Alpha 1101
Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C S5120

Cluster : Member switch of cluster aaa , Administrator MAC: 00e0-fc00-5175

Peer MAC        Peer Port ID          Native Port ID        Speed  Duplex
00e0-fc00-5175  GigabitEthernet1/0/1  GigabitEthernet1/0/1  100    FULL
00e0-fc00-5175  GigabitEthernet1/0/5  GigabitEthernet1/0/7  100    FULL

Table 1-4 display ntdp device-list command output description

Field              Description
Hostname           System name of the device
MAC                MAC address of the device
Hop                Hops from the current device to the device that collects topology information
Device             Device model
IP                 IP address and subnet mask length of the management VLAN interface on the device
Version            Version information
Cluster            Role of the device in the cluster:
                   • Member switch of cluster aaa: The device is a member device of the cluster aaa.
                   • Administrator switch of cluster aaa: The device is the management device of the cluster aaa.
                   • Candidate switch: The device is a candidate device of cluster aaa.
                   • Independent switch: The device is connected to the cluster, but it has not joined the cluster.
                     This may be because the cluster function is not enabled on the device.
Administrator MAC  MAC address of the management device
Peer MAC           MAC address of a neighbor device
Peer Port ID       Name of the peer port connected to the local port
Native Port ID     Name of the local port to which a neighbor device is connected
Speed              Speed of the local port to which a neighbor device is connected
Duplex             Duplex mode of the local port to which a neighbor device is connected

ntdp enable

Syntax

ntdp enable
undo ntdp enable

View

System view, Ethernet interface view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

None

Description

Use the ntdp enable command to enable NTDP.
Use the undo ntdp enable command to disable NTDP.
By default, NTDP is enabled globally and on all ports.
Note that:
• Execution of the command in system view enables the global NTDP; execution of the command in
interface view enables NTDP of the current port.
• Configured in Layer 2 aggregate interface view, the configuration will not take effect on the member
ports of the aggregation group that corresponds to the aggregate interface; configured on a
member port of an aggregation group, the configuration will take effect only after the member port
quits the aggregation group. For a description of aggregation configurations, refer to Link Aggregation
Configuration.

Examples

# Enable NTDP globally.


<Sysname> system-view
[Sysname] ntdp enable

# Enable NTDP for port GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ntdp enable

ntdp explore

Syntax

ntdp explore

View

User view

Default Level

2: System level

Parameters

None

Description

Use the ntdp explore command to start topology information collection manually.

Examples

# Start topology information collection manually.


<Sysname> ntdp explore

ntdp hop

Syntax

ntdp hop hop-value


undo ntdp hop

View

System view

Default Level

2: System level

Parameters

hop-value: Maximum hop for collecting topology information, in the range 1 to 16.

Description

Use the ntdp hop command to set the maximum hop count for collecting topology information.
Use the undo ntdp hop command to restore the default.
By default, the value is 3.
Note that this command is only applicable to the topology-collecting device. A larger hop count
requires more memory on the topology-collecting device.

Examples

# Set the hop count for topology information collection to 5.


<Sysname> system-view
[Sysname] ntdp hop 5

ntdp timer

Syntax

ntdp timer interval


undo ntdp timer

View

System view

Default Level

2: System level

Parameters

interval: Interval (in minutes) to collect topology information, in the range 0 to 65,535. The value 0
means not to collect topology information.

Description

Use the ntdp timer command to configure the interval to collect topology information.
Use the undo ntdp timer command to restore the default.
By default, the interval to collect topology information is 1 minute.
Note that the management device can start to collect the topology information only after the cluster is
set up.

Examples

# Set the interval to collect the topology information to 30 minutes.


<Sysname> system-view
[Sysname] ntdp timer 30

ntdp timer hop-delay

Syntax

ntdp timer hop-delay delay-time


undo ntdp timer hop-delay

View

System view

Default Level

2: System level

Parameters

delay-time: Delay time (in milliseconds) for a device receiving topology-collection requests to forward
them through its first port. This argument ranges from 1 to 1,000.

Description

Use the ntdp timer hop-delay command to set the delay time for the device to forward
topology-collection requests through the first port.
Use the undo ntdp timer hop-delay command to restore the default delay time, which is 200 ms.

Examples

# Set the delay time for the device to forward topology-collection requests through the first port to 300
ms.
<Sysname> system-view
[Sysname] ntdp timer hop-delay 300

ntdp timer port-delay

Syntax

ntdp timer port-delay delay-time


undo ntdp timer port-delay

View

System view

Default Level

2: System level

Parameters

delay-time: Delay time (in milliseconds) for a device to forward a topology-collection request through its
successive ports, in the range 1 to 100.

Description

Use the ntdp timer port-delay command to set the delay time for a device to forward a received
topology-collection request through its successive ports.

Use the undo ntdp timer port-delay command to restore the default delay time, which is 20 ms.

Examples

# Set the delay time for the device to forward topology-collection requests through the successive ports
to 40 ms.
<Sysname> system-view
[Sysname] ntdp timer port-delay 40

Cluster Configuration Commands


add-member

Syntax

add-member [ member-number ] mac-address mac-address [ password password ]

View

Cluster view

Default Level

2: System level

Parameters

member-number: Member number assigned to the candidate device to be added to a cluster. This
argument varies with devices.
mac-address: MAC address of the candidate device (in hexadecimal form of H-H-H).
password: Password of the candidate device, a string of 1 to 16 characters. The password is required
when you add a candidate device to a cluster. However, this argument is not needed if the candidate
device is not configured with a super password.

Description

Use the add-member command to add a candidate device to a cluster.
Note that:
• This command can be executed only on the management device.
• When adding a member device to a cluster, you need not assign a number to the device. The
management device will automatically assign a usable number to the newly added member device.
• After a candidate device joins the cluster, its level 3 password is replaced by the super password of
the management device in cipher text.

Examples

# Add a candidate device to the cluster on the management device, setting the member number to 6.
(Assume that the MAC address and user password of the candidate device are 00E0-FC00-35E7 and
123456 respectively.)
<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
[aaa_0.Sysname-cluster] add-member 6 mac-address 00e0-fc00-35e7 password 123456

administrator-address

Syntax

administrator-address mac-address name cluster-name


undo administrator-address

View

Cluster view

Default Level

2: System level

Parameters

mac-address: MAC address of the management device (in hexadecimal form of H-H-H).
cluster-name: Name of an existing cluster, a string of 1 to 8 characters, which can only be letters,
numbers, subtraction sign (-), and underline (_).

Description

Use the administrator-address command to add a candidate device to a cluster.
Use the undo administrator-address command to remove a member device from the cluster.
By default, a device belongs to no cluster.
Note that:
• The administrator-address command is applicable on candidate devices only, while the undo
administrator-address command is applicable on member devices only.
• It is recommended that you use the delete-member command on the management device to
remove a cluster member from a cluster.

Examples

# Remove a member device from the cluster on the member device.


<aaa_1.Sysname> system-view
[aaa_1.Sysname] cluster
[aaa_1.Sysname-cluster] undo administrator-address

auto-build

Syntax

auto-build [ recover ]

View

Cluster view

Default Level

2: System level

Parameters

recover: Automatically reestablishes communication with all the member devices.

Description

Use the auto-build command to establish a cluster automatically.
Note that:
• This command can be executed on a candidate device or the management device.
• If you execute this command on a candidate device, you will be required to enter the cluster name
to build a cluster. Then the system will collect candidates and add the collected candidates into the
cluster automatically.
• If you execute this command on the management device, the system will collect candidates directly
and add them into the cluster automatically.
• The recover keyword is used to recover a cluster. Using the auto-build recover command, you
can find the members that are currently not in the member list and add them to the cluster again.
• Ensure that NTDP is enabled, because it is the basis of candidate and member collection. The
collection range is also decided through NTDP. You can use the ntdp hop command in system
view to modify the collection range.
• If a member is configured with a super password different from the super password of the
management device, it cannot be added to the cluster automatically.

Examples

# Establish a cluster automatically on the management device.


<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] auto-build
There is no base topology, if set up from local flash file?(Y/N)
y
Begin get base topology file from local flash......
Get file error, can not finish base topology recover

Please input cluster name:aaa


Collecting candidate list, please wait...

#Jul 22 14:35:18:841 2006 Sysname CLST/5/Cluster_Trap:


OID:1.3.6.1.4.1.2011.6.7.1.0.3: member 0.0.0.0.0.224.252.0.0.0 role change, NTDP
Index:0.0.0.0.0.0.224.252.0.0.0, Role:1
Candidate list:

Name Hops MAC Address Device

Processing...please wait
Cluster auto-build Finish!
0 member(s) added successfully.

black-list add-mac

Syntax

black-list add-mac mac-address

View

Cluster view

Default Level

2: System level

Parameters

mac-address: MAC address of the device to be added into the blacklist, in the form of H-H-H.

Description

Use the black-list add-mac command to add a device to the blacklist.


Note that this command can be executed on the management device only.

Examples

# Add a device with the MAC address of 0EC0-FC00-0001 to the blacklist on the management device.
<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
[aaa_0.Sysname-cluster] black-list add-mac 0ec0-fc00-0001
The black-list is cleared!

black-list delete-mac

Syntax

black-list delete-mac { all | mac-address }

View

Cluster view

Default Level

2: System level

Parameters

all: Deletes all devices from the blacklist.


mac-address: MAC address of the device to be deleted from the blacklist, in the form of H-H-H.

Description

Use the black-list delete-mac command to delete a device from the blacklist.
Note that this command can be executed on the management device only.

Examples

# Delete a device with the MAC address of 0EC0-FC00-0001 from the blacklist on the management
device.
<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
[aaa_0.Sysname-cluster] black-list delete-mac 0ec0-fc00-0001

# Delete all devices in the blacklist on the management device.


[aaa_0.Sysname-cluster] black-list delete-mac all

build

Syntax

build cluster-name
undo build

View

Cluster view

Default Level

2: System level

Parameters

cluster-name: Cluster name, a string of 1 to 8 characters, which can only be letters, numbers,
subtraction sign (-), and underline (_).

Description

Use the build command to configure the current device as the management device and specify a name
for it.
Use the undo build command to configure the current management device as a candidate device.
By default, the device is not a management device.
Note that:
• When executing this command, you will be asked whether to create a standard topology map or
not.
• This command can only be applied to devices that are capable of being a management device and
are not members of other clusters. The command has no effect if you execute it on a
device which is already a member of another cluster. If you execute this command on a
management device, you will replace the cluster name with the one you specify.
• The member number of the management device is 0.

Examples

# Configure the current device as a management device and specify the cluster name as aaa.
<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] build aaa
[Sysname-cluster] ip-pool 172.16.0.1 255.255.255.248
Restore topology from local flash file,for there is no base topology.
(Please confirm in 30 seconds, default No). (Y/N)
Y
Begin get base topology file from local flash......
Get file error, can not finish base topology recover

#Sep 18 19:56:03:804 2006 Sysname IFNET/4/INTERFACE UPDOWN:


Trap 1.3.6.1.6.3.1.1.5.4: Interface 3276899 is Up, ifAdminStatus is 1, ifOperSt
atus is 1
#Sep 18 19:56:03:804 2006 Sysname CLST/4/Cluster_Trap:
OID:1.3.6.1.4.1.2011.6.7.1.0.3: member 0.0.0.0.0.224.252.0.29.0 role change, NTD
PIndex:0.0.0.0.0.0.224.252.0.29.0, Role:1
%Sep 18 19:56:03:804 2006 Sysname IFNET/4/UPDOWN:
Line protocol on the interface Vlan-interface100 is UP
[aaa_0.Sysname-cluster]
%Sep 18 19:56:18:782 2006 Sysname CLST/4/LOG:
Member 00e0-fc00-1e00 is joined in cluster aaa.
[aaa_0.Sysname-cluster]

cluster

Syntax

cluster

View

System view

Default Level

2: System level

Parameters

None

Description

Use the cluster command to enter cluster view.

Examples

# Enter cluster view.


<Sysname> system-view
[Sysname] cluster
[Sysname-cluster]

cluster enable

Syntax

cluster enable
undo cluster enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the cluster enable command to enable the cluster function.
Use the undo cluster enable command to disable the cluster function.
By default, the cluster function is enabled.
Note that:
• When you execute the undo cluster enable command on a management device, you remove the
cluster and its members, and the device stops operating as a management device.
• When you execute the undo cluster enable command on a member device, you disable the
cluster function on the device, and the device leaves the cluster.
• When you execute the undo cluster enable command on a device that belongs to no cluster, you
disable the cluster function on the device.

Examples

# Enable the cluster function.


<Sysname> system-view
[Sysname] cluster enable

cluster switch-to

Syntax

cluster switch-to { member-number | mac-address mac-address | administrator | sysname
member-sysname }

View

User view

Default Level

0: Visit level

Parameters

member-number: Number of a member device in a cluster, which ranges from 1 to 255.


mac-address mac-address: MAC address of a member device, which is in the format of H-H-H.
administrator: Switches from a member device to the management device.
sysname member-sysname: System name of a member device, which is a string of 1 to 32 characters.

Description

Use the cluster switch-to command to switch between the management device and member devices.

Examples

# Switch from the operation interface of the management device to that of the member device
numbered 6 and then switch back to the operation interface of the management device.
<aaa_0.Sysname> cluster switch-to 6
<aaa_6.Sysname> quit
<aaa_0.Sysname>

cluster-local-user

Syntax

cluster-local-user user-name password { cipher | simple } password


undo cluster-local-user user-name

View

Cluster view

Default Level

1: Monitor level

Parameters

cipher: Indicates that the password is in cipher text.


simple: Indicates that the password is in plain text.
user-name: Username used for logging onto the devices within a cluster through Web, which is a string
of 1 to 55 characters.
password: Password used for logging onto the devices within a cluster through Web. This password is a
string of 1 to 63 characters when the simple keyword is specified, and can be in either plain text or
cipher text when the cipher keyword is specified. A plain text password must be a string of 1 to 63
characters. The cipher text password must have a fixed length of 24 or 88 characters. The password is
case sensitive.

Description

Use the cluster-local-user command to configure Web user accounts in batches.


Use the undo cluster-local-user command to remove the configuration.
Note that the command can be configured once on the management device only.

Examples

# On the management device, configure Web user accounts for the devices within a cluster, with
username being abc, password being 123456 and displayed in plain text.
<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
[aaa_0.Sysname-cluster] cluster-local-user abc password simple 123456

cluster-mac

Syntax

cluster-mac mac-address
undo cluster-mac

View

Cluster view

Default Level

2: System level

Parameters

mac-address: Multicast MAC address (in hexadecimal in the format of H-H-H), which can be
0180-C200-0000, 0180-C200-000A, 0180-C200-0020 through 0180-C200-002F, or 010F-E200-0002.

Description

Use the cluster-mac command to configure the destination MAC address for cluster management
protocol packets.
Use the undo cluster-mac command to restore the default.
By default, the destination MAC address for cluster management protocol packets is 0180-C200-000A.
Note that this command can be executed on the management device only.

Examples

# Set the destination MAC address of the cluster management protocol packets to 0180-C200-0000 on
the management device.
<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] cluster-mac 0180-C200-0000

cluster-mac syn-interval

Syntax

cluster-mac syn-interval interval

View

Cluster view

Default Level

2: System level

Parameters

interval: Interval (in minutes) to send MAC address negotiation broadcast packets, which ranges from 0
to 30. If the interval is set to 0, the management device does not send broadcast packets to the member
devices.

Description

Use the cluster-mac syn-interval command to set the interval for a management device to send MAC
address negotiation broadcast packets for cluster management.
By default, the interval is set to one minute.
Note that this command can be executed on the management device only.

Examples

# Set the interval for the management device to send MAC address negotiation broadcast packets for
cluster management to two minutes on the management device.
<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] cluster-mac syn-interval 2

cluster-snmp-agent community

Syntax

cluster-snmp-agent community { read | write } community-name [ mib-view view-name ]
undo cluster-snmp-agent community community-name

View

Cluster view

Default Level

1: Monitor level

Parameters

read: Grants the community read-only access to MIB objects. A community with read-only authority
can only query the device information.
write: Grants the community read-write access to MIB objects. A community with read-write
authority can configure the device information.
community-name: Community name, which is a string of 1 to 26 characters.
view-name: MIB view name, which is a string of 1 to 32 characters.

Description

Use the cluster-snmp-agent community command to configure an SNMP community shared by a
cluster and set its access authority.
Use the undo cluster-snmp-agent community command to remove a specified community name.
Note that:
• The command used to configure the SNMP community with read-only or read-and-write authority
  can only be executed once on the management device. This configuration will be synchronized to
  the member devices in the whitelist, which is equal to configuring multiple member devices at one
  time.
• SNMP community name will be retained if a cluster is dismissed or a member device is removed
  from the whitelist.
• If the same community name as the current one has been configured on a member device, the
  current community name will replace the original one.

Examples

# Configure the SNMP community name shared by a cluster as comaccess and allow the community’s
read-only access to MIB objects.
<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
[aaa_0.Sysname-cluster] cluster-snmp-agent community read comaccess

# Configure the SNMP community name shared by a cluster as comacceswr and allow the
community read-write access to MIB objects.
[aaa_0.Sysname-cluster] cluster-snmp-agent community write comacceswr

cluster-snmp-agent group v3

Syntax

cluster-snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ]
undo cluster-snmp-agent group v3 group-name [ authentication | privacy ]

View

Cluster view

Default Level

1: Monitor level

Parameters

group-name: Group name, which is a string of 1 to 32 characters.
authentication: Specifies to authenticate a packet but not to encrypt it.
privacy: Specifies to authenticate and encrypt a packet.
read-view: Read-only view name, which is a string of 1 to 32 characters.
write-view: Read-write view name, which is a string of 1 to 32 characters.
notify-view: View name in which trap messages can be sent. It is a string of 1 to 32 characters.

Description

Use the cluster-snmp-agent group v3 command to configure the SNMPv3 group shared by a cluster and
set its access rights.
Use the undo cluster-snmp-agent group v3 command to remove the SNMPv3 group shared by a
cluster.
Note that:
• The command can be executed once on the management device only. This configuration will be
  synchronized to the member devices in the whitelist, which is equal to configuring multiple member
  devices at one time.
• SNMPv3 group name will be retained if a cluster is dismissed or a member device is deleted from
  the whitelist.
• If the same group name as the current one has been configured on a member device, the current
  group name will replace the original one.

Examples

# Create an SNMP group snmpgroup.


<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
[aaa_0.Sysname-cluster] cluster-snmp-agent group v3 snmpgroup

cluster-snmp-agent mib-view

Syntax

cluster-snmp-agent mib-view included view-name oid-tree
undo cluster-snmp-agent mib-view view-name

View

Cluster view

Default Level

1: Monitor level

Parameters

included: Includes MIB view.
view-name: MIB view name, which is a string of 1 to 32 characters.
oid-tree: MIB subtree. It is a string of 1 to 255 characters, which can only be a variable OID string or
variable name string. OID is composed of a series of integers, indicating where a node is in the MIB tree.
It can uniquely identify an object in a MIB.

Description

Use the cluster-snmp-agent mib-view command to create or update the MIB view information shared
by a cluster.
Use the undo cluster-snmp-agent mib-view command to delete the MIB view information shared by a
cluster.
By default, the MIB view name shared by a cluster is ViewDefault, in which the cluster can access ISO
subtree.
Note that:
• This command can be executed once on the management device only. This configuration will be
  synchronized to member devices on the whitelist, which is equal to configuring multiple member
  devices at one time.
• The MIB view will be retained if a cluster is dismissed or a member device is deleted from the
  whitelist.
• If the same view name as the current one has been configured on a member device, the current
  view will replace the original one on the member device.

Examples

# Create a view including all objects of mib2.


<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
[aaa_0.Sysname-cluster] cluster-snmp-agent mib-view included mib2 1.3.6.1.2.1

cluster-snmp-agent usm-user v3

Syntax

cluster-snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password ] [ privacy-mode des56 priv-password ]
undo cluster-snmp-agent usm-user v3 user-name group-name

View

Cluster view

Default Level

1: Monitor level

Parameters

user-name: User name, which is a string of 1 to 32 characters.
group-name: Group name, which is a string of 1 to 32 characters.
authentication-mode: Specifies that the security level requires authentication.
md5: Specifies HMAC-MD5-96 as the authentication protocol.
sha: Specifies HMAC-SHA-96 as the authentication protocol.
auth-password: Authentication password, which is a string of 1 to 16 characters if in plain text; it can
only be a string of 24 characters if in cipher text.
privacy-mode: Specifies that the security level requires encryption.
des56: Specifies DES (data encryption standard) as the encryption protocol.
priv-password: Encryption password, which is a string of 1 to 16 characters in plain text; it can only be a
string of 24 characters in cipher text.

Description

Use the cluster-snmp-agent usm-user v3 command to add a new user to the SNMP v3 group shared
by a cluster.
Use the undo cluster-snmp-agent usm-user v3 command to delete the SNMP v3 group user shared
by the cluster.
Note that:
• The command can be executed once on the management device only. This configuration will be
  synchronized to member devices on the whitelist, which is equal to configuring multiple member
  devices at one time.
• SNMPv3 group user will be retained if a cluster is dismissed or a member device is deleted from
  the whitelist.
• If the same username as the current one has been configured on a member device, the current
  username will replace the original one on the member device.

Examples

# Add a user wang to the SNMP group snmpgroup, set the security level to authentication-needed and
specify the authentication protocol as HMAC-MD5-96 and authentication password as pass.
<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
[aaa_0.Sysname-cluster] cluster-snmp-agent usm-user v3 wang snmpgroup authentication-mode md5 pass

delete-member

Syntax

delete-member member-number [ to-black-list ]

View

Cluster view

Default Level

2: System level

Parameters

member-number: Number of a member device in a cluster, in the range 1 to 255.
to-black-list: Adds the device removed from a cluster to the blacklist to prevent it from being added to
the cluster again.

Description

Use the delete-member command to remove a member device from the cluster.
Note that:
• This command can be executed only on the management device.
• If you only remove a member device from the cluster without adding it to the blacklist, the device
  will be automatically added to the cluster again.

Examples

# Remove the member device numbered 2 from the cluster on the management device.
<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] delete-member 2 to-black-list

display cluster

Syntax

display cluster

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display cluster command to display the information of the cluster to which the current device
belongs.
Note that this command can be executed on the management device and member devices only.

Examples

# Display the information of the cluster to which the current device belongs on the management device.
<aaa_0.Sysname> display cluster
Cluster name:"aaa"
Role:Administrator
Management-vlan:100
Handshake timer:10 sec
Handshake hold-time:60 sec
IP-Pool:1.1.1.1/16
cluster-mac:0180-c200-000a
No logging host configured
No SNMP host configured
No FTP server configured
No TFTP server configured

2 member(s) in the cluster, and 0 of them down.

# Display the information of the cluster to which the current device belongs on a member device.
<aaa_1.Sysname> display cluster
Cluster name:"aaa"
Role:Member
Member number:1
Management-vlan:100
cluster-mac:0180-c200-000a
Handshake timer:10 sec
Handshake hold-time:60 sec

Administrator device IP address:1.1.1.1
Administrator device mac address:00e0-fc00-1d00
Administrator status:Up

Table 1-5 display cluster command output description

Field                              Description
Cluster name                       Name of the cluster
Role                               Role of the switch in the cluster:
                                   • Administrator: The current device is a management device.
                                   • Member: The current device is a member device.
Member number                      Member number of the switch in the cluster
Management-vlan                    Management VLAN of the cluster
Handshake timer                    Interval to send handshake packets
Handshake hold-time                Value of handshake timer
IP-Pool                            Private IP addresses of the member devices in the cluster
cluster-mac                        Multicast MAC address of cluster management packets
Administrator device IP address    IP address of the management device
Administrator device mac address   MAC address of the management device
Administrator status               State of the management device

display cluster base-topology

Syntax

display cluster base-topology [ mac-address mac-address | member-id member-number ]

View

Any view

Default Level

2: System level

Parameters

mac-address: Specifies a device by its MAC address. The system will display the standard topology
with the device as the root.
member-number: Specifies a device by its number. The system will display the standard topology with
the device as the root.

Description

Use the display cluster base-topology command to display the standard topology information of a cluster.
You can create a standard topology map when executing the build or auto-build command, or you can
use the topology accept command to save the current topology map as the standard topology map.
Note that this command can be executed on the management device only.

Examples

# Display the standard topology of a cluster.


<aaa_0.Sysname> display cluster base-topology
--------------------------------------------------------------------
(PeerPort) ConnectFlag (NativePort) [SysName:DeviceMac]
--------------------------------------------------------------------
[aaa_0.Sysname:00e0-fc00-1400]
|
├-(P_4/1)<-->(P_1/7)[Sysname:00e0-fc00-3333]
| |
| ├-(P_1/7)<-->(P_4/1)[aaa_3.Sysname:00e0-fc00-0000]
| | |
| | ├-(P_4/1)<-->(P_4/1)[aaa_0.Sysname:00e0-fc00-1400]
| | |
| | ├-(P_4/1)<-->(P_1/9)[Sysname:00e0-fc00-5500]
| | |
| | └-(P_4/1)<-->(P_1/11)[Sysname:00e0-fc00-7000]
| |
| ├-(P_1/7)<-->(P_1/9)[Sysname:00e0-fc00-5500]
| | |
| | ├-(P_1/9)<-->(P_4/1)[aaa_0.H3C:00e0-fc00-1400]
| | |
| | └-(P_1/9)<-->(P_1/11)[Sysname:00e0-fc00-7000]
| |
| └-(P_1/7)<-->(P_1/11)[Sysname:00e0-fc00-7000]
| |
| ├-(P_1/3)<-->(P_1/2)[aaa_2.Sysname:00e0-fd00-5500]
| |
| ├-(P_1/10)<-->(P_4/1)[Sysname:00e0-fc05-4300]
| |
| ├-(P_1/11)<-->(P_4/1)[aaa_0.Sysname:00e0-fc00-1400]
| |
| └-(P_1/8)<-->(P_1/12)[aaa_1.Sysname:00e0-fc00-7016]
|
├-(P_4/1)<-->(P_4/1)[aaa_3.Sysname:00e0-fc00-0000]
| |
| ├-(P_4/1)<-->(P_1/9)[Sysname:00e0-fc00-5500]
| |
| └-(P_4/1)<-->(P_1/11)[Sysname:00e0-fc00-7000]
|
├-(P_4/1)<-->(P_1/9)[Sysname:00e0-fc00-5500]
| |
| └-(P_1/9)<-->(P_1/11)[Sysname:00e0-fc00-7000]
|
└-(P_4/1)<-->(P_1/11)[Sysname:00e0-fc00-7000]
|
├-(P_1/3)<-->(P_1/2)[aaa_2.Sysname:00e0-fd00-5500]
|
├-(P_1/10)<-->(P_4/1)[Sysname:00e0-fc05-4300]
|
└-(P_1/8)<-->(P_1/12)[aaa_1.Sysname:00e0-fc00-7016]

Table 1-6 display cluster base-topology command output description

Field         Description
PeerPort      Peer port
ConnectFlag   Connection flag: <-->
NativePort    Local port
SysName       System name of the peer device
DeviceMac     MAC address of the peer device

display cluster black-list

Syntax

display cluster black-list

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display cluster black-list command to display the current blacklist of a cluster.
Note that this command can be executed on the management device only.

Examples

# View the current blacklist of the cluster.


<aaa_0.Sysname> display cluster black-list
Device ID Access Device ID Access port
00e0-fc00-0010 00e0-fc00-3550 GigabitEthernet1/0/1

Table 1-7 display cluster black-list command output description

Field              Description
Device ID          ID of the blacklist device, indicated by its MAC address.
Access Device ID   ID of the device connected to the blacklist device, indicated by its MAC address.
Access port        Port connected to the blacklist device.

display cluster candidates

Syntax

display cluster candidates [ mac-address mac-address | verbose ]

View

Any view

Default Level

1: Monitor level

Parameters

mac-address mac-address: Specifies the MAC address of a candidate device, in the format of H-H-H.
verbose: Displays the detailed information about a candidate device.

Description

Use the display cluster candidates command to display the information about the candidate devices
of a cluster.
Note that the command can be executed on the management device only.

Examples

# Display the information about all the candidate devices.


<aaa_0.Sysname> display cluster candidates
MAC HOP IP Device
00e0-fc00-3199 3 S5120
000f-cbb8-9528 1 31.31.31.56/24 S5120

# Display the information about a specified candidate device.


<aaa_0.Sysname> display cluster candidates mac-address 00e0-fc61-c4c0
Hostname : LSW1
MAC : 00e0-fc61-c4c0
Hop : 1
Device : Sysname S5120
IP : 1.5.6.9/16

# Display the detailed information about all the candidate devices.


<aaa_0.Sysname> display cluster candidates verbose
Hostname : 3100_4
MAC : 00e0-fc00-3199
Hop : 3
Device : S5120
IP :

Hostname : Sysname
MAC : 000f-cbb8-9528
Hop : 1
Device : S5120
IP : 31.31.31.56/24

Table 1-8 display cluster candidates command output description

Field      Description
Hostname   System name of a candidate device
MAC        MAC address of a candidate device
Hop        Hops from a candidate device to the management device
IP         IP address of a candidate device
Device     Product model of a candidate device

display cluster current-topology

Syntax

display cluster current-topology [ mac-address mac-address [ to-mac-address mac-address ] | member-id member-number [ to-member-id member-number ] ]

View

Any view

Default Level

2: System level

Parameters

member-number: Number of the devices in a cluster (including the management device and member
devices).
mac-address: MAC addresses of the devices in a cluster (including the management device and
member devices).

Description

Use the display cluster current-topology command to display the current topology information of the
cluster.
Note that:
• If you specify both the mac-address mac-address and to-mac-address mac-address arguments,
  the topology information of the devices that are in a cluster and form the connection between two
  specified devices is displayed.
• If you specify both the member-id member-number and to-member-id member-number
  arguments, the topology information of the devices that are in a cluster and form the connection
  between two specified devices is displayed.
• If you specify only the mac-address mac-address or member-id member-number argument, the
  topology information of all the devices in a cluster is displayed, with a specified device as the root
  node.
This command can be executed on the management device only.

Examples

# Display the information of the current topology of a cluster.


<aaa_0.Sysname> display cluster current-topology
--------------------------------------------------------------------
(PeerPort) ConnectFlag (NativePort) [SysName:DeviceMac]
--------------------------------------------------------------------
ConnectFlag:
<--> normal connect ---> odd connect **** in blacklist
???? lost device ++++ new device -||- STP discarding
--------------------------------------------------------------------
[aaa_0.Sysname:00e0-fc00-7016]
|
└-(P_1/12)++++(P_1/8)[Sysname:00e0-fc00-7000]
|
|-(P_1/11)++++(P_1/9)[Sysname:00e0-fc00-5500]
| |
| |-(P_1/9)++++(P_4/1)[aaa_2.Sysname:00e0-fc00-0000]
| |
| └-(P_1/9)++++(P_1/7)[Sysname:00e0-fc00-3333]
|
|-(P_1/11)++++(P_4/1)[bbb_2.H3C:00e0-fc00-0000]
| |
| └-(P_4/1)++++(P_1/7)[Sysname:00e0-fc00-3333]
|
└-(P_1/11)++++(P_1/7)[Sysname:00e0-fc00-3333]

Table 1-9 display cluster current-topology command output description

Field                 Description
PeerPort              Peer port
ConnectFlag           Connection flag
NativePort            Local port
SysName:DeviceMac     System name of the device
<--> normal connect   Indicates a normal connection between the device and the management device
---> odd connect      Indicates a unidirectional connection between the device and the management device
**** in blacklist     Indicates the device is in the blacklist
???? lost device      Indicates a lost connection between the device and the management device
++++ new device       Indicates this is a new device, whose identity is to be recognized by the administrator
-||- STP discarding   STP is blocked

A new device in the topology information is identified based on the standard topology. After you add a
device into a cluster, if you do not use the topology accept command to confirm the current topology
and save it as the standard topology, this device is still regarded as a new device.
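
The following check is an added example, not H3C code: it parses the display cluster current-topology format shown above, compares it with a saved display cluster base-topology capture, and lists every device whose connection flag is not <--> or that is absent from the standard topology. Both captures are constructed samples and the function names are assumptions.

```python
import re

# Connection flags and their meanings, as listed in Table 1-9.
FLAGS = {
    "<-->": "normal connect",
    "--->": "odd connect",
    "****": "in blacklist",
    "????": "lost device",
    "++++": "new device",
    "-||-": "STP discarding",
}

# [SysName:DeviceMac]; the MAC pattern rejects the column-header line.
NODE_RE = re.compile(
    r"\[(?P<name>[^:\]]+):(?P<mac>(?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4})\]"
)
# (PeerPort)ConnectFlag(NativePort)[SysName:DeviceMac]
LINK_RE = re.compile(
    r"\((?P<peer_port>[^)\s]+)\)"
    r"(?P<flag><-->|--->|\*{4}|\?{4}|\+{4}|-\|\|-)"
    r"\((?P<native_port>[^)\s]+)\)" + NODE_RE.pattern
)

# Constructed sample of 'display cluster base-topology' output.
BASE = """
[aaa_0.Sysname:00e0-fc00-1400]
|
├-(P_4/1)<-->(P_1/7)[aaa_1.Sysname:00e0-fc00-3333]
|
└-(P_4/2)<-->(P_1/9)[aaa_2.Sysname:00e0-fc00-5500]
"""

# Constructed sample of 'display cluster current-topology' output.
CURRENT = """
--------------------------------------------------------------------
(PeerPort) ConnectFlag (NativePort) [SysName:DeviceMac]
--------------------------------------------------------------------
ConnectFlag:
<--> normal connect ---> odd connect **** in blacklist
???? lost device ++++ new device -||- STP discarding
--------------------------------------------------------------------
[aaa_0.Sysname:00e0-fc00-1400]
|
├-(P_4/1)<-->(P_1/7)[aaa_1.Sysname:00e0-fc00-3333]
| |
| └-(P_1/8)++++(P_1/1)[Sysname:00e0-fc00-7000]
|
├-(P_4/2)????(P_1/9)[aaa_2.Sysname:00e0-fc00-5500]
|
└-(P_4/3)****(P_1/2)[Sysname:00e0-fc00-0010]
"""


def parse_topology(text):
    """Return (devices, links) for one topology capture.

    devices maps MAC -> system name for every node seen, root included;
    links holds one dict per tree edge. Separators, the column header and
    the flag legend match neither pattern and are skipped.
    """
    devices, links = {}, []
    for line in text.splitlines():
        link = LINK_RE.search(line)
        node = link or NODE_RE.search(line)
        if not node:
            continue
        mac = node.group("mac").lower()
        devices.setdefault(mac, node.group("name"))
        if link:
            links.append({
                "peer_port": link.group("peer_port"),
                "flag": link.group("flag"),
                "native_port": link.group("native_port"),
                "name": link.group("name"),
                "mac": mac,
            })
    return devices, links


def review(base_text, current_text):
    """Map MAC -> sorted reasons why the device needs an administrator's review."""
    base, _ = parse_topology(base_text)
    current, links = parse_topology(current_text)
    findings = {}
    for link in links:
        if link["flag"] != "<-->":
            findings.setdefault(link["mac"], set()).add(FLAGS[link["flag"]])
    for mac in current.keys() - base.keys():
        findings.setdefault(mac, set()).add("not in standard topology")
    for mac in base.keys() - current.keys():
        findings.setdefault(mac, set()).add("missing from current topology")
    return {mac: sorted(reasons) for mac, reasons in sorted(findings.items())}


if __name__ == "__main__":
    for mac, reasons in review(BASE, CURRENT).items():
        print(mac, ", ".join(reasons))
```
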

display cluster members

Syntax

display cluster members [ member-number | verbose ]

View

Any view

Default Level

1: Monitor level

Parameters

member-number: Number of the member device, in the range 0 to 255.
verbose: Displays the detailed information about all the devices in a cluster.

Description

Use the display cluster members command to display the information about cluster members.
Note that this command can be executed on the management device only.

Examples

# Display the information about all the devices in a cluster.


<aaa_0.Sysname> display cluster members
SN Device MAC Address Status Name
0 S3100 00e0-fc00-1751 Admin aaa_0.Sysname
2 S3100 00e0-fc00-3199 Up aaa_2.S5120_4
3 Sysname S3528P 00e0-fd00-0043 Up aaa_3.S5120
4 S3100 00e0-fc00-2579 Up aaa_4.S5120_2
5 S3100 000f-e20f-c415 Up aaa_5.S5120_5

Table 1-10 display cluster members command output description

Field         Description
SN            Member number
Device        Device model
MAC Address   MAC address of a device
Status        State of a device:
              • up: The member device which is up
              • down: The member which is down
              • deleting: The member which is being deleted
              • admin: The management device
Name          System name of a device

# Display the detailed information about the management device and all member devices.
<aaa_0.Sysname> display cluster members verbose
Member number:0
Name:aaa_0.Sysname
Device:H3C S5120
MAC Address:00e0-fc00-1400
Member status:Admin
Hops to administrator device:0
IP:
Version:
H3C Comware Platform Software
Comware Software, Version 5.20, Alpha 1101
Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C S5120

Member number:1
Name:aaa_1.Sysname
Device:H3C S5120
MAC Address:00e0-fc00-7016
Member status:Up
Hops to administrator device:2
IP: 192.168.100.245/24
Version:
H3C Comware Platform Software
Comware Software, Version 5.20, Alpha 1101
Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C S5120

Member number:2
Name:aaa_2.Sysname
Device:H3C S5120
MAC Address:00e0-fd00-5500
Member status:Up
Hops to administrator device:2
IP:
Version:
H3C Comware Platform Software
Comware Software, Version 5.20, Alpha 1101
Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C S5120

Table 1-11 display cluster members verbose command output description

Field                          Description
Member number                  Device member number
Name                           Name of a member device, composed of the cluster name and the system name of
                               the member device, in the format of cluster name.systemname.
                               When the management device type is not consistent with the member device
                               type, if a user modifies the cluster name on the management device
                               continuously, the cluster name may appear twice in the cluster member name,
                               for example, “clustername.clustername.systemname”. This abnormal condition
                               clears after a period of time.
Device                         Device model
MAC Address                    MAC address of a device
Member status                  State of a device
Hops to administrator device   Hops from the current device to the management device
IP                             IP address of a device
Version                        Software version of the current device

ftp-server

Syntax

ftp-server ip-address [ user-name username password { simple | cipher } password ]
undo ftp-server

View

Cluster view

Default Level

3: Manage level

Parameters

ip-address: IP address of the FTP server.
username: Username used to log onto the FTP server, a string of 1 to 32 characters.
simple: Indicates that the password is in plain text.
cipher: Indicates that the password is in cipher text.
password: Password used to log onto the FTP server. This password must be in plain text when the
simple keyword is specified, and can be in either plain text or cipher text when the cipher keyword is
specified. A plain text password must be a string of no more than 16 characters, such as “aaa”. The
cipher text password must have a fixed length of 24 characters, such as _(TT8F]Y\5SQ=^Q`MAF4<1!!.

Description

Use the ftp-server command to configure a public FTP server (by setting its IP address, username, and
password) on the management device for the member devices in the cluster.
Use the undo ftp-server command to remove the FTP server configured for the member devices in the
cluster.
By default, a cluster is not configured with a public FTP server.
Note that the command can be executed on the management device only.

Examples

# Set the IP address, username and password of an FTP server shared by the cluster on the
management device to 1.0.0.9, ftp, and ftp (in plain text) respectively.
<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] ftp-server 1.0.0.9 user-name ftp password simple ftp

holdtime

Syntax

holdtime hold-time
undo holdtime

View

Cluster view

Default Level

2: System level

Parameters

hold-time: Holdtime in seconds, in the range 1 to 255.

Description

Use the holdtime command to configure the holdtime of a device.
Use the undo holdtime command to restore the default.
By default, the holdtime of a device is 60 seconds.
Note that:
• This command can be executed on the management device only.
• The configuration is valid on all member devices in a cluster.

Examples

# Set the holdtime to 30 seconds on the management device.
<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] holdtime 30

ip-pool

Syntax

ip-pool ip-address { mask | mask-length }
undo ip-pool

View

Cluster view

Default Level

2: System level

Parameters

ip-address: Private IP address of the management device in a cluster.
{ mask | mask-length }: Mask of the IP address pool of a cluster. It is an integer or in dotted decimal
notation. When it is an integer, it ranges from 1 to 30. A network address can be obtained by ANDing this
mask with the private IP address of the administrator device. The private IP addresses of all member
devices in a cluster belong to this network segment.

Description

Use the ip-pool command to configure a private IP address range for cluster members.
Use the undo ip-pool command to remove the IP address range configuration.
By default, no private IP address range is configured for cluster members.
Note that:
• You must configure the IP address range on the management device only and before establishing
  a cluster. If a cluster has already been established, you are not allowed to change the IP address
  range.
• For a cluster to work normally, the IP addresses of the VLAN interfaces of the management device
  and member devices must not be in the same network segment as that of the cluster address pool.

Examples

# Configure the IP address range of a cluster.


<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.200.0.1 20
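
An added example (not from the H3C manual) of the two address rules above: it derives the cluster network by ANDing the ip-pool address with its mask and reports VLAN interfaces whose subnet overlaps that pool. The interface names and addresses are constructed, the function names are hypothetical, and treating any overlap as "the same network segment" is an assumption.

```python
import ipaddress


def cluster_pool(ip_address, mask):
    """Network implied by 'ip-pool ip-address { mask | mask-length }'.

    mask may be an integer length (1 to 30, per the parameter description)
    or a dotted-decimal mask.
    """
    mask = str(mask)
    if mask.isdigit() and not 1 <= int(mask) <= 30:
        raise ValueError("mask-length must be in the range 1 to 30")
    # strict=False clears the host bits, i.e. ANDs the address with the mask.
    return ipaddress.ip_network(f"{ip_address}/{mask}", strict=False)


def conflicting_interfaces(pool, vlan_interfaces):
    """Return {interface name: subnet} for interfaces overlapping the pool.

    vlan_interfaces maps an interface name to its 'address/length' string.
    """
    conflicts = {}
    for name, cidr in vlan_interfaces.items():
        subnet = ipaddress.ip_interface(cidr).network
        if subnet.overlaps(pool):
            conflicts[name] = str(subnet)
    return conflicts


# Constructed VLAN interface addresses for a management or member device.
VLAN_INTERFACES = {
    "Vlan-interface1": "192.168.100.245/24",
    "Vlan-interface100": "10.200.8.1/24",
}

if __name__ == "__main__":
    pool = cluster_pool("10.200.0.1", 20)  # values from the example above
    print("cluster pool:", pool)
    for name, subnet in conflicting_interfaces(pool, VLAN_INTERFACES).items():
        print(f"{name} ({subnet}) overlaps the cluster address pool")
```
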

logging-host

Syntax

logging-host ip-address
undo logging-host

View

Cluster view

Default Level

2: System level

Parameters

ip-address: IP address of the logging host.

Description

Use the logging-host command to configure a logging host shared by a cluster.
Use the undo logging-host command to remove the logging host configuration.
By default, no logging host is configured for a cluster.
Note that:
• This command can be executed on the management device only.
• You have to execute the info-center loghost command in system view first for the logging host
  you configured to take effect.
For related configuration, refer to the info-center loghost command in Information Center Commands.

Examples

# Configure the IP address of the logging host shared by a cluster on the management device as
10.10.10.9.
<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] logging-host 10.10.10.9

management-vlan

Syntax

management-vlan vlan-id
undo management-vlan

View

System view

Default Level

2: System level

Parameters

vlan-id: ID of the management VLAN, which ranges from 1 to 4094.

Description

Use the management-vlan command to specify the management VLAN.
Use the undo management-vlan command to restore the default.
By default, VLAN 1 is the management VLAN.
Note that:
• The management VLAN must be specified before a cluster is created. Once a member device is
  added to a cluster, the management VLAN configuration cannot be modified. To modify the
  management VLAN for a device belonging to a cluster, you need to cancel the cluster-related
  configurations on the device, specify the desired VLAN to be the management VLAN, and then
  re-create the cluster.
• For security purposes, it is recommended that you not configure the management VLAN as the
  default VLAN ID of the port connecting the management device and the member devices.
• Packets in the management VLAN can pass without a tag only when the default VLAN ID of all
  cascade ports and of the port connecting the management device and the member device is the
  management VLAN. Otherwise, you must configure these ports to permit packets from the
  management VLAN. For the configuration procedure, see VLAN Configuration.

Examples

# Specify VLAN 2 as the management VLAN.


<Sysname> system-view
[Sysname] management-vlan 2

management-vlan synchronization enable

Syntax

management-vlan synchronization enable
undo management-vlan synchronization enable

View

Cluster view

Default Level

1: Monitor level

Parameters

None

Description

Use the management-vlan synchronization enable command to enable the management VLAN
auto-negotiation function.
Use the undo management-vlan synchronization enable command to disable the management
VLAN auto-negotiation function.
By default, the management VLAN auto-negotiation function is disabled.

Examples

# Enable the management VLAN auto-negotiation function on the management device.
<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
[aaa_0.Sysname-cluster] management-vlan synchronization enable

nm-interface vlan-interface

Syntax

nm-interface vlan-interface interface-name

View

Cluster view

Default Level

2: System level

Parameters

interface-name: ID of the VLAN interface. The value range is the same as that of the existing VLAN
interface ID.

Description

Use the nm-interface vlan-interface command to configure the VLAN interface of the access
management device (including FTP/TFTP server, management host and log host) as the network
management interface of the management device.

Examples

# Configure VLAN-interface 1 as the network management interface.


<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
[aaa_0.Sysname-cluster] nm-interface vlan-interface 1

reboot member

Syntax

reboot member { member-number | mac-address mac-address } [ eraseflash ]

View

Cluster view

Default Level

2: System level

Parameters

member-number: Number of the member device, in the range 1 to 255.
mac-address mac-address: MAC address of the member device to be rebooted, in the format of H-H-H.
eraseflash: Deletes the configuration file when the member device reboots.

Description

Use the reboot member command to reboot a specified member device.
Note that this command can be executed only on the management device.

Examples

# Reboot the member device numbered 2 on the management device.


<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] reboot member 2

snmp-host

Syntax

snmp-host ip-address [ community-string read string1 write string2 ]
undo snmp-host

View

Cluster view

Default Level

3: Manage level

Parameters

ip-address: IP address of an SNMP host.
string1: Community name of read-only access, a string of 1 to 26 characters.
string2: Community name of read-write access, a string of 1 to 26 characters.

Description

Use the snmp-host command to configure a shared SNMP host for a cluster.
Use the undo snmp-host command to cancel the SNMP host configuration.
By default, no SNMP host is configured for a cluster.
Note that this command can be executed on the management device only.

Examples

# Configure a shared SNMP host for the cluster on the management device.
<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] snmp-host 1.0.0.9 community-string read 123 write 456

tftp-server

Syntax

tftp-server ip-address
undo tftp-server

View

Cluster view

Default Level

2: System level

Parameters

ip-address: IP address of a TFTP server.

Description

Use the tftp-server command to configure a shared TFTP server for a cluster.
Use the undo tftp-server command to cancel the TFTP server of the cluster.
By default, no TFTP server is configured.
Note that this command can be executed on the management device only.

Examples

# Configure a shared TFTP server on the management device as 1.0.0.9.


<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] tftp-server 1.0.0.9

timer

Syntax

timer interval
undo timer

View

Cluster view

Default Level

2: System level

Parameters

interval: Interval (in seconds) to send handshake packets. This argument ranges from 1 to 255.

Description

Use the timer command to set the interval to send handshake packets.
Use the undo timer command to restore the default.
By default, the interval to send handshake packets is 10 seconds.
Note that:
• This command can be executed on the management device only.
• This configuration is valid for all member devices in a cluster.

Examples

# Configure the interval to send handshake packets as 3 seconds on the management device.
<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] timer 3

topology accept

Syntax

topology accept { all [ save-to { ftp-server | local-flash } ] | mac-address mac-address | member-id member-number }
undo topology accept { all | mac-address mac-address | member-id member-number }

View

Cluster view

Default Level

2: System level

Parameters

all: Accepts the current cluster topology information as the standard topology information.
mac-address mac-address: Specifies a device by its MAC address. The device will be accepted to join
the standard topology of the cluster.
member-id member-number: Specifies a device by its member number. The device will be accepted to
join the standard topology of the cluster. The member-number argument is in the range 0 to 255.
save-to: Confirms the current topology as the standard topology, and backs up the standard topology
on the FTP server or local flash in a file named “topology.top”.

Description

Use the topology accept command to confirm the current topology information and save it as the
standard topology.
Use the undo topology accept command to delete the standard topology information.
Note that:
• This command can be executed on the management device only.
• The file used to save the standard topology on the FTP server or the local flash is named “topology.top”,
which includes both the blacklist and the whitelist information. A blacklist contains the devices that
are prohibited from being added to a cluster. A whitelist contains devices that can be added to a cluster.

Examples

# Take the current topology as the standard topology on the management device.
<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] topology accept all

topology restore-from

Syntax

topology restore-from { ftp-server | local-flash }

View

Cluster view

Default Level

2: System level

Parameters

ftp-server: Restores the standard topology information from the FTP server.
local-flash: Restores the standard topology information from the local flash.

Description

Use the topology restore-from command to restore the standard topology information in case the
cluster topology information is incorrect.
Note that:
• This command can be executed on the management device only.
• If the stored standard topology is not correct, the device cannot be aware of it. Therefore, you must
ensure that the standard topology is correct.

Examples

# Restore the standard topology on the management device.


<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] topology restore-from local-flash

topology save-to

Syntax

topology save-to { ftp-server | local-flash }

View

Cluster view

Default Level

2: System level

Parameters

ftp-server: Saves the standard topology information to the FTP server.


local-flash: Saves the standard topology information to the local flash.

Description

Use the topology save-to command to save the standard topology information to the FTP server or the
local flash.
Note that:
• The file used to save the standard topology on the FTP server or the local flash is named “topology.top”,
which includes both the blacklist and the whitelist information. A blacklist contains the devices that
are prohibited from being added to a cluster. A whitelist contains devices that can be added to a cluster.
• This command can be executed on the management device only.

Examples

# Save the standard topology information to the local flash on the management device.
<Sysname> system-view
[Sysname] cluster
[Sysname-cluster] ip-pool 10.1.1.1 24
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster] topology save-to local-flash

Table of Contents

1 HTTP Configuration Commands
    HTTP Configuration Commands
        display ip http
        ip http acl
        ip http enable
        ip http port

2 HTTPS Configuration Commands
    HTTPS Configuration Commands
        display ip https
        ip https acl
        ip https certificate access-control-policy
        ip https enable
        ip https port
        ip https ssl-server-policy

1 HTTP Configuration Commands

HTTP Configuration Commands


display ip http

Syntax

display ip http

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ip http command to display information about HTTP.

Examples

# Display information about HTTP.


<Sysname> display ip http
HTTP port: 80
Basic ACL: 2222
Current connection: 0
Operation status: Running

Table 1-1 display ip http command output description

Field                Description
HTTP port            Port number used by the HTTP service
Basic ACL            A basic ACL number associated with the HTTP service
Current connection   The number of current connections
Operation status     Operation status, which takes the following values:
                     • Running: The HTTP service is enabled.
                     • Stopped: The HTTP service is disabled.

ip http acl

Syntax

ip http acl acl-number


undo ip http acl

View

System view

Default Level

2: System level

Parameters

acl-number: ACL number, in the range 2000 to 2999 (basic IPv4 ACL).

Description

Use the ip http acl command to associate the HTTP service with an ACL.
Use the undo ip http acl command to remove the association.
By default, the HTTP service is not associated with any ACL.
After the HTTP service is associated with an ACL, only the clients permitted by the ACL can access the
device.
Note that: If you execute the ip http acl command multiple times to associate the HTTP service with
different ACLs, the HTTP service is associated only with the last specified ACL.
Related commands: display ip http and acl number in ACL Commands.

Examples

# Associate the HTTP service with ACL 2001 and allow only the clients within the
10.10.0.0/16 network segment to access the device through the Web function.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255
[Sysname-acl-basic-2001] quit
[Sysname] ip http acl 2001

ip http enable

Syntax

ip http enable
undo ip http enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ip http enable command to enable the HTTP service.


Use the undo ip http enable command to disable the HTTP service.
The device can act as the HTTP server and the users can access and control the device through the
Web function only after the HTTP service is enabled.
By default, HTTP service is enabled.
Related commands: display ip http.

Examples

# Disable the HTTP service.


<Sysname> system-view
[Sysname] undo ip http enable

ip http port

Syntax

ip http port port-number


undo ip http port

View

System view

Default Level

3: Manage level

Parameters

port-number: Port number of the HTTP service, which ranges from 1 to 65535.

Description

Use the ip http port command to configure the port number of the HTTP service.
Use the undo ip http port command to restore the default.
By default, the port number of the HTTP service is 80.
Note that this command does not check whether the configured port number conflicts with that of an
existing service. Therefore, ensure that the port number is not used by another service before the
configuration.
Related commands: display ip http.

Examples

# Configure the port number of the HTTP service as 8080.


<Sysname> system-view
[Sysname] ip http port 8080

2 HTTPS Configuration Commands

HTTPS Configuration Commands


display ip https

Syntax

display ip https

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ip https command to display information about HTTPS.

Examples

# Display information about HTTPS.


<Sysname> display ip https
HTTPS port: 443
SSL server policy: test
Certificate access-control-policy:
Basic ACL: 2222
Current connection: 0
Operation status: Running

Table 2-1 display ip https command output description

Field                               Description
HTTPS port                          Port number used by the HTTPS service
SSL server policy                   The SSL server policy associated with the HTTPS service
Certificate access-control-policy   The certificate attribute access control policy associated with
                                    the HTTPS service
Basic ACL                           The basic ACL number associated with the HTTPS service
Current connection                  The number of current connections
Operation status                    Operation status, which takes the following values:
                                    • Running: The HTTPS service is enabled.
                                    • Stopped: The HTTPS service is disabled.
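
The fields that display ip http and display ip https print can be checked mechanically when reviewing how the web management service is exposed. The Python sketch below is an added example, not part of the H3C manual: it parses both outputs and reports findings based on the defaults and prerequisites stated in this reference. The finding codes, the second pair of outputs, and the treatment of an empty value or 0 as "not associated" are assumptions of this example.

```python
# Outputs copied from the examples in this reference.
HTTP_OUT = """\
<Sysname> display ip http
HTTP port: 80
Basic ACL: 2222
Current connection: 0
Operation status: Running
"""
HTTPS_OUT = """\
<Sysname> display ip https
HTTPS port: 443
SSL server policy: test
Certificate access-control-policy:
Basic ACL: 2222
Current connection: 0
Operation status: Running
"""
# Constructed outputs for a device left at the documented defaults
# (HTTP enabled, HTTPS disabled, nothing associated). The way unset
# fields print is an assumption.
DEFAULT_HTTP = "HTTP port: 80\nBasic ACL: 0\nCurrent connection: 0\nOperation status: Running\n"
DEFAULT_HTTPS = ("HTTPS port: 443\nSSL server policy:\nCertificate access-control-policy:\n"
                 "Basic ACL: 0\nCurrent connection: 0\nOperation status: Stopped\n")


def parse_display(text):
    """Parse the 'Field: value' lines of display ip http / display ip https."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<") or ":" not in line:
            continue  # skip blank lines and the CLI prompt line
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def _unset(value):
    # Assumption: an ACL or policy that is not associated prints as empty or 0.
    return value is None or value in ("", "0")


def _running(fields):
    return fields.get("operation status", "").lower() == "running"


def audit(http_text, https_text):
    """Return a list of (code, detail) findings for the web management service."""
    http, https = parse_display(http_text), parse_display(https_text)
    findings = []
    if _running(http):
        findings.append(("HTTP_RUNNING",
                         f"unencrypted HTTP management is running on port "
                         f"{http.get('http port', '?')}; 'undo ip http enable' disables it"))
        if _unset(http.get("basic acl")):
            findings.append(("HTTP_NO_ACL",
                             "no basic ACL is associated; 'ip http acl' restricts client sources"))
    if _running(https):
        if _unset(https.get("basic acl")):
            findings.append(("HTTPS_NO_ACL",
                             "no basic ACL is associated; 'ip https acl' restricts client sources"))
        if _unset(https.get("certificate access-control-policy")):
            findings.append(("HTTPS_NO_CERT_POLICY",
                             "informational: no certificate attribute access control policy"))
    else:
        detail = "HTTPS service is not running"
        if _unset(https.get("ssl server policy")):
            detail += "; no SSL server policy is associated, which 'ip https enable' requires"
        findings.append(("HTTPS_STOPPED", detail))
    return findings


def codes(findings):
    """Only the finding codes, in report order."""
    return [code for code, _ in findings]


if __name__ == "__main__":
    for label, pair in (("manual examples", (HTTP_OUT, HTTPS_OUT)),
                        ("constructed defaults", (DEFAULT_HTTP, DEFAULT_HTTPS))):
        print(label)
        for code, detail in audit(*pair):
            print(f"  {code}: {detail}")
```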

ip https acl

Syntax

ip https acl acl-number


undo ip https acl

View

System view

Default Level

3: Manage level

Parameters

acl-number: ACL number, in the range 2000 to 2999 (basic IPv4 ACL).

Description

Use the ip https acl command to associate the HTTPS service with an ACL.
Use the undo ip https acl command to remove the association.
By default, the HTTPS service is not associated with any ACL.
After the HTTPS service is associated with an ACL, only the clients permitted by the ACL can access
the device.
Note that: If you execute the ip https acl command multiple times to associate the HTTPS service
with different ACLs, the HTTPS service is associated only with the last specified ACL.
Related commands: display ip https and acl number in ACL Commands.

Examples

# Associate the HTTPS service with ACL 2001 and only allow the clients within the 10.10.0.0/16
network segment to access the HTTPS server through the Web function.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255
[Sysname-acl-basic-2001] quit
[Sysname] ip https acl 2001
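
Both the ip http acl and ip https acl examples rely on the rule "permit source 10.10.0.0 0.0.255.255", so the wildcard value decides who can reach the web interface. The Python sketch below is an added example, not part of the H3C manual: it evaluates a client address against such rules and reports what a source/wildcard pair really covers. It assumes the usual wildcard semantics (a 1 bit means the address bit is ignored) and that rules are checked in the order listed; the two mistyped rules are constructed.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a wildcard mask.

    A 0 bit in the wildcard must match the base; a 1 bit is ignored.
    """
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(addr) & care) == (_to_int(base) & care)


def evaluate(rules, addr):
    """Return the action of the first matching rule, else 'deny'.

    rules: list of (action, base, wildcard) tuples in match order.
    The fall-through 'deny' models the statement that only the clients
    permitted by the associated ACL can access the device.
    """
    for action, base, wildcard in rules:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


def coverage(base, wildcard):
    """Return (address_count, cidr) for a source/wildcard pair.

    cidr is None when the 1 bits of the wildcard are not one contiguous
    low-order run, that is, when the rule does not describe a plain subnet.
    """
    w = _to_int(wildcard)
    ones = bin(w).count("1")
    count = 1 << ones
    if w & (w + 1):
        return count, None
    network = _to_int(base) & ~w & MASK32
    return count, f"{ipaddress.IPv4Address(network)}/{32 - ones}"


# Rule from the manual's example.
INTENDED = [("permit", "10.10.0.0", "0.0.255.255")]
# Constructed mistakes: a subnet mask typed where a wildcard is expected,
# and a wildcard that is one octet too wide.
INVERTED = [("permit", "10.10.0.0", "255.255.0.0")]
TOO_WIDE = [("permit", "10.10.0.0", "0.255.255.255")]

if __name__ == "__main__":
    probes = ["10.10.3.7", "10.200.1.1", "172.16.0.0"]
    for name, rules in (("intended", INTENDED), ("inverted", INVERTED),
                        ("too wide", TOO_WIDE)):
        _, base, wildcard = rules[0]
        print(name, coverage(base, wildcard),
              {p: evaluate(rules, p) for p in probes})
```

The inverted mask is the case worth checking before associating an ACL: it locks out the intended 10.10.0.0/16 clients while permitting any address whose last two octets are 0.0.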

ip https certificate access-control-policy

Syntax

ip https certificate access-control-policy policy-name


undo ip https certificate access-control-policy

View

System view

Default Level

3: Manage level

Parameters

policy-name: Name of the certificate attribute access control policy, a string of 1 to 16 characters.

Description

Use the ip https certificate access-control-policy command to associate the HTTPS service with a
certificate attribute access control policy.
Use the undo ip https certificate access-control-policy command to remove the association.
By default, the HTTPS service is not associated with any certificate attribute access control policy.
Association of the HTTPS service with a certificate attribute access control policy can control the
access rights of clients.
Related commands: display ip https and pki certificate access-control-policy in PKI Commands.

Examples

# Associate the HTTPS service with certificate attribute access control policy myacl.
<Sysname> system-view
[Sysname] ip https certificate access-control-policy myacl

ip https enable

Syntax

ip https enable
undo ip https enable

View

System view

Default Level

3: Manage level

Parameters

None

Description

Use the ip https enable command to enable the HTTPS service.


Use the undo ip https enable command to disable the HTTPS service.
By default, the HTTPS service is disabled.
The device can act as the HTTP server and the users can access and control the device through the
Web function only after the HTTP service is enabled.

Note that enabling the HTTPS service triggers an SSL handshake negotiation process. During the
process, if a local certificate of the device already exists, the SSL negotiation is successfully performed,
and the HTTPS service can be started normally. If no local certificate exists, a certificate application
process will be triggered by the SSL negotiation. Because the application process takes much time, the
SSL negotiation often fails and the HTTPS service cannot be started normally. Therefore, execute the
ip https enable command multiple times to ensure normal startup of the HTTPS service.
Related commands: display ip https.

Examples

# Enable the HTTPS service.


<Sysname> system-view
[Sysname] ip https enable

ip https port

Syntax

ip https port port-number


undo ip https port

View

System view

Default Level

3: Manage level

Parameters

port-number: Port number of the HTTPS service, which ranges from 1 to 65535.

Description

Use the ip https port command to configure the port number of the HTTPS service.
Use the undo ip https port command to restore the default.
By default, the port number of the HTTPS service is 443.
Note that this command does not check whether the configured port number conflicts with that of an
existing service. Therefore, ensure that the port number is not used by another service before the
configuration.
Related commands: display ip https.

Examples

# Configure the port number of the HTTPS service as 6000.


<Sysname> system-view
[Sysname] ip https port 6000

ip https ssl-server-policy

Syntax

ip https ssl-server-policy policy-name


undo ip https ssl-server-policy

View

System view

Default Level

3: Manage level

Parameters

policy-name: Name of an SSL server policy, a string of 1 to 16 characters.

Description

Use the ip https ssl-server-policy command to associate the HTTPS service with an SSL server-end
policy.
Use the undo ip https ssl-server-policy command to remove the association between the HTTPS
service and an SSL server-end policy.
By default, the HTTPS service is not associated with any SSL server-end policy.
Note that:
• The HTTPS service can be enabled only after this command is configured successfully.
• You cannot modify an SSL server-end policy or remove the association between the HTTPS
service and an SSL server-end policy after the HTTPS service is enabled.
Related commands: display ip https and ssl server-policy in SSL Commands.

Examples

# Configure the HTTPS service to use SSL server-end policy myssl.


<Sysname> system-view
[Sysname] ip https ssl-server-policy myssl

Table of Contents

1 Stack Management Configuration Commands
    Stack Management Configuration Commands
        display stack
        stack ip-pool
        stack role master
        stack stack-port
        stack switch-to

1 Stack Management Configuration Commands

Stack Management Configuration Commands


display stack

Syntax

display stack [ members ]

View

Any view

Default Level

1: Monitor level

Parameters

members: Displays stack information of the stack members, including the master device and the slave
devices. This keyword is only available to the master device of a stack.

Description

Use the display stack command to display the stack information.

Examples

# Display stack information on the master device.


<stack_0.Sysname> display stack
Role: Master
Management VLAN: 1
IP pool: 1.1.1.1/24
Device total number: 3

# Display stack information on a slave device.


<stack_1.Sysname> display stack
Role: Slave
Management VLAN: 1
IP pool: 1.1.1.1/24
Master MAC address: 000f-e200-1000

Table 1-1 display stack command output description

Field                 Description
Role                  Role of the device in the stack.
                      • Master indicates that the device is the master device of the stack.
                      • Slave indicates that the device is a slave device of the stack.
Management VLAN       ID of the management VLAN, where interactive packets of the stack are
                      transmitted to implement the internal communication between the master
                      device and the slave devices.
IP pool               Range of the private IP addresses used by the stack
Device total number   Total number of the devices in the stack, which is displayed on the
                      master device only.
Master MAC address    MAC address of the master device, which is displayed on a slave device
                      only.

# Display stack information of all the stack members on the master.


<stack_0.Sysname> display stack members
Number: 0
Role: Master
Sysname: stack_0.Sysname
Device type: S5120
MAC Address: 000f-e200-1000

Number: 1
Role: Slave
Sysname: stack_1.Sysname
Device type: S5120
MAC Address: 000f-e200-2000

Table 1-2 display stack members command output description

Field         Description
Number        Sequence number of the device in the stack.
              • Value 0 indicates that the device is the master device of the stack.
              • A value other than 0 indicates that the device is a slave device and the
                value is the sequence number of the slave device in the stack.
Role          Role of the device in the stack.
              • Master indicates that the device is the master device of the stack.
              • Slave indicates that the device is a slave device of the stack.
Sysname       Host name of the device
MAC Address   MAC address of the device

stack ip-pool

Syntax

stack ip-pool ip-address { mask | mask-length }


undo stack ip-pool

View

System view

Default Level

2: System level

Parameters

ip-address: Start IP address of the stack IP address pool.


mask: IP address mask, in dotted decimal notation. The system ANDs the mask with the specified IP
address to get a network segment address, which will be the private IP address pool providing IP
addresses for the slave devices.
mask-length: IP address mask length, based on which a network segment address is calculated, which
will be the private IP address pool providing IP addresses for the slave devices.

Description

Use the stack ip-pool command to configure a private IP address pool for a stack.
Use the undo stack ip-pool command to remove the configured private IP address pool.
By default, no private IP address pool is configured for a stack.
Before creating a stack, you need to configure a private IP address pool for the stack, so that when a
slave device joins the stack, the master device can assign an available IP address to it automatically.

Examples

# Configure a private IP address pool containing IP addresses from 192.168.1.1 to 192.168.1.255 for a
stack.
<Sysname> system-view
[Sysname] stack ip-pool 192.168.1.1 24

stack role master

Syntax

stack role master


undo stack role master

View

System view

Default Level

2: System level

Parameters

None

Description

Use the stack role master command to create a stack.


Use the undo stack role master command to remove a stack.
After you execute the stack role master command on a stack-supporting device, the device becomes
the master device of a stack and automatically adds the devices connected with its stack ports to the
stack.
Note that you can remove a stack only on the master device of the stack.

Examples

# Create a stack.
<Sysname> system-view
[Sysname] stack role master
[stack_0.Sysname]

stack stack-port

Syntax

stack stack-port stack-port-num port interface-list


undo stack stack-port stack-port-num port interface-list

View

System view

Default Level

2: System level

Parameters

stack-port-num: Number of stack ports to be configured. The value range varies with the device model
and the number of ports.
interface-list: List of Ethernet ports to be configured as stack ports. You can specify multiple Ethernet
ports by providing this argument in the format of interface-list = { interface-type
interface-number }&<1-n>, where interface-type is the interface type, interface-number is the interface
number, and &<1-n> indicates that you can specify up to n ports or port lists. The value of n equals that
of stack-port-num.

Description

Use the stack stack-port command to configure the specified ports as stack ports.
Use the undo stack stack-port command to remove the configuration.
By default, a port is not a stack port.

Examples

# Configure a stack port on the device and assign port GigabitEthernet 1/0/1 as a stack port.

<Sysname> system-view
[Sysname] stack stack-port 1 port gigabitethernet 1/0/1

stack switch-to

Syntax

stack switch-to member-id

View

User view

Default Level

2: System level

Parameters

member-id: ID of the slave device which you want to switch to. The value ranges from 1 to 8.

Description

Use the stack switch-to command to switch from the master device to a slave device to perform
configurations.
This command is used to switch from the master device to a slave device with the user level unchanged.
To switch back, use the quit command.

Examples

# Switch from the master device to slave device 1.


<stack_0.Sysname> stack switch-to 1
<stack_1.Sysname>

Table of Contents

1 PoE Configuration Commands
    PoE Configuration Commands
        apply poe-profile
        apply poe-profile interface
        display poe device
        display poe interface
        display poe interface power
        display poe pse
        display poe-profile
        display poe-profile interface
        poe disconnect
        poe enable
        poe legacy enable
        poe max-power
        poe mode
        poe pd-description
        poe priority
        poe update
        poe utilization-threshold
        poe-profile

1 PoE Configuration Commands

PoE Configuration Commands


apply poe-profile

Syntax

apply poe-profile { index index | name profile-name }


undo apply poe-profile { index index | name profile-name }

View

PoE interface view

Default Level

2: System level

Parameters

index index: Index number of the PoE configuration file, in the range 1 to 100.
name profile-name: Name of the PoE configuration file, a string of 1 to 15 characters.

Description

Use the apply poe-profile command to apply the PoE configuration file to the current PoE interface.
Use the undo apply poe-profile command to remove the application of the PoE configuration file to
the current PoE interface.
Note that the index number, instead of the name, of the PoE configuration file is displayed when you
execute the display this command.
Related commands: display poe-profile, apply poe-profile interface.

Examples

# Apply the PoE configuration file named forIPphone to the PoE interface GigabitEthernet 1/0/20.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/20
[Sysname-GigabitEthernet1/0/20] apply poe-profile name forIPphone
[Sysname-GigabitEthernet1/0/20] display this
#
interface GigabitEthernet1/0/20
apply poe-profile index 1
#
return

apply poe-profile interface

Syntax

apply poe-profile { index index | name profile-name } interface interface-range


undo apply poe-profile { index index | name profile-name } interface interface-range

View

System view

Default Level

2: System level

Parameters

index index: Index number of the PoE configuration file, in the range 1 to 100.
name profile-name: Name of the PoE configuration file, a string of 1 to 15 characters.
interface-range: Range of Ethernet interface numbers, indicating multiple Ethernet interfaces. The
expression is interface-range = interface-type interface-number [ to interface-type interface-number ],
where interface-type interface-number represents the interface type and interface number. The start
interface number should be smaller than the end interface number. Ethernet interface numbers can
be in any range. If any interface in the specified range does not support PoE, it is ignored when the
PoE configuration file is applied.

Description

Use the apply poe-profile interface command to apply the PoE configuration file to one or more PoE
interfaces.
Use the undo apply poe-profile interface command to remove the application of the PoE
configuration file to the specified PoE interface(s).
Related commands: display poe-profile interface, apply poe-profile.

Examples

# Apply the PoE configuration file named forIPphone to the PoE interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] apply poe-profile name forIPphone interface gigabitethernet 1/0/1

# Apply the PoE configuration file with index number being 1 to PoE interfaces GigabitEthernet 1/0/2
through GigabitEthernet 1/0/8.
<Sysname> system-view
[Sysname] apply poe-profile index 1 interface gigabitethernet 1/0/2 to gigabitethernet 1/0/8

display poe device

Syntax

display poe device

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display poe device command to display information about power sourcing equipment
(PSEs).

Examples

# Display the PSE information.


<Sysname> display poe device
PSE ID  SlotNo  SubSNo  PortNum  MaxPower(W)  State  Model
1       1       0       24       370          on     LSW124POED

Table 1-1 display poe device command output description

Field         Description
PSE ID        ID of the PSE. For a centralized device, this field is 1.
SlotNo        Slot number of the PSE. For a centralized device, this field is 1.
SubSNo        Sub-slot number of the PSE. For a centralized device, this field is 0.
PortNum       Number of PoE interfaces on the PSE
MaxPower(W)   Maximum power of the PSE (W)
State         PSE state:
              on: The PSE is supplying power.
              off: The PSE stops supplying power.
              faulty: The PSE fails.
Model         PSE model

display poe interface

Syntax

display poe interface [ interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Description

Use the display poe interface command to display the power information of the specified interface.
If no interface is specified, the power information of all PoE interfaces is displayed.

Examples

# Display the power state of GigabitEthernet 1/0/1.


<Sysname> display poe interface gigabitethernet 1/0/1
Port Power Enabled : enabled
Port Power Priority : critical
Port Operating Status : on
Port IEEE Class : 1
Port Detection Status : delivering-power
Port Power Mode : signal
Port Current Power : 11592 mW
Port Average Power : 11610 mW
Port Peak : 11684 mW
Port Max Power : 30000 mW
Port Current : 244 mA
Port Voltage : 51.7 V
Port PD Description : IP Phone For Room 101

Table 1-2 display poe interface ethernet command output description

Field                   Description
Port Power Enabled      PoE state: enabled/disabled
                        • enabled: PoE is enabled.
                        • disabled: PoE is disabled.
Port Power Priority     Power priority of the PoE interface:
                        • critical (highest)
                        • high
                        • low
Port Operating Status   Operating state of a PoE interface:
                        • off: PoE is disabled.
                        • on: Power is supplied for a PoE interface normally.
                        • power-lack: The guaranteed remaining power of the PSE is not high
                          enough to supply power for a critical PoE interface.
                        • power-deny: The PSE refuses to supply power. The power required by
                          the powered device (PD) is higher than the configured power.
                        • power-itself: The external equipment is supplying power for itself.
                        • power-limit: The PSE is supplying a limited power. The power required
                          by the PD is higher than the configured power and the PSE still
                          supplies the configured power.
                        Port operating status varies with devices.
Port IEEE class         PD power class: 0, 1, 2, 3, 4, and -
                        - indicates not supported.
Port Detection Status   Power detection state of a PoE interface:
                        • disabled: The PoE function is disabled.
                        • searching: The PoE interface is searching for the PD.
                        • delivering-power: The PoE interface is supplying power for the PD.
                        • fault: There is a fault defined in 802.3af.
                        • test: The PoE interface is under test.
                        • other-fault: There is a fault other than defined in 802.3af.
                        • pd-disconnect: The PD is disconnected.
Port Power Mode         Power mode of a PoE interface:
                        • signal: Power is supplied over signal cables.
                        • spare: Power is supplied over spare cables.
Port Current Power      Current power of a PoE interface, including PD consumption power and
                        transmission loss.
Port Average Power      Average power of a PoE interface
Port Peak Power         Peak power of a PoE interface
Port Max Power          Maximum power of a PoE interface
Port Current            Current of a PoE interface
Port Voltage            Voltage of a PoE interface
Port PD Description     Description of the PD connected to the PoE interface, which is used to
                        identify the type and location of the PD.

# Display the state of all PoE interfaces.


<Sysname> display poe interface
Interface Status Priority CurPower Operating IEEE Detection
(W) Status class Status
GE1/0/1 enabled low 4.4 on 1 delivering-power
GE1/0/2 enabled critical 0.0 on - disabled
GE1/0/3 enabled low 0.0 on - disabled
GE1/0/4 enabled critical 0.0 on - searching
GE1/0/5 enabled low 4.0 on 2 delivering-power
GE1/0/6 enabled low 0.0 on - disabled
GE1/0/7 disabled low 0.0 off - fault

--- 2 port(s) on, 8.4(W) consumed, 361.6(W) Remaining ---

Table 1-3 display poe interface command output description

Field    Description
Interface    Shortened form of a PoE interface
Status    PoE state: enabled/disabled
  • enabled: PoE is enabled.
  • disabled: PoE is disabled.
Priority    Power priority of a PoE interface:
  • critical (highest)
  • high
  • low
CurPower    Current power of a PoE interface
Operating Status    Operating state of a PoE interface:
  • off: PoE is disabled.
  • on: Power is supplied for a PoE interface normally.
  • power-lack: The guaranteed remaining power of the PSE is not high enough to supply power for a critical PoE interface.
  • power-deny: The PSE refuses to supply power. The power required by the powered device (PD) is higher than the configured power.
  • power-itself: The external equipment is supplying power for itself.
  • power-limit: The PSE is supplying a limited power. The power required by the PD is higher than the configured power and the PSE still supplies the configured power.
IEEE class    PD power class defined by IEEE
Detection Status    Power detection state of a PoE interface:
  • disabled: The PoE function is disabled.
  • searching: The PoE interface is searching for the PD.
  • delivering-power: The PoE interface is supplying power for the PD.
  • fault: There is a fault defined in 802.3af.
  • test: The PoE interface is under test.
  • other-fault: There is a fault other than defined in 802.3af.
  • pd-disconnect: The PD is disconnected.
port(s) on    Number of PoE interfaces that are supplying power
consumed    Power consumed by the current PoE interface
Remaining    Total remaining power of the system

display poe interface power

Syntax

display poe interface power [ interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Description

Use the display poe interface power command to display the power information of one or more PoE interfaces.
If no interface is specified, the power information of all PoE interfaces will be displayed.

Examples

# Display the power information of GigabitEthernet 1/0/1.


<Sysname> display poe interface power gigabitethernet 1/0/1
Interface CurPower PeakPower MaxPower PD Description
(W) (W) (W)
GE1/0/1 15.0 15.3 15.4 Acess Point on Room 509 for Pete r

# Display the power information of all PoE interfaces.


<Sysname> display poe interface power
Interface CurPower PeakPower MaxPower PD Description
(W) (W) (W)
GE1/0/25 4.4 4.5 4.6 IP Phone on Room 309 for Peter Smith
GE1/0/26 4.4 4.5 15.4 IP Phone on Room 409 for Peter Pan
GE1/0/27 15.0 15.3 15.4 Acess Point on Room 509 for Peter
GE1/0/28 0.0 0.0 0.0 IP Phone on Room 609 for Peter John....
GE1/0/29 0.0 0.0 0.0 IP Phone on Room 709 for Jack
GE1/0/30 0.0 0.0 0.0 IP Phone on Room 809 for Alien
--- 3 port(s) on, 23.8(W) consumed, 356.2(W) Remaining ---

Table 1-4 display poe interface power command output description

Field    Description
Interface    Shortened form of a PoE interface
CurPower    Current power of a PoE interface
PeakPower    Peak power of a PoE interface
MaxPower    Maximum power of a PoE interface
PD Description    Description of the PD connected with a PoE interface. When the description contains more than 34 characters, the first 30 characters followed by four dots are displayed.
port(s) on    Number of PoE interfaces that are supplying power
consumed    Power currently consumed by all PoE interfaces
Remaining    Total remaining power of the system

display poe pse

Syntax

display poe pse

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display poe pse command to display the information of PSE(s).

Examples

# Display the information of the PSE.


<Sysname> display poe pse
PSE ID : 1
PSE Slot No : 1
PSE SubSlot No : 0
PSE Model : LSW124POED
PSE Current Power : 130 W
PSE Average Power : 20 W
PSE Peak Power : 240 W
PSE Max Power : 370 W
PSE Remaining Guaranteed : 130 W
PSE CPLD Version : -
PSE Software Version : 390
PSE Hardware Version : 57603
PSE Legacy Detection : disabled
PSE Utilization-threshold : 80
PSE PD Disconnect Detect Mode : AC

Table 1-5 display poe pse command output description

Field    Description
PSE ID    ID of the PSE
PSE Slot No    Slot number of the PSE
PSE SubSlot No    SubSlot number of the PSE
PSE Model    Model of the PSE module
PSE Power Enabled    PoE is enabled for the PSE
PSE Current Power    Current power of the PSE
PSE Average Power    Average power of the PSE
PSE Peak Power    Peak power of the PSE
PSE Max Power    Maximum power of the PSE
PSE Remaining Guaranteed    Guaranteed remaining power of the PSE = Guaranteed maximum power of the PSE - the sum of the maximum power of the critical PoE interfaces of the PSE
PSE CPLD Version    PSE CPLD version
PSE Software Version    PSE software version number
PSE Hardware Version    PSE hardware version number
PSE Legacy Detection    Nonstandard PD detection by the PSE:
  • enabled: Enabled
  • disabled: Disabled
PSE Utilization-threshold    PSE power alarm threshold
PSE PD Disconnect Detect Mode    PD disconnection detection mode

display poe-profile

Syntax

display poe-profile [ index index | name profile-name ]

View

Any view

Default Level

1: Monitor level

Parameters

index index: Index number of the PoE configuration file, in the range 1 to 100.
name profile-name: Name of the PoE configuration file, a string of 1 to 15 characters.

Description

Use the display poe-profile command to display the information of the PoE configuration file.
If no argument is specified, all information of the configurations and applications of existing PoE
configuration files is displayed.

Examples

# Display the information of all PoE configuration files.


<Sysname> display poe-profile
Poe-profile Index ApplyNum Interface Configuration
forIPphone 1 6 GE1/0/5 poe enable
GE1/0/6 poe priority critical
GE1/0/7
GE1/0/8
GE1/0/9
GE1/0/10
forAP 2 2 GE1/0/11 poe enable
GE1/0/12 poe max-power 14000
--- 2 poe-profile(s) created, 8 port(s) applied ---

# Display the information of the PoE configuration file with index number 1.
<Sysname> display poe-profile index 1
Poe-profile Index ApplyNum Interface Configuration
forIPphone 1 6 GE1/0/5 poe enable
GE1/0/6 poe priority critical
GE1/0/7
GE1/0/8
GE1/0/9
GE1/0/10
--- 6 port(s) applied ---

# Display the information of the PoE configuration file forIPphone.


<Sysname> display poe-profile name forIPphone
Poe-profile Index ApplyNum Interface Configuration
forIPphone 1 6 GE1/0/5 poe enable
GE1/0/6 poe priority critical
GE1/0/7
GE1/0/8
GE1/0/9
GE1/0/10
--- 6 port(s) applied ---

Table 1-6 display poe-profile command output description

Field    Description
Poe-profile    Name of the PoE configuration file
Index    Index number of the PoE configuration file
ApplyNum    Number of PoE interfaces to which a PoE configuration file is applied
Interface    Shortened form of the PoE interface to which the PoE configuration is applied
Configuration    Configurations of the PoE configuration file
poe-profile(s) created    Number of PoE configuration files
port(s) applied    Sum of the number of PoE interfaces to which all PoE configuration files are respectively applied

display poe-profile interface

Syntax

display poe-profile interface interface-type interface-number

View

Any view

Default Level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Description

Use the display poe-profile interface command to display all information of the configurations and
applications of the PoE configuration file that currently takes effect on the specified PoE interface.

Examples

# Display all information of the configurations and applications of the current PoE configuration file
applied to GigabitEthernet1/0/1.
<Sysname> display poe-profile interface gigabitethernet 1/0/1
Poe-profile Index ApplyNum Interface Current Configuration
forIPphone 1 6 GE1/0/1 poe enable
poe priority critical

Because not all the configurations of a PoE configuration file can be applied successfully, only the
configurations that currently take effect on the interface are displayed. For the descriptions for other
fields, refer to Table 1-6.

poe disconnect

Syntax

poe disconnect { ac | dc }
undo poe disconnect

View

System view

Default Level

2: System level

Parameters

ac: Specifies the PD disconnection detection mode as ac.


dc: Specifies the PD disconnection detection mode as dc.

Description

Use the poe disconnect command to configure a PD disconnection detection mode.


Use the undo poe disconnect command to restore the default.
The default PD disconnection detection mode is ac.
Note that changing the PD disconnection detection mode may cause some PDs to be powered off.

Examples

# Set the PD disconnection detection mode to dc.


<Sysname> system-view
[Sysname] poe disconnect dc

poe enable

Syntax

poe enable
undo poe enable

View

PoE interface view, PoE-profile file view

Default Level

2: System level

Parameters

None

Description

Use the poe enable command to enable PoE on a PoE interface.


Use the undo poe enable command to disable PoE on a PoE interface.
By default, PoE is disabled on a PoE interface.

• If a PoE configuration file is already applied to a PoE interface, you need to remove the application of the file to the PoE interface before configuring the interface in PoE-profile view.
• If a PoE configuration file is applied to a PoE interface, you need to remove the application of the file to the PoE interface before configuring the interface in PoE interface view.

Examples

# Enable PoE on a PoE interface.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] poe enable

# Enable PoE on a PoE interface through a PoE configuration file.


<Sysname> system-view
[Sysname] poe-profile abc
[Sysname-poe-profile-abc-1] poe enable
[Sysname-poe-profile-abc-1] quit
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] apply poe-profile name abc

poe legacy enable

Syntax

poe legacy enable


undo poe legacy enable

View

System view

Default Level

2: System level

Parameters

pse pse-id: Specifies a PSE ID.

Description

Use the poe legacy enable command to enable the PSE to detect nonstandard PDs.
Use the undo poe legacy enable command to disable the PSE from detecting nonstandard PDs.
By default, the PSE is disabled from detecting nonstandard PDs.

Examples

# Enable the PSE to detect nonstandard PDs (for a device with a single PSE).
<Sysname> system-view
[Sysname] poe legacy enable

poe max-power

Syntax

poe max-power max-power


undo poe max-power

View

PoE interface view, PoE-profile file view

Default Level

2: System level

Parameters

max-power: Maximum power in milliwatts allocated to a PoE interface, in the range 1000 to 30000.

Description

Use the poe max-power command to configure the maximum power for a PoE interface.
Use the undo poe max-power command to restore the default.
By default, the maximum power of the PoE interface is 30000 milliwatts.

Examples

# Set the maximum power of GigabitEthernet 1/0/1 to 12000 milliwatts.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] poe max-power 12000

poe mode

Syntax

poe mode signal


undo poe mode

View

PoE interface view, PoE-profile file view

Default Level

2: System level

Parameters

signal: Specifies the PoE mode as signal (power over signal cables), that is, using the pairs (1, 2, 3,
6) for transmitting data in category 3/5 twisted pair cable to supply DC power.

Description

Use the poe mode command to configure a PoE mode.


Use the undo poe mode command to restore the default.
By default, the PoE mode is signal (power over signal cables).

Examples

# Set the PoE mode to signal (power over signal cables).


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] poe mode signal

poe pd-description

Syntax

poe pd-description text


undo poe pd-description

View

PoE interface view

Default Level

2: System level

Parameters

text: Description of the PD connected to a PoE interface, a string of 1 to 80 characters.

Description

Use the poe pd-description command to configure a description for the PD connected to a PoE
interface.
Use the undo poe pd-description command to restore the default.
By default, no description is available for the PD connected to a PoE interface.

Examples

# Configure the description for the PD connected to GigabitEthernet 1/0/1 as IP Phone for Room 101.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] poe pd-description IP Phone For Room 101

poe priority

Syntax

poe priority { critical | high | low }


undo poe priority

View

PoE interface view, PoE-profile file view

Default Level

2: System level

Parameters

critical: Sets the power priority of a PoE interface to critical. The PoE interface whose power priority
level is critical works in guaranteed mode, that is, power is first supplied to the PD connected to this
critical PoE interface.
high: Sets the power priority of a PoE interface to high.
low: Sets the power priority of a PoE interface to low.

Description

Use the poe priority command to configure a power priority level for a PoE interface.
Use the undo poe priority command to restore the default.
By default, the power priority of a PoE interface is low.
Note that:
• When the PoE power is insufficient, power is first supplied to PoE interfaces with a higher priority level.
• If a PoE configuration file is already applied to a PoE interface, you need to remove the application of the file to the PoE interface before configuring the interface in PoE-profile view.
• If a PoE configuration file is applied to a PoE interface, you need to remove the application of the file to the PoE interface before configuring the interface in PoE interface view.
• If two PoE interfaces have the same priority level, the PoE interface with a smaller ID has the higher priority level.

Examples

# Set the power priority of GigabitEthernet 1/0/1 to critical.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] poe priority critical

# Set the power priority of GigabitEthernet 1/0/1 to critical through a PoE configuration file.
<Sysname> system-view
[Sysname] poe-profile abc
[Sysname-poe-profile-abc-1] poe priority critical
[Sysname-poe-profile-abc-1] quit
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] apply poe-profile name abc

poe update

Syntax

poe update { full | refresh } filename

View

System view

Default Level

2: System level

Parameters

full: Specifies to upgrade the PSE processing software in full mode when the software is unavailable.
refresh: Specifies to upgrade the PSE processing software in refresh mode when the software is
available.
filename: Name of the upgrade file, a string of 1 to 64 characters. This file must be under the root
directory of the file system of the device. The extension of the upgrade file varies with devices.

Description

Use the poe update command to upgrade the PSE processing software online.

• The full mode is used only in the case that anomalies occur when you use the refresh mode to upgrade the PSE processing software. Do not use the full mode in other circumstances.
• You can use the full mode to upgrade the PSE processing software to restore the PSE firmware when the PSE processing software is unavailable (it means that none of the PoE commands are executed successfully).

Examples

# Upgrade the PSE processing software in service.


<Sysname> system-view
[Sysname] poe update refresh 0400_001.S19

poe utilization-threshold

Syntax

poe utilization-threshold utilization-threshold-value


undo poe utilization-threshold

View

System view

Default Level

2: System level

Parameters

utilization-threshold-value: Power alarm threshold in percentage, in the range 1 to 99.

Description

Use the poe utilization-threshold command to configure a power alarm threshold for the PSE.
Use the undo poe utilization-threshold command to restore the default power alarm threshold of
the PSE.
By default, the power alarm threshold for the PSE is 80%.
The system sends a Trap message when the percentage of power utilization exceeds the alarm threshold. While the power utilization stays above the alarm threshold, the system does not send any further Trap message. When the power utilization drops below the alarm threshold, the system sends a Trap message again.

Examples

# Set the power alarm threshold of the PSE to 90%.


<Sysname> system-view
[Sysname] poe utilization-threshold 90

poe-profile

Syntax

poe-profile profile-name [ index ]


undo poe-profile { index index | name profile-name }

View

System view

Default Level

2: System level

Parameters

profile-name: Name of a PoE configuration file, a string of 1 to 15 characters. A PoE configuration file
name begins with a letter (a through z or A through Z) and must not contain reserved keywords such
as undo, all, name, interface, user, poe, disable, max-power, mode, priority and enable.
index: Index number of a PoE configuration file, in the range 1 to 100.

Description

Use the poe-profile profile-name command to create a PoE configuration file and enter PoE-profile
view.
Use the undo poe-profile command to delete the specified PoE configuration file.
If no index is specified, the system automatically assigns an index to the PoE configuration file,
starting from 1.
Note that if a PoE configuration file is already applied to a PoE interface, you cannot delete it. To
delete the file, you must first execute the undo apply poe-profile command to remove the application
of the PoE configuration file to the PoE interface.

Examples

# Create a PoE configuration file, name it abc, and specify the index number as 3.
<Sysname> system-view
[Sysname] poe-profile abc 3

Table of Contents

1 IP Source Guard Configuration Commands
  IP Source Guard Configuration Commands
    display ip check source
    display user-bind
    ip check source
    user-bind

1 IP Source Guard Configuration Commands

IP Source Guard Configuration Commands


display ip check source

Syntax

display ip check source [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ]

View

Any view

Default Level

1: Monitor level

Parameters

interface interface-type interface-number: Displays the dynamic bindings of the interface specified by
its type and number.
ip-address ip-address: Displays the dynamic bindings of an IP address.
mac-address mac-address: Displays the dynamic bindings of a MAC address (in the format of H-H-H).

Description

Use the display ip check source command to display dynamic bindings.


With no options specified, the command displays the dynamic bindings of all interfaces.
Related commands: ip check source.

Examples

# Display all dynamic bindings.


<Sysname> display ip check source
Total entries found: 3
MAC IP Vlan Port Status
040a-0000-4000 10.1.0.9 2 GigabitEthernet1/0/1 DHCP-SNP
N/A 10.1.0.8 2 GigabitEthernet1/0/1 DHCP-SNP
040a-0000-2000 10.1.0.7 2 GigabitEthernet1/0/1 DHCP-SNP

Table 1-1 display ip check source command output description

Field    Description
Total entries found    Total number of found entries
MAC    MAC address of the dynamic binding. N/A means that no MAC address is bound in the entry.
IP    IP address of the dynamic binding. N/A means that no IP address is bound in the entry.
Vlan    VLAN to which the obtained binding entry belongs. N/A means that no VLAN is bound in the entry.
Port    Port to which the dynamic binding entry is applied
Status    Type of dynamically obtaining the binding entry

display user-bind

Syntax

display user-bind [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ]

View

Any view

Default Level

1: Monitor level

Parameters

interface interface-type interface-number: Displays the static bindings of the interface specified by its
type and number.
ip-address ip-address: Displays the static bindings of an IP address.
mac-address mac-address: Displays the static bindings of a MAC address (in the format of H-H-H).

Description

Use the display user-bind command to display static bindings.


With no options specified, the command displays static bindings of all interfaces.
Related commands: user-bind.

Examples

# Display all static bindings.


<Sysname> display user-bind
Total entries found: 4
MAC IP Vlan Port Status
N/A 1.1.1.1 N/A GigabitEthernet1/0/1 Static
0001-0001-0001 2.2.2.2 200 GigabitEthernet1/0/1 Static
0003-0003-0003 N/A N/A GigabitEthernet1/0/1 Static
0004-0004-0004 4.4.4.4 N/A GigabitEthernet1/0/1 Static

Table 1-2 display user-bind command output description

Field    Description
Total entries found    Total number of found entries
MAC    MAC address of the binding. N/A means that no MAC address is bound in the entry.
IP    IP address of the binding. N/A means that no IP address is bound in the entry.
Vlan    VLAN of the binding. N/A means that no VLAN is bound in the entry.
Port    Port of the binding
Status    Type of the binding. Static means that the binding is manually configured.
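
Added example, not part of the H3C manual: Python that parses captured display ip check source and display user-bind output, checks the row count against "Total entries found", and lists the entries that bind only an IP address or only a MAC address (N/A in the other column). The capture is constructed from the two sample outputs on this page; the class and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed capture: the two sample outputs from this page in one session log.
CAPTURE = """\
<Sysname> display ip check source
Total entries found: 3
MAC IP Vlan Port Status
040a-0000-4000 10.1.0.9 2 GigabitEthernet1/0/1 DHCP-SNP
N/A 10.1.0.8 2 GigabitEthernet1/0/1 DHCP-SNP
040a-0000-2000 10.1.0.7 2 GigabitEthernet1/0/1 DHCP-SNP
<Sysname> display user-bind
Total entries found: 4
MAC IP Vlan Port Status
N/A 1.1.1.1 N/A GigabitEthernet1/0/1 Static
0001-0001-0001 2.2.2.2 200 GigabitEthernet1/0/1 Static
0003-0003-0003 N/A N/A GigabitEthernet1/0/1 Static
0004-0004-0004 4.4.4.4 N/A GigabitEthernet1/0/1 Static
"""

CMD = re.compile(r"^<[^>]+>\s*(display (?:ip check source|user-bind)\b.*)$")
TOTAL = re.compile(r"^Total entries found:\s*(\d+)$")
ROW = re.compile(
    r"^(?P<mac>N/A|[0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})\s+"
    r"(?P<ip>N/A|\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<vlan>N/A|\d+)\s+(?P<port>\S+)\s+(?P<status>\S+)$"
)


@dataclass
class Binding:
    command: str            # display command the row came from
    mac: Optional[str]      # None where the table shows N/A
    ip: Optional[str]
    vlan: Optional[int]
    port: str
    status: str             # e.g. DHCP-SNP or Static

    def pinned(self) -> str:
        """Attributes this entry binds, e.g. 'ip+mac+vlan' or 'ip'."""
        fields = (("ip", self.ip), ("mac", self.mac), ("vlan", self.vlan))
        return "+".join(name for name, value in fields if value is not None)


def parse_bindings(capture: str) -> Tuple[List[Binding], Dict[str, Tuple[int, int]]]:
    """Return (entries, mismatches); mismatches maps command -> (declared, parsed)."""
    entries: List[Binding] = []
    declared: Dict[str, int] = {}
    command = "unknown"
    for raw in capture.splitlines():
        line = raw.strip()
        cmd = CMD.match(line)
        if cmd:
            command = cmd.group(1).strip()
            continue
        total = TOTAL.match(line)
        if total:
            declared[command] = int(total.group(1))
            continue
        row = ROW.match(line)
        if not row:
            continue  # header line, blank line or unrelated output
        value = {k: (None if v == "N/A" else v) for k, v in row.groupdict().items()}
        entries.append(Binding(
            command=command,
            mac=value["mac"].lower() if value["mac"] else None,
            ip=value["ip"],
            vlan=int(value["vlan"]) if value["vlan"] is not None else None,
            port=value["port"],
            status=value["status"],
        ))
    mismatches = {}
    for cmd_name, count in declared.items():
        parsed = sum(1 for e in entries if e.command == cmd_name)
        if parsed != count:
            # A truncated or paged capture must not be mistaken for a full table.
            mismatches[cmd_name] = (count, parsed)
    return entries, mismatches


def single_attribute_entries(entries: List[Binding]) -> List[Binding]:
    """Entries that bind an IP address or a MAC address, but not both."""
    return [e for e in entries if (e.ip is None) != (e.mac is None)]


if __name__ == "__main__":
    found, problems = parse_bindings(CAPTURE)
    for cmd_name, (count, parsed) in problems.items():
        print(f"WARNING {cmd_name}: {count} entries declared, {parsed} parsed")
    for entry in single_attribute_entries(found):
        print(f"{entry.port} {entry.status}: binds {entry.pinned()} only "
              f"(ip={entry.ip}, mac={entry.mac})")
```
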

ip check source

Syntax

ip check source { ip-address | ip-address mac-address | mac-address }


undo ip check source

View

Ethernet interface view, VLAN interface view

Default Level

2: System level

Parameters

ip-address: Specifies to bind source IP address to the port.


ip-address mac-address: Specifies to bind source IP address and MAC address to the port.
mac-address: Specifies to bind source MAC address to the port.

Description

Use the ip check source command to configure the dynamic binding function on a port.
Use the undo ip check source command to restore the default.
By default, the dynamic binding function is disabled.
Note that: You cannot configure the dynamic binding function on a port that is in an aggregation group.
Related commands: display ip check source.

Examples

# Configure the dynamic binding function on port GigabitEthernet 1/0/1 to filter packets based on both the source IP address and the source MAC address.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ip check source ip-address mac-address

user-bind

Syntax

user-bind { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
undo user-bind { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

View

Layer-2 Ethernet interface view

Default Level

2: System level

Parameters

ip-address ip-address: Specifies the IP address for the static binding. The IP address can only be a
Class A, Class B, or Class C address and can be neither 127.x.x.x nor 0.0.0.0.
mac-address mac-address: Specifies the MAC address for the static binding in the format of H-H-H.
The MAC address cannot be all 0s, all Fs (a broadcast address), or a multicast address.
vlan vlan-id: Specifies the VLAN for the static binding. vlan-id is the ID of the VLAN to be bound, in the
range 1 to 4094.

Description

Use the user-bind command to configure a static binding.


Use the undo user-bind command to delete a static binding.
By default, no static binding exists on a port.
Note that:
• The same binding entry cannot be configured more than once on a port.
• A binding entry can be configured on multiple ports.
• You cannot configure a static binding on a port that is in an aggregation group.
Related commands: display user-bind.

Examples

# Configure a static binding on port GigabitEthernet 1/0/1.


<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0001-0001
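
Added example, not from the H3C manual: a Python pre-check that applies the user-bind parameter rules and notes above to a list of intended bindings and emits CLI lines only for the rows that pass. The row format, the aggregated-port set and all function names are assumptions of this example, and MAC addresses are required here in the four-digit-group form used in the page's examples.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


def check_ip(text: str) -> str:
    """Class A, B or C address; neither 127.x.x.x nor 0.0.0.0 (rules as stated on the page)."""
    ip = ipaddress.IPv4Address(text)  # raises a ValueError subclass on bad syntax
    first = ip.packed[0]
    if first >= 224:
        raise ValueError(f"{ip} is not a Class A, B or C address")
    if first == 127:
        raise ValueError(f"{ip} is in 127.x.x.x")
    if int(ip) == 0:
        raise ValueError("0.0.0.0 is not allowed")
    return str(ip)


def check_mac(text: str) -> str:
    """H-H-H MAC address that is not all 0s, all Fs, or multicast."""
    mac = text.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"{text!r} is not in H-H-H form")
    value = int(mac.replace("-", ""), 16)
    if value == 0:
        raise ValueError("MAC address is all 0s")
    if value == 0xFFFFFFFFFFFF:
        raise ValueError("MAC address is all Fs (broadcast)")
    if (value >> 40) & 1:  # lowest bit of the first octet marks a multicast address
        raise ValueError(f"{mac} is a multicast address")
    return mac


def build_user_bind(rows: Iterable[dict],
                    aggregated_ports=frozenset()) -> Tuple[List[str], List[str]]:
    """Return (cli_lines, errors) for rows with keys port, ip, mac, vlan."""
    per_port: Dict[str, List[str]] = {}
    seen = set()
    errors: List[str] = []
    for number, row in enumerate(rows, 1):
        port = row["port"]
        try:
            if port in aggregated_ports:
                raise ValueError(f"{port} is in an aggregation group")
            ip = check_ip(row["ip"]) if row.get("ip") else None
            mac = check_mac(row["mac"]) if row.get("mac") else None
            if ip is None and mac is None:
                raise ValueError("an IP address, a MAC address or both are required")
            vlan = row.get("vlan")
            if vlan is not None:
                vlan = int(vlan)
                if not 1 <= vlan <= 4094:
                    raise ValueError(f"VLAN {vlan} is outside 1 to 4094")
            key = (port, ip, mac, vlan)
            if key in seen:  # the same entry may repeat across ports, not on one port
                raise ValueError(f"entry already configured on {port}")
            seen.add(key)
        except ValueError as exc:
            errors.append(f"row {number}: {exc}")
            continue
        command = "user-bind"
        command += f" ip-address {ip}" if ip else ""
        command += f" mac-address {mac}" if mac else ""
        command += f" vlan {vlan}" if vlan is not None else ""
        per_port.setdefault(port, []).append(command)
    if not per_port:
        return [], errors
    lines = ["system-view"]
    for port, commands in per_port.items():
        lines += [f"interface {port}", *commands, "quit"]
    return lines, errors


# Constructed input: the first row is the page's own example, the rest are test cases.
ROWS = [
    {"port": "gigabitethernet 1/0/1", "ip": "192.168.0.1", "mac": "0001-0001-0001"},
    {"port": "gigabitethernet 1/0/1", "ip": "192.168.0.1", "mac": "0001-0001-0001"},
    {"port": "gigabitethernet 1/0/2", "ip": "192.168.0.1", "mac": "0001-0001-0001"},
    {"port": "gigabitethernet 1/0/2", "ip": "127.0.0.1"},
    {"port": "gigabitethernet 1/0/2", "mac": "0100-5e00-0001", "vlan": 200},
    {"port": "gigabitethernet 1/0/2", "ip": "224.0.0.5"},
    {"port": "gigabitethernet 1/0/3", "mac": "0003-0003-0003", "vlan": 4095},
    {"port": "gigabitethernet 1/0/4", "ip": "10.1.0.9"},
    {"port": "gigabitethernet 1/0/2", "mac": "0004-0004-0004", "vlan": 200},
]
AGGREGATED = frozenset({"gigabitethernet 1/0/4"})  # hypothetical aggregation member

if __name__ == "__main__":
    cli, rejected = build_user_bind(ROWS, AGGREGATED)
    print("\n".join(cli))
    print("\n".join(rejected))
```
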

Appendix A Command Index

The command index includes all the commands in the Command Manual, which are arranged alphabetically.


A
aaa nas-id profile 21-AAA Commands 1-1

access-limit 21-AAA Commands 1-1

access-limit enable 21-AAA Commands 1-2

accounting default 21-AAA Commands 1-3

accounting lan-access 21-AAA Commands 1-4

accounting login 21-AAA Commands 1-5

accounting optional 21-AAA Commands 1-5

accounting-on enable 21-AAA Commands 2-1

accounting-on enable interval 21-AAA Commands 2-2

accounting-on enable send 21-AAA Commands 2-2

acl 02-Login Commands 2-1

acl 27-ACL Commands 1-1

acl copy 27-ACL Commands 1-2

acl name 27-ACL Commands 1-3

activation-key 02-Login Commands 1-1

active region-configuration 10-MSTP Commands 1-1

add-member 37-Cluster Management Commands 1-15

administrator-address 37-Cluster Management Commands 1-16

apply poe-profile 40-PoE Commands 1-1

apply poe-profile interface 40-PoE Commands 1-2

archive configuration 32-File System Management Commands 2-1

archive configuration interval 32-File System Management Commands 2-1

archive configuration location 32-File System Management Commands 2-2

archive configuration max 32-File System Management Commands 2-3

arp anti-attack active-ack enable 13-ARP Commands 2-1

arp anti-attack send-gratuitous-arp 13-ARP Commands 2-11

arp anti-attack source-mac 13-ARP Commands 2-2

arp anti-attack source-mac aging-time 13-ARP Commands 2-2

arp anti-attack source-mac exclude-mac 13-ARP Commands 2-3

arp anti-attack source-mac threshold 13-ARP Commands 2-4

arp check enable 13-ARP Commands 1-1

arp detection enable 13-ARP Commands 2-6

arp detection mode 13-ARP Commands 2-6

arp detection static-bind 13-ARP Commands 2-7

arp detection trust 13-ARP Commands 2-8

arp detection validate 13-ARP Commands 2-8

arp max-learning-num 13-ARP Commands 1-1

arp rate-limit 13-ARP Commands 2-5

arp static 13-ARP Commands 1-2

arp timer aging 13-ARP Commands 1-3

ascii 15-FTP and TFTP Commands 1-6

attribute 22-PKI Commands 1-1

authentication default 21-AAA Commands 1-6

authentication lan-access 21-AAA Commands 1-7

authentication login 21-AAA Commands 1-8

authentication-mode 02-Login Commands 1-2

authorization command 21-AAA Commands 1-9

authorization default 21-AAA Commands 1-9

authorization lan-access 21-AAA Commands 1-10

authorization login 21-AAA Commands 1-11

authorization-attribute 21-AAA Commands 1-12

auto-build 37-Cluster Management Commands 1-16

auto-execute command 02-Login Commands 1-3

B
backup startup-configuration 32-File System Management Commands 2-4

binary 15-FTP and TFTP Commands 1-7

bind-attribute 21-AAA Commands 1-14

black-list add-mac 37-Cluster Management Commands 1-18

black-list delete-mac 37-Cluster Management Commands 1-18

boot-loader 28-Device Management Commands 1-1

bootrom 28-Device Management Commands 1-2

bootrom-update security-check enable 28-Device Management Commands 1-2

broadcast-suppression 03-Ethernet Port Commands 1-1

build 37-Cluster Management Commands 1-19

bye 15-FTP and TFTP Commands 1-7

bye 24-SSH2.0 Commands 1-15

C
ca identifier 22-PKI Commands 1-2

cd 15-FTP and TFTP Commands 1-8

cd 24-SSH2.0 Commands 1-15

cd 32-File System Management Commands 1-1

cdup 15-FTP and TFTP Commands 1-9

cdup 24-SSH2.0 Commands 1-16

certificate request entity 22-PKI Commands 1-3

certificate request from 22-PKI Commands 1-3

certificate request mode 22-PKI Commands 1-4

certificate request polling 22-PKI Commands 1-5

certificate request url 22-PKI Commands 1-5

check region-configuration 10-MSTP Commands 1-2

ciphersuite 23-SSL Commands 1-1

classifier behavior 19-QoS Commands 1-9

client-verify enable 23-SSL Commands 1-2

clock datetime 34-Basic System Configuration Commands 1-1

clock summer-time one-off 34-Basic System Configuration Commands 1-2

clock summer-time repeating 34-Basic System Configuration Commands 1-3

clock timezone 34-Basic System Configuration Commands 1-4

close 15-FTP and TFTP Commands 1-9

close-mode wait 23-SSL Commands 1-2

cluster 37-Cluster Management Commands 1-20

cluster enable 37-Cluster Management Commands 1-20

cluster switch-to 37-Cluster Management Commands 1-21

cluster-local-user 37-Cluster Management Commands 1-22

cluster-mac 37-Cluster Management Commands 1-23

cluster-mac syn-interval 37-Cluster Management Commands 1-23

cluster-snmp-agent community 37-Cluster Management Commands 1-24

cluster-snmp-agent group v3 37-Cluster Management Commands 1-25

cluster-snmp-agent mib-view 37-Cluster Management Commands 1-26

cluster-snmp-agent usm-user v3 37-Cluster Management Commands 1-27

command-privilege 34-Basic System Configuration Commands 1-5

common-name 22-PKI Commands 1-6

configuration replace file 32-File System Management Commands 2-5

copy 32-File System Management Commands 1-2

copyright-info enable 34-Basic System Configuration Commands 1-6

country 22-PKI Commands 1-7

crl check 22-PKI Commands 1-7

crl update-period 22-PKI Commands 1-8

crl url 22-PKI Commands 1-9

cut connection 21-AAA Commands 1-15

D
databits 02-Login Commands 1-4

data-flow-format (RADIUS scheme view) 21-AAA Commands 2-3

debugging 15-FTP and TFTP Commands 1-10

debugging 33-System Maintaining and Debugging Commands 1-6

delete 15-FTP and TFTP Commands 1-11

delete 24-SSH2.0 Commands 1-16

delete 32-File System Management Commands 1-2

delete static-routes all 17-Static Routing Commands 1-1

delete-member 37-Cluster Management Commands 1-28

description 03-Ethernet Port Commands 1-2

description 04-Loopback Interface and Null Interface Commands 1-1

description 05-Ethernet Link Aggregation Commands 1-1

description 09-VLAN Commands 1-1

description 27-ACL Commands 1-3

dhcp relay address-check 14-DHCP Commands 1-1

dhcp relay information circuit-id format-type 14-DHCP Commands 1-1

dhcp relay information circuit-id string 14-DHCP Commands 1-2

dhcp relay information enable 14-DHCP Commands 1-3

dhcp relay information format 14-DHCP Commands 1-4

dhcp relay information remote-id format-type 14-DHCP Commands 1-5

dhcp relay information remote-id string 14-DHCP Commands 1-5

dhcp relay information strategy 14-DHCP Commands 1-6

dhcp relay release ip 14-DHCP Commands 1-7

dhcp relay security refresh enable 14-DHCP Commands 1-9

dhcp relay security static 14-DHCP Commands 1-8

dhcp relay security tracker 14-DHCP Commands 1-9

dhcp relay server-detect 14-DHCP Commands 1-10

dhcp relay server-group 14-DHCP Commands 1-11

dhcp relay server-select 14-DHCP Commands 1-11

dhcp select relay 14-DHCP Commands 1-12

dhcp-snooping 14-DHCP Commands 3-1

dhcp-snooping information circuit-id format-type 14-DHCP Commands 3-2

dhcp-snooping information circuit-id string 14-DHCP Commands 3-2

dhcp-snooping information enable 14-DHCP Commands 3-3

dhcp-snooping information format 14-DHCP Commands 3-4

dhcp-snooping information remote-id format-type 14-DHCP Commands 3-5

dhcp-snooping information remote-id string 14-DHCP Commands 3-5

dhcp-snooping information strategy 14-DHCP Commands 3-7

dhcp-snooping trust 14-DHCP Commands 3-7

dir 15-FTP and TFTP Commands 1-12

dir 24-SSH2.0 Commands 1-17

dir 32-File System Management Commands 1-3

disconnect 15-FTP and TFTP Commands 1-13

display acl 27-ACL Commands 1-4

display acl resource 27-ACL Commands 1-5

display archive configuration 32-File System Management Commands 2-6

display arp 13-ARP Commands 1-4

display arp anti-attack source-mac 13-ARP Commands 2-4

display arp detection 13-ARP Commands 2-9

display arp detection statistics 13-ARP Commands 2-10

display arp ip-address 13-ARP Commands 1-5

display arp timer aging 13-ARP Commands 1-6

display boot-loader 28-Device Management Commands 1-3

display bootp client 14-DHCP Commands 4-1

display brief interface 03-Ethernet Port Commands 1-3

display channel 35-Information Center Commands 1-1

display clipboard 34-Basic System Configuration Commands 1-7

display clock 34-Basic System Configuration Commands 1-8

display cluster 37-Cluster Management Commands 1-29

display cluster base-topology 37-Cluster Management Commands 1-30

display cluster black-list 37-Cluster Management Commands 1-32

display cluster candidates 37-Cluster Management Commands 1-33

display cluster current-topology 37-Cluster Management Commands 1-34

display cluster members 37-Cluster Management Commands 1-36

display connection 21-AAA Commands 1-16

display cpu-usage 28-Device Management Commands 1-3

display cpu-usage history 28-Device Management Commands 1-5

display current-configuration 34-Basic System Configuration Commands 1-9

display debugging 33-System Maintaining and Debugging Commands 1-7

display default-configuration 34-Basic System Configuration Commands 1-10

display device 28-Device Management Commands 1-7

display device manuinfo 28-Device Management Commands 1-8

display dhcp client 14-DHCP Commands 2-1

display dhcp relay 14-DHCP Commands 1-13

display dhcp relay information 14-DHCP Commands 1-14

display dhcp relay security 14-DHCP Commands 1-15

display dhcp relay security statistics 14-DHCP Commands 1-16

display dhcp relay security tracker 14-DHCP Commands 1-17

display dhcp relay server-group 14-DHCP Commands 1-17

display dhcp relay statistics 14-DHCP Commands 1-18

display dhcp-snooping 14-DHCP Commands 3-8

display dhcp-snooping information 14-DHCP Commands 3-9

display dhcp-snooping packet statistics 14-DHCP Commands 3-10

display dhcp-snooping trust 14-DHCP Commands 3-10

display diagnostic-information 34-Basic System Configuration Commands 1-10

display domain 21-AAA Commands 1-17

display dot1x 20-802.1X Commands 1-1

display environment 28-Device Management Commands 1-9

display fan 28-Device Management Commands 1-10

display fib 12-IP Performance Optimization Commands 1-1

display fib ip-address 12-IP Performance Optimization Commands 1-3

display ftp client configuration 15-FTP and TFTP Commands 1-13

display ftp-server 15-FTP and TFTP Commands 1-1

display ftp-user 15-FTP and TFTP Commands 1-2

display habp 26-HABP Commands 1-1

display habp table 26-HABP Commands 1-2

display habp traffic 26-HABP Commands 1-2

display history-command 01-CLI Command 1-1

display hotkey 34-Basic System Configuration Commands 1-12

display icmp statistics 12-IP Performance Optimization Commands 1-4

display igmp-snooping group 18-Multicast Commands 1-1

display igmp-snooping statistics 18-Multicast Commands 1-2

display info-center 35-Information Center Commands 1-2

display interface 03-Ethernet Port Commands 1-6

display interface loopback 04-Loopback Interface and Null Interface Commands 1-2

display interface null 04-Loopback Interface and Null Interface Commands 1-3

display interface vlan-interface 09-VLAN Commands 1-2

display ip check source 41-IP Source Guard Commands 1-1

display ip http 38-HTTP Commands 1-1

display ip https 38-HTTP Commands 2-1

display ip interface 11-IP Addressing Commands 1-1

display ip interface brief 11-IP Addressing Commands 1-3

display ip routing-table 16-IP Routing Basics Commands 1-1

display ip routing-table acl 16-IP Routing Basics Commands 1-5

display ip routing-table ip-address 16-IP Routing Basics Commands 1-7

display ip routing-table protocol 16-IP Routing Basics Commands 1-9

display ip routing-table statistics 16-IP Routing Basics Commands 1-10

display ip socket 12-IP Performance Optimization Commands 1-5

display ip statistics 12-IP Performance Optimization Commands 1-8

display lacp system-id 05-Ethernet Link Aggregation Commands 1-1

display link-aggregation member-port 05-Ethernet Link Aggregation Commands 1-2

display link-aggregation summary 05-Ethernet Link Aggregation Commands 1-4

display link-aggregation verbose 05-Ethernet Link Aggregation Commands 1-6

display lldp local-information 08-LLDP Commands 1-1

display lldp neighbor-information 08-LLDP Commands 1-5

display lldp statistics 08-LLDP Commands 1-9

display lldp status 08-LLDP Commands 1-10

display lldp tlv-config 08-LLDP Commands 1-12

display local-user 21-AAA Commands 1-19

display logbuffer 35-Information Center Commands 1-4

display logbuffer summary 35-Information Center Commands 1-6

display logfile buffer 35-Information Center Commands 1-7

display logfile summary 35-Information Center Commands 1-8

display loopback-detection 03-Ethernet Port Commands 1-5

display mac-address 36-MAC Address Table Commands 1-1

display mac-address aging-time 36-MAC Address Table Commands 1-2

display mac-address statistics 36-MAC Address Table Commands 1-3

display memory 28-Device Management Commands 1-10

display mib-style 30-SNMP Commands 2-1

display mirroring-group 07-Port Mirroring Commands 1-1

display multicast-vlan 18-Multicast Commands 2-1

display nandflash badblock-location 32-File System Management Commands 1-5

display nandflash file-location 32-File System Management Commands 1-4

display nandflash page-data 32-File System Management Commands 1-6

display ndp 37-Cluster Management Commands 1-1

display ntdp 37-Cluster Management Commands 1-7

display ntdp device-list 37-Cluster Management Commands 1-8

display ntdp single-device 37-Cluster Management Commands 1-9

display ntp-service sessions 29-NTP Commands 1-1

display ntp-service status 29-NTP Commands 1-5

display ntp-service trace 29-NTP Commands 1-7

display pki certificate 22-PKI Commands 1-9

display pki certificate access-control-policy 22-PKI Commands 1-11

display pki certificate attribute-group 22-PKI Commands 1-12

display pki crl domain 22-PKI Commands 1-13

display poe device 40-PoE Commands 1-2

display poe interface 40-PoE Commands 1-3

display poe interface power 40-PoE Commands 1-6

display poe pse 40-PoE Commands 1-8

display poe-profile 40-PoE Commands 1-9

display poe-profile interface 40-PoE Commands 1-10

display port 09-VLAN Commands 1-9

display port-group manual 03-Ethernet Port Commands 1-10

display port-isolate group 06-Port Isolation Commands 1-1

display power 28-Device Management Commands 1-11

display public-key local public 25-Public Key Commands 1-1

display public-key peer 25-Public Key Commands 1-2

display qos lr interface 19-QoS Commands 3-1

display qos map-table 19-QoS Commands 2-1

display qos policy 19-QoS Commands 1-10

display qos policy interface 19-QoS Commands 1-11

display qos trust interface 19-QoS Commands 2-4

display qos wrr interface 19-QoS Commands 4-1

display radius scheme 21-AAA Commands 2-4

display radius statistics 21-AAA Commands 2-6

display reboot-type 28-Device Management Commands 1-11

display rmon alarm 31-RMON Commands 1-1

display rmon event 31-RMON Commands 1-2

display rmon eventlog 31-RMON Commands 1-3

display rmon history 31-RMON Commands 1-5

display rmon prialarm 31-RMON Commands 1-7

display rmon statistics 31-RMON Commands 1-9

display saved-configuration 32-File System Management Commands 2-6

display schedule job 28-Device Management Commands 1-12

display schedule reboot 28-Device Management Commands 1-13

display sftp client source 24-SSH2.0 Commands 1-18

display snmp-agent community 30-SNMP Commands 1-1

display snmp-agent group 30-SNMP Commands 1-2

display snmp-agent local-engineid 30-SNMP Commands 1-3

display snmp-agent mib-view 30-SNMP Commands 1-4

display snmp-agent statistics 30-SNMP Commands 1-5

display snmp-agent sys-info 30-SNMP Commands 1-7

display snmp-agent trap queue 30-SNMP Commands 1-8

display snmp-agent trap-list 30-SNMP Commands 1-8

display snmp-agent usm-user 30-SNMP Commands 1-9

display ssh client source 24-SSH2.0 Commands 1-8

display ssh server 24-SSH2.0 Commands 1-1

display ssh server-info 24-SSH2.0 Commands 1-9

display ssh user-information 24-SSH2.0 Commands 1-2

display ssl client-policy 23-SSL Commands 1-3

display ssl server-policy 23-SSL Commands 1-4

display stack 39-Stack Management Commands 1-1

display startup 32-File System Management Commands 2-8

display stop-accounting-buffer 21-AAA Commands 2-9

display storm-constrain 03-Ethernet Port Commands 1-11

display stp 10-MSTP Commands 1-3

display stp abnormal-port 10-MSTP Commands 1-8

display stp down-port 10-MSTP Commands 1-9

display stp history 10-MSTP Commands 1-10

display stp ignored-vlan 10-MSTP Commands 1-11

display stp region-configuration 10-MSTP Commands 1-11

display stp root 10-MSTP Commands 1-12

display stp tc 10-MSTP Commands 1-13

display system-failure 28-Device Management Commands 1-13

display tcp statistics 12-IP Performance Optimization Commands 1-9

display tcp status 12-IP Performance Optimization Commands 1-12

display telnet client configuration 02-Login Commands 1-5

display tftp client configuration 15-FTP and TFTP Commands 2-1

display this 34-Basic System Configuration Commands 1-13

display time-range 27-ACL Commands 1-6

display traffic behavior 19-QoS Commands 1-6

display traffic classifier 19-QoS Commands 1-1

display transceiver 28-Device Management Commands 1-18

display transceiver alarm 28-Device Management Commands 1-14

display transceiver diagnosis 28-Device Management Commands 1-17

display transceiver manuinfo 28-Device Management Commands 1-19

display trapbuffer 35-Information Center Commands 1-9

display udp statistics 12-IP Performance Optimization Commands 1-13

display user-bind 41-IP Source Guard Commands 1-2

display user-group 21-AAA Commands 1-20

display user-interface 02-Login Commands 1-5

display users 02-Login Commands 1-7

display version 34-Basic System Configuration Commands 1-14

display vlan 09-VLAN Commands 1-3

display voice vlan oui 09-VLAN Commands 2-1

display voice vlan state 09-VLAN Commands 2-2

display web users 02-Login Commands 1-8

domain 21-AAA Commands 1-21

domain default enable 21-AAA Commands 1-22

dot1p-priority 18-Multicast Commands 1-3

dot1x 20-802.1X Commands 1-4

dot1x authentication-method 20-802.1X Commands 1-6

dot1x auth-fail vlan 20-802.1X Commands 1-5

dot1x guest-vlan 20-802.1X Commands 1-7

dot1x handshake 20-802.1X Commands 1-8

dot1x mandatory-domain 20-802.1X Commands 1-9

dot1x max-user 20-802.1X Commands 1-10

dot1x multicast-trigger 20-802.1X Commands 1-11

dot1x port-control 20-802.1X Commands 1-11

dot1x port-method 20-802.1X Commands 1-12

dot1x quiet-period 20-802.1X Commands 1-13

dot1x re-authenticate 20-802.1X Commands 1-14

dot1x retry 20-802.1X Commands 1-15

dot1x timer 20-802.1X Commands 1-16

duplex 03-Ethernet Port Commands 1-12

E
enable log updown 35-Information Center Commands 1-10

enable snmp trap updown 05-Ethernet Link Aggregation Commands 1-8

enable snmp trap updown 30-SNMP Commands 1-10

escape-key 02-Login Commands 1-9

execute 32-File System Management Commands 1-7

exit 24-SSH2.0 Commands 1-19

expiration-date 21-AAA Commands 1-23

F
fast-leave (IGMP-Snooping view) 18-Multicast Commands 1-4

file prompt 32-File System Management Commands 1-7

filter 19-QoS Commands 1-7

fixdisk 32-File System Management Commands 1-8

flow-control 02-Login Commands 1-10

flow-control 03-Ethernet Port Commands 1-13

flow-interval 03-Ethernet Port Commands 1-13

format 32-File System Management Commands 1-9

fqdn 22-PKI Commands 1-14

free ftp user 15-FTP and TFTP Commands 1-3

free user-interface 02-Login Commands 1-11

free web-users 02-Login Commands 2-2

ftp 15-FTP and TFTP Commands 1-14

ftp client source 15-FTP and TFTP Commands 1-15

ftp server acl 15-FTP and TFTP Commands 1-3

ftp server enable 15-FTP and TFTP Commands 1-4

ftp timeout 15-FTP and TFTP Commands 1-4

ftp update 15-FTP and TFTP Commands 1-5

ftp-server 37-Cluster Management Commands 1-38

G
get 15-FTP and TFTP Commands 1-16

get 24-SSH2.0 Commands 1-19

gratuitous-arp-learning enable 13-ARP Commands 1-7

gratuitous-arp-sending enable 13-ARP Commands 1-7

group 21-AAA Commands 1-23

group-member 03-Ethernet Port Commands 1-14

group-policy (IGMP-Snooping view) 18-Multicast Commands 1-5

H
habp enable 26-HABP Commands 1-3

habp server vlan 26-HABP Commands 1-4

habp timer 26-HABP Commands 1-4

handshake timeout 23-SSL Commands 1-5

header 34-Basic System Configuration Commands 1-15

help 24-SSH2.0 Commands 1-20

history-command max-size 02-Login Commands 1-11

holdtime 37-Cluster Management Commands 1-39

host-aging-time (IGMP-Snooping view) 18-Multicast Commands 1-6

hotkey 34-Basic System Configuration Commands 1-17

I
idle-cut enable 21-AAA Commands 1-24

idle-timeout 02-Login Commands 1-12

if-match 19-QoS Commands 1-2

igmp-snooping 18-Multicast Commands 1-6

igmp-snooping dot1p-priority 18-Multicast Commands 1-7

igmp-snooping drop-unknown 18-Multicast Commands 1-8

igmp-snooping enable 18-Multicast Commands 1-8

igmp-snooping fast-leave 18-Multicast Commands 1-9

igmp-snooping general-query source-ip 18-Multicast Commands 1-10

igmp-snooping group-limit 18-Multicast Commands 1-11

igmp-snooping group-policy 18-Multicast Commands 1-12

igmp-snooping host-aging-time 18-Multicast Commands 1-13

igmp-snooping host-join 18-Multicast Commands 1-14

igmp-snooping last-member-query-interval 18-Multicast Commands 1-15

igmp-snooping leave source-ip 18-Multicast Commands 1-15

igmp-snooping max-response-time 18-Multicast Commands 1-16

igmp-snooping overflow-replace 18-Multicast Commands 1-17

igmp-snooping proxying enable 18-Multicast Commands 1-18

igmp-snooping querier 18-Multicast Commands 1-19

igmp-snooping query-interval 18-Multicast Commands 1-20

igmp-snooping report source-ip 18-Multicast Commands 1-20

igmp-snooping router-aging-time 18-Multicast Commands 1-21

igmp-snooping special-query source-ip 18-Multicast Commands 1-22

igmp-snooping static-group 18-Multicast Commands 1-23

igmp-snooping static-router-port 18-Multicast Commands 1-24

igmp-snooping version 18-Multicast Commands 1-25

import 19-QoS Commands 2-2

info-center channel name 35-Information Center Commands 1-11

info-center console channel 35-Information Center Commands 1-11

info-center enable 35-Information Center Commands 1-12

info-center logbuffer 35-Information Center Commands 1-13

info-center logfile enable 35-Information Center Commands 1-14

info-center logfile frequency 35-Information Center Commands 1-14

info-center logfile size-quota 35-Information Center Commands 1-15

info-center logfile switch-directory 35-Information Center Commands 1-15

info-center loghost 35-Information Center Commands 1-16

info-center loghost source 35-Information Center Commands 1-17

info-center monitor channel 35-Information Center Commands 1-18

info-center snmp channel 35-Information Center Commands 1-19

info-center source 35-Information Center Commands 1-20

info-center synchronous 35-Information Center Commands 1-22

info-center syslog channel 35-Information Center Commands 1-23

info-center timestamp 35-Information Center Commands 1-24

info-center timestamp loghost 35-Information Center Commands 1-25

info-center trapbuffer 35-Information Center Commands 1-26

instance 10-MSTP Commands 1-14

interface 03-Ethernet Port Commands 1-15

interface bridge-aggregation 05-Ethernet Link Aggregation Commands 1-9

interface loopback 04-Loopback Interface and Null Interface Commands 1-4

interface null 04-Loopback Interface and Null Interface Commands 1-5

interface vlan-interface 09-VLAN Commands 1-5

ip (PKI entity view) 22-PKI Commands 1-15

ip address 09-VLAN Commands 1-6

ip address 11-IP Addressing Commands 1-4

ip address bootp-alloc 14-DHCP Commands 4-2

ip address dhcp-alloc 14-DHCP Commands 2-3

ip check source 41-IP Source Guard Commands 1-3

ip forward-broadcast (interface view) 12-IP Performance Optimization Commands 1-14

ip forward-broadcast (system view) 12-IP Performance Optimization Commands 1-14

ip http acl 02-Login Commands 2-2

ip http acl 38-HTTP Commands 1-2

ip http enable 02-Login Commands 1-13

ip http enable 38-HTTP Commands 1-2

ip http port 38-HTTP Commands 1-3

ip https acl 38-HTTP Commands 2-2

ip https certificate access-control-policy 38-HTTP Commands 2-2

ip https enable 38-HTTP Commands 2-3

ip https port 38-HTTP Commands 2-4

ip https ssl-server-policy 38-HTTP Commands 2-5

ip route-static 17-Static Routing Commands 1-2

ip route-static default-preference 17-Static Routing Commands 1-3

ip ttl-expires enable 12-IP Performance Optimization Commands 1-15

ip unreachables enable 12-IP Performance Optimization Commands 1-16

ip-pool 37-Cluster Management Commands 1-40

J
jumboframe enable 03-Ethernet Port Commands 1-15

K
key (RADIUS scheme view) 21-AAA Commands 2-10

L
lacp port-priority 05-Ethernet Link Aggregation Commands 1-9

lacp system-priority 05-Ethernet Link Aggregation Commands 1-10

last-member-query-interval (IGMP-Snooping view) 18-Multicast Commands 1-25

lcd 15-FTP and TFTP Commands 1-17

ldap-server 22-PKI Commands 1-15

link-aggregation mode 05-Ethernet Link Aggregation Commands 1-10

lldp admin-status 08-LLDP Commands 1-14

lldp check-change-interval 08-LLDP Commands 1-14

lldp compliance admin-status cdp 08-LLDP Commands 1-15

lldp compliance cdp 08-LLDP Commands 1-16

lldp enable 08-LLDP Commands 1-16

lldp encapsulation snap 08-LLDP Commands 1-17

lldp fast-count 08-LLDP Commands 1-18

lldp hold-multiplier 08-LLDP Commands 1-18

lldp management-address-format string 08-LLDP Commands 1-19

lldp management-address-tlv 08-LLDP Commands 1-19

lldp notification remote-change enable 08-LLDP Commands 1-20

lldp timer notification-interval 08-LLDP Commands 1-21

lldp timer reinit-delay 08-LLDP Commands 1-21

lldp timer tx-delay 08-LLDP Commands 1-22

lldp timer tx-interval 08-LLDP Commands 1-22

lldp tlv-enable 08-LLDP Commands 1-23

locality 22-PKI Commands 1-16

local-user 21-AAA Commands 1-25

local-user password-display-mode 21-AAA Commands 1-26

lock 02-Login Commands 1-13

logfile save 35-Information Center Commands 1-27

logging-host 37-Cluster Management Commands 1-40

loopback 03-Ethernet Port Commands 1-16

loopback-detection control enable 03-Ethernet Port Commands 1-17

loopback-detection enable 03-Ethernet Port Commands 1-17

loopback-detection interval-time 03-Ethernet Port Commands 1-18

loopback-detection per-vlan enable 03-Ethernet Port Commands 1-19

ls 15-FTP and TFTP Commands 1-17

ls 24-SSH2.0 Commands 1-20

M
mac-address (Interface view) 36-MAC Address Table Commands 1-4

mac-address (system view) 36-MAC Address Table Commands 1-5

mac-address max-mac-count (Interface view) 36-MAC Address Table Commands 1-6

mac-address timer 36-MAC Address Table Commands 1-7

management-vlan 37-Cluster Management Commands 1-41

management-vlan synchronization enable 37-Cluster Management Commands 1-42

max-response-time (IGMP-Snooping view) 18-Multicast Commands 1-26

mdi 03-Ethernet Port Commands 1-20

mib-style 30-SNMP Commands 2-1

mirroring-group 07-Port Mirroring Commands 1-2

mirroring-group mirroring-port 07-Port Mirroring Commands 1-2

mirroring-group monitor-port 07-Port Mirroring Commands 1-3

mirroring-port 07-Port Mirroring Commands 1-4

mkdir 15-FTP and TFTP Commands 1-19

mkdir 24-SSH2.0 Commands 1-21

mkdir 32-File System Management Commands 1-9

monitor-port 07-Port Mirroring Commands 1-5

more 32-File System Management Commands 1-10

move 32-File System Management Commands 1-11

multicast-suppression 03-Ethernet Port Commands 1-21

multicast-vlan 18-Multicast Commands 2-2

N
name 09-VLAN Commands 1-6

nas-id bind vlan 21-AAA Commands 1-26

nas-ip (RADIUS scheme view) 21-AAA Commands 2-11

ndp enable 37-Cluster Management Commands 1-4

ndp timer aging 37-Cluster Management Commands 1-5

ndp timer hello 37-Cluster Management Commands 1-5

nm-interface vlan-interface 37-Cluster Management Commands 1-43

ntdp enable 37-Cluster Management Commands 1-11

ntdp explore 37-Cluster Management Commands 1-12

ntdp hop 37-Cluster Management Commands 1-12

ntdp timer 37-Cluster Management Commands 1-13

ntdp timer hop-delay 37-Cluster Management Commands 1-14

ntdp timer port-delay 37-Cluster Management Commands 1-14

ntp-service access 29-NTP Commands 1-8

ntp-service authentication enable 29-NTP Commands 1-9

ntp-service authentication-keyid 29-NTP Commands 1-9

ntp-service broadcast-client 29-NTP Commands 1-10

ntp-service broadcast-server 29-NTP Commands 1-11

ntp-service in-interface disable 29-NTP Commands 1-12

ntp-service max-dynamic-sessions 29-NTP Commands 1-12

ntp-service multicast-client 29-NTP Commands 1-13

ntp-service multicast-server 29-NTP Commands 1-14

ntp-service reliable authentication-keyid 29-NTP Commands 1-15

ntp-service source-interface 29-NTP Commands 1-15

ntp-service unicast-peer 29-NTP Commands 1-16

ntp-service unicast-server 29-NTP Commands 1-17

O
open 15-FTP and TFTP Commands 1-19

organization 22-PKI Commands 1-16

organization-unit 22-PKI Commands 1-17

overflow-replace (IGMP-Snooping view) 18-Multicast Commands 1-27

P
packet-filter 27-ACL Commands 1-7

parity 02-Login Commands 1-14

passive 15-FTP and TFTP Commands 1-20

password 21-AAA Commands 1-27

peer-public-key end 25-Public Key Commands 1-3

ping 33-System Maintaining and Debugging Commands 1-1

pki certificate access-control-policy 22-PKI Commands 1-18

pki certificate attribute-group 22-PKI Commands 1-18

pki delete-certificate 22-PKI Commands 1-19

pki domain 22-PKI Commands 1-19

pki entity 22-PKI Commands 1-20

pki import-certificate 22-PKI Commands 1-21

pki request-certificate domain 22-PKI Commands 1-21

pki retrieval-certificate 22-PKI Commands 1-22

pki retrieval-crl domain 22-PKI Commands 1-23

pki validate-certificate 22-PKI Commands 1-23

pki-domain 23-SSL Commands 1-6

poe disconnect 40-PoE Commands 1-11

poe enable 40-PoE Commands 1-12

poe legacy enable 40-PoE Commands 1-13

poe max-power 40-PoE Commands 1-13

poe mode 40-PoE Commands 1-14

poe pd-description 40-PoE Commands 1-14

poe priority 40-PoE Commands 1-15

poe update 40-PoE Commands 1-16

poe utilization-threshold 40-PoE Commands 1-17

poe-profile 40-PoE Commands 1-18

port 09-VLAN Commands 1-10

port (multicast VLAN view) 18-Multicast Commands 2-2

port access vlan 09-VLAN Commands 1-11

port auto-power-down 03-Ethernet Port Commands 1-22

port bridge enable 03-Ethernet Port Commands 1-23

port hybrid pvid 09-VLAN Commands 1-12

port hybrid vlan 09-VLAN Commands 1-13

port link-aggregation group 05-Ethernet Link Aggregation Commands 1-11

port link-type 09-VLAN Commands 1-14

port multicast-vlan 18-Multicast Commands 2-3

port trunk permit vlan 09-VLAN Commands 1-16

port trunk pvid 09-VLAN Commands 1-17

port-group manual 03-Ethernet Port Commands 1-23

port-isolate enable 06-Port Isolation Commands 1-2

port-isolate group 06-Port Isolation Commands 1-3

prefer-cipher 23-SSL Commands 1-6

primary accounting (RADIUS scheme view) 21-AAA Commands 2-11

primary authentication (RADIUS scheme view) 21-AAA Commands 2-12

protocol inbound 02-Login Commands 1-15

public-key local create 25-Public Key Commands 1-6

public-key local destroy 25-Public Key Commands 1-7

public-key local export dsa 25-Public Key Commands 1-8

public-key local export rsa 25-Public Key Commands 1-9

public-key peer 25-Public Key Commands 1-10

public-key peer import sshkey 25-Public Key Commands 1-10

public-key-code begin 25-Public Key Commands 1-4

public-key-code end 25-Public Key Commands 1-5

put 15-FTP and TFTP Commands 1-21

put 24-SSH2.0 Commands 1-22

pwd 15-FTP and TFTP Commands 1-21

pwd 24-SSH2.0 Commands 1-22

pwd 32-File System Management Commands 1-11

Q
qos apply policy 19-QoS Commands 1-12

qos lr 19-QoS Commands 3-2

qos map-table 19-QoS Commands 2-2

qos policy 19-QoS Commands 1-13

qos priority 19-QoS Commands 2-3

qos trust 19-QoS Commands 2-5

qos wrr 19-QoS Commands 4-2

quit 01-CLI Command 1-1

quit 15-FTP and TFTP Commands 1-22

quit 24-SSH2.0 Commands 1-23

R
radius client 21-AAA Commands 2-13

radius nas-ip 21-AAA Commands 2-14

radius scheme 21-AAA Commands 2-15

radius trap 21-AAA Commands 2-16

reboot 28-Device Management Commands 1-20

reboot member 37-Cluster Management Commands 1-43

redirect 19-QoS Commands 1-8

region-name 10-MSTP Commands 1-15

remotehelp 15-FTP and TFTP Commands 1-22

remove 24-SSH2.0 Commands 1-23

rename 24-SSH2.0 Commands 1-24

rename 32-File System Management Commands 1-12

report-aggregation (IGMP-Snooping view) 18-Multicast Commands 1-27

reset acl counter 27-ACL Commands 1-8

reset arp 13-ARP Commands 1-6

reset arp detection statistics 13-ARP Commands 2-11

reset counters interface 03-Ethernet Port Commands 1-24

reset counters interface 04-Loopback Interface and Null Interface Commands 1-6

reset counters interface 05-Ethernet Link Aggregation Commands 1-12

reset dhcp relay statistics 14-DHCP Commands 1-20

reset dhcp-snooping 14-DHCP Commands 3-11

reset dhcp-snooping packet statistics 14-DHCP Commands 3-12

reset dot1x statistics 20-802.1X Commands 1-17

reset igmp-snooping group 18-Multicast Commands 1-28

reset igmp-snooping statistics 18-Multicast Commands 1-29

reset ip routing-table statistics protocol 16-IP Routing Basics Commands 1-11

reset ip statistics 12-IP Performance Optimization Commands 1-16

reset lacp statistics 05-Ethernet Link Aggregation Commands 1-13

reset logbuffer 35-Information Center Commands 1-27

reset ndp statistics 37-Cluster Management Commands 1-6

reset radius statistics 21-AAA Commands 2-16

reset recycle-bin 32-File System Management Commands 1-13

reset saved-configuration 32-File System Management Commands 2-9

reset stop-accounting-buffer 21-AAA Commands 2-17

reset stp 10-MSTP Commands 1-16

reset tcp statistics 12-IP Performance Optimization Commands 1-17

reset trapbuffer 35-Information Center Commands 1-28

reset udp statistics 12-IP Performance Optimization Commands 1-17

reset unused porttag 28-Device Management Commands 1-21

restore startup-configuration 32-File System Management Commands 2-10

retry 21-AAA Commands 2-18

retry realtime-accounting 21-AAA Commands 2-19

retry stop-accounting (RADIUS scheme view) 21-AAA Commands 2-20

return 01-CLI Command 1-2

revision-level 10-MSTP Commands 1-16

rmdir 15-FTP and TFTP Commands 1-25

rmdir 24-SSH2.0 Commands 1-24

rmdir 32-File System Management Commands 1-15

rmon alarm 31-RMON Commands 1-11

rmon event 31-RMON Commands 1-13

rmon history 31-RMON Commands 1-14

rmon prialarm 31-RMON Commands 1-15

rmon statistics 31-RMON Commands 1-17

root-certificate fingerprint 22-PKI Commands 1-24

router-aging-time (IGMP-Snooping view) 18-Multicast Commands 1-29

rule (advanced ACL view) 27-ACL Commands 1-8

rule (basic ACL view) 27-ACL Commands 1-13

rule (Ethernet frame header ACL view) 27-ACL Commands 1-14

rule (PKI CERT ACP view) 22-PKI Commands 1-25

rule comment 27-ACL Commands 1-16

S
save 32-File System Management Commands 2-11

schedule job 28-Device Management Commands 1-22

schedule reboot at 28-Device Management Commands 1-23

schedule reboot delay 28-Device Management Commands 1-25

screen-length 02-Login Commands 1-16

screen-length disable 01-CLI Command 1-3

secondary accounting (RADIUS scheme view) 21-AAA Commands 2-20

secondary authentication (RADIUS scheme view) 21-AAA Commands 2-21

self-service-url enable 21-AAA Commands 1-28

send 02-Login Commands 1-16

server-type 21-AAA Commands 2-22

service-type 21-AAA Commands 1-29

session 23-SSL Commands 1-7

set authentication password 02-Login Commands 1-17

sftp 24-SSH2.0 Commands 1-25

sftp client source 24-SSH2.0 Commands 1-26

sftp server enable 24-SSH2.0 Commands 1-13

sftp server idle-timeout 24-SSH2.0 Commands 1-14

shell 02-Login Commands 1-18

shutdown 03-Ethernet Port Commands 1-25

shutdown 04-Loopback Interface and Null Interface Commands 1-6

shutdown 05-Ethernet Link Aggregation Commands 1-13

shutdown 09-VLAN Commands 1-7

snmp-agent 30-SNMP Commands 1-11

snmp-agent calculate-password 30-SNMP Commands 1-12

snmp-agent community 30-SNMP Commands 1-13

snmp-agent group 30-SNMP Commands 1-15

snmp-agent local-engineid 30-SNMP Commands 1-16

snmp-agent log 30-SNMP Commands 1-17

snmp-agent mib-view 30-SNMP Commands 1-18

snmp-agent packet max-size 30-SNMP Commands 1-19

snmp-agent sys-info 30-SNMP Commands 1-19

snmp-agent target-host 30-SNMP Commands 1-21

snmp-agent trap enable 30-SNMP Commands 1-22

snmp-agent trap if-mib link extended 30-SNMP Commands 1-23

snmp-agent trap life 30-SNMP Commands 1-24

snmp-agent trap queue-size 30-SNMP Commands 1-25

snmp-agent trap source 30-SNMP Commands 1-25

snmp-agent usm-user { v1 | v2c } 30-SNMP Commands 1-26

snmp-agent usm-user v3 30-SNMP Commands 1-27

snmp-host 37-Cluster Management Commands 1-44

speed 02-Login Commands 1-19

speed 03-Ethernet Port Commands 1-25

speed auto 03-Ethernet Port Commands 1-26

ssh client authentication server 24-SSH2.0 Commands 1-10

ssh client first-time enable 24-SSH2.0 Commands 1-11

ssh client source 24-SSH2.0 Commands 1-11

ssh server authentication-retries 24-SSH2.0 Commands 1-3

ssh server authentication-timeout 24-SSH2.0 Commands 1-4

ssh server compatible-ssh1x enable 24-SSH2.0 Commands 1-5

ssh server enable 24-SSH2.0 Commands 1-6

ssh server rekey-interval 24-SSH2.0 Commands 1-6

ssh user 24-SSH2.0 Commands 1-7

ssh2 24-SSH2.0 Commands 1-12

ssl client-policy 23-SSL Commands 1-8

ssl server-policy 23-SSL Commands 1-9

stack ip-pool 39-Stack Management Commands 1-3

stack role master 39-Stack Management Commands 1-3

stack stack-port 39-Stack Management Commands 1-4

stack switch-to 39-Stack Management Commands 1-5

startup saved-configuration 32-File System Management Commands 2-12

state 21-AAA Commands 1-30

state 21-AAA Commands 2-23

state 22-PKI Commands 1-26

step 27-ACL Commands 1-16

stop-accounting-buffer enable (RADIUS scheme view) 21-AAA Commands 2-24

stopbits 02-Login Commands 1-20

storm-constrain 03-Ethernet Port Commands 1-27

storm-constrain control 03-Ethernet Port Commands 1-29

storm-constrain enable log 03-Ethernet Port Commands 1-29

storm-constrain enable trap 03-Ethernet Port Commands 1-30

storm-constrain interval 03-Ethernet Port Commands 1-31

stp bpdu-protection 10-MSTP Commands 1-17

stp bridge-diameter 10-MSTP Commands 1-18

stp compliance 10-MSTP Commands 1-18

stp config-digest-snooping 10-MSTP Commands 1-19

stp cost 10-MSTP Commands 1-20

stp edged-port 10-MSTP Commands 1-21

stp enable 10-MSTP Commands 1-22

stp ignored vlan 10-MSTP Commands 1-23

stp loop-protection 10-MSTP Commands 1-24

stp max-hops 10-MSTP Commands 1-25

stp mcheck 10-MSTP Commands 1-25

stp mode 10-MSTP Commands 1-26

stp no-agreement-check 10-MSTP Commands 1-27

stp pathcost-standard 10-MSTP Commands 1-28

stp point-to-point 10-MSTP Commands 1-29

stp port priority 10-MSTP Commands 1-30

stp port-log 10-MSTP Commands 1-31

stp priority 10-MSTP Commands 1-32

stp region-configuration 10-MSTP Commands 1-32

stp root primary 10-MSTP Commands 1-33

stp root secondary 10-MSTP Commands 1-34

stp root-protection 10-MSTP Commands 1-34

stp tc-protection 10-MSTP Commands 1-35

stp tc-protection threshold 10-MSTP Commands 1-36

stp timer forward-delay 10-MSTP Commands 1-37

stp timer hello 10-MSTP Commands 1-37

stp timer max-age 10-MSTP Commands 1-38

stp timer-factor 10-MSTP Commands 1-39

stp transmit-limit 10-MSTP Commands 1-40

super 34-Basic System Configuration Commands 1-18

super password 34-Basic System Configuration Commands 1-19

sysname 02-Login Commands 1-21

sysname 34-Basic System Configuration Commands 1-20

system-failure 28-Device Management Commands 1-26

system-view 01-CLI Command 1-3

T
tcp anti-naptha enable 12-IP Performance Optimization Commands 1-18

tcp state 12-IP Performance Optimization Commands 1-18

tcp syn-cookie enable 12-IP Performance Optimization Commands 1-19

tcp timer check-state 12-IP Performance Optimization Commands 1-20

tcp timer fin-timeout 12-IP Performance Optimization Commands 1-21

tcp timer syn-timeout 12-IP Performance Optimization Commands 1-21

tcp window 12-IP Performance Optimization Commands 1-22

telnet 02-Login Commands 1-21

telnet client source 02-Login Commands 1-22

telnet server enable 02-Login Commands 1-23

terminal debugging 35-Information Center Commands 1-28

terminal logging 35-Information Center Commands 1-29

terminal monitor 35-Information Center Commands 1-30

terminal trapping 35-Information Center Commands 1-31

terminal type 02-Login Commands 1-23

tftp 15-FTP and TFTP Commands 2-2

tftp client source 15-FTP and TFTP Commands 2-3

tftp-server 37-Cluster Management Commands 1-45

tftp-server acl 15-FTP and TFTP Commands 2-1

timer 37-Cluster Management Commands 1-45

timer quiet (RADIUS scheme view) 21-AAA Commands 2-25

timer realtime-accounting (RADIUS scheme view) 21-AAA Commands 2-26

timer response-timeout (RADIUS scheme view) 21-AAA Commands 2-27

time-range 27-ACL Commands 1-17

topology accept 37-Cluster Management Commands 1-46

topology restore-from 37-Cluster Management Commands 1-47

topology save-to 37-Cluster Management Commands 1-48

tracert 33-System Maintaining and Debugging Commands 1-4

traffic behavior 19-QoS Commands 1-8

traffic classifier 19-QoS Commands 1-5

U
undelete 32-File System Management Commands 1-15

unicast-suppression 03-Ethernet Port Commands 1-31

user 15-FTP and TFTP Commands 1-25

user privilege level 02-Login Commands 1-25

user-bind 41-IP Source Guard Commands 1-4

user-group 21-AAA Commands 1-31

user-interface 02-Login Commands 1-24

user-name-format (RADIUS scheme view) 21-AAA Commands 2-27

V
verbose 15-FTP and TFTP Commands 1-26

version 23-SSL Commands 1-9

virtual-cable-test 03-Ethernet Port Commands 1-33

vlan 09-VLAN Commands 1-8

vlan-mapping modulo 10-MSTP Commands 1-41

voice vlan aging 09-VLAN Commands 2-3

voice vlan enable 09-VLAN Commands 2-4

voice vlan mac-address 09-VLAN Commands 2-4

voice vlan mode auto 09-VLAN Commands 2-6

voice vlan security enable 09-VLAN Commands 2-6

W
X

Y
Z
